diff options
author | Christian Pointner <equinox@anytun.org> | 2009-01-06 01:30:00 +0000 |
---|---|---|
committer | Christian Pointner <equinox@anytun.org> | 2009-01-06 01:30:00 +0000 |
commit | 749c7bd9adc37d4e1cfc4d2a570fdcde0e20c3c8 (patch) | |
tree | 5790c95aa9320b9e5eed10bfa5cbe79d60ef4ce3 | |
parent | added libssl crypto based auth algo HMAC-Sha1 (diff) |
some cleanup
added option for passphrase
enabled option for kd-prf
-rw-r--r-- | src/key_derivation.c | 35 | ||||
-rw-r--r-- | src/key_derivation.h | 7 | ||||
-rw-r--r-- | src/options.c | 37 | ||||
-rw-r--r-- | src/options.h | 1 | ||||
-rw-r--r-- | src/uanytun.c | 20 |
5 files changed, 77 insertions, 23 deletions
diff --git a/src/key_derivation.c b/src/key_derivation.c index af3228d..9f16467 100644 --- a/src/key_derivation.c +++ b/src/key_derivation.c @@ -41,16 +41,28 @@ #include <stdlib.h> #include <string.h> -int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, u_int8_t* key, u_int32_t key_len, u_int8_t* salt, u_int32_t salt_len) +int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, const char* passphrase, u_int8_t* key, u_int32_t key_len, u_int8_t* salt, u_int32_t salt_len) { if(!kd) return -1; + kd->key_length_ = 0; + kd->type_ = kd_unknown; if(!strcmp(type, "null")) kd->type_ = kd_null; - else if(!strcmp(type, "aes-ctr")) + else if(!strncmp(type, "aes-ctr", 7)) { kd->type_ = kd_aes_ctr; + if(type[7] == 0) { + kd->key_length_ = KD_AESCTR_DEFAULT_KEY_LENGTH; + } + else if(type[7] != '-') + return -1; + else { + const char* tmp = &type[8]; + kd->key_length_ = atoi(tmp); + } + } else { log_printf(ERR, "unknown key derivation type"); return -1; @@ -60,7 +72,6 @@ int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, u if(ld_kdr > (int8_t)(sizeof(seq_nr_t) * 8)) kd->ld_kdr_ = sizeof(seq_nr_t) * 8; - kd->key_length_ = key_len * sizeof(key[0]) * 8; kd->params_ = NULL; int i; @@ -99,7 +110,7 @@ int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, u int ret = 0; if(kd->type_ == kd_aes_ctr) - ret = key_derivation_aesctr_init(kd); + ret = key_derivation_aesctr_init(kd, passphrase); if(ret) key_derivation_close(kd); @@ -107,6 +118,18 @@ int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, u return ret; } +int key_derivation_generate_master_key(key_derivation_t* kd, const char* passphrase, u_int16_t key_length) +{ + + return 0; +} + +int key_derivation_generate_master_salt(key_derivation_t* kd, const char* passphrase, u_int16_t salt_length) +{ + + return 0; +} + void key_derivation_close(key_derivation_t* kd) { if(!kd) @@ -159,7 +182,7 @@ int key_derivation_null_generate(u_int8_t* key, u_int32_t len) /* ---------------- AES-Ctr Key Derivation ---------------- */ -int key_derivation_aesctr_init(key_derivation_t* kd) +int key_derivation_aesctr_init(key_derivation_t* kd, const char* passphrase) { if(!kd) return -1; @@ -173,6 +196,8 @@ int key_derivation_aesctr_init(key_derivation_t* kd) key_derivation_aesctr_param_t* params = kd->params_; #ifndef USE_SSL_CRYPTO + params->handle_ = 0; + int algo; switch(kd->key_length_) { case 128: algo = GCRY_CIPHER_AES128; break; diff --git a/src/key_derivation.h b/src/key_derivation.h index 2f1bfb5..d045527 100644 --- a/src/key_derivation.h +++ b/src/key_derivation.h @@ -69,13 +69,16 @@ struct key_derivation_struct { }; typedef struct key_derivation_struct key_derivation_t; -int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, u_int8_t* key, u_int32_t key_len, u_int8_t* salt, u_int32_t salt_len); +int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, const char* passphrase, u_int8_t* key, u_int32_t key_len, u_int8_t* salt, u_int32_t salt_len); +int key_derivation_generate_master_key(key_derivation_t* kd, const char* passphrase, u_int16_t key_length); +int key_derivation_generate_master_salt(key_derivation_t* kd, const char* passphrase, u_int16_t salt_length); void key_derivation_close(key_derivation_t* kd); int key_derivation_generate(key_derivation_t* kd, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len); int key_derivation_null_generate(u_int8_t* key, u_int32_t len); +#define KD_AESCTR_DEFAULT_KEY_LENGTH 128 #define KD_AESCTR_CTR_LENGTH 16 #define KD_AESCTR_SALT_LENGTH 14 @@ -115,7 +118,7 @@ struct key_derivation_aesctr_param_struct { }; typedef struct key_derivation_aesctr_param_struct key_derivation_aesctr_param_t; -int key_derivation_aesctr_init(key_derivation_t* kd); +int key_derivation_aesctr_init(key_derivation_t* kd, const char* passphrase); void key_derivation_aesctr_close(key_derivation_t* kd); int key_derivation_aesctr_calc_ctr(key_derivation_t* kd, seq_nr_t* r, satp_prf_label_t label, seq_nr_t seq_nr); int key_derivation_aesctr_generate(key_derivation_t* kd, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len); diff --git a/src/options.c b/src/options.c index ae5d264..31dc498 100644 --- a/src/options.c +++ b/src/options.c @@ -40,6 +40,8 @@ #include <stdio.h> #include <string.h> +#include "log.h" + #define PARSE_BOOL_PARAM(SHORT, LONG, VALUE) \ else if(!strcmp(str,SHORT) || !strcmp(str,LONG)) \ VALUE = 1; @@ -71,6 +73,22 @@ i++; \ } +#define PARSE_STRING_PARAM_SEC(SHORT, LONG, VALUE) \ + else if(!strcmp(str,SHORT) || !strcmp(str,LONG)) \ + { \ + if(argc < 1 || argv[i+1][0] == '-') \ + return i; \ + if(VALUE) free(VALUE); \ + VALUE = strdup(argv[i+1]); \ + if(!VALUE) \ + return -2; \ + size_t j; \ + for(j=0; j < strlen(argv[i+1]); ++j) \ + argv[i+1][j] = '#'; \ + argc--; \ + i++; \ + } + #define PARSE_STRING_PARAM2(SHORT, LONG, VALUE1, VALUE2) \ else if(!strcmp(str,SHORT) || !strcmp(str,LONG)) \ { \ @@ -174,11 +192,12 @@ int options_parse(options_t* opt, int argc, char* argv[]) PARSE_INT_PARAM("-s","--sender-id", opt->sender_id_) PARSE_INT_PARAM("-m","--mux", opt->mux_) PARSE_INT_PARAM("-w","--window-size", opt->seq_window_size_) - PARSE_STRING_PARAM("-c","--cipher", opt->cipher_) #ifndef NO_CRYPT + PARSE_STRING_PARAM("-c","--cipher", opt->cipher_) PARSE_STRING_PARAM("-k","--kd-prf", opt->kd_prf_) PARSE_INT_PARAM("-l","--ld-kdr", opt->ld_kdr_) PARSE_STRING_PARAM("-a","--auth-algo", opt->auth_algo_) + PARSE_STRING_PARAM_SEC("-E","--passphrase", opt->passphrase_) PARSE_HEXSTRING_PARAM_SEC("-K","--key", opt->key_) PARSE_HEXSTRING_PARAM_SEC("-A","--salt", opt->salt_) #endif @@ -187,14 +206,9 @@ int options_parse(options_t* opt, int argc, char* argv[]) } #ifndef NO_CRYPT - if(!strcmp(opt->cipher_, "null") && !strcmp(opt->auth_algo_, "null")) { - if(opt->kd_prf_) free(opt->kd_prf_); - opt->kd_prf_ = strdup("null"); - } if((strcmp(opt->cipher_, "null") || strcmp(opt->auth_algo_, "null")) && !strcmp(opt->kd_prf_, "null")) { - if(opt->kd_prf_) free(opt->kd_prf_); - opt->kd_prf_ = strdup("aes-ctr"); + log_printf(WARNING, "using NULL key derivation with encryption and or authentication enabled!"); } #endif @@ -231,6 +245,7 @@ void options_default(options_t* opt) opt->kd_prf_ = strdup("aes-ctr"); opt->ld_kdr_ = 0; opt->auth_algo_ = strdup("sha1"); + opt->passphrase_ = NULL; #else opt->cipher_ = strdup("null"); #endif @@ -279,6 +294,8 @@ void options_clear(options_t* opt) free(opt->kd_prf_); if(opt->auth_algo_) free(opt->auth_algo_); + if(opt->passphrase_) + free(opt->passphrase_); #endif if(opt->key_.buf_) free(opt->key_.buf_); @@ -308,11 +325,12 @@ void options_print_usage() printf(" [-s|--sender-id ] <sender id> the sender id to use\n"); printf(" [-w|--window-size] <window size> seqence number window size\n"); printf(" [-m|--mux] <mux-id> the multiplex id to use\n"); - printf(" [-c|--cipher] <cipher type> payload encryption algorithm\n"); #ifndef NO_CRYPT + printf(" [-c|--cipher] <cipher type> payload encryption algorithm\n"); printf(" [-a|--auth-algo] <algo type> message authentication algorithm\n"); -// printf(" [-k|--kd-prf] <kd-prf type> key derivation pseudo random function\n"); + printf(" [-k|--kd-prf] <kd-prf type> key derivation pseudo random function\n"); printf(" [-l|--ld-kdr] <ld-kdr> log2 of key derivation rate\n"); + printf(" [-E|--passphrase <pass phrase> a passprhase to generate master key and salt from\n"); printf(" [-K|--key] <master key> master key to use for encryption\n"); printf(" [-A|--salt] <master salt> master salt to use for encryption\n"); #endif @@ -343,6 +361,7 @@ void options_print(options_t* opt) printf("auth_algo: '%s'\n", opt->auth_algo_); printf("kd_prf: '%s'\n", opt->kd_prf_); printf("ld_kdr: %d\n", opt->ld_kdr_); + printf("passphrase: '%s'\n", opt->passphrase_); #endif u_int32_t i; diff --git a/src/options.h b/src/options.h index 8808e63..ce8f3fc 100644 --- a/src/options.h +++ b/src/options.h @@ -58,6 +58,7 @@ struct options_struct { char* kd_prf_; int ld_kdr_; char* auth_algo_; + char* passphrase_; #endif mux_t mux_; buffer_t key_; diff --git a/src/uanytun.c b/src/uanytun.c index b33ff43..051886a 100644 --- a/src/uanytun.c +++ b/src/uanytun.c @@ -95,7 +95,6 @@ int init_libgcrypt() int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt) { - int return_value = 0; log_printf(INFO, "entering main loop"); plain_packet_t plain_packet; @@ -111,7 +110,7 @@ int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt) int ret = cipher_init(&c, opt->cipher_); if(ret) { log_printf(ERR, "could not initialize cipher of type %s", opt->cipher_); - return_value = ret; + return ret; } #ifndef NO_CRYPT @@ -119,26 +118,33 @@ int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt) ret = auth_algo_init(&aa, opt->auth_algo_); if(ret) { log_printf(ERR, "could not initialize auth algo of type %s", opt->auth_algo_); - return_value = ret; + cipher_close(&c); + return ret; } key_derivation_t kd_in; - ret = key_derivation_init(&kd_in, opt->kd_prf_, opt->ld_kdr_, opt->key_.buf_, opt->key_.length_, opt->salt_.buf_, opt->salt_.length_); + ret = key_derivation_init(&kd_in, opt->kd_prf_, opt->ld_kdr_, opt->passphrase_, opt->key_.buf_, opt->key_.length_, opt->salt_.buf_, opt->salt_.length_); if(ret) { log_printf(ERR, "could not initialize inbound key derivation of type %s", opt->kd_prf_); - return_value = ret; + cipher_close(&c); + auth_algo_close(&aa); + return ret; } key_derivation_t kd_out; - ret = key_derivation_init(&kd_out, opt->kd_prf_, opt->ld_kdr_, opt->key_.buf_, opt->key_.length_, opt->salt_.buf_, opt->salt_.length_); + ret = key_derivation_init(&kd_out, opt->kd_prf_, opt->ld_kdr_, opt->passphrase_, opt->key_.buf_, opt->key_.length_, opt->salt_.buf_, opt->salt_.length_); if(ret) { log_printf(ERR, "could not initialize outbound key derivation of type %s", opt->kd_prf_); - return_value = ret; + cipher_close(&c); + auth_algo_close(&aa); + key_derivation_close(&kd_in); + return ret; } #else key_derivation_t kd_in, kd_out; #endif + int return_value = 0; seq_win_t seq_win; ret = seq_win_init(&seq_win, opt->seq_window_size_); if(ret) { |