[ViewVC] Diff of: cvs/gvpe/src/connection.C

Comparing gvpe/src/connection.C (file contents):
Revision 1.105 by root, Fri Jul 19 18:22:54 2013 UTC vs.
Revision 1.114 by root, Thu Jun 30 11:43:38 2016 UTC

 /*
     connection.C -- manage a single connection
-    Copyright (C) 2003-2008,2010,2011,2013 Marc Lehmann <gvpe@schmorp.de>
+    Copyright (C) 2003-2008,2010,2011,2013,2016 Marc Lehmann <gvpe@schmorp.de>
     This file is part of GVPE.
     GVPE is free software; you can redistribute it and/or modify it
     under the terms of the GNU General Public License as published by the
 #include <list>
 #include <queue>
 #include <utility>
+#include <openssl/opensslv.h>
 #include <openssl/rand.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/err.h>
 #include "conf.h"
 #include "slog.h"
+#include "crypto.h"
 #include "device.h"
 #include "vpn.h"
 #include "connection.h"
 #include "hkdf.h"
 #include "netcompat.h"
 #define MAGIC     "gvpe\xbd\xc6\xdb\x82"	// 8 bytes of magic
-#define MAGIC     "HUHN\xbd\xc6\xdb\x82"	// 8 bytes of magic//D
 #define ULTRA_FAST 1
 #define HLOG 15
 #include "lzf/lzf.h"
 #include "lzf/lzf_c.c"
 //////////////////////////////////////////////////////////////////////////////
 struct crypto_ctx
 {
   EVP_CIPHER_CTX cctx;
-  HMAC_CTX hctx;
+  hmac hctx;
   crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc);
   ~crypto_ctx ();
 };
     kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key));
     kdf.extract (s, sizeof (s));
     kdf.extract_done (HKDF_PRF_HASH ());
     kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info));
-    HMAC_CTX_init (&hctx);
+    hctx.init (mac_key, MAC_KEYSIZE, MAC_DIGEST ());
-    require (HMAC_Init_ex (&hctx, mac_key, MAC_KEYSIZE, MAC_DIGEST (), 0));
   }
   {
     u8 cipher_key[CIPHER_KEYSIZE];
     static const unsigned char cipher_info[] = "gvpe cipher key";
 }
 crypto_ctx::~crypto_ctx ()
 {
   require (EVP_CIPHER_CTX_cleanup (&cctx));
-  HMAC_CTX_cleanup (&hctx);
 }
 static inline void
 auth_encrypt (RSA *key, const auth_data &auth, auth_encr &encr)
 {
 }
 static void
 auth_hash (const auth_data &auth, const ecdh_key &b, auth_mac &mac)
 {
-  hkdf kdf (&auth.ecdh, sizeof (auth.ecdh), AUTH_DIGEST ()); // use remote ecdh b as salt
+  hkdf kdf (b, sizeof b, AUTH_DIGEST ()); // use response ecdh b as salt
   kdf.extract (&auth.rsa, sizeof (auth.rsa));
   kdf.extract_done ();
-  kdf.expand (mac, sizeof mac, b, sizeof b); // use response ecdh b as info
+  kdf.expand (mac, sizeof mac, auth.ecdh, sizeof (auth.ecdh)); // use challenge ecdh b as info
 }
 void
 connection::generate_auth_data ()
 {
 /////////////////////////////////////////////////////////////////////////////
 void
 hmac_packet::hmac_gen (crypto_ctx *ctx, u8 *hmac_digest)
 {
-  HMAC_CTX *hctx = &ctx->hctx;
+  ctx->hctx.init ();
-  require (HMAC_Init_ex (hctx, 0, 0, 0, 0));
-  require (HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), len - sizeof (hmac_packet)));
+  ctx->hctx.add (((unsigned char *) this) + sizeof (hmac_packet), len - sizeof (hmac_packet));
-  require (HMAC_Final (hctx, hmac_digest, 0));
+  ctx->hctx.digest (hmac_digest);
 }
 void
 hmac_packet::hmac_set (crypto_ctx *ctx)
 {
 bool
 hmac_packet::hmac_chk (crypto_ctx *ctx)
 {
   unsigned char hmac_digest[EVP_MAX_MD_SIZE];
   hmac_gen (ctx, hmac_digest);
-  return !memcmp (hmac, hmac_digest, HMACLENGTH);
+  return slow_memeq (hmac, hmac_digest, HMACLENGTH);
 }
 void
 vpn_packet::set_hdr (ptype type_, unsigned int dst)
 {
   srcdst = ((src >> 8) << 4) | (dst >> 8);
   dst1 = dst;
 }
 #define MAXVPNDATA (MAX_MTU - 6 - 6)
-#define DATAHDR (sizeof (u32) + RAND_SIZE)
 struct vpndata_packet : vpn_packet
 {
-  u8 data[MAXVPNDATA + DATAHDR]; // seqno
+  u32 ctr; // seqno
+  u8 data[MAXVPNDATA];
   void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
   tap_packet *unpack (connection *conn, u32 &seqno);
 private:
   const u32 data_hdr_size () const
   {
-    return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
+    // the distance from beginning of packet to data member
+    return data - at (0);
   }
 };
+// expands packet counter (unlike seqno, in network byte order) to counter mode IV
+static unsigned char *
+expand_iv (u32 ctr)
+{
+  static u32 iv[IV_SIZE (CIPHER) / 4];
+  require (sizeof (iv) == 4 * 4);
+  require (IV_SIZE (CIPHER) % 4 == 0);
+  iv[0] =
+  iv[1] =
+  iv[2] = ctr;
+  // I would reuse ctr here to to avoid potential endianness issues,
+  // but it seems openssl wraps around. While this would be still ok,
+  // and I don't even know if its true, let's play safe and initialise
+  // to 0.
+  iv[3] = 0;
+  return (unsigned char *)iv;
+}
 void
 vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
 {
   EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
           d[1] = cl;
         }
     }
 #endif
-  require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 1));
+  ctr = htonl (seqno);
-  struct {
+  require (EVP_EncryptInit_ex (cctx, 0, 0, 0, expand_iv (ctr)));
-#if RAND_SIZE
-    u8 rnd[RAND_SIZE];
-#endif
-    u32 seqno;
-  } datahdr;
-  datahdr.seqno = ntohl (seqno);
-#if RAND_SIZE
-  // NB: a constant (per session) random prefix
-  // is likely enough, but we don't take any chances.
-  conn->oiv.get (datahdr.rnd, RAND_SIZE);
-#endif
   require (EVP_EncryptUpdate (cctx,
-                     (unsigned char *) data + outl, &outl2,
+                     (unsigned char *)data + outl, &outl2,
-                     (unsigned char *) &datahdr, DATAHDR));
+                     (unsigned char *)d, l));
   outl += outl2;
-  require (EVP_EncryptUpdate (cctx,
+  // it seems this is a nop for us, but we do it anyways
-                     (unsigned char *) data + outl, &outl2,
+  require (EVP_EncryptFinal_ex (cctx, (unsigned char *)data + outl, &outl2));
-                     (unsigned char *) d, l));
   outl += outl2;
-  require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
-  outl += outl2;
-  len = outl + data_hdr_size ();
+  len = data_hdr_size () + outl;
   set_hdr (type, dst);
   hmac_set (conn->octx);
 }
 {
   EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
   int outl = 0, outl2;
   tap_packet *p = new tap_packet;
   u8 *d;
-  u32 l = len - data_hdr_size ();
-  require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 0));
+  seqno = ntohl (ctr);
+  require (EVP_DecryptInit_ex (cctx, 0, 0, 0, expand_iv (ctr)));
 #if ENABLE_COMPRESSION
   u8 cdata[MAX_MTU];
   if (type == PT_DATA_COMPRESSED)
     d = cdata;
   else
 #endif
-    d = &(*p)[6 + 6] - DATAHDR;
+    d = &(*p)[6 + 6];
-  // we play do evil games with the struct layout atm.
-  // pending better solutions, we at least do some verification.
-  // this is fine, as we left ISO territory long ago.
-  require (DATAHDR <= 16);
-  require ((u8 *)(&p->len + 1) == &(*p)[0]);
   // this can overwrite the len/dst/src fields
   require (EVP_DecryptUpdate (cctx,
                      d, &outl2,
                      (unsigned char *)&data, len - data_hdr_size ()));
   outl += outl2;
+  // it seems this is a nop for us, but we do it anyways
   require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
   outl += outl2;
-  seqno = ntohl (*(u32 *)(d + RAND_SIZE));
   id2mac (dst () ? dst() : THISNODE->id, p->dst);
   id2mac (src (),                        p->src);
 #if ENABLE_COMPRESSION
   if (type == PT_DATA_COMPRESSED)
     {
-      u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
+      u32 cl = (d[0] << 8) | d[1];
-      p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
+      p->len = lzf_decompress (d + 2, cl < MAX_MTU - 2 ? cl : 0,
                                &(*p)[6 + 6], MAX_MTU)
                + 6 + 6;
     }
   else
-    p->len = outl + (6 + 6 - DATAHDR);
+    p->len = outl + (6 + 6);
 #endif
   return p;
 }
 void
 config_packet::setup (ptype type, int dst)
 {
   prot_major = PROTOCOL_MAJOR;
   prot_minor = PROTOCOL_MINOR;
-  randsize = RAND_SIZE;
   flags = 0;
   features = get_features ();
   strncpy ((char *)serial, conf.serial, sizeof (serial));
 config_packet::chk_config (const conf_node *conf, const sockinfo &rsi) const
 {
   if (prot_major != PROTOCOL_MAJOR)
     slog (L_WARN, _("%s(%s): major version mismatch (remote %d <=> local %d)"),
           conf->nodename, (const char *)rsi, prot_major, PROTOCOL_MAJOR);
-  else if (randsize != RAND_SIZE)
-    slog (L_WARN, _("%s(%s): rand size mismatch (remote %d <=> local %d)"),
-          conf->nodename, (const char *)rsi, randsize, RAND_SIZE);
   else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ())))
     slog (L_WARN, _("%s(%s): cipher algo mismatch (remote %x <=> local %x)"),
           conf->nodename, (const char *)rsi, ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ()));
   else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ())))
     slog (L_WARN, _("%s(%s): mac algo mismatch (remote %x <=> local %x)"),
   si = rsi;
   protocol = rsi.prot;
   slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
         conf->nodename, (const char *)rsi,
-        is_direct ? "direct" : "forwarded",
+        vpn->can_direct (THISNODE, conf) ? "direct" : "forwarded",
         PROTOCOL_MAJOR, prot_minor);
   if (::conf.script_node_up)
     {
       run_script_cb *cb = new run_script_cb;
   iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff);
   delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b   , 1);
   oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff;
-  oiv.reset ();
   // make sure rekeying timeouts are slightly asymmetric
   ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
   rekey.start (rekey_interval, rekey_interval);
+  hmac_error = 0.;
   keepalive.start (::conf.keepalive);
   // send queued packets
-  if (ictx && octx)
-    {
-      while (tap_packet *p = (tap_packet *)data_queue.get ())
+  while (tap_packet *p = (tap_packet *)data_queue.get ())
-        {
+    {
-          if (p->len) send_data_packet (p);
+      if (p->len) send_data_packet (p);
-          delete p;
+      delete p;
-        }
+    }
-      while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
+  while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
-        {
+    {
-          if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
+      if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
-          delete p;
+      delete p;
-        }
     }
   vpn->connection_established (this);
 }
       slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
       protocol = 0;
     }
   si.set (conf, protocol);
-  is_direct = si.valid ();
 }
 // ensure sockinfo is valid, forward if necessary
 const sockinfo &
 connection::forward_si (const sockinfo &si) const
 void
 connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
 {
   if (!vpn->send_vpn_packet (pkt, si, tos))
-    reset_connection ();
+    reset_connection ("packet send error");
 }
 void
 connection::send_ping (const sockinfo &si, u8 pong)
 {
     {
       // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
       // and stop trying. should probably be handled by a per-connection expire handler.
       if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
         {
-          reset_connection ();
+          reset_connection ("no demand");
           return;
         }
       last_establish_attempt = ev_now ();
                                          ? (retry_cnt & 3) + 1
                                          : 1 << (retry_cnt >> 2));
       reset_si ();
-      bool slow = si.prot & PROT_SLOW;
+      bool slow = (si.prot & PROT_SLOW) || (conf->low_power || THISNODE->low_power);
       if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
         {
           /*TODO*/ /* start the timer so we don't recurse endlessly */
           w.start (1);
           slow = slow || (dsi.prot & PROT_SLOW);
           if (dsi.valid () && auth_rate_limiter.can (dsi))
             {
-              if (retry_cnt < 4)
+              // use ping after the first few retries
+              // TODO: on rekeys, the other node might not interpret ping correctly,
+              // TODO: as it will still have a valid connection
+              if (retry_cnt < 4 && (!conf->low_power || THISNODE->low_power))
                 send_auth_request (dsi, true);
               else
                 send_ping (dsi, 0);
             }
         }
-      retry_int *= slow ? 8. : 0.9;
+      retry_int *= slow ? 4. : 0.9;
       if (retry_int < conf->max_retry)
         retry_cnt++;
       else
         retry_int = conf->max_retry;
       w.start (retry_int);
     }
 }
 void
-connection::reset_connection ()
+connection::reset_connection (const char *reason)
 {
   if (ictx && octx)
     {
-      slog (L_INFO, _("%s(%s): connection lost"),
+      slog (L_INFO, _("%s(%s): connection lost (%s)"),
-            conf->nodename, (const char *)si);
+            conf->nodename, (const char *)si, reason);
       if (::conf.script_node_down)
         {
           run_script_cb *cb = new run_script_cb;
           cb->set<connection, &connection::script_node_down> (this);
 connection::shutdown ()
 {
   if (ictx && octx)
     send_reset (si);
-  reset_connection ();
+  reset_connection ("shutdown");
 }
 // poor-man's rekeying
 inline void
 connection::rekey_cb (ev::timer &w, int revents)
 {
-  reset_connection ();
+  reset_connection ("rekeying");
   establish_connection ();
 }
 void
 connection::send_data_packet (tap_packet *pkt)
 void
 connection::post_inject_queue ()
 {
   // force a connection every now and when when packets are sent (max 1/s)
-  if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
+  if (ev_now () - last_establish_attempt >= (conf->low_power || THISNODE->low_power ? 2.95 : 0.95)) // arbitrary
     establish_connection.stop ();
   establish_connection ();
 }
         // about our desire for communication.
         establish_connection ();
         break;
       case vpn_packet::PT_RESET:
+          slog (L_TRACE, "%s >> PT_RESET", conf->nodename);
+        if (ictx && octx)
-        {
+          {
-          reset_connection ();
+            reset_connection ("remote reset");
-          config_packet *p = (config_packet *) pkt;
+            config_packet *p = (config_packet *) pkt;
-          if (p->chk_config (conf, rsi) && connectmode == conf_node::C_ALWAYS)
+            if (p->chk_config (conf, rsi) && connectmode == conf_node::C_ALWAYS)
-            establish_connection ();
+              establish_connection ();
-        }
+          }
         break;
       case vpn_packet::PT_AUTH_REQ:
         if (auth_rate_limiter.can (rsi))
           {
                   slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
                         conf->nodename, (const char *)rsi,
                         PROTOCOL_MINOR, conf->nodename, p->prot_minor);
                 if (p->initiate)
+                  {
-                  send_auth_request (rsi, false);
+                    send_auth_request (rsi, false);
+                    if (ictx && octx)
+                      reset_connection ("reconnect");
+                  }
                 auth_data auth;
                 if (!auth_decrypt (::conf.rsa_key, p->encr, auth))
                   {
                     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
                           conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
                   }
                 else
                   {
-                    bool chg = !have_rcv_auth || memcmp (&rcv_auth, &auth, sizeof auth);
+                    bool chg = !have_rcv_auth || !slow_memeq (&rcv_auth, &auth, sizeof auth);
                     rcv_auth = auth;
                     have_rcv_auth = true;
                     send_auth_response (rsi);
           slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
           auth_mac local_mac;
           auth_hash (snd_auth, p->response.ecdh, local_mac);
-          if (memcmp (&p->response.mac, local_mac, sizeof local_mac))
+          if (!slow_memeq (&p->response.mac, local_mac, sizeof local_mac))
             {
               slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."),
                     conf->nodename, (const char *)rsi);
             }
           else if (!have_snd_auth)
         if (ictx && octx)
           {
             vpndata_packet *p = (vpndata_packet *)pkt;
             if (!p->hmac_chk (ictx))
+              {
+                // rekeying often creates temporary hmac auth floods
+                // we assume they don't take longer than a few seconds normally,
+                // and suppress messages and resets during that time.
+                //TODO: should be done per source address
+                if (!hmac_error)
+                  {
+                    hmac_error = ev_now () + 3;
+                    break;
+                  }
+                else if (hmac_error >= ev_now ())
+                  break; // silently suppress
+                else
+                  {
-              slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
+                    slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
-                             "could be an attack, or just corruption or a synchronization error."),
+                                   "could be an attack, or just corruption or a synchronization error."),
-                    conf->nodename, (const char *)rsi);
+                          conf->nodename, (const char *)rsi);
+                    // reset
+                  }
+              }
             else
               {
                 u32 seqno;
                 tap_packet *d = p->unpack (this, seqno);
                 int seqclass = iseqno.seqno_classify (seqno);
+                hmac_error = 0;
                 if (seqclass == 0) // ok
                   {
                     vpn->tap->send (d);
   if (when >= 0)
     w.start (when);
   else if (when < -15)
     {
-      reset_connection ();
+      reset_connection ("keepalive overdue");
       establish_connection ();
     }
   else if (conf->connectmode != conf_node::C_ONDEMAND
            || THISNODE->connectmode != conf_node::C_ONDEMAND)
     {
   else if (when >= -10)
     // hold ondemand connections implicitly a few seconds longer
     // should delete octx, though, or something like that ;)
     w.start (when + 10);
   else
-    reset_connection ();
+    reset_connection ("keepalive timeout");
 }
 void
 connection::send_connect_request (int id)
 {
   // queue a dummy packet to force an initial connection attempt
   if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
     vpn_queue.put (new net_packet);
-  reset_connection ();
+  reset_connection ("startup");
 }
 connection::~connection ()
 {
   shutdown ();

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/connection.C (file contents): Revision 1.105 by root, Fri Jul 19 18:22:54 2013 UTC vs. Revision 1.114 by root, Thu Jun 30 11:43:38 2016 UTC

Diff Legend

Comparing gvpe/src/connection.C (file contents):
Revision 1.105 by root, Fri Jul 19 18:22:54 2013 UTC vs.
Revision 1.114 by root, Thu Jun 30 11:43:38 2016 UTC