Remove salt and sync perl and golang encrypt/decrypt

inverse-inc · Sep 11, 2024 · 822f8a8 · 822f8a8
1 parent a3233df
commit 822f8a8
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 19 deletions.
diff --git a/go/pfcrypt/pfcrypt.go b/go/pfcrypt/pfcrypt.go
@@ -34,8 +34,8 @@ func encodeParts(inputs ...part) string {
 	return strings.Join(parts, ",")
 }
 
-func PfEncrypt(data []byte, salt []byte) (string, error) {
-	key := derivedKey(salt)
+func PfEncrypt(data []byte) (string, error) {
+	key := derivedKey()
 	aesCypher, err := aes.NewCipher(key)
 	ad := []byte{}
 	if err != nil {
@@ -61,7 +61,6 @@ func PfEncrypt(data []byte, salt []byte) (string, error) {
 		encodeParts(
 			part{name: "data", data: out},
 			part{name: "iv", data: iv},
-			part{name: "salt", data: salt},
 			part{name: "tag", data: tag},
 			part{name: "ad", data: ad},
 		) +
@@ -115,11 +114,6 @@ func PfDecrypt(data string) ([]byte, error) {
 		return nil, err
 	}
 
-	saltPart, found := getPart(parts, "salt")
-	if !found {
-		return nil, fmt.Errorf("Salt Not Found")
-	}
-
 	tagPart, found := getPart(parts, "tag")
 	if !found {
 		return nil, fmt.Errorf("Tag Not Found")
@@ -140,7 +134,7 @@ func PfDecrypt(data string) ([]byte, error) {
 		return nil, fmt.Errorf("Associated Data Not Found")
 	}
 
-	key := derivedKey(saltPart.data)
+	key := derivedKey()
 	aesCypher, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, fmt.Errorf("PfDerypt NewCipher: %w", err)
@@ -164,8 +158,8 @@ func PfDecrypt(data string) ([]byte, error) {
 
 var systemUser pfconfigdriver.UnifiedApiSystemUser
 
-func derivedKey(salt []byte) []byte {
-	return pbkdf2.Key([]byte(systemUser.Pass), salt, ITERATION_COUNT, LEN, sha256.New)
+func derivedKey() []byte {
+	return pbkdf2.Key([]byte(systemUser.Pass), []byte("packetfence"), ITERATION_COUNT, LEN, sha256.New)
 }
 
 func init() {

diff --git a/go/pfcrypt/pfcrypt_test.go b/go/pfcrypt/pfcrypt_test.go
@@ -0,0 +1,45 @@
+package pfcrypt
+
+import (
+	"bytes"
+	"os/exec"
+	"testing"
+)
+
+func TestRoundTrip(t *testing.T) {
+
+	input := []byte("Hello Test")
+	ciphertext, err := PfEncrypt(input)
+	if err != nil {
+		t.Fatalf("PfEncrypt: %s", err.Error())
+	}
+
+	output, err := PfDecrypt(ciphertext)
+	if err != nil {
+		t.Fatalf("PfDecrypt: %s", err.Error())
+	}
+
+	if bytes.Compare(input, output) != 0 {
+		t.Fatalf("Input does not match Output")
+	}
+
+}
+
+func TestPerl(t *testing.T) {
+	expected := []byte("Hello Test")
+	cmd := exec.Command("perl", "-I/usr/local/pf/lib", "-I/usr/local/pf/lib_perl/lib/perl5", "-Mpf::config::crypt", "-eprint pf::config::crypt::pf_encrypt('Hello Test')")
+	ciphertext, err := cmd.Output()
+	if err != nil {
+		t.Fatalf("perl crypt: %s", err.Error())
+	}
+
+	output, err := PfDecrypt(string(ciphertext))
+	if err != nil {
+		t.Fatalf("PfDecrypt: %s", err.Error())
+	}
+
+	if bytes.Compare(expected, output) != 0 {
+		t.Fatalf("expected does not match Output")
+	}
+
+}
diff --git a/lib/pf/config/crypt.pm b/lib/pf/config/crypt.pm
@@ -24,8 +24,7 @@ my $HASH_TYPE = 'SHA256';
 my $LEN = 32;
 
 sub derived_key {
-    my ($salt) = @_;
-    return pbkdf2($unified_api_system_user->{pass}, $salt, $ITERATION_COUNT, $HASH_TYPE, $LEN);
+    return pbkdf2($unified_api_system_user->{pass}, 'packetfence', $ITERATION_COUNT, $HASH_TYPE, $LEN);
 }
 
 sub encode_tags {
@@ -54,19 +53,18 @@ sub decode_tags {
 }
 
 sub pf_encrypt {
-    my ($text, $salt) = @_;
-    my $iv = random_bytes(16);
-    my $derived_key = derived_key($salt);
+    my ($text) = @_;
+    my $iv = random_bytes(12);
+    my $derived_key = derived_key();
     my $ad = '';
     my ($ciphertext, $tag) = gcm_encrypt_authenticate('AES', $derived_key, $iv, $ad, $text);
-    return 'PF_ENC[' . encode_tags(data => $ciphertext, tag => $tag, iv => $iv, salt => $salt, ad => $ad) . ']';
+    return 'PF_ENC[' . encode_tags(data => $ciphertext, tag => $tag, iv => $iv, ad => $ad) . ']';
 }
 
 sub pf_decrypt {
     my ($data) = @_;
     my $tags = decode_tags($data);
-    my $salt = $tags->{salt};
-    my $derived_key = derived_key($salt);
+    my $derived_key = derived_key();
     return gcm_decrypt_verify('AES', $derived_key, $tags->{iv}, $tags->{ad}, $tags->{data}, $tags->{tag});
 }
 =head1 AUTHOR