# # # patch "database.cc" # from [23fbe46aed38d2500801aa3bda745464b63f58de] # to [7c32fac2c58b7babc6e760ba146862f2baf3f6b9] # # patch "database.hh" # from [dbf1f978a8f1f65bfc11328cf2684ff99fe327c8] # to [e15e46d3bbc5714ba567813e28157f3f7e5a2278] # # patch "key_store.cc" # from [88eb6652bb10578e5ef3f6ed28166c85f0bfd2b7] # to [625800e8c5ef8a52e7101f72c77c4674e9bda147] # # patch "key_store.hh" # from [533b4f6d4954a6c1575bc1caacdf6879a4273267] # to [4553714cdb2de487cc192c43e34a858fb0d0bf57] # # patch "keys.cc" # from [19386cf9af1196c244e09555f81b7e06b3616b96] # to [8608e18b9d703bf601c723f8694c3a99644c83a9] # # patch "netsync.cc" # from [03bb6c7bab712664c42d3b886492ef96cd0e3357] # to [eecd6fec7789d51c10daf9b819380e99ea1a00b3] # ============================================================ --- database.cc 23fbe46aed38d2500801aa3bda745464b63f58de +++ database.cc 7c32fac2c58b7babc6e760ba146862f2baf3f6b9 @@ -79,8 +79,10 @@ using boost::shared_ptr; using std::vector; using boost::shared_ptr; +using boost::shared_dynamic_cast; using boost::lexical_cast; +using Botan::PK_Encryptor; using Botan::PK_Verifier; using Botan::SecureVector; using Botan::X509_PublicKey; 
@@ -2688,6 +2690,35 @@ database::delete_public_key(rsa_keypair_ % text(pub_id())); } +void +database::encrypt_rsa(rsa_keypair_id const & pub_id, + string const & plaintext, + rsa_oaep_sha_data & ciphertext) +{ + rsa_pub_key pub; + get_key(pub_id, pub); + + SecureVector pub_block; + pub_block.set(reinterpret_cast(pub().data()), + pub().size()); + + shared_ptr x509_key(Botan::X509::load_key(pub_block)); + shared_ptr pub_key + = shared_dynamic_cast(x509_key); + if (!pub_key) + throw informative_failure("Failed to get RSA encrypting key"); + + shared_ptr + encryptor(get_pk_encryptor(*pub_key, "EME1(SHA-1)")); + + SecureVector ct; + ct = encryptor->encrypt( + reinterpret_cast(plaintext.data()), + plaintext.size()); + ciphertext = rsa_oaep_sha_data(string(reinterpret_cast(ct.begin()), + ct.size())); +} + cert_status database::check_signature(rsa_keypair_id const & id, string const & alleged_text, ============================================================ --- database.hh dbf1f978a8f1f65bfc11328cf2684ff99fe327c8 +++ database.hh e15e46d3bbc5714ba567813e28157f3f7e5a2278 @@ -254,6 +254,12 @@ public: void delete_public_key(rsa_keypair_id const & pub_id); + // Crypto operations + + void encrypt_rsa(rsa_keypair_id const & pub_id, + std::string const & plaintext, + rsa_oaep_sha_data & ciphertext); + cert_status check_signature(rsa_keypair_id const & id, std::string const & alleged_text, base64 const & signature); ============================================================ --- key_store.cc 88eb6652bb10578e5ef3f6ed28166c85f0bfd2b7 +++ key_store.cc 625800e8c5ef8a52e7101f72c77c4674e9bda147 @@ -31,6 +31,7 @@ using Botan::PKCS8_PrivateKey; using Botan::SecureVector; using Botan::X509_PublicKey; using Botan::PKCS8_PrivateKey; +using Botan::PK_Decryptor; using Botan::PK_Signer; using Botan::Pipe; 
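Review bot: The padding scheme is written as the bare literal `"EME1(SHA-1)"` in `database::encrypt_rsa`, and the same literal is repeated in `key_store::decrypt_rsa` in key_store.cc. Before this commit the two calls sat next to each other in keys.cc; now they live in different classes and files, so an edit to one side can silently diverge from the other. A mismatch would only show up at run time as a failed session-key exchange. Consider a single named constant in a header both files can include, for example `char const rsa_oaep_eme[] = "EME1(SHA-1)";` (the name is only a suggestion), passed to both `get_pk_encryptor` and `get_pk_decryptor`.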
@@ -424,8 +425,25 @@ key_store::change_key_passphrase(rsa_key put_key_pair(id, kp); } +void +key_store::decrypt_rsa(rsa_keypair_id const & id, + rsa_oaep_sha_data const & ciphertext, + string & plaintext) +{ + keypair kp; + load_key_pair(*this, id, kp); + shared_ptr priv_key = get_private_key(*this, id, kp.priv); + shared_ptr + decryptor(get_pk_decryptor(*priv_key, "EME1(SHA-1)")); + SecureVector plain = decryptor->decrypt( + reinterpret_cast(ciphertext().data()), + ciphertext().size()); + plaintext = string(reinterpret_cast(plain.begin()), + plain.size()); +} + void key_store::make_signature(database & db, rsa_keypair_id const & id, ============================================================ --- key_store.hh 533b4f6d4954a6c1575bc1caacdf6879a4273267 +++ key_store.hh 4553714cdb2de487cc192c43e34a858fb0d0bf57 @@ -60,6 +60,10 @@ public: void change_key_passphrase(rsa_keypair_id const & id); + void decrypt_rsa(rsa_keypair_id const & id, + rsa_oaep_sha_data const & ciphertext, + std::string & plaintext); + void make_signature(database & db, rsa_keypair_id const & id, std::string const & tosign, base64 & signature); ============================================================ --- keys.cc 19386cf9af1196c244e09555f81b7e06b3616b96 +++ keys.cc 8608e18b9d703bf601c723f8694c3a99644c83a9 
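Review bot: `key_store::decrypt_rsa` lets whatever `decryptor->decrypt(...)` throws escape unchanged, and its one visible caller, `session::set_session_key` in netsync.cc, passes it `hmac_key_encrypted` — from the surrounding handshake code this looks like peer-supplied data, though where it is received is not visible here. A malformed or wrong-key ciphertext therefore surfaces as a library exception; whether any caller catches it is not visible in this diff. I would wrap the call in a `try` and rethrow a single generic error, `catch (std::exception const &) { throw informative_failure("Failed to decrypt RSA ciphertext"); }`. That way the peer sees the same failure regardless of why decryption was rejected, and the session ends through the normal error path. A one-line comment above the function saying that `ciphertext` is untrusted input would also help the next reader.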
@@ -318,48 +318,6 @@ get_private_key(key_store & keys, I(false); } -void encrypt_rsa(key_store & keys, - rsa_keypair_id const & id, - base64 & pub_encoded, - string const & plaintext, - rsa_oaep_sha_data & ciphertext) -{ - rsa_pub_key pub; - decode_base64(pub_encoded, pub); - SecureVector pub_block; - pub_block.set(reinterpret_cast(pub().data()), pub().size()); - - shared_ptr x509_key = shared_ptr(Botan::X509::load_key(pub_block)); - shared_ptr pub_key = shared_dynamic_cast(x509_key); - if (!pub_key) - throw informative_failure("Failed to get RSA encrypting key"); - - shared_ptr encryptor; - encryptor = shared_ptr(get_pk_encryptor(*pub_key, "EME1(SHA-1)")); - - SecureVector ct; - ct = encryptor->encrypt( - reinterpret_cast(plaintext.data()), plaintext.size()); - ciphertext = rsa_oaep_sha_data(string(reinterpret_cast(ct.begin()), ct.size())); -} - -void decrypt_rsa(key_store & keys, - rsa_keypair_id const & id, - base64< rsa_priv_key > const & priv, - rsa_oaep_sha_data const & ciphertext, - string & plaintext) -{ - shared_ptr priv_key = get_private_key(keys, id, priv); - - shared_ptr decryptor; - decryptor = shared_ptr(get_pk_decryptor(*priv_key, "EME1(SHA-1)")); - - SecureVector plain; - plain = decryptor->decrypt( - reinterpret_cast(ciphertext().data()), ciphertext().size()); - plaintext = string(reinterpret_cast(plain.begin()), plain.size()); -} - void key_hash_code(rsa_keypair_id const & ident, base64 const & pub, ============================================================ --- netsync.cc 03bb6c7bab712664c42d3b886492ef96cd0e3357 +++ netsync.cc eecd6fec7789d51c10daf9b819380e99ea1a00b3 
@@ -471,16 +471,14 @@ session: void queue_anonymous_cmd(protocol_role role, globish const & include_pattern, globish const & exclude_pattern, - id const & nonce2, - base64 server_key_encoded); + id const & nonce2); void queue_auth_cmd(protocol_role role, globish const & include_pattern, globish const & exclude_pattern, id const & client, id const & nonce1, id const & nonce2, - string const & signature, - base64 server_key_encoded); + string const & signature); void queue_confirm_cmd(); void queue_refine_cmd(refinement_type ty, merkle_node const & node); void queue_data_cmd(netcmd_item_type type, @@ -786,11 +784,8 @@ session::set_session_key(rsa_oaep_sha_da { if (use_transport_auth) { - keypair our_kp; - load_key_pair(keys, signing_key, our_kp); string hmac_key; - decrypt_rsa(keys, signing_key, our_kp.priv, - hmac_key_encrypted, hmac_key); + keys.decrypt_rsa(signing_key, hmac_key_encrypted, hmac_key); set_session_key(hmac_key); } } @@ -1163,14 +1158,12 @@ session::queue_anonymous_cmd(protocol_ro session::queue_anonymous_cmd(protocol_role role, globish const & include_pattern, globish const & exclude_pattern, - id const & nonce2, - base64 server_key_encoded) + id const & nonce2) { netcmd cmd; rsa_oaep_sha_data hmac_key_encrypted; if (use_transport_auth) - encrypt_rsa(keys, remote_peer_key_name, server_key_encoded, - nonce2(), hmac_key_encrypted); + project.db.encrypt_rsa(remote_peer_key_name, nonce2(), hmac_key_encrypted); cmd.write_anonymous_cmd(role, include_pattern, exclude_pattern, hmac_key_encrypted); write_netcmd_and_try_flush(cmd); 
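Review bot: In `session::queue_anonymous_cmd` the key that wraps the session HMAC key is now chosen by name: `project.db.encrypt_rsa(remote_peer_key_name, ...)` looks it up in the local database, where the removed call encrypted to the `server_key_encoded` bytes handed in by `process_hello_cmd`. The two are equivalent only if the key stored under that name is the one whose hash was checked against the hello. The `queue_auth_cmd` hunk at -1184 makes the same switch. The hunk at -1371 sets `this->remote_peer_key_name = their_keyname` inside a block whose opening condition lies outside the hunk, so it is worth confirming that every path reaching these two functions has both set the name and verified the stored key. An invariant before each call, `I(!remote_peer_key_name().empty());`, would catch an unset name early, and a comment at the assignment should say that the name is peer-supplied and trusted only after the hash comparison.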
@@ -1184,14 +1177,12 @@ session::queue_auth_cmd(protocol_role ro id const & client, id const & nonce1, id const & nonce2, - string const & signature, - base64 server_key_encoded) + string const & signature) { netcmd cmd; rsa_oaep_sha_data hmac_key_encrypted; I(use_transport_auth); - encrypt_rsa(keys, remote_peer_key_name, server_key_encoded, - nonce2(), hmac_key_encrypted); + project.db.encrypt_rsa(remote_peer_key_name, nonce2(), hmac_key_encrypted); cmd.write_auth_cmd(role, include_pattern, exclude_pattern, client, nonce1, hmac_key_encrypted, signature); write_netcmd_and_try_flush(cmd); @@ -1371,6 +1362,7 @@ session::process_hello_cmd(rsa_keypair_i id their_key_hash_decoded; decode_hexenc(their_key_hash, their_key_hash_decoded); this->remote_peer_key_hash = their_key_hash_decoded; + this->remote_peer_key_name = their_keyname; } // clients always include in the synchronization set, every branch that the @@ -1410,13 +1402,12 @@ session::process_hello_cmd(rsa_keypair_i // make a new nonce of our own and send off the 'auth' queue_auth_cmd(this->role, our_include_pattern, our_exclude_pattern, - our_key_hash_raw, nonce, mk_nonce(), sig_raw(), - their_key_encoded); + our_key_hash_raw, nonce, mk_nonce(), sig_raw()); } else { queue_anonymous_cmd(this->role, our_include_pattern, - our_exclude_pattern, mk_nonce(), their_key_encoded); + our_exclude_pattern, mk_nonce()); } lua.hook_note_netsync_start(session_id, "client", this->role,