X-Git-Url: https://git.syn-net.org/debian/?a=blobdiff_plain;f=src%2FauthAlgo.cpp;h=f0e3303dead71ba8cb2b3668e644d33cb1dc337a;hb=refs%2Fremotes%2Forigin%2FHEAD;hp=f9228c6f2d285dd278ed08f8526559d8f2e9ca88;hpb=f9ad69dfae6bcec427652b0c4230603e465bd544;p=anytun.git diff --git a/src/authAlgo.cpp b/src/authAlgo.cpp index f9228c6..f0e3303 100644 --- a/src/authAlgo.cpp +++ b/src/authAlgo.cpp @@ -6,12 +6,12 @@ * tunnel endpoints. It has less protocol overhead than IPSec in Tunnel * mode and allows tunneling of every ETHER TYPE protocol (e.g. * ethernet, ip, arp ...). satp directly includes cryptography and - * message authentication based on the methodes used by SRTP. It is + * message authentication based on the methods used by SRTP. It is * intended to deliver a generic, scaleable and secure solution for * tunneling and relaying of packets of any protocol. * * - * Copyright (C) 2007-2009 Othmar Gsenger, Erwin Nindl, + * Copyright (C) 2007-2014 Markus Grüneis, Othmar Gsenger, Erwin Nindl, * Christian Pointner * * This file is part of Anytun. @@ -27,7 +27,20 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with anytun. If not, see . + * along with Anytun. If not, see . + * + * In addition, as a special exception, the copyright holders give + * permission to link the code of portions of this program with the + * OpenSSL library under certain conditions as described in each + * individual source file, and distribute linked combinations + * including the two. + * You must obey the GNU General Public License in all respects + * for all of the code used other than OpenSSL. If you modify + * file(s) with this exception, you may extend this exception to your + * version of the file(s), but you are not obligated to do so. If you + * do not wish to do so, delete this exception statement from your + * version. If you delete this exception statement from all source + * files in the program, then also delete it here. */ #include "authAlgo.h" @@ -54,115 +67,136 @@ bool NullAuthAlgo::checkTag(KeyDerivation& kd, EncryptedPacket& packet) Sha1AuthAlgo::Sha1AuthAlgo(kd_dir_t d) : AuthAlgo(d), key_(DIGEST_LENGTH) { -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + HMAC_CTX_init(&ctx_); + HMAC_Init_ex(&ctx_, NULL, 0, EVP_sha1(), NULL); +#elif defined(USE_NETTLE) + // nothing here +#else // USE_GCRYPT is the default gcry_error_t err = gcry_md_open(&handle_, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); if(err) { cLog.msg(Log::PRIO_ERROR) << "Sha1AuthAlgo::Sha1AuthAlgo: Failed to open message digest algo"; return; - } -#else - HMAC_CTX_init(&ctx_); - HMAC_Init_ex(&ctx_, NULL, 0, EVP_sha1(), NULL); + } #endif } Sha1AuthAlgo::~Sha1AuthAlgo() { -#ifndef USE_SSL_CRYPTO - if(handle_) - gcry_md_close(handle_); -#else +#if defined(USE_SSL_CRYPTO) HMAC_CTX_cleanup(&ctx_); -#endif +#elif defined(USE_NETTLE) + // nothing here +#else // USE_GCRYPT is the default + if(handle_) { + gcry_md_close(handle_); + } +#endif } void Sha1AuthAlgo::generate(KeyDerivation& kd, EncryptedPacket& packet) { -#ifndef USE_SSL_CRYPTO - if(!handle_) +#if defined(USE_GCRYPT) + if(!handle_) { return; + } #endif packet.addAuthTag(); - if(!packet.getAuthTagLength()) + if(!packet.getAuthTagLength()) { return; - + } + kd.generate(dir_, LABEL_AUTH, packet.getSeqNr(), key_); -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + HMAC_Init_ex(&ctx_, key_.getBuf(), key_.getLength(), EVP_sha1(), NULL); + + uint8_t hmac[DIGEST_LENGTH]; + HMAC_Update(&ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength()); + HMAC_Final(&ctx_, hmac, NULL); +#elif defined(USE_NETTLE) + hmac_sha1_set_key(&ctx_, key_.getLength(), key_.getBuf()); + + uint8_t hmac[DIGEST_LENGTH]; + hmac_sha1_update(&ctx_, packet.getAuthenticatedPortionLength(), packet.getAuthenticatedPortion()); + hmac_sha1_digest(&ctx_, DIGEST_LENGTH, hmac); +#else // USE_GCRYPT is the default gcry_error_t err = gcry_md_setkey(handle_, key_.getBuf(), key_.getLength()); if(err) { cLog.msg(Log::PRIO_ERROR) << "Sha1AuthAlgo::setKey: Failed to set hmac key: " << AnytunGpgError(err); return; - } + } gcry_md_reset(handle_); gcry_md_write(handle_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength()); gcry_md_final(handle_); - u_int8_t* hmac = gcry_md_read(handle_, 0); -#else - HMAC_Init_ex(&ctx_, key_.getBuf(), key_.getLength(), EVP_sha1(), NULL); - - u_int8_t hmac[DIGEST_LENGTH]; - HMAC_Update(&ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength()); - HMAC_Final(&ctx_, hmac, NULL); + uint8_t* hmac = gcry_md_read(handle_, 0); #endif - u_int8_t* tag = packet.getAuthTag(); - u_int32_t length = (packet.getAuthTagLength() < DIGEST_LENGTH) ? packet.getAuthTagLength() : DIGEST_LENGTH; + uint8_t* tag = packet.getAuthTag(); + uint32_t length = (packet.getAuthTagLength() < DIGEST_LENGTH) ? packet.getAuthTagLength() : DIGEST_LENGTH; - if(length > DIGEST_LENGTH) + if(length > DIGEST_LENGTH) { std::memset(tag, 0, packet.getAuthTagLength()); + } std::memcpy(&tag[packet.getAuthTagLength() - length], &hmac[DIGEST_LENGTH - length], length); } bool Sha1AuthAlgo::checkTag(KeyDerivation& kd, EncryptedPacket& packet) { -#ifndef USE_SSL_CRYPTO - if(!handle_) +#if defined(USE_GCRYPT) + if(!handle_) { return false; + } #endif packet.withAuthTag(true); - if(!packet.getAuthTagLength()) + if(!packet.getAuthTagLength()) { return true; + } kd.generate(dir_, LABEL_AUTH, packet.getSeqNr(), key_); -#ifndef USE_SSL_CRYPTO +#if defined(USE_SSL_CRYPTO) + HMAC_Init_ex(&ctx_, key_.getBuf(), key_.getLength(), EVP_sha1(), NULL); + + uint8_t hmac[DIGEST_LENGTH]; + HMAC_Update(&ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength()); + HMAC_Final(&ctx_, hmac, NULL); +#elif defined(USE_NETTLE) + hmac_sha1_set_key(&ctx_, key_.getLength(), key_.getBuf()); + + uint8_t hmac[DIGEST_LENGTH]; + hmac_sha1_update(&ctx_, packet.getAuthenticatedPortionLength(), packet.getAuthenticatedPortion()); + hmac_sha1_digest(&ctx_, DIGEST_LENGTH, hmac); +#else // USE_GCRYPT is the default gcry_error_t err = gcry_md_setkey(handle_, key_.getBuf(), key_.getLength()); if(err) { cLog.msg(Log::PRIO_ERROR) << "Sha1AuthAlgo::setKey: Failed to set hmac key: " << AnytunGpgError(err); return false; - } - + } + gcry_md_reset(handle_); gcry_md_write(handle_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength()); gcry_md_final(handle_); - u_int8_t* hmac = gcry_md_read(handle_, 0); -#else - HMAC_Init_ex(&ctx_, key_.getBuf(), key_.getLength(), EVP_sha1(), NULL); - - u_int8_t hmac[DIGEST_LENGTH]; - HMAC_Update(&ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength()); - HMAC_Final(&ctx_, hmac, NULL); + uint8_t* hmac = gcry_md_read(handle_, 0); #endif - u_int8_t* tag = packet.getAuthTag(); - u_int32_t length = (packet.getAuthTagLength() < DIGEST_LENGTH) ? packet.getAuthTagLength() : DIGEST_LENGTH; + uint8_t* tag = packet.getAuthTag(); + uint32_t length = (packet.getAuthTagLength() < DIGEST_LENGTH) ? packet.getAuthTagLength() : DIGEST_LENGTH; if(length > DIGEST_LENGTH) - for(u_int32_t i=0; i < (packet.getAuthTagLength() - DIGEST_LENGTH); ++i) - if(tag[i]) return false; + for(uint32_t i=0; i < (packet.getAuthTagLength() - DIGEST_LENGTH); ++i) + if(tag[i]) { return false; } int ret = std::memcmp(&tag[packet.getAuthTagLength() - length], &hmac[DIGEST_LENGTH - length], length); packet.removeAuthTag(); - - if(ret) + + if(ret) { return false; + } return true; - } #endif -