diff options
| author | Christian Pointner <equinox@anytun.org> | 2014-06-21 18:26:51 +0000 |
|---|---|---|
| committer | Christian Pointner <equinox@anytun.org> | 2014-06-21 18:26:51 +0000 |
| commit | 01ef67da5564e1dcb380adead3e7f869fa3be2c8 (patch) | |
| tree | 2d61c96e2aed44703955ce731ffa28a5f055fff7 | |
| parent | refactored crypto lib selection (diff) | |
added defines for nettle as crypto lib
further improved selection of crypto lib
| -rw-r--r-- | README | 10 | ||||
| -rw-r--r-- | src/auth_algo.c | 22 | ||||
| -rw-r--r-- | src/auth_algo.h | 9 | ||||
| -rw-r--r-- | src/cipher.c | 24 | ||||
| -rw-r--r-- | src/cipher.h | 9 | ||||
| -rwxr-xr-x | src/configure | 13 | ||||
| -rw-r--r-- | src/init_crypt.h | 10 | ||||
| -rw-r--r-- | src/key_derivation.c | 41 | ||||
| -rw-r--r-- | src/key_derivation.h | 9 |
9 files changed, 119 insertions, 28 deletions
@@ -1,8 +1,8 @@ Dependencies ============ -uAnytun can be built by using either libgcrypt or the openssl-crypto library. -The latter is more performant in most cases but there are some license +uAnytun can be built by using either libgcrypt, libnettle or the openssl-crypto +library. The latter is more performant in most cases but there are some license issues when using this library. It also needs more space when installed. @@ -20,7 +20,13 @@ using ssl crypto library: build-essential libssl-dev +using nettle crypto library: + + build-essential + nettle-dev + if you want clang as compiler + clang if you want to rebuild the manpage: diff --git a/src/auth_algo.c b/src/auth_algo.c index 8ee3f49..87ea472 100644 --- a/src/auth_algo.c +++ b/src/auth_algo.c @@ -154,9 +154,12 @@ int auth_algo_sha1_init(auth_algo_t* aa) auth_algo_sha1_param_t* params = aa->params_; -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) HMAC_CTX_init(¶ms->ctx_); HMAC_Init_ex(¶ms->ctx_, NULL, 0, EVP_sha1(), NULL); +#elif defined(USE_NETTLE) + // TODO: nettle + #else // USE_GCRYPT is the default gcry_error_t err = gcry_md_open(¶ms->handle_, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); if(err) { @@ -176,8 +179,11 @@ void auth_algo_sha1_close(auth_algo_t* aa) if(aa->params_) { auth_algo_sha1_param_t* params = aa->params_; -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) HMAC_CTX_cleanup(¶ms->ctx_); +#elif defined(USE_NETTLE) + // TODO: nettle + #else // USE_GCRYPT is the default if(params->handle_) gcry_md_close(params->handle_); @@ -207,12 +213,16 @@ void auth_algo_sha1_generate(auth_algo_t* aa, key_derivation_t* kd, key_derivati if(ret < 0) return; -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); u_int8_t hmac[SHA1_LENGTH]; HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); HMAC_Final(¶ms->ctx_, hmac, NULL); +#elif defined(USE_NETTLE) + // TODO: nettle + u_int8_t hmac[SHA1_LENGTH]; + #else // USE_GCRYPT is the default gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_); if(err) { @@ -255,12 +265,16 @@ int auth_algo_sha1_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_derivati if(ret < 0) return 0; -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); u_int8_t hmac[SHA1_LENGTH]; HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); HMAC_Final(¶ms->ctx_, hmac, NULL); +#elif defined(USE_NETTLE) + // TODO: nettle + u_int8_t hmac[SHA1_LENGTH]; + #else // USE_GCRYPT is the default gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_); if(err) { diff --git a/src/auth_algo.h b/src/auth_algo.h index 2c20410..e800c8e 100644 --- a/src/auth_algo.h +++ b/src/auth_algo.h @@ -36,8 +36,10 @@ #ifndef UANYTUN_auth_algo_h_INCLUDED #define UANYTUN_auth_algo_h_INCLUDED -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) #include <openssl/hmac.h> +#elif defined(USE_NETTLE) +#include <nettle/hmac.h> #else // USE_GCRYPT is the default #include <gcrypt.h> #endif @@ -66,8 +68,11 @@ int auth_algo_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_derivation_di #define SHA1_LENGTH 20 struct auth_algo_sha1_param_struct { -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) HMAC_CTX ctx_; +#elif defined(USE_NETTLE) + // TOOD: nettle + #else // USE_GCRYPT is the default gcry_md_hd_t handle_; #endif diff --git a/src/cipher.c b/src/cipher.c index 03449a0..a2e7f5e 100644 --- a/src/cipher.c +++ b/src/cipher.c @@ -210,7 +210,12 @@ int cipher_aesctr_init(cipher_t* c) if(!c->params_) return -2; -#ifdef USE_GCRYPT +#if defined(USE_SSL_CRYPTO) + // nothing here +#elif defined(USE_NETTLE) + // TODO: nettle + +#else // USE_GCRYPT is the default int algo; switch(c->key_length_) { case 128: algo = GCRY_CIPHER_AES128; break; @@ -239,7 +244,12 @@ void cipher_aesctr_close(cipher_t* c) return; if(c->params_) { -#ifdef USE_GCRYPT +#if defined(USE_SSL_CRYPTO) + // nothing here +#elif defined(USE_NETTLE) + // TODO: nettle + +#else // USE_GCRYPT is the default cipher_aesctr_param_t* params = c->params_; gcry_cipher_close(params->handle_); #endif @@ -285,12 +295,15 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, key_derivation_di if(ret < 0) return ret; -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) ret = AES_set_encrypt_key(c->key_.buf_, c->key_length_, ¶ms->aes_key_); if(ret) { log_printf(ERROR, "failed to set cipher key (code: %d)", ret); return -1; } +#elif defined(USE_NETTLE) + // TODO: nettle + #else // USE_GCRYPT is the default gcry_error_t err = gcry_cipher_setkey(params->handle_, c->key_.buf_, c->key_.length_); if(err) { @@ -305,7 +318,7 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, key_derivation_di return ret; } -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) if(C_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) { log_printf(ERROR, "failed to set cipher CTR: size doesn't fit"); return -1; @@ -313,6 +326,9 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, key_derivation_di u_int32_t num = 0; memset(params->ecount_buf_, 0, AES_BLOCK_SIZE); AES_ctr128_encrypt(in, out, (ilen < olen) ? ilen : olen, ¶ms->aes_key_, params->ctr_.buf_, params->ecount_buf_, &num); +#elif defined(USE_NETTLE) + // TODO: nettle + #else // USE_GCRYPT is the default err = gcry_cipher_setctr(params->handle_, params->ctr_.buf_, C_AESCTR_CTR_LENGTH); if(err) { diff --git a/src/cipher.h b/src/cipher.h index d4506d4..8221a3c 100644 --- a/src/cipher.h +++ b/src/cipher.h @@ -37,8 +37,10 @@ #define UANYTUN_cipher_h_INCLUDED #ifndef NO_CRYPT -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) #include <openssl/aes.h> +#elif defined(USE_NETTLE) +#include <nettle/aes.h> #else // USE_GCRYPT is the default #include <gcrypt.h> #endif @@ -94,9 +96,12 @@ union __attribute__((__packed__)) cipher_aesctr_ctr_union { typedef union cipher_aesctr_ctr_union cipher_aesctr_ctr_t; struct cipher_aesctr_param_struct { -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) AES_KEY aes_key_; u_int8_t ecount_buf_[AES_BLOCK_SIZE]; +#elif defined(USE_NETTLE) + // TODO: nettle + #else // USE_GCRYPT is the default gcry_cipher_hd_t handle_; #endif diff --git a/src/configure b/src/configure index f764f89..04d5ac2 100755 --- a/src/configure +++ b/src/configure @@ -61,7 +61,8 @@ print_usage() { echo " --examplesdir=<DIR> the path to the examples files (default: $PREFIX/share/examples)" echo " --no-examples dont't install example files" echo " --use-gcrypt use libgcrypt (this is the default)" - echo " --use-ssl-crypto use ssl crypto library instead of libgcrypt" + echo " --use-nettle use libnettle instead of libgcrypt" + echo " --use-ssl-crypto use openssl crypto library instead of libgcrypt" echo " --no-crypto disable crypto at all (only NULL cipher)" echo " --disable-passphrase disable master key and salt passphrase" echo " --enable-passphrase enable master key and salt passphrase" @@ -101,6 +102,9 @@ do --use-gcrypt) CRYPTO_LIB='gcrypt' ;; + --use-nettle) + CRYPTO_LIB='nettle' + ;; --use-ssl-crypto) CRYPTO_LIB='ssl' ;; @@ -171,7 +175,12 @@ case $CRYPTO_LIB in gcrypt) CFLAGS=$CFLAGS' -DUSE_GCRYPT' LDFLAGS=$LDFLAGS' -lgcrypt' - echo "using libgcrypt library" + echo "using gcrypt library" + ;; + nettle) + CFLAGS=$CFLAGS' -DUSE_NETTLE' + LDFLAGS=$LDFLAGS' -lnettle' + echo "using nettle library" ;; ssl) CFLAGS=$CFLAGS' -DUSE_SSL_CRYPTO' diff --git a/src/init_crypt.h b/src/init_crypt.h index 47688c7..9a8849e 100644 --- a/src/init_crypt.h +++ b/src/init_crypt.h @@ -48,7 +48,15 @@ int init_crypt() #else -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + +int init_crypt() +{ +// nothing here + return 0; +} + +#elif defined(USE_NETTLE) int init_crypt() { diff --git a/src/key_derivation.c b/src/key_derivation.c index 7bd4d6e..998c10b 100644 --- a/src/key_derivation.c +++ b/src/key_derivation.c @@ -37,8 +37,11 @@ #include "key_derivation.h" -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) #include <openssl/sha.h> +#elif defined(USE_NETTLE) +#include <nettle/sha1.h> +#include <nettle/sha2.h> #endif #include "log.h" @@ -135,8 +138,10 @@ int key_derivation_generate_master_key(key_derivation_t* kd, const char* passphr return -1; } -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) if(key_length > (SHA256_DIGEST_LENGTH * 8)) { +#elif defined(USE_NETTLE) + if(key_length > (SHA256_DIGEST_SIZE * 8)) { #else // USE_GCRYPT is the default if(key_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA256) * 8)) { #endif @@ -145,8 +150,10 @@ int key_derivation_generate_master_key(key_derivation_t* kd, const char* passphr } buffer_t digest; -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) digest.length_ = SHA256_DIGEST_LENGTH; +#elif defined(USE_NETTLE) + digest.length_ = SHA256_DIGEST_SIZE; #else // USE_GCRYPT is the default digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA256); #endif @@ -155,8 +162,11 @@ int key_derivation_generate_master_key(key_derivation_t* kd, const char* passphr return -2; -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) SHA256((const u_int8_t*)passphrase, strlen(passphrase), digest.buf_); +#elif defined(USE_NETTLE) + // TODO: nettle + #else // USE_GCRYPT is the default gcry_md_hash_buffer(GCRY_MD_SHA256, digest.buf_, passphrase, strlen(passphrase)); #endif @@ -191,8 +201,10 @@ int key_derivation_generate_master_salt(key_derivation_t* kd, const char* passph return -1; } -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) if(salt_length > (SHA_DIGEST_LENGTH * 8)) { +#elif defined(USE_NETTLE) + if(salt_length > (SHA1_DIGEST_SIZE * 8)) { #else // USE_GCRYPT is the default if(salt_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA1) * 8)) { #endif @@ -201,8 +213,10 @@ int key_derivation_generate_master_salt(key_derivation_t* kd, const char* passph } buffer_t digest; -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) digest.length_ = SHA_DIGEST_LENGTH; +#elif defined(USE_NETTLE) + digest.length_ = SHA1_DIGEST_SIZE; #else // USE_GCRYPT is the default digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA1); #endif @@ -210,8 +224,11 @@ int key_derivation_generate_master_salt(key_derivation_t* kd, const char* passph if(!digest.buf_) return -2; -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) SHA1((const u_int8_t*)passphrase, strlen(passphrase), digest.buf_); +#elif defined(USE_NETTLE) + // TODO: nettle + #else // USE_GCRYPT is the default gcry_md_hash_buffer(GCRY_MD_SHA1, digest.buf_, passphrase, strlen(passphrase)); #endif @@ -345,12 +362,15 @@ int key_derivation_aesctr_init(key_derivation_t* kd, const char* passphrase) } #endif -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) int ret = AES_set_encrypt_key(kd->master_key_.buf_, kd->master_key_.length_*8, ¶ms->aes_key_); if(ret) { log_printf(ERROR, "failed to set key derivation ssl aes-key (code: %d)", ret); return -1; } +#elif defined(USE_NETTLE) + // TODO: nettle + #else // USE_GCRYPT is the default int algo; switch(kd->key_length_) { @@ -428,7 +448,7 @@ int key_derivation_aesctr_generate(key_derivation_t* kd, key_derivation_dir_t di return -1; } -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) if(KD_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) { log_printf(ERROR, "failed to set key derivation CTR: size don't fits"); return -1; @@ -437,6 +457,9 @@ int key_derivation_aesctr_generate(key_derivation_t* kd, key_derivation_dir_t di memset(params->ecount_buf_, 0, AES_BLOCK_SIZE); memset(key, 0, len); AES_ctr128_encrypt(key, key, len, ¶ms->aes_key_, params->ctr_.buf_, params->ecount_buf_, &num); +#elif defined(USE_NETTLE) + // TODO: nettle + #else // USE_GCRYPT is the default gcry_error_t err = gcry_cipher_reset(params->handle_); if(err) { diff --git a/src/key_derivation.h b/src/key_derivation.h index 0d3c93f..01c9a26 100644 --- a/src/key_derivation.h +++ b/src/key_derivation.h @@ -36,8 +36,10 @@ #ifndef UANYTUN_key_derivation_h_INCLUDED #define UANYTUN_key_derivation_h_INCLUDED -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) #include <openssl/aes.h> +#elif defined(USE_NETTLE) +#include <nettle/aes.h> #else // USE_GCRYPT is the default #include <gcrypt.h> #endif @@ -103,9 +105,12 @@ union __attribute__((__packed__)) key_derivation_aesctr_ctr_union { typedef union key_derivation_aesctr_ctr_union key_derivation_aesctr_ctr_t; struct key_derivation_aesctr_param_struct { -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) AES_KEY aes_key_; u_int8_t ecount_buf_[AES_BLOCK_SIZE]; +#elif defined(USE_NETTLE) + // TODO: nettle + #else // USE_GCRYPT is the default gcry_cipher_hd_t handle_; #endif |