From 9e8d603d14561095fb8d08871319a315d3bf6763 Mon Sep 17 00:00:00 2001
From: Dimitri Staessens
Date: Fri, 2 Aug 2019 19:12:34 +0200
Subject: lib: Add per-message encryption with OpenSSL This adds a per-message symmetric encryption using the OpenSSL library. At flow allocation, an Elliptic Curve Diffie-Hellman exchange is performed to derive a shared secret, which is then hashed using SHA3-256 to be used as a key for symmetric AES-256 encryption. Each message on an encrypted flow adds a small crypto header that includes a random 128-bit Initialization Vector (IV). If the server does not have OpenSSL enabled, the flow allocation will fail with an -ECRYPT error. Future optimizations are to piggyback the public keys on the flow allocation message, and to enable per-flow encryption that maintains the context of the encryption over multiple packets and doesn't require sending IVs.
Signed-off-by: Dimitri Staessens
Signed-off-by: Sander Vrijders
---
 src/ipcpd/eth/eth.c | 3 +++
 src/ipcpd/udp/main.c | 4 ++++
 src/ipcpd/unicast/fa.c | 3 +++
 3 files changed, 10 insertions(+)
(limited to 'src/ipcpd')
diff --git a/src/ipcpd/eth/eth.c b/src/ipcpd/eth/eth.c
index 1a332272..dccfd190 100644
--- a/src/ipcpd/eth/eth.c
+++ b/src/ipcpd/eth/eth.c
@@ -162,6 +162,7 @@ struct mgmt_msg {
 uint32_t ber;
 uint32_t max_gap;
 uint32_t delay;
+ uint16_t cypher_s;
 uint8_t in_order;
 #if defined (BUILD_ETH_DIX)
 uint8_t code;
@@ -485,6 +486,7 @@ static int eth_ipcp_alloc(const uint8_t * dst_addr,
 msg->ber = hton32(qs.ber);
 msg->in_order = qs.in_order;
 msg->max_gap = hton32(qs.max_gap);
+ msg->cypher_s = hton16(qs.cypher_s);
 memcpy(msg + 1, hash, ipcp_dir_hash_len());
@@ -731,6 +733,7 @@ static int eth_ipcp_mgmt_frame(const uint8_t * buf,
 qs.ber = ntoh32(msg->ber);
 qs.in_order = msg->in_order;
 qs.max_gap = ntoh32(msg->max_gap);
+ qs.cypher_s = hton32(msg->cypher_s);
 if (shim_data_reg_has(eth_data.shim_data, buf + sizeof(*msg))) {
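Review bot: In the last eth.c hunk (`eth_ipcp_mgmt_frame`) the received field is decoded with `hton32(msg->cypher_s)`, although the first hunk declares it `uint16_t` and `eth_ipcp_alloc` sends it with `hton16`. A 32-bit swap of a 16-bit value moves the payload into the upper bytes on a little-endian host, so the receiver gets a wrong cipher-strength value, most likely 0 if `qs.cypher_s` is 16 bits wide (its declaration is not part of this diff). Because this field presumably decides whether and how the receiving side encrypts the flow, the two ends must decode it identically; the line should read `qs.cypher_s = ntoh16(msg->cypher_s);`, as fa.c does. The function body continues outside the hunk.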
diff --git a/src/ipcpd/udp/main.c b/src/ipcpd/udp/main.c
index a1dcb602..f6aa57d1 100644
--- a/src/ipcpd/udp/main.c
+++ b/src/ipcpd/udp/main.c
@@ -91,6 +91,7 @@ struct mgmt_msg {
 uint32_t loss;
 uint32_t ber;
 uint32_t max_gap;
+ uint32_t cypher_s;
 } __attribute__((packed));
 struct mgmt_frame {
@@ -209,6 +210,7 @@ static int ipcp_udp_port_alloc(int skfd,
 msg->ber = hton32(qs.ber);
 msg->in_order = qs.in_order;
 msg->max_gap = hton32(qs.max_gap);
+ msg->cypher_s = hton32(qs.cypher_s);
 memcpy(msg + 1, dst, ipcp_dir_hash_len());
@@ -383,6 +385,8 @@ static int ipcp_udp_mgmt_frame(const uint8_t * buf,
 qs.ber = ntoh32(msg->ber);
 qs.in_order = msg->in_order;
 qs.max_gap = ntoh32(msg->max_gap);
+ qs.cypher_s = ntoh16(msg->cypher_s);
+
 return ipcp_udp_port_req(&c_saddr, ntoh32(msg->s_eid), (uint8_t *) (msg + 1), qs);
 case FLOW_REPLY:
diff --git a/src/ipcpd/unicast/fa.c b/src/ipcpd/unicast/fa.c
index fbcbc6fa..c1cb065f 100644
--- a/src/ipcpd/unicast/fa.c
+++ b/src/ipcpd/unicast/fa.c
@@ -66,6 +66,7 @@ struct fa_msg {
 uint32_t loss;
 uint32_t ber;
 uint32_t max_gap;
+ uint16_t cypher_s;
 } __attribute__((packed));
 struct cmd {
@@ -217,6 +218,7 @@ static void * fa_handle_packet(void * o)
 qs.ber = ntoh32(msg->ber);
 qs.in_order = msg->in_order;
 qs.max_gap = ntoh32(msg->max_gap);
+ qs.cypher_s = ntoh16(msg->cypher_s);
 fd = ipcp_flow_req_arr((uint8_t *) (msg + 1), ipcp_dir_hash_len(),
@@ -386,6 +388,7 @@ int fa_alloc(int fd,
 msg->ber = hton32(qs.ber);
 msg->in_order = qs.in_order;
 msg->max_gap = hton32(qs.max_gap);
+ msg->cypher_s = hton16(qs.cypher_s);
 memcpy(msg + 1, dst, ipcp_dir_hash_len());
--
cgit v1.2.3
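Review bot: The three udp/main.c hunks disagree on the width of `cypher_s`: the packed `struct mgmt_msg` declares `uint32_t cypher_s` and `ipcp_udp_port_alloc` sends `hton32(qs.cypher_s)`, but `ipcp_udp_mgmt_frame` decodes it with `ntoh16(msg->cypher_s)`. Assuming `ntoh16` works on the low 16 bits, a little-endian receiver sees 0 for any value below 65536, so the requested cipher strength is lost on the receiving side. eth.c and fa.c carry the field as 16 bits, so the consistent fix is `uint16_t cypher_s;` in the struct and `msg->cypher_s = hton16(qs.cypher_s);` in the sender, leaving the receive line as it is. Both functions continue outside their hunks.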
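Review bot: In `fa_handle_packet` (second fa.c hunk), `qs.cypher_s = ntoh16(msg->cypher_s);` copies a peer-supplied value into the QoS spec just before the `ipcp_flow_req_arr` call, with no range check visible in the hunk. If only a small set of key sizes is valid, rejecting anything else here, or stating in a comment that the library validates it, would keep a malformed or altered allocation message from selecting an unintended mode, including 0 if that means unencrypted. The field also has no documentation; a comment on the `struct fa_msg` member such as `/* requested cipher strength; 0 = no encryption (confirm) */` would help. The receive paths in eth.c and udp/main.c take the value from the wire in the same way, and the function continues outside the hunk.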