From 9e8d603d14561095fb8d08871319a315d3bf6763 Mon Sep 17 00:00:00 2001
From: Dimitri Staessens <dimitri@ouroboros.rocks>
Date: Fri, 2 Aug 2019 19:12:34 +0200
Subject: lib: Add per-message encryption with OpenSSL

This adds a per-message symmetric encryption using the OpenSSL
library. At flow allocation, an Elliptic Curve Diffie-Hellman exchange
is performed to derive a shared secret, which is then hashed using
SHA3-256 to be used as a key for symmetric AES-256 encryption. Each
message on an encrypted flow adds a small crypto header that includes
a random 128-bit Initialization Vector (IV). If the server does not
have OpenSSL enabled, the flow allocation will fail with an -ECRYPT
error.

Future optimizations are to piggyback the public keys on the flow
allocation message, and to enable per-flow encryption that maintains
the context of the encryption over multiple packets and doesn't
require sending IVs.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
---
 src/lib/config.h.in | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src/lib/config.h.in')

diff --git a/src/lib/config.h.in b/src/lib/config.h.in
index 3e5a7b1e..70261cab 100644
--- a/src/lib/config.h.in
+++ b/src/lib/config.h.in
@@ -24,6 +24,10 @@
 #cmakedefine HAVE_LIBGCRYPT
 #cmakedefine HAVE_OPENSSL
 
+#ifdef HAVE_OPENSSL
+#define HAVE_ENCRYPTION
+#endif
+
 #define SYS_MAX_FLOWS       @SYS_MAX_FLOWS@
 
 #cmakedefine                SHM_RBUFF_LOCKLESS
-- 
cgit v1.2.3