From b40cf3a296dc3c888cf080b08f0ca6cfb54ff472 Mon Sep 17 00:00:00 2001
From: rettenbe
Date: Wed, 20 Feb 2008 13:07:12 +0000
Subject: [PATCH] clean up security sensitive functions

git-svn-id: https://oss.gonicus.de/repositories/gosa/trunk@8985 594d385d-05f5-0310-b6e9-bd551577e9d8
---
 gosa-si/gosa-si-bus | 43 ++++++++++++++++++-
 gosa-si/gosa-si-client | 55 +++++++++++++++++++++++-
 gosa-si/gosa-si-server | 20 ++-------
 gosa-si/modules/GosaSupportDaemon.pm | 63 ++++++++++------------------
 4 files changed, 120 insertions(+), 61 deletions(-)

diff --git a/gosa-si/gosa-si-bus b/gosa-si/gosa-si-bus
index a9ae07261..53b99c31f 100755
--- a/gosa-si/gosa-si-bus
+++ b/gosa-si/gosa-si-bus
@@ -28,8 +28,6 @@ use Time::HiRes qw( gettimeofday );
 use POE qw(Component::Server::TCP);
 use Data::Dumper;
 use Crypt::Rijndael;
-use GOSA::DBsqlite;
-use GOSA::GosaSupportDaemon;
 use IO::Socket::INET;
 use NetAddr::IP;
 use XML::Simple;
@@ -37,6 +35,8 @@ use MIME::Base64;
 use File::Basename;
 use Digest::MD5 qw(md5 md5_hex md5_base64);
+use GOSA::GosaSupportDaemon;
+use GOSA::DBsqlite;
 my ($cfg_file, $default_cfg_file, %cfg_defaults, $foreground, $verbose, $pid_file, $procid, $pid, $log_file,);
 my ($bus_address, $bus_key, $bus_ip, $bus_port, $bus_mac_address);
@@ -466,6 +466,45 @@ sub create_passwd {
 }
+sub create_ciphering {
+ my ($passwd) = @_;
+ if((!defined($passwd)) || length($passwd)==0) {
+ $passwd = "";
+ }
+ $passwd = substr(md5_hex("$passwd") x 32, 0, 32);
+ my $iv = substr(md5_hex('GONICUS GmbH'),0, 16);
+ my $my_cipher = Crypt::Rijndael->new($passwd , Crypt::Rijndael::MODE_CBC());
+ $my_cipher->set_iv($iv);
+ return $my_cipher;
+}
+
+
+sub encrypt_msg {
+ my ($msg, $key) = @_;
+ my $my_cipher = &create_ciphering($key);
+ {
+ use bytes;
+ $msg = "\0"x(16-length($msg)%16).$msg;
+ }
+ $msg = $my_cipher->encrypt($msg);
+ chomp($msg = &encode_base64($msg));
+ # there are no newlines allowed inside msg
+ $msg=~ s/\n//g;
+ return $msg;
+}
+
+
+sub decrypt_msg {
+
+ my ($msg, $key) = @_ ;
+ $msg = &decode_base64($msg);
+ my $my_cipher = &create_ciphering($key);
+ $msg = $my_cipher->decrypt($msg);
+ $msg =~ s/\0*//g;
+ return $msg;
+}
+
+
 sub send_msg_hash2address {
 my ($msg_hash, $address, $encrypt_key) = @_ ;
 my $msg = &create_xml_string($msg_hash);
diff --git a/gosa-si/gosa-si-client b/gosa-si/gosa-si-client
index cf4488c25..b4f6a4358 100755
--- a/gosa-si/gosa-si-client
+++ b/gosa-si/gosa-si-client
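Review bot: decrypt_msg's `$msg =~ s/\0*//g;` strips every NUL byte from the whole decrypted payload, not just the padding that encrypt_msg prepends, so any message body that contains a NUL is silently altered; removing only the prefix, `$msg =~ s/^\0+//;`, matches what encrypt_msg actually adds (the identical hunk in gosa-si-client has the same issue). create_ciphering pins the CBC IV to md5_hex('GONICUS GmbH') and nothing authenticates the ciphertext, so equal plaintexts always give equal ciphertexts and a modified message decrypts without any error; a per-message random IV carried alongside the ciphertext plus an integrity check over it is the defensive change to plan for. The key is just md5_hex($passwd) (the `x 32` then `substr(..., 0, 32)` is a no-op on a 32-character string, so 16 bytes of entropy fill a 32-byte key), and an undefined or empty password silently becomes the fixed key derived from "", which would be safer to reject than to accept. These three subs are now copied byte-for-byte into gosa-si-bus, gosa-si-client and gosa-si-server while the GosaSupportDaemon.pm hunks comment them out; keeping one implementation in the module would let a fix like the above reach all three daemons at once.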
@@ -636,6 +636,45 @@ sub create_passwd {
 }
+sub create_ciphering {
+ my ($passwd) = @_;
+ if((!defined($passwd)) || length($passwd)==0) {
+ $passwd = "";
+ }
+ $passwd = substr(md5_hex("$passwd") x 32, 0, 32);
+ my $iv = substr(md5_hex('GONICUS GmbH'),0, 16);
+ my $my_cipher = Crypt::Rijndael->new($passwd , Crypt::Rijndael::MODE_CBC());
+ $my_cipher->set_iv($iv);
+ return $my_cipher;
+}
+
+
+sub encrypt_msg {
+ my ($msg, $key) = @_;
+ my $my_cipher = &create_ciphering($key);
+ {
+ use bytes;
+ $msg = "\0"x(16-length($msg)%16).$msg;
+ }
+ $msg = $my_cipher->encrypt($msg);
+ chomp($msg = &encode_base64($msg));
+ # there are no newlines allowed inside msg
+ $msg=~ s/\n//g;
+ return $msg;
+}
+
+
+sub decrypt_msg {
+
+ my ($msg, $key) = @_ ;
+ $msg = &decode_base64($msg);
+ my $my_cipher = &create_ciphering($key);
+ $msg = $my_cipher->decrypt($msg);
+ $msg =~ s/\0*//g;
+ return $msg;
+}
+
+
 sub get_server_addresses {
 my $domain= shift;
 my @result;
@@ -1137,9 +1176,21 @@ sub generic_file_error {
 sub fifo_got_record {
 my $file_record = $_[ARG0];
- print STDERR "$file_record\n";
+ my $header;
+ my $content = "";
+
+ $file_record =~ /^(\S+)[ ]?([\s\S]+)?$/;
+ if( defined $1 ) {
+ $header = $1;
+ } else {
+ return;
+ }
+
+ if( defined $2 ) {
+ $content = $2;
+ }
- my $clmsg_hash = &create_xml_hash("CLMSG_$file_record", $client_address, $server_address);
+ my $clmsg_hash = &create_xml_hash("CLMSG_$header", $client_address, $server_address, $content);
 my $clmsg = &create_xml_string($clmsg_hash);
 &send_msg_to_target($clmsg, $server_address, $server_key);
 return;
diff --git a/gosa-si/gosa-si-server b/gosa-si/gosa-si-server
index 5c1a96a38..a182873d3 100755
--- a/gosa-si/gosa-si-server
+++ b/gosa-si/gosa-si-server
@@ -41,6 +41,7 @@ use Cwd;
 use File::Spec;
 use File::Basename;
 use GOSA::DBsqlite;
+use GOSA::GosaSupportDaemon;
 use POE qw(Component::Server::TCP);
 my $modules_path = "/usr/lib/gosa-si/modules";
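Review bot: The match `$file_record =~ /^(\S+)[ ]?([\s\S]+)?$/;` in fifo_got_record never checks whether it succeeded, and after a failed match `$1`/`$2` still hold whatever the last successful match in the dynamic scope captured, so `defined $1` can be true with a stale header from elsewhere. Testing the match itself avoids that and drops the separate `defined` checks: `if ( my ($hdr, $body) = $file_record =~ /\A(\S+)[ ]?([\s\S]+)?\z/ ) { $header = $hdr; $content = $body // ""; } else { return; }`, and `\z` in place of `$` also keeps a trailing newline read from the FIFO out of `$content`. The record is local input from the FIFO and ends up as the message type `CLMSG_$header` and as XML content; the hunk does not show whether create_xml_hash escapes either, nor whether it accepts the new fourth argument, so both are worth confirming against the module.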
@@ -223,21 +224,6 @@ sub daemon_log {
 }
-sub get_time {
- my ($seconds, $minutes, $hours, $monthday, $month,
- $year, $weekday, $yearday, $sommertime) = localtime(time);
- $hours = $hours < 10 ? $hours = "0".$hours : $hours;
- $minutes = $minutes < 10 ? $minutes = "0".$minutes : $minutes;
- $seconds = $seconds < 10 ? $seconds = "0".$seconds : $seconds;
- $month+=1;
- $month = $month < 10 ? $month = "0".$month : $month;
- $monthday = $monthday < 10 ? $monthday = "0".$monthday : $monthday;
- $year+=1900;
- return "$year$month$monthday$hours$minutes$seconds";
-
-}
-
-
 #=== FUNCTION ================================================================
 # NAME: check_cmdline_param
 # PARAMETERS: nothing
@@ -375,8 +361,6 @@ $SIG{INT} = \&sig_int_handler;
 sub check_key_and_xml_validity {
 my ($crypted_msg, $module_key) = @_;
-#print STDERR "crypted_msg:$crypted_msg\n";
-#print STDERR "modul_key:$module_key\n";
 my $msg;
 my $msg_hash;
@@ -604,6 +588,7 @@ sub input_from_unknown_host {
 return ($msg, $msg_hash, $module);
 }
+
 sub create_ciphering {
 my ($passwd) = @_;
 if((!defined($passwd)) || length($passwd)==0) {
@@ -633,6 +618,7 @@ sub encrypt_msg {
 sub decrypt_msg {
+
 my ($msg, $key) = @_ ;
 $msg = &decode_base64($msg);
 my $my_cipher = &create_ciphering($key);
diff --git a/gosa-si/modules/GosaSupportDaemon.pm b/gosa-si/modules/GosaSupportDaemon.pm
index 3a15aa941..813ea4f02 100644
--- a/gosa-si/modules/GosaSupportDaemon.pm
+++ b/gosa-si/modules/GosaSupportDaemon.pm
@@ -7,9 +7,6 @@ my @functions = (
 "get_content_from_xml_hash",
 "add_content2xml_hash",
 "create_xml_string",
-"encrypt_msg",
-"decrypt_msg",
-"create_ciphering",
 "transform_msg2hash",
 "get_time",
 "build_msg",
@@ -150,33 +147,19 @@ sub add_content2xml_hash {
 # RETURNS: crypted_msg - string - crypted message
 # DESCRIPTION: crypts the incoming message with the Crypt::Rijndael module
 #===============================================================================
-sub encrypt_msg {
-# my ($msg, $my_cipher) = @_;
-# if(not defined $my_cipher) { print "no cipher object\n"; }
+#sub encrypt_msg {
+# my ($msg, $key) = @_;
+# my $my_cipher = &create_ciphering($key);
 # {
 # use bytes;
 # $msg = "\0"x(16-length($msg)%16).$msg;
 # }
 # $msg = $my_cipher->encrypt($msg);
 # chomp($msg = &encode_base64($msg));
-#
 # # there are no newlines allowed inside msg
 # $msg=~ s/\n//g;
-#
 # return $msg;
- my ($msg, $key) = @_;
- my $my_cipher = &create_ciphering($key);
- {
- use bytes;
- $msg = "\0"x(16-length($msg)%16).$msg;
- }
- $msg = $my_cipher->encrypt($msg);
- chomp($msg = &encode_base64($msg));
- # there are no newlines allowed inside msg
- $msg=~ s/\n//g;
- return $msg;
-
-}
+#}
 #=== FUNCTION ================================================================
@@ -186,7 +169,7 @@ sub encrypt_msg {
 # RETURNS: msg - string - decrypted message
 # DESCRIPTION: decrypts the incoming message with the Crypt::Rijndael module
 #===============================================================================
-sub decrypt_msg {
+#sub decrypt_msg {
 # my ($msg, $my_cipher) = @_ ;
 #
 # if(defined $msg && defined $my_cipher) {
@@ -195,13 +178,13 @@ sub decrypt_msg {
 # $msg = $my_cipher->decrypt($msg);
 # $msg =~ s/\0*//g;
 # return $msg;
- my ($msg, $key) = @_ ;
- $msg = &decode_base64($msg);
- my $my_cipher = &create_ciphering($key);
- $msg = $my_cipher->decrypt($msg);
- $msg =~ s/\0*//g;
- return $msg;
-}
+# my ($msg, $key) = @_ ;
+# $msg = &decode_base64($msg);
+# my $my_cipher = &create_ciphering($key);
+# $msg = $my_cipher->decrypt($msg);
+# $msg =~ s/\0*//g;
+# return $msg;
+#}
 #=== FUNCTION ================================================================
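Review bot: Commenting out encrypt_msg and decrypt_msg here (and create_ciphering in the following hunk) leaves the module with two generations of dead code side by side — the older `# my ($msg, $my_cipher) = @_;` variant and now the `$key` variant — beneath header blocks that still advertise `# RETURNS: crypted_msg - string - crypted message` for functions the export list no longer offers. Deleting the bodies together with their `#=== FUNCTION` headers is cleaner, since version control keeps the history, and it removes the risk of someone uncommenting the module copy and shadowing the daemons' own versions. If the intent is that each daemon now owns its copy, a single comment where the export list was trimmed, such as `# encrypt_msg, decrypt_msg and create_ciphering are defined in gosa-si-bus, gosa-si-client and gosa-si-server`, would tell the next reader where the cipher code went.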
@@ -210,17 +193,17 @@ sub decrypt_msg {
 # RETURNS: cipher - object
 # DESCRIPTION: creates a Crypt::Rijndael::MODE_CBC object with passwd as key
 #===============================================================================
-sub create_ciphering {
- my ($passwd) = @_;
- $passwd = substr(md5_hex("$passwd") x 32, 0, 32);
- my $iv = substr(md5_hex('GONICUS GmbH'),0, 16);
-
- #daemon_log("iv: $iv", 7);
- #daemon_log("key: $passwd", 7);
- my $my_cipher = Crypt::Rijndael->new($passwd , Crypt::Rijndael::MODE_CBC());
- $my_cipher->set_iv($iv);
- return $my_cipher;
-}
+#sub create_ciphering {
+# my ($passwd) = @_;
+# $passwd = substr(md5_hex("$passwd") x 32, 0, 32);
+# my $iv = substr(md5_hex('GONICUS GmbH'),0, 16);
+#
+# #daemon_log("iv: $iv", 7);
+# #daemon_log("key: $passwd", 7);
+# my $my_cipher = Crypt::Rijndael->new($passwd , Crypt::Rijndael::MODE_CBC());
+# $my_cipher->set_iv($iv);
+# return $my_cipher;
+#}
 #=== FUNCTION ================================================================
-- 
2.30.2