From c01ff56f61b28d0a909f46b95182b5a26aaa6cd3 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Mon, 4 Feb 2008 20:34:37 +0000 Subject: fixed bug @ sync key gets updatet @ sync --- anytun.cpp | 66 +++++++++++++++++++++++++++++++++++++++++------------ connectionList.cpp | 18 +++++++++++++++ connectionList.h | 1 + keyDerivation.cpp | 67 +++++++++++++++--------------------------------------- keyDerivation.h | 11 +++++---- plainPacket.cpp | 4 +++- syncCommand.h | 4 ++-- 7 files changed, 100 insertions(+), 71 deletions(-) diff --git a/anytun.cpp b/anytun.cpp index 925e5dd..0e7b01b 100644 --- a/anytun.cpp +++ b/anytun.cpp @@ -70,26 +70,26 @@ #define SESSION_KEYLEN_ENCR 16 #define SESSION_KEYLEN_SALT 14 -uint8_t key[] = { - 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', - 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', - 'q', 'r', 's', 't' -}; - -uint8_t salt[] = { - 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', - 'i', 'j', 'k', 'l', 'm', 'n' -}; - void createConnection(const std::string & remote_host , u_int16_t remote_port, ConnectionList & cl, u_int16_t seqSize, SyncQueue & queue) { + uint8_t key[] = { + 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', + 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p' + }; + + uint8_t salt[] = { + 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', + 'i', 'j', 'k', 'l', 'm', 'n' + }; SeqWindow * seq= new SeqWindow(seqSize); seq_nr_t seq_nr_=0; KeyDerivation * kd = new KeyDerivation; kd->init(Buffer(key, sizeof(key)), Buffer(salt, sizeof(salt))); cLog.msg(Log::PRIO_NOTICE) << "added connection remote host " << remote_host << ":" << remote_port; + ConnectionParam connparam ( (*kd), (*seq), seq_nr_, remote_host, remote_port); + cl.addConnection(connparam,0); SyncCommand sc (cl,0); queue.push(sc); 
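Review bot: The master key and salt in createConnection are still the fixed byte strings 'a'..'p' and 'a'..'n', so every build derives its session keys from the same publicly known input; moving the arrays into the function and trimming the key to 16 bytes does not change that. The same two arrays are duplicated in ConnectionList::getOrNewConnection in connectionList.cpp. If they are placeholders until real key provisioning exists, say so at both sites, e.g. `// TODO: placeholder master key/salt, replace with configured or negotiated key material`, and keep a single definition so the two copies cannot drift apart. The `new SeqWindow` and `new KeyDerivation` objects are handed to ConnectionParam by dereference; who deletes them is not visible in this hunk.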
@@ -282,9 +282,9 @@ void* receiver(void* p) c->decrypt(packet, plain_packet); // check payload_type and remove it - if((param->dev.getType() == TunDevice::TYPE_TUN && plain_packet.getPayloadType() != PAYLOAD_TYPE_TUN) || - (param->dev.getType() == TunDevice::TYPE_TAP && plain_packet.getPayloadType() != PAYLOAD_TYPE_TAP)) - continue; + if((param->dev.getType() == TunDevice::TYPE_TUN && plain_packet.getPayloadType() != PAYLOAD_TYPE_TUN) || + (param->dev.getType() == TunDevice::TYPE_TAP && plain_packet.getPayloadType() != PAYLOAD_TYPE_TAP)) + continue; // write it on the device param->dev.write(plain_packet); @@ -292,6 +292,43 @@ void* receiver(void* p) pthread_exit(NULL); } +#define MIN_GCRYPT_VERSION "1.2.3" +#define GCRYPT_SEC_MEM 32768 // 32k secure memory + +void initLibGCrypt() +{ + gcry_error_t err; + // No other library has already initialized libgcrypt. + if( !gcry_control(GCRYCTL_ANY_INITIALIZATION_P) ) + { + if( !gcry_check_version( MIN_GCRYPT_VERSION ) ) { + cLog.msg(Log::PRIO_ERR) << "KeyDerivation::init: Invalid Version of libgcrypt, should be >= " << MIN_GCRYPT_VERSION; + return; + } + + // do NOT allocate a pool of secure memory! + // this is NOT thread safe! + + /* Allocate a pool of 16k secure memory. This also drops priviliges + * on some systems. */ + err = gcry_control(GCRYCTL_INIT_SECMEM, GCRYPT_SEC_MEM, 0); + if( err ) + { + cLog.msg(Log::PRIO_ERR) << "Failed to allocate " << GCRYPT_SEC_MEM << " bytes of secure memory: " << gpg_strerror( err ); + return; + } + + /* Tell Libgcrypt that initialization has completed. */ + err = gcry_control(GCRYCTL_INITIALIZATION_FINISHED); + if( err ) { + cLog.msg(Log::PRIO_ERR) << "KeyDerivation::init: Failed to finish the initialization of libgcrypt: " << gpg_strerror( err ); + return; + } else { + cLog.msg(Log::PRIO_NOTICE) << "KeyDerivation::init: libgcrypt init finished"; + } + } +} + // make libgcrypt thread safe extern "C" { 
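Review bot: initLibGCrypt() returns void and only logs when gcry_check_version, GCRYCTL_INIT_SECMEM or GCRYCTL_INITIALIZATION_FINISHED fails, so main, which calls it in the next hunk without any check, goes on to create its threads with a library that is not fully initialised. Returning a status and stopping on failure would close that gap: `bool initLibGCrypt()` with `return false;` on each error path, and `if(!initLibGCrypt()) return -1;` in main. The comments that moved along with the code contradict it: one says not to allocate secure memory because it is not thread safe, the next allocates it, and it names 16k while GCRYPT_SEC_MEM is 32768. The log prefixes still read `KeyDerivation::init:` although the code now lives in a free function.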
@@ -336,6 +373,7 @@ int main(int argc, char* argv[]) // make libgcrypt thread safe gcry_control( GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread ); + initLibGCrypt(); pthread_t senderThread; pthread_create(&senderThread, NULL, sender, &p); diff --git a/connectionList.cpp b/connectionList.cpp index 3b1c528..f4d9cde 100644 --- a/connectionList.cpp +++ b/connectionList.cpp @@ -69,12 +69,25 @@ const ConnectionMap::iterator ConnectionList::getConnection(u_int16_t mux) ConnectionParam & ConnectionList::getOrNewConnection(u_int16_t mux) { Lock lock(mutex_); + ConnectionMap::iterator it = connections_.find(mux); if(it!=connections_.end()) return it->second; + + uint8_t key[] = { + 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', + 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p' + }; + + uint8_t salt[] = { + 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', + 'i', 'j', 'k', 'l', 'm', 'n' + }; + SeqWindow * seq= new SeqWindow(0); seq_nr_t seq_nr_=0; KeyDerivation * kd = new KeyDerivation; + kd->init(Buffer(key, sizeof(key)), Buffer(salt, sizeof(salt))); ConnectionParam conn ( (*kd), (*seq), seq_nr_, "", 0); connections_.insert(ConnectionMap::value_type(mux, conn)); it = connections_.find(mux); @@ -92,3 +105,8 @@ bool ConnectionList::empty() Lock lock(mutex_); return connections_.empty(); } + +Mutex& ConnectionList::getMutex() +{ + return mutex_; +} diff --git a/connectionList.h b/connectionList.h index 670f077..6cd24b4 100644 --- a/connectionList.h +++ b/connectionList.h @@ -51,6 +51,7 @@ public: ConnectionParam & getOrNewConnection(u_int16_t mux); bool empty(); void clear(); + Mutex& getMutex(); private: ConnectionList(const ConnectionList &s); diff --git a/keyDerivation.cpp b/keyDerivation.cpp index 911ea87..893825c 100644 --- a/keyDerivation.cpp +++ b/keyDerivation.cpp 
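Review bot: getOrNewConnection keys every on-demand connection with the built-in constant key and inserts it into connections_ before the caller has read the synced state into it. If the following `ar & conn` in SyncCommand::serialize throws or the record is incomplete, the entry presumably stays in the map still keyed with that constant. Consider inserting the entry only after the state has been read successfully, or marking it unusable until then. kd->init() also returns void, so a failed gcry_cipher_open here leaves cipher_ NULL for the later updateKey() call.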
@@ -41,55 +41,37 @@ #include -const char* KeyDerivation::MIN_GCRYPT_VERSION = "1.2.3"; - void KeyDerivation::init(Buffer key, Buffer salt) { Lock lock(mutex_); gcry_error_t err; - // No other library has already initialized libgcrypt. - if( !gcry_control(GCRYCTL_ANY_INITIALIZATION_P) ) - { - if( !gcry_check_version( MIN_GCRYPT_VERSION ) ) { - cLog.msg(Log::PRIO_ERR) << "KeyDerivation::init: Invalid Version of libgcrypt, should be >= " << MIN_GCRYPT_VERSION; - return; - } - - // do NOT allocate a pool of secure memory! - // this is NOT thread safe! - - /* Allocate a pool of 16k secure memory. This also drops priviliges - * on some systems. */ - err = gcry_control(GCRYCTL_INIT_SECMEM, GCRYPT_SEC_MEM, 0); - if( err ) - { - cLog.msg(Log::PRIO_ERR) << "Failed to allocate " << GCRYPT_SEC_MEM << " bytes of secure memory: " << gpg_strerror( err ); - return; - } - - /* Tell Libgcrypt that initialization has completed. */ - err = gcry_control(GCRYCTL_INITIALIZATION_FINISHED); - if( err ) { - cLog.msg(Log::PRIO_ERR) << "KeyDerivation::init: Failed to finish the initialization of libgcrypt: " << gpg_strerror( err ); - return; - } else { - cLog.msg(Log::PRIO_NOTICE) << "KeyDerivation::init: libgcrypt init finished"; - } - } - + // TODO: hardcoded keysize! err = gcry_cipher_open( &cipher_, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 0 ); if( err ) { cLog.msg(Log::PRIO_ERR) << "KeyDerivation::init: Failed to open cipher: " << gpg_strerror( err ); return; } - // FIXXME: hardcoded keysize! 
- err = gcry_cipher_setkey( cipher_, key.getBuf(), 16 ); + salt_ = SyncBuffer(salt); + key_ = SyncBuffer(key); + + updateKey(); +} + +void KeyDerivation::updateKey() +{ + gcry_error_t err; + + err = gcry_cipher_setkey( cipher_, key_.getBuf(), key_.getLength() ); if( err ) cLog.msg(Log::PRIO_ERR) << "KeyDerivation::init: Failed to set cipher key: " << gpg_strerror( err ); +} - salt_ = SyncBuffer(salt); +KeyDerivation::~KeyDerivation() +{ + Lock lock(mutex_); + gcry_cipher_close( cipher_ ); } void KeyDerivation::setLogKDRate(const uint8_t log_rate) @@ -99,7 +81,6 @@ void KeyDerivation::setLogKDRate(const uint8_t log_rate) ld_kdr_ = log_rate; } - void KeyDerivation::generate(satp_prf_label label, seq_nr_t seq_nr, Buffer& key, u_int32_t length) { ////Lock lock(mutex_); @@ -120,7 +101,7 @@ void KeyDerivation::generate(satp_prf_label label, seq_nr_t seq_nr, Buffer& key, if( ld_kdr_ == -1 ) // means key_derivation_rate = 0 r = 0; else - // FIXXME: kdr can be greater than 2^32 (= 2^48) + // TODO: kdr can be greater than 2^32 (= 2^48) r = static_cast(seq_nr / ( 0x01 << ld_kdr_ )); r = r.mul2exp(8); @@ -144,15 +125,3 @@ void KeyDerivation::generate(satp_prf_label label, seq_nr_t seq_nr, Buffer& key, if( err ) cLog.msg(Log::PRIO_ERR) << "KeyDerivation::generate: Failed to generate cipher bitstream: " << gpg_strerror( err ); } - - -void KeyDerivation::clear() -{ - Lock lock(mutex_); - gcry_cipher_close( cipher_ ); -} - -u_int32_t KeyDerivation::bufferGetLength() const -{ - return salt_.getLength(); -} diff --git a/keyDerivation.h b/keyDerivation.h index 214a1a4..e313795 100644 --- a/keyDerivation.h +++ b/keyDerivation.h 
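Review bot: updateKey() passes key_.getLength() to gcry_cipher_setkey while the handle is opened as GCRY_CIPHER_AES128, and a failure is only logged, so a key buffer that is not 16 bytes leaves the handle without the intended key while generate() carries on. Since key_ is now also filled from the sync archive, check the length before use, e.g. `if( key_.getLength() != gcry_cipher_get_algo_keylen(GCRY_CIPHER_AES128) )`, and report the failure to the caller instead of returning void. updateKey() also uses cipher_ without checking that init() managed to open it, and its log prefix still says `KeyDerivation::init`. The new destructor takes mutex_ and closes the handle, which is only safe if no other thread can still be inside generate(), whose lock is commented out.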
@@ -52,15 +52,15 @@ class KeyDerivation { public: KeyDerivation() : ld_kdr_(-1), salt_(0), cipher_(NULL) {}; - virtual ~KeyDerivation() {}; + virtual ~KeyDerivation(); void init(Buffer key, Buffer salt); void setLogKDRate(const u_int8_t ld_rate); void generate(satp_prf_label label, seq_nr_t seq_nr, Buffer& key, u_int32_t length); - void clear(); - u_int32_t bufferGetLength() const; private: + void updateKey(); + KeyDerivation(const KeyDerivation & src); friend class boost::serialization::access; template @@ -69,13 +69,14 @@ private: Lock lock(mutex_); ar & ld_kdr_; ar & salt_; + ar & key_; + updateKey(); } protected: int8_t ld_kdr_; // ld(key_derivation_rate) SyncBuffer salt_; - static const char* MIN_GCRYPT_VERSION; - static const u_int32_t GCRYPT_SEC_MEM = 32768; // 32k secure memory + SyncBuffer key_; gcry_cipher_hd_t cipher_; Mutex mutex_; diff --git a/plainPacket.cpp b/plainPacket.cpp index 7baef0b..50b8280 100644 --- a/plainPacket.cpp +++ b/plainPacket.cpp @@ -46,6 +46,7 @@ PlainPacket::~PlainPacket() PlainPacket::PlainPacket(u_int32_t max_payload_length) : Buffer(max_payload_length + sizeof(payload_type_t)) { + payload_type_ = NULL; splitPayload(); } @@ -73,7 +74,8 @@ payload_type_t PlainPacket::getPayloadType() const void PlainPacket::setPayloadType(payload_type_t payload_type) { - *payload_type_ = PAYLOAD_TYPE_T_HTON(payload_type); + if(payload_type_) + *payload_type_ = PAYLOAD_TYPE_T_HTON(payload_type); } void PlainPacket::setLength(u_int32_t length) diff --git a/syncCommand.h b/syncCommand.h index c556cfb..e8f66a7 100644 --- a/syncCommand.h +++ b/syncCommand.h @@ -22,7 +22,7 @@ private: template void serialize(Archive & ar, const unsigned int version) { - Lock lock(mutex_); + Lock lock(cl_.getMutex()); ar & mux_; ConnectionParam & conn = cl_.getOrNewConnection(mux_); ar & conn; @@ -30,4 +30,4 @@ private: }; -#endif // _SYNCSOCKET_H +#endif // _SYNCCOMMAND_H -- cgit v1.2.3
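Review bot: Adding `ar & key_;` to serialize puts the master key into every archive that contains a KeyDerivation, so the key now travels over the sync channel in whatever form the archive uses. Whether that channel is encrypted and authenticated is not visible in this patch and should be confirmed before relying on it. Because boost calls the same serialize template for saving and loading, `updateKey()` also runs on every save, re-keying a cipher whose key did not change. A short comment at the new line would help, e.g. `// key_ is synced so peers derive the same session keys; the sync transport must protect it`.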
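Review bot: setPayloadType now silently does nothing when payload_type_ is NULL, so the caller gets no signal that the type was not written and the buffer keeps whatever it held at that position. getPayloadType's body is outside this hunk; if it dereferences payload_type_ without the same check, the guard should be mirrored there. The constructor hunk above sets `payload_type_ = NULL;` in the body right before splitPayload(); the member-initialiser list is the more usual place for it.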
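Review bot: serialize in syncCommand.h now holds `Lock lock(cl_.getMutex());` and then calls `cl_.getOrNewConnection(mux_)`, which takes `Lock lock(mutex_)` on the same ConnectionList mutex, so one thread locks it twice. Unless Mutex is recursive (its definition is not part of this patch), that call never returns on the first sync message. The outer lock is what covers `ar & conn`, so the fix is rather an internal lookup that expects the mutex to be held already and is called from serialize. Handing out the private mutex through getMutex() also lets any caller take it, which makes the lock order harder to reason about.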