chiark - git - ianmdlvl - secnet.git/log

site: transport peers: fix incorrect stride when debug output enabled

When there are multiple peer addresses, attempts to copy them from one
table of peers addresses to another with transport_peers_copy will go
wrong because the stride argument to transport_peers_debug is wrong -
we take sizeof() the pointer rather than of the array element.

This will typically cause a segfault if it happens, but the bug can
only be triggered if LOG_PEER_ADDRS debugging is enabled.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

messages: add some missing newlines

Message and cfgfatal must be called with a message containing a
newline (or, a newline sent in a later call). Fix a few call sites.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

log: Print truncated messages

If a message doesn't survive the vsnprintf in vMessage untruncated,
the result may be that its newline is lost.  After that, buff will
never manage to gain a newline and all further messages will be
discarded.

Fix this by always putting "\n\0" at the end of buff.  That way a
truncated message is printed and the buffer will be cleared out for
the next call.

This does mean that sometimes a message which is just slightly shorter
than the buffer will produce a spurious empty message sent to the
syslog.  However, the whole logging approach here will inevitably
occasionally insert spurious newlines, if only to split up long
messages; long messages may also be truncated.  The bad effect of the
change in this patch is simply to make the length at which
infelicities appear very slightly shorter.  The good effect is that it
turns a very nasty failure mode into a benign one.

So I think it is reasonable to err on the side of code which clearly
cannot go wrong in a bad way.  Other approaches which make the
infelicity threshold a couple of characters longer, or which slightly
reduce the different kinds of infelicity, are much more complicated
and therefore more likely to have bugs.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

log: Eliminate potential out-of-control recursion

vMessage looks for the system log instance.  If there is one, it uses
it; otherwise it just uses stderr or stdout.

The system log instance consists, eventually, of syslog_vlog or
logfile_vlog.  Both of these functions have a fallback: if they are
properly set up they do their thing; otherwise they call vMessage.
This is wrong because in this situation they have probably been called
by vMessage so it doesn't help.

At first sight this ought to produce unbounded recursion but for
complicated reasons another bug prevents this.  Instead, messages can
just vanish.

Break out the fallback mode of [v]Message into [v]MessageFallback so
that syslog_vlog and logfile_vlog can use it directly.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Makefile: honour EXTRA_CFLAGS, etc.

This makes it easier to add command-line options at build-time.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

SECURITY: actually reject messages with improper lengths

transform_reverse checks to see if the incoming message is a multiple
of the block cipher block size.  If the message fails this check, it
sets *errmsg but it fails to return.  Instead, it proceeds to attempt
to decrypt it.  This will involve a buffer read/write overrun.

It transform_reverse fails to check to see if the incoming message is
long enough to contain the IV, MAC and padding.  This can easily be
exploited to cause secnet to segfault.

buffer_unprepend should check that the buffer has enough data in it to
unprepend.  With the other patches, this should be irrelevant, but it
turns various other potential read overrun bugs into crashes.

site_incoming should check that the incoming message is long enough.
Again, without this, this is an buffer read overrun or possibly a
segfault.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

userv-ipif: Always request routes from userv, regardless of link quality

Previously the userv-ipif netlink would not request (from userv) a
route for a site for which the link quality was DOWN. The link
quality is a dynamic quantity but userv-ipif lacks any machinery for
dynamically adding routes, so this is wrong.

Instead, in userv-ipif, unconditionally add routes for all sites,
regardless of link up status.

In practice this code is run during startup and the only reason a link
might be down at that point, ie LINK_QUALITY_DOWN, is that it does not
have an address configured. Mobile sites are often in this situation.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

build system: Update build-dependency information

Update build-dependency documentation and add missing references to
flex and bison to debian/control.

Signed-off-by: Matthew Vernon <matthewv@chiark.greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: Do not permit "include" in simple sites files

Restrict the "include" directive to the "header" of -u (groupfile
update) mode. Callers who are simply using make-secnet-sites to
transform a (possibly untrusted) sites file into a (to be trusted)
sites.conf file should not have to worry about includes.

"include" directives are already forbidden in group files.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: In -u mode, output file "dereferences" include directives

Whenm make-secnet-sites is writing the "output" sites file in -u
(groupfile update) mode, it includes the effective contents of files
referenced in "include" directives, rather than the "include"
directive itself.

So the "output" sites file does not any longer depend on any files
included by the header.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: Do newline-trimming in pline()

This will make life a little easier in a future patch. While we're at
it, use rstrip rather than open-coding it.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: Actually include addresses in sites.conf

This was broken in

   commit c9d84e31f48a04eb0af525324707f22c738cc8b7
   Author: Ian Jackson <ijackson@chiark.greenend.org.uk>
   Date:   Sat Dec 17 21:21:47 2011 +0000

       make-secnet-sites: Allow sites with no address

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: If definition found in wrong place, bomb out

If it doesn't exit here, make-secnet-sites might subsequently crash
with Python stack backtrace.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: New -P <prefix> option

make-secnet-sites generates a config file which defines the keys
"vpn-data", "vpn", and "all-sites".

To make it possible to usefully include the output of more than one
different piece of output from make-secnet-sites, support the option
-P <prefix>, which generates a config file which defines
"<prefix>vpn-data", "<prefix>vpn", and "<prefix>all-sites".

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: Allow sites with no address

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: Fix userv invocation after pfilepath

The commit 9b8369e07aeba5ed2c69fb4a7f74d07c8cebe015
make-secnet-sites: refactor to break out new function "pfilepath"
broke the userv service invocation, because it turned out that later
code depended on the "headerinput" variable whose assignment had been
removed and replaced by a call to pfilepath.

Make pfilepath return the lines read from the file and assign the
result to headerinput.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

netlink: Fix up link down behaviour

Partially reverts 04f92904ea6c41517ff7154910c16ef4c3bc646b
"userv-ipif: Always request routes from userv, regardless of link quality"

It turns out that this check is necessary to avoid bringing up a route
for a "netlink" stanza in the configuration file which is never used.

In particular, this avoids bringing up a netlink for (a) sites which
are not mentioned in the config file (b) the site on which secnet is
running.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

userv-ipif: Always request routes from userv, regardless of link quality

Previously the userv-ipif netlink would not request (from userv) a
route for a site for which the link quality was DOWN. The link
quality is a dynamic quantity but userv-ipif lacks any machinery for
dynamically adding routes, so this is wrong.

Instead, in userv-ipif, unconditionally add routes for all sites,
regardless of link up status.

In practice this code is run during startup and the only reason a link
might be down at that point, ie LINK_QUALITY_DOWN, is that it does not
have an address configured. Mobile sites are often in this situation.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: new "include" keyword

Allow "headers" files and "sites" files to contain "include"
directives.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

make-secnet-sites: refactor to break out new function "pfilepath"

No intentional functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

build system: More release checklist updates

Need to "make dist" again.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Update VERSION

build system: Fix Ian's email address in debian/changelog

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

authbind: get endianness right (again)

It appears that:

* authbind's documentation authbind-helper(8) describes the
   endianness convention of authbind's helper program incorrectly.
   See Debian #651694.

* The version of secnet 0.1.16 tagged as such in revision control
   contains a "fix" which was based on the authbind documentation but
   not apparently tested against authbind.  Ie, this part from NEWS:
    4) Change the endianess of the arguments to authbind-helper.
       sprintf("%04X") already translates from machine repesentation to most
       significant octet first so htons reversed it again.

* The version of secnet 0.1.16 actually in service on chiark had an
   out-of-version-control change to udp.c to make it work with
   chiark's authbind 1.2.0.  The actual code found has been recorded
   on the dead branch "chiark-0.1.16" in the master git repo, but the
   version of udp.c is exactly that from 0.1.15 so it looks like we
   just reverted to the previous udp.c during deployment of 0.1.16.

* We (re)discovered all this after the release of secnet 0.2.0
   because my attempt to deploy 0.2.0 on chiark was not actually
   effective.

Therefore, undo the authbind endianness change introduced in secnet
0.1.16.  This is most easily achieved by constructing the arguments to
the helper from the sockaddr rather than the contents of "st".

Thanks are due to Simon Tatham for the bug report.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Update VERSION

build system: Further improvements to release checklist

We have to:
* Update debian/changelog
* Build a new .deb
* Copy the files to chiark:~secnet/ in case anyone looks there

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

New --managed option for use when running under a daemon supervisor.

The effect is secnet is told that it is running as a daemon right from
the start, so it knows to follow the logging rules for daemons but not
to fork.

The conflation of daemonization with dropping privilege is also
unpicked by this patch. Most importantly this ensures that errors
from PHASE_GETRESOURCES operations such as 'route' commands is sent to
the logfile (or syslog).

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Make the list of phases be an enumeration.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Set group ID and group list.

More sensible username lookup.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

build system: Include signing of tarballs in release checklist

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

build system: New "make dist" uses git; add release checklist

We no longer try to separately track which files should be shipped in
the tarball. Instead, the tarball contains exactly the same files as
the repo.

Add a release checklist at the bottom of Makefile.in, based on the one
from the stable branch (in 813ff677f7020b12fb1356e977a73dc910e64ce5).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

md5: correct size arg to memset().

On realistic targets the effect of the error was that the MD5 context
wasn't fully cleared.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

cleanup: build on Ubuntu Lucid

The discard() idiom is chosen because Clang tolerates it.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Add a man page.

As it stands it is purely reference material - no conceptual or
tutorial stuff whatsoever.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Remove snprintf reimplementation.

We don't want to think about the "Frontier Artistic License" and the
requirements it may or may not impose on distribution of secnet.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Config file fixes.

* Reject integers in excess of 2^32-1 (rather than reducing them mod
  2^32).
* ptree_dump():
  - Remove a magic number.
  - More realistic recursion limit.
* Various bits of type hygeine.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Detect Fink automatically.

The logic is that if Fink is in the path then we should use it. So
(unlike certain build systems I could mention) if you want to use a
local install of GMP, it should be sufficient to run ./configure
without /sw/bin in the path.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

OSX: fix home directory in setup.mac.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Mobile sites: Update test example

Make the "inside" site in test-example be mobile.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Multiple udp ports: Add to test

For testing, add an extra port to one of the sites in test-example.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Multiple udp ports for the same site (multiple "comm"s)

Now you can meaningfully specify more than one comm closure (ie, more
than one udp port) for a site. secnet will respond to incoming key
exchange and data packets on any of the ports.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Mobile sites: Support in make-secnet-sites

This allows a sites file to specify that a site is mobile; the mobile
flag gets propagated into the generated sites.conf.

Includes new support for boolean values.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Mobile sites: Use different default tuning parameters

Links involving mobile peers are best served by somewhat different
tuning parameters. So make the defaults vary accordingly.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Mobile sites: Require specification of whether we think we are mobile

We introduce a new config option "local-mobile" which must match our
peers' idea of whether we are mobile. This is cross-checked with the
"site" entry for our own site, if there is one, to detect mistakes.

We do not transfer this data in the protocol because we don't want to
break compatibility with older secnets which do not understand mobile
peers at all.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Mobile sites: Maintain multiple addresses for some peers (new feature)

Provides the following new config option, and some satellite options:

  mobile (bool): if True then peer is "mobile" ie we assume it may change
    its apparent IP address and port number without either it or us
    being aware of the change; so, we remember the last several port/addr
    pairs we've seen and send packets to all of them (subject to a timeout).
    We maintain one set of addresses for key setup exchanges, and another for
    data traffic. [false]

In the code this involves replacing the comm_addrs for setup_peer and
peer with a new struct transport_peers which contains zero or more
comm_addrs.  This subsumes peer_valid, too.

Additionally, we are slightly cleaner about the use of setup_peer: we
ensure that we clean it out appropriately when we go into states where
it won't (shouldn't) be used.

The transport_peers structure is opaque to most of site.c and is
manipulated by a new set of functions which implement the detailed
semantics described in site.c.

The main code in site.c is no longer supposed to call dump_packet and
st->comm->sendmsg directly; it should use transport_xmit (which will
do dump_packet as well as appropriate sendmsgs).

No intentional functional change if mobile=false (the default) and the
new debug log feature ("peer-addrs") is not enabled.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Protocol change: Initiate key setup on incoming packets, not outgoing ones

If data is exchanged after the "renegotiation time", we need to
refresh the data transfer key - ie, to initiate a key setup.
Previously this was done by the peer which wanted to transmit data
using an existing but in-need-of-refreshing key.

However, mobile peers may often be disconnected.  There is no point
trying to do a key renegotiation while they are disconnected.  Thus it
is better to have the renegotiation initiated by a peer which receives
a data packet.  That means that if there is a network outage,
renegotiation will be deferred until the network is restored.

In particular, it means that a mobile node which has no underlying
network but which has applications trying to send data will not waste
effort attempting key renegotiation until it once more has
connectivity.

This minor functional change should be harmless or even beneficial for
non-mobile sites too.  It simply means that the other peer will play
the role of initiator during renegotiation, but since which peer
played this role is arbitrary for non-mobile sites this should make no
difference.

Compatibility: In the case of an old version of secnet talking to a
new version, only data packets in one direction will cause
renegotiation.  This should not be a problem since all real-world
IP protocols involve data in both directions.

So we make the new behaviour universal rather than making it depend on
the forthcoming "mobile-peer" site config option.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

comm, udp: Provide an addr_to_string method

This method writes (into a single static buffer) a string describing a
comm_addr. It describes both the comm instance and the peer address.

No callers yet, but one is about to be introduced.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Site tuning defaults: Improve documentation; internal improvements

Two documentation fixes:

* Quote the correct default value for setup-timeout
  (setup_retry_interval) in the README.
* Improve the documentation of the default value for renegotiate-time.

Three simple internal improvements:

* Change definitions of DEFAULT_* to forms which make the semantics
  of the values clearer, thus obviating the need for the comments
  giving human-readable values.
* Add comments to DEFAULT_* time values giving the units (currently,
  they are all in millisecons).
* Rename (in the code) SETUP_TIMEOUT and setup_timeout to
  SETUP_RETRY_INTERVAL, which is more accurate.  We leave the config
  dictionary entry with the misleading name (particularly, since we
  have no facility for spotting obsolete or misspelled config keys).

Also two changes which are preparatory to the mobile peers support:

* New macro DEFAULT(D) which currently simply expands to DEFAULT_*.
* New convenience macro CFG_NUMBER for a common pattern of use for
  dict_read_number, which uses DEFAULT().

No intentional functional changes.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

comm, site: pass a new "struct comm_addr" rather than sockaddr_in

This abstracts away the fact that the peer address is a sockaddr_in;
instead, most of the code in site.c now only handles the peer address
as an opaque structure.

We put the struct comm_if* in the address structure too, as this will
be useful later. Amongst other things, doing this arranges that the
comm client knows which comm is notifying about an incoming packet.
Previously the client was expected to "just know" because the only
actual client in secnet is site which currently only deals with one
comm.

Also make the relevant arguments const-correct.

Contains consequential changes the signatures of many functions but no
intentional functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: When shutting down, if debug enabled, do dump the MSG7

Insert a call to dump_packet in send_msg7. The packet is mostly
ciphertext and may not make a great deal of sense but turning on
debugging should not show all management packets; only data packets
should not be shown.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site: Remove some spurious "break"s

Remove two occurrences of "break" which immediately follow
unconditional "return". No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Keepalives: Document that they're unimplemented; remove vestigial code

Keepalives are not actually implemented; the keepalive option does
nothing. Mention this in the README. Remove the option's parsing
and recording from site.c.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cleanup: Style improvement to python literals in make-secnet-sites

Python literals can have a trailing comma after the last element.
Doing this is a good idea as it means that adding new elements at the
end doesn't necessitate modifying the previous line.

No intentional functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cleanup: provide helpful FILLZERO macro (for certain memset calls)

This macro replaces these idioms:
memset(&foo,0,sizeof(foo)); => FILLZERO(foo);
memset(foo,0,sizeof(*foo)); => FILLZERO(*foo);

This makes it impossible to accidentally get the wrong size.

Use this macro in all such patterns in secnet, apart from two in
site.c which are going to be removed soon anyway.

No intentional functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

secnet.h: provide helpful STRING macro (for preprocessor stringification)

Uses preprocessor stringification; can be helpful for rendering
compile-time constants (eg compile time limit macros) for messages,
etc.

Not used yet; will be used later in this series.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Test example: improve logging, choice of ports

* Turn up the logging in test-example/common.conf, to "all".

* Change the udp port numbers we use to 16900 and 16910, which
conveniently have a "0" for "outside" and a "1" for "inside".

* Swap the order of the inside and outside sites in the sites file, so
that the consistentliy-lower-numbered "outside" comes first.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

.gitignore build-stamp.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Introduce an installdirs target.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Correct a couple of errors in the README.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Prohibit lists where single values expected.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Document XCode 3.2 import.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Fix version number in a couple of places.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Security: Reduce impact of bogus key setup packet DoS

If a MSG1 (key setup initiation packet) is received containing
expected local and remote site names, the receiving secnet will start
a key setup attempt with details from that packet.

MSG1 packets are (almost necessarily) unauthenticated, so anyone on
the Internet can cause this to happen.  secnet is only willing to have
one key exchange attempt ongoing at once, and will ignore subsequent
incoming MSG1s until it has dealt with the first key exchange attempt.

So this means that an attacker who can send packets to any secnet
instance can DoS secnet at session setup (or key renewal) time.  All
the attacker needs to know is the secnet site names, and the IP
address and port number of one of the secnets.  The attacker does not
need to spoof their IP address or know any secret keys.

If the attacker sends a contant stream of bogus packets they can
probably prevent the link coming up at all.

This is difficult to fix without changing the protocol.

However, there is worse: when the key setup with the bogus peer
eventually fails, as it must, secnet invalidates the current session
key and its note of where to send actual data packets.  It will then
refuse to attempt a new key exchange for a timeout period.  During
this period, data packets will not flow.

This means that sending one fairly easy to construct udp packet can
cause a 20s outage.  Worse, after this one packet has had its effect,
the attacker can prevent the connection being reestablished, as
described above.

In this patch we fix the latter problem.  It is simply a bug that the
session key and data transport peer address (resulting from a previous
successful key exchange) are discarded when a key setup fails.

We also provide a test program "test-example/bogus-setutp-request.c"
which can be used to reproduce the problem.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Test example: instructions for running under valgrind memcheck.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Test example: Files for a simple testing configuration now in test-example/

Including a set of dummy keys, and dummy IP addresses in 172.18.232.0/28.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

build system: add *.pyc to .gitignore

Python tends to leave this dropping.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

resolver: support IPv4 address literals

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
IP ADDR LIT size_t strlen

Build system: make several patterns in .gitignore absolute paths

Specifically, version.c, and the files which are generated by
autoconf/automake but whose names do not unambiguously say so.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Log write failures on tun device.

This is useful when debugging. Short writes count as failures The
error reporting is rate limited to ensure that the logs are not
flooded.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

sys_cmd error handling improved.

(1) If the subprocess exits nonzero then the exit status
    is unpicked and logged.
(2) If the exec in the child fails, the command and
    errno string are written to stderr (which should
    end up in secnet's usual log output).
(3) _exit() is used instead of exit(), to avoid
    any possibility of craziness with stdio/atexit/etc.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

.gitignore XCode-specific files.

Checking those files in doesn't make much sense as they change at the
drop of a hat.

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Update Mac-specific notes.

- how (and why) to enable IP forwarding
- correct 'launchctl unload' invocation

Signed-off-by: Richard Kettlewell <rjk@terraraq.org.uk>

Exit nonzero if any unknown options are provided on the command line.

Signed-off-by: Richard Kettlewell <rjk@greenend.org.uk>

Make -d option consistent.

Previously --debug required an argument and -d did not. The argument
was in any case ignored.

Signed-off-by: Richard Kettlewell <rjk@greenend.org.uk>

tun: Drop support for Linux 2.2.

tun.c attempted to guess at runtime what kind of tun interface to use
by looking at uname.  Specifically, for Linux it would do
  TUN_FLAVOUR_BSD if u.release starts 2.2
  TUN_FLAVOUR_LINUX if u.release starts 2.4
and require the user to specify, otherwise.

Linux 2.6 and all later versions use TUN_FLAVOUR_LINUX.  The guessing
code is pretty nasty and Linux 2.2 is very very obsolete, so drop it.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Poll loop: fix read of unused fds[]

Commit 29672515
portability: Work around Apple's bizarrely deficient poll() implementation
introduced a read of unitialised data in fds[], because it failed to
honour i->nfds which is 0 on the first iteration.

The symptom is that secnet may, on the first iteration, die due to
mistakenly seeing POLLNVAL.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Evict built-in getopt() implementation.
It intercepts #include commands that should get the system's version.

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

Work around Bison's crazy redeclaration of malloc/free.

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>

portability: Scripts and documentation for Mac OS X support.

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

portability: Work around Apple's bizarrely deficient poll() implementation.

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

bugfix: generate 32-bit site index in packets in a sane way

Use a sequential nonzero integer as site index instead of the address
of the site structure(!). This value is not secret but does need to
be unique, and truncating the address to 32 bits doesn't guarantee
that.

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cleanup: Remove pointless double assignment

-Wsequence-point doesn't like it.

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cleanup: correct type of key exchange strings from uint8_t* to char*

Change type of kx signature and pubkey fields to reflect that they are
strings, squashing a GCC warning.

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cleanup: buffer size for snprintf should come from sizeof

Previously, hardcoded copies of the buffer size literals were used.

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

portability: use socklen_t for argument to recvfrom

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cleanup: fix up the types of input to hashes to const void* from const uint8_t*

It is permissible to pass any object to these functions and expect
them to hash it.

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

packaging: Add LSB headers to init script.

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>

build system: Builds OK under dpkg-buildpackage.

- added a Build-Depends line
- made 'debian/rules clean' work even if there has been no build.

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>

build system: provide configure option --enable-hacky-parallel

This allows -DHACKY_PARALLEL to be turned on with an option to configure.
The corresponding comments in the Makefile.in, suggesting to edit it by
hand there, are therefore removed.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site setup: actually use calculated default for st->key_renegotiate_time

We go to some trouble to calculate an appropriate default value for
st->key_renegotiate_time. However, when we actually do the config
file lookup we overwrote the result and used st->key_lifetime as the
default instead, which is wrong.

The upshot is that prior to this patch, DEFAULT_KEY_RENEGOTIATE_GAP
and the associated logic was unused, and keys were only renegotiated
at the point where they expired, which would produce a small gap in
connectivity.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site setup: move st->key_renegotiate_time default calculation nearer use

st->key_renegotiate_time is first calculated as a default and then
that value ought to be used as a default for the config lookup. So
move the default calculation near where the config lookup takes place
to keep the related code together.

Pure code motion; no functional change. Also, the value computed is
not currently used due to a bug which will be fixed in the next patch.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

site setup: Correct logic for DEFAULT_KEY_RENEGOTIATE_GAP

Previously, key_renegotiate_time would be set to
key_lifetime - DEFAULT_KEY_RENEGOTIATE_GAP
unless that was negative, in which case it would be set to
key_lifetime / 2
This is illogical as it is not monotonic in key_lifetime.
Instead we now set it to the larger of those two values.

(This bug has had no effect as the buggy calculation was ignored due
to another bug, which will be fixed in a later patch.)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

event loop: remove now parameter from site_settimeout

This is now available as a global variable.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

event loop: remove now and tv_now from before/afterpoll API

beforepoll/afterpoll routines now use the global variables provided.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

event loop: make tv_now and now into globals

This makes these values available to all functions in the rest of the
program, even if the particular event before/after function doesn't
pass them on.

We give variables new names so that we can introduce convenience
pointer aliases; that way, all the other references in the whole
program can remain unchanged when we remove now and tv_now from the
beforepoll/afterpoll parameter lists.

The pointer aliases are "static const *const" which is somewhat ugly.
We do this in the hope that the compiler will optimise out the actual
variable, which it couldn't do if the pointer alias had external
linkage. The alternative would be a macro but we don't want to
local scopes (and not just in the current before/afterpoll api).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cleanup: Turn on -Werror

Having cleaned up the code to be warning-free we can now turn on -Werror.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

bugfix: -fno-strict-aliasing, because tun.c breaks the rules.

(What it does is: fills in 'struct sockaddr' fields of 'struct
rtentry' by casting to 'struct sockaddr_in' pointers and accessing
through those. A more intrusive change would be to construct the
sockaddr_in in another object and then memcpy it into place, which
would achieve the same effect without (AFAIK) breaching C's aliasing
rules.)

Signed-off-by: Richard Kettlewell <richard@greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

cleanup: remove unused "line" member in struct transform

This member is never set or used.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

portability: warn if provided snprintf.c is used

We don't have any visibility of changes to fix bugs in the snprintf
which is supplied with secnet. Therefore at the very least we should
print a warning if we turn out to use it, rather than perhaps silently
using an ancient and perhaps-buggy implementation.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

integer arithmetic types: do not use unsigned for site timeouts etc.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>