Administrivia: Fix erroneous GPL3+ licence notices "version d or later" (!) Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Copyright updates - update to GPLv3, etc. Update to GPLv3. secnet as actually installed is GPLv3+ anyway because it depends on python-ipaddr (Apache 2.0, which is GPLv2-incompatible), adns (now GPLv3+), and libgmp (now LGPLv3+). Also: * Add missing copyright notices and credits. * Get rid of old FSF street address; use URL instead. * Remove obsolete LICENCE.txt (which was for snprintf reimplementation). * Remove obsolete references to Cendio (for old ipaddr.py, now gone). Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
NEW etc.: Use NEW in all obvious places Entirely automatic conversion, using the following Perl rune: perl -i~ -pe 's#^(\s+)(\w+)=safe_malloc\(sizeof\(\*\2\),"[^"]+"\);$#$1NEW($2);#' *.c conffile.fl conffile.y Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
fds etc.: Support non-forking persistent children Polypath is are going to want to spawn a persistent child process, which will not exec. This child ought not to hold onto the various important fds. Otherwise, if the main secnet process dies but the child does not (for some reason), the network interfaces, udp sockets, etc., set up by the old secnet will remain owned by the child. Introduce a new PHASE for this purpose (currently never entered). Provide a convenient common hook function for closing a single fd. Add phase hooks to: * Close udp sockets (in the udp and polypath comm modules); * Close the pipes to userv-ipif (slip netlink module); * Close the tun device (tun netlink module); * Zero out data transport keys, to improve forward secrecy in case the subprocess leaks somehow. (Sadly we can't conveniently find the asymmmetric crypto session key negotiation state to wipe it.) Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
slip: Remove an incorrect XXX comment There is no need to strdup anything before calling exec (or exit, of course). Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
fds: Make many fds nonblocking Introduce iswouldblock to cope with POSIX not specifying which of EAGAIN or EWOULDBLOCK you get). In various subsystems, make more fds nonblocking and handle errors appropriately. Specifically: * Logging self-pipe reading end. * Signal self-pipe reading end. * SLIP both ends. Fixing the writing end involves breaking out a new function slip_write. We have to set these nonblocking after reading the confiramation byte. * tun's network interface fd. In various of these we add code to handle EINTR, too. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
slip: Report unexpected kinds of death from userv If st->expecting_userv_exit, we are expecting userv to exit 0 or die with SIGTERM. If anything else happens, we should at least log it. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
logging: Use lg_exitstatus Replace two open-coded exit status checks with calls to lg_exitstatus. In the case of slip.c and udp.c this has no significant effect other than a slight change to message format. In the case of process.c, we no longer log the command's first argument. I consider this tolerable for simplifying the code. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
poll: Abolish max_nfds We do not need to be advised of a static maximum, since we dynamically size the array now. Abolish the variable (which is unused) and change all the callers. No functional change. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
poll: Introduce and use BEFOREPOLL_WANT_FDS This helper macro provides a convenient implementation of the beforepoll_fn interface for *nfds_io. Use it everywhere. This produces one bugfix: log_from_fd_beforepoll would fail to set *nfds_io if it was finished, This also arranges for many beforepoll callbacks to actually fail properly with ERANGE if there is not enough space. Previously they would blithely write the next fd entry or two. In practice the provided fd array never runs out in the current code, so in these cases we are just fixing latent bugs. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
subnet_to_string: Do not allocate None of the three call sites want to keep the value for any length of time - they just use it right away. Replace the allocation with a use of the round-robin buffers from ipaddr_getbuf, and remove the frees at the call sites. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
slip: Do not malloc the userv activation context etc. This is unnecessary, as its lifetime does not exceed that of the stack frame. Replace all the fixed-size malloc/free pairs with local variables. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
fds: Introduce pipe_cloexec() Replace all calls to pipe() with this new function, which checks errors for us, and also sets both fds to close-on-exec. There are some minor functional changes: * Error messages from pipe() failing are now less detailed about the context. This is not important. * The signal self-pipe is now cloexec too. This is at worst harmless. * When execing userv-ipif we rely on cloexec to close the spare copies of the pipe ends. * The stderr self-pipe spare writing end is redudantly made cloexec even though it is about to be closed shortly afterwards. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
buffers: Introduce buf_remaining_space This calculates the remaining space available to append to a buffer. Use it in tun_afterpoll and udp_afterpoll (no functional change), slip_unstuff and buf_append (fixes what appear to be latent bugs). Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
netlink: Move local_address into struct netlink All the actual netlinks have this, and proper ICMP generation on point-to-point links is going to need it. The dummy "null" netlink previously didn't have this parameter; now, it is mandatory. This is an incompatible configuration change, but only for configurations which contain a null netlink - which we think is only done for testing or debugging. No other functional change. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
slip: Drop packets >mtu (SECURITY) Trying to send them to the kernel crashes userv-ipif. This is a DoS vulnerability, exposed to internal sites only. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
slip: Buffer management (max_start_pad) fixes Nothing in slip.c calls buffer_init for the first packet. We don't normally notice this because userv-ipif _both_ prints a confirmation END byte right away, _and_ bookends packets with ENDs. But this should be fixed. Otherwise we fail an assertion when we try to prepend things to the first data packet. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
max_start_pad: calculate globally, not via client graph There is quite a lot of plumbing of max_start_pad values from one place to another. Sadly this plumbing is not complete, which can lead to crashes as the start padding is exhausted. And completing it is a lot of work which would be difficult to get correct, even if that's possible in principle. Instead, we take a different approach. We calculate a single global max_pad_start value that can be used everywhere. It is the sum of: * Headers that "site" instances might need add to the start of packets (source and destination site indices, message type both inside and outside the encryption; * Anything that "transform" instances might need to add to the start of packets. This depends on the transforms, but since it isn't a priori predictable which path any particular incoming packet might take, we have to take the worst case. These transform instances are applied only by "site" and each packet goes through at most on "forward" transform instance. * Anything that "comm" instances might need to add. This is currently only needed for the proxy feature. This is based on the assumption that a packet may follow one of these paths: comm -->- site_incoming --. ,-- site_outgoing -->- comm \ / netlink / \ tun/slip ----->-----------' `------>---------- tun/slip On the inbound side, tun and slip have to set up the buffer with the necessary start padding. site_incoming only removes stuff from the beginning (since it uses transform->reverse). netlink doesn't add or remove anything. It is site_outgoing and comm which may need to prepend things. site additionally calls transform->forwards. If in the future a module appears which can take packets out of the RHS of this diagram and feed them back into the left, it may have to do something about the buffer. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Use FORMAT everywhere, and fix up the errors it finds Many printf-like variadic functions weren't properly decorated with FORMAT annotations. Add them everywhere. It is not possible to annotate a function pointer type, so that doesn't work for the function pointers in struct log_if. However, we have convenience wrapper functions slilog and vslilog, which are appropriately decorated and therefore safer. Change all call sites to use those instead, and leave a comment. (Rename the function pointer variable names so that we don't miss any call sites.) Fix the bugs that this new compiler checking reveals. These are nearly all in fatal error reporting, and not very scary. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
unaligned.h: rationalise; provide buf_append_uint8 et al Replace the formulaic macros buf_{,un}{append,prepend}_{uint32,uint16} with some macro-generated inline functions. These have better typechecking, and are also better because it's not possible to accidentally mess up one of the definitions by failing to permute it in the right way. Add the functions for uint8 too. This involves providing put_uint8 and get_uint8 macros, which we do along the lines of the existing put_ and get_ macros. Use the new uint8 function in the one place where it's currently useful. More call sites will appear shortly. Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>