From: ian Date: Wed, 31 May 2000 00:58:53 +0000 (+0000) Subject: New encrypting tunnel seems to work ! X-Git-Tag: userv-utils-0-1-finger-mergeup-1~7 X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ian/git?p=userv-utils.git;a=commitdiff_plain;h=ed509ebded419ce594b9c6a6942cf41033a7a16b New encrypting tunnel seems to work ! --- diff --git a/ipif/Makefile b/ipif/Makefile index 122a72e..c2e3a7f 100644 --- a/ipif/Makefile +++ b/ipif/Makefile @@ -30,12 +30,13 @@ libuserv= $(libdir)/userv etcuserv= $(etcdir)/userv services= $(etcuserv)/services.d -TARGETS= service udptunnel-forwarder +TARGETS= service udptunnel-forwarder blowfishtest MECHFILES= null pkcs5 timestamp sequence blowfish MECHOBJS= $(foreach m, $(MECHFILES), mech-$m.o) OBJS_FORWARD= forwarder.o $(MECHOBJS) blowfish.o automech.c utils.c +OBJS_BFTEST= blowfishtest.o blowfish.o hex.o all: $(TARGETS) @@ -49,8 +50,12 @@ install: all udptunnel-forwarder: $(OBJS_FORWARD) $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJS_FORWARD) +blowfishtest: $(OBJS_BFTEST) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OBJS_BFTEST) + automech.c automech.h: automechgen.sh Makefile ./$< $(MECHFILES) forwarder.o $(MECHOBJS) automech.o utils.o: forwarder.h automech.h -blowfish.o mech-blowfish.o: blowfish.h +blowfish.o mech-blowfish.o blowfishtest.o: blowfish.h +blowfishtest.o hex.o: hex.h diff --git a/ipif/blowfishtest.c b/ipif/blowfishtest.c index ad14194..5b2fe57 100644 --- a/ipif/blowfishtest.c +++ b/ipif/blowfishtest.c @@ -11,8 +11,8 @@ int main(void) { char buf[200], keybuf[200], plainbuf[200], cipherbuf[200], comparebuf[200], ivbuf[200]; char keytxt[sizeof(buf)+1], plaintxt[sizeof(buf)+1], ciphertxt[sizeof(buf)+1]; - uint8 key[BLOWFISH_MAXKEYBYTES*2], plain[100], cipher[100], compare[100]; - uint8 iv[BLOWFISH_BLOCKBYTES]; + uint8_t key[BLOWFISH_MAXKEYBYTES*2], plain[100], cipher[100], compare[100]; + uint8_t iv[BLOWFISH_BLOCKBYTES]; int keysz, plainsz, ciphersz, cskey, csiv, csplain, i; struct blowfish_expandedkey ek; struct blowfish_cbc_state cs; diff --git a/ipif/forwarder.c b/ipif/forwarder.c index 5867832..d3a0f0f 100644 --- a/ipif/forwarder.c +++ b/ipif/forwarder.c @@ -7,8 +7,8 @@ * * * [] - * ! [ ...] - * ! [ ...] + * | [ ...] + * | [ ...] * '' * * Remote addr may '' to mean wait to receive a packet and reply to @@ -19,6 +19,10 @@ * w means generate and write encdec keys, rather than reading them * K means do crypto debug (use with care!) * + * encdec keys datastream has keys for packets from key datastream + * writer to reader first, then keys for packets from reader to + * writer. + * * Every must be numeric. There is very little argument checking. * * Exit status: @@ -71,8 +75,8 @@ static time_t nextsendka; static void cdebug(int mechno /*or -1*/, const char *msg) { if (!crypto_debug) return; - printf("%s: CRYPTO: %-20s %s\n", - programid, + printf("%-8.8s: CRYPTO: %-20s %s\n", + uname_result.nodename, mechno >= 0 ? mechs[mechno]->name : "", msg); } @@ -127,6 +131,7 @@ void random_key(void *ptr, size_t sz) { write_must(encdec_keys_fd,ptr,sz,"write keys datastream"); } else { read_must(encdec_keys_fd,ptr,sz,"read keys datastream"); + cdebughex(-1, "random_key", ptr, sz, 0,0,0); } } @@ -335,18 +340,26 @@ int main(int argc, const char *const *const argv_in) { maxprefix= 0; i= 0; while ((arg= *++argv)) { - arg_assert(*arg++ == '!'); + arg_assert(*arg++ == '|'); arg_assert(i <= MAXMECHS); mechs[i]= find_mech(arg); - cdebug(i,"encsetup"); + cdebug(i,"writer->reader setup"); argv_save= argv; - mechs[i]->encsetup(&md_out[i], &maxprefix, &maxsuffix); + + if (encdec_keys_write) + mechs[i]->encsetup(&md_out[i], &maxprefix, &maxsuffix); + else + mechs[i]->decsetup(&md_in[i]); argv_done= argv; argv= argv_save; - cdebug(i,"decsetup"); - mechs[i]->decsetup(&md_in[i]); + cdebug(i,"reader->writer setup"); + + if (encdec_keys_write) + mechs[i]->decsetup(&md_in[i]); + else + mechs[i]->encsetup(&md_out[i], &maxprefix, &maxsuffix); assert(argv == argv_done); diff --git a/ipif/hex.c b/ipif/hex.c index fd889a2..dc0c749 100644 --- a/ipif/hex.c +++ b/ipif/hex.c @@ -7,7 +7,7 @@ #include "hex.h" -const char *tohex(uint8 *data, int len, char *buf) { +const char *tohex(uint8_t *data, int len, char *buf) { char *p; for (p= buf; @@ -17,7 +17,7 @@ const char *tohex(uint8 *data, int len, char *buf) { return buf; } -void unhex(const char *what, const char *txt, uint8 *datar, int *lenr, +void unhex(const char *what, const char *txt, uint8_t *datar, int *lenr, int minlen, int maxlen) { int l, v; char buf[3], *ep; diff --git a/ipif/hex.h b/ipif/hex.h index e637f9a..5bce442 100644 --- a/ipif/hex.h +++ b/ipif/hex.h @@ -3,8 +3,10 @@ #ifndef HEX__H_INCLUDED #define HEX__H_INCLUDED -const char *tohex(uint8 *data, int len, char *buf); -void unhex(const char *what, const char *txt, uint8 *datar, int *lenr, +#include + +const char *tohex(uint8_t *data, int len, char *buf); +void unhex(const char *what, const char *txt, uint8_t *datar, int *lenr, int minlen, int maxlen); #endif diff --git a/ipif/mech-blowfish.c b/ipif/mech-blowfish.c index 7447cad..65e3311 100644 --- a/ipif/mech-blowfish.c +++ b/ipif/mech-blowfish.c @@ -13,13 +13,13 @@ #include "blowfish.h" struct mechdata { + unsigned char iv[BLOWFISH_BLOCKBYTES]; struct blowfish_cbc_state cbc; }; static void mds_blowfish(struct mechdata **md_r) { struct mechdata *md; unsigned long keysize; - unsigned char iv[BLOWFISH_BLOCKBYTES]; unsigned char key[BLOWFISH_MAXKEYBYTES]; XMALLOC(md); @@ -29,12 +29,10 @@ static void mds_blowfish(struct mechdata **md_r) { keysize >>= 3; arg_assert(keysize > 0 && keysize <= BLOWFISH_MAXKEYBYTES); - random_key(iv,sizeof(iv)); + random_key(md->iv,sizeof(md->iv)); random_key(key,keysize); blowfish_loadkey(&md->cbc.ek, key,keysize); - blowfish_cbc_setiv(&md->cbc, iv); - *md_r= md; } @@ -62,6 +60,7 @@ static void mes_bfmac(struct mechdata **md_r, int *maxprefix_io, int *maxsuffix_ #define FOREACH_BLOCK(func,inptr,outptr) \ { \ unsigned char *ptr; \ + blowfish_cbc_setiv(&md->cbc, md->iv); \ for (ptr= buf->start; \ ptr < buf->start + msgsize; \ ptr += BLOWFISH_BLOCKBYTES) { \ diff --git a/ipif/mech-pkcs5.c b/ipif/mech-pkcs5.c index 6ff35cd..df4d918 100644 --- a/ipif/mech-pkcs5.c +++ b/ipif/mech-pkcs5.c @@ -58,11 +58,11 @@ static const char *mdec_pkcs5(struct mechdata *md, struct buffer *buf) { unsigned padlen; int i; - BUF_UNPREPEND(padp,buf,1); + BUF_UNAPPEND(padp,buf,1); padlen= *padp; - if (!padlen || (padlen & ~md->mask)) return "invalid length"; + if (!padlen || (padlen > md->mask+1)) return "invalid length"; - BUF_UNPREPEND(padp,buf,padlen-1); + BUF_UNAPPEND(padp,buf,padlen-1); for (i=0; imax_skew && age > md->max_skew) { + if (md->max_skew && age < -md->max_skew) { sprintf(cbuf,"too much skew (%lds)",-age); return cbuf; } diff --git a/ipif/udptunnel b/ipif/udptunnel index e52ee73..bb48d1d 100755 --- a/ipif/udptunnel +++ b/ipif/udptunnel @@ -189,7 +189,7 @@ while ($ARGV[0] =~ m/^-/) { $encrarg= arg_value($_,'-e'); push @remoteopts, "-e$encrarg"; @thisencryption= split m#/#, $encrarg; - $thisencryption[0] =~ s/^/\!/; + $thisencryption[0] =~ s/^/\|/; push @encryption, @thisencryption; } elsif (s/^-m/-/) { $masq= 1;