+2014.06.21 -- Version 0.3.5
+
+* added support for libnettle as crypt library
+* added an exception to the license which allows linking with OpenSSL
+
+2014.06.08 -- Version 0.3.4
+
+* fixed build issues for clang
+* refactored the multi socket support
+
2010.02.16 -- Version 0.3.3
* added -v|--version option
* improved script execution
* added signal handling without races
* all log_targets print time now too
-
+
2009.05.01 -- Version 0.3
* updated to new protocol specification (extended label and crypto role)
- Mind that due this protocol changes this version is incompatible to older
+ Mind that due this protocol changes this version is incompatible to older
version of anytun and uanytun
* the auth tag length can now be configured
* added extended logging support (syslog, file, stdout and stderr)
* fixed bug which prevents the daemon from using the right cipher
key when using a key derivation rate other than 1
-
+
2009.01.11 -- Version 0.2
* added crypto support using libgcrypt or openssl
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2008 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ *
*/
+
+
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
--- /dev/null
+/*
+ * uAnytun
+ *
+ * uAnytun is a tiny implementation of SATP. Unlike Anytun which is a full
+ * featured implementation uAnytun has no support for multiple connections
+ * or synchronisation. It is a small single threaded implementation intended
+ * to act as a client on small platforms.
+ * The secure anycast tunneling protocol (satp) defines a protocol used
+ * for communication between any combination of unicast and anycast
+ * tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
+ * mode and allows tunneling of every ETHER TYPE protocol (e.g.
+ * ethernet, ip, arp ...). satp directly includes cryptography and
+ * message authentication based on the methods used by SRTP. It is
+ * intended to deliver a generic, scaleable and secure solution for
+ * tunneling and relaying of packets of any protocol.
+ *
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
+ *
+ * This file is part of uAnytun.
+ *
+ * uAnytun is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * any later version.
+ *
+ * uAnytun is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ *
+ */
+
+Certain source files in this program permit linking with the OpenSSL
+library (http://www.openssl.org), which otherwise wouldn't be allowed
+under the GPL. For purposes of identifying OpenSSL, most source files
+giving this permission limit it to versions of OpenSSL having a license
+identical to that listed in this file (LICENSE.OpenSSL). It is not
+necessary for the copyright years to match between this file and the
+OpenSSL version in question. However, note that because this file is
+an extension of the license statements of these source files, this file
+may not be changed except with permission from all copyright holders
+of source files in this program which reference this file.
+
+
+ LICENSE ISSUES
+ ==============
+
+ The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
+ the OpenSSL License and the original SSLeay license apply to the toolkit.
+ See below for the actual license texts. Actually both licenses are BSD-style
+ Open Source licenses. In case of any license issues related to OpenSSL
+ please contact openssl-core@openssl.org.
+
+ OpenSSL License
+ ---------------
+
+/* ====================================================================
+ * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
Dependencies
============
-uAnytun can be built by using either libgcrypt or the openssl-crypto library.
-The latter is more performant in most cases but there are some license
+uAnytun can be built by using either libgcrypt, libnettle or the openssl-crypto
+library. The latter is more performant in most cases but there are some license
issues when using this library. It also needs more space when installed.
(this includes Debian with FreeBSD Kernel)
using libgcrypt:
-
+
build-essential
libgcrypt11-dev
build-essential
libssl-dev
+using nettle crypto library:
+
+ build-essential
+ nettle-dev
+
+if you want clang as compiler
+
+ clang
+
if you want to rebuild the manpage:
asciidoc
textproc/libxslt
textproc/docbook-xsl
sysutils/readlink
- misc/getopt
+ misc/getopt
# ./configure --use-ssl-crypto
# make
-Notes:
+Notes:
- try './configure --help' for further information
- if using openssl pre 0.9.8 you have to disable passphrase
because openssl had no SHA256 implementation prior to this
# sudo make remove
-This removes everytthing except for the config files
+This removes everything except for the config files
# sudo make purge
init.d script
-------------
-The init.d script can be used to start uanytun at boot time. It searches for
+The init.d script can be used to start uanytun at boot time. It searches for
configuration files which reside at $CONFIG_DIR. For each instance of uanytun
which should be started there must be a directory containing at least a file
named config. This file must contain all command line parameter which should
be used when starting the daemon. One line for each parameter. Empty lines and
lines starting with # are ignored. Besides the config file there may be a script
-named post-up.sh which will be called when the tun/tap device comes up.
+named post-up.sh which will be called when the tun/tap device comes up.
This is an example of how the init.d script can be used to start uanytun:
# /etc/init.d/uanytun start client1 p2p-a
In this case the script will start 2 instances of uanytun using the config files
-$CONFIG_DIR/client1/config and $CONFIG_DIR/p2p-a/config.
+$CONFIG_DIR/client1/config and $CONFIG_DIR/p2p-a/config.
If no instance name is specified the script will use the file $CONFIG_DIR/autostart
-to determine which instances to start or stop. This file must contain a list
-of instance names which should be used when no names are specified at the command
+to determine which instances to start or stop. This file must contain a list
+of instance names which should be used when no names are specified at the command
line. One line for each name. Empty lines and lines starting with # are ignored.
## tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
## mode and allows tunneling of every ETHER TYPE protocol (e.g.
## ethernet, ip, arp ...). satp directly includes cryptography and
-## message authentication based on the methodes used by SRTP. It is
+## message authentication based on the methods used by SRTP. It is
## intended to deliver a generic, scaleable and secure solution for
## tunneling and relaying of packets of any protocol.
-##
##
-## Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+##
+## Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
##
## This file is part of uAnytun.
##
## You should have received a copy of the GNU General Public License
## along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
##
+## In addition, as a special exception, the copyright holders give
+## permission to link the code of portions of this program with the
+## OpenSSL library under certain conditions as described in each
+## individual source file, and distribute linked combinations
+## including the two.
+## You must obey the GNU General Public License in all respects
+## for all of the code used other than OpenSSL. If you modify
+## file(s) with this exception, you may extend this exception to your
+## version of the file(s), but you are not obligated to do so. If you
+## do not wish to do so, delete this exception statement from your
+## version. If you delete this exception statement from all source
+## files in the program, then also delete it here.
+##
VERSION=$(shell cat ../version)
-.PHONY: clean
+.PHONY: clean
all: manpage
'\" t
.\" Title: uanytun
.\" Author: [see the "AUTHORS" section]
-.\" Generator: DocBook XSL Stylesheets v1.75.1 <http://docbook.sf.net/>
-.\" Date: 02/17/2010
-.\" Manual: uanytun user manual
-.\" Source: uanytun 0.3.3
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Date: 06/21/2014
+.\" Manual: \ \&
+.\" Source: \ \&
.\" Language: English
.\"
-.TH "UANYTUN" "8" "02/17/2010" "uanytun 0.3.3" "uanytun user manual"
+.TH "UANYTUN" "8" "06/21/2014" "\ \&" "\ \&"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.PP
\fB\-L, \-\-log \fR\fB\fI<target>:<level>[,<param1>[,<param2>[\&.\&.]]]\fR\fR
.RS 4
-add log target to logging system\&. This can be invoked several times in order to log to different targets at the same time\&. Every target hast its own log level which is a number between 0 and 5\&. Where 0 means disabling log and 5 means debug messages are enabled\&.
+add log target to logging system\&. This can be invoked several times in order to log to different targets at the same time\&. Every target has its own log level which is a number between 0 and 5\&. Where 0 means disabling log and 5 means debug messages are enabled\&.
-The file target can be used more the once with different levels\&. If no target is provided at the command line a single target with the config
+The file target can be used more than once with different levels\&. If no target is provided at the command line a single target with the config
\fIsyslog:3,uanytun,daemon\fR
is added\&.
.RS 4
seqence window size
-Sometimes, packets arrive out of order on the receiver side\&. This option defines the size of a list of received packets\' sequence numbers\&. If, according to this list, a received packet has been previously received or has been transmitted in the past, and is therefore not in the list anymore, this is interpreted as a replay attack and the packet is dropped\&. A value of 0 deactivates this list and, as a consequence, the replay protection employed by filtering packets according to their secuence number\&. By default the sequence window is disabled and therefore a window size of 0 is used\&.
+Sometimes, packets arrive out of order on the receiver side\&. This option defines the size of a list of received packets\*(Aq sequence numbers\&. If, according to this list, a received packet has been previously received or has been transmitted in the past, and is therefore not in the list anymore, this is interpreted as a replay attack and the packet is dropped\&. A value of 0 deactivates this list and, as a consequence, the replay protection employed by filtering packets according to their secuence number\&. By default the sequence window is disabled and therefore a window size of 0 is used\&.
.RE
.PP
\fB\-k, \-\-kd\(emprf \fR\fB\fI<kd\-prf type>\fR\fR
\fBHost A:\fR
.RS 4
.sp
-uanytun \-r hostb\&.example\&.com \-t tun \-n 192\&.168\&.123\&.1/30 \-c aes\-ctr\-256 \-k aes\-ctr\-256 \e \-E have_a_very_safe_and_productive_day \-e left
+uanytun \-r hostb\&.example\&.com \-t tun \-n 192\&.168\&.123\&.1/30 \-c aes\-ctr\-256 \-k aes\-ctr\-256 \-E have_a_very_safe_and_productive_day \-e left
.RE
.sp
.it 1 an-trap
\fBHost B:\fR
.RS 4
.sp
-uanytun \-r hosta\&.example\&.com \-t tun \-n 192\&.168\&.123\&.2/30 \-c aes\-ctr\-256 \-k aes\-ctr\-256 \e \-E have_a_very_safe_and_productive_day \-e right
+uanytun \-r hosta\&.example\&.com \-t tun \-n 192\&.168\&.123\&.2/30 \-c aes\-ctr\-256 \-k aes\-ctr\-256 \-E have_a_very_safe_and_productive_day \-e right
.RE
.SS "One unicast and one anycast tunnel endpoint:"
.sp
Main web site: http://www\&.anytun\&.org/
.SH "COPYING"
.sp
-Copyright (C) 2008\-2010 Christian Pointner\&. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version\&.
+Copyright (C) 2008\-2014 Christian Pointner\&. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version\&.
(SATP). It provides a complete VPN solution similar to OpenVPN or
IPsec in tunnel mode. The main difference is that anycast enables the
setup of tunnels between an arbitrary combination of anycast, unicast
-and multicast hosts. Unlike Anytun which is a full featured implementation
-uAnytun has no support for multiple connections or synchronisation. It is a
-small single threaded implementation intended to act as a client on small
+and multicast hosts. Unlike Anytun which is a full featured implementation
+uAnytun has no support for multiple connections or synchronisation. It is a
+small single threaded implementation intended to act as a client on small
platforms.
instead of becoming a daemon which is the default.
*-u, --username '<username>'*::
- run as this user. If no group is specified (*-g*) the default group of
+ run as this user. If no group is specified (*-g*) the default group of
the user is used. The default is to not drop privileges.
*-g, --groupname '<groupname>'*::
The default is to not drop privileges.
*-C, --chroot '<path>'*::
- Instruct *uAnytun* to run in a chroot jail. The default is
+ Instruct *uAnytun* to run in a chroot jail. The default is
to not run in chroot.
*-P, --write-pid <filename>*::
- Instruct *uAnytun* to write it's pid to this file. The default is
+ Instruct *uAnytun* to write it's pid to this file. The default is
to not create a pid file.
*-L, --log '<target>:<level>[,<param1>[,<param2>[..]]]'*::
add log target to logging system. This can be invoked several times
- in order to log to different targets at the same time. Every target
- hast its own log level which is a number between 0 and 5. Where 0 means
+ in order to log to different targets at the same time. Every target
+ has its own log level which is a number between 0 and 5. Where 0 means
disabling log and 5 means debug messages are enabled. +
- The file target can be used more the once with different levels.
- If no target is provided at the command line a single target with the
+ The file target can be used more than once with different levels.
+ If no target is provided at the command line a single target with the
config 'syslog:3,uanytun,daemon' is added. +
The following targets are supported:
'syslog';; log to syslog daemon, parameters <level>[,<logname>[,<facility>]]
'file';; log to file, parameters <level>[,<path>]
'stdout';; log to standard output, parameters <level>
- 'stderr';; log to standard error, parameters <level>
+ 'stderr';; log to standard error, parameters <level>
*-U, --debug*::
- This option instructs *uAnytun* to run in debug mode. It implicits *-D*
+ This option instructs *uAnytun* to run in debug mode. It implicits *-D*
(don't daemonize) and adds a log target with the configuration
'stdout:5' (logging with maximum level). In future releases there might
be additional output when this option is supplied.
'<prefix>';; the prefix length of the network
*-x, --post-up-script '<script>'*::
- This option instructs *uAnytun* to run this script after the interface
+ This option instructs *uAnytun* to run this script after the interface
is created. By default no script will be executed.
*-m, --mux '<mux-id>'*::
*-s, --sender-id '<sender id>'*::
Each anycast tunnel endpoint needs a unique sender id
(1, 2, 3, ...). It is needed to distinguish the senders
- in case of replay attacks. As *uAnytun* does not support
- synchronisation it can't be used as an anycast endpoint therefore
- this option is quite useless but implemented for compatibility
+ in case of replay attacks. As *uAnytun* does not support
+ synchronisation it can't be used as an anycast endpoint therefore
+ this option is quite useless but implemented for compatibility
reasons. default: 0
*-w, --window-size '<window size>'*::
*-k, --kd--prf '<kd-prf type>'*::
key derivation pseudo random function +
- The pseudo random function which is used for calculating the
+ The pseudo random function which is used for calculating the
session keys and session salt. +
Possible values:
*-e, --role '<role>'*::
SATP uses different session keys for inbound and outbound traffic. The
role parameter is used to determine which keys to use for outbound or
- inbound packets. On both sides of a vpn connection different roles have
- to be used. Possible values are 'left' and 'right'. You may also use
- 'alice' or 'server' as a replacement for 'left' and 'bob' or 'client' as
+ inbound packets. On both sides of a vpn connection different roles have
+ to be used. Possible values are 'left' and 'right'. You may also use
+ 'alice' or 'server' as a replacement for 'left' and 'bob' or 'client' as
a replacement for 'right'. By default 'left' is used.
*-E, --passphrase '<pass phrase>'*::
This passphrase is used to generate the master key and master salt.
- For the master key the last n bits of the SHA256 digest of the
- passphrase (where n is the length of the master key in bits) is used.
- The master salt gets generated with the SHA1 digest.
+ For the master key the last n bits of the SHA256 digest of the
+ passphrase (where n is the length of the master key in bits) is used.
+ The master salt gets generated with the SHA1 digest.
You may force a specific key and or salt by using *--key* and *--salt*.
*-K, --key '<master key>'*::
*-a, --auth-algo '<algo type>'*::
message authentication algorithm +
This option sets the message authentication algorithm. +
- If HMAC-SHA1 is used, the packet length is increased. The additional bytes
+ If HMAC-SHA1 is used, the packet length is increased. The additional bytes
contain the authentication data. see *--auth-tag-length* for more info. +
Possible values:
'sha1';; HMAC-SHA1, default value
*-b, --auth-tag-length '<length>'*::
- The number of bytes to use for the auth tag. This value defaults to 10 bytes
- unless the 'null' auth algo is used in which case it defaults to 0.
+ The number of bytes to use for the auth tag. This value defaults to 10 bytes
+ unless the 'null' auth algo is used in which case it defaults to 0.
EXAMPLES
Host A:
^^^^^^^
-uanytun -r hostb.example.com -t tun -n 192.168.123.1/30 -c aes-ctr-256 -k aes-ctr-256 \
+uanytun -r hostb.example.com -t tun -n 192.168.123.1/30 -c aes-ctr-256 -k aes-ctr-256
-E have_a_very_safe_and_productive_day -e left
Host B:
^^^^^^^
-uanytun -r hosta.example.com -t tun -n 192.168.123.2/30 -c aes-ctr-256 -k aes-ctr-256 \
+uanytun -r hosta.example.com -t tun -n 192.168.123.2/30 -c aes-ctr-256 -k aes-ctr-256
-E have_a_very_safe_and_productive_day -e right
+
One unicast and one anycast tunnel endpoint:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
+
Unicast tunnel endpoint:
^^^^^^^^^^^^^^^^^^^^^^^^
BUGS
----
+
Most likely there are some bugs in *uAnytun*. If you find a bug, please let
the developers know at uanytun@anytun.org. Of course, patches are preferred.
COPYING
-------
-Copyright \(C) 2008-2010 Christian Pointner. This program is free
-software: you can redistribute it and/or modify it under the terms
-of the GNU General Public License as published by the Free Software
+Copyright \(C) 2008-2014 Christian Pointner. This program is free
+software: you can redistribute it and/or modify it under the terms
+of the GNU General Public License as published by the Free Software
Foundation, either version 3 of the License, or any later version.
#! /bin/sh
### BEGIN INIT INFO
# Provides: uanytun
-# Required-Start: $network $named $syslog
-# Required-Stop:
+# Required-Start: $remote_fs $network $named $syslog
+# Required-Stop: $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start anycast tunneling daemon at boot time
## tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
## mode and allows tunneling of every ETHER TYPE protocol (e.g.
## ethernet, ip, arp ...). satp directly includes cryptography and
-## message authentication based on the methodes used by SRTP. It is
+## message authentication based on the methods used by SRTP. It is
## intended to deliver a generic, scaleable and secure solution for
## tunneling and relaying of packets of any protocol.
-##
##
-## Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+##
+## Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
##
## This file is part of uAnytun.
##
## You should have received a copy of the GNU General Public License
## along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
##
+## In addition, as a special exception, the copyright holders give
+## permission to link the code of portions of this program with the
+## OpenSSL library under certain conditions as described in each
+## individual source file, and distribute linked combinations
+## including the two.
+## You must obey the GNU General Public License in all respects
+## for all of the code used other than OpenSSL. If you modify
+## file(s) with this exception, you may extend this exception to your
+## version of the file(s), but you are not obligated to do so. If you
+## do not wish to do so, delete this exception statement from your
+## version. If you delete this exception statement from all source
+## files in the program, then also delete it here.
+##
ifneq ($(MAKECMDGOALS),distclean)
include include.mk
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include "datatypes.h"
return aa_null;
else if(!strcmp(type, "sha1"))
return aa_sha1;
-
+
return aa_unknown;
}
int auth_algo_init(auth_algo_t* aa, const char* type)
{
- if(!aa)
+ if(!aa)
return -1;
aa->type_ = auth_algo_get_type(type);
void auth_algo_generate(auth_algo_t* aa, key_derivation_t* kd, key_derivation_dir_t dir, encrypted_packet_t* packet)
{
- if(!aa)
+ if(!aa)
return;
if(aa->type_ == aa_null)
int auth_algo_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_derivation_dir_t dir, encrypted_packet_t* packet)
{
- if(!aa)
+ if(!aa)
return 0;
if(aa->type_ == aa_null)
if(!aa->params_)
return -2;
+#if defined(USE_SSL_CRYPTO)
+ auth_algo_sha1_param_t* params = aa->params_;
+ HMAC_CTX_init(¶ms->ctx_);
+ HMAC_Init_ex(¶ms->ctx_, NULL, 0, EVP_sha1(), NULL);
+#elif defined(USE_NETTLE)
+ // nothing here
+#else // USE_GCRYPT is the default
auth_algo_sha1_param_t* params = aa->params_;
-
-#ifndef USE_SSL_CRYPTO
gcry_error_t err = gcry_md_open(¶ms->handle_, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC);
if(err) {
log_printf(ERROR, "failed to open message digest algo: %s", gcry_strerror(err));
return -1;
- }
-#else
- HMAC_CTX_init(¶ms->ctx_);
- HMAC_Init_ex(¶ms->ctx_, NULL, 0, EVP_sha1(), NULL);
+ }
#endif
return 0;
return;
if(aa->params_) {
+#if defined(USE_SSL_CRYPTO)
+ auth_algo_sha1_param_t* params = aa->params_;
+ HMAC_CTX_cleanup(¶ms->ctx_);
+#elif defined(USE_NETTLE)
+ // nothing here
+#else // USE_GCRYPT is the default
auth_algo_sha1_param_t* params = aa->params_;
-
-#ifndef USE_SSL_CRYPTO
if(params->handle_)
gcry_md_close(params->handle_);
-#else
- HMAC_CTX_cleanup(¶ms->ctx_);
-#endif
+#endif
free(aa->params_);
}
if(ret < 0)
return;
-#ifndef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
+ HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL);
+
+ u_int8_t hmac[SHA1_LENGTH];
+ HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet));
+ HMAC_Final(¶ms->ctx_, hmac, NULL);
+#elif defined(USE_NETTLE)
+ hmac_sha1_set_key(¶ms->ctx_, aa->key_.length_, aa->key_.buf_);
+
+ u_int8_t hmac[SHA1_LENGTH];
+ hmac_sha1_update(¶ms->ctx_, encrypted_packet_get_auth_portion_length(packet), encrypted_packet_get_auth_portion(packet));
+ hmac_sha1_digest(¶ms->ctx_, SHA1_LENGTH, hmac);
+#else // USE_GCRYPT is the default
gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_);
if(err) {
log_printf(ERROR, "failed to set hmac key: %s", gcry_strerror(err));
return;
- }
-
+ }
+
gcry_md_reset(params->handle_);
gcry_md_write(params->handle_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet));
gcry_md_final(params->handle_);
u_int8_t* hmac = gcry_md_read(params->handle_, 0);
-#else
- HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL);
-
- u_int8_t hmac[SHA1_LENGTH];
- HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet));
- HMAC_Final(¶ms->ctx_, hmac, NULL);
#endif
u_int8_t* tag = encrypted_packet_get_auth_tag(packet);
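Review bot: In the USE_SSL_CRYPTO branch the result of `HMAC_Init_ex(&params->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL);` is discarded, while the gcrypt branch directly below checks `gcry_md_setkey` and bails out on error; on OpenSSL 1.0.0 and later HMAC_Init_ex returns 0 on failure, so the two backends differ in whether a rejected key is noticed before a tag is produced. Wrapping the call as `if(!HMAC_Init_ex(&params->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL)) { log_printf(ERROR, "failed to set hmac key"); return; }` aligns the error handling; the same applies to the identical OpenSSL branch in the auth_algo_check_tag hunk below, which should return -1 there. The nettle calls are void and cannot fail, so that branch needs nothing. auth_algo_generate begins before the hunk.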
if(ret < 0)
return 0;
-#ifndef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
+ HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL);
+
+ u_int8_t hmac[SHA1_LENGTH];
+ HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet));
+ HMAC_Final(¶ms->ctx_, hmac, NULL);
+#elif defined(USE_NETTLE)
+ hmac_sha1_set_key(¶ms->ctx_, aa->key_.length_, aa->key_.buf_);
+
+ u_int8_t hmac[SHA1_LENGTH];
+ hmac_sha1_update(¶ms->ctx_, encrypted_packet_get_auth_portion_length(packet), encrypted_packet_get_auth_portion(packet));
+ hmac_sha1_digest(¶ms->ctx_, SHA1_LENGTH, hmac);
+#else // USE_GCRYPT is the default
gcry_error_t err = gcry_md_setkey(params->handle_, aa->key_.buf_, aa->key_.length_);
if(err) {
log_printf(ERROR, "failed to set hmac key: %s", gcry_strerror(err));
return -1;
- }
+ }
gcry_md_reset(params->handle_);
gcry_md_write(params->handle_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet));
gcry_md_final(params->handle_);
u_int8_t* hmac = gcry_md_read(params->handle_, 0);
-#else
- HMAC_Init_ex(¶ms->ctx_, aa->key_.buf_, aa->key_.length_, EVP_sha1(), NULL);
-
- u_int8_t hmac[SHA1_LENGTH];
- HMAC_Update(¶ms->ctx_, encrypted_packet_get_auth_portion(packet), encrypted_packet_get_auth_portion_length(packet));
- HMAC_Final(¶ms->ctx_, hmac, NULL);
#endif
u_int8_t* tag = encrypted_packet_get_auth_tag(packet);
if(length > SHA1_LENGTH) {
u_int32_t i;
for(i=0; i < (encrypted_packet_get_auth_tag_length(packet) - SHA1_LENGTH); ++i)
- if(tag[i]) return 0;
+ if(tag[i]) return 0;
}
-
+
int result = memcmp(&tag[encrypted_packet_get_auth_tag_length(packet) - length], &hmac[SHA1_LENGTH - length], length);
-
+
if(result)
return 0;
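Review bot: The tag comparison `int result = memcmp(&tag[...], &hmac[SHA1_LENGTH - length], length);` stops at the first differing byte, so verification time depends on how much of the tag already matches; an authentication tag should be compared in constant time, either with a backend helper where one exists (OpenSSL's CRYPTO_memcmp) or, since this file serves three backends, with a byte-OR accumulator as sketched below. The early `if(tag[i]) return 0;` in the leading-zero loop has the same shape and is folded into the same accumulator. Separately, `length` is defined above the hunk, but because `&hmac[SHA1_LENGTH - length]` is only a valid index when length <= SHA1_LENGTH, the guard `if(length > SHA1_LENGTH)` looks unreachable and the zero-padding check for tags longer than the digest would never run — please confirm; the sketch tests the packet's tag length instead. auth_algo_check_tag begins before the hunk, and its return of 1 on success is outside the lines shown.
```c
  // … unchanged: backend-specific HMAC computation into hmac …
  u_int8_t* tag = encrypted_packet_get_auth_tag(packet);
  u_int32_t tag_length = encrypted_packet_get_auth_tag_length(packet);
  u_int8_t diff = 0;
  u_int32_t i;
  // a tag longer than the digest must be zero-padded in front; accumulate instead of returning early
  if(tag_length > SHA1_LENGTH) {
    for(i = 0; i < (tag_length - SHA1_LENGTH); ++i)
      diff |= tag[i];
  }
  // constant-time compare: every byte is visited regardless of where a mismatch occurs
  for(i = 0; i < length; ++i)
    diff |= tag[tag_length - length + i] ^ hmac[SHA1_LENGTH - length + i];

  if(diff)
    return 0;
```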
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_auth_algo_h_INCLUDED
#define UANYTUN_auth_algo_h_INCLUDED
-#ifndef USE_SSL_CRYPTO
-#include <gcrypt.h>
-#else
+#if defined(USE_SSL_CRYPTO)
#include <openssl/hmac.h>
+#elif defined(USE_NETTLE)
+#include <nettle/hmac.h>
+#else // USE_GCRYPT is the default
+#include <gcrypt.h>
#endif
#include "key_derivation.h"
#include "encrypted_packet.h"
#define SHA1_LENGTH 20
struct auth_algo_sha1_param_struct {
-#ifndef USE_SSL_CRYPTO
- gcry_md_hd_t handle_;
-#else
+#if defined(USE_SSL_CRYPTO)
HMAC_CTX ctx_;
+#elif defined(USE_NETTLE)
+ struct hmac_sha1_ctx ctx_;
+#else // USE_GCRYPT is the default
+ gcry_md_hd_t handle_;
#endif
};
typedef struct auth_algo_sha1_param_struct auth_algo_sha1_param_t;
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include "datatypes.h"
int tun_init(tun_device_t* dev, const char* dev_name, const char* dev_type, const char* ifcfg_addr, u_int16_t ifcfg_prefix)
{
- if(!dev)
+ if(!dev)
return -1;
-
+
tun_conf(dev, dev_name, dev_type, ifcfg_addr, ifcfg_prefix, 1400);
dev->actual_name_ = NULL;
tun_close(dev);
return -2;
}
-
+
dev->fd_ = open(device_file_tmp, O_RDWR);
free(device_file_tmp);
if(dev->fd_ >= 0)
log_printf(ERROR, "can't open device file dynamically: no unused node left");
else
log_printf(ERROR, "can't open device file (%s): %s", device_file, strerror(errno));
-
+
tun_close(dev);
return -1;
}
dev->with_pi_ = 1;
if(dev->type_ == TYPE_TAP)
dev->with_pi_ = 0;
-
- struct tuninfo ti;
+
+ struct tuninfo ti;
if(ioctl(dev->fd_, TUNGIFINFO, &ti) < 0) {
log_printf(ERROR, "can't enable multicast for interface: %s", strerror(errno));
return -1;
- }
+ }
ti.flags |= IFF_MULTICAST;
if(dev->type_ == TYPE_TUN)
ti.flags &= ~IFF_POINTOPOINT;
-
+
if(ioctl(dev->fd_, TUNSIFINFO, &ti) < 0) {
log_printf(ERROR, "can't enable multicast for interface: %s", strerror(errno));
return -1;
if(ioctl(dev->fd_, TUNSLMODE, &arg) < 0) {
log_printf(ERROR, "can't disable link-layer mode for interface: %s", strerror(errno));
return -1;
- }
+ }
arg = 1;
if(ioctl(dev->fd_, TUNSIFHEAD, &arg) < 0) {
log_printf(ERROR, "can't enable multi-af mode for interface: %s", strerror(errno));
return -1;
- }
+ }
arg = IFF_BROADCAST;
arg |= IFF_MULTICAST;
if(ioctl(dev->fd_, TUNSIFMODE, &arg) < 0) {
log_printf(ERROR, "can't enable multicast for interface: %s", strerror(errno));
return -1;
- }
+ }
}
return 0;
{
struct iovec iov[2];
u_int32_t type;
-
+
iov[0].iov_base = &type;
iov[0].iov_len = sizeof(type);
iov[1].iov_base = buf;
struct iovec iov[2];
u_int32_t type;
struct ip *hdr = (struct ip*)buf;
-
+
type = 0;
if(hdr->ip_v == 4)
type = htonl(AF_INET);
else
type = htonl(AF_INET6);
-
+
iov[0].iov_base = &type;
iov[0].iov_len = sizeof(type);
iov[1].iov_base = buf;
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include "datatypes.h"
#include "encrypted_packet.h"
#include "cipher.h"
+#if defined(USE_NETTLE)
+#include <nettle/ctr.h>
+#endif
#include "log.h"
int cipher_init(cipher_t* c, const char* type)
{
- if(!c)
+ if(!c)
return -1;
c->key_length_ = 0;
if(type[7] == 0) {
c->key_length_ = C_AESCTR_DEFAULT_KEY_LENGTH;
}
- else if(type[7] != '-')
+ else if(type[7] != '-')
return -1;
else {
const char* tmp = &type[8];
int cipher_encrypt(cipher_t* c, key_derivation_t* kd, key_derivation_dir_t dir, plain_packet_t* in, encrypted_packet_t* out, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux)
{
- if(!c)
+ if(!c)
return -1;
- int32_t len;
+ int32_t len;
if(c->type_ == c_null)
- len = cipher_null_crypt(plain_packet_get_packet(in), plain_packet_get_length(in),
+ len = cipher_null_crypt(plain_packet_get_packet(in), plain_packet_get_length(in),
encrypted_packet_get_payload(out), encrypted_packet_get_payload_length(out));
#ifndef NO_CRYPT
else if(c->type_ == c_aes_ctr)
if(len < 0)
return 0;
- encrypted_packet_set_sender_id(out, sender_id);
+ encrypted_packet_set_sender_id(out, sender_id);
encrypted_packet_set_seq_nr(out, seq_nr);
encrypted_packet_set_mux(out, mux);
int cipher_decrypt(cipher_t* c, key_derivation_t* kd, key_derivation_dir_t dir, encrypted_packet_t* in, plain_packet_t* out)
{
- if(!c)
+ if(!c)
return -1;
- int32_t len;
+ int32_t len;
if(c->type_ == c_null)
len = cipher_null_crypt(encrypted_packet_get_payload(in), encrypted_packet_get_payload_length(in),
plain_packet_get_packet(out), plain_packet_get_length(out));
log_printf(ERROR, "unknown cipher type");
return -1;
}
-
+
if(len < 0)
return 0;
- plain_packet_set_length(out, len);
+ plain_packet_set_length(out, len);
return 0;
}
int32_t cipher_null_crypt(u_int8_t* in, u_int32_t ilen, u_int8_t* out, u_int32_t olen)
{
- memcpy(out, in, (ilen < olen) ? ilen : olen);
+ memcpy(out, in, (ilen < olen) ? ilen : olen);
return (ilen < olen) ? ilen : olen;
}
if(!c->params_)
return -2;
- cipher_aesctr_param_t* params = c->params_;
-
-#ifndef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
+ // nothing here
+#elif defined(USE_NETTLE)
+ // nothing here
+#else // USE_GCRYPT is the default
int algo;
switch(c->key_length_) {
case 128: algo = GCRY_CIPHER_AES128; break;
}
}
+ cipher_aesctr_param_t* params = c->params_;
gcry_error_t err = gcry_cipher_open(¶ms->handle_, algo, GCRY_CIPHER_MODE_CTR, 0);
if(err) {
log_printf(ERROR, "failed to open cipher: %s", gcry_strerror(err));
return -1;
- }
+ }
#endif
return 0;
return;
if(c->params_) {
+#if defined(USE_SSL_CRYPTO)
+ // nothing here
+#elif defined(USE_NETTLE)
+ // nothing here
+#else // USE_GCRYPT is the default
cipher_aesctr_param_t* params = c->params_;
-
-#ifndef USE_SSL_CRYPTO
- if(params->handle_)
- gcry_cipher_close(params->handle_);
+ gcry_cipher_close(params->handle_);
#endif
-
free(c->params_);
}
}
{
if(!c || !c->params_)
return -1;
-
+
cipher_aesctr_param_t* params = c->params_;
int ret = key_derivation_generate(kd, dir, LABEL_SALT, seq_nr, c->salt_.buf_, C_AESCTR_SALT_LENGTH);
int ret = key_derivation_generate(kd, dir, LABEL_ENC, seq_nr, c->key_.buf_, c->key_.length_);
if(ret < 0)
return ret;
-
-#ifdef USE_SSL_CRYPTO
+
+#if defined(USE_SSL_CRYPTO)
ret = AES_set_encrypt_key(c->key_.buf_, c->key_length_, ¶ms->aes_key_);
if(ret) {
- log_printf(ERROR, "failed to set cipher ssl aes-key (code: %d)", ret);
+ log_printf(ERROR, "failed to set cipher key (code: %d)", ret);
return -1;
}
-#else
+#elif defined(USE_NETTLE)
+ aes_set_encrypt_key(¶ms->ctx_, c->key_.length_, c->key_.buf_);
+#else // USE_GCRYPT is the default
gcry_error_t err = gcry_cipher_setkey(params->handle_, c->key_.buf_, c->key_.length_);
if(err) {
log_printf(ERROR, "failed to set cipher key: %s", gcry_strerror(err));
log_printf(ERROR, "failed to calculate cipher CTR");
return ret;
}
-
-#ifndef USE_SSL_CRYPTO
+
+#if defined(USE_SSL_CRYPTO)
+ if(C_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) {
+ log_printf(ERROR, "failed to set cipher CTR: size doesn't fit");
+ return -1;
+ }
+ u_int32_t num = 0;
+ memset(params->ecount_buf_, 0, AES_BLOCK_SIZE);
+ AES_ctr128_encrypt(in, out, (ilen < olen) ? ilen : olen, ¶ms->aes_key_, params->ctr_.buf_, params->ecount_buf_, &num);
+#elif defined(USE_NETTLE)
+ if(C_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) {
+ log_printf(ERROR, "failed to set cipher CTR: size doesn't fit");
+ return -1;
+ }
+ ctr_crypt(¶ms->ctx_, (nettle_crypt_func *)(aes_encrypt), AES_BLOCK_SIZE, params->ctr_.buf_, (ilen < olen) ? ilen : olen, out, in);
+#else // USE_GCRYPT is the default
err = gcry_cipher_setctr(params->handle_, params->ctr_.buf_, C_AESCTR_CTR_LENGTH);
if(err) {
log_printf(ERROR, "failed to set cipher CTR: %s", gcry_strerror(err));
log_printf(ERROR, "failed to de/encrypt packet: %s", gcry_strerror(err));
return -1;
}
-#else
- if(C_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) {
- log_printf(ERROR, "failed to set cipher CTR: size don't fits");
- return -1;
- }
- u_int32_t num = 0;
- memset(params->ecount_buf_, 0, AES_BLOCK_SIZE);
- AES_ctr128_encrypt(in, out, (ilen < olen) ? ilen : olen, ¶ms->aes_key_, params->ctr_.buf_, params->ecount_buf_, &num);
#endif
- return (ilen < olen) ? ilen : olen;
+ return (ilen < olen) ? ilen : olen;
}
#endif
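Review bot: The new guard `if(C_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE)` in both the OpenSSL and nettle branches compares two build-time constants on every packet and only reports the mismatch at runtime; a preprocessor check placed once above the backend `#if` makes such a build fail to compile instead: `#if C_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE` / `#error "C_AESCTR_CTR_LENGTH must equal AES_BLOCK_SIZE"` / `#endif` — assuming C_AESCTR_CTR_LENGTH is a macro, which its definition outside the hunk would confirm. The nettle branch's `ctr_crypt(...)` advances `params->ctr_.buf_` in place, so correctness relies on the counter being freshly derived before each call (that derivation sits above the hunk); a one-line comment stating this dependency, e.g. `// ctr_crypt increments ctr_.buf_ in place; the counter is re-derived per packet above`, would save the next reader from checking. The function's signature is outside the hunk.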
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_cipher_h_INCLUDED
#define UANYTUN_cipher_h_INCLUDED
#ifndef NO_CRYPT
-#ifndef USE_SSL_CRYPTO
-#include <gcrypt.h>
-#else
+#if defined(USE_SSL_CRYPTO)
#include <openssl/aes.h>
+#elif defined(USE_NETTLE)
+#include <nettle/aes.h>
+#else // USE_GCRYPT is the default
+#include <gcrypt.h>
#endif
#include "key_derivation.h"
#else
typedef union cipher_aesctr_ctr_union cipher_aesctr_ctr_t;
struct cipher_aesctr_param_struct {
-#ifndef USE_SSL_CRYPTO
- gcry_cipher_hd_t handle_;
-#else
+#if defined(USE_SSL_CRYPTO)
AES_KEY aes_key_;
u_int8_t ecount_buf_[AES_BLOCK_SIZE];
+#elif defined(USE_NETTLE)
+ struct aes_ctx ctx_;
+#else // USE_GCRYPT is the default
+ gcry_cipher_hd_t handle_;
#endif
cipher_aesctr_ctr_t ctr_;
};
# tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
# mode and allows tunneling of every ETHER TYPE protocol (e.g.
# ethernet, ip, arp ...). satp directly includes cryptography and
-# message authentication based on the methodes used by SRTP. It is
+# message authentication based on the methods used by SRTP. It is
# intended to deliver a generic, scaleable and secure solution for
# tunneling and relaying of packets of any protocol.
-#
#
-# Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+#
+# Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
#
# This file is part of uAnytun.
#
# You should have received a copy of the GNU General Public License
# along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
#
+# In addition, as a special exception, the copyright holders give
+# permission to link the code of portions of this program with the
+# OpenSSL library under certain conditions as described in each
+# individual source file, and distribute linked combinations
+# including the two.
+# You must obey the GNU General Public License in all respects
+# for all of the code used other than OpenSSL. If you modify
+# file(s) with this exception, you may extend this exception to your
+# version of the file(s), but you are not obligated to do so. If you
+# do not wish to do so, delete this exception statement from your
+# version. If you delete this exception statement from all source
+# files in the program, then also delete it here.
+#
TARGET=`uname -s`
-
EBUILD_COMPAT=0
-CFLAGS='-g -O2'
-LDFLAGS='-g -Wall -O2'
+USE_CLANG=0
CRYPTO_LIB='gcrypt'
PASSPHRASE=1
echo " --no-manpage dont't install manpage"
echo " --examplesdir=<DIR> the path to the examples files (default: $PREFIX/share/examples)"
echo " --no-examples dont't install example files"
- echo " --use-ssl-crypto use ssl crypto library instead of libgcrypt"
+ echo " --use-gcrypt use libgcrypt (this is the default)"
+ echo " --use-nettle use libnettle instead of libgcrypt"
+ echo " --use-ssl-crypto use openssl crypto library instead of libgcrypt"
echo " --no-crypto disable crypto at all (only NULL cipher)"
echo " --disable-passphrase disable master key and salt passphrase"
echo " --enable-passphrase enable master key and salt passphrase"
+ echo " --use-clang use clang/llvm as compiler/linker"
}
for arg
--target=*)
TARGET=${arg#--target=}
;;
+ --use-clang)
+ USE_CLANG=1
+ ;;
--prefix=*)
PREFIX=${arg#--prefix=}
;;
--no-examples)
INSTALLEXAMPLES=0
;;
+ --use-gcrypt)
+ CRYPTO_LIB='gcrypt'
+ ;;
+ --use-nettle)
+ CRYPTO_LIB='nettle'
+ ;;
--use-ssl-crypto)
CRYPTO_LIB='ssl'
;;
--no-crypto)
CRYPTO_LIB='none'
- ;;
+ ;;
--disable-passphrase)
PASSPHRASE=0
;;
exit 1
fi
+if [ $USE_CLANG -eq 0 ]; then
+ CFLAGS='-g -Wall -O2'
+ LDFLAGS='-g -Wall -O2'
+ COMPILER='gcc'
+else
+ CFLAGS='-g -O2'
+ LDFLAGS='-g -O2'
+ COMPILER='clang'
+fi
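Review bot: The clang branch sets `CFLAGS='-g -O2'` and so loses `-Wall`, which the gcc branch keeps; warnings then go silent on clang builds. If particular clang warnings were the build problem, keeping `-Wall` and switching off just those with `-Wno-<warning>` is narrower than dropping the flag. `-Wall` in LDFLAGS has no effect at link time and can be dropped from the gcc branch for the same reason the clang branch omits it; `[ $USE_CLANG -eq 0 ]` is safe here because the variable is always assigned 0 or 1 above, though `"$USE_CLANG"` is the usual defensive spelling.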
+
rm -f version.h
rm -f include.mk
-case $TARGET in
+case $TARGET in
Linux)
rm -f tun.c
ln -sf linux/tun.c
case $CRYPTO_LIB in
gcrypt)
+ CFLAGS=$CFLAGS' -DUSE_GCRYPT'
LDFLAGS=$LDFLAGS' -lgcrypt'
- echo "using libgcrypt library"
+ echo "using gcrypt library"
+ ;;
+ nettle)
+ CFLAGS=$CFLAGS' -DUSE_NETTLE'
+ LDFLAGS=$LDFLAGS' -lnettle'
+ echo "using nettle library"
;;
ssl)
CFLAGS=$CFLAGS' -DUSE_SSL_CRYPTO'
;;
none)
CFLAGS=$CFLAGS' -DNO_CRYPT'
- echo "NO_CRYPT_OBJ = 1" >> include.mk
echo "disabling crypto"
;;
esac
EXAMPLESDIR=$PREFIX/share/examples
fi
-cat >> include.mk <<EOF
+cat > include.mk <<EOF
# this file was created automatically
-# do not edit this file directly
+# do not edit this file directly
# use ./configure instead
TARGET := $TARGET
-CC := gcc
+CC := $COMPILER
CFLAGS := $CFLAGS
LDFLAGS := $LDFLAGS
STRIP := strip
ETCDIR := $ETCDIR
EOF
+if [ $CRYPTO_LIB = "none" ]; then
+ echo "NO_CRYPT_OBJ = 1" >> include.mk
+fi
+
if [ $INSTALLMANPAGE -eq 1 ]; then
echo "MANDIR := $MANDIR" >> include.mk
echo "installing manpage"
VERSION=`cat ../version`
if which svn >/dev/null; then
- SVN_REV=`svn info | grep "^Revision: " | awk '{print($2)}'`
+ SVN_REV=`svn info 2> /dev/null | grep "^Revision: " | awk '{print($2)}'`
if [ -n "$SVN_REV" ]; then
VERSION="$VERSION (svn$SVN_REV)"
fi
HOSTNAME=`hostname`
DATE=`date +"%d.%m.%Y %H:%M:%S %Z"`
-cat >> version.h <<EOF
-/*
+cat > version.h <<EOF
+/*
* uanytun version info
*
* this file was created automatically
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_daemon_h_INCLUDED
priv->pw_ = getpwnam(username);
if(!priv->pw_) {
- log_printf(ERROR, "unkown user %s", username);
+ log_printf(ERROR, "unknown user %s", username);
return -1;
}
priv->gr_ = getgrgid(priv->pw_->pw_gid);
if(!priv->gr_) {
- log_printf(ERROR, "unkown group %s", groupname);
+ log_printf(ERROR, "unknown group %s", groupname);
return -1;
}
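Review bot: The corrected message `log_printf(ERROR, "unknown group %s", groupname);` reports `groupname`, but the lookup on the line above is `getgrgid(priv->pw_->pw_gid)`, which does not use it; if this is the fallback path taken when no group name was given (the branch preceding the hunk is not visible), `groupname` can be NULL and passing NULL for `%s` is undefined behaviour in printf-style formatting. Logging the value that was actually looked up avoids the question: `log_printf(ERROR, "unknown group for gid %d", (int)priv->pw_->pw_gid);`, or guard with `groupname ? groupname : "(from user's gid)"`. The enclosing function begins and ends outside the hunk.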
log_printf(ERROR, "can't change to /: %s", strerror(errno));
return -1;
}
+
+ return 0;
}
void daemonize()
}
#endif
-
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_datatypes_h_INCLUDED
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include "datatypes.h"
{
if(!packet)
return 0;
-
+
return MUX_T_NTOH(packet->data_.header_.mux_);
}
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_encrypted_packet_h_INCLUDED
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_init_crypt_h_INCLUDED
#else
-#ifndef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
+
+int init_crypt()
+{
+// nothing here
+ return 0;
+}
+
+#elif defined(USE_NETTLE)
+
+int init_crypt()
+{
+// nothing here
+ return 0;
+}
+
+#else // USE_GCRYPT is the default
#include <gcrypt.h>
#define MIN_GCRYPT_VERSION "1.2.0"
-int init_crypt()
+int init_crypt()
{
if(!gcry_check_version(MIN_GCRYPT_VERSION)) {
log_printf(NOTICE, "invalid Version of libgcrypt, should be >= %s", MIN_GCRYPT_VERSION);
return 0;
}
-#else
-
-int init_crypt()
-{
-// nothing here
- return 0;
-}
-
#endif
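Review bot: The two new stub bodies of init_crypt() (USE_SSL_CRYPTO and USE_NETTLE) return 0 as their "nothing to do" result, while the gcrypt init_crypt() directly below returns 0 when gcry_check_version() fails, so the same value means success in one branch and a bad library version in the other; the gcrypt function's remaining body and its success return lie outside this hunk, so I cannot see which convention the caller checks. If the caller treats 0 as success, which the stubs imply, a failed version check is reported as success and the program continues on an unverified libgcrypt; the failure path should then be `return -1;` (or whatever non-zero value the caller tests). A one-line comment on each stub would also make the convention explicit, e.g. `/* OpenSSL/nettle need no global initialisation; 0 signals success to the caller */`.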
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include "datatypes.h"
#include "key_derivation.h"
-#ifdef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
#include <openssl/sha.h>
+#elif defined(USE_NETTLE)
+#include <nettle/sha1.h>
+#include <nettle/sha2.h>
+#include <nettle/ctr.h>
#endif
#include "log.h"
int key_derivation_init(key_derivation_t* kd, const char* type, role_t role, const char* passphrase, u_int8_t* key, u_int32_t key_len, u_int8_t* salt, u_int32_t salt_len)
{
- if(!kd)
+ if(!kd)
return -1;
kd->role_ = role;
if(type[7] == 0) {
kd->key_length_ = KD_AESCTR_DEFAULT_KEY_LENGTH;
}
- else if(type[7] != '-')
+ else if(type[7] != '-')
return -1;
else {
const char* tmp = &type[8];
if(kd->master_key_.buf_) {
log_printf(WARNING, "master key and passphrase provided, ignoring passphrase");
return 0;
- }
+ }
log_printf(NOTICE, "using passphrase to generate master key");
if(!key_length || (key_length % 8)) {
return -1;
}
-#ifndef USE_SSL_CRYPTO
- if(key_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA256) * 8)) {
-#else
+#if defined(USE_SSL_CRYPTO)
if(key_length > (SHA256_DIGEST_LENGTH * 8)) {
+#elif defined(USE_NETTLE)
+ if(key_length > (SHA256_DIGEST_SIZE * 8)) {
+#else // USE_GCRYPT is the default
+ if(key_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA256) * 8)) {
#endif
log_printf(ERROR, "master key too long for passphrase algorithm");
return -1;
}
buffer_t digest;
-#ifndef USE_SSL_CRYPTO
- digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA256);
-#else
+#if defined(USE_SSL_CRYPTO)
digest.length_ = SHA256_DIGEST_LENGTH;
+#elif defined(USE_NETTLE)
+ digest.length_ = SHA256_DIGEST_SIZE;
+#else // USE_GCRYPT is the default
+ digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA256);
#endif
digest.buf_ = malloc(digest.length_);
if(!digest.buf_)
return -2;
-#ifndef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
+ SHA256((const u_int8_t*)passphrase, strlen(passphrase), digest.buf_);
+#elif defined(USE_NETTLE)
+ struct sha256_ctx ctx;
+ sha256_init(&ctx);
+ sha256_update(&ctx, strlen(passphrase), (const u_int8_t*)passphrase);
+ sha256_digest(&ctx, digest.length_, digest.buf_);
+#else // USE_GCRYPT is the default
gcry_md_hash_buffer(GCRY_MD_SHA256, digest.buf_, passphrase, strlen(passphrase));
-#else
- SHA256(passphrase, strlen(passphrase), digest.buf_);
#endif
kd->master_key_.length_ = key_length/8;
if(kd->master_salt_.buf_) {
log_printf(WARNING, "master salt and passphrase provided, ignoring passphrase");
return 0;
- }
+ }
log_printf(NOTICE, "using passphrase to generate master salt");
if(!salt_length || (salt_length % 8)) {
return -1;
}
-#ifndef USE_SSL_CRYPTO
- if(salt_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA1) * 8)) {
-#else
+#if defined(USE_SSL_CRYPTO)
if(salt_length > (SHA_DIGEST_LENGTH * 8)) {
+#elif defined(USE_NETTLE)
+ if(salt_length > (SHA1_DIGEST_SIZE * 8)) {
+#else // USE_GCRYPT is the default
+ if(salt_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA1) * 8)) {
#endif
log_printf(ERROR, "master salt too long for passphrase algorithm");
return -1;
}
buffer_t digest;
-#ifndef USE_SSL_CRYPTO
- digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA1);
-#else
+#if defined(USE_SSL_CRYPTO)
digest.length_ = SHA_DIGEST_LENGTH;
+#elif defined(USE_NETTLE)
+ digest.length_ = SHA1_DIGEST_SIZE;
+#else // USE_GCRYPT is the default
+ digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA1);
#endif
digest.buf_ = malloc(digest.length_);
if(!digest.buf_)
return -2;
-#ifndef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
+ SHA1((const u_int8_t*)passphrase, strlen(passphrase), digest.buf_);
+#elif defined(USE_NETTLE)
+ struct sha1_ctx ctx;
+ sha1_init(&ctx);
+ sha1_update(&ctx, strlen(passphrase), (const u_int8_t*)passphrase);
+ sha1_digest(&ctx, digest.length_, digest.buf_);
+#else // USE_GCRYPT is the default
gcry_md_hash_buffer(GCRY_MD_SHA1, digest.buf_, passphrase, strlen(passphrase));
-#else
- SHA1(passphrase, strlen(passphrase), digest.buf_);
#endif
kd->master_salt_.length_ = salt_length/8;
int key_derivation_generate(key_derivation_t* kd, key_derivation_dir_t dir, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len)
{
- if(!kd || !key)
+ if(!kd || !key)
return -1;
if(label >= LABEL_NIL) {
return -2;
key_derivation_aesctr_param_t* params = kd->params_;
-#ifndef USE_SSL_CRYPTO
+#ifdef USE_GCRYPT
params->handle_ = 0;
#endif
}
#endif
-#ifndef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
+ int ret = AES_set_encrypt_key(kd->master_key_.buf_, kd->master_key_.length_*8, ¶ms->aes_key_);
+ if(ret) {
+ log_printf(ERROR, "failed to set key derivation ssl aes-key (code: %d)", ret);
+ return -1;
+ }
+#elif defined(USE_NETTLE)
+ aes_set_encrypt_key(¶ms->ctx_, kd->master_key_.length_, kd->master_key_.buf_);
+#else // USE_GCRYPT is the default
int algo;
switch(kd->key_length_) {
case 128: algo = GCRY_CIPHER_AES128; break;
if(err) {
log_printf(ERROR, "failed to open key derivation cipher: %s", gcry_strerror(err));
return -1;
- }
+ }
err = gcry_cipher_setkey(params->handle_, kd->master_key_.buf_, kd->master_key_.length_);
if(err) {
log_printf(ERROR, "failed to set key derivation key: %s", gcry_strerror(err));
return -1;
}
-#else
- int ret = AES_set_encrypt_key(kd->master_key_.buf_, kd->master_key_.length_*8, ¶ms->aes_key_);
- if(ret) {
- log_printf(ERROR, "failed to set key derivation ssl aes-key (code: %d)", ret);
- return -1;
- }
#endif
return 0;
return;
if(kd->params_) {
+#ifdef USE_GCRYPT
key_derivation_aesctr_param_t* params = kd->params_;
-
-#ifndef USE_SSL_CRYPTO
if(params->handle_)
gcry_cipher_close(params->handle_);
#endif
return -1;
}
-#ifndef USE_SSL_CRYPTO
+#if defined(USE_SSL_CRYPTO)
+ if(KD_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) {
+ log_printf(ERROR, "failed to set key derivation CTR: size don't fits");
+ return -1;
+ }
+ u_int32_t num = 0;
+ memset(params->ecount_buf_, 0, AES_BLOCK_SIZE);
+ memset(key, 0, len);
+ AES_ctr128_encrypt(key, key, len, ¶ms->aes_key_, params->ctr_.buf_, params->ecount_buf_, &num);
+#elif defined(USE_NETTLE)
+ if(KD_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) {
+ log_printf(ERROR, "failed to set cipher CTR: size doesn't fit");
+ return -1;
+ }
+ memset(key, 0, len);
+ ctr_crypt(¶ms->ctx_, (nettle_crypt_func *)(aes_encrypt), AES_BLOCK_SIZE, params->ctr_.buf_, len, key, key);
+#else // USE_GCRYPT is the default
gcry_error_t err = gcry_cipher_reset(params->handle_);
if(err) {
log_printf(ERROR, "failed to reset key derivation cipher: %s", gcry_strerror(err));
log_printf(ERROR, "failed to generate key derivation bitstream: %s", gcry_strerror(err));
return -1;
}
-#else
- if(KD_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) {
- log_printf(ERROR, "failed to set key derivation CTR: size don't fits");
- return -1;
- }
- u_int32_t num = 0;
- memset(params->ecount_buf_, 0, AES_BLOCK_SIZE);
- memset(key, 0, len);
- AES_ctr128_encrypt(key, key, len, ¶ms->aes_key_, params->ctr_.buf_, params->ecount_buf_, &num);
#endif
-
+
return 0;
}
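Review bot: The nettle branch of the aesctr init (`aes_set_encrypt_key(&params->ctx_, kd->master_key_.length_, kd->master_key_.buf_);`) is the only backend that does not report a bad master key length: the OpenSSL branch checks the return of AES_set_encrypt_key and the gcrypt branch checks gcry_cipher_setkey, whereas nettle's aes_set_encrypt_key returns void and, as far as I recall the nettle 2 API, asserts on an unsupported length instead of failing cleanly. Since the gcrypt branch derives the cipher from kd->key_length_ and then keys it with master_key_, the two are expected to agree, and the nettle branch should verify that explicitly before keying. The `¶ms` that appears in the OpenSSL lines looks like a rendering artefact of `&params` rather than source text. The enclosing function starts outside the hunk.
```c
#elif defined(USE_NETTLE)
  /* nettle reports no error for an unsupported key length, so check it here
     against the configured cipher key length, mirroring the gcrypt branch */
  if(kd->master_key_.length_ * 8 != kd->key_length_) {
    log_printf(ERROR, "failed to set key derivation nettle aes-key: master key length does not match configured key length");
    return -1;
  }
  aes_set_encrypt_key(&params->ctx_, kd->master_key_.length_, kd->master_key_.buf_);
// … unchanged: gcrypt branch …
```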
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_key_derivation_h_INCLUDED
#define UANYTUN_key_derivation_h_INCLUDED
-#ifndef USE_SSL_CRYPTO
-#include <gcrypt.h>
-#else
+#if defined(USE_SSL_CRYPTO)
#include <openssl/aes.h>
+#elif defined(USE_NETTLE)
+#include <nettle/aes.h>
+#else // USE_GCRYPT is the default
+#include <gcrypt.h>
#endif
#include "options.h"
typedef union key_derivation_aesctr_ctr_union key_derivation_aesctr_ctr_t;
struct key_derivation_aesctr_param_struct {
-#ifndef USE_SSL_CRYPTO
- gcry_cipher_hd_t handle_;
-#else
+#if defined(USE_SSL_CRYPTO)
AES_KEY aes_key_;
u_int8_t ecount_buf_[AES_BLOCK_SIZE];
+#elif defined(USE_NETTLE)
+ struct aes_ctx ctx_;
+#else // USE_GCRYPT is the default
+ gcry_cipher_hd_t handle_;
#endif
key_derivation_aesctr_ctr_t ctr_;
};
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
+#define _GNU_SOURCE
#include <stdio.h>
#include "datatypes.h"
#include "sysexec.h"
int tun_init(tun_device_t* dev, const char* dev_name, const char* dev_type, const char* ifcfg_addr, u_int16_t ifcfg_prefix){
- if(!dev)
+ if(!dev)
return -1;
-
+
tun_conf(dev, dev_name, dev_type, ifcfg_addr, ifcfg_prefix, 1400);
dev->actual_name_ = NULL;
- dev->fd_ = open(DEFAULT_DEVICE, O_RDWR);
- if(dev->fd_ < 0) {
+ dev->fd_ = open(DEFAULT_DEVICE, O_RDWR);
+ if(dev->fd_ < 0) {
log_printf(ERROR, "can't open device file (%s): %s", DEFAULT_DEVICE, strerror(errno));
tun_close(dev);
return -1;
}
- struct ifreq ifr;
- memset(&ifr, 0, sizeof(ifr));
+ struct ifreq ifr;
+ memset(&ifr, 0, sizeof(ifr));
if(dev->type_ == TYPE_TUN) {
ifr.ifr_flags = IFF_TUN;
dev->with_pi_ = 1;
- }
+ }
else if(dev->type_ == TYPE_TAP) {
ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
dev->with_pi_ = 0;
- }
+ }
else {
log_printf(ERROR, "unable to recognize type of device (tun or tap)");
tun_close(dev);
return -1;
}
- if(dev_name)
- strncpy(ifr.ifr_name, dev_name, IFNAMSIZ);
+ if(dev_name)
+ strncpy(ifr.ifr_name, dev_name, IFNAMSIZ);
- if(!ioctl(dev->fd_, TUNSETIFF, &ifr)) {
- dev->actual_name_ = strdup(ifr.ifr_name);
- } else if(!ioctl(dev->fd_, (('T' << 8) | 202), &ifr)) {
- dev->actual_name_ = strdup(ifr.ifr_name);
- } else {
+ if(!ioctl(dev->fd_, TUNSETIFF, &ifr)) {
+ dev->actual_name_ = strdup(ifr.ifr_name);
+ } else if(!ioctl(dev->fd_, (('T' << 8) | 202), &ifr)) {
+ dev->actual_name_ = strdup(ifr.ifr_name);
+ } else {
log_printf(ERROR, "tun/tap device ioctl failed: %s", strerror(errno));
tun_close(dev);
return -1;
int tun_init_post(tun_device_t* dev)
{
// nothing yet
+ return 0;
}
void tun_close(tun_device_t* dev)
{
struct iovec iov[2];
struct tun_pi tpi;
-
+
iov[0].iov_base = &tpi;
iov[0].iov_len = sizeof(tpi);
iov[1].iov_base = buf;
struct iovec iov[2];
struct tun_pi tpi;
struct iphdr *hdr = (struct iphdr *)buf;
-
+
tpi.flags = 0;
if(hdr->version == 4)
tpi.proto = htons(ETH_P_IP);
else
tpi.proto = htons(ETH_P_IPV6);
-
+
iov[0].iov_base = &tpi;
iov[0].iov_len = sizeof(tpi);
iov[1].iov_base = buf;
return;
char* mtu_str = NULL;
- asprintf(&mtu_str, "%d", dev->mtu_);
- if(!mtu_str) {
+ int len = asprintf(&mtu_str, "%d", dev->mtu_);
+ if(len == -1) {
log_printf(ERROR, "Execution of ifconfig failed");
return;
}
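Review bot: In tun_init the re-indented `strncpy(ifr.ifr_name, dev_name, IFNAMSIZ);` still silently truncates a requested device name of IFNAMSIZ or more characters and leaves ifr_name without a terminator; the kernel terminates and echoes the name back on TUNSETIFF, so the later strdup() is safe, but the user ends up with a different interface name than the one configured and no diagnostic. A length check before the copy would turn this into an explicit error: `if(dev_name && strlen(dev_name) >= IFNAMSIZ) { log_printf(ERROR, "device name too long (max %d chars)", IFNAMSIZ - 1); tun_close(dev); return -1; }`. The asprintf() fix further down is correct, since on failure the pointer is left undefined rather than NULL; a short comment such as `// asprintf leaves mtu_str undefined on failure, so test the return value` would explain why the check changed. tun_init's body continues outside the hunk.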
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include "datatypes.h"
+#include <ctype.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
if(tmp->type_ == type)
return 1;
tmp = tmp->next_;
- }
+ }
return 0;
}
log_target_t* tmp = targets->first_;
while(tmp->next_)
tmp = tmp->next_;
-
+
tmp->next_ = new_target;
}
return 0;
int offset = snprintf(msg, MSG_LENGTH_MAX, "dump(%d): ", len);
if(offset < 0)
return;
- u_int8_t* ptr = &msg[offset];
-
+ char* ptr = &msg[offset];
+
for(i=0; i < len; i++) {
if(((i+1)*3) >= (MSG_LENGTH_MAX - offset))
break;
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_log_h_INCLUDED
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_log_targets_h_INCLUDED
{
char* time_string;
time_t t = time(NULL);
- if(t < 0)
+ if(t < 0)
time_string = "<time read error>";
else {
time_string = ctime(&t);
{
if(!self || (conf && conf[0] == 0))
return -1;
-
+
self->param_ = malloc(sizeof(log_target_syslog_param_t));
if(!self->param_)
return -2;
if(!len) {
free(self->param_);
return -1;
- }
+ }
logname = malloc(len+1);
if(logname) {
strncpy(logname, conf, len);
((log_target_syslog_param_t*)(self->param_))->facility_ = DAEMON;
return 0;
}
-
+
if(end[1] == 0 || end[1] == ',') {
free(logname);
free(self->param_);
return -1;
}
-
+
const char* start = end + 1;
end = strchr(start, ',');
int i;
if(!self || !self->param_ || !self->opened_)
return;
- syslog((prio + 2) | ((log_target_syslog_param_t*)(self->param_))->facility_, "%s", msg);
+ syslog((prio + 2) | ((log_target_syslog_param_t*)(self->param_))->facility_, "%s", msg);
}
void log_target_syslog_close(log_target_t* self)
{
if(!self || (conf && conf[0] == 0))
return -1;
-
+
self->param_ = malloc(sizeof(log_target_file_param_t));
if(!self->param_)
return -2;
if(!len) {
free(self->param_);
return -1;
- }
+ }
logfilename = malloc(len+1);
if(logfilename) {
strncpy(logfilename, conf, len);
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include "datatypes.h"
if(hex_len%2)
return 1;
- if(buffer->buf_)
+ if(buffer->buf_)
free(buffer->buf_);
-
+
buffer->length_ = hex_len/2;
buffer->buf_ = malloc(buffer->length_);
if(!buffer->buf_) {
free(str);
return 1;
}
-
+
ifcfg->prefix_length_ = atoi(ptr);
ifcfg->net_addr_ = strdup(str);
free(str);
return 1;
}
-
int options_parse(options_t* opt, int argc, char* argv[])
{
if(!opt)
argc--;
+#ifndef NO_CRYPT
char* role = NULL;
+#endif
int i, ipv4_only = 0, ipv6_only = 0;
for(i=1; argc > 0; ++i)
{
PARSE_STRING_PARAM("-a","--auth-algo", opt->auth_algo_)
PARSE_INT_PARAM("-b","--auth-tag-length", opt->auth_tag_length_)
#endif
- else
+ else
return i;
}
if(ipv4_only && ipv6_only)
return;
#ifndef NO_CRYPT
- if(!strcmp(opt->cipher_, "null") && !strcmp(opt->auth_algo_, "null") &&
+ if(!strcmp(opt->cipher_, "null") && !strcmp(opt->auth_algo_, "null") &&
strcmp(opt->kd_prf_, "null")) {
if(opt->kd_prf_)
free(opt->kd_prf_);
opt->kd_prf_ = strdup("null");
}
- if((strcmp(opt->cipher_, "null") || strcmp(opt->auth_algo_, "null")) &&
+ if((strcmp(opt->cipher_, "null") || strcmp(opt->auth_algo_, "null")) &&
!strcmp(opt->kd_prf_, "null")) {
log_printf(WARNING, "using NULL key derivation with encryption and or authentication enabled!");
}
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_options_h_INCLUDED
void options_default(options_t* opt);
void options_clear(options_t* opt);
void options_print_usage();
+void options_print_version();
void options_print(options_t* opt);
#endif
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include "datatypes.h"
{
if(!packet)
return;
-
+
if(len > PLAIN_PACKET_SIZE_MAX)
len = PLAIN_PACKET_SIZE_MAX - sizeof(payload_type_t);
else if(len < sizeof(payload_type_t))
else
len -= sizeof(payload_type_t);
- packet->payload_length_ = len;
+ packet->payload_length_ = len;
}
u_int8_t* plain_packet_get_payload(plain_packet_t* packet)
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_plain_packet_h_INCLUDED
#define PAYLOAD_TYPE_TAP 0x6558
#define PAYLOAD_TYPE_TUN 0x0000
#define PAYLOAD_TYPE_TUN4 0x0800
-#define PAYLOAD_TYPE_TUN6 0x86DD
+#define PAYLOAD_TYPE_TUN6 0x86DD
#define PAYLOAD_TYPE_UNKNOWN 0xFFFF
struct plain_packet_struct {
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include "datatypes.h"
free(to_free);
}
+
+ win->first_ = NULL;
}
-seq_win_element_t* seq_win_new_element(sender_id_t sender_id, seq_nr_t max, window_size_t size)
+static seq_win_element_t* seq_win_new_element(sender_id_t sender_id, seq_nr_t max, window_size_t size)
{
if(!size)
return NULL;
e->sender_id_ = sender_id;
e->max_ = max;
e->pos_ = 0;
- e->window_ = malloc(sizeof(seq_nr_t)*size);
+ e->window_ = malloc(sizeof((*e->window_))*size);
if(!e->window_) {
free(e);
return NULL;
ptr->max_ -= SEQ_NR_MAX/2;
else if(shifted == 2)
ptr->max_ += SEQ_NR_MAX/2;
-
+
return 0;
}
-
+
seq_nr_t diff = ptr->max_ - seq_nr;
- window_size_t pos = diff > ptr->pos_ ? ptr->pos_ + win->size_ : ptr->pos_;
+ window_size_t pos = diff > ptr->pos_ ? ptr->pos_ + win->size_ : ptr->pos_;
pos -= diff;
if(shifted == 1)
return ret;
}
ptr = ptr->next_;
- }
+ }
if(!win->first_) {
win->first_ = seq_win_new_element(sender_id, seq_nr, win->size_);
if(!win->first_)
if(!ptr->next_)
return -2;
}
-
+
return 0;
}
printf("O");
else
printf(".");
-
+
if(i)
i--;
else
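Review bot: The new allocation `e->window_ = malloc(sizeof((*e->window_))*size);` in seq_win_new_element could be `e->window_ = calloc(size, sizeof(*e->window_));`, which keeps the size arithmetic tied to the element type while also checking the multiplication for overflow and returning a zeroed window. Whether the zeroing is needed depends on how the window is initialised right after this, which is outside the hunk; if it is filled in a loop anyway, the calloc form is still the idiomatic array allocation. Making seq_win_new_element static and clearing win->first_ after the free loop are both good changes.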
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_seq_window_h_INCLUDED
int seq_win_init(seq_win_t* win, window_size_t size);
void seq_win_clear(seq_win_t* win);
-seq_win_element_t* seq_win_new_element(sender_id_t sender_id, seq_nr_t max, window_size_t size);
int seq_win_check_and_add(seq_win_t* win, sender_id_t sender_id, seq_nr_t seq_nr);
void seq_win_print(seq_win_t* win);
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include "datatypes.h"
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
-
+#include <string.h>
static int sig_pipe_fds[2];
}
}
- struct sigaction act;
+ struct sigaction act, ign;
act.sa_handler = sig_handler;
sigfillset(&act.sa_mask);
act.sa_flags = 0;
+ ign.sa_handler = SIG_IGN;
+ sigfillset(&ign.sa_mask);
+ ign.sa_flags = 0;
if((sigaction(SIGINT, &act, NULL) < 0) ||
(sigaction(SIGQUIT, &act, NULL) < 0) ||
(sigaction(SIGTERM, &act, NULL) < 0) ||
(sigaction(SIGHUP, &act, NULL) < 0) ||
(sigaction(SIGUSR1, &act, NULL) < 0) ||
- (sigaction(SIGUSR2, &act, NULL) < 0)) {
+ (sigaction(SIGUSR2, &act, NULL) < 0) ||
+ (sigaction(SIGCHLD, &ign, NULL) < 0) ||
+ (sigaction(SIGPIPE, &ign, NULL) < 0)) {
log_printf(ERROR, "signal handling init failed (sigaction error: %s)", strerror(errno));
close(sig_pipe_fds[0]);
case SIGINT: log_printf(NOTICE, "SIG-Int caught, exitting"); return_value = 1; break;
case SIGQUIT: log_printf(NOTICE, "SIG-Quit caught, exitting"); return_value = 1; break;
case SIGTERM: log_printf(NOTICE, "SIG-Term caught, exitting"); return_value = 1; break;
- case SIGHUP: log_printf(NOTICE, "SIG-Hup caught"); break;
+ case SIGHUP: log_printf(NOTICE, "SIG-Hup caught"); return_value = 2; break;
case SIGUSR1: log_printf(NOTICE, "SIG-Usr1 caught"); break;
case SIGUSR2: log_printf(NOTICE, "SIG-Usr2 caught"); break;
default: log_printf(WARNING, "unknown signal %d caught, ignoring", sig); break;
sigaction(SIGHUP, &act, NULL);
sigaction(SIGUSR1, &act, NULL);
sigaction(SIGUSR2, &act, NULL);
+ sigaction(SIGPIPE, &act, NULL);
+ sigaction(SIGCHLD, &act, NULL);
close(sig_pipe_fds[0]);
close(sig_pipe_fds[1]);
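Review bot: Installing SIG_IGN for SIGCHLD (`sigaction(SIGCHLD, &ign, NULL)`) changes how child exit status is collected: with SIGCHLD ignored, POSIX lets the kernel auto-reap terminated children and wait()/waitpid() then fails with ECHILD, so if uanytun_exec() collects the script with waitpid() (its wait call is outside this view) the `status` it later inspects with WIFEXITED/WIFSIGNALED would be left unset and the "unknown error" branch taken. If the goal is only to avoid zombies, keeping SIGCHLD at SIG_DFL, or installing a no-op handler instead of SIG_IGN, keeps waitpid() working; ignoring SIGPIPE is fine as is. Separately, `act` and `ign` are only partially filled in, so `memset(&act, 0, sizeof(act)); memset(&ign, 0, sizeof(ign));` before setting the three fields avoids handing indeterminate values for any extra members of the platform's struct sigaction to the kernel. The enclosing signal_init() starts before this hunk.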
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_sig_handler_h_INCLUDED
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include <string.h>
{
if(!list)
return;
-
+
list->first_ = NULL;
}
{
if(!list)
return;
-
+
string_list_element_t* tmp = list->first_;
while(tmp) {
printf("%s%s%s", head, tmp->string_, tail);
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_string_list_h_INCLUDED
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include "datatypes.h"
+#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/select.h>
#include <stdlib.h>
+#include <stdio.h>
#include <string.h>
#include "sysexec.h"
log_printf(WARNING, "can't open stderr");
}
execve(script, argv, evp);
- // if execve returns, an error occurred, but logging doesn't work
+ // if execve returns, an error occurred, but logging doesn't work
// because we closed all file descriptors, so just write errno to
// pipe and call exit
- write(pipefd[1], (void*)(&errno), sizeof(errno));
+ int ret = write(pipefd[1], (void*)(&errno), sizeof(errno));
+ if(ret == -1) exit(-1);
exit(-1);
}
close(pipefd[1]);
}
}
if(WIFEXITED(status))
- log_printf(NOTICE, "script '%s' returned %d", script, WEXITSTATUS(status));
+ log_printf(NOTICE, "script '%s' returned %d", script, WEXITSTATUS(status));
else if(WIFSIGNALED(status))
log_printf(NOTICE, "script '%s' terminated after signal %d", script, WTERMSIG(status));
else
- log_printf(ERROR, "executing script '%s': unkown error", script);
+ log_printf(ERROR, "executing script '%s': unknown error", script);
close(pipefd[0]);
return status;
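Review bot: The new `if(ret == -1) exit(-1);` after the write() is dead code — the next statement is the same `exit(-1)`, so both paths do exactly the same thing and the check exists only to silence the unused-result warning. Either make that explicit with `(void)write(pipefd[1], (void*)(&errno), sizeof(errno));` or give the write failure a distinguishable exit code. Also, after a failed execve the child should leave with `_exit(-1)` rather than `exit(-1)`: exit() runs the parent's atexit handlers and stdio flush logic in the forked child, which is rarely what is intended. uanytun_exec() begins outside this hunk.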
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_sysexec_h_INCLUDED
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_tun_h_INCLUDED
int tun_init_post(tun_device_t* dev);
void tun_do_ifconfig(tun_device_t* dev);
void tun_close(tun_device_t* dev);
-
+
int tun_read(tun_device_t* dev, u_int8_t* buf, u_int32_t len);
int tun_write(tun_device_t* dev, u_int8_t* buf, u_int32_t len);
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_tun_helper_h_INCLUDED
{
if(!dev || dev->fd_ < 0)
return "";
-
+
switch(dev->type_)
{
case TYPE_UNDEF: return "undef"; break;
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#include "datatypes.h"
log_printf(ERROR, "could not initialize cipher of type %s", opt->cipher_);
return ret;
}
-
+
#ifndef NO_CRYPT
ret = auth_algo_init(aa, opt->auth_algo_);
if(ret) {
}
int process_tun_data(tun_device_t* dev, udp_t* sock, options_t* opt, plain_packet_t* plain_packet, encrypted_packet_t* encrypted_packet,
- cipher_t* c, auth_algo_t* aa, key_derivation_t* kd, seq_nr_t seq_nr)
+ cipher_t* c, auth_algo_t* aa, key_derivation_t* kd, seq_nr_t* seq_nr)
{
plain_packet_set_payload_length(plain_packet, -1);
encrypted_packet_set_length(encrypted_packet, -1);
log_printf(ERROR, "error on reading from device: %s", strerror(errno));
return 0;
}
-
+
plain_packet_set_payload_length(plain_packet, len);
-
+
if(dev->type_ == TYPE_TUN)
plain_packet_set_type(plain_packet, PAYLOAD_TYPE_TUN);
else if(dev->type_ == TYPE_TAP)
- plain_packet_set_type(plain_packet, PAYLOAD_TYPE_TAP);
+ plain_packet_set_type(plain_packet, PAYLOAD_TYPE_TAP);
else
plain_packet_set_type(plain_packet, PAYLOAD_TYPE_UNKNOWN);
- if(!sock->remote_end_set_)
+ if(!udp_has_remote(sock))
return 0;
-
- cipher_encrypt(c, kd, kd_outbound, plain_packet, encrypted_packet, seq_nr, opt->sender_id_, opt->mux_);
-
+
+ cipher_encrypt(c, kd, kd_outbound, plain_packet, encrypted_packet, *seq_nr, opt->sender_id_, opt->mux_);
+ (*seq_nr)++;
#ifndef NO_CRYPT
auth_algo_generate(aa, kd, kd_outbound, encrypted_packet);
#endif
-
+
len = udp_write(sock, encrypted_packet_get_packet(encrypted_packet), encrypted_packet_get_length(encrypted_packet));
if(len == -1)
log_printf(ERROR, "error on sending udp packet: %s", strerror(errno));
encrypted_packet_set_length(encrypted_packet, -1);
udp_endpoint_t remote;
- memset(&remote, 0, sizeof(udp_endpoint_t));
+ memset(&(remote.addr_), 0, sizeof(remote.addr_));
+ remote.len_ = sizeof(remote.addr_);
int len = udp_read(sock, fd, encrypted_packet_get_packet(encrypted_packet), encrypted_packet_get_length(encrypted_packet), &remote);
if(len == -1) {
log_printf(ERROR, "error on receiving udp packet: %s", strerror(errno));
return 0;
- }
- else if(len < encrypted_packet_get_minimum_length(encrypted_packet)) {
+ } else if(len < encrypted_packet_get_minimum_length(encrypted_packet)) {
log_printf(WARNING, "received packet is too short");
return 0;
}
encrypted_packet_set_length(encrypted_packet, len);
+ if(encrypted_packet_get_mux(encrypted_packet) != opt->mux_) {
+ log_printf(WARNING, "wrong mux value, discarding packet");
+ return 0;
+ }
+
#ifndef NO_CRYPT
if(!auth_algo_check_tag(aa, kd, kd_inbound, encrypted_packet)) {
log_printf(WARNING, "wrong authentication tag, discarding packet");
return 0;
}
#endif
-
- if(encrypted_packet_get_mux(encrypted_packet) != opt->mux_) {
- log_printf(WARNING, "wrong mux value, discarding packet");
- return 0;
- }
-
+
int result = seq_win_check_and_add(seq_win, encrypted_packet_get_sender_id(encrypted_packet), encrypted_packet_get_seq_nr(encrypted_packet));
if(result > 0) {
log_printf(WARNING, "detected replay attack, discarding packet");
return 0;
- }
- else if(result < 0) {
+ } else if(result < 0) {
log_printf(ERROR, "memory error at sequence window");
return -2;
}
-
- udp_set_active_sock(sock, fd);
- if(memcmp(&remote, &(sock->remote_end_), sizeof(remote))) {
- memcpy(&(sock->remote_end_), &remote, sizeof(remote));
- sock->remote_end_set_ = 1;
- char* addrstring = udp_endpoint_to_string(remote);
- log_printf(NOTICE, "autodetected remote host changed %s", addrstring);
- free(addrstring);
- }
+
+ udp_update_remote(sock, fd, &remote);
if(encrypted_packet_get_payload_length(encrypted_packet) <= plain_packet_get_header_length()) {
log_printf(WARNING, "ignoring packet with zero length payload");
return 0;
}
- int ret = cipher_decrypt(c, kd, kd_inbound, encrypted_packet, plain_packet);
- if(ret)
+ int ret = cipher_decrypt(c, kd, kd_inbound, encrypted_packet, plain_packet);
+ if(ret)
return ret;
-
+
len = tun_write(dev, plain_packet_get_payload(plain_packet), plain_packet_get_payload_length(plain_packet));
if(len == -1)
log_printf(ERROR, "error on writing to device: %s", strerror(errno));
-
+
return 0;
}
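Review bot: Moving the mux comparison ahead of auth_algo_check_tag() means a packet is now rejected on `encrypted_packet_get_mux(encrypted_packet) != opt->mux_` before its authentication tag has been verified, so any sender that can reach the UDP port can trigger the `"wrong mux value, discarding packet"` line for every packet it sends. The early reject itself is reasonable (it saves a MAC computation), but together with `"received packet is too short"` there are now two pre-authentication rejections logged at WARNING; consider a lower level or rate limiting for both so unauthenticated traffic cannot flood the log, and a short comment above the mux check stating that it deliberately runs before the tag check. The ordering of the remaining checks is sound: udp_update_remote() only runs after the tag and sequence-window checks passed, so the remote endpoint cannot be switched by an unauthenticated or replayed packet. process_sock_data() starts before this hunk.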
FD_ZERO(&readfds);
FD_SET(dev->fd_, &readfds);
- int nfds = udp_init_fd_set(sock, &readfds);
+ int nfds = udp_fill_fd_set(sock, &readfds);
nfds = dev->fd_ > nfds ? dev->fd_ : nfds;
int return_value = 0;
int sig_fd = signal_init();
if(sig_fd < 0)
- return_value -1;
+ return_value = -1;
FD_SET(sig_fd, &readfds);
nfds = (nfds < sig_fd) ? sig_fd : nfds;
continue;
if(FD_ISSET(sig_fd, &readyfds)) {
- if(signal_handle()) {
- return_value = 1;
+ return_value = signal_handle();
+ if(return_value == 1)
break;
+ else if(return_value == 2) {
+ seq_win_clear(&seq_win);
+ seq_nr = 0;
+ log_printf(NOTICE, "sequence window cleared");
+ return_value = 0;
}
+ else
+ return_value = 0;
}
if(FD_ISSET(dev->fd_, &readyfds)) {
- return_value = process_tun_data(dev, sock, opt, &plain_packet, &encrypted_packet, &c, &aa, &kd, seq_nr);
- seq_nr++;
+ return_value = process_tun_data(dev, sock, opt, &plain_packet, &encrypted_packet, &c, &aa, &kd, &seq_nr);
if(return_value)
break;
}
udp_socket_t* s = sock->socks_;
while(s) {
if(FD_ISSET(s->fd_, &readyfds)) {
- return_value = process_sock_data(dev, s->fd_, sock, opt, &plain_packet, &encrypted_packet, &c, &aa, &kd, &seq_win);
+ return_value = process_sock_data(dev, s->fd_, sock, opt, &plain_packet, &encrypted_packet, &c, &aa, &kd, &seq_win);
if(return_value)
break;
}
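Review bot: Fixing `return_value -1;` to `return_value = -1;` exposes the real problem: when signal_init() fails the code still falls through to `FD_SET(sig_fd, &readfds);` with a negative descriptor, which is undefined behaviour, and then enters the select loop; the guard should leave the function instead, e.g. `if(sig_fd < 0) return -1;` (the enclosing function starts before this hunk, so check whether it needs cleanup before returning). In the new SIGHUP branch `seq_nr = 0;` restarts the outbound sequence counter while the keys derived through kd stay the same — if cipher_encrypt() derives its IV/nonce from seq_nr, as SRTP-style counter mode does, this reuses nonces under an unchanged key, and `seq_win_clear(&seq_win)` at the same time forgets every sequence number seen from the peer, so packets received earlier fall inside the fresh window again. Unless SIGHUP also triggers a re-key (nothing here suggests it does), keeping seq_nr monotonic and only clearing the window is safer, and the intended semantics deserve a comment above the branch either way.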
options_print_version();
}
- if(ret != -2 && ret != -5)
+ if(ret != -2 && ret != -5)
options_print_usage();
if(ret == -1 || ret == -5)
case -4: fprintf(stderr, "this log target is only allowed once: '%s', exitting\n", tmp->string_); break;
default: fprintf(stderr, "syntax error near: '%s', exitting\n", tmp->string_); break;
}
-
+
options_clear(&opt);
log_close();
exit(ret);
log_printf(NOTICE, "executing post-up script '%s'", opt.post_up_script_);
char* const argv[] = { opt.post_up_script_, dev.actual_name_, NULL };
char* const evp[] = { NULL };
- int ret = uanytun_exec(opt.post_up_script_, argv, evp);
+ uanytun_exec(opt.post_up_script_, argv, evp);
}
exit(ret);
}
- if(opt.remote_addr_) {
- if(!udp_set_remote(&sock, opt.remote_addr_, opt.remote_port_, opt.resolv_addr_type_)) {
- char* remote_string = udp_get_remote_end_string(&sock);
- if(remote_string) {
- log_printf(NOTICE, "set remote end to: %s", remote_string);
- free(remote_string);
- }
- }
- }
+ if(opt.remote_addr_)
+ udp_resolv_remote(&sock, opt.remote_addr_, opt.remote_port_, opt.resolv_addr_type_);
FILE* pid_file = NULL;
options_clear(&opt);
log_close();
exit(-1);
- }
+ }
if(opt.daemonize_) {
pid_t oldpid = getpid();
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
+#define _GNU_SOURCE
+#include <stdio.h>
+
#include "datatypes.h"
#include "udp.h"
#include <arpa/inet.h>
#include <netinet/in.h>
-int udp_init(udp_t* sock, const char* local_addr, const char* port, resolv_addr_type_t resolv_type)
+static int udp_resolv_local(udp_t* sock, const char* local_addr, const char* port, resolv_addr_type_t resolv_type, unsigned int* idx)
{
- if(!sock || !port)
- return -1;
-
- sock->socks_ = NULL;
- sock->active_sock_ = NULL;
- memset(&(sock->remote_end_), 0, sizeof(sock->remote_end_));
- sock->remote_end_set_ = 0;
-
struct addrinfo hints, *res;
res = NULL;
}
struct addrinfo* r = res;
- udp_socket_t* prev_sock = NULL;
+ udp_socket_t* prev_sock = sock->socks_;
+ while(prev_sock && prev_sock->next_) prev_sock = prev_sock->next_;
while(r) {
udp_socket_t* new_sock = malloc(sizeof(udp_socket_t));
if(!new_sock) {
udp_close(sock);
return -2;
}
- memset(&(new_sock->local_end_), 0, sizeof(new_sock->local_end_));
+ memset(&(new_sock->local_end_.addr_), 0, sizeof(new_sock->local_end_.addr_));
+ new_sock->local_end_.len_ = sizeof(new_sock->local_end_.addr_);
+ memset(&(new_sock->remote_end_.addr_), 0, sizeof(new_sock->remote_end_.addr_));
+ new_sock->remote_end_.len_ = sizeof(new_sock->remote_end_.addr_);
+ new_sock->remote_end_set_ = 0;
new_sock->next_ = NULL;
+ new_sock->idx_ = (*idx)++;
if(!sock->socks_) {
sock->socks_ = new_sock;
prev_sock->next_ = new_sock;
prev_sock = new_sock;
}
-
- memcpy(&(new_sock->local_end_), r->ai_addr, r->ai_addrlen);
- new_sock->fd_ = socket(r->ai_family, SOCK_DGRAM, 0);
+
+ memcpy(&(new_sock->local_end_.addr_), r->ai_addr, r->ai_addrlen);
+ new_sock->local_end_.len_ = r->ai_addrlen;
+ new_sock->fd_ = socket(new_sock->local_end_.addr_.ss_family, SOCK_DGRAM, 0);
if(new_sock->fd_ < 0) {
log_printf(ERROR, "Error on opening udp socket: %s", strerror(errno));
freeaddrinfo(res);
log_printf(ERROR, "Error on setting IPV6_V6ONLY socket option: %s", strerror(errno));
}
- errcode = bind(new_sock->fd_, r->ai_addr, r->ai_addrlen);
+ errcode = bind(new_sock->fd_, (struct sockaddr*)&(new_sock->local_end_.addr_), new_sock->local_end_.len_);
if(errcode) {
log_printf(ERROR, "Error on binding udp socket: %s", strerror(errno));
freeaddrinfo(res);
udp_close(sock);
return -1;
}
-
- char* local_string = udp_endpoint_to_string(new_sock->local_end_);
+
+ char* local_string = udp_endpoint_to_string(&(new_sock->local_end_));
if(local_string) {
- log_printf(NOTICE, "listening on: %s", local_string);
+ log_printf(NOTICE, "socket[%d] listening on: %s", new_sock->idx_, local_string);
free(local_string);
}
}
freeaddrinfo(res);
+ return 0;
+}
+
+int udp_init(udp_t* sock, const char* local_addr, const char* port, resolv_addr_type_t resolv_type)
+{
+ if(!sock || !port)
+ return -1;
+
+ sock->socks_ = NULL;
+ sock->active_sock_ = NULL;
+
+ unsigned int idx = 0;
+ int ret = udp_resolv_local(sock, local_addr, port, resolv_type, &idx);
+ if(ret)
+ return ret;
return 0;
}
-int udp_init_fd_set(udp_t* sock, fd_set* set)
+int udp_fill_fd_set(udp_t* sock, fd_set* set)
{
int max_fd = 0;
return max_fd;
}
-int udp_set_remote(udp_t* sock, const char* remote_addr, const char* port, resolv_addr_type_t resolv_type)
+int udp_has_remote(udp_t* sock)
{
- if(!sock || !remote_addr || !port)
- return -1;
+ if(!sock->active_sock_ || !sock->active_sock_->remote_end_set_)
+ return 0;
+ udp_socket_t* s = sock->socks_;
+ while(s) {
+ if(s->remote_end_set_)
+ return 1;
+ s = s->next_;
+ }
+
+ return 0;
+}
+
+int udp_resolv_remote(udp_t* sock, const char* remote_addr, const char* port, resolv_addr_type_t resolv_type)
+{
struct addrinfo hints, *res;
+ if(!sock || !remote_addr || !port)
+ return -1;
+
res = NULL;
memset (&hints, 0, sizeof (hints));
hints.ai_socktype = SOCK_DGRAM;
log_printf(ERROR, "getaddrinfo returned no address for %s:%s", remote_addr, port);
return -1;
}
- memcpy(&(sock->remote_end_), res->ai_addr, res->ai_addrlen);
- sock->remote_end_set_ = 1;
- if(!sock->active_sock_) {
+ int found = 0;
+ struct addrinfo* r = res;
+ while(r) {
udp_socket_t* s = sock->socks_;
while(s) {
- if((((struct sockaddr *)&s->local_end_)->sa_family) == res->ai_family) {
+ if(s->local_end_.addr_.ss_family == r->ai_family && !(s->remote_end_set_)) {
sock->active_sock_ = s;
break;
}
s = s->next_;
}
- }
+ if(s) {
+ memcpy(&(s->remote_end_.addr_), r->ai_addr, r->ai_addrlen);
+ s->remote_end_.len_ = r->ai_addrlen;
+ s->remote_end_set_ = 1;
+ found = 1;
+ char* remote_string = udp_endpoint_to_string(&(s->remote_end_));
+ if(remote_string) {
+ log_printf(NOTICE, "socket[%d] set remote end to: %s", s->idx_, remote_string);
+ free(remote_string);
+ }
+ break;
+ }
+
+ r = r->ai_next;
+ }
freeaddrinfo(res);
+ if(!found)
+ log_printf(WARNING, "no remote address for '%s' found that fits any of the local address families", remote_addr);
+
return 0;
}
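Review bot: In udp_has_remote() the loop over sock->socks_ can never change the result: the guard above it already returns 0 unless sock->active_sock_ has a remote set, and in that case the loop reaches active_sock_ itself and returns 1, so the function reduces to `return sock->active_sock_ && sock->active_sock_->remote_end_set_;`. Either drop the loop, or drop the guard if the intent really is "any socket has a remote" — as written the two disagree and the reader cannot tell which is meant. Unlike udp_write() the function also dereferences sock without a NULL check; `if(!sock) return 0;` as the first line would match the rest of the file.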
-void udp_set_active_sock(udp_t* sock, int fd)
+void udp_update_remote(udp_t* sock, int fd, udp_endpoint_t* remote)
{
- if(!sock || (sock->active_sock_ && sock->active_sock_->fd_ == fd))
+ if(!sock)
return;
- udp_socket_t* s = sock->socks_;
- while(s) {
- if(s->fd_ == fd) {
- sock->active_sock_ = s;
- return;
+ if(!(sock->active_sock_) || sock->active_sock_->fd_ != fd) {
+ udp_socket_t* s = sock->socks_;
+ while(s) {
+ if(s->fd_ == fd) {
+ sock->active_sock_ = s;
+ break;
+ }
+ s = s->next_;
+ }
+ }
+
+ if(!remote)
+ return;
+
+ if(sock->active_sock_) {
+ if(remote->len_ != sock->active_sock_->remote_end_.len_ ||
+ memcmp(&(remote->addr_), &(sock->active_sock_->remote_end_.addr_), remote->len_)) {
+ memcpy(&(sock->active_sock_->remote_end_.addr_), &(remote->addr_), remote->len_);
+ sock->active_sock_->remote_end_.len_ = remote->len_;
+ sock->active_sock_->remote_end_set_ = 1;
+ char* addrstring = udp_endpoint_to_string(remote);
+ log_printf(NOTICE, "socket[%d] autodetected remote host changed %s", sock->active_sock_->idx_, addrstring);
+ free(addrstring);
}
- s = s->next_;
}
}
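Review bot: udp_update_remote() trusts `remote->len_` for both the memcmp() and the memcpy() into `remote_end_.addr_`; when `remote` was filled by recvfrom() in udp_read() the reported length is the actual source address size and is not guaranteed to be capped at the buffer size, so a defensive `if(remote->len_ > sizeof(remote->addr_)) return;` before the comparison keeps the copy inside the sockaddr_storage. The log call also passes `addrstring` straight to `%s` although udp_endpoint_to_string() can return NULL (it does so on getnameinfo()/asprintf() failure and for AF_UNSPEC); `addrstring ? addrstring : "<unknown>"` avoids the NULL format argument, as the `if(local_string)` / `if(remote_string)` checks elsewhere in this file already do. When `fd` matches no socket in the list the previous active_sock_ is kept and receives the new remote endpoint — a comment stating whether that is intended would help the next reader.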
while(sock->socks_) {
if(sock->socks_->fd_ > 0)
close(sock->socks_->fd_);
-
+
udp_socket_t*s = sock->socks_;
sock->socks_ = sock->socks_->next_;
-
+
free(s);
}
sock->socks_ = NULL;
+ sock->active_sock_ = NULL;
}
-char* udp_endpoint_to_string(udp_endpoint_t e)
+char* udp_endpoint_to_string(udp_endpoint_t* e)
{
- void* ptr;
- u_int16_t port;
- size_t addrstr_len = 0;
- char* addrstr, *ret;
+ if(!e)
+ return strdup("<null>");
+
+ char addrstr[INET6_ADDRSTRLEN + 1], portstr[6], *ret;
char addrport_sep = ':';
- switch (((struct sockaddr *)&e)->sa_family)
+ switch(e->addr_.ss_family)
{
- case AF_INET:
- ptr = &((struct sockaddr_in *)&e)->sin_addr;
- port = ntohs(((struct sockaddr_in *)&e)->sin_port);
- addrstr_len = INET_ADDRSTRLEN + 1;
- addrport_sep = ':';
- break;
- case AF_INET6:
- ptr = &((struct sockaddr_in6 *)&e)->sin6_addr;
- port = ntohs(((struct sockaddr_in6 *)&e)->sin6_port);
- addrstr_len = INET6_ADDRSTRLEN + 1;
- addrport_sep = '.';
- break;
- default:
- asprintf(&ret, "unknown address type");
- return ;
+ case AF_INET: addrport_sep = ':'; break;
+ case AF_INET6: addrport_sep = '.'; break;
+ case AF_UNSPEC: return NULL;
+ default: return strdup("<unknown address type>");
}
- addrstr = malloc(addrstr_len);
- if(!addrstr)
- return NULL;
- inet_ntop (((struct sockaddr *)&e)->sa_family, ptr, addrstr, addrstr_len);
- asprintf(&ret, "%s%c%d", addrstr, addrport_sep ,port);
- free(addrstr);
+
+ int errcode = getnameinfo((struct sockaddr *)&(e->addr_), e->len_, addrstr, sizeof(addrstr), portstr, sizeof(portstr), NI_NUMERICHOST | NI_NUMERICSERV);
+ if (errcode != 0) return NULL;
+ int len = asprintf(&ret, "%s%c%s", addrstr, addrport_sep ,portstr);
+ if(len == -1) return NULL;
return ret;
}
-char* udp_get_remote_end_string(udp_t* sock)
-{
- if(!sock || !sock->remote_end_set_)
- return NULL;
- return udp_endpoint_to_string(sock->remote_end_);
-}
-
int udp_read(udp_t* sock, int fd, u_int8_t* buf, u_int32_t len, udp_endpoint_t* remote_end)
{
- if(!sock || !remote_end)
+ if(!sock || !buf || !remote_end)
return -1;
- socklen_t socklen = sizeof(*remote_end);
- return recvfrom(fd, buf, len, 0, (struct sockaddr *)remote_end, &socklen);
+ return recvfrom(fd, buf, len, 0, (struct sockaddr *)&(remote_end->addr_), &(remote_end->len_));
}
+
int udp_write(udp_t* sock, u_int8_t* buf, u_int32_t len)
{
- if(!sock || !sock->remote_end_set_ || !sock->active_sock_)
+ if(!sock || !buf || !sock->active_sock_ || !sock->active_sock_->remote_end_set_)
return 0;
- socklen_t socklen = sizeof(sock->remote_end_);
- if((((struct sockaddr *)&sock->active_sock_->local_end_)->sa_family) == AF_INET)
- socklen = sizeof(struct sockaddr_in);
- else if ((((struct sockaddr *)&sock->active_sock_->local_end_)->sa_family) == AF_INET6)
- socklen = sizeof(struct sockaddr_in6);
-
- return sendto(sock->active_sock_->fd_, buf, len, 0, (struct sockaddr *)&(sock->remote_end_), socklen);
+ return sendto(sock->active_sock_->fd_, buf, len, 0, (struct sockaddr *)&(sock->active_sock_->remote_end_.addr_), sock->active_sock_->remote_end_.len_);
}
-
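Review bot: The new udp_read passes `&(remote_end->len_)` to recvfrom() as the in/out address length without initialising it, so the address-buffer size recvfrom() sees is whatever the caller left in the struct, whereas the removed code always started from `sizeof(*remote_end)`. If a caller reuses one udp_endpoint_t across reads (the callers are outside this hunk, so this is inferred), a previous IPv4 answer leaves len_ at 16 and a later IPv6 source address is truncated while len_ is reported as 28, which udp_update_remote then memcpy()s into remote_end_. Set it inside the function: `remote_end->len_ = sizeof(remote_end->addr_);` immediately before the `recvfrom` call. Related contract change in this hunk: udp_endpoint_to_string now returns NULL for AF_UNSPEC, a getnameinfo() error or a failed asprintf(), yet the udp_update_remote log call earlier in this diff hands its result straight to a `%s` without the NULL check that udp_resolv_remote performs; either every caller guards the result or the function should return a fixed string instead of NULL.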
* tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
* mode and allows tunneling of every ETHER TYPE protocol (e.g.
* ethernet, ip, arp ...). satp directly includes cryptography and
- * message authentication based on the methodes used by SRTP. It is
+ * message authentication based on the methods used by SRTP. It is
* intended to deliver a generic, scaleable and secure solution for
* tunneling and relaying of packets of any protocol.
- *
*
- * Copyright (C) 2007-2010 Christian Pointner <equinox@anytun.org>
+ *
+ * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
*
* This file is part of uAnytun.
*
*
* You should have received a copy of the GNU General Public License
* along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
*/
#ifndef UANYTUN_udp_h_INCLUDED
#include <sys/types.h>
#include <sys/socket.h>
-typedef struct sockaddr_storage udp_endpoint_t;
+typedef struct {
+ socklen_t len_;
+ struct sockaddr_storage addr_;
+} udp_endpoint_t;
struct udp_socket_struct {
int fd_;
+ unsigned int idx_;
udp_endpoint_t local_end_;
+ udp_endpoint_t remote_end_;
+ int remote_end_set_;
struct udp_socket_struct* next_;
};
typedef struct udp_socket_struct udp_socket_t;
struct udp_struct {
udp_socket_t* socks_;
udp_socket_t* active_sock_;
- udp_endpoint_t remote_end_;
- int remote_end_set_;
};
typedef struct udp_struct udp_t;
int udp_init(udp_t* sock, const char* local_addr, const char* port, resolv_addr_type_t resolv_type);
-int udp_init_fd_set(udp_t* sock, fd_set* set);
-int udp_set_remote(udp_t* sock, const char* remote_addr, const char* port, resolv_addr_type_t resolv_type);
-void udp_set_active_sock(udp_t* sock, int fd);
+int udp_fill_fd_set(udp_t* sock, fd_set* set);
+int udp_has_remote(udp_t* sock);
+int udp_resolv_remote(udp_t* sock, const char* remote_addr, const char* port, resolv_addr_type_t resolv_type);
+void udp_update_remote(udp_t* sock, int fd, udp_endpoint_t* remote);
void udp_close(udp_t* sock);
-char* udp_endpoint_to_string(udp_endpoint_t e);
-char* udp_get_remote_end_string(udp_t* sock);
+char* udp_endpoint_to_string(udp_endpoint_t* e);
int udp_read(udp_t* sock, int fd, u_int8_t* buf, u_int32_t len, udp_endpoint_t* remote_end);
int udp_write(udp_t* sock, u_int8_t* buf, u_int32_t len);
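Review bot: The new udp_endpoint_t carries no comment on `len_`, which serves both as the input buffer size recvfrom() reads in udp_read and as the stored address length written by udp_read and udp_update_remote, so a reader of the header cannot tell it must be initialised to `sizeof(addr_)` before the struct is handed to udp_read(). Suggest `socklen_t len_; /* bytes of addr_ in use; set to sizeof(addr_) before passing to udp_read() */`. The udp_endpoint_to_string declaration also deserves a line, since the function now returns NULL in more cases than before: `/* heap-allocated string, caller frees; NULL for AF_UNSPEC or when formatting fails */`. Whether `#endif` follows this line is not visible here.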