char *cipher_aes_decrypt_base64(const char *ciphertext, const unsigned char key[KDF_HASH_LEN])
{
_cleanup_free_ char *copy = NULL;
_cleanup_free_ char *iv = NULL;
_cleanup_free_ char *data = NULL;
_cleanup_free_ char *unbase64_ciphertext = NULL;
char *pipe;
size_t iv_len, data_len, len;
if (!strlen(ciphertext))
return NULL;
if (ciphertext[0] == '!') {
copy = xstrdup(&ciphertext[1]);
pipe = strchr(copy, '|');
if (!pipe)
return NULL;
*pipe = '\0';
iv_len = unbase64(copy, &iv);
data_len = unbase64(pipe + 1, &data);
len = iv_len + data_len + 1 /* pound */;
unbase64_ciphertext = xcalloc(len, 1);
unbase64_ciphertext[0] = '!';
memcpy(&unbase64_ciphertext[1], iv, iv_len);
memcpy(&unbase64_ciphertext[1 + iv_len], data, data_len);
return cipher_aes_decrypt(unbase64_ciphertext, len, key);
} else {
len = unbase64(ciphertext, &data);
return cipher_aes_decrypt(data, len, key);
}
}
void
decodeParameter(
CString ¶m, // (O) 復号済みデータ
const unsigned char *encryptedString, // (I) 復号したい(暗号化済み)データ
const unsigned char *rsaString ) // (I) 復号に必要な情報(秘密鍵)
{
char *p;
unsigned char targetString[BUFSIZ]; // 復号対象バイト列
int len = -1; // 復号結果(文字列)の長さ
size_t sz = 0;
targetString[0] = NUL;
p = unbase64( encryptedString, targetString, &sz );
if ( p ) {
char *decodedString = NULL; // 復号結果格納領域へのポインタ
if ( targetString[0] )
len = decodeByRSA( &decodedString, rsaString,
(unsigned char *)targetString,
strlen( (char *)targetString ) );
if ( len >= 0 ) {
param = decodedString;
freeRSAbuffer( decodedString );
}
}
}
static bool VerifyBuffer(const unsigned char* buffer, const unsigned int bufferLen,
const unsigned char* signatureEncoded, const unsigned int signatureEncodedLen, const CStdString& appsPublicKeyFile)
{
unsigned char hash[SHA_DIGEST_LENGTH];
SHA_CTX context;
FILE *fkey = NULL;
RSA *rsa = NULL;
bool bSuccedded = false;
unsigned char* signature = NULL;
int signatureLen = 0;
SHA1_Init(&context);
SHA1_Update(&context, buffer, bufferLen);
SHA1_Final(hash, &context);
#ifdef DEBUG
dump_sha1(hash);
#endif
do
{
signatureLen = unbase64((unsigned char*)signatureEncoded, signatureEncodedLen, &signature);
if(!signatureLen)
{
CLog::Log(LOGERROR, "CAppSecurity::%s - failed to decode signature [%s]", __func__, signatureEncoded);
break;
}
fkey = fopen(_P(appsPublicKeyFile), "r");
if (!fkey)
{
CLog::Log(LOGERROR, "CAppSecurity::%s - failed to open publickey file [%s]", __func__, appsPublicKeyFile.c_str());
break;
}
PEM_read_RSA_PUBKEY(fkey, &rsa, NULL, NULL);
if (!rsa)
{
CLog::Log(LOGERROR, "CAppSecurity::%s - failed to load rsa key from file [%s]", __func__, appsPublicKeyFile.c_str());
break;
}
bSuccedded = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH, signature, signatureLen, rsa);
} while(false);
if (rsa) RSA_free(rsa);
if (fkey) fclose(fkey);
if (signature) free(signature);
return bSuccedded;
}
// Must free() returned value
char *aes_cbc_b64_decrypt(const unsigned char *in, int inlen, int *decrypt_len,
PASSWORD_ID id)
{
*decrypt_len = 0;
if (!in || inlen == 0) {
return NULL;
}
// Unbase64
int ub64len;
unsigned char *ub64 = unbase64((char *)in, inlen, &ub64len);
if (!ub64 || (ub64len % N_BLOCK) || ub64len < N_BLOCK) {
free(ub64);
return NULL;
}
// Set cipher key
aes_context ctx[1];
memset(ctx, 0, sizeof(ctx));
aes_set_key(memory_read_aeskey(id), 32, ctx);
unsigned char dec_pad[ub64len - N_BLOCK];
aes_cbc_decrypt(ub64 + N_BLOCK, dec_pad, ub64len / N_BLOCK - 1, ub64, ctx);
memset(ub64, 0, ub64len);
free(ub64);
// Strip PKCS7 padding
int padlen = dec_pad[ub64len - N_BLOCK - 1];
if (ub64len - N_BLOCK - padlen <= 0) {
memset(dec_pad, 0, sizeof(dec_pad));
return NULL;
}
char *dec = malloc(ub64len - N_BLOCK - padlen + 1); // +1 for null termination
if (!dec) {
memset(dec_pad, 0, sizeof(dec_pad));
return NULL;
}
memcpy(dec, dec_pad, ub64len - N_BLOCK - padlen);
dec[ub64len - N_BLOCK - padlen] = '\0';
*decrypt_len = ub64len - N_BLOCK - padlen + 1;
memset(dec_pad, 0, sizeof(dec_pad));
return dec;
}
void decodeParameter(
CString ¶m, // 設定先
const unsigned char *encryptedString,// 設定すべき内容(要・復号)
const unsigned char *rsaString ) // RSA鍵対応文字列
{
char *p;
char *decodedString; // 復号結果格納領域へのポインタ
unsigned char targetString[BUFSIZ]; // 復号対象バイト列
int len; // 復号結果(文字列)の長さ
size_t sz = 0;
memset( targetString, 0x00, BUFSIZ );
p = unbase64( encryptedString, targetString, &sz );
if ( p && *p ) {
len = decodeByRSA( &decodedString, rsaString,
(unsigned char *)targetString,
strlen( (char *)targetString ) );
if ( len >= 0 ) {
param = decodedString;
freeRSAbuffer( decodedString );
}
}
}
inline QString unscramble64(QString in)
{
return scramble(unbase64(in));
}
static bool VerifyAppSignature(const CStdString& appFile, const AppInfo& securityInfo, const AuthorityInfo& authorityInfo)
{
unsigned char hash[SHA_DIGEST_LENGTH];
SHA_CTX context;
RSA *rsa = NULL;
BIO *bio = NULL;
bool bSuccedded = false;
unsigned char buffer[4096];
unsigned char* signature = (unsigned char*)securityInfo.signature.c_str();
int signatureLen = securityInfo.signature.size();
XFILE::CFile file;
unsigned int bytesRead = 0;
if(!file.Open(appFile))
{
CLog::Log(LOGERROR, "CAppSecurity::%s - failed to open file [%s]", __func__, appFile.c_str());
return false;
}
SHA1_Init(&context);
while((bytesRead = file.Read(buffer, sizeof buffer)))
{
SHA1_Update(&context, buffer, bytesRead);
}
SHA1_Final(hash, &context);
file.Close();
#ifdef DEBUG
dump_sha1(hash);
#endif
do
{
signatureLen = unbase64((unsigned char*)securityInfo.signature.c_str(), securityInfo.signature.size(), &signature);
if(!signatureLen)
{
CLog::Log(LOGERROR, "CAppSecurity::%s - failed to decode signature [%s]", __func__, securityInfo.signature.c_str());
break;
}
bio = BIO_new_mem_buf((void*)authorityInfo.publicKey.data(), authorityInfo.publicKey.size());
if(!bio)
{
CLog::Log(LOGERROR, "CAppSecurity::%s - failed to create BIO from public key[%s]", __func__, authorityInfo.publicKey.c_str());
break;
}
PEM_read_bio_RSA_PUBKEY(bio, &rsa, NULL, NULL);
if(!rsa)
{
CLog::Log(LOGERROR, "CAppSecurity::%s - failed to create RSA public key from BIO", __func__);
break;
}
bSuccedded = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH, signature, signatureLen, rsa);
} while(false);
if (rsa) RSA_free(rsa);
if (bio) BIO_free(bio);
if (signature) free(signature);
return bSuccedded;
}
static void apply_bpf(int sock, uint16_t port, uint32_t ip)
{
struct sock_filter filter[] = {
BPF_STMT(BPF_LD + BPF_W + BPF_ABS, 12 /* src ip */),
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ip, 0, 5),
BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 20 /* src port */),
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, PORT, 0, 3),
BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 22 /* dst port */),
BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, port, 0, 1),
BPF_STMT(BPF_RET + BPF_K, -1),
BPF_STMT(BPF_RET + BPF_K, 0)
};
struct sock_fprog filter_prog = {
.len = sizeof(filter) / sizeof(filter[0]),
.filter = filter
};
if (setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &filter_prog, sizeof(filter_prog)) < 0) {
perror("setsockopt(bpf)");
exit(errno);
}
}
int main(int argc, char *argv[])
{
struct sockaddr_in addr = {
.sin_family = AF_INET
};
struct {
struct udphdr udp;
uint8_t my_pubkey[32];
uint8_t their_pubkey[32];
} __attribute__((packed)) packet = {
.udp = {
.len = htons(sizeof(packet)),
.dest = htons(PORT)
}
};
struct {
struct iphdr iphdr;
struct udphdr udp;
uint32_t ip;
uint16_t port;
} __attribute__((packed)) reply;
ssize_t len;
int sock, i;
bool repeat;
struct hostent *ent;
const char *server = argv[1], *interface = argv[2];
if (argc < 3) {
fprintf(stderr, "Usage: %s SERVER WIREGUARD_INTERFACE\nExample:\n %s demo.wireguard.com wg0\n", argv[0], argv[0]);
return EINVAL;
}
if (getuid() != 0) {
fprintf(stderr, "Must be root!\n");
return EPERM;
}
ent = gethostbyname2(server, AF_INET);
if (!ent) {
herror("gethostbyname2");
return h_errno;
}
addr.sin_addr = *(struct in_addr *)ent->h_addr;
read_peers(interface);
cmd("ip link set %s up", interface);
unbase64(packet.my_pubkey, cmd("wg show %s public-key", interface));
packet.udp.source = htons(atoi(cmd("wg show %s listen-port", interface)));
/* We use raw sockets so that the WireGuard interface can actually own the real socket. */
sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
if (sock < 0) {
perror("socket");
return errno;
}
apply_bpf(sock, ntohs(packet.udp.source), ntohl(addr.sin_addr.s_addr));
check_again:
repeat = false;
for (i = 0; i < total_peers; ++i) {
if (peers[i].have_seen)
continue;
printf("[+] Requesting IP and port of %s: ", peers[i].base64_key);
unbase64(packet.their_pubkey, peers[i].base64_key);
if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
putchar('\n');
perror("sendto");
return errno;
}
len = recv(sock, &reply, sizeof(reply), 0);
if (len < 0) {
putchar('\n');
perror("recv");
return errno;
}
if (len != sizeof(reply)) {
printf("server does not yet have it\n");
repeat = true;
} else {
printf("%s:%d\n", inet_ntoa(*(struct in_addr *)&reply.ip), ntohs(reply.port));
peers[i].have_seen = true;
cmd("wg set %s peer %s persistent-keepalive 25 endpoint %s:%d", interface, peers[i].base64_key, inet_ntoa(*(struct in_addr *)&reply.ip), ntohs(reply.port));
}
}
if (repeat) {
sleep(2);
goto check_again;
}
close(sock);
return 0;
}
int main(int argc, char *argv[])
{
int rc, i;
struct statvfs vfs;
if (getuid() != 0) {
fprintf(stderr, "Error: You need to run %s as root!\n", argv[0]);
return EXIT_FAILURE;
}
flags = parseArgs(argc, argv);
if (!mServer || !mUser || !mPass || !mMntPoint)
usage(argv[0]);
if (strcmp(mPwdType, "b64") == 0)
mPass = strdup(unbase64(mPass));
dumpArgs();
if (flagIsSet(FLAG_UNMOUNT) || (flagIsSet(FLAG_FORCE))) {
rc = unmount( replace(argv[0], "./", ""), mMntPoint, flagIsSet(FLAG_FORCE) );
if (flagIsSet(FLAG_UNMOUNT))
return rc;
if ((rc != 0) && (flagIsSet(FLAG_UNMOUNT)))
fprintf(stderr, "Warning: Error unmounting mountpoint %s\n", mMntPoint);
}
if (statvfs(mMntPoint, &vfs) == 0) {
if (vfs.f_fsid == 0) { /* Observed when mounted (FUSE mount) */
fprintf(stderr, "Path %s seems to be already mounted. Cannot "
"continue. Quiting...\n", mMntPoint);
return EXIT_FAILURE;
}
}
if (mysql_init(&sql) == NULL)
return EXIT_FAILURE;
if (!mysql_real_connect(&sql, mServer, mUser, mPass, NULL, 0, NULL, 0)) {
fprintf(stderr, "MySQL connection error: %s (%d)\n", mysql_error(&sql),
mysql_errno(&sql));
mysql_close(&sql);
return EXIT_FAILURE;
}
/* Unset all the arguments for fuse_main */
for (i = 1; i > argc; i++)
free(argv[i]);
argc = 2;
/* Set only the mountpoint argument */
argv[1] = mMntPoint;
printf("Process %s started successfully\n", argv[0]);
rc = fuse_main(argc, argv, &fmysql_oper, NULL);
mysql_close(&sql);
return rc;
}
