comparison src/proto.salty.c @ 43:4adbd9b67fe2
Fix nonce calculation when both sides use the same key in nacltai and salty protocols
author | Ivo Smits <Ivo@UCIS.nl> |
---|---|
date | Thu, 16 May 2013 01:35:26 +0200 |
parents | c8d176154d7c |
children | 671d640390f2 |
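--- a/src/proto.salty.c
+++ b/src/proto.salty.c
@@ -142,11 +142,11 @@
 unsigned char nonce[NONCEBYTES];
 };
 struct qt_proto_data_salty {
 time_t lastkeyupdate, lastkeyupdatesent;
 unsigned char controlkey[BEFORENMBYTES];
-bool controlencoderole;
+int controlroles;
 uint64 controldecodetime;
 uint64 controlencodetime;
 struct qt_proto_data_salty_keyset* dataencoder;
 struct qt_proto_data_salty_keyset datalocalkeys[2];
 int datalocalkeyid;
@@ -224,11 +224,11 @@
 encodeuint64(buffer + 32 + 1 + 32 + 24 + 32 + 24, d->controldecodetime);
 memset(buffer, 0, 32);
 d->controlencodetime++;
 unsigned char nonce[24];
 memset(nonce, 0, 24);
-nonce[0] = d->controlencoderole ? 1 : 0;
+nonce[0] = d->controlroles & 1;
 encodeuint64(nonce + 16, d->controlencodetime);
 unsigned char encbuffer[32 + 1 + 32 + 24 + 32 + 24 + 8];
 if (crypto_box_curve25519xsalsa20poly1305_afternm(encbuffer, buffer, 32 + (1 + 32 + 24 + 32 + 24 + 8), nonce, d->controlkey)) return;
 memcpy(encbuffer + 16 - 8, nonce + 16, 8);
 encbuffer[16 - 1 - 8] = 0x80;
@@ -292,11 +292,12 @@
 return errorexit("Missing PRIVATE_KEY");
 }
 crypto_box_curve25519xsalsa20poly1305_beforenm(d->controlkey, cpublickey, csecretkey);
 unsigned char cownpublickey[PUBLICKEYBYTES];
 crypto_scalarmult_curve25519_base(cownpublickey, csecretkey);
-d->controlencoderole = memcmp(cownpublickey, cpublickey, PUBLICKEYBYTES) > 0;
+int role = memcmp(cownpublickey, cpublickey, PUBLICKEYBYTES);
+d->controlroles = (role == 0) ? 0 : ((role > 0) ? 1 : 2);
 d->controldecodetime = 0;
 d->controlencodetime = ((uint64)time(NULL)) << 8;
 d->datalocalkeyid = 0;
 d->datalocalkeynextid = -1;
 d->dataremotekeyid = 0;
@@ -397,11 +398,11 @@
 fprintf(stderr, "Late control packet received: %llu < %llu\n", ts, d->controldecodetime);
 return -1;
 }
 unsigned char cnonce[NONCEBYTES];
 memset(cnonce, 0, 24);
-cnonce[0] = d->controlencoderole ? 0 : 1;
+cnonce[0] = (d->controlroles >> 1) & 1;
 memcpy(cnonce + 16, enc + 13, 8);
 memset(enc + 12 + 1 + 8 - 16, 0, 16);
 if (crypto_box_curve25519xsalsa20poly1305_open_afternm(raw, enc + 12 + 1 + 8 - 16, len - 1 - 8 + 16, cnonce, d->controlkey)) {
 fprintf(stderr, "Decryption of control packet failed len=%d\n", len);
 return -1;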
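Review bot: When `role == 0` at new line 298, both `d->controlroles & 1` (line 229) and `(d->controlroles >> 1) & 1` (line 403) evaluate to 0, so the encode nonce and the decode nonce under the same `controlkey` now share one prefix; the two directions then draw from a single nonce space on one key, and a control packet can be accepted by the very endpoint that produced it, which the `ts < controldecodetime` check at line 398 only partially covers. This is the intended fix for the same-key case, but the code gives no hint that direction separation is lost there, so a comment and a diagnostic at the decision point would make the trade-off visible, e.g. `if (role == 0) fprintf(stderr, "Warning: local and remote public keys are identical; control packet nonces are not direction-separated\n");`. The bit meanings of `controlroles` (bit 0 = encode prefix, bit 1 = decode prefix) are also only recoverable by reading three hunks apart; a short comment on the field at line 147 such as `/* bit 0: nonce[0] when encoding; bit 1: nonce[0] when decoding; 0 when both sides use the same key */` would help. The enclosing functions of all four hunks start and end outside the shown lines.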