aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--examples/c-decrypt/c-decrypt.c10
-rw-r--r--ncrypt.c81
-rw-r--r--ncrypt.h7
3 files changed, 65 insertions, 33 deletions
diff --git a/examples/c-decrypt/c-decrypt.c b/examples/c-decrypt/c-decrypt.c
index 2ec27fba1..f03e82295 100644
--- a/examples/c-decrypt/c-decrypt.c
+++ b/examples/c-decrypt/c-decrypt.c
@@ -122,7 +122,7 @@ int udp_server(struct ncrypt * const nc)
if (ret < 0)
{
logger(1, "Crypto error: %d", ret);
- break;
+ continue;
}
msgs_recvd++;
@@ -137,10 +137,12 @@ int udp_server(struct ncrypt * const nc)
HASH_ITER(hh, nc->peers, current_peer, ctmp)
{
printf(
- "*** Peer: %8X | Cryptions: %5zu | Crypto Errors: %2zu | IV Mismatches: %2zu | Send Errors: "
+ "*** Peer: %8X | Key Rotations: %5zu | Cryptions: %5zu | Crypto Errors: %2zu | IV Mismatches: "
+ "%2zu | Send Errors: "
"%2zu | "
"Partial Writes: %2zu ***\n",
current_peer->hash_key,
+ current_peer->key_rotations,
current_peer->cryptions,
current_peer->crypto_errors,
current_peer->iv_mismatches,
@@ -159,12 +161,14 @@ int udp_server(struct ncrypt * const nc)
if (ret != PARSE_OK)
{
logger(1, "JSON parsing failed with: %d", ret);
- break;
+ continue;
}
json_ctx.tokens_found = 0;
}
}
+ ncrypt_free(nc);
+
return 0;
}
diff --git a/ncrypt.c b/ncrypt.c
index bb356a06c..cf5f6aec7 100644
--- a/ncrypt.c
+++ b/ncrypt.c
@@ -23,10 +23,10 @@
{ \
fprintf(stderr, "OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL)); \
} while (0);
-
#define PACKET_TYPE_KEYEX 0x00u
#define PACKET_TYPE_JSON 0xFFu
-
+#define PACKET_JSON_OVERHEAD (NCRYPT_AAD_SIZE + NCRYPT_AES_IVLEN + NCRYPT_TAG_SIZE)
+#define PACKET_BUFFER_SIZE (PACKET_JSON_OVERHEAD + NCRYPT_BUFFER_SIZE)
#define NCRYPT_PACKED __attribute__((__packed__))
static unsigned char hkdf_salt[] = {0xf2, 0xad, 0xc9, 0xca, 0x6e, 0xb3, 0xd9, 0xcd, 0x3b, 0x34, 0xf3, 0x8d, 0x75,
@@ -47,7 +47,7 @@ union iv
union packet
{
- unsigned char raw[NCRYPT_PACKET_BUFFER_SIZE];
+ unsigned char raw[PACKET_BUFFER_SIZE];
struct
{
union
@@ -622,6 +622,35 @@ int ncrypt_decrypt(struct aes * const aes,
return decrypt(aes, encrypted, encrypt_size, iv, tag, plaintext, aad);
}
+static size_t keyex_packet()
+{
+ return 0;
+}
+
+static size_t json_packet(struct peer * const current_peer,
+ union packet * const pkt,
+ char const * const plaintext,
+ size_t plaintext_size)
+{
+ pkt->aad.type = PACKET_TYPE_JSON;
+ pkt->aad.size = htons(NCRYPT_AES_IVLEN + NCRYPT_TAG_SIZE + plaintext_size);
+
+ int encrypted_used = encrypt(
+ &current_peer->aes, plaintext, plaintext_size, current_peer->iv, pkt->json.data, pkt->json.tag, pkt->aad.raw);
+ if (encrypted_used < 0 || encrypted_used > (int)NCRYPT_BUFFER_SIZE)
+ {
+ current_peer->crypto_errors++;
+ return 0;
+ }
+ encrypted_used += PACKET_JSON_OVERHEAD;
+
+ current_peer->cryptions++;
+ memcpy(pkt->json.iv, current_peer->iv, NCRYPT_AES_IVLEN);
+ next_iv(current_peer);
+
+ return encrypted_used;
+}
+
int ncrypt_dgram_send(struct ncrypt * const nc, int fd, char const * const plaintext, size_t plaintext_size)
{
if (plaintext_size > NCRYPT_BUFFER_SIZE)
@@ -633,41 +662,37 @@ int ncrypt_dgram_send(struct ncrypt * const nc, int fd, char const * const plain
struct peer * current_peer;
struct peer * tmp_peer;
union packet encrypted;
- encrypted.aad.type = PACKET_TYPE_JSON;
HASH_ITER(hh, nc->peers, current_peer, tmp_peer)
{
- encrypted.aad.size = htons(NCRYPT_AES_IVLEN + NCRYPT_TAG_SIZE + plaintext_size);
- int encrypted_used = encrypt(&current_peer->aes,
- plaintext,
- plaintext_size,
- current_peer->iv,
- encrypted.json.data,
- encrypted.json.tag,
- encrypted.aad.raw);
- if (encrypted_used < 0 || encrypted_used > (int)NCRYPT_BUFFER_SIZE)
+ ssize_t used;
+
+ if (current_peer->ephemeral.current_private_key != NULL)
{
- current_peer->crypto_errors++;
- retval++;
- continue;
+ used = keyex_packet();
+ if (used == 0)
+ {
+ retval++;
+ continue;
+ }
}
- current_peer->cryptions++;
-
- memcpy(encrypted.json.iv, current_peer->iv, NCRYPT_AES_IVLEN);
- ssize_t bytes_written = sendto(fd,
- encrypted.raw,
- NCRYPT_PACKET_OVERHEAD + encrypted_used,
- 0,
- &current_peer->address.raw,
- current_peer->address.size);
- next_iv(current_peer);
-
+ else
+ {
+ used = json_packet(current_peer, &encrypted, plaintext, plaintext_size);
+ if (used == 0)
+ {
+ retval++;
+ continue;
+ }
+ }
+ ssize_t bytes_written =
+ sendto(fd, encrypted.raw, used, 0, &current_peer->address.raw, current_peer->address.size);
if (bytes_written < 0)
{
current_peer->send_errors++;
retval++;
continue;
}
- if (bytes_written != NCRYPT_PACKET_OVERHEAD + encrypted_used)
+ if (bytes_written != used)
{
current_peer->partial_writes++;
retval++;
diff --git a/ncrypt.h b/ncrypt.h
index bd2f00149..344badfcd 100644
--- a/ncrypt.h
+++ b/ncrypt.h
@@ -11,8 +11,6 @@
#define NCRYPT_TAG_SIZE 16
#define NCRYPT_AAD_SIZE 3 // packet type + packet size
#define NCRYPT_BUFFER_SIZE NETWORK_BUFFER_MAX_SIZE
-#define NCRYPT_PACKET_OVERHEAD (NCRYPT_AAD_SIZE + NCRYPT_AES_IVLEN + NCRYPT_TAG_SIZE)
-#define NCRYPT_PACKET_BUFFER_SIZE (NCRYPT_PACKET_OVERHEAD + NCRYPT_BUFFER_SIZE)
struct aes
{
@@ -24,6 +22,11 @@ struct peer
nDPIsrvd_hashkey hash_key;
struct nDPIsrvd_address address;
unsigned char iv[NCRYPT_AES_IVLEN];
+ struct
+ {
+ void * last_private_key;
+ void * current_private_key;
+ } ephemeral;
size_t key_rotations;
size_t cryptions;
size_t crypto_errors;
Powered by cgit, Themed by Ted Yin.