mirror of
https://github.com/yarrick/iodine.git
synced 2024-11-28 12:35:13 +00:00
Applied patch from #88, thanks a lot!
This commit is contained in:
parent
1a26a91db3
commit
b177901d38
299
README
299
README
@ -11,12 +11,12 @@ firewalled, but DNS queries are allowed.
|
||||
QUICKSTART:
|
||||
|
||||
Try it out within your own LAN! Follow these simple steps:
|
||||
- On your server, run: ./iodined -f 10.0.0.1 test.asdf
|
||||
- On your server, run: ./iodined -f 10.0.0.1 test.com
|
||||
(If you already use the 10.0.0.0 network, use another internal net like
|
||||
172.16.0.0)
|
||||
- Enter a password
|
||||
- On the client, run: ./iodine -f 192.168.0.1 test.asdf
|
||||
(Replace 192.168.0.1 with the server's ip address)
|
||||
- On the client, run: ./iodine -f -r 192.168.0.1 test.com
|
||||
(Replace 192.168.0.1 with your server's ip address)
|
||||
- Enter the same password
|
||||
- Now the client has the tunnel ip 10.0.0.2 and the server has 10.0.0.1
|
||||
- Try pinging each other through the tunnel
|
||||
@ -26,113 +26,196 @@ To actually use it through a relaying nameserver, see below.
|
||||
|
||||
HOW TO USE:
|
||||
|
||||
Note: server and client are required to speak the exact same protocol. In most
|
||||
cases, this means running the same iodine version. Unfortunately, implementing
|
||||
backward and forward protocol compatibility is usually not feasible.
|
||||
|
||||
Server side:
|
||||
To use this tunnel, you need control over a real domain (like mytunnel.com),
|
||||
and a server with a public IP number. If the server already runs a DNS
|
||||
server, change the listening port and then use the -b option to let
|
||||
iodined forward the DNS requests. Then, delegate a subdomain
|
||||
(say, tunnel1.mytunnel.com) to the server. If you use BIND for the domain,
|
||||
add these lines to the zone file:
|
||||
To use this tunnel, you need control over a real domain (like mydomain.com),
|
||||
and a server with a public IP address to run iodined on. If this server
|
||||
already runs a DNS program, change its listening port and then use iodined's
|
||||
-b option to let iodined forward the DNS requests. (Note that this procedure
|
||||
is not advised in production environments, because iodined's DNS forwarding
|
||||
is not completely transparent.)
|
||||
|
||||
tunnel1host IN A 10.15.213.99
|
||||
tunnel1 IN NS tunnel1host.mytunnel.com.
|
||||
Then, delegate a subdomain (say, t1.mydomain.com) to the iodined server.
|
||||
If you use BIND for your domain, add two lines like these to the zone file:
|
||||
|
||||
Do not use CNAME instead of A above.
|
||||
If your server has a dynamic IP, use a dynamic dns provider:
|
||||
t1 IN NS t1ns.mydomain.com. ; note the dot!
|
||||
t1ns IN A 10.15.213.99
|
||||
|
||||
tunnel1 IN NS tunnel1host.mydyndnsprovider.com
|
||||
The "NS" line is all that's needed to route queries for the "t1" subdomain
|
||||
to the "t1ns" server. We use a short name for the subdomain, to keep as much
|
||||
space as possible available for the data traffic. At the end of the "NS" line
|
||||
is the name of your iodined server. This can be any name, pointing anywhere,
|
||||
but in this case it's easily kept in the same zone file. It must be a name
|
||||
(not an IP address), and that name itself must have an A record (not a CNAME).
|
||||
|
||||
Now any DNS querys for domains ending with tunnel1.mytunnnel.com will be sent
|
||||
to your server. Start iodined on the server. The first argument is the tunnel
|
||||
IP address (like 192.168.99.1) and the second is the assigned domain (in this
|
||||
case tunnel1.mytunnel.com). The -f argument will keep iodined running in the
|
||||
foreground, which helps when testing. iodined will start a virtual interface,
|
||||
and also start listening for DNS queries on UDP port 53. Either enter a
|
||||
password on the commandline (-P pass) or after the server has started. Now
|
||||
everything is ready for the client.
|
||||
If your iodined server has a dynamic IP, use a dynamic dns provider. Simply
|
||||
point the "NS" line to it, and leave the "A" line out:
|
||||
|
||||
t1 IN NS myname.mydyndnsprovider.com. ; note the dot!
|
||||
|
||||
Then reload or restart your nameserver program. Now any DNS queries for
|
||||
domains ending in t1.mydomain.com will be sent to your iodined server.
|
||||
|
||||
Finally start iodined on your server. The first argument is the IP address
|
||||
inside the tunnel, which can be from any range that you don't use yet (for
|
||||
example 192.168.99.1), and the second argument is the assigned domain (in this
|
||||
case t1.mydomain.com). Using the -f option will keep iodined running in the
|
||||
foreground, which helps when testing. iodined will open a virtual interface
|
||||
("tun device"), and will also start listening for DNS queries on UDP port 53.
|
||||
Either enter a password on the commandline (-P pass) or after the server has
|
||||
started. Now everything is ready for the client.
|
||||
|
||||
If there is a chance you'll be using an iodine tunnel from unexpected
|
||||
environments, start iodined with a -c option.
|
||||
|
||||
Resulting commandline in this example situation:
|
||||
./iodined -f -c -P secretpassword 192.168.99.1 t1.mydomain.com
|
||||
|
||||
Client side:
|
||||
All the setup is done, just start iodine. It takes up to two arguments, the
|
||||
All the setup is done, just start iodine. It takes one or two arguments, the
|
||||
first is the local relaying DNS server (optional) and the second is the domain
|
||||
used (tunnel1.mytunnnel.com). If DNS queries are allowed to any computer, you
|
||||
can use the tunnel endpoint (example: 10.15.213.99 or tunnel1host.mytunnel.com)
|
||||
as the first argument. The tunnel interface will get an IP close to the servers
|
||||
(in this case 192.168.99.2) and a suitable MTU. Enter the same password as on
|
||||
the server either by argument or after the client has started. Now you should
|
||||
be able to ping the other end of the tunnel from either side.
|
||||
you used (t1.mydomain.com). If you don't specify the first argument, the
|
||||
system's current DNS setting will be consulted.
|
||||
|
||||
If DNS queries are allowed to any computer, you can directly give the iodined
|
||||
server's address as first argument (in the example: t1ns.mydomain.com or
|
||||
10.15.213.99). In that case, it may also happen that _any_ traffic is allowed
|
||||
to the DNS port (53 UDP) of any computer. Iodine will detect this, and switch
|
||||
to raw UDP tunneling if possible. To force DNS tunneling in any case, use the
|
||||
-r option (especially useful when testing within your own network).
|
||||
|
||||
The client's tunnel interface will get an IP close to the server's (in this
|
||||
case 192.168.99.2 or .3 etc.) and a suitable MTU. Enter the same password as
|
||||
on the server either as commandline option or after the client has started.
|
||||
Using the -f option will keep the iodine client running in the foreground.
|
||||
|
||||
Resulting commandline in this example situation:
|
||||
./iodine -f -P secretpassword t1.mydomain.com
|
||||
(add -r to force DNS tunneling even if raw UDP tunneling would be possible)
|
||||
|
||||
From either side, you should now be able to ping the IP address on the other
|
||||
end of the tunnel. In this case, ping 192.168.99.1 from the iodine client, and
|
||||
192.168.99.2 or .3 etc. from the iodine server.
|
||||
|
||||
|
||||
MISC. INFO:
|
||||
|
||||
Routing:
|
||||
The normal case is to route all traffic through the DNS tunnel. To do this, first
|
||||
add a route to the nameserver you use with the default gateway as gateway. Then
|
||||
replace the default gateway with the servers IP address within the DNS tunnel,
|
||||
and configure the server to do NAT.
|
||||
It is possible to route all traffic through the DNS tunnel. To do this, first
|
||||
add a host route to the nameserver used by iodine over the wired/wireless
|
||||
interface with the default gateway as gateway. Then replace the default
|
||||
gateway with the iodined server's IP address inside the DNS tunnel, and
|
||||
configure the server to do NAT.
|
||||
|
||||
However, note that the tunneled data traffic is not encrypted at all, and can
|
||||
be read and changed by external parties relatively easily. For maximum
|
||||
security, run a VPN through the DNS tunnel (=double tunneling), or use secure
|
||||
shell (SSH) access, possibly with port forwarding. The latter can also be used
|
||||
for web browsing, when you run a web proxy (for example Privoxy) on your
|
||||
server.
|
||||
|
||||
Testing:
|
||||
The iodined server replies to NS requests sent for subdomains of the tunnel
|
||||
domain. If your iodined subdomain is t1.mydomain.com, send a NS request for
|
||||
foo123.t1.mydomain.com to see if the delegation works. dig is a good tool
|
||||
for this:
|
||||
dig -t NS foo123.t1.mydomain.com
|
||||
|
||||
Also, the iodined server will answer requests starting with 'z' for any of the
|
||||
supported request types, for example:
|
||||
dig -t TXT z456.t1.mydomain.com
|
||||
dig -t SRV z456.t1.mydomain.com
|
||||
dig -t CNAME z456.t1.mydomain.com
|
||||
The reply should look like garbled text in all these cases.
|
||||
|
||||
Operational info:
|
||||
The DNS-response fragment size is normally autoprobed to get maximum bandwidth.
|
||||
To force a specific value (and speed things up), use the -m option.
|
||||
|
||||
The iodined server replies to NS requests sent for subdomains of the tunnel
|
||||
domain. If your domain is tunnel.com, send a NS request for foo.tunnel.com
|
||||
to see if the delegation works. dig is a good tool for this:
|
||||
dig -t NS foo123.tunnel.com
|
||||
The DNS hostnames are normally used up to their maximum length, 255 characters.
|
||||
Some DNS relays have been found that answer full-length queries rather
|
||||
unreliably, giving widely varying (and mostly very bad) results of the
|
||||
fragment size autoprobe on repeated tries. In these cases, use the -M switch
|
||||
to reduce the DNS hostname length to for example 200 characters, which makes
|
||||
these DNS relays much more stable. This is also useful on some "de-optimizing"
|
||||
DNS relays that stuff the response with two full copies of the query, leaving
|
||||
very little space for downstream data (also not capable of EDNS0). The -M
|
||||
switch can trade some upstream bandwidth for downstream bandwidth. Note that
|
||||
the minimum -M value is about 100, since the protocol can split packets (1200
|
||||
bytes max) in only 16 fragments, requiring at least 75 real data bytes per
|
||||
fragment.
|
||||
|
||||
The upstream data is sent gzipped encoded with Base32, or Base64 if the relay
|
||||
server support '+' in domain names. DNS protocol allows one query per packet,
|
||||
and one query can be max 256 chars. Each domain name part can be max 63 chars.
|
||||
So your domain name and subdomain should be as short as possible to allow
|
||||
maximum upstream throughput.
|
||||
The upstream data is sent gzipped encoded with Base32; or Base64 if the relay
|
||||
server supports mixed case and '+' in domain names; or Base64u if '_' is
|
||||
supported instead; or Base128 if high-byte-value characters are supported.
|
||||
This upstream encoding is autodetected. The DNS protocol allows one query per
|
||||
packet, and one query can be max 256 chars. Each domain name part can be max
|
||||
63 chars. So your domain name and subdomain should be as short as possible to
|
||||
allow maximum upstream throughput.
|
||||
|
||||
The default is to use DNS NULL-type queries, as this provides the largest
|
||||
downstream bandwidth. If your DNS server blocks NULL requests, try TXT or
|
||||
CNAME queries via the -T option. Also supported are A (returning CNAME) and
|
||||
MX requests, but these may/will cause additional lookups by "smart" caching
|
||||
nameservers to get an actual IP address, which may either slow down or fail
|
||||
completely. DNS responses for non-NULL are Base32 encoded by default, which
|
||||
should always work. For more bandwidth, try Base64 or Raw (TXT only) via the
|
||||
-O option. If Base64/Raw doesn't work, you'll see many failures in the
|
||||
fragment size autoprobe.
|
||||
Several DNS request types are supported, with the NULL type expected to provide
|
||||
the largest downstream bandwidth. Other available types are TXT, SRV, MX,
|
||||
CNAME and A (returning CNAME), in decreasing bandwidth order. Normally the
|
||||
"best" request type is autodetected and used. However, DNS relays may impose
|
||||
limits on for example NULL and TXT, making SRV or MX actually the best choice.
|
||||
This is not autodetected, but can be forced using the -T option. It is
|
||||
advisable to try various alternatives especially when the autodetected request
|
||||
type provides a downstream fragment size of less than 200 bytes.
|
||||
|
||||
Note that SRV, MX and A (returning CNAME) queries may/will cause additional
|
||||
lookups by "smart" caching nameservers to get an actual IP address, which may
|
||||
either slow down or fail completely.
|
||||
|
||||
DNS responses for non-NULL queries can be encoded with the same set of codecs
|
||||
as upstream data. This is normally also autodetected, but no fully exhaustive
|
||||
tests are done, so some problems may not be noticed when selecting more
|
||||
advanced codecs. In that case, you'll see failures/corruption in the fragment
|
||||
size autoprobe. In particular, several DNS relays have been found that change
|
||||
replies returning hostnames (SRV, MX, CNAME, A) to lowercase only when that
|
||||
hostname exceeds ca. 180 characters. In these and similar cases, use the -O
|
||||
option to try other downstream codecs; Base32 should always work.
|
||||
|
||||
Normal operation now is for the server to _not_ answer a DNS request until
|
||||
the next DNS request has come in, a.k.a. being "lazy". This way, the server
|
||||
will always have a DNS request handy when new downstream data has to be sent.
|
||||
This greatly improves (interactive) performance and latency, and allows to
|
||||
slow down the quiescent ping requests to 4 second intervals by default.
|
||||
In fact, the main purpose of the pings now is to force a reply to the previous
|
||||
ping, and prevent DNS server timeouts (usually 5-10 seconds per RFC1035).
|
||||
In the unlikely case that you do experience DNS server timeouts (SERVFAIL),
|
||||
decrease the -I option to 1. If you are running on a local network without
|
||||
any DNS server in-between, try -I 50 (iodine and iodined time out after 60
|
||||
seconds). The only time you'll notice a slowdown, is when DNS reply packets
|
||||
go missing; the iodined server then has to wait for a new ping to re-send the
|
||||
data. You can speed this up by generating some upstream traffic (keypress,
|
||||
ping). If this happens often, check your network for bottlenecks and/or run
|
||||
with -I1 .
|
||||
slow down the quiescent ping requests to 4 second intervals by default, and
|
||||
possibly much slower. In fact, the main purpose of the pings now is to force
|
||||
a reply to the previous ping, and prevent DNS server timeouts (usually at
|
||||
least 5-10 seconds per RFC1035). Some DNS servers are more impatient and will
|
||||
give SERVFAIL errors (timeouts) in periods without tunneled data traffic. All
|
||||
data should still get through in these cases, but iodine will reduce the ping
|
||||
interval to 1 second anyway (-I1) to reduce the number of error messages. This
|
||||
may not help for very impatient DNS relays like dnsadvantage.com (ultradns),
|
||||
which time out in 1 second or even less. Yet data will still get trough, and
|
||||
you can ignore the SERVFAIL errors.
|
||||
|
||||
Some DNS servers appear to be quite impatient and start retrying DNS requests
|
||||
(with _different_ DNS ids!) when an answer does not appear within a few
|
||||
milliseconds. Usually they scale back retries when iodined's lazy mode
|
||||
repeatedly takes several seconds to answer; and they scale up retries again
|
||||
when iodined answers fast during heavy data transfer. Some commercial DNS
|
||||
servers advertise this as "carrier-grade adaptive retransmission techniques".
|
||||
The effect will only be visible in the network traffic at the iodined server,
|
||||
and will not affect the client's connection. Iodined has rather elaborate
|
||||
logic to deal with (i.e., ignore) these unwanted duplicates.
|
||||
If you are running on a local network without any DNS server in-between, try
|
||||
-I 50 (iodine and iodined close the connection after 60 seconds of silence).
|
||||
The only time you'll notice a slowdown, is when DNS reply packets go missing;
|
||||
the iodined server then has to wait for a new ping to re-send the data. You can
|
||||
speed this up by generating some upstream traffic (keypress, ping). If this
|
||||
happens often, check your network for bottlenecks and/or run with -I1.
|
||||
|
||||
Other DNS servers, notably the opendns.com network, seem to regard iodined's
|
||||
lazyness as incompetency, and will start shuffling requests around, possibly
|
||||
in an attempt to reduce iodined's workload. The resulting out-of-sequence DNS
|
||||
traffic works quite badly for lazy mode. The iodine client will detect this,
|
||||
and switch back to legacy mode ("immediate ping-pong") automatically. In these
|
||||
cases, start the iodine client with -L0 to prevent it from operating in lazy
|
||||
mode altogether. Note that this will negatively affect interactive performance
|
||||
and latency, especially in the downstream direction.
|
||||
The delayed answering in lazy mode will cause some "carrier grade" commercial
|
||||
DNS relays to repeatedly re-send the same DNS query to the iodined server.
|
||||
If the DNS relay is actually implemented as a pool of parallel servers,
|
||||
duplicate requests may even arrive from multiple sources. This effect will
|
||||
only be visible in the network traffic at the iodined server, and will not
|
||||
affect the client's connection. Iodined will notice these duplicates, and send
|
||||
the same answer (when its time has come) to both the original query and the
|
||||
latest duplicate. After that, the full answer is cached for a short while.
|
||||
Delayed duplicates that arrive at the server even later, get a reply that the
|
||||
iodine client will ignore (if it ever arrives there).
|
||||
|
||||
If you have problems, try inspecting the traffic with network monitoring tools
|
||||
and make sure that the relaying DNS server has not cached the response. A
|
||||
cached error message could mean that you started the client before the server.
|
||||
The -D (and -DD) option on the server can also show received and sent queries.
|
||||
like tcpdump or ethereal/wireshark, and make sure that the relaying DNS server
|
||||
has not cached the response. A cached error message could mean that you
|
||||
started the client before the server. The -D (and -DD) option on the server
|
||||
can also show received and sent queries.
|
||||
|
||||
|
||||
TIPS & TRICKS:
|
||||
@ -165,13 +248,16 @@ PERFORMANCE:
|
||||
This section tabulates some performance measurements. To view properly, use
|
||||
a fixed-width font like Courier.
|
||||
|
||||
Measurements were done in protocol 00000500 with lazy mode unless indicated
|
||||
otherwise. Upstream encoding always Base64.
|
||||
Measurements were done in protocol 00000502 in lazy mode; upstream encoding
|
||||
always Base128; iodine -M255; iodined -m1130. Network conditions were not
|
||||
extremely favorable; results are not benchmarks but a realistic indication of
|
||||
real-world performance that can be expected in similar situations.
|
||||
|
||||
Upstream/downstream throughput was measured by scp'ing a file previously
|
||||
read from /dev/urandom (i.e. incompressible), and measuring size with
|
||||
"ls -l ; sleep 30 ; ls -l" on a separate non-tunneled connection. Given the
|
||||
large scp block size of 16 kB, this gives a resolution of 4.3 kbit/s, which
|
||||
explains why many values are exactly equal.
|
||||
explains why some values are exactly equal.
|
||||
Ping round-trip times measured with "ping -c100", presented are average rtt
|
||||
and mean deviation (indicating spread around the average), in milliseconds.
|
||||
|
||||
@ -185,43 +271,28 @@ Laptop -> Wifi AP -> Home server -> DSL provider -> Datacenter
|
||||
------------------------------------------------------------------------------
|
||||
|
||||
iodine -> Wifi AP :53
|
||||
-Tnull (= -Oraw) 982 39.3 148.5 26.7 3.1 26.6 3.0
|
||||
-Tnull (= -Oraw) 982 43.6 131.0 28.0 4.6 26.8 3.4
|
||||
|
||||
iodine -> Home server :53
|
||||
-Tnull (= -Oraw) 1174 43.6 174.7 25.2 4.0 25.5 3.4
|
||||
-Tnull (= -Oraw) 1174 48.0 305.8 26.6 5.0 26.9 8.4
|
||||
|
||||
iodine -> DSL provider :53
|
||||
-Tnull (= -Oraw) 1174 52.4 200.9 20.3 3.2 20.3 2.7
|
||||
-Ttxt -Obase32 730 52.4 192.2*
|
||||
-Ttxt -Obase64 874 52.4 192.2
|
||||
-Ttxt -Oraw 1162 52.4 192.2
|
||||
-Tcname -Obase32 148 52.4 48.0
|
||||
-Tcname -Obase64 181 52.4 61.1
|
||||
-Tnull (= -Oraw) 1174 56.7 367.0 20.6 3.1 21.2 4.4
|
||||
-Ttxt -Obase32 730 56.7 174.7*
|
||||
-Ttxt -Obase64 874 56.7 174.7
|
||||
-Ttxt -Obase128 1018 56.7 174.7
|
||||
-Ttxt -Oraw 1162 56.7 358.2
|
||||
-Tsrv -Obase128 910 56.7 174.7
|
||||
-Tcname -Obase32 151 56.7 43.6
|
||||
-Tcname -Obase128 212 56.7 52.4
|
||||
|
||||
iodine -> DSL provider :53
|
||||
wired (no Wifi) -Tnull 1174 65.5 244.6 17.7 1.9 17.8 1.6
|
||||
wired (no Wifi) -Tnull 1174 74.2 585.4 20.2 5.6 19.6 3.4
|
||||
|
||||
[192.2* : nice, because still 2frag/packet]
|
||||
[174.7* : these all have 2frag/packet]
|
||||
|
||||
|
||||
Situation 2:
|
||||
Laptop -> (wire) -> (Home server) -> (DSL) -> opendns.com -> Datacenter
|
||||
iodine DNS cache iodined
|
||||
|
||||
downstr. upstream downstr. ping-up ping-down
|
||||
fragsize kbit/s kbit/s avg +/-mdev avg +/-mdev
|
||||
------------------------------------------------------------------------------
|
||||
|
||||
iodine -> opendns.com :53
|
||||
-Tnull -L1 (lazy mode) 230 - - 404.4 196.2 663.8 679.6
|
||||
(20% lost) (2% lost)
|
||||
|
||||
-Tnull -L0 (legacy mode) 230 5.6 7.4 197.3 4.7 610.8 323.5
|
||||
|
||||
[Note: Throughput measured over 300 seconds to get better resolution]
|
||||
|
||||
|
||||
Situation 3:
|
||||
Laptop -> Wifi+vpn / wired -> Home server
|
||||
iodine iodined
|
||||
|
||||
@ -229,9 +300,9 @@ Laptop -> Wifi+vpn / wired -> Home server
|
||||
fragsize kbit/s kbit/s avg +/-mdev avg +/-mdev
|
||||
------------------------------------------------------------------------------
|
||||
|
||||
wifi + openvpn -Tnull 1186 183.5 611.6 5.7 1.4 7.0 2.7
|
||||
wifi + openvpn -Tnull 1186 166.0 1022.3 6.3 1.3 6.6 1.6
|
||||
|
||||
wired -Tnull 1186 685.9 2350.5 1.3 0.1 1.4 0.4
|
||||
wired -Tnull 1186 677.2 2464.1 1.3 0.2 1.3 0.1
|
||||
|
||||
|
||||
Performance is strongly coupled to low ping times, as iodine requires
|
||||
|
@ -1,4 +1,4 @@
|
||||
Detailed specification of protocol in version 00000501
|
||||
Detailed specification of protocol in version 00000502
|
||||
======================================================
|
||||
|
||||
Note: work in progress!!
|
||||
@ -7,6 +7,22 @@ Note: work in progress!!
|
||||
1. DNS protocol
|
||||
======================================================
|
||||
|
||||
Quick alphabetical index / register:
|
||||
0-9 Data packet
|
||||
A-F Data packet
|
||||
I IP address
|
||||
L Login
|
||||
N Downstream fragsize (NS.topdomain A-type reply)
|
||||
O Options
|
||||
P Ping
|
||||
R Downstream fragsize probe
|
||||
S Switch upstream codec
|
||||
V Version
|
||||
W (WWW.topdomain A-type reply)
|
||||
Y Downstream codec check
|
||||
Z Upstream codec check
|
||||
|
||||
|
||||
CMC = 2 byte Cache Miss Counter, increased every time it is used
|
||||
|
||||
Version:
|
||||
@ -38,29 +54,55 @@ IP Request:
|
||||
Client sends:
|
||||
First byte i or I
|
||||
5 bits coded as Base32 char, meaning userid
|
||||
CMC
|
||||
CMC as 3 Base32 chars
|
||||
Server replies
|
||||
BADIP if bad userid, or
|
||||
I and then 4 bytes network order external IP address of iodined server
|
||||
|
||||
Case check:
|
||||
Upstream codec check / bounce:
|
||||
Client sends:
|
||||
First byte z or Z
|
||||
Lots of data that should not be decoded
|
||||
Server replies:
|
||||
The requested domain copied raw
|
||||
The requested domain copied raw, in the lowest-grade downstream codec
|
||||
available for the request type.
|
||||
|
||||
Downstream codec check:
|
||||
Client sends:
|
||||
First byte y or Y
|
||||
1 char, meaning downstream codec to use
|
||||
5 bits coded as Base32 char, meaning check variant
|
||||
CMC as 3 Base32 chars
|
||||
Possibly extra data, depending on check variant
|
||||
Server sends:
|
||||
Data encoded with requested downstream codec; data content depending
|
||||
on check variant number.
|
||||
BADCODEC if requested downstream codec not available.
|
||||
BADLEN if check variant is not available, or problem with extra data.
|
||||
|
||||
Downstream codec chars are same as in 'O' Option request, below.
|
||||
|
||||
Check variants:
|
||||
1: Send encoded DOWNCODECCHECK1 string as defined in encoding.h
|
||||
|
||||
(Other variants reserved; possibly variant that sends a decoded-encoded
|
||||
copy of Base32-encoded extra data in the request)
|
||||
|
||||
Switch codec:
|
||||
Client sends:
|
||||
First byte s or S
|
||||
5 bits coded as Base32 char, meaning userid
|
||||
5 bits coded as Base32 char, with value 5 or 6, representing number of raw
|
||||
bits per encoded byte
|
||||
CMC
|
||||
5 bits coded as Base32 char, representing number of raw bits per
|
||||
encoded byte:
|
||||
5: Base32 (a-z0-5)
|
||||
6: Base64 (a-zA-Z0-9+-)
|
||||
26: Base64u (a-zA-Z0-9_-)
|
||||
7: Base128 (a-zA-Z0-9\274-\375)
|
||||
CMC as 3 Base32 chars
|
||||
Server sends:
|
||||
Name of codec if accepted. After this all upstream data packets must
|
||||
be encoded with the new codec.
|
||||
BADCODEC if not accepted. Client must then revert to Base32
|
||||
BADCODEC if not accepted. Client must then revert to previous codec
|
||||
BADLEN if length of query is too short
|
||||
|
||||
Options:
|
||||
@ -68,6 +110,7 @@ Client sends:
|
||||
First byte o or O
|
||||
5 bits coded as Base32 char, meaning userid
|
||||
1 char, meaning option
|
||||
CMC as 3 Base32 chars
|
||||
Server sends:
|
||||
Full name of option if accepted. After this, option immediately takes
|
||||
effect in server.
|
||||
@ -77,6 +120,8 @@ Server sends:
|
||||
Option chars:
|
||||
t or T: Downstream encoding Base32, for TXT/CNAME/A/MX (default)
|
||||
s or S: Downstream encoding Base64, for TXT/CNAME/A/MX
|
||||
u or U: Downstream encoding Base64u, for TXT/CNAME/A/MX
|
||||
v or V: Downstream encoding Base128, for TXT/CNAME/A/MX
|
||||
r or R: Downstream encoding Raw, for TXT/NULL (default for NULL)
|
||||
If codec unsupported for request type, server will use Base32; note
|
||||
that server will answer any mix of request types that a client sends.
|
||||
@ -96,8 +141,10 @@ Client sends:
|
||||
meaning 4 bits userid, 11 bits fragment size
|
||||
Then follows a long random query which contents does not matter
|
||||
Server sends:
|
||||
Requested number of bytes as a response. The first two bytes contains
|
||||
the requested length. Rest of message can be any data.
|
||||
Requested number of bytes as a response. The first two bytes contain
|
||||
the requested length. The third byte is 107 (0x6B). The fourth byte
|
||||
is a random value, and each following byte is incremented with 107.
|
||||
This is checked by the client to determine corruption.
|
||||
BADFRAG if requested length not accepted.
|
||||
|
||||
Set downstream fragment size:
|
||||
@ -114,10 +161,10 @@ Server sends:
|
||||
|
||||
Data:
|
||||
Upstream data header:
|
||||
3210 432 10 43 210 4321 0
|
||||
+----+---+--+--+---+----+-+
|
||||
|UUUU|SSS|FF|FF|DDD|GGGG|L|
|
||||
+----+---+--+--+---+----+-+
|
||||
3210 432 10 43 210 4321 0 43210
|
||||
+----+---+--+--+---+----+-+-----+
|
||||
|UUUU|SSS|FF|FF|DDD|GGGG|L|UDCMC|
|
||||
+----+---+--+--+---+----+-+-----+
|
||||
|
||||
Downstream data header:
|
||||
7 654 3210 765 4321 0
|
||||
@ -132,9 +179,11 @@ FFFF = Upstream fragment number
|
||||
DDD = Downstream packet sequence number
|
||||
GGGG = Downstream fragment number
|
||||
C = Compression enabled for downstream packet
|
||||
UDCMC = Upstream Data CMC, 36 steps a-z0-9, case-insensitive
|
||||
|
||||
Upstream data packet starts with 1 byte ASCII hex coded user byte, then 3 bytes
|
||||
Base32 encoded header, then comes the payload data, encoded with chosen codec.
|
||||
Upstream data packet starts with 1 byte ASCII hex coded user byte; then 3 bytes
|
||||
Base32 encoded header; then 1 char data-CMC; then comes the payload data,
|
||||
encoded with the chosen upstream codec.
|
||||
|
||||
Downstream data starts with 2 byte header. Then payload data, which may be
|
||||
compressed.
|
||||
@ -147,10 +196,18 @@ TXT:
|
||||
<=255 bytes)
|
||||
t or T: Base32 encoded before chop, decoded after un-chop
|
||||
s or S: Base64 encoded before chop, decoded after un-chop
|
||||
u or U: Base64u encoded before chop, decoded after un-chop
|
||||
v or V: Base128 encoded before chop, decoded after un-chop
|
||||
r or R: Raw no encoding, only DNS-chop
|
||||
CNAME/A/MX:
|
||||
SRV/MX/CNAME/A:
|
||||
h or H: Hostname encoded with Base32
|
||||
i or I: Hostname encoded with Base64
|
||||
j or J: Hostname encoded with Base64u
|
||||
k or K: Hostname encoded with Base128
|
||||
SRV and MX may reply with multiple hostnames, each encoded separately. Each
|
||||
has a 10-multiple priority, and encoding/decoding is done in strictly
|
||||
increasing priority sequence 10, 20, 30, etc. without gaps. Note that some DNS
|
||||
relays will shuffle the answer records in the response.
|
||||
|
||||
Ping:
|
||||
Client sends:
|
||||
@ -162,10 +219,11 @@ Client sends:
|
||||
4 bits downstream fragment
|
||||
CMC
|
||||
|
||||
The server response to Ping and Data packets is a DNS NULL type response:
|
||||
If server has nothing to send, data length is 0 bytes.
|
||||
If server has something to send, it will send a downstream data packet,
|
||||
prefixed with 2 bytes header as shown above.
|
||||
The server response to Ping and Data packets is a DNS NULL/TXT/.. type response,
|
||||
always starting with the 2 bytes downstream data header as shown above.
|
||||
If server has nothing to send, no data is added after the header.
|
||||
If server has something to send, it will add the downstream data packet
|
||||
(or some fragment of it) after the header.
|
||||
|
||||
|
||||
"Lazy-mode" operation
|
185
man/iodine.8
185
man/iodine.8
@ -1,5 +1,5 @@
|
||||
.\" groff -man -Tascii iodine.8
|
||||
.TH IODINE 8 "SEP 2009" "User Manuals"
|
||||
.TH IODINE 8 "DEC 2009" "User Manuals"
|
||||
.SH NAME
|
||||
iodine, iodined \- tunnel IPv4 over DNS
|
||||
.SH SYNOPSIS
|
||||
@ -19,6 +19,8 @@ iodine, iodined \- tunnel IPv4 over DNS
|
||||
.I device
|
||||
.B ] [-m
|
||||
.I fragsize
|
||||
.B ] [-M
|
||||
.I namelen
|
||||
.B ] [-z
|
||||
.I context
|
||||
.B ] [-F
|
||||
@ -84,6 +86,10 @@ downstream.
|
||||
is the client application,
|
||||
.B iodined
|
||||
is the server.
|
||||
|
||||
Note: server and client are required to speak the exact same protocol. In most
|
||||
cases, this means running the same iodine version. Unfortunately, implementing
|
||||
backward and forward protocol compatibility is usually not feasible.
|
||||
.SH OPTIONS
|
||||
.SS Common Options:
|
||||
.TP
|
||||
@ -127,49 +133,85 @@ will be sent to the server instead of the DNS relay.
|
||||
Force maximum downstream fragment size. Not setting this will cause the
|
||||
client to automatically probe the maximum accepted downstream fragment size.
|
||||
.TP
|
||||
.B -M namelen
|
||||
Maximum length of upstream hostnames, default 255.
|
||||
Usable range ca. 100 to 255.
|
||||
Use this option to scale back upstream bandwidth in favor of downstream
|
||||
bandwidth.
|
||||
Also useful for DNS servers that perform unreliably when using full-length
|
||||
hostnames, noticable when fragment size autoprobe returns very
|
||||
different results each time.
|
||||
.TP
|
||||
.B -T dnstype
|
||||
DNS request type.
|
||||
.I NULL
|
||||
is default. If this doesn't work, try
|
||||
.I TXT
|
||||
(some less bandwidth) or
|
||||
DNS request type override.
|
||||
By default, autodetection will probe for working DNS request types, and
|
||||
will select the request type that is expected to provide the most bandwidth.
|
||||
However, it may turn out that a DNS relay imposes limits that skew the
|
||||
picture, which may lead to an "unexpected" DNS request type providing
|
||||
more bandwidth.
|
||||
In that case, use this option to override the autodetection.
|
||||
In (expected) decreasing bandwidth order, the supported DNS request types are:
|
||||
.IR NULL ,
|
||||
.IR TXT ,
|
||||
.IR SRV ,
|
||||
.IR MX ,
|
||||
.I CNAME
|
||||
(much less bandwidth). Also supported are
|
||||
and
|
||||
.I A
|
||||
(returning CNAME) and
|
||||
(returning CNAME).
|
||||
Note that
|
||||
.IR SRV ,
|
||||
.I MX
|
||||
requests, but these may/will cause additional lookups by "smart" caching
|
||||
and
|
||||
.I A
|
||||
may/will cause additional lookups by "smart" caching
|
||||
nameservers to get an actual IP address, which may either slow down or fail
|
||||
completely.
|
||||
.TP
|
||||
.B -O downenc
|
||||
Downstream encoding for all query type responses except NULL.
|
||||
Force downstream encoding type for all query type responses except NULL.
|
||||
Default is autodetected, but may not spot all problems for the more advanced
|
||||
codecs.
|
||||
Use this option to override the autodetection.
|
||||
.I Base32
|
||||
is default and should always work.
|
||||
is the lowest-grade codec and should always work; this is used when
|
||||
autodetection fails.
|
||||
.I Base64
|
||||
provides more bandwidth, but may not work on all nameservers.
|
||||
.I Base64u
|
||||
is equal to Base64 except in using underscore ('_')
|
||||
instead of plus sign ('+'), possibly working where
|
||||
.I Base64
|
||||
does not.
|
||||
.I Base128
|
||||
uses high byte values (mostly accented letters in iso8859-1),
|
||||
which might work with some nameservers.
|
||||
For TXT queries,
|
||||
.I Raw
|
||||
will provide maximum performance. This will only work if the nameserver
|
||||
will provide maximum performance, but this will only work if the nameserver
|
||||
path is fully 8-bit-clean for responses that are assumed to be "legible text".
|
||||
.TP
|
||||
.B -L 0|1
|
||||
Lazy-mode switch.
|
||||
\-L1 (default): Use lazy mode if server supports it, for improved
|
||||
performance and decreased latency.
|
||||
Some DNS servers, notably the opendns.com network, appear unstable when
|
||||
handling lazy mode DNS traffic and will re-order requests. If this occurs,
|
||||
you will notice fluctuating response speed in interactive sessions.
|
||||
The iodine client will eventually detect this and switch back to legacy
|
||||
mode automatically. Use \-L0 to force running in legacy mode
|
||||
\-L1 (default): Use lazy mode for improved performance and decreased latency.
|
||||
A very small minority of DNS relays appears to be unable to handle the
|
||||
lazy mode traffic pattern, resulting in no or very little data coming through.
|
||||
The iodine client will detect this and try to switch back to legacy mode,
|
||||
but this may not always work.
|
||||
In these situations use \-L0 to force running in legacy mode
|
||||
(implies \-I1).
|
||||
.TP
|
||||
.B -I interval
|
||||
Maximum interval between requests (pings) so that intermediate DNS
|
||||
servers will not time out. Default is 4 in lazy mode, which will work
|
||||
fine in almost all cases. Decrease if you get SERVFAIL errors in periods
|
||||
without tunneled data traffic. To get absolute minimum DNS traffic,
|
||||
increase well above 4 until SERVFAIL errors start to occur.
|
||||
fine in most cases. When too many SERVFAIL errors occur, iodine
|
||||
will automatically reduce this to 1.
|
||||
To get absolute minimum DNS traffic,
|
||||
increase well above 4, but not so high that SERVFAIL errors start to occur.
|
||||
There are some DNS relays with very small timeouts,
|
||||
notably dnsadvantage.com (ultradns), that will give
|
||||
SERVFAIL errors even with \-I1; data will still get trough,
|
||||
and these errors can be ignored.
|
||||
Maximum useful value is 59, since iodined will close a client's
|
||||
connection after 60 seconds of inactivity.
|
||||
.SS Server Options:
|
||||
@ -190,11 +232,16 @@ Increase debug level. Level 1 prints info about each RX/TX packet.
|
||||
Implies the
|
||||
.B -f
|
||||
option.
|
||||
On level 2 (-DD) or higher, DNS queries will be printed literally.
|
||||
When using Base128 upstream encoding, this is best viewed as
|
||||
ISO Latin-1 text instead of (illegal) UTF-8.
|
||||
This is easily done with : "LC_ALL=C luit iodined -DD ..."
|
||||
(see luit(1)).
|
||||
.TP
|
||||
.B -m mtu
|
||||
Set 'mtu' as mtu size for the tun device.
|
||||
This will be sent to the client on login, and the client will use the same mtu
|
||||
for its tun device. Default 1200. Note that the DNS traffic will be
|
||||
for its tun device. Default 1130. Note that the DNS traffic will be
|
||||
automatically fragmented when needed.
|
||||
.TP
|
||||
.B -l listen_ip
|
||||
@ -236,97 +283,22 @@ must be the same on both the client and the server.
|
||||
.SS Server Arguments:
|
||||
.TP
|
||||
.B tunnel_ip[/netmask]
|
||||
+This is the server's ip address on the tun interface. The client will be
|
||||
This is the server's ip address on the tun interface. The client will be
|
||||
given the next ip number in the range. It is recommended to use the
|
||||
10.0.0.0 or 172.16.0.0 ranges. The default netmask is /27, can be overriden
|
||||
by specifying it here. Using a smaller network will limit the number of
|
||||
concurrent users.
|
||||
.TP
|
||||
.B topdomain
|
||||
+The dns traffic is expected to arrive as queries for
|
||||
The dns traffic is expected to arrive as queries for
|
||||
subdomains under 'topdomain'. This is normally a subdomain to a domain you
|
||||
own. Use a short domain name to get better throughput. This argument must be
|
||||
the same on both the client and the server. Queries for domains other
|
||||
than 'topdomain' will be forwarded when the \-b option is given, otherwise
|
||||
they will be dropped.
|
||||
.SH EXAMPLES
|
||||
.SS Quickstart:
|
||||
.TP
|
||||
Try it out within your own LAN! Follow these simple steps:
|
||||
.TP
|
||||
- On your server, run: ./iodined \-f 10.0.0.1 test.asdf
|
||||
(If you already use the 10.0.0.0 network, use another internal net like
|
||||
172.16.0.0)
|
||||
.TP
|
||||
- Enter a password
|
||||
.TP
|
||||
- On the client, run: ./iodine \-f 192.168.0.1 test.asdf
|
||||
(Replace 192.168.0.1 with the server's ip address)
|
||||
.TP
|
||||
- Enter the same password
|
||||
.TP
|
||||
- Now the client has the tunnel ip 10.0.0.2 and the server has 10.0.0.1
|
||||
.TP
|
||||
- Try pinging each other through the tunnel
|
||||
.TP
|
||||
- Done! :)
|
||||
.TP
|
||||
To actually use it through a relaying nameserver, see below.
|
||||
.SS Full setup:
|
||||
|
||||
.TP
|
||||
.B Server side:
|
||||
To use this tunnel, you need control over a real domain (like mytunnel.com),
|
||||
and a server with a public IP number. If the server already runs a DNS
|
||||
server, change the listening port and then use the \-b option to let
|
||||
iodined forward the DNS requests. Then, delegate a subdomain
|
||||
(say, tunnel1.mytunnel.com) to the server. If you use BIND for the domain,
|
||||
add these lines to the zone file (replace 10.15.213.99 with your server ip):
|
||||
|
||||
.nf
|
||||
tunnel1host IN A 10.15.213.99
|
||||
tunnel1 IN NS tunnel1host.mytunnel.com.
|
||||
.fi
|
||||
|
||||
Now any DNS querys for domains ending with tunnel1.mytunnnel.com will be sent
|
||||
to your server. Start iodined on the server. The first argument is the tunnel
|
||||
IP address (like 192.168.99.1) and the second is the assigned domain (in this
|
||||
case tunnel1.mytunnel.com). The \-f argument will keep iodined running in the
|
||||
foreground, which helps when testing. iodined will start a virtual interface,
|
||||
and also start listening for DNS queries on UDP port 53. Either enter a
|
||||
password on the commandline (\-P pass) or after the server has started. Now
|
||||
everything is ready for the client.
|
||||
.TP
|
||||
.B Client side:
|
||||
All the setup is done, just start iodine. It also takes two
|
||||
arguments, the first is the local relaying DNS server and the second is the
|
||||
domain used (tunnel1.mytunnnel.com). If DNS queries are allowed to any
|
||||
computer, you can use the tunnel endpoint (example: 10.15.213.99 or
|
||||
tunnel1host.mytunnel.com) as the first argument. The tunnel interface will get
|
||||
an IP close to the servers (in this case 192.168.99.2) and a suitable MTU.
|
||||
Enter the same password as on the server either by argument or after the client
|
||||
has started. Now you should be able to ping the other end of the tunnel from
|
||||
either side.
|
||||
.TP
|
||||
.B Routing:
|
||||
The normal case is to route all traffic through the DNS tunnel. To do this, first
|
||||
add a route to the nameserver you use with the default gateway as gateway. Then
|
||||
replace the default gateway with the servers IP address within the DNS tunnel,
|
||||
and configure the server to do NAT.
|
||||
.TP
|
||||
.B Troubleshooting:
|
||||
Use the \-D option on the server to show received and sent queries, or use a
|
||||
tool like Wireshark/tcpdump. The iodined server replies to NS requests sent for
|
||||
subdomains of the tunnel domain. If your domain is tunnel.com, send a NS
|
||||
request for foo.tunnel.com to see if the delegation works. dig is a good tool
|
||||
for this:
|
||||
.nf
|
||||
dig \-t NS foo123.tunnel.com
|
||||
.fi
|
||||
.TP
|
||||
.B MTU issues:
|
||||
These issues should be solved now, with automatic fragmentation of downstream
|
||||
packets. There should be no need to set the MTU explicitly on the server.
|
||||
See the README file for both a quick test scenario, and a detailed description
|
||||
of real-world deployment.
|
||||
.SH SECURITY
|
||||
Login is a relatively secure challenge-response MD5 hash, with the
|
||||
password never passing the wire.
|
||||
@ -336,10 +308,9 @@ encrypted in any way. The DNS traffic is also vulnerable to replay,
|
||||
injection and man-in-the-middle attacks, especially when iodined is used
|
||||
with the \-c option. Use of ssh or vpn tunneling is strongly recommended.
|
||||
On both server and client, use
|
||||
.I iptables
|
||||
,
|
||||
.IR iptables ,
|
||||
.I pf
|
||||
or other firewlls to block all traffic coming in from the tun interfaces,
|
||||
or other firewalls to block all traffic coming in from the tun interfaces,
|
||||
except to the used ssh or vpn ports.
|
||||
.SH ENVIRONMENT
|
||||
.SS IODINE_PASS
|
||||
@ -348,14 +319,14 @@ If the environment variable
|
||||
is set, iodine will use the value it is set to as password instead of asking
|
||||
for one. The
|
||||
.B -P
|
||||
option still has preference.
|
||||
option still has precedence.
|
||||
.SS IODINED_PASS
|
||||
If the environment variable
|
||||
.B IODINED_PASS
|
||||
is set, iodined will use the value it is set to as password instead of asking
|
||||
for one. The
|
||||
.B -P
|
||||
option still has preference.
|
||||
option still has precedence.
|
||||
.El
|
||||
.SH SEE ALSO
|
||||
The README file in the source distribution contains some more elaborate
|
||||
|
14
src/Makefile
14
src/Makefile
@ -1,4 +1,4 @@
|
||||
COMMONOBJS = tun.o dns.o read.o encoding.o login.o base32.o base64.o md5.o common.o
|
||||
COMMONOBJS = tun.o dns.o read.o encoding.o login.o base32.o base64.o base64u.o base128.o md5.o common.o
|
||||
CLIENTOBJS = iodine.o client.o util.o
|
||||
CLIENT = ../bin/iodine
|
||||
SERVEROBJS = iodined.o user.o fw_query.o
|
||||
@ -30,7 +30,17 @@ $(SERVER): $(COMMONOBJS) $(SERVEROBJS)
|
||||
@echo CC $<
|
||||
@$(CC) $(CFLAGS) $< -o $@
|
||||
|
||||
base64u.o client.o iodined.o: base64u.h
|
||||
base64u.c: base64.c
|
||||
@echo Making $@
|
||||
@echo '/* No use in editing, produced by Makefile! */' > $@
|
||||
@sed -e 's/\(base64\)/\1u/ig ; s/0123456789+/0123456789_/' < $< >> $@
|
||||
base64u.h: base64.h
|
||||
@echo Making $@
|
||||
@echo '/* No use in editing, produced by Makefile! */' > $@
|
||||
@sed -e 's/\(base64\)/\1u/ig ; s/0123456789+/0123456789_/' < $< >> $@
|
||||
|
||||
clean:
|
||||
@echo "Cleaning src/"
|
||||
@rm -f $(CLIENT){,.exe} $(SERVER){,.exe} *~ *.o *.core
|
||||
@rm -f $(CLIENT){,.exe} $(SERVER){,.exe} *~ *.o *.core base64u.*
|
||||
|
||||
|
291
src/base128.c
Normal file
291
src/base128.c
Normal file
@ -0,0 +1,291 @@
|
||||
/*
|
||||
* Copyright (C) 2009 J.A.Bezemer@opensourcepartners.nl
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/*
|
||||
* raw 76543210 76543210 76543210 76543210 76543210 76543210 76543210
|
||||
* enc 65432106 54321065 43210654 32106543 21065432 10654321 06543210
|
||||
* ^ ^ ^ ^ ^ ^ ^ ^
|
||||
*
|
||||
* 0001 1 0001 1
|
||||
* 0011 3 0011 3
|
||||
* 0111 7 0111 7
|
||||
* 1111 f 0110 6
|
||||
* 1110 e 0100 4
|
||||
* 1100 c
|
||||
* 1000 8
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "encoding.h"
|
||||
#include "base128.h"
|
||||
|
||||
#define BLKSIZE_RAW 7
|
||||
#define BLKSIZE_ENC 8
|
||||
|
||||
/* Don't use '-' (restricted to middle of labels), prefer iso_8859-1
|
||||
* accent chars since they might readily be entered in normal use,
|
||||
* don't use 254-255 because of possible function overloading in DNS systems.
|
||||
*/
|
||||
static const unsigned char cb128[] =
|
||||
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
|
||||
"\274\275\276\277"
|
||||
"\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317"
|
||||
"\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337"
|
||||
"\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357"
|
||||
"\360\361\362\363\364\365\366\367\370\371\372\373\374\375";
|
||||
static unsigned char rev128[256];
|
||||
static int reverse_init = 0;
|
||||
|
||||
static int base128_encode(char *, size_t *, const void *, size_t);
|
||||
static int base128_decode(void *, size_t *, const char *, size_t);
|
||||
static int base128_handles_dots();
|
||||
static int base128_blksize_raw();
|
||||
static int base128_blksize_enc();
|
||||
|
||||
static struct encoder base128_encoder =
|
||||
{
|
||||
"Base128",
|
||||
base128_encode,
|
||||
base128_decode,
|
||||
base128_handles_dots,
|
||||
base128_handles_dots,
|
||||
base128_blksize_raw,
|
||||
base128_blksize_enc
|
||||
};
|
||||
|
||||
struct encoder
|
||||
*get_base128_encoder()
|
||||
{
|
||||
return &base128_encoder;
|
||||
}
|
||||
|
||||
static int
|
||||
base128_handles_dots()
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
base128_blksize_raw()
|
||||
{
|
||||
return BLKSIZE_RAW;
|
||||
}
|
||||
|
||||
static int
|
||||
base128_blksize_enc()
|
||||
{
|
||||
return BLKSIZE_ENC;
|
||||
}
|
||||
|
||||
inline static void
|
||||
base128_reverse_init()
|
||||
{
|
||||
int i;
|
||||
unsigned char c;
|
||||
|
||||
if (!reverse_init) {
|
||||
memset (rev128, 0, 256);
|
||||
for (i = 0; i < 128; i++) {
|
||||
c = cb128[i];
|
||||
rev128[(int) c] = i;
|
||||
}
|
||||
reverse_init = 1;
|
||||
}
|
||||
}
|
||||
|
||||
static int
|
||||
base128_encode(char *buf, size_t *buflen, const void *data, size_t size)
|
||||
/*
|
||||
* Fills *buf with max. *buflen characters, encoding size bytes of *data.
|
||||
*
|
||||
* NOTE: *buf space should be at least 1 byte _more_ than *buflen
|
||||
* to hold the trailing '\0'.
|
||||
*
|
||||
* return value : #bytes filled in buf (excluding \0)
|
||||
* sets *buflen to : #bytes encoded from data
|
||||
*/
|
||||
{
|
||||
unsigned char *ubuf = (unsigned char *) buf;
|
||||
unsigned char *udata = (unsigned char *) data;
|
||||
int iout = 0; /* to-be-filled output char */
|
||||
int iin = 0; /* one more than last input byte that can be
|
||||
successfully decoded */
|
||||
|
||||
/* Note: Don't bother to optimize manually. GCC optimizes
|
||||
better(!) when using simplistic array indexing. */
|
||||
|
||||
while (1) {
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
ubuf[iout] = cb128[((udata[iin] & 0xfe) >> 1)];
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size) {
|
||||
iout--; /* previous char is useless */
|
||||
break;
|
||||
}
|
||||
ubuf[iout] = cb128[((udata[iin] & 0x01) << 6) |
|
||||
((iin + 1 < size) ?
|
||||
((udata[iin + 1] & 0xfc) >> 2) : 0)];
|
||||
iin++; /* 0 complete, iin=1 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
ubuf[iout] = cb128[((udata[iin] & 0x03) << 5) |
|
||||
((iin + 1 < size) ?
|
||||
((udata[iin + 1] & 0xf8) >> 3) : 0)];
|
||||
iin++; /* 1 complete, iin=2 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
ubuf[iout] = cb128[((udata[iin] & 0x07) << 4) |
|
||||
((iin + 1 < size) ?
|
||||
((udata[iin + 1] & 0xf0) >> 4) : 0)];
|
||||
iin++; /* 2 complete, iin=3 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
ubuf[iout] = cb128[((udata[iin] & 0x0f) << 3) |
|
||||
((iin + 1 < size) ?
|
||||
((udata[iin + 1] & 0xe0) >> 5) : 0)];
|
||||
iin++; /* 3 complete, iin=4 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
ubuf[iout] = cb128[((udata[iin] & 0x1f) << 2) |
|
||||
((iin + 1 < size) ?
|
||||
((udata[iin + 1] & 0xc0) >> 6) : 0)];
|
||||
iin++; /* 4 complete, iin=5 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
ubuf[iout] = cb128[((udata[iin] & 0x3f) << 1) |
|
||||
((iin + 1 < size) ?
|
||||
((udata[iin + 1] & 0x80) >> 7) : 0)];
|
||||
iin++; /* 5 complete, iin=6 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
ubuf[iout] = cb128[(udata[iin] & 0x7f)];
|
||||
iin++; /* 6 complete, iin=7 */
|
||||
iout++;
|
||||
}
|
||||
|
||||
ubuf[iout] = '\0';
|
||||
|
||||
/* store number of bytes from data that was used */
|
||||
*buflen = iin;
|
||||
|
||||
return iout;
|
||||
}
|
||||
|
||||
#define REV128(x) rev128[(int) (x)]
|
||||
|
||||
static int
|
||||
base128_decode(void *buf, size_t *buflen, const char *str, size_t slen)
|
||||
/*
|
||||
* Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
|
||||
* Decoding stops early when *str contains \0.
|
||||
* Illegal encoded chars are assumed to decode to zero.
|
||||
*
|
||||
* NOTE: *buf space should be at least 1 byte _more_ than *buflen
|
||||
* to hold a trailing '\0' that is added (though *buf will usually
|
||||
* contain full-binary data).
|
||||
*
|
||||
* return value : #bytes filled in buf (excluding \0)
|
||||
*/
|
||||
{
|
||||
unsigned char *ustr = (unsigned char *) str;
|
||||
unsigned char *ubuf = (unsigned char *) buf;
|
||||
int iout = 0; /* to-be-filled output byte */
|
||||
int iin = 0; /* next input char to use in decoding */
|
||||
|
||||
base128_reverse_init ();
|
||||
|
||||
/* Note: Don't bother to optimize manually. GCC optimizes
|
||||
better(!) when using simplistic array indexing. */
|
||||
|
||||
while (1) {
|
||||
if (iout >= *buflen || iin + 1 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV128(ustr[iin]) & 0x7f) << 1) |
|
||||
((REV128(ustr[iin + 1]) & 0x40) >> 6);
|
||||
iin++; /* 0 used up, iin=1 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin + 1 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV128(ustr[iin]) & 0x3f) << 2) |
|
||||
((REV128(ustr[iin + 1]) & 0x60) >> 5);
|
||||
iin++; /* 1 used up, iin=2 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin + 1 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV128(ustr[iin]) & 0x1f) << 3) |
|
||||
((REV128(ustr[iin + 1]) & 0x70) >> 4);
|
||||
iin++; /* 2 used up, iin=3 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin + 1 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV128(ustr[iin]) & 0x0f) << 4) |
|
||||
((REV128(ustr[iin + 1]) & 0x78) >> 3);
|
||||
iin++; /* 3 used up, iin=4 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin + 1 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV128(ustr[iin]) & 0x07) << 5) |
|
||||
((REV128(ustr[iin + 1]) & 0x7c) >> 2);
|
||||
iin++; /* 4 used up, iin=5 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin + 1 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV128(ustr[iin]) & 0x03) << 6) |
|
||||
((REV128(ustr[iin + 1]) & 0x7e) >> 1);
|
||||
iin++; /* 5 used up, iin=6 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin + 1 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV128(ustr[iin]) & 0x01) << 7) |
|
||||
((REV128(ustr[iin + 1]) & 0x7f));
|
||||
iin += 2; /* 6,7 used up, iin=8 */
|
||||
iout++;
|
||||
}
|
||||
|
||||
ubuf[iout] = '\0';
|
||||
|
||||
return iout;
|
||||
}
|
22
src/base128.h
Normal file
22
src/base128.h
Normal file
@ -0,0 +1,22 @@
|
||||
/*
|
||||
* Copyright (C) 2009 J.A.Bezemer@opensourcepartners.nl
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#ifndef __BASE128_H__
|
||||
#define __BASE128_H__
|
||||
|
||||
struct encoder *get_base128_encoder(void);
|
||||
|
||||
#endif
|
244
src/base32.c
244
src/base32.c
@ -1,5 +1,6 @@
|
||||
/*
|
||||
* Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
|
||||
* Mostly rewritten 2009 J.A.Bezemer@opensourcepartners.nl
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
@ -28,10 +29,11 @@ static const char cb32[] =
|
||||
"abcdefghijklmnopqrstuvwxyz012345";
|
||||
static const char cb32_ucase[] =
|
||||
"ABCDEFGHIJKLMNOPQRSTUVWXYZ012345";
|
||||
static unsigned char rev32[128];
|
||||
static unsigned char rev32[256];
|
||||
static int reverse_init = 0;
|
||||
|
||||
static int base32_decode(void *, size_t *, const char *, size_t);
|
||||
static int base32_encode(char *, size_t *, const void *, size_t);
|
||||
static int base32_decode(void *, size_t *, const char *, size_t);
|
||||
static int base32_handles_dots();
|
||||
static int base32_blksize_raw();
|
||||
static int base32_blksize_enc();
|
||||
@ -71,14 +73,14 @@ base32_blksize_enc()
|
||||
return BLKSIZE_ENC;
|
||||
}
|
||||
|
||||
static void
|
||||
inline static void
|
||||
base32_reverse_init()
|
||||
{
|
||||
int i;
|
||||
unsigned char c;
|
||||
static int reverse_init = 0;
|
||||
|
||||
if (!reverse_init) {
|
||||
memset (rev32, 0, 256);
|
||||
for (i = 0; i < 32; i++) {
|
||||
c = cb32[i];
|
||||
rev32[(int) c] = i;
|
||||
@ -104,123 +106,165 @@ b32_8to5(int in)
|
||||
|
||||
static int
|
||||
base32_encode(char *buf, size_t *buflen, const void *data, size_t size)
|
||||
/*
|
||||
* Fills *buf with max. *buflen characters, encoding size bytes of *data.
|
||||
*
|
||||
* NOTE: *buf space should be at least 1 byte _more_ than *buflen
|
||||
* to hold the trailing '\0'.
|
||||
*
|
||||
* return value : #bytes filled in buf (excluding \0)
|
||||
* sets *buflen to : #bytes encoded from data
|
||||
*/
|
||||
{
|
||||
size_t newsize;
|
||||
size_t maxsize;
|
||||
unsigned char *p;
|
||||
unsigned char *q;
|
||||
int i;
|
||||
unsigned char *udata = (unsigned char *) data;
|
||||
int iout = 0; /* to-be-filled output char */
|
||||
int iin = 0; /* one more than last input byte that can be
|
||||
successfully decoded */
|
||||
|
||||
memset(buf, 0, *buflen);
|
||||
/* Note: Don't bother to optimize manually. GCC optimizes
|
||||
better(!) when using simplistic array indexing. */
|
||||
|
||||
/* how many chars can we encode within the buf */
|
||||
maxsize = BLKSIZE_RAW * (*buflen / BLKSIZE_ENC);
|
||||
/* how big will the encoded data be */
|
||||
newsize = BLKSIZE_ENC * (size / BLKSIZE_RAW);
|
||||
if (size % BLKSIZE_RAW) {
|
||||
newsize += BLKSIZE_ENC;
|
||||
while (1) {
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
buf[iout] = cb32[((udata[iin] & 0xf8) >> 3)];
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size) {
|
||||
iout--; /* previous char is useless */
|
||||
break;
|
||||
}
|
||||
/* if the buffer is too small, eat some of the data */
|
||||
if (*buflen < newsize) {
|
||||
size = maxsize;
|
||||
buf[iout] = cb32[((udata[iin] & 0x07) << 2) |
|
||||
((iin + 1 < size) ?
|
||||
((udata[iin + 1] & 0xc0) >> 6) : 0)];
|
||||
iin++; /* 0 complete, iin=1 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
buf[iout] = cb32[((udata[iin] & 0x3e) >> 1)];
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size) {
|
||||
iout--; /* previous char is useless */
|
||||
break;
|
||||
}
|
||||
buf[iout] = cb32[((udata[iin] & 0x01) << 4) |
|
||||
((iin + 1 < size) ?
|
||||
((udata[iin + 1] & 0xf0) >> 4) : 0)];
|
||||
iin++; /* 1 complete, iin=2 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
buf[iout] = cb32[((udata[iin] & 0x0f) << 1) |
|
||||
((iin + 1 < size) ?
|
||||
((udata[iin + 1] & 0x80) >> 7) : 0)];
|
||||
iin++; /* 2 complete, iin=3 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
buf[iout] = cb32[((udata[iin] & 0x7c) >> 2)];
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size) {
|
||||
iout--; /* previous char is useless */
|
||||
break;
|
||||
}
|
||||
buf[iout] = cb32[((udata[iin] & 0x03) << 3) |
|
||||
((iin + 1 < size) ?
|
||||
((udata[iin + 1] & 0xe0) >> 5) : 0)];
|
||||
iin++; /* 3 complete, iin=4 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
buf[iout] = cb32[((udata[iin] & 0x1f))];
|
||||
iin++; /* 4 complete, iin=5 */
|
||||
iout++;
|
||||
}
|
||||
|
||||
p = (unsigned char *) buf;
|
||||
q = (unsigned char *)data;
|
||||
|
||||
for(i=0;i<size;i+=BLKSIZE_RAW) {
|
||||
p[0] = cb32[((q[0] & 0xf8) >> 3)];
|
||||
p[1] = cb32[(((q[0] & 0x07) << 2) | ((q[1] & 0xc0) >> 6))];
|
||||
p[2] = (i+1 < size) ? cb32[((q[1] & 0x3e) >> 1)] : '\0';
|
||||
p[3] = (i+1 < size) ? cb32[((q[1] & 0x01) << 4) | ((q[2] & 0xf0) >> 4)] : '\0';
|
||||
p[4] = (i+2 < size) ? cb32[((q[2] & 0x0f) << 1) | ((q[3] & 0x80) >> 7)] : '\0';
|
||||
p[5] = (i+3 < size) ? cb32[((q[3] & 0x7c) >> 2)] : '\0';
|
||||
p[6] = (i+3 < size) ? cb32[((q[3] & 0x03) << 3) | ((q[4] & 0xe0) >> 5)] : '\0';
|
||||
p[7] = (i+4 < size) ? cb32[((q[4] & 0x1f))] : '\0';
|
||||
|
||||
q += BLKSIZE_RAW;
|
||||
p += BLKSIZE_ENC;
|
||||
}
|
||||
*p = 0;
|
||||
buf[iout] = '\0';
|
||||
|
||||
/* store number of bytes from data that was used */
|
||||
*buflen = size;
|
||||
*buflen = iin;
|
||||
|
||||
return strlen(buf);
|
||||
return iout;
|
||||
}
|
||||
|
||||
#define DECODE_ERROR 0xffffffff
|
||||
#define REV32(x) rev32[(int) (x)]
|
||||
|
||||
static int
|
||||
decode_token(const unsigned char *t, unsigned char *data, size_t len)
|
||||
{
|
||||
if (len < 2)
|
||||
return 0;
|
||||
|
||||
data[0] = ((REV32(t[0]) & 0x1f) << 3) |
|
||||
((REV32(t[1]) & 0x1c) >> 2);
|
||||
|
||||
if (len < 4)
|
||||
return 1;
|
||||
|
||||
data[1] = ((REV32(t[1]) & 0x03) << 6) |
|
||||
((REV32(t[2]) & 0x1f) << 1) |
|
||||
((REV32(t[3]) & 0x10) >> 4);
|
||||
|
||||
if (len < 5)
|
||||
return 2;
|
||||
|
||||
data[2] = ((REV32(t[3]) & 0x0f) << 4) |
|
||||
((REV32(t[4]) & 0x1e) >> 1);
|
||||
|
||||
if (len < 7)
|
||||
return 3;
|
||||
|
||||
data[3] = ((REV32(t[4]) & 0x01) << 7) |
|
||||
((REV32(t[5]) & 0x1f) << 2) |
|
||||
((REV32(t[6]) & 0x18) >> 3);
|
||||
|
||||
if (len < 8)
|
||||
return 4;
|
||||
|
||||
data[4] = ((REV32(t[6]) & 0x07) << 5) |
|
||||
((REV32(t[7]) & 0x1f));
|
||||
|
||||
return 5;
|
||||
}
|
||||
|
||||
static int
|
||||
base32_decode(void *buf, size_t *buflen, const char *str, size_t slen)
|
||||
/*
|
||||
* Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
|
||||
* Decoding stops early when *str contains \0.
|
||||
* Illegal encoded chars are assumed to decode to zero.
|
||||
*
|
||||
* NOTE: *buf space should be at least 1 byte _more_ than *buflen
|
||||
* to hold a trailing '\0' that is added (though *buf will usually
|
||||
* contain full-binary data).
|
||||
*
|
||||
* return value : #bytes filled in buf (excluding \0)
|
||||
*/
|
||||
{
|
||||
unsigned char *q;
|
||||
size_t newsize;
|
||||
size_t maxsize;
|
||||
const char *p;
|
||||
int len;
|
||||
unsigned char *ubuf = (unsigned char *) buf;
|
||||
int iout = 0; /* to-be-filled output byte */
|
||||
int iin = 0; /* next input char to use in decoding */
|
||||
|
||||
base32_reverse_init ();
|
||||
|
||||
/* chars needed to decode slen */
|
||||
newsize = BLKSIZE_RAW * (slen / BLKSIZE_ENC + 1) + 1;
|
||||
/* encoded chars that fit in buf */
|
||||
maxsize = BLKSIZE_ENC * (*buflen / BLKSIZE_RAW + 1) + 1;
|
||||
/* if the buffer is too small, eat some of the data */
|
||||
if (*buflen < newsize) {
|
||||
slen = maxsize;
|
||||
}
|
||||
/* Note: Don't bother to optimize manually. GCC optimizes
|
||||
better(!) when using simplistic array indexing. */
|
||||
|
||||
q = buf;
|
||||
for (p = str; *p && strchr(cb32, *p); p += BLKSIZE_ENC) {
|
||||
len = decode_token((unsigned char *) p, (unsigned char *) q, slen);
|
||||
q += len;
|
||||
slen -= BLKSIZE_ENC;
|
||||
|
||||
if (len < BLKSIZE_RAW)
|
||||
while (1) {
|
||||
if (iout >= *buflen || iin + 1 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0')
|
||||
break;
|
||||
}
|
||||
*q = '\0';
|
||||
ubuf[iout] = ((REV32(str[iin]) & 0x1f) << 3) |
|
||||
((REV32(str[iin + 1]) & 0x1c) >> 2);
|
||||
iin++; /* 0 used up, iin=1 */
|
||||
iout++;
|
||||
|
||||
return q - (unsigned char *) buf;
|
||||
if (iout >= *buflen || iin + 2 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0' ||
|
||||
str[iin + 2] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV32(str[iin]) & 0x03) << 6) |
|
||||
((REV32(str[iin + 1]) & 0x1f) << 1) |
|
||||
((REV32(str[iin + 2]) & 0x10) >> 4);
|
||||
iin += 2; /* 1,2 used up, iin=3 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin + 1 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV32(str[iin]) & 0x0f) << 4) |
|
||||
((REV32(str[iin + 1]) & 0x1e) >> 1);
|
||||
iin++; /* 3 used up, iin=4 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin + 2 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0' ||
|
||||
str[iin + 2] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV32(str[iin]) & 0x01) << 7) |
|
||||
((REV32(str[iin + 1]) & 0x1f) << 2) |
|
||||
((REV32(str[iin + 2]) & 0x18) >> 3);
|
||||
iin += 2; /* 4,5 used up, iin=6 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin + 1 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV32(str[iin]) & 0x07) << 5) |
|
||||
((REV32(str[iin + 1]) & 0x1f));
|
||||
iin += 2; /* 6,7 used up, iin=8 */
|
||||
iout++;
|
||||
}
|
||||
|
||||
ubuf[iout] = '\0';
|
||||
|
||||
return iout;
|
||||
}
|
||||
|
217
src/base64.c
217
src/base64.c
@ -1,5 +1,6 @@
|
||||
/*
|
||||
* Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
|
||||
* Mostly rewritten 2009 J.A.Bezemer@opensourcepartners.nl
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
@ -19,15 +20,16 @@
|
||||
#include <string.h>
|
||||
|
||||
#include "encoding.h"
|
||||
#include "common.h"
|
||||
#include "base64.h"
|
||||
|
||||
#define BLKSIZE_RAW 3
|
||||
#define BLKSIZE_ENC 4
|
||||
|
||||
/* Note: the "unofficial" char is last here, which means that the \377 pattern
|
||||
in DOWNCODECCHECK1 ('Y' request) will properly test it. */
|
||||
static const char cb64[] =
|
||||
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789+";
|
||||
static unsigned char rev64[128];
|
||||
static unsigned char rev64[256];
|
||||
static int reverse_init = 0;
|
||||
|
||||
static int base64_encode(char *, size_t *, const void *, size_t);
|
||||
@ -36,8 +38,6 @@ static int base64_handles_dots();
|
||||
static int base64_blksize_raw();
|
||||
static int base64_blksize_enc();
|
||||
|
||||
#define REV64(x) rev64[(int) (x)]
|
||||
|
||||
static struct encoder base64_encoder =
|
||||
{
|
||||
"Base64",
|
||||
@ -73,122 +73,133 @@ base64_blksize_enc()
|
||||
return BLKSIZE_ENC;
|
||||
}
|
||||
|
||||
static int
|
||||
base64_encode(char *buf, size_t *buflen, const void *data, size_t size)
|
||||
inline static void
|
||||
base64_reverse_init()
|
||||
{
|
||||
size_t newsize;
|
||||
size_t maxsize;
|
||||
unsigned char *s;
|
||||
unsigned char *p;
|
||||
unsigned char *q;
|
||||
int i;
|
||||
|
||||
memset(buf, 0, *buflen);
|
||||
|
||||
/* how many chars can we encode within the buf */
|
||||
maxsize = BLKSIZE_RAW * (*buflen / BLKSIZE_ENC);
|
||||
/* how big will the encoded data be */
|
||||
newsize = BLKSIZE_ENC * (size / BLKSIZE_RAW);
|
||||
if (size % BLKSIZE_RAW) {
|
||||
newsize += BLKSIZE_ENC;
|
||||
}
|
||||
|
||||
/* if the buffer is too small, eat some of the data */
|
||||
if (*buflen < newsize) {
|
||||
size = maxsize;
|
||||
}
|
||||
|
||||
p = s = (unsigned char *) buf;
|
||||
q = (unsigned char *)data;
|
||||
|
||||
for(i=0;i<size;i+=BLKSIZE_RAW) {
|
||||
p[0] = cb64[((q[0] & 0xfc) >> 2)];
|
||||
p[1] = cb64[(((q[0] & 0x03) << 4) | ((q[1] & 0xf0) >> 4))];
|
||||
p[2] = (i+1 < size) ? cb64[((q[1] & 0x0f) << 2 ) | ((q[2] & 0xc0) >> 6)] : '\0';
|
||||
p[3] = (i+2 < size) ? cb64[(q[2] & 0x3f)] : '\0';
|
||||
|
||||
q += BLKSIZE_RAW;
|
||||
p += BLKSIZE_ENC;
|
||||
}
|
||||
*p = 0;
|
||||
|
||||
/* store number of bytes from data that was used */
|
||||
*buflen = size;
|
||||
|
||||
return strlen(buf);
|
||||
}
|
||||
|
||||
#define DECODE_ERROR 0xffffffff
|
||||
|
||||
static int
|
||||
decode_token(const unsigned char *t, unsigned char *data, size_t len)
|
||||
{
|
||||
if (len < 2)
|
||||
return 0;
|
||||
|
||||
data[0] = ((REV64(t[0]) & 0x3f) << 2) |
|
||||
((REV64(t[1]) & 0x30) >> 4);
|
||||
|
||||
if (len < 3)
|
||||
return 1;
|
||||
|
||||
data[1] = ((REV64(t[1]) & 0x0f) << 4) |
|
||||
((REV64(t[2]) & 0x3c) >> 2);
|
||||
|
||||
if (len < 4)
|
||||
return 2;
|
||||
|
||||
data[2] = ((REV64(t[2]) & 0x03) << 6) |
|
||||
(REV64(t[3]) & 0x3f);
|
||||
|
||||
return 3;
|
||||
}
|
||||
|
||||
static int
|
||||
base64_decode(void *buf, size_t *buflen, const char *str, size_t slen)
|
||||
{
|
||||
unsigned char *q;
|
||||
size_t newsize;
|
||||
size_t maxsize;
|
||||
const char *p;
|
||||
unsigned char c;
|
||||
unsigned char block[BLKSIZE_ENC];
|
||||
int len;
|
||||
int i;
|
||||
|
||||
if (!reverse_init) {
|
||||
memset (rev64, 0, 256);
|
||||
for (i = 0; i < 64; i++) {
|
||||
c = cb64[i];
|
||||
rev64[(int) c] = i;
|
||||
}
|
||||
reverse_init = 1;
|
||||
}
|
||||
|
||||
/* chars needed to decode slen */
|
||||
newsize = BLKSIZE_RAW * (slen / BLKSIZE_ENC + 1) + 1;
|
||||
/* encoded chars that fit in buf */
|
||||
maxsize = BLKSIZE_ENC * (*buflen / BLKSIZE_RAW + 1) + 1;
|
||||
/* if the buffer is too small, eat some of the data */
|
||||
if (*buflen < newsize) {
|
||||
slen = maxsize;
|
||||
}
|
||||
|
||||
static int
|
||||
base64_encode(char *buf, size_t *buflen, const void *data, size_t size)
|
||||
/*
|
||||
* Fills *buf with max. *buflen characters, encoding size bytes of *data.
|
||||
*
|
||||
* NOTE: *buf space should be at least 1 byte _more_ than *buflen
|
||||
* to hold the trailing '\0'.
|
||||
*
|
||||
* return value : #bytes filled in buf (excluding \0)
|
||||
* sets *buflen to : #bytes encoded from data
|
||||
*/
|
||||
{
|
||||
unsigned char *udata = (unsigned char *) data;
|
||||
int iout = 0; /* to-be-filled output char */
|
||||
int iin = 0; /* one more than last input byte that can be
|
||||
successfully decoded */
|
||||
|
||||
q = buf;
|
||||
for (p = str; *p; p += BLKSIZE_ENC) {
|
||||
/* since the str is const, we unescape in another buf */
|
||||
for (i = 0; i < BLKSIZE_ENC; i++) {
|
||||
block[i] = p[i];
|
||||
}
|
||||
len = decode_token(block, (unsigned char *) q, slen);
|
||||
q += len;
|
||||
slen -= BLKSIZE_ENC;
|
||||
/* Note: Don't bother to optimize manually. GCC optimizes
|
||||
better(!) when using simplistic array indexing. */
|
||||
|
||||
if (len < BLKSIZE_RAW)
|
||||
while (1) {
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
buf[iout] = cb64[((udata[iin] & 0xfc) >> 2)];
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size) {
|
||||
iout--; /* previous char is useless */
|
||||
break;
|
||||
}
|
||||
*q = '\0';
|
||||
buf[iout] = cb64[((udata[iin] & 0x03) << 4) |
|
||||
((iin + 1 < size) ?
|
||||
((udata[iin + 1] & 0xf0) >> 4) : 0)];
|
||||
iin++; /* 0 complete, iin=1 */
|
||||
iout++;
|
||||
|
||||
return q - (unsigned char *) buf;
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
buf[iout] = cb64[((udata[iin] & 0x0f) << 2 ) |
|
||||
((iin + 1 < size) ?
|
||||
((udata[iin + 1] & 0xc0) >> 6) : 0)];
|
||||
iin++; /* 1 complete, iin=2 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin >= size)
|
||||
break;
|
||||
buf[iout] = cb64[(udata[iin] & 0x3f)];
|
||||
iin++; /* 2 complete, iin=3 */
|
||||
iout++;
|
||||
}
|
||||
|
||||
buf[iout] = '\0';
|
||||
|
||||
/* store number of bytes from data that was used */
|
||||
*buflen = iin;
|
||||
|
||||
return iout;
|
||||
}
|
||||
|
||||
#define REV64(x) rev64[(int) (x)]
|
||||
|
||||
static int
|
||||
base64_decode(void *buf, size_t *buflen, const char *str, size_t slen)
|
||||
/*
|
||||
* Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
|
||||
* Decoding stops early when *str contains \0.
|
||||
* Illegal encoded chars are assumed to decode to zero.
|
||||
*
|
||||
* NOTE: *buf space should be at least 1 byte _more_ than *buflen
|
||||
* to hold a trailing '\0' that is added (though *buf will usually
|
||||
* contain full-binary data).
|
||||
*
|
||||
* return value : #bytes filled in buf (excluding \0)
|
||||
*/
|
||||
{
|
||||
unsigned char *ubuf = (unsigned char *) buf;
|
||||
int iout = 0; /* to-be-filled output byte */
|
||||
int iin = 0; /* next input char to use in decoding */
|
||||
|
||||
base64_reverse_init ();
|
||||
|
||||
/* Note: Don't bother to optimize manually. GCC optimizes
|
||||
better(!) when using simplistic array indexing. */
|
||||
|
||||
while (1) {
|
||||
if (iout >= *buflen || iin + 1 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV64(str[iin]) & 0x3f) << 2) |
|
||||
((REV64(str[iin + 1]) & 0x30) >> 4);
|
||||
iin++; /* 0 used up, iin=1 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin + 1 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV64(str[iin]) & 0x0f) << 4) |
|
||||
((REV64(str[iin + 1]) & 0x3c) >> 2);
|
||||
iin++; /* 1 used up, iin=2 */
|
||||
iout++;
|
||||
|
||||
if (iout >= *buflen || iin + 1 >= slen ||
|
||||
str[iin] == '\0' || str[iin + 1] == '\0')
|
||||
break;
|
||||
ubuf[iout] = ((REV64(str[iin]) & 0x03) << 6) |
|
||||
(REV64(str[iin + 1]) & 0x3f);
|
||||
iin += 2; /* 2,3 used up, iin=4 */
|
||||
iout++;
|
||||
}
|
||||
|
||||
ubuf[iout] = '\0';
|
||||
|
||||
return iout;
|
||||
}
|
||||
|
1319
src/client.c
1319
src/client.c
File diff suppressed because it is too large
Load Diff
@ -27,9 +27,11 @@ void client_set_nameserver(const char *cp, int port);
|
||||
void client_set_topdomain(const char *cp);
|
||||
void client_set_password(const char *cp);
|
||||
void set_qtype(char *qtype);
|
||||
char *get_qtype();
|
||||
void set_downenc(char *encoding);
|
||||
void client_set_selecttimeout(int select_timeout);
|
||||
void client_set_lazymode(int lazy_mode);
|
||||
void client_set_hostname_maxlen(int i);
|
||||
|
||||
int client_handshake(int dns_fd, int raw_mode, int autodetect_frag_size, int fragsize);
|
||||
int client_tunnel(int tun_fd, int dns_fd);
|
||||
|
@ -74,6 +74,9 @@ extern const unsigned char raw_header[RAW_HDR_LEN];
|
||||
# define DONT_FRAG_VALUE 1
|
||||
#endif
|
||||
|
||||
#define T_UNSET 65432
|
||||
/* Unused RR type; "private use" range, see http://www.bind9.net/dns-parameters */
|
||||
|
||||
struct packet
|
||||
{
|
||||
int len; /* Total packet length */
|
||||
@ -89,10 +92,12 @@ struct query {
|
||||
unsigned short type;
|
||||
unsigned short rcode;
|
||||
unsigned short id;
|
||||
unsigned short iddupe; /* only used for dupe checking */
|
||||
struct in_addr destination;
|
||||
struct sockaddr from;
|
||||
int fromlen;
|
||||
unsigned short id2;
|
||||
struct sockaddr from2;
|
||||
int fromlen2;
|
||||
};
|
||||
|
||||
enum connection {
|
||||
|
274
src/dns.c
274
src/dns.c
@ -39,6 +39,8 @@
|
||||
#include "encoding.h"
|
||||
#include "read.h"
|
||||
|
||||
int dnsc_use_edns0 = 1;
|
||||
|
||||
#define CHECKLEN(x) if (buflen - (p-buf) < (x)) return 0
|
||||
|
||||
int
|
||||
@ -48,6 +50,7 @@ dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_
|
||||
short name;
|
||||
char *p;
|
||||
int len;
|
||||
int ancnt;
|
||||
|
||||
if (buflen < sizeof(HEADER))
|
||||
return 0;
|
||||
@ -68,7 +71,6 @@ dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_
|
||||
|
||||
switch (qr) {
|
||||
case QR_ANSWER:
|
||||
header->ancount = htons(1);
|
||||
header->qdcount = htons(1);
|
||||
|
||||
name = 0xc000 | ((p - buf) & 0x3fff);
|
||||
@ -81,56 +83,115 @@ dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_
|
||||
putshort(&p, C_IN);
|
||||
|
||||
/* Answer section */
|
||||
|
||||
if (q->type == T_CNAME || q->type == T_A) {
|
||||
/* data is expected to be like "Hblabla.host.name.com\0" */
|
||||
|
||||
char *startp;
|
||||
int namelen;
|
||||
|
||||
CHECKLEN(10);
|
||||
putshort(&p, name);
|
||||
if (q->type == T_A)
|
||||
putshort(&p, T_CNAME); /* answer CNAME to A question */
|
||||
/* answer CNAME to A question */
|
||||
putshort(&p, T_CNAME);
|
||||
else
|
||||
putshort(&p, q->type);
|
||||
putshort(&p, C_IN);
|
||||
putlong(&p, 0); /* TTL */
|
||||
|
||||
if (q->type == T_CNAME || q->type == T_A || q->type == T_MX) {
|
||||
/* data is expected to be like "Hblabla.host.name.com\0" */
|
||||
|
||||
char *startp = p;
|
||||
int namelen;
|
||||
|
||||
startp = p;
|
||||
p += 2; /* skip 2 bytes length */
|
||||
CHECKLEN(2);
|
||||
if (q->type == T_MX)
|
||||
putshort(&p, 10); /* preference */
|
||||
putname(&p, buflen - (p - buf), data);
|
||||
CHECKLEN(0);
|
||||
namelen = p - startp;
|
||||
namelen -= 2;
|
||||
putshort(&startp, namelen);
|
||||
ancnt = 1;
|
||||
} else if (q->type == T_MX || q->type == T_SRV) {
|
||||
/* Data is expected to be like
|
||||
"Hblabla.host.name.com\0Hanother.com\0\0"
|
||||
For SRV, see RFC2782.
|
||||
*/
|
||||
|
||||
char *mxdata = data;
|
||||
char *startp;
|
||||
int namelen;
|
||||
|
||||
ancnt = 1;
|
||||
while (1) {
|
||||
CHECKLEN(10);
|
||||
putshort(&p, name);
|
||||
putshort(&p, q->type);
|
||||
putshort(&p, C_IN);
|
||||
putlong(&p, 0); /* TTL */
|
||||
|
||||
startp = p;
|
||||
p += 2; /* skip 2 bytes length */
|
||||
CHECKLEN(2);
|
||||
putshort(&p, 10 * ancnt); /* preference */
|
||||
|
||||
if (q->type == T_SRV) {
|
||||
/* weight, port (5060 = SIP) */
|
||||
CHECKLEN(4);
|
||||
putshort(&p, 10);
|
||||
putshort(&p, 5060);
|
||||
}
|
||||
|
||||
putname(&p, buflen - (p - buf), mxdata);
|
||||
CHECKLEN(0);
|
||||
namelen = p - startp;
|
||||
namelen -= 2;
|
||||
putshort(&startp, namelen);
|
||||
|
||||
mxdata = mxdata + strlen(mxdata) + 1;
|
||||
if (*mxdata == '\0')
|
||||
break;
|
||||
|
||||
ancnt++;
|
||||
}
|
||||
} else if (q->type == T_TXT) {
|
||||
/* TXT has binary or base-X data */
|
||||
char *startp = p;
|
||||
char *startp;
|
||||
int txtlen;
|
||||
|
||||
CHECKLEN(10);
|
||||
putshort(&p, name);
|
||||
putshort(&p, q->type);
|
||||
putshort(&p, C_IN);
|
||||
putlong(&p, 0); /* TTL */
|
||||
|
||||
startp = p;
|
||||
p += 2; /* skip 2 bytes length */
|
||||
puttxtbin(&p, buflen - (p - buf), data, datalen);
|
||||
CHECKLEN(0);
|
||||
txtlen = p - startp;
|
||||
txtlen -= 2;
|
||||
putshort(&startp, txtlen);
|
||||
ancnt = 1;
|
||||
} else {
|
||||
/* NULL has raw binary data */
|
||||
|
||||
CHECKLEN(10);
|
||||
putshort(&p, name);
|
||||
putshort(&p, q->type);
|
||||
putshort(&p, C_IN);
|
||||
putlong(&p, 0); /* TTL */
|
||||
|
||||
datalen = MIN(datalen, buflen - (p - buf));
|
||||
CHECKLEN(2);
|
||||
putshort(&p, datalen);
|
||||
CHECKLEN(datalen);
|
||||
putdata(&p, data, datalen);
|
||||
CHECKLEN(0);
|
||||
ancnt = 1;
|
||||
}
|
||||
header->ancount = htons(ancnt);
|
||||
break;
|
||||
case QR_QUERY:
|
||||
/* Note that iodined also uses this for forward queries */
|
||||
|
||||
header->qdcount = htons(1);
|
||||
header->arcount = htons(1);
|
||||
|
||||
datalen = MIN(datalen, buflen - (p - buf));
|
||||
putname(&p, datalen, data);
|
||||
@ -141,6 +202,9 @@ dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_
|
||||
|
||||
/* EDNS0 to advertise maximum response length
|
||||
(even CNAME/A/MX, 255+255+header would be >512) */
|
||||
if (dnsc_use_edns0) {
|
||||
header->arcount = htons(1);
|
||||
/*XXX START adjust indent 1 tab forward*/
|
||||
CHECKLEN(11);
|
||||
putbyte(&p, 0x00); /* Root */
|
||||
putshort(&p, 0x0029); /* OPT */
|
||||
@ -148,6 +212,9 @@ dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_
|
||||
putshort(&p, 0x0000); /* Higher bits/edns version */
|
||||
putshort(&p, 0x8000); /* Z */
|
||||
putshort(&p, 0x0000); /* Data length */
|
||||
/*XXX END adjust indent 1 tab forward*/
|
||||
}
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
@ -159,13 +226,14 @@ dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_
|
||||
int
|
||||
dns_encode_ns_response(char *buf, size_t buflen, struct query *q, char *topdomain)
|
||||
/* Only used when iodined gets an NS type query */
|
||||
/* Mostly same as dns_encode_a_response() below */
|
||||
{
|
||||
HEADER *header;
|
||||
int len;
|
||||
short name;
|
||||
short topname;
|
||||
short nsname;
|
||||
char *domain;
|
||||
char *ipp;
|
||||
int domain_len;
|
||||
char *p;
|
||||
|
||||
@ -193,13 +261,16 @@ dns_encode_ns_response(char *buf, size_t buflen, struct query *q, char *topdomai
|
||||
/* pointer to start of name */
|
||||
name = 0xc000 | ((p - buf) & 0x3fff);
|
||||
|
||||
domain = strstr(q->name, topdomain);
|
||||
if (domain) {
|
||||
domain_len = (int) (domain - q->name);
|
||||
} else {
|
||||
domain_len = strlen(q->name) - strlen(topdomain);
|
||||
if (domain_len < 0 || domain_len == 1)
|
||||
return -1;
|
||||
}
|
||||
/* pointer to start of topdomain */
|
||||
if (strcasecmp(q->name + domain_len, topdomain))
|
||||
return -1;
|
||||
if (domain_len >= 1 && q->name[domain_len - 1] != '.')
|
||||
return -1;
|
||||
|
||||
/* pointer to start of topdomain; instead of dots at the end
|
||||
we have length-bytes in front, so total length is the same */
|
||||
topname = 0xc000 | ((p - buf + domain_len) & 0x3fff);
|
||||
|
||||
/* Query section */
|
||||
@ -233,12 +304,72 @@ dns_encode_ns_response(char *buf, size_t buflen, struct query *q, char *topdomai
|
||||
putshort(&p, 4); /* Data length */
|
||||
|
||||
/* ugly hack to output IP address */
|
||||
domain = (char *) &q->destination;
|
||||
ipp = (char *) &q->destination;
|
||||
CHECKLEN(4);
|
||||
putbyte(&p, *domain++);
|
||||
putbyte(&p, *domain++);
|
||||
putbyte(&p, *domain++);
|
||||
putbyte(&p, *domain);
|
||||
putbyte(&p, *(ipp++));
|
||||
putbyte(&p, *(ipp++));
|
||||
putbyte(&p, *(ipp++));
|
||||
putbyte(&p, *ipp);
|
||||
|
||||
len = p - buf;
|
||||
return len;
|
||||
}
|
||||
|
||||
int
|
||||
dns_encode_a_response(char *buf, size_t buflen, struct query *q)
|
||||
/* Only used when iodined gets an A type query for ns.topdomain or www.topdomain */
|
||||
/* Mostly same as dns_encode_ns_response() above */
|
||||
{
|
||||
HEADER *header;
|
||||
int len;
|
||||
short name;
|
||||
char *ipp;
|
||||
char *p;
|
||||
|
||||
if (buflen < sizeof(HEADER))
|
||||
return 0;
|
||||
|
||||
memset(buf, 0, buflen);
|
||||
|
||||
header = (HEADER*)buf;
|
||||
|
||||
header->id = htons(q->id);
|
||||
header->qr = 1;
|
||||
header->opcode = 0;
|
||||
header->aa = 1;
|
||||
header->tc = 0;
|
||||
header->rd = 0;
|
||||
header->ra = 0;
|
||||
|
||||
p = buf + sizeof(HEADER);
|
||||
|
||||
header->qdcount = htons(1);
|
||||
header->ancount = htons(1);
|
||||
|
||||
/* pointer to start of name */
|
||||
name = 0xc000 | ((p - buf) & 0x3fff);
|
||||
|
||||
/* Query section */
|
||||
putname(&p, buflen - (p - buf), q->name); /* Name */
|
||||
CHECKLEN(4);
|
||||
putshort(&p, q->type); /* Type */
|
||||
putshort(&p, C_IN); /* Class */
|
||||
|
||||
/* Answer section */
|
||||
CHECKLEN(12);
|
||||
putshort(&p, name); /* Name */
|
||||
putshort(&p, q->type); /* Type */
|
||||
putshort(&p, C_IN); /* Class */
|
||||
putlong(&p, 3600); /* TTL */
|
||||
putshort(&p, 4); /* Data length */
|
||||
|
||||
/* ugly hack to output IP address */
|
||||
ipp = (char *) &q->destination;
|
||||
CHECKLEN(4);
|
||||
putbyte(&p, *(ipp++));
|
||||
putbyte(&p, *(ipp++));
|
||||
putbyte(&p, *(ipp++));
|
||||
putbyte(&p, *ipp);
|
||||
|
||||
len = p - buf;
|
||||
return len;
|
||||
@ -276,6 +407,7 @@ dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, siz
|
||||
int id;
|
||||
int rv;
|
||||
|
||||
q->id2 = 0;
|
||||
rv = 0;
|
||||
header = (HEADER*)packet;
|
||||
|
||||
@ -324,11 +456,15 @@ dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, siz
|
||||
}
|
||||
|
||||
if (ancount < 1) {
|
||||
/* We may get both CNAME and A, then ancount=2 */
|
||||
/* DNS errors like NXDOMAIN have ancount=0 and
|
||||
stop here. CNAME may also have A; MX/SRV may have
|
||||
multiple results. */
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Assume that first answer is NULL/CNAME that we wanted */
|
||||
/* Here type is still the question type */
|
||||
if (type == T_NULL) {
|
||||
/* Assume that first answer is what we wanted */
|
||||
readname(packet, packetlen, &data, name, sizeof(name));
|
||||
CHECKLEN(10);
|
||||
readshort(packet, &data, &type);
|
||||
@ -336,7 +472,6 @@ dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, siz
|
||||
readlong(packet, &data, &ttl);
|
||||
readshort(packet, &data, &rlen);
|
||||
|
||||
if (type == T_NULL) {
|
||||
rv = MIN(rlen, sizeof(rdata));
|
||||
rv = readdata(packet, &data, rdata, rv);
|
||||
if (rv >= 2 && buf) {
|
||||
@ -346,9 +481,15 @@ dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, siz
|
||||
rv = 0;
|
||||
}
|
||||
}
|
||||
if ((type == T_CNAME || type == T_MX) && buf) {
|
||||
if (type == T_MX)
|
||||
data += 2; /* skip preference */
|
||||
else if ((type == T_A || type == T_CNAME) && buf) {
|
||||
/* Assume that first answer is what we wanted */
|
||||
readname(packet, packetlen, &data, name, sizeof(name));
|
||||
CHECKLEN(10);
|
||||
readshort(packet, &data, &type);
|
||||
readshort(packet, &data, &class);
|
||||
readlong(packet, &data, &ttl);
|
||||
readshort(packet, &data, &rlen);
|
||||
|
||||
memset(name, 0, sizeof(name));
|
||||
readname(packet, packetlen, &data, name, sizeof(name) - 1);
|
||||
name[sizeof(name)-1] = '\0';
|
||||
@ -356,7 +497,74 @@ dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, siz
|
||||
buf[buflen - 1] = '\0';
|
||||
rv = strlen(buf);
|
||||
}
|
||||
if (type == T_TXT && buf) {
|
||||
else if ((type == T_MX || type == T_SRV) && buf) {
|
||||
/* We support 250 records, 250*(255+header) ~= 64kB.
|
||||
Only exact 10-multiples are accepted, and gaps in
|
||||
numbering are not jumped over (->truncated).
|
||||
Hopefully DNS servers won't mess around too much.
|
||||
*/
|
||||
char names[250][QUERY_NAME_SIZE];
|
||||
char *rdatastart;
|
||||
short pref;
|
||||
int i;
|
||||
int offset;
|
||||
|
||||
memset(names, 0, sizeof(names));
|
||||
|
||||
for (i=0; i < ancount; i++) {
|
||||
readname(packet, packetlen, &data, name, sizeof(name));
|
||||
CHECKLEN(12);
|
||||
readshort(packet, &data, &type);
|
||||
readshort(packet, &data, &class);
|
||||
readlong(packet, &data, &ttl);
|
||||
readshort(packet, &data, &rlen);
|
||||
rdatastart = data;
|
||||
readshort(packet, &data, &pref);
|
||||
|
||||
if (type == T_SRV) {
|
||||
/* skip weight, port */
|
||||
data += 4;
|
||||
CHECKLEN(0);
|
||||
}
|
||||
|
||||
if (pref % 10 == 0 && pref >= 10 &&
|
||||
pref < 2500) {
|
||||
readname(packet, packetlen, &data,
|
||||
names[pref / 10 - 1],
|
||||
QUERY_NAME_SIZE - 1);
|
||||
names[pref / 10 - 1][QUERY_NAME_SIZE-1] = '\0';
|
||||
}
|
||||
|
||||
/* always trust rlen, not name encoding */
|
||||
data = rdatastart + rlen;
|
||||
CHECKLEN(0);
|
||||
}
|
||||
|
||||
/* output is like Hname10.com\0Hname20.com\0\0 */
|
||||
offset = 0;
|
||||
i = 0;
|
||||
while (names[i][0] != '\0') {
|
||||
int l = MIN(strlen(names[i]), buflen-offset-2);
|
||||
if (l <= 0)
|
||||
break;
|
||||
memcpy(buf + offset, names[i], l);
|
||||
offset += l;
|
||||
*(buf + offset) = '\0';
|
||||
offset++;
|
||||
i++;
|
||||
}
|
||||
*(buf + offset) = '\0';
|
||||
rv = offset;
|
||||
}
|
||||
else if (type == T_TXT && buf) {
|
||||
/* Assume that first answer is what we wanted */
|
||||
readname(packet, packetlen, &data, name, sizeof(name));
|
||||
CHECKLEN(10);
|
||||
readshort(packet, &data, &type);
|
||||
readshort(packet, &data, &class);
|
||||
readlong(packet, &data, &ttl);
|
||||
readshort(packet, &data, &rlen);
|
||||
|
||||
rv = readtxtbin(packet, &data, rlen, rdata, sizeof(rdata));
|
||||
if (rv >= 1) {
|
||||
rv = MIN(rv, buflen);
|
||||
@ -365,6 +573,8 @@ dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, siz
|
||||
rv = 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* Here type is the answer type (note A->CNAME) */
|
||||
if (q != NULL)
|
||||
q->type = type;
|
||||
break;
|
||||
|
@ -24,8 +24,11 @@ typedef enum {
|
||||
QR_ANSWER = 1
|
||||
} qr_t;
|
||||
|
||||
extern int dnsc_use_edns0;
|
||||
|
||||
int dns_encode(char *, size_t, struct query *, qr_t, char *, size_t);
|
||||
int dns_encode_ns_response(char *buf, size_t buflen, struct query *q, char *topdomain);
|
||||
int dns_encode_a_response(char *buf, size_t buflen, struct query *q);
|
||||
unsigned short dns_get_id(char *packet, size_t packetlen);
|
||||
int dns_decode(char *, size_t, struct query *, qr_t, char *, size_t);
|
||||
|
||||
|
@ -21,13 +21,15 @@
|
||||
int
|
||||
build_hostname(char *buf, size_t buflen,
|
||||
const char *data, const size_t datalen,
|
||||
const char *topdomain, struct encoder *encoder)
|
||||
const char *topdomain, struct encoder *encoder, int maxlen)
|
||||
{
|
||||
int encsize;
|
||||
size_t space;
|
||||
char *b;
|
||||
|
||||
space = MIN(0xFF, buflen) - strlen(topdomain) - 7;
|
||||
space = MIN(maxlen, buflen) - strlen(topdomain) - 8;
|
||||
/* 8 = 5 max header length + 1 dot before topdomain + 2 safety */
|
||||
|
||||
if (!encoder->places_dots())
|
||||
space -= (space / 57); /* space for dots */
|
||||
|
||||
|
@ -17,6 +17,13 @@
|
||||
#ifndef _ENCODING_H_
|
||||
#define _ENCODING_H_
|
||||
|
||||
/* All-0, all-1, 01010101, 10101010: each 4 times to make sure the pattern
|
||||
spreads across multiple encoded chars -> 16 bytes total.
|
||||
Followed by 32 bytes from my /dev/random; should be enough.
|
||||
*/
|
||||
#define DOWNCODECCHECK1 "\000\000\000\000\377\377\377\377\125\125\125\125\252\252\252\252\201\143\310\322\307\174\262\027\137\117\316\311\111\055\122\041\141\251\161\040\045\263\006\163\346\330\104\060\171\120\127\277"
|
||||
#define DOWNCODECCHECK1_LEN 48
|
||||
|
||||
struct encoder {
|
||||
char name[8];
|
||||
int (*encode) (char *, size_t *, const void *, size_t);
|
||||
@ -27,7 +34,7 @@ struct encoder {
|
||||
int (*blocksize_encoded)(void);
|
||||
};
|
||||
|
||||
int build_hostname(char *, size_t, const char *, const size_t, const char *, struct encoder *);
|
||||
int build_hostname(char *, size_t, const char *, const size_t, const char *, struct encoder *, int);
|
||||
int unpack_data(char *, size_t, char *, size_t, struct encoder *);
|
||||
int inline_dotify(char *, size_t);
|
||||
int inline_undotify(char *, size_t);
|
||||
|
43
src/iodine.c
43
src/iodine.c
@ -61,7 +61,7 @@ usage() {
|
||||
extern char *__progname;
|
||||
|
||||
fprintf(stderr, "Usage: %s [-v] [-h] [-f] [-r] [-u user] [-t chrootdir] [-d device] "
|
||||
"[-P password] [-m maxfragsize] [-T type] [-O enc] [-L 0|1] [-I sec] "
|
||||
"[-P password] [-m maxfragsize] [-M maxlen] [-T type] [-O enc] [-L 0|1] [-I sec] "
|
||||
"[-z context] [-F pidfile] [nameserver] topdomain\n", __progname);
|
||||
exit(2);
|
||||
}
|
||||
@ -72,21 +72,25 @@ help() {
|
||||
|
||||
fprintf(stderr, "iodine IP over DNS tunneling client\n");
|
||||
fprintf(stderr, "Usage: %s [-v] [-h] [-f] [-r] [-u user] [-t chrootdir] [-d device] "
|
||||
"[-P password] [-m maxfragsize] [-T type] [-O enc] [-L 0|1] [-I sec] "
|
||||
"[-P password] [-m maxfragsize] [-M maxlen] [-T type] [-O enc] [-L 0|1] [-I sec] "
|
||||
"[-z context] [-F pidfile] [nameserver] topdomain\n", __progname);
|
||||
fprintf(stderr, "Options to try if connection doesn't work:\n");
|
||||
fprintf(stderr, " -T force dns type: NULL, TXT, SRV, MX, CNAME, A (default: autodetect)\n");
|
||||
fprintf(stderr, " -O force downstream encoding for -T other than NULL: Base32, Base64, Base64u,\n");
|
||||
fprintf(stderr, " Base128, or (only for TXT:) Raw (default: autodetect)\n");
|
||||
fprintf(stderr, " -I max interval between requests (default 4 sec) to prevent DNS timeouts\n");
|
||||
fprintf(stderr, " -L 1: use lazy mode for low-latency (default). 0: don't (implies -I1)\n");
|
||||
fprintf(stderr, " -m max size of downstream fragments (default: autodetect)\n");
|
||||
fprintf(stderr, " -M max size of upstream hostnames (~100-255, default: 255)\n");
|
||||
fprintf(stderr, " -r to skip raw UDP mode attempt\n");
|
||||
fprintf(stderr, " -P password used for authentication (max 32 chars will be used)\n");
|
||||
fprintf(stderr, "Other options:\n");
|
||||
fprintf(stderr, " -v to print version info and exit\n");
|
||||
fprintf(stderr, " -h to print this help and exit\n");
|
||||
fprintf(stderr, " -f to keep running in foreground\n");
|
||||
fprintf(stderr, " -r to skip raw UDP mode attempt\n");
|
||||
fprintf(stderr, " -u name to drop privileges and run as user 'name'\n");
|
||||
fprintf(stderr, " -t dir to chroot to directory dir\n");
|
||||
fprintf(stderr, " -d device to set tunnel device name\n");
|
||||
fprintf(stderr, " -P password used for authentication (max 32 chars will be used)\n");
|
||||
fprintf(stderr, " -m maxfragsize, to limit size of downstream packets\n");
|
||||
fprintf(stderr, " -T dns type: NULL (default, fastest), TXT, CNAME, A (CNAME answer), MX\n");
|
||||
fprintf(stderr, " -O downstream encoding (!NULL): Base32(default), Base64, or Raw (only TXT)\n");
|
||||
fprintf(stderr, " -L 1: try lazy mode for low-latency (default). 0: don't (implies -I1)\n");
|
||||
fprintf(stderr, " -I max interval between requests (default 4 sec) to prevent server timeouts\n");
|
||||
fprintf(stderr, " -z context, to apply specified SELinux context after initialization\n");
|
||||
fprintf(stderr, " -F pidfile to write pid to a file\n");
|
||||
fprintf(stderr, "nameserver is the IP number/hostname of the relaying nameserver. if absent, /etc/resolv.conf is used\n");
|
||||
@ -131,6 +135,7 @@ main(int argc, char **argv)
|
||||
int raw_mode;
|
||||
int lazymode;
|
||||
int selecttimeout;
|
||||
int hostname_maxlen;
|
||||
|
||||
nameserv_addr = NULL;
|
||||
topdomain = NULL;
|
||||
@ -152,6 +157,7 @@ main(int argc, char **argv)
|
||||
raw_mode = 1;
|
||||
lazymode = 1;
|
||||
selecttimeout = 4;
|
||||
hostname_maxlen = 0xFF;
|
||||
|
||||
#ifdef WINDOWS32
|
||||
WSAStartup(req_version, &wsa_data);
|
||||
@ -168,7 +174,7 @@ main(int argc, char **argv)
|
||||
__progname++;
|
||||
#endif
|
||||
|
||||
while ((choice = getopt(argc, argv, "vfhru:t:d:P:m:F:T:O:L:I:")) != -1) {
|
||||
while ((choice = getopt(argc, argv, "vfhru:t:d:P:m:M:F:T:O:L:I:")) != -1) {
|
||||
switch(choice) {
|
||||
case 'v':
|
||||
version();
|
||||
@ -203,6 +209,13 @@ main(int argc, char **argv)
|
||||
autodetect_frag_size = 0;
|
||||
max_downstream_frag_size = atoi(optarg);
|
||||
break;
|
||||
case 'M':
|
||||
hostname_maxlen = atoi(optarg);
|
||||
if (hostname_maxlen > 255)
|
||||
hostname_maxlen = 255;
|
||||
if (hostname_maxlen < 10)
|
||||
hostname_maxlen = 10;
|
||||
break;
|
||||
case 'z':
|
||||
context = optarg;
|
||||
break;
|
||||
@ -283,6 +296,7 @@ main(int argc, char **argv)
|
||||
client_set_selecttimeout(selecttimeout);
|
||||
client_set_lazymode(lazymode);
|
||||
client_set_topdomain(topdomain);
|
||||
client_set_hostname_maxlen(hostname_maxlen);
|
||||
|
||||
if (username != NULL) {
|
||||
#ifndef WINDOWS32
|
||||
@ -315,17 +329,20 @@ main(int argc, char **argv)
|
||||
signal(SIGINT, sighandler);
|
||||
signal(SIGTERM, sighandler);
|
||||
|
||||
fprintf(stderr, "Sending DNS queries for %s to %s\n",
|
||||
topdomain, nameserv_addr);
|
||||
|
||||
if (client_handshake(dns_fd, raw_mode, autodetect_frag_size, max_downstream_frag_size)) {
|
||||
retval = 1;
|
||||
goto cleanup2;
|
||||
}
|
||||
|
||||
if (client_get_conn() == CONN_DNS_NULL) {
|
||||
fprintf(stderr, "Sending queries for %s to %s\n", topdomain, nameserv_addr);
|
||||
} else {
|
||||
if (client_get_conn() == CONN_RAW_UDP) {
|
||||
fprintf(stderr, "Sending raw traffic directly to %s\n", client_get_raw_addr());
|
||||
}
|
||||
|
||||
fprintf(stderr, "Connection setup complete, transmitting data.\n");
|
||||
|
||||
if (foreground == 0)
|
||||
do_detach();
|
||||
|
||||
|
698
src/iodined.c
698
src/iodined.c
File diff suppressed because it is too large
Load Diff
16
src/user.h
16
src/user.h
@ -24,7 +24,14 @@
|
||||
lead to massive dropping in multi-user situations with high traffic. */
|
||||
|
||||
#define DNSCACHE_LEN 4
|
||||
/* Undefine to disable. MUST be less than 7; also see comments in iodined.c */
|
||||
/* Undefine to disable. Should be less than 18; also see comments in iodined.c */
|
||||
|
||||
|
||||
#define QMEMPING_LEN 30
|
||||
/* Max advisable: 64k/2 = 32000. Total mem usage: QMEMPING_LEN * USERS * 6 bytes */
|
||||
|
||||
#define QMEMDATA_LEN 15
|
||||
/* Max advisable: 36/2 = 18. Total mem usage: QMEMDATA_LEN * USERS * 6 bytes */
|
||||
|
||||
struct user {
|
||||
char id;
|
||||
@ -35,7 +42,6 @@ struct user {
|
||||
in_addr_t tun_ip;
|
||||
struct in_addr host;
|
||||
struct query q;
|
||||
struct query q_prev;
|
||||
struct query q_sendrealsoon;
|
||||
int q_sendrealsoon_new;
|
||||
struct packet inpacket;
|
||||
@ -48,6 +54,12 @@ struct user {
|
||||
int fragsize;
|
||||
enum connection conn;
|
||||
int lazy;
|
||||
unsigned char qmemping_cmc[QMEMPING_LEN * 4];
|
||||
unsigned short qmemping_type[QMEMPING_LEN];
|
||||
int qmemping_lastfilled;
|
||||
unsigned char qmemdata_cmc[QMEMDATA_LEN * 4];
|
||||
unsigned short qmemdata_type[QMEMDATA_LEN];
|
||||
int qmemdata_lastfilled;
|
||||
#ifdef OUTPACKETQ_LEN
|
||||
struct packet outpacketq[OUTPACKETQ_LEN];
|
||||
int outpacketq_nexttouse;
|
||||
|
@ -19,7 +19,7 @@
|
||||
|
||||
/* This is the version of the network protocol
|
||||
It is usually equal to the latest iodine version number */
|
||||
#define VERSION 0x00000501
|
||||
#define VERSION 0x00000502
|
||||
|
||||
#endif /* _VERSION_H_ */
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user