~mdw / tripe / blob
? search:


2530f15118a99336a07825b7daba21afcff66b7e
[tripe] / proxy / tripe-mitm.c
1 /* -*-c-*-
2 *
3 * An evil proxy for TrIPE
4 *
5 * (c) 2001 Straylight/Edgeware
6 */
7
8 /*----- Licensing notice --------------------------------------------------*
9 *
10 * This file is part of Trivial IP Encryption (TrIPE).
11 *
12 * TrIPE is free software: you can redistribute it and/or modify it under
13 * the terms of the GNU General Public License as published by the Free
14 * Software Foundation; either version 3 of the License, or (at your
15 * option) any later version.
16 *
17 * TrIPE is distributed in the hope that it will be useful, but WITHOUT
18 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
19 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE. If not, see <https://www.gnu.org/licenses/>.
24 */
25
26 /*----- Header files ------------------------------------------------------*/
27
28 #include "config.h"
29
30 #include <assert.h>
31 #include <errno.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <time.h>
36
37 #include <sys/types.h>
38 #include <sys/time.h>
39 #include <unistd.h>
40 #include <fcntl.h>
41
42 #include <sys/socket.h>
43 #include <netinet/in.h>
44 #include <arpa/inet.h>
45 #include <netdb.h>
46
47 #include <mLib/alloc.h>
48 #include <mLib/dstr.h>
49 #include <mLib/fdflags.h>
50 #include <mLib/mdwopt.h>
51 #include <mLib/quis.h>
52 #include <mLib/report.h>
53 #include <mLib/sel.h>
54 #include <mLib/sub.h>
55 #include <mLib/tv.h>
56
57 #include <catacomb/buf.h>
58
59 #include <catacomb/key.h>
60
61 #include <catacomb/mp.h>
62 #include <catacomb/mprand.h>
63 #include <catacomb/dh.h>
64
65 #include <catacomb/chacha20.h>
66 #include <catacomb/noise.h>
67 #include <catacomb/rand.h>
68
69 #include "util.h"
70
71 /*----- Data structures ---------------------------------------------------*/
72
73 typedef struct peer {
74 sel_file sf;
75 const char *name;
76 struct filter *f;
77 } peer;
78
79 typedef struct filter {
80 struct filter *next;
81 peer *p_from, *p_to;
82 void (*func)(struct filter */*f*/, const octet */*buf*/, size_t /*sz*/);
83 void *state;
84 } filter;
85
86 typedef struct qnode {
87 octet *buf;
88 size_t sz;
89 } qnode;
90
91 /*----- Static variables --------------------------------------------------*/
92
93 #define PKBUFSZ 65536
94
95 static sel_state sel;
96 static peer peers[2];
97 static unsigned npeer = 0;
98 static key_file keys;
99 static grand *rng;
100 static const char *delim = ":";
101
102 #define PASS(f, buf, sz) ((f) ? (f)->func((f), (buf), (sz)) : (void)0)
103 #define RND(i) (rng->ops->range(rng, (i)))
104
105 /*----- Peer management ---------------------------------------------------*/
106
107 static void dopacket(int fd, unsigned mode, void *vv)
108 {
109 octet buf[PKBUFSZ];
110 peer *p = vv;
111 int r = read(fd, buf, sizeof(buf));
112 if (r >= 0) {
113 printf("recv from `%s'\n", p->name);
114 PASS(p->f, buf, r);
115 }
116 }
117
118 static void addpeer(unsigned ac, char **av)
119 {
120 struct hostent *h;
121 struct sockaddr_in sin;
122 int len = PKBUFSZ;
123 peer *p;
124 int fd;
125
126 if (ac != 4) die(1, "syntax: peer:NAME:PORT:ADDR:PORT");
127 if (npeer >= 2) die(1, "enough peers already");
128 if (!key_bytag(&keys, av[0])) die(1, "no key named `%s'", av[0]);
129 p = &peers[npeer++];
130 p->name = xstrdup(av[0]);
131 if ((fd = socket(PF_INET, SOCK_DGRAM, 0)) < 0)
132 die(1, "socket: %s", strerror(errno));
133 fdflags(fd, O_NONBLOCK, O_NONBLOCK, FD_CLOEXEC, FD_CLOEXEC);
134 memset(&sin, 0, sizeof(sin));
135 sin.sin_family = AF_INET;
136 sin.sin_addr.s_addr = INADDR_ANY;
137 sin.sin_port = htons(atoi(av[1]));
138 if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)))
139 die(1, "bind: %s", strerror(errno));
140 memset(&sin, 0, sizeof(sin));
141 sin.sin_family = AF_INET;
142 if ((h = gethostbyname(av[2])) == 0)
143 die(1, "gethostbyname `%s'", av[2]);
144 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &len, sizeof(len)) ||
145 setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &len, sizeof(len)))
146 die(1, "setsockopt: %s", strerror(errno));
147 memcpy(&sin.sin_addr, h->h_addr, sizeof(sin.sin_addr));
148 sin.sin_port = htons(atoi(av[3]));
149 if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)))
150 die(1, "connect: %s", strerror(errno));
151 sel_initfile(&sel, &p->sf, fd, SEL_READ, dopacket, p);
152 sel_addfile(&p->sf);
153 }
154
155 /*----- Fork filter -------------------------------------------------------*/
156
157 typedef struct forknode {
158 struct forknode *next;
159 filter *f;
160 } forknode;
161
162 typedef struct forkfilt {
163 const char *name;
164 forknode *fn;
165 } forkfilt;
166
167 static void dofork(filter *f, const octet *buf, size_t sz)
168 {
169 forkfilt *ff = f->state;
170 forknode *fn;
171 unsigned i = 0;
172
173 ff = f->state;
174 for (fn = ff->fn; fn; fn = fn->next) {
175 printf("fork branch %u of fork `%s'\n", i++, ff->name);
176 PASS(fn->f, buf, sz);
177 }
178 printf("fork branch %u of fork `%s'\n", i++, ff->name);
179 PASS(f->next, buf, sz);
180 }
181
182 static void addfork(filter *f, unsigned ac, char **av)
183 {
184 forkfilt *ff;
185 if (ac != 1) die(1, "syntax: filt:fork:NAME");
186 ff = CREATE(forkfilt);
187 ff->name = xstrdup(av[0]);
188 ff->fn = 0;
189 f->func = dofork;
190 f->state = ff;
191 }
192
193 static void nextfork(unsigned ac, char **av)
194 {
195 unsigned i, j;
196 filter *f;
197 forkfilt *ff;
198 forknode *fn, **ffn;
199 peer *p;
200
201 if (ac < 1) die(1, "syntax: next:NAME:...");
202 for (i = 0; i < 2; i++) {
203 p = &peers[i];
204 for (f = p->f; f; f = f->next) {
205 if (f->func != dofork) continue;
206 ff = f->state;
207 for (j = 0; j < ac; j++)
208 if (strcmp(av[j], ff->name) == 0) goto match;
209 continue;
210 match:
211 fn = CREATE(forknode);
212 for (ffn = &ff->fn; *ffn; ffn = &(*ffn)->next);
213 fn->f = f->next;
214 f->next = 0;
215 fn->next = 0;
216 *ffn = fn;
217 }
218 }
219 }
220
221 /*----- Corrupt filter ----------------------------------------------------*/
222
223 typedef struct corrupt {
224 unsigned p_corrupt;
225 } corrupt;
226
227 static void docorrupt(filter *f, const octet *buf, size_t sz)
228 {
229 corrupt *c = f->state;
230 octet b[PKBUFSZ];
231 memcpy(b, buf, sz);
232
233 while (!RND(c->p_corrupt)) {
234 puts("corrupt packet");
235 b[RND(sz)] ^= RND(256);
236 }
237 PASS(f->next, b, sz);
238 }
239
240 static void addcorrupt(filter *f, unsigned ac, char **av)
241 {
242 corrupt *c;
243 if (ac > 1) die(1, "syntax: filt:corrupt[:P-CORRUPT]");
244 c = CREATE(corrupt);
245 if (ac > 0) c->p_corrupt = atoi(av[0]);
246 else c->p_corrupt = 5;
247 f->state = c;
248 f->func = docorrupt;
249 }
250
251 /*----- Drop filter -------------------------------------------------------*/
252
253 typedef struct drop {
254 unsigned p_drop;
255 } drop;
256
257 static void dodrop(filter *f, const octet *buf, size_t sz)
258 {
259 drop *d = f->state;
260
261 if (!RND(d->p_drop)) puts("drop packet");
262 else PASS(f->next, buf, sz);
263 }
264
265 static void adddrop(filter *f, unsigned ac, char **av)
266 {
267 drop *d;
268 if (ac > 1) die(1, "syntax: filt:drop[:P-DROP]");
269 d = CREATE(drop);
270 if (ac > 0) d->p_drop = atoi(av[0]);
271 else d->p_drop = 5;
272 f->state = d;
273 f->func = dodrop;
274 }
275
276 /*----- Delay filter ------------------------------------------------------*/
277
278 typedef struct delaynode {
279 unsigned flag;
280 sel_timer tm;
281 unsigned i;
282 struct delay *d;
283 octet *buf;
284 size_t sz;
285 unsigned seq;
286 } delaynode;
287
288 typedef struct delay {
289 unsigned max, n;
290 unsigned long t;
291 unsigned p_replay;
292 filter *f;
293 delaynode *q;
294 } delay;
295
296 static void dtimer(struct timeval *tv, void *vv);
297
298 static void dinsert(delaynode *dn)
299 {
300 struct timeval tv;
301 sel_timer *ta, *tb;
302 unsigned long tdelta = RND(dn->d->t);
303 gettimeofday(&tv, 0);
304 TV_ADDL(&tv, &tv, 0, tdelta);
305 assert(!dn->flag);
306 sel_addtimer(&sel, &dn->tm, &tv, dtimer, dn);
307 dn->flag = 1;
308 for (ta = tb = sel.timers; ta; ta = ta->next) {
309 ta = ta->next; if (!ta) break; assert(ta != tb);
310 ta = ta->next; if (!ta) break; assert(ta != tb);
311 tb = tb->next;
312 }
313 printf(" delay %lu usecs", tdelta);
314 }
315
316 static void dsend(delaynode *dn, unsigned force)
317 {
318 delay *d = dn->d;
319 delaynode *ddn;
320 unsigned i;
321
322 fputs(" send...\n", stdout);
323 assert(dn->buf);
324 PASS(d->f->next, dn->buf, dn->sz);
325 fputs("delay ...", stdout);
326 if (!force)
327 dinsert(dn);
328 else {
329 xfree(dn->buf);
330 dn->buf = 0;
331 d->n--;
332 if (dn->i < d->n) {
333 ddn = &d->q[d->n];
334 sel_rmtimer(&ddn->tm);
335 sel_addtimer(&sel, &dn->tm, &ddn->tm.tv, dtimer, dn);
336 dn->flag = 1;
337 dn->buf = ddn->buf;
338 dn->sz = ddn->sz;
339 dn->seq = ddn->seq;
340 ddn->buf = 0;
341 ddn->flag = 0;
342 printf(" move id %u from slot %u to slot %u", ddn->seq, ddn->i, dn->i);
343 }
344 for (i = 0; i < d->n; i++) assert(d->q[i].buf);
345 fputs(" remove", stdout);
346 }
347 }
348
349 static void dtimer(struct timeval *tv, void *vv)
350 {
351 delaynode *dn = vv;
352 printf("delay timer peer `%s' id %u slot %u",
353 dn->d->f->p_from->name, dn->seq, dn->i);
354 dn->flag = 0;
355 dsend(dn, RND(dn->d->p_replay));
356 fputc('\n', stdout);
357 }
358
359 static void dodelay(filter *f, const octet *buf, size_t sz)
360 {
361 delay *d = f->state;
362 delaynode *dn;
363 static unsigned seq = 0;
364
365 fputs("delay", stdout);
366 if (d->n == d->max) {
367 dn = &d->q[RND(d->n)];
368 printf(" force uid %u", dn->seq);
369 sel_rmtimer(&dn->tm);
370 dn->flag = 0;
371 dsend(dn, 1);
372 fputc(';', stdout);
373 }
374 dn = &d->q[d->n++];
375 dn->seq = seq++;
376 printf(" new id %u in slot %u", dn->seq, dn->i);
377 dn->buf = xmalloc(sz);
378 dn->sz = sz;
379 memcpy(dn->buf, buf, sz);
380 dinsert(dn);
381 fputc('\n', stdout);
382 }
383
384 static void adddelay(filter *f, unsigned ac, char **av)
385 {
386 delay *d;
387 unsigned i;
388
389 if (ac < 1 || ac > 3) die(1, "syntax: filt:delay:QLEN[:MILLIS:P-REPLAY]");
390 d = CREATE(delay);
391 d->max = atoi(av[0]);
392 if (ac > 1) d->t = strtoul(av[1], 0, 10);
393 else d->t = 100;
394 d->t *= 1000;
395 if (ac > 2) d->p_replay = atoi(av[2]);
396 else d->p_replay = 20;
397 d->n = 0;
398 d->q = xmalloc(d->max * sizeof(delaynode));
399 d->f = f;
400 f->state = d;
401 f->func = dodelay;
402 for (i = 0; i < d->max; i++) {
403 d->q[i].d = d;
404 d->q[i].i = i;
405 d->q[i].buf = 0;
406 d->q[i].flag = 0;
407 }
408 }
409
410 /*----- Filters -----------------------------------------------------------*/
411
412 static void dosend(filter *f, const octet *buf, size_t sz)
413 {
414 printf("send to `%s'\n", f->p_to->name);
415 DISCARD(write(f->p_to->sf.fd, buf, sz));
416 }
417
418 static void addsend(filter *f, unsigned ac, char **av)
419 {
420 if (ac) die(1, "syntax: filt:send");
421 f->func = dosend;
422 }
423
424 const struct filtab {
425 const char *name;
426 void (*func)(filter */*f*/, unsigned /*ac*/, char **/*av*/);
427 } filtab[] = {
428 { "send", addsend },
429 { "fork", addfork },
430 { "delay", adddelay },
431 { "drop", adddrop },
432 { "corrupt", addcorrupt },
433 { 0, 0 }
434 };
435
436 static void dofilter(peer *from, peer *to, unsigned ac, char **av)
437 {
438 filter **ff, *f = CREATE(filter);
439 const struct filtab *ft;
440 if (ac < 1) die(1, "syntax: {l,r,}filt:NAME:...");
441 f->next = 0;
442 f->p_from = from;
443 f->p_to = to;
444 f->state = 0;
445 for (ff = &from->f; *ff; ff = &(*ff)->next);
446 *ff = f;
447 for (ft = filtab; ft->name; ft++)
448 if (strcmp(av[0], ft->name) == 0)
449 { ft->func(f, ac - 1, av + 1); return; }
450 die(1, "unknown filter `%s'", av[0]);
451 }
452
453 /*----- Flooding ----------------------------------------------------------*/
454
455 typedef struct flood {
456 peer *p;
457 unsigned type;
458 size_t sz;
459 unsigned long t;
460 sel_timer tm;
461 } flood;
462
463 static void setflood(flood *f);
464
465 static void floodtimer(struct timeval *tv, void *vv)
466 {
467 flood *f = vv;
468 octet buf[PKBUFSZ];
469 size_t sz;
470
471 sz = RND(f->sz);
472 sz += RND(f->sz);
473 sz += RND(f->sz);
474 sz += RND(f->sz);
475 sz /= 2;
476
477 rng->ops->fill(rng, buf, sz);
478 if (f->type < 0x100) buf[0] = f->type;
479 puts("flood packet");
480 PASS(f->p->f, buf, sz);
481 setflood(f);
482 }
483
484 static void setflood(flood *f)
485 {
486 struct timeval tv;
487 gettimeofday(&tv, 0);
488 TV_ADDL(&tv, &tv, 0, RND(f->t));
489 sel_addtimer(&sel, &f->tm, &tv, floodtimer, f);
490 }
491
492 static void doflood(peer *p, unsigned ac, char **av)
493 {
494 flood *f;
495 if (ac > 3) die(1, "syntax: flood[:TYPE:MILLIS:SIZE]");
496 f = CREATE(flood);
497 f->p = p;
498 if (ac > 0) f->type = strtoul(av[0], 0, 16);
499 else f->type = 0x100;
500 if (ac > 1) f->t = atoi(av[1]);
501 else f->t = 10;
502 if (ac > 2) f->sz = atoi(av[2]);
503 else f->sz = 128;
504 f->t *= 1000;
505 setflood(f);
506 }
507
508 /*----- Configuration commands --------------------------------------------*/
509
510 static void parse(char *p);
511
512 static void addflood(unsigned ac, char **av) {
513 doflood(&peers[0], ac, av);
514 doflood(&peers[1], ac, av);
515 }
516 static void addlflood(unsigned ac, char **av) {
517 doflood(&peers[0], ac, av);
518 }
519 static void addrflood(unsigned ac, char **av) {
520 doflood(&peers[1], ac, av);
521 }
522
523 static void addfilter(unsigned ac, char **av) {
524 dofilter(&peers[0], &peers[1], ac, av);
525 dofilter(&peers[1], &peers[0], ac, av);
526 }
527 static void addlfilter(unsigned ac, char **av) {
528 dofilter(&peers[0], &peers[1], ac, av);
529 }
530 static void addrfilter(unsigned ac, char **av) {
531 dofilter(&peers[1], &peers[0], ac, av);
532 }
533
534 static void include(unsigned ac, char **av)
535 {
536 FILE *fp;
537 dstr d = DSTR_INIT;
538 if (!ac) die(1, "syntax: include:FILE:...");
539 while (*av) {
540 if ((fp = fopen(*av, "r")) == 0)
541 die(1, "fopen `%s': %s", *av, strerror(errno));
542 while (dstr_putline(&d, fp) != EOF) { parse(d.buf); DRESET(&d); }
543 fclose(fp);
544 av++;
545 }
546 }
547
548 const struct cmdtab {
549 const char *name;
550 void (*func)(unsigned /*ac*/, char **/*av*/);
551 } cmdtab[] = {
552 { "peer", addpeer },
553 { "include", include },
554 { "filt", addfilter },
555 { "lfilt", addlfilter },
556 { "rfilt", addrfilter },
557 { "next", nextfork },
558 { "flood", addflood },
559 { "lflood", addlflood },
560 { "rflood", addrflood },
561 { 0, 0 }
562 };
563
564 #define AVMAX 16
565
566 static void parse(char *p)
567 {
568 char *v[AVMAX];
569 unsigned c = 0;
570 const struct cmdtab *ct;
571
572 p = strtok(p, delim);
573 if (!p || *p == '#') return;
574 do {
575 v[c++] = p;
576 p = strtok(0, delim);
577 } while (p && c < AVMAX - 1);
578 v[c] = 0;
579 for (ct = cmdtab; ct->name; ct++) {
580 if (strcmp(ct->name, v[0]) == 0) {
581 ct->func(c - 1, v + 1);
582 return;
583 }
584 }
585 die(1, "unknown command `%s'", v[0]);
586 }
587
588 /*----- Main driver -------------------------------------------------------*/
589
590 static void version(FILE *fp)
591 { pquis(fp, "$, TrIPE version " VERSION "\n"); }
592
593 static void usage(FILE *fp)
594 { pquis(fp, "Usage: $ [-d CHAR] [-k KEYRING] DIRECTIVE...\n"); }
595
596 static void help(FILE *fp)
597 {
598 version(fp);
599 putc('\n', fp);
600 usage(fp);
601 fputs("\n\
602 Options:\n\
603 \n\
604 -h, --help Show this help text.\n\
605 -v, --version Show the version number.\n\
606 -u, --usage Show terse usage summary.\n\
607 \n\
608 -d, --delimiter=CHAR Use CHAR rather than `:' as delimiter.\n\
609 -k, --keyring=FILE Fetch keys from FILE.\n\
610 \n\
611 Directives:\n\
612 peer:NAME:LOCAL-PORT:REMOTE-ADDR:REMOTE-PORT\n\
613 include:FILE\n\
614 {,l,r}filt:FILTER:ARGS:...\n\
615 next:TAG\n\
616 {,l,r}flood:TYPE:MILLIS:SIZE\n\
617 \n\
618 Filters:\n\
619 send\n\
620 fork:TAG\n\
621 delay:QLEN[:MILLIS:P-REPLAY]\n\
622 drop[:P-DROP]\n\
623 corrupt[:P-CORRUPT]\n",
624 fp);
625 }
626
627 int main(int argc, char *argv[])
628 {
629 const char *kfname = "keyring.pub";
630 int i;
631 unsigned f = 0;
632 char buf[32];
633 static octet zero[CHACHA_NONCESZ];
634
635 #define f_bogus 1u
636
637 ego(argv[0]);
638 for (;;) {
639 static const struct option opt[] = {
640 { "help", 0, 0, 'h' },
641 { "version", 0, 0, 'v' },
642 { "usage", 0, 0, 'u' },
643 { "delimiter", OPTF_ARGREQ, 0, 'd' },
644 { "keyring", OPTF_ARGREQ, 0, 'k' },
645 { 0, 0, 0, 0 }
646 };
647 if ((i = mdwopt(argc, argv, "hvud:k:", opt, 0, 0, 0)) < 0) break;
648 switch (i) {
649 case 'h': help(stdout); exit(0);
650 case 'v': version(stdout); exit(0);
651 case 'u': usage(stdout); exit(0);
652 case 'd':
653 if (!optarg[0] || optarg[1])
654 die(1, "delimiter must be a single character");
655 delim = optarg;
656 break;
657 case 'k': kfname = optarg; break;
658 default: f |= f_bogus; break;
659 }
660 }
661 if (f & f_bogus) { usage(stderr); exit(1); }
662
663 rand_noisesrc(RAND_GLOBAL, &noise_source);
664 rand_seed(RAND_GLOBAL, 256);
665 rand_get(RAND_GLOBAL, buf, sizeof(buf));
666 rng = chacha20_rand(buf, sizeof(buf), zero);
667 sel_init(&sel);
668 if (key_open(&keys, kfname, KOPEN_READ, key_moan, 0))
669 die(1, "couldn't open `%s': %s", kfname, strerror(errno));
670 for (i = optind; i < argc; i++) parse(argv[i]);
671 if (npeer != 2) die(1, "need two peers");
672 for (;;) {
673 if (sel_select(&sel) && errno != EINTR)
674 die(1, "select failed: %s", strerror(errno));
675 }
676
677 #undef f_bogus
678 }
679
680 /*----- That's all, folks -------------------------------------------------*/
Trivial IP Encryption: a simple VPN