4 * The secure anycast tunneling protocol (satp) defines a protocol used
5 * for communication between any combination of unicast and anycast
6 * tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
7 * mode and allows tunneling of every ETHER TYPE protocol (e.g.
8 * ethernet, ip, arp ...). satp directly includes cryptography and
9 * message authentication based on the methods used by SRTP. It is
10 * intended to deliver a generic, scaleable and secure solution for
11 * tunneling and relaying of packets of any protocol.
14 * Copyright (C) 2007-2014 Markus Grüneis, Othmar Gsenger, Erwin Nindl,
15 * Christian Pointner <satp@wirdorange.org>
17 * This file is part of Anytun.
19 * Anytun is free software: you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation, either version 3 of the License, or
24 * Anytun is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
29 * You should have received a copy of the GNU General Public License
30 * along with Anytun. If not, see <http://www.gnu.org/licenses/>.
32 * In addition, as a special exception, the copyright holders give
33 * permission to link the code of portions of this program with the
34 * OpenSSL library under certain conditions as described in each
35 * individual source file, and distribute linked combinations
37 * You must obey the GNU General Public License in all respects
38 * for all of the code used other than OpenSSL. If you modify
39 * file(s) with this exception, you may extend this exception to your
40 * version of the file(s), but you are not obligated to do so. If you
41 * do not wish to do so, delete this exception statement from your
42 * version. If you delete this exception statement from all source
43 * files in the program, then also delete it here.
48 #include "anytunError.h"
50 #include "encryptedPacket.h"
55 //****** NullAuthAlgo ******
56 void NullAuthAlgo::generate(KeyDerivation& kd, EncryptedPacket& packet)
60 bool NullAuthAlgo::checkTag(KeyDerivation& kd, EncryptedPacket& packet)
66 //****** Sha1AuthAlgo ******
68 Sha1AuthAlgo::Sha1AuthAlgo(kd_dir_t d) : AuthAlgo(d), key_(DIGEST_LENGTH)
70 #if defined(USE_SSL_CRYPTO)
72 #elif defined(USE_NETTLE)
74 #else // USE_GCRYPT is the default
79 bool Sha1AuthAlgo::Init()
81 #if defined(USE_SSL_CRYPTO)
82 # if OPENSSL_VERSION_NUMBER >= 0x10100000L
83 if ((ctx_ = HMAC_CTX_new()) == NULL) {
87 if ((ctx_ = (HMAC_CTX*)calloc(1, sizeof(HMAC_CTX))) == NULL) {
92 HMAC_Init_ex(ctx_, NULL, 0, EVP_sha1(), NULL);
93 #elif defined(USE_NETTLE)
95 #else // USE_GCRYPT is the default
96 gcry_error_t err = gcry_md_open(&handle_, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC);
98 cLog.msg(Log::PRIO_ERROR) << "Sha1AuthAlgo::Sha1AuthAlgo: Failed to open message digest algo";
105 Sha1AuthAlgo::~Sha1AuthAlgo()
107 #if defined(USE_SSL_CRYPTO)
109 # if OPENSSL_VERSION_NUMBER >= 0x10100000L
112 HMAC_CTX_cleanup(ctx_);
116 #elif defined(USE_NETTLE)
118 #else // USE_GCRYPT is the default
120 gcry_md_close(handle_);
125 void Sha1AuthAlgo::generate(KeyDerivation& kd, EncryptedPacket& packet)
127 #if defined(USE_GCRYPT)
134 if(!packet.getAuthTagLength()) {
138 kd.generate(dir_, LABEL_AUTH, packet.getSeqNr(), key_);
139 #if defined(USE_SSL_CRYPTO)
140 HMAC_Init_ex(ctx_, key_.getBuf(), key_.getLength(), EVP_sha1(), NULL);
142 uint8_t hmac[DIGEST_LENGTH];
143 HMAC_Update(ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength());
144 HMAC_Final(ctx_, hmac, NULL);
145 #elif defined(USE_NETTLE)
146 hmac_sha1_set_key(&ctx_, key_.getLength(), key_.getBuf());
148 uint8_t hmac[DIGEST_LENGTH];
149 hmac_sha1_update(&ctx_, packet.getAuthenticatedPortionLength(), packet.getAuthenticatedPortion());
150 hmac_sha1_digest(&ctx_, DIGEST_LENGTH, hmac);
151 #else // USE_GCRYPT is the default
152 gcry_error_t err = gcry_md_setkey(handle_, key_.getBuf(), key_.getLength());
154 cLog.msg(Log::PRIO_ERROR) << "Sha1AuthAlgo::setKey: Failed to set hmac key: " << AnytunGpgError(err);
158 gcry_md_reset(handle_);
159 gcry_md_write(handle_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength());
160 gcry_md_final(handle_);
161 uint8_t* hmac = gcry_md_read(handle_, 0);
164 uint8_t* tag = packet.getAuthTag();
165 uint32_t length = (packet.getAuthTagLength() < DIGEST_LENGTH) ? packet.getAuthTagLength() : DIGEST_LENGTH;
167 if(length > DIGEST_LENGTH) {
168 std::memset(tag, 0, packet.getAuthTagLength());
171 std::memcpy(&tag[packet.getAuthTagLength() - length], &hmac[DIGEST_LENGTH - length], length);
174 bool Sha1AuthAlgo::checkTag(KeyDerivation& kd, EncryptedPacket& packet)
176 #if defined(USE_GCRYPT)
182 packet.withAuthTag(true);
183 if(!packet.getAuthTagLength()) {
187 kd.generate(dir_, LABEL_AUTH, packet.getSeqNr(), key_);
188 #if defined(USE_SSL_CRYPTO)
189 HMAC_Init_ex(ctx_, key_.getBuf(), key_.getLength(), EVP_sha1(), NULL);
191 uint8_t hmac[DIGEST_LENGTH];
192 HMAC_Update(ctx_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength());
193 HMAC_Final(ctx_, hmac, NULL);
194 #elif defined(USE_NETTLE)
195 hmac_sha1_set_key(&ctx_, key_.getLength(), key_.getBuf());
197 uint8_t hmac[DIGEST_LENGTH];
198 hmac_sha1_update(&ctx_, packet.getAuthenticatedPortionLength(), packet.getAuthenticatedPortion());
199 hmac_sha1_digest(&ctx_, DIGEST_LENGTH, hmac);
200 #else // USE_GCRYPT is the default
201 gcry_error_t err = gcry_md_setkey(handle_, key_.getBuf(), key_.getLength());
203 cLog.msg(Log::PRIO_ERROR) << "Sha1AuthAlgo::setKey: Failed to set hmac key: " << AnytunGpgError(err);
207 gcry_md_reset(handle_);
208 gcry_md_write(handle_, packet.getAuthenticatedPortion(), packet.getAuthenticatedPortionLength());
209 gcry_md_final(handle_);
210 uint8_t* hmac = gcry_md_read(handle_, 0);
213 uint8_t* tag = packet.getAuthTag();
214 uint32_t length = (packet.getAuthTagLength() < DIGEST_LENGTH) ? packet.getAuthTagLength() : DIGEST_LENGTH;
216 if(length > DIGEST_LENGTH)
217 for(uint32_t i=0; i < (packet.getAuthTagLength() - DIGEST_LENGTH); ++i)
218 if(tag[i]) { return false; }
220 int ret = std::memcmp(&tag[packet.getAuthTagLength() - length], &hmac[DIGEST_LENGTH - length], length);
221 packet.removeAuthTag();