OWASP / pysap

pysap is an open source Python library that provides modules for crafting and sending packets using SAP's NI, Diag, Enqueue, Router, MS, SNC, IGS, RFC and HDB protocols.
https://owasp.org/www-project-core-business-application-security/
GNU General Public License v2.0

rsecssfs key decrypt fix (see #70) #71

Closed gvb84 closed 1 year ago

gvb84 commented 1 year ago

This introduces the new class SAPSSFSKeyE, which can be used directly instead of SAPSSFSKey. There is then no need to copy the key anymore, as per the proof of concept in issue #70, as the property .key on SAPSSFSKeyE will transparently call the decryption routine and return the decrypted key based on the hardcoded routine in rsec_decrypt_key provided by @rstenet.

martingalloar commented 1 year ago

Looks good to me overall! Will test further later on.

Do you think it would be possible to add a simple unit test, maybe by manually generating some dummy key/data file, and add it to the test suite? This will be important also as we finalize the migration of the codebase to Py3 to make sure there're no regressions. You can take a look at the existing unit test for the hdb flavor here: https://github.com/OWASP/pysap/blob/master/tests/sapssfs_test.py#L46

gvb84 commented 1 year ago

@martingalloar Prepared a file with one plaintext and one encrypted value, both the same value. Added a quick test that uses the newly introduced class SAPSSFSKeyE that is used for this test data. Result should be something like the following:

gvb@caladan:~/pysap$ python2 -m unittest tests.sapssfs_test
No handlers could be found for logger "pysap.ssfs"
......
----------------------------------------------------------------------
Ran 6 tests in 0.012s

OK