adjust a few encryption things
This commit is contained in:
parent
28603b2a2e
commit
06d0c28499
|
@ -257,11 +257,10 @@ bool TeleClientUDP::notify(byte event, const char* payload)
|
|||
if (wifi.connected())
|
||||
{
|
||||
#if SERVER_ENCRYPTION_ENABLE == 1
|
||||
char *orig_send_buf = netbuf.buffer();
|
||||
unsigned int orig_send_buf_len = netbuf.length();
|
||||
unsigned char encrypted_buf[12 + orig_send_buf_len + 16];
|
||||
encrypt_string((unsigned char *)orig_send_buf, orig_send_buf_len, encrypted_buf);
|
||||
if (!wifi.send((const char *)encrypted_buf, sizeof(encrypted_buf))) break;
|
||||
unsigned int encrypted_len;
|
||||
unsigned char* encrypted_buf = encrypt_buffer(netbuf.buffer(), netbuf.length(), &encrypted_len);
|
||||
bool wifi_send = wifi.send((const char *)encrypted_buf, encrypted_len);
|
||||
free(encrypted_buf);
|
||||
#else
|
||||
if (!wifi.send(netbuf.buffer(), netbuf.length())) break;
|
||||
#endif
|
||||
|
@ -270,11 +269,11 @@ bool TeleClientUDP::notify(byte event, const char* payload)
|
|||
#endif
|
||||
{
|
||||
#if SERVER_ENCRYPTION_ENABLE == 1
|
||||
char *orig_send_buf = netbuf.buffer();
|
||||
unsigned int orig_send_buf_len = netbuf.length();
|
||||
unsigned char encrypted_buf[12 + orig_send_buf_len + 16];
|
||||
encrypt_string((unsigned char *)orig_send_buf, orig_send_buf_len, encrypted_buf);
|
||||
if (!cell.send((const char *)encrypted_buf, sizeof(encrypted_buf))) break;
|
||||
unsigned int encrypted_len;
|
||||
unsigned char* encrypted_buf = encrypt_buffer(netbuf.buffer(), netbuf.length(), &encrypted_len);
|
||||
bool cell_send = cell.send((const char *)encrypted_buf, sizeof(encrypted_buf));
|
||||
free(encrypted_buf);
|
||||
if (!cell_send) break;
|
||||
#else
|
||||
if (!cell.send(netbuf.buffer(), netbuf.length())) break;
|
||||
#endif
|
||||
|
|
|
@ -66,32 +66,10 @@ void decrypt_string(const unsigned char *input, size_t length, unsigned char *ou
|
|||
size_t decryptedLength = length - sizeof(nonce) - chachaPoly.tagSize();
|
||||
chachaPoly.decrypt(output, input + sizeof(nonce), decryptedLength);
|
||||
|
||||
// String decryptedString = "";
|
||||
// for (size_t i = 0; i < decryptedLength; i++) {
|
||||
// decryptedString += (char)output[i];
|
||||
// }
|
||||
// Serial.println(decryptedString);
|
||||
|
||||
const unsigned char *tagPtr = input + sizeof(nonce) + decryptedLength; // actual tag
|
||||
uint8_t computedTag[16]; // computed tag
|
||||
chachaPoly.computeTag(computedTag, sizeof(computedTag));
|
||||
|
||||
// Serial.print("Tag: ");
|
||||
// for (size_t i = 0; i < chachaPoly.tagSize(); i++) {
|
||||
// Serial.print(tagPtr[i], HEX);
|
||||
// Serial.print(" ");
|
||||
// }
|
||||
// Serial.println();
|
||||
// Serial.print("Computed Tag: ");
|
||||
// for (size_t i = 0; i < sizeof(computedTag); i++) {
|
||||
// Serial.print(computedTag[i], HEX);
|
||||
// Serial.print(" ");
|
||||
// }
|
||||
// Serial.println();
|
||||
|
||||
///// BEGIN TAG VERIFY
|
||||
// The crypto library implementation of tag verification crashes.
|
||||
|
||||
// Can never match if the expected tag length is too long.
|
||||
if (chachaPoly.tagSize() > 16) {
|
||||
Serial.println("[CHACHA] Authentication failed: expected tag length is too long");
|
||||
|
@ -100,9 +78,9 @@ void decrypt_string(const unsigned char *input, size_t length, unsigned char *ou
|
|||
}
|
||||
|
||||
// Compute the tag and check it.
|
||||
// The crypto library implementation of tag verification crashes.
|
||||
bool equal = secure_compare(computedTag, tagPtr, chachaPoly.tagSize());
|
||||
clean(computedTag);
|
||||
|
||||
if (!equal) {
|
||||
Serial.println("[CHACHA] Authentication failed!");
|
||||
output[0] = '\0';
|
||||
|
@ -114,3 +92,16 @@ void decrypt_string(const unsigned char *input, size_t length, unsigned char *ou
|
|||
output[decryptedLength] = '\0';
|
||||
chachaPoly.clear();
|
||||
}
|
||||
|
||||
unsigned char* encrypt_buffer(char* buf, unsigned int len, unsigned int* encrypted_len) {
|
||||
// Increase the size of encrypted_buf to hold the nonce, the encrypted data, and the authentication tag.
|
||||
unsigned char* encrypted_buf = (unsigned char*)malloc(12 + len + 16); // 12 bytes for nonce and 16 bytes for tag
|
||||
if(!encrypted_buf) {
|
||||
// handle error
|
||||
return NULL;
|
||||
}
|
||||
encrypt_string((unsigned char *)buf, len, encrypted_buf);
|
||||
*encrypted_len = 12 + len + 16;
|
||||
return encrypted_buf;
|
||||
}
|
||||
|
||||
|
|
|
@ -7,3 +7,4 @@
|
|||
void encrypt_string(const unsigned char *input, size_t length, unsigned char *output);
|
||||
void decrypt_string(const unsigned char *input, size_t length, unsigned char *output);
|
||||
void print_hex(const unsigned char *data, size_t length);
|
||||
unsigned char* encrypt_buffer(char* buf, unsigned int len, unsigned int* encrypted_len);
|
|
@ -1007,12 +1007,11 @@ void telemetry(void* inst)
|
|||
#endif
|
||||
|
||||
#if SERVER_ENCRYPTION_ENABLE == 1
|
||||
char *orig_send_buf = store.buffer();
|
||||
unsigned int orig_send_buf_len = store.length();
|
||||
// Increase the size of encrypted_buf to hold the nonce, the encrypted data, and the authentication tag.
|
||||
unsigned char encrypted_buf[12 + orig_send_buf_len + 16]; // 12 bytes for nonce and 16 bytes for tag
|
||||
encrypt_string((unsigned char *)orig_send_buf, orig_send_buf_len, encrypted_buf);
|
||||
if (teleClient.transmit((const char *)encrypted_buf, sizeof(encrypted_buf))) {
|
||||
unsigned int encrypted_len;
|
||||
unsigned char* encrypted_buf = encrypt_buffer(store.buffer(), store.length(), &encrypted_len);
|
||||
bool transmit_success = teleClient.transmit((const char *)encrypted_buf, sizeof(encrypted_buf));
|
||||
free(encrypted_buf);
|
||||
if (transmit_success) {
|
||||
#else
|
||||
if (teleClient.transmit(store.buffer(), store.length())) {
|
||||
#endif
|
||||
|
|
|
@ -84,22 +84,25 @@ func main() {
|
|||
|
||||
// Handle the message.
|
||||
go func(addr *net.UDPAddr, buf []byte, n int) {
|
||||
// Do the decryption.
|
||||
var plaintext []byte
|
||||
shouldEncrypt := true
|
||||
if len(buf[:n]) > 0 {
|
||||
plaintext, err = encryption.Decrypt(key, buf[:n]) // Use only the part of the buffer that has data.
|
||||
if err != nil {
|
||||
rawHex := hex.EncodeToString(buf[:n])
|
||||
logger.Warnf(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, fmt.Sprintf(`Error decrypting message: %s. Length: %d, Raw: "%s"`, err, len(rawHex), rawHex)))
|
||||
plaintext = buf[:n] // Forward the raw message to the backend without bothering with decryption.
|
||||
if len(plaintext) > 0 {
|
||||
logger.Warningf("Encryption failed, possibly recieved unencrypted message -- %s", plaintext)
|
||||
logger.Warningf(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, fmt.Sprintf(`Error decrypting message: %s. Length: %d, Raw: "%s"`, err, len(rawHex), rawHex)))
|
||||
plaintext = buf[:n] // Don't bother with decryption.
|
||||
shouldEncrypt = false
|
||||
if len(buf[:n]) > 0 {
|
||||
logger.Warningln("Encryption failed, possibly recieved unencrypted message")
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// If empty message.
|
||||
plaintext = buf[:n]
|
||||
shouldEncrypt = false
|
||||
}
|
||||
logger.Infof(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, string(plaintext)))
|
||||
|
||||
forwardAddr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", dest.Address, dest.Port))
|
||||
if err != nil {
|
||||
|
@ -107,14 +110,12 @@ func main() {
|
|||
return
|
||||
}
|
||||
|
||||
// Create a new UDP address for listening to the backend server's response.
|
||||
listenAddr, err := net.ResolveUDPAddr("udp", ":0") // Let the OS pick a free port.
|
||||
if err != nil {
|
||||
logger.Fatalln("Error resolving listen address:", err)
|
||||
return
|
||||
}
|
||||
|
||||
// Create a new UDP listener for the backend server's response.
|
||||
listenConn, err := net.ListenUDP("udp", listenAddr)
|
||||
if err != nil {
|
||||
logger.Fatalln("Error listening for backend response:", err)
|
||||
|
@ -122,7 +123,6 @@ func main() {
|
|||
}
|
||||
defer listenConn.Close()
|
||||
|
||||
// Dial the backend server without binding a local address.
|
||||
forwardConn, err := net.DialUDP("udp", nil, forwardAddr)
|
||||
if err != nil {
|
||||
logger.Fatalln("Error dialing to forward address:", err)
|
||||
|
@ -145,11 +145,15 @@ func main() {
|
|||
return
|
||||
}
|
||||
|
||||
// Encrypt the backend's response.
|
||||
encryptedBackendResponse, err := encryption.Encrypt(key, backendResponse[:n])
|
||||
if err != nil {
|
||||
logger.Errorf(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, fmt.Sprintf("Error encrypting response: %s", err)))
|
||||
return
|
||||
var encryptedBackendResponse []byte
|
||||
if shouldEncrypt {
|
||||
encryptedBackendResponse, err = encryption.Encrypt(key, backendResponse[:n])
|
||||
if err != nil {
|
||||
logger.Errorf(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, fmt.Sprintf("Error encrypting response: %s", err)))
|
||||
return
|
||||
}
|
||||
} else {
|
||||
encryptedBackendResponse = backendResponse
|
||||
}
|
||||
|
||||
// Forward the encrypted backend response to the client.
|
||||
|
@ -158,8 +162,6 @@ func main() {
|
|||
logger.Errorf(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, fmt.Sprintf("Error forwarding response to client: %s", err)))
|
||||
return
|
||||
}
|
||||
|
||||
logger.Infof(formatLogMsg(addr.IP.String(), dest.Address, dest.Port, string(plaintext)))
|
||||
}(addr, buf, n)
|
||||
}
|
||||
}(port, dest)
|
||||
|
|
Loading…
Reference in New Issue