git-master/AuthHMAC_8cpp_source.html

/*

 * SPDX-FileCopyrightText: 2006-2021 Istituto Italiano di Tecnologia (IIT)

 * SPDX-FileCopyrightText: 2010 Daniel Krieg <krieg@fias.uni-frankfurt.de>

 * SPDX-License-Identifier: BSD-3-Clause

 */


#include <yarp/os/impl/AuthHMAC.h>


#include <yarp/os/Bytes.h>

#include <yarp/os/Network.h>

#include <yarp/os/Property.h>

#include <yarp/os/ResourceFinder.h>

#include <yarp/os/impl/NameClient.h>

#include <yarp/os/impl/LogComponent.h>


#include <cstdio>

#include <cstdlib>

#include <cstring>

#include <ctime>

#include <random>

#include <string>


namespace {

YARP_OS_LOG_COMPONENT(AUTHHMAC, "yarp.os.impl.AuthHMAC")

} // namespace


void show_hmac_debug(unsigned char* hex, unsigned int length, const std::string& context)

{

    char* buf;

    int off = context.length();

    buf = new char[length * 3 + off + 2];

    strcpy(buf, context.c_str());

    for (unsigned int i = 0; i < length; i++) {

        sprintf(&(buf[off + i * 3]), "%X ", hex[i]);

    }

    yCDebug(AUTHHMAC, "%s\n", buf);

    delete[] buf;

}


using namespace yarp::os::impl;

using namespace yarp::os;


AuthHMAC::AuthHMAC() :

        authentication_enabled(false)

{

    memset(&context, 0, sizeof(HMAC_CONTEXT));

    static bool auth_warning_shown = false;

    if (auth_warning_shown) {

        // If the warning was already shown, we have nothing to do.

        // return as soon as possible

        return;

    }

    std::string key;

    ResourceFinder& rf = ResourceFinder::getResourceFinderSingleton();

    std::string fname;

    Network::lock();

    ResourceFinderOptions opt;

    opt.messageFilter = ResourceFinderOptions::ShowNone;

    fname = rf.findFile("auth.conf", opt);

    Network::unlock();


    if (fname.empty()) {

        yCDebug(AUTHHMAC, "Cannot find auth.conf file. Authentication disabled.\n");

        auth_warning_shown = true;

        return;

    }


    Property config;

    config.fromConfigFile(fname);

    Bottle group = config.findGroup("AUTH");


    if (group.isNull()) {

        yCWarning(AUTHHMAC, "No \"AUTH\" group found in auth.conf file. Authentication disabled.\n");

        auth_warning_shown = true;

        return;

    }


    key = group.find("key").asString();

    if (!(key.length() > 0)) {

        yCWarning(AUTHHMAC, "No \"key\" found in \"AUTH\" group in auth.conf file. Authentication disabled.\n");

        auth_warning_shown = true;

        return;

    }


    size_t key_len = key.length();

    auto* tmp = new unsigned char[key_len];

    strcpy(reinterpret_cast<char*>(tmp), key.c_str());

    HMAC_INIT(&context, tmp, static_cast<unsigned int>(key_len));

    delete[] tmp;

    srand(static_cast<unsigned>(time(nullptr)));


    if (!authentication_enabled) {

        yCInfo(AUTHHMAC, "Authentication enabled.\n");

        authentication_enabled = true;

    }

}


bool AuthHMAC::authSource(InputStream* streamIn, OutputStream* streamOut)

{


    if (!authentication_enabled) {

        return true;

    }


    /* ---------------

      * 3-way auth

      * Port A

      * ---------------

      */


    unsigned char nonce1[NONCE_LEN];

    unsigned char nonce2[NONCE_LEN];

    unsigned char nonce3[NONCE_LEN];


    unsigned char mac[DIGEST_SIZE];

    unsigned char mac_check[DIGEST_SIZE];


    /* ---------------

      * Send first msg: A->B

      */

    fill_nonce(nonce1);

    HMAC_REINIT(&context);

    HMAC_UPDATE(&context, nonce1, NONCE_LEN);

    HMAC_FINAL(&context, mac, DIGEST_SIZE);

    if (!send_hmac(streamOut, nonce1, mac)) {

        return false;

    }


    /* ---------------

      * Receive and check second msg: B->A

      */

    if (!receive_hmac(streamIn, nonce2, mac)) {

        return false;

    }


    HMAC_REINIT(&context);

    HMAC_UPDATE(&context, nonce1, NONCE_LEN);

    HMAC_UPDATE(&context, nonce2, NONCE_LEN);

    HMAC_FINAL(&context, mac_check, DIGEST_SIZE);

    if (!check_hmac(mac, mac_check)) {

        return false;

    }

    /* Authentication of B successful */


    /* ---------------

      * Send third msg: A->B

      */

    fill_nonce(nonce3);

    HMAC_REINIT(&context);

    HMAC_UPDATE(&context, nonce1, NONCE_LEN);

    HMAC_UPDATE(&context, nonce2, NONCE_LEN);

    HMAC_UPDATE(&context, nonce3, NONCE_LEN);

    HMAC_FINAL(&context, mac, DIGEST_SIZE);

    return send_hmac(streamOut, nonce3, mac);

}


bool AuthHMAC::authDest(InputStream* streamIn, OutputStream* streamOut)

{


    if (!authentication_enabled) {

        return true;

    }


    /* ---------------

     * 3-way auth

     * Port B

     * ---------------

     */


    unsigned char nonce1[NONCE_LEN];

    unsigned char nonce2[NONCE_LEN];

    unsigned char nonce3[NONCE_LEN];


    unsigned char mac[DIGEST_SIZE];

    unsigned char mac_check[DIGEST_SIZE];


    /* ---------------

     * Receive and check first msg: A->B

     */

    if (!receive_hmac(streamIn, nonce1, mac)) {

        return false;

    }

    HMAC_REINIT(&context);

    HMAC_UPDATE(&context, nonce1, NONCE_LEN);

    HMAC_FINAL(&context, mac_check, DIGEST_SIZE);

    if (!check_hmac(mac, mac_check)) {

        return false;

    }


    /* ---------------

     * Send second msg: B->A

     */

    fill_nonce(nonce2);

    HMAC_REINIT(&context);

    HMAC_UPDATE(&context, nonce1, NONCE_LEN);

    HMAC_UPDATE(&context, nonce2, NONCE_LEN);

    HMAC_FINAL(&context, mac, DIGEST_SIZE);

    if (!send_hmac(streamOut, nonce2, mac)) {

        return false;

    }


    /* ---------------

     * Receive and check third msg: A->B

     */

    if (!receive_hmac(streamIn, nonce3, mac)) {

        return false;

    }

    HMAC_REINIT(&context);

    HMAC_UPDATE(&context, nonce1, NONCE_LEN);

    HMAC_UPDATE(&context, nonce2, NONCE_LEN);

    HMAC_UPDATE(&context, nonce3, NONCE_LEN);

    HMAC_FINAL(&context, mac_check, DIGEST_SIZE);

    if (!check_hmac(mac, mac_check)) {

        return false;

    }

    /* Authentication of A successful */


    return true;

}


bool AuthHMAC::send_hmac(OutputStream* stream, unsigned char* nonce, unsigned char* mac)

{

    Bytes nonce_bytes(reinterpret_cast<char*>(nonce), NONCE_LEN);

    Bytes mac_bytes(reinterpret_cast<char*>(mac), DIGEST_SIZE);

    stream->write(nonce_bytes);

    stream->write(mac_bytes);


    show_hmac_debug(nonce, NONCE_LEN, "send nonce ");

    show_hmac_debug(mac, DIGEST_SIZE, "send digest ");


    return stream->isOk();

}


bool AuthHMAC::receive_hmac(InputStream* stream, unsigned char* nonce, unsigned char* mac)

{

    Bytes nonce_bytes(reinterpret_cast<char*>(nonce), NONCE_LEN);

    Bytes mac_bytes(reinterpret_cast<char*>(mac), DIGEST_SIZE);

    stream->read(nonce_bytes);

    stream->read(mac_bytes);


    show_hmac_debug(nonce, NONCE_LEN, "got nonce ");

    show_hmac_debug(mac, DIGEST_SIZE, "got digest ");


    return stream->isOk();

}


bool AuthHMAC::check_hmac(unsigned char* mac, unsigned char* mac_check)

{

    int cmp = memcmp(mac, mac_check, DIGEST_SIZE);


    std::string check = "digest check ";

    if (cmp == 0) {

        check += "successful";

    } else {

        check += "FAILED";

    }

    show_hmac_debug(mac_check, DIGEST_SIZE, check);


    return (cmp == 0);

}


void AuthHMAC::fill_nonce(unsigned char* nonce)

{

    std::random_device rd;

    std::mt19937 mt(rd());

    std::uniform_int_distribution<int> dist(0, 255);

    for (unsigned int i = 0; i < NONCE_LEN; i++) {

        nonce[i] = static_cast<unsigned char>(dist(mt));

    }

}

show_hmac_debug
void show_hmac_debug(unsigned char *hex, unsigned int length, const std::string &context)
Definition AuthHMAC.cpp:27

AuthHMAC.h

HMAC_FINAL
#define HMAC_FINAL
Definition AuthHMAC.h:20

HMAC_INIT
#define HMAC_INIT
Definition AuthHMAC.h:17

HMAC_UPDATE
#define HMAC_UPDATE
Definition AuthHMAC.h:19

NONCE_LEN
#define NONCE_LEN
Definition AuthHMAC.h:21

DIGEST_SIZE
#define DIGEST_SIZE
Definition AuthHMAC.h:15

HMAC_REINIT
#define HMAC_REINIT
Definition AuthHMAC.h:18

HMAC_CONTEXT
#define HMAC_CONTEXT
Definition AuthHMAC.h:16

Bytes.h

NameClient.h

Network.h

Property.h

ResourceFinder.h

yarp::os::Bottle
A simple collection of objects that can be described and transmitted in a portable way.
Definition Bottle.h:64

yarp::os::Bottle::isNull
bool isNull() const override
Checks if the object is invalid.
Definition Bottle.cpp:343

yarp::os::Bottle::find
Value & find(const std::string &key) const override
Gets a value corresponding to a given keyword.
Definition Bottle.cpp:287

yarp::os::BufferedPort
A mini-server for performing network communication in the background.
Definition BufferedPort.h:60

yarp::os::Bytes
A simple abstraction for a block of bytes.
Definition Bytes.h:24

yarp::os::InputStream
Simple specification of the minimum functions needed from input streams.
Definition InputStream.h:25

yarp::os::InputStream::isOk
virtual bool isOk() const =0
Check if the stream is ok or in an error state.

yarp::os::InputStream::read
virtual int read()
Read and return a single byte.
Definition InputStream.cpp:20

yarp::os::NetworkBase::unlock
static void unlock()
Call post() on a global mutual-exclusion semaphore allocated by YARP.
Definition Network.cpp:1423

yarp::os::NetworkBase::lock
static void lock()
Call wait() on a global mutual-exclusion semaphore allocated by YARP.
Definition Network.cpp:1418

yarp::os::OutputStream
Simple specification of the minimum functions needed from output streams.
Definition OutputStream.h:21

yarp::os::OutputStream::isOk
virtual bool isOk() const =0
Check if the stream is ok or in an error state.

yarp::os::OutputStream::write
virtual void write(char ch)
Write a single byte to the stream.
Definition OutputStream.cpp:14

yarp::os::Property
A class for storing options and configuration information.
Definition Property.h:33

yarp::os::Property::fromConfigFile
bool fromConfigFile(const std::string &fname, bool wipe=true)
Interprets a file as a list of properties.
Definition Property.cpp:1070

yarp::os::Property::findGroup
Bottle & findGroup(const std::string &key) const override
Gets a list corresponding to a given keyword.
Definition Property.cpp:1114

yarp::os::ResourceFinderOptions
These options are loosely based on http://wiki.icub.org/wiki/YARP_ResourceFinder.
Definition ResourceFinderOptions.h:24

yarp::os::ResourceFinderOptions::ShowNone
@ ShowNone
Definition ResourceFinderOptions.h:57

yarp::os::ResourceFinder
Helper class for finding config files and other external resources.
Definition ResourceFinder.h:29

yarp::os::ResourceFinder::getResourceFinderSingleton
static ResourceFinder & getResourceFinderSingleton()
Access a ResourceFinder singleton whose lifetime will match that of the YARP library.
Definition ResourceFinder.cpp:959

yarp::os::ResourceFinder::findFile
std::string findFile(const std::string &name)
Find the full path to a file.
Definition ResourceFinder.cpp:830

yarp::os::Value::asString
virtual std::string asString() const
Get string value.
Definition Value.cpp:234

yarp::os::impl::AuthHMAC::AuthHMAC
AuthHMAC()
Constructor.
Definition AuthHMAC.cpp:43

yarp::os::impl::AuthHMAC::authDest
bool authDest(yarp::os::InputStream *streamIn, yarp::os::OutputStream *streamOut)
Definition AuthHMAC.cpp:159

yarp::os::impl::AuthHMAC::authSource
bool authSource(yarp::os::InputStream *streamIn, yarp::os::OutputStream *streamOut)
Definition AuthHMAC.cpp:100

yCInfo
#define yCInfo(component,...)
Definition LogComponent.h:171

yCWarning
#define yCWarning(component,...)
Definition LogComponent.h:192

yCDebug
#define yCDebug(component,...)
Definition LogComponent.h:128

LogComponent.h

YARP_OS_LOG_COMPONENT
#define YARP_OS_LOG_COMPONENT(name, name_string)
Definition LogComponent.h:29

yarp::os::impl
The components from which ports and connections are built.

yarp::os
An interface to the operating system, including Port based communication.
Definition AbstractCarrier.h:13