~mdw / userv-utils / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Update copyright notices.
[userv-utils] / ipif / forwarder.c
1 /*
2 * Encrypting tunnel for userv-ipif tunnels, actual implementation
3 */
4 /*
5 * usage:
6 * udptunnel-forwarder <optchars>
7 * <public-local-fd> <private-in-fd> <private-out-fd>
8 * <encdec-keys-fd>
9 * <mtu> <keepalive> <timeout>
10 * <public-remote-addr> [<public-remote-port>]
11 * |<mech1> [<mech1-params> ...]
12 * |<mech2> [<mech2-params> ...]
13 * ''
14 *
15 * Remote addr may '' to mean wait to receive a packet and reply to
16 * whereever we get a good packet from first, in which case port
17 * should not be specified.
18 *
19 * <optchars> is zero or more of
20 * w means generate and write encdec keys, rather than reading them
21 * K means do crypto debug (use with care!)
22 *
23 * encdec keys datastream has keys for packets from key datastream
24 * writer to reader first, then keys for packets from reader to
25 * writer.
26 *
27 * Every must be numeric. There is very little argument checking.
28 *
29 * Exit status:
30 * SIGALARM timed out
31 * 0 terminated due to outbound packet stream EOF
32 * 4 other error
33 * 8 system problem
34 * 12 usage error
35 * 16 bad trouble
36 */
37 /*
38 * Copyright (C) 2000 Ian Jackson
39 *
40 * This is free software; you can redistribute it and/or modify it
41 * under the terms of the GNU General Public License as published by
42 * the Free Software Foundation; either version 2 of the License, or
43 * (at your option) any later version.
44 *
45 * This program is distributed in the hope that it will be useful, but
46 * WITHOUT ANY WARRANTY; without even the implied warranty of
47 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
48 * General Public License for more details.
49 *
50 * You should have received a copy of the GNU General Public License
51 * along with userv-utils; if not, write to the Free Software
52 * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
53 */
54
55 #include <sys/socket.h>
56 #include <netinet/in.h>
57 #include <arpa/inet.h>
58 #include <sys/utsname.h>
59 #include <sys/poll.h>
60
61 #include <string.h>
62 #include <errno.h>
63 #include <assert.h>
64 #include <stdlib.h>
65
66 #include <unistd.h>
67 #include <fcntl.h>
68
69 #include "forwarder.h"
70
71 #define MAXMECHS 10
72
73 static size_t buffer_size;
74 static struct utsname uname_result;
75
76 static const char *opt_chars;
77 static int public_local_fd, private_in_fd, private_out_fd;
78 static int mtu2, keepalive, timeout;
79 static int public_remote_specd;
80 static struct sockaddr_in public_remote;
81 static int encdec_keys_fd, encdec_keys_write, crypto_debug;
82 static int n_mechs;
83 static const struct mechanism *mechs[MAXMECHS];
84
85 static struct mechdata *md_in[MAXMECHS], *md_out[MAXMECHS];
86 static size_t maxprefix, maxsuffix;
87
88 static struct buffer buf_in, buf_out;
89 static unsigned char *accum_buf;
90 static size_t accum_used, accum_avail;
91
92 static time_t nextsendka;
93
94 static void cdebug(int mechno /*or -1*/, const char *msg) {
95 if (!crypto_debug) return;
96 printf("%-8.8s: CRYPTO: %-20s %s\n",
97 uname_result.nodename,
98 mechno >= 0 ? mechs[mechno]->name : "",
99 msg);
100 }
101
102 static void cdebughex(int mechno /*or -1*/, const char *msg, const void *ptr,
103 size_t sz, size_t skipbefore,
104 int spc_offset, int dot_offset) {
105 const unsigned char *p;
106 size_t i;
107 unsigned j= dot_offset;
108
109 if (!crypto_debug) return;
110 printf("%-8.8s: CRYPTO: %-20s %-10s",
111 uname_result.nodename,
112 mechno >= 0 ? mechs[mechno]->name : "",
113 msg);
114
115 for (i=0; i<spc_offset; i++, j++) fputs(j&3 ? " " : " ",stdout);
116 for (i=0; i<skipbefore; i++, j++) fputs(j&3 ? ".." : " ..",stdout);
117 for (i=0, p=ptr; i<sz; i++, j++, p++) printf(j&3 ? "%02x" : " %02x",*p);
118
119 fputc('\n',stdout);
120 }
121
122 static void cdebugbuf(int mechno /*or -1*/, const char *msg,
123 const struct buffer *buf, int spc_offset, int dot_offset) {
124 cdebughex(mechno, msg, buf->start, buf->size, buf->start - buf->base,
125 spc_offset, dot_offset);
126 }
127
128 void get_random(void *ptr, size_t sz) {
129 static FILE *randfile;
130
131 size_t r;
132
133 if (!randfile) {
134 randfile= fopen("/dev/urandom","rb");
135 if (!randfile && errno==ENOENT) randfile= fopen("/dev/random","rb");
136 if (!randfile) sysfail("open random number generator");
137 }
138
139 r= fread(ptr,1,sz,randfile);
140 if (r != sz)
141 (ferror(randfile) ? sysfail : fail)("cannot read random number generator");
142
143 cdebughex(-1, "get_random", ptr, sz, 0,0,0);
144 }
145
146 void random_key(void *ptr, size_t sz) {
147 if (encdec_keys_write) {
148 get_random(ptr,sz);
149 write_must(encdec_keys_fd,ptr,sz,"write keys datastream");
150 } else {
151 read_must(encdec_keys_fd,ptr,sz,"read keys datastream");
152 cdebughex(-1, "random_key", ptr, sz, 0,0,0);
153 }
154 }
155
156
157 static void setnonblock(int fd, int nonblock) {
158 int r;
159
160 r= fcntl(fd,F_GETFL);
161 if (r==-1) sysfail("fcntl F_GETFL");
162 r= fcntl(fd,F_SETFL, nonblock ? r|O_NONBLOCK : r&~O_NONBLOCK);
163 if (r==-1) sysfail("fcntl F_SETFL");
164 }
165
166 static const struct mechanism *find_mech(const char *name) {
167 const struct mechanism *mech, *const *mechlist;
168
169 for (mechlist= mechanismlists;
170 *mechlist;
171 mechlist++)
172 for (mech= *mechlist; mech->name; mech++)
173 if (!strcmp(mech->name,name)) return mech;
174
175 fprintf(stderr,"%s: unknown mechanism: %s\n",programid,name);
176 exit(4);
177 }
178
179 static void inbound(void) {
180 static int any_recvd;
181
182 struct sockaddr_in this_saddr;
183 int r, i, different, this_saddrlen;
184 const char *emsg;
185
186 buf_in.start= buf_in.base+1;
187 buf_in.size= buffer_size-2;
188
189 setnonblock(public_local_fd,1);
190 this_saddrlen= sizeof(this_saddr);
191 r= recvfrom(public_local_fd, buf_in.start, buf_in.size, 0,
192 &this_saddr, &this_saddrlen);
193 if (!r) { diag("empty ciphertext"); return; }
194
195 if (r<0) {
196 if (errno != EAGAIN && errno != EINTR) { sysdiag("receive"); sleep(1); }
197 return;
198 }
199 if (this_saddr.sin_family != AF_INET) {
200 fprintf(stderr,"%s: received unknown AF %lu\n",
201 programid, (unsigned long)this_saddr.sin_family);
202 return;
203 }
204 assert(this_saddrlen == sizeof(this_saddr));
205
206 assert(r <= buf_in.size);
207 buf_in.size= r;
208 cdebugbuf(-1, "decode", &buf_in, 3,0);
209 for (i=n_mechs-1; i>=0; i--) {
210 emsg= mechs[i]->decode(md_in[i],&buf_in);
211 if (emsg) {
212 if (*emsg)
213 fprintf(stderr, "%s: bad packet: %s: %s\n",
214 programid, mechs[i]->name, emsg);
215 return;
216 }
217 cdebugbuf(i, "decode", &buf_in, 3,0);
218 }
219
220 alarm(timeout);
221
222 different= (!public_remote_specd ||
223 public_remote.sin_addr.s_addr != this_saddr.sin_addr.s_addr ||
224 public_remote.sin_port != this_saddr.sin_port);
225
226 if (different) {
227
228 if (public_remote_specd==2) {
229 fprintf(stderr, "%s: packet from unexpected sender %s:%lu\n",
230 programid, inet_ntoa(this_saddr.sin_addr),
231 (unsigned long)ntohs(this_saddr.sin_port));
232 return;
233 }
234
235 fprintf(stderr, "%s: tunnel open with peer %s:%lu\n",
236 programid, inet_ntoa(this_saddr.sin_addr),
237 (unsigned long)ntohs(this_saddr.sin_port));
238 nextsendka= now();
239 public_remote_specd= 1;
240 memcpy(&public_remote,&this_saddr,sizeof(public_remote));
241
242 } else if (!any_recvd) {
243
244 diag("tunnel open");
245
246 }
247
248 any_recvd= 1;
249
250 if (!buf_in.size || *buf_in.start != 0300) {
251 *--buf_in.start= 0300;
252 buf_in.size++;
253 }
254 if (buf_in.start[buf_in.size-1] != 0300) {
255 buf_in.start[buf_in.size++]= 0300;
256 }
257
258 setnonblock(private_in_fd,0);
259 write_must(private_in_fd, buf_in.start, buf_in.size, "write down");
260 }
261
262 static void sendpacket(const unsigned char *message, size_t size) {
263 int i, r;
264
265 buf_out.start= buf_out.base+maxprefix;
266 buf_out.size= size;
267 memcpy(buf_out.start, message, size);
268
269 nextsendka= now() + keepalive;
270
271 cdebugbuf(-1, "encode", &buf_out, 4,0);
272 for (i=0; i<n_mechs; i++) {
273 mechs[i]->encode(md_out[i],&buf_out);
274 cdebugbuf(i, "encode", &buf_out, 4,0);
275 }
276 assert(public_remote_specd);
277
278 setnonblock(public_local_fd,1);
279 for (;;) {
280 r= sendto(public_local_fd, buf_out.start, buf_out.size, 0,
281 &public_remote, sizeof(public_remote));
282 if (r == buf_out.size) break;
283 if (r >= 0) { diag("unexpected short send"); return; }
284 if (errno != EINTR) { sysdiag("send"); return; }
285 }
286 }
287
288 static void outbound(void) {
289 int r;
290 unsigned char *after_eaten, *delim;
291 size_t this_packet;
292
293 setnonblock(private_out_fd,1);
294
295 for (;;) {
296 r= read(private_out_fd, accum_buf + accum_used, accum_avail - accum_used);
297 if (!r) { diag("outbound datastream closed, quitting"); exit(0); }
298 if (r<0) {
299 if (errno == EAGAIN) return;
300 if (errno == EINTR) continue;
301 }
302 accum_used += r;
303 assert(accum_used<=accum_avail);
304
305 after_eaten= accum_buf;
306 while ((delim= memchr(after_eaten, 0300, accum_used))) {
307 this_packet= delim - after_eaten;
308 if (this_packet) sendpacket(after_eaten, this_packet);
309 accum_used -= this_packet+1;
310 after_eaten = delim+1;
311 }
312 memmove(accum_buf, after_eaten, accum_used);
313
314 if (accum_used == accum_avail) {
315 diag("missing interpacket delimiter in output datastream");
316 accum_used= 0;
317 }
318 }
319 }
320
321 int main(int argc, const char *const *const argv_in) {
322 const char *arg;
323 const char *const *argv_save;
324 const char *const *argv_done;
325 struct pollfd pollfds[2];
326 int i, polltimeout, r;
327 time_t tnow;
328
329 argv= argv_in;
330
331 if (uname(&uname_result)) { perror(PROGRAM ": uname failed"); exit(16); }
332 sprintf(programid, PROGRAM ": %.*s", SYS_NMLN, uname_result.nodename);
333
334 opt_chars= getarg_string();
335 encdec_keys_write= !!strchr(opt_chars,'w');
336 crypto_debug= !!strchr(opt_chars,'K');
337
338 public_local_fd= getarg_ulong();
339 private_in_fd= getarg_ulong();
340 private_out_fd= getarg_ulong();
341 encdec_keys_fd= getarg_ulong();
342
343 mtu2= getarg_ulong() * 2;
344 keepalive= getarg_ulong();
345 timeout= getarg_ulong();
346
347 arg= getarg_string();
348 if (*arg) {
349 public_remote_specd= 1;
350 public_remote.sin_family= AF_INET;
351 arg_assert(inet_aton(arg,&public_remote.sin_addr));
352 public_remote.sin_port= htons(getarg_ulong());
353 }
354
355 if (crypto_debug) {
356 diag("crypto debugging enabled!");
357 setvbuf(stdout,0,_IOLBF,0);
358 }
359
360 maxprefix= 0;
361 i= 0;
362 while ((arg= *++argv)) {
363 arg_assert(*arg++ == '|');
364 arg_assert(i <= MAXMECHS);
365 mechs[i]= find_mech(arg);
366
367 cdebug(i,"writer->reader setup");
368 argv_save= argv;
369
370 if (encdec_keys_write)
371 mechs[i]->encsetup(&md_out[i], &maxprefix, &maxsuffix);
372 else
373 mechs[i]->decsetup(&md_in[i]);
374
375 argv_done= argv;
376 argv= argv_save;
377 cdebug(i,"reader->writer setup");
378
379 if (encdec_keys_write)
380 mechs[i]->decsetup(&md_in[i]);
381 else
382 mechs[i]->encsetup(&md_out[i], &maxprefix, &maxsuffix);
383
384 assert(argv == argv_done);
385
386 i++;
387 }
388 n_mechs= i;
389
390 if (maxprefix<1) maxprefix= 1;
391 if (maxsuffix<1) maxsuffix= 1;
392 buffer_size= mtu2 + maxprefix + maxsuffix;
393 buf_in.base= xmalloc(buffer_size);
394 buf_out.base= xmalloc(buffer_size);
395 accum_avail= mtu2 + 1;
396 accum_buf= xmalloc(accum_avail);
397
398 alarm(timeout);
399
400 pollfds[0].fd= public_local_fd;
401 pollfds[0].events= POLLIN;
402 pollfds[1].fd= private_out_fd;
403 for (;;) {
404 pollfds[1].events= public_remote_specd ? POLLIN : 0;
405 pollfds[0].revents= 0;
406 pollfds[1].revents= 0;
407
408 if (keepalive) {
409 tnow= now();
410 if (tnow >= nextsendka && public_remote_specd) sendpacket("\300",1);
411 polltimeout= (nextsendka - tnow)*1000;
412 } else {
413 polltimeout= -1;
414 }
415
416 r= poll(pollfds,2,polltimeout);
417 if (!r) continue;
418 if (r==-1 && errno==EINTR) continue;
419 if (r==-1) sysfail("poll");
420
421 if (pollfds[0].revents & (POLLIN|POLLERR)) inbound();
422 if (pollfds[1].revents & (POLLIN|POLLERR)) outbound();
423 }
424 }
Userv utilities (local modifications)