diff --git a/src/transform_aes.c b/src/transform_aes.c index 27eeaaf..2442f5c 100644 --- a/src/transform_aes.c +++ b/src/transform_aes.c @@ -25,7 +25,6 @@ #include #include -#define N2N_AES_TRANSFORM_VERSION 1 /* version of the transform encoding */ #define N2N_AES_IVEC_SIZE (AES_BLOCK_SIZE) #define AES256_KEY_BYTES (256/8) @@ -33,13 +32,12 @@ #define AES128_KEY_BYTES (128/8) /* AES plaintext preamble */ -#define TRANSOP_AES_VER_SIZE 1 /* Support minor variants in encoding in one module. */ #define TRANSOP_AES_IV_SEED_SIZE 8 /* size of transmitted random part of IV in bytes; could range * from 0=lowest security (constant IV) to 16=higest security * (fully random IV); default=8 */ #define TRANSOP_AES_IV_PADDING_SIZE (N2N_AES_IVEC_SIZE - TRANSOP_AES_IV_SEED_SIZE) #define TRANSOP_AES_IV_KEY_BYTES (AES128_KEY_BYTES) /* use AES128 for IV encryption */ -#define TRANSOP_AES_PREAMBLE_SIZE (TRANSOP_AES_VER_SIZE + TRANSOP_AES_IV_SEED_SIZE) +#define TRANSOP_AES_PREAMBLE_SIZE (TRANSOP_AES_IV_SEED_SIZE) typedef unsigned char n2n_aes_ivec_t[N2N_AES_IVEC_SIZE]; @@ -138,12 +136,11 @@ static void set_aes_cbc_iv(transop_aes_t *priv, n2n_aes_ivec_t ivec, uint8_t * i /** The aes packet format consists of: * - * - a 8-bit aes encoding version in clear text * - a TRANSOP_AES_IV_SEED_SIZE-sized [bytes] random IV seed * - encrypted payload. * - * [V|II|DDDDDDDDDDDDDDDDDDDDD] - * |<---- encrypted ---->| + * [II|DDDDDDDDDDDDDDDDDDDDD] + * |<---- encrypted ---->| */ static int transop_encode_aes(n2n_trans_op_t * arg, uint8_t * outbuf, @@ -165,9 +162,6 @@ static int transop_encode_aes(n2n_trans_op_t * arg, traceEvent(TRACE_DEBUG, "encode_aes %lu", in_len); - /* Encode the aes format version. */ - encode_uint8(outbuf, &idx, N2N_AES_TRANSFORM_VERSION); - /* Generate and encode the IV seed using as many calls to n2n_rand() as neccessary. * Note: ( N2N_AES_IV_SEED_SIZE % sizeof(rand_value) ) not neccessarily equals 0. */ uint64_t rand_value; @@ -257,18 +251,13 @@ static int transop_decode_aes(n2n_trans_op_t * arg, uint8_t assembly[N2N_PKT_BUF_SIZE]; if(((in_len - TRANSOP_AES_PREAMBLE_SIZE) <= N2N_PKT_BUF_SIZE) /* Cipher text fits in assembly */ - && (in_len >= TRANSOP_AES_PREAMBLE_SIZE) /* Has at least version, iv seed */ + && (in_len >= TRANSOP_AES_PREAMBLE_SIZE) /* Has at least iv seed */ ) { size_t rem=in_len; size_t idx=0; - uint8_t aes_enc_ver=0; uint8_t iv_seed[TRANSOP_AES_IV_SEED_SIZE]; - /* Get the encoding version to make sure it is supported */ - decode_uint8(&aes_enc_ver, inbuf, &rem, &idx ); - - if(N2N_AES_TRANSFORM_VERSION == aes_enc_ver) { /* Get the IV seed */ decode_buf((uint8_t *)&iv_seed, TRANSOP_AES_IV_SEED_SIZE, inbuf, &rem, &idx); @@ -336,8 +325,6 @@ static int transop_decode_aes(n2n_trans_op_t * arg, traceEvent(TRACE_WARNING, "Encrypted length %d is not a multiple of AES_BLOCK_SIZE (%d)", len, AES_BLOCK_SIZE); len = 0; } - } else - traceEvent(TRACE_ERROR, "decode_aes unsupported aes version %u.", aes_enc_ver); } else traceEvent(TRACE_ERROR, "decode_aes inbuf wrong size (%ul) to decrypt.", in_len); diff --git a/src/transform_cc20.c b/src/transform_cc20.c index 44fd70b..0665c3b 100644 --- a/src/transform_cc20.c +++ b/src/transform_cc20.c @@ -24,14 +24,12 @@ #include #include -#define N2N_CC20_TRANSFORM_VERSION 1 /* version of the transform encoding */ #define N2N_CC20_IVEC_SIZE 16 #define CC20_KEY_BYTES (256/8) /* ChaCha20 plaintext preamble */ -#define TRANSOP_CC20_VER_SIZE 1 /* Support minor variants in encoding in one module. */ -#define TRANSOP_CC20_PREAMBLE_SIZE (TRANSOP_CC20_VER_SIZE + N2N_CC20_IVEC_SIZE) +#define TRANSOP_CC20_PREAMBLE_SIZE (N2N_CC20_IVEC_SIZE) typedef unsigned char n2n_cc20_ivec_t[N2N_CC20_IVEC_SIZE]; @@ -89,12 +87,11 @@ static void set_cc20_iv(transop_cc20_t *priv, n2n_cc20_ivec_t ivec) { /** The ChaCha20 packet format consists of: * - * - a 8-bit cc20 encoding version in clear text * - a 128-bit random IV * - encrypted payload. * - * [V|IIII|DDDDDDDDDDDDDDDDDDDDD] - * |<---- encrypted ---->| + * [IIII|DDDDDDDDDDDDDDDDDDDDD] + * |<---- encrypted ---->| */ static int transop_encode_cc20(n2n_trans_op_t * arg, uint8_t * outbuf, @@ -113,9 +110,6 @@ static int transop_encode_cc20(n2n_trans_op_t * arg, traceEvent(TRACE_DEBUG, "encode_cc20 %lu bytes", in_len); - /* Encode the ChaCha20 format version. */ - encode_uint8(outbuf, &idx, N2N_CC20_TRANSFORM_VERSION); - /* Generate and encode the IV. */ set_cc20_iv(priv, enc_ivec); encode_buf(outbuf, &idx, &enc_ivec, N2N_CC20_IVEC_SIZE); @@ -177,18 +171,13 @@ static int transop_decode_cc20(n2n_trans_op_t * arg, uint8_t assembly[N2N_PKT_BUF_SIZE]; if(((in_len - TRANSOP_CC20_PREAMBLE_SIZE) <= N2N_PKT_BUF_SIZE) /* Cipher text fits in assembly */ - && (in_len >= TRANSOP_CC20_PREAMBLE_SIZE) /* Has at least version, iv */ + && (in_len >= TRANSOP_CC20_PREAMBLE_SIZE) /* Has at least iv */ ) { size_t rem=in_len; size_t idx=0; - uint8_t cc20_enc_ver=0; n2n_cc20_ivec_t dec_ivec = {0}; - /* Get the encoding version to make sure it is supported */ - decode_uint8(&cc20_enc_ver, inbuf, &rem, &idx ); - - if(N2N_CC20_TRANSFORM_VERSION == cc20_enc_ver) { traceEvent(TRACE_DEBUG, "decode_cc20 %lu bytes", in_len); len = (in_len - TRANSOP_CC20_PREAMBLE_SIZE); @@ -221,8 +210,6 @@ static int transop_decode_cc20(n2n_trans_op_t * arg, EVP_CIPHER_CTX_reset(ctx); memcpy(outbuf, assembly, len); - } else - traceEvent(TRACE_ERROR, "decode_cc20 unsupported ChaCha20 version %u.", cc20_enc_ver); } else traceEvent(TRACE_ERROR, "decode_cc20 inbuf wrong size (%ul) to decrypt.", in_len); diff --git a/src/transform_speck.c b/src/transform_speck.c index ede1378..18b9aa4 100644 --- a/src/transform_speck.c +++ b/src/transform_speck.c @@ -18,14 +18,12 @@ #include "n2n.h" -#define N2N_SPECK_TRANSFORM_VERSION 1 /* version of the transform encoding */ #define N2N_SPECK_IVEC_SIZE 16 #define SPECK_KEY_BYTES (256/8) /* Speck plaintext preamble */ -#define TRANSOP_SPECK_VER_SIZE 1 /* Support minor variants in encoding in one module. */ -#define TRANSOP_SPECK_PREAMBLE_SIZE (TRANSOP_SPECK_VER_SIZE + N2N_SPECK_IVEC_SIZE) +#define TRANSOP_SPECK_PREAMBLE_SIZE (N2N_SPECK_IVEC_SIZE) typedef unsigned char n2n_speck_ivec_t[N2N_SPECK_IVEC_SIZE]; @@ -64,12 +62,11 @@ static void set_speck_iv(transop_speck_t *priv, n2n_speck_ivec_t ivec) { /** The Speck packet format consists of: * - * - a 8-bit speck encoding version in clear text * - a 128-bit random IV * - encrypted payload. * - * [V|IIII|DDDDDDDDDDDDDDDDDDDDD] - * |<---- encrypted ---->| + * [IIII|DDDDDDDDDDDDDDDDDDDDD] + * |<---- encrypted ---->| */ static int transop_encode_speck(n2n_trans_op_t * arg, uint8_t * outbuf, @@ -87,9 +84,6 @@ static int transop_encode_speck(n2n_trans_op_t * arg, traceEvent(TRACE_DEBUG, "encode_speck %lu bytes", in_len); - /* Encode the Speck format version. */ - encode_uint8(outbuf, &idx, N2N_SPECK_TRANSFORM_VERSION); - /* Generate and encode the IV. */ set_speck_iv(priv, enc_ivec); encode_buf(outbuf, &idx, &enc_ivec, N2N_SPECK_IVEC_SIZE); @@ -129,18 +123,13 @@ static int transop_decode_speck(n2n_trans_op_t * arg, transop_speck_t * priv = (transop_speck_t *)arg->priv; if(((in_len - TRANSOP_SPECK_PREAMBLE_SIZE) <= N2N_PKT_BUF_SIZE) /* Cipher text fits in buffer */ - && (in_len >= TRANSOP_SPECK_PREAMBLE_SIZE) /* Has at least version, iv */ + && (in_len >= TRANSOP_SPECK_PREAMBLE_SIZE) /* Has at least iv */ ) { size_t rem=in_len; size_t idx=0; - uint8_t speck_enc_ver=0; n2n_speck_ivec_t dec_ivec = {0}; - /* Get the encoding version to make sure it is supported */ - decode_uint8(&speck_enc_ver, inbuf, &rem, &idx ); - - if(N2N_SPECK_TRANSFORM_VERSION == speck_enc_ver) { traceEvent(TRACE_DEBUG, "decode_speck %lu bytes", in_len); len = (in_len - TRANSOP_SPECK_PREAMBLE_SIZE); @@ -155,8 +144,6 @@ static int transop_decode_speck(n2n_trans_op_t * arg, #endif traceEvent(TRACE_DEBUG, "decode_speck: decrypted %u bytes.\n", len); - } else - traceEvent(TRACE_ERROR, "decode_speck unsupported Speck version %u.", speck_enc_ver); } else traceEvent(TRACE_ERROR, "decode_speck inbuf wrong size (%ul) to decrypt.", in_len); @@ -215,4 +202,3 @@ int n2n_transop_speck_init(const n2n_edge_conf_t *conf, n2n_trans_op_t *ttt) { /* Setup the cipher and key */ return(setup_speck_key(priv, encrypt_key, encrypt_key_len)); } - diff --git a/src/transform_tf.c b/src/transform_tf.c index a630d51..26b99e9 100644 --- a/src/transform_tf.c +++ b/src/transform_tf.c @@ -18,9 +18,6 @@ #include "n2n.h" -#define N2N_TWOFISH_NUM_SA 32 /* space for SAa */ - -#define N2N_TWOFISH_TRANSFORM_VERSION 1 /* version of the transform encoding */ typedef struct transop_tf { TWOFISH* enc_tf; /* tx state */ @@ -39,18 +36,14 @@ static int transop_deinit_twofish( n2n_trans_op_t * arg ) { return 0; } -#define TRANSOP_TF_VER_SIZE 1 /* Support minor variants in encoding in one module. */ #define TRANSOP_TF_NONCE_SIZE 4 -#define TRANSOP_TF_SA_SIZE 4 /** The twofish packet format consists of: * - * - a 8-bit twofish encoding version in clear text - * - a 32-bit SA number in clear text * - ciphertext encrypted from a 32-bit nonce followed by the payload. * - * [V|SSSS|nnnnDDDDDDDDDDDDDDDDDDDDD] - * |<------ encrypted ------>| + * [nnnnDDDDDDDDDDDDDDDDDDDDD] + * |<------ encrypted ------>| */ static int transop_encode_twofish( n2n_trans_op_t * arg, uint8_t * outbuf, @@ -66,18 +59,9 @@ static int transop_encode_twofish( n2n_trans_op_t * arg, if ( (in_len + TRANSOP_TF_NONCE_SIZE) <= N2N_PKT_BUF_SIZE ) { - if ( (in_len + TRANSOP_TF_NONCE_SIZE + TRANSOP_TF_SA_SIZE + TRANSOP_TF_VER_SIZE) <= out_len ) + if ( (in_len + TRANSOP_TF_NONCE_SIZE) <= out_len ) { - size_t idx=0; - uint32_t sa_id=0; // Not used - traceEvent(TRACE_DEBUG, "encode_twofish %lu", in_len); - - /* Encode the twofish format version. */ - encode_uint8( outbuf, &idx, N2N_TWOFISH_TRANSFORM_VERSION ); - - /* Encode the security association (SA) number */ - encode_uint32( outbuf, &idx, sa_id ); /* The assembly buffer is a source for encrypting data. The nonce is * written in first followed by the packet payload. The whole @@ -88,14 +72,10 @@ static int transop_encode_twofish( n2n_trans_op_t * arg, /* Encrypt the assembly contents and write the ciphertext after the SA. */ len = TwoFishEncryptRaw( assembly, /* source */ - outbuf + TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE, + outbuf, in_len + TRANSOP_TF_NONCE_SIZE, /* enc size */ priv->enc_tf); - if ( len > 0 ) - { - len += TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE; /* size of data carried in UDP. */ - } - else + if ( len <= 0 ) { traceEvent( TRACE_ERROR, "encode_twofish encryption failed." ); } @@ -114,15 +94,7 @@ static int transop_encode_twofish( n2n_trans_op_t * arg, return len; } -/** The twofish packet format consists of: - * - * - a 8-bit twofish encoding version in clear text - * - a 32-bit SA number in clear text - * - ciphertext encrypted from a 32-bit nonce followed by the payload. - * - * [V|SSSS|nnnnDDDDDDDDDDDDDDDDDDDDD] - * |<------ encrypted ------>| - */ + static int transop_decode_twofish( n2n_trans_op_t * arg, uint8_t * outbuf, size_t out_len, @@ -134,26 +106,15 @@ static int transop_decode_twofish( n2n_trans_op_t * arg, transop_tf_t * priv = (transop_tf_t *)arg->priv; uint8_t assembly[N2N_PKT_BUF_SIZE]; - if ( ( (in_len - (TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE)) <= N2N_PKT_BUF_SIZE ) /* Cipher text fits in assembly */ - && (in_len >= (TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE + TRANSOP_TF_NONCE_SIZE) ) /* Has at least version, SA and nonce */ + if ( ( in_len <= N2N_PKT_BUF_SIZE ) /* Cipher text fits in assembly */ + && (in_len >= TRANSOP_TF_NONCE_SIZE ) /* Has at least nonce */ ) { - size_t rem=in_len; - size_t idx=0; - uint8_t tf_enc_ver=0; - uint32_t sa_rx=0; // Not used - - /* Get the encoding version to make sure it is supported */ - decode_uint8( &tf_enc_ver, inbuf, &rem, &idx ); - - if ( N2N_TWOFISH_TRANSFORM_VERSION == tf_enc_ver ) { - /* Get the SA number and make sure we are decrypting with the right one. */ - decode_uint32( &sa_rx, inbuf, &rem, &idx ); traceEvent(TRACE_DEBUG, "decode_twofish %lu", in_len); - len = TwoFishDecryptRaw( (void *)(inbuf + TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE), + len = TwoFishDecryptRaw( (void *)inbuf, assembly, /* destination */ - (in_len - (TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE)), + in_len, priv->dec_tf); if(len > 0) { @@ -165,8 +126,6 @@ static int transop_decode_twofish( n2n_trans_op_t * arg, len ); } else traceEvent(TRACE_ERROR, "decode_twofish decryption failed"); - } else - traceEvent( TRACE_ERROR, "decode_twofish unsupported twofish version %u.", tf_enc_ver ); } else traceEvent( TRACE_ERROR, "decode_twofish inbuf wrong size (%ul) to decrypt.", in_len );