removed minor tranform version

Logan007 2020-08-15 21:14:24 +05:45
parent 052127734e
commit c2cae9d02e
4 changed files with 22 additions and 103 deletions


@ -25,7 +25,6 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#define N2N_AES_TRANSFORM_VERSION 1 /* version of the transform encoding */
#define N2N_AES_IVEC_SIZE (AES_BLOCK_SIZE) #define N2N_AES_IVEC_SIZE (AES_BLOCK_SIZE)
#define AES256_KEY_BYTES (256/8) #define AES256_KEY_BYTES (256/8)
@ -33,13 +32,12 @@
#define AES128_KEY_BYTES (128/8) #define AES128_KEY_BYTES (128/8)
/* AES plaintext preamble */ /* AES plaintext preamble */
#define TRANSOP_AES_VER_SIZE 1 /* Support minor variants in encoding in one module. */
#define TRANSOP_AES_IV_SEED_SIZE 8 /* size of transmitted random part of IV in bytes; could range #define TRANSOP_AES_IV_SEED_SIZE 8 /* size of transmitted random part of IV in bytes; could range
* from 0=lowest security (constant IV) to 16=higest security * from 0=lowest security (constant IV) to 16=higest security
* (fully random IV); default=8 */ * (fully random IV); default=8 */
#define TRANSOP_AES_IV_PADDING_SIZE (N2N_AES_IVEC_SIZE - TRANSOP_AES_IV_SEED_SIZE) #define TRANSOP_AES_IV_PADDING_SIZE (N2N_AES_IVEC_SIZE - TRANSOP_AES_IV_SEED_SIZE)
#define TRANSOP_AES_IV_KEY_BYTES (AES128_KEY_BYTES) /* use AES128 for IV encryption */ #define TRANSOP_AES_IV_KEY_BYTES (AES128_KEY_BYTES) /* use AES128 for IV encryption */
#define TRANSOP_AES_PREAMBLE_SIZE (TRANSOP_AES_VER_SIZE + TRANSOP_AES_IV_SEED_SIZE) #define TRANSOP_AES_PREAMBLE_SIZE (TRANSOP_AES_IV_SEED_SIZE)
typedef unsigned char n2n_aes_ivec_t[N2N_AES_IVEC_SIZE]; typedef unsigned char n2n_aes_ivec_t[N2N_AES_IVEC_SIZE];
@ -138,11 +136,10 @@ static void set_aes_cbc_iv(transop_aes_t *priv, n2n_aes_ivec_t ivec, uint8_t * i
/** The aes packet format consists of: /** The aes packet format consists of:
* *
* - a 8-bit aes encoding version in clear text
* - a TRANSOP_AES_IV_SEED_SIZE-sized [bytes] random IV seed * - a TRANSOP_AES_IV_SEED_SIZE-sized [bytes] random IV seed
* - encrypted payload. * - encrypted payload.
* *
* [V|II|DDDDDDDDDDDDDDDDDDDDD] * [II|DDDDDDDDDDDDDDDDDDDDD]
* |<---- encrypted ---->| * |<---- encrypted ---->|
*/ */
static int transop_encode_aes(n2n_trans_op_t * arg, static int transop_encode_aes(n2n_trans_op_t * arg,
@ -165,9 +162,6 @@ static int transop_encode_aes(n2n_trans_op_t * arg,
traceEvent(TRACE_DEBUG, "encode_aes %lu", in_len); traceEvent(TRACE_DEBUG, "encode_aes %lu", in_len);
/* Encode the aes format version. */
encode_uint8(outbuf, &idx, N2N_AES_TRANSFORM_VERSION);
/* Generate and encode the IV seed using as many calls to n2n_rand() as neccessary. /* Generate and encode the IV seed using as many calls to n2n_rand() as neccessary.
* Note: ( N2N_AES_IV_SEED_SIZE % sizeof(rand_value) ) not neccessarily equals 0. */ * Note: ( N2N_AES_IV_SEED_SIZE % sizeof(rand_value) ) not neccessarily equals 0. */
uint64_t rand_value; uint64_t rand_value;
@ -257,18 +251,13 @@ static int transop_decode_aes(n2n_trans_op_t * arg,
uint8_t assembly[N2N_PKT_BUF_SIZE]; uint8_t assembly[N2N_PKT_BUF_SIZE];
if(((in_len - TRANSOP_AES_PREAMBLE_SIZE) <= N2N_PKT_BUF_SIZE) /* Cipher text fits in assembly */ if(((in_len - TRANSOP_AES_PREAMBLE_SIZE) <= N2N_PKT_BUF_SIZE) /* Cipher text fits in assembly */
&& (in_len >= TRANSOP_AES_PREAMBLE_SIZE) /* Has at least version, iv seed */ && (in_len >= TRANSOP_AES_PREAMBLE_SIZE) /* Has at least iv seed */
) )
{ {
size_t rem=in_len; size_t rem=in_len;
size_t idx=0; size_t idx=0;
uint8_t aes_enc_ver=0;
uint8_t iv_seed[TRANSOP_AES_IV_SEED_SIZE]; uint8_t iv_seed[TRANSOP_AES_IV_SEED_SIZE];
/* Get the encoding version to make sure it is supported */
decode_uint8(&aes_enc_ver, inbuf, &rem, &idx );
if(N2N_AES_TRANSFORM_VERSION == aes_enc_ver) {
/* Get the IV seed */ /* Get the IV seed */
decode_buf((uint8_t *)&iv_seed, TRANSOP_AES_IV_SEED_SIZE, inbuf, &rem, &idx); decode_buf((uint8_t *)&iv_seed, TRANSOP_AES_IV_SEED_SIZE, inbuf, &rem, &idx);
@ -336,8 +325,6 @@ static int transop_decode_aes(n2n_trans_op_t * arg,
traceEvent(TRACE_WARNING, "Encrypted length %d is not a multiple of AES_BLOCK_SIZE (%d)", len, AES_BLOCK_SIZE); traceEvent(TRACE_WARNING, "Encrypted length %d is not a multiple of AES_BLOCK_SIZE (%d)", len, AES_BLOCK_SIZE);
len = 0; len = 0;
} }
} else
traceEvent(TRACE_ERROR, "decode_aes unsupported aes version %u.", aes_enc_ver);
} else } else
traceEvent(TRACE_ERROR, "decode_aes inbuf wrong size (%ul) to decrypt.", in_len); traceEvent(TRACE_ERROR, "decode_aes inbuf wrong size (%ul) to decrypt.", in_len);
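Review bot: With the version byte gone, transop_decode_aes in the hunk at `@ -257,18 +251,13` decrypts any input of at least TRANSOP_AES_IV_SEED_SIZE bytes, so a peer speaking an incompatible encoding revision now yields garbage plaintext instead of the former "unsupported aes version" error, and nothing left in the preamble can signal a future layout change. The packet-format docblock above transop_encode_aes should state that explicitly, e.g. ` * Note: the preamble carries no format version; any incompatible change to this layout has to be signalled outside this module (presumably by a new transform id).` The same applies to the cc20, speck and twofish sections of this commit, which drop the same check. Separately, the encode hunk's context comment refers to N2N_AES_IV_SEED_SIZE while the macro defined above is TRANSOP_AES_IV_SEED_SIZE; that is pre-existing, but worth fixing while the preamble is being reworked. transop_decode_aes's body continues outside the hunk.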


@ -24,14 +24,12 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#define N2N_CC20_TRANSFORM_VERSION 1 /* version of the transform encoding */
#define N2N_CC20_IVEC_SIZE 16 #define N2N_CC20_IVEC_SIZE 16
#define CC20_KEY_BYTES (256/8) #define CC20_KEY_BYTES (256/8)
/* ChaCha20 plaintext preamble */ /* ChaCha20 plaintext preamble */
#define TRANSOP_CC20_VER_SIZE 1 /* Support minor variants in encoding in one module. */ #define TRANSOP_CC20_PREAMBLE_SIZE (N2N_CC20_IVEC_SIZE)
#define TRANSOP_CC20_PREAMBLE_SIZE (TRANSOP_CC20_VER_SIZE + N2N_CC20_IVEC_SIZE)
typedef unsigned char n2n_cc20_ivec_t[N2N_CC20_IVEC_SIZE]; typedef unsigned char n2n_cc20_ivec_t[N2N_CC20_IVEC_SIZE];
@ -89,11 +87,10 @@ static void set_cc20_iv(transop_cc20_t *priv, n2n_cc20_ivec_t ivec) {
/** The ChaCha20 packet format consists of: /** The ChaCha20 packet format consists of:
* *
* - a 8-bit cc20 encoding version in clear text
* - a 128-bit random IV * - a 128-bit random IV
* - encrypted payload. * - encrypted payload.
* *
* [V|IIII|DDDDDDDDDDDDDDDDDDDDD] * [IIII|DDDDDDDDDDDDDDDDDDDDD]
* |<---- encrypted ---->| * |<---- encrypted ---->|
*/ */
static int transop_encode_cc20(n2n_trans_op_t * arg, static int transop_encode_cc20(n2n_trans_op_t * arg,
@ -113,9 +110,6 @@ static int transop_encode_cc20(n2n_trans_op_t * arg,
traceEvent(TRACE_DEBUG, "encode_cc20 %lu bytes", in_len); traceEvent(TRACE_DEBUG, "encode_cc20 %lu bytes", in_len);
/* Encode the ChaCha20 format version. */
encode_uint8(outbuf, &idx, N2N_CC20_TRANSFORM_VERSION);
/* Generate and encode the IV. */ /* Generate and encode the IV. */
set_cc20_iv(priv, enc_ivec); set_cc20_iv(priv, enc_ivec);
encode_buf(outbuf, &idx, &enc_ivec, N2N_CC20_IVEC_SIZE); encode_buf(outbuf, &idx, &enc_ivec, N2N_CC20_IVEC_SIZE);
@ -177,18 +171,13 @@ static int transop_decode_cc20(n2n_trans_op_t * arg,
uint8_t assembly[N2N_PKT_BUF_SIZE]; uint8_t assembly[N2N_PKT_BUF_SIZE];
if(((in_len - TRANSOP_CC20_PREAMBLE_SIZE) <= N2N_PKT_BUF_SIZE) /* Cipher text fits in assembly */ if(((in_len - TRANSOP_CC20_PREAMBLE_SIZE) <= N2N_PKT_BUF_SIZE) /* Cipher text fits in assembly */
&& (in_len >= TRANSOP_CC20_PREAMBLE_SIZE) /* Has at least version, iv */ && (in_len >= TRANSOP_CC20_PREAMBLE_SIZE) /* Has at least iv */
) )
{ {
size_t rem=in_len; size_t rem=in_len;
size_t idx=0; size_t idx=0;
uint8_t cc20_enc_ver=0;
n2n_cc20_ivec_t dec_ivec = {0}; n2n_cc20_ivec_t dec_ivec = {0};
/* Get the encoding version to make sure it is supported */
decode_uint8(&cc20_enc_ver, inbuf, &rem, &idx );
if(N2N_CC20_TRANSFORM_VERSION == cc20_enc_ver) {
traceEvent(TRACE_DEBUG, "decode_cc20 %lu bytes", in_len); traceEvent(TRACE_DEBUG, "decode_cc20 %lu bytes", in_len);
len = (in_len - TRANSOP_CC20_PREAMBLE_SIZE); len = (in_len - TRANSOP_CC20_PREAMBLE_SIZE);
@ -221,8 +210,6 @@ static int transop_decode_cc20(n2n_trans_op_t * arg,
EVP_CIPHER_CTX_reset(ctx); EVP_CIPHER_CTX_reset(ctx);
memcpy(outbuf, assembly, len); memcpy(outbuf, assembly, len);
} else
traceEvent(TRACE_ERROR, "decode_cc20 unsupported ChaCha20 version %u.", cc20_enc_ver);
} else } else
traceEvent(TRACE_ERROR, "decode_cc20 inbuf wrong size (%ul) to decrypt.", in_len); traceEvent(TRACE_ERROR, "decode_cc20 inbuf wrong size (%ul) to decrypt.", in_len);


@ -18,14 +18,12 @@
#include "n2n.h" #include "n2n.h"
#define N2N_SPECK_TRANSFORM_VERSION 1 /* version of the transform encoding */
#define N2N_SPECK_IVEC_SIZE 16 #define N2N_SPECK_IVEC_SIZE 16
#define SPECK_KEY_BYTES (256/8) #define SPECK_KEY_BYTES (256/8)
/* Speck plaintext preamble */ /* Speck plaintext preamble */
#define TRANSOP_SPECK_VER_SIZE 1 /* Support minor variants in encoding in one module. */ #define TRANSOP_SPECK_PREAMBLE_SIZE (N2N_SPECK_IVEC_SIZE)
#define TRANSOP_SPECK_PREAMBLE_SIZE (TRANSOP_SPECK_VER_SIZE + N2N_SPECK_IVEC_SIZE)
typedef unsigned char n2n_speck_ivec_t[N2N_SPECK_IVEC_SIZE]; typedef unsigned char n2n_speck_ivec_t[N2N_SPECK_IVEC_SIZE];
@ -64,11 +62,10 @@ static void set_speck_iv(transop_speck_t *priv, n2n_speck_ivec_t ivec) {
/** The Speck packet format consists of: /** The Speck packet format consists of:
* *
* - a 8-bit speck encoding version in clear text
* - a 128-bit random IV * - a 128-bit random IV
* - encrypted payload. * - encrypted payload.
* *
* [V|IIII|DDDDDDDDDDDDDDDDDDDDD] * [IIII|DDDDDDDDDDDDDDDDDDDDD]
* |<---- encrypted ---->| * |<---- encrypted ---->|
*/ */
static int transop_encode_speck(n2n_trans_op_t * arg, static int transop_encode_speck(n2n_trans_op_t * arg,
@ -87,9 +84,6 @@ static int transop_encode_speck(n2n_trans_op_t * arg,
traceEvent(TRACE_DEBUG, "encode_speck %lu bytes", in_len); traceEvent(TRACE_DEBUG, "encode_speck %lu bytes", in_len);
/* Encode the Speck format version. */
encode_uint8(outbuf, &idx, N2N_SPECK_TRANSFORM_VERSION);
/* Generate and encode the IV. */ /* Generate and encode the IV. */
set_speck_iv(priv, enc_ivec); set_speck_iv(priv, enc_ivec);
encode_buf(outbuf, &idx, &enc_ivec, N2N_SPECK_IVEC_SIZE); encode_buf(outbuf, &idx, &enc_ivec, N2N_SPECK_IVEC_SIZE);
@ -129,18 +123,13 @@ static int transop_decode_speck(n2n_trans_op_t * arg,
transop_speck_t * priv = (transop_speck_t *)arg->priv; transop_speck_t * priv = (transop_speck_t *)arg->priv;
if(((in_len - TRANSOP_SPECK_PREAMBLE_SIZE) <= N2N_PKT_BUF_SIZE) /* Cipher text fits in buffer */ if(((in_len - TRANSOP_SPECK_PREAMBLE_SIZE) <= N2N_PKT_BUF_SIZE) /* Cipher text fits in buffer */
&& (in_len >= TRANSOP_SPECK_PREAMBLE_SIZE) /* Has at least version, iv */ && (in_len >= TRANSOP_SPECK_PREAMBLE_SIZE) /* Has at least iv */
) )
{ {
size_t rem=in_len; size_t rem=in_len;
size_t idx=0; size_t idx=0;
uint8_t speck_enc_ver=0;
n2n_speck_ivec_t dec_ivec = {0}; n2n_speck_ivec_t dec_ivec = {0};
/* Get the encoding version to make sure it is supported */
decode_uint8(&speck_enc_ver, inbuf, &rem, &idx );
if(N2N_SPECK_TRANSFORM_VERSION == speck_enc_ver) {
traceEvent(TRACE_DEBUG, "decode_speck %lu bytes", in_len); traceEvent(TRACE_DEBUG, "decode_speck %lu bytes", in_len);
len = (in_len - TRANSOP_SPECK_PREAMBLE_SIZE); len = (in_len - TRANSOP_SPECK_PREAMBLE_SIZE);
@ -155,8 +144,6 @@ static int transop_decode_speck(n2n_trans_op_t * arg,
#endif #endif
traceEvent(TRACE_DEBUG, "decode_speck: decrypted %u bytes.\n", len); traceEvent(TRACE_DEBUG, "decode_speck: decrypted %u bytes.\n", len);
} else
traceEvent(TRACE_ERROR, "decode_speck unsupported Speck version %u.", speck_enc_ver);
} else } else
traceEvent(TRACE_ERROR, "decode_speck inbuf wrong size (%ul) to decrypt.", in_len); traceEvent(TRACE_ERROR, "decode_speck inbuf wrong size (%ul) to decrypt.", in_len);
@ -215,4 +202,3 @@ int n2n_transop_speck_init(const n2n_edge_conf_t *conf, n2n_trans_op_t *ttt) {
/* Setup the cipher and key */ /* Setup the cipher and key */
return(setup_speck_key(priv, encrypt_key, encrypt_key_len)); return(setup_speck_key(priv, encrypt_key, encrypt_key_len));
} }


@ -18,9 +18,6 @@
#include "n2n.h" #include "n2n.h"
#define N2N_TWOFISH_NUM_SA 32 /* space for SAa */
#define N2N_TWOFISH_TRANSFORM_VERSION 1 /* version of the transform encoding */
typedef struct transop_tf { typedef struct transop_tf {
TWOFISH* enc_tf; /* tx state */ TWOFISH* enc_tf; /* tx state */
@ -39,17 +36,13 @@ static int transop_deinit_twofish( n2n_trans_op_t * arg ) {
return 0; return 0;
} }
#define TRANSOP_TF_VER_SIZE 1 /* Support minor variants in encoding in one module. */
#define TRANSOP_TF_NONCE_SIZE 4 #define TRANSOP_TF_NONCE_SIZE 4
#define TRANSOP_TF_SA_SIZE 4
/** The twofish packet format consists of: /** The twofish packet format consists of:
* *
* - a 8-bit twofish encoding version in clear text
* - a 32-bit SA number in clear text
* - ciphertext encrypted from a 32-bit nonce followed by the payload. * - ciphertext encrypted from a 32-bit nonce followed by the payload.
* *
* [V|SSSS|nnnnDDDDDDDDDDDDDDDDDDDDD] * [nnnnDDDDDDDDDDDDDDDDDDDDD]
* |<------ encrypted ------>| * |<------ encrypted ------>|
*/ */
static int transop_encode_twofish( n2n_trans_op_t * arg, static int transop_encode_twofish( n2n_trans_op_t * arg,
@ -66,19 +59,10 @@ static int transop_encode_twofish( n2n_trans_op_t * arg,
if ( (in_len + TRANSOP_TF_NONCE_SIZE) <= N2N_PKT_BUF_SIZE ) if ( (in_len + TRANSOP_TF_NONCE_SIZE) <= N2N_PKT_BUF_SIZE )
{ {
if ( (in_len + TRANSOP_TF_NONCE_SIZE + TRANSOP_TF_SA_SIZE + TRANSOP_TF_VER_SIZE) <= out_len ) if ( (in_len + TRANSOP_TF_NONCE_SIZE) <= out_len )
{ {
size_t idx=0;
uint32_t sa_id=0; // Not used
traceEvent(TRACE_DEBUG, "encode_twofish %lu", in_len); traceEvent(TRACE_DEBUG, "encode_twofish %lu", in_len);
/* Encode the twofish format version. */
encode_uint8( outbuf, &idx, N2N_TWOFISH_TRANSFORM_VERSION );
/* Encode the security association (SA) number */
encode_uint32( outbuf, &idx, sa_id );
/* The assembly buffer is a source for encrypting data. The nonce is /* The assembly buffer is a source for encrypting data. The nonce is
* written in first followed by the packet payload. The whole * written in first followed by the packet payload. The whole
* contents of assembly are encrypted. */ * contents of assembly are encrypted. */
@ -88,14 +72,10 @@ static int transop_encode_twofish( n2n_trans_op_t * arg,
/* Encrypt the assembly contents and write the ciphertext after the SA. */ /* Encrypt the assembly contents and write the ciphertext after the SA. */
len = TwoFishEncryptRaw( assembly, /* source */ len = TwoFishEncryptRaw( assembly, /* source */
outbuf + TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE, outbuf,
in_len + TRANSOP_TF_NONCE_SIZE, /* enc size */ in_len + TRANSOP_TF_NONCE_SIZE, /* enc size */
priv->enc_tf); priv->enc_tf);
if ( len > 0 ) if ( len <= 0 )
{
len += TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE; /* size of data carried in UDP. */
}
else
{ {
traceEvent( TRACE_ERROR, "encode_twofish encryption failed." ); traceEvent( TRACE_ERROR, "encode_twofish encryption failed." );
} }
@ -114,15 +94,7 @@ static int transop_encode_twofish( n2n_trans_op_t * arg,
return len; return len;
} }
/** The twofish packet format consists of:
*
* - a 8-bit twofish encoding version in clear text
* - a 32-bit SA number in clear text
* - ciphertext encrypted from a 32-bit nonce followed by the payload.
*
* [V|SSSS|nnnnDDDDDDDDDDDDDDDDDDDDD]
* |<------ encrypted ------>|
*/
static int transop_decode_twofish( n2n_trans_op_t * arg, static int transop_decode_twofish( n2n_trans_op_t * arg,
uint8_t * outbuf, uint8_t * outbuf,
size_t out_len, size_t out_len,
@ -134,26 +106,15 @@ static int transop_decode_twofish( n2n_trans_op_t * arg,
transop_tf_t * priv = (transop_tf_t *)arg->priv; transop_tf_t * priv = (transop_tf_t *)arg->priv;
uint8_t assembly[N2N_PKT_BUF_SIZE]; uint8_t assembly[N2N_PKT_BUF_SIZE];
if ( ( (in_len - (TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE)) <= N2N_PKT_BUF_SIZE ) /* Cipher text fits in assembly */ if ( ( in_len <= N2N_PKT_BUF_SIZE ) /* Cipher text fits in assembly */
&& (in_len >= (TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE + TRANSOP_TF_NONCE_SIZE) ) /* Has at least version, SA and nonce */ && (in_len >= TRANSOP_TF_NONCE_SIZE ) /* Has at least nonce */
) { ) {
size_t rem=in_len;
size_t idx=0;
uint8_t tf_enc_ver=0;
uint32_t sa_rx=0; // Not used
/* Get the encoding version to make sure it is supported */
decode_uint8( &tf_enc_ver, inbuf, &rem, &idx );
if ( N2N_TWOFISH_TRANSFORM_VERSION == tf_enc_ver ) {
/* Get the SA number and make sure we are decrypting with the right one. */
decode_uint32( &sa_rx, inbuf, &rem, &idx );
traceEvent(TRACE_DEBUG, "decode_twofish %lu", in_len); traceEvent(TRACE_DEBUG, "decode_twofish %lu", in_len);
len = TwoFishDecryptRaw( (void *)(inbuf + TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE), len = TwoFishDecryptRaw( (void *)inbuf,
assembly, /* destination */ assembly, /* destination */
(in_len - (TRANSOP_TF_VER_SIZE + TRANSOP_TF_SA_SIZE)), in_len,
priv->dec_tf); priv->dec_tf);
if(len > 0) { if(len > 0) {
@ -165,8 +126,6 @@ static int transop_decode_twofish( n2n_trans_op_t * arg,
len ); len );
} else } else
traceEvent(TRACE_ERROR, "decode_twofish decryption failed"); traceEvent(TRACE_ERROR, "decode_twofish decryption failed");
} else
traceEvent( TRACE_ERROR, "decode_twofish unsupported twofish version %u.", tf_enc_ver );
} else } else
traceEvent( TRACE_ERROR, "decode_twofish inbuf wrong size (%ul) to decrypt.", in_len ); traceEvent( TRACE_ERROR, "decode_twofish inbuf wrong size (%ul) to decrypt.", in_len );
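Review bot: The context comment in the encode hunk at `@ -88,14 +72,10`, `/* Encrypt the assembly contents and write the ciphertext after the SA. */`, is stale now that the SA word is gone and TwoFishEncryptRaw writes to `outbuf` directly; change it to `/* Encrypt the assembly contents and write the ciphertext at the start of outbuf. */`. In the decode hunk at `@ -134,26 +106,15`, the relaxed guard `in_len >= TRANSOP_TF_NONCE_SIZE` hands `in_len` straight to TwoFishDecryptRaw; whether that function tolerates a length that is not a block multiple is not visible here, and unlike the AES decoder there is no explicit multiple-of-block-size check, so it is worth confirming or adding one before the call. Both transop_encode_twofish and transop_decode_twofish extend outside their hunks.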