From b1f12b72e5bdb58f4de2522607e3612c1742a536 Mon Sep 17 00:00:00 2001
From: Xavier
Date: Thu, 27 Jun 2019 20:48:01 +0200
Subject: [PATCH] Add MAC verification to crypto
---
 .../lib/Lemonldap/NG/Common/Crypto.pm | 24 ++++++++++++-------
 1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm
index 179c92036..70af44638 100644
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm
@@ -71,10 +71,11 @@ sub encrypt {
 $data .= "\0" x ( 16 - $l ) unless ( $l == 0 );
 my $iv = $low ? md5( rand() . time . {} ) : $newIv->();
+ my $hmac = md5($data);
 eval {
 $data =
- encode_base64( $iv . $self->_getCipher->set_iv($iv)->encrypt($data),
- '' );
+ encode_base64(
+ $iv . $hmac . $self->_getCipher->set_iv($iv)->encrypt($data), '' );
 };
 if ($@) {
 $msg = "Crypt::Rijndael error : $@";
@@ -100,13 +101,18 @@ sub decrypt {
 $data = decode_base64($data);
 my $iv;
 $iv = bytes::substr( $data, 0, 16 );
- $data = bytes::substr( $data, 16 );
+ my $hmac = bytes::substr( $data, 16, 16 );
+ $data = bytes::substr( $data, 32 );
 eval { $data = $self->_getCipher->set_iv($iv)->decrypt($data); };
 if ($@) {
 $msg = "Crypt::Rijndael error : $@";
 return undef;
 }
+ if ( md5($data) ne $hmac ) {
+ $msg = "Bad MAC";
+ return undef;
+ }
 else {
 $msg = '';
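Review bot: `my $hmac = md5($data);` in the encrypt hunk is an unkeyed digest of the padded plaintext, and it is concatenated in the clear between the IV and the ciphertext, so it is not a MAC despite the variable name and the commit title. Anyone holding the encoded value can confirm a guess of the plaintext by hashing it, and anyone who knows the plaintext can recompute the digest after altering the message; the decrypt hunk trusts the same value. A keyed tag computed over the IV and ciphertext after encryption (for example `Digest::SHA::hmac_sha256` with a key kept separate from the cipher key) would give the integrity the commit describes. The `_cryptHex` hunk is only reformatted and still has no integrity check. The body of `encrypt` starts and ends outside the hunk.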
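Review bot: The check `if ( md5($data) ne $hmac )` in the decrypt hunk runs only after the attacker-controllable ciphertext has already been decrypted, and `ne` is not a constant-time comparison; once the tag is keyed and covers IV and ciphertext, it should be verified before `decrypt` is called. The fixed offsets in `bytes::substr( $data, 16, 16 )` and `bytes::substr( $data, 32 )` are applied without checking that the decoded input is at least 32 bytes, and values produced before this commit (IV followed directly by ciphertext) would presumably now be rejected with "Bad MAC", so a length guard and a note on migration are worth adding. The trailing `else` now attaches to the MAC check instead of `if ($@)`, which behaves the same only because both branches return; an explicit comment such as `# reached only when decryption and MAC check both succeeded` would make that clear. `decrypt` continues outside the hunk.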
@@ -163,21 +169,21 @@ sub _cryptHex {
 return undef;
 }
 my $iv;
- if($sub eq 'encrypt') {
+ if ( $sub eq 'encrypt' ) {
 $iv = $newIv->();
 }
 $data = pack "H*", $data;
- if($sub eq 'decrypt') {
- $iv = bytes::substr($data,0,16);
- $data = bytes::substr($data,16);
+ if ( $sub eq 'decrypt' ) {
+ $iv = bytes::substr( $data, 0, 16 );
+ $data = bytes::substr( $data, 16 );
 }
 eval { $data = $self->_getCipher($key)->set_iv($iv)->$sub($data); };
 if ($@) {
 $msg = "Crypt::Rijndael error : $@";
 return undef;
 }
- if($sub eq 'encrypt') {
- $data = $iv.$data;
+ if ( $sub eq 'encrypt' ) {
+ $data = $iv . $data;
 }
 $msg = "";
 $data = unpack "H*", $data;