- Per-node EVP_CIPHER_CTX to avoid initialisation overhead.

- LZO compression, thanks to Teemu Kiviniemi. - Updated dutch translation.
2003-05-06 21:13:18 +00:00 · 2003-05-06 21:13:18 +00:00 · c70f52087b
commit c70f52087b
parent 1ad2394b84
10 changed files with 218 additions and 155 deletions
--- a/src/net.c
+++ b/src/net.c
@ -17,7 +17,7 @@
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

-    $Id: net.c,v 1.35.4.185 2003/04/19 11:12:45 guus Exp $
+    $Id: net.c,v 1.35.4.186 2003/05/06 21:13:14 guus Exp $
 */

 #include "config.h"
@ -385,6 +385,7 @@ void main_loop(void)
 					syslog(LOG_INFO, _("Regenerating symmetric key"));

 				RAND_pseudo_bytes(myself->key, myself->keylength);
+				EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len);
 				send_key_changed(broadcast, myself);
 				keyexpires = now + keylifetime;
 			}
--- a/src/net.h
+++ b/src/net.h
@ -17,7 +17,7 @@
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

-    $Id: net.h,v 1.9.4.56 2003/03/28 13:41:49 guus Exp $
+    $Id: net.h,v 1.9.4.57 2003/05/06 21:13:17 guus Exp $
 */

 #ifndef __TINC_NET_H__
@ -37,14 +37,13 @@

 #ifdef ENABLE_JUMBOGRAMS
 #define MTU 9014				/* 9000 bytes payload + 14 bytes ethernet header */
-#define MAXSIZE 9100			/* MTU + header (seqno) and trailer (CBC padding and HMAC) */
-#define MAXBUFSIZE 9100			/* Must support TCP packets of length 9000. */
 #else
 #define MTU 1514				/* 1500 bytes payload + 14 bytes ethernet header */
-#define MAXSIZE 1600			/* MTU + header (seqno) and trailer (CBC padding and HMAC) */
-#define MAXBUFSIZE 2100			/* Quite large but needed for support of keys up to 8192 bits. */
 #endif

+#define MAXSIZE (MTU + 4 + 8 + 64 + MTU/64 + 20)	/* MTU + seqno + padding + HMAC + compressor overhead */
+#define MAXBUFSIZE ((MAXSIZE > 2048 ? MAXSIZE : 2048) + 128)	/* Enough room for a request with a MAXSIZEd packet or a 8192 bits RSA key */
+
 #define MAXSOCKETS 128			/* Overkill... */

 #define MAXQUEUELENGTH 8		/* Maximum number of packats in a single queue */
--- a/src/net_packet.c
+++ b/src/net_packet.c
@ -17,7 +17,7 @@
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

-    $Id: net_packet.c,v 1.1.2.27 2003/04/18 21:18:36 guus Exp $
+    $Id: net_packet.c,v 1.1.2.28 2003/05/06 21:13:17 guus Exp $
 */

 #include "config.h"
@ -56,6 +56,7 @@
 #include <openssl/hmac.h>

 #include <zlib.h>
+#include <lzo1x.h>

 #include <utils.h>
 #include <xalloc.h>
@ -81,9 +82,51 @@
 int keylifetime = 0;
 int keyexpires = 0;
 EVP_CIPHER_CTX packet_ctx;
+char lzo_wrkmem[MAXSIZE];
+

 #define MAX_SEQNO 1073741824

+length_t compress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level)
+{
+	if(level == 10) {
+		lzo_uint lzolen = sizeof(lzo_wrkmem);
+		lzo1x_1_compress(source, len, dest, &lzolen, lzo_wrkmem);
+		return lzolen;
+	} else if(level < 10) {
+		unsigned long destlen;
+		if(compress2(dest, &destlen, source, len, level) == Z_OK)
+			return destlen;
+		else
+			return -1;
+	} else {
+		lzo_uint lzolen = sizeof(lzo_wrkmem);
+		lzo1x_999_compress(source, len, dest, &lzolen, lzo_wrkmem);
+		return lzolen;
+	}
+	
+	return -1;
+}
+
+length_t uncompress_packet(uint8_t *dest, const uint8_t *source, length_t len, int level)
+{
+	if(level > 9) {
+		lzo_uint lzolen = sizeof(lzo_wrkmem);
+		if(lzo1x_decompress_safe(source, len, dest, &lzolen, NULL) == LZO_E_OK)
+			return lzolen;
+		else
+			return -1;
+	} else {
+		unsigned long destlen;
+		if(uncompress(dest, &destlen, source, len) == Z_OK)
+			return destlen;
+		else
+			return -1;
+	}
+	
+	return -1;
+}
+
 /* VPN packet I/O */

 void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
@ -119,8 +162,9 @@ void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
 	if(myself->cipher) {
 		outpkt = pkt[nextpkt++];

-		EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key,
-						myself->key + myself->cipher->key_len);
+//		EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key,
+//						myself->key + myself->cipher->key_len);
+		EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL);
 		EVP_DecryptUpdate(&packet_ctx, (char *) &outpkt->seqno, &outlen,
 						  (char *) &inpkt->seqno, inpkt->len);
 		EVP_DecryptFinal_ex(&packet_ctx, (char *) &outpkt->seqno + outlen, &outpad);
@ -162,13 +206,12 @@ void receive_udppacket(node_t *n, vpn_packet_t *inpkt)
 	if(myself->compression) {
 		outpkt = pkt[nextpkt++];

-		if(uncompress(outpkt->data, &complen, inpkt->data, inpkt->len) != Z_OK) {
+		if((outpkt->len = uncompress_packet(outpkt->data, inpkt->data, inpkt->len, myself->compression)) < 0) {
 			syslog(LOG_ERR, _("Error while uncompressing packet from %s (%s)"),
 				   n->name, n->hostname);
 			return;
 		}

-		outpkt->len = complen;
 		inpkt = outpkt;
 	}

@ -248,15 +291,12 @@ void send_udppacket(node_t *n, vpn_packet_t *inpkt)
 	if(n->compression) {
 		outpkt = pkt[nextpkt++];

-		if(compress2
-		   (outpkt->data, &complen, inpkt->data, inpkt->len,
-			n->compression) != Z_OK) {
+		if((outpkt->len = compress_packet(outpkt->data, inpkt->data, inpkt->len, n->compression)) < 0) {
 			syslog(LOG_ERR, _("Error while compressing packet to %s (%s)"),
 				   n->name, n->hostname);
 			return;
 		}

-		outpkt->len = complen;
 		inpkt = outpkt;
 	}

@ -270,10 +310,11 @@ void send_udppacket(node_t *n, vpn_packet_t *inpkt)
 	if(n->cipher) {
 		outpkt = pkt[nextpkt++];

-		EVP_EncryptInit_ex(&packet_ctx, n->cipher, NULL, n->key, n->key + n->cipher->key_len);
-		EVP_EncryptUpdate(&packet_ctx, (char *) &outpkt->seqno, &outlen,
+//		EVP_EncryptInit_ex(&packet_ctx, n->cipher, NULL, n->key, n->key + n->cipher->key_len);
+		EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL);
+		EVP_EncryptUpdate(&n->packet_ctx, (char *) &outpkt->seqno, &outlen,
 						  (char *) &inpkt->seqno, inpkt->len);
-		EVP_EncryptFinal_ex(&packet_ctx, (char *) &outpkt->seqno + outlen, &outpad);
+		EVP_EncryptFinal_ex(&n->packet_ctx, (char *) &outpkt->seqno + outlen, &outpad);

 		outpkt->len = outlen + outpad;
 		inpkt = outpkt;
--- a/src/net_setup.c
+++ b/src/net_setup.c
@ -17,7 +17,7 @@
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

-    $Id: net_setup.c,v 1.1.2.30 2003/03/28 13:41:49 guus Exp $
+    $Id: net_setup.c,v 1.1.2.31 2003/05/06 21:13:17 guus Exp $
 */

 #include "config.h"
@ -406,6 +406,7 @@ int setup_myself(void)
 	keyexpires = now + keylifetime;
 	
 	EVP_CIPHER_CTX_init(&packet_ctx);
+	EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len);

 	/* Check if we want to use message authentication codes... */

@ -448,7 +449,7 @@ int setup_myself(void)
 	if(get_config_int
 	   (lookup_config(myself->connection->config_tree, "Compression"),
 		&myself->compression)) {
-		if(myself->compression < 0 || myself->compression > 9) {
+		if(myself->compression < 0 || myself->compression > 11) {
 			syslog(LOG_ERR, _("Bogus compression level!"));
 			return -1;
 		}
--- a/src/node.c
+++ b/src/node.c
@ -17,7 +17,7 @@
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

-    $Id: node.c,v 1.1.2.18 2002/09/09 22:32:49 guus Exp $
+    $Id: node.c,v 1.1.2.19 2003/05/06 21:13:17 guus Exp $
 */

 #include "config.h"
@ -83,6 +83,7 @@ node_t *new_node(void)
 	n->subnet_tree = new_subnet_tree();
 	n->edge_tree = new_edge_tree();
 	n->queue = list_alloc((list_action_t) free);
+	EVP_CIPHER_CTX_init(&n->packet_ctx);

 	return n;
 }
@ -109,6 +110,8 @@ void free_node(node_t *n)
 	if(n->edge_tree)
 		free_edge_tree(n->edge_tree);

+	EVP_CIPHER_CTX_cleanup(&n->packet_ctx);
+	
 	free(n);
 }

--- a/src/node.h
+++ b/src/node.h
@ -17,7 +17,7 @@
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

-    $Id: node.h,v 1.1.2.21 2003/04/18 21:18:36 guus Exp $
+    $Id: node.h,v 1.1.2.22 2003/05/06 21:13:18 guus Exp $
 */

 #ifndef __TINC_NODE_H__
@ -54,7 +54,8 @@ typedef struct node_t {
 	const EVP_CIPHER *cipher;	/* Cipher type for UDP packets */
 	char *key;					/* Cipher key and iv */
 	int keylength;				/* Cipher key and iv length */
-
+	EVP_CIPHER_CTX packet_ctx;	/* Cipher context */
+	
 	const EVP_MD *digest;		/* Digest type for MAC */
 	int maclength;				/* Length of MAC */

--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@ -17,7 +17,7 @@
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

-    $Id: protocol_key.c,v 1.1.4.15 2003/04/18 21:18:36 guus Exp $
+    $Id: protocol_key.c,v 1.1.4.16 2003/05/06 21:13:18 guus Exp $
 */

 #include "config.h"
@ -254,8 +254,15 @@ int ans_key_h(connection_t *c)
 		from->digest = NULL;
 	}

+	if(compression < 0 || compression > 11) {
+		syslog(LOG_ERR, _("Node %s (%s) uses bogus compression level!"), from->name, from->hostname);
+		return -1;
+	}
+	
 	from->compression = compression;

+	EVP_EncryptInit_ex(&from->packet_ctx, from->cipher, NULL, from->key, from->key + from->cipher->key_len);
+
 	flush_queue(from);

 	return 0;