Hello,
Thank you for the link.
Yes, I can cut the first 16 bytes off, but things get more complicated if I try
vice versa scenario - to encrypt password on outside of kamailio and then
decrypt it in kamailio using crypto_aes_decrypt
For example, I have a PHP method to encrypt passwords:
public function encrypt($password) {
$keyLength = 32;
$iterations = 5;
//https://github.com/kamailio/kamailio/blob/master/src/modules/crypto/crypto_aes.c#L79
$nonce = 'AQLlFx36iCWO4JwJ';
var_dump(base64_encode($nonce));
$prepared_key = openssl_pbkdf2(getenv('ENCRYPTION_KEY'), null,
$keyLength, $iterations); //ENCRYPTION_KEY == aFrHumvUSb24LbMwrSyUt2TZEakhSAFS
return openssl_encrypt(
$password,
'AES-256-CBC',
$prepared_key,
null,
$nonce
);
}
Encrypting string kamailio_qwerty123 using this method gives me:
Nonce/IV: QVFMbEZ4MzZpQ1dPNEp3Sg==
Passphrase: +JqKBJC99PIo5gDS1x35SONeslxH90l8FB4nVpKdJcw=
Encrypting the same string kamailio_qwerty123 using crypto_aes_encrypt gives:
QVFMbEZ4MzZpQ1dPNEp3Sju/bdBKyeVCEgiRrvpBdGs36brwNM+VqNmAzbeQTiy7
On kamailio side I have:
#!ifdef WITH_CRYPTO
modparam("crypto", "salt", "")
modparam("crypto", "key_derivation", 0)
modparam("crypto", "init_vector", "QVFMbEZ4MzZpQ1dPNEp3Sg==") # which is base64
of AQLlFx36iCWO4JwJ
#!endif
crypto_aes_decrypt("$avp(secret_encrypted)",
"YUZySHVtdlVTYjI0TGJNd3JTeVV0MlRaRWFraFNBRlM=", "$var(decrypted)");
YUZySHVtdlVTYjI0TGJNd3JTeVV0MlRaRWFraFNBRlM= is base64 of
aFrHumvUSb24LbMwrSyUt2TZEakhSAFS (if I got it right kamailio xpects base64
encoded password here:
https://github.com/kamailio/kamailio/blob/master/src/modules/crypto/crypto_mod.c#L501)
I noticed that first part of kamailio result is quite similar to nonce returned
by PHP, but even if I glue together nonce+passphrase, kamailio is unable to
decrypt resulting string:
QVFMbEZ4MzZpQ1dPNEp3Sg+JqKBJC99PIo5gDS1x35SONeslxH90l8FB4nVpKdJcw
Jan 10 00:38:43 kamailio docker[9648]: 7(13) exec: {1 35307 REGISTER
[email protected]} *** cfgtrace:dbg_cfg_trace():
request_route=[AUTH] c=[/etc/kamailio/kamailio.cfg] l=1260 a=27
n=crypto_aes_decrypt
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:108]: crypto_aes_init():
got 256 bytes key
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 61, iv: 9
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 46, iv: d7
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 72, iv: e7
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 48, iv: 53
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 75, iv: 79
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 6d, iv: 4
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 76, iv: f
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 55, iv: 66
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 53, iv: cf
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 62, iv: c9
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 32, iv: e
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 34, iv: 5c
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 4c, iv: cb
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 62, iv: b5
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 4d, iv: 6a
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 77, iv: 24
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 72, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 53, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 79, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 55, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 74, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 32, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 54, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 5a, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 45, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 61, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 6b, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 68, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 53, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 41, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 46, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) DEBUG: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:114]: crypto_aes_init():
key: 53, iv: 0
Jan 10 00:38:43 kamailio docker[9648]: 7(13) ERROR: {1 35307 REGISTER
[email protected]} crypto [crypto_aes.c:198]:
crypto_aes_decrypt(): failure in EVP_DecryptFinal_ex
Jan 10 00:38:43 kamailio docker[9648]: 7(13) ERROR: {1 35307 REGISTER
[email protected]} crypto [crypto_mod.c:531]:
ki_crypto_aes_decrypt_helper(): AES decryption failed
Please advice, maybe I am missing something here.
Best regards,
Arsenijs
________________________________
From: Henning Westerholt <[email protected]>
Sent: Monday, January 9, 2023 18:52
To: Arsenijs Kabihno <[email protected]>; [email protected]
<[email protected]>
Subject: RE: Kamailio Crypto module and 3rd party openssl
Hello,
maybe just try to cut the first bytes off, or specify it in the PHP function.
This (random) web site looks a bit more similar for what the Kamailio is doing,
maybe you can give it a try:
https://www.meridianoutpost.com/resources/etools/php-functions/php-openssl-decrypt.php
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com<https://gilawa.com/>
From: Arsenijs Kabihno <[email protected]>
Sent: Monday, January 9, 2023 5:28 PM
To: [email protected]
Cc: Henning Westerholt <[email protected]>
Subject: Re: Kamailio Crypto module and 3rd party openssl
Hello and thank you!
Yes, I did tried that, but unfortunately it doesn't change the way how 3rd
party openssl decrypted string looks, the only difference is that in case of
fixed IV first 16 symbols of string are the same for any password.
For example:
Password: kamailio
Encoded: QVFMbEZ4MzZpQ1dPNEp3SsEUkYkN9MYynvOmKYddD6A=
Decoded: çò<õ"×ÅÇR*u¢þn½Ýkamailio
Password: kamailio_qwerty123
Encoded: QVFMbEZ4MzZpQ1dPNEp3Sju/bdBKyeVCEgiRrvpBdGs36brwNM+VqNmAzbeQTiy7
Decoded: çò<õ"×ÅÇR*u¢þn½Ýkamailio_qwerty123
Best regards,
Arsenijs
________________________________
From: Henning Westerholt <[email protected]<mailto:[email protected]>>
Sent: Monday, January 9, 2023 16:00
To: Kamailio (SER) - Users Mailing List
<[email protected]<mailto:[email protected]>>
Cc: Arsenijs Kabihno <[email protected]<mailto:[email protected]>>
Subject: RE: Kamailio Crypto module and 3rd party openssl
Hello,
did you tried to actually set a fixed IV in the cfg? Otherwise it will generate
a random IV.
https://www.kamailio.org/docs/modules/devel/modules/crypto.html#crypto.p.init_vector
This was added to provider interoperability to other implementations.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com<https://gilawa.com/>
From: Arsenijs Kabihno <[email protected]<mailto:[email protected]>>
Sent: Monday, January 9, 2023 1:54 PM
To: [email protected]<mailto:[email protected]>
Subject: [SR-Users] Kamailio Crypto module and 3rd party openssl
Hello,
I am trying to make use of crypto module. The scenario is the following:
1. Encrypt plaintext passwords on kamailio side using crypto_aes_encrypt
function of crypto module
2. Decrypt them outside of kamailio using 3rd party tools, such as PHP
openssl_decrypt
Crypto module parametrs are the following:
modparam("crypto", "salt", "")
modparam("crypto", "key_derivation", 0)
If encryption and decription are handled by kamailio, the initial password
matches the decrypted string (initial password -> encrypted string -> decrypted
string)
For example:
sql_query("ds_dburl", "select secret from kamailio_sip_buddies where
username='$au'", "secret");
$avp(secret_plain) = $dbr(secret=>[0,0]); //value: 'kamailio'
crypto_aes_encrypt("$avp(secret_plain)",
"YUZySHVtdlVTYjI0TGJNd3JTeVV0MlRaRWFraFNBRlM=", "$var(encrypted)"); //value:
'qfOqTMoJMgGAherGCqLRRQc4zTlqsEj3MEtcORurFf0='
crypto_aes_decrypt("$avp(secret_plain)",
"YUZySHVtdlVTYjI0TGJNd3JTeVV0MlRaRWFraFNBRlM=", "$var(decrypted)"); //value:
'kamailio'
But in case I try to decrypt the value of $var(encrypted) using PHP
openssl_decrypt or online tool like
https://www.devglan.com/online-tools/aes-encryption-decryption, I am getting
the result 'kamailio' prepended by 16 random bytes, like:
6“¤›¿Ð+IÊ\ñžïZkamailio
or
6�����+I\��Zkamailio
I believe this 16 bytes are actually random initialization vector in some
encoding.
Possibly kamailio is trimming them from result here:
https://github.com/kamailio/kamailio/blob/master/src/modules/crypto/crypto_mod.c#L511
Moreover, if secret was encrypted using crypto_aes_encrypt and random IV, you
can use any IV while decrypting and get 16 different bytes+result
Please advice if someone have used crypto module in similar way and what are
the possible ways to acheive results consistency
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to [email protected]
Important: keep the mailing list in the recipients, do not reply only to the
sender!
Edit mailing list options or unsubscribe:
