--- gvpe/src/connection.h 2011/02/08 23:13:48 1.35 +++ gvpe/src/connection.h 2013/07/16 16:44:36 1.37 @@ -1,6 +1,6 @@ /* connection.h -- header for connection.C - Copyright (C) 2003-2008 Marc Lehmann + Copyright (C) 2003-2008,2013 Marc Lehmann This file is part of GVPE. @@ -39,20 +39,57 @@ #include "sockinfo.h" #include "util.h" #include "device.h" +#include "curve25519.h" struct vpn; // called after HUP etc. to (re-)initialize global data structures void connection_init (); -struct rsaid +typedef curve25519_key ecdh_key; + +struct rsa_data +{ + u32 seqno; + u8 auth_key[AUTH_SIZE]; + u8 mac_key[MAC_KEYSIZE]; // used to generate hmac key + u8 cipher_key[CIPHER_KEYSIZE]; // used to generate cipher key + u8 hkdf_salt[HKDF_SALT]; // used as hkdf salt + u8 ikm[IKM_SIZE]; // used as additional keying material for both sides + u8 pad[ + (RSABITS >> 3) + - 41 // OAEP + - sizeof (u32) // seqno + - AUTH_SIZE + - MAC_KEYSIZE + - CIPHER_KEYSIZE + - HKDF_SALT + - IKM_SIZE + - 3 // struct alignment... + ]; +}; + +struct auth_data +{ + rsa_data rsa; + ecdh_key ecdh; +}; + +typedef u8 rsa_crypt[RSA_KEYLEN]; // encrypted challenge + +struct auth_encr { - u8 id[RSA_IDLEN]; // the challenge id + rsa_crypt rsa; + ecdh_key ecdh; }; -typedef rsaclear rsachallenge; // challenge data; -typedef rsacrypt rsaencrdata; // encrypted challenge -typedef u8 rsaresponse[RSA_RESLEN]; // the encrypted ripemd160 hash +typedef u8 auth_mac[AUTH_SIZE]; + +struct auth_response +{ + auth_mac mac; + ecdh_key ecdh; +}; //////////////////////////////////////////////////////////////////////////////////////// @@ -168,10 +205,25 @@ crypto_ctx *octx, *ictx; + void generate_auth_data (); + + ev_tstamp auth_expire; // when the snd_* and *_ecdh values expire + + // send auth data - used for octx + auth_data snd_auth; + auth_mac snd_auth_mac; // expected response mac + ecdh_key snd_ecdh_a; // the secret ecdh key we used for our request + ecdh_key snd_ecdh_b; // the public ecdh key we received in the response + bool have_snd_auth; // received response for our req + + // receive auth data - used for ictx + auth_data rcv_auth; + ecdh_key rcv_ecdh_a; // the secret ecdh key we used for our response + ecdh_key rcv_ecdh_b; // the public ecdh key we sent in our response + bool have_rcv_auth; // received auth from other side + #if ENABLE_DNS struct dns_connection *dns; - - void dnsv4_reset_connection (); #endif enum conf_node::connectmode connectmode; @@ -181,7 +233,7 @@ const sockinfo &forward_si (const sockinfo &si) const; void shutdown (); - void connection_established (); + void connection_established (const sockinfo &rsi); void reset_connection (); void establish_connection_cb (ev::timer &w, int revents); ev::timer establish_connection; @@ -190,7 +242,7 @@ void send_connect_request (int id); void send_auth_request (const sockinfo &si, bool initiate); - void send_auth_response (const sockinfo &si, const rsaid &id, const rsachallenge &chg); + void send_auth_response (const sockinfo &si); void send_connect_info (int rid, const sockinfo &rsi, u8 rprotocols); void send_reset (const sockinfo &dsi); void send_ping (const sockinfo &dsi, u8 pong = 0);