author | Nils Durner <durner@gnunet.org> | 2010-10-07 20:15:33 +0000 |
---|---|---|
committer | Nils Durner <durner@gnunet.org> | 2010-10-07 20:15:33 +0000 |
commit | ae0639baf2b2863e528adff8907c89983c0374bb (patch) | |
tree | faf8e523c06a7016d106858c86cd63f2f065e4f8 /src/core | |
parent | b6bc596b82586c695507ce1ac48d7a10ce289ca6 (diff) | |
authenticated ciphertext only, use seed for individual HMAC keys
Diffstat (limited to 'src/core')
-rw-r--r-- | src/core/gnunet-service-core.c | 72 |
1 files changed, 29 insertions, 43 deletions
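diff --git a/src/core/gnunet-service-core.c b/src/core/gnunet-service-core.c
index d74925fae..cc549b073 100644
--- a/src/core/gnunet-service-core.c
+++ b/src/core/gnunet-service-core.c
@@ -172,16 +172,14 @@ struct EncryptedMessage
 struct GNUNET_MessageHeader header;
 
 /**
-* MAC of the (partially) encrypted message (starting at 'iv_seed'),
-* used to verify message integrity. Everything after this value
-* will be authenticated. AUTHENTICATED_HEADER_SIZE must be set to
-* the offset of the *next* field.
+* MAC of the encrypted message (starting at 'sequence_number'),
+* used to verify message integrity.
 */
 GNUNET_HashCode hmac;
 
 /**
 * Random value used for IV generation. Everything after this value
-* (excluding this value itself) will be encrypted.
+* (excluding this value itself) will be encrypted and authenticated.
 * ENCRYPTED_HEADER_SIZE must be set to the offset of the *next* field.
 */
 uint32_t iv_seed GNUNET_PACKED;
@@ -215,13 +213,6 @@ struct EncryptedMessage
 
 
 /**
-* Number of bytes (at the beginning) of "struct EncryptedMessage"
-* that are NOT authenticated.
-*/
-#define AUTHENTICATED_HEADER_SIZE (offsetof(struct EncryptedMessage, iv_seed))
-
-
-/**
 * We're sending an (encrypted) PING to the other peer to check if he
 * can decrypt. The other peer should respond with a PONG with the
 * same content, except this time encrypted with the receiver's key.
@@ -484,18 +475,6 @@ struct Neighbour
 struct GNUNET_CRYPTO_AesSessionKey decrypt_key;
 
 /**
-* Key we use to authenticate messages sent to the other peer
-* (derived from the encrypt_key during the handshake)
-*/
-struct GNUNET_CRYPTO_AuthKey encrypt_auth_key;
-
-/**
-* Key we use to authenticate messages sent from the other peer
-* (derived from the decrypt_key during the handshake)
-*/
-struct GNUNET_CRYPTO_AuthKey decrypt_auth_key;
-
-/**
 * ID of task used for re-trying plaintext scheduling.
 */
 GNUNET_SCHEDULER_TaskIdentifier retry_plaintext_task;
@@ -755,17 +734,17 @@ static unsigned long long bandwidth_target_out_bps;
 static void
 derive_auth_key (struct GNUNET_CRYPTO_AuthKey *akey,
 const struct GNUNET_CRYPTO_AesSessionKey *skey,
-const struct GNUNET_TIME_Absolute creation_time,
-const struct GNUNET_PeerIdentity *identity)
+const unsigned int seed,
+const struct GNUNET_TIME_Absolute creation_time)
 {
 static char ctx[] = "authentication key";
 
 GNUNET_CRYPTO_hmac_derive_key (akey,
 skey,
+&seed,
+sizeof(seed),
 &skey->key,
 sizeof(skey->key),
-&identity->hashPubKey.bits,
-sizeof(identity->hashPubKey.bits),
 &creation_time,
 sizeof(creation_time),
 ctx,
@@ -2104,6 +2083,7 @@ process_plaintext_neighbour_queue (struct Neighbour *n)
 struct GNUNET_TIME_Absolute deadline;
 struct GNUNET_TIME_Relative retry_time;
 struct GNUNET_CRYPTO_AesInitializationVector iv;
+struct GNUNET_CRYPTO_AuthKey auth_key;
 
 if (n->retry_plaintext_task != GNUNET_SCHEDULER_NO_TASK)
 {
@@ -2224,16 +2204,20 @@ process_plaintext_neighbour_queue (struct Neighbour *n)
 &iv,
 &ph->sequence_number,
 &em->sequence_number, used - ENCRYPTED_HEADER_SIZE));
-GNUNET_CRYPTO_hmac (&n->encrypt_auth_key,
-&em->iv_seed,
-used - AUTHENTICATED_HEADER_SIZE,
+derive_auth_key (&auth_key,
+&n->encrypt_key,
+ph->iv_seed,
+n->encrypt_key_created);
+GNUNET_CRYPTO_hmac (&auth_key,
+&em->sequence_number,
+used - ENCRYPTED_HEADER_SIZE,
 &em->hmac);
 #if DEBUG_HANDSHAKE
 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
 "Authenticated %u bytes of ciphertext %u: `%s'\n",
-used - AUTHENTICATED_HEADER_SIZE,
-GNUNET_CRYPTO_crc32_n (&em->iv_seed,
-used - AUTHENTICATED_HEADER_SIZE),
+used - ENCRYPTED_HEADER_SIZE,
+GNUNET_CRYPTO_crc32_n (&em->sequence_number,
+used - ENCRYPTED_HEADER_SIZE),
 GNUNET_h2s (&em->hmac));
 #endif
 /* append to transmission list */
@@ -2309,7 +2293,6 @@ create_neighbour (const struct GNUNET_PeerIdentity *pid)
 n->bw_out_external_limit = GNUNET_CONSTANTS_DEFAULT_BW_IN_OUT;
 n->ping_challenge = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE,
 UINT32_MAX);
-derive_auth_key (&n->encrypt_auth_key, &n->encrypt_key, now, &n->peer);
 neighbour_quota_update (n, NULL);
 consider_free_neighbour (n);
 return n;
@@ -3251,7 +3234,6 @@ handle_set_key (struct Neighbour *n, const struct SetKeyMessage *m)
 1,
 GNUNET_NO);
 n->decrypt_key = k;
-derive_auth_key(&n->decrypt_auth_key, &n->decrypt_key, t, &my_identity);
 if (n->decrypt_key_created.value != t.value)
 {
 /* fresh key, reset sequence numbers */
@@ -3259,7 +3241,6 @@ handle_set_key (struct Neighbour *n, const struct SetKeyMessage *m)
 n->last_packets_bitmap = 0;
 n->decrypt_key_created = t;
 }
-derive_auth_key(&n->decrypt_auth_key, &k, n->decrypt_key_created, &my_identity);
 sender_status = (enum PeerStateMachine) ntohl (m->sender_status);
 switch (n->status)
 {
@@ -3449,6 +3430,7 @@ handle_encrypted_message (struct Neighbour *n,
 uint32_t snum;
 struct GNUNET_TIME_Absolute t;
 struct GNUNET_CRYPTO_AesInitializationVector iv;
+struct GNUNET_CRYPTO_AuthKey auth_key;
 
 #if DEBUG_CORE
 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
@@ -3466,15 +3448,19 @@ handle_encrypted_message (struct Neighbour *n,
 return;
 pt = (struct EncryptedMessage *) buf;
 /* validate hash */
-GNUNET_CRYPTO_hmac (&n->decrypt_auth_key,
-&m->iv_seed,
-size - AUTHENTICATED_HEADER_SIZE, &ph);
+derive_auth_key (&auth_key,
+&n->decrypt_key,
+m->iv_seed,
+n->decrypt_key_created);
+GNUNET_CRYPTO_hmac (&auth_key,
+&m->sequence_number,
+size - ENCRYPTED_HEADER_SIZE, &ph);
 #if DEBUG_HANDSHAKE
 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
 "Re-Authenticated %u bytes of ciphertext (`%u'): `%s'\n",
-(unsigned int) size - AUTHENTICATED_HEADER_SIZE,
-GNUNET_CRYPTO_crc32_n (&m->iv_seed,
-size - AUTHENTICATED_HEADER_SIZE),
+(unsigned int) size - ENCRYPTED_HEADER_SIZE,
+GNUNET_CRYPTO_crc32_n (&m->sequence_number,
+size - ENCRYPTED_HEADER_SIZE),
 GNUNET_h2s (&ph));
 #endif
 if (0 != memcmp (&ph,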
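Review bot: In the derive_auth_key hunk the new parameter is declared `const unsigned int seed` while both callers pass the packed wire field `uint32_t iv_seed` and the derivation feeds `&seed, sizeof(seed)` into GNUNET_CRYPTO_hmac_derive_key, so the number of bytes mixed into the per-message MAC key depends on the width of `unsigned int` on the host rather than being the four bytes the peer sent; declaring it `const uint32_t seed` pins that down, and the derive call continues past the end of that hunk. With the MAC range now starting at `sequence_number`, the `hmac` comment in the first hunk should say why the seed may legitimately sit outside it, e.g. `* The MAC key is derived per message from the session key and iv_seed, so iv_seed is bound to the tag although it is not covered by it.`, since "starting at 'sequence_number'" alone reads as if the seed were unauthenticated. The same derivation now runs once per packet in both process_plaintext_neighbour_queue and handle_encrypted_message, which is presumably intended by the commit title but is worth a one-line comment at the derive_auth_key definition.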