diff options
author | LogicParrot <LogicParrot@users.noreply.github.com> | 2016-02-05 22:45:45 +0100 |
---|---|---|
committer | LogicParrot <LogicParrot@users.noreply.github.com> | 2016-02-05 22:50:18 +0100 |
commit | ca6ef58b1ee8521e4b940ee4883dee714960e413 (patch) | |
tree | 8532add455224b07c07a759e3d906f50c0695888 /src/PolarSSL++ | |
parent | Merge pull request #2972 from marvinkopf/PlayerAutoComplete (diff) | |
download | cuberite-ca6ef58b1ee8521e4b940ee4883dee714960e413.tar cuberite-ca6ef58b1ee8521e4b940ee4883dee714960e413.tar.gz cuberite-ca6ef58b1ee8521e4b940ee4883dee714960e413.tar.bz2 cuberite-ca6ef58b1ee8521e4b940ee4883dee714960e413.tar.lz cuberite-ca6ef58b1ee8521e4b940ee4883dee714960e413.tar.xz cuberite-ca6ef58b1ee8521e4b940ee4883dee714960e413.tar.zst cuberite-ca6ef58b1ee8521e4b940ee4883dee714960e413.zip |
Diffstat (limited to 'src/PolarSSL++')
-rw-r--r-- | src/PolarSSL++/AesCfb128Decryptor.cpp | 4 | ||||
-rw-r--r-- | src/PolarSSL++/AesCfb128Decryptor.h | 16 | ||||
-rw-r--r-- | src/PolarSSL++/AesCfb128Encryptor.cpp | 4 | ||||
-rw-r--r-- | src/PolarSSL++/AesCfb128Encryptor.h | 14 | ||||
-rw-r--r-- | src/PolarSSL++/BlockingSslClientSocket.cpp | 18 | ||||
-rw-r--r-- | src/PolarSSL++/BlockingSslClientSocket.h | 28 | ||||
-rw-r--r-- | src/PolarSSL++/BufferedSslContext.h | 12 | ||||
-rw-r--r-- | src/PolarSSL++/CallbackSslContext.h | 12 | ||||
-rw-r--r-- | src/PolarSSL++/CryptoKey.cpp | 8 | ||||
-rw-r--r-- | src/PolarSSL++/CryptoKey.h | 22 | ||||
-rw-r--r-- | src/PolarSSL++/CtrDrbgContext.cpp | 2 | ||||
-rw-r--r-- | src/PolarSSL++/CtrDrbgContext.h | 12 | ||||
-rw-r--r-- | src/PolarSSL++/EntropyContext.h | 2 | ||||
-rw-r--r-- | src/PolarSSL++/RsaPrivateKey.cpp | 8 | ||||
-rw-r--r-- | src/PolarSSL++/RsaPrivateKey.h | 20 | ||||
-rw-r--r-- | src/PolarSSL++/Sha1Checksum.cpp | 6 | ||||
-rw-r--r-- | src/PolarSSL++/Sha1Checksum.h | 16 | ||||
-rw-r--r-- | src/PolarSSL++/SslContext.cpp | 36 | ||||
-rw-r--r-- | src/PolarSSL++/SslContext.h | 52 | ||||
-rw-r--r-- | src/PolarSSL++/X509Cert.h | 6 |
20 files changed, 149 insertions, 149 deletions
diff --git a/src/PolarSSL++/AesCfb128Decryptor.cpp b/src/PolarSSL++/AesCfb128Decryptor.cpp index af0d5106e..0aba1c42c 100644 --- a/src/PolarSSL++/AesCfb128Decryptor.cpp +++ b/src/PolarSSL++/AesCfb128Decryptor.cpp @@ -33,7 +33,7 @@ cAesCfb128Decryptor::~cAesCfb128Decryptor() void cAesCfb128Decryptor::Init(const Byte a_Key[16], const Byte a_IV[16]) { ASSERT(!IsValid()); // Cannot Init twice - + memcpy(m_IV, a_IV, 16); aes_setkey_enc(&m_Aes, a_Key, 128); m_IsValid = true; @@ -46,7 +46,7 @@ void cAesCfb128Decryptor::Init(const Byte a_Key[16], const Byte a_IV[16]) void cAesCfb128Decryptor::ProcessData(Byte * a_DecryptedOut, const Byte * a_EncryptedIn, size_t a_Length) { ASSERT(IsValid()); // Must Init() first - + // PolarSSL doesn't support AES-CFB8, need to implement it manually: for (size_t i = 0; i < a_Length; i++) { diff --git a/src/PolarSSL++/AesCfb128Decryptor.h b/src/PolarSSL++/AesCfb128Decryptor.h index 84c790b83..56b96d3b3 100644 --- a/src/PolarSSL++/AesCfb128Decryptor.h +++ b/src/PolarSSL++/AesCfb128Decryptor.h @@ -19,28 +19,28 @@ class cAesCfb128Decryptor { public: - + cAesCfb128Decryptor(void); ~cAesCfb128Decryptor(); - + /** Initializes the decryptor with the specified Key / IV */ void Init(const Byte a_Key[16], const Byte a_IV[16]); - + /** Decrypts a_Length bytes of the encrypted data; produces a_Length output bytes */ void ProcessData(Byte * a_DecryptedOut, const Byte * a_EncryptedIn, size_t a_Length); - + /** Returns true if the object has been initialized with the Key / IV */ bool IsValid(void) const { return m_IsValid; } - + protected: aes_context m_Aes; - + /** The InitialVector, used by the CFB mode decryption */ Byte m_IV[16]; - + /** Current offset in the m_IV, used by the CFB mode decryption */ size_t m_IVOffset; - + /** Indicates whether the object has been initialized with the Key / IV */ bool m_IsValid; } ; diff --git a/src/PolarSSL++/AesCfb128Encryptor.cpp b/src/PolarSSL++/AesCfb128Encryptor.cpp index a641ad48e..ac0262e69 100644 --- a/src/PolarSSL++/AesCfb128Encryptor.cpp +++ b/src/PolarSSL++/AesCfb128Encryptor.cpp @@ -34,7 +34,7 @@ void cAesCfb128Encryptor::Init(const Byte a_Key[16], const Byte a_IV[16]) { ASSERT(!IsValid()); // Cannot Init twice ASSERT(m_IVOffset == 0); - + memcpy(m_IV, a_IV, 16); aes_setkey_enc(&m_Aes, a_Key, 128); m_IsValid = true; @@ -47,7 +47,7 @@ void cAesCfb128Encryptor::Init(const Byte a_Key[16], const Byte a_IV[16]) void cAesCfb128Encryptor::ProcessData(Byte * a_EncryptedOut, const Byte * a_PlainIn, size_t a_Length) { ASSERT(IsValid()); // Must Init() first - + // PolarSSL doesn't do AES-CFB8, so we need to implement it ourselves: for (size_t i = 0; i < a_Length; i++) { diff --git a/src/PolarSSL++/AesCfb128Encryptor.h b/src/PolarSSL++/AesCfb128Encryptor.h index 9dbb5d2c3..71280a098 100644 --- a/src/PolarSSL++/AesCfb128Encryptor.h +++ b/src/PolarSSL++/AesCfb128Encryptor.h @@ -21,25 +21,25 @@ class cAesCfb128Encryptor public: cAesCfb128Encryptor(void); ~cAesCfb128Encryptor(); - + /** Initializes the decryptor with the specified Key / IV */ void Init(const Byte a_Key[16], const Byte a_IV[16]); - + /** Encrypts a_Length bytes of the plain data; produces a_Length output bytes */ void ProcessData(Byte * a_EncryptedOut, const Byte * a_PlainIn, size_t a_Length); - + /** Returns true if the object has been initialized with the Key / IV */ bool IsValid(void) const { return m_IsValid; } - + protected: aes_context m_Aes; - + /** The InitialVector, used by the CFB mode encryption */ Byte m_IV[16]; - + /** Current offset in the m_IV, used by the CFB mode encryption */ size_t m_IVOffset; - + /** Indicates whether the object has been initialized with the Key / IV */ bool m_IsValid; } ; diff --git a/src/PolarSSL++/BlockingSslClientSocket.cpp b/src/PolarSSL++/BlockingSslClientSocket.cpp index 61aee211d..7d7fc4ccf 100644 --- a/src/PolarSSL++/BlockingSslClientSocket.cpp +++ b/src/PolarSSL++/BlockingSslClientSocket.cpp @@ -106,7 +106,7 @@ bool cBlockingSslClientSocket::Connect(const AString & a_ServerName, UInt16 a_Po m_LastErrorText = "Already connected"; return false; } - + // Connect the underlying socket: m_ServerName = a_ServerName; if (!cNetwork::Connect(a_ServerName, a_Port, @@ -123,7 +123,7 @@ bool cBlockingSslClientSocket::Connect(const AString & a_ServerName, UInt16 a_Po { return false; } - + // Initialize the SSL: int ret = m_Ssl.Initialize(true); if (ret != 0) @@ -131,20 +131,20 @@ bool cBlockingSslClientSocket::Connect(const AString & a_ServerName, UInt16 a_Po Printf(m_LastErrorText, "SSL initialization failed: -0x%x", -ret); return false; } - + // If we have been assigned a trusted CA root cert store, push it into the SSL context: if (m_CACerts.get() != nullptr) { m_Ssl.SetCACerts(m_CACerts, m_ExpectedPeerName); } - + ret = m_Ssl.Handshake(); if (ret != 0) { Printf(m_LastErrorText, "SSL handshake failed: -0x%x", -ret); return false; } - + return true; } @@ -163,7 +163,7 @@ bool cBlockingSslClientSocket::SetTrustedRootCertsFromString(const AString & a_C a_ExpectedPeerName.c_str() ); } - + // Parse the cert: m_CACerts.reset(new cX509Cert); int ret = m_CACerts->Parse(a_CACerts.data(), a_CACerts.size()); @@ -173,7 +173,7 @@ bool cBlockingSslClientSocket::SetTrustedRootCertsFromString(const AString & a_C return false; } m_ExpectedPeerName = a_ExpectedPeerName; - + return true; } @@ -188,7 +188,7 @@ bool cBlockingSslClientSocket::Send(const void * a_Data, size_t a_NumBytes) m_LastErrorText = "Socket is closed"; return false; } - + // Keep sending the data until all of it is sent: const char * Data = reinterpret_cast<const char *>(a_Data); size_t NumBytes = a_NumBytes; @@ -241,7 +241,7 @@ void cBlockingSslClientSocket::Disconnect(void) { return; } - + m_Ssl.NotifyClose(); m_IsConnected = false; diff --git a/src/PolarSSL++/BlockingSslClientSocket.h b/src/PolarSSL++/BlockingSslClientSocket.h index 3c61f7f89..bc7cbe039 100644 --- a/src/PolarSSL++/BlockingSslClientSocket.h +++ b/src/PolarSSL++/BlockingSslClientSocket.h @@ -27,60 +27,60 @@ public: { Disconnect(); } - + /** Connects to the specified server and performs SSL handshake. Returns true if successful, false on failure. Sets internal error text on failure. */ bool Connect(const AString & a_ServerName, UInt16 a_Port); - + /** Sends the specified data over the connection. Returns true if successful, false on failure. Sets the internal error text on failure. */ bool Send(const void * a_Data, size_t a_NumBytes); - + /** Receives data from the connection. Blocks until there is any data available, then returns as much as possible. Returns the number of bytes actually received, negative number on failure. Sets the internal error text on failure. */ int Receive(void * a_Data, size_t a_MaxBytes); - + /** Disconnects the connection gracefully, if possible. Note that this also frees the internal SSL context, so all the certificates etc. are lost. */ void Disconnect(void); - + /** Sets the root certificates that are to be trusted. Forces the connection to use strict cert verification. Needs to be used before calling Connect(). a_ExpectedPeerName is the name that we expect to receive in the SSL peer's cert; verification will fail if the presented name is different (possible MITM). Returns true on success, false on failure. Sets internal error text on failure. */ bool SetTrustedRootCertsFromString(const AString & a_CACerts, const AString & a_ExpectedPeerName); - + /** Returns the text of the last error that has occurred in this instance. */ const AString & GetLastErrorText(void) const { return m_LastErrorText; } - + protected: friend class cBlockingSslClientSocketConnectCallbacks; friend class cBlockingSslClientSocketLinkCallbacks; /** The SSL context used for the socket */ cCallbackSslContext m_Ssl; - + /** The underlying socket to the SSL server */ cTCPLinkPtr m_Socket; /** The object used to signal state changes in the socket (the cause of the blocking). */ cEvent m_Event; - + /** The trusted CA root cert store, if we are to verify the cert strictly. Set by SetTrustedRootCertsFromString(). */ cX509CertPtr m_CACerts; - + /** The expected SSL peer's name, if we are to verify the cert strictly. Set by SetTrustedRootCertsFromString(). */ AString m_ExpectedPeerName; /** The hostname to which the socket is connecting (stored for error reporting). */ AString m_ServerName; - + /** Text of the last error that has occurred. */ AString m_LastErrorText; - + /** Set to true if the connection established successfully. */ std::atomic<bool> m_IsConnected; @@ -90,8 +90,8 @@ protected: /** Buffer for the data incoming on the network socket. Protected by m_CSIncomingData. */ AString m_IncomingData; - - + + /** Called when the connection is established successfully. */ void OnConnected(void); diff --git a/src/PolarSSL++/BufferedSslContext.h b/src/PolarSSL++/BufferedSslContext.h index 1b7e1af46..ab058a52e 100644 --- a/src/PolarSSL++/BufferedSslContext.h +++ b/src/PolarSSL++/BufferedSslContext.h @@ -19,28 +19,28 @@ class cBufferedSslContext : public cSslContext { typedef cSslContext super; - + public: /** Creates a new context with the buffers of specified size for the encrypted / decrypted data. */ cBufferedSslContext(size_t a_BufferSize = 64000); - + /** Stores the specified data in the "incoming" buffer, to be process by the SSL decryptor. This is the data received from the SSL peer. Returns the number of bytes actually stored. If 0 is returned, owner should check the error state. */ size_t WriteIncoming(const void * a_Data, size_t a_NumBytes); - + /** Retrieves data from the "outgoing" buffer, after being processed by the SSL encryptor. This is the data to be sent to the SSL peer. Returns the number of bytes actually retrieved. */ size_t ReadOutgoing(void * a_Data, size_t a_DataMaxSize); - + protected: /** Buffer for the data that has been encrypted into the SSL stream and should be sent out. */ cByteBuffer m_OutgoingData; - + /** Buffer for the data that has come in and needs to be decrypted from the SSL stream. */ cByteBuffer m_IncomingData; - + // cSslContext overrides: virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) override; diff --git a/src/PolarSSL++/CallbackSslContext.h b/src/PolarSSL++/CallbackSslContext.h index 3e6edc5f4..1fc131182 100644 --- a/src/PolarSSL++/CallbackSslContext.h +++ b/src/PolarSSL++/CallbackSslContext.h @@ -25,7 +25,7 @@ public: public: // Force a virtual destructor in descendants: virtual ~cDataCallbacks() {} - + /** Called when PolarSSL wants to read encrypted data from the SSL peer. The returned value is the number of bytes received, or a PolarSSL error on failure. The implementation can return POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE to indicate @@ -33,7 +33,7 @@ public: SSL operation that invoked this call will terminate with the same return value, so that the owner is notified of this condition and can potentially restart the operation later on. */ virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) = 0; - + /** Called when PolarSSL wants to write encrypted data to the SSL peer. The returned value is the number of bytes sent, or a PolarSSL error on failure. The implementation can return POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE to indicate @@ -42,14 +42,14 @@ public: notified of this condition and can potentially restart the operation later on. */ virtual int SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) = 0; } ; - - + + /** Creates a new SSL context with no callbacks assigned */ cCallbackSslContext(void); - + /** Creates a new SSL context with the specified callbacks */ cCallbackSslContext(cDataCallbacks & a_Callbacks); - + protected: /** The callbacks to use to send and receive SSL peer data */ cDataCallbacks * m_Callbacks; diff --git a/src/PolarSSL++/CryptoKey.cpp b/src/PolarSSL++/CryptoKey.cpp index cc4eefdfe..b01fee5f9 100644 --- a/src/PolarSSL++/CryptoKey.cpp +++ b/src/PolarSSL++/CryptoKey.cpp @@ -66,7 +66,7 @@ cCryptoKey::~cCryptoKey() int cCryptoKey::Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength) { ASSERT(IsValid()); - + size_t DecryptedLen = a_DecryptedMaxLength; int res = pk_decrypt(&m_Pk, a_EncryptedData, a_EncryptedLength, @@ -87,7 +87,7 @@ int cCryptoKey::Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, int cCryptoKey::Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength) { ASSERT(IsValid()); - + size_t EncryptedLength = a_EncryptedMaxLength; int res = pk_encrypt(&m_Pk, a_PlainData, a_PlainLength, a_EncryptedData, &EncryptedLength, a_EncryptedMaxLength, @@ -108,7 +108,7 @@ int cCryptoKey::Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a int cCryptoKey::ParsePublic(const void * a_Data, size_t a_NumBytes) { ASSERT(!IsValid()); // Cannot parse a second key - + return pk_parse_public_key(&m_Pk, reinterpret_cast<const unsigned char *>(a_Data), a_NumBytes); } @@ -120,7 +120,7 @@ int cCryptoKey::ParsePublic(const void * a_Data, size_t a_NumBytes) int cCryptoKey::ParsePrivate(const void * a_Data, size_t a_NumBytes, const AString & a_Password) { ASSERT(!IsValid()); // Cannot parse a second key - + if (a_Password.empty()) { return pk_parse_key(&m_Pk, reinterpret_cast<const unsigned char *>(a_Data), a_NumBytes, nullptr, 0); diff --git a/src/PolarSSL++/CryptoKey.h b/src/PolarSSL++/CryptoKey.h index 9c298e501..fc8034d16 100644 --- a/src/PolarSSL++/CryptoKey.h +++ b/src/PolarSSL++/CryptoKey.h @@ -19,30 +19,30 @@ class cCryptoKey { friend class cSslContext; - + public: /** Constructs an empty key instance. Before use, it needs to be filled by ParsePublic() or ParsePrivate() */ cCryptoKey(void); - + /** Constructs the public key out of the DER- or PEM-encoded pubkey data */ cCryptoKey(const AString & a_PublicKeyData); - + /** Constructs the private key out of the DER- or PEM-encoded privkey data, with the specified password. If a_Password is empty, no password is assumed. */ cCryptoKey(const AString & a_PrivateKeyData, const AString & a_Password); - + ~cCryptoKey(); - + /** Decrypts the data using the stored public key Both a_EncryptedData and a_DecryptedData must be at least <KeySizeBytes> bytes large. Returns the number of bytes decrypted, or negative number for error. */ int Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength); - + /** Encrypts the data using the stored public key Both a_EncryptedData and a_DecryptedData must be at least <KeySizeBytes> bytes large. Returns the number of bytes decrypted, or negative number for error. */ int Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength); - + /** Parses the specified data into a public key representation. The key can be DER- or PEM-encoded. Returns 0 on success, PolarSSL error code on failure. */ @@ -53,18 +53,18 @@ public: The key can be DER- or PEM-encoded. Returns 0 on success, PolarSSL error code on failure. */ int ParsePrivate(const void * a_Data, size_t a_NumBytes, const AString & a_Password); - + /** Returns true if the contained key is valid. */ bool IsValid(void) const; protected: /** The PolarSSL representation of the key data */ pk_context m_Pk; - + /** The random generator used in encryption and decryption */ cCtrDrbgContext m_CtrDrbg; - - + + /** Returns the internal context ptr. Only use in PolarSSL API calls. */ pk_context * GetInternal(void) { return &m_Pk; } } ; diff --git a/src/PolarSSL++/CtrDrbgContext.cpp b/src/PolarSSL++/CtrDrbgContext.cpp index 25c2987b1..daacc70cc 100644 --- a/src/PolarSSL++/CtrDrbgContext.cpp +++ b/src/PolarSSL++/CtrDrbgContext.cpp @@ -38,7 +38,7 @@ int cCtrDrbgContext::Initialize(const void * a_Custom, size_t a_CustomSize) // Already initialized return 0; } - + int res = ctr_drbg_init(&m_CtrDrbg, entropy_func, &(m_EntropyContext->m_Entropy), reinterpret_cast<const unsigned char *>(a_Custom), a_CustomSize); m_IsValid = (res == 0); return res; diff --git a/src/PolarSSL++/CtrDrbgContext.h b/src/PolarSSL++/CtrDrbgContext.h index 230db8753..16b4a44b0 100644 --- a/src/PolarSSL++/CtrDrbgContext.h +++ b/src/PolarSSL++/CtrDrbgContext.h @@ -27,29 +27,29 @@ class cCtrDrbgContext friend class cSslContext; friend class cRsaPrivateKey; friend class cCryptoKey; - + public: /** Constructs the context with a new entropy context. */ cCtrDrbgContext(void); - + /** Constructs the context with the specified entropy context. */ cCtrDrbgContext(const SharedPtr<cEntropyContext> & a_EntropyContext); - + /** Initializes the context. a_Custom is optional additional data to use for entropy, nullptr is accepted. Returns 0 if successful, PolarSSL error code on failure. */ int Initialize(const void * a_Custom, size_t a_CustomSize); - + /** Returns true if the object is valid (has been initialized properly) */ bool IsValid(void) const { return m_IsValid; } - + protected: /** The entropy source used for generating the random */ SharedPtr<cEntropyContext> m_EntropyContext; /** The random generator context */ ctr_drbg_context m_CtrDrbg; - + /** Set to true if the object is valid (has been initialized properly) */ bool m_IsValid; diff --git a/src/PolarSSL++/EntropyContext.h b/src/PolarSSL++/EntropyContext.h index bc7fff066..69671d32f 100644 --- a/src/PolarSSL++/EntropyContext.h +++ b/src/PolarSSL++/EntropyContext.h @@ -21,7 +21,7 @@ class cEntropyContext public: cEntropyContext(void); ~cEntropyContext(); - + protected: entropy_context m_Entropy; } ; diff --git a/src/PolarSSL++/RsaPrivateKey.cpp b/src/PolarSSL++/RsaPrivateKey.cpp index ed94923c2..17cede05f 100644 --- a/src/PolarSSL++/RsaPrivateKey.cpp +++ b/src/PolarSSL++/RsaPrivateKey.cpp @@ -78,7 +78,7 @@ AString cRsaPrivateKey::GetPubKeyDER(void) } m_IsValid = true; } - + ~cPubKey() { if (m_IsValid) @@ -86,14 +86,14 @@ AString cRsaPrivateKey::GetPubKeyDER(void) pk_free(&m_Key); } } - + operator pk_context * (void) { return &m_Key; } - + protected: bool m_IsValid; pk_context m_Key; } PkCtx(&m_Rsa); - + unsigned char buf[3000]; int res = pk_write_pubkey_der(PkCtx, buf, sizeof(buf)); if (res < 0) diff --git a/src/PolarSSL++/RsaPrivateKey.h b/src/PolarSSL++/RsaPrivateKey.h index 4d03f27df..32422da8d 100644 --- a/src/PolarSSL++/RsaPrivateKey.h +++ b/src/PolarSSL++/RsaPrivateKey.h @@ -20,41 +20,41 @@ class cRsaPrivateKey { friend class cSslContext; - + public: /** Creates a new empty object, the key is not assigned */ cRsaPrivateKey(void); - + /** Deep-copies the key from a_Other */ cRsaPrivateKey(const cRsaPrivateKey & a_Other); - + ~cRsaPrivateKey(); - + /** Generates a new key within this object, with the specified size in bits. Returns true on success, false on failure. */ bool Generate(unsigned a_KeySizeBits = 1024); - + /** Returns the public key part encoded in ASN1 DER encoding */ AString GetPubKeyDER(void); - + /** Decrypts the data using RSAES-PKCS#1 algorithm. Both a_EncryptedData and a_DecryptedData must be at least <KeySizeBytes> bytes large. Returns the number of bytes decrypted, or negative number for error. */ int Decrypt(const Byte * a_EncryptedData, size_t a_EncryptedLength, Byte * a_DecryptedData, size_t a_DecryptedMaxLength); - + /** Encrypts the data using RSAES-PKCS#1 algorithm. Both a_EncryptedData and a_DecryptedData must be at least <KeySizeBytes> bytes large. Returns the number of bytes decrypted, or negative number for error. */ int Encrypt(const Byte * a_PlainData, size_t a_PlainLength, Byte * a_EncryptedData, size_t a_EncryptedMaxLength); - + protected: /** The PolarSSL key context */ rsa_context m_Rsa; /** The random generator used for generating the key and encryption / decryption */ cCtrDrbgContext m_CtrDrbg; - - + + /** Returns the internal context ptr. Only use in PolarSSL API calls. */ rsa_context * GetInternal(void) { return &m_Rsa; } } ; diff --git a/src/PolarSSL++/Sha1Checksum.cpp b/src/PolarSSL++/Sha1Checksum.cpp index e69ef236f..5a56c18b0 100644 --- a/src/PolarSSL++/Sha1Checksum.cpp +++ b/src/PolarSSL++/Sha1Checksum.cpp @@ -66,7 +66,7 @@ cSha1Checksum::cSha1Checksum(void) : void cSha1Checksum::Update(const Byte * a_Data, size_t a_Length) { ASSERT(m_DoesAcceptInput); // Not Finalize()-d yet, or Restart()-ed - + sha1_update(&m_Sha1, a_Data, a_Length); } @@ -77,7 +77,7 @@ void cSha1Checksum::Update(const Byte * a_Data, size_t a_Length) void cSha1Checksum::Finalize(cSha1Checksum::Checksum & a_Output) { ASSERT(m_DoesAcceptInput); // Not Finalize()-d yet, or Restart()-ed - + sha1_finish(&m_Sha1, a_Output); m_DoesAcceptInput = false; } @@ -90,7 +90,7 @@ void cSha1Checksum::DigestToJava(const Checksum & a_Digest, AString & a_Out) { Checksum Digest; memcpy(Digest, a_Digest, sizeof(Digest)); - + bool IsNegative = (Digest[0] >= 0x80); if (IsNegative) { diff --git a/src/PolarSSL++/Sha1Checksum.h b/src/PolarSSL++/Sha1Checksum.h index 68fdbcf1b..23eb6f420 100644 --- a/src/PolarSSL++/Sha1Checksum.h +++ b/src/PolarSSL++/Sha1Checksum.h @@ -20,30 +20,30 @@ class cSha1Checksum { public: typedef Byte Checksum[20]; // The type used for storing the checksum - + cSha1Checksum(void); - + /** Adds the specified data to the checksum */ void Update(const Byte * a_Data, size_t a_Length); - + /** Calculates and returns the final checksum */ void Finalize(Checksum & a_Output); - + /** Returns true if the object is accepts more input data, false if Finalize()-d (need to Restart()) */ bool DoesAcceptInput(void) const { return m_DoesAcceptInput; } - + /** Converts a raw 160-bit SHA1 digest into a Java Hex representation According to http://wiki.vg/wiki/index.php?title=Protocol_Encryption&oldid=2802 */ static void DigestToJava(const Checksum & a_Digest, AString & a_JavaOut); - + /** Clears the current context and start a new checksum calculation */ void Restart(void); - + protected: /** True if the object is accepts more input data, false if Finalize()-d (need to Restart()) */ bool m_DoesAcceptInput; - + sha1_context m_Sha1; } ; diff --git a/src/PolarSSL++/SslContext.cpp b/src/PolarSSL++/SslContext.cpp index 4ff0c3077..74b45ea33 100644 --- a/src/PolarSSL++/SslContext.cpp +++ b/src/PolarSSL++/SslContext.cpp @@ -44,7 +44,7 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr<cCtrDrbgContext> & LOGWARNING("SSL: Double initialization is not supported."); return POLARSSL_ERR_SSL_BAD_INPUT_DATA; // There is no return value well-suited for this, reuse this one. } - + // Set the CtrDrbg context, create a new one if needed: m_CtrDrbg = a_CtrDrbg; if (m_CtrDrbg.get() == nullptr) @@ -52,7 +52,7 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr<cCtrDrbgContext> & m_CtrDrbg.reset(new cCtrDrbgContext); m_CtrDrbg->Initialize("Cuberite", 8); } - + // Initialize PolarSSL's structures: memset(&m_Ssl, 0, sizeof(m_Ssl)); int res = ssl_init(&m_Ssl); @@ -64,7 +64,7 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr<cCtrDrbgContext> & ssl_set_authmode(&m_Ssl, SSL_VERIFY_NONE); // We cannot verify because we don't have a CA chain, required by PolarSSL, implemented yet (TODO) ssl_set_rng(&m_Ssl, ctr_drbg_random, &m_CtrDrbg->m_CtrDrbg); ssl_set_bio(&m_Ssl, ReceiveEncrypted, this, SendEncrypted, this); - + #ifdef _DEBUG /* // These functions allow us to debug SSL and certificate problems, but produce way too much output, @@ -74,7 +74,7 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr<cCtrDrbgContext> & ssl_set_verify(&m_Ssl, &SSLVerifyCert, this); //*/ - + /* // Set ciphersuite to the easiest one to decode, so that the connection can be wireshark-decoded: static const int CipherSuites[] = @@ -87,7 +87,7 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr<cCtrDrbgContext> & ssl_set_ciphersuites(&m_Ssl, CipherSuites); //*/ #endif - + m_IsValid = true; return 0; } @@ -99,18 +99,18 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr<cCtrDrbgContext> & void cSslContext::SetOwnCert(const cX509CertPtr & a_OwnCert, const cRsaPrivateKeyPtr & a_OwnCertPrivKey) { ASSERT(m_IsValid); // Call Initialize() first - + // Check that both the cert and the key is valid: if ((a_OwnCert.get() == nullptr) || (a_OwnCertPrivKey.get() == nullptr)) { LOGWARNING("SSL: Own certificate is not valid, skipping the set."); return; } - + // Make sure we have the cert stored for later, PolarSSL only uses the cert later on m_OwnCert = a_OwnCert; m_OwnCertPrivKey = a_OwnCertPrivKey; - + // Set into the context: ssl_set_own_cert_rsa(&m_Ssl, m_OwnCert->GetInternal(), m_OwnCertPrivKey->GetInternal()); } @@ -122,18 +122,18 @@ void cSslContext::SetOwnCert(const cX509CertPtr & a_OwnCert, const cRsaPrivateKe void cSslContext::SetOwnCert(const cX509CertPtr & a_OwnCert, const cCryptoKeyPtr & a_OwnCertPrivKey) { ASSERT(m_IsValid); // Call Initialize() first - + // Check that both the cert and the key is valid: if ((a_OwnCert.get() == nullptr) || (a_OwnCertPrivKey.get() == nullptr)) { LOGWARNING("SSL: Own certificate is not valid, skipping the set."); return; } - + // Make sure we have the cert stored for later, PolarSSL only uses the cert later on m_OwnCert = a_OwnCert; m_OwnCertPrivKey2 = a_OwnCertPrivKey; - + // Set into the context: ssl_set_own_cert(&m_Ssl, m_OwnCert->GetInternal(), m_OwnCertPrivKey2->GetInternal()); } @@ -145,12 +145,12 @@ void cSslContext::SetOwnCert(const cX509CertPtr & a_OwnCert, const cCryptoKeyPtr void cSslContext::SetCACerts(const cX509CertPtr & a_CACert, const AString & a_ExpectedPeerName) { ASSERT(m_IsValid); // Call Initialize() first - + // Store the data in our internal buffers, to avoid losing the pointers later on // PolarSSL will need these after this call returns, and the caller may move / delete the data before that: m_ExpectedPeerName = a_ExpectedPeerName; m_CACerts = a_CACert; - + // Set the trusted CA root cert store: ssl_set_authmode(&m_Ssl, SSL_VERIFY_REQUIRED); ssl_set_ca_chain(&m_Ssl, m_CACerts->GetInternal(), nullptr, m_ExpectedPeerName.empty() ? nullptr : m_ExpectedPeerName.c_str()); @@ -171,7 +171,7 @@ int cSslContext::WritePlain(const void * a_Data, size_t a_NumBytes) return res; } } - + return ssl_write(&m_Ssl, reinterpret_cast<const unsigned char *>(a_Data), a_NumBytes); } @@ -190,7 +190,7 @@ int cSslContext::ReadPlain(void * a_Data, size_t a_MaxBytes) return res; } } - + return ssl_read(&m_Ssl, reinterpret_cast<unsigned char *>(a_Data), a_MaxBytes); } @@ -202,7 +202,7 @@ int cSslContext::Handshake(void) { ASSERT(m_IsValid); // Need to call Initialize() first ASSERT(!m_HasHandshaken); // Must not call twice - + int res = ssl_handshake(&m_Ssl); if (res == 0) { @@ -232,7 +232,7 @@ int cSslContext::NotifyClose(void) // Don't want the trace messages return; } - + // Remove the terminating LF: size_t len = strlen(a_Text) - 1; while ((len > 0) && (a_Text[len] <= 32)) @@ -240,7 +240,7 @@ int cSslContext::NotifyClose(void) len--; } AString Text(a_Text, len + 1); - + LOGD("SSL (%d): %s", a_Level, Text.c_str()); } diff --git a/src/PolarSSL++/SslContext.h b/src/PolarSSL++/SslContext.h index 408fc7c56..27f9dd674 100644 --- a/src/PolarSSL++/SslContext.h +++ b/src/PolarSSL++/SslContext.h @@ -39,30 +39,30 @@ class cSslContext abstract public: /** Creates a new uninitialized context */ cSslContext(void); - + virtual ~cSslContext(); - + /** Initializes the context for use as a server or client. Returns 0 on success, PolarSSL error on failure. */ int Initialize(bool a_IsClient, const SharedPtr<cCtrDrbgContext> & a_CtrDrbg = SharedPtr<cCtrDrbgContext>()); - + /** Returns true if the object has been initialized properly. */ bool IsValid(void) const { return m_IsValid; } - + /** Sets the certificate to use as our own. Must be used when representing a server, optional when client. Must be called after Initialize(). */ void SetOwnCert(const cX509CertPtr & a_OwnCert, const cRsaPrivateKeyPtr & a_OwnCertPrivKey); - + /** Sets the certificate to use as our own. Must be used when representing a server, optional when client. Must be called after Initialize(). */ void SetOwnCert(const cX509CertPtr & a_OwnCert, const cCryptoKeyPtr & a_OwnCertPrivKey); - + /** Sets a cert chain as the trusted cert store for this context. Must be called after Initialize(). Calling this will switch the context into strict cert verification mode. a_ExpectedPeerName is the CommonName that we expect the SSL peer to have in its cert, if it is different, the verification will fail. An empty string will disable the CN check. */ void SetCACerts(const cX509CertPtr & a_CACert, const AString & a_ExpectedPeerName); - + /** Writes data to be encrypted and sent to the SSL peer. Will perform SSL handshake, if needed. Returns the number of bytes actually written, or PolarSSL error code. If the return value is POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE, the owner should send any @@ -70,7 +70,7 @@ public: this function again with the same parameters. Note that this may repeat a few times before the data is actually written, mainly due to initial handshake. */ int WritePlain(const void * a_Data, size_t a_NumBytes); - + /** Reads data decrypted from the SSL stream. Will perform SSL handshake, if needed. Returns the number of bytes actually read, or PolarSSL error code. If the return value is POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE, the owner should send any @@ -78,75 +78,75 @@ public: this function again with the same parameters. Note that this may repeat a few times before the data is actually read, mainly due to initial handshake. */ int ReadPlain(void * a_Data, size_t a_MaxBytes); - + /** Performs the SSL handshake. Returns zero on success, PoladSSL error code on failure. If the return value is POLARSSL_ERR_NET_WANT_READ or POLARSSL_ERR_NET_WANT_WRITE, the owner should send any cached outgoing data to the SSL peer and write any incoming data received from the SSL peer and then call this function again. Note that this may repeat a few times before the handshake is completed. */ int Handshake(void); - + /** Returns true if the SSL handshake has been completed. */ bool HasHandshaken(void) const { return m_HasHandshaken; } - + /** Notifies the SSL peer that the connection is being closed. Returns 0 on success, PolarSSL error code on failure. */ int NotifyClose(void); - + protected: /** True if the object has been initialized properly. */ bool m_IsValid; - + /** The random generator to use */ SharedPtr<cCtrDrbgContext> m_CtrDrbg; - + /** The SSL context that PolarSSL uses. */ ssl_context m_Ssl; - + /** The certificate that we present to the peer. */ cX509CertPtr m_OwnCert; - + /** Private key for m_OwnCert, if initialized from a cRsaPrivateKey. */ cRsaPrivateKeyPtr m_OwnCertPrivKey; - + /** Private key for m_OwnCert, if initialized from a cCryptoKey. */ cCryptoKeyPtr m_OwnCertPrivKey2; - + /** True if the SSL handshake has been completed. */ bool m_HasHandshaken; - + /** A copy of the trusted CA root cert store that is passed to us in SetCACerts(), so that the pointer stays valid even after the call, when PolarSSL finally uses it. */ cX509CertPtr m_CACerts; - + /** Buffer for the expected peer name. We need to buffer it because the caller may free the string they give us before PolarSSL consumes the raw pointer it gets to the CN. */ AString m_ExpectedPeerName; - - + + /** The callback used by PolarSSL when it wants to read encrypted data. */ static int ReceiveEncrypted(void * a_This, unsigned char * a_Buffer, size_t a_NumBytes) { return (reinterpret_cast<cSslContext *>(a_This))->ReceiveEncrypted(a_Buffer, a_NumBytes); } - + /** The callback used by PolarSSL when it wants to write encrypted data. */ static int SendEncrypted(void * a_This, const unsigned char * a_Buffer, size_t a_NumBytes) { return (reinterpret_cast<cSslContext *>(a_This))->SendEncrypted(a_Buffer, a_NumBytes); } - + #ifdef _DEBUG /** The callback used by PolarSSL to output debug messages */ static void SSLDebugMessage(void * a_UserParam, int a_Level, const char * a_Text); - + /** The callback used by PolarSSL to log information on the cert chain */ static int SSLVerifyCert(void * a_This, x509_crt * a_Crt, int a_Depth, int * a_Flags); #endif // _DEBUG /** Called when PolarSSL wants to read encrypted data. */ virtual int ReceiveEncrypted(unsigned char * a_Buffer, size_t a_NumBytes) = 0; - + /** Called when PolarSSL wants to write encrypted data. */ virtual int SendEncrypted(const unsigned char * a_Buffer, size_t a_NumBytes) = 0; } ; diff --git a/src/PolarSSL++/X509Cert.h b/src/PolarSSL++/X509Cert.h index 991617d24..8c3468f03 100644 --- a/src/PolarSSL++/X509Cert.h +++ b/src/PolarSSL++/X509Cert.h @@ -18,15 +18,15 @@ class cX509Cert { friend class cSslContext; - + public: cX509Cert(void); ~cX509Cert(void); - + /** Parses the certificate chain data into the context. Returns 0 on succes, or PolarSSL error code on failure. */ int Parse(const void * a_CertContents, size_t a_Size); - + protected: x509_crt m_Cert; |