--- gvpe/src/connection.h 2008/08/07 17:30:28 1.31
+++ gvpe/src/connection.h 2016/06/30 10:57:43 1.42
@@ -1,22 +1,32 @@ /* connection.h -- header for connection.C - Copyright (C) 2003-2005 Marc Lehmann + Copyright (C) 2003-2008,2013 Marc Lehmann This file is part of GVPE. - GVPE is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with gvpe; if not, write to the Free Software - Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + GVPE is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 3 of the License, or (at your + option) any later version. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General + Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, see . + + Additional permission under GNU GPL version 3 section 7 + + If you modify this Program, or any covered work, by linking or + combining it with the OpenSSL project's OpenSSL library (or a modified + version of that library), containing parts covered by the terms of the + OpenSSL or SSLeay licenses, the licensors of this Program grant you + additional permission to convey the resulting work. 
Corresponding + Source for a non-source form of such a combination shall include the + source code for the parts of OpenSSL used as well as that of the + covered work. */ #ifndef GVPE_CONNECTION_H__ @@ -29,20 +39,54 @@ #include "sockinfo.h" #include "util.h" #include "device.h" +#include "curve25519.h" +#include "iv_gen.h" struct vpn; // called after HUP etc. to (re-)initialize global data structures void connection_init (); -struct rsaid +typedef curve25519_key ecdh_key; + +struct rsa_data +{ + u32 seqno; // (ictx) initial sequence nr (31 bits) + u8 mac_key[MAC_IKMSIZE]; // (ictx) used to generate hmac key + u8 cipher_key[CIPHER_IKMSIZE]; // (ictx) used to generate cipher key + u8 hkdf_salt[HKDF_SALT]; // (octx) used as hkdf salt + u8 extra_auth[ // (ictx) additional auth randomness + (RSABITS >> 3) + - RSA_OAEP_SIZE + - sizeof (u32) // seqno + - MAC_IKMSIZE + - CIPHER_IKMSIZE + - HKDF_SALT + - 3 // struct alignment... + ]; +}; + +struct auth_data +{ + rsa_data rsa; + ecdh_key ecdh; +}; + +typedef u8 rsa_crypt[RSA_KEYLEN]; // encrypted challenge + +struct auth_encr { - u8 id[RSA_IDLEN]; // the challenge id + rsa_crypt rsa; + ecdh_key ecdh; }; -typedef rsaclear rsachallenge; // challenge data; -typedef rsacrypt rsaencrdata; // encrypted challenge -typedef u8 rsaresponse[RSA_RESLEN]; // the encrypted ripemd160 hash +typedef u8 auth_mac[AUTH_SIZE]; + +struct auth_response +{ + auth_mac mac; + ecdh_key ecdh; +}; //////////////////////////////////////////////////////////////////////////////////////// @@ -52,13 +96,11 @@ { u8 hmac[HMACLENGTH]; // each and every packet has a hmac field, but that is not (yet) checked everywhere - void hmac_set (crypto_ctx * ctx); - bool hmac_chk (crypto_ctx * ctx); + void hmac_set (crypto_ctx *ctx); + bool hmac_chk (crypto_ctx *ctx); private: - static unsigned char hmac_digest[EVP_MAX_MD_SIZE]; - - void hmac_gen (crypto_ctx * ctx); + void hmac_gen (crypto_ctx *ctx, u8 *hmac_digest); }; struct vpn_packet : hmac_packet 
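Review bot: The size of `extra_auth` in `rsa_data` depends on a hand-tuned `- 3 // struct alignment...` term, and nothing in this hunk checks that the finished struct still fits into one RSA-OAEP block. If `MAC_IKMSIZE`, `CIPHER_IKMSIZE`, `HKDF_SALT` or `RSABITS` change, or a compiler pads the struct differently, the mismatch would presumably surface only as a failing encryption call at run time or as an obscure array-size error. A compile-time check next to the struct would pin the invariant, for example `static_assert (sizeof (rsa_data) <= (RSABITS >> 3) - RSA_OAEP_SIZE, "rsa_data must fit one OAEP block");` if the build accepts C++11. A short comment saying which bytes must be filled with fresh randomness before the struct is encrypted would help as well.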
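Review bot: `hmac_gen (crypto_ctx *ctx, u8 *hmac_digest)` now writes into a caller-supplied buffer, but the declaration gives no size for it. The static buffer it replaces was `EVP_MAX_MD_SIZE` bytes, so callers presumably need at least that much; a comment such as `// hmac_digest: output buffer, at least EVP_MAX_MD_SIZE bytes` would state the contract that `hmac_set` and `hmac_chk` have to meet. The comparison inside `hmac_chk` lives in connection.C and is not part of this diff, so it is worth confirming there that the digest is compared in constant time.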
@@ -144,7 +186,8 @@ int retry_cnt; tstamp last_activity; // time of last packet received - tstamp last_establish_attempt; + tstamp last_establish_attempt; + //tstamp last_si_change; // time we last changed the socket address u32 oseqno; sliding_window iseqno; @@ -156,10 +199,25 @@ crypto_ctx *octx, *ictx; + void generate_auth_data (); + + ev_tstamp auth_expire; // when the snd_* and *_ecdh values expire + ev_tstamp hmac_error; // time of first hmac error in a series + + // send auth data - used for octx + auth_data snd_auth; + ecdh_key snd_ecdh_a; // the secret ecdh key we used for our request + ecdh_key snd_ecdh_b; // the public ecdh key we received in the response + bool have_snd_auth; // received response for our req + + // receive auth data - used for ictx + auth_data rcv_auth; + ecdh_key rcv_ecdh_a; // the secret ecdh key we used for our response + ecdh_key rcv_ecdh_b; // the public ecdh key we sent in our response + bool have_rcv_auth; // received auth from other side + #if ENABLE_DNS struct dns_connection *dns; - - void dnsv4_reset_connection (); #endif enum conf_node::connectmode connectmode; 
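Review bot: `snd_ecdh_a`, `rcv_ecdh_a` and the `rsa` parts of `snd_auth`/`rcv_auth` are secret key material that now lives in the connection object, and the hunk does not say when they are erased. `auth_expire` is described as the time these values expire, so the natural rule is to overwrite them at that point and on connection reset; whether connection.C does so is not visible here. A comment above the group would record the requirement, for example `// secret key material: wipe when auth_expire passes or the connection is reset`. The initial values of `have_snd_auth` and `have_rcv_auth` are likewise set outside this hunk and should be false until a response or request has been verified. The enclosing struct starts and ends outside this hunk.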
@@ -169,16 +227,16 @@ const sockinfo &forward_si (const sockinfo &si) const; void shutdown (); - void connection_established (); - void reset_connection (); + void connection_established (const sockinfo &rsi); + void reset_connection (const char *reason); void establish_connection_cb (ev::timer &w, int revents); ev::timer establish_connection; - void rekey_cb (ev::timer &w, int revents); ev::timer rekey; // next rekying (actually current reset + reestablishing) + void rekey_cb (ev::timer &w, int revents); ev::timer rekey; // next rekeying (actually current reset + reestablishing) void keepalive_cb (ev::timer &w, int revents); ev::timer keepalive; // next keepalive probe void send_connect_request (int id); void send_auth_request (const sockinfo &si, bool initiate); - void send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg); + void send_auth_response (const sockinfo &si); void send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols); void send_reset (const sockinfo &dsi); void send_ping (const sockinfo &dsi, u8 pong = 0); @@ -194,6 +252,7 @@ void script_init_env (const char *ext); void script_init_connect_env (); const char *script_node_up (); + const char *script_node_change (); const char *script_node_down (); void dump_status ();
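Review bot: `send_auth_response (const sockinfo &si)` no longer receives the challenge id and data, so it presumably builds its reply from the `rcv_auth`/`rcv_ecdh_*` members and is only valid after an auth request has been accepted. That precondition is not written down at the declaration; a comment such as `// requires have_rcv_auth; answers the request stored in rcv_auth` would keep a later caller from sending a response built from stale or unset state. The new `rsi` and `reason` parameters of `connection_established` and `reset_connection` are undocumented as well, in particular whether `reason` may be null and whether it is passed to a logging call as data and never as the format string. The declarations belong to a struct that starts and ends outside this hunk.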