| … | |
… | |
| 48 | #include "hkdf.h" |
48 | #include "hkdf.h" |
| 49 | |
49 | |
| 50 | #include "netcompat.h" |
50 | #include "netcompat.h" |
| 51 | |
51 | |
| 52 | #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic |
52 | #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic |
|
|
53 | #define MAGIC "PORN\xbd\xc6\xdb\x82" // 8 bytes of magic//D |
| 53 | |
54 | |
| 54 | #define ULTRA_FAST 1 |
55 | #define ULTRA_FAST 1 |
| 55 | #define HLOG 15 |
56 | #define HLOG 15 |
| 56 | #include "lzf/lzf.h" |
57 | #include "lzf/lzf.h" |
| 57 | #include "lzf/lzf_c.c" |
58 | #include "lzf/lzf_c.c" |
| … | |
… | |
| 118 | |
119 | |
| 119 | { |
120 | { |
| 120 | u8 mac_key[MAC_KEYSIZE]; |
121 | u8 mac_key[MAC_KEYSIZE]; |
| 121 | static const unsigned char mac_info[] = "gvpe mac key"; |
122 | static const unsigned char mac_info[] = "gvpe mac key"; |
| 122 | |
123 | |
| 123 | hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt)); |
124 | hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ()); |
| 124 | kdf.extract (auth2.rsa.ikm, sizeof (auth2.rsa.ikm)); |
125 | kdf.extract (auth2.rsa.ikm, sizeof (auth2.rsa.ikm)); |
| 125 | kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key)); |
126 | kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key)); |
| 126 | kdf.extract (s, sizeof (s)); |
127 | kdf.extract (s, sizeof (s)); |
| 127 | kdf.extract_done (); |
128 | kdf.extract_done (HKDF_PRF_HASH ()); |
| 128 | kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info)); |
129 | kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info)); |
| 129 | |
130 | |
| 130 | HMAC_CTX_init (&hctx); |
131 | HMAC_CTX_init (&hctx); |
| 131 | require (HMAC_Init_ex (&hctx, mac_key, MAC_KEYSIZE, MAC_DIGEST (), 0)); |
132 | require (HMAC_Init_ex (&hctx, mac_key, MAC_KEYSIZE, MAC_DIGEST (), 0)); |
| 132 | } |
133 | } |
| 133 | |
134 | |
| 134 | { |
135 | { |
| 135 | u8 cipher_key[CIPHER_KEYSIZE]; |
136 | u8 cipher_key[CIPHER_KEYSIZE]; |
| 136 | static const unsigned char cipher_info[] = "gvpe cipher key"; |
137 | static const unsigned char cipher_info[] = "gvpe cipher key"; |
| 137 | |
138 | |
| 138 | hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt)); |
139 | hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ()); |
| 139 | kdf.extract (auth2.rsa.ikm, sizeof (auth2.rsa.ikm)); |
140 | kdf.extract (auth2.rsa.ikm, sizeof (auth2.rsa.ikm)); |
| 140 | kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key)); |
141 | kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key)); |
| 141 | kdf.extract (s, sizeof (s)); |
142 | kdf.extract (s, sizeof (s)); |
| 142 | kdf.extract_done (); |
143 | kdf.extract_done (HKDF_PRF_HASH ()); |
| 143 | kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info)); |
144 | kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info)); |
| 144 | |
145 | |
| 145 | EVP_CIPHER_CTX_init (&cctx); |
146 | EVP_CIPHER_CTX_init (&cctx); |
| 146 | require (EVP_CipherInit_ex (&cctx, CIPHER (), 0, cipher_key, 0, enc)); |
147 | require (EVP_CipherInit_ex (&cctx, CIPHER (), 0, cipher_key, 0, enc)); |
| 147 | } |
148 | } |
| … | |
… | |
| 158 | { |
159 | { |
| 159 | if (RSA_public_encrypt (sizeof (auth.rsa), |
160 | if (RSA_public_encrypt (sizeof (auth.rsa), |
| 160 | (unsigned char *)&auth.rsa, (unsigned char *)&encr.rsa, |
161 | (unsigned char *)&auth.rsa, (unsigned char *)&encr.rsa, |
| 161 | key, RSA_PKCS1_OAEP_PADDING) < 0) |
162 | key, RSA_PKCS1_OAEP_PADDING) < 0) |
| 162 | fatal ("RSA_public_encrypt error"); |
163 | fatal ("RSA_public_encrypt error"); |
|
|
164 | |
|
|
165 | memcpy (&encr.ecdh, &auth.ecdh, sizeof (encr.ecdh)); |
| 163 | } |
166 | } |
| 164 | |
167 | |
| 165 | static inline bool |
168 | static inline bool |
| 166 | auth_decrypt (RSA *key, const auth_encr &encr, auth_data &auth) |
169 | auth_decrypt (RSA *key, const auth_encr &encr, auth_data &auth) |
| 167 | { |
170 | { |
| … | |
… | |
| 171 | (const unsigned char *)&encr.rsa, (unsigned char *)rsa_decrypt, |
174 | (const unsigned char *)&encr.rsa, (unsigned char *)rsa_decrypt, |
| 172 | key, RSA_PKCS1_OAEP_PADDING) != sizeof (auth.rsa)) |
175 | key, RSA_PKCS1_OAEP_PADDING) != sizeof (auth.rsa)) |
| 173 | return 0; |
176 | return 0; |
| 174 | |
177 | |
| 175 | memcpy (&auth.rsa, rsa_decrypt, sizeof (auth.rsa)); |
178 | memcpy (&auth.rsa, rsa_decrypt, sizeof (auth.rsa)); |
|
|
179 | memcpy (&auth.ecdh, &encr.ecdh, sizeof (auth.ecdh)); |
| 176 | |
180 | |
| 177 | return 1; |
181 | return 1; |
| 178 | } |
182 | } |
| 179 | |
183 | |
| 180 | static void |
184 | static void |
| … | |
… | |
| 193 | connection::generate_auth_data () |
197 | connection::generate_auth_data () |
| 194 | { |
198 | { |
| 195 | if (auth_expire < ev_now ()) |
199 | if (auth_expire < ev_now ()) |
| 196 | { |
200 | { |
| 197 | // request data |
201 | // request data |
| 198 | RAND_pseudo_bytes ((unsigned char *)&snd_auth.rsa, sizeof snd_auth.rsa); |
202 | rand_fill (snd_auth.rsa); |
| 199 | curve25519_generate (snd_ecdh_a, snd_auth.ecdh); |
203 | curve25519_generate (snd_ecdh_a, snd_auth.ecdh); |
| 200 | auth_hash (snd_auth, snd_auth_mac); |
204 | auth_hash (snd_auth, snd_auth_mac); |
| 201 | |
205 | |
| 202 | // eventual response data |
206 | // eventual response data |
| 203 | curve25519_generate (rcv_ecdh_a, rcv_ecdh_b); |
207 | curve25519_generate (rcv_ecdh_a, rcv_ecdh_b); |
| … | |
… | |
| 458 | u32 seqno; |
462 | u32 seqno; |
| 459 | } datahdr; |
463 | } datahdr; |
| 460 | |
464 | |
| 461 | datahdr.seqno = ntohl (seqno); |
465 | datahdr.seqno = ntohl (seqno); |
| 462 | #if RAND_SIZE |
466 | #if RAND_SIZE |
| 463 | RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); |
467 | require (RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE) >= 0); |
| 464 | #endif |
468 | #endif |
| 465 | |
469 | |
| 466 | require (EVP_EncryptUpdate (cctx, |
470 | require (EVP_EncryptUpdate (cctx, |
| 467 | (unsigned char *) data + outl, &outl2, |
471 | (unsigned char *) data + outl, &outl2, |
| 468 | (unsigned char *) &datahdr, DATAHDR)); |
472 | (unsigned char *) &datahdr, DATAHDR)); |
| … | |
… | |
| 499 | |
503 | |
| 500 | if (type == PT_DATA_COMPRESSED) |
504 | if (type == PT_DATA_COMPRESSED) |
| 501 | d = cdata; |
505 | d = cdata; |
| 502 | else |
506 | else |
| 503 | #endif |
507 | #endif |
| 504 | d = &(*p)[6 + 6 - DATAHDR]; |
508 | d = &(*p)[6 + 6] - DATAHDR; |
| 505 | |
509 | |
| 506 | /* this overwrites part of the src mac, but we fix that later */ |
510 | // we play do evil games with the struct layout atm. |
|
|
511 | // pending better solutions, we at least do some verification. |
|
|
512 | // this is fine, as we left ISO territory long ago. |
|
|
513 | require (DATAHDR <= 16); |
|
|
514 | require ((u8 *)(&p->len + 1) == &(*p)[0]); |
|
|
515 | |
|
|
516 | // this can overwrite the len/dst/src fields |
| 507 | require (EVP_DecryptUpdate (cctx, |
517 | require (EVP_DecryptUpdate (cctx, |
| 508 | d, &outl2, |
518 | d, &outl2, |
| 509 | (unsigned char *)&data, len - data_hdr_size ())); |
519 | (unsigned char *)&data, len - data_hdr_size ())); |
| 510 | outl += outl2; |
520 | outl += outl2; |
| 511 | |
521 | |
