warp-vpn

point to point VPN implementation
git clone git://git.2f30.org/warp-vpn
Log | Files | Refs | README
commit c068ba6ba9eb642e238f2a88007a5ae04ad9c95b
parent d05cd9b2a746d2f235804c1ac84c79c829d1e9f9
Author: sin <sin@2f30.org>
Date:   Tue, 12 Apr 2016 11:32:23 +0100

factor out crypto code

Diffstat:

MMakefile | 4++--


Acrypto.c | 81+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Mstun.c | 72+++++++++++++-----------------------------------------------------------


Mstun.h | 12++++++++++++


4 files changed, 108 insertions(+), 61 deletions(-)

diff --git a/Makefile b/Makefile
@@ -1,9 +1,9 @@
 include config.mk
 
 DISTFILES = Makefile README WHATSNEW UNLICENSE arg.h \
-	config.mk dev_bsd.c dev_linux.c log.c stun.8 stun.c \
+	config.mk crypto.c dev_bsd.c dev_linux.c log.c stun.8 stun.c \
 	stun.h util.c
-OBJ = $(EXTRAOBJ) log.o stun.o util.o
+OBJ = $(EXTRAOBJ) crypto.o log.o stun.o util.o
 BIN = stun
 
 all: $(BIN)
diff --git a/crypto.c b/crypto.c
@@ -0,0 +1,81 @@
+#include <string.h>
+
+#include <openssl/evp.h>
+
+#include "stun.h"
+
+static EVP_AEAD_CTX ectx, dctx;
+static const EVP_AEAD *aead;
+static unsigned char key[EVP_MAX_KEY_LENGTH];
+
+static void
+findcipher(const char *name)
+{
+	struct {
+		const char *name;
+		const EVP_AEAD *(*aeadfn)(void);
+	} *cp, ciphers[] = {
+		{ "aes-128-gcm", EVP_aead_aes_128_gcm },
+		{ "aes-256-gcm", EVP_aead_aes_256_gcm },
+		{ "chacha20-poly1305", EVP_aead_chacha20_poly1305 },
+		{ "chacha20-poly1305-ietf", EVP_aead_chacha20_poly1305_ietf },
+		{ NULL, NULL }
+	};
+
+	for (cp = ciphers; cp->name; cp++) {
+		if (strcmp(cp->name, name) == 0) {
+			aead = (*cp->aeadfn)();
+			return;
+		}
+	}
+	logerr("unknown cipher: %s", name);
+}
+
+void
+cryptoinit(char *pw)
+{
+	size_t keylen;
+
+	findcipher(cipher);
+	keylen = EVP_AEAD_key_length(aead);
+	if (!PKCS5_PBKDF2_HMAC_SHA1(pw, strlen(pw), NULL, 0, NROUNDS,
+		                    keylen, key))
+		logerr("PKCS5_PBKDF2_HMAC_SHA1 failed");
+
+	if (!EVP_AEAD_CTX_init(&ectx, aead, key, keylen,
+	                       EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
+		logerr("EVP_AEAD_CTX_init failed");
+	if (!EVP_AEAD_CTX_init(&dctx, aead, key, keylen,
+	                       EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
+		logerr("EVP_AEAD_CTX_init failed");
+}
+
+size_t
+cryptononcelen(void)
+{
+	return EVP_AEAD_nonce_length(aead);
+}
+
+size_t
+cryptotaglen(void)
+{
+	return EVP_AEAD_max_tag_len(aead);
+}
+
+int
+cryptoseal(unsigned char *out, size_t *outlen, size_t maxoutlen,
+           const unsigned char *nonce, size_t noncelen, const unsigned char *in,
+           size_t inlen, const unsigned char *ad, size_t adlen)
+{
+	return EVP_AEAD_CTX_seal(&ectx, out, outlen, maxoutlen, nonce, noncelen,
+	                         in, inlen, ad, adlen);
+}
+
+int
+cryptoopen(unsigned char *out, size_t *outlen, size_t maxoutlen,
+           const unsigned char *nonce, size_t noncelen, const unsigned char *in,
+           size_t inlen, const unsigned char *ad, size_t adlen)
+{
+	return EVP_AEAD_CTX_open(&dctx, out, outlen, maxoutlen, nonce, noncelen,
+	                         in, inlen, ad, adlen);
+}
diff --git a/stun.c b/stun.c
@@ -62,16 +62,12 @@
 #include <time.h>
 #include <unistd.h>
 
-#include <openssl/evp.h>
 #if defined(__linux__)
 #include <bsd/stdlib.h>
 #endif
 
 #include "stun.h"
 
-EVP_AEAD_CTX ectx, dctx;
-const EVP_AEAD *aead;
-unsigned char key[EVP_MAX_KEY_LENGTH];
 char *argv0;
 char *bindaddr;
 char *host;
@@ -86,8 +82,8 @@ int
 writenet(int fd, unsigned char *pt, int ptlen)
 {
 	unsigned char *pkt;
-	size_t noncelen = EVP_AEAD_nonce_length(aead);
-	size_t taglen = EVP_AEAD_max_tag_len(aead);
+	size_t noncelen = cryptononcelen();
+	size_t taglen = cryptotaglen();
 	size_t pktlen = noncelen + HDRLEN + ptlen + taglen;
 	size_t outlen;
 	int n;
@@ -97,11 +93,11 @@ writenet(int fd, unsigned char *pt, int ptlen)
 
 	arc4random_buf(pkt, noncelen);
 	pack16(&pkt[noncelen], ptlen);
-	if (!EVP_AEAD_CTX_seal(&ectx, &pkt[noncelen + HDRLEN], &outlen,
-	                       ptlen + taglen, pkt, noncelen,
-	                       pt, ptlen, &pkt[noncelen], HDRLEN)) {
+	if (!cryptoseal(&pkt[noncelen + HDRLEN], &outlen,
+	                ptlen + taglen, pkt, noncelen,
+	                pt, ptlen, &pkt[noncelen], HDRLEN)) {
 		free(pkt);
-		logwarn("EVP_AEAD_CTX_seal failed");
+		logwarn("cryptoseal failed");
 		return -1;
 	}
 
@@ -120,8 +116,8 @@ int
 readnet(int fd, unsigned char *pt, int ptlen)
 {
 	unsigned char *pkt;
-	size_t noncelen = EVP_AEAD_nonce_length(aead);
-	size_t taglen = EVP_AEAD_max_tag_len(aead);
+	size_t noncelen = cryptononcelen();
+	size_t taglen = cryptotaglen();
 	size_t pktlen = noncelen + HDRLEN + ptlen + taglen;
 	size_t outlen;
 	int n, ctlen;
@@ -139,11 +135,11 @@ readnet(int fd, unsigned char *pt, int ptlen)
 	if ((n = readall(fd, &pkt[noncelen + HDRLEN], ctlen + taglen)) <= 0)
 		goto err;
 
-	if (!EVP_AEAD_CTX_open(&dctx, pt, &outlen, ptlen, pkt, noncelen,
-	                       &pkt[noncelen + HDRLEN], ctlen + taglen,
-	                       &pkt[noncelen], HDRLEN)) {
+	if (!cryptoopen(pt, &outlen, ptlen, pkt, noncelen,
+	                &pkt[noncelen + HDRLEN], ctlen + taglen,
+	                &pkt[noncelen], HDRLEN)) {
 		free(pkt);
-		logwarn("EVP_AEAD_CTX_open failed");
+		logwarn("cryptoopen failed");
 		return BADPKT;
 	}
 
@@ -376,48 +372,6 @@ err:
 }
 
 void
-mapaead(const EVP_AEAD **aead, const char *name)
-{
-	struct {
-		const char *name;
-		const EVP_AEAD *(*aeadfn)(void);
-	} *cp, ciphers[] = {
-		{ "aes-128-gcm", EVP_aead_aes_128_gcm },
-		{ "aes-256-gcm", EVP_aead_aes_256_gcm },
-		{ "chacha20-poly1305", EVP_aead_chacha20_poly1305 },
-		{ "chacha20-poly1305-ietf", EVP_aead_chacha20_poly1305_ietf },
-		{ NULL, NULL }
-	};
-
-	for (cp = ciphers; cp->name; cp++) {
-		if (strcmp(cp->name, name) == 0) {
-			*aead = (*cp->aeadfn)();
-			return;
-		}
-	}
-	logerr("unknown cipher: %s", name);
-}
-
-void
-aeadinit(char *pw)
-{
-	size_t keylen;
-
-	mapaead(&aead, cipher);
-	keylen = EVP_AEAD_key_length(aead);
-	if (!PKCS5_PBKDF2_HMAC_SHA1(pw, strlen(pw), NULL, 0, NROUNDS,
-		                    keylen, key))
-		logerr("PKCS5_PBKDF2_HMAC_SHA1 failed");
-
-	if (!EVP_AEAD_CTX_init(&ectx, aead, key, keylen,
-	                       EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
-		logerr("EVP_AEAD_CTX_init failed");
-	if (!EVP_AEAD_CTX_init(&dctx, aead, key, keylen,
-	                       EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
-		logerr("EVP_AEAD_CTX_init failed");
-}
-
-void
 usage(void)
 {
 	fprintf(stderr, "usage: stun [-df] -s [-b address] [-p port] [-t devtype] [-c cipher] interface\n");
@@ -484,7 +438,7 @@ main(int argc, char *argv[])
 
 	if (!(pw = getenv("STUNPW")))
 		logerr("STUNPW is not set");
-	aeadinit(pw);
+	cryptoinit(pw);
 	bzero(pw, strlen(pw));
 
 	if (sflag)
diff --git a/stun.h b/stun.h
@@ -18,6 +18,18 @@ enum {
 extern int devtype;
 extern int debug;
 extern int foreground;
+extern char *cipher;
+
+/* crypto.c */
+void cryptoinit(char *);
+size_t cryptononcelen(void);
+size_t cryptotaglen(void);
+int cryptoseal(unsigned char *, size_t *, size_t, const unsigned char *,
+               size_t, const unsigned char *, size_t, const unsigned char *,
+               size_t);
+int cryptoopen(unsigned char *, size_t *, size_t, const unsigned char *,
+               size_t, const unsigned char *, size_t, const unsigned char *,
+               size_t);
 
 /* dev_*.c */
 int opendev(char *);