authorToni Uhlig <matzeton@googlemail.com>2019-04-27 12:16:52 +0200
committerToni Uhlig <matzeton@googlemail.com>2019-04-27 12:17:10 +0200
commit61e222dd8a9a4d41e381bfcf958102bd2c02b47e (patch)
treebcbf4ce26dd912b1637ae5e899a3278cce3acfbf
parent6e1708c736b3db01fef175e25b94c7e4cb51fccb (diff)
parent1d0cbc46e800919aace83b0a24034b0460382f91 (diff)
Merge branch 'master' into release
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--ChangeLog6
-rw-r--r--README7
-rw-r--r--README.md10
-rw-r--r--configure.ac8
-rw-r--r--selinux/compile.sh10
-rw-r--r--selinux/ptunnel-ng.te60
-rw-r--r--selinux/ptunnel.te22
-rw-r--r--src/options.c14
-rw-r--r--src/options.h2
-rw-r--r--src/ptunnel.c40
10 files changed, 149 insertions, 30 deletions
diff --git a/ChangeLog b/ChangeLog
index 1f5bad8..2e9cf54 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,12 @@
PingTunnel-NG Changelog
=======================
+1.42 - 27. April 2019
+- updated SeLinux policy file
+- added SeLinux policy compile script
+- list available pcap devices
+- fixed build errors related to pcap
+
1.41 - 03. April 2019
- change the RNG device during ./configure (fixes issues on systems without
enough entropy avilable from it's random source)
diff --git a/README b/README
index 1a0712e..6092f15 100644
--- a/README
+++ b/README
@@ -121,6 +121,13 @@ be compiled on Windows, courtesy of Mike Miller, assuming mingw and WinPcap is
installed.
+TODOs
+-----
+- challenge response: switch from md5 to sha-512
+- packet obfuscation
+- encryption (metadata + payload)
+
+
Credits and contributors
------------------------
Daniel Stoedle et al.
diff --git a/README.md b/README.md
index 5d48190..6e6720b 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
-[![Build Status](https://travis-ci.org/lnslbrty/ptunnel-ng.svg?branch=master)](https://travis-ci.org/lnslbrty/ptunnel-ng)
+[![Travis Build Status](https://travis-ci.org/lnslbrty/ptunnel-ng.svg?branch=master)](https://travis-ci.org/lnslbrty/ptunnel-ng)
+[![Gitlab Build Status](https://gitlab.com/lnslbrty/ptunnel-ng/badges/master/build.svg)](https://gitlab.com/lnslbrty/ptunnel-ng)
[![Coverity Status](https://scan.coverity.com/projects/14737/badge.svg?flat=1)](https://scan.coverity.com/projects/14737)
[![Codacy Badge](https://api.codacy.com/project/badge/Grade/021aa1d88dd7486db83df3ff96f9eff8)](https://www.codacy.com/app/lnslbrty/ptunnel-ng?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=lnslbrty/ptunnel-ng&amp;utm_campaign=Badge_Grade)
[![GitHub issues](https://img.shields.io/github/issues/lnslbrty/ptunnel-ng.svg)](https://github.com/lnslbrty/ptunnel-ng/issues)
@@ -137,6 +138,13 @@ be compiled on Windows, courtesy of Mike Miller, assuming mingw and WinPcap is
installed.
```
+## TODOs
+```
+- challenge response: switch from md5 to sha-512
+- packet obfuscation
+- encryption (metadata + payload)
+```
+
## Credits and contributors
```
Daniel Stoedle et al.
diff --git a/configure.ac b/configure.ac
index 9e92922..5a6af52 100644
--- a/configure.ac
+++ b/configure.ac
@@ -113,6 +113,10 @@ struct foo {
dnl Check for std functions.
AC_CHECK_FUNCS([malloc calloc free memcpy memset printf sprintf vsnprintf strerror strlen strncmp strstr strtol strtoul fopen fprintf gettimeofday close fclose exit getopt_long],,
[AC_MSG_ERROR([Missing essential std functions.])])
+if test x"${use_msw}" = x; then
+AC_CHECK_FUNCS([inet_ntoa],,
+ [AC_MSG_ERROR([Missing essential std functions.])])
+fi
dnl `--disable-pcap`: Enabled if found.
AC_ARG_ENABLE([pcap],
@@ -150,14 +154,14 @@ AC_MSG_RESULT([${with_rngdev}])
AC_DEFINE_UNQUOTED([RNGDEV], ["${with_rngdev}"],
[set the path to the random device you want to use for pt_random])
-dnl Check libcap headers/functions.
+dnl Check libpcap headers/functions.
if test x"${pcap_enabled}" != x -a \
x"${use_msw}" != xyes; then
AC_CHECK_HEADERS([pcap.h],,
[pcap_enabled=])
AC_SEARCH_LIBS([pcap_lookupnet], [pcap],,
[pcap_enabled=],)
- AC_CHECK_FUNCS([pcap_compile pcap_close pcap_setfilter pcap_dispatch],,
+ AC_CHECK_FUNCS([pcap_compile pcap_close pcap_setfilter pcap_dispatch pcap_findalldevs pcap_freealldevs],,
[pcap_enabled=])
fi
diff --git a/selinux/compile.sh b/selinux/compile.sh
new file mode 100644
index 0000000..f70ab1b
--- /dev/null
+++ b/selinux/compile.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -x
+set -e
+
+OUTDIR="$(dirname $0)"
+checkmodule -M -m -o ${OUTDIR}/ptunnel-ng.mod ${OUTDIR}/ptunnel-ng.te
+semodule_package -o ${OUTDIR}/ptunnel-ng.pp -m ${OUTDIR}/ptunnel-ng.mod
+
+exit 0
diff --git a/selinux/ptunnel-ng.te b/selinux/ptunnel-ng.te
new file mode 100644
index 0000000..79412d2
--- /dev/null
+++ b/selinux/ptunnel-ng.te
@@ -0,0 +1,60 @@
+
+module ptunnel-ng 1.0;
+
+require {
+ type local_login_t;
+ type file_context_t;
+ type unconfined_t;
+ type lvm_t;
+ type bin_t;
+ type gpmctl_t;
+ type tracefs_t;
+ type dpkg_script_t;
+ type xconsole_device_t;
+ type modules_object_t;
+ type initrc_var_run_t;
+ type var_run_t;
+ type debugfs_t;
+ type udev_var_run_t;
+ type bootloader_t;
+ type tmp_t;
+ type fsadm_run_t;
+ class file { create execmod execute execute_no_trans getattr link open read rename setattr unlink write };
+ class capability sys_module;
+ class dir { add_name getattr remove_name search write };
+ class fifo_file getattr;
+ class sock_file getattr;
+ class system module_load;
+}
+
+#============= bootloader_t ==============
+allow bootloader_t debugfs_t:dir search;
+allow bootloader_t file_context_t:dir search;
+allow bootloader_t file_context_t:file { getattr open read };
+allow bootloader_t fsadm_run_t:dir { add_name getattr remove_name write };
+allow bootloader_t fsadm_run_t:file { create getattr link open read rename setattr unlink write };
+allow bootloader_t gpmctl_t:sock_file getattr;
+allow bootloader_t modules_object_t:system module_load;
+allow bootloader_t self:capability sys_module;
+allow bootloader_t tmp_t:file { execute execute_no_trans getattr open read };
+allow bootloader_t tracefs_t:dir search;
+allow bootloader_t udev_var_run_t:file { getattr open read };
+allow bootloader_t xconsole_device_t:fifo_file getattr;
+
+#============= dpkg_script_t ==============
+
+#!!!! This avc can be allowed using the boolean 'allow_execmod'
+allow dpkg_script_t bin_t:file execmod;
+
+#============= local_login_t ==============
+allow local_login_t initrc_var_run_t:file unlink;
+allow local_login_t var_run_t:dir { add_name remove_name write };
+allow local_login_t var_run_t:file { getattr open read rename unlink };
+
+#============= lvm_t ==============
+allow lvm_t initrc_var_run_t:dir { add_name getattr write };
+
+#============= unconfined_t ==============
+
+#!!!! This avc can be allowed using the boolean 'allow_execmod'
+allow unconfined_t bin_t:file execmod;
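Review bot: The new ptunnel-ng.te declares no ptunnel domain at all — every rule's subject is an unrelated system domain (bootloader_t, dpkg_script_t, local_login_t, lvm_t, unconfined_t), so loading this module loosens system-wide policy rather than confining ptunnel-ng, whereas the deleted selinux/ptunnel.te at least declared `type ptunnel_t;` and scoped its socket permissions to it. The content reads like an unfiltered audit2allow dump: `allow bootloader_t self:capability sys_module;` together with `allow bootloader_t modules_object_t:system module_load;` grants kernel-module loading to the bootloader domain, and the two `execmod` rules carry audit2allow's own remark that they are meant to be toggled through the `allow_execmod` boolean instead of being hard-coded. I would keep only rules whose subject is a ptunnel domain, restore a `type ptunnel_t;` declaration with the permissions the daemon actually needs, and drop the bootloader_t/dpkg_script_t/lvm_t/local_login_t/unconfined_t blocks. A header comment stating which distribution and reference-policy version the module was generated against, and how the denials were collected, would let a packager judge whether any remaining rule still applies.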
diff --git a/selinux/ptunnel.te b/selinux/ptunnel.te
deleted file mode 100644
index 995c765..0000000
--- a/selinux/ptunnel.te
+++ /dev/null
@@ -1,22 +0,0 @@
-policy_module(ptunnel, 1.7)
-
-require {
- type initrc_t;
- type unconfined_t;
- type unlabeled_t;
- class tcp_socket { read write create connect };
- class association recvfrom;
- class rawip_socket { write read };
-}
-
-type ptunnel_t;
-domain_dyntrans_type(initrc_t)
-
-allow ptunnel_t self:tcp_socket { read write create connect };
-allow ptunnel_t unconfined_t:rawip_socket { write read };
-allow ptunnel_t unlabeled_t:association recvfrom;
-corenet_tcp_sendrecv_generic_if(ptunnel_t)
-corenet_tcp_sendrecv_ssh_port(ptunnel_t)
-corenet_raw_receive_generic_node(ptunnel_t)
-corenet_tcp_connect_ssh_port(ptunnel_t)
-corenet_tcp_sendrecv_lo_node(ptunnel_t)
diff --git a/src/options.c b/src/options.c
index ad43380..ffb5339 100644
--- a/src/options.c
+++ b/src/options.c
@@ -113,6 +113,13 @@ static const struct option_usage usage[] = {
#endif
"Enable libpcap on the given device.\n"
},
+ /** --list-libpcap-devices */
+ {NULL, 0, OPT_BOOL, {.num = 0},
+#ifndef HAVE_PCAP
+ "(Not available on this platform.)\n"
+#endif
+ "List all available pcap devices.\n"
+ },
/** --logfile */
{"file", 0, OPT_STR, {.str = "/var/log/ptunnel.log"},
"Specify a file to log to, rather than printing to standard out.\n"
@@ -219,11 +226,12 @@ static struct option long_options[] = {
{"connections", required_argument, 0, 'c'},
{"verbosity", required_argument, 0, 'v'},
{"libpcap", required_argument, 0, 'L'},
+ {"list-libpcap-devices", no_argument, &opts.list_pcap_devices, 1},
{"logfile", optional_argument, 0, 'o'},
{"statistics", no_argument, 0, 's'},
{"passwd", required_argument, 0, 'P'},
- {"udp", no_argument, &opts.udp, 1 },
- {"unprivileged", no_argument, &opts.unprivileged, 1 },
+ {"udp", no_argument, &opts.udp, 1},
+ {"unprivileged", no_argument, &opts.unprivileged, 1},
{"window-size", required_argument, 0, 'w'},
{"ack-interval", required_argument, 0, 'a'},
{"resend-interval", required_argument, 0, 't'},
@@ -272,8 +280,6 @@ static void set_options_defaults(void) {
opts.log_path = strdup(*(char **)get_default_optval(OPT_STR, "logfile"));
opts.log_file = stdout;
opts.print_stats = *(int *) get_default_optval(OPT_BOOL, "statistics");
- opts.udp = *(int *) get_default_optval(OPT_BOOL, "udp");
- opts.unprivileged = *(int *) get_default_optval(OPT_BOOL, "unprivileged");
#ifndef WIN32
opts.pid_path = strdup(*(char **)get_default_optval(OPT_STR, "daemon"));
diff --git a/src/options.h b/src/options.h
index 7afcfec..9c2ca3f 100644
--- a/src/options.h
+++ b/src/options.h
@@ -75,6 +75,8 @@ struct options {
/** Device to capture packets from */
char *pcap_device;
#endif
+ /** List all available pcap devices and exit */
+ int list_pcap_devices;
/** Usually stdout, but can be altered by the user */
char *log_path;
FILE *log_file;
diff --git a/src/ptunnel.c b/src/ptunnel.c
index 01e0ef5..d70edce 100644
--- a/src/ptunnel.c
+++ b/src/ptunnel.c
@@ -100,6 +100,31 @@ proxy_desc_t *chain = 0;
const char *state_name[kNum_proto_types] = { "start", "ack ", "data ",
"close", "authenticate" };
+#ifdef HAVE_PCAP
+static void print_pcap_devices(void) {
+ pcap_if_t *devs, *cur_dev;
+ pcap_addr_t *cur_addr;
+ char errbuf[PCAP_ERRBUF_SIZE+1];
+
+ if (pcap_findalldevs(&devs, errbuf)) {
+ pt_log(kLog_error, "List all available pcap devices failed: %s.\n", errbuf);
+ }
+ printf("Available pcap devices:\n");
+ for (cur_dev = devs; cur_dev; cur_dev = cur_dev->next) {
+ if (cur_dev->description)
+ printf("\n\t%s%c '%s'\n", cur_dev->name, (cur_dev->addresses ? ':' : ' '),
+ cur_dev->description);
+ else
+ printf("\n\t%s%c\n", cur_dev->name, (cur_dev->addresses ? ':' : ' '));
+ for (cur_addr = cur_dev->addresses; cur_addr; cur_addr = cur_addr->next) {
+ if (cur_addr->addr->sa_family == AF_INET)
+ printf("\t\t%s\n", inet_ntoa(((struct sockaddr_in*)cur_addr->addr)->sin_addr));
+ }
+ }
+ pcap_freealldevs(devs);
+}
+#endif
+
/* Let the fun begin! */
int main(int argc, char *argv[]) {
#ifndef WIN32
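Review bot: When `pcap_findalldevs()` fails, print_pcap_devices() logs the error but still walks `devs`, which is never initialized on that path, and finally hands it to `pcap_freealldevs()`; add `return;` after the `pt_log(kLog_error, ...)` call and initialize `pcap_if_t *devs = NULL`. The inner loop dereferences `cur_addr->addr` without a NULL check, and libpcap's own findalldevs sample guards that pointer because some platforms return address entries without one; use `if (cur_addr->addr && cur_addr->addr->sa_family == AF_INET)`. `inet_ntoa()` returns a pointer to a static buffer and is obsolescent; `inet_ntop()` into a local `char buf[INET_ADDRSTRLEN]` is the reentrant replacement and would also make an AF_INET6 branch straightforward. A header comment such as `/* Print every libpcap capture device and its IPv4 addresses to stdout. */` would document the helper; main() begins in this hunk and continues beyond it.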
@@ -139,6 +164,16 @@ int main(int argc, char *argv[]) {
/* Init ptunnel RNG */
pt_random();
+ if (opts.list_pcap_devices) {
+#ifdef HAVE_PCAP
+ print_pcap_devices();
+ return 0;
+#else
+ pt_log(kLog_error, "Pcap not available!\n");
+ return 1;
+#endif
+ }
+
#ifdef HAVE_PCAP
if (opts.pcap && opts.udp) {
pt_log(kLog_error, "Packet capture is not supported (or needed) when using UDP for transport.\n");
@@ -146,7 +181,10 @@ int main(int argc, char *argv[]) {
}
#ifdef WIN32
if (!opts.pcap && !opts.udp) {
- pt_log(kLog_info, "WARNING: Running ptunnel-ng on Windows in ICMP mode without WinPcap enabled is not supported and may not work!\n");
+ pt_log(kLog_info, "Running ptunnel-ng on Windows in ICMP mode without WinPcap enabled is not supported and may not work!\n");
+ pt_log(kLog_info, "If you encounter problems, install WinPCAP from:\n");
+ pt_log(kLog_info, "https://www.winpcap.org/install/default.htm or for WIN10: https://nmap.org/npcap/windows-10.html\n");
+ pt_log(kLog_info, "After WinPCAP is installed, you can list pcap devices with: --list-pcap-devices\n");
}
#endif
#endif
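Review bot: The last added log line tells the user to run `--list-pcap-devices`, but the long option registered in src/options.c by this same commit is `list-libpcap-devices`, so the advice as printed will be rejected by getopt_long; change it to `pt_log(kLog_info, "After WinPCAP is installed, you can list pcap devices with: --list-libpcap-devices\n");`. Dropping the `WARNING:` prefix while keeping kLog_info also makes the unsupported-mode message less prominent than before, so consider keeping that prefix on the first of the four lines. main() continues outside this hunk.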