diff options
| author | Christian Pointner <equinox@anytun.org> | 2014-06-21 19:48:12 +0000 |
|---|---|---|
| committer | Christian Pointner <equinox@anytun.org> | 2014-06-21 19:48:12 +0000 |
| commit | b0eb467680943a45f7ef2346d37efce073b837b2 (patch) | |
| tree | 6b26bf687a2e6fb22f57db12b7b14ea70a91a210 | |
| parent | fixed typo in description (diff) | |
| parent | implemented key derivation in nettle (diff) | |
merged nettle branch to trunk
| -rw-r--r-- | README | 10 | ||||
| -rw-r--r-- | src/auth_algo.c | 62 | ||||
| -rw-r--r-- | src/auth_algo.h | 16 | ||||
| -rw-r--r-- | src/cipher.c | 47 | ||||
| -rw-r--r-- | src/cipher.h | 16 | ||||
| -rwxr-xr-x | src/configure | 14 | ||||
| -rw-r--r-- | src/init_crypt.h | 26 | ||||
| -rw-r--r-- | src/key_derivation.c | 107 | ||||
| -rw-r--r-- | src/key_derivation.h | 16 |
9 files changed, 208 insertions, 106 deletions
@@ -1,8 +1,8 @@ Dependencies ============ -uAnytun can be built by using either libgcrypt or the openssl-crypto library. -The latter is more performant in most cases but there are some license +uAnytun can be built by using either libgcrypt, libnettle or the openssl-crypto +library. The latter is more performant in most cases but there are some license issues when using this library. It also needs more space when installed. @@ -20,7 +20,13 @@ using ssl crypto library: build-essential libssl-dev +using nettle crypto library: + + build-essential + nettle-dev + if you want clang as compiler + clang if you want to rebuild the manpage: diff --git a/src/auth_algo.c b/src/auth_algo.c index e9b6d0f..e1f5de5 100644 --- a/src/auth_algo.c +++ b/src/auth_algo.c @@ -152,17 +152,19 @@ int auth_algo_sha1_init(auth_algo_t* aa) if(!aa->params_) return -2; +#if defined(USE_SSL_CRYPTO) + auth_algo_sha1_param_t* params = aa->params_; + HMAC_CTX_init(¶ms->ctx_); + HMAC_Init_ex(¶ms->ctx_, NULL, 0, EVP_sha1(), NULL); +#elif defined(USE_NETTLE) + // nothing here +#else // USE_GCRYPT is the default auth_algo_sha1_param_t* params = aa->params_; - -#ifndef USE_SSL_CRYPTO gcry_error_t err = gcry_md_open(¶ms->handle_, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); if(err) { log_printf(ERROR, "failed to open message digest algo: %s", gcry_strerror(err)); return -1; } -#else - HMAC_CTX_init(¶ms->ctx_); - HMAC_Init_ex(¶ms->ctx_, NULL, 0, EVP_sha1(), NULL); #endif return 0; @@ -174,13 +176,15 @@ void auth_algo_sha1_close(auth_algo_t* aa) return; if(aa->params_) { +#if defined(USE_SSL_CRYPTO) + auth_algo_sha1_param_t* params = aa->params_; + HMAC_CTX_cleanup(¶ms->ctx_); +#elif defined(USE_NETTLE) + // nothing here +#else // USE_GCRYPT is the default auth_algo_sha1_param_t* params = aa->params_; - -#ifndef USE_SSL_CRYPTO if(params->handle_) gcry_md_close(params->handle_); -#else - HMAC_CTX_cleanup(¶ms->ctx_); #endif free(aa->params_); @@ -207,7 +211,19 @@ void auth_algo_sha1_generate(auth_algo_t* aa, key_derivation_t* kd, key_derivati if(ret < 0) return; -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); + + u_int8_t hmac[SHA1_LENGTH]; + HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); + HMAC_Final(¶ms->ctx_, hmac, NULL); +#elif defined(USE_NETTLE) + hmac_sha1_set_key(¶ms->ctx_, aa->key_.length_, aa->key_.buf_); + + u_int8_t hmac[SHA1_LENGTH]; + hmac_sha1_update(¶ms->ctx_, encrypted_packet_get_auth_portion_length(packet), encrypted_packet_get_auth_portion(packet)); + hmac_sha1_digest(¶ms->ctx_, SHA1_LENGTH, hmac); +#else // USE_GCRYPT is the default gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_); if(err) { log_printf(ERROR, "failed to set hmac key: %s", gcry_strerror(err)); @@ -218,12 +234,6 @@ void auth_algo_sha1_generate(auth_algo_t* aa, key_derivation_t* kd, key_derivati gcry_md_write(params->handle_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); gcry_md_final(params->handle_); u_int8_t* hmac = gcry_md_read(params->handle_, 0); -#else - HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); - - u_int8_t hmac[SHA1_LENGTH]; - HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); - HMAC_Final(¶ms->ctx_, hmac, NULL); #endif u_int8_t* tag = encrypted_packet_get_auth_tag(packet); @@ -255,7 +265,19 @@ int auth_algo_sha1_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_derivati if(ret < 0) return 0; -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); + + u_int8_t hmac[SHA1_LENGTH]; + HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); + HMAC_Final(¶ms->ctx_, hmac, NULL); +#elif defined(USE_NETTLE) + hmac_sha1_set_key(¶ms->ctx_, aa->key_.length_, aa->key_.buf_); + + u_int8_t hmac[SHA1_LENGTH]; + hmac_sha1_update(¶ms->ctx_, encrypted_packet_get_auth_portion_length(packet), encrypted_packet_get_auth_portion(packet)); + hmac_sha1_digest(¶ms->ctx_, SHA1_LENGTH, hmac); +#else // USE_GCRYPT is the default gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_); if(err) { log_printf(ERROR, "failed to set hmac key: %s", gcry_strerror(err)); @@ -266,12 +288,6 @@ int auth_algo_sha1_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_derivati gcry_md_write(params->handle_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); gcry_md_final(params->handle_); u_int8_t* hmac = gcry_md_read(params->handle_, 0); -#else - HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); - - u_int8_t hmac[SHA1_LENGTH]; - HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); - HMAC_Final(¶ms->ctx_, hmac, NULL); #endif u_int8_t* tag = encrypted_packet_get_auth_tag(packet); diff --git a/src/auth_algo.h b/src/auth_algo.h index c3caaa6..b8a20b8 100644 --- a/src/auth_algo.h +++ b/src/auth_algo.h @@ -36,10 +36,12 @@ #ifndef UANYTUN_auth_algo_h_INCLUDED #define UANYTUN_auth_algo_h_INCLUDED -#ifndef USE_SSL_CRYPTO -#include <gcrypt.h> -#else +#if defined(USE_SSL_CRYPTO) #include <openssl/hmac.h> +#elif defined(USE_NETTLE) +#include <nettle/hmac.h> +#else // USE_GCRYPT is the default +#include <gcrypt.h> #endif #include "key_derivation.h" #include "encrypted_packet.h" @@ -66,10 +68,12 @@ int auth_algo_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_derivation_di #define SHA1_LENGTH 20 struct auth_algo_sha1_param_struct { -#ifndef USE_SSL_CRYPTO - gcry_md_hd_t handle_; -#else +#if defined(USE_SSL_CRYPTO) HMAC_CTX ctx_; +#elif defined(USE_NETTLE) + struct hmac_sha1_ctx ctx_; +#else // USE_GCRYPT is the default + gcry_md_hd_t handle_; #endif }; typedef struct auth_algo_sha1_param_struct auth_algo_sha1_param_t; diff --git a/src/cipher.c b/src/cipher.c index 6f08eef..9afd84a 100644 --- a/src/cipher.c +++ b/src/cipher.c @@ -39,6 +39,9 @@ #include "encrypted_packet.h" #include "cipher.h" +#if defined(USE_NETTLE) +#include <nettle/ctr.h> +#endif #include "log.h" @@ -210,7 +213,11 @@ int cipher_aesctr_init(cipher_t* c) if(!c->params_) return -2; -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + // nothing here +#elif defined(USE_NETTLE) + // nothing here +#else // USE_GCRYPT is the default int algo; switch(c->key_length_) { case 128: algo = GCRY_CIPHER_AES128; break; @@ -239,7 +246,11 @@ void cipher_aesctr_close(cipher_t* c) return; if(c->params_) { -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + // nothing here +#elif defined(USE_NETTLE) + // nothing here +#else // USE_GCRYPT is the default cipher_aesctr_param_t* params = c->params_; gcry_cipher_close(params->handle_); #endif @@ -285,13 +296,15 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, key_derivation_di if(ret < 0) return ret; -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) ret = AES_set_encrypt_key(c->key_.buf_, c->key_length_, ¶ms->aes_key_); if(ret) { - log_printf(ERROR, "failed to set cipher ssl aes-key (code: %d)", ret); + log_printf(ERROR, "failed to set cipher key (code: %d)", ret); return -1; } -#else +#elif defined(USE_NETTLE) + aes_set_encrypt_key(¶ms->ctx_, c->key_.length_, c->key_.buf_); +#else // USE_GCRYPT is the default gcry_error_t err = gcry_cipher_setkey(params->handle_, c->key_.buf_, c->key_.length_); if(err) { log_printf(ERROR, "failed to set cipher key: %s", gcry_strerror(err)); @@ -305,7 +318,21 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, key_derivation_di return ret; } -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + if(C_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) { + log_printf(ERROR, "failed to set cipher CTR: size doesn't fit"); + return -1; + } + u_int32_t num = 0; + memset(params->ecount_buf_, 0, AES_BLOCK_SIZE); + AES_ctr128_encrypt(in, out, (ilen < olen) ? ilen : olen, ¶ms->aes_key_, params->ctr_.buf_, params->ecount_buf_, &num); +#elif defined(USE_NETTLE) + if(C_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) { + log_printf(ERROR, "failed to set cipher CTR: size doesn't fit"); + return -1; + } + ctr_crypt(¶ms->ctx_, (nettle_crypt_func *)(aes_encrypt), AES_BLOCK_SIZE, params->ctr_.buf_, (ilen < olen) ? ilen : olen, out, in); +#else // USE_GCRYPT is the default err = gcry_cipher_setctr(params->handle_, params->ctr_.buf_, C_AESCTR_CTR_LENGTH); if(err) { log_printf(ERROR, "failed to set cipher CTR: %s", gcry_strerror(err)); @@ -317,14 +344,6 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, key_derivation_di log_printf(ERROR, "failed to de/encrypt packet: %s", gcry_strerror(err)); return -1; } -#else - if(C_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) { - log_printf(ERROR, "failed to set cipher CTR: size don't fits"); - return -1; - } - u_int32_t num = 0; - memset(params->ecount_buf_, 0, AES_BLOCK_SIZE); - AES_ctr128_encrypt(in, out, (ilen < olen) ? ilen : olen, ¶ms->aes_key_, params->ctr_.buf_, params->ecount_buf_, &num); #endif return (ilen < olen) ? ilen : olen; diff --git a/src/cipher.h b/src/cipher.h index 5758fde..e5976b0 100644 --- a/src/cipher.h +++ b/src/cipher.h @@ -37,10 +37,12 @@ #define UANYTUN_cipher_h_INCLUDED #ifndef NO_CRYPT -#ifndef USE_SSL_CRYPTO -#include <gcrypt.h> -#else +#if defined(USE_SSL_CRYPTO) #include <openssl/aes.h> +#elif defined(USE_NETTLE) +#include <nettle/aes.h> +#else // USE_GCRYPT is the default +#include <gcrypt.h> #endif #include "key_derivation.h" #else @@ -94,11 +96,13 @@ union __attribute__((__packed__)) cipher_aesctr_ctr_union { typedef union cipher_aesctr_ctr_union cipher_aesctr_ctr_t; struct cipher_aesctr_param_struct { -#ifndef USE_SSL_CRYPTO - gcry_cipher_hd_t handle_; -#else +#if defined(USE_SSL_CRYPTO) AES_KEY aes_key_; u_int8_t ecount_buf_[AES_BLOCK_SIZE]; +#elif defined(USE_NETTLE) + struct aes_ctx ctx_; +#else // USE_GCRYPT is the default + gcry_cipher_hd_t handle_; #endif cipher_aesctr_ctr_t ctr_; }; diff --git a/src/configure b/src/configure index 2d753eb..04d5ac2 100755 --- a/src/configure +++ b/src/configure @@ -61,7 +61,8 @@ print_usage() { echo " --examplesdir=<DIR> the path to the examples files (default: $PREFIX/share/examples)" echo " --no-examples dont't install example files" echo " --use-gcrypt use libgcrypt (this is the default)" - echo " --use-ssl-crypto use ssl crypto library instead of libgcrypt" + echo " --use-nettle use libnettle instead of libgcrypt" + echo " --use-ssl-crypto use openssl crypto library instead of libgcrypt" echo " --no-crypto disable crypto at all (only NULL cipher)" echo " --disable-passphrase disable master key and salt passphrase" echo " --enable-passphrase enable master key and salt passphrase" @@ -101,6 +102,9 @@ do --use-gcrypt) CRYPTO_LIB='gcrypt' ;; + --use-nettle) + CRYPTO_LIB='nettle' + ;; --use-ssl-crypto) CRYPTO_LIB='ssl' ;; @@ -169,8 +173,14 @@ esac case $CRYPTO_LIB in gcrypt) + CFLAGS=$CFLAGS' -DUSE_GCRYPT' LDFLAGS=$LDFLAGS' -lgcrypt' - echo "using libgcrypt library" + echo "using gcrypt library" + ;; + nettle) + CFLAGS=$CFLAGS' -DUSE_NETTLE' + LDFLAGS=$LDFLAGS' -lnettle' + echo "using nettle library" ;; ssl) CFLAGS=$CFLAGS' -DUSE_SSL_CRYPTO' diff --git a/src/init_crypt.h b/src/init_crypt.h index 314ebc5..9a8849e 100644 --- a/src/init_crypt.h +++ b/src/init_crypt.h @@ -48,7 +48,23 @@ int init_crypt() #else -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + +int init_crypt() +{ +// nothing here + return 0; +} + +#elif defined(USE_NETTLE) + +int init_crypt() +{ +// nothing here + return 0; +} + +#else // USE_GCRYPT is the default #include <gcrypt.h> @@ -77,14 +93,6 @@ int init_crypt() return 0; } -#else - -int init_crypt() -{ -// nothing here - return 0; -} - #endif diff --git a/src/key_derivation.c b/src/key_derivation.c index 3ba0656..75ce4a5 100644 --- a/src/key_derivation.c +++ b/src/key_derivation.c @@ -37,8 +37,12 @@ #include "key_derivation.h" -#ifdef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) #include <openssl/sha.h> +#elif defined(USE_NETTLE) +#include <nettle/sha1.h> +#include <nettle/sha2.h> +#include <nettle/ctr.h> #endif #include "log.h" @@ -135,30 +139,39 @@ int key_derivation_generate_master_key(key_derivation_t* kd, const char* passphr return -1; } -#ifndef USE_SSL_CRYPTO - if(key_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA256) * 8)) { -#else +#if defined(USE_SSL_CRYPTO) if(key_length > (SHA256_DIGEST_LENGTH * 8)) { +#elif defined(USE_NETTLE) + if(key_length > (SHA256_DIGEST_SIZE * 8)) { +#else // USE_GCRYPT is the default + if(key_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA256) * 8)) { #endif log_printf(ERROR, "master key too long for passphrase algorithm"); return -1; } buffer_t digest; -#ifndef USE_SSL_CRYPTO - digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA256); -#else +#if defined(USE_SSL_CRYPTO) digest.length_ = SHA256_DIGEST_LENGTH; +#elif defined(USE_NETTLE) + digest.length_ = SHA256_DIGEST_SIZE; +#else // USE_GCRYPT is the default + digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA256); #endif digest.buf_ = malloc(digest.length_); if(!digest.buf_) return -2; -#ifndef USE_SSL_CRYPTO - gcry_md_hash_buffer(GCRY_MD_SHA256, digest.buf_, passphrase, strlen(passphrase)); -#else +#if defined(USE_SSL_CRYPTO) SHA256((const u_int8_t*)passphrase, strlen(passphrase), digest.buf_); +#elif defined(USE_NETTLE) + struct sha256_ctx ctx; + sha256_init(&ctx); + sha256_update(&ctx, strlen(passphrase), (const u_int8_t*)passphrase); + sha256_digest(&ctx, digest.length_, digest.buf_); +#else // USE_GCRYPT is the default + gcry_md_hash_buffer(GCRY_MD_SHA256, digest.buf_, passphrase, strlen(passphrase)); #endif kd->master_key_.length_ = key_length/8; @@ -191,29 +204,38 @@ int key_derivation_generate_master_salt(key_derivation_t* kd, const char* passph return -1; } -#ifndef USE_SSL_CRYPTO - if(salt_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA1) * 8)) { -#else +#if defined(USE_SSL_CRYPTO) if(salt_length > (SHA_DIGEST_LENGTH * 8)) { +#elif defined(USE_NETTLE) + if(salt_length > (SHA1_DIGEST_SIZE * 8)) { +#else // USE_GCRYPT is the default + if(salt_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA1) * 8)) { #endif log_printf(ERROR, "master salt too long for passphrase algorithm"); return -1; } buffer_t digest; -#ifndef USE_SSL_CRYPTO - digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA1); -#else +#if defined(USE_SSL_CRYPTO) digest.length_ = SHA_DIGEST_LENGTH; +#elif defined(USE_NETTLE) + digest.length_ = SHA1_DIGEST_SIZE; +#else // USE_GCRYPT is the default + digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA1); #endif digest.buf_ = malloc(digest.length_); if(!digest.buf_) return -2; -#ifndef USE_SSL_CRYPTO - gcry_md_hash_buffer(GCRY_MD_SHA1, digest.buf_, passphrase, strlen(passphrase)); -#else +#if defined(USE_SSL_CRYPTO) SHA1((const u_int8_t*)passphrase, strlen(passphrase), digest.buf_); +#elif defined(USE_NETTLE) + struct sha1_ctx ctx; + sha1_init(&ctx); + sha1_update(&ctx, strlen(passphrase), (const u_int8_t*)passphrase); + sha1_digest(&ctx, digest.length_, digest.buf_); +#else // USE_GCRYPT is the default + gcry_md_hash_buffer(GCRY_MD_SHA1, digest.buf_, passphrase, strlen(passphrase)); #endif kd->master_salt_.length_ = salt_length/8; @@ -330,7 +352,7 @@ int key_derivation_aesctr_init(key_derivation_t* kd, const char* passphrase) return -2; key_derivation_aesctr_param_t* params = kd->params_; -#ifndef USE_SSL_CRYPTO +#ifdef USE_GCRYPT params->handle_ = 0; #endif @@ -345,7 +367,15 @@ int key_derivation_aesctr_init(key_derivation_t* kd, const char* passphrase) } #endif -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + int ret = AES_set_encrypt_key(kd->master_key_.buf_, kd->master_key_.length_*8, ¶ms->aes_key_); + if(ret) { + log_printf(ERROR, "failed to set key derivation ssl aes-key (code: %d)", ret); + return -1; + } +#elif defined(USE_NETTLE) + aes_set_encrypt_key(¶ms->ctx_, kd->master_key_.length_, kd->master_key_.buf_); +#else // USE_GCRYPT is the default int algo; switch(kd->key_length_) { case 128: algo = GCRY_CIPHER_AES128; break; @@ -368,12 +398,6 @@ int key_derivation_aesctr_init(key_derivation_t* kd, const char* passphrase) log_printf(ERROR, "failed to set key derivation key: %s", gcry_strerror(err)); return -1; } -#else - int ret = AES_set_encrypt_key(kd->master_key_.buf_, kd->master_key_.length_*8, ¶ms->aes_key_); - if(ret) { - log_printf(ERROR, "failed to set key derivation ssl aes-key (code: %d)", ret); - return -1; - } #endif return 0; @@ -385,7 +409,7 @@ void key_derivation_aesctr_close(key_derivation_t* kd) return; if(kd->params_) { -#ifndef USE_SSL_CRYPTO +#ifdef USE_GCRYPT key_derivation_aesctr_param_t* params = kd->params_; if(params->handle_) gcry_cipher_close(params->handle_); @@ -428,7 +452,23 @@ int key_derivation_aesctr_generate(key_derivation_t* kd, key_derivation_dir_t di return -1; } -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + if(KD_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) { + log_printf(ERROR, "failed to set key derivation CTR: size don't fits"); + return -1; + } + u_int32_t num = 0; + memset(params->ecount_buf_, 0, AES_BLOCK_SIZE); + memset(key, 0, len); + AES_ctr128_encrypt(key, key, len, ¶ms->aes_key_, params->ctr_.buf_, params->ecount_buf_, &num); +#elif defined(USE_NETTLE) + if(KD_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) { + log_printf(ERROR, "failed to set cipher CTR: size doesn't fit"); + return -1; + } + memset(key, 0, len); + ctr_crypt(¶ms->ctx_, (nettle_crypt_func *)(aes_encrypt), AES_BLOCK_SIZE, params->ctr_.buf_, len, key, key); +#else // USE_GCRYPT is the default gcry_error_t err = gcry_cipher_reset(params->handle_); if(err) { log_printf(ERROR, "failed to reset key derivation cipher: %s", gcry_strerror(err)); @@ -447,15 +487,6 @@ int key_derivation_aesctr_generate(key_derivation_t* kd, key_derivation_dir_t di log_printf(ERROR, "failed to generate key derivation bitstream: %s", gcry_strerror(err)); return -1; } -#else - if(KD_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) { - log_printf(ERROR, "failed to set key derivation CTR: size don't fits"); - return -1; - } - u_int32_t num = 0; - memset(params->ecount_buf_, 0, AES_BLOCK_SIZE); - memset(key, 0, len); - AES_ctr128_encrypt(key, key, len, ¶ms->aes_key_, params->ctr_.buf_, params->ecount_buf_, &num); #endif return 0; diff --git a/src/key_derivation.h b/src/key_derivation.h index 19fd88b..df97765 100644 --- a/src/key_derivation.h +++ b/src/key_derivation.h @@ -36,10 +36,12 @@ #ifndef UANYTUN_key_derivation_h_INCLUDED #define UANYTUN_key_derivation_h_INCLUDED -#ifndef USE_SSL_CRYPTO -#include <gcrypt.h> -#else +#if defined(USE_SSL_CRYPTO) #include <openssl/aes.h> +#elif defined(USE_NETTLE) +#include <nettle/aes.h> +#else // USE_GCRYPT is the default +#include <gcrypt.h> #endif #include "options.h" @@ -103,11 +105,13 @@ union __attribute__((__packed__)) key_derivation_aesctr_ctr_union { typedef union key_derivation_aesctr_ctr_union key_derivation_aesctr_ctr_t; struct key_derivation_aesctr_param_struct { -#ifndef USE_SSL_CRYPTO - gcry_cipher_hd_t handle_; -#else +#if defined(USE_SSL_CRYPTO) AES_KEY aes_key_; u_int8_t ecount_buf_[AES_BLOCK_SIZE]; +#elif defined(USE_NETTLE) + struct aes_ctx ctx_; +#else // USE_GCRYPT is the default + gcry_cipher_hd_t handle_; #endif key_derivation_aesctr_ctr_t ctr_; }; |