/*
* Generate a random key. If key_type is provided, make
* sure generated key is valid for key_type.
*/
void
generate_key_random (struct key *key, const struct key_type *kt)
{
int cipher_len = MAX_CIPHER_KEY_LENGTH;
int hmac_len = MAX_HMAC_KEY_LENGTH;
struct gc_arena gc = gc_new ();
do {
CLEAR (*key);
if (kt)
{
if (kt->cipher && kt->cipher_length > 0 && kt->cipher_length <= cipher_len)
cipher_len = kt->cipher_length;
if (kt->digest && kt->hmac_length > 0 && kt->hmac_length <= hmac_len)
hmac_len = kt->hmac_length;
}
if (!rand_bytes (key->cipher, cipher_len)
|| !rand_bytes (key->hmac, hmac_len))
msg (M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation");
dmsg (D_SHOW_KEY_SOURCE, "Cipher source entropy: %s", format_hex (key->cipher, cipher_len, 0, &gc));
dmsg (D_SHOW_KEY_SOURCE, "HMAC source entropy: %s", format_hex (key->hmac, hmac_len, 0, &gc));
if (kt)
fixup_key (key, kt);
} while (kt && !check_key (key, kt));
gc_free (&gc);
}
END_TEST
START_TEST(test_large_data_symmetric)
{
unsigned char k[CRYPTO_SYMMETRIC_KEY_SIZE];
unsigned char n[CRYPTO_NONCE_SIZE];
unsigned char m1[16 * 16 * 16];
unsigned char c1[sizeof(m1) + CRYPTO_MAC_SIZE];
unsigned char m1prime[sizeof(m1)];
int c1len;
int m1plen;
//Generate random messages
rand_bytes(m1, sizeof(m1));
rand_bytes(n, CRYPTO_NONCE_SIZE);
//Generate key
new_symmetric_key(k);
c1len = encrypt_data_symmetric(k, n, m1, sizeof(m1), c1);
ck_assert_msg(c1len == sizeof(m1) + CRYPTO_MAC_SIZE, "could not encrypt data");
m1plen = decrypt_data_symmetric(k, n, c1, c1len, m1prime);
ck_assert_msg(m1plen == sizeof(m1), "decrypted text lengths differ");
ck_assert_msg(memcmp(m1prime, m1, sizeof(m1)) == 0, "decrypted texts differ");
}
void * auth_simple_init_data() {
auth_simple_global_data *global = (auth_simple_global_data*)malloc(sizeof(auth_simple_global_data));
rand_bytes(global->local_client_id, 8);
rand_bytes((uint8_t*)&global->connection_id, 4);
global->connection_id &= 0xFFFFFF;
return global;
}
/*
Generate random compact signatures and messagse and check
*/
void test_random_sigs(int count) {
int error_count = 0;
for(int i=0;i<count; i++) {
unsigned char sig[64];
unsigned char msg[32];
unsigned char pubkey[33];
int pubkeylen;
rand_bytes(sig,64); //try 65
rand_bytes(msg,32);
int ret = secp256k1_ecdsa_recover_compact(
msg, 32,
sig,
pubkey, &pubkeylen,
1, (int)(rand_byte()%4)
);
if(ret == 1) { error_count++; }
}
printf("test_random_sigs: %d out of %d randomly generated messages/signatures returned 1 for secp256k1_ecdsa_recover_compact\n", error_count, count);
}
static int
obfs_tls_response(buffer_t *buf, size_t cap, obfs_t *obfs)
{
if (obfs == NULL || obfs->obfs_stage < 0) return 0;
static buffer_t tmp = { 0, 0, 0, NULL };
if (obfs->obfs_stage == 0) {
size_t buf_len = buf->len;
size_t hello_len = sizeof(struct tls_server_hello);
size_t change_cipher_spec_len = sizeof(struct tls_change_cipher_spec);
size_t encrypted_handshake_len = sizeof(struct tls_encrypted_handshake);
size_t tls_len = hello_len + change_cipher_spec_len + encrypted_handshake_len + buf_len;
brealloc(&tmp, buf_len, cap);
brealloc(buf, tls_len, cap);
memcpy(tmp.data, buf->data, buf_len);
/* Server Hello */
memcpy(buf->data, &tls_server_hello_template, hello_len);
struct tls_server_hello *hello = (struct tls_server_hello *)buf->data;
hello->random_unix_time = CT_HTONL((uint32_t)time(NULL));
rand_bytes(hello->random_bytes, 28);
if (obfs->buf != NULL) {
memcpy(hello->session_id, obfs->buf->data, 32);
} else {
rand_bytes(hello->session_id, 32);
}
/* Change Cipher Spec */
memcpy(buf->data + hello_len, &tls_change_cipher_spec_template, change_cipher_spec_len);
/* Encrypted Handshake */
memcpy(buf->data + hello_len + change_cipher_spec_len, &tls_encrypted_handshake_template,
encrypted_handshake_len);
memcpy(buf->data + hello_len + change_cipher_spec_len + encrypted_handshake_len,
tmp.data, buf_len);
struct tls_encrypted_handshake *encrypted_handshake =
(struct tls_encrypted_handshake *)(buf->data + hello_len + change_cipher_spec_len);
encrypted_handshake->len = CT_HTONS(buf_len);
buf->len = tls_len;
obfs->obfs_stage++;
} else if (obfs->obfs_stage == 1) {
obfs_app_data(buf, cap, obfs);
}
return buf->len;
}
TEST_F(cryptoboxtest, send_ten_messages)
{
struct device *a, *b;
add_devices(2);
/* Connect the 2 devices */
connect_devices();
a = (struct device *)devicel.head->data;
b = (struct device *)devicel.tail->data;
err = device_new_session(a, b);
ASSERT_EQ(0, err);
for (int i=0; i<5; i++) {
size_t len = rand_u16();
uint8_t *msg = (uint8_t *)mem_alloc(len, NULL);
rand_bytes(msg, len);
send_message(a, b, msg, len);
/* reverse direction */
send_message(b, a, msg, len);
mem_deref(msg);
}
}
static void test_binary_seq_rev_cmp()
{
test_status("binary_seq_reverse_complement() binary_seq_to_str()");
uint8_t data[TLEN], tmp[TLEN];
char str[4*TLEN+1], rev[4*TLEN+1], restore[4*TLEN+1];
size_t i, j, k, nbases;
for(i = 0; i < NTESTS; i++)
{
// Get random sequence, mask top byte, convert to string
rand_bytes(data, TLEN);
nbases = rand() & (4*TLEN-1);
binary_seq_to_str(data, nbases, str);
// Reverse complement, convert to string
memcpy(tmp, data, TLEN);
binary_seq_reverse_complement(tmp, nbases);
binary_seq_to_str(tmp, nbases, rev);
// Check strings match
for(j = 0, k = nbases-1; j < nbases; j++, k--)
TASSERT(str[j] == dna_char_complement(rev[k]));
// Reverse complement again, check we get back same binary_seq+string
binary_seq_reverse_complement(tmp, nbases);
binary_seq_to_str(tmp, nbases, restore);
TASSERT(memcmp(data, tmp, TLEN) == 0);
TASSERT(strncmp(str, restore, nbases) == 0);
}
}
void
prng_bytes (uint8_t *output, int len)
{
static size_t processed = 0;
if (nonce_md)
{
const int md_size = md_kt_size (nonce_md);
while (len > 0)
{
unsigned int outlen = 0;
const int blen = min_int (len, md_size);
md_full(nonce_md, nonce_data, md_size + nonce_secret_len, nonce_data);
memcpy (output, nonce_data, blen);
output += blen;
len -= blen;
/* Ensure that random data is reset regularly */
processed += blen;
if(processed > PRNG_NONCE_RESET_BYTES) {
prng_reset_nonce();
processed = 0;
}
}
}
else
rand_bytes (output, len);
}
static int media_alloc(struct mnat_media **mp, struct mnat_sess *sess,
int proto, void *sock1, void *sock2,
struct sdp_media *sdpm)
{
struct mnat_media *m;
struct sa laddr;
struct pcp_map map;
unsigned i;
int err = 0;
if (!mp || !sess || !sdpm || proto != IPPROTO_UDP)
return EINVAL;
m = mem_zalloc(sizeof(*m), media_destructor);
if (!m)
return ENOMEM;
m->compc = sock2 ? 2 : 1;
list_append(&sess->medial, &m->le, m);
m->sess = sess;
m->sdpm = mem_ref(sdpm);
for (i=0; i<m->compc; i++) {
struct comp *comp = &m->compv[i];
comp->id = i+1;
comp->media = m;
err = udp_local_get(i==0 ? sock1 : sock2, &laddr);
if (err)
goto out;
rand_bytes(map.nonce, sizeof(map.nonce));
map.proto = proto;
map.int_port = sa_port(&laddr);
/* note: using same address-family as the PCP server */
sa_init(&map.ext_addr, sa_af(&pcp_srv));
info("pcp: %s: internal port for %s is %u\n",
sdp_media_name(sdpm),
i==0 ? "RTP" : "RTCP",
map.int_port);
err = pcp_request(&comp->pcp, NULL, &pcp_srv, PCP_MAP,
LIFETIME, &map, pcp_resp_handler, comp, 0);
if (err)
goto out;
}
out:
if (err)
mem_deref(m);
else if (mp) {
*mp = m;
}
return err;
}
void enc_ctx_init(int method, enc_ctx_t *ctx, int enc)
{
memset(ctx, 0, sizeof(enc_ctx_t));
cipher_context_init(&ctx->evp, method, enc);
if (enc) {
rand_bytes(ctx->evp.iv, enc_iv_len);
}
}
int auth_simple_pack_auth_data(auth_simple_global_data *global, char *data, int datalength, char *outdata) {
unsigned char rand_len = (xorshift128plus() & 0xF) + 1;
int out_size = rand_len + datalength + 6 + 12;
outdata[0] = out_size >> 8;
outdata[1] = out_size;
outdata[2] = rand_len;
++global->connection_id;
if (global->connection_id > 0xFF000000) {
rand_bytes(global->local_client_id, 8);
rand_bytes((uint8_t*)&global->connection_id, 4);
global->connection_id &= 0xFFFFFF;
}
time_t t = time(NULL);
memintcopy_lt(outdata + rand_len + 2, t);
memmove(outdata + rand_len + 2 + 4, global->local_client_id, 4);
memintcopy_lt(outdata + rand_len + 2 + 8, global->connection_id);
memmove(outdata + rand_len + 2 + 12, data, datalength);
fillcrc32((unsigned char *)outdata, out_size);
return out_size;
}
void
stream_ctx_init(cipher_t *cipher, cipher_ctx_t *cipher_ctx, int enc)
{
sodium_memzero(cipher_ctx, sizeof(cipher_ctx_t));
stream_cipher_ctx_init(cipher_ctx, cipher->method, enc);
cipher_ctx->cipher = cipher;
if (enc) {
rand_bytes(cipher_ctx->nonce, cipher->nonce_len);
}
}
void
aead_ctx_init(cipher_t *cipher, cipher_ctx_t *cipher_ctx, int enc)
{
sodium_memzero(cipher_ctx, sizeof(cipher_ctx_t));
cipher_ctx->cipher = cipher;
aead_cipher_ctx_init(cipher_ctx, cipher->method, enc);
if (enc) {
rand_bytes(cipher_ctx->salt, cipher->key_len);
}
}
void
test_crypto (const struct crypto_options *co, struct frame* frame)
{
int i, j;
struct gc_arena gc = gc_new ();
struct buffer src = alloc_buf_gc (TUN_MTU_SIZE (frame), &gc);
struct buffer work = alloc_buf_gc (BUF_SIZE (frame), &gc);
struct buffer encrypt_workspace = alloc_buf_gc (BUF_SIZE (frame), &gc);
struct buffer decrypt_workspace = alloc_buf_gc (BUF_SIZE (frame), &gc);
struct buffer buf = clear_buf();
/* init work */
ASSERT (buf_init (&work, FRAME_HEADROOM (frame)));
msg (M_INFO, "Entering " PACKAGE_NAME " crypto self-test mode.");
for (i = 1; i <= TUN_MTU_SIZE (frame); ++i)
{
update_time ();
msg (M_INFO, "TESTING ENCRYPT/DECRYPT of packet length=%d", i);
/*
* Load src with random data.
*/
ASSERT (buf_init (&src, 0));
ASSERT (i <= src.capacity);
src.len = i;
ASSERT (rand_bytes (BPTR (&src), BLEN (&src)));
/* copy source to input buf */
buf = work;
memcpy (buf_write_alloc (&buf, BLEN (&src)), BPTR (&src), BLEN (&src));
/* encrypt */
openvpn_encrypt (&buf, encrypt_workspace, co, frame);
/* decrypt */
openvpn_decrypt (&buf, decrypt_workspace, co, frame);
/* compare */
if (buf.len != src.len)
msg (M_FATAL, "SELF TEST FAILED, src.len=%d buf.len=%d", src.len, buf.len);
for (j = 0; j < i; ++j)
{
const uint8_t in = *(BPTR (&src) + j);
const uint8_t out = *(BPTR (&buf) + j);
if (in != out)
msg (M_FATAL, "SELF TEST FAILED, pos=%d in=%d out=%d", j, in, out);
}
}
msg (M_INFO, PACKAGE_NAME " crypto self-test mode SUCCEEDED.");
gc_free (&gc);
}
int auth_sha1_v4_pack_auth_data(auth_simple_global_data *global, server_info *server, char *data, int datalength, char *outdata) {
unsigned int rand_len = (datalength > 1300 ? 0 : datalength > 400 ? (xorshift128plus() & 0x7F) : (xorshift128plus() & 0x3FF)) + 1;
int data_offset = rand_len + 4 + 2;
int out_size = data_offset + datalength + 12 + OBFS_HMAC_SHA1_LEN;
const char* salt = "auth_sha1_v4";
int salt_len = strlen(salt);
unsigned char *crc_salt = (unsigned char*)malloc(salt_len + server->key_len + 2);
crc_salt[0] = outdata[0] = out_size >> 8;
crc_salt[1] = outdata[1] = out_size;
memcpy(crc_salt + 2, salt, salt_len);
memcpy(crc_salt + salt_len + 2, server->key, server->key_len);
fillcrc32to(crc_salt, salt_len + server->key_len + 2, (unsigned char *)outdata + 2);
free(crc_salt);
if (rand_len < 128)
{
outdata[6] = rand_len;
}
else
{
outdata[6] = 0xFF;
outdata[7] = rand_len >> 8;
outdata[8] = rand_len;
}
++global->connection_id;
if (global->connection_id > 0xFF000000) {
rand_bytes(global->local_client_id, 8);
rand_bytes((uint8_t*)&global->connection_id, 4);
global->connection_id &= 0xFFFFFF;
}
time_t t = time(NULL);
memintcopy_lt(outdata + data_offset, t);
memmove(outdata + data_offset + 4, global->local_client_id, 4);
memintcopy_lt(outdata + data_offset + 8, global->connection_id);
memmove(outdata + data_offset + 12, data, datalength);
char hash[ONETIMEAUTH_BYTES * 2];
ss_sha1_hmac(hash, outdata, out_size - OBFS_HMAC_SHA1_LEN, server->iv);
memcpy(outdata + out_size - OBFS_HMAC_SHA1_LEN, hash, OBFS_HMAC_SHA1_LEN);
return out_size;
}
void rand_pseudo_bytes(char* buf, int count)
{
static int init = init_openssl();
(void)init;
// RAND_pseudo_bytes is deprecated in favor of RAND_bytes as of OpenSSL 1.1.0
#if OPENSSL_VERSION_NUMBER < 0x10100000L
int result = RAND_pseudo_bytes((unsigned char*)buf, count);
if (result == -1)
FC_THROW("Error calling OpenSSL's RAND_pseudo_bytes(): ${code}", ("code", (uint32_t)ERR_get_error()));
#else
rand_bytes(buf, count);
#endif
}
END_TEST
START_TEST(test_large_data)
{
unsigned char k[CRYPTO_SHARED_KEY_SIZE];
unsigned char n[CRYPTO_NONCE_SIZE];
unsigned char m1[MAX_CRYPTO_PACKET_SIZE - CRYPTO_MAC_SIZE];
unsigned char c1[sizeof(m1) + CRYPTO_MAC_SIZE];
unsigned char m1prime[sizeof(m1)];
unsigned char m2[MAX_CRYPTO_PACKET_SIZE];
unsigned char c2[sizeof(m2) + CRYPTO_MAC_SIZE];
int c1len, c2len;
int m1plen;
//Generate random messages
rand_bytes(m1, sizeof(m1));
rand_bytes(m2, sizeof(m2));
rand_bytes(n, CRYPTO_NONCE_SIZE);
//Generate key
rand_bytes(k, CRYPTO_SHARED_KEY_SIZE);
c1len = encrypt_data_symmetric(k, n, m1, sizeof(m1), c1);
c2len = encrypt_data_symmetric(k, n, m2, sizeof(m2), c2);
ck_assert_msg(c1len == sizeof(m1) + CRYPTO_MAC_SIZE, "could not encrypt");
ck_assert_msg(c2len == sizeof(m2) + CRYPTO_MAC_SIZE, "could not encrypt");
m1plen = decrypt_data_symmetric(k, n, c1, c1len, m1prime);
ck_assert_msg(m1plen == sizeof(m1), "decrypted text lengths differ");
ck_assert_msg(memcmp(m1prime, m1, sizeof(m1)) == 0, "decrypted texts differ");
}
void fp_rand(fp_t a) {
int bits, digits;
rand_bytes((uint8_t *)a, RLC_FP_DIGS * sizeof(dig_t));
RLC_RIP(bits, digits, RLC_FP_BITS);
if (bits > 0) {
dig_t mask = ((dig_t)1 << (dig_t)bits) - 1;
a[RLC_FP_DIGS - 1] &= mask;
}
while (dv_cmp(a, fp_prime_get(), RLC_FP_DIGS) != RLC_LT) {
fp_subn_low(a, a, fp_prime_get());
}
}
int auth_sha1_pack_auth_data(auth_simple_global_data *global, server_info *server, char *data, int datalength, char *outdata) {
unsigned char rand_len = (xorshift128plus() & 0x7F) + 1;
int data_offset = rand_len + 4 + 2;
int out_size = data_offset + datalength + 12 + OBFS_HMAC_SHA1_LEN;
fillcrc32to((unsigned char *)server->key, server->key_len, (unsigned char *)outdata);
outdata[4] = out_size >> 8;
outdata[5] = out_size;
outdata[6] = rand_len;
++global->connection_id;
if (global->connection_id > 0xFF000000) {
rand_bytes(global->local_client_id, 8);
rand_bytes((uint8_t*)&global->connection_id, 4);
global->connection_id &= 0xFFFFFF;
}
time_t t = time(NULL);
memintcopy_lt(outdata + data_offset, t);
memmove(outdata + data_offset + 4, global->local_client_id, 4);
memintcopy_lt(outdata + data_offset + 8, global->connection_id);
memmove(outdata + data_offset + 12, data, datalength);
char hash[ONETIMEAUTH_BYTES * 2];
ss_sha1_hmac(hash, outdata, out_size - OBFS_HMAC_SHA1_LEN, server->iv);
memcpy(outdata + out_size - OBFS_HMAC_SHA1_LEN, hash, OBFS_HMAC_SHA1_LEN);
return out_size;
}
/* Reset the nonce value, also done periodically to refresh entropy */
static void
prng_reset_nonce ()
{
const int size = md_kt_size (nonce_md) + nonce_secret_len;
#if 1 /* Must be 1 for real usage */
if (!rand_bytes (nonce_data, size))
msg (M_FATAL, "ERROR: Random number generator cannot obtain entropy for PRNG");
#else
/* Only for testing -- will cause a predictable PRNG sequence */
{
int i;
for (i = 0; i < size; ++i)
nonce_data[i] = (uint8_t) i;
}
#endif
}
int tls12_ticket_pack_auth_data(tls12_ticket_auth_global_data *global, server_info *server, char *outdata) {
int out_size = 32;
time_t t = time(NULL);
outdata[0] = t >> 24;
outdata[1] = t >> 16;
outdata[2] = t >> 8;
outdata[3] = t;
rand_bytes((uint8_t*)outdata + 4, 18);
uint8_t *key = (uint8_t*)malloc(server->key_len + 32);
char hash[ONETIMEAUTH_BYTES * 2];
memcpy(key, server->key, server->key_len);
memcpy(key + server->key_len, global->local_client_id, 32);
ss_sha1_hmac_with_key(hash, outdata, out_size - OBFS_HMAC_SHA1_LEN, key, server->key_len + 32);
free(key);
memcpy(outdata + out_size - OBFS_HMAC_SHA1_LEN, hash, OBFS_HMAC_SHA1_LEN);
return out_size;
}
void bn_rand(bn_t a, int sign, int bits) {
int digits;
SPLIT(bits, digits, bits, BN_DIG_LOG);
digits += (bits > 0 ? 1 : 0);
bn_grow(a, digits);
rand_bytes((uint8_t *)a->dp, digits * sizeof(dig_t));
a->used = digits;
a->sign = sign;
if (bits > 0) {
dig_t mask = ((dig_t)1 << (dig_t)bits) - 1;
a->dp[a->used - 1] &= mask;
}
bn_trim(a);
}
TEST_F(cryptoboxtest, performance)
{
#define NUM_MESSAGES 1000
#define MSG_SIZE 256
uint64_t t1, t2;
struct device *a, *b;
size_t len = MSG_SIZE;
add_devices(2);
connect_devices();
a = (struct device *)devicel.head->data;
b = (struct device *)devicel.tail->data;
err = device_new_session(a, b);
ASSERT_EQ(0, err);
uint8_t *msg = (uint8_t *)mem_alloc(len, NULL);
rand_bytes(msg, len);
re_printf("sending %d messages of size %zu bytes\n",
NUM_MESSAGES, len);
t1 = tmr_jiffies();
for (int i=0; i<NUM_MESSAGES; i++) {
send_message(a, b, msg, len);
}
t2 = tmr_jiffies();
re_printf("~~~ performance report ~~~\n");
re_printf("num_messages: %d\n", NUM_MESSAGES);
re_printf("message_size: %zu\n", len);
re_printf("total_time: %d ms\n", (int)(t2-t1));
re_printf("average: %.1f ms\n", 1.0*(t2-t1)/NUM_MESSAGES);
re_printf("~~~ ~~~ ~~~ ~~~ ~~~ ~~~ ~~~\n");
re_printf("\n");
mem_deref(msg);
}
int
radius_packet_init(struct pppoe_buf *pbuf, uint32 *seed, uint8 code) {
struct radius_packet *packet;
if (unlikely(!pbuf || !seed)) {
pppoe_log(LOG_WARNING, "Radius Packet init fail (input error)\n");
return PPPOEERR_EINVAL;
}
packet = (struct radius_packet *)pbuf_put(pbuf, sizeof(struct radius_packet));
packet->code = code;
packet->id = 0;
packet->length = htons(sizeof(struct radius_packet));
if (RADIUS_CODE_ACCESS_REQUEST == packet->code) {
rand_bytes(seed, packet->authenticator, RADIUS_AUTHLEN);
}
return PPPOEERR_SUCCESS;
}
int test_sys_rand(void)
{
char str[64];
uint8_t buf[64];
volatile uint16_t u16 = rand_u16();
volatile uint32_t u32 = rand_u32();
volatile uint64_t u64 = rand_u64();
volatile char ch = rand_char();
(void)u16;
(void)u32;
(void)u64;
(void)ch;
rand_str(str, sizeof(str));
rand_bytes(buf, sizeof(buf));
return 0;
}
void cipher_context_set_iv(cipher_ctx_t *evp, uint8_t *iv, size_t iv_len, int enc)
{
if (evp == NULL || iv == NULL) {
LOGE("cipher_context_set_keyiv(): Cipher context or IV is null");
return;
}
if (enc) {
rand_bytes(iv, iv_len);
}
#if defined(USE_CRYPTO_OPENSSL)
if (!EVP_CipherInit_ex(evp, NULL, NULL, enc_key, iv, enc)) {
EVP_CIPHER_CTX_cleanup(evp);
FATAL("Cannot set key and IV");
}
#elif defined(USE_CRYPTO_POLARSSL)
if (cipher_setkey(evp, enc_key, enc_key_len * 8, enc) != 0) {
cipher_free_ctx(evp);
FATAL("Cannot set PolarSSL cipher key");
}
#if POLARSSL_VERSION_NUMBER >= 0x01030000
if (cipher_set_iv(evp, iv, iv_len) != 0) {
cipher_free_ctx(evp);
FATAL("Cannot set PolarSSL cipher IV");
}
if(cipher_reset(evp) != 0) {
cipher_free_ctx(evp);
FATAL("Cannot finalize PolarSSL cipher context");
}
#else
if(cipher_reset(evp, iv) != 0) {
cipher_free_ctx(evp);
FATAL("Cannot set PolarSSL cipher IV");
}
#endif
#endif
#ifdef DEBUG
dump("IV", iv);
#endif
}
END_TEST
START_TEST(test_endtoend)
{
unsigned char pk1[CRYPTO_PUBLIC_KEY_SIZE];
unsigned char sk1[CRYPTO_SECRET_KEY_SIZE];
unsigned char pk2[CRYPTO_PUBLIC_KEY_SIZE];
unsigned char sk2[CRYPTO_SECRET_KEY_SIZE];
unsigned char k1[CRYPTO_SHARED_KEY_SIZE];
unsigned char k2[CRYPTO_SHARED_KEY_SIZE];
unsigned char n[CRYPTO_NONCE_SIZE];
unsigned char m[500];
unsigned char c1[sizeof(m) + CRYPTO_MAC_SIZE];
unsigned char c2[sizeof(m) + CRYPTO_MAC_SIZE];
unsigned char c3[sizeof(m) + CRYPTO_MAC_SIZE];
unsigned char c4[sizeof(m) + CRYPTO_MAC_SIZE];
unsigned char m1[sizeof(m)];
unsigned char m2[sizeof(m)];
unsigned char m3[sizeof(m)];
unsigned char m4[sizeof(m)];
int mlen;
int c1len, c2len, c3len, c4len;
int m1len, m2len, m3len, m4len;
int testno;
// Test 100 random messages and keypairs
for (testno = 0; testno < 100; testno++) {
//Generate random message (random length from 100 to 500)
mlen = (random_u32() % 400) + 100;
rand_bytes(m, mlen);
rand_bytes(n, CRYPTO_NONCE_SIZE);
//Generate keypairs
crypto_new_keypair(pk1, sk1);
crypto_new_keypair(pk2, sk2);
//Precompute shared keys
encrypt_precompute(pk2, sk1, k1);
encrypt_precompute(pk1, sk2, k2);
ck_assert_msg(memcmp(k1, k2, CRYPTO_SHARED_KEY_SIZE) == 0, "encrypt_precompute: bad");
//Encrypt all four ways
c1len = encrypt_data(pk2, sk1, n, m, mlen, c1);
c2len = encrypt_data(pk1, sk2, n, m, mlen, c2);
c3len = encrypt_data_symmetric(k1, n, m, mlen, c3);
c4len = encrypt_data_symmetric(k2, n, m, mlen, c4);
ck_assert_msg(c1len == c2len && c1len == c3len && c1len == c4len, "cyphertext lengths differ");
ck_assert_msg(c1len == mlen + (int)CRYPTO_MAC_SIZE, "wrong cyphertext length");
ck_assert_msg(memcmp(c1, c2, c1len) == 0 && memcmp(c1, c3, c1len) == 0
&& memcmp(c1, c4, c1len) == 0, "crypertexts differ");
//Decrypt all four ways
m1len = decrypt_data(pk2, sk1, n, c1, c1len, m1);
m2len = decrypt_data(pk1, sk2, n, c1, c1len, m2);
m3len = decrypt_data_symmetric(k1, n, c1, c1len, m3);
m4len = decrypt_data_symmetric(k2, n, c1, c1len, m4);
ck_assert_msg(m1len == m2len && m1len == m3len && m1len == m4len, "decrypted text lengths differ");
ck_assert_msg(m1len == mlen, "wrong decrypted text length");
ck_assert_msg(memcmp(m1, m2, mlen) == 0 && memcmp(m1, m3, mlen) == 0
&& memcmp(m1, m4, mlen) == 0, "decrypted texts differ");
ck_assert_msg(memcmp(m1, m, mlen) == 0, "wrong decrypted text");
}
}
int ss_encrypt_all(buffer_t *plain, int method, int auth, size_t capacity)
{
if (method > TABLE) {
cipher_ctx_t evp;
cipher_context_init(&evp, method, 1);
size_t iv_len = enc_iv_len;
int err = 1;
static buffer_t tmp = { 0, 0, 0, NULL };
brealloc(&tmp, iv_len + plain->len, capacity);
buffer_t *cipher = &tmp;
cipher->len = plain->len;
uint8_t iv[MAX_IV_LENGTH];
rand_bytes(iv, iv_len);
cipher_context_set_iv(&evp, iv, iv_len, 1);
memcpy(cipher->array, iv, iv_len);
if (auth) {
ss_onetimeauth(plain, iv, capacity);
cipher->len = plain->len;
}
if (method >= SALSA20) {
crypto_stream_xor_ic((uint8_t *)(cipher->array + iv_len),
(const uint8_t *)plain->array, (uint64_t)(plain->len),
(const uint8_t *)iv,
0, enc_key, method);
} else {
err = cipher_context_update(&evp, (uint8_t *)(cipher->array + iv_len),
&cipher->len, (const uint8_t *)plain->array,
plain->len);
}
if (!err) {
bfree(plain);
cipher_context_release(&evp);
return -1;
}
#ifdef DEBUG
dump("PLAIN", plain->array, plain->len);
dump("CIPHER", cipher->array + iv_len, cipher->len);
#endif
cipher_context_release(&evp);
brealloc(plain, iv_len + cipher->len, capacity);
memcpy(plain->array, cipher->array, iv_len + cipher->len);
plain->len = iv_len + cipher->len;
return 0;
} else {
char *begin = plain->array;
char *ptr = plain->array;
while (ptr < begin + plain->len) {
*ptr = (char)enc_table[(uint8_t)*ptr];
ptr++;
}
return 0;
}
}
void
tls_crypt_v2_write_client_key_file(const char *filename,
const char *b64_metadata,
const char *server_key_file,
const char *server_key_inline)
{
struct gc_arena gc = gc_new();
struct key_ctx server_key = { 0 };
struct buffer client_key_pem = { 0 };
struct buffer dst = alloc_buf_gc(TLS_CRYPT_V2_CLIENT_KEY_LEN
+ TLS_CRYPT_V2_MAX_WKC_LEN, &gc);
struct key2 client_key = { 2 };
if (!rand_bytes((void *)client_key.keys, sizeof(client_key.keys)))
{
msg(M_FATAL, "ERROR: could not generate random key");
goto cleanup;
}
ASSERT(buf_write(&dst, client_key.keys, sizeof(client_key.keys)));
struct buffer metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN, &gc);
if (b64_metadata)
{
if (TLS_CRYPT_V2_MAX_B64_METADATA_LEN < strlen(b64_metadata))
{
msg(M_FATAL,
"ERROR: metadata too long (%d bytes, max %u bytes)",
(int)strlen(b64_metadata), TLS_CRYPT_V2_MAX_B64_METADATA_LEN);
}
ASSERT(buf_write(&metadata, &TLS_CRYPT_METADATA_TYPE_USER, 1));
int decoded_len = openvpn_base64_decode(b64_metadata, BPTR(&metadata),
BCAP(&metadata));
if (decoded_len < 0)
{
msg(M_FATAL, "ERROR: failed to base64 decode provided metadata");
goto cleanup;
}
ASSERT(buf_inc_len(&metadata, decoded_len));
}
else
{
int64_t timestamp = htonll((uint64_t)now);
ASSERT(buf_write(&metadata, &TLS_CRYPT_METADATA_TYPE_TIMESTAMP, 1));
ASSERT(buf_write(&metadata, ×tamp, sizeof(timestamp)));
}
tls_crypt_v2_init_server_key(&server_key, true, server_key_file,
server_key_inline);
if (!tls_crypt_v2_wrap_client_key(&dst, &client_key, &metadata, &server_key,
&gc))
{
msg(M_FATAL, "ERROR: could not wrap generated client key");
goto cleanup;
}
/* PEM-encode Kc || WKc */
if (!crypto_pem_encode(tls_crypt_v2_cli_pem_name, &client_key_pem, &dst,
&gc))
{
msg(M_FATAL, "ERROR: could not PEM-encode client key");
goto cleanup;
}
if (!buffer_write_file(filename, &client_key_pem))
{
msg(M_FATAL, "ERROR: could not write client key file");
goto cleanup;
}
/* Sanity check: load client key (as "client") */
struct key_ctx_bi test_client_key;
struct buffer test_wrapped_client_key;
msg(D_GENKEY, "Testing client-side key loading...");
tls_crypt_v2_init_client_key(&test_client_key, &test_wrapped_client_key,
filename, NULL);
free_key_ctx_bi(&test_client_key);
/* Sanity check: unwrap and load client key (as "server") */
struct buffer test_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN,
&gc);
struct key2 test_client_key2 = { 0 };
free_key_ctx(&server_key);
tls_crypt_v2_init_server_key(&server_key, false, server_key_file,
server_key_inline);
msg(D_GENKEY, "Testing server-side key loading...");
ASSERT(tls_crypt_v2_unwrap_client_key(&test_client_key2, &test_metadata,
test_wrapped_client_key, &server_key));
secure_memzero(&test_client_key2, sizeof(test_client_key2));
free_buf(&test_wrapped_client_key);
cleanup:
secure_memzero(&client_key, sizeof(client_key));
free_key_ctx(&server_key);
buf_clear(&client_key_pem);
buf_clear(&dst);
gc_free(&gc);
}
_IKED::_IKED()
{
path_conf[ 0 ] = 0;
path_log[ 0 ] = 0;
peercount = 0;
loopcount = 0;
tunnelid = 2;
policyid = 1;
dnsgrpid = 0;
logflags = LOGFLAG_ECHO;
retry_count = 2;
retry_delay = 5;
sock_ike_open = 0;
sock_natt_open = 0;
rand_bytes( &ident, 2 );
lock_run.name( "run" );
lock_net.name( "net" );
lock_idb.name( "idb" );
cond_run.alert();
cond_idb.alert();
unsigned char xauth[] = VEND_XAUTH;
vend_xauth.set( xauth, sizeof( xauth ) );
unsigned char frag[] = VEND_FRAG;
vend_frag.set( frag, sizeof( frag ) );
unsigned char dpd1[] = VEND_DPD1;
vend_dpd1.set( dpd1, sizeof( dpd1 ) );
unsigned char dpd1_ng[] = VEND_DPD1_NG;
vend_dpd1_ng.set( dpd1_ng, sizeof( dpd1_ng ) );
unsigned char hbeat[] = VEND_HBEAT;
vend_hbeat.set( hbeat, sizeof( hbeat ) );
unsigned char natt_v00[] = VEND_NATT_V00;
vend_natt_v00.set( natt_v00, sizeof( natt_v00 ) );
unsigned char natt_v01[] = VEND_NATT_V01;
vend_natt_v01.set( natt_v01, sizeof( natt_v01 ) );
unsigned char natt_v02[] = VEND_NATT_V02;
vend_natt_v02.set( natt_v02, sizeof( natt_v02 ) );
unsigned char natt_v03[] = VEND_NATT_V03;
vend_natt_v03.set( natt_v03, sizeof( natt_v03 ) );
unsigned char natt_rfc[] = VEND_NATT_RFC;
vend_natt_rfc.set( natt_rfc, sizeof( natt_rfc ) );
unsigned char ssoft[] = VEND_SSOFT;
vend_ssoft.set( ssoft, sizeof( ssoft ) );
unsigned char kame[] = VEND_KAME;
vend_kame.set( kame, sizeof( kame ) );
unsigned char unity[] = VEND_UNITY;
vend_unity.set( unity, sizeof( unity ) );
unsigned char netsc[] = VEND_NETSC;
vend_netsc.set( netsc, sizeof( netsc ) );
unsigned char zwall[] = VEND_ZWALL;
vend_zwall.set( zwall, sizeof( zwall ) );
unsigned char swind[] = VEND_SWIND;
vend_swind.set( swind, sizeof( swind ) );
unsigned char chkpt[] = VEND_CHKPT;
vend_chkpt.set( chkpt, sizeof( chkpt ) );
unsigned char fwtype[] = UNITY_FWTYPE;
unity_fwtype.set( fwtype, sizeof( fwtype ) );
dump_decrypt = false;
dump_encrypt = false;
conf_fail = false;
}
