/**
* crypto_keys_subr_generate_RSA(priv, pub):
* Generate an RSA key and store the private and public parts.
*/
int
crypto_keys_subr_generate_RSA(RSA ** priv, RSA ** pub)
{
/* Free any existing keys. */
if (*priv != NULL)
RSA_free(*priv);
if (*pub != NULL)
RSA_free(*pub);
*priv = RSA_generate_key(2048, 65537, NULL, NULL);
if (*priv == NULL) {
warn0("%s", ERR_error_string(ERR_get_error(), NULL));
goto err0;
}
*pub = RSAPublicKey_dup(*priv);
if (*pub == NULL) {
warn0("%s", ERR_error_string(ERR_get_error(), NULL));
goto err1;
}
/* Success! */
return (0);
err1:
RSA_free(*priv);
*priv = NULL;
err0:
/* Failure! */
return (-1);
}
EVP_PKEY*
tor_public_key_to_evp (TorPublicKey* self)
{
RSA* tmp = NULL;
EVP_PKEY* result = NULL;
assert(self);
assert(self->key);
if (!(tmp = RSAPublicKey_dup(self->key))) {
goto error;
}
if (!(result = EVP_PKEY_new())) {
goto error;
}
if (!EVP_PKEY_assign_RSA(result, tmp)) {
goto error;
}
return result;
error:
if (tmp) {
RSA_free(tmp);
}
if (result) {
EVP_PKEY_free(result);
}
return NULL;
}
/* returns newly allocated SSL_RKEY or NULL */
SSL_RKEY *
ssl_cert_to_rkey(SSL_CERT * cert, uint32 * key_len)
{
EVP_PKEY *epk = NULL;
SSL_RKEY *lkey;
int nid;
/* By some reason, Microsoft sets the OID of the Public RSA key to
the oid for "MD5 with RSA Encryption" instead of "RSA Encryption"
Kudos to Richard Levitte for the following (. intiutive .)
lines of code that resets the OID and let's us extract the key. */
nid = OBJ_obj2nid(cert->cert_info->key->algor->algorithm);
if ((nid == NID_md5WithRSAEncryption) || (nid == NID_shaWithRSAEncryption))
{
DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n"));
ASN1_OBJECT_free(cert->cert_info->key->algor->algorithm);
cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
}
epk = X509_get_pubkey(cert);
if (NULL == epk)
{
error("Failed to extract public key from certificate\n");
return NULL;
}
lkey = RSAPublicKey_dup(EVP_PKEY_get1_RSA(epk));
EVP_PKEY_free(epk);
*key_len = RSA_size(lkey);
return lkey;
}
int
ccn_keypair_from_rsa(int public_only, RSA *private_key_rsa,
PyObject **py_private_key_ccn, PyObject **py_public_key_ccn)
{
struct ccn_pkey *private_key = NULL, *public_key = NULL;
PyObject *py_private_key = NULL, *py_public_key = NULL;
unsigned int err;
int r;
RSA *public_key_rsa;
if (!public_only && py_private_key_ccn) {
private_key = (struct ccn_pkey *) EVP_PKEY_new();
JUMP_IF_NULL(private_key, openssl_error);
py_private_key = CCNObject_New(PKEY_PRIV, private_key);
JUMP_IF_NULL(py_private_key, error);
r = EVP_PKEY_set1_RSA((EVP_PKEY*) private_key, private_key_rsa);
JUMP_IF_NEG(r, openssl_error);
}
if (py_public_key_ccn) {
public_key = (struct ccn_pkey *) EVP_PKEY_new();
JUMP_IF_NULL(public_key, openssl_error);
py_public_key = CCNObject_New(PKEY_PUB, public_key);
JUMP_IF_NULL(py_public_key, error);
public_key_rsa = RSAPublicKey_dup(private_key_rsa);
JUMP_IF_NULL(public_key_rsa, openssl_error);
r = EVP_PKEY_set1_RSA((EVP_PKEY *) public_key, public_key_rsa);
RSA_free(public_key_rsa);
JUMP_IF_NULL(r, error);
}
if (py_private_key_ccn) {
*py_private_key_ccn = public_only ? (Py_INCREF(Py_None), Py_None) :
py_private_key;
}
if (py_public_key_ccn)
*py_public_key_ccn = py_public_key;
return 0;
openssl_error:
err = ERR_get_error();
PyErr_Format(g_PyExc_CCNKeyError, "Unable to generate keypair from the key:"
" %s", ERR_reason_error_string(err));
error:
if (!py_public_key && public_key)
ccn_pubkey_free(public_key);
Py_XDECREF(py_public_key);
if (!py_private_key && private_key)
ccn_pubkey_free(private_key);
Py_XDECREF(py_private_key);
return -1;
}
RSA *svRSAKey::Duplicate(void)
{
if (type == svRSA_TYPE_PUBLIC)
return RSAPublicKey_dup(key);
else if (type == svRSA_TYPE_PRIVATE)
return RSAPrivateKey_dup(key);
return NULL;
}
Certificate::Certificate(const string& _subject, const string& _issuer, const string& _validity, const Node::Id_t _owner, RSA *_rsaPubKey) :
#ifdef DEBUG_LEAKS
LeakMonitor(LEAK_TYPE_CERTIFICATE),
#endif
stored(false), verified(false), hasSignature(false), x(NULL), subject(_subject), issuer(_issuer), validity(_validity), pubKey(NULL), rsaPubKey(NULL), x509_PEM_str(NULL)
{
memcpy(owner, _owner, sizeof(Node::Id_t));
x = X509_new();
if (!x) {
HAGGLE_ERR("Could not allocate X509 certificate struct\n");
return;
}
X509_set_version(x, 2);
pubKey = EVP_PKEY_new();
if (!pubKey) {
X509_free(x);
HAGGLE_ERR("Could not allocate X509 EVP_PKEY\n");
return;
}
EVP_PKEY_assign_RSA(pubKey, RSAPublicKey_dup(_rsaPubKey));
X509_set_pubkey(x, pubKey);
rsaPubKey = EVP_PKEY_get1_RSA(pubKey);
/* Set validity.
FIXME: currently hardcoded
*/
int days = 30;
X509_gmtime_adj(X509_get_notBefore(x),0);
X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
X509_NAME *subject_name = X509_get_subject_name(x);
/* Set subject */
//X509_NAME_add_entry_by_txt(subname,"C", MBSTRING_ASC, "SE", -1, -1, 0);
X509_NAME_add_entry_by_txt(subject_name, "CN", MBSTRING_ASC, (const unsigned char *)subject.c_str(), -1, -1, 0);
X509_NAME_add_entry_by_txt(subject_name, "O", MBSTRING_ASC, (const unsigned char *)"Haggle", -1, -1, 0);
X509_set_subject_name(x, subject_name);
/* Set issuer */
X509_NAME *issuer_name = X509_get_issuer_name(x);
X509_NAME_add_entry_by_txt(issuer_name, "CN", MBSTRING_ASC, (const unsigned char *)issuer.c_str(), -1, -1, 0);
X509_NAME_add_entry_by_txt(issuer_name, "O", MBSTRING_ASC, (const unsigned char *)"Haggle", -1, -1, 0);
X509_set_issuer_name(x, issuer_name);
//HAGGLE_DBG("Subject=\'%s\' issuer=\'%s\'\n", subject.c_str(), issuer.c_str());
certificate_set_serial(x);
}
static bool generate_keys(ScopedEVP_PKEY &private_key_out,
ScopedEVP_PKEY &public_key_out)
{
ScopedEVP_PKEY private_key(EVP_PKEY_new(), EVP_PKEY_free);
ScopedEVP_PKEY public_key(EVP_PKEY_new(), EVP_PKEY_free);
ScopedRSA rsa(RSA_new(), RSA_free);
ScopedBIGNUM e(BN_new(), BN_free);
if (!private_key) {
LOGE("Failed to allocate private key");
openssl_log_errors();
return false;
}
if (!public_key) {
LOGE("Failed to allocate public key");
openssl_log_errors();
return false;
}
if (!rsa) {
LOGE("Failed to allocate RSA");
openssl_log_errors();
return false;
}
if (!e) {
LOGE("Failed to allocate BIGNUM");
openssl_log_errors();
return false;
}
BN_set_word(e.get(), RSA_F4);
if (RSA_generate_key_ex(rsa.get(), 2048, e.get(), nullptr) < 0) {
LOGE("RSA_generate_key_ex() failed");
openssl_log_errors();
return false;
}
if (!EVP_PKEY_assign_RSA(private_key.get(), RSAPrivateKey_dup(rsa.get()))) {
LOGE("EVP_PKEY_assign_RSA() failed for private key");
openssl_log_errors();
return false;
}
if (!EVP_PKEY_assign_RSA(public_key.get(), RSAPublicKey_dup(rsa.get()))) {
LOGE("EVP_PKEY_assign_RSA() failed for public key");
openssl_log_errors();
return false;
}
private_key_out = std::move(private_key);
public_key_out = std::move(public_key);
return true;
}
Qt::HANDLE QSmartCard::key()
{
RSA *rsa = RSAPublicKey_dup( (RSA*)d->t.authCert().publicKey().handle() );
if ( !rsa )
return 0;
RSA_set_method( rsa, &d->method );
rsa->flags |= RSA_FLAG_SIGN_VER;
RSA_set_app_data( rsa, d );
EVP_PKEY *key = EVP_PKEY_new();
EVP_PKEY_set1_RSA( key, rsa );
RSA_free( rsa );
return Qt::HANDLE(key);
}
RSAKey RSAKey::createFromRaw(RSA* raw, bool has_private_key)
{
std::shared_ptr<RSA> sprsa;
if (has_private_key)
{
sprsa.reset(RSAPrivateKey_dup(raw), RSA_free);
}
else
{
sprsa.reset(RSAPublicKey_dup(raw), RSA_free);
}
return RSAKey(sprsa, has_private_key);
}
BOOL rsautil_pubkeyblob_to_rsa(PBYTE blob, DWORD cbBlob, RSA **rsa)
{
BOOL status = FALSE;
EVP_PKEY *pubKey;
RSA *tmp;
if(pubKey = b2i_PublicKey(&blob, cbBlob))
{
if(tmp = EVP_PKEY_get1_RSA(pubKey))
{
*rsa = RSAPublicKey_dup(tmp);
status = (*rsa != NULL);
}
EVP_PKEY_free(pubKey);
}
return status;
}
int
x509_cert_get_key(void *scert, void *keyp)
{
X509 *cert = scert;
EVP_PKEY *key;
key = X509_get_pubkey(cert);
/* Check if we got the right key type. */
if (key->type != EVP_PKEY_RSA) {
log_print("x509_cert_get_key: public key is not a RSA key");
X509_free(cert);
return 0;
}
*(RSA **)keyp = RSAPublicKey_dup(key->pkey.rsa);
return *(RSA **)keyp == NULL ? 0 : 1;
}
int rsa_keygen(rsa_pubkey_t **pk, rsa_prvkey_t **sk)
{
int ret = -1;
OPENSSL_assert(pk && *pk == NULL);
OPENSSL_assert(sk && *sk == NULL);
BIGNUM *e = BN_new();
RSA *prv_key = RSA_new();
RSA *pub_key = NULL;
if (!e || !prv_key) {
ERR_print_errors_fp(stderr);
goto end;
}
if (!BN_set_word(e, 65537)) {
ERR_print_errors_fp(stderr);
goto end;
}
if (!RSA_generate_key_ex(prv_key, 1024, e, NULL)) {
ERR_print_errors_fp(stderr);
goto end;
}
if (!(pub_key = RSAPublicKey_dup(prv_key))) {
ERR_print_errors_fp(stderr);
goto end;
}
*pk = pub_key;
*sk = prv_key;
ret = 0;
end:
if (e) BN_free(e);
if (ret && prv_key) RSA_free(prv_key);
if (ret && pub_key) RSA_free(pub_key);
return ret;
}
CRYPTO_PUBLIC_KEY *
crypto_cert_get_public_key(CRYPTO_CERT * cert, uint32 * key_len)
{
#ifdef CRYPTO_OPENSSL
int nid;
CRYPTO_PUBLIC_KEY *lkey;
EVP_PKEY *epk = NULL;
/* For some reason, Microsoft sets the OID of the Public RSA key to
the oid for "MD5 with RSA Encryption" instead of "RSA Encryption"
Kudos to Richard Levitte for the following (intuitive)
lines of code that resets the OID and lets us extract the key. */
nid = OBJ_obj2nid(cert->cert_info->key->algor->algorithm);
if ((nid == NID_md5WithRSAEncryption) || (nid == NID_shaWithRSAEncryption))
{
ASN1_OBJECT_free(cert->cert_info->key->algor->algorithm);
cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
}
epk = X509_get_pubkey(cert);
if (NULL == epk)
return NULL;
lkey = RSAPublicKey_dup((RSA *) epk->pkey.ptr);
*key_len = RSA_size(lkey);
EVP_PKEY_free(epk);
return lkey;
#else /* built-in crypto */
return ssl_cert_get_public_key(cert, key_len);
#endif
}
int generateKeysRSA(EVP_PKEY** privKey, EVP_PKEY** pubKey){
RSA* rsa = NULL;
if(privKey == NULL || pubKey == NULL)
return 0;
*privKey = EVP_PKEY_new();
if(*privKey == NULL){
printf("ERR EVP_PKEY_new\n");
return 0;
}
*pubKey = EVP_PKEY_new();
if(*pubKey == NULL){
printf("ERR EVP_PKEY_new\n");
return 0;
}
rsa = RSA_generate_key(2048, RSA_F4, NULL, NULL);
if(rsa == NULL){
printf("ERR RSA_generate_key\n");
return 0;
}
if(1 != EVP_PKEY_assign_RSA(*privKey,
RSAPrivateKey_dup(rsa))){
printf("ERR EVP_PKEY_assign_RSA\n");
return 0;
}
if(1 != EVP_PKEY_assign_RSA(*pubKey,
RSAPublicKey_dup(rsa))){
printf("ERR EVP_PKEY_assign_RSA\n");
return 0;
}
return 1;
}
int
create_public_key_digest(RSA *private_key_rsa,
PyObject **py_public_key_digest, int *public_key_digest_len)
{
unsigned int err;
unsigned char *public_key_der = NULL;
size_t der_len;
unsigned char *key_digest;
size_t key_digest_size;
PyObject *py_digest = NULL;
int r;
EVP_PKEY *public_key = NULL;
RSA *public_key_rsa = NULL;
assert(private_key_rsa);
assert(py_public_key_digest);
public_key = EVP_PKEY_new();
JUMP_IF_NULL(public_key, openssl_error);
public_key_rsa = RSAPublicKey_dup(private_key_rsa);
JUMP_IF_NULL(public_key_rsa, openssl_error);
r = EVP_PKEY_set1_RSA(public_key, public_key_rsa);
RSA_free(public_key_rsa);
public_key_rsa = NULL;
JUMP_IF_NEG(r, openssl_error);
r = i2d_PUBKEY(public_key, &public_key_der);
EVP_PKEY_free(public_key);
public_key = NULL;
if (r < 0) {
free(public_key_der);
goto openssl_error;
}
der_len = r;
r = create_key_digest(public_key_der, der_len, &key_digest,
&key_digest_size);
free(public_key_der);
public_key_der = NULL;
JUMP_IF_NEG(r, error);
py_digest = PyBytes_FromStringAndSize((char *) key_digest, key_digest_size);
JUMP_IF_NULL(py_digest, error);
*py_public_key_digest = py_digest;
if (public_key_digest_len)
*public_key_digest_len = key_digest_size;
return 0;
openssl_error:
err = ERR_get_error();
PyErr_Format(g_PyExc_CCNKeyError, "Unable to generate digest from the key:"
" %s", ERR_reason_error_string(err));
error:
if (public_key_rsa)
RSA_free(public_key_rsa);
if (public_key)
EVP_PKEY_free(public_key);
if (public_key_der)
free(public_key_der);
return -1;
}
int AuthenticateAgent(AgentConnection *conn, Attributes attr, Promise *pp)
{
char sendbuffer[CF_EXPANDSIZE], in[CF_BUFSIZE], *out, *decrypted_cchall;
BIGNUM *nonce_challenge, *bn = NULL;
unsigned long err;
unsigned char digest[EVP_MAX_MD_SIZE];
int encrypted_len, nonce_len = 0, len, session_size;
char dont_implicitly_trust_server, enterprise_field = 'c';
RSA *server_pubkey = NULL;
if (PUBKEY == NULL || PRIVKEY == NULL)
{
CfOut(cf_error, "", "No public/private key pair found\n");
return false;
}
enterprise_field = CfEnterpriseOptions();
session_size = CfSessionKeySize(enterprise_field);
/* Generate a random challenge to authenticate the server */
nonce_challenge = BN_new();
BN_rand(nonce_challenge, CF_NONCELEN, 0, 0);
nonce_len = BN_bn2mpi(nonce_challenge, in);
if (FIPS_MODE)
{
HashString(in, nonce_len, digest, CF_DEFAULT_DIGEST);
}
else
{
HashString(in, nonce_len, digest, cf_md5);
}
/* We assume that the server bound to the remote socket is the official one i.e. = root's */
if ((server_pubkey = HavePublicKeyByIP(conn->username, conn->remoteip)))
{
dont_implicitly_trust_server = 'y';
encrypted_len = RSA_size(server_pubkey);
}
else
{
dont_implicitly_trust_server = 'n'; /* have to trust server, since we can't verify id */
encrypted_len = nonce_len;
}
// Server pubkey is what we want to has as a unique ID
snprintf(sendbuffer, sizeof(sendbuffer), "SAUTH %c %d %d %c", dont_implicitly_trust_server, encrypted_len,
nonce_len, enterprise_field);
out = xmalloc(encrypted_len);
if (server_pubkey != NULL)
{
if (RSA_public_encrypt(nonce_len, in, out, server_pubkey, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
cfPS(cf_error, CF_FAIL, "", pp, attr, "Public encryption failed = %s\n", ERR_reason_error_string(err));
free(out);
FreeRSAKey(server_pubkey);
return false;
}
memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, out, encrypted_len);
}
else
{
memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, in, nonce_len);
}
/* proposition C1 - Send challenge / nonce */
SendTransaction(conn->sd, sendbuffer, CF_RSA_PROTO_OFFSET + encrypted_len, CF_DONE);
BN_free(bn);
BN_free(nonce_challenge);
free(out);
if (DEBUG)
{
RSA_print_fp(stdout, PUBKEY, 0);
}
/*Send the public key - we don't know if server has it */
/* proposition C2 */
memset(sendbuffer, 0, CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->n, sendbuffer);
SendTransaction(conn->sd, sendbuffer, len, CF_DONE); /* No need to encrypt the public key ... */
/* proposition C3 */
memset(sendbuffer, 0, CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->e, sendbuffer);
SendTransaction(conn->sd, sendbuffer, len, CF_DONE);
/* check reply about public key - server can break connection here */
/* proposition S1 */
memset(in, 0, CF_BUFSIZE);
if (ReceiveTransaction(conn->sd, in, NULL) == -1)
{
cfPS(cf_error, CF_INTERPT, "recv", pp, attr, "Protocol transaction broken off (1)");
FreeRSAKey(server_pubkey);
return false;
}
if (BadProtoReply(in))
{
CfOut(cf_error, "", "%s", in);
FreeRSAKey(server_pubkey);
return false;
}
/* Get challenge response - should be CF_DEFAULT_DIGEST of challenge */
/* proposition S2 */
memset(in, 0, CF_BUFSIZE);
if (ReceiveTransaction(conn->sd, in, NULL) == -1)
{
cfPS(cf_error, CF_INTERPT, "recv", pp, attr, "Protocol transaction broken off (2)");
FreeRSAKey(server_pubkey);
return false;
}
if (HashesMatch(digest, in, CF_DEFAULT_DIGEST) || HashesMatch(digest, in, cf_md5)) // Legacy
{
if (dont_implicitly_trust_server == 'y') /* challenge reply was correct */
{
CfOut(cf_verbose, "", ".....................[.h.a.i.l.].................................\n");
CfOut(cf_verbose, "", "Strong authentication of server=%s connection confirmed\n", pp->this_server);
}
else
{
if (attr.copy.trustkey)
{
CfOut(cf_verbose, "", " -> Trusting server identity, promise to accept key from %s=%s", pp->this_server,
conn->remoteip);
}
else
{
CfOut(cf_error, "", " !! Not authorized to trust the server=%s's public key (trustkey=false)\n",
pp->this_server);
PromiseRef(cf_verbose, pp);
FreeRSAKey(server_pubkey);
return false;
}
}
}
else
{
cfPS(cf_error, CF_INTERPT, "", pp, attr, "Challenge response from server %s/%s was incorrect!", pp->this_server,
conn->remoteip);
FreeRSAKey(server_pubkey);
return false;
}
/* Receive counter challenge from server */
CfDebug("Receive counter challenge from server\n");
/* proposition S3 */
memset(in, 0, CF_BUFSIZE);
encrypted_len = ReceiveTransaction(conn->sd, in, NULL);
if (encrypted_len <= 0)
{
CfOut(cf_error, "", "Protocol transaction sent illegal cipher length");
FreeRSAKey(server_pubkey);
return false;
}
decrypted_cchall = xmalloc(encrypted_len);
if (RSA_private_decrypt(encrypted_len, in, decrypted_cchall, PRIVKEY, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
cfPS(cf_error, CF_INTERPT, "", pp, attr, "Private decrypt failed = %s, abandoning\n",
ERR_reason_error_string(err));
FreeRSAKey(server_pubkey);
return false;
}
/* proposition C4 */
if (FIPS_MODE)
{
HashString(decrypted_cchall, nonce_len, digest, CF_DEFAULT_DIGEST);
}
else
{
HashString(decrypted_cchall, nonce_len, digest, cf_md5);
}
CfDebug("Replying to counter challenge with hash\n");
if (FIPS_MODE)
{
SendTransaction(conn->sd, digest, CF_DEFAULT_DIGEST_LEN, CF_DONE);
}
else
{
SendTransaction(conn->sd, digest, CF_MD5_LEN, CF_DONE);
}
free(decrypted_cchall);
/* If we don't have the server's public key, it will be sent */
if (server_pubkey == NULL)
{
RSA *newkey = RSA_new();
CfOut(cf_verbose, "", " -> Collecting public key from server!\n");
/* proposition S4 - conditional */
if ((len = ReceiveTransaction(conn->sd, in, NULL)) <= 0)
{
CfOut(cf_error, "", "Protocol error in RSA authentation from IP %s\n", pp->this_server);
return false;
}
if ((newkey->n = BN_mpi2bn(in, len, NULL)) == NULL)
{
err = ERR_get_error();
cfPS(cf_error, CF_INTERPT, "", pp, attr, "Private key decrypt failed = %s\n", ERR_reason_error_string(err));
FreeRSAKey(newkey);
return false;
}
/* proposition S5 - conditional */
if ((len = ReceiveTransaction(conn->sd, in, NULL)) <= 0)
{
cfPS(cf_inform, CF_INTERPT, "", pp, attr, "Protocol error in RSA authentation from IP %s\n",
pp->this_server);
FreeRSAKey(newkey);
return false;
}
if ((newkey->e = BN_mpi2bn(in, len, NULL)) == NULL)
{
err = ERR_get_error();
cfPS(cf_error, CF_INTERPT, "", pp, attr, "Public key decrypt failed = %s\n", ERR_reason_error_string(err));
FreeRSAKey(newkey);
return false;
}
server_pubkey = RSAPublicKey_dup(newkey);
FreeRSAKey(newkey);
}
/* proposition C5 */
SetSessionKey(conn);
if (conn->session_key == NULL)
{
CfOut(cf_error, "", "A random session key could not be established");
FreeRSAKey(server_pubkey);
return false;
}
encrypted_len = RSA_size(server_pubkey);
CfDebug("Encrypt %d bytes of session key into %d RSA bytes\n", session_size, encrypted_len);
out = xmalloc(encrypted_len);
if (RSA_public_encrypt(session_size, conn->session_key, out, server_pubkey, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
cfPS(cf_error, CF_INTERPT, "", pp, attr, "Public encryption failed = %s\n", ERR_reason_error_string(err));
free(out);
FreeRSAKey(server_pubkey);
return false;
}
SendTransaction(conn->sd, out, encrypted_len, CF_DONE);
if (server_pubkey != NULL)
{
HashPubKey(server_pubkey, conn->digest, CF_DEFAULT_DIGEST);
CfOut(cf_verbose, "", " -> Public key identity of host \"%s\" is \"%s\"", conn->remoteip,
HashPrint(CF_DEFAULT_DIGEST, conn->digest));
SavePublicKey(conn->username, conn->remoteip, HashPrint(CF_DEFAULT_DIGEST, conn->digest), server_pubkey); // FIXME: username is local
LastSaw(conn->remoteip, conn->digest, cf_connect);
}
free(out);
FreeRSAKey(server_pubkey);
return true;
}
void Key::generateNewKey(string publicKeyFile, string privateKeyFile)
{
priName = privateKeyFile;
pubName = publicKeyFile;
RSA *rsa = RSA_generate_key(LENGTH, RSA_F4, NULL, NULL);
if (rsa == NULL) {
cout << "RSA_generate_key Error!" << endl;
return ;
}
BIO *priBio = BIO_new_file(privateKeyFile.c_str(), "w");
if (PEM_write_bio_RSAPrivateKey(priBio, rsa, NULL, NULL, 0, NULL, NULL) <= 0) {
cout << "Save to private key file error!" << endl;
}
BIO *pubBio = BIO_new_file(publicKeyFile.c_str(), "w");
if (PEM_write_bio_RSAPublicKey(pubBio, rsa) <= 0) {
cout << "Save to public key file error!" << endl;
}
BIO_free(priBio);
BIO_free(pubBio);
// FILE *priFile = fopen(privateKeyFile.c_str(), "w+");
// if (PEM_write_RSAPrivateKey(priFile, rsa, EVP_des_ede3_ofb(), NULL, NULL, NULL, NULL) <= 0) {
// cout << "Save to private key file error!" << endl;
// }
// fclose(priFile);
//
// FILE *pubFile = fopen(publicKeyFile.c_str(), "w+");
// if (PEM_write_RSA_PUBKEY(pubFile, rsa) <= 0) {
// cout << "Save to public key file error!" << endl;
// }
// fclose(pubFile);
//
// BIO *bp = BIO_new(BIO_s_file());
// if (bp == NULL) {
// cout << "BIO_new Error!" << endl;
// return ;
// }
// if (BIO_write_filename(bp, (void *)publicKeyFile.c_str()) <= 0) {
// cout << "BIO_write_filename Error!" << endl;
// return ;
// }
// if (PEM_write_bio_RSAPublicKey(bp, rsa) != 1) {
// cout << "PEM_write_bio_RSAPublicKey Error!" << endl;
// return ;
// }
// cout << "Created Public Key" << endl;
//
// bp = BIO_new_file(privateKeyFile.c_str(), "w+");
// if(NULL == bp) {
// cout << "BIO_new_file error(private key)!" << endl;
// return ;
// }
// if (PEM_write_bio_RSAPrivateKey(bp, rsa, EVP_des_ede3_ofb(), NULL, NULL, NULL, NULL) != 1) {
// cout << "PEM_write_bio_RSAPrivateKey Error!" << endl;
// return ;
// }
//
// BIO_free_all(bp);
this->rsa = rsa;
privateKey = RSAPrivateKey_dup(rsa);
publicKey = RSAPublicKey_dup(rsa);
}
int AuthenticateAgent(AgentConnection *conn, bool trust_key)
{
char sendbuffer[CF_EXPANDSIZE], in[CF_BUFSIZE], *out, *decrypted_cchall;
BIGNUM *nonce_challenge, *bn = NULL;
unsigned char digest[EVP_MAX_MD_SIZE];
int encrypted_len, nonce_len = 0, len, session_size;
bool need_to_implicitly_trust_server;
char enterprise_field = 'c';
RSA *server_pubkey = NULL;
if ((PUBKEY == NULL) || (PRIVKEY == NULL))
{
/* Try once more to load the keys, maybe the system is converging. */
LoadSecretKeys();
if ((PUBKEY == NULL) || (PRIVKEY == NULL))
{
char *pubkeyfile = PublicKeyFile(GetWorkDir());
Log(LOG_LEVEL_ERR, "No public/private key pair found at: %s", pubkeyfile);
free(pubkeyfile);
return false;
}
}
enterprise_field = CfEnterpriseOptions();
session_size = CfSessionKeySize(enterprise_field);
/* Generate a random challenge to authenticate the server */
nonce_challenge = BN_new();
if (nonce_challenge == NULL)
{
Log(LOG_LEVEL_ERR, "Cannot allocate BIGNUM structure for server challenge");
return false;
}
BN_rand(nonce_challenge, CF_NONCELEN, 0, 0);
nonce_len = BN_bn2mpi(nonce_challenge, in);
if (FIPS_MODE)
{
HashString(in, nonce_len, digest, CF_DEFAULT_DIGEST);
}
else
{
HashString(in, nonce_len, digest, HASH_METHOD_MD5);
}
/* We assume that the server bound to the remote socket is the official one i.e. = root's */
/* Ask the server to send us the public key if we don't have it. */
if ((server_pubkey = HavePublicKeyByIP(conn->username, conn->remoteip)))
{
need_to_implicitly_trust_server = false;
encrypted_len = RSA_size(server_pubkey);
}
else
{
need_to_implicitly_trust_server = true;
encrypted_len = nonce_len;
}
// Server pubkey is what we want to has as a unique ID
snprintf(sendbuffer, sizeof(sendbuffer), "SAUTH %c %d %d %c",
need_to_implicitly_trust_server ? 'n': 'y',
encrypted_len, nonce_len, enterprise_field);
out = xmalloc(encrypted_len);
if (server_pubkey != NULL)
{
if (RSA_public_encrypt(nonce_len, in, out, server_pubkey, RSA_PKCS1_PADDING) <= 0)
{
Log(LOG_LEVEL_ERR,
"Public encryption failed. (RSA_public_encrypt: %s)",
CryptoLastErrorString());
free(out);
RSA_free(server_pubkey);
return false;
}
memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, out, encrypted_len);
}
else
{
memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, in, nonce_len);
}
/* proposition C1 - Send challenge / nonce */
SendTransaction(conn->conn_info, sendbuffer, CF_RSA_PROTO_OFFSET + encrypted_len, CF_DONE);
BN_free(bn);
BN_free(nonce_challenge);
free(out);
/*Send the public key - we don't know if server has it */
/* proposition C2 */
memset(sendbuffer, 0, CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->n, sendbuffer);
SendTransaction(conn->conn_info, sendbuffer, len, CF_DONE); /* No need to encrypt the public key ... */
/* proposition C3 */
memset(sendbuffer, 0, CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->e, sendbuffer);
SendTransaction(conn->conn_info, sendbuffer, len, CF_DONE);
/* check reply about public key - server can break conn_info here */
/* proposition S1 */
memset(in, 0, CF_BUFSIZE);
if (ReceiveTransaction(conn->conn_info, in, NULL) == -1)
{
Log(LOG_LEVEL_ERR, "Protocol transaction broken off (1). (ReceiveTransaction: %s)", GetErrorStr());
RSA_free(server_pubkey);
return false;
}
if (BadProtoReply(in))
{
Log(LOG_LEVEL_ERR, "Bad protocol reply: %s", in);
RSA_free(server_pubkey);
return false;
}
/* Get challenge response - should be CF_DEFAULT_DIGEST of challenge */
/* proposition S2 */
memset(in, 0, CF_BUFSIZE);
if (ReceiveTransaction(conn->conn_info, in, NULL) == -1)
{
Log(LOG_LEVEL_ERR, "Protocol transaction broken off (2). (ReceiveTransaction: %s)", GetErrorStr());
RSA_free(server_pubkey);
return false;
}
/* Check if challenge reply was correct */
if ((HashesMatch(digest, in, CF_DEFAULT_DIGEST)) ||
(HashesMatch(digest, in, HASH_METHOD_MD5))) // Legacy
{
if (need_to_implicitly_trust_server == false)
{
/* The IP was found in lastseen. */
Log(LOG_LEVEL_VERBOSE,
".....................[.h.a.i.l.].................................");
Log(LOG_LEVEL_VERBOSE,
"Strong authentication of server '%s' connection confirmed",
conn->this_server);
}
else /* IP was not found in lastseen */
{
if (trust_key)
{
Log(LOG_LEVEL_VERBOSE,
"Trusting server identity, promise to accept key from '%s' = '%s'",
conn->this_server, conn->remoteip);
}
else
{
Log(LOG_LEVEL_ERR,
"Not authorized to trust public key of server '%s' (trustkey = false)",
conn->this_server);
RSA_free(server_pubkey);
return false;
}
}
}
else
{
Log(LOG_LEVEL_ERR, "Challenge response from server '%s/%s' was incorrect", conn->this_server,
conn->remoteip);
RSA_free(server_pubkey);
return false;
}
/* Receive counter challenge from server */
/* proposition S3 */
memset(in, 0, CF_BUFSIZE);
encrypted_len = ReceiveTransaction(conn->conn_info, in, NULL);
if (encrypted_len <= 0)
{
Log(LOG_LEVEL_ERR, "Protocol transaction sent illegal cipher length");
RSA_free(server_pubkey);
return false;
}
decrypted_cchall = xmalloc(encrypted_len);
if (RSA_private_decrypt(encrypted_len, in, decrypted_cchall, PRIVKEY, RSA_PKCS1_PADDING) <= 0)
{
Log(LOG_LEVEL_ERR,
"Private decrypt failed, abandoning. (RSA_private_decrypt: %s)",
CryptoLastErrorString());
RSA_free(server_pubkey);
return false;
}
/* proposition C4 */
if (FIPS_MODE)
{
HashString(decrypted_cchall, nonce_len, digest, CF_DEFAULT_DIGEST);
}
else
{
HashString(decrypted_cchall, nonce_len, digest, HASH_METHOD_MD5);
}
if (FIPS_MODE)
{
SendTransaction(conn->conn_info, digest, CF_DEFAULT_DIGEST_LEN, CF_DONE);
}
else
{
SendTransaction(conn->conn_info, digest, CF_MD5_LEN, CF_DONE);
}
free(decrypted_cchall);
/* If we don't have the server's public key, it will be sent */
if (server_pubkey == NULL)
{
RSA *newkey = RSA_new();
Log(LOG_LEVEL_VERBOSE, "Collecting public key from server!");
/* proposition S4 - conditional */
if ((len = ReceiveTransaction(conn->conn_info, in, NULL)) <= 0)
{
Log(LOG_LEVEL_ERR, "Protocol error in RSA authentation from IP '%s'", conn->this_server);
return false;
}
if ((newkey->n = BN_mpi2bn(in, len, NULL)) == NULL)
{
Log(LOG_LEVEL_ERR,
"Private key decrypt failed. (BN_mpi2bn: %s)",
CryptoLastErrorString());
RSA_free(newkey);
return false;
}
/* proposition S5 - conditional */
if ((len = ReceiveTransaction(conn->conn_info, in, NULL)) <= 0)
{
Log(LOG_LEVEL_INFO, "Protocol error in RSA authentation from IP '%s'",
conn->this_server);
RSA_free(newkey);
return false;
}
if ((newkey->e = BN_mpi2bn(in, len, NULL)) == NULL)
{
Log(LOG_LEVEL_ERR,
"Public key decrypt failed. (BN_mpi2bn: %s)",
CryptoLastErrorString());
RSA_free(newkey);
return false;
}
server_pubkey = RSAPublicKey_dup(newkey);
RSA_free(newkey);
}
assert(server_pubkey != NULL);
/* proposition C5 */
if (!SetSessionKey(conn))
{
Log(LOG_LEVEL_ERR, "Unable to set session key");
return false;
}
if (conn->session_key == NULL)
{
Log(LOG_LEVEL_ERR, "A random session key could not be established");
RSA_free(server_pubkey);
return false;
}
encrypted_len = RSA_size(server_pubkey);
out = xmalloc(encrypted_len);
if (RSA_public_encrypt(session_size, conn->session_key, out, server_pubkey, RSA_PKCS1_PADDING) <= 0)
{
Log(LOG_LEVEL_ERR,
"Public encryption failed. (RSA_public_encrypt: %s)",
CryptoLastErrorString());
free(out);
RSA_free(server_pubkey);
return false;
}
SendTransaction(conn->conn_info, out, encrypted_len, CF_DONE);
Key *key = KeyNew(server_pubkey, CF_DEFAULT_DIGEST);
conn->conn_info->remote_key = key;
Log(LOG_LEVEL_VERBOSE, "Public key identity of host '%s' is: %s",
conn->remoteip, KeyPrintableHash(conn->conn_info->remote_key));
SavePublicKey(conn->username, KeyPrintableHash(conn->conn_info->remote_key), server_pubkey);
unsigned int length = 0;
LastSaw(conn->remoteip, KeyBinaryHash(conn->conn_info->remote_key, &length), LAST_SEEN_ROLE_CONNECT);
free(out);
return true;
}
int make_keys(EVP_PKEY** skey, EVP_PKEY** vkey)
{
int result = -1;
if(!skey || !vkey)
return -1;
if(*skey != NULL) {
EVP_PKEY_free(*skey);
*skey = NULL;
}
if(*vkey != NULL) {
EVP_PKEY_free(*vkey);
*vkey = NULL;
}
RSA* rsa = NULL;
do
{
*skey = EVP_PKEY_new();
assert(*skey != NULL);
if(*skey == NULL) {
printf("EVP_PKEY_new failed (1), error 0x%lx\n", ERR_get_error());
break; /* failed */
}
*vkey = EVP_PKEY_new();
assert(*vkey != NULL);
if(*vkey == NULL) {
printf("EVP_PKEY_new failed (2), error 0x%lx\n", ERR_get_error());
break; /* failed */
}
rsa=readkey("alice.priv",PRIKEY);
//rsa = RSA_generate_key(2048, RSA_F4, NULL, NULL);
// assert(rsa != NULL);
// if(rsa == NULL) {
// printf("RSA_generate_key failed, error 0x%lx\n", ERR_get_error());
// break; /* failed */
//}
/* Set signing key */
int rc = EVP_PKEY_assign_RSA(*skey, RSAPrivateKey_dup(rsa));
assert(rc == 1);
if(rc != 1) {
printf("EVP_PKEY_assign_RSA (1) failed, error 0x%lx\n", ERR_get_error());
break; /* failed */
}
/* Sanity check. Verify private exponent is present */
/* assert(EVP_PKEY_get0_RSA(*skey)->d != NULL); */
/* Set verifier key */
RSA *rsa1=readkey("bob.pub",PUBKEY);
rc = EVP_PKEY_assign_RSA(*vkey, RSAPublicKey_dup(rsa1));
assert(rc == 1);
if(rc != 1) {
printf("EVP_PKEY_assign_RSA (2) failed, error 0x%lx\n", ERR_get_error());
break; /* failed */
}
/* Sanity check. Verify private exponent is missing */
/* assert(EVP_PKEY_get0_RSA(*vkey)->d == NULL); */
result = 0;
} while(0);
if(rsa) {
RSA_free(rsa);
rsa = NULL;
}
return !!result;
}
Certificate *Certificate::create(const string subject, const string issuer, const string validity, const Node::Id_t owner, RSA **privKey, size_t keyLength)
{
Certificate *c = NULL;
RSA *pubKey, *keyPair;
#if HAVE_RSA_GENERATE_KEY_EX
BIGNUM *e;
e = BN_new();
if (!e)
return NULL;
// The exponent is an odd number, typically 3, 17 or 65537.
if (BN_set_word(e, 65537) == 0) {
BN_free(e);
return NULL;
}
keyPair = RSA_new();
if (!keyPair) {
BN_free(e);
return NULL;
}
if (RSA_generate_key_ex(keyPair, keyLength, e, NULL) == -1) {
BN_free(e);
goto out;
}
BN_free(e);
#else
// RSA_generate_key is deprecated, but MacOS X seems to bundle an old version of OpenSSL
// with only the old function.
keyPair = RSA_generate_key(keyLength, RSA_F4, NULL, NULL);
if (!keyPair)
return NULL;
#endif
*privKey = RSAPrivateKey_dup(keyPair);
if (!*privKey)
goto out;
pubKey = RSAPublicKey_dup(keyPair);
if (!pubKey) {
RSA_free(*privKey);
*privKey = NULL;
goto out;
}
c = new Certificate(subject, issuer, validity, owner, pubKey);
RSA_free(pubKey);
if (!c) {
RSA_free(*privKey);
}
out:
RSA_free(keyPair);
return c;
}
int rsa_decrypt (const char *const key_name, int public_key, void *input, int ilen, void **output, int *olen, int log_error_level) {
vkprintf (3, "rsa_decrypt (key_name = %s, ilen = %d)\n", key_name, ilen);
int err = 0, rsa_size = -1;
void *b = NULL;
*output = NULL;
if (ilen < 4) {
vkprintf (log_error_level, "Input too short (ilen = %d).\n", ilen);
return -3;
}
memcpy (&rsa_size, input, 4);
if (ilen < 4 + rsa_size + 32) {
vkprintf (log_error_level, "Input too short (ilen = %d).\n", ilen);
return -3;
}
FILE *f = fopen (key_name, "rb");
if (f == NULL) {
vkprintf (log_error_level, "Couldn't open key file: %s\n", key_name);
return -1;
}
RSA *pubKey = NULL;
if (public_key) {
if (!PEM_read_RSA_PUBKEY (f, &pubKey, NULL, NULL)) {
vkprintf (log_error_level, "PEM_read_RSA_PUBKEY: failed.\n");
err = -2;
goto clean;
}
} else {
RSA *privKey = PEM_read_RSAPrivateKey (f, NULL, NULL, NULL);
if (privKey == NULL) {
vkprintf (log_error_level, "PEM_read_RSA_PUBKEY: failed.\n");
err = -7;
goto clean;
}
pubKey = RSAPublicKey_dup (privKey);
assert (pubKey != NULL);
RSA_free (privKey);
}
assert (pubKey != NULL);
fclose (f);
f = NULL;
vkprintf (3, "rsa_decrypt: read key - ok!\n");
if (rsa_size != RSA_size (pubKey)) {
vkprintf (log_error_level, "Illegal key size = %d.\n", RSA_size (pubKey));
err = -4;
goto clean;
}
b = malloc (rsa_size);
if (b == NULL) {
vkprintf (log_error_level, "malloc (%d) fail. %m\n", rsa_size);
err = -8;
goto clean;
}
if (!RSA_public_decrypt (rsa_size, input + 4, b, pubKey, RSA_PKCS1_PADDING)) {
vkprintf (log_error_level, "RSA_public_decrypt failed.\n");
err = -5;
goto clean;
}
unsigned char key[32], iv[32];
memcpy (key, b, 32);
free (b);
b = NULL;
memcpy (iv, input + 4 + rsa_size, 32);
int aes_cipher_len = ilen - (4 + rsa_size + 32);
void *a = malloc (aes_cipher_len);
if (a == NULL) {
vkprintf (log_error_level, "malloc (%d) fail. %m\n", aes_cipher_len);
err = -9;
goto clean;
}
*output = a;
int p_len = 0;
EVP_CIPHER_CTX e;
EVP_CIPHER_CTX_init (&e);
EVP_DecryptInit_ex (&e, EVP_aes_256_cbc(), NULL, key, iv);
EVP_DecryptUpdate (&e, a, &p_len, input + 4 + rsa_size + 32, aes_cipher_len);
int f_len = 0;
EVP_DecryptFinal_ex (&e, input + 4 + rsa_size + 32 + p_len, &f_len);
vkprintf (3, "p_len = %d, f_len = %d\n", p_len, f_len);
*olen = p_len + f_len;
EVP_CIPHER_CTX_cleanup (&e);
clean:
if (f != NULL) {
fclose (f);
}
if (pubKey) {
RSA_free (pubKey);
}
if (b) {
free (b);
}
return err;
}
/* returns newly allocated RDSSL_RKEY or NULL */
RDSSL_RKEY *
rdssl_cert_to_rkey(RDSSL_CERT * cert, uint32 * key_len)
{
EVP_PKEY *epk = NULL;
RDSSL_RKEY *lkey;
int nid;
#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
int ret;
/* By some reason, Microsoft sets the OID of the Public RSA key to
the oid for "MD5 with RSA Encryption" instead of "RSA Encryption"
Kudos to Richard Levitte for the following (. intiutive .)
lines of code that resets the OID and let's us extract the key. */
X509_PUBKEY *key = NULL;
X509_ALGOR *algor = NULL;
key = X509_get_X509_PUBKEY(cert);
if (key == NULL)
{
error("Failed to get public key from certificate.\n");
return NULL;
}
ret = X509_PUBKEY_get0_param(NULL, NULL, 0, &algor, key);
if (ret != 1)
{
error("Faild to get algorithm used for public key.\n");
return NULL;
}
nid = OBJ_obj2nid(algor->algorithm);
if ((nid == NID_md5WithRSAEncryption) || (nid == NID_shaWithRSAEncryption))
{
DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n"));
X509_PUBKEY_set0_param(key, OBJ_nid2obj(NID_rsaEncryption),
0, NULL, NULL, 0);
}
#else /* OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) */
nid = OBJ_obj2nid(cert->cert_info->key->algor->algorithm);
if ((nid == NID_md5WithRSAEncryption) || (nid == NID_shaWithRSAEncryption))
{
DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n"));
ASN1_OBJECT_free(cert->cert_info->key->algor->algorithm);
cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
}
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 || && defined(LIBRESSL_VERSION_NUMBER) */
epk = X509_get_pubkey(cert);
if (NULL == epk)
{
error("Failed to extract public key from certificate\n");
return NULL;
}
lkey = RSAPublicKey_dup(EVP_PKEY_get1_RSA(epk));
EVP_PKEY_free(epk);
*key_len = RSA_size(lkey);
return lkey;
}
int KeyAuthentication(struct Image *ip)
{ char sendbuffer[CF_EXPANDSIZE],in[CF_BUFSIZE],*out,*decrypted_cchall;
BIGNUM *nonce_challenge, *bn = NULL;
unsigned long err;
unsigned char digest[EVP_MAX_MD_SIZE];
int encrypted_len,nonce_len = 0,len;
char cant_trust_server, keyname[CF_BUFSIZE];
RSA *server_pubkey = NULL;
if (COMPATIBILITY_MODE)
{
return true;
}
if (PUBKEY == NULL || PRIVKEY == NULL)
{
CfLog(cferror,"No public/private key pair found\n","");
return false;
}
/* Generate a random challenge to authenticate the server */
nonce_challenge = BN_new();
BN_rand(nonce_challenge,CF_NONCELEN,0,0);
nonce_len = BN_bn2mpi(nonce_challenge,in);
ChecksumString(in,nonce_len,digest,'m');
/* We assume that the server bound to the remote socket is the official one i.e. = root's */
if (OptionIs(CONTEXTID,"HostnameKeys",true))
{
snprintf(keyname,CF_BUFSIZE,"root-%s",ip->server);
Debug("KeyAuthentication(with hostname key %s)\n",keyname);
}
else
{
snprintf(keyname,CF_BUFSIZE,"root-%s",CONN->remoteip);
Debug("KeyAuthentication(with IP keyname %s)\n",keyname);
}
if (server_pubkey = HavePublicKey(keyname))
{
cant_trust_server = 'y';
/* encrypted_len = BN_num_bytes(server_pubkey->n);*/
encrypted_len = RSA_size(server_pubkey);
}
else
{
cant_trust_server = 'n'; /* have to trust server, since we can't verify id */
encrypted_len = nonce_len;
}
snprintf(sendbuffer,CF_BUFSIZE,"SAUTH %c %d %d",cant_trust_server,encrypted_len,nonce_len);
if ((out = malloc(encrypted_len)) == NULL)
{
FatalError("memory failure");
}
if (server_pubkey != NULL)
{
if (RSA_public_encrypt(nonce_len,in,out,server_pubkey,RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
snprintf(OUTPUT,CF_BUFSIZE,"Public encryption failed = %s\n",ERR_reason_error_string(err));
CfLog(cferror,OUTPUT,"");
free(out);
return false;
}
memcpy(sendbuffer+CF_RSA_PROTO_OFFSET,out,encrypted_len);
}
else
{
memcpy(sendbuffer+CF_RSA_PROTO_OFFSET,in,nonce_len);
}
/* proposition C1 - Send challenge / nonce */
SendTransaction(CONN->sd,sendbuffer,CF_RSA_PROTO_OFFSET+encrypted_len,CF_DONE);
BN_free(bn);
BN_free(nonce_challenge);
free(out);
if (DEBUG||D2)
{
RSA_print_fp(stdout,PUBKEY,0);
}
/*Send the public key - we don't know if server has it */
/* proposition C2 */
memset(sendbuffer,0,CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->n,sendbuffer);
SendTransaction(CONN->sd,sendbuffer,len,CF_DONE); /* No need to encrypt the public key ... */
/* proposition C3 */
memset(sendbuffer,0,CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->e,sendbuffer);
SendTransaction(CONN->sd,sendbuffer,len,CF_DONE);
/* check reply about public key - server can break connection here */
/* proposition S1 */
memset(in,0,CF_BUFSIZE);
if (ReceiveTransaction(CONN->sd,in,NULL) == -1)
{
CfLog(cferror,"Protocol transaction broken off",NULL);
return false;
}
if (BadProtoReply(in))
{
CfLog(cferror,in,"");
return false;
}
/* Get challenge response - should be md5 of challenge */
/* proposition S2 */
memset(in,0,CF_BUFSIZE);
if (ReceiveTransaction(CONN->sd,in,NULL) == -1)
{
CfLog(cferror,"Protocol transaction broken off",NULL);
return false;
}
if (!ChecksumsMatch(digest,in,'m'))
{
snprintf(OUTPUT,CF_BUFSIZE,"Challenge response from server %s/%s was incorrect!",ip->server,CONN->remoteip);
CfLog(cferror,OUTPUT,"");
return false;
}
else
{
char server[CF_EXPANDSIZE];
ExpandVarstring(ip->server,server,NULL);
if (cant_trust_server == 'y') /* challenge reply was correct */
{
Verbose("\n...............................................................\n");
snprintf(OUTPUT,CF_BUFSIZE,"Strong authentication of server=%s connection confirmed\n",server);
CfLog(cfverbose,OUTPUT,"");
}
else
{
if (ip->trustkey == 'y')
{
snprintf(OUTPUT,CF_BUFSIZE,"Trusting server identity and willing to accept key from %s=%s",server,CONN->remoteip);
CfLog(cferror,OUTPUT,"");
}
else
{
snprintf(OUTPUT,CF_BUFSIZE,"Not authorized to trust the server=%s's public key (trustkey=false)\n",server);
CfLog(cferror,OUTPUT,"");
return false;
}
}
}
/* Receive counter challenge from server */
Debug("Receive counter challenge from server\n");
/* proposition S3 */
memset(in,0,CF_BUFSIZE);
encrypted_len = ReceiveTransaction(CONN->sd,in,NULL);
if (encrypted_len < 0)
{
CfLog(cferror,"Protocol transaction sent illegal cipher length",NULL);
return false;
}
if ((decrypted_cchall = malloc(encrypted_len)) == NULL)
{
FatalError("memory failure");
}
if (RSA_private_decrypt(encrypted_len,in,decrypted_cchall,PRIVKEY,RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
snprintf(OUTPUT,CF_BUFSIZE,"Private decrypt failed = %s, abandoning\n",ERR_reason_error_string(err));
CfLog(cferror,OUTPUT,"");
return false;
}
/* proposition C4 */
ChecksumString(decrypted_cchall,nonce_len,digest,'m');
Debug("Replying to counter challenge with md5\n");
SendTransaction(CONN->sd,digest,16,CF_DONE);
free(decrypted_cchall);
/* If we don't have the server's public key, it will be sent */
if (server_pubkey == NULL)
{
RSA *newkey = RSA_new();
Debug("Collecting public key from server!\n");
/* proposition S4 - conditional */
if ((len = ReceiveTransaction(CONN->sd,in,NULL)) <= 0)
{
CfLog(cferror,"Protocol error in RSA authentation from IP %s\n",ip->server);
return false;
}
if ((newkey->n = BN_mpi2bn(in,len,NULL)) == NULL)
{
err = ERR_get_error();
snprintf(OUTPUT,CF_BUFSIZE,"Private decrypt failed = %s\n",ERR_reason_error_string(err));
CfLog(cferror,OUTPUT,"");
RSA_free(newkey);
return false;
}
/* proposition S5 - conditional */
if ((len=ReceiveTransaction(CONN->sd,in,NULL)) == 0)
{
CfLog(cfinform,"Protocol error in RSA authentation from IP %s\n",ip->server);
RSA_free(newkey);
return false;
}
if ((newkey->e = BN_mpi2bn(in,len,NULL)) == NULL)
{
err = ERR_get_error();
snprintf(OUTPUT,CF_BUFSIZE,"Private decrypt failed = %s\n",ERR_reason_error_string(err));
CfLog(cferror,OUTPUT,"");
RSA_free(newkey);
return false;
}
SavePublicKey(keyname,newkey);
server_pubkey = RSAPublicKey_dup(newkey);
RSA_free(newkey);
}
/* proposition C5 */
GenerateRandomSessionKey();
DebugBinOut(CONN->session_key,CF_BLOWFISHSIZE);
if (CONN->session_key == NULL)
{
CfLog(cferror,"A random session key could not be established","");
return false;
}
else
{
Debug("Generated session key\n");
DebugBinOut(CONN->session_key,CF_BLOWFISHSIZE);
}
/* blowfishmpisize = BN_bn2mpi((BIGNUM *)CONN->session_key,in); */
DebugBinOut(CONN->session_key,CF_BLOWFISHSIZE);
encrypted_len = RSA_size(server_pubkey);
Debug("Encrypt %d to %d\n",CF_BLOWFISHSIZE,encrypted_len);
if ((out = malloc(encrypted_len)) == NULL)
{
FatalError("memory failure");
}
if (RSA_public_encrypt(CF_BLOWFISHSIZE,CONN->session_key,out,server_pubkey,RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
snprintf(OUTPUT,CF_BUFSIZE,"Public encryption failed = %s\n",ERR_reason_error_string(err));
CfLog(cferror,OUTPUT,"");
free(out);
return false;
}
Debug("Encryption succeeded\n");
SendTransaction(CONN->sd,out,encrypted_len,CF_DONE);
DebugBinOut(out,encrypted_len);
if (server_pubkey != NULL)
{
RSA_free(server_pubkey);
}
free(out);
return true;
}
int AuthenticateAgent(AgentConnection *conn, bool trust_key)
{
char sendbuffer[CF_EXPANDSIZE], in[CF_BUFSIZE], *out, *decrypted_cchall;
BIGNUM *nonce_challenge, *bn = NULL;
unsigned long err;
unsigned char digest[EVP_MAX_MD_SIZE];
int encrypted_len, nonce_len = 0, len, session_size;
bool implicitly_trust_server;
char enterprise_field = 'c';
RSA *server_pubkey = NULL;
if ((PUBKEY == NULL) || (PRIVKEY == NULL))
{
Log(LOG_LEVEL_ERR, "No public/private key pair found at %s", PublicKeyFile(GetWorkDir()));
return false;
}
enterprise_field = CfEnterpriseOptions();
session_size = CfSessionKeySize(enterprise_field);
/* Generate a random challenge to authenticate the server */
nonce_challenge = BN_new();
if (nonce_challenge == NULL)
{
Log(LOG_LEVEL_ERR, "Cannot allocate BIGNUM structure for server challenge");
return false;
}
BN_rand(nonce_challenge, CF_NONCELEN, 0, 0);
nonce_len = BN_bn2mpi(nonce_challenge, in);
if (FIPS_MODE)
{
HashString(in, nonce_len, digest, CF_DEFAULT_DIGEST);
}
else
{
HashString(in, nonce_len, digest, HASH_METHOD_MD5);
}
/* We assume that the server bound to the remote socket is the official one i.e. = root's */
if ((server_pubkey = HavePublicKeyByIP(conn->username, conn->remoteip)))
{
implicitly_trust_server = false;
encrypted_len = RSA_size(server_pubkey);
}
else
{
implicitly_trust_server = true;
encrypted_len = nonce_len;
}
// Server pubkey is what we want to has as a unique ID
snprintf(sendbuffer, sizeof(sendbuffer), "SAUTH %c %d %d %c", implicitly_trust_server ? 'n': 'y', encrypted_len,
nonce_len, enterprise_field);
out = xmalloc(encrypted_len);
if (server_pubkey != NULL)
{
if (RSA_public_encrypt(nonce_len, in, out, server_pubkey, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Public encryption failed = %s", ERR_reason_error_string(err));
free(out);
RSA_free(server_pubkey);
return false;
}
memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, out, encrypted_len);
}
else
{
memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, in, nonce_len);
}
/* proposition C1 - Send challenge / nonce */
SendTransaction(conn->sd, sendbuffer, CF_RSA_PROTO_OFFSET + encrypted_len, CF_DONE);
BN_free(bn);
BN_free(nonce_challenge);
free(out);
if (DEBUG)
{
RSA_print_fp(stdout, PUBKEY, 0);
}
/*Send the public key - we don't know if server has it */
/* proposition C2 */
memset(sendbuffer, 0, CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->n, sendbuffer);
SendTransaction(conn->sd, sendbuffer, len, CF_DONE); /* No need to encrypt the public key ... */
/* proposition C3 */
memset(sendbuffer, 0, CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->e, sendbuffer);
SendTransaction(conn->sd, sendbuffer, len, CF_DONE);
/* check reply about public key - server can break connection here */
/* proposition S1 */
memset(in, 0, CF_BUFSIZE);
if (ReceiveTransaction(conn->sd, in, NULL) == -1)
{
Log(LOG_LEVEL_ERR, "Protocol transaction broken off (1): %s", GetErrorStr());
RSA_free(server_pubkey);
return false;
}
if (BadProtoReply(in))
{
Log(LOG_LEVEL_ERR, "%s", in);
RSA_free(server_pubkey);
return false;
}
/* Get challenge response - should be CF_DEFAULT_DIGEST of challenge */
/* proposition S2 */
memset(in, 0, CF_BUFSIZE);
if (ReceiveTransaction(conn->sd, in, NULL) == -1)
{
Log(LOG_LEVEL_ERR, "Protocol transaction broken off (2): %s", GetErrorStr());
RSA_free(server_pubkey);
return false;
}
if ((HashesMatch(digest, in, CF_DEFAULT_DIGEST)) || (HashesMatch(digest, in, HASH_METHOD_MD5))) // Legacy
{
if (implicitly_trust_server == false) /* challenge reply was correct */
{
Log(LOG_LEVEL_VERBOSE, ".....................[.h.a.i.l.].................................");
Log(LOG_LEVEL_VERBOSE, "Strong authentication of server=%s connection confirmed", conn->this_server);
}
else
{
if (trust_key)
{
Log(LOG_LEVEL_VERBOSE, " -> Trusting server identity, promise to accept key from %s=%s", conn->this_server,
conn->remoteip);
}
else
{
Log(LOG_LEVEL_ERR, " !! Not authorized to trust the server=%s's public key (trustkey=false)",
conn->this_server);
RSA_free(server_pubkey);
return false;
}
}
}
else
{
Log(LOG_LEVEL_ERR, "Challenge response from server %s/%s was incorrect!", conn->this_server,
conn->remoteip);
RSA_free(server_pubkey);
return false;
}
/* Receive counter challenge from server */
/* proposition S3 */
memset(in, 0, CF_BUFSIZE);
encrypted_len = ReceiveTransaction(conn->sd, in, NULL);
if (encrypted_len <= 0)
{
Log(LOG_LEVEL_ERR, "Protocol transaction sent illegal cipher length");
RSA_free(server_pubkey);
return false;
}
decrypted_cchall = xmalloc(encrypted_len);
if (RSA_private_decrypt(encrypted_len, in, decrypted_cchall, PRIVKEY, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Private decrypt failed = %s, abandoning",
ERR_reason_error_string(err));
RSA_free(server_pubkey);
return false;
}
/* proposition C4 */
if (FIPS_MODE)
{
HashString(decrypted_cchall, nonce_len, digest, CF_DEFAULT_DIGEST);
}
else
{
HashString(decrypted_cchall, nonce_len, digest, HASH_METHOD_MD5);
}
if (FIPS_MODE)
{
SendTransaction(conn->sd, digest, CF_DEFAULT_DIGEST_LEN, CF_DONE);
}
else
{
SendTransaction(conn->sd, digest, CF_MD5_LEN, CF_DONE);
}
free(decrypted_cchall);
/* If we don't have the server's public key, it will be sent */
if (server_pubkey == NULL)
{
RSA *newkey = RSA_new();
Log(LOG_LEVEL_VERBOSE, " -> Collecting public key from server!");
/* proposition S4 - conditional */
if ((len = ReceiveTransaction(conn->sd, in, NULL)) <= 0)
{
Log(LOG_LEVEL_ERR, "Protocol error in RSA authentation from IP %s", conn->this_server);
return false;
}
if ((newkey->n = BN_mpi2bn(in, len, NULL)) == NULL)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Private key decrypt failed = %s", ERR_reason_error_string(err));
RSA_free(newkey);
return false;
}
/* proposition S5 - conditional */
if ((len = ReceiveTransaction(conn->sd, in, NULL)) <= 0)
{
Log(LOG_LEVEL_INFO, "Protocol error in RSA authentation from IP %s",
conn->this_server);
RSA_free(newkey);
return false;
}
if ((newkey->e = BN_mpi2bn(in, len, NULL)) == NULL)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Public key decrypt failed = %s", ERR_reason_error_string(err));
RSA_free(newkey);
return false;
}
server_pubkey = RSAPublicKey_dup(newkey);
RSA_free(newkey);
}
/* proposition C5 */
if (!SetSessionKey(conn))
{
Log(LOG_LEVEL_ERR, "Unable to set session key");
return false;
}
if (conn->session_key == NULL)
{
Log(LOG_LEVEL_ERR, "A random session key could not be established");
RSA_free(server_pubkey);
return false;
}
encrypted_len = RSA_size(server_pubkey);
out = xmalloc(encrypted_len);
if (RSA_public_encrypt(session_size, conn->session_key, out, server_pubkey, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Public encryption failed = %s", ERR_reason_error_string(err));
free(out);
RSA_free(server_pubkey);
return false;
}
SendTransaction(conn->sd, out, encrypted_len, CF_DONE);
if (server_pubkey != NULL)
{
char buffer[EVP_MAX_MD_SIZE * 4];
HashPubKey(server_pubkey, conn->digest, CF_DEFAULT_DIGEST);
Log(LOG_LEVEL_VERBOSE, " -> Public key identity of host \"%s\" is \"%s\"", conn->remoteip,
HashPrintSafe(CF_DEFAULT_DIGEST, conn->digest, buffer));
SavePublicKey(conn->username, conn->remoteip, buffer, server_pubkey); // FIXME: username is local
LastSaw(conn->remoteip, conn->digest, LAST_SEEN_ROLE_CONNECT);
}
free(out);
RSA_free(server_pubkey);
return true;
}
