void ExtensionSecurityBlock::encrypt(dtn::data::Bundle& bundle, const SecurityKey &key, dtn::data::Bundle::iterator it, const dtn::data::EID& source, const dtn::data::EID& destination)
{
uint32_t salt = 0;
// load the rsa key
RSA *rsa_key = key.getRSA();
// key used for encrypting the block. the key will be encrypted using RSA
unsigned char ephemeral_key[ibrcommon::AES128Stream::key_size_in_bytes];
createSaltAndKey(salt, ephemeral_key, ibrcommon::AES128Stream::key_size_in_bytes);
dtn::security::ExtensionSecurityBlock& esb = SecurityBlock::encryptBlock<ExtensionSecurityBlock>(bundle, it, salt, ephemeral_key);
// set the source and destination address of the new block
if (source != bundle.source) esb.setSecuritySource( source );
if (destination != bundle.destination) esb.setSecurityDestination( destination );
// encrypt the ephemeral key and place it in _ciphersuite_params
addSalt(esb._ciphersuite_params, salt);
addKey(esb._ciphersuite_params, ephemeral_key, ibrcommon::AES128Stream::key_size_in_bytes, rsa_key);
esb._ciphersuite_flags |= CONTAINS_CIPHERSUITE_PARAMS;
// free the rsa key
key.free(rsa_key);
}
/*
* @param(IN) salt salt in binary format
* @param(IN) saltSize number of bytes for the salt
* @param(IN) clearPasswd clearPasswd
* @param(OUT) the hashed password with salt in ascii b64 format
*
* #sample keyfile line
* j2ee;{SSHA}WRWaz20fzw3zN9x5Uzyyk5Wfvrbe4m40rYTPrA==;staff,eng
*/
void sshaPasswd(const char* salt, const int saltSize,const char* clearPasswd,NSString& hashed)
{
//PRBool workaround= PR_FALSE; //PR_TRUE;
const int digestLen = SHA1_LENGTH; //20
unsigned char H[512];
char* pwdAndSalt=NULL;
hashed.clear();
if (!clearPasswd) {
return;
}
int tobeHashedLen = 0;
pwdAndSalt = addSalt(clearPasswd, salt, saltSize,tobeHashedLen);
//if (workaround==PR_TRUE) {
//https_SHA1_Hash(H,pwdAndSalt); //refer lib/libadmin/password.cpp
//} else {
//const int keylen = PRIVATE_KEY_LEN;
//unsigned char DigestPrivatekey[PRIVATE_KEY_LEN];
//PK11_GenerateRandom(DigestPrivatekey, keylen);
PK11Context * SHA1Ctx = PK11_CreateDigestContext(SEC_OID_SHA1);
if (SHA1Ctx==NULL) {
FREE(pwdAndSalt);
return;
}
PK11_DigestBegin(SHA1Ctx);
//PK11_DigestOp(SHA1Ctx, (unsigned char*)pwdAndSalt, strlen(pwdAndSalt) );
PK11_DigestOp(SHA1Ctx, (unsigned char*)pwdAndSalt, tobeHashedLen );
PK11_DigestFinal(SHA1Ctx, (unsigned char *)H, (unsigned int*)&digestLen, sizeof(H));
PK11_DestroyContext(SHA1Ctx, 1);
PR_ASSERT(digestLen==20);
//}
char* base64Val=NULL;
if (salt!=NULL && saltSize>0) {
memcpy(H+20,salt,saltSize); //append salt to hashed passwd
base64Val = BTOA_DataToAscii(H,digestLen+saltSize); //base64.h
} else {
base64Val = BTOA_DataToAscii(H,digestLen); //base64.h
}
hashed.append(SSHA_TAG );
hashed.append(base64Val);
if (base64Val)
PORT_Free(base64Val);
base64Val = NULL;
FREE(pwdAndSalt);
return;
}
void PayloadConfidentialBlock::encrypt(dtn::data::Bundle& bundle, const dtn::security::SecurityKey &long_key, const dtn::data::EID& source)
{
// contains the random salt
uint32_t salt;
// contains the random key
unsigned char ephemeral_key[ibrcommon::AES128Stream::key_size_in_bytes];
unsigned char iv[ibrcommon::AES128Stream::iv_len];
unsigned char tag[ibrcommon::AES128Stream::tag_len];
// create a new correlator value
dtn::data::Number correlator = createCorrelatorValue(bundle);
// create a random salt and key
createSaltAndKey(salt, ephemeral_key, ibrcommon::AES128Stream::key_size_in_bytes);
// count all PCBs
dtn::data::Size pcbs_size = std::count(bundle.begin(), bundle.end(), PayloadConfidentialBlock::BLOCK_TYPE);
// count all PIBs
dtn::data::Size pibs_size = std::count(bundle.begin(), bundle.end(), PayloadIntegrityBlock::BLOCK_TYPE);
// encrypt PCBs and PIBs
dtn::data::Bundle::find_iterator find_pcb(bundle.begin(), PayloadConfidentialBlock::BLOCK_TYPE);
while (find_pcb.next(bundle.end()))
{
SecurityBlock::encryptBlock<PayloadConfidentialBlock>(bundle, find_pcb, salt, ephemeral_key).setCorrelator(correlator);
}
dtn::data::Bundle::find_iterator find_pib(bundle.begin(), PayloadIntegrityBlock::BLOCK_TYPE);
while (find_pib.next(bundle.end()))
{
SecurityBlock::encryptBlock<PayloadConfidentialBlock>(bundle, find_pib, salt, ephemeral_key).setCorrelator(correlator);
}
// create a new payload confidential block
PayloadConfidentialBlock& pcb = bundle.push_front<PayloadConfidentialBlock>();
// set the correlator
if (pcbs_size > 0 || pibs_size > 0)
pcb.setCorrelator(correlator);
// get reference to the payload block
dtn::data::PayloadBlock& plb = bundle.find<dtn::data::PayloadBlock>();
ibrcommon::BLOB::Reference blobref = plb.getBLOB();
// encrypt payload - BEGIN
{
ibrcommon::BLOB::iostream stream = blobref.iostream();
ibrcommon::AES128Stream aes_stream(ibrcommon::CipherStream::CIPHER_ENCRYPT, *stream, ephemeral_key, salt);
// encrypt in place
((ibrcommon::CipherStream&)aes_stream).encrypt(*stream);
// check if this is a fragment
if (bundle.get(dtn::data::PrimaryBlock::FRAGMENT))
{
// ... and set the corresponding cipher suit params
addFragmentRange(pcb._ciphersuite_params, bundle.fragmentoffset, stream.size());
}
// get the IV
aes_stream.getIV(iv);
// get the tag
aes_stream.getTag(tag);
}
// encrypt payload - END
// set the source and destination address of the new block
if (source != bundle.source.getNode()) pcb.setSecuritySource( source );
if (long_key.reference != bundle.destination.getNode()) pcb.setSecurityDestination( long_key.reference );
// set replicate in every fragment to true
pcb.set(REPLICATE_IN_EVERY_FRAGMENT, true);
// store encypted key, tag, iv and salt
addSalt(pcb._ciphersuite_params, salt);
// get the RSA key
RSA *rsa_key = long_key.getRSA();
// encrypt the random key and add it to the ciphersuite params
addKey(pcb._ciphersuite_params, ephemeral_key, ibrcommon::AES128Stream::key_size_in_bytes, rsa_key);
// free the RSA key
long_key.free(rsa_key);
pcb._ciphersuite_params.set(SecurityBlock::initialization_vector, iv, ibrcommon::AES128Stream::iv_len);
pcb._ciphersuite_flags |= SecurityBlock::CONTAINS_CIPHERSUITE_PARAMS;
pcb._security_result.set(SecurityBlock::PCB_integrity_check_value, tag, ibrcommon::AES128Stream::tag_len);
pcb._ciphersuite_flags |= SecurityBlock::CONTAINS_SECURITY_RESULT;
}
