From c701adbd241ea84d6f64842e8015c1009a41d786 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 24 Apr 2014 21:34:45 +0200 Subject: Initial C++ SSL classes. --- src/PolarSSL++/CtrDrbgContext.cpp | 49 ++++++++++++++++++++++++++++++++ src/PolarSSL++/CtrDrbgContext.h | 60 +++++++++++++++++++++++++++++++++++++++ src/PolarSSL++/EntropyContext.cpp | 29 +++++++++++++++++++ src/PolarSSL++/EntropyContext.h | 31 ++++++++++++++++++++ src/PolarSSL++/X509Cert.cpp | 38 +++++++++++++++++++++++++ src/PolarSSL++/X509Cert.h | 37 ++++++++++++++++++++++++ 6 files changed, 244 insertions(+) create mode 100644 src/PolarSSL++/CtrDrbgContext.cpp create mode 100644 src/PolarSSL++/CtrDrbgContext.h create mode 100644 src/PolarSSL++/EntropyContext.cpp create mode 100644 src/PolarSSL++/EntropyContext.h create mode 100644 src/PolarSSL++/X509Cert.cpp create mode 100644 src/PolarSSL++/X509Cert.h (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/CtrDrbgContext.cpp b/src/PolarSSL++/CtrDrbgContext.cpp new file mode 100644 index 000000000..86e6d1ca5 --- /dev/null +++ b/src/PolarSSL++/CtrDrbgContext.cpp @@ -0,0 +1,49 @@ + +// CtrDrbgContext.cpp + +// Implements the cCtrDrbgContext class representing a wrapper over CTR-DRBG implementation in PolarSSL + +#include "Globals.h" +#include "CtrDrbgContext.h" +#include "EntropyContext.h" + + + + + +cCtrDrbgContext::cCtrDrbgContext(void) : + m_EntropyContext(new cEntropyContext), + m_IsValid(false) +{ +} + + + + + +cCtrDrbgContext::cCtrDrbgContext(const SharedPtr & a_EntropyContext) : + m_EntropyContext(a_EntropyContext), + m_IsValid(false) +{ +} + + + + + +int cCtrDrbgContext::Initialize(const void * a_Custom, size_t a_CustomSize) +{ + if (m_IsValid) + { + // Already initialized + return 0; + } + + int res = ctr_drbg_init(&m_CtrDrbg, entropy_func, &(m_EntropyContext->m_Entropy), (const unsigned char *)a_Custom, a_CustomSize); + m_IsValid = (res == 0); + return res; +} + + + + diff --git a/src/PolarSSL++/CtrDrbgContext.h b/src/PolarSSL++/CtrDrbgContext.h new file mode 100644 index 000000000..987f4dd72 --- /dev/null +++ b/src/PolarSSL++/CtrDrbgContext.h @@ -0,0 +1,60 @@ + +// CtrDrbgContext.h + +// Declares the cCtrDrbgContext class representing a wrapper over CTR-DRBG implementation in PolarSSL + + + + + +#pragma once + +#include "polarssl/ctr_drbg.h" + + + + + +// fwd: EntropyContext.h +class cEntropyContext; + + + + + +class cCtrDrbgContext +{ + friend class cSslContext; + +public: + /** Constructs the context with a new entropy context. */ + cCtrDrbgContext(void); + + /** Constructs the context with the specified entropy context. */ + cCtrDrbgContext(const SharedPtr & a_EntropyContext); + + /** Initializes the context. + a_Custom is optional additional data to use for entropy, nullptr is accepted. + Returns 0 if successful, PolarSSL error code on failure. */ + int Initialize(const void * a_Custom, size_t a_CustomSize); + + /** Returns true if the object is valid (has been initialized properly) */ + bool IsValid(void) const { return m_IsValid; } + + /** Returns the internal context ptr. Only use in PolarSSL API calls. */ + __declspec(deprecated) ctr_drbg_context * Get(void) { return &m_CtrDrbg; } + +protected: + /** The entropy source used for generating the random */ + SharedPtr m_EntropyContext; + + /** The random generator context */ + ctr_drbg_context m_CtrDrbg; + + /** Set to true if the object is valid (has been initialized properly) */ + bool m_IsValid; +} ; + + + + diff --git a/src/PolarSSL++/EntropyContext.cpp b/src/PolarSSL++/EntropyContext.cpp new file mode 100644 index 000000000..9c59b3f11 --- /dev/null +++ b/src/PolarSSL++/EntropyContext.cpp @@ -0,0 +1,29 @@ + +// EntropyContext.cpp + +// Implements the cEntropyContext class representing a wrapper over entropy contexts in PolarSSL + +#include "Globals.h" +#include "EntropyContext.h" + + + + + +cEntropyContext::cEntropyContext(void) +{ + entropy_init(&m_Entropy); +} + + + + + +cEntropyContext::~cEntropyContext() +{ + entropy_free(&m_Entropy); +} + + + + diff --git a/src/PolarSSL++/EntropyContext.h b/src/PolarSSL++/EntropyContext.h new file mode 100644 index 000000000..bc7fff066 --- /dev/null +++ b/src/PolarSSL++/EntropyContext.h @@ -0,0 +1,31 @@ + +// EntropyContext.h + +// Declares the cEntropyContext class representing a wrapper over entropy contexts in PolarSSL + + + + + +#pragma once + +#include "polarssl/entropy.h" + + + + + +class cEntropyContext +{ + friend class cCtrDrbgContext; +public: + cEntropyContext(void); + ~cEntropyContext(); + +protected: + entropy_context m_Entropy; +} ; + + + + diff --git a/src/PolarSSL++/X509Cert.cpp b/src/PolarSSL++/X509Cert.cpp new file mode 100644 index 000000000..ecf664855 --- /dev/null +++ b/src/PolarSSL++/X509Cert.cpp @@ -0,0 +1,38 @@ + +// X509Cert.cpp + +// Implements the cX509Cert class representing a wrapper over X509 certs in PolarSSL + +#include "Globals.h" +#include "X509Cert.h" + + + + + +cX509Cert::cX509Cert(void) +{ + x509_crt_init(&m_Cert); +} + + + + + +cX509Cert::~cX509Cert() +{ + x509_crt_free(&m_Cert); +} + + + + + +int cX509Cert::Parse(const void * a_CertContents, size_t a_Size) +{ + return x509_crt_parse(&m_Cert, (const unsigned char *)a_CertContents, a_Size); +} + + + + diff --git a/src/PolarSSL++/X509Cert.h b/src/PolarSSL++/X509Cert.h new file mode 100644 index 000000000..b0450510d --- /dev/null +++ b/src/PolarSSL++/X509Cert.h @@ -0,0 +1,37 @@ + +// X509Cert.h + +// Declares the cX509Cert class representing a wrapper over X509 certs in PolarSSL + + + + + +#pragma once + +#include "polarssl/x509_crt.h" + + + + + +class cX509Cert +{ +public: + cX509Cert(void); + ~cX509Cert(void); + + /** Parses the certificate chain data into the context. + Returns 0 on succes, or PolarSSL error code on failure. */ + int Parse(const void * a_CertContents, size_t a_Size); + + /** Returns the internal cert ptr. Only use in PolarSSL API calls. */ + __declspec(deprecated) x509_crt * Get(void) { return &m_Cert; } + +protected: + x509_crt m_Cert; +} ; + + + + -- cgit v1.2.3 From e33573ab59fefb76c1d01910f49428d808992b2b Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 24 Apr 2014 21:51:39 +0200 Subject: Attempted CMake inclusion for PolarSSL++. --- src/PolarSSL++/CMakeLists.txt | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 src/PolarSSL++/CMakeLists.txt (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt new file mode 100644 index 000000000..4f954a7e5 --- /dev/null +++ b/src/PolarSSL++/CMakeLists.txt @@ -0,0 +1,17 @@ + +cmake_minimum_required (VERSION 2.6) +project (MCServer) + +include_directories ("${PROJECT_SOURCE_DIR}/../") + +set(SOURCES + "EntropyContext.cpp" + "CtrDrbgContext.cpp" + "x509Cert.cpp" +) + +add_library(PolarSSL++ ${SOURCES}) + +if (UNIX) + target_link_libraries(PolarSSL++ polarssl) +endif() -- cgit v1.2.3 From c7694687f5d921a354fa87ea47c36570e705b9ff Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 24 Apr 2014 22:15:21 +0200 Subject: Fixed filename case. --- src/PolarSSL++/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index 4f954a7e5..c5b747980 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -7,7 +7,7 @@ include_directories ("${PROJECT_SOURCE_DIR}/../") set(SOURCES "EntropyContext.cpp" "CtrDrbgContext.cpp" - "x509Cert.cpp" + "X509Cert.cpp" ) add_library(PolarSSL++ ${SOURCES}) -- cgit v1.2.3 From 4f49c978cf6b130ede105e9a858831806e51d118 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 24 Apr 2014 22:43:20 +0200 Subject: Replaced MSVC-specific decorators with our universal ones. --- src/PolarSSL++/CtrDrbgContext.h | 2 +- src/PolarSSL++/X509Cert.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/CtrDrbgContext.h b/src/PolarSSL++/CtrDrbgContext.h index 987f4dd72..e9a1e17e2 100644 --- a/src/PolarSSL++/CtrDrbgContext.h +++ b/src/PolarSSL++/CtrDrbgContext.h @@ -42,7 +42,7 @@ public: bool IsValid(void) const { return m_IsValid; } /** Returns the internal context ptr. Only use in PolarSSL API calls. */ - __declspec(deprecated) ctr_drbg_context * Get(void) { return &m_CtrDrbg; } + OBSOLETE ctr_drbg_context * Get(void) { return &m_CtrDrbg; } protected: /** The entropy source used for generating the random */ diff --git a/src/PolarSSL++/X509Cert.h b/src/PolarSSL++/X509Cert.h index b0450510d..5ef19c324 100644 --- a/src/PolarSSL++/X509Cert.h +++ b/src/PolarSSL++/X509Cert.h @@ -26,7 +26,7 @@ public: int Parse(const void * a_CertContents, size_t a_Size); /** Returns the internal cert ptr. Only use in PolarSSL API calls. */ - __declspec(deprecated) x509_crt * Get(void) { return &m_Cert; } + OBSOLETE x509_crt * Get(void) { return &m_Cert; } protected: x509_crt m_Cert; -- cgit v1.2.3 From 0bdc49221b325feb3a09988737559361fe916be2 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Sun, 27 Apr 2014 22:27:53 +0200 Subject: PolarSSL wrappers for the SSL context. --- src/PolarSSL++/BlockingSslClientSocket.cpp | 195 +++++++++++++++++++++++++++++ src/PolarSSL++/BlockingSslClientSocket.h | 80 ++++++++++++ src/PolarSSL++/BufferedSslContext.cpp | 62 +++++++++ src/PolarSSL++/BufferedSslContext.h | 52 ++++++++ src/PolarSSL++/CMakeLists.txt | 18 ++- src/PolarSSL++/CallbackSslContext.cpp | 59 +++++++++ src/PolarSSL++/CallbackSslContext.h | 61 +++++++++ src/PolarSSL++/SslContext.cpp | 181 ++++++++++++++++++++++++++ src/PolarSSL++/SslContext.h | 134 ++++++++++++++++++++ src/PolarSSL++/X509Cert.h | 10 +- 10 files changed, 847 insertions(+), 5 deletions(-) create mode 100644 src/PolarSSL++/BlockingSslClientSocket.cpp create mode 100644 src/PolarSSL++/BlockingSslClientSocket.h create mode 100644 src/PolarSSL++/BufferedSslContext.cpp create mode 100644 src/PolarSSL++/BufferedSslContext.h create mode 100644 src/PolarSSL++/CallbackSslContext.cpp create mode 100644 src/PolarSSL++/CallbackSslContext.h create mode 100644 src/PolarSSL++/SslContext.cpp create mode 100644 src/PolarSSL++/SslContext.h (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/BlockingSslClientSocket.cpp b/src/PolarSSL++/BlockingSslClientSocket.cpp new file mode 100644 index 000000000..20b2df1e7 --- /dev/null +++ b/src/PolarSSL++/BlockingSslClientSocket.cpp @@ -0,0 +1,195 @@ + +// BlockingSslClientSocket.cpp + +// Implements the cBlockingSslClientSocket class representing a blocking TCP socket with client SSL encryption over it + +#include "Globals.h" +#include "BlockingSslClientSocket.h" + + + + + +cBlockingSslClientSocket::cBlockingSslClientSocket(void) : + m_IsConnected(false), + m_Ssl(*this) +{ + // Nothing needed yet +} + + + + + +bool cBlockingSslClientSocket::Connect(const AString & a_ServerName, UInt16 a_Port) +{ + // If already connected, report an error: + if (m_IsConnected) + { + // TODO: Handle this better - if connected to the same server and port, and the socket is alive, return success + m_LastErrorText = "Already connected"; + return false; + } + + // Connect the underlying socket: + m_Socket.CreateSocket(cSocket::IPv4); + if (!m_Socket.ConnectIPv4(a_ServerName.c_str(), a_Port)) + { + Printf(m_LastErrorText, "Socket connect failed: %s", m_Socket.GetLastErrorString().c_str()); + return false; + } + + // Initialize the SSL: + int ret = m_Ssl.Initialize(true); + if (ret != 0) + { + Printf(m_LastErrorText, "SSL initialization failed: -0x%x", -ret); + return false; + } + + // If we have been assigned a trusted CA root cert store, push it into the SSL context: + if (m_CACerts.get() != NULL) + { + m_Ssl.SetCACerts(m_CACerts, m_ExpectedPeerName); + } + + ret = m_Ssl.Handshake(); + if (ret != 0) + { + Printf(m_LastErrorText, "SSL handshake failed: -0x%x", -ret); + return false; + } + + m_IsConnected = true; + return true; +} + + + + + + +bool cBlockingSslClientSocket::SetTrustedRootCertsFromString(const AString & a_CACerts, const AString & a_ExpectedPeerName) +{ + // Warn if used multiple times, but don't signal an error: + if (m_CACerts.get() != NULL) + { + LOGWARNING( + "SSL: Trying to set multiple trusted CA root cert stores, only the last one will be used. Name: %s", + a_ExpectedPeerName.c_str() + ); + } + + // Parse the cert: + m_CACerts.reset(new cX509Cert); + int ret = m_CACerts->Parse(a_CACerts.data(), a_CACerts.size()); + if (ret < 0) + { + Printf(m_LastErrorText, "CA cert parsing failed: -0x%x", -ret); + return false; + } + m_ExpectedPeerName = a_ExpectedPeerName; + + return true; +} + + + + + +bool cBlockingSslClientSocket::Send(const void * a_Data, size_t a_NumBytes) +{ + ASSERT(m_IsConnected); + + // Keep sending the data until all of it is sent: + const char * Data = (const char *)a_Data; + size_t NumBytes = a_NumBytes; + for (;;) + { + int res = m_Ssl.WritePlain(a_Data, a_NumBytes); + if (res < 0) + { + ASSERT(res != POLARSSL_ERR_NET_WANT_READ); // This should never happen with callback-based SSL + ASSERT(res != POLARSSL_ERR_NET_WANT_WRITE); // This should never happen with callback-based SSL + Printf(m_LastErrorText, "Data cannot be written to SSL context: -0x%x", -res); + return false; + } + else + { + Data += res; + NumBytes -= res; + if (NumBytes == 0) + { + return true; + } + } + } +} + + + + + + +int cBlockingSslClientSocket::Receive(void * a_Data, size_t a_MaxBytes) +{ + ASSERT(m_IsConnected); + + int res = m_Ssl.ReadPlain(a_Data, a_MaxBytes); + if (res < 0) + { + Printf(m_LastErrorText, "Data cannot be read form SSL context: -0x%x", -res); + } + return res; +} + + + + + +void cBlockingSslClientSocket::Disconnect(void) +{ + // Ignore if not connected + if (!m_IsConnected) + { + return; + } + + m_Ssl.NotifyClose(); + m_Socket.CloseSocket(); + m_IsConnected = false; +} + + + + + +int cBlockingSslClientSocket::ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) +{ + int res = m_Socket.Receive((char *)a_Buffer, a_NumBytes, 0); + if (res < 0) + { + // PolarSSL's net routines distinguish between connection reset and general failure, we don't need to + return POLARSSL_ERR_NET_RECV_FAILED; + } + return res; +} + + + + + +int cBlockingSslClientSocket::SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) +{ + int res = m_Socket.Send((const char *)a_Buffer, a_NumBytes); + if (res < 0) + { + // PolarSSL's net routines distinguish between connection reset and general failure, we don't need to + return POLARSSL_ERR_NET_SEND_FAILED; + } + return res; +} + + + + diff --git a/src/PolarSSL++/BlockingSslClientSocket.h b/src/PolarSSL++/BlockingSslClientSocket.h new file mode 100644 index 000000000..7af897582 --- /dev/null +++ b/src/PolarSSL++/BlockingSslClientSocket.h @@ -0,0 +1,80 @@ + +// BlockingSslClientSocket.h + +// Declares the cBlockingSslClientSocket class representing a blocking TCP socket with client SSL encryption over it + + + + + +#pragma once + +#include "CallbackSslContext.h" +#include "../OSSupport/Socket.h" + + + + + +class cBlockingSslClientSocket : + protected cCallbackSslContext::cDataCallbacks +{ +public: + cBlockingSslClientSocket(void); + + /** Connects to the specified server and performs SSL handshake. + Returns true if successful, false on failure. Sets internal error text on failure. */ + bool Connect(const AString & a_ServerName, UInt16 a_Port); + + /** Sends the specified data over the connection. + Returns true if successful, false on failure. Sets the internal error text on failure. */ + bool Send(const void * a_Data, size_t a_NumBytes); + + /** Receives data from the connection. + Blocks until there is any data available, then returns as much as possible. + Returns the number of bytes actually received, negative number on failure. + Sets the internal error text on failure. */ + int Receive(void * a_Data, size_t a_MaxBytes); + + /** Disconnects the connection gracefully, if possible. + Note that this also frees the internal SSL context, so all the certificates etc. are lost. */ + void Disconnect(void); + + /** Sets the root certificates that are to be trusted. Forces the connection to use strict cert + verification. Needs to be used before calling Connect(). + a_ExpectedPeerName is the name that we expect to receive in the SSL peer's cert; verification will fail if + the presented name is different (possible MITM). + Returns true on success, false on failure. Sets internal error text on failure. */ + bool SetTrustedRootCertsFromString(const AString & a_CACerts, const AString & a_ExpectedPeerName); + + /** Returns the text of the last error that has occurred in this instance. */ + const AString & GetLastErrorText(void) const { return m_LastErrorText; } + +protected: + /** The SSL context used for the socket */ + cCallbackSslContext m_Ssl; + + /** The underlying socket to the SSL server */ + cSocket m_Socket; + + /** The trusted CA root cert store, if we are to verify the cert strictly. Set by SetTrustedRootCertsFromString(). */ + cX509CertPtr m_CACerts; + + /** The expected SSL peer's name, if we are to verify the cert strictly. Set by SetTrustedRootCertsFromString(). */ + AString m_ExpectedPeerName; + + /** Text of the last error that has occurred. */ + AString m_LastErrorText; + + /** Set to true if the connection established successfully. */ + bool m_IsConnected; + + + // cCallbackSslContext::cDataCallbacks overrides: + virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) override; + virtual int SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) override; +} ; + + + + diff --git a/src/PolarSSL++/BufferedSslContext.cpp b/src/PolarSSL++/BufferedSslContext.cpp new file mode 100644 index 000000000..885b30c68 --- /dev/null +++ b/src/PolarSSL++/BufferedSslContext.cpp @@ -0,0 +1,62 @@ + +// BufferedSslContext.cpp + +// Implements the cBufferedSslContext class representing a SSL context with the SSL peer data backed by a cByteBuffer + +#include "Globals.h" +#include "BufferedSslContext.h" + + + + + +cBufferedSslContext::cBufferedSslContext(size_t a_BufferSize): + m_OutgoingData(a_BufferSize), + m_IncomingData(a_BufferSize) +{ +} + + + + + +int cBufferedSslContext::ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) +{ + // Called when PolarSSL wants to read encrypted data from the SSL peer + // Read the data from the buffer inside this object, where the owner has stored them using WriteIncoming(): + size_t NumBytes = std::min(a_NumBytes, m_IncomingData.GetReadableSpace()); + if (NumBytes == 0) + { + return POLARSSL_ERR_NET_WANT_READ; + } + if (!m_IncomingData.ReadBuf(a_Buffer, NumBytes)) + { + m_IncomingData.ResetRead(); + return POLARSSL_ERR_NET_RECV_FAILED; + } + m_IncomingData.CommitRead(); + return (int)NumBytes; +} + + + + + +int cBufferedSslContext::SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) +{ + // Called when PolarSSL wants to write encrypted data to the SSL peer + // Write the data into the buffer inside this object, where the owner can later read them using ReadOutgoing(): + if (!m_OutgoingData.CanWriteBytes(a_NumBytes)) + { + return POLARSSL_ERR_NET_WANT_WRITE; + } + if (!m_OutgoingData.Write((const char *)a_Buffer, a_NumBytes)) + { + return POLARSSL_ERR_NET_SEND_FAILED; + } + return (int)a_NumBytes; +} + + + + diff --git a/src/PolarSSL++/BufferedSslContext.h b/src/PolarSSL++/BufferedSslContext.h new file mode 100644 index 000000000..1b7e1af46 --- /dev/null +++ b/src/PolarSSL++/BufferedSslContext.h @@ -0,0 +1,52 @@ + +// BufferedSslContext.h + +// Declares the cBufferedSslContext class representing a SSL context with the SSL peer data backed by a cByteBuffer + + + + + +#pragma once + +#include "SslContext.h" + + + + + +class cBufferedSslContext : + public cSslContext +{ + typedef cSslContext super; + +public: + /** Creates a new context with the buffers of specified size for the encrypted / decrypted data. */ + cBufferedSslContext(size_t a_BufferSize = 64000); + + /** Stores the specified data in the "incoming" buffer, to be process by the SSL decryptor. + This is the data received from the SSL peer. + Returns the number of bytes actually stored. If 0 is returned, owner should check the error state. */ + size_t WriteIncoming(const void * a_Data, size_t a_NumBytes); + + /** Retrieves data from the "outgoing" buffer, after being processed by the SSL encryptor. + This is the data to be sent to the SSL peer. + Returns the number of bytes actually retrieved. */ + size_t ReadOutgoing(void * a_Data, size_t a_DataMaxSize); + +protected: + /** Buffer for the data that has been encrypted into the SSL stream and should be sent out. */ + cByteBuffer m_OutgoingData; + + /** Buffer for the data that has come in and needs to be decrypted from the SSL stream. */ + cByteBuffer m_IncomingData; + + + // cSslContext overrides: + virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) override; + virtual int SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) override; +} ; + + + + diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index c5b747980..14a6dc537 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -5,12 +5,26 @@ project (MCServer) include_directories ("${PROJECT_SOURCE_DIR}/../") set(SOURCES - "EntropyContext.cpp" + "BlockingSslClientSocket.cpp" + "BufferedSslSocket.cpp" + "CallbackSslContext.cpp" "CtrDrbgContext.cpp" + "EntropyContext.cpp" + "SslContext.cpp" "X509Cert.cpp" ) -add_library(PolarSSL++ ${SOURCES}) +set(HEADERS + "BlockingSslClientSocket.h" + "BufferedSslSocket.h" + "CallbackSslContext.h" + "CtrDrbgContext.h" + "EntropyContext.h" + "SslContext.h" + "X509Cert.h" +) + +add_library(PolarSSL++ ${SOURCES} ${HEADERS}) if (UNIX) target_link_libraries(PolarSSL++ polarssl) diff --git a/src/PolarSSL++/CallbackSslContext.cpp b/src/PolarSSL++/CallbackSslContext.cpp new file mode 100644 index 000000000..0cc88a14a --- /dev/null +++ b/src/PolarSSL++/CallbackSslContext.cpp @@ -0,0 +1,59 @@ + +// CallbackSslContext.cpp + +// Declares the cCallbackSslContext class representing a SSL context wrapper that uses callbacks to read and write SSL peer data + +#include "Globals.h" +#include "CallbackSslContext.h" + + + + + + +cCallbackSslContext::cCallbackSslContext(void) +{ + // Nothing needed, but the constructor needs to exist so +} + + + + + +cCallbackSslContext::cCallbackSslContext(cCallbackSslContext::cDataCallbacks & a_Callbacks) : + m_Callbacks(&a_Callbacks) +{ +} + + + + + +int cCallbackSslContext::ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) +{ + if (m_Callbacks == NULL) + { + LOGWARNING("SSL: Trying to receive data with no callbacks, aborting."); + return POLARSSL_ERR_NET_RECV_FAILED; + } + return m_Callbacks->ReceiveEncrypted(a_Buffer, a_NumBytes); +} + + + + + +int cCallbackSslContext::SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) +{ + if (m_Callbacks == NULL) + { + LOGWARNING("SSL: Trying to send data with no callbacks, aborting."); + return POLARSSL_ERR_NET_SEND_FAILED; + } + return m_Callbacks->SendEncrypted(a_Buffer, a_NumBytes); +} + + + + + diff --git a/src/PolarSSL++/CallbackSslContext.h b/src/PolarSSL++/CallbackSslContext.h new file mode 100644 index 000000000..4e4c1ed7f --- /dev/null +++ b/src/PolarSSL++/CallbackSslContext.h @@ -0,0 +1,61 @@ + +// CallbackSslContext.h + +// Declares the cCallbackSslContext class representing a SSL context wrapper that uses callbacks to read and write SSL peer data + + + + + +#pragma once + +#include "SslContext.h" + + + + + +class cCallbackSslContext : + public cSslContext +{ +public: + /** Interface used as a data sink for the SSL peer data. */ + class cDataCallbacks + { + public: + /** Called when PolarSSL wants to read encrypted data from the SSL peer. + The returned value is the number of bytes received, or a PolarSSL error on failure. + The implementation can return POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE to indicate + that there's currently no more data and that there might be more data in the future. In such cases the + SSL operation that invoked this call will terminate with the same return value, so that the owner is + notified of this condition and can potentially restart the operation later on. */ + virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) = 0; + + /** Called when PolarSSL wants to write encrypted data to the SSL peer. + The returned value is the number of bytes sent, or a PolarSSL error on failure. + The implementation can return POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE to indicate + that there's currently no more data and that there might be more data in the future. In such cases the + SSL operation that invoked this call will terminate with the same return value, so that the owner is + notified of this condition and can potentially restart the operation later on. */ + virtual int SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) = 0; + } ; + + + /** Creates a new SSL context with no callbacks assigned */ + cCallbackSslContext(void); + + /** Creates a new SSL context with the specified callbacks */ + cCallbackSslContext(cDataCallbacks & a_Callbacks); + +protected: + /** The callbacks to use to send and receive SSL peer data */ + cDataCallbacks * m_Callbacks; + + // cSslContext overrides: + virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) override; + virtual int SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) override; +}; + + + + diff --git a/src/PolarSSL++/SslContext.cpp b/src/PolarSSL++/SslContext.cpp new file mode 100644 index 000000000..e7fa11c75 --- /dev/null +++ b/src/PolarSSL++/SslContext.cpp @@ -0,0 +1,181 @@ + +// SslContext.cpp + +// Implements the cSslContext class that holds everything a single SSL context needs to function + +#include "Globals.h" +#include "SslContext.h" +#include "EntropyContext.h" +#include "CtrDrbgContext.h" + + + + + +cSslContext::cSslContext(void) : + m_IsValid(false), + m_HasHandshaken(false) +{ +} + + + + + +cSslContext::~cSslContext() +{ + if (m_IsValid) + { + ssl_free(&m_Ssl); + } +} + + + + + +int cSslContext::Initialize(bool a_IsClient, const SharedPtr & a_CtrDrbg) +{ + // Check double-initialization: + if (m_IsValid) + { + LOGWARNING("SSL: Double initialization is not supported."); + return POLARSSL_ERR_SSL_MALLOC_FAILED; // There is no return value well-suited for this, reuse this one. + } + + // Set the CtrDrbg context, create a new one if needed: + m_CtrDrbg = a_CtrDrbg; + if (m_CtrDrbg.get() == NULL) + { + m_CtrDrbg.reset(new cCtrDrbgContext); + m_CtrDrbg->Initialize("MCServer", 8); + } + + // Initialize PolarSSL's structures: + memset(&m_Ssl, 0, sizeof(m_Ssl)); + int res = ssl_init(&m_Ssl); + if (res != 0) + { + return res; + } + ssl_set_endpoint(&m_Ssl, a_IsClient ? SSL_IS_CLIENT : SSL_IS_SERVER); + ssl_set_authmode(&m_Ssl, SSL_VERIFY_OPTIONAL); + ssl_set_rng(&m_Ssl, ctr_drbg_random, &m_CtrDrbg->m_CtrDrbg); + ssl_set_bio(&m_Ssl, ReceiveEncrypted, this, SendEncrypted, this); + + #ifdef _DEBUG + ssl_set_dbg(&m_Ssl, &SSLDebugMessage, this); + #endif + + m_IsValid = true; + return 0; +} + + + + + +void cSslContext::SetCACerts(const cX509CertPtr & a_CACert, const AString & a_ExpectedPeerName) +{ + // Store the data in our internal buffers, to avoid losing the pointers later on + // PolarSSL will need these after this call returns, and the caller may move / delete the data before that: + m_ExpectedPeerName = a_ExpectedPeerName; + m_CACerts = a_CACert; + + // Set the trusted CA root cert store: + ssl_set_authmode(&m_Ssl, SSL_VERIFY_REQUIRED); + ssl_set_ca_chain(&m_Ssl, m_CACerts->GetInternal(), NULL, m_ExpectedPeerName.empty() ? NULL : m_ExpectedPeerName.c_str()); +} + + + + + +int cSslContext::WritePlain(const void * a_Data, size_t a_NumBytes) +{ + ASSERT(m_IsValid); // Need to call Initialize() first + if (!m_HasHandshaken) + { + int res = Handshake(); + if (res != 0) + { + return res; + } + } + + return ssl_write(&m_Ssl, (const unsigned char *)a_Data, a_NumBytes); +} + + + + + +int cSslContext::ReadPlain(void * a_Data, size_t a_MaxBytes) +{ + ASSERT(m_IsValid); // Need to call Initialize() first + if (!m_HasHandshaken) + { + int res = Handshake(); + if (res != 0) + { + return res; + } + } + + return ssl_read(&m_Ssl, (unsigned char *)a_Data, a_MaxBytes); +} + + + + + +int cSslContext::Handshake(void) +{ + ASSERT(m_IsValid); // Need to call Initialize() first + ASSERT(!m_HasHandshaken); // Must not call twice + + int res = ssl_handshake(&m_Ssl); + if (res == 0) + { + m_HasHandshaken = true; + } + return res; +} + + + + + +int cSslContext::NotifyClose(void) +{ + return ssl_close_notify(&m_Ssl); +} + + + + + +#ifdef _DEBUG + void cSslContext::SSLDebugMessage(void * a_UserParam, int a_Level, const char * a_Text) + { + if (a_Level > 3) + { + // Don't want the trace messages + return; + } + + // Remove the terminating LF: + size_t len = strlen(a_Text) - 1; + while ((len > 0) && (a_Text[len] <= 32)) + { + len--; + } + AString Text(a_Text, len + 1); + + LOGD("SSL (%d): %s", a_Level, Text.c_str()); + } +#endif // _DEBUG + + + + diff --git a/src/PolarSSL++/SslContext.h b/src/PolarSSL++/SslContext.h new file mode 100644 index 000000000..6effdcaea --- /dev/null +++ b/src/PolarSSL++/SslContext.h @@ -0,0 +1,134 @@ + +// SslContext.h + +// Declares the cSslContext class that holds everything a single SSL context needs to function + + + + + +#pragma once + +#include "polarssl/ssl.h" +#include "../ByteBuffer.h" +#include "X509Cert.h" + + + + + +// fwd: +class cCtrDrbgContext; + + + + + +/** +Acts as a generic SSL encryptor / decryptor between the two endpoints. The "owner" of this class is expected +to create it, initialize it and then provide the means of reading and writing data through the SSL link. +This is an abstract base class, there are descendants that handle the specific aspects of how the SSL peer +data comes into the system: + - cBufferedSslContext uses a cByteBuffer to read and write the data + - cCallbackSslContext uses callbacks to provide the data +*/ +class cSslContext abstract +{ +public: + /** Creates a new uninitialized context */ + cSslContext(void); + + ~cSslContext(); + + /** Initializes the context for use as a server or client. + Returns 0 on success, PolarSSL error on failure. */ + int Initialize(bool a_IsClient, const SharedPtr & a_CtrDrbg = SharedPtr()); + + /** Returns true if the object has been initialized properly. */ + bool IsValid(void) const { return m_IsValid; } + + /** Sets a cert chain as the trusted cert store for this context. + Calling this will switch the context into strict cert verification mode. + a_ExpectedPeerName is the CommonName that we expect the SSL peer to have in its cert, + if it is different, the verification will fail. An empty string will disable the CN check. */ + void SetCACerts(const cX509CertPtr & a_CACert, const AString & a_ExpectedPeerName); + + /** Writes data to be encrypted and sent to the SSL peer. Will perform SSL handshake, if needed. + Returns the number of bytes actually written, or PolarSSL error code. + If the return value is POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE, the owner should send any + cached outgoing data to the SSL peer and write any incoming data received from the SSL peer and then call + this function again with the same parameters. Note that this may repeat a few times before the data is + actually written, mainly due to initial handshake. */ + int WritePlain(const void * a_Data, size_t a_NumBytes); + + /** Reads data decrypted from the SSL stream. Will perform SSL handshake, if needed. + Returns the number of bytes actually read, or PolarSSL error code. + If the return value is POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE, the owner should send any + cached outgoing data to the SSL peer and write any incoming data received from the SSL peer and then call + this function again with the same parameters. Note that this may repeat a few times before the data is + actually read, mainly due to initial handshake. */ + int ReadPlain(void * a_Data, size_t a_MaxBytes); + + /** Performs the SSL handshake. + Returns zero on success, PoladSSL error code on failure. + If the return value is POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE, the owner should send any + cached outgoing data to the SSL peer and write any incoming data received from the SSL peer and then call + this function again. Note that this may repeat a few times before the handshake is completed. */ + int Handshake(void); + + /** Returns true if the SSL handshake has been completed. */ + bool HasHandshaken(void) const { return m_HasHandshaken; } + + /** Notifies the SSL peer that the connection is being closed. + Returns 0 on success, PolarSSL error code on failure. */ + int NotifyClose(void); + +protected: + /** True if the object has been initialized properly. */ + bool m_IsValid; + + /** The random generator to use */ + SharedPtr m_CtrDrbg; + + /** The SSL context that PolarSSL uses. */ + ssl_context m_Ssl; + + /** True if the SSL handshake has been completed. */ + bool m_HasHandshaken; + + /** A copy of the trusted CA root cert store that is passed to us in SetCACerts(), so that the pointer + stays valid even after the call, when PolarSSL finally uses it. */ + cX509CertPtr m_CACerts; + + /** Buffer for the expected peer name. We need to buffer it because the caller may free the string they + give us before PolarSSL consumes the raw pointer it gets to the CN. */ + AString m_ExpectedPeerName; + + + /** The callback used by PolarSSL when it wants to read encrypted data. */ + static int ReceiveEncrypted(void * a_This, unsigned char * a_Buffer, size_t a_NumBytes) + { + return ((cSslContext *)a_This)->ReceiveEncrypted(a_Buffer, a_NumBytes); + } + + /** The callback used by PolarSSL when it wants to write encrypted data. */ + static int SendEncrypted(void * a_This, const unsigned char * a_Buffer, size_t a_NumBytes) + { + return ((cSslContext *)a_This)->SendEncrypted(a_Buffer, a_NumBytes); + } + + #ifdef _DEBUG + /** The callback used by PolarSSL to output debug messages */ + static void SSLDebugMessage(void * a_UserParam, int a_Level, const char * a_Text); + #endif // _DEBUG + + /** Called when PolarSSL wants to read encrypted data. */ + virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) = 0; + + /** Called when PolarSSL wants to write encrypted data. */ + virtual int SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) = 0; +} ; + + + + diff --git a/src/PolarSSL++/X509Cert.h b/src/PolarSSL++/X509Cert.h index 5ef19c324..991617d24 100644 --- a/src/PolarSSL++/X509Cert.h +++ b/src/PolarSSL++/X509Cert.h @@ -17,6 +17,8 @@ class cX509Cert { + friend class cSslContext; + public: cX509Cert(void); ~cX509Cert(void); @@ -25,13 +27,15 @@ public: Returns 0 on succes, or PolarSSL error code on failure. */ int Parse(const void * a_CertContents, size_t a_Size); - /** Returns the internal cert ptr. Only use in PolarSSL API calls. */ - OBSOLETE x509_crt * Get(void) { return &m_Cert; } - protected: x509_crt m_Cert; + + /** Returns the internal cert ptr. Only use in PolarSSL API calls. */ + x509_crt * GetInternal(void) { return &m_Cert; } } ; +typedef SharedPtr cX509CertPtr; + -- cgit v1.2.3 From bb73af68432b56d0c52c23448e4092d753521057 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Sun, 27 Apr 2014 23:31:26 +0200 Subject: Fixed a late-night typo. --- src/PolarSSL++/CMakeLists.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index 14a6dc537..0493baba4 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -6,7 +6,7 @@ include_directories ("${PROJECT_SOURCE_DIR}/../") set(SOURCES "BlockingSslClientSocket.cpp" - "BufferedSslSocket.cpp" + "BufferedSslContext.cpp" "CallbackSslContext.cpp" "CtrDrbgContext.cpp" "EntropyContext.cpp" @@ -16,7 +16,7 @@ set(SOURCES set(HEADERS "BlockingSslClientSocket.h" - "BufferedSslSocket.h" + "BufferedSslContext.h" "CallbackSslContext.h" "CtrDrbgContext.h" "EntropyContext.h" -- cgit v1.2.3 From ef57133f9b457430d2717825b91b747b378e6233 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Sun, 27 Apr 2014 23:35:17 +0200 Subject: Reordered constructors. --- src/PolarSSL++/BlockingSslClientSocket.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/BlockingSslClientSocket.cpp b/src/PolarSSL++/BlockingSslClientSocket.cpp index 20b2df1e7..699bc57ee 100644 --- a/src/PolarSSL++/BlockingSslClientSocket.cpp +++ b/src/PolarSSL++/BlockingSslClientSocket.cpp @@ -11,8 +11,8 @@ cBlockingSslClientSocket::cBlockingSslClientSocket(void) : - m_IsConnected(false), - m_Ssl(*this) + m_Ssl(*this), + m_IsConnected(false) { // Nothing needed yet } -- cgit v1.2.3 From 16b3eae8623916fa7bc2cd9cad292bbad8d6a116 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Mon, 28 Apr 2014 21:16:32 +0200 Subject: Added a debug cert printing function. --- src/PolarSSL++/SslContext.cpp | 62 +++++++++++++++++++++++++++++++++++++++++++ src/PolarSSL++/SslContext.h | 3 +++ 2 files changed, 65 insertions(+) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/SslContext.cpp b/src/PolarSSL++/SslContext.cpp index e7fa11c75..1994cf844 100644 --- a/src/PolarSSL++/SslContext.cpp +++ b/src/PolarSSL++/SslContext.cpp @@ -64,7 +64,12 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr & ssl_set_bio(&m_Ssl, ReceiveEncrypted, this, SendEncrypted, this); #ifdef _DEBUG + /* + // These functions allow us to debug SSL and certificate problems, but produce way too much output, + // so they're disabled until someone needs them ssl_set_dbg(&m_Ssl, &SSLDebugMessage, this); + ssl_set_verify(&m_Ssl, &SSLVerifyCert, this); + */ #endif m_IsValid = true; @@ -174,6 +179,63 @@ int cSslContext::NotifyClose(void) LOGD("SSL (%d): %s", a_Level, Text.c_str()); } + + + + + + int cSslContext::SSLVerifyCert(void * a_This, x509_crt * a_Crt, int a_Depth, int * a_Flags) + { + char buf[1024]; + UNUSED(a_This); + + LOG("Verify requested for (Depth %d):", a_Depth); + x509_crt_info(buf, sizeof(buf) - 1, "", a_Crt); + LOG("%s", buf); + + int Flags = *a_Flags; + if ((Flags & BADCERT_EXPIRED) != 0) + { + LOG(" ! server certificate has expired"); + } + + if ((Flags & BADCERT_REVOKED) != 0) + { + LOG(" ! server certificate has been revoked"); + } + + if ((Flags & BADCERT_CN_MISMATCH) != 0) + { + LOG(" ! CN mismatch"); + } + + if ((Flags & BADCERT_NOT_TRUSTED) != 0) + { + LOG(" ! self-signed or not signed by a trusted CA"); + } + + if ((Flags & BADCRL_NOT_TRUSTED) != 0) + { + LOG(" ! CRL not trusted"); + } + + if ((Flags & BADCRL_EXPIRED) != 0) + { + LOG(" ! CRL expired"); + } + + if ((Flags & BADCERT_OTHER) != 0) + { + LOG(" ! other (unknown) flag"); + } + + if (Flags == 0) + { + LOG(" This certificate has no flags"); + } + + return 0; + } #endif // _DEBUG diff --git a/src/PolarSSL++/SslContext.h b/src/PolarSSL++/SslContext.h index 6effdcaea..85add5f8b 100644 --- a/src/PolarSSL++/SslContext.h +++ b/src/PolarSSL++/SslContext.h @@ -120,6 +120,9 @@ protected: #ifdef _DEBUG /** The callback used by PolarSSL to output debug messages */ static void SSLDebugMessage(void * a_UserParam, int a_Level, const char * a_Text); + + /** The callback used by PolarSSL to log information on the cert chain */ + static int SSLVerifyCert(void * a_This, x509_crt * a_Crt, int a_Depth, int * a_Flags); #endif // _DEBUG /** Called when PolarSSL wants to read encrypted data. */ -- cgit v1.2.3 From ec33bbe2949010e1ed377b9dcc1ace56a0126bfe Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Tue, 29 Apr 2014 11:04:54 +0200 Subject: Moved cRsaPrivateKey to PolarSSL++, rewritten using existing objects. --- src/PolarSSL++/CMakeLists.txt | 2 + src/PolarSSL++/CtrDrbgContext.h | 8 +- src/PolarSSL++/RsaPrivateKey.cpp | 173 +++++++++++++++++++++++++++++++++++++++ src/PolarSSL++/RsaPrivateKey.h | 59 +++++++++++++ 4 files changed, 239 insertions(+), 3 deletions(-) create mode 100644 src/PolarSSL++/RsaPrivateKey.cpp create mode 100644 src/PolarSSL++/RsaPrivateKey.h (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index 0493baba4..ebdd52de5 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -10,6 +10,7 @@ set(SOURCES "CallbackSslContext.cpp" "CtrDrbgContext.cpp" "EntropyContext.cpp" + "RsaPrivateKey.cpp" "SslContext.cpp" "X509Cert.cpp" ) @@ -20,6 +21,7 @@ set(HEADERS "CallbackSslContext.h" "CtrDrbgContext.h" "EntropyContext.h" + "RsaPrivateKey.h" "SslContext.h" "X509Cert.h" ) diff --git a/src/PolarSSL++/CtrDrbgContext.h b/src/PolarSSL++/CtrDrbgContext.h index e9a1e17e2..817222a53 100644 --- a/src/PolarSSL++/CtrDrbgContext.h +++ b/src/PolarSSL++/CtrDrbgContext.h @@ -25,6 +25,7 @@ class cEntropyContext; class cCtrDrbgContext { friend class cSslContext; + friend class cRsaPrivateKey; public: /** Constructs the context with a new entropy context. */ @@ -41,9 +42,6 @@ public: /** Returns true if the object is valid (has been initialized properly) */ bool IsValid(void) const { return m_IsValid; } - /** Returns the internal context ptr. Only use in PolarSSL API calls. */ - OBSOLETE ctr_drbg_context * Get(void) { return &m_CtrDrbg; } - protected: /** The entropy source used for generating the random */ SharedPtr m_EntropyContext; @@ -53,6 +51,10 @@ protected: /** Set to true if the object is valid (has been initialized properly) */ bool m_IsValid; + + + /** Returns the internal context ptr. Only use in PolarSSL API calls. */ + ctr_drbg_context * GetInternal(void) { return &m_CtrDrbg; } } ; diff --git a/src/PolarSSL++/RsaPrivateKey.cpp b/src/PolarSSL++/RsaPrivateKey.cpp new file mode 100644 index 000000000..d042139cf --- /dev/null +++ b/src/PolarSSL++/RsaPrivateKey.cpp @@ -0,0 +1,173 @@ + +// RsaPrivateKey.cpp + +#include "Globals.h" +#include "RsaPrivateKey.h" +#include "CtrDrbgContext.h" +#include "polarssl/pk.h" + + + + + + +cRsaPrivateKey::cRsaPrivateKey(void) +{ + rsa_init(&m_Rsa, RSA_PKCS_V15, 0); +} + + + + + +cRsaPrivateKey::cRsaPrivateKey(const cRsaPrivateKey & a_Other) +{ + rsa_init(&m_Rsa, RSA_PKCS_V15, 0); + rsa_copy(&m_Rsa, &a_Other.m_Rsa); +} + + + + + +cRsaPrivateKey::~cRsaPrivateKey() +{ + rsa_free(&m_Rsa); +} + + + + + +bool cRsaPrivateKey::Generate(unsigned a_KeySizeBits) +{ + if (rsa_gen_key(&m_Rsa, ctr_drbg_random, m_CtrDrbg.GetInternal(), a_KeySizeBits, 65537) != 0) + { + // Key generation failed + return false; + } + + return true; +} + + + + + +AString cRsaPrivateKey::GetPubKeyDER(void) +{ + class cPubKey + { + public: + cPubKey(rsa_context * a_Rsa) : + m_IsValid(false) + { + pk_init(&m_Key); + if (pk_init_ctx(&m_Key, pk_info_from_type(POLARSSL_PK_RSA)) != 0) + { + ASSERT(!"Cannot init PrivKey context"); + return; + } + if (rsa_copy(pk_rsa(m_Key), a_Rsa) != 0) + { + ASSERT(!"Cannot copy PrivKey to PK context"); + return; + } + m_IsValid = true; + } + + ~cPubKey() + { + if (m_IsValid) + { + pk_free(&m_Key); + } + } + + operator pk_context * (void) { return &m_Key; } + + protected: + bool m_IsValid; + pk_context m_Key; + } PkCtx(&m_Rsa); + + unsigned char buf[3000]; + int res = pk_write_pubkey_der(PkCtx, buf, sizeof(buf)); + if (res < 0) + { + return AString(); + } + return AString((const char *)(buf + sizeof(buf) - res), (size_t)res); +} + + + + + +int cRsaPrivateKey::Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength) +{ + if (a_EncryptedLength < m_Rsa.len) + { + LOGD("%s: Invalid a_EncryptedLength: got %u, exp at least %u", + __FUNCTION__, (unsigned)a_EncryptedLength, (unsigned)(m_Rsa.len) + ); + ASSERT(!"Invalid a_DecryptedMaxLength!"); + return -1; + } + if (a_DecryptedMaxLength < m_Rsa.len) + { + LOGD("%s: Invalid a_DecryptedMaxLength: got %u, exp at least %u", + __FUNCTION__, (unsigned)a_EncryptedLength, (unsigned)(m_Rsa.len) + ); + ASSERT(!"Invalid a_DecryptedMaxLength!"); + return -1; + } + size_t DecryptedLength; + int res = rsa_pkcs1_decrypt( + &m_Rsa, ctr_drbg_random, m_CtrDrbg.GetInternal(), RSA_PRIVATE, &DecryptedLength, + a_EncryptedData, a_DecryptedData, a_DecryptedMaxLength + ); + if (res != 0) + { + return -1; + } + return (int)DecryptedLength; +} + + + + + +int cRsaPrivateKey::Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength) +{ + if (a_EncryptedMaxLength < m_Rsa.len) + { + LOGD("%s: Invalid a_EncryptedMaxLength: got %u, exp at least %u", + __FUNCTION__, (unsigned)a_EncryptedMaxLength, (unsigned)(m_Rsa.len) + ); + ASSERT(!"Invalid a_DecryptedMaxLength!"); + return -1; + } + if (a_PlainLength < m_Rsa.len) + { + LOGD("%s: Invalid a_PlainLength: got %u, exp at least %u", + __FUNCTION__, (unsigned)a_PlainLength, (unsigned)(m_Rsa.len) + ); + ASSERT(!"Invalid a_PlainLength!"); + return -1; + } + int res = rsa_pkcs1_encrypt( + &m_Rsa, ctr_drbg_random, m_CtrDrbg.GetInternal(), RSA_PRIVATE, + a_PlainLength, a_PlainData, a_EncryptedData + ); + if (res != 0) + { + return -1; + } + return (int)m_Rsa.len; +} + + + + + diff --git a/src/PolarSSL++/RsaPrivateKey.h b/src/PolarSSL++/RsaPrivateKey.h new file mode 100644 index 000000000..ffacde11b --- /dev/null +++ b/src/PolarSSL++/RsaPrivateKey.h @@ -0,0 +1,59 @@ + +// RsaPrivateKey.h + +// Declares the cRsaPrivateKey class representing a private key for RSA operations. + + + + + +#pragma once + +#include "CtrDrbgContext.h" +#include "polarssl/rsa.h" + + + + + +/** Encapsulates an RSA private key used in PKI cryptography */ +class cRsaPrivateKey +{ +public: + /** Creates a new empty object, the key is not assigned */ + cRsaPrivateKey(void); + + /** Deep-copies the key from a_Other */ + cRsaPrivateKey(const cRsaPrivateKey & a_Other); + + ~cRsaPrivateKey(); + + /** Generates a new key within this object, with the specified size in bits. + Returns true on success, false on failure. */ + bool Generate(unsigned a_KeySizeBits = 1024); + + /** Returns the public key part encoded in ASN1 DER encoding */ + AString GetPubKeyDER(void); + + /** Decrypts the data using RSAES-PKCS#1 algorithm. + Both a_EncryptedData and a_DecryptedData must be at least bytes large. + Returns the number of bytes decrypted, or negative number for error. */ + int Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength); + + /** Encrypts the data using RSAES-PKCS#1 algorithm. + Both a_EncryptedData and a_DecryptedData must be at least bytes large. + Returns the number of bytes decrypted, or negative number for error. */ + int Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength); + +protected: + /** The PolarSSL key context */ + rsa_context m_Rsa; + + /** The random generator used for generating the key and encryption / decryption */ + cCtrDrbgContext m_CtrDrbg; +} ; + + + + + -- cgit v1.2.3 From 79ec770d77beb0ce9176ee9858b830c32380b742 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Tue, 29 Apr 2014 11:17:47 +0200 Subject: Added missing initialization. --- src/PolarSSL++/RsaPrivateKey.cpp | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/RsaPrivateKey.cpp b/src/PolarSSL++/RsaPrivateKey.cpp index d042139cf..2d5a2a4b1 100644 --- a/src/PolarSSL++/RsaPrivateKey.cpp +++ b/src/PolarSSL++/RsaPrivateKey.cpp @@ -14,6 +14,7 @@ cRsaPrivateKey::cRsaPrivateKey(void) { rsa_init(&m_Rsa, RSA_PKCS_V15, 0); + m_CtrDrbg.Initialize("RSA", 3); } @@ -24,6 +25,7 @@ cRsaPrivateKey::cRsaPrivateKey(const cRsaPrivateKey & a_Other) { rsa_init(&m_Rsa, RSA_PKCS_V15, 0); rsa_copy(&m_Rsa, &a_Other.m_Rsa); + m_CtrDrbg.Initialize("RSA", 3); } @@ -41,9 +43,10 @@ cRsaPrivateKey::~cRsaPrivateKey() bool cRsaPrivateKey::Generate(unsigned a_KeySizeBits) { - if (rsa_gen_key(&m_Rsa, ctr_drbg_random, m_CtrDrbg.GetInternal(), a_KeySizeBits, 65537) != 0) + int res = rsa_gen_key(&m_Rsa, ctr_drbg_random, m_CtrDrbg.GetInternal(), a_KeySizeBits, 65537); + if (res != 0) { - // Key generation failed + LOG("RSA key generation failed: -0x%x", -res); return false; } -- cgit v1.2.3 From d9f7ae6a4d0895752c1a62657c36433e92104346 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Tue, 29 Apr 2014 17:13:08 +0200 Subject: Moved cPublicKey to its separate file in PolarSSL++. --- src/PolarSSL++/CMakeLists.txt | 2 ++ src/PolarSSL++/CtrDrbgContext.h | 1 + src/PolarSSL++/PublicKey.cpp | 73 +++++++++++++++++++++++++++++++++++++++++ src/PolarSSL++/PublicKey.h | 48 +++++++++++++++++++++++++++ 4 files changed, 124 insertions(+) create mode 100644 src/PolarSSL++/PublicKey.cpp create mode 100644 src/PolarSSL++/PublicKey.h (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index ebdd52de5..bf7720abc 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -10,6 +10,7 @@ set(SOURCES "CallbackSslContext.cpp" "CtrDrbgContext.cpp" "EntropyContext.cpp" + "PublicKey.cpp" "RsaPrivateKey.cpp" "SslContext.cpp" "X509Cert.cpp" @@ -21,6 +22,7 @@ set(HEADERS "CallbackSslContext.h" "CtrDrbgContext.h" "EntropyContext.h" + "PublicKey.h" "RsaPrivateKey.h" "SslContext.h" "X509Cert.h" diff --git a/src/PolarSSL++/CtrDrbgContext.h b/src/PolarSSL++/CtrDrbgContext.h index 817222a53..65e9a2374 100644 --- a/src/PolarSSL++/CtrDrbgContext.h +++ b/src/PolarSSL++/CtrDrbgContext.h @@ -26,6 +26,7 @@ class cCtrDrbgContext { friend class cSslContext; friend class cRsaPrivateKey; + friend class cPublicKey; public: /** Constructs the context with a new entropy context. */ diff --git a/src/PolarSSL++/PublicKey.cpp b/src/PolarSSL++/PublicKey.cpp new file mode 100644 index 000000000..49794a0c8 --- /dev/null +++ b/src/PolarSSL++/PublicKey.cpp @@ -0,0 +1,73 @@ + +// PublicKey.cpp + +// Implements the cPublicKey class representing a RSA public key in PolarSSL + +#include "Globals.h" +#include "PublicKey.h" + + + + + +cPublicKey::cPublicKey(const AString & a_PublicKeyDER) +{ + pk_init(&m_Pk); + if (pk_parse_public_key(&m_Pk, (const Byte *)a_PublicKeyDER.data(), a_PublicKeyDER.size()) != 0) + { + ASSERT(!"Cannot parse PubKey"); + return; + } + m_CtrDrbg.Initialize("rsa_pubkey", 10); +} + + + + + +cPublicKey::~cPublicKey() +{ + pk_free(&m_Pk); +} + + + + + +int cPublicKey::Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength) +{ + size_t DecryptedLen = a_DecryptedMaxLength; + int res = pk_decrypt(&m_Pk, + a_EncryptedData, a_EncryptedLength, + a_DecryptedData, &DecryptedLen, a_DecryptedMaxLength, + ctr_drbg_random, m_CtrDrbg.GetInternal() + ); + if (res != 0) + { + return res; + } + return (int)DecryptedLen; +} + + + + + +int cPublicKey::Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength) +{ + size_t EncryptedLength = a_EncryptedMaxLength; + int res = pk_encrypt(&m_Pk, + a_PlainData, a_PlainLength, a_EncryptedData, &EncryptedLength, a_EncryptedMaxLength, + ctr_drbg_random, m_CtrDrbg.GetInternal() + ); + if (res != 0) + { + return res; + } + return (int)EncryptedLength; +} + + + + + diff --git a/src/PolarSSL++/PublicKey.h b/src/PolarSSL++/PublicKey.h new file mode 100644 index 000000000..5a0a57147 --- /dev/null +++ b/src/PolarSSL++/PublicKey.h @@ -0,0 +1,48 @@ + +// PublicKey.h + +// Declares the cPublicKey class representing a RSA public key in PolarSSL + + + + + +#pragma once + +#include "CtrDrbgContext.h" +#include "polarssl/pk.h" + + + + + +class cPublicKey +{ +public: + /** Constructs the public key out of the DER-encoded pubkey data */ + cPublicKey(const AString & a_PublicKeyDER); + + ~cPublicKey(); + + /** Decrypts the data using the stored public key + Both a_EncryptedData and a_DecryptedData must be at least bytes large. + Returns the number of bytes decrypted, or negative number for error. */ + int Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength); + + /** Encrypts the data using the stored public key + Both a_EncryptedData and a_DecryptedData must be at least bytes large. + Returns the number of bytes decrypted, or negative number for error. */ + int Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength); + +protected: + /** The public key PolarSSL representation */ + pk_context m_Pk; + + /** The random generator used in encryption and decryption */ + cCtrDrbgContext m_CtrDrbg; +} ; + + + + + -- cgit v1.2.3 From 6cb2d2461f869d5c9d986cccec5edf1021878df2 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Tue, 29 Apr 2014 17:37:15 +0200 Subject: Moved the rest of the Crypto objects into their own respective files. --- src/PolarSSL++/AesCfb128Decryptor.cpp | 67 +++++++++++++++++ src/PolarSSL++/AesCfb128Decryptor.h | 52 +++++++++++++ src/PolarSSL++/AesCfb128Encryptor.cpp | 68 +++++++++++++++++ src/PolarSSL++/AesCfb128Encryptor.h | 50 ++++++++++++ src/PolarSSL++/CMakeLists.txt | 42 ++++++----- src/PolarSSL++/Sha1Checksum.cpp | 138 ++++++++++++++++++++++++++++++++++ src/PolarSSL++/Sha1Checksum.h | 52 +++++++++++++ 7 files changed, 451 insertions(+), 18 deletions(-) create mode 100644 src/PolarSSL++/AesCfb128Decryptor.cpp create mode 100644 src/PolarSSL++/AesCfb128Decryptor.h create mode 100644 src/PolarSSL++/AesCfb128Encryptor.cpp create mode 100644 src/PolarSSL++/AesCfb128Encryptor.h create mode 100644 src/PolarSSL++/Sha1Checksum.cpp create mode 100644 src/PolarSSL++/Sha1Checksum.h (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/AesCfb128Decryptor.cpp b/src/PolarSSL++/AesCfb128Decryptor.cpp new file mode 100644 index 000000000..af0d5106e --- /dev/null +++ b/src/PolarSSL++/AesCfb128Decryptor.cpp @@ -0,0 +1,67 @@ + +// AesCfb128Decryptor.cpp + +// Implements the cAesCfb128Decryptor class decrypting data using AES CFB-128 + +#include "Globals.h" +#include "AesCfb128Decryptor.h" + + + + + +cAesCfb128Decryptor::cAesCfb128Decryptor(void) : + m_IVOffset(0), + m_IsValid(false) +{ +} + + + + + +cAesCfb128Decryptor::~cAesCfb128Decryptor() +{ + // Clear the leftover in-memory data, so that they can't be accessed by a backdoor + memset(&m_Aes, 0, sizeof(m_Aes)); +} + + + + + +void cAesCfb128Decryptor::Init(const Byte a_Key[16], const Byte a_IV[16]) +{ + ASSERT(!IsValid()); // Cannot Init twice + + memcpy(m_IV, a_IV, 16); + aes_setkey_enc(&m_Aes, a_Key, 128); + m_IsValid = true; +} + + + + + +void cAesCfb128Decryptor::ProcessData(Byte * a_DecryptedOut, const Byte * a_EncryptedIn, size_t a_Length) +{ + ASSERT(IsValid()); // Must Init() first + + // PolarSSL doesn't support AES-CFB8, need to implement it manually: + for (size_t i = 0; i < a_Length; i++) + { + Byte Buffer[sizeof(m_IV)]; + aes_crypt_ecb(&m_Aes, AES_ENCRYPT, m_IV, Buffer); + for (size_t idx = 0; idx < sizeof(m_IV) - 1; idx++) + { + m_IV[idx] = m_IV[idx + 1]; + } + m_IV[sizeof(m_IV) - 1] = a_EncryptedIn[i]; + a_DecryptedOut[i] = a_EncryptedIn[i] ^ Buffer[0]; + } +} + + + + + diff --git a/src/PolarSSL++/AesCfb128Decryptor.h b/src/PolarSSL++/AesCfb128Decryptor.h new file mode 100644 index 000000000..68c203d70 --- /dev/null +++ b/src/PolarSSL++/AesCfb128Decryptor.h @@ -0,0 +1,52 @@ + +// AesCfb128Decryptor.h + +// Declares the cAesCfb128Decryptor class decrypting data using AES CFB-128 + + + + + +#pragma once + +#include "polarssl/aes.h" + + + + + +/** Decrypts data using the AES / CFB 128 algorithm */ +class cAesCfb128Decryptor +{ +public: + Byte test; + + cAesCfb128Decryptor(void); + ~cAesCfb128Decryptor(); + + /** Initializes the decryptor with the specified Key / IV */ + void Init(const Byte a_Key[16], const Byte a_IV[16]); + + /** Decrypts a_Length bytes of the encrypted data; produces a_Length output bytes */ + void ProcessData(Byte * a_DecryptedOut, const Byte * a_EncryptedIn, size_t a_Length); + + /** Returns true if the object has been initialized with the Key / IV */ + bool IsValid(void) const { return m_IsValid; } + +protected: + aes_context m_Aes; + + /** The InitialVector, used by the CFB mode decryption */ + Byte m_IV[16]; + + /** Current offset in the m_IV, used by the CFB mode decryption */ + size_t m_IVOffset; + + /** Indicates whether the object has been initialized with the Key / IV */ + bool m_IsValid; +} ; + + + + + diff --git a/src/PolarSSL++/AesCfb128Encryptor.cpp b/src/PolarSSL++/AesCfb128Encryptor.cpp new file mode 100644 index 000000000..a641ad48e --- /dev/null +++ b/src/PolarSSL++/AesCfb128Encryptor.cpp @@ -0,0 +1,68 @@ + +// AesCfb128Encryptor.cpp + +// Implements the cAesCfb128Encryptor class encrypting data using AES CFB-128 + +#include "Globals.h" +#include "AesCfb128Encryptor.h" + + + + + +cAesCfb128Encryptor::cAesCfb128Encryptor(void) : + m_IVOffset(0), + m_IsValid(false) +{ +} + + + + + +cAesCfb128Encryptor::~cAesCfb128Encryptor() +{ + // Clear the leftover in-memory data, so that they can't be accessed by a backdoor + memset(&m_Aes, 0, sizeof(m_Aes)); +} + + + + + +void cAesCfb128Encryptor::Init(const Byte a_Key[16], const Byte a_IV[16]) +{ + ASSERT(!IsValid()); // Cannot Init twice + ASSERT(m_IVOffset == 0); + + memcpy(m_IV, a_IV, 16); + aes_setkey_enc(&m_Aes, a_Key, 128); + m_IsValid = true; +} + + + + + +void cAesCfb128Encryptor::ProcessData(Byte * a_EncryptedOut, const Byte * a_PlainIn, size_t a_Length) +{ + ASSERT(IsValid()); // Must Init() first + + // PolarSSL doesn't do AES-CFB8, so we need to implement it ourselves: + for (size_t i = 0; i < a_Length; i++) + { + Byte Buffer[sizeof(m_IV)]; + aes_crypt_ecb(&m_Aes, AES_ENCRYPT, m_IV, Buffer); + for (size_t idx = 0; idx < sizeof(m_IV) - 1; idx++) + { + m_IV[idx] = m_IV[idx + 1]; + } + a_EncryptedOut[i] = a_PlainIn[i] ^ Buffer[0]; + m_IV[sizeof(m_IV) - 1] = a_EncryptedOut[i]; + } +} + + + + + diff --git a/src/PolarSSL++/AesCfb128Encryptor.h b/src/PolarSSL++/AesCfb128Encryptor.h new file mode 100644 index 000000000..9dbb5d2c3 --- /dev/null +++ b/src/PolarSSL++/AesCfb128Encryptor.h @@ -0,0 +1,50 @@ + +// AesCfb128Encryptor.h + +// Declares the cAesCfb128Encryptor class encrypting data using AES CFB-128 + + + + + +#pragma once + +#include "polarssl/aes.h" + + + + + +/** Encrypts data using the AES / CFB (128) algorithm */ +class cAesCfb128Encryptor +{ +public: + cAesCfb128Encryptor(void); + ~cAesCfb128Encryptor(); + + /** Initializes the decryptor with the specified Key / IV */ + void Init(const Byte a_Key[16], const Byte a_IV[16]); + + /** Encrypts a_Length bytes of the plain data; produces a_Length output bytes */ + void ProcessData(Byte * a_EncryptedOut, const Byte * a_PlainIn, size_t a_Length); + + /** Returns true if the object has been initialized with the Key / IV */ + bool IsValid(void) const { return m_IsValid; } + +protected: + aes_context m_Aes; + + /** The InitialVector, used by the CFB mode encryption */ + Byte m_IV[16]; + + /** Current offset in the m_IV, used by the CFB mode encryption */ + size_t m_IVOffset; + + /** Indicates whether the object has been initialized with the Key / IV */ + bool m_IsValid; +} ; + + + + + diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index bf7720abc..b0a592760 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -5,27 +5,33 @@ project (MCServer) include_directories ("${PROJECT_SOURCE_DIR}/../") set(SOURCES - "BlockingSslClientSocket.cpp" - "BufferedSslContext.cpp" - "CallbackSslContext.cpp" - "CtrDrbgContext.cpp" - "EntropyContext.cpp" - "PublicKey.cpp" - "RsaPrivateKey.cpp" - "SslContext.cpp" - "X509Cert.cpp" + AesCfb128Decryptor.cpp + AesCfb128Encryptor.cpp + BlockingSslClientSocket.cpp + BufferedSslContext.cpp + CallbackSslContext.cpp + CtrDrbgContext.cpp + EntropyContext.cpp + PublicKey.cpp + RsaPrivateKey.cpp + Sha1Checksum.cpp + SslContext.cpp + X509Cert.cpp ) set(HEADERS - "BlockingSslClientSocket.h" - "BufferedSslContext.h" - "CallbackSslContext.h" - "CtrDrbgContext.h" - "EntropyContext.h" - "PublicKey.h" - "RsaPrivateKey.h" - "SslContext.h" - "X509Cert.h" + AesCfb128Decryptor.h + AesCfb128Encryptor.h + BlockingSslClientSocket.h + BufferedSslContext.h + CallbackSslContext.h + CtrDrbgContext.h + EntropyContext.h + PublicKey.h + RsaPrivateKey.h + SslContext.h + Sha1Checksum.h + X509Cert.h ) add_library(PolarSSL++ ${SOURCES} ${HEADERS}) diff --git a/src/PolarSSL++/Sha1Checksum.cpp b/src/PolarSSL++/Sha1Checksum.cpp new file mode 100644 index 000000000..a1ee9d7b9 --- /dev/null +++ b/src/PolarSSL++/Sha1Checksum.cpp @@ -0,0 +1,138 @@ + +// Sha1Checksum.cpp + +// Declares the cSha1Checksum class representing the SHA-1 checksum calculator + +#include "Globals.h" +#include "Sha1Checksum.h" + + + + + +/* +// Self-test the hash formatting for known values: +// sha1(Notch) : 4ed1f46bbe04bc756bcb17c0c7ce3e4632f06a48 +// sha1(jeb_) : -7c9d5b0044c130109a5d7b5fb5c317c02b4e28c1 +// sha1(simon) : 88e16a1019277b15d58faf0541e11910eb756f6 + +static class Test +{ +public: + Test(void) + { + AString DigestNotch, DigestJeb, DigestSimon; + Byte Digest[20]; + cSha1Checksum Checksum; + Checksum.Update((const Byte *)"Notch", 5); + Checksum.Finalize(Digest); + cSha1Checksum::DigestToJava(Digest, DigestNotch); + Checksum.Restart(); + Checksum.Update((const Byte *)"jeb_", 4); + Checksum.Finalize(Digest); + cSha1Checksum::DigestToJava(Digest, DigestJeb); + Checksum.Restart(); + Checksum.Update((const Byte *)"simon", 5); + Checksum.Finalize(Digest); + cSha1Checksum::DigestToJava(Digest, DigestSimon); + printf("Notch: \"%s\"\n", DigestNotch.c_str()); + printf("jeb_: \"%s\"\n", DigestJeb.c_str()); + printf("simon: \"%s\"\n", DigestSimon.c_str()); + assert(DigestNotch == "4ed1f46bbe04bc756bcb17c0c7ce3e4632f06a48"); + assert(DigestJeb == "-7c9d5b0044c130109a5d7b5fb5c317c02b4e28c1"); + assert(DigestSimon == "88e16a1019277b15d58faf0541e11910eb756f6"); + } +} test; +*/ + + + + + + +/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +// cSha1Checksum: + +cSha1Checksum::cSha1Checksum(void) : + m_DoesAcceptInput(true) +{ + sha1_starts(&m_Sha1); +} + + + + + +void cSha1Checksum::Update(const Byte * a_Data, size_t a_Length) +{ + ASSERT(m_DoesAcceptInput); // Not Finalize()-d yet, or Restart()-ed + + sha1_update(&m_Sha1, a_Data, a_Length); +} + + + + + +void cSha1Checksum::Finalize(cSha1Checksum::Checksum & a_Output) +{ + ASSERT(m_DoesAcceptInput); // Not Finalize()-d yet, or Restart()-ed + + sha1_finish(&m_Sha1, a_Output); + m_DoesAcceptInput = false; +} + + + + + +void cSha1Checksum::DigestToJava(const Checksum & a_Digest, AString & a_Out) +{ + Checksum Digest; + memcpy(Digest, a_Digest, sizeof(Digest)); + + bool IsNegative = (Digest[0] >= 0x80); + if (IsNegative) + { + // Two's complement: + bool carry = true; // Add one to the whole number + for (int i = 19; i >= 0; i--) + { + Digest[i] = ~Digest[i]; + if (carry) + { + carry = (Digest[i] == 0xff); + Digest[i]++; + } + } + } + a_Out.clear(); + a_Out.reserve(40); + for (int i = 0; i < 20; i++) + { + AppendPrintf(a_Out, "%02x", Digest[i]); + } + while ((a_Out.length() > 0) && (a_Out[0] == '0')) + { + a_Out.erase(0, 1); + } + if (IsNegative) + { + a_Out.insert(0, "-"); + } +} + + + + + + +void cSha1Checksum::Restart(void) +{ + sha1_starts(&m_Sha1); + m_DoesAcceptInput = true; +} + + + + diff --git a/src/PolarSSL++/Sha1Checksum.h b/src/PolarSSL++/Sha1Checksum.h new file mode 100644 index 000000000..68fdbcf1b --- /dev/null +++ b/src/PolarSSL++/Sha1Checksum.h @@ -0,0 +1,52 @@ + +// Sha1Checksum.h + +// Declares the cSha1Checksum class representing the SHA-1 checksum calculator + + + + + +#pragma once + +#include "polarssl/sha1.h" + + + + + +/** Calculates a SHA1 checksum for data stream */ +class cSha1Checksum +{ +public: + typedef Byte Checksum[20]; // The type used for storing the checksum + + cSha1Checksum(void); + + /** Adds the specified data to the checksum */ + void Update(const Byte * a_Data, size_t a_Length); + + /** Calculates and returns the final checksum */ + void Finalize(Checksum & a_Output); + + /** Returns true if the object is accepts more input data, false if Finalize()-d (need to Restart()) */ + bool DoesAcceptInput(void) const { return m_DoesAcceptInput; } + + /** Converts a raw 160-bit SHA1 digest into a Java Hex representation + According to http://wiki.vg/wiki/index.php?title=Protocol_Encryption&oldid=2802 + */ + static void DigestToJava(const Checksum & a_Digest, AString & a_JavaOut); + + /** Clears the current context and start a new checksum calculation */ + void Restart(void); + +protected: + /** True if the object is accepts more input data, false if Finalize()-d (need to Restart()) */ + bool m_DoesAcceptInput; + + sha1_context m_Sha1; +} ; + + + + -- cgit v1.2.3 From e6786074d58d81a230a6d5d01a5d89fa2f5ab16e Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 1 May 2014 00:27:42 +0200 Subject: Added cBufferedSslContext implementation. --- src/PolarSSL++/BufferedSslContext.cpp | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/BufferedSslContext.cpp b/src/PolarSSL++/BufferedSslContext.cpp index 885b30c68..2455d5781 100644 --- a/src/PolarSSL++/BufferedSslContext.cpp +++ b/src/PolarSSL++/BufferedSslContext.cpp @@ -20,6 +20,37 @@ cBufferedSslContext::cBufferedSslContext(size_t a_BufferSize): +size_t cBufferedSslContext::WriteIncoming(const void * a_Data, size_t a_NumBytes) +{ + size_t NumBytes = std::min(m_IncomingData.GetFreeSpace(), a_NumBytes); + if (NumBytes > 0) + { + m_IncomingData.Write(a_Data, NumBytes); + return a_NumBytes - NumBytes; + } + return 0; +} + + + + + +size_t cBufferedSslContext::ReadOutgoing(void * a_Data, size_t a_DataMaxSize) +{ + size_t NumBytes = std::min(m_OutgoingData.GetReadableSpace(), a_DataMaxSize); + if (NumBytes > 0) + { + m_OutgoingData.ReadBuf(a_Data, NumBytes); + m_OutgoingData.CommitRead(); + return a_DataMaxSize - NumBytes; + } + return 0; +} + + + + + int cBufferedSslContext::ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) { // Called when PolarSSL wants to read encrypted data from the SSL peer -- cgit v1.2.3 From 47feb91e57f83c81722188ec3025c3109758dd33 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 1 May 2014 00:28:27 +0200 Subject: cSslContext supports setting own cert / privkey. --- src/PolarSSL++/PublicKey.cpp | 82 ++++++++++++++++++++++++++++++++++++++++-- src/PolarSSL++/PublicKey.h | 32 +++++++++++++++-- src/PolarSSL++/RsaPrivateKey.h | 8 +++++ src/PolarSSL++/SslContext.cpp | 50 +++++++++++++++++++++++++- src/PolarSSL++/SslContext.h | 22 +++++++++++- 5 files changed, 187 insertions(+), 7 deletions(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/PublicKey.cpp b/src/PolarSSL++/PublicKey.cpp index 49794a0c8..dae026082 100644 --- a/src/PolarSSL++/PublicKey.cpp +++ b/src/PolarSSL++/PublicKey.cpp @@ -10,15 +10,44 @@ -cPublicKey::cPublicKey(const AString & a_PublicKeyDER) +cPublicKey::cPublicKey(void) { pk_init(&m_Pk); - if (pk_parse_public_key(&m_Pk, (const Byte *)a_PublicKeyDER.data(), a_PublicKeyDER.size()) != 0) + m_CtrDrbg.Initialize("rsa_pubkey", 10); +} + + + + + +cPublicKey::cPublicKey(const AString & a_PublicKeyData) +{ + pk_init(&m_Pk); + m_CtrDrbg.Initialize("rsa_pubkey", 10); + int res = ParsePublic(a_PublicKeyData.data(), a_PublicKeyData.size()); + if (res != 0) { + LOGWARNING("Failed to parse public key: -0x%x", res); + ASSERT(!"Cannot parse PubKey"); + return; + } +} + + + + + +cPublicKey::cPublicKey(const AString & a_PrivateKeyData, const AString & a_Password) +{ + pk_init(&m_Pk); + m_CtrDrbg.Initialize("rsa_privkey", 11); + int res = ParsePrivate(a_PrivateKeyData.data(), a_PrivateKeyData.size(), a_Password); + if (res != 0) + { + LOGWARNING("Failed to parse private key: -0x%x", res); ASSERT(!"Cannot parse PubKey"); return; } - m_CtrDrbg.Initialize("rsa_pubkey", 10); } @@ -36,6 +65,8 @@ cPublicKey::~cPublicKey() int cPublicKey::Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength) { + ASSERT(IsValid()); + size_t DecryptedLen = a_DecryptedMaxLength; int res = pk_decrypt(&m_Pk, a_EncryptedData, a_EncryptedLength, @@ -55,6 +86,8 @@ int cPublicKey::Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, int cPublicKey::Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength) { + ASSERT(IsValid()); + size_t EncryptedLength = a_EncryptedMaxLength; int res = pk_encrypt(&m_Pk, a_PlainData, a_PlainLength, a_EncryptedData, &EncryptedLength, a_EncryptedMaxLength, @@ -71,3 +104,46 @@ int cPublicKey::Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a + +int cPublicKey::ParsePublic(const void * a_Data, size_t a_NumBytes) +{ + ASSERT(!IsValid()); // Cannot parse a second key + + return pk_parse_public_key(&m_Pk, (const unsigned char *)a_Data, a_NumBytes); +} + + + + + + +int cPublicKey::ParsePrivate(const void * a_Data, size_t a_NumBytes, const AString & a_Password) +{ + ASSERT(!IsValid()); // Cannot parse a second key + + if (a_Password.empty()) + { + return pk_parse_key(&m_Pk, (const unsigned char *)a_Data, a_NumBytes, NULL, 0); + } + else + { + return pk_parse_key( + &m_Pk, + (const unsigned char *)a_Data, a_NumBytes, + (const unsigned char *)a_Password.c_str(), a_Password.size() + ); + } +} + + + + + +bool cPublicKey::IsValid(void) const +{ + return (pk_get_type(&m_Pk) != POLARSSL_PK_NONE); +} + + + + diff --git a/src/PolarSSL++/PublicKey.h b/src/PolarSSL++/PublicKey.h index 5a0a57147..df52a4143 100644 --- a/src/PolarSSL++/PublicKey.h +++ b/src/PolarSSL++/PublicKey.h @@ -18,9 +18,18 @@ class cPublicKey { + friend class cSslContext; + public: - /** Constructs the public key out of the DER-encoded pubkey data */ - cPublicKey(const AString & a_PublicKeyDER); + /** Constructs an empty key instance. Before use, it needs to be filled by ParsePublic() or ParsePrivate() */ + cPublicKey(void); + + /** Constructs the public key out of the DER- or PEM-encoded pubkey data */ + cPublicKey(const AString & a_PublicKeyData); + + /** Constructs the private key out of the DER- or PEM-encoded privkey data, with the specified password. + If a_Password is empty, no password is assumed. */ + cPublicKey(const AString & a_PrivateKeyData, const AString & a_Password); ~cPublicKey(); @@ -33,6 +42,20 @@ public: Both a_EncryptedData and a_DecryptedData must be at least bytes large. Returns the number of bytes decrypted, or negative number for error. */ int Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength); + + /** Parses the specified data into a public key representation. + The key can be DER- or PEM-encoded. + Returns 0 on success, PolarSSL error code on failure. */ + int ParsePublic(const void * a_Data, size_t a_NumBytes); + + /** Parses the specified data into a private key representation. + If a_Password is empty, no password is assumed. + The key can be DER- or PEM-encoded. + Returns 0 on success, PolarSSL error code on failure. */ + int ParsePrivate(const void * a_Data, size_t a_NumBytes, const AString & a_Password); + + /** Returns true if the contained key is valid. */ + bool IsValid(void) const; protected: /** The public key PolarSSL representation */ @@ -40,8 +63,13 @@ protected: /** The random generator used in encryption and decryption */ cCtrDrbgContext m_CtrDrbg; + + + /** Returns the internal context ptr. Only use in PolarSSL API calls. */ + pk_context * GetInternal(void) { return &m_Pk; } } ; +typedef SharedPtr cPublicKeyPtr; diff --git a/src/PolarSSL++/RsaPrivateKey.h b/src/PolarSSL++/RsaPrivateKey.h index ffacde11b..4d03f27df 100644 --- a/src/PolarSSL++/RsaPrivateKey.h +++ b/src/PolarSSL++/RsaPrivateKey.h @@ -19,6 +19,8 @@ /** Encapsulates an RSA private key used in PKI cryptography */ class cRsaPrivateKey { + friend class cSslContext; + public: /** Creates a new empty object, the key is not assigned */ cRsaPrivateKey(void); @@ -51,8 +53,14 @@ protected: /** The random generator used for generating the key and encryption / decryption */ cCtrDrbgContext m_CtrDrbg; + + + /** Returns the internal context ptr. Only use in PolarSSL API calls. */ + rsa_context * GetInternal(void) { return &m_Rsa; } } ; +typedef SharedPtr cRsaPrivateKeyPtr; + diff --git a/src/PolarSSL++/SslContext.cpp b/src/PolarSSL++/SslContext.cpp index 1994cf844..3d2b8cef7 100644 --- a/src/PolarSSL++/SslContext.cpp +++ b/src/PolarSSL++/SslContext.cpp @@ -40,7 +40,7 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr & if (m_IsValid) { LOGWARNING("SSL: Double initialization is not supported."); - return POLARSSL_ERR_SSL_MALLOC_FAILED; // There is no return value well-suited for this, reuse this one. + return POLARSSL_ERR_SSL_BAD_INPUT_DATA; // There is no return value well-suited for this, reuse this one. } // Set the CtrDrbg context, create a new one if needed: @@ -80,8 +80,56 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr & +void cSslContext::SetOwnCert(const cX509CertPtr & a_OwnCert, const cRsaPrivateKeyPtr & a_OwnCertPrivKey) +{ + ASSERT(m_IsValid); // Call Initialize() first + + // Check that both the cert and the key is valid: + if ((a_OwnCert.get() == NULL) || (a_OwnCertPrivKey.get() == NULL)) + { + LOGWARNING("SSL: Own certificate is not valid, skipping the set."); + return; + } + + // Make sure we have the cert stored for later, PolarSSL only uses the cert later on + m_OwnCert = a_OwnCert; + m_OwnCertPrivKey = a_OwnCertPrivKey; + + // Set into the context: + ssl_set_own_cert_rsa(&m_Ssl, m_OwnCert->GetInternal(), m_OwnCertPrivKey->GetInternal()); +} + + + + + +void cSslContext::SetOwnCert(const cX509CertPtr & a_OwnCert, const cPublicKeyPtr & a_OwnCertPrivKey) +{ + ASSERT(m_IsValid); // Call Initialize() first + + // Check that both the cert and the key is valid: + if ((a_OwnCert.get() == NULL) || (a_OwnCertPrivKey.get() == NULL)) + { + LOGWARNING("SSL: Own certificate is not valid, skipping the set."); + return; + } + + // Make sure we have the cert stored for later, PolarSSL only uses the cert later on + m_OwnCert = a_OwnCert; + m_OwnCertPrivKey2 = a_OwnCertPrivKey; + + // Set into the context: + ssl_set_own_cert(&m_Ssl, m_OwnCert->GetInternal(), m_OwnCertPrivKey2->GetInternal()); +} + + + + + void cSslContext::SetCACerts(const cX509CertPtr & a_CACert, const AString & a_ExpectedPeerName) { + ASSERT(m_IsValid); // Call Initialize() first + // Store the data in our internal buffers, to avoid losing the pointers later on // PolarSSL will need these after this call returns, and the caller may move / delete the data before that: m_ExpectedPeerName = a_ExpectedPeerName; diff --git a/src/PolarSSL++/SslContext.h b/src/PolarSSL++/SslContext.h index 85add5f8b..273939b9f 100644 --- a/src/PolarSSL++/SslContext.h +++ b/src/PolarSSL++/SslContext.h @@ -11,6 +11,8 @@ #include "polarssl/ssl.h" #include "../ByteBuffer.h" +#include "PublicKey.h" +#include "RsaPrivateKey.h" #include "X509Cert.h" @@ -47,7 +49,16 @@ public: /** Returns true if the object has been initialized properly. */ bool IsValid(void) const { return m_IsValid; } - /** Sets a cert chain as the trusted cert store for this context. + /** Sets the certificate to use as our own. Must be used when representing a server, optional when client. + Must be called after Initialize(). */ + void SetOwnCert(const cX509CertPtr & a_OwnCert, const cRsaPrivateKeyPtr & a_OwnCertPrivKey); + + /** Sets the certificate to use as our own. Must be used when representing a server, optional when client. + Must be called after Initialize(). + Despite the class name, a_OwnCertPrivKey is a PRIVATE key. */ + void SetOwnCert(const cX509CertPtr & a_OwnCert, const cPublicKeyPtr & a_OwnCertPrivKey); + + /** Sets a cert chain as the trusted cert store for this context. Must be called after Initialize(). Calling this will switch the context into strict cert verification mode. a_ExpectedPeerName is the CommonName that we expect the SSL peer to have in its cert, if it is different, the verification will fail. An empty string will disable the CN check. */ @@ -93,6 +104,15 @@ protected: /** The SSL context that PolarSSL uses. */ ssl_context m_Ssl; + /** The certificate that we present to the peer. */ + cX509CertPtr m_OwnCert; + + /** Private key for m_OwnCert, if initialized from a cRsaPrivateKey */ + cRsaPrivateKeyPtr m_OwnCertPrivKey; + + /** Private key for m_OwnCert, if initialized from a cPublicKey. Despite the class name, this is a PRIVATE key. */ + cPublicKeyPtr m_OwnCertPrivKey2; + /** True if the SSL handshake has been completed. */ bool m_HasHandshaken; -- cgit v1.2.3 From e2bf3783e8c8f7855532e04203bb1b46b976cfee Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 1 May 2014 11:32:25 +0200 Subject: Fixed BufferedSslContext's buffer reading and writing. --- src/PolarSSL++/BufferedSslContext.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/BufferedSslContext.cpp b/src/PolarSSL++/BufferedSslContext.cpp index 2455d5781..9f7caeb8a 100644 --- a/src/PolarSSL++/BufferedSslContext.cpp +++ b/src/PolarSSL++/BufferedSslContext.cpp @@ -26,7 +26,7 @@ size_t cBufferedSslContext::WriteIncoming(const void * a_Data, size_t a_NumBytes if (NumBytes > 0) { m_IncomingData.Write(a_Data, NumBytes); - return a_NumBytes - NumBytes; + return NumBytes; } return 0; } @@ -42,7 +42,7 @@ size_t cBufferedSslContext::ReadOutgoing(void * a_Data, size_t a_DataMaxSize) { m_OutgoingData.ReadBuf(a_Data, NumBytes); m_OutgoingData.CommitRead(); - return a_DataMaxSize - NumBytes; + return NumBytes; } return 0; } -- cgit v1.2.3 From e1b6a169457b267c3e11bbdb9e58e9ab7b3f0136 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 1 May 2014 11:33:29 +0200 Subject: Added a (disabled) test of low-security ciphersuites. Enabling this allows the connection to be sniffed and decoded using Wireshark, when given the SSL private key. --- src/PolarSSL++/SslContext.cpp | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/SslContext.cpp b/src/PolarSSL++/SslContext.cpp index 3d2b8cef7..df0219610 100644 --- a/src/PolarSSL++/SslContext.cpp +++ b/src/PolarSSL++/SslContext.cpp @@ -70,6 +70,18 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr & ssl_set_dbg(&m_Ssl, &SSLDebugMessage, this); ssl_set_verify(&m_Ssl, &SSLVerifyCert, this); */ + + /* + // Set ciphersuite to the easiest one to decode, so that the connection can be wireshark-decoded: + static const int CipherSuites[] = + { + TLS_RSA_WITH_RC4_128_MD5, + TLS_RSA_WITH_RC4_128_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + 0, // Must be 0-terminated! + }; + ssl_set_ciphersuites(&m_Ssl, CipherSuites); + */ #endif m_IsValid = true; -- cgit v1.2.3 From 1587b21edded56dbfb88150500336c2853b460c6 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 1 May 2014 15:21:41 +0200 Subject: Renamed cPublicKey to cCryptoKey. The class can hold both the private key and the public key, bad naming on PolarSSL's part. Also somewhat fixed the cert and key loading in cHTTPServer. --- src/PolarSSL++/CryptoKey.cpp | 149 ++++++++++++++++++++++++++++++++++++++++ src/PolarSSL++/CryptoKey.h | 76 ++++++++++++++++++++ src/PolarSSL++/CtrDrbgContext.h | 2 +- src/PolarSSL++/PublicKey.cpp | 149 ---------------------------------------- src/PolarSSL++/PublicKey.h | 76 -------------------- src/PolarSSL++/SslContext.cpp | 2 +- src/PolarSSL++/SslContext.h | 13 ++-- 7 files changed, 233 insertions(+), 234 deletions(-) create mode 100644 src/PolarSSL++/CryptoKey.cpp create mode 100644 src/PolarSSL++/CryptoKey.h delete mode 100644 src/PolarSSL++/PublicKey.cpp delete mode 100644 src/PolarSSL++/PublicKey.h (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/CryptoKey.cpp b/src/PolarSSL++/CryptoKey.cpp new file mode 100644 index 000000000..0763c387b --- /dev/null +++ b/src/PolarSSL++/CryptoKey.cpp @@ -0,0 +1,149 @@ + +// CryptoKey.cpp + +// Implements the cCryptoKey class representing a RSA public key in PolarSSL + +#include "Globals.h" +#include "CryptoKey.h" + + + + + +cCryptoKey::cCryptoKey(void) +{ + pk_init(&m_Pk); + m_CtrDrbg.Initialize("rsa_pubkey", 10); +} + + + + + +cCryptoKey::cCryptoKey(const AString & a_PublicKeyData) +{ + pk_init(&m_Pk); + m_CtrDrbg.Initialize("rsa_pubkey", 10); + int res = ParsePublic(a_PublicKeyData.data(), a_PublicKeyData.size()); + if (res != 0) + { + LOGWARNING("Failed to parse public key: -0x%x", res); + ASSERT(!"Cannot parse PubKey"); + return; + } +} + + + + + +cCryptoKey::cCryptoKey(const AString & a_PrivateKeyData, const AString & a_Password) +{ + pk_init(&m_Pk); + m_CtrDrbg.Initialize("rsa_privkey", 11); + int res = ParsePrivate(a_PrivateKeyData.data(), a_PrivateKeyData.size(), a_Password); + if (res != 0) + { + LOGWARNING("Failed to parse private key: -0x%x", res); + ASSERT(!"Cannot parse PubKey"); + return; + } +} + + + + + +cCryptoKey::~cCryptoKey() +{ + pk_free(&m_Pk); +} + + + + + +int cCryptoKey::Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength) +{ + ASSERT(IsValid()); + + size_t DecryptedLen = a_DecryptedMaxLength; + int res = pk_decrypt(&m_Pk, + a_EncryptedData, a_EncryptedLength, + a_DecryptedData, &DecryptedLen, a_DecryptedMaxLength, + ctr_drbg_random, m_CtrDrbg.GetInternal() + ); + if (res != 0) + { + return res; + } + return (int)DecryptedLen; +} + + + + + +int cCryptoKey::Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength) +{ + ASSERT(IsValid()); + + size_t EncryptedLength = a_EncryptedMaxLength; + int res = pk_encrypt(&m_Pk, + a_PlainData, a_PlainLength, a_EncryptedData, &EncryptedLength, a_EncryptedMaxLength, + ctr_drbg_random, m_CtrDrbg.GetInternal() + ); + if (res != 0) + { + return res; + } + return (int)EncryptedLength; +} + + + + + + +int cCryptoKey::ParsePublic(const void * a_Data, size_t a_NumBytes) +{ + ASSERT(!IsValid()); // Cannot parse a second key + + return pk_parse_public_key(&m_Pk, (const unsigned char *)a_Data, a_NumBytes); +} + + + + + + +int cCryptoKey::ParsePrivate(const void * a_Data, size_t a_NumBytes, const AString & a_Password) +{ + ASSERT(!IsValid()); // Cannot parse a second key + + if (a_Password.empty()) + { + return pk_parse_key(&m_Pk, (const unsigned char *)a_Data, a_NumBytes, NULL, 0); + } + else + { + return pk_parse_key( + &m_Pk, + (const unsigned char *)a_Data, a_NumBytes, + (const unsigned char *)a_Password.c_str(), a_Password.size() + ); + } +} + + + + + +bool cCryptoKey::IsValid(void) const +{ + return (pk_get_type(&m_Pk) != POLARSSL_PK_NONE); +} + + + + diff --git a/src/PolarSSL++/CryptoKey.h b/src/PolarSSL++/CryptoKey.h new file mode 100644 index 000000000..9c298e501 --- /dev/null +++ b/src/PolarSSL++/CryptoKey.h @@ -0,0 +1,76 @@ + +// CryptoKey.h + +// Declares the cCryptoKey class representing a RSA public key in PolarSSL + + + + + +#pragma once + +#include "CtrDrbgContext.h" +#include "polarssl/pk.h" + + + + + +class cCryptoKey +{ + friend class cSslContext; + +public: + /** Constructs an empty key instance. Before use, it needs to be filled by ParsePublic() or ParsePrivate() */ + cCryptoKey(void); + + /** Constructs the public key out of the DER- or PEM-encoded pubkey data */ + cCryptoKey(const AString & a_PublicKeyData); + + /** Constructs the private key out of the DER- or PEM-encoded privkey data, with the specified password. + If a_Password is empty, no password is assumed. */ + cCryptoKey(const AString & a_PrivateKeyData, const AString & a_Password); + + ~cCryptoKey(); + + /** Decrypts the data using the stored public key + Both a_EncryptedData and a_DecryptedData must be at least bytes large. + Returns the number of bytes decrypted, or negative number for error. */ + int Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength); + + /** Encrypts the data using the stored public key + Both a_EncryptedData and a_DecryptedData must be at least bytes large. + Returns the number of bytes decrypted, or negative number for error. */ + int Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength); + + /** Parses the specified data into a public key representation. + The key can be DER- or PEM-encoded. + Returns 0 on success, PolarSSL error code on failure. */ + int ParsePublic(const void * a_Data, size_t a_NumBytes); + + /** Parses the specified data into a private key representation. + If a_Password is empty, no password is assumed. + The key can be DER- or PEM-encoded. + Returns 0 on success, PolarSSL error code on failure. */ + int ParsePrivate(const void * a_Data, size_t a_NumBytes, const AString & a_Password); + + /** Returns true if the contained key is valid. */ + bool IsValid(void) const; + +protected: + /** The PolarSSL representation of the key data */ + pk_context m_Pk; + + /** The random generator used in encryption and decryption */ + cCtrDrbgContext m_CtrDrbg; + + + /** Returns the internal context ptr. Only use in PolarSSL API calls. */ + pk_context * GetInternal(void) { return &m_Pk; } +} ; + +typedef SharedPtr cCryptoKeyPtr; + + + + diff --git a/src/PolarSSL++/CtrDrbgContext.h b/src/PolarSSL++/CtrDrbgContext.h index 65e9a2374..230db8753 100644 --- a/src/PolarSSL++/CtrDrbgContext.h +++ b/src/PolarSSL++/CtrDrbgContext.h @@ -26,7 +26,7 @@ class cCtrDrbgContext { friend class cSslContext; friend class cRsaPrivateKey; - friend class cPublicKey; + friend class cCryptoKey; public: /** Constructs the context with a new entropy context. */ diff --git a/src/PolarSSL++/PublicKey.cpp b/src/PolarSSL++/PublicKey.cpp deleted file mode 100644 index dae026082..000000000 --- a/src/PolarSSL++/PublicKey.cpp +++ /dev/null @@ -1,149 +0,0 @@ - -// PublicKey.cpp - -// Implements the cPublicKey class representing a RSA public key in PolarSSL - -#include "Globals.h" -#include "PublicKey.h" - - - - - -cPublicKey::cPublicKey(void) -{ - pk_init(&m_Pk); - m_CtrDrbg.Initialize("rsa_pubkey", 10); -} - - - - - -cPublicKey::cPublicKey(const AString & a_PublicKeyData) -{ - pk_init(&m_Pk); - m_CtrDrbg.Initialize("rsa_pubkey", 10); - int res = ParsePublic(a_PublicKeyData.data(), a_PublicKeyData.size()); - if (res != 0) - { - LOGWARNING("Failed to parse public key: -0x%x", res); - ASSERT(!"Cannot parse PubKey"); - return; - } -} - - - - - -cPublicKey::cPublicKey(const AString & a_PrivateKeyData, const AString & a_Password) -{ - pk_init(&m_Pk); - m_CtrDrbg.Initialize("rsa_privkey", 11); - int res = ParsePrivate(a_PrivateKeyData.data(), a_PrivateKeyData.size(), a_Password); - if (res != 0) - { - LOGWARNING("Failed to parse private key: -0x%x", res); - ASSERT(!"Cannot parse PubKey"); - return; - } -} - - - - - -cPublicKey::~cPublicKey() -{ - pk_free(&m_Pk); -} - - - - - -int cPublicKey::Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength) -{ - ASSERT(IsValid()); - - size_t DecryptedLen = a_DecryptedMaxLength; - int res = pk_decrypt(&m_Pk, - a_EncryptedData, a_EncryptedLength, - a_DecryptedData, &DecryptedLen, a_DecryptedMaxLength, - ctr_drbg_random, m_CtrDrbg.GetInternal() - ); - if (res != 0) - { - return res; - } - return (int)DecryptedLen; -} - - - - - -int cPublicKey::Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength) -{ - ASSERT(IsValid()); - - size_t EncryptedLength = a_EncryptedMaxLength; - int res = pk_encrypt(&m_Pk, - a_PlainData, a_PlainLength, a_EncryptedData, &EncryptedLength, a_EncryptedMaxLength, - ctr_drbg_random, m_CtrDrbg.GetInternal() - ); - if (res != 0) - { - return res; - } - return (int)EncryptedLength; -} - - - - - - -int cPublicKey::ParsePublic(const void * a_Data, size_t a_NumBytes) -{ - ASSERT(!IsValid()); // Cannot parse a second key - - return pk_parse_public_key(&m_Pk, (const unsigned char *)a_Data, a_NumBytes); -} - - - - - - -int cPublicKey::ParsePrivate(const void * a_Data, size_t a_NumBytes, const AString & a_Password) -{ - ASSERT(!IsValid()); // Cannot parse a second key - - if (a_Password.empty()) - { - return pk_parse_key(&m_Pk, (const unsigned char *)a_Data, a_NumBytes, NULL, 0); - } - else - { - return pk_parse_key( - &m_Pk, - (const unsigned char *)a_Data, a_NumBytes, - (const unsigned char *)a_Password.c_str(), a_Password.size() - ); - } -} - - - - - -bool cPublicKey::IsValid(void) const -{ - return (pk_get_type(&m_Pk) != POLARSSL_PK_NONE); -} - - - - diff --git a/src/PolarSSL++/PublicKey.h b/src/PolarSSL++/PublicKey.h deleted file mode 100644 index df52a4143..000000000 --- a/src/PolarSSL++/PublicKey.h +++ /dev/null @@ -1,76 +0,0 @@ - -// PublicKey.h - -// Declares the cPublicKey class representing a RSA public key in PolarSSL - - - - - -#pragma once - -#include "CtrDrbgContext.h" -#include "polarssl/pk.h" - - - - - -class cPublicKey -{ - friend class cSslContext; - -public: - /** Constructs an empty key instance. Before use, it needs to be filled by ParsePublic() or ParsePrivate() */ - cPublicKey(void); - - /** Constructs the public key out of the DER- or PEM-encoded pubkey data */ - cPublicKey(const AString & a_PublicKeyData); - - /** Constructs the private key out of the DER- or PEM-encoded privkey data, with the specified password. - If a_Password is empty, no password is assumed. */ - cPublicKey(const AString & a_PrivateKeyData, const AString & a_Password); - - ~cPublicKey(); - - /** Decrypts the data using the stored public key - Both a_EncryptedData and a_DecryptedData must be at least bytes large. - Returns the number of bytes decrypted, or negative number for error. */ - int Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength); - - /** Encrypts the data using the stored public key - Both a_EncryptedData and a_DecryptedData must be at least bytes large. - Returns the number of bytes decrypted, or negative number for error. */ - int Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength); - - /** Parses the specified data into a public key representation. - The key can be DER- or PEM-encoded. - Returns 0 on success, PolarSSL error code on failure. */ - int ParsePublic(const void * a_Data, size_t a_NumBytes); - - /** Parses the specified data into a private key representation. - If a_Password is empty, no password is assumed. - The key can be DER- or PEM-encoded. - Returns 0 on success, PolarSSL error code on failure. */ - int ParsePrivate(const void * a_Data, size_t a_NumBytes, const AString & a_Password); - - /** Returns true if the contained key is valid. */ - bool IsValid(void) const; - -protected: - /** The public key PolarSSL representation */ - pk_context m_Pk; - - /** The random generator used in encryption and decryption */ - cCtrDrbgContext m_CtrDrbg; - - - /** Returns the internal context ptr. Only use in PolarSSL API calls. */ - pk_context * GetInternal(void) { return &m_Pk; } -} ; - -typedef SharedPtr cPublicKeyPtr; - - - - diff --git a/src/PolarSSL++/SslContext.cpp b/src/PolarSSL++/SslContext.cpp index df0219610..bc397b655 100644 --- a/src/PolarSSL++/SslContext.cpp +++ b/src/PolarSSL++/SslContext.cpp @@ -115,7 +115,7 @@ void cSslContext::SetOwnCert(const cX509CertPtr & a_OwnCert, const cRsaPrivateKe -void cSslContext::SetOwnCert(const cX509CertPtr & a_OwnCert, const cPublicKeyPtr & a_OwnCertPrivKey) +void cSslContext::SetOwnCert(const cX509CertPtr & a_OwnCert, const cCryptoKeyPtr & a_OwnCertPrivKey) { ASSERT(m_IsValid); // Call Initialize() first diff --git a/src/PolarSSL++/SslContext.h b/src/PolarSSL++/SslContext.h index 273939b9f..a4ad1a345 100644 --- a/src/PolarSSL++/SslContext.h +++ b/src/PolarSSL++/SslContext.h @@ -11,7 +11,7 @@ #include "polarssl/ssl.h" #include "../ByteBuffer.h" -#include "PublicKey.h" +#include "CryptoKey.h" #include "RsaPrivateKey.h" #include "X509Cert.h" @@ -54,9 +54,8 @@ public: void SetOwnCert(const cX509CertPtr & a_OwnCert, const cRsaPrivateKeyPtr & a_OwnCertPrivKey); /** Sets the certificate to use as our own. Must be used when representing a server, optional when client. - Must be called after Initialize(). - Despite the class name, a_OwnCertPrivKey is a PRIVATE key. */ - void SetOwnCert(const cX509CertPtr & a_OwnCert, const cPublicKeyPtr & a_OwnCertPrivKey); + Must be called after Initialize(). */ + void SetOwnCert(const cX509CertPtr & a_OwnCert, const cCryptoKeyPtr & a_OwnCertPrivKey); /** Sets a cert chain as the trusted cert store for this context. Must be called after Initialize(). Calling this will switch the context into strict cert verification mode. @@ -107,11 +106,11 @@ protected: /** The certificate that we present to the peer. */ cX509CertPtr m_OwnCert; - /** Private key for m_OwnCert, if initialized from a cRsaPrivateKey */ + /** Private key for m_OwnCert, if initialized from a cRsaPrivateKey. */ cRsaPrivateKeyPtr m_OwnCertPrivKey; - /** Private key for m_OwnCert, if initialized from a cPublicKey. Despite the class name, this is a PRIVATE key. */ - cPublicKeyPtr m_OwnCertPrivKey2; + /** Private key for m_OwnCert, if initialized from a cCryptoKey. */ + cCryptoKeyPtr m_OwnCertPrivKey2; /** True if the SSL handshake has been completed. */ bool m_HasHandshaken; -- cgit v1.2.3 From d9e5dbf16526aa102abdc818d3515928663a973c Mon Sep 17 00:00:00 2001 From: Mattes D Date: Thu, 1 May 2014 18:06:23 +0200 Subject: Renamed PublicKey to CryptoKey in CMakeLists.txt --- src/PolarSSL++/CMakeLists.txt | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index b0a592760..9a59cdb2c 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -1,4 +1,3 @@ - cmake_minimum_required (VERSION 2.6) project (MCServer) @@ -11,8 +10,8 @@ set(SOURCES BufferedSslContext.cpp CallbackSslContext.cpp CtrDrbgContext.cpp + CryptoKey.cpp EntropyContext.cpp - PublicKey.cpp RsaPrivateKey.cpp Sha1Checksum.cpp SslContext.cpp @@ -26,8 +25,8 @@ set(HEADERS BufferedSslContext.h CallbackSslContext.h CtrDrbgContext.h + CryptoKey.h EntropyContext.h - PublicKey.h RsaPrivateKey.h SslContext.h Sha1Checksum.h -- cgit v1.2.3 From 9221b458989512e41f8502b56ed738d143599093 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 1 May 2014 21:23:37 +0200 Subject: cSslContext has virtual destructor now. --- src/PolarSSL++/SslContext.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/SslContext.h b/src/PolarSSL++/SslContext.h index a4ad1a345..6b4f2c1e7 100644 --- a/src/PolarSSL++/SslContext.h +++ b/src/PolarSSL++/SslContext.h @@ -40,7 +40,7 @@ public: /** Creates a new uninitialized context */ cSslContext(void); - ~cSslContext(); + virtual ~cSslContext(); /** Initializes the context for use as a server or client. Returns 0 on success, PolarSSL error on failure. */ -- cgit v1.2.3 From a6eba4ff8b007863eac20693db5dd859f0dcbc70 Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 1 May 2014 22:41:41 +0200 Subject: Fixed warning in cCallbackSslContext::cDataCallbacks. --- src/PolarSSL++/CallbackSslContext.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/CallbackSslContext.h b/src/PolarSSL++/CallbackSslContext.h index 4e4c1ed7f..3e6edc5f4 100644 --- a/src/PolarSSL++/CallbackSslContext.h +++ b/src/PolarSSL++/CallbackSslContext.h @@ -23,6 +23,9 @@ public: class cDataCallbacks { public: + // Force a virtual destructor in descendants: + virtual ~cDataCallbacks() {} + /** Called when PolarSSL wants to read encrypted data from the SSL peer. The returned value is the number of bytes received, or a PolarSSL error on failure. The implementation can return POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE to indicate -- cgit v1.2.3 From 683b839e2b3e634dd1a0a5b85327efe4ffa968fd Mon Sep 17 00:00:00 2001 From: Mattes D Date: Sat, 10 May 2014 09:21:29 +0200 Subject: Client cert is not requested. --- src/PolarSSL++/SslContext.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/SslContext.cpp b/src/PolarSSL++/SslContext.cpp index bc397b655..c3074f197 100644 --- a/src/PolarSSL++/SslContext.cpp +++ b/src/PolarSSL++/SslContext.cpp @@ -59,7 +59,7 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr & return res; } ssl_set_endpoint(&m_Ssl, a_IsClient ? SSL_IS_CLIENT : SSL_IS_SERVER); - ssl_set_authmode(&m_Ssl, SSL_VERIFY_OPTIONAL); + ssl_set_authmode(&m_Ssl, a_IsClient ? SSL_VERIFY_OPTIONAL : SSL_VERIFY_NONE); // Clients ask for server's cert but don't verify strictly; servers don't ask clients for certs by default ssl_set_rng(&m_Ssl, ctr_drbg_random, &m_CtrDrbg->m_CtrDrbg); ssl_set_bio(&m_Ssl, ReceiveEncrypted, this, SendEncrypted, this); -- cgit v1.2.3 From 87c4d0ea576d6a3e8ec78329ff510291ccf0e674 Mon Sep 17 00:00:00 2001 From: worktycho Date: Wed, 4 Jun 2014 10:58:09 +0100 Subject: Initialise m_Callbacks field to NULL in empty constructor. --- src/PolarSSL++/CallbackSslContext.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/CallbackSslContext.cpp b/src/PolarSSL++/CallbackSslContext.cpp index 0cc88a14a..c4d19b2a0 100644 --- a/src/PolarSSL++/CallbackSslContext.cpp +++ b/src/PolarSSL++/CallbackSslContext.cpp @@ -11,7 +11,8 @@ -cCallbackSslContext::cCallbackSslContext(void) +cCallbackSslContext::cCallbackSslContext(void) : + m_Callbacks(NULL) { // Nothing needed, but the constructor needs to exist so } -- cgit v1.2.3 From 85be62a8cd7eeb1c5c9a2967f9928abf46817261 Mon Sep 17 00:00:00 2001 From: worktycho Date: Wed, 4 Jun 2014 11:02:17 +0100 Subject: Removed unused field test --- src/PolarSSL++/AesCfb128Decryptor.h | 1 - 1 file changed, 1 deletion(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/AesCfb128Decryptor.h b/src/PolarSSL++/AesCfb128Decryptor.h index 68c203d70..84c790b83 100644 --- a/src/PolarSSL++/AesCfb128Decryptor.h +++ b/src/PolarSSL++/AesCfb128Decryptor.h @@ -19,7 +19,6 @@ class cAesCfb128Decryptor { public: - Byte test; cAesCfb128Decryptor(void); ~cAesCfb128Decryptor(); -- cgit v1.2.3 From 2423fbf2efa39e28cc348acc11b9269e573dcdef Mon Sep 17 00:00:00 2001 From: madmaxoft Date: Thu, 17 Jul 2014 22:15:34 +0200 Subject: Normalized comments. This was mostly done automatically and then visually inspected for obvious errors. All //-style comments should have a 2-space separation from the code, and 1 space after the comment sign. --- src/PolarSSL++/Sha1Checksum.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/Sha1Checksum.cpp b/src/PolarSSL++/Sha1Checksum.cpp index a1ee9d7b9..e69ef236f 100644 --- a/src/PolarSSL++/Sha1Checksum.cpp +++ b/src/PolarSSL++/Sha1Checksum.cpp @@ -50,7 +50,7 @@ public: -/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////////////////////// // cSha1Checksum: cSha1Checksum::cSha1Checksum(void) : -- cgit v1.2.3 From 135dc333c131a9bde32609351e2b495c80b49f53 Mon Sep 17 00:00:00 2001 From: archshift Date: Fri, 18 Jul 2014 16:04:07 -0700 Subject: CMakeLists: Moved Bindings-specific code to subdir --- src/PolarSSL++/CMakeLists.txt | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'src/PolarSSL++') diff --git a/src/PolarSSL++/CMakeLists.txt b/src/PolarSSL++/CMakeLists.txt index 9a59cdb2c..39d41292d 100644 --- a/src/PolarSSL++/CMakeLists.txt +++ b/src/PolarSSL++/CMakeLists.txt @@ -3,7 +3,7 @@ project (MCServer) include_directories ("${PROJECT_SOURCE_DIR}/../") -set(SOURCES +set(SRCS AesCfb128Decryptor.cpp AesCfb128Encryptor.cpp BlockingSslClientSocket.cpp @@ -18,7 +18,7 @@ set(SOURCES X509Cert.cpp ) -set(HEADERS +set(HDRS AesCfb128Decryptor.h AesCfb128Encryptor.h BlockingSslClientSocket.h @@ -33,8 +33,10 @@ set(HEADERS X509Cert.h ) -add_library(PolarSSL++ ${SOURCES} ${HEADERS}) +if(NOT MSVC) + add_library(PolarSSL++ ${SRCS} ${HDRS}) -if (UNIX) - target_link_libraries(PolarSSL++ polarssl) + if (UNIX) + target_link_libraries(PolarSSL++ polarssl) + endif() endif() -- cgit v1.2.3