- Use CFB mode for encrypting packets: it works and we don't need padding.

This commit is contained in:
Guus Sliepen 2000-10-29 22:10:44 +00:00
parent cea3d8f305
commit ec12269355
4 changed files with 48 additions and 28 deletions

View file

@ -17,7 +17,7 @@
along with this program; if not, write to the Free Software along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
$Id: connlist.h,v 1.1.2.7 2000/10/29 01:27:23 guus Exp $ $Id: connlist.h,v 1.1.2.8 2000/10/29 22:10:41 guus Exp $
*/ */
#ifndef __TINC_CONNLIST_H__ #ifndef __TINC_CONNLIST_H__
@ -70,9 +70,9 @@ typedef struct conn_list_t {
EVP_CIPHER_CTX *cipher_inctx; /* Context of encrypted meta data that will come from him to us */ EVP_CIPHER_CTX *cipher_inctx; /* Context of encrypted meta data that will come from him to us */
EVP_CIPHER_CTX *cipher_outctx; /* Context of encrypted meta data that will be sent from us to him */ EVP_CIPHER_CTX *cipher_outctx; /* Context of encrypted meta data that will be sent from us to him */
EVP_CIPHER_CTX *cipher_pktctx; /* Context of encrypted vpn packets that will be sent to him */
EVP_CIPHER *cipher_pkttype; /* Cipher type for encrypted vpn packets */ EVP_CIPHER *cipher_pkttype; /* Cipher type for encrypted vpn packets */
char *cipher_pktkey; /* Cipher key */ char *cipher_pktkey; /* Cipher key and iv */
int cipher_pktkeylength; /* Cipher key and iv length*/
char *buffer; /* metadata input buffer */ char *buffer; /* metadata input buffer */
int buflen; /* bytes read into buffer */ int buflen; /* bytes read into buffer */

View file

@ -17,7 +17,7 @@
along with this program; if not, write to the Free Software along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
$Id: net.c,v 1.35.4.54 2000/10/29 10:39:06 guus Exp $ $Id: net.c,v 1.35.4.55 2000/10/29 22:10:42 guus Exp $
*/ */
#include "config.h" #include "config.h"
@ -111,7 +111,9 @@ int xsend(conn_list_t *cl, vpn_packet_t *inpkt)
cp cp
outpkt.len = inpkt->len; outpkt.len = inpkt->len;
EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey); /* Encrypt the packet */
EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey + cl->cipher_pkttype->key_len);
EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len); EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad); EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad);
outlen += outpad + 2; outlen += outpad + 2;
@ -146,8 +148,11 @@ int xrecv(vpn_packet_t *inpkt)
EVP_CIPHER_CTX ctx; EVP_CIPHER_CTX ctx;
cp cp
outpkt.len = inpkt->len; outpkt.len = inpkt->len;
EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL);
EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len); /* Decrypt the packet */
EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, myself->cipher_pktkey + myself->cipher_pkttype->key_len);
EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len + 8);
EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad); EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad);
outlen += outpad; outlen += outpad;
@ -156,6 +161,10 @@ cp
memcpy(&outpkt, inpkt, outlen); memcpy(&outpkt, inpkt, outlen);
*/ */
if(debug_lvl >= DEBUG_TRAFFIC)
syslog(LOG_ERR, _("Writing packet of %d (%d) bytes to tap device"),
outpkt.len, outlen);
/* Fix mac address */ /* Fix mac address */
memcpy(outpkt.data, mymac.net.mac.address.x, 6); memcpy(outpkt.data, mymac.net.mac.address.x, 6);
@ -770,10 +779,12 @@ cp
/* Generate packet encryption key */ /* Generate packet encryption key */
myself->cipher_pkttype = EVP_bf_cbc(); myself->cipher_pkttype = EVP_bf_cfb();
myself->cipher_pktkey = (char *)xmalloc(64); myself->cipher_pktkeylength = myself->cipher_pkttype->key_len + myself->cipher_pkttype->iv_len;
RAND_bytes(myself->cipher_pktkey, 64);
myself->cipher_pktkey = (char *)xmalloc(myself->cipher_pktkeylength);
RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength);
if(!(cfg = get_config_val(config, keyexpire))) if(!(cfg = get_config_val(config, keyexpire)))
keylifetime = 3600; keylifetime = 3600;
@ -1041,6 +1052,7 @@ int handle_incoming_vpn_data()
vpn_packet_t pkt; vpn_packet_t pkt;
int x, l = sizeof(x); int x, l = sizeof(x);
struct sockaddr from; struct sockaddr from;
int lenin;
socklen_t fromlen = sizeof(from); socklen_t fromlen = sizeof(from);
cp cp
if(getsockopt(myself->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0) if(getsockopt(myself->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
@ -1055,18 +1067,17 @@ cp
return -1; return -1;
} }
if(recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, &from, &fromlen) <= 0) if((lenin = recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, &from, &fromlen)) <= 0)
{ {
syslog(LOG_ERR, _("Receiving packet failed: %m")); syslog(LOG_ERR, _("Receiving packet failed: %m"));
return -1; return -1;
} }
/*
if(debug_lvl >= DEBUG_TRAFFIC) if(debug_lvl >= DEBUG_TRAFFIC)
{ {
syslog(LOG_DEBUG, _("Received packet of %d bytes from %d.%d.%d.%d"), pkt.len, syslog(LOG_DEBUG, _("Received packet of %d bytes"), lenin);
from.sa_addr[0], from.sa_addr[1], from.sa_addr[2], from.sa_addr[3]);
} }
*/
cp cp
return xrecv(&pkt); return xrecv(&pkt);
} }
@ -1362,7 +1373,7 @@ cp
if(debug_lvl >= DEBUG_STATUS) if(debug_lvl >= DEBUG_STATUS)
syslog(LOG_INFO, _("Regenerating symmetric key")); syslog(LOG_INFO, _("Regenerating symmetric key"));
RAND_bytes(myself->cipher_pktkey, 64); RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength);
send_key_changed(myself, NULL); send_key_changed(myself, NULL);
keyexpires = time(NULL) + keylifetime; keyexpires = time(NULL) + keylifetime;
} }

View file

@ -17,7 +17,7 @@
along with this program; if not, write to the Free Software along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
$Id: protocol.c,v 1.28.4.51 2000/10/29 10:39:08 guus Exp $ $Id: protocol.c,v 1.28.4.52 2000/10/29 22:10:43 guus Exp $
*/ */
#include "config.h" #include "config.h"
@ -471,7 +471,8 @@ cp
cl->allow_request = ALL; cl->allow_request = ALL;
cl->status.active = 1; cl->status.active = 1;
cl->nexthop = cl; cl->nexthop = cl;
cl->cipher_pkttype = EVP_bf_cbc(); cl->cipher_pkttype = EVP_bf_cfb();
cl->cipher_pktkeylength = cl->cipher_pkttype->key_len + cl->cipher_pkttype->iv_len;
if(debug_lvl >= DEBUG_CONNECTIONS) if(debug_lvl >= DEBUG_CONNECTIONS)
syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), cl->name, cl->hostname); syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), cl->name, cl->hostname);
@ -1015,8 +1016,8 @@ cp
if(!strcmp(to_id, myself->name)) if(!strcmp(to_id, myself->name))
{ {
bin2hex(myself->cipher_pktkey, pktkey, 64); bin2hex(myself->cipher_pktkey, pktkey, myself->cipher_pktkeylength);
pktkey[128] = 0; pktkey[myself->cipher_pktkeylength*2] = '\0';
send_ans_key(myself, from, pktkey); send_ans_key(myself, from, pktkey);
} }
else else
@ -1028,6 +1029,14 @@ cp
free(from_id); free(to_id); free(from_id); free(to_id);
return -1; return -1;
} }
if(to->status.validkey) /* Proxy keys */
{
bin2hex(to->cipher_pktkey, pktkey, to->cipher_pktkeylength);
pktkey[to->cipher_pktkeylength*2] = '\0';
send_ans_key(to, from, pktkey);
}
else
send_req_key(from, to); send_req_key(from, to);
} }
@ -1068,9 +1077,9 @@ cp
keylength = strlen(pktkey); keylength = strlen(pktkey);
if((keylength%2)!=0 || (keylength <= 0)) if(keylength != from->cipher_pktkeylength*2)
{ {
syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s) origin %s: invalid key"), syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s) origin %s: invalid key length"),
cl->name, cl->hostname, from->name); cl->name, cl->hostname, from->name);
free(from_id); free(to_id); free(pktkey); free(from_id); free(to_id); free(pktkey);
return -1; return -1;

View file

@ -17,7 +17,7 @@
along with this program; if not, write to the Free Software along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
$Id: tincd.c,v 1.10.4.19 2000/10/29 09:19:27 guus Exp $ $Id: tincd.c,v 1.10.4.20 2000/10/29 22:10:44 guus Exp $
*/ */
#include "config.h" #include "config.h"
@ -33,6 +33,7 @@
#include <signal.h> #include <signal.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#include <openssl/rsa.h> #include <openssl/rsa.h>
#include <openssl/err.h>
#include <string.h> #include <string.h>
#ifdef HAVE_SYS_IOCTL_H #ifdef HAVE_SYS_IOCTL_H
@ -436,10 +437,9 @@ main(int argc, char **argv, char **envp)
if(detach()) if(detach())
exit(0); exit(0);
/* FIXME: wt* is this suppose to do? if(debug_lvl >= DEBUG_ERROR)
if(security_init()) ERR_load_crypto_strings();
return 1;
*/
for(;;) for(;;)
{ {
if(!setup_network_connections()) if(!setup_network_connections())