Showing preview only (398K chars total). Download the full file or copy to clipboard to get everything.
Repository: yarrick/iodine
Branch: master
Commit: 517d7298b084
Files: 66
Total size: 379.2 KB
Directory structure:
gitextract_5r1bs810/
├── .github/
│ └── workflows/
│ ├── freebsd.yml
│ ├── macos.yml
│ ├── openbsd.yml
│ ├── ubuntu.yml
│ └── windows.yml
├── .gitignore
├── .vimrc
├── CHANGELOG
├── LICENSE
├── Makefile
├── README-android.txt
├── README-win32.txt
├── README.md
├── doc/
│ ├── iodine-server.service
│ ├── iodine-server.socket
│ ├── iodine.te
│ ├── proto_00000402.txt
│ ├── proto_00000500.txt
│ └── proto_00000502.txt
├── man/
│ └── iodine.8
├── src/
│ ├── Android.16.mk
│ ├── Android.mk
│ ├── Makefile
│ ├── android_dns.h
│ ├── base128.c
│ ├── base32.c
│ ├── base64.c
│ ├── client.c
│ ├── client.h
│ ├── common.c
│ ├── common.h
│ ├── dns.c
│ ├── dns.h
│ ├── encoding.c
│ ├── encoding.h
│ ├── fw_query.c
│ ├── fw_query.h
│ ├── iodine.c
│ ├── iodined.c
│ ├── login.c
│ ├── login.h
│ ├── md5.c
│ ├── md5.h
│ ├── osflags
│ ├── read.c
│ ├── read.h
│ ├── tun.c
│ ├── tun.h
│ ├── user.c
│ ├── user.h
│ ├── util.c
│ ├── util.h
│ ├── version.h
│ └── windows.h
└── tests/
├── Makefile
├── base32.c
├── base64.c
├── common.c
├── dns.c
├── encoding.c
├── fw_query.c
├── login.c
├── read.c
├── test.c
├── test.h
└── user.c
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/workflows/freebsd.yml
================================================
name: freebsd
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: make
uses: vmactions/freebsd-vm@v1.2.0
with:
prepare: |
pkg install -y \
devel/check \
devel/git \
devel/pkgconf
run: |
make
make test
================================================
FILE: .github/workflows/macos.yml
================================================
name: macos
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
permissions:
contents: read
jobs:
build:
runs-on: macos-latest
steps:
- uses: actions/checkout@v4
- name: make
run: make
- name: install check
run: brew install check
- name: run tests
run: make test
================================================
FILE: .github/workflows/openbsd.yml
================================================
name: openbsd
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: make
uses: vmactions/openbsd-vm@v1.1.8
with:
prepare: |
pkg_add \
check \
git \
pkgconf
run: |
make
make test
================================================
FILE: .github/workflows/ubuntu.yml
================================================
name: ubuntu
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: make
run: make
- name: install check
run: sudo apt install check
- name: run tests
run: make test
build-android:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: nttld/setup-ndk@v1
with:
ndk-version: r21e
- name: make
run: make cross-android
================================================
FILE: .github/workflows/windows.yml
================================================
name: windows
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
permissions:
contents: read
jobs:
build:
runs-on: windows-latest
defaults:
run:
shell: msys2 {0}
steps:
- uses: actions/checkout@v4
- uses: msys2/setup-msys2@v2
with:
msystem: MINGW64
update: false
install: git make mingw-w64-x86_64-toolchain mingw-w64-x86_64-zlib
- name: make
run: make TARGETOS=windows32
================================================
FILE: .gitignore
================================================
/bin/
*.o
/src/base64u.c
/src/base64u.h
/tests/test
*.o.d
/src/obj/local/*/iodine
/src/libs/*/iodine
================================================
FILE: .vimrc
================================================
set noexpandtab
set tabstop=8
set softtabstop=8
set shiftwidth=8
================================================
FILE: CHANGELOG
================================================
iodine - https://code.kryo.se/iodine
************************************
CHANGES:
master:
- Changed deprecated tzsetwall() to tzset() (only used by FreeBSD),
patch by Pouria Mousavizadeh Tehrani.
- Now builds on macOS even without if_utun.h (pre 10.6).
2023-04-17: 0.8.0 "Burning Snowman"
- Mac OS X: Support native utun VPN devices. Patch by
Peter Sagerson, ported from OpenVPN by Catalin Patulea.
- Fix compilation failure on kFreeBSD and Hurd, by Gregor Herrmann
- Patch from Ryan Welton that fixes compilation warning.
- README converted to markdown by Nicolas Braud-Santoni.
- Linux: use pkg-config for systemd support flags.
Patch by Jason A. Donenfeld.
- Add support for IPv6 in the server.
Raw mode will be with same protocol as used for login.
Traffic inside tunnel is still IPv4.
- Update android build to try to support 5.0 (Lollipop) and newer.
- Change external IP lookup to using myip.opendns.com via DNS.
- Add option to choose IPv4 listen address from external IP lookup.
- Add server support for handling multiple domains via wildcard.
- Recognize tap device component id 'root' prefix on Windows.
2014-06-16: 0.7.0 "Kryoptonite"
- Partial IPv6 support (#107)
Client can connect to iodined through an relaying IPv6
nameserver. Server only supports IPv4 for now.
Traffic inside tunnel is IPv4.
- Add socket activation for systemd, by Michael Scherer.
- Add automated lookup of external ip (via -n auto).
- Bugfix for OS X (Can't assign requested address)
- Fix DNS tunneling bug caused by uninitialized variable, #94
- Handle spaces when entering password interactively, fixes #93.
Patch by Hagar.
- Add -R option to set OpenBSD routing domain for the DNS socket.
Patch by laurent at gouloum fr, fixes #95.
- Add android patches and makefile, from Marcel Bokhorst, fixes #105.
- Added missing break in iodine.c, by Pavel Pergamenshchik, #108.
- A number of minor patches from Frank Denis, Gregor Herrmann and
Barak A. Pearlmutter.
- Testcase compilation fixes for OS X and FreeBSD
- Do not let sockets be inherited by sub-processes, fixes #99.
- Add unspecified RR type (called PRIVATE; id 65399, in private use
range). For servers with RFC3597 support. Fixes #97.
- Fix authentication bypass vulnerability; found by Oscar Reparaz.
2010-02-06: 0.6.0-rc1 "Hotspotify"
- Fixed tunnel not working on Windows.
- Any device name is now supported on Windows, fixes #47.
- Multiple installed TAP32 interfaces are now supported, fixes #46.
- Return nonzero if tunnel fails to open, fixes #62.
- Support for setting a SELinux context, based on patch by
Sebastien Raveau. Sample context file in doc/iodine.te
- Allow listen port and DNS forward port to be the same if listen IP
does not include localhost.
- The client will now exit if configuring IP or MTU fails.
- The starting cache miss value is randomized at startup, fixes #65.
- Raw UDP mode added. If the iodined server is reachable directly,
packets can be sent to it without DNS encoding. Fixes #36.
- Do not overwrite users CC/CFLAGS/LDFLAGS, only add to them.
- Added -F option to write pidfile, based on patch from
misc at mandriva.org. Fixes #70.
- Allow password to be set via environment variable, fixes #77.
Based on patch by logix.
- Client now prints server tunnel IP, fixes #78. Patch by logix.
- Fix build error on Mac OS X 10.6, patch by G. Rischard. #79.
- Added support for CNAME/TXT/A/MX query types, fixes #75.
Patch by Anne Bezemer, merge help by logix.
- Merged low-latency patch from Anne Bezemer, fixes #76.
- Resolve client nameserver argument if given as hostname, fixes #82.
- Open log before chroot, fixes #86: logging on FreeBSD.
- Merged big bugfix patch from Anne Bezemer, #88.
2009-06-01: 0.5.2 "WifiFree"
- Fixed client segfault on OS X, #57
- Added check that nameserver lookup was successful
- Fixed ENOTSOCK error on OS X and FreeBSD, #58.
2009-03-21: 0.5.1 "Boringo"
- Added initial Windows support, fixes #43.
- Added length check of autoprobe responses
- Refactored and added unit tests
- Added syslog logging for iodined on version and login packets
- Fixed segfault when encoding just one block, fixes #51.
The normal code was never affected by this.
- Added win32 code to read DNS server from system, fixes #45.
- Disabled password echo on win32, fixes #44.
- Fix encoding error making all autoprobing > 1024 bytes fail, #52.
- Increase default interface MTU to 1200.
- Fix autoprobing error making every third probe fail, set IP flag
Dont-Fragment where supported. Fixes #54.
- Added TAP32 version 0901 as accepted (#53).
2009-01-23: 0.5.0 "iPassed"
- Fixed segfault in server when sending version reject.
- Applied patch to make iodine build on BeOS R5-BONE and Haiku,
from Francois Revol. Still work to do to get tun device working.
- Added capability to forward DNS queries outside tunnel domain to
a nameserver on localhost. Use -b port to enable, fixes #31.
- iodined now replies to NS request on its own domain, fixes issue #33.
The destination IP address is sent as reply. Use -n to specify
a specific IP address to return (if behind NAT etc).
- Upstream data is now Base64 encoded if relay server preserves case and
supports the plus (+) character in domain names, fixes #16.
- Fixed problem in client when DNS trans. ID has highest bit set (#37)
- IP addresses are now assigned within the netmask, so iodined can
use any address for itself, fixes #28.
- Netmask size is now adjustable. Setting a small net will reduce the
number of users. Use x.x.x.x/n notation on iodined tunnel ip.
This fixes #27.
- Downstream data is now fragmented, and the fragment size is auto-
probed after login. Fixes #7. It only took a few years :)
- Enhanced the checks that validates incoming packets
- Fixed endless loop in fragment size autodetection, #39.
- Fixed broken hostname dot placing with specific lengths, #40.
2008-08-06: 0.4.2 "Opened Zone"
- Applied a few small patches from Maxim Bourmistrov and Gregor Herrmann
- Applied a patch for not creating and configuring the tun interface,
Debian bug #477692 by Vincent Bernat, controlled by -s switch
- Applied a security patch from Andrew Griffiths, use setgroups() to
limit the groups of the user
- Applied a patch to make iodine build on (Open)Solaris, from Albert Lee
Needs TUN/TAP driver http://www.whiteboard.ne.jp/~admin2/tuntap/
Still needs more code in tun.c for opening/closing the device
- Added option in server (-c) to disable IP/port checking on packets,
will hopefully help when server is behind NAT
- Fixed bug #21, now only IP address part of each packet is checked.
Should remove the need for the -c option and also work with
bugfixed DNS servers worldwide.
- Added -D option on server to enable debugging. Debug level 1 now
prints info about each RX/TX datagram.
2007-11-30: 0.4.1 "Tea Online"
- Introduced encoding API
- Switched to new Base32 implementation
- Added Base64 implementation that only uses 63 chars (not used yet)
- Refined 'install' make target and use $(MAKE) for recursive calls
- All received error messages (RCODE field) are echoed
- Top domain limited to 128 chars
- Case preservation check sent after login to decide codec
- Fixed crash on incoming NULL query in server with bad top domain
- /etc/resolv.conf is consulted if no nameserver is given on commandline
- Applied patch from Matthew W. S. Bell (Detach before chroot/dropping priv)
2007-03-25: 0.4.0 "Run Home"
- Added multiuser support (up to 8 users simultaneously)
- Added authentication (password entered as argument or on stdin)
- Added manpage
- Added install/uninstall make target
- Cleanup of dns code, more test cases, use check library
- Changed directory structure
2006-11-08: 0.3.4
- Fixed handshake() buffer overflow
(Found by poplix, Secunia: SA22674 / FrSIRT/ADV-2006-4333)
- Added more tests
- More name parsing enhancements
- Now runs on Linux/AMD64
- Added setting to change server port
2006-11-05: 0.3.3
- Fixed possible buffer overflow
(Found by poplix, Bugtraq ID: 20883)
- Reworked dns hostname encoding
2006-09-11: 0.3.2
- Support for NetBSD
- Fixed potential security problems
- Name parsing routines rewritten, added regression tests
- New encoding, 25% more peak upstream throughput
- New -l option to set local ip to listen to on server
2006-07-11: 0.3.1
- Add Mac OSX support
- Add setting device name
- Use compression of domain name in reply (should allow setting MTU
approx 200 bytes higher)
2006-06-24: 0.3.0
- First public release
- Support for Linux, FreeBSD, OpenBSD
================================================
FILE: LICENSE
================================================
Copyright (c) 2006-2020 iodine authors
Permission to use, copy, modify, and/or distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright notice
and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
================================================
FILE: Makefile
================================================
prefix?=/usr/local
sbindir=$(prefix)/sbin
datadir=$(prefix)/share
mandir=$(datadir)/man
docdir=$(datadir)/doc
DESTDIR=
INSTALL=install
INSTALL_FLAGS=
MKDIR=mkdir
MKDIR_FLAGS=-p
RM=rm
RM_FLAGS=-f
TARGETOS = `uname`
all:
@$(MAKE) -C src TARGETOS=$(TARGETOS) all
install: all
$(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(sbindir)
$(INSTALL) $(INSTALL_FLAGS) bin/iodine $(DESTDIR)$(sbindir)/iodine
chmod 755 $(DESTDIR)$(sbindir)/iodine
$(INSTALL) $(INSTALL_FLAGS) bin/iodined $(DESTDIR)$(sbindir)/iodined
chmod 755 $(DESTDIR)$(sbindir)/iodined
$(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(mandir)/man8
$(INSTALL) $(INSTALL_FLAGS) man/iodine.8 $(DESTDIR)$(mandir)/man8/iodine.8
chmod 644 $(DESTDIR)$(mandir)/man8/iodine.8
$(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(docdir)/iodine
$(INSTALL) $(INSTALL_FLAGS) README.md $(DESTDIR)$(docdir)/iodine/README.md
chmod 644 $(DESTDIR)$(docdir)/iodine/README.md
uninstall:
$(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodine
$(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodined
$(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine.8
test: all
@echo "!! The check library is required for compiling and running the tests"
@echo "!! Get it at https://libcheck.github.io/check/"
@$(MAKE) -C tests TARGETOS=$(TARGETOS) all
clean:
@echo "Cleaning..."
@$(MAKE) -C src clean
@$(MAKE) -C tests clean
@rm -rf bin iodine-latest*
#Helper target for windows/android zipfiles
iodine-latest:
@rm -rf iodine-latest*
@mkdir -p iodine-latest
@echo "Create date: " > iodine-latest/VERSION.txt
@LANG=en_US date >> iodine-latest/VERSION.txt
@echo "Git version: " >> iodine-latest/VERSION.txt
@git rev-parse HEAD >> iodine-latest/VERSION.txt
@for i in README.md CHANGELOG; do cp $$i iodine-latest/$$i.txt; done
@unix2dos iodine-latest/*
#non-PIE build for old android
cross-android-old:
@$(MAKE) -C src base64u.c
@(cd src && ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=Android.mk APP_PLATFORM=android-3)
#Position-indepedent build for modern android
cross-android:
@$(MAKE) -C src base64u.c
@(cd src && ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=Android.16.mk APP_PLATFORM=android-16)
iodine-latest-android.zip: iodine-latest
@mv iodine-latest iodine-latest-android
@mkdir -p iodine-latest-android/pre-kitkat/armeabi
@mkdir -p iodine-latest-android/pre-kitkat/x86
@$(MAKE) cross-android-old TARGET_ARCH_ABI=armeabi
@cp src/libs/armeabi/* iodine-latest-android/pre-kitkat/armeabi
@$(MAKE) cross-android-old TARGET_ARCH_ABI=x86
@cp src/libs/x86/* iodine-latest-android/pre-kitkat/x86
@rm -rf src/libs src/obj
@mkdir -p iodine-latest-android/armeabi
@mkdir -p iodine-latest-android/arm64-v8a
@mkdir -p iodine-latest-android/x86
@$(MAKE) cross-android TARGET_ARCH_ABI=armeabi
@cp src/libs/armeabi/* iodine-latest-android/armeabi
@$(MAKE) cross-android TARGET_ARCH_ABI=arm64-v8a
@cp src/libs/arm64-v8a/* iodine-latest-android/arm64-v8a
@$(MAKE) cross-android TARGET_ARCH_ABI=x86
@cp src/libs/x86/* iodine-latest-android/x86
@cp README-android.txt iodine-latest-android
@zip -r iodine-latest-android.zip iodine-latest-android
cross-mingw32:
@$(MAKE) -C src TARGETOS=windows32 CC=i686-w64-mingw32-gcc all
cross-mingw64:
@$(MAKE) -C src TARGETOS=windows32 CC=x86_64-w64-mingw32-gcc all
iodine-latest-windows.zip: iodine-latest
@mv iodine-latest iodine-latest-windows
@mkdir -p iodine-latest-windows/64bit iodine-latest-windows/32bit
@$(MAKE) -C src TARGETOS=windows32 CC=i686-w64-mingw32-gcc clean all
@i686-w64-mingw32-strip bin/iodine*
@for i in `ls bin`; do cp bin/$$i iodine-latest-windows/32bit/$$i.exe; done
@cp /usr/i686-w64-mingw32/sys-root/mingw/bin/zlib1.dll iodine-latest-windows/32bit
@$(MAKE) -C src TARGETOS=windows32 CC=x86_64-w64-mingw32-gcc clean all
@x86_64-w64-mingw32-strip bin/iodine*
@for i in `ls bin`; do cp bin/$$i iodine-latest-windows/64bit/$$i.exe; done
@cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/zlib1.dll iodine-latest-windows/64bit
@cp README-win32.txt iodine-latest-windows
@zip -r iodine-latest-windows.zip iodine-latest-windows
================================================
FILE: README-android.txt
================================================
iodine - https://code.kryo.se/iodine
***********************************
Extra README file for Android
== Running iodine on Android:
1. Get root access on your android device
2. Find/build a compatible tun.ko for your specific Android kernel
3. Copy tun.ko and the iodine binary to your device:
(Almost all devices need the armeabi binary. Only Intel powered
ones need the x86 build.)
adb push tun.ko /data/local/tmp
adb push iodine /data/local/tmp
adb shell
su
cd /data/local/tmp
chmod 777 iodine
4. Run iodine (see the man page for parameters)
./iodine ...
For more information: http://blog.bokhorst.biz/5123
== Building iodine for Android:
1. Download and install the Android SDK and NDK
2. Download and unpack the iodine sources
3. Build:
cd src
make base64u.h base64u.c
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=Android.16.mk APP_PLATFORM=android-16
or run "make cross-android" in the iodine root directory.
To build for other archs, specify TARGET_ARCH_ABI:
"make cross-android TARGET_ARCH_ABI=x86"
For older android versions (pre-kitkat), build with "make cross-android-old" in the
root directory, or manually like above but with APP_PLATFORM=android-3 and with
APP_BUILD_SCRIPT=Android.mk
The iodine binary ends up in src/libs/<arch>/iodine
================================================
FILE: README-win32.txt
================================================
iodine - https://code.kryo.se/iodine
***********************************
Extra README file for Win32 related stuff
== Running iodine on Windows:
0. After iodine 0.6, you need Windows XP or newer to run.
1. Install the TAP driver
https://openvpn.net/index.php/open-source/downloads.html
Download the OpenVPN TAP driver (under section Tap-windows)
Problems has been reported with the NDIS6 version (9.2x.y), use the
NDIS5 version for now if possible.
2. Have at least one TAP32 interface installed. There are scripts for adding
and removing in the OpenVPN bin directory. If you have more than one
installed, use -d to specify which. Use double quotes if you have spaces,
example: iodine.exe -d "Local Area Connection 4" abc.ab
3. Make sure the interface you want to use does not have a default gateway set.
4. Run iodine/iodined as normal (see the main README file).
You may have to run it as administrator depending on user privileges.
5. Enjoy!
== Building on Windows:
You need:
MinGW, MSYS, GCC, zlib
Then just run make
== Cross-compiling for MinGW:
You need:
MinGW crosscompiler, crosscompiled zlib
Then run "make cross-mingw"
Note that the binaries will not get a .exe suffix
== Zlib download
You can get zlib for MinGW here (both for native and crosscompile):
https://code.kryo.se/iodine/deps/zlib.zip
Unzip it in your MinGW directory on Windows or in $ROOT/usr for
cross-compile.
== Results of crappy Win32 API:
The following fixable limitations apply:
- Server cannot read packet destination address
The following (probably) un-fixable limitations apply:
- A password entered as -P argument can be shown in process list
- Priviligies cannot be dropped
- chroot() cannot be used
- Detaching from terminal not possible
- Server on windows must be run with /30 netmask
- Client can only talk to server, not other clients
================================================
FILE: README.md
================================================
iodine - <https://code.kryo.se/iodine>
=====================================
This is a piece of software that lets you tunnel IPv4 data through a DNS
server. This can be usable in different situations where internet access is
firewalled, but DNS queries are allowed.
COMPILING
---------
Iodine has no configure script. There are two optional features for Linux
(SELinux and systemd support) that will be enabled automatically if the
relevant header files are found in `/usr/include`.
(See script at `./src/osflags`)
Run `make` to compile the server and client binaries.
Run `make install` to copy binaries and manpage to the destination directory.
Run `make test` to compile and run the unit tests. (Requires the `check` library)
QUICKSTART
----------
Try it out within your own LAN! Follow these simple steps:
- On your server, run: `./iodined -f 10.0.0.1 test.com`.
If you already use the `10.0.0.0` network, use another internal net like
`172.16.0.0`.
- Enter a password.
- On the client, run: `./iodine -f -r 192.168.0.1 test.com`.
Replace `192.168.0.1` with your server's ip address.
- Enter the same password.
- Now the client has the tunnel ip `10.0.0.2` and the server has `10.0.0.1`.
- Try pinging each other through the tunnel.
- Done! :)
To actually use it through a relaying nameserver, see below.
HOW TO USE
----------
Note: server and client are required to speak the exact same protocol. In most
cases, this means running the same iodine version. Unfortunately, implementing
backward and forward protocol compatibility is usually not feasible.
### Server side
To use this tunnel, you need control over a real domain (like `mydomain.com`),
and a server with a public IP address to run `iodined` on. If this server
already runs a DNS program, change its listening port and then use `iodined`'s
`-b` option to let `iodined` forward the DNS requests. (Note that this procedure
is not advised in production environments, because `iodined`'s DNS forwarding
is not completely transparent, for example zone transfers will not work.)
Alternatively you can forward the subdomain from your DNS server to `iodined`
which must then run on a different port (`-p`).
Then, delegate a subdomain (say, `t1.mydomain.com`) to the iodined server.
If you use BIND for your domain, add two lines like these to the zone file:
t1 IN NS t1ns.mydomain.com. ; note the dot!
t1ns IN A 10.15.213.99
The `NS` line is all that's needed to route queries for the `t1` subdomain
to the `t1ns` server. We use a short name for the subdomain, to keep as much
space as possible available for the data traffic. At the end of the `NS` line
is the name of your `iodined` server. This can be any name, pointing anywhere,
but in this case it's easily kept in the same zone file. It must be a name
(not an IP address), and that name itself must have an `A` record
(not a `CNAME`).
If your `iodined` server has a dynamic IP, use a dynamic DNS provider. Simply
point the `NS` line to it, and leave the `A` line out:
t1 IN NS myname.mydyndnsprovider.com. ; note the dot!
Then reload or restart your nameserver program. Now any DNS queries for
domains ending in `t1.mydomain.com` will be sent to your `iodined` server.
Finally start `iodined` on your server. The first argument is the IP address
inside the tunnel, which can be from any range that you don't use yet (for
example `192.168.99.1`), and the second argument is the assigned domain (in this
case `t1.mydomain.com`). Using the `-f` option will keep iodined running in the
foreground, which helps when testing. iodined will open a virtual interface
("tun device"), and will also start listening for DNS queries on UDP port 53.
Either enter a password on the commandline (`-P pass`) or after the server has
started. Now everything is ready for the client.
If there is a chance you'll be using an iodine tunnel from unexpected
environments, start `iodined` with a `-c` option.
Resulting commandline in this example situation:
./iodined -f -c -P secretpassword 192.168.99.1 t1.mydomain.com
### Client side
All the setup is done, just start `iodine`. It takes one or two arguments, the
first is the local relaying DNS server (optional) and the second is the domain
you used (`t1.mydomain.com`). If you don't specify the first argument, the
system's current DNS setting will be consulted.
If DNS queries are allowed to any computer, you can directly give the `iodined`
server's address as first argument (in the example: `t1ns.mydomain.com` or
`10.15.213.99`). In that case, it may also happen that _any_ traffic is allowed
to the DNS port (53 UDP) of any computer. Iodine will detect this, and switch
to raw UDP tunneling if possible. To force DNS tunneling in any case, use the
`-r` option (especially useful when testing within your own network).
The client's tunnel interface will get an IP close to the server's (in this
case `192.168.99.2` or `.3` etc.) and a suitable MTU. Enter the same password as
on the server either as commandline option or after the client has started.
Using the `-f` option will keep the iodine client running in the foreground.
Resulting commandline in this example situation, adding -r forces DNS tunneling
even if raw UDP tunneling would be possible:
./iodine -f -P secretpassword t1.mydomain.com
From either side, you should now be able to ping the IP address on the other
end of the tunnel. In this case, `ping 192.168.99.1` from the iodine client, and
`192.168.99.2` from the iodine server.
### MISC. INFO
#### IPv6
The data inside the tunnel is IPv4 only.
The server listens to both IPv4 and IPv6 for incoming requests by default.
Use options `-4` or `-6` to only listen on one protocol. Raw mode will be
attempted on the same protocol as used for the login.
The client can use IPv4 or IPv6 nameservers to connect to iodined. The relay
nameservers will translate between protocols automatically if needed. Use
options `-4` or `-6` to force the client to use a specific IP version for its DNS
queries.
If your server is listening on IPv6 and is reachable, add an AAAA record for it
to your DNS setup. Extending the example above would look like this:
t1 IN NS t1ns.mydomain.com. ; note the dot!
t1ns IN A 10.15.213.99
t1ns IN AAAA 2001:db8::1001:99
#### Routing
It is possible to route all traffic through the DNS tunnel. To do this, first
add a host route to the nameserver used by iodine over the wired/wireless
interface with the default gateway as gateway. Then replace the default
gateway with the iodined server's IP address inside the DNS tunnel, and
configure the server to do NAT.
However, note that the tunneled data traffic is not encrypted at all, and can
be read and changed by external parties relatively easily. For maximum
security, run a VPN through the DNS tunnel (=double tunneling), or use secure
shell (SSH) access, possibly with port forwarding. The latter can also be used
for web browsing, when you run a web proxy (for example Privoxy) on your
server.
#### Testing
The `iodined` server replies to `NS` requests sent for subdomains of the tunnel
domain. If your iodined subdomain is `t1.mydomain.com`, send a `NS` request for
`foo123.t1.mydomain.com` to see if the delegation works.
`dig` is a good tool for this:
% dig -t NS foo123.t1.mydomain.com
ns.io.citronna.de.
Also, the iodined server will answer requests starting with 'z' for any of the
supported request types, for example:
dig -t TXT z456.t1.mydomain.com
dig -t SRV z456.t1.mydomain.com
dig -t CNAME z456.t1.mydomain.com
The reply should look like garbled text in all these cases.
#### Mac OS X
On Mac OS X 10.6 and later, iodine supports the native utun devices built into
the OS - use `-d utunX`.
Operational info
----------------
The DNS-response fragment size is normally autoprobed to get maximum bandwidth.
To force a specific value (and speed things up), use the `-m` option.
The DNS hostnames are normally used up to their maximum length, 255 characters.
Some DNS relays have been found that answer full-length queries rather
unreliably, giving widely varying (and mostly very bad) results of the
fragment size autoprobe on repeated tries. In these cases, use the `-M` switch
to reduce the DNS hostname length to, for example 200 characters, which makes
these DNS relays much more stable. This is also useful on some “de-optimizing”
DNS relays that stuff the response with two full copies of the query, leaving
very little space for downstream data (also not capable of EDNS0). The `-M`
switch can trade some upstream bandwidth for downstream bandwidth. Note that
the minimum `-M` value is about 100, since the protocol can split packets (1200
bytes max) in only 16 fragments, requiring at least 75 real data bytes per
fragment.
The upstream data is sent gzipped encoded with Base32; or Base64 if the relay
server supports mixed case and `+` in domain names; or Base64u if `_` is
supported instead; or Base128 if high-byte-value characters are supported.
This upstream encoding is autodetected. The DNS protocol allows one query per
packet, and one query can be max 256 chars. Each domain name part can be max
63 chars. So your domain name and subdomain should be as short as possible to
allow maximum upstream throughput.
Several DNS request types are supported, with the `NULL` and `PRIVATE` types
expected to provide the largest downstream bandwidth. The `PRIVATE` type uses
value 65399 in the private-use range. Other available types are `TXT`, `SRV`,
`MX`, `CNAME` and `A` (returning `CNAME`), in decreasing bandwidth order.
Normally the “best” request type is autodetected and used. However, DNS relays
may impose limits on for example NULL and TXT, making SRV or MX actually the best
choice. This is not autodetected, but can be forced using the `-T` option.
It is advisable to try various alternatives especially when the autodetected
request type provides a downstream fragment size of less than 200 bytes.
Note that `SRV`, `MX` and `A` (returning `CNAME`) queries may/will cause
additional lookups by "smart" caching nameservers to get an actual IP address,
which may either slow down or fail completely.
DNS responses for non-`NULL/PRIVATE` queries can be encoded with the same set of
codecs as upstream data. This is normally also autodetected, but no fully
exhaustive tests are done, so some problems may not be noticed when selecting
more advanced codecs. In that case, you'll see failures/corruption in the
fragment size autoprobe. In particular, several DNS relays have been found that
change replies returning hostnames (`SRV`, `MX`, `CNAME`, `A`) to lowercase only
when that hostname exceeds ca. 180 characters. In these and similar cases, use
the `-O` option to try other downstream codecs; Base32 should always work.
Normal operation now is for the server to _not_ answer a DNS request until
the next DNS request has come in, a.k.a. being “lazy”. This way, the server
will always have a DNS request handy when new downstream data has to be sent.
This greatly improves (interactive) performance and latency, and allows to
slow down the quiescent ping requests to 4 second intervals by default, and
possibly much slower. In fact, the main purpose of the pings now is to force
a reply to the previous ping, and prevent DNS server timeouts (usually at
least 5-10 seconds per RFC1035). Some DNS servers are more impatient and will
give SERVFAIL errors (timeouts) in periods without tunneled data traffic. All
data should still get through in these cases, but `iodine` will reduce the ping
interval to 1 second anyway (-I1) to reduce the number of error messages. This
may not help for very impatient DNS relays like `dnsadvantage.com` (ultradns),
which time out in 1 second or even less. Yet data will still get trough, and
you can ignore the `SERVFAIL` errors.
If you are running on a local network without any DNS server in-between, try
`-I 50` (iodine and iodined close the connection after 60 seconds of silence).
The only time you'll notice a slowdown, is when DNS reply packets go missing;
the `iodined` server then has to wait for a new ping to re-send the data. You can
speed this up by generating some upstream traffic (keypress, ping). If this
happens often, check your network for bottlenecks and/or run with `-I1`.
The delayed answering in lazy mode will cause some “carrier grade” commercial
DNS relays to repeatedly re-send the same DNS query to the iodined server.
If the DNS relay is actually implemented as a pool of parallel servers,
duplicate requests may even arrive from multiple sources. This effect will
only be visible in the network traffic at the `iodined` server, and will not
affect the client's connection. Iodined will notice these duplicates, and send
the same answer (when its time has come) to both the original query and the
latest duplicate. After that, the full answer is cached for a short while.
Delayed duplicates that arrive at the server even later, get a reply that the
iodine client will ignore (if it ever arrives there).
If you have problems, try inspecting the traffic with network monitoring tools
like tcpdump or ethereal/wireshark, and make sure that the relaying DNS server
has not cached the response. A cached error message could mean that you
started the client before the server. The `-D` (and `-DD`) option on the server
can also show received and sent queries.
TIPS & TRICKS
-------------
If your port 53 is taken on a specific interface by an application that does
not use it, use `-p` on iodined to specify an alternate port (like `-p 5353`)
and use for instance iptables (on Linux) to forward the traffic:
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to :5353
(Sent in by Tom Schouten)
Iodined will reject data from clients that have not been active (data/pings)
for more than 60 seconds. Similarly, iodine will exit when no downstream
data has been received for 60 seconds. In case of a long network outage or
similar, just restart iodine (re-login), possibly multiple times until you get
your old IP address back. Once that's done, just wait a while, and you'll
eventually see the tunneled TCP traffic continue to flow from where it left
off before the outage.
With the introduction of the downstream packet queue in the server, its memory
usage has increased with several megabytes in the default configuration.
For use in low-memory environments (e.g. running on your DSL router), you can
decrease USERS and undefine OUTPACKETQ_LEN in user.h without any ill conse-
quence, assuming at most one client will be connected at any time. A small
DNSCACHE_LEN is still advised, preferably 2 or higher, however you can also
undefine it to save a few more kilobytes.
One iodine server can handle multiple domains. Set up different NS records
on the same domain all pointing to the same host, and use a wildcard
at the start of the topdomain argument (example `*.mydomain.com`). iodine
will accept tunnel traffic for all domains matching that pattern. The wildcard
has to be at the start of the topdomain argument and be followed by a dot.
PERFORMANCE
-----------
This section tabulates some performance measurements. To view properly, use
a fixed-width font like Courier.
Measurements were done in protocol 00000502 in lazy mode; upstream encoding
always Base128; `iodine -M255`; `iodined -m1130`. Network conditions were not
extremely favorable; results are not benchmarks but a realistic indication of
real-world performance that can be expected in similar situations.
Upstream/downstream throughput was measured by `scp`'ing a file previously
read from `/dev/urandom` (i.e. incompressible), and measuring size with
`ls -l ; sleep 30 ; ls -l` on a separate non-tunneled connection. Given the
large `scp` block size of 16 kB, this gives a resolution of 4.3 kbit/s, which
explains why some values are exactly equal.
Ping round-trip times measured with `ping -c100`, presented are average rtt
and mean deviation (indicating spread around the average), in milliseconds.
### Situation 1: `Laptop -> Wifi AP -> Home server -> DSL provider -> Datacenter`
iodine DNS "relay" bind9 DNS cache iodined
downstr. upstream downstr. ping-up ping-down
fragsize kbit/s kbit/s avg +/-mdev avg +/-mdev
-----------------------------------------------------------------------------
iodine -> Wifi AP :53
-Tnull (= -Oraw) 982 43.6 131.0 28.0 4.6 26.8 3.4
iodine -> Home server :53
-Tnull (= -Oraw) 1174 48.0 305.8 26.6 5.0 26.9 8.4
iodine -> DSL provider :53
-Tnull (= -Oraw) 1174 56.7 367.0 20.6 3.1 21.2 4.4
-Ttxt -Obase32 730 56.7 174.7*
-Ttxt -Obase64 874 56.7 174.7
-Ttxt -Obase128 1018 56.7 174.7
-Ttxt -Oraw 1162 56.7 358.2
-Tsrv -Obase128 910 56.7 174.7
-Tcname -Obase32 151 56.7 43.6
-Tcname -Obase128 212 56.7 52.4
iodine -> DSL provider :53
wired (no Wifi) -Tnull 1174 74.2 585.4 20.2 5.6 19.6 3.4
[174.7* : these all have 2frag/packet]
### Situation 2: `Laptop -> Wifi+vpn / wired -> Home server`
iodine iodined
downstr. upstream downstr. ping-up ping-down
fragsize kbit/s kbit/s avg +/-mdev avg +/-mdev
-----------------------------------------------------------------------------
wifi + openvpn -Tnull 1186 166.0 1022.3 6.3 1.3 6.6 1.6
wired -Tnull 1186 677.2 2464.1 1.3 0.2 1.3 0.1
### Notes
Performance is strongly coupled to low ping times, as iodine requires
confirmation for every data fragment before moving on to the next. Allowing
multiple fragments in-flight like TCP could possibly increase performance,
but it would likely cause serious overload for the intermediary DNS servers.
The current protocol scales performance with DNS responsivity, since the
DNS servers are on average handling at most one DNS request per client.
PORTABILITY
-----------
iodine has been tested on Linux (arm, ia64, x86, AMD64 and SPARC64), FreeBSD
(ia64, x86), OpenBSD (x86), NetBSD (x86), MacOS X (ppc and x86, with
<http://tuntaposx.sourceforge.net/>). and Windows (with OpenVPN TAP32 driver, see
win32 readme file). It should be easy to port to other unix-like systems that
have TUN/TAP tunneling support. Let us know if you get it to run on other
platforms.
THE NAME
--------
The name iodine was chosen since it starts with IOD (IP Over DNS) and since
iodine has atomic number 53, which happens to be the DNS port number.
THANKS
------
- To kuxien for FreeBSD and OS X testing
- To poplix for code audit
AUTHORS & LICENSE
-----------------
Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>, 2006-2009 Bjorn
Andersson <flex@kryo.se>. Also major contributions by Anne Bezemer.
Permission to use, copy, modify, and/or distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright notice
and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
MD5 implementation by L. Peter Deutsch (license and source in `src/md5.[ch]`)
Copyright (C) 1999, 2000, 2002 Aladdin Enterprises. All rights reserved.
================================================
FILE: doc/iodine-server.service
================================================
[Unit]
Description=Iodine Server
After=local-fs.target network.target
[Service]
EnvironmentFile=-/etc/sysconfig/iodine-server
ExecStart=/usr/local/bin/iodined -i 30 -f $OPTIONS
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
================================================
FILE: doc/iodine-server.socket
================================================
[Unit]
Description=Iodine socket
[Socket]
ListenDatagram=53
ListenDatagram=0.0.0.0:53
BindIPv6Only=ipv6-only
[Install]
WantedBy=sockets.target
================================================
FILE: doc/iodine.te
================================================
# Sample post-initialization SELinux policy for Iodine
policy_module(iodine, 1.1)
require {
type init_t;
type initrc_t;
type unconfined_t;
type unlabeled_t;
class udp_socket { read write };
class rawip_socket { write read };
class association recvfrom;
class unix_dgram_socket { create connect };
}
type iodine_t;
domain_type(iodine_t)
domain_dyntrans_type(initrc_t)
allow initrc_t iodine_t:process dyntransition;
allow iodine_t unconfined_t:udp_socket { read write };
allow iodine_t unconfined_t:rawip_socket { write read };
allow iodine_t unlabeled_t:association recvfrom;
allow iodine_t self:unix_dgram_socket { create connect };
corenet_raw_receive_generic_node(iodine_t)
corenet_rw_tun_tap_dev(iodine_t)
================================================
FILE: doc/proto_00000402.txt
================================================
Detailed specification of protocol in version 00000402
======================================================
CMC = 2 byte Cache Miss Counter, increased every time it is used
Version:
Client sends:
First byte v or V
Rest encoded with base32:
4 bytes big endian protocol version
CMC
Server replies:
4 chars:
VACK (version ok), followed by login challenge
VNAK (version differs), followed by server protocol version
VFUL (server has no free slots), followed by max users
4 byte value: means login challenge/server protocol version/max users
1 byte userid of the new user, or any byte if not VACK
Login:
Client sends:
First byte l or L
Rest encoded with base32:
1 byte userid
16 bytes MD5 hash of: (first 32 bytes of password) xor (8 repetitions of login challenge)
CMC
Server replies:
LNAK means not accepted
x.x.x.x-y.y.y.y-mtu means accepted (server ip, client ip, mtu)
Case check:
Client sends:
First byte z or Z
Lots of data that should not be decoded
Server replies:
The requested domain copied raw
Data:
Data header:
321 0
+---+-+
|UUU|L|
+---+-+
UUU = Userid
L = Last fragment in packet flag
First byte is the header, 4 bits coded as hex in ASCII.
Followed by data encoded with Base32.
Ping:
Client sends:
First byte p or P
Rest encoded with Base32:
1 byte userid
CMC
The server response to Ping and Data packets is a DNS NULL type response:
If server has nothing to send, data length is 0 bytes.
If server has a packet to send, data length is set and the data is a full raw
unencoded ip packet, prefixed with 32 bits tun data.
================================================
FILE: doc/proto_00000500.txt
================================================
Detailed specification of protocol in version 00000500
======================================================
CMC = 2 byte Cache Miss Counter, increased every time it is used
Version:
Client sends:
First byte v or V
Rest encoded with base32:
4 bytes big endian protocol version
CMC
Server replies:
4 chars:
VACK (version ok), followed by login challenge
VNAK (version differs), followed by server protocol version
VFUL (server has no free slots), followed by max users
4 byte value: means login challenge/server protocol version/max users
1 byte userid of the new user, or any byte if not VACK
Login:
Client sends:
First byte l or L
Rest encoded with base32:
1 byte userid
16 bytes MD5 hash of: (first 32 bytes of password) xor (8 repetitions of login challenge)
CMC
Server replies:
LNAK means not accepted
x.x.x.x-y.y.y.y-mtu-netmask means accepted (server ip, client ip, mtu, netmask bits)
Case check:
Client sends:
First byte z or Z
Lots of data that should not be decoded
Server replies:
The requested domain copied raw
Switch codec:
Client sends:
First byte s or S
5 bits coded as Base32 char, meaning userid
5 bits coded as Base32 char, with value 5 or 6, representing number of raw
bits per encoded byte
Server sends:
Name of codec if accepted. After this all upstream data packets must
be encoded with the new codec.
BADCODEC if not accepted. Client must then revert to Base32
Probe downstream fragment size:
Client sends:
First byte r or R
15 bits coded as 3 Base32 chars: UUUUF FFFFF FFFFF
meaning 4 bits userid, 11 bits fragment size
Then follows a long random query which contents does not matter
Server sends:
Requested number of bytes as a response. The first two bytes contains
the requested length. Rest of message can be any data.
BADFRAG if requested length not accepted.
Set downstream fragment size:
Client sends:
First byte n or N
Rest encoded with base32:
1 byte userid
2 bytes new downstream fragment size
CMC
Server sends:
2 bytes new downstream fragment size. After this all downstream
payloads will be max (fragsize + 2) bytes long.
BADFRAG if not accepted.
Data:
Upstream data header:
3210 432 10 43 210 4321 0
+----+---+--+--+---+----+-+
|UUUU|SSS|FF|FF|DDD|GGGG|L|
+----+---+--+--+---+----+-+
Downstream data header:
7 654 3210 765 4321 0
+-+---+----+---+----+-+
|C|SSS|FFFF|DDD|GGGG|L|
+-+---+----+---+----+-+
UUUU = Userid
L = Last fragment in packet flag
SS = Upstream packet sequence number
FFFF = Upstream fragment number
DDD = Downstream packet sequence number
GGGG = Downstream fragment number
C = Compression enabled for downstream packet
Upstream data packet starts with 1 byte ASCII hex coded user byte, then 3 bytes
Base32 encoded header, then comes the payload data, encoded with chosen codec.
Downstream data starts with 2 byte header. Then payload data, which may be
compressed.
Ping:
Client sends:
First byte p or P
Rest encoded with Base32:
1 byte with 4 bits userid
1 byte with:
3 bits downstream seqno
4 bits downstream fragment
CMC
The server response to Ping and Data packets is a DNS NULL type response:
If server has nothing to send, data length is 0 bytes.
If server has something to send, it will send a downstream data packet,
prefixed with 2 bytes header as shown above.
================================================
FILE: doc/proto_00000502.txt
================================================
Detailed specification of protocol in version 00000502
======================================================
Note: work in progress!!
======================================================
1. DNS protocol
======================================================
Quick alphabetical index / register:
0-9 Data packet
A-F Data packet
I IP address
L Login
N Downstream fragsize (NS.topdomain A-type reply)
O Options
P Ping
R Downstream fragsize probe
S Switch upstream codec
V Version
W (WWW.topdomain A-type reply)
Y Downstream codec check
Z Upstream codec check
CMC = 2 byte Cache Miss Counter, increased every time it is used
Version:
Client sends:
First byte v or V
Rest encoded with base32:
4 bytes big endian protocol version
CMC
Server replies:
4 chars:
VACK (version ok), followed by login challenge
VNAK (version differs), followed by server protocol version
VFUL (server has no free slots), followed by max users
4 byte value: means login challenge/server protocol version/max users
1 byte userid of the new user, or any byte if not VACK
Login:
Client sends:
First byte l or L
Rest encoded with base32:
1 byte userid
16 bytes MD5 hash of: (first 32 bytes of password) xor (8 repetitions of login challenge)
CMC
Server replies:
LNAK means not accepted
x.x.x.x-y.y.y.y-mtu-netmask means accepted (server ip, client ip, mtu, netmask bits)
IP Request: (for where to try raw login)
Client sends:
First byte i or I
5 bits coded as Base32 char, meaning userid
CMC as 3 Base32 chars
Server replies
BADIP if bad userid
First byte I
Then comes external IP address of iodined server
as 4 bytes (IPv4) or 16 bytes (IPv6)
Upstream codec check / bounce:
Client sends:
First byte z or Z
Lots of data that should not be decoded
Server replies:
The requested domain copied raw, in the lowest-grade downstream codec
available for the request type.
Downstream codec check:
Client sends:
First byte y or Y
1 char, meaning downstream codec to use
5 bits coded as Base32 char, meaning check variant
CMC as 3 Base32 chars
Possibly extra data, depending on check variant
Server sends:
Data encoded with requested downstream codec; data content depending
on check variant number.
BADCODEC if requested downstream codec not available.
BADLEN if check variant is not available, or problem with extra data.
Downstream codec chars are same as in 'O' Option request, below.
Check variants:
1: Send encoded DOWNCODECCHECK1 string as defined in encoding.h
(Other variants reserved; possibly variant that sends a decoded-encoded
copy of Base32-encoded extra data in the request)
Switch codec:
Client sends:
First byte s or S
5 bits coded as Base32 char, meaning userid
5 bits coded as Base32 char, representing number of raw bits per
encoded byte:
5: Base32 (a-z0-5)
6: Base64 (a-zA-Z0-9+-)
26: Base64u (a-zA-Z0-9_-)
7: Base128 (a-zA-Z0-9\274-\375)
CMC as 3 Base32 chars
Server sends:
Name of codec if accepted. After this all upstream data packets must
be encoded with the new codec.
BADCODEC if not accepted. Client must then revert to previous codec
BADLEN if length of query is too short
Options:
Client sends:
First byte o or O
5 bits coded as Base32 char, meaning userid
1 char, meaning option
CMC as 3 Base32 chars
Server sends:
Full name of option if accepted. After this, option immediately takes
effect in server.
BADCODEC if not accepted. Previous situation remains.
All options affect only the requesting client.
Option chars:
t or T: Downstream encoding Base32, for TXT/CNAME/A/MX (default)
s or S: Downstream encoding Base64, for TXT/CNAME/A/MX
u or U: Downstream encoding Base64u, for TXT/CNAME/A/MX
v or V: Downstream encoding Base128, for TXT/CNAME/A/MX
r or R: Downstream encoding Raw, for PRIVATE/TXT/NULL (default for
PRIVATE and NULL)
If codec unsupported for request type, server will use Base32; note
that server will answer any mix of request types that a client sends.
Server may disregard this option; client must always use the downstream
encoding type indicated in every downstream DNS packet.
l or L: Lazy mode, server will keep one request unanswered until the
next one comes in. Applies only to data transfer; handshake is always
answered immediately.
i or I: Immediate (non-lazy) mode, server will answer all requests
(nearly) immediately.
Probe downstream fragment size:
Client sends:
First byte r or R
15 bits coded as 3 Base32 chars: UUUUF FFFFF FFFFF
meaning 4 bits userid, 11 bits fragment size
Then follows a long random query which contents does not matter
Server sends:
Requested number of bytes as a response. The first two bytes contain
the requested length. The third byte is 107 (0x6B). The fourth byte
is a random value, and each following byte is incremented with 107.
This is checked by the client to determine corruption.
BADFRAG if requested length not accepted.
Set downstream fragment size:
Client sends:
First byte n or N
Rest encoded with base32:
1 byte userid
2 bytes new downstream fragment size
CMC
Server sends:
2 bytes new downstream fragment size. After this all downstream
payloads will be max (fragsize + 2) bytes long.
BADFRAG if not accepted.
Data:
Upstream data header:
3210 432 10 43 210 4321 0 43210
+----+---+--+--+---+----+-+-----+
|UUUU|SSS|FF|FF|DDD|GGGG|L|UDCMC|
+----+---+--+--+---+----+-+-----+
Downstream data header:
7 654 3210 765 4321 0
+-+---+----+---+----+-+
|C|SSS|FFFF|DDD|GGGG|L|
+-+---+----+---+----+-+
UUUU = Userid
L = Last fragment in packet flag
SS = Upstream packet sequence number
FFFF = Upstream fragment number
DDD = Downstream packet sequence number
GGGG = Downstream fragment number
C = Compression enabled for downstream packet
UDCMC = Upstream Data CMC, 36 steps a-z0-9, case-insensitive
Upstream data packet starts with 1 byte ASCII hex coded user byte; then 3 bytes
Base32 encoded header; then 1 char data-CMC; then comes the payload data,
encoded with the chosen upstream codec.
Downstream data starts with 2 byte header. Then payload data, which may be
compressed.
In NULL and PRIVATE responses, downstream data is always raw. In all other
response types, downstream data is encoded (see Options above).
Encoding type is indicated by 1 prefix char:
TXT:
End result is always DNS-chopped (series of len-prefixed strings
<=255 bytes)
t or T: Base32 encoded before chop, decoded after un-chop
s or S: Base64 encoded before chop, decoded after un-chop
u or U: Base64u encoded before chop, decoded after un-chop
v or V: Base128 encoded before chop, decoded after un-chop
r or R: Raw no encoding, only DNS-chop
SRV/MX/CNAME/A:
h or H: Hostname encoded with Base32
i or I: Hostname encoded with Base64
j or J: Hostname encoded with Base64u
k or K: Hostname encoded with Base128
SRV and MX may reply with multiple hostnames, each encoded separately. Each
has a 10-multiple priority, and encoding/decoding is done in strictly
increasing priority sequence 10, 20, 30, etc. without gaps. Note that some DNS
relays will shuffle the answer records in the response.
Ping:
Client sends:
First byte p or P
Rest encoded with Base32:
1 byte with 4 bits userid
1 byte with:
3 bits downstream seqno
4 bits downstream fragment
CMC
The server response to Ping and Data packets is a DNS NULL/TXT/.. type response,
always starting with the 2 bytes downstream data header as shown above.
If server has nothing to send, no data is added after the header.
If server has something to send, it will add the downstream data packet
(or some fragment of it) after the header.
"Lazy-mode" operation
=====================
Client-server DNS traffic sequence has been reordered to provide increased
(interactive) performance and greatly reduced latency.
Idea taken from Lucas Nussbaum's slides (24th IFIP International Security
Conference, 2009) at http://www.loria.fr/~lnussbau/tuns.html. Current
implementation is original to iodine, no code or documentation from any other
project was consulted during development.
Server:
Upstream data is acked immediately*, to keep the slow upstream data flowing
as fast as possible (client waits for ack to send next frag).
Upstream pings are answered _only_ when 1) downstream data arrives from tun,
OR 2) new upstream ping/data arrives from client.
In most cases, this means we answer the previous DNS query instead of the
current one. The current query is kept in queue and used as soon as
downstream data has to be sent.
*: upstream data ack is usually done as reply on the previous ping packet,
and the upstream-data packet itself is kept in queue.
Client:
Downstream data is acked immediately, to keep it flowing fast (includes a
ping after last downstream frag).
Also, after all available upstream data is sent & acked by the server (which
in some cases uses up the last query), send an additional ping to prime the
server for the next downstream data.
======================================================
2. Raw UDP protocol
======================================================
All Raw UDP protcol messages start with a 3 byte header: 0x10d19e
This is not the start of a valid DNS message so it is easy to identify.
The fourth byte contains the command and the user id.
7654 3210
+----+----+
|CCCC|UUUU|
+----+----+
Login message (command = 1):
The header is followed by a MD5 hash with the same password as in the DNS
login. The client starts the raw mode by sending this message, and uses
the login challenge +1, and the server responds using the login challenge -1.
After the login message has been exchanged, both the server and the client
switch to raw udp mode for the rest of the connection.
Data message (command = 2):
After the header comes the payload data, which may be compressed.
Ping message (command = 3):
Sent from client to server and back to keep session open. Has no payload.
================================================
FILE: man/iodine.8
================================================
.\" groff -man -Tascii iodine.8
.TH IODINE 8 "APR 2023" "User Manuals"
.SH NAME
iodine, iodined \- tunnel IPv4 over DNS
.SH SYNOPSIS
.B iodine [-v]
.B iodine [-h]
.B iodine [-4] [-6] [-f] [-r] [-u
.I user
.B ] [-P
.I password
.B ] [-m
.I fragsize
.B ] [-t
.I chrootdir
.B ] [-d
.I device
.B ] [-R
.I rdomain
.B ] [-m
.I fragsize
.B ] [-M
.I namelen
.B ] [-z
.I context
.B ] [-F
.I pidfile
.B ] [-T
.I dnstype
.B ] [-O
.I downenc
.B ] [-L
.I 0|1
.B ] [-I
.I interval
.B ]
.B [
.I nameserver
.B ]
.I topdomain
.B iodined [-v]
.B iodined [-h]
.B iodined [-4] [-6] [-c] [-s] [-f] [-D] [-u
.I user
.B ] [-t
.I chrootdir
.B ] [-d
.I device
.B ] [-m
.I mtu
.B ] [-l
.I listen_ip4
.B ] [-L
.I listen_ip6
.B ] [-p
.I port
.B ] [-n
(
.B auto
|
.I external_ip
)
.B ] [-b
.I dnsport
.B ] [-P
.I password
.B ] [-z
.I context
.B ] [-F
.I pidfile
.B ] [-i
.I max_idle_time
.B ]
.I tunnel_ip
.B [
.I /netmask
.B ]
.I topdomain
.SH DESCRIPTION
.B iodine
lets you tunnel IPv4 data through a DNS
server. This can be useful in situations where Internet access is firewalled,
but DNS queries are allowed. It needs a TUN/TAP device to operate. The
bandwidth is asymmetrical,
with a measured maximum of 680 kbit/s upstream and 2.3 Mbit/s
downstream in a wired LAN test network.
Realistic sustained throughput on a Wifi network using a carrier-grade
DNS cache has been measured at some 50 kbit/s upstream and over 200 kbit/s
downstream.
.B iodine
is the client application,
.B iodined
is the server.
Note: server and client are required to speak the exact same protocol. In most
cases, this means running the same iodine version. Unfortunately, implementing
backward and forward protocol compatibility is usually not feasible.
.SH OPTIONS
.SS Common Options:
.TP
.B -v
Print version info and exit.
.TP
.B -h
Print usage info and exit.
.TP
.B -f
Keep running in foreground.
.TP
.B -4
Force/allow only IPv4 DNS queries
.TP
.B -6
Force/allow only IPv6 DNS queries
.TP
.B -u user
Drop privileges and run as user 'user' after setting up tunnel.
.TP
.B -t chrootdir
Chroot to 'chrootdir' after setting up tunnel.
.TP
.B -d device
Use the TUN device 'device' instead of the normal one, which is dnsX on Linux
and otherwise tunX. On Mac OS X 10.6, this can also be utunX, which will attempt
to use an utun device built into the OS.
.TP
.B -P password
Use 'password' to authenticate. If not used,
.B stdin
will be used as input. Only the first 32 characters will be used.
.TP
.B -z context
Apply SELinux 'context' after initialization.
.TP
.B -F pidfile
Create 'pidfile' and write process id in it.
.SS Client Options:
.TP
.B -r
Skip raw UDP mode. If not used, iodine will try getting the public IP address
of the iodined host and test if it is reachable directly. If it is, traffic
will be sent to the server instead of the DNS relay.
.TP
.B -R rdomain
Use OpenBSD routing domain 'rdomain' for the DNS connection.
.TP
.B -m fragsize
Force maximum downstream fragment size. Not setting this will cause the
client to automatically probe the maximum accepted downstream fragment size.
.TP
.B -M namelen
Maximum length of upstream hostnames, default 255.
Usable range ca. 100 to 255.
Use this option to scale back upstream bandwidth in favor of downstream
bandwidth.
Also useful for DNS servers that perform unreliably when using full-length
hostnames, noticeable when fragment size autoprobe returns very
different results each time.
.TP
.B -T dnstype
DNS request type override.
By default, autodetection will probe for working DNS request types, and
will select the request type that is expected to provide the most bandwidth.
However, it may turn out that a DNS relay imposes limits that skew the
picture, which may lead to an "unexpected" DNS request type providing
more bandwidth.
In that case, use this option to override the autodetection.
In (expected) decreasing bandwidth order, the supported DNS request types are:
.IR NULL ,
.IR PRIVATE ,
.IR TXT ,
.IR SRV ,
.IR MX ,
.I CNAME
and
.I A
(returning CNAME).
Note that
.IR SRV ,
.I MX
and
.I A
may/will cause additional lookups by "smart" caching
nameservers to get an actual IP address, which may either slow down or fail
completely. The
.IR PRIVATE
type uses value 65399 (in the 'private use' range) and requires servers
implementing RFC 3597.
.TP
.B -O downenc
Force downstream encoding type for all query type responses except NULL.
Default is autodetected, but may not spot all problems for the more advanced
codecs.
Use this option to override the autodetection.
.I Base32
is the lowest-grade codec and should always work; this is used when
autodetection fails.
.I Base64
provides more bandwidth, but may not work on all nameservers.
.I Base64u
is equal to Base64 except in using underscore ('_')
instead of plus sign ('+'), possibly working where
.I Base64
does not.
.I Base128
uses high byte values (mostly accented letters in iso8859-1),
which might work with some nameservers.
For TXT queries,
.I Raw
will provide maximum performance, but this will only work if the nameserver
path is fully 8-bit-clean for responses that are assumed to be "legible text".
.TP
.B -L 0|1
Lazy-mode switch.
\-L1 (default): Use lazy mode for improved performance and decreased latency.
A very small minority of DNS relays appears to be unable to handle the
lazy mode traffic pattern, resulting in no or very little data coming through.
The iodine client will detect this and try to switch back to legacy mode,
but this may not always work.
In these situations use \-L0 to force running in legacy mode
(implies \-I1).
.TP
.B -I interval
Maximum interval between requests (pings) so that intermediate DNS
servers will not time out. Default is 4 in lazy mode, which will work
fine in most cases. When too many SERVFAIL errors occur, iodine
will automatically reduce this to 1.
To get absolute minimum DNS traffic,
increase well above 4, but not so high that SERVFAIL errors start to occur.
There are some DNS relays with very small timeouts,
notably dnsadvantage.com (ultradns), that will give
SERVFAIL errors even with \-I1; data will still get trough,
and these errors can be ignored.
Maximum useful value is 59, since iodined will close a client's
connection after 60 seconds of inactivity.
.SS Server Options:
.TP
.B -c
Disable checking the client IP address on all incoming requests.
By default, requests originating from non-matching IP addresses will be
rejected, however this will cause problems when requests are routed
via a cluster of DNS servers.
.TP
.B -s
Don't try to configure IP address or MTU.
This should only be used if you have already configured the device that will be
used.
.TP
.B -D
Increase debug level. Level 1 prints info about each RX/TX packet.
Implies the
.B -f
option.
On level 2 (\-DD) or higher, DNS queries will be printed literally.
When using Base128 upstream encoding, this is best viewed as
ISO Latin-1 text instead of (illegal) UTF-8.
This is easily done with : "LC_ALL=C luit iodined \-DD ..."
(see luit(1)).
.TP
.B -m mtu
Set 'mtu' as mtu size for the tun device.
This will be sent to the client on login, and the client will use the same mtu
for its tun device. Default 1130. Note that the DNS traffic will be
automatically fragmented when needed.
.TP
.B -l external|listen_ip4
Make the server listen only on 'listen_ip4' for incoming IPv4 requests.
By default, incoming requests are accepted from all interfaces (0.0.0.0).
A domain name can be used as argument - use one with only one A record.
If listen_ip4 is 'external', iodined will use the opendns.com DNS service to
retrieve the external IP of the host and use that as listen address.
.TP
.B -L listen_ip6
Make the server listen only on 'listen_ip6' for incoming IPv6 requests.
By default, incoming requests are accepted from all interfaces (::).
A domain name can be used as argument - use one with only one AAAA record.
.TP
.B -p port
Make the server listen on 'port' instead of 53 for traffic.
If 'listen_ip4' does not include localhost, this 'port' can be the same
as 'dnsport'.
.B Note:
You must make sure the dns requests are forwarded to this port yourself.
.TP
.B -n auto|external_ip
The IP address to return in NS responses. Default is to return the address used
as destination in the query.
If external_ip is 'auto', iodined will use the opendns.com DNS service to
retrieve the external IP of the host and use that for NS responses.
.TP
.B -b dnsport
If this port is specified, all incoming requests not inside the tunnel domain
will be forwarded to this port on localhost, to be handled by a real dns.
If 'listen_ip' does not include localhost, this 'dnsport' can be the
same as 'port'.
.B Note:
The forwarding is not fully transparent, and not advised for use
in production environments.
.TP
.B -i max_idle_time
Make the server stop itself after max_idle_time seconds if no traffic have been received.
This should be combined with systemd or upstart on demand activation for being effective.
.SS Client Arguments:
.TP
.B nameserver
The nameserver to use to relay the dns traffic. This can be any relaying
nameserver or the server running iodined if reachable. This field can be
given as an IPv4/IPv6 address or as a hostname. This argument is optional,
and if not specified a nameserver will be read from the
.I /etc/resolv.conf
file.
.TP
.B topdomain
The dns traffic will be sent as queries for subdomains under
\'topdomain'. This is normally a subdomain to a domain you own. Use a short
domain name to get better throughput. If
.B nameserver
is the iodined server, then the topdomain can be chosen freely. This argument
must be the same on both the client and the server.
.SS Server Arguments:
.TP
.B tunnel_ip[/netmask]
This is the server's ip address on the tun interface. The client will be
given the next ip number in the range. It is recommended to use the
10.0.0.0 or 172.16.0.0 ranges. The default netmask is /27, can be overridden
by specifying it here. Using a smaller network will limit the number of
concurrent users.
.TP
.B topdomain
The dns traffic is expected to arrive as queries for
subdomains under 'topdomain'. This is normally a subdomain to a domain you
own. Use a short domain name to get better throughput. This argument must be
the same on both the client and the server. Queries for domains other
than 'topdomain' will be forwarded when the \-b option is given, otherwise
they will be dropped. The topdomain can start with '*' which will allow all
domains ending with the same suffix.
.SH EXAMPLES
See the README file for both a quick test scenario, and a detailed description
of real-world deployment.
.SH SECURITY
Login is a relatively secure challenge-response MD5 hash, with the
password never passing the wire.
However, all other data is
.B NOT
encrypted in any way. The DNS traffic is also vulnerable to replay,
injection and man-in-the-middle attacks, especially when iodined is used
with the \-c option. Use of ssh or vpn tunneling is strongly recommended.
On both server and client, use
.IR iptables ,
.I pf
or other firewalls to block all traffic coming in from the tun interfaces,
except to the used ssh or vpn ports.
.SH ENVIRONMENT
.SS IODINE_PASS
If the environment variable
.B IODINE_PASS
is set, iodine will use the value it is set to as password instead of asking
for one. The
.B -P
option still has precedence.
.SS IODINED_PASS
If the environment variable
.B IODINED_PASS
is set, iodined will use the value it is set to as password instead of asking
for one. The
.B -P
option still has precedence.
.SH SEE ALSO
The README file in the source distribution contains some more elaborate
information.
.SH BUGS
File bugs at https://github.com/yarrick/iodine
.SH AUTHORS
Erik Ekman <yarrick@kryo.se> and Bjorn Andersson <flex@kryo.se>. Major
contributions by Anne Bezemer.
================================================
FILE: src/Android.16.mk
================================================
#
# iodine for Android
#
# by Marcel Bokhorst
# http://blog.bokhorst.biz/5123/computers-en-internet/iodine-for-android/
#
# cd iodine-0.6.0-rc1/src
# make base64u.h base64u.c
# .../ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=Android.mk
#
LOCAL_PATH:= $(call my-dir)
HEAD_COMMIT = `git rev-parse --short HEAD`
include $(CLEAR_VARS)
LOCAL_MODULE := iodine
LOCAL_SRC_FILES := tun.c dns.c read.c encoding.c login.c base32.c base64.c base64u.c base128.c md5.c common.c iodine.c client.c util.c
LOCAL_CFLAGS := -c -DANDROID -DLINUX -DIFCONFIGPATH=\"/system/bin/\" -Wall -DGITREVISION=\"$(HEAD_COMMIT)\"
LOCAL_LDLIBS := -lz
LOCAL_CFLAGS += -fPIE
LOCAL_LDFLAGS += -fPIE -pie
include $(BUILD_EXECUTABLE)
================================================
FILE: src/Android.mk
================================================
#
# iodine for Android
#
# by Marcel Bokhorst
# http://blog.bokhorst.biz/5123/computers-en-internet/iodine-for-android/
#
# cd iodine-0.6.0-rc1/src
# make base64u.h base64u.c
# .../ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=Android.mk
#
LOCAL_PATH:= $(call my-dir)
HEAD_COMMIT = `git rev-parse --short HEAD`
include $(CLEAR_VARS)
LOCAL_MODULE := iodine
LOCAL_SRC_FILES := tun.c dns.c read.c encoding.c login.c base32.c base64.c base64u.c base128.c md5.c common.c iodine.c client.c util.c
LOCAL_CFLAGS := -c -DANDROID -DLINUX -DIFCONFIGPATH=\"/system/bin/\" -Wall -DGITREVISION=\"$(HEAD_COMMIT)\"
LOCAL_LDLIBS := -lz
include $(BUILD_EXECUTABLE)
================================================
FILE: src/Makefile
================================================
COMMONOBJS = tun.o dns.o read.o encoding.o login.o base32.o base64.o base64u.o base128.o md5.o common.o
CLIENTOBJS = iodine.o client.o util.o
CLIENT = ../bin/iodine
SERVEROBJS = iodined.o user.o fw_query.o
SERVER = ../bin/iodined
OS = `echo $(TARGETOS) | tr "a-z" "A-Z"`
ARCH = `uname -m`
HEAD_COMMIT = `git rev-parse --short HEAD`
LIBPATH = -L.
LDFLAGS += -lz `sh osflags $(TARGETOS) link` $(LIBPATH)
CFLAGS += -std=c99 -c -g -Wall -D$(OS) -pedantic `sh osflags $(TARGETOS) cflags` -DGITREVISION=\"$(HEAD_COMMIT)\"
CFLAGS += -Wstrict-prototypes -Wtype-limits -Wmissing-declarations -Wmissing-prototypes
all: stateos $(CLIENT) $(SERVER)
stateos:
@echo OS is $(OS), arch is $(ARCH)
$(CLIENT): $(COMMONOBJS) $(CLIENTOBJS)
@echo LD $@
@mkdir -p ../bin
@$(CC) $(COMMONOBJS) $(CLIENTOBJS) -o $(CLIENT) $(LDFLAGS)
$(SERVER): $(COMMONOBJS) $(SERVEROBJS)
@echo LD $@
@mkdir -p ../bin
@$(CC) $(COMMONOBJS) $(SERVEROBJS) -o $(SERVER) $(LDFLAGS)
.c.o:
@echo CC $<
@$(CC) $(CFLAGS) $< -o $@
base64u.c: base64.c
@echo Making $@
@echo '/* No use in editing, produced by Makefile! */' > $@
@sed -e 's/\([Bb][Aa][Ss][Ee]64\)/\1u/g ; s/0123456789+/0123456789_/' < base64.c >> $@
clean:
@echo "Cleaning src/"
@rm -f $(CLIENT){,.exe} $(SERVER){,.exe} *~ *.o *.core base64u.*
@rm -rf obj libs #android stuff
================================================
FILE: src/android_dns.h
================================================
/*
* Copyright (c) 2009 Marcel Bokhorst <marcel@bokhorst.biz>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef __FIX_ANDROID_H__
#define __FIX_ANDROID_H__
/* Newer android platforms can have this data already */
#ifndef C_IN
typedef struct {
unsigned id :16;
unsigned rd :1;
unsigned tc :1;
unsigned aa :1;
unsigned opcode :4;
unsigned qr :1;
unsigned rcode :4;
unsigned cd: 1;
unsigned ad: 1;
unsigned unused :1;
unsigned ra :1;
unsigned qdcount :16;
unsigned ancount :16;
unsigned nscount :16;
unsigned arcount :16;
} HEADER;
#define NOERROR 0
#define FORMERR 1
#define SERVFAIL 2
#define NXDOMAIN 3
#define NOTIMP 4
#define REFUSED 5
#define C_IN 1
#define T_A 1
#define T_CNAME 5
#define T_NULL 10
#define T_MX 15
#define T_TXT 16
#define T_SRV 33
#endif /* !C_IN */
#endif
================================================
FILE: src/base128.c
================================================
/*
* Copyright (C) 2009 J.A.Bezemer@opensourcepartners.nl
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* raw 76543210 76543210 76543210 76543210 76543210 76543210 76543210
* enc 65432106 54321065 43210654 32106543 21065432 10654321 06543210
* ^ ^ ^ ^ ^ ^ ^ ^
*
* 0001 1 0001 1
* 0011 3 0011 3
* 0111 7 0111 7
* 1111 f 0110 6
* 1110 e 0100 4
* 1100 c
* 1000 8
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "encoding.h"
#define BASE128_BLKSIZE_RAW 7
#define BASE128_BLKSIZE_ENC 8
/* Don't use '-' (restricted to middle of labels), prefer iso_8859-1
* accent chars since they might readily be entered in normal use,
* don't use 254-255 because of possible function overloading in DNS systems.
*/
static const unsigned char cb128[] =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
"\274\275\276\277"
"\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317"
"\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337"
"\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357"
"\360\361\362\363\364\365\366\367\370\371\372\373\374\375";
static unsigned char rev128[256];
static int reverse_init = 0;
inline static void base128_reverse_init(void)
{
int i;
unsigned char c;
if (!reverse_init) {
memset(rev128, 0, 256);
for (i = 0; i < 128; i++) {
c = cb128[i];
rev128[(int) c] = i;
}
reverse_init = 1;
}
}
/*
* Fills *buf with max. *buflen characters, encoding size bytes of *data.
*
* NOTE: *buf space should be at least 1 byte _more_ than *buflen
* to hold the trailing '\0'.
*
* return value : #bytes filled in buf (excluding \0)
* sets *buflen to : #bytes encoded from data
*/
static int base128_encode(char *buf, size_t *buflen, const void *data,
size_t size)
{
unsigned char *ubuf = (unsigned char *) buf;
unsigned char *udata = (unsigned char *) data;
int iout = 0; /* to-be-filled output char */
int iin = 0; /* one more than last input byte that can be
successfully decoded */
/* Note: Don't bother to optimize manually. GCC optimizes
better(!) when using simplistic array indexing. */
while (1) {
if (iout >= *buflen || iin >= size)
break;
ubuf[iout] = cb128[((udata[iin] & 0xfe) >> 1)];
iout++;
if (iout >= *buflen || iin >= size) {
iout--; /* previous char is useless */
break;
}
ubuf[iout] = cb128[((udata[iin] & 0x01) << 6) |
((iin + 1 < size) ?
((udata[iin + 1] & 0xfc) >> 2) : 0)];
iin++; /* 0 complete, iin=1 */
iout++;
if (iout >= *buflen || iin >= size)
break;
ubuf[iout] = cb128[((udata[iin] & 0x03) << 5) |
((iin + 1 < size) ?
((udata[iin + 1] & 0xf8) >> 3) : 0)];
iin++; /* 1 complete, iin=2 */
iout++;
if (iout >= *buflen || iin >= size)
break;
ubuf[iout] = cb128[((udata[iin] & 0x07) << 4) |
((iin + 1 < size) ?
((udata[iin + 1] & 0xf0) >> 4) : 0)];
iin++; /* 2 complete, iin=3 */
iout++;
if (iout >= *buflen || iin >= size)
break;
ubuf[iout] = cb128[((udata[iin] & 0x0f) << 3) |
((iin + 1 < size) ?
((udata[iin + 1] & 0xe0) >> 5) : 0)];
iin++; /* 3 complete, iin=4 */
iout++;
if (iout >= *buflen || iin >= size)
break;
ubuf[iout] = cb128[((udata[iin] & 0x1f) << 2) |
((iin + 1 < size) ?
((udata[iin + 1] & 0xc0) >> 6) : 0)];
iin++; /* 4 complete, iin=5 */
iout++;
if (iout >= *buflen || iin >= size)
break;
ubuf[iout] = cb128[((udata[iin] & 0x3f) << 1) |
((iin + 1 < size) ?
((udata[iin + 1] & 0x80) >> 7) : 0)];
iin++; /* 5 complete, iin=6 */
iout++;
if (iout >= *buflen || iin >= size)
break;
ubuf[iout] = cb128[(udata[iin] & 0x7f)];
iin++; /* 6 complete, iin=7 */
iout++;
}
ubuf[iout] = '\0';
/* store number of bytes from data that was used */
*buflen = iin;
return iout;
}
#define REV128(x) rev128[(int) (x)]
/*
* Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
* Decoding stops early when *str contains \0.
* Illegal encoded chars are assumed to decode to zero.
*
* NOTE: *buf space should be at least 1 byte _more_ than *buflen
* to hold a trailing '\0' that is added (though *buf will usually
* contain full-binary data).
*
* return value : #bytes filled in buf (excluding \0)
*/
static int base128_decode(void *buf, size_t *buflen, const char *str,
size_t slen)
{
unsigned char *ustr = (unsigned char *) str;
unsigned char *ubuf = (unsigned char *) buf;
int iout = 0; /* to-be-filled output byte */
int iin = 0; /* next input char to use in decoding */
base128_reverse_init();
/* Note: Don't bother to optimize manually. GCC optimizes
better(!) when using simplistic array indexing. */
while (1) {
if (iout >= *buflen || iin + 1 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0')
break;
ubuf[iout] = ((REV128(ustr[iin]) & 0x7f) << 1) |
((REV128(ustr[iin + 1]) & 0x40) >> 6);
iin++; /* 0 used up, iin=1 */
iout++;
if (iout >= *buflen || iin + 1 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0')
break;
ubuf[iout] = ((REV128(ustr[iin]) & 0x3f) << 2) |
((REV128(ustr[iin + 1]) & 0x60) >> 5);
iin++; /* 1 used up, iin=2 */
iout++;
if (iout >= *buflen || iin + 1 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0')
break;
ubuf[iout] = ((REV128(ustr[iin]) & 0x1f) << 3) |
((REV128(ustr[iin + 1]) & 0x70) >> 4);
iin++; /* 2 used up, iin=3 */
iout++;
if (iout >= *buflen || iin + 1 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0')
break;
ubuf[iout] = ((REV128(ustr[iin]) & 0x0f) << 4) |
((REV128(ustr[iin + 1]) & 0x78) >> 3);
iin++; /* 3 used up, iin=4 */
iout++;
if (iout >= *buflen || iin + 1 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0')
break;
ubuf[iout] = ((REV128(ustr[iin]) & 0x07) << 5) |
((REV128(ustr[iin + 1]) & 0x7c) >> 2);
iin++; /* 4 used up, iin=5 */
iout++;
if (iout >= *buflen || iin + 1 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0')
break;
ubuf[iout] = ((REV128(ustr[iin]) & 0x03) << 6) |
((REV128(ustr[iin + 1]) & 0x7e) >> 1);
iin++; /* 5 used up, iin=6 */
iout++;
if (iout >= *buflen || iin + 1 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0')
break;
ubuf[iout] = ((REV128(ustr[iin]) & 0x01) << 7) |
((REV128(ustr[iin + 1]) & 0x7f));
iin += 2; /* 6,7 used up, iin=8 */
iout++;
}
ubuf[iout] = '\0';
return iout;
}
const struct encoder base128_ops = {
.name = "Base128",
.encode = base128_encode,
.decode = base128_decode,
.places_dots = false,
.eats_dots = false,
.blocksize_raw = BASE128_BLKSIZE_RAW,
.blocksize_encoded = BASE128_BLKSIZE_ENC,
};
================================================
FILE: src/base32.c
================================================
/*
* Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
* 2006-2009 Bjorn Andersson <flex@kryo.se>
* Mostly rewritten 2009 J.A.Bezemer@opensourcepartners.nl
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "encoding.h"
#define BASE32_BLKSIZE_RAW 5
#define BASE32_BLKSIZE_ENC 8
static const char cb32[] =
"abcdefghijklmnopqrstuvwxyz012345";
static const char cb32_ucase[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZ012345";
static unsigned char rev32[256];
static int reverse_init = 0;
inline static void base32_reverse_init(void)
{
int i;
unsigned char c;
if (!reverse_init) {
memset(rev32, 0, 256);
for (i = 0; i < 32; i++) {
c = cb32[i];
rev32[(int) c] = i;
c = cb32_ucase[i];
rev32[(int) c] = i;
}
reverse_init = 1;
}
}
int b32_5to8(int in)
{
return cb32[in & 31];
}
int b32_8to5(int in)
{
base32_reverse_init();
return rev32[in];
}
/*
* Fills *buf with max. *buflen characters, encoding size bytes of *data.
*
* NOTE: *buf space should be at least 1 byte _more_ than *buflen
* to hold the trailing '\0'.
*
* return value : #bytes filled in buf (excluding \0)
* sets *buflen to : #bytes encoded from data
*/
static int base32_encode(char *buf, size_t *buflen, const void *data, size_t size)
{
unsigned char *udata = (unsigned char *) data;
int iout = 0; /* to-be-filled output char */
int iin = 0; /* one more than last input byte that can be
successfully decoded */
/* Note: Don't bother to optimize manually. GCC optimizes
better(!) when using simplistic array indexing. */
while (1) {
if (iout >= *buflen || iin >= size)
break;
buf[iout] = cb32[((udata[iin] & 0xf8) >> 3)];
iout++;
if (iout >= *buflen || iin >= size) {
iout--; /* previous char is useless */
break;
}
buf[iout] = cb32[((udata[iin] & 0x07) << 2) |
((iin + 1 < size) ?
((udata[iin + 1] & 0xc0) >> 6) : 0)];
iin++; /* 0 complete, iin=1 */
iout++;
if (iout >= *buflen || iin >= size)
break;
buf[iout] = cb32[((udata[iin] & 0x3e) >> 1)];
iout++;
if (iout >= *buflen || iin >= size) {
iout--; /* previous char is useless */
break;
}
buf[iout] = cb32[((udata[iin] & 0x01) << 4) |
((iin + 1 < size) ?
((udata[iin + 1] & 0xf0) >> 4) : 0)];
iin++; /* 1 complete, iin=2 */
iout++;
if (iout >= *buflen || iin >= size)
break;
buf[iout] = cb32[((udata[iin] & 0x0f) << 1) |
((iin + 1 < size) ?
((udata[iin + 1] & 0x80) >> 7) : 0)];
iin++; /* 2 complete, iin=3 */
iout++;
if (iout >= *buflen || iin >= size)
break;
buf[iout] = cb32[((udata[iin] & 0x7c) >> 2)];
iout++;
if (iout >= *buflen || iin >= size) {
iout--; /* previous char is useless */
break;
}
buf[iout] = cb32[((udata[iin] & 0x03) << 3) |
((iin + 1 < size) ?
((udata[iin + 1] & 0xe0) >> 5) : 0)];
iin++; /* 3 complete, iin=4 */
iout++;
if (iout >= *buflen || iin >= size)
break;
buf[iout] = cb32[((udata[iin] & 0x1f))];
iin++; /* 4 complete, iin=5 */
iout++;
}
buf[iout] = '\0';
/* store number of bytes from data that was used */
*buflen = iin;
return iout;
}
#define REV32(x) rev32[(int) (x)]
/*
* Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
* Decoding stops early when *str contains \0.
* Illegal encoded chars are assumed to decode to zero.
*
* NOTE: *buf space should be at least 1 byte _more_ than *buflen
* to hold a trailing '\0' that is added (though *buf will usually
* contain full-binary data).
*
* return value : #bytes filled in buf (excluding \0)
*/
static int base32_decode(void *buf, size_t *buflen, const char *str,
size_t slen)
{
unsigned char *ubuf = (unsigned char *) buf;
int iout = 0; /* to-be-filled output byte */
int iin = 0; /* next input char to use in decoding */
base32_reverse_init();
/* Note: Don't bother to optimize manually. GCC optimizes
better(!) when using simplistic array indexing. */
while (1) {
if (iout >= *buflen || iin + 1 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0')
break;
ubuf[iout] = ((REV32(str[iin]) & 0x1f) << 3) |
((REV32(str[iin + 1]) & 0x1c) >> 2);
iin++; /* 0 used up, iin=1 */
iout++;
if (iout >= *buflen || iin + 2 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0' ||
str[iin + 2] == '\0')
break;
ubuf[iout] = ((REV32(str[iin]) & 0x03) << 6) |
((REV32(str[iin + 1]) & 0x1f) << 1) |
((REV32(str[iin + 2]) & 0x10) >> 4);
iin += 2; /* 1,2 used up, iin=3 */
iout++;
if (iout >= *buflen || iin + 1 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0')
break;
ubuf[iout] = ((REV32(str[iin]) & 0x0f) << 4) |
((REV32(str[iin + 1]) & 0x1e) >> 1);
iin++; /* 3 used up, iin=4 */
iout++;
if (iout >= *buflen || iin + 2 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0' ||
str[iin + 2] == '\0')
break;
ubuf[iout] = ((REV32(str[iin]) & 0x01) << 7) |
((REV32(str[iin + 1]) & 0x1f) << 2) |
((REV32(str[iin + 2]) & 0x18) >> 3);
iin += 2; /* 4,5 used up, iin=6 */
iout++;
if (iout >= *buflen || iin + 1 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0')
break;
ubuf[iout] = ((REV32(str[iin]) & 0x07) << 5) |
((REV32(str[iin + 1]) & 0x1f));
iin += 2; /* 6,7 used up, iin=8 */
iout++;
}
ubuf[iout] = '\0';
return iout;
}
const struct encoder base32_ops = {
.name = "Base32",
.encode = base32_encode,
.decode = base32_decode,
.places_dots = false,
.eats_dots = false,
.blocksize_raw = BASE32_BLKSIZE_RAW,
.blocksize_encoded = BASE32_BLKSIZE_ENC,
};
================================================
FILE: src/base64.c
================================================
/*
* Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
* 2006-2009 Bjorn Andersson <flex@kryo.se>
* Mostly rewritten 2009 J.A.Bezemer@opensourcepartners.nl
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "encoding.h"
#define BASE64_BLKSIZE_RAW 3
#define BASE64_BLKSIZE_ENC 4
/* Note: the "unofficial" char is last here, which means that the \377 pattern
in DOWNCODECCHECK1 ('Y' request) will properly test it. */
static const char cb64[] =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789+";
static unsigned char rev64[256];
static int reverse_init = 0;
inline static void base64_reverse_init(void)
{
int i;
unsigned char c;
if (!reverse_init) {
memset(rev64, 0, 256);
for (i = 0; i < 64; i++) {
c = cb64[i];
rev64[(int) c] = i;
}
reverse_init = 1;
}
}
/*
* Fills *buf with max. *buflen characters, encoding size bytes of *data.
*
* NOTE: *buf space should be at least 1 byte _more_ than *buflen
* to hold the trailing '\0'.
*
* return value : #bytes filled in buf (excluding \0)
* sets *buflen to : #bytes encoded from data
*/
static int base64_encode(char *buf, size_t *buflen, const void *data,
size_t size)
{
unsigned char *udata = (unsigned char *) data;
int iout = 0; /* to-be-filled output char */
int iin = 0; /* one more than last input byte that can be
successfully decoded */
/* Note: Don't bother to optimize manually. GCC optimizes
better(!) when using simplistic array indexing. */
while (1) {
if (iout >= *buflen || iin >= size)
break;
buf[iout] = cb64[((udata[iin] & 0xfc) >> 2)];
iout++;
if (iout >= *buflen || iin >= size) {
iout--; /* previous char is useless */
break;
}
buf[iout] = cb64[((udata[iin] & 0x03) << 4) |
((iin + 1 < size) ?
((udata[iin + 1] & 0xf0) >> 4) : 0)];
iin++; /* 0 complete, iin=1 */
iout++;
if (iout >= *buflen || iin >= size)
break;
buf[iout] = cb64[((udata[iin] & 0x0f) << 2) |
((iin + 1 < size) ?
((udata[iin + 1] & 0xc0) >> 6) : 0)];
iin++; /* 1 complete, iin=2 */
iout++;
if (iout >= *buflen || iin >= size)
break;
buf[iout] = cb64[(udata[iin] & 0x3f)];
iin++; /* 2 complete, iin=3 */
iout++;
}
buf[iout] = '\0';
/* store number of bytes from data that was used */
*buflen = iin;
return iout;
}
#define REV64(x) rev64[(int) (x)]
/*
* Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
* Decoding stops early when *str contains \0.
* Illegal encoded chars are assumed to decode to zero.
*
* NOTE: *buf space should be at least 1 byte _more_ than *buflen
* to hold a trailing '\0' that is added (though *buf will usually
* contain full-binary data).
*
* return value : #bytes filled in buf (excluding \0)
*/
static int base64_decode(void *buf, size_t *buflen, const char *str,
size_t slen)
{
unsigned char *ubuf = (unsigned char *) buf;
int iout = 0; /* to-be-filled output byte */
int iin = 0; /* next input char to use in decoding */
base64_reverse_init();
/* Note: Don't bother to optimize manually. GCC optimizes
better(!) when using simplistic array indexing. */
while (1) {
if (iout >= *buflen || iin + 1 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0')
break;
ubuf[iout] = ((REV64(str[iin]) & 0x3f) << 2) |
((REV64(str[iin + 1]) & 0x30) >> 4);
iin++; /* 0 used up, iin=1 */
iout++;
if (iout >= *buflen || iin + 1 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0')
break;
ubuf[iout] = ((REV64(str[iin]) & 0x0f) << 4) |
((REV64(str[iin + 1]) & 0x3c) >> 2);
iin++; /* 1 used up, iin=2 */
iout++;
if (iout >= *buflen || iin + 1 >= slen ||
str[iin] == '\0' || str[iin + 1] == '\0')
break;
ubuf[iout] = ((REV64(str[iin]) & 0x03) << 6) |
(REV64(str[iin + 1]) & 0x3f);
iin += 2; /* 2,3 used up, iin=4 */
iout++;
}
ubuf[iout] = '\0';
return iout;
}
const struct encoder base64_ops = {
.name = "Base64",
.encode = base64_encode,
.decode = base64_decode,
.places_dots = false,
.eats_dots = false,
.blocksize_raw = BASE64_BLKSIZE_RAW,
.blocksize_encoded = BASE64_BLKSIZE_ENC,
};
================================================
FILE: src/client.c
================================================
/*
* Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
* 2006-2009 Bjorn Andersson <flex@kryo.se>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <ctype.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/time.h>
#include <fcntl.h>
#include <zlib.h>
#include <time.h>
#ifdef WINDOWS32
#include "windows.h"
#else
#include <arpa/nameser.h>
#ifdef ANDROID
#include "android_dns.h"
#endif
#ifdef DARWIN
#define BIND_8_COMPAT
#include <arpa/nameser_compat.h>
#endif
#include <grp.h>
#include <pwd.h>
#include <netdb.h>
#endif
#include "common.h"
#include "encoding.h"
#include "dns.h"
#include "login.h"
#include "tun.h"
#include "version.h"
#include "client.h"
static void handshake_lazyoff(int dns_fd);
static int running;
static const char *password;
static struct sockaddr_storage nameserv;
static int nameserv_len;
static struct sockaddr_storage raw_serv;
static int raw_serv_len;
static const char *topdomain;
static uint16_t rand_seed;
/* Current up/downstream IP packet */
static struct packet outpkt;
static struct packet inpkt;
int outchunkresent = 0;
/* My userid at the server */
static char userid;
static char userid_char; /* used when sending (lowercase) */
static char userid_char2; /* also accepted when receiving (uppercase) */
/* DNS id for next packet */
static uint16_t chunkid;
static uint16_t chunkid_prev;
static uint16_t chunkid_prev2;
/* The encoder used for data packets
* Defaults to Base32, can be changed after handshake */
const static struct encoder *dataenc = &base32_ops;
/* The encoder to use for downstream data */
static char downenc = ' ';
/* set query type to send */
static unsigned short do_qtype = T_UNSET;
/* My connection mode */
static enum connection conn;
static int selecttimeout; /* RFC says timeout minimum 5sec */
static int lazymode;
static long send_ping_soon;
static time_t lastdownstreamtime;
static long send_query_sendcnt = -1;
static long send_query_recvcnt = 0;
static int hostname_maxlen = 0xFF;
void
client_init(void)
{
running = 1;
rand_seed = ((unsigned int) rand()) & 0xFFFF;
send_ping_soon = 1; /* send ping immediately after startup */
conn = CONN_DNS_NULL;
chunkid = ((unsigned int) rand()) & 0xFFFF;
chunkid_prev = 0;
chunkid_prev2 = 0;
outpkt.len = 0;
outpkt.seqno = 0;
outpkt.fragment = 0;
outchunkresent = 0;
inpkt.len = 0;
inpkt.seqno = 0;
inpkt.fragment = 0;
}
void
client_stop(void)
{
running = 0;
}
enum connection
client_get_conn(void)
{
return conn;
}
void
client_set_nameserver(struct sockaddr_storage *addr, int addrlen)
{
memcpy(&nameserv, addr, addrlen);
nameserv_len = addrlen;
}
void
client_set_topdomain(const char *cp)
{
topdomain = cp;
}
void
client_set_password(const char *cp)
{
password = cp;
}
int
client_set_qtype(char *qtype)
{
if (!strcasecmp(qtype, "NULL"))
do_qtype = T_NULL;
else if (!strcasecmp(qtype, "PRIVATE"))
do_qtype = T_PRIVATE;
else if (!strcasecmp(qtype, "CNAME"))
do_qtype = T_CNAME;
else if (!strcasecmp(qtype, "A"))
do_qtype = T_A;
else if (!strcasecmp(qtype, "MX"))
do_qtype = T_MX;
else if (!strcasecmp(qtype, "SRV"))
do_qtype = T_SRV;
else if (!strcasecmp(qtype, "TXT"))
do_qtype = T_TXT;
return (do_qtype == T_UNSET);
}
char *
client_get_qtype(void)
{
char *c = "UNDEFINED";
if (do_qtype == T_NULL) c = "NULL";
else if (do_qtype == T_PRIVATE) c = "PRIVATE";
else if (do_qtype == T_CNAME) c = "CNAME";
else if (do_qtype == T_A) c = "A";
else if (do_qtype == T_MX) c = "MX";
else if (do_qtype == T_SRV) c = "SRV";
else if (do_qtype == T_TXT) c = "TXT";
return c;
}
void
client_set_downenc(char *encoding)
{
if (!strcasecmp(encoding, "base32"))
downenc = 'T';
else if (!strcasecmp(encoding, "base64"))
downenc = 'S';
else if (!strcasecmp(encoding, "base64u"))
downenc = 'U';
else if (!strcasecmp(encoding, "base128"))
downenc = 'V';
else if (!strcasecmp(encoding, "raw"))
downenc = 'R';
}
void
client_set_selecttimeout(int select_timeout)
{
selecttimeout = select_timeout;
}
void
client_set_lazymode(int lazy_mode)
{
lazymode = lazy_mode;
}
void
client_set_hostname_maxlen(int i)
{
if (i <= 0xFF)
hostname_maxlen = i;
}
const char *
client_get_raw_addr(void)
{
return format_addr(&raw_serv, raw_serv_len);
}
static void
send_query(int fd, char *hostname)
{
char packet[4096];
struct query q;
size_t len;
chunkid_prev2 = chunkid_prev;
chunkid_prev = chunkid;
chunkid += 7727;
if (chunkid == 0)
/* 0 is used as "no-query" in iodined.c */
chunkid = 7727;
q.id = chunkid;
q.type = do_qtype;
len = dns_encode(packet, sizeof(packet), &q, QR_QUERY, hostname, strlen(hostname));
if (len < 1) {
warnx("dns_encode doesn't fit");
return;
}
#if 0
fprintf(stderr, " Sendquery: id %5d name[0] '%c'\n", q.id, hostname[0]);
#endif
sendto(fd, packet, len, 0, (struct sockaddr*)&nameserv, nameserv_len);
/* There are DNS relays that time out quickly but don't send anything
back on timeout.
And there are relays where, in lazy mode, our new query apparently
_replaces_ our previous query, and we get no answers at all in
lazy mode while legacy immediate-ping-pong works just fine.
Here we detect and fix these situations.
(Can't very well do this anywhere else; this is the only place
we'll reliably get to in such situations.)
*/
if (send_query_sendcnt >= 0 && send_query_sendcnt < 100 && lazymode) {
send_query_sendcnt++;
if ((send_query_sendcnt > 6 && send_query_recvcnt <= 0) ||
(send_query_sendcnt > 10 &&
4 * send_query_recvcnt < send_query_sendcnt)) {
if (selecttimeout > 1) {
warnx("Receiving too few answers. Setting interval to 1 (-I1)");
selecttimeout = 1;
/* restart counting */
send_query_sendcnt = 0;
send_query_recvcnt = 0;
} else if (lazymode) {
warnx("Receiving too few answers. Will try to switch lazy mode off, but that may not always work any more. Start with -L0 next time on this network.");
lazymode = 0;
selecttimeout = 1;
handshake_lazyoff(fd);
}
}
}
}
static void
send_raw(int fd, char *buf, int buflen, int cmd)
{
char packet[4096];
int len;
len = MIN(sizeof(packet) - RAW_HDR_LEN, buflen);
memcpy(packet, raw_header, RAW_HDR_LEN);
if (len) {
memcpy(&packet[RAW_HDR_LEN], buf, len);
}
len += RAW_HDR_LEN;
packet[RAW_HDR_CMD] = cmd | (userid & 0x0F);
sendto(fd, packet, len, 0, (struct sockaddr*)&raw_serv, sizeof(raw_serv));
}
static void
send_raw_data(int dns_fd)
{
send_raw(dns_fd, outpkt.data, outpkt.len, RAW_HDR_CMD_DATA);
outpkt.len = 0;
}
static void
send_packet(int fd, char cmd, const char *data, const size_t datalen)
{
char buf[4096];
buf[0] = cmd;
build_hostname(buf + 1, sizeof(buf) - 1, data, datalen, topdomain,
&base32_ops, hostname_maxlen);
send_query(fd, buf);
}
static inline int is_sending(void)
{
return (outpkt.len != 0);
}
static void
send_chunk(int fd)
{
char buf[4096];
int avail;
int code;
char *p;
static int datacmc = 0;
char *datacmcchars = "abcdefghijklmnopqrstuvwxyz0123456789";
p = outpkt.data;
p += outpkt.offset;
avail = outpkt.len - outpkt.offset;
/* Note: must be same, or smaller than send_fragsize_probe() */
outpkt.sentlen = build_hostname(buf + 5, sizeof(buf) - 5, p, avail,
topdomain, dataenc, hostname_maxlen);
/* Build upstream data header (see doc/proto_xxxxxxxx.txt) */
buf[0] = userid_char; /* First byte is hex userid */
code = ((outpkt.seqno & 7) << 2) | ((outpkt.fragment & 15) >> 2);
buf[1] = b32_5to8(code); /* Second byte is 3 bits seqno, 2 upper bits fragment count */
code = ((outpkt.fragment & 3) << 3) | (inpkt.seqno & 7);
buf[2] = b32_5to8(code); /* Third byte is 2 bits lower fragment count, 3 bits downstream packet seqno */
code = ((inpkt.fragment & 15) << 1) | (outpkt.sentlen == avail);
buf[3] = b32_5to8(code); /* Fourth byte is 4 bits downstream fragment count, 1 bit last frag flag */
buf[4] = datacmcchars[datacmc]; /* Fifth byte is data-CMC */
datacmc++;
if (datacmc >= 36)
datacmc = 0;
#if 0
fprintf(stderr, " Send: down %d/%d up %d/%d, %d bytes\n",
inpkt.seqno, inpkt.fragment, outpkt.seqno, outpkt.fragment,
outpkt.sentlen);
#endif
send_query(fd, buf);
}
static void
send_ping(int fd)
{
if (conn == CONN_DNS_NULL) {
char data[4];
data[0] = userid;
data[1] = ((inpkt.seqno & 7) << 4) | (inpkt.fragment & 15);
data[2] = (rand_seed >> 8) & 0xff;
data[3] = (rand_seed >> 0) & 0xff;
rand_seed++;
#if 0
fprintf(stderr, " Send: down %d/%d (ping)\n",
inpkt.seqno, inpkt.fragment);
#endif
send_packet(fd, 'p', data, sizeof(data));
} else {
send_raw(fd, NULL, 0, RAW_HDR_CMD_PING);
}
}
static void
write_dns_error(struct query *q, int ignore_some_errors)
/* This is called from:
1. handshake_waitdns() when already checked that reply fits to our
latest query.
2. tunnel_dns() when already checked that reply is for our ping or data
packet, but not necessarily the most recent (SERVFAIL mostly comes
after long delay).
So ignorable errors are never printed.
*/
{
if (!q) return;
switch (q->rcode) {
case NOERROR: /* 0 */
if (!ignore_some_errors)
warnx("Got reply without error, but also without question and/or answer");
break;
case FORMERR: /* 1 */
warnx("Got FORMERR as reply: server does not understand our request");
break;
case SERVFAIL: /* 2 */
if (!ignore_some_errors)
warnx("Got SERVFAIL as reply: server failed or recursion timeout");
break;
case NXDOMAIN: /* 3 */
warnx("Got NXDOMAIN as reply: domain does not exist");
break;
case NOTIMP: /* 4 */
warnx("Got NOTIMP as reply: server does not support our request");
break;
case REFUSED: /* 5 */
warnx("Got REFUSED as reply");
break;
default:
warnx("Got RCODE %u as reply", q->rcode);
break;
}
}
static int
dns_namedec(char *outdata, int outdatalen, char *buf, int buflen)
/* Decodes *buf to *outdata.
* *buf WILL be changed by undotify.
* Note: buflen must be _exactly_ strlen(buf) before undotifying.
* (undotify of reduced-len won't copy \0, base-X decode will decode too much.)
* Returns #bytes usefully filled in outdata.
*/
{
size_t outdatalenu = outdatalen;
switch (buf[0]) {
case 'h': /* Hostname with base32 */
case 'H':
/* Need 1 byte H, 3 bytes ".xy", >=1 byte data */
if (buflen < 5)
return 0;
/* this also does undotify */
return unpack_data(outdata, outdatalen, buf + 1, buflen - 4,
&base32_ops);
case 'i': /* Hostname++ with base64 */
case 'I':
/* Need 1 byte I, 3 bytes ".xy", >=1 byte data */
if (buflen < 5)
return 0;
/* this also does undotify */
return unpack_data(outdata, outdatalen, buf + 1, buflen - 4,
&base64_ops);
case 'j': /* Hostname++ with base64u */
case 'J':
/* Need 1 byte J, 3 bytes ".xy", >=1 byte data */
if (buflen < 5)
return 0;
/* this also does undotify */
return unpack_data(outdata, outdatalen, buf + 1, buflen - 4,
&base64u_ops);
case 'k': /* Hostname++ with base128 */
case 'K':
/* Need 1 byte J, 3 bytes ".xy", >=1 byte data */
if (buflen < 5)
return 0;
/* this also does undotify */
return unpack_data(outdata, outdatalen, buf + 1, buflen - 4,
&base128_ops);
case 't': /* plain base32(Thirty-two) from TXT */
case 'T':
if (buflen < 2)
return 0;
return base32_ops.decode(outdata, &outdatalenu, buf + 1, buflen - 1);
case 's': /* plain base64(Sixty-four) from TXT */
case 'S':
if (buflen < 2)
return 0;
return base64_ops.decode(outdata, &outdatalenu, buf + 1, buflen - 1);
case 'u': /* plain base64u (Underscore) from TXT */
case 'U':
if (buflen < 2)
return 0;
return base64_ops.decode(outdata, &outdatalenu, buf + 1, buflen - 1);
case 'v': /* plain base128 from TXT */
case 'V':
if (buflen < 2)
return 0;
return base128_ops.decode(outdata, &outdatalenu, buf + 1, buflen - 1);
case 'r': /* Raw binary from TXT */
case 'R':
/* buflen>=1 already checked */
buflen--;
buflen = MIN(buflen, outdatalen);
memcpy(outdata, buf + 1, buflen);
return buflen;
default:
warnx("Received unsupported encoding");
return 0;
}
/* notreached */
return 0;
}
static int
read_dns_withq(int dns_fd, int tun_fd, char *buf, int buflen, struct query *q)
/* FIXME: tun_fd needed for raw handling */
/* Returns -1 on receive error or decode error, including DNS error replies.
Returns 0 on replies that could be correct but are useless, and are not
DNS error replies.
Returns >0 on correct replies; value is #valid bytes in *buf.
*/
{
struct sockaddr_storage from;
char data[64*1024];
socklen_t addrlen;
int r;
addrlen = sizeof(from);
if ((r = recvfrom(dns_fd, data, sizeof(data), 0,
(struct sockaddr*)&from, &addrlen)) < 0) {
warn("recvfrom");
return -1;
}
if (conn == CONN_DNS_NULL) {
int rv;
if (r <= 0)
/* useless packet */
return 0;
rv = dns_decode(buf, buflen, q, QR_ANSWER, data, r);
if (rv <= 0)
return rv;
if (q->type == T_CNAME || q->type == T_TXT)
/* CNAME can also be returned from an A question */
{
/*
* buf is a hostname or txt stream that we still need to
* decode to binary
*
* also update rv with the number of valid bytes
*
* data is unused here, and will certainly hold the smaller binary
*/
rv = dns_namedec(data, sizeof(data), buf, rv);
rv = MIN(rv, buflen);
if (rv > 0)
memcpy(buf, data, rv);
} else if (q->type == T_MX || q->type == T_SRV) {
/* buf is like "Hname.com\0Hanother.com\0\0" */
int buftotal = rv; /* idx of last \0 */
int bufoffset = 0;
int dataoffset = 0;
int thispartlen, dataspace, datanew;
while (1) {
thispartlen = strlen(buf);
thispartlen = MIN(thispartlen, buftotal-bufoffset);
dataspace = sizeof(data) - dataoffset;
if (thispartlen <= 0 || dataspace <= 0)
break;
datanew = dns_namedec(data + dataoffset, dataspace,
buf + bufoffset, thispartlen);
if (datanew <= 0)
break;
bufoffset += thispartlen + 1;
dataoffset += datanew;
}
rv = dataoffset;
rv = MIN(rv, buflen);
if (rv > 0)
memcpy(buf, data, rv);
}
return rv;
} else { /* CONN_RAW_UDP */
unsigned long datalen;
char buf[64*1024];
/* minimum length */
if (r < RAW_HDR_LEN) return 0;
/* should start with header */
if (memcmp(data, raw_header, RAW_HDR_IDENT_LEN)) return 0;
/* should be my user id */
if (RAW_HDR_GET_USR(data) != userid) return 0;
if (RAW_HDR_GET_CMD(data) == RAW_HDR_CMD_DATA ||
RAW_HDR_GET_CMD(data) == RAW_HDR_CMD_PING)
lastdownstreamtime = time(NULL);
/* should be data packet */
if (RAW_HDR_GET_CMD(data) != RAW_HDR_CMD_DATA) return 0;
r -= RAW_HDR_LEN;
datalen = sizeof(buf);
if (uncompress((uint8_t*)buf, &datalen, (uint8_t*) &data[RAW_HDR_LEN], r) == Z_OK) {
write_tun(tun_fd, buf, datalen);
}
/* don't process any further */
return 0;
}
}
static int
handshake_waitdns(int dns_fd, char *buf, int buflen, char c1, char c2, int timeout)
/* Wait for DNS reply fitting to our latest query and returns it.
Returns length of reply = #bytes used in buf.
Returns 0 if fitting reply happens to be useless.
Returns -2 on (at least) DNS error that fits to our latest query,
error message already printed.
Returns -3 on timeout (given in seconds).
Returns -1 on other errors.
Timeout is restarted when "wrong" (previous/delayed) replies are received,
so effective timeout may be longer than specified.
*/
{
struct query q;
int r, rv;
fd_set fds;
struct timeval tv;
while (1) {
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(dns_fd, &fds);
r = select(dns_fd + 1, &fds, NULL, NULL, &tv);
if (r < 0)
return -1; /* select error */
if (r == 0)
return -3; /* select timeout */
q.id = 0;
q.name[0] = '\0';
rv = read_dns_withq(dns_fd, 0, buf, buflen, &q);
if (q.id != chunkid || (q.name[0] != c1 && q.name[0] != c2)) {
#if 0
fprintf(stderr, "Ignoring unfitting reply id %d starting with '%c'\n", q.id, q.name[0]);
#endif
continue;
}
/* if still here: reply matches our latest query */
/* Non-recursive DNS servers (such as [a-m].root-servers.net)
return no answer, but only additional and authority records.
Can't explicitly test for that here, just assume that
NOERROR is such situation. Only trigger on the very first
requests (Y or V, depending if -T given).
*/
if (rv < 0 && q.rcode == NOERROR &&
(q.name[0] == 'Y' || q.name[0] == 'y' ||
q.name[0] == 'V' || q.name[0] == 'v')) {
fprintf(stderr, "Got empty reply. This nameserver may not be resolving recursively, use another.\n");
fprintf(stderr, "Try \"iodine [options] ns.%s %s\" first, it might just work.\n",
topdomain, topdomain);
return -2;
}
/* If we get an immediate SERVFAIL on the handshake query
we're waiting for, wait a while before sending the next.
SERVFAIL reliably happens during fragsize autoprobe, but
mostly long after we've moved along to some other queries.
However, some DNS relays, once they throw a SERVFAIL, will
for several seconds apply it immediately to _any_ new query
for the same topdomain. When this happens, waiting a while
is the only option that works.
*/
if (rv < 0 && q.rcode == SERVFAIL)
sleep(1);
if (rv < 0) {
write_dns_error(&q, 1);
return -2;
}
/* rv either 0 or >0, return it as is. */
return rv;
}
/* not reached */
return -1;
}
static int
tunnel_tun(int tun_fd, int dns_fd)
{
unsigned long outlen;
unsigned long inlen;
char out[64*1024];
char in[64*1024];
ssize_t read;
if ((read = read_tun(tun_fd, in, sizeof(in))) <= 0)
return -1;
/* We may be here only to empty the tun device; then return -1
to force continue in select loop. */
if (is_sending())
return -1;
outlen = sizeof(out);
inlen = read;
compress2((uint8_t*)out, &outlen, (uint8_t*)in, inlen, 9);
memcpy(outpkt.data, out, MIN(outlen, sizeof(outpkt.data)));
outpkt.sentlen = 0;
outpkt.offset = 0;
outpkt.seqno = (outpkt.seqno + 1) & 7;
outpkt.len = outlen;
outpkt.fragment = 0;
outchunkresent = 0;
if (conn == CONN_DNS_NULL) {
send_chunk(dns_fd);
send_ping_soon = 0;
} else {
send_raw_data(dns_fd);
}
return read;
}
static int
tunnel_dns(int tun_fd, int dns_fd)
{
static long packrecv = 0;
static long packrecv_oos = 0;
static long packrecv_servfail = 0;
int up_ack_seqno;
int up_ack_fragment;
int new_down_seqno;
int new_down_fragment;
struct query q;
unsigned long datalen;
char buf[64*1024];
int read;
int send_something_now = 0;
memset(q.name, 0, sizeof(q.name));
read = read_dns_withq(dns_fd, tun_fd, buf, sizeof(buf), &q);
if (conn != CONN_DNS_NULL)
return 1; /* everything already done */
#if 0
fprintf(stderr, " Recv: id %5d name[0]='%c'\n",
q.id, q.name[0]);
#endif
/* Don't process anything that isn't data for us; usually error
replies from fragsize probes etc. However a sequence of those,
mostly 1 sec apart, will continuously break the >=2-second select
timeout, which means we won't send a proper ping for a while.
So make select a bit faster, <1sec. */
if (q.name[0] != 'P' && q.name[0] != 'p' &&
q.name[0] != userid_char && q.name[0] != userid_char2) {
send_ping_soon = 700;
return -1; /* nothing done */
}
if (read < 2) {
/* Maybe SERVFAIL etc. Send ping to get things back in order,
but wait a bit to prevent fast ping-pong loops. */
if (read < 0)
write_dns_error(&q, 0);
if (read < 0 && q.rcode == SERVFAIL && lazymode &&
selecttimeout > 1) {
if (packrecv < 500 && packrecv_servfail < 4) {
packrecv_servfail++;
warnx("Hmm, that's %ld. Your data should still go through...", packrecv_servfail);
} else if (packrecv < 500 && packrecv_servfail == 4) {
packrecv_servfail++;
warnx("I think %ld is too many. Setting interval to 1 to hopefully reduce SERVFAILs. But just ignore them if data still comes through. (Use -I1 next time on this network.)", packrecv_servfail);
selecttimeout = 1;
send_query_sendcnt = 0;
send_query_recvcnt = 0;
} else if (packrecv >= 500 && packrecv_servfail > 0) {
warnx("(Sorry, stopped counting; try -I1 if you experience hiccups.)");
packrecv_servfail = 0;
}
}
/* read == 1 happens with "QMEM" illegal replies, caused by
heavy reordering, or after short disconnections when
data-CMC has looped around into the "duplicate" values.
All these cases are helped by faster pinging. */
#if 0
if (read == 1)
fprintf(stderr, " q=%c id %5d 1-byte illegal \"QMEM\" reply\n", q.name[0], q.id);
#endif
send_ping_soon = 900;
return -1; /* nothing done */
}
if (read == 5 && !strncmp("BADIP", buf, 5)) {
warnx("BADIP: Server rejected sender IP address (maybe iodined -c will help), or server kicked us due to timeout. Will exit if no downstream data is received in 60 seconds.");
return -1; /* nothing done */
}
if (send_ping_soon) {
send_something_now = 1;
send_ping_soon = 0;
}
/* Decode the data header, update seqno and frag;
already checked read>=2
Note that buf[] gets overwritten when down-pkt complete */
new_down_seqno = (buf[1] >> 5) & 7;
new_down_fragment = (buf[1] >> 1) & 15;
up_ack_seqno = (buf[0] >> 4) & 7;
up_ack_fragment = buf[0] & 15;
#if 0
fprintf(stderr, " Recv: id %5d down %d/%d up %d/%d, %d bytes\n",
q.id, new_down_seqno, new_down_fragment, up_ack_seqno,
up_ack_fragment, read);
#endif
/* Downstream data traffic */
if (read > 2 && new_down_seqno != inpkt.seqno &&
recent_seqno(inpkt.seqno, new_down_seqno)) {
/* This is the previous seqno, or a bit earlier.
Probably out-of-sequence dupe due to unreliable
intermediary DNS. Don't get distracted, but send
ping quickly to get things back in order.
Ping will send our current seqno idea.
If it's really a new packet that skipped multiple seqnos
(why??), server will re-send and drop a few times and
eventually everything will work again. */
read = 2;
send_ping_soon = 500;
/* Still process upstream ack, if any */
}
if (!(packrecv & 0x1000000))
packrecv++;
send_query_recvcnt++; /* overflow doesn't matter */
/* Don't process any non-recent stuff any further.
No need to remember more than 3 ids: in practice any older replies
arrive after new/current replies, and whatever data the old replies
have, it has become useless in the mean time.
Actually, ever since iodined is replying to both the original query
and the last dupe, this hardly triggers any more.
*/
if (q.id != chunkid && q.id != chunkid_prev && q.id != chunkid_prev2) {
packrecv_oos++;
#if 0
fprintf(stderr, " q=%c Packs received = %8ld Out-of-sequence = %8ld\n", q.name[0], packrecv, packrecv_oos);
#endif
if (lazymode && packrecv < 1000 && packrecv_oos == 5) {
if (selecttimeout > 1)
warnx("Hmm, getting some out-of-sequence DNS replies. Setting interval to 1 (use -I1 next time on this network). If data traffic still has large hiccups, try if -L0 works better.");
else
warnx("Hmm, getting some out-of-sequence DNS replies. If data traffic often has large hiccups, try running with -L0 .");
selecttimeout = 1;
send_query_sendcnt = 0;
send_query_recvcnt = 0;
}
if (send_something_now) {
send_ping(dns_fd);
send_ping_soon = 0;
}
return -1; /* nothing done */
}
#if 0
fprintf(stderr, " q=%c Packs received = %8ld Out-of-sequence = %8ld\n", q.name[0], packrecv, packrecv_oos);
#endif
/* Okay, we have a recent downstream packet */
lastdownstreamtime = time(NULL);
/* In lazy mode, we shouldn't get much replies to our most-recent
query, only during heavy data transfer. Since this means the server
doesn't have any packets left, send one relatively fast (but not
too fast, to avoid runaway ping-pong loops..) */
if (q.id == chunkid && lazymode) {
if (!send_ping_soon || send_ping_soon > 900)
send_ping_soon = 900;
}
if (read == 2 && new_down_seqno != inpkt.seqno &&
!recent_seqno(inpkt.seqno, new_down_seqno)) {
/* This is a seqno that we didn't see yet, but it has
no data any more. Possible since iodined will send
fitting packs just once and not wait for ack.
Real data got lost, or will arrive shortly.
Update our idea of the seqno, and drop any waiting
old pack. Send ping to get things back on track. */
inpkt.seqno = new_down_seqno;
inpkt.fragment = new_down_fragment;
inpkt.len = 0;
send_ping_soon = 500;
}
while (read > 2) {
/* "if" with easy exit */
if (new_down_seqno != inpkt.seqno) {
/* New packet (and not dupe of recent; checked above) */
/* Forget any old packet, even if incomplete */
inpkt.seqno = new_down_seqno;
inpkt.fragment = new_down_fragment; /* hopefully 0 */
inpkt.len = 0;
} else if (inpkt.fragment == 0 && new_down_fragment == 0 &&
inpkt.len == 0) {
/* Weird situation: we probably got a no-data reply
for this seqno (see above), and the actual data
is following now. */
/* okay, nothing to do here, just so that next else-if
doesn't trigger */
} else if (new_down_fragment <= inpkt.fragment) {
/* Same packet but duplicate fragment, ignore.
If the server didn't get our ack for it, the next
ping or chunk will do that. */
send_ping_soon = 500;
break;
} else if (new_down_fragment > inpkt.fragment + 1) {
/* Quite impossible. We missed a fragment, but the
server got our ack for it and is sending the next
fragment already. Don't handle it but let server
re-send and drop. */
send_ping_soon = 500;
break;
}
inpkt.fragment = new_down_fragment;
datalen = MIN(read - 2, sizeof(inpkt.data) - inpkt.len);
/* we are here only when read > 2, so datalen "always" >=1 */
/* Skip 2 byte data header and append to packet */
memcpy(&inpkt.data[inpkt.len], &buf[2], datalen);
inpkt.len += datalen;
if (buf[1] & 1) { /* If last fragment flag is set */
/* Uncompress packet and send to tun */
/* RE-USES buf[] */
datalen = sizeof(buf);
if (uncompress((uint8_t*)buf, &datalen, (uint8_t*) inpkt.data, inpkt.len) == Z_OK) {
write_tun(tun_fd, buf, datalen);
}
inpkt.len = 0;
/* Keep .seqno and .fragment as is, so that we won't
reassemble from duplicate fragments */
}
/* Send anything to ack the received seqno/frag, and get more */
if (inpkt.len == 0) {
/* was last frag; wait just a trifle because our
tun will probably return TCP-ack immediately.
5msec = 200 DNSreq/sec */
send_ping_soon = 5;
} else {
/* server certainly has more data */
send_something_now = 1;
}
break;
}
/* NOTE: buf[] was overwritten when down-packet complete */
/* Upstream data traffic */
if (is_sending()) {
/* already checked read>=2 */
#if 0
fprintf(stderr, "Got ack for %d,%d - expecting %d,%d - id=%d cur=%d prev=%d prev2=%d\n",
up_ack_seqno, up_ack_fragment, outpkt.seqno, outpkt.fragment,
q.id, chunkid, chunkid_prev, chunkid_prev2);
#endif
if (up_ack_seqno == outpkt.seqno &&
up_ack_fragment == outpkt.fragment) {
/* Okay, previously sent fragment has arrived */
outpkt.offset += outpkt.sentlen;
if (outpkt.offset >= outpkt.len) {
/* Packet completed */
outpkt.offset = 0;
outpkt.len = 0;
outpkt.sentlen = 0;
outchunkresent = 0;
/* Normally, server still has a query in queue,
but sometimes not. So send a ping.
(Comment this out and you'll see occasional
hiccups.)
But since the server often still has a
query and we can expect a TCP-ack returned
from our tun device quickly in many cases,
don't be too fast.
20msec still is 50 DNSreq/second... */
if (!send_ping_soon || send_ping_soon > 20)
send_ping_soon = 20;
} else {
/* More to send */
outpkt.fragment++;
outchunkresent = 0;
send_chunk(dns_fd);
send_ping_soon = 0;
send_something_now = 0;
}
}
/* else: Some wrong fragment has arrived, or old fragment is
acked again, mostly by ping responses.
Don't resend chunk, usually not needed; select loop will
re-send on timeout (1sec if is_sending()). */
}
/* Send ping if we didn't send anything yet */
if (send_something_now) {
send_ping(dns_fd);
send_ping_soon = 0;
}
return read;
}
int
client_tunnel(int tun_fd, int dns_fd)
{
struct timeval tv;
fd_set fds;
int rv;
int i;
rv = 0;
lastdownstreamtime = time(NULL);
send_query_sendcnt = 0; /* start counting now */
while (running) {
tv.tv_sec = selecttimeout;
tv.tv_usec = 0;
if (is_sending()) {
/* fast timeout for retransmits */
tv.tv_sec = 1;
tv.tv_usec = 0;
}
if (send_ping_soon) {
tv.tv_sec = 0;
tv.tv_usec = send_ping_soon * 1000;
}
FD_ZERO(&fds);
if (!is_sending() || outchunkresent >= 2) {
/* If re-sending upstream data, chances are that
we're several seconds behind already and TCP
will start filling tun buffer with (useless)
retransmits.
Get up-to-date fast by simply dropping stuff,
that's what TCP is designed to handle. */
FD_SET(tun_fd, &fds);
}
FD_SET(dns_fd, &fds);
i = select(MAX(tun_fd, dns_fd) + 1, &fds, NULL, NULL, &tv);
if (lastdownstreamtime + 60 < time(NULL)) {
warnx("No downstream data received in 60 seconds, shutting down.");
running = 0;
}
if (running == 0)
break;
if (i < 0)
err(1, "select");
if (i == 0) {
/* timeout */
if (is_sending()) {
/* Re-send current fragment; either frag
or ack probably dropped somewhere.
But problem: no cache-miss-counter,
so hostname will be identical.
Just drop whole packet after 3 retries,
and TCP retransmit will solve it.
NOTE: tun dropping above should be
>=(value_here - 1) */
if (outchunkresent < 3) {
outchunkresent++;
send_chunk(dns_fd);
} else {
outpkt.offset = 0;
outpkt.len = 0;
outpkt.sentlen = 0;
outchunkresent = 0;
send_ping(dns_fd);
}
} else {
send_ping(dns_fd);
}
send_ping_soon = 0;
} else {
if (FD_ISSET(tun_fd, &fds)) {
if (tunnel_tun(tun_fd, dns_fd) <= 0)
continue;
/* Returns -1 on error OR when quickly
dropping data in case of DNS congestion;
we need to _not_ do tunnel_dns() then.
If chunk sent, sets send_ping_soon=0. */
}
if (FD_ISSET(dns_fd, &fds)) {
if (tunnel_dns(tun_fd, dns_fd) <= 0)
continue;
}
}
}
return rv;
}
static void
send_login(int fd, char *login, int len)
{
char data[19];
memset(data, 0, sizeof(data));
data[0] = userid;
memcpy(&data[1], login, MIN(len, 16));
data[17] = (rand_seed >> 8) & 0xff;
data[18] = (rand_seed >> 0) & 0xff;
rand_seed++;
send_packet(fd, 'l', data, sizeof(data));
}
static void
send_fragsize_probe(int fd, int fragsize)
{
char probedata[256];
char buf[4096];
/*
* build a large query domain which is random and maximum size,
* will also take up maximal space in the return packet
*/
memset(probedata, MAX(1, rand_seed & 0xff), sizeof(probedata));
probedata[1] = MAX(1, (rand_seed >> 8) & 0xff);
rand_seed++;
/* Note: must either be same, or larger, than send_chunk() */
build_hostname(buf + 5, sizeof(buf) - 5, probedata, sizeof(probedata),
topdomain, dataenc, hostname_maxlen);
fragsize &= 2047;
buf[0] = 'r'; /* Probe downstream fragsize packet */
buf[1] = b32_5to8((userid << 1) | ((fragsize >> 10) & 1));
buf[2] = b32_5to8((fragsize >> 5) & 31);
buf[3] = b32_5to8(fragsize & 31);
buf[4] = 'd'; /* dummy to match send_chunk() */
send_query(fd, buf);
}
static void
send_set_downstream_fragsize(int fd, int fragsize)
{
char data[5];
data[0] = userid;
data[1] = (fragsize & 0xff00) >> 8;
data[2] = (fragsize & 0x00ff);
data[3] = (rand_seed >> 8) & 0xff;
data[4] = (rand_seed >> 0) & 0xff;
rand_seed++;
send_packet(fd, 'n', data, sizeof(data));
}
static void
send_version(int fd, uint32_t version)
{
char data[6];
data[0] = (version >> 24) & 0xff;
data[1] = (version >> 16) & 0xff;
data[2] = (version >> 8) & 0xff;
data[3] = (version >> 0) & 0xff;
data[4] = (rand_seed >> 8) & 0xff;
data[5] = (rand_seed >> 0) & 0xff;
rand_seed++;
send_packet(fd, 'v', data, sizeof(data));
}
/* Add lower 15 bits of rand seed as base32,
* followed by a dot and the tunnel domain and send */
static void
send_handshake_query(int fd, char *prefix)
{
char buf[300];
char cmc_dot[5];
cmc_dot[0] = b32_5to8((rand_seed >> 10) & 0x1f);
cmc_dot[1] = b32_5to8((rand_seed >> 5) & 0x1f);
cmc_dot[2] = b32_5to8((rand_seed) & 0x1f);
cmc_dot[3] = '.';
cmc_dot[4] = 0;
rand_seed++;
buf[0] = 0;
strncat(buf, prefix, 60); /* 63 - space for 3 CMC bytes */
strcat(buf, cmc_dot);
strncat(buf, topdomain, sizeof(buf) - strlen(buf) - 1);
send_query(fd, buf);
}
static void
send_raw_udp_login(int dns_fd, int seed)
{
char buf[16];
login_calculate(buf, 16, password, seed + 1);
send_raw(dns_fd, buf, sizeof(buf), RAW_HDR_CMD_LOGIN);
}
static void
send_upenctest(int fd, const char *s)
/* NOTE: String may be at most 63-4=59 chars to fit in 1 dns chunk. */
{
char buf[512] = "z___";
buf[1] = b32_5to8((rand_seed >> 10) & 0x1f);
buf[2] = b32_5to8((rand_seed >> 5) & 0x1f);
buf[3] = b32_5to8((rand_seed) & 0x1f);
rand_seed++;
strncat(buf, s, 128);
strncat(buf, ".", 2);
strncat(buf, topdomain, 512 - strlen(buf));
send_query(fd, buf);
}
static void
send_downenctest(int fd, char downenc, int variant)
{
char prefix[4] = "y__";
prefix[1] = tolower(downenc);
prefix[2] = b32_5to8(variant);
/* Use send_query directly if we ever send more data here. */
send_handshake_query(fd, prefix);
}
static void
send_lazy_switch(int fd)
{
char sw_lazy[] = { 'o', b32_5to8(userid), 'i', 0 };
if (lazymode)
sw_lazy[2] = 'l';
send_handshake_query(fd, sw_lazy);
}
static int
handshake_version(int dns_fd, int *seed)
{
char hex[] = "0123456789abcdef";
char hex2[] = "0123456789ABCDEF";
char in[4096];
uint32_t payload;
int i;
int read;
for (i = 0; running && i < 5; i++) {
send_version(dns_fd, PROTOCOL_VERSION);
read = handshake_waitdns(dns_fd, in, sizeof(in), 'v', 'V', i+1);
if (read >= 9) {
payload = (((in[4] & 0xff) << 24) |
((in[5] & 0xff) << 16) |
((in[6] & 0xff) << 8) |
((in[7] & 0xff)));
if (strncmp("VACK", in, 4) == 0) {
*seed = payload;
userid = in[8];
userid_char = hex[userid & 15];
userid_char2 = hex2[userid & 15];
fprintf(stderr, "Version ok, both using protocol v 0x%08x. You are user #%d\n",
PROTOCOL_VERSION, userid);
return 0;
} else if (strncmp("VNAK", in, 4) == 0) {
warnx("You use protocol v 0x%08x, server uses v 0x%08x. Giving up",
PROTOCOL_VERSION, payload);
return 1;
} else if (strncmp("VFUL", in, 4) == 0) {
warnx("Server full, all %d slots are taken. Try again later", payload);
return 1;
}
} else if (read > 0)
warnx("did not receive proper login challenge");
fprintf(stderr, "Retrying version check...\n");
}
warnx("couldn't connect to server (maybe other -T options will work)");
return 1;
}
static int
handshake_login(int dns_fd, int seed)
{
char in[4096];
char login[16];
char server[65];
char client[65];
int mtu;
int i;
int read;
login_calculate(login, 16, password, seed);
for (i = 0; running && i < 5; i++) {
send_login(dns_fd, login, 16);
read = handshake_waitdns(dns_fd, in, sizeof(in), 'l', 'L', i+1);
if (read > 0) {
int netmask;
if (strncmp("LNAK", in, 4) == 0) {
fprintf(stderr, "Bad password\n");
return 1;
} else if (strncmp("BADIP", in, 5) == 0) {
warnx("BADIP: Server rejected sender IP address (maybe iodined -c will help)");
return 1;
} else if (sscanf(in, "%64[^-]-%64[^-]-%d-%d",
server, client, &mtu, &netmask) == 4) {
server[64] = 0;
client[64] = 0;
if (tun_setip(client, server, netmask) == 0 &&
tun_setmtu(mtu) == 0) {
fprintf(stderr, "Server tunnel IP is %s\n", server);
return 0;
} else {
errx(4, "Failed to set IP and MTU");
}
} else {
fprintf(stderr, "Received bad handshake\n");
}
}
fprintf(stderr, "Retrying login...\n");
}
warnx("couldn't login to server");
return 1;
}
static int
handshake_raw_udp(int dns_fd, int seed)
{
struct timeval tv;
char get_ip[] = { 'i', b32_5to8(userid), 0 };
char in[4096];
fd_set fds;
int i;
int r;
int len;
int got_addr;
memset(&raw_serv, 0, sizeof(raw_serv));
got_addr = 0;
fprintf(stderr, "Requesting server address to attempt raw UDP mode (skip with -r) ");
fflush(stderr);
for (i = 0; running && i < 3; i++) {
send_handshake_query(dns_fd, get_ip);
len = handshake_waitdns(dns_fd, in, sizeof(in), 'i', 'I', i+1);
if (len == 5 && in[0] == 'I') {
/* Received IPv4 address */
struct sockaddr_in *raw4_serv = (struct sockaddr_in *) &raw_serv;
raw4_serv->sin_family = AF_INET;
memcpy(&raw4_serv->sin_addr, &in[1], sizeof(struct in_addr));
raw4_serv->sin_port = htons(53);
raw_serv_len = sizeof(struct sockaddr_in);
got_addr = 1;
break;
}
if (len == 17 && in[0] == 'I') {
/* Received IPv6 address */
struct sockaddr_in6 *raw6_serv = (struct sockaddr_in6 *) &raw_serv;
raw6_serv->sin6_family = AF_INET6;
memcpy(&raw6_serv->sin6_addr, &in[1], sizeof(struct in6_addr));
raw6_serv->sin6_port = htons(53);
raw_serv_len = sizeof(struct sockaddr_in6);
got_addr = 1;
break;
}
fprintf(stderr, ".");
fflush(stderr);
}
fprintf(stderr, "\n");
if (!running)
return 0;
if (!got_addr) {
fprintf(stderr, "Failed to get raw server IP, will use DNS mode.\n");
return 0;
}
fprintf(stderr, "Server is at %s, trying raw login: (skip with -r) ",
format_addr(&raw_serv, raw_serv_len));
fflush(stderr);
/* do login against port 53 on remote server
* based on the old seed. If reply received,
* switch to raw udp mode */
for (i = 0; running && i < 4; i++) {
tv.tv_sec = i + 1;
tv.tv_usec = 0;
send_raw_udp_login(dns_fd, seed);
FD_ZERO(&fds);
FD_SET(dns_fd, &fds);
r = select(dns_fd + 1, &fds, NULL, NULL, &tv);
if (r > 0) {
/* recv() needed for windows, dont change to read() */
len = recv(dns_fd, in, sizeof(in), 0);
if (len >= (16 + RAW_HDR_LEN)) {
char hash[16];
login_calculate(hash, 16, password, seed - 1);
if (memcmp(in, raw_header, RAW_HDR_IDENT_LEN) == 0
&& RAW_HDR_GET_CMD(in) == RAW_HDR_CMD_LOGIN
&& memcmp(&in[RAW_HDR_LEN], hash, sizeof(hash)) == 0) {
fprintf(stderr, "OK\n");
return 1;
}
}
}
fprintf(stderr, ".");
fflush(stderr);
}
fprintf(stderr, "failed\n");
return 0;
}
static int
handshake_upenctest(int dns_fd, const char *s)
/* NOTE: *s may be max 59 chars; must start with "aA" for case-swap check
Returns:
-1: case swap, no need for any further test: error printed; or Ctrl-C
0: not identical or error or timeout
1: identical string returned
*/
{
char in[4096];
unsigned char *uin = (unsigned char *) in;
const unsigned char *us = (const unsigned char *) s;
int i;
int read;
int slen;
slen = strlen(s);
for (i = 0; running && i < 3; i++) {
send_upenctest(dns_fd, s);
read = handshake_waitdns(dns_fd, in, sizeof(in), 'z', 'Z', i+1);
if (read == -2)
return 0; /* hard error */
if (read > 0 && read < slen + 4)
return 0; /* reply too short (chars dropped) */
if (read > 0) {
int k;
#if 0
/* in[56] = '@'; */
/* in[56] = '_'; */
/* if (in[29] == '\344') in[29] = 'a'; */
in[read] = '\0';
fprintf(stderr, "BounceReply: >%s<\n", in);
#endif
/* quick check if case swapped, to give informative error msg */
if (in[4] == 'A') {
fprintf(stderr, "DNS queries get changed to uppercase, keeping upstream codec Base32\n");
return -1;
}
if (in[5] == 'a') {
fprintf(stderr, "DNS queries get changed to lowercase, keeping upstream codec Base32\n");
return -1;
}
for (k = 0; k < slen; k++) {
if (in[k+4] != s[k]) {
/* Definitely not reliable */
if (in[k+4] >= ' ' && in[k+4] <= '~' &&
s[k] >= ' ' && s[k] <= '~') {
fprintf(stderr, "DNS query char '%c' gets changed into '%c'\n",
s[k], in[k+4]);
} else {
fprintf(stderr, "DNS query char 0x%02X gets changed into 0x%02X\n",
(unsigned int) us[k],
(unsigned int) uin[k+4]);
}
return 0;
}
}
/* if still here, then all okay */
return 1;
}
fprintf(stderr, "Retrying upstream codec test...\n");
}
if (!running)
return -1;
/* timeout */
return 0;
}
static int
handshake_upenc_autodetect(int dns_fd)
/* Returns:
0: keep Base32
1: Base64 is okay
2: Base64u is okay
3: Base128 is okay
*/
{
/* Note: max 59 chars, must start with "aA".
pat64: If 0129 work, assume 3-8 are okay too.
RFC1035 par 2.3.1 states that [A-Z0-9-] allowed, but only
[A-Z] as first, and [A-Z0-9] as last char _per label_.
Test by having '-' as last char.
*/
const char *pat64 = "aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ+0129-";
const char *pat64u = "aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ_0129-";
const char *pat128a = "aA-Aaahhh-Drink-mal-ein-J\344germeister-";
const char *pat128b = "aA-La-fl\373te-na\357ve-fran\347aise-est-retir\351-\340-Cr\350te";
const char *pat128c = "aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ";
const char *pat128d = "aA0123456789\274\275\276\277"
"\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317";
const char *pat128e="aA"
"\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337"
"\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357"
"\360\361\362\363\364\365\366\367\370\371\372\373\374\375";
int res;
/* Try Base128, starting very gently to not draw attention */
while (1) {
res = handshake_upenctest(dns_fd, pat128a);
if (res < 0) {
/* DNS swaps case, msg already printed; or Ctrl-C */
return 0;
} else if (res == 0) {
/* Probably not okay, skip Base128 entirely */
break;
}
res = handshake_upenctest(dns_fd, pat128b);
if (res < 0)
return 0;
else if (res == 0)
break;
/* if this works, we can test the real stuff */
res = handshake_upenctest(dns_fd, pat128c);
if (res < 0)
return 0;
else if (res == 0)
break;
res = handshake_upenctest(dns_fd, pat128d);
if (res < 0)
return 0;
else if (res == 0)
break;
res = handshake_upenctest(dns_fd, pat128e);
if (res < 0)
return 0;
else if (res == 0)
break;
/* if still here, then base128 works completely */
return 3;
}
/* Try Base64 (with plus sign) */
res = handshake_upenctest(dns_fd, pat64);
if (res < 0) {
/* DNS swaps case, msg already printed; or Ctrl-C */
return 0;
} else if (res > 0) {
/* All okay, Base64 msg will be printed later */
return 1;
}
/* Try Base64u (with _u_nderscore) */
res = handshake_upenctest(dns_fd, pat64u);
if (res < 0) {
/* DNS swaps case, msg already printed; or Ctrl-C */
return 0;
} else if (res > 0) {
/* All okay, Base64u msg will be printed later */
return 2;
}
/* if here, then nonthing worked */
fprintf(stderr, "Keeping upstream codec Base32\n");
return 0;
}
static int
handshake_downenctest(int dns_fd, char trycodec)
/* Returns:
0: not identical or error or timeout
1: identical string returned
*/
{
char in[4096];
int i;
int read;
char *s = DOWNCODECCHECK1;
int slen = DOWNCODECCHECK1_LEN;
for (i = 0; running && i < 3; i++) {
send_downenctest(dns_fd, trycodec, 1);
read = handshake_waitdns(dns_fd, in, sizeof(in), 'y', 'Y', i+1);
if (read == -2)
return 0; /* hard error */
if (read > 0 && read != slen)
return 0; /* reply incorrect = unreliable */
if (read > 0) {
int k;
for (k = 0; k < slen; k++) {
if (in[k] != s[k]) {
/* Definitely not reliable */
return 0;
}
}
/* if still here, then all okay */
return 1;
}
fprintf(stderr, "Retrying downstream codec test...\n");
}
/* timeout */
return 0;
}
static char
handshake_downenc_autodetect(int dns_fd)
/* Returns codec char (or ' ' if no advanced codec works) */
{
int base64ok = 0;
int base64uok = 0;
int base128ok = 0;
if (do_qtype == T_NULL || do_qtype == T_PRIVATE) {
/* no other choice than raw */
fprintf(stderr, "No alternative downstream codec available, using default (Raw)\n");
return ' ';
}
fprintf(stderr, "Autodetecting downstream codec (use -O to override)\n");
/* Try Base64 */
if (handshake_downenctest(dns_fd, 'S'))
base64ok = 1;
else if (running && handshake_downenctest(dns_fd, 'U'))
base64uok = 1;
/* Try Base128 only if 64 gives us some perspective */
if (running && (base64ok || base64uok)) {
if (handshake_downenctest(dns_fd, 'V'))
base128ok = 1;
}
/* If 128 works, then TXT may give us Raw as well */
if (running && (base128ok && do_qtype == T_TXT)) {
if (handshake_downenctest(dns_fd, 'R'))
return 'R';
}
if (!running)
return ' ';
if (base128ok)
return 'V';
if (base64ok)
return 'S';
if (base64uok)
return 'U';
fprintf(stderr, "No advanced downstream codecs seem to work, using default (Base32)\n");
return ' ';
}
static int
handshake_qtypetest(int dns_fd, int timeout)
/* Returns:
0: doesn't work with this timeout
1: works properly
*/
{
char in[4096];
int read;
char *s = DOWNCODECCHECK1;
int slen = DOWNCODECCHECK1_LEN;
int trycodec;
int k;
if (do_qtype == T_NULL || do_qtype == T_PRIVATE)
trycodec = 'R';
else
trycodec = 'T';
/* We could use 'Z' bouncing here, but 'Y' also tests that 0-255
byte values can be returned, which is needed for NULL/PRIVATE
to work. */
send_downenctest(dns_fd, trycodec, 1);
read = handshake_waitdns(dns_fd, in, sizeof(in), 'y', 'Y', timeout);
if (read != slen)
return 0; /* incorrect */
for (k = 0; k < slen; k++) {
if (in[k] != s[k]) {
/* corrupted */
return 0;
}
}
/* if still here, then all okay */
return 1;
}
static int
handshake_qtype_numcvt(int num)
{
switch (num) {
case 0: return T_NULL;
case 1: return T_PRIVATE;
case 2: return T_TXT;
case 3: return T_SRV;
case 4: return T_MX;
case 5: return T_CNAME;
case 6: return T_A;
}
return T_UNSET;
}
static int
handshake_qtype_autodetect(int dns_fd)
/* Returns:
0: okay, do_qtype set
1: problem, program exit
*/
{
int highestworking = 100;
int timeout;
int qtypenum;
fprintf(stderr, "Autodetecting DNS query type (use -T to override)");
fflush(stderr);
/* Method: try all "interesting" qtypes with a 1-sec timeout, then try
all "still-interesting" qtypes with a 2-sec timeout, etc.
"Interesting" means: qtypes that (are expected to) have higher
bandwidth than what we know is working already (highestworking).
Note that DNS relays may not immediately resolve the first (NULL)
query in 1 sec, due to long recursive lookups, so we keep trying
to see if things will start working after a while.
*/
for (timeout = 1; running && timeout <= 3; timeout++) {
for (qtypenum = 0; running && qtypenum < highestworking; qtypenum++) {
do_qtype = handshake_qtype_numcvt(qtypenum);
if (do_qtype == T_UNSET)
break; /* this round finished */
fprintf(stderr, ".");
fflush(stderr);
if (handshake_qtypetest(dns_fd, timeout)) {
/* okay */
highestworking = qtypenum;
#if 0
fprintf(stderr, " Type %s timeout %d works\n",
client_get_qtype(), timeout);
#endif
break;
/* try others with longer timeout */
}
/* else: try next qtype with same timeout */
}
if (highestworking == 0)
/* good, we have NULL; abort immediately */
break;
}
fprintf(stderr, "\n");
if (!running) {
warnx("Stopped while autodetecting DNS query type (try setting manually with -T)");
return 1; /* problem */
}
/* finished */
do_qtype = handshake_qtype_numcvt(highestworking);
if (do_qtype == T_UNSET) {
/* also catches highestworking still 100 */
warnx("No suitable DNS query type found. Are you connected to a network?");
warnx("If you expect very long roundtrip delays, use -T explicitly.");
warnx("(Also, connecting to an \"ancient\" version of iodined won't work.)");
return 1; /* problem */
}
/* "using qtype" message printed in handshake function */
return 0; /* okay */
}
static int
handshake_edns0_check(int dns_fd)
/* Returns:
0: EDNS0 not supported; or Ctrl-C
1: EDNS0 works
*/
{
char in[4096];
int i;
int read;
char *s = DOWNCODECCHECK1;
int slen = DOWNCODECCHECK1_LEN;
char trycodec;
if (do_qtype == T_NULL)
trycodec = 'R';
else
trycodec = 'T';
for (i = 0; running && i < 3; i++) {
send_downenctest(dns_fd, trycodec, 1);
read = handshake_waitdns(dns_fd, in, sizeof(in), 'y', 'Y', i+1);
if (read == -2)
return 0; /* hard error */
if (read > 0 && read != slen)
return 0; /* reply incorrect = unreliable */
if (read > 0) {
int k;
for (k = 0; k < slen; k++) {
if (in[k] != s[k]) {
/* Definitely not reliable */
return 0;
}
}
/* if still here, then all okay */
return 1;
}
fprintf(stderr, "Retrying EDNS0 support test...\n");
}
/* timeout or Ctrl-C */
return 0;
}
static void
handshake_switch_codec(int dns_fd, int bits)
{
char sw_codec[] = { 's', b32_5to8(userid), b32_5to8(bits), 0 };
char in[4096];
int i;
int read;
const struct encoder *tempenc;
if (bits == 5)
tempenc = &base32_ops;
else if (bits == 6)
tempenc = &base64_ops;
else if (bits == 26) /* "2nd" 6 bits per byte, with underscore */
tempenc = &base64u_ops;
else if (bits == 7)
tempenc = &base128_ops;
else return;
fprintf(stderr, "Switching upstream to codec %s\n", tempenc->name);
for (i = 0; running && i < 5; i++) {
send_handshake_query(dns_fd, sw_codec);
read = handshake_waitdns(dns_fd, in, sizeof(in), 's', 'S', i+1);
if (read > 0) {
if (strncmp("BADLEN", in, 6) == 0) {
fprintf(stderr, "Server got bad message length. ");
goto codec_revert;
} else if (strncmp("BADIP", in, 5) == 0) {
fprintf(stderr, "Server rejected sender IP address. ");
goto codec_revert;
} else if (strncmp("BADCODEC", in, 8) == 0) {
fprintf(stderr, "Server rejected the selected codec. ");
goto codec_revert;
}
in[read] = 0; /* zero terminate */
fprintf(stderr, "Server switched upstream to codec %s\n", in);
dataenc = tempenc;
return;
}
fprintf(stderr, "Retrying codec switch...\n");
}
if (!running)
return;
fprintf(stderr, "No reply from server on codec switch. ");
codec_revert:
fprintf(stderr, "Falling back to upstream codec %s\n", dataenc->name);
}
static void
handshake_switch_downenc(int dns_fd)
{
char sw_downenc[] = { 'o', b32_5to8(userid), tolower(downenc), 0 };
char in[4096];
int i;
int read;
char *dname;
dname = "Base32";
if (downenc == 'S')
dname = "Base64";
else if (downenc == 'U')
dname = "Base64u";
else if (downenc == 'V')
dname = "Base128";
else if (downenc == 'R')
dname = "Raw";
fprintf(stderr, "Switching downstream to codec %s\n", dname);
for (i = 0; running && i < 5; i++) {
send_handshake_query(dns_fd, sw_downenc);
read = handshake_waitdns(dns_fd, in, sizeof(in), 'o', 'O', i+1);
if (read > 0) {
if (strncmp("BADLEN", in, 6) == 0) {
fprintf(stderr, "Server got bad message length. ");
goto codec_revert;
} else if (strncmp("BADIP", in, 5) == 0) {
fprintf(stderr, "Server rejected sender IP address. ");
goto codec_revert;
} else if (strncmp("BADCODEC", in, 8) == 0) {
fprintf(stderr, "Server rejected the selected codec. ");
goto codec_revert;
}
in[read] = 0; /* zero terminate */
fprintf(stderr, "Server switched downstream to codec %s\n", in);
return;
}
fprintf(stderr, "Retrying codec switch...\n");
}
if (!running)
return;
fprintf(stderr, "No reply from server on codec switch. ");
codec_revert:
fprintf(stderr, "Falling back to downstream codec Base32\n");
}
static void
handshake_try_lazy(int dns_fd)
{
char in[4096];
int i;
int read;
fprintf(stderr, "Switching to lazy mode for low-latency\n");
for (i = 0; running && i < 5 ;i++) {
send_lazy_switch(dns_fd);
read = handshake_waitdns(dns_fd, in, sizeof(in), 'o', 'O', i+1);
if (read > 0) {
if (strncmp("BADLEN", in, 6) == 0) {
fprintf(stderr, "Server got bad message length. ");
goto codec_revert;
} else if (strncmp("BADIP", in, 5) == 0) {
fprintf(stderr, "Server rejected sender IP address. ");
goto codec_revert;
} else if (strncmp("BADCODEC", in, 8) == 0) {
fprintf(stderr, "Server rejected lazy mode. ");
goto codec_revert;
} else if (strncmp("Lazy", in, 4) == 0) {
fprintf(stderr, "Server switched to lazy mode\n");
lazymode = 1;
return;
}
}
fprintf(stderr, "Retrying lazy mode switch...\n");
}
if (!running)
return;
fprintf(stderr, "No reply from server on lazy switch. ");
codec_revert:
fprintf(stderr, "Falling back to legacy mode\n");
lazymode = 0;
selecttimeout = 1;
}
static void
handshake_lazyoff(int dns_fd)
/* Used in the middle of data transfer, timing is different and no error msgs */
{
char in[4096];
int i;
int read;
for (i = 0; running && i < 5; i++) {
send_lazy_switch(dns_fd);
read = handshake_waitdns(dns_fd, in, sizeof(in), 'o', 'O', 1);
if (read == 9 && strncmp("Immediate", in, 9) == 0) {
warnx("Server switched back to legacy mode.\n");
lazymode = 0;
selecttimeout = 1;
return;
}
}
if (!running)
return;
warnx("No reply from server on legacy mode switch.\n");
}
static int
fragsize_check(char *in, int read, int proposed_fragsize, int *max_fragsize)
/* Returns: 0: keep checking, 1: break loop (either okay or definitely wrong) */
{
int acked_fragsize = ((in[0] & 0xff) << 8) | (in[1] & 0xff);
int okay;
int i;
unsigned int v;
if (read >= 5 && strncmp("BADIP", in, 5) == 0) {
fprintf(stderr, "got BADIP (Try iodined -c)..\n");
fflush(stderr);
return 0; /* maybe temporary error */
}
if (acked_fragsize != proposed_fragsize) {
/*
* got ack for wrong fragsize, maybe late response for
* earlier query, or ack corrupted
*/
return 0;
}
if (read != proposed_fragsize) {
/*
* correctly acked fragsize but read too little (or too
* much): this fragsize is definitely not reliable
*/
return 1;
}
/* here: read == proposed_fragsize == acked_fragsize */
/* test: */
/* in[123] = 123; */
if ((in[2] & 0xff) != 107) {
fprintf(stderr, "\n");
warnx("corruption at byte 2, this won't work. Try -O Base32, or other -T options.");
*max_fragsize = -1;
return 1;
}
/* Check for corruption */
okay = 1;
v = in[3] & 0xff;
for (i = 3; i < read; i++, v = (v + 107) & 0xff)
if ((in[i] & 0xff) != v) {
okay = 0;
break;
}
if (okay) {
fprintf(stderr, "%d ok.. ", acked_fragsize);
fflush(stderr);
*max_fragsize = acked_fragsize;
return 1;
} else {
if (downenc != ' ' && downenc != 'T') {
fprintf(stderr, "%d corrupted at %d.. (Try -O Base32)\n", acked_fragsize, i);
} else {
fprintf(stderr, "%d corrupted at %d.. ", acked_fragsize, i);
}
fflush(stderr);
return 1;
}
/* notreached */
return 1;
}
static int
handshake_autoprobe_fragsize(int dns_fd)
{
char in[4096];
int i;
int read;
int proposed_fragsize = 768;
int range = 768;
int max_fragsize;
max_fragsize = 0;
fprintf(stderr, "Autoprobing max downstream fragment size... (skip with -m fragsize)\n");
while (running && range > 0 && (range >= 8 || max_fragsize < 300)) {
/* stop the slow probing early when we have enough bytes anyway */
for (i = 0; running && i < 3; i++) {
send_fragsize_probe(dns_fd, proposed_fragsize);
read = handshake_waitdns(dns_fd, in, sizeof(in), 'r', 'R', 1);
if (read > 0) {
/* We got a reply */
if (fragsize_check(in, read, proposed_fragsize, &max_fragsize) == 1)
break;
}
fprintf(stderr, ".");
fflush(stderr);
}
if (max_fragsize < 0)
break;
range >>= 1;
if (max_fragsize == proposed_fragsize) {
/* Try bigger */
proposed_fragsize += range;
} else {
/* Try smaller */
fprintf(stderr, "%d not ok.. ", proposed_fragsize);
fflush(stderr);
proposed_fragsize -= range;
}
}
if (!running) {
fprintf(stderr, "\n");
warnx("stopped while autodetecting fragment size (Try setting manually with -m)");
return 0;
}
if (max_fragsize <= 2) {
/* Tried all the way down to 2 and found no good size.
But we _did_ do all handshake before this, so there must
be some workable connection. */
fprintf(stderr, "\n");
warnx("found no accepted fragment size.");
warnx("try setting -M to 200 or lower, or try other -T or -O options.");
return 0;
}
/* data header adds 2 bytes */
fprintf(stderr, "will use %d-2=%d\n", max_fragsize, max_fragsize - 2);
/* need 1200 / 16frags = 75 bytes fragsize */
if (max_fragsize < 82) {
fprintf(stderr, "Note: this probably won't work well.\n");
fprintf(stderr, "Try setting -M to 200 or lower, or try other DNS types (-T option).\n");
} else if (max_fragsize < 202 &&
(do_qtype == T_NULL || do_qtype == T_PRIVATE || do_qtype == T_TXT ||
do_qtype == T_SRV || do_qtype == T_MX)) {
fprintf(stderr, "Note: this isn't very much.\n");
fprintf(stderr, "Try setting -M to 200 or lower, or try other DNS types (-T option).\n");
}
return max_fragsize - 2;
}
static void
handshake_set_fragsize(int dns_fd, int fragsize)
{
char in[4096];
int i;
int read;
fprintf(stderr, "Setting downstream fragment size to max %d...\n", fragsize);
for (i = 0; running && i < 5; i++) {
send_set_downstream_fragsize(dns_fd, fragsize);
read = handshake_waitdns(dns_fd, in, sizeof(in), 'n', 'N', i+1);
if (read > 0) {
if (strncmp("BADFRAG", in, 7) == 0) {
fprintf(stderr, "Server rejected fragsize. Keeping default.");
return;
} else if (strncmp("BADIP", in, 5) == 0) {
fprintf(stderr, "Server rejected sender IP address.\n");
return;
}
/* The server returns the accepted fragsize:
accepted_fragsize = ((in[0] & 0xff) << 8) | (in[1] & 0xff) */
return;
}
fprintf(stderr, "Retrying set fragsize...\n");
}
if (!running)
return;
fprintf(stderr, "No reply from server when setting fragsize. Keeping default.\n");
}
int
client_handshake(int dns_fd, int raw_mode, int autodetect_frag_size, int fragsize)
{
int seed;
int upcodec;
int r;
dnsc_use_edns0 = 0;
/* qtype message printed in handshake function */
if (do_qtype == T_UNSET) {
r = handshake_qtype_autodetect(dns_fd);
if (r) {
return r;
}
}
fprintf(stderr, "Using DNS type %s queries\n", client_get_qtype());
r = handshake_version(dns_fd, &seed);
if (r) {
return r;
}
r = handshake_login(dns_fd, seed);
if (r) {
return r;
}
if (raw_mode && handshake_raw_udp(dns_fd, seed)) {
conn = CONN_RAW_UDP;
selecttimeout = 20;
} else {
if (raw_mode == 0) {
fprintf(stderr, "Skipping raw mode\n");
}
dnsc_use_edns0 = 1;
if (handshake_edns0_check(dns_fd) && running) {
fprintf(stderr, "Using EDNS0 extension\n");
} else if (!running) {
return -1;
} else {
fprintf(stderr, "DNS relay does not support EDNS0 extension\n");
dnsc_use_edns0 = 0;
}
upcodec = handshake_upenc_autodetect(dns_fd);
if (!running)
return -1;
if (upcodec == 1) {
handshake_switch_codec(dns_fd, 6);
} else if (upcodec == 2) {
handshake_switch_codec(dns_fd, 26);
} else if (upcodec == 3) {
handshake_switch_codec(dns_fd, 7);
}
if (!running)
return -1;
if (downenc == ' ') {
downenc = handshake_downenc_autodetect(dns_fd);
}
if (!running)
return -1;
if (downenc != ' ') {
handshake_switch_downenc(dns_fd);
}
if (!running)
return -1;
if (lazymode) {
handshake_try_lazy(dns_fd);
}
if (!running)
return -1;
if (autodetect_frag_size) {
fragsize = handshake_autoprobe_fragsize(dns_fd);
if (!fragsize) {
return 1;
}
}
handshake_set_fragsize(dns_fd, fragsize);
if (!running)
return -1;
}
return 0;
}
================================================
FILE: src/client.h
================================================
/*
* Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
* 2006-2009 Bjorn Andersson <flex@kryo.se>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef __CLIENT_H__
#define __CLIENT_H__
void client_init(void);
void client_stop(void);
enum connection client_get_conn(void);
const char *client_get_raw_addr(void);
void client_set_nameserver(struct sockaddr_storage *, int);
void client_set_topdomain(const char *cp);
void client_set_password(const char *cp);
int client_set_qtype(char *qtype);
char *client_get_qtype(void);
void client_set_downenc(char *encoding);
void client_set_selecttimeout(int select_timeout);
void client_set_lazymode(int lazy_mode);
void client_set_hostname_maxlen(int i);
int client_handshake(int dns_fd, int raw_mode, int autodetect_frag_size,
int fragsize);
int client_tunnel(int tun_fd, int dns_fd);
#endif
================================================
FILE: src/common.c
================================================
/* Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
* 2006-2009 Bjorn Andersson <flex@kryo.se>
* Copyright (c) 2007 Albert Lee <trisk@acm.jhu.edu>.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <time.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <string.h>
#include <ctype.h>
#include <fcntl.h>
#include <errno.h>
#ifdef WINDOWS32
#include <winsock2.h>
#include <conio.h>
#else
#include <arpa/nameser.h>
#ifdef DARWIN
#define BIND_8_COMPAT
#include <arpa/nameser_compat.h>
#endif
#include <termios.h>
#include <err.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <syslog.h>
#include <sys/socket.h>
#include <netdb.h>
#endif
#ifdef HAVE_SETCON
# include <selinux/selinux.h>
#endif
#include "common.h"
/* The raw header used when not using DNS protocol */
const unsigned char raw_header[RAW_HDR_LEN] = { 0x10, 0xd1, 0x9e, 0x00 };
/* daemon(3) exists only in 4.4BSD or later, and in GNU libc */
#if !defined(ANDROID) && !defined(WINDOWS32) && !(defined(BSD) && (BSD >= 199306)) && !defined(__GLIBC__) && !defined(__HAIKU__)
static int daemon(int nochdir, int noclose)
{
int fd, i;
switch (fork()) {
case 0:
break;
case -1:
return -1;
default:
_exit(0);
}
if (!nochdir) {
chdir("/");
}
if (setsid() < 0) {
return -1;
}
if (!noclose) {
if ((fd = open("/dev/null", O_RDWR)) >= 0) {
for (i = 0; i < 3; i++) {
dup2(fd, i);
}
if (fd > 2) {
close(fd);
}
}
}
return 0;
}
#endif
#if defined(__BEOS__) && !defined(__HAIKU__)
int setgroups(int count, int *groups)
{
/* errno = ENOSYS; */
return -1;
}
#endif
#ifndef WINDOWS32
void
check_superuser(void)
{
if (geteuid() != 0) {
warnx("Run as root and you'll be happy.");
exit(-1);
}
}
#endif
char *
format_addr(struct sockaddr_storage *sockaddr, int sockaddr_len)
{
static char dst[INET6_ADDRSTRLEN + 1];
memset(dst, 0, sizeof(dst));
if (sockaddr->ss_family == AF_INET && sockaddr_len >= sizeof(struct sockaddr_in)) {
getnameinfo((struct sockaddr *)sockaddr, sockaddr_len, dst, sizeof(dst) - 1, NULL, 0, NI_NUMERICHOST);
} else if (sockaddr->ss_family == AF_INET6 && sockaddr_len >= sizeof(struct sockaddr_in6)) {
struct sockaddr_in6 *addr = (struct sockaddr_in6 *) sockaddr;
if (IN6_IS_ADDR_V4MAPPED(&addr->sin6_addr)) {
struct in_addr ia;
/* Get mapped v4 addr from last 32bit field */
memcpy(&ia.s_addr, &addr->sin6_addr.s6_addr[12], sizeof(ia));
strcpy(dst, inet_ntoa(ia));
} else {
getnameinfo((struct sockaddr *)sockaddr, sockaddr_len, dst, sizeof(dst) - 1, NULL, 0, NI_NUMERICHOST);
}
} else {
dst[0] = '?';
}
return dst;
}
int
get_addr(char *host, int port, int addr_family, int flags, struct sockaddr_storage *out)
{
struct addrinfo hints, *addr;
int res;
char portnum[8];
int addrlen;
memset(portnum, 0, sizeof(portnum));
snprintf(portnum, sizeof(portnum) - 1, "%d", port);
memset(&hints, 0, sizeof(hints));
hints.ai_family = addr_family;
#if defined(WINDOWS32) || defined(OPENBSD)
/* AI_ADDRCONFIG misbehaves on windows, and does not exist in OpenBSD */
hints.ai_flags = flags;
#else
hints.ai_flags = AI_ADDRCONFIG | flags;
#endif
hints.ai_socktype = SOCK_DGRAM;
hints.ai_protocol = IPPROTO_UDP;
res = getaddrinfo(host, portnum, &hints, &addr);
if (res != 0) {
return -1;
}
addrlen = addr->ai_addrlen;
/* Grab first result */
memcpy(out, addr->ai_addr, addr->ai_addrlen);
freeaddrinfo(addr);
return addrlen;
}
int
open_dns(struct sockaddr_storage *sockaddr, size_t sockaddr_len)
{
return open_dns_opt(sockaddr, sockaddr_len, -1);
}
int
open_dns_opt(struct sockaddr_storage *sockaddr, size_t sockaddr_len, int v6only)
{
int flag;
int fd;
if ((fd = socket(sockaddr->ss_family, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
err(1, "socket");
}
flag = 1;
#ifdef SO_REUSEPORT
setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (const void*) &flag, sizeof(flag));
#endif
setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (const void*) &flag, sizeof(flag));
#ifndef WINDOWS32
fd_set_close_on_exec(fd);
#endif
if (sockaddr->ss_family == AF_INET6 && v6only >= 0) {
setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, (const void*) &v6only, sizeof(v6only));
}
#ifdef IP_OPT_DONT_FRAG
/* Set dont-fragment ip header flag */
flag = DONT_FRAG_VALUE;
setsockopt(fd, IPPROTO_IP, IP_OPT_DONT_FRAG, (const void*) &flag, sizeof(flag));
#endif
if (bind(fd, (struct sockaddr*) sockaddr, sockaddr_len) < 0)
err(1, "bind() to %s", format_addr(sockaddr, sockaddr_len));
fprintf(stderr, "Opened IPv%d UDP socket\n", sockaddr->ss_family == AF_INET6 ? 6 : 4);
return fd;
}
int
open_dns_from_host(char *host, int port, int addr_family, int flags)
{
struct sockaddr_storage addr;
int addrlen;
addrlen = get_addr(host, port, addr_family, flags, &addr);
if (addrlen < 0)
return addrlen;
return open_dns(&addr, addrlen);
}
void
close_dns(int fd)
{
close(fd);
}
void
do_chroot(char *newroot)
{
#if !(defined(WINDOWS32) || defined(__BEOS__) || defined(__HAIKU__))
if (chroot(newroot) != 0 || chdir("/") != 0)
err(1, "%s", newroot);
if (seteuid(geteuid()) != 0 || setuid(getuid()) != 0) {
err(1, "set[e]uid()");
}
#else
warnx("chroot not available");
#endif
}
void
do_setcon(char *context)
{
#ifdef HAVE_SETCON
if (-1 == setcon(context))
err(1, "%s", context);
#else
warnx("No SELinux support built in");
#endif
}
void
do_pidfile(char *pidfile)
{
#ifndef WINDOWS32
FILE *file;
if ((file = fopen(pidfile, "w")) == NULL) {
syslog(LOG_ERR, "Cannot write pidfile to %s, exiting", pidfile);
err(1, "do_pidfile: Can not write pidfile to %s", pidfile);
} else {
fprintf(file, "%d\n", (int)getpid());
fclose(file);
}
#else
fprintf(stderr, "Windows version does not support pid file\n");
#endif
}
void
do_detach(void)
{
#ifndef WINDOWS32
fprintf(stderr, "Detaching from terminal...\n");
daemon(0, 0);
umask(0);
alarm(0);
#else
fprintf(stderr, "Windows version does not support detaching\n");
#endif
}
void
read_password(char *buf, size_t len)
{
char pwd[80] = {0};
#ifndef WINDOWS32
struct termios old;
struct termios tp;
tcgetattr(0, &tp);
old = tp;
tp.c_lflag &= (~ECHO);
tcsetattr(0, TCSANOW, &tp);
#else
int i;
#endif
fprintf(stderr, "Enter tunnel password: ");
fflush(stderr);
#ifndef WINDOWS32
fscanf(stdin, "%79[^\n]", pwd);
#else
for (i = 0; i < sizeof(pwd); i++) {
pwd[i] = getch();
if (pwd[i] == '\r' || pwd[i] == '\n') {
pwd[i] = 0;
break;
} else if (pwd[i] == '\b') {
i--; /* Remove the \b char */
if (i >=0) i--; /* If not first char, remove one more */
}
}
#endif
fprintf(stderr, "\n");
#ifndef WINDOWS32
tcsetattr(0, TCSANOW, &old);
#endif
strncpy(buf, pwd, len);
buf[len-1] = '\0';
}
int
check_topdomain(char *str, int allow_wildcard, char **errormsg)
{
int i;
int dots = 0;
int chunklen = 0;
if (strlen(str) < 3) {
if (errormsg) *errormsg = "Too short (< 3)";
return 1;
}
if (strlen(str) > 128) {
if (errormsg) *errormsg = "Too long (> 128)";
return 1;
}
if (str[0] == '.') {
if (errormsg) *errormsg = "Starts with a dot";
return 1;
}
for (i = 0; i < strlen(str); i++) {
if (str[i] == '.') {
dots++;
if (chunklen == 0) {
if (errormsg) *errormsg = "Consecutive dots";
return 1;
}
if (chunklen > 63) {
if (errormsg) *errormsg = "Too long domain part (> 63)";
return 1;
}
chunklen = 0;
} else {
chunklen++;
}
if ((str[i] >= 'a' && str[i] <= 'z') || (str[i] >= 'A' && str[i] <= 'Z') ||
isdigit(str[i]) || str[i] == '-' || str[i] == '.') {
continue;
} else if (allow_wildcard && str[i] == '*') {
/* First char allowed to be wildcard, if followed by dot */
if (i == 0) {
if (str[i+1] == '.') {
continue;
}
if (errormsg) *errormsg = "Wildcard (*) must be followed by dot";
return 1;
} else {
if (errormsg) *errormsg = "Wildcard (*) only allowed as first char";
return 1;
}
} else {
if (errormsg) *errormsg = "Contains illegal character (allowed: [a-zA-Z0-9-.])";
return 1;
}
}
if (dots == 0) {
if (errormsg) *errormsg = "No dots";
return 1;
}
if (chunklen == 0) {
if (errormsg) *errormsg = "Ends with a dot";
return 1;
}
if (chunklen > 63) {
if (errormsg) *errormsg = "Too long domain part (> 63)";
return 1;
}
return 0;
}
int
query_datalen(const char *qname, const char *topdomain)
{
/* Return number of data bytes embedded in DNS query name,
* or -1 if domains do not match.
*/
int qpos = strlen(qname);
int tpos = strlen(topdomain);
if (tpos < 3 || qpos < tpos) {
/* Domain or query name too short */
return -1;
}
/* Backward string compare */
qpos--;
tpos--;
while (qpos >= 0) {
if (topdomain[tpos] == '*') {
/* Wild match, is first in topdomain */
if (qname[qpos] == '*') {
/* Don't match against stars in query name */
return -1;
} else if (qpos == 0 || qname[qpos-1] == '.') {
/* Reached start of query name or chunk separator */
return qpos;
}
qpos--;
} else if (tolower(qname[qpos]) == tolower(topdomain[tpos])) {
/* Matching char, exclude wildcard in query name */
if (tpos == 0) {
/* Fully matched domain */
if (qpos == 0 || qname[qpos-1] == '.') {
/* Start of name or has dot before matching topdomain */
return qpos;
}
/* Query name has longer chunk than topdomain */
return -1;
}
tpos--;
qpos--;
} else {
return -1;
}
}
return -1;
}
#if defined(WINDOWS32) || defined(ANDROID)
#ifndef ANDROID
int
inet_aton(const char *cp, struct in_addr *inp)
{
inp->s_addr = inet_addr(cp);
return inp->s_addr != INADDR_ANY;
}
#endif
void
vwarn(const char *fmt, va_list list)
{
if (fmt) vfprintf(stderr, fmt, list);
#ifndef ANDROID
if (errno == 0) {
fprintf(stderr, ": WSA error %d\n", WSAGetLastError());
} else {
fprintf(stderr, ": %s\n", strerror(errno));
}
#endif
}
void
warn(const char *fmt, ...)
{
va_list list;
va_start(list, fmt);
vwarn(fmt, list);
va_end(list);
}
void
err(int eval, const char *fmt, ...)
{
va_list list;
va_start(list, fmt);
vwarn(fmt, list);
va_end(list);
exit(eval);
}
void
vwarnx(const char *fmt, va_list list)
{
if (fmt) vfprintf(stderr, fmt, list);
fprintf(stderr, "\n");
}
void
warnx(const char *fmt, ...)
{
va_list list;
va_start(list, fmt);
vwarnx(fmt, list);
va_end(list);
}
void
errx(int eval, const char *fmt, ...)
{
va_list list;
va_start(list, fmt);
vwarnx(fmt, list);
va_end(list);
exit(eval);
}
#endif
int recent_seqno(int ourseqno, int gotseqno)
/* Return 1 if we've seen gotseqno recently (current or up to 3 back).
Return 0 if gotseqno is new (or very old).
*/
{
int i;
for (i = 0; i < 4; i++, ourseqno--) {
if (ourseqno < 0)
ourseqno = 7;
if (gotseqno == ourseqno)
return 1;
}
return 0;
}
#ifndef WINDOWS32
/* Set FD_CLOEXEC flag on file descriptor.
* This stops it from being inherited by system() calls.
*/
void
fd_set_close_on_exec(int fd)
{
int flags;
flags = fcntl(fd, F_GETFD);
if (flags == -1)
err(4, "Failed to get fd flags");
flags |= FD_CLOEXEC;
if (fcntl(fd, F_SETFD, flags) == -1)
err(4, "Failed to set fd flags");
}
#endif
================================================
FILE: src/common.h
================================================
/*
* Copyright (c) 2006-2015 Erik Ekman <yarrick@kryo.se>,
* 2006-2009 Bjorn Andersson <flex@kryo.se>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef __COMMON_H__
#define __COMMON_H__
/* Last byte of raw header is the command */
#define RAW_HDR_LEN 4
#define RAW_HDR_IDENT_LEN 3
#define RAW_HDR_CMD 3
#define RAW_HDR_CMD_LOGIN 0x10
#define RAW_HDR_CMD_DATA 0x20
#define RAW_HDR_CMD_PING 0x30
#define RAW_HDR_CMD_MASK 0xF0
#define RAW_HDR_USR_MASK 0x0F
#define RAW_HDR_GET_CMD(x) ((x)[RAW_HDR_CMD] & RAW_HDR_CMD_MASK)
#define RAW_HDR_GET_USR(x) ((x)[RAW_HDR_CMD] & RAW_HDR_USR_MASK)
extern const unsigned char raw_header[RAW_HDR_LEN];
#include <stdarg.h>
#ifdef WINDOWS32
#include "windows.h"
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <err.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#endif
#define DNS_PORT 53
#ifndef MIN
#define MIN(a,b) ((a)<(b)?(a):(b))
#endif
#ifndef MAX
#define MAX(a,b) ((a)>(b)?(a):(b))
#endif
#define QUERY_NAME_SIZE 256
#if defined IP_MTU_DISCOVER
/* Linux */
# define IP_OPT_DONT_FRAG IP_MTU_DISCOVER
# define DONT_FRAG_VALUE IP_PMTUDISC_DO
#elif defined IP_DONTFRAG
/* FreeBSD */
# define IP_OPT_DONT_FRAG IP_DONTFRAG
# define DONT_FRAG_VALUE 1
#elif defined IP_DONTFRAGMENT
/* Winsock2 */
# define IP_OPT_DONT_FRAG IP_DONTFRAGMENT
# define DONT_FRAG_VALUE 1
#endif
#define T_PRIVATE 65399
/* Undefined RR type; "private use" range, see
* http://www.bind9.net/dns-parameters */
#define T_UNSET 65432
/* Unused RR type, never actually sent */
struct packet
{
int len; /* Total packet length */
int sentlen; /* Length of chunk currently transmitted */
int offset; /* Current offset */
char data[64*1024]; /* The data */
char seqno; /* The packet sequence number */
char fragment; /* Fragment index */
};
struct query {
char name[QUERY_NAME_SIZE];
unsigned short type;
unsigned short rcode;
unsigned short id;
struct sockaddr_storage destination;
socklen_t dest_len;
struct sockaddr_storage from;
socklen_t fromlen;
unsigned short id2;
struct sockaddr_storage from2;
socklen_t fromlen2;
};
enum connection {
CONN_RAW_UDP = 0,
CONN_DNS_NULL,
CONN_MAX
};
#ifdef WINDOWS32
static inline void check_superuser(void)
{
}
#else
void check_superuser(void);
#endif
char *format_addr(struct sockaddr_storage *sockaddr, int sockaddr_len);
int get_addr(char *, int, int, int, struct sockaddr_storage *);
int open_dns(struct sockaddr_storage *, size_t);
int open_dns_opt(struct sockaddr_storage *sockaddr, size_t sockaddr_len,
int v6only);
int open_dns_from_host(char *host, int port, int addr_family, int flags);
void close_dns(int);
void do_chroot(char *);
void do_setcon(char *);
void do_detach(void);
void do_pidfile(char *);
void read_password(char*, size_t);
int check_topdomain(char *, int, char **);
int query_datalen(const char *qname, const char *topdomain);
#if defined(WINDOWS32) || defined(ANDROID)
#ifndef ANDROID
int inet_aton(const char *cp, struct in_addr *inp);
#endif
void vwarn(const char *fmt, va_list list);
void warn(const char *fmt, ...);
void err(int eval, const char *fmt, ...);
void vwarnx(const char *fmt, va_list list);
void warnx(const char *fmt, ...);
void errx(int eval, const char *fmt, ...);
#endif
int recent_seqno(int , int);
#ifndef WINDOWS32
void fd_set_close_on_exec(int fd);
#endif
#endif
================================================
FILE: src/dns.c
================================================
/*
* Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
* 2006-2009 Bjorn Andersson <flex@kryo.se>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <time.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>
#ifdef WINDOWS32
#include "windows.h"
#else
#include <arpa/nameser.h>
#ifdef DARWIN
#define BIND_8_COMPAT
#include <arpa/nameser_compat.h>
#endif
#include <netinet/in.h>
#include <arpa/inet.h>
#include <err.h>
#ifdef ANDROID
#include "android_dns.h"
#endif
#endif
#include "dns.h"
#include "encoding.h"
#include "read.h"
int dnsc_use_edns0 = 1;
#define CHECKLEN(x) if (buflen < (x) + (size_t)(p-buf)) return 0
int dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr,
const char *data, size_t datalen)
{
HEADER *header;
short name;
char *p;
int len;
int ancnt;
if (buflen < sizeof(HEADER))
return 0;
memset(buf, 0, buflen);
header = (HEADER*)buf;
header->id = htons(q->id);
header->qr = (qr == QR_ANSWER);
header->opcode = 0;
header->aa = (qr == QR_ANSWER);
header->tc = 0;
header->rd = (qr == QR_QUERY);
header->ra = 0;
p = buf + sizeof(HEADER);
switch (qr) {
case QR_ANSWER:
header->qdcount = htons(1);
name = 0xc000 | ((p - buf) & 0x3fff);
/* Question section */
putname(&p, buflen - (p - buf), q->name);
CHECKLEN(4);
putshort(&p, q->type);
putshort(&p, C_IN);
/* Answer section */
if (q->type == T_CNAME || q->type == T_A) {
/* data is expected to be like
* "Hblabla.host.name.com\0" */
char *startp;
int namelen;
CHECKLEN(10);
putshort(&p, name);
if (q->type == T_A)
/* answer CNAME to A question */
putshort(&p, T_CNAME);
else
putshort(&p, q->type);
putshort(&p, C_IN);
putlong(&p, 0); /* TTL */
startp = p;
p += 2; /* skip 2 bytes length */
putname(&p, buflen - (p - buf), data);
CHECKLEN(0);
namelen = p - startp;
namelen -= 2;
putshort(&startp, namelen);
ancnt = 1;
} else if (q->type == T_MX || q->type == T_SRV) {
/* Data is expected to be like
"Hblabla.host.name.com\0Hanother.com\0\0"
For SRV, see RFC2782.
*/
const char *mxdata = data;
char *startp;
int namelen;
ancnt = 1;
while (1) {
CHECKLEN(10);
putshort(&p, name);
putshort(&p, q->type);
putshort(&p, C_IN);
putlong(&p, 0); /* TTL */
startp = p;
p += 2; /* skip 2 bytes length */
CHECKLEN(2);
putshort(&p, 10 * ancnt); /* preference */
if (q->type == T_SRV) {
/* weight, port (5060 = SIP) */
CHECKLEN(4);
putshort(&p, 10);
putshort(&p, 5060);
}
putname(&p, buflen - (p - buf), mxdata);
CHECKLEN(0);
namelen = p - startp;
namelen -= 2;
putshort(&startp, namelen);
mxdata = mxdata + strlen(mxdata) + 1;
if (*mxdata == '\0')
break;
ancnt++;
}
} else if (q->type == T_TXT) {
/* TXT has binary or base-X data */
char *startp;
int txtlen;
CHECKLEN(10);
putshort(&p, name);
putshort(&p, q->type);
putshort(&p, C_IN);
putlong(&p, 0); /* TTL */
startp = p;
p += 2; /* skip 2 bytes length */
puttxtbin(&p, buflen - (p - buf), data, datalen);
CHECKLEN(0);
txtlen = p - startp;
txtlen -= 2;
putshort(&startp, txtlen);
ancnt = 1;
} else {
/* NULL has raw binary data */
CHECKLEN(10);
putshort(&p, name);
putshort(&p, q->type);
putshort(&p, C_IN);
putlong(&p, 0); /* TTL */
datalen = MIN(datalen, buflen - (p - buf));
CHECKLEN(2);
putshort(&p, datalen);
CHECKLEN(datalen);
putdata(&p, data, datalen);
CHECKLEN(0);
ancnt = 1;
}
header->ancount = htons(ancnt);
break;
case QR_QUERY:
/* Note that iodined also uses this for forward queries */
header->qdcount = htons(1);
datalen = MIN(datalen, buflen - (p - buf));
putname(&p, datalen, data);
CHECKLEN(4);
putshort(&p, q->type);
putshort(&p, C_IN);
/* EDNS0 to advertise maximum response length
(even CNAME/A/MX, 255+255+header would be >512) */
if (dnsc_use_edns0) {
header->arcount = htons(1);
CHECKLEN(11);
putbyte(&p, 0x00); /* Root */
putshort(&p, 0x0029); /* OPT */
putshort(&p, 0x1000); /* Payload size: 4096 */
putshort(&p, 0x0000); /* Higher bits/edns version */
putshort(&p, 0x8000); /* Z */
putshort(&p, 0x0000); /* Data length */
}
break;
}
len = p - buf;
return len;
}
/* Only used when iodined gets an NS type query */
/* Mostly same as dns_encode_a_response() below */
int dns_encode_ns_response(char *buf, size_t buflen, struct query *q,
char *topdomain)
{
HEADER *header;
int len;
short name;
short topname;
short nsname;
char *ipp;
int domain_len;
char *p;
if (buflen < sizeof(HEADER))
return 0;
memset(buf, 0, buflen);
header = (HEADER*)buf;
header->id = htons(q->id);
header->qr = 1;
header->opcode = 0;
header->aa = 1;
header->tc = 0;
header->rd = 0;
header->ra = 0;
p = buf + sizeof(HEADER);
header->qdcount = htons(1);
header->ancount = htons(1);
/* pointer to start of name */
name = 0xc000 | ((p - buf) & 0x3fff);
domain_len = strlen(q->name) - strlen(topdomain);
if (domain_len < 0 || domain_len == 1)
return -1;
if (strcasecmp(q->name + domain_len, topdomain))
return -1;
if (domain_len >= 1 && q->name[domain_len - 1] != '.')
return -1;
/* pointer to start of topdomain; instead of dots at the end
we have length-bytes in front, so total length is the same */
topname = 0xc000 | ((p - buf + domain_len) & 0x3fff);
/* Query section */
putname(&p, buflen - (p - buf), q->name); /* Name */
CHECKLEN(4);
putshort(&p, q->type); /* Type */
putshort(&p, C_IN); /* Class */
/* Answer section */
CHECKLEN(12);
putshort(&p, name); /* Name */
putshort(&p, q->type); /* Type */
putshort(&p, C_IN); /* Class */
putlong(&p, 3600); /* TTL */
putshort(&p, 5); /* Data length */
/* pointer to ns.topdomain */
nsname = 0xc000 | ((p - buf) & 0x3fff);
CHECKLEN(5);
putbyte(&p, 2);
putbyte(&p, 'n');
putbyte(&p, 's');
putshort(&p, topname); /* Name Server */
/* Do we have an IPv4 address to send? */
if (q->destination.ss_family == AF_INET) {
struct sockaddr_in *dest = (struct sockaddr_in *) &q->destination;
/* One additional record coming */
header->arcount = htons(1);
/* Additional data (A-record of NS server) */
CHECKLEN(12);
putshort(&p, nsname); /* Name Server */
putshort(&p, T_A); /* Type */
putshort(&p, C_IN); /* Class */
putlong(&p, 3600); /* TTL */
putshort(&p, 4); /* Data length */
/* ugly hack to output IP address */
ipp = (char *) &dest->sin_addr.s_addr;
CHECKLEN(4);
putbyte(&p, *(ipp++));
putbyte(&p, *(ipp++));
putbyte(&p, *(ipp++));
putbyte(&p, *ipp);
}
len = p - buf;
return len;
}
/* Only used when iodined gets an A type query for ns.topdomain or
* www.topdomain . Mostly same as dns_encode_ns_response() above */
int dns_encode_a_response(char *buf, size_t buflen, struct query *q)
{
struct sockaddr_in *dest = (struct sockaddr_in *) &q->destination;
HEADER *header;
int len;
short name;
char *ipp;
char *p;
/* Check if we have an IPv4 address to send */
if (q->destination.ss_family != AF_INET)
return -1;
if (buflen < sizeof(HEADER))
return 0;
memset(buf, 0, buflen);
header = (HEADER*)buf;
header->id = htons(q->id);
header->qr = 1;
header->opcode = 0;
header->aa = 1;
header->tc = 0;
header->rd = 0;
header->ra = 0;
p = buf + sizeof(HEADER);
header->qdcount = htons(1);
header->ancount = htons(1);
/* pointer to start of name */
name = 0xc000 | ((p - buf) & 0x3fff);
/* Query section */
putname(&p, buflen - (p - buf), q->name); /* Name */
CHECKLEN(4);
putshort(&p, q->type); /* Type */
putshort(&p, C_IN); /* Class */
/* Answer section */
CHECKLEN(12);
putshort(&p, name); /* Name */
putshort(&p, q->type); /* Type */
putshort(&p, C_IN); /* Class */
putlong(&p, 3600); /* TTL */
putshort(&p, 4); /* Data length */
/* ugly hack to output IP address */
ipp = (char *) &dest->sin_addr.s_addr;
CHECKLEN(4);
putbyte(&p, *(ipp++));
putbyte(&p, *(ipp++));
putbyte(&p, *(ipp++));
putbyte(&p, *ipp);
len = p - buf;
return len;
}
int dns_encode_nxdomain(char *buf, size_t buflen, struct query *q, const char *zone)
{
char rnamebuf[256];
char nsbuf[256];
HEADER *header;
char *soa_start;
char *p;
if (buflen < sizeof(HEADER))
return 0;
memset(buf, 0, buflen);
header = (HEADER*)buf;
header->id = htons(q->id);
header->qr = 1; // response
header->opcode = 0;
header->aa = 1; // authoritative
header->tc = 0;
header->rd = 0;
header->ra = 0;
header->rcode = 3; // NXDOMAIN
header->qdcount = htons(1);
header->ancount = htons(0);
header->nscount = htons(1); // We'll include SOA
header->arcount = htons(0);
p = buf + sizeof(HEADER);
// Question section
putname(&p, buflen - (p - buf), q->name);
CHECKLEN(4);
putshort(&p, q->type);
putshort(&p, C_IN);
// Authority section (SOA)
CHECKLEN(10);
putname(&p, buflen - (p - buf), zone); // zone name (owner of SOA)
putshort(&p, T_SOA);
putshort(&p, C_IN);
putlong(&p, 60); // TTL
soa_start = p;
p += 2; // skip rdlength (to be filled later)
// Primary NS and responsible mailbox
snprintf(nsbuf, sizeof(nsbuf), "ns.%s", zone);
putname(&p, buflen - (p - buf), nsbuf);
snprintf(rnamebuf, sizeof(rnamebuf), "hostmaster.%s", zone);
putname(&p, buflen - (p - buf), rnamebuf);
// SOA fields: serial, refresh, retry, expire, minimum
putlong(&p, 1); // serial
putlong(&p, 3600); // refresh
putlong(&p, 1800); // retry
putlong(&p, 604800); // expire
putlong(&p, 60); // minimum
int soalen = p - soa_start - 2;
putshort(&soa_start, soalen); // fill in rdlength
return p - buf;
}
#undef CHECKLEN
unsigned short dns_get_id(char *packet, size_t packetlen)
{
HEADER *header;
header = (HEADER*)packet;
if (packetlen < sizeof(HEADER))
return 0;
return ntohs(header->id);
}
#define CHECKLEN(x) if (packetlen < (x) + (size_t)(data-packet)) return 0
int dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet,
size_t packetlen)
{
char name[QUERY_NAME_SIZE];
char rdata[4*1024];
HEADER *header;
short qdcount;
short ancount;
uint32_t ttl;
unsigned short class;
unsigned short type;
char *data;
unsigned short rlen;
int id;
int rv;
q->id2 = 0;
rv = 0;
header = (HEADER*)packet;
/* Reject short packets */
if (packetlen < sizeof(HEADER))
return 0;
if (header->qr != qr) {
warnx("header->qr does not match the requested qr");
return -1;
}
data = packet + sizeof(HEADER);
qdcount = ntohs(header->qdcount);
ancount = ntohs(header->ancount);
id = ntohs(header->id);
id = id & 0xFFFF; /* Kill any sign extension */
rlen = 0;
if (q != NULL)
q->rcode = header->rcode;
switch (qr) {
case QR_ANSWER:
if (qdcount < 1) {
/* We need a question */
return -1;
}
if (q != NULL)
q->id = id;
/* Read name even if no answer, to give better error message */
readname(packet, packetlen, &data, name, sizeof(name));
CHECKLEN(4);
readshort(packet, &data, &type);
readshort(packet, &data, &class);
/* if CHECKLEN okay, then we're sure to have a proper name */
if (q != NULL) {
/* We only need the first char to check it */
q->name[0] = name[0];
q->name[1] = '\0';
}
if (ancount < 1) {
/* DNS errors like NXDOMAIN have ancount=0 and
stop here. CNAME may also have A; MX/SRV may have
multiple results. */
return -1;
}
/* Here type is still the question type */
if (type == T_NULL || type == T_PRIVATE) {
/* Assume that first answer is what we wanted */
readname(packet, packetlen, &data, name, sizeof(name));
CHECKLEN(10);
readshort(packet, &data, &type);
readshort(packet, &data, &class);
readlong(packet, &data, &ttl);
readshort(packet, &data, &rlen);
rv = MIN(rlen, sizeof(rdata));
rv = readdata(packet, &data, rdata, rv);
if (rv >= 2 && buf) {
rv = MIN(rv, buflen);
memcpy(buf, rdata, rv);
} else {
rv = 0;
}
}
else if ((type == T_A || type == T_CNAME) && buf) {
/* Assume that first answer is what we wanted */
readname(packet, packetlen, &data, name, sizeof(name));
CHECKLEN(10);
readshort(packet, &data, &type);
readshort(packet, &data, &class);
readlong(packet, &data, &ttl);
readshort(packet, &data, &rlen);
if (type == T_CNAME) {
/* For tunnels, query type A has CNAME type answer */
memset(name, 0, sizeof(name));
readname(packet, packetlen, &data, name, sizeof(name) - 1);
name[sizeof(name)-1] = '\0';
strncpy(buf, name, buflen);
buf[buflen - 1] = '\0';
rv = strlen(buf);
}
if (type == T_A) {
/* Answer type A includes only 4 bytes.
Not used for tunneling. */
rv = MIN(rlen, sizeof(rdata));
rv = readdata(packet, &data, rdata, rv);
if (rv >= 2 && buf) {
rv = MIN(rv, buflen);
memcpy(buf, rdata, rv);
} else {
rv = 0;
}
}
}
else if ((type == T_MX || type == T_SRV) && buf) {
/* We support 250 records, 250*(255+header) ~= 64kB.
Only exact 10-multiples are accepted, and gaps in
numbering are not jumped over (->truncated).
Hopefully DNS servers won't mess around too much.
*/
char names[250][QUERY_NAME_SIZE];
char *rdatastart;
unsigned short pref;
int i;
int offset;
memset(names, 0, sizeof(names));
for (i = 0; i < ancount; i++) {
readname(packet, packetlen, &data, name, sizeof(name));
CHECKLEN(12);
readshort(packet, &data, &type);
readshort(packet, &data, &class);
readlong(packet, &data, &ttl);
readshort(packet, &data, &rlen);
rdatastart = data;
readshort(packet, &data, &pref);
if (type == T_SRV) {
/* skip weight, port */
data += 4;
CHECKLEN(0);
}
if (pref % 10 == 0 && pref >= 10 &&
pref < 2500) {
readname(packet, packetlen, &data,
names[pref / 10 - 1],
QUERY_NAME_SIZE - 1);
names[pref / 10 - 1]
[QUERY_NAME_SIZE-1] = '\0';
}
/* always trust rlen, not name encoding */
data = rdatastart + rlen;
CHECKLEN(0);
}
/* output is like Hname10.com\0Hname20.com\0\0 */
offset = 0;
i = 0;
while (names[i][0] != '\0') {
int l = MIN(strlen(names[i]), buflen-offset-2);
if (l <= 0)
break;
memcpy(buf + offset, names[i], l);
offset += l;
*(buf + offset) = '\0';
offset++;
i++;
}
*(buf + offset) = '\0';
rv = offset;
}
else if (type == T_TXT && buf) {
/* Assume that first answer is what we wanted */
readname(packet, packetlen, &data, name, sizeof(name));
CHECKLEN(10);
readshort(packet, &data, &type);
readshort(packet, &data, &class);
readlong(packet, &data, &ttl);
readshort(packet, &data, &rlen);
rv = readtxtbin(packet, &data, rlen, rdata,
sizeof(rdata));
if (rv >= 1) {
rv = MIN(rv, buflen);
memcpy(buf, rdata, rv);
} else {
rv = 0;
}
}
/* Here type is the answer type (note A->CNAME) */
if (q != NULL)
q->type = type;
break;
case QR_QUERY:
if (qdcount < 1) {
warnx("no question section in name query");
return -1;
}
memset(name, 0, sizeof(name));
readname(packet, packetlen, &data, name, sizeof(name) - 1);
name[sizeof(name)-1] = '\0';
CHECKLEN(4);
readshort(packet, &data, &type);
readshort(packet, &data, &class);
if (q == NULL) {
rv = 0;
break;
}
strncpy(q->name, name, sizeof(q->name));
q->name[sizeof(q->name) - 1] = '\0';
q->type = type;
q->id = id;
rv = strlen(q->name);
break;
}
return rv;
}
================================================
FILE: src/dns.h
================================================
/*
* Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
* 2006-2009 Bjorn Andersson <flex@kryo.se>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef __DNS_H__
#define __DNS_H__
#include "common.h"
typedef enum {
QR_QUERY = 0,
QR_ANSWER = 1
} qr_t;
extern int dnsc_use_edns0;
int dns_encode(char *, size_t, struct query *, qr_t, const char *, size_t);
int dns_encode_ns_response(char *buf, size_t buflen, struct query *q,
char *topdomain);
int dns_encode_a_response(char *buf, size_t buflen, struct query *q);
int dns_encode_nxdomain(char *buf, size_t buflen, struct query *q, const char *zone);
unsigned short dns_get_id(char *packet, size_t packetlen);
int dns_decode(char *, size_t, struct query *, qr_t, char *, size_t);
#endif /* _DNS_H_ */
================================================
FILE: src/encoding.c
================================================
/*
* Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
* 2006-2009 Bjorn Andersson <flex@kryo.se>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <string.h>
#include "common.h"
#include "encoding.h"
int build_hostname(char *buf, size_t buflen, const char *data,
const size_t datalen, const char *topdomain,
const struct encoder *encoder, int maxlen)
{
size_t space;
char *b;
space = MIN((size_t)maxlen, buflen) - strlen(topdomain) - 8;
/* 8 = 5 max header length + 1 dot before topdomain + 2 safety */
if (!encoder->places_dots)
space -= (space / 57); /* space for dots */
memset(buf, 0, buflen);
encoder->encode(buf, &space, data, datalen);
if (!encoder->places_dots)
inline_dotify(buf, buflen);
b = buf;
b += strlen(buf);
/* move b back one step to see if the dot is there */
b--;
if (*b != '.')
*++b = '.';
b++;
/* move b ahead of the string so we can copy to it */
strncpy(b, topdomain, strlen(topdomain)+1);
return space;
}
int unpack_data(char *buf, size_t buflen, char *data, size_t datalen,
const struct encoder *enc)
{
if (!enc->eats_dots)
datalen = inline_undotify(data, datalen);
return enc->decode(buf, &buflen, data, datalen);
}
int inline_dotify(char *buf, size_t buflen)
{
unsigned dots;
unsigned pos;
unsigned total;
char *reader, *writer;
total = strlen(buf);
dots = total / 57;
writer = buf;
writer += total;
writer += dots;
total += dots;
if (strlen(buf) + dots > buflen) {
writer = buf;
writer += buflen;
total = buflen;
}
reader = writer - dots;
pos = (unsigned) (reader - buf) + 1;
while (dots) {
*writer-- = *reader--;
pos--;
if (pos % 57 == 0) {
*writer-- = '.';
dots--;
}
}
/* return new length of string */
return total;
}
int inline_undotify(char *buf, size_t len)
{
unsigned pos;
unsigned dots;
char *reader, *writer;
writer = buf;
reader = writer;
pos = 0;
dots = 0;
while (pos < len) {
if (*reader == '.') {
reader++;
pos++;
dots++;
continue;
}
*writer++ = *reader++;
pos++;
}
/* return new length of string */
return len - dots;
}
================================================
FILE: src/encoding.h
================================================
/*
* Copyright (c) 2006-2014 Erik Ekman
* 2006-2009 Bjorn Andersson
* Copyright (c) 2017 Ralf Ramsauer
*
* Authors:
* Bjorn Andersson <flex@kryo.se>
* Erok Ekman <yarrick@kryo.se>,
* Ralf Ramsauer <ralf@ramses-pyramidenbau.de>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _ENCODING_H_
#define _ENCODING_H_
#include <stdbool.h>
/* All-0, all-1, 01010101, 10101010: each 4 times to make sure the pattern
spreads across multiple encoded chars -> 16 bytes total.
Followed by 32 bytes from my /dev/random; should be enough.
*/
#define DOWNCODECCHECK1 \
"\000\000\000\000\377\377\377\377\125\125\125\125\252\252\252\252" \
"\201\143\310\322\307\174\262\027\137\117\316\311\111\055\122\041" \
"\141\251\161\040\045\263\006\163\346\330\104\060\171\120\127\277"
#define DOWNCODECCHECK1_LEN 48
struct encoder {
const char name[8];
int (*encode)(char *dst, size_t *dstlen, const void *src, size_t srclen);
int (*decode)(void *dst, size_t *dstlen, const char *src, size_t srclen);
const bool places_dots;
const bool eats_dots;
const int blocksize_raw;
const int blocksize_encoded;
};
int build_hostname(char *, size_t, const char *, const size_t, const char *,
const struct encoder *, int);
int unpack_data(char *, size_t, char *, size_t, const struct encoder *);
int inline_dotify(char *, size_t);
int inline_undotify(char *, size_t);
extern const struct encoder base32_ops;
extern const struct encoder base64_ops;
extern const struct encoder base64u_ops;
extern const struct encoder base128_ops;
int b32_5to8(int);
int b32_8to5(int);
#endif
================================================
FILE: src/fw_query.c
================================================
/*
* Copyright (c) 2008-2014 Erik Ekman <yarrick@kryo.se>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <string.h>
#include "fw_query.h"
static struct fw_query fwq[FW_QUERY_CACHE_SIZE];
static int fwq_ix;
void fw_query_init(void)
{
memset(fwq, 0, sizeof(struct fw_query) * FW_QUERY_CACHE_SIZE);
fwq_ix = 0;
}
void fw_query_put(struct fw_query *fw_query)
{
memcpy(&(fwq[fwq_ix]), fw_query, sizeof(struct fw_query));
++fwq_ix;
if (fwq_ix >= FW_QUERY_CACHE_SIZE)
fwq_ix = 0;
}
void fw_query_get(unsigned short query_id, struct fw_query **fw_query)
{
int i;
*fw_query = NULL;
for (i = 0; i < FW_QUERY_CACHE_SIZE; i++) {
if (fwq[i].id == query_id) {
*fw_query = &(fwq[i]);
return;
}
}
}
================================================
FILE: src/fw_query.h
================================================
/*
* Copyright (c) 2008-2014 Erik Ekman <yarrick@kryo.se>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef __FW_QUERY_H__
#define __FW_QUERY_H__
#include <sys/types.h>
#ifdef WINDOWS32
#include "windows.h"
#include <winsock2.h>
#else
#include <sys/socket.h>
#endif
#define FW_QUERY_CACHE_SIZE 16
struct fw_query {
struct sockaddr_storage addr;
int addrlen;
unsigned short id;
};
void fw_query_init(void);
void fw_query_put(struct fw_query *fw_query);
void fw_query_get(unsigned short query_id, struct fw_query **fw_query);
#endif /*__FW_QUERY_H__*/
================================================
FILE: src/iodine.c
================================================
/*
* Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
* 2006-2009 Bjorn Andersson <flex@kryo.se>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stdbool.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <fcntl.h>
#include <time.h>
#ifdef WINDOWS32
#include "windows.h"
#include <winsock2.h>
#else
#include <grp.h>
#include <pwd.h>
#include <netdb.h>
#endif
#include "common.h"
#include "tun.h"
#include "client.h"
#include "util.h"
#ifdef WINDOWS32
WORD req_version = MAKEWORD(2, 2);
WSADATA wsa_data;
#endif
#if !defined(BSD) && !defined(__GLIBC__)
static char *__progname;
#else
extern char *__progname;
#endif
#define PASSWORD_ENV_VAR "IODINE_PASS"
static void
sighandler(int sig)
{
client_stop();
}
#if defined(__GNUC__) || defined(__clang__)
/* mark as no return to help some compilers to avoid warnings
* about use of uninitialized variables */
static inline void usage(void) __attribute__((noreturn));
static inline void help(FILE * stream, bool verbose) __attribute__((noreturn));
#endif
static void help(FILE *
gitextract_5r1bs810/
├── .github/
│ └── workflows/
│ ├── freebsd.yml
│ ├── macos.yml
│ ├── openbsd.yml
│ ├── ubuntu.yml
│ └── windows.yml
├── .gitignore
├── .vimrc
├── CHANGELOG
├── LICENSE
├── Makefile
├── README-android.txt
├── README-win32.txt
├── README.md
├── doc/
│ ├── iodine-server.service
│ ├── iodine-server.socket
│ ├── iodine.te
│ ├── proto_00000402.txt
│ ├── proto_00000500.txt
│ └── proto_00000502.txt
├── man/
│ └── iodine.8
├── src/
│ ├── Android.16.mk
│ ├── Android.mk
│ ├── Makefile
│ ├── android_dns.h
│ ├── base128.c
│ ├── base32.c
│ ├── base64.c
│ ├── client.c
│ ├── client.h
│ ├── common.c
│ ├── common.h
│ ├── dns.c
│ ├── dns.h
│ ├── encoding.c
│ ├── encoding.h
│ ├── fw_query.c
│ ├── fw_query.h
│ ├── iodine.c
│ ├── iodined.c
│ ├── login.c
│ ├── login.h
│ ├── md5.c
│ ├── md5.h
│ ├── osflags
│ ├── read.c
│ ├── read.h
│ ├── tun.c
│ ├── tun.h
│ ├── user.c
│ ├── user.h
│ ├── util.c
│ ├── util.h
│ ├── version.h
│ └── windows.h
└── tests/
├── Makefile
├── base32.c
├── base64.c
├── common.c
├── dns.c
├── encoding.c
├── fw_query.c
├── login.c
├── read.c
├── test.c
├── test.h
└── user.c
SYMBOL INDEX (317 symbols across 35 files)
FILE: src/android_dns.h
type HEADER (line 23) | typedef struct {
FILE: src/base128.c
function base128_reverse_init (line 54) | inline static void base128_reverse_init(void)
function base128_encode (line 78) | static int base128_encode(char *buf, size_t *buflen, const void *data,
function base128_decode (line 174) | static int base128_decode(void *buf, size_t *buflen, const char *str,
type encoder (line 250) | struct encoder
FILE: src/base32.c
function base32_reverse_init (line 35) | inline static void base32_reverse_init(void)
function b32_5to8 (line 52) | int b32_5to8(int in)
function b32_8to5 (line 57) | int b32_8to5(int in)
function base32_encode (line 72) | static int base32_encode(char *buf, size_t *buflen, const void *data, si...
function base32_decode (line 164) | static int base32_decode(void *buf, size_t *buflen, const char *str,
type encoder (line 227) | struct encoder
FILE: src/base64.c
function base64_reverse_init (line 35) | inline static void base64_reverse_init(void)
function base64_encode (line 59) | static int base64_encode(char *buf, size_t *buflen, const void *data,
function base64_decode (line 122) | static int base64_decode(void *buf, size_t *buflen, const char *str,
type encoder (line 165) | struct encoder
FILE: src/client.c
type sockaddr_storage (line 61) | struct sockaddr_storage
type sockaddr_storage (line 63) | struct sockaddr_storage
type packet (line 70) | struct packet
type packet (line 71) | struct packet
type encoder (line 86) | struct encoder
type connection (line 95) | enum connection
function client_init (line 105) | void
function client_stop (line 126) | void
function client_get_conn (line 132) | enum connection
function client_set_nameserver (line 138) | void
function client_set_topdomain (line 145) | void
function client_set_password (line 151) | void
function client_set_qtype (line 157) | int
function client_set_downenc (line 193) | void
function client_set_selecttimeout (line 208) | void
function client_set_lazymode (line 214) | void
function client_set_hostname_maxlen (line 220) | void
function send_query (line 233) | static void
function send_raw (line 294) | static void
function send_raw_data (line 313) | static void
function send_packet (line 321) | static void
function is_sending (line 333) | static inline int is_sending(void)
function send_chunk (line 338) | static void
function send_ping (line 383) | static void
function write_dns_error (line 407) | static void
function dns_namedec (line 447) | static int
function read_dns_withq (line 544) | static int
function handshake_waitdns (line 651) | static int
function tunnel_tun (line 734) | static int
function tunnel_dns (line 774) | static int
function client_tunnel (line 1079) | int
function send_login (line 1178) | static void
function send_fragsize_probe (line 1195) | static void
function send_set_downstream_fragsize (line 1224) | static void
function send_version (line 1240) | static void
function send_handshake_query (line 1260) | static void
function send_raw_udp_login (line 1280) | static void
function send_upenctest (line 1289) | static void
function send_downenctest (line 1306) | static void
function send_lazy_switch (line 1317) | static void
function handshake_version (line 1328) | static int
function handshake_login (line 1376) | static int
function handshake_raw_udp (line 1427) | static int
function handshake_upenctest (line 1523) | static int
function handshake_upenc_autodetect (line 1600) | static int
function handshake_downenctest (line 1695) | static int
function handshake_downenc_autodetect (line 1739) | static char
function handshake_qtypetest (line 1787) | static int
function handshake_qtype_numcvt (line 1828) | static int
function handshake_qtype_autodetect (line 1843) | static int
function handshake_edns0_check (line 1915) | static int
function handshake_switch_codec (line 1965) | static void
function handshake_switch_downenc (line 2020) | static void
function handshake_try_lazy (line 2073) | static void
function handshake_lazyoff (line 2117) | static void
function fragsize_check (line 2144) | static int
function handshake_autoprobe_fragsize (line 2217) | static int
function handshake_set_fragsize (line 2291) | static void
function client_handshake (line 2328) | int
FILE: src/client.h
type connection (line 24) | enum connection
type sockaddr_storage (line 27) | struct sockaddr_storage
FILE: src/common.c
function daemon (line 61) | static int daemon(int nochdir, int noclose)
function setgroups (line 97) | int setgroups(int count, int *groups)
function check_superuser (line 105) | void
type sockaddr_storage (line 116) | struct sockaddr_storage
type sockaddr_in (line 121) | struct sockaddr_in
type sockaddr (line 122) | struct sockaddr
type sockaddr_in6 (line 123) | struct sockaddr_in6
type sockaddr_in6 (line 124) | struct sockaddr_in6
type sockaddr_in6 (line 124) | struct sockaddr_in6
type in_addr (line 126) | struct in_addr
type sockaddr (line 131) | struct sockaddr
function get_addr (line 139) | int
function open_dns (line 173) | int
function open_dns_opt (line 179) | int
function open_dns_from_host (line 217) | int
function close_dns (line 230) | void
function do_chroot (line 236) | void
function do_setcon (line 251) | void
function do_pidfile (line 262) | void
function do_detach (line 280) | void
function read_password (line 293) | void
function check_topdomain (line 336) | int
function query_datalen (line 409) | int
function inet_aton (line 457) | int
function vwarn (line 465) | void
function warn (line 478) | void
function err (line 488) | void
function vwarnx (line 499) | void
function warnx (line 506) | void
function errx (line 516) | void
function recent_seqno (line 529) | int recent_seqno(int ourseqno, int gotseqno)
function fd_set_close_on_exec (line 548) | void
FILE: src/common.h
type packet (line 77) | struct packet
type query (line 87) | struct query {
type connection (line 101) | enum connection {
function check_superuser (line 108) | static inline void check_superuser(void)
type sockaddr_storage (line 114) | struct sockaddr_storage
type sockaddr_storage (line 115) | struct sockaddr_storage
type sockaddr_storage (line 116) | struct sockaddr_storage
type sockaddr_storage (line 117) | struct sockaddr_storage
type in_addr (line 135) | struct in_addr
FILE: src/dns.c
function dns_encode (line 52) | int dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr,
function dns_encode_ns_response (line 232) | int dns_encode_ns_response(char *buf, size_t buflen, struct query *q,
function dns_encode_a_response (line 331) | int dns_encode_a_response(char *buf, size_t buflen, struct query *q)
function dns_encode_nxdomain (line 393) | int dns_encode_nxdomain(char *buf, size_t buflen, struct query *q, const...
function dns_get_id (line 460) | unsigned short dns_get_id(char *packet, size_t packetlen)
function dns_decode (line 473) | int dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char ...
FILE: src/dns.h
type qr_t (line 23) | typedef enum {
type query (line 30) | struct query
type query (line 31) | struct query
type query (line 33) | struct query
type query (line 34) | struct query
type query (line 36) | struct query
FILE: src/encoding.c
function build_hostname (line 22) | int build_hostname(char *buf, size_t buflen, const char *data,
function unpack_data (line 57) | int unpack_data(char *buf, size_t buflen, char *data, size_t datalen,
function inline_dotify (line 65) | int inline_dotify(char *buf, size_t buflen)
function inline_undotify (line 102) | int inline_undotify(char *buf, size_t len)
FILE: src/encoding.h
type encoder (line 39) | struct encoder {
type encoder (line 52) | struct encoder
type encoder (line 53) | struct encoder
type encoder (line 57) | struct encoder
type encoder (line 58) | struct encoder
type encoder (line 59) | struct encoder
type encoder (line 60) | struct encoder
FILE: src/fw_query.c
type fw_query (line 20) | struct fw_query
function fw_query_init (line 23) | void fw_query_init(void)
function fw_query_put (line 29) | void fw_query_put(struct fw_query *fw_query)
function fw_query_get (line 38) | void fw_query_get(unsigned short query_id, struct fw_query **fw_query)
FILE: src/fw_query.h
type fw_query (line 30) | struct fw_query {
type fw_query (line 37) | struct fw_query
type fw_query (line 38) | struct fw_query
FILE: src/iodine.c
function sighandler (line 58) | static void
function help (line 71) | static void help(FILE *stream, bool verbose)
function usage (line 111) | static inline void usage(void)
function version (line 116) | static void version(void)
function main (line 124) | int main(int argc, char **argv)
FILE: src/iodined.c
type dnsfd (line 108) | struct dnsfd {
type dnsfd (line 113) | struct dnsfd
type query (line 113) | struct query
type query (line 114) | struct query
type dnsfd (line 115) | struct dnsfd
function get_dns_fd (line 117) | static int
function get_external_ip (line 127) | static int
function sigint (line 179) | static void
function check_user_and_ip (line 186) | static int check_user_and_ip(int userid, struct query *q)
function check_authenticated_user_and_ip (line 229) | static int check_authenticated_user_and_ip(int userid, struct query *q)
function check_authenticated_user_and_ip_and_options (line 241) | static int check_authenticated_user_and_ip_and_options(int userid, struc...
function send_raw (line 253) | static void send_raw(int fd, char *buf, int buflen, int user, int cmd, s...
function start_new_outpacket (line 277) | static void start_new_outpacket(int userid, char *data, int datalen)
function save_to_outpacketq (line 293) | static int save_to_outpacketq(int userid, char *data, int datalen)
function get_from_outpacketq (line 321) | static int get_from_outpacketq(int userid)
function save_to_dnscache (line 368) | static void save_to_dnscache(int userid, struct query *q, char *answer, ...
function answer_from_dnscache (line 387) | static int answer_from_dnscache(int dns_fd, int userid, struct query *q)
function save_to_qmem (line 428) | static inline void save_to_qmem(unsigned char *qmem_cmc,
function save_to_qmem_pingordata (line 446) | static inline void save_to_qmem_pingordata(int userid, struct query *q)
function answer_from_qmem (line 501) | static int answer_from_qmem(int dns_fd, struct query *q,
function answer_from_qmem_data (line 534) | static inline int answer_from_qmem_data(int dns_fd, int userid,
function send_chunk_or_dataless (line 560) | static int send_chunk_or_dataless(int dns_fd, int userid, struct query *q)
function tunnel_tun (line 644) | static int tunnel_tun(int tun_fd, struct dnsfd *dns_fds)
type version_ack_t (line 695) | typedef enum {
function send_version_response (line 701) | static void send_version_response(int fd, version_ack_t ack, uint32_t pa...
function process_downstream_ack (line 731) | static void process_downstream_ack(int userid, int down_seq, int down_frag)
function handle_null_request (line 764) | static void
function handle_ns_request (line 1525) | static void
function handle_a_request (line 1558) | static void
function handle_underscore_request (line 1600) | static void
function forward_query (line 1621) | static void
function tunnel_bind (line 1656) | static int
function tunnel_dns (line 1703) | static int
function tunnel (line 1781) | static int
function handle_full_packet (line 1891) | static void
function handle_raw_login (line 1952) | static void
function handle_raw_data (line 1991) | static void
function handle_raw_ping (line 2016) | static void
function raw_decode (line 2036) | static int
function read_dns (line 2067) | static int
function write_dns_nameenc (line 2149) | static size_t
function write_dns (line 2219) | static void
function print_usage (line 2307) | static void print_usage(FILE *stream)
function usage (line 2317) | static void usage(void)
function help (line 2323) | static void help(FILE *stream)
function version (line 2364) | static void version(void)
function prepare_dns_fd (line 2373) | static void prepare_dns_fd(int fd)
function main (line 2390) | int
FILE: src/login.c
function login_calculate (line 34) | void
FILE: src/md5.c
function md5_process (line 131) | static void
function md5_init (line 312) | void
function md5_append (line 322) | void
function md5_finish (line 360) | void
FILE: src/md5.h
type md5_byte_t (line 63) | typedef unsigned char md5_byte_t;
type md5_word_t (line 64) | typedef unsigned int md5_word_t;
type md5_state_t (line 67) | typedef struct md5_state_s {
FILE: src/read.c
function readname_loop (line 24) | static int
function readname (line 83) | int
function readshort (line 89) | int
function readlong (line 101) | int
function readdata (line 118) | int
function readtxtbin (line 128) | int
function putname (line 157) | int
function putbyte (line 193) | int
function putshort (line 202) | int
function putlong (line 216) | int
function putdata (line 233) | int
function puttxtbin (line 242) | int
FILE: src/tun.c
type tun_data (line 53) | struct tun_data
function open_tun (line 88) | int
function get_device (line 150) | static void
function get_name (line 231) | static void
function DWORD (line 260) | DWORD WINAPI tun_reader(LPVOID arg)
function open_tun (line 288) | int
function utun_unit (line 342) | static int
function open_utun (line 360) | static int
function open_tun (line 425) | int
function close_tun (line 488) | void
function write_tun (line 496) | int
function read_tun (line 520) | ssize_t
function tun_uses_header (line 534) | static int
function write_tun (line 548) | int
function read_tun (line 579) | ssize_t
function tun_setip (line 598) | int
function tun_setmtu (line 696) | int
FILE: src/user.c
type tun_user (line 37) | struct tun_user
function init_users (line 40) | int init_users(in_addr_t my_ip, int netbits)
type in_addr (line 89) | struct in_addr
function find_user_by_ip (line 94) | int find_user_by_ip(uint32_t ip)
function all_users_waiting_to_send (line 118) | int all_users_waiting_to_send(void)
function find_available_user (line 145) | int find_available_user(void)
function user_switch_codec (line 166) | void user_switch_codec(int userid, const struct encoder *enc)
function user_set_conn_type (line 174) | void user_set_conn_type(int userid, enum connection c)
FILE: src/user.h
type tun_user (line 37) | struct tun_user {
type tun_user (line 81) | struct tun_user
type encoder (line 88) | struct encoder
type connection (line 89) | enum connection
FILE: src/util.c
function socket_setrtable (line 79) | void
FILE: src/windows.h
type in_addr_t (line 21) | typedef unsigned int in_addr_t;
type HEADER (line 56) | typedef struct {
type ip (line 77) | struct ip {
type tun_data (line 95) | struct tun_data {
FILE: tests/base32.c
type tuple (line 29) | struct tuple
function START_TEST (line 41) | START_TEST(test_base32_encode)
function END_TEST (line 54) | END_TEST
function END_TEST (line 68) | END_TEST
function END_TEST (line 80) | END_TEST
function END_TEST (line 119) | END_TEST
FILE: tests/base64.c
type tuple (line 29) | struct tuple
function START_TEST (line 67) | START_TEST(test_base64_encode)
function END_TEST (line 79) | END_TEST
function END_TEST (line 93) | END_TEST
function END_TEST (line 132) | END_TEST
FILE: tests/common.c
function START_TEST (line 24) | START_TEST(test_topdomain_ok)
function END_TEST (line 41) | END_TEST
function END_TEST (line 76) | END_TEST
function END_TEST (line 114) | END_TEST
function END_TEST (line 144) | END_TEST
function END_TEST (line 165) | END_TEST
function END_TEST (line 190) | END_TEST
function END_TEST (line 210) | END_TEST
function END_TEST (line 230) | END_TEST
function END_TEST (line 255) | END_TEST
function END_TEST (line 281) | END_TEST
function END_TEST (line 303) | END_TEST
FILE: tests/dns.c
function START_TEST (line 67) | START_TEST(test_encode_query)
function END_TEST (line 108) | END_TEST
function END_TEST (line 135) | END_TEST
function END_TEST (line 160) | END_TEST
function END_TEST (line 179) | END_TEST
function END_TEST (line 199) | END_TEST
function END_TEST (line 213) | END_TEST
function END_TEST (line 222) | END_TEST
function END_TEST (line 231) | END_TEST
function TCase (line 252) | TCase *
FILE: tests/encoding.c
type tuple (line 28) | struct tuple
function START_TEST (line 43) | START_TEST(test_inline_dotify)
function END_TEST (line 55) | END_TEST
function END_TEST (line 69) | END_TEST
function END_TEST (line 93) | END_TEST
FILE: tests/fw_query.c
function START_TEST (line 22) | START_TEST(test_fw_query_simple)
function END_TEST (line 43) | END_TEST
function END_TEST (line 76) | END_TEST
FILE: tests/login.c
function START_TEST (line 24) | START_TEST(test_login_hash)
function END_TEST (line 39) | END_TEST
function END_TEST (line 59) | END_TEST
FILE: tests/read.c
function START_TEST (line 39) | START_TEST(test_read_putshort)
function END_TEST (line 60) | END_TEST
function END_TEST (line 86) | END_TEST
function END_TEST (line 104) | END_TEST
function END_TEST (line 122) | END_TEST
function END_TEST (line 146) | END_TEST
function END_TEST (line 162) | END_TEST
function END_TEST (line 187) | END_TEST
function END_TEST (line 212) | END_TEST
function END_TEST (line 229) | END_TEST
function END_TEST (line 247) | END_TEST
function END_TEST (line 269) | END_TEST
FILE: tests/test.c
function main (line 26) | int
FILE: tests/user.c
function START_TEST (line 31) | START_TEST(test_init_users)
function END_TEST (line 49) | END_TEST
function END_TEST (line 81) | END_TEST
function END_TEST (line 110) | END_TEST
function END_TEST (line 142) | END_TEST
function END_TEST (line 170) | END_TEST
Condensed preview — 66 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (423K chars).
[
{
"path": ".github/workflows/freebsd.yml",
"chars": 454,
"preview": "name: freebsd\n\non:\n push:\n branches: [ master ]\n pull_request:\n branches: [ master ]\n\npermissions:\n contents:"
},
{
"path": ".github/workflows/macos.yml",
"chars": 343,
"preview": "name: macos\n\non:\n push:\n branches: [ master ]\n pull_request:\n branches: [ master ]\n\npermissions:\n contents: r"
},
{
"path": ".github/workflows/openbsd.yml",
"chars": 429,
"preview": "name: openbsd\n\non:\n push:\n branches: [ master ]\n pull_request:\n branches: [ master ]\n\npermissions:\n contents:"
},
{
"path": ".github/workflows/ubuntu.yml",
"chars": 555,
"preview": "name: ubuntu\n\non:\n push:\n branches: [ master ]\n pull_request:\n branches: [ master ]\n\npermissions:\n contents: "
},
{
"path": ".github/workflows/windows.yml",
"chars": 484,
"preview": "name: windows\n\non:\n push:\n branches: [ master ]\n pull_request:\n branches: [ master ]\n\npermissions:\n contents:"
},
{
"path": ".gitignore",
"chars": 101,
"preview": "/bin/\n*.o\n/src/base64u.c\n/src/base64u.h\n/tests/test\n*.o.d\n/src/obj/local/*/iodine\n/src/libs/*/iodine\n"
},
{
"path": ".vimrc",
"chars": 65,
"preview": "set noexpandtab\nset tabstop=8\nset softtabstop=8\nset shiftwidth=8\n"
},
{
"path": "CHANGELOG",
"chars": 8681,
"preview": "\niodine - https://code.kryo.se/iodine\n\n************************************\n\nCHANGES:\n\nmaster:\n\t- Changed deprecated tzs"
},
{
"path": "LICENSE",
"chars": 737,
"preview": "Copyright (c) 2006-2020 iodine authors\n\nPermission to use, copy, modify, and/or distribute this software for any purpose"
},
{
"path": "Makefile",
"chars": 4021,
"preview": "prefix?=/usr/local\nsbindir=$(prefix)/sbin\ndatadir=$(prefix)/share\nmandir=$(datadir)/man\ndocdir=$(datadir)/doc\n\nDESTDIR=\n"
},
{
"path": "README-android.txt",
"chars": 1364,
"preview": "\r\n\r\niodine - https://code.kryo.se/iodine\r\n\r\n***********************************\r\n\r\nExtra README file for Android\r\n\r\n\r\n=="
},
{
"path": "README-win32.txt",
"chars": 1941,
"preview": "\r\n\r\niodine - https://code.kryo.se/iodine\r\n\r\n***********************************\r\n\r\nExtra README file for Win32 related s"
},
{
"path": "README.md",
"chars": 19901,
"preview": "iodine - <https://code.kryo.se/iodine>\n=====================================\n\n\nThis is a piece of software that lets you"
},
{
"path": "doc/iodine-server.service",
"chars": 238,
"preview": "[Unit]\nDescription=Iodine Server\nAfter=local-fs.target network.target\n\n[Service]\nEnvironmentFile=-/etc/sysconfig/iodine-"
},
{
"path": "doc/iodine-server.socket",
"chars": 145,
"preview": "[Unit]\nDescription=Iodine socket\n\n[Socket]\nListenDatagram=53\nListenDatagram=0.0.0.0:53\nBindIPv6Only=ipv6-only\n\n[Install]"
},
{
"path": "doc/iodine.te",
"chars": 720,
"preview": "# Sample post-initialization SELinux policy for Iodine\npolicy_module(iodine, 1.1)\n\nrequire {\n\ttype init_t;\n\ttype initrc_"
},
{
"path": "doc/proto_00000402.txt",
"chars": 1578,
"preview": "Detailed specification of protocol in version 00000402\n======================================================\n\nCMC = 2 b"
},
{
"path": "doc/proto_00000500.txt",
"chars": 3310,
"preview": "Detailed specification of protocol in version 00000500\n======================================================\n\nCMC = 2 b"
},
{
"path": "doc/proto_00000502.txt",
"chars": 9892,
"preview": "Detailed specification of protocol in version 00000502\n======================================================\n\nNote: wor"
},
{
"path": "man/iodine.8",
"chars": 11738,
"preview": ".\\\" groff -man -Tascii iodine.8\n.TH IODINE 8 \"APR 2023\" \"User Manuals\"\n.SH NAME\niodine, iodined \\- tunnel IPv4 over DNS\n"
},
{
"path": "src/Android.16.mk",
"chars": 712,
"preview": "#\n# iodine for Android\n#\n# by Marcel Bokhorst\n# http://blog.bokhorst.biz/5123/computers-en-internet/iodine-for-android/\n"
},
{
"path": "src/Android.mk",
"chars": 662,
"preview": "#\n# iodine for Android\n#\n# by Marcel Bokhorst\n# http://blog.bokhorst.biz/5123/computers-en-internet/iodine-for-android/\n"
},
{
"path": "src/Makefile",
"chars": 1314,
"preview": "COMMONOBJS = tun.o dns.o read.o encoding.o login.o base32.o base64.o base64u.o base128.o md5.o common.o\nCLIENTOBJS = iod"
},
{
"path": "src/android_dns.h",
"chars": 1508,
"preview": "/*\n * Copyright (c) 2009 Marcel Bokhorst <marcel@bokhorst.biz>\n *\n * Permission to use, copy, modify, and/or distribute "
},
{
"path": "src/base128.c",
"chars": 7491,
"preview": "/*\n * Copyright (C) 2009 J.A.Bezemer@opensourcepartners.nl\n *\n * Permission to use, copy, modify, and/or distribute this"
},
{
"path": "src/base32.c",
"chars": 6357,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n * Mostly rewrit"
},
{
"path": "src/base64.c",
"chars": 4913,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n * Mostly rewrit"
},
{
"path": "src/client.c",
"chars": 60774,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/client.h",
"chars": 1542,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/common.c",
"chars": 11924,
"preview": "/* Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n * Copyright (c) 20"
},
{
"path": "src/common.h",
"chars": 4026,
"preview": "/*\n * Copyright (c) 2006-2015 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/dns.c",
"chars": 16339,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/dns.h",
"chars": 1458,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/encoding.c",
"chars": 2797,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/encoding.h",
"chars": 2277,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman\n * 2006-2009 Bjorn Andersson\n * Copyright (c) 2017 Ralf Ramsauer\n *\n * Authors:"
},
{
"path": "src/fw_query.c",
"chars": 1410,
"preview": "/*\n * Copyright (c) 2008-2014 Erik Ekman <yarrick@kryo.se>\n *\n * Permission to use, copy, modify, and/or distribute this"
},
{
"path": "src/fw_query.h",
"chars": 1255,
"preview": "/*\n * Copyright (c) 2008-2014 Erik Ekman <yarrick@kryo.se>\n *\n * Permission to use, copy, modify, and/or distribute this"
},
{
"path": "src/iodine.c",
"chars": 9655,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/iodined.c",
"chars": 78451,
"preview": "/*\n * Copyright (c) 2006-2015 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/login.c",
"chars": 1478,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/login.h",
"chars": 945,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/md5.c",
"chars": 12395,
"preview": "/*\n Copyright (C) 1999, 2000, 2002 Aladdin Enterprises. All rights reserved.\n\n This software is provided 'as-is', wit"
},
{
"path": "src/md5.h",
"chars": 3391,
"preview": "/*\n Copyright (C) 1999, 2002 Aladdin Enterprises. All rights reserved.\n\n This software is provided 'as-is', without a"
},
{
"path": "src/osflags",
"chars": 1132,
"preview": "#!/bin/sh\n\n: \"${PKG_CONFIG:=pkg-config}\"\n\ncase $2 in\nlink)\n\n\tcase $1 in\n\t\tSunOS | solaris)\n\t\t\techo '-lsocket -lnsl';\n\t\t;"
},
{
"path": "src/read.c",
"chars": 5034,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/read.h",
"chars": 1384,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/tun.c",
"chars": 16998,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n * 2013 Peter Sa"
},
{
"path": "src/tun.h",
"chars": 1100,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/user.c",
"chars": 4260,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/user.h",
"chars": 2809,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/util.c",
"chars": 2375,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/util.h",
"chars": 964,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/version.h",
"chars": 1054,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "src/windows.h",
"chars": 3300,
"preview": "/*\r\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\r\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\r\n *\r\n * Permis"
},
{
"path": "tests/Makefile",
"chars": 834,
"preview": "TEST = test\nOBJS = test.o base32.o base64.o common.o read.o dns.o encoding.o login.o user.o fw_query.o\nSRCOBJS = ../src/"
},
{
"path": "tests/base32.c",
"chars": 3106,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "tests/base64.c",
"chars": 4518,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "tests/common.c",
"chars": 10874,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "tests/dns.c",
"chars": 7384,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "tests/encoding.c",
"chars": 2787,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "tests/fw_query.c",
"chars": 1938,
"preview": "/*\n * Copyright (c) 2009-2014 Erik Ekman <yarrick@kryo.se>\n *\n * Permission to use, copy, modify, and/or distribute this"
},
{
"path": "tests/login.c",
"chars": 1822,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "tests/read.c",
"chars": 7275,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "tests/test.c",
"chars": 1886,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "tests/test.h",
"chars": 1434,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
},
{
"path": "tests/user.c",
"chars": 4282,
"preview": "/*\n * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,\n * 2006-2009 Bjorn Andersson <flex@kryo.se>\n *\n * Permission"
}
]
About this extraction
This page contains the full source code of the yarrick/iodine GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 66 files (379.2 KB), approximately 121.6k tokens, and a symbol index with 317 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.