ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.111 by root, Thu Jan 16 07:53:44 2014 UTC vs.
Revision 1.116 by root, Mon Apr 1 03:10:26 2019 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2008,2010,2011,2013 Marc Lehmann <gvpe@schmorp.de> 3 Copyright (C) 2003-2008,2010,2011,2013,2016 Marc Lehmann <gvpe@schmorp.de>
4 4
5 This file is part of GVPE. 5 This file is part of GVPE.
6 6
7 GVPE is free software; you can redistribute it and/or modify it 7 GVPE is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by the 8 under the terms of the GNU General Public License as published by the
39#include <openssl/rand.h> 39#include <openssl/rand.h>
40#include <openssl/evp.h> 40#include <openssl/evp.h>
41#include <openssl/rsa.h> 41#include <openssl/rsa.h>
42#include <openssl/err.h> 42#include <openssl/err.h>
43 43
44// openssl 0.9.8 compatibility
45#if OPENSSL_VERSION_NUMBER < 0x10100000
46 #define require101(exp) exp
47#else
48 #define require101(exp) equire (exp)
49#endif
50
51#include "conf.h" 44#include "conf.h"
52#include "slog.h" 45#include "slog.h"
46#include "crypto.h"
53#include "device.h" 47#include "device.h"
54#include "vpn.h" 48#include "vpn.h"
55#include "connection.h" 49#include "connection.h"
56#include "hkdf.h" 50#include "hkdf.h"
57 51
58#include "netcompat.h" 52#include "netcompat.h"
59 53
60#define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic 54#define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic
61 55
56#define LZF_STATE_ARG 1
62#define ULTRA_FAST 1 57#define ULTRA_FAST 1
63#define HLOG 15 58#define HLOG 15
64#include "lzf/lzf.h" 59#define INIT_HTAB 0
65#include "lzf/lzf_c.c" 60#include "lzf/lzf_c.c"
66#include "lzf/lzf_d.c" 61#include "lzf/lzf_d.c"
67 62
68////////////////////////////////////////////////////////////////////////////// 63//////////////////////////////////////////////////////////////////////////////
69 64
109 104
110////////////////////////////////////////////////////////////////////////////// 105//////////////////////////////////////////////////////////////////////////////
111 106
112struct crypto_ctx 107struct crypto_ctx
113{ 108{
114 EVP_CIPHER_CTX cctx; 109 cipher cctx;
115 HMAC_CTX hctx; 110 hmac hctx;
116 111
117 crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc); 112 crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc);
118 ~crypto_ctx (); 113 ~crypto_ctx ();
119}; 114};
120 115
132 kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key)); 127 kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key));
133 kdf.extract (s, sizeof (s)); 128 kdf.extract (s, sizeof (s));
134 kdf.extract_done (HKDF_PRF_HASH ()); 129 kdf.extract_done (HKDF_PRF_HASH ());
135 kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info)); 130 kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info));
136 131
137 HMAC_CTX_init (&hctx); 132 hctx.init (mac_key, MAC_KEYSIZE, MAC_DIGEST ());
138 require101 (HMAC_Init_ex (&hctx, mac_key, MAC_KEYSIZE, MAC_DIGEST (), 0));
139 } 133 }
140 134
141 { 135 {
142 u8 cipher_key[CIPHER_KEYSIZE]; 136 u8 cipher_key[CIPHER_KEYSIZE];
143 static const unsigned char cipher_info[] = "gvpe cipher key"; 137 static const unsigned char cipher_info[] = "gvpe cipher key";
146 kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key)); 140 kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key));
147 kdf.extract (s, sizeof (s)); 141 kdf.extract (s, sizeof (s));
148 kdf.extract_done (HKDF_PRF_HASH ()); 142 kdf.extract_done (HKDF_PRF_HASH ());
149 kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info)); 143 kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info));
150 144
151 EVP_CIPHER_CTX_init (&cctx); 145 EVP_CIPHER_CTX_init (cctx);
152 require (EVP_CipherInit_ex (&cctx, CIPHER (), 0, cipher_key, 0, enc)); 146 require (EVP_CipherInit_ex (cctx, CIPHER (), 0, cipher_key, 0, enc));
153 } 147 }
154} 148}
155 149
156crypto_ctx::~crypto_ctx () 150crypto_ctx::~crypto_ctx ()
157{ 151{
158 require (EVP_CIPHER_CTX_cleanup (&cctx)); 152 require (EVP_CIPHER_CTX_cleanup (cctx));
159 HMAC_CTX_cleanup (&hctx);
160} 153}
161 154
162static inline void 155static inline void
163auth_encrypt (RSA *key, const auth_data &auth, auth_encr &encr) 156auth_encrypt (RSA *key, const auth_data &auth, auth_encr &encr)
164{ 157{
369///////////////////////////////////////////////////////////////////////////// 362/////////////////////////////////////////////////////////////////////////////
370 363
371void 364void
372hmac_packet::hmac_gen (crypto_ctx *ctx, u8 *hmac_digest) 365hmac_packet::hmac_gen (crypto_ctx *ctx, u8 *hmac_digest)
373{ 366{
374 HMAC_CTX *hctx = &ctx->hctx; 367 ctx->hctx.init ();
375
376 require101 (HMAC_Init_ex (hctx, 0, 0, 0, 0));
377 require101 (HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet), len - sizeof (hmac_packet))); 368 ctx->hctx.add (((unsigned char *) this) + sizeof (hmac_packet), len - sizeof (hmac_packet));
378 require101 (HMAC_Final (hctx, hmac_digest, 0)); 369 ctx->hctx.digest (hmac_digest);
379} 370}
380 371
381void 372void
382hmac_packet::hmac_set (crypto_ctx *ctx) 373hmac_packet::hmac_set (crypto_ctx *ctx)
383{ 374{
405 srcdst = ((src >> 8) << 4) | (dst >> 8); 396 srcdst = ((src >> 8) << 4) | (dst >> 8);
406 dst1 = dst; 397 dst1 = dst;
407} 398}
408 399
409#define MAXVPNDATA (MAX_MTU - 6 - 6) 400#define MAXVPNDATA (MAX_MTU - 6 - 6)
410#define DATAHDR (sizeof (u32) + RAND_SIZE)
411 401
412struct vpndata_packet : vpn_packet 402struct vpndata_packet : vpn_packet
413{ 403{
414 u8 data[MAXVPNDATA + DATAHDR]; // seqno 404 u32 ctr; // seqno
405 u8 data[MAXVPNDATA];
415 406
416 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno); 407 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
417 tap_packet *unpack (connection *conn, u32 &seqno); 408 tap_packet *unpack (connection *conn, u32 &seqno);
418 409
419private: 410private:
420 const u32 data_hdr_size () const 411 const u32 data_hdr_size () const
421 { 412 {
422 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR; 413 // the distance from beginning of packet to data member
414 return data - at (0);
423 } 415 }
424}; 416};
425 417
418// expands packet counter (unlike seqno, in network byte order) to counter mode IV
419static unsigned char *
420expand_iv (u32 ctr)
421{
422 static u32 iv[IV_SIZE (CIPHER) / 4];
423
424 require (sizeof (iv) == 4 * 4);
425 require (IV_SIZE (CIPHER) % 4 == 0);
426
427 iv[0] =
428 iv[1] =
429 iv[2] = ctr;
430
431 // I would reuse ctr here to to avoid potential endianness issues,
432 // but it seems openssl wraps around. While this would be still ok,
433 // and I don't even know if its true, let's play safe and initialise
434 // to 0.
435 iv[3] = 0;
436
437 return (unsigned char *)iv;
438}
439
426void 440void
427vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno) 441vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
428{ 442{
429 EVP_CIPHER_CTX *cctx = &conn->octx->cctx; 443 EVP_CIPHER_CTX *cctx = conn->octx->cctx;
430 int outl = 0, outl2; 444 int outl = 0, outl2;
431 ptype type = PT_DATA_UNCOMPRESSED; 445 ptype type = PT_DATA_UNCOMPRESSED;
432 446
433#if ENABLE_COMPRESSION 447#if ENABLE_COMPRESSION
434 u8 cdata[MAX_MTU]; 448 u8 cdata[MAX_MTU];
435 449
436 if (conn->features & FEATURE_COMPRESSION) 450 if (conn->features & FEATURE_COMPRESSION)
437 { 451 {
452 static LZF_STATE lzf_state;
438 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7); 453 u32 cl = lzf_compress (d, l, cdata + 2, (l - 2) & ~7, lzf_state);
439 454
440 if (cl) 455 if (cl)
441 { 456 {
442 type = PT_DATA_COMPRESSED; 457 type = PT_DATA_COMPRESSED;
443 d = cdata; 458 d = cdata;
447 d[1] = cl; 462 d[1] = cl;
448 } 463 }
449 } 464 }
450#endif 465#endif
451 466
452 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 1)); 467 ctr = htonl (seqno);
453 468
454 struct { 469 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, expand_iv (ctr)));
455#if RAND_SIZE
456 u8 rnd[RAND_SIZE];
457#endif
458 u32 seqno;
459 } datahdr;
460
461 datahdr.seqno = ntohl (seqno);
462#if RAND_SIZE
463 // NB: a constant (per session) random prefix
464 // is likely enough, but we don't take any chances.
465 conn->oiv.get (datahdr.rnd, RAND_SIZE);
466#endif
467 470
468 require (EVP_EncryptUpdate (cctx, 471 require (EVP_EncryptUpdate (cctx,
469 (unsigned char *) data + outl, &outl2, 472 (unsigned char *)data + outl, &outl2,
470 (unsigned char *) &datahdr, DATAHDR)); 473 (unsigned char *)d, l));
471 outl += outl2; 474 outl += outl2;
472 475
473 require (EVP_EncryptUpdate (cctx, 476 // it seems this is a nop for us, but we do it anyways
474 (unsigned char *) data + outl, &outl2, 477 require (EVP_EncryptFinal_ex (cctx, (unsigned char *)data + outl, &outl2));
475 (unsigned char *) d, l));
476 outl += outl2; 478 outl += outl2;
477 479
478 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
479 outl += outl2;
480
481 len = outl + data_hdr_size (); 480 len = data_hdr_size () + outl;
482 481
483 set_hdr (type, dst); 482 set_hdr (type, dst);
484 483
485 hmac_set (conn->octx); 484 hmac_set (conn->octx);
486} 485}
487 486
488tap_packet * 487tap_packet *
489vpndata_packet::unpack (connection *conn, u32 &seqno) 488vpndata_packet::unpack (connection *conn, u32 &seqno)
490{ 489{
491 EVP_CIPHER_CTX *cctx = &conn->ictx->cctx; 490 EVP_CIPHER_CTX *cctx = conn->ictx->cctx;
492 int outl = 0, outl2; 491 int outl = 0, outl2;
493 tap_packet *p = new tap_packet; 492 tap_packet *p = new tap_packet;
494 u8 *d; 493 u8 *d;
495 u32 l = len - data_hdr_size ();
496 494
497 require (EVP_CipherInit_ex (cctx, 0, 0, 0, 0, 0)); 495 seqno = ntohl (ctr);
496
497 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, expand_iv (ctr)));
498 498
499#if ENABLE_COMPRESSION 499#if ENABLE_COMPRESSION
500 u8 cdata[MAX_MTU]; 500 u8 cdata[MAX_MTU];
501 501
502 if (type == PT_DATA_COMPRESSED) 502 if (type == PT_DATA_COMPRESSED)
503 d = cdata; 503 d = cdata;
504 else 504 else
505#endif 505#endif
506 d = &(*p)[6 + 6] - DATAHDR; 506 d = &(*p)[6 + 6];
507
508 // we play do evil games with the struct layout atm.
509 // pending better solutions, we at least do some verification.
510 // this is fine, as we left ISO territory long ago.
511 require (DATAHDR <= 16);
512 require ((u8 *)(&p->len + 1) == &(*p)[0]);
513 507
514 // this can overwrite the len/dst/src fields 508 // this can overwrite the len/dst/src fields
515 require (EVP_DecryptUpdate (cctx, 509 require (EVP_DecryptUpdate (cctx,
516 d, &outl2, 510 d, &outl2,
517 (unsigned char *)&data, len - data_hdr_size ())); 511 (unsigned char *)&data, len - data_hdr_size ()));
518 outl += outl2; 512 outl += outl2;
519 513
514 // it seems this is a nop for us, but we do it anyways
520 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2)); 515 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
521 outl += outl2; 516 outl += outl2;
522 517
523 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
524
525 id2mac (dst () ? dst() : THISNODE->id, p->dst); 518 id2mac (dst () ? dst() : THISNODE->id, p->dst);
526 id2mac (src (), p->src); 519 id2mac (src (), p->src);
527 520
528#if ENABLE_COMPRESSION 521#if ENABLE_COMPRESSION
529 if (type == PT_DATA_COMPRESSED) 522 if (type == PT_DATA_COMPRESSED)
530 { 523 {
531 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; 524 u32 cl = (d[0] << 8) | d[1];
532 525
533 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0, 526 p->len = lzf_decompress (d + 2, cl < MAX_MTU - 2 ? cl : 0,
534 &(*p)[6 + 6], MAX_MTU) 527 &(*p)[6 + 6], MAX_MTU)
535 + 6 + 6; 528 + 6 + 6;
536 } 529 }
537 else 530 else
538 p->len = outl + (6 + 6 - DATAHDR); 531 p->len = outl + (6 + 6);
539#endif 532#endif
540 533
541 return p; 534 return p;
542} 535}
543 536
579void 572void
580config_packet::setup (ptype type, int dst) 573config_packet::setup (ptype type, int dst)
581{ 574{
582 prot_major = PROTOCOL_MAJOR; 575 prot_major = PROTOCOL_MAJOR;
583 prot_minor = PROTOCOL_MINOR; 576 prot_minor = PROTOCOL_MINOR;
584 randsize = RAND_SIZE;
585 flags = 0; 577 flags = 0;
586 features = get_features (); 578 features = get_features ();
587 579
588 strncpy ((char *)serial, conf.serial, sizeof (serial)); 580 strncpy ((char *)serial, conf.serial, sizeof (serial));
589 581
599config_packet::chk_config (const conf_node *conf, const sockinfo &rsi) const 591config_packet::chk_config (const conf_node *conf, const sockinfo &rsi) const
600{ 592{
601 if (prot_major != PROTOCOL_MAJOR) 593 if (prot_major != PROTOCOL_MAJOR)
602 slog (L_WARN, _("%s(%s): major version mismatch (remote %d <=> local %d)"), 594 slog (L_WARN, _("%s(%s): major version mismatch (remote %d <=> local %d)"),
603 conf->nodename, (const char *)rsi, prot_major, PROTOCOL_MAJOR); 595 conf->nodename, (const char *)rsi, prot_major, PROTOCOL_MAJOR);
604 else if (randsize != RAND_SIZE)
605 slog (L_WARN, _("%s(%s): rand size mismatch (remote %d <=> local %d)"),
606 conf->nodename, (const char *)rsi, randsize, RAND_SIZE);
607 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ()))) 596 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ())))
608 slog (L_WARN, _("%s(%s): cipher algo mismatch (remote %x <=> local %x)"), 597 slog (L_WARN, _("%s(%s): cipher algo mismatch (remote %x <=> local %x)"),
609 conf->nodename, (const char *)rsi, ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ())); 598 conf->nodename, (const char *)rsi, ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ()));
610 else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ()))) 599 else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ())))
611 slog (L_WARN, _("%s(%s): mac algo mismatch (remote %x <=> local %x)"), 600 slog (L_WARN, _("%s(%s): mac algo mismatch (remote %x <=> local %x)"),
715 delete ictx; ictx = new crypto_ctx (rcv_auth, snd_auth, rcv_ecdh_a, rcv_auth.ecdh, 0); 704 delete ictx; ictx = new crypto_ctx (rcv_auth, snd_auth, rcv_ecdh_a, rcv_auth.ecdh, 0);
716 iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff); 705 iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff);
717 706
718 delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b , 1); 707 delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b , 1);
719 oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff; 708 oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff;
720
721 oiv.reset ();
722 709
723 // make sure rekeying timeouts are slightly asymmetric 710 // make sure rekeying timeouts are slightly asymmetric
724 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0); 711 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
725 rekey.start (rekey_interval, rekey_interval); 712 rekey.start (rekey_interval, rekey_interval);
726 713

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines