- Small fixes

- Do proper key exchange - Encrypt packets - it works, but there is something wrong with the MAC header after decryption...
2000-10-29 10:39:08 +00:00 · 2000-10-29 10:39:08 +00:00 · cea3d8f305
commit cea3d8f305
parent 8fa9bc017d
2 changed files with 87 additions and 47 deletions
--- a/src/net.c
+++ b/src/net.c
@ -17,7 +17,7 @@
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

-    $Id: net.c,v 1.35.4.53 2000/10/29 09:19:24 guus Exp $
+    $Id: net.c,v 1.35.4.54 2000/10/29 10:39:06 guus Exp $
 */

 #include "config.h"
@ -39,6 +39,9 @@
 #include <syslog.h>
 #include <unistd.h>
 #include <sys/ioctl.h>
+#include <openssl/rand.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>

 #ifdef HAVE_TUNTAP
 #include LINUX_IF_TUN_H
@ -67,6 +70,9 @@ int total_socket_out = 0;
 config_t *upstreamcfg;
 static int seconds_till_retry;

+int keylifetime = 0;
+int keyexpires = 0;
+
 char *unknown = NULL;

 subnet_t mymac;
@ -101,19 +107,20 @@ int xsend(conn_list_t *cl, vpn_packet_t *inpkt)
 {
  vpn_packet_t outpkt;
  int outlen, outpad;
+  EVP_CIPHER_CTX ctx;
 cp
  outpkt.len = inpkt->len;
-/*
-  EVP_EncryptInit(cl->cipher_pktctx, cl->cipher_pkttype, cl->cipher_pktkey, NULL);
-  EVP_EncryptUpdate(cl->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
-  EVP_EncryptFinal(cl->cipher_pktctx, outpkt.data + outlen, &outpad);
+  
+  EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey);
+  EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
+  EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad);
  outlen += outpad + 2;

-  Do encryption when everything else is fixed...
-*/
+/* Bypass
  outlen = outpkt.len + 2;
  memcpy(&outpkt, inpkt, outlen);
-  
+*/  
+
  if(debug_lvl >= DEBUG_TRAFFIC)
    syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"),
           outlen, cl->name, cl->hostname);
@ -136,18 +143,18 @@ int xrecv(vpn_packet_t *inpkt)
 {
  vpn_packet_t outpkt;
  int outlen, outpad;
+  EVP_CIPHER_CTX ctx;
 cp
  outpkt.len = inpkt->len;
-/*
-  EVP_DecryptInit(myself->cipher_pktctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL);
-  EVP_DecryptUpdate(myself->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
-  EVP_DecryptFinal(myself->cipher_pktctx, outpkt.data + outlen, &outpad);
+  EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL);
+  EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
+  EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad);
  outlen += outpad;

-  Do decryption is everything else is fixed...
-*/
+/* Bypass
  outlen = outpkt.len+2;
  memcpy(&outpkt, inpkt, outlen);
+*/
     
  /* Fix mac address */

@ -329,7 +336,7 @@ cp
      
  if(!cl->status.validkey)
    {
-/* Don't queue until everything else is fixed.
+/* FIXME: Don't queue until everything else is fixed.
      if(debug_lvl >= DEBUG_TRAFFIC)
 	syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"),
 	       cl->name, cl->hostname);
@ -342,7 +349,7 @@ cp

  if(!cl->status.active)
    {
-/* Don't queue until everything else is fixed.
+/* FIXME: Don't queue until everything else is fixed.
      if(debug_lvl >= DEBUG_TRAFFIC)
 	syslog(LOG_INFO, _("%s (%s) is not ready, queueing packet"),
 	       cl->name, cl->hostname);
@ -761,6 +768,22 @@ cp
      return -1;
    }

+  /* Generate packet encryption key */
+
+  myself->cipher_pkttype = EVP_bf_cbc();
+
+  myself->cipher_pktkey = (char *)xmalloc(64);
+  RAND_bytes(myself->cipher_pktkey, 64);
+
+  if(!(cfg = get_config_val(config, keyexpire)))
+    keylifetime = 3600;
+  else
+    keylifetime = cfg->data.val;
+    
+  keyexpires = time(NULL) + keylifetime;
+
+  /* Activate ourselves */
+  
  myself->status.active = 1;

  syslog(LOG_NOTICE, _("Ready: listening on port %hd"), myself->port);
@ -1281,6 +1304,7 @@ void main_loop(void)
  struct timeval tv;
  int r;
  time_t last_ping_check;
+  int t;
 cp
  last_ping_check = time(NULL);

@ -1322,11 +1346,26 @@ cp
          continue;
        }

-      if(last_ping_check + timeout < time(NULL))
-	/* Let's check if everybody is still alive */
+      t = time(NULL);
+
+      /* Let's check if everybody is still alive */
+
+      if(last_ping_check + timeout < t)
 	{
 	  check_dead_connections();
          last_ping_check = time(NULL);
+
+          /* Should we regenerate our key? */
+
+          if(keyexpires < t)
+            {
+              if(debug_lvl >= DEBUG_STATUS)
+                syslog(LOG_INFO, _("Regenerating symmetric key"));
+                
+              RAND_bytes(myself->cipher_pktkey, 64);
+              send_key_changed(myself, NULL);
+              keyexpires = time(NULL) + keylifetime;
+            }
 	}

      if(r > 0)
--- a/src/protocol.c
+++ b/src/protocol.c
@ -17,7 +17,7 @@
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

-    $Id: protocol.c,v 1.28.4.50 2000/10/29 09:19:25 guus Exp $
+    $Id: protocol.c,v 1.28.4.51 2000/10/29 10:39:08 guus Exp $
 */

 #include "config.h"
@ -38,6 +38,7 @@

 #include <openssl/sha.h>
 #include <openssl/rand.h>
+#include <openssl/evp.h>

 #include "conf.h"
 #include "net.h"
@ -470,6 +471,7 @@ cp
  cl->allow_request = ALL;
  cl->status.active = 1;
  cl->nexthop = cl;
+  cl->cipher_pkttype = EVP_bf_cbc();

  if(debug_lvl >= DEBUG_CONNECTIONS)
    syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), cl->name, cl->hostname);
@ -992,6 +994,7 @@ int req_key_h(conn_list_t *cl)
 {
  char *from_id, *to_id;
  conn_list_t *from, *to;
+  char pktkey[129];
 cp
  if(sscanf(cl->buffer, "%*d %as %as", &from_id, &to_id) != 2)
    {
@ -1012,7 +1015,9 @@ cp

  if(!strcmp(to_id, myself->name))
    {
-      send_ans_key(myself, from, myself->cipher_pktkey);
+      bin2hex(myself->cipher_pktkey, pktkey, 64);
+      pktkey[128] = 0;
+      send_ans_key(myself, from, pktkey);
    }
  else
    {
@ -1059,46 +1064,42 @@ cp
      return -1;
    }

-  /* Check if this key request is for us */
+  /* Update origin's packet key */

-  if(!strcmp(to_id, myself->name))
+  keylength = strlen(pktkey);
+
+  if((keylength%2)!=0 || (keylength <= 0))
    {
-      /* It is for us, convert it to binary and set the key with it. */
-
-      keylength = strlen(pktkey);
-
-      if((keylength%2)!=0 || (keylength <= 0))
-        {
-          syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s) origin %s: invalid key"),
-                 cl->name, cl->hostname, from->name);
-          free(from_id); free(to_id); free(pktkey);
-          return -1;
-        }
-
-      if(from->cipher_pktkey)
-        free(from->cipher_pktkey);
-
-      keylength /= 2;
-      hex2bin(pktkey, pktkey, keylength);
-      pktkey[keylength] = '\0';
-      from->cipher_pktkey = pktkey;
-
-      from->status.validkey = 1;
-      from->status.waitingforkey = 0;
+      syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s) origin %s: invalid key"),
+             cl->name, cl->hostname, from->name);
+      free(from_id); free(to_id); free(pktkey);
+      return -1;
    }
-  else
+
+  if(from->cipher_pktkey)
+    free(from->cipher_pktkey);
+
+  keylength /= 2;
+  hex2bin(pktkey, pktkey, keylength);
+  pktkey[keylength] = '\0';
+  from->cipher_pktkey = pktkey;
+
+  from->status.validkey = 1;
+  from->status.waitingforkey = 0;
+    
+  if(strcmp(to_id, myself->name))
    {
      if(!(to = lookup_id(to_id)))
        {
          syslog(LOG_ERR, _("Got ANS_KEY from %s (%s) destination %s which does not exist in our connection list"),
                 cl->name, cl->hostname, to_id);
-          free(from_id); free(to_id); free(pktkey);
+          free(from_id); free(to_id);
          return -1;
        }
      send_ans_key(from, to, pktkey);
    }

-  free(from_id); free(to_id); free(pktkey);
+  free(from_id); free(to_id);
 cp
  return 0;
 }