jetpack: Use better cipher in WPCOM Connection test (#38393)

RC4 is long obsolete, and likely isn't even available on modern hosts. Choose AES-256-CTR or AES-256-CBC if available and use that instead. If neither is available, don't even bother with RC4 anymore. Note this needs D155629-code on the server, or the test in the Jetpack Debugger will show as failing.
Automattic · Jul 23, 2024 · 1425539 · 1425539
1 parent ece8721
commit 1425539
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 6 deletions.
diff --git a/projects/plugins/jetpack/_inc/lib/class.core-rest-api-endpoints.php b/projects/plugins/jetpack/_inc/lib/class.core-rest-api-endpoints.php
@@ -1594,10 +1594,7 @@ public static function jetpack_connection_test_for_external() {
 		return rest_ensure_response(
 			array(
 				'code'  => 'response',
-				'debug' => array(
-					'data' => $encrypted['data'],
-					'key'  => $encrypted['key'],
-				),
+				'debug' => $encrypted,
 			)
 		);
 	}

diff --git a/projects/plugins/jetpack/_inc/lib/debugger/class-jetpack-cxn-test-base.php b/projects/plugins/jetpack/_inc/lib/debugger/class-jetpack-cxn-test-base.php
@@ -525,12 +525,19 @@ public function encrypt_string_for_wpcom( $data ) {
 
 		$public_key = openssl_get_publickey( JETPACK__DEBUGGER_PUBLIC_KEY );
 
-		if ( $public_key && openssl_seal( $data, $encrypted_data, $env_key, array( $public_key ), 'RC4' ) ) {
+		// Select the first allowed cipher method.
+		$allowed_methods = array( 'aes-256-ctr', 'aes-256-cbc' );
+		$methods         = array_intersect( $allowed_methods, openssl_get_cipher_methods() );
+		$method          = array_shift( $methods );
+
+		$iv = '';
+		if ( $public_key && $method && openssl_seal( $data, $encrypted_data, $env_key, array( $public_key ), $method, $iv ) ) {
 			// We are returning base64-encoded values to ensure they're characters we can use in JSON responses without issue.
 			$return = array(
 				'data'   => base64_encode( $encrypted_data ), // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
 				'key'    => base64_encode( $env_key[0] ), // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
-				'cipher' => 'RC4', // When Jetpack's minimum WP version is at PHP 5.3+, we will add in detecting and using a stronger one.
+				'iv'     => base64_encode( $iv ), // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
+				'cipher' => strtoupper( $method ),
 			);
 		}
 

diff --git a/projects/plugins/jetpack/changelog/update-jetpack-site-tester-more-ciphers b/projects/plugins/jetpack/changelog/update-jetpack-site-tester-more-ciphers
@@ -0,0 +1,4 @@
+Significance: patch
+Type: other
+
+WPCOM Connection test: use better ciphers than RC4, which is no longer available on many hosts.