From: Mark Wooding Date: Tue, 30 Dec 2008 14:50:50 +0000 (+0000) Subject: Merge branch 'public' X-Git-Tag: 1.0.0pre8~35 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/commitdiff_plain/3cbd2d89482ab48adea16aef781b191b793d9a26?hp=bd7248fa75f84b1a9dd627ceba0ffc99bdb0f6c5 Merge branch 'public' * public: pathmtu: New program for determining the MTU to a host. server/admin: New ALGS command. Build: Explicitly link against mLib or catacomb. tripe-keys: Add a subcommand to print the correct tunnel MTU. client/tripectl.c: Fix format string bug in tripectl. init/Makefile.am: Switch install-hook to install-data-hook. configure.ac: Use AM_PATH_GLIB_2_0. --- diff --git a/Makefile.am b/Makefile.am index e9d3febb..89262790 100644 --- a/Makefile.am +++ b/Makefile.am @@ -39,6 +39,11 @@ SUBDIRS += proxy SUBDIRS += pkstream SUBDIRS += init +## Path MTU discovery. +if PATHMTU +SUBDIRS += pathmtu +endif + ## Wireshark. if HAVE_WIRESHARK SUBDIRS += wireshark @@ -104,6 +109,10 @@ EXTRA_DIST += debian/copyright EXTRA_DIST += debian/pkstream.copyright EXTRA_DIST += debian/pkstream.install +## pathmtu +EXTRA_DIST += debian/pathmtu.copyright +EXTRA_DIST += debian/pathmtu.install + ## server and client EXTRA_DIST += debian/tripe.README EXTRA_DIST += debian/tripe.dirs @@ -123,5 +132,4 @@ EXTRA_DIST += debian/tripemon.install ## wireshark EXTRA_DIST += debian/tripe-wireshark.install - ###----- That's all, folks -------------------------------------------------- diff --git a/client/Makefile.am b/client/Makefile.am index dbbc2579..4e03c3be 100644 --- a/client/Makefile.am +++ b/client/Makefile.am @@ -28,12 +28,13 @@ include $(top_srcdir)/vars.am bin_PROGRAMS = man_MANS = +LDADD = $(libtripe) $(mLib_LIBS) + ###-------------------------------------------------------------------------- ### Client program. bin_PROGRAMS += tripectl -tripectl_LDADD = $(libtripe) tripectl_SOURCES = tripectl.c ## Manual page. 
diff --git a/client/tripectl.c b/client/tripectl.c index e171b0da..661e5199 100644 --- a/client/tripectl.c +++ b/client/tripectl.c @@ -263,7 +263,7 @@ static void logfile(const char *name) else if (logname) die(EXIT_FAILURE, d.buf); if (f & f_syslog) - syslog(LOG_ERR, d.buf); + syslog(LOG_ERR, "%s", d.buf); dstr_destroy(&d); } } diff --git a/configure.ac b/configure.ac index 0eeb1ec5..674116e3 100644 --- a/configure.ac +++ b/configure.ac @@ -61,7 +61,6 @@ PKG_CHECK_MODULES([mLib], [mLib >= 2.0.4]) PKG_CHECK_MODULES([catacomb], [catacomb >= 2.1.1]) CFLAGS="$CFLAGS $mLib_CFLAGS $catacomb_CFLAGS" -LIBS="$LIBS $mLib_LIBS" dnl-------------------------------------------------------------------------- dnl Directories to install things into. @@ -107,6 +106,19 @@ AC_ARG_WITH([tracing], AC_DEFINE([NTRACE], [1], [Disable all tracing.])], [:]) +dnl-------------------------------------------------------------------------- +dnl Path MTU discovery. + +case $host_os in + linux*) + pmtu=yes + ;; + *) + pmtu=no + ;; +esac +AM_CONDITIONAL([PATHMTU], [test $pmtu = yes]) + dnl-------------------------------------------------------------------------- dnl Tunnel devices. @@ -227,7 +239,7 @@ esac dnl If we're still interested, find Glib. case "$haveshark" in - yes) AM_PATH_GLIB([1.2.0], [], haveshark=false, [gmodule]) ;; + yes) AM_PATH_GLIB_2_0([2.4.0], [], [haveshark=false], [gmodule]) ;; esac dnl Find the include directory. This would be much easier if they just @@ -291,6 +303,7 @@ AC_CONFIG_FILES( [Makefile] [common/Makefile] [uslip/Makefile] + [pathmtu/Makefile] [client/Makefile] [server/Makefile] [proxy/Makefile] diff --git a/debian/.gitignore b/debian/.gitignore index 87f0ea24..a993e57d 100644 --- a/debian/.gitignore +++ b/debian/.gitignore @@ -10,6 +10,7 @@ compat ## Individual packages pkstream +pathmtu tripe tripe.default tripe.init @@ -18,3 +19,4 @@ tripemon tripe-keys tripe-ethereal tripe-uslip + diff --git a/debian/control b/debian/control index d59c2629..61ed0f6b 100644 
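Review bot: The format-string fix stops one line short: the context line just above the change, `else if (logname) die(EXIT_FAILURE, d.buf);`, still hands `d.buf` to `die()` as the format argument, and if `die()` is printf-style (as mLib's is) a `%` in the log file name or the strerror text is interpreted there exactly as it was in the `syslog()` call. It should become `die(EXIT_FAILURE, "%s", d.buf);` in the same commit. The enclosing logfile() starts before the hunk.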
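Review bot: The new PATHMTU conditional decides by `$host_os` name (`linux*`) while pathmtu.c decides by the `linux` preprocessor macro, so the two tests can disagree: a Linux build under `-std=c99`/`-std=c11`, where `linux` is not predefined, gets the directory built and then stops at the `#error`. A capability test keeps them in step, e.g. `AC_CHECK_DECLS([IP_MTU_DISCOVER], [pmtu=yes], [pmtu=no], [[#include <netinet/in.h>]])`, with pathmtu.c keyed on the resulting `HAVE_DECL_IP_MTU_DISCOVER` rather than on the OS name.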
--- a/debian/control +++ b/debian/control @@ -29,6 +29,14 @@ Description: Forward UDP packets over a stream packets on standard input and output; it also natively understands TCP sockets. Anything else can probably be fudged up with a port forwarder. +Package: pathmtu +Architecture: any +Depends: ${shlibs:Depends} +Description: Discover the path MTU to a given host + Pathmtu is a simple utility which prints the path MTU to a given host, i.e., + the size of the largest IP packet which can be sent to the host without + needing to be fragmented. + Package: tripe-uslip Architecture: any Depends: ${shlibs:Depends} diff --git a/debian/pathmtu.copyright b/debian/pathmtu.copyright new file mode 100644 index 00000000..dcb9f2a9 --- /dev/null +++ b/debian/pathmtu.copyright @@ -0,0 +1,16 @@ +Pathmtu is copyright (c) 2003 Straylight/Edgeware. + +Pathmtu is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. + +Pathmtu is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have a copy of the GNU General Public License in +/usr/share/common-licenses/GPL; if not, write to the Free Software +Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +USA. diff --git a/debian/pathmtu.install b/debian/pathmtu.install new file mode 100644 index 00000000..e568fbf3 --- /dev/null +++ b/debian/pathmtu.install @@ -0,0 +1,2 @@ +debian/tmp/usr/bin/pathmtu +debian/tmp/usr/share/man/man1/pathmtu.1 diff --git a/init/Makefile.am b/init/Makefile.am index 2d528191..a37214fd 100644 --- a/init/Makefile.am +++ b/init/Makefile.am 
@@ -44,7 +44,7 @@ tripe-init: tripe-init.in Makefile EXTRA_DIST += tripe.conf ## Necessary directories. -install-hook: +install-data-hook: for i in "$(configdir)" "$(socketdir)"; do \ case "$$i" in /*) $(mkdir_p) $(DESTDIR)$$i ;; esac; \ done diff --git a/keys/tripe-keys.8.in b/keys/tripe-keys.8.in index eb2604b8..ce3c1ec1 100644 --- a/keys/tripe-keys.8.in +++ b/keys/tripe-keys.8.in @@ -55,6 +55,8 @@ tripe-keys \- simple centralized key management for tripe .B "rebuild" .br .B "clean" +.br +.BR "mtu " [ \fIpath-mtu ] . .\"-------------------------------------------------------------------------- .SH "DESCRIPTION" @@ -215,6 +217,18 @@ might have written to a directory. In particular, it deletes and their associated .B .old files. +.TP +.BR "mtu " [ \fIpath-mtu ] +Write, as a decimal number on standard output, the recommended MTU for a +TrIPE tunnel interface, given that the +.I path-mtu +between two peers is as specified. The default is 1500, which is very +commonly correct, but you should check using a tool such as +.BR tracepath (8). +Getting the MTU too big will lead to unnecessary fragmentation of +TrIPE's UDP datagrams; getting it too small will fail to utilize the +underlying network effectively. If in doubt, it's therefore better to +underestimate. . .\"-------------------------------------------------------------------------- .SH "SEE ALSO" diff --git a/keys/tripe-keys.in b/keys/tripe-keys.in index b195342c..b0dbf945 100644 --- a/keys/tripe-keys.in +++ b/keys/tripe-keys.in 
@@ -473,6 +473,30 @@ def cmd_clean(args): r == 'keyring' or r == 'keyring.pub' or r.startswith('peer-')): zap(i) +###-------------------------------------------------------------------------- +### Commands: mtu + +def cmd_mtu(args): + mtu, = (lambda mtu = '1500': (mtu,))(*args) + mtu = int(mtu) + + blksz = C.gcciphers[conf['cipher']].blksz + + index = conf['mac'].find('/') + if index == -1: + tagsz = C.gcmacs[conf['mac']].tagsz + else: + tagsz = int(conf['mac'][index + 1:])/8 + + mtu -= 20 # Minimum IP header + mtu -= 8 # UDP header + mtu -= 1 # TrIPE packet type octet + mtu -= tagsz # MAC tag + mtu -= 4 # Sequence number + mtu -= blksz # Initialization vector + + print mtu + ###-------------------------------------------------------------------------- ### Main driver. @@ -485,6 +509,7 @@ commands = {'help': (cmd_help, 0, 1, ''), 'upload': (cmd_upload, 0, 0, ''), 'update': (cmd_update, 0, 0, ''), 'clean': (cmd_clean, 0, 0, ''), + 'mtu': (cmd_mtu, 0, 1, '[PATH-MTU]'), 'generate': (cmd_generate, 1, 1, 'TAG'), 'rebuild': (cmd_rebuild, 0, 0, '')} diff --git a/pathmtu/Makefile.am b/pathmtu/Makefile.am new file mode 100644 index 00000000..06af0530 --- /dev/null +++ b/pathmtu/Makefile.am 
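Review bot: In cmd_mtu, `tagsz = int(conf['mac'][index + 1:])/8` is Python 2 integer division, so a tag length that is not a multiple of 8 bits is rounded down, the printed MTU comes out too large, and packets at the limit get fragmented, the opposite of the man page's advice to underestimate; `tagsz = (int(conf['mac'][index + 1:]) + 7) // 8` rounds the right way, assuming tags occupy whole octets on the wire (confirm against the server's `algs.tagsz`). The `# Minimum IP header` line also silently assumes IPv4 without options; a comment such as `# 20 = IPv4 header without options; an IPv6 transport would need 40` would spare the next reader the surprise. The `mtu, = (lambda mtu = '1500': (mtu,))(*args)` idiom is hard to read for what is a default argument; `mtu = args[0] if args else '1500'` says the same thing plainly.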
@@ -0,0 +1,45 @@ +### -*-makefile-*- +### +### Build script for pathmtu +### +### (c) 2008 Straylight/Edgeware +### + +###----- Licensing notice --------------------------------------------------- +### +### This file is part of Trivial IP Encryption (TrIPE). +### +### TrIPE is free software; you can redistribute it and/or modify +### it under the terms of the GNU General Public License as published by +### the Free Software Foundation; either version 2 of the License, or +### (at your option) any later version. +### +### TrIPE is distributed in the hope that it will be useful, +### but WITHOUT ANY WARRANTY; without even the implied warranty of +### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +### GNU General Public License for more details. +### +### You should have received a copy of the GNU General Public License +### along with TrIPE; if not, write to the Free Software Foundation, +### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + +include $(top_srcdir)/vars.am + +bin_PROGRAMS = +man_MANS = + +LDADD = $(mLib_LIBS) + +###-------------------------------------------------------------------------- +### Path MTU discovery. + +## The program. +bin_PROGRAMS += pathmtu +pathmtu_SOURCES = pathmtu.c + +## Docuemntation. +man_MANS += pathmtu.1 +CLEANFILES += pathmtu.1 +EXTRA_DIST += pathmtu.1.in + +###----- That's all, folks -------------------------------------------------- diff --git a/pathmtu/pathmtu.1.in b/pathmtu/pathmtu.1.in new file mode 100644 index 00000000..364526bc --- /dev/null +++ b/pathmtu/pathmtu.1.in 
@@ -0,0 +1,112 @@ +.\" -*-nroff-*- +.\" +.\" Documentation for pathmtu +.\" +.\" (c) 2008 Straylight/Edgeware. +.\" + +.\"----- Licensing notice --------------------------------------------------- +.\" +.\" This file is part of Trivial IP Encryption (TrIPE). +.\" +.\" TrIPE is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation; either version 2 of the License, or +.\" (at your option) any later version. +.\" +.\" TrIPE is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with TrIPE; if not, write to the Free Software Foundation, +.\" Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +. +.\"-------------------------------------------------------------------------- +.so ../defs.man.in \" @@@PRE@@@ +. +.\"-------------------------------------------------------------------------- +.TH pathmtu 1 "29 December 2008" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption" +. +.\"-------------------------------------------------------------------------- +.SH "NAME" +. +pathmtu \- discover path MTU to a given host +. +.\"-------------------------------------------------------------------------- +.SH "SYNOPSIS" +. +.B pathmtu +.RB [ \-t +.IR timeout ] +.RB [ \-H +.IR header ] +.I host +.RI [ port ] +. +.\"-------------------------------------------------------------------------- +.SH "DESCRIPTION" +. +The +.B pathmtu +program discovers the size of the largest IP packet which can be sent to +a given +.I host +(specified as a dotted-quad IP address or host name) without being +fragmented. This is useful information, particularly when setting up +VPN tunnel interfaces. 
+.PP +The program works by sending UDP packets and finding out whether they +get fragmented. The packets are sent to a specified +.I port +(specified as a number or service name) on the destination host. The +destination does not need to be listening on the given port \(en indeed, +it doesn't matter if the port is firewalled. The default port is 7 +(echo), chosen because if it is active, we'll get an answer. +.PP +If the local host or some intermediate router is configured to drop ICMP +fragmentation-required errors then the discovery attempt will silently +fail. It is likely that TCP connections with the destination host will +fail in unexpected ways if this is the case. Don't drop +fragmentation-required errors! +.PP +Command-line options are as follows. +.TP +.B "\-h, \-\-help" +Writes a brief description of the command-line options available to +standard output and exits with status 0. +.TP +.B "\-v, \-\-version" +Writes tripe's version number to standard output and exits with status +0. +.TP +.B "\-u, \-\-usage" +Writes a brief usage summary to standard output and exits with status 0. +.TP +.BI "\-t, \-\-timeout=" timeout +Sets the time to wait for a reply, in seconds. If no reply or error is +received within the timeout, it is assumed that the attempt to send a +packet was successful. The timeout can be fractional; the default is +five seconds. +.TP +.BI "\-H, \-\-header=" header +Sets the packet header, in hexadecimal. If you set an explicit port +number, it may be worth setting the packet header too, so as not to +alarm anything which might be listening on that port. The default +packet contents are a fixed pseudorandomly-generated block of data. +. +.\"-------------------------------------------------------------------------- +.SH "BUGS" +. +The +.B pathmtu +program currently only works on Linux. Code for other operating systems +is welcome. +. +.\"-------------------------------------------------------------------------- +.SH "AUTHOR" +. +Mark Wooding, +. 
+.\"----- That's all, folks -------------------------------------------------- diff --git a/pathmtu/pathmtu.c b/pathmtu/pathmtu.c new file mode 100644 index 00000000..acc88378 --- /dev/null +++ b/pathmtu/pathmtu.c 
@@ -0,0 +1,247 @@ +/* -*-c-*- + * + * Report MTU on path to specified host + * + * (c) 2008 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Trivial IP Encryption (TrIPE). + * + * TrIPE is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * TrIPE is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with TrIPE; if not, write to the Free Software Foundation, + * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/*----- Header files ------------------------------------------------------*/ + +#include "config.h" + +#include +#include +#include +#include +#include + +#include +#include +#include + +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +/*----- Static variables --------------------------------------------------*/ + +static unsigned char buf[65536]; + +/*----- Utility functions -------------------------------------------------*/ + +/* Fill buffer with a constant but pseudorandom string. Uses a simple + * LFSR. + */ +static void fillbuffer(unsigned char *p, size_t sz) +{ + unsigned int y = 0xbc20; + const unsigned char *l = p + sz; + int i; +#define POLY 0x002d + + while (p < l) { + *p++ = y & 0xff; + for (i = 0; i < 8; i++) { + if (!(y & 0x8000)) y <<= 1; + else y = (y << 1) ^ POLY; + } + } +} + +/*----- Doing the actual job ----------------------------------------------*/ + +#if defined(linux) + +#ifndef IP_MTU +# define IP_MTU 14 /* Blech! 
*/ +#endif + +static int pathmtu(struct sockaddr_in *sin, double to) +{ + int sk; + fd_set fd_in; + int mtu; + int i; + size_t sz; + struct timeval tv; + + tv.tv_sec = to; tv.tv_usec = (to - tv.tv_sec) * 1000000; + if ((sk = socket(PF_INET, SOCK_DGRAM, 0)) < 0) goto fail_0; + i = IP_PMTUDISC_DO; + if (setsockopt(sk, SOL_IP, IP_MTU_DISCOVER, &i, sizeof(i))) + goto fail_1; + if (connect(sk, (struct sockaddr *)sin, sizeof(*sin))) goto fail_1; + for (;;) { + sz = sizeof(mtu); + if (getsockopt(sk, SOL_IP, IP_MTU, &mtu, &sz)) goto fail_1; + if (write(sk, buf, mtu - 28) < 0) goto fail_1; + FD_SET(sk, &fd_in); + if (select(sk + 1, &fd_in, 0, 0, &tv) < 0) goto fail_1; + if (!FD_ISSET(sk, &fd_in)) break; + if (read(sk, &i, 1) >= 0 || + errno == ECONNREFUSED || errno == EHOSTUNREACH) + break; + if (errno != EMSGSIZE) goto fail_1; + } + close(sk); + return (mtu); + +fail_1: + close(sk); +fail_0: + return (-1); +} + +#else + +# error "path MTU discovery not implemented" + +#endif + +/*----- Help options ------------------------------------------------------*/ + +static void version(FILE *fp) + { pquis(fp, "$, TrIPE version " VERSION "\n"); } + +static void usage(FILE *fp) + { pquis(fp, "Usage: $ [-t TIMEOUT] [-H HEADER] HOST [PORT]\n"); } + +static void help(FILE *fp) +{ + version(fp); + fputc('\n', fp); + usage(fp); + fputs("\ +\n\ +Options in full:\n\ +\n\ +-h, --help Show this help text.\n\ +-v, --version Show version number.\n\ +-u, --usage Show brief usage message.\n\ +\n\ +-t, --timeout=TIMEOUT Time to wait for reply, in seconds.\n\ +-H, --header=HEX Packet header, in hexadecimal.\n\ +", fp); +} + +/*----- Main code ---------------------------------------------------------*/ + +int main(int argc, char *argv[]) +{ + struct sockaddr_in sin; + hex_ctx hc; + dstr d = DSTR_INIT; + size_t sz; + int i; + unsigned long u; + char *q; + struct hostent *h; + struct servent *s; + double to = 5.0; + unsigned f = 0; + +#define f_bogus 1u + + ego(argv[0]); + fillbuffer(buf, 
sizeof(buf)); + sin.sin_port = htons(7); + + for (;;) { + static const struct option opts[] = { + { "help", 0, 0, 'h' }, + { "version", 0, 0, 'v' }, + { "usage", 0, 0, 'u' }, + { "header", OPTF_ARGREQ, 0, 'H' }, + { "timeout", OPTF_ARGREQ, 0, 't' }, + { 0, 0, 0, 0 } + }; + + i = mdwopt(argc, argv, "hvu" "H:", opts, 0, 0, 0); + if (i < 0) break; + switch (i) { + case 'h': help(stdout); exit(0); + case 'v': version(stdout); exit(0); + case 'u': usage(stdout); exit(0); + + case 'H': + DRESET(&d); + hex_init(&hc); + hex_decode(&hc, optarg, strlen(optarg), &d); + hex_decode(&hc, 0, 0, &d); + sz = d.len < sizeof(buf) ? d.len : sizeof(buf); + memcpy(buf, d.buf, sz); + break; + + case 't': + errno = 0; + to = strtod(optarg, &q); + if (errno || *q) die(EXIT_FAILURE, "bad timeout"); + break; + + default: + f |= f_bogus; + break; + } + } + argv += optind; argc -= optind; + if ((f & f_bogus) || 1 > argc || argc > 2) { + usage(stderr); + exit(EXIT_FAILURE); + } + + if ((h = gethostbyname(*argv)) == 0) + die(EXIT_FAILURE, "unknown host `%s': %s", *argv, hstrerror(h_errno)); + if (h->h_addrtype != AF_INET) + die(EXIT_FAILURE, "unsupported address family for host `%s'", *argv); + memcpy(&sin.sin_addr, h->h_addr, sizeof(struct in_addr)); + argv++; argc--; + + if (*argv) { + errno = 0; + u = strtoul(*argv, &q, 0); + if (!errno && !*q) + sin.sin_port = htons(u); + else if ((s = getservbyname(*argv, "udp")) == 0) + die(EXIT_FAILURE, "unknown UDP service `%s'", *argv); + else + sin.sin_port = s->s_port; + } + + sin.sin_family = AF_INET; + i = pathmtu(&sin, to); + if (i < 0) + die(EXIT_FAILURE, "failed to discover MTU: %s", strerror(errno)); + printf("%d\n", i); + if (ferror(stdout) || fflush(stdout) || fclose(stdout)) + die(EXIT_FAILURE, "failed to write result: %s", strerror(errno)); + return (0); +} + +/*----- That's all, folks -------------------------------------------------*/ diff --git a/pkstream/Makefile.am b/pkstream/Makefile.am index faafe0a7..a6cebddd 100644 
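Review bot: `fd_in` in pathmtu() is never cleared with FD_ZERO before FD_SET, so select() is handed an indeterminate descriptor set and may report spurious readiness or fail with EBADF; and because Linux select() also rewrites the set and counts `tv` down, every iteration after the first runs with a shorter timeout until a zero wait makes the "no reply, assume success" path return an MTU that was never confirmed, so both should be reset at the top of each round. `sz` should be `socklen_t`, which is what getsockopt() writes through, not `size_t` (on LP64 the two differ in width). In main(), the short-option string `"hvu" "H:"` has no `t:` entry, so the `-t TIMEOUT` form printed by usage() is rejected and only `--timeout` works; it should read `"hvu" "H:" "t:"`. The guard `#if defined(linux)` relies on a GNU-mode predefine and turns into the `#error` under `-std=c99`/`-std=c11`; `__linux__` is the reliable spelling. The rewritten discovery loop follows.
```c
static int pathmtu(struct sockaddr_in *sin, double to)
{
  int sk;
  fd_set fd_in;
  int mtu;
  int i;
  socklen_t sz;                 /* getsockopt() writes a socklen_t, not a size_t */
  struct timeval tv;

  /* … unchanged: socket(), IP_MTU_DISCOVER, connect() … */
  for (;;) {
    sz = sizeof(mtu);
    if (getsockopt(sk, SOL_IP, IP_MTU, &mtu, &sz)) goto fail_1;
    if (write(sk, buf, mtu - 28) < 0) goto fail_1;
    /* select() may rewrite both the set and the timeout: rebuild them each round. */
    FD_ZERO(&fd_in);
    FD_SET(sk, &fd_in);
    tv.tv_sec = to; tv.tv_usec = (to - tv.tv_sec) * 1000000;
    if (select(sk + 1, &fd_in, 0, 0, &tv) < 0) goto fail_1;
    /* … unchanged: FD_ISSET, read() and errno checks … */
  }
  /* … unchanged: close() and return … */
}
```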
--- a/pkstream/Makefile.am +++ b/pkstream/Makefile.am @@ -28,6 +28,8 @@ include $(top_srcdir)/vars.am bin_PROGRAMS = man_MANS = +LDADD = $(mLib_LIBS) + ###-------------------------------------------------------------------------- ### Packet-streaming proxy. diff --git a/proxy/Makefile.am b/proxy/Makefile.am index 54add7ec..0d4e516d 100644 --- a/proxy/Makefile.am +++ b/proxy/Makefile.am @@ -28,6 +28,8 @@ include $(top_srcdir)/vars.am bin_PROGRAMS = man_MANS = +LDADD = $mLib_LIBS + ###-------------------------------------------------------------------------- ### Proxy. diff --git a/server/Makefile.am b/server/Makefile.am index e033ab0c..3c050a10 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -28,13 +28,14 @@ include $(top_srcdir)/vars.am sbin_PROGRAMS = man_MANS = +LDADD = $(libtripe) $(catacomb_LIBS) + ###-------------------------------------------------------------------------- ### The main server. sbin_PROGRAMS += tripe tripe_SOURCES = -tripe_LDADD = $(libtripe) $(catacomb_LIBS) ## Main header file. tripe_SOURCES += tripe.h diff --git a/server/admin.c b/server/admin.c index c4433e45..045727f7 100644 --- a/server/admin.c +++ b/server/admin.c 
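Review bot: `LDADD = $mLib_LIBS` in proxy/Makefile.am is missing its parentheses: make reads `$m` as the (empty) one-letter variable and leaves the literal text `Lib_LIBS` on the link line, and since this same commit drops `$mLib_LIBS` from `LIBS` in configure.ac, the proxy now links with no mLib at all rather than picking it up implicitly as before. The sibling directories spell it correctly; change the line to `LDADD = $(mLib_LIBS)`.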
@@ -1646,6 +1646,34 @@ static void acmd_bgcancel(admin *a, unsigned ac, char *av[]) } } +static void acmd_algs(admin *a, unsigned ac, char *av[]) +{ + a_info(a, + "kx-group=%s", gg->ops->name, + "kx-group-order-bits=%lu", (unsigned long)mp_bits(gg->r), + "kx-group-elt-bits=%lu", (unsigned long)gg->nbits, + A_END); + a_info(a, + "hash=%s", algs.h->name, + "mgf=%s", algs.mgf->name, + "hash-sz=%lu", (unsigned long)algs.h->hashsz, + A_END); + a_info(a, + "cipher=%s", algs.c->name, + "cipher-keysz=%lu", (unsigned long)algs.cksz, + "cipher-blksz=%lu", (unsigned long)algs.c->blksz, + A_END); + a_info(a, + "cipher-data-limit=%lu", (unsigned long)algs.expsz, + A_END); + a_info(a, + "mac=%s", algs.m->name, + "mac-keysz=%lu", (unsigned long)algs.mksz, + "mac-tagsz=%lu", (unsigned long)algs.tagsz, + A_END); + a_ok(a); +} + static void acmd_list(admin *a, unsigned ac, char *av[]) { FOREACH_PEER(p, { a_info(a, "%s", p_name(p), A_END); }); @@ -1846,6 +1874,7 @@ static void acmd_help(admin */*a*/, unsigned /*ac*/, char */*av*/[]); static const acmd acmdtab[] = { { "add", "[OPTIONS] PEER ADDR ...", 2, 0xffff, acmd_add }, { "addr", "PEER", 1, 1, acmd_addr }, + { "algs", 0, 0, 0, acmd_algs }, { "bgcancel", "TAG", 1, 1, acmd_bgcancel }, { "checkchal", "CHAL", 1, 1, acmd_checkchal }, { "daemon", 0, 0, 0, acmd_daemon }, diff --git a/server/tripe-admin.5.in b/server/tripe-admin.5.in index 3442b023..c493d187 100644 --- a/server/tripe-admin.5.in +++ b/server/tripe-admin.5.in 
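Review bot: acmd_algs emits the key `"hash-sz=%lu"`, but the tripe-admin.5 text added by this same commit documents the key as `hashsz`, so a client following the manual will never find the value; either the output or the manual entry must change, and since the neighbouring keys here are `cipher-keysz`, `cipher-blksz` and `mac-tagsz`, the consistent choice is to document `hash-sz` (or rename the output to match the documented name, but not leave the two apart). A short comment on the function would also help, since the a_info lines read the globals `gg` and `algs` directly: `/* ALGS: report the key-exchange group and bulk algorithms currently configured (reads gg and algs). */`. Whether `gg` can be unset when ALGS is issued is not visible from this hunk; if it can, the first a_info needs a guard.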
@@ -344,6 +344,78 @@ Emits an line reporting the IP address and port number stored for .IR peer . .SP +.B "ALGS" +Emits information about the cryptographic algorithms in use, in +key-value form. The keys are as follows. +.RS +.TP +.B kx-group +Type of key-exchange group in use, currently either +.B ec +or +.BR prime . +.TP +.B kx-group-order-bits +Length of the group order, in bits. This gives an approximate measure +of the group strength. +.TP +.B kx-group-elt-bits +Length of a group element, in bits. This may be useful when analyzing +protocol traces. +.TP +.B hash +The hash function in use, e.g., +.BR sha256 . +.TP +.B mgf +The mask-generating function in use, e.g., +.BR whirlpool-mgf . +.TP +.B hashsz +The size of the hash function's output, in octets. +.TP +.B cipher +The name of the bulk data cipher in use, e.g., +.BR blowfish-cbc . +.TP +.B cipher-keysz +The length of key used by the bulk data cipher, in octets. +.TP +.B cipher-blksz +The block size of the bulk data cipher, or zero if it's not based on a +block cipher. +.TP +.B cipher-data-limit +The maximum amount of data to be encrypted using a single key. (A new +key exchange is instigated well before the limit is reached, in order to +allow for a seamless changeover of keys.) +.TP +.B mac +The message authentication algorithm in use, e.g., +.BR ripemd160-hmac .. +.TP +.B mac-keysz +The length of the key used by the message authentication algorithm, in +octets. +.TP +.B mac-tagsz +The length of the message authentication tag, in octets. +.PP +The various sizes are useful, for example, when computing the MTU for a +tunnel interface. If +.I MTU +is the MTU of the path to the peer, then the tunnel MTU should be +.IP +.I MTU +\- 33 \- +.I cipher-blksz +\- +.I mac-tagsz +.PP +allowing 20 bytes of IP header, 8 bytes of UDP header, a packet type +octet, a four-octet sequence number, an IV, and a MAC tag. +.RE +.SP .BI "BGCANCEL " tag Cancels the background job with the named .IR tag . 
diff --git a/uslip/Makefile.am b/uslip/Makefile.am index 182f8391..d7228578 100644 --- a/uslip/Makefile.am +++ b/uslip/Makefile.am @@ -28,6 +28,8 @@ include $(top_srcdir)/vars.am bin_PROGRAMS = man_MANS = +LDADD = $(mLib_LIBS) + ###-------------------------------------------------------------------------- ### Fake slip interface.