… | |
… | |
48 | #include "hkdf.h" |
48 | #include "hkdf.h" |
49 | |
49 | |
50 | #include "netcompat.h" |
50 | #include "netcompat.h" |
51 | |
51 | |
52 | #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic |
52 | #define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic |
|
|
53 | #define MAGIC "HUHN\xbd\xc6\xdb\x82" // 8 bytes of magic//D |
53 | |
54 | |
54 | #define ULTRA_FAST 1 |
55 | #define ULTRA_FAST 1 |
55 | #define HLOG 15 |
56 | #define HLOG 15 |
56 | #include "lzf/lzf.h" |
57 | #include "lzf/lzf.h" |
57 | #include "lzf/lzf_c.c" |
58 | #include "lzf/lzf_c.c" |
… | |
… | |
119 | { |
120 | { |
120 | u8 mac_key[MAC_KEYSIZE]; |
121 | u8 mac_key[MAC_KEYSIZE]; |
121 | static const unsigned char mac_info[] = "gvpe mac key"; |
122 | static const unsigned char mac_info[] = "gvpe mac key"; |
122 | |
123 | |
123 | hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ()); |
124 | hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ()); |
124 | kdf.extract (auth2.rsa.ikm, sizeof (auth2.rsa.ikm)); |
|
|
125 | kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key)); |
125 | kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key)); |
126 | kdf.extract (s, sizeof (s)); |
126 | kdf.extract (s, sizeof (s)); |
127 | kdf.extract_done (HKDF_PRF_HASH ()); |
127 | kdf.extract_done (HKDF_PRF_HASH ()); |
128 | kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info)); |
128 | kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info)); |
129 | |
129 | |
… | |
… | |
134 | { |
134 | { |
135 | u8 cipher_key[CIPHER_KEYSIZE]; |
135 | u8 cipher_key[CIPHER_KEYSIZE]; |
136 | static const unsigned char cipher_info[] = "gvpe cipher key"; |
136 | static const unsigned char cipher_info[] = "gvpe cipher key"; |
137 | |
137 | |
138 | hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ()); |
138 | hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ()); |
139 | kdf.extract (auth2.rsa.ikm, sizeof (auth2.rsa.ikm)); |
|
|
140 | kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key)); |
139 | kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key)); |
141 | kdf.extract (s, sizeof (s)); |
140 | kdf.extract (s, sizeof (s)); |
142 | kdf.extract_done (HKDF_PRF_HASH ()); |
141 | kdf.extract_done (HKDF_PRF_HASH ()); |
143 | kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info)); |
142 | kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info)); |
144 | |
143 | |
… | |
… | |
196 | connection::generate_auth_data () |
195 | connection::generate_auth_data () |
197 | { |
196 | { |
198 | if (auth_expire < ev_now ()) |
197 | if (auth_expire < ev_now ()) |
199 | { |
198 | { |
200 | // request data |
199 | // request data |
201 | RAND_bytes ((unsigned char *)&snd_auth.rsa, sizeof snd_auth.rsa); |
200 | rand_fill (snd_auth.rsa); |
202 | curve25519_generate (snd_ecdh_a, snd_auth.ecdh); |
201 | curve25519_generate (snd_ecdh_a, snd_auth.ecdh); |
203 | auth_hash (snd_auth, snd_auth_mac); |
202 | auth_hash (snd_auth, snd_auth_mac); |
204 | |
203 | |
205 | // eventual response data |
204 | // eventual response data |
206 | curve25519_generate (rcv_ecdh_a, rcv_ecdh_b); |
205 | curve25519_generate (rcv_ecdh_a, rcv_ecdh_b); |
… | |
… | |
461 | u32 seqno; |
460 | u32 seqno; |
462 | } datahdr; |
461 | } datahdr; |
463 | |
462 | |
464 | datahdr.seqno = ntohl (seqno); |
463 | datahdr.seqno = ntohl (seqno); |
465 | #if RAND_SIZE |
464 | #if RAND_SIZE |
466 | RAND_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); |
465 | // NB: a constant (per session) random prefix |
|
|
466 | // is likely enough, but we don't take any chances. |
|
|
467 | conn->oiv.get (datahdr.rnd, RAND_SIZE); |
467 | #endif |
468 | #endif |
468 | |
469 | |
469 | require (EVP_EncryptUpdate (cctx, |
470 | require (EVP_EncryptUpdate (cctx, |
470 | (unsigned char *) data + outl, &outl2, |
471 | (unsigned char *) data + outl, &outl2, |
471 | (unsigned char *) &datahdr, DATAHDR)); |
472 | (unsigned char *) &datahdr, DATAHDR)); |
… | |
… | |
502 | |
503 | |
503 | if (type == PT_DATA_COMPRESSED) |
504 | if (type == PT_DATA_COMPRESSED) |
504 | d = cdata; |
505 | d = cdata; |
505 | else |
506 | else |
506 | #endif |
507 | #endif |
507 | d = &(*p)[6 + 6 - DATAHDR]; |
508 | d = &(*p)[6 + 6] - DATAHDR; |
508 | |
509 | |
509 | /* this overwrites part of the src mac, but we fix that later */ |
510 | // we play do evil games with the struct layout atm. |
|
|
511 | // pending better solutions, we at least do some verification. |
|
|
512 | // this is fine, as we left ISO territory long ago. |
|
|
513 | require (DATAHDR <= 16); |
|
|
514 | require ((u8 *)(&p->len + 1) == &(*p)[0]); |
|
|
515 | |
|
|
516 | // this can overwrite the len/dst/src fields |
510 | require (EVP_DecryptUpdate (cctx, |
517 | require (EVP_DecryptUpdate (cctx, |
511 | d, &outl2, |
518 | d, &outl2, |
512 | (unsigned char *)&data, len - data_hdr_size ())); |
519 | (unsigned char *)&data, len - data_hdr_size ())); |
513 | outl += outl2; |
520 | outl += outl2; |
514 | |
521 | |
… | |
… | |
695 | iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff); |
702 | iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff); |
696 | |
703 | |
697 | delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b , 1); |
704 | delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b , 1); |
698 | oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff; |
705 | oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff; |
699 | |
706 | |
|
|
707 | oiv.reset (); |
|
|
708 | |
|
|
709 | // make sure rekeying timeouts are slightly asymmetric |
|
|
710 | ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0); |
|
|
711 | rekey.start (rekey_interval, rekey_interval); |
|
|
712 | |
|
|
713 | keepalive.start (::conf.keepalive); |
|
|
714 | |
|
|
715 | // send queued packets |
700 | if (ictx && octx) |
716 | if (ictx && octx) |
701 | { |
717 | { |
702 | // make sure rekeying timeouts are slightly asymmetric |
718 | while (tap_packet *p = (tap_packet *)data_queue.get ()) |
703 | ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0); |
|
|
704 | rekey.start (rekey_interval, rekey_interval); |
|
|
705 | |
|
|
706 | keepalive.start (::conf.keepalive); |
|
|
707 | |
|
|
708 | // send queued packets |
|
|
709 | if (ictx && octx) |
|
|
710 | { |
719 | { |
711 | while (tap_packet *p = (tap_packet *)data_queue.get ()) |
|
|
712 | { |
|
|
713 | if (p->len) send_data_packet (p); |
720 | if (p->len) send_data_packet (p); |
714 | delete p; |
721 | delete p; |
715 | } |
|
|
716 | |
|
|
717 | while (vpn_packet *p = (vpn_packet *)vpn_queue.get ()) |
|
|
718 | { |
|
|
719 | if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY); |
|
|
720 | delete p; |
|
|
721 | } |
|
|
722 | } |
722 | } |
723 | |
723 | |
|
|
724 | while (vpn_packet *p = (vpn_packet *)vpn_queue.get ()) |
|
|
725 | { |
|
|
726 | if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY); |
|
|
727 | delete p; |
|
|
728 | } |
|
|
729 | } |
|
|
730 | |
724 | vpn->connection_established (this); |
731 | vpn->connection_established (this); |
725 | } |
|
|
726 | #if 0 |
|
|
727 | else |
|
|
728 | { |
|
|
729 | retry_cnt = 0; |
|
|
730 | establish_connection.start (5); |
|
|
731 | keepalive.stop (); |
|
|
732 | rekey.stop (); |
|
|
733 | } |
|
|
734 | #endif |
|
|
735 | } |
732 | } |
736 | |
733 | |
737 | void |
734 | void |
738 | connection::reset_si () |
735 | connection::reset_si () |
739 | { |
736 | { |