/*
 File: XTunnelsXCipher.h

 Contains: X-Cipher protocol definitions and implementation for X-Tunnels server

 Copyright: (c) 2003 by Xten Networks, Inc., all rights reserved.

 Overview (as far as this header shows):
 - an anonymous enum of ports, protocol version numbers, cache lifetimes,
   error codes, disconnect reasons and message ids;
 - three parameter structs exchanged with the global server;
 - class CXCipher, which owns the host-pair / conversation caches and the
   message handlers;
 - free functions and config-driven globals.
 Only declarations live here; the implementation is in the matching .cpp.
*/
#ifndef XCIPHER_H__191B9296_88DE_4A48_BCFA_6E7FEB6A12D3_
#define XCIPHER_H__191B9296_88DE_4A48_BCFA_6E7FEB6A12D3_ 1

#include <sys/types.h>
#include <list>

#include "uuid.h"
#include "XTunnelsFamilyData.h"

namespace XCipher {

// NOTE(review): this single unnamed enum holds several independent numbering
// spaces (connection errors, disconnect reasons, message ids). Values overlap
// across categories -- e.g. EErrorProtocolGlobalServer and
// EDisconnect_REASON_ID_INVALID_IP_ADDRESS are both 103 -- so an enumerator
// must only ever be compared with enumerators of its own category.
enum {
 // the TCP port on which server listens for peer connections
 EDefaultXCipherListenPort = 13837,

 // global server definitions
 EGlobalServer_VERSION_PROTOCOL_MAJOR = 1,
 EGlobalServer_VERSION_PROTOCOL_MINOR = 0,
 EGlobalServer_VERSION_PROTOCOL_PRIVATE_BUILD = 1,
 EGlobalServer_PORT_XCIPHER_GLOBAL_SERVER = 13842,
 EGlobalServer_PORT_GLOBAL_SERVER_ADMIN = 13843,

 // time for caches to expire, in seconds
 EHostPairCacheDuration = 11 * 60 * 60, // 11 hours (hours * minutes * seconds)
 EConversationCacheDuration = 10 * 60, // 10 minutes (minutes * seconds)

 // errors for connection
 EErrorBadRemoteHost = 100,
 EErrorBadLocalHost = 101,
 EErrorNoGlobalServer = 102,
 EErrorProtocolGlobalServer = 103,
 EErrorCommunicationGlobalServer = 104,
 EErrorProtocolMasterServer = 105,
 EErrorCommunicationMasterServer = 106,
 EErrorBadRemoteHostBadName = 107,
 EErrorBadRemoteHostBadClientRequest = 108,
 EErrorBadRemoteHostCouldNotFindPassword = 109,
 EErrorBadRemoteHostPasswordsDoNotMatch = 110,
 // one past the last connection error; usable as an upper bound for range checks
 ELastProtocolError,

 // login sequence is implemented using exact same protocol as client <--> server
 // see "XTunnelsProtocol.h" for relevant definitions
 // in TClientToServerHelloParam m_szHost is caller and m_szUserID is empty
 // password to calculate MD5/SHA1 digests for challenges has been retrieved from global server
 //
 // caller is EWaitingVersion
 //
 // caller --> XTunnels_Version --> callee
 // caller --> XTunnels_ClientToServer_Hello --> callee
 // caller <-- XTunnels_Version <-- callee
 //
 // caller is EWaitingChallenge
 //
 // caller <-- XTunnels_ServerToClient_Challenge <-- callee
 //
 // caller is EWaitingChallengeReply
 //
 // caller --> XTunnels_ChallengeReply --> callee
 // caller <-- XTunnels_ChallengeReply <-- callee
 //
 // caller is EWaitingReady
 //
 // caller --> XTunnels_ClientToServer_Ready --> callee
 // caller <-- XTunnels_ServerToClient_Ready <-- callee
 //
 // caller is EReady
 //
 // once successful connection is established, only allowable packets from
 // the X-Tunnels client <--> server protocol are
 // caller <--> EMessageClientRequestSendPacket <--> callee
 // caller <--> EMessagePing <--> callee (following timeout specified during login sequence)
 // caller <--> EMessageDisconnect <--> callee
 // any others constitute a protocol error and immediate disconnection without notice

 // disconnection protocol follows X-Tunnels implementation, with additional possible reasons
 EDisconnect_REASON_ID_INVALID_IP_ADDRESS = 103,
 EDisconnect_REASON_ID_INVALID_CONNECTION_ID = 104,
 EDisconnect_REASON_ID_INVALID_HOSTNAME = 105,
 EDisconnectClientConnectionLost = 300,
 EDisconnectClientConnectionTerminated = 301,

 // master server to global server messaging - uses a dual direction challenge mechanism
 //
 // master server is EWaitingVersion
 // global server is EWaitingVersion
 //
 // master server --> CXgsMarshal_GlobalServerCommunication_Version --> global server
 //
 // global server is EWaitingChallenge (hello is a form of challenge)
 //
 // master server --> CXgsMarshal_GlobalServerCommunication_MasterServerToGlobalServer_Hello --> global server
 //
 // global server is EWaitingChallengeReply
 //
 // master server <-- CXgsMarshal_GlobalServerCommunication_Version <-- global server
 //
 // master server is EWaitingChallenge
 //
 // master server <-- CXgsMarshal_GlobalServerCommunication_GlobalServerToMasterServer_Challenge <-- global server
 //
 // master server is EWaitingChallengeReply
 //
 // master server --> CXgsMarshal_GlobalServerCommunication_ChallengeReply --> global server
 //
 // global server is EWaitingReady
 //
 // master server <-- CXgsMarshal_GlobalServerCommunication_ChallengeReply <-- global server
 //
 // master server is EWaitingReady
 //
 // master server --> CXgsMarshal_GlobalServerCommunication_Ready --> global server
 //
 // global server is EReady
 //
 // master server <-- CXgsMarshal_GlobalServerCommunication_Ready <-- global server
 //
 // master server is EReady

 // message ids shared with the X-Tunnels protocol (defined elsewhere, listed for reference):
 // Ping -- 1
 // Version -- 2
 // ChallengeReply -- 100
 // Disconnect -- 101
 EMessageGlobalServerCommunication_Ready = 102,
 // Hello -- 200 -- note different param structure
 EMessageGlobalServerCommunication_MasterServerToGlobalServer_RequestSecureHostKeyPair = 201,
 // server challenge -- 300
 EMessageGlobalServerCommunication_GlobalServerToMasterServer_ReplySecureHostKeyPair = 301,
 EMessageGlobalServerCommunication_GlobalServerToMasterServer_ReplySecureHostKeyPairError = 302,
 // master server to master server -- uses regular logins and disconnects
 EMessageMasterServerToMasterServer_SendConversationInfo = 400
}; // end enums

// no need to pack these, they aren't sent
//
// The structs below are the in-memory form of the parameters; the fields
// marked "sent packed!" are marshalled individually, each preceded by its
// *size field. NOTE(review): every *size field arrives from the peer, so the
// unpacking code must reject a size larger than the 1024-byte buffer it is
// written into (and leave room for a terminator if the field is used as a C
// string) -- nothing in this header enforces that; confirm in the marshalling
// code.

// Parameters of the master server's hello to the global server.
typedef struct TXCipherGlobalServerHelloParam {
 unsigned long how;
 unsigned short useridsize; // byte count of m_szUserID as transmitted
 char m_szUserID[1024]; // note: sent packed!
 unsigned long algorithm;
 unsigned long challengeblobsize; // byte count of challengeblob as transmitted
 uuid_t challengeblob;
} TXCipherGlobalServerHelloParam;

// Request for the shared secret ("host key pair") between two secure hosts.
typedef struct TXCipherGlobalServerRequestSecureHostKeyPairParam {
 unsigned short m_usRequestIDSize;
 char m_szRequestID[1024]; // note: sent packed!
 unsigned short m_usSourceSecureHostSize;
 char m_szSourceSecureHost[1024]; // note: sent packed!
 unsigned short m_usDestinationSecureHostSize;
 char m_szDestinationSecureHost[1024]; // note: sent packed!
} TXCipherGlobalServerRequestSecureHostKeyPairParam;

// Reply carrying the host key pair password and its sequence number.
// The password is secret material: treat the buffer accordingly once unpacked.
typedef struct TXCipherGlobalServerReplySecureHostKeyPairParam {
 unsigned short m_usRequestIDSize;
 char m_szRequestID[1024]; // note: sent packed!
 uuid_t m_tSequenceNumber;
 unsigned short m_usSecureHostKeyPairPasswordSize;
 char m_szSecureHostKeyPairPassword[1024]; // note: sent packed!
} TXCipherGlobalServerReplySecureHostKeyPairParam;

// maintained by parent and added to by children
//
// Holds the host-pair password cache and the conversation cache, plus the
// handlers for X-Cipher messages. Cache entries expire after
// EHostPairCacheDuration / EConversationCacheDuration respectively (the
// expiry itself is implemented in the .cpp, not here).
// NOTE(review): the std::list caches are plain members with no lock declared;
// if a parent and its children touch them concurrently, the synchronization
// must come from the caller -- confirm against the implementation.
class CXCipher {
 public:
 // set by g_szConfigFileLineXCipherEnabled line in xtunnels.cfg
 static bool g_bXCipherEnabled;
 // process-wide instance returned by GetXCipher(); ownership and lifetime
 // are managed by InitializeXCipher()/DestroyXCipher() -- confirm in the .cpp
 static CXCipher* g_pXCipher;

 CXCipher();
 void DestroyXCipher();

 std::list<XTunnels::THostPairPasswordInfo> m_cHostPairKeyCache;
 std::list<XTunnels::TConversationInfoParam> m_cConversationCache;

 // - extract key pair (from cache if possible) for a requested host to connect to
 // - retrieve key pair from global server if not cached or expired
 // Returns 0 on success or one of the EError* codes above (presumably; the
 // header does not state it). szOutHostPairPassword carries no length
 // parameter -- the caller must supply a buffer at least as large as the
 // 1024-byte password field of TXCipherGlobalServerReplySecureHostKeyPairParam.
 int GetHostPairPassword( const char* szRemote, const char* szLocal, const char* szLocalPassword, char* szOutHostPairPassword, uuid_t& tOutSequenceNumber );
 // Cache-only lookup; there is no return value, so a miss can only be
 // detected through the output parameters -- see the implementation.
 void GetHostPairPasswordFromCache( const char* szRemote, const char* szLocal, char* szOutHostPairPassword, uuid_t& tOutSequenceNumber );
 // Network lookup against the global server; same output contract as
 // GetHostPairPassword.
 int GetHostPairPasswordFromGlobalServer( const char* szRemote, const char* szLocal, const char* szLocalPassword, char* szOutHostPairPassword, uuid_t& tOutSequenceNumber );
 // Returns true and fills the 32-byte key on a cache hit. The [32] in the
 // parameter type is documentation only: it decays to char*, so the caller
 // is responsible for passing a buffer of at least 32 bytes.
 bool GetCipherkeyFromCache( const char* szLocalHost, const char* szRemoteHost, const char* szUsername, char m_pOutCipherkeyBytes[32] );

 void CleanCaches();
 void EmptyHostPairCache();
 // Drops cached entries for a host whose key material is known to be stale.
 void CleanHostPairCache(const char* szOutOfSyncHost);
 void UpdateHostPairCache(XTunnels::THostPairPasswordInfo& tNewPair);
 void UpdateConversationCache(XTunnels::TConversationInfoParam& tNewConversation);

 // - pipe key pair to parent for future children's use if successful connection established
 void CacheHostPairPassword( const char* szRemote, const char* szLocal, const char* szHostPairPassword, uuid_t& tSequenceNumber );

 // Key lookup / creation for a (user, host) pair. pOutCipherkeyBytes has no
 // length parameter; by analogy with GetCipherkeyFromCache it is presumably
 // 32 bytes -- confirm in the implementation.
 bool FindCipherkey( const char* szUsername, const char* szHost, char* pOutCipherkeyBytes );
 int CreateAndSendCipherkey( const char* szUsername, const char* szHost, char* pOutCipherkeyBytes );
 int MakeCipherkey( const char* szHost, const uuid_t& tSessionGUID, char* pOutCipherKeyBytes );

 // piped from child
 void HandleCipherKeyRequest(XTunnels::TCipherKeyRequest& tRequest);
 // sent from client
 int HandleMessageClientRequestXCipherSecureConversationKey(XTunnels::TXTunnelsPacket* pReceivedPacket);
 // sent from global server
 int HandleMessageGlobalXCipherSaysToClearCache(XTunnels::TXTunnelsPacket* pReceivedPacket);
 // another master server would like to send us a conversation key
 int GetConversationIDOrResetRequestFromCaller(int iCallerSocket);
 // Accepts a peer connection on the socket bound to EDefaultXCipherListenPort.
 int HandleXCipherConnectionRequest(int iXCipherListenSocket);

 protected:
};

// Creates the global CXCipher instance. bForceEnabled presumably overrides the
// xtunnels.cfg setting that drives g_bXCipherEnabled -- confirm in the .cpp.
bool InitializeXCipher(bool bForceEnabled);

// Returns a mutable reference to the enabled flag, so callers can both read
// and change it; no synchronization is declared for it.
inline bool& XCipherEnabled() { return CXCipher::g_bXCipherEnabled; }

// set in config file
extern char g_szXCipherGlobalServerSRVRequest[XTunnels::EMaxSmallBufferSize];
extern char g_szLocalXCipherHost[XTunnels::EMaxSmallBufferSize];
// local host's password, used for challenge digests (see the login-sequence
// notes above); secret material, keep it out of logs
extern char g_szLocalXCipherPassword[XTunnels::EMaxSmallBufferSize];

} // end namespace XCipher

// Non-owning accessor for the process-wide instance; may be null before
// InitializeXCipher() has run or after DestroyXCipher().
inline XCipher::CXCipher* GetXCipher() { return XCipher::CXCipher::g_pXCipher; }

#endif // XCIPHER_H__191B9296_88DE_4A48_BCFA_6E7FEB6A12D3_