1 |
pcg |
1.1 |
/* |
2 |
|
|
connection.h -- header for connection.C |
3 |
root |
1.37 |
Copyright (C) 2003-2008,2013 Marc Lehmann <gvpe@schmorp.de> |
4 |
pcg |
1.1 |
|
5 |
pcg |
1.18 |
This file is part of GVPE. |
6 |
|
|
|
7 |
pcg |
1.32 |
GVPE is free software; you can redistribute it and/or modify it |
8 |
|
|
under the terms of the GNU General Public License as published by the |
9 |
|
|
Free Software Foundation; either version 3 of the License, or (at your |
10 |
|
|
option) any later version. |
11 |
|
|
|
12 |
|
|
This program is distributed in the hope that it will be useful, but |
13 |
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of |
14 |
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General |
15 |
|
|
Public License for more details. |
16 |
|
|
|
17 |
|
|
You should have received a copy of the GNU General Public License along |
18 |
|
|
with this program; if not, see <http://www.gnu.org/licenses/>. |
19 |
|
|
|
20 |
|
|
Additional permission under GNU GPL version 3 section 7 |
21 |
|
|
|
22 |
|
|
If you modify this Program, or any covered work, by linking or |
23 |
|
|
combining it with the OpenSSL project's OpenSSL library (or a modified |
24 |
|
|
version of that library), containing parts covered by the terms of the |
25 |
|
|
OpenSSL or SSLeay licenses, the licensors of this Program grant you |
26 |
|
|
additional permission to convey the resulting work. Corresponding |
27 |
|
|
Source for a non-source form of such a combination shall include the |
28 |
|
|
source code for the parts of OpenSSL used as well as that of the |
29 |
|
|
covered work. |
30 |
pcg |
1.1 |
*/ |
31 |
|
|
|
32 |
pcg |
1.22 |
#ifndef GVPE_CONNECTION_H__ |
33 |
|
|
#define GVPE_CONNECTION_H__ |
34 |
pcg |
1.1 |
|
35 |
|
|
#include <openssl/hmac.h> |
36 |
|
|
|
37 |
|
|
#include "global.h" |
38 |
|
|
#include "conf.h" |
39 |
|
|
#include "sockinfo.h" |
40 |
|
|
#include "util.h" |
41 |
|
|
#include "device.h" |
42 |
root |
1.37 |
#include "curve25519.h" |
43 |
root |
1.38 |
#include "iv_gen.h" |
44 |
pcg |
1.1 |
|
45 |
|
|
struct vpn; |
46 |
|
|
|
47 |
|
|
// called after HUP etc. to (re-)initialize global data structures |
48 |
|
|
void connection_init (); |
49 |
|
|
|
50 |
root |
1.37 |
typedef curve25519_key ecdh_key; |
51 |
|
|
|
52 |
|
|
struct rsa_data |
53 |
|
|
{ |
54 |
root |
1.39 |
u32 seqno; // (ictx) initial sequence nr (31 bits) |
55 |
|
|
u8 mac_key[MAC_IKMSIZE]; // (ictx) used to generate hmac key |
56 |
|
|
u8 cipher_key[CIPHER_IKMSIZE]; // (ictx) used to generate cipher key |
57 |
|
|
u8 hkdf_salt[HKDF_SALT]; // (octx) used as hkdf salt |
58 |
|
|
u8 extra_auth[ // (ictx) additional auth randomness |
59 |
root |
1.37 |
(RSABITS >> 3) |
60 |
root |
1.39 |
- RSA_OAEP_SIZE |
61 |
root |
1.37 |
- sizeof (u32) // seqno |
62 |
root |
1.39 |
- MAC_IKMSIZE |
63 |
|
|
- CIPHER_IKMSIZE |
64 |
root |
1.37 |
- HKDF_SALT |
65 |
|
|
- 3 // struct alignment... |
66 |
|
|
]; |
67 |
|
|
}; |
68 |
|
|
|
69 |
|
|
struct auth_data |
70 |
|
|
{ |
71 |
|
|
rsa_data rsa; |
72 |
|
|
ecdh_key ecdh; |
73 |
|
|
}; |
74 |
|
|
|
75 |
|
|
typedef u8 rsa_crypt[RSA_KEYLEN]; // encrypted challenge |
76 |
|
|
|
77 |
|
|
struct auth_encr |
78 |
pcg |
1.29 |
{ |
79 |
root |
1.37 |
rsa_crypt rsa; |
80 |
|
|
ecdh_key ecdh; |
81 |
pcg |
1.1 |
}; |
82 |
|
|
|
83 |
root |
1.37 |
typedef u8 auth_mac[AUTH_SIZE]; |
84 |
|
|
|
85 |
|
|
struct auth_response |
86 |
|
|
{ |
87 |
|
|
auth_mac mac; |
88 |
|
|
ecdh_key ecdh; |
89 |
|
|
}; |
90 |
pcg |
1.1 |
|
91 |
|
|
//////////////////////////////////////////////////////////////////////////////////////// |
92 |
|
|
|
93 |
|
|
struct crypto_ctx; |
94 |
|
|
|
95 |
pcg |
1.13 |
struct hmac_packet : net_packet |
96 |
pcg |
1.1 |
{ |
97 |
|
|
u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere |
98 |
|
|
|
99 |
root |
1.42 |
void hmac_set (crypto_ctx *ctx); |
100 |
|
|
bool hmac_chk (crypto_ctx *ctx); |
101 |
pcg |
1.1 |
|
102 |
|
|
private: |
103 |
root |
1.42 |
void hmac_gen (crypto_ctx *ctx, u8 *hmac_digest); |
104 |
pcg |
1.1 |
}; |
105 |
|
|
|
106 |
|
|
struct vpn_packet : hmac_packet |
107 |
pcg |
1.29 |
{ |
108 |
|
|
enum ptype |
109 |
pcg |
1.1 |
{ |
110 |
pcg |
1.29 |
PT_RESET = 0, |
111 |
|
|
PT_DATA_UNCOMPRESSED, |
112 |
|
|
PT_DATA_COMPRESSED, |
113 |
|
|
PT_PING, PT_PONG, // wasting namespace space? ;) |
114 |
|
|
PT_AUTH_REQ, // authentification request |
115 |
|
|
PT_AUTH_RES, // authentification response |
116 |
|
|
PT_CONNECT_REQ, // want other node to contact me |
117 |
|
|
PT_CONNECT_INFO, // request connection to some node |
118 |
pcg |
1.31 |
PT_DATA_BRIDGED, // uncompressed packet with foreign mac pot. larger than path mtu (NYI) |
119 |
pcg |
1.29 |
PT_MAX |
120 |
pcg |
1.1 |
}; |
121 |
|
|
|
122 |
pcg |
1.29 |
u8 type; |
123 |
|
|
u8 srcdst, src1, dst1; |
124 |
|
|
|
125 |
|
|
void set_hdr (ptype type_, unsigned int dst); |
126 |
|
|
|
127 |
|
|
unsigned int src () const |
128 |
|
|
{ |
129 |
|
|
return src1 | ((srcdst >> 4) << 8); |
130 |
|
|
} |
131 |
|
|
|
132 |
|
|
unsigned int dst () const |
133 |
|
|
{ |
134 |
|
|
return dst1 | ((srcdst & 0xf) << 8); |
135 |
|
|
} |
136 |
|
|
|
137 |
|
|
ptype typ () const |
138 |
|
|
{ |
139 |
|
|
return (ptype) type; |
140 |
|
|
} |
141 |
|
|
}; |
142 |
|
|
|
143 |
pcg |
1.1 |
//////////////////////////////////////////////////////////////////////////////////////// |
144 |
|
|
|
145 |
|
|
// a very simple fifo pkt-queue |
146 |
|
|
class pkt_queue |
147 |
pcg |
1.29 |
{ |
148 |
|
|
int i, j; |
149 |
pcg |
1.30 |
int max_queue; |
150 |
|
|
double max_ttl; |
151 |
|
|
|
152 |
|
|
struct pkt { |
153 |
|
|
ev_tstamp tstamp; |
154 |
|
|
net_packet *pkt; |
155 |
|
|
} *queue; |
156 |
|
|
|
157 |
|
|
void expire_cb (ev::timer &w, int revents); ev::timer expire; |
158 |
pcg |
1.1 |
|
159 |
pcg |
1.29 |
public: |
160 |
pcg |
1.1 |
|
161 |
pcg |
1.29 |
void put (net_packet *p); |
162 |
|
|
net_packet *get (); |
163 |
pcg |
1.1 |
|
164 |
pcg |
1.30 |
bool empty () |
165 |
|
|
{ |
166 |
|
|
return i == j; |
167 |
|
|
} |
168 |
|
|
|
169 |
|
|
pkt_queue (double max_ttl, int max_queue); |
170 |
pcg |
1.29 |
~pkt_queue (); |
171 |
|
|
}; |
172 |
pcg |
1.1 |
|
173 |
pcg |
1.14 |
enum |
174 |
pcg |
1.29 |
{ |
175 |
|
|
FEATURE_COMPRESSION = 0x01, |
176 |
|
|
FEATURE_ROHC = 0x02, |
177 |
|
|
FEATURE_BRIDGING = 0x04, |
178 |
|
|
}; |
179 |
pcg |
1.14 |
|
180 |
pcg |
1.1 |
struct connection |
181 |
pcg |
1.29 |
{ |
182 |
|
|
conf_node *conf; |
183 |
|
|
struct vpn *vpn; |
184 |
pcg |
1.1 |
|
185 |
pcg |
1.29 |
sockinfo si; // the current(!) destination ip to send packets to |
186 |
|
|
int retry_cnt; |
187 |
pcg |
1.1 |
|
188 |
pcg |
1.29 |
tstamp last_activity; // time of last packet received |
189 |
root |
1.35 |
tstamp last_establish_attempt; |
190 |
pcg |
1.33 |
//tstamp last_si_change; // time we last changed the socket address |
191 |
pcg |
1.1 |
|
192 |
pcg |
1.29 |
u32 oseqno; |
193 |
|
|
sliding_window iseqno; |
194 |
pcg |
1.1 |
|
195 |
pcg |
1.29 |
u8 protocol; |
196 |
|
|
u8 features; |
197 |
pcg |
1.1 |
|
198 |
pcg |
1.29 |
pkt_queue data_queue, vpn_queue; |
199 |
pcg |
1.1 |
|
200 |
pcg |
1.29 |
crypto_ctx *octx, *ictx; |
201 |
pcg |
1.1 |
|
202 |
root |
1.37 |
void generate_auth_data (); |
203 |
|
|
|
204 |
|
|
ev_tstamp auth_expire; // when the snd_* and *_ecdh values expire |
205 |
root |
1.40 |
ev_tstamp hmac_error; // time of first hmac error in a series |
206 |
root |
1.37 |
|
207 |
|
|
// send auth data - used for octx |
208 |
|
|
auth_data snd_auth; |
209 |
|
|
ecdh_key snd_ecdh_a; // the secret ecdh key we used for our request |
210 |
|
|
ecdh_key snd_ecdh_b; // the public ecdh key we received in the response |
211 |
|
|
bool have_snd_auth; // received response for our req |
212 |
|
|
|
213 |
|
|
// receive auth data - used for ictx |
214 |
|
|
auth_data rcv_auth; |
215 |
|
|
ecdh_key rcv_ecdh_a; // the secret ecdh key we used for our response |
216 |
|
|
ecdh_key rcv_ecdh_b; // the public ecdh key we sent in our response |
217 |
|
|
bool have_rcv_auth; // received auth from other side |
218 |
|
|
|
219 |
pcg |
1.15 |
#if ENABLE_DNS |
220 |
pcg |
1.29 |
struct dns_connection *dns; |
221 |
pcg |
1.15 |
#endif |
222 |
|
|
|
223 |
pcg |
1.29 |
enum conf_node::connectmode connectmode; |
224 |
|
|
u8 prot_minor; // minor number of other side |
225 |
pcg |
1.1 |
|
226 |
pcg |
1.29 |
void reset_si (); |
227 |
|
|
const sockinfo &forward_si (const sockinfo &si) const; |
228 |
pcg |
1.1 |
|
229 |
pcg |
1.29 |
void shutdown (); |
230 |
root |
1.37 |
void connection_established (const sockinfo &rsi); |
231 |
root |
1.40 |
void reset_connection (const char *reason); |
232 |
pcg |
1.29 |
|
233 |
|
|
void establish_connection_cb (ev::timer &w, int revents); ev::timer establish_connection; |
234 |
root |
1.40 |
void rekey_cb (ev::timer &w, int revents); ev::timer rekey; // next rekeying (actually current reset + reestablishing) |
235 |
pcg |
1.29 |
void keepalive_cb (ev::timer &w, int revents); ev::timer keepalive; // next keepalive probe |
236 |
|
|
|
237 |
|
|
void send_connect_request (int id); |
238 |
|
|
void send_auth_request (const sockinfo &si, bool initiate); |
239 |
root |
1.37 |
void send_auth_response (const sockinfo &si); |
240 |
pcg |
1.29 |
void send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols); |
241 |
|
|
void send_reset (const sockinfo &dsi); |
242 |
|
|
void send_ping (const sockinfo &dsi, u8 pong = 0); |
243 |
|
|
void send_data_packet (tap_packet *pkt); |
244 |
|
|
|
245 |
pcg |
1.31 |
void post_inject_queue (); |
246 |
|
|
void inject_data_packet (tap_packet *pkt); |
247 |
pcg |
1.29 |
void inject_vpn_packet (vpn_packet *pkt, int tos = 0); // for forwarding |
248 |
|
|
|
249 |
|
|
void recv_vpn_packet (vpn_packet *pkt, const sockinfo &rsi); |
250 |
|
|
void send_vpn_packet (vpn_packet *pkt, const sockinfo &si, int tos = 0); |
251 |
|
|
|
252 |
|
|
void script_init_env (const char *ext); |
253 |
|
|
void script_init_connect_env (); |
254 |
|
|
const char *script_node_up (); |
255 |
pcg |
1.34 |
const char *script_node_change (); |
256 |
pcg |
1.29 |
const char *script_node_down (); |
257 |
pcg |
1.1 |
|
258 |
pcg |
1.29 |
void dump_status (); |
259 |
pcg |
1.1 |
|
260 |
pcg |
1.29 |
connection (struct vpn *vpn, conf_node *conf); |
261 |
|
|
~connection (); |
262 |
|
|
}; |
263 |
pcg |
1.1 |
|
264 |
|
|
#endif |
265 |
|
|
|