-rw-r--r-- | doc/uanytun.8.txt | 108 | ||||
-rw-r--r-- | src/cipher.h | 2 | ||||
-rw-r--r-- | src/options.c | 32 | ||||
-rw-r--r-- | src/options.h | 4 |
4 files changed, 69 insertions, 77 deletions
diff --git a/doc/uanytun.8.txt b/doc/uanytun.8.txt index bb58f87..dc1b934 100644 --- a/doc/uanytun.8.txt +++ b/doc/uanytun.8.txt @@ -17,22 +17,21 @@ SYNOPSIS [ *-P|--write-pid* <filename> ] [ *-i|--interface* <ip-address> ] [ *-p|--port* <port> ] +[ *-s|--sender-id* <sender id> ] [ *-r|--remote-host* <hostname|ip> ] [ *-o|--remote-port* <port> ] [ *-d|--dev* <name> ] [ *-t|--type* <tun|tap> ] [ *-n|--ifconfig* <local> <remote|netmask> ] [ *-x|--post-up-script* <script> ] -[ *-s|--sender-id* <sender id> ] -[ *-w|--window-size* <window size> ] [ *-m|--mux* <mux-id> ] -[ *-c|--cipher* <cipher type> ] -[ *-a|--auth-algo* <algo type> ] +[ *-w|--window-size* <window size> ] [ *-k|--kd-prf* <kd-prf type> ] -[ *-l|--ld-kdr* <ld-kdr> ] [ *-E|--passphrase <pass phrase> ] [ *-K|--key* <master key> ] [ *-A|--salt* <master salt> ] +[ *-c|--cipher* <cipher type> ] +[ *-a|--auth-algo* <algo type> ] DESCRIPTION ----------- @@ -97,6 +96,15 @@ The local UDP port that is used to send and receive the payload data. The two tunnel endpoints can use different ports. default: 4444 +-s|--sender-id <sender id> +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Each anycast tunnel endpoint needs a uniqe sender id +(1, 2, 3, ...). It is needed to distinguish the senders +in case of replay attacks. As *uAnytun* does not support +synchronisation it can't be used as an anycast endpoint therefore +this option is quite useless. default: 0 + -r|--remote-host <hostname|ip> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -143,13 +151,14 @@ tunnels, tun for IP tunnels. *<remote|netmask>* the remote IP address (tun) or netmask (tap) In tap/Ethernet tunnel mode: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The local IP address and subnet mask of the tunnel interface, in ifconfig style. The remote tunnel endpoint has to use a different IP address in the same subnet. In tun/IP tunnel mode: +^^^^^^^^^^^^^^^^^^^^^^ The local IP address of the tunnel interface and the IP address of the tunnel interface on the remote tunnel 
@@ -161,14 +170,10 @@ endpoint. This option instructs *uAnytun* to run this script after the interface is created. By default no script will be executed. --s|--sender-id <sender id> -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +-m|--mux <mux-id> +~~~~~~~~~~~~~~~~~ -Each anycast tunnel endpoint needs a uniqe sender id -(1, 2, 3, ...). It is needed to distinguish the senders -in case of replay attacks. As *uAnytun* does not support -synchronisation it can't be used as an anycast endpoint therefore -this option is quite useless. default: 0 +the multiplex id to use. default: 0 -w|--window-size <window size> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -187,41 +192,6 @@ by filtering packets according to their secuence number. By default the sequence window is disabled and therefore a window size of 0 is used. --m|--mux <mux-id> -~~~~~~~~~~~~~~~~~ - -the multiplex id to use. default: 0 - --c|--cipher <cipher type> -~~~~~~~~~~~~~~~~~~~~~~~~~ - -payload encryption algorithm - -Encryption algorithm used for encrypting the payload - -Possible values: - -* *null* - no encryption -* *aes-ctr* - AES in counter mode with 128 Bits, default value -* *aes-ctr-128* - AES in counter mode with 128 Bits -* *aes-ctr-192* - AES in counter mode with 192 Bits -* *aes-ctr-256* - AES in counter mode with 256 Bits - --a|--auth-algo <algo type> -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -message authentication algorithm - -This option sets the message authentication algorithm. - -Possible values: - -* *null* - no message authentication -* *sha1* - HMAC-SHA1, default value - -If HMAC-SHA1 is used, the packet length is increased by -10 bytes. These 10 bytes contain the authentication data. - -k|--kd--prf <kd-prf type> ~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -238,17 +208,6 @@ Possible values: * *aes-ctr-192* - AES in counter mode with 192 Bits * *aes-ctr-256* - AES in counter mode with 256 Bits --l|--ld-kdr <ld-kdr> -~~~~~~~~~~~~~~~~~~~~ - -The log2 of the key derivation rate. This is used by the key -derivation to determine how ofen a new session key has to be -generated. A value of -1 means to generate only one key and use -it forever. The default is 0 which means to calculate a new key -for every packet. A value of 1 would tell the key derivation -to generate a new key after 2 packets, for 2 its 4 packets and -so on. - -E|--passphrase <pass phrase> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -276,6 +235,37 @@ Master salt in hexadecimal notation, eg 01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length of 28 characters (14 bytes). +-c|--cipher <cipher type> +~~~~~~~~~~~~~~~~~~~~~~~~~ + +payload encryption algorithm + +Encryption algorithm used for encrypting the payload + +Possible values: + +* *null* - no encryption +* *aes-ctr* - AES in counter mode with 128 Bits, default value +* *aes-ctr-128* - AES in counter mode with 128 Bits +* *aes-ctr-192* - AES in counter mode with 192 Bits +* *aes-ctr-256* - AES in counter mode with 256 Bits + +-a|--auth-algo <algo type> +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +message authentication algorithm + +This option sets the message authentication algorithm. + +Possible values: + +* *null* - no message authentication +* *sha1* - HMAC-SHA1, default value + +If HMAC-SHA1 is used, the packet length is increased by +10 bytes. These 10 bytes contain the authentication data. + + EXAMPLES -------- diff --git a/src/cipher.h b/src/cipher.h index 995315b..555b97a 100644 --- a/src/cipher.h +++ b/src/cipher.h @@ -43,6 +43,8 @@ #endif #include "key_derivation.h" #else +enum key_store_dir_enum { kd_inbound = 0, kd_outbound = 1 }; +typedef enum key_store_dir_enum key_store_dir_t; typedef u_int8_t key_derivation_t; #endif diff --git a/src/options.c b/src/options.c index 8876017..db7d4e1 100644 --- a/src/options.c 
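Review bot: The fallback `enum key_store_dir_enum { kd_inbound = 0, kd_outbound = 1 };` added in the `#else` branch of src/cipher.h duplicates a definition that presumably lives in key_derivation.h, and nothing ties the two copies together, so a later change to the values there would leave the build without key derivation silently disagreeing. Add a comment on the new enum, e.g. `/* must mirror key_store_dir_enum in key_derivation.h; used when that header is not included */`, or move the enum into a small header both sides include. The `#if` that this `#else` belongs to starts outside the hunk, so which build configuration takes this branch is not visible here.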
+++ b/src/options.c
@@ -186,25 +186,25 @@ int options_parse(options_t* opt, int argc, char* argv[])
 PARSE_STRING_PARAM("-P","--write-pid", opt->pid_file_)
 PARSE_STRING_PARAM("-i","--interface", opt->local_addr_)
 PARSE_STRING_PARAM("-p","--port", opt->local_port_)
+ PARSE_INT_PARAM("-s","--sender-id", opt->sender_id_)
 PARSE_STRING_PARAM("-r","--remote-host", opt->remote_addr_)
 PARSE_STRING_PARAM("-o","--remote-port", opt->remote_port_)
 PARSE_STRING_PARAM("-d","--dev", opt->dev_name_)
 PARSE_STRING_PARAM("-t","--type", opt->dev_type_)
 PARSE_STRING_PARAM2("-n","--ifconfig", opt->ifconfig_param_local_, opt->ifconfig_param_remote_netmask_)
 PARSE_STRING_PARAM("-x","--post-up-script", opt->post_up_script_)
- PARSE_INT_PARAM("-s","--sender-id", opt->sender_id_)
 PARSE_INT_PARAM("-m","--mux", opt->mux_)
 PARSE_INT_PARAM("-w","--window-size", opt->seq_window_size_)
 #ifndef NO_CRYPT
- PARSE_STRING_PARAM("-c","--cipher", opt->cipher_)
 PARSE_STRING_PARAM("-k","--kd-prf", opt->kd_prf_)
- PARSE_INT_PARAM("-l","--ld-kdr", opt->ld_kdr_)
- PARSE_STRING_PARAM("-a","--auth-algo", opt->auth_algo_)
+// PARSE_INT_PARAM("-l","--ld-kdr", opt->ld_kdr_)
 #ifndef NO_PASSPHRASE
 PARSE_STRING_PARAM_SEC("-E","--passphrase", opt->passphrase_)
 #endif
 PARSE_HEXSTRING_PARAM_SEC("-K","--key", opt->key_)
 PARSE_HEXSTRING_PARAM_SEC("-A","--salt", opt->salt_)
+ PARSE_STRING_PARAM("-c","--cipher", opt->cipher_)
+ PARSE_STRING_PARAM("-a","--auth-algo", opt->auth_algo_)
 #endif
 else
 return i;
@@ -240,9 +240,9 @@ void options_default(options_t* opt)
 opt->username_ = strdup("nobody");
 opt->chroot_dir_ = strdup("/var/run/uanytun");
 opt->pid_file_ = NULL;
- opt->sender_id_ = 0;
 opt->local_addr_ = NULL;
 opt->local_port_ = strdup("4444");
+ opt->sender_id_ = 0;
 opt->remote_addr_ = NULL;
 opt->remote_port_ = strdup("4444");
 opt->dev_name_ = NULL;
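Review bot: The `-l|--ld-kdr` parser line in options_parse is commented out with `//` instead of being removed, leaving dead code; the matching usage line in options_print_usage (the `@@ -332,19` hunk further down) is disabled the same way. Since the man page hunk drops the option entirely and options_default still sets `opt->ld_kdr_ = 0;`, the field appears to be fixed at its default and no longer user-settable — state that intent in a real comment, e.g. `/* -l|--ld-kdr intentionally not parsed: ld_kdr_ keeps the value set in options_default */`, or delete both commented-out lines. A user still passing `-l` now reaches `else return i;`, which callers presumably treat as an unknown option; how that is reported is outside this hunk.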
@@ -250,17 +250,17 @@ void options_default(options_t* opt)
 opt->ifconfig_param_local_ = NULL;
 opt->ifconfig_param_remote_netmask_ = NULL;
 opt->post_up_script_ = NULL;
+ opt->mux_ = 0;
 opt->seq_window_size_ = 0;
 #ifndef NO_CRYPT
- opt->cipher_ = strdup("aes-ctr");
 opt->kd_prf_ = strdup("aes-ctr");
 opt->ld_kdr_ = 0;
- opt->auth_algo_ = strdup("sha1");
 opt->passphrase_ = NULL;
+ opt->cipher_ = strdup("aes-ctr");
+ opt->auth_algo_ = strdup("sha1");
 #else
 opt->cipher_ = strdup("null");
 #endif
- opt->mux_ = 0;
 opt->key_.buf_ = NULL;
 opt->key_.length_ = 0;
 opt->salt_.buf_ = NULL;
@@ -301,10 +301,10 @@ void options_clear(options_t* opt)
 if(opt->cipher_)
 free(opt->cipher_);
 #ifndef NO_CRYPT
- if(opt->kd_prf_)
- free(opt->kd_prf_);
 if(opt->auth_algo_)
 free(opt->auth_algo_);
+ if(opt->kd_prf_)
+ free(opt->kd_prf_);
 if(opt->passphrase_)
 free(opt->passphrase_);
 #endif
@@ -325,6 +325,7 @@ void options_print_usage()
 printf(" [-P|--write-pid] <path> write pid to this file\n");
 printf(" [-i|--interface] <ip-address> local ip address to bind to\n");
 printf(" [-p|--port] <port> local port to bind to\n");
+ printf(" [-s|--sender-id ] <sender id> the sender id to use\n");
 printf(" [-r|--remote-host] <hostname|ip> remote host\n");
 printf(" [-o|--remote-port] <port> remote port\n");
 printf(" [-d|--dev] <name> device name\n");
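Review bot: The re-added usage line for the sender id in options_print_usage has a stray space inside the bracket, `[-s|--sender-id ]`, which does not match the `[-m|--mux]` form of every other entry; change it to `printf(" [-s|--sender-id] <sender id> the sender id to use\n");` keeping whatever column padding the neighbouring lines use. The line is only moved by this commit, so the typo predates it, but the move is the right moment to fix it.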
@@ -332,19 +333,18 @@ void options_print_usage() printf(" [-n|--ifconfig] <local> the local address for the tun/tap device\n"); printf(" <remote|netmask> the remote address(tun) or netmask(tap)\n"); printf(" [-x|--post-up-script] <script> script gets called after interface is created\n"); - printf(" [-s|--sender-id ] <sender id> the sender id to use\n"); - printf(" [-w|--window-size] <window size> seqence number window size\n"); printf(" [-m|--mux] <mux-id> the multiplex id to use\n"); + printf(" [-w|--window-size] <window size> seqence number window size\n"); #ifndef NO_CRYPT - printf(" [-c|--cipher] <cipher type> payload encryption algorithm\n"); - printf(" [-a|--auth-algo] <algo type> message authentication algorithm\n"); printf(" [-k|--kd-prf] <kd-prf type> key derivation pseudo random function\n"); - printf(" [-l|--ld-kdr] <ld-kdr> log2 of key derivation rate\n"); +// printf(" [-l|--ld-kdr] <ld-kdr> log2 of key derivation rate\n"); #ifndef NO_PASSPHRASE printf(" [-E|--passphrase] <pass phrase> a passprhase to generate master key and salt from\n"); #endif printf(" [-K|--key] <master key> master key to use for encryption\n"); printf(" [-A|--salt] <master salt> master salt to use for encryption\n"); + printf(" [-c|--cipher] <cipher type> payload encryption algorithm\n"); + printf(" [-a|--auth-algo] <algo type> message authentication algorithm\n"); #endif } @@ -358,6 +358,7 @@ void options_print(options_t* opt) printf("pid_file: '%s'\n", opt->pid_file_); printf("local_addr: '%s'\n", opt->local_addr_); printf("local_port: '%s'\n", opt->local_port_); + printf("sender_id: %d\n", opt->sender_id_); printf("remote_addr: '%s'\n", opt->remote_addr_); printf("remote_port: '%s'\n", opt->remote_port_); printf("dev_name: '%s'\n", opt->dev_name_); 
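Review bot: The moved `-w|--window-size` usage line in options_print_usage still reads `seqence number window size`; since it is rewritten on the new side anyway, correct it to `printf(" [-w|--window-size] <window size> sequence number window size\n");`. The `-E|--passphrase` context line in the same hunk has `passprhase`, which this commit does not touch but could be fixed in the same pass.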
@@ -365,7 +366,6 @@ void options_print(options_t* opt)
 printf("ifconfig_local: '%s'\n", opt->ifconfig_param_local_);
 printf("ifconfig_remote_netmask: '%s'\n", opt->ifconfig_param_remote_netmask_);
 printf("post_up_script: '%s'\n", opt->post_up_script_);
- printf("sender_id: %d\n", opt->sender_id_);
 printf("mux: %d\n", opt->mux_);
 printf("seq_window_size: %d\n", opt->seq_window_size_);
 printf("cipher: '%s'\n", opt->cipher_);
diff --git a/src/options.h b/src/options.h
index ecaf3a3..b1695a8 100644
--- a/src/options.h
+++ b/src/options.h
@@ -42,9 +42,9 @@ struct options_struct {
 char* username_;
 char* chroot_dir_;
 char* pid_file_;
- sender_id_t sender_id_;
 char* local_addr_;
 char* local_port_;
+ sender_id_t sender_id_;
 char* remote_addr_;
 char* remote_port_;
 char* dev_name_;
@@ -52,6 +52,7 @@ struct options_struct {
 char* ifconfig_param_local_;
 char* ifconfig_param_remote_netmask_;
 char* post_up_script_;
+ mux_t mux_;
 window_size_t seq_window_size_;
 char* cipher_;
 #ifndef NO_CRYPT
@@ -60,7 +61,6 @@ struct options_struct {
 char* auth_algo_;
 char* passphrase_;
 #endif
- mux_t mux_;
 buffer_t key_;
 buffer_t salt_;
 };
|