diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/anytun.cpp | 31 | ||||
-rw-r--r-- | src/authAlgo.cpp | 145 | ||||
-rw-r--r-- | src/authAlgo.h | 44 |
3 files changed, 118 insertions, 102 deletions
diff --git a/src/anytun.cpp b/src/anytun.cpp index 1e54378..e46731a 100644 --- a/src/anytun.cpp +++ b/src/anytun.cpp @@ -80,8 +80,6 @@ #include "daemon.hpp" #include "sysexec.hpp" -#define SESSION_KEYLEN_AUTH 20 // TODO: hardcoded size - void createConnection(const PacketSourceEndpoint & remote_end, window_size_t seqSize, mux_t mux) { SeqWindow * seq= new SeqWindow(seqSize); @@ -122,9 +120,6 @@ void sender(void* p) PlainPacket plain_packet(MAX_PACKET_LENGTH); EncryptedPacket encrypted_packet(MAX_PACKET_LENGTH); - Buffer session_auth_key(u_int32_t(SESSION_KEYLEN_AUTH)); // TODO: hardcoded size - - //TODO replace mux u_int16_t mux = gOpt.getMux(); PacketSourceEndpoint emptyEndpoint; while(1) @@ -180,12 +175,8 @@ void sender(void* p) conn.seq_nr_++; // add authentication tag - if(a->getMaxLength()) { - encrypted_packet.addAuthTag(); - conn.kd_.generate(LABEL_SATP_MSG_AUTH, encrypted_packet.getSeqNr(), session_auth_key); - a->setKey(session_auth_key); - a->generate(encrypted_packet); - } + a->generate(conn.kd_, encrypted_packet); + try { param->src.send(encrypted_packet.getBuf(), encrypted_packet.getLength(), conn.remote_end_); @@ -259,8 +250,6 @@ void receiver(void* p) EncryptedPacket encrypted_packet(MAX_PACKET_LENGTH); PlainPacket plain_packet(MAX_PACKET_LENGTH); - Buffer session_auth_key(u_int32_t(SESSION_KEYLEN_AUTH)); // TODO: hardcoded size - while(1) { PacketSourceEndpoint remote_end; @@ -287,17 +276,11 @@ void receiver(void* p) ConnectionParam & conn = cit->second; // check whether auth tag is ok or not - if(a->getMaxLength()) { - encrypted_packet.withAuthTag(true); - conn.kd_.generate(LABEL_SATP_MSG_AUTH, encrypted_packet.getSeqNr(), session_auth_key); - a->setKey(session_auth_key); - if(!a->checkTag(encrypted_packet)) { - cLog.msg(Log::PRIO_NOTICE) << "wrong Authentication Tag!" << std::endl; - continue; - } - encrypted_packet.removeAuthTag(); - } - + if(!a->checkTag(conn.kd_, encrypted_packet)) { + cLog.msg(Log::PRIO_NOTICE) << "wrong Authentication Tag!" << std::endl; + continue; + } + //Allow dynamic IP changes //TODO: add command line option to turn this off if (remote_end != conn.remote_end_) diff --git a/src/authAlgo.cpp b/src/authAlgo.cpp index 7689374..669308b 100644 --- a/src/authAlgo.cpp +++ b/src/authAlgo.cpp @@ -37,99 +37,138 @@ #include <iostream> #include <cstring> -#ifndef NOCRYPT -#include <gcrypt.h> -#endif - //****** NullAuthAlgo ****** -void NullAuthAlgo::generate(EncryptedPacket& packet) +void NullAuthAlgo::generate(KeyDerivation& kd, EncryptedPacket& packet) { } -bool NullAuthAlgo::checkTag(EncryptedPacket& packet) +bool NullAuthAlgo::checkTag(KeyDerivation& kd, EncryptedPacket& packet) { return true; } -u_int32_t NullAuthAlgo::getMaxLength() -{ - return MAX_LENGTH_; -} - #ifndef NOCRYPT //****** Sha1AuthAlgo ****** -Sha1AuthAlgo::Sha1AuthAlgo() : ctx_(NULL) +Sha1AuthAlgo::Sha1AuthAlgo() : key_(DIGEST_LENGTH) { - gcry_error_t err = gcry_md_open( &ctx_, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC ); - if( err ) +#ifndef USE_SSL_CRYPTO + gcry_error_t err = gcry_md_open(&handle_, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); + if(err) { cLog.msg(Log::PRIO_CRIT) << "Sha1AuthAlgo::Sha1AuthAlgo: Failed to open message digest algo"; + return; + } +#else + HMAC_CTX_init(&ctx_); + HMAC_Init_ex(&ctx_, NULL, 0, EVP_sha1(), NULL); +#endif } Sha1AuthAlgo::~Sha1AuthAlgo() { - if(ctx_) - gcry_md_close( ctx_ ); +#ifndef USE_SSL_CRYPTO + if(handle_) + gcry_md_close(handle_); +#else + HMAC_CTX_cleanup(&ctx_); +#endif } -void Sha1AuthAlgo::setKey(Buffer& key) +void Sha1AuthAlgo::generate(KeyDerivation& kd, EncryptedPacket& packet) { - if(!ctx_) + packet.addAuthTag(); + if(!packet.getAuthTagLength()) return; - - gcry_error_t err = gcry_md_setkey( ctx_, key.getBuf(), key.getLength() ); - if( err ) { - char buf[STERROR_TEXT_MAX]; - buf[0] = 0; - cLog.msg(Log::PRIO_ERR) << "Sha1AuthAlgo::setKey: Failed to set cipher key: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX); + + bool result = kd.generate(LABEL_SATP_MSG_AUTH, packet.getSeqNr(), key_); + if(result) { // a new key got generated +#ifndef USE_SSL_CRYPTO + gcry_error_t err = gcry_md_setkey(handle_, key_.getBuf(), key_.getLength()); + if(err) { + char buf[STERROR_TEXT_MAX]; + buf[0] = 0; + cLog.msg(Log::PRIO_ERR) << "Sha1AuthAlgo::setKey: Failed to set hmac key: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX); + return; + } +#else + HMAC_Init_ex(&ctx_, key_.getBuf(), key_.getLength(), EVP_sha1(), NULL); + } + else { + HMAC_Init_ex(&ctx_, NULL, 0, NULL, NULL); +#endif } -} -void Sha1AuthAlgo::generate(EncryptedPacket& packet) -{ - if(!packet.getAuthTagLength()) - return; +#ifndef USE_SSL_CRYPTO + gcry_md_reset(handle_); + gcry_md_write(handle_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength()); + gcry_md_final(handle_); + u_int8_t* hmac = gcry_md_read(handle_, 0); +#else + u_int8_t hmac[DIGEST_LENGTH]; + HMAC_Update(&ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength()); + HMAC_Final(&ctx_, hmac, NULL); +#endif - gcry_md_reset( ctx_ ); + u_int8_t* tag = packet.getAuthTag(); + u_int32_t length = (packet.getAuthTagLength() < DIGEST_LENGTH) ? packet.getAuthTagLength() : DIGEST_LENGTH; - gcry_md_write( ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength() ); - gcry_md_final( ctx_ ); + if(length > DIGEST_LENGTH) + std::memset(tag, 0, packet.getAuthTagLength()); - u_int8_t* tag = packet.getAuthTag(); - if(packet.getAuthTagLength() > MAX_LENGTH_) - std::memset(tag, 0, (packet.getAuthTagLength() - MAX_LENGTH_)); - - u_int8_t* hmac = gcry_md_read(ctx_, 0); - u_int32_t length = (packet.getAuthTagLength() < MAX_LENGTH_) ? packet.getAuthTagLength() : MAX_LENGTH_; - std::memcpy(&tag[packet.getAuthTagLength() - length], &hmac[MAX_LENGTH_ - length], length); + std::memcpy(&tag[packet.getAuthTagLength() - length], &hmac[DIGEST_LENGTH - length], length); } -bool Sha1AuthAlgo::checkTag(EncryptedPacket& packet) +bool Sha1AuthAlgo::checkTag(KeyDerivation& kd, EncryptedPacket& packet) { + packet.withAuthTag(true); if(!packet.getAuthTagLength()) return true; - gcry_md_reset( ctx_ ); + bool result = kd.generate(LABEL_SATP_MSG_AUTH, packet.getSeqNr(), key_); + if(result) { // a new key got generated +#ifndef USE_SSL_CRYPTO + gcry_error_t err = gcry_md_setkey(handle_, key_.getBuf(), key_.getLength()); + if(err) { + char buf[STERROR_TEXT_MAX]; + buf[0] = 0; + cLog.msg(Log::PRIO_ERR) << "Sha1AuthAlgo::setKey: Failed to set hmac key: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX); + return false; + } +#else + HMAC_Init_ex(&ctx_, key_.getBuf(), key_.getLength(), EVP_sha1(), NULL); + } + else { + HMAC_Init_ex(&ctx_, NULL, 0, NULL, NULL); +#endif + } - gcry_md_write( ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength() ); - gcry_md_final( ctx_ ); +#ifndef USE_SSL_CRYPTO + gcry_md_reset(handle_); + gcry_md_write(handle_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength()); + gcry_md_final(handle_); + u_int8_t* hmac = gcry_md_read(handle_, 0); +#else + u_int8_t hmac[DIGEST_LENGTH]; + HMAC_Update(&ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength()); + HMAC_Final(&ctx_, hmac, NULL); +#endif u_int8_t* tag = packet.getAuthTag(); - if(packet.getAuthTagLength() > MAX_LENGTH_) - for(u_int32_t i=0; i < (packet.getAuthTagLength() - MAX_LENGTH_); ++i) - if(tag[i]) return false; + u_int32_t length = (packet.getAuthTagLength() < DIGEST_LENGTH) ? packet.getAuthTagLength() : DIGEST_LENGTH; + + if(length > DIGEST_LENGTH) + for(u_int32_t i=0; i < (packet.getAuthTagLength() - DIGEST_LENGTH); ++i) + if(tag[i]) return false; + + int ret = std::memcmp(&tag[packet.getAuthTagLength() - length], &hmac[DIGEST_LENGTH - length], length); + packet.removeAuthTag(); - u_int8_t* hmac = gcry_md_read(ctx_, 0); - u_int32_t length = (packet.getAuthTagLength() < MAX_LENGTH_) ? packet.getAuthTagLength() : MAX_LENGTH_; - if(std::memcmp(&tag[packet.getAuthTagLength() - length], &hmac[MAX_LENGTH_ - length], length)) + if(ret) return false; return true; -} -u_int32_t Sha1AuthAlgo::getMaxLength() -{ - return MAX_LENGTH_; } + #endif diff --git a/src/authAlgo.h b/src/authAlgo.h index 3085673..be8d158 100644 --- a/src/authAlgo.h +++ b/src/authAlgo.h @@ -37,8 +37,13 @@ #include "encryptedPacket.h" #ifndef NOCRYPT +#ifndef USE_SSL_CRYPTO #include <gcrypt.h> +#else +#include <openssl/hmac.h> #endif +#endif +#include "keyDerivation.h" class AuthAlgo { @@ -47,27 +52,16 @@ public: virtual ~AuthAlgo() {}; /** - * set the key for the auth algo - * @param key key for hmac calculation - */ - virtual void setKey(Buffer& key) = 0; - - /** * generate the mac * @param packet the packet to be authenticated */ - virtual void generate(EncryptedPacket& packet) = 0; + virtual void generate(KeyDerivation& kd, EncryptedPacket& packet) = 0; /** * check the mac * @param packet the packet to be authenticated */ - virtual bool checkTag(EncryptedPacket& packet) = 0; - - /** - * get the maximum size of the auth algo - */ - virtual u_int32_t getMaxLength() = 0; + virtual bool checkTag(KeyDerivation& kd, EncryptedPacket& packet) = 0; }; //****** NullAuthAlgo ****** @@ -75,12 +69,8 @@ public: class NullAuthAlgo : public AuthAlgo { public: - void setKey(Buffer& key) {}; - void generate(EncryptedPacket& packet); - bool checkTag(EncryptedPacket& packet); - u_int32_t getMaxLength(); - - static const u_int32_t MAX_LENGTH_ = 0; + void generate(KeyDerivation& kd, EncryptedPacket& packet); + bool checkTag(KeyDerivation& kd, EncryptedPacket& packet); }; #ifndef NOCRYPT @@ -93,15 +83,19 @@ public: Sha1AuthAlgo(); ~Sha1AuthAlgo(); - void setKey(Buffer& key); - void generate(EncryptedPacket& packet); - bool checkTag(EncryptedPacket& packet); - u_int32_t getMaxLength(); + void generate(KeyDerivation& kd, EncryptedPacket& packet); + bool checkTag(KeyDerivation& kd, EncryptedPacket& packet); - static const u_int32_t MAX_LENGTH_ = 20; + static const u_int32_t DIGEST_LENGTH = 20; private: - gcry_md_hd_t ctx_; +#ifndef USE_SSL_CRYPTO + gcry_md_hd_t handle_; +#else + HMAC_CTX ctx_; +#endif + + Buffer key_; }; #endif |