- Bug
- Resolution: Unresolved
- Minor
- None
- 4.1.10, 4.2.7, 4.3
- None
- MOODLE_401_STABLE, MOODLE_402_STABLE, MOODLE_403_STABLE

When Moodle's mnet certificate expires (every 28 days) and a new key pair is generated in mnet/lib.php mnet_generate_keypair(), the code below is breaking, which forces us to manually update the certificate in Mahara's database.

The behaviour of openssl has changed in the latest packages for Ubuntu 20.04 and Ubuntu 22.04 when decrypting incoming payload from Mahara.

In: mnet/xmlrpc/serverlib.php
In: mnet_server_strip_encryption()

    $isOpen = openssl_open(base64_decode($data), $payload, base64_decode($key), $mnet->get_private_key(), 'RC4');
    if ($isOpen) {
        $remoteclient->was_encrypted();
        return $payload;
    }

openssl_open is returning true even when the payload was signed with an old certificate. I appreciate that this is a problem with openssl, but there is an easy fix which Moodle could add to the code, which is to validate the decrypted payload to check it is XML.

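Suggested Fix:
At lines 62 and 78 of mnet/xmlrpc/serverlib.php

    $isOpen = openssl_open(base64_decode($data), $payload, base64_decode($key), $mnet->get_private_key(), 'RC4');

    // openssl_open() may report success with the wrong key, so also require
    // that the decrypted payload parses as XML.
    $isXML = false;
    if ($isOpen && is_string($payload) && $payload !== '') {
        // Guarded because DOMDocument::loadXML('') throws a ValueError on PHP 8.
        $previous = libxml_use_internal_errors(true);
        $dom = new DOMDocument();
        $isXML = $dom->loadXML($payload);
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }

    if ($isOpen && $isXML) {
        $remoteclient->was_encrypted();
        return $payload;
    }
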
This fix allows the code to function as it should. By correctly decrypting the xml payload using the key from openssl_history, the function calls: $remoteclient->set_pushkey(); which causes mnet/xmlrpc/server.php to return the 7025 faultCode with the new certificate for the client (aka Mahara) to store.

I do appreciate that mnet using xmlrpc is being deprecated, but until then it would be good to keep everything working.

Attachment:
Attached is a test script which demonstrates the problem with openssl_open incorrectly thinking it has decrypted the payload
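
The following is an added example, not the attached test script and not Moodle code: it sketches the check proposed above, where a private key is accepted only if openssl_open() succeeds and the plaintext parses as XML, so a stale key that "opens" to garbage falls through to the next key in the history. The function names, the method name in the sample document and the generated key pairs are constructed for illustration. Well-formedness is only a plausibility check; it does not authenticate the payload.

```php
<?php
// Added illustration; function names are hypothetical, not Moodle's.

// True only for a non-empty, well-formed XML document.
function payload_is_xml($payload): bool {
    if (!is_string($payload) || $payload === '') {
        return false; // DOMDocument::loadXML('') throws ValueError on PHP 8
    }
    $previous = libxml_use_internal_errors(true);
    $ok = (new DOMDocument())->loadXML($payload, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $ok;
}

// Try each private key in order (current first, then history). A key is
// accepted only if openssl_open() succeeds AND the plaintext parses as XML.
// Returns ['key' => index, 'payload' => xml] or null if no key qualifies.
function open_with_key_history(string $data, string $envkey, array $privatekeys, string $cipher): ?array {
    foreach ($privatekeys as $index => $pem) {
        $payload = null;
        if (openssl_open($data, $payload, $envkey, $pem, $cipher) && payload_is_xml($payload)) {
            return ['key' => $index, 'payload' => $payload];
        }
    }
    return null;
}

// Constructed demo: seal to the "old" key, then offer the new key first.
function new_rsa_pair(): array {
    $res = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    openssl_pkey_export($res, $pem);
    return ['private' => $pem, 'public' => openssl_pkey_get_details($res)['key']];
}

$cipher = 'RC4'; // as on the page; the OpenSSL build must have RC4 enabled
$old = new_rsa_pair();
$new = new_rsa_pair();
$xml = '<?xml version="1.0"?><methodCall><methodName>example.ping</methodName></methodCall>';

if (openssl_seal($xml, $sealed, $envkeys, [$old['public']], $cipher) === false) {
    exit("openssl_seal failed: is $cipher available in this OpenSSL build?\n");
}
$result = open_with_key_history($sealed, $envkeys[0], [$new['private'], $old['private']], $cipher);
var_dump($result['key'] ?? null);            // index of the key whose output parsed as XML
var_dump(payload_is_xml("\x8f\x02garbage")); // constructed non-XML bytes
```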