summaryrefslogtreecommitdiff
path: root/src/ipcpd
diff options
context:
space:
mode:
authorDimitri Staessens <[email protected]>2019-08-02 19:12:34 +0200
committerSander Vrijders <[email protected]>2019-08-03 12:10:57 +0200
commit9e8d603d14561095fb8d08871319a315d3bf6763 (patch)
tree7a87c212fcd642a8696145b4246a4fc4cf964e10 /src/ipcpd
parent8a37ffbf8c0776a38f2de18a63e885383960ee68 (diff)
downloadouroboros-9e8d603d14561095fb8d08871319a315d3bf6763.tar.gz
ouroboros-9e8d603d14561095fb8d08871319a315d3bf6763.zip
lib: Add per-message encryption with OpenSSL
This adds a per-message symmetric encryption using the OpenSSL library. At flow allocation, an Elliptic Curve Diffie-Hellman exchange is performed to derive a shared secret, which is then hashed using SHA3-256 to be used as a key for symmetric AES-256 encryption. Each message on an encrypted flow adds a small crypto header that includes a random 128-bit Initialization Vector (IV). If the server does not have OpenSSL enabled, the flow allocation will fail with an -ECRYPT error. Future optimizations are to piggyback the public keys on the flow allocation message, and to enable per-flow encryption that maintains the context of the encryption over multiple packets and doesn't require sending IVs. Signed-off-by: Dimitri Staessens <[email protected]> Signed-off-by: Sander Vrijders <[email protected]>
Diffstat (limited to 'src/ipcpd')
-rw-r--r--src/ipcpd/eth/eth.c3
-rw-r--r--src/ipcpd/udp/main.c4
-rw-r--r--src/ipcpd/unicast/fa.c3
3 files changed, 10 insertions, 0 deletions
diff --git a/src/ipcpd/eth/eth.c b/src/ipcpd/eth/eth.c
index 1a332272..dccfd190 100644
--- a/src/ipcpd/eth/eth.c
+++ b/src/ipcpd/eth/eth.c
@@ -162,6 +162,7 @@ struct mgmt_msg {
uint32_t ber;
uint32_t max_gap;
uint32_t delay;
+ uint16_t cypher_s;
uint8_t in_order;
#if defined (BUILD_ETH_DIX)
uint8_t code;
@@ -485,6 +486,7 @@ static int eth_ipcp_alloc(const uint8_t * dst_addr,
msg->ber = hton32(qs.ber);
msg->in_order = qs.in_order;
msg->max_gap = hton32(qs.max_gap);
+ msg->cypher_s = hton16(qs.cypher_s);
memcpy(msg + 1, hash, ipcp_dir_hash_len());
@@ -731,6 +733,7 @@ static int eth_ipcp_mgmt_frame(const uint8_t * buf,
qs.ber = ntoh32(msg->ber);
qs.in_order = msg->in_order;
qs.max_gap = ntoh32(msg->max_gap);
+ qs.cypher_s = hton32(msg->cypher_s);
if (shim_data_reg_has(eth_data.shim_data,
buf + sizeof(*msg))) {
diff --git a/src/ipcpd/udp/main.c b/src/ipcpd/udp/main.c
index a1dcb602..f6aa57d1 100644
--- a/src/ipcpd/udp/main.c
+++ b/src/ipcpd/udp/main.c
@@ -91,6 +91,7 @@ struct mgmt_msg {
uint32_t loss;
uint32_t ber;
uint32_t max_gap;
+ uint32_t cypher_s;
} __attribute__((packed));
struct mgmt_frame {
@@ -209,6 +210,7 @@ static int ipcp_udp_port_alloc(int skfd,
msg->ber = hton32(qs.ber);
msg->in_order = qs.in_order;
msg->max_gap = hton32(qs.max_gap);
+ msg->cypher_s = hton32(qs.cypher_s);
memcpy(msg + 1, dst, ipcp_dir_hash_len());
@@ -383,6 +385,8 @@ static int ipcp_udp_mgmt_frame(const uint8_t * buf,
qs.ber = ntoh32(msg->ber);
qs.in_order = msg->in_order;
qs.max_gap = ntoh32(msg->max_gap);
+ qs.cypher_s = ntoh16(msg->cypher_s);
+
return ipcp_udp_port_req(&c_saddr, ntoh32(msg->s_eid),
(uint8_t *) (msg + 1), qs);
case FLOW_REPLY:
diff --git a/src/ipcpd/unicast/fa.c b/src/ipcpd/unicast/fa.c
index fbcbc6fa..c1cb065f 100644
--- a/src/ipcpd/unicast/fa.c
+++ b/src/ipcpd/unicast/fa.c
@@ -66,6 +66,7 @@ struct fa_msg {
uint32_t loss;
uint32_t ber;
uint32_t max_gap;
+ uint16_t cypher_s;
} __attribute__((packed));
struct cmd {
@@ -217,6 +218,7 @@ static void * fa_handle_packet(void * o)
qs.ber = ntoh32(msg->ber);
qs.in_order = msg->in_order;
qs.max_gap = ntoh32(msg->max_gap);
+ qs.cypher_s = ntoh16(msg->cypher_s);
fd = ipcp_flow_req_arr((uint8_t *) (msg + 1),
ipcp_dir_hash_len(),
@@ -386,6 +388,7 @@ int fa_alloc(int fd,
msg->ber = hton32(qs.ber);
msg->in_order = qs.in_order;
msg->max_gap = hton32(qs.max_gap);
+ msg->cypher_s = hton16(qs.cypher_s);
memcpy(msg + 1, dst, ipcp_dir_hash_len());