1 |
pcg |
1.1 |
/* |
2 |
|
|
connection.h -- header for connection.C |
3 |
root |
1.37 |
Copyright (C) 2003-2008,2013 Marc Lehmann <gvpe@schmorp.de> |
4 |
pcg |
1.1 |
|
5 |
pcg |
1.18 |
This file is part of GVPE. |
6 |
|
|
|
7 |
pcg |
1.32 |
GVPE is free software; you can redistribute it and/or modify it |
8 |
|
|
under the terms of the GNU General Public License as published by the |
9 |
|
|
Free Software Foundation; either version 3 of the License, or (at your |
10 |
|
|
option) any later version. |
11 |
|
|
|
12 |
|
|
This program is distributed in the hope that it will be useful, but |
13 |
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of |
14 |
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General |
15 |
|
|
Public License for more details. |
16 |
|
|
|
17 |
|
|
You should have received a copy of the GNU General Public License along |
18 |
|
|
with this program; if not, see <http://www.gnu.org/licenses/>. |
19 |
|
|
|
20 |
|
|
Additional permission under GNU GPL version 3 section 7 |
21 |
|
|
|
22 |
|
|
If you modify this Program, or any covered work, by linking or |
23 |
|
|
combining it with the OpenSSL project's OpenSSL library (or a modified |
24 |
|
|
version of that library), containing parts covered by the terms of the |
25 |
|
|
OpenSSL or SSLeay licenses, the licensors of this Program grant you |
26 |
|
|
additional permission to convey the resulting work. Corresponding |
27 |
|
|
Source for a non-source form of such a combination shall include the |
28 |
|
|
source code for the parts of OpenSSL used as well as that of the |
29 |
|
|
covered work. |
30 |
pcg |
1.1 |
*/ |
31 |
|
|
|
32 |
pcg |
1.22 |
#ifndef GVPE_CONNECTION_H__ |
33 |
|
|
#define GVPE_CONNECTION_H__ |
34 |
pcg |
1.1 |
|
35 |
|
|
#include <openssl/hmac.h> |
36 |
|
|
|
37 |
|
|
#include "global.h" |
38 |
|
|
#include "conf.h" |
39 |
|
|
#include "sockinfo.h" |
40 |
|
|
#include "util.h" |
41 |
|
|
#include "device.h" |
42 |
root |
1.37 |
#include "curve25519.h" |
43 |
pcg |
1.1 |
|
44 |
|
|
struct vpn; |
45 |
|
|
|
46 |
|
|
// called after HUP etc. to (re-)initialize global data structures |
47 |
|
|
void connection_init (); |
48 |
|
|
|
49 |
root |
1.37 |
typedef curve25519_key ecdh_key; |
50 |
|
|
|
51 |
|
|
struct rsa_data |
52 |
|
|
{ |
53 |
|
|
u32 seqno; |
54 |
|
|
u8 auth_key[AUTH_SIZE]; |
55 |
|
|
u8 mac_key[MAC_KEYSIZE]; // used to generate hmac key |
56 |
|
|
u8 cipher_key[CIPHER_KEYSIZE]; // used to generate cipher key |
57 |
|
|
u8 hkdf_salt[HKDF_SALT]; // used as hkdf salt |
58 |
|
|
u8 ikm[IKM_SIZE]; // used as additional keying material for both sides |
59 |
|
|
u8 pad[ |
60 |
|
|
(RSABITS >> 3) |
61 |
|
|
- 41 // OAEP |
62 |
|
|
- sizeof (u32) // seqno |
63 |
|
|
- AUTH_SIZE |
64 |
|
|
- MAC_KEYSIZE |
65 |
|
|
- CIPHER_KEYSIZE |
66 |
|
|
- HKDF_SALT |
67 |
|
|
- IKM_SIZE |
68 |
|
|
- 3 // struct alignment... |
69 |
|
|
]; |
70 |
|
|
}; |
71 |
|
|
|
72 |
|
|
struct auth_data |
73 |
|
|
{ |
74 |
|
|
rsa_data rsa; |
75 |
|
|
ecdh_key ecdh; |
76 |
|
|
}; |
77 |
|
|
|
78 |
|
|
typedef u8 rsa_crypt[RSA_KEYLEN]; // encrypted challenge |
79 |
|
|
|
80 |
|
|
struct auth_encr |
81 |
pcg |
1.29 |
{ |
82 |
root |
1.37 |
rsa_crypt rsa; |
83 |
|
|
ecdh_key ecdh; |
84 |
pcg |
1.1 |
}; |
85 |
|
|
|
86 |
root |
1.37 |
typedef u8 auth_mac[AUTH_SIZE]; |
87 |
|
|
|
88 |
|
|
struct auth_response |
89 |
|
|
{ |
90 |
|
|
auth_mac mac; |
91 |
|
|
ecdh_key ecdh; |
92 |
|
|
}; |
93 |
pcg |
1.1 |
|
94 |
|
|
//////////////////////////////////////////////////////////////////////////////////////// |
95 |
|
|
|
96 |
|
|
struct crypto_ctx; |
97 |
|
|
|
98 |
pcg |
1.13 |
struct hmac_packet : net_packet |
99 |
pcg |
1.1 |
{ |
100 |
|
|
u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere |
101 |
|
|
|
102 |
|
|
void hmac_set (crypto_ctx * ctx); |
103 |
|
|
bool hmac_chk (crypto_ctx * ctx); |
104 |
|
|
|
105 |
|
|
private: |
106 |
|
|
static unsigned char hmac_digest[EVP_MAX_MD_SIZE]; |
107 |
|
|
|
108 |
|
|
void hmac_gen (crypto_ctx * ctx); |
109 |
|
|
}; |
110 |
|
|
|
111 |
|
|
struct vpn_packet : hmac_packet |
112 |
pcg |
1.29 |
{ |
113 |
|
|
enum ptype |
114 |
pcg |
1.1 |
{ |
115 |
pcg |
1.29 |
PT_RESET = 0, |
116 |
|
|
PT_DATA_UNCOMPRESSED, |
117 |
|
|
PT_DATA_COMPRESSED, |
118 |
|
|
PT_PING, PT_PONG, // wasting namespace space? ;) |
119 |
|
|
PT_AUTH_REQ, // authentification request |
120 |
|
|
PT_AUTH_RES, // authentification response |
121 |
|
|
PT_CONNECT_REQ, // want other node to contact me |
122 |
|
|
PT_CONNECT_INFO, // request connection to some node |
123 |
pcg |
1.31 |
PT_DATA_BRIDGED, // uncompressed packet with foreign mac pot. larger than path mtu (NYI) |
124 |
pcg |
1.29 |
PT_MAX |
125 |
pcg |
1.1 |
}; |
126 |
|
|
|
127 |
pcg |
1.29 |
u8 type; |
128 |
|
|
u8 srcdst, src1, dst1; |
129 |
|
|
|
130 |
|
|
void set_hdr (ptype type_, unsigned int dst); |
131 |
|
|
|
132 |
|
|
unsigned int src () const |
133 |
|
|
{ |
134 |
|
|
return src1 | ((srcdst >> 4) << 8); |
135 |
|
|
} |
136 |
|
|
|
137 |
|
|
unsigned int dst () const |
138 |
|
|
{ |
139 |
|
|
return dst1 | ((srcdst & 0xf) << 8); |
140 |
|
|
} |
141 |
|
|
|
142 |
|
|
ptype typ () const |
143 |
|
|
{ |
144 |
|
|
return (ptype) type; |
145 |
|
|
} |
146 |
|
|
}; |
147 |
|
|
|
148 |
pcg |
1.1 |
//////////////////////////////////////////////////////////////////////////////////////// |
149 |
|
|
|
150 |
|
|
// a very simple fifo pkt-queue |
151 |
|
|
class pkt_queue |
152 |
pcg |
1.29 |
{ |
153 |
|
|
int i, j; |
154 |
pcg |
1.30 |
int max_queue; |
155 |
|
|
double max_ttl; |
156 |
|
|
|
157 |
|
|
struct pkt { |
158 |
|
|
ev_tstamp tstamp; |
159 |
|
|
net_packet *pkt; |
160 |
|
|
} *queue; |
161 |
|
|
|
162 |
|
|
void expire_cb (ev::timer &w, int revents); ev::timer expire; |
163 |
pcg |
1.1 |
|
164 |
pcg |
1.29 |
public: |
165 |
pcg |
1.1 |
|
166 |
pcg |
1.29 |
void put (net_packet *p); |
167 |
|
|
net_packet *get (); |
168 |
pcg |
1.1 |
|
169 |
pcg |
1.30 |
bool empty () |
170 |
|
|
{ |
171 |
|
|
return i == j; |
172 |
|
|
} |
173 |
|
|
|
174 |
|
|
pkt_queue (double max_ttl, int max_queue); |
175 |
pcg |
1.29 |
~pkt_queue (); |
176 |
|
|
}; |
177 |
pcg |
1.1 |
|
178 |
pcg |
1.14 |
enum |
179 |
pcg |
1.29 |
{ |
180 |
|
|
FEATURE_COMPRESSION = 0x01, |
181 |
|
|
FEATURE_ROHC = 0x02, |
182 |
|
|
FEATURE_BRIDGING = 0x04, |
183 |
|
|
}; |
184 |
pcg |
1.14 |
|
185 |
pcg |
1.1 |
struct connection |
186 |
pcg |
1.29 |
{ |
187 |
|
|
conf_node *conf; |
188 |
|
|
struct vpn *vpn; |
189 |
pcg |
1.1 |
|
190 |
pcg |
1.29 |
sockinfo si; // the current(!) destination ip to send packets to |
191 |
|
|
int retry_cnt; |
192 |
pcg |
1.1 |
|
193 |
pcg |
1.29 |
tstamp last_activity; // time of last packet received |
194 |
root |
1.35 |
tstamp last_establish_attempt; |
195 |
pcg |
1.33 |
//tstamp last_si_change; // time we last changed the socket address |
196 |
pcg |
1.1 |
|
197 |
pcg |
1.29 |
u32 oseqno; |
198 |
|
|
sliding_window iseqno; |
199 |
pcg |
1.1 |
|
200 |
pcg |
1.29 |
u8 protocol; |
201 |
|
|
u8 features; |
202 |
pcg |
1.33 |
bool is_direct; // current connection (si) is direct? |
203 |
pcg |
1.1 |
|
204 |
pcg |
1.29 |
pkt_queue data_queue, vpn_queue; |
205 |
pcg |
1.1 |
|
206 |
pcg |
1.29 |
crypto_ctx *octx, *ictx; |
207 |
pcg |
1.1 |
|
208 |
root |
1.37 |
void generate_auth_data (); |
209 |
|
|
|
210 |
|
|
ev_tstamp auth_expire; // when the snd_* and *_ecdh values expire |
211 |
|
|
|
212 |
|
|
// send auth data - used for octx |
213 |
|
|
auth_data snd_auth; |
214 |
|
|
auth_mac snd_auth_mac; // expected response mac |
215 |
|
|
ecdh_key snd_ecdh_a; // the secret ecdh key we used for our request |
216 |
|
|
ecdh_key snd_ecdh_b; // the public ecdh key we received in the response |
217 |
|
|
bool have_snd_auth; // received response for our req |
218 |
|
|
|
219 |
|
|
// receive auth data - used for ictx |
220 |
|
|
auth_data rcv_auth; |
221 |
|
|
ecdh_key rcv_ecdh_a; // the secret ecdh key we used for our response |
222 |
|
|
ecdh_key rcv_ecdh_b; // the public ecdh key we sent in our response |
223 |
|
|
bool have_rcv_auth; // received auth from other side |
224 |
|
|
|
225 |
pcg |
1.15 |
#if ENABLE_DNS |
226 |
pcg |
1.29 |
struct dns_connection *dns; |
227 |
pcg |
1.15 |
#endif |
228 |
|
|
|
229 |
pcg |
1.29 |
enum conf_node::connectmode connectmode; |
230 |
|
|
u8 prot_minor; // minor number of other side |
231 |
pcg |
1.1 |
|
232 |
pcg |
1.29 |
void reset_si (); |
233 |
|
|
const sockinfo &forward_si (const sockinfo &si) const; |
234 |
pcg |
1.1 |
|
235 |
pcg |
1.29 |
void shutdown (); |
236 |
root |
1.37 |
void connection_established (const sockinfo &rsi); |
237 |
pcg |
1.29 |
void reset_connection (); |
238 |
|
|
|
239 |
|
|
void establish_connection_cb (ev::timer &w, int revents); ev::timer establish_connection; |
240 |
|
|
void rekey_cb (ev::timer &w, int revents); ev::timer rekey; // next rekying (actually current reset + reestablishing) |
241 |
|
|
void keepalive_cb (ev::timer &w, int revents); ev::timer keepalive; // next keepalive probe |
242 |
|
|
|
243 |
|
|
void send_connect_request (int id); |
244 |
|
|
void send_auth_request (const sockinfo &si, bool initiate); |
245 |
root |
1.37 |
void send_auth_response (const sockinfo &si); |
246 |
pcg |
1.29 |
void send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols); |
247 |
|
|
void send_reset (const sockinfo &dsi); |
248 |
|
|
void send_ping (const sockinfo &dsi, u8 pong = 0); |
249 |
|
|
void send_data_packet (tap_packet *pkt); |
250 |
|
|
|
251 |
pcg |
1.31 |
void post_inject_queue (); |
252 |
|
|
void inject_data_packet (tap_packet *pkt); |
253 |
pcg |
1.29 |
void inject_vpn_packet (vpn_packet *pkt, int tos = 0); // for forwarding |
254 |
|
|
|
255 |
|
|
void recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi); |
256 |
|
|
void send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos = 0); |
257 |
|
|
|
258 |
|
|
void script_init_env (const char *ext); |
259 |
|
|
void script_init_connect_env (); |
260 |
|
|
const char *script_node_up (); |
261 |
pcg |
1.34 |
const char *script_node_change (); |
262 |
pcg |
1.29 |
const char *script_node_down (); |
263 |
pcg |
1.1 |
|
264 |
pcg |
1.29 |
void dump_status (); |
265 |
pcg |
1.1 |
|
266 |
pcg |
1.29 |
connection (struct vpn *vpn, conf_node *conf); |
267 |
|
|
~connection (); |
268 |
|
|
}; |
269 |
pcg |
1.1 |
|
270 |
|
|
#endif |
271 |
|
|
|