/cvs/gvpe/src/connection.h
Revision: 1.42
Committed: Thu Jun 30 10:57:43 2016 UTC (7 years, 10 months ago) by root
Content type: text/plain
Branch: MAIN
Changes since 1.41: +3 -3 lines
Log Message:
*** empty log message ***

1 pcg 1.1 /*
2     connection.h -- header for connection.C
3 root 1.37 Copyright (C) 2003-2008,2013 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.18 This file is part of GVPE.
6    
7 pcg 1.32 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
32 pcg 1.22 #ifndef GVPE_CONNECTION_H__
33     #define GVPE_CONNECTION_H__
34 pcg 1.1
35     #include <openssl/hmac.h>
36    
37     #include "global.h"
38     #include "conf.h"
39     #include "sockinfo.h"
40     #include "util.h"
41     #include "device.h"
42 root 1.37 #include "curve25519.h"
43 root 1.38 #include "iv_gen.h"
44 pcg 1.1
struct vpn; // the node-wide vpn object a connection belongs to (defined elsewhere)

// called after HUP etc. to (re-)initialize global data structures
void connection_init ();

// a curve25519 key (see curve25519.h); the same type is used below for
// both the secret and the public half of an ecdh exchange, so the name
// of a variable, not its type, tells which one it holds
typedef curve25519_key ecdh_key;
51    
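// RSA-encrypted half of the authentication challenge. The member order is
// the on-the-wire layout. The arithmetic sizing extra_auth subtracts
// RSA_OAEP_SIZE from the RSA key size, i.e. the whole struct is meant to fit
// into a single RSA/OAEP block of (RSABITS >> 3) - RSA_OAEP_SIZE plaintext
// bytes; extra_auth is sized to use up the remaining capacity with
// randomness, and the "- 3" leaves room for the padding the compiler may add
// to round sizeof (rsa_data) up to the alignment of the u32 member.
//
// (ictx)/(octx) marks which crypto context a member feeds (see connection).
struct rsa_data
{
  u32 seqno;                     // (ictx) initial sequence nr (31 bits)
  u8 mac_key[MAC_IKMSIZE];       // (ictx) used to generate hmac key
  u8 cipher_key[CIPHER_IKMSIZE]; // (ictx) used to generate cipher key
  u8 hkdf_salt[HKDF_SALT];       // (octx) used as hkdf salt
  u8 extra_auth[                 // (ictx) additional auth randomness
    (RSABITS >> 3)
    - RSA_OAEP_SIZE
    - sizeof (u32)               // seqno
    - MAC_IKMSIZE
    - CIPHER_IKMSIZE
    - HKDF_SALT
    - 3                          // struct alignment...
  ];
};

// Compile-time check of the size invariant described above. The "- 3" is a
// hand-computed allowance; if rsa_data ever grows past one OAEP block (for
// instance after changing one of the *_IKMSIZE constants or u32's alignment),
// the array below gets a negative size and the build fails here instead of
// the RSA encryption of the challenge failing at run time.
typedef char rsa_data_fits_oaep_block
  [sizeof (rsa_data) <= (RSABITS >> 3) - RSA_OAEP_SIZE ? 1 : -1];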
68    
// Plaintext authentication material as kept by a node for one direction
// (connection::snd_auth / rcv_auth): the RSA-protected part plus an ecdh
// public key. auth_encr below is presumably its wire form, with rsa encrypted.
struct auth_data
{
  rsa_data rsa;
  ecdh_key ecdh;
};
74    
typedef u8 rsa_crypt[RSA_KEYLEN]; // encrypted challenge: one RSA block of RSA_KEYLEN bytes (rsa_data, encrypted)
76    
// Wire form of an authentication request (presumably the PT_AUTH_REQ
// payload): rsa is the RSA-encrypted rsa_data, ecdh is a public ecdh key and
// travels unencrypted. Its integrity is only what the packet hmac and the
// response mac provide - neither is defined in this header.
struct auth_encr
{
  rsa_crypt rsa;
  ecdh_key ecdh;
};
82    
typedef u8 auth_mac[AUTH_SIZE]; // authenticator carried in an auth_response (AUTH_SIZE bytes)
84    
// Wire form of the reply to an auth request (presumably the PT_AUTH_RES
// payload): a mac plus the responder's public ecdh key.
// NOTE(review): what the mac is computed over, and with which key, is
// decided in connection.C and not visible here - it must cover the ecdh key
// in this struct for the ecdh half of the exchange to be authenticated.
struct auth_response
{
  auth_mac mac;
  ecdh_key ecdh;
};
90 pcg 1.1
91     ////////////////////////////////////////////////////////////////////////////////////////
92    
struct crypto_ctx; // opaque here; a connection keeps one per direction (octx for sending, ictx for receiving)
94    
// Base of every packet exchanged between nodes: a net_packet with a hmac
// field. hmac_set () fills the field using ctx; hmac_chk () returns whether
// the field is valid for ctx (presumably by recomputing it via hmac_gen and
// comparing). As the comment on the field says, not every receive path
// checks it yet - until hmac_chk () has returned true for a packet, every
// other field of it (including the vpn_packet header) is unauthenticated
// input and must be treated as such.
// NOTE(review): whether hmac_chk compares the two digests in constant time
// is decided in connection.C, not visible here - worth confirming.
struct hmac_packet : net_packet
{
  u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere

  void hmac_set (crypto_ctx *ctx); // compute the hmac for this packet with ctx and store it in hmac
  bool hmac_chk (crypto_ctx *ctx); // verification result: true iff hmac matches what ctx yields for this packet

  private:
  // compute the hmac of this packet with ctx into hmac_digest (presumably
  // HMACLENGTH bytes); the shared helper behind hmac_set and hmac_chk
  void hmac_gen (crypto_ctx *ctx, u8 *hmac_digest);
};
105    
// A packet on the node-to-node transport: hmac_packet plus a four byte
// header (type, srcdst, src1, dst1) holding the packet type and two 12 bit
// node ids. The low byte of each id is in src1/dst1, the upper four bits of
// both ids share srcdst (src in the high nibble, dst in the low nibble).
struct vpn_packet : hmac_packet
{
  enum ptype
  {
    PT_RESET = 0,
    PT_DATA_UNCOMPRESSED,
    PT_DATA_COMPRESSED,
    PT_PING, PT_PONG,   // wasting namespace space? ;)
    PT_AUTH_REQ,        // authentication request
    PT_AUTH_RES,        // authentication response
    PT_CONNECT_REQ,     // want other node to contact me
    PT_CONNECT_INFO,    // request connection to some node
    PT_DATA_BRIDGED,    // uncompressed packet with foreign mac pot. larger than path mtu (NYI)
    PT_MAX
  };

  u8 type;
  u8 srcdst, src1, dst1;

  // fill in type and the destination id (the source id is presumably taken
  // from the local node); defined in connection.C
  void set_hdr (ptype type_, unsigned int dst);

  // sending node id: bits 8..11 come from the high nibble of srcdst,
  // bits 0..7 from src1
  unsigned int src () const
  {
    unsigned int upper = srcdst >> 4;
    return (upper << 8) | src1;
  }

  // destination node id: bits 8..11 come from the low nibble of srcdst,
  // bits 0..7 from dst1
  unsigned int dst () const
  {
    unsigned int upper = srcdst & 0xf;
    return (upper << 8) | dst1;
  }

  // the raw type byte viewed as a ptype. No range check happens here: a
  // received packet may carry any byte value, so receivers have to compare
  // against PT_MAX (or switch with a default) before acting on the result.
  ptype typ () const
  {
    return static_cast<ptype> (type);
  }
};
142    
143 pcg 1.1 ////////////////////////////////////////////////////////////////////////////////////////
144    
// a very simple fifo pkt-queue
//
// Holds up to max_queue net_packets, each stamped with the time it was
// queued; from the names, expire_cb () presumably drops entries older than
// max_ttl seconds. i and j index into queue, and the queue is empty when
// they are equal (looks like a ring buffer - confirm in connection.C, where
// all non-inline members are defined). Who owns (frees) a packet handed to
// put () and not yet returned by get () is also decided there, not here.
class pkt_queue
{
  int i, j;          // head/tail indices into queue; empty when i == j
  int max_queue;     // capacity (entries), as passed to the constructor
  double max_ttl;    // seconds, as passed to the constructor

  struct pkt {
    ev_tstamp tstamp; // time the packet was queued
    net_packet *pkt;
  } *queue;          // presumably an array of max_queue entries

  void expire_cb (ev::timer &w, int revents); ev::timer expire;

  public:

  void put (net_packet *p);  // append p (behaviour when full: see connection.C)
  net_packet *get ();        // pop the oldest packet (return value when empty: see connection.C)

  // true when nothing is queued
  bool empty ()
  {
    return i == j;
  }

  pkt_queue (double max_ttl, int max_queue);
  ~pkt_queue ();
};
172 pcg 1.1
// Feature flags a node can have (stored in connection::features). Each one
// is a single bit so a set of them fits into one u8.
enum
{
  FEATURE_COMPRESSION = 1 << 0,
  FEATURE_ROHC        = 1 << 1,
  FEATURE_BRIDGING    = 1 << 2,
};
179 pcg 1.14
// Per-peer state: everything this node keeps about one configured remote
// node (conf) - the address it currently sends to, sequence numbers, one
// crypto context per direction, the authentication material of a handshake
// in progress, and the timers driving (re)connection. All member functions
// are defined in connection.C.
//
// NOTE(review): snd_ecdh_a / rcv_ecdh_a are ecdh secret keys and snd_auth /
// rcv_auth contain the key material from rsa_data. They stay in this object
// at least until auth_expire; whether they are wiped once octx/ictx have
// been derived, on reset_connection () and in ~connection () is decided in
// connection.C and not visible here - worth confirming.
struct connection
{
  conf_node *conf;
  struct vpn *vpn;

  // NOTE(review): recv_vpn_packet () gets the real source address (rsi) of
  // every packet; on which packets si is updated from it (authenticated ones
  // only, one would hope) is decided in connection.C - confirm there.
  sockinfo si; // the current(!) destination ip to send packets to
  int retry_cnt;

  tstamp last_activity; // time of last packet received
  tstamp last_establish_attempt;
  //tstamp last_si_change; // time we last changed the socket address

  u32 oseqno;            // outgoing sequence number
  sliding_window iseqno; // window over incoming sequence numbers (presumably the replay filter; see its definition)

  u8 protocol;
  u8 features;           // FEATURE_* bits (see the enum above)

  pkt_queue data_queue, vpn_queue;

  crypto_ctx *octx, *ictx; // outgoing / incoming crypto context

  void generate_auth_data (); // (re)generate snd_* material for a new handshake

  ev_tstamp auth_expire; // when the snd_* and *_ecdh values expire
  ev_tstamp hmac_error; // time of first hmac error in a series

  // send auth data - used for octx
  auth_data snd_auth;
  ecdh_key snd_ecdh_a; // the secret ecdh key we used for our request
  ecdh_key snd_ecdh_b; // the public ecdh key we received in the response
  bool have_snd_auth; // received response for our req

  // receive auth data - used for ictx
  auth_data rcv_auth;
  ecdh_key rcv_ecdh_a; // the secret ecdh key we used for our response
  ecdh_key rcv_ecdh_b; // the public ecdh key we sent in our response
  bool have_rcv_auth; // received auth from other side

#if ENABLE_DNS
  struct dns_connection *dns;
#endif

  enum conf_node::connectmode connectmode;
  u8 prot_minor; // minor number of other side

  void reset_si ();
  const sockinfo &forward_si (const sockinfo &si) const;

  void shutdown ();
  void connection_established (const sockinfo &rsi);
  void reset_connection (const char *reason); // tear the connection down; reason is presumably for logging

  // timers: (re)establishing, rekeying and keepalive
  void establish_connection_cb (ev::timer &w, int revents); ev::timer establish_connection;
  void rekey_cb (ev::timer &w, int revents); ev::timer rekey; // next rekeying (actually current reset + reestablishing)
  void keepalive_cb (ev::timer &w, int revents); ev::timer keepalive; // next keepalive probe

  // building and sending control packets (PT_* types), one each
  void send_connect_request (int id);
  void send_auth_request (const sockinfo &si, bool initiate);
  void send_auth_response (const sockinfo &si);
  void send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols);
  void send_reset (const sockinfo &dsi);
  void send_ping (const sockinfo &dsi, u8 pong = 0);
  void send_data_packet (tap_packet *pkt);

  // queueing of packets that cannot be sent right away
  void post_inject_queue ();
  void inject_data_packet (tap_packet *pkt);
  void inject_vpn_packet (vpn_packet *pkt, int tos = 0); // for forwarding

  // transport entry/exit points; rsi is the address the packet came from
  void recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi);
  void send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos = 0);

  // environment for / invocation of the node-up/change/down scripts
  void script_init_env (const char *ext);
  void script_init_connect_env ();
  const char *script_node_up ();
  const char *script_node_change ();
  const char *script_node_down ();

  void dump_status ();

  connection (struct vpn *vpn, conf_node *conf);
  ~connection ();
};
263 pcg 1.1
264     #endif