Source: vdeplug-agno
Version: 0.1.2-1
Severity: important
Tags: patch

Before vdeplug-agno entered Debian it used to require OpenSSL instead of
wolfSSL. For your convenience, I have added a patch that reverts the
commit introducing wolfSSL so that the package can stay in testing and
avoid being autoremoved. See #1023697. Obviously, the Build-Depends
and package description have to be adjusted to libssl-dev instead of
libwolfssl-dev.
From: Bastian Germann <[email protected]>
Subject: Revert "use wolfssl instead of openssl"

This reverts commit 0fb0df7be2a95904d5558544828516a33bff0813.
---
 CMakeLists.txt    |  6 ++--
 libvdeplug_agno.c | 90 ++++++++++++-----------------------------------
 2 files changed, 26 insertions(+), 70 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 318750d..fd45463 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -10,8 +10,8 @@ include(CheckIncludeFile)
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_FORTIFY_SOURCE=2 -O2 -pedantic -Wall 
-Wextra")
 
 set(CMAKE_REQUIRED_QUIET TRUE)
-set(LIBS_REQUIRED vdeplug_mod wolfssl)
-set(HEADERS_REQUIRED strcase.h libvdeplug.h strcase.h wolfssl/options.h 
wolfssl/wolfcrypt/aes.h wolfssl/wolfcrypt/random.h)
+set(LIBS_REQUIRED vdeplug_mod crypto)
+set(HEADERS_REQUIRED strcase.h libvdeplug.h openssl/aes.h openssl/rand.h)
 
 foreach(THISLIB IN LISTS LIBS_REQUIRED)
   find_library(LIB${THISLIB}_OK ${THISLIB})
@@ -31,7 +31,7 @@ add_definitions(-D_GNU_SOURCE)
 include_directories(${CMAKE_CURRENT_SOURCE_DIR})
 
 add_library(vdeplug_agno SHARED libvdeplug_agno.c)
-target_link_libraries(vdeplug_agno vdeplug_mod wolfssl)
+target_link_libraries(vdeplug_agno vdeplug_mod ssl crypto)
 
 install(TARGETS vdeplug_agno DESTINATION ${CMAKE_INSTALL_LIBDIR}/vdeplug)
 
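Review bot: The new link line `target_link_libraries(vdeplug_agno vdeplug_mod ssl crypto)` links libssl although the restored C code only uses `<openssl/aes.h>` and `<openssl/rand.h>`, both provided by libcrypto, and the preceding hunk probes only `crypto` in LIBS_REQUIRED, so the configure check and the link line disagree. Dropping `ssl` removes an unneeded shared-library dependency from the plugin; since the line is rewritten anyway, the keyword form also avoids the legacy link semantics: `target_link_libraries(vdeplug_agno PRIVATE vdeplug_mod crypto)`, provided no keyword-less call on this target exists elsewhere in the file. A `find_package(OpenSSL REQUIRED)` with `OpenSSL::Crypto` would replace the `find_library` loop as well, but that is a larger change than this revert needs. The directory-scoped `include_directories` and `add_definitions` context lines predate this change.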
diff --git a/libvdeplug_agno.c b/libvdeplug_agno.c
index 28c0e3e..752df22 100644
--- a/libvdeplug_agno.c
+++ b/libvdeplug_agno.c
@@ -1,6 +1,6 @@
 /*
  * VDE - libvdeplug_agno agnostic encrypted vde net (aes encoded)
- * Copyright (C) 2017-2020 Renzo Davoli VirtualSquare
+ * Copyright (C) 2017 Renzo Davoli VirtualSquare
  * contributions by Michele Nalli
  *
  * This library is free software; you can redistribute it and/or modify it
@@ -18,7 +18,6 @@
  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301, USA
  */
 
-//#define DEBUG_DISABLE_ENCRYPTION
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
@@ -34,19 +33,17 @@
 #include <net/if.h>
 #include <net/ethernet.h>
 #include <arpa/inet.h>
-#ifndef DEBUG_DISABLE_ENCRYPTION
-#include <wolfssl/options.h>
-#include <wolfssl/wolfcrypt/aes.h>
-#include <wolfssl/wolfcrypt/random.h>
-#endif
+#include <openssl/aes.h>
+#include <openssl/rand.h>
 #include <libvdeplug.h>
 #include <libvdeplug_mod.h>
 #include <strcase.h>
 
    // 128-bit key
-   // e.g. echo secret | md5sum
+   // openssl enc -aes-128-cbc -k secret -P -md sha1
 
 #define DEFAULT_KEYFILE ".vde_agno_key"
+//#define DEBUG_DISABLE_ENCRYPTION
 
 static VDECONN *vde_agno_open(char *vde_url, char *descr, int 
interface_version,
                struct vde_open_args *open_args);
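Review bot: The restored comment `// openssl enc -aes-128-cbc -k secret -P -md sha1` documents deriving the 128-bit key from a passphrase through `openssl enc`'s single-pass legacy key derivation, which yields a key no stronger than the passphrase and is the example users will copy. A doc-only fix is to point at a random key instead, e.g. `// 128-bit key, e.g. openssl rand -hex 16`, in whatever format the key-file reader (outside this hunk) accepts. Dropping the `#ifndef DEBUG_DISABLE_ENCRYPTION` guard around the includes and moving the commented-out define below them means the OpenSSL headers are now always included; that is harmless because the CMake hunk always links libcrypto.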
@@ -81,9 +78,8 @@ struct vde_agno_conn {
        struct vdeplug_module *module;
        VDECONN *conn;
        uint16_t ether_type;
-       Aes ekey;                       /* Encryption key */
-       Aes dkey;                       /* Decryption key */
-       WC_RNG rng;
+       AES_KEY ekey;                   /* Encryption key */
+       AES_KEY dkey;                   /* Decryption key */
 };
 
 /* Declaration of the module sructure */
@@ -229,7 +225,7 @@ static VDECONN *vde_agno_open(char *vde_url, char *descr, 
int interface_version,
                                                         }
                                                         if (type == 0)
                                                                 
newconn->ether_type = htons(AGNO_TYPE);
-                                                        else if (type >= 0x600 
&& type < 0xffff)
+                                                        else if (type >= 0x600 
&& type < 0xffff) 
                                                                 /* The input 
tag is valid */
                                                                 
newconn->ether_type = htons(type);
                                                         else {
@@ -240,9 +236,8 @@ static VDECONN *vde_agno_open(char *vde_url, char *descr, 
int interface_version,
        }
        /* Set key as encryption and decryption key */
 #ifndef DEBUG_DISABLE_ENCRYPTION
-       wc_AesSetKey(&newconn->ekey, cryptkey, sizeof(cryptkey), NULL, 
AES_ENCRYPTION);
-       wc_AesSetKey(&newconn->dkey, cryptkey, sizeof(cryptkey), NULL, 
AES_DECRYPTION);
-       wc_InitRng(&newconn->rng);
+       AES_set_encrypt_key(cryptkey, sizeof(cryptkey) * 8, &newconn->ekey);
+       AES_set_decrypt_key(cryptkey, sizeof(cryptkey) * 8, &newconn->dkey);
 #endif
        return (VDECONN *) newconn;
 
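Review bot: The results of `AES_set_encrypt_key` and `AES_set_decrypt_key` are discarded; both return a negative value on a bad key length or NULL pointer, and `cryptkey` is declared outside this hunk, so I cannot confirm here that `sizeof(cryptkey) * 8` is 128, 192 or 256. A failed key schedule would hand back a connection whose `ekey`/`dkey` are unset, so route a non-zero result to the function's `error:` label visible at the top of the next hunk: `if (AES_set_encrypt_key(cryptkey, sizeof(cryptkey) * 8, &newconn->ekey) != 0 ||` / `    AES_set_decrypt_key(cryptkey, sizeof(cryptkey) * 8, &newconn->dkey) != 0) goto error;`, after checking that the error path releases `newconn`. The `AES_*` low-level API used here and in the recv and send hunks (`AES_ecb_encrypt`, `AES_cbc_encrypt`) has been deprecated since OpenSSL 3.0 and will emit deprecation warnings under the `-Wall` in CMAKE_C_FLAGS; it still builds, but the EVP interface is the supported replacement. vde_agno_open's body starts outside the hunk.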
@@ -251,40 +246,6 @@ error:
        return NULL;
 }
 
-/* wc_AesCbcEncrypt + padding */
-static inline int pad_AesCbcEncrypt(Aes* aes, byte* out,
-                                  const byte* in, word32 sz) {
-       int rv;
-       word32 szcomplete = sz & ~(AES_BLOCK_SIZE - 1);
-       rv = wc_AesCbcEncrypt(aes, out, in, szcomplete);
-       if (szcomplete != sz && rv == 0) {
-               word32 i;
-               byte buf[AES_BLOCK_SIZE];
-               for (i = 0; szcomplete + i < sz; i++)
-                       buf[i] = in[szcomplete + i];
-               for( ; i < AES_BLOCK_SIZE; i++)
-                       buf[i] = 0;
-               rv = wc_AesCbcEncrypt(aes, out + szcomplete, buf, 
AES_BLOCK_SIZE);
-       }
-       return rv;
-}
-
-/* pad_AesCbcDecrypt + padding */
-static inline int pad_AesCbcDecrypt(Aes* aes, byte* out,
-                                 const byte* in, word32 sz) {
-       int rv;
-       word32 szcomplete = sz & ~(AES_BLOCK_SIZE - 1);
-       rv = wc_AesCbcDecrypt(aes, out, in, szcomplete);
-       if (szcomplete != sz && rv == 0) {
-               word32 i;
-               byte buf[AES_BLOCK_SIZE];
-               rv = pad_AesCbcDecrypt(aes, buf, in + szcomplete, 
AES_BLOCK_SIZE);
-               for (i = 0; szcomplete + i < sz; i++)
-                       out[szcomplete + i] = buf[i];
-       }
-       return rv;
-}
-
 static ssize_t vde_agno_recv(VDECONN *conn, void *buf, size_t len, int flags) {
        struct vde_agno_conn *vde_conn = (struct vde_agno_conn *)conn;
        /*  */
@@ -306,7 +267,7 @@ static ssize_t vde_agno_recv(VDECONN *conn, void *buf, 
size_t len, int flags) {
 #ifdef DEBUG_DISABLE_ENCRYPTION
        memcpy(&ahdr, encbuf + sizeof(*ehdr), sizeof(ahdr));
 #else
-       wc_AesEcbDecrypt(&vde_conn->dkey, (unsigned char *)&ahdr, encbuf + 
sizeof(*ehdr), AES_BLOCK_SIZE);
+       AES_ecb_encrypt(encbuf + sizeof(*ehdr), (unsigned char *)&ahdr, 
&vde_conn->dkey, AES_DECRYPT);
 #endif
        /* Tag check */
        if (ahdr.tag != AGNO_TAG)
@@ -320,10 +281,10 @@ static ssize_t vde_agno_recv(VDECONN *conn, void *buf, 
size_t len, int flags) {
 #ifdef DEBUG_DISABLE_ENCRYPTION
        memcpy(((unsigned char *) buf) + ETH_HEADER_SIZE, encbuf + 
sizeof(*ehdr) + sizeof(ahdr), retval - ETH_HEADER_SIZE); //Decrypt 2
 #else
-       wc_AesSetIV(&vde_conn->dkey, iv_dec);
-       pad_AesCbcDecrypt(&vde_conn->dkey, ((unsigned char *) buf) + 
ETH_HEADER_SIZE,
+       AES_cbc_encrypt(
                        encbuf + sizeof(*ehdr) + sizeof(ahdr),
-                       retval - ETH_HEADER_SIZE);
+                       ((unsigned char *) buf) + ETH_HEADER_SIZE,
+                       retval - ETH_HEADER_SIZE, &vde_conn->dkey, iv_dec, 
AES_DECRYPT);
 #endif
        return retval;
 error:
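Review bot: `AES_cbc_encrypt` is handed `retval - ETH_HEADER_SIZE`, and when that is not a multiple of AES_BLOCK_SIZE OpenSSL's CBC decrypt still reads a full 16-byte input block from `encbuf` while writing only the trailing bytes to `buf`; that mirrors the removed `pad_AesCbcDecrypt`, but it means the bounds check on `retval` (outside this hunk) must guarantee `encbuf` holds the rounded-up ciphertext length, and the mirror-image encrypt in the send hunk writes a full final block into `encbuf`, so `enclen` must round up too. Unlike the wolfSSL calls, `AES_cbc_encrypt` also rewrites `iv_dec` in place with the last ciphertext block, which is only safe because the IV is presumably rebuilt per packet from the header, as the send side's `memcpy(iv_enc, &ahdr, ...)` shows; a comment on the call, `/* iv_dec is updated in place by AES_cbc_encrypt; rebuilt per packet */`, would record that. vde_agno_recv starts outside the hunk.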
@@ -368,24 +329,23 @@ static ssize_t vde_agno_send(VDECONN *conn, const void 
*buf, size_t len, int fla
        }
        /* Complete initialization of agno header */
 #ifndef DEBUG_DISABLE_ENCRYPTION
-       wc_RNG_GenerateBlock(&vde_conn->rng, ahdr.rand, 4);
+       RAND_bytes(ahdr.rand, 4);
 #endif
        /* Encrypt agno header */
 #ifdef DEBUG_DISABLE_ENCRYPTION
        memcpy(encbuf + sizeof(*ehdr), &ahdr, sizeof(ahdr));
 #else
-       wc_AesEcbEncrypt(&vde_conn->ekey, encbuf + sizeof(*ehdr), (unsigned 
char *)&ahdr, AES_BLOCK_SIZE);
+       AES_ecb_encrypt((unsigned char *)&ahdr, encbuf + sizeof(*ehdr), 
&vde_conn->ekey, AES_ENCRYPT);
 #endif
        memcpy(iv_enc, &ahdr, sizeof(iv_enc));
        /* Encrypt payload */
 #ifdef DEBUG_DISABLE_ENCRYPTION
        memcpy(encbuf + sizeof(*ehdr) + sizeof(ahdr), ((const unsigned char *) 
buf) + ETH_HEADER_SIZE, len - ETH_HEADER_SIZE);
 #else
-       wc_AesSetIV(&vde_conn->ekey, iv_enc);
-       pad_AesCbcEncrypt(&vde_conn->ekey,
+       AES_cbc_encrypt(
+                       ((const unsigned char *) buf) + ETH_HEADER_SIZE,
                        encbuf + sizeof(*ehdr) + sizeof(ahdr),
-                       ((unsigned char *) buf) + ETH_HEADER_SIZE,
-                       len - ETH_HEADER_SIZE);
+                       len - ETH_HEADER_SIZE, &vde_conn->ekey, iv_enc, 
AES_ENCRYPT);
 #endif
        retval = vde_send(vde_conn->conn, encbuf, enclen, flags);
        if (retval == enclen)
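Review bot: `RAND_bytes(ahdr.rand, 4)` discards its return value; it returns 1 on success and 0 or -1 when no random source is available, and in that case `ahdr.rand` keeps its previous contents and the IV taken from the encrypted header by the `memcpy(iv_enc, &ahdr, ...)` a few lines below becomes predictable. Failing the send is the safer outcome: `if (RAND_bytes(ahdr.rand, 4) != 1) return -1;` with errno set, or a jump to an error label if vde_agno_send has one like vde_agno_recv's `error:`. vde_agno_send starts and ends outside the hunk.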
@@ -405,12 +365,8 @@ static int vde_agno_ctlfd(VDECONN *conn) {
 }
 
 static int vde_agno_close(VDECONN *conn) {
-       struct vde_agno_conn *vde_conn = (struct vde_agno_conn *)conn;
-       int rv;
-#ifndef DEBUG_DISABLE_ENCRYPTION
-       wc_FreeRng(&vde_conn->rng);
-#endif
-       rv = vde_close(vde_conn->conn);
-       free(vde_conn);
-       return rv;
+  struct vde_agno_conn *vde_conn = (struct vde_agno_conn *)conn;
+  int rv = vde_close(vde_conn->conn);
+  free(vde_conn);
+  return rv;
 }
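Review bot: The rewritten body of vde_agno_close is indented with two spaces while every context line in the other hunks uses a tab; since these four lines are retyped anyway, keep tab indentation so the function matches its neighbours. Removing `wc_FreeRng` is consistent with the `rng` member and `wc_InitRng` call dropped in the earlier hunks, so no teardown is missing.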
