From 9d0572da23c76bf6fed84d873e2736afaa8d59d0 Mon Sep 17 00:00:00 2001 From: deWiced Date: Mon, 26 Jun 2017 06:35:49 -0700 Subject: [PATCH 1/9] Added nodewatcher-agent development section to README. --- README.rst | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/README.rst b/README.rst index f280c1f..50f0a17 100644 --- a/README.rst +++ b/README.rst @@ -137,3 +137,45 @@ discuss the project, use `nodewatcher mailing list`_. .. _open a new one: https://dev.wlan-si.net/newticket .. _GitHub: https://github.com/wlanslovenija/nodewatcher-agent .. _nodewatcher mailing list: https://wlan-si.net/lists/info/nodewatcher + +Development setup +----------------- + +To build the master version of nodewatcher-agent package a buildroot needs to be set up. Checkout `firmware-core`_ and use the scripts which automatically download all the relevant feeds and create the buildroot in `build/lede`: + + ./lede/scripts/prepare v17.01.2 source.git 2da512ecf4631cd7812283f0931cf6bbf842a313 + ./lede/scripts/configure-platform x86_64 + ./lede/scripts/build-toolchain + +If building for a different platform, replace x86_64 with a desired one (e.g. ar71xx). + +To build the nodewatcher-agent and generate the desired package run: + + make package/nodewatcher-agent/{clean,compile} V=s + +Now `make` needs to be set so it builds the local version of the nodewatcher-agent. Run `make menuconfig`, go to `Advanced configuration options (for developers)` and check the `Enable package source tree override` option (press y). Exit and confirm changes. + +All that remains is to create a symlink to the development repository: + + cd package/feeds/nodewatcher/nodewatcher-agent + ln -s /home/user/path/to/nodewatcher-agent/.git git-src + +The above `make` command will now build the local HEAD version. Any changes need to be added to a temporary `commit` and edited using `git commit --amend`. + +---- + +If building for an x86_64 architecture, a virtual machine can be used for development. Run `make` in the buildroot directory to generate LEDE VM images for VMWare and VirtualBox. They will be located in `bin/targets/x86/64`. Once the VM is running, set the SSH password using `passwd` and change `lan` setting from `static` to `dhcp` using: + + uci set network.lan.proto='dhcp' + uci commit + reboot + +The built packages are located in `bin/packages/x86_64/nodewatcher` (if building for an x86_64 architecture). They need to be transferred to a target device or virtual machine and installed. The easiest way would be to set up a local network and transfer the packages using `scp -r nodewatcher root@192.168.X.X:/tmp`. Some dependencies need to be transferred from `bin/packages/x86_64/lede`, `bin/packages/x86_64/base` and `bin/targets/x86/64/packages`. + +Once all the packages are on the target machine connect to it using SSH: + + ssh -oKexAlgorithms=+'diffie-hellman-group1-sha1' root@192.168.X.X + +Go to target directories and install packages using `opkg install *.ipk`. + +Troubleshoot connection issues with commands like `uci show dropbear`, `cat /etc/passwd`, `cat /etc/shadow`, `logread`, `ip addr`... \ No newline at end of file From 00094636a2dddd36304bb84036b941d8e37f2fd5 Mon Sep 17 00:00:00 2001 From: deWiced Date: Mon, 26 Jun 2017 17:27:23 -0700 Subject: [PATCH 2/9] Updated README styling. --- README.rst | 60 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 25 deletions(-) diff --git a/README.rst b/README.rst index 50f0a17..8868364 100644 --- a/README.rst +++ b/README.rst @@ -124,58 +124,68 @@ implemented: * ``core.routing.olsr`` provides information about the node's OLSR routing daemon. -Source Code, Issue Tracker and Mailing List -------------------------------------------- - -For development *wlan slovenija* open wireless network `development Trac`_ is -used, so you can see `existing open tickets`_ or `open a new one`_ there. Source -code is available on GitHub_. If you have any questions or if you want to -discuss the project, use `nodewatcher mailing list`_. - -.. _development Trac: https://dev.wlan-si.net/wiki/Nodewatcher -.. _existing open tickets: https://dev.wlan-si.net/report/14 -.. _open a new one: https://dev.wlan-si.net/newticket -.. _GitHub: https://github.com/wlanslovenija/nodewatcher-agent -.. _nodewatcher mailing list: https://wlan-si.net/lists/info/nodewatcher - Development setup ----------------- -To build the master version of nodewatcher-agent package a buildroot needs to be set up. Checkout `firmware-core`_ and use the scripts which automatically download all the relevant feeds and create the buildroot in `build/lede`: +To build the master version of nodewatcher agent package a buildroot needs to be set up. Checkout `firmware core`_ and use the scripts which automatically download all the relevant feeds and create the buildroot in ``build/lede``:: ./lede/scripts/prepare v17.01.2 source.git 2da512ecf4631cd7812283f0931cf6bbf842a313 ./lede/scripts/configure-platform x86_64 ./lede/scripts/build-toolchain -If building for a different platform, replace x86_64 with a desired one (e.g. ar71xx). +If building for a different platform, replace ``x86_64`` with a desired one (e.g. ``ar71xx``). -To build the nodewatcher-agent and generate the desired package run: +To build the nodewatcher agent and generate the desired package run:: make package/nodewatcher-agent/{clean,compile} V=s -Now `make` needs to be set so it builds the local version of the nodewatcher-agent. Run `make menuconfig`, go to `Advanced configuration options (for developers)` and check the `Enable package source tree override` option (press y). Exit and confirm changes. +Now ``make`` needs to be set so it builds the local version of the nodewatcher agent. Run ``make menuconfig``, go to ``Advanced configuration options (for developers)`` and check the ``Enable package source tree override`` option (press y). Exit and confirm changes. -All that remains is to create a symlink to the development repository: +All that remains is to create a symlink to the development repository:: cd package/feeds/nodewatcher/nodewatcher-agent ln -s /home/user/path/to/nodewatcher-agent/.git git-src -The above `make` command will now build the local HEAD version. Any changes need to be added to a temporary `commit` and edited using `git commit --amend`. +The above ``make`` command will now build the local HEAD version. Any changes need to be added to a temporary commit and edited using ``git commit --amend``. ---- -If building for an x86_64 architecture, a virtual machine can be used for development. Run `make` in the buildroot directory to generate LEDE VM images for VMWare and VirtualBox. They will be located in `bin/targets/x86/64`. Once the VM is running, set the SSH password using `passwd` and change `lan` setting from `static` to `dhcp` using: +If building for an ``x86_64`` architecture, a virtual machine can be used for development. Run ``make`` in the buildroot directory to generate LEDE VM images for VMWare and VirtualBox. They will be located in ``bin/targets/x86/64``. Once the VM is running, set the SSH password using ``passwd`` and change ``lan`` setting from ``static`` to ``dhcp`` using:: uci set network.lan.proto='dhcp' uci commit reboot -The built packages are located in `bin/packages/x86_64/nodewatcher` (if building for an x86_64 architecture). They need to be transferred to a target device or virtual machine and installed. The easiest way would be to set up a local network and transfer the packages using `scp -r nodewatcher root@192.168.X.X:/tmp`. Some dependencies need to be transferred from `bin/packages/x86_64/lede`, `bin/packages/x86_64/base` and `bin/targets/x86/64/packages`. +The built packages are located in ``bin/packages/x86_64/nodewatcher`` (if building for an ``x86_64`` architecture). They need to be transferred to a target device or virtual machine and installed. The easiest way would be to set up a local network and transfer the packages using:: + + scp -r nodewatcher root@192.168.X.X:/tmp -Once all the packages are on the target machine connect to it using SSH: +Some dependencies need to be transferred from ``bin/packages/x86_64/lede``, ``bin/packages/x86_64/base`` and ``bin/targets/x86/64/packages``. + +Once all the packages are on the target machine connect to it using SSH:: ssh -oKexAlgorithms=+'diffie-hellman-group1-sha1' root@192.168.X.X -Go to target directories and install packages using `opkg install *.ipk`. +Go to target directories and install packages using:: + + opkg install *.ipk -Troubleshoot connection issues with commands like `uci show dropbear`, `cat /etc/passwd`, `cat /etc/shadow`, `logread`, `ip addr`... \ No newline at end of file +---- + +Troubleshoot connection issues with commands like ``uci show dropbear``, ``cat /etc/passwd``, ``cat /etc/shadow``, ``logread``, ``ip addr``... + +.. _firmware core: https://github.com/wlanslovenija/firmware-core + +Source Code, Issue Tracker and Mailing List +------------------------------------------- + +For development *wlan slovenija* open wireless network `development Trac`_ is +used, so you can see `existing open tickets`_ or `open a new one`_ there. Source +code is available on GitHub_. If you have any questions or if you want to +discuss the project, use `nodewatcher mailing list`_. + +.. _development Trac: https://dev.wlan-si.net/wiki/Nodewatcher +.. _existing open tickets: https://dev.wlan-si.net/report/14 +.. _open a new one: https://dev.wlan-si.net/newticket +.. _GitHub: https://github.com/wlanslovenija/nodewatcher-agent +.. _nodewatcher mailing list: https://wlan-si.net/lists/info/nodewatcher From a44c43e150d3e39b83578ebcbd6f8c50f4bac94e Mon Sep 17 00:00:00 2001 From: deWiced Date: Tue, 27 Jun 2017 03:46:55 -0700 Subject: [PATCH 3/9] Added commit hash warning and subsections to README. --- README.rst | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.rst b/README.rst index 8868364..a5c9fb4 100644 --- a/README.rst +++ b/README.rst @@ -133,7 +133,7 @@ To build the master version of nodewatcher agent package a buildroot needs to be ./lede/scripts/configure-platform x86_64 ./lede/scripts/build-toolchain -If building for a different platform, replace ``x86_64`` with a desired one (e.g. ``ar71xx``). +The latest version and commit hash should be looked up in the repository. If building for a different platform, replace ``x86_64`` with a desired one (e.g. ``ar71xx``). To build the nodewatcher agent and generate the desired package run:: @@ -148,7 +148,8 @@ All that remains is to create a symlink to the development repository:: The above ``make`` command will now build the local HEAD version. Any changes need to be added to a temporary commit and edited using ``git commit --amend``. ----- +Installing packages +~~~~~~~~~~~~~~~~~~~ If building for an ``x86_64`` architecture, a virtual machine can be used for development. Run ``make`` in the buildroot directory to generate LEDE VM images for VMWare and VirtualBox. They will be located in ``bin/targets/x86/64``. Once the VM is running, set the SSH password using ``passwd`` and change ``lan`` setting from ``static`` to ``dhcp`` using:: @@ -170,7 +171,8 @@ Go to target directories and install packages using:: opkg install *.ipk ----- +Troubleshooting +~~~~~~~~~~~~~~~ Troubleshoot connection issues with commands like ``uci show dropbear``, ``cat /etc/passwd``, ``cat /etc/shadow``, ``logread``, ``ip addr``... From 830468999ee798916282faad9da156a48d5b5883 Mon Sep 17 00:00:00 2001 From: deWiced Date: Tue, 27 Jun 2017 08:06:21 -0700 Subject: [PATCH 4/9] Added LEDE repository link. --- README.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.rst b/README.rst index a5c9fb4..3ebc22c 100644 --- a/README.rst +++ b/README.rst @@ -133,7 +133,7 @@ To build the master version of nodewatcher agent package a buildroot needs to be ./lede/scripts/configure-platform x86_64 ./lede/scripts/build-toolchain -The latest version and commit hash should be looked up in the repository. If building for a different platform, replace ``x86_64`` with a desired one (e.g. ``ar71xx``). +The latest LEDE version and commit hash should be looked up in the repository_. If building for a different platform, replace ``x86_64`` with a desired one (e.g. ``ar71xx``). To build the nodewatcher agent and generate the desired package run:: @@ -177,6 +177,7 @@ Troubleshooting Troubleshoot connection issues with commands like ``uci show dropbear``, ``cat /etc/passwd``, ``cat /etc/shadow``, ``logread``, ``ip addr``... .. _firmware core: https://github.com/wlanslovenija/firmware-core +.. _repository: https://github.com/lede-project/source/releases Source Code, Issue Tracker and Mailing List ------------------------------------------- From da088ef84819a29d7572838d14f59224c1092238 Mon Sep 17 00:00:00 2001 From: deWiced Date: Thu, 20 Jul 2017 17:40:17 -0700 Subject: [PATCH 5/9] HMAC signing for http push using OpenSSL. --- modules/http_push.c | 54 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 43 insertions(+), 11 deletions(-) diff --git a/modules/http_push.c b/modules/http_push.c index 2381b2a..60d45dc 100644 --- a/modules/http_push.c +++ b/modules/http_push.c @@ -22,6 +22,7 @@ #include #include +#include /* Timestamp when last successful push occurred. */ static time_t last_push_at = 0; @@ -49,6 +50,7 @@ static int nw_http_push_start_acquire_data(struct nodewatcher_module *module, /* Get the configured URL from UCI. */ char *url = nw_uci_get_string(uci, "nodewatcher.@agent[0].push_url"); + if (url) { /* Collect all the module data and perform the push. */ json_object *data = nw_module_get_output(); @@ -61,30 +63,60 @@ static int nw_http_push_start_acquire_data(struct nodewatcher_module *module, /* Default. */ timeout = 5; } + + const char* data_string = json_object_to_json_string(data); // TODO: const? + curl_easy_setopt(curl, CURLOPT_TIMEOUT, timeout); curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1); curl_easy_setopt(curl, CURLOPT_URL, url); curl_easy_setopt(curl, CURLOPT_POST, 1); - curl_easy_setopt(curl, CURLOPT_POSTFIELDS, json_object_to_json_string(data)); + curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data_string); + #if LIBCURL_VERSION_NUM >= 0x072700 /* Pin server-side public key when configured. */ char *server_pubkey = nw_uci_get_string(uci, "nodewatcher.@agent[0].push_server_pubkey"); + char *auth_type = nw_uci_get_string(uci, "nodewatcher.@agent[0].authentication_method"); + if (server_pubkey) { - curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); - curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, server_pubkey); + if (strcmp(auth_type, "hmac") == 0) { + unsigned char *hmac_result = HMAC(EVP_sha256(), server_pubkey, strlen(server_pubkey), (unsigned char *)data_string, strlen(data_string), NULL, NULL); + char signature[((strlen((char *)hmac_result)+2)/3)*4]; + + if (nw_base64_encode(hmac_result, strlen((char *)hmac_result), signature, sizeof(signature)) == 0) { + char sig_dest[26+sizeof(signature)]; + strcat(strcpy(sig_dest, "X-Nodewatcher-Signature: "), signature); + + struct curl_slist *chunk = NULL; + chunk = curl_slist_append(chunk, "X-Nodewatcher-Signature-Algorithm: hmac-sha256"); + chunk = curl_slist_append(chunk, sig_dest); + curl_easy_setopt(curl, CURLOPT_HTTPHEADER, chunk); + } + + free(hmac_result); + + } else { + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); + curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, server_pubkey); + } + free(server_pubkey); + free(auth_type); } #endif + /* Setup client authentication when configured. */ - char *client_certificate = nw_uci_get_string(uci, "nodewatcher.@agent[0].push_client_certificate"); - char *client_key = nw_uci_get_string(uci, "nodewatcher.@agent[0].push_client_key"); - if (client_certificate && client_key) { - curl_easy_setopt(curl, CURLOPT_SSLCERT, client_certificate); - curl_easy_setopt(curl, CURLOPT_SSLKEY, client_key); - } + if (strcmp(auth_type, "hmac") != 0) { + char *client_certificate = nw_uci_get_string(uci, "nodewatcher.@agent[0].push_client_certificate"); + char *client_key = nw_uci_get_string(uci, "nodewatcher.@agent[0].push_client_key"); - free(client_certificate); - free(client_key); + if (client_certificate && client_key) { + curl_easy_setopt(curl, CURLOPT_SSLCERT, client_certificate); + curl_easy_setopt(curl, CURLOPT_SSLKEY, client_key); + } + + free(client_certificate); + free(client_key); + } /* Provide a buffer to store errors in. */ char errbuf[CURL_ERROR_SIZE]; From 9489e58b77f5ced6d3b241d3de999ce484f13c10 Mon Sep 17 00:00:00 2001 From: deWiced Date: Fri, 21 Jul 2017 04:51:01 -0700 Subject: [PATCH 6/9] Separate HMAC code block, HMAC key setting, variable renaming. --- modules/http_push.c | 43 +++++++++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/modules/http_push.c b/modules/http_push.c index 60d45dc..80e94cd 100644 --- a/modules/http_push.c +++ b/modules/http_push.c @@ -22,6 +22,7 @@ #include #include +#include #include /* Timestamp when last successful push occurred. */ @@ -64,7 +65,7 @@ static int nw_http_push_start_acquire_data(struct nodewatcher_module *module, timeout = 5; } - const char* data_string = json_object_to_json_string(data); // TODO: const? + const char* data_string = json_object_to_json_string(data); curl_easy_setopt(curl, CURLOPT_TIMEOUT, timeout); curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1); @@ -72,14 +73,13 @@ static int nw_http_push_start_acquire_data(struct nodewatcher_module *module, curl_easy_setopt(curl, CURLOPT_POST, 1); curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data_string); -#if LIBCURL_VERSION_NUM >= 0x072700 - /* Pin server-side public key when configured. */ - char *server_pubkey = nw_uci_get_string(uci, "nodewatcher.@agent[0].push_server_pubkey"); - char *auth_type = nw_uci_get_string(uci, "nodewatcher.@agent[0].authentication_method"); - - if (server_pubkey) { - if (strcmp(auth_type, "hmac") == 0) { - unsigned char *hmac_result = HMAC(EVP_sha256(), server_pubkey, strlen(server_pubkey), (unsigned char *)data_string, strlen(data_string), NULL, NULL); + const char *auth_type = nw_uci_get_string(uci, "nodewatcher.@agent[0].push_authentication_method"); // TODO: is hmac default? + + if (strcasecmp(auth_type, "hmac") == 0) { + const char *hmac_key = nw_uci_get_string(uci, "nodewatcher.@agent[0].hmac_key"); + + if (hmac_key) { + const unsigned char *hmac_result = HMAC(EVP_sha256(), hmac_key, strlen(hmac_key), (unsigned char *)data_string, strlen(data_string), NULL, NULL); char signature[((strlen((char *)hmac_result)+2)/3)*4]; if (nw_base64_encode(hmac_result, strlen((char *)hmac_result), signature, sizeof(signature)) == 0) { @@ -92,20 +92,24 @@ static int nw_http_push_start_acquire_data(struct nodewatcher_module *module, curl_easy_setopt(curl, CURLOPT_HTTPHEADER, chunk); } - free(hmac_result); + free((unsigned char *)hmac_result); + } + + free((char *)hmac_key); + + } else { - } else { +#if LIBCURL_VERSION_NUM >= 0x072700 + /* Pin server-side public key when configured. */ + char *server_pubkey = nw_uci_get_string(uci, "nodewatcher.@agent[0].push_server_pubkey"); + + if (server_pubkey) { curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, server_pubkey); + free(server_pubkey); } - - free(server_pubkey); - free(auth_type); - } #endif - - /* Setup client authentication when configured. */ - if (strcmp(auth_type, "hmac") != 0) { + /* Setup client authentication when configured. */ char *client_certificate = nw_uci_get_string(uci, "nodewatcher.@agent[0].push_client_certificate"); char *client_key = nw_uci_get_string(uci, "nodewatcher.@agent[0].push_client_key"); @@ -118,6 +122,9 @@ static int nw_http_push_start_acquire_data(struct nodewatcher_module *module, free(client_key); } + free((char *)data_string); + free((char *)auth_type); + /* Provide a buffer to store errors in. */ char errbuf[CURL_ERROR_SIZE]; curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errbuf); From 8453843d1c4eb2dd1a9aa3170c020b99471777c4 Mon Sep 17 00:00:00 2001 From: deWiced Date: Sun, 23 Jul 2017 05:23:02 -0700 Subject: [PATCH 7/9] Hmac implementation, temporary sha256, updated http_push module. --- common/hmac.c | 47 +++++++++ common/sha256.c | 159 +++++++++++++++++++++++++++++ include/nodewatcher-agent/hmac.h | 12 +++ include/nodewatcher-agent/sha256.h | 31 ++++++ modules/http_push.c | 20 ++-- 5 files changed, 259 insertions(+), 10 deletions(-) create mode 100644 common/hmac.c create mode 100644 common/sha256.c create mode 100644 include/nodewatcher-agent/hmac.h create mode 100644 include/nodewatcher-agent/sha256.h diff --git a/common/hmac.c b/common/hmac.c new file mode 100644 index 0000000..b2d839a --- /dev/null +++ b/common/hmac.c @@ -0,0 +1,47 @@ +#include + +void sha256(const BYTE *text, BYTE *buf) +{ + SHA256_CTX ctx; + sha256_init(&ctx); + sha256_update(&ctx, text, strlen((char *)text)); + sha256_final(&ctx, buf); +} + +void hmac(BYTE *key, int key_len, const BYTE *data, int data_len, BYTE *hmac_out) +{ + BYTE key_buf[SHA256_BLOCK_SIZE] = {0}; + + if (key_len > SHA256_BLOCK_SIZE) { + sha256(key, key_buf); + } + if (key_len < SHA256_BLOCK_SIZE) { + memcpy(key_buf, key, key_len); + } + + for (int i = 0; i < SHA256_BLOCK_SIZE; i++) { + key_buf[i] ^= 0x36; + } + + size_t buf_size = SHA256_BLOCK_SIZE + data_len; + BYTE *in_buf = (BYTE *)malloc(buf_size); + memset(in_buf, 0x00, buf_size); + memcpy(in_buf, key_buf, SHA256_BLOCK_SIZE); + memcpy(in_buf + SHA256_BLOCK_SIZE, data, data_len); + memset(hmac_out, 0x00, SHA256_HASH_SIZE); + sha256(in_buf, hmac_out); + + for (int i = 0; i < SHA256_BLOCK_SIZE; i++) { + key_buf[i] ^= 0x36 ^ 0x5c; + } + + buf_size = SHA256_BLOCK_SIZE + SHA256_HASH_SIZE + 1; + in_buf = (BYTE *)realloc(in_buf, buf_size); + memset(in_buf, 0x00, buf_size); + memcpy(in_buf, key_buf, SHA256_BLOCK_SIZE); + memcpy(in_buf + SHA256_BLOCK_SIZE, hmac_out, SHA256_HASH_SIZE); + memset(hmac_out, 0x00, SHA256_HASH_SIZE); + sha256(in_buf, hmac_out); + + free(in_buf); +} \ No newline at end of file diff --git a/common/sha256.c b/common/sha256.c new file mode 100644 index 0000000..56ad3d7 --- /dev/null +++ b/common/sha256.c @@ -0,0 +1,159 @@ +/********************************************************************* +* Filename: sha256.c +* Author: Brad Conte (brad AT bradconte.com) +* Copyright: +* Disclaimer: This code is presented "as is" without any guarantees. +* Details: Implementation of the SHA-256 hashing algorithm. + SHA-256 is one of the three algorithms in the SHA2 + specification. The others, SHA-384 and SHA-512, are not + offered in this implementation. + Algorithm specification can be found here: + * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf + This implementation uses little endian byte order. +*********************************************************************/ + +/*************************** HEADER FILES ***************************/ +#include + +#include +#include + +/****************************** MACROS ******************************/ +#define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b)))) +#define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b)))) + +#define CH(x,y,z) (((x) & (y)) ^ (~(x) & (z))) +#define MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) +#define EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22)) +#define EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25)) +#define SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3)) +#define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10)) + +/**************************** VARIABLES *****************************/ +static const WORD k[64] = { + 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5, + 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174, + 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da, + 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967, + 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85, + 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070, + 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3, + 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 +}; + +/*********************** FUNCTION DEFINITIONS ***********************/ +void sha256_transform(SHA256_CTX *ctx, const BYTE data[]) +{ + WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64]; + + for (i = 0, j = 0; i < 16; ++i, j += 4) + m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]); + for ( ; i < 64; ++i) + m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16]; + + a = ctx->state[0]; + b = ctx->state[1]; + c = ctx->state[2]; + d = ctx->state[3]; + e = ctx->state[4]; + f = ctx->state[5]; + g = ctx->state[6]; + h = ctx->state[7]; + + for (i = 0; i < 64; ++i) { + t1 = h + EP1(e) + CH(e,f,g) + k[i] + m[i]; + t2 = EP0(a) + MAJ(a,b,c); + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + } + + ctx->state[0] += a; + ctx->state[1] += b; + ctx->state[2] += c; + ctx->state[3] += d; + ctx->state[4] += e; + ctx->state[5] += f; + ctx->state[6] += g; + ctx->state[7] += h; +} + +void sha256_init(SHA256_CTX *ctx) +{ + ctx->datalen = 0; + ctx->bitlen = 0; + ctx->state[0] = 0x6a09e667; + ctx->state[1] = 0xbb67ae85; + ctx->state[2] = 0x3c6ef372; + ctx->state[3] = 0xa54ff53a; + ctx->state[4] = 0x510e527f; + ctx->state[5] = 0x9b05688c; + ctx->state[6] = 0x1f83d9ab; + ctx->state[7] = 0x5be0cd19; +} + +void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len) +{ + WORD i; + + for (i = 0; i < len; ++i) { + ctx->data[ctx->datalen] = data[i]; + ctx->datalen++; + if (ctx->datalen == 64) { + sha256_transform(ctx, ctx->data); + ctx->bitlen += 512; + ctx->datalen = 0; + } + } +} + +void sha256_final(SHA256_CTX *ctx, BYTE hash[]) +{ + WORD i; + + i = ctx->datalen; + + // Pad whatever data is left in the buffer. + if (ctx->datalen < 56) { + ctx->data[i++] = 0x80; + while (i < 56) + ctx->data[i++] = 0x00; + } + else { + ctx->data[i++] = 0x80; + while (i < 64) + ctx->data[i++] = 0x00; + sha256_transform(ctx, ctx->data); + memset(ctx->data, 0, 56); + } + + // Append to the padding the total message's length in bits and transform. + ctx->bitlen += ctx->datalen * 8; + ctx->data[63] = ctx->bitlen; + ctx->data[62] = ctx->bitlen >> 8; + ctx->data[61] = ctx->bitlen >> 16; + ctx->data[60] = ctx->bitlen >> 24; + ctx->data[59] = ctx->bitlen >> 32; + ctx->data[58] = ctx->bitlen >> 40; + ctx->data[57] = ctx->bitlen >> 48; + ctx->data[56] = ctx->bitlen >> 56; + sha256_transform(ctx, ctx->data); + + // Since this implementation uses little endian byte ordering and SHA uses big endian, + // reverse all the bytes when copying the final state to the output hash. + for (i = 0; i < 4; ++i) { + hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff; + hash[i + 4] = (ctx->state[1] >> (24 - i * 8)) & 0x000000ff; + hash[i + 8] = (ctx->state[2] >> (24 - i * 8)) & 0x000000ff; + hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0x000000ff; + hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0x000000ff; + hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0x000000ff; + hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff; + hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff; + } +} \ No newline at end of file diff --git a/include/nodewatcher-agent/hmac.h b/include/nodewatcher-agent/hmac.h new file mode 100644 index 0000000..eec77a3 --- /dev/null +++ b/include/nodewatcher-agent/hmac.h @@ -0,0 +1,12 @@ +#ifndef NODEWATCHER_AGENT_HMAC_H +#define NODEWATCHER_AGENT_HMAC_H + +#include + +#define SHA256_HASH_SIZE 32 +#define SHA256_BLOCK_SIZE 64 + +void sha256(const BYTE *text, BYTE *buf); +void hmac(BYTE *key, int key_len, const BYTE *data, int data_len, BYTE *hmac_out); + +#endif // NODEWATCHER_AGENT_HMAC_H \ No newline at end of file diff --git a/include/nodewatcher-agent/sha256.h b/include/nodewatcher-agent/sha256.h new file mode 100644 index 0000000..097860f --- /dev/null +++ b/include/nodewatcher-agent/sha256.h @@ -0,0 +1,31 @@ +/********************************************************************* +* Filename: sha256.h +* Author: Brad Conte (brad AT bradconte.com) +* Copyright: +* Disclaimer: This code is presented "as is" without any guarantees. +* Details: Defines the API for the corresponding SHA1 implementation. +*********************************************************************/ + +#ifndef SHA256_H +#define SHA256_H + +/*************************** HEADER FILES ***************************/ +#include + +/**************************** DATA TYPES ****************************/ +typedef unsigned char BYTE; // 8-bit byte +typedef unsigned int WORD; // 32-bit word, change to "long" for 16-bit machines + +typedef struct { + BYTE data[64]; + WORD datalen; + unsigned long long bitlen; + WORD state[8]; +} SHA256_CTX; + +/*********************** FUNCTION DECLARATIONS **********************/ +void sha256_init(SHA256_CTX *ctx); +void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len); +void sha256_final(SHA256_CTX *ctx, BYTE hash[]); + +#endif // SHA256_H \ No newline at end of file diff --git a/modules/http_push.c b/modules/http_push.c index 80e94cd..e92e4e5 100644 --- a/modules/http_push.c +++ b/modules/http_push.c @@ -19,11 +19,11 @@ #include #include #include +#include #include #include -#include -#include +#include /* Timestamp when last successful push occurred. */ static time_t last_push_at = 0; @@ -79,20 +79,20 @@ static int nw_http_push_start_acquire_data(struct nodewatcher_module *module, const char *hmac_key = nw_uci_get_string(uci, "nodewatcher.@agent[0].hmac_key"); if (hmac_key) { - const unsigned char *hmac_result = HMAC(EVP_sha256(), hmac_key, strlen(hmac_key), (unsigned char *)data_string, strlen(data_string), NULL, NULL); - char signature[((strlen((char *)hmac_result)+2)/3)*4]; + unsigned char hmac_out[SHA256_HASH_SIZE]; + hmac((unsigned char *)hmac_key, strlen(hmac_key), (unsigned char *)data_string, strlen(data_string), hmac_out); - if (nw_base64_encode(hmac_result, strlen((char *)hmac_result), signature, sizeof(signature)) == 0) { - char sig_dest[26+sizeof(signature)]; - strcat(strcpy(sig_dest, "X-Nodewatcher-Signature: "), signature); + char signature[SHA256_HASH_SIZE + 1] = {0}; + + if (nw_base64_encode(hmac_out, SHA256_HASH_SIZE, signature, SHA256_HASH_SIZE) == 0) { + char signature_header[26+sizeof(signature)] = {0}; + strcat(strcpy(signature_header, "X-Nodewatcher-Signature: "), signature); struct curl_slist *chunk = NULL; chunk = curl_slist_append(chunk, "X-Nodewatcher-Signature-Algorithm: hmac-sha256"); - chunk = curl_slist_append(chunk, sig_dest); + chunk = curl_slist_append(chunk, signature_header); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, chunk); } - - free((unsigned char *)hmac_result); } free((char *)hmac_key); From 7abca81d4085c1906543d9cd92dd94a1a15455b4 Mon Sep 17 00:00:00 2001 From: deWiced Date: Mon, 24 Jul 2017 12:07:38 -0700 Subject: [PATCH 8/9] Style changes, variable renaming. --- common/hmac.c | 10 +++++----- common/sha256.c | 2 +- include/nodewatcher-agent/hmac.h | 4 ++-- include/nodewatcher-agent/sha256.h | 2 +- modules/http_push.c | 10 +++++----- 5 files changed, 14 insertions(+), 14 deletions(-) diff --git a/common/hmac.c b/common/hmac.c index b2d839a..7f045d0 100644 --- a/common/hmac.c +++ b/common/hmac.c @@ -4,11 +4,11 @@ void sha256(const BYTE *text, BYTE *buf) { SHA256_CTX ctx; sha256_init(&ctx); - sha256_update(&ctx, text, strlen((char *)text)); + sha256_update(&ctx, text, strlen((char*) text)); sha256_final(&ctx, buf); } -void hmac(BYTE *key, int key_len, const BYTE *data, int data_len, BYTE *hmac_out) +void hmac_sha256(BYTE *key, int key_len, const BYTE *data, int data_len, BYTE *hmac_out) { BYTE key_buf[SHA256_BLOCK_SIZE] = {0}; @@ -24,7 +24,7 @@ void hmac(BYTE *key, int key_len, const BYTE *data, int data_len, BYTE *hmac_out } size_t buf_size = SHA256_BLOCK_SIZE + data_len; - BYTE *in_buf = (BYTE *)malloc(buf_size); + BYTE *in_buf = (BYTE*) malloc(buf_size); memset(in_buf, 0x00, buf_size); memcpy(in_buf, key_buf, SHA256_BLOCK_SIZE); memcpy(in_buf + SHA256_BLOCK_SIZE, data, data_len); @@ -36,7 +36,7 @@ void hmac(BYTE *key, int key_len, const BYTE *data, int data_len, BYTE *hmac_out } buf_size = SHA256_BLOCK_SIZE + SHA256_HASH_SIZE + 1; - in_buf = (BYTE *)realloc(in_buf, buf_size); + in_buf = (BYTE*) realloc(in_buf, buf_size); memset(in_buf, 0x00, buf_size); memcpy(in_buf, key_buf, SHA256_BLOCK_SIZE); memcpy(in_buf + SHA256_BLOCK_SIZE, hmac_out, SHA256_HASH_SIZE); @@ -44,4 +44,4 @@ void hmac(BYTE *key, int key_len, const BYTE *data, int data_len, BYTE *hmac_out sha256(in_buf, hmac_out); free(in_buf); -} \ No newline at end of file +} diff --git a/common/sha256.c b/common/sha256.c index 56ad3d7..ff53b39 100644 --- a/common/sha256.c +++ b/common/sha256.c @@ -156,4 +156,4 @@ void sha256_final(SHA256_CTX *ctx, BYTE hash[]) hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff; hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff; } -} \ No newline at end of file +} diff --git a/include/nodewatcher-agent/hmac.h b/include/nodewatcher-agent/hmac.h index eec77a3..900f563 100644 --- a/include/nodewatcher-agent/hmac.h +++ b/include/nodewatcher-agent/hmac.h @@ -7,6 +7,6 @@ #define SHA256_BLOCK_SIZE 64 void sha256(const BYTE *text, BYTE *buf); -void hmac(BYTE *key, int key_len, const BYTE *data, int data_len, BYTE *hmac_out); +void hmac_sha256(BYTE *key, int key_len, const BYTE *data, int data_len, BYTE *hmac_out); -#endif // NODEWATCHER_AGENT_HMAC_H \ No newline at end of file +#endif // NODEWATCHER_AGENT_HMAC_H diff --git a/include/nodewatcher-agent/sha256.h b/include/nodewatcher-agent/sha256.h index 097860f..da31d4b 100644 --- a/include/nodewatcher-agent/sha256.h +++ b/include/nodewatcher-agent/sha256.h @@ -28,4 +28,4 @@ void sha256_init(SHA256_CTX *ctx); void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len); void sha256_final(SHA256_CTX *ctx, BYTE hash[]); -#endif // SHA256_H \ No newline at end of file +#endif // SHA256_H diff --git a/modules/http_push.c b/modules/http_push.c index e92e4e5..bf2fd97 100644 --- a/modules/http_push.c +++ b/modules/http_push.c @@ -73,14 +73,14 @@ static int nw_http_push_start_acquire_data(struct nodewatcher_module *module, curl_easy_setopt(curl, CURLOPT_POST, 1); curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data_string); - const char *auth_type = nw_uci_get_string(uci, "nodewatcher.@agent[0].push_authentication_method"); // TODO: is hmac default? + const char *auth_type = nw_uci_get_string(uci, "nodewatcher.@agent[0].push_authentication_method"); if (strcasecmp(auth_type, "hmac") == 0) { const char *hmac_key = nw_uci_get_string(uci, "nodewatcher.@agent[0].hmac_key"); if (hmac_key) { unsigned char hmac_out[SHA256_HASH_SIZE]; - hmac((unsigned char *)hmac_key, strlen(hmac_key), (unsigned char *)data_string, strlen(data_string), hmac_out); + hmac_sha256((unsigned char*) hmac_key, strlen(hmac_key), (unsigned char*) data_string, strlen(data_string), hmac_out); char signature[SHA256_HASH_SIZE + 1] = {0}; @@ -95,7 +95,7 @@ static int nw_http_push_start_acquire_data(struct nodewatcher_module *module, } } - free((char *)hmac_key); + free((char*) hmac_key); } else { @@ -122,8 +122,8 @@ static int nw_http_push_start_acquire_data(struct nodewatcher_module *module, free(client_key); } - free((char *)data_string); - free((char *)auth_type); + free((char*) data_string); + free((char*) auth_type); /* Provide a buffer to store errors in. */ char errbuf[CURL_ERROR_SIZE]; From 7e13185a8426f2eb1cee132990414a11204d46f4 Mon Sep 17 00:00:00 2001 From: deWiced Date: Mon, 24 Jul 2017 14:16:26 -0700 Subject: [PATCH 9/9] Added missing licence to new files. --- common/hmac.c | 18 ++++++++++++++++++ include/nodewatcher-agent/hmac.h | 18 ++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/common/hmac.c b/common/hmac.c index 7f045d0..f1a577e 100644 --- a/common/hmac.c +++ b/common/hmac.c @@ -1,3 +1,21 @@ +/* + * nodewatcher-agent - remote monitoring daemon + * + * Copyright (C) 2017 Anej Placer + * + * This program is free software: you can redistribute it and/or modify it + * under the terms of the GNU Affero General Public License as published by the + * Free Software Foundation, either version 3 of the License, or (at your + * option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License + * for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ #include void sha256(const BYTE *text, BYTE *buf) diff --git a/include/nodewatcher-agent/hmac.h b/include/nodewatcher-agent/hmac.h index 900f563..e90ef11 100644 --- a/include/nodewatcher-agent/hmac.h +++ b/include/nodewatcher-agent/hmac.h @@ -1,3 +1,21 @@ +/* + * nodewatcher-agent - remote monitoring daemon + * + * Copyright (C) 2017 Anej Placer + * + * This program is free software: you can redistribute it and/or modify it + * under the terms of the GNU Affero General Public License as published by the + * Free Software Foundation, either version 3 of the License, or (at your + * option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License + * for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ #ifndef NODEWATCHER_AGENT_HMAC_H #define NODEWATCHER_AGENT_HMAC_H