summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/anytun.cpp31
-rw-r--r--src/authAlgo.cpp145
-rw-r--r--src/authAlgo.h44
3 files changed, 118 insertions, 102 deletions
diff --git a/src/anytun.cpp b/src/anytun.cpp
index 1e54378..e46731a 100644
--- a/src/anytun.cpp
+++ b/src/anytun.cpp
@@ -80,8 +80,6 @@
#include "daemon.hpp"
#include "sysexec.hpp"
-#define SESSION_KEYLEN_AUTH 20 // TODO: hardcoded size
-
void createConnection(const PacketSourceEndpoint & remote_end, window_size_t seqSize, mux_t mux)
{
SeqWindow * seq= new SeqWindow(seqSize);
@@ -122,9 +120,6 @@ void sender(void* p)
PlainPacket plain_packet(MAX_PACKET_LENGTH);
EncryptedPacket encrypted_packet(MAX_PACKET_LENGTH);
- Buffer session_auth_key(u_int32_t(SESSION_KEYLEN_AUTH)); // TODO: hardcoded size
-
- //TODO replace mux
u_int16_t mux = gOpt.getMux();
PacketSourceEndpoint emptyEndpoint;
while(1)
@@ -180,12 +175,8 @@ void sender(void* p)
conn.seq_nr_++;
// add authentication tag
- if(a->getMaxLength()) {
- encrypted_packet.addAuthTag();
- conn.kd_.generate(LABEL_SATP_MSG_AUTH, encrypted_packet.getSeqNr(), session_auth_key);
- a->setKey(session_auth_key);
- a->generate(encrypted_packet);
- }
+ a->generate(conn.kd_, encrypted_packet);
+
try
{
param->src.send(encrypted_packet.getBuf(), encrypted_packet.getLength(), conn.remote_end_);
@@ -259,8 +250,6 @@ void receiver(void* p)
EncryptedPacket encrypted_packet(MAX_PACKET_LENGTH);
PlainPacket plain_packet(MAX_PACKET_LENGTH);
- Buffer session_auth_key(u_int32_t(SESSION_KEYLEN_AUTH)); // TODO: hardcoded size
-
while(1)
{
PacketSourceEndpoint remote_end;
@@ -287,17 +276,11 @@ void receiver(void* p)
ConnectionParam & conn = cit->second;
// check whether auth tag is ok or not
- if(a->getMaxLength()) {
- encrypted_packet.withAuthTag(true);
- conn.kd_.generate(LABEL_SATP_MSG_AUTH, encrypted_packet.getSeqNr(), session_auth_key);
- a->setKey(session_auth_key);
- if(!a->checkTag(encrypted_packet)) {
- cLog.msg(Log::PRIO_NOTICE) << "wrong Authentication Tag!" << std::endl;
- continue;
- }
- encrypted_packet.removeAuthTag();
- }
-
+ if(!a->checkTag(conn.kd_, encrypted_packet)) {
+ cLog.msg(Log::PRIO_NOTICE) << "wrong Authentication Tag!" << std::endl;
+ continue;
+ }
+
//Allow dynamic IP changes
//TODO: add command line option to turn this off
if (remote_end != conn.remote_end_)
diff --git a/src/authAlgo.cpp b/src/authAlgo.cpp
index 7689374..669308b 100644
--- a/src/authAlgo.cpp
+++ b/src/authAlgo.cpp
@@ -37,99 +37,138 @@
#include <iostream>
#include <cstring>
-#ifndef NOCRYPT
-#include <gcrypt.h>
-#endif
-
//****** NullAuthAlgo ******
-void NullAuthAlgo::generate(EncryptedPacket& packet)
+void NullAuthAlgo::generate(KeyDerivation& kd, EncryptedPacket& packet)
{
}
-bool NullAuthAlgo::checkTag(EncryptedPacket& packet)
+bool NullAuthAlgo::checkTag(KeyDerivation& kd, EncryptedPacket& packet)
{
return true;
}
-u_int32_t NullAuthAlgo::getMaxLength()
-{
- return MAX_LENGTH_;
-}
-
#ifndef NOCRYPT
//****** Sha1AuthAlgo ******
-Sha1AuthAlgo::Sha1AuthAlgo() : ctx_(NULL)
+Sha1AuthAlgo::Sha1AuthAlgo() : key_(DIGEST_LENGTH)
{
- gcry_error_t err = gcry_md_open( &ctx_, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC );
- if( err )
+#ifndef USE_SSL_CRYPTO
+ gcry_error_t err = gcry_md_open(&handle_, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC);
+ if(err) {
cLog.msg(Log::PRIO_CRIT) << "Sha1AuthAlgo::Sha1AuthAlgo: Failed to open message digest algo";
+ return;
+ }
+#else
+ HMAC_CTX_init(&ctx_);
+ HMAC_Init_ex(&ctx_, NULL, 0, EVP_sha1(), NULL);
+#endif
}
Sha1AuthAlgo::~Sha1AuthAlgo()
{
- if(ctx_)
- gcry_md_close( ctx_ );
+#ifndef USE_SSL_CRYPTO
+ if(handle_)
+ gcry_md_close(handle_);
+#else
+ HMAC_CTX_cleanup(&ctx_);
+#endif
}
-void Sha1AuthAlgo::setKey(Buffer& key)
+void Sha1AuthAlgo::generate(KeyDerivation& kd, EncryptedPacket& packet)
{
- if(!ctx_)
+ packet.addAuthTag();
+ if(!packet.getAuthTagLength())
return;
-
- gcry_error_t err = gcry_md_setkey( ctx_, key.getBuf(), key.getLength() );
- if( err ) {
- char buf[STERROR_TEXT_MAX];
- buf[0] = 0;
- cLog.msg(Log::PRIO_ERR) << "Sha1AuthAlgo::setKey: Failed to set cipher key: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX);
+
+ bool result = kd.generate(LABEL_SATP_MSG_AUTH, packet.getSeqNr(), key_);
+ if(result) { // a new key got generated
+#ifndef USE_SSL_CRYPTO
+ gcry_error_t err = gcry_md_setkey(handle_, key_.getBuf(), key_.getLength());
+ if(err) {
+ char buf[STERROR_TEXT_MAX];
+ buf[0] = 0;
+ cLog.msg(Log::PRIO_ERR) << "Sha1AuthAlgo::setKey: Failed to set hmac key: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX);
+ return;
+ }
+#else
+ HMAC_Init_ex(&ctx_, key_.getBuf(), key_.getLength(), EVP_sha1(), NULL);
+ }
+ else {
+ HMAC_Init_ex(&ctx_, NULL, 0, NULL, NULL);
+#endif
}
-}
-void Sha1AuthAlgo::generate(EncryptedPacket& packet)
-{
- if(!packet.getAuthTagLength())
- return;
+#ifndef USE_SSL_CRYPTO
+ gcry_md_reset(handle_);
+ gcry_md_write(handle_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength());
+ gcry_md_final(handle_);
+ u_int8_t* hmac = gcry_md_read(handle_, 0);
+#else
+ u_int8_t hmac[DIGEST_LENGTH];
+ HMAC_Update(&ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength());
+ HMAC_Final(&ctx_, hmac, NULL);
+#endif
- gcry_md_reset( ctx_ );
+ u_int8_t* tag = packet.getAuthTag();
+ u_int32_t length = (packet.getAuthTagLength() < DIGEST_LENGTH) ? packet.getAuthTagLength() : DIGEST_LENGTH;
- gcry_md_write( ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength() );
- gcry_md_final( ctx_ );
+ if(length > DIGEST_LENGTH)
+ std::memset(tag, 0, packet.getAuthTagLength());
- u_int8_t* tag = packet.getAuthTag();
- if(packet.getAuthTagLength() > MAX_LENGTH_)
- std::memset(tag, 0, (packet.getAuthTagLength() - MAX_LENGTH_));
-
- u_int8_t* hmac = gcry_md_read(ctx_, 0);
- u_int32_t length = (packet.getAuthTagLength() < MAX_LENGTH_) ? packet.getAuthTagLength() : MAX_LENGTH_;
- std::memcpy(&tag[packet.getAuthTagLength() - length], &hmac[MAX_LENGTH_ - length], length);
+ std::memcpy(&tag[packet.getAuthTagLength() - length], &hmac[DIGEST_LENGTH - length], length);
}
-bool Sha1AuthAlgo::checkTag(EncryptedPacket& packet)
+bool Sha1AuthAlgo::checkTag(KeyDerivation& kd, EncryptedPacket& packet)
{
+ packet.withAuthTag(true);
if(!packet.getAuthTagLength())
return true;
- gcry_md_reset( ctx_ );
+ bool result = kd.generate(LABEL_SATP_MSG_AUTH, packet.getSeqNr(), key_);
+ if(result) { // a new key got generated
+#ifndef USE_SSL_CRYPTO
+ gcry_error_t err = gcry_md_setkey(handle_, key_.getBuf(), key_.getLength());
+ if(err) {
+ char buf[STERROR_TEXT_MAX];
+ buf[0] = 0;
+ cLog.msg(Log::PRIO_ERR) << "Sha1AuthAlgo::setKey: Failed to set hmac key: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX);
+ return false;
+ }
+#else
+ HMAC_Init_ex(&ctx_, key_.getBuf(), key_.getLength(), EVP_sha1(), NULL);
+ }
+ else {
+ HMAC_Init_ex(&ctx_, NULL, 0, NULL, NULL);
+#endif
+ }
- gcry_md_write( ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength() );
- gcry_md_final( ctx_ );
+#ifndef USE_SSL_CRYPTO
+ gcry_md_reset(handle_);
+ gcry_md_write(handle_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength());
+ gcry_md_final(handle_);
+ u_int8_t* hmac = gcry_md_read(handle_, 0);
+#else
+ u_int8_t hmac[DIGEST_LENGTH];
+ HMAC_Update(&ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength());
+ HMAC_Final(&ctx_, hmac, NULL);
+#endif
u_int8_t* tag = packet.getAuthTag();
- if(packet.getAuthTagLength() > MAX_LENGTH_)
- for(u_int32_t i=0; i < (packet.getAuthTagLength() - MAX_LENGTH_); ++i)
- if(tag[i]) return false;
+ u_int32_t length = (packet.getAuthTagLength() < DIGEST_LENGTH) ? packet.getAuthTagLength() : DIGEST_LENGTH;
+
+ if(length > DIGEST_LENGTH)
+ for(u_int32_t i=0; i < (packet.getAuthTagLength() - DIGEST_LENGTH); ++i)
+ if(tag[i]) return false;
+
+ int ret = std::memcmp(&tag[packet.getAuthTagLength() - length], &hmac[DIGEST_LENGTH - length], length);
+ packet.removeAuthTag();
- u_int8_t* hmac = gcry_md_read(ctx_, 0);
- u_int32_t length = (packet.getAuthTagLength() < MAX_LENGTH_) ? packet.getAuthTagLength() : MAX_LENGTH_;
- if(std::memcmp(&tag[packet.getAuthTagLength() - length], &hmac[MAX_LENGTH_ - length], length))
+ if(ret)
return false;
return true;
-}
-u_int32_t Sha1AuthAlgo::getMaxLength()
-{
- return MAX_LENGTH_;
}
+
#endif
diff --git a/src/authAlgo.h b/src/authAlgo.h
index 3085673..be8d158 100644
--- a/src/authAlgo.h
+++ b/src/authAlgo.h
@@ -37,8 +37,13 @@
#include "encryptedPacket.h"
#ifndef NOCRYPT
+#ifndef USE_SSL_CRYPTO
#include <gcrypt.h>
+#else
+#include <openssl/hmac.h>
#endif
+#endif
+#include "keyDerivation.h"
class AuthAlgo
{
@@ -47,27 +52,16 @@ public:
virtual ~AuthAlgo() {};
/**
- * set the key for the auth algo
- * @param key key for hmac calculation
- */
- virtual void setKey(Buffer& key) = 0;
-
- /**
* generate the mac
* @param packet the packet to be authenticated
*/
- virtual void generate(EncryptedPacket& packet) = 0;
+ virtual void generate(KeyDerivation& kd, EncryptedPacket& packet) = 0;
/**
* check the mac
* @param packet the packet to be authenticated
*/
- virtual bool checkTag(EncryptedPacket& packet) = 0;
-
- /**
- * get the maximum size of the auth algo
- */
- virtual u_int32_t getMaxLength() = 0;
+ virtual bool checkTag(KeyDerivation& kd, EncryptedPacket& packet) = 0;
};
//****** NullAuthAlgo ******
@@ -75,12 +69,8 @@ public:
class NullAuthAlgo : public AuthAlgo
{
public:
- void setKey(Buffer& key) {};
- void generate(EncryptedPacket& packet);
- bool checkTag(EncryptedPacket& packet);
- u_int32_t getMaxLength();
-
- static const u_int32_t MAX_LENGTH_ = 0;
+ void generate(KeyDerivation& kd, EncryptedPacket& packet);
+ bool checkTag(KeyDerivation& kd, EncryptedPacket& packet);
};
#ifndef NOCRYPT
@@ -93,15 +83,19 @@ public:
Sha1AuthAlgo();
~Sha1AuthAlgo();
- void setKey(Buffer& key);
- void generate(EncryptedPacket& packet);
- bool checkTag(EncryptedPacket& packet);
- u_int32_t getMaxLength();
+ void generate(KeyDerivation& kd, EncryptedPacket& packet);
+ bool checkTag(KeyDerivation& kd, EncryptedPacket& packet);
- static const u_int32_t MAX_LENGTH_ = 20;
+ static const u_int32_t DIGEST_LENGTH = 20;
private:
- gcry_md_hd_t ctx_;
+#ifndef USE_SSL_CRYPTO
+ gcry_md_hd_t handle_;
+#else
+ HMAC_CTX ctx_;
+#endif
+
+ Buffer key_;
};
#endif