Ian Jackson [Tue, 23 Sep 2014 23:33:52 +0000 (00:33 +0100)]
util: Provide async_linebuf_read
polypath is going to want to read output from the interface and
address reporting script.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 27 Sep 2014 12:56:35 +0000 (13:56 +0100)]
fds: Make many fds nonblocking
Introduce iswouldblock to cope with POSIX not specifying which of
EAGAIN or EWOULDBLOCK you get. In various subsystems, make more fds
nonblocking and handle errors appropriately. Specifically:
* Logging self-pipe reading end.
* Signal self-pipe reading end.
* SLIP both ends. Fixing the writing end involves breaking out
a new function slip_write.
* tun's network interface fd.
In various of these we add code to handle EINTR, too.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 27 Sep 2014 12:26:17 +0000 (13:26 +0100)]
Introduce setnonblock()
This involves reworking setcloexec()'s implementation so that we can
reuse it.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 27 Sep 2014 10:10:06 +0000 (11:10 +0100)]
process: Introduce afterfork()
Rework set_default_signals into afterfork, which does the sigprocmask
too. This is necessary for processes we fork after
setup_signal_handling(), which otherwise inherit our blocking mask and
non-default handlers.
Call it after each fork() (except the ones we use for daemonising).
As a consequence:
- hackypar children will die if they get a terminating signal
- our subprocesses such as `route' and `ifconfig' will inherit
reasonable signal setups
- it will be correct to call udp_make_socket during phase RUN
(previously any authbind would get a strange signal setup)
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Fri, 26 Sep 2014 18:26:49 +0000 (19:26 +0100)]
udp: Break out udp_destroy_socket
polypath is going to want this. No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Wed, 24 Sep 2014 23:50:10 +0000 (00:50 +0100)]
logging: Use lg_exitstatus
Replace two open-coded exit status checks with calls to lg_exitstatus.
In the case of slip.c and udp.c this has no significant effect other
than a slight change to message format.
In the case of process.c, we no longer log the command's first
argument. I consider this tolerable for simplifying the code.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Wed, 24 Sep 2014 23:47:47 +0000 (00:47 +0100)]
logging: Provide lg_exitstatus
This will allow us to remove a bunch of formulaic exit status
handling.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Wed, 24 Sep 2014 00:28:23 +0000 (01:28 +0100)]
comm: Provide udp_socks_deregister
polypath is going to want this.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Mon, 22 Sep 2014 01:07:47 +0000 (02:07 +0100)]
comm: Make udp_make_socket be able to tolerate failures
Previously, it would log errors with fatal or fatal_perror. Now it
takes a message class and uses lg_perror, and also returns a boolean
to let the caller know whether it worked.
The repetitive calls to fatal_perror in udp_make_socket have been
replaced with a couple of macros.
The one existing call site passes M_FATAL. So no substantial
functional change in this patch.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 21 Sep 2014 23:51:58 +0000 (00:51 +0100)]
comm: Formalise interface to udp sockets
Have the poll registration done by the udpcommon/udpsocks code, rather
than by udp.c. This means we can abolish the two wrapper functions,
but we do need an extra pointer in a udpsocks to find the udpcommon.
No overall functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 21 Sep 2014 15:11:16 +0000 (16:11 +0100)]
comm: Break out some common udp parts
Provide a section in comm-common.h which allows other comms to share
some of the work done in udp.c. Specifically, we provide the new
concepts of `udpsocks' and `udpcommon'.
The port configuration parameter is lifted into the udp struct.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 21 Sep 2014 11:05:28 +0000 (12:05 +0100)]
comm: Break out common code in comm
We are going to want to introduce a new kind of comm. Currently we
only have one comm, udp, in udp.c - much of whose code we will want to
reuse.
Break that generic comm-handling code out into new files, functions
and macros.
No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 21 Sep 2014 22:45:01 +0000 (23:45 +0100)]
comm: Rename a lot of state pointer variables
We are going to split `struct udp' into a bunch of substructures with
their own types, to assist with reuse of the udp code in a new comm.
This is going to involve members at different levels of abstraction
being accessed through different pointer variable names.
So change the names now to aliases of the standard `struct udp *st'.
This will much reduce noise in subsequent patches.
Also rename udp.c's MAX_SOCKETS to UDP_MAX_SOCKETS.
No functional change in this patch.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Mon, 22 Sep 2014 01:00:50 +0000 (02:00 +0100)]
logging: Provide lg_perror and lg_vperror
These are convenience functions for logging module, config location,
errno value, etc., along with a full formatted message.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 21 Sep 2014 14:02:40 +0000 (15:02 +0100)]
poll: Document reentrancy restriction on before()
If the before() callback might modify the wanted fds or timeouts of
other poll users, the loop over poll users in run() might produce
wrong answers.
Therefore, document that this is not permitted. (All of the existing
before() implementations are indeed fine.)
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 20 Sep 2014 12:56:04 +0000 (13:56 +0100)]
poll: Support deregistration from the main event loop
The logic here is slightly subtle because of reentrancy hazards. See
the comment in deregister_for_poll.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 20 Sep 2014 17:16:09 +0000 (18:16 +0100)]
poll: Abolish max_nfds
We do not need to be advised of a static maximum, since we dynamically
size the array now. Abolish the variable (which is unused) and change
all the callers.
No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 20 Sep 2014 16:28:56 +0000 (17:28 +0100)]
poll: Make handling of fds array actually dynamic
Previously we relied on the max_fds argument to register_for_poll
being big enough and allocated an array at startup. But we are going
to want to be more dynamic, so actually do the dynamic array resizing.
We now start with a zero-sized array and increase it as needed.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 20 Sep 2014 13:10:28 +0000 (14:10 +0100)]
realloc: Provide safe_realloc_ary
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 20 Sep 2014 16:52:14 +0000 (17:52 +0100)]
poll: Introduce and use BEFOREPOLL_WANT_FDS
This helper macro provides a convenient implementation of the
beforepoll_fn interface for *nfds_io. Use it everywhere.
This produces one bugfix: log_from_fd_beforepoll would fail to set
*nfds_io if it was finished.
This also arranges for many beforepoll callbacks to actually fail
properly with ERANGE if there is not enough space. Previously they
would blithely write the next fd entry or two. In practice the
provided fd array never runs out in the current code, so in these
cases we are just fixing latent bugs.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 20 Sep 2014 12:42:11 +0000 (13:42 +0100)]
main loop: Use <bsd/sys/queue.h> for poll interest list
This makes the code clearer, shorter and more typesafe.
It is also going to make it easier to introduce deregistration.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 20 Sep 2014 12:24:11 +0000 (13:24 +0100)]
udp: Use <bsd/sys/queue.h> for notify lists
This makes the code clearer, shorter and more typesafe.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 27 Sep 2014 10:28:07 +0000 (11:28 +0100)]
hackypar: Fix coding style
For some reason I didn't use the standard secnet coding style for this
file. Fix this by reindenting, and moving functions' opening braces.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Mon, 29 Sep 2014 14:02:19 +0000 (15:02 +0100)]
site: Support multiple addresses
The `address' parameter to a site closure can now contain multiple
`address' strings, which may be multiple domain names or multiple
address literals, or some combination.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 27 Sep 2014 13:26:49 +0000 (14:26 +0100)]
Provide dict_read_string_array
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Mon, 29 Sep 2014 14:00:47 +0000 (15:00 +0100)]
resolver: Provide input name as argument to callback
This is going to be convenient for our one call site.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Fri, 19 Sep 2014 22:15:38 +0000 (23:15 +0100)]
test-example: Switch to testing IPv6 too
Make the published address of `outside' be ::1, rather than 127.0.0.1.
This means we can test both IPv4 and IPv6.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 14 Sep 2014 23:14:41 +0000 (00:14 +0100)]
Python IP addresses: Remove sys.path hacking from test script
Now that we no longer have ipaddr.py in our tree, we can get rid of
this messing about with sys.path. We use the system's ipaddr.py and
our own ipaddrset.py.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 14 Sep 2014 23:47:13 +0000 (00:47 +0100)]
Python IP addresses: Check for and maybe delete stale ipaddr.py
If ipaddr.py (or .pyc) from a previous secnet installation still
exists in /usr/share/secnet or /usr/local/share/secnet, this version
won't work. Check for this situation in `make install' and bomb out.
Provide a `make install-force' which deletes the spurious files.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 14 Sep 2014 23:28:56 +0000 (00:28 +0100)]
Python IP addresses: Use modern ipaddr.py - supports IPv6
Switch to using the modern ipaddr.py from Scott Kitterman, and our own
ipaddrset.py.
The upshot is that make-secnet-sites now supports IPv6.
Aside from adjusting the code in make-secnet-sites to conform to the
new API, we also delete the old Cendio ipaddr.py, and delete the code
to install it, and document the new dependency both in INSTALL and in
the Debian package metadata.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 14 Sep 2014 21:40:52 +0000 (22:40 +0100)]
Python IP addresses: Provide ipaddrset.py library
This library module provides a class for a set of IP addresses, stored
as a list of netmasks. This is in terms of the modern `ipaddr' module
by Scott Kitterman.
In this commit we introduce the ipaddrset.py module and its test
module. We also patch the Makefile to install it, and test in `make
check' that it produces the expected output.
However, due to the presence of the old Cendio ipaddr.py alongside,
the provided ipaddrset-test.py needs some hideous hacking of sys.path
if it is to work when run in the ordinary way inside the secnet source
tree. This will be removed in a later patch.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Fri, 19 Sep 2014 20:02:47 +0000 (21:02 +0100)]
resolver: Support IPv6 literals
With CONFIG_IPV6, use adns_addr2text instead of inet_ntoa.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Thu, 18 Sep 2014 17:38:17 +0000 (18:38 +0100)]
resolver: Log reason for DNS resolution failure
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Tue, 2 Sep 2014 08:19:37 +0000 (09:19 +0100)]
resolver: Support IPv6 name resolution
Tell adns (via ADNS_FEATURE_MANYAF) that we want mixed address
families in the results, and handle any IPv6 addresses we find.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Fri, 19 Sep 2014 21:48:45 +0000 (22:48 +0100)]
udp: Support IPv6 when using authbind
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Tue, 2 Sep 2014 08:05:30 +0000 (09:05 +0100)]
udp: Support IPv6 (mostly)
Specifically:
* struct udp now contains an array of (up to three) pairs of iaddr,
fd. Code which deals with the fd and addr has been updated to use
loops etc. as appropriate.
* The sockets are created with the right protocol family value.
For AF_INET6, we set IPV6_V6ONLY.
* Specifically, when transmitting, we try all appropriate sockets and
compute the persistent-failure indication as required.
* And a comm_addr now contains an `int ix' for udp.c's benefit; this
allows udp to note in the comm_addr which socket an incoming packet
was received on (which is required for logging etc.). (NB that the
socket index is ignored when sending; this is so that we can
continue to construct a comm_addr in the current way; it will
simply show up as notionally attached to the first of the udp's
interfaces.)
* We use text2iaddr to convert the string to a socket address, rather
than string_item_to_ipaddr. The latter can cope only with IPv4
(and is now used only for private vpn addrs, proxies, etc.).
* The default is now to create both IPv6 and IPv4 sockets.
Left undone are:
* The special secnet proxy protocol has a 4-byte address prepended
which implies IPv4. I don't intend to fix this.
* The authbind support for IPv6 will be in a future patch.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Tue, 2 Sep 2014 07:59:44 +0000 (08:59 +0100)]
udp.c: Remove some (ab)use of variable name `i'
I find it very odd to find `item_t *i' etc. I would like to be able
to use `int i'. So change some uses of `i' to `item'. (`j' in this
function will go away in the next patch so isn't worth renaming.)
No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Tue, 2 Sep 2014 08:04:27 +0000 (09:04 +0100)]
Provide text2iaddr.
This will be used shortly.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Tue, 2 Sep 2014 07:58:24 +0000 (08:58 +0100)]
Provide ARRAY_SIZE
No call sites yet.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Tue, 2 Sep 2014 07:56:50 +0000 (08:56 +0100)]
Make list_length and string_item_to_ipaddr const-correct.
No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Tue, 2 Sep 2014 06:41:37 +0000 (07:41 +0100)]
udp: Break out udp_make_socket
Make this into a function by itself and adjust its arguments so that
when we support multiple sockets (for multiple addresses so that we
can have multiple AFs) we can just call it for each one.
No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 29 Jun 2014 23:39:02 +0000 (00:39 +0100)]
udp proxy: Properly zero holes in proxied address
The comm_addr we are producing here, from information from a packet
forwarded to us by the proxy, is supposed to have all-bits-zero in any
holes it may have.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 29 Jun 2014 22:10:31 +0000 (23:10 +0100)]
ipv6: Support printing, comparing, etc. IPv6 addresses
If we support IPv6, convert addresses with adns_addr2text. Otherwise
stick with inet_ntoa.
With these changes, there is nothing remaining that will actually
crash secnet if it is passed an IPv6 address. However, it is not yet
possible to mention IPv6 addresses in the configuration, and the udp
transport needs dual stack support.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 29 Jun 2014 22:58:03 +0000 (23:58 +0100)]
ipv6: check for support in system and in adns
We #define CONFIG_IPV6 if the system has AF_INET6 and adns has
adns_addr2text (which only the IPv6-capable adns has).
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 29 Jun 2014 22:54:52 +0000 (23:54 +0100)]
autoconf: Update to autoconf 2.69
Rerun autoconf (Debian 2.69-1 i386) to update the configure script.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 29 Jun 2014 22:15:58 +0000 (23:15 +0100)]
ipv6: More buffers in iaddr_to_string
We are going to have addresses of multiple address families in various
places, which will mean more calls to iaddr_to_string for the benefit
of the same logging statement.
Increase the number of static buffers used by iaddr_to_string from 2
to 8.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Wed, 26 Feb 2014 15:57:21 +0000 (15:57 +0000)]
ipv6: introduce union iaddr
Replace many occurrences of sockaddr_in by a new union, iaddr.
Everywhere that fills in an address has been modified to look into the
subfields of iaddr. But there is not yet any support for a union
iaddr to contain anything other than a sockaddr_in. This will be
added gradually in forthcoming patches, starting at consumers and
working back.
Additionally, a couple of places that specified a port and address as
a uint16_t and uint32_t have been converted.
We have changed only transport addresses - that is, addresses on the
public network. VPN addresses remain IPv4 only.
We provide a few helper functions for manipulating union iaddr, such
as iaddr_to_string (which replaces saddr_to_string).
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Fri, 19 Sep 2014 21:02:30 +0000 (22:02 +0100)]
site: Remove "wishful thinking" from transport address handling comment
We have now completed the implementation of the algorithms described
in the comment.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 20 Sep 2014 00:14:17 +0000 (01:14 +0100)]
site: Permit multiple peer addresses even if peer is static
This is necessary to permit multiple addresses of multiple address
families. We (arbitrarily) set the default limit to 3.
Abolish the MAX_MOBILE_PEERS_MAX constant and size the peer addresses
array by MAX_PEER_ADDRS directly.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 28 Jun 2014 16:32:34 +0000 (17:32 +0100)]
resolver: construct comm_addr; honour multiple addresses from the resolver
We move construction of the comm_addr into the resolver. The comm_if
and port are supplied to it by site and filled in by the resolver.
This allows the resolver to return a complete comm_addr array.
While we're here, we make an adns_r_addr query instead of an adns_r_a
query.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 28 Jun 2014 16:15:37 +0000 (17:15 +0100)]
site: transport peers: Update bulk of code for multiple addresses
Make the transport_peers functions which receive name resolution
information cope with multiple addresses.
(We cannot yet receive multiple addresses from the resolver. That
will come next.)
This is just plumbing: no functional change in this patch.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 28 Jun 2014 16:11:07 +0000 (17:11 +0100)]
site: Make transport_record_peers cope with multiple addresses
This is a complete rewrite of this function. The semantics are
similar to before, except that it copes with multiple addresses at
once, and ensures that they arrive, in order, at the front of the
array. It now needs its caller to call transport_peers_expire.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 28 Jun 2014 14:32:19 +0000 (15:32 +0100)]
site: transport peers: Delete or demote unsuitable peers addresses
If comm signals that the address is unusable (ie we have no IPv4 or
IPv6 interface or routing), delete the address. Or, if we are mobile,
demote it to the end of the list (since we might gain appropriate
routing in the future).
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 28 Jun 2014 13:26:56 +0000 (14:26 +0100)]
comm_if: Define the meaning of ->sendmsg returning false
site's transport logic is going to want to know when a failure occurs
which is attributable to the address being unsuitable for the local
network environment (eg v4 address on v6-only host).
Use the boolean return value from sendmsg for that.
At the moment all the callers ignore the return value, and the only
actual sendmsg function always returns true. This is consistent with
the new semantics.
Therefore, no functional change in this patch.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 28 Jun 2014 13:18:19 +0000 (14:18 +0100)]
site: transport peers: Notes on multi-address-family (IPv6) support
Update the comment about transport peer address handling. This
defines the new regime for dual-stack support, which we are going to
implement in the following patches.
No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Wed, 25 Jun 2014 20:32:45 +0000 (21:32 +0100)]
site: transport peers: Formalise interface to transport peers
Make the interface to the transport peers functions more formal:
define when each function is called and what (roughly) it should do.
Remove the predeclaration of transport_record_peer. This is now an
internal function for the transport peer management code; there are no
callers in the body of site.c and we can remove the declaration.
No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Fri, 19 Sep 2014 22:37:58 +0000 (23:37 +0100)]
subnet_to_string: Do not allocate
None of the three call sites want to keep the value for any length of
time - they just use it right away. Replace the allocation with a use
of the round-robin buffers from ipaddr_getbuf, and remove the frees at
the call sites.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 21 Sep 2014 16:53:41 +0000 (17:53 +0100)]
test-example: Provide a fuzzer for the slip decoder
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Mon, 22 Sep 2014 14:40:40 +0000 (15:40 +0100)]
slip: Do not malloc the userv activation context etc.
This is unnecessary, as its lifetime does not exceed that of the stack
frame. Replace all the fixed-size malloc/free pairs with local
variables.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 27 Sep 2014 10:41:53 +0000 (11:41 +0100)]
fds: Introduce pipe_cloexec()
Replace all calls to pipe() with this new function, which checks
errors for us, and also sets both fds to close-on-exec.
There are some minor functional changes:
* Error messages from pipe() failing are now less detailed about the
context. This is not important.
* The signal self-pipe is now cloexec too. This is at worst harmless.
* When execing userv-ipif we rely on cloexec to close the spare
copies of the pipe ends.
* The stderr self-pipe spare writing end is redundantly made cloexec
even though it is about to be closed shortly afterwards.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sat, 27 Sep 2014 10:58:42 +0000 (11:58 +0100)]
fds: Simplify fd close condition in tun_set_route
Recreating the condition under which the fd was opened is confusing
and fragile. Instead, simply close it if we opened it, which we can
tell from the value of the variable (because we initialise it to -1 at
the top).
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Mon, 22 Sep 2014 14:51:30 +0000 (15:51 +0100)]
fds: Provide cloexec() and use it in udp.c and tun.c
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Mon, 22 Sep 2014 15:17:02 +0000 (16:17 +0100)]
changelog, Makefile.in: finalise 0.3.4
Simon Tatham [Mon, 22 Sep 2014 09:28:05 +0000 (10:28 +0100)]
SECURITY: fixed fix to buffer handling
The implementation of buf_remaining_space in 92795040 was entirely
broken. It failed to take buf->size into account at all!
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Fri, 19 Sep 2014 22:51:40 +0000 (23:51 +0100)]
changelog, Makefile.in: finalise 0.3.3
Ian Jackson [Fri, 19 Sep 2014 23:05:19 +0000 (00:05 +0100)]
buffers: Rename buffer_if.len to buffer_if.alloclen.
This field contains the total amount of space allocated, starting at
base, which may be less than the amount of space available after
start.
Rename it to help avoid confusion. This also enabled me to review
every site where this variable was used to verify that the length
checks are all now correct.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Fri, 19 Sep 2014 23:03:20 +0000 (00:03 +0100)]
buffers: Introduce buf_remaining_space
This calculates the remaining space available to append to a buffer.
Use it in tun_afterpoll and udp_afterpoll (no functional change),
slip_unstuff and buf_append (fixes what appear to be latent bugs).
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Fri, 19 Sep 2014 22:35:06 +0000 (23:35 +0100)]
ipaddr_to_string: SECURITY: Do not allocate
ipaddr_to_string is used in many places including runtime logging.
Handling its memory allocation is annoyingly fiddly. Indeed there is
at least one possible memory leak, which represents a potential denial
of service bug.
None of the callers keep the answers for any length of time.
So make it return the next one of a series of round-robin buffers,
instead, and remove all the freeing at all the call sites.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Fri, 19 Sep 2014 22:21:22 +0000 (23:21 +0100)]
udp: SECURITY: Pass correct size argument to recvfrom
Otherwise we risk overflowing the buffer. This is a critical security
problem.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Thu, 18 Sep 2014 23:19:31 +0000 (00:19 +0100)]
changelog, Makefile.in: finalise 0.3.3~beta1
Ian Jackson [Wed, 25 Jun 2014 20:43:00 +0000 (21:43 +0100)]
site: transport peers: Use source of NAK packets as reply address
If we get a NAK from our current peer and initiate a key exchange, we
should take the source address of the NAK as a hint for the peer's
public address.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Wed, 25 Jun 2014 20:32:03 +0000 (21:32 +0100)]
site: transport peers: MSG1: use transport_compute_setupinit_peers
This implies a functional change: now we start out with the data
transport peers. For a mobile peer this is a bugfix; for a non-mobile
peer it implies no functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Wed, 25 Jun 2014 20:26:29 +0000 (21:26 +0100)]
site: transport_peers: Rename incoming_packet_addr
Rename the prod_hint_addr argument; we are going to use it for other
things too.
No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Wed, 25 Jun 2014 17:37:24 +0000 (18:37 +0100)]
site: transport peers: Break out transport_resolve_complete,_tardy
Make two new functions
transport_resolve_complete
transport_resolve_complete_tardy
which encapsulate the transport peers manipulations for these two
situations.
No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 14 Sep 2014 16:00:06 +0000 (17:00 +0100)]
test-example: Provide clean target in Makefile
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 14 Sep 2014 15:57:28 +0000 (16:57 +0100)]
make-secnet-sites: Put our path component at the beginning
Otherwise installing the modern `ipaddr' python module (as found eg in
python-ipaddr.deb) breaks secnet, because it will appear on the path
before our own copy of the Cendio Systems AB one.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Thu, 26 Jun 2014 19:29:54 +0000 (20:29 +0100)]
changelog, Makefile.in: finalise 0.3.2
Ian Jackson [Fri, 6 Jun 2014 00:18:59 +0000 (01:18 +0100)]
changelog, Makefile.in: finalise 0.3.2~beta1
Ian Jackson [Mon, 2 Jun 2014 16:45:52 +0000 (17:45 +0100)]
site: Force use of configured name only if we are mobile
In c22c3541 we arranged to honour our local configured name for the
peer even if the peer initiated the key setup. Previously we used the
address on the incoming packets.
However, this change can break some half-broken configurations, which
would otherwise mostly work. Some of these configurations may even be
deliberate, as a kind of poor version of the mobile site feature.
But, if we are a mobile site it is very unlikely that we have a broken
name or address (or at least, if we do, that things would work well).
So, for now, restrict this new behaviour to the situation where we are
mobile.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 18 May 2014 13:54:20 +0000 (14:54 +0100)]
changelog: Document additional name resolution
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Tue, 13 May 2014 23:40:44 +0000 (00:40 +0100)]
site: Do name resolution on peer-initiated key setup too
The current arrangement locks in the peer address used for key
exchange, for the lifetime of the key.
Most configurations do not have the secnet bind to a particular
address. And secnet takes no particular care about the source address
on its packets. The result is that secnet might reply from a
different address. (Also NAT might cause this effect.)
But (unless the peer is mobile) it is not ideal to use an address
other than the configured address. In particular, if we are mobile
then the network environment, and our routing to the peer, might
change so that the previous source address is not valid. This could
result in an extended failure (of up to the key expiry lifetime).
Arguably this is a configuration error, but there is another reason to
dislike the current behaviour: it has the rather odd property that if
an opponent (or incompetent middlebox) reroutes/NATs the packets
during key exchange, the entire dataflow (at least in one direction)
might end up sent via a bizarre route (or, if the environment changes,
not delivered).
We still want to use the peer's address as a hint though: otherwise we
would have to stall a peer-initiated key setup while resolution takes
place.
So:
* Initiate a peer address lookup when we get an incoming MSG1, if we
have a configured name or address. We do this in parallel with the
key exchange. (As a result it is possible that a peer address
lookup might complete well after the key exchange has finished.)
* Except, when the incoming MSG1 has crossed with ours, we must
already have done the lookup so do not do it again.
* And, in this latter case do not unconditionally record the incoming
peer address; instead, treat it as a "msgok"; otherwise we might
unjustifiably overwrite an address we got from the configuration
with the incoming address from the packet.
* The two points above mean moving the transport_record_peer from
process_msg1 into its two call sites, since the logic now needs to
differ between them.
* Handle the results of the MSG1-prompted peer address lookup. In
SITE_RESOLVE we do as we did before. In most of the other states,
we record the address and use it for future communications.
* If the resolution fails with a non-mobile site, keep using the
apparently-working peer address(es).
* With a mobile site the currently working peer address might stop
working so this is not acceptable. In that case, make arrangements
that a failed peer address lookup will be retried quickly - but in
the meantime, there is no need to halt the packet flow.
* If the attempt to submit the resolver query fails, just use the
apparent peer address as before.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
Changes in v2:
* Run the resolution after entering the new state, not before.
Otherwise if we get the callback reentrantly, we get a bit
confused.
Ian Jackson [Sat, 17 May 2014 15:57:10 +0000 (16:57 +0100)]
site: Log when resolution completes
This helps with debugging dns and reentrancy problems.
Also, assert in ensure_resolving that we have an address. This makes
it slightly clearer that callers are expected to have checked this.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
New patch in v2 of the series.
Ian Jackson [Tue, 13 May 2014 23:18:38 +0000 (00:18 +0100)]
site: Make local_mobile be a site state variable
We are going to want to know whether we are mobile to decide how to
handle certain name resolution failures.
Also fix a typo in a comment.
No functional change in this patch.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Tue, 13 May 2014 20:17:20 +0000 (21:17 +0100)]
site: Explicitly track name resolution status
Introduce a new variable st->resolving which tracks whether we have an
outstanding name resolution request. This makes it safe to (try to)
start name resolution (via the new function ensure_resolving) multiple
times etc.
No resulting functional change from just this patch.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
Changes in v2:
* Do slightly complicated dance with st->resolving, which is needed
because of the reentrancy hazard posed by resolver->request. In
v1 of the series there was a bug here which could cause the site
state machine to lock up.
Ian Jackson [Tue, 13 May 2014 20:08:03 +0000 (21:08 +0100)]
site: Fix bugs when resolver request submission fails
Previously, if adns_submit failed:
- the struct query in resolver.c was leaked
- nothing was logged
- the return value from resolver->request was ignored so the site
state machine would hang
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
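The resolving flag and the failed-submission handling described in the two commits above, as an added example that is not secnet's code: struct site, resolver_request, resolver_deliver and ensure_resolving are assumed stand-ins for the resolver interface, with a mode switch so the same code can be driven through a reentrant answer, an asynchronous one and a submission failure.

```c
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical reconstruction, not secnet's code: a callback-based resolver
 * and the site's flag recording whether a request is outstanding. */
typedef void resolve_cb(void *ctx, bool ok);
struct site {
    bool resolving;      /* an outstanding resolver request exists */
    bool have_address;   /* a usable peer address has been recorded */
    int  callbacks_seen;
};

/* Constructed resolver stand-in: answers reentrantly, asynchronously, or fails. */
enum submit_mode { SUBMIT_SYNC, SUBMIT_ASYNC, SUBMIT_FAIL };
enum submit_mode mode = SUBMIT_ASYNC;
static resolve_cb *pending_cb;
static void *pending_ctx;

static bool resolver_request(void *ctx, resolve_cb *cb) {
    switch (mode) {
    case SUBMIT_SYNC:  cb(ctx, true); return true;   /* reentrant answer */
    case SUBMIT_ASYNC: pending_cb = cb; pending_ctx = ctx; return true;
    default:           return false;                 /* submission failed */
    }
}
/* Deliver a pending asynchronous answer (normally the event loop's job). */
void resolver_deliver(bool ok) {
    resolve_cb *cb = pending_cb;
    if (!cb) return;
    pending_cb = NULL;
    cb(pending_ctx, ok);
}
static void site_resolve_done(void *ctx, bool ok) {
    struct site *st = ctx;
    st->resolving = false;   /* clear first: the site may resubmit */
    st->callbacks_seen++;
    if (ok) st->have_address = true;
}

/* Start a resolution unless one is outstanding. The flag goes up BEFORE
 * submitting: the callback may run inside resolver_request and take it
 * down again, so setting it afterwards would leave it stuck at true.
 * A failed submission is reported instead of being silently ignored. */
bool ensure_resolving(struct site *st) {
    if (st->resolving) return true;
    st->resolving = true;
    if (resolver_request(st, site_resolve_done)) return true;
    st->resolving = false;
    return false;
}
```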
---
Changes in v2:
* Fixed typo in commit message.
Ian Jackson [Sat, 17 May 2014 15:31:21 +0000 (16:31 +0100)]
site: Document some reentrancy hazards in comments
No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
New patch in v2 of the series.
Ian Jackson [Sun, 18 May 2014 13:50:04 +0000 (14:50 +0100)]
When printing version (eg during startup), use value from git-describe
Thus include git commit id where applicable.
Some complications in the Makefile[.in] are needed to ensure that the
version is regenerated iff required.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 18 May 2014 10:48:29 +0000 (11:48 +0100)]
changelog: Document logging and security fix
Ian Jackson [Sun, 11 May 2014 18:12:56 +0000 (19:12 +0100)]
site logging: Log peer addresses on timeout
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 11 May 2014 18:12:03 +0000 (19:12 +0100)]
comm: Introduce comm_addr_to_string
Convenience function for calling addr_to_string. Use it where
appropriate.
No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 11 May 2014 17:26:57 +0000 (18:26 +0100)]
site logging: Break out logtimeout
We're going to add something to log peer addresses on timeout, so we
need to centralise these two timeout logging calls.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 11 May 2014 17:26:14 +0000 (18:26 +0100)]
site logging: introduce vslog
No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 11 May 2014 17:10:58 +0000 (18:10 +0100)]
site logging: Use [v]slilog_part in slog
Eliminates a pointless log message assembly buffer.
No ultimate functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 11 May 2014 17:07:38 +0000 (18:07 +0100)]
site logging: Break out event_log_priority
We're going to want to call this in more places. While we're at it,
line the switch statement up more prettily.
No functional change.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 11 May 2014 15:36:52 +0000 (16:36 +0100)]
Makefile.in: introduce -Wunused-function
And delete the two unused logging functions log_multi and syslog_log.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Sun, 11 May 2014 15:28:33 +0000 (16:28 +0100)]
log: Introduce slilog_part; abolish log_if->logfn
[v]Message provides a facility for sending messages to the system log
which are assembled out of pieces. This is quite useful. Generalise
it to other logger interfaces too:
* Move the functionality out of vMessage into a new function
vslilog_part. Provide slilog_part too.
* Move the assembly buffer: it was a static variable (used only
for the system log); now it is a member of the log_if. (Yes,
the log_if, not the private state, because it applies for all
loggers and is used by common code ie vslilog_part.)
* Initialise log_if->buff[0] everywhere.
* Rename LOG_MESSAGE_BUFLEN from MESSAGE_BUFLEN since now it
has to live in secnet.h.
Also, remove log_if->logfn. All the call sites use vlogfn. Doing
this in this patch makes it easy to see that we haven't missed any
places where we should be initialising log_if->buff[0].
We currently have -Wunused ie -Wunused-functions, so for now we leave
the pointless definitions of the various loggers' logfns.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Thu, 15 May 2014 00:54:18 +0000 (01:54 +0100)]
site: SECURITY: Properly update full peer address array
If we already have the maximum number of peer addresses, do not
stuff the peer address into the wrong slot.
If a site instance is configured with the maximum permissible limit on
the number of mobile peer addresses (ie with mobile-peers-max set to
5), this overruns the transport peers array. In such a configuration
this is a security problem. It looks like a denial of service and
privilege escalation can't be ruled out. Configurations without
mobile peers are not affected.
Otherwise it simply means the address is ignored.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
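The full-table case this fix describes, as an added example that is not secnet's code: a fixed-capacity peer address table (PEERS_MAX standing in for mobile-peers-max; peer_addr, peer_table, record_peer and demo_full_table are all assumed names) whose insert refuses when every slot is taken rather than writing one element past the end of the array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reconstruction of the pattern the commit describes, not
 * secnet's code: a fixed-size table of mobile peer addresses whose capacity
 * plays the role of mobile-peers-max. */
#define PEERS_MAX 5
typedef struct { uint32_t ip; uint16_t port; } peer_addr;
typedef struct {
    peer_addr addrs[PEERS_MAX];
    size_t n;                 /* slots in use; must never exceed PEERS_MAX */
} peer_table;
enum record_result { RECORD_REFRESHED, RECORD_APPENDED, RECORD_TABLE_FULL };

static bool addr_eq(const peer_addr *a, const peer_addr *b) {
    return a->ip == b->ip && a->port == b->port;
}

/* Record an apparent peer address. A known address is moved to slot 0
 * (most recently seen); a new one is appended only while a slot is free.
 * With the table full we refuse instead of writing addrs[n], which for
 * n == PEERS_MAX is one element past the end of the array. */
enum record_result record_peer(peer_table *t, peer_addr a) {
    for (size_t i = 0; i < t->n; i++) {
        if (addr_eq(&t->addrs[i], &a)) {
            memmove(&t->addrs[1], &t->addrs[0], i * sizeof a);
            t->addrs[0] = a;
            return RECORD_REFRESHED;
        }
    }
    if (t->n >= PEERS_MAX)    /* the check that must not be skipped */
        return RECORD_TABLE_FULL;
    t->addrs[t->n++] = a;
    return RECORD_APPENDED;
}

/* Constructed scenario: fill the table, then offer a sixth distinct
 * address; returns the slot count afterwards and the sixth result. */
size_t demo_full_table(enum record_result *sixth) {
    peer_table t = { .n = 0 };
    for (uint32_t i = 0; i < PEERS_MAX; i++) {
        peer_addr a = { .ip = i + 1, .port = 1234 };
        record_peer(&t, a);
    }
    peer_addr extra = { .ip = 99, .port = 1234 };
    *sixth = record_peer(&t, extra);
    return t.n;
}
```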
Ian Jackson [Thu, 15 May 2014 00:31:56 +0000 (01:31 +0100)]
secnet.h: Change bool_t to a C99 _Bool
This will (a) stop misleading readers of the code (b) make it possible
to write code expecting an implicit !! to be applied to assignments to
booleans (c) possibly make secnet smaller or faster.
I don't expect this to produce any functional change, but I haven't
reviewed every bool_t in secnet to check.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Thu, 15 May 2014 00:29:13 +0000 (01:29 +0100)]
debian/changelog: Start new version 0.3.2~~
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Ian Jackson [Thu, 15 May 2014 00:28:14 +0000 (01:28 +0100)]
Makefile.in: Improve push rune in release checklist
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>