authorChristian Pointner <equinox@anytun.org>2014-06-21 18:26:51 +0000
committerChristian Pointner <equinox@anytun.org>2014-06-21 18:26:51 +0000
commit01ef67da5564e1dcb380adead3e7f869fa3be2c8 (patch)
tree2d61c96e2aed44703955ce731ffa28a5f055fff7
parentrefactored crypto lib selection (diff)
added defines for nettle as crypto lib
further improved selection of crypto lib
-rw-r--r--README10
-rw-r--r--src/auth_algo.c22
-rw-r--r--src/auth_algo.h9
-rw-r--r--src/cipher.c24
-rw-r--r--src/cipher.h9
-rwxr-xr-xsrc/configure13
-rw-r--r--src/init_crypt.h10
-rw-r--r--src/key_derivation.c41
-rw-r--r--src/key_derivation.h9
9 files changed, 119 insertions, 28 deletions
diff --git a/README b/README
index 10c3b10..dc07a11 100644
--- a/README
+++ b/README
@@ -1,8 +1,8 @@
Dependencies
============
-uAnytun can be built by using either libgcrypt or the openssl-crypto library.
-The latter is more performant in most cases but there are some license
+uAnytun can be built by using either libgcrypt, libnettle or the openssl-crypto
+library. The latter is more performant in most cases but there are some license
issues when using this library. It also needs more space when installed.
@@ -20,7 +20,13 @@ using ssl crypto library:
build-essential
libssl-dev
+using nettle crypto library:
+
+ build-essential
+ nettle-dev
+
if you want clang as compiler
+
clang
if you want to rebuild the manpage:
diff --git a/src/auth_algo.c b/src/auth_algo.c
index 8ee3f49..87ea472 100644
--- a/src/auth_algo.c
+++ b/src/auth_algo.c
@@ -154,9 +154,12 @@ int auth_algo_sha1_init(auth_algo_t* aa)
auth_algo_sha1_param_t* params = aa->params_;
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
HMAC_CTX_init(&params->ctx_);
HMAC_Init_ex(&params->ctx_, NULL, 0, EVP_sha1(), NULL);
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+
#else // USE_GCRYPT is the default
gcry_error_t err = gcry_md_open(&params->handle_, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC);
if(err) {
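Review bot: With USE_NETTLE defined, the new `#elif defined(USE_NETTLE)` branch in auth_algo_sha1_init is an empty stub, so the function compiles and reports success without creating any HMAC state; the same holds for the nettle branches in the other auth_algo.c hunks, in cipher.c (cipher_aesctr_init, cipher_aesctr_close, cipher_aesctr_crypt) and in key_derivation.c (master key and salt generation, key_derivation_aesctr_init and key_derivation_aesctr_generate). Because the configure hunk now accepts `--use-nettle` and adds `-DUSE_NETTLE`, such a build links and runs, but it authenticates, encrypts and derives keys with whatever happens to be in the buffers. Until the backend is implemented, each stub should refuse to compile, e.g. `#error "nettle backend not implemented yet"` in place of the `// TODO: nettle` comment, or configure should reject `--use-nettle`. The body of auth_algo_sha1_init continues outside this hunk.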
@@ -176,8 +179,11 @@ void auth_algo_sha1_close(auth_algo_t* aa)
if(aa->params_) {
auth_algo_sha1_param_t* params = aa->params_;
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
HMAC_CTX_cleanup(&params->ctx_);
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+
#else // USE_GCRYPT is the default
if(params->handle_)
gcry_md_close(params->handle_);
@@ -207,12 +213,16 @@ void auth_algo_sha1_generate(auth_algo_t* aa, key_derivation_t* kd, key_derivati
if(ret < 0)
return;
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
HMAC_Init_ex(&params->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL);
u_int8_t hmac[SHA1_LENGTH];
HMAC_Update(&params->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet));
HMAC_Final(&params->ctx_, hmac, NULL);
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+ u_int8_t hmac[SHA1_LENGTH];
+
#else // USE_GCRYPT is the default
gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_);
if(err) {
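Review bot: In the nettle branch of auth_algo_sha1_generate, `u_int8_t hmac[SHA1_LENGTH];` is declared but never written, so whatever copies it into the packet after this hunk (the function continues outside it) would emit indeterminate stack bytes as the authentication tag. The next hunk repeats the pattern in auth_algo_sha1_check_tag, where the received tag is then compared against indeterminate data, which is undefined behaviour and in any case not an authentication check. The hmac_sha1_set_key/hmac_sha1_update/hmac_sha1_digest functions from the already included <nettle/hmac.h> are the intended replacement; until they are wired in, the bare declaration should be replaced by `#error "nettle HMAC not implemented yet"` rather than left as a silent placeholder.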
@@ -255,12 +265,16 @@ int auth_algo_sha1_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_derivati
if(ret < 0)
return 0;
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
HMAC_Init_ex(&params->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL);
u_int8_t hmac[SHA1_LENGTH];
HMAC_Update(&params->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet));
HMAC_Final(&params->ctx_, hmac, NULL);
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+ u_int8_t hmac[SHA1_LENGTH];
+
#else // USE_GCRYPT is the default
gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_);
if(err) {
diff --git a/src/auth_algo.h b/src/auth_algo.h
index 2c20410..e800c8e 100644
--- a/src/auth_algo.h
+++ b/src/auth_algo.h
@@ -36,8 +36,10 @@
#ifndef UANYTUN_auth_algo_h_INCLUDED
#define UANYTUN_auth_algo_h_INCLUDED
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
#include <openssl/hmac.h>
+#elif defined(USE_NETTLE)
+#include <nettle/hmac.h>
#else // USE_GCRYPT is the default
#include <gcrypt.h>
#endif
@@ -66,8 +68,11 @@ int auth_algo_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_derivation_di
#define SHA1_LENGTH 20
struct auth_algo_sha1_param_struct {
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
HMAC_CTX ctx_;
+#elif defined(USE_NETTLE)
+ // TOOD: nettle
+
#else // USE_GCRYPT is the default
gcry_md_hd_t handle_;
#endif
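Review bot: Under USE_NETTLE, `struct auth_algo_sha1_param_struct` ends up with no members at all, which is a constraint violation in ISO C (GCC accepts it only as an extension, with a size of zero), so any allocation or copy sized by this struct elsewhere presumably misbehaves. Since <nettle/hmac.h> is already included in the first hunk, the member can be declared now as `struct hmac_sha1_ctx ctx_;`. The comment also carries a typo: `// TOOD: nettle` should read `// TODO: nettle`. The cipher.h and key_derivation.h hunks leave `cipher_aesctr_param_struct` and `key_derivation_aesctr_param_struct` empty the same way.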
diff --git a/src/cipher.c b/src/cipher.c
index 03449a0..a2e7f5e 100644
--- a/src/cipher.c
+++ b/src/cipher.c
@@ -210,7 +210,12 @@ int cipher_aesctr_init(cipher_t* c)
if(!c->params_)
return -2;
-#ifdef USE_GCRYPT
+#if defined(USE_SSL_CRYPTO)
+ // nothing here
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+
+#else // USE_GCRYPT is the default
int algo;
switch(c->key_length_) {
case 128: algo = GCRY_CIPHER_AES128; break;
@@ -239,7 +244,12 @@ void cipher_aesctr_close(cipher_t* c)
return;
if(c->params_) {
-#ifdef USE_GCRYPT
+#if defined(USE_SSL_CRYPTO)
+ // nothing here
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+
+#else // USE_GCRYPT is the default
cipher_aesctr_param_t* params = c->params_;
gcry_cipher_close(params->handle_);
#endif
@@ -285,12 +295,15 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, key_derivation_di
if(ret < 0)
return ret;
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
ret = AES_set_encrypt_key(c->key_.buf_, c->key_length_, &params->aes_key_);
if(ret) {
log_printf(ERROR, "failed to set cipher key (code: %d)", ret);
return -1;
}
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+
#else // USE_GCRYPT is the default
gcry_error_t err = gcry_cipher_setkey(params->handle_, c->key_.buf_, c->key_.length_);
if(err) {
@@ -305,7 +318,7 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, key_derivation_di
return ret;
}
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
if(C_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) {
log_printf(ERROR, "failed to set cipher CTR: size doesn't fit");
return -1;
@@ -313,6 +326,9 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, key_derivation_di
u_int32_t num = 0;
memset(params->ecount_buf_, 0, AES_BLOCK_SIZE);
AES_ctr128_encrypt(in, out, (ilen < olen) ? ilen : olen, &params->aes_key_, params->ctr_.buf_, params->ecount_buf_, &num);
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+
#else // USE_GCRYPT is the default
err = gcry_cipher_setctr(params->handle_, params->ctr_.buf_, C_AESCTR_CTR_LENGTH);
if(err) {
diff --git a/src/cipher.h b/src/cipher.h
index d4506d4..8221a3c 100644
--- a/src/cipher.h
+++ b/src/cipher.h
@@ -37,8 +37,10 @@
#define UANYTUN_cipher_h_INCLUDED
#ifndef NO_CRYPT
-#ifndef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
#include <openssl/aes.h>
+#elif defined(USE_NETTLE)
+#include <nettle/aes.h>
#else // USE_GCRYPT is the default
#include <gcrypt.h>
#endif
@@ -94,9 +96,12 @@ union __attribute__((__packed__)) cipher_aesctr_ctr_union {
typedef union cipher_aesctr_ctr_union cipher_aesctr_ctr_t;
struct cipher_aesctr_param_struct {
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
AES_KEY aes_key_;
u_int8_t ecount_buf_[AES_BLOCK_SIZE];
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+
#else // USE_GCRYPT is the default
gcry_cipher_hd_t handle_;
#endif
diff --git a/src/configure b/src/configure
index f764f89..04d5ac2 100755
--- a/src/configure
+++ b/src/configure
@@ -61,7 +61,8 @@ print_usage() {
echo " --examplesdir=<DIR> the path to the examples files (default: $PREFIX/share/examples)"
echo " --no-examples dont't install example files"
echo " --use-gcrypt use libgcrypt (this is the default)"
- echo " --use-ssl-crypto use ssl crypto library instead of libgcrypt"
+ echo " --use-nettle use libnettle instead of libgcrypt"
+ echo " --use-ssl-crypto use openssl crypto library instead of libgcrypt"
echo " --no-crypto disable crypto at all (only NULL cipher)"
echo " --disable-passphrase disable master key and salt passphrase"
echo " --enable-passphrase enable master key and salt passphrase"
@@ -101,6 +102,9 @@ do
--use-gcrypt)
CRYPTO_LIB='gcrypt'
;;
+ --use-nettle)
+ CRYPTO_LIB='nettle'
+ ;;
--use-ssl-crypto)
CRYPTO_LIB='ssl'
;;
@@ -171,7 +175,12 @@ case $CRYPTO_LIB in
gcrypt)
CFLAGS=$CFLAGS' -DUSE_GCRYPT'
LDFLAGS=$LDFLAGS' -lgcrypt'
- echo "using libgcrypt library"
+ echo "using gcrypt library"
+ ;;
+ nettle)
+ CFLAGS=$CFLAGS' -DUSE_NETTLE'
+ LDFLAGS=$LDFLAGS' -lnettle'
+ echo "using nettle library"
;;
ssl)
CFLAGS=$CFLAGS' -DUSE_SSL_CRYPTO'
diff --git a/src/init_crypt.h b/src/init_crypt.h
index 47688c7..9a8849e 100644
--- a/src/init_crypt.h
+++ b/src/init_crypt.h
@@ -48,7 +48,15 @@ int init_crypt()
#else
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
+
+int init_crypt()
+{
+// nothing here
+ return 0;
+}
+
+#elif defined(USE_NETTLE)
int init_crypt()
{
diff --git a/src/key_derivation.c b/src/key_derivation.c
index 7bd4d6e..998c10b 100644
--- a/src/key_derivation.c
+++ b/src/key_derivation.c
@@ -37,8 +37,11 @@
#include "key_derivation.h"
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
#include <openssl/sha.h>
+#elif defined(USE_NETTLE)
+#include <nettle/sha1.h>
+#include <nettle/sha2.h>
#endif
#include "log.h"
@@ -135,8 +138,10 @@ int key_derivation_generate_master_key(key_derivation_t* kd, const char* passphr
return -1;
}
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
if(key_length > (SHA256_DIGEST_LENGTH * 8)) {
+#elif defined(USE_NETTLE)
+ if(key_length > (SHA256_DIGEST_SIZE * 8)) {
#else // USE_GCRYPT is the default
if(key_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA256) * 8)) {
#endif
@@ -145,8 +150,10 @@ int key_derivation_generate_master_key(key_derivation_t* kd, const char* passphr
}
buffer_t digest;
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
digest.length_ = SHA256_DIGEST_LENGTH;
+#elif defined(USE_NETTLE)
+ digest.length_ = SHA256_DIGEST_SIZE;
#else // USE_GCRYPT is the default
digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA256);
#endif
@@ -155,8 +162,11 @@ int key_derivation_generate_master_key(key_derivation_t* kd, const char* passphr
return -2;
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
SHA256((const u_int8_t*)passphrase, strlen(passphrase), digest.buf_);
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+
#else // USE_GCRYPT is the default
gcry_md_hash_buffer(GCRY_MD_SHA256, digest.buf_, passphrase, strlen(passphrase));
#endif
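Review bot: In the nettle branch of key_derivation_generate_master_key, `digest.buf_` is allocated (the `return -2` check above) but never written before it is used as the master key after this hunk (the function continues outside it), so a USE_NETTLE build derives its master key from uninitialized heap memory. The first hunk already includes <nettle/sha2.h>, so the digest can be computed in place of the TODO as shown below; the master-salt hunk further down has the same gap and needs the matching `sha1_init`/`sha1_update`/`sha1_digest` sequence with `SHA1_DIGEST_SIZE`.
```c
#elif defined(USE_NETTLE)
  struct sha256_ctx ctx;
  sha256_init(&ctx);
  sha256_update(&ctx, strlen(passphrase), (const uint8_t*)passphrase);
  sha256_digest(&ctx, SHA256_DIGEST_SIZE, digest.buf_);
#else // USE_GCRYPT is the default
  // … unchanged: gcry_md_hash_buffer call …
```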
@@ -191,8 +201,10 @@ int key_derivation_generate_master_salt(key_derivation_t* kd, const char* passph
return -1;
}
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
if(salt_length > (SHA_DIGEST_LENGTH * 8)) {
+#elif defined(USE_NETTLE)
+ if(salt_length > (SHA1_DIGEST_SIZE * 8)) {
#else // USE_GCRYPT is the default
if(salt_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA1) * 8)) {
#endif
@@ -201,8 +213,10 @@ int key_derivation_generate_master_salt(key_derivation_t* kd, const char* passph
}
buffer_t digest;
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
digest.length_ = SHA_DIGEST_LENGTH;
+#elif defined(USE_NETTLE)
+ digest.length_ = SHA1_DIGEST_SIZE;
#else // USE_GCRYPT is the default
digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA1);
#endif
@@ -210,8 +224,11 @@ int key_derivation_generate_master_salt(key_derivation_t* kd, const char* passph
if(!digest.buf_)
return -2;
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
SHA1((const u_int8_t*)passphrase, strlen(passphrase), digest.buf_);
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+
#else // USE_GCRYPT is the default
gcry_md_hash_buffer(GCRY_MD_SHA1, digest.buf_, passphrase, strlen(passphrase));
#endif
@@ -345,12 +362,15 @@ int key_derivation_aesctr_init(key_derivation_t* kd, const char* passphrase)
}
#endif
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
int ret = AES_set_encrypt_key(kd->master_key_.buf_, kd->master_key_.length_*8, &params->aes_key_);
if(ret) {
log_printf(ERROR, "failed to set key derivation ssl aes-key (code: %d)", ret);
return -1;
}
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+
#else // USE_GCRYPT is the default
int algo;
switch(kd->key_length_) {
@@ -428,7 +448,7 @@ int key_derivation_aesctr_generate(key_derivation_t* kd, key_derivation_dir_t di
return -1;
}
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
if(KD_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) {
log_printf(ERROR, "failed to set key derivation CTR: size don't fits");
return -1;
@@ -437,6 +457,9 @@ int key_derivation_aesctr_generate(key_derivation_t* kd, key_derivation_dir_t di
memset(params->ecount_buf_, 0, AES_BLOCK_SIZE);
memset(key, 0, len);
AES_ctr128_encrypt(key, key, len, &params->aes_key_, params->ctr_.buf_, params->ecount_buf_, &num);
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+
#else // USE_GCRYPT is the default
gcry_error_t err = gcry_cipher_reset(params->handle_);
if(err) {
diff --git a/src/key_derivation.h b/src/key_derivation.h
index 0d3c93f..01c9a26 100644
--- a/src/key_derivation.h
+++ b/src/key_derivation.h
@@ -36,8 +36,10 @@
#ifndef UANYTUN_key_derivation_h_INCLUDED
#define UANYTUN_key_derivation_h_INCLUDED
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
#include <openssl/aes.h>
+#elif defined(USE_NETTLE)
+#include <nettle/aes.h>
#else // USE_GCRYPT is the default
#include <gcrypt.h>
#endif
@@ -103,9 +105,12 @@ union __attribute__((__packed__)) key_derivation_aesctr_ctr_union {
typedef union key_derivation_aesctr_ctr_union key_derivation_aesctr_ctr_t;
struct key_derivation_aesctr_param_struct {
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
AES_KEY aes_key_;
u_int8_t ecount_buf_[AES_BLOCK_SIZE];
+#elif defined(USE_NETTLE)
+ // TODO: nettle
+
#else // USE_GCRYPT is the default
gcry_cipher_hd_t handle_;
#endif