Diffstat (limited to 'src')
-rw-r--r--src/anytun.cpp158
-rw-r--r--src/authAlgo.cpp3
-rw-r--r--src/authAlgo.h3
-rw-r--r--src/authAlgoFactory.cpp2
-rw-r--r--src/cipher.cpp7
-rw-r--r--src/cipher.h3
-rw-r--r--src/cipherFactory.cpp2
-rw-r--r--src/cryptinit.hpp82
-rw-r--r--src/daemon.hpp6
-rw-r--r--src/keyDerivation.cpp7
-rw-r--r--src/keyDerivation.h3
-rw-r--r--src/keyDerivationFactory.cpp2
-rw-r--r--src/sysexec.hpp26
13 files changed, 152 insertions, 152 deletions
diff --git a/src/anytun.cpp b/src/anytun.cpp
index 3e1c4fc..553c451 100644
--- a/src/anytun.cpp
+++ b/src/anytun.cpp
@@ -40,7 +40,9 @@
#include <unistd.h>
#include <boost/bind.hpp>
+#ifndef NOCRYPT
#include <gcrypt.h>
+#endif
#include <cerrno> // for ENOMEM
#include "datatypes.h"
@@ -76,6 +78,10 @@
#include "threadParam.h"
#define MAX_PACKET_LENGTH 1600
+#include "cryptinit.hpp"
+#include "daemon.hpp"
+#include "sysexec.hpp"
+
#define SESSION_KEYLEN_AUTH 20 // TODO: hardcoded size
#define SESSION_KEYLEN_ENCR 16 // TODO: hardcoded size
#define SESSION_KEYLEN_SALT 14 // TODO: hardcoded size
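Review bot: The three new includes are dropped between `#define MAX_PACKET_LENGTH` and the SESSION_KEYLEN defines instead of with the other includes, and nothing says why: cryptinit.hpp, daemon.hpp and sysexec.hpp contain function definitions (not just declarations) that use cLog, Log::PRIO_*, STERROR_TEXT_MAX, gcry_* and boost names from the includes above them, so their position is load-bearing. Move them to the end of the include list and say so: `// function definitions, not declarations: must follow log.h, <gcrypt.h> and boost (they use cLog, STERROR_TEXT_MAX, gcry_*)`. Because they carry definitions, anytun.cpp also has to stay their only includer unless the functions are made `inline`.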
@@ -342,150 +348,6 @@ void receiver(void* p)
}
}
-// boost thread callbacks for libgcrypt
-#if defined(BOOST_HAS_PTHREADS)
-
-static int boost_mutex_init(void **priv)
-{
- boost::mutex *lock = new boost::mutex();
- if (!lock)
- return ENOMEM;
- *priv = lock;
- return 0;
-}
-
-static int boost_mutex_destroy(void **lock)
-{
- delete reinterpret_cast<boost::mutex*>(*lock);
- return 0;
-}
-
-static int boost_mutex_lock(void **lock)
-{
- reinterpret_cast<boost::mutex*>(*lock)->lock();
- return 0;
-}
-
-static int boost_mutex_unlock(void **lock)
-{
- reinterpret_cast<boost::mutex*>(*lock)->unlock();
- return 0;
-}
-
-static struct gcry_thread_cbs gcry_threads_boost =
-{ GCRY_THREAD_OPTION_USER, NULL,
- boost_mutex_init, boost_mutex_destroy,
- boost_mutex_lock, boost_mutex_unlock };
-#else
-#error this libgcrypt thread callbacks only work with pthreads
-#endif
-
-#define MIN_GCRYPT_VERSION "1.2.0"
-
-bool initLibGCrypt()
-{
- // make libgcrypt thread safe
- // this must be called before any other libgcrypt call
- gcry_control( GCRYCTL_SET_THREAD_CBS, &gcry_threads_boost );
-
- // this must be called right after the GCRYCTL_SET_THREAD_CBS command
- // no other function must be called till now
- if( !gcry_check_version( MIN_GCRYPT_VERSION ) ) {
- std::cout << "initLibGCrypt: Invalid Version of libgcrypt, should be >= " << MIN_GCRYPT_VERSION << std::endl;
- return false;
- }
-
- gcry_error_t err = gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
- if( err ) {
- char buf[STERROR_TEXT_MAX];
- buf[0] = 0;
- std::cout << "initLibGCrypt: Failed to disable secure memory: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX) << std::endl;
- return false;
- }
-
- // Tell Libgcrypt that initialization has completed.
- err = gcry_control(GCRYCTL_INITIALIZATION_FINISHED);
- if( err ) {
- char buf[STERROR_TEXT_MAX];
- buf[0] = 0;
- std::cout << "initLibGCrypt: Failed to finish initialization: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX) << std::endl;
- return false;
- }
-
- cLog.msg(Log::PRIO_NOTICE) << "initLibGCrypt: libgcrypt init finished";
- return true;
-}
-
-void chrootAndDrop(std::string const& chrootdir, std::string const& username)
-{
- if (getuid() != 0)
- {
- std::cerr << "this programm has to be run as root in order to run in a chroot" << std::endl;
- exit(-1);
- }
-
- struct passwd *pw = getpwnam(username.c_str());
- if(pw) {
- if(chroot(chrootdir.c_str()))
- {
- std::cerr << "can't chroot to " << chrootdir << std::endl;
- exit(-1);
- }
- cLog.msg(Log::PRIO_NOTICE) << "we are in chroot jail (" << chrootdir << ") now" << std::endl;
- chdir("/");
- if (initgroups(pw->pw_name, pw->pw_gid) || setgid(pw->pw_gid) || setuid(pw->pw_uid))
- {
- std::cerr << "can't drop to user " << username << " " << pw->pw_uid << ":" << pw->pw_gid << std::endl;
- exit(-1);
- }
- cLog.msg(Log::PRIO_NOTICE) << "dropped user to " << username << " " << pw->pw_uid << ":" << pw->pw_gid << std::endl;
- }
- else
- {
- std::cerr << "unknown user " << username << std::endl;
- exit(-1);
- }
-}
-
-void daemonize()
-{
- pid_t pid;
-
- pid = fork();
- if(pid) exit(0);
- setsid();
- pid = fork();
- if(pid) exit(0);
-
-// std::cout << "running in background now..." << std::endl;
-
- int fd;
-// for (fd=getdtablesize();fd>=0;--fd) // close all file descriptors
- for (fd=0;fd<=2;fd++) // close all file descriptors
- close(fd);
- fd=open("/dev/null",O_RDWR); // stdin
- dup(fd); // stdout
- dup(fd); // stderr
- umask(027);
-}
-
-int execScript(std::string const& script, std::string const& ifname)
-{
- pid_t pid;
- pid = fork();
- if(!pid) {
- int fd;
- for (fd=getdtablesize();fd>=0;--fd) // close all file descriptors
- close(fd);
- fd=open("/dev/null",O_RDWR); // stdin
- dup(fd); // stdout
- dup(fd); // stderr
- return execl("/bin/sh", "/bin/sh", script.c_str(), ifname.c_str(), NULL);
- }
- int status = 0;
- waitpid(pid, &status, 0);
- return status;
-}
int main(int argc, char* argv[])
{
@@ -513,10 +375,12 @@ int main(int argc, char* argv[])
cLog.msg(Log::PRIO_NOTICE) << "dev created (opened)";
cLog.msg(Log::PRIO_NOTICE) << "dev opened - actual name is '" << dev.getActualName() << "'";
cLog.msg(Log::PRIO_NOTICE) << "dev type is '" << dev.getTypeString() << "'";
+#ifndef NOEXEC
if(gOpt.getPostUpScript() != "") {
int postup_ret = execScript(gOpt.getPostUpScript(), dev.getActualName());
cLog.msg(Log::PRIO_NOTICE) << "post up script '" << gOpt.getPostUpScript() << "' returned " << postup_ret;
}
+#endif
PacketSource* src;
if(gOpt.getLocalAddr() == "")
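Review bot: With NOEXEC defined, a configured post-up script is silently never run — the `if(gOpt.getPostUpScript() != "")` block is compiled out with no log line, so an operator whose firewall or route setup lives in that script gets a tunnel without it and nothing in the log explains why. Add an `#else` branch that reports the mismatch: `#else` / `if(gOpt.getPostUpScript() != "") cLog.msg(Log::PRIO_ERR) << "post up script configured but support was compiled out (NOEXEC)";` / `#endif`. The value logged as "returned" is also the raw waitpid status word from execScript rather than the script's exit code, which is better fixed in sysexec.hpp. main() continues outside this hunk.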
@@ -537,6 +401,7 @@ int main(int argc, char* argv[])
createConnection(endpoint,cl,gOpt.getSeqWindowSize(), queue, gOpt.getMux());
}
+#ifndef NODAEMON
if(gOpt.getChroot())
chrootAndDrop(gOpt.getChrootDir(), gOpt.getUsername());
if(gOpt.getDaemonize())
@@ -544,6 +409,7 @@ int main(int argc, char* argv[])
daemonize();
daemonized = true;
}
+#endif
if(pidFile.is_open()) {
pid_t pid = getpid();
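Review bot: When NODAEMON is defined, the chroot/username and daemonize options are still accepted but silently do nothing, because the calls to chrootAndDrop() and daemonize() (opened under `#ifndef NODAEMON` in the previous hunk) are compiled out — the process keeps running as root outside any chroot while the operator believes privileges were dropped. That is a security regression rather than a build convenience, so a configuration that asks for the compiled-out behaviour should be refused, not ignored: add an `#else` branch before this `#endif` that logs and exits when either option is set. The lines below do that; main() continues outside the hunk.
```cpp
  // … unchanged: chrootAndDrop()/daemonize() calls under #ifndef NODAEMON …
#else
  if(gOpt.getChroot() || gOpt.getDaemonize()) {
    cLog.msg(Log::PRIO_ERR) << "chroot/daemonize requested but this build was compiled with NODAEMON";
    return -1;
  }
#endif
```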
@@ -556,9 +422,11 @@ int main(int argc, char* argv[])
ThreadParam p(dev, *src, cl, queue,*(new OptionConnectTo()));
- // this must be called before any other libgcrypt call
+#ifndef NOCRYPT
+// this must be called before any other libgcrypt call
if(!initLibGCrypt())
return -1;
+#endif
boost::thread senderThread(boost::bind(sender,&p));
boost::thread receiverThread(boost::bind(receiver,&p));
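Review bot: The moved comment `// this must be called before any other libgcrypt call` appears to have lost its indentation and now sits at column 0 inside main()'s body; re-indent it under the `#ifndef NOCRYPT` and state what the compiled-out case means, e.g. `  // NOCRYPT builds skip libgcrypt entirely; only the "null" cipher, auth algo and key derivation exist`. The "before any other libgcrypt call" contract is also worth double-checking here: the connection's Cipher/AuthAlgo/KeyDerivation objects are created by createConnection() in an earlier hunk, and whether their constructors touch gcrypt cannot be seen from this diff. main() continues outside this hunk.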
diff --git a/src/authAlgo.cpp b/src/authAlgo.cpp
index 80ee3ba..ebd76d2 100644
--- a/src/authAlgo.cpp
+++ b/src/authAlgo.cpp
@@ -54,6 +54,7 @@ u_int32_t NullAuthAlgo::getMaxLength()
return MAX_LENGTH_;
}
+#ifndef NOCRYPT
//****** Sha1AuthAlgo ******
Sha1AuthAlgo::Sha1AuthAlgo() : ctx_(NULL)
@@ -128,3 +129,5 @@ u_int32_t Sha1AuthAlgo::getMaxLength()
{
return MAX_LENGTH_;
}
+#endif
+
diff --git a/src/authAlgo.h b/src/authAlgo.h
index c53f3c0..2e01c0b 100644
--- a/src/authAlgo.h
+++ b/src/authAlgo.h
@@ -81,7 +81,7 @@ public:
static const u_int32_t MAX_LENGTH_ = 0;
};
-
+#ifndef NOCRYPT
//****** Sha1AuthAlgo ******
//* HMAC SHA1 Auth Tag Generator Class
@@ -101,5 +101,6 @@ public:
private:
gcry_md_hd_t ctx_;
};
+#endif
#endif
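Review bot: The `gcry_md_hd_t ctx_` member is now guarded, but the header's `#include <gcrypt.h>` that supplies that type is outside this hunk; if that include is unconditional, a NOCRYPT build still needs the libgcrypt headers installed, which defeats the purpose of the guard — confirm and wrap it in the same `#ifndef NOCRYPT`. The two consecutive bare `#endif`s (one closing `#ifndef NOCRYPT`, one the include guard) are also easy to misread once more conditionals accumulate; label them `#endif // NOCRYPT` and `#endif // include guard`. Sha1AuthAlgo's class body begins outside this hunk.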
diff --git a/src/authAlgoFactory.cpp b/src/authAlgoFactory.cpp
index 4e51f36..333c47c 100644
--- a/src/authAlgoFactory.cpp
+++ b/src/authAlgoFactory.cpp
@@ -40,8 +40,10 @@ AuthAlgo* AuthAlgoFactory::create(std::string const& type)
{
if( type == "null" )
return new NullAuthAlgo();
+#ifndef NOCRYPT
else if( type == "sha1" )
return new Sha1AuthAlgo();
+#endif
else
throw std::invalid_argument("auth algo not available");
}
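Review bot: In a NOCRYPT build the only selectable auth algo is "null", i.e. packets carry no integrity tag at all, and asking for "sha1" now fails with the same generic `auth algo not available` that a typo would produce. Make the message distinguish the two so an operator does not mistake a crypto-less binary for a configuration error: under `#ifdef NOCRYPT` throw `std::invalid_argument("auth algo not available (built with NOCRYPT: only 'null' is supported)")`. A NOTICE-level log line at startup saying the binary was built without libgcrypt would help for the same reason.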
diff --git a/src/cipher.cpp b/src/cipher.cpp
index ab8b013..edfc760 100644
--- a/src/cipher.cpp
+++ b/src/cipher.cpp
@@ -34,10 +34,12 @@
#include <string>
#include <cstdio>
#include <cstring>
+#ifndef NOCRYPT
#include <gcrypt.h>
+#include "mpi.h"
+#endif
#include "cipher.h"
-#include "mpi.h"
#include "log.h"
@@ -73,7 +75,7 @@ u_int32_t NullCipher::decipher(u_int8_t* in, u_int32_t ilen, u_int8_t* out, u_in
return (ilen < olen) ? ilen : olen;
}
-
+#ifndef NOCRYPT
//****** AesIcmCipher ******
AesIcmCipher::AesIcmCipher() : cipher_(NULL)
@@ -178,4 +180,5 @@ void AesIcmCipher::calc(u_int8_t* in, u_int32_t ilen, u_int8_t* out, u_int32_t o
return;
}
}
+#endif
diff --git a/src/cipher.h b/src/cipher.h
index f590aef..d402bce 100644
--- a/src/cipher.h
+++ b/src/cipher.h
@@ -70,6 +70,7 @@ protected:
u_int32_t decipher(u_int8_t* in, u_int32_t ilen, u_int8_t* out, u_int32_t olen, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux);
};
+#ifndef NOCRYPT
//****** AesIcmCipher ******
class AesIcmCipher : public Cipher
@@ -90,6 +91,6 @@ private:
gcry_cipher_hd_t cipher_;
Buffer salt_;
};
-
+#endif
#endif
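Review bot: The `gcry_cipher_hd_t cipher_` member is guarded here, but the `#include <gcrypt.h>` that declares that type is outside this hunk; unless it gets the same `#ifndef NOCRYPT`, the NOCRYPT build still cannot compile without the libgcrypt headers — confirm. While here, label the two adjacent `#endif`s (`#endif // NOCRYPT`, `#endif // include guard`) so the nesting stays readable. AesIcmCipher's class body begins outside this hunk.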
diff --git a/src/cipherFactory.cpp b/src/cipherFactory.cpp
index 228b29b..b02e5bc 100644
--- a/src/cipherFactory.cpp
+++ b/src/cipherFactory.cpp
@@ -40,8 +40,10 @@ Cipher* CipherFactory::create(std::string const& type)
{
if( type == "null" )
return new NullCipher();
+#ifndef NOCRYPT
else if( type == "aes-ctr" )
return new AesIcmCipher();
+#endif
else
throw std::invalid_argument("cipher not available");
}
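Review bot: With NOCRYPT only "null" is constructible here, so every tunnel built this way is plaintext on the wire, and `cipher not available` is all the operator gets when "aes-ctr" is requested. Throw a message that names the build condition, e.g. `std::invalid_argument("cipher not available (built with NOCRYPT: only 'null' is supported)")` under `#ifdef NOCRYPT`, so that is not read as a typo in the config.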
diff --git a/src/cryptinit.hpp b/src/cryptinit.hpp
new file mode 100644
index 0000000..567a374
--- /dev/null
+++ b/src/cryptinit.hpp
@@ -0,0 +1,82 @@
+#ifndef _CRYPTINIT_HPP
+#define _CRYPTINIT_HPP
+#ifndef NOCRYPT
+
+// boost thread callbacks for libgcrypt
+#if defined(BOOST_HAS_PTHREADS)
+
+static int boost_mutex_init(void **priv)
+{
+ boost::mutex *lock = new boost::mutex();
+ if (!lock)
+ return ENOMEM;
+ *priv = lock;
+ return 0;
+}
+
+static int boost_mutex_destroy(void **lock)
+{
+ delete reinterpret_cast<boost::mutex*>(*lock);
+ return 0;
+}
+
+static int boost_mutex_lock(void **lock)
+{
+ reinterpret_cast<boost::mutex*>(*lock)->lock();
+ return 0;
+}
+
+static int boost_mutex_unlock(void **lock)
+{
+ reinterpret_cast<boost::mutex*>(*lock)->unlock();
+ return 0;
+}
+
+static struct gcry_thread_cbs gcry_threads_boost =
+{ GCRY_THREAD_OPTION_USER, NULL,
+ boost_mutex_init, boost_mutex_destroy,
+ boost_mutex_lock, boost_mutex_unlock };
+#else
+#error this libgcrypt thread callbacks only work with pthreads
+#endif
+
+
+#define MIN_GCRYPT_VERSION "1.2.0"
+
+bool initLibGCrypt()
+{
+ // make libgcrypt thread safe
+ // this must be called before any other libgcrypt call
+ gcry_control( GCRYCTL_SET_THREAD_CBS, &gcry_threads_boost );
+
+ // this must be called right after the GCRYCTL_SET_THREAD_CBS command
+ // no other function must be called till now
+ if( !gcry_check_version( MIN_GCRYPT_VERSION ) ) {
+ std::cout << "initLibGCrypt: Invalid Version of libgcrypt, should be >= " << MIN_GCRYPT_VERSION << std::endl;
+ return false;
+ }
+
+ gcry_error_t err = gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
+ if( err ) {
+ char buf[STERROR_TEXT_MAX];
+ buf[0] = 0;
+ std::cout << "initLibGCrypt: Failed to disable secure memory: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX) << std::endl;
+ return false;
+ }
+
+ // Tell Libgcrypt that initialization has completed.
+ err = gcry_control(GCRYCTL_INITIALIZATION_FINISHED);
+ if( err ) {
+ char buf[STERROR_TEXT_MAX];
+ buf[0] = 0;
+ std::cout << "initLibGCrypt: Failed to finish initialization: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX) << std::endl;
+ return false;
+ }
+
+ cLog.msg(Log::PRIO_NOTICE) << "initLibGCrypt: libgcrypt init finished";
+ return true;
+}
+
+#endif
+#endif
+
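Review bot: initLibGCrypt() reports its three failure cases on std::cout, but main() only calls it after daemonize() has redirected fds 0–2 to /dev/null, so a too-old libgcrypt or a failed GCRYCTL_INITIALIZATION_FINISHED makes the daemon exit with -1 and leaves nothing in the log — route them through `cLog.msg(Log::PRIO_ERR)` as the success path already does with cLog. `initLibGCrypt` and `gcry_threads_boost` are defined in a header without `inline`, which links only while anytun.cpp is the single includer; mark the function `inline` or move the bodies to a .cpp. In boost_mutex_init the `if (!lock) return ENOMEM;` is dead code because `new` throws std::bad_alloc rather than returning NULL, and that exception would unwind through libgcrypt's C frames; `boost::mutex *lock = new (std::nothrow) boost::mutex();` (with `<new>`) makes the check real. GCRYCTL_DISABLE_SECMEM also deserves a why-comment, since it means session keys live in ordinary swappable heap; presumably that is accepted because anytun may already be chrooted and unprivileged when this runs — confirm. The header additionally relies on its includer having pulled in <gcrypt.h>, boost, <cerrno>, <iostream> and log.h first; the rewritten function is below.
```cpp
// … unchanged: boost mutex callbacks and gcry_threads_boost …

#define MIN_GCRYPT_VERSION "1.2.0"

// inline: this header is included from anytun.cpp; a second includer would
// otherwise hit a duplicate definition of initLibGCrypt at link time.
inline bool initLibGCrypt()
{
  // make libgcrypt thread safe; must precede every other libgcrypt call
  gcry_control( GCRYCTL_SET_THREAD_CBS, &gcry_threads_boost );

  // must be the very next libgcrypt call after GCRYCTL_SET_THREAD_CBS
  if( !gcry_check_version( MIN_GCRYPT_VERSION ) ) {
    cLog.msg(Log::PRIO_ERR) << "initLibGCrypt: Invalid Version of libgcrypt, should be >= " << MIN_GCRYPT_VERSION;
    return false;
  }

  // Secure memory is disabled: session keys end up in ordinary, swappable heap.
  // TODO(review): document why this is acceptable for anytun (privilege drop / chroot?).
  gcry_error_t err = gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
  if( err ) {
    char buf[STERROR_TEXT_MAX];
    buf[0] = 0;
    cLog.msg(Log::PRIO_ERR) << "initLibGCrypt: Failed to disable secure memory: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX);
    return false;
  }

  err = gcry_control(GCRYCTL_INITIALIZATION_FINISHED);
  if( err ) {
    char buf[STERROR_TEXT_MAX];
    buf[0] = 0;
    cLog.msg(Log::PRIO_ERR) << "initLibGCrypt: Failed to finish initialization: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX);
    return false;
  }

  cLog.msg(Log::PRIO_NOTICE) << "initLibGCrypt: libgcrypt init finished";
  return true;
}
```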
diff --git a/src/daemon.hpp b/src/daemon.hpp
index 13c4132..be5c710 100644
--- a/src/daemon.hpp
+++ b/src/daemon.hpp
@@ -1,3 +1,6 @@
+#ifndef _DAEMON_HPP
+#define _DAEMON_HPP
+#ifndef NODAEMON
void chrootAndDrop(std::string const& chrootdir, std::string const& username)
{
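Review bot: `_DAEMON_HPP` begins with an underscore followed by an uppercase letter, a name the C++ standard reserves for the implementation; use something like `ANYTUN_DAEMON_HPP` (the guards in the other new headers have the same problem). The `#ifndef NODAEMON` opened here wraps `chrootAndDrop` and `daemonize`, which this header defines without `inline`, so any second translation unit including daemon.hpp would fail to link — either mark them `inline` or move the bodies to a .cpp file. chrootAndDrop's body continues outside this hunk.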
@@ -51,5 +54,6 @@ void daemonize()
dup(fd); // stderr
umask(027);
}
-
+#endif
+#endif
diff --git a/src/keyDerivation.cpp b/src/keyDerivation.cpp
index 1c88352..946943e 100644
--- a/src/keyDerivation.cpp
+++ b/src/keyDerivation.cpp
@@ -32,15 +32,16 @@
#include "log.h"
#include "keyDerivation.h"
-#include "mpi.h"
#include "threadUtils.hpp"
#include <stdexcept>
#include <iostream>
#include <string>
+#ifndef NOCRYPT
#include <gcrypt.h>
-
+#include "mpi.h"
+#endif
void KeyDerivation::setLogKDRate(const uint8_t log_rate)
{
@@ -56,6 +57,7 @@ void NullKeyDerivation::generate(satp_prf_label label, seq_nr_t seq_nr, Buffer&
for(u_int32_t i=0; i < key.getLength(); ++i) key[i] = 0;
}
+#ifndef NOCRYPT
//****** AesIcmKeyDerivation ******
AesIcmKeyDerivation::~AesIcmKeyDerivation()
@@ -165,4 +167,5 @@ void AesIcmKeyDerivation::generate(satp_prf_label label, seq_nr_t seq_nr, Buffer
cLog.msg(Log::PRIO_ERR) << "KeyDerivation::generate: Failed to generate cipher bitstream: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX);
}
}
+#endif
diff --git a/src/keyDerivation.h b/src/keyDerivation.h
index b64500b..0f41895 100644
--- a/src/keyDerivation.h
+++ b/src/keyDerivation.h
@@ -111,6 +111,7 @@ private:
};
+#ifndef NOCRYPT
//****** AesIcmKeyDerivation ******
class AesIcmKeyDerivation : public KeyDerivation
@@ -139,3 +140,5 @@ private:
#endif
+#endif
+
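Review bot: The new `#endif` is placed after the include guard's `#endif` rather than before it, so the nesting is now: the pre-existing `#endif` closes `#ifndef NOCRYPT` and the added one closes the include guard. The preprocessor accepts that, but any reader (or a future comment) that still associates the original `#endif` with the guard is now wrong; put the added line before the guard's `#endif` and label it `#endif // NOCRYPT`. AesIcmKeyDerivation's private section begins outside this hunk.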
diff --git a/src/keyDerivationFactory.cpp b/src/keyDerivationFactory.cpp
index 56a750a..58518b8 100644
--- a/src/keyDerivationFactory.cpp
+++ b/src/keyDerivationFactory.cpp
@@ -40,8 +40,10 @@ KeyDerivation* KeyDerivationFactory::create(std::string const& type)
{
if( type == "null" )
return new NullKeyDerivation();
+#ifndef NOCRYPT
else if( type == "aes-ctr" )
return new AesIcmKeyDerivation();
+#endif
else
throw std::invalid_argument("key derivation prf not available");
}
diff --git a/src/sysexec.hpp b/src/sysexec.hpp
new file mode 100644
index 0000000..73a18bf
--- /dev/null
+++ b/src/sysexec.hpp
@@ -0,0 +1,26 @@
+#ifndef _SYSEXEC_HPP
+#define _SYSEXEC_HPP
+#ifndef NOEXEC
+
+int execScript(std::string const& script, std::string const& ifname)
+{
+ pid_t pid;
+ pid = fork();
+ if(!pid) {
+ int fd;
+ for (fd=getdtablesize();fd>=0;--fd) // close all file descriptors
+ close(fd);
+ fd=open("/dev/null",O_RDWR); // stdin
+ dup(fd); // stdout
+ dup(fd); // stderr
+ return execl("/bin/sh", "/bin/sh", script.c_str(), ifname.c_str(), NULL);
+ }
+ int status = 0;
+ waitpid(pid, &status, 0);
+ return status;
+}
+
+
+#endif
+#endif
+
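Review bot: If execl() fails in the child (script missing or not executable, /bin/sh absent), `return execl(...)` returns -1 out of execScript into main(), so a second anytun process continues running the rest of main — a duplicate tunnel and, later, a duplicate daemon; the child must never return, so call `_exit(127)` after execl. `fork()` returning -1 is mishandled too: `!pid` is false for -1, so the parent path runs `waitpid(-1, ...)`, which waits for any child instead of reporting the failure. The parent also hands back the raw waitpid status word, which anytun.cpp logs as "returned N"; reporting `WEXITSTATUS(status)` (or -1 when the script did not exit normally) makes the log show the script's real exit code. As with the other new headers, `execScript` is a non-inline definition in a header and `_SYSEXEC_HPP` is a reserved identifier. The rewritten function is below; the fd-closing block in the child is unchanged.
```cpp
int execScript(std::string const& script, std::string const& ifname)
{
  pid_t pid = fork();
  if(pid < 0)
    return -1;                       // fork failed: nothing to wait for
  if(!pid) {
    // … unchanged: close inherited fds, reopen /dev/null on 0, 1, 2 …
    execl("/bin/sh", "/bin/sh", script.c_str(), ifname.c_str(), NULL);
    _exit(127);                      // exec failed: never return into main from the child
  }
  int status = 0;
  if(waitpid(pid, &status, 0) < 0)
    return -1;
  return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```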