diff options
author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2012-11-05 16:28:09 +0100 |
---|---|---|
committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2012-11-05 16:28:09 +0100 |
commit | 8dd0350e1607aa30f7a043c8d5ec7a7eeb874115 (patch) | |
tree | 566d0620eb693320cb121dfd93a5675fa704a30b /packet_id.h | |
parent | 349cfa7acb95abe865209a28e417ec74b56f9bba (diff) |
Imported Upstream version 2.3_rc1
Diffstat (limited to 'packet_id.h')
-rw-r--r-- | packet_id.h | 335 |
1 files changed, 0 insertions, 335 deletions
diff --git a/packet_id.h b/packet_id.h deleted file mode 100644 index 12c1df3..0000000 --- a/packet_id.h +++ /dev/null @@ -1,335 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single TCP/UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING included with this - * distribution); if not, write to the Free Software Foundation, Inc., - * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - -/* - * These routines are designed to catch replay attacks, - * where a man-in-the-middle captures packets and then - * attempts to replay them back later. - */ - -#ifdef USE_CRYPTO - -#ifndef PACKET_ID_H -#define PACKET_ID_H - -#include "circ_list.h" -#include "buffer.h" -#include "error.h" -#include "otime.h" - -/* - * Enables OpenVPN to be compiled in special packet_id test mode. - */ -/*#define PID_TEST*/ - -#if 1 -/* - * These are the types that members of - * a struct packet_id_net are converted - * to for network transmission. - */ -typedef uint32_t packet_id_type; -typedef uint32_t net_time_t; - -/* - * In TLS mode, when a packet ID gets to this level, - * start thinking about triggering a new - * SSL/TLS handshake. - */ -#define PACKET_ID_WRAP_TRIGGER 0xFF000000 - -/* convert a packet_id_type from host to network order */ -#define htonpid(x) htonl(x) - -/* convert a packet_id_type from network to host order */ -#define ntohpid(x) ntohl(x) - -/* convert a time_t in host order to a net_time_t in network order */ -#define htontime(x) htonl((net_time_t)x) - -/* convert a net_time_t in network order to a time_t in host order */ -#define ntohtime(x) ((time_t)ntohl(x)) - -#else - -/* - * DEBUGGING ONLY. - * Make packet_id_type and net_time_t small - * to test wraparound logic and corner cases. - */ - -typedef uint8_t packet_id_type; -typedef uint16_t net_time_t; - -#define PACKET_ID_WRAP_TRIGGER 0x80 - -#define htonpid(x) (x) -#define ntohpid(x) (x) -#define htontime(x) htons((net_time_t)x) -#define ntohtime(x) ((time_t)ntohs(x)) - -#endif - -/* - * Printf formats for special types - */ -#define packet_id_format "%u" -typedef unsigned int packet_id_print_type; - -/* - * Maximum allowed backtrack in - * sequence number due to packets arriving - * out of order. - */ -#define MIN_SEQ_BACKTRACK 0 -#define MAX_SEQ_BACKTRACK 65536 -#define DEFAULT_SEQ_BACKTRACK 64 - -/* - * Maximum allowed backtrack in - * seconds due to packets arriving - * out of order. - */ -#define MIN_TIME_BACKTRACK 0 -#define MAX_TIME_BACKTRACK 600 -#define DEFAULT_TIME_BACKTRACK 15 - -/* - * Do a reap pass through the sequence number - * array once every n seconds in order to - * expire sequence numbers which can no longer - * be accepted because they would violate - * TIME_BACKTRACK. - */ -#define SEQ_REAP_INTERVAL 5 - -CIRC_LIST (seq_list, time_t); - -/* - * This is the data structure we keep on the receiving side, - * to check that no packet-id (i.e. sequence number + optional timestamp) - * is accepted more than once. - */ -struct packet_id_rec -{ - time_t last_reap; /* last call of packet_id_reap */ - time_t time; /* highest time stamp received */ - packet_id_type id; /* highest sequence number received */ - int seq_backtrack; /* set from --replay-window */ - int time_backtrack; /* set from --replay-window */ - bool initialized; /* true if packet_id_init was called */ - struct seq_list *seq_list; /* packet-id "memory" */ -}; - -/* - * file to facilitate cross-session persistence - * of time/id - */ -struct packet_id_persist -{ - const char *filename; - int fd; - time_t time; /* time stamp */ - packet_id_type id; /* sequence number */ - time_t time_last_written; - packet_id_type id_last_written; -}; - -struct packet_id_persist_file_image -{ - time_t time; /* time stamp */ - packet_id_type id; /* sequence number */ -}; - -/* - * Keep a record of our current packet-id state - * on the sending side. - */ -struct packet_id_send -{ - packet_id_type id; - time_t time; -}; - -/* - * Communicate packet-id over the wire. - * A short packet-id is just a 32 bit - * sequence number. A long packet-id - * includes a timestamp as well. - * - * Long packet-ids are used as IVs for - * CFB/OFB ciphers. - * - * This data structure is always sent - * over the net in network byte order, - * by calling htonpid, ntohpid, - * htontime, and ntohtime on the - * data elements to change them - * to and from standard sizes. - * - * In addition, time is converted to - * a net_time_t before sending, - * since openvpn always - * uses a 32-bit time_t but some - * 64 bit platforms use a - * 64 bit time_t. - */ -struct packet_id_net -{ - packet_id_type id; - time_t time; /* converted to net_time_t before transmission */ -}; - -struct packet_id -{ - struct packet_id_send send; - struct packet_id_rec rec; -}; - -void packet_id_init (struct packet_id *p, int seq_backtrack, int time_backtrack); -void packet_id_free (struct packet_id *p); - -/* should we accept an incoming packet id ? */ -bool packet_id_test (const struct packet_id_rec *p, - const struct packet_id_net *pin); - -/* change our current state to reflect an accepted packet id */ -void packet_id_add (struct packet_id_rec *p, - const struct packet_id_net *pin); - -/* expire TIME_BACKTRACK sequence numbers */ -void packet_id_reap (struct packet_id_rec *p); - -/* - * packet ID persistence - */ - -/* initialize the packet_id_persist structure in a disabled state */ -void packet_id_persist_init (struct packet_id_persist *p); - -/* close the file descriptor if it is open, and switch to disabled state */ -void packet_id_persist_close (struct packet_id_persist *p); - -/* load persisted rec packet_id (time and id) only once from file, and set state to enabled */ -void packet_id_persist_load (struct packet_id_persist *p, const char *filename); - -/* save persisted rec packet_id (time and id) to file (only if enabled state) */ -void packet_id_persist_save (struct packet_id_persist *p); - -/* transfer packet_id_persist -> packet_id */ -void packet_id_persist_load_obj (const struct packet_id_persist *p, struct packet_id* pid); - -/* return an ascii string representing a packet_id_persist object */ -const char *packet_id_persist_print (const struct packet_id_persist *p, struct gc_arena *gc); - -/* - * Read/write a packet ID to/from the buffer. Short form is sequence number - * only. Long form is sequence number and timestamp. - */ - -bool packet_id_read (struct packet_id_net *pin, struct buffer *buf, bool long_form); -bool packet_id_write (const struct packet_id_net *pin, struct buffer *buf, bool long_form, bool prepend); - -/* - * Inline functions. - */ - -/* are we in enabled state? */ -static inline bool -packet_id_persist_enabled (const struct packet_id_persist *p) -{ - return p->fd >= 0; -} - -/* transfer packet_id -> packet_id_persist */ -static inline void -packet_id_persist_save_obj (struct packet_id_persist *p, const struct packet_id* pid) -{ - if (packet_id_persist_enabled (p) && pid->rec.time) - { - p->time = pid->rec.time; - p->id = pid->rec.id; - } -} - -const char* packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc); - -#ifdef PID_TEST -void packet_id_interactive_test(); -#endif - -static inline int -packet_id_size (bool long_form) -{ - return sizeof (packet_id_type) + (long_form ? sizeof (net_time_t) : 0); -} - -static inline bool -packet_id_close_to_wrapping (const struct packet_id_send *p) -{ - return p->id >= PACKET_ID_WRAP_TRIGGER; -} - -/* - * Allocate an outgoing packet id. - * Sequence number ranges from 1 to 2^32-1. - * In long_form, a time_t is added as well. - */ -static inline void -packet_id_alloc_outgoing (struct packet_id_send *p, struct packet_id_net *pin, bool long_form) -{ - if (!p->time) - p->time = now; - pin->id = ++p->id; - if (!pin->id) - { - ASSERT (long_form); - p->time = now; - pin->id = p->id = 1; - } - pin->time = p->time; -} - -static inline bool -check_timestamp_delta (time_t remote, unsigned int max_delta) -{ - unsigned int abs; - const time_t local_now = now; - - if (local_now >= remote) - abs = local_now - remote; - else - abs = remote - local_now; - return abs <= max_delta; -} - -static inline void -packet_id_reap_test (struct packet_id_rec *p) -{ - if (p->last_reap + SEQ_REAP_INTERVAL <= now) - packet_id_reap (p); -} - -#endif /* PACKET_ID_H */ -#endif /* USE_CRYPTO */ |