Only compute the key once
jrouzierinverse committed Oct 1, 2024
1 parent fbe823e commit 6ff775a
Showing 4 changed files with 30 additions and 19 deletions.
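--- a/go/config/pfcrypt/init.go
+++ b/go/config/pfcrypt/init.go
@@ -8,9 +8,10 @@ import (
 )
 
 var systemInitKey []byte
+var dervivedKey []byte
 
 func setupSystemInitKey(envName, fileName string) error {
-val := os.Getenv("PF_SYSTEM_INIT_KEY_FILE")
+val := os.Getenv(envName)
 if val != "" {
 systemInitKey = []byte(val)
 return nil
@@ -26,7 +27,9 @@ func setupSystemInitKey(envName, fileName string) error {
 }
 
 func init() {
-if err := setupSystemInitKey("PF_SYSTEM_INIT_KEY_FILE", file_paths.SYSTEM_INIT_KEY_FILE); err != nil {
-panic("The PF_SYSTEM_INIT_KEY_FILE environment is not" + err.Error())
+if err := setupSystemInitKey("PF_SYSTEM_INIT_KEY", file_paths.SYSTEM_INIT_KEY_FILE); err != nil {
+panic("Unable to setup the PF_SYSTEM_INIT secret" + err.Error())
 }
+
+dervivedKey = makeDerivedKey()
 }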
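Review bot: The new panic text in init() is joined to err.Error() with no separator and names `PF_SYSTEM_INIT` rather than the variable actually read, `PF_SYSTEM_INIT_KEY`, so the operator-facing message runs together and points at the wrong name; `panic("Unable to setup the PF_SYSTEM_INIT_KEY secret: " + err.Error())` fixes both. The package variable added at the top is spelled `dervivedKey`; pfcrypt.go renames the old derivedKey() function in this same commit, so the correctly spelled `derivedKey` is free for the variable. In the visible code the cached key is assigned only in init(), so a comment such as `// set once in init(); not refreshed if systemInitKey changes later` would record that it can go stale if setupSystemInitKey is called again. setupSystemInitKey's body continues outside the first hunk.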
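--- a/go/config/pfcrypt/pfcrypt.go
+++ b/go/config/pfcrypt/pfcrypt.go
@@ -35,8 +35,7 @@ func encodeParts(inputs ...part) string {
 }
 
 func PfEncrypt(data []byte) (string, error) {
-key := derivedKey()
-aesCypher, err := aes.NewCipher(key)
+aesCypher, err := aes.NewCipher(dervivedKey)
 ad := []byte{}
 if err != nil {
 return "", fmt.Errorf("PfEncrypt NewCipher: %w", err)
@@ -134,8 +133,7 @@ func PfDecrypt(data string) ([]byte, error) {
 return nil, fmt.Errorf("Associated Data Not Found")
 }
 
-key := derivedKey()
-aesCypher, err := aes.NewCipher(key)
+aesCypher, err := aes.NewCipher(dervivedKey)
 if err != nil {
 return nil, fmt.Errorf("PfDerypt NewCipher: %w", err)
 }
@@ -156,6 +154,6 @@ func PfDecrypt(data string) ([]byte, error) {
 return output, nil
 }
 
-func derivedKey() []byte {
+func makeDerivedKey() []byte {
 return pbkdf2.Key(systemInitKey, []byte("packetfence"), ITERATION_COUNT, LEN, sha256.New)
 }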
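Review bot: makeDerivedKey has no doc comment, and its contract matters more now that PfEncrypt and PfDecrypt read a package variable instead of deriving the key on each call. Something like `// makeDerivedKey derives the AES key from systemInitKey with PBKDF2-SHA256 and the fixed salt "packetfence"; init() calls it once and caches the result.` would state it. Because the salt is a constant, the derived key depends on the system init key alone, which is worth saying next to the call so nobody assumes per-installation salting. PfEncrypt and PfDecrypt start and end outside the hunks shown.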
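--- a/lib/pf/config/crypt.pm
+++ b/lib/pf/config/crypt.pm
@@ -20,13 +20,17 @@ use MIME::Base64;
 use pf::file_paths qw($system_init_key_file);
 
 our $PREFIX = 'PF_ENC[';
-my $ITERATION_COUNT = 5000;
-my $HASH_TYPE = 'SHA256';
-my $LEN = 32;
-my $SYSTEM_INIT_KEY;
+our $ITERATION_COUNT = 5000;
+our $HASH_TYPE = 'SHA256';
+our $LEN = 32;
+our $SYSTEM_INIT_KEY = '';
+our $DERIVED_KEY;
 
 BEGIN {
-my $val = $ENV{PF_SYSTEM_INIT_KEY_FILE};
+$ITERATION_COUNT = 5000;
+$HASH_TYPE = 'SHA256';
+$LEN = 32;
+my $val = $ENV{PF_SYSTEM_INIT_KEY};
 if ($val) {
 $SYSTEM_INIT_KEY = $val;
 } else {
@@ -41,6 +45,14 @@ sub derived_key {
 return pbkdf2($SYSTEM_INIT_KEY, 'packetfence', $ITERATION_COUNT, $HASH_TYPE, $LEN);
 }
 
+BEGIN {
+if ($SYSTEM_INIT_KEY eq '') {
+die "system init key";
+}
+
+$DERIVED_KEY = derived_key();
+}
+
 sub encode_tags {
 if (@_ % 2) {
 die "odd number of passed";
@@ -69,17 +81,15 @@ sub decode_tags {
 sub pf_encrypt {
 my ($text) = @_;
 my $iv = random_bytes(12);
-my $derived_key = derived_key();
 my $ad = '';
-my ($ciphertext, $tag) = gcm_encrypt_authenticate('AES', $derived_key, $iv, $ad, $text);
+my ($ciphertext, $tag) = gcm_encrypt_authenticate('AES', $DERIVED_KEY, $iv, $ad, $text);
 return 'PF_ENC[' . encode_tags(data => $ciphertext, tag => $tag, iv => $iv, ad => $ad) . ']';
 }
 
 sub pf_decrypt {
 my ($data) = @_;
 my $tags = decode_tags($data);
-my $derived_key = derived_key();
-return gcm_decrypt_verify('AES', $derived_key, $tags->{iv}, $tags->{ad}, $tags->{data}, $tags->{tag});
+return gcm_decrypt_verify('AES', $DERIVED_KEY, $tags->{iv}, $tags->{ad}, $tags->{data}, $tags->{tag});
 }
 =head1 AUTHOR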
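Review bot: `our $SYSTEM_INIT_KEY = '';` wipes the key after it has been loaded: the `our` declaration is seen at compile time, but the `= ''` assignment only runs when the file's top-level code executes, which is after both BEGIN blocks have finished. `$DERIVED_KEY` survives because it has no initializer, so pf_encrypt and pf_decrypt keep working, but derived_key() is still defined and any later call derives from the empty string and returns a key that differs from `$DERIVED_KEY`. Declaring `our $SYSTEM_INIT_KEY;` and guarding with `if (!defined $SYSTEM_INIT_KEY || $SYSTEM_INIT_KEY eq '')` in the second BEGIN block avoids the reset; the `= 5000`, `= 'SHA256'` and `= 32` initializers merely repeat the BEGIN assignments. The message `die "system init key"` should say what is wrong, e.g. `die "system init key is missing or empty"`. The first BEGIN block's else branch lies outside the hunk.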
4 changes: 2 additions & 2 deletions t/unittest/config/crypt/object.t
Expand Up @@ -22,7 +22,7 @@ BEGIN {

use Test::More tests => 4;
use pf::config::crypt::object;
use pf::Sereal qw($DECODER $ENCODER);
use pf::Sereal qw($DECODER $ENCODER_FREEZER);
use Sereal::Encoder qw(sereal_encode_with_object);
use Sereal::Decoder qw(sereal_decode_with_object);

Expand All @@ -37,7 +37,7 @@ my $frozen = $object->FREEZE(undef);
my $thawed = $object->THAW(undef, $frozen);
is($secret, $thawed, "Data frozen and thawed");

my $data = sereal_encode_with_object($ENCODER, $object);
my $data = sereal_encode_with_object($ENCODER_FREEZER, $object);
$thawed = sereal_decode_with_object($DECODER, $data);
is($secret, $thawed, "Data frozen and thawed");

