libauth-yubikey-decrypter-perl 0.07-1 / usr / share / perl5 / Auth / Yubikey_Decrypter.pm

This file is indexed.

/usr/share/perl5/Auth/Yubikey_Decrypter.pm is in libauth-yubikey-decrypter-perl 0.07-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
package Auth::Yubikey_Decrypter;

use warnings;
use strict;
require Crypt::Rijndael;

=head1 NAME

Auth::Yubikey_Decrypter - Decrypting the output from the yubikey token

=head1 VERSION

Version 0.07

=cut

use vars qw($VERSION);
$VERSION = '0.07';

=head1 SYNOPSIS

The decryption module does only one thing - decrypt the AES encrypted OTP from the Yubikey.  To this, it
requires the OTP, and the AES key.

Please note - this module does not perform authentication - it is a required component to decrypt the token first before authentication can be performed.

	#!/usr/bin/perl

	use strict;
	use Auth::Yubikey_Decrypter;

	my $fulltoken   = "dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh";
	my $aeskey      = "ecde18dbe76fbd0c33330f1c354871db";

	my ($publicID,$secretid_hex,$counter_dec,$timestamp_dec,$session_use_dec,$random_dec,$crc_dec,$crc_ok) =
        	Auth::Yubikey_Decrypter::yubikey_decrypt($fulltoken,$aeskey);

	print "publicID  : $publicID\n";
	print "Secret id : $secretid_hex\n";
	print "Counter   : $counter_dec\n";
	print "Timestamp : $timestamp_dec\n";
	print "Session   : $session_use_dec\n";
	print "Random    : $random_dec\n";
	print "crc       : $crc_dec\n";
	print "crc ok?   : $crc_ok\n";

=head1 FUNCTIONS

=head2 yubikey_decrypt

Input : token aeskey

Token - received by the Yubikey
aeskey - either the modhex or hex AES key for your Yubikey (contact Yubico if you don't have the AES key)

Output :

$publicID
$secretid_hex
$counter_dec
$timestamp_dec
$session_use_dec
$random_dec
$crc_dec
$crc_ok

=cut 

sub yubikey_decrypt
{
        my $fulltoken   = $_[0];
        my $aeskey      = $_[1];
	my $aeskey_bin;

	# Let's sanitize the inut, just in case
	$aeskey =~ s/[^A-Z0-9]//gi;
	$fulltoken =~ s/[^A-Z0-9]//gi;

	# Determine what mode the AES key is in
        if($aeskey =~ /^[a-f0-9]+$/i)
        {
		$aeskey_bin  = pack "H*", $aeskey;
        }
        elsif($aeskey =~ /^[cbdefghijklnrtuv]+$/i)
        {
		$aeskey_bin     = &yubikey_modhex_decode($aeskey);
        }
        else
        {
                die "A weird AES key was supplied.  Please provide only hex or modhex.";
        }

        # strip out the actual token
        my $publicID = substr($fulltoken,0,length($fulltoken)-32);
        my $token = substr($fulltoken,length($fulltoken)-32);

        # decode the token from modhex down to binary
        my $token_bin = &yubikey_modhex_decode($token);

        # Decrypt the token using it's key

        my $cipher = Crypt::Rijndael->new( $aeskey_bin );
        my $token_decoded_bin = $cipher->decrypt($token_bin);

        my $token_decoded_hex = unpack "H*", $token_decoded_bin;

        # get all the values from the decoded token
        my $secretid_hex        = substr($token_decoded_hex,0,12);
        my $counter_dec         = ord(substr($token_decoded_bin,7,1))*256+ord(substr($token_decoded_bin,6,1));
        my $timestamp_dec       = ord(substr($token_decoded_bin,10,1))*65536+ord(substr($token_decoded_bin,9,1))*256+ord(substr($token_decoded_bin,8,1));
        my $session_use_dec     = ord(substr($token_decoded_bin,11,1));
        my $random_dec          = ord(substr($token_decoded_bin,13,1))*256+ord(substr($token_decoded_bin,12,1));
        my $crc_dec             = ord(substr($token_decoded_bin,15,1))*256+ord(substr($token_decoded_bin,14,1));
        my $crc_ok              = &yubikey_crc_check($token_decoded_bin);

        return ($publicID,$secretid_hex,$counter_dec,$timestamp_dec,$session_use_dec,$random_dec,$crc_dec,$crc_ok);
}

=head2 yubikey_modhex_decode

Input : the modhex code
Output : decoded modhex code in hex

=cut

sub yubikey_modhex_decode
{
        my $mstring = $_[0];
        my $cset="cbdefghijklnrtuv";
        my $decoded="";
        my $hbyte=0;
        my $pos;
        for (my $i=0; $i<length($mstring);$i++)
        {
                $pos=index($cset,substr($mstring,$i,1));
                if ($i/2 != int($i/2))
                {
                        $decoded .= chr($hbyte+$pos);
                        $hbyte=0;
                }
                else
                {
                        $hbyte=$pos*16;
                }
        }
        return $decoded;
}

=head2 yubikey_crc_check

Performs a crc check on the decoded data

=cut

sub yubikey_crc_check
{
        my $buffer = $_[0];
        my $m_crc=0xffff;
        my $j;
        for(my $bpos=0; $bpos<16; $bpos++)
        {
                $m_crc ^= ord(substr($buffer,$bpos,1)) & 0xff;
                for (my $i=0; $i<8; $i++)
                {
                        $j=$m_crc & 1;
                        $m_crc >>= 1;
                        if ($j)
                        {
                                $m_crc ^= 0x8408;
                        }
                }
        }
        return $m_crc==0xf0b8;

        return 0;
}

=head1 REQUIRES

Perl 5, L<Crypt::Rijndael>

Order your Yubikey from L<http://www.yubico.com>

=head1 BUGS

Please report any bugs or feature requests to C<bug-auth-yubikey_decrypter at rt.cpan.org>, or through
the web interface at L<http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Auth-Yubikey_Decrypter>.  I will be notified, and then you'll
automatically be notified of progress on your bug as I make changes.

=head1 SUPPORT

You can find documentation for this module with the perldoc command.

    perldoc Auth::Yubikey_Decrypter

You can also look for information at:

=over 4

=item * RT: CPAN's request tracker

L<http://rt.cpan.org/NoAuth/Bugs.html?Dist=Auth-Yubikey_Decrypter>

=item * AnnoCPAN: Annotated CPAN documentation

L<http://annocpan.org/dist/Auth-Yubikey_Decrypter>

=item * CPAN Ratings

L<http://cpanratings.perl.org/d/Auth-Yubikey_Decrypter>

=item * Search CPAN

L<http://search.cpan.org/dist/Auth-Yubikey_Decrypter>

=back

=head1 AUTHOR

Phil Massyn, C<< <phil at massyn.net> >>

=head1 ACKNOWLEDGEMENTS

Based a lot on PHP code by : PHP yubikey decryptor v0.1 by Alex Skov Jensen
Thanks to almut from L<http://perlmonks.org> for code guidance
Thanks to Mark Foobar L<http://blog.maniac.nl> for reporting the -32 bug on line 91 and 92.

=head1 COPYRIGHT & LICENSE

Copyright 2008 Phil Massyn, all rights reserved.

This program is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.

=cut

1; # End of Auth::Yubikey_Decrypter

APT Browse - Built by Thomas Orozco.