From 5d9142674d09379a9e4394779c1e624dd2d6ece5 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Maur=C3=ADcio=20Meneghini=20Fauth?= Date: Fri, 23 Sep 2022 14:32:30 -0300 Subject: [PATCH] Allow longer cookie encryption keys to be used MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: MaurĂ­cio Meneghini Fauth --- doc/config.rst | 5 +++-- libraries/classes/Controllers/HomeController.php | 14 +++++++++----- libraries/classes/Plugins/Auth/AuthenticationCookie.php | 13 ++++++++++++- psalm-baseline.xml | 4 +--- 4 files changed, 25 insertions(+), 11 deletions(-) diff --git a/doc/config.rst b/doc/config.rst index 11f5b1d893..27d9500311 100644 --- a/doc/config.rst +++ b/doc/config.rst @@ -1913,8 +1913,9 @@ Cookie authentication options .. warning:: - The encryption key must be 32 bytes long. If it has a different length of bytes, a new key will be automatically - generated for you. However it will only last for the duration of the session. + The encryption key must be 32 bytes long. If it is longer than the length of bytes, only the first 32 bytes will + be used, and if it is shorter, a new temporary key will be automatically generated for you. However, this + temporary key will only last for the duration of the session. .. note:: diff --git a/libraries/classes/Controllers/HomeController.php b/libraries/classes/Controllers/HomeController.php index 998cc3b4ce..39235fdc06 100644 --- a/libraries/classes/Controllers/HomeController.php +++ b/libraries/classes/Controllers/HomeController.php 
@@ -311,19 +311,23 @@ class HomeController extends AbstractController
 * Check if user does not have defined blowfish secret and it is being used.
 */
 if (! empty($_SESSION['encryption_key'])) {
- if (empty($cfg['blowfish_secret'])) {
+ $encryptionKeyLength = mb_strlen($cfg['blowfish_secret'], '8bit');
+ if ($encryptionKeyLength < SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
 $this->errors[] = [
 'message' => __(
- 'The configuration file now needs a secret passphrase (blowfish_secret).'
+ 'The configuration file needs a valid key for cookie encryption.'
+ . ' A temporary key was automatically generated for you.'
+ . ' Please refer to the [doc@cfg_blowfish_secret]documentation[/doc].'
 ),
 'severity' => 'warning',
 ];
- } elseif (mb_strlen($cfg['blowfish_secret'], '8bit') !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
+ } elseif ($encryptionKeyLength > SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
 $this->errors[] = [
 'message' => sprintf(
 __(
- 'The secret passphrase in configuration (blowfish_secret) is not the correct length.'
- . ' It should be %d bytes long.'
+ 'The cookie encryption key in the configuration file is longer than necessary.'
+ . ' It should only be %d bytes long.'
+ . ' Please refer to the [doc@cfg_blowfish_secret]documentation[/doc].'
 ),
 SODIUM_CRYPTO_SECRETBOX_KEYBYTES
 ),
diff --git a/libraries/classes/Plugins/Auth/AuthenticationCookie.php b/libraries/classes/Plugins/Auth/AuthenticationCookie.php
index 33faf56b34..e083ddf19a 100644
--- a/libraries/classes/Plugins/Auth/AuthenticationCookie.php
+++ b/libraries/classes/Plugins/Auth/AuthenticationCookie.php
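Review bot: The new `mb_strlen($cfg['blowfish_secret'], '8bit')` call in the HomeController hunk runs before any type check, whereas the `empty()` test it replaces tolerated an unset or non-string value. The same commit treats this setting as `mixed` in `getEncryptionSecret()` and guards it with `is_string()`, so a null or non-string value in the configuration would presumably raise a TypeError or deprecation notice here instead of producing the warning. Computing the length defensively keeps the two places consistent: `$secret = $cfg['blowfish_secret'] ?? null;` followed by `$encryptionKeyLength = is_string($secret) ? mb_strlen($secret, '8bit') : 0;`. The enclosing method starts and ends outside the hunk, so whether `$cfg` is normalised earlier cannot be confirmed from here.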
@@ -597,11 +597,21 @@ class AuthenticationCookie extends AuthenticationPlugin */ private function getEncryptionSecret(): string { + /** @var mixed $key */ $key = $GLOBALS['cfg']['blowfish_secret'] ?? null; - if (is_string($key) && mb_strlen($key, '8bit') === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { + if (! is_string($key)) { + return $this->getSessionEncryptionSecret(); + } + + $length = mb_strlen($key, '8bit'); + if ($length === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { return $key; } + if ($length > SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { + return mb_substr($key, 0, SODIUM_CRYPTO_SECRETBOX_KEYBYTES, '8bit'); + } + return $this->getSessionEncryptionSecret(); } @@ -610,6 +620,7 @@ class AuthenticationCookie extends AuthenticationPlugin */ private function getSessionEncryptionSecret(): string { + /** @var mixed $key */ $key = $_SESSION['encryption_key'] ?? null; if (is_string($key) && mb_strlen($key, '8bit') === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { return $key; diff --git a/psalm-baseline.xml b/psalm-baseline.xml index be2ba27d96..874757e842 100644 --- a/psalm-baseline.xml +++ b/psalm-baseline.xml @@ -9042,14 +9042,12 @@ $_SESSION['browser_access_time'][$key] - + $GLOBALS['pma_auth_server'] $_form_params['route'] $captchaSiteVerifyURL $captchaSiteVerifyURL $key - $key - $key $password $serverCookie $serverCookie -- 2.11.4.GIT
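Review bot: In `getEncryptionSecret()`, truncating an over-long secret with `mb_substr($key, 0, SODIUM_CRYPTO_SECRETBOX_KEYBYTES, '8bit')` ignores every byte after the 32nd, so the cookie key is only as strong as that prefix. If an administrator configures a long passphrase or a hex- or base64-encoded value, the first 32 bytes carry less than 256 bits of entropy, and two secrets that share a prefix yield the same key. Deriving the key from the whole value would avoid this, for example `return sodium_crypto_generichash($key, '', SODIUM_CRYPTO_SECRETBOX_KEYBYTES);`, with the `doc/config.rst` warning adjusted to match. If truncation is kept, a short comment on this branch stating that only the first 32 bytes are used would make the trade-off visible to the next reader.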