diff options
author | Nicolas Douma <nicolas@serveur.io> | 2019-10-02 21:10:51 +0200 |
---|---|---|
committer | Nicolas Douma <nicolas@serveur.io> | 2019-10-12 05:32:53 +0200 |
commit | 0ea1df3c192beccad9a5f04d7d6b8d3b4e34a85f (patch) | |
tree | 18b2503d500d89470966f9874ca01a60ea9f4505 /src/tools/wg-quick/android/wg-quick.c | |
parent | wg-quick: android: add addresses after bringing interface up (diff) | |
download | wireguard-monolithic-historical-0ea1df3c192beccad9a5f04d7d6b8d3b4e34a85f.tar.xz wireguard-monolithic-historical-0ea1df3c192beccad9a5f04d7d6b8d3b4e34a85f.zip |
wg-quick: android: use Binder for setting DNS on Android 10nd/android-10-dns
Signed-off-by: Nicolas Douma <nicolas@serveur.io>
Diffstat (limited to 'src/tools/wg-quick/android/wg-quick.c')
-rw-r--r-- | src/tools/wg-quick/android/wg-quick.c | 905 |
1 files changed, 905 insertions, 0 deletions
diff --git a/src/tools/wg-quick/android/wg-quick.c b/src/tools/wg-quick/android/wg-quick.c new file mode 100644 index 0000000..fcde744 --- /dev/null +++ b/src/tools/wg-quick/android/wg-quick.c @@ -0,0 +1,905 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. + * + * This is a shell script written in C. It very intentionally still functions like + * a shell script, calling out to external executables such as ip(8). + */ + +#define _GNU_SOURCE +#include <stddef.h> +#include <stdlib.h> +#include <stdio.h> +#include <stdbool.h> +#include <string.h> +#include <strings.h> +#include <stdarg.h> +#include <stdint.h> +#include <ctype.h> +#include <time.h> +#include <unistd.h> +#include <errno.h> +#include <regex.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/wait.h> +#include <sys/param.h> + +#include "dnsresolver.h" + +#ifndef WG_PACKAGE_NAME +#define WG_PACKAGE_NAME "com.wireguard.android" +#endif +#ifndef WG_CONFIG_SEARCH_PATHS +#define WG_CONFIG_SEARCH_PATHS "/data/misc/wireguard /data/data/" WG_PACKAGE_NAME "/files" +#endif + +/* + * the following values are default values observed in AOSP + */ +#define WG_DNS_SAMPLE_VALIDITY 1800 /* sec */ +#define WG_DNS_SUCCESS_THRESHOLD 25 +#define WG_DNS_MIN_SAMPLES 8 +#define WG_DNS_MAX_SAMPLES 8 +#define WG_DNS_BASE_TIMEOUT 5000 /* msec */ +#define WG_DNS_RETRY_COUNT 2 + + +#define _printf_(x, y) __attribute__((format(printf, x, y))) +#define _cleanup_(x) __attribute__((cleanup(x))) +#define ARRAY_SIZE(x) (sizeof(x) / sizeof(x[0])) + +static bool is_exiting = false; + +static void *xmalloc(size_t size) +{ + void *ret = malloc(size); + if (ret) + return ret; + perror("Error: malloc"); + exit(errno); +} + +static void *xcalloc(size_t nmemb, size_t size) +{ + void *ret = calloc(nmemb, size); + if (ret) + return ret; + perror("Error: calloc"); + exit(errno); +} + +static void *xstrdup(const char *str) +{ + char *ret = strdup(str); + if (ret) + return ret; + perror("Error: strdup"); + exit(errno); +} + +static void xregcomp(regex_t *preg, const char *regex, int cflags) +{ + if (regcomp(preg, regex, cflags)) { + fprintf(stderr, "Error: Regex compilation error\n"); + exit(EBADR); + } +} + +static char *concat(char *first, ...) +{ + va_list args; + size_t len = 0; + char *ret; + + va_start(args, first); + for (char *i = first; i; i = va_arg(args, char *)) + len += strlen(i); + va_end(args); + + ret = xmalloc(len + 1); + ret[0] = '\0'; + + va_start(args, first); + for (char *i = first; i; i = va_arg(args, char *)) + strcat(ret, i); + va_end(args); + + return ret; +} + +static char *concat_and_free(char *orig, const char *delim, const char *new_line) +{ + char *ret; + + if (!orig) + ret = xstrdup(new_line); + else + ret = concat(orig, delim, new_line, NULL); + free(orig); + return ret; +} + +struct command_buffer { + char *line; + size_t len; + FILE *stream; +}; + +static void free_command_buffer(struct command_buffer *c) +{ + if (!c) + return; + if (c->stream) + pclose(c->stream); + free(c->line); +} +static void freenularr(void *p) +{ + void **a = *(void ***)p; + if (a) { + for (int i = 0; a[i]; ++i) + free(a[i]); + } + free(a); +} + +static void freep(void *p) +{ + free(*(void **)p); +} +static void fclosep(FILE **f) +{ + if (*f) + fclose(*f); +} +#define _cleanup_free_ _cleanup_(freep) +#define _cleanup_fclose_ _cleanup_(fclosep) +#define _cleanup_regfree_ _cleanup_(regfree) +#define _cleanup_freenularr_ _cleanup_(freenularr) + +#define DEFINE_CMD(name) _cleanup_(free_command_buffer) struct command_buffer name = { 0 }; + +static char *vcmd_ret(struct command_buffer *c, const char *cmd_fmt, va_list args) +{ + _cleanup_free_ char *cmd = NULL; + + if (!c->stream && !cmd_fmt) + return NULL; + if (c->stream && cmd_fmt) + pclose(c->stream); + + if (cmd_fmt) { + if (vasprintf(&cmd, cmd_fmt, args) < 0) { + perror("Error: vasprintf"); + exit(errno); + } + + c->stream = popen(cmd, "r"); + if (!c->stream) { + perror("Error: popen"); + exit(errno); + } + } + errno = 0; + if (getline(&c->line, &c->len, c->stream) < 0) { + if (errno) { + perror("Error: getline"); + exit(errno); + } + return NULL; + } + return c->line; +} + +_printf_(1, 2) static void cmd(const char *cmd_fmt, ...) +{ + _cleanup_free_ char *cmd = NULL; + va_list args; + int ret; + + va_start(args, cmd_fmt); + if (vasprintf(&cmd, cmd_fmt, args) < 0) { + perror("Error: vasprintf"); + exit(errno); + } + va_end(args); + + printf("[#] %s\n", cmd); + ret = system(cmd); + + if (ret < 0) + ret = ESRCH; + else if (ret > 0) + ret = WIFEXITED(ret) ? WEXITSTATUS(ret) : EIO; + + if (ret && !is_exiting) + exit(ret); +} + +_printf_(2, 3) static char *cmd_ret(struct command_buffer *c, const char *cmd_fmt, ...) +{ + va_list args; + char *ret; + + va_start(args, cmd_fmt); + ret = vcmd_ret(c, cmd_fmt, args); + va_end(args); + return ret; +} + +_printf_(1, 2) static void cndc(const char *cmd_fmt, ...) +{ + DEFINE_CMD(c); + int error_code; + char *ret; + va_list args; + _cleanup_free_ char *ndc_fmt = concat("ndc ", cmd_fmt, NULL); + + va_start(args, cmd_fmt); + printf("[#] "); + vprintf(ndc_fmt, args); + printf("\n"); + va_end(args); + + va_start(args, cmd_fmt); + ret = vcmd_ret(&c, ndc_fmt, args); + va_end(args); + + if (!ret) { + fprintf(stderr, "Error: could not call ndc\n"); + exit(ENOSYS); + } + + error_code = atoi(ret); + if (error_code >= 400 && error_code < 600) { + fprintf(stderr, "Error: %s\n", ret); + exit(ENONET); + } +} + +static void auto_su(int argc, char *argv[]) +{ + char *args[argc + 4]; + + if (!getuid()) + return; + + args[0] = "su"; + args[1] = "-p"; + args[2] = "-c"; + memcpy(&args[3], argv, argc * sizeof(*args)); + args[argc + 3] = NULL; + + printf("[$] su -p -c "); + for (int i = 0; i < argc; ++i) + printf("%s%c", argv[i], i == argc - 1 ? '\n' : ' '); + + execvp("su", args); + exit(errno); +} + +static void add_if(const char *iface) +{ + cmd("ip link add %s type wireguard", iface); +} + +static void del_if(const char *iface) +{ + DEFINE_CMD(c_rule); + DEFINE_CMD(c_iptables); + DEFINE_CMD(c_ip6tables); + _cleanup_regfree_ regex_t rule_reg = { 0 }, iptables_reg = { 0 }; + regmatch_t matches[2]; + char *netid = NULL; + _cleanup_free_ char *rule_regex = concat("0xc([0-9a-f]+)/0xcffff lookup ", iface, NULL); + _cleanup_free_ char *iptables_regex = concat("^-A (.* --comment \"wireguard rule ", iface, "\"[^\n]*)\n*$", NULL); + + xregcomp(&rule_reg, rule_regex, REG_EXTENDED); + xregcomp(&iptables_reg, iptables_regex, REG_EXTENDED); + + cmd("ip link del %s", iface); + + for (char *rule = cmd_ret(&c_iptables, "iptables-save"); rule; rule = cmd_ret(&c_iptables, NULL)) { + if (!regexec(&iptables_reg, rule, ARRAY_SIZE(matches), matches, 0)) { + rule[matches[1].rm_eo] = '\0'; + cmd("iptables -D %s", &rule[matches[1].rm_so]); + } + } + for (char *rule = cmd_ret(&c_ip6tables, "ip6tables-save"); rule; rule = cmd_ret(&c_ip6tables, NULL)) { + if (!regexec(&iptables_reg, rule, ARRAY_SIZE(matches), matches, 0)) { + rule[matches[1].rm_eo] = '\0'; + cmd("ip6tables -D %s", &rule[matches[1].rm_so]); + } + } + + for (char *rule = cmd_ret(&c_rule, "ip rule show"); rule; rule = cmd_ret(&c_rule, NULL)) { + if (!regexec(&rule_reg, rule, ARRAY_SIZE(matches), matches, 0)) { + rule[matches[1].rm_eo] = '\0'; + netid = &rule[matches[1].rm_so]; + break; + } + } + if (netid) + cndc("network destroy %lu", strtoul(netid, NULL, 16)); +} + +static bool should_block_ipv6(const char *iface) +{ + DEFINE_CMD(c); + bool has_ipv6 = false, has_all_none = true; + + for (char *endpoint = cmd_ret(&c, "wg show %s endpoints", iface); endpoint; endpoint = cmd_ret(&c, NULL)) { + char *start = strchr(endpoint, '\t'); + + if (!start) + continue; + ++start; + if (start[0] != '(') + has_all_none = false; + if (start[0] == '[') + has_ipv6 = true; + } + return !has_ipv6 && !has_all_none; +} + +static uint16_t determine_listen_port(const char *iface) +{ + DEFINE_CMD(c); + unsigned long listen_port = 0; + char *value; + + cmd("ip link set up dev %s", iface); + value = cmd_ret(&c, "wg show %s listen-port", iface); + if (!value) + goto set_back_down; + listen_port = strtoul(value, NULL, 10); + if (listen_port > UINT16_MAX || !listen_port) { + listen_port = 0; + goto set_back_down; + } +set_back_down: + cmd("ip link set down dev %s", iface); + return listen_port; +} + +static void up_if(unsigned int *netid, const char *iface, uint16_t listen_port) +{ + srandom(time(NULL) ^ getpid()); /* Not real randomness. */ + + while (*netid < 4096) + *netid = random() & 0xfffe; + + cmd("wg set %s fwmark 0x20000", iface); + cmd("iptables -I OUTPUT 1 -m mark --mark 0x20000 -j ACCEPT -m comment --comment \"wireguard rule %s\"", iface); + cmd("ip6tables -I OUTPUT 1 -m mark --mark 0x20000 -j ACCEPT -m comment --comment \"wireguard rule %s\"", iface); + if (listen_port) { + cmd("iptables -I INPUT 1 -p udp --dport %u -j ACCEPT -m comment --comment \"wireguard rule %s\"", listen_port, iface); + cmd("ip6tables -I INPUT 1 -p udp --dport %u -j %s -m comment --comment \"wireguard rule %s\"", listen_port, should_block_ipv6(iface) ? "DROP" : "ACCEPT", iface); + } + cndc("interface setcfg %s up", iface); + cndc("network create %u vpn 1 1", *netid); + cndc("network interface add %u %s", *netid, iface); +} + +static int compare_uid(const void *a, const void *b) +{ + return *(const uid_t *)a - *(const uid_t *)b; +} + +static uid_t *get_uid_list(const char *selected_applications) +{ + _cleanup_fclose_ FILE *package_list = NULL; + _cleanup_free_ char *line = NULL; + uid_t package_uid; + size_t line_len = 0, i; + const char *comma, *start; + uid_t *uid_list; + + if (!selected_applications) + return xcalloc(1, sizeof(*uid_list)); + + for (i = 1, comma = selected_applications; comma; comma = strchr(comma + 1, ','), ++i); + uid_list = xcalloc(i, sizeof(*uid_list)); + i = 0; + + package_list = fopen("/data/system/packages.list", "r"); + if (!package_list) { + perror("Error: Unable to open package list"); + exit(errno); + } + + while (getline(&line, &line_len, package_list) >= 0) { + char *package_name, *package_uid_str, *endptr; + + package_name = line; + package_uid_str = strchr(package_name, ' '); + if (!package_uid_str) + continue; + *package_uid_str++ = '\0'; + *strchrnul(package_uid_str, ' ') = '\0'; + package_uid = strtoul(package_uid_str, &endptr, 10); + if (!package_uid || !*package_uid_str || *endptr) + continue; + + for (start = selected_applications; comma = strchrnul(start, ','), *start; start = comma + 1) { + ptrdiff_t token_len = comma - start; + + if (token_len && strlen(package_name) == token_len && !strncmp(start, package_name, token_len)) + uid_list[i++] = package_uid; + } + } + qsort(uid_list, i, sizeof(*uid_list), compare_uid); + return uid_list; +} + +static void set_users(unsigned int netid, const char *excluded_applications) +{ + _cleanup_free_ uid_t *excluded_uids = get_uid_list(excluded_applications); + _cleanup_free_ char *ranges = NULL; + char range[22]; + uid_t start; + + for (start = 0; *excluded_uids; start = *excluded_uids + 1, ++excluded_uids) { + if (start > *excluded_uids - 1) + continue; + else if (start == *excluded_uids - 1) + snprintf(range, sizeof(range), "%u", start); + else + snprintf(range, sizeof(range), "%u-%u", start, *excluded_uids - 1); + ranges = concat_and_free(ranges, " ", range); + } + if (start < 99999) { + snprintf(range, sizeof(range), "%u-99999", start); + ranges = concat_and_free(ranges, " ", range); + } + + cndc("network users add %u %s", netid, ranges); +} + +static void set_dnses(unsigned int netid, const char *dnses) +{ + size_t len = strlen(dnses); + if (len > (1<<16)) + return; + _cleanup_free_ char *mutable = xstrdup(dnses); + _cleanup_free_ char *arglist = xmalloc(len * 4 + 1); + _cleanup_free_ char *arg = xmalloc(len + 4); + _cleanup_freenularr_ char **dns_list = xmalloc(len + 2); + size_t dns_list_size = 0; + _cleanup_free_ char *pretty_dns_list = NULL; + _cleanup_dnsresolver_ void *handle = NULL; + + if (!len) + return; + arglist[0] = '\0'; + + for (char *dns = strtok(mutable, ", \t\n"); dns; dns = strtok(NULL, ", \t\n")) { + if (strchr(dns, '\'') || strchr(dns, '\\')) + continue; + snprintf(arg, len + 3, "'%s' ", dns); + strncat(arglist, arg, len * 4 - 1); + dns_list[dns_list_size++] = xstrdup(dns); + } + dns_list[dns_list_size] = NULL; + + if ((handle = dnsresolver_get_handle())) { + if (!dns_list_size) + return; + + int32_t status; + + printf("[#] <binder>::dnsResolver::createNetworkCache(%u)\n", netid); + status = dnsresolver_create_network_cache(handle, netid); + if (status != 0) { + fprintf(stderr, "Error: unable to create network cache\n"); + exit(ELIBACC); + } + + struct resolver_params params = { + .netid = netid, + .sample_validity_seconds = WG_DNS_SAMPLE_VALIDITY, + .success_threshold = WG_DNS_SUCCESS_THRESHOLD, + .min_samples = WG_DNS_MIN_SAMPLES, + .max_samples = WG_DNS_MAX_SAMPLES, + .base_timeout_msec = WG_DNS_BASE_TIMEOUT, + .retry_count = WG_DNS_RETRY_COUNT, + .servers = dns_list, + .domains = (char *[]){NULL}, + .tls_name = "", + .tls_servers = (char *[]){NULL}, + .tls_fingerprints = (char *[]){NULL} + }; + + for (int i = 0; dns_list[i]; ++i) + pretty_dns_list = concat_and_free(pretty_dns_list, ", ", dns_list[i]); + + printf("[#] <binder>::dnsResolver::setResolverConfiguration(%u, [%s], [], %d, %d, %d, %d, %d, %d, [], [])\n", + netid, pretty_dns_list, WG_DNS_SAMPLE_VALIDITY, WG_DNS_SUCCESS_THRESHOLD, + WG_DNS_MIN_SAMPLES, WG_DNS_MAX_SAMPLES, WG_DNS_BASE_TIMEOUT, WG_DNS_RETRY_COUNT); + + status = dnsresolver_set_resolver_configuration(handle, ¶ms); + + if (status != 0) { + fprintf(stderr, "Error: unable to set DNS servers through Binder"); + printf("[#] <binder>::dnsResolver::destroyNetworkCache(%u)\n", netid); + dnsresolver_destroy_network_cache(handle, netid); + exit(ELIBACC); + } + + return; + } + + if (!strlen(arglist)) + return; + cndc("resolver setnetdns %u '' %s", netid, arglist); +} + +static void add_addr(const char *iface, const char *addr) +{ + if (strchr(addr, ':')) { + cndc("interface ipv6 %s enable", iface); + cmd("ip -6 addr add '%s' dev %s", addr, iface); + } else { + _cleanup_free_ char *mut_addr = strdup(addr); + char *slash = strchr(mut_addr, '/'); + unsigned char mask = 32; + + if (slash) { + *slash = '\0'; + mask = atoi(slash + 1); + } + cndc("interface setcfg %s '%s' %u", iface, mut_addr, mask); + } +} + +static void set_addr(const char *iface, const char *addrs) +{ + _cleanup_free_ char *mutable = xstrdup(addrs); + + for (char *addr = strtok(mutable, ", \t\n"); addr; addr = strtok(NULL, ", \t\n")) { + if (strchr(addr, '\'') || strchr(addr, '\\')) + continue; + add_addr(iface, addr); + } +} + +static int get_route_mtu(const char *endpoint) +{ + DEFINE_CMD(c_route); + DEFINE_CMD(c_dev); + regmatch_t matches[2]; + _cleanup_regfree_ regex_t regex_mtu = { 0 }, regex_dev = { 0 }; + char *route, *mtu, *dev; + + xregcomp(®ex_mtu, "mtu ([0-9]+)", REG_EXTENDED); + xregcomp(®ex_dev, "dev ([^ ]+)", REG_EXTENDED); + + if (strcmp(endpoint, "default")) + route = cmd_ret(&c_route, "ip -o route get %s", endpoint); + else + route = cmd_ret(&c_route, "ip -o route show %s", endpoint); + if (!route) + return -1; + + if (!regexec(®ex_mtu, route, ARRAY_SIZE(matches), matches, 0)) { + route[matches[1].rm_eo] = '\0'; + mtu = &route[matches[1].rm_so]; + } else if (!regexec(®ex_dev, route, ARRAY_SIZE(matches), matches, 0)) { + route[matches[1].rm_eo] = '\0'; + dev = &route[matches[1].rm_so]; + route = cmd_ret(&c_dev, "ip -o link show dev %s", dev); + if (!route) + return -1; + if (regexec(®ex_mtu, route, ARRAY_SIZE(matches), matches, 0)) + return -1; + route[matches[1].rm_eo] = '\0'; + mtu = &route[matches[1].rm_so]; + } else + return -1; + return atoi(mtu); +} + +static void set_mtu(const char *iface, unsigned int mtu) +{ + DEFINE_CMD(c_endpoints); + _cleanup_regfree_ regex_t regex_endpoint = { 0 }; + regmatch_t matches[2]; + int endpoint_mtu, next_mtu; + + if (mtu) { + cndc("interface setmtu %s %u", iface, mtu); + return; + } + + xregcomp(®ex_endpoint, "^\\[?([a-z0-9:.]+)\\]?:[0-9]+$", REG_EXTENDED); + + endpoint_mtu = get_route_mtu("default"); + if (endpoint_mtu == -1) + endpoint_mtu = 1500; + + for (char *endpoint = cmd_ret(&c_endpoints, "wg show %s endpoints", iface); endpoint; endpoint = cmd_ret(&c_endpoints, NULL)) { + if (regexec(®ex_endpoint, endpoint, ARRAY_SIZE(matches), matches, 0)) + continue; + endpoint[matches[1].rm_eo] = '\0'; + endpoint = &endpoint[matches[1].rm_so]; + + next_mtu = get_route_mtu(endpoint); + if (next_mtu > 0 && next_mtu < endpoint_mtu) + endpoint_mtu = next_mtu; + } + + cndc("interface setmtu %s %d", iface, endpoint_mtu - 80); +} + +static void add_route(const char *iface, unsigned int netid, const char *route) +{ + cndc("network route add %u %s %s", netid, iface, route); +} + +static void set_routes(const char *iface, unsigned int netid) +{ + DEFINE_CMD(c); + + for (char *allowedips = cmd_ret(&c, "wg show %s allowed-ips", iface); allowedips; allowedips = cmd_ret(&c, NULL)) { + char *start = strchr(allowedips, '\t'); + + if (!start) + continue; + ++start; + for (char *allowedip = strtok(start, " \n"); allowedip; allowedip = strtok(NULL, " \n")) { + if (!strcmp(allowedip, "(none)")) + continue; + add_route(iface, netid, allowedip); + } + } +} + +static void set_config(const char *iface, const char *config) +{ + FILE *config_writer; + _cleanup_free_ char *cmd = concat("wg setconf ", iface, " /proc/self/fd/0", NULL); + int ret; + + printf("[#] %s\n", cmd); + + config_writer = popen(cmd, "w"); + if (!config_writer) { + perror("Error: popen"); + exit(errno); + } + if (fputs(config, config_writer) < 0) { + perror("Error: fputs"); + exit(errno); + } + ret = pclose(config_writer); + if (ret) + exit(WIFEXITED(ret) ? WEXITSTATUS(ret) : EIO); +} + +static void broadcast_change(void) +{ + const char *pkg = getenv("CALLING_PACKAGE"); + + if (!pkg || strcmp(pkg, WG_PACKAGE_NAME)) + cmd("am broadcast -a com.wireguard.android.action.REFRESH_TUNNEL_STATES " WG_PACKAGE_NAME); +} + +static void print_search_paths(FILE *file, const char *prefix) +{ + _cleanup_free_ char *paths = strdup(WG_CONFIG_SEARCH_PATHS); + + for (char *path = strtok(paths, " "); path; path = strtok(NULL, " ")) + fprintf(file, "%s%s\n", prefix, path); +} + +static void cmd_usage(const char *program) +{ + printf( "Usage: %s [ up | down ] [ CONFIG_FILE | INTERFACE ]\n" + "\n" + " CONFIG_FILE is a configuration file, whose filename is the interface name\n" + " followed by `.conf'. Otherwise, INTERFACE is an interface name, with\n" + " configuration found at:\n\n", program); + print_search_paths(stdout, " - "); + printf( "\n It is to be readable by wg(8)'s `setconf' sub-command, with the exception\n" + " of the following additions to the [Interface] section, which are handled by\n" + " this program:\n\n" + " - Address: may be specified one or more times and contains one or more\n" + " IP addresses (with an optional CIDR mask) to be set for the interface.\n" + " - MTU: an optional MTU for the interface; if unspecified, auto-calculated.\n" + " - DNS: an optional DNS server to use while the device is up.\n" + " - ExcludedApplications: optional applications to exclude from the tunnel.\n\n" + " See wg-quick(8) for more info and examples.\n"); +} + +static char *cleanup_iface = NULL; + +static void cmd_up_cleanup(void) +{ + is_exiting = true; + if (cleanup_iface) + del_if(cleanup_iface); + free(cleanup_iface); +} + +static void cmd_up(const char *iface, const char *config, unsigned int mtu, const char *addrs, const char *dnses, const char *excluded_applications) +{ + DEFINE_CMD(c); + unsigned int netid = 0; + uint16_t listen_port; + + if (cmd_ret(&c, "ip link show dev %s 2>/dev/null", iface)) { + fprintf(stderr, "Error: %s already exists\n", iface); + exit(EEXIST); + } + + cleanup_iface = xstrdup(iface); + atexit(cmd_up_cleanup); + + add_if(iface); + set_config(iface, config); + listen_port = determine_listen_port(iface); + up_if(&netid, iface, listen_port); + set_addr(iface, addrs); + set_dnses(netid, dnses); + set_routes(iface, netid); + set_mtu(iface, mtu); + set_users(netid, excluded_applications); + broadcast_change(); + + free(cleanup_iface); + cleanup_iface = NULL; + exit(EXIT_SUCCESS); +} + +static void cmd_down(const char *iface) +{ + DEFINE_CMD(c); + bool found = false; + + char *ifaces = cmd_ret(&c, "wg show interfaces"); + if (ifaces) { + for (char *eiface = strtok(ifaces, " \n"); eiface; eiface = strtok(NULL, " \n")) { + if (!strcmp(iface, eiface)) { + found = true; + break; + } + } + } + if (!found) { + fprintf(stderr, "Error: %s is not a WireGuard interface\n", iface); + exit(EMEDIUMTYPE); + } + + del_if(iface); + broadcast_change(); + exit(EXIT_SUCCESS); +} + +static void parse_options(char **iface, char **config, unsigned int *mtu, char **addrs, char **dnses, char **excluded_applications, const char *arg) +{ + _cleanup_fclose_ FILE *file = NULL; + _cleanup_free_ char *line = NULL; + _cleanup_free_ char *filename = NULL; + _cleanup_free_ char *paths = strdup(WG_CONFIG_SEARCH_PATHS); + _cleanup_regfree_ regex_t regex_iface = { 0 }, regex_conf = { 0 }; + regmatch_t matches[2]; + struct stat sbuf; + size_t n = 0; + bool in_interface_section = false; + + *iface = *config = *addrs = *dnses = NULL; + *mtu = 0; + + xregcomp(®ex_iface, "^[a-zA-Z0-9_=+.-]{1,15}$", REG_EXTENDED | REG_NOSUB); + xregcomp(®ex_conf, "/?([a-zA-Z0-9_=+.-]{1,15})\\.conf$", REG_EXTENDED); + + if (!regexec(®ex_iface, arg, 0, NULL, 0)) { + for (char *path = strtok(paths, " "); path; path = strtok(NULL, " ")) { + free(filename); + if (asprintf(&filename, "%s/%s.conf", path, arg) < 0) { + perror("Error: asprintf"); + exit(errno); + } + file = fopen(filename, "r"); + if (file) + break; + } + if (!file) { + fprintf(stderr, "Error: Unable to find configuration file for `%s' in:\n", arg); + print_search_paths(stderr, "- "); + exit(errno); + } + } else { + filename = xstrdup(arg); + file = fopen(filename, "r"); + if (!file) { + fprintf(stderr, "Error: Unable to find configuration file at `%s'\n", filename); + exit(errno); + } + } + + if (regexec(®ex_conf, filename, ARRAY_SIZE(matches), matches, 0)) { + fprintf(stderr, "Error: The config file must be a valid interface name, followed by .conf\n"); + exit(EINVAL); + } + + if (fstat(fileno(file), &sbuf) < 0) { + perror("Error: fstat"); + exit(errno); + } + if (sbuf.st_mode & 0007) + fprintf(stderr, "Warning: `%s' is world accessible\n", filename); + + filename[matches[1].rm_eo] = '\0'; + *iface = xstrdup(&filename[matches[1].rm_so]); + + while (getline(&line, &n, file) >= 0) { + size_t len = strlen(line), j = 0; + if (len > (1<<16)) + return; + _cleanup_free_ char *clean = xmalloc(len + 1); + + for (size_t i = 0; i < len; ++i) { + if (!isspace(line[i])) + clean[j++] = line[i]; + } + clean[j] = '\0'; + + if (clean[0] == '[') + in_interface_section = false; + if (!strcasecmp(clean, "[Interface]")) + in_interface_section = true; + if (in_interface_section) { + if (!strncasecmp(clean, "Address=", 8) && j > 8) { + *addrs = concat_and_free(*addrs, ",", clean + 8); + continue; + } else if (!strncasecmp(clean, "DNS=", 4) && j > 4) { + *dnses = concat_and_free(*dnses, ",", clean + 4); + continue; + } else if (!strncasecmp(clean, "ExcludedApplications=", 21) && j > 4) { + *excluded_applications = concat_and_free(*excluded_applications, ",", clean + 21); + continue; + } else if (!strncasecmp(clean, "MTU=", 4) && j > 4) { + *mtu = atoi(clean + 4); + continue; + } + } + *config = concat_and_free(*config, "", line); + } + + if (!*iface) + *iface = xstrdup(""); + if (!*config) + *config = xstrdup(""); + if (!*addrs) + *addrs = xstrdup(""); + if (!*dnses) + *dnses = xstrdup(""); +} + +int main(int argc, char *argv[]) +{ + _cleanup_free_ char *iface = NULL; + _cleanup_free_ char *config = NULL; + _cleanup_free_ char *addrs = NULL; + _cleanup_free_ char *dnses = NULL; + _cleanup_free_ char *excluded_applications = NULL; + unsigned int mtu; + + if (argc == 2 && (!strcmp(argv[1], "help") || !strcmp(argv[1], "--help") || !strcmp(argv[1], "-h"))) + cmd_usage(argv[0]); + else if (argc == 3 && !strcmp(argv[1], "up")) { + auto_su(argc, argv); + parse_options(&iface, &config, &mtu, &addrs, &dnses, &excluded_applications, argv[2]); + cmd_up(iface, config, mtu, addrs, dnses, excluded_applications); + } else if (argc == 3 && !strcmp(argv[1], "down")) { + auto_su(argc, argv); + parse_options(&iface, &config, &mtu, &addrs, &dnses, &excluded_applications, argv[2]); + cmd_down(iface); + } else { + cmd_usage(argv[0]); + return 1; + } + return 0; +} |