diff options
| author | Christian Pointner <equinox@anytun.org> | 2008-02-16 14:34:53 +0000 |
|---|---|---|
| committer | Christian Pointner <equinox@anytun.org> | 2008-02-16 14:34:53 +0000 |
| commit | c15f428cef737e093cafa78f806c6ffc0ccee60c (patch) | |
| tree | 313ad89dbaec390106ba9fd4ca5429ee348f87b0 | |
| parent | added fancy output to lua (diff) | |
minor changes
code cleanups
| -rw-r--r-- | anytun.cpp | 96 | ||||
| -rw-r--r-- | authAlgoFactory.h | 10 | ||||
| -rw-r--r-- | cypher.cpp | 41 | ||||
| -rw-r--r-- | cypher.h | 7 | ||||
| -rw-r--r-- | cypherFactory.h | 9 | ||||
| -rw-r--r-- | datatypes.h | 4 | ||||
| -rw-r--r-- | keyDerivation.cpp | 33 | ||||
| -rw-r--r-- | keyDerivation.h | 12 | ||||
| -rw-r--r-- | mpi.h | 2 |
9 files changed, 107 insertions, 107 deletions
@@ -116,7 +116,7 @@ bool checkPacketSeqNr(EncryptedPacket& pack,ConnectionParam& conn) << " seq:"<<pack.getSeqNr() << " sid: "<<pack.getSenderId(); return false; } - + conn.seq_window_.addSeqNr(pack.getSenderId(), pack.getSeqNr()); return true; } @@ -125,21 +125,22 @@ void* sender(void* p) { ThreadParam* param = reinterpret_cast<ThreadParam*>(p); - CypherFactory c_factory; - AuthAlgoFactory a_factory; - std::auto_ptr<Cypher> c(c_factory.create(param->opt.getCypher())); - std::auto_ptr<AuthAlgo> a( a_factory.create(param->opt.getAuthAlgo()) ); + std::auto_ptr<Cypher> c(CypherFactory::create(param->opt.getCypher())); + std::auto_ptr<AuthAlgo> a(AuthAlgoFactory::create(param->opt.getAuthAlgo()) ); PlainPacket plain_packet(1600); // TODO: fix me... mtu size EncryptedPacket packet(1600); - Buffer session_key(SESSION_KEYLEN_ENCR), session_salt(SESSION_KEYLEN_SALT), session_auth_key(SESSION_KEYLEN_AUTH); + // TODO: hardcoded keySize!!! + Buffer session_key(SESSION_KEYLEN_ENCR); + Buffer session_salt(SESSION_KEYLEN_SALT); + Buffer session_auth_key(SESSION_KEYLEN_AUTH); //TODO replace mux u_int16_t mux = 0; while(1) { - plain_packet.setLength( plain_packet.getMaxLength()); + plain_packet.setLength( plain_packet.getMaxLength()); // Q@NINE wtf??? // read packet from device u_int32_t len = param->dev.read(plain_packet); @@ -160,18 +161,20 @@ void* sender(void* p) else plain_packet.setPayloadType(0); - // encrypt packet - conn.kd_.generate(LABEL_SATP_ENCRYPTION, conn.seq_nr_, session_key, session_key.getLength()); - conn.kd_.generate(LABEL_SATP_SALT, conn.seq_nr_, session_salt, session_salt.getLength()); - conn.kd_.generate(LABEL_SATP_MSG_AUTH, packet.getSeqNr(), session_auth_key, session_auth_key.getLength()); - + // generate packet-key + conn.kd_.generate(LABEL_SATP_ENCRYPTION, conn.seq_nr_, session_key); + conn.kd_.generate(LABEL_SATP_SALT, conn.seq_nr_, session_salt); c->setKey(session_key); c->setSalt(session_salt); + + // encrypt packet c->encrypt(plain_packet, packet, conn.seq_nr_, param->opt.getSenderId()); packet.setHeader(conn.seq_nr_, param->opt.getSenderId(), mux); conn.seq_nr_++; + // TODO: activate authentication +// conn.kd_.generate(LABEL_SATP_MSG_AUTH, packet.getSeqNr(), session_auth_key); // a->setKey(session_auth_key); // addPacketAuthTag(packet, a.get(), conn); param->src.send(packet, conn.remote_host_, conn.remote_port_); @@ -217,46 +220,48 @@ void* receiver(void* p) { ThreadParam* param = reinterpret_cast<ThreadParam*>(p); - CypherFactory c_factory; - AuthAlgoFactory a_factory; - std::auto_ptr<Cypher> c( c_factory.create(param->opt.getCypher()) ); - std::auto_ptr<AuthAlgo> a( a_factory.create(param->opt.getAuthAlgo()) ); + std::auto_ptr<Cypher> c( CypherFactory::create(param->opt.getCypher()) ); + std::auto_ptr<AuthAlgo> a( AuthAlgoFactory::create(param->opt.getAuthAlgo()) ); EncryptedPacket packet(1600); // TODO: dynamic mtu size PlainPacket plain_packet(1600); - Buffer session_key(SESSION_KEYLEN_SALT), session_salt(SESSION_KEYLEN_SALT), session_auth_key(SESSION_KEYLEN_AUTH); + + // TODO: hardcoded keysize!!! + Buffer session_key(SESSION_KEYLEN_SALT); + Buffer session_salt(SESSION_KEYLEN_SALT); + Buffer session_auth_key(SESSION_KEYLEN_AUTH); while(1) { string remote_host; u_int16_t remote_port; - packet.setLength( packet.getMaxLength() ); - plain_packet.setLength( plain_packet.getMaxLength() ); + packet.setLength( packet.getMaxLength() ); // Q@NINE wtf??? + plain_packet.setLength( plain_packet.getMaxLength() ); // Q@NINE wtf??? // u_int16_t sid = 0, seq = 0; // read packet from socket u_int32_t len = param->src.recv(packet, remote_host, remote_port); packet.setLength(len); + // TODO: check auth tag first +// conn.kd_.generate(LABEL_SATP_MSG_AUTH, packet.getSeqNr(), session_auth_key); +// a->setKey( session_auth_key ); +// if(!checkPacketAuthTag(packet, a.get(), conn)) +// continue; + + // autodetect peer - // TODO check auth tag first - // this should be done by keymanagement anyway if(param->opt.getRemoteAddr() == "" && param->cl.empty()) { cLog.msg(Log::PRIO_NOTICE) << "autodetected remote host " << remote_host << ":" << remote_port; createConnection(remote_host, remote_port, param->cl,param->opt.getSeqWindowSize(),param->queue); } - //TODO Add multi connection support here + // TODO: Add multi connection support here ConnectionParam & conn = param->cl.getConnection(0)->second; - conn.kd_.generate(LABEL_SATP_MSG_AUTH, packet.getSeqNr(), session_auth_key, session_auth_key.getLength()); -// a->setKey( session_auth_key ); -// if(!checkPacketAuthTag(packet, a.get(), conn)) -// continue; - //Allow dynamic IP changes - //TODO add command line option to turn this off + //TODO: add command line option to turn this off if (remote_host != conn.remote_host_ || remote_port != conn.remote_port_) { cLog.msg(Log::PRIO_NOTICE) << "autodetected remote host ip changed " << remote_host << ":" << remote_port; @@ -269,15 +274,17 @@ void* receiver(void* p) // Replay Protection if (!checkPacketSeqNr(packet, conn)) continue; - - // decrypt packet - conn.kd_.generate(LABEL_SATP_ENCRYPTION, packet.getSeqNr(), session_key, session_key.getLength()); - conn.kd_.generate(LABEL_SATP_SALT, packet.getSeqNr(), session_salt, session_salt.getLength()); + + // generate packet-key + conn.kd_.generate(LABEL_SATP_ENCRYPTION, packet.getSeqNr(), session_key); + conn.kd_.generate(LABEL_SATP_SALT, packet.getSeqNr(), session_salt); c->setKey(session_key); c->setSalt(session_salt); + + // decrypt packet c->decrypt(packet, plain_packet); - // check payload_type and remove it + // check payload_type if((param->dev.getType() == TunDevice::TYPE_TUN && plain_packet.getPayloadType() != PAYLOAD_TYPE_TUN) || (param->dev.getType() == TunDevice::TYPE_TAP && plain_packet.getPayloadType() != PAYLOAD_TYPE_TAP)) continue; @@ -295,7 +302,7 @@ extern "C" { GCRY_THREAD_OPTION_PTHREAD_IMPL; } -void initLibGCrypt() +bool initLibGCrypt() { // make libgcrypt thread safe gcry_control( GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread ); @@ -306,11 +313,12 @@ void initLibGCrypt() { if( !gcry_check_version( MIN_GCRYPT_VERSION ) ) { cLog.msg(Log::PRIO_ERR) << "initLibGCrypt: Invalid Version of libgcrypt, should be >= " << MIN_GCRYPT_VERSION; - return; + std::cout << "initLibGCrypt: Invalid Version of libgcrypt, should be >= " << MIN_GCRYPT_VERSION << std::endl; + return false; } - // do NOT allocate a pool of secure memory! - // this is NOT thread safe! + // do NOT allocate a pool uof secure memory! Q@NINE? + // this is NOT thread safe! ?????????????????????????????????? /* Allocate a pool of 16k secure memory. This also drops priviliges * on some systems. */ @@ -318,18 +326,21 @@ void initLibGCrypt() if( err ) { cLog.msg(Log::PRIO_ERR) << "Failed to allocate " << GCRYPT_SEC_MEM << " bytes of secure memory: " << gpg_strerror( err ); - return; + std::cout << "Failed to allocate " << GCRYPT_SEC_MEM << " bytes of secure memory: " << gpg_strerror( err ) << std::endl; + return false; } /* Tell Libgcrypt that initialization has completed. */ err = gcry_control(GCRYCTL_INITIALIZATION_FINISHED); if( err ) { cLog.msg(Log::PRIO_ERR) << "initLibGCrypt: Failed to finish the initialization of libgcrypt: " << gpg_strerror( err ); - return; - } else { - cLog.msg(Log::PRIO_NOTICE) << "initLibGCrypt: libgcrypt init finished"; + std::cout << "initLibGCrypt: Failed to finish the initialization of libgcrypt: " << gpg_strerror( err ) << std::endl; + return false; } } + cLog.msg(Log::PRIO_NOTICE) << "initLibGCrypt: libgcrypt init finished"; + + return true; } int main(int argc, char* argv[]) @@ -367,7 +378,8 @@ int main(int argc, char* argv[]) cLog.msg(Log::PRIO_NOTICE) << "dev opened - actual name is '" << p.dev.getActualName() << "'"; cLog.msg(Log::PRIO_NOTICE) << "dev type is '" << p.dev.getTypeString() << "'"; - initLibGCrypt(); + if(!initLibGCrypt()) + return -1; pthread_t senderThread; pthread_create(&senderThread, NULL, sender, &p); diff --git a/authAlgoFactory.h b/authAlgoFactory.h index 5949ca3..716e800 100644 --- a/authAlgoFactory.h +++ b/authAlgoFactory.h @@ -39,11 +39,13 @@ class AuthAlgoFactory { public: - AuthAlgoFactory() {}; - ~AuthAlgoFactory() {}; - - AuthAlgo* create(std::string const& type); + static AuthAlgo* create(std::string const& type); +private: + AuthAlgoFactory(); + AuthAlgoFactory(const AuthAlgoFactory& src); + void operator=(const AuthAlgoFactory& src); + ~AuthAlgoFactory(); }; #endif @@ -52,43 +52,24 @@ void Cypher::decrypt(const EncryptedPacket & in,PlainPacket & out) out.setCompletePayloadLength(in.payload_length_); } + + +//****** NullCypher ****** + void NullCypher::cypher(u_int8_t * out, u_int8_t * in, u_int32_t length, seq_nr_t seq_nr, sender_id_t sender_id) { std::memcpy(out, in, length ); } -const char* AesIcmCypher::MIN_GCRYPT_VERSION = "1.2.3"; -AesIcmCypher::AesIcmCypher() : salt_(Buffer(14)) + +//****** AesIcmCypher ****** + +AesIcmCypher::AesIcmCypher() : salt_(Buffer(14)) // Q@NINE 14?????? { gcry_error_t err; - // No other library has already initialized libgcrypt. - if( !gcry_control(GCRYCTL_ANY_INITIALIZATION_P) ) - { - if( !gcry_check_version( MIN_GCRYPT_VERSION ) ) { - cLog.msg(Log::PRIO_ERR) << "AesIcmCypher::AesIcmCypher: Invalid Version of libgcrypt, should be >= " << MIN_GCRYPT_VERSION; - return; - } - - /* Allocate a pool of secure memory. This also drops priviliges - on some systems. */ - err = gcry_control(GCRYCTL_INIT_SECMEM, GCRYPT_SEC_MEM, 0); - if( err ) { - cLog.msg(Log::PRIO_ERR) << "Failed to allocate " << GCRYPT_SEC_MEM << "bytes of secure memory: " << gpg_strerror( err ); - return; - } - - /* Tell Libgcrypt that initialization has completed. */ - err = gcry_control(GCRYCTL_INITIALIZATION_FINISHED); - if( err ) { - cLog.msg(Log::PRIO_CRIT) << "AesIcmCypher::AesIcmCypher: Failed to finish the initialization of libgcrypt: " << gpg_strerror( err ); - return; - } else { - cLog.msg(Log::PRIO_DEBUG) << "AesIcmCypher::AesIcmCypher: libgcrypt init finished"; - } - } - + // TODO: hardcoded keysize!!!!! err = gcry_cipher_open( &cipher_, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 0 ); if( err ) cLog.msg(Log::PRIO_CRIT) << "AesIcmCypher::AesIcmCypher: Failed to open cypher"; @@ -105,8 +86,8 @@ AesIcmCypher::~AesIcmCypher() void AesIcmCypher::setKey(Buffer key) { gcry_error_t err; - // FIXXME: hardcoded keysize - err = gcry_cipher_setkey( cipher_, key.getBuf(), 16 ); + + err = gcry_cipher_setkey( cipher_, key.getBuf(), key.getLength() ); if( err ) cLog.msg(Log::PRIO_ERR) << "AesIcmCypher::setKey: Failed to set cipher key: " << gpg_strerror( err ); } @@ -53,6 +53,8 @@ private: virtual void cypher(u_int8_t * in, u_int8_t * out, u_int32_t length, seq_nr_t seq_nr, sender_id_t sender_id) {}; }; +//****** NullCypher ****** + class NullCypher : public Cypher { public: @@ -62,6 +64,8 @@ protected: void cypher(u_int8_t * in, u_int8_t * out, u_int32_t length, seq_nr_t seq_nr, sender_id_t sender_id); }; +//****** AesIcmCypher ****** + class AesIcmCypher : public Cypher { public: @@ -70,9 +74,6 @@ public: void setKey(Buffer key); void setSalt(Buffer salt); - static const char* MIN_GCRYPT_VERSION; - static const u_int32_t GCRYPT_SEC_MEM = 16384; // 16k secure memory - protected: void cypher(u_int8_t * in, u_int8_t * out, u_int32_t length, seq_nr_t seq_nr, sender_id_t sender_id); gcry_cipher_hd_t cipher_; diff --git a/cypherFactory.h b/cypherFactory.h index f245301..002d741 100644 --- a/cypherFactory.h +++ b/cypherFactory.h @@ -39,10 +39,13 @@ class CypherFactory { public: - CypherFactory() {}; - ~CypherFactory() {}; + static Cypher* create(std::string const& type); - Cypher* create(std::string const& type); +private: + CypherFactory(); + CypherFactory(const CypherFactory& src); + void operator=(const CypherFactory& src); + ~CypherFactory(); }; #endif diff --git a/datatypes.h b/datatypes.h index a23015b..481c603 100644 --- a/datatypes.h +++ b/datatypes.h @@ -40,8 +40,8 @@ typedef unsigned short u_int16_t; typedef signed int int32; typedef unsigned int u_int32_t; -//typedef signed long long int64_t; -//typedef unsigned long long u_int64_t; +typedef signed long long int64_t; +typedef unsigned long long u_int64_t; typedef u_int32_t window_size_t; diff --git a/keyDerivation.cpp b/keyDerivation.cpp index 893825c..ad2265d 100644 --- a/keyDerivation.cpp +++ b/keyDerivation.cpp @@ -46,15 +46,15 @@ void KeyDerivation::init(Buffer key, Buffer salt) Lock lock(mutex_); gcry_error_t err; - // TODO: hardcoded keysize! + // TODO: hardcoded cipher-type and keysize?? err = gcry_cipher_open( &cipher_, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 0 ); if( err ) { cLog.msg(Log::PRIO_ERR) << "KeyDerivation::init: Failed to open cipher: " << gpg_strerror( err ); return; } - salt_ = SyncBuffer(salt); - key_ = SyncBuffer(key); + master_salt_ = SyncBuffer(salt); + master_key_ = SyncBuffer(key); updateKey(); } @@ -63,9 +63,9 @@ void KeyDerivation::updateKey() { gcry_error_t err; - err = gcry_cipher_setkey( cipher_, key_.getBuf(), key_.getLength() ); + err = gcry_cipher_setkey( cipher_, master_key_.getBuf(), master_key_.getLength() ); if( err ) - cLog.msg(Log::PRIO_ERR) << "KeyDerivation::init: Failed to set cipher key: " << gpg_strerror( err ); + cLog.msg(Log::PRIO_ERR) << "KeyDerivation::updateKey: Failed to set cipher key: " << gpg_strerror( err ); } KeyDerivation::~KeyDerivation() @@ -81,14 +81,14 @@ void KeyDerivation::setLogKDRate(const uint8_t log_rate) ld_kdr_ = log_rate; } -void KeyDerivation::generate(satp_prf_label label, seq_nr_t seq_nr, Buffer& key, u_int32_t length) +void KeyDerivation::generate(satp_prf_label label, seq_nr_t seq_nr, Buffer& key) { ////Lock lock(mutex_); gcry_error_t err; Mpi r; - Mpi key_id(128); - Mpi iv(128); + Mpi key_id(128); // TODO: hardcoded keySize!!!!!!! Q@NINE? + Mpi iv(128); // TODO: hardcoded keySize!!!!!!! Q@NINE? // see at: http://tools.ietf.org/html/rfc3711#section-4.3 // * Let r = index DIV key_derivation_rate (with DIV as defined above). @@ -101,27 +101,28 @@ void KeyDerivation::generate(satp_prf_label label, seq_nr_t seq_nr, Buffer& key, if( ld_kdr_ == -1 ) // means key_derivation_rate = 0 r = 0; else - // TODO: kdr can be greater than 2^32 (= 2^48) - r = static_cast<long unsigned int>(seq_nr / ( 0x01 << ld_kdr_ )); + // TODO: kdr can be greater than 2^32 (= 2^48) ???? Q@NINE? +// Q@NINE? was: r = static_cast<long unsigned int>(seq_nr / ( 0x01 << ld_kdr_ )); + r = static_cast<u_int64_t>(seq_nr / ( 0x01 << ld_kdr_ )); - r = r.mul2exp(8); + r = r.mul2exp(8); // Q@NINE? === r << 8 key_id = r + static_cast<long unsigned int>(label); - - Mpi salt = Mpi(salt_.getBuf(), salt_.getLength()); + + Mpi salt = Mpi(master_salt_.getBuf(), master_salt_.getLength()); iv = key_id ^ salt; err = gcry_cipher_reset( cipher_ ); if( err ) cLog.msg(Log::PRIO_ERR) << "KeyDerivation::generate: Failed to reset cipher: " << gpg_strerror( err ); - + u_int8_t *iv_buf = iv.getNewBuf(16); err = gcry_cipher_setiv( cipher_ , iv_buf, 16); delete[] iv_buf; if( err ) cLog.msg(Log::PRIO_ERR) << "KeyDerivation::generate: Failed to set IV: " << gpg_strerror( err ); - err = gcry_cipher_encrypt( cipher_, key, length, 0, 0 ); - + err = gcry_cipher_encrypt( cipher_, key, key.getLength(), 0, 0 ); + if( err ) cLog.msg(Log::PRIO_ERR) << "KeyDerivation::generate: Failed to generate cipher bitstream: " << gpg_strerror( err ); } diff --git a/keyDerivation.h b/keyDerivation.h index e313795..88027ed 100644 --- a/keyDerivation.h +++ b/keyDerivation.h @@ -51,12 +51,12 @@ typedef enum { class KeyDerivation { public: - KeyDerivation() : ld_kdr_(-1), salt_(0), cipher_(NULL) {}; + KeyDerivation() : ld_kdr_(-1), master_salt_(0), cipher_(NULL) {}; virtual ~KeyDerivation(); void init(Buffer key, Buffer salt); void setLogKDRate(const u_int8_t ld_rate); - void generate(satp_prf_label label, seq_nr_t seq_nr, Buffer& key, u_int32_t length); + void generate(satp_prf_label label, seq_nr_t seq_nr, Buffer& key); private: void updateKey(); @@ -68,15 +68,15 @@ private: { Lock lock(mutex_); ar & ld_kdr_; - ar & salt_; - ar & key_; + ar & master_salt_; + ar & master_key_; updateKey(); } protected: int8_t ld_kdr_; // ld(key_derivation_rate) - SyncBuffer salt_; - SyncBuffer key_; + SyncBuffer master_salt_; + SyncBuffer master_key_; gcry_cipher_hd_t cipher_; Mutex mutex_; @@ -38,7 +38,7 @@ /** - * This class is a wrapper for the libgcrypt multi precision integer library [1].<br> + * This class is a wrapper for the libgcrypt multi precision integer library [1] * [1] http://www.gnupg.org/documentation/manuals/gcrypt/MPI-library.html * */ |