From fd3381002564c87b85feb2d1947a588e8ca6fdf9 Mon Sep 17 00:00:00 2001 From: Dimitri Staessens Date: Fri, 29 Sep 2023 13:15:00 +0200 Subject: lib: Make crypt.c independent source file The cryptography functions were in a C source that was directly imported into dev.c, enabling ECDHE+AES256 symmetric key encryption on flows. Now crypt.c is an independent source file with associated crypt.h header, to prepare for security management and configuration in the IRMd. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders --- src/lib/CMakeLists.txt | 1 + src/lib/crypt.c | 89 +++++++++++++++++++++++++++++--------------------- src/lib/dev.c | 30 ++++++++--------- src/lib/frct.c | 2 +- 4 files changed, 68 insertions(+), 54 deletions(-) (limited to 'src/lib') diff --git a/src/lib/CMakeLists.txt b/src/lib/CMakeLists.txt index b75fd0e0..514d60d4 100644 --- a/src/lib/CMakeLists.txt +++ b/src/lib/CMakeLists.txt @@ -253,6 +253,7 @@ set(SOURCE_FILES_COMMON bitmap.c btree.c crc32.c + crypt.c hash.c list.c lockfile.c diff --git a/src/lib/crypt.c b/src/lib/crypt.c index 600ff3d1..c5d6101a 100644 --- a/src/lib/crypt.c +++ b/src/lib/crypt.c @@ -20,9 +20,19 @@ * License along with this library; if not, write to the Free Software * Foundation, Inc., http://www.fsf.org/about/contact/. */ +#include + +#include +#include + +#include +#include #ifdef HAVE_OPENSSL +#include +#include + #include #include #include @@ -202,7 +212,8 @@ static int openssl_ecdh_derive(void * pkp, * encryption context for each packet. */ -static int openssl_encrypt(struct flow * f, +static int openssl_encrypt(void * ctx, + uint8_t * key, struct shm_du_buff * sdb) { uint8_t * out; @@ -226,24 +237,24 @@ static int openssl_encrypt(struct flow * f, if (out == NULL) goto fail_iv; - EVP_CIPHER_CTX_reset(f->ctx); + EVP_CIPHER_CTX_reset(ctx); - ret = EVP_EncryptInit_ex(f->ctx, EVP_aes_256_cbc(), NULL, f->key, iv); + ret = EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv); if (ret != 1) goto fail_encrypt_init; - ret = EVP_EncryptUpdate(f->ctx, out, &tmp_sz, in, in_sz); + ret = EVP_EncryptUpdate(ctx, out, &tmp_sz, in, in_sz); if (ret != 1) goto fail_encrypt; out_sz = tmp_sz; - ret = EVP_EncryptFinal_ex(f->ctx, out + tmp_sz, &tmp_sz); + ret = EVP_EncryptFinal_ex(ctx, out + tmp_sz, &tmp_sz); if (ret != 1) goto fail_encrypt; out_sz += tmp_sz; - EVP_CIPHER_CTX_cleanup(f->ctx); + EVP_CIPHER_CTX_cleanup(ctx); assert(out_sz >= in_sz); @@ -264,14 +275,15 @@ static int openssl_encrypt(struct flow * f, fail_tail_alloc: shm_du_buff_head_release(sdb, IVSZ); fail_encrypt: - EVP_CIPHER_CTX_cleanup(f->ctx); + EVP_CIPHER_CTX_cleanup(ctx); fail_encrypt_init: free(out); fail_iv: return -ECRYPT; } -static int openssl_decrypt(struct flow * f, +static int openssl_decrypt(void * ctx, + uint8_t * key, struct shm_du_buff * sdb) { uint8_t * in; @@ -297,19 +309,19 @@ static int openssl_decrypt(struct flow * f, if (out == NULL) goto fail_malloc; - EVP_CIPHER_CTX_reset(f->ctx); + EVP_CIPHER_CTX_reset(ctx); - ret = EVP_DecryptInit_ex(f->ctx, EVP_aes_256_cbc(), NULL, f->key, iv); + ret = EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv); if (ret != 1) goto fail_decrypt_init; - ret = EVP_DecryptUpdate(f->ctx, out, &tmp_sz, in, in_sz); + ret = EVP_DecryptUpdate(ctx, out, &tmp_sz, in, in_sz); if (ret != 1) goto fail_decrypt; out_sz = tmp_sz; - ret = EVP_DecryptFinal_ex(f->ctx, out + tmp_sz, &tmp_sz); + ret = EVP_DecryptFinal_ex(ctx, out + tmp_sz, &tmp_sz); if (ret != 1) goto fail_decrypt; @@ -326,7 +338,7 @@ static int openssl_decrypt(struct flow * f, return 0; fail_decrypt: - EVP_CIPHER_CTX_cleanup(f->ctx); + EVP_CIPHER_CTX_cleanup(ctx); fail_decrypt_init: free(out); fail_malloc: @@ -350,8 +362,8 @@ static void openssl_crypt_fini(void * ctx) #endif /* HAVE_OPENSSL */ -static int crypt_dh_pkp_create(void ** pkp, - uint8_t * pk) +int crypt_dh_pkp_create(void ** pkp, + uint8_t * pk) { #ifdef HAVE_OPENSSL assert(pkp != NULL); @@ -361,14 +373,13 @@ static int crypt_dh_pkp_create(void ** pkp, (void) pkp; (void) pk; - memset(pk, 0, MSGBUFSZ); *pkp = NULL; return 0; #endif } -static void crypt_dh_pkp_destroy(void * pkp) +void crypt_dh_pkp_destroy(void * pkp) { #ifdef HAVE_OPENSSL openssl_ecdh_pkp_destroy(pkp); @@ -378,10 +389,10 @@ static void crypt_dh_pkp_destroy(void * pkp) #endif } -static int crypt_dh_derive(void * pkp, - uint8_t * pk, - size_t len, - uint8_t * s) +int crypt_dh_derive(void * pkp, + uint8_t * pk, + size_t len, + uint8_t * s) { #ifdef HAVE_OPENSSL return openssl_ecdh_derive(pkp, pk, len, s); @@ -396,50 +407,52 @@ static int crypt_dh_derive(void * pkp, #endif } -static int crypt_encrypt(struct flow * f, - struct shm_du_buff * sdb) +int crypt_encrypt(struct crypt_info * info, + struct shm_du_buff * sdb) { + if (info->flags == 0) + return 0; + #ifdef HAVE_OPENSSL - return openssl_encrypt(f, sdb); + return openssl_encrypt(info->ctx, info->key, sdb); #else - (void) f; (void) sdb; return 0; #endif } -static int crypt_decrypt(struct flow * f, - struct shm_du_buff * sdb) +int crypt_decrypt(struct crypt_info * info, + struct shm_du_buff * sdb) { + if (info->flags == 0) + return 0; + #ifdef HAVE_OPENSSL - return openssl_decrypt(f, sdb); + return openssl_decrypt(info->ctx, info->key, sdb); #else - (void) f; (void) sdb; return -ECRYPT; #endif } -static int crypt_init(void ** ctx) +int crypt_init(struct crypt_info * info) { #ifdef HAVE_OPENSSL - return openssl_crypt_init(ctx); + return openssl_crypt_init(&info->ctx); #else - assert(ctx != NULL); - *ctx = NULL; - + info->ctx = NULL; return 0; #endif } -static void crypt_fini(void * ctx) +void crypt_fini(struct crypt_info * info) { #ifdef HAVE_OPENSSL - openssl_crypt_fini(ctx); + openssl_crypt_fini(info->ctx); #else - assert(ctx == NULL); - (void) ctx; + (void) info; + assert(info->ctx == NULL); #endif } diff --git a/src/lib/dev.c b/src/lib/dev.c index ef909e1a..02f9d3f9 100644 --- a/src/lib/dev.c +++ b/src/lib/dev.c @@ -30,6 +30,7 @@ #include #include +#include #include #include #include @@ -71,7 +72,6 @@ #define CRCLEN (sizeof(uint32_t)) #define SECMEMSZ 16384 -#define SYMMKEYSZ 32 #define MSGBUFSZ 2048 enum flow_state { @@ -102,8 +102,7 @@ struct flow { qosspec_t qs; ssize_t part_idx; - void * ctx; - uint8_t key[SYMMKEYSZ]; + struct crypt_info crypt; pid_t pid; @@ -256,7 +255,6 @@ static int proc_announce(char * prog) return ret; } -#include "crypt.c" #include "frct.c" void * flow_tx(void * o) @@ -429,8 +427,7 @@ static void flow_fini(int fd) shm_flow_set_close(ai.flows[fd].set); } - if (ai.flows[fd].ctx != NULL) - crypt_fini(ai.flows[fd].ctx); + crypt_fini(&ai.flows[fd].crypt); list_del(&ai.flows[fd].next); @@ -480,12 +477,15 @@ static int flow_init(int flow_id, flow->snd_act = now; flow->rcv_act = now; - if (qs.cypher_s > 0) { - if (crypt_init(&flow->ctx) < 0) - goto fail_ctx; + flow->crypt.flags = qs.cypher_s; /* TODO: remove cypher_s from qos */ - memcpy(flow->key, s, SYMMKEYSZ); - } + if (flow->crypt.flags > 0) + memcpy(flow->crypt.key, s ,SYMMKEYSZ); + else + memset(flow->crypt.key, 0, SYMMKEYSZ); + + if (crypt_init(&flow->crypt) < 0) + goto fail_crypt; assert(flow->frcti == NULL); @@ -518,8 +518,8 @@ static int flow_init(int flow_id, fail_flow_set_add: frcti_destroy(flow->frcti); fail_frcti: - crypt_fini(flow->ctx); - fail_ctx: + crypt_fini(&flow->crypt); + fail_crypt: shm_flow_set_close(flow->set); fail_set: shm_rbuff_close(flow->tx_rb); @@ -1299,7 +1299,7 @@ static int flow_tx_sdb(struct flow * flow, if (frcti_snd(flow->frcti, sdb) < 0) goto enomem; - if (flow->qs.cypher_s > 0 && crypt_encrypt(flow, sdb) < 0) + if (crypt_encrypt(&flow->crypt, sdb) < 0) goto enomem; if (flow->qs.ber == 0 && add_crc(sdb) != 0) @@ -1401,7 +1401,7 @@ static bool invalid_pkt(struct flow * flow, if (flow->qs.ber == 0 && chk_crc(sdb) != 0) return true; - if (flow->qs.cypher_s > 0 && crypt_decrypt(flow, sdb) < 0) + if (crypt_decrypt(&flow->crypt, sdb) < 0) return true; return false; diff --git a/src/lib/frct.c b/src/lib/frct.c index a00b1acd..a3408481 100644 --- a/src/lib/frct.c +++ b/src/lib/frct.c @@ -261,7 +261,7 @@ static void __send_frct_pkt(int fd, f = &ai.flows[fd]; - if (f->qs.cypher_s > 0 && crypt_encrypt(f, sdb) < 0) + if (crypt_encrypt(&f->crypt, sdb) < 0) goto fail; #ifdef RXM_BLOCKING -- cgit v1.2.3