2000-03-26 00:33:07 +00:00
|
|
|
/*
|
|
|
|
|
protocol.h -- header for protocol.c
|
2006-04-26 13:52:58 +00:00
|
|
|
Copyright (C) 1999-2005 Ivo Timmermans,
|
2012-10-14 15:42:49 +00:00
|
|
|
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
|
2000-03-26 00:33:07 +00:00
|
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation; either version 2 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
2009-09-24 22:01:00 +00:00
|
|
|
You should have received a copy of the GNU General Public License along
|
|
|
|
|
with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
|
|
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
2000-03-26 00:33:07 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef __TINC_PROTOCOL_H__
|
|
|
|
|
#define __TINC_PROTOCOL_H__
|
|
|
|
|
|
Add an invitation protocol.
Using the tinc command, an administrator of an existing VPN can generate
invitations for new nodes. The invitation is a small URL that can easily
be copy&pasted into email or live chat. Another person can have tinc
automatically setup the necessary configuration files and exchange keys
with the server, by only using the invitation URL.
The invitation protocol uses temporary ECDSA keys. The invitation URL
consists of the hostname and port of the server, a hash of the server's
temporary ECDSA key and a cookie. When the client wants to accept an
invitation, it also creates a temporary ECDSA key, connects to the server
and says it wants to accept an invitation. Both sides exchange their
temporary keys. The client verifies that the server's key matches the hash
in the invitation URL. After setting up an SPTPS connection using the
temporary keys, the client gives the cookie to the server. If the cookie
is valid, the server sends the client an invitation file containing the
client's new name and a copy of the server's host config file. If everything
is ok, the client will generate a long-term ECDSA key and send it to the
server, which will add it to a new host config file for the client.
The invitation protocol currently allows multiple host config files to be
send from the server to the client. However, the client filters out
most configuration variables for its own host configuration file. In
particular, it only accepts Name, Mode, Broadcast, ConnectTo, Subnet and
AutoConnect. Also, at the moment no tinc-up script is generated.
When an invitation has succesfully been accepted, the client needs to start
the tinc daemon manually.
2013-05-29 16:31:10 +00:00
|
|
|
#include "ecdsa.h"
|
|
|
|
|
|
2011-07-05 19:19:48 +00:00
|
|
|
/* Protocol version. Different major versions are incompatible. */
|
2000-09-11 10:05:35 +00:00
|
|
|
|
2011-07-05 19:19:48 +00:00
|
|
|
#define PROT_MAJOR 17
|
Introduce lightweight PMTU probe replies.
When replying to a PMTU probe, tinc sends a packet with the same length
as the PMTU probe itself, which is usually large (~1450 bytes). This is
not necessary: the other node wants to know the size of the PMTU probes
that have been received, but encoding this information as the actual
reply length is probably the most inefficient way to do it. It doubles
the bandwidth usage of the PMTU discovery process, and makes it less
reliable since large packets are more likely to be dropped.
This patch introduces a new PMTU probe reply type, encoded as type "2"
in the first byte of the packet, that indicates that the length of the
PMTU probe that is being replied to is encoded in the next two bytes of
the packet. Thus reply packets are only 3 bytes long.
(This also protects against very broken networks that drop very small
packets - yes, I've seen it happen on a subnet of a national ISP - in
such a case the PMTU probe replies will be dropped, and tinc won't
enable UDP communication, which is a good thing.)
Because legacy nodes won't understand type 2 probe replies, the minor
protocol number is bumped to 3.
Note that this also improves bandwidth estimation, as it is able to
measure bandwidth in both directions independently (the node receiving
the replies is measuring in the TX direction) and the use of smaller
reply packets might decrease the influence of jitter.
2013-07-21 12:05:42 +00:00
|
|
|
#define PROT_MINOR 3 /* Should not exceed 255! */
|
2000-09-26 14:06:11 +00:00
|
|
|
|
2003-07-29 22:59:01 +00:00
|
|
|
/* Silly Windows */
|
|
|
|
|
|
|
|
|
|
#ifdef ERROR
|
|
|
|
|
#undef ERROR
|
|
|
|
|
#endif
|
|
|
|
|
|
2000-09-11 10:05:35 +00:00
|
|
|
/* Request numbers */
|
|
|
|
|
|
2003-07-22 20:55:21 +00:00
|
|
|
typedef enum request_t {
|
2012-10-10 15:17:49 +00:00
|
|
|
ALL = -1, /* Guardian for allow_request */
|
2002-09-09 21:25:28 +00:00
|
|
|
ID = 0, METAKEY, CHALLENGE, CHAL_REPLY, ACK,
|
|
|
|
|
STATUS, ERROR, TERMREQ,
|
|
|
|
|
PING, PONG,
|
|
|
|
|
ADD_SUBNET, DEL_SUBNET,
|
|
|
|
|
ADD_EDGE, DEL_EDGE,
|
|
|
|
|
KEY_CHANGED, REQ_KEY, ANS_KEY,
|
|
|
|
|
PACKET,
|
2012-07-19 23:02:51 +00:00
|
|
|
/* Tinc 1.1 requests */
|
2009-11-07 22:43:25 +00:00
|
|
|
CONTROL,
|
2012-07-19 23:02:51 +00:00
|
|
|
REQ_PUBKEY, ANS_PUBKEY,
|
2012-07-30 16:36:59 +00:00
|
|
|
REQ_SPTPS,
|
2012-10-10 15:17:49 +00:00
|
|
|
LAST /* Guardian for the highest request number */
|
2003-07-22 20:55:21 +00:00
|
|
|
} request_t;
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2002-03-21 23:11:53 +00:00
|
|
|
typedef struct past_request_t {
|
2012-05-08 14:44:15 +00:00
|
|
|
const char *request;
|
2002-09-09 21:25:28 +00:00
|
|
|
time_t firstseen;
|
2002-03-21 23:11:53 +00:00
|
|
|
} past_request_t;
|
|
|
|
|
|
2003-11-17 15:30:18 +00:00
|
|
|
extern bool tunnelserver;
|
2010-03-01 23:18:44 +00:00
|
|
|
extern bool strictsubnets;
|
2011-07-11 19:54:01 +00:00
|
|
|
extern bool experimental;
|
2003-11-17 15:30:18 +00:00
|
|
|
|
Add an invitation protocol.
Using the tinc command, an administrator of an existing VPN can generate
invitations for new nodes. The invitation is a small URL that can easily
be copy&pasted into email or live chat. Another person can have tinc
automatically setup the necessary configuration files and exchange keys
with the server, by only using the invitation URL.
The invitation protocol uses temporary ECDSA keys. The invitation URL
consists of the hostname and port of the server, a hash of the server's
temporary ECDSA key and a cookie. When the client wants to accept an
invitation, it also creates a temporary ECDSA key, connects to the server
and says it wants to accept an invitation. Both sides exchange their
temporary keys. The client verifies that the server's key matches the hash
in the invitation URL. After setting up an SPTPS connection using the
temporary keys, the client gives the cookie to the server. If the cookie
is valid, the server sends the client an invitation file containing the
client's new name and a copy of the server's host config file. If everything
is ok, the client will generate a long-term ECDSA key and send it to the
server, which will add it to a new host config file for the client.
The invitation protocol currently allows multiple host config files to be
send from the server to the client. However, the client filters out
most configuration variables for its own host configuration file. In
particular, it only accepts Name, Mode, Broadcast, ConnectTo, Subnet and
AutoConnect. Also, at the moment no tinc-up script is generated.
When an invitation has succesfully been accepted, the client needs to start
the tinc daemon manually.
2013-05-29 16:31:10 +00:00
|
|
|
extern ecdsa_t *invitation_key;
|
|
|
|
|
|
2005-06-03 10:16:03 +00:00
|
|
|
/* Maximum size of strings in a request.
|
|
|
|
|
* scanf terminates %2048s with a NUL character,
|
|
|
|
|
* but the NUL character can be written after the 2048th non-NUL character.
|
|
|
|
|
*/
|
2000-11-22 19:55:53 +00:00
|
|
|
|
2005-06-03 10:16:03 +00:00
|
|
|
#define MAX_STRING_SIZE 2049
|
2002-02-26 23:26:41 +00:00
|
|
|
#define MAX_STRING "%2048s"
|
2000-11-22 19:55:53 +00:00
|
|
|
|
2003-07-22 20:55:21 +00:00
|
|
|
#include "edge.h"
|
|
|
|
|
#include "net.h"
|
|
|
|
|
#include "node.h"
|
|
|
|
|
#include "subnet.h"
|
|
|
|
|
|
2002-02-10 21:57:54 +00:00
|
|
|
/* Basic functions */
|
2000-09-11 10:05:35 +00:00
|
|
|
|
2003-07-30 21:52:41 +00:00
|
|
|
extern bool send_request(struct connection_t *, const char *, ...) __attribute__ ((__format__(printf, 2, 3)));
|
2012-05-08 14:44:15 +00:00
|
|
|
extern void forward_request(struct connection_t *, const char *);
|
|
|
|
|
extern bool receive_request(struct connection_t *, const char *);
|
2003-07-24 12:08:16 +00:00
|
|
|
extern bool check_id(const char *);
|
2000-03-26 00:33:07 +00:00
|
|
|
|
2002-03-22 11:43:48 +00:00
|
|
|
extern void init_requests(void);
|
|
|
|
|
extern void exit_requests(void);
|
2012-05-08 14:44:15 +00:00
|
|
|
extern bool seen_request(const char *);
|
2002-03-22 11:43:48 +00:00
|
|
|
|
2002-02-10 21:57:54 +00:00
|
|
|
/* Requests */
|
|
|
|
|
|
2003-07-22 20:55:21 +00:00
|
|
|
extern bool send_id(struct connection_t *);
|
|
|
|
|
extern bool send_metakey(struct connection_t *);
|
2011-07-07 20:30:55 +00:00
|
|
|
extern bool send_metakey_ec(struct connection_t *);
|
2003-07-22 20:55:21 +00:00
|
|
|
extern bool send_challenge(struct connection_t *);
|
|
|
|
|
extern bool send_chal_reply(struct connection_t *);
|
|
|
|
|
extern bool send_ack(struct connection_t *);
|
2003-07-24 12:08:16 +00:00
|
|
|
extern bool send_status(struct connection_t *, int, const char *);
|
2012-05-08 14:44:15 +00:00
|
|
|
extern bool send_error(struct connection_t *, int, const char *);
|
2003-07-22 20:55:21 +00:00
|
|
|
extern bool send_termreq(struct connection_t *);
|
|
|
|
|
extern bool send_ping(struct connection_t *);
|
|
|
|
|
extern bool send_pong(struct connection_t *);
|
2003-07-24 12:08:16 +00:00
|
|
|
extern bool send_add_subnet(struct connection_t *, const struct subnet_t *);
|
|
|
|
|
extern bool send_del_subnet(struct connection_t *, const struct subnet_t *);
|
|
|
|
|
extern bool send_add_edge(struct connection_t *, const struct edge_t *);
|
|
|
|
|
extern bool send_del_edge(struct connection_t *, const struct edge_t *);
|
2011-05-28 21:36:52 +00:00
|
|
|
extern void send_key_changed(void);
|
2009-04-02 23:05:23 +00:00
|
|
|
extern bool send_req_key(struct node_t *);
|
|
|
|
|
extern bool send_ans_key(struct node_t *);
|
2011-05-28 21:36:52 +00:00
|
|
|
extern bool send_tcppacket(struct connection_t *, const struct vpn_packet_t *);
|
2002-02-10 21:57:54 +00:00
|
|
|
|
|
|
|
|
/* Request handlers */
|
|
|
|
|
|
2012-05-08 14:44:15 +00:00
|
|
|
extern bool id_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool metakey_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool challenge_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool chal_reply_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool ack_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool status_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool error_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool termreq_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool ping_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool pong_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool add_subnet_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool del_subnet_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool add_edge_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool del_edge_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool key_changed_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool req_key_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool ans_key_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool tcppacket_h(struct connection_t *, const char *);
|
|
|
|
|
extern bool control_h(struct connection_t *, const char *);
|
2002-02-10 21:57:54 +00:00
|
|
|
|
2012-10-10 15:17:49 +00:00
|
|
|
#endif /* __TINC_PROTOCOL_H__ */
|
