4 * The secure anycast tunneling protocol (satp) defines a protocol used
5 * for communication between any combination of unicast and anycast
6 * tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
7 * mode and allows tunneling of every ETHER TYPE protocol (e.g.
8 * ethernet, ip, arp ...). satp directly includes cryptography and
9 * message authentication based on the methods used by SRTP. It is
10 * intended to deliver a generic, scaleable and secure solution for
11 * tunneling and relaying of packets of any protocol.
14 * Copyright (C) 2007-2014 Markus Grüneis, Othmar Gsenger, Erwin Nindl,
15 * Christian Pointner <satp@wirdorange.org>
17 * This file is part of Anytun.
19 * Anytun is free software: you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation, either version 3 of the License, or
24 * Anytun is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
29 * You should have received a copy of the GNU General Public License
30 * along with Anytun. If not, see <http://www.gnu.org/licenses/>.
32 * In addition, as a special exception, the copyright holders give
33 * permission to link the code of portions of this program with the
34 * OpenSSL library under certain conditions as described in each
35 * individual source file, and distribute linked combinations
37 * You must obey the GNU General Public License in all respects
38 * for all of the code used other than OpenSSL. If you modify
39 * file(s) with this exception, you may extend this exception to your
40 * version of the file(s), but you are not obligated to do so. If you
41 * do not wish to do so, delete this exception statement from your
42 * version. If you delete this exception statement from all source
43 * files in the program, then also delete it here.
46 #include <boost/bind.hpp>
47 #include <boost/thread.hpp>
48 #include <boost/assign.hpp>
52 #include "datatypes.h"
57 #include "plainPacket.h"
58 #include "encryptedPacket.h"
60 #include "keyDerivation.h"
62 #include "cipherFactory.h"
63 #include "authAlgoFactory.h"
64 #include "keyDerivationFactory.h"
65 #include "signalController.h"
66 #if !defined(_MSC_VER) && !defined(MINGW)
67 # include "daemonService.h"
70 # include "win32/winService.h"
72 # include "nullDaemon.h"
75 #include "packetSource.h"
76 #include "tunDevice.h"
78 #include "seqWindow.h"
79 #include "connectionList.h"
81 #include "routingTable.h"
82 #include "networkAddress.h"
86 #include "syncQueue.h"
87 #include "syncCommand.h"
88 #include "syncServer.h"
89 #include "syncClient.h"
90 #include "syncOnConnect.hpp"
93 #include "cryptinit.hpp"
96 bool disableRouting = false;
98 void createConnection(const PacketSourceEndpoint& remote_end, window_size_t seqSize, mux_t mux)
100 SeqWindow* seq = new SeqWindow(seqSize);
102 KeyDerivation* kd = KeyDerivationFactory::create(gOpt.getKdPrf());
103 kd->init(gOpt.getKey(), gOpt.getSalt(), gOpt.getPassphrase());
104 kd->setRole(gOpt.getRole());
105 cLog.msg(Log::PRIO_NOTICE) << "added connection remote host " << remote_end;
107 ConnectionParam connparam((*kd), (*seq), seq_nr_, remote_end);
108 gConnectionList.addConnection(connparam,mux);
109 #ifndef ANYTUN_NOSYNC
110 SyncCommand sc(gConnectionList,mux);
115 void createConnectionResolver(PacketSourceResolverIt& it, window_size_t seqSize, mux_t mux)
117 createConnection(*it, seqSize, mux);
120 void createConnectionError(const std::exception& e)
122 gSignalController.inject(SIGERROR, e.what());
125 #ifndef ANYTUN_NOSYNC
126 void syncConnector(const OptionHost& connto)
128 SyncClient sc(connto.addr, connto.port);
135 SyncServer server(gOpt.getLocalSyncAddr(), gOpt.getLocalSyncPort(), boost::bind(syncOnConnect, _1));
136 gSyncQueue.setSyncServerPtr(&server);
138 } catch(std::runtime_error& e) {
139 cLog.msg(Log::PRIO_ERROR) << "sync listener thread died due to an uncaught runtime_error: " << e.what();
140 } catch(std::exception& e) {
141 cLog.msg(Log::PRIO_ERROR) << "sync listener thread died due to an uncaught exception: " << e.what();
146 void sender(TunDevice* dev, PacketSource* src)
149 cLog.msg(Log::PRIO_ERROR) << "sender thread died because either dev or src pointer is null";
154 std::auto_ptr<Cipher> c(CipherFactory::create(gOpt.getCipher(), KD_OUTBOUND));
155 std::auto_ptr<AuthAlgo> a(AuthAlgoFactory::create(gOpt.getAuthAlgo(), KD_OUTBOUND));
157 PlainPacket plain_packet(MAX_PACKET_LENGTH);
158 EncryptedPacket encrypted_packet(MAX_PACKET_LENGTH, gOpt.getAuthTagLength());
160 uint16_t mux = gOpt.getMux();
161 PacketSourceEndpoint emptyEndpoint;
163 plain_packet.setLength(MAX_PACKET_LENGTH);
164 encrypted_packet.withAuthTag(false);
165 encrypted_packet.setLength(MAX_PACKET_LENGTH);
167 // read packet from device
168 int len = dev->read(plain_packet.getPayload(), plain_packet.getPayloadLength());
170 continue; // silently ignore device read errors, this is probably no good idea...
173 if(static_cast<uint32_t>(len) < PlainPacket::getHeaderLength()) {
174 continue; // ignore short packets
176 plain_packet.setPayloadLength(len);
178 if(dev->getType() == TYPE_TUN) {
179 plain_packet.setPayloadType(PAYLOAD_TYPE_TUN);
180 } else if(dev->getType() == TYPE_TAP) {
181 plain_packet.setPayloadType(PAYLOAD_TYPE_TAP);
183 plain_packet.setPayloadType(0);
186 if(gConnectionList.empty()) {
189 //std::cout << "got Packet for plain "<<plain_packet.getDstAddr().toString();
190 ConnectionMap::iterator cit;
194 mux = gRoutingTable.getRoute(plain_packet.getDstAddr());
195 //std::cout << " -> "<<mux << std::endl;
196 cit = gConnectionList.getConnection(mux);
197 } catch(std::exception&) { continue; } // no route
199 cit = gConnectionList.getBegin();
202 cit = gConnectionList.getBegin();
205 if(cit==gConnectionList.getEnd()) {
206 continue; //no connection
208 ConnectionParam& conn = cit->second;
210 if(conn.remote_end_ == emptyEndpoint) {
211 //cLog.msg(Log::PRIO_INFO) << "no remote address set";
216 c->encrypt(conn.kd_, plain_packet, encrypted_packet, conn.seq_nr_, gOpt.getSenderId(), mux);
218 encrypted_packet.setHeader(conn.seq_nr_, gOpt.getSenderId(), mux);
221 // add authentication tag
222 a->generate(conn.kd_, encrypted_packet);
225 src->send(encrypted_packet.getBuf(), encrypted_packet.getLength(), conn.remote_end_);
226 } catch(std::exception& /*e*/) {
227 //TODO: do something here
228 //cLog.msg(Log::PRIO_ERROR) << "could not send data: " << e.what();
231 } catch(std::runtime_error& e) {
232 cLog.msg(Log::PRIO_ERROR) << "sender thread died due to an uncaught runtime_error: " << e.what();
233 } catch(std::exception& e) {
234 cLog.msg(Log::PRIO_ERROR) << "sender thread died due to an uncaught exception: " << e.what();
238 void receiver(TunDevice* dev, PacketSource* src)
241 cLog.msg(Log::PRIO_ERROR) << "receiver thread died because either dev or src pointer is null";
246 std::auto_ptr<Cipher> c(CipherFactory::create(gOpt.getCipher(), KD_INBOUND));
247 std::auto_ptr<AuthAlgo> a(AuthAlgoFactory::create(gOpt.getAuthAlgo(), KD_INBOUND));
249 uint32_t auth_tag_length = gOpt.getAuthTagLength();
250 EncryptedPacket encrypted_packet(MAX_PACKET_LENGTH, auth_tag_length);
251 PlainPacket plain_packet(MAX_PACKET_LENGTH);
254 PacketSourceEndpoint remote_end;
256 plain_packet.setLength(MAX_PACKET_LENGTH);
257 encrypted_packet.withAuthTag(false);
258 encrypted_packet.setLength(MAX_PACKET_LENGTH);
260 // read packet from socket
263 len = src->recv(encrypted_packet.getBuf(), encrypted_packet.getLength(), remote_end);
264 } catch(std::exception& /*e*/) {
265 //TODO: do something here
266 //cLog.msg(Log::PRIO_ERROR) << "could not recive packet "<< e.what();
270 continue; // silently ignore socket recv errors, this is probably no good idea...
273 if(static_cast<uint32_t>(len) < (EncryptedPacket::getHeaderLength() + auth_tag_length)) {
274 continue; // ignore short packets
276 encrypted_packet.setLength(len);
278 mux_t mux = encrypted_packet.getMux();
280 if(gConnectionList.empty() && gOpt.getRemoteAddr() == "") {
281 cLog.msg(Log::PRIO_NOTICE) << "autodetected remote host " << remote_end;
282 createConnection(remote_end, gOpt.getSeqWindowSize(),mux);
285 ConnectionMap::iterator cit = gConnectionList.getConnection(mux);
286 if(cit == gConnectionList.getEnd()) {
289 ConnectionParam& conn = cit->second;
291 // check whether auth tag is ok or not
292 if(!a->checkTag(conn.kd_, encrypted_packet)) {
293 cLog.msg(Log::PRIO_NOTICE) << "wrong Authentication Tag!";
298 if(conn.seq_window_.checkAndAdd(encrypted_packet.getSenderId(), encrypted_packet.getSeqNr())) {
299 cLog.msg(Log::PRIO_NOTICE) << "Replay attack from " << conn.remote_end_
300 << " seq:"<< encrypted_packet.getSeqNr() << " sid: "<< encrypted_packet.getSenderId();
304 //Allow dynamic IP changes
305 //TODO: add command line option to turn this off
306 if(remote_end != conn.remote_end_) {
307 cLog.msg(Log::PRIO_NOTICE) << "connection "<< mux << " autodetected remote host ip changed " << remote_end;
308 conn.remote_end_=remote_end;
309 #ifndef ANYTUN_NOSYNC
310 SyncCommand sc(gConnectionList,mux);
314 // ignore zero length packets
315 if(encrypted_packet.getPayloadLength() <= PlainPacket::getHeaderLength()) {
320 c->decrypt(conn.kd_, encrypted_packet, plain_packet);
322 // check payload_type
323 if((dev->getType() == TYPE_TUN && plain_packet.getPayloadType() != PAYLOAD_TYPE_TUN4 &&
324 plain_packet.getPayloadType() != PAYLOAD_TYPE_TUN6) ||
325 (dev->getType() == TYPE_TAP && plain_packet.getPayloadType() != PAYLOAD_TYPE_TAP)) {
329 // write it on the device
330 dev->write(plain_packet.getPayload(), plain_packet.getLength());
332 } catch(std::runtime_error& e) {
333 cLog.msg(Log::PRIO_ERROR) << "receiver thread died due to an uncaught runtime_error: " << e.what();
334 } catch(std::exception& e) {
335 cLog.msg(Log::PRIO_ERROR) << "receiver thread died due to an uncaught exception: " << e.what();
339 void startSendRecvThreads(TunDevice* dev, PacketSource* src)
341 src->waitUntilReady();
343 boost::thread(boost::bind(sender, dev, src));
344 boost::thread(boost::bind(receiver, dev, src));
349 int main(int argc, char* argv[])
353 if(std::string(argv[1]) == "install") {
354 WinService::install();
356 } else if(std::string(argv[1]) == "uninstall") {
357 WinService::uninstall();
363 } catch(std::runtime_error& e) {
364 std::cout << "caught runtime error, exiting: " << e.what() << std::endl;
365 } catch(std::exception& e) {
366 std::cout << "caught exception, exiting: " << e.what() << std::endl;
370 int real_main(int argc, char* argv[], WinService& service)
373 int main(int argc, char* argv[])
375 DaemonService service;
379 if(!gOpt.parse(argc, argv)) {
383 StringList targets = gOpt.getLogTargets();
384 for(StringList::const_iterator it = targets.begin(); it != targets.end(); ++it) {
387 } catch(syntax_error& e) {
388 std::cerr << e << std::endl;
393 cLog.msg(Log::PRIO_NOTICE) << "anytun started...";
394 gOpt.parse_post(); // print warnings
396 // daemonizing has to done before any thread gets started
397 service.initPrivs(gOpt.getUsername(), gOpt.getGroupname());
398 if(gOpt.getDaemonize()) {
402 OptionNetwork net = gOpt.getIfconfigParam();
403 TunDevice dev(gOpt.getDevName(), gOpt.getDevType(), net.net_addr, net.prefix_length);
404 cLog.msg(Log::PRIO_NOTICE) << "dev opened - name '" << dev.getActualName() << "', node '" << dev.getActualNode() << "'";
405 cLog.msg(Log::PRIO_NOTICE) << "dev type is '" << dev.getTypeString() << "'";
407 SysExec* postup_script = NULL;
408 if(gOpt.getPostUpScript() != "") {
409 cLog.msg(Log::PRIO_NOTICE) << "executing post-up script '" << gOpt.getPostUpScript() << "'";
410 StringVector args = boost::assign::list_of(dev.getActualName())(dev.getActualNode());
411 postup_script = new SysExec(gOpt.getPostUpScript(), args);
414 if(gOpt.getChrootDir() != "") {
416 service.chroot(gOpt.getChrootDir());
417 } catch(const std::runtime_error& e) {
418 cLog.msg(Log::PRIO_WARNING) << "ignoring chroot error: " << e.what();
423 // this has to be called before the first thread is started
424 gSignalController.init(service);
426 boost::thread(boost::bind(&TunDevice::waitUntilReady,&dev));
428 boost::thread(boost::bind(&SysExec::waitAndDestroy,postup_script));
433 PacketSource* src = new UDPPacketSource(gOpt.getLocalAddr(), gOpt.getLocalPort());
435 if(gOpt.getRemoteAddr() != "") {
436 gResolver.resolveUdp(gOpt.getRemoteAddr(), gOpt.getRemotePort(), boost::bind(createConnectionResolver, _1, gOpt.getSeqWindowSize(), gOpt.getMux()), boost::bind(createConnectionError, _1), gOpt.getResolvAddrType());
439 HostList connect_to = gOpt.getRemoteSyncHosts();
441 NetworkList routes = gOpt.getRoutes();
442 NetworkList::const_iterator rit;
443 for(rit = routes.begin(); rit != routes.end(); ++rit) {
444 NetworkAddress addr(rit->net_addr);
445 NetworkPrefix prefix(addr, static_cast<uint8_t>(rit->prefix_length));
446 gRoutingTable.addRoute(prefix, gOpt.getMux());
448 if(connect_to.begin() == connect_to.end() || gOpt.getDevType()!="tun") {
449 cLog.msg(Log::PRIO_NOTICE) << "No sync/control host defined or not a tun device. Disabling multi connection support (routing)";
454 #ifndef ANYTUN_NOSYNC
455 boost::thread* syncListenerThread = NULL;
456 if(gOpt.getLocalSyncPort() != "") {
457 syncListenerThread = new boost::thread(boost::bind(syncListener));
458 if(syncListenerThread) syncListenerThread->detach();
461 boost::thread_group connectThreads;
462 for(HostList::const_iterator it = connect_to.begin() ; it != connect_to.end(); ++it) {
463 connectThreads.create_thread(boost::bind(syncConnector, *it));
467 // wait for packet source to finish in a seperate thread in order
468 // to be still able to process signals while waiting
469 boost::thread(boost::bind(startSendRecvThreads, &dev, src));
471 int ret = gSignalController.run();
473 // TODO: stop all threads and cleanup
480 } catch(std::runtime_error& e) {
481 cLog.msg(Log::PRIO_ERROR) << "uncaught runtime error, exiting: " << e.what();
482 if(!service.isDaemonized()) {
483 std::cout << "uncaught runtime error, exiting: " << e.what() << std::endl;
485 } catch(std::exception& e) {
486 cLog.msg(Log::PRIO_ERROR) << "uncaught exception, exiting: " << e.what();
487 if(!service.isDaemonized()) {
488 std::cout << "uncaught exception, exiting: " << e.what() << std::endl;