--- gvpe/src/connection.h 2008/08/07 17:30:28 1.31
+++ gvpe/src/connection.h 2013/07/18 13:35:16 1.38
@@ -1,22 +1,32 @@ /* connection.h -- header for connection.C - Copyright (C) 2003-2005 Marc Lehmann + Copyright (C) 2003-2008,2013 Marc Lehmann This file is part of GVPE. - GVPE is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with gvpe; if not, write to the Free Software - Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + GVPE is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 3 of the License, or (at your + option) any later version. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General + Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, see . + + Additional permission under GNU GPL version 3 section 7 + + If you modify this Program, or any covered work, by linking or + combining it with the OpenSSL project's OpenSSL library (or a modified + version of that library), containing parts covered by the terms of the + OpenSSL or SSLeay licenses, the licensors of this Program grant you + additional permission to convey the resulting work. 
Corresponding
+    Source for a non-source form of such a combination shall include the
+    source code for the parts of OpenSSL used as well as that of the
+    covered work.
 */
 
 #ifndef GVPE_CONNECTION_H__
@@ -29,20 +39,56 @@
 #include "sockinfo.h"
 #include "util.h"
 #include "device.h"
+#include "curve25519.h"
+#include "iv_gen.h"
 
 struct vpn;
 
 // called after HUP etc. to (re-)initialize global data structures
 void connection_init ();
 
-struct rsaid
+typedef curve25519_key ecdh_key;
+
+struct rsa_data
 {
-  u8 id[RSA_IDLEN]; // the challenge id
+  u32 seqno;
+  u8 auth_key[AUTH_SIZE];
+  u8 mac_key[MAC_KEYSIZE]; // used to generate hmac key
+  u8 cipher_key[CIPHER_KEYSIZE]; // used to generate cipher key
+  u8 hkdf_salt[HKDF_SALT]; // used as hkdf salt
+  u8 pad[
+    (RSABITS >> 3)
+    - 41 // OAEP
+    - sizeof (u32) // seqno
+    - AUTH_SIZE
+    - MAC_KEYSIZE
+    - CIPHER_KEYSIZE
+    - HKDF_SALT
+    - 3 // struct alignment...
+  ];
 };
 
-typedef rsaclear rsachallenge; // challenge data;
-typedef rsacrypt rsaencrdata; // encrypted challenge
-typedef u8 rsaresponse[RSA_RESLEN]; // the encrypted ripemd160 hash
+struct auth_data
+{
+  rsa_data rsa;
+  ecdh_key ecdh;
+};
+
+typedef u8 rsa_crypt[RSA_KEYLEN]; // encrypted challenge
+
+struct auth_encr
+{
+  rsa_crypt rsa;
+  ecdh_key ecdh;
+};
+
+typedef u8 auth_mac[AUTH_SIZE];
+
+struct auth_response
+{
+  auth_mac mac;
+  ecdh_key ecdh;
+};
 
 ////////////////////////////////////////////////////////////////////////////////////////
 
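Review bot: The `pad[]` size in `rsa_data` only implicitly encodes the invariant that sizeof (rsa_data) equals (RSABITS >> 3) - 41, and the `- 3 // struct alignment...` term is hand-tuned to the current member layout, so a later change to `AUTH_SIZE`, `MAC_KEYSIZE`, `HKDF_SALT` or the `u32 seqno` field would silently shrink or overrun what appears (from the `// OAEP` comment and `rsa_crypt`) to be the plaintext of one RSA-OAEP block. Make the invariant checked at compile time right after the definition, e.g. `static_assert (sizeof (rsa_data) == (RSABITS >> 3) - 41, "rsa_data must exactly fill the RSA-OAEP payload");`, or the project's pre-C++11 equivalent if static_assert is not available to this build. A one-line comment on `rsa_data` stating that it is the RSA-encrypted half of the auth exchange and that `pad` exists only to fix the size would also help readers. The same `AUTH_SIZE` constant sizes both `auth_key` and `auth_mac`; if those are meant to vary independently, the mac should get its own constant.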
@@ -144,22 +190,40 @@
 
   int retry_cnt;
   tstamp last_activity; // time of last packet received
-  tstamp last_establish_attempt;
+  tstamp last_establish_attempt;
+  //tstamp last_si_change; // time we last changed the socket address
 
   u32 oseqno;
   sliding_window iseqno;
   u8 protocol;
   u8 features;
+  bool is_direct; // current connection (si) is direct?
 
   pkt_queue data_queue, vpn_queue;
 
   crypto_ctx *octx, *ictx;
 
+  iv_gen oiv; // generator for random byte prefix
+
+  void generate_auth_data ();
+
+  ev_tstamp auth_expire; // when the snd_* and *_ecdh values expire
+
+  // send auth data - used for octx
+  auth_data snd_auth;
+  auth_mac snd_auth_mac; // expected response mac
+  ecdh_key snd_ecdh_a; // the secret ecdh key we used for our request
+  ecdh_key snd_ecdh_b; // the public ecdh key we received in the response
+  bool have_snd_auth; // received response for our req
+
+  // receive auth data - used for ictx
+  auth_data rcv_auth;
+  ecdh_key rcv_ecdh_a; // the secret ecdh key we used for our response
+  ecdh_key rcv_ecdh_b; // the public ecdh key we sent in our response
+  bool have_rcv_auth; // received auth from other side
 
 #if ENABLE_DNS
   struct dns_connection *dns;
-
-  void dnsv4_reset_connection ();
 #endif
 
   enum conf_node::connectmode connectmode;
@@ -169,7 +233,7 @@
 
   const sockinfo &forward_si (const sockinfo &si) const;
   void shutdown ();
-  void connection_established ();
+  void connection_established (const sockinfo &rsi);
   void reset_connection ();
   void establish_connection_cb (ev::timer &w, int revents);
   ev::timer establish_connection;
@@ -178,7 +242,7 @@
 
   void send_connect_request (int id);
   void send_auth_request (const sockinfo &si, bool initiate);
-  void send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg);
+  void send_auth_response (const sockinfo &si);
   void send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols);
   void send_reset (const sockinfo &dsi);
   void send_ping (const sockinfo &dsi, u8 pong = 0);
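Review bot: `snd_ecdh_a` and `rcv_ecdh_a` are declared as the secret ECDH keys and `snd_auth`/`rcv_auth` hold the generated RSA key material, yet the header gives no contract for when this material becomes invalid or is cleared; `auth_expire` only says when the snd_* values expire, not what happens to them. A comment on the block would make the lifecycle explicit, e.g. `// secret material: regenerated by generate_auth_data (); must be cleared when auth_expire passes or the connection is reset`, provided that matches what connection.C does (the implementation is not visible here). The `//tstamp last_si_change;` line is commented-out code; either drop it or mark it as a TODO so it is not mistaken for a live member. `is_direct`, `have_snd_auth` and `have_rcv_auth` are plain bool members with no initializer in the header, so they presumably rely on the constructor, which lies outside this hunk, to set them. The enclosing struct connection starts and ends outside the hunk.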
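Review bot: `send_auth_response (const sockinfo &si)` drops the `rsaid`/`rsachallenge` parameters, so whatever it sends must now come from connection state rather than from its arguments, presumably the `rcv_auth`/`rcv_ecdh_*` members added in the first hunk of this file. That precondition is invisible at the call site and should be documented on the declaration, e.g. `// requires rcv_auth/rcv_ecdh_* to have been filled from a received auth request`. Likewise `connection_established (const sockinfo &rsi)` in the preceding hunk should state what `rsi` is, e.g. `// rsi: remote socket address the connection was established on`, if that is the intended meaning. The enclosing struct connection continues outside the hunk.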
@@ -194,6 +258,7 @@
   void script_init_env (const char *ext);
   void script_init_connect_env ();
   const char *script_node_up ();
+  const char *script_node_change ();
   const char *script_node_down ();
   void dump_status ();
 