
Re: Alternative approach for password re-setup



> With the attached patch, the conversion works on buster.
> 
> The script uses php-mcrypt for no reason - the first use always returns
> a constant 16, the second returns random bytes.
> 
> With the applied patch, the script works without php-mcrypt.

While focusing on what the two mcrypt library calls did, something felt
weird, but I didn't know what. I somehow did not trust that what I did
was right, because how this decryption should work was not entirely
clear to me, despite having a basic understanding of how it works.

Now I know why: A random IV does not make any sense at all in
decryption, and in ECB mode, there is no such thing as an IV at all.

Thus, I updated the patch to remove that useless code altogether.

-nik
--- gosa-mcrypt-to-openssl-passwords.orig	2019-04-18 19:38:43.665650068 +0200
+++ gosa-mcrypt-to-openssl-passwords.new	2019-04-18 21:43:28.782380951 +0200
@@ -25,9 +25,7 @@
 }
 
 function cred_decrypt($input, $password) {
-  $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
-  $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
-  return rtrim(@openssl_decrypt( pack("H*", $input), "aes-256-ecb" , $password, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv ), "\0\3\4\n");
+  return rtrim(@openssl_decrypt( pack("H*", $input), "aes-256-ecb" , $password, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING ), "\0\3\4\n");
 }
 
 
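Review bot: On the added `return rtrim(@openssl_decrypt(...), "\0\3\4\n");` line, the `@` together with the direct `rtrim()` still hides decryption failure. openssl_decrypt() returns false on error (for example when the hex-decoded input is not a multiple of the 16-byte block, which OPENSSL_ZERO_PADDING requires), and rtrim() turns that false into an empty string, so the caller cannot tell a failed decryption from an empty password. Suggest storing the result, checking it with `=== false` and reporting the affected entry before trimming. Dropping the `$iv` argument is right for "aes-256-ecb"; a one-line comment saying that `$password` is used directly as the AES-256 key would help the next reader.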

Attachment: signature.asc
Description: PGP signature
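
The point made in the message about IVs, as an added example that is not part of the original mail or of the GOsa script: in ECB mode a random IV passed to decryption changes nothing, while in CBC mode a wrong IV corrupts exactly the first block. The key and plaintext are constructed sample values.

```php
<?php
// Constructed sample values: a 32-byte key and a NUL-padded, block-aligned
// plaintext (zero padding is what the script's rtrim() call implies).
$key   = str_repeat("k", 32);
$plain = str_pad("s3cret-constructed", 32, "\0");
$flags = OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING;

// ECB has no IV at all: OpenSSL reports an IV length of 0 for it.
$ecbIvLen = openssl_cipher_iv_length("aes-256-ecb");
$ct = openssl_encrypt($plain, "aes-256-ecb", $key, $flags);

// Decrypt once without an IV and once with a random one (the pre-patch
// call pattern). '@' suppresses the diagnostic PHP emits for the unused IV.
$noIv   = openssl_decrypt($ct, "aes-256-ecb", $key, $flags);
$randIv = @openssl_decrypt($ct, "aes-256-ecb", $key, $flags, random_bytes(16));

var_dump($ecbIvLen === 0);                                  // no IV in ECB
var_dump($noIv === $randIv);                                // the IV was ignored
var_dump(rtrim($noIv, "\0") === "s3cret-constructed");      // plaintext recovered

// Contrast: CBC does use an IV, and it must be the one used for encryption.
// Decrypting with a different random IV garbles the first 16-byte block
// and leaves every later block intact.
$iv    = random_bytes(16);
$cbc   = openssl_encrypt($plain, "aes-256-cbc", $key, $flags, $iv);
$wrong = openssl_decrypt($cbc, "aes-256-cbc", $key, $flags, random_bytes(16));

var_dump(substr($wrong, 0, 16) !== substr($plain, 0, 16));  // first block differs
var_dump(substr($wrong, 16) === substr($plain, 16));        // remaining block matches
```

All five checks print `bool(true)`, which is why removing the IV code leaves the conversion result unchanged.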

