ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/src/connection.C
(Generate patch)

Comparing gvpe/src/connection.C (file contents):
Revision 1.87 by pcg, Fri Nov 12 18:39:33 2010 UTC vs.
Revision 1.115 by root, Thu Jun 30 16:31:00 2016 UTC

1/* 1/*
2 connection.C -- manage a single connection 2 connection.C -- manage a single connection
3 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de> 3 Copyright (C) 2003-2008,2010,2011,2013,2016 Marc Lehmann <gvpe@schmorp.de>
4 4
5 This file is part of GVPE. 5 This file is part of GVPE.
6 6
7 GVPE is free software; you can redistribute it and/or modify it 7 GVPE is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by the 8 under the terms of the GNU General Public License as published by the
33 33
34#include <list> 34#include <list>
35#include <queue> 35#include <queue>
36#include <utility> 36#include <utility>
37 37
38#include <openssl/opensslv.h>
38#include <openssl/rand.h> 39#include <openssl/rand.h>
39#include <openssl/evp.h> 40#include <openssl/evp.h>
40#include <openssl/rsa.h> 41#include <openssl/rsa.h>
41#include <openssl/err.h> 42#include <openssl/err.h>
42 43
43#include "conf.h" 44#include "conf.h"
44#include "slog.h" 45#include "slog.h"
46#include "crypto.h"
45#include "device.h" 47#include "device.h"
46#include "vpn.h" 48#include "vpn.h"
47#include "connection.h" 49#include "connection.h"
50#include "hkdf.h"
48 51
49#include "netcompat.h" 52#include "netcompat.h"
50 53
51#if !HAVE_RAND_PSEUDO_BYTES
52# define RAND_pseudo_bytes RAND_bytes
53#endif
54
55#define MAGIC_OLD "vped\xbd\xc6\xdb\x82" // 8 bytes of magic (still used in the protocol)
56#define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic (understood but not generated) 54#define MAGIC "gvpe\xbd\xc6\xdb\x82" // 8 bytes of magic
57 55
58#define ULTRA_FAST 1 56#define ULTRA_FAST 1
59#define HLOG 15 57#define HLOG 15
60#include "lzf/lzf.h" 58#include "lzf/lzf.h"
61#include "lzf/lzf_c.c" 59#include "lzf/lzf_c.c"
64////////////////////////////////////////////////////////////////////////////// 62//////////////////////////////////////////////////////////////////////////////
65 63
66static std::queue< std::pair<run_script_cb *, const char *> > rs_queue; 64static std::queue< std::pair<run_script_cb *, const char *> > rs_queue;
67static ev::child rs_child_ev; 65static ev::child rs_child_ev;
68 66
67namespace
68{
69void // c++ requires external linkage here, apparently :( 69 void // c++ requires external linkage here, apparently :(
70rs_child_cb (ev::child &w, int revents) 70 rs_child_cb (ev::child &w, int revents)
71{ 71 {
72 w.stop (); 72 w.stop ();
73 73
74 if (rs_queue.empty ()) 74 if (rs_queue.empty ())
75 return; 75 return;
76 76
77 pid_t pid = run_script (*rs_queue.front ().first, false); 77 pid_t pid = run_script (*rs_queue.front ().first, false);
78 if (pid) 78 if (pid)
79 { 79 {
80 w.set (pid); 80 w.set (pid);
81 w.start (); 81 w.start ();
82 } 82 }
83 else 83 else
84 slog (L_WARN, rs_queue.front ().second); 84 slog (L_WARN, rs_queue.front ().second);
85 85
86 delete rs_queue.front ().first; 86 delete rs_queue.front ().first;
87 rs_queue.pop (); 87 rs_queue.pop ();
88} 88 }
89};
89 90
90// despite the fancy name, this is quite a hack 91// despite the fancy name, this is quite a hack
91static void 92static void
92run_script_queued (run_script_cb *cb, const char *warnmsg) 93run_script_queued (run_script_cb *cb, const char *warnmsg)
93{ 94{
102 103
103////////////////////////////////////////////////////////////////////////////// 104//////////////////////////////////////////////////////////////////////////////
104 105
105struct crypto_ctx 106struct crypto_ctx
106{ 107{
107 EVP_CIPHER_CTX cctx; 108 cipher cctx;
108 HMAC_CTX hctx; 109 hmac hctx;
109 110
110 crypto_ctx (const rsachallenge &challenge, int enc); 111 crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc);
111 ~crypto_ctx (); 112 ~crypto_ctx ();
112}; 113};
113 114
114crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) 115crypto_ctx::crypto_ctx (const auth_data &auth1, const auth_data &auth2, const ecdh_key &a, const ecdh_key &b, int enc)
115{ 116{
117 ecdh_key s;
118
119 curve25519_combine (a, b, s);
120
121 {
122 u8 mac_key[MAC_KEYSIZE];
123 static const unsigned char mac_info[] = "gvpe mac key";
124
125 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ());
126 kdf.extract (auth1.rsa.mac_key, sizeof (auth1.rsa.mac_key));
127 kdf.extract (s, sizeof (s));
128 kdf.extract_done (HKDF_PRF_HASH ());
129 kdf.expand (mac_key, sizeof (mac_key), mac_info, sizeof (mac_info));
130
131 hctx.init (mac_key, MAC_KEYSIZE, MAC_DIGEST ());
132 }
133
134 {
135 u8 cipher_key[CIPHER_KEYSIZE];
136 static const unsigned char cipher_info[] = "gvpe cipher key";
137
138 hkdf kdf (auth2.rsa.hkdf_salt, sizeof (auth2.rsa.hkdf_salt), HKDF_XTR_HASH ());
139 kdf.extract (auth1.rsa.cipher_key, sizeof (auth1.rsa.cipher_key));
140 kdf.extract (s, sizeof (s));
141 kdf.extract_done (HKDF_PRF_HASH ());
142 kdf.expand (cipher_key, sizeof (cipher_key), cipher_info, sizeof (cipher_info));
143
116 EVP_CIPHER_CTX_init (&cctx); 144 EVP_CIPHER_CTX_init (cctx);
117 require (EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc)); 145 require (EVP_CipherInit_ex (cctx, CIPHER (), 0, cipher_key, 0, enc));
118 HMAC_CTX_init (&hctx); 146 }
119 HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0);
120} 147}
121 148
122crypto_ctx::~crypto_ctx () 149crypto_ctx::~crypto_ctx ()
123{ 150{
124 require (EVP_CIPHER_CTX_cleanup (&cctx)); 151 require (EVP_CIPHER_CTX_cleanup (cctx));
125 HMAC_CTX_cleanup (&hctx); 152}
153
154static inline void
155auth_encrypt (RSA *key, const auth_data &auth, auth_encr &encr)
156{
157 if (RSA_public_encrypt (sizeof (auth.rsa),
158 (unsigned char *)&auth.rsa, (unsigned char *)&encr.rsa,
159 key, RSA_PKCS1_OAEP_PADDING) < 0)
160 fatal ("RSA_public_encrypt error");
161
162 memcpy (&encr.ecdh, &auth.ecdh, sizeof (encr.ecdh));
163}
164
165static inline bool
166auth_decrypt (RSA *key, const auth_encr &encr, auth_data &auth)
167{
168 u8 rsa_decrypt[RSA_KEYLEN];
169
170 if (RSA_private_decrypt (sizeof (encr.rsa),
171 (const unsigned char *)&encr.rsa, (unsigned char *)rsa_decrypt,
172 key, RSA_PKCS1_OAEP_PADDING) != sizeof (auth.rsa))
173 return 0;
174
175 memcpy (&auth.rsa, rsa_decrypt, sizeof (auth.rsa));
176 memcpy (&auth.ecdh, &encr.ecdh, sizeof (auth.ecdh));
177
178 return 1;
126} 179}
127 180
128static void 181static void
129rsa_hash (const rsaid &id, const rsachallenge &chg, rsaresponse &h) 182auth_hash (const auth_data &auth, const ecdh_key &b, auth_mac &mac)
130{ 183{
131 EVP_MD_CTX ctx; 184 hkdf kdf (b, sizeof b, AUTH_DIGEST ()); // use response ecdh b as salt
132 185 kdf.extract (&auth.rsa, sizeof (auth.rsa));
133 EVP_MD_CTX_init (&ctx); 186 kdf.extract_done ();
134 require (EVP_DigestInit (&ctx, RSA_HASH)); 187 kdf.expand (mac, sizeof mac, auth.ecdh, sizeof (auth.ecdh)); // use challenge ecdh b as info
135 require (EVP_DigestUpdate(&ctx, &chg, sizeof chg));
136 require (EVP_DigestUpdate(&ctx, &id, sizeof id));
137 require (EVP_DigestFinal (&ctx, (unsigned char *)&h, 0));
138 EVP_MD_CTX_cleanup (&ctx);
139} 188}
140 189
141struct rsa_entry 190void
191connection::generate_auth_data ()
142{ 192{
143 tstamp expire; 193 if (auth_expire < ev_now ())
144 rsaid id;
145 rsachallenge chg;
146};
147
148struct rsa_cache : list<rsa_entry>
149{
150 inline void cleaner_cb (ev::timer &w, int revents); ev::timer cleaner;
151
152 bool find (const rsaid &id, rsachallenge &chg)
153 {
154 for (iterator i = begin (); i != end (); ++i)
155 { 194 {
156 if (!memcmp (&id, &i->id, sizeof id) && i->expire > ev_now ()) 195 // request data
157 { 196 rand_fill (snd_auth.rsa);
158 memcpy (&chg, &i->chg, sizeof chg); 197 curve25519_generate (snd_ecdh_a, snd_auth.ecdh);
159 198
160 erase (i); 199 // eventual response data
161 return true; 200 curve25519_generate (rcv_ecdh_a, rcv_ecdh_b);
162 }
163 } 201 }
164 202
165 if (!cleaner.is_active ()) 203 // every use prolongs the expiry
166 cleaner.again ();
167
168 return false;
169 }
170
171 void gen (rsaid &id, rsachallenge &chg)
172 {
173 rsa_entry e;
174
175 RAND_bytes ((unsigned char *)&id, sizeof id);
176 RAND_bytes ((unsigned char *)&chg, sizeof chg);
177
178 e.expire = ev_now () + RSA_TTL; 204 auth_expire = ev_now () + AUTH_TTL;
179 e.id = id;
180 memcpy (&e.chg, &chg, sizeof chg);
181
182 push_back (e);
183
184 if (!cleaner.is_active ())
185 cleaner.again ();
186 }
187
188 rsa_cache ()
189 {
190 cleaner.set<rsa_cache, &rsa_cache::cleaner_cb> (this);
191 cleaner.set (RSA_TTL, RSA_TTL);
192 }
193
194} rsa_cache;
195
196void rsa_cache::cleaner_cb (ev::timer &w, int revents)
197{
198 if (empty ())
199 w.stop ();
200 else
201 {
202 for (iterator i = begin (); i != end (); )
203 if (i->expire <= ev_now ())
204 i = erase (i);
205 else
206 ++i;
207 }
208} 205}
209 206
210////////////////////////////////////////////////////////////////////////////// 207//////////////////////////////////////////////////////////////////////////////
211 208
212pkt_queue::pkt_queue (double max_ttl, int max_queue) 209pkt_queue::pkt_queue (double max_ttl, int max_queue)
226 delete p; 223 delete p;
227 224
228 delete [] queue; 225 delete [] queue;
229} 226}
230 227
228void
231void pkt_queue::expire_cb (ev::timer &w, int revents) 229pkt_queue::expire_cb (ev::timer &w, int revents)
232{ 230{
233 ev_tstamp expire = ev_now () - max_ttl; 231 ev_tstamp expire = ev_now () - max_ttl;
234 232
235 for (;;) 233 for (;;)
236 { 234 {
247 245
248 delete get (); 246 delete get ();
249 } 247 }
250} 248}
251 249
250void
252void pkt_queue::put (net_packet *p) 251pkt_queue::put (net_packet *p)
253{ 252{
254 ev_tstamp now = ev_now (); 253 ev_tstamp now = ev_now ();
255 254
256 // start expiry timer 255 // start expiry timer
257 if (empty ()) 256 if (empty ())
266 queue[i].tstamp = now; 265 queue[i].tstamp = now;
267 266
268 i = ni; 267 i = ni;
269} 268}
270 269
271net_packet *pkt_queue::get () 270net_packet *
271pkt_queue::get ()
272{ 272{
273 if (empty ()) 273 if (empty ())
274 return 0; 274 return 0;
275 275
276 net_packet *p = queue[j].pkt; 276 net_packet *p = queue[j].pkt;
300 300
301 bool can (const sockinfo &si) { return can((u32)si.host); } 301 bool can (const sockinfo &si) { return can((u32)si.host); }
302 bool can (u32 host); 302 bool can (u32 host);
303}; 303};
304 304
305net_rate_limiter auth_rate_limiter, reset_rate_limiter; 305static net_rate_limiter auth_rate_limiter, reset_rate_limiter;
306 306
307bool
307bool net_rate_limiter::can (u32 host) 308net_rate_limiter::can (u32 host)
308{ 309{
309 iterator i; 310 iterator i;
310 311
311 for (i = begin (); i != end (); ) 312 for (i = begin (); i != end (); )
312 if (i->host == host) 313 if (i->host == host)
357 } 358 }
358} 359}
359 360
360///////////////////////////////////////////////////////////////////////////// 361/////////////////////////////////////////////////////////////////////////////
361 362
362unsigned char hmac_packet::hmac_digest[EVP_MAX_MD_SIZE]; 363void
363
364void hmac_packet::hmac_gen (crypto_ctx *ctx) 364hmac_packet::hmac_gen (crypto_ctx *ctx, u8 *hmac_digest)
365{ 365{
366 unsigned int xlen; 366 ctx->hctx.init ();
367 367 ctx->hctx.add (((unsigned char *) this) + sizeof (hmac_packet), len - sizeof (hmac_packet));
368 HMAC_CTX *hctx = &ctx->hctx; 368 ctx->hctx.digest (hmac_digest);
369
370 HMAC_Init_ex (hctx, 0, 0, 0, 0);
371 HMAC_Update (hctx, ((unsigned char *) this) + sizeof (hmac_packet),
372 len - sizeof (hmac_packet));
373 HMAC_Final (hctx, (unsigned char *) &hmac_digest, &xlen);
374} 369}
375 370
376void 371void
377hmac_packet::hmac_set (crypto_ctx *ctx) 372hmac_packet::hmac_set (crypto_ctx *ctx)
378{ 373{
379 hmac_gen (ctx); 374 unsigned char hmac_digest[EVP_MAX_MD_SIZE];
380 375 hmac_gen (ctx, hmac_digest);
381 memcpy (hmac, hmac_digest, HMACLENGTH); 376 memcpy (hmac, hmac_digest, HMACLENGTH);
382} 377}
383 378
384bool 379bool
385hmac_packet::hmac_chk (crypto_ctx *ctx) 380hmac_packet::hmac_chk (crypto_ctx *ctx)
386{ 381{
387 hmac_gen (ctx); 382 unsigned char hmac_digest[EVP_MAX_MD_SIZE];
388 383 hmac_gen (ctx, hmac_digest);
389 return !memcmp (hmac, hmac_digest, HMACLENGTH); 384 return slow_memeq (hmac, hmac_digest, HMACLENGTH);
390} 385}
391 386
387void
392void vpn_packet::set_hdr (ptype type_, unsigned int dst) 388vpn_packet::set_hdr (ptype type_, unsigned int dst)
393{ 389{
394 type = type_; 390 type = type_;
395 391
396 int src = THISNODE->id; 392 int src = THISNODE->id;
397 393
399 srcdst = ((src >> 8) << 4) | (dst >> 8); 395 srcdst = ((src >> 8) << 4) | (dst >> 8);
400 dst1 = dst; 396 dst1 = dst;
401} 397}
402 398
403#define MAXVPNDATA (MAX_MTU - 6 - 6) 399#define MAXVPNDATA (MAX_MTU - 6 - 6)
404#define DATAHDR (sizeof (u32) + RAND_SIZE)
405 400
406struct vpndata_packet : vpn_packet 401struct vpndata_packet : vpn_packet
402{
403 u32 ctr; // seqno
404 u8 data[MAXVPNDATA];
405
406 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
407 tap_packet *unpack (connection *conn, u32 &seqno);
408
409private:
410 const u32 data_hdr_size () const
407 { 411 {
408 u8 data[MAXVPNDATA + DATAHDR]; // seqno 412 // the distance from beginning of packet to data member
409 413 return data - at (0);
410 void setup (connection *conn, int dst, u8 *d, u32 len, u32 seqno);
411 tap_packet *unpack (connection *conn, u32 &seqno);
412private:
413
414 const u32 data_hdr_size () const
415 {
416 return sizeof (vpndata_packet) - sizeof (net_packet) - MAXVPNDATA - DATAHDR;
417 }
418 }; 414 }
415};
416
417// expands packet counter (unlike seqno, in network byte order) to counter mode IV
418static unsigned char *
419expand_iv (u32 ctr)
420{
421 static u32 iv[IV_SIZE (CIPHER) / 4];
422
423 require (sizeof (iv) == 4 * 4);
424 require (IV_SIZE (CIPHER) % 4 == 0);
425
426 iv[0] =
427 iv[1] =
428 iv[2] = ctr;
429
430 // I would reuse ctr here to to avoid potential endianness issues,
431 // but it seems openssl wraps around. While this would be still ok,
432 // and I don't even know if its true, let's play safe and initialise
433 // to 0.
434 iv[3] = 0;
435
436 return (unsigned char *)iv;
437}
419 438
420void 439void
421vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno) 440vpndata_packet::setup (connection *conn, int dst, u8 *d, u32 l, u32 seqno)
422{ 441{
423 EVP_CIPHER_CTX *cctx = &conn->octx->cctx; 442 EVP_CIPHER_CTX *cctx = conn->octx->cctx;
424 int outl = 0, outl2; 443 int outl = 0, outl2;
425 ptype type = PT_DATA_UNCOMPRESSED; 444 ptype type = PT_DATA_UNCOMPRESSED;
426 445
427#if ENABLE_COMPRESSION 446#if ENABLE_COMPRESSION
428 u8 cdata[MAX_MTU]; 447 u8 cdata[MAX_MTU];
441 d[1] = cl; 460 d[1] = cl;
442 } 461 }
443 } 462 }
444#endif 463#endif
445 464
465 ctr = htonl (seqno);
466
446 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, 0)); 467 require (EVP_EncryptInit_ex (cctx, 0, 0, 0, expand_iv (ctr)));
447
448 struct {
449#if RAND_SIZE
450 u8 rnd[RAND_SIZE];
451#endif
452 u32 seqno;
453 } datahdr;
454
455 datahdr.seqno = ntohl (seqno);
456#if RAND_SIZE
457 RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE);
458#endif
459 468
460 require (EVP_EncryptUpdate (cctx, 469 require (EVP_EncryptUpdate (cctx,
461 (unsigned char *) data + outl, &outl2, 470 (unsigned char *)data + outl, &outl2,
462 (unsigned char *) &datahdr, DATAHDR)); 471 (unsigned char *)d, l));
463 outl += outl2; 472 outl += outl2;
464 473
465 require (EVP_EncryptUpdate (cctx, 474 // it seems this is a nop for us, but we do it anyways
466 (unsigned char *) data + outl, &outl2, 475 require (EVP_EncryptFinal_ex (cctx, (unsigned char *)data + outl, &outl2));
467 (unsigned char *) d, l));
468 outl += outl2; 476 outl += outl2;
469 477
470 require (EVP_EncryptFinal_ex (cctx, (unsigned char *) data + outl, &outl2));
471 outl += outl2;
472
473 len = outl + data_hdr_size (); 478 len = data_hdr_size () + outl;
474 479
475 set_hdr (type, dst); 480 set_hdr (type, dst);
476 481
477 hmac_set (conn->octx); 482 hmac_set (conn->octx);
478} 483}
479 484
480tap_packet * 485tap_packet *
481vpndata_packet::unpack (connection *conn, u32 &seqno) 486vpndata_packet::unpack (connection *conn, u32 &seqno)
482{ 487{
483 EVP_CIPHER_CTX *cctx = &conn->ictx->cctx; 488 EVP_CIPHER_CTX *cctx = conn->ictx->cctx;
484 int outl = 0, outl2; 489 int outl = 0, outl2;
485 tap_packet *p = new tap_packet; 490 tap_packet *p = new tap_packet;
486 u8 *d; 491 u8 *d;
487 u32 l = len - data_hdr_size ();
488 492
493 seqno = ntohl (ctr);
494
489 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, 0)); 495 require (EVP_DecryptInit_ex (cctx, 0, 0, 0, expand_iv (ctr)));
490 496
491#if ENABLE_COMPRESSION 497#if ENABLE_COMPRESSION
492 u8 cdata[MAX_MTU]; 498 u8 cdata[MAX_MTU];
493 499
494 if (type == PT_DATA_COMPRESSED) 500 if (type == PT_DATA_COMPRESSED)
495 d = cdata; 501 d = cdata;
496 else 502 else
497#endif 503#endif
498 d = &(*p)[6 + 6 - DATAHDR]; 504 d = &(*p)[6 + 6];
499 505
500 /* this overwrites part of the src mac, but we fix that later */ 506 // this can overwrite the len/dst/src fields
501 require (EVP_DecryptUpdate (cctx, 507 require (EVP_DecryptUpdate (cctx,
502 d, &outl2, 508 d, &outl2,
503 (unsigned char *)&data, len - data_hdr_size ())); 509 (unsigned char *)&data, len - data_hdr_size ()));
504 outl += outl2; 510 outl += outl2;
505 511
512 // it seems this is a nop for us, but we do it anyways
506 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2)); 513 require (EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2));
507 outl += outl2; 514 outl += outl2;
508 515
509 seqno = ntohl (*(u32 *)(d + RAND_SIZE));
510
511 id2mac (dst () ? dst() : THISNODE->id, p->dst); 516 id2mac (dst () ? dst() : THISNODE->id, p->dst);
512 id2mac (src (), p->src); 517 id2mac (src (), p->src);
513 518
514#if ENABLE_COMPRESSION 519#if ENABLE_COMPRESSION
515 if (type == PT_DATA_COMPRESSED) 520 if (type == PT_DATA_COMPRESSED)
516 { 521 {
517 u32 cl = (d[DATAHDR] << 8) | d[DATAHDR + 1]; 522 u32 cl = (d[0] << 8) | d[1];
518 523
519 p->len = lzf_decompress (d + DATAHDR + 2, cl < MAX_MTU ? cl : 0, 524 p->len = lzf_decompress (d + 2, cl < MAX_MTU - 2 ? cl : 0,
520 &(*p)[6 + 6], MAX_MTU) 525 &(*p)[6 + 6], MAX_MTU)
521 + 6 + 6; 526 + 6 + 6;
522 } 527 }
523 else 528 else
524 p->len = outl + (6 + 6 - DATAHDR); 529 p->len = outl + (6 + 6);
525#endif 530#endif
526 531
527 return p; 532 return p;
528} 533}
529 534
536 } 541 }
537}; 542};
538 543
539struct config_packet : vpn_packet 544struct config_packet : vpn_packet
540{ 545{
541 // actually, hmaclen cannot be checked because the hmac 546 u8 serial[SERIAL_SIZE];
542 // field comes before this data, so peers with other
543 // hmacs simply will not work.
544 u8 prot_major, prot_minor, randsize, hmaclen; 547 u8 prot_major, prot_minor, randsize;
545 u8 flags, challengelen, features, pad3; 548 u8 flags, features, pad6, pad7, pad8;
546 u32 cipher_nid, digest_nid, hmac_nid; 549 u32 cipher_nid, mac_nid, auth_nid;
547 550
548 void setup (ptype type, int dst); 551 void setup (ptype type, int dst);
549 bool chk_config () const; 552 bool chk_config (const conf_node *conf, const sockinfo &rsi) const;
550 553
551 static u8 get_features () 554 static u8 get_features ()
552 { 555 {
553 u8 f = 0; 556 u8 f = 0;
554#if ENABLE_COMPRESSION 557#if ENABLE_COMPRESSION
562#endif 565#endif
563 return f; 566 return f;
564 } 567 }
565}; 568};
566 569
570void
567void config_packet::setup (ptype type, int dst) 571config_packet::setup (ptype type, int dst)
568{ 572{
569 prot_major = PROTOCOL_MAJOR; 573 prot_major = PROTOCOL_MAJOR;
570 prot_minor = PROTOCOL_MINOR; 574 prot_minor = PROTOCOL_MINOR;
571 randsize = RAND_SIZE;
572 hmaclen = HMACLENGTH;
573 flags = 0; 575 flags = 0;
574 challengelen = sizeof (rsachallenge);
575 features = get_features (); 576 features = get_features ();
576 577
578 strncpy ((char *)serial, conf.serial, sizeof (serial));
579
577 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER)); 580 cipher_nid = htonl (EVP_CIPHER_nid (CIPHER ()));
578 digest_nid = htonl (EVP_MD_type (RSA_HASH));
579 hmac_nid = htonl (EVP_MD_type (DIGEST)); 581 mac_nid = htonl (EVP_MD_type (MAC_DIGEST ()));
582 auth_nid = htonl (EVP_MD_type (AUTH_DIGEST ()));
580 583
581 len = sizeof (*this) - sizeof (net_packet); 584 len = sizeof (*this) - sizeof (net_packet);
582 set_hdr (type, dst); 585 set_hdr (type, dst);
583} 586}
584 587
585bool config_packet::chk_config () const 588bool
589config_packet::chk_config (const conf_node *conf, const sockinfo &rsi) const
586{ 590{
587 if (prot_major != PROTOCOL_MAJOR) 591 if (prot_major != PROTOCOL_MAJOR)
588 slog (L_WARN, _("major version mismatch (remote %d <=> local %d)"), prot_major, PROTOCOL_MAJOR); 592 slog (L_WARN, _("%s(%s): major version mismatch (remote %d <=> local %d)"),
589 else if (randsize != RAND_SIZE) 593 conf->nodename, (const char *)rsi, prot_major, PROTOCOL_MAJOR);
590 slog (L_WARN, _("rand size mismatch (remote %d <=> local %d)"), randsize, RAND_SIZE);
591 else if (hmaclen != HMACLENGTH)
592 slog (L_WARN, _("hmac length mismatch (remote %d <=> local %d)"), hmaclen, HMACLENGTH);
593 else if (challengelen != sizeof (rsachallenge))
594 slog (L_WARN, _("challenge length mismatch (remote %d <=> local %d)"), challengelen, sizeof (rsachallenge));
595 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER))) 594 else if (cipher_nid != htonl (EVP_CIPHER_nid (CIPHER ())))
596 slog (L_WARN, _("cipher mismatch (remote %x <=> local %x)"), ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER)); 595 slog (L_WARN, _("%s(%s): cipher algo mismatch (remote %x <=> local %x)"),
597 else if (digest_nid != htonl (EVP_MD_type (RSA_HASH))) 596 conf->nodename, (const char *)rsi, ntohl (cipher_nid), EVP_CIPHER_nid (CIPHER ()));
598 slog (L_WARN, _("digest mismatch (remote %x <=> local %x)"), ntohl (digest_nid), EVP_MD_type (RSA_HASH));
599 else if (hmac_nid != htonl (EVP_MD_type (DIGEST))) 597 else if (mac_nid != htonl (EVP_MD_type (MAC_DIGEST ())))
600 slog (L_WARN, _("hmac mismatch (remote %x <=> local %x)"), ntohl (hmac_nid), EVP_MD_type (DIGEST)); 598 slog (L_WARN, _("%s(%s): mac algo mismatch (remote %x <=> local %x)"),
599 conf->nodename, (const char *)rsi, ntohl (mac_nid), EVP_MD_type (MAC_DIGEST ()));
600 else if (auth_nid != htonl (EVP_MD_type (AUTH_DIGEST ())))
601 slog (L_WARN, _("%s(%s): auth algo mismatch (remote %x <=> local %x)"),
602 conf->nodename, (const char *)rsi, ntohl (auth_nid), EVP_MD_type (AUTH_DIGEST ()));
601 else 603 else
604 {
605 int cmp = memcmp (serial, ::conf.serial, sizeof (serial));
606
607 if (cmp > 0)
608 slog (L_WARN, _("%s(%s): remote serial newer than local serial - outdated config?"),
609 conf->nodename, (const char *)rsi);
610 else if (cmp == 0)
602 return true; 611 return true;
612 }
603 613
604 return false; 614 return false;
605} 615}
606 616
607struct auth_req_packet : config_packet 617struct auth_req_packet : config_packet // UNPROTECTED
608{ 618{
609 char magic[8]; 619 char magic[8];
610 u8 initiate; // false if this is just an automatic reply 620 u8 initiate; // false if this is just an automatic reply
611 u8 protocols; // supported protocols (will be patched on forward) 621 u8 protocols; // supported protocols (will be patched on forward)
612 u8 pad2, pad3; 622 u8 pad2, pad3;
613 rsaid id; 623 auth_encr encr;
614 rsaencrdata encr;
615 624
616 auth_req_packet (int dst, bool initiate_, u8 protocols_) 625 auth_req_packet (int dst, bool initiate_, u8 protocols_)
617 { 626 {
618 config_packet::setup (PT_AUTH_REQ, dst); 627 config_packet::setup (PT_AUTH_REQ, dst);
619 strncpy (magic, MAGIC_OLD, 8); 628 memcpy (magic, MAGIC, 8);
620 initiate = !!initiate_; 629 initiate = !!initiate_;
621 protocols = protocols_; 630 protocols = protocols_;
622 631
623 len = sizeof (*this) - sizeof (net_packet); 632 len = sizeof (*this) - sizeof (net_packet);
624 } 633 }
625}; 634};
626 635
627struct auth_res_packet : config_packet 636struct auth_res_packet : vpn_packet // UNPROTECTED
628{ 637{
629 rsaid id;
630 u8 pad1, pad2, pad3;
631 u8 response_len; // encrypted length
632 rsaresponse response; 638 auth_response response;
633 639
634 auth_res_packet (int dst) 640 auth_res_packet (int dst)
635 { 641 {
636 config_packet::setup (PT_AUTH_RES, dst); 642 set_hdr (PT_AUTH_RES, dst);
637 643
638 len = sizeof (*this) - sizeof (net_packet); 644 len = sizeof (*this) - sizeof (net_packet);
639 } 645 }
640}; 646};
641 647
671}; 677};
672 678
673///////////////////////////////////////////////////////////////////////////// 679/////////////////////////////////////////////////////////////////////////////
674 680
675void 681void
676connection::connection_established () 682connection::connection_established (const sockinfo &rsi)
677{ 683{
678 slog (L_NOISE, _("%s: possible connection establish (ictx %d, octx %d)"), conf->nodename, !!ictx, !!octx); 684 if (!have_snd_auth || !have_rcv_auth)
685 return;
679 686
680 if (ictx && octx) 687 si = rsi;
688 protocol = rsi.prot;
689
690 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
691 conf->nodename, (const char *)rsi,
692 vpn->can_direct (THISNODE, conf) ? "direct" : "forwarded",
693 PROTOCOL_MAJOR, prot_minor);
694
695 if (::conf.script_node_up)
696 {
697 run_script_cb *cb = new run_script_cb;
698 cb->set<connection, &connection::script_node_up> (this);
699 run_script_queued (cb, _("node-up command execution failed, continuing."));
681 { 700 }
701
702 delete ictx; ictx = new crypto_ctx (rcv_auth, snd_auth, rcv_ecdh_a, rcv_auth.ecdh, 0);
703 iseqno.reset (ntohl (rcv_auth.rsa.seqno) & 0x7fffffff);
704
705 delete octx; octx = new crypto_ctx (snd_auth, rcv_auth, snd_ecdh_a, snd_ecdh_b , 1);
706 oseqno = ntohl (snd_auth.rsa.seqno) & 0x7fffffff;
707
682 // make sure rekeying timeouts are slightly asymmetric 708 // make sure rekeying timeouts are slightly asymmetric
683 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0); 709 ev::tstamp rekey_interval = ::conf.rekey + (conf->id > THISNODE->id ? 10 : 0);
684 rekey.start (rekey_interval, rekey_interval); 710 rekey.start (rekey_interval, rekey_interval);
711
712 hmac_error = 0.;
713
685 keepalive.start (::conf.keepalive); 714 keepalive.start (::conf.keepalive);
686 715
687 // send queued packets 716 // send queued packets
688 if (ictx && octx)
689 {
690 while (tap_packet *p = (tap_packet *)data_queue.get ()) 717 while (tap_packet *p = (tap_packet *)data_queue.get ())
691 { 718 {
692 if (p->len) send_data_packet (p); 719 if (p->len) send_data_packet (p);
693 delete p; 720 delete p;
694 } 721 }
695 722
696 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ()) 723 while (vpn_packet *p = (vpn_packet *)vpn_queue.get ())
697 { 724 {
698 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY); 725 if (p->len) send_vpn_packet (p, si, IPTOS_RELIABILITY);
699 delete p; 726 delete p;
700 } 727 }
701 }
702 728
703 vpn->connection_established (this); 729 vpn->connection_established (this);
704 }
705 else
706 {
707 retry_cnt = 0;
708 establish_connection.start (5);
709 keepalive.stop ();
710 rekey.stop ();
711 }
712} 730}
713 731
714void 732void
715connection::reset_si () 733connection::reset_si ()
716{ 734{
721 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename); 739 slog (L_TRACE, _("%s: direct connection denied by config."), conf->nodename);
722 protocol = 0; 740 protocol = 0;
723 } 741 }
724 742
725 si.set (conf, protocol); 743 si.set (conf, protocol);
726
727 is_direct = si.valid ();
728} 744}
729 745
730// ensure sockinfo is valid, forward if necessary 746// ensure sockinfo is valid, forward if necessary
731const sockinfo & 747const sockinfo &
732connection::forward_si (const sockinfo &si) const 748connection::forward_si (const sockinfo &si) const
751 767
752void 768void
753connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos) 769connection::send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos)
754{ 770{
755 if (!vpn->send_vpn_packet (pkt, si, tos)) 771 if (!vpn->send_vpn_packet (pkt, si, tos))
756 reset_connection (); 772 reset_connection ("packet send error");
757} 773}
758 774
759void 775void
760connection::send_ping (const sockinfo &si, u8 pong) 776connection::send_ping (const sockinfo &si, u8 pong)
761{ 777{
762 ping_packet *pkt = new ping_packet; 778 ping_packet *pkt = new ping_packet;
763 779
764 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING); 780 pkt->setup (conf->id, pong ? ping_packet::PT_PONG : ping_packet::PT_PING);
765 781
766 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si); 782 slog (L_TRACE, "%s << %s [%s]", conf->nodename, pong ? "PT_PONG" : "PT_PING", (const char *)si);
767
768 send_vpn_packet (pkt, si, IPTOS_LOWDELAY); 783 send_vpn_packet (pkt, si, IPTOS_LOWDELAY);
769 784
770 delete pkt; 785 delete pkt;
771} 786}
772 787
787void 802void
788connection::send_auth_request (const sockinfo &si, bool initiate) 803connection::send_auth_request (const sockinfo &si, bool initiate)
789{ 804{
790 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols); 805 auth_req_packet *pkt = new auth_req_packet (conf->id, initiate, THISNODE->protocols);
791 806
792 rsachallenge chg; 807 generate_auth_data ();
793 rsa_cache.gen (pkt->id, chg);
794 rsa_encrypt (conf->rsa_key, chg, pkt->encr); 808 auth_encrypt (conf->rsa_key, snd_auth, pkt->encr);
795 809
796 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si); 810 slog (L_TRACE, "%s << PT_AUTH_REQ [%s]", conf->nodename, (const char *)si);
797
798 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly 811 send_vpn_packet (pkt, si, IPTOS_RELIABILITY | IPTOS_LOWDELAY); // rsa is very very costly
799 812
800 delete pkt; 813 delete pkt;
801} 814}
802 815
803void 816void
804connection::send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg) 817connection::send_auth_response (const sockinfo &si)
805{ 818{
806 auth_res_packet *pkt = new auth_res_packet (conf->id); 819 auth_res_packet *pkt = new auth_res_packet (conf->id);
807 820
808 pkt->id = id; 821 memcpy (pkt->response.ecdh, rcv_ecdh_b, sizeof rcv_ecdh_b);
809 822 auth_hash (rcv_auth, rcv_ecdh_b, pkt->response.mac);
810 rsa_hash (id, chg, pkt->response);
811
812 pkt->hmac_set (octx);
813 823
814 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si); 824 slog (L_TRACE, "%s << PT_AUTH_RES [%s]", conf->nodename, (const char *)si);
815
816 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly 825 send_vpn_packet (pkt, si, IPTOS_RELIABILITY); // rsa is very very costly
817 826
818 delete pkt; 827 delete pkt;
819} 828}
820 829
821void 830void
822connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols) 831connection::send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols)
823{ 832{
824 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s)", conf->nodename, 833 slog (L_TRACE, "%s << PT_CONNECT_INFO(%s,%s,p%02x)", conf->nodename,
825 vpn->conns[rid - 1]->conf->nodename, (const char *)rsi); 834 vpn->conns[rid - 1]->conf->nodename, (const char *)rsi,
835 conf->protocols);
826 836
827 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols); 837 connect_info_packet *r = new connect_info_packet (conf->id, rid, rsi, rprotocols);
828 838
829 r->hmac_set (octx); 839 r->hmac_set (octx);
830 send_vpn_packet (r, si); 840 send_vpn_packet (r, si);
833} 843}
834 844
835inline void 845inline void
836connection::establish_connection_cb (ev::timer &w, int revents) 846connection::establish_connection_cb (ev::timer &w, int revents)
837{ 847{
838 if (!ictx 848 if (!(ictx && octx)
839 && conf != THISNODE 849 && conf != THISNODE
840 && connectmode != conf_node::C_NEVER 850 && connectmode != conf_node::C_NEVER
841 && connectmode != conf_node::C_DISABLED 851 && connectmode != conf_node::C_DISABLED
842 && !w.is_active ()) 852 && !w.is_active ())
843 { 853 {
844 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection 854 // a bit hacky, if ondemand, and packets are no longer queued, then reset the connection
845 // and stop trying. should probably be handled by a per-connection expire handler. 855 // and stop trying. should probably be handled by a per-connection expire handler.
846 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ()) 856 if (connectmode == conf_node::C_ONDEMAND && vpn_queue.empty () && data_queue.empty ())
847 { 857 {
848 reset_connection (); 858 reset_connection ("no demand");
849 return; 859 return;
850 } 860 }
851 861
852 last_establish_attempt = ev_now (); 862 last_establish_attempt = ev_now ();
853 863
855 ? (retry_cnt & 3) + 1 865 ? (retry_cnt & 3) + 1
856 : 1 << (retry_cnt >> 2)); 866 : 1 << (retry_cnt >> 2));
857 867
858 reset_si (); 868 reset_si ();
859 869
860 bool slow = si.prot & PROT_SLOW; 870 bool slow = (si.prot & PROT_SLOW) || (conf->low_power || THISNODE->low_power);
861 871
862 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf)) 872 if (si.prot && !si.host && vpn->can_direct (THISNODE, conf))
863 { 873 {
864 /*TODO*/ /* start the timer so we don't recurse endlessly */ 874 /*TODO*/ /* start the timer so we don't recurse endlessly */
865 w.start (1); 875 w.start (1);
875 885
876 slow = slow || (dsi.prot & PROT_SLOW); 886 slow = slow || (dsi.prot & PROT_SLOW);
877 887
878 if (dsi.valid () && auth_rate_limiter.can (dsi)) 888 if (dsi.valid () && auth_rate_limiter.can (dsi))
879 { 889 {
880 if (retry_cnt < 4) 890 // use ping after the first few retries
891 // TODO: on rekeys, the other node might not interpret ping correctly,
892 // TODO: as it will still have a valid connection
893 if (retry_cnt < 4 && (!conf->low_power || THISNODE->low_power))
881 send_auth_request (dsi, true); 894 send_auth_request (dsi, true);
882 else 895 else
883 send_ping (dsi, 0); 896 send_ping (dsi, 0);
884 } 897 }
885 } 898 }
886 899
887 retry_int *= slow ? 8. : 0.9; 900 retry_int *= slow ? 4. : 0.9;
888 901
889 if (retry_int < conf->max_retry) 902 if (retry_int < conf->max_retry)
890 retry_cnt++; 903 retry_cnt++;
891 else 904 else
892 retry_int = conf->max_retry; 905 retry_int = conf->max_retry;
894 w.start (retry_int); 907 w.start (retry_int);
895 } 908 }
896} 909}
897 910
898void 911void
899connection::reset_connection () 912connection::reset_connection (const char *reason)
900{ 913{
901 if (ictx && octx) 914 if (ictx && octx)
902 { 915 {
903 slog (L_INFO, _("%s(%s): connection lost"), 916 slog (L_INFO, _("%s(%s): connection lost (%s)"),
904 conf->nodename, (const char *)si); 917 conf->nodename, (const char *)si, reason);
905 918
906 if (::conf.script_node_down) 919 if (::conf.script_node_down)
907 { 920 {
908 run_script_cb *cb = new run_script_cb; 921 run_script_cb *cb = new run_script_cb;
909 cb->set<connection, &connection::script_node_down> (this); 922 cb->set<connection, &connection::script_node_down> (this);
911 } 924 }
912 } 925 }
913 926
914 delete ictx; ictx = 0; 927 delete ictx; ictx = 0;
915 delete octx; octx = 0; 928 delete octx; octx = 0;
916#if ENABLE_DNS
917 dnsv4_reset_connection ();
918#endif
919 929
920 si.host = 0; 930 si.host = 0;
931
932 have_snd_auth = false;
933 have_rcv_auth = false;
934 auth_expire = 0.;
921 935
922 last_activity = 0.; 936 last_activity = 0.;
923 //last_si_change = 0.; 937 //last_si_change = 0.;
924 retry_cnt = 0; 938 retry_cnt = 0;
925 939
932connection::shutdown () 946connection::shutdown ()
933{ 947{
934 if (ictx && octx) 948 if (ictx && octx)
935 send_reset (si); 949 send_reset (si);
936 950
937 reset_connection (); 951 reset_connection ("shutdown");
938} 952}
939 953
940// poor-man's rekeying 954// poor-man's rekeying
941inline void 955inline void
942connection::rekey_cb (ev::timer &w, int revents) 956connection::rekey_cb (ev::timer &w, int revents)
943{ 957{
944 reset_connection (); 958 reset_connection ("rekeying");
945 establish_connection (); 959 establish_connection ();
946} 960}
947 961
948void 962void
949connection::send_data_packet (tap_packet *pkt) 963connection::send_data_packet (tap_packet *pkt)
966 980
967void 981void
968connection::post_inject_queue () 982connection::post_inject_queue ()
969{ 983{
970 // force a connection every now and when when packets are sent (max 1/s) 984 // force a connection every now and when when packets are sent (max 1/s)
971 if (ev_now () - last_establish_attempt >= 0.95) // arbitrary 985 if (ev_now () - last_establish_attempt >= (conf->low_power || THISNODE->low_power ? 2.95 : 0.95)) // arbitrary
972 establish_connection.stop (); 986 establish_connection.stop ();
973 987
974 establish_connection (); 988 establish_connection ();
975} 989}
976 990
984 data_queue.put (new tap_packet (*pkt)); 998 data_queue.put (new tap_packet (*pkt));
985 post_inject_queue (); 999 post_inject_queue ();
986 } 1000 }
987} 1001}
988 1002
1003void
989void connection::inject_vpn_packet (vpn_packet *pkt, int tos) 1004connection::inject_vpn_packet (vpn_packet *pkt, int tos)
990{ 1005{
991 if (ictx && octx) 1006 if (ictx && octx)
992 send_vpn_packet (pkt, si, tos); 1007 send_vpn_packet (pkt, si, tos);
993 else 1008 else
994 { 1009 {
1000void 1015void
1001connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi) 1016connection::recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi)
1002{ 1017{
1003 last_activity = ev_now (); 1018 last_activity = ev_now ();
1004 1019
1005 slog (L_NOISE, "%s >> received packet type %d from %d to %d.", 1020 slog (L_NOISE, "%s >> received packet type %d from %d to %d.",
1006 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ()); 1021 conf->nodename, pkt->typ (), pkt->src (), pkt->dst ());
1007 1022
1008 if (connectmode == conf_node::C_DISABLED) 1023 if (connectmode == conf_node::C_DISABLED)
1009 return; 1024 return;
1010 1025
1014 slog (L_TRACE, "%s >> PT_PING", conf->nodename); 1029 slog (L_TRACE, "%s >> PT_PING", conf->nodename);
1015 1030
1016 // we send pings instead of auth packets after some retries, 1031 // we send pings instead of auth packets after some retries,
1017 // so reset the retry counter and establish a connection 1032 // so reset the retry counter and establish a connection
1018 // when we receive a ping. 1033 // when we receive a ping.
1019 if (!(ictx && octx)) 1034 if (!ictx)
1020 { 1035 {
1021 if (auth_rate_limiter.can (rsi)) 1036 if (auth_rate_limiter.can (rsi))
1022 send_auth_request (rsi, true); 1037 send_auth_request (rsi, true);
1023 } 1038 }
1024 else 1039 else
1025 // we would love to change thre socket address here, but ping's aren't 1040 // we would love to change the socket address here, but ping's aren't
1026 // authenticated, so we best ignore it. 1041 // authenticated, so we best ignore it.
1027 send_ping (rsi, 1); // pong 1042 send_ping (rsi, 1); // pong
1028 1043
1029 break; 1044 break;
1030 1045
1031 case vpn_packet::PT_PONG: 1046 case vpn_packet::PT_PONG:
1032 slog (L_TRACE, "%s >> PT_PONG", conf->nodename); 1047 slog (L_TRACE, "%s >> PT_PONG", conf->nodename);
1048
1049 // a PONG might mean that the other side doesn't really know
1050 // about our desire for communication.
1051 establish_connection ();
1033 break; 1052 break;
1034 1053
1035 case vpn_packet::PT_RESET: 1054 case vpn_packet::PT_RESET:
1055 slog (L_TRACE, "%s >> PT_RESET", conf->nodename);
1056
1057 if (ictx && octx)
1036 { 1058 {
1037 reset_connection (); 1059 reset_connection ("remote reset");
1038 1060
1039 config_packet *p = (config_packet *) pkt; 1061 config_packet *p = (config_packet *) pkt;
1040 1062
1041 if (!p->chk_config ()) 1063 if (p->chk_config (conf, rsi) && connectmode == conf_node::C_ALWAYS)
1042 {
1043 slog (L_WARN, _("%s(%s): protocol mismatch, disabling node."),
1044 conf->nodename, (const char *)rsi);
1045 connectmode = conf_node::C_DISABLED;
1046 }
1047 else if (connectmode == conf_node::C_ALWAYS)
1048 establish_connection (); 1064 establish_connection ();
1049 } 1065 }
1066
1050 break; 1067 break;
1051 1068
1052 case vpn_packet::PT_AUTH_REQ: 1069 case vpn_packet::PT_AUTH_REQ:
1053 if (auth_rate_limiter.can (rsi)) 1070 if (auth_rate_limiter.can (rsi))
1054 { 1071 {
1055 auth_req_packet *p = (auth_req_packet *) pkt; 1072 auth_req_packet *p = (auth_req_packet *)pkt;
1056 1073
1057 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s)", conf->nodename, p->initiate ? "initiate" : "reply"); 1074 slog (L_TRACE, "%s >> PT_AUTH_REQ(%s,p%02x,f%02x)",
1075 conf->nodename, p->initiate ? "initiate" : "reply",
1076 p->protocols, p->features);
1058 1077
1078 if (memcmp (p->magic, MAGIC, 8))
1079 {
1080 slog (L_WARN, _("%s(%s): protocol magic mismatch - stray packet?"),
1081 conf->nodename, (const char *)rsi);
1082 }
1059 if (p->chk_config () 1083 else if (p->chk_config (conf, rsi))
1060 && (!strncmp (p->magic, MAGIC_OLD, 8) || !strncmp (p->magic, MAGIC, 8)))
1061 { 1084 {
1062 if (p->prot_minor != PROTOCOL_MINOR) 1085 if (p->prot_minor != PROTOCOL_MINOR)
1063 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."), 1086 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1064 conf->nodename, (const char *)rsi, 1087 conf->nodename, (const char *)rsi,
1065 PROTOCOL_MINOR, conf->nodename, p->prot_minor); 1088 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1066 1089
1067 if (p->initiate) 1090 if (p->initiate)
1091 {
1068 send_auth_request (rsi, false); 1092 send_auth_request (rsi, false);
1069 1093
1070 rsachallenge k; 1094 if (ictx && octx)
1095 reset_connection ("reconnect");
1096 }
1071 1097
1098 auth_data auth;
1099
1072 if (!rsa_decrypt (::conf.rsa_key, p->encr, k)) 1100 if (!auth_decrypt (::conf.rsa_key, p->encr, auth))
1073 { 1101 {
1074 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"), 1102 slog (L_ERR, _("%s(%s): challenge illegal or corrupted (%s). mismatched key or config file?"),
1075 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0)); 1103 conf->nodename, (const char *)rsi, ERR_error_string (ERR_get_error (), 0));
1076 break;
1077 } 1104 }
1078 else 1105 else
1079 { 1106 {
1080 delete octx; 1107 bool chg = !have_rcv_auth || !slow_memeq (&rcv_auth, &auth, sizeof auth);
1081 1108
1082 octx = new crypto_ctx (k, 1); 1109 rcv_auth = auth;
1083 oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; 1110 have_rcv_auth = true;
1084 1111
1112 send_auth_response (rsi);
1113
1114 if (chg)
1115 {
1085 conf->protocols = p->protocols; 1116 conf->protocols = p->protocols;
1086 features = p->features & config_packet::get_features (); 1117 features = p->features & config_packet::get_features ();
1087 1118
1088 send_auth_response (rsi, p->id, k);
1089
1090 connection_established (); 1119 connection_established (rsi);
1091
1092 break; 1120 }
1093 } 1121 }
1122
1123 break;
1094 } 1124 }
1095 else
1096 slog (L_WARN, _("%s(%s): protocol mismatch."),
1097 conf->nodename, (const char *)rsi);
1098 1125
1099 send_reset (rsi); 1126 send_reset (rsi);
1100 } 1127 }
1101 1128
1102 break; 1129 break;
1105 { 1132 {
1106 auth_res_packet *p = (auth_res_packet *)pkt; 1133 auth_res_packet *p = (auth_res_packet *)pkt;
1107 1134
1108 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename); 1135 slog (L_TRACE, "%s >> PT_AUTH_RES", conf->nodename);
1109 1136
1110 if (p->chk_config ()) 1137 auth_mac local_mac;
1138 auth_hash (snd_auth, p->response.ecdh, local_mac);
1139
1140 if (!slow_memeq (&p->response.mac, local_mac, sizeof local_mac))
1111 { 1141 {
1112 if (p->prot_minor != PROTOCOL_MINOR)
1113 slog (L_INFO, _("%s(%s): protocol minor version mismatch: ours is %d, %s's is %d."),
1114 conf->nodename, (const char *)rsi,
1115 PROTOCOL_MINOR, conf->nodename, p->prot_minor);
1116
1117 rsachallenge chg;
1118
1119 if (!rsa_cache.find (p->id, chg))
1120 {
1121 slog (L_ERR, _("%s(%s): unrequested auth response, ignoring."), 1142 slog (L_ERR, _("%s(%s): unrequested or outdated auth response, ignoring."),
1122 conf->nodename, (const char *)rsi); 1143 conf->nodename, (const char *)rsi);
1123 break;
1124 } 1144 }
1125 else 1145 else if (!have_snd_auth)
1126 { 1146 {
1127 crypto_ctx *cctx = new crypto_ctx (chg, 0); 1147 memcpy (snd_ecdh_b, p->response.ecdh, sizeof snd_ecdh_b);
1128 1148
1129 if (!p->hmac_chk (cctx)) 1149 have_snd_auth = true;
1130 {
1131 slog (L_ERR, _("%s(%s): hmac authentication error on auth response, received invalid packet\n"
1132 "could be an attack, or just corruption or a synchronization error."),
1133 conf->nodename, (const char *)rsi);
1134 break;
1135 }
1136 else
1137 {
1138 rsaresponse h;
1139
1140 rsa_hash (p->id, chg, h);
1141
1142 if (!memcmp ((u8 *)&h, (u8 *)p->response, sizeof h))
1143 {
1144 prot_minor = p->prot_minor;
1145
1146 delete ictx; ictx = cctx;
1147
1148 iseqno.reset (ntohl (*(u32 *)&chg[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid
1149
1150 si = rsi;
1151 protocol = rsi.prot;
1152
1153 slog (L_INFO, _("%s(%s): connection established (%s), protocol version %d.%d."),
1154 conf->nodename, (const char *)rsi,
1155 is_direct ? "direct" : "forwarded",
1156 p->prot_major, p->prot_minor);
1157
1158 connection_established (); 1150 connection_established (rsi);
1159
1160 if (::conf.script_node_up)
1161 {
1162 run_script_cb *cb = new run_script_cb;
1163 cb->set<connection, &connection::script_node_up> (this);
1164 run_script_queued (cb, _("node-up command execution failed, continuing."));
1165 }
1166
1167 break;
1168 }
1169 else
1170 slog (L_ERR, _("%s(%s): sent and received challenge do not match."),
1171 conf->nodename, (const char *)rsi);
1172 }
1173
1174 delete cctx;
1175 }
1176 } 1151 }
1177 } 1152 }
1178
1179 send_reset (rsi);
1180 break; 1153 break;
1181 1154
1182 case vpn_packet::PT_DATA_COMPRESSED: 1155 case vpn_packet::PT_DATA_COMPRESSED:
1183#if !ENABLE_COMPRESSION 1156#if !ENABLE_COMPRESSION
1184 send_reset (rsi); 1157 send_reset (rsi);
1190 if (ictx && octx) 1163 if (ictx && octx)
1191 { 1164 {
1192 vpndata_packet *p = (vpndata_packet *)pkt; 1165 vpndata_packet *p = (vpndata_packet *)pkt;
1193 1166
1194 if (!p->hmac_chk (ictx)) 1167 if (!p->hmac_chk (ictx))
1168 {
1169 // rekeying often creates temporary hmac auth floods
1170 // we assume they don't take longer than a few seconds normally,
1171 // and suppress messages and resets during that time.
1172 //TODO: should be done per source address
1173 if (!hmac_error)
1174 {
1175 hmac_error = ev_now () + 3;
1176 break;
1177 }
1178 else if (hmac_error >= ev_now ())
1179 break; // silently suppress
1180 else
1181 {
1195 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n" 1182 slog (L_ERR, _("%s(%s): hmac authentication error, received invalid packet\n"
1196 "could be an attack, or just corruption or a synchronization error."), 1183 "could be an attack, or just corruption or a synchronization error."),
1197 conf->nodename, (const char *)rsi); 1184 conf->nodename, (const char *)rsi);
1185 // reset
1186 }
1187 }
1198 else 1188 else
1199 { 1189 {
1200 u32 seqno; 1190 u32 seqno;
1201 tap_packet *d = p->unpack (this, seqno); 1191 tap_packet *d = p->unpack (this, seqno);
1202 int seqclass = iseqno.seqno_classify (seqno); 1192 int seqclass = iseqno.seqno_classify (seqno);
1193
1194 hmac_error = 0;
1203 1195
1204 if (seqclass == 0) // ok 1196 if (seqclass == 0) // ok
1205 { 1197 {
1206 vpn->tap->send (d); 1198 vpn->tap->send (d);
1207 1199
1257 if (p->id > 0 && p->id <= vpn->conns.size ()) 1249 if (p->id > 0 && p->id <= vpn->conns.size ())
1258 { 1250 {
1259 connection *c = vpn->conns[p->id - 1]; 1251 connection *c = vpn->conns[p->id - 1];
1260 conf->protocols = p->protocols; 1252 conf->protocols = p->protocols;
1261 1253
1262 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s) [%d]", 1254 slog (L_TRACE, "%s >> PT_CONNECT_REQ(%s,p%02x) [%d]",
1263 conf->nodename, vpn->conns[p->id - 1]->conf->nodename, c->ictx && c->octx); 1255 conf->nodename, vpn->conns[p->id - 1]->conf->nodename,
1256 p->protocols,
1257 c->ictx && c->octx);
1264 1258
1265 if (c->ictx && c->octx) 1259 if (c->ictx && c->octx)
1266 { 1260 {
1267 // send connect_info packets to both sides, in case one is 1261 // send connect_info packets to both sides, in case one is
1268 // behind a nat firewall (or both ;) 1262 // behind a nat firewall (or both ;)
1291 1285
1292 c->conf->protocols = p->protocols; 1286 c->conf->protocols = p->protocols;
1293 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf)); 1287 protocol = best_protocol (c->conf->protocols & THISNODE->protocols & p->si.supported_protocols (c->conf));
1294 p->si.upgrade_protocol (protocol, c->conf); 1288 p->si.upgrade_protocol (protocol, c->conf);
1295 1289
1296 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s) [%d]", 1290 slog (L_TRACE, "%s >> PT_CONNECT_INFO(%s,%s,protocols=%02x,protocol=%02x,upgradable=%02x) [%d]",
1291 conf->nodename,
1297 conf->nodename, vpn->conns[p->id - 1]->conf->nodename, 1292 vpn->conns[p->id - 1]->conf->nodename,
1293 (const char *)p->si,
1294 p->protocols,
1295 protocol,
1296 p->si.supported_protocols (c->conf),
1298 (const char *)p->si, !c->ictx && !c->octx); 1297 !c->ictx && !c->octx);
1299 1298
1300 const sockinfo &dsi = forward_si (p->si); 1299 const sockinfo &dsi = forward_si (p->si);
1301 1300
1302 if (dsi.valid ()) 1301 if (dsi.valid ())
1303 c->send_auth_request (dsi, true); 1302 c->send_auth_request (dsi, true);
1303 else
1304 slog (L_INFO, "connect info for %s received (%s), but still unable to contact.",
1305 vpn->conns[p->id - 1]->conf->nodename,
1306 (const char *)p->si);
1304 } 1307 }
1305 else 1308 else
1306 slog (L_WARN, 1309 slog (L_WARN,
1307 _("received authenticated connection request from unknown node #%d, config file mismatch?"), 1310 _("received authenticated connection request from unknown node #%d, config file mismatch?"),
1308 p->id); 1311 p->id);
1317} 1320}
1318 1321
1319inline void 1322inline void
1320connection::keepalive_cb (ev::timer &w, int revents) 1323connection::keepalive_cb (ev::timer &w, int revents)
1321{ 1324{
1322 if (ev_now () >= last_activity + ::conf.keepalive + 15) 1325 ev_tstamp when = last_activity + ::conf.keepalive - ev::now ();
1326
1327 if (when >= 0)
1328 w.start (when);
1329 else if (when < -15)
1323 { 1330 {
1324 reset_connection (); 1331 reset_connection ("keepalive overdue");
1325 establish_connection (); 1332 establish_connection ();
1326 } 1333 }
1327 else if (ev_now () < last_activity + ::conf.keepalive)
1328 w.start (last_activity + ::conf.keepalive - ev::now ());
1329 else if (conf->connectmode != conf_node::C_ONDEMAND 1334 else if (conf->connectmode != conf_node::C_ONDEMAND
1330 || THISNODE->connectmode != conf_node::C_ONDEMAND) 1335 || THISNODE->connectmode != conf_node::C_ONDEMAND)
1331 { 1336 {
1337 w.start (3);
1332 send_ping (si); 1338 send_ping (si);
1333 w.start (3);
1334 } 1339 }
1335 else if (ev_now () < last_activity + ::conf.keepalive + 10) 1340 else if (when >= -10)
1336 // hold ondemand connections implicitly a few seconds longer 1341 // hold ondemand connections implicitly a few seconds longer
1337 // should delete octx, though, or something like that ;) 1342 // should delete octx, though, or something like that ;)
1338 w.start (last_activity + ::conf.keepalive + 10 - ev::now ()); 1343 w.start (when + 10);
1339 else 1344 else
1340 reset_connection (); 1345 reset_connection ("keepalive timeout");
1341} 1346}
1342 1347
1348void
1343void connection::send_connect_request (int id) 1349connection::send_connect_request (int id)
1344{ 1350{
1345 connect_req_packet *p = new connect_req_packet (conf->id, id, conf->protocols); 1351 connect_req_packet *p = new connect_req_packet (conf->id, id, THISNODE->protocols);
1346 1352
1347 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s)", 1353 slog (L_TRACE, "%s << PT_CONNECT_REQ(%s,p%02x)",
1348 conf->nodename, vpn->conns[id - 1]->conf->nodename); 1354 conf->nodename, vpn->conns[id - 1]->conf->nodename,
1355 THISNODE->protocols);
1349 p->hmac_set (octx); 1356 p->hmac_set (octx);
1350 send_vpn_packet (p, si); 1357 send_vpn_packet (p, si);
1351 1358
1352 delete p; 1359 delete p;
1353} 1360}
1354 1361
1362void
1355void connection::script_init_env (const char *ext) 1363connection::script_init_env (const char *ext)
1356{ 1364{
1357 char *env; 1365 char *env;
1358 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env); 1366 asprintf (&env, "IFUPDATA%s=%s", ext, conf->if_up_data); putenv (env);
1359 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env); 1367 asprintf (&env, "NODENAME%s=%s", ext, conf->nodename); putenv (env);
1360 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext, 1368 asprintf (&env, "MAC%s=%02x:%02x:%02x:%02x:%02x:%02x", ext,
1361 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8, 1369 0xfe, 0xfd, 0x80, 0x00, conf->id >> 8,
1362 conf->id & 0xff); putenv (env); 1370 conf->id & 0xff); putenv (env);
1363} 1371}
1364 1372
1373void
1365void connection::script_init_connect_env () 1374connection::script_init_connect_env ()
1366{ 1375{
1367 vpn->script_init_env (); 1376 vpn->script_init_env ();
1368 1377
1369 char *env; 1378 char *env;
1370 asprintf (&env, "DESTID=%d", conf->id); putenv (env); 1379 asprintf (&env, "DESTID=%d", conf->id); putenv (env);
1435 establish_connection.set<connection, &connection::establish_connection_cb> (this); 1444 establish_connection.set<connection, &connection::establish_connection_cb> (this);
1436 1445
1437 last_establish_attempt = 0.; 1446 last_establish_attempt = 0.;
1438 octx = ictx = 0; 1447 octx = ictx = 0;
1439 1448
1440 if (!conf->protocols) // make sure some protocol is enabled
1441 conf->protocols = PROT_UDPv4;
1442
1443 connectmode = conf->connectmode; 1449 connectmode = conf->connectmode;
1444 1450
1445 // queue a dummy packet to force an initial connection attempt 1451 // queue a dummy packet to force an initial connection attempt
1446 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED) 1452 if (connectmode != conf_node::C_ALWAYS && connectmode != conf_node::C_DISABLED)
1447 vpn_queue.put (new net_packet); 1453 vpn_queue.put (new net_packet);
1448 1454
1449 reset_connection (); 1455 reset_connection ("startup");
1450} 1456}
1451 1457
1452connection::~connection () 1458connection::~connection ()
1453{ 1459{
1454 shutdown (); 1460 shutdown ();
1455} 1461}
1456 1462
1463void
1457void connection_init () 1464connection_init ()
1458{ 1465{
1459 auth_rate_limiter.clear (); 1466 auth_rate_limiter.clear ();
1460 reset_rate_limiter.clear (); 1467 reset_rate_limiter.clear ();
1461} 1468}
1462 1469

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines