2 * curvetun - the cipherspace wormhole creator
3 * Part of the netsniff-ng project
4 * Copyright 2011 Daniel Borkmann <daniel@netsniff-ng.org>,
5 * Subject to the GPL, version 2.
20 #include <netinet/in.h>
21 #include <netinet/tcp.h>
22 #include <netinet/udp.h>
24 #include <sys/types.h>
25 #include <sys/socket.h>
27 #include <sys/epoll.h>
28 #include <arpa/inet.h>
29 #include <linux/if_tun.h>
38 #include "ct_usermgmt.h"
50 struct worker_struct
{
54 struct parent_info parent
;
55 int (*handler
)(int fd
, const struct worker_struct
*ws
,
56 char *buff
, size_t len
);
57 struct curve25519_struct
*c
;
60 static struct worker_struct
*threadpool
= NULL
;
62 static int auth_log
= 1;
64 extern volatile sig_atomic_t sigint
;
66 static int handler_udp_tun_to_net(int fd
, const struct worker_struct
*ws
,
67 char *buff
, size_t len
) __pure
;
68 static int handler_udp_net_to_tun(int fd
, const struct worker_struct
*ws
,
69 char *buff
, size_t len
) __pure
;
70 static int handler_udp(int fd
, const struct worker_struct
*ws
,
71 char *buff
, size_t len
) __pure
;
72 static int handler_tcp_tun_to_net(int fd
, const struct worker_struct
*ws
,
73 char *buff
, size_t len
) __pure
;
74 static int handler_tcp_net_to_tun(int fd
, const struct worker_struct
*ws
,
75 char *buff
, size_t len
) __pure
;
76 static int handler_tcp(int fd
, const struct worker_struct
*ws
,
77 char *buff
, size_t len
) __pure
;
78 ssize_t
handler_tcp_read(int fd
, char *buff
, size_t len
);
79 static void *worker(void *self
) __pure
;
81 static int handler_udp_tun_to_net(int fd
, const struct worker_struct
*ws
,
82 char *buff
, size_t len
)
86 ssize_t rlen
, err
, clen
;
88 struct curve25519_proto
*p
;
89 struct sockaddr_storage naddr
;
91 size_t off
= sizeof(struct ct_proto
) + crypto_box_zerobytes
;
93 if (!buff
|| len
<= off
)
97 while ((rlen
= read(fd
, buff
+ off
, len
- off
)) > 0) {
98 dfd
= -1; nlen
= 0; p
= NULL
;
100 memset(&naddr
, 0, sizeof(naddr
));
102 hdr
= (struct ct_proto
*) buff
;
103 memset(hdr
, 0, sizeof(*hdr
));
106 trie_addr_lookup(buff
+ off
, rlen
, ws
->parent
.ipv4
, &dfd
, &naddr
,
108 if (unlikely(dfd
< 0 || nlen
== 0)) {
109 memset(buff
, 0, len
);
113 err
= get_user_by_sockaddr(&naddr
, nlen
, &p
);
114 if (unlikely(err
|| !p
)) {
115 memset(buff
, 0, len
);
119 clen
= curve25519_encode(ws
->c
, p
, (unsigned char *) (buff
+ off
-
120 crypto_box_zerobytes
), (rlen
+
121 crypto_box_zerobytes
), (unsigned char **)
123 if (unlikely(clen
<= 0)) {
124 memset(buff
, 0, len
);
128 hdr
->payload
= htons((uint16_t) clen
);
132 sendto(dfd
, hdr
, sizeof(struct ct_proto
), 0, (struct sockaddr
*)
134 sendto(dfd
, cbuff
, clen
, 0, (struct sockaddr
*) &naddr
, nlen
);
138 memset(buff
, 0, len
);
144 static void handler_udp_notify_close(int fd
, struct sockaddr_storage
*addr
)
148 memset(&hdr
, 0, sizeof(hdr
));
149 hdr
.flags
|= PROTO_FLAG_EXIT
;
152 sendto(fd
, &hdr
, sizeof(hdr
), 0, (struct sockaddr
*) addr
,
156 static int handler_udp_net_to_tun(int fd
, const struct worker_struct
*ws
,
157 char *buff
, size_t len
)
161 ssize_t rlen
, err
, clen
;
162 struct ct_proto
*hdr
;
163 struct curve25519_proto
*p
;
164 struct sockaddr_storage naddr
;
165 socklen_t nlen
= sizeof(naddr
);
170 memset(&naddr
, 0, sizeof(naddr
));
171 while ((rlen
= recvfrom(fd
, buff
, len
, 0, (struct sockaddr
*) &naddr
,
175 hdr
= (struct ct_proto
*) buff
;
177 if (unlikely(rlen
< sizeof(struct ct_proto
)))
179 if (unlikely(rlen
- sizeof(*hdr
) != ntohs(hdr
->payload
)))
181 if (unlikely(ntohs(hdr
->payload
) == 0))
183 if (hdr
->flags
& PROTO_FLAG_EXIT
) {
185 remove_user_by_sockaddr(&naddr
, nlen
);
186 trie_addr_remove_addr(&naddr
, nlen
);
187 handler_udp_notify_close(fd
, &naddr
);
191 if (hdr
->flags
& PROTO_FLAG_INIT
) {
192 syslog_maybe(auth_log
, LOG_INFO
, "Got initial userhash "
193 "from remote end!\n");
195 if (unlikely(rlen
- sizeof(*hdr
) <
196 sizeof(struct username_struct
)))
199 err
= try_register_user_by_sockaddr(ws
->c
,
200 buff
+ sizeof(struct ct_proto
),
201 rlen
- sizeof(struct ct_proto
),
202 &naddr
, nlen
, auth_log
);
209 err
= get_user_by_sockaddr(&naddr
, nlen
, &p
);
210 if (unlikely(err
|| !p
))
213 clen
= curve25519_decode(ws
->c
, p
, (unsigned char *) buff
+
214 sizeof(struct ct_proto
),
215 rlen
- sizeof(struct ct_proto
),
216 (unsigned char **) &cbuff
, NULL
);
217 if (unlikely(clen
<= 0))
220 cbuff
+= crypto_box_zerobytes
;
221 clen
-= crypto_box_zerobytes
;
223 err
= trie_addr_maybe_update(cbuff
, clen
, ws
->parent
.ipv4
,
228 err
= write(ws
->parent
.tunfd
, cbuff
, clen
);
230 nlen
= sizeof(naddr
);
231 memset(&naddr
, 0, sizeof(naddr
));
237 static int handler_udp(int fd
, const struct worker_struct
*ws
,
238 char *buff
, size_t len
)
242 if (fd
== ws
->parent
.tunfd
)
243 ret
= handler_udp_tun_to_net(fd
, ws
, buff
, len
);
245 ret
= handler_udp_net_to_tun(fd
, ws
, buff
, len
);
250 static int handler_tcp_tun_to_net(int fd
, const struct worker_struct
*ws
,
251 char *buff
, size_t len
)
255 ssize_t rlen
, err
, clen
;
256 struct ct_proto
*hdr
;
257 struct curve25519_proto
*p
;
259 size_t off
= sizeof(struct ct_proto
) + crypto_box_zerobytes
;
261 if (!buff
|| len
<= off
)
264 memset(buff
, 0, len
);
265 while ((rlen
= read(fd
, buff
+ off
, len
- off
)) > 0) {
268 hdr
= (struct ct_proto
*) buff
;
269 memset(hdr
, 0, sizeof(*hdr
));
272 trie_addr_lookup(buff
+ off
, rlen
, ws
->parent
.ipv4
, &dfd
, NULL
,
274 if (unlikely(dfd
< 0)) {
275 memset(buff
, 0, len
);
279 err
= get_user_by_socket(dfd
, &p
);
280 if (unlikely(err
|| !p
)) {
281 memset(buff
, 0, len
);
285 clen
= curve25519_encode(ws
->c
, p
, (unsigned char *) (buff
+ off
-
286 crypto_box_zerobytes
), (rlen
+
287 crypto_box_zerobytes
), (unsigned char **)
289 if (unlikely(clen
<= 0)) {
290 memset(buff
, 0, len
);
294 hdr
->payload
= htons((uint16_t) clen
);
298 write_exact(dfd
, hdr
, sizeof(struct ct_proto
), 0);
299 write_exact(dfd
, cbuff
, clen
, 0);
303 memset(buff
, 0, len
);
309 ssize_t
handler_tcp_read(int fd
, char *buff
, size_t len
)
312 struct ct_proto
*hdr
= (struct ct_proto
*) buff
;
317 /* May exit on EAGAIN if 0 Byte read */
318 rlen
= read_exact(fd
, buff
, sizeof(struct ct_proto
), 1);
321 if (unlikely(ntohs(hdr
->payload
) > len
- sizeof(struct ct_proto
))) {
323 return 1; /* Force server to close connection */
326 /* May not exit on EAGAIN if 0 Byte read */
327 rlen
= read_exact(fd
, buff
+ sizeof(struct ct_proto
),
328 ntohs(hdr
->payload
), 0);
332 return sizeof(struct ct_proto
) + rlen
;
335 static void handler_tcp_notify_close(int fd
)
339 memset(&hdr
, 0, sizeof(hdr
));
340 hdr
.flags
|= PROTO_FLAG_EXIT
;
343 if (write(fd
, &hdr
, sizeof(hdr
))) { ; }
346 static int handler_tcp_net_to_tun(int fd
, const struct worker_struct
*ws
,
347 char *buff
, size_t len
)
349 int keep
= 1, count
= 0;
351 ssize_t rlen
, err
, clen
;
352 struct ct_proto
*hdr
;
353 struct curve25519_proto
*p
;
358 while ((rlen
= handler_tcp_read(fd
, buff
, len
)) > 0) {
361 hdr
= (struct ct_proto
*) buff
;
363 if (unlikely(rlen
< sizeof(struct ct_proto
)))
365 if (unlikely(rlen
- sizeof(*hdr
) != ntohs(hdr
->payload
)))
367 if (unlikely(ntohs(hdr
->payload
) == 0))
369 if (hdr
->flags
& PROTO_FLAG_EXIT
) {
371 remove_user_by_socket(fd
);
372 trie_addr_remove(fd
);
373 handler_tcp_notify_close(fd
);
374 rlen
= write(ws
->parent
.efd
, &fd
, sizeof(fd
));
379 if (hdr
->flags
& PROTO_FLAG_INIT
) {
380 syslog_maybe(auth_log
, LOG_INFO
, "Got initial userhash "
381 "from remote end!\n");
383 if (unlikely(rlen
- sizeof(*hdr
) <
384 sizeof(struct username_struct
)))
387 err
= try_register_user_by_socket(ws
->c
,
388 buff
+ sizeof(struct ct_proto
),
389 rlen
- sizeof(struct ct_proto
),
397 err
= get_user_by_socket(fd
, &p
);
398 if (unlikely(err
|| !p
))
401 clen
= curve25519_decode(ws
->c
, p
, (unsigned char *) buff
+
402 sizeof(struct ct_proto
),
403 rlen
- sizeof(struct ct_proto
),
404 (unsigned char **) &cbuff
, NULL
);
405 if (unlikely(clen
<= 0))
408 cbuff
+= crypto_box_zerobytes
;
409 clen
-= crypto_box_zerobytes
;
411 err
= trie_addr_maybe_update(cbuff
, clen
, ws
->parent
.ipv4
,
416 err
= write(ws
->parent
.tunfd
, cbuff
, clen
);
420 write_exact(ws
->efd
[1], &fd
, sizeof(fd
), 1);
421 /* Read later next data and let others process */
429 static int handler_tcp(int fd
, const struct worker_struct
*ws
,
430 char *buff
, size_t len
)
434 if (fd
== ws
->parent
.tunfd
)
435 ret
= handler_tcp_tun_to_net(fd
, ws
, buff
, len
);
437 ret
= handler_tcp_net_to_tun(fd
, ws
, buff
, len
);
442 static void *worker(void *self
)
446 size_t blen
= TUNBUFF_SIZ
; //FIXME
447 const struct worker_struct
*ws
= self
;
454 curve25519_alloc_or_maybe_die(ws
->c
);
456 buff
= xmalloc_aligned(blen
, 64);
458 syslog(LOG_INFO
, "curvetun thread on CPU%u up!\n", ws
->cpu
);
460 pthread_cleanup_push(xfree_func
, ws
->c
);
461 pthread_cleanup_push(curve25519_free
, ws
->c
);
462 pthread_cleanup_push(xfree_func
, buff
);
464 while (likely(!sigint
)) {
466 if ((fds
.revents
& POLLIN
) != POLLIN
)
469 pthread_setcancelstate(PTHREAD_CANCEL_DISABLE
, &old_state
);
471 while ((ret
= read_exact(ws
->efd
[0], &fd
, sizeof(fd
), 1)) > 0) {
472 if (ret
!= sizeof(fd
)) {
477 ret
= ws
->handler(fd
, ws
, buff
, blen
);
479 write_exact(ws
->parent
.refd
, &fd
, sizeof(fd
), 1);
482 pthread_setcancelstate(old_state
, NULL
);
485 syslog(LOG_INFO
, "curvetun thread on CPU%u down!\n", ws
->cpu
);
487 pthread_cleanup_pop(1);
488 pthread_cleanup_pop(1);
489 pthread_cleanup_pop(1);
491 pthread_exit((void *) ((long) ws
->cpu
));
494 static void thread_spawn_or_panic(unsigned int cpus
, int efd
, int refd
,
495 int tunfd
, int ipv4
, int udp
)
499 unsigned int threads
;
501 threads
= cpus
* THREADS_PER_CPU
;
503 for (i
= 0; i
< threads
; ++i
) {
505 threadpool
[i
].cpu
= i
% cpus
;
506 CPU_SET(threadpool
[i
].cpu
, &cpuset
);
508 ret
= pipe2(threadpool
[i
].efd
, O_NONBLOCK
);
510 syslog_panic("Cannot create event socket!\n");
512 threadpool
[i
].c
= xmalloc_aligned(sizeof(*threadpool
[i
].c
), 64);
513 threadpool
[i
].parent
.efd
= efd
;
514 threadpool
[i
].parent
.refd
= refd
;
515 threadpool
[i
].parent
.tunfd
= tunfd
;
516 threadpool
[i
].parent
.ipv4
= ipv4
;
517 threadpool
[i
].parent
.udp
= udp
;
518 threadpool
[i
].handler
= udp
? handler_udp
: handler_tcp
;
520 ret
= pthread_create(&threadpool
[i
].trid
, NULL
,
521 worker
, &threadpool
[i
]);
523 syslog_panic("Thread creation failed!\n");
525 ret
= pthread_setaffinity_np(threadpool
[i
].trid
,
526 sizeof(cpuset
), &cpuset
);
528 syslog_panic("Thread CPU migration failed!\n");
530 pthread_detach(threadpool
[i
].trid
);
536 static void thread_finish(unsigned int cpus
)
539 unsigned int threads
;
541 threads
= cpus
* THREADS_PER_CPU
;
543 for (i
= 0; i
< threads
; ++i
) {
544 while (pthread_join(threadpool
[i
].trid
, NULL
) < 0)
547 close(threadpool
[i
].efd
[0]);
548 close(threadpool
[i
].efd
[1]);
552 int server_main(char *home
, char *dev
, char *port
, int udp
, int ipv4
, int log
)
554 int lfd
= -1, kdpfd
, nfds
, nfd
, curfds
, efd
[2], refd
[2], tunfd
, i
;
555 unsigned int cpus
= 0, threads
, udp_cpu
= 0;
557 struct epoll_event
*events
;
558 struct addrinfo hints
, *ahead
, *ai
;
561 openlog("curvetun", LOG_PID
| LOG_CONS
| LOG_NDELAY
, LOG_DAEMON
);
563 syslog(LOG_INFO
, "curvetun server booting!\n");
564 syslog_maybe(!auth_log
, LOG_INFO
, "curvetun user logging disabled!\n");
566 parse_userfile_and_generate_user_store_or_die(home
);
568 memset(&hints
, 0, sizeof(hints
));
569 hints
.ai_family
= PF_UNSPEC
;
570 hints
.ai_socktype
= udp
? SOCK_DGRAM
: SOCK_STREAM
;
571 hints
.ai_protocol
= udp
? IPPROTO_UDP
: IPPROTO_TCP
;
572 hints
.ai_flags
= AI_PASSIVE
;
574 ret
= getaddrinfo(NULL
, port
, &hints
, &ahead
);
576 syslog_panic("Cannot get address info!\n");
578 for (ai
= ahead
; ai
!= NULL
&& lfd
< 0; ai
= ai
->ai_next
) {
579 lfd
= socket(ai
->ai_family
, ai
->ai_socktype
, ai
->ai_protocol
);
582 if (ai
->ai_family
== AF_INET6
) {
584 ret
= set_ipv6_only(lfd
);
594 #endif /* IPV6_V6ONLY */
598 set_mtu_disc_dont(lfd
);
600 ret
= bind(lfd
, ai
->ai_addr
, ai
->ai_addrlen
);
608 ret
= listen(lfd
, 5);
617 ipv4
= (ai
->ai_family
== AF_INET6
? 0 :
618 (ai
->ai_family
== AF_INET
? 1 : -1));
621 syslog_maybe(auth_log
, LOG_INFO
, "curvetun on IPv%d via %s "
622 "on port %s!\n", ai
->ai_family
== AF_INET
? 4 : 6,
623 udp
? "UDP" : "TCP", port
);
624 syslog_maybe(auth_log
, LOG_INFO
, "Allowed overlay proto is "
625 "IPv%d!\n", ipv4
? 4 : 6);
630 if (lfd
< 0 || ipv4
< 0)
631 syslog_panic("Cannot create socket!\n");
633 tunfd
= tun_open_or_die(dev
? dev
: DEVNAME_SERVER
, IFF_TUN
| IFF_NO_PI
);
635 pipe_or_die(efd
, O_NONBLOCK
);
636 pipe_or_die(refd
, O_NONBLOCK
);
638 set_nonblocking(lfd
);
640 events
= xzmalloc(MAX_EPOLL_SIZE
* sizeof(*events
));
641 for (i
= 0; i
< MAX_EPOLL_SIZE
; ++i
)
642 events
[i
].data
.fd
= -1;
644 kdpfd
= epoll_create(MAX_EPOLL_SIZE
);
646 syslog_panic("Cannot create socket!\n");
648 set_epoll_descriptor(kdpfd
, EPOLL_CTL_ADD
, lfd
,
649 udp
? EPOLLIN
| EPOLLET
| EPOLLONESHOT
: EPOLLIN
);
650 set_epoll_descriptor(kdpfd
, EPOLL_CTL_ADD
, efd
[0], EPOLLIN
);
651 set_epoll_descriptor(kdpfd
, EPOLL_CTL_ADD
, refd
[0], EPOLLIN
);
652 set_epoll_descriptor(kdpfd
, EPOLL_CTL_ADD
, tunfd
,
653 EPOLLIN
| EPOLLET
| EPOLLONESHOT
);
658 cpus
= get_number_cpus_online();
659 threads
= cpus
* THREADS_PER_CPU
;
660 if (!ispow2(threads
))
661 syslog_panic("Thread number not power of two!\n");
663 threadpool
= xzmalloc(sizeof(*threadpool
) * threads
);
664 thread_spawn_or_panic(cpus
, efd
[1], refd
[1], tunfd
, ipv4
, udp
);
666 init_cpusched(threads
);
668 register_socket(tunfd
);
669 register_socket(lfd
);
671 syslog(LOG_INFO
, "curvetun up and running!\n");
673 while (likely(!sigint
)) {
674 nfds
= epoll_wait(kdpfd
, events
, curfds
, -1);
676 syslog(LOG_ERR
, "epoll_wait error: %s\n",
681 for (i
= 0; i
< nfds
; ++i
) {
682 if (unlikely(events
[i
].data
.fd
< 0))
685 if (events
[i
].data
.fd
== lfd
&& !udp
) {
687 char hbuff
[256], sbuff
[256];
688 struct sockaddr_storage taddr
;
691 tlen
= sizeof(taddr
);
692 nfd
= accept(lfd
, (struct sockaddr
*) &taddr
,
695 syslog(LOG_ERR
, "accept error: %s\n",
700 if (curfds
+ 1 > MAX_EPOLL_SIZE
) {
707 ncpu
= register_socket(nfd
);
709 memset(hbuff
, 0, sizeof(hbuff
));
710 memset(sbuff
, 0, sizeof(sbuff
));
711 getnameinfo((struct sockaddr
*) &taddr
, tlen
,
712 hbuff
, sizeof(hbuff
),
713 sbuff
, sizeof(sbuff
),
714 NI_NUMERICHOST
| NI_NUMERICSERV
);
716 syslog_maybe(auth_log
, LOG_INFO
, "New connection "
717 "from %s:%s with id %d on CPU%d, %d "
718 "active!\n", hbuff
, sbuff
, nfd
, ncpu
,
721 set_nonblocking(nfd
);
722 set_socket_keepalive(nfd
);
723 set_tcp_nodelay(nfd
);
724 ret
= set_epoll_descriptor2(kdpfd
, EPOLL_CTL_ADD
,
725 nfd
, EPOLLIN
| EPOLLET
| EPOLLONESHOT
);
731 } else if (events
[i
].data
.fd
== refd
[0]) {
734 ret
= read_exact(refd
[0], &fd_one
,
736 if (ret
!= sizeof(fd_one
) || fd_one
<= 0)
739 ret
= set_epoll_descriptor2(kdpfd
, EPOLL_CTL_MOD
,
740 fd_one
, EPOLLIN
| EPOLLET
| EPOLLONESHOT
);
745 } else if (events
[i
].data
.fd
== efd
[0]) {
748 ret
= read_exact(efd
[0], &fd_del
,
750 if (ret
!= sizeof(fd_del
) || fd_del
<= 0)
753 ret
= read(fd_del
, &test
, sizeof(test
));
754 if (ret
< 0 && errno
== EBADF
)
757 ret
= set_epoll_descriptor2(kdpfd
, EPOLL_CTL_DEL
,
766 unregister_socket(fd_del
);
768 syslog_maybe(auth_log
, LOG_INFO
, "Closed connection "
769 "with id %d, %d active!\n", fd_del
,
772 int cpu
, fd_work
= events
[i
].data
.fd
;
775 cpu
= socket_to_cpu(fd_work
);
777 udp_cpu
= (udp_cpu
+ 1) & (threads
- 1);
779 write_exact(threadpool
[udp
? udp_cpu
: cpu
].efd
[1],
780 &fd_work
, sizeof(fd_work
), 1);
785 syslog(LOG_INFO
, "curvetun prepare shut down!\n");
799 unregister_socket(lfd
);
800 unregister_socket(tunfd
);
806 destroy_user_store();
808 syslog(LOG_INFO
, "curvetun shut down!\n");