[ViewVC] Diff of: cvs/gvpe/src/connection.C

Comparing gvpe/src/connection.C (file contents):
Revision 1.108 by root, Fri Oct 11 04:07:24 2013 UTC vs.
Revision 1.113 by root, Thu Jan 29 00:21:39 2015 UTC

 // openssl 0.9.8 compatibility
 #if OPENSSL_VERSION_NUMBER < 0x10100000
   #define require101(exp) exp
 #else
-  #define require101(exp) equire (exp)
+  #define require101(exp) require (exp)
 #endif
 #include "conf.h"
 #include "slog.h"
 #include "device.h"
 #include "hkdf.h"
 #include "netcompat.h"
 #define MAGIC     "gvpe\xbd\xc6\xdb\x82"	// 8 bytes of magic
-#define MAGIC     "HUHN\xbd\xc6\xdb\x82"	// 8 bytes of magic//D
 #define ULTRA_FAST 1
 #define HLOG 15
 #include "lzf/lzf.h"
 #include "lzf/lzf_c.c"
 bool
 hmac_packet::hmac_chk (crypto_ctx *ctx)
 {
   unsigned char hmac_digest[EVP_MAX_MD_SIZE];
   hmac_gen (ctx, hmac_digest);
-  return !memcmp (hmac, hmac_digest, HMACLENGTH);
+  return slow_memeq (hmac, hmac_digest, HMACLENGTH);
 }
 void
 vpn_packet::set_hdr (ptype type_, unsigned int dst)
 {
   srcdst = ((src >> 8) << 4) | (dst >> 8);
   dst1 = dst;
 }
 #define MAXVPNDATA (MAX_MTU - 6 - 6)
-#define DATAHDR (sizeof (u32) + RAND_SIZE)
 struct vpndata_packet : vpn_packet
 {
-  u8 data[MAXVPNDATA + DATAHDR]; // seqno
+  u32 ctr; // seqno
+  u8 data[MAXVPNDATA];
   void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
   tap_packet *unpack (connection *conn, u32 &seqno);
 private:
   const u32 data_hdr_size () const
   {
-    return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
+    // the distance from beginning of packet to data member
+    return data - at (0);
   }
 };
+// expands packet counter (unlike seqno, in network byte order) to counter mode IV
+static unsigned char *
+expand_iv (u32 ctr)
+{
+  static u32 iv[IV_SIZE (CIPHER) / 4];
+  require (sizeof (iv) == 4 * 4);
+  require (IV_SIZE (CIPHER) % 4 == 0);
+  iv[0] =
+  iv[1] =
+  iv[2] = ctr;
+  // I would reuse ctr here to to avoid potential endianness issues,
+  // but it seems openssl wraps around. While this would be still ok,
+  // and I don't even know if its true, let's play safe and initialise
+  // to 0.
+  iv[3] = 0;
+  return (unsigned char *)iv;
+}
 void
 vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
 {
   EVP_CIPHER_CTX *cctx = &conn->octx->cctx;
           d[1] = cl;
         }
     }
 #endif
-  require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 1));
+  ctr = htonl (seqno);
-  struct {
+  require (EVP_EncryptInit_ex (cctx, 0, 0, 0, expand_iv (ctr)));
-#if RAND_SIZE
-    u8 rnd[RAND_SIZE];
-#endif
-    u32 seqno;
-  } datahdr;
-  datahdr.seqno = ntohl (seqno);
-#if RAND_SIZE
-  // NB: a constant (per session) random prefix
-  // is likely enough, but we don't take any chances.
-  conn->oiv.get (datahdr.rnd, RAND_SIZE);
-#endif
   require (EVP_EncryptUpdate (cctx,
-                     (unsigned char *) data + outl, &outl2,
+                     (unsigned char *)data + outl, &outl2,
-                     (unsigned char *) &datahdr, DATAHDR));
+                     (unsigned char *)d, l));
   outl += outl2;
-  require (EVP_EncryptUpdate (cctx,
+  // it seems this is a nop for us, but we do it anyways
-                     (unsigned char *) data + outl, &outl2,
+  require (EVP_EncryptFinal_ex (cctx, (unsigned char *)data + outl, &outl2));
-                     (unsigned char *) d, l));
   outl += outl2;
-  require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
-  outl += outl2;
-  len = outl + data_hdr_size ();
+  len = data_hdr_size () + outl;
   set_hdr (type, dst);
   hmac_set (conn->octx);
 }
 {
   EVP_CIPHER_CTX *cctx = &conn->ictx->cctx;
   int outl = 0, outl2;
   tap_packet *p = new tap_packet;
   u8 *d;
-  u32 l = len - data_hdr_size ();
-  require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 0));
+  seqno = ntohl (ctr);
+  require (EVP_DecryptInit_ex (cctx, 0, 0, 0, expand_iv (ctr)));
 #if ENABLE_COMPRESSION
   u8 cdata[MAX_MTU];
   if (type == PT_DATA_COMPRESSED)
     d = cdata;
   else
 #endif
-    d = &(*p)[6 + 6] - DATAHDR;
+    d = &(*p)[6 + 6];
-  // we play do evil games with the struct layout atm.
-  // pending better solutions, we at least do some verification.
-  // this is fine, as we left ISO territory long ago.
-  require (DATAHDR <= 16);
-  require ((u8 *)(&p->len + 1) == &(*p)[0]);
   // this can overwrite the len/dst/src fields
   require (EVP_DecryptUpdate (cctx,
                      d, &outl2,
                      (unsigned char *)&data, len - data_hdr_size ()));
   outl += outl2;
+  // it seems this is a nop for us, but we do it anyways
   require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
   outl += outl2;
-  seqno = ntohl (*(u32 *)(d + RAND_SIZE));
   id2mac (dst () ? dst() : THISNODE->id, p->dst);
   id2mac (src (),                        p->src);
 #if ENABLE_COMPRESSION
   if (type == PT_DATA_COMPRESSED)
     {
-      u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1];
+      u32 cl = (d[0] << 8) | d[1];
-      p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0,
+      p->len = lzf_decompress (d + 2, cl < MAX_MTU - 2 ? cl : 0,
                                &(*p)[6 + 6], MAX_MTU)
                + 6 + 6;
     }
   else
-    p->len = outl + (6 + 6 - DATAHDR);
+    p->len = outl + (6 + 6);
 #endif
   return p;
 }
 void
 config_packet::setup (ptype type, int dst)
 {
   prot_major = PROTOCOL_MAJOR;
   prot_minor = PROTOCOL_MINOR;
-  randsize = RAND_SIZE;
   flags = 0;
   features = get_features ();
   strncpy ((char *)serial, conf.serial, sizeof (serial));
 config_packet::chk_config (const conf_node *conf, const sockinfo &rsi) const
 {
   if (prot_major != PROTOCOL_MAJOR)
     slog (L_WARN, _("%s(%s): major version mismatch (remote %d <=> local %d)"),
           conf->nodename, (const char *)rsi, prot_major, PROTOCOL_MAJOR);
-  else if (randsize != RAND_SIZE)
-    slog (L_WARN, _("%s(%s): rand size mismatch (remote %d <=> local %d)"),
-          conf->nodename, (const char *)rsi, randsize, RAND_SIZE);
   else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ())))
     slog (L_WARN, _("%s(%s): cipher algo mismatch (remote %x <=> local %x)"),
           conf->nodename, (const char *)rsi, ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ()));
   else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ())))
     slog (L_WARN, _("%s(%s): mac algo mismatch (remote %x <=> local %x)"),
   iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff);
   delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b   , 1);
   oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff;
-  oiv.reset ();
   // make sure rekeying timeouts are slightly asymmetric
   ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
   rekey.start (rekey_interval, rekey_interval);
   hmac_error = 0.;
                                          ? (retry_cnt & 3) + 1
                                          : 1 << (retry_cnt >> 2));
       reset_si ();
-      bool slow = si.prot & PROT_SLOW;
+      bool slow = (si.prot & PROT_SLOW) || (conf->low_power || THISNODE->low_power);
       if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
         {
           /*TODO*/ /* start the timer so we don't recurse endlessly */
           w.start (1);
           slow = slow || (dsi.prot & PROT_SLOW);
           if (dsi.valid () && auth_rate_limiter.can (dsi))
             {
-              if (retry_cnt < 4)
+              // use ping after the first few retries
+              // TODO: on rekeys, the other node might not interpret ping correctly,
+              // TODO: as it will still have a valid connection
+              if (retry_cnt < 4 && (!conf->low_power || THISNODE->low_power))
                 send_auth_request (dsi, true);
               else
                 send_ping (dsi, 0);
             }
         }
-      retry_int *= slow ? 8. : 0.9;
+      retry_int *= slow ? 4. : 0.9;
       if (retry_int < conf->max_retry)
         retry_cnt++;
       else
         retry_int = conf->max_retry;
 void
 connection::post_inject_queue ()
 {
   // force a connection every now and when when packets are sent (max 1/s)
-  if (ev_now () - last_establish_attempt >= 0.95) // arbitrary
+  if (ev_now () - last_establish_attempt >= (conf->low_power || THISNODE->low_power ? 2.95 : 0.95)) // arbitrary
     establish_connection.stop ();
   establish_connection ();
 }
                     slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
                           conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
                   }
                 else
                   {
-                    bool chg = !have_rcv_auth || memcmp (&rcv_auth, &auth, sizeof auth);
+                    bool chg = !have_rcv_auth || !slow_memeq (&rcv_auth, &auth, sizeof auth);
                     rcv_auth = auth;
                     have_rcv_auth = true;
                     send_auth_response (rsi);
           slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
           auth_mac local_mac;
           auth_hash (snd_auth, p->response.ecdh, local_mac);
-          if (memcmp (&p->response.mac, local_mac, sizeof local_mac))
+          if (!slow_memeq (&p->response.mac, local_mac, sizeof local_mac))
             {
               slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."),
                     conf->nodename, (const char *)rsi);
             }
           else if (!have_snd_auth)

Diff Legend

-–
+Removed lines
-+
+Added lines
-<
+Changed lines
->
+Changed lines

Comparing gvpe/src/connection.C (file contents): Revision 1.108 by root, Fri Oct 11 04:07:24 2013 UTC vs. Revision 1.113 by root, Thu Jan 29 00:21:39 2015 UTC

Diff Legend

Comparing gvpe/src/connection.C (file contents):
Revision 1.108 by root, Fri Oct 11 04:07:24 2013 UTC vs.
Revision 1.113 by root, Thu Jan 29 00:21:39 2015 UTC