static AJ_Status DecodeCertificateName(DER_Element* der, uint8_t type, AJ_GUID* ou, AJ_GUID* cn) { AJ_Status status = AJ_OK; DER_Element set; DER_Element seq; DER_Element oid; DER_Element tmp; while ((AJ_OK == status) && (der->size)) { status = AJ_ASN1DecodeElement(der, ASN_SET_OF, &set); if (AJ_OK != status) { return status; } status = AJ_ASN1DecodeElement(&set, ASN_SEQ, &seq); if (AJ_OK != status) { return status; } status = AJ_ASN1DecodeElement(&seq, ASN_OID, &oid); if (AJ_OK != status) { return status; } status = AJ_ASN1DecodeElement(&seq, ASN_UTF8, &tmp); if (AJ_OK != status) { return status; } if (CompareOID(&oid, OID_DN_OU, sizeof (OID_DN_OU))) { status = AJ_GUID_FromString(ou, (const char*) tmp.data); if (AJ_OK != status) { return status; } } else if (CompareOID(&oid, OID_DN_CN, sizeof (OID_DN_CN))) { status = AJ_GUID_FromString(cn, (const char*) tmp.data); if (AJ_OK != status) { return status; } } } return status; }
AJ_Status AJ_PeerHandleExchangeGUIDs(AJ_Message* msg, AJ_Message* reply) { char guidStr[33]; uint32_t version; char* str; AJ_GUID remoteGuid; AJ_GUID localGuid; AJ_UnmarshalArgs(msg, "su", &str, &version); AJ_GUID_FromString(&remoteGuid, str); AJ_GUID_AddNameMapping(&remoteGuid, msg->sender, NULL); /* * We are not currently negotiating versions so we tell the peer what version we require. */ version = REQUIRED_AUTH_VERSION; AJ_MarshalReplyMsg(msg, reply); AJ_GetLocalGUID(&localGuid); AJ_GUID_ToString(&localGuid, guidStr, sizeof(guidStr)); return AJ_MarshalArgs(reply, "su", guidStr, version); }
AJ_Status AJ_PeerHandleGenSessionKey(AJ_Message* msg, AJ_Message* reply) { AJ_Status status; char* remGuid; char* locGuid; char* nonce; AJ_GUID guid; AJ_GUID localGuid; /* * For 12 bytes of verifier, we need at least 12 * 2 characters * to store its representation in hex (24 octets + 1 octet for \0). * However, the KeyGen function demands a bigger buffer * (to store 16 bytes key in addition to the 12 bytes verifier). * Hence we allocate, the maximum of (12 * 2 + 1) and (16 + 12). */ char verifier[AES_KEY_LEN + VERIFIER_LEN]; /* * Remote peer GUID, Local peer GUID and Remote peer's nonce */ AJ_UnmarshalArgs(msg, "sss", &remGuid, &locGuid, &nonce); /* * We expect arg[1] to be the local GUID */ status = AJ_GUID_FromString(&guid, locGuid); if (AJ_OK == status) { status = AJ_GetLocalGUID(&localGuid); } if ((status != AJ_OK) || (memcmp(&guid, &localGuid, sizeof(AJ_GUID)) != 0)) { return AJ_MarshalErrorMsg(msg, reply, AJ_ErrRejected); } AJ_RandHex(authContext.nonce, sizeof(authContext.nonce), NONCE_LEN); status = KeyGen(msg->sender, AJ_ROLE_KEY_RESPONDER, nonce, authContext.nonce, (uint8_t*)verifier, sizeof(verifier)); if (status == AJ_OK) { AJ_MarshalReplyMsg(msg, reply); status = AJ_MarshalArgs(reply, "ss", authContext.nonce, verifier); } else { status = AJ_MarshalErrorMsg(msg, reply, AJ_ErrRejected); } return status; }
AJ_Status AJ_PeerHandleExchangeGUIDsReply(AJ_Message* msg) { AJ_Status status; const char* guidStr; AJ_GUID remoteGuid; uint32_t version; char nul = '\0'; status = AJ_UnmarshalArgs(msg, "su", &guidStr, &version); if (status != AJ_OK) { return status; } if (version != REQUIRED_AUTH_VERSION) { PeerAuthComplete(AJ_ERR_SECURITY); return AJ_OK; } AJ_GUID_FromString(&remoteGuid, guidStr); /* * Two name mappings to add, the well known name, and the unique name from the message. */ AJ_GUID_AddNameMapping(&remoteGuid, msg->sender, authContext.peerName); /* * Remember which peer is being authenticated */ authContext.peerGuid = AJ_GUID_Find(msg->sender); /* * Initialize SASL state machine */ AJ_SASL_InitContext(&authContext.sasl, authMechanisms, AJ_AUTH_RESPONDER, msg->bus->pwdCallback); /* * Start the authentication conversation */ status = AuthResponse(msg, &nul); if (status != AJ_OK) { PeerAuthComplete(status); } return status; }
AJ_Status TestCreds() { AJ_Status status = AJ_OK; AJ_GUID localGuid; AJ_GUID remoteGuid; char str[33]; AJ_PeerCred*peerCredRead; int i = 0; AJ_GUID peerGuid; uint8_t secretLen = 24; uint8_t secret[24]; uint32_t expiration = 50898; char hex[100]; AJ_AlwaysPrintf(("Start TestCreds\n")); status = AJ_GetLocalGUID(&localGuid); if (AJ_OK != status) { return status; } AJ_GUID_FromString(&localGuid, str); AJ_InfoPrintf(("TestCreds() Layout Print\n")); AJ_NVRAM_Layout_Print(); memset(&peerGuid, 1, sizeof(AJ_GUID)); for (i = 0; i < secretLen; i++) { secret[i] = i; } AJ_GUID_ToString(&peerGuid, hex, 100); AJ_AlwaysPrintf(("AJ_StorePeerSecret guid %s\n", hex)); status = AJ_StorePeerSecret(&peerGuid, secret, secretLen, expiration); memcpy(&remoteGuid, &peerGuid, sizeof(AJ_GUID)); // backup the GUID if (AJ_OK != status) { AJ_AlwaysPrintf(("AJ_StorePeerSecret failed = %d\n", status)); return status; } AJ_NVRAM_Layout_Print(); AJ_InfoPrintf(("TestCreds() StoreCred() Layout Print\n")); AJ_NVRAM_Layout_Print(); AJ_GUID_ToString(&remoteGuid, hex, 100); AJ_AlwaysPrintf(("AJ_GetPeerCredential guid %s\n", hex)); status = AJ_GetPeerCredential(&remoteGuid, &peerCredRead); if (AJ_OK != status) { AJ_AlwaysPrintf(("AJ_GetPeerCredential failed = %d\n", status)); return status; } if (0 != memcmp(peerCredRead->id, &peerGuid, peerCredRead->idLen)) { AJ_AlwaysPrintf(("The retrieved credential does not match\n")); AJ_FreeCredential(peerCredRead); return AJ_ERR_FAILURE; } if (peerCredRead->dataLen != secretLen) { AJ_AlwaysPrintf(("no match for secretLen got %d expected %d\n", peerCredRead->dataLen, secretLen)); AJ_FreeCredential(peerCredRead); return AJ_ERR_FAILURE; } if (secretLen > 0) { if (0 != memcmp(peerCredRead->data, secret, secretLen)) { AJ_AlwaysPrintf(("no match for secret\n")); AJ_FreeCredential(peerCredRead); return AJ_ERR_FAILURE; } } if (peerCredRead->expiration != expiration) { AJ_AlwaysPrintf(("no match for expiration got %d expected %d\n", peerCredRead->expiration, expiration)); AJ_FreeCredential(peerCredRead); return AJ_ERR_FAILURE; } status = AJ_DeletePeerCredential(&remoteGuid); if (AJ_OK != status) { AJ_AlwaysPrintf(("AJ_DeleteCredential failed = %d\n", status)); AJ_FreeCredential(peerCredRead); return status; } AJ_FreeCredential(peerCredRead); if (AJ_ERR_FAILURE == AJ_GetPeerCredential(&remoteGuid, NULL)) { status = AJ_OK; } else { return AJ_ERR_FAILURE; } AJ_InfoPrintf(("TestCreds() Layout Print\n")); AJ_NVRAM_Layout_Print(); AJ_ClearCredentials(); if (AJ_ERR_FAILURE == AJ_GetPeerCredential(&remoteGuid, NULL)) { status = AJ_OK; } else { return AJ_ERR_FAILURE; } AJ_InfoPrintf(("TestCreds() Layout Print\n")); AJ_NVRAM_Layout_Print(); AJ_AlwaysPrintf(("TestCreds done.\n")); return status; }
AJ_Status TestCreds() { AJ_Status status = AJ_OK; AJ_GUID localGuid; AJ_GUID remoteGuid; char str[33]; AJ_PeerCred peerCred; AJ_PeerCred peerCredRead; int i = 0; status = AJ_GetLocalGUID(&localGuid); if (AJ_OK != status) { goto TEST_CREDS_EXIT; } AJ_GUID_FromString(&localGuid, str); AJ_NVRAM_Layout_Print(); memset(&peerCred.guid, 1, sizeof(AJ_GUID)); memcpy(&remoteGuid, &peerCred.guid, sizeof(AJ_GUID)); // backup the GUID for (i = 0; i < 24; i++) { peerCred.secret[i] = i; } status = AJ_StoreCredential(&peerCred); if (AJ_OK != status) { AJ_Printf("AJ_StoreCredential failed = %d\n", status); goto TEST_CREDS_EXIT; } status = AJ_GetRemoteCredential(&remoteGuid, &peerCredRead); if (AJ_OK != status) { AJ_Printf("AJ_StoreCredential failed = %d\n", status); goto TEST_CREDS_EXIT; } if (0 != memcmp(&peerCredRead, &peerCred, sizeof(AJ_PeerCred))) { AJ_Printf("The retrieved credential does not match\n"); status = AJ_ERR_FAILURE; goto TEST_CREDS_EXIT; } status = AJ_DeleteCredential(&remoteGuid); if (AJ_OK != status) { AJ_Printf("AJ_DeleteCredential failed = %d\n", status); goto TEST_CREDS_EXIT; } if (AJ_ERR_FAILURE == AJ_GetRemoteCredential(&remoteGuid, &peerCredRead)) { status = AJ_OK; } else { status = AJ_ERR_FAILURE; goto TEST_CREDS_EXIT; } AJ_NVRAM_Layout_Print(); status = AJ_StoreCredential(&peerCred); if (AJ_OK != status) { AJ_Printf("AJ_StoreCredential failed = %d\n", status); goto TEST_CREDS_EXIT; } AJ_ClearCredentials(); if (AJ_ERR_FAILURE == AJ_GetRemoteCredential(&remoteGuid, &peerCredRead)) { status = AJ_OK; } else { status = AJ_ERR_FAILURE; goto TEST_CREDS_EXIT; } AJ_NVRAM_Layout_Print(); TEST_CREDS_EXIT: return status; }