2 * curvetun - the cipherspace wormhole creator
3 * Part of the netsniff-ng project
4 * Copyright 2011 Daniel Borkmann <dborkma@tik.ee.ethz.ch>,
5 * Copyright 2011 Emmanuel Roullit.
6 * Subject to the GPL, version 2.
19 #include <sys/types.h>
21 #include <sys/socket.h>
22 #include <sys/ptrace.h>
23 #include <sys/fsuid.h>
24 #include <netinet/in.h>
33 #include "ct_usermgmt.h"
34 #include "ct_servmgmt.h"
37 #include "crypto_verify_32.h"
38 #include "crypto_box_curve25519xsalsa20poly1305.h"
39 #include "crypto_scalarmult_curve25519.h"
40 #include "crypto_auth_hmacsha512256.h"
42 #define CURVETUN_ENTROPY_SOURCE "/dev/random"
44 extern void print_stun_probe(char *server
, uint16_t sport
, uint16_t tunport
);
56 volatile sig_atomic_t sigint
= 0;
58 static const char *short_options
= "kxc::svhp:t:d:uCS46DN";
59 static const struct option long_options
[] = {
60 {"client", optional_argument
, NULL
, 'c'},
61 {"dev", required_argument
, NULL
, 'd'},
62 {"port", required_argument
, NULL
, 'p'},
63 {"stun", required_argument
, NULL
, 't'},
64 {"keygen", no_argument
, NULL
, 'k'},
65 {"export", no_argument
, NULL
, 'x'},
66 {"dumpc", no_argument
, NULL
, 'C'},
67 {"dumps", no_argument
, NULL
, 'S'},
68 {"no-logging", no_argument
, NULL
, 'N'},
69 {"server", no_argument
, NULL
, 's'},
70 {"udp", no_argument
, NULL
, 'u'},
71 {"ipv4", no_argument
, NULL
, '4'},
72 {"ipv6", no_argument
, NULL
, '6'},
73 {"nofork", no_argument
, NULL
, 'D'},
74 {"version", no_argument
, NULL
, 'v'},
75 {"help", no_argument
, NULL
, 'h'},
79 static void signal_handler(int number
)
91 static void __noreturn
help(void)
93 printf("\ncurvetun %s, lightweight curve25519-based VPN/IP tunnel\n", VERSION_STRING
);
94 puts("http://www.netsniff-ng.org\n\n"
95 "Usage: curvetun [options]\n"
97 " -d|--dev <tun> Networking tunnel device, e.g. tun0\n"
98 " -p|--port <num> Server port number (mandatory)\n"
99 " -t|--stun <server> Show public IP/Port mapping via STUN\n"
100 " -c|--client[=alias] Client mode, server alias optional\n"
101 " -k|--keygen Generate public/private keypair\n"
102 " -x|--export Export your public data for remote servers\n"
103 " -C|--dumpc Dump parsed clients\n"
104 " -S|--dumps Dump parsed servers\n"
105 " -D|--nofork Do not daemonize\n"
106 " -s|--server Server mode, options follow below\n"
107 " -N|--no-logging Disable server logging (for better anonymity)\n"
108 " -u|--udp Use UDP as carrier instead of TCP\n"
109 " -4|--ipv4 Tunnel devices are IPv4\n"
110 " -6|--ipv6 Tunnel devices are IPv6\n"
111 " -v|--version Print version and exit\n"
112 " -h|--help Print this help and exit\n\n"
114 " See curvetun's man page for a configuration example.\n"
115 " curvetun --server -4 -u -N --port 6666 --stun stunserver.org\n"
116 " curvetun --client=ethz\n\n"
117 " curvetun --keygen\n"
118 " curvetun --export\n"
120 " There is no default port specified, so that you are forced\n"
121 " to select your own! For client/server status messages see syslog!\n"
122 " This software is an experimental prototype intended for researchers.\n\n"
123 "Secret ingredient: 7647-14-5\n\n"
124 "Please report bugs to <bugs@netsniff-ng.org>\n"
125 "Copyright (C) 2011-2013 Daniel Borkmann <dborkma@tik.ee.ethz.ch>,\n"
126 "Swiss federal institute of technology (ETH Zurich)\n"
127 "License: GNU GPL version 2.0\n"
128 "This is free software: you are free to change and redistribute it.\n"
129 "There is NO WARRANTY, to the extent permitted by law.\n");
133 static void __noreturn
version(void)
135 printf("\ncurvetun %s, lightweight curve25519-based VPN/IP tunnel\n", VERSION_LONG
);
136 puts("http://www.netsniff-ng.org\n\n"
137 "Please report bugs to <bugs@netsniff-ng.org>\n"
138 "Copyright (C) 2011-2013 Daniel Borkmann <dborkma@tik.ee.ethz.ch>,\n"
139 "Swiss federal institute of technology (ETH Zurich)\n"
140 "License: GNU GPL version 2.0\n"
141 "This is free software: you are free to change and redistribute it.\n"
142 "There is NO WARRANTY, to the extent permitted by law.\n");
146 static void check_file_or_die(char *home
, char *file
, int maybeempty
)
151 memset(path
, 0, sizeof(path
));
152 slprintf(path
, sizeof(path
), "%s/%s", home
, file
);
155 panic("No such file %s! Type --help for further information\n",
158 if (!S_ISREG(st
.st_mode
))
159 panic("%s is not a regular file!\n", path
);
161 if ((st
.st_mode
& ~S_IFREG
) != (S_IRUSR
| S_IWUSR
))
162 panic("You have set too many permissions on %s (%o)!\n",
165 if (maybeempty
== 0 && st
.st_size
== 0)
166 panic("%s is empty!\n", path
);
169 static void check_config_exists_or_die(char *home
)
172 panic("No home dir specified!\n");
174 check_file_or_die(home
, FILE_CLIENTS
, 1);
175 check_file_or_die(home
, FILE_SERVERS
, 1);
176 check_file_or_die(home
, FILE_PRIVKEY
, 0);
177 check_file_or_die(home
, FILE_PUBKEY
, 0);
178 check_file_or_die(home
, FILE_USERNAM
, 0);
181 static char *fetch_home_dir(void)
183 char *home
= getenv("HOME");
185 panic("No HOME defined!\n");
189 static void write_username(char *home
)
195 memset(path
, 0, sizeof(path
));
196 slprintf(path
, sizeof(path
), "%s/%s", home
, FILE_USERNAM
);
198 printf("Username: [%s] ", getenv("USER"));
201 memset(user
, 0, sizeof(user
));
202 if (fgets(user
, sizeof(user
), stdin
) == NULL
)
203 panic("Could not read from stdin!\n");
204 user
[sizeof(user
) - 1] = 0;
205 user
[strlen(user
) - 1] = 0; /* omit last \n */
206 if (strlen(user
) == 0)
207 strlcpy(user
, getenv("USER"), sizeof(user
));
209 fd
= open_or_die_m(path
, O_WRONLY
| O_CREAT
| O_TRUNC
, S_IRUSR
| S_IWUSR
);
211 ret
= write(fd
, user
, strlen(user
));
212 if (ret
!= strlen(user
))
213 panic("Could not write username!\n");
217 printf("Username written to %s!\n", path
);
220 static void create_curvedir(char *home
)
225 memset(path
, 0, sizeof(path
));
226 slprintf(path
, sizeof(path
), "%s/%s", home
, ".curvetun/");
230 ret
= mkdir(path
, S_IRWXU
);
231 if (ret
< 0 && errno
!= EEXIST
)
232 panic("Cannot create curvetun dir!\n");
234 printf("curvetun directory %s created!\n", path
);
235 /* We also create empty files for clients and servers! */
237 memset(path
, 0, sizeof(path
));
238 slprintf(path
, sizeof(path
), "%s/%s", home
, FILE_CLIENTS
);
240 create_or_die(path
, S_IRUSR
| S_IWUSR
);
242 printf("Empty client file written to %s!\n", path
);
244 memset(path
, 0, sizeof(path
));
245 slprintf(path
, sizeof(path
), "%s/%s", home
, FILE_SERVERS
);
247 create_or_die(path
, S_IRUSR
| S_IWUSR
);
249 printf("Empty server file written to %s!\n", path
);
252 static void create_keypair(char *home
)
256 unsigned char publickey
[crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES
] = { 0 };
257 unsigned char secretkey
[crypto_box_curve25519xsalsa20poly1305_SECRETKEYBYTES
] = { 0 };
259 const char * errstr
= NULL
;
261 printf("Reading from %s (this may take a while) ...\n", CURVETUN_ENTROPY_SOURCE
);
263 fd
= open_or_die(CURVETUN_ENTROPY_SOURCE
, O_RDONLY
);
265 ret
= read_exact(fd
, secretkey
, sizeof(secretkey
), 0);
266 if (ret
!= sizeof(secretkey
)) {
268 errstr
= "Cannot read from "CURVETUN_ENTROPY_SOURCE
"!\n";
274 crypto_scalarmult_curve25519_base(publickey
, secretkey
);
276 memset(path
, 0, sizeof(path
));
277 slprintf(path
, sizeof(path
), "%s/%s", home
, FILE_PUBKEY
);
279 fd
= open(path
, O_WRONLY
| O_CREAT
| O_TRUNC
, S_IRUSR
| S_IWUSR
);
282 errstr
= "Cannot open pubkey file!\n";
286 ret
= write(fd
, publickey
, sizeof(publickey
));
287 if (ret
!= sizeof(publickey
)) {
289 errstr
= "Cannot write public key!\n";
295 printf("Public key written to %s!\n", path
);
297 memset(path
, 0, sizeof(path
));
298 slprintf(path
, sizeof(path
), "%s/%s", home
, FILE_PRIVKEY
);
300 fd
= open(path
, O_WRONLY
| O_CREAT
| O_TRUNC
, S_IRUSR
| S_IWUSR
);
303 errstr
= "Cannot open privkey file!\n";
307 ret
= write(fd
, secretkey
, sizeof(secretkey
));
308 if (ret
!= sizeof(secretkey
)) {
310 errstr
= "Cannot write private key!\n";
316 xmemset(publickey
, 0, sizeof(publickey
));
317 xmemset(secretkey
, 0, sizeof(secretkey
));
320 panic("%s: %s", errstr
, strerror(errno
));
322 printf("Private key written to %s!\n", path
);
325 static void check_config_keypair_or_die(char *home
)
329 const char * errstr
= NULL
;
330 unsigned char publickey
[crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES
];
331 unsigned char publicres
[crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES
];
332 unsigned char secretkey
[crypto_box_curve25519xsalsa20poly1305_SECRETKEYBYTES
];
335 memset(path
, 0, sizeof(path
));
336 slprintf(path
, sizeof(path
), "%s/%s", home
, FILE_PRIVKEY
);
338 fd
= open(path
, O_RDONLY
);
341 errstr
= "Cannot open privkey file!\n";
345 ret
= read(fd
, secretkey
, sizeof(secretkey
));
346 if (ret
!= sizeof(secretkey
)) {
348 errstr
= "Cannot read private key!\n";
354 memset(path
, 0, sizeof(path
));
355 slprintf(path
, sizeof(path
), "%s/%s", home
, FILE_PUBKEY
);
357 fd
= open(path
, O_RDONLY
);
360 errstr
= "Cannot open pubkey file!\n";
364 ret
= read(fd
, publickey
, sizeof(publickey
));
365 if (ret
!= sizeof(publickey
)) {
367 errstr
= "Cannot read public key!\n";
371 crypto_scalarmult_curve25519_base(publicres
, secretkey
);
373 err
= crypto_verify_32(publicres
, publickey
);
376 errstr
= "WARNING: your keypair is corrupted!!! You need to "
377 "generate new keys!!!\n";
383 xmemset(publickey
, 0, sizeof(publickey
));
384 xmemset(publicres
, 0, sizeof(publicres
));
385 xmemset(secretkey
, 0, sizeof(secretkey
));
388 panic("%s: %s\n", errstr
, strerror(errno
));
391 static int main_keygen(char *home
)
393 create_curvedir(home
);
394 write_username(home
);
395 create_keypair(home
);
396 check_config_keypair_or_die(home
);
401 static int main_export(char *home
)
405 char path
[PATH_MAX
], tmp
[64];
407 check_config_exists_or_die(home
);
408 check_config_keypair_or_die(home
);
410 printf("Your exported public information:\n\n");
412 memset(path
, 0, sizeof(path
));
413 slprintf(path
, sizeof(path
), "%s/%s", home
, FILE_USERNAM
);
415 fd
= open_or_die(path
, O_RDONLY
);
417 while ((ret
= read(fd
, tmp
, sizeof(tmp
))) > 0) {
418 ret
= write(STDOUT_FILENO
, tmp
, ret
);
425 memset(path
, 0, sizeof(path
));
426 slprintf(path
, sizeof(path
), "%s/%s", home
, FILE_PUBKEY
);
428 fd
= open_or_die(path
, O_RDONLY
);
430 ret
= read(fd
, tmp
, sizeof(tmp
));
431 if (ret
!= crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES
)
432 panic("Cannot read public key!\n");
434 for (i
= 0; i
< ret
; ++i
)
436 printf("%02x\n\n", (unsigned char) tmp
[i
]);
438 printf("%02x:", (unsigned char) tmp
[i
]);
446 static int main_dumpc(char *home
)
448 check_config_exists_or_die(home
);
449 check_config_keypair_or_die(home
);
451 printf("Your clients:\n\n");
453 parse_userfile_and_generate_user_store_or_die(home
);
457 destroy_user_store();
464 static int main_dumps(char *home
)
466 check_config_exists_or_die(home
);
467 check_config_keypair_or_die(home
);
469 printf("Your servers:\n\n");
471 parse_userfile_and_generate_serv_store_or_die(home
);
475 destroy_serv_store();
482 static void daemonize(const char *lockfile
)
485 mode_t lperm
= S_IRWXU
| S_IRGRP
| S_IXGRP
; /* 0750 */
492 panic("Cannot daemonize: %s", strerror(errno
));
499 lfp
= open(lockfile
, O_RDWR
| O_CREAT
| O_EXCL
,
500 S_IRUSR
| S_IWUSR
| S_IRGRP
);
502 syslog_panic("Cannot create lockfile at %s! "
503 "curvetun server already running?\n",
506 slprintf(pidstr
, sizeof(pidstr
), "%u", getpid());
507 if (write(lfp
, pidstr
, strlen(pidstr
)) <= 0)
508 syslog_panic("Could not write pid to pidfile %s",
515 static int main_client(char *home
, char *dev
, char *alias
, int daemon
)
520 check_config_exists_or_die(home
);
521 check_config_keypair_or_die(home
);
523 parse_userfile_and_generate_serv_store_or_die(home
);
525 get_serv_store_entry_by_alias(alias
, alias
? strlen(alias
) + 1 : 0,
527 if (!host
|| !port
|| udp
< 0)
528 panic("Did not find alias/entry in configuration!\n");
530 printf("Using [%s] -> %s:%s via %s as endpoint!\n",
531 alias
? : "default", host
, port
, udp
? "udp" : "tcp");
535 ret
= client_main(home
, dev
, host
, port
, udp
);
537 destroy_serv_store();
542 static int main_server(char *home
, char *dev
, char *port
, int udp
,
543 int ipv4
, int daemon
, int log
)
547 check_config_exists_or_die(home
);
548 check_config_keypair_or_die(home
);
553 ret
= server_main(home
, dev
, port
, udp
, ipv4
, log
);
560 int main(int argc
, char **argv
)
562 int ret
= 0, c
, opt_index
, udp
= 0, ipv4
= -1, daemon
= 1, log
= 1;
563 char *port
= NULL
, *stun
= NULL
, *dev
= NULL
, *home
= NULL
, *alias
= NULL
;
564 enum working_mode wmode
= MODE_UNKNOW
;
569 home
= fetch_home_dir();
571 while ((c
= getopt_long(argc
, argv
, short_options
, long_options
,
572 &opt_index
)) != EOF
) {
597 alias
= xstrdup(optarg
);
601 dev
= xstrdup(optarg
);
622 stun
= xstrdup(optarg
);
625 port
= xstrdup(optarg
);
633 panic("Option -%c requires an argument!\n",
637 printf("Unknown option character `0x%X\'!\n", optopt
);
648 register_signal(SIGINT
, signal_handler
);
649 register_signal(SIGHUP
, signal_handler
);
650 register_signal(SIGTERM
, signal_handler
);
651 register_signal(SIGPIPE
, signal_handler
);
653 curve25519_selftest();
657 ret
= main_keygen(home
);
660 ret
= main_export(home
);
663 ret
= main_dumpc(home
);
666 ret
= main_dumps(home
);
669 ret
= main_client(home
, dev
, alias
, daemon
);
673 panic("No port specified!\n");
675 print_stun_probe(stun
, 3478, strtoul(port
, NULL
, 10));
676 ret
= main_server(home
, dev
, port
, udp
, ipv4
, daemon
, log
);