X-Git-Url: https://git.distorted.org.uk/~mdw/secnet/blobdiff_plain/f1393100aa5412f0df5ee363c6bdd42b2465fa59..refs/heads/mdw/xdh:/secnet.h diff --git a/secnet.h b/secnet.h index 54d84a5..e54dbbe 100644 --- a/secnet.h +++ b/secnet.h @@ -1,4 +1,22 @@ /* Core interface of secnet, to be used by all modules */ +/* + * This file is part of secnet. + * See README for full list of copyright holders. + * + * secnet is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * secnet is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 3 along with secnet; if not, see + * https://www.gnu.org/licenses/gpl.html. + */ #ifndef secnet_h #define secnet_h @@ -14,8 +32,11 @@ #include #include #include +#include +#include #include #include +#include #include #include #include @@ -58,6 +79,16 @@ extern struct log_if *system_log; /* from process.c */ extern void start_signal_handling(void); +void afterfork(void); +/* Must be called before exec in every child made after + start_signal_handling. Safe to call in earlier children too. */ + +void childpersist_closefd_hook(void *fd_p, uint32_t newphase); +/* Convenience hook function for use with add_hook PHASE_CHILDPERSIST. + With `int fd' in your state struct, pass fd_p=&fd. The hook checks + whether fd>=0, so you can use it for an fd which is only sometimes + open. This function will set fd to -1, so it is idempotent. */ + /***** CONFIGURATION support *****/ extern bool_t just_check_config; /* If True then we're going to exit after @@ -141,6 +172,8 @@ extern uint32_t dict_read_number(dict_t *dict, cstring_t key, bool_t required, /* return value can safely be assigned to int32_t */ extern bool_t dict_read_bool(dict_t *dict, cstring_t key, bool_t required, cstring_t desc, struct cloc loc, bool_t def); +extern dict_t *dict_read_dict(dict_t *dict, cstring_t key, bool_t required, + cstring_t desc, struct cloc loc); const char **dict_read_string_array(dict_t *dict, cstring_t key, bool_t required, cstring_t desc, struct cloc loc, const char *const *def); @@ -168,7 +201,18 @@ extern void *safe_malloc_ary(size_t size, size_t count, const char *message); extern void *safe_realloc_ary(void *p, size_t size, size_t count, const char *message); +#define NEW(p) \ + ((p)=safe_malloc(sizeof(*(p)), \ + __FILE__ ":" #p)) +#define NEW_ARY(p,count) \ + ((p)=safe_malloc_ary(sizeof(*(p)),(count), \ + __FILE__ ":" #p "[" #count "]")) +#define REALLOC_ARY(p,count) \ + ((p)=safe_realloc_ary((p),sizeof(*(p)),(count), \ + __FILE__ ":" #p "[" #count "]")) + void setcloexec(int fd); /* cannot fail */ +void setnonblock(int fd); /* cannot fail */ void pipe_cloexec(int fd[2]); /* pipe(), setcloexec() twice; cannot fail */ extern int sys_cmd(const char *file, const char *argc, ...); @@ -251,10 +295,18 @@ enum phase { PHASE_DROPPRIV, /* Last chance for privileged operations */ PHASE_RUN, PHASE_SHUTDOWN, /* About to die; delete key material, etc. */ + PHASE_CHILDPERSIST, /* Forked long-term child: close fds, etc. */ /* Keep this last: */ NR_PHASES, }; +/* Each module should, in its CHILDPERSIST hooks, close all fds which + constitute ownership of important operating system resources, or + which are used for IPC with other processes who want to get the + usual disconnection effects if the main secnet process dies. + CHILDPERSIST hooks are not run if the child is going to exec; + so fds such as described above should be CLOEXEC too. */ + typedef void hook_fn(void *self, uint32_t newphase); bool_t add_hook(uint32_t phase, hook_fn *f, void *state); bool_t remove_hook(uint32_t phase, hook_fn *f, void *state); @@ -262,12 +314,20 @@ bool_t remove_hook(uint32_t phase, hook_fn *f, void *state); extern uint32_t current_phase; extern void enter_phase(uint32_t new_phase); +void phase_hooks_init(void); /* for main() only */ +void clear_phase_hooks(uint32_t phase); /* for afterfork() */ + /* Some features (like netlink 'soft' routes) require that secnet retain root privileges. They should indicate that here when appropriate. */ extern bool_t require_root_privileges; extern cstring_t require_root_privileges_explanation; +/* Some modules may want to know whether secnet is going to drop + privilege, so that they know whether to do privsep. Call only + in phases SETUP and later. */ +bool_t will_droppriv(void); + /***** END of program lifetime support *****/ /***** MODULE support *****/ @@ -282,6 +342,7 @@ extern void init_builtin_modules(dict_t *dict); extern init_module resolver_module; extern init_module random_module; extern init_module udp_module; +extern init_module polypath_module; extern init_module util_module; extern init_module site_module; extern init_module transform_eax_module; @@ -289,10 +350,12 @@ extern init_module transform_cbcmac_module; extern init_module netlink_module; extern init_module rsa_module; extern init_module dh_module; +extern init_module xdh_module; extern init_module md5_module; extern init_module slip_module; extern init_module tun_module; extern init_module sha1_module; +extern init_module sha512_module; extern init_module log_module; /***** END of module support *****/ @@ -341,8 +404,8 @@ struct resolver_if { /* RANDOMSRC interface */ -/* Return some random data. Returns TRUE for success. */ -typedef bool_t random_fn(void *st, int32_t bytes, uint8_t *buff); +/* Return some random data. Cannot fail. */ +typedef void random_fn(void *st, int32_t bytes, uint8_t *buff); struct random_if { void *st; @@ -377,8 +440,17 @@ struct comm_addr { int ix; /* see comment `Re comm_addr.ix' in udp.c */ }; +struct comm_clientinfo; /* private for comm */ + +typedef struct comm_clientinfo *comm_clientinfo_fn(void *state, dict_t*, + struct cloc cloc); +/* A comm client may call this during configuration, and then pass + * the resulting comm_clientinfo* to some or all sendmsg calls. + * The semantics depend on the dict and defined by the comm, and + * should be documented in README. */ + /* Return True if the packet was processed, and shouldn't be passed to - any other potential receivers. */ + any other potential receivers. (buf is freed iff True returned.) */ typedef bool_t comm_notify_fn(void *state, struct buffer_if *buf, const struct comm_addr *source); typedef void comm_request_notify_fn(void *commst, void *nst, @@ -386,7 +458,8 @@ typedef void comm_request_notify_fn(void *commst, void *nst, typedef void comm_release_notify_fn(void *commst, void *nst, comm_notify_fn *fn); typedef bool_t comm_sendmsg_fn(void *commst, struct buffer_if *buf, - const struct comm_addr *dest); + const struct comm_addr *dest, + struct comm_clientinfo* /* 0 OK */); /* Only returns false if (we know that) the local network * environment is such that this address cannot work; transient * or unknown/unexpected failures return true. */ @@ -395,13 +468,15 @@ typedef const char *comm_addr_to_string_fn(void *commst, /* Returned string is in a static buffer. */ struct comm_if { void *st; + comm_clientinfo_fn *clientinfo; comm_request_notify_fn *request_notify; comm_release_notify_fn *release_notify; comm_sendmsg_fn *sendmsg; comm_addr_to_string_fn *addr_to_string; }; -bool_t iaddr_equal(const union iaddr *ia, const union iaddr *ib); +bool_t iaddr_equal(const union iaddr *ia, const union iaddr *ib, + bool_t ignoreport); static inline const char *comm_addr_to_string(const struct comm_addr *ca) { @@ -411,7 +486,7 @@ static inline const char *comm_addr_to_string(const struct comm_addr *ca) static inline bool_t comm_addr_equal(const struct comm_addr *a, const struct comm_addr *b) { - return a->comm==b->comm && iaddr_equal(&a->ia,&b->ia); + return a->comm==b->comm && iaddr_equal(&a->ia,&b->ia,False); } /* LOG interface */ @@ -470,13 +545,24 @@ typedef bool_t transform_setkey_fn(void *st, uint8_t *key, int32_t keylen, typedef bool_t transform_valid_fn(void *st); /* 0: no key; 1: ok */ typedef void transform_delkey_fn(void *st); typedef void transform_destroyinstance_fn(void *st); -/* Returns: - * 0: all is well - * 1: for any other problem - * 2: message decrypted but sequence number was out of range - */ -typedef uint32_t transform_apply_fn(void *st, struct buffer_if *buf, - const char **errmsg); + +typedef enum { + transform_apply_ok = 0, /* all is well (everyone may assume==0) */ + transform_apply_err = 1, /* any other problem */ + transform_apply_seqrange = 2, + /* message decrypted but sequence number was out of recent range */ + transform_apply_seqdupe = 3, + /* message decrypted but was dupe of recent packet */ +} transform_apply_return; + +static inline bool_t +transform_apply_return_badseq(transform_apply_return problem) { + return problem == transform_apply_seqrange || + problem == transform_apply_seqdupe; +} + +typedef transform_apply_return transform_apply_fn(void *st, + struct buffer_if *buf, const char **errmsg); struct transform_inst_if { void *st; @@ -490,8 +576,7 @@ struct transform_inst_if { struct transform_if { void *st; - int capab_transformnum; - int32_t keylen; /* <<< INT_MAX */ + int capab_bit; transform_createinstance_fn *create; }; @@ -527,17 +612,32 @@ struct netlink_if { /* DH interface */ -/* Returns public key as a malloced hex string */ -typedef string_t dh_makepublic_fn(void *st, uint8_t *secret, - int32_t secretlen); -/* Fills buffer (up to buflen) with shared secret */ -typedef void dh_makeshared_fn(void *st, uint8_t *secret, - int32_t secretlen, cstring_t rempublic, - uint8_t *sharedsecret, int32_t buflen); +/* Write public value corresponding to the secret to the public buffer, and + * return its actual length. The size of the buffer is given in publiclen, + * which will be at least the public_len reported by the closure. The + * secretlen will be the secret_len reported by the closure. This operation + * is not expected to fail. + */ +typedef int32_t dh_makepublic_fn(void *st, void *public, int32_t publiclen, + uint8_t *secret, int32_t secretlen); + +/* Fills buffer (up to buflen) with shared secret. The publiclen comes from + * the remote site, and may not be acceptable, though it has been checked for + * memory-safety. The secretlen and buflen are the secret_len and shared_len + * reported by the closure, respectively. Return false on faliure (e.g., if + * the publiclen is unacceptable). + */ +typedef bool_t dh_makeshared_fn(void *st, + uint8_t *secret, int32_t secretlen, + const void *public, int32_t publiclen, + uint8_t *sharedsecret, int32_t buflen); + struct dh_if { void *st; - int32_t len; /* Approximate size of modulus in bytes */ - int32_t ceil_len; /* Number of bytes just sufficient to contain modulus */ + int32_t secret_len; /* Size of random secret to generate */ + int32_t public_len; /* Maximum number of bytes needed for public value */ + int32_t shared_len; /* Size of generated shared secret */ + int capab_bit; dh_makepublic_fn *makepublic; dh_makeshared_fn *makeshared; }; @@ -597,6 +697,8 @@ void lg_vperror(struct log_if *lg, const char *desc, struct cloc *loc, void lg_perror(struct log_if *lg, const char *desc, struct cloc *loc, int class, int errnoval, const char *fmt, ...) FORMAT(printf,6,7); +void lg_exitstatus(struct log_if *lg, const char *desc, struct cloc *loc, + int class, int status, const char *progname); /* The cfgfatal() family of functions require messages that end in '\n' */ extern NORETURN(cfgfatal(struct cloc loc, cstring_t facility,