From b8fcf091779468def5493f7db9dc55334c826003 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Sun, 7 Jun 2020 10:00:18 +0200
Subject: [PATCH] Compilation fixes
---
 README.md | 3 +-
 edge.c | 87 ++++++++++++++++++++++++++----------------------
 transform_cc20.c | 6 ----
 3 files changed, 50 insertions(+), 46 deletions(-)
diff --git a/README.md b/README.md
index 862232f..fb99257 100644
--- a/README.md
+++ b/README.md
@@ -109,7 +109,8 @@ When encryption is enabled, the supernode will not be able to decrypt the traffi
 two edge nodes, but it will know that edge A is talking with edge B. Recently AES encryption support has been implemented, which increases both security and performance,
-so it is recommended to enable it on all the edge nodes by specifying the `-A` option.
+so it is recommended to enable it on all the edge nodes that must have the -Ax value. When possible
+(i.e. when n2n is compiled with OpenSSL 1.1) we recommend to use -A4
 A benchmark of the encryption methods is available when compiled from source with `tools/n2n-benchmark`.
diff --git a/edge.c b/edge.c
index da0cd4f..fe2eb41 100644
--- a/edge.c
+++ b/edge.c
@@ -189,12 +189,12 @@ static void help() {
 #endif
 printf("-r | Enable packet forwarding through n2n community.\n");
 printf("-A1 | Disable payload encryption. Do not use with -k.\n");
- printf("-A2 | Use Twofish for payload encryption (default). Requires a key.\n");
+ printf("-A2 | Use Twofish for payload encryption (default). Requires a key (-k).\n");
 #ifdef N2N_HAVE_AES
- printf("-A3 or -A (deprecated) | Use AES-CBC for payload encryption. Requires a key.\n");
+ printf("-A3 or -A (deprecated) | Use AES-CBC for payload encryption. Requires a key (-k).\n");
 #endif
 #ifdef HAVE_OPENSSL_1_1
- printf("-A4 | Use ChaCha20 for payload encryption. Requires a key.\n");
+ printf("-A4 | Use ChaCha20 for payload encryption. Requires a key (-k).\n");
 #endif
 printf("-z | Enable lzo1x compression for outgoing data packets\n");
 printf(" | (default=disabled).\n");
@@ -220,6 +220,46 @@ static void help() {
 /* *************************************************** */
+static void setPayloadEncryption( n2n_edge_conf_t *conf, int cipher) {
+ /* even though 'cipher' and 'conf->transop_id' share the same encoding scheme,
+ * a switch-statement under conditional compilation is used to sort out the
+ * unsupported ciphers */
+ switch (cipher) {
+ case 1:
+ {
+ conf->transop_id = N2N_TRANSFORM_ID_NULL;
+ break;
+ }
+ case 2:
+ {
+ conf->transop_id = N2N_TRANSFORM_ID_TWOFISH;
+ break;
+ }
+#ifdef N2N_HAVE_AES
+ case 3:
+ {
+ conf->transop_id = N2N_TRANSFORM_ID_AESCBC;
+ break;
+ }
+#endif
+#ifdef HAVE_OPENSSL_1_1
+ case 4:
+ {
+ conf->transop_id = N2N_TRANSFORM_ID_CHACHA20;
+ break;
+ }
+#endif
+ default:
+ {
+ conf->transop_id = N2N_TRANSFORM_ID_INVAL;
+ traceEvent(TRACE_NORMAL, "the %s cipher given by -A_ option is not supported in this version.", transop_str(cipher));
+ exit(1);
+ }
+ }
+}
+
+/* *************************************************** */
+
 static int setOption(int optkey, char *optargument, n2n_priv_config_t *ec, n2n_edge_conf_t *conf) {
 /* traceEvent(TRACE_NORMAL, "Option %c = %s", optkey, optargument ? optargument : ""); */
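Review bot: In the `default:` branch of setPayloadEncryption, `transop_str(cipher)` receives whatever integer the caller derived from the user's -A argument (anything outside 1–4, including negative and very large values); unless transop_str bounds-checks its argument, which is not visible here, that is a lookup driven by unvalidated input, and the message is clearer with the raw number anyway: `traceEvent(TRACE_NORMAL, "cipher %d given by -A option is not supported in this version.", cipher);`. Separately, `case 1` selects N2N_TRANSFORM_ID_NULL with no log line, so an edge configured with -A1 sends payloads in clear without any trace of it; a `traceEvent(TRACE_NORMAL, "payload encryption disabled (-A1): edge traffic is sent in clear");` before that `break;` would make the choice visible in the logs. The function also calls `exit(1)` from a configuration setter although setOption returns an `int`; returning an error for setOption to propagate would keep option parsing testable, but that is a larger change than this commit needs.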
@@ -308,48 +348,17 @@ static int setOption(int optkey, char *optargument, n2n_priv_config_t *ec, n2n_e
 case 'A': {
- int cipher = N2N_TRANSFORM_ID_AESCBC; // default, if '-A' only
+ int cipher;
+
 if (optargument) {
 cipher = atoi(optargument);
 } else {
 traceEvent(TRACE_NORMAL, "the use of the solitary -A switch is deprecated and might not be supported in future versions. " "please use -A3 instead to choose a the AES-CBC cipher for payload encryption.");
+ cipher = N2N_TRANSFORM_ID_AESCBC; // default, if '-A' only
 }
- /* even though 'cipher' and 'conf->transop_id' share the same encoding scheme,
- * a switch-statement under conditional compilation is used to sort out the
- * unsupported ciphers */
- switch (cipher) {
- case 1:
- {
- conf->transop_id = N2N_TRANSFORM_ID_NULL;
- break;
- }
- case 2:
- {
- conf->transop_id = N2N_TRANSFORM_ID_TWOFISH;
- break;
- }
-#ifdef N2N_HAVE_AES
- case 3:
- {
- conf->transop_id = N2N_TRANSFORM_ID_AESCBC;
- break;
- }
-#endif
-#ifdef HAVE_OPENSSL_1_1
- case 4:
- {
- conf->transop_id = N2N_TRANSFORM_ID_CHACHA20;
- break;
- }
-#endif
- default:
- {
- conf->transop_id = N2N_TRANSFORM_ID_INVAL;
- traceEvent(TRACE_NORMAL, "the %s cipher given by -A_ option is not supported in this version.", transop_str(cipher));
- exit(1);
- }
- }
+
+ setPayloadEncryption(conf, cipher);
 break;
 }
diff --git a/transform_cc20.c b/transform_cc20.c
index 389cfe5..f937775 100644
--- a/transform_cc20.c
+++ b/transform_cc20.c
@@ -120,9 +120,6 @@ static int transop_encode_cc20(n2n_trans_op_t * arg,
 /* Generate and encode the IV. */
 set_cc20_iv(priv, enc_ivec);
 encode_buf(outbuf, &idx, &enc_ivec, N2N_CC20_IVEC_SIZE);
- traceEvent(TRACE_DEBUG, "encode_cc20 iv=%016llx:%016llx",
- htobe64(*(uint64_t*)&enc_ivec[0]),
- htobe64(*(uint64_t*)&enc_ivec[8]) );
 /* Encrypt the assembly contents and write the ciphertext after the iv. */
 /* len is set to the length of the cipher plain text to be encrpyted
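Review bot: `cipher = atoi(optargument)` in the `case 'A'` branch accepts trailing garbage and is undefined on overflow, so `-A3abc` silently selects AES-CBC and an oversized number reaches setPayloadEncryption with an unspecified value; a strict parse such as `char *end = NULL;`, `long v = strtol(optargument, &end, 10);`, `cipher = (end != optargument && *end == '\0' && v > 0 && v < 256) ? (int)v : 0;` makes both cases land in setPayloadEncryption's rejecting `default:` branch instead. The enclosing setOption() starts before this hunk, so how its `int` return value is used by the caller is not visible here. While this text is being touched, the deprecation message on the context lines still reads "choose a the AES-CBC cipher".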
@@ -198,9 +195,6 @@ static int transop_decode_cc20(n2n_trans_op_t * arg,
 /* Get the IV */
 decode_buf((uint8_t *)&dec_ivec, N2N_CC20_IVEC_SIZE, inbuf, &rem, &idx);
- traceEvent(TRACE_DEBUG, "decode_cc20 iv=%016llx:%016llx",
- htobe64(*(uint64_t*)&dec_ivec[0]),
- htobe64(*(uint64_t*)&dec_ivec[8]) );
 EVP_CIPHER_CTX *ctx = priv->dec_ctx;
 int evp_len;