Security fix
This commit is contained in:
UnlegitDqrk
@@ -13,6 +13,7 @@ import org.openautonomousconnection.protocol.side.server.CustomConnectedClient;
|
||||
import org.openautonomousconnection.protocol.side.server.events.S_CustomClientConnectedEvent;
|
||||
import org.openautonomousconnection.protocol.versions.ProtocolVersion;
|
||||
import org.openautonomousconnection.protocol.versions.v1_0_0.beta.INSResponseStatus;
|
||||
import org.openautonomousconnection.protocol.versions.v1_0_0.beta.TOFUFeedback;
|
||||
|
||||
import java.io.*;
|
||||
import java.util.UUID;
|
||||
@@ -59,9 +60,7 @@ public final class AuthPacket extends OACPacket {
|
||||
if (protocolBridge.isRunningAsINSServer()) {
|
||||
objectOutputStream.writeUTF(protocolBridge.getProtocolVersion().name());
|
||||
|
||||
String caKey = "N/A";
|
||||
String caPem = "N/A";
|
||||
String caSrl = "N/A";
|
||||
|
||||
try {
|
||||
String caPrefix = protocolBridge.getProtocolServer().getFolderStructure().getCaPrefix()
|
||||
@@ -69,32 +68,19 @@ public final class AuthPacket extends OACPacket {
|
||||
|
||||
objectOutputStream.writeUTF(caPrefix);
|
||||
|
||||
caKey = FileUtils.readFileFull(new File(
|
||||
protocolBridge.getProtocolServer().getFolderStructure().privateCAFolder,
|
||||
caPrefix + ".key"));
|
||||
|
||||
caPem = FileUtils.readFileFull(new File(
|
||||
protocolBridge.getProtocolServer().getFolderStructure().publicCAFolder,
|
||||
caPrefix + ".pem"));
|
||||
|
||||
caSrl = FileUtils.readFileFull(new File(
|
||||
protocolBridge.getProtocolServer().getFolderStructure().publicCAFolder,
|
||||
caPrefix + ".srl"));
|
||||
} catch (Exception exception) {
|
||||
protocolBridge.getLogger().exception("Failed to read ca-files", exception);
|
||||
setResponseCode(INSResponseStatus.RESPONSE_AUTH_FAILED);
|
||||
}
|
||||
|
||||
objectOutputStream.writeUTF(caKey);
|
||||
objectOutputStream.writeUTF(caPem);
|
||||
objectOutputStream.writeUTF(caSrl);
|
||||
return;
|
||||
}
|
||||
|
||||
if (protocolBridge.isRunningAsClient()) {
|
||||
// FIX: Send the connection id of the connection this auth is meant for.
|
||||
// If we are connecting/authing against INS, use INS connectionId.
|
||||
// Otherwise use Server connectionId.
|
||||
UUID clientConnectionId = null;
|
||||
|
||||
if (protocolBridge.getProtocolClient() != null) {
|
||||
@@ -161,27 +147,58 @@ public final class AuthPacket extends OACPacket {
|
||||
setResponseCode(INSResponseStatus.RESPONSE_AUTH_SUCCESS);
|
||||
|
||||
String caPrefix = objectInputStream.readUTF();
|
||||
|
||||
String caKey = objectInputStream.readUTF();
|
||||
String caPem = objectInputStream.readUTF();
|
||||
String caSrl = objectInputStream.readUTF();
|
||||
|
||||
if (caKey.equalsIgnoreCase("N/A") || caPem.equalsIgnoreCase("N/A") || caSrl.equalsIgnoreCase("N/A")) {
|
||||
if (!caPrefix.matches("^[a-zA-Z0-9_-]+$")) {
|
||||
setResponseCode(INSResponseStatus.RESPONSE_AUTH_FAILED);
|
||||
return;
|
||||
}
|
||||
|
||||
if (caPem.equalsIgnoreCase("N/A")) {
|
||||
setResponseCode(INSResponseStatus.RESPONSE_AUTH_FAILED);
|
||||
} else {
|
||||
|
||||
byte[] caBytes = caPem.getBytes(java.nio.charset.StandardCharsets.UTF_8);
|
||||
java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA-256");
|
||||
String fp = java.util.HexFormat.of().formatHex(md.digest(caBytes));
|
||||
|
||||
|
||||
File caPemFile = new File(protocolBridge.getProtocolClient().getFolderStructure().publicCAFolder, caPrefix + ".pem");
|
||||
File caSrlFile = new File(protocolBridge.getProtocolClient().getFolderStructure().publicCAFolder, caPrefix + ".srl");
|
||||
File caKeyFile = new File(protocolBridge.getProtocolClient().getFolderStructure().privateCAFolder, caPrefix + ".key");
|
||||
|
||||
File fpFile = new File(
|
||||
protocolBridge.getProtocolClient().getFolderStructure().publicCAFolder,
|
||||
caPrefix + ".fp");
|
||||
|
||||
boolean allowWritePem = false;
|
||||
|
||||
if (fpFile.exists()) {
|
||||
String existing = FileUtils.readFileFull(fpFile).trim();
|
||||
TOFUFeedback feedback = protocolBridge.getProtocolClient().insFingerprintChanged(existing, fp);
|
||||
if (feedback == TOFUFeedback.DISCONNECT) {
|
||||
setResponseCode(INSResponseStatus.RESPONSE_AUTH_FAILED);
|
||||
protocolBridge.getProtocolClient().getClientINSConnection().disconnect();
|
||||
return;
|
||||
}
|
||||
if (feedback == TOFUFeedback.TRUST) { FileUtils.writeFile(fpFile, fp + System.lineSeparator()); allowWritePem = true; }
|
||||
} else {
|
||||
TOFUFeedback feedback = protocolBridge.getProtocolClient().trustINS(fp);
|
||||
if (feedback == TOFUFeedback.DISCONNECT) {
|
||||
setResponseCode(INSResponseStatus.RESPONSE_AUTH_FAILED);
|
||||
protocolBridge.getProtocolClient().getClientINSConnection().disconnect();
|
||||
return;
|
||||
}
|
||||
if (feedback == TOFUFeedback.TRUST) { FileUtils.writeFile(fpFile, fp + System.lineSeparator()); allowWritePem = true; }
|
||||
}
|
||||
|
||||
if (!allowWritePem) {
|
||||
setResponseCode(INSResponseStatus.RESPONSE_AUTH_FAILED); return;
|
||||
}
|
||||
|
||||
try {
|
||||
if (!caPemFile.exists()) caPemFile.createNewFile();
|
||||
if (!caSrlFile.exists()) caSrlFile.createNewFile();
|
||||
if (!caKeyFile.exists()) caKeyFile.createNewFile();
|
||||
|
||||
// FIX: Correct file assignments.
|
||||
FileUtils.writeFile(caPemFile, caPem);
|
||||
FileUtils.writeFile(caSrlFile, caSrl);
|
||||
FileUtils.writeFile(caKeyFile, caKey);
|
||||
} catch (Exception exception) {
|
||||
protocolBridge.getLogger().exception("Failed to create/save ca-files", exception);
|
||||
setResponseCode(INSResponseStatus.RESPONSE_AUTH_FAILED);
|
||||
|
||||
Reference in New Issue
Block a user