X-Git-Url: https://git.syn-net.org/?p=debian%2Fuanytun.git;a=blobdiff_plain;f=src%2Fauth_algo.c;h=ac102c76e0ed8a7abce61498d64d867254593140;hp=b148946c3942ec49d970d50002c42b9d90132ec1;hb=71f6f666a3d69c6e1e7a77e238362c5bbe288e66;hpb=aa74a4fd24d8e8537f76531e6257fa90145355d3 diff --git a/src/auth_algo.c b/src/auth_algo.c index b148946..ac102c7 100644 --- a/src/auth_algo.c +++ b/src/auth_algo.c @@ -10,12 +10,12 @@ * tunnel endpoints. It has less protocol overhead than IPSec in Tunnel * mode and allows tunneling of every ETHER TYPE protocol (e.g. * ethernet, ip, arp ...). satp directly includes cryptography and - * message authentication based on the methodes used by SRTP. It is + * message authentication based on the methods used by SRTP. It is * intended to deliver a generic, scaleable and secure solution for * tunneling and relaying of packets of any protocol. - * * - * Copyright (C) 2007-2010 Christian Pointner + * + * Copyright (C) 2007-2014 Christian Pointner * * This file is part of uAnytun. * @@ -31,6 +31,19 @@ * * You should have received a copy of the GNU General Public License * along with uAnytun. If not, see . + * + * In addition, as a special exception, the copyright holders give + * permission to link the code of portions of this program with the + * OpenSSL library under certain conditions as described in each + * individual source file, and distribute linked combinations + * including the two. + * You must obey the GNU General Public License in all respects + * for all of the code used other than OpenSSL. If you modify + * file(s) with this exception, you may extend this exception to your + * version of the file(s), but you are not obligated to do so. If you + * do not wish to do so, delete this exception statement from your + * version. If you delete this exception statement from all source + * files in the program, then also delete it here. */ #include "datatypes.h" @@ -50,7 +63,7 @@ auth_algo_type_t auth_algo_get_type(const char* type) return aa_null; else if(!strcmp(type, "sha1")) return aa_sha1; - + return aa_unknown; } @@ -65,7 +78,7 @@ u_int32_t auth_algo_get_max_length(const char* type) int auth_algo_init(auth_algo_t* aa, const char* type) { - if(!aa) + if(!aa) return -1; aa->type_ = auth_algo_get_type(type); @@ -103,7 +116,7 @@ void auth_algo_close(auth_algo_t* aa) void auth_algo_generate(auth_algo_t* aa, key_derivation_t* kd, key_derivation_dir_t dir, encrypted_packet_t* packet) { - if(!aa) + if(!aa) return; if(aa->type_ == aa_null) @@ -118,7 +131,7 @@ void auth_algo_generate(auth_algo_t* aa, key_derivation_t* kd, key_derivation_di int auth_algo_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_derivation_dir_t dir, encrypted_packet_t* packet) { - if(!aa) + if(!aa) return 0; if(aa->type_ == aa_null) @@ -152,17 +165,19 @@ int auth_algo_sha1_init(auth_algo_t* aa) if(!aa->params_) return -2; +#if defined(USE_SSL_CRYPTO) + auth_algo_sha1_param_t* params = aa->params_; + HMAC_CTX_init(¶ms->ctx_); + HMAC_Init_ex(¶ms->ctx_, NULL, 0, EVP_sha1(), NULL); +#elif defined(USE_NETTLE) + // nothing here +#else // USE_GCRYPT is the default auth_algo_sha1_param_t* params = aa->params_; - -#ifndef USE_SSL_CRYPTO gcry_error_t err = gcry_md_open(¶ms->handle_, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); if(err) { log_printf(ERROR, "failed to open message digest algo: %s", gcry_strerror(err)); return -1; - } -#else - HMAC_CTX_init(¶ms->ctx_); - HMAC_Init_ex(¶ms->ctx_, NULL, 0, EVP_sha1(), NULL); + } #endif return 0; @@ -174,14 +189,16 @@ void auth_algo_sha1_close(auth_algo_t* aa) return; if(aa->params_) { +#if defined(USE_SSL_CRYPTO) + auth_algo_sha1_param_t* params = aa->params_; + HMAC_CTX_cleanup(¶ms->ctx_); +#elif defined(USE_NETTLE) + // nothing here +#else // USE_GCRYPT is the default auth_algo_sha1_param_t* params = aa->params_; - -#ifndef USE_SSL_CRYPTO if(params->handle_) gcry_md_close(params->handle_); -#else - HMAC_CTX_cleanup(¶ms->ctx_); -#endif +#endif free(aa->params_); } @@ -207,23 +224,29 @@ void auth_algo_sha1_generate(auth_algo_t* aa, key_derivation_t* kd, key_derivati if(ret < 0) return; -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); + + u_int8_t hmac[SHA1_LENGTH]; + HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); + HMAC_Final(¶ms->ctx_, hmac, NULL); +#elif defined(USE_NETTLE) + hmac_sha1_set_key(¶ms->ctx_, aa->key_.length_, aa->key_.buf_); + + u_int8_t hmac[SHA1_LENGTH]; + hmac_sha1_update(¶ms->ctx_, encrypted_packet_get_auth_portion_length(packet), encrypted_packet_get_auth_portion(packet)); + hmac_sha1_digest(¶ms->ctx_, SHA1_LENGTH, hmac); +#else // USE_GCRYPT is the default gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_); if(err) { log_printf(ERROR, "failed to set hmac key: %s", gcry_strerror(err)); return; - } - + } + gcry_md_reset(params->handle_); gcry_md_write(params->handle_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); gcry_md_final(params->handle_); u_int8_t* hmac = gcry_md_read(params->handle_, 0); -#else - HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); - - u_int8_t hmac[SHA1_LENGTH]; - HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); - HMAC_Final(¶ms->ctx_, hmac, NULL); #endif u_int8_t* tag = encrypted_packet_get_auth_tag(packet); @@ -255,23 +278,29 @@ int auth_algo_sha1_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_derivati if(ret < 0) return 0; -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); + + u_int8_t hmac[SHA1_LENGTH]; + HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); + HMAC_Final(¶ms->ctx_, hmac, NULL); +#elif defined(USE_NETTLE) + hmac_sha1_set_key(¶ms->ctx_, aa->key_.length_, aa->key_.buf_); + + u_int8_t hmac[SHA1_LENGTH]; + hmac_sha1_update(¶ms->ctx_, encrypted_packet_get_auth_portion_length(packet), encrypted_packet_get_auth_portion(packet)); + hmac_sha1_digest(¶ms->ctx_, SHA1_LENGTH, hmac); +#else // USE_GCRYPT is the default gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_); if(err) { log_printf(ERROR, "failed to set hmac key: %s", gcry_strerror(err)); return -1; - } + } gcry_md_reset(params->handle_); gcry_md_write(params->handle_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); gcry_md_final(params->handle_); u_int8_t* hmac = gcry_md_read(params->handle_, 0); -#else - HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL); - - u_int8_t hmac[SHA1_LENGTH]; - HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet)); - HMAC_Final(¶ms->ctx_, hmac, NULL); #endif u_int8_t* tag = encrypted_packet_get_auth_tag(packet); @@ -280,11 +309,11 @@ int auth_algo_sha1_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_derivati if(length > SHA1_LENGTH) { u_int32_t i; for(i=0; i < (encrypted_packet_get_auth_tag_length(packet) - SHA1_LENGTH); ++i) - if(tag[i]) return 0; + if(tag[i]) return 0; } - + int result = memcmp(&tag[encrypted_packet_get_auth_tag_length(packet) - length], &hmac[SHA1_LENGTH - length], length); - + if(result) return 0;