From b772e017b13307ac19fa8dffff157f58f8404d40 Mon Sep 17 00:00:00 2001 From: bergware Date: Wed, 12 Feb 2025 03:09:00 +0100 Subject: [PATCH] Wireless support - allow initial plain username and password When user name and password are stored in plain text, these will be encrypted at start up. --- .../dynamix/include/update.wireless.php | 7 ++--- emhttp/plugins/dynamix/scripts/open_ssl | 28 +++++++++++++++++++ etc/rc.d/rc.wireless | 19 ++++++++++--- 3 files changed, 46 insertions(+), 8 deletions(-) create mode 100644 emhttp/plugins/dynamix/scripts/open_ssl diff --git a/emhttp/plugins/dynamix/include/update.wireless.php b/emhttp/plugins/dynamix/include/update.wireless.php index 898f4b163..0aa3f00bb 100644 --- a/emhttp/plugins/dynamix/include/update.wireless.php +++ b/emhttp/plugins/dynamix/include/update.wireless.php @@ -11,12 +11,11 @@ */ ?> $val) if (isset($val['GROUP'])) $keys[$key]['GROUP'] = 'saved'; diff --git a/emhttp/plugins/dynamix/scripts/open_ssl b/emhttp/plugins/dynamix/scripts/open_ssl new file mode 100644 index 000000000..734511776 --- /dev/null +++ b/emhttp/plugins/dynamix/scripts/open_ssl @@ -0,0 +1,28 @@ +#!/usr/bin/php -q + + diff --git a/etc/rc.d/rc.wireless b/etc/rc.d/rc.wireless index 8c100daad..8ee968d0e 100755 --- a/etc/rc.d/rc.wireless +++ b/etc/rc.d/rc.wireless @@ -11,6 +11,7 @@ CALLER="wifi" INI="/var/local/emhttp/wireless.ini" CFG="/boot/config/wireless.cfg" SSLINPUT="/etc/rc.d/rc.ssl.input" +OPENSSL="/usr/local/emhttp/webGui/scripts/open_ssl" STARTWIFI="/usr/local/emhttp/webGui/scripts/wireless" WPA="/etc/wpa_supplicant.conf" 
@@ -233,10 +234,20 @@ wifi_join(){
 return
 fi
 [[ -e $SSLINPUT ]] || ssl_init
-# get SSL keys
- . $SSLINPUT
- [[ -n $USERNAME ]] && USERNAME=$(echo $USERNAME | openssl $cipher -a -d -K $(hex $key) -iv $(hex $iv) 2>/dev/null)
- [[ -n $PASSWORD ]] && PASSWORD=$(echo $PASSWORD | openssl $cipher -a -d -K $(hex $key) -iv $(hex $iv) 2>/dev/null)
+ [[ -n $USERNAME ]] && DECRYPT1=$($OPENSSL decrypt "$USERNAME")
+ [[ -n $DECRYPT1 ]] && USERNAME=$DECRYPT1
+ [[ -n $PASSWORD ]] && DECRYPT2=$($OPENSSL decrypt "$PASSWORD")
+ [[ -n $DECRYPT2 ]] && PASSWORD=$DECRYPT2
+# plain username, encrypt username in settings file
+ if [[ -n $USERNAME && -z $DECRYPT1 ]]; then
+ ENCRYPT1=$($OPENSSL encrypt "$USERNAME")
+ sed -ri "s/^(USERNAME=\").+$/\1$ENCRYPT1\"/" $CFG
+ fi
+# plain password, encrypt password in settings file
+ if [[ -n $PASSWORD && -z $DECRYPT2 ]]; then
+ ENCRYPT2=$($OPENSSL encrypt "$PASSWORD")
+ sed -ri "s/^(PASSWORD=\").+$/\1$ENCRYPT2\"/" $CFG
+ fi
 SECURITY=${SECURITY:-$ATTR3}
 if [[ -z $SECURITY || ${SECURITY^^} == "OPEN" ]]; then
 # open network
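Review bot: The two added `sed -ri "s/^(USERNAME=\").+$/\1$ENCRYPT1\"/" $CFG` rewrites (and the PASSWORD twin) interpolate the encrypt output into an `s/…/…/` expression without checking it first. If open_ssl returns base64 as the removed `openssl -a` call did (its body is not visible here), a `/` in the ciphertext breaks the expression and the plain credential stays in wireless.cfg, while an empty result from a failed encrypt rewrites the line to `USERNAME=""`. I would guard the rewrite and use a delimiter outside the base64 alphabet: `[[ -n $ENCRYPT1 ]] && sed -ri "s|^(USERNAME=\").+$|\1$ENCRYPT1\"|" "$CFG"`, and the same for `ENCRYPT2`. Separately, `$OPENSSL encrypt "$PASSWORD"` places the plain password in the process argument list, which the removed `echo … | openssl` pipeline avoided; having open_ssl read the value from stdin would keep it out of `ps` output. wifi_join starts and ends outside this hunk, so whether `DECRYPT1`/`DECRYPT2` can carry a stale value from an earlier call should be confirmed there.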