chiark / gitweb /
secnet.git
4 years agonetlink: Use MIN rather than ?:
Ian Jackson [Fri, 3 Oct 2014 20:16:49 +0000 (21:16 +0100)]
netlink: Use MIN rather than ?:

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoutil.h etc.: Provide MAX_RAW and MIN_RAW; etc.
Ian Jackson [Fri, 3 Oct 2014 19:22:18 +0000 (20:22 +0100)]
util.h etc.: Provide MAX_RAW and MIN_RAW; etc.

MAX and MIN are unsuitable for use where a constant expression is
required.  Provide MAX_RAW and MIN_RAW which are suitable but might
evaluate the left argument twice.

Remove max() in ipaddr.c and replace the call with one to MAX (not
MAX_RAW.  (The old max macro there is operator-priority-unsafe but
there is only one call site and it happens to be OK.)

We ae going to use MAX_RAW later.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoudp: Introduce some `us' convenience variables, etc.
Ian Jackson [Sat, 27 Sep 2014 14:01:05 +0000 (15:01 +0100)]
udp: Introduce some `us' convenience variables, etc.

* Introduce appropriate `struct udpsock *us' in a few places, and use
  them as appropriate.  We are going to make a few more places where
  these are used and this avoids some repetition.

* Introduce an `af' variable for the intended destination address
  family at one point.  We are going to want to reuse this.

* Add a comment on a line `} else {' distant from its `if (..) {'.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agocleanup: Replace a few calls to malloc/realloc with safe_malloc
Ian Jackson [Thu, 2 Oct 2014 00:16:47 +0000 (01:16 +0100)]
cleanup: Replace a few calls to malloc/realloc with safe_malloc

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoslip: Remove an incorrect XXX comment
Ian Jackson [Sat, 27 Sep 2014 13:28:20 +0000 (14:28 +0100)]
slip: Remove an incorrect XXX comment

There is no need to strdup anything before calling exec (or exit, of
course).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoutil: Provide async_linebuf_read
Ian Jackson [Tue, 23 Sep 2014 23:33:52 +0000 (00:33 +0100)]
util: Provide async_linebuf_read

polypath is going to want to read output from the interface and
address reporting script.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agofds: Make many fds nonblocking
Ian Jackson [Sat, 27 Sep 2014 12:56:35 +0000 (13:56 +0100)]
fds: Make many fds nonblocking

Introduce iswouldblock to cope with POSIX not specifying which of
EAGAIN or EWOULDBLOCK you get).  In various subsystems, make more fds
nonblocking and handle errors appropriately.  Specifically:

* Logging self-pipe reading end.
* Signal self-pipe reading end.
* SLIP both ends.  Fixing the writing end involves breaking out a new
  function slip_write.  We have to set these nonblocking after reading
  the confiramation byte.
* tun's network interface fd.

In various of these we add code to handle EINTR, too.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoIntroduce setnonblock()
Ian Jackson [Sat, 27 Sep 2014 12:26:17 +0000 (13:26 +0100)]
Introduce setnonblock()

This involves reworking setcloexec()'s implementation so that we can
reuse it.

We now treat a failure to set O_NONBLOCK in udp_make_socket as a
fatal, rather than recoverable, error.  This is fine.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoprocess: Introduce afterfork()
Ian Jackson [Sat, 27 Sep 2014 10:10:06 +0000 (11:10 +0100)]
process: Introduce afterfork()

Rework set_default_signals into afterfork, which does the sigprocmask
too.  This is necessary for processes we fork after
setup_signal_handling(), which otherwise inherit our blocking mask and
non-default handlers.

Call it after each fork() (except the ones we use for daemonising).
As a consequence:
 - hackypar children will die if they get a terminating signal
 - our subprocesses such as `route' and `ifconfig' will inherit
   reasonable signal setups
 - it will be correct to call udp_make_socket during phase RUN
   (previously any authbind would get a strange signal setup)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoudp: Break out udp_destroy_socket
Ian Jackson [Fri, 26 Sep 2014 18:26:49 +0000 (19:26 +0100)]
udp: Break out udp_destroy_socket

polypath is are going to want this.  No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoudp: Report authbind exit status as errno value if it seems appropriate
Ian Jackson [Sun, 5 Oct 2014 23:49:02 +0000 (00:49 +0100)]
udp: Report authbind exit status as errno value if it seems appropriate

authbind-helper is documented as indicating an errno value in its exit
status.  When the exit status is small enough that it's unlikely to
have come from the runtime system, print it as an errno value instead
of using lg_exitstatus.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoslip: Report unexpected kinds of death from userv
Ian Jackson [Mon, 6 Oct 2014 23:39:04 +0000 (00:39 +0100)]
slip: Report unexpected kinds of death from userv

If st->expecting_userv_exit, we are expecting userv to exit 0 or die
with SIGTERM.  If anything else happens, we should at least log it.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agologging: Use lg_exitstatus
Ian Jackson [Wed, 24 Sep 2014 23:50:10 +0000 (00:50 +0100)]
logging: Use lg_exitstatus

Replace two open-coded exit status checks with calls to lg_exitstatus.

In the case of slip.c and udp.c this has no significant effect other
than a slight change to message format.

In the case of process.c, we no longer log the command's first
argument.  I consider this tolerable for simplifying the code.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agologging: Provide lg_exitstatus
Ian Jackson [Wed, 24 Sep 2014 23:47:47 +0000 (00:47 +0100)]
logging: Provide lg_exitstatus

This will allow us to remove a bunch of formulaic exit status
handling.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agocomm: Provide udp_socks_deregister
Ian Jackson [Wed, 24 Sep 2014 00:28:23 +0000 (01:28 +0100)]
comm: Provide udp_socks_deregister

polypath is going to want this.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agocomm: Make udp_make_socket be able to tolerate failures
Ian Jackson [Mon, 22 Sep 2014 01:07:47 +0000 (02:07 +0100)]
comm: Make udp_make_socket be able to tolerate failures

Previously, it would log errors with fatal or fatal_perror.  Now it
takes a message class and uses lg_perror, and also returns a boolean
to let the caller know whether it worked.

The repetitive calls to fatal_perror in udp_make_socket have been
replaced with a couple of macros.

The one existing call site passes M_FATAL.  So no substantial
functional change in this patch.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agocomm: Formalise interface to udp sockets
Ian Jackson [Sun, 21 Sep 2014 23:51:58 +0000 (00:51 +0100)]
comm: Formalise interface to udp sockets

Have the poll registration done by the udpcommon/udpsocks code, rather
than by udp.c.  This means we can abolish the two wrapper functions,
but we do need an extra pointer in a udpsocks to find the udpcommon.

No overall functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agocomm: Break out some common udp parts
Ian Jackson [Sun, 21 Sep 2014 15:11:16 +0000 (16:11 +0100)]
comm: Break out some common udp parts

Provide a section in comm-common.h which allows other comms to share
some of the work done in udp.c.  Specifically, we provide the new
concepts of `udpsocks' and `udpcommon'.

The port configuration parameter is lifted into the udp struct.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agocomm: Break out common code in comm
Ian Jackson [Sun, 21 Sep 2014 11:05:28 +0000 (12:05 +0100)]
comm: Break out common code in comm

We are going to want to introduce a new kind of comm.  Currently we
only have one comm, udp, in udp.c - much of whose code we will want to
reuse.

Break that generic comm-handling code out into new files, functions
and macros.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agocomm: Use BUF_GET_BYTES
Ian Jackson [Thu, 2 Oct 2014 14:44:18 +0000 (15:44 +0100)]
comm: Use BUF_GET_BYTES

There are two calls in udp_afterpoll which could use BUF_GET_BYTES.
Convert them.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agocomm: Rename a lot of state pointer variables
Ian Jackson [Sun, 21 Sep 2014 22:45:01 +0000 (23:45 +0100)]
comm: Rename a lot of state pointer variables

We are going to split `struct udp' into a bunch of substructures with
their own types, to assist with reuse of the udp code in a new comm.
This is going to involve members at different levels of abstraction
being accessed through different pointer variable names.

So change the names now to aliases of the standard `struct udp *st'.
This will much reduce noise in subsequent patches.

Also rename udp.c's MAX_SOCKETS to UDP_MAX_SOCKETS.

No functional change in this patch.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agologging: Provide lg_perror and lg_vperror
Ian Jackson [Mon, 22 Sep 2014 01:00:50 +0000 (02:00 +0100)]
logging: Provide lg_perror and lg_vperror

These are convenience functions for logging module, config location,
errno value, etc., along with a full formatted message.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agopoll: Document reentrancy restriction on before()
Ian Jackson [Sun, 21 Sep 2014 14:02:40 +0000 (15:02 +0100)]
poll: Document reentrancy restriction on before()

If the before() callback might modify the wanted fds or timeouts of
other poll users, the loop over poll users in run() might produce
wrong answers.  Therefore, document that this is not permitted.  (All
of the existing before() implementations are indeed fine.)

Also, document a couple of features of the afterpoll_fn interface.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agopoll: Support deregistration from the main event loop
Ian Jackson [Sat, 20 Sep 2014 12:56:04 +0000 (13:56 +0100)]
poll: Support deregistration from the main event loop

The logic here is slightly subtle because of reentrancy hazards.  See
the comment in deregister_for_poll.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agopoll: Abolish max_nfds
Ian Jackson [Sat, 20 Sep 2014 17:16:09 +0000 (18:16 +0100)]
poll: Abolish max_nfds

We do not need to be advised of a static maximum, since we dynamically
size the array now.  Abolish the variable (which is unused) and change
all the callers.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agopoll: Avoid duplicate array index counting
Ian Jackson [Fri, 3 Oct 2014 20:43:39 +0000 (21:43 +0100)]
poll: Avoid duplicate array index counting

Calculate remain from idx at the top of the loop.  This avoids having
to keep both remain and idx in step.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agopoll: Make handling of fds array actually dynamic
Ian Jackson [Sat, 20 Sep 2014 16:28:56 +0000 (17:28 +0100)]
poll: Make handling of fds array actually dynamic

Previously we relied on the max_fds argument to register_for_poll
being big enough and allocated an array at startup.  But we are going
to want to be more dynamic, so actually do the dynamic array resizing.

We now start with a zero-sized array and increase it as needed.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agorealloc: Provide safe_realloc_ary
Ian Jackson [Sat, 20 Sep 2014 13:10:28 +0000 (14:10 +0100)]
realloc: Provide safe_realloc_ary

Also, make it OK to call safe_malloc(0).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agopoll: Introduce and use BEFOREPOLL_WANT_FDS
Ian Jackson [Sat, 20 Sep 2014 16:52:14 +0000 (17:52 +0100)]
poll: Introduce and use BEFOREPOLL_WANT_FDS

This helper macro provides a convenient implementation of the
beforepoll_fn interface for *nfds_io.  Use it everywhere.

This produces one bugfix: log_from_fd_beforepoll would fail to set
*nfds_io if it was finished,

This also arranges for many beforepoll callbacks to actually fail
properly with ERANGE if there is not enough space.  Previously they
would blithely write the next fd entry or two.  In practice the
provided fd array never runs out in the current code, so in these
cases we are just fixing latent bugs.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agomain loop: Use <bsd/sys/queue.h> for poll interest list
Ian Jackson [Sat, 20 Sep 2014 12:42:11 +0000 (13:42 +0100)]
main loop: Use <bsd/sys/queue.h> for poll interest list

This makes the code clearer, shorter and more typesafe.

It is also going to make it easier to introduce deregistration.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoudp: Use <bsd/sys/queue.h> for notify lists
Ian Jackson [Sat, 20 Sep 2014 12:24:11 +0000 (13:24 +0100)]
udp: Use <bsd/sys/queue.h> for notify lists

This makes the code clearer, shorter and more typesafe.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agohackypar: Fix coding style
Ian Jackson [Sat, 27 Sep 2014 10:28:07 +0000 (11:28 +0100)]
hackypar: Fix coding style

For some reason I didn't use the standard secnet coding style for this
file.  Fix this by reindenting, and moving functions' opening braces.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosite: Support multiple addresses base.polypath.v4 proposed.ipv6.v4
Ian Jackson [Mon, 29 Sep 2014 14:02:19 +0000 (15:02 +0100)]
site: Support multiple addresses

The `address' parameter to a site closure can now contain multiple
`address' strings, which may be multiple domain names or multiple
address literals, or some combination.

We run all the resolutions in parallel, and keep a count of how many
we have outstanding, combining the results as they come in.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoProvide dict_read_string_array
Ian Jackson [Sat, 27 Sep 2014 13:26:49 +0000 (14:26 +0100)]
Provide dict_read_string_array

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoresolver: Provide input name as argument to callback
Ian Jackson [Mon, 29 Sep 2014 14:00:47 +0000 (15:00 +0100)]
resolver: Provide input name as argument to callback

This is going to be convenient for our one call site.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agotest-example: Switch to testing IPv6 too
Ian Jackson [Fri, 19 Sep 2014 22:15:38 +0000 (23:15 +0100)]
test-example: Switch to testing IPv6 too

Make the published address of `outside' be ::1, rather than 127.0.0.1.
This means we can test both IPv4 and IPv6.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoPython IP addresses: Remove sys.path hacking from test script
Ian Jackson [Sun, 14 Sep 2014 23:14:41 +0000 (00:14 +0100)]
Python IP addresses: Remove sys.path hacking from test script

Now that we no longer have ipaddr.py in our tree, we can get rid of
this messing about with sys.path.  We use the system's ipaddr.py and
our own ipaddrset.py.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoPython IP addresses: Check for and maybe delete stale ipaddr.py
Ian Jackson [Sun, 14 Sep 2014 23:47:13 +0000 (00:47 +0100)]
Python IP addresses: Check for and maybe delete stale ipaddr.py

If ipaddr.py (or .pyc) from a previous secnet installation still
exists in /usr/share/secnet or /usr/local/share/secnet, this version
won't work.  Check for this situation in `make install' and bomb out.
Provide a `make install-force' which deletes the spurious files.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoPython IP addresses: Use modern ipaddr.py - supports IPv6
Ian Jackson [Sun, 14 Sep 2014 23:28:56 +0000 (00:28 +0100)]
Python IP addresses: Use modern ipaddr.py - supports IPv6

Switch to using the modern ipaddr.py from Scott Kitterman, and our own
ipaddrset.py.

The upshot is that make-secnet-sites now supports IPv6.

Aside from adjusting the code in make-secnet-sites to conform to the
new API, we also delete the old Cendio ipaddr.py, and delete the code
to install it, and document the new dependency both in INSTALL and in
the Debian package metadata.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoPython IP addresses: Provide ipaddrset.py library
Ian Jackson [Sun, 14 Sep 2014 21:40:52 +0000 (22:40 +0100)]
Python IP addresses: Provide ipaddrset.py library

This library module provides a class for a set of IP addresses, stored
as a list of netmasks.  This is in terms of the modern `ipaddr' module
by Scott Kitterman.

In this commit we introduce the ipaddrset.py module and its test
module.  We also patch the Makefile to install it, and test in `make
check' that it produces the expected output.

However, due to the presence of the old Cendio ipaddr.py alongside,
the provided ipaddrset-test.py needs some hideous hacking of sys.path
if it is to work when run in the ordinary way inside the secnet source
tree.  This will be removed in a later patch.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoresolver: Support IPv6 literals
Ian Jackson [Fri, 19 Sep 2014 20:02:47 +0000 (21:02 +0100)]
resolver: Support IPv6 literals

With CONFIG_IPV6, use adns_addr2text instead of inet_ntoa.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoresolver: Log reason for DNS resolution failure
Ian Jackson [Thu, 18 Sep 2014 17:38:17 +0000 (18:38 +0100)]
resolver: Log reason for DNS resolution failure

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoresolver: Support IPv6 name resolution
Ian Jackson [Tue, 2 Sep 2014 08:19:37 +0000 (09:19 +0100)]
resolver: Support IPv6 name resolution

Tell adns (via ADNS_FEATURE_MANYAF) that we want mixed address
families in the results, and handle any IPv6 addresses we find.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoudp: Support IPv6 when using authbind
Ian Jackson [Fri, 19 Sep 2014 21:48:45 +0000 (22:48 +0100)]
udp: Support IPv6 when using authbind

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoudp: Support IPv6 (mostly)
Ian Jackson [Tue, 2 Sep 2014 08:05:30 +0000 (09:05 +0100)]
udp: Support IPv6 (mostly)

Specifically:

 * struct udp now contains an array of (up to three) pairs of iaddr,
   fd.  Code which deals with the fd and addr has been updated to use
   loops etc. as appropriate.

 * The sockets are created with the right protocol family value.
   For AF_INET6, we set IPV6_V6ONLY.

 * Specifically, when transmitting, we try all appropriate sockets and
   compute the persistent-failure indication as required.

 * And a comm_addr now contains an `int ix' for udp.c's benefit,
   particularly when logging.

 * We use string_item_to_iaddr to convert the string to a socket
   address, rather than string_item_to_ipaddr.  The latter can cope
   only with IPv4 (and is now used only for private vpn addrs,
   proxies, etc.).

 * The default is now to create both IPv6 and IPv4 sockets.

Left undone are:

 * The special secnet proxy protocol has a 4-byte address prepended
   which implies IPv4.  I don't intend to fix this.

 * The authbind support for IPv6 will be in a future patch.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoudp.c: Remove some (ab)use of variable name `i'
Ian Jackson [Tue, 2 Sep 2014 07:59:44 +0000 (08:59 +0100)]
udp.c: Remove some (ab)use of variable name `i'

I find it very odd to find `item_t *i' etc.  I would like to be able
to use `int i'.  So change some uses of `i' to `item'.  (`j' in this
function will go away in the next patch so isn't worth renaming.)

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoProvide string_item_to_iaddr
Ian Jackson [Tue, 2 Sep 2014 08:04:27 +0000 (09:04 +0100)]
Provide string_item_to_iaddr

This will be used shortly.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoProvide ARRAY_SIZE
Ian Jackson [Tue, 2 Sep 2014 07:58:24 +0000 (08:58 +0100)]
Provide ARRAY_SIZE

No call sites yet.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoMake list_length and string_item_to_ipaddr const-correct.
Ian Jackson [Tue, 2 Sep 2014 07:56:50 +0000 (08:56 +0100)]
Make list_length and string_item_to_ipaddr const-correct.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoudp: Break out udp_make_socket
Ian Jackson [Tue, 2 Sep 2014 06:41:37 +0000 (07:41 +0100)]
udp: Break out udp_make_socket

Make this into a function by itself and adjust its arguments so that
when we support multiple sockets (for multiple addresses so that we
can have multiple AFs) we can just call it for each one.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoipv6: Support printing, comparing, etc. IPv6 addresses
Ian Jackson [Sun, 29 Jun 2014 22:10:31 +0000 (23:10 +0100)]
ipv6: Support printing, comparing, etc. IPv6 addresses

If we support IPv6, convert addresses with adns_addr2text.  Otherwise
stick with inet_ntoa.

With these changes, there is nothing remaining that will actually
crash secnet if it is passed an IPv6 address.  However, it is not yet
possible to mention IPv6 addresses in the configuration, and the udp
transport needs dual stack support.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoipv6: check for support in system and in adns
Ian Jackson [Sun, 29 Jun 2014 22:58:03 +0000 (23:58 +0100)]
ipv6: check for support in system and in adns

We #define CONFIG_IPV6 if the system has AF_INET6 and adns has
adns_addr2text (which only the IPv6-capable adns has).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoautoconf: Update to autoconf 2.69
Ian Jackson [Sun, 29 Jun 2014 22:54:52 +0000 (23:54 +0100)]
autoconf: Update to autoconf 2.69

Rerun autoconf (Debian 2.69-1 i386) to update the configure script.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoipv6: More buffers in iaddr_to_string
Ian Jackson [Sun, 29 Jun 2014 22:15:58 +0000 (23:15 +0100)]
ipv6: More buffers in iaddr_to_string

We are going to have addresses of multiple address families in various
places, which will mean more calls to iaddr_to_string for the benefit
of the same logging statement.

Increase the number of static buffers used by iaddr_to_string from 2
to 8.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agocomm etc.: Provide comm_addr_equal
Ian Jackson [Sun, 5 Oct 2014 11:03:21 +0000 (12:03 +0100)]
comm etc.: Provide comm_addr_equal

Abolish the rule that a comm_addr has zeroes in all its holes.
Provide comm_addr_equal instead.

We can get rid of a lot of calls to FILLZERO.

In resolver.c we no longer need to copy the fields of ia individually.
We still need to look at the incoming address family since util.c
aborts on unknown AFs and adns (perhaps a new version or something)
might have sent us things we don't understand.  (Also reorganise the
loop/switch a little to get `wslot++' out of the `case'.)

We have to move the declaration of iaddr_equal.

Abolish transport_addrs_equal and replace it at call sites with the
new comm_addr_equal.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoipv6: introduce union iaddr
Ian Jackson [Wed, 26 Feb 2014 15:57:21 +0000 (15:57 +0000)]
ipv6: introduce union iaddr

Replace many occurrences of sockaddr_in by a new union, iaddr.

Everywhere that fills in an address has been modified to look into the
subfields of iaddr.  Also, replace references to the size of a
sockaddr_in by the new function iaddr_socklen.

But there is not yet any support for a union iaddr to contain anything
other than a sockaddr_in.  This will be added gradually in forthcoming
patches, starting at consumers and working back.

Additionally, a couple of places that specified a port and address as
a uint16_t and uint32_t have been converted.

We have changed only transport addresses - that is, addresses on the
public network.  VPN addresses remain IPv4 only.

We provide a few helper functions for manipulating union iaddr, such
as iaddr_to_string (which replaces saddr_to_string).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosite: Remove "wishful thinking" from transport address handling comment
Ian Jackson [Fri, 19 Sep 2014 21:02:30 +0000 (22:02 +0100)]
site: Remove "wishful thinking" from transport address handling comment

We have now completed the implementation of the algorithms described
in the comment.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosite: Change default number of mobile peers
Ian Jackson [Fri, 3 Oct 2014 17:32:25 +0000 (18:32 +0100)]
site: Change default number of mobile peers

As the comment has it:

   - The default number of addrs to keep is 3, or 4 if we have a
     configured name or address.  That's space for two configured
     addresses (one IPv6 and one IPv4), plus two received addresses.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosite: Permit multiple peer addresses even if peer is static
Ian Jackson [Sat, 20 Sep 2014 00:14:17 +0000 (01:14 +0100)]
site: Permit multiple peer addresses even if peer is static

This is necessary to permit multiple addresses of multiple address
families.  We (arbitrarily) set the default limit to 3.

Abolish the MAX_MOBILE_PEERS_MAX constant and size the peer addresses
array by MAX_PEER_ADDRS directly.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoresolver: construct comm_addr; honour multiple addresses from the resolver
Ian Jackson [Sat, 28 Jun 2014 16:32:34 +0000 (17:32 +0100)]
resolver: construct comm_addr; honour multiple addresses from the resolver

We move construction of the comm_addr into the resolver.  The comm_if
and port are supplied to it by site and filled in by the resolver.
This allows the resolver to return a complete comm_addr array.

While we're here, we make an adns_r_addr query instead of an adns_r_a
query.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosite: transport peers: Update bulk of code for multiple addresses
Ian Jackson [Sat, 28 Jun 2014 16:15:37 +0000 (17:15 +0100)]
site: transport peers: Update bulk of code for multiple addresses

Make the transport_peers functions which receive name resolution
information cope with multiple addresses.

(We cannot yet receive multiple addresses from the resolver.  That
will come next.)

This is just plumbing: no functional change (other than tiny
changes to log messages) in this patch.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosite: Provide transport_record_peers to cope with multiple addresses
Ian Jackson [Sat, 28 Jun 2014 16:11:07 +0000 (17:11 +0100)]
site: Provide transport_record_peers to cope with multiple addresses

This is a complete replacement of transport_record_peer by this new
function.  The semantics are similar to the old function, except that
the new one copes with multiple addresses at once (ensuring that they
arrive, in order, at the front of the array).  It now needs its
caller to call transport_peers_expire.

We provide a convenience function transport_expire_record_peers for
the various call sites that want to call expire and then record.

As yet, there are no callers of transport_record_peers which pass
naddrs!=1 so there is no overall functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosite: transport peers: Delete or demote unsuitable peers addresses
Ian Jackson [Sat, 28 Jun 2014 14:32:19 +0000 (15:32 +0100)]
site: transport peers: Delete or demote unsuitable peers addresses

If comm signals that the address is unuseable (ie we have no IPv4 or
IPv6 interface or routing), delete the address.  Or, if we are mobile,
demote it to the end of the list (since we might gain appropriate
routing in the future).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agocomm_if: Define the meaning of ->sendmsg returning false
Ian Jackson [Sat, 28 Jun 2014 13:26:56 +0000 (14:26 +0100)]
comm_if: Define the meaning of ->sendmsg returning false

site's transport logic is going to want to know when a failure occurs
which is attributable to the address being unsuitable for the local
network environment (eg v4 address on v6-only host).

Use the boolean return value from sendmsg for that.

At the moment all the callers ignore the return value, and the only
actual sendmsg function always returns true.  This is consistent with
the new semantics.

Therefore, no functional change in this patch.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosite: transport peers: Notes on multi-address-family (IPv6) support
Ian Jackson [Sat, 28 Jun 2014 13:18:19 +0000 (14:18 +0100)]
site: transport peers: Notes on multi-address-family (IPv6) support

Update the comment about transport peer address handling.  This
defines the new regime for dual-stack support, which are going to
implement in the following patches.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosite: transport peers: Formalise interface to transport peers
Ian Jackson [Wed, 25 Jun 2014 20:32:45 +0000 (21:32 +0100)]
site: transport peers: Formalise interface to transport peers

Make the interface to the transport peers functions more formal:
define when each function is called and what (roughly) it should do.

Remove the predeclaration of transport_record_peer.  This is now an
internal function for the transport peer management code; there are no
callers in the body of site.c and we can remove the declaration.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosubnet_to_string: Do not allocate
Ian Jackson [Fri, 19 Sep 2014 22:37:58 +0000 (23:37 +0100)]
subnet_to_string: Do not allocate

None of the three call sites want to keep the value for any length of
time - they just use it right away.  Replace the allocation with a use
of the round-robin buffers from ipaddr_getbuf, and remove the frees at
the call sites.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoUse memcpy helpers and FILLZERO
Ian Jackson [Thu, 2 Oct 2014 14:28:54 +0000 (15:28 +0100)]
Use memcpy helpers and FILLZERO

Replace various calls to memcpy and memset with equivalent calls to
these macros.

There are still a couple of open-coded memcpy(,buf_unprepend(),)
in udp.c's proxy code which will be done later.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoProvide various wrappers for memcpy (COPY_OBJ, BUF_...)
Ian Jackson [Thu, 2 Oct 2014 14:26:58 +0000 (15:26 +0100)]
Provide various wrappers for memcpy (COPY_OBJ, BUF_...)

These wrappers avoid specifying the size separately or twice, and
COPY_OBJ can check for type safety.

No call sites yet.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosite: Permit transport-peers-max to be equal to MAX_PEER_ADDRS
Ian Jackson [Fri, 3 Oct 2014 20:21:39 +0000 (21:21 +0100)]
site: Permit transport-peers-max to be equal to MAX_PEER_ADDRS

Not just one less.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoMakefile.in: Use -MMD, not depend.sh
Ian Jackson [Thu, 2 Oct 2014 15:29:21 +0000 (16:29 +0100)]
Makefile.in: Use -MMD, not depend.sh

Generate the dependency information in .d files automatically with
-MMD, rather than explicitly in the Makefile.  This is faster, and
more reliable.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoautoconf: Provide an autogen.sh
Ian Jackson [Sun, 5 Oct 2014 20:05:58 +0000 (21:05 +0100)]
autoconf: Provide an autogen.sh

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agotest-example: Provide a fuzzer for the slip decoder base.ipv6.v3 base.ipv6.v4
Ian Jackson [Sun, 21 Sep 2014 16:53:41 +0000 (17:53 +0100)]
test-example: Provide a fuzzer for the slip decoder

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoslip: Do not malloc the userv activation context etc.
Ian Jackson [Mon, 22 Sep 2014 14:40:40 +0000 (15:40 +0100)]
slip: Do not malloc the userv activation context etc.

This is unnecessary, as its lifetime does not exceed that of the stack
frame.  Replace all the fixed-size malloc/free pairs with local
variables.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agofds: Introduce pipe_cloexec()
Ian Jackson [Sat, 27 Sep 2014 10:41:53 +0000 (11:41 +0100)]
fds: Introduce pipe_cloexec()

Replace all calls to pipe() with this new function, which checks
errors for us, and also sets both fds to close-on-exec.

There are some minor functional changes:
 * Error messages from pipe() failing are now less detailed about the
   context.  This is not important.
 * The signal self-pipe is now cloexec too.  This is at worst harmless.
 * When execing userv-ipif we rely on cloexec to close the spare
   copies of the pipe ends.
 * The stderr self-pipe spare writing end is redudantly made cloexec
   even though it is about to be closed shortly afterwards.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agofds: Simplify fd close condition in tun_set_route
Ian Jackson [Sat, 27 Sep 2014 10:58:42 +0000 (11:58 +0100)]
fds: Simplify fd close condition in tun_set_route

Recreating the condition under which the fd was opened is confusing
and fragile.  Instead, simply close it if we opened it, which we can
tell from the value of the variable (because we initialise it to -1 at
the top).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agofds: Provide cloexec() and use it in udp.c and tun.c
Ian Jackson [Mon, 22 Sep 2014 14:51:30 +0000 (15:51 +0100)]
fds: Provide cloexec() and use it in udp.c and tun.c

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agochangelog, Makefile.in: finalise 0.3.4 base.fuzz-slip-decoder.2 base.fuzz-slip-decoder.v2
Ian Jackson [Mon, 22 Sep 2014 15:17:02 +0000 (16:17 +0100)]
changelog, Makefile.in: finalise 0.3.4

4 years agoSECURITY: fixed fix to buffer handling
Simon Tatham [Mon, 22 Sep 2014 09:28:05 +0000 (10:28 +0100)]
SECURITY: fixed fix to buffer handling

The implementation of buf_remaining_space in 92795040 was entirely
broken.  It failed to take buf->size into account at all !

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agochangelog, Makefile.in: finalise 0.3.3
Ian Jackson [Fri, 19 Sep 2014 22:51:40 +0000 (23:51 +0100)]
changelog, Makefile.in: finalise 0.3.3

4 years agobuffers: Rename buffer_if.len to buffer_if.alloclen.
Ian Jackson [Fri, 19 Sep 2014 23:05:19 +0000 (00:05 +0100)]
buffers: Rename buffer_if.len to buffer_if.alloclen.

This field contains the total amount of space allocated, starting at
base, which may be less than the amount of space available after
start.

Rename it to help avoid confusion.  This also enabled me to review
every site where this variable was used to verify that the length
checks are all now correct.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agobuffers: Introduce buf_remaining_space
Ian Jackson [Fri, 19 Sep 2014 23:03:20 +0000 (00:03 +0100)]
buffers: Introduce buf_remaining_space

This calculates the remaining space available to append to a buffer.

Use it in tun_afterpoll and udp_afterpoll (no functional change),
slip_unstuff and buf_append (fixes what appear to be latent bugs).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoipaddr_to_string: SECURITY: Do not allocate
Ian Jackson [Fri, 19 Sep 2014 22:35:06 +0000 (23:35 +0100)]
ipaddr_to_string: SECURITY: Do not allocate

ipaddr_to_string is used in many places including runtime logging.
Handling its memory allocation is annoyingly fiddly.  Indeed there is
at least one possible memory leak, which represents a potential denial
of service bug.

None of the callers keep the answers for any length of time.

So make it return the next one of a series of round-robin buffers,
instead, and remove all the freeing at all the call sites.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agoudp: SECURITY: Pass correct size argument to recvfrom
Ian Jackson [Fri, 19 Sep 2014 22:21:22 +0000 (23:21 +0100)]
udp: SECURITY: Pass correct size argument to recvfrom

Otherwise we risk overflowing the buffer.  This is a critical security
problem.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agochangelog, Makefile.in: finalise 0.3.3~beta1
Ian Jackson [Thu, 18 Sep 2014 23:19:31 +0000 (00:19 +0100)]
changelog, Makefile.in: finalise 0.3.3~beta1

4 years agosite: transport peers: Use source of NAK packets as reply address
Ian Jackson [Wed, 25 Jun 2014 20:43:00 +0000 (21:43 +0100)]
site: transport peers: Use source of NAK packets as reply address

If we get a NAK from our current peer and initiate a key exchange, we
should take the source address of the NAK as a hint for the peer's
public address.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosite: transport peers: MSG1: use transport_compute_setupinit_peers
Ian Jackson [Wed, 25 Jun 2014 20:32:03 +0000 (21:32 +0100)]
site: transport peers: MSG1: use transport_compute_setupinit_peers

This implies a functional change: now we start out with the data
transport peers.  For a mobile peer this is a bugfix; for a non-mobile
peer it implies no functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosite: transport_peers: Rename incoming_packet_addr
Ian Jackson [Wed, 25 Jun 2014 20:26:29 +0000 (21:26 +0100)]
site: transport_peers: Rename incoming_packet_addr

Rename the prod_hint_addr argument; we are going to use it for other
things too.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agosite: transport peers: Break out transport_resolve_complete,_tardy
Ian Jackson [Wed, 25 Jun 2014 17:37:24 +0000 (18:37 +0100)]
site: transport peers: Break out transport_resolve_complete,_tardy

Make two new functions
  transport_resolve_complete
  transport_resolve_complete_tardy
which encapsulate the transport peers manipulations for these two
situations.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agotest-example: Provide clean target in Makefile
Ian Jackson [Sun, 14 Sep 2014 16:00:06 +0000 (17:00 +0100)]
test-example: Provide clean target in Makefile

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years agomake-secnet-sites: Put our path component at the beginning
Ian Jackson [Sun, 14 Sep 2014 15:57:28 +0000 (16:57 +0100)]
make-secnet-sites: Put our path component at the beginning

Otherwise installing the modern `ipaddr' python module (as found eg
python-ipaddr.deb) breaks secnet, because it will appear on the path
before our own copy of the Cendio Systems AB one.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
5 years agochangelog, Makefile.in: finalise 0.3.2
Ian Jackson [Thu, 26 Jun 2014 19:29:54 +0000 (20:29 +0100)]
changelog, Makefile.in: finalise 0.3.2

5 years agochangelog, Makefile.in: finalise 0.3.2~beta1
Ian Jackson [Fri, 6 Jun 2014 00:18:59 +0000 (01:18 +0100)]
changelog, Makefile.in: finalise 0.3.2~beta1

5 years agosite: Force use of configured name only if we are mobile
Ian Jackson [Mon, 2 Jun 2014 16:45:52 +0000 (17:45 +0100)]
site: Force use of configured name only if we are mobile

In c22c3541 we arranged to honour our local configured name for the
peer even if the peer initiated the key setup.  Previously we used the
address on the incoming packets.

However, this change can break some half-broken configurations, which
would otherwise mostly work.  Some of these configurations may even be
deliberate, as a kind of poor version of the mobile site feature.

But, if we are a mobile site it is very unlikely that we have a broken
name or address (or at least, if we do, that things would work well).

So, for now, restrict this new behaviour to the situation where we are
mobile.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
5 years agochangelog: Document additional name resolution
Ian Jackson [Sun, 18 May 2014 13:54:20 +0000 (14:54 +0100)]
changelog: Document additional name resolution

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
5 years agosite: Do name resolution on peer-initiated key setup too
Ian Jackson [Tue, 13 May 2014 23:40:44 +0000 (00:40 +0100)]
site: Do name resolution on peer-initiated key setup too

The current arrangement locks in the peer address used for key
exchange, for the lifetime of the key.

Most configurations do not have the secnet bind to a particular
address.  And secnet takes no particular care about the source address
on its packets.  The result is that secnet might reply from a
different address.  (Also NAT might cause this effect.)

But (unless the peer is mobile) it is not ideal to use an address
other than the configured address.  In particular, if we are mobile
then the network environment, and our routing to the peer, might
change so that the previous source address is not valid.  This could
result in an extended failure (of up to the key expiry lifetime).

Arguably this is a configuration error, but there is another reason to
dislike the current behaviour: it has the rather odd property that if
an opponent (or incompetent middlebox) reroutes/NATs the packets
during key exchange, the entire dataflow (at least in one direction)
might end up sent via a bizarre route (or, if the environment changes,
not delivered).

We still want to use the peer's address as a hint though: otherwise we
would have to stall a peer-initiated key setup while resolution takes
place.

So:

 * Initiate a peer address lookup when we get an incoming MSG1, if we
   have a configured name or address.  We do this in parallel with the
   key exchange.  (As a result it is possible that a peer address
   lookup might complete well after the key exchange has finished.)

 * Except, when the incoming MSG1 has crossed with ours, we must
   already have done the the lookup so do not do it again.

 * And, in this latter case do not unconditionally record the incoming
   peer address; instead, treat it as a "msgok"; otherwise we might
   unjustifiably overwrite an address we got from the configuration
   with the incoming address from the packet.

 * The two points above mean moving the transport_record_peer from
   process_msg1 into its two call sites, since the logic now needs to
   differ between them.

 * Handle the results of the MSG1-prompted peer address lookup.  In
   SITE_RESOLVE we do as we did before.  In most of the other states,
   we record the address and use it for future communications.

 * If the resolution fails with a non-mobile site, keep using the
   apparently-working peer address(es).

 * With a mobile site the currently working peer address might stop
   working so this is not acceptable.  In that case, make arrangements
   that a failed peer address lookup will be retried quickly - but in
   the meantime, there is no need to halt the packet flow.

 * If the attempt to submit the resolver query fails, just use the
   apparent peer address as before.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
Changes in v2:
  * Run the resolution after entering the new state, not before.
    Otherwise if we get the callback reentrantly, we get a bit
    confused.

5 years agosite: Log when resolution completes
Ian Jackson [Sat, 17 May 2014 15:57:10 +0000 (16:57 +0100)]
site: Log when resolution completes

This helps with debugging dns and reentrancy problems.

Also, assert in ensure_resolving that we have an address.  This makes
it slightly clearer that callers are expected to have checked this.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
New patch in v2 of the series.

5 years agosite: Make local_mobile be a site state variable
Ian Jackson [Tue, 13 May 2014 23:18:38 +0000 (00:18 +0100)]
site: Make local_mobile be a site state variable

We are going to want to know whether we are mobile to decide how to
handle certain name resolution failures.

Also fix a typo in a comment.

No functional change in this patch.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
5 years agosite: Explicitly track name resolution status
Ian Jackson [Tue, 13 May 2014 20:17:20 +0000 (21:17 +0100)]
site: Explicitly track name resolution status

Introduce a new variable st->resolving which tracks whether we have an
outstanding name resolution request.  This makes it safe to (try to)
start name resolution (via the new function ensure_resolving) multiple
times etc.

No resulting functional change from just this patch.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
Changes in v2:
  * Do slightly complicated dance with st->resolving, which is needed
    because of the reentrancy hazard posted by resolver->request.  In
    v1 of the series there was a bug here which could cause the site
    state machine to lock up.

5 years agosite: Fix bugs when resolver request submission fails
Ian Jackson [Tue, 13 May 2014 20:08:03 +0000 (21:08 +0100)]
site: Fix bugs when resolver request submission fails

Previously, if adns_submit failed:
 - the struct query in resolver.c was leaked
 - nothing was logged
 - the return value from resolver->request was ignored so the site
   state machine would hang

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
Changes in v2:
  * Fixed typo in commit message.