From dbf1390e83c43780287fcc16cb1e4c5c592d3d3c Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 14 Jan 2009 21:29:18 +0000 Subject: Release 0.2.1 fixed key derivation rate bug --- ChangeLog | 5 +++++ src/auth_algo.c | 46 ++++++++++++++++------------------------------ src/cipher.c | 31 +++++++++++-------------------- src/uanytun.c | 1 - 4 files changed, 32 insertions(+), 51 deletions(-) diff --git a/ChangeLog b/ChangeLog index 152778f..50f9a91 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2009.01.14 -- Version 0.2.1svn91 + +* fixed bug which prevents the daemon from using the right cipher + key when using a key derivation rate other than 1 + 2009.01.11 -- Version 0.2svn85 * added crypto support using libgcrypt or openssl diff --git a/src/auth_algo.c b/src/auth_algo.c index f5aef0f..f8fc34d 100644 --- a/src/auth_algo.c +++ b/src/auth_algo.c 
@@ -193,33 +193,26 @@ void auth_algo_sha1_generate(auth_algo_t* aa, key_derivation_t* kd, key_store_di int ret = key_derivation_generate(kd, dir, LABEL_SATP_MSG_AUTH, encrypted_packet_get_seq_nr(packet), aa->key_.buf_, aa->key_.length_); if(ret < 0) return; - if(ret) { // a new key got generated -#ifndef USE_SSL_CRYPTO - gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_); - if(err) { - log_printf(ERR, "failed to set hmac key: %s", gcry_strerror(err)); - return; - } -#else - HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); - } - else { - HMAC_Init_ex(¶ms->ctx_, NULL, 0, NULL, NULL); -#endif - } #ifndef USE_SSL_CRYPTO + gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_); + if(err) { + log_printf(ERR, "failed to set hmac key: %s", gcry_strerror(err)); + return; + } + gcry_md_reset(params->handle_); gcry_md_write(params->handle_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); gcry_md_final(params->handle_); u_int8_t* hmac = gcry_md_read(params->handle_, 0); #else + HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); + u_int8_t hmac[SHA1_LENGTH]; HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); HMAC_Final(¶ms->ctx_, hmac, NULL); #endif - u_int8_t* tag = encrypted_packet_get_auth_tag(packet); u_int32_t length = (encrypted_packet_get_auth_tag_length(packet) < SHA1_LENGTH) ? encrypted_packet_get_auth_tag_length(packet) : SHA1_LENGTH; 
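Review bot: Both early `return`s in auth_algo_sha1_generate, after `key_derivation_generate` fails and after `gcry_md_setkey` fails, exit without writing the auth tag, and because the function is `void` the caller cannot tell. With `gcry_md_setkey` now run for every packet instead of only on a key change, that path can be hit on any packet. If the caller still transmits the packet (not visible in this hunk), it would carry whatever bytes were already in the tag field; consider returning an `int` status so the caller can drop the packet. On the OpenSSL side the result of `HMAC_Init_ex` is ignored, although it returns a status in OpenSSL 1.0.0 and later. The function body continues past the end of the hunk.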
@@ -248,28 +241,21 @@ int auth_algo_sha1_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_store_di int ret = key_derivation_generate(kd, dir, LABEL_SATP_MSG_AUTH, encrypted_packet_get_seq_nr(packet), aa->key_.buf_, aa->key_.length_); if(ret < 0) return 0; - if(ret) { // a new key got generated -#ifndef USE_SSL_CRYPTO - gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_); - if(err) { - log_printf(ERR, "failed to set hmac key: %s", gcry_strerror(err)); - return -1; - } -#else - HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); - } - else { - HMAC_Init_ex(¶ms->ctx_, NULL, 0, NULL, NULL); -#endif - } - #ifndef USE_SSL_CRYPTO + gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_); + if(err) { + log_printf(ERR, "failed to set hmac key: %s", gcry_strerror(err)); + return -1; + } + gcry_md_reset(params->handle_); gcry_md_write(params->handle_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); gcry_md_final(params->handle_); u_int8_t* hmac = gcry_md_read(params->handle_, 0); #else + HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); + u_int8_t hmac[SHA1_LENGTH]; HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); HMAC_Final(¶ms->ctx_, hmac, NULL); diff --git a/src/cipher.c b/src/cipher.c index 2066d1f..01125d4 100644 --- a/src/cipher.c +++ b/src/cipher.c 
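Review bot: The `gcry_md_setkey` failure path in auth_algo_sha1_check_tag returns `-1`, while the key-derivation failure just above it returns `0`. If any caller tests the result as a boolean, `-1` reads as "tag valid" and a packet whose tag was never verified is accepted. The caller is not part of this diff, so this needs confirming, but failing closed with `return 0;` after the `log_printf` would make both error paths behave the same. This matters more now that the key is set for every packet rather than only after a key change. The function continues outside the hunk.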
@@ -293,28 +293,19 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, key_store_dir_t d if(ret < 0) return ret; - if(ret) { // a new key got generated #ifdef USE_SSL_CRYPTO - ret = AES_set_encrypt_key(c->key_.buf_, c->key_length_, ¶ms->aes_key_); - if(ret) { - log_printf(ERR, "failed to set cipher ssl aes-key (code: %d)", ret); - return -1; - } + ret = AES_set_encrypt_key(c->key_.buf_, c->key_length_, ¶ms->aes_key_); + if(ret) { + log_printf(ERR, "failed to set cipher ssl aes-key (code: %d)", ret); + return -1; + } #else - gcry_error_t err = gcry_cipher_setkey(params->handle_, c->key_.buf_, c->key_.length_); - if(err) { - log_printf(ERR, "failed to set cipher key: %s", gcry_strerror(err)); - return -1; - } - } // no new key got generated - else { - gcry_error_t err = gcry_cipher_reset(params->handle_); - if(err) { - log_printf(ERR, "failed to reset cipher: %s", gcry_strerror(err)); - return -1; - } -#endif + gcry_error_t err = gcry_cipher_setkey(params->handle_, c->key_.buf_, c->key_.length_); + if(err) { + log_printf(ERR, "failed to set cipher key: %s", gcry_strerror(err)); + return -1; } +#endif ret = cipher_aesctr_calc_ctr(c, kd, dir, seq_nr, sender_id, mux); if(ret < 0) { @@ -323,7 +314,7 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, key_store_dir_t d } #ifndef USE_SSL_CRYPTO - gcry_error_t err = gcry_cipher_setctr(params->handle_, params->ctr_.buf_, C_AESCTR_CTR_LENGTH); + err = gcry_cipher_setctr(params->handle_, params->ctr_.buf_, C_AESCTR_CTR_LENGTH); if(err) { log_printf(ERR, "failed to set cipher CTR: %s", gcry_strerror(err)); return -1; diff --git a/src/uanytun.c b/src/uanytun.c index 6854200..27f208f 100644 --- a/src/uanytun.c +++ b/src/uanytun.c @@ -120,7 +120,6 @@ int init_main_loop(options_t* opt, cipher_t* c, auth_algo_t* aa, key_derivation_ auth_algo_close(aa); return ret; } - #endif ret = seq_win_init(seq_win, opt->seq_window_size_); -- cgit v1.2.3
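Review bot: The two backends take the key size from different fields, `c->key_length_` for `AES_set_encrypt_key` and `c->key_.length_` for `gcry_cipher_setkey`, with no comment explaining why. `AES_set_encrypt_key` expects the size in bits and `gcry_cipher_setkey` in bytes, so this is presumably intentional; a comment such as `/* key_length_ is in bits, key_.length_ in bytes */` (to be confirmed against the struct definition) would stop the two being "unified" later. It would also help to state above the `#ifdef` that the key is deliberately set for every packet, e.g. `/* always (re)set the key; do not skip this when key_derivation_generate returns 0 */`, so the removed shortcut is not reintroduced as an optimisation. cipher_aesctr_crypt starts and ends outside the hunk.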
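Review bot: In the second cipher.c hunk, `err = gcry_cipher_setctr(...)` now relies on the `gcry_error_t err` declared in the `#else` branch of the earlier `#ifdef USE_SSL_CRYPTO`, while this use sits under `#ifndef USE_SSL_CRYPTO`. The two guards select the same build today, but the declaration and its use are easy to separate when either block is edited. Using the same guard form in both places, or giving the call its own scope (`{ gcry_error_t err = gcry_cipher_setctr(...); ... }`), would keep each block self-contained.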