2 * Encrypting tunnel for userv-ipif tunnels, actual core implementation
6 * udptunnel-forwarder <optchars>
7 * <public-local-fd> <private-in-fd> <private-out-fd>
9 * <mtu> <keepalive> <timeout> <reannounce>
10 * <public-remote-addr> [<public-remote-port>]
11 * |<mech1> [<mech1-params> ...]
12 * |<mech2> [<mech2-params> ...]
15 * Remote addr may '' to mean wait to receive a packet and reply to
16 * whereever we get a good packet from first, in which case port
17 * should not be specified.
19 * <optchars> is zero or more of
20 * w means generate and write encdec keys, rather than reading them
21 * K means do crypto debug (use with care!)
23 * encdec keys datastream has keys for packets from key datastream
24 * writer to reader first, then keys for packets from reader to
27 * Every addr or port must be numeric. There is very little argument checking.
31 * 0 terminated due to outbound packet stream EOF
38 * This file is part of ipif, part of userv-utils
40 * Copyright 1996-2013 Ian Jackson <ijackson@chiark.greenend.org.uk>
41 * Copyright 1998 David Damerell <damerell@chiark.greenend.org.uk>
43 * Chancellor Masters and Scholars of the University of Cambridge
44 * Copyright 2010 Tony Finch <fanf@dotat.at>
46 * This is free software; you can redistribute it and/or modify it
47 * under the terms of the GNU General Public License as published by
48 * the Free Software Foundation; either version 3 of the License, or
49 * (at your option) any later version.
51 * This program is distributed in the hope that it will be useful, but
52 * WITHOUT ANY WARRANTY; without even the implied warranty of
53 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
54 * General Public License for more details.
56 * You should have received a copy of the GNU General Public License
57 * along with userv-utils; if not, see http://www.gnu.org/licenses/.
60 #include <sys/socket.h>
61 #include <netinet/in.h>
62 #include <arpa/inet.h>
63 #include <sys/utsname.h>
74 #include "forwarder.h"
78 static size_t buffer_size
;
79 static struct utsname uname_result
;
81 static const char *opt_chars
;
82 static int public_local_fd
, private_in_fd
, private_out_fd
;
83 static int mtu2
, keepalive
, timeout
, reannounce
;
84 static int public_remote_specd
;
85 static struct sockaddr_in public_remote
;
86 static int encdec_keys_fd
, encdec_keys_write
, crypto_debug
;
88 static const struct mechanism
*mechs
[MAXMECHS
];
90 static struct mechdata
*md_in
[MAXMECHS
], *md_out
[MAXMECHS
];
91 static int maxprefix
, maxsuffix
;
93 static struct buffer buf_in
, buf_out
;
94 static unsigned char *accum_buf
;
95 static size_t accum_used
, accum_avail
;
97 static time_t nextsendka
;
99 static void cdebug(int mechno
/*or -1*/, const char *msg
) {
100 if (!crypto_debug
) return;
101 printf("%-8.8s: CRYPTO: %-20s %s\n",
102 uname_result
.nodename
,
103 mechno
>= 0 ? mechs
[mechno
]->name
: "",
107 static void cdebughex(int mechno
/*or -1*/, const char *msg
, const void *ptr
,
108 size_t sz
, size_t skipbefore
,
109 int spc_offset
, int dot_offset
) {
110 const unsigned char *p
;
112 unsigned j
= dot_offset
;
114 if (!crypto_debug
) return;
115 printf("%-8.8s: CRYPTO: %-20s %-10s",
116 uname_result
.nodename
,
117 mechno
>= 0 ? mechs
[mechno
]->name
: "",
120 for (i
=0; i
<spc_offset
; i
++, j
++) fputs(j
&3 ?
" " : " ",stdout
);
121 for (i
=0; i
<skipbefore
; i
++, j
++) fputs(j
&3 ?
".." : " ..",stdout
);
122 for (i
=0, p
=ptr
; i
<sz
; i
++, j
++, p
++) printf(j
&3 ?
"%02x" : " %02x",*p
);
127 static void cdebugbuf(int mechno
/*or -1*/, const char *msg
,
128 const struct buffer
*buf
, int spc_offset
, int dot_offset
) {
129 cdebughex(mechno
, msg
, buf
->start
, buf
->size
, buf
->start
- buf
->base
,
130 spc_offset
, dot_offset
);
133 void get_random(void *ptr
, size_t sz
) {
134 static FILE *randfile
;
139 randfile
= fopen("/dev/urandom","rb");
140 if (!randfile
&& errno
==ENOENT
) randfile
= fopen("/dev/random","rb");
141 if (!randfile
) sysfail("open random number generator");
144 r
= fread(ptr
,1,sz
,randfile
);
146 (ferror(randfile
) ? sysfail
: fail
)("cannot read random number generator");
148 cdebughex(-1, "get_random", ptr
, sz
, 0,0,0);
151 void random_key(void *ptr
, size_t sz
) {
152 if (encdec_keys_write
) {
154 write_must(encdec_keys_fd
,ptr
,sz
,"write keys datastream");
156 read_must(encdec_keys_fd
,ptr
,sz
,"read keys datastream");
157 cdebughex(-1, "random_key", ptr
, sz
, 0,0,0);
162 static void setnonblock(int fd
, int nonblock
) {
165 r
= fcntl(fd
,F_GETFL
);
166 if (r
==-1) sysfail("fcntl F_GETFL");
167 r
= fcntl(fd
,F_SETFL
, nonblock ? r
|O_NONBLOCK
: r
&~O_NONBLOCK
);
168 if (r
==-1) sysfail("fcntl F_SETFL");
171 static const struct mechanism
*find_mech(const char *name
) {
172 const struct mechanism
*mech
, *const *mechlist
;
174 for (mechlist
= mechanismlists
;
177 for (mech
= *mechlist
; mech
->name
; mech
++)
178 if (!strcmp(mech
->name
,name
)) return mech
;
180 fprintf(stderr
,"%s: unknown mechanism: %s\n",programid
,name
);
184 static void inbound(void) {
185 static int any_recvd
;
186 static time_t nextreann
;
187 static unsigned long npackets
, nbytes
;
189 struct sockaddr_in this_saddr
;
190 size_t this_saddrlen
;
194 buf_in
.start
= buf_in
.base
+1;
195 buf_in
.size
= buffer_size
-2;
197 setnonblock(public_local_fd
,1);
198 this_saddrlen
= sizeof(this_saddr
);
199 r
= recvfrom(public_local_fd
, buf_in
.start
, buf_in
.size
, 0,
200 &this_saddr
, &this_saddrlen
);
201 if (!r
) { diag("empty ciphertext"); return; }
204 if (errno
!= EAGAIN
&& errno
!= EINTR
) { sysdiag("receive"); sleep(1); }
207 if (this_saddr
.sin_family
!= AF_INET
) {
208 fprintf(stderr
,"%s: received unknown AF %lu\n",
209 programid
, (unsigned long)this_saddr
.sin_family
);
212 assert(this_saddrlen
== sizeof(this_saddr
));
214 assert(r
<= buf_in
.size
);
216 cdebugbuf(-1, "decode", &buf_in
, 3,0);
217 for (i
=n_mechs
-1; i
>=0; i
--) {
218 emsg
= mechs
[i
]->decode(md_in
[i
],&buf_in
);
221 fprintf(stderr
, "%s: bad packet: %s: %s\n",
222 programid
, mechs
[i
]->name
, emsg
);
224 cdebug(i
,"silently discarded");
227 cdebugbuf(i
, "decode", &buf_in
, 3,0);
231 nbytes
+= buf_in
.size
;
234 different
= (!public_remote_specd
||
235 public_remote
.sin_addr
.s_addr
!= this_saddr
.sin_addr
.s_addr
||
236 public_remote
.sin_port
!= this_saddr
.sin_port
);
240 if (public_remote_specd
==2) {
241 fprintf(stderr
, "%s: packet from unexpected sender %s:%lu\n",
242 programid
, inet_ntoa(this_saddr
.sin_addr
),
243 (unsigned long)ntohs(this_saddr
.sin_port
));
247 fprintf(stderr
, "%s: tunnel open with peer %s:%lu\n",
248 programid
, inet_ntoa(this_saddr
.sin_addr
),
249 (unsigned long)ntohs(this_saddr
.sin_port
));
251 public_remote_specd
= 1;
252 memcpy(&public_remote
,&this_saddr
,sizeof(public_remote
));
254 } else if (!any_recvd
) {
258 } else if (reannounce
&& now() >= nextreann
) {
260 fprintf(stderr
, "%s: tunnel still open: received %lu packets, %lu bytes\n",
261 programid
, npackets
, nbytes
);
265 goto no_set_reann
; /* only reset this if we don't print a message. */
270 nextreann
= now() + reannounce
;
276 if (!buf_in
.size
|| *buf_in
.start
!= 0300) {
277 *--buf_in
.start
= 0300;
280 if (buf_in
.start
[buf_in
.size
-1] != 0300) {
281 buf_in
.start
[buf_in
.size
++]= 0300;
284 setnonblock(private_in_fd
,0);
285 write_must(private_in_fd
, buf_in
.start
, buf_in
.size
, "write down");
288 static void sendpacket(const unsigned char *message
, size_t size
) {
291 buf_out
.start
= buf_out
.base
+maxprefix
;
293 memcpy(buf_out
.start
, message
, size
);
295 nextsendka
= now() + keepalive
;
297 cdebugbuf(-1, "encode", &buf_out
, 4,0);
298 for (i
=0; i
<n_mechs
; i
++) {
299 mechs
[i
]->encode(md_out
[i
],&buf_out
);
300 cdebugbuf(i
, "encode", &buf_out
, 4,0);
302 assert(public_remote_specd
);
304 setnonblock(public_local_fd
,1);
306 r
= sendto(public_local_fd
, buf_out
.start
, buf_out
.size
, 0,
307 &public_remote
, sizeof(public_remote
));
308 if (r
== buf_out
.size
) break;
309 if (r
>= 0) { diag("unexpected short send"); return; }
310 if (errno
!= EINTR
) { sysdiag("send"); return; }
314 static void outbound(void) {
316 unsigned char *after_eaten
, *delim
;
319 setnonblock(private_out_fd
,1);
322 r
= read(private_out_fd
, accum_buf
+ accum_used
, accum_avail
- accum_used
);
323 if (!r
) { diag("outbound datastream closed, quitting"); exit(0); }
325 if (errno
== EAGAIN
) return;
326 if (errno
== EINTR
) continue;
329 assert(accum_used
<=accum_avail
);
331 after_eaten
= accum_buf
;
332 while ((delim
= memchr(after_eaten
, 0300, accum_used
))) {
333 this_packet
= delim
- after_eaten
;
334 if (this_packet
) sendpacket(after_eaten
, this_packet
);
335 accum_used
-= this_packet
+1;
336 after_eaten
= delim
+1;
338 memmove(accum_buf
, after_eaten
, accum_used
);
340 if (accum_used
== accum_avail
) {
341 diag("missing interpacket delimiter in output datastream");
347 int main(int argc
, const char *const *const argv_in
) {
349 const char *const *argv_save
;
350 const char *const *argv_done
;
351 struct pollfd pollfds
[2];
352 int i
, polltimeout
, r
;
357 if (uname(&uname_result
)) { perror(PROGRAM
": uname failed"); exit(16); }
358 sprintf(programid
, PROGRAM
": %.*s", SYS_NMLN
, uname_result
.nodename
);
360 opt_chars
= getarg_string();
361 encdec_keys_write
= !!strchr(opt_chars
,'w');
362 crypto_debug
= !!strchr(opt_chars
,'K');
364 public_local_fd
= getarg_ulong();
365 private_in_fd
= getarg_ulong();
366 private_out_fd
= getarg_ulong();
367 encdec_keys_fd
= getarg_ulong();
369 mtu2
= getarg_ulong() * 2;
370 keepalive
= getarg_ulong();
371 timeout
= getarg_ulong();
372 reannounce
= getarg_ulong();
374 arg
= getarg_string();
376 public_remote_specd
= 1;
377 public_remote
.sin_family
= AF_INET
;
378 arg_assert(inet_aton(arg
,&public_remote
.sin_addr
));
379 public_remote
.sin_port
= htons(getarg_ulong());
383 diag("crypto debugging enabled!");
384 setvbuf(stdout
,0,_IOLBF
,0);
389 while ((arg
= *++argv
)) {
390 arg_assert(*arg
++ == '|');
391 arg_assert(i
<= MAXMECHS
);
392 mechs
[i
]= find_mech(arg
);
394 cdebug(i
,"writer->reader setup");
397 if (encdec_keys_write
)
398 mechs
[i
]->encsetup(&md_out
[i
], &maxprefix
, &maxsuffix
);
400 mechs
[i
]->decsetup(&md_in
[i
]);
404 cdebug(i
,"reader->writer setup");
406 if (encdec_keys_write
)
407 mechs
[i
]->decsetup(&md_in
[i
]);
409 mechs
[i
]->encsetup(&md_out
[i
], &maxprefix
, &maxsuffix
);
411 assert(argv
== argv_done
);
417 if (maxprefix
<1) maxprefix
= 1;
418 if (maxsuffix
<1) maxsuffix
= 1;
419 buffer_size
= mtu2
+ maxprefix
+ maxsuffix
;
420 buf_in
.base
= xmalloc(buffer_size
);
421 buf_out
.base
= xmalloc(buffer_size
);
422 accum_avail
= mtu2
+ 1;
423 accum_buf
= xmalloc(accum_avail
);
427 pollfds
[0].fd
= public_local_fd
;
428 pollfds
[0].events
= POLLIN
;
429 pollfds
[1].fd
= private_out_fd
;
431 pollfds
[1].events
= public_remote_specd ? POLLIN
: 0;
432 pollfds
[0].revents
= 0;
433 pollfds
[1].revents
= 0;
437 if (tnow
>= nextsendka
&& public_remote_specd
)
438 sendpacket((unsigned char*)"\300",1);
439 polltimeout
= (nextsendka
- tnow
)*1000;
444 r
= poll(pollfds
,2,polltimeout
);
446 if (r
==-1 && errno
==EINTR
) continue;
447 if (r
==-1) sysfail("poll");
449 if (pollfds
[0].revents
& (POLLIN
|POLLERR
)) inbound();
450 if (pollfds
[1].revents
& (POLLIN
|POLLERR
)) outbound();