From cea3d8f3056d3c6aaaef473443240b8470c8ea2d Mon Sep 17 00:00:00 2001 From: Guus Sliepen Date: Sun, 29 Oct 2000 10:39:08 +0000 Subject: [PATCH] - Small fixes - Do proper key exchange - Encrypt packets - it works, but there is something wrong with the MAC header after decryption... --- src/net.c | 75 ++++++++++++++++++++++++++++++++++++++------------ src/protocol.c | 59 ++++++++++++++++++++------------------- 2 files changed, 87 insertions(+), 47 deletions(-) diff --git a/src/net.c b/src/net.c index b52412d8..e62bb8dc 100644 --- a/src/net.c +++ b/src/net.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net.c,v 1.35.4.53 2000/10/29 09:19:24 guus Exp $ + $Id: net.c,v 1.35.4.54 2000/10/29 10:39:06 guus Exp $ */ #include "config.h" @@ -39,6 +39,9 @@ #include #include #include +#include +#include +#include #ifdef HAVE_TUNTAP #include LINUX_IF_TUN_H @@ -67,6 +70,9 @@ int total_socket_out = 0; config_t *upstreamcfg; static int seconds_till_retry; +int keylifetime = 0; +int keyexpires = 0; + char *unknown = NULL; subnet_t mymac; 
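Review bot: `int keyexpires = 0;` in the new net.c globals hunk is later assigned `time(NULL) + keylifetime`, so it holds a `time_t` in an `int` and truncates on platforms where `time_t` is wider; declare it `time_t keyexpires = 0;`. `keylifetime` is a configured number of seconds and can stay `int`, but both are now externally visible file-scope variables next to the `static int seconds_till_retry;` above them — if nothing outside net.c reads them, `static` keeps them out of the global namespace. The value of `keyexpires` only becomes meaningful once `keylifetime` is set, which happens in a later hunk of this same file.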
@@ -101,19 +107,20 @@ int xsend(conn_list_t *cl, vpn_packet_t *inpkt) { vpn_packet_t outpkt; int outlen, outpad; + EVP_CIPHER_CTX ctx; cp outpkt.len = inpkt->len; -/* - EVP_EncryptInit(cl->cipher_pktctx, cl->cipher_pkttype, cl->cipher_pktkey, NULL); - EVP_EncryptUpdate(cl->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len); - EVP_EncryptFinal(cl->cipher_pktctx, outpkt.data + outlen, &outpad); + + EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey); + EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len); + EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad); outlen += outpad + 2; - Do encryption when everything else is fixed... -*/ +/* Bypass outlen = outpkt.len + 2; memcpy(&outpkt, inpkt, outlen); - +*/ + if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"), outlen, cl->name, cl->hostname); @@ -136,18 +143,18 @@ int xrecv(vpn_packet_t *inpkt) { vpn_packet_t outpkt; int outlen, outpad; + EVP_CIPHER_CTX ctx; cp outpkt.len = inpkt->len; -/* - EVP_DecryptInit(myself->cipher_pktctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL); - EVP_DecryptUpdate(myself->cipher_pktctx, outpkt.data, &outlen, inpkt->data, inpkt->len); - EVP_DecryptFinal(myself->cipher_pktctx, outpkt.data + outlen, &outpad); + EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL); + EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len); + EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad); outlen += outpad; - Do decryption is everything else is fixed... -*/ +/* Bypass outlen = outpkt.len+2; memcpy(&outpkt, inpkt, outlen); +*/ /* Fix mac address */ @@ -329,7 +336,7 @@ cp if(!cl->status.validkey) { -/* Don't queue until everything else is fixed. +/* FIXME: Don't queue until everything else is fixed. if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_INFO, _("No valid key known yet for %s (%s), queueing packet"), cl->name, cl->hostname); 
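Review bot: `EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey)` in xsend passes the key as the IV, while the matching `EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL)` in the xrecv hunk below passes no IV, so the two sides start CBC with different IVs and the first cipher block of every packet decrypts to garbage — plausibly the broken MAC header mentioned in the commit message. Both calls must agree, and the IV should also be neither the key itself nor the same value for every packet; a per-packet IV carried in the packet is the usual fix, but even as a first step the decrypt side should receive whatever the encrypt side uses. The return values of the three EVP calls are ignored in both hunks, so a failed encryption would send whatever `outpkt` happened to contain. The packet also carries no integrity check, so a modified ciphertext decrypts to garbage that is processed like any other packet; `/* TODO: authenticate packets (MAC) before trusting decrypted data */` above the EVP calls would record that. xsend's body continues outside the hunk.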
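Review bot: `EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad);` in xrecv discards its result, and that result is the only place a padding failure (a truncated, corrupted or wrongly keyed packet) is reported; a failure should drop the packet, e.g. `if(!EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad)) return -1;` — assuming xrecv's callers treat a negative return as a drop, which is outside the hunk. `outpkt.len` is still copied from `inpkt->len` before decryption and is not updated from `outlen` afterwards, so the length the rest of the function sees presumably still includes the padding — worth confirming against what xsend stores in `len`. The encrypt side adds `outpad + 2` to `outlen` while this side adds only `outpad`; if the extra 2 is the length field, the decrypt side likely needs the matching adjustment. xrecv's body continues outside the hunk.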
@@ -342,7 +349,7 @@ cp if(!cl->status.active) { -/* Don't queue until everything else is fixed. +/* FIXME: Don't queue until everything else is fixed. if(debug_lvl >= DEBUG_TRAFFIC) syslog(LOG_INFO, _("%s (%s) is not ready, queueing packet"), cl->name, cl->hostname); @@ -761,6 +768,22 @@ cp return -1; } + /* Generate packet encryption key */ + + myself->cipher_pkttype = EVP_bf_cbc(); + + myself->cipher_pktkey = (char *)xmalloc(64); + RAND_bytes(myself->cipher_pktkey, 64); + + if(!(cfg = get_config_val(config, keyexpire))) + keylifetime = 3600; + else + keylifetime = cfg->data.val; + + keyexpires = time(NULL) + keylifetime; + + /* Activate ourselves */ + myself->status.active = 1; syslog(LOG_NOTICE, _("Ready: listening on port %hd"), myself->port); @@ -1281,6 +1304,7 @@ void main_loop(void) struct timeval tv; int r; time_t last_ping_check; + int t; cp last_ping_check = time(NULL); @@ -1322,11 +1346,26 @@ cp continue; } - if(last_ping_check + timeout < time(NULL)) - /* Let's check if everybody is still alive */ + t = time(NULL); + + /* Let's check if everybody is still alive */ + + if(last_ping_check + timeout < t) { check_dead_connections(); last_ping_check = time(NULL); + + /* Should we regenerate our key? */ + + if(keyexpires < t) + { + if(debug_lvl >= DEBUG_STATUS) + syslog(LOG_INFO, _("Regenerating symmetric key")); + + RAND_bytes(myself->cipher_pktkey, 64); + send_key_changed(myself, NULL); + keyexpires = time(NULL) + keylifetime; + } } if(r > 0) diff --git a/src/protocol.c b/src/protocol.c index 50889b91..d9b10dfd 100644 --- a/src/protocol.c +++ b/src/protocol.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: protocol.c,v 1.28.4.50 2000/10/29 09:19:25 guus Exp $ + $Id: protocol.c,v 1.28.4.51 2000/10/29 10:39:08 guus Exp $ */ #include "config.h" @@ -38,6 +38,7 @@ #include #include +#include #include "conf.h" #include "net.h" 
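Review bot: `RAND_bytes(myself->cipher_pktkey, 64);` after the `xmalloc(64)` in the net.c key-generation hunk ignores the return value of RAND_bytes, so if the PRNG is not seeded the key is whatever xmalloc left in the buffer; check it, `if(!RAND_bytes(myself->cipher_pktkey, 64)) { syslog(LOG_ERR, _("Unable to generate packet key")); return -1; }` — assuming the enclosing function reports failure with -1 as the `return -1;` just above the hunk does. `keylifetime = cfg->data.val` accepts any configured value, including zero or a negative number, which would make `keyexpires` already expired on every pass through the main loop; a lower bound would avoid that. The cipher is `EVP_bf_cbc()` but the key buffer is 64 bytes; unless the key length is set explicitly on the cipher context, the cipher uses its default key length and only a prefix of those 64 bytes affects encryption — worth confirming against the OpenSSL version in use. The same literal 64 appears in main_loop and req_key_h, so a named constant would keep the sites in step.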
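Review bot: `t = time(NULL);` in main_loop stores a `time_t` in the newly declared `int t`, which truncates where `time_t` is wider; declare it `time_t t;` instead. The regeneration check `if(keyexpires < t)` sits inside the `last_ping_check + timeout < t` branch, so expiry is only noticed on the ping schedule and a key can live up to `timeout` seconds past `keyexpires`; hoisting the check out of that branch makes the lifetime exact. `RAND_bytes(myself->cipher_pktkey, 64);` is again unchecked here, and because the new key is written in place before `send_key_changed` runs, packets that peers already encrypted with the old key are decrypted with the new one in xrecv until they fetch the new key — acceptable if that window is expected, but worth a one-line comment. The end of main_loop is outside the hunk.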
@@ -470,6 +471,7 @@ cp cl->allow_request = ALL; cl->status.active = 1; cl->nexthop = cl; + cl->cipher_pkttype = EVP_bf_cbc(); if(debug_lvl >= DEBUG_CONNECTIONS) syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), cl->name, cl->hostname); @@ -992,6 +994,7 @@ int req_key_h(conn_list_t *cl) { char *from_id, *to_id; conn_list_t *from, *to; + char pktkey[129]; cp if(sscanf(cl->buffer, "%*d %as %as", &from_id, &to_id) != 2) { @@ -1012,7 +1015,9 @@ cp if(!strcmp(to_id, myself->name)) { - send_ans_key(myself, from, myself->cipher_pktkey); + bin2hex(myself->cipher_pktkey, pktkey, 64); + pktkey[128] = 0; + send_ans_key(myself, from, pktkey); } else { 
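Review bot: `bin2hex(myself->cipher_pktkey, pktkey, 64); pktkey[128] = 0;` in req_key_h and the `char pktkey[129];` it relies on repeat the key size as three unrelated literals (64, 128, 129) that must stay consistent with the `RAND_bytes(…, 64)` sites in net.c; a single constant, e.g. `#define PKTKEY_LEN 64` with `char pktkey[2*PKTKEY_LEN + 1];`, would tie them together. The explicit `pktkey[128] = 0;` suggests bin2hex does not terminate its output — if so, that deserves a one-line comment, since a reader might otherwise drop the line as redundant. The rest of req_key_h is outside these hunks.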
@@ -1059,46 +1064,42 @@ cp return -1; } - /* Check if this key request is for us */ + /* Update origin's packet key */ - if(!strcmp(to_id, myself->name)) + keylength = strlen(pktkey); + + if((keylength%2)!=0 || (keylength <= 0)) { - /* It is for us, convert it to binary and set the key with it. */ - - keylength = strlen(pktkey); - - if((keylength%2)!=0 || (keylength <= 0)) - { - syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s) origin %s: invalid key"), - cl->name, cl->hostname, from->name); - free(from_id); free(to_id); free(pktkey); - return -1; - } - - if(from->cipher_pktkey) - free(from->cipher_pktkey); - - keylength /= 2; - hex2bin(pktkey, pktkey, keylength); - pktkey[keylength] = '\0'; - from->cipher_pktkey = pktkey; - - from->status.validkey = 1; - from->status.waitingforkey = 0; + syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s) origin %s: invalid key"), + cl->name, cl->hostname, from->name); + free(from_id); free(to_id); free(pktkey); + return -1; } - else + + if(from->cipher_pktkey) + free(from->cipher_pktkey); + + keylength /= 2; + hex2bin(pktkey, pktkey, keylength); + pktkey[keylength] = '\0'; + from->cipher_pktkey = pktkey; + + from->status.validkey = 1; + from->status.waitingforkey = 0; + + if(strcmp(to_id, myself->name)) { if(!(to = lookup_id(to_id))) { syslog(LOG_ERR, _("Got ANS_KEY from %s (%s) destination %s which does not exist in our connection list"), cl->name, cl->hostname, to_id); - free(from_id); free(to_id); free(pktkey); + free(from_id); free(to_id); return -1; } send_ans_key(from, to, pktkey); } - free(from_id); free(to_id); free(pktkey); + free(from_id); free(to_id); cp return 0; }
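Review bot: ans_key_h now converts `pktkey` to binary in place with `hex2bin(pktkey, pktkey, keylength)` before the relay branch, so `send_ans_key(from, to, pktkey)` forwards the binary key (half the length, and possibly containing NUL bytes) instead of the hex text that was received, whereas the removed code forwarded the untouched hex string. Forwarding has to happen while `pktkey` is still hex, and only then should the buffer be converted and handed to `from->cipher_pktkey`; relaying before installing also means an unknown destination no longer leaves `from` holding a key that was never passed on, and the `free(pktkey)` on that error path comes back because ownership has not been transferred yet. Independently, the received key length is never compared with the length the cipher is set up for (the 64 bytes generated in net.c), so a short key is accepted silently, and `pktkey[keylength] = '\0'` is meaningless for binary key material, which can itself contain zero bytes. The start of ans_key_h, including the sscanf that allocates `pktkey`, is outside the hunk.
```c
  /* Update origin's packet key */

  keylength = strlen(pktkey);

  if((keylength%2)!=0 || (keylength <= 0))
    {
      /* … unchanged: bad-key syslog, frees, return -1 … */
    }

  /* Relay first: hex2bin() below overwrites pktkey in place, and the
     relayed ANS_KEY must carry the hex text exactly as it was received. */

  if(strcmp(to_id, myself->name))
    {
      if(!(to = lookup_id(to_id)))
        {
          /* … unchanged: unknown-destination syslog … */
          free(from_id); free(to_id); free(pktkey);
          return -1;
        }
      send_ans_key(from, to, pktkey);
    }

  if(from->cipher_pktkey)
    free(from->cipher_pktkey);

  keylength /= 2;
  hex2bin(pktkey, pktkey, keylength);
  from->cipher_pktkey = pktkey;      /* buffer is now owned by from */

  from->status.validkey = 1;
  from->status.waitingforkey = 0;

  free(from_id); free(to_id);
  /* … unchanged: cp, return 0 … */
```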