… | |
… | |
16 | Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
16 | Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
17 | */ |
17 | */ |
18 | |
18 | |
19 | #include "config.h" |
19 | #include "config.h" |
20 | |
20 | |
|
|
21 | #include <list> |
|
|
22 | |
21 | #include <cstdlib> |
23 | #include <cstdlib> |
22 | #include <cstring> |
24 | #include <cstring> |
23 | #include <cstdio> |
25 | #include <cstdio> |
24 | |
26 | |
25 | #include <sys/types.h> |
27 | #include <sys/types.h> |
… | |
… | |
71 | } |
73 | } |
72 | |
74 | |
73 | return challenge; |
75 | return challenge; |
74 | } |
76 | } |
75 | |
77 | |
|
|
78 | // caching of rsa operations really helps slow computers |
|
|
79 | struct rsa_entry { |
|
|
80 | tstamp expire; |
|
|
81 | rsachallenge chg; |
|
|
82 | RSA *key; // which key |
|
|
83 | rsaencrdata encr; |
|
|
84 | |
|
|
85 | rsa_entry () |
|
|
86 | { |
|
|
87 | expire = NOW + CHALLENGE_TTL; |
|
|
88 | } |
|
|
89 | }; |
|
|
90 | |
|
|
91 | struct rsa_cache : list<rsa_entry> |
|
|
92 | { |
|
|
93 | void cleaner_cb (tstamp &ts); time_watcher cleaner; |
|
|
94 | |
|
|
95 | const rsaencrdata *public_encrypt (RSA *key, const rsachallenge &chg) |
|
|
96 | { |
|
|
97 | for (iterator i = begin (); i != end (); ++i) |
|
|
98 | { |
|
|
99 | if (i->key == key && !memcmp (&chg, &i->chg, sizeof chg)) |
|
|
100 | return &i->encr; |
|
|
101 | } |
|
|
102 | |
|
|
103 | if (cleaner.at < NOW) |
|
|
104 | cleaner.start (NOW + CHALLENGE_TTL); |
|
|
105 | |
|
|
106 | resize (size () + 1); |
|
|
107 | rsa_entry *e = &(*rbegin ()); |
|
|
108 | |
|
|
109 | e->key = key; |
|
|
110 | memcpy (&e->chg, &chg, sizeof chg); |
|
|
111 | |
|
|
112 | if (0 > RSA_public_encrypt (sizeof chg, |
|
|
113 | (unsigned char *)&chg, (unsigned char *)&e->encr, |
|
|
114 | key, RSA_PKCS1_OAEP_PADDING)) |
|
|
115 | fatal ("RSA_public_encrypt error"); |
|
|
116 | |
|
|
117 | return &e->encr; |
|
|
118 | } |
|
|
119 | |
|
|
120 | const rsachallenge *private_decrypt (RSA *key, const rsaencrdata &encr) |
|
|
121 | { |
|
|
122 | for (iterator i = begin (); i != end (); ++i) |
|
|
123 | if (i->key == key && !memcmp (&encr, &i->encr, sizeof encr)) |
|
|
124 | return &i->chg; |
|
|
125 | |
|
|
126 | if (cleaner.at < NOW) |
|
|
127 | cleaner.start (NOW + CHALLENGE_TTL); |
|
|
128 | |
|
|
129 | resize (size () + 1); |
|
|
130 | rsa_entry *e = &(*rbegin ()); |
|
|
131 | |
|
|
132 | e->key = key; |
|
|
133 | memcpy (&e->encr, &encr, sizeof encr); |
|
|
134 | |
|
|
135 | if (0 > RSA_private_decrypt (sizeof encr, |
|
|
136 | (unsigned char *)&encr, (unsigned char *)&e->chg, |
|
|
137 | key, RSA_PKCS1_OAEP_PADDING)) |
|
|
138 | { |
|
|
139 | pop_back (); |
|
|
140 | return 0; |
|
|
141 | } |
|
|
142 | |
|
|
143 | return &e->chg; |
|
|
144 | } |
|
|
145 | |
|
|
146 | rsa_cache () |
|
|
147 | : cleaner (this, &rsa_cache::cleaner_cb) |
|
|
148 | { } |
|
|
149 | |
|
|
150 | } rsa_cache; |
|
|
151 | |
|
|
152 | void rsa_cache::cleaner_cb (tstamp &ts) |
|
|
153 | { |
|
|
154 | if (empty ()) |
|
|
155 | ts = TSTAMP_CANCEL; |
|
|
156 | else |
|
|
157 | { |
|
|
158 | ts = NOW + 3; |
|
|
159 | for (iterator i = begin (); i != end (); ) |
|
|
160 | { |
|
|
161 | if (i->expire >= NOW) |
|
|
162 | i = erase (i); |
|
|
163 | else |
|
|
164 | ++i; |
|
|
165 | } |
|
|
166 | } |
|
|
167 | } |
|
|
168 | |
76 | // run a script. yes, it's a template function. yes, c++ |
169 | // run a script. yes, it's a template function. yes, c++ |
77 | // is not a functional language. yes, this suxx. |
170 | // is not a functional language. yes, this suxx. |
78 | template<class owner> |
171 | template<class owner> |
79 | static void |
172 | static void |
80 | run_script (owner *obj, const char *(owner::*setup)(), bool wait) |
173 | run_script (owner *obj, const char *(owner::*setup)(), bool wait) |
… | |
… | |
112 | struct crypto_ctx |
205 | struct crypto_ctx |
113 | { |
206 | { |
114 | EVP_CIPHER_CTX cctx; |
207 | EVP_CIPHER_CTX cctx; |
115 | HMAC_CTX hctx; |
208 | HMAC_CTX hctx; |
116 | |
209 | |
117 | crypto_ctx (rsachallenge &challenge, int enc); |
210 | crypto_ctx (const rsachallenge &challenge, int enc); |
118 | ~crypto_ctx (); |
211 | ~crypto_ctx (); |
119 | }; |
212 | }; |
120 | |
213 | |
121 | crypto_ctx::crypto_ctx (rsachallenge &challenge, int enc) |
214 | crypto_ctx::crypto_ctx (const rsachallenge &challenge, int enc) |
122 | { |
215 | { |
123 | EVP_CIPHER_CTX_init (&cctx); |
216 | EVP_CIPHER_CTX_init (&cctx); |
124 | EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); |
217 | EVP_CipherInit_ex (&cctx, CIPHER, 0, &challenge[CHG_CIPHER_KEY], 0, enc); |
125 | HMAC_CTX_init (&hctx); |
218 | HMAC_CTX_init (&hctx); |
126 | HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); |
219 | HMAC_Init_ex (&hctx, &challenge[CHG_HMAC_KEY], HMAC_KEYLEN, DIGEST, 0); |
… | |
… | |
352 | } |
445 | } |
353 | #endif |
446 | #endif |
354 | |
447 | |
355 | EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); |
448 | EVP_EncryptInit_ex (cctx, 0, 0, 0, 0); |
356 | |
449 | |
|
|
450 | struct { |
357 | #if RAND_SIZE |
451 | #if RAND_SIZE |
358 | struct { |
|
|
359 | u8 rnd[RAND_SIZE]; |
452 | u8 rnd[RAND_SIZE]; |
|
|
453 | #endif |
360 | u32 seqno; |
454 | u32 seqno; |
361 | } datahdr; |
455 | } datahdr; |
362 | |
456 | |
363 | datahdr.seqno = seqno; |
457 | datahdr.seqno = ntohl (seqno); |
|
|
458 | #if RAND_SIZE |
364 | RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); |
459 | RAND_pseudo_bytes ((unsigned char *) datahdr.rnd, RAND_SIZE); |
|
|
460 | #endif |
365 | |
461 | |
366 | EVP_EncryptUpdate (cctx, |
462 | EVP_EncryptUpdate (cctx, |
367 | (unsigned char *) data + outl, &outl2, |
463 | (unsigned char *) data + outl, &outl2, |
368 | (unsigned char *) &datahdr, DATAHDR); |
464 | (unsigned char *) &datahdr, DATAHDR); |
369 | outl += outl2; |
465 | outl += outl2; |
370 | #else |
|
|
371 | EVP_EncryptUpdate (cctx, |
|
|
372 | (unsigned char *) data + outl, &outl2, |
|
|
373 | (unsigned char *) &seqno, DATAHDR); |
|
|
374 | outl += outl2; |
|
|
375 | #endif |
|
|
376 | |
466 | |
377 | EVP_EncryptUpdate (cctx, |
467 | EVP_EncryptUpdate (cctx, |
378 | (unsigned char *) data + outl, &outl2, |
468 | (unsigned char *) data + outl, &outl2, |
379 | (unsigned char *) d, l); |
469 | (unsigned char *) d, l); |
380 | outl += outl2; |
470 | outl += outl2; |
… | |
… | |
416 | outl += outl2; |
506 | outl += outl2; |
417 | |
507 | |
418 | EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); |
508 | EVP_DecryptFinal_ex (cctx, (unsigned char *)d + outl, &outl2); |
419 | outl += outl2; |
509 | outl += outl2; |
420 | |
510 | |
421 | seqno = *(u32 *)(d + RAND_SIZE); |
511 | seqno = ntohl (*(u32 *)(d + RAND_SIZE)); |
422 | |
512 | |
423 | id2mac (dst () ? dst() : THISNODE->id, p->dst); |
513 | id2mac (dst () ? dst() : THISNODE->id, p->dst); |
424 | id2mac (src (), p->src); |
514 | id2mac (src (), p->src); |
425 | |
515 | |
426 | #if ENABLE_COMPRESSION |
516 | #if ENABLE_COMPRESSION |
… | |
… | |
456 | u32 digest_nid; |
546 | u32 digest_nid; |
457 | |
547 | |
458 | const u8 curflags () const |
548 | const u8 curflags () const |
459 | { |
549 | { |
460 | return 0x80 |
550 | return 0x80 |
461 | | 0x02 |
|
|
462 | #if PROTOCOL_MAJOR != 2 |
|
|
463 | #error hi |
|
|
464 | #endif |
|
|
465 | | (ENABLE_COMPRESSION ? 0x01 : 0x00); |
551 | | (ENABLE_COMPRESSION ? 0x01 : 0x00); |
466 | } |
552 | } |
467 | |
553 | |
468 | void setup (ptype type, int dst) |
554 | void setup (ptype type, int dst) |
469 | { |
555 | { |
… | |
… | |
581 | void |
667 | void |
582 | connection::send_reset (SOCKADDR *dsa) |
668 | connection::send_reset (SOCKADDR *dsa) |
583 | { |
669 | { |
584 | static net_rate_limiter limiter(1); |
670 | static net_rate_limiter limiter(1); |
585 | |
671 | |
586 | if (limiter.can (dsa)) |
672 | if (limiter.can (dsa) && connectmode != conf_node::C_DISABLED) |
587 | { |
673 | { |
588 | config_packet *pkt = new config_packet; |
674 | config_packet *pkt = new config_packet; |
589 | |
675 | |
590 | pkt->setup (vpn_packet::PT_RESET, conf->id); |
676 | pkt->setup (vpn_packet::PT_RESET, conf->id); |
591 | vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST); |
677 | vpn->send_vpn_packet (pkt, dsa, IPTOS_MINCOST); |
… | |
… | |
593 | delete pkt; |
679 | delete pkt; |
594 | } |
680 | } |
595 | } |
681 | } |
596 | |
682 | |
597 | static rsachallenge * |
683 | static rsachallenge * |
598 | gen_challenge (SOCKADDR *sa) |
684 | gen_challenge (u32 seqrand, SOCKADDR *sa) |
599 | { |
685 | { |
600 | static rsachallenge k; |
686 | static rsachallenge k; |
601 | |
687 | |
602 | memcpy (&k, &challenge_bytes (), sizeof (k)); |
688 | memcpy (&k, &challenge_bytes (), sizeof (k)); |
603 | RAND_bytes ((unsigned char *)&k[CHG_SEQNO], sizeof (u32)); |
689 | *(u32 *)&k[CHG_SEQNO] ^= seqrand; |
604 | xor_sa (k, sa); |
690 | xor_sa (k, sa); |
605 | |
691 | |
606 | return &k; |
692 | return &k; |
607 | } |
693 | } |
608 | |
694 | |
609 | void |
695 | void |
610 | connection::send_auth (auth_subtype subtype, SOCKADDR *sa, rsachallenge *k) |
696 | connection::send_auth (auth_subtype subtype, SOCKADDR *sa, const rsachallenge *k) |
611 | { |
697 | { |
612 | static net_rate_limiter limiter(2); |
698 | static net_rate_limiter limiter(0.2); |
613 | |
699 | |
614 | if (subtype != AUTH_INIT || limiter.can (sa)) |
700 | if (subtype != AUTH_INIT || limiter.can (sa)) |
615 | { |
701 | { |
|
|
702 | if (!k) |
|
|
703 | k = gen_challenge (seqrand, sa); |
|
|
704 | |
616 | auth_packet *pkt = new auth_packet (conf->id, subtype); |
705 | auth_packet *pkt = new auth_packet (conf->id, subtype); |
617 | |
706 | |
618 | if (!k) |
707 | memcpy (pkt->challenge, rsa_cache.public_encrypt (conf->rsa_key, *k), sizeof (rsaencrdata)); |
619 | k = gen_challenge (sa); |
|
|
620 | |
|
|
621 | if (0 > RSA_public_encrypt (sizeof (*k), |
|
|
622 | (unsigned char *)k, (unsigned char *)&pkt->challenge, |
|
|
623 | conf->rsa_key, RSA_PKCS1_OAEP_PADDING)) |
|
|
624 | fatal ("RSA_public_encrypt error"); |
|
|
625 | |
708 | |
626 | slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); |
709 | slog (L_TRACE, ">>%d PT_AUTH(%d) [%s]", conf->id, subtype, (const char *)sockinfo (sa)); |
627 | |
710 | |
628 | vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); |
711 | vpn->send_vpn_packet (pkt, sa, IPTOS_RELIABILITY); |
629 | |
712 | |
… | |
… | |
640 | { |
723 | { |
641 | double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.25; |
724 | double retry_int = double (retry_cnt & 3 ? (retry_cnt & 3) : 1 << (retry_cnt >> 2)) * 0.25; |
642 | |
725 | |
643 | if (retry_int < 3600 * 8) |
726 | if (retry_int < 3600 * 8) |
644 | retry_cnt++; |
727 | retry_cnt++; |
645 | |
|
|
646 | if (connectmode == conf_node::C_ONDEMAND |
|
|
647 | && retry_int > ::conf.keepalive) |
|
|
648 | retry_int = ::conf.keepalive; |
|
|
649 | |
728 | |
650 | ts = NOW + retry_int; |
729 | ts = NOW + retry_int; |
651 | |
730 | |
652 | if (conf->hostname) |
731 | if (conf->hostname) |
653 | { |
732 | { |
… | |
… | |
672 | |
751 | |
673 | if (::conf.script_node_down) |
752 | if (::conf.script_node_down) |
674 | run_script (this, &connection::script_node_down, false); |
753 | run_script (this, &connection::script_node_down, false); |
675 | } |
754 | } |
676 | |
755 | |
677 | delete ictx; |
756 | delete ictx; ictx = 0; |
678 | ictx = 0; |
757 | delete octx; octx = 0; |
679 | |
758 | |
680 | delete octx; |
759 | RAND_bytes ((unsigned char *)&seqrand, sizeof (u32)); |
681 | octx = 0; |
|
|
682 | |
760 | |
683 | sa.sin_port = 0; |
761 | sa.sin_port = 0; |
684 | sa.sin_addr.s_addr = 0; |
762 | sa.sin_addr.s_addr = 0; |
685 | |
763 | |
686 | last_activity = 0; |
764 | last_activity = 0; |
… | |
… | |
774 | reset_connection (); |
852 | reset_connection (); |
775 | |
853 | |
776 | config_packet *p = (config_packet *) pkt; |
854 | config_packet *p = (config_packet *) pkt; |
777 | if (!p->chk_config ()) |
855 | if (!p->chk_config ()) |
778 | { |
856 | { |
779 | slog (L_WARN, _("disabling node '%s' because of differing protocol"), conf->nodename); |
857 | slog (L_WARN, _("protocol mismatch, disabling node '%s'"), conf->nodename); |
780 | connectmode = conf_node::C_NEVER; |
858 | connectmode = conf_node::C_DISABLED; |
781 | } |
859 | } |
782 | else if (connectmode == conf_node::C_ALWAYS) |
860 | else if (connectmode == conf_node::C_ALWAYS) |
783 | establish_connection (); |
861 | establish_connection (); |
784 | } |
862 | } |
785 | break; |
863 | break; |
… | |
… | |
798 | PROTOCOL_MINOR, conf->nodename, p->prot_minor); |
876 | PROTOCOL_MINOR, conf->nodename, p->prot_minor); |
799 | |
877 | |
800 | if (p->subtype == AUTH_INIT) |
878 | if (p->subtype == AUTH_INIT) |
801 | send_auth (AUTH_INITREPLY, ssa); |
879 | send_auth (AUTH_INITREPLY, ssa); |
802 | |
880 | |
803 | rsachallenge k; |
881 | const rsachallenge *k = rsa_cache.private_decrypt (::conf.rsa_key, p->challenge); |
804 | |
882 | |
805 | if (0 > RSA_private_decrypt (sizeof (rsaencrdata), |
883 | if (!k) |
806 | (unsigned char *)&p->challenge, (unsigned char *)&k, |
|
|
807 | ::conf.rsa_key, RSA_PKCS1_OAEP_PADDING)) |
|
|
808 | { |
884 | { |
809 | slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"), |
885 | slog (L_ERR, _("challenge from %s (%s) illegal or corrupted"), |
810 | conf->nodename, (const char *)sockinfo (ssa)); |
886 | conf->nodename, (const char *)sockinfo (ssa)); |
811 | break; |
887 | break; |
812 | } |
888 | } |
… | |
… | |
823 | delete ictx; |
899 | delete ictx; |
824 | ictx = 0; |
900 | ictx = 0; |
825 | |
901 | |
826 | delete octx; |
902 | delete octx; |
827 | |
903 | |
828 | octx = new crypto_ctx (k, 1); |
904 | octx = new crypto_ctx (*k, 1); |
829 | oseqno = *(u32 *)&k[CHG_SEQNO] & 0x7fffffff; |
905 | oseqno = ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff; |
830 | |
906 | |
831 | send_auth (AUTH_REPLY, ssa, &k); |
907 | send_auth (AUTH_REPLY, ssa, k); |
832 | break; |
908 | break; |
833 | |
909 | |
834 | case AUTH_REPLY: |
910 | case AUTH_REPLY: |
835 | |
911 | |
836 | if (!memcmp ((u8 *)gen_challenge (ssa) + sizeof (u32), (u8 *)&k + sizeof (u32), |
912 | if (!memcmp ((u8 *)gen_challenge (seqrand, ssa), (u8 *)k, sizeof (rsachallenge))) |
837 | sizeof (rsachallenge) - sizeof (u32))) |
|
|
838 | { |
913 | { |
839 | delete ictx; |
914 | delete ictx; |
840 | |
915 | |
841 | ictx = new crypto_ctx (k, 0); |
916 | ictx = new crypto_ctx (*k, 0); |
842 | iseqno.reset (*(u32 *)&k[CHG_SEQNO] & 0x7fffffff); // at least 2**31 sequence numbers are valid |
917 | iseqno.reset (ntohl (*(u32 *)&k[CHG_SEQNO]) & 0x7fffffff); // at least 2**31 sequence numbers are valid |
843 | |
918 | |
844 | sa = *ssa; |
919 | sa = *ssa; |
845 | |
920 | |
846 | rekey.set (NOW + ::conf.rekey); |
921 | rekey.set (NOW + ::conf.rekey); |
847 | keepalive.set (NOW + ::conf.keepalive); |
922 | keepalive.set (NOW + ::conf.keepalive); |