From c701adbd241ea84d6f64842e8015c1009a41d786 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 24 Apr 2014 21:34:45 +0200 Subject: Initial C++ SSL classes. --- src/Globals.h | 6 ++-- src/PolarSSL++/CtrDrbgContext.cpp | 49 ++++++++++++++++++++++++++++++++ src/PolarSSL++/CtrDrbgContext.h | 60 +++++++++++++++++++++++++++++++++++++++ src/PolarSSL++/EntropyContext.cpp | 29 +++++++++++++++++++ src/PolarSSL++/EntropyContext.h | 31 ++++++++++++++++++++ src/PolarSSL++/X509Cert.cpp | 38 +++++++++++++++++++++++++ src/PolarSSL++/X509Cert.h | 37 ++++++++++++++++++++++++ 7 files changed, 248 insertions(+), 2 deletions(-) create mode 100644 src/PolarSSL++/CtrDrbgContext.cpp create mode 100644 src/PolarSSL++/CtrDrbgContext.h create mode 100644 src/PolarSSL++/EntropyContext.cpp create mode 100644 src/PolarSSL++/EntropyContext.h create mode 100644 src/PolarSSL++/X509Cert.cpp create mode 100644 src/PolarSSL++/X509Cert.h diff --git a/src/Globals.h b/src/Globals.h index 26a0d87a9..3d7c9707c 100644 --- a/src/Globals.h +++ b/src/Globals.h @@ -264,9 +264,11 @@ template class SizeChecker; // Same as assert but in all Self test builds #ifdef SELF_TEST -#define assert_test(x) ( !!(x) || (assert(!#x), exit(1), 0)) + #define assert_test(x) ( !!(x) || (assert(!#x), exit(1), 0)) #endif +#define SharedPtr std::tr1::shared_ptr + @@ -296,7 +298,7 @@ T Clamp(T a_Value, T a_Min, T a_Max) #ifndef TOLUA_TEMPLATE_BIND -#define TOLUA_TEMPLATE_BIND(x) + #define TOLUA_TEMPLATE_BIND(x) #endif diff --git a/src/PolarSSL++/CtrDrbgContext.cpp b/src/PolarSSL++/CtrDrbgContext.cpp new file mode 100644 index 000000000..86e6d1ca5 --- /dev/null +++ b/src/PolarSSL++/CtrDrbgContext.cpp @@ -0,0 +1,49 @@ + +// CtrDrbgContext.cpp + +// Implements the cCtrDrbgContext class representing a wrapper over CTR-DRBG implementation in PolarSSL + +#include "Globals.h" +#include "CtrDrbgContext.h" +#include "EntropyContext.h" + + + + + +cCtrDrbgContext::cCtrDrbgContext(void) : + m_EntropyContext(new cEntropyContext), + m_IsValid(false) +{ +} + + + + + +cCtrDrbgContext::cCtrDrbgContext(const SharedPtr & a_EntropyContext) : + m_EntropyContext(a_EntropyContext), + m_IsValid(false) +{ +} + + + + + +int cCtrDrbgContext::Initialize(const void * a_Custom, size_t a_CustomSize) +{ + if (m_IsValid) + { + // Already initialized + return 0; + } + + int res = ctr_drbg_init(&m_CtrDrbg, entropy_func, &(m_EntropyContext->m_Entropy), (const unsigned char *)a_Custom, a_CustomSize); + m_IsValid = (res == 0); + return res; +} + + + + diff --git a/src/PolarSSL++/CtrDrbgContext.h b/src/PolarSSL++/CtrDrbgContext.h new file mode 100644 index 000000000..987f4dd72 --- /dev/null +++ b/src/PolarSSL++/CtrDrbgContext.h @@ -0,0 +1,60 @@ + +// CtrDrbgContext.h + +// Declares the cCtrDrbgContext class representing a wrapper over CTR-DRBG implementation in PolarSSL + + + + + +#pragma once + +#include "polarssl/ctr_drbg.h" + + + + + +// fwd: EntropyContext.h +class cEntropyContext; + + + + + +class cCtrDrbgContext +{ + friend class cSslContext; + +public: + /** Constructs the context with a new entropy context. */ + cCtrDrbgContext(void); + + /** Constructs the context with the specified entropy context. */ + cCtrDrbgContext(const SharedPtr & a_EntropyContext); + + /** Initializes the context. + a_Custom is optional additional data to use for entropy, nullptr is accepted. + Returns 0 if successful, PolarSSL error code on failure. */ + int Initialize(const void * a_Custom, size_t a_CustomSize); + + /** Returns true if the object is valid (has been initialized properly) */ + bool IsValid(void) const { return m_IsValid; } + + /** Returns the internal context ptr. Only use in PolarSSL API calls. */ + __declspec(deprecated) ctr_drbg_context * Get(void) { return &m_CtrDrbg; } + +protected: + /** The entropy source used for generating the random */ + SharedPtr m_EntropyContext; + + /** The random generator context */ + ctr_drbg_context m_CtrDrbg; + + /** Set to true if the object is valid (has been initialized properly) */ + bool m_IsValid; +} ; + + + + diff --git a/src/PolarSSL++/EntropyContext.cpp b/src/PolarSSL++/EntropyContext.cpp new file mode 100644 index 000000000..9c59b3f11 --- /dev/null +++ b/src/PolarSSL++/EntropyContext.cpp @@ -0,0 +1,29 @@ + +// EntropyContext.cpp + +// Implements the cEntropyContext class representing a wrapper over entropy contexts in PolarSSL + +#include "Globals.h" +#include "EntropyContext.h" + + + + + +cEntropyContext::cEntropyContext(void) +{ + entropy_init(&m_Entropy); +} + + + + + +cEntropyContext::~cEntropyContext() +{ + entropy_free(&m_Entropy); +} + + + + diff --git a/src/PolarSSL++/EntropyContext.h b/src/PolarSSL++/EntropyContext.h new file mode 100644 index 000000000..bc7fff066 --- /dev/null +++ b/src/PolarSSL++/EntropyContext.h @@ -0,0 +1,31 @@ + +// EntropyContext.h + +// Declares the cEntropyContext class representing a wrapper over entropy contexts in PolarSSL + + + + + +#pragma once + +#include "polarssl/entropy.h" + + + + + +class cEntropyContext +{ + friend class cCtrDrbgContext; +public: + cEntropyContext(void); + ~cEntropyContext(); + +protected: + entropy_context m_Entropy; +} ; + + + + diff --git a/src/PolarSSL++/X509Cert.cpp b/src/PolarSSL++/X509Cert.cpp new file mode 100644 index 000000000..ecf664855 --- /dev/null +++ b/src/PolarSSL++/X509Cert.cpp @@ -0,0 +1,38 @@ + +// X509Cert.cpp + +// Implements the cX509Cert class representing a wrapper over X509 certs in PolarSSL + +#include "Globals.h" +#include "X509Cert.h" + + + + + +cX509Cert::cX509Cert(void) +{ + x509_crt_init(&m_Cert); +} + + + + + +cX509Cert::~cX509Cert() +{ + x509_crt_free(&m_Cert); +} + + + + + +int cX509Cert::Parse(const void * a_CertContents, size_t a_Size) +{ + return x509_crt_parse(&m_Cert, (const unsigned char *)a_CertContents, a_Size); +} + + + + diff --git a/src/PolarSSL++/X509Cert.h b/src/PolarSSL++/X509Cert.h new file mode 100644 index 000000000..b0450510d --- /dev/null +++ b/src/PolarSSL++/X509Cert.h @@ -0,0 +1,37 @@ + +// X509Cert.h + +// Declares the cX509Cert class representing a wrapper over X509 certs in PolarSSL + + + + + +#pragma once + +#include "polarssl/x509_crt.h" + + + + + +class cX509Cert +{ +public: + cX509Cert(void); + ~cX509Cert(void); + + /** Parses the certificate chain data into the context. + Returns 0 on succes, or PolarSSL error code on failure. */ + int Parse(const void * a_CertContents, size_t a_Size); + + /** Returns the internal cert ptr. Only use in PolarSSL API calls. */ + __declspec(deprecated) x509_crt * Get(void) { return &m_Cert; } + +protected: + x509_crt m_Cert; +} ; + + + + -- cgit v1.2.3 From c4b4447a3ada43d4333bba329e89700527870332 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 24 Apr 2014 21:51:19 +0200 Subject: Authenticator uses some C++ SSL objects. --- src/Protocol/Authenticator.cpp | 59 ++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 19 deletions(-) diff --git a/src/Protocol/Authenticator.cpp b/src/Protocol/Authenticator.cpp index e0fcc0007..ccc994e36 100644 --- a/src/Protocol/Authenticator.cpp +++ b/src/Protocol/Authenticator.cpp @@ -13,10 +13,12 @@ #include "polarssl/config.h" #include "polarssl/net.h" #include "polarssl/ssl.h" -#include "polarssl/entropy.h" #include "polarssl/ctr_drbg.h" #include "polarssl/error.h" -#include "polarssl/certs.h" + +#include "PolarSSL++/EntropyContext.h" +#include "PolarSSL++/CtrDrbgContext.h" +#include "PolarSSL++/X509Cert.h" #include #include @@ -150,31 +152,52 @@ bool cAuthenticator::AuthWithYggdrasil(AString & a_UserName, const AString & a_S int ret, server_fd = -1; unsigned char buf[1024]; - const char *pers = "cAuthenticator"; + const char pers[] = "cAuthenticator"; - entropy_context entropy; - ctr_drbg_context ctr_drbg; + cCtrDrbgContext CtrDrbg; ssl_context ssl; - x509_crt cacert; + cX509Cert CACert; /* Initialize the RNG and the session data */ memset(&ssl, 0, sizeof(ssl_context)); - x509_crt_init(&cacert); - entropy_init(&entropy); - if ((ret = ctr_drbg_init(&ctr_drbg, entropy_func, &entropy, (const unsigned char *)pers, strlen(pers))) != 0) + if ((ret = CtrDrbg.Initialize(pers, sizeof(pers))) != 0) { - LOGWARNING("cAuthenticator: ctr_drbg_init returned %d", ret); + LOGWARNING("cAuthenticator: CtrDrbg.Initialize() returned %d", ret); return false; } /* Initialize certificates */ - // TODO: Grab the sessionserver's root CA and any intermediates and hard-code them here, instead of test_ca_list - ret = x509_crt_parse(&cacert, (const unsigned char *)test_ca_list, strlen(test_ca_list)); - + // This is the root cert for Starfield Technologies, the CA that signed sessionserver.mojang.com's cert: + static const char StarfieldCACert[] = + "-----BEGIN CERTIFICATE-----\n" + "MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx\n" + "EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT\n" + "HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs\n" + "ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw\n" + "MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6\n" + "b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj\n" + "aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp\n" + "Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n" + "ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg\n" + "nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1\n" + "HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N\n" + "Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN\n" + "dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0\n" + "HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO\n" + "BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G\n" + "CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU\n" + "sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3\n" + "4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg\n" + "8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K\n" + "pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1\n" + "mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0\n" + "-----END CERTIFICATE-----"; + // Parse the Starfield CA and add it to "trusted root certs" + ret = CACert.Parse(StarfieldCACert, sizeof(StarfieldCACert) - 1); if (ret < 0) { - LOGWARNING("cAuthenticator: x509_crt_parse returned -0x%x", -ret); + LOGWARNING("cAuthenticator: CACert.Parse returned -0x%x", -ret); return false; } @@ -193,8 +216,8 @@ bool cAuthenticator::AuthWithYggdrasil(AString & a_UserName, const AString & a_S } ssl_set_endpoint(&ssl, SSL_IS_CLIENT); ssl_set_authmode(&ssl, SSL_VERIFY_OPTIONAL); - ssl_set_ca_chain(&ssl, &cacert, NULL, "PolarSSL Server 1"); - ssl_set_rng(&ssl, ctr_drbg_random, &ctr_drbg); + ssl_set_ca_chain(&ssl, CACert.Get(), NULL, "PolarSSL Server 1"); + ssl_set_rng(&ssl, ctr_drbg_random, CtrDrbg.Get()); ssl_set_bio(&ssl, net_recv, &server_fd, net_send, &server_fd); /* Handshake */ @@ -253,13 +276,11 @@ bool cAuthenticator::AuthWithYggdrasil(AString & a_UserName, const AString & a_S } Response.append((const char *)buf, ret); - } + } ssl_close_notify(&ssl); - x509_crt_free(&cacert); net_close(server_fd); ssl_free(&ssl); - entropy_free(&entropy); memset(&ssl, 0, sizeof(ssl)); // Check the HTTP status line: -- cgit v1.2.3 From e33573ab59fefb76c1d01910f49428d808992b2b Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 24 Apr 2014 21:51:39 +0200 Subject: Attempted CMake inclusion for PolarSSL++. --- src/CMakeLists.txt | 4 ++-- src/PolarSSL++/CMakeLists.txt | 17 +++++++++++++++++ 2 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 src/PolarSSL++/CMakeLists.txt diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 30e9dbfd4..67bb299db 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -5,7 +5,7 @@ include_directories (SYSTEM "${PROJECT_SOURCE_DIR}/../lib/") include_directories (SYSTEM "${PROJECT_SOURCE_DIR}/../lib/jsoncpp/include") include_directories (SYSTEM "${PROJECT_SOURCE_DIR}/../lib/polarssl/include") -set(FOLDERS OSSupport HTTPServer Items Blocks Protocol Generating) +set(FOLDERS OSSupport HTTPServer Items Blocks Protocol Generating PolarSSL++) set(FOLDERS ${FOLDERS} WorldStorage Mobs Entities Simulator UI BlockEntities Generating/Prefabs) @@ -233,7 +233,7 @@ endif () if (NOT MSVC) target_link_libraries(${EXECUTABLE} OSSupport HTTPServer Bindings Items Blocks) target_link_libraries(${EXECUTABLE} Protocol Generating Generating_Prefabs WorldStorage) - target_link_libraries(${EXECUTABLE} Mobs Entities Simulator UI BlockEntities) + target_link_libraries(${EXECUTABLE} Mobs Entities Simulator UI BlockEntities PolarSSL++) endif () if (WIN32) target_link_libraries(${EXECUTABLE} expat tolualib ws2_32.lib Psapi.lib) diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt new file mode 100644 index 000000000..4f954a7e5 --- /dev/null +++ b/src/PolarSSL++/CMakeLists.txt @@ -0,0 +1,17 @@ + +cmake_minimum_required (VERSION 2.6) +project (MCServer) + +include_directories ("${PROJECT_SOURCE_DIR}/../") + +set(SOURCES + "EntropyContext.cpp" + "CtrDrbgContext.cpp" + "x509Cert.cpp" +) + +add_library(PolarSSL++ ${SOURCES}) + +if (UNIX) + target_link_libraries(PolarSSL++ polarssl) +endif() -- cgit v1.2.3 From c7694687f5d921a354fa87ea47c36570e705b9ff Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 24 Apr 2014 22:15:21 +0200 Subject: Fixed filename case. --- src/PolarSSL++/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index 4f954a7e5..c5b747980 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -7,7 +7,7 @@ include_directories ("${PROJECT_SOURCE_DIR}/../") set(SOURCES "EntropyContext.cpp" "CtrDrbgContext.cpp" - "x509Cert.cpp" + "X509Cert.cpp" ) add_library(PolarSSL++ ${SOURCES}) -- cgit v1.2.3 From a02e8e8021147783b011d9a2f99ba3f1128ae8e8 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 24 Apr 2014 22:30:19 +0200 Subject: Declared a SharedPtr that hopefully resolves on all platforms. MSVC2008 has it in std::tr1, all the others in std. --- src/Globals.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/Globals.h b/src/Globals.h index 3d7c9707c..2e7e0c9cf 100644 --- a/src/Globals.h +++ b/src/Globals.h @@ -267,7 +267,15 @@ template class SizeChecker; #define assert_test(x) ( !!(x) || (assert(!#x), exit(1), 0)) #endif -#define SharedPtr std::tr1::shared_ptr +// Allow both Older versions of MSVC and newer versions of everything use a shared_ptr: +// Note that we cannot typedef, because C++ doesn't allow (partial) templates to be typedeffed. +#if (defined(_MSC_VER) && (_MSC_VER < 1600)) + // MSVC before 2010 doesn't have std::shared_ptr, but has std::tr1::shared_ptr + #define SharedPtr std::tr1::shared_ptr +#else + // All others have std::shared ptr + #define SharedPtr std::shared_ptr +#endif -- cgit v1.2.3 From 616fb15508187d317a7ca4195667e204faf3749c Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 24 Apr 2014 22:42:33 +0200 Subject: cByteBuffer uses void * instead of char * in data interface. This makes it compatible with any pointer type. --- src/ByteBuffer.cpp | 9 +++++---- src/ByteBuffer.h | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/ByteBuffer.cpp b/src/ByteBuffer.cpp index c634dc308..ad753118b 100644 --- a/src/ByteBuffer.cpp +++ b/src/ByteBuffer.cpp @@ -171,7 +171,7 @@ cByteBuffer::~cByteBuffer() -bool cByteBuffer::Write(const char * a_Bytes, size_t a_Count) +bool cByteBuffer::Write(const void * a_Bytes, size_t a_Count) { CHECK_THREAD; CheckValid(); @@ -187,13 +187,14 @@ bool cByteBuffer::Write(const char * a_Bytes, size_t a_Count) } ASSERT(m_BufferSize >= m_WritePos); size_t TillEnd = m_BufferSize - m_WritePos; + const char * Bytes = (const char *)a_Bytes; if (TillEnd <= a_Count) { // Need to wrap around the ringbuffer end if (TillEnd > 0) { - memcpy(m_Buffer + m_WritePos, a_Bytes, TillEnd); - a_Bytes += TillEnd; + memcpy(m_Buffer + m_WritePos, Bytes, TillEnd); + Bytes += TillEnd; a_Count -= TillEnd; WrittenBytes = TillEnd; } @@ -203,7 +204,7 @@ bool cByteBuffer::Write(const char * a_Bytes, size_t a_Count) // We're guaranteed that we'll fit in a single write op if (a_Count > 0) { - memcpy(m_Buffer + m_WritePos, a_Bytes, a_Count); + memcpy(m_Buffer + m_WritePos, Bytes, a_Count); m_WritePos += a_Count; WrittenBytes += a_Count; } diff --git a/src/ByteBuffer.h b/src/ByteBuffer.h index 44f43e17f..7656a5b13 100644 --- a/src/ByteBuffer.h +++ b/src/ByteBuffer.h @@ -31,7 +31,7 @@ public: ~cByteBuffer(); /// Writes the bytes specified to the ringbuffer. Returns true if successful, false if not - bool Write(const char * a_Bytes, size_t a_Count); + bool Write(const void * a_Bytes, size_t a_Count); /// Returns the number of bytes that can be successfully written to the ringbuffer size_t GetFreeSpace(void) const; -- cgit v1.2.3 From 4f49c978cf6b130ede105e9a858831806e51d118 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 24 Apr 2014 22:43:20 +0200 Subject: Replaced MSVC-specific decorators with our universal ones. --- src/PolarSSL++/CtrDrbgContext.h | 2 +- src/PolarSSL++/X509Cert.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/PolarSSL++/CtrDrbgContext.h b/src/PolarSSL++/CtrDrbgContext.h index 987f4dd72..e9a1e17e2 100644 --- a/src/PolarSSL++/CtrDrbgContext.h +++ b/src/PolarSSL++/CtrDrbgContext.h @@ -42,7 +42,7 @@ public: bool IsValid(void) const { return m_IsValid; } /** Returns the internal context ptr. Only use in PolarSSL API calls. */ - __declspec(deprecated) ctr_drbg_context * Get(void) { return &m_CtrDrbg; } + OBSOLETE ctr_drbg_context * Get(void) { return &m_CtrDrbg; } protected: /** The entropy source used for generating the random */ diff --git a/src/PolarSSL++/X509Cert.h b/src/PolarSSL++/X509Cert.h index b0450510d..5ef19c324 100644 --- a/src/PolarSSL++/X509Cert.h +++ b/src/PolarSSL++/X509Cert.h @@ -26,7 +26,7 @@ public: int Parse(const void * a_CertContents, size_t a_Size); /** Returns the internal cert ptr. Only use in PolarSSL API calls. */ - __declspec(deprecated) x509_crt * Get(void) { return &m_Cert; } + OBSOLETE x509_crt * Get(void) { return &m_Cert; } protected: x509_crt m_Cert; -- cgit v1.2.3 From f3dfc0349d7008efa50855c739d86918bdbf4a88 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Fri, 25 Apr 2014 09:48:52 +0200 Subject: Added shared_ptr handling for C++03 mode. --- src/Globals.h | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/Globals.h b/src/Globals.h index 2e7e0c9cf..93baf69ea 100644 --- a/src/Globals.h +++ b/src/Globals.h @@ -270,11 +270,15 @@ template class SizeChecker; // Allow both Older versions of MSVC and newer versions of everything use a shared_ptr: // Note that we cannot typedef, because C++ doesn't allow (partial) templates to be typedeffed. #if (defined(_MSC_VER) && (_MSC_VER < 1600)) - // MSVC before 2010 doesn't have std::shared_ptr, but has std::tr1::shared_ptr + // MSVC before 2010 doesn't have std::shared_ptr, but has std::tr1::shared_ptr, defined in included earlier #define SharedPtr std::tr1::shared_ptr -#else - // All others have std::shared ptr +#elif (__cplusplus > 201103L) + // C++11 has std::shared_ptr in , included earlier #define SharedPtr std::shared_ptr +#else + // C++03 has std::tr1::shared_ptr in + #include + #define SharedPtr std::tr1::shared_ptr #endif -- cgit v1.2.3 From 6d167b370e409d77eb2b9e02bc95b80463670823 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Fri, 25 Apr 2014 16:05:24 +0200 Subject: Fixed C++11 check for SharedPtr. --- src/Globals.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Globals.h b/src/Globals.h index 93baf69ea..a09819ce9 100644 --- a/src/Globals.h +++ b/src/Globals.h @@ -272,7 +272,7 @@ template class SizeChecker; #if (defined(_MSC_VER) && (_MSC_VER < 1600)) // MSVC before 2010 doesn't have std::shared_ptr, but has std::tr1::shared_ptr, defined in included earlier #define SharedPtr std::tr1::shared_ptr -#elif (__cplusplus > 201103L) +#elif (__cplusplus >= 201103L) // C++11 has std::shared_ptr in , included earlier #define SharedPtr std::shared_ptr #else -- cgit v1.2.3 From f301d052cfa70d00f76c31fcad4f961040736a80 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Sun, 27 Apr 2014 22:20:49 +0200 Subject: cSocket creates the socket in Connect if no socket is present yet. --- src/OSSupport/Socket.cpp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/OSSupport/Socket.cpp b/src/OSSupport/Socket.cpp index c29e495c3..98f694a79 100644 --- a/src/OSSupport/Socket.cpp +++ b/src/OSSupport/Socket.cpp @@ -295,7 +295,7 @@ bool cSocket::ConnectToLocalhostIPv4(unsigned short a_Port) bool cSocket::ConnectIPv4(const AString & a_HostNameOrAddr, unsigned short a_Port) { - // First try IP Address string to hostent conversion, because it's faster + // First try IP Address string to hostent conversion, because it's faster and local: unsigned long addr = inet_addr(a_HostNameOrAddr.c_str()); if (addr == INADDR_NONE) { @@ -307,10 +307,16 @@ bool cSocket::ConnectIPv4(const AString & a_HostNameOrAddr, unsigned short a_Por CloseSocket(); return false; } - // Should be optimised to a single word copy memcpy(&addr, hp->h_addr, hp->h_length); } + // If the socket is not created yet, create one: + if (!IsValid()) + { + m_Socket = socket((int)IPv4, SOCK_STREAM, 0); + } + + // Connect the socket: sockaddr_in server; server.sin_addr.s_addr = addr; server.sin_family = AF_INET; -- cgit v1.2.3 From 0bdc49221b325feb3a09988737559361fe916be2 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Sun, 27 Apr 2014 22:27:53 +0200 Subject: PolarSSL wrappers for the SSL context. --- src/PolarSSL++/BlockingSslClientSocket.cpp | 195 +++++++++++++++++++++++++++++ src/PolarSSL++/BlockingSslClientSocket.h | 80 ++++++++++++ src/PolarSSL++/BufferedSslContext.cpp | 62 +++++++++ src/PolarSSL++/BufferedSslContext.h | 52 ++++++++ src/PolarSSL++/CMakeLists.txt | 18 ++- src/PolarSSL++/CallbackSslContext.cpp | 59 +++++++++ src/PolarSSL++/CallbackSslContext.h | 61 +++++++++ src/PolarSSL++/SslContext.cpp | 181 ++++++++++++++++++++++++++ src/PolarSSL++/SslContext.h | 134 ++++++++++++++++++++ src/PolarSSL++/X509Cert.h | 10 +- 10 files changed, 847 insertions(+), 5 deletions(-) create mode 100644 src/PolarSSL++/BlockingSslClientSocket.cpp create mode 100644 src/PolarSSL++/BlockingSslClientSocket.h create mode 100644 src/PolarSSL++/BufferedSslContext.cpp create mode 100644 src/PolarSSL++/BufferedSslContext.h create mode 100644 src/PolarSSL++/CallbackSslContext.cpp create mode 100644 src/PolarSSL++/CallbackSslContext.h create mode 100644 src/PolarSSL++/SslContext.cpp create mode 100644 src/PolarSSL++/SslContext.h diff --git a/src/PolarSSL++/BlockingSslClientSocket.cpp b/src/PolarSSL++/BlockingSslClientSocket.cpp new file mode 100644 index 000000000..20b2df1e7 --- /dev/null +++ b/src/PolarSSL++/BlockingSslClientSocket.cpp @@ -0,0 +1,195 @@ + +// BlockingSslClientSocket.cpp + +// Implements the cBlockingSslClientSocket class representing a blocking TCP socket with client SSL encryption over it + +#include "Globals.h" +#include "BlockingSslClientSocket.h" + + + + + +cBlockingSslClientSocket::cBlockingSslClientSocket(void) : + m_IsConnected(false), + m_Ssl(*this) +{ + // Nothing needed yet +} + + + + + +bool cBlockingSslClientSocket::Connect(const AString & a_ServerName, UInt16 a_Port) +{ + // If already connected, report an error: + if (m_IsConnected) + { + // TODO: Handle this better - if connected to the same server and port, and the socket is alive, return success + m_LastErrorText = "Already connected"; + return false; + } + + // Connect the underlying socket: + m_Socket.CreateSocket(cSocket::IPv4); + if (!m_Socket.ConnectIPv4(a_ServerName.c_str(), a_Port)) + { + Printf(m_LastErrorText, "Socket connect failed: %s", m_Socket.GetLastErrorString().c_str()); + return false; + } + + // Initialize the SSL: + int ret = m_Ssl.Initialize(true); + if (ret != 0) + { + Printf(m_LastErrorText, "SSL initialization failed: -0x%x", -ret); + return false; + } + + // If we have been assigned a trusted CA root cert store, push it into the SSL context: + if (m_CACerts.get() != NULL) + { + m_Ssl.SetCACerts(m_CACerts, m_ExpectedPeerName); + } + + ret = m_Ssl.Handshake(); + if (ret != 0) + { + Printf(m_LastErrorText, "SSL handshake failed: -0x%x", -ret); + return false; + } + + m_IsConnected = true; + return true; +} + + + + + + +bool cBlockingSslClientSocket::SetTrustedRootCertsFromString(const AString & a_CACerts, const AString & a_ExpectedPeerName) +{ + // Warn if used multiple times, but don't signal an error: + if (m_CACerts.get() != NULL) + { + LOGWARNING( + "SSL: Trying to set multiple trusted CA root cert stores, only the last one will be used. Name: %s", + a_ExpectedPeerName.c_str() + ); + } + + // Parse the cert: + m_CACerts.reset(new cX509Cert); + int ret = m_CACerts->Parse(a_CACerts.data(), a_CACerts.size()); + if (ret < 0) + { + Printf(m_LastErrorText, "CA cert parsing failed: -0x%x", -ret); + return false; + } + m_ExpectedPeerName = a_ExpectedPeerName; + + return true; +} + + + + + +bool cBlockingSslClientSocket::Send(const void * a_Data, size_t a_NumBytes) +{ + ASSERT(m_IsConnected); + + // Keep sending the data until all of it is sent: + const char * Data = (const char *)a_Data; + size_t NumBytes = a_NumBytes; + for (;;) + { + int res = m_Ssl.WritePlain(a_Data, a_NumBytes); + if (res < 0) + { + ASSERT(res != POLARSSL_ERR_NET_WANT_READ); // This should never happen with callback-based SSL + ASSERT(res != POLARSSL_ERR_NET_WANT_WRITE); // This should never happen with callback-based SSL + Printf(m_LastErrorText, "Data cannot be written to SSL context: -0x%x", -res); + return false; + } + else + { + Data += res; + NumBytes -= res; + if (NumBytes == 0) + { + return true; + } + } + } +} + + + + + + +int cBlockingSslClientSocket::Receive(void * a_Data, size_t a_MaxBytes) +{ + ASSERT(m_IsConnected); + + int res = m_Ssl.ReadPlain(a_Data, a_MaxBytes); + if (res < 0) + { + Printf(m_LastErrorText, "Data cannot be read form SSL context: -0x%x", -res); + } + return res; +} + + + + + +void cBlockingSslClientSocket::Disconnect(void) +{ + // Ignore if not connected + if (!m_IsConnected) + { + return; + } + + m_Ssl.NotifyClose(); + m_Socket.CloseSocket(); + m_IsConnected = false; +} + + + + + +int cBlockingSslClientSocket::ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) +{ + int res = m_Socket.Receive((char *)a_Buffer, a_NumBytes, 0); + if (res < 0) + { + // PolarSSL's net routines distinguish between connection reset and general failure, we don't need to + return POLARSSL_ERR_NET_RECV_FAILED; + } + return res; +} + + + + + +int cBlockingSslClientSocket::SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) +{ + int res = m_Socket.Send((const char *)a_Buffer, a_NumBytes); + if (res < 0) + { + // PolarSSL's net routines distinguish between connection reset and general failure, we don't need to + return POLARSSL_ERR_NET_SEND_FAILED; + } + return res; +} + + + + diff --git a/src/PolarSSL++/BlockingSslClientSocket.h b/src/PolarSSL++/BlockingSslClientSocket.h new file mode 100644 index 000000000..7af897582 --- /dev/null +++ b/src/PolarSSL++/BlockingSslClientSocket.h @@ -0,0 +1,80 @@ + +// BlockingSslClientSocket.h + +// Declares the cBlockingSslClientSocket class representing a blocking TCP socket with client SSL encryption over it + + + + + +#pragma once + +#include "CallbackSslContext.h" +#include "../OSSupport/Socket.h" + + + + + +class cBlockingSslClientSocket : + protected cCallbackSslContext::cDataCallbacks +{ +public: + cBlockingSslClientSocket(void); + + /** Connects to the specified server and performs SSL handshake. + Returns true if successful, false on failure. Sets internal error text on failure. */ + bool Connect(const AString & a_ServerName, UInt16 a_Port); + + /** Sends the specified data over the connection. + Returns true if successful, false on failure. Sets the internal error text on failure. */ + bool Send(const void * a_Data, size_t a_NumBytes); + + /** Receives data from the connection. + Blocks until there is any data available, then returns as much as possible. + Returns the number of bytes actually received, negative number on failure. + Sets the internal error text on failure. */ + int Receive(void * a_Data, size_t a_MaxBytes); + + /** Disconnects the connection gracefully, if possible. + Note that this also frees the internal SSL context, so all the certificates etc. are lost. */ + void Disconnect(void); + + /** Sets the root certificates that are to be trusted. Forces the connection to use strict cert + verification. Needs to be used before calling Connect(). + a_ExpectedPeerName is the name that we expect to receive in the SSL peer's cert; verification will fail if + the presented name is different (possible MITM). + Returns true on success, false on failure. Sets internal error text on failure. */ + bool SetTrustedRootCertsFromString(const AString & a_CACerts, const AString & a_ExpectedPeerName); + + /** Returns the text of the last error that has occurred in this instance. */ + const AString & GetLastErrorText(void) const { return m_LastErrorText; } + +protected: + /** The SSL context used for the socket */ + cCallbackSslContext m_Ssl; + + /** The underlying socket to the SSL server */ + cSocket m_Socket; + + /** The trusted CA root cert store, if we are to verify the cert strictly. Set by SetTrustedRootCertsFromString(). */ + cX509CertPtr m_CACerts; + + /** The expected SSL peer's name, if we are to verify the cert strictly. Set by SetTrustedRootCertsFromString(). */ + AString m_ExpectedPeerName; + + /** Text of the last error that has occurred. */ + AString m_LastErrorText; + + /** Set to true if the connection established successfully. */ + bool m_IsConnected; + + + // cCallbackSslContext::cDataCallbacks overrides: + virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) override; + virtual int SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) override; +} ; + + + + diff --git a/src/PolarSSL++/BufferedSslContext.cpp b/src/PolarSSL++/BufferedSslContext.cpp new file mode 100644 index 000000000..885b30c68 --- /dev/null +++ b/src/PolarSSL++/BufferedSslContext.cpp @@ -0,0 +1,62 @@ + +// BufferedSslContext.cpp + +// Implements the cBufferedSslContext class representing a SSL context with the SSL peer data backed by a cByteBuffer + +#include "Globals.h" +#include "BufferedSslContext.h" + + + + + +cBufferedSslContext::cBufferedSslContext(size_t a_BufferSize): + m_OutgoingData(a_BufferSize), + m_IncomingData(a_BufferSize) +{ +} + + + + + +int cBufferedSslContext::ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) +{ + // Called when PolarSSL wants to read encrypted data from the SSL peer + // Read the data from the buffer inside this object, where the owner has stored them using WriteIncoming(): + size_t NumBytes = std::min(a_NumBytes, m_IncomingData.GetReadableSpace()); + if (NumBytes == 0) + { + return POLARSSL_ERR_NET_WANT_READ; + } + if (!m_IncomingData.ReadBuf(a_Buffer, NumBytes)) + { + m_IncomingData.ResetRead(); + return POLARSSL_ERR_NET_RECV_FAILED; + } + m_IncomingData.CommitRead(); + return (int)NumBytes; +} + + + + + +int cBufferedSslContext::SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) +{ + // Called when PolarSSL wants to write encrypted data to the SSL peer + // Write the data into the buffer inside this object, where the owner can later read them using ReadOutgoing(): + if (!m_OutgoingData.CanWriteBytes(a_NumBytes)) + { + return POLARSSL_ERR_NET_WANT_WRITE; + } + if (!m_OutgoingData.Write((const char *)a_Buffer, a_NumBytes)) + { + return POLARSSL_ERR_NET_SEND_FAILED; + } + return (int)a_NumBytes; +} + + + + diff --git a/src/PolarSSL++/BufferedSslContext.h b/src/PolarSSL++/BufferedSslContext.h new file mode 100644 index 000000000..1b7e1af46 --- /dev/null +++ b/src/PolarSSL++/BufferedSslContext.h @@ -0,0 +1,52 @@ + +// BufferedSslContext.h + +// Declares the cBufferedSslContext class representing a SSL context with the SSL peer data backed by a cByteBuffer + + + + + +#pragma once + +#include "SslContext.h" + + + + + +class cBufferedSslContext : + public cSslContext +{ + typedef cSslContext super; + +public: + /** Creates a new context with the buffers of specified size for the encrypted / decrypted data. */ + cBufferedSslContext(size_t a_BufferSize = 64000); + + /** Stores the specified data in the "incoming" buffer, to be process by the SSL decryptor. + This is the data received from the SSL peer. + Returns the number of bytes actually stored. If 0 is returned, owner should check the error state. */ + size_t WriteIncoming(const void * a_Data, size_t a_NumBytes); + + /** Retrieves data from the "outgoing" buffer, after being processed by the SSL encryptor. + This is the data to be sent to the SSL peer. + Returns the number of bytes actually retrieved. */ + size_t ReadOutgoing(void * a_Data, size_t a_DataMaxSize); + +protected: + /** Buffer for the data that has been encrypted into the SSL stream and should be sent out. */ + cByteBuffer m_OutgoingData; + + /** Buffer for the data that has come in and needs to be decrypted from the SSL stream. */ + cByteBuffer m_IncomingData; + + + // cSslContext overrides: + virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) override; + virtual int SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) override; +} ; + + + + diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index c5b747980..14a6dc537 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -5,12 +5,26 @@ project (MCServer) include_directories ("${PROJECT_SOURCE_DIR}/../") set(SOURCES - "EntropyContext.cpp" + "BlockingSslClientSocket.cpp" + "BufferedSslSocket.cpp" + "CallbackSslContext.cpp" "CtrDrbgContext.cpp" + "EntropyContext.cpp" + "SslContext.cpp" "X509Cert.cpp" ) -add_library(PolarSSL++ ${SOURCES}) +set(HEADERS + "BlockingSslClientSocket.h" + "BufferedSslSocket.h" + "CallbackSslContext.h" + "CtrDrbgContext.h" + "EntropyContext.h" + "SslContext.h" + "X509Cert.h" +) + +add_library(PolarSSL++ ${SOURCES} ${HEADERS}) if (UNIX) target_link_libraries(PolarSSL++ polarssl) diff --git a/src/PolarSSL++/CallbackSslContext.cpp b/src/PolarSSL++/CallbackSslContext.cpp new file mode 100644 index 000000000..0cc88a14a --- /dev/null +++ b/src/PolarSSL++/CallbackSslContext.cpp @@ -0,0 +1,59 @@ + +// CallbackSslContext.cpp + +// Declares the cCallbackSslContext class representing a SSL context wrapper that uses callbacks to read and write SSL peer data + +#include "Globals.h" +#include "CallbackSslContext.h" + + + + + + +cCallbackSslContext::cCallbackSslContext(void) +{ + // Nothing needed, but the constructor needs to exist so +} + + + + + +cCallbackSslContext::cCallbackSslContext(cCallbackSslContext::cDataCallbacks & a_Callbacks) : + m_Callbacks(&a_Callbacks) +{ +} + + + + + +int cCallbackSslContext::ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) +{ + if (m_Callbacks == NULL) + { + LOGWARNING("SSL: Trying to receive data with no callbacks, aborting."); + return POLARSSL_ERR_NET_RECV_FAILED; + } + return m_Callbacks->ReceiveEncrypted(a_Buffer, a_NumBytes); +} + + + + + +int cCallbackSslContext::SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) +{ + if (m_Callbacks == NULL) + { + LOGWARNING("SSL: Trying to send data with no callbacks, aborting."); + return POLARSSL_ERR_NET_SEND_FAILED; + } + return m_Callbacks->SendEncrypted(a_Buffer, a_NumBytes); +} + + + + + diff --git a/src/PolarSSL++/CallbackSslContext.h b/src/PolarSSL++/CallbackSslContext.h new file mode 100644 index 000000000..4e4c1ed7f --- /dev/null +++ b/src/PolarSSL++/CallbackSslContext.h @@ -0,0 +1,61 @@ + +// CallbackSslContext.h + +// Declares the cCallbackSslContext class representing a SSL context wrapper that uses callbacks to read and write SSL peer data + + + + + +#pragma once + +#include "SslContext.h" + + + + + +class cCallbackSslContext : + public cSslContext +{ +public: + /** Interface used as a data sink for the SSL peer data. */ + class cDataCallbacks + { + public: + /** Called when PolarSSL wants to read encrypted data from the SSL peer. + The returned value is the number of bytes received, or a PolarSSL error on failure. + The implementation can return POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE to indicate + that there's currently no more data and that there might be more data in the future. In such cases the + SSL operation that invoked this call will terminate with the same return value, so that the owner is + notified of this condition and can potentially restart the operation later on. */ + virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) = 0; + + /** Called when PolarSSL wants to write encrypted data to the SSL peer. + The returned value is the number of bytes sent, or a PolarSSL error on failure. + The implementation can return POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE to indicate + that there's currently no more data and that there might be more data in the future. In such cases the + SSL operation that invoked this call will terminate with the same return value, so that the owner is + notified of this condition and can potentially restart the operation later on. */ + virtual int SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) = 0; + } ; + + + /** Creates a new SSL context with no callbacks assigned */ + cCallbackSslContext(void); + + /** Creates a new SSL context with the specified callbacks */ + cCallbackSslContext(cDataCallbacks & a_Callbacks); + +protected: + /** The callbacks to use to send and receive SSL peer data */ + cDataCallbacks * m_Callbacks; + + // cSslContext overrides: + virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) override; + virtual int SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) override; +}; + + + + diff --git a/src/PolarSSL++/SslContext.cpp b/src/PolarSSL++/SslContext.cpp new file mode 100644 index 000000000..e7fa11c75 --- /dev/null +++ b/src/PolarSSL++/SslContext.cpp @@ -0,0 +1,181 @@ + +// SslContext.cpp + +// Implements the cSslContext class that holds everything a single SSL context needs to function + +#include "Globals.h" +#include "SslContext.h" +#include "EntropyContext.h" +#include "CtrDrbgContext.h" + + + + + +cSslContext::cSslContext(void) : + m_IsValid(false), + m_HasHandshaken(false) +{ +} + + + + + +cSslContext::~cSslContext() +{ + if (m_IsValid) + { + ssl_free(&m_Ssl); + } +} + + + + + +int cSslContext::Initialize(bool a_IsClient, const SharedPtr & a_CtrDrbg) +{ + // Check double-initialization: + if (m_IsValid) + { + LOGWARNING("SSL: Double initialization is not supported."); + return POLARSSL_ERR_SSL_MALLOC_FAILED; // There is no return value well-suited for this, reuse this one. + } + + // Set the CtrDrbg context, create a new one if needed: + m_CtrDrbg = a_CtrDrbg; + if (m_CtrDrbg.get() == NULL) + { + m_CtrDrbg.reset(new cCtrDrbgContext); + m_CtrDrbg->Initialize("MCServer", 8); + } + + // Initialize PolarSSL's structures: + memset(&m_Ssl, 0, sizeof(m_Ssl)); + int res = ssl_init(&m_Ssl); + if (res != 0) + { + return res; + } + ssl_set_endpoint(&m_Ssl, a_IsClient ? SSL_IS_CLIENT : SSL_IS_SERVER); + ssl_set_authmode(&m_Ssl, SSL_VERIFY_OPTIONAL); + ssl_set_rng(&m_Ssl, ctr_drbg_random, &m_CtrDrbg->m_CtrDrbg); + ssl_set_bio(&m_Ssl, ReceiveEncrypted, this, SendEncrypted, this); + + #ifdef _DEBUG + ssl_set_dbg(&m_Ssl, &SSLDebugMessage, this); + #endif + + m_IsValid = true; + return 0; +} + + + + + +void cSslContext::SetCACerts(const cX509CertPtr & a_CACert, const AString & a_ExpectedPeerName) +{ + // Store the data in our internal buffers, to avoid losing the pointers later on + // PolarSSL will need these after this call returns, and the caller may move / delete the data before that: + m_ExpectedPeerName = a_ExpectedPeerName; + m_CACerts = a_CACert; + + // Set the trusted CA root cert store: + ssl_set_authmode(&m_Ssl, SSL_VERIFY_REQUIRED); + ssl_set_ca_chain(&m_Ssl, m_CACerts->GetInternal(), NULL, m_ExpectedPeerName.empty() ? NULL : m_ExpectedPeerName.c_str()); +} + + + + + +int cSslContext::WritePlain(const void * a_Data, size_t a_NumBytes) +{ + ASSERT(m_IsValid); // Need to call Initialize() first + if (!m_HasHandshaken) + { + int res = Handshake(); + if (res != 0) + { + return res; + } + } + + return ssl_write(&m_Ssl, (const unsigned char *)a_Data, a_NumBytes); +} + + + + + +int cSslContext::ReadPlain(void * a_Data, size_t a_MaxBytes) +{ + ASSERT(m_IsValid); // Need to call Initialize() first + if (!m_HasHandshaken) + { + int res = Handshake(); + if (res != 0) + { + return res; + } + } + + return ssl_read(&m_Ssl, (unsigned char *)a_Data, a_MaxBytes); +} + + + + + +int cSslContext::Handshake(void) +{ + ASSERT(m_IsValid); // Need to call Initialize() first + ASSERT(!m_HasHandshaken); // Must not call twice + + int res = ssl_handshake(&m_Ssl); + if (res == 0) + { + m_HasHandshaken = true; + } + return res; +} + + + + + +int cSslContext::NotifyClose(void) +{ + return ssl_close_notify(&m_Ssl); +} + + + + + +#ifdef _DEBUG + void cSslContext::SSLDebugMessage(void * a_UserParam, int a_Level, const char * a_Text) + { + if (a_Level > 3) + { + // Don't want the trace messages + return; + } + + // Remove the terminating LF: + size_t len = strlen(a_Text) - 1; + while ((len > 0) && (a_Text[len] <= 32)) + { + len--; + } + AString Text(a_Text, len + 1); + + LOGD("SSL (%d): %s", a_Level, Text.c_str()); + } +#endif // _DEBUG + + + + diff --git a/src/PolarSSL++/SslContext.h b/src/PolarSSL++/SslContext.h new file mode 100644 index 000000000..6effdcaea --- /dev/null +++ b/src/PolarSSL++/SslContext.h @@ -0,0 +1,134 @@ + +// SslContext.h + +// Declares the cSslContext class that holds everything a single SSL context needs to function + + + + + +#pragma once + +#include "polarssl/ssl.h" +#include "../ByteBuffer.h" +#include "X509Cert.h" + + + + + +// fwd: +class cCtrDrbgContext; + + + + + +/** +Acts as a generic SSL encryptor / decryptor between the two endpoints. The "owner" of this class is expected +to create it, initialize it and then provide the means of reading and writing data through the SSL link. +This is an abstract base class, there are descendants that handle the specific aspects of how the SSL peer +data comes into the system: + - cBufferedSslContext uses a cByteBuffer to read and write the data + - cCallbackSslContext uses callbacks to provide the data +*/ +class cSslContext abstract +{ +public: + /** Creates a new uninitialized context */ + cSslContext(void); + + ~cSslContext(); + + /** Initializes the context for use as a server or client. + Returns 0 on success, PolarSSL error on failure. */ + int Initialize(bool a_IsClient, const SharedPtr & a_CtrDrbg = SharedPtr()); + + /** Returns true if the object has been initialized properly. */ + bool IsValid(void) const { return m_IsValid; } + + /** Sets a cert chain as the trusted cert store for this context. + Calling this will switch the context into strict cert verification mode. + a_ExpectedPeerName is the CommonName that we expect the SSL peer to have in its cert, + if it is different, the verification will fail. An empty string will disable the CN check. */ + void SetCACerts(const cX509CertPtr & a_CACert, const AString & a_ExpectedPeerName); + + /** Writes data to be encrypted and sent to the SSL peer. Will perform SSL handshake, if needed. + Returns the number of bytes actually written, or PolarSSL error code. + If the return value is POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE, the owner should send any + cached outgoing data to the SSL peer and write any incoming data received from the SSL peer and then call + this function again with the same parameters. Note that this may repeat a few times before the data is + actually written, mainly due to initial handshake. */ + int WritePlain(const void * a_Data, size_t a_NumBytes); + + /** Reads data decrypted from the SSL stream. Will perform SSL handshake, if needed. + Returns the number of bytes actually read, or PolarSSL error code. + If the return value is POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE, the owner should send any + cached outgoing data to the SSL peer and write any incoming data received from the SSL peer and then call + this function again with the same parameters. Note that this may repeat a few times before the data is + actually read, mainly due to initial handshake. */ + int ReadPlain(void * a_Data, size_t a_MaxBytes); + + /** Performs the SSL handshake. + Returns zero on success, PoladSSL error code on failure. + If the return value is POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE, the owner should send any + cached outgoing data to the SSL peer and write any incoming data received from the SSL peer and then call + this function again. Note that this may repeat a few times before the handshake is completed. */ + int Handshake(void); + + /** Returns true if the SSL handshake has been completed. */ + bool HasHandshaken(void) const { return m_HasHandshaken; } + + /** Notifies the SSL peer that the connection is being closed. + Returns 0 on success, PolarSSL error code on failure. */ + int NotifyClose(void); + +protected: + /** True if the object has been initialized properly. */ + bool m_IsValid; + + /** The random generator to use */ + SharedPtr m_CtrDrbg; + + /** The SSL context that PolarSSL uses. */ + ssl_context m_Ssl; + + /** True if the SSL handshake has been completed. */ + bool m_HasHandshaken; + + /** A copy of the trusted CA root cert store that is passed to us in SetCACerts(), so that the pointer + stays valid even after the call, when PolarSSL finally uses it. */ + cX509CertPtr m_CACerts; + + /** Buffer for the expected peer name. We need to buffer it because the caller may free the string they + give us before PolarSSL consumes the raw pointer it gets to the CN. */ + AString m_ExpectedPeerName; + + + /** The callback used by PolarSSL when it wants to read encrypted data. */ + static int ReceiveEncrypted(void * a_This, unsigned char * a_Buffer, size_t a_NumBytes) + { + return ((cSslContext *)a_This)->ReceiveEncrypted(a_Buffer, a_NumBytes); + } + + /** The callback used by PolarSSL when it wants to write encrypted data. */ + static int SendEncrypted(void * a_This, const unsigned char * a_Buffer, size_t a_NumBytes) + { + return ((cSslContext *)a_This)->SendEncrypted(a_Buffer, a_NumBytes); + } + + #ifdef _DEBUG + /** The callback used by PolarSSL to output debug messages */ + static void SSLDebugMessage(void * a_UserParam, int a_Level, const char * a_Text); + #endif // _DEBUG + + /** Called when PolarSSL wants to read encrypted data. */ + virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) = 0; + + /** Called when PolarSSL wants to write encrypted data. */ + virtual int SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) = 0; +} ; + + + + diff --git a/src/PolarSSL++/X509Cert.h b/src/PolarSSL++/X509Cert.h index 5ef19c324..991617d24 100644 --- a/src/PolarSSL++/X509Cert.h +++ b/src/PolarSSL++/X509Cert.h @@ -17,6 +17,8 @@ class cX509Cert { + friend class cSslContext; + public: cX509Cert(void); ~cX509Cert(void); @@ -25,13 +27,15 @@ public: Returns 0 on succes, or PolarSSL error code on failure. */ int Parse(const void * a_CertContents, size_t a_Size); - /** Returns the internal cert ptr. Only use in PolarSSL API calls. */ - OBSOLETE x509_crt * Get(void) { return &m_Cert; } - protected: x509_crt m_Cert; + + /** Returns the internal cert ptr. Only use in PolarSSL API calls. */ + x509_crt * GetInternal(void) { return &m_Cert; } } ; +typedef SharedPtr cX509CertPtr; + -- cgit v1.2.3 From dd52719c2d34aa251e90fafb87448af7086e2658 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Sun, 27 Apr 2014 22:28:14 +0200 Subject: Rewritten cAuthenticator to use the new PolarSSL++ wrapper classes. --- src/Protocol/Authenticator.cpp | 136 ++++++++++++++--------------------------- 1 file changed, 45 insertions(+), 91 deletions(-) diff --git a/src/Protocol/Authenticator.cpp b/src/Protocol/Authenticator.cpp index ccc994e36..efeb6c41c 100644 --- a/src/Protocol/Authenticator.cpp +++ b/src/Protocol/Authenticator.cpp @@ -16,9 +16,7 @@ #include "polarssl/ctr_drbg.h" #include "polarssl/error.h" -#include "PolarSSL++/EntropyContext.h" -#include "PolarSSL++/CtrDrbgContext.h" -#include "PolarSSL++/X509Cert.h" +#include "PolarSSL++/BlockingSslClientSocket.h" #include #include @@ -150,87 +148,47 @@ bool cAuthenticator::AuthWithYggdrasil(AString & a_UserName, const AString & a_S { LOGD("Trying to auth user %s", a_UserName.c_str()); - int ret, server_fd = -1; + int ret; unsigned char buf[1024]; - const char pers[] = "cAuthenticator"; - - cCtrDrbgContext CtrDrbg; - ssl_context ssl; - cX509Cert CACert; - - /* Initialize the RNG and the session data */ - memset(&ssl, 0, sizeof(ssl_context)); - - if ((ret = CtrDrbg.Initialize(pers, sizeof(pers))) != 0) - { - LOGWARNING("cAuthenticator: CtrDrbg.Initialize() returned %d", ret); - return false; - } /* Initialize certificates */ // This is the root cert for Starfield Technologies, the CA that signed sessionserver.mojang.com's cert: - static const char StarfieldCACert[] = - "-----BEGIN CERTIFICATE-----\n" - "MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx\n" - "EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT\n" - "HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs\n" - "ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw\n" - "MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6\n" - "b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj\n" - "aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp\n" - "Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n" - "ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg\n" - "nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1\n" - "HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N\n" - "Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN\n" - "dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0\n" - "HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO\n" - "BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G\n" - "CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU\n" - "sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3\n" - "4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg\n" - "8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K\n" - "pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1\n" - "mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0\n" - "-----END CERTIFICATE-----"; - // Parse the Starfield CA and add it to "trusted root certs" - ret = CACert.Parse(StarfieldCACert, sizeof(StarfieldCACert) - 1); - if (ret < 0) - { - LOGWARNING("cAuthenticator: CACert.Parse returned -0x%x", -ret); - return false; - } - - /* Connect */ - if ((ret = net_connect(&server_fd, m_Server.c_str(), 443)) != 0) - { - LOGWARNING("cAuthenticator: Can't connect to %s: %d", m_Server.c_str(), ret); - return false; - } - - /* Setup */ - if ((ret = ssl_init(&ssl)) != 0) + static const AString StarfieldCACert( + "-----BEGIN CERTIFICATE-----\n" + "MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx\n" + "EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT\n" + "HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs\n" + "ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw\n" + "MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6\n" + "b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj\n" + "aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp\n" + "Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n" + "ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg\n" + "nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1\n" + "HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N\n" + "Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN\n" + "dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0\n" + "HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO\n" + "BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G\n" + "CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU\n" + "sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3\n" + "4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg\n" + "8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K\n" + "pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1\n" + "mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0\n" + "-----END CERTIFICATE-----" + ); + + // Connect the socket: + cBlockingSslClientSocket Socket; + Socket.SetTrustedRootCertsFromString(StarfieldCACert, m_Server); + if (!Socket.Connect(m_Server, 443)) { - LOGWARNING("cAuthenticator: ssl_init returned %d", ret); + LOGWARNING("cAuthenticator: Can't connect to %s: %s", m_Server.c_str(), Socket.GetLastErrorText().c_str()); return false; } - ssl_set_endpoint(&ssl, SSL_IS_CLIENT); - ssl_set_authmode(&ssl, SSL_VERIFY_OPTIONAL); - ssl_set_ca_chain(&ssl, CACert.Get(), NULL, "PolarSSL Server 1"); - ssl_set_rng(&ssl, ctr_drbg_random, CtrDrbg.Get()); - ssl_set_bio(&ssl, net_recv, &server_fd, net_send, &server_fd); - - /* Handshake */ - while ((ret = ssl_handshake(&ssl)) != 0) - { - if ((ret != POLARSSL_ERR_NET_WANT_READ) && (ret != POLARSSL_ERR_NET_WANT_WRITE)) - { - LOGWARNING("cAuthenticator: ssl_handshake returned -0x%x", -ret); - return false; - } - } - /* Write the GET request */ + // Create the GET request: AString ActualAddress = m_Address; ReplaceString(ActualAddress, "%USERNAME%", a_UserName); ReplaceString(ActualAddress, "%SERVERID%", a_ServerId); @@ -242,23 +200,23 @@ bool cAuthenticator::AuthWithYggdrasil(AString & a_UserName, const AString & a_S Request += "Connection: close\r\n"; Request += "\r\n"; - ret = ssl_write(&ssl, (const unsigned char *)Request.c_str(), Request.size()); - if (ret <= 0) + if (!Socket.Send(Request.c_str(), Request.size())) { - LOGWARNING("cAuthenticator: ssl_write returned %d", ret); + LOGWARNING("cAuthenticator: Writing SSL data failed: %s", Socket.GetLastErrorText().c_str()); return false; } - /* Read the HTTP response */ + // Read the HTTP response: std::string Response; for (;;) { - memset(buf, 0, sizeof(buf)); - ret = ssl_read(&ssl, buf, sizeof(buf)); + ret = Socket.Receive(buf, sizeof(buf)); if ((ret == POLARSSL_ERR_NET_WANT_READ) || (ret == POLARSSL_ERR_NET_WANT_WRITE)) { - continue; + // This value should never be returned, it is handled internally by cBlockingSslClientSocket + LOGWARNING("cAuthenticator: SSL reading failed internally."); + return false; } if (ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY) { @@ -266,22 +224,18 @@ bool cAuthenticator::AuthWithYggdrasil(AString & a_UserName, const AString & a_S } if (ret < 0) { - LOGWARNING("cAuthenticator: ssl_read returned %d", ret); - break; + LOGWARNING("cAuthenticator: SSL reading failed: -0x%x", -ret); + return false; } if (ret == 0) { - LOGWARNING("cAuthenticator: EOF"); break; } - Response.append((const char *)buf, ret); + Response.append((const char *)buf, (size_t)ret); } - ssl_close_notify(&ssl); - net_close(server_fd); - ssl_free(&ssl); - memset(&ssl, 0, sizeof(ssl)); + Socket.Disconnect(); // Check the HTTP status line: AString prefix("HTTP/1.1 200 OK"); -- cgit v1.2.3 From bb73af68432b56d0c52c23448e4092d753521057 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Sun, 27 Apr 2014 23:31:26 +0200 Subject: Fixed a late-night typo. --- src/PolarSSL++/CMakeLists.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index 14a6dc537..0493baba4 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -6,7 +6,7 @@ include_directories ("${PROJECT_SOURCE_DIR}/../") set(SOURCES "BlockingSslClientSocket.cpp" - "BufferedSslSocket.cpp" + "BufferedSslContext.cpp" "CallbackSslContext.cpp" "CtrDrbgContext.cpp" "EntropyContext.cpp" @@ -16,7 +16,7 @@ set(SOURCES set(HEADERS "BlockingSslClientSocket.h" - "BufferedSslSocket.h" + "BufferedSslContext.h" "CallbackSslContext.h" "CtrDrbgContext.h" "EntropyContext.h" -- cgit v1.2.3 From ef57133f9b457430d2717825b91b747b378e6233 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Sun, 27 Apr 2014 23:35:17 +0200 Subject: Reordered constructors. --- src/PolarSSL++/BlockingSslClientSocket.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/PolarSSL++/BlockingSslClientSocket.cpp b/src/PolarSSL++/BlockingSslClientSocket.cpp index 20b2df1e7..699bc57ee 100644 --- a/src/PolarSSL++/BlockingSslClientSocket.cpp +++ b/src/PolarSSL++/BlockingSslClientSocket.cpp @@ -11,8 +11,8 @@ cBlockingSslClientSocket::cBlockingSslClientSocket(void) : - m_IsConnected(false), - m_Ssl(*this) + m_Ssl(*this), + m_IsConnected(false) { // Nothing needed yet } -- cgit v1.2.3 From 16b3eae8623916fa7bc2cd9cad292bbad8d6a116 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Mon, 28 Apr 2014 21:16:32 +0200 Subject: Added a debug cert printing function. --- src/PolarSSL++/SslContext.cpp | 62 +++++++++++++++++++++++++++++++++++++++++++ src/PolarSSL++/SslContext.h | 3 +++ 2 files changed, 65 insertions(+) diff --git a/src/PolarSSL++/SslContext.cpp b/src/PolarSSL++/SslContext.cpp index e7fa11c75..1994cf844 100644 --- a/src/PolarSSL++/SslContext.cpp +++ b/src/PolarSSL++/SslContext.cpp @@ -64,7 +64,12 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr & ssl_set_bio(&m_Ssl, ReceiveEncrypted, this, SendEncrypted, this); #ifdef _DEBUG + /* + // These functions allow us to debug SSL and certificate problems, but produce way too much output, + // so they're disabled until someone needs them ssl_set_dbg(&m_Ssl, &SSLDebugMessage, this); + ssl_set_verify(&m_Ssl, &SSLVerifyCert, this); + */ #endif m_IsValid = true; @@ -174,6 +179,63 @@ int cSslContext::NotifyClose(void) LOGD("SSL (%d): %s", a_Level, Text.c_str()); } + + + + + + int cSslContext::SSLVerifyCert(void * a_This, x509_crt * a_Crt, int a_Depth, int * a_Flags) + { + char buf[1024]; + UNUSED(a_This); + + LOG("Verify requested for (Depth %d):", a_Depth); + x509_crt_info(buf, sizeof(buf) - 1, "", a_Crt); + LOG("%s", buf); + + int Flags = *a_Flags; + if ((Flags & BADCERT_EXPIRED) != 0) + { + LOG(" ! server certificate has expired"); + } + + if ((Flags & BADCERT_REVOKED) != 0) + { + LOG(" ! server certificate has been revoked"); + } + + if ((Flags & BADCERT_CN_MISMATCH) != 0) + { + LOG(" ! CN mismatch"); + } + + if ((Flags & BADCERT_NOT_TRUSTED) != 0) + { + LOG(" ! self-signed or not signed by a trusted CA"); + } + + if ((Flags & BADCRL_NOT_TRUSTED) != 0) + { + LOG(" ! CRL not trusted"); + } + + if ((Flags & BADCRL_EXPIRED) != 0) + { + LOG(" ! CRL expired"); + } + + if ((Flags & BADCERT_OTHER) != 0) + { + LOG(" ! other (unknown) flag"); + } + + if (Flags == 0) + { + LOG(" This certificate has no flags"); + } + + return 0; + } #endif // _DEBUG diff --git a/src/PolarSSL++/SslContext.h b/src/PolarSSL++/SslContext.h index 6effdcaea..85add5f8b 100644 --- a/src/PolarSSL++/SslContext.h +++ b/src/PolarSSL++/SslContext.h @@ -120,6 +120,9 @@ protected: #ifdef _DEBUG /** The callback used by PolarSSL to output debug messages */ static void SSLDebugMessage(void * a_UserParam, int a_Level, const char * a_Text); + + /** The callback used by PolarSSL to log information on the cert chain */ + static int SSLVerifyCert(void * a_This, x509_crt * a_Crt, int a_Depth, int * a_Flags); #endif // _DEBUG /** Called when PolarSSL wants to read encrypted data. */ -- cgit v1.2.3 From bab3a3cd31c26d7c8c195888675b31ece5ab80b7 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Mon, 28 Apr 2014 21:16:52 +0200 Subject: Added the G1 root cert. Now the authenticator finally works. --- src/Protocol/Authenticator.cpp | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/src/Protocol/Authenticator.cpp b/src/Protocol/Authenticator.cpp index efeb6c41c..f7008a5c4 100644 --- a/src/Protocol/Authenticator.cpp +++ b/src/Protocol/Authenticator.cpp @@ -152,8 +152,10 @@ bool cAuthenticator::AuthWithYggdrasil(AString & a_UserName, const AString & a_S unsigned char buf[1024]; /* Initialize certificates */ - // This is the root cert for Starfield Technologies, the CA that signed sessionserver.mojang.com's cert: + // This is the data of the root certs for Starfield Technologies, the CA that signed sessionserver.mojang.com's cert: + // Downloaded from http://certs.starfieldtech.com/repository/ static const AString StarfieldCACert( + // G2 cert "-----BEGIN CERTIFICATE-----\n" "MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx\n" "EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT\n" @@ -176,7 +178,32 @@ bool cAuthenticator::AuthWithYggdrasil(AString & a_UserName, const AString & a_S "8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K\n" "pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1\n" "mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0\n" - "-----END CERTIFICATE-----" + "-----END CERTIFICATE-----\n\n" + // Original (G1) cert: + "-----BEGIN CERTIFICATE-----\n" + "MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl\n" + "MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp\n" + "U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw\n" + "NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE\n" + "ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp\n" + "ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3\n" + "DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf\n" + "8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN\n" + "+lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0\n" + "X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa\n" + "K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA\n" + "1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G\n" + "A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR\n" + "zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0\n" + "YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD\n" + "bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w\n" + "DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3\n" + "L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D\n" + "eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl\n" + "xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp\n" + "VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY\n" + "WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=\n" + "-----END CERTIFICATE-----\n" ); // Connect the socket: -- cgit v1.2.3 From ec33bbe2949010e1ed377b9dcc1ace56a0126bfe Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Tue, 29 Apr 2014 11:04:54 +0200 Subject: Moved cRsaPrivateKey to PolarSSL++, rewritten using existing objects. --- src/Crypto.cpp | 174 --------------------------------------- src/Crypto.h | 43 ---------- src/PolarSSL++/CMakeLists.txt | 2 + src/PolarSSL++/CtrDrbgContext.h | 8 +- src/PolarSSL++/RsaPrivateKey.cpp | 173 ++++++++++++++++++++++++++++++++++++++ src/PolarSSL++/RsaPrivateKey.h | 59 +++++++++++++ src/Protocol/Protocol132.cpp | 2 +- src/Protocol/Protocol17x.cpp | 2 +- src/Server.h | 6 +- 9 files changed, 244 insertions(+), 225 deletions(-) create mode 100644 src/PolarSSL++/RsaPrivateKey.cpp create mode 100644 src/PolarSSL++/RsaPrivateKey.h diff --git a/src/Crypto.cpp b/src/Crypto.cpp index 16be5ec35..dd8787293 100644 --- a/src/Crypto.cpp +++ b/src/Crypto.cpp @@ -55,180 +55,6 @@ public: /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // cRSAPrivateKey: -cRSAPrivateKey::cRSAPrivateKey(void) -{ - rsa_init(&m_Rsa, RSA_PKCS_V15, 0); - InitRnd(); -} - - - - - -cRSAPrivateKey::cRSAPrivateKey(const cRSAPrivateKey & a_Other) -{ - rsa_init(&m_Rsa, RSA_PKCS_V15, 0); - rsa_copy(&m_Rsa, &a_Other.m_Rsa); - InitRnd(); -} - - - - - -cRSAPrivateKey::~cRSAPrivateKey() -{ - entropy_free(&m_Entropy); - rsa_free(&m_Rsa); -} - - - - - -void cRSAPrivateKey::InitRnd(void) -{ - entropy_init(&m_Entropy); - const unsigned char pers[] = "rsa_genkey"; - ctr_drbg_init(&m_Ctr_drbg, entropy_func, &m_Entropy, pers, sizeof(pers) - 1); -} - - - - - -bool cRSAPrivateKey::Generate(unsigned a_KeySizeBits) -{ - if (rsa_gen_key(&m_Rsa, ctr_drbg_random, &m_Ctr_drbg, a_KeySizeBits, 65537) != 0) - { - // Key generation failed - return false; - } - - return true; -} - - - - - -AString cRSAPrivateKey::GetPubKeyDER(void) -{ - class cPubKey - { - public: - cPubKey(rsa_context * a_Rsa) : - m_IsValid(false) - { - pk_init(&m_Key); - if (pk_init_ctx(&m_Key, pk_info_from_type(POLARSSL_PK_RSA)) != 0) - { - ASSERT(!"Cannot init PrivKey context"); - return; - } - if (rsa_copy(pk_rsa(m_Key), a_Rsa) != 0) - { - ASSERT(!"Cannot copy PrivKey to PK context"); - return; - } - m_IsValid = true; - } - - ~cPubKey() - { - if (m_IsValid) - { - pk_free(&m_Key); - } - } - - operator pk_context * (void) { return &m_Key; } - - protected: - bool m_IsValid; - pk_context m_Key; - } PkCtx(&m_Rsa); - - unsigned char buf[3000]; - int res = pk_write_pubkey_der(PkCtx, buf, sizeof(buf)); - if (res < 0) - { - return AString(); - } - return AString((const char *)(buf + sizeof(buf) - res), (size_t)res); -} - - - - - -int cRSAPrivateKey::Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength) -{ - if (a_EncryptedLength < m_Rsa.len) - { - LOGD("%s: Invalid a_EncryptedLength: got %u, exp at least %u", - __FUNCTION__, (unsigned)a_EncryptedLength, (unsigned)(m_Rsa.len) - ); - ASSERT(!"Invalid a_DecryptedMaxLength!"); - return -1; - } - if (a_DecryptedMaxLength < m_Rsa.len) - { - LOGD("%s: Invalid a_DecryptedMaxLength: got %u, exp at least %u", - __FUNCTION__, (unsigned)a_EncryptedLength, (unsigned)(m_Rsa.len) - ); - ASSERT(!"Invalid a_DecryptedMaxLength!"); - return -1; - } - size_t DecryptedLength; - int res = rsa_pkcs1_decrypt( - &m_Rsa, ctr_drbg_random, &m_Ctr_drbg, RSA_PRIVATE, &DecryptedLength, - a_EncryptedData, a_DecryptedData, a_DecryptedMaxLength - ); - if (res != 0) - { - return -1; - } - return (int)DecryptedLength; -} - - - - - -int cRSAPrivateKey::Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength) -{ - if (a_EncryptedMaxLength < m_Rsa.len) - { - LOGD("%s: Invalid a_EncryptedMaxLength: got %u, exp at least %u", - __FUNCTION__, (unsigned)a_EncryptedMaxLength, (unsigned)(m_Rsa.len) - ); - ASSERT(!"Invalid a_DecryptedMaxLength!"); - return -1; - } - if (a_PlainLength < m_Rsa.len) - { - LOGD("%s: Invalid a_PlainLength: got %u, exp at least %u", - __FUNCTION__, (unsigned)a_PlainLength, (unsigned)(m_Rsa.len) - ); - ASSERT(!"Invalid a_PlainLength!"); - return -1; - } - int res = rsa_pkcs1_encrypt( - &m_Rsa, ctr_drbg_random, &m_Ctr_drbg, RSA_PRIVATE, - a_PlainLength, a_PlainData, a_EncryptedData - ); - if (res != 0) - { - return -1; - } - return (int)m_Rsa.len; -} - - - - - /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // cPublicKey: diff --git a/src/Crypto.h b/src/Crypto.h index a9ec2c6d4..24f246897 100644 --- a/src/Crypto.h +++ b/src/Crypto.h @@ -20,49 +20,6 @@ -/** Encapsulates an RSA private key used in PKI cryptography */ -class cRSAPrivateKey -{ -public: - /** Creates a new empty object, the key is not assigned */ - cRSAPrivateKey(void); - - /** Deep-copies the key from a_Other */ - cRSAPrivateKey(const cRSAPrivateKey & a_Other); - - ~cRSAPrivateKey(); - - /** Generates a new key within this object, with the specified size in bits. - Returns true on success, false on failure. */ - bool Generate(unsigned a_KeySizeBits = 1024); - - /** Returns the public key part encoded in ASN1 DER encoding */ - AString GetPubKeyDER(void); - - /** Decrypts the data using RSAES-PKCS#1 algorithm. - Both a_EncryptedData and a_DecryptedData must be at least bytes large. - Returns the number of bytes decrypted, or negative number for error. */ - int Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength); - - /** Encrypts the data using RSAES-PKCS#1 algorithm. - Both a_EncryptedData and a_DecryptedData must be at least bytes large. - Returns the number of bytes decrypted, or negative number for error. */ - int Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength); - -protected: - rsa_context m_Rsa; - entropy_context m_Entropy; - ctr_drbg_context m_Ctr_drbg; - - /** Initializes the m_Entropy and m_Ctr_drbg contexts - Common part of this object's construction, called from all constructors. */ - void InitRnd(void); -} ; - - - - - class cPublicKey { public: diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index 0493baba4..ebdd52de5 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -10,6 +10,7 @@ set(SOURCES "CallbackSslContext.cpp" "CtrDrbgContext.cpp" "EntropyContext.cpp" + "RsaPrivateKey.cpp" "SslContext.cpp" "X509Cert.cpp" ) @@ -20,6 +21,7 @@ set(HEADERS "CallbackSslContext.h" "CtrDrbgContext.h" "EntropyContext.h" + "RsaPrivateKey.h" "SslContext.h" "X509Cert.h" ) diff --git a/src/PolarSSL++/CtrDrbgContext.h b/src/PolarSSL++/CtrDrbgContext.h index e9a1e17e2..817222a53 100644 --- a/src/PolarSSL++/CtrDrbgContext.h +++ b/src/PolarSSL++/CtrDrbgContext.h @@ -25,6 +25,7 @@ class cEntropyContext; class cCtrDrbgContext { friend class cSslContext; + friend class cRsaPrivateKey; public: /** Constructs the context with a new entropy context. */ @@ -41,9 +42,6 @@ public: /** Returns true if the object is valid (has been initialized properly) */ bool IsValid(void) const { return m_IsValid; } - /** Returns the internal context ptr. Only use in PolarSSL API calls. */ - OBSOLETE ctr_drbg_context * Get(void) { return &m_CtrDrbg; } - protected: /** The entropy source used for generating the random */ SharedPtr m_EntropyContext; @@ -53,6 +51,10 @@ protected: /** Set to true if the object is valid (has been initialized properly) */ bool m_IsValid; + + + /** Returns the internal context ptr. Only use in PolarSSL API calls. */ + ctr_drbg_context * GetInternal(void) { return &m_CtrDrbg; } } ; diff --git a/src/PolarSSL++/RsaPrivateKey.cpp b/src/PolarSSL++/RsaPrivateKey.cpp new file mode 100644 index 000000000..d042139cf --- /dev/null +++ b/src/PolarSSL++/RsaPrivateKey.cpp @@ -0,0 +1,173 @@ + +// RsaPrivateKey.cpp + +#include "Globals.h" +#include "RsaPrivateKey.h" +#include "CtrDrbgContext.h" +#include "polarssl/pk.h" + + + + + + +cRsaPrivateKey::cRsaPrivateKey(void) +{ + rsa_init(&m_Rsa, RSA_PKCS_V15, 0); +} + + + + + +cRsaPrivateKey::cRsaPrivateKey(const cRsaPrivateKey & a_Other) +{ + rsa_init(&m_Rsa, RSA_PKCS_V15, 0); + rsa_copy(&m_Rsa, &a_Other.m_Rsa); +} + + + + + +cRsaPrivateKey::~cRsaPrivateKey() +{ + rsa_free(&m_Rsa); +} + + + + + +bool cRsaPrivateKey::Generate(unsigned a_KeySizeBits) +{ + if (rsa_gen_key(&m_Rsa, ctr_drbg_random, m_CtrDrbg.GetInternal(), a_KeySizeBits, 65537) != 0) + { + // Key generation failed + return false; + } + + return true; +} + + + + + +AString cRsaPrivateKey::GetPubKeyDER(void) +{ + class cPubKey + { + public: + cPubKey(rsa_context * a_Rsa) : + m_IsValid(false) + { + pk_init(&m_Key); + if (pk_init_ctx(&m_Key, pk_info_from_type(POLARSSL_PK_RSA)) != 0) + { + ASSERT(!"Cannot init PrivKey context"); + return; + } + if (rsa_copy(pk_rsa(m_Key), a_Rsa) != 0) + { + ASSERT(!"Cannot copy PrivKey to PK context"); + return; + } + m_IsValid = true; + } + + ~cPubKey() + { + if (m_IsValid) + { + pk_free(&m_Key); + } + } + + operator pk_context * (void) { return &m_Key; } + + protected: + bool m_IsValid; + pk_context m_Key; + } PkCtx(&m_Rsa); + + unsigned char buf[3000]; + int res = pk_write_pubkey_der(PkCtx, buf, sizeof(buf)); + if (res < 0) + { + return AString(); + } + return AString((const char *)(buf + sizeof(buf) - res), (size_t)res); +} + + + + + +int cRsaPrivateKey::Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength) +{ + if (a_EncryptedLength < m_Rsa.len) + { + LOGD("%s: Invalid a_EncryptedLength: got %u, exp at least %u", + __FUNCTION__, (unsigned)a_EncryptedLength, (unsigned)(m_Rsa.len) + ); + ASSERT(!"Invalid a_DecryptedMaxLength!"); + return -1; + } + if (a_DecryptedMaxLength < m_Rsa.len) + { + LOGD("%s: Invalid a_DecryptedMaxLength: got %u, exp at least %u", + __FUNCTION__, (unsigned)a_EncryptedLength, (unsigned)(m_Rsa.len) + ); + ASSERT(!"Invalid a_DecryptedMaxLength!"); + return -1; + } + size_t DecryptedLength; + int res = rsa_pkcs1_decrypt( + &m_Rsa, ctr_drbg_random, m_CtrDrbg.GetInternal(), RSA_PRIVATE, &DecryptedLength, + a_EncryptedData, a_DecryptedData, a_DecryptedMaxLength + ); + if (res != 0) + { + return -1; + } + return (int)DecryptedLength; +} + + + + + +int cRsaPrivateKey::Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength) +{ + if (a_EncryptedMaxLength < m_Rsa.len) + { + LOGD("%s: Invalid a_EncryptedMaxLength: got %u, exp at least %u", + __FUNCTION__, (unsigned)a_EncryptedMaxLength, (unsigned)(m_Rsa.len) + ); + ASSERT(!"Invalid a_DecryptedMaxLength!"); + return -1; + } + if (a_PlainLength < m_Rsa.len) + { + LOGD("%s: Invalid a_PlainLength: got %u, exp at least %u", + __FUNCTION__, (unsigned)a_PlainLength, (unsigned)(m_Rsa.len) + ); + ASSERT(!"Invalid a_PlainLength!"); + return -1; + } + int res = rsa_pkcs1_encrypt( + &m_Rsa, ctr_drbg_random, m_CtrDrbg.GetInternal(), RSA_PRIVATE, + a_PlainLength, a_PlainData, a_EncryptedData + ); + if (res != 0) + { + return -1; + } + return (int)m_Rsa.len; +} + + + + + diff --git a/src/PolarSSL++/RsaPrivateKey.h b/src/PolarSSL++/RsaPrivateKey.h new file mode 100644 index 000000000..ffacde11b --- /dev/null +++ b/src/PolarSSL++/RsaPrivateKey.h @@ -0,0 +1,59 @@ + +// RsaPrivateKey.h + +// Declares the cRsaPrivateKey class representing a private key for RSA operations. + + + + + +#pragma once + +#include "CtrDrbgContext.h" +#include "polarssl/rsa.h" + + + + + +/** Encapsulates an RSA private key used in PKI cryptography */ +class cRsaPrivateKey +{ +public: + /** Creates a new empty object, the key is not assigned */ + cRsaPrivateKey(void); + + /** Deep-copies the key from a_Other */ + cRsaPrivateKey(const cRsaPrivateKey & a_Other); + + ~cRsaPrivateKey(); + + /** Generates a new key within this object, with the specified size in bits. + Returns true on success, false on failure. */ + bool Generate(unsigned a_KeySizeBits = 1024); + + /** Returns the public key part encoded in ASN1 DER encoding */ + AString GetPubKeyDER(void); + + /** Decrypts the data using RSAES-PKCS#1 algorithm. + Both a_EncryptedData and a_DecryptedData must be at least bytes large. + Returns the number of bytes decrypted, or negative number for error. */ + int Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength); + + /** Encrypts the data using RSAES-PKCS#1 algorithm. + Both a_EncryptedData and a_DecryptedData must be at least bytes large. + Returns the number of bytes decrypted, or negative number for error. */ + int Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength); + +protected: + /** The PolarSSL key context */ + rsa_context m_Rsa; + + /** The random generator used for generating the key and encryption / decryption */ + cCtrDrbgContext m_CtrDrbg; +} ; + + + + + diff --git a/src/Protocol/Protocol132.cpp b/src/Protocol/Protocol132.cpp index 53d8c1561..acfa5e811 100644 --- a/src/Protocol/Protocol132.cpp +++ b/src/Protocol/Protocol132.cpp @@ -819,7 +819,7 @@ void cProtocol132::SendEncryptionKeyRequest(void) void cProtocol132::HandleEncryptionKeyResponse(const AString & a_EncKey, const AString & a_EncNonce) { // Decrypt EncNonce using privkey - cRSAPrivateKey & rsaDecryptor = cRoot::Get()->GetServer()->GetPrivateKey(); + cRsaPrivateKey & rsaDecryptor = cRoot::Get()->GetServer()->GetPrivateKey(); Int32 DecryptedNonce[MAX_ENC_LEN / sizeof(Int32)]; int res = rsaDecryptor.Decrypt((const Byte *)a_EncNonce.data(), a_EncNonce.size(), (Byte *)DecryptedNonce, sizeof(DecryptedNonce)); diff --git a/src/Protocol/Protocol17x.cpp b/src/Protocol/Protocol17x.cpp index a04d8ac3c..001b8c219 100644 --- a/src/Protocol/Protocol17x.cpp +++ b/src/Protocol/Protocol17x.cpp @@ -1690,7 +1690,7 @@ void cProtocol172::HandlePacketLoginEncryptionResponse(cByteBuffer & a_ByteBuffe } // Decrypt EncNonce using privkey - cRSAPrivateKey & rsaDecryptor = cRoot::Get()->GetServer()->GetPrivateKey(); + cRsaPrivateKey & rsaDecryptor = cRoot::Get()->GetServer()->GetPrivateKey(); Int32 DecryptedNonce[MAX_ENC_LEN / sizeof(Int32)]; int res = rsaDecryptor.Decrypt((const Byte *)EncNonce.data(), EncNonce.size(), (Byte *)DecryptedNonce, sizeof(DecryptedNonce)); if (res != 4) diff --git a/src/Server.h b/src/Server.h index 51c450ebd..3d76c8ccf 100644 --- a/src/Server.h +++ b/src/Server.h @@ -23,7 +23,7 @@ #pragma warning(disable:4702) #endif -#include "Crypto.h" +#include "PolarSSL++/RsaPrivateKey.h" #ifdef _MSC_VER #pragma warning(pop) @@ -109,7 +109,7 @@ public: // tolua_export /** Returns base64 encoded favicon data (obtained from favicon.png) */ const AString & GetFaviconData(void) const { return m_FaviconData; } - cRSAPrivateKey & GetPrivateKey(void) { return m_PrivateKey; } + cRsaPrivateKey & GetPrivateKey(void) { return m_PrivateKey; } const AString & GetPublicKeyDER(void) const { return m_PublicKeyDER; } bool ShouldAuthenticate(void) const { return m_ShouldAuthenticate; } @@ -182,7 +182,7 @@ private: bool m_bRestarting; /** The private key used for the assymetric encryption start in the protocols */ - cRSAPrivateKey m_PrivateKey; + cRsaPrivateKey m_PrivateKey; /** Public key for m_PrivateKey, ASN1-DER-encoded */ AString m_PublicKeyDER; -- cgit v1.2.3 From 79ec770d77beb0ce9176ee9858b830c32380b742 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Tue, 29 Apr 2014 11:17:47 +0200 Subject: Added missing initialization. --- src/PolarSSL++/RsaPrivateKey.cpp | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/PolarSSL++/RsaPrivateKey.cpp b/src/PolarSSL++/RsaPrivateKey.cpp index d042139cf..2d5a2a4b1 100644 --- a/src/PolarSSL++/RsaPrivateKey.cpp +++ b/src/PolarSSL++/RsaPrivateKey.cpp @@ -14,6 +14,7 @@ cRsaPrivateKey::cRsaPrivateKey(void) { rsa_init(&m_Rsa, RSA_PKCS_V15, 0); + m_CtrDrbg.Initialize("RSA", 3); } @@ -24,6 +25,7 @@ cRsaPrivateKey::cRsaPrivateKey(const cRsaPrivateKey & a_Other) { rsa_init(&m_Rsa, RSA_PKCS_V15, 0); rsa_copy(&m_Rsa, &a_Other.m_Rsa); + m_CtrDrbg.Initialize("RSA", 3); } @@ -41,9 +43,10 @@ cRsaPrivateKey::~cRsaPrivateKey() bool cRsaPrivateKey::Generate(unsigned a_KeySizeBits) { - if (rsa_gen_key(&m_Rsa, ctr_drbg_random, m_CtrDrbg.GetInternal(), a_KeySizeBits, 65537) != 0) + int res = rsa_gen_key(&m_Rsa, ctr_drbg_random, m_CtrDrbg.GetInternal(), a_KeySizeBits, 65537); + if (res != 0) { - // Key generation failed + LOG("RSA key generation failed: -0x%x", -res); return false; } -- cgit v1.2.3 From e39f2a21d550626b962a342b23e0adfb491e6e48 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Tue, 29 Apr 2014 11:48:57 +0200 Subject: Fixed ProtoProxy. --- Tools/ProtoProxy/CMakeLists.txt | 6 ++++++ Tools/ProtoProxy/Globals.h | 14 ++++++++++++++ Tools/ProtoProxy/ProtoProxy.txt | 2 +- Tools/ProtoProxy/Server.h | 6 ++++-- 4 files changed, 25 insertions(+), 3 deletions(-) diff --git a/Tools/ProtoProxy/CMakeLists.txt b/Tools/ProtoProxy/CMakeLists.txt index 01f1e88ad..a94df0e24 100644 --- a/Tools/ProtoProxy/CMakeLists.txt +++ b/Tools/ProtoProxy/CMakeLists.txt @@ -37,6 +37,9 @@ set(SHARED_SRC ../../src/Log.cpp ../../src/MCLogger.cpp ../../src/Crypto.cpp + ../../src/PolarSSL++/CtrDrbgContext.cpp + ../../src/PolarSSL++/EntropyContext.cpp + ../../src/PolarSSL++/RsaPrivateKey.cpp ) set(SHARED_HDR ../../src/ByteBuffer.h @@ -44,6 +47,9 @@ set(SHARED_HDR ../../src/Log.h ../../src/MCLogger.h ../../src/Crypto.h + ../../src/PolarSSL++/CtrDrbgContext.h + ../../src/PolarSSL++/EntropyContext.h + ../../src/PolarSSL++/RsaPrivateKey.h ) set(SHARED_OSS_SRC ../../src/OSSupport/CriticalSection.cpp diff --git a/Tools/ProtoProxy/Globals.h b/Tools/ProtoProxy/Globals.h index e2f5aa860..186efa611 100644 --- a/Tools/ProtoProxy/Globals.h +++ b/Tools/ProtoProxy/Globals.h @@ -216,6 +216,20 @@ typedef unsigned char Byte; // Pretty much the same as ASSERT() but stays in Release builds #define VERIFY( x ) ( !!(x) || ( LOGERROR("Verification failed: %s, file %s, line %i", #x, __FILE__, __LINE__ ), exit(1), 0 ) ) +// Allow both Older versions of MSVC and newer versions of everything use a shared_ptr: +// Note that we cannot typedef, because C++ doesn't allow (partial) templates to be typedeffed. +#if (defined(_MSC_VER) && (_MSC_VER < 1600)) + // MSVC before 2010 doesn't have std::shared_ptr, but has std::tr1::shared_ptr, defined in included earlier + #define SharedPtr std::tr1::shared_ptr +#elif (__cplusplus >= 201103L) + // C++11 has std::shared_ptr in , included earlier + #define SharedPtr std::shared_ptr +#else + // C++03 has std::tr1::shared_ptr in + #include + #define SharedPtr std::tr1::shared_ptr +#endif + diff --git a/Tools/ProtoProxy/ProtoProxy.txt b/Tools/ProtoProxy/ProtoProxy.txt index e25d513f3..ee52f393e 100644 --- a/Tools/ProtoProxy/ProtoProxy.txt +++ b/Tools/ProtoProxy/ProtoProxy.txt @@ -20,7 +20,7 @@ You need to set the server *not* to verify usernames ("online-mode=false" in ser ProtoProxy is not much dependent on the protocol - it will work with unknown packets, it just won't parse them into human-readable format. -The latest protocol which has been tested is 1.6.1 (#73). +The latest protocol which has been tested is 1.7.9 (#5). */ diff --git a/Tools/ProtoProxy/Server.h b/Tools/ProtoProxy/Server.h index 85f817a4d..8adc7093d 100644 --- a/Tools/ProtoProxy/Server.h +++ b/Tools/ProtoProxy/Server.h @@ -9,6 +9,8 @@ #pragma once +#include "PolarSSL++/RsaPrivateKey.h" + @@ -17,7 +19,7 @@ class cServer { SOCKET m_ListenSocket; - cRSAPrivateKey m_PrivateKey; + cRsaPrivateKey m_PrivateKey; AString m_PublicKeyDER; short m_ConnectPort; @@ -27,7 +29,7 @@ public: int Init(short a_ListenPort, short a_ConnectPort); void Run(void); - cRSAPrivateKey & GetPrivateKey(void) { return m_PrivateKey; } + cRsaPrivateKey & GetPrivateKey(void) { return m_PrivateKey; } const AString & GetPublicKeyDER (void) { return m_PublicKeyDER; } short GetConnectPort(void) const { return m_ConnectPort; } -- cgit v1.2.3 From 5d33ce226ff95b527b0e5e620078bf79b0bb11b9 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Tue, 29 Apr 2014 15:36:05 +0200 Subject: Added BiomeToString() API function. --- src/BiomeDef.cpp | 180 +++++++++++++++++++++++++++++++------------------------ src/BiomeDef.h | 7 ++- 2 files changed, 106 insertions(+), 81 deletions(-) diff --git a/src/BiomeDef.cpp b/src/BiomeDef.cpp index 3fba93e8a..9852b3dd9 100644 --- a/src/BiomeDef.cpp +++ b/src/BiomeDef.cpp @@ -7,6 +7,88 @@ #include "BiomeDef.h" + + +// The "map" used for biome <-> string conversions: +static struct { + EMCSBiome m_Biome; + const char * m_String; +} g_BiomeMap[] = +{ + {biOcean, "Ocean"} , + {biPlains, "Plains"}, + {biDesert, "Desert"}, + {biExtremeHills, "ExtremeHills"}, + {biForest, "Forest"}, + {biTaiga, "Taiga"}, + {biSwampland, "Swampland"}, + {biRiver, "River"}, + {biNether, "Hell"}, + {biNether, "Nether"}, + {biEnd, "Sky"}, + {biEnd, "End"}, + {biFrozenOcean, "FrozenOcean"}, + {biFrozenRiver, "FrozenRiver"}, + {biIcePlains, "IcePlains"}, + {biIcePlains, "Tundra"}, + {biIceMountains, "IceMountains"}, + {biMushroomIsland, "MushroomIsland"}, + {biMushroomShore, "MushroomShore"}, + {biBeach, "Beach"}, + {biDesertHills, "DesertHills"}, + {biForestHills, "ForestHills"}, + {biTaigaHills, "TaigaHills"}, + {biExtremeHillsEdge, "ExtremeHillsEdge"}, + {biJungle, "Jungle"}, + {biJungleHills, "JungleHills"}, + + // Release 1.7 biomes: + {biJungleEdge, "JungleEdge"}, + {biDeepOcean, "DeepOcean"}, + {biStoneBeach, "StoneBeach"}, + {biColdBeach, "ColdBeach"}, + {biBirchForest, "BirchForest"}, + {biBirchForestHills, "BirchForestHills"}, + {biRoofedForest, "RoofedForest"}, + {biColdTaiga, "ColdTaiga"}, + {biColdTaigaHills, "ColdTaigaHills"}, + {biMegaTaiga, "MegaTaiga"}, + {biMegaTaigaHills, "MegaTaigaHills"}, + {biExtremeHillsPlus, "ExtremeHillsPlus"}, + {biSavanna, "Savanna"}, + {biSavannaPlateau, "SavannaPlateau"}, + {biMesa, "Mesa"}, + {biMesaPlateauF, "MesaPlateauF"}, + {biMesaPlateau, "MesaPlateau"}, + + // Release 1.7 variants: + {biSunflowerPlains, "SunflowerPlains"}, + {biDesertM, "DesertM"}, + {biExtremeHillsM, "ExtremeHillsM"}, + {biFlowerForest, "FlowerForest"}, + {biTaigaM, "TaigaM"}, + {biSwamplandM, "SwamplandM"}, + {biIcePlainsSpikes, "IcePlainsSpikes"}, + {biJungleM, "JungleM"}, + {biJungleEdgeM, "JungleEdgeM"}, + {biBirchForestM, "BirchForestM"}, + {biBirchForestHillsM, "BirchForestHillsM"}, + {biRoofedForestM, "RoofedForestM"}, + {biColdTaigaM, "ColdTaigaM"}, + {biMegaSpruceTaiga, "MegaSpruceTaiga"}, + {biMegaSpruceTaigaHills, "MegaSpruceTaigaHills"}, + {biExtremeHillsPlusM, "ExtremeHillsPlusM"}, + {biSavannaM, "SavannaM"}, + {biSavannaPlateauM, "SavannaPlateauM"}, + {biMesaBryce, "MesaBryce"}, + {biMesaPlateauFM, "MesaPlateauFM"}, + {biMesaPlateauM, "MesaPlateauM"}, +} ; + + + + + EMCSBiome StringToBiome(const AString & a_BiomeString) { // If it is a number, return it: @@ -25,87 +107,11 @@ EMCSBiome StringToBiome(const AString & a_BiomeString) return biInvalidBiome; } - // Convert using the built-in map: - static struct { - EMCSBiome m_Biome; - const char * m_String; - } BiomeMap[] = - { - {biOcean, "Ocean"} , - {biPlains, "Plains"}, - {biDesert, "Desert"}, - {biExtremeHills, "ExtremeHills"}, - {biForest, "Forest"}, - {biTaiga, "Taiga"}, - {biSwampland, "Swampland"}, - {biRiver, "River"}, - {biNether, "Hell"}, - {biNether, "Nether"}, - {biEnd, "Sky"}, - {biEnd, "End"}, - {biFrozenOcean, "FrozenOcean"}, - {biFrozenRiver, "FrozenRiver"}, - {biIcePlains, "IcePlains"}, - {biIcePlains, "Tundra"}, - {biIceMountains, "IceMountains"}, - {biMushroomIsland, "MushroomIsland"}, - {biMushroomShore, "MushroomShore"}, - {biBeach, "Beach"}, - {biDesertHills, "DesertHills"}, - {biForestHills, "ForestHills"}, - {biTaigaHills, "TaigaHills"}, - {biExtremeHillsEdge, "ExtremeHillsEdge"}, - {biJungle, "Jungle"}, - {biJungleHills, "JungleHills"}, - - // Release 1.7 biomes: - {biJungleEdge, "JungleEdge"}, - {biDeepOcean, "DeepOcean"}, - {biStoneBeach, "StoneBeach"}, - {biColdBeach, "ColdBeach"}, - {biBirchForest, "BirchForest"}, - {biBirchForestHills, "BirchForestHills"}, - {biRoofedForest, "RoofedForest"}, - {biColdTaiga, "ColdTaiga"}, - {biColdTaigaHills, "ColdTaigaHills"}, - {biMegaTaiga, "MegaTaiga"}, - {biMegaTaigaHills, "MegaTaigaHills"}, - {biExtremeHillsPlus, "ExtremeHillsPlus"}, - {biSavanna, "Savanna"}, - {biSavannaPlateau, "SavannaPlateau"}, - {biMesa, "Mesa"}, - {biMesaPlateauF, "MesaPlateauF"}, - {biMesaPlateau, "MesaPlateau"}, - - // Release 1.7 variants: - {biSunflowerPlains, "SunflowerPlains"}, - {biDesertM, "DesertM"}, - {biExtremeHillsM, "ExtremeHillsM"}, - {biFlowerForest, "FlowerForest"}, - {biTaigaM, "TaigaM"}, - {biSwamplandM, "SwamplandM"}, - {biIcePlainsSpikes, "IcePlainsSpikes"}, - {biJungleM, "JungleM"}, - {biJungleEdgeM, "JungleEdgeM"}, - {biBirchForestM, "BirchForestM"}, - {biBirchForestHillsM, "BirchForestHillsM"}, - {biRoofedForestM, "RoofedForestM"}, - {biColdTaigaM, "ColdTaigaM"}, - {biMegaSpruceTaiga, "MegaSpruceTaiga"}, - {biMegaSpruceTaigaHills, "MegaSpruceTaigaHills"}, - {biExtremeHillsPlusM, "ExtremeHillsPlusM"}, - {biSavannaM, "SavannaM"}, - {biSavannaPlateauM, "SavannaPlateauM"}, - {biMesaBryce, "MesaBryce"}, - {biMesaPlateauFM, "MesaPlateauFM"}, - {biMesaPlateauM, "MesaPlateauM"}, - } ; - - for (size_t i = 0; i < ARRAYCOUNT(BiomeMap); i++) + for (size_t i = 0; i < ARRAYCOUNT(g_BiomeMap); i++) { - if (NoCaseCompare(BiomeMap[i].m_String, a_BiomeString) == 0) + if (NoCaseCompare(g_BiomeMap[i].m_String, a_BiomeString) == 0) { - return BiomeMap[i].m_Biome; + return g_BiomeMap[i].m_Biome; } } // for i - BiomeMap[] return biInvalidBiome; @@ -115,6 +121,22 @@ EMCSBiome StringToBiome(const AString & a_BiomeString) +AString BiomeToString(int a_Biome) +{ + for (size_t i = 0; i < ARRAYCOUNT(g_BiomeMap); i++) + { + if (g_BiomeMap[i].m_Biome == a_Biome) + { + return g_BiomeMap[i].m_String; + } + } + return AString(); +} + + + + + bool IsBiomeNoDownfall(EMCSBiome a_Biome) { switch (a_Biome) diff --git a/src/BiomeDef.h b/src/BiomeDef.h index 474d4df76..67916890d 100644 --- a/src/BiomeDef.h +++ b/src/BiomeDef.h @@ -104,10 +104,13 @@ enum EMCSBiome biMaxVariantBiome = biNumVariantBiomes - 1, // The maximum biome value } ; -/// Translates a biome string to biome enum. Takes either a number or a biome alias (built-in). Returns biInvalidBiome on failure. +/** Translates a biome string to biome enum. Takes either a number or a biome alias (built-in). Returns biInvalidBiome on failure. */ extern EMCSBiome StringToBiome(const AString & a_BiomeString); -/// Returns true if the biome has no downfall - deserts and savannas +/** Translates biome enum into biome string. Returns empty string on failure (unknown biome). */ +extern AString BiomeToString(int a_Biome); + +/** Returns true if the biome has no downfall - deserts and savannas */ extern bool IsBiomeNoDownfall(EMCSBiome a_Biome); -- cgit v1.2.3 From d9f7ae6a4d0895752c1a62657c36433e92104346 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Tue, 29 Apr 2014 17:13:08 +0200 Subject: Moved cPublicKey to its separate file in PolarSSL++. --- Tools/ProtoProxy/CMakeLists.txt | 2 ++ Tools/ProtoProxy/Connection.cpp | 1 + src/Crypto.cpp | 78 ----------------------------------------- src/Crypto.h | 31 ---------------- src/PolarSSL++/CMakeLists.txt | 2 ++ src/PolarSSL++/CtrDrbgContext.h | 1 + src/PolarSSL++/PublicKey.cpp | 73 ++++++++++++++++++++++++++++++++++++++ src/PolarSSL++/PublicKey.h | 48 +++++++++++++++++++++++++ 8 files changed, 127 insertions(+), 109 deletions(-) create mode 100644 src/PolarSSL++/PublicKey.cpp create mode 100644 src/PolarSSL++/PublicKey.h diff --git a/Tools/ProtoProxy/CMakeLists.txt b/Tools/ProtoProxy/CMakeLists.txt index a94df0e24..a2241f355 100644 --- a/Tools/ProtoProxy/CMakeLists.txt +++ b/Tools/ProtoProxy/CMakeLists.txt @@ -39,6 +39,7 @@ set(SHARED_SRC ../../src/Crypto.cpp ../../src/PolarSSL++/CtrDrbgContext.cpp ../../src/PolarSSL++/EntropyContext.cpp + ../../src/PolarSSL++/PublicKey.cpp ../../src/PolarSSL++/RsaPrivateKey.cpp ) set(SHARED_HDR @@ -49,6 +50,7 @@ set(SHARED_HDR ../../src/Crypto.h ../../src/PolarSSL++/CtrDrbgContext.h ../../src/PolarSSL++/EntropyContext.h + ../../src/PolarSSL++/PublicKey.h ../../src/PolarSSL++/RsaPrivateKey.h ) set(SHARED_OSS_SRC diff --git a/Tools/ProtoProxy/Connection.cpp b/Tools/ProtoProxy/Connection.cpp index b21d2ae59..fcbd9190c 100644 --- a/Tools/ProtoProxy/Connection.cpp +++ b/Tools/ProtoProxy/Connection.cpp @@ -7,6 +7,7 @@ #include "Connection.h" #include "Server.h" #include +#include "PolarSSL++/PublicKey.h" #ifdef _WIN32 #include // For _mkdir() diff --git a/src/Crypto.cpp b/src/Crypto.cpp index dd8787293..370b498bf 100644 --- a/src/Crypto.cpp +++ b/src/Crypto.cpp @@ -52,84 +52,6 @@ public: -/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -// cRSAPrivateKey: - -/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -// cPublicKey: - -cPublicKey::cPublicKey(const AString & a_PublicKeyDER) -{ - pk_init(&m_Pk); - if (pk_parse_public_key(&m_Pk, (const Byte *)a_PublicKeyDER.data(), a_PublicKeyDER.size()) != 0) - { - ASSERT(!"Cannot parse PubKey"); - return; - } - InitRnd(); -} - - - - - -cPublicKey::~cPublicKey() -{ - pk_free(&m_Pk); -} - - - - - -int cPublicKey::Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength) -{ - size_t DecryptedLen = a_DecryptedMaxLength; - int res = pk_decrypt(&m_Pk, - a_EncryptedData, a_EncryptedLength, - a_DecryptedData, &DecryptedLen, a_DecryptedMaxLength, - ctr_drbg_random, &m_Ctr_drbg - ); - if (res != 0) - { - return res; - } - return (int)DecryptedLen; -} - - - - - -int cPublicKey::Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength) -{ - size_t EncryptedLength = a_EncryptedMaxLength; - int res = pk_encrypt(&m_Pk, - a_PlainData, a_PlainLength, a_EncryptedData, &EncryptedLength, a_EncryptedMaxLength, - ctr_drbg_random, &m_Ctr_drbg - ); - if (res != 0) - { - return res; - } - return (int)EncryptedLength; -} - - - - - -void cPublicKey::InitRnd(void) -{ - entropy_init(&m_Entropy); - const unsigned char pers[] = "rsa_genkey"; - ctr_drbg_init(&m_Ctr_drbg, entropy_func, &m_Entropy, pers, sizeof(pers) - 1); -} - - - - - /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // cAESCFBDecryptor: diff --git a/src/Crypto.h b/src/Crypto.h index 24f246897..993b21afb 100644 --- a/src/Crypto.h +++ b/src/Crypto.h @@ -14,37 +14,6 @@ #include "polarssl/entropy.h" #include "polarssl/ctr_drbg.h" #include "polarssl/sha1.h" -#include "polarssl/pk.h" - - - - - -class cPublicKey -{ -public: - cPublicKey(const AString & a_PublicKeyDER); - ~cPublicKey(); - - /** Decrypts the data using the stored public key - Both a_EncryptedData and a_DecryptedData must be at least bytes large. - Returns the number of bytes decrypted, or negative number for error. */ - int Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength); - - /** Encrypts the data using the stored public key - Both a_EncryptedData and a_DecryptedData must be at least bytes large. - Returns the number of bytes decrypted, or negative number for error. */ - int Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength); - -protected: - pk_context m_Pk; - entropy_context m_Entropy; - ctr_drbg_context m_Ctr_drbg; - - /** Initializes the m_Entropy and m_Ctr_drbg contexts - Common part of this object's construction, called from all constructors. */ - void InitRnd(void); -} ; diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index ebdd52de5..bf7720abc 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -10,6 +10,7 @@ set(SOURCES "CallbackSslContext.cpp" "CtrDrbgContext.cpp" "EntropyContext.cpp" + "PublicKey.cpp" "RsaPrivateKey.cpp" "SslContext.cpp" "X509Cert.cpp" @@ -21,6 +22,7 @@ set(HEADERS "CallbackSslContext.h" "CtrDrbgContext.h" "EntropyContext.h" + "PublicKey.h" "RsaPrivateKey.h" "SslContext.h" "X509Cert.h" diff --git a/src/PolarSSL++/CtrDrbgContext.h b/src/PolarSSL++/CtrDrbgContext.h index 817222a53..65e9a2374 100644 --- a/src/PolarSSL++/CtrDrbgContext.h +++ b/src/PolarSSL++/CtrDrbgContext.h @@ -26,6 +26,7 @@ class cCtrDrbgContext { friend class cSslContext; friend class cRsaPrivateKey; + friend class cPublicKey; public: /** Constructs the context with a new entropy context. */ diff --git a/src/PolarSSL++/PublicKey.cpp b/src/PolarSSL++/PublicKey.cpp new file mode 100644 index 000000000..49794a0c8 --- /dev/null +++ b/src/PolarSSL++/PublicKey.cpp @@ -0,0 +1,73 @@ + +// PublicKey.cpp + +// Implements the cPublicKey class representing a RSA public key in PolarSSL + +#include "Globals.h" +#include "PublicKey.h" + + + + + +cPublicKey::cPublicKey(const AString & a_PublicKeyDER) +{ + pk_init(&m_Pk); + if (pk_parse_public_key(&m_Pk, (const Byte *)a_PublicKeyDER.data(), a_PublicKeyDER.size()) != 0) + { + ASSERT(!"Cannot parse PubKey"); + return; + } + m_CtrDrbg.Initialize("rsa_pubkey", 10); +} + + + + + +cPublicKey::~cPublicKey() +{ + pk_free(&m_Pk); +} + + + + + +int cPublicKey::Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength) +{ + size_t DecryptedLen = a_DecryptedMaxLength; + int res = pk_decrypt(&m_Pk, + a_EncryptedData, a_EncryptedLength, + a_DecryptedData, &DecryptedLen, a_DecryptedMaxLength, + ctr_drbg_random, m_CtrDrbg.GetInternal() + ); + if (res != 0) + { + return res; + } + return (int)DecryptedLen; +} + + + + + +int cPublicKey::Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength) +{ + size_t EncryptedLength = a_EncryptedMaxLength; + int res = pk_encrypt(&m_Pk, + a_PlainData, a_PlainLength, a_EncryptedData, &EncryptedLength, a_EncryptedMaxLength, + ctr_drbg_random, m_CtrDrbg.GetInternal() + ); + if (res != 0) + { + return res; + } + return (int)EncryptedLength; +} + + + + + diff --git a/src/PolarSSL++/PublicKey.h b/src/PolarSSL++/PublicKey.h new file mode 100644 index 000000000..5a0a57147 --- /dev/null +++ b/src/PolarSSL++/PublicKey.h @@ -0,0 +1,48 @@ + +// PublicKey.h + +// Declares the cPublicKey class representing a RSA public key in PolarSSL + + + + + +#pragma once + +#include "CtrDrbgContext.h" +#include "polarssl/pk.h" + + + + + +class cPublicKey +{ +public: + /** Constructs the public key out of the DER-encoded pubkey data */ + cPublicKey(const AString & a_PublicKeyDER); + + ~cPublicKey(); + + /** Decrypts the data using the stored public key + Both a_EncryptedData and a_DecryptedData must be at least bytes large. + Returns the number of bytes decrypted, or negative number for error. */ + int Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength); + + /** Encrypts the data using the stored public key + Both a_EncryptedData and a_DecryptedData must be at least bytes large. + Returns the number of bytes decrypted, or negative number for error. */ + int Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength); + +protected: + /** The public key PolarSSL representation */ + pk_context m_Pk; + + /** The random generator used in encryption and decryption */ + cCtrDrbgContext m_CtrDrbg; +} ; + + + + + -- cgit v1.2.3 From 6cb2d2461f869d5c9d986cccec5edf1021878df2 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Tue, 29 Apr 2014 17:37:15 +0200 Subject: Moved the rest of the Crypto objects into their own respective files. --- Tools/ProtoProxy/CMakeLists.txt | 6 +- Tools/ProtoProxy/Connection.cpp | 4 +- Tools/ProtoProxy/Connection.h | 10 +- Tools/ProtoProxy/Globals.h | 6 - src/Crypto.cpp | 257 ---------------------------------- src/Crypto.h | 124 ---------------- src/PolarSSL++/AesCfb128Decryptor.cpp | 67 +++++++++ src/PolarSSL++/AesCfb128Decryptor.h | 52 +++++++ src/PolarSSL++/AesCfb128Encryptor.cpp | 68 +++++++++ src/PolarSSL++/AesCfb128Encryptor.h | 50 +++++++ src/PolarSSL++/CMakeLists.txt | 42 +++--- src/PolarSSL++/Sha1Checksum.cpp | 138 ++++++++++++++++++ src/PolarSSL++/Sha1Checksum.h | 52 +++++++ src/Protocol/Protocol132.cpp | 18 +-- src/Protocol/Protocol132.h | 7 +- src/Protocol/Protocol17x.cpp | 5 +- src/Protocol/Protocol17x.h | 7 +- 17 files changed, 477 insertions(+), 436 deletions(-) delete mode 100644 src/Crypto.cpp delete mode 100644 src/Crypto.h create mode 100644 src/PolarSSL++/AesCfb128Decryptor.cpp create mode 100644 src/PolarSSL++/AesCfb128Decryptor.h create mode 100644 src/PolarSSL++/AesCfb128Encryptor.cpp create mode 100644 src/PolarSSL++/AesCfb128Encryptor.h create mode 100644 src/PolarSSL++/Sha1Checksum.cpp create mode 100644 src/PolarSSL++/Sha1Checksum.h diff --git a/Tools/ProtoProxy/CMakeLists.txt b/Tools/ProtoProxy/CMakeLists.txt index a2241f355..a136c95df 100644 --- a/Tools/ProtoProxy/CMakeLists.txt +++ b/Tools/ProtoProxy/CMakeLists.txt @@ -36,7 +36,8 @@ set(SHARED_SRC ../../src/StringUtils.cpp ../../src/Log.cpp ../../src/MCLogger.cpp - ../../src/Crypto.cpp + ../../src/PolarSSL++/AesCfb128Decryptor.cpp + ../../src/PolarSSL++/AesCfb128Encryptor.cpp ../../src/PolarSSL++/CtrDrbgContext.cpp ../../src/PolarSSL++/EntropyContext.cpp ../../src/PolarSSL++/PublicKey.cpp @@ -47,7 +48,8 @@ set(SHARED_HDR ../../src/StringUtils.h ../../src/Log.h ../../src/MCLogger.h - ../../src/Crypto.h + ../../src/PolarSSL++/AesCfb128Decryptor.h + ../../src/PolarSSL++/AesCfb128Encryptor.h ../../src/PolarSSL++/CtrDrbgContext.h ../../src/PolarSSL++/EntropyContext.h ../../src/PolarSSL++/PublicKey.h diff --git a/Tools/ProtoProxy/Connection.cpp b/Tools/ProtoProxy/Connection.cpp index fcbd9190c..26aed2206 100644 --- a/Tools/ProtoProxy/Connection.cpp +++ b/Tools/ProtoProxy/Connection.cpp @@ -472,7 +472,7 @@ bool cConnection::SendData(SOCKET a_Socket, cByteBuffer & a_Data, const char * a -bool cConnection::SendEncryptedData(SOCKET a_Socket, cAESCFBEncryptor & a_Encryptor, const char * a_Data, size_t a_Size, const char * a_Peer) +bool cConnection::SendEncryptedData(SOCKET a_Socket, cAesCfb128Encryptor & a_Encryptor, const char * a_Data, size_t a_Size, const char * a_Peer) { DataLog(a_Data, a_Size, "Encrypting %d bytes to %s", a_Size, a_Peer); const Byte * Data = (const Byte *)a_Data; @@ -496,7 +496,7 @@ bool cConnection::SendEncryptedData(SOCKET a_Socket, cAESCFBEncryptor & a_Encryp -bool cConnection::SendEncryptedData(SOCKET a_Socket, cAESCFBEncryptor & a_Encryptor, cByteBuffer & a_Data, const char * a_Peer) +bool cConnection::SendEncryptedData(SOCKET a_Socket, cAesCfb128Encryptor & a_Encryptor, cByteBuffer & a_Data, const char * a_Peer) { AString All; a_Data.ReadAll(All); diff --git a/Tools/ProtoProxy/Connection.h b/Tools/ProtoProxy/Connection.h index 9e04994b7..1fc9536de 100644 --- a/Tools/ProtoProxy/Connection.h +++ b/Tools/ProtoProxy/Connection.h @@ -11,6 +11,8 @@ #include "ByteBuffer.h" #include "OSSupport/Timer.h" +#include "PolarSSL++/AesCfb128Decryptor.h" +#include "PolarSSL++/AesCfb128Encryptor.h" @@ -66,8 +68,8 @@ protected: cByteBuffer m_ClientBuffer; cByteBuffer m_ServerBuffer; - cAESCFBDecryptor m_ServerDecryptor; - cAESCFBEncryptor m_ServerEncryptor; + cAesCfb128Decryptor m_ServerDecryptor; + cAesCfb128Encryptor m_ServerEncryptor; AString m_ServerEncryptionBuffer; // Buffer for the data to be sent to the server once encryption is established @@ -109,10 +111,10 @@ protected: bool SendData(SOCKET a_Socket, cByteBuffer & a_Data, const char * a_Peer); /// Sends data to the specfied socket, after encrypting it using a_Encryptor. If sending fails, prints a fail message using a_Peer and returns false - bool SendEncryptedData(SOCKET a_Socket, cAESCFBEncryptor & a_Encryptor, const char * a_Data, size_t a_Size, const char * a_Peer); + bool SendEncryptedData(SOCKET a_Socket, cAesCfb128Encryptor & a_Encryptor, const char * a_Data, size_t a_Size, const char * a_Peer); /// Sends data to the specfied socket, after encrypting it using a_Encryptor. If sending fails, prints a fail message using a_Peer and returns false - bool SendEncryptedData(SOCKET a_Socket, cAESCFBEncryptor & a_Encryptor, cByteBuffer & a_Data, const char * a_Peer); + bool SendEncryptedData(SOCKET a_Socket, cAesCfb128Encryptor & a_Encryptor, cByteBuffer & a_Data, const char * a_Peer); /// Decodes packets coming from the client, sends appropriate counterparts to the server; returns false if the connection is to be dropped bool DecodeClientsPackets(const char * a_Data, int a_Size); diff --git a/Tools/ProtoProxy/Globals.h b/Tools/ProtoProxy/Globals.h index 186efa611..54e7e9251 100644 --- a/Tools/ProtoProxy/Globals.h +++ b/Tools/ProtoProxy/Globals.h @@ -246,12 +246,6 @@ public: -#include "../../src/Crypto.h" - - - - - #define LOGERROR printf #define LOGINFO printf #define LOGWARNING printf diff --git a/src/Crypto.cpp b/src/Crypto.cpp deleted file mode 100644 index 370b498bf..000000000 --- a/src/Crypto.cpp +++ /dev/null @@ -1,257 +0,0 @@ - -// Crypto.cpp - -// Implements classes that wrap the cryptographic code library - -#include "Globals.h" -#include "Crypto.h" - -#include "polarssl/pk.h" - - - - - -/* -// Self-test the hash formatting for known values: -// sha1(Notch) : 4ed1f46bbe04bc756bcb17c0c7ce3e4632f06a48 -// sha1(jeb_) : -7c9d5b0044c130109a5d7b5fb5c317c02b4e28c1 -// sha1(simon) : 88e16a1019277b15d58faf0541e11910eb756f6 - -class Test -{ -public: - Test(void) - { - AString DigestNotch, DigestJeb, DigestSimon; - Byte Digest[20]; - cSHA1Checksum Checksum; - Checksum.Update((const Byte *)"Notch", 5); - Checksum.Finalize(Digest); - cSHA1Checksum::DigestToJava(Digest, DigestNotch); - Checksum.Restart(); - Checksum.Update((const Byte *)"jeb_", 4); - Checksum.Finalize(Digest); - cSHA1Checksum::DigestToJava(Digest, DigestJeb); - Checksum.Restart(); - Checksum.Update((const Byte *)"simon", 5); - Checksum.Finalize(Digest); - cSHA1Checksum::DigestToJava(Digest, DigestSimon); - printf("Notch: \"%s\"\n", DigestNotch.c_str()); - printf("jeb_: \"%s\"\n", DigestJeb.c_str()); - printf("simon: \"%s\"\n", DigestSimon.c_str()); - assert(DigestNotch == "4ed1f46bbe04bc756bcb17c0c7ce3e4632f06a48"); - assert(DigestJeb == "-7c9d5b0044c130109a5d7b5fb5c317c02b4e28c1"); - assert(DigestSimon == "88e16a1019277b15d58faf0541e11910eb756f6"); - } -} test; -*/ - - - - - - -/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -// cAESCFBDecryptor: - -cAESCFBDecryptor::cAESCFBDecryptor(void) : - m_IVOffset(0), - m_IsValid(false) -{ -} - - - - - -cAESCFBDecryptor::~cAESCFBDecryptor() -{ - // Clear the leftover in-memory data, so that they can't be accessed by a backdoor - memset(&m_Aes, 0, sizeof(m_Aes)); -} - - - - - -void cAESCFBDecryptor::Init(const Byte a_Key[16], const Byte a_IV[16]) -{ - ASSERT(!IsValid()); // Cannot Init twice - - memcpy(m_IV, a_IV, 16); - aes_setkey_enc(&m_Aes, a_Key, 128); - m_IsValid = true; -} - - - - - -void cAESCFBDecryptor::ProcessData(Byte * a_DecryptedOut, const Byte * a_EncryptedIn, size_t a_Length) -{ - ASSERT(IsValid()); // Must Init() first - - // PolarSSL doesn't support AES-CFB8, need to implement it manually: - for (size_t i = 0; i < a_Length; i++) - { - Byte Buffer[sizeof(m_IV)]; - aes_crypt_ecb(&m_Aes, AES_ENCRYPT, m_IV, Buffer); - for (size_t idx = 0; idx < sizeof(m_IV) - 1; idx++) - { - m_IV[idx] = m_IV[idx + 1]; - } - m_IV[sizeof(m_IV) - 1] = a_EncryptedIn[i]; - a_DecryptedOut[i] = a_EncryptedIn[i] ^ Buffer[0]; - } -} - - - - - -/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -// cAESCFBEncryptor: - -cAESCFBEncryptor::cAESCFBEncryptor(void) : - m_IVOffset(0), - m_IsValid(false) -{ -} - - - - - -cAESCFBEncryptor::~cAESCFBEncryptor() -{ - // Clear the leftover in-memory data, so that they can't be accessed by a backdoor - memset(&m_Aes, 0, sizeof(m_Aes)); -} - - - - - -void cAESCFBEncryptor::Init(const Byte a_Key[16], const Byte a_IV[16]) -{ - ASSERT(!IsValid()); // Cannot Init twice - ASSERT(m_IVOffset == 0); - - memcpy(m_IV, a_IV, 16); - aes_setkey_enc(&m_Aes, a_Key, 128); - m_IsValid = true; -} - - - - - -void cAESCFBEncryptor::ProcessData(Byte * a_EncryptedOut, const Byte * a_PlainIn, size_t a_Length) -{ - ASSERT(IsValid()); // Must Init() first - - // PolarSSL doesn't do AES-CFB8, so we need to implement it ourselves: - for (size_t i = 0; i < a_Length; i++) - { - Byte Buffer[sizeof(m_IV)]; - aes_crypt_ecb(&m_Aes, AES_ENCRYPT, m_IV, Buffer); - for (size_t idx = 0; idx < sizeof(m_IV) - 1; idx++) - { - m_IV[idx] = m_IV[idx + 1]; - } - a_EncryptedOut[i] = a_PlainIn[i] ^ Buffer[0]; - m_IV[sizeof(m_IV) - 1] = a_EncryptedOut[i]; - } -} - - - - - -/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -// cSHA1Checksum: - -cSHA1Checksum::cSHA1Checksum(void) : - m_DoesAcceptInput(true) -{ - sha1_starts(&m_Sha1); -} - - - - - -void cSHA1Checksum::Update(const Byte * a_Data, size_t a_Length) -{ - ASSERT(m_DoesAcceptInput); // Not Finalize()-d yet, or Restart()-ed - - sha1_update(&m_Sha1, a_Data, a_Length); -} - - - - - -void cSHA1Checksum::Finalize(cSHA1Checksum::Checksum & a_Output) -{ - ASSERT(m_DoesAcceptInput); // Not Finalize()-d yet, or Restart()-ed - - sha1_finish(&m_Sha1, a_Output); - m_DoesAcceptInput = false; -} - - - - - -void cSHA1Checksum::DigestToJava(const Checksum & a_Digest, AString & a_Out) -{ - Checksum Digest; - memcpy(Digest, a_Digest, sizeof(Digest)); - - bool IsNegative = (Digest[0] >= 0x80); - if (IsNegative) - { - // Two's complement: - bool carry = true; // Add one to the whole number - for (int i = 19; i >= 0; i--) - { - Digest[i] = ~Digest[i]; - if (carry) - { - carry = (Digest[i] == 0xff); - Digest[i]++; - } - } - } - a_Out.clear(); - a_Out.reserve(40); - for (int i = 0; i < 20; i++) - { - AppendPrintf(a_Out, "%02x", Digest[i]); - } - while ((a_Out.length() > 0) && (a_Out[0] == '0')) - { - a_Out.erase(0, 1); - } - if (IsNegative) - { - a_Out.insert(0, "-"); - } -} - - - - - - -void cSHA1Checksum::Restart(void) -{ - sha1_starts(&m_Sha1); - m_DoesAcceptInput = true; -} - - - - diff --git a/src/Crypto.h b/src/Crypto.h deleted file mode 100644 index 993b21afb..000000000 --- a/src/Crypto.h +++ /dev/null @@ -1,124 +0,0 @@ - -// Crypto.h - -// Declares classes that wrap the cryptographic code library - - - - - -#pragma once - -#include "polarssl/rsa.h" -#include "polarssl/aes.h" -#include "polarssl/entropy.h" -#include "polarssl/ctr_drbg.h" -#include "polarssl/sha1.h" - - - - - -/** Decrypts data using the AES / CFB (128) algorithm */ -class cAESCFBDecryptor -{ -public: - Byte test; - - cAESCFBDecryptor(void); - ~cAESCFBDecryptor(); - - /** Initializes the decryptor with the specified Key / IV */ - void Init(const Byte a_Key[16], const Byte a_IV[16]); - - /** Decrypts a_Length bytes of the encrypted data; produces a_Length output bytes */ - void ProcessData(Byte * a_DecryptedOut, const Byte * a_EncryptedIn, size_t a_Length); - - /** Returns true if the object has been initialized with the Key / IV */ - bool IsValid(void) const { return m_IsValid; } - -protected: - aes_context m_Aes; - - /** The InitialVector, used by the CFB mode decryption */ - Byte m_IV[16]; - - /** Current offset in the m_IV, used by the CFB mode decryption */ - size_t m_IVOffset; - - /** Indicates whether the object has been initialized with the Key / IV */ - bool m_IsValid; -} ; - - - - - -/** Encrypts data using the AES / CFB (128) algorithm */ -class cAESCFBEncryptor -{ -public: - cAESCFBEncryptor(void); - ~cAESCFBEncryptor(); - - /** Initializes the decryptor with the specified Key / IV */ - void Init(const Byte a_Key[16], const Byte a_IV[16]); - - /** Encrypts a_Length bytes of the plain data; produces a_Length output bytes */ - void ProcessData(Byte * a_EncryptedOut, const Byte * a_PlainIn, size_t a_Length); - - /** Returns true if the object has been initialized with the Key / IV */ - bool IsValid(void) const { return m_IsValid; } - -protected: - aes_context m_Aes; - - /** The InitialVector, used by the CFB mode encryption */ - Byte m_IV[16]; - - /** Current offset in the m_IV, used by the CFB mode encryption */ - size_t m_IVOffset; - - /** Indicates whether the object has been initialized with the Key / IV */ - bool m_IsValid; -} ; - - - - - -/** Calculates a SHA1 checksum for data stream */ -class cSHA1Checksum -{ -public: - typedef Byte Checksum[20]; // The type used for storing the checksum - - cSHA1Checksum(void); - - /** Adds the specified data to the checksum */ - void Update(const Byte * a_Data, size_t a_Length); - - /** Calculates and returns the final checksum */ - void Finalize(Checksum & a_Output); - - /** Returns true if the object is accepts more input data, false if Finalize()-d (need to Restart()) */ - bool DoesAcceptInput(void) const { return m_DoesAcceptInput; } - - /** Converts a raw 160-bit SHA1 digest into a Java Hex representation - According to http://wiki.vg/wiki/index.php?title=Protocol_Encryption&oldid=2802 - */ - static void DigestToJava(const Checksum & a_Digest, AString & a_JavaOut); - - /** Clears the current context and start a new checksum calculation */ - void Restart(void); - -protected: - /** True if the object is accepts more input data, false if Finalize()-d (need to Restart()) */ - bool m_DoesAcceptInput; - - sha1_context m_Sha1; -} ; - - - - diff --git a/src/PolarSSL++/AesCfb128Decryptor.cpp b/src/PolarSSL++/AesCfb128Decryptor.cpp new file mode 100644 index 000000000..af0d5106e --- /dev/null +++ b/src/PolarSSL++/AesCfb128Decryptor.cpp @@ -0,0 +1,67 @@ + +// AesCfb128Decryptor.cpp + +// Implements the cAesCfb128Decryptor class decrypting data using AES CFB-128 + +#include "Globals.h" +#include "AesCfb128Decryptor.h" + + + + + +cAesCfb128Decryptor::cAesCfb128Decryptor(void) : + m_IVOffset(0), + m_IsValid(false) +{ +} + + + + + +cAesCfb128Decryptor::~cAesCfb128Decryptor() +{ + // Clear the leftover in-memory data, so that they can't be accessed by a backdoor + memset(&m_Aes, 0, sizeof(m_Aes)); +} + + + + + +void cAesCfb128Decryptor::Init(const Byte a_Key[16], const Byte a_IV[16]) +{ + ASSERT(!IsValid()); // Cannot Init twice + + memcpy(m_IV, a_IV, 16); + aes_setkey_enc(&m_Aes, a_Key, 128); + m_IsValid = true; +} + + + + + +void cAesCfb128Decryptor::ProcessData(Byte * a_DecryptedOut, const Byte * a_EncryptedIn, size_t a_Length) +{ + ASSERT(IsValid()); // Must Init() first + + // PolarSSL doesn't support AES-CFB8, need to implement it manually: + for (size_t i = 0; i < a_Length; i++) + { + Byte Buffer[sizeof(m_IV)]; + aes_crypt_ecb(&m_Aes, AES_ENCRYPT, m_IV, Buffer); + for (size_t idx = 0; idx < sizeof(m_IV) - 1; idx++) + { + m_IV[idx] = m_IV[idx + 1]; + } + m_IV[sizeof(m_IV) - 1] = a_EncryptedIn[i]; + a_DecryptedOut[i] = a_EncryptedIn[i] ^ Buffer[0]; + } +} + + + + + diff --git a/src/PolarSSL++/AesCfb128Decryptor.h b/src/PolarSSL++/AesCfb128Decryptor.h new file mode 100644 index 000000000..68c203d70 --- /dev/null +++ b/src/PolarSSL++/AesCfb128Decryptor.h @@ -0,0 +1,52 @@ + +// AesCfb128Decryptor.h + +// Declares the cAesCfb128Decryptor class decrypting data using AES CFB-128 + + + + + +#pragma once + +#include "polarssl/aes.h" + + + + + +/** Decrypts data using the AES / CFB 128 algorithm */ +class cAesCfb128Decryptor +{ +public: + Byte test; + + cAesCfb128Decryptor(void); + ~cAesCfb128Decryptor(); + + /** Initializes the decryptor with the specified Key / IV */ + void Init(const Byte a_Key[16], const Byte a_IV[16]); + + /** Decrypts a_Length bytes of the encrypted data; produces a_Length output bytes */ + void ProcessData(Byte * a_DecryptedOut, const Byte * a_EncryptedIn, size_t a_Length); + + /** Returns true if the object has been initialized with the Key / IV */ + bool IsValid(void) const { return m_IsValid; } + +protected: + aes_context m_Aes; + + /** The InitialVector, used by the CFB mode decryption */ + Byte m_IV[16]; + + /** Current offset in the m_IV, used by the CFB mode decryption */ + size_t m_IVOffset; + + /** Indicates whether the object has been initialized with the Key / IV */ + bool m_IsValid; +} ; + + + + + diff --git a/src/PolarSSL++/AesCfb128Encryptor.cpp b/src/PolarSSL++/AesCfb128Encryptor.cpp new file mode 100644 index 000000000..a641ad48e --- /dev/null +++ b/src/PolarSSL++/AesCfb128Encryptor.cpp @@ -0,0 +1,68 @@ + +// AesCfb128Encryptor.cpp + +// Implements the cAesCfb128Encryptor class encrypting data using AES CFB-128 + +#include "Globals.h" +#include "AesCfb128Encryptor.h" + + + + + +cAesCfb128Encryptor::cAesCfb128Encryptor(void) : + m_IVOffset(0), + m_IsValid(false) +{ +} + + + + + +cAesCfb128Encryptor::~cAesCfb128Encryptor() +{ + // Clear the leftover in-memory data, so that they can't be accessed by a backdoor + memset(&m_Aes, 0, sizeof(m_Aes)); +} + + + + + +void cAesCfb128Encryptor::Init(const Byte a_Key[16], const Byte a_IV[16]) +{ + ASSERT(!IsValid()); // Cannot Init twice + ASSERT(m_IVOffset == 0); + + memcpy(m_IV, a_IV, 16); + aes_setkey_enc(&m_Aes, a_Key, 128); + m_IsValid = true; +} + + + + + +void cAesCfb128Encryptor::ProcessData(Byte * a_EncryptedOut, const Byte * a_PlainIn, size_t a_Length) +{ + ASSERT(IsValid()); // Must Init() first + + // PolarSSL doesn't do AES-CFB8, so we need to implement it ourselves: + for (size_t i = 0; i < a_Length; i++) + { + Byte Buffer[sizeof(m_IV)]; + aes_crypt_ecb(&m_Aes, AES_ENCRYPT, m_IV, Buffer); + for (size_t idx = 0; idx < sizeof(m_IV) - 1; idx++) + { + m_IV[idx] = m_IV[idx + 1]; + } + a_EncryptedOut[i] = a_PlainIn[i] ^ Buffer[0]; + m_IV[sizeof(m_IV) - 1] = a_EncryptedOut[i]; + } +} + + + + + diff --git a/src/PolarSSL++/AesCfb128Encryptor.h b/src/PolarSSL++/AesCfb128Encryptor.h new file mode 100644 index 000000000..9dbb5d2c3 --- /dev/null +++ b/src/PolarSSL++/AesCfb128Encryptor.h @@ -0,0 +1,50 @@ + +// AesCfb128Encryptor.h + +// Declares the cAesCfb128Encryptor class encrypting data using AES CFB-128 + + + + + +#pragma once + +#include "polarssl/aes.h" + + + + + +/** Encrypts data using the AES / CFB (128) algorithm */ +class cAesCfb128Encryptor +{ +public: + cAesCfb128Encryptor(void); + ~cAesCfb128Encryptor(); + + /** Initializes the decryptor with the specified Key / IV */ + void Init(const Byte a_Key[16], const Byte a_IV[16]); + + /** Encrypts a_Length bytes of the plain data; produces a_Length output bytes */ + void ProcessData(Byte * a_EncryptedOut, const Byte * a_PlainIn, size_t a_Length); + + /** Returns true if the object has been initialized with the Key / IV */ + bool IsValid(void) const { return m_IsValid; } + +protected: + aes_context m_Aes; + + /** The InitialVector, used by the CFB mode encryption */ + Byte m_IV[16]; + + /** Current offset in the m_IV, used by the CFB mode encryption */ + size_t m_IVOffset; + + /** Indicates whether the object has been initialized with the Key / IV */ + bool m_IsValid; +} ; + + + + + diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index bf7720abc..b0a592760 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -5,27 +5,33 @@ project (MCServer) include_directories ("${PROJECT_SOURCE_DIR}/../") set(SOURCES - "BlockingSslClientSocket.cpp" - "BufferedSslContext.cpp" - "CallbackSslContext.cpp" - "CtrDrbgContext.cpp" - "EntropyContext.cpp" - "PublicKey.cpp" - "RsaPrivateKey.cpp" - "SslContext.cpp" - "X509Cert.cpp" + AesCfb128Decryptor.cpp + AesCfb128Encryptor.cpp + BlockingSslClientSocket.cpp + BufferedSslContext.cpp + CallbackSslContext.cpp + CtrDrbgContext.cpp + EntropyContext.cpp + PublicKey.cpp + RsaPrivateKey.cpp + Sha1Checksum.cpp + SslContext.cpp + X509Cert.cpp ) set(HEADERS - "BlockingSslClientSocket.h" - "BufferedSslContext.h" - "CallbackSslContext.h" - "CtrDrbgContext.h" - "EntropyContext.h" - "PublicKey.h" - "RsaPrivateKey.h" - "SslContext.h" - "X509Cert.h" + AesCfb128Decryptor.h + AesCfb128Encryptor.h + BlockingSslClientSocket.h + BufferedSslContext.h + CallbackSslContext.h + CtrDrbgContext.h + EntropyContext.h + PublicKey.h + RsaPrivateKey.h + SslContext.h + Sha1Checksum.h + X509Cert.h ) add_library(PolarSSL++ ${SOURCES} ${HEADERS}) diff --git a/src/PolarSSL++/Sha1Checksum.cpp b/src/PolarSSL++/Sha1Checksum.cpp new file mode 100644 index 000000000..a1ee9d7b9 --- /dev/null +++ b/src/PolarSSL++/Sha1Checksum.cpp @@ -0,0 +1,138 @@ + +// Sha1Checksum.cpp + +// Declares the cSha1Checksum class representing the SHA-1 checksum calculator + +#include "Globals.h" +#include "Sha1Checksum.h" + + + + + +/* +// Self-test the hash formatting for known values: +// sha1(Notch) : 4ed1f46bbe04bc756bcb17c0c7ce3e4632f06a48 +// sha1(jeb_) : -7c9d5b0044c130109a5d7b5fb5c317c02b4e28c1 +// sha1(simon) : 88e16a1019277b15d58faf0541e11910eb756f6 + +static class Test +{ +public: + Test(void) + { + AString DigestNotch, DigestJeb, DigestSimon; + Byte Digest[20]; + cSha1Checksum Checksum; + Checksum.Update((const Byte *)"Notch", 5); + Checksum.Finalize(Digest); + cSha1Checksum::DigestToJava(Digest, DigestNotch); + Checksum.Restart(); + Checksum.Update((const Byte *)"jeb_", 4); + Checksum.Finalize(Digest); + cSha1Checksum::DigestToJava(Digest, DigestJeb); + Checksum.Restart(); + Checksum.Update((const Byte *)"simon", 5); + Checksum.Finalize(Digest); + cSha1Checksum::DigestToJava(Digest, DigestSimon); + printf("Notch: \"%s\"\n", DigestNotch.c_str()); + printf("jeb_: \"%s\"\n", DigestJeb.c_str()); + printf("simon: \"%s\"\n", DigestSimon.c_str()); + assert(DigestNotch == "4ed1f46bbe04bc756bcb17c0c7ce3e4632f06a48"); + assert(DigestJeb == "-7c9d5b0044c130109a5d7b5fb5c317c02b4e28c1"); + assert(DigestSimon == "88e16a1019277b15d58faf0541e11910eb756f6"); + } +} test; +*/ + + + + + + +/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +// cSha1Checksum: + +cSha1Checksum::cSha1Checksum(void) : + m_DoesAcceptInput(true) +{ + sha1_starts(&m_Sha1); +} + + + + + +void cSha1Checksum::Update(const Byte * a_Data, size_t a_Length) +{ + ASSERT(m_DoesAcceptInput); // Not Finalize()-d yet, or Restart()-ed + + sha1_update(&m_Sha1, a_Data, a_Length); +} + + + + + +void cSha1Checksum::Finalize(cSha1Checksum::Checksum & a_Output) +{ + ASSERT(m_DoesAcceptInput); // Not Finalize()-d yet, or Restart()-ed + + sha1_finish(&m_Sha1, a_Output); + m_DoesAcceptInput = false; +} + + + + + +void cSha1Checksum::DigestToJava(const Checksum & a_Digest, AString & a_Out) +{ + Checksum Digest; + memcpy(Digest, a_Digest, sizeof(Digest)); + + bool IsNegative = (Digest[0] >= 0x80); + if (IsNegative) + { + // Two's complement: + bool carry = true; // Add one to the whole number + for (int i = 19; i >= 0; i--) + { + Digest[i] = ~Digest[i]; + if (carry) + { + carry = (Digest[i] == 0xff); + Digest[i]++; + } + } + } + a_Out.clear(); + a_Out.reserve(40); + for (int i = 0; i < 20; i++) + { + AppendPrintf(a_Out, "%02x", Digest[i]); + } + while ((a_Out.length() > 0) && (a_Out[0] == '0')) + { + a_Out.erase(0, 1); + } + if (IsNegative) + { + a_Out.insert(0, "-"); + } +} + + + + + + +void cSha1Checksum::Restart(void) +{ + sha1_starts(&m_Sha1); + m_DoesAcceptInput = true; +} + + + + diff --git a/src/PolarSSL++/Sha1Checksum.h b/src/PolarSSL++/Sha1Checksum.h new file mode 100644 index 000000000..68fdbcf1b --- /dev/null +++ b/src/PolarSSL++/Sha1Checksum.h @@ -0,0 +1,52 @@ + +// Sha1Checksum.h + +// Declares the cSha1Checksum class representing the SHA-1 checksum calculator + + + + + +#pragma once + +#include "polarssl/sha1.h" + + + + + +/** Calculates a SHA1 checksum for data stream */ +class cSha1Checksum +{ +public: + typedef Byte Checksum[20]; // The type used for storing the checksum + + cSha1Checksum(void); + + /** Adds the specified data to the checksum */ + void Update(const Byte * a_Data, size_t a_Length); + + /** Calculates and returns the final checksum */ + void Finalize(Checksum & a_Output); + + /** Returns true if the object is accepts more input data, false if Finalize()-d (need to Restart()) */ + bool DoesAcceptInput(void) const { return m_DoesAcceptInput; } + + /** Converts a raw 160-bit SHA1 digest into a Java Hex representation + According to http://wiki.vg/wiki/index.php?title=Protocol_Encryption&oldid=2802 + */ + static void DigestToJava(const Checksum & a_Digest, AString & a_JavaOut); + + /** Clears the current context and start a new checksum calculation */ + void Restart(void); + +protected: + /** True if the object is accepts more input data, false if Finalize()-d (need to Restart()) */ + bool m_DoesAcceptInput; + + sha1_context m_Sha1; +} ; + + + + diff --git a/src/Protocol/Protocol132.cpp b/src/Protocol/Protocol132.cpp index acfa5e811..f4717f592 100644 --- a/src/Protocol/Protocol132.cpp +++ b/src/Protocol/Protocol132.cpp @@ -18,19 +18,7 @@ #include "../WorldStorage/FastNBT.h" #include "../WorldStorage/EnchantmentSerializer.h" #include "../StringCompression.h" - -#ifdef _MSC_VER - #pragma warning(push) - #pragma warning(disable:4127) - #pragma warning(disable:4244) - #pragma warning(disable:4231) - #pragma warning(disable:4189) - #pragma warning(disable:4702) -#endif - -#ifdef _MSC_VER - #pragma warning(pop) -#endif +#include "PolarSSL++/Sha1Checksum.h" @@ -876,7 +864,7 @@ void cProtocol132::StartEncryption(const Byte * a_Key) m_IsEncrypted = true; // Prepare the m_AuthServerID: - cSHA1Checksum Checksum; + cSha1Checksum Checksum; cServer * Server = cRoot::Get()->GetServer(); AString ServerID = Server->GetServerID(); Checksum.Update((const Byte *)ServerID.c_str(), ServerID.length()); @@ -884,7 +872,7 @@ void cProtocol132::StartEncryption(const Byte * a_Key) Checksum.Update((const Byte *)Server->GetPublicKeyDER().data(), Server->GetPublicKeyDER().size()); Byte Digest[20]; Checksum.Finalize(Digest); - cSHA1Checksum::DigestToJava(Digest, m_AuthServerID); + cSha1Checksum::DigestToJava(Digest, m_AuthServerID); } diff --git a/src/Protocol/Protocol132.h b/src/Protocol/Protocol132.h index b280c8a41..32bc7d581 100644 --- a/src/Protocol/Protocol132.h +++ b/src/Protocol/Protocol132.h @@ -24,7 +24,8 @@ #pragma warning(pop) #endif -#include "../Crypto.h" +#include "PolarSSL++/AesCfb128Decryptor.h" +#include "PolarSSL++/AesCfb128Encryptor.h" @@ -79,8 +80,8 @@ public: protected: bool m_IsEncrypted; - cAESCFBDecryptor m_Decryptor; - cAESCFBEncryptor m_Encryptor; + cAesCfb128Decryptor m_Decryptor; + cAesCfb128Encryptor m_Encryptor; AString m_DataToSend; diff --git a/src/Protocol/Protocol17x.cpp b/src/Protocol/Protocol17x.cpp index 001b8c219..a6d566625 100644 --- a/src/Protocol/Protocol17x.cpp +++ b/src/Protocol/Protocol17x.cpp @@ -33,6 +33,7 @@ Implements the 1.7.x protocol classes: #include "../CompositeChat.h" #include "../Entities/ArrowEntity.h" #include "../Entities/FireworkEntity.h" +#include "PolarSSL++/Sha1Checksum.h" @@ -2293,7 +2294,7 @@ void cProtocol172::StartEncryption(const Byte * a_Key) m_IsEncrypted = true; // Prepare the m_AuthServerID: - cSHA1Checksum Checksum; + cSha1Checksum Checksum; cServer * Server = cRoot::Get()->GetServer(); const AString & ServerID = Server->GetServerID(); Checksum.Update((const Byte *)ServerID.c_str(), ServerID.length()); @@ -2301,7 +2302,7 @@ void cProtocol172::StartEncryption(const Byte * a_Key) Checksum.Update((const Byte *)Server->GetPublicKeyDER().data(), Server->GetPublicKeyDER().size()); Byte Digest[20]; Checksum.Finalize(Digest); - cSHA1Checksum::DigestToJava(Digest, m_AuthServerID); + cSha1Checksum::DigestToJava(Digest, m_AuthServerID); } diff --git a/src/Protocol/Protocol17x.h b/src/Protocol/Protocol17x.h index 6a3e81eff..3f9c93357 100644 --- a/src/Protocol/Protocol17x.h +++ b/src/Protocol/Protocol17x.h @@ -30,7 +30,8 @@ Declares the 1.7.x protocol classes: #pragma warning(pop) #endif -#include "../Crypto.h" +#include "PolarSSL++/AesCfb128Decryptor.h" +#include "PolarSSL++/AesCfb128Encryptor.h" @@ -236,8 +237,8 @@ protected: bool m_IsEncrypted; - cAESCFBDecryptor m_Decryptor; - cAESCFBEncryptor m_Encryptor; + cAesCfb128Decryptor m_Decryptor; + cAesCfb128Decryptor m_Encryptor; /** The logfile where the comm is logged, when g_ShouldLogComm is true */ cFile m_CommLogFile; -- cgit v1.2.3 From c045bb3f4ccea1c357a726d73cd75d699cfe901c Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Tue, 29 Apr 2014 17:45:20 +0200 Subject: Removed unneeded #includes. --- src/Protocol/Authenticator.cpp | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/Protocol/Authenticator.cpp b/src/Protocol/Authenticator.cpp index f7008a5c4..8100b6395 100644 --- a/src/Protocol/Authenticator.cpp +++ b/src/Protocol/Authenticator.cpp @@ -10,12 +10,6 @@ #include "inifile/iniFile.h" #include "json/json.h" -#include "polarssl/config.h" -#include "polarssl/net.h" -#include "polarssl/ssl.h" -#include "polarssl/ctr_drbg.h" -#include "polarssl/error.h" - #include "PolarSSL++/BlockingSslClientSocket.h" #include -- cgit v1.2.3