summaryrefslogtreecommitdiffabout
authorMichael Krelin <hacker@klever.net>2009-04-06 20:27:39 (UTC)
committer Michael Krelin <hacker@klever.net>2009-04-06 20:27:39 (UTC)
commit51d8a8a4ac6ef6096c393fd602df34c6bf8f6366 (patch) (side-by-side diff)
tree8126f60fac6562b14c965e41d19983d81312638a
parentde964540e5a58b3a9195c642ef7a0745ee3b2344 (diff)
downloadiii-51d8a8a4ac6ef6096c393fd602df34c6bf8f6366.zip
iii-51d8a8a4ac6ef6096c393fd602df34c6bf8f6366.tar.gz
iii-51d8a8a4ac6ef6096c393fd602df34c6bf8f6366.tar.bz2
better nonce generation and session credentials verification
based on the patch from Chris Davies Signed-off-by: Michael Krelin <hacker@klever.net>
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--AUTHORS1
-rw-r--r--configure.ac6
-rw-r--r--src/Makefile.am4
-rw-r--r--src/eyefiservice.cc21
-rw-r--r--src/eyetil.cc17
-rw-r--r--src/eyetil.h1
6 files changed, 43 insertions, 7 deletions
diff --git a/AUTHORS b/AUTHORS
index 257669f..e7f9101 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -7,3 +7,4 @@ Thanks to:
cdavies of Eye-Fi forums for integrity digest verification algorithm.
See http://forums.eye.fi/viewtopic.php?f=4&t=270&p=4074#p4074
+ and session nonce verification patch
diff --git a/configure.ac b/configure.ac
index 2e66fc4..515d465 100644
--- a/configure.ac
+++ b/configure.ac
@@ -15,6 +15,12 @@ AC_PATH_PROG([XSLTPROC],[xsltproc],[true])
PKG_CHECK_MODULES([MODULES],[gsoap++ openssl libconfuse],,[
AC_MSG_ERROR([one of the build dependencies isn't satisfied])
])
+PKG_CHECK_MODULES([UUID],[uuid],[have_uuid=true],[have_uuid=false])
+AM_CONDITIONAL([HAVE_UUID],[$have_uuid])
+if $have_uuid ; then
+ AC_DEFINE([HAVE_LIBUUID],,[defined in presence of libuuid])
+ AC_SUBST([UUID_UUID],[uuid])
+fi
AC_PATH_PROG([SOAPCPP2],[soapcpp2],[false])
test "$SOAPCPP2" = "false" && AC_MSG_ERROR([no soapcpp2 tool, part of gsoap package, found.])
diff --git a/src/Makefile.am b/src/Makefile.am
index 09f698e..b5b7d5c 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -7,7 +7,7 @@ noinst_HEADERS = \
AM_CPPFLAGS = ${CPPFLAGS_DEBUG} \
-DEYEKIN_CONF_DIR=\"${sysconfdir}/${PACKAGE}\"
DEFAULT_INCLUDES = -I${top_builddir} -I${builddir} -I${srcdir}
-INCLUDES = ${MODULES_CFLAGS}
+INCLUDES = ${MODULES_CFLAGS} ${UUID_CFLAGS}
iiid_SOURCES = iiid.cc \
eyekinfig.cc eyetil.cc \
@@ -15,7 +15,7 @@ iiid_SOURCES = iiid.cc \
nodist_iiid_SOURCES = \
${builddir}/soapC.cpp ${builddir}/soapeyefiService.cpp \
COPYING.cc
-iiid_LDADD = ${MODULES_LIBS}
+iiid_LDADD = ${MODULES_LIBS} ${UUID_LIBS}
COPYING.cc: ${top_srcdir}/COPYING
echo "const char * COPYING = " >$@ || (rm $@;exit 1)
diff --git a/src/eyefiservice.cc b/src/eyefiservice.cc
index d233a07..1a21c02 100644
--- a/src/eyefiservice.cc
+++ b/src/eyefiservice.cc
@@ -6,10 +6,13 @@
#include <syslog.h>
#include <sys/wait.h>
#include <autosprintf.h>
+#include <openssl/rand.h>
#include "eyekinfig.h"
#include "eyetil.h"
#include "soapeyefiService.h"
+static binary_t session_nonce;
+
static bool detached_child() {
pid_t p = fork();
if(p<0) throw std::runtime_error("failed to fork()");
@@ -46,9 +49,8 @@ int eyefiService::StartSession(
macaddress.c_str(), cnonce.c_str(), transfermode, transfermodetimestamp );
#endif
r.credential = binary_t(macaddress+cnonce+eyekinfig_t(macaddress).get_upload_key()).md5().hex();
- /* TODO: better nonce generator */
- time_t t = time(0);
- r.snonce = binary_t(&t,sizeof(t)).md5().hex();
+
+ r.snonce = session_nonce.make_nonce().hex();
r.transfermode=transfermode;
r.transfermodetimestamp=transfermodetimestamp;
r.upsyncallowed=false;
@@ -74,9 +76,18 @@ int eyefiService::GetPhotoStatus(
struct rns__GetPhotoStatusResponse &r ) {
#ifndef NDEBUG
syslog(LOG_DEBUG,
- "GetPhotoStatus request from %s with credential=%s, filename=%s, filesize=%ld, filesignature=%s",
- macaddress.c_str(), credential.c_str(), filename.c_str(), filesize, filesignature.c_str() );
+ "GetPhotoStatus request from %s with credential=%s, filename=%s, filesize=%ld, filesignature=%s; session nonce=%s",
+ macaddress.c_str(), credential.c_str(), filename.c_str(), filesize, filesignature.c_str(), session_nonce.hex().c_str() );
+#endif
+
+ std::string computed_credential = binary_t(macaddress+eyekinfig_t(macaddress).get_upload_key()+session_nonce.hex()).md5().hex();
+
+#ifndef NDEBUG
+ syslog(LOG_DEBUG, " computed credential=%s", computed_credential.c_str());
#endif
+
+ if (credential != computed_credential) throw std::runtime_error("card authentication failed");
+
r.fileid = 1; r.offset = 0;
return SOAP_OK;
}
diff --git a/src/eyetil.cc b/src/eyetil.cc
index fe816a6..7669cb6 100644
--- a/src/eyetil.cc
+++ b/src/eyetil.cc
@@ -9,6 +9,11 @@
#include <openssl/md5.h>
#include "eyetil.h"
+#include "config.h"
+#ifdef HAVE_LIBUUID
+# include <uuid/uuid.h>
+#endif
+
binary_t& binary_t::from_hex(const std::string& h) {
std::string::size_type hs = h.length();
if(hs&1)
@@ -32,6 +37,18 @@ binary_t& binary_t::from_data(const void *d,size_t s) {
return *this;
}
+binary_t& binary_t::make_nonce() {
+#ifdef HAVE_LIBUUID
+ uuid_t uuid;
+ uuid_generate(uuid);
+ from_data((unsigned char*)uuid,sizeof(uuid));
+#else
+ resize(16);
+ std::generate_n(begin(),16,rand);
+#endif /* HAVE_LIBUUID */
+ return *this;
+}
+
std::string binary_t::hex() const {
std::string rv;
rv.reserve((size()<<1)+1);
diff --git a/src/eyetil.h b/src/eyetil.h
index 378f703..d946e71 100644
--- a/src/eyetil.h
+++ b/src/eyetil.h
@@ -15,6 +15,7 @@ class binary_t : public std::vector<unsigned char> {
binary_t& from_hex(const std::string& h);
binary_t& from_data(const void *d,size_t s);
+ binary_t& make_nonce();
std::string hex() const;
binary_t md5() const;