From 06d0c284996b93076b7c012f75380837c876871b Mon Sep 17 00:00:00 2001 From: Cyberes Date: Tue, 2 Jul 2024 21:18:25 -0600 Subject: [PATCH] adjust a few encryption things --- esp32/telelogger/teleclient.cpp | 19 ++++++++-------- esp32/telelogger/telecrypt.cpp | 39 +++++++++++++-------------------- esp32/telelogger/telecrypt.h | 3 ++- esp32/telelogger/telelogger.ino | 11 +++++----- server/src/server.go | 32 ++++++++++++++------------- 5 files changed, 48 insertions(+), 56 deletions(-) diff --git a/esp32/telelogger/teleclient.cpp b/esp32/telelogger/teleclient.cpp index 845bdf6..c677d36 100644 --- a/esp32/telelogger/teleclient.cpp +++ b/esp32/telelogger/teleclient.cpp @@ -257,11 +257,10 @@ bool TeleClientUDP::notify(byte event, const char* payload) if (wifi.connected()) { #if SERVER_ENCRYPTION_ENABLE == 1 - char *orig_send_buf = netbuf.buffer(); - unsigned int orig_send_buf_len = netbuf.length(); - unsigned char encrypted_buf[12 + orig_send_buf_len + 16]; - encrypt_string((unsigned char *)orig_send_buf, orig_send_buf_len, encrypted_buf); - if (!wifi.send((const char *)encrypted_buf, sizeof(encrypted_buf))) break; + unsigned int encrypted_len; + unsigned char* encrypted_buf = encrypt_buffer(netbuf.buffer(), netbuf.length(), &encrypted_len); + bool wifi_send = wifi.send((const char *)encrypted_buf, encrypted_len); + free(encrypted_buf); #else if (!wifi.send(netbuf.buffer(), netbuf.length())) break; #endif @@ -270,11 +269,11 @@ bool TeleClientUDP::notify(byte event, const char* payload) #endif { #if SERVER_ENCRYPTION_ENABLE == 1 - char *orig_send_buf = netbuf.buffer(); - unsigned int orig_send_buf_len = netbuf.length(); - unsigned char encrypted_buf[12 + orig_send_buf_len + 16]; - encrypt_string((unsigned char *)orig_send_buf, orig_send_buf_len, encrypted_buf); - if (!cell.send((const char *)encrypted_buf, sizeof(encrypted_buf))) break; + unsigned int encrypted_len; + unsigned char* encrypted_buf = encrypt_buffer(netbuf.buffer(), netbuf.length(), &encrypted_len); + bool cell_send = cell.send((const char *)encrypted_buf, sizeof(encrypted_buf)); + free(encrypted_buf); + if (!cell_send) break; #else if (!cell.send(netbuf.buffer(), netbuf.length())) break; #endif diff --git a/esp32/telelogger/telecrypt.cpp b/esp32/telelogger/telecrypt.cpp index 77defff..e6cc672 100644 --- a/esp32/telelogger/telecrypt.cpp +++ b/esp32/telelogger/telecrypt.cpp @@ -65,33 +65,11 @@ void decrypt_string(const unsigned char *input, size_t length, unsigned char *ou // Decrypt the input data size_t decryptedLength = length - sizeof(nonce) - chachaPoly.tagSize(); chachaPoly.decrypt(output, input + sizeof(nonce), decryptedLength); - - // String decryptedString = ""; - // for (size_t i = 0; i < decryptedLength; i++) { - // decryptedString += (char)output[i]; - // } - // Serial.println(decryptedString); const unsigned char *tagPtr = input + sizeof(nonce) + decryptedLength; // actual tag uint8_t computedTag[16]; // computed tag chachaPoly.computeTag(computedTag, sizeof(computedTag)); - // Serial.print("Tag: "); - // for (size_t i = 0; i < chachaPoly.tagSize(); i++) { - // Serial.print(tagPtr[i], HEX); - // Serial.print(" "); - // } - // Serial.println(); - // Serial.print("Computed Tag: "); - // for (size_t i = 0; i < sizeof(computedTag); i++) { - // Serial.print(computedTag[i], HEX); - // Serial.print(" "); - // } - // Serial.println(); - - ///// BEGIN TAG VERIFY - // The crypto library implementation of tag verification crashes. - // Can never match if the expected tag length is too long. if (chachaPoly.tagSize() > 16) { Serial.println("[CHACHA] Authentication failed: expected tag length is too long"); @@ -100,9 +78,9 @@ void decrypt_string(const unsigned char *input, size_t length, unsigned char *ou } // Compute the tag and check it. + // The crypto library implementation of tag verification crashes. bool equal = secure_compare(computedTag, tagPtr, chachaPoly.tagSize()); clean(computedTag); - if (!equal) { Serial.println("[CHACHA] Authentication failed!"); output[0] = '\0'; @@ -113,4 +91,17 @@ void decrypt_string(const unsigned char *input, size_t length, unsigned char *ou output[decryptedLength] = '\0'; chachaPoly.clear(); -} \ No newline at end of file +} + +unsigned char* encrypt_buffer(char* buf, unsigned int len, unsigned int* encrypted_len) { + // Increase the size of encrypted_buf to hold the nonce, the encrypted data, and the authentication tag. + unsigned char* encrypted_buf = (unsigned char*)malloc(12 + len + 16); // 12 bytes for nonce and 16 bytes for tag + if(!encrypted_buf) { + // handle error + return NULL; + } + encrypt_string((unsigned char *)buf, len, encrypted_buf); + *encrypted_len = 12 + len + 16; + return encrypted_buf; +} + diff --git a/esp32/telelogger/telecrypt.h b/esp32/telelogger/telecrypt.h index 37098b4..e08dbe6 100644 --- a/esp32/telelogger/telecrypt.h +++ b/esp32/telelogger/telecrypt.h @@ -6,4 +6,5 @@ void encrypt_string(const unsigned char *input, size_t length, unsigned char *output); void decrypt_string(const unsigned char *input, size_t length, unsigned char *output); -void print_hex(const unsigned char *data, size_t length); \ No newline at end of file +void print_hex(const unsigned char *data, size_t length); +unsigned char* encrypt_buffer(char* buf, unsigned int len, unsigned int* encrypted_len); \ No newline at end of file diff --git a/esp32/telelogger/telelogger.ino b/esp32/telelogger/telelogger.ino index 33e0247..755f895 100644 --- a/esp32/telelogger/telelogger.ino +++ b/esp32/telelogger/telelogger.ino @@ -1007,12 +1007,11 @@ void telemetry(void* inst) #endif #if SERVER_ENCRYPTION_ENABLE == 1 - char *orig_send_buf = store.buffer(); - unsigned int orig_send_buf_len = store.length(); - // Increase the size of encrypted_buf to hold the nonce, the encrypted data, and the authentication tag. - unsigned char encrypted_buf[12 + orig_send_buf_len + 16]; // 12 bytes for nonce and 16 bytes for tag - encrypt_string((unsigned char *)orig_send_buf, orig_send_buf_len, encrypted_buf); - if (teleClient.transmit((const char *)encrypted_buf, sizeof(encrypted_buf))) { + unsigned int encrypted_len; + unsigned char* encrypted_buf = encrypt_buffer(store.buffer(), store.length(), &encrypted_len); + bool transmit_success = teleClient.transmit((const char *)encrypted_buf, sizeof(encrypted_buf)); + free(encrypted_buf); + if (transmit_success) { #else if (teleClient.transmit(store.buffer(), store.length())) { #endif diff --git a/server/src/server.go b/server/src/server.go index 7dd4cd2..9379036 100644 --- a/server/src/server.go +++ b/server/src/server.go @@ -84,22 +84,25 @@ func main() { // Handle the message. go func(addr *net.UDPAddr, buf []byte, n int) { - // Do the decryption. var plaintext []byte + shouldEncrypt := true if len(buf[:n]) > 0 { plaintext, err = encryption.Decrypt(key, buf[:n]) // Use only the part of the buffer that has data. if err != nil { rawHex := hex.EncodeToString(buf[:n]) - logger.Warnf(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, fmt.Sprintf(`Error decrypting message: %s. Length: %d, Raw: "%s"`, err, len(rawHex), rawHex))) - plaintext = buf[:n] // Forward the raw message to the backend without bothering with decryption. - if len(plaintext) > 0 { - logger.Warningf("Encryption failed, possibly recieved unencrypted message -- %s", plaintext) + logger.Warningf(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, fmt.Sprintf(`Error decrypting message: %s. Length: %d, Raw: "%s"`, err, len(rawHex), rawHex))) + plaintext = buf[:n] // Don't bother with decryption. + shouldEncrypt = false + if len(buf[:n]) > 0 { + logger.Warningln("Encryption failed, possibly recieved unencrypted message") } } } else { // If empty message. plaintext = buf[:n] + shouldEncrypt = false } + logger.Infof(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, string(plaintext))) forwardAddr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", dest.Address, dest.Port)) if err != nil { @@ -107,14 +110,12 @@ func main() { return } - // Create a new UDP address for listening to the backend server's response. listenAddr, err := net.ResolveUDPAddr("udp", ":0") // Let the OS pick a free port. if err != nil { logger.Fatalln("Error resolving listen address:", err) return } - // Create a new UDP listener for the backend server's response. listenConn, err := net.ListenUDP("udp", listenAddr) if err != nil { logger.Fatalln("Error listening for backend response:", err) @@ -122,7 +123,6 @@ func main() { } defer listenConn.Close() - // Dial the backend server without binding a local address. forwardConn, err := net.DialUDP("udp", nil, forwardAddr) if err != nil { logger.Fatalln("Error dialing to forward address:", err) @@ -145,11 +145,15 @@ func main() { return } - // Encrypt the backend's response. - encryptedBackendResponse, err := encryption.Encrypt(key, backendResponse[:n]) - if err != nil { - logger.Errorf(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, fmt.Sprintf("Error encrypting response: %s", err))) - return + var encryptedBackendResponse []byte + if shouldEncrypt { + encryptedBackendResponse, err = encryption.Encrypt(key, backendResponse[:n]) + if err != nil { + logger.Errorf(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, fmt.Sprintf("Error encrypting response: %s", err))) + return + } + } else { + encryptedBackendResponse = backendResponse } // Forward the encrypted backend response to the client. @@ -158,8 +162,6 @@ func main() { logger.Errorf(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, fmt.Sprintf("Error forwarding response to client: %s", err))) return } - - logger.Infof(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, string(plaintext))) }(addr, buf, n) } }(port, dest)