mirror of https://github.com/ntop/n2n.git
Browse Source
- Legacy features are now moved to the legacy directory with readme - Keyschedule feature is not supported anymorepull/100/head
emanuele-f
5 years ago
12 changed files with 1351 additions and 160 deletions
@ -0,0 +1,33 @@ |
|||||
|
# Removed Features |
||||
|
|
||||
|
This folder contains a list N2N legacy features which have been dropped due to |
||||
|
maintainance cost versus effective use and benefits. |
||||
|
|
||||
|
Multiple Transops |
||||
|
----------------- |
||||
|
|
||||
|
N2N used to initialize all the available transops and use the "tick" function of |
||||
|
the transops to decide which transop to use before sending a packet. This however |
||||
|
has the following problems: |
||||
|
|
||||
|
- It only works with the keyfile, whereas with normal encryption we inizialize and |
||||
|
keep structures that we don't need. |
||||
|
- It is unfeasable as an edge node is required to implement all the transops in order |
||||
|
to properly talk with other edge nodes (via keyfile). |
||||
|
- It rises the complexity of the code. |
||||
|
- It is not clear which transop will be used. |
||||
|
- Mixing multiple encyptions together is not necessarily a good idea to improve security |
||||
|
as a vulnerability in at least one encryption method will leak some information. |
||||
|
|
||||
|
Keyfile and Key Rotation |
||||
|
------------------------ |
||||
|
|
||||
|
The keyfile mechanism allowed N2N users to specify a keyfile to be used to periodically |
||||
|
rotate keys and encryption methods. However, it has the following problems: |
||||
|
|
||||
|
- This feature is obscure for most of the users and poorly documented. |
||||
|
- It is tightly integrated in the core whereas it is used by only a few people (if any). |
||||
|
|
||||
|
In conclusion the main problem is the complexity that it adds to the code. In a possible |
||||
|
future rework this could be integrated as an extention (e.g. a specific trasop) without |
||||
|
rising the core complexity. |
@ -0,0 +1,102 @@ |
|||||
|
typedef struct n2n_tostat { |
||||
|
uint8_t can_tx; /* Does this transop have a valid SA for encoding. */ |
||||
|
n2n_cipherspec_t tx_spec; /* If can_tx, the spec used to encode. */ |
||||
|
} n2n_tostat_t; |
||||
|
|
||||
|
typedef int (*n2n_transaddspec_f)( struct n2n_trans_op * arg, |
||||
|
const n2n_cipherspec_t * cspec ); |
||||
|
|
||||
|
typedef n2n_tostat_t (*n2n_transtick_f)( struct n2n_trans_op * arg, |
||||
|
time_t now ); |
||||
|
|
||||
|
/** Read in a key-schedule file, parse the lines and pass each line to the
|
||||
|
* appropriate trans_op for parsing of key-data and adding key-schedule |
||||
|
* entries. The lookup table of time->trans_op is constructed such that |
||||
|
* encoding can be passed to the correct trans_op. The trans_op internal table |
||||
|
* will then determine the best SA for that trans_op from the key schedule to |
||||
|
* use for encoding. */ |
||||
|
|
||||
|
static int edge_init_keyschedule(n2n_edge_t *eee) { |
||||
|
#define N2N_NUM_CIPHERSPECS 32 |
||||
|
|
||||
|
int retval = -1; |
||||
|
ssize_t numSpecs=0; |
||||
|
n2n_cipherspec_t specs[N2N_NUM_CIPHERSPECS]; |
||||
|
size_t i; |
||||
|
time_t now = time(NULL); |
||||
|
|
||||
|
numSpecs = n2n_read_keyfile(specs, N2N_NUM_CIPHERSPECS, eee->conf.keyschedule); |
||||
|
|
||||
|
if(numSpecs > 0) |
||||
|
{ |
||||
|
traceEvent(TRACE_NORMAL, "keyfile = %s read -> %d specs.\n", optarg, (signed int)numSpecs); |
||||
|
|
||||
|
for (i=0; i < (size_t)numSpecs; ++i) |
||||
|
{ |
||||
|
n2n_transform_t idx = (n2n_transform_t) specs[i].t; |
||||
|
if(idx != eee->transop.transform_id) { |
||||
|
traceEvent(TRACE_ERROR, "changing transop in keyschedule is not supported"); |
||||
|
retval = -1; |
||||
|
} |
||||
|
|
||||
|
if(eee->transop.addspec != NULL) |
||||
|
retval = eee->transop.addspec(&eee->transop, &(specs[i])); |
||||
|
|
||||
|
if (0 != retval) |
||||
|
{ |
||||
|
traceEvent(TRACE_ERROR, "keyschedule failed to add spec[%u] to transop[%d].\n", |
||||
|
(unsigned int)i, idx); |
||||
|
|
||||
|
return retval; |
||||
|
} |
||||
|
} |
||||
|
|
||||
|
n2n_tick_transop(eee, now); |
||||
|
} |
||||
|
else |
||||
|
traceEvent(TRACE_ERROR, "Failed to process '%s'", eee->conf.keyschedule); |
||||
|
|
||||
|
return retval; |
||||
|
} |
||||
|
|
||||
|
#if 0 |
||||
|
if(recvlen >= 6) |
||||
|
{ |
||||
|
if(0 == memcmp(udp_buf, "reload", 6)) |
||||
|
{ |
||||
|
if(strlen(eee->conf.keyschedule) > 0) |
||||
|
{ |
||||
|
if(edge_init_keyschedule(eee) == 0) |
||||
|
{ |
||||
|
msg_len=0; |
||||
|
msg_len += snprintf((char *)(udp_buf+msg_len), (N2N_PKT_BUF_SIZE-msg_len), |
||||
|
"> OK\n"); |
||||
|
sendto(eee->udp_mgmt_sock, udp_buf, msg_len, 0/*flags*/, |
||||
|
(struct sockaddr *)&sender_sock, sizeof(struct sockaddr_in)); |
||||
|
} |
||||
|
return; |
||||
|
} |
||||
|
} |
||||
|
} |
||||
|
#endif |
||||
|
|
||||
|
#if 0 |
||||
|
case'K': |
||||
|
{ |
||||
|
if(conf->encrypt_key) { |
||||
|
traceEvent(TRACE_ERROR, "Error: -K and -k options are mutually exclusive"); |
||||
|
exit(1); |
||||
|
} else { |
||||
|
strncpy(conf->keyschedule, optargument, N2N_PATHNAME_MAXLEN-1); |
||||
|
/* strncpy does not add NULL if the source has no NULL. */ |
||||
|
conf->keyschedule[N2N_PATHNAME_MAXLEN-1] = 0; |
||||
|
|
||||
|
traceEvent(TRACE_NORMAL, "keyfile = '%s'\n", conf->keyschedule); |
||||
|
} |
||||
|
break; |
||||
|
} |
||||
|
#endif |
||||
|
|
||||
|
#if 0 |
||||
|
printf("-K <key file> | Specify a key schedule file to load. Not with -k.\n"); |
||||
|
#endif |
@ -0,0 +1,730 @@ |
|||||
|
/**
|
||||
|
* (C) 2007-18 - ntop.org and contributors |
||||
|
* |
||||
|
* This program is free software; you can redistribute it and/or modify |
||||
|
* it under the terms of the GNU General Public License as published by |
||||
|
* the Free Software Foundation; either version 3 of the License, or |
||||
|
* (at your option) any later version. |
||||
|
* |
||||
|
* This program is distributed in the hope that it will be useful, |
||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||
|
* GNU General Public License for more details. |
||||
|
* |
||||
|
* You should have received a copy of the GNU General Public License |
||||
|
* along with this program; if not see see <http://www.gnu.org/licenses/>
|
||||
|
* |
||||
|
*/ |
||||
|
|
||||
|
#include "n2n.h" |
||||
|
#include "n2n_transforms.h" |
||||
|
|
||||
|
#if defined(N2N_HAVE_AES) |
||||
|
|
||||
|
#include "openssl/aes.h" |
||||
|
#include "openssl/sha.h" |
||||
|
#ifndef _MSC_VER |
||||
|
/* Not included in Visual Studio 2008 */ |
||||
|
#include <strings.h> /* index() */ |
||||
|
#endif |
||||
|
|
||||
|
#define N2N_AES_NUM_SA 32 /* space for SAa */ |
||||
|
|
||||
|
#define N2N_AES_TRANSFORM_VERSION 1 /* version of the transform encoding */ |
||||
|
#define N2N_AES_IVEC_SIZE 32 /* Enough space for biggest AES ivec */ |
||||
|
|
||||
|
#define AES256_KEY_BYTES (256/8) |
||||
|
#define AES192_KEY_BYTES (192/8) |
||||
|
#define AES128_KEY_BYTES (128/8) |
||||
|
|
||||
|
typedef unsigned char n2n_aes_ivec_t[N2N_AES_IVEC_SIZE]; |
||||
|
|
||||
|
struct sa_aes |
||||
|
{ |
||||
|
n2n_cipherspec_t spec; /* cipher spec parameters */ |
||||
|
n2n_sa_t sa_id; /* security association index */ |
||||
|
AES_KEY enc_key; /* tx key */ |
||||
|
AES_KEY dec_key; /* tx key */ |
||||
|
AES_KEY iv_enc_key; /* key used to encrypt the IV */ |
||||
|
uint8_t iv_ext_val[AES128_KEY_BYTES]; /* key used to extend the random IV seed to full block size */ |
||||
|
}; |
||||
|
|
||||
|
typedef struct sa_aes sa_aes_t; |
||||
|
|
||||
|
|
||||
|
/** Aes transform state data.
|
||||
|
* |
||||
|
* With a key-schedule in place this will be populated with a number of |
||||
|
* SAs. Each SA has a lifetime and some opque data. The opaque data for aes |
||||
|
* consists of the SA number and key material. |
||||
|
* |
||||
|
*/ |
||||
|
struct transop_aes |
||||
|
{ |
||||
|
ssize_t tx_sa; |
||||
|
size_t num_sa; |
||||
|
sa_aes_t sa[N2N_AES_NUM_SA]; |
||||
|
u_int8_t psk_mode; |
||||
|
}; |
||||
|
|
||||
|
typedef struct transop_aes transop_aes_t; |
||||
|
|
||||
|
static ssize_t aes_find_sa( const transop_aes_t * priv, const n2n_sa_t req_id ); |
||||
|
static int setup_aes_key(transop_aes_t *priv, const uint8_t *key, ssize_t key_size, size_t sa_num); |
||||
|
|
||||
|
static int transop_deinit_aes( n2n_trans_op_t * arg ) |
||||
|
{ |
||||
|
transop_aes_t * priv = (transop_aes_t *)arg->priv; |
||||
|
size_t i; |
||||
|
|
||||
|
if ( priv ) |
||||
|
{ |
||||
|
/* Memory was previously allocated */ |
||||
|
for (i=0; i<N2N_AES_NUM_SA; ++i ) |
||||
|
{ |
||||
|
sa_aes_t * sa = &(priv->sa[i]); |
||||
|
|
||||
|
sa->sa_id=0; |
||||
|
} |
||||
|
|
||||
|
priv->num_sa=0; |
||||
|
priv->tx_sa=-1; |
||||
|
|
||||
|
free(priv); |
||||
|
} |
||||
|
|
||||
|
arg->priv=NULL; /* return to fully uninitialised state */ |
||||
|
|
||||
|
return 0; |
||||
|
} |
||||
|
|
||||
|
static size_t aes_choose_tx_sa( transop_aes_t * priv, const u_int8_t * peer_mac ) { |
||||
|
return priv->tx_sa; /* set in tick */ |
||||
|
} |
||||
|
|
||||
|
static ssize_t aes_choose_rx_sa( transop_aes_t * priv, const u_int8_t * peer_mac, ssize_t sa_rx) { |
||||
|
if(!priv->psk_mode) |
||||
|
return aes_find_sa(priv, sa_rx); |
||||
|
else |
||||
|
/* NOTE the sa_rx of the packet is ignored in this case */ |
||||
|
return 0; |
||||
|
} |
||||
|
|
||||
|
/* AES plaintext preamble */ |
||||
|
#define TRANSOP_AES_VER_SIZE 1 /* Support minor variants in encoding in one module. */ |
||||
|
#define TRANSOP_AES_SA_SIZE 4 |
||||
|
#define TRANSOP_AES_IV_SEED_SIZE 8 |
||||
|
#define TRANSOP_AES_PREAMBLE_SIZE (TRANSOP_AES_VER_SIZE + TRANSOP_AES_SA_SIZE + TRANSOP_AES_IV_SEED_SIZE) |
||||
|
|
||||
|
/* AES ciphertext preamble */ |
||||
|
#define TRANSOP_AES_NONCE_SIZE 4 |
||||
|
|
||||
|
/* Return the best acceptable AES key size (in bytes) given an input keysize.
|
||||
|
* |
||||
|
* The value returned will be one of AES128_KEY_BYTES, AES192_KEY_BYTES or |
||||
|
* AES256_KEY_BYTES. |
||||
|
*/ |
||||
|
static size_t aes_best_keysize(size_t numBytes) |
||||
|
{ |
||||
|
if (numBytes >= AES256_KEY_BYTES ) |
||||
|
{ |
||||
|
return AES256_KEY_BYTES; |
||||
|
} |
||||
|
else if (numBytes >= AES192_KEY_BYTES) |
||||
|
{ |
||||
|
return AES192_KEY_BYTES; |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
return AES128_KEY_BYTES; |
||||
|
} |
||||
|
} |
||||
|
|
||||
|
static void set_aes_cbc_iv(sa_aes_t *sa, n2n_aes_ivec_t ivec, uint64_t iv_seed) { |
||||
|
uint8_t iv_full[AES_BLOCK_SIZE]; |
||||
|
|
||||
|
/* Extend the seed to full block size via the fixed ext value */ |
||||
|
memcpy(iv_full, sa->iv_ext_val, sizeof(iv_seed)); // note: only 64bits used of 128 available
|
||||
|
memcpy(iv_full + sizeof(iv_seed), &iv_seed, sizeof(iv_seed)); |
||||
|
|
||||
|
/* Encrypt the IV with secret key to make it unpredictable.
|
||||
|
* As discussed in https://github.com/ntop/n2n/issues/72, it's important to
|
||||
|
* have an unpredictable IV since the initial part of the packet plaintext |
||||
|
* can be easily reconstructed from plaintext headers and used by an attacker |
||||
|
* to perform differential analysis. |
||||
|
*/ |
||||
|
AES_ecb_encrypt(iv_full, ivec, &sa->iv_enc_key, AES_ENCRYPT); |
||||
|
} |
||||
|
|
||||
|
/** The aes packet format consists of:
|
||||
|
* |
||||
|
* - a 8-bit aes encoding version in clear text |
||||
|
* - a 32-bit SA number in clear text |
||||
|
* - a 64-bit random IV seed |
||||
|
* - ciphertext encrypted from a 32-bit nonce followed by the payload. |
||||
|
* |
||||
|
* [V|SSSS|II|nnnnDDDDDDDDDDDDDDDDDDDDD] |
||||
|
* |<------ encrypted ------>| |
||||
|
*/ |
||||
|
static int transop_encode_aes( n2n_trans_op_t * arg, |
||||
|
uint8_t * outbuf, |
||||
|
size_t out_len, |
||||
|
const uint8_t * inbuf, |
||||
|
size_t in_len, |
||||
|
const uint8_t * peer_mac) |
||||
|
{ |
||||
|
int len2=-1; |
||||
|
transop_aes_t * priv = (transop_aes_t *)arg->priv; |
||||
|
uint8_t assembly[N2N_PKT_BUF_SIZE] = {0}; |
||||
|
uint32_t * pnonce; |
||||
|
|
||||
|
if ( (in_len + TRANSOP_AES_NONCE_SIZE) <= N2N_PKT_BUF_SIZE ) |
||||
|
{ |
||||
|
if ( (in_len + TRANSOP_AES_NONCE_SIZE + TRANSOP_AES_PREAMBLE_SIZE) <= out_len ) |
||||
|
{ |
||||
|
int len=-1; |
||||
|
size_t idx=0; |
||||
|
sa_aes_t * sa; |
||||
|
size_t tx_sa_num = 0; |
||||
|
uint64_t iv_seed = 0; |
||||
|
uint8_t padding = 0; |
||||
|
n2n_aes_ivec_t enc_ivec = {0}; |
||||
|
|
||||
|
/* The transmit sa is periodically updated */ |
||||
|
tx_sa_num = aes_choose_tx_sa( priv, peer_mac ); |
||||
|
|
||||
|
sa = &(priv->sa[tx_sa_num]); /* Proper Tx SA index */ |
||||
|
|
||||
|
traceEvent( TRACE_DEBUG, "encode_aes %lu with SA %lu.", in_len, sa->sa_id ); |
||||
|
|
||||
|
/* Encode the aes format version. */ |
||||
|
encode_uint8( outbuf, &idx, N2N_AES_TRANSFORM_VERSION ); |
||||
|
|
||||
|
/* Encode the security association (SA) number */ |
||||
|
encode_uint32( outbuf, &idx, sa->sa_id ); |
||||
|
|
||||
|
/* Generate and encode the IV seed.
|
||||
|
* Using two calls to rand() because RAND_MAX is usually < 64bit |
||||
|
* (e.g. linux) and sometimes < 32bit (e.g. Windows). |
||||
|
*/ |
||||
|
((uint32_t*)&iv_seed)[0] = rand(); |
||||
|
((uint32_t*)&iv_seed)[1] = rand(); |
||||
|
encode_buf(outbuf, &idx, &iv_seed, sizeof(iv_seed)); |
||||
|
|
||||
|
/* Encrypt the assembly contents and write the ciphertext after the SA. */ |
||||
|
len = in_len + TRANSOP_AES_NONCE_SIZE; |
||||
|
|
||||
|
/* The assembly buffer is a source for encrypting data. The nonce is
|
||||
|
* written in first followed by the packet payload. The whole |
||||
|
* contents of assembly are encrypted. */ |
||||
|
pnonce = (uint32_t *)assembly; |
||||
|
*pnonce = rand(); |
||||
|
memcpy( assembly + TRANSOP_AES_NONCE_SIZE, inbuf, in_len ); |
||||
|
|
||||
|
/* Need at least one encrypted byte at the end for the padding. */ |
||||
|
len2 = ( (len / AES_BLOCK_SIZE) + 1) * AES_BLOCK_SIZE; /* Round up to next whole AES adding at least one byte. */ |
||||
|
padding = (len2-len); |
||||
|
assembly[len2 - 1] = padding; |
||||
|
traceEvent( TRACE_DEBUG, "padding = %u, seed = %016lx", padding, iv_seed ); |
||||
|
|
||||
|
set_aes_cbc_iv(sa, enc_ivec, iv_seed); |
||||
|
|
||||
|
AES_cbc_encrypt( assembly, /* source */ |
||||
|
outbuf + TRANSOP_AES_PREAMBLE_SIZE, /* dest */ |
||||
|
len2, /* enc size */ |
||||
|
&(sa->enc_key), enc_ivec, AES_ENCRYPT ); |
||||
|
|
||||
|
len2 += TRANSOP_AES_PREAMBLE_SIZE; /* size of data carried in UDP. */ |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_ERROR, "encode_aes outbuf too small." ); |
||||
|
} |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_ERROR, "encode_aes inbuf too big to encrypt." ); |
||||
|
} |
||||
|
|
||||
|
return len2; |
||||
|
} |
||||
|
|
||||
|
|
||||
|
/* Search through the array of SAs to find the one with the required ID.
|
||||
|
* |
||||
|
* @return array index where found or -1 if not found |
||||
|
*/ |
||||
|
static ssize_t aes_find_sa( const transop_aes_t * priv, const n2n_sa_t req_id ) |
||||
|
{ |
||||
|
size_t i; |
||||
|
|
||||
|
for (i=0; i < priv->num_sa; ++i) |
||||
|
{ |
||||
|
const sa_aes_t * sa=NULL; |
||||
|
|
||||
|
sa = &(priv->sa[i]); |
||||
|
if (req_id == sa->sa_id) |
||||
|
{ |
||||
|
return i; |
||||
|
} |
||||
|
} |
||||
|
|
||||
|
return -1; |
||||
|
} |
||||
|
|
||||
|
|
||||
|
/* See transop_encode_aes for packet format */ |
||||
|
static int transop_decode_aes( n2n_trans_op_t * arg, |
||||
|
uint8_t * outbuf, |
||||
|
size_t out_len, |
||||
|
const uint8_t * inbuf, |
||||
|
size_t in_len, |
||||
|
const uint8_t * peer_mac) |
||||
|
{ |
||||
|
int len=0; |
||||
|
transop_aes_t * priv = (transop_aes_t *)arg->priv; |
||||
|
uint8_t assembly[N2N_PKT_BUF_SIZE]; |
||||
|
|
||||
|
if ( ( (in_len - TRANSOP_AES_PREAMBLE_SIZE) <= N2N_PKT_BUF_SIZE ) /* Cipher text fits in assembly */ |
||||
|
&& (in_len >= (TRANSOP_AES_PREAMBLE_SIZE + TRANSOP_AES_NONCE_SIZE) ) /* Has at least version, SA, iv seed and nonce */ |
||||
|
) |
||||
|
{ |
||||
|
n2n_sa_t sa_rx; |
||||
|
ssize_t sa_idx=-1; |
||||
|
size_t rem=in_len; |
||||
|
size_t idx=0; |
||||
|
uint8_t aes_enc_ver=0; |
||||
|
uint64_t iv_seed=0; |
||||
|
|
||||
|
/* Get the encoding version to make sure it is supported */ |
||||
|
decode_uint8( &aes_enc_ver, inbuf, &rem, &idx ); |
||||
|
|
||||
|
if ( N2N_AES_TRANSFORM_VERSION == aes_enc_ver ) |
||||
|
{ |
||||
|
/* Get the SA number and make sure we are decrypting with the right one. */ |
||||
|
decode_uint32( &sa_rx, inbuf, &rem, &idx ); |
||||
|
|
||||
|
sa_idx = aes_choose_rx_sa(priv, peer_mac, sa_rx); |
||||
|
|
||||
|
if ( sa_idx >= 0 ) |
||||
|
{ |
||||
|
sa_aes_t * sa = &(priv->sa[sa_idx]); |
||||
|
|
||||
|
/* Get the IV seed */ |
||||
|
decode_buf((uint8_t *)&iv_seed, sizeof(iv_seed), inbuf, &rem, &idx); |
||||
|
|
||||
|
traceEvent( TRACE_DEBUG, "decode_aes %lu with SA %lu and seed %016lx", in_len, sa->sa_id, iv_seed ); |
||||
|
|
||||
|
len = (in_len - TRANSOP_AES_PREAMBLE_SIZE); |
||||
|
|
||||
|
if ( 0 == (len % AES_BLOCK_SIZE ) ) |
||||
|
{ |
||||
|
uint8_t padding; |
||||
|
n2n_aes_ivec_t dec_ivec = {0}; |
||||
|
|
||||
|
set_aes_cbc_iv(sa, dec_ivec, iv_seed); |
||||
|
|
||||
|
AES_cbc_encrypt( (inbuf + TRANSOP_AES_PREAMBLE_SIZE), |
||||
|
assembly, /* destination */ |
||||
|
len, |
||||
|
&(sa->dec_key), |
||||
|
dec_ivec, AES_DECRYPT ); |
||||
|
|
||||
|
/* last byte is how much was padding: max value should be
|
||||
|
* AES_BLOCKSIZE-1 */ |
||||
|
padding = assembly[ len-1 ] & 0xff; |
||||
|
|
||||
|
if ( len >= (padding + TRANSOP_AES_NONCE_SIZE)) |
||||
|
{ |
||||
|
/* strictly speaking for this to be an ethernet packet
|
||||
|
* it is going to need to be even bigger; but this is |
||||
|
* enough to prevent segfaults. */ |
||||
|
traceEvent( TRACE_DEBUG, "padding = %u", padding ); |
||||
|
len -= padding; |
||||
|
|
||||
|
len -= TRANSOP_AES_NONCE_SIZE; /* size of ethernet packet */ |
||||
|
|
||||
|
/* Step over 4-byte random nonce value */ |
||||
|
memcpy( outbuf, |
||||
|
assembly + TRANSOP_AES_NONCE_SIZE, |
||||
|
len ); |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_WARNING, "UDP payload decryption failed." ); |
||||
|
} |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_WARNING, "Encrypted length %d is not a multiple of AES_BLOCK_SIZE (%d)", len, AES_BLOCK_SIZE ); |
||||
|
len = 0; |
||||
|
} |
||||
|
|
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
/* Wrong security association; drop the packet as it is undecodable. */ |
||||
|
traceEvent( TRACE_ERROR, "decode_aes SA number %lu not found.", sa_rx ); |
||||
|
|
||||
|
/* REVISIT: should be able to load a new SA at this point to complete the decoding. */ |
||||
|
} |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
/* Wrong security association; drop the packet as it is undecodable. */ |
||||
|
traceEvent( TRACE_ERROR, "decode_aes unsupported aes version %u.", aes_enc_ver ); |
||||
|
|
||||
|
/* REVISIT: should be able to load a new SA at this point to complete the decoding. */ |
||||
|
} |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_ERROR, "decode_aes inbuf wrong size (%ul) to decrypt.", in_len ); |
||||
|
} |
||||
|
|
||||
|
return len; |
||||
|
} |
||||
|
|
||||
|
struct sha512_keybuf { |
||||
|
uint8_t enc_dec_key[AES256_KEY_BYTES]; /* The key to use for AES CBC encryption/decryption */ |
||||
|
uint8_t iv_enc_key[AES128_KEY_BYTES]; /* The key to use to encrypt the IV with AES ECB */ |
||||
|
uint8_t iv_ext_val[AES128_KEY_BYTES]; /* A value to extend the IV seed */ |
||||
|
}; /* size: SHA512_DIGEST_LENGTH */ |
||||
|
|
||||
|
/* NOTE: the caller should adjust priv->num_sa accordingly */ |
||||
|
static int setup_aes_key(transop_aes_t *priv, const uint8_t *key, ssize_t key_size, size_t sa_num) { |
||||
|
sa_aes_t * sa = &(priv->sa[sa_num]); |
||||
|
size_t aes_keysize_bytes; |
||||
|
size_t aes_keysize_bits; |
||||
|
struct sha512_keybuf keybuf; |
||||
|
|
||||
|
/* Clear out any old possibly longer key matter. */ |
||||
|
memset( &(sa->enc_key), 0, sizeof(sa->enc_key) ); |
||||
|
memset( &(sa->dec_key), 0, sizeof(sa->dec_key) ); |
||||
|
memset( &(sa->iv_enc_key), 0, sizeof(sa->iv_enc_key) ); |
||||
|
memset( &(sa->iv_ext_val), 0, sizeof(sa->iv_ext_val) ); |
||||
|
|
||||
|
/* We still use aes_best_keysize (even not necessary since we hash the key
|
||||
|
* into the 256bits enc_dec_key) to let the users choose the degree of encryption. |
||||
|
* Long keys will pick AES192 or AES256 with more robust but expensive encryption. |
||||
|
*/ |
||||
|
aes_keysize_bytes = aes_best_keysize(key_size); |
||||
|
aes_keysize_bits = 8 * aes_keysize_bytes; |
||||
|
|
||||
|
/* Hash the main key to generate subkeys */ |
||||
|
SHA512(key, key_size, (u_char*)&keybuf); |
||||
|
|
||||
|
/* setup of enc_key/dec_key, used for the CBC encryption */ |
||||
|
AES_set_encrypt_key(keybuf.enc_dec_key, aes_keysize_bits, &(sa->enc_key)); |
||||
|
AES_set_decrypt_key(keybuf.enc_dec_key, aes_keysize_bits, &(sa->dec_key)); |
||||
|
|
||||
|
/* setup of iv_enc_key and iv_ext_val, used for generating the CBC IV */ |
||||
|
AES_set_encrypt_key(keybuf.iv_enc_key, sizeof(keybuf.iv_enc_key) * 8, &(sa->iv_enc_key)); |
||||
|
memcpy(sa->iv_ext_val, keybuf.iv_ext_val, sizeof(keybuf.iv_ext_val)); |
||||
|
|
||||
|
traceEvent( TRACE_DEBUG, "transop_addspec_aes sa_id=%u, %u bits key=%s.\n", |
||||
|
priv->sa[sa_num].sa_id, aes_keysize_bits, key); |
||||
|
|
||||
|
return(0); |
||||
|
} |
||||
|
|
||||
|
/*
|
||||
|
* priv: pointer to transform state |
||||
|
* keybuf: buffer holding the key |
||||
|
* pstat: length of keybuf |
||||
|
*/ |
||||
|
static void add_aes_key(transop_aes_t *priv, uint8_t *keybuf, ssize_t pstat) { |
||||
|
setup_aes_key(priv, keybuf, pstat, priv->num_sa); |
||||
|
++(priv->num_sa); |
||||
|
} |
||||
|
|
||||
|
static int transop_addspec_aes( n2n_trans_op_t * arg, const n2n_cipherspec_t * cspec ) |
||||
|
{ |
||||
|
int retval = 1; |
||||
|
ssize_t pstat=-1; |
||||
|
transop_aes_t * priv = (transop_aes_t *)arg->priv; |
||||
|
uint8_t keybuf[N2N_MAX_KEYSIZE]; |
||||
|
|
||||
|
if ( priv->num_sa < N2N_AES_NUM_SA ) |
||||
|
{ |
||||
|
const char * op = (const char *)cspec->opaque; |
||||
|
const char * sep = index( op, '_' ); |
||||
|
|
||||
|
if ( sep ) |
||||
|
{ |
||||
|
char tmp[256]; |
||||
|
size_t s; |
||||
|
|
||||
|
s = sep - op; |
||||
|
memcpy( tmp, cspec->opaque, s ); |
||||
|
tmp[s]=0; |
||||
|
|
||||
|
s = strlen(sep+1); /* sep is the _ which might be immediately followed by NULL */ |
||||
|
|
||||
|
priv->sa[priv->num_sa].spec = *cspec; |
||||
|
priv->sa[priv->num_sa].sa_id = strtoul(tmp, NULL, 10); |
||||
|
|
||||
|
memset( keybuf, 0, N2N_MAX_KEYSIZE ); |
||||
|
pstat = n2n_parse_hex( keybuf, N2N_MAX_KEYSIZE, sep+1, s ); |
||||
|
if ( pstat > 0 ) |
||||
|
{ |
||||
|
add_aes_key(priv, keybuf, pstat); |
||||
|
retval = 0; |
||||
|
} |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_ERROR, "transop_addspec_aes : bad key data - missing '_'.\n"); |
||||
|
} |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_ERROR, "transop_addspec_aes : full.\n"); |
||||
|
} |
||||
|
|
||||
|
return retval; |
||||
|
} |
||||
|
|
||||
|
|
||||
|
static n2n_tostat_t transop_tick_aes( n2n_trans_op_t * arg, time_t now ) |
||||
|
{ |
||||
|
transop_aes_t * priv = (transop_aes_t *)arg->priv; |
||||
|
size_t i; |
||||
|
int found=0; |
||||
|
n2n_tostat_t r; |
||||
|
|
||||
|
memset( &r, 0, sizeof(r) ); |
||||
|
|
||||
|
traceEvent( TRACE_DEBUG, "transop_aes tick num_sa=%u now=%lu", priv->num_sa, now ); |
||||
|
|
||||
|
for ( i=0; i < priv->num_sa; ++i ) |
||||
|
{ |
||||
|
if ( 0 == validCipherSpec( &(priv->sa[i].spec), now ) ) |
||||
|
{ |
||||
|
time_t remaining = priv->sa[i].spec.valid_until - now; |
||||
|
|
||||
|
traceEvent( TRACE_INFO, "transop_aes choosing tx_sa=%u (valid for %lu sec)", priv->sa[i].sa_id, remaining ); |
||||
|
priv->tx_sa=i; |
||||
|
found=1; |
||||
|
break; |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_DEBUG, "transop_aes tick rejecting sa=%u %lu -> %lu", |
||||
|
priv->sa[i].sa_id, priv->sa[i].spec.valid_from, priv->sa[i].spec.valid_until ); |
||||
|
} |
||||
|
} |
||||
|
|
||||
|
if ( 0==found) |
||||
|
{ |
||||
|
traceEvent( TRACE_INFO, "transop_aes no keys are currently valid. Keeping tx_sa=%u", priv->tx_sa ); |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
r.can_tx = 1; |
||||
|
r.tx_spec.t = N2N_TRANSFORM_ID_AESCBC; |
||||
|
r.tx_spec = priv->sa[priv->tx_sa].spec; |
||||
|
} |
||||
|
|
||||
|
return r; |
||||
|
} |
||||
|
|
||||
|
static n2n_tostat_t transop_tick_aes_psk(n2n_trans_op_t * arg, time_t now) { |
||||
|
transop_aes_t * priv = (transop_aes_t *)arg->priv; |
||||
|
n2n_tostat_t r; |
||||
|
|
||||
|
memset(&r, 0, sizeof(r)); |
||||
|
|
||||
|
// Always tx
|
||||
|
r.can_tx = 1; |
||||
|
r.tx_spec.t = N2N_TRANSFORM_ID_AESCBC; |
||||
|
r.tx_spec = priv->sa[priv->tx_sa].spec; |
||||
|
|
||||
|
return r; |
||||
|
} |
||||
|
|
||||
|
int transop_aes_init( n2n_trans_op_t * ttt ) |
||||
|
{ |
||||
|
int retval = 1; |
||||
|
transop_aes_t * priv = NULL; |
||||
|
|
||||
|
if ( ttt->priv ) |
||||
|
{ |
||||
|
transop_deinit_aes( ttt ); |
||||
|
} |
||||
|
|
||||
|
memset( ttt, 0, sizeof( n2n_trans_op_t ) ); |
||||
|
|
||||
|
priv = (transop_aes_t *) calloc(1, sizeof(transop_aes_t)); |
||||
|
|
||||
|
if ( NULL != priv ) |
||||
|
{ |
||||
|
size_t i; |
||||
|
sa_aes_t * sa=NULL; |
||||
|
|
||||
|
/* install the private structure. */ |
||||
|
ttt->priv = priv; |
||||
|
priv->num_sa=0; |
||||
|
priv->tx_sa=0; /* We will use this sa index for encoding. */ |
||||
|
priv->psk_mode = 0; |
||||
|
|
||||
|
ttt->transform_id = N2N_TRANSFORM_ID_AESCBC; |
||||
|
ttt->addspec = transop_addspec_aes; |
||||
|
ttt->tick = transop_tick_aes; /* chooses a new tx_sa */ |
||||
|
ttt->deinit = transop_deinit_aes; |
||||
|
ttt->fwd = transop_encode_aes; |
||||
|
ttt->rev = transop_decode_aes; |
||||
|
|
||||
|
for(i=0; i<N2N_AES_NUM_SA; ++i) |
||||
|
{ |
||||
|
sa = &(priv->sa[i]); |
||||
|
sa->sa_id=0; |
||||
|
memset( &(sa->spec), 0, sizeof(n2n_cipherspec_t) ); |
||||
|
memset( &(sa->enc_key), 0, sizeof(sa->enc_key) ); |
||||
|
memset( &(sa->dec_key), 0, sizeof(sa->dec_key) ); |
||||
|
memset( &(sa->iv_enc_key), 0, sizeof(sa->iv_enc_key) ); |
||||
|
memset( &(sa->iv_ext_val), 0, sizeof(sa->iv_ext_val) ); |
||||
|
} |
||||
|
|
||||
|
retval = 0; |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
memset( ttt, 0, sizeof(n2n_trans_op_t) ); |
||||
|
traceEvent( TRACE_ERROR, "Failed to allocate priv for aes" ); |
||||
|
} |
||||
|
|
||||
|
return retval; |
||||
|
} |
||||
|
|
||||
|
/* Setup AES in pre-shared key mode */ |
||||
|
int transop_aes_setup_psk(n2n_trans_op_t *ttt, |
||||
|
n2n_sa_t sa_num, |
||||
|
uint8_t *encrypt_pwd, |
||||
|
uint32_t encrypt_pwd_len) { |
||||
|
int retval = 1; |
||||
|
transop_aes_t *priv = (transop_aes_t *)ttt->priv; |
||||
|
|
||||
|
if(ttt->priv) { |
||||
|
/* Replace the tick function with the PSK version of it */ |
||||
|
ttt->tick = transop_tick_aes_psk; |
||||
|
priv->psk_mode = 1; |
||||
|
priv->num_sa=0; |
||||
|
priv->tx_sa=0; |
||||
|
|
||||
|
/* Setup the key to use for encryption/decryption */ |
||||
|
add_aes_key(priv, encrypt_pwd, encrypt_pwd_len); |
||||
|
|
||||
|
retval = 0; |
||||
|
} else |
||||
|
traceEvent(TRACE_ERROR, "AES priv is not allocated"); |
||||
|
|
||||
|
return retval; |
||||
|
} |
||||
|
|
||||
|
#else /* #if defined(N2N_HAVE_AES) */ |
||||
|
|
||||
|
struct transop_aes |
||||
|
{ |
||||
|
ssize_t tx_sa; |
||||
|
}; |
||||
|
|
||||
|
typedef struct transop_aes transop_aes_t; |
||||
|
|
||||
|
|
||||
|
static int transop_deinit_aes( n2n_trans_op_t * arg ) |
||||
|
{ |
||||
|
transop_aes_t * priv = (transop_aes_t *)arg->priv; |
||||
|
|
||||
|
if ( priv ) |
||||
|
{ |
||||
|
free(priv); |
||||
|
} |
||||
|
|
||||
|
arg->priv=NULL; /* return to fully uninitialised state */ |
||||
|
|
||||
|
return 0; |
||||
|
} |
||||
|
|
||||
|
static int transop_encode_aes( n2n_trans_op_t * arg, |
||||
|
uint8_t * outbuf, |
||||
|
size_t out_len, |
||||
|
const uint8_t * inbuf, |
||||
|
size_t in_len ) |
||||
|
{ |
||||
|
return -1; |
||||
|
} |
||||
|
|
||||
|
static int transop_decode_aes( n2n_trans_op_t * arg, |
||||
|
uint8_t * outbuf, |
||||
|
size_t out_len, |
||||
|
const uint8_t * inbuf, |
||||
|
size_t in_len ) |
||||
|
{ |
||||
|
return -1; |
||||
|
} |
||||
|
|
||||
|
static int transop_addspec_aes( n2n_trans_op_t * arg, const n2n_cipherspec_t * cspec ) |
||||
|
{ |
||||
|
traceEvent( TRACE_DEBUG, "transop_addspec_aes AES not built into edge.\n"); |
||||
|
|
||||
|
return -1; |
||||
|
} |
||||
|
|
||||
|
static n2n_tostat_t transop_tick_aes( n2n_trans_op_t * arg, time_t now ) |
||||
|
{ |
||||
|
n2n_tostat_t r; |
||||
|
|
||||
|
memset( &r, 0, sizeof(r) ); |
||||
|
|
||||
|
return r; |
||||
|
} |
||||
|
|
||||
|
int transop_aes_init( n2n_trans_op_t * ttt ) |
||||
|
{ |
||||
|
int retval = 1; |
||||
|
transop_aes_t * priv = NULL; |
||||
|
|
||||
|
if ( ttt->priv ) |
||||
|
{ |
||||
|
transop_deinit_aes( ttt ); |
||||
|
} |
||||
|
|
||||
|
memset( ttt, 0, sizeof( n2n_trans_op_t ) ); |
||||
|
|
||||
|
priv = (transop_aes_t *) malloc( sizeof(transop_aes_t) ); |
||||
|
|
||||
|
if ( NULL != priv ) |
||||
|
{ |
||||
|
/* install the private structure. */ |
||||
|
ttt->priv = priv; |
||||
|
priv->tx_sa=0; /* We will use this sa index for encoding. */ |
||||
|
|
||||
|
ttt->transform_id = N2N_TRANSFORM_ID_AESCBC; |
||||
|
ttt->addspec = transop_addspec_aes; |
||||
|
ttt->tick = transop_tick_aes; /* chooses a new tx_sa */ |
||||
|
ttt->deinit = transop_deinit_aes; |
||||
|
ttt->fwd = transop_encode_aes; |
||||
|
ttt->rev = transop_decode_aes; |
||||
|
|
||||
|
retval = 0; |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
memset( ttt, 0, sizeof(n2n_trans_op_t) ); |
||||
|
traceEvent( TRACE_ERROR, "Failed to allocate priv for aes" ); |
||||
|
} |
||||
|
|
||||
|
return retval; |
||||
|
} |
||||
|
|
||||
|
|
||||
|
int transop_aes_setup_psk(n2n_trans_op_t *ttt, |
||||
|
n2n_sa_t sa_num, |
||||
|
uint8_t *encrypt_pwd, |
||||
|
uint32_t encrypt_pwd_len) { |
||||
|
return 0; |
||||
|
} |
||||
|
|
||||
|
#endif /* #if defined(N2N_HAVE_AES) */ |
||||
|
|
@ -0,0 +1,467 @@ |
|||||
|
/**
|
||||
|
* (C) 2007-18 - ntop.org and contributors |
||||
|
* |
||||
|
* This program is free software; you can redistribute it and/or modify |
||||
|
* it under the terms of the GNU General Public License as published by |
||||
|
* the Free Software Foundation; either version 3 of the License, or |
||||
|
* (at your option) any later version. |
||||
|
* |
||||
|
* This program is distributed in the hope that it will be useful, |
||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||
|
* GNU General Public License for more details. |
||||
|
* |
||||
|
* You should have received a copy of the GNU General Public License |
||||
|
* along with this program; if not see see <http://www.gnu.org/licenses/>
|
||||
|
* |
||||
|
*/ |
||||
|
|
||||
|
#include "n2n.h" |
||||
|
#include "n2n_transforms.h" |
||||
|
#include "twofish.h" |
||||
|
#ifndef _MSC_VER |
||||
|
/* Not included in Visual Studio 2008 */ |
||||
|
#include <strings.h> /* index() */ |
||||
|
#endif |
||||
|
|
||||
|
#define N2N_TWOFISH_NUM_SA 32 /* space for SAa */ |
||||
|
|
||||
|
#define N2N_TWOFISH_TRANSFORM_VERSION 1 /* version of the transform encoding */ |
||||
|
|
||||
|
struct sa_twofish |
||||
|
{ |
||||
|
n2n_cipherspec_t spec; /* cipher spec parameters */ |
||||
|
n2n_sa_t sa_id; /* security association index */ |
||||
|
TWOFISH * enc_tf; /* tx state */ |
||||
|
TWOFISH * dec_tf; /* rx state */ |
||||
|
}; |
||||
|
|
||||
|
typedef struct sa_twofish sa_twofish_t; |
||||
|
|
||||
|
|
||||
|
/** Twofish transform state data.
|
||||
|
* |
||||
|
* With a key-schedule in place this will be populated with a number of |
||||
|
* SAs. Each SA has a lifetime and some opque data. The opaque data for twofish |
||||
|
* consists of the SA number and key material. |
||||
|
* |
||||
|
*/ |
||||
|
struct transop_tf |
||||
|
{ |
||||
|
ssize_t tx_sa; |
||||
|
size_t num_sa; |
||||
|
sa_twofish_t sa[N2N_TWOFISH_NUM_SA]; |
||||
|
}; |
||||
|
|
||||
|
typedef struct transop_tf transop_tf_t; |
||||
|
|
||||
|
static int transop_deinit_twofish( n2n_trans_op_t * arg ) |
||||
|
{ |
||||
|
transop_tf_t * priv = (transop_tf_t *)arg->priv; |
||||
|
size_t i; |
||||
|
|
||||
|
if ( priv ) |
||||
|
{ |
||||
|
/* Memory was previously allocated */ |
||||
|
for (i=0; i<N2N_TWOFISH_NUM_SA; ++i ) |
||||
|
{ |
||||
|
sa_twofish_t * sa = &(priv->sa[i]); |
||||
|
|
||||
|
TwoFishDestroy(sa->enc_tf); /* deallocate TWOFISH */ |
||||
|
sa->enc_tf=NULL; |
||||
|
|
||||
|
TwoFishDestroy(sa->dec_tf); /* deallocate TWOFISH */ |
||||
|
sa->dec_tf=NULL; |
||||
|
|
||||
|
sa->sa_id=0; |
||||
|
} |
||||
|
|
||||
|
priv->num_sa=0; |
||||
|
priv->tx_sa=-1; |
||||
|
|
||||
|
free(priv); |
||||
|
} |
||||
|
|
||||
|
arg->priv=NULL; /* return to fully uninitialised state */ |
||||
|
|
||||
|
return 0; |
||||
|
} |
||||
|
|
||||
|
static size_t tf_choose_tx_sa( transop_tf_t * priv ) |
||||
|
{ |
||||
|
return priv->tx_sa; /* set in tick */ |
||||
|
} |
||||
|
|
||||
|
#define TRANSOP_TF_VER_SIZE 1 /* Support minor variants in encoding in one module. */ |
||||
|
#define TRANSOP_TF_NONCE_SIZE 4 |
||||
|
#define TRANSOP_TF_SA_SIZE 4 |
||||
|
|
||||
|
/** The twofish packet format consists of:
|
||||
|
* |
||||
|
* - a 8-bit twofish encoding version in clear text |
||||
|
* - a 32-bit SA number in clear text |
||||
|
* - ciphertext encrypted from a 32-bit nonce followed by the payload. |
||||
|
* |
||||
|
* [V|SSSS|nnnnDDDDDDDDDDDDDDDDDDDDD] |
||||
|
* |<------ encrypted ------>| |
||||
|
*/ |
||||
|
static int transop_encode_twofish( n2n_trans_op_t * arg, |
||||
|
uint8_t * outbuf, |
||||
|
size_t out_len, |
||||
|
const uint8_t * inbuf, |
||||
|
size_t in_len, |
||||
|
const uint8_t * peer_mac) |
||||
|
{ |
||||
|
int len=-1; |
||||
|
transop_tf_t * priv = (transop_tf_t *)arg->priv; |
||||
|
uint8_t assembly[N2N_PKT_BUF_SIZE]; |
||||
|
uint32_t * pnonce; |
||||
|
|
||||
|
if ( (in_len + TRANSOP_TF_NONCE_SIZE) <= N2N_PKT_BUF_SIZE ) |
||||
|
{ |
||||
|
if ( (in_len + TRANSOP_TF_NONCE_SIZE + TRANSOP_TF_SA_SIZE + TRANSOP_TF_VER_SIZE) <= out_len ) |
||||
|
{ |
||||
|
size_t idx=0; |
||||
|
sa_twofish_t * sa; |
||||
|
size_t tx_sa_num = 0; |
||||
|
|
||||
|
/* The transmit sa is periodically updated */ |
||||
|
tx_sa_num = tf_choose_tx_sa( priv ); |
||||
|
|
||||
|
sa = &(priv->sa[tx_sa_num]); /* Proper Tx SA index */ |
||||
|
|
||||
|
traceEvent( TRACE_DEBUG, "encode_twofish %lu with SA %lu.", in_len, sa->sa_id ); |
||||
|
|
||||
|
/* Encode the twofish format version. */ |
||||
|
encode_uint8( outbuf, &idx, N2N_TWOFISH_TRANSFORM_VERSION ); |
||||
|
|
||||
|
/* Encode the security association (SA) number */ |
||||
|
encode_uint32( outbuf, &idx, sa->sa_id ); |
||||
|
|
||||
|
/* The assembly buffer is a source for encrypting data. The nonce is
|
||||
|
* written in first followed by the packet payload. The whole |
||||
|
* contents of assembly are encrypted. */ |
||||
|
pnonce = (uint32_t *)assembly; |
||||
|
*pnonce = rand(); |
||||
|
memcpy( assembly + TRANSOP_TF_NONCE_SIZE, inbuf, in_len ); |
||||
|
|
||||
|
/* Encrypt the assembly contents and write the ciphertext after the SA. */ |
||||
|
len = TwoFishEncryptRaw( assembly, /* source */ |
||||
|
outbuf + TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE, |
||||
|
in_len + TRANSOP_TF_NONCE_SIZE, /* enc size */ |
||||
|
sa->enc_tf); |
||||
|
if ( len > 0 ) |
||||
|
{ |
||||
|
len += TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE; /* size of data carried in UDP. */ |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_ERROR, "encode_twofish encryption failed." ); |
||||
|
} |
||||
|
|
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_ERROR, "encode_twofish outbuf too small." ); |
||||
|
} |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_ERROR, "encode_twofish inbuf too big to encrypt." ); |
||||
|
} |
||||
|
|
||||
|
return len; |
||||
|
} |
||||
|
|
||||
|
|
||||
|
/* Search through the array of SAs to find the one with the required ID.
|
||||
|
* |
||||
|
* @return array index where found or -1 if not found |
||||
|
*/ |
||||
|
static ssize_t twofish_find_sa( const transop_tf_t * priv, const n2n_sa_t req_id ) |
||||
|
{ |
||||
|
size_t i; |
||||
|
|
||||
|
for (i=0; i < priv->num_sa; ++i) |
||||
|
{ |
||||
|
const sa_twofish_t * sa=NULL; |
||||
|
|
||||
|
sa = &(priv->sa[i]); |
||||
|
if (req_id == sa->sa_id) |
||||
|
{ |
||||
|
return i; |
||||
|
} |
||||
|
} |
||||
|
|
||||
|
return -1; |
||||
|
} |
||||
|
|
||||
|
|
||||
|
/** The twofish packet format consists of:
|
||||
|
* |
||||
|
* - a 8-bit twofish encoding version in clear text |
||||
|
* - a 32-bit SA number in clear text |
||||
|
* - ciphertext encrypted from a 32-bit nonce followed by the payload. |
||||
|
* |
||||
|
* [V|SSSS|nnnnDDDDDDDDDDDDDDDDDDDDD] |
||||
|
* |<------ encrypted ------>| |
||||
|
*/ |
||||
|
static int transop_decode_twofish( n2n_trans_op_t * arg, |
||||
|
uint8_t * outbuf, |
||||
|
size_t out_len, |
||||
|
const uint8_t * inbuf, |
||||
|
size_t in_len, |
||||
|
const uint8_t * peer_mac) |
||||
|
{ |
||||
|
int len=0; |
||||
|
transop_tf_t * priv = (transop_tf_t *)arg->priv; |
||||
|
uint8_t assembly[N2N_PKT_BUF_SIZE]; |
||||
|
|
||||
|
if ( ( (in_len - (TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE)) <= N2N_PKT_BUF_SIZE ) /* Cipher text fits in assembly */ |
||||
|
&& (in_len >= (TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE + TRANSOP_TF_NONCE_SIZE) ) /* Has at least version, SA and nonce */ |
||||
|
) |
||||
|
{ |
||||
|
n2n_sa_t sa_rx; |
||||
|
ssize_t sa_idx=-1; |
||||
|
size_t rem=in_len; |
||||
|
size_t idx=0; |
||||
|
uint8_t tf_enc_ver=0; |
||||
|
|
||||
|
/* Get the encoding version to make sure it is supported */ |
||||
|
decode_uint8( &tf_enc_ver, inbuf, &rem, &idx ); |
||||
|
|
||||
|
if ( N2N_TWOFISH_TRANSFORM_VERSION == tf_enc_ver ) |
||||
|
{ |
||||
|
/* Get the SA number and make sure we are decrypting with the right one. */ |
||||
|
decode_uint32( &sa_rx, inbuf, &rem, &idx ); |
||||
|
|
||||
|
sa_idx = twofish_find_sa(priv, sa_rx); |
||||
|
if ( sa_idx >= 0 ) |
||||
|
{ |
||||
|
sa_twofish_t * sa = &(priv->sa[sa_idx]); |
||||
|
|
||||
|
traceEvent( TRACE_DEBUG, "decode_twofish %lu with SA %lu.", in_len, sa_rx, sa->sa_id ); |
||||
|
|
||||
|
len = TwoFishDecryptRaw( (void *)(inbuf + TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE), |
||||
|
assembly, /* destination */ |
||||
|
(in_len - (TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE)), |
||||
|
sa->dec_tf); |
||||
|
|
||||
|
if ( len > 0 ) |
||||
|
{ |
||||
|
/* Step over 4-byte random nonce value */ |
||||
|
len -= TRANSOP_TF_NONCE_SIZE; /* size of ethernet packet */ |
||||
|
|
||||
|
memcpy( outbuf, |
||||
|
assembly + TRANSOP_TF_NONCE_SIZE, |
||||
|
len ); |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_ERROR, "decode_twofish decryption failed." ); |
||||
|
} |
||||
|
|
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
/* Wrong security association; drop the packet as it is undecodable. */ |
||||
|
traceEvent( TRACE_ERROR, "decode_twofish SA number %lu not found.", sa_rx ); |
||||
|
|
||||
|
/* REVISIT: should be able to load a new SA at this point to complete the decoding. */ |
||||
|
} |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
/* Wrong security association; drop the packet as it is undecodable. */ |
||||
|
traceEvent( TRACE_ERROR, "decode_twofish unsupported twofish version %u.", tf_enc_ver ); |
||||
|
|
||||
|
/* REVISIT: should be able to load a new SA at this point to complete the decoding. */ |
||||
|
} |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_ERROR, "decode_twofish inbuf wrong size (%ul) to decrypt.", in_len ); |
||||
|
} |
||||
|
|
||||
|
return len; |
||||
|
} |
||||
|
|
||||
|
static int transop_addspec_twofish( n2n_trans_op_t * arg, const n2n_cipherspec_t * cspec ) |
||||
|
{ |
||||
|
int retval = 1; |
||||
|
ssize_t pstat=-1; |
||||
|
transop_tf_t * priv = (transop_tf_t *)arg->priv; |
||||
|
uint8_t keybuf[N2N_MAX_KEYSIZE]; |
||||
|
|
||||
|
if ( priv->num_sa < N2N_TWOFISH_NUM_SA ) |
||||
|
{ |
||||
|
const char * op = (const char *)cspec->opaque; |
||||
|
#ifdef __ANDROID_NDK__ |
||||
|
const char *sep = strchr(op, '_'); |
||||
|
#else |
||||
|
const char * sep = index( op, '_' ); |
||||
|
#endif // __ANDROID_NDK__
|
||||
|
|
||||
|
if ( sep ) |
||||
|
{ |
||||
|
char tmp[256]; |
||||
|
size_t s; |
||||
|
|
||||
|
s = sep - op; |
||||
|
memcpy( tmp, cspec->opaque, s ); |
||||
|
tmp[s]=0; |
||||
|
|
||||
|
s = strlen(sep+1); /* sep is the _ which might be immediately followed by NULL */ |
||||
|
|
||||
|
priv->sa[priv->num_sa].spec = *cspec; |
||||
|
priv->sa[priv->num_sa].sa_id = strtoul(tmp, NULL, 10); |
||||
|
|
||||
|
pstat = n2n_parse_hex( keybuf, N2N_MAX_KEYSIZE, sep+1, s ); |
||||
|
if ( pstat > 0 ) |
||||
|
{ |
||||
|
priv->sa[priv->num_sa].enc_tf = TwoFishInit( keybuf, pstat); |
||||
|
priv->sa[priv->num_sa].dec_tf = TwoFishInit( keybuf, pstat); |
||||
|
|
||||
|
traceEvent( TRACE_DEBUG, "transop_addspec_twofish sa_id=%u data=%s.\n", |
||||
|
priv->sa[priv->num_sa].sa_id, sep+1); |
||||
|
|
||||
|
++(priv->num_sa); |
||||
|
retval = 0; |
||||
|
} |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_ERROR, "transop_addspec_twofish : bad key data - missing '_'.\n"); |
||||
|
} |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_ERROR, "transop_addspec_twofish : full.\n"); |
||||
|
} |
||||
|
|
||||
|
return retval; |
||||
|
} |
||||
|
|
||||
|
|
||||
|
static n2n_tostat_t transop_tick_twofish( n2n_trans_op_t * arg, time_t now ) |
||||
|
{ |
||||
|
transop_tf_t * priv = (transop_tf_t *)arg->priv; |
||||
|
size_t i; |
||||
|
int found=0; |
||||
|
n2n_tostat_t r; |
||||
|
|
||||
|
memset( &r, 0, sizeof(r) ); |
||||
|
|
||||
|
traceEvent( TRACE_DEBUG, "transop_tf tick num_sa=%u", priv->num_sa ); |
||||
|
|
||||
|
for ( i=0; i < priv->num_sa; ++i ) |
||||
|
{ |
||||
|
if ( 0 == validCipherSpec( &(priv->sa[i].spec), now ) ) |
||||
|
{ |
||||
|
time_t remaining = priv->sa[i].spec.valid_until - now; |
||||
|
|
||||
|
traceEvent( TRACE_INFO, "transop_tf choosing tx_sa=%u (valid for %lu sec)", priv->sa[i].sa_id, remaining ); |
||||
|
priv->tx_sa=i; |
||||
|
found=1; |
||||
|
break; |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
traceEvent( TRACE_DEBUG, "transop_tf tick rejecting sa=%u %lu -> %lu", |
||||
|
priv->sa[i].sa_id, priv->sa[i].spec.valid_from, priv->sa[i].spec.valid_until ); |
||||
|
} |
||||
|
} |
||||
|
|
||||
|
if ( 0==found) |
||||
|
{ |
||||
|
traceEvent( TRACE_INFO, "transop_tf no keys are currently valid. Keeping tx_sa=%u", priv->tx_sa ); |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
r.can_tx = 1; |
||||
|
r.tx_spec.t = N2N_TRANSFORM_ID_TWOFISH; |
||||
|
r.tx_spec = priv->sa[priv->tx_sa].spec; |
||||
|
} |
||||
|
|
||||
|
return r; |
||||
|
} |
||||
|
|
||||
|
int transop_twofish_setup_psk( n2n_trans_op_t * ttt, |
||||
|
n2n_sa_t sa_num, |
||||
|
uint8_t * encrypt_pwd, |
||||
|
uint32_t encrypt_pwd_len ) |
||||
|
{ |
||||
|
int retval = 1; |
||||
|
transop_tf_t * priv = (transop_tf_t *)ttt->priv; |
||||
|
|
||||
|
if(priv) { |
||||
|
sa_twofish_t *sa; |
||||
|
|
||||
|
priv->num_sa=1; /* There is one SA in the array. */ |
||||
|
priv->tx_sa=0; |
||||
|
sa = &(priv->sa[priv->tx_sa]); |
||||
|
sa->sa_id=sa_num; |
||||
|
sa->spec.valid_until = 0x7fffffff; |
||||
|
|
||||
|
/* This is a preshared key setup. Both Tx and Rx are using the same security association. */ |
||||
|
|
||||
|
sa->enc_tf = TwoFishInit(encrypt_pwd, encrypt_pwd_len); |
||||
|
sa->dec_tf = TwoFishInit(encrypt_pwd, encrypt_pwd_len); |
||||
|
|
||||
|
if ( (sa->enc_tf) && (sa->dec_tf) ) |
||||
|
retval = 0; |
||||
|
else |
||||
|
traceEvent( TRACE_ERROR, "transop_twofish_setup_psk" ); |
||||
|
} else |
||||
|
traceEvent( TRACE_ERROR, "twofish priv is not allocated" ); |
||||
|
|
||||
|
return retval; |
||||
|
} |
||||
|
|
||||
|
int transop_twofish_init( n2n_trans_op_t * ttt ) |
||||
|
{ |
||||
|
int retval = 1; |
||||
|
transop_tf_t * priv = NULL; |
||||
|
|
||||
|
if ( ttt->priv ) |
||||
|
{ |
||||
|
transop_deinit_twofish( ttt ); |
||||
|
} |
||||
|
|
||||
|
memset( ttt, 0, sizeof( n2n_trans_op_t ) ); |
||||
|
|
||||
|
priv = (transop_tf_t *) malloc( sizeof(transop_tf_t) ); |
||||
|
|
||||
|
if ( NULL != priv ) { |
||||
|
size_t i; |
||||
|
sa_twofish_t * sa=NULL; |
||||
|
|
||||
|
/* install the private structure. */ |
||||
|
ttt->priv = priv; |
||||
|
priv->num_sa=0; |
||||
|
priv->tx_sa=0; /* We will use this sa index for encoding. */ |
||||
|
|
||||
|
ttt->transform_id = N2N_TRANSFORM_ID_TWOFISH; |
||||
|
ttt->addspec = transop_addspec_twofish; |
||||
|
ttt->tick = transop_tick_twofish; /* chooses a new tx_sa */ |
||||
|
ttt->deinit = transop_deinit_twofish; |
||||
|
ttt->fwd = transop_encode_twofish; |
||||
|
ttt->rev = transop_decode_twofish; |
||||
|
|
||||
|
for(i=0; i<N2N_TWOFISH_NUM_SA; ++i) |
||||
|
{ |
||||
|
sa = &(priv->sa[i]); |
||||
|
sa->sa_id=0; |
||||
|
memset( &(sa->spec), 0, sizeof(n2n_cipherspec_t) ); |
||||
|
sa->enc_tf=NULL; |
||||
|
sa->dec_tf=NULL; |
||||
|
} |
||||
|
|
||||
|
retval = 0; |
||||
|
} else { |
||||
|
memset( ttt, 0, sizeof(n2n_trans_op_t) ); |
||||
|
traceEvent( TRACE_ERROR, "Failed to allocate priv for twofish" ); |
||||
|
} |
||||
|
|
||||
|
return retval; |
||||
|
} |
Loading…
Reference in new issue