-rw-r--r-- | src/Makefile | 9 | ||||
-rw-r--r-- | src/cipher.c | 35 | ||||
-rw-r--r-- | src/cipher.h | 9 | ||||
-rw-r--r-- | src/key_derivation.c | 19 | ||||
-rw-r--r-- | src/options.c | 14 | ||||
-rw-r--r-- | src/options.h | 2 | ||||
-rw-r--r-- | src/uanytun.c | 25 |
7 files changed, 90 insertions, 23 deletions
diff --git a/src/Makefile b/src/Makefile index 1431568..29de57a 100644 --- a/src/Makefile +++ b/src/Makefile @@ -34,7 +34,7 @@ TARGET=$(shell uname -s) CC = gcc -CCFLAGS = -g -O2 #-DANYTUN_02_COMPAT +CCFLAGS = -g -O2 #-DNO_LIBGMP #-DNO_CRYPT #-DANYTUN_02_COMPAT LD = gcc LDFLAGS = -g -Wall -O2 -lgcrypt -lgpg-error -lgmp @@ -46,6 +46,9 @@ ifeq ($(TARGET),OpenBSD) LDFLAGS += -L/usr/local/lib endif +CRYPT_OBJS = key_derivation.o \ + auth_algo.o + OBJS = log.o \ signal.o \ options.o \ @@ -54,11 +57,11 @@ OBJS = log.o \ plain_packet.o \ encrypted_packet.o \ seq_window.o \ - key_derivation.o \ cipher.o \ - auth_algo.o \ uanytun.o +OBJS += $(CRYPT_OBJS) + EXECUTABLE = uanytun all: $(EXECUTABLE) diff --git a/src/cipher.c b/src/cipher.c index f1a4bf4..07c9f32 100644 --- a/src/cipher.c +++ b/src/cipher.c @@ -44,7 +44,9 @@ #include <stdlib.h> #include <string.h> +#ifndef NO_LIBGMP #include <gmp.h> +#endif int cipher_init(cipher_t* c, const char* type) { @@ -56,6 +58,7 @@ int cipher_init(cipher_t* c, const char* type) c->type_ = c_unknown; if(!strcmp(type, "null")) c->type_ = c_null; +#ifndef NO_CRYPT else if(!strncmp(type, "aes-ctr", 7)) { c->type_ = c_aes_ctr; if(type[7] == 0) { @@ -68,12 +71,15 @@ int cipher_init(cipher_t* c, const char* type) c->key_length_ = atoi(tmp); } } +#endif else { log_printf(ERR, "unknown cipher type"); return -1; } +#ifndef NO_CRYPT c->handle_ = 0; +#endif c->key_.buf_ = NULL; c->key_.length_ = 0; @@ -82,8 +88,10 @@ int cipher_init(cipher_t* c, const char* type) c->salt_.length_ = 0; int ret = 0; +#ifndef NO_CRYPT if(c->type_ == c_aes_ctr) ret = cipher_aesctr_init(c); +#endif if(ret) cipher_close(c); @@ -96,8 +104,10 @@ void cipher_close(cipher_t* c) if(!c) return; +#ifndef NO_CRYPT if(c->type_ == c_aes_ctr) cipher_aesctr_close(c); +#endif if(c->key_.buf_) free(c->key_.buf_); 
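Review bot: `OBJS += $(CRYPT_OBJS)` is appended unconditionally and the context line `LDFLAGS = -g -Wall -O2 -lgcrypt -lgpg-error -lgmp` is untouched, so a build that enables `-DNO_CRYPT` or `-DNO_LIBGMP` in CCFLAGS still compiles key_derivation.o and auth_algo.o and still links both libraries; the key_derivation.c hunk later in this commit guards only gmp.h, not gcrypt.h, so that object presumably will not even compile on a host without libgcrypt. If these defines are meant to allow building without the libraries, the object list and the link flags need to follow the same switch, for example a make variable that both adds `-DNO_CRYPT` to CCFLAGS and skips `OBJS += $(CRYPT_OBJS)` and the `-lgcrypt -lgpg-error` part of LDFLAGS. As committed, the commented-out flags in CCFLAGS document the option, but uncommenting them alone does not appear to give a self-contained build.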
@@ -115,10 +125,12 @@ int cipher_encrypt(cipher_t* c, key_derivation_t* kd, plain_packet_t* in, encryp if(c->type_ == c_null) len = cipher_null_crypt(plain_packet_get_packet(in), plain_packet_get_length(in), encrypted_packet_get_payload(out), encrypted_packet_get_payload_length(out)); +#ifndef NO_CRYPT else if(c->type_ == c_aes_ctr) len = cipher_aesctr_crypt(c, kd, plain_packet_get_packet(in), plain_packet_get_length(in), encrypted_packet_get_payload(out), encrypted_packet_get_payload_length(out), seq_nr, sender_id, mux); +#endif else { log_printf(ERR, "unknown cipher type"); return -1; @@ -145,11 +157,13 @@ int cipher_decrypt(cipher_t* c, key_derivation_t* kd, encrypted_packet_t* in, pl if(c->type_ == c_null) len = cipher_null_crypt(encrypted_packet_get_payload(in), encrypted_packet_get_payload_length(in), plain_packet_get_packet(out), plain_packet_get_length(out)); +#ifndef NO_CRYPT else if(c->type_ == c_aes_ctr) len = cipher_aesctr_crypt(c, kd, encrypted_packet_get_payload(in), encrypted_packet_get_payload_length(in), plain_packet_get_packet(out), plain_packet_get_length(out), encrypted_packet_get_seq_nr(in), encrypted_packet_get_sender_id(in), encrypted_packet_get_mux(in)); +#endif else { log_printf(ERR, "unknown cipher type"); return -1; @@ -171,6 +185,7 @@ int32_t cipher_null_crypt(u_int8_t* in, u_int32_t ilen, u_int8_t* out, u_int32_t return (ilen < olen) ? ilen : olen; } +#ifndef NO_CRYPT /* ---------------- AES-Ctr Cipher ---------------- */ int cipher_aesctr_init(cipher_t* c) 
@@ -236,17 +251,18 @@ buffer_t cipher_aesctr_calc_ctr(cipher_t* c, key_derivation_t* kd, seq_nr_t seq_ if(ret < 0) return result; - mpz_t ctr, sid_mux, seq; - mpz_init2(ctr, 128); - mpz_init2(sid_mux, 128); - mpz_init2(seq, 128); - int faked_msb = 0; if(!c->salt_.buf_[0]) { c->salt_.buf_[0] = 1; faked_msb = 1; } +#ifndef NO_LIBGMP + mpz_t ctr, sid_mux, seq; + mpz_init2(ctr, 128); + mpz_init2(sid_mux, 128); + mpz_init2(seq, 128); + mpz_import(ctr, c->salt_.length_, 1, 1, 0, 0, c->salt_.buf_); mpz_set_ui(sid_mux, mux); @@ -262,6 +278,10 @@ buffer_t cipher_aesctr_calc_ctr(cipher_t* c, key_derivation_t* kd, seq_nr_t seq_ mpz_mul_2exp(ctr, ctr, 16); result.buf_ = mpz_export(NULL, (size_t*)&result.length_, 1, 1, 0, 0, ctr); + mpz_clear(ctr); + mpz_clear(sid_mux); + mpz_clear(seq); +#endif #ifndef ANYTUN_02_COMPAT if(faked_msb) { @@ -270,10 +290,6 @@ buffer_t cipher_aesctr_calc_ctr(cipher_t* c, key_derivation_t* kd, seq_nr_t seq_ } #endif - mpz_clear(ctr); - mpz_clear(sid_mux); - mpz_clear(seq); - return result; } @@ -328,3 +344,4 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, u_int8_t* in, u_i return (ilen < olen) ? ilen : olen; } +#endif diff --git a/src/cipher.h b/src/cipher.h index 5b750b9..036eb72 100644 --- a/src/cipher.h +++ b/src/cipher.h @@ -35,8 +35,12 @@ #ifndef _CIPHER_H_ #define _CIPHER_H_ +#ifndef NO_CRYPT #include <gcrypt.h> #include "key_derivation.h" +#else +typedef u_int8_t* key_derivation_t; +#endif enum cipher_type_enum { c_unknown, c_null, c_aes_ctr }; typedef enum cipher_type_enum cipher_type_t; @@ -46,7 +50,9 @@ struct cipher_struct { u_int16_t key_length_; buffer_t key_; buffer_t salt_; +#ifndef NO_CRYPT gcry_cipher_hd_t handle_; +#endif }; typedef struct cipher_struct cipher_t; 
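Review bot: With NO_LIBGMP defined but NO_CRYPT left undefined, the whole counter computation in cipher_aesctr_calc_ctr is compiled out and control still reaches `return result;`, so the AES-CTR path would proceed with whatever `result` was initialised to above the hunk instead of a derived counter; key_derivation_aesctr_calc_ctr in the next file has the same shape and returns 1 without ever writing result->key_. Unless a non-GMP implementation is planned for an `#else` side, this combination should be refused at compile time so a misconfigured build cannot encrypt with an undefined counter or key, e.g. next to the gmp.h include: `#if defined(NO_LIBGMP) && !defined(NO_CRYPT)` / `#error "NO_LIBGMP requires NO_CRYPT"` / `#endif`. The faked_msb restore in the `#ifndef ANYTUN_02_COMPAT` block still runs in that configuration, which is fine on its own but underlines that the function reports success either way. cipher_aesctr_calc_ctr starts outside this hunk.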
@@ -58,9 +64,12 @@ int cipher_decrypt(cipher_t* c, key_derivation_t* kd, encrypted_packet_t* in, pl int32_t cipher_null_crypt(u_int8_t* in, u_int32_t ilen, u_int8_t* out, u_int32_t olen); + +#ifndef NO_CRYPT int cipher_aesctr_init(cipher_t* c); void cipher_aesctr_close(cipher_t* c); buffer_t cipher_aesctr_calc_ctr(cipher_t* c, key_derivation_t* kd, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux); int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, u_int8_t* in, u_int32_t ilen, u_int8_t* out, u_int32_t olen, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux); +#endif #endif diff --git a/src/key_derivation.c b/src/key_derivation.c index dbbd1d2..2911272 100644 --- a/src/key_derivation.c +++ b/src/key_derivation.c @@ -41,8 +41,9 @@ #include <stdlib.h> #include <string.h> +#ifndef NO_LIBGMP #include <gmp.h> - +#endif int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, u_int8_t* key, u_int32_t key_len, u_int8_t* salt, u_int32_t salt_len) { @@ -217,15 +218,17 @@ int key_derivation_aesctr_calc_ctr(key_derivation_t* kd, key_store_t* result, sa } result->r_ = r; - mpz_t ctr, key_id; - mpz_init2(ctr, 128); - mpz_init2(key_id, 128); - int faked_msb = 0; if(!kd->master_salt_.buf_[0]) { kd->master_salt_.buf_[0] = 1; faked_msb = 1; } + +#ifndef NO_LIBGMP + mpz_t ctr, key_id; + mpz_init2(ctr, 128); + mpz_init2(key_id, 128); + mpz_import(ctr, kd->master_salt_.length_, 1, 1, 0, 0, kd->master_salt_.buf_); mpz_set_ui(key_id, label); @@ -242,6 +245,9 @@ int key_derivation_aesctr_calc_ctr(key_derivation_t* kd, key_store_t* result, sa if(result->key_.buf_) free(result->key_.buf_); result->key_.buf_ = mpz_export(NULL, (size_t*)&(result->key_.length_), 1, 1, 0, 0, ctr); + mpz_clear(ctr); + mpz_clear(key_id); +#endif #ifndef ANYTUN_02_COMPAT if(faked_msb) { @@ -250,9 +256,6 @@ int key_derivation_aesctr_calc_ctr(key_derivation_t* kd, key_store_t* result, sa } #endif - mpz_clear(ctr); - mpz_clear(key_id); - return 1; } 
diff --git a/src/options.c b/src/options.c index b430eba..ae5d264 100644 --- a/src/options.c +++ b/src/options.c @@ -175,15 +175,18 @@ int options_parse(options_t* opt, int argc, char* argv[]) PARSE_INT_PARAM("-m","--mux", opt->mux_) PARSE_INT_PARAM("-w","--window-size", opt->seq_window_size_) PARSE_STRING_PARAM("-c","--cipher", opt->cipher_) +#ifndef NO_CRYPT PARSE_STRING_PARAM("-k","--kd-prf", opt->kd_prf_) PARSE_INT_PARAM("-l","--ld-kdr", opt->ld_kdr_) PARSE_STRING_PARAM("-a","--auth-algo", opt->auth_algo_) PARSE_HEXSTRING_PARAM_SEC("-K","--key", opt->key_) PARSE_HEXSTRING_PARAM_SEC("-A","--salt", opt->salt_) +#endif else return i; } +#ifndef NO_CRYPT if(!strcmp(opt->cipher_, "null") && !strcmp(opt->auth_algo_, "null")) { if(opt->kd_prf_) free(opt->kd_prf_); opt->kd_prf_ = strdup("null"); @@ -193,6 +196,7 @@ int options_parse(options_t* opt, int argc, char* argv[]) if(opt->kd_prf_) free(opt->kd_prf_); opt->kd_prf_ = strdup("aes-ctr"); } +#endif if(!(opt->dev_name_) && !(opt->dev_type_)) opt->dev_type_ = strdup("tun"); @@ -222,10 +226,14 @@ void options_default(options_t* opt) opt->ifconfig_param_remote_netmask_ = NULL; opt->post_up_script_ = NULL; opt->seq_window_size_ = 100; +#ifndef NO_CRYPT opt->cipher_ = strdup("aes-ctr"); opt->kd_prf_ = strdup("aes-ctr"); opt->ld_kdr_ = 0; opt->auth_algo_ = strdup("sha1"); +#else + opt->cipher_ = strdup("null"); +#endif opt->mux_ = 0; opt->key_.buf_ = NULL; opt->key_.length_ = 0; @@ -266,10 +274,12 @@ void options_clear(options_t* opt) free(opt->post_up_script_); if(opt->cipher_) free(opt->cipher_); +#ifndef NO_CRYPT if(opt->kd_prf_) free(opt->kd_prf_); if(opt->auth_algo_) free(opt->auth_algo_); +#endif if(opt->key_.buf_) free(opt->key_.buf_); if(opt->salt_.buf_) 
@@ -299,11 +309,13 @@ void options_print_usage() printf(" [-w|--window-size] <window size> seqence number window size\n"); printf(" [-m|--mux] <mux-id> the multiplex id to use\n"); printf(" [-c|--cipher] <cipher type> payload encryption algorithm\n"); +#ifndef NO_CRYPT printf(" [-a|--auth-algo] <algo type> message authentication algorithm\n"); // printf(" [-k|--kd-prf] <kd-prf type> key derivation pseudo random function\n"); printf(" [-l|--ld-kdr] <ld-kdr> log2 of key derivation rate\n"); printf(" [-K|--key] <master key> master key to use for encryption\n"); printf(" [-A|--salt] <master salt> master salt to use for encryption\n"); +#endif } void options_print(options_t* opt) @@ -327,9 +339,11 @@ void options_print(options_t* opt) printf("mux: %d\n", opt->mux_); printf("seq_window_size: %d\n", opt->seq_window_size_); printf("cipher: '%s'\n", opt->cipher_); +#ifndef NO_CRYPT printf("auth_algo: '%s'\n", opt->auth_algo_); printf("kd_prf: '%s'\n", opt->kd_prf_); printf("ld_kdr: %d\n", opt->ld_kdr_); +#endif u_int32_t i; printf("key_[%d]: '", opt->key_.length_); diff --git a/src/options.h b/src/options.h index 93836b5..8808e63 100644 --- a/src/options.h +++ b/src/options.h @@ -54,9 +54,11 @@ struct options_struct { char* post_up_script_; window_size_t seq_window_size_; char* cipher_; +#ifndef NO_CRYPT char* kd_prf_; int ld_kdr_; char* auth_algo_; +#endif mux_t mux_; buffer_t key_; buffer_t salt_; diff --git a/src/uanytun.c b/src/uanytun.c index 55a73a2..14e0ab5 100644 --- a/src/uanytun.c +++ b/src/uanytun.c @@ -50,14 +50,20 @@ #include "encrypted_packet.h" #include "seq_window.h" -#include "key_derivation.h" + #include "cipher.h" +#ifndef NO_CRYPT +#include "key_derivation.h" #include "auth_algo.h" +#include <gcrypt.h> +#endif + + #include "daemon.h" #include "sysexec.h" -#include <gcrypt.h> +#ifndef NO_CRYPT #define MIN_GCRYPT_VERSION "1.2.0" 
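Review bot: Under NO_CRYPT the usage text still lists `[-c|--cipher] <cipher type> payload encryption algorithm` as a context line above the new `#ifndef NO_CRYPT`, although in that build cipher_init (earlier in this commit) only accepts "null", so a user reading the help output cannot tell the binary has no encryption. Either move the `-c` line inside the `#ifndef NO_CRYPT` block or add an `#else` side with a line such as `printf(" built without cryptographic support: payload is sent unencrypted and unauthenticated\n");` so the limitation is visible from `--help`. The same applies to options_print, which under NO_CRYPT prints the cipher name but nothing that marks the build as crypto-less.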
@@ -83,6 +89,7 @@ int init_libgcrypt() log_printf(NOTICE, "libgcrypt init finished"); return 0; } +#endif int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt) { @@ -105,6 +112,7 @@ int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt) return_value = ret; } +#ifndef NO_CRYPT auth_algo_t aa; ret = auth_algo_init(&aa, opt->auth_algo_); if(ret) { @@ -125,6 +133,9 @@ int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt) log_printf(ERR, "could not initialize outbound key derivation of type %s", opt->kd_prf_); return_value = ret; } +#else + key_derivation_t kd_in, kd_out; +#endif seq_win_t seq_win; ret = seq_win_init(&seq_win, opt->seq_window_size_); @@ -175,7 +186,9 @@ int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt) cipher_encrypt(&c, &kd_out, &plain_packet, &encrypted_packet, seq_nr, opt->sender_id_, opt->mux_); seq_nr++; +#ifndef NO_CRYPT auth_algo_generate(&aa, &kd_out, &encrypted_packet); +#endif len = udp_write(sock, encrypted_packet_get_packet(&encrypted_packet), encrypted_packet_get_length(&encrypted_packet)); if(len == -1) @@ -190,11 +203,13 @@ int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt) } encrypted_packet_set_length(&encrypted_packet, len); - + +#ifndef NO_CRYPT if(!auth_algo_check_tag(&aa, &kd_out, &encrypted_packet)) { log_printf(WARNING, "wrong authentication tag, discarding packet"); continue; } +#endif if(encrypted_packet_get_mux(&encrypted_packet) != opt->mux_) continue; @@ -227,9 +242,11 @@ int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt) } cipher_close(&c); +#ifndef NO_CRYPT auth_algo_close(&aa); key_derivation_close(&kd_out); key_derivation_close(&kd_in); +#endif seq_win_clear(&seq_win); return return_value; 
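Review bot: In the `#else` branch `key_derivation_t kd_in, kd_out;` declares two pointers (cipher.h typedefs key_derivation_t as `u_int8_t*` in the NO_CRYPT build) that are never initialised, yet `&kd_out` is still passed to cipher_encrypt in the next hunk and presumably `&kd_in` to cipher_decrypt further down; the null cipher appears to ignore the argument, but handing uninitialised pointers into the cipher layer is fragile the moment any callee touches them. Initialise them and make the missing protection visible at runtime in the same block: `key_derivation_t kd_in = NULL, kd_out = NULL;` followed by `log_printf(WARNING, "built without crypto support: packets are neither encrypted nor authenticated");`, since in this build the auth_algo_check_tag call in the later hunk is compiled out and an inbound datagram is only subjected to the mux comparison and whatever checks follow the hunk before it is written to the device. main_loop begins before the first of these hunks.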
@@ -274,12 +291,14 @@ int main(int argc, char* argv[]) log_printf(NOTICE, "just started..."); +#ifndef NO_CRYPT ret = init_libgcrypt(); if(ret) { log_printf(ERR, "error on libgcrpyt initialization, exitting"); options_clear(&opt); exit(ret); } +#endif tun_device_t dev; |