- Use CFB mode for encrypting packets: it works and we don't need padding.
This commit is contained in:
parent
cea3d8f305
commit
ec12269355
4 changed files with 48 additions and 28 deletions
|
@ -17,7 +17,7 @@
|
|||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
|
||||
$Id: connlist.h,v 1.1.2.7 2000/10/29 01:27:23 guus Exp $
|
||||
$Id: connlist.h,v 1.1.2.8 2000/10/29 22:10:41 guus Exp $
|
||||
*/
|
||||
|
||||
#ifndef __TINC_CONNLIST_H__
|
||||
|
@ -70,9 +70,9 @@ typedef struct conn_list_t {
|
|||
EVP_CIPHER_CTX *cipher_inctx; /* Context of encrypted meta data that will come from him to us */
|
||||
EVP_CIPHER_CTX *cipher_outctx; /* Context of encrypted meta data that will be sent from us to him */
|
||||
|
||||
EVP_CIPHER_CTX *cipher_pktctx; /* Context of encrypted vpn packets that will be sent to him */
|
||||
EVP_CIPHER *cipher_pkttype; /* Cipher type for encrypted vpn packets */
|
||||
char *cipher_pktkey; /* Cipher key */
|
||||
char *cipher_pktkey; /* Cipher key and iv */
|
||||
int cipher_pktkeylength; /* Cipher key and iv length*/
|
||||
|
||||
char *buffer; /* metadata input buffer */
|
||||
int buflen; /* bytes read into buffer */
|
||||
|
|
37
src/net.c
37
src/net.c
|
@ -17,7 +17,7 @@
|
|||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
|
||||
$Id: net.c,v 1.35.4.54 2000/10/29 10:39:06 guus Exp $
|
||||
$Id: net.c,v 1.35.4.55 2000/10/29 22:10:42 guus Exp $
|
||||
*/
|
||||
|
||||
#include "config.h"
|
||||
|
@ -111,7 +111,9 @@ int xsend(conn_list_t *cl, vpn_packet_t *inpkt)
|
|||
cp
|
||||
outpkt.len = inpkt->len;
|
||||
|
||||
EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey);
|
||||
/* Encrypt the packet */
|
||||
|
||||
EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey + cl->cipher_pkttype->key_len);
|
||||
EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
|
||||
EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad);
|
||||
outlen += outpad + 2;
|
||||
|
@ -146,8 +148,11 @@ int xrecv(vpn_packet_t *inpkt)
|
|||
EVP_CIPHER_CTX ctx;
|
||||
cp
|
||||
outpkt.len = inpkt->len;
|
||||
EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL);
|
||||
EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len);
|
||||
|
||||
/* Decrypt the packet */
|
||||
|
||||
EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, myself->cipher_pktkey + myself->cipher_pkttype->key_len);
|
||||
EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len + 8);
|
||||
EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad);
|
||||
outlen += outpad;
|
||||
|
||||
|
@ -156,6 +161,10 @@ cp
|
|||
memcpy(&outpkt, inpkt, outlen);
|
||||
*/
|
||||
|
||||
if(debug_lvl >= DEBUG_TRAFFIC)
|
||||
syslog(LOG_ERR, _("Writing packet of %d (%d) bytes to tap device"),
|
||||
outpkt.len, outlen);
|
||||
|
||||
/* Fix mac address */
|
||||
|
||||
memcpy(outpkt.data, mymac.net.mac.address.x, 6);
|
||||
|
@ -770,10 +779,12 @@ cp
|
|||
|
||||
/* Generate packet encryption key */
|
||||
|
||||
myself->cipher_pkttype = EVP_bf_cbc();
|
||||
myself->cipher_pkttype = EVP_bf_cfb();
|
||||
|
||||
myself->cipher_pktkey = (char *)xmalloc(64);
|
||||
RAND_bytes(myself->cipher_pktkey, 64);
|
||||
myself->cipher_pktkeylength = myself->cipher_pkttype->key_len + myself->cipher_pkttype->iv_len;
|
||||
|
||||
myself->cipher_pktkey = (char *)xmalloc(myself->cipher_pktkeylength);
|
||||
RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength);
|
||||
|
||||
if(!(cfg = get_config_val(config, keyexpire)))
|
||||
keylifetime = 3600;
|
||||
|
@ -1041,6 +1052,7 @@ int handle_incoming_vpn_data()
|
|||
vpn_packet_t pkt;
|
||||
int x, l = sizeof(x);
|
||||
struct sockaddr from;
|
||||
int lenin;
|
||||
socklen_t fromlen = sizeof(from);
|
||||
cp
|
||||
if(getsockopt(myself->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0)
|
||||
|
@ -1055,18 +1067,17 @@ cp
|
|||
return -1;
|
||||
}
|
||||
|
||||
if(recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, &from, &fromlen) <= 0)
|
||||
if((lenin = recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, &from, &fromlen)) <= 0)
|
||||
{
|
||||
syslog(LOG_ERR, _("Receiving packet failed: %m"));
|
||||
return -1;
|
||||
}
|
||||
/*
|
||||
|
||||
if(debug_lvl >= DEBUG_TRAFFIC)
|
||||
{
|
||||
syslog(LOG_DEBUG, _("Received packet of %d bytes from %d.%d.%d.%d"), pkt.len,
|
||||
from.sa_addr[0], from.sa_addr[1], from.sa_addr[2], from.sa_addr[3]);
|
||||
syslog(LOG_DEBUG, _("Received packet of %d bytes"), lenin);
|
||||
}
|
||||
*/
|
||||
|
||||
cp
|
||||
return xrecv(&pkt);
|
||||
}
|
||||
|
@ -1362,7 +1373,7 @@ cp
|
|||
if(debug_lvl >= DEBUG_STATUS)
|
||||
syslog(LOG_INFO, _("Regenerating symmetric key"));
|
||||
|
||||
RAND_bytes(myself->cipher_pktkey, 64);
|
||||
RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength);
|
||||
send_key_changed(myself, NULL);
|
||||
keyexpires = time(NULL) + keylifetime;
|
||||
}
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
|
||||
$Id: protocol.c,v 1.28.4.51 2000/10/29 10:39:08 guus Exp $
|
||||
$Id: protocol.c,v 1.28.4.52 2000/10/29 22:10:43 guus Exp $
|
||||
*/
|
||||
|
||||
#include "config.h"
|
||||
|
@ -471,7 +471,8 @@ cp
|
|||
cl->allow_request = ALL;
|
||||
cl->status.active = 1;
|
||||
cl->nexthop = cl;
|
||||
cl->cipher_pkttype = EVP_bf_cbc();
|
||||
cl->cipher_pkttype = EVP_bf_cfb();
|
||||
cl->cipher_pktkeylength = cl->cipher_pkttype->key_len + cl->cipher_pkttype->iv_len;
|
||||
|
||||
if(debug_lvl >= DEBUG_CONNECTIONS)
|
||||
syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), cl->name, cl->hostname);
|
||||
|
@ -1015,8 +1016,8 @@ cp
|
|||
|
||||
if(!strcmp(to_id, myself->name))
|
||||
{
|
||||
bin2hex(myself->cipher_pktkey, pktkey, 64);
|
||||
pktkey[128] = 0;
|
||||
bin2hex(myself->cipher_pktkey, pktkey, myself->cipher_pktkeylength);
|
||||
pktkey[myself->cipher_pktkeylength*2] = '\0';
|
||||
send_ans_key(myself, from, pktkey);
|
||||
}
|
||||
else
|
||||
|
@ -1028,6 +1029,14 @@ cp
|
|||
free(from_id); free(to_id);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if(to->status.validkey) /* Proxy keys */
|
||||
{
|
||||
bin2hex(to->cipher_pktkey, pktkey, to->cipher_pktkeylength);
|
||||
pktkey[to->cipher_pktkeylength*2] = '\0';
|
||||
send_ans_key(to, from, pktkey);
|
||||
}
|
||||
else
|
||||
send_req_key(from, to);
|
||||
}
|
||||
|
||||
|
@ -1068,9 +1077,9 @@ cp
|
|||
|
||||
keylength = strlen(pktkey);
|
||||
|
||||
if((keylength%2)!=0 || (keylength <= 0))
|
||||
if(keylength != from->cipher_pktkeylength*2)
|
||||
{
|
||||
syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s) origin %s: invalid key"),
|
||||
syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s) origin %s: invalid key length"),
|
||||
cl->name, cl->hostname, from->name);
|
||||
free(from_id); free(to_id); free(pktkey);
|
||||
return -1;
|
||||
|
|
10
src/tincd.c
10
src/tincd.c
|
@ -17,7 +17,7 @@
|
|||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
|
||||
$Id: tincd.c,v 1.10.4.19 2000/10/29 09:19:27 guus Exp $
|
||||
$Id: tincd.c,v 1.10.4.20 2000/10/29 22:10:44 guus Exp $
|
||||
*/
|
||||
|
||||
#include "config.h"
|
||||
|
@ -33,6 +33,7 @@
|
|||
#include <signal.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/err.h>
|
||||
#include <string.h>
|
||||
|
||||
#ifdef HAVE_SYS_IOCTL_H
|
||||
|
@ -436,10 +437,9 @@ main(int argc, char **argv, char **envp)
|
|||
if(detach())
|
||||
exit(0);
|
||||
|
||||
/* FIXME: wt* is this suppose to do?
|
||||
if(security_init())
|
||||
return 1;
|
||||
*/
|
||||
if(debug_lvl >= DEBUG_ERROR)
|
||||
ERR_load_crypto_strings();
|
||||
|
||||
for(;;)
|
||||
{
|
||||
if(!setup_network_connections())
|
||||
|
|
Loading…
Reference in a new issue