
lockr.forms.inc in Lockr 7.2


File

lockr.forms.inc
<?php

/**
 * Form builder: lists encrypted backups and offers to migrate legacy keys.
 *
 * Every key of the 'lockr' provider whose stored 'encoded' setting starts
 * with 'rijndael-256$cbc$' is queued for migration. For queued keys whose
 * key type contains 'encryption', the current value is read, encrypted with
 * lockr_migrate_encrypt() under a one-off secret, and shown to the
 * administrator as an "id:base64" line to keep as a backup.
 *
 * NOTE(review): the one-off secret is drawn anew on every call of this
 * builder. If Drupal calls the builder again while processing the submission
 * (presumably the case when the form is not cached), the secret handed to the
 * submit handler would differ from the one that produced the backups the
 * administrator saved. Confirm, and reuse an existing
 * $form_state['migrate_key'] if so.
 *
 * @param array $form
 *   The form array to extend.
 * @param array $form_state
 *   Form state; receives 'migrate_key' (raw 32-byte secret) and 'to_migrate'
 *   (list of key ids).
 *
 * @return array
 *   The form array with the optional 'backups' section and a submit button.
 */
function lockr_migrate_keys_form($form, &$form_state) {
  // One-off 256-bit secret protecting the backups shown on this page.
  $secret = random_bytes(32);
  // SHA-512 of the secret yields 64 bytes: the first 32 become the cipher
  // key, the last 32 the HMAC key, so the two uses never share key bytes.
  list($enc_key, $hmac_key) = str_split(hash('sha512', $secret, TRUE), 32);

  $legacy_ids = [];
  $backup_lines = [];
  foreach (key_get_keys_by_provider('lockr') as $key) {
    // Only values still stored in the legacy rijndael format are migrated.
    if (strpos($key['key_provider_settings']['encoded'], 'rijndael-256$cbc$') !== 0) {
      continue;
    }
    $legacy_ids[] = $key['id'];
    // Backups are produced only for key types containing 'encryption'.
    if (strpos($key['key_type'], 'encryption') === FALSE) {
      continue;
    }
    $sealed = lockr_migrate_encrypt(key_get_key_value($key), $enc_key, $hmac_key);
    $backup_lines[] = $key['id'] . ':' . base64_encode($sealed);
  }

  // Nothing left in the legacy format: go back to the Lockr settings page.
  if (empty($legacy_ids)) {
    drupal_goto('admin/config/system/lockr');
  }

  if (!empty($backup_lines)) {
    $heading = [
      '#theme' => 'html_tag',
      '#tag' => 'h2',
      '#value' => t('Backup Values'),
    ];
    $explanation = [
      '#theme' => 'html_tag',
      '#tag' => 'p',
      '#value' => t("While we migrate your values to the latest encryption libraries, we want to make sure in the unlikely event that your system crashes no data is lost. So keep these are encrypted values for you to keep during this process. We'll throw away the key to them once everything is confirmed to be ok. If something does go wrong, please contact our support immediately and we'll assist in getting you migrated without data loss."),
    ];
    // NOTE(review): the key ids are placed into the <pre> value without
    // escaping; presumably they are machine names -- confirm.
    $listing = [
      '#theme' => 'html_tag',
      '#tag' => 'pre',
      '#value' => implode("\n", $backup_lines),
    ];
    $form['backups'] = [
      'header' => $heading,
      'description' => $explanation,
      'content' => $listing,
    ];
  }

  // Handed to lockr_migrate_keys_form_submit() through the form state.
  $form_state['migrate_key'] = $secret;
  $form_state['to_migrate'] = $legacy_ids;

  $form['submit'] = [
    '#type' => 'submit',
    '#value' => t('Migrate keys'),
  ];
  return $form;
}
/**
 * Submit handler: stores the backup secret and starts the migration batch.
 *
 * The secret from $form_state['migrate_key'] is saved base64-encoded (not
 * encrypted) in the 'lockr_migrate_key' variable, so anyone able to read that
 * variable can decrypt the backup values. It is removed again by
 * lockr_migrate_keys_batch_finished() when the batch succeeds.
 *
 * @param array $form
 *   The submitted form (unused).
 * @param array $form_state
 *   Form state carrying 'migrate_key' and 'to_migrate'; 'redirect' is set to
 *   the Lockr settings page.
 */
function lockr_migrate_keys_form_submit($form, &$form_state) {
  $stored_secret = base64_encode($form_state['migrate_key']);
  variable_set('lockr_migrate_key', $stored_secret);

  // A single batch operation receives the whole list of key ids and works
  // through it across repeated calls.
  $operation = [
    'lockr_migrate_keys_batch_op',
    [$form_state['to_migrate']],
  ];
  // The batch callbacks live in this include file.
  $include = drupal_get_path('module', 'lockr') . '/lockr.forms.inc';

  batch_set([
    'title' => t('Migrating'),
    'operations' => [$operation],
    'file' => $include,
    'finished' => 'lockr_migrate_keys_batch_finished',
  ]);

  $form_state['redirect'] = 'admin/config/system/lockr';
}
/**
 * Batch operation: re-stores one legacy key per call.
 *
 * Takes the next id off the sandbox queue, reads the current value of that
 * key, passes it to _lockr_set_key() and writes the returned string back as
 * the only entry ('encoded') of the key's provider settings.
 *
 * NOTE(review): neither the value read from key_get_key_value() nor the
 * result of _lockr_set_key() is checked before the database row is
 * overwritten. If either call can signal failure through its return value,
 * the stored reference would be replaced with an unusable one -- confirm and
 * guard the update.
 *
 * @param array $key_ids
 *   Ids of all keys to migrate.
 * @param array $context
 *   Batch context; 'sandbox' holds the remaining ids and the total, and
 *   'finished' is set to the completed fraction while ids remain.
 */
function lockr_migrate_keys_batch_op($key_ids, &$context) {
  // First call: remember the total and queue up every id.
  if (empty($context['sandbox'])) {
    $context['sandbox'] = [
      'total' => count($key_ids),
      'key_ids' => $key_ids,
    ];
  }

  $current_id = array_shift($context['sandbox']['key_ids']);
  $config = key_get_key($current_id);
  $secret = key_get_key_value($config);
  // The returned client is not used below; the call is kept in case it has
  // side effects (cannot tell from this file).
  $client = lockr_key_client();

  $settings = [
    'encoded' => _lockr_set_key($current_id, $secret, $config['label']),
  ];
  db_update('key_config')
    ->fields(['key_provider_settings' => serialize($settings)])
    ->condition('id', $current_id)
    ->execute();

  // Report progress only while ids remain; 'finished' is left untouched after
  // the last one.
  $remaining = count($context['sandbox']['key_ids']);
  if ($remaining > 0) {
    $done = $context['sandbox']['total'] - $remaining;
    $context['finished'] = $done / $context['sandbox']['total'];
  }
}
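/**
 * Batch 'finished' callback for the key migration.
 *
 * On success the backup secret stored in 'lockr_migrate_key' is deleted, which
 * makes the backup values shown on the form undecryptable. On failure the
 * secret is left in place so the backups stay recoverable, and the message is
 * raised with the 'error' severity so a failed migration of key material is
 * not presented as an ordinary status notice.
 *
 * @param bool $success
 *   Whether the batch completed without errors.
 * @param array $results
 *   Batch results (unused).
 * @param array $operations
 *   Operations that were left unprocessed (unused).
 */
function lockr_migrate_keys_batch_finished($success, $results, $operations) {
  if ($success) {
    drupal_set_message(t('Migration was successful, you are good to go and no longer need the backup values we provided earlier.'));
    // The backups are no longer needed, so discard the secret protecting them.
    variable_del('lockr_migrate_key');
    return;
  }

  // Keep 'lockr_migrate_key' so the backups can still be decrypted.
  drupal_set_message(t('Migration was not successful, please contact Lockr support at either support@lockr.io or https://slack.lockr.io.'), 'error');
}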
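/**
 * Encrypts a value with AES-256-CBC and authenticates it with HMAC-SHA256.
 *
 * The output is the raw concatenation: 16-byte IV, ciphertext, 32-byte HMAC.
 * The HMAC covers the cipher name, the IV and the ciphertext
 * (encrypt-then-MAC), so a reader must verify it before decrypting.
 *
 * @param string $plaintext
 *   The value to protect.
 * @param string $enc_key
 *   Raw 32-byte cipher key.
 * @param string $hmac_key
 *   Raw, non-empty HMAC key.
 *
 * @return string
 *   Raw binary IV . ciphertext . HMAC.
 *
 * @throws InvalidArgumentException
 *   If a key has the wrong length or is empty.
 * @throws RuntimeException
 *   If OpenSSL fails to encrypt.
 */
function lockr_migrate_encrypt($plaintext, $enc_key, $hmac_key) {
  $cipher = 'aes-256-cbc';

  // OpenSSL would otherwise silently pad a short key or truncate a long one,
  // producing a backup under a key weaker than the caller intended.
  if (!is_string($enc_key) || strlen($enc_key) !== 32) {
    throw new InvalidArgumentException('The encryption key must be exactly 32 bytes.');
  }
  if (!is_string($hmac_key) || $hmac_key === '') {
    throw new InvalidArgumentException('The HMAC key must not be empty.');
  }

  // A fresh random IV per message; 16 bytes is the AES block size.
  $iv = random_bytes(16);
  $ciphertext = openssl_encrypt($plaintext, $cipher, $enc_key, OPENSSL_RAW_DATA, $iv);
  // Without this check a failed encryption would yield IV . HMAC with no
  // ciphertext, i.e. a backup that looks valid but holds no data.
  if ($ciphertext === FALSE) {
    throw new RuntimeException('OpenSSL failed to encrypt the value.');
  }

  $hmac = hash_hmac('sha256', $cipher . $iv . $ciphertext, $hmac_key, TRUE);
  return $iv . $ciphertext . $hmac;
}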