From a002bbdae7018d7c23f857780074ef00e3e6f31e Mon Sep 17 00:00:00 2001
From: Tobi Oetiker
Date: Tue, 18 Mar 2008 08:10:40 +0000
Subject: switch to HMAC digest to avert extension attack
---
 lib/Smokeping/Master.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'lib/Smokeping/Master.pm')
diff --git a/lib/Smokeping/Master.pm b/lib/Smokeping/Master.pm
index 6fbdcbf..bb06921 100644
--- a/lib/Smokeping/Master.pm
+++ b/lib/Smokeping/Master.pm
@@ -5,7 +5,7 @@ use Storable qw(nstore dclone retrieve);
 use strict;
 use warnings;
 use Fcntl qw(:flock);
-use Digest::MD5 qw(md5_base64);
+use Digest::MD5 qw(hmac_md5_hex);

 =head1 NAME

@@ -225,7 +225,7 @@ sub answer_slave {
 return;
 }
 # lets make sure the we share a secret
- if (md5_base64($secret.$data) eq $key){
+ if (hmac_md5_hex($data,$secret) eq $key){
 save_updates $cfg, $slave, $data;
 } else {
 print "Content-Type: text/plain\n\n";
@@ -237,7 +237,7 @@ sub answer_slave {
 my $config = extract_config $cfg, $slave;
 if ($config){
 print "Content-Type: application/smokeping-config\n";
- print "Key: ".md5_base64($secret.$config)."\n\n";
+ print "Key: ".hmac_md5_hex($config,$secret)."\n\n";
 print $config;
 } else {
 print "Content-Type: text/plain\n\n";
--
cgit v1.2.3-24-g4f1b
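Review bot: The new import `use Digest::MD5 qw(hmac_md5_hex);` names a function that Digest::MD5 does not export; that module offers `md5`, `md5_hex` and `md5_base64`, so loading Master.pm should fail at compile time with an Exporter error. `hmac_md5_hex` is provided by Digest::HMAC_MD5 (Digest-HMAC distribution), so the line should read `use Digest::HMAC_MD5 qw(hmac_md5_hex);`. That distribution then becomes an install requirement and should be listed wherever the project documents its Perl dependencies. Both call sites in `answer_slave` (the key check and the `Key:` header in the later hunks) depend on this import.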
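Review bot: The key check `hmac_md5_hex($data,$secret) eq $key` still compares the MAC with `eq`, whose running time can depend on how many leading characters match, so the comparison is not fixed-time. Compute the expected value once, e.g. `my $expected = hmac_md5_hex($data,$secret);`, and compare it to `$key` with a length check followed by a byte-wise XOR accumulation over the whole string. A comment such as `# HMAC over the slave data, keyed with the shared secret; argument order is (data, key)` would also guard against the arguments being swapped later. `answer_slave` starts and ends outside this hunk, so whether `$key` and `$secret` are checked for being defined and non-empty before this point is not visible here.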
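Review bot: The `Key:` header printed here changes both construction and encoding (base64 MD5 of secret plus config becomes hex HMAC-MD5), and this patch is limited to Master.pm, so the slave-side verification is not visible. If slaves are not switched in the same release they will presumably reject every config they fetch; the upgrade notes should state that master and slaves must be updated together. The value also authenticates `$config` alone, so if the protocol carries no freshness field an older signed config would still verify; this is worth confirming against the slave code. The surrounding `answer_slave` body continues past the hunk.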