| /* |
| * OpenVPN -- An application to securely tunnel IP networks |
| * over a single TCP/UDP port, with support for SSL/TLS-based |
| * session authentication and key exchange, |
| * packet encryption, packet authentication, and |
| * packet compression. |
| * |
| * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> |
| * |
| * This program is free software; you can redistribute it and/or modify |
| * it under the terms of the GNU General Public License version 2 |
| * as published by the Free Software Foundation. |
| * |
| * This program is distributed in the hope that it will be useful, |
| * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| * GNU General Public License for more details. |
| * |
| * You should have received a copy of the GNU General Public License along |
| * with this program; if not, write to the Free Software Foundation, Inc., |
| * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
| */ |
| |
| /* |
| * These routines are designed to catch replay attacks, |
| * where a man-in-the-middle captures packets and then |
| * attempts to replay them back later. |
| * |
| * We use the "sliding-window" algorithm, similar |
| * to IPSec. |
| */ |
| |
| #ifdef HAVE_CONFIG_H |
| #include "config.h" |
| #elif defined(_MSC_VER) |
| #include "config-msvc.h" |
| #endif |
| |
| #include "syshead.h" |
| |
| #ifdef ENABLE_CRYPTO |
| |
| #include "packet_id.h" |
| #include "misc.h" |
| #include "integer.h" |
| |
| #include "memdbg.h" |
| |
| /* #define PID_SIMULATE_BACKTRACK */ |
| |
| /* |
| * Special time_t value that indicates that |
| * sequence number has expired. |
| */ |
| #define SEQ_UNSEEN ((time_t)0) |
| #define SEQ_EXPIRED ((time_t)1) |
| |
| static void packet_id_debug_print(int msglevel, |
| const struct packet_id_rec *p, |
| const struct packet_id_net *pin, |
| const char *message, |
| int value); |
| |
| static inline void |
| packet_id_debug(int msglevel, |
| const struct packet_id_rec *p, |
| const struct packet_id_net *pin, |
| const char *message, |
| int value) |
| { |
| #ifdef ENABLE_DEBUG |
| if (unlikely(check_debug_level(msglevel))) |
| { |
| packet_id_debug_print(msglevel, p, pin, message, value); |
| } |
| #endif |
| } |
| |
| void |
| packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit) |
| { |
| dmsg(D_PID_DEBUG, "PID packet_id_init seq_backtrack=%d time_backtrack=%d", |
| seq_backtrack, |
| time_backtrack); |
| |
| ASSERT(p); |
| CLEAR(*p); |
| |
| p->rec.name = name; |
| p->rec.unit = unit; |
| if (seq_backtrack) |
| { |
| ASSERT(MIN_SEQ_BACKTRACK <= seq_backtrack && seq_backtrack <= MAX_SEQ_BACKTRACK); |
| ASSERT(MIN_TIME_BACKTRACK <= time_backtrack && time_backtrack <= MAX_TIME_BACKTRACK); |
| CIRC_LIST_ALLOC(p->rec.seq_list, struct seq_list, seq_backtrack); |
| p->rec.seq_backtrack = seq_backtrack; |
| p->rec.time_backtrack = time_backtrack; |
| } |
| p->rec.initialized = true; |
| } |
| |
| void |
| packet_id_free(struct packet_id *p) |
| { |
| if (p) |
| { |
| dmsg(D_PID_DEBUG, "PID packet_id_free"); |
| if (p->rec.seq_list) |
| { |
| free(p->rec.seq_list); |
| } |
| CLEAR(*p); |
| } |
| } |
| |
| void |
| packet_id_add(struct packet_id_rec *p, const struct packet_id_net *pin) |
| { |
| const time_t local_now = now; |
| if (p->seq_list) |
| { |
| packet_id_type diff; |
| |
| /* |
| * If time value increases, start a new |
| * sequence number sequence. |
| */ |
| if (!CIRC_LIST_SIZE(p->seq_list) |
| || pin->time > p->time |
| || (pin->id >= (packet_id_type)p->seq_backtrack |
| && pin->id - (packet_id_type)p->seq_backtrack > p->id)) |
| { |
| p->time = pin->time; |
| p->id = 0; |
| if (pin->id > (packet_id_type)p->seq_backtrack) |
| { |
| p->id = pin->id - (packet_id_type)p->seq_backtrack; |
| } |
| CIRC_LIST_RESET(p->seq_list); |
| } |
| |
| while (p->id < pin->id |
| #ifdef PID_SIMULATE_BACKTRACK |
| || (get_random() % 64) < 31 |
| #endif |
| ) |
| { |
| CIRC_LIST_PUSH(p->seq_list, SEQ_UNSEEN); |
| ++p->id; |
| } |
| |
| diff = p->id - pin->id; |
| if (diff < (packet_id_type) CIRC_LIST_SIZE(p->seq_list) |
| && local_now > SEQ_EXPIRED) |
| { |
| CIRC_LIST_ITEM(p->seq_list, diff) = local_now; |
| } |
| } |
| else |
| { |
| p->time = pin->time; |
| p->id = pin->id; |
| } |
| } |
| |
| /* |
| * Expire sequence numbers which can no longer |
| * be accepted because they would violate |
| * time_backtrack. |
| */ |
| void |
| packet_id_reap(struct packet_id_rec *p) |
| { |
| const time_t local_now = now; |
| if (p->time_backtrack) |
| { |
| int i; |
| bool expire = false; |
| for (i = 0; i < CIRC_LIST_SIZE(p->seq_list); ++i) |
| { |
| const time_t t = CIRC_LIST_ITEM(p->seq_list, i); |
| if (t == SEQ_EXPIRED) |
| { |
| break; |
| } |
| if (!expire && t && t + p->time_backtrack < local_now) |
| { |
| expire = true; |
| } |
| if (expire) |
| { |
| CIRC_LIST_ITEM(p->seq_list, i) = SEQ_EXPIRED; |
| } |
| } |
| } |
| p->last_reap = local_now; |
| } |
| |
| /* |
| * Return true if packet id is ok, or false if |
| * it is a replay. |
| */ |
| bool |
| packet_id_test(struct packet_id_rec *p, |
| const struct packet_id_net *pin) |
| { |
| packet_id_type diff; |
| |
| packet_id_debug(D_PID_DEBUG, p, pin, "PID_TEST", 0); |
| |
| ASSERT(p->initialized); |
| |
| if (!pin->id) |
| { |
| return false; |
| } |
| |
| if (p->seq_backtrack) |
| { |
| /* |
| * In backtrack mode, we allow packet reordering subject |
| * to the seq_backtrack and time_backtrack constraints. |
| * |
| * This mode is used with UDP. |
| */ |
| if (pin->time == p->time) |
| { |
| /* is packet-id greater than any one we've seen yet? */ |
| if (pin->id > p->id) |
| { |
| return true; |
| } |
| |
| /* check packet-id sliding window for original/replay status */ |
| diff = p->id - pin->id; |
| |
| /* keep track of maximum backtrack seen for debugging purposes */ |
| if ((int)diff > p->max_backtrack_stat) |
| { |
| p->max_backtrack_stat = (int)diff; |
| packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR replay-window backtrack occurred", p->max_backtrack_stat); |
| } |
| |
| if (diff >= (packet_id_type) CIRC_LIST_SIZE(p->seq_list)) |
| { |
| packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR large diff", diff); |
| return false; |
| } |
| |
| { |
| const time_t v = CIRC_LIST_ITEM(p->seq_list, diff); |
| if (v == 0) |
| { |
| return true; |
| } |
| else |
| { |
| /* raised from D_PID_DEBUG_LOW to reduce verbosity */ |
| packet_id_debug(D_PID_DEBUG_MEDIUM, p, pin, "PID_ERR replay", diff); |
| return false; |
| } |
| } |
| } |
| else if (pin->time < p->time) /* if time goes back, reject */ |
| { |
| packet_id_debug(D_PID_DEBUG_LOW, p, pin, "PID_ERR time backtrack", 0); |
| return false; |
| } |
| else /* time moved forward */ |
| { |
| return true; |
| } |
| } |
| else |
| { |
| /* |
| * In non-backtrack mode, all sequence number series must |
| * begin at some number n > 0 and must increment linearly without gaps. |
| * |
| * This mode is used with TCP. |
| */ |
| if (pin->time == p->time) |
| { |
| return !p->id || pin->id == p->id + 1; |
| } |
| else if (pin->time < p->time) /* if time goes back, reject */ |
| { |
| return false; |
| } |
| else /* time moved forward */ |
| { |
| return pin->id == 1; |
| } |
| } |
| } |
| |
| /* |
| * Read/write a packet ID to/from the buffer. Short form is sequence number |
| * only. Long form is sequence number and timestamp. |
| */ |
| |
| bool |
| packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form) |
| { |
| packet_id_type net_id; |
| net_time_t net_time; |
| |
| pin->id = 0; |
| pin->time = 0; |
| |
| if (!buf_read(buf, &net_id, sizeof(net_id))) |
| { |
| return false; |
| } |
| pin->id = ntohpid(net_id); |
| if (long_form) |
| { |
| if (!buf_read(buf, &net_time, sizeof(net_time))) |
| { |
| return false; |
| } |
| pin->time = ntohtime(net_time); |
| } |
| return true; |
| } |
| |
| static bool |
| packet_id_send_update(struct packet_id_send *p, bool long_form) |
| { |
| if (!p->time) |
| { |
| p->time = now; |
| } |
| if (p->id == PACKET_ID_MAX) |
| { |
| /* Packet ID only allowed to roll over if using long form and time has |
| * moved forward since last roll over. |
| */ |
| if (!long_form || now <= p->time) |
| { |
| return false; |
| } |
| p->time = now; |
| p->id = 0; |
| } |
| p->id++; |
| return true; |
| } |
| |
| bool |
| packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form, |
| bool prepend) |
| { |
| if (!packet_id_send_update(p, long_form)) |
| { |
| return false; |
| } |
| |
| const packet_id_type net_id = htonpid(p->id); |
| const net_time_t net_time = htontime(p->time); |
| if (prepend) |
| { |
| if (long_form) |
| { |
| if (!buf_write_prepend(buf, &net_time, sizeof(net_time))) |
| { |
| return false; |
| } |
| } |
| if (!buf_write_prepend(buf, &net_id, sizeof(net_id))) |
| { |
| return false; |
| } |
| } |
| else |
| { |
| if (!buf_write(buf, &net_id, sizeof(net_id))) |
| { |
| return false; |
| } |
| if (long_form) |
| { |
| if (!buf_write(buf, &net_time, sizeof(net_time))) |
| { |
| return false; |
| } |
| } |
| } |
| return true; |
| } |
| |
| const char * |
| packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc) |
| { |
| struct buffer out = alloc_buf_gc(256, gc); |
| |
| buf_printf(&out, "[ #" packet_id_format, (packet_id_print_type)pin->id); |
| if (print_timestamp && pin->time) |
| { |
| buf_printf(&out, " / time = (" packet_id_format ") %s", |
| (packet_id_print_type)pin->time, |
| time_string(pin->time, 0, false, gc)); |
| } |
| |
| buf_printf(&out, " ]"); |
| return BSTR(&out); |
| } |
| |
| /* initialize the packet_id_persist structure in a disabled state */ |
| void |
| packet_id_persist_init(struct packet_id_persist *p) |
| { |
| p->filename = NULL; |
| p->fd = -1; |
| p->time = p->time_last_written = 0; |
| p->id = p->id_last_written = 0; |
| } |
| |
| /* close the file descriptor if it is open, and switch to disabled state */ |
| void |
| packet_id_persist_close(struct packet_id_persist *p) |
| { |
| if (packet_id_persist_enabled(p)) |
| { |
| if (close(p->fd)) |
| { |
| msg(D_PID_PERSIST | M_ERRNO, "Close error on --replay-persist file %s", p->filename); |
| } |
| packet_id_persist_init(p); |
| } |
| } |
| |
| /* load persisted rec packet_id (time and id) only once from file, and set state to enabled */ |
| void |
| packet_id_persist_load(struct packet_id_persist *p, const char *filename) |
| { |
| struct gc_arena gc = gc_new(); |
| if (!packet_id_persist_enabled(p)) |
| { |
| /* open packet-id persist file for both read and write */ |
| p->fd = platform_open(filename, |
| O_CREAT | O_RDWR | O_BINARY, |
| S_IRUSR | S_IWUSR); |
| if (p->fd == -1) |
| { |
| msg(D_PID_PERSIST | M_ERRNO, |
| "Cannot open --replay-persist file %s for read/write", |
| filename); |
| } |
| else |
| { |
| struct packet_id_persist_file_image image; |
| ssize_t n; |
| |
| #if defined(HAVE_FLOCK) && defined(LOCK_EX) && defined(LOCK_NB) |
| if (flock(p->fd, LOCK_EX | LOCK_NB)) |
| { |
| msg(M_ERR, "Cannot obtain exclusive lock on --replay-persist file %s", filename); |
| } |
| #endif |
| |
| p->filename = filename; |
| n = read(p->fd, &image, sizeof(image)); |
| if (n == sizeof(image)) |
| { |
| p->time = p->time_last_written = image.time; |
| p->id = p->id_last_written = image.id; |
| dmsg(D_PID_PERSIST_DEBUG, "PID Persist Read from %s: %s", |
| p->filename, packet_id_persist_print(p, &gc)); |
| } |
| else if (n == -1) |
| { |
| msg(D_PID_PERSIST | M_ERRNO, |
| "Read error on --replay-persist file %s", |
| p->filename); |
| } |
| } |
| } |
| gc_free(&gc); |
| } |
| |
| /* save persisted rec packet_id (time and id) to file (only if enabled state) */ |
| void |
| packet_id_persist_save(struct packet_id_persist *p) |
| { |
| if (packet_id_persist_enabled(p) && p->time && (p->time != p->time_last_written |
| || p->id != p->id_last_written)) |
| { |
| struct packet_id_persist_file_image image; |
| ssize_t n; |
| off_t seek_ret; |
| struct gc_arena gc = gc_new(); |
| |
| image.time = p->time; |
| image.id = p->id; |
| seek_ret = lseek(p->fd, (off_t)0, SEEK_SET); |
| if (seek_ret == (off_t)0) |
| { |
| n = write(p->fd, &image, sizeof(image)); |
| if (n == sizeof(image)) |
| { |
| p->time_last_written = p->time; |
| p->id_last_written = p->id; |
| dmsg(D_PID_PERSIST_DEBUG, "PID Persist Write to %s: %s", |
| p->filename, packet_id_persist_print(p, &gc)); |
| } |
| else |
| { |
| msg(D_PID_PERSIST | M_ERRNO, |
| "Cannot write to --replay-persist file %s", |
| p->filename); |
| } |
| } |
| else |
| { |
| msg(D_PID_PERSIST | M_ERRNO, |
| "Cannot seek to beginning of --replay-persist file %s", |
| p->filename); |
| } |
| gc_free(&gc); |
| } |
| } |
| |
| /* transfer packet_id_persist -> packet_id */ |
| void |
| packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid) |
| { |
| if (p && pid && packet_id_persist_enabled(p) && p->time) |
| { |
| pid->rec.time = p->time; |
| pid->rec.id = p->id; |
| } |
| } |
| |
| const char * |
| packet_id_persist_print(const struct packet_id_persist *p, struct gc_arena *gc) |
| { |
| struct buffer out = alloc_buf_gc(256, gc); |
| |
| buf_printf(&out, "["); |
| |
| if (packet_id_persist_enabled(p)) |
| { |
| buf_printf(&out, " #" packet_id_format, (packet_id_print_type)p->id); |
| if (p->time) |
| { |
| buf_printf(&out, " / time = (" packet_id_format ") %s", |
| (packet_id_print_type)p->time, |
| time_string(p->time, 0, false, gc)); |
| } |
| } |
| |
| buf_printf(&out, " ]"); |
| return (char *)out.data; |
| } |
| |
| #ifdef ENABLE_DEBUG |
| |
| static void |
| packet_id_debug_print(int msglevel, |
| const struct packet_id_rec *p, |
| const struct packet_id_net *pin, |
| const char *message, |
| int value) |
| { |
| struct gc_arena gc = gc_new(); |
| struct buffer out = alloc_buf_gc(256, &gc); |
| struct timeval tv; |
| const time_t prev_now = now; |
| const struct seq_list *sl = p->seq_list; |
| int i; |
| |
| CLEAR(tv); |
| gettimeofday(&tv, NULL); |
| |
| buf_printf(&out, "%s [%d]", message, value); |
| buf_printf(&out, " [%s-%d] [", p->name, p->unit); |
| for (i = 0; sl != NULL && i < sl->x_size; ++i) |
| { |
| char c; |
| time_t v; |
| int diff; |
| |
| v = CIRC_LIST_ITEM(sl, i); |
| if (v == SEQ_UNSEEN) |
| { |
| c = '_'; |
| } |
| else if (v == SEQ_EXPIRED) |
| { |
| c = 'E'; |
| } |
| else |
| { |
| diff = (int) prev_now - v; |
| if (diff < 0) |
| { |
| c = 'N'; |
| } |
| else if (diff < 10) |
| { |
| c = '0' + diff; |
| } |
| else |
| { |
| c = '>'; |
| } |
| } |
| buf_printf(&out, "%c", c); |
| } |
| buf_printf(&out, "] " time_format ":" packet_id_format, (time_type)p->time, (packet_id_print_type)p->id); |
| if (pin) |
| { |
| buf_printf(&out, " " time_format ":" packet_id_format, (time_type)pin->time, (packet_id_print_type)pin->id); |
| } |
| |
| buf_printf(&out, " t=" time_format "[%d]", |
| (time_type)prev_now, |
| (int)(prev_now - tv.tv_sec)); |
| |
| buf_printf(&out, " r=[%d,%d,%d,%d,%d]", |
| (int)(p->last_reap - tv.tv_sec), |
| p->seq_backtrack, |
| p->time_backtrack, |
| p->max_backtrack_stat, |
| (int)p->initialized); |
| if (sl != NULL) |
| { |
| buf_printf(&out, " sl=[%d,%d,%d,%d]", |
| sl->x_head, |
| sl->x_size, |
| sl->x_cap, |
| sl->x_sizeof); |
| } |
| |
| |
| msg(msglevel, "%s", BSTR(&out)); |
| gc_free(&gc); |
| } |
| |
| #endif /* ifdef ENABLE_DEBUG */ |
| |
| #ifdef PID_TEST |
| |
| void |
| packet_id_interactive_test(void) |
| { |
| struct packet_id pid; |
| struct packet_id_net pin; |
| bool long_form; |
| bool count = 0; |
| bool test; |
| |
| const int seq_backtrack = 10; |
| const int time_backtrack = 10; |
| |
| packet_id_init(&pid, seq_backtrack, time_backtrack); |
| |
| while (true) |
| { |
| char buf[80]; |
| if (!fgets(buf, sizeof(buf), stdin)) |
| { |
| break; |
| } |
| update_time(); |
| if (sscanf(buf, "%lu,%u", &pin.time, &pin.id) == 2) |
| { |
| packet_id_reap_test(&pid.rec); |
| test = packet_id_test(&pid.rec, &pin); |
| printf("packet_id_test (" time_format ", " packet_id_format ") returned %d\n", |
| (time_type)pin.time, |
| (packet_id_print_type)pin.id, |
| test); |
| if (test) |
| { |
| packet_id_add(&pid.rec, &pin); |
| } |
| } |
| else |
| { |
| long_form = (count < 20); |
| packet_id_alloc_outgoing(&pid.send, &pin, long_form); |
| printf("(" time_format "(" packet_id_format "), %d)\n", |
| (time_type)pin.time, |
| (packet_id_print_type)pin.id, |
| long_form); |
| if (pid.send.id == 10) |
| { |
| pid.send.id = 0xFFFFFFF8; |
| } |
| ++count; |
| } |
| } |
| packet_id_free(&pid); |
| } |
| #endif /* ifdef PID_TEST */ |
| |
| #endif /* ENABLE_CRYPTO */ |