ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.111 by root, Thu Jan 16 07:53:44 2014 UTC vs.
Revision 1.115 by root, Thu Jun 30 16:31:00 2016 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2008,2010,2011,2013 Marc Lehmann <gvpe@schmorp.de> 3 Copyright (C) 2003-2008,2010,2011,2013,2016 Marc Lehmann <gvpe@schmorp.de>
4 4
5 This file is part of GVPE. 5 This file is part of GVPE.
6 6
7 GVPE is free software; you can redistribute it and/or modify it 7 GVPE is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by the 8 under the terms of the GNU General Public License as published by the
39#include <openssl/rand.h> 39#include <openssl/rand.h>
40#include <openssl/evp.h> 40#include <openssl/evp.h>
41#include <openssl/rsa.h> 41#include <openssl/rsa.h>
42#include <openssl/err.h> 42#include <openssl/err.h>
43 43
44// openssl 0.9.8 compatibility
45#if OPENSSL_VERSION_NUMBER < 0x10100000
46 #define require101(exp) exp
47#else
48 #define require101(exp) equire (exp)
49#endif
50
51#include "conf.h" 44#include "conf.h"
52#include "slog.h" 45#include "slog.h"
46#include "crypto.h"
53#include "device.h" 47#include "device.h"
54#include "vpn.h" 48#include "vpn.h"
55#include "connection.h" 49#include "connection.h"
56#include "hkdf.h" 50#include "hkdf.h"
57 51
109 103
110////////////////////////////////////////////////////////////////////////////// 104//////////////////////////////////////////////////////////////////////////////
111 105
112struct crypto_ctx 106struct crypto_ctx
113{ 107{
114 EVP_CIPHER_CTX cctx; 108 cipher cctx;
115 HMAC_CTX hctx; 109 hmac hctx;
116 110
117 crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc); 111 crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc);
118 ~crypto_ctx (); 112 ~crypto_ctx ();
119}; 113};
120 114
132 kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key)); 126 kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key));
133 kdf.extract (s, sizeof (s)); 127 kdf.extract (s, sizeof (s));
134 kdf.extract_done (HKDF_PRF_HASH ()); 128 kdf.extract_done (HKDF_PRF_HASH ());
135 kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info)); 129 kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info));
136 130
137 HMAC_CTX_init (&hctx); 131 hctx.init (mac_key, MAC_KEYSIZE, MAC_DIGEST ());
138 require101 (HMAC_Init_ex (&hctx, mac_key, MAC_KEYSIZE, MAC_DIGEST (), 0));
139 } 132 }
140 133
141 { 134 {
142 u8 cipher_key[CIPHER_KEYSIZE]; 135 u8 cipher_key[CIPHER_KEYSIZE];
143 static const unsigned char cipher_info[] = "gvpe cipher key"; 136 static const unsigned char cipher_info[] = "gvpe cipher key";
146 kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key)); 139 kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key));
147 kdf.extract (s, sizeof (s)); 140 kdf.extract (s, sizeof (s));
148 kdf.extract_done (HKDF_PRF_HASH ()); 141 kdf.extract_done (HKDF_PRF_HASH ());
149 kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info)); 142 kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info));
150 143
151 EVP_CIPHER_CTX_init (&cctx); 144 EVP_CIPHER_CTX_init (cctx);
152 require (EVP_CipherInit_ex (&cctx, CIPHER (), 0, cipher_key, 0, enc)); 145 require (EVP_CipherInit_ex (cctx, CIPHER (), 0, cipher_key, 0, enc));
153 } 146 }
154} 147}
155 148
156crypto_ctx::~crypto_ctx () 149crypto_ctx::~crypto_ctx ()
157{ 150{
158 require (EVP_CIPHER_CTX_cleanup (&cctx)); 151 require (EVP_CIPHER_CTX_cleanup (cctx));
159 HMAC_CTX_cleanup (&hctx);
160} 152}
161 153
162static inline void 154static inline void
163auth_encrypt (RSA *key, const auth_data &auth, auth_encr &encr) 155auth_encrypt (RSA *key, const auth_data &auth, auth_encr &encr)
164{ 156{
369///////////////////////////////////////////////////////////////////////////// 361/////////////////////////////////////////////////////////////////////////////
370 362
371void 363void
372hmac_packet::hmac_gen (crypto_ctx *ctx, u8 *hmac_digest) 364hmac_packet::hmac_gen (crypto_ctx *ctx, u8 *hmac_digest)
373{ 365{
374 HMAC_CTX *hctx = &ctx->hctx; 366 ctx->hctx.init ();
375
376 require101 (HMAC_Init_ex (hctx, 0, 0, 0, 0));
377 require101 (HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), len - sizeof (hmac_packet))); 367 ctx->hctx.add (((unsigned char *) this) + sizeof (hmac_packet), len - sizeof (hmac_packet));
378 require101 (HMAC_Final (hctx, hmac_digest, 0)); 368 ctx->hctx.digest (hmac_digest);
379} 369}
380 370
381void 371void
382hmac_packet::hmac_set (crypto_ctx *ctx) 372hmac_packet::hmac_set (crypto_ctx *ctx)
383{ 373{
405 srcdst = ((src >> 8) << 4) | (dst >> 8); 395 srcdst = ((src >> 8) << 4) | (dst >> 8);
406 dst1 = dst; 396 dst1 = dst;
407} 397}
408 398
409#define MAXVPNDATA (MAX_MTU - 6 - 6) 399#define MAXVPNDATA (MAX_MTU - 6 - 6)
410#define DATAHDR (sizeof (u32) + RAND_SIZE)
411 400
412struct vpndata_packet : vpn_packet 401struct vpndata_packet : vpn_packet
413{ 402{
414 u8 data[MAXVPNDATA + DATAHDR]; // seqno 403 u32 ctr; // seqno
404 u8 data[MAXVPNDATA];
415 405
416 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno); 406 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
417 tap_packet *unpack (connection *conn, u32 &seqno); 407 tap_packet *unpack (connection *conn, u32 &seqno);
418 408
419private: 409private:
420 const u32 data_hdr_size () const 410 const u32 data_hdr_size () const
421 { 411 {
422 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR; 412 // the distance from beginning of packet to data member
413 return data - at (0);
423 } 414 }
424}; 415};
425 416
417// expands packet counter (unlike seqno, in network byte order) to counter mode IV
418static unsigned char *
419expand_iv (u32 ctr)
420{
421 static u32 iv[IV_SIZE (CIPHER) / 4];
422
423 require (sizeof (iv) == 4 * 4);
424 require (IV_SIZE (CIPHER) % 4 == 0);
425
426 iv[0] =
427 iv[1] =
428 iv[2] = ctr;
429
430 // I would reuse ctr here to to avoid potential endianness issues,
431 // but it seems openssl wraps around. While this would be still ok,
432 // and I don't even know if its true, let's play safe and initialise
433 // to 0.
434 iv[3] = 0;
435
436 return (unsigned char *)iv;
437}
438
426void 439void
427vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno) 440vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
428{ 441{
429 EVP_CIPHER_CTX *cctx = &conn->octx->cctx; 442 EVP_CIPHER_CTX *cctx = conn->octx->cctx;
430 int outl = 0, outl2; 443 int outl = 0, outl2;
431 ptype type = PT_DATA_UNCOMPRESSED; 444 ptype type = PT_DATA_UNCOMPRESSED;
432 445
433#if ENABLE_COMPRESSION 446#if ENABLE_COMPRESSION
434 u8 cdata[MAX_MTU]; 447 u8 cdata[MAX_MTU];
447 d[1] = cl; 460 d[1] = cl;
448 } 461 }
449 } 462 }
450#endif 463#endif
451 464
452 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 1)); 465 ctr = htonl (seqno);
453 466
454 struct { 467 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, expand_iv (ctr)));
455#if RAND_SIZE
456 u8 rnd[RAND_SIZE];
457#endif
458 u32 seqno;
459 } datahdr;
460
461 datahdr.seqno = ntohl (seqno);
462#if RAND_SIZE
463 // NB: a constant (per session) random prefix
464 // is likely enough, but we don't take any chances.
465 conn->oiv.get (datahdr.rnd, RAND_SIZE);
466#endif
467 468
468 require (EVP_EncryptUpdate (cctx, 469 require (EVP_EncryptUpdate (cctx,
469 (unsigned char *) data + outl, &outl2, 470 (unsigned char *)data + outl, &outl2,
470 (unsigned char *) &datahdr, DATAHDR)); 471 (unsigned char *)d, l));
471 outl += outl2; 472 outl += outl2;
472 473
473 require (EVP_EncryptUpdate (cctx, 474 // it seems this is a nop for us, but we do it anyways
474 (unsigned char *) data + outl, &outl2, 475 require (EVP_EncryptFinal_ex (cctx, (unsigned char *)data + outl, &outl2));
475 (unsigned char *) d, l));
476 outl += outl2; 476 outl += outl2;
477 477
478 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
479 outl += outl2;
480
481 len = outl + data_hdr_size (); 478 len = data_hdr_size () + outl;
482 479
483 set_hdr (type, dst); 480 set_hdr (type, dst);
484 481
485 hmac_set (conn->octx); 482 hmac_set (conn->octx);
486} 483}
487 484
488tap_packet * 485tap_packet *
489vpndata_packet::unpack (connection *conn, u32 &seqno) 486vpndata_packet::unpack (connection *conn, u32 &seqno)
490{ 487{
491 EVP_CIPHER_CTX *cctx = &conn->ictx->cctx; 488 EVP_CIPHER_CTX *cctx = conn->ictx->cctx;
492 int outl = 0, outl2; 489 int outl = 0, outl2;
493 tap_packet *p = new tap_packet; 490 tap_packet *p = new tap_packet;
494 u8 *d; 491 u8 *d;
495 u32 l = len - data_hdr_size ();
496 492
497 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 0)); 493 seqno = ntohl (ctr);
494
495 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, expand_iv (ctr)));
498 496
499#if ENABLE_COMPRESSION 497#if ENABLE_COMPRESSION
500 u8 cdata[MAX_MTU]; 498 u8 cdata[MAX_MTU];
501 499
502 if (type == PT_DATA_COMPRESSED) 500 if (type == PT_DATA_COMPRESSED)
503 d = cdata; 501 d = cdata;
504 else 502 else
505#endif 503#endif
506 d = &(*p)[6 + 6] - DATAHDR; 504 d = &(*p)[6 + 6];
507
508 // we play do evil games with the struct layout atm.
509 // pending better solutions, we at least do some verification.
510 // this is fine, as we left ISO territory long ago.
511 require (DATAHDR <= 16);
512 require ((u8 *)(&p->len + 1) == &(*p)[0]);
513 505
514 // this can overwrite the len/dst/src fields 506 // this can overwrite the len/dst/src fields
515 require (EVP_DecryptUpdate (cctx, 507 require (EVP_DecryptUpdate (cctx,
516 d, &outl2, 508 d, &outl2,
517 (unsigned char *)&data, len - data_hdr_size ())); 509 (unsigned char *)&data, len - data_hdr_size ()));
518 outl += outl2; 510 outl += outl2;
519 511
512 // it seems this is a nop for us, but we do it anyways
520 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2)); 513 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
521 outl += outl2; 514 outl += outl2;
522 515
523 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
524
525 id2mac (dst () ? dst() : THISNODE->id, p->dst); 516 id2mac (dst () ? dst() : THISNODE->id, p->dst);
526 id2mac (src (), p->src); 517 id2mac (src (), p->src);
527 518
528#if ENABLE_COMPRESSION 519#if ENABLE_COMPRESSION
529 if (type == PT_DATA_COMPRESSED) 520 if (type == PT_DATA_COMPRESSED)
530 { 521 {
531 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; 522 u32 cl = (d[0] << 8) | d[1];
532 523
533 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0, 524 p->len = lzf_decompress (d + 2, cl < MAX_MTU - 2 ? cl : 0,
534 &(*p)[6 + 6], MAX_MTU) 525 &(*p)[6 + 6], MAX_MTU)
535 + 6 + 6; 526 + 6 + 6;
536 } 527 }
537 else 528 else
538 p->len = outl + (6 + 6 - DATAHDR); 529 p->len = outl + (6 + 6);
539#endif 530#endif
540 531
541 return p; 532 return p;
542} 533}
543 534
579void 570void
580config_packet::setup (ptype type, int dst) 571config_packet::setup (ptype type, int dst)
581{ 572{
582 prot_major = PROTOCOL_MAJOR; 573 prot_major = PROTOCOL_MAJOR;
583 prot_minor = PROTOCOL_MINOR; 574 prot_minor = PROTOCOL_MINOR;
584 randsize = RAND_SIZE;
585 flags = 0; 575 flags = 0;
586 features = get_features (); 576 features = get_features ();
587 577
588 strncpy ((char *)serial, conf.serial, sizeof (serial)); 578 strncpy ((char *)serial, conf.serial, sizeof (serial));
589 579
599config_packet::chk_config (const conf_node *conf, const sockinfo &rsi) const 589config_packet::chk_config (const conf_node *conf, const sockinfo &rsi) const
600{ 590{
601 if (prot_major != PROTOCOL_MAJOR) 591 if (prot_major != PROTOCOL_MAJOR)
602 slog (L_WARN, _("%s(%s): major version mismatch (remote %d <=> local %d)"), 592 slog (L_WARN, _("%s(%s): major version mismatch (remote %d <=> local %d)"),
603 conf->nodename, (const char *)rsi, prot_major, PROTOCOL_MAJOR); 593 conf->nodename, (const char *)rsi, prot_major, PROTOCOL_MAJOR);
604 else if (randsize != RAND_SIZE)
605 slog (L_WARN, _("%s(%s): rand size mismatch (remote %d <=> local %d)"),
606 conf->nodename, (const char *)rsi, randsize, RAND_SIZE);
607 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ()))) 594 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ())))
608 slog (L_WARN, _("%s(%s): cipher algo mismatch (remote %x <=> local %x)"), 595 slog (L_WARN, _("%s(%s): cipher algo mismatch (remote %x <=> local %x)"),
609 conf->nodename, (const char *)rsi, ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ())); 596 conf->nodename, (const char *)rsi, ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ()));
610 else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ()))) 597 else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ())))
611 slog (L_WARN, _("%s(%s): mac algo mismatch (remote %x <=> local %x)"), 598 slog (L_WARN, _("%s(%s): mac algo mismatch (remote %x <=> local %x)"),
715 delete ictx; ictx = new crypto_ctx (rcv_auth, snd_auth, rcv_ecdh_a, rcv_auth.ecdh, 0); 702 delete ictx; ictx = new crypto_ctx (rcv_auth, snd_auth, rcv_ecdh_a, rcv_auth.ecdh, 0);
716 iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff); 703 iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff);
717 704
718 delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b , 1); 705 delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b , 1);
719 oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff; 706 oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff;
720
721 oiv.reset ();
722 707
723 // make sure rekeying timeouts are slightly asymmetric 708 // make sure rekeying timeouts are slightly asymmetric
724 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0); 709 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
725 rekey.start (rekey_interval, rekey_interval); 710 rekey.start (rekey_interval, rekey_interval);
726 711

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines