410c8acf |
1 | /* -*-c-*- |
2 | * |
3cdc3f3a |
3 | * $Id$ |
410c8acf |
4 | * |
5 | * Main header file for TrIPE |
6 | * |
7 | * (c) 2001 Straylight/Edgeware |
8 | */ |
9 | |
10 | /*----- Licensing notice --------------------------------------------------* |
11 | * |
12 | * This file is part of Trivial IP Encryption (TrIPE). |
13 | * |
14 | * TrIPE is free software; you can redistribute it and/or modify |
15 | * it under the terms of the GNU General Public License as published by |
16 | * the Free Software Foundation; either version 2 of the License, or |
17 | * (at your option) any later version. |
18 | * |
19 | * TrIPE is distributed in the hope that it will be useful, |
20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
22 | * GNU General Public License for more details. |
23 | * |
24 | * You should have received a copy of the GNU General Public License |
25 | * along with TrIPE; if not, write to the Free Software Foundation, |
26 | * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
27 | */ |
28 | |
410c8acf |
29 | #ifndef TRIPE_H |
30 | #define TRIPE_H |
31 | |
32 | #ifdef __cplusplus |
33 | extern "C" { |
34 | #endif |
35 | |
36 | /*----- Header files ------------------------------------------------------*/ |
37 | |
73189848 |
38 | #include "config.h" |
39 | |
410c8acf |
40 | #include <assert.h> |
41 | #include <ctype.h> |
42 | #include <errno.h> |
b9066fbb |
43 | #include <limits.h> |
410c8acf |
44 | #include <signal.h> |
45 | #include <stdarg.h> |
46 | #include <stddef.h> |
47 | #include <stdio.h> |
48 | #include <stdlib.h> |
49 | #include <string.h> |
50 | #include <time.h> |
51 | |
52 | #include <sys/types.h> |
53 | #include <sys/time.h> |
54 | #include <unistd.h> |
55 | #include <fcntl.h> |
56 | #include <sys/stat.h> |
57 | |
58 | #include <sys/socket.h> |
59 | #include <sys/un.h> |
60 | #include <netinet/in.h> |
61 | #include <arpa/inet.h> |
62 | #include <netdb.h> |
63 | |
64 | #include <pwd.h> |
65 | #include <grp.h> |
66 | |
67 | #include <mLib/alloc.h> |
68 | #include <mLib/arena.h> |
69 | #include <mLib/bres.h> |
70 | #include <mLib/dstr.h> |
71 | #include <mLib/env.h> |
72 | #include <mLib/fdflags.h> |
73 | #include <mLib/fwatch.h> |
74 | #include <mLib/mdwopt.h> |
75 | #include <mLib/quis.h> |
76 | #include <mLib/report.h> |
77 | #include <mLib/sel.h> |
78 | #include <mLib/selbuf.h> |
79 | #include <mLib/sig.h> |
80 | #include <mLib/str.h> |
81 | #include <mLib/sub.h> |
82 | #include <mLib/trace.h> |
83 | |
165db1a8 |
84 | #include <catacomb/buf.h> |
85 | |
410c8acf |
86 | #include <catacomb/gcipher.h> |
87 | #include <catacomb/gmac.h> |
88 | #include <catacomb/grand.h> |
89 | #include <catacomb/key.h> |
90 | #include <catacomb/paranoia.h> |
91 | |
410c8acf |
92 | #include <catacomb/noise.h> |
93 | #include <catacomb/rand.h> |
410c8acf |
94 | |
95 | #include <catacomb/mp.h> |
410c8acf |
96 | #include <catacomb/mprand.h> |
97 | #include <catacomb/dh.h> |
52c03a2a |
98 | #include <catacomb/ec.h> |
99 | #include <catacomb/ec-keys.h> |
100 | #include <catacomb/group.h> |
410c8acf |
101 | |
165db1a8 |
102 | #include "tripe-protocol.h" |
410c8acf |
103 | #include "util.h" |
104 | |
105 | #undef sun |
106 | |
107 | /*----- Magic numbers -----------------------------------------------------*/ |
108 | |
109 | /* --- Tunnel types --- */ |
110 | |
111 | #define TUN_NOTDEF 0 |
112 | #define TUN_UNET 1 |
113 | #define TUN_BSD 2 |
37075862 |
114 | #define TUN_LINUX 3 |
b9066fbb |
115 | #define TUN_SLIP 4 |
410c8acf |
116 | |
117 | /* --- Trace flags --- */ |
118 | |
119 | #define T_TUNNEL 1u |
120 | #define T_PEER 2u |
121 | #define T_PACKET 4u |
122 | #define T_ADMIN 8u |
123 | #define T_CRYPTO 16u |
124 | #define T_KEYSET 32u |
125 | #define T_KEYEXCH 64u |
126 | #define T_KEYMGMT 128u |
127 | |
128 | #define T_ALL 255u |
129 | |
130 | /* --- Units --- */ |
131 | |
132 | #define SEC(n) (n##u) |
133 | #define MIN(n) (n##u * 60u) |
134 | #define MEG(n) (n##ul * 1024ul * 1024ul) |
135 | |
136 | /* --- Other things --- */ |
137 | |
138 | #define PKBUFSZ 65536 |
139 | |
832a2ab6 |
140 | /*----- Cipher selections -------------------------------------------------*/ |
141 | |
b5c45da1 |
142 | typedef struct algswitch { |
143 | const gccipher *c; /* Symmetric encryption scheme */ |
144 | const gccipher *mgf; /* Mask-generation function */ |
145 | const gchash *h; /* Hash function */ |
146 | const gcmac *m; /* Message authentication code */ |
147 | size_t hashsz; /* Hash output size */ |
148 | size_t tagsz; /* Length to truncate MAC tags */ |
149 | size_t cksz, mksz; /* Key lengths for @c@ and @m@ */ |
150 | } algswitch; |
832a2ab6 |
151 | |
b5c45da1 |
152 | extern algswitch algs; |
832a2ab6 |
153 | |
b5c45da1 |
154 | #define MAXHASHSZ 64 /* Largest possible hash size */ |
832a2ab6 |
155 | |
b5c45da1 |
156 | #define HASH_STRING(h, s) GH_HASH((h), (s), sizeof(s)) |
410c8acf |
157 | |
aeeb5611 |
158 | /*----- Data structures ---------------------------------------------------*/ |
410c8acf |
159 | |
160 | /* --- Socket addresses --- * |
161 | * |
162 | * A magic union of supported socket addresses. |
163 | */ |
164 | |
165 | typedef union addr { |
166 | struct sockaddr sa; |
167 | struct sockaddr_in sin; |
168 | } addr; |
169 | |
170 | /* --- A symmetric keyset --- * |
171 | * |
172 | * A keyset contains a set of symmetric keys for encrypting and decrypting |
173 | * packets. Keysets are stored in a list, sorted in reverse order of |
174 | * creation, so that the most recent keyset (the one most likely to be used) |
175 | * is first. |
176 | * |
177 | * Each keyset has a time limit and a data limit. The keyset is destroyed |
178 | * when either it has existed for too long, or it has been used to encrypt |
179 | * too much data. New key exchanges are triggered when keys are close to |
180 | * expiry. |
181 | */ |
182 | |
183 | typedef struct keyset { |
184 | struct keyset *next; /* Next active keyset in the list */ |
832a2ab6 |
185 | unsigned ref; /* Reference count for keyset */ |
9466fafa |
186 | struct peer *p; /* Pointer to peer structure */ |
410c8acf |
187 | time_t t_exp; /* Expiry time for this keyset */ |
188 | unsigned long sz_exp; /* Data limit for the keyset */ |
832a2ab6 |
189 | T( unsigned seq; ) /* Sequence number for tracing */ |
190 | unsigned f; /* Various useful flags */ |
191 | gcipher *cin, *cout; /* Keyset ciphers for encryption */ |
b5c45da1 |
192 | size_t tagsz; /* Length to truncate MAC tags */ |
832a2ab6 |
193 | gmac *min, *mout; /* Keyset MACs for integrity */ |
1484d822 |
194 | uint32 oseq; /* Outbound sequence number */ |
195 | uint32 iseq, iwin; /* Inbound sequence number */ |
410c8acf |
196 | } keyset; |
197 | |
1484d822 |
198 | #define KS_SEQWINSZ 32 /* Bits in sequence number window */ |
199 | |
832a2ab6 |
200 | #define KSF_LISTEN 1u /* Don't encrypt packets yet */ |
201 | #define KSF_LINK 2u /* Key is in a linked list */ |
202 | |
410c8acf |
203 | /* --- Key exchange --- * |
204 | * |
205 | * TrIPE uses the Wrestlers Protocol for its key exchange. The Wrestlers |
206 | * Protocol has a number of desirable features (e.g., perfect forward |
207 | * secrecy, and zero-knowledge authentication) which make it attractive for |
208 | * use in TrIPE. The Wrestlers Protocol was designed by Mark Wooding and |
209 | * Clive Jones. |
210 | */ |
211 | |
832a2ab6 |
212 | #define KX_NCHAL 16u |
213 | #define KX_THRESH 4u |
214 | |
215 | typedef struct kxchal { |
216 | struct keyexch *kx; /* Pointer back to key exchange */ |
52c03a2a |
217 | ge *c; /* Responder's challenge */ |
218 | ge *r; /* My reply to the challenge */ |
832a2ab6 |
219 | keyset *ks; /* Pointer to temporary keyset */ |
220 | unsigned f; /* Various useful flags */ |
221 | sel_timer t; /* Response timer for challenge */ |
b5c45da1 |
222 | octet hc[MAXHASHSZ]; /* Hash of his challenge */ |
1d27afe6 |
223 | mp *ck; /* The check value */ |
b5c45da1 |
224 | octet hswrq_in[MAXHASHSZ]; /* Inbound switch request message */ |
225 | octet hswok_in[MAXHASHSZ]; /* Inbound switch confirmation */ |
226 | octet hswrq_out[MAXHASHSZ]; /* Outbound switch request message */ |
227 | octet hswok_out[MAXHASHSZ]; /* Outbound switch confirmation */ |
832a2ab6 |
228 | } kxchal; |
229 | |
410c8acf |
230 | typedef struct keyexch { |
410c8acf |
231 | struct peer *p; /* Pointer back to the peer */ |
832a2ab6 |
232 | keyset **ks; /* Peer's list of keysets */ |
410c8acf |
233 | unsigned f; /* Various useful flags */ |
832a2ab6 |
234 | unsigned s; /* Current state in exchange */ |
410c8acf |
235 | sel_timer t; /* Timer for next exchange */ |
52c03a2a |
236 | ge *kpub; /* Peer's public key */ |
00e64b67 |
237 | time_t texp_kpub; /* Expiry time for public key */ |
832a2ab6 |
238 | mp *alpha; /* My temporary secret */ |
52c03a2a |
239 | ge *c; /* My challenge */ |
240 | ge *rx; /* The expected response */ |
832a2ab6 |
241 | unsigned nr; /* Number of extant responses */ |
410c8acf |
242 | time_t t_valid; /* When this exchange goes bad */ |
b5c45da1 |
243 | octet hc[MAXHASHSZ]; /* Hash of my challenge */ |
832a2ab6 |
244 | kxchal *r[KX_NCHAL]; /* Array of challenges */ |
410c8acf |
245 | } keyexch; |
246 | |
247 | #define KXF_TIMER 1u /* Waiting for a timer to go off */ |
00e64b67 |
248 | #define KXF_DEAD 2u /* The key-exchanger isn't up */ |
249 | #define KXF_PUBKEY 4u /* Key exchanger has a public key */ |
832a2ab6 |
250 | |
251 | enum { |
252 | KXS_DEAD, /* Uninitialized state (magical) */ |
253 | KXS_CHAL, /* Main answer-challenges state */ |
254 | KXS_COMMIT, /* Committed: send switch request */ |
255 | KXS_SWITCH /* Switched: send confirmation */ |
256 | }; |
410c8acf |
257 | |
258 | /* --- Tunnel structure --- * |
259 | * |
260 | * Used to maintain system-specific information about the tunnel interface. |
261 | */ |
262 | |
110d564e |
263 | #if TUN_TYPE == TUN_LINUX |
264 | # include <linux/if.h> |
265 | # include <linux/if_tun.h> |
266 | #endif |
267 | |
b9066fbb |
268 | #if TUN_TYPE == TUN_SLIP |
269 | typedef struct slipif { |
270 | struct slipif *next; /* Next one in the list */ |
271 | int ifd, ofd; /* File descriptors to talk on */ |
272 | char *name; /* Interface name */ |
273 | unsigned f; /* Various flags */ |
274 | # define SLIPIFF_INUSE 1u /* Interface is in use */ |
275 | } slipif; |
276 | #endif |
277 | |
410c8acf |
278 | typedef struct tunnel { |
37075862 |
279 | #if TUN_TYPE == TUN_UNET |
410c8acf |
280 | sel_file f; /* Selector for Usernet device */ |
281 | struct peer *p; /* Pointer to my peer */ |
37075862 |
282 | #elif TUN_TYPE == TUN_LINUX |
283 | sel_file f; /* Selector for TUN/TAP device */ |
284 | struct peer *p; /* Pointer to my peer */ |
285 | char ifn[IFNAMSIZ]; /* Interface name buffer */ |
1484d822 |
286 | #elif TUN_TYPE == TUN_BSD |
287 | sel_file f; /* Selector for tunnel device */ |
288 | struct peer *p; /* Pointer to my peer */ |
289 | unsigned n; /* Number of my tunnel device */ |
b9066fbb |
290 | #elif TUN_TYPE == TUN_SLIP |
291 | slipif *sl; /* My interface record */ |
292 | sel_file f; /* Selector for SLIP tty */ |
293 | struct peer *p; /* Pointer to my peer */ |
294 | unsigned st; /* Current parser state */ |
295 | # define SLIPST_ESC 1u /* Last saw an escape character */ |
296 | # define SLIPST_BAD 2u /* This packet is malformed */ |
297 | # define SLIPST_EOF 4u /* File descriptor reported EOF */ |
298 | size_t n; /* Number of bytes used in buffer */ |
299 | octet buf[PKBUFSZ]; /* Buffer for incoming data */ |
410c8acf |
300 | #else |
301 | # error "No support for this tunnel type" |
302 | #endif |
303 | } tunnel; |
304 | |
832a2ab6 |
305 | /* --- Peer statistics --- * |
306 | * |
307 | * Contains various interesting and not-so-interesting statistics about a |
308 | * peer. This is updated by various parts of the code. The format of the |
309 | * structure isn't considered private, and @p_stats@ returns a pointer to the |
310 | * statistics block for a given peer. |
311 | */ |
312 | |
313 | typedef struct stats { |
314 | unsigned long sz_in, sz_out; /* Size of all data in and out */ |
315 | unsigned long sz_kxin, sz_kxout; /* Size of key exchange messages */ |
316 | unsigned long sz_ipin, sz_ipout; /* Size of encapsulated IP packets */ |
3cdc3f3a |
317 | time_t t_start, t_last, t_kx; /* Time peer created, last pk, kx */ |
832a2ab6 |
318 | unsigned long n_reject; /* Number of rejected packets */ |
319 | unsigned long n_in, n_out; /* Number of packets in and out */ |
320 | unsigned long n_kxin, n_kxout; /* Number of key exchange packets */ |
321 | unsigned long n_ipin, n_ipout; /* Number of encrypted packets */ |
322 | } stats; |
323 | |
410c8acf |
324 | /* --- Peer structure --- * |
325 | * |
326 | * The main structure which glues everything else together. |
327 | */ |
328 | |
329 | typedef struct peer { |
330 | struct peer *next, *prev; /* Links to next and previous */ |
331 | char *name; /* Name of this peer */ |
332 | tunnel t; /* Tunnel for local packets */ |
333 | keyset *ks; /* List head for keysets */ |
410c8acf |
334 | buf b; /* Buffer for sending packets */ |
335 | addr peer; /* Peer socket address */ |
336 | size_t sasz; /* Socket address size */ |
832a2ab6 |
337 | stats st; /* Statistics */ |
338 | keyexch kx; /* Key exchange protocol block */ |
410c8acf |
339 | } peer; |
340 | |
341 | /* --- Admin structure --- */ |
342 | |
fd3cf232 |
343 | #define OBUFSZ 16384u |
344 | |
345 | typedef struct obuf { |
346 | struct obuf *next; /* Next buffer in list */ |
347 | char *p_in, *p_out; /* Pointers into the buffer */ |
348 | char buf[OBUFSZ]; /* The actual buffer */ |
349 | } obuf; |
350 | |
410c8acf |
351 | typedef struct admin { |
352 | struct admin *next, *prev; /* Links to next and previous */ |
fd3cf232 |
353 | unsigned f; /* Various useful flags */ |
410c8acf |
354 | #ifndef NTRACE |
355 | unsigned seq; /* Sequence number for tracing */ |
356 | #endif |
357 | char *pname; /* Peer name to create */ |
358 | char *paddr; /* Address string to resolve */ |
fd3cf232 |
359 | obuf *o_head, *o_tail; /* Output buffer list */ |
360 | selbuf b; /* Line buffer for commands */ |
361 | sel_file w; /* Selector for write buffering */ |
410c8acf |
362 | bres_client r; /* Background resolver task */ |
363 | sel_timer t; /* Timer for resolver */ |
364 | addr peer; /* Address to set */ |
365 | size_t sasz; /* Size of the address */ |
366 | } admin; |
367 | |
fd3cf232 |
368 | #define AF_DEAD 1u /* Destroy this admin block */ |
369 | #define AF_LOCK 2u /* Don't destroy it yet */ |
3cdc3f3a |
370 | #define AF_NOTE 4u /* Catch notifications */ |
371 | #ifndef NTRACE |
372 | #define AF_TRACE 8u /* Catch tracing */ |
373 | #endif |
374 | #define AF_WARN 16u /* Catch warning messages */ |
375 | |
376 | #ifndef NTRACE |
377 | # define AF_ALLMSGS (AF_NOTE | AF_TRACE | AF_WARN) |
378 | #else |
379 | # define AF_ALLMSGS (AF_NOTE | AF_WARN) |
380 | #endif |
fd3cf232 |
381 | |
410c8acf |
382 | /*----- Global variables --------------------------------------------------*/ |
383 | |
384 | extern sel_state sel; /* Global I/O event state */ |
52c03a2a |
385 | extern group *gg; /* The group we work in */ |
386 | extern mp *kpriv; /* Our private key */ |
832a2ab6 |
387 | extern octet buf_i[PKBUFSZ], buf_o[PKBUFSZ], buf_t[PKBUFSZ]; |
410c8acf |
388 | |
389 | #ifndef NTRACE |
390 | extern const trace_opt tr_opts[]; /* Trace options array */ |
391 | extern unsigned tr_flags; /* Trace options flags */ |
392 | #endif |
393 | |
8d0c7a83 |
394 | /*----- Other macros ------------------------------------------------------*/ |
395 | |
396 | #define TIMER noise_timer(RAND_GLOBAL) |
397 | |
410c8acf |
398 | /*----- Key management ----------------------------------------------------*/ |
399 | |
400 | /* --- @km_interval@ --- * |
401 | * |
402 | * Arguments: --- |
403 | * |
404 | * Returns: Zero if OK, nonzero to force reloading of keys. |
405 | * |
406 | * Use: Called on the interval timer to perform various useful jobs. |
407 | */ |
408 | |
409 | extern int km_interval(void); |
410 | |
411 | /* --- @km_init@ --- * |
412 | * |
413 | * Arguments: @const char *kr_priv@ = private keyring file |
414 | * @const char *kr_pub@ = public keyring file |
415 | * @const char *tag@ = tag to load |
416 | * |
417 | * Returns: --- |
418 | * |
419 | * Use: Initializes, and loads the private key. |
420 | */ |
421 | |
422 | extern void km_init(const char */*kr_priv*/, const char */*kr_pub*/, |
423 | const char */*tag*/); |
424 | |
425 | /* --- @km_getpubkey@ --- * |
426 | * |
427 | * Arguments: @const char *tag@ = public key tag to load |
52c03a2a |
428 | * @ge *kpub@ = where to put the public key |
00e64b67 |
429 | * @time_t *t_exp@ = where to put the expiry time |
410c8acf |
430 | * |
431 | * Returns: Zero if OK, nonzero if it failed. |
432 | * |
433 | * Use: Fetches a public key from the keyring. |
434 | */ |
435 | |
52c03a2a |
436 | extern int km_getpubkey(const char */*tag*/, ge */*kpub*/, |
00e64b67 |
437 | time_t */*t_exp*/); |
410c8acf |
438 | |
439 | /*----- Key exchange ------------------------------------------------------*/ |
440 | |
441 | /* --- @kx_start@ --- * |
442 | * |
443 | * Arguments: @keyexch *kx@ = pointer to key exchange context |
444 | * |
445 | * Returns: --- |
446 | * |
447 | * Use: Stimulates a key exchange. If a key exchage is in progress, |
448 | * a new challenge is sent (unless the quiet timer forbids |
449 | * this); if no exchange is in progress, one is commenced. |
450 | */ |
451 | |
452 | extern void kx_start(keyexch */*kx*/); |
453 | |
832a2ab6 |
454 | /* --- @kx_message@ --- * |
410c8acf |
455 | * |
456 | * Arguments: @keyexch *kx@ = pointer to key exchange context |
832a2ab6 |
457 | * @unsigned msg@ = the message code |
458 | * @buf *b@ = pointer to buffer containing the packet |
410c8acf |
459 | * |
460 | * Returns: --- |
461 | * |
832a2ab6 |
462 | * Use: Reads a packet containing key exchange messages and handles |
463 | * it. |
410c8acf |
464 | */ |
465 | |
832a2ab6 |
466 | extern void kx_message(keyexch */*kx*/, unsigned /*msg*/, buf */*b*/); |
410c8acf |
467 | |
468 | /* --- @kx_free@ --- * |
469 | * |
470 | * Arguments: @keyexch *kx@ = pointer to key exchange context |
471 | * |
472 | * Returns: --- |
473 | * |
474 | * Use: Frees everything in a key exchange context. |
475 | */ |
476 | |
477 | extern void kx_free(keyexch */*kx*/); |
478 | |
479 | /* --- @kx_newkeys@ --- * |
480 | * |
481 | * Arguments: @keyexch *kx@ = pointer to key exchange context |
482 | * |
483 | * Returns: --- |
484 | * |
485 | * Use: Informs the key exchange module that its keys may have |
486 | * changed. If fetching the new keys fails, the peer will be |
487 | * destroyed, we log messages and struggle along with the old |
488 | * keys. |
489 | */ |
490 | |
491 | extern void kx_newkeys(keyexch */*kx*/); |
492 | |
493 | /* --- @kx_init@ --- * |
494 | * |
495 | * Arguments: @keyexch *kx@ = pointer to key exchange context |
496 | * @peer *p@ = pointer to peer context |
497 | * @keyset **ks@ = pointer to keyset list |
498 | * |
499 | * Returns: Zero if OK, nonzero if it failed. |
500 | * |
501 | * Use: Initializes a key exchange module. The module currently |
502 | * contains no keys, and will attempt to initiate a key |
503 | * exchange. |
504 | */ |
505 | |
506 | extern int kx_init(keyexch */*kx*/, peer */*p*/, keyset **/*ks*/); |
507 | |
508 | /*----- Keysets and symmetric cryptography --------------------------------*/ |
509 | |
832a2ab6 |
510 | /* --- @ks_drop@ --- * |
511 | * |
512 | * Arguments: @keyset *ks@ = pointer to a keyset |
513 | * |
514 | * Returns: --- |
515 | * |
516 | * Use: Decrements a keyset's reference counter. If the counter hits |
517 | * zero, the keyset is freed. |
518 | */ |
519 | |
520 | extern void ks_drop(keyset */*ks*/); |
521 | |
522 | /* --- @ks_gen@ --- * |
523 | * |
524 | * Arguments: @const void *k@ = pointer to key material |
525 | * @size_t x, y, z@ = offsets into key material (see below) |
9466fafa |
526 | * @peer *p@ = pointer to peer information |
832a2ab6 |
527 | * |
528 | * Returns: A pointer to the new keyset. |
529 | * |
530 | * Use: Derives a new keyset from the given key material. The |
531 | * offsets @x@, @y@ and @z@ separate the key material into three |
532 | * parts. Between the @k@ and @k + x@ is `my' contribution to |
533 | * the key material; between @k + x@ and @k + y@ is `your' |
534 | * contribution; and between @k + y@ and @k + z@ is a shared |
535 | * value we made together. These are used to construct two |
536 | * pairs of symmetric keys. Each pair consists of an encryption |
537 | * key and a message authentication key. One pair is used for |
538 | * outgoing messages, the other for incoming messages. |
539 | * |
540 | * The new key is marked so that it won't be selected for output |
541 | * by @ksl_encrypt@. You can still encrypt data with it by |
542 | * calling @ks_encrypt@ directly. |
543 | */ |
544 | |
545 | extern keyset *ks_gen(const void */*k*/, |
9466fafa |
546 | size_t /*x*/, size_t /*y*/, size_t /*z*/, |
547 | peer */*p*/); |
832a2ab6 |
548 | |
549 | /* --- @ks_tregen@ --- * |
550 | * |
551 | * Arguments: @keyset *ks@ = pointer to a keyset |
552 | * |
553 | * Returns: The time at which moves ought to be made to replace this key. |
554 | */ |
555 | |
556 | extern time_t ks_tregen(keyset */*ks*/); |
557 | |
558 | /* --- @ks_activate@ --- * |
559 | * |
560 | * Arguments: @keyset *ks@ = pointer to a keyset |
561 | * |
562 | * Returns: --- |
563 | * |
564 | * Use: Activates a keyset, so that it can be used for encrypting |
565 | * outgoing messages. |
566 | */ |
567 | |
568 | extern void ks_activate(keyset */*ks*/); |
569 | |
570 | /* --- @ks_encrypt@ --- * |
571 | * |
572 | * Arguments: @keyset *ks@ = pointer to a keyset |
7ed14135 |
573 | * @unsigned ty@ = message type |
832a2ab6 |
574 | * @buf *b@ = pointer to input buffer |
575 | * @buf *bb@ = pointer to output buffer |
576 | * |
577 | * Returns: Zero if OK, nonzero if the key needs replacing. If the |
578 | * encryption failed, the output buffer is broken and zero is |
579 | * returned. |
580 | * |
581 | * Use: Encrypts a block of data using the key. Note that the `key |
582 | * ought to be replaced' notification is only ever given once |
583 | * for each key. Also note that this call forces a keyset to be |
584 | * used even if it's marked as not for data output. |
585 | */ |
586 | |
7ed14135 |
587 | extern int ks_encrypt(keyset */*ks*/, unsigned /*ty*/, |
588 | buf */*b*/, buf */*bb*/); |
832a2ab6 |
589 | |
590 | /* --- @ks_decrypt@ --- * |
591 | * |
592 | * Arguments: @keyset *ks@ = pointer to a keyset |
7ed14135 |
593 | * @unsigned ty@ = expected type code |
832a2ab6 |
594 | * @buf *b@ = pointer to an input buffer |
595 | * @buf *bb@ = pointer to an output buffer |
596 | * |
597 | * Returns: Zero on success, or nonzero if there was some problem. |
598 | * |
599 | * Use: Attempts to decrypt a message using a given key. Note that |
600 | * requesting decryption with a key directly won't clear a |
601 | * marking that it's not for encryption. |
602 | */ |
603 | |
7ed14135 |
604 | extern int ks_decrypt(keyset */*ks*/, unsigned /*ty*/, |
605 | buf */*b*/, buf */*bb*/); |
832a2ab6 |
606 | |
607 | /* --- @ksl_free@ --- * |
410c8acf |
608 | * |
609 | * Arguments: @keyset **ksroot@ = pointer to keyset list head |
610 | * |
611 | * Returns: --- |
612 | * |
832a2ab6 |
613 | * Use: Frees (releases references to) all of the keys in a keyset. |
410c8acf |
614 | */ |
615 | |
832a2ab6 |
616 | extern void ksl_free(keyset **/*ksroot*/); |
410c8acf |
617 | |
832a2ab6 |
618 | /* --- @ksl_link@ --- * |
410c8acf |
619 | * |
620 | * Arguments: @keyset **ksroot@ = pointer to keyset list head |
832a2ab6 |
621 | * @keyset *ks@ = pointer to a keyset |
410c8acf |
622 | * |
623 | * Returns: --- |
624 | * |
832a2ab6 |
625 | * Use: Links a keyset into a list. A keyset can only be on one list |
626 | * at a time. Bad things happen otherwise. |
410c8acf |
627 | */ |
628 | |
832a2ab6 |
629 | extern void ksl_link(keyset **/*ksroot*/, keyset */*ks*/); |
410c8acf |
630 | |
832a2ab6 |
631 | /* --- @ksl_prune@ --- * |
410c8acf |
632 | * |
633 | * Arguments: @keyset **ksroot@ = pointer to keyset list head |
410c8acf |
634 | * |
832a2ab6 |
635 | * Returns: --- |
410c8acf |
636 | * |
832a2ab6 |
637 | * Use: Prunes the keyset list by removing keys which mustn't be used |
638 | * any more. |
410c8acf |
639 | */ |
640 | |
832a2ab6 |
641 | extern void ksl_prune(keyset **/*ksroot*/); |
410c8acf |
642 | |
832a2ab6 |
643 | /* --- @ksl_encrypt@ --- * |
410c8acf |
644 | * |
645 | * Arguments: @keyset **ksroot@ = pointer to keyset list head |
7ed14135 |
646 | * @unsigned ty@ = message type |
410c8acf |
647 | * @buf *b@ = pointer to input buffer |
648 | * @buf *bb@ = pointer to output buffer |
649 | * |
650 | * Returns: Nonzero if a new key is needed. |
651 | * |
652 | * Use: Encrypts a packet. |
653 | */ |
654 | |
7ed14135 |
655 | extern int ksl_encrypt(keyset **/*ksroot*/, unsigned /*ty*/, |
656 | buf */*b*/, buf */*bb*/); |
410c8acf |
657 | |
832a2ab6 |
658 | /* --- @ksl_decrypt@ --- * |
410c8acf |
659 | * |
660 | * Arguments: @keyset **ksroot@ = pointer to keyset list head |
7ed14135 |
661 | * @unsigned ty@ = expected type code |
410c8acf |
662 | * @buf *b@ = pointer to input buffer |
663 | * @buf *bb@ = pointer to output buffer |
664 | * |
665 | * Returns: Nonzero if the packet couldn't be decrypted. |
666 | * |
667 | * Use: Decrypts a packet. |
668 | */ |
669 | |
7ed14135 |
670 | extern int ksl_decrypt(keyset **/*ksroot*/, unsigned /*ty*/, |
671 | buf */*b*/, buf */*bb*/); |
410c8acf |
672 | |
673 | /*----- Administration interface ------------------------------------------*/ |
674 | |
675 | /* --- @a_warn@ --- * |
676 | * |
677 | * Arguments: @const char *fmt@ = pointer to format string |
678 | * @...@ = other arguments |
679 | * |
680 | * Returns: --- |
681 | * |
682 | * Use: Informs all admin connections of a warning. |
683 | */ |
684 | |
685 | extern void a_warn(const char */*fmt*/, ...); |
686 | |
3cdc3f3a |
687 | /* --- @a_notify@ --- * |
688 | * |
689 | * Arguments: @const char *fmt@ = pointer to format string |
690 | * @...@ = other arguments |
691 | * |
692 | * Returns: --- |
693 | * |
694 | * Use: Sends a notification to interested admin connections. |
695 | */ |
696 | |
697 | extern void a_notify(const char */*fmt*/, ...); |
698 | |
410c8acf |
699 | /* --- @a_create@ --- * |
700 | * |
701 | * Arguments: @int fd_in, fd_out@ = file descriptors to use |
3cdc3f3a |
702 | * @unsigned f@ = initial flags to set |
410c8acf |
703 | * |
704 | * Returns: --- |
705 | * |
706 | * Use: Creates a new admin connection. |
707 | */ |
708 | |
3cdc3f3a |
709 | extern void a_create(int /*fd_in*/, int /*fd_out*/, unsigned /*f*/); |
410c8acf |
710 | |
711 | /* --- @a_quit@ --- * |
712 | * |
713 | * Arguments: --- |
714 | * |
715 | * Returns: --- |
716 | * |
717 | * Use: Shuts things down nicely. |
718 | */ |
719 | |
720 | extern void a_quit(void); |
721 | |
722 | /* --- @a_daemon@ --- * |
723 | * |
724 | * Arguments: --- |
725 | * |
726 | * Returns: --- |
727 | * |
728 | * Use: Informs the admin module that it's a daemon. |
729 | */ |
730 | |
731 | extern void a_daemon(void); |
732 | |
733 | /* --- @a_init@ --- * |
734 | * |
735 | * Arguments: @const char *sock@ = socket name to create |
736 | * |
737 | * Returns: --- |
738 | * |
739 | * Use: Creates the admin listening socket. |
740 | */ |
741 | |
742 | extern void a_init(const char */*sock*/); |
743 | |
744 | /*----- Peer management ---------------------------------------------------*/ |
745 | |
746 | /* --- @p_txstart@ --- * |
747 | * |
748 | * Arguments: @peer *p@ = pointer to peer block |
749 | * @unsigned msg@ = message type code |
750 | * |
751 | * Returns: A pointer to a buffer to write to. |
752 | * |
753 | * Use: Starts sending to a peer. Only one send can happen at a |
754 | * time. |
755 | */ |
756 | |
757 | extern buf *p_txstart(peer */*p*/, unsigned /*msg*/); |
758 | |
759 | /* --- @p_txend@ --- * |
760 | * |
761 | * Arguments: @peer *p@ = pointer to peer block |
762 | * |
763 | * Returns: --- |
764 | * |
765 | * Use: Sends a packet to the peer. |
766 | */ |
767 | |
768 | extern void p_txend(peer */*p*/); |
769 | |
770 | /* --- @p_tun@ --- * |
771 | * |
772 | * Arguments: @peer *p@ = pointer to peer block |
773 | * @buf *b@ = buffer containing incoming packet |
774 | * |
775 | * Returns: --- |
776 | * |
777 | * Use: Handles a packet which needs to be sent to a peer. |
778 | */ |
779 | |
780 | extern void p_tun(peer */*p*/, buf */*b*/); |
781 | |
782 | /* --- @p_interval@ --- * |
783 | * |
784 | * Arguments: --- |
785 | * |
786 | * Returns: --- |
787 | * |
788 | * Use: Called periodically to do tidying. |
789 | */ |
790 | |
791 | extern void p_interval(void); |
792 | |
832a2ab6 |
793 | /* --- @p_stats@ --- * |
794 | * |
795 | * Arguments: @peer *p@ = pointer to a peer block |
796 | * |
797 | * Returns: A pointer to the peer's statistics. |
798 | */ |
799 | |
800 | extern stats *p_stats(peer */*p*/); |
801 | |
410c8acf |
802 | /* --- @p_ifname@ --- * |
803 | * |
804 | * Arguments: @peer *p@ = pointer to a peer block |
805 | * |
806 | * Returns: A pointer to the peer's interface name. |
807 | */ |
808 | |
809 | extern const char *p_ifname(peer */*p*/); |
810 | |
811 | /* --- @p_addr@ --- * |
812 | * |
813 | * Arguments: @peer *p@ = pointer to a peer block |
814 | * |
815 | * Returns: A pointer to the peer's address. |
816 | */ |
817 | |
818 | extern const addr *p_addr(peer */*p*/); |
819 | |
820 | /* --- @p_init@ --- * |
821 | * |
767b36e2 |
822 | * Arguments: @struct in_addr addr@ = address to bind to |
823 | * @unsigned port@ = port number to listen to |
410c8acf |
824 | * |
825 | * Returns: --- |
826 | * |
827 | * Use: Initializes the peer system; creates the socket. |
828 | */ |
829 | |
767b36e2 |
830 | extern void p_init(struct in_addr /*addr*/, unsigned /*port*/); |
410c8acf |
831 | |
832 | /* --- @p_port@ --- * |
833 | * |
834 | * Arguments: --- |
835 | * |
836 | * Returns: Port number used for socket. |
837 | */ |
838 | |
839 | unsigned p_port(void); |
840 | |
841 | /* --- @p_create@ --- * |
842 | * |
843 | * Arguments: @const char *name@ = name for this peer |
844 | * @struct sockaddr *sa@ = socket address of peer |
845 | * @size_t sz@ = size of socket address |
846 | * |
847 | * Returns: Pointer to the peer block, or null if it failed. |
848 | * |
849 | * Use: Creates a new named peer block. No peer is actually attached |
850 | * by this point. |
851 | */ |
852 | |
853 | extern peer *p_create(const char */*name*/, |
854 | struct sockaddr */*sa*/, size_t /*sz*/); |
855 | |
856 | /* --- @p_name@ --- * |
857 | * |
858 | * Arguments: @peer *p@ = pointer to a peer block |
859 | * |
860 | * Returns: A pointer to the peer's name. |
861 | */ |
862 | |
863 | extern const char *p_name(peer */*p*/); |
864 | |
865 | /* --- @p_find@ --- * |
866 | * |
867 | * Arguments: @const char *name@ = name to look up |
868 | * |
869 | * Returns: Pointer to the peer block, or null if not found. |
870 | * |
871 | * Use: Finds a peer by name. |
872 | */ |
873 | |
874 | extern peer *p_find(const char */*name*/); |
875 | |
876 | /* --- @p_destroy@ --- * |
877 | * |
878 | * Arguments: @peer *p@ = pointer to a peer |
879 | * |
880 | * Returns: --- |
881 | * |
882 | * Use: Destroys a peer. |
883 | */ |
884 | |
885 | extern void p_destroy(peer */*p*/); |
886 | |
887 | /* --- @p_first@, @p_next@ --- * |
888 | * |
889 | * Arguments: @peer *p@ = a peer block |
890 | * |
891 | * Returns: @peer_first@ returns the first peer in some ordering; |
892 | * @peer_next@ returns the peer following a given one in the |
893 | * same ordering. Null is returned for the end of the list. |
894 | */ |
895 | |
896 | extern peer *p_first(void); |
897 | extern peer *p_next(peer */*p*/); |
898 | |
899 | /*----- Tunnel interface --------------------------------------------------*/ |
900 | |
901 | /* --- @tun_init@ --- * |
902 | * |
903 | * Arguments: --- |
904 | * |
905 | * Returns: --- |
906 | * |
907 | * Use: Initializes the tunneling system. Maybe this will require |
908 | * opening file descriptors or something. |
909 | */ |
910 | |
911 | extern void tun_init(void); |
912 | |
913 | /* --- @tun_create@ --- * |
914 | * |
915 | * Arguments: @tunnel *t@ = pointer to tunnel block |
916 | * @peer *p@ = pointer to peer block |
917 | * |
918 | * Returns: Zero if it worked, nonzero on failure. |
919 | * |
920 | * Use: Initializes a new tunnel. |
921 | */ |
922 | |
923 | extern int tun_create(tunnel */*t*/, peer */*p*/); |
924 | |
925 | /* --- @tun_ifname@ --- * |
926 | * |
927 | * Arguments: @tunnel *t@ = pointer to tunnel block |
928 | * |
929 | * Returns: A pointer to the tunnel's interface name. |
930 | */ |
931 | |
932 | extern const char *tun_ifname(tunnel */*t*/); |
933 | |
934 | /* --- @tun_inject@ --- * |
935 | * |
936 | * Arguments: @tunnel *t@ = pointer to tunnel block |
937 | * @buf *b@ = buffer to send |
938 | * |
939 | * Returns: --- |
940 | * |
941 | * Use: Injects a packet into the local network stack. |
942 | */ |
943 | |
944 | extern void tun_inject(tunnel */*t*/, buf */*b*/); |
945 | |
946 | /* --- @tun_destroy@ --- * |
947 | * |
948 | * Arguments: @tunnel *t@ = pointer to tunnel block |
949 | * |
950 | * Returns: --- |
951 | * |
952 | * Use: Destroys a tunnel. |
953 | */ |
954 | |
955 | extern void tun_destroy(tunnel */*t*/); |
956 | |
410c8acf |
957 | /*----- Other handy utilities ---------------------------------------------*/ |
958 | |
959 | /* --- @mpstr@ --- * |
960 | * |
961 | * Arguments: @mp *m@ = a multiprecision integer |
962 | * |
963 | * Returns: A pointer to the integer's textual representation. |
964 | * |
965 | * Use: Converts a multiprecision integer to a string. Corrupts |
832a2ab6 |
966 | * @buf_t@. |
410c8acf |
967 | */ |
968 | |
969 | extern const char *mpstr(mp */*m*/); |
970 | |
52c03a2a |
971 | /* --- @gestr@ --- * |
972 | * |
973 | * Arguments: @group *g@ = a group |
974 | * @ge *x@ = a group element |
975 | * |
976 | * Returns: A pointer to the element's textual representation. |
977 | * |
978 | * Use: Converts a group element to a string. Corrupts |
979 | * @buf_t@. |
980 | */ |
981 | |
982 | extern const char *gestr(group */*g*/, ge */*x*/); |
983 | |
832a2ab6 |
984 | /* --- @timestr@ --- * |
985 | * |
986 | * Arguments: @time_t t@ = a time to convert |
987 | * |
988 | * Returns: A pointer to a textual representation of the time. |
989 | * |
990 | * Use: Converts a time to a textual representation. Corrupts |
991 | * @buf_t@. |
992 | */ |
993 | |
994 | extern const char *timestr(time_t /*t*/); |
995 | |
410c8acf |
996 | /*----- That's all, folks -------------------------------------------------*/ |
997 | |
998 | #ifdef __cplusplus |
999 | } |
1000 | #endif |
1001 | |
1002 | #endif |