SUBDIRS += pkstream
SUBDIRS += init
+## Path MTU discovery.
+if PATHMTU
+SUBDIRS += pathmtu
+endif
+
## Wireshark.
if HAVE_WIRESHARK
SUBDIRS += wireshark
EXTRA_DIST += debian/pkstream.copyright
EXTRA_DIST += debian/pkstream.install
+## pathmtu
+EXTRA_DIST += debian/pathmtu.copyright
+EXTRA_DIST += debian/pathmtu.install
+
## server and client
EXTRA_DIST += debian/tripe.README
EXTRA_DIST += debian/tripe.dirs
## wireshark
EXTRA_DIST += debian/tripe-wireshark.install
-
###----- That's all, folks --------------------------------------------------
bin_PROGRAMS =
man_MANS =
+LDADD = $(libtripe) $(mLib_LIBS)
+
###--------------------------------------------------------------------------
### Client program.
bin_PROGRAMS += tripectl
-tripectl_LDADD = $(libtripe)
tripectl_SOURCES = tripectl.c
## Manual page.
else if (logname)
die(EXIT_FAILURE, d.buf);
if (f & f_syslog)
- syslog(LOG_ERR, d.buf);
+ syslog(LOG_ERR, "%s", d.buf);
dstr_destroy(&d);
}
}
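Review bot: The same format-string hazard this hunk fixes for `syslog()` is still present one line above it, where `die(EXIT_FAILURE, d.buf)` hands the assembled message to `die()` as its format argument; assuming `die()` is printf-like, as its other callers in this patch suggest (`die(EXIT_FAILURE, "unknown host `%s': %s", ...)`), any `%` in `d.buf` (a peer name, a system error string) is interpreted by the formatter. Change it to `die(EXIT_FAILURE, "%s", d.buf);`. The enclosing function starts before this hunk, so I can't see how `d` is built or whether its contents are attacker-influenced.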
PKG_CHECK_MODULES([catacomb], [catacomb >= 2.1.1])
CFLAGS="$CFLAGS $mLib_CFLAGS $catacomb_CFLAGS"
-LIBS="$LIBS $mLib_LIBS"
dnl--------------------------------------------------------------------------
dnl Directories to install things into.
AC_DEFINE([NTRACE], [1], [Disable all tracing.])],
[:])
+dnl--------------------------------------------------------------------------
+dnl Path MTU discovery.
+
+case $host_os in
+ linux*)
+ pmtu=yes
+ ;;
+ *)
+ pmtu=no
+ ;;
+esac
+AM_CONDITIONAL([PATHMTU], [test $pmtu = yes])
+
dnl--------------------------------------------------------------------------
dnl Tunnel devices.
dnl If we're still interested, find Glib.
case "$haveshark" in
- yes) AM_PATH_GLIB([1.2.0], [], haveshark=false, [gmodule]) ;;
+ yes) AM_PATH_GLIB_2_0([2.4.0], [], [haveshark=false], [gmodule]) ;;
esac
dnl Find the include directory. This would be much easier if they just
[Makefile]
[common/Makefile]
[uslip/Makefile]
+ [pathmtu/Makefile]
[client/Makefile]
[server/Makefile]
[proxy/Makefile]
## Individual packages
pkstream
+pathmtu
tripe
tripe.default
tripe.init
tripe-keys
tripe-ethereal
tripe-uslip
+
packets on standard input and output; it also natively understands TCP
sockets. Anything else can probably be fudged up with a port forwarder.
+Package: pathmtu
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: Discover the path MTU to a given host
+ Pathmtu is a simple utility which prints the path MTU to a given host, i.e.,
+ the size of the largest IP packet which can be sent to the host without
+ needing to be fragmented.
+
Package: tripe-uslip
Architecture: any
Depends: ${shlibs:Depends}
--- /dev/null
+Pathmtu is copyright (c) 2003 Straylight/Edgeware.
+
+Pathmtu is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+Pathmtu is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have a copy of the GNU General Public License in
+/usr/share/common-licenses/GPL; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+USA.
--- /dev/null
+debian/tmp/usr/bin/pathmtu
+debian/tmp/usr/share/man/man1/pathmtu.1
EXTRA_DIST += tripe.conf
## Necessary directories.
-install-hook:
+install-data-hook:
for i in "$(configdir)" "$(socketdir)"; do \
case "$$i" in /*) $(mkdir_p) $(DESTDIR)$$i ;; esac; \
done
.B "rebuild"
.br
.B "clean"
+.br
+.BR "mtu " [ \fIpath-mtu ]
.
.\"--------------------------------------------------------------------------
.SH "DESCRIPTION"
and their associated
.B .old
files.
+.TP
+.BR "mtu " [ \fIpath-mtu ]
+Write, as a decimal number on standard output, the recommended MTU for a
+TrIPE tunnel interface, given that the
+.I path-mtu
+between two peers is as specified. The default is 1500, which is very
+commonly correct, but you should check using a tool such as
+.BR tracepath (8).
+Getting the MTU too big will lead to unnecessary fragmentation of
+TrIPE's UDP datagrams; getting it too small will fail to utilize the
+underlying network effectively. If in doubt, it's therefore better to
+underestimate.
.
.\"--------------------------------------------------------------------------
.SH "SEE ALSO"
r == 'keyring' or r == 'keyring.pub' or r.startswith('peer-')):
zap(i)
+###--------------------------------------------------------------------------
+### Commands: mtu
+
+def cmd_mtu(args):
+ mtu, = (lambda mtu = '1500': (mtu,))(*args)
+ mtu = int(mtu)
+
+ blksz = C.gcciphers[conf['cipher']].blksz
+
+ index = conf['mac'].find('/')
+ if index == -1:
+ tagsz = C.gcmacs[conf['mac']].tagsz
+ else:
+ tagsz = int(conf['mac'][index + 1:])/8
+
+ mtu -= 20 # Minimum IP header
+ mtu -= 8 # UDP header
+ mtu -= 1 # TrIPE packet type octet
+ mtu -= tagsz # MAC tag
+ mtu -= 4 # Sequence number
+ mtu -= blksz # Initialization vector
+
+ print mtu
+
###--------------------------------------------------------------------------
### Main driver.
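Review bot: The `tagsz = int(conf['mac'][index + 1:])/8` branch in `cmd_mtu` is Python 2 integer division, so a tag length that is not a multiple of 8 bits is rounded down and the printed MTU comes out one byte too large, which is the unsafe direction the accompanying man page text warns against. If TrIPE accepts such tag lengths (I can't tell from here), compute it as `(int(conf['mac'][index + 1:]) + 7) // 8` instead. A non-numeric tag suffix or `PATH-MTU` argument also escapes as a bare `ValueError` traceback from `int()`; a short explicit error message would be friendlier than a stack trace.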
'upload': (cmd_upload, 0, 0, ''),
'update': (cmd_update, 0, 0, ''),
'clean': (cmd_clean, 0, 0, ''),
+ 'mtu': (cmd_mtu, 0, 1, '[PATH-MTU]'),
'generate': (cmd_generate, 1, 1, 'TAG'),
'rebuild': (cmd_rebuild, 0, 0, '')}
--- /dev/null
+### -*-makefile-*-
+###
+### Build script for pathmtu
+###
+### (c) 2008 Straylight/Edgeware
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This file is part of Trivial IP Encryption (TrIPE).
+###
+### TrIPE is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### TrIPE is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with TrIPE; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+include $(top_srcdir)/vars.am
+
+bin_PROGRAMS =
+man_MANS =
+
+LDADD = $(mLib_LIBS)
+
+###--------------------------------------------------------------------------
+### Path MTU discovery.
+
+## The program.
+bin_PROGRAMS += pathmtu
+pathmtu_SOURCES = pathmtu.c
+
+## Docuemntation.
+man_MANS += pathmtu.1
+CLEANFILES += pathmtu.1
+EXTRA_DIST += pathmtu.1.in
+
+###----- That's all, folks --------------------------------------------------
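Review bot: The comment `## Docuemntation.` is misspelled and should read `## Documentation.`. Separately, this file lists `man_MANS += pathmtu.1`, `CLEANFILES += pathmtu.1` and `EXTRA_DIST += pathmtu.1.in` but contains no rule producing `pathmtu.1` from `pathmtu.1.in`; presumably the included `vars.am` supplies the generic `.1.in` → `.1` rule used by the other subdirectories, but that is worth confirming since a missing rule would only show up at `make dist`/install time.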
--- /dev/null
+.\" -*-nroff-*-
+.\"
+.\" Documentation for pathmtu
+.\"
+.\" (c) 2008 Straylight/Edgeware.
+.\"
+
+.\"----- Licensing notice ---------------------------------------------------
+.\"
+.\" This file is part of Trivial IP Encryption (TrIPE).
+.\"
+.\" TrIPE is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" TrIPE is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with TrIPE; if not, write to the Free Software Foundation,
+.\" Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+.
+.\"--------------------------------------------------------------------------
+.so ../defs.man.in \" @@@PRE@@@
+.
+.\"--------------------------------------------------------------------------
+.TH pathmtu 1 "29 December 2008" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
+.
+.\"--------------------------------------------------------------------------
+.SH "NAME"
+.
+pathmtu \- discover path MTU to a given host
+.
+.\"--------------------------------------------------------------------------
+.SH "SYNOPSIS"
+.
+.B pathmtu
+.RB [ \-t
+.IR timeout ]
+.RB [ \-H
+.IR header ]
+.I host
+.RI [ port ]
+.
+.\"--------------------------------------------------------------------------
+.SH "DESCRIPTION"
+.
+The
+.B pathmtu
+program discovers the size of the largest IP packet which can be sent to
+a given
+.I host
+(specified as a dotted-quad IP address or host name) without being
+fragmented. This is useful information, particularly when setting up
+VPN tunnel interfaces.
+.PP
+The program works by sending UDP packets and finding out whether they
+get fragmented. The packets are sent to a specified
+.I port
+(specified as a number or service name) on the destination host. The
+destination does not need to be listening on the given port \(en indeed,
+it doesn't matter if the port is firewalled. The default port is 7
+(echo), chosen because if it is active, we'll get an answer.
+.PP
+If the local host or some intermediate router is configured to drop ICMP
+fragmentation-required errors then the discovery attempt will silently
+fail. It is likely that TCP connections with the destination host will
+fail in unexpected ways if this is the case. Don't drop
+fragmentation-required errors!
+.PP
+Command-line options are as follows.
+.TP
+.B "\-h, \-\-help"
+Writes a brief description of the command-line options available to
+standard output and exits with status 0.
+.TP
+.B "\-v, \-\-version"
+Writes tripe's version number to standard output and exits with status
+0.
+.TP
+.B "\-u, \-\-usage"
+Writes a brief usage summary to standard output and exits with status 0.
+.TP
+.BI "\-t, \-\-timeout=" timeout
+Sets the time to wait for a reply, in seconds. If no reply or error is
+received within the timeout, it is assumed that the attempt to send a
+packet was successful. The timeout can be fractional; the default is
+five seconds.
+.TP
+.BI "\-H, \-\-header=" header
+Sets the packet header, in hexadecimal. If you set an explicit port
+number, it may be worth setting the packet header too, so as not to
+alarm anything which might be listening on that port. The default
+packet contents are a fixed pseudorandomly-generated block of data.
+.
+.\"--------------------------------------------------------------------------
+.SH "BUGS"
+.
+The
+.B pathmtu
+program currently only works on Linux. Code for other operating systems
+is welcome.
+.
+.\"--------------------------------------------------------------------------
+.SH "AUTHOR"
+.
+Mark Wooding, <mdw@distorted.org.uk>
+.
+.\"----- That's all, folks --------------------------------------------------
--- /dev/null
+/* -*-c-*-
+ *
+ * Report MTU on path to specified host
+ *
+ * (c) 2008 Straylight/Edgeware
+ */
+
+/*----- Licensing notice --------------------------------------------------*
+ *
+ * This file is part of Trivial IP Encryption (TrIPE).
+ *
+ * TrIPE is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * TrIPE is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with TrIPE; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+/*----- Header files ------------------------------------------------------*/
+
+#include "config.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <unistd.h>
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <mLib/dstr.h>
+#include <mLib/hex.h>
+#include <mLib/mdwopt.h>
+#include <mLib/quis.h>
+#include <mLib/report.h>
+#include <mLib/tv.h>
+
+/*----- Static variables --------------------------------------------------*/
+
+static unsigned char buf[65536];
+
+/*----- Utility functions -------------------------------------------------*/
+
+/* Fill buffer with a constant but pseudorandom string. Uses a simple
+ * LFSR.
+ */
+static void fillbuffer(unsigned char *p, size_t sz)
+{
+ unsigned int y = 0xbc20;
+ const unsigned char *l = p + sz;
+ int i;
+#define POLY 0x002d
+
+ while (p < l) {
+ *p++ = y & 0xff;
+ for (i = 0; i < 8; i++) {
+ if (!(y & 0x8000)) y <<= 1;
+ else y = (y << 1) ^ POLY;
+ }
+ }
+}
+
+/*----- Doing the actual job ----------------------------------------------*/
+
+#if defined(linux)
+
+#ifndef IP_MTU
+# define IP_MTU 14 /* Blech! */
+#endif
+
+static int pathmtu(struct sockaddr_in *sin, double to)
+{
+ int sk;
+ fd_set fd_in;
+ int mtu;
+ int i;
+ size_t sz;
+ struct timeval tv;
+
+ tv.tv_sec = to; tv.tv_usec = (to - tv.tv_sec) * 1000000;
+ if ((sk = socket(PF_INET, SOCK_DGRAM, 0)) < 0) goto fail_0;
+ i = IP_PMTUDISC_DO;
+ if (setsockopt(sk, SOL_IP, IP_MTU_DISCOVER, &i, sizeof(i)))
+ goto fail_1;
+ if (connect(sk, (struct sockaddr *)sin, sizeof(*sin))) goto fail_1;
+ for (;;) {
+ sz = sizeof(mtu);
+ if (getsockopt(sk, SOL_IP, IP_MTU, &mtu, &sz)) goto fail_1;
+ if (write(sk, buf, mtu - 28) < 0) goto fail_1;
+ FD_SET(sk, &fd_in);
+ if (select(sk + 1, &fd_in, 0, 0, &tv) < 0) goto fail_1;
+ if (!FD_ISSET(sk, &fd_in)) break;
+ if (read(sk, &i, 1) >= 0 ||
+ errno == ECONNREFUSED || errno == EHOSTUNREACH)
+ break;
+ if (errno != EMSGSIZE) goto fail_1;
+ }
+ close(sk);
+ return (mtu);
+
+fail_1:
+ close(sk);
+fail_0:
+ return (-1);
+}
+
+#else
+
+# error "path MTU discovery not implemented"
+
+#endif
+
+/*----- Help options ------------------------------------------------------*/
+
+static void version(FILE *fp)
+ { pquis(fp, "$, TrIPE version " VERSION "\n"); }
+
+static void usage(FILE *fp)
+ { pquis(fp, "Usage: $ [-t TIMEOUT] [-H HEADER] HOST [PORT]\n"); }
+
+static void help(FILE *fp)
+{
+ version(fp);
+ fputc('\n', fp);
+ usage(fp);
+ fputs("\
+\n\
+Options in full:\n\
+\n\
+-h, --help Show this help text.\n\
+-v, --version Show version number.\n\
+-u, --usage Show brief usage message.\n\
+\n\
+-t, --timeout=TIMEOUT Time to wait for reply, in seconds.\n\
+-H, --header=HEX Packet header, in hexadecimal.\n\
+", fp);
+}
+
+/*----- Main code ---------------------------------------------------------*/
+
+int main(int argc, char *argv[])
+{
+ struct sockaddr_in sin;
+ hex_ctx hc;
+ dstr d = DSTR_INIT;
+ size_t sz;
+ int i;
+ unsigned long u;
+ char *q;
+ struct hostent *h;
+ struct servent *s;
+ double to = 5.0;
+ unsigned f = 0;
+
+#define f_bogus 1u
+
+ ego(argv[0]);
+ fillbuffer(buf, sizeof(buf));
+ sin.sin_port = htons(7);
+
+ for (;;) {
+ static const struct option opts[] = {
+ { "help", 0, 0, 'h' },
+ { "version", 0, 0, 'v' },
+ { "usage", 0, 0, 'u' },
+ { "header", OPTF_ARGREQ, 0, 'H' },
+ { "timeout", OPTF_ARGREQ, 0, 't' },
+ { 0, 0, 0, 0 }
+ };
+
+ i = mdwopt(argc, argv, "hvu" "H:", opts, 0, 0, 0);
+ if (i < 0) break;
+ switch (i) {
+ case 'h': help(stdout); exit(0);
+ case 'v': version(stdout); exit(0);
+ case 'u': usage(stdout); exit(0);
+
+ case 'H':
+ DRESET(&d);
+ hex_init(&hc);
+ hex_decode(&hc, optarg, strlen(optarg), &d);
+ hex_decode(&hc, 0, 0, &d);
+ sz = d.len < sizeof(buf) ? d.len : sizeof(buf);
+ memcpy(buf, d.buf, sz);
+ break;
+
+ case 't':
+ errno = 0;
+ to = strtod(optarg, &q);
+ if (errno || *q) die(EXIT_FAILURE, "bad timeout");
+ break;
+
+ default:
+ f |= f_bogus;
+ break;
+ }
+ }
+ argv += optind; argc -= optind;
+ if ((f & f_bogus) || 1 > argc || argc > 2) {
+ usage(stderr);
+ exit(EXIT_FAILURE);
+ }
+
+ if ((h = gethostbyname(*argv)) == 0)
+ die(EXIT_FAILURE, "unknown host `%s': %s", *argv, hstrerror(h_errno));
+ if (h->h_addrtype != AF_INET)
+ die(EXIT_FAILURE, "unsupported address family for host `%s'", *argv);
+ memcpy(&sin.sin_addr, h->h_addr, sizeof(struct in_addr));
+ argv++; argc--;
+
+ if (*argv) {
+ errno = 0;
+ u = strtoul(*argv, &q, 0);
+ if (!errno && !*q)
+ sin.sin_port = htons(u);
+ else if ((s = getservbyname(*argv, "udp")) == 0)
+ die(EXIT_FAILURE, "unknown UDP service `%s'", *argv);
+ else
+ sin.sin_port = s->s_port;
+ }
+
+ sin.sin_family = AF_INET;
+ i = pathmtu(&sin, to);
+ if (i < 0)
+ die(EXIT_FAILURE, "failed to discover MTU: %s", strerror(errno));
+ printf("%d\n", i);
+ if (ferror(stdout) || fflush(stdout) || fclose(stdout))
+ die(EXIT_FAILURE, "failed to write result: %s", strerror(errno));
+ return (0);
+}
+
+/*----- That's all, folks -------------------------------------------------*/
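Review bot: `fd_in` is never cleared before the `FD_SET(sk, &fd_in)` at the top of the loop in `pathmtu()`, so the set carries uninitialized stack bits into `select()`, which can fail with EBADF or make `FD_ISSET()` report readiness that never happened; `FD_ZERO(&fd_in)` belongs inside the loop, and since Linux select(2) also modifies `tv` on return, `tv` should be reloaded from `to` each round so later probes don't run with a shrinking timeout (`sz` should also be `socklen_t`, which is what `getsockopt()` writes). In `main()`, the short-option string `"hvu" "H:"` omits `t:`, so the `-t TIMEOUT` advertised by `usage()` is rejected via the bogus-option path — use `"hvu" "H:t:"`. `sin` is never zeroed either (`memset(&sin, 0, sizeof(sin));` before filling its fields), and a numeric port from `strtoul()` is silently truncated by `htons(u)` without a `u > 65535` check. Finally, `#if defined(linux)` relies on the non-reserved `linux` macro, which is not defined under strict ISO modes such as `-std=c99` and would turn the build into the `#error` branch even though configure selected pathmtu from `$host_os`; `__linux__` is the portable spelling.
```c
  for (;;) {
    sz = sizeof(mtu);
    if (getsockopt(sk, SOL_IP, IP_MTU, &mtu, &sz)) goto fail_1;
    if (write(sk, buf, mtu - 28) < 0) goto fail_1;
    /* Linux select(2) rewrites both the fd set and the timeout on return,
     * so rebuild them on every probe rather than once before the loop. */
    tv.tv_sec = to; tv.tv_usec = (to - tv.tv_sec) * 1000000;
    FD_ZERO(&fd_in);
    FD_SET(sk, &fd_in);
    if (select(sk + 1, &fd_in, 0, 0, &tv) < 0) goto fail_1;
    if (!FD_ISSET(sk, &fd_in)) break;
    /* … unchanged: read() and EMSGSIZE handling … */
  }
```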
bin_PROGRAMS =
man_MANS =
+LDADD = $(mLib_LIBS)
+
###--------------------------------------------------------------------------
### Packet-streaming proxy.
bin_PROGRAMS =
man_MANS =
+LDADD = $mLib_LIBS
+
###--------------------------------------------------------------------------
### Proxy.
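Review bot: `LDADD = $mLib_LIBS` is not a reference to `mLib_LIBS`: make reads `$m` as the (unset) variable `m` followed by the literal text `Lib_LIBS`, so the proxy would be linked without mLib, and the line is inconsistent with the `$(mLib_LIBS)` spelling used in every other Makefile.am hunk of this patch. Change it to `LDADD = $(mLib_LIBS)`.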
sbin_PROGRAMS =
man_MANS =
+LDADD = $(libtripe) $(catacomb_LIBS)
+
###--------------------------------------------------------------------------
### The main server.
sbin_PROGRAMS += tripe
tripe_SOURCES =
-tripe_LDADD = $(libtripe) $(catacomb_LIBS)
## Main header file.
tripe_SOURCES += tripe.h
}
}
+static void acmd_algs(admin *a, unsigned ac, char *av[])
+{
+ a_info(a,
+ "kx-group=%s", gg->ops->name,
+ "kx-group-order-bits=%lu", (unsigned long)mp_bits(gg->r),
+ "kx-group-elt-bits=%lu", (unsigned long)gg->nbits,
+ A_END);
+ a_info(a,
+ "hash=%s", algs.h->name,
+ "mgf=%s", algs.mgf->name,
+ "hash-sz=%lu", (unsigned long)algs.h->hashsz,
+ A_END);
+ a_info(a,
+ "cipher=%s", algs.c->name,
+ "cipher-keysz=%lu", (unsigned long)algs.cksz,
+ "cipher-blksz=%lu", (unsigned long)algs.c->blksz,
+ A_END);
+ a_info(a,
+ "cipher-data-limit=%lu", (unsigned long)algs.expsz,
+ A_END);
+ a_info(a,
+ "mac=%s", algs.m->name,
+ "mac-keysz=%lu", (unsigned long)algs.mksz,
+ "mac-tagsz=%lu", (unsigned long)algs.tagsz,
+ A_END);
+ a_ok(a);
+}
+
static void acmd_list(admin *a, unsigned ac, char *av[])
{
FOREACH_PEER(p, { a_info(a, "%s", p_name(p), A_END); });
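Review bot: The key emitted by `acmd_algs` for the hash output size is `hash-sz=%lu`, but the tripe-admin man page text added elsewhere in this patch documents it as `hashsz`; one of the two needs to change so that clients parsing the `ALGS` reply (including the `mtu` computation this patch motivates) match what the server sends. The hyphenated form is consistent with the neighbouring `cipher-keysz`/`mac-tagsz` keys, so I'd fix the man page to `.B hash-sz` rather than the code. The rest of the output matches the documented keys as far as I can see.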
static const acmd acmdtab[] = {
{ "add", "[OPTIONS] PEER ADDR ...", 2, 0xffff, acmd_add },
{ "addr", "PEER", 1, 1, acmd_addr },
+ { "algs", 0, 0, 0, acmd_algs },
{ "bgcancel", "TAG", 1, 1, acmd_bgcancel },
{ "checkchal", "CHAL", 1, 1, acmd_checkchal },
{ "daemon", 0, 0, 0, acmd_daemon },
line reporting the IP address and port number stored for
.IR peer .
.SP
+.B "ALGS"
+Emits information about the cryptographic algorithms in use, in
+key-value form. The keys are as follows.
+.RS
+.TP
+.B kx-group
+Type of key-exchange group in use, currently either
+.B ec
+or
+.BR prime .
+.TP
+.B kx-group-order-bits
+Length of the group order, in bits. This gives an approximate measure
+of the group strength.
+.TP
+.B kx-group-elt-bits
+Length of a group element, in bits. This may be useful when analyzing
+protocol traces.
+.TP
+.B hash
+The hash function in use, e.g.,
+.BR sha256 .
+.TP
+.B mgf
+The mask-generating function in use, e.g.,
+.BR whirlpool-mgf .
+.TP
+.B hashsz
+The size of the hash function's output, in octets.
+.TP
+.B cipher
+The name of the bulk data cipher in use, e.g.,
+.BR blowfish-cbc .
+.TP
+.B cipher-keysz
+The length of key used by the bulk data cipher, in octets.
+.TP
+.B cipher-blksz
+The block size of the bulk data cipher, or zero if it's not based on a
+block cipher.
+.TP
+.B cipher-data-limit
+The maximum amount of data to be encrypted using a single key. (A new
+key exchange is instigated well before the limit is reached, in order to
+allow for a seamless changeover of keys.)
+.TP
+.B mac
+The message authentication algorithm in use, e.g.,
+.BR ripemd160-hmac ..
+.TP
+.B mac-keysz
+The length of the key used by the message authentication algorithm, in
+octets.
+.TP
+.B mac-tagsz
+The length of the message authentication tag, in octets.
+.PP
+The various sizes are useful, for example, when computing the MTU for a
+tunnel interface. If
+.I MTU
+is the MTU of the path to the peer, then the tunnel MTU should be
+.IP
+.I MTU
+\- 33 \-
+.I cipher-blksz
+\-
+.I mac-tagsz
+.PP
+allowing 20 bytes of IP header, 8 bytes of UDP header, a packet type
+octet, a four-octet sequence number, an IV, and a MAC tag.
+.RE
+.SP
.BI "BGCANCEL " tag
Cancels the background job with the named
.IR tag .
bin_PROGRAMS =
man_MANS =
+LDADD = $(mLib_LIBS)
+
###--------------------------------------------------------------------------
### Fake slip interface.