From ec12269355f7979fdc0783dc15d109832f1e83cd Mon Sep 17 00:00:00 2001 From: Guus Sliepen Date: Sun, 29 Oct 2000 22:10:44 +0000 Subject: [PATCH] - Use CFB mode for encrypting packets: it works and we don't need padding. --- src/connlist.h | 6 +++--- src/net.c | 37 ++++++++++++++++++++++++------------- src/protocol.c | 23 ++++++++++++++++------- src/tincd.c | 10 +++++----- 4 files changed, 48 insertions(+), 28 deletions(-) diff --git a/src/connlist.h b/src/connlist.h index d3b2ce30..d993c840 100644 --- a/src/connlist.h +++ b/src/connlist.h @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: connlist.h,v 1.1.2.7 2000/10/29 01:27:23 guus Exp $ + $Id: connlist.h,v 1.1.2.8 2000/10/29 22:10:41 guus Exp $ */ #ifndef __TINC_CONNLIST_H__ @@ -70,9 +70,9 @@ typedef struct conn_list_t { EVP_CIPHER_CTX *cipher_inctx; /* Context of encrypted meta data that will come from him to us */ EVP_CIPHER_CTX *cipher_outctx; /* Context of encrypted meta data that will be sent from us to him */ - EVP_CIPHER_CTX *cipher_pktctx; /* Context of encrypted vpn packets that will be sent to him */ EVP_CIPHER *cipher_pkttype; /* Cipher type for encrypted vpn packets */ - char *cipher_pktkey; /* Cipher key */ + char *cipher_pktkey; /* Cipher key and iv */ + int cipher_pktkeylength; /* Cipher key and iv length*/ char *buffer; /* metadata input buffer */ int buflen; /* bytes read into buffer */ diff --git a/src/net.c b/src/net.c index e62bb8dc..5450b9ae 100644 --- a/src/net.c +++ b/src/net.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net.c,v 1.35.4.54 2000/10/29 10:39:06 guus Exp $ + $Id: net.c,v 1.35.4.55 2000/10/29 22:10:42 guus Exp $ */ #include "config.h" @@ -111,7 +111,9 @@ int xsend(conn_list_t *cl, vpn_packet_t *inpkt) cp outpkt.len = inpkt->len; - EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey); + /* Encrypt the packet */ + + EVP_EncryptInit(&ctx, cl->cipher_pkttype, cl->cipher_pktkey, cl->cipher_pktkey + cl->cipher_pkttype->key_len); EVP_EncryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len); EVP_EncryptFinal(&ctx, outpkt.data + outlen, &outpad); outlen += outpad + 2; @@ -146,8 +148,11 @@ int xrecv(vpn_packet_t *inpkt) EVP_CIPHER_CTX ctx; cp outpkt.len = inpkt->len; - EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, NULL); - EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len); + + /* Decrypt the packet */ + + EVP_DecryptInit(&ctx, myself->cipher_pkttype, myself->cipher_pktkey, myself->cipher_pktkey + myself->cipher_pkttype->key_len); + EVP_DecryptUpdate(&ctx, outpkt.data, &outlen, inpkt->data, inpkt->len + 8); EVP_DecryptFinal(&ctx, outpkt.data + outlen, &outpad); outlen += outpad; @@ -156,6 +161,10 @@ cp memcpy(&outpkt, inpkt, outlen); */ + if(debug_lvl >= DEBUG_TRAFFIC) + syslog(LOG_ERR, _("Writing packet of %d (%d) bytes to tap device"), + outpkt.len, outlen); + /* Fix mac address */ memcpy(outpkt.data, mymac.net.mac.address.x, 6); @@ -770,10 +779,12 @@ cp /* Generate packet encryption key */ - myself->cipher_pkttype = EVP_bf_cbc(); + myself->cipher_pkttype = EVP_bf_cfb(); + + myself->cipher_pktkeylength = myself->cipher_pkttype->key_len + myself->cipher_pkttype->iv_len; - myself->cipher_pktkey = (char *)xmalloc(64); - RAND_bytes(myself->cipher_pktkey, 64); + myself->cipher_pktkey = (char *)xmalloc(myself->cipher_pktkeylength); + RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); if(!(cfg = get_config_val(config, keyexpire))) keylifetime = 3600; @@ -1041,6 +1052,7 @@ int handle_incoming_vpn_data() vpn_packet_t pkt; int x, l = sizeof(x); struct sockaddr from; + int lenin; socklen_t fromlen = sizeof(from); cp if(getsockopt(myself->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0) @@ -1055,18 +1067,17 @@ cp return -1; } - if(recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, &from, &fromlen) <= 0) + if((lenin = recvfrom(myself->socket, (char *) &(pkt.len), MTU, 0, &from, &fromlen)) <= 0) { syslog(LOG_ERR, _("Receiving packet failed: %m")); return -1; } -/* + if(debug_lvl >= DEBUG_TRAFFIC) { - syslog(LOG_DEBUG, _("Received packet of %d bytes from %d.%d.%d.%d"), pkt.len, - from.sa_addr[0], from.sa_addr[1], from.sa_addr[2], from.sa_addr[3]); + syslog(LOG_DEBUG, _("Received packet of %d bytes"), lenin); } -*/ + cp return xrecv(&pkt); } @@ -1362,7 +1373,7 @@ cp if(debug_lvl >= DEBUG_STATUS) syslog(LOG_INFO, _("Regenerating symmetric key")); - RAND_bytes(myself->cipher_pktkey, 64); + RAND_bytes(myself->cipher_pktkey, myself->cipher_pktkeylength); send_key_changed(myself, NULL); keyexpires = time(NULL) + keylifetime; } diff --git a/src/protocol.c b/src/protocol.c index d9b10dfd..d3b34c98 100644 --- a/src/protocol.c +++ b/src/protocol.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: protocol.c,v 1.28.4.51 2000/10/29 10:39:08 guus Exp $ + $Id: protocol.c,v 1.28.4.52 2000/10/29 22:10:43 guus Exp $ */ #include "config.h" @@ -471,7 +471,8 @@ cp cl->allow_request = ALL; cl->status.active = 1; cl->nexthop = cl; - cl->cipher_pkttype = EVP_bf_cbc(); + cl->cipher_pkttype = EVP_bf_cfb(); + cl->cipher_pktkeylength = cl->cipher_pkttype->key_len + cl->cipher_pkttype->iv_len; if(debug_lvl >= DEBUG_CONNECTIONS) syslog(LOG_NOTICE, _("Connection with %s (%s) activated"), cl->name, cl->hostname); @@ -1015,8 +1016,8 @@ cp if(!strcmp(to_id, myself->name)) { - bin2hex(myself->cipher_pktkey, pktkey, 64); - pktkey[128] = 0; + bin2hex(myself->cipher_pktkey, pktkey, myself->cipher_pktkeylength); + pktkey[myself->cipher_pktkeylength*2] = '\0'; send_ans_key(myself, from, pktkey); } else @@ -1028,7 +1029,15 @@ cp free(from_id); free(to_id); return -1; } - send_req_key(from, to); + + if(to->status.validkey) /* Proxy keys */ + { + bin2hex(to->cipher_pktkey, pktkey, to->cipher_pktkeylength); + pktkey[to->cipher_pktkeylength*2] = '\0'; + send_ans_key(to, from, pktkey); + } + else + send_req_key(from, to); } free(from_id); free(to_id); @@ -1068,9 +1077,9 @@ cp keylength = strlen(pktkey); - if((keylength%2)!=0 || (keylength <= 0)) + if(keylength != from->cipher_pktkeylength*2) { - syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s) origin %s: invalid key"), + syslog(LOG_ERR, _("Got bad ANS_KEY from %s (%s) origin %s: invalid key length"), cl->name, cl->hostname, from->name); free(from_id); free(to_id); free(pktkey); return -1; diff --git a/src/tincd.c b/src/tincd.c index 75482357..2e607b67 100644 --- a/src/tincd.c +++ b/src/tincd.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: tincd.c,v 1.10.4.19 2000/10/29 09:19:27 guus Exp $ + $Id: tincd.c,v 1.10.4.20 2000/10/29 22:10:44 guus Exp $ */ #include "config.h" @@ -33,6 +33,7 @@ #include #include #include +#include #include #ifdef HAVE_SYS_IOCTL_H @@ -436,10 +437,9 @@ main(int argc, char **argv, char **envp) if(detach()) exit(0); -/* FIXME: wt* is this suppose to do? - if(security_init()) - return 1; -*/ + if(debug_lvl >= DEBUG_ERROR) + ERR_load_crypto_strings(); + for(;;) { if(!setup_network_connections()) -- 2.20.1