1fb3cba0 |
1 | /* |
2 | * Encrypting tunnel for userv-ipif tunnels, actual implementation |
f0e54a99 |
3 | */ |
4 | /* |
1fb3cba0 |
5 | * usage: |
09966b49 |
6 | * udptunnel-forwarder <optchars> |
7 | * <public-local-fd> <private-in-fd> <private-out-fd> |
8 | * <encdec-keys-fd> |
1fb3cba0 |
9 | * <mtu> <keepalive> <timeout> |
10 | * <public-remote-addr> [<public-remote-port>] |
ed509ebd |
11 | * |<mech1> [<mech1-params> ...] |
12 | * |<mech2> [<mech2-params> ...] |
1fb3cba0 |
13 | * '' |
14 | * |
15 | * Remote addr may '' to mean wait to receive a packet and reply to |
16 | * whereever we get a good packet from first, in which case port |
17 | * should not be specified. |
18 | * |
09966b49 |
19 | * <optchars> is zero or more of |
20 | * w means generate and write encdec keys, rather than reading them |
0f4b558c |
21 | * K means do crypto debug (use with care!) |
1fb3cba0 |
22 | * |
ed509ebd |
23 | * encdec keys datastream has keys for packets from key datastream |
24 | * writer to reader first, then keys for packets from reader to |
25 | * writer. |
26 | * |
1fb3cba0 |
27 | * Every must be numeric. There is very little argument checking. |
28 | * |
29 | * Exit status: |
30 | * SIGALARM timed out |
31 | * 0 terminated due to outbound packet stream EOF |
32 | * 4 other error |
33 | * 8 system problem |
34 | * 12 usage error |
35 | * 16 bad trouble |
36 | */ |
f0e54a99 |
37 | /* |
38 | * Copyright (C) 2000 Ian Jackson |
39 | * |
40 | * This is free software; you can redistribute it and/or modify it |
41 | * under the terms of the GNU General Public License as published by |
42 | * the Free Software Foundation; either version 2 of the License, or |
43 | * (at your option) any later version. |
44 | * |
45 | * This program is distributed in the hope that it will be useful, but |
46 | * WITHOUT ANY WARRANTY; without even the implied warranty of |
47 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
48 | * General Public License for more details. |
49 | * |
50 | * You should have received a copy of the GNU General Public License |
51 | * along with userv-utils; if not, write to the Free Software |
52 | * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
53 | */ |
1fb3cba0 |
54 | |
55 | #include <sys/socket.h> |
56 | #include <netinet/in.h> |
57 | #include <arpa/inet.h> |
58 | #include <sys/utsname.h> |
59 | #include <sys/poll.h> |
60 | |
61 | #include <string.h> |
62 | #include <errno.h> |
63 | #include <assert.h> |
64 | #include <stdlib.h> |
65 | |
66 | #include <unistd.h> |
67 | #include <fcntl.h> |
68 | |
f9e59051 |
69 | #include "forwarder.h" |
1fb3cba0 |
70 | |
71 | #define MAXMECHS 10 |
1fb3cba0 |
72 | |
1fb3cba0 |
73 | static size_t buffer_size; |
0f4b558c |
74 | static struct utsname uname_result; |
1fb3cba0 |
75 | |
09966b49 |
76 | static const char *opt_chars; |
1fb3cba0 |
77 | static int public_local_fd, private_in_fd, private_out_fd; |
78 | static int mtu2, keepalive, timeout; |
79 | static int public_remote_specd; |
80 | static struct sockaddr_in public_remote; |
09966b49 |
81 | static int encdec_keys_fd, encdec_keys_write, crypto_debug; |
1fb3cba0 |
82 | static int n_mechs; |
83 | static const struct mechanism *mechs[MAXMECHS]; |
84 | |
85 | static struct mechdata *md_in[MAXMECHS], *md_out[MAXMECHS]; |
86 | static size_t maxprefix, maxsuffix; |
87 | |
88 | static struct buffer buf_in, buf_out; |
89 | static unsigned char *accum_buf; |
90 | static size_t accum_used, accum_avail; |
91 | |
92 | static time_t nextsendka; |
93 | |
09966b49 |
94 | static void cdebug(int mechno /*or -1*/, const char *msg) { |
95 | if (!crypto_debug) return; |
ed509ebd |
96 | printf("%-8.8s: CRYPTO: %-20s %s\n", |
97 | uname_result.nodename, |
0f4b558c |
98 | mechno >= 0 ? mechs[mechno]->name : "", |
09966b49 |
99 | msg); |
100 | } |
101 | |
0f4b558c |
102 | static void cdebughex(int mechno /*or -1*/, const char *msg, const void *ptr, |
103 | size_t sz, size_t skipbefore, |
104 | int spc_offset, int dot_offset) { |
09966b49 |
105 | const unsigned char *p; |
0f4b558c |
106 | size_t i; |
107 | unsigned j= dot_offset; |
09966b49 |
108 | |
109 | if (!crypto_debug) return; |
0f4b558c |
110 | printf("%-8.8s: CRYPTO: %-20s %-10s", |
111 | uname_result.nodename, |
112 | mechno >= 0 ? mechs[mechno]->name : "", |
09966b49 |
113 | msg); |
0f4b558c |
114 | |
115 | for (i=0; i<spc_offset; i++, j++) fputs(j&3 ? " " : " ",stdout); |
116 | for (i=0; i<skipbefore; i++, j++) fputs(j&3 ? ".." : " ..",stdout); |
117 | for (i=0, p=ptr; i<sz; i++, j++, p++) printf(j&3 ? "%02x" : " %02x",*p); |
118 | |
09966b49 |
119 | fputc('\n',stdout); |
120 | } |
121 | |
0f4b558c |
122 | static void cdebugbuf(int mechno /*or -1*/, const char *msg, |
123 | const struct buffer *buf, int spc_offset, int dot_offset) { |
124 | cdebughex(mechno, msg, buf->start, buf->size, buf->start - buf->base, |
125 | spc_offset, dot_offset); |
126 | } |
127 | |
09966b49 |
128 | void get_random(void *ptr, size_t sz) { |
129 | static FILE *randfile; |
130 | |
131 | size_t r; |
132 | |
133 | if (!randfile) { |
134 | randfile= fopen("/dev/urandom","rb"); |
135 | if (!randfile && errno==ENOENT) randfile= fopen("/dev/random","rb"); |
136 | if (!randfile) sysfail("open random number generator"); |
137 | } |
138 | |
139 | r= fread(ptr,1,sz,randfile); |
0f4b558c |
140 | if (r != sz) |
141 | (ferror(randfile) ? sysfail : fail)("cannot read random number generator"); |
09966b49 |
142 | |
0f4b558c |
143 | cdebughex(-1, "get_random", ptr, sz, 0,0,0); |
09966b49 |
144 | } |
1fb3cba0 |
145 | |
f9e59051 |
146 | void random_key(void *ptr, size_t sz) { |
147 | if (encdec_keys_write) { |
148 | get_random(ptr,sz); |
149 | write_must(encdec_keys_fd,ptr,sz,"write keys datastream"); |
150 | } else { |
151 | read_must(encdec_keys_fd,ptr,sz,"read keys datastream"); |
ed509ebd |
152 | cdebughex(-1, "random_key", ptr, sz, 0,0,0); |
1fb3cba0 |
153 | } |
1fb3cba0 |
154 | } |
155 | |
1fb3cba0 |
156 | |
157 | static void setnonblock(int fd, int nonblock) { |
158 | int r; |
159 | |
160 | r= fcntl(fd,F_GETFL); |
161 | if (r==-1) sysfail("fcntl F_GETFL"); |
162 | r= fcntl(fd,F_SETFL, nonblock ? r|O_NONBLOCK : r&~O_NONBLOCK); |
163 | if (r==-1) sysfail("fcntl F_SETFL"); |
164 | } |
165 | |
0f4b558c |
166 | static const struct mechanism *find_mech(const char *name) { |
1fb3cba0 |
167 | const struct mechanism *mech, *const *mechlist; |
168 | |
1fb3cba0 |
169 | for (mechlist= mechanismlists; |
170 | *mechlist; |
171 | mechlist++) |
172 | for (mech= *mechlist; mech->name; mech++) |
173 | if (!strcmp(mech->name,name)) return mech; |
174 | |
175 | fprintf(stderr,"%s: unknown mechanism: %s\n",programid,name); |
176 | exit(4); |
177 | } |
178 | |
179 | static void inbound(void) { |
180 | static int any_recvd; |
181 | |
182 | struct sockaddr_in this_saddr; |
183 | int r, i, different, this_saddrlen; |
184 | const char *emsg; |
185 | |
9d4e63db |
186 | buf_in.start= buf_in.base+1; |
187 | buf_in.size= buffer_size-2; |
188 | |
1fb3cba0 |
189 | setnonblock(public_local_fd,1); |
190 | this_saddrlen= sizeof(this_saddr); |
9d4e63db |
191 | r= recvfrom(public_local_fd, buf_in.start, buf_in.size, 0, |
1fb3cba0 |
192 | &this_saddr, &this_saddrlen); |
193 | if (!r) { diag("empty ciphertext"); return; } |
194 | |
195 | if (r<0) { |
f9e59051 |
196 | if (errno != EAGAIN && errno != EINTR) { sysdiag("receive"); sleep(1); } |
1fb3cba0 |
197 | return; |
198 | } |
199 | if (this_saddr.sin_family != AF_INET) { |
9d4e63db |
200 | fprintf(stderr,"%s: received unknown AF %lu\n", |
1fb3cba0 |
201 | programid, (unsigned long)this_saddr.sin_family); |
202 | return; |
203 | } |
204 | assert(this_saddrlen == sizeof(this_saddr)); |
205 | |
9d4e63db |
206 | assert(r <= buf_in.size); |
207 | buf_in.size= r; |
0f4b558c |
208 | cdebugbuf(-1, "decode", &buf_in, 3,0); |
1fb3cba0 |
209 | for (i=n_mechs-1; i>=0; i--) { |
210 | emsg= mechs[i]->decode(md_in[i],&buf_in); |
211 | if (emsg) { |
f0e54a99 |
212 | if (*emsg) |
213 | fprintf(stderr, "%s: bad packet: %s: %s\n", |
214 | programid, mechs[i]->name, emsg); |
1fb3cba0 |
215 | return; |
216 | } |
0f4b558c |
217 | cdebugbuf(i, "decode", &buf_in, 3,0); |
1fb3cba0 |
218 | } |
219 | |
f9e59051 |
220 | alarm(timeout); |
221 | |
9d4e63db |
222 | different= (!public_remote_specd || |
223 | public_remote.sin_addr.s_addr != this_saddr.sin_addr.s_addr || |
224 | public_remote.sin_port != this_saddr.sin_port); |
1fb3cba0 |
225 | |
226 | if (different) { |
227 | |
228 | if (public_remote_specd==2) { |
9d4e63db |
229 | fprintf(stderr, "%s: packet from unexpected sender %s:%lu\n", |
1fb3cba0 |
230 | programid, inet_ntoa(this_saddr.sin_addr), |
9d4e63db |
231 | (unsigned long)ntohs(this_saddr.sin_port)); |
1fb3cba0 |
232 | return; |
233 | } |
234 | |
9d4e63db |
235 | fprintf(stderr, "%s: tunnel open with peer %s:%lu\n", |
1fb3cba0 |
236 | programid, inet_ntoa(this_saddr.sin_addr), |
9d4e63db |
237 | (unsigned long)ntohs(this_saddr.sin_port)); |
1fb3cba0 |
238 | nextsendka= now(); |
239 | public_remote_specd= 1; |
240 | memcpy(&public_remote,&this_saddr,sizeof(public_remote)); |
241 | |
242 | } else if (!any_recvd) { |
243 | |
244 | diag("tunnel open"); |
245 | |
246 | } |
247 | |
248 | any_recvd= 1; |
9d4e63db |
249 | |
250 | if (!buf_in.size || *buf_in.start != 0300) { |
251 | *--buf_in.start= 0300; |
252 | buf_in.size++; |
253 | } |
254 | if (buf_in.start[buf_in.size-1] != 0300) { |
255 | buf_in.start[buf_in.size++]= 0300; |
256 | } |
1fb3cba0 |
257 | |
258 | setnonblock(private_in_fd,0); |
f9e59051 |
259 | write_must(private_in_fd, buf_in.start, buf_in.size, "write down"); |
1fb3cba0 |
260 | } |
261 | |
262 | static void sendpacket(const unsigned char *message, size_t size) { |
263 | int i, r; |
264 | |
265 | buf_out.start= buf_out.base+maxprefix; |
266 | buf_out.size= size; |
267 | memcpy(buf_out.start, message, size); |
268 | |
269 | nextsendka= now() + keepalive; |
270 | |
0f4b558c |
271 | cdebugbuf(-1, "encode", &buf_out, 4,0); |
272 | for (i=0; i<n_mechs; i++) { |
273 | mechs[i]->encode(md_out[i],&buf_out); |
274 | cdebugbuf(i, "encode", &buf_out, 4,0); |
275 | } |
1fb3cba0 |
276 | assert(public_remote_specd); |
277 | |
278 | setnonblock(public_local_fd,1); |
279 | for (;;) { |
280 | r= sendto(public_local_fd, buf_out.start, buf_out.size, 0, |
281 | &public_remote, sizeof(public_remote)); |
282 | if (r == buf_out.size) break; |
283 | if (r >= 0) { diag("unexpected short send"); return; } |
284 | if (errno != EINTR) { sysdiag("send"); return; } |
285 | } |
286 | } |
287 | |
288 | static void outbound(void) { |
289 | int r; |
290 | unsigned char *after_eaten, *delim; |
291 | size_t this_packet; |
292 | |
293 | setnonblock(private_out_fd,1); |
294 | |
295 | for (;;) { |
296 | r= read(private_out_fd, accum_buf + accum_used, accum_avail - accum_used); |
297 | if (!r) { diag("outbound datastream closed, quitting"); exit(0); } |
298 | if (r<0) { |
299 | if (errno == EAGAIN) return; |
300 | if (errno == EINTR) continue; |
301 | } |
302 | accum_used += r; |
303 | assert(accum_used<=accum_avail); |
304 | |
305 | after_eaten= accum_buf; |
306 | while ((delim= memchr(after_eaten, 0300, accum_used))) { |
307 | this_packet= delim - after_eaten; |
9d4e63db |
308 | if (this_packet) sendpacket(after_eaten, this_packet); |
1fb3cba0 |
309 | accum_used -= this_packet+1; |
310 | after_eaten = delim+1; |
311 | } |
312 | memmove(accum_buf, after_eaten, accum_used); |
313 | |
314 | if (accum_used == accum_avail) { |
315 | diag("missing interpacket delimiter in output datastream"); |
316 | accum_used= 0; |
317 | } |
318 | } |
319 | } |
320 | |
321 | int main(int argc, const char *const *const argv_in) { |
322 | const char *arg; |
0f4b558c |
323 | const char *const *argv_save; |
324 | const char *const *argv_done; |
1fb3cba0 |
325 | struct pollfd pollfds[2]; |
1fb3cba0 |
326 | int i, polltimeout, r; |
327 | time_t tnow; |
328 | |
329 | argv= argv_in; |
330 | |
331 | if (uname(&uname_result)) { perror(PROGRAM ": uname failed"); exit(16); } |
332 | sprintf(programid, PROGRAM ": %.*s", SYS_NMLN, uname_result.nodename); |
09966b49 |
333 | |
334 | opt_chars= getarg_string(); |
0f4b558c |
335 | encdec_keys_write= !!strchr(opt_chars,'w'); |
336 | crypto_debug= !!strchr(opt_chars,'K'); |
09966b49 |
337 | |
1fb3cba0 |
338 | public_local_fd= getarg_ulong(); |
f9e59051 |
339 | private_in_fd= getarg_ulong(); |
340 | private_out_fd= getarg_ulong(); |
09966b49 |
341 | encdec_keys_fd= getarg_ulong(); |
342 | |
1fb3cba0 |
343 | mtu2= getarg_ulong() * 2; |
344 | keepalive= getarg_ulong(); |
345 | timeout= getarg_ulong(); |
1fb3cba0 |
346 | |
347 | arg= getarg_string(); |
348 | if (*arg) { |
349 | public_remote_specd= 1; |
9d4e63db |
350 | public_remote.sin_family= AF_INET; |
1fb3cba0 |
351 | arg_assert(inet_aton(arg,&public_remote.sin_addr)); |
9d4e63db |
352 | public_remote.sin_port= htons(getarg_ulong()); |
1fb3cba0 |
353 | } |
354 | |
09966b49 |
355 | if (crypto_debug) { |
356 | diag("crypto debugging enabled!"); |
357 | setvbuf(stdout,0,_IOLBF,0); |
358 | } |
1fb3cba0 |
359 | |
360 | maxprefix= 0; |
0f4b558c |
361 | i= 0; |
362 | while ((arg= *++argv)) { |
ed509ebd |
363 | arg_assert(*arg++ == '|'); |
0f4b558c |
364 | arg_assert(i <= MAXMECHS); |
365 | mechs[i]= find_mech(arg); |
0f4b558c |
366 | |
ed509ebd |
367 | cdebug(i,"writer->reader setup"); |
0f4b558c |
368 | argv_save= argv; |
ed509ebd |
369 | |
370 | if (encdec_keys_write) |
371 | mechs[i]->encsetup(&md_out[i], &maxprefix, &maxsuffix); |
372 | else |
373 | mechs[i]->decsetup(&md_in[i]); |
0f4b558c |
374 | |
375 | argv_done= argv; |
376 | argv= argv_save; |
ed509ebd |
377 | cdebug(i,"reader->writer setup"); |
378 | |
379 | if (encdec_keys_write) |
380 | mechs[i]->decsetup(&md_in[i]); |
381 | else |
382 | mechs[i]->encsetup(&md_out[i], &maxprefix, &maxsuffix); |
0f4b558c |
383 | |
384 | assert(argv == argv_done); |
385 | |
386 | i++; |
09966b49 |
387 | } |
0f4b558c |
388 | n_mechs= i; |
1fb3cba0 |
389 | |
390 | if (maxprefix<1) maxprefix= 1; |
391 | if (maxsuffix<1) maxsuffix= 1; |
392 | buffer_size= mtu2 + maxprefix + maxsuffix; |
393 | buf_in.base= xmalloc(buffer_size); |
394 | buf_out.base= xmalloc(buffer_size); |
395 | accum_avail= mtu2 + 1; |
396 | accum_buf= xmalloc(accum_avail); |
397 | |
398 | alarm(timeout); |
399 | |
400 | pollfds[0].fd= public_local_fd; |
401 | pollfds[0].events= POLLIN; |
402 | pollfds[1].fd= private_out_fd; |
403 | for (;;) { |
404 | pollfds[1].events= public_remote_specd ? POLLIN : 0; |
405 | pollfds[0].revents= 0; |
406 | pollfds[1].revents= 0; |
407 | |
408 | if (keepalive) { |
409 | tnow= now(); |
9d4e63db |
410 | if (tnow >= nextsendka && public_remote_specd) sendpacket("\300",1); |
1fb3cba0 |
411 | polltimeout= (nextsendka - tnow)*1000; |
412 | } else { |
413 | polltimeout= -1; |
414 | } |
415 | |
416 | r= poll(pollfds,2,polltimeout); |
417 | if (!r) continue; |
418 | if (r==-1 && errno==EINTR) continue; |
419 | if (r==-1) sysfail("poll"); |
420 | |
9d4e63db |
421 | if (pollfds[0].revents & (POLLIN|POLLERR)) inbound(); |
422 | if (pollfds[1].revents & (POLLIN|POLLERR)) outbound(); |
1fb3cba0 |
423 | } |
424 | } |