X-Git-Url: https://git.distorted.org.uk/~mdw/tripe/blobdiff_plain/e9fcf28eed6a6e44d2e2b963b06bad2ae76309e1..HEAD:/server/tripe.h diff --git a/server/tripe.h b/server/tripe.h index 5550c1fd..ea980c6b 100644 --- a/server/tripe.h +++ b/server/tripe.h @@ -62,10 +62,17 @@ #include #include +#ifdef HAVE_LIBADNS +# define ADNS_FEATURE_MANYAF +# include +#endif + #include #include #include -#include +#ifndef HAVE_LIBADNS +# include +#endif #include #include #include @@ -92,9 +99,11 @@ #include #include +#include #include #include #include +#include #include #include #include @@ -402,6 +411,7 @@ struct algswitch { struct kdata { unsigned ref; /* Reference counter */ struct knode *kn; /* Pointer to cache entry */ + uint32 id; /* The underlying key's id */ char *tag; /* Full tag name of the key */ dhgrp *grp; /* The group we work in */ dhsc *k; /* The private key (or null) */ @@ -427,6 +437,27 @@ extern const bulkops bulktab[]; /*----- Data structures ---------------------------------------------------*/ +/* --- The address-family table --- */ + +#define ADDRFAM(_) \ + _(INET, want_ipv4) \ + _(INET6, want_ipv6) + +enum { +#define ENUM(af, qf) AFIX_##af, + ADDRFAM(ENUM) +#undef ENUM + NADDRFAM +}; + +extern const struct addrfam { + int af; + const char *name; +#ifdef HAVE_LIBADNS + adns_queryflags qf; +#endif +} aftab[NADDRFAM]; + /* --- Socket addresses --- * * * A magic union of supported socket addresses. @@ -435,6 +466,7 @@ extern const bulkops bulktab[]; typedef union addr { struct sockaddr sa; struct sockaddr_in sin; + struct sockaddr_in6 sin6; } addr; /* --- Mapping keyed on addresses --- */ @@ -568,7 +600,7 @@ typedef struct tunnel_ops { const char *name; /* Name of this tunnel driver */ unsigned flags; /* Various interesting flags */ #define TUNF_PRIVOPEN 1u /* Need helper to open file */ - void (*init)(void); /* Initializes the system */ + int (*init)(void); /* Initializes the system */ tunnel *(*create)(struct peer */*p*/, int /*fd*/, char **/*ifn*/); /* Initializes a new tunnel */ void (*setifname)(tunnel */*t*/, const char */*ifn*/); @@ -581,6 +613,10 @@ typedef struct tunnel_ops { struct tunnel { const tunnel_ops *ops; }; #endif +typedef struct tun_iter { + const struct tunnel_node *next; +} tun_iter; + /* --- Peer statistics --- * * * Contains various interesting and not-so-interesting statistics about a @@ -609,12 +645,14 @@ typedef struct peerspec { char *name; /* Peer's name */ char *privtag; /* Private key tag */ char *tag; /* Public key tag */ + char *knock; /* Knock string, or null */ const tunnel_ops *tops; /* Tunnel operations */ unsigned long t_ka; /* Keep alive interval */ addr sa; /* Socket address to speak to */ unsigned f; /* Flags for the peer */ #define PSF_KXMASK 255u /* Key-exchange flags to set */ #define PSF_MOBILE 256u /* Address may change rapidly */ +#define PSF_EPHEM 512u /* Association is ephemeral */ } peerspec; typedef struct peer_byname { @@ -632,6 +670,7 @@ typedef struct peer { peer_byaddr *byaddr; /* Lookup-by-address block */ struct ping *pings; /* Pings we're waiting for */ peerspec spec; /* Specifications for this peer */ + int afix; /* Index of address family */ tunnel *t; /* Tunnel for local packets */ char *ifname; /* Interface name for tunnel */ keyset *ks; /* List head for keysets */ @@ -643,6 +682,11 @@ typedef struct peer { typedef struct peer_iter { sym_iter i; } peer_iter; +typedef struct udpsocket { + sel_file sf; /* Selector for the socket */ + unsigned port; /* Chosen port number */ +} udpsocket; + typedef struct ping { struct ping *next, *prev; /* Links to next and previous */ peer *p; /* Peer so we can free it */ @@ -688,9 +732,14 @@ typedef struct admin_bgop { typedef struct admin_resop { admin_bgop bg; /* Background operation header */ char *addr; /* Hostname to be resolved */ +#ifdef HAVE_LIBADNS + adns_query q; +#else bres_client r; /* Background resolver task */ +#endif sel_timer t; /* Timer for resolver */ addr sa; /* Socket address */ + unsigned port; /* Port number chosen */ size_t sasz; /* Socket address size */ void (*func)(struct admin_resop *, int); /* Handler */ } admin_resop; @@ -772,10 +821,9 @@ struct admin { extern sel_state sel; /* Global I/O event state */ extern octet buf_i[PKBUFSZ], buf_o[PKBUFSZ], buf_t[PKBUFSZ], buf_u[PKBUFSZ]; -extern const tunnel_ops *tunnels[]; /* Table of tunnels (0-term) */ -extern const tunnel_ops *tun_default; /* Default tunnel to use */ +extern udpsocket udpsock[NADDRFAM]; /* The master UDP sockets */ extern kdata *master; /* Default private key */ -extern const char *tag_priv; /* Default private key tag */ +extern char *tag_priv; /* Default private key tag */ #ifndef NTRACE extern const trace_opt tr_opts[]; /* Trace options array */ @@ -795,14 +843,14 @@ extern unsigned tr_flags; /* Trace options flags */ * @const char *pubkr@ = public keyring file * @const char *ptag@ = default private-key tag * - * Returns: --- + * Returns: Zero on success, @-1@ on failure. * * Use: Initializes the key-management machinery, loading the * keyrings and so on. */ -extern void km_init(const char */*privkr*/, const char */*pubkr*/, - const char */*ptag*/); +extern int km_init(const char */*privkr*/, const char */*pubkr*/, + const char */*ptag*/); /* --- @km_reload@ --- * * @@ -815,6 +863,20 @@ extern void km_init(const char */*privkr*/, const char */*pubkr*/, extern int km_reload(void); +/* --- @km_clear@ --- * + * + * Arguments: --- + * + * Returns: --- + * + * Use: Forget the currently loaded keyrings. The @master@ key will + * be cleared, but other keys already loaded will continue to + * exist until their reference count drops to zero. Call + * @km_init@ to make everything work again. + */ + +extern void km_clear(void); + /* --- @km_findpub@, @km_findpriv@ --- * * * Arguments: @const char *tag@ = key tag to load @@ -827,6 +889,19 @@ extern int km_reload(void); extern kdata *km_findpub(const char */*tag*/); extern kdata *km_findpriv(const char */*tag*/); +/* --- @km_findpubbyid@, @km_findprivbyid@ --- * + * + * Arguments: @uint32 id@ = key id to load + * + * Returns: Pointer to the kdata object if successful, or null on error. + * + * Use: Fetches a public or private key from the keyring given its + * numeric id. + */ + +extern kdata *km_findpubbyid(uint32 /*id*/); +extern kdata *km_findprivbyid(uint32 /*id*/); + /* --- @km_samealgsp@ --- * * * Arguments: @const kdata *kdx, *kdy@ = two key data objects @@ -889,16 +964,18 @@ extern void kx_start(keyexch */*kx*/, int /*forcep*/); /* --- @kx_message@ --- * * * Arguments: @keyexch *kx@ = pointer to key exchange context + * @const addr *a@ = sender's IP address and port * @unsigned msg@ = the message code * @buf *b@ = pointer to buffer containing the packet * - * Returns: --- + * Returns: Nonzero if the sender's address was unknown. * * Use: Reads a packet containing key exchange messages and handles * it. */ -extern void kx_message(keyexch */*kx*/, unsigned /*msg*/, buf */*b*/); +extern int kx_message(keyexch */*kx*/, const addr */*a*/, + unsigned /*msg*/, buf */*b*/); /* --- @kx_free@ --- * * @@ -942,6 +1019,17 @@ extern void kx_newkeys(keyexch */*kx*/); extern int kx_setup(keyexch */*kx*/, peer */*p*/, keyset **/*ks*/, unsigned /*f*/); +/* --- @kx_init@ --- * + * + * Arguments: --- + * + * Returns: --- + * + * Use: Initializes the key-exchange logic. + */ + +extern void kx_init(void); + /*----- Keysets and symmetric cryptography --------------------------------*/ /* --- @ks_drop@ --- * @@ -1163,7 +1251,9 @@ extern int c_check(const void */*m*/, size_t /*msz*/, buf */*b*/); * * * "?PEER" PEER -- peer's name * - * * "?ERRNO" ERRNO -- system error code + * * "?ERR" CODE -- system error code + * + * * "?ERRNO" -- system error code from @errno@ * * * "[!]..." ... -- @dstr_putf@-like string as single token */ @@ -1227,22 +1317,14 @@ extern void EXECL_LIKE(0) a_notify(const char */*fmt*/, ...); * * Returns: --- * - * Use: Creates a new admin connection. + * Use: Creates a new admin connection. It's safe to call this + * before @a_init@ -- and, indeed, this makes sense if you also + * call @a_switcherr@ to report initialization errors through + * the administration machinery. */ extern void a_create(int /*fd_in*/, int /*fd_out*/, unsigned /*f*/); -/* --- @a_quit@ --- * - * - * Arguments: --- - * - * Returns: --- - * - * Use: Shuts things down nicely. - */ - -extern void a_quit(void); - /* --- @a_preselect@ --- * * * Arguments: --- @@ -1267,6 +1349,61 @@ extern void a_preselect(void); extern void a_daemon(void); +/* --- @a_listen@ --- * + * + * Arguments: @const char *name@ = socket name to create + * @uid_t u@ = user to own the socket + * @gid_t g@ = group to own the socket + * @mode_t m@ = permissions to set on the socket + * + * Returns: Zero on success, @-1@ on failure. + * + * Use: Creates the admin listening socket. + */ + +extern int a_listen(const char */*sock*/, + uid_t /*u*/, gid_t /*g*/, mode_t /*m*/); + +/* --- @a_unlisten@ --- * + * + * Arguments: --- + * + * Returns: --- + * + * Use: Stops listening to the administration socket and removes it. + */ + +extern void a_unlisten(void); + +/* --- @a_switcherr@ --- * + * + * Arguments: --- + * + * Returns: --- + * + * Use: Arrange to report warnings, trace messages, etc. to + * administration clients rather than the standard-error stream. + * + * Obviously this makes no sense unless there is at least one + * client established. Calling @a_listen@ won't help with this, + * because the earliest a new client can connect is during the + * first select-loop iteration, which is too late: some initial + * client must have been added manually using @a_create@. + */ + +extern void a_switcherr(void); + +/* --- @a_signals@ --- * + * + * Arguments: --- + * + * Returns: --- + * + * Use: Establishes handlers for the obvious signals. + */ + +extern void a_signals(void); + /* --- @a_init@ --- * * * Arguments: @const char *sock@ = socket name to create @@ -1274,13 +1411,12 @@ extern void a_daemon(void); * @gid_t g@ = group to own the socket * @mode_t m@ = permissions to set on the socket * - * Returns: --- + * Returns: Zero on success, @-1@ on failure. * * Use: Creates the admin listening socket. */ -extern void a_init(const char */*sock*/, - uid_t /*u*/, gid_t /*g*/, mode_t /*m*/); +extern int a_init(void); /*----- Mapping with addresses as keys ------------------------------------*/ @@ -1380,13 +1516,13 @@ extern int ps_tunfd(const tunnel_ops */*tops*/, char **/*ifn*/); * * Arguments: @int detachp@ = whether to detach the child from its terminal * - * Returns: --- + * Returns: Zero on success, @-1@ on failure. * * Use: Separates off the privileged tunnel-opening service from the * rest of the server. */ -extern void ps_split(int /*detachp*/); +extern int ps_split(int /*detachp*/); /* --- @ps_quit@ --- * * @@ -1427,6 +1563,20 @@ extern int p_updateaddr(peer */*p*/, const addr */*a*/); extern buf *p_txstart(peer */*p*/, unsigned /*msg*/); +/* --- @p_txaddr@ --- * + * + * Arguments: @const addr *a@ = recipient address + * @const void *p@ = pointer to packet to send + * @size_t sz@ = length of packet + * + * Returns: Zero if successful, nonzero on error. + * + * Use: Sends a packet to an address which (possibly) isn't a current + * peer. + */ + +extern int p_txaddr(const addr */*a*/, const void */*p*/, size_t /*sz*/); + /* --- @p_txend@ --- * * * Arguments: @peer *p@ = pointer to peer block @@ -1555,26 +1705,123 @@ extern void p_setifname(peer */*p*/, const char */*name*/); extern const addr *p_addr(peer */*p*/); +/* --- @p_bind@ --- * + * + * Arguments: @struct addrinfo *ailist@ = addresses to bind to + * + * Returns: Zero on success, @-1@ on failure. + * + * Use: Binds to the main UDP sockets. + */ + +extern int p_bind(struct addrinfo */*ailist*/); + +/* --- @p_unbind@ --- * + * + * Arguments: --- + * + * Returns: --- + * + * Use: Unbinds the UDP sockets. There must not be any active peers, + * and none can be created until the sockets are rebound. + */ + +extern void p_unbind(void); + /* --- @p_init@ --- * * - * Arguments: @struct in_addr addr@ = address to bind to - * @unsigned port@ = port number to listen to + * Arguments: --- * * Returns: --- * - * Use: Initializes the peer system; creates the socket. + * Use: Initializes the peer system. */ -extern void p_init(struct in_addr /*addr*/, unsigned /*port*/); +extern void p_init(void); -/* --- @p_port@ --- * +/* --- @p_addtun@ --- * + * + * Arguments: @const tunnel_ops *tops@ = tunnel ops to add + * + * Returns: Zero on success, @-1@ on failure. + * + * Use: Adds a tunnel class to the list of known classes, if it + * initializes properly. If there is no current default tunnel, + * then this one is made the default. + * + * Does nothing if the tunnel class is already known. So adding + * a bunch of tunnels takes quadratic time, but there will be + * too few to care about. + */ + +extern int p_addtun(const tunnel_ops */*tops*/); + +/* --- @p_setdflttun@ --- * + * + * Arguments: @const tunnel_ops *tops@ = tunnel ops to set + * + * Returns: --- + * + * Use: Sets the default tunnel. It must already be registered. The + * old default is forgotten. + */ + +extern void p_setdflttun(const tunnel_ops */*tops*/); + +/* --- @p_dflttun@ --- * * * Arguments: --- * - * Returns: Port number used for socket. + * Returns: A pointer to the current default tunnel operations, or null + * if no tunnels are defined. + */ + +extern const tunnel_ops *p_dflttun(void); + +/* --- @p_findtun@ --- * + * + * Arguments: @const char *name@ = tunnel name + * + * Returns: Pointer to the tunnel operations, or null. + * + * Use: Finds the operations for a named tunnel class. + */ + +extern const tunnel_ops *p_findtun(const char */*name*/); + +/* --- @p_mktuniter@ --- * + * + * Arguments: @tuniter *i@ = pointer to iterator to initialize + * + * Returns: --- + * + * Use: Initializes a tunnel iterator. + */ + +extern void p_mktuniter(tun_iter */*i*/); + +/* --- @p_nexttun@ --- * + * + * Arguments: @tuniter *i@ = pointer to iterator + * + * Returns: Pointer to the next tunnel's operations, or null. */ -unsigned p_port(void); +extern const tunnel_ops *p_nexttun(tun_iter */*i*/); + +/* --- @FOREACH_TUN@ --- * + * + * Arguments: @tops@ = name to bind to each tunnel + * @stuff@ = thing to do for each item + * + * Use: Does something for each known tunnel class. + */ + +#define FOREACH_TUN(tops, stuff) do { \ + tun_iter i_; \ + const tunnel_ops *tops; \ + for (p_mktuniter(&i_); (tops = p_nexttun(&i_)) != 0; ) stuff; \ +} while (0) /* --- @p_create@ --- * * @@ -1651,13 +1898,25 @@ extern peer *p_find(const char */*name*/); /* --- @p_destroy@ --- * * * Arguments: @peer *p@ = pointer to a peer + * @int bye@ = say goodbye to the peer? * * Returns: --- * * Use: Destroys a peer. */ -extern void p_destroy(peer */*p*/); +extern void p_destroy(peer */*p*/, int /*bye*/); + +/* --- @p_destroyall@ --- * + * + * Arguments: --- + * + * Returns: --- + * + * Use: Destroys all of the peers, saying goodbye. + */ + +extern void p_destroyall(void); /* --- @FOREACH_PEER@ --- * * @@ -1695,6 +1954,68 @@ extern void p_mkiter(peer_iter */*i*/); extern peer *p_next(peer_iter */*i*/); +/*----- The interval timer ------------------------------------------------*/ + +/* --- @iv_addreason@ --- * + * + * Arguments: --- + * + * Returns: --- + * + * Use: Adds an `interval timer reason'; if there are no others, the + * interval timer is engaged. + */ + +extern void iv_addreason(void); + +/* --- @iv_rmreason@ --- * + * + * Arguments: --- + * + * Returns: --- + * + * Use: Removes an interval timer reason; if there are none left, the + * interval timer is disengaged. + */ + +extern void iv_rmreason(void); + +/*----- The main loop -----------------------------------------------------*/ + +/* --- @lp_init@ --- * + * + * Arguments: --- + * + * Returns: --- + * + * Use: Initializes the main loop. Most importantly, this sets up + * the select multiplexor that everything else hooks onto. + */ + +extern void lp_init(void); + +/* --- @lp_end@ --- * + * + * Arguments: --- + * + * Returns: --- + * + * Use: Requests an exit from the main loop. + */ + +extern void lp_end(void); + +/* --- @lp_run@ --- * + * + * Arguments: --- + * + * Returns: Zero on successful termination; @-1@ if things went wrong. + * + * Use: Cranks the main loop until it should be cranked no more. + */ + +extern int lp_run(void); + /*----- Tunnel drivers ----------------------------------------------------*/ #ifdef TUN_LINUX @@ -1734,6 +2055,15 @@ extern const char *timestr(time_t /*t*/); extern int mystrieq(const char */*x*/, const char */*y*/); +/* --- @afix@ --- * + * + * Arguments: @int af@ = an address family code + * + * Returns: The index of the address family's record in @aftab@, or @-1@. + */ + +extern int afix(int af); + /* --- @addrsz@ --- * * * Arguments: @const addr *a@ = a network address @@ -1743,6 +2073,19 @@ extern int mystrieq(const char */*x*/, const char */*y*/); extern socklen_t addrsz(const addr */*a*/); +/* --- @getport@, @setport@ --- * + * + * Arguments: @addr *a@ = a network address + * @unsigned port@ = port number to set + * + * Returns: --- + * + * Use: Retrieves or sets the port number in an address structure. + */ + +extern unsigned getport(addr */*a*/); +extern void setport(addr */*a*/, unsigned /*port*/); + /* --- @seq_reset@ --- * * * Arguments: @seqwin *s@ = sequence-checking window @@ -1801,6 +2144,42 @@ extern void ratelim_init(ratelim */*r*/, extern int ratelim_withdraw(ratelim */*r*/, unsigned /*n*/); +/* --- @ies_encrypt@ --- * + * + * Arguments: @kdata *kpub@ = recipient's public key + * @unsigned ty@ = message type octet + * @buf *b@ = input message buffer + * @buf *bb@ = output buffer for the ciphertext + * + * Returns: On error, returns a @KSERR_...@ code or breaks the buffer; + * on success, returns zero and the buffer is good. + * + * Use: Encrypts a message for a recipient, given their public key. + * This does not (by itself) provide forward secrecy or sender + * authenticity. The ciphertext is self-delimiting (unlike + * @ks_encrypt@). + */ + +extern int ies_encrypt(kdata */*kpub*/, unsigned /*ty*/, + buf */*b*/, buf */*bb*/); + +/* --- @ies_decrypt@ --- * + * + * Arguments: @kdata *kpub@ = private key key + * @unsigned ty@ = message type octet + * @buf *b@ = input ciphertext buffer + * @buf *bb@ = output buffer for the message + * + * Returns: On error, returns a @KSERR_...@ code; on success, returns + * zero and the buffer is good. + * + * Use: Decrypts a message encrypted using @ies_encrypt@, given our + * private key. + */ + +extern int ies_decrypt(kdata */*kpriv*/, unsigned /*ty*/, + buf */*b*/, buf */*bb*/); + /*----- That's all, folks -------------------------------------------------*/ #ifdef __cplusplus