void/ZeroTierOne
2
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-06-06 20:43:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

HMACSHA384 the nonce bytes, not the hex encoded nonce bytes

Browse source
This commit is contained in:
Grant Limberg 2021-06-04 20:04:01 -07:00
parent 0b89a49201
commit 21d27c314c
No known key found for this signature in database
GPG key ID: 2BA62CCABBB4095A
2 changed files with 9 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
controller/PostgreSQL.cpp
View file

@ -143,6 +143,7 @@ PostgreSQL::PostgreSQL(const Identity &myId, const char *path, int listenPort, R
memset(_ssoPsk, 0, sizeof(_ssoPsk)); memset(_ssoPsk, 0, sizeof(_ssoPsk));
char *const ssoPskHex = getenv("ZT_SSO_PSK"); char *const ssoPskHex = getenv("ZT_SSO_PSK");
fprintf(stderr, "ZT_SSO_PSK: %s\n", ssoPskHex);
if (ssoPskHex) { if (ssoPskHex) {
// SECURITY: note that ssoPskHex will always be null-terminated if libc acatually // SECURITY: note that ssoPskHex will always be null-terminated if libc acatually
// returns something non-NULL. If the hex encodes something shorter than 48 bytes, // returns something non-NULL. If the hex encodes something shorter than 48 bytes,
@ -328,6 +329,7 @@ std::string PostgreSQL::getSSOAuthURL(const nlohmann::json &member, const std::s
auto c = _pool->borrow(); auto c = _pool->borrow();
pqxx::work w(*c->c); pqxx::work w(*c->c);
char nonceBytes[16] = {0};
std::string nonce = ""; std::string nonce = "";
// check if the member exists first. // check if the member exists first.
@ -342,12 +344,12 @@ std::string PostgreSQL::getSSOAuthURL(const nlohmann::json &member, const std::s
if (r.size() == 1) { if (r.size() == 1) {
// we have an existing nonce. Use it // we have an existing nonce. Use it
nonce = r.at(0)[0].as<std::string>(); nonce = r.at(0)[0].as<std::string>();
Utils::unhex(nonce.c_str(), nonceBytes, sizeof(nonceBytes));
} else if (r.empty()) { } else if (r.empty()) {
// create a nonce // create a nonce
char randBuf[16] = {0}; Utils::getSecureRandom(nonceBytes, 16);
Utils::getSecureRandom(randBuf, 16); char nonceBuf[64] = {0};
char nonceBuf[256] = {0}; Utils::hex(nonceBytes, sizeof(nonceBytes), nonceBuf);
Utils::hex(randBuf, sizeof(randBuf), nonceBuf);
nonce = std::string(nonceBuf); nonce = std::string(nonceBuf);
pqxx::result ir = w.exec_params0("INSERT INTO ztc_sso_expiry " pqxx::result ir = w.exec_params0("INSERT INTO ztc_sso_expiry "
@ -383,7 +385,7 @@ std::string PostgreSQL::getSSOAuthURL(const nlohmann::json &member, const std::s
have_auth = true; have_auth = true;
uint8_t state[48]; uint8_t state[48];
HMACSHA384(_ssoPsk, nonce.data(), (unsigned int)nonce.length(), state); HMACSHA384(_ssoPsk, nonceBytes, sizeof(nonceBytes), state);
char state_hex[256]; char state_hex[256];
Utils::hex(state, 48, state_hex); Utils::hex(state, 48, state_hex);

4
ext/central-controller-docker/Dockerfile
View file

@ -15,14 +15,14 @@ RUN tar -xzf libpqxx.tar.gz && \
pushd libpqxx-6.4.5/ && \ pushd libpqxx-6.4.5/ && \
mkdir build && pushd build/ && \ mkdir build && pushd build/ && \
cmake .. && \ cmake .. && \
make install && \ make install -j8 && \
popd && popd popd && popd
# RUN git clone http://git.int.zerotier.com/zerotier/ZeroTierOne.git # RUN git clone http://git.int.zerotier.com/zerotier/ZeroTierOne.git
# RUN if [ "$git_branch" != "master" ]; then cd ZeroTierOne && git checkout -b $git_branch origin/$git_branch; fi # RUN if [ "$git_branch" != "master" ]; then cd ZeroTierOne && git checkout -b $git_branch origin/$git_branch; fi
ADD . /ZeroTierOne ADD . /ZeroTierOne
RUN cd ZeroTierOne && make clean && make central-controller RUN cd ZeroTierOne && make clean && make central-controller -j8
FROM centos:8 FROM centos:8
RUN yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm RUN yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm