| … | |
… | |
| 120 | +------+------+--------+------+ |
120 | +------+------+--------+------+ |
| 121 | | HMAC | TYPE | SRCDST | DATA | |
121 | | HMAC | TYPE | SRCDST | DATA | |
| 122 | +------+------+--------+------+ |
122 | +------+------+--------+------+ |
| 123 | |
123 | |
| 124 | The HMAC field is present in all packets, even if not used (e.g. in auth |
124 | The HMAC field is present in all packets, even if not used (e.g. in auth |
| 125 | request packets), in which case it is set to all zeroes. The checksum |
125 | request packets), in which case it is set to all zeroes. The MAC itself is |
| 126 | itself is calculated over the TYPE, SRCDST and DATA fields in all cases. |
126 | calculated over the TYPE, SRCDST and DATA fields in all cases. |
| 127 | |
127 | |
| 128 | The TYPE field is a single byte and determines the purpose of the packet |
128 | The TYPE field is a single byte and determines the purpose of the packet |
| 129 | (e.g. RESET, COMPRESSED/UNCOMPRESSED DATA, PING, AUTH REQUEST/RESPONSE, |
129 | (e.g. RESET, COMPRESSED/UNCOMPRESSED DATA, PING, AUTH REQUEST/RESPONSE, |
| 130 | CONNECT REQUEST/INFO etc.). |
130 | CONNECT REQUEST/INFO etc.). |
| 131 | |
131 | |
| … | |
… | |
| 134 | |
134 | |
| 135 | The DATA portion differs between each packet type, naturally, and is the |
135 | The DATA portion differs between each packet type, naturally, and is the |
| 136 | only part that can be encrypted. Data packets contain more fields, as |
136 | only part that can be encrypted. Data packets contain more fields, as |
| 137 | shown: |
137 | shown: |
| 138 | |
138 | |
| 139 | +------+------+--------+------+-------+------+ |
139 | +------+------+--------+-------+------+ |
| 140 | | HMAC | TYPE | SRCDST | RAND | SEQNO | DATA | |
140 | | HMAC | TYPE | SRCDST | SEQNO | DATA | |
| 141 | +------+------+--------+------+-------+------+ |
141 | +------+------+--------+-------+------+ |
| 142 | |
|
|
| 143 | RAND is a sequence of fully random bytes, used to increase the entropy of |
|
|
| 144 | the data for encryption purposes. |
|
|
| 145 | |
142 | |
| 146 | SEQNO is a 32-bit sequence number. It is negotiated at every connection |
143 | SEQNO is a 32-bit sequence number. It is negotiated at every connection |
| 147 | initialization and starts at some random 31 bit value. GVPE currently uses |
144 | initialization and starts at some random 31 bit value. GVPE currently uses |
| 148 | a sliding window of 512 packets/sequence numbers to detect reordering, |
145 | a sliding window of 512 packets/sequence numbers to detect reordering, |
| 149 | duplication and replay attacks. |
146 | duplication and replay attacks. |
| 150 | |
147 | |
| 151 | The encryption is done on RAND+SEQNO+DATA in CBC mode with zero IV (or, |
148 | The encryption is done on SEQNO+DATA in CTR mode with IV generated from |
| 152 | equivalently, the IV is RAND+SEQNO, encrypted with the block cipher, |
149 | the seqno (for AES: seqno || seqno || seqno || (u32)0), which ensures |
| 153 | unless RAND size is decreased or increased over the default value). |
150 | uniqueness for a given key. |
| 154 | |
|
|
| 155 | The random prefix itself is generated by using AES in CTR mode with a |
|
|
| 156 | random key and starting value, which should make them unpredictable even |
|
|
| 157 | before encrypting them again. The sequence number additionally ensures |
|
|
| 158 | that the IV is unique. |
|
|
| 159 | |
151 | |
| 160 | =head2 The authentication/key exchange protocol |
152 | =head2 The authentication/key exchange protocol |
| 161 | |
153 | |
| 162 | Before nodes can exchange packets, they need to establish authenticity of |
154 | Before nodes can exchange packets, they need to establish authenticity of |
| 163 | the other side and a key. Every node has a private RSA key and the public |
155 | the other side and a key. Every node has a private RSA key and the public |
