bool CNetTokenManager::CheckToken(const NETADDR *pAddr, TOKEN Token, TOKEN ResponseToken, bool Notify)
{
TOKEN CurrentToken = GenerateToken(pAddr, m_Seed);
if(CurrentToken == Token)
return true;
if(GenerateToken(pAddr, m_PrevSeed) == Token)
{
if(Notify)
CNetBase::SendControlMsgWithToken(m_Socket, (NETADDR *)pAddr,
ResponseToken, 0, NET_CTRLMSG_TOKEN, CurrentToken);
// notify the peer about the new token
return true;
}
else if(Token == m_GlobalToken)
return true;
else if(Token == m_PrevGlobalToken)
{
if(Notify)
CNetBase::SendControlMsgWithToken(m_Socket, (NETADDR *)pAddr,
ResponseToken, 0, NET_CTRLMSG_TOKEN, m_GlobalToken);
// notify the peer about the new token
return true;
}
return false;
}
bool CNetTokenManager::CheckToken(const NETADDR *pAddr, TOKEN Token, TOKEN ResponseToken, bool *BroadcastResponse)
{
TOKEN CurrentToken = GenerateToken(pAddr, m_Seed);
if(CurrentToken == Token)
return true;
if(GenerateToken(pAddr, m_PrevSeed) == Token)
{
// no need to notify the peer, just a one time thing
return true;
}
else if(Token == m_GlobalToken)
{
*BroadcastResponse = true;
return true;
}
else if(Token == m_PrevGlobalToken)
{
// no need to notify the peer, just a broadcast token response
*BroadcastResponse = true;
return true;
}
return false;
}
int CNetTokenManager::ProcessMessage(const NETADDR *pAddr, const CNetPacketConstruct *pPacket, bool Notify)
{
if(pPacket->m_Token != NET_TOKEN_NONE
&& !CheckToken(pAddr, pPacket->m_Token, pPacket->m_ResponseToken, Notify))
return 0; // wrong token, silent ignore
bool Verified = pPacket->m_Token != NET_TOKEN_NONE;
bool TokenMessage = (pPacket->m_Flags & NET_PACKETFLAG_CONTROL)
&& pPacket->m_aChunkData[0] == NET_CTRLMSG_TOKEN;
if(pPacket->m_Flags&NET_PACKETFLAG_CONNLESS)
return (Verified) ? 1 : 0; // connless packets without token are not allowed
if(!TokenMessage)
{
if(Verified)
return 1; // verified packet
else
// the only allowed not connless packet
// without token is NET_CTRLMSG_TOKEN
return 0;
}
if(Verified && TokenMessage)
return 1; // everything is fine, token exchange complete
// client requesting token
CNetBase::SendControlMsgWithToken(m_Socket, (NETADDR *)pAddr,
pPacket->m_ResponseToken, 0, NET_CTRLMSG_TOKEN,
GenerateToken(pAddr));
return 0; // no need to process NET_CTRLMSG_TOKEN further
}
EXPORT_C TInt RFTokenClient::GenerateToken(const TDesC& aFileName, const TSecurityPolicy& aSecurityPolicy, TDes8& aToken) const
{
// unefficient, but this way we can make _easily_ sure that client is actually allowed to open a file
// Not sure if we were allowed to just change CEikonEnv's file server session to shared, so we could acutally save
// this extra session..
RFs fs;
TInt err = fs.Connect();
if (!err)
{
err = fs.ShareProtected();
if (!err)
{
RFile file;
err = file.Open(fs, aFileName, EFileShareReadersOnly); // Todo: check the correct mode
if (!err)
{
err = GenerateToken(file, aSecurityPolicy, aToken);
}
file.Close();
}
fs.Close();
}
return err;
//return SendReceive(EGenerateTokenBasedOnName, TIpcArgs(&aFileName, aAllowedProcessUid.iUid, &aToken));
}
InputCallbackToken InputManager::AddMouseWheelCallback( InputCallbackMouseWheelFn callback )
{
InputCallbackMouseWheelInfo info;
info.callback = callback;
info.token = GenerateToken();
m_MouseWheelCallbacks.push_back( info );
return info.token;
}
InputCallbackToken InputManager::AddMouseCallback( InputCallbackMouseFn callback, MouseButton button, ButtonState buttonState )
{
InputCallbackMouseInfo info;
info.callback = callback;
info.button = button;
info.buttonState = buttonState;
info.token = GenerateToken();
m_MouseCallbacks.push_back( info );
return info.token;
}
InputCallbackToken InputManager::AddKeyboardCallback( InputCallbackKeyboardFn callback, SDL_Scancode button, ButtonState buttonState )
{
InputCallbackKeyboardInfo info;
info.callback = callback;
info.button = button;
info.buttonState = buttonState;
info.token = GenerateToken();
m_KeyboardCallbacks.push_back( info );
return info.token;
}
int CNetConnection::Connect(NETADDR *pAddr)
{
if(State() != NET_CONNSTATE_OFFLINE)
return -1;
// init connection
Reset();
m_PeerAddr = *pAddr;
m_PeerToken = NET_TOKEN_NONE;
SetToken(GenerateToken(pAddr));
mem_zero(m_ErrorString, sizeof(m_ErrorString));
m_State = NET_CONNSTATE_TOKEN;
SendControlWithToken(NET_CTRLMSG_TOKEN);
return 0;
}
void CNetTokenManager::GenerateSeed()
{
static const NETADDR NullAddr = { 0 };
m_PrevSeed = m_Seed;
for(int i = 0; i < 2; i++)
{
m_Seed <<= 32;
m_Seed ^= random_int();
}
m_PrevGlobalToken = m_GlobalToken;
m_GlobalToken = GenerateToken(&NullAddr);
m_NextSeedTime = time_get() + time_freq() * m_SeedTime;
}
TOKEN CNetTokenManager::GenerateToken(const NETADDR *pAddr, int64 Seed)
{
static const NETADDR NullAddr = { 0 };
NETADDR Addr;
char aBuf[sizeof(NETADDR) + sizeof(int64)];
unsigned int Result;
if(pAddr->type & NETTYPE_LINK_BROADCAST)
return GenerateToken(&NullAddr, Seed);
Addr = *pAddr;
Addr.port = 0;
mem_copy(aBuf, &Addr, sizeof(NETADDR));
mem_copy(aBuf + sizeof(NETADDR), &Seed, sizeof(int64));
Result = Hash(aBuf, sizeof(aBuf)) & NET_TOKEN_MASK;
if(Result == NET_TOKEN_NONE)
Result--;
return Result;
}
TOKEN CNetTokenManager::GenerateToken(const NETADDR *pAddr) const
{
return GenerateToken(pAddr, m_Seed);
}
EXPORT_C TInt RFTokenClient::GenerateToken(const RFile& aOpenFile, const TUid& aConsumerUid,TDes8& aToken) const
{
TSecureId consumerUid(aConsumerUid);
return GenerateToken(aOpenFile, TSecurityPolicy(consumerUid), aToken);
}
EXPORT_C TInt RFTokenClient::GenerateToken(const TDesC8& aExistingToken, const TUid& aConsumerUid,TDes8& aToken) const
{
TSecureId consumerUid(aConsumerUid);
return GenerateToken(aExistingToken, TSecurityPolicy(consumerUid), aToken);
}
/// <summary>
/// Authenticates cartridge by verifying its certificate and its signature of a random token.
/// </summary>
/// <param name="ucCartridgeNum">The cartridge number.</param>
/// <param name="aucPubKS">Stratasys public key.</param>
/// <param name="aucIdd">The tag identification data (output parameter).</param>
/// <param name="usIddLength">The tag identification data length (output parameter).</param>
/// <param name="uiCurrentVolume">The tag current volume (output parameter).</param>
/// <returns>0 on success, non-zero for failures.</returns>
int MaterialMonitor::AuthenticateCartridge(unsigned char ucCartridgeNum, const unsigned char *aucPubKS, unsigned char *aucIdd, unsigned short *usIddLength, unsigned int *uiCurrentVolume)
{
UniqueLock uniqueLock(m_mtx);
int returnValue = IDTLIB_SUCCESS;
if (aucPubKS == NULL && m_pubKS == NULL)
{
returnValue = INVALID_HOST_KEY;
LOG_EXT(LEVEL_ERROR, "Invalid host key (error code 0x" << hex << (short)returnValue << ").");
return returnValue;
}
if (aucIdd == NULL || usIddLength == NULL || uiCurrentVolume == NULL)
{
returnValue = AUTHENTICATE_NULL_PARAMS;
LOG_EXT(LEVEL_ERROR, "Invalid parameters (error code 0x" << hex << (short)returnValue << ").");
return returnValue;
}
if (!m_bInitialized)
{
returnValue = HW_NOT_INITIALIZED;
LOG_EXT(LEVEL_ERROR, "Hardware not initialized (error code 0x" << hex << (short)returnValue << ").");
return returnValue;
}
try
{
LOG_EXT(LEVEL_INFO, "Cartridge #" << (unsigned short)ucCartridgeNum << " authentication started:");
LOG_EXT(LEVEL_INFO, "Reset cartridge #"<< (unsigned short)ucCartridgeNum << " info...");
int returnValue = ResetCartridgeInfo(ucCartridgeNum);
if (returnValue != IDTLIB_SUCCESS)
{
LOG_EXT(LEVEL_ERROR, "Error resetting cartridge #"<< (unsigned short)ucCartridgeNum << " info (number of cartridges: " << (unsigned short)m_ucCartridgesCount << ", error code 0x" << hex << (short)returnValue << ").");
return returnValue;
}
LOG_EXT(LEVEL_INFO, "Switching to cartridge #"<< (unsigned short)ucCartridgeNum << "...");
returnValue = m_tagAdapter->SwitchToCartridge(ucCartridgeNum);
if (returnValue != IDTLIB_SUCCESS)
{
LOG_EXT(LEVEL_ERROR, "Error switching to cartridge #"<< (unsigned short)ucCartridgeNum << " (number of cartridges: " << (unsigned short)m_ucCartridgesCount << ", error code 0x" << hex << (short)returnValue << ").");
return returnValue;
}
LOG_EXT(LEVEL_INFO, "Reading ID certificate...");
unsigned char aucBuffer[CERTIFICATE_SIZE];
memset(aucBuffer, 0, sizeof(aucBuffer));
returnValue = ReadIDCertificate(aucBuffer);
if (returnValue != IDTLIB_SUCCESS)
{
LOG_EXT(LEVEL_ERROR, "Error reading ID certificate (error code 0x" << hex << (short)returnValue << ").");
return returnValue;
}
bool isEmpty = m_tagAdapter->IsCertificateEmpty(aucBuffer);
if (isEmpty)
{
returnValue = EMPTY_CERTIFICATE_FILE;
LOG_EXT(LEVEL_ERROR, "Tag is blank (error code 0x" << hex << (short)returnValue << ").");
return returnValue;
}
LOG_EXT(LEVEL_DEBUG, "Extracting cartridge #" << (unsigned short)ucCartridgeNum << " public key...");
IDCertificate *certificate = new IDCertificate();
unsigned short certificateSize;
try
{
certificateSize = (unsigned short)certificate->Decode(aucBuffer);
}
catch (exception& e)
{
delete certificate;
returnValue = INVALID_CERTIFICATE_FILE;
LOG_EXT(LEVEL_ERROR, "Invalid certificate (error code 0x" << hex << (short)returnValue << "): " << e.what() << ".");
return returnValue;
}
*usIddLength = certificateSize - SIGNATURE_SIZE - PUBLIC_KEY_SIZE;
memcpy(aucIdd, aucBuffer, *usIddLength);
ECDSA<EC2N, SHA256>::PublicKey* pubKS;
if (aucPubKS != NULL)
{
pubKS = LoadPublicKey(aucPubKS);
if (pubKS == NULL)
{
delete certificate;
return INVALID_HOST_KEY;
}
}
else
{
pubKS = m_pubKS;
}
LOG_EXT(LEVEL_INFO, "Verifying ID certificate...");
SetVerifier(pubKS);
pthread_t verifierThread;
VerifyParameters* verifyParameters = CreateVerifyParameters(
m_veriferS,
aucBuffer,
certificateSize - SIGNATURE_SIZE,
aucBuffer + (certificateSize - SIGNATURE_SIZE),
SIGNATURE_SIZE);
CreateVerifierThread(&verifierThread, verifyParameters);
LOG_EXT(LEVEL_INFO, "Sending random token for IDT to sign...");
byte aucHostChallenge[TOKEN_SIZE];
GenerateToken(aucHostChallenge, TOKEN_SIZE);
byte aucDeviceChallenge[64]; // expected device challenge length
byte aucSignedDeviceChallenge[SIGNATURE_SIZE];
unsigned short usDeviceChallengeLength = sizeof(aucDeviceChallenge);
unsigned short usSignedDeviceChallengeLength = sizeof(aucSignedDeviceChallenge);
returnValue = ChallengeHostDevice(ucCartridgeNum, aucHostChallenge, TOKEN_SIZE, aucDeviceChallenge, &usDeviceChallengeLength, aucSignedDeviceChallenge, &usSignedDeviceChallengeLength);
void* status;
pthread_join(verifierThread, &status);
delete verifyParameters;
if (!m_bVerified)
{
returnValue = INVALID_CERTIFICATE_SIGNATURE;
LOG_EXT(LEVEL_ERROR, "Error verifying ID certificate (error code 0x" << hex << (short)returnValue << ").");
delete certificate;
return returnValue;
}
if (returnValue != IDTLIB_SUCCESS)
{
LOG_EXT(LEVEL_ERROR, "Error sending random token to IDT (error code 0x" << hex << (short)returnValue << ").");
delete certificate;
return returnValue;
}
LOG_EXT(LEVEL_INFO, "Verifying IDT signature...");
verifyParameters = CreateVerifyParameters(
certificate->IDD.GetVerifier(),
aucDeviceChallenge,
usDeviceChallengeLength,
aucSignedDeviceChallenge,
usSignedDeviceChallengeLength);
CreateVerifierThread(&verifierThread, verifyParameters);
LOG_EXT(LEVEL_INFO, "Getting current volume...");
returnValue = GetCurrentVolume(ucCartridgeNum, uiCurrentVolume);
pthread_join(verifierThread, &status);
delete verifyParameters;
if (!m_bVerified)
{
returnValue = INVALID_TOKEN_SIGNATURE;
LOG_EXT(LEVEL_ERROR, "Invalid signature (error code 0x" << hex << (short)returnValue << ").");
delete certificate;
return returnValue;
}
if (returnValue != IDTLIB_SUCCESS)
{
LOG_EXT(LEVEL_ERROR, "Error getting current volume (error code 0x" << hex << (short)returnValue << ").");
delete certificate;
return returnValue;
}
m_certificates[ucCartridgeNum] = certificate;
LOG_EXT(LEVEL_INFO, "Cartridge #" << (unsigned short)ucCartridgeNum << " authentication ended successfully. Current weight: " << *uiCurrentVolume << " milligrams.");
return returnValue;
}
catch (exception& e)
{
LOG_EXT(LEVEL_ERROR, "Exception caught: " << e.what() << ".");
return EXCEPTION_CAUGHT;
}
}
