[ViewVC] Diff of: cvs/gvpe/src/connection.C

Comparing gvpe/src/connection.C (file contents):
Revision 1.110 by root, Thu Jan 9 08:15:05 2014 UTC vs.
Revision 1.115 by root, Thu Jun 30 16:31:00 2016 UTC

 /*
     connection.C -- manage a single connection
-    Copyright (C) 2003-2008,2010,2011,2013 Marc Lehmann <gvpe@schmorp.de>
+    Copyright (C) 2003-2008,2010,2011,2013,2016 Marc Lehmann <gvpe@schmorp.de>
     This file is part of GVPE.
     GVPE is free software; you can redistribute it and/or modify it
     under the terms of the GNU General Public License as published by the
 #include <openssl/rand.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/err.h>
-// openssl 0.9.8 compatibility
-#if OPENSSL_VERSION_NUMBER < 0x10100000
-  #define require101(exp) exp
-#else
-  #define require101(exp) equire (exp)
-#endif
 #include "conf.h"
 #include "slog.h"
+#include "crypto.h"
 #include "device.h"
 #include "vpn.h"
 #include "connection.h"
 #include "hkdf.h"
 #include "netcompat.h"
 #define MAGIC     "gvpe\xbd\xc6\xdb\x82"	// 8 bytes of magic
-#define MAGIC     "HUHN\xbd\xc6\xdb\x82"	// 8 bytes of magic//D
 #define ULTRA_FAST 1
 #define HLOG 15
 #include "lzf/lzf.h"
 #include "lzf/lzf_c.c"
 //////////////////////////////////////////////////////////////////////////////
 struct crypto_ctx
 {
-  EVP_CIPHER_CTX cctx;
+  cipher cctx;
-  HMAC_CTX hctx;
+  hmac hctx;
   crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc);
   ~crypto_ctx ();
 };
     kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key));
     kdf.extract (s, sizeof (s));
     kdf.extract_done (HKDF_PRF_HASH ());
     kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info));
-    HMAC_CTX_init (&hctx);
+    hctx.init (mac_key, MAC_KEYSIZE, MAC_DIGEST ());
-    require101 (HMAC_Init_ex (&hctx, mac_key, MAC_KEYSIZE, MAC_DIGEST (), 0));
   }
   {
     u8 cipher_key[CIPHER_KEYSIZE];
     static const unsigned char cipher_info[] = "gvpe cipher key";
     kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key));
     kdf.extract (s, sizeof (s));
     kdf.extract_done (HKDF_PRF_HASH ());
     kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info));
-    EVP_CIPHER_CTX_init (&cctx);
+    EVP_CIPHER_CTX_init (cctx);
-    require (EVP_CipherInit_ex (&cctx, CIPHER (), 0, cipher_key, 0, enc));
+    require (EVP_CipherInit_ex (cctx, CIPHER (), 0, cipher_key, 0, enc));
   }
 }
 crypto_ctx::~crypto_ctx ()
 {
-  require (EVP_CIPHER_CTX_cleanup (&cctx));
+  require (EVP_CIPHER_CTX_cleanup (cctx));
-  HMAC_CTX_cleanup (&hctx);
 }
 static inline void
 auth_encrypt (RSA *key, const auth_data &auth, auth_encr &encr)
 {
 /////////////////////////////////////////////////////////////////////////////
 void
 hmac_packet::hmac_gen (crypto_ctx *ctx, u8 *hmac_digest)
 {
-  HMAC_CTX *hctx = &ctx->hctx;
+  ctx->hctx.init ();
-  require101 (HMAC_Init_ex (hctx, 0, 0, 0, 0));
-  require101 (HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), len - sizeof (hmac_packet)));
+  ctx->hctx.add (((unsigned char *) this) + sizeof (hmac_packet), len - sizeof (hmac_packet));
-  require101 (HMAC_Final (hctx, hmac_digest, 0));
+  ctx->hctx.digest (hmac_digest);
 }
 void
 hmac_packet::hmac_set (crypto_ctx *ctx)
 {
   srcdst = ((src >> 8) << 4) | (dst >> 8);
   dst1 = dst;
 }
 #define MAXVPNDATA (MAX_MTU - 6 - 6)
-#define DATAHDR (sizeof (u32) + RAND_SIZE)
 struct vpndata_packet : vpn_packet
 {
-  u8 data[MAXVPNDATA + DATAHDR]; // seqno
+  u32 ctr; // seqno
+  u8 data[MAXVPNDATA];
   void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
   tap_packet *unpack (connection *conn, u32 &seqno);
 private:
   const u32 data_hdr_size () const
   {
-    return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
+    // the distance from beginning of packet to data member
+    return data - at (0);
   }
 };
+// expands packet counter (unlike seqno, in network byte order) to counter mode IV
+static unsigned char *
+expand_iv (u32 ctr)
+{
+  static u32 iv[IV_SIZE (CIPHER) / 4];
+  require (sizeof (iv) == 4 * 4);
+  require (IV_SIZE (CIPHER) % 4 == 0);
+  iv[0] =
+  iv[1] =
+  iv[2] = ctr;
+  // I would reuse ctr here to to avoid potential endianness issues,
+  // but it seems openssl wraps around. While this would be still ok,
+  // and I don't even know if its true, let's play safe and initialise
+  // to 0.
+  iv[3] = 0;
+  return (unsigned char *)iv;
+}
 void
 vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
 {
-  EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
+  EVP_CIPHER_CTX *cctx = conn->octx->cctx;
   int outl = 0, outl2;
   ptype type = PT_DATA_UNCOMPRESSED;
 #if ENABLE_COMPRESSION
   u8 cdata[MAX_MTU];
           d[1] = cl;
         }
     }
 #endif
-  require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 1));
+  ctr = htonl (seqno);
-  struct {
+  require (EVP_EncryptInit_ex (cctx, 0, 0, 0, expand_iv (ctr)));
-#if RAND_SIZE
-    u8 rnd[RAND_SIZE];
-#endif
-    u32 seqno;
-  } datahdr;
-  datahdr.seqno = ntohl (seqno);
-#if RAND_SIZE
-  // NB: a constant (per session) random prefix
-  // is likely enough, but we don't take any chances.
-  conn->oiv.get (datahdr.rnd, RAND_SIZE);
-#endif
   require (EVP_EncryptUpdate (cctx,
-                     (unsigned char *) data + outl, &outl2,
+                     (unsigned char *)data + outl, &outl2,
-                     (unsigned char *) &datahdr, DATAHDR));
+                     (unsigned char *)d, l));
   outl += outl2;
-  require (EVP_EncryptUpdate (cctx,
+  // it seems this is a nop for us, but we do it anyways
-                     (unsigned char *) data + outl, &outl2,
+  require (EVP_EncryptFinal_ex (cctx, (unsigned char *)data + outl, &outl2));
-                     (unsigned char *) d, l));
   outl += outl2;
-  require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
-  outl += outl2;
-  len = outl + data_hdr_size ();
+  len = data_hdr_size () + outl;
   set_hdr (type, dst);
   hmac_set (conn->octx);
 }
 tap_packet *
 vpndata_packet::unpack (connection *conn, u32 &seqno)
 {
-  EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
+  EVP_CIPHER_CTX *cctx = conn->ictx->cctx;
   int outl = 0, outl2;
   tap_packet *p = new tap_packet;
   u8 *d;
-  u32 l = len - data_hdr_size ();
-  require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 0));
+  seqno = ntohl (ctr);
+  require (EVP_DecryptInit_ex (cctx, 0, 0, 0, expand_iv (ctr)));
 #if ENABLE_COMPRESSION
   u8 cdata[MAX_MTU];
   if (type == PT_DATA_COMPRESSED)
     d = cdata;
   else
 #endif
-    d = &(*p)[6 + 6] - DATAHDR;
+    d = &(*p)[6 + 6];
-  // we play do evil games with the struct layout atm.
-  // pending better solutions, we at least do some verification.
-  // this is fine, as we left ISO territory long ago.
-  require (DATAHDR <= 16);
-  require ((u8 *)(&p->len + 1) == &(*p)[0]);
   // this can overwrite the len/dst/src fields
   require (EVP_DecryptUpdate (cctx,
                      d, &outl2,
                      (unsigned char *)&data, len - data_hdr_size ()));
   outl += outl2;
+  // it seems this is a nop for us, but we do it anyways
   require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
   outl += outl2;
-  seqno = ntohl (*(u32 *)(d + RAND_SIZE));
   id2mac (dst () ? dst() : THISNODE->id, p->dst);
   id2mac (src (),                        p->src);
 #if ENABLE_COMPRESSION
   if (type == PT_DATA_COMPRESSED)
     {
-      u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
+      u32 cl = (d[0] << 8) | d[1];
-      p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
+      p->len = lzf_decompress (d + 2, cl < MAX_MTU - 2 ? cl : 0,
                                &(*p)[6 + 6], MAX_MTU)
                + 6 + 6;
     }
   else
-    p->len = outl + (6 + 6 - DATAHDR);
+    p->len = outl + (6 + 6);
 #endif
   return p;
 }
 void
 config_packet::setup (ptype type, int dst)
 {
   prot_major = PROTOCOL_MAJOR;
   prot_minor = PROTOCOL_MINOR;
-  randsize = RAND_SIZE;
   flags = 0;
   features = get_features ();
   strncpy ((char *)serial, conf.serial, sizeof (serial));
 config_packet::chk_config (const conf_node *conf, const sockinfo &rsi) const
 {
   if (prot_major != PROTOCOL_MAJOR)
     slog (L_WARN, _("%s(%s): major version mismatch (remote %d <=> local %d)"),
           conf->nodename, (const char *)rsi, prot_major, PROTOCOL_MAJOR);
-  else if (randsize != RAND_SIZE)
-    slog (L_WARN, _("%s(%s): rand size mismatch (remote %d <=> local %d)"),
-          conf->nodename, (const char *)rsi, randsize, RAND_SIZE);
   else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ())))
     slog (L_WARN, _("%s(%s): cipher algo mismatch (remote %x <=> local %x)"),
           conf->nodename, (const char *)rsi, ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ()));
   else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ())))
     slog (L_WARN, _("%s(%s): mac algo mismatch (remote %x <=> local %x)"),
   delete ictx; ictx = new crypto_ctx (rcv_auth, snd_auth, rcv_ecdh_a, rcv_auth.ecdh, 0);
   iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff);
   delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b   , 1);
   oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff;
-  oiv.reset ();
   // make sure rekeying timeouts are slightly asymmetric
   ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
   rekey.start (rekey_interval, rekey_interval);

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/connection.C (file contents): Revision 1.110 by root, Thu Jan 9 08:15:05 2014 UTC vs. Revision 1.115 by root, Thu Jun 30 16:31:00 2016 UTC

Diff Legend

Comparing gvpe/src/connection.C (file contents):
Revision 1.110 by root, Thu Jan 9 08:15:05 2014 UTC vs.
Revision 1.115 by root, Thu Jun 30 16:31:00 2016 UTC