AC_HEADER_STDC
AC_CHECK_HEADERS([stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/socket.h sys/time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h])
-AC_CHECK_HEADERS([net/if.h net/if_types.h linux/if_tun.h net/if_tun.h net/if_tap.h net/ethernet.h net/if_arp.h netinet/in_systm.h netinet/in.h netinet/in6.h],
+AC_CHECK_HEADERS([net/if.h net/if_types.h linux/if_tun.h net/if_tun.h net/if_tap.h net/ethernet.h net/if_arp.h netinet/in_systm.h netinet/in.h netinet/in6.h time.h],
[], [], [#include "have.h"]
)
AC_CHECK_HEADERS([netinet/if_ether.h netinet/ip.h netinet/ip6.h],
AC_FUNC_MEMCMP
AC_FUNC_ALLOCA
AC_TYPE_SIGNAL
-AC_CHECK_FUNCS([asprintf daemon fchmod flock ftime fork get_current_dir_name gettimeofday mlockall putenv random select strdup strerror strsignal strtol system unsetenv vsyslog writev],
+AC_CHECK_FUNCS([asprintf daemon fchmod flock ftime fork get_current_dir_name gettimeofday mlockall putenv random select strdup strerror strsignal strtol system time unsetenv vsyslog writev],
[], [], [#include "have.h"]
)
AC_FUNC_MALLOC
if test "$with_libgcrypt" = yes; then
AM_PATH_LIBGCRYPT([1.4.0], [], [])
- ln -sf gcrypt/crypto.c gcrypt/crypto.h gcrypt/cipher.c gcrypt/cipher.h gcrypt/digest.c gcrypt/digest.h gcrypt/rsa.c gcrypt/rsa.h src/
+ ln -sf gcrypt/cipher.c gcrypt/cipher.h gcrypt/crypto.c gcrypt/crypto.h gcrypt/digest.c gcrypt/digest.h gcrypt/rsa.c gcrypt/rsa.h gcrypt/rsagen.c gcrypt/rsagen.h src/
else
tinc_OPENSSL
- ln -sf openssl/crypto.c openssl/crypto.h openssl/cipher.c openssl/cipher.h openssl/digest.c openssl/digest.h openssl/rsa.c openssl/rsa.h src/
+ ln -sf openssl/cipher.c openssl/cipher.h openssl/crypto.c openssl/crypto.h openssl/digest.c openssl/digest.h openssl/rsa.c openssl/rsa.h openssl/rsagen.c openssl/rsagen.h src/
fi
#include <sys/time.h>
#endif
+#ifdef HAVE_TIME_H
+#include <time.h>
+#endif
+
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#include <winsock2.h>
#endif
+#ifdef HAVE_LIBEVENT
+#include <event.h>
+#endif
+
#endif /* __TINC_SYSTEM_H__ */
net_socket.c netutl.c node.c process.c protocol.c protocol_auth.c protocol_edge.c protocol_misc.c \
protocol_key.c protocol_subnet.c route.c rsa.c subnet.c tincd.c
-tincctl_SOURCES = tincctl.c
+tincctl_SOURCES = tincctl.c rsagen.c
nodist_tincd_SOURCES = device.c
INCLUDES = @INCLUDES@ -I$(top_builddir) -I$(top_srcdir)/lib
noinst_HEADERS = cipher.h conf.h connection.h control.h crypto.h device.h digest.h edge.h graph.h logger.h meta.h net.h netutl.h node.h process.h \
- protocol.h route.h rsa.h subnet.h
+ protocol.h route.h rsa.h rsagen.h subnet.h
LIBS = @LIBS@ @LIBGCRYPT_LIBS@ @LIBINTL@
#ifndef __TINC_CONNECTION_H__
#define __TINC_CONNECTION_H__
-#include <event.h>
-
#include "cipher.h"
#include "digest.h"
#include "rsa.h"
};
static bool nametocipher(const char *name, int *algo, int *mode) {
- int i;
+ size_t i;
for(i = 0; i < sizeof ciphertable / sizeof *ciphertable; i++) {
if(ciphertable[i].name && !strcasecmp(name, ciphertable[i].name)) {
}
static bool nidtocipher(int nid, int *algo, int *mode) {
- int i;
+ size_t i;
for(i = 0; i < sizeof ciphertable / sizeof *ciphertable; i++) {
if(nid == ciphertable[i].nid) {
}
static bool ciphertonid(int algo, int mode, int *nid) {
- int i;
+ size_t i;
for(i = 0; i < sizeof ciphertable / sizeof *ciphertable; i++) {
if(algo == ciphertable[i].algo && mode == ciphertable[i].mode) {
#include <gcrypt.h>
+#define CIPHER_MAX_BLOCK_SIZE 32
+#define CIPHER_MAX_IV_SIZE 16
+#define CIPHER_MAX_KEY_SIZE 32
+
typedef struct cipher {
gcry_cipher_hd_t handle;
char *key;
#include <gcrypt.h>
+#define DIGEST_MAX_SIZE 64
+
typedef struct digest {
int algo;
int nid;
#include "logger.h"
#include "rsa.h"
-// Base64 encoding/decoding tables
+// Base64 decoding table
static const uint8_t b64d[128] = {
0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff
};
-static const char b64e[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
// PEM encoding/decoding functions
static bool pem_decode(FILE *fp, const char *header, uint8_t *buf, size_t size, size_t *outsize) {
--- /dev/null
+/*
+ rsagen.c -- RSA key generation and export
+ Copyright (C) 2008 Guus Sliepen <guus@tinc-vpn.org>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+ $Id$
+*/
+
+#include "system.h"
+
+#include <gcrypt.h>
+
+#include "rsagen.h"
+
+#if 0
+// Base64 encoding table
+
+static const char b64e[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+// PEM encoding
+
+static bool pem_encode(FILE *fp, const char *header, uint8_t *buf, size_t size) {
+ bool decode = false;
+ char line[1024];
+ uint32_t word = 0;
+ int shift = 0;
+ size_t i, j = 0;
+
+ fprintf(fp, "-----BEGIN %s-----\n", header);
+
+ for(i = 0; i < size; i += 3) {
+ if(i <= size - 3) {
+ word = buf[i] << 16 | buf[i + 1] << 8 | buf[i + 2];
+ } else {
+ word = buf[i] << 16;
+ if(i == size - 2)
+ word |= buf[i + 1] << 8;
+ }
+
+ line[j++] = b64e[(word >> 18) ];
+ line[j++] = b64e[(word >> 12) & 0x3f];
+ line[j++] = b64e[(word >> 6) & 0x3f];
+ line[j++] = b64e[(word ) & 0x3f];
+
+ if(j >= 64) {
+ line[j++] = '\n';
+ line[j] = 0;
+ fputs(line, fp);
+ j = 0;
+ }
+ }
+
+ if(size % 3 > 0) {
+ if(size % 3 > 1)
+ line[j++] = '=';
+ line[j++] = '=';
+ }
+
+ if(j) {
+ line[j++] = '\n';
+ line[j] = 0;
+ fputs(line, fp);
+ }
+
+ fprintf(fp, "-----END %s-----\n", header);
+
+ return true;
+}
+
+
+// BER encoding functions
+
+static bool ber_write_id(uint8_t **p, size_t *buflen, int id) {
+ if(*buflen <= 0)
+ return false;
+
+ if(id >= 0x1f) {
+ while(id) {
+ if(*buflen <= 0)
+ return false;
+
+ (*buflen)--;
+ **p = id & 0x7f;
+ id >>= 7;
+ if(id)
+ **p |= 0x80;
+ (*p)++;
+ }
+ } else {
+ (*buflen)--;
+ *(*p)++ = id;
+ }
+
+ return true;
+}
+
+static bool ber_write_len(uint8_t **p, size_t *buflen, size_t len) {
+ do {
+ if(*buflen <= 0)
+ return false;
+
+ (*buflen)--;
+ **p = len & 0x7f;
+ len >>= 7;
+ if(len)
+ **p |= 0x80;
+ (*p)++;
+ } while(len);
+
+ return true;
+}
+
+static bool ber_write_sequence(uint8_t **p, size_t *buflen, uint8_t *seqbuf, size_t seqlen) {
+ if(!ber_write_id(p, buflen, 0x10) || !ber_write_len(p, buflen, seqlen) || *buflen < seqlen)
+ return false;
+
+ memcpy(*p, seqbuf, seqlen);
+ *p += seqlen;
+ *buflen -= seqlen;
+
+ return true;
+}
+
+static bool ber_write_mpi(uint8_t **p, size_t *buflen, gcry_mpi_t mpi) {
+ uint8_t tmpbuf[1024];
+ size_t tmplen = sizeof tmpbuf;
+ gcry_error_t err;
+
+ err = gcry_mpi_aprint(GCRYMPI_FMT_USG, &tmpbuf, &tmplen, mpi);
+ if(err)
+ return false;
+
+ if(!ber_write_id(p, buflen, 0x02) || !ber_write_len(p, buflen, tmplen) || *buflen < tmplen)
+ return false;
+
+ memcpy(*p, tmpbuf, tmplen);
+ *p += tmplen;
+ *buflen -= tmplen;
+
+ return true;
+}
+
+// Write PEM RSA keys
+
+bool rsa_write_pem_public_key(rsa_t *rsa, FILE *fp) {
+ uint8_t derbuf1[8096];
+ uint8_t derbuf2[8096];
+ uint8_t *derp1 = derbuf1;
+ uint8_t *derp2 = derbuf2;
+ size_t derlen1 = sizeof derbuf1;
+ size_t derlen2 = sizeof derbuf2;
+
+ if(!ber_write_mpi(&derp1, &derlen1, &rsa->n)
+ || !ber_write_mpi(&derp1, &derlen1, &rsa->e)
+ || !ber_write_sequence(&derp2, &derlen2, derbuf1, derlen1)) {
+ logger(LOG_ERR, _("Error while encoding RSA public key"));
+ return false;
+ }
+
+ if(!pem_encode(fp, "RSA PUBLIC KEY", derbuf2, derlen2)) {
+ logger(LOG_ERR, _("Unable to write RSA public key: %s"), strerror(errno));
+ return false;
+ }
+
+ return true;
+}
+
+bool rsa_write_pem_private_key(rsa_t *rsa, FILE *fp) {
+ uint8_t derbuf1[8096];
+ uint8_t derbuf2[8096];
+ uint8_t *derp1 = derbuf1;
+ uint8_t *derp2 = derbuf2;
+ size_t derlen1 = sizeof derbuf1;
+ size_t derlen2 = sizeof derbuf2;
+
+ if(!ber_write_mpi(&derp1, &derlen1, &bits)
+ || ber_write_mpi(&derp1, &derlen1, &rsa->n) // modulus
+ || ber_write_mpi(&derp1, &derlen1, &rsa->e) // public exponent
+ || ber_write_mpi(&derp1, &derlen1, &rsa->d) // private exponent
+ || ber_write_mpi(&derp1, &derlen1, &p)
+ || ber_write_mpi(&derp1, &derlen1, &q)
+ || ber_write_mpi(&derp1, &derlen1, &exp1)
+ || ber_write_mpi(&derp1, &derlen1, &exp2)
+ || ber_write_mpi(&derp1, &derlen1, &coeff))
+ logger(LOG_ERR, _("Error while encoding RSA private key"));
+ return false;
+ }
+
+ if(!pem_encode(fp, "RSA PRIVATE KEY", derbuf2, derlen2)) {
+ logger(LOG_ERR, _("Unable to write RSA private key: %s"), strerror(errno));
+ return false;
+ }
+
+ return true;
+}
+#endif
+
+bool rsa_write_pem_public_key(rsa_t *rsa, FILE *fp) {
+ return false;
+}
+
+bool rsa_write_pem_private_key(rsa_t *rsa, FILE *fp) {
+ return false;
+}
+
+bool rsa_generate(rsa_t *rsa, size_t bits, unsigned long exponent) {
+ fprintf(stderr, _("Generating RSA keys with libgcrypt not implemented yet\n"));
+ return false;
+}
--- /dev/null
+/*
+ rsagen.h -- RSA key generation and export
+ Copyright (C) 2008 Guus Sliepen <guus@tinc-vpn.org>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+ $Id$
+*/
+
+#ifndef __TINC_RSAGEN_H__
+#define __TINC_RSAGEN_H__
+
+#include "rsa.h"
+
+extern bool rsa_generate(rsa_t *rsa, size_t bits, unsigned long exponent);
+extern bool rsa_write_pem_public_key(rsa_t *rsa, FILE *fp);
+extern bool rsa_write_pem_private_key(rsa_t *rsa, FILE *fp);
+
+#endif
bufp = endp;
} else {
size_t outlen = inlen;
- ifdebug(META) logger(LOG_DEBUG, _("Received encrypted %d bytes"), inlen);
+ ifdebug(META) logger(LOG_DEBUG, _("Received encrypted %zu bytes"), inlen);
evbuffer_expand(c->buffer->input, c->buffer->input->off + inlen);
if(!cipher_decrypt(&c->incipher, bufp, inlen, c->buffer->input->buffer + c->buffer->input->off, &outlen, false) || inlen != outlen) {
#ifndef __TINC_NET_H__
#define __TINC_NET_H__
-#include <openssl/evp.h>
-#include <event.h>
-
#include "ipv6.h"
+#include "cipher.h"
+#include "digest.h"
#ifdef ENABLE_JUMBOGRAMS
#define MTU 9018 /* 9000 bytes payload + 14 bytes ethernet header + 4 bytes VLAN tag */
#define MTU 1518 /* 1500 bytes payload + 14 bytes ethernet header + 4 bytes VLAN tag */
#endif
-#define MAXSIZE (MTU + 4 + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + MTU/64 + 20) /* MTU + seqno + padding + HMAC + compressor overhead */
+#define MAXSIZE (MTU + 4 + CIPHER_MAX_BLOCK_SIZE + DIGEST_MAX_SIZE + MTU/64 + 20) /* MTU + seqno + padding + HMAC + compressor overhead */
#define MAXBUFSIZE ((MAXSIZE > 2048 ? MAXSIZE : 2048) + 128) /* Enough room for a request with a MAXSIZEd packet or a 8192 bits RSA key */
#define MAXSOCKETS 8 /* Probably overkill... */
extern int keylifetime;
extern bool do_prune;
extern char *myport;
-extern EVP_CIPHER_CTX packet_ctx;
/* Yes, very strange placement indeed, but otherwise the typedefs get all tangled up */
#include "connection.h"
#ifndef __TINC_NODE_H__
#define __TINC_NODE_H__
+#include <event.h>
+
#include "splay_tree.h"
#include "cipher.h"
#include "connection.h"
#include <openssl/evp.h>
+#define CIPHER_MAX_BLOCK_SIZE EVP_MAX_BLOCK_LENGTH
+#define CIPHER_MAX_KEY_SIZE EVP_MAX_KEY_LENGTH
+#define CIPHER_MAX_IV_SIZE EVP_MAX_IV_LENGTH
+
typedef struct cipher {
EVP_CIPHER_CTX ctx;
const EVP_CIPHER *cipher;
#include <openssl/evp.h>
+#define DIGEST_MAX_SIZE EVP_MAX_MD_SIZE
+
typedef struct digest {
const EVP_MD *digest;
} digest_t;
--- /dev/null
+/*
+ rsagen.c -- RSA key generation and export
+ Copyright (C) 2008 Guus Sliepen <guus@tinc-vpn.org>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+ $Id$
+*/
+
+#include "system.h"
+
+#include <openssl/pem.h>
+#include <openssl/err.h>
+
+#include "logger.h"
+#include "rsagen.h"
+
+/* This function prettyprints the key generation process */
+
+static void indicator(int a, int b, void *p) {
+ switch (a) {
+ case 0:
+ fprintf(stderr, ".");
+ break;
+
+ case 1:
+ fprintf(stderr, "+");
+ break;
+
+ case 2:
+ fprintf(stderr, "-");
+ break;
+
+ case 3:
+ switch (b) {
+ case 0:
+ fprintf(stderr, " p\n");
+ break;
+
+ case 1:
+ fprintf(stderr, " q\n");
+ break;
+
+ default:
+ fprintf(stderr, "?");
+ }
+ break;
+
+ default:
+ fprintf(stderr, "?");
+ }
+}
+
+// Generate RSA key
+
+bool rsa_generate(rsa_t *rsa, size_t bits, unsigned long exponent) {
+ *rsa = RSA_generate_key(bits, exponent, indicator, NULL);
+
+ return *rsa;
+}
+
+// Write PEM RSA keys
+
+bool rsa_write_pem_public_key(rsa_t *rsa, FILE *fp) {
+ PEM_write_RSAPublicKey(fp, *rsa);
+
+ return true;
+}
+
+bool rsa_write_pem_private_key(rsa_t *rsa, FILE *fp) {
+ PEM_write_RSAPrivateKey(fp, *rsa, NULL, NULL, 0, NULL, NULL);
+ return true;
+}
--- /dev/null
+/*
+ rsagen.h -- RSA key generation and export
+ Copyright (C) 2008 Guus Sliepen <guus@tinc-vpn.org>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+ $Id$
+*/
+
+#ifndef __TINC_RSAGEN_H__
+#define __TINC_RSAGEN_H__
+
+#include "rsa.h"
+
+extern bool rsa_generate(rsa_t *rsa, size_t bits, unsigned long exponent);
+extern bool rsa_write_pem_public_key(rsa_t *rsa, FILE *fp);
+extern bool rsa_write_pem_private_key(rsa_t *rsa, FILE *fp);
+
+#endif
#include "system.h"
#include <sys/un.h>
-#include <openssl/rand.h>
-#include <openssl/rsa.h>
-#include <openssl/pem.h>
-#include <openssl/evp.h>
-#include <openssl/engine.h>
-
#include <getopt.h>
#include "xalloc.h"
#include "protocol.h"
#include "control_common.h"
+#include "rsagen.h"
/* The name this program was run with. */
char *program_name = NULL;
return r;
}
-/* This function prettyprints the key generation process */
-
-static void indicator(int a, int b, void *p) {
- switch (a) {
- case 0:
- fprintf(stderr, ".");
- break;
-
- case 1:
- fprintf(stderr, "+");
- break;
-
- case 2:
- fprintf(stderr, "-");
- break;
-
- case 3:
- switch (b) {
- case 0:
- fprintf(stderr, " p\n");
- break;
-
- case 1:
- fprintf(stderr, " q\n");
- break;
-
- default:
- fprintf(stderr, "?");
- }
- break;
-
- default:
- fprintf(stderr, "?");
- }
-}
-
/*
Generate a public/private RSA keypair, and ask for a file to store
them in.
*/
static bool keygen(int bits) {
- RSA *rsa_key;
+ rsa_t key;
FILE *f;
char *name = NULL;
char *filename;
fprintf(stderr, _("Generating %d bits keys:\n"), bits);
- rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
- if(!rsa_key) {
+ if(!rsa_generate(&key, bits, 0x10001)) {
fprintf(stderr, _("Error during key generation!\n"));
return false;
} else
if(ftell(f))
fprintf(stderr, _("Appending key to existing contents.\nMake sure only one key is stored in the file.\n"));
- PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL);
+ rsa_write_pem_private_key(&key, f);
+
fclose(f);
free(filename);
if(ftell(f))
fprintf(stderr, _("Appending key to existing contents.\nMake sure only one key is stored in the file.\n"));
- PEM_write_RSAPublicKey(f, rsa_key);
+ rsa_write_pem_public_key(&key, f);
+
fclose(f);
free(filename);
}
if(buf != NULL) {
- printf("%*s", buflen, buf);
+ printf("%*s", (int)buflen, buf);
free(buf);
}