diff options
Diffstat (limited to 'libtransport')
-rw-r--r-- | libtransport/includes/hicn/transport/security/signer.h | 7 | ||||
-rw-r--r-- | libtransport/includes/hicn/transport/security/verifier.h | 11 | ||||
-rw-r--r-- | libtransport/src/security/signer.cc | 44 | ||||
-rw-r--r-- | libtransport/src/security/verifier.cc | 121 |
4 files changed, 91 insertions, 92 deletions
diff --git a/libtransport/includes/hicn/transport/security/signer.h b/libtransport/includes/hicn/transport/security/signer.h index 31b21462b..45bcdb516 100644 --- a/libtransport/includes/hicn/transport/security/signer.h +++ b/libtransport/includes/hicn/transport/security/signer.h @@ -76,15 +76,10 @@ class Signer { PARCKeyStore *getKeyStore(); private: - PARCBufferComposer *composer_ = nullptr; - PARCBuffer *key_buffer_ = nullptr; - PARCSymmetricKeyStore *symmetricKeyStore_ = nullptr; + CryptoSuite suite_; PARCSigner *signer_ = nullptr; - PARCSignature *signature_ = nullptr; PARCKeyId *key_id_ = nullptr; - CryptoSuite suite_; size_t signature_length_; - static uint8_t zeros[200]; }; } // namespace utils diff --git a/libtransport/includes/hicn/transport/security/verifier.h b/libtransport/includes/hicn/transport/security/verifier.h index 7ec6e7eda..838868427 100644 --- a/libtransport/includes/hicn/transport/security/verifier.h +++ b/libtransport/includes/hicn/transport/security/verifier.h @@ -84,20 +84,11 @@ class Verifier { */ int verify(const Packet &packet); - CryptoHash getPacketHash(const Packet &packet, - std::shared_ptr<CryptoHasher> hasher); + CryptoHash getPacketHash(const Packet &packet, CryptoHasher &hasher); private: PARCVerifier *verifier_ = nullptr; - PARCCertificateFactory *factory_ = nullptr; - PARCCertificate *certificate_ = nullptr; - PARCKeyId *keyId_ = nullptr; - PARCKey *key_ = nullptr; - PARCBuffer *key_buffer_ = nullptr; - PARCSymmetricKeyStore *symmetricKeyStore_ = nullptr; PARCSigner *signer_ = nullptr; - PARCBufferComposer *composer_ = nullptr; - static uint8_t zeros[200]; }; } // namespace utils diff --git a/libtransport/src/security/signer.cc b/libtransport/src/security/signer.cc index 8a56cfa3d..aa2751611 100644 --- a/libtransport/src/security/signer.cc +++ b/libtransport/src/security/signer.cc @@ -36,9 +36,6 @@ TRANSPORT_CLANG_DISABLE_WARNING("-Wextern-c-compat") namespace utils { -uint8_t Signer::zeros[200] = {0}; - -/*One signer_ per Private Key*/ Signer::Signer(PARCKeyStore *keyStore, CryptoSuite suite) { parcSecurity_Init(); @@ -77,15 +74,20 @@ Signer::Signer(const std::string &passphrase, CryptoSuite suite) { switch (suite) { case CryptoSuite::HMAC_SHA256: case CryptoSuite::HMAC_SHA512: { - composer_ = parcBufferComposer_Create(); - parcBufferComposer_PutString(composer_, passphrase.c_str()); - key_buffer_ = parcBufferComposer_ProduceBuffer(composer_); - symmetricKeyStore_ = parcSymmetricKeyStore_Create(key_buffer_); + PARCBufferComposer *composer = parcBufferComposer_Create(); + parcBufferComposer_PutString(composer, passphrase.c_str()); + PARCBuffer *key_buffer = parcBufferComposer_ProduceBuffer(composer); + PARCSymmetricKeyStore *symmetricKeyStore = + parcSymmetricKeyStore_Create(key_buffer); this->signer_ = parcSigner_Create( parcSymmetricKeySigner_Create( - symmetricKeyStore_, parcCryptoSuite_GetCryptoHash( - static_cast<PARCCryptoSuite>(suite))), + symmetricKeyStore, parcCryptoSuite_GetCryptoHash( + static_cast<PARCCryptoSuite>(suite))), PARCSymmetricKeySignerAsSigner); + + parcBuffer_Release(&key_buffer); + parcSymmetricKeyStore_Release(&symmetricKeyStore); + parcBufferComposer_Release(&composer); break; } default: { return; } @@ -97,9 +99,9 @@ Signer::Signer(const std::string &passphrase, CryptoSuite suite) { } Signer::Signer(const PARCSigner *signer, CryptoSuite suite) - : signer_(parcSigner_Acquire(signer)), + : suite_(suite), + signer_(parcSigner_Acquire(signer)), key_id_(parcSigner_CreateKeyId(this->signer_)), - suite_(suite), signature_length_(parcSigner_GetSignatureSize(this->signer_)) { parcSecurity_Init(); } @@ -108,17 +110,13 @@ Signer::Signer(const PARCSigner *signer) : Signer(signer, CryptoSuite::UNKNOWN) {} Signer::~Signer() { - if (signature_) parcSignature_Release(&signature_); - if (symmetricKeyStore_) parcSymmetricKeyStore_Release(&symmetricKeyStore_); - if (key_buffer_) parcBuffer_Release(&key_buffer_); - if (composer_) parcBufferComposer_Release(&composer_); if (signer_) parcSigner_Release(&signer_); if (key_id_) parcKeyId_Release(&key_id_); parcSecurity_Fini(); } void Signer::sign(Packet &packet) { - // header chain points to the IP + TCP hicn header + AH Header + /* header chain points to the IP + TCP hicn header + AH Header */ MemBuf *header_chain = packet.header_head_; MemBuf *payload_chain = packet.payload_head_; uint8_t *hicn_packet = (uint8_t *)header_chain->writableData(); @@ -130,7 +128,7 @@ void Signer::sign(Packet &packet) { packet.setSignatureSize(signature_length_); - // Copy IP+TCP/ICMP header before zeroing them + /* Copy IP+TCP/ICMP header before zeroing them */ hicn_header_t header_copy; hicn_packet_copy_header(format, (const hicn_header_t *)packet.packet_start_, &header_copy, false); @@ -151,7 +149,7 @@ void Signer::sign(Packet &packet) { (PARCBuffer *)parcKeyId_GetKeyId(this->key_id_), 0); packet.setKeyId(key_id); - // Calculate hash + /* Calculate hash */ CryptoHasher hasher(parcSigner_GetCryptoHasher(signer_)); hasher.init(); hasher.updateBytes(hicn_packet, header_len + signature_length_); @@ -162,10 +160,10 @@ void Signer::sign(Packet &packet) { } CryptoHash hash = hasher.finalize(); - signature_ = parcSigner_SignDigestNoAlloc(this->signer_, hash.hash_, - packet.getSignature(), - (uint32_t)signature_length_); - PARCBuffer *buffer = parcSignature_GetSignature(signature_); + PARCSignature *signature = parcSigner_SignDigestNoAlloc( + this->signer_, hash.hash_, packet.getSignature(), + (uint32_t)signature_length_); + PARCBuffer *buffer = parcSignature_GetSignature(signature); size_t bytes_len = parcBuffer_Remaining(buffer); if (bytes_len > signature_length_) { @@ -175,7 +173,7 @@ void Signer::sign(Packet &packet) { hicn_packet_copy_header(format, &header_copy, (hicn_header_t *)packet.packet_start_, false); - parcSignature_Release(&signature_); + parcSignature_Release(&signature); } size_t Signer::getSignatureLength() { return signature_length_; } diff --git a/libtransport/src/security/verifier.cc b/libtransport/src/security/verifier.cc index 0cfbdc6f9..39b815d40 100644 --- a/libtransport/src/security/verifier.cc +++ b/libtransport/src/security/verifier.cc @@ -36,8 +36,6 @@ TRANSPORT_ALWAYS_INLINE bool file_exists(const std::string &name) { return (stat(name.c_str(), &buffer) == 0); } -uint8_t Verifier::zeros[200] = {0}; - Verifier::Verifier() { parcSecurity_Init(); PARCInMemoryVerifier *in_memory_verifier = parcInMemoryVerifier_Create(); @@ -46,14 +44,7 @@ Verifier::Verifier() { } Verifier::~Verifier() { - if (key_) parcKey_Release(&key_); - if (keyId_) parcKeyId_Release(&keyId_); if (signer_) parcSigner_Release(&signer_); - if (symmetricKeyStore_) parcSymmetricKeyStore_Release(&symmetricKeyStore_); - if (key_buffer_) parcBuffer_Release(&key_buffer_); - if (composer_) parcBufferComposer_Release(&composer_); - if (certificate_) parcCertificate_Release(&certificate_); - if (factory_) parcCertificateFactory_Release(&factory_); if (verifier_) parcVerifier_Release(&verifier_); parcSecurity_Fini(); } @@ -61,10 +52,10 @@ Verifier::~Verifier() { /* * TODO: Unsupported in libparc */ -bool Verifier::hasKey(PARCKeyId *keyId) { return false; } +bool Verifier::hasKey(PARCKeyId *key_id) { return false; } /* - * TODO: signal errors without trap. + * TODO: Signal errors without trap. */ bool Verifier::addKey(PARCKey *key) { parcVerifier_AddKey(this->verifier_, key); @@ -73,28 +64,36 @@ bool Verifier::addKey(PARCKey *key) { PARCKeyId *Verifier::addKeyFromPassphrase(const std::string &passphrase, CryptoSuite suite) { - composer_ = parcBufferComposer_Create(); - parcBufferComposer_PutString(composer_, passphrase.c_str()); - key_buffer_ = parcBufferComposer_ProduceBuffer(composer_); + PARCBufferComposer *composer = parcBufferComposer_Create(); + parcBufferComposer_PutString(composer, passphrase.c_str()); + PARCBuffer *key_buffer = parcBufferComposer_ProduceBuffer(composer); - symmetricKeyStore_ = parcSymmetricKeyStore_Create(key_buffer_); + PARCSymmetricKeyStore *symmetricKeyStore = + parcSymmetricKeyStore_Create(key_buffer); signer_ = parcSigner_Create( parcSymmetricKeySigner_Create( - symmetricKeyStore_, + symmetricKeyStore, parcCryptoSuite_GetCryptoHash(static_cast<PARCCryptoSuite>(suite))), PARCSymmetricKeySignerAsSigner); - keyId_ = parcSigner_CreateKeyId(signer_); - key_ = parcKey_CreateFromSymmetricKey( - keyId_, parcSigner_GetSigningAlgorithm(signer_), key_buffer_); - addKey(key_); - return keyId_; + PARCKeyId *key_id = parcSigner_CreateKeyId(signer_); + PARCKey *key = parcKey_CreateFromSymmetricKey( + key_id, parcSigner_GetSigningAlgorithm(signer_), key_buffer); + + addKey(key); + + parcKey_Release(&key); + parcSymmetricKeyStore_Release(&symmetricKeyStore); + parcBuffer_Release(&key_buffer); + parcBufferComposer_Release(&composer); + + return key_id; } PARCKeyId *Verifier::addKeyFromCertificate(const std::string &file_name) { - factory_ = parcCertificateFactory_Create(PARCCertificateType_X509, - PARCContainerEncoding_PEM); - parcAssertNotNull(factory_, "Expected non-NULL factory"); + PARCCertificateFactory *factory = parcCertificateFactory_Create( + PARCCertificateType_X509, PARCContainerEncoding_PEM); + parcAssertNotNull(factory, "Expected non-NULL factory"); if (!file_exists(file_name)) { TRANSPORT_LOGW("Warning! The certificate %s file does not exist", @@ -102,72 +101,86 @@ PARCKeyId *Verifier::addKeyFromCertificate(const std::string &file_name) { return nullptr; } - certificate_ = parcCertificateFactory_CreateCertificateFromFile( - factory_, (char *)file_name.c_str(), NULL); + PARCCertificate *certificate = + parcCertificateFactory_CreateCertificateFromFile( + factory, (char *)file_name.c_str(), NULL); PARCBuffer *derEncodedVersion = - parcCertificate_GetDEREncodedPublicKey(certificate_); - PARCCryptoHash *keyDigest = parcCertificate_GetPublicKeyDigest(certificate_); - keyId_ = parcKeyId_Create(parcCryptoHash_GetDigest(keyDigest)); - key_ = parcKey_CreateFromDerEncodedPublicKey(keyId_, PARCSigningAlgorithm_RSA, - derEncodedVersion); - - addKey(key_); - return keyId_; + parcCertificate_GetDEREncodedPublicKey(certificate); + PARCCryptoHash *keyDigest = parcCertificate_GetPublicKeyDigest(certificate); + + PARCKeyId *key_id = parcKeyId_Create(parcCryptoHash_GetDigest(keyDigest)); + PARCKey *key = parcKey_CreateFromDerEncodedPublicKey( + key_id, PARCSigningAlgorithm_RSA, derEncodedVersion); + + addKey(key); + + parcKey_Release(&key); + parcCertificate_Release(&certificate); + parcCertificateFactory_Release(&factory); + + return key_id; } int Verifier::verify(const Packet &packet) { - // Initialize packet.payload_head_ + /* Initialize packet.payload_head_ */ const_cast<Packet *>(&packet)->separateHeaderPayload(); - Packet::Format format = packet.getFormat(); + bool valid = false; + Packet::Format format = packet.getFormat(); - if (!(packet.format_ & HFO_AH)) { + if (!(format & HFO_AH)) { throw errors::MalformedAHPacketException(); } - // Copy IP+TCP/ICMP header before zeroing them + /* Copy IP+TCP/ICMP header before zeroing them */ hicn_header_t header_copy; hicn_packet_copy_header(format, (const hicn_header_t *)packet.packet_start_, &header_copy, false); + /* Get crypto suite */ PARCCryptoSuite suite = static_cast<PARCCryptoSuite>(packet.getValidationAlgorithm()); PARCCryptoHashType hashtype = parcCryptoSuite_GetCryptoHash(suite); + + /* Fetch the key that we will use to verify the signature */ KeyId _key_id = packet.getKeyId(); PARCBuffer *buffer = parcBuffer_Wrap(_key_id.first, _key_id.second, 0, _key_id.second); PARCKeyId *key_id = parcKeyId_Create(buffer); parcBuffer_Release(&buffer); + /* Fetch signature */ int ah_payload_len = (int)packet.getSignatureSize(); uint8_t *_signature = packet.getSignature(); uint8_t *signature = new uint8_t[ah_payload_len]; - std::shared_ptr<CryptoHasher> hasher; - - // TODO Remove signature copy at this point, by not setting to zero - // the validation payload. + /* TODO Remove signature copy at this point, by not setting to zero */ + /* the validation payload. */ std::memcpy(signature, _signature, ah_payload_len); + /* Prepare local computation of the signature based on the crypto suite */ + PARCCryptoHasher *hasher_ptr = nullptr; switch (CryptoSuite(suite)) { case CryptoSuite::DSA_SHA256: case CryptoSuite::RSA_SHA256: case CryptoSuite::RSA_SHA512: case CryptoSuite::ECDSA_256K1: { - hasher = std::make_shared<CryptoHasher>( - parcVerifier_GetCryptoHasher(verifier_, key_id, hashtype)); + hasher_ptr = parcVerifier_GetCryptoHasher(verifier_, key_id, hashtype); break; } case CryptoSuite::HMAC_SHA256: case CryptoSuite::HMAC_SHA512: { if (!signer_) return false; - hasher = - std::make_shared<CryptoHasher>(parcSigner_GetCryptoHasher(signer_)); + hasher_ptr = parcSigner_GetCryptoHasher(signer_); break; } default: { return false; } } - CryptoHash hash_computed_locally = getPacketHash(packet, hasher); + /* Compute the packet signature locally */ + CryptoHasher crypto_hasher(hasher_ptr); + CryptoHash hash_computed_locally = getPacketHash(packet, crypto_hasher); + + /* Create a signature object from the raw packet signature */ PARCBuffer *bits = parcBuffer_Wrap(signature, ah_payload_len, 0, ah_payload_len); parcBuffer_Rewind(bits); @@ -184,6 +197,7 @@ int Verifier::verify(const Packet &packet) { } if (!parcBuffer_HasRemaining(bits)) { + delete[] signature; parcKeyId_Release(&key_id); parcBuffer_Release(&bits); return valid; @@ -196,10 +210,11 @@ int Verifier::verify(const Packet &packet) { parcBuffer_SetPosition(bits, 0); } + /* Compare the packet signature to the locally computed one */ valid = parcVerifier_VerifyDigestSignature( verifier_, key_id, hash_computed_locally.hash_, suite, signatureToVerify); - /* Restore the resetted fields */ + /* Restore the fields that were reset */ hicn_packet_copy_header(format, &header_copy, (hicn_header_t *)packet.packet_start_, false); @@ -212,7 +227,7 @@ int Verifier::verify(const Packet &packet) { } CryptoHash Verifier::getPacketHash(const Packet &packet, - std::shared_ptr<CryptoHasher> hasher) { + CryptoHasher &crypto_hasher) { MemBuf *header_chain = packet.header_head_; MemBuf *payload_chain = packet.payload_head_; Packet::Format format = packet.getFormat(); @@ -220,16 +235,16 @@ CryptoHash Verifier::getPacketHash(const Packet &packet, uint8_t *hicn_packet = header_chain->writableData(); std::size_t header_len = Packet::getHeaderSizeFromFormat(format); - // Reset fields that should not appear in the signature + /* Reset fields that should not appear in the signature */ const_cast<Packet &>(packet).resetForHash(); - hasher->init().updateBytes(hicn_packet, header_len + ah_payload_len); + crypto_hasher.init().updateBytes(hicn_packet, header_len + ah_payload_len); for (MemBuf *current = payload_chain; current != header_chain; current = current->next()) { - hasher->updateBytes(current->data(), current->length()); + crypto_hasher.updateBytes(current->data(), current->length()); } - return hasher->finalize(); + return crypto_hasher.finalize(); } } // namespace utils |