void Cipher::Key::assign(const char *text, size_t size, const unsigned char *salt, unsigned count)
{
if(!hashid || !algoid) {
keysize = 0;
return;
}
size_t kpos = 0, ivpos = 0;
size_t mdlen = gnutls_hash_get_len((MD_ID)hashid);
size_t tlen = strlen(text);
if(!hashid || !mdlen) {
clear();
return;
}
char previous[MAX_DIGEST_HASHSIZE / 8];
unsigned char temp[MAX_DIGEST_HASHSIZE / 8];
MD_CTX mdc;
unsigned prior = 0;
unsigned loop;
if(!salt)
salt = _salt;
if(!count)
count = _rounds;
do {
gnutls_hash_init(&mdc, (MD_ID)hashid);
if(prior++)
gnutls_hash(mdc, previous, mdlen);
gnutls_hash(mdc, text, tlen);
if(salt)
gnutls_hash(mdc, salt, 8);
gnutls_hash_deinit(mdc, previous);
for(loop = 1; loop < count; ++loop) {
memcpy(temp, previous, mdlen);
gnutls_hash_fast((MD_ID)hashid, temp, mdlen, previous);
}
size_t pos = 0;
while(kpos < keysize && pos < mdlen)
keybuf[kpos++] = previous[pos++];
while(ivpos < blksize && pos < mdlen)
ivbuf[ivpos++] = previous[pos++];
} while(kpos < keysize || ivpos < blksize);
}
int sha1sum_file(char *fnam, unsigned char *digest)
{
char *buf;
int ret;
FILE *f;
long flen;
if (!fnam)
return -1;
process_lock();
f = fopen_cloexec(fnam, "r");
process_unlock();
if (f < 0) {
SYSERROR("Error opening template");
return -1;
}
if (fseek(f, 0, SEEK_END) < 0) {
SYSERROR("Error seeking to end of template");
lock_fclose(f);
return -1;
}
if ((flen = ftell(f)) < 0) {
SYSERROR("Error telling size of template");
lock_fclose(f);
return -1;
}
if (fseek(f, 0, SEEK_SET) < 0) {
SYSERROR("Error seeking to start of template");
lock_fclose(f);
return -1;
}
if ((buf = malloc(flen+1)) == NULL) {
SYSERROR("Out of memory");
lock_fclose(f);
return -1;
}
if (fread(buf, 1, flen, f) != flen) {
SYSERROR("Failure reading template");
free(buf);
lock_fclose(f);
return -1;
}
if (lock_fclose(f) < 0) {
SYSERROR("Failre closing template");
free(buf);
return -1;
}
buf[flen] = '\0';
ret = gnutls_hash_fast(GNUTLS_DIG_SHA1, buf, flen, (void *)digest);
free(buf);
return ret;
}
/**
* infd_acl_account_info_check_password:
* @info: A #InfdAclAccountInfo.
* @password: The password to check.
*
* Check whether @password is the correct password to log into account.
*
* Returns: %TRUE if @password is correct or %FALSE otherwise.
*/
gboolean
infd_acl_account_info_check_password(const InfdAclAccountInfo* info,
const gchar* password)
{
guint password_len;
gchar* salted_password;
gchar* hash;
int res;
gchar cmp;
guint i;
g_return_val_if_fail(info != NULL, FALSE);
g_return_val_if_fail(password != NULL, FALSE);
password_len = strlen(password);
salted_password = g_malloc(32 + password_len);
memcpy(salted_password, info->password_salt, 16);
memcpy(salted_password + 16, password, password_len);
memcpy(salted_password + 16 + password_len, info->password_salt + 16, 16);
hash = g_malloc(gnutls_hash_get_len(GNUTLS_DIG_SHA256));
res = gnutls_hash_fast(
GNUTLS_DIG_SHA256,
salted_password,
32 + password_len,
hash
);
g_free(salted_password);
if(res != GNUTLS_E_SUCCESS)
{
g_free(hash);
return FALSE;
}
/* length-independent string compare */
cmp = 0;
for(i = 0; i < gnutls_hash_get_len(GNUTLS_DIG_SHA256); ++i)
cmp |= (info->password_hash[i] ^ hash[i]);
g_free(hash);
if(cmp != 0)
return FALSE;
return TRUE;
}
void ip_from_seed(uint8_t *seed, unsigned seed_size,
void *ip, size_t ip_size)
{
uint8_t digest[20];
int ret;
if (ip_size > sizeof(digest)) {
syslog(LOG_ERR, "too large IP!");
abort();
}
ret = gnutls_hash_fast(GNUTLS_DIG_SHA1, seed, seed_size, digest);
if (ret < 0) {
syslog(LOG_ERR, "cannot hash: %s", strerror(ret));
abort();
}
memcpy(ip, digest, ip_size);
}
static int ctx_ocsp_response(gnutls_session_t session, void* ptr, gnutls_datum_t* ocsp_resp) {
liGnuTLSOCSP* ocsp = ptr;
guint i;
int r;
gnutls_datum_t serial = { NULL, 0 };
gnutls_datum_t issuer_name = { NULL, 0 };
char* issuer_name_hash = NULL;
if (0 == ocsp->responses->len) return GNUTLS_E_NO_CERTIFICATE_STATUS;
serial.size = ocsp->max_serial_length;
serial.data = gnutls_malloc(serial.size);
issuer_name_hash = gnutls_malloc(ocsp->max_hash_length);
{
gnutls_datum_t const* crt_datum;
gnutls_x509_crt_t crt = NULL;
size_t serial_size = ocsp->max_serial_length;
crt_datum = gnutls_certificate_get_ours(session); /* memory is NOT owned */
if (GNUTLS_E_SUCCESS > (r = gnutls_x509_crt_init(&crt))) goto cleanup;
if (GNUTLS_E_SUCCESS > (r = gnutls_x509_crt_import(crt, crt_datum, GNUTLS_X509_FMT_DER))) {
gnutls_x509_crt_deinit(crt);
goto cleanup;
}
;
if (GNUTLS_E_SUCCESS > (r = gnutls_x509_crt_get_serial(crt, serial.data, &serial_size))) {
gnutls_x509_crt_deinit(crt);
goto cleanup;
}
serial.size = serial_size;
if (GNUTLS_E_SUCCESS > (r = gnutls_x509_crt_get_raw_issuer_dn(crt, &issuer_name))) {
gnutls_x509_crt_deinit(crt);
goto cleanup;
}
gnutls_x509_crt_deinit(crt);
}
for (i = 0; i < ocsp->responses->len; ++i) {
ocsp_response* response = &g_array_index(ocsp->responses, ocsp_response, i);
guint j;
for (j = 0; j < response->certificates->len; ++j) {
ocsp_response_cert_entry* entry = &g_array_index(response->certificates, ocsp_response_cert_entry, i);
if (serial.size != entry->serial.size
|| 0 != memcmp(serial.data, entry->serial.data, serial.size)) continue;
if (GNUTLS_E_SUCCESS > (r = gnutls_hash_fast(entry->digest, issuer_name.data, issuer_name.size, issuer_name_hash))) goto cleanup;
if (0 != memcmp(issuer_name_hash, entry->issuer_name_hash.data, entry->issuer_name_hash.size)) continue;
ocsp_resp->size = response->resp_data.size;
ocsp_resp->data = gnutls_malloc(ocsp_resp->size);
memcpy(ocsp_resp->data, response->resp_data.data, ocsp_resp->size);
r = GNUTLS_E_SUCCESS;
goto cleanup;
}
}
r = GNUTLS_E_NO_CERTIFICATE_STATUS;
cleanup:
gnutls_free(issuer_name_hash);
gnutls_free(issuer_name.data);
gnutls_free(serial.data);
return r;
}
ssize_t /* O - Size of hash or -1 on error */
cupsHashData(const char *algorithm, /* I - Algorithm name */
const void *data, /* I - Data to hash */
size_t datalen, /* I - Length of data to hash */
unsigned char *hash, /* I - Hash buffer */
size_t hashsize) /* I - Size of hash buffer */
{
if (!algorithm || !data || datalen == 0 || !hash || hashsize == 0)
{
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad arguments to function"), 1);
return (-1);
}
#ifdef __APPLE__
if (!strcmp(algorithm, "sha"))
{
/*
* SHA-1...
*/
CC_SHA1_CTX ctx; /* SHA-1 context */
if (hashsize < CC_SHA1_DIGEST_LENGTH)
goto too_small;
CC_SHA1_Init(&ctx);
CC_SHA1_Update(&ctx, data, (CC_LONG)datalen);
CC_SHA1_Final(hash, &ctx);
return (CC_SHA1_DIGEST_LENGTH);
}
else if (!strcmp(algorithm, "sha2-224"))
{
CC_SHA256_CTX ctx; /* SHA-224 context */
if (hashsize < CC_SHA224_DIGEST_LENGTH)
goto too_small;
CC_SHA224_Init(&ctx);
CC_SHA224_Update(&ctx, data, (CC_LONG)datalen);
CC_SHA224_Final(hash, &ctx);
return (CC_SHA224_DIGEST_LENGTH);
}
else if (!strcmp(algorithm, "sha2-256"))
{
CC_SHA256_CTX ctx; /* SHA-256 context */
if (hashsize < CC_SHA256_DIGEST_LENGTH)
goto too_small;
CC_SHA256_Init(&ctx);
CC_SHA256_Update(&ctx, data, (CC_LONG)datalen);
CC_SHA256_Final(hash, &ctx);
return (CC_SHA256_DIGEST_LENGTH);
}
else if (!strcmp(algorithm, "sha2-384"))
{
CC_SHA512_CTX ctx; /* SHA-384 context */
if (hashsize < CC_SHA384_DIGEST_LENGTH)
goto too_small;
CC_SHA384_Init(&ctx);
CC_SHA384_Update(&ctx, data, (CC_LONG)datalen);
CC_SHA384_Final(hash, &ctx);
return (CC_SHA384_DIGEST_LENGTH);
}
else if (!strcmp(algorithm, "sha2-512"))
{
CC_SHA512_CTX ctx; /* SHA-512 context */
if (hashsize < CC_SHA512_DIGEST_LENGTH)
goto too_small;
CC_SHA512_Init(&ctx);
CC_SHA512_Update(&ctx, data, (CC_LONG)datalen);
CC_SHA512_Final(hash, &ctx);
return (CC_SHA512_DIGEST_LENGTH);
}
else if (!strcmp(algorithm, "sha2-512_224"))
{
CC_SHA512_CTX ctx; /* SHA-512 context */
unsigned char temp[CC_SHA512_DIGEST_LENGTH];
/* SHA-512 hash */
/*
* SHA2-512 truncated to 224 bits (28 bytes)...
*/
if (hashsize < CC_SHA224_DIGEST_LENGTH)
goto too_small;
CC_SHA512_Init(&ctx);
CC_SHA512_Update(&ctx, data, (CC_LONG)datalen);
CC_SHA512_Final(temp, &ctx);
memcpy(hash, temp, CC_SHA224_DIGEST_LENGTH);
return (CC_SHA224_DIGEST_LENGTH);
}
else if (!strcmp(algorithm, "sha2-512_256"))
{
CC_SHA512_CTX ctx; /* SHA-512 context */
unsigned char temp[CC_SHA512_DIGEST_LENGTH];
/* SHA-512 hash */
/*
* SHA2-512 truncated to 256 bits (32 bytes)...
*/
if (hashsize < CC_SHA256_DIGEST_LENGTH)
goto too_small;
CC_SHA512_Init(&ctx);
CC_SHA512_Update(&ctx, data, (CC_LONG)datalen);
CC_SHA512_Final(temp, &ctx);
memcpy(hash, temp, CC_SHA256_DIGEST_LENGTH);
return (CC_SHA256_DIGEST_LENGTH);
}
#elif defined(HAVE_GNUTLS)
gnutls_digest_algorithm_t alg = GNUTLS_DIG_UNKNOWN;
/* Algorithm */
unsigned char temp[64]; /* Temporary hash buffer */
size_t tempsize = 0; /* Truncate to this size? */
if (!strcmp(algorithm, "sha"))
alg = GNUTLS_DIG_SHA1;
else if (!strcmp(algorithm, "sha2-224"))
alg = GNUTLS_DIG_SHA224;
else if (!strcmp(algorithm, "sha2-256"))
alg = GNUTLS_DIG_SHA256;
else if (!strcmp(algorithm, "sha2-384"))
alg = GNUTLS_DIG_SHA384;
else if (!strcmp(algorithm, "sha2-512"))
alg = GNUTLS_DIG_SHA512;
else if (!strcmp(algorithm, "sha2-512_224"))
{
alg = GNUTLS_DIG_SHA512;
tempsize = 28;
}
else if (!strcmp(algorithm, "sha2-512_256"))
{
alg = GNUTLS_DIG_SHA512;
tempsize = 32;
}
if (alg != GNUTLS_DIG_UNKNOWN)
{
if (tempsize > 0)
{
/*
* Truncate result to tempsize bytes...
*/
if (hashsize < tempsize)
goto too_small;
gnutls_hash_fast(alg, data, datalen, temp);
memcpy(hash, temp, tempsize);
return ((ssize_t)tempsize);
}
if (hashsize < gnutls_hash_get_len(alg))
goto too_small;
gnutls_hash_fast(alg, data, datalen, hash);
return (gnutls_hash_get_len(alg));
}
#else
/*
* No hash support without CommonCrypto or GNU TLS...
*/
if (hashsize < 64)
goto too_small;
#endif /* __APPLE__ */
/*
* Unknown hash algorithm...
*/
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unknown hash algorithm."), 1);
return (-1);
/*
* We get here if the buffer is too small.
*/
too_small:
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Hash buffer too small."), 1);
return (-1);
}
static void dane_info(const char *host, const char *proto,
unsigned int port, unsigned int ca,
unsigned int domain, common_info_st * cinfo)
{
gnutls_pubkey_t pubkey;
gnutls_x509_crt_t crt;
unsigned char digest[64];
gnutls_datum_t t;
int ret;
unsigned int usage, selector, type;
size_t size;
if (proto == NULL)
proto = "tcp";
if (port == 0)
port = 443;
crt = load_cert(0, cinfo);
if (crt != NULL && HAVE_OPT(X509)) {
selector = 0; /* X.509 */
size = lbuffer_size;
ret =
gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_DER,
lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "export error: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_deinit(crt);
} else { /* use public key only */
selector = 1;
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0) {
fprintf(stderr, "pubkey_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (crt != NULL) {
ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
if (ret < 0) {
fprintf(stderr, "pubkey_import_x509: %s\n",
gnutls_strerror(ret));
exit(1);
}
size = lbuffer_size;
ret =
gnutls_pubkey_export(pubkey,
GNUTLS_X509_FMT_DER,
lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "pubkey_export: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_deinit(crt);
} else {
pubkey = load_pubkey(1, cinfo);
size = lbuffer_size;
ret =
gnutls_pubkey_export(pubkey,
GNUTLS_X509_FMT_DER,
lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "export error: %s\n",
gnutls_strerror(ret));
exit(1);
}
}
gnutls_pubkey_deinit(pubkey);
}
if (default_dig != GNUTLS_DIG_SHA256
&& default_dig != GNUTLS_DIG_SHA512) {
if (default_dig != GNUTLS_DIG_UNKNOWN)
fprintf(stderr,
"Unsupported digest. Assuming SHA256.\n");
default_dig = GNUTLS_DIG_SHA256;
}
ret = gnutls_hash_fast(default_dig, lbuffer, size, digest);
if (ret < 0) {
fprintf(stderr, "hash error: %s\n", gnutls_strerror(ret));
exit(1);
}
if (default_dig == GNUTLS_DIG_SHA256)
type = 1;
else
type = 2;
/* DANE certificate classification crap */
if (domain == 0) {
if (ca)
usage = 0;
else
usage = 1;
} else {
if (ca)
usage = 2;
else
usage = 3;
}
t.data = digest;
t.size = gnutls_hash_get_len(default_dig);
size = lbuffer_size;
ret = gnutls_hex_encode(&t, (void *) lbuffer, &size);
if (ret < 0) {
fprintf(stderr, "hex encode error: %s\n",
gnutls_strerror(ret));
exit(1);
}
fprintf(outfile, "_%u._%s.%s. IN TLSA ( %.2x %.2x %.2x %s )\n",
port, proto, host, usage, selector, type, lbuffer);
}
/**
* infd_acl_account_info_set_password:
* @info: A #InfdAclAccountInfo.
* @password: The new password for the account, or %NULL.
* @error: Location to store error information, if any.
*
* Changes the password for the given account. If @password is %NULL the
* password is unset, which means that it is not possible to log into this
* account with password authentication.
*
* If @password is non-%NULL, a new random salt is generated and a SHA256
* hash of the salt and the password is stored.
*
* If an error occurs while changing the password the functions set @error
* and returns %FALSE.
*
* Returns: %TRUE in case of success or %FALSE otherwise.
*/
gboolean
infd_acl_account_info_set_password(InfdAclAccountInfo* info,
const gchar* password,
GError** error)
{
gchar* new_salt;
gchar* new_hash;
gchar* salted_password;
guint password_len;
int res;
g_return_val_if_fail(info != NULL, FALSE);
if(password == NULL)
{
g_free(info->password_salt);
g_free(info->password_hash);
info->password_salt = NULL;
info->password_hash = NULL;
}
else
{
new_salt = g_malloc(32);
res = gnutls_rnd(GNUTLS_RND_RANDOM, new_salt, 32);
if(res != GNUTLS_E_SUCCESS)
{
g_free(new_salt);
inf_gnutls_set_error(error, res);
return FALSE;
}
password_len = strlen(password);
salted_password = g_malloc(32 + password_len);
memcpy(salted_password, new_salt, 16);
memcpy(salted_password + 16, password, password_len);
memcpy(salted_password + 16 + password_len, new_salt + 16, 16);
new_hash = g_malloc(gnutls_hash_get_len(GNUTLS_DIG_SHA256));
res = gnutls_hash_fast(
GNUTLS_DIG_SHA256,
salted_password,
32 + password_len,
new_hash
);
g_free(salted_password);
if(res != GNUTLS_E_SUCCESS)
{
g_free(new_hash);
g_free(new_salt);
inf_gnutls_set_error(error, res);
return FALSE;
}
g_free(info->password_salt);
g_free(info->password_hash);
info->password_salt = new_salt;
info->password_hash = new_hash;
}
return TRUE;
}
std::string hash(std::string const & input)
{
std::array<unsigned char, 32> hash{};
gnutls_hash_fast(GNUTLS_DIG_SHA256, input.c_str(), input.length(), hash.data());
return encode_hex({hash.cbegin(), hash.cend()});
}
/**
* gnutls_system_key_add_x509:
* @crt: the certificate to be added
* @privkey: the key to be added
* @label: the friendly name to describe the key
* @cert_url: if non-NULL it will contain an allocated value with the certificate URL
* @key_url: if non-NULL it will contain an allocated value with the key URL
*
* This function will added the given key and certificate pair,
* to the system list.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.4.0
**/
int gnutls_system_key_add_x509(gnutls_x509_crt_t crt,
gnutls_x509_privkey_t privkey, const char *label,
char **cert_url, char **key_url)
{
HCERTSTORE store = NULL;
CRYPT_DATA_BLOB pfx;
gnutls_datum_t _pfx = { NULL, 0 };
gnutls_pkcs12_t p12 = NULL;
gnutls_pkcs12_bag_t bag1 = NULL, bag2 = NULL;
uint8_t id[MAX_WID_SIZE];
size_t id_size;
gnutls_datum_t kid;
int ret;
if (ncrypt_init == 0)
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
if (label == NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
id_size = sizeof(id);
ret = gnutls_x509_crt_get_key_id(crt, 0, id, &id_size);
if (ret < 0)
return gnutls_assert_val(ret);
kid.data = id;
kid.size = id_size;
/* the idea: import the cert and private key into PKCS #12
* format, export it into pfx, and import it into store */
ret = gnutls_pkcs12_init(&p12);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_pkcs12_bag_init(&bag1);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pkcs12_bag_set_crt(bag1, crt);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pkcs12_bag_set_key_id(bag1, 0, &kid);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
if (label)
gnutls_pkcs12_bag_set_friendly_name(bag1, 0, label);
ret = gnutls_pkcs12_bag_init(&bag2);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pkcs12_bag_set_privkey(bag2, privkey, NULL, 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pkcs12_bag_set_key_id(bag2, 0, &kid);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
if (label)
gnutls_pkcs12_bag_set_friendly_name(bag2, 0, label);
ret = gnutls_pkcs12_set_bag(p12, bag1);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pkcs12_set_bag(p12, bag2);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pkcs12_generate_mac(p12, "123456");
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pkcs12_export2(p12, GNUTLS_X509_FMT_DER, &_pfx);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
pfx.cbData = _pfx.size;
pfx.pbData = _pfx.data;
store = PFXImportCertStore(&pfx, L"123456", 0);
if (store == NULL) {
gnutls_assert();
ret = GNUTLS_E_INVALID_REQUEST;
goto cleanup;
}
if (cert_url || key_url) {
unsigned char sha[20];
CRYPT_HASH_BLOB blob;
const CERT_CONTEXT *cert = NULL;
gnutls_datum_t data;
ret = gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &data);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret =
gnutls_hash_fast(GNUTLS_DIG_SHA1, data.data, data.size,
sha);
gnutls_free(data.data);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
blob.cbData = sizeof(sha);
blob.pbData = sha;
cert = CertFindCertificateInStore(store,
X509_ASN_ENCODING,
0,
CERT_FIND_SHA1_HASH,
&blob, NULL);
if (cert == NULL) {
gnutls_assert();
ret = GNUTLS_E_KEY_IMPORT_FAILED;
goto cleanup;
}
ret = get_win_urls(cert, cert_url, key_url, NULL, NULL);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
}
ret = 0;
cleanup:
if (p12 != NULL)
gnutls_pkcs12_deinit(p12);
if (bag1 != NULL)
gnutls_pkcs12_bag_deinit(bag1);
if (bag2 != NULL)
gnutls_pkcs12_bag_deinit(bag2);
if (store != NULL)
CertCloseStore(store, 0);
gnutls_free(_pfx.data);
return ret;
}
std::string sum(const std::string& data)
{
char digest[this->out_size];
gnutls_hash_fast(algo, data.data(), data.length(), (unsigned char*)digest);
return std::string(digest, this->out_size);
}
