diff options
author | Lars Ingebrigtsen <larsi@gnus.org> | 2019-09-20 23:57:34 +0200 |
---|---|---|
committer | Lars Ingebrigtsen <larsi@gnus.org> | 2019-09-20 23:57:34 +0200 |
commit | 280cf93f313925375cf57d1d64bfbe940f950452 (patch) | |
tree | a70d009252a4487495b60b6a4e7b0420138d2937 | |
parent | c3958e48f6a257fa7e681b2b39ea83d677bcb2f3 (diff) | |
download | emacs-280cf93f313925375cf57d1d64bfbe940f950452.tar.gz |
Further touch-ups to the auth-source obfuscation
* lisp/auth-source.el (auth-source--obfuscate): Avoid leaking the
length of the password by using PKCS#7 padding.
-rw-r--r-- | lisp/auth-source.el | 33 |
1 files changed, 18 insertions, 15 deletions
diff --git a/lisp/auth-source.el b/lisp/auth-source.el index 365ed2fa284..464facdeafa 100644 --- a/lisp/auth-source.el +++ b/lisp/auth-source.el @@ -1172,42 +1172,45 @@ FILE is the file from which we obtained this token." ;; have to call `auth-source-forget-all-cached'. (unless auth-source--session-nonce (setq auth-source--session-nonce - (apply #'string (cl-loop repeat 32 + (apply #'string (cl-loop repeat 16 collect (random 128))))) (if (and (fboundp 'gnutls-symmetric-encrypt) (gnutls-available-p)) (let ((cdata (car (last (gnutls-ciphers))))) (mapconcat #'base64-encode-string - (append - (list (format "%d" (length string))) - (gnutls-symmetric-encrypt - (pop cdata) - (auth-source--pad auth-source--session-nonce - (plist-get cdata :cipher-keysize)) - (list 'iv-auto (plist-get cdata :cipher-ivsize)) - (auth-source--pad string (plist-get cdata :cipher-blocksize)))) + (gnutls-symmetric-encrypt + (pop cdata) + (auth-source--pad auth-source--session-nonce + (plist-get cdata :cipher-keysize)) + (list 'iv-auto (plist-get cdata :cipher-ivsize)) + (auth-source--pad string (plist-get cdata :cipher-blocksize))) "-")) (mapcar #'1- string))) -(defun auth-source--pad (s length) +(defun auth-source--pad (string length) "Pad string S to a modulo of LENGTH." - (concat s (make-string (- length (mod (length s) length)) ?\0))) + (let ((pad (- length (mod (length string) length)))) + (concat string (make-string pad pad)))) + +(defun auth-source--unpad (string) + "Remove PKCS#7 padding from STRING." + (substring string 0 (- (length string) + (aref string (1- (length string)))))) (defun auth-source--deobfuscate (data) (if (and (fboundp 'gnutls-symmetric-encrypt) (gnutls-available-p)) (let ((cdata (car (last (gnutls-ciphers)))) (bits (split-string data "-"))) - (substring + (auth-source--unpad (car (gnutls-symmetric-decrypt (pop cdata) (auth-source--pad auth-source--session-nonce (plist-get cdata :cipher-keysize)) - (base64-decode-string (caddr bits)) - (base64-decode-string (cadr bits)))) - 0 (string-to-number (base64-decode-string (car bits))))) + (base64-decode-string (cadr bits)) + (base64-decode-string (car bits)))))) (apply #'string (mapcar #'1+ data)))) (cl-defun auth-source-netrc-search (&rest spec |