Update version to 0.6.0-rc1

1188 is the uncompressed DNS reply payload size that gets through
unfragmented on Ethernet.

CHANGELOG

@@ -5,6 +5,104 @@ iodine - http://code.kryo.se/iodine
 
 CHANGES:
 
+2010-02-13: 0.6.0-rc1 "Hotspotify"
+	- Fixed tunnel not working on Windows.
+	- Any device name is now supported on Windows, fixes #47.
+	- Multiple installed TAP32 interfaces are now supported, fixes #46.
+	- Return nonzero if tunnel fails to open, fixes #62.
+	- Support for setting a SELinux context, based on patch by
+		Sebastien Raveau. Sample context file in doc/iodine.te
+	- Allow listen port and DNS forward port to be the same if listen IP
+		does not include localhost.
+	- The client will now exit if configuring IP or MTU fails.
+	- The starting cache miss value is randomized at startup, fixes #65.
+	- Raw UDP mode added. If the iodined server is reachable directly,
+		packets can be sent to it without DNS encoding. Fixes #36.
+	- Do not overwrite users CC/CFLAGS/LDFLAGS, only add to them.
+	- Added -F option to write pidfile, based on patch from
+		misc at mandriva.org. Fixes #70.
+	- Allow password to be set via environment variable, fixes #77.
+		Based on patch by logix.
+	- Client now prints server tunnel IP, fixes #78. Patch by logix.
+	- Fix build error on Mac OS X 10.6, patch by G. Rischard. #79.
+	- Added support for CNAME/TXT/A/MX query types, fixes #75.
+		Patch by Anne Bezemer, merge help by logix.
+	- Merged low-latency patch from Anne Bezemer, fixes #76.
+	- Resolve client nameserver argument if given as hostname, fixes #82.
+	- Open log before chroot, fixes #86: logging on FreeBSD.
+
+2009-06-01: 0.5.2 "WifiFree"
+	- Fixed client segfault on OS X, #57
+	- Added check that nameserver lookup was successful
+	- Fixed ENOTSOCK error on OS X and FreeBSD, #58.
+
+2009-03-21: 0.5.1 "Boringo"
+	- Added initial Windows support, fixes #43.
+	- Added length check of autoprobe responses
+	- Refactored and added unit tests
+	- Added syslog logging for iodined on version and login packets
+	- Fixed segfault when encoding just one block, fixes #51.
+		The normal code was never affected by this.
+	- Added win32 code to read DNS server from system, fixes #45.
+	- Disabled password echo on win32, fixes #44.
+	- Fix encoding error making all autoprobing > 1024 bytes fail, #52.
+	- Increase default interface MTU to 1200.
+	- Fix autoprobing error making every third probe fail, set IP flag
+		Dont-Fragment where supported. Fixes #54.
+	- Added TAP32 version 0901 as accepted (#53).
+
+2009-01-23: 0.5.0 "iPassed"
+	- Fixed segfault in server when sending version reject.
+	- Applied patch to make iodine build on BeOS R5-BONE and Haiku,
+		from Francois Revol. Still work to do to get tun device working.
+	- Added capability to forward DNS queries outside tunnel domain to
+		a nameserver on localhost. Use -b port to enable, fixes #31.
+	- iodined now replies to NS request on its own domain, fixes issue #33.
+		The destination IP address is sent as reply. Use -n to specify
+		a specific IP address to return (if behind NAT etc).
+	- Upstream data is now Base64 encoded if relay server preserves case and
+		supports the plus (+) character in domain names, fixes #16.
+	- Fixed problem in client when DNS trans. ID has highest bit set (#37)
+	- IP addresses are now assigned within the netmask, so iodined can
+		use any address for itself, fixes #28.
+	- Netmask size is now adjustable. Setting a small net will reduce the
+		number of users. Use x.x.x.x/n notation on iodined tunnel ip.
+		This fixes #27.
+	- Downstream data is now fragmented, and the fragment size is auto-
+		probed after login. Fixes #7. It only took a few years :)
+	- Enhanced the checks that validates incoming packets
+	- Fixed endless loop in fragment size autodetection, #39.
+	- Fixed broken hostname dot placing with specific lengths, #40.
+
+2008-08-06: 0.4.2 "Opened Zone"
+	- Applied a few small patches from Maxim Bourmistrov and Gregor Herrmann
+	- Applied a patch for not creating and configuring the tun interface,
+		Debian bug #477692 by Vincent Bernat, controlled by -s switch
+	- Applied a security patch from Andrew Griffiths, use setgroups() to
+		limit the groups of the user
+	- Applied a patch to make iodine build on (Open)Solaris, from Albert Lee
+		Needs TUN/TAP driver http://www.whiteboard.ne.jp/~admin2/tuntap/
+		Still needs more code in tun.c for opening/closing the device
+	- Added option in server (-c) to disable IP/port checking on packets,
+		will hopefully help when server is behind NAT
+	- Fixed bug #21, now only IP address part of each packet is checked.
+		Should remove the need for the -c option and also work with
+		bugfixed DNS servers worldwide.
+	- Added -D option on server to enable debugging. Debug level 1 now 
+		prints info about each RX/TX datagram.
+
+2007-11-30: 0.4.1 "Tea Online"
+	- Introduced encoding API
+	- Switched to new Base32 implementation
+	- Added Base64 implementation that only uses 63 chars (not used yet)
+	- Refined 'install' make target and use $(MAKE) for recursive calls
+	- All received error messages (RCODE field) are echoed
+	- Top domain limited to 128 chars
+	- Case preservation check sent after login to decide codec
+	- Fixed crash on incoming NULL query in server with bad top domain
+	- /etc/resolv.conf is consulted if no nameserver is given on commandline
+	- Applied patch from Matthew W. S. Bell (Detach before chroot/dropping priv)
+
 2007-03-25: 0.4.0 "Run Home"
 	- Added multiuser support (up to 8 users simultaneously)
 	- Added authentication (password entered as argument or on stdin)

Makefile

@@ -1,6 +1,11 @@
-PREFIX=/usr/local
+prefix=/usr/local
+sbindir=$(prefix)/sbin
+datadir=$(prefix)/share
+mandir=$(datadir)/man
 
-INSTALL=/usr/bin/install
+DESTDIR=
+
+INSTALL=install
 INSTALL_FLAGS=
 
 MKDIR=mkdir
@@ -9,27 +14,49 @@ MKDIR_FLAGS=-p
 RM=rm
 RM_FLAGS=-f
 
+TARGETOS = `uname`
+
 all: 
-	@(cd src; make all)
+	@(cd src; $(MAKE) TARGETOS=$(TARGETOS) all)
+
+cross-mingw: 
+	@(cd src; $(MAKE) TARGETOS=windows32 CC=i686-mingw32-gcc all)
+
+cross-mingw-dist: cross-mingw
+	@rm -rf iodine-latest-win32*
+	@mkdir -p iodine-latest-win32/bin
+	@for i in `ls bin`; do cp bin/$$i iodine-latest-win32/bin/$$i.exe; done
+	@cp /usr/i686-mingw32/usr/bin/zlib1.dll iodine-latest-win32/bin
+	@cp README* CH* TO* iodine-latest-win32
+	@echo "Create date: " > iodine-latest-win32/VERSION
+	@date >> iodine-latest-win32/VERSION
+	@echo "SVN version: " >> iodine-latest-win32/VERSION
+	@svnversion >> iodine-latest-win32/VERSION
+	@zip -r iodine-latest-win32.zip iodine-latest-win32
 
 install: all
-	$(MKDIR) $(MKDIR_FLAGS) $(PREFIX)/sbin
-	$(INSTALL) $(INSTALL_FLAGS) bin/iodine $(PREFIX)/sbin/iodine
-	$(INSTALL) $(INSTALL_FLAGS) bin/iodined $(PREFIX)/sbin/iodined
-	$(MKDIR) $(MKDIR_FLAGS) $(PREFIX)/man/man8
-	$(INSTALL) $(INSTALL_FLAGS) man/iodine.8 $(PREFIX)/man/man8/iodine.8
+	$(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(sbindir)
+	$(INSTALL) $(INSTALL_FLAGS) bin/iodine $(DESTDIR)$(sbindir)/iodine
+	chmod 755 $(DESTDIR)$(sbindir)/iodine
+	$(INSTALL) $(INSTALL_FLAGS) bin/iodined $(DESTDIR)$(sbindir)/iodined
+	chmod 755 $(DESTDIR)$(sbindir)/iodined
+	$(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(mandir)/man8
+	$(INSTALL) $(INSTALL_FLAGS) man/iodine.8 $(DESTDIR)$(mandir)/man8/iodine.8
+	chmod 644 $(DESTDIR)$(mandir)/man8/iodine.8
 
 uninstall:
-	$(RM) $(RM_FLAGS) $(PREFIX)/sbin/iodine
-	$(RM) $(RM_FLAGS) $(PREFIX)/sbin/iodined
-	$(RM) $(RM_FLAGS) $(PREFIX)/man/man8/iodine.8
+	$(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodine
+	$(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodined
+	$(RM) $(RM_FLAGS) $(DESTDIR)$(mandir)/man8/iodine.8
 	
 test: all
-	@(cd tests; make all)
+	@echo "!! The check library is required for compiling and running the tests"
+	@echo "!! Get it at http://check.sf.net"
+	@(cd tests; $(MAKE) TARGETOS=$(TARGETOS) all)
 
 clean:
 	@echo "Cleaning..."
-	@(cd src; make clean)
-	@(cd tests; make clean)
-	@rm -rf bin
+	@(cd src; $(MAKE) clean)
+	@(cd tests; $(MAKE) clean)
+	@rm -rf bin iodine-latest-win32*
 

README

@@ -11,12 +11,12 @@ firewalled, but DNS queries are allowed.
 QUICKSTART:
 
 Try it out within your own LAN! Follow these simple steps:
-- On your server, run: ./iodined -f 10.0.0.1 test.asdf
+- On your server, run: ./iodined -f 10.0.0.1 test.com
   (If you already use the 10.0.0.0 network, use another internal net like 
   172.16.0.0)
 - Enter a password
-- On the client, run: ./iodine -f 192.168.0.1 test.asdf
-  (Replace 192.168.0.1 with the server's ip address)
+- On the client, run: ./iodine -f -r 192.168.0.1 test.com
+  (Replace 192.168.0.1 with your server's ip address)
 - Enter the same password
 - Now the client has the tunnel ip 10.0.0.2 and the server has 10.0.0.1
 - Try pinging each other through the tunnel
@@ -26,57 +26,196 @@ To actually use it through a relaying nameserver, see below.
 
 HOW TO USE:
 
+Note: server and client are required to speak the exact same protocol. In most
+cases, this means running the same iodine version. Unfortunately, implementing
+backward and forward protocol compatibility is usually not feasible.
+
 Server side:
-To use this tunnel, you need control over a real domain (like mytunnel.com),
-and a server with a public IP number (not behind NAT) that does not yet run 
-a DNS server. Then, delegate a subdomain (say, tunnel1.mytunnel.com) to the 
-server. If you use BIND for the domain, add these lines to the zone file:
+To use this tunnel, you need control over a real domain (like mydomain.com),
+and a server with a public IP address to run iodined on. If this server
+already runs a DNS program, change its listening port and then use iodined's
+-b option to let iodined forward the DNS requests. (Note that this procedure
+is not advised in production environments, because iodined's DNS forwarding
+is not completely transparent.)
 
-tunnel1host	IN	A	10.15.213.99
-tunnel1		IN	NS	tunnel1host.mytunnel.com.
+Then, delegate a subdomain (say, t1.mydomain.com) to the iodined server.
+If you use BIND for your domain, add two lines like these to the zone file:
 
-Do not use CNAME instead of A above.
-If your server has a dynamic IP, use a dynamic dns provider:
+t1		IN	NS	t1ns.mydomain.com.		; note the dot!
+t1ns		IN	A	10.15.213.99
 
-tunnel1         IN      NS      tunnel1host.mydyndnsprovider.com
+The "NS" line is all that's needed to route queries for the "t1" subdomain
+to the "t1ns" server. We use a short name for the subdomain, to keep as much
+space as possible available for the data traffic. At the end of the "NS" line
+is the name of your iodined server. This can be any name, pointing anywhere,
+but in this case it's easily kept in the same zone file. It must be a name
+(not an IP address), and that name itself must have an A record (not a CNAME).
 
-Now any DNS querys for domains ending with tunnel1.mytunnnel.com will be sent
-to your server. Start iodined on the server. The first argument is the tunnel
-IP address (like 192.168.99.1) and the second is the assigned domain (in this
-case tunnel1.mytunnel.com). The -f argument will keep iodined running in the
-foreground, which helps when testing. iodined will start a virtual interface,
-and also start listening for DNS queries on UDP port 53. Either enter a
-password on the commandline (-P pass) or after the server has started. Now 
-everything is ready for the client.
+If your iodined server has a dynamic IP, use a dynamic dns provider. Simply
+point the "NS" line to it, and leave the "A" line out:
+
+t1		IN	NS	myname.mydyndnsprovider.com.	; note the dot!
+
+Then reload or restart your nameserver program. Now any DNS queries for
+domains ending in t1.mydomain.com will be sent to your iodined server.
+
+Finally start iodined on your server. The first argument is the IP address
+inside the tunnel, which can be from any range that you don't use yet (for
+example 192.168.99.1), and the second argument is the assigned domain (in this
+case t1.mydomain.com). Using the -f option will keep iodined running in the
+foreground, which helps when testing. iodined will open a virtual interface
+("tun device"), and will also start listening for DNS queries on UDP port 53.
+Either enter a password on the commandline (-P pass) or after the server has
+started. Now everything is ready for the client.
+
+If there is a chance you'll be using an iodine tunnel from unexpected
+environments, start iodined with a -c option.
+
+Resulting commandline in this example situation:
+./iodined -f -c -P secretpassword 192.168.99.1 t1.mydomain.com
 
 Client side: 
-All the setup is done, just start iodine. It also takes two
-arguments, the first is the local relaying DNS server and the second is the
-domain used (tunnel1.mytunnnel.com). If DNS queries are allowed to any
-computer, you can use the tunnel endpoint (example: 10.15.213.99 or
-tunnel1host.mytunnel.com) as the first argument. The tunnel interface will get
-an IP close to the servers (in this case 192.168.99.2) and a suitable MTU. 
-Enter the same password as on the server either by argument or after the client
-has started. Now you should be able to ping the other end of the tunnel from 
-either side.  
+All the setup is done, just start iodine. It takes one or two arguments, the
+first is the local relaying DNS server (optional) and the second is the domain
+you used (t1.mydomain.com). If you don't specify the first argument, the
+system's current DNS setting will be consulted.
+
+If DNS queries are allowed to any computer, you can directly give the iodined
+server's address as first argument (in the example: t1ns.mydomain.com or
+10.15.213.99). In that case, it may also happen that _any_ traffic is allowed
+to the DNS port (53 UDP) of any computer. Iodine will detect this, and switch
+to raw UDP tunneling if possible. To force DNS tunneling in any case, use the
+-r option (especially useful when testing within your own network).
+
+The client's tunnel interface will get an IP close to the server's (in this
+case 192.168.99.2 or .3 etc.) and a suitable MTU. Enter the same password as
+on the server either as commandline option or after the client has started.
+Using the -f option will keep the iodine client running in the foreground.
+
+Resulting commandline in this example situation:
+./iodine -f -P secretpassword t1.mydomain.com
+(add -r to force DNS tunneling even if raw UDP tunneling would be possible)
+
+From either side, you should now be able to ping the IP address on the other
+end of the tunnel. In this case, ping 192.168.99.1 from the iodine client, and
+192.168.99.2 or .3 etc. from the iodine server.
 
 
 MISC. INFO:
 
-Try experimenting with the MTU size (-m option) to get maximum bandwidth. It is
-set to 1024 by default, which seems to work with most DNS servers. If you have
-problems, try setting it to 220 as this ensures all packets to be < 512 bytes.
-Some DNS servers enforce a 512 byte packet limit, and this is probably the case
-if you can ping through the tunnel but not login via SSH.
+Routing:
+It is possible to route all traffic through the DNS tunnel. To do this, first
+add a host route to the nameserver used by iodine over the wired/wireless
+interface with the default gateway as gateway. Then replace the default
+gateway with the iodined server's IP address inside the DNS tunnel, and
+configure the server to do NAT.
+
+However, note that the tunneled data traffic is not encrypted at all, and can
+be read and changed by external parties relatively easily. For maximum
+security, run a VPN through the DNS tunnel (=double tunneling), or use secure
+shell (SSH) access, possibly with port forwarding. The latter can also be used
+for web browsing, when you run a web proxy (for example Privoxy) on your
+server.
+
+Testing:
+The iodined server replies to NS requests sent for subdomains of the tunnel
+domain. If your iodined subdomain is t1.mydomain.com, send a NS request for
+foo123.t1.mydomain.com to see if the delegation works. dig is a good tool
+for this:
+dig -t NS foo123.t1.mydomain.com
+
+Also, the iodined server will answer requests starting with 'z' for any of the
+supported request types, for example:
+dig -t TXT z456.t1.mydomain.com
+dig -t SRV z456.t1.mydomain.com
+dig -t CNAME z456.t1.mydomain.com
+The reply should look like garbled text in all these cases.
+
+Operational info:
+The DNS-response fragment size is normally autoprobed to get maximum bandwidth.
+To force a specific value (and speed things up), use the -m option.
+
+The DNS hostnames are normally used up to their maximum length, 255 characters.
+Some DNS relays have been found that answer full-length queries rather
+unreliably, giving widely varying (and mostly very bad) results of the
+fragment size autoprobe on repeated tries. In these cases, use the -M switch
+to reduce the DNS hostname length to for example 200 characters, which makes
+these DNS relays much more stable. This is also useful on some "de-optimizing"
+DNS relays that stuff the response with two full copies of the query, leaving
+very little space for downstream data (also not capable of EDNS0). The -M
+switch can trade some upstream bandwidth for downstream bandwidth. Note that
+the minimum -M value is about 100, since the protocol can split packets (1200
+bytes max) in only 16 fragments, requiring at least 75 real data bytes per
+fragment.
+
+The upstream data is sent gzipped encoded with Base32; or Base64 if the relay
+server supports mixed case and '+' in domain names; or Base64u if '_' is
+supported instead; or Base128 if high-byte-value characters are supported.
+This upstream encoding is autodetected. The DNS protocol allows one query per
+packet, and one query can be max 256 chars. Each domain name part can be max
+63 chars. So your domain name and subdomain should be as short as possible to
+allow maximum upstream throughput.
+
+Several DNS request types are supported, with the NULL type expected to provide
+the largest downstream bandwidth. Other available types are TXT, SRV, MX,
+CNAME and A (returning CNAME), in decreasing bandwidth order. Normally the
+"best" request type is autodetected and used. However, DNS relays may impose
+limits on for example NULL and TXT, making SRV or MX actually the best choice.
+This is not autodetected, but can be forced using the -T option. It is
+advisable to try various alternatives especially when the autodetected request
+type provides a downstream fragment size of less than 200 bytes.
+
+Note that SRV, MX and A (returning CNAME) queries may/will cause additional
+lookups by "smart" caching nameservers to get an actual IP address, which may
+either slow down or fail completely.
+
+DNS responses for non-NULL queries can be encoded with the same set of codecs
+as upstream data. This is normally also autodetected, but no fully exhaustive
+tests are done, so some problems may not be noticed when selecting more
+advanced codecs. In that case, you'll see failures/corruption in the fragment
+size autoprobe. In particular, several DNS relays have been found that change
+replies returning hostnames (SRV, MX, CNAME, A) to lowercase only when that
+hostname exceeds ca. 180 characters. In these and similar cases, use the -O
+option to try other downstream codecs; Base32 should always work.
+
+Normal operation now is for the server to _not_ answer a DNS request until
+the next DNS request has come in, a.k.a. being "lazy". This way, the server
+will always have a DNS request handy when new downstream data has to be sent.
+This greatly improves (interactive) performance and latency, and allows to
+slow down the quiescent ping requests to 4 second intervals by default, and
+possibly much slower. In fact, the main purpose of the pings now is to force
+a reply to the previous ping, and prevent DNS server timeouts (usually at
+least 5-10 seconds per RFC1035). Some DNS servers are more impatient and will
+give SERVFAIL errors (timeouts) in periods without tunneled data traffic. All
+data should still get through in these cases, but iodine will reduce the ping
+interval to 1 second anyway (-I1) to reduce the number of error messages. This
+may not help for very impatient DNS relays like dnsadvantage.com (ultradns),
+which time out in 1 second or even less. Yet data will still get trough, and
+you can ignore the SERVFAIL errors.
+
+If you are running on a local network without any DNS server in-between, try
+-I 50 (iodine and iodined close the connection after 60 seconds of silence).
+The only time you'll notice a slowdown, is when DNS reply packets go missing;
+the iodined server then has to wait for a new ping to re-send the data. You can
+speed this up by generating some upstream traffic (keypress, ping). If this
+happens often, check your network for bottlenecks and/or run with -I1.
+
+The delayed answering in lazy mode will cause some "carrier grade" commercial
+DNS relays to repeatedly re-send the same DNS query to the iodined server.
+If the DNS relay is actually implemented as a pool of parallel servers,
+duplicate requests may even arrive from multiple sources. This effect will
+only be visible in the network traffic at the iodined server, and will not
+affect the client's connection. Iodined will notice these duplicates, and send
+the same answer (when its time has come) to both the original query and the
+latest duplicate. After that, the full answer is cached for a short while.
+Delayed duplicates that arrive at the server even later, get a reply that the
+iodine client will ignore (if it ever arrives there).
 
 If you have problems, try inspecting the traffic with network monitoring tools
-and make sure that the relaying DNS server has not cached the response. A
-cached error message could mean that you started the client before the server.
-
-The upstream data is sent gzipped encoded with Base32. DNS protocol allows
-one query per packet, and one query can be max 256 chars. Each domain name part
-can be max 63 chars. So your domain name and subdomain should be as short as
-possible to allow maximum throughput.
+like tcpdump or ethereal/wireshark, and make sure that the relaying DNS server
+has not cached the response. A cached error message could mean that you
+started the client before the server. The -D (and -DD) option on the server
+can also show received and sent queries.
 
 
 TIPS & TRICKS:
@@ -87,14 +226,101 @@ use for instance iptables (on Linux) to forward the traffic:
 iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to :5353
 (Sent in by Tom Schouten)
 
+Iodined will reject data from clients that have not been active (data/pings)
+for more than 60 seconds. Similarly, iodine will exit when no downstream
+data has been received for 60 seconds. In case of a long network outage or
+similar, just restart iodine (re-login), possibly multiple times until you get
+your old IP address back. Once that's done, just wait a while, and you'll
+eventually see the tunneled TCP traffic continue to flow from where it left
+off before the outage.
+
+With the introduction of the downstream packet queue in the server, its memory
+usage has increased with several megabytes in the default configuration.
+For use in low-memory environments (e.g. running on your DSL router), you can
+decrease USERS and undefine OUTPACKETQ_LEN in user.h without any ill conse-
+quence, assuming at most one client will be connected at any time. A small
+DNSCACHE_LEN is still advised, preferably 2 or higher, however you can also
+undefine it to save a few more kilobytes.
+
+
+PERFORMANCE:
+
+This section tabulates some performance measurements. To view properly, use
+a fixed-width font like Courier.
+
+Measurements were done in protocol 00000502 in lazy mode; upstream encoding
+always Base128; iodine -M255; iodined -m1130. Network conditions were not
+extremely favorable; results are not benchmarks but a realistic indication of
+real-world performance that can be expected in similar situations.
+
+Upstream/downstream throughput was measured by scp'ing a file previously
+read from /dev/urandom (i.e. incompressible), and measuring size with
+"ls -l ; sleep 30 ; ls -l" on a separate non-tunneled connection. Given the
+large scp block size of 16 kB, this gives a resolution of 4.3 kbit/s, which
+explains why some values are exactly equal.
+Ping round-trip times measured with "ping -c100", presented are average rtt
+and mean deviation (indicating spread around the average), in milliseconds.
+
+
+Situation 1:
+Laptop  ->   Wifi AP   ->  Home server  ->  DSL provider  ->  Datacenter
+ iodine    DNS "relay"        bind9           DNS cache        iodined
+
+                        downstr.  upstream downstr.  ping-up       ping-down
+                        fragsize   kbit/s   kbit/s  avg +/-mdev   avg +/-mdev
+------------------------------------------------------------------------------
+
+iodine -> Wifi AP :53
+  -Tnull (= -Oraw)           982    43.6    131.0   28.0    4.6   26.8    3.4
+
+iodine -> Home server :53
+  -Tnull (= -Oraw)          1174    48.0    305.8   26.6    5.0   26.9    8.4
+
+iodine -> DSL provider :53  
+  -Tnull (= -Oraw)          1174    56.7    367.0   20.6    3.1   21.2    4.4
+  -Ttxt -Obase32             730    56.7    174.7*
+  -Ttxt -Obase64             874    56.7    174.7
+  -Ttxt -Obase128           1018    56.7    174.7
+  -Ttxt -Oraw               1162    56.7    358.2
+  -Tsrv -Obase128            910    56.7    174.7
+  -Tcname -Obase32           151    56.7     43.6
+  -Tcname -Obase128          212    56.7     52.4
+
+iodine -> DSL provider :53  
+  wired (no Wifi) -Tnull    1174    74.2    585.4   20.2    5.6   19.6    3.4
+
+ [174.7* : these all have 2frag/packet]
+
+
+Situation 2:
+Laptop  ->  Wifi+vpn / wired  ->  Home server
+ iodine                            iodined
+
+                        downstr.  upstream downstr.  ping-up       ping-down
+                        fragsize   kbit/s   kbit/s  avg +/-mdev   avg +/-mdev
+------------------------------------------------------------------------------
+
+wifi + openvpn  -Tnull      1186   166.0   1022.3    6.3    1.3    6.6    1.6
+
+wired  -Tnull               1186   677.2   2464.1    1.3    0.2    1.3    0.1
+
+
+Performance is strongly coupled to low ping times, as iodine requires
+confirmation for every data fragment before moving on to the next. Allowing
+multiple fragments in-flight like TCP could possibly increase performance,
+but it would likely cause serious overload for the intermediary DNS servers.
+The current protocol scales performance with DNS responsivity, since the
+DNS servers are on average handling at most one DNS request per client.
+
 
 PORTABILITY:
 
-iodine has been tested on Linux (arm, ia64, x86, AMD64 and SPARC64), FreeBSD 
-(ia64, x86), OpenBSD (x86), NetBSD (x86) and MacOS X (ppc and x86, with 
-http://www-user.rhrk.uni-kl.de/~nissler/tuntap/). It should work on other 
-unix-like systems as well that has TUN/TAP tunneling support (after some 
-patching). Let us know if you get it to run on other platforms. 
+iodine has been tested on Linux (arm, ia64, x86, AMD64 and SPARC64), FreeBSD
+(ia64, x86), OpenBSD (x86), NetBSD (x86), MacOS X (ppc and x86, with
+http://tuntaposx.sourceforge.net/). and Windows (with OpenVPN TAP32 driver, see
+win32 readme file).  It should be easy to port to other unix-like systems that
+has TUN/TAP tunneling support. Let us know if you get it to run on other
+platforms. 
 
 
 THE NAME:
@@ -111,7 +337,8 @@ THANKS:
 
 AUTHORS & LICENSE:
 
-Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+Also major contributions by Anne Bezemer.
 
 Permission to use, copy, modify, and distribute this software for any purpose
 with or without fee is hereby granted, provided that the above copyright notice

README-win32.txt

@@ -0,0 +1,62 @@
+
+
+iodine - http://code.kryo.se/iodine
+
+***********************************
+
+Extra README file for Win32 related stuff
+
+
+== Running iodine on Windows:
+1. Install the TAP32 driver 
+   http://openvpn.net/index.php/open-source/downloads.html
+   Choose OpenVPN 2.0.9 Windows Installer, when installing you can
+   select to install only the TAP driver.
+
+2. Have at least one TAP32 interface installed. There are scripts for adding
+   and removing in the OpenVPN bin directory. If you have more than one
+   installed, use -d to specify which. Use double quotes if you have spaces,
+   example: iodine.exe -d "Local Area Connection 4" abc.ab
+
+3. Make sure the interface you want to use does not have a default gateway set.
+
+4. Run iodine/iodined as normal (see the main README file).
+   You may have to run it as administrator depending on user privileges.
+
+5. Enjoy!
+
+
+== Building on Windows:
+You need:
+	MinGW, MSYS, GCC, zlib
+
+Then just run make
+
+
+== Cross-compiling for MinGW:
+You need:
+	MinGW crosscompiler, crosscompiled zlib
+
+Then run "make cross-mingw"
+Note that the binaries will not get a .exe suffix
+
+
+== Zlib download
+You can get zlib for MinGW here (both for native and crosscompile):
+http://code.kryo.se/iodine/deps/zlib.zip
+Unzip it in your MinGW directory on Windows or in $ROOT/usr for
+cross-compile.
+
+
+== Results of crappy Win32 API:
+The following fixable limitations apply:
+- Server cannot read packet destination address
+
+The following (probably) un-fixable limitations apply:
+- A password entered as -P argument can be shown in process list
+- Priviligies cannot be dropped
+- chroot() cannot be used
+- Detaching from terminal not possible
+- Server on windows must be run with /30 netmask
+- Client can only talk to server, not other clients
+

doc/iodine.te

@@ -0,0 +1,25 @@
+# Sample post-initialization SELinux policy for Iodine
+policy_module(iodine, 1.1)
+
+require {
+	type init_t;
+	type initrc_t;
+	type unconfined_t;
+	type unlabeled_t;
+	class udp_socket { read write };
+	class rawip_socket { write read };
+	class association recvfrom;
+	class unix_dgram_socket { create connect };
+}
+
+type iodine_t;
+domain_type(iodine_t)
+domain_dyntrans_type(initrc_t)
+allow initrc_t iodine_t:process dyntransition;
+
+allow iodine_t unconfined_t:udp_socket { read write };
+allow iodine_t unconfined_t:rawip_socket { write read };
+allow iodine_t unlabeled_t:association recvfrom;
+allow iodine_t self:unix_dgram_socket { create connect };
+corenet_raw_receive_generic_node(iodine_t)
+corenet_rw_tun_tap_dev(iodine_t)

doc/proto_00000402.txt

@@ -0,0 +1,61 @@
+Detailed specification of protocol in version 00000402
+======================================================
+
+CMC = 2 byte Cache Miss Counter, increased every time it is used
+
+Version:
+Client sends:
+	First byte v or V
+	Rest encoded with base32:
+	4 bytes big endian protocol version
+	CMC
+Server replies:
+	4 chars:
+		VACK (version ok), followed by login challenge
+		VNAK (version differs), followed by server protocol version
+		VFUL (server has no free slots), followed by max users
+	4 byte value: means login challenge/server protocol version/max users
+	1 byte userid of the new user, or any byte if not VACK
+	
+Login:
+Client sends:
+	First byte l or L
+	Rest encoded with base32:
+	1 byte userid
+	16 bytes MD5 hash of: (first 32 bytes of password) xor (8 repetitions of login challenge)
+	CMC
+Server replies:
+	LNAK means not accepted
+	x.x.x.x-y.y.y.y-mtu means accepted (server ip, client ip, mtu)
+
+Case check:
+Client sends: 
+	First byte z or Z
+	Lots of data that should not be decoded
+Server replies:
+	The requested domain copied raw
+
+Data:
+Data header:
+	 321 0 
+	+---+-+
+	|UUU|L|
+	+---+-+
+
+UUU = Userid
+L = Last fragment in packet flag
+
+First byte is the header, 4 bits coded as hex in ASCII. 
+Followed by data encoded with Base32.
+
+Ping:
+Client sends:
+	First byte p or P
+	Rest encoded with Base32:
+	1 byte userid
+	CMC
+
+The server response to Ping and Data packets is a DNS NULL type response:
+If server has nothing to send, data length is 0 bytes.
+If server has a packet to send, data length is set and the data is a full raw
+unencoded ip packet, prefixed with 32 bits tun data.

doc/proto_00000500.txt

@@ -0,0 +1,112 @@
+Detailed specification of protocol in version 00000500
+======================================================
+
+CMC = 2 byte Cache Miss Counter, increased every time it is used
+
+Version:
+Client sends:
+	First byte v or V
+	Rest encoded with base32:
+	4 bytes big endian protocol version
+	CMC
+Server replies:
+	4 chars:
+		VACK (version ok), followed by login challenge
+		VNAK (version differs), followed by server protocol version
+		VFUL (server has no free slots), followed by max users
+	4 byte value: means login challenge/server protocol version/max users
+	1 byte userid of the new user, or any byte if not VACK
+	
+Login:
+Client sends:
+	First byte l or L
+	Rest encoded with base32:
+	1 byte userid
+	16 bytes MD5 hash of: (first 32 bytes of password) xor (8 repetitions of login challenge)
+	CMC
+Server replies:
+	LNAK means not accepted
+	x.x.x.x-y.y.y.y-mtu-netmask means accepted (server ip, client ip, mtu, netmask bits)
+
+Case check:
+Client sends: 
+	First byte z or Z
+	Lots of data that should not be decoded
+Server replies:
+	The requested domain copied raw
+
+Switch codec:
+Client sends:
+	First byte s or S
+	5 bits coded as Base32 char, meaning userid
+	5 bits coded as Base32 char, with value 5 or 6, representing number of raw
+	bits per encoded byte
+Server sends:
+	Name of codec if accepted. After this all upstream data packets must 
+	be encoded with the new codec.
+	BADCODEC if not accepted. Client must then revert to Base32
+
+Probe downstream fragment size:
+Client sends:
+	First byte r or R
+	15 bits coded as 3 Base32 chars: UUUUF FFFFF FFFFF
+		meaning 4 bits userid, 11 bits fragment size
+	Then follows a long random query which contents does not matter
+Server sends:
+	Requested number of bytes as a response. The first two bytes contains
+	the requested length. Rest of message can be any data.
+	BADFRAG if requested length not accepted.
+
+Set downstream fragment size:
+Client sends:
+	First byte n or N
+	Rest encoded with base32:
+	1 byte userid
+	2 bytes new downstream fragment size
+	CMC
+Server sends:
+	2 bytes new downstream fragment size. After this all downstream
+	payloads will be max (fragsize + 2) bytes long.
+	BADFRAG if not accepted.
+
+Data:
+Upstream data header:
+	 3210 432 10 43 210 4321 0
+	+----+---+--+--+---+----+-+
+	|UUUU|SSS|FF|FF|DDD|GGGG|L|
+	+----+---+--+--+---+----+-+
+
+Downstream data header:
+	 7 654 3210 765 4321 0
+	+-+---+----+---+----+-+
+	|C|SSS|FFFF|DDD|GGGG|L|
+	+-+---+----+---+----+-+
+
+UUUU = Userid
+L = Last fragment in packet flag
+SS = Upstream packet sequence number
+FFFF = Upstream fragment number
+DDD = Downstream packet sequence number
+GGGG = Downstream fragment number
+C = Compression enabled for downstream packet
+
+Upstream data packet starts with 1 byte ASCII hex coded user byte, then 3 bytes 
+Base32 encoded header, then comes the payload data, encoded with chosen codec.
+
+Downstream data starts with 2 byte header. Then payload data, which may be
+compressed.
+
+Ping:
+Client sends:
+	First byte p or P
+	Rest encoded with Base32:
+	1 byte with 4 bits userid
+	1 byte with:
+		3 bits downstream seqno
+		4 bits downstream fragment
+	CMC
+
+The server response to Ping and Data packets is a DNS NULL type response:
+If server has nothing to send, data length is 0 bytes.
+If server has something to send, it will send a downstream data packet, 
+prefixed with 2 bytes header as shown above.

doc/proto_00000502.txt

@@ -0,0 +1,287 @@
+Detailed specification of protocol in version 00000502
+======================================================
+
+Note: work in progress!!
+
+======================================================
+1. DNS protocol
+======================================================
+
+Quick alphabetical index / register:
+	0-9	Data packet
+	A-F	Data packet
+	I	IP address
+	L	Login
+	N	Downstream fragsize	(NS.topdomain A-type reply)
+	O	Options
+	P	Ping
+	R	Downstream fragsize probe
+	S	Switch upstream codec
+	V	Version
+	W				(WWW.topdomain A-type reply)
+	Y	Downstream codec check
+	Z	Upstream codec check
+
+
+CMC = 2 byte Cache Miss Counter, increased every time it is used
+
+Version:
+Client sends:
+	First byte v or V
+	Rest encoded with base32:
+	4 bytes big endian protocol version
+	CMC
+Server replies:
+	4 chars:
+		VACK (version ok), followed by login challenge
+		VNAK (version differs), followed by server protocol version
+		VFUL (server has no free slots), followed by max users
+	4 byte value: means login challenge/server protocol version/max users
+	1 byte userid of the new user, or any byte if not VACK
+	
+Login:
+Client sends:
+	First byte l or L
+	Rest encoded with base32:
+	1 byte userid
+	16 bytes MD5 hash of: (first 32 bytes of password) xor (8 repetitions of login challenge)
+	CMC
+Server replies:
+	LNAK means not accepted
+	x.x.x.x-y.y.y.y-mtu-netmask means accepted (server ip, client ip, mtu, netmask bits)
+
+IP Request:
+Client sends:
+	First byte i or I
+	5 bits coded as Base32 char, meaning userid
+	CMC as 3 Base32 chars
+Server replies
+	BADIP if bad userid, or
+	I and then 4 bytes network order external IP address of iodined server
+
+Upstream codec check / bounce:
+Client sends: 
+	First byte z or Z
+	Lots of data that should not be decoded
+Server replies:
+	The requested domain copied raw, in the lowest-grade downstream codec
+	available for the request type.
+
+Downstream codec check:
+Client sends:
+	First byte y or Y
+	1 char, meaning downstream codec to use
+	5 bits coded as Base32 char, meaning check variant
+	CMC as 3 Base32 chars
+	Possibly extra data, depending on check variant
+Server sends:
+	Data encoded with requested downstream codec; data content depending
+	on check variant number.
+	BADCODEC if requested downstream codec not available.
+	BADLEN if check variant is not available, or problem with extra data.
+
+	Downstream codec chars are same as in 'O' Option request, below.
+
+	Check variants:
+	1: Send encoded DOWNCODECCHECK1 string as defined in encoding.h
+
+	(Other variants reserved; possibly variant that sends a decoded-encoded
+	copy of Base32-encoded extra data in the request)
+
+Switch codec:
+Client sends:
+	First byte s or S
+	5 bits coded as Base32 char, meaning userid
+	5 bits coded as Base32 char, representing number of raw bits per
+	encoded byte:
+		5: Base32   (a-z0-5)
+		6: Base64   (a-zA-Z0-9+-)
+		26: Base64u (a-zA-Z0-9_-)
+		7: Base128  (a-zA-Z0-9\274-\375)
+	CMC as 3 Base32 chars
+Server sends:
+	Name of codec if accepted. After this all upstream data packets must 
+	be encoded with the new codec.
+	BADCODEC if not accepted. Client must then revert to previous codec
+	BADLEN if length of query is too short
+
+Options:
+Client sends:
+	First byte o or O
+	5 bits coded as Base32 char, meaning userid
+	1 char, meaning option
+	CMC as 3 Base32 chars
+Server sends:
+	Full name of option if accepted. After this, option immediately takes
+	effect in server.
+	BADCODEC if not accepted. Previous situation remains.
+	All options affect only the requesting client.
+
+	Option chars:
+	t or T: Downstream encoding Base32, for TXT/CNAME/A/MX (default)
+	s or S: Downstream encoding Base64, for TXT/CNAME/A/MX
+	u or U: Downstream encoding Base64u, for TXT/CNAME/A/MX
+	v or V: Downstream encoding Base128, for TXT/CNAME/A/MX
+	r or R: Downstream encoding Raw, for TXT/NULL (default for NULL)
+	If codec unsupported for request type, server will use Base32; note
+	that server will answer any mix of request types that a client sends.
+	Server may disregard this option; client must always use the downstream
+	encoding type indicated in every downstream DNS packet.
+
+	l or L: Lazy mode, server will keep one request unanswered until the
+	next one comes in. Applies only to data transfer; handshake is always
+	answered immediately.
+	i or I: Immediate (non-lazy) mode, server will answer all requests
+	(nearly) immediately.
+
+Probe downstream fragment size:
+Client sends:
+	First byte r or R
+	15 bits coded as 3 Base32 chars: UUUUF FFFFF FFFFF
+		meaning 4 bits userid, 11 bits fragment size
+	Then follows a long random query which contents does not matter
+Server sends:
+	Requested number of bytes as a response. The first two bytes contain
+	the requested length. The third byte is 107 (0x6B). The fourth byte
+	is a random value, and each following byte is incremented with 107.
+	This is checked by the client to determine corruption.
+	BADFRAG if requested length not accepted.
+
+Set downstream fragment size:
+Client sends:
+	First byte n or N
+	Rest encoded with base32:
+	1 byte userid
+	2 bytes new downstream fragment size
+	CMC
+Server sends:
+	2 bytes new downstream fragment size. After this all downstream
+	payloads will be max (fragsize + 2) bytes long.
+	BADFRAG if not accepted.
+
+Data:
+Upstream data header:
+	 3210 432 10 43 210 4321 0 43210
+	+----+---+--+--+---+----+-+-----+
+	|UUUU|SSS|FF|FF|DDD|GGGG|L|UDCMC|
+	+----+---+--+--+---+----+-+-----+
+
+Downstream data header:
+	 7 654 3210 765 4321 0
+	+-+---+----+---+----+-+
+	|C|SSS|FFFF|DDD|GGGG|L|
+	+-+---+----+---+----+-+
+
+UUUU = Userid
+L = Last fragment in packet flag
+SS = Upstream packet sequence number
+FFFF = Upstream fragment number
+DDD = Downstream packet sequence number
+GGGG = Downstream fragment number
+C = Compression enabled for downstream packet
+UDCMC = Upstream Data CMC, 36 steps a-z0-9, case-insensitive
+
+Upstream data packet starts with 1 byte ASCII hex coded user byte; then 3 bytes 
+Base32 encoded header; then 1 char data-CMC; then comes the payload data,
+encoded with the chosen upstream codec.
+
+Downstream data starts with 2 byte header. Then payload data, which may be
+compressed.
+
+In NULL responses, downstream data is always raw. In all other response types,
+downstream data is encoded (see Options above).
+Encoding type is indicated by 1 prefix char:
+TXT:
+	End result is always DNS-chopped (series of len-prefixed strings
+	<=255 bytes)
+	t or T: Base32	 encoded before chop, decoded after un-chop
+	s or S: Base64	 encoded before chop, decoded after un-chop
+	u or U: Base64u	 encoded before chop, decoded after un-chop
+	v or V: Base128	 encoded before chop, decoded after un-chop
+	r or R: Raw	 no encoding, only DNS-chop
+SRV/MX/CNAME/A:
+	h or H: Hostname encoded with Base32
+	i or I: Hostname encoded with Base64
+	j or J: Hostname encoded with Base64u
+	k or K: Hostname encoded with Base128
+SRV and MX may reply with multiple hostnames, each encoded separately. Each
+has a 10-multiple priority, and encoding/decoding is done in strictly
+increasing priority sequence 10, 20, 30, etc. without gaps. Note that some DNS
+relays will shuffle the answer records in the response.
+
+Ping:
+Client sends:
+	First byte p or P
+	Rest encoded with Base32:
+	1 byte with 4 bits userid
+	1 byte with:
+		3 bits downstream seqno
+		4 bits downstream fragment
+	CMC
+
+The server response to Ping and Data packets is a DNS NULL/TXT/.. type response,
+always starting with the 2 bytes downstream data header as shown above.
+If server has nothing to send, no data is added after the header.
+If server has something to send, it will add the downstream data packet
+(or some fragment of it) after the header.
+ 
+ 
+"Lazy-mode" operation
+=====================
+
+Client-server DNS traffic sequence has been reordered to provide increased
+(interactive) performance and greatly reduced latency.
+
+Idea taken from Lucas Nussbaum's slides (24th IFIP International Security
+Conference, 2009) at http://www.loria.fr/~lnussbau/tuns.html. Current
+implementation is original to iodine, no code or documentation from any other
+project was consulted during development.
+
+Server:
+Upstream data is acked immediately*, to keep the slow upstream data flowing
+as fast as possible (client waits for ack to send next frag).
+
+Upstream pings are answered _only_ when 1) downstream data arrives from tun,
+OR 2) new upstream ping/data arrives from client.
+In most cases, this means we answer the previous DNS query instead of the
+current one. The current query is kept in queue and used as soon as
+downstream data has to be sent.
+
+*: upstream data ack is usually done as reply on the previous ping packet,
+and the upstream-data packet itself is kept in queue.
+ 
+Client:
+Downstream data is acked immediately, to keep it flowing fast (includes a
+ping after last downstream frag).
+
+Also, after all available upstream data is sent & acked by the server (which
+in some cases uses up the last query), send an additional ping to prime the
+server for the next downstream data.
+
+
+======================================================
+2. Raw UDP protocol
+======================================================
+
+All Raw UDP protcol messages start with a 3 byte header: 0x10d19e
+This is not the start of a valid DNS message so it is easy to identify.
+The fourth byte contains the command and the user id.
+
+	 7654 3210
+	+----+----+
+	|CCCC|UUUU|
+	+----+----+
+
+Login message (command = 1):
+The header is followed by a MD5 hash with the same password as in the DNS
+login. The client starts the raw mode by sending this message, and uses
+the login challenge +1, and the server responds using the login challenge -1.
+After the login message has been exchanged, both the server and the client
+switch to raw udp mode for the rest of the connection.
+
+Data message (command = 2):
+After the header comes the payload data, which may be compressed.
+
+Ping message (command = 3):
+Sent from client to server and back to keep session open. Has no payload.
+

man/iodine.8

@@ -1,5 +1,5 @@
 .\" groff -man -Tascii iodine.8
-.TH IODINE 8 "FEB 2007" "User Manuals"
+.TH IODINE 8 "DEC 2009" "User Manuals"
 .SH NAME
 iodine, iodined \- tunnel IPv4 over DNS
 .SH SYNOPSIS
@@ -7,47 +7,89 @@ iodine, iodined \- tunnel IPv4 over DNS
 
 .B iodine [-h]
 
-.B iodine [-f] [-u
+.B iodine [-f] [-r] [-u
 .I user
 .B ] [-P
 .I password
+.B ] [-m
+.I fragsize
 .B ] [-t
 .I chrootdir
 .B ] [-d
 .I device
+.B ] [-m
+.I fragsize
+.B ] [-M
+.I namelen
+.B ] [-z
+.I context
+.B ] [-F
+.I pidfile
+.B ] [-T
+.I dnstype
+.B ] [-O
+.I downenc
+.B ] [-L
+.I 0|1
+.B ] [-I
+.I interval
 .B ]
+.B [
 .I nameserver
+.B ]
 .I topdomain
 
 .B iodined [-v]
 
 .B iodined [-h]
 
-.B iodined [-f] [-u
+.B iodined [-c] [-s] [-f] [-D] [-u
 .I user
-.B ] [-P
-.I password
 .B ] [-t
 .I chrootdir
+.B ] [-d
+.I device
 .B ] [-m
 .I mtu
 .B ] [-l
 .I listen_ip
-.B ] [-d
-.I device
+.B ] [-p
+.I port
+.B ] [-n
+.I external_ip
+.B ] [-b
+.I dnsport
+.B ] [-P
+.I password
+.B ] [-z
+.I context
+.B ] [-F
+.I pidfile
 .B ]
 .I tunnel_ip
+.B [
+.I /netmask
+.B ]
 .I topdomain
 .SH DESCRIPTION
 .B iodine
 lets you tunnel IPv4 data through a DNS 
 server. This can be useful in situations where Internet access is firewalled,
 but DNS queries are allowed. It needs a TUN/TAP device to operate. The 
-bandwidth is asymmetrical with limited upstream and up to 1 Mbit/s downstream.
+bandwidth is asymmetrical,
+with a measured maximum of 680 kbit/s upstream and 2.3 Mbit/s
+downstream in a wired LAN test network.
+Realistic sustained throughput on a Wifi network using a carrier-grade
+DNS cache has been measured at some 50 kbit/s upstream and over 200 kbit/s
+downstream.
 .B iodine
 is the client application,
 .B iodined
 is the server.
+
+Note: server and client are required to speak the exact same protocol. In most
+cases, this means running the same iodine version. Unfortunately, implementing
+backward and forward protocol compatibility is usually not feasible.
 .SH OPTIONS
 .SS Common Options:
 .TP
@@ -66,39 +108,173 @@ Drop privileges and run as user 'user' after setting up tunnel.
 .B -t chrootdir
 Chroot to 'chrootdir' after setting up tunnel.
 .TP
+.B -d device
+Use the TUN device 'device' instead of the normal one, which is dnsX on Linux
+and otherwise tunX.
+.TP
 .B -P password
 Use 'password' to authenticate. If not used, 
 .B stdin
 will be used as input. Only the first 32 characters will be used.
 .TP
-.B -d device
-Use the TUN device 'device' instead of the normal one, which is dnsX on Linux
-and otherwise tunX.
+.B -z context
+Apply SELinux 'context' after initialization.
+.TP
+.B -F pidfile
+Create 'pidfile' and write process id in it.
+.SS Client Options:
+.TP
+.B -r
+Skip raw UDP mode. If not used, iodine will try getting the public IP address
+of the iodined host and test if it is reachable directly. If it is, traffic
+will be sent to the server instead of the DNS relay.
+.TP
+.B -m fragsize
+Force maximum downstream fragment size. Not setting this will cause the
+client to automatically probe the maximum accepted downstream fragment size.
+.TP
+.B -M namelen
+Maximum length of upstream hostnames, default 255.
+Usable range ca. 100 to 255.
+Use this option to scale back upstream bandwidth in favor of downstream
+bandwidth.
+Also useful for DNS servers that perform unreliably when using full-length
+hostnames, noticable when fragment size autoprobe returns very
+different results each time.
+.TP
+.B -T dnstype
+DNS request type override.
+By default, autodetection will probe for working DNS request types, and
+will select the request type that is expected to provide the most bandwidth.
+However, it may turn out that a DNS relay imposes limits that skew the
+picture, which may lead to an "unexpected" DNS request type providing
+more bandwidth.
+In that case, use this option to override the autodetection.
+In (expected) decreasing bandwidth order, the supported DNS request types are:
+.IR NULL ,
+.IR TXT ,
+.IR SRV ,
+.IR MX ,
+.I CNAME
+and
+.I A
+(returning CNAME).
+Note that
+.IR SRV ,
+.I MX
+and
+.I A
+may/will cause additional lookups by "smart" caching
+nameservers to get an actual IP address, which may either slow down or fail
+completely.
+.TP
+.B -O downenc
+Force downstream encoding type for all query type responses except NULL.
+Default is autodetected, but may not spot all problems for the more advanced
+codecs.
+Use this option to override the autodetection.
+.I Base32
+is the lowest-grade codec and should always work; this is used when
+autodetection fails.
+.I Base64
+provides more bandwidth, but may not work on all nameservers.
+.I Base64u
+is equal to Base64 except in using underscore ('_')
+instead of plus sign ('+'), possibly working where
+.I Base64
+does not.
+.I Base128
+uses high byte values (mostly accented letters in iso8859-1),
+which might work with some nameservers.
+For TXT queries,
+.I Raw
+will provide maximum performance, but this will only work if the nameserver
+path is fully 8-bit-clean for responses that are assumed to be "legible text".
+.TP
+.B -L 0|1
+Lazy-mode switch.
+\-L1 (default): Use lazy mode for improved performance and decreased latency.
+A very small minority of DNS relays appears to be unable to handle the
+lazy mode traffic pattern, resulting in no or very little data coming through.
+The iodine client will detect this and try to switch back to legacy mode,
+but this may not always work.
+In these situations use \-L0 to force running in legacy mode
+(implies \-I1).
+.TP
+.B -I interval
+Maximum interval between requests (pings) so that intermediate DNS
+servers will not time out. Default is 4 in lazy mode, which will work
+fine in most cases. When too many SERVFAIL errors occur, iodine
+will automatically reduce this to 1.
+To get absolute minimum DNS traffic,
+increase well above 4, but not so high that SERVFAIL errors start to occur.
+There are some DNS relays with very small timeouts,
+notably dnsadvantage.com (ultradns), that will give
+SERVFAIL errors even with \-I1; data will still get trough,
+and these errors can be ignored.
+Maximum useful value is 59, since iodined will close a client's
+connection after 60 seconds of inactivity.
 .SS Server Options:
 .TP
+.B -c
+Disable checking the client IP address on all incoming requests.
+By default, requests originating from non-matching IP adresses will be
+rejected, however this will cause problems when requests are routed
+via a cluster of DNS servers.
+.TP
+.B -s
+Don't try to configure IP address or MTU. 
+This should only be used if you have already configured the device that will be
+used.
+.TP
+.B -D
+Increase debug level. Level 1 prints info about each RX/TX packet.
+Implies the
+.B -f
+option.
+On level 2 (-DD) or higher, DNS queries will be printed literally.
+When using Base128 upstream encoding, this is best viewed as
+ISO Latin-1 text instead of (illegal) UTF-8.
+This is easily done with : "LC_ALL=C luit iodined -DD ..."
+(see luit(1)).
+.TP
 .B -m mtu
-Set 'mtu' as mtu size for the tunnel device. This will be sent to the client
-on connect, and the client will use the same mtu.
+Set 'mtu' as mtu size for the tun device. 
+This will be sent to the client on login, and the client will use the same mtu
+for its tun device.  Default 1130.  Note that the DNS traffic will be
+automatically fragmented when needed.
 .TP
 .B -l listen_ip
-Make the server listen only on 'listen_ip' instead of on 0.0.0.0 for incoming
-connections.
+Make the server listen only on 'listen_ip' for incoming requests.
+By default, incoming requests are accepted from all interfaces.
 .TP
 .B -p port
 Make the server listen on 'port' instead of 53 for traffic. 
 .B Note:
 You must make sure the dns requests are forwarded to this port yourself.
+.TP
+.B -n external_ip
+The IP address to return in NS responses. Default is to return the address used
+as destination in the query.
+.TP
+.B -b dnsport
+If this port is specified, all incoming requests not inside the tunnel domain
+will be forwarded to this port on localhost, to be handled by a real dns.
+.B Note:
+The forwarding is not fully transparent, and not advised for use
+in production environments.
 .SS Client Arguments:
 .TP
 .B nameserver
 The nameserver to use to relay the dns traffic. This can be any relaying
-nameserver  or the ip number of the server running iodined if reachable.
-Normally, you should specify a nameserver from your 
+nameserver or the server running iodined if reachable. This field can be
+given as an IP address, or as a hostname. This argument is optional, and 
+if not specified a nameserver will be read from the
 .I /etc/resolv.conf
 file.
 .TP
 .B topdomain
-The dns traffic will be sent as querys of type NULL for subdomains under
+The dns traffic will be sent as queries for subdomains under
 \'topdomain'. This is normally a subdomain to a domain you own. Use a short
 domain name to get better throughput. If 
 .B nameserver
@@ -106,80 +282,57 @@ is the iodined server, then the topdomain can be chosen freely. This argument
 must be the same on both the client and the server.
 .SS Server Arguments:
 .TP
-.B tunnel_ip
-This is the servers ip address on the tunnel interface. The client will be
+.B tunnel_ip[/netmask]
+This is the server's ip address on the tun interface. The client will be
 given the next ip number in the range. It is recommended to use the 
-10.0.0.0/8 or 172.16.0.0/12 ranges.
+10.0.0.0 or 172.16.0.0 ranges. The default netmask is /27, can be overriden
+by specifying it here. Using a smaller network will limit the number of
+concurrent users.
 .TP
 .B topdomain
-The dns traffic will is expected to be sent as querys of type NULL for 
+The dns traffic is expected to arrive as queries for
 subdomains under 'topdomain'. This is normally a subdomain to a domain you 
 own. Use a short domain name to get better throughput. This argument must be 
-the same on both the client and the server.
+the same on both the client and the server. Queries for domains other
+than 'topdomain' will be forwarded when the \-b option is given, otherwise
+they will be dropped.
 .SH EXAMPLES
-.SS Quickstart:
-.TP
-Try it out within your own LAN! Follow these simple steps:
-.TP
-- On your server, run: ./iodined -f 10.0.0.1 test.asdf
-(If you already use the 10.0.0.0 network, use another internal net like 
-172.16.0.0)
-.TP
-- Enter a password
-.TP
-- On the client, run: ./iodine -f 192.168.0.1 test.asdf
-(Replace 192.168.0.1 with the server's ip address)
-.TP
-- Enter the same password
-.TP
-- Now the client has the tunnel ip 10.0.0.2 and the server has 10.0.0.1
-.TP
-- Try pinging each other through the tunnel
-.TP
-- Done! :)
-.TP
-To actually use it through a relaying nameserver, see below.
-.SS Full setup:
-
-.TP
-.B Server side:
-To use this tunnel, you need control over a real domain (like mytunnel.com),
-and a server with a static public IP number that does not yet run a DNS
-server. Then, delegate a subdomain (say, tunnel1.mytunnel.com) to the server.
-If you use BIND for the domain, add these lines to the zone file (replace
-10.15.213.99 with your server ip):
-
-.nf
-tunnel1host	IN	A	10.15.213.99
-tunnel1		IN	NS	tunnel1host.mytunnel.com.
-.fi
-
-Now any DNS querys for domains ending with tunnel1.mytunnnel.com will be sent
-to your server. Start iodined on the server. The first argument is the tunnel
-IP address (like 192.168.99.1) and the second is the assigned domain (in this
-case tunnel1.mytunnel.com). The -f argument will keep iodined running in the
-foreground, which helps when testing. iodined will start a virtual interface,
-and also start listening for DNS queries on UDP port 53. Either enter a
-password on the commandline (-P pass) or after the server has started. Now 
-everything is ready for the client.
-.TP
-.B Client side: 
-All the setup is done, just start iodine. It also takes two
-arguments, the first is the local relaying DNS server and the second is the
-domain used (tunnel1.mytunnnel.com). If DNS queries are allowed to any
-computer, you can use the tunnel endpoint (example: 10.15.213.99 or
-tunnel1host.mytunnel.com) as the first argument. The tunnel interface will get
-an IP close to the servers (in this case 192.168.99.2) and a suitable MTU. 
-Enter the same password as on the server either by argument or after the client
-has started. Now you should be able to ping the other end of the tunnel from 
-either side.  
-.TP
-.B Routing:
-The normal case is to route all traffic through the DNS tunnel. To do this, first
-add a route to the nameserver you use with the default gateway as gateway. Then
-replace the default gateway with the servers IP address within the DNS tunnel,
-and configure the server to do NAT.
+See the README file for both a quick test scenario, and a detailed description
+of real-world deployment.
+.SH SECURITY
+Login is a relatively secure challenge-response MD5 hash, with the
+password never passing the wire.
+However, all other data is
+.B NOT
+encrypted in any way. The DNS traffic is also vulnerable to replay,
+injection and man-in-the-middle attacks, especially when iodined is used
+with the \-c option. Use of ssh or vpn tunneling is strongly recommended.
+On both server and client, use
+.IR iptables ,
+.I pf
+or other firewalls to block all traffic coming in from the tun interfaces,
+except to the used ssh or vpn ports.
+.SH ENVIRONMENT
+.SS IODINE_PASS
+If the environment variable
+.B IODINE_PASS
+is set, iodine will use the value it is set to as password instead of asking
+for one. The 
+.B -P
+option still has precedence.
+.SS IODINED_PASS
+If the environment variable
+.B IODINED_PASS
+is set, iodined will use the value it is set to as password instead of asking
+for one. The
+.B -P
+option still has precedence.
+.El
+.SH SEE ALSO
+The README file in the source distribution contains some more elaborate
+information.
 .SH BUGS
 File bugs at http://dev.kryo.se/iodine/
 .SH AUTHORS
-Erik Ekman <yarrick@kryo.se> and Bjorn Andersson <flex@kryo.se>
+Erik Ekman <yarrick@kryo.se> and Bjorn Andersson <flex@kryo.se>. Major
+contributions by Anne Bezemer.

src/Makefile

@@ -1,17 +1,17 @@
-CC = gcc
-COMMONOBJS = tun.o dns.o read.o encoding.o login.o base32.o base64.o md5.o common.o
-CLIENTOBJS = iodine.o
+COMMONOBJS = tun.o dns.o read.o encoding.o login.o base32.o base64.o base64u.o base128.o md5.o common.o
+CLIENTOBJS = iodine.o client.o util.o
 CLIENT = ../bin/iodine
-SERVEROBJS = iodined.o user.o
+SERVEROBJS = iodined.o user.o fw_query.o
 SERVER = ../bin/iodined
 
-OS = `uname | tr "a-z" "A-Z"`
+OS = `echo $(TARGETOS) | tr "a-z" "A-Z"`
 ARCH = `uname -m`
 
-LDFLAGS =  -lz
-CFLAGS = -c -g -Wall -D$(OS) -pedantic
+LIBPATH = -L.
+LDFLAGS +=  -lz `sh osflags $(TARGETOS) link` $(LIBPATH)
+CFLAGS += -c -g -Wall -D$(OS) -pedantic `sh osflags $(TARGETOS) cflags`
 
-all: stateos $(CLIENT) $(SERVER) $(TESTSUITE) 
+all: stateos $(CLIENT) $(SERVER)
 
 stateos:
 	@echo OS is $(OS), arch is $(ARCH)
@@ -30,7 +30,17 @@ $(SERVER): $(COMMONOBJS) $(SERVEROBJS)
 	@echo CC $<
 	@$(CC) $(CFLAGS) $< -o $@
 
+base64u.o client.o iodined.o: base64u.h
+base64u.c: base64.c
+	@echo Making $@
+	@echo '/* No use in editing, produced by Makefile! */' > $@
+	@sed -e 's/\([Bb][Aa][Ss][Ee]64\)/\1u/g ; s/0123456789+/0123456789_/' < base64.c >> $@
+base64u.h: base64.h
+	@echo Making $@
+	@echo '/* No use in editing, produced by Makefile! */' > $@
+	@sed -e 's/\([Bb][Aa][Ss][Ee]64\)/\1u/g ; s/0123456789+/0123456789_/' < base64.h >> $@
+
 clean:
 	@echo "Cleaning src/"
-	@rm -f $(CLIENT) $(SERVER) *~ *.o *.core
+	@rm -f $(CLIENT){,.exe} $(SERVER){,.exe} *~ *.o *.core base64u.*
 

src/base128.c

@@ -0,0 +1,291 @@
+/*
+ * Copyright (C) 2009 J.A.Bezemer@opensourcepartners.nl
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * raw	76543210 76543210 76543210 76543210 76543210 76543210 76543210
+ * enc	65432106 54321065 43210654 32106543 21065432 10654321 06543210
+ *	^      ^       ^       ^       ^       ^       ^       ^
+ *
+ *	0001 1  0001 1
+ *	0011 3  0011 3
+ *	0111 7  0111 7
+ *	1111 f  0110 6
+ *	1110 e  0100 4
+ *	1100 c
+ *	1000 8
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "encoding.h"
+#include "base128.h"
+
+#define BLKSIZE_RAW 7
+#define BLKSIZE_ENC 8
+
+/* Don't use '-' (restricted to middle of labels), prefer iso_8859-1
+ * accent chars since they might readily be entered in normal use,
+ * don't use 254-255 because of possible function overloading in DNS systems.
+ */
+static const unsigned char cb128[] = 
+	"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	"\274\275\276\277"
+	"\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317"
+	"\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337"
+	"\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357"
+	"\360\361\362\363\364\365\366\367\370\371\372\373\374\375";
+static unsigned char rev128[256];
+static int reverse_init = 0;
+
+static int base128_encode(char *, size_t *, const void *, size_t);
+static int base128_decode(void *, size_t *, const char *, size_t);
+static int base128_handles_dots();
+static int base128_blksize_raw();
+static int base128_blksize_enc();
+
+static struct encoder base128_encoder =
+{
+	"Base128",
+	base128_encode,
+	base128_decode,
+	base128_handles_dots,
+	base128_handles_dots,
+	base128_blksize_raw,
+	base128_blksize_enc
+};
+
+struct encoder
+*get_base128_encoder()
+{
+	return &base128_encoder;
+}
+
+static int 
+base128_handles_dots()
+{
+	return 0;
+}
+
+static int 
+base128_blksize_raw()
+{
+	return BLKSIZE_RAW;
+}
+
+static int 
+base128_blksize_enc()
+{
+	return BLKSIZE_ENC;
+}
+
+inline static void
+base128_reverse_init()
+{
+	int i;
+	unsigned char c;
+
+	if (!reverse_init) {
+		memset (rev128, 0, 256);
+		for (i = 0; i < 128; i++) {
+			c = cb128[i];
+			rev128[(int) c] = i;
+		}
+		reverse_init = 1;
+	}
+}
+
+static int 
+base128_encode(char *buf, size_t *buflen, const void *data, size_t size)
+/*
+ * Fills *buf with max. *buflen characters, encoding size bytes of *data.
+ *
+ * NOTE: *buf space should be at least 1 byte _more_ than *buflen
+ * to hold the trailing '\0'.
+ *
+ * return value    : #bytes filled in buf   (excluding \0)
+ * sets *buflen to : #bytes encoded from data
+ */
+{
+	unsigned char *ubuf = (unsigned char *) buf;
+	unsigned char *udata = (unsigned char *) data;
+	int iout = 0;	/* to-be-filled output char */
+	int iin = 0;	/* one more than last input byte that can be
+			   successfully decoded */
+
+	/* Note: Don't bother to optimize manually. GCC optimizes
+	   better(!) when using simplistic array indexing. */
+
+	while (1) {
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[((udata[iin] & 0xfe) >> 1)];
+		iout++;
+
+		if (iout >= *buflen || iin >= size) {
+			iout--; 	/* previous char is useless */
+			break;
+		}
+		ubuf[iout] = cb128[((udata[iin] & 0x01) << 6) |
+				   ((iin + 1 < size) ?
+				    ((udata[iin + 1] & 0xfc) >> 2) : 0)];
+		iin++;			/* 0 complete, iin=1 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[((udata[iin] & 0x03) << 5) |
+				   ((iin + 1 < size) ?
+				    ((udata[iin + 1] & 0xf8) >> 3) : 0)];
+		iin++;			/* 1 complete, iin=2 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[((udata[iin] & 0x07) << 4) |
+				   ((iin + 1 < size) ?
+				    ((udata[iin + 1] & 0xf0) >> 4) : 0)];
+		iin++;			/* 2 complete, iin=3 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[((udata[iin] & 0x0f) << 3) |
+				   ((iin + 1 < size) ?
+				    ((udata[iin + 1] & 0xe0) >> 5) : 0)];
+		iin++;			/* 3 complete, iin=4 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[((udata[iin] & 0x1f) << 2) |
+				   ((iin + 1 < size) ?
+				    ((udata[iin + 1] & 0xc0) >> 6) : 0)];
+		iin++;			/* 4 complete, iin=5 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[((udata[iin] & 0x3f) << 1) |
+				   ((iin + 1 < size) ?
+				    ((udata[iin + 1] & 0x80) >> 7) : 0)];
+		iin++;			/* 5 complete, iin=6 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		ubuf[iout] = cb128[(udata[iin] & 0x7f)];
+		iin++;			/* 6 complete, iin=7 */
+		iout++;
+	}
+
+	ubuf[iout] = '\0';
+
+	/* store number of bytes from data that was used */
+	*buflen = iin;
+
+	return iout;
+}
+
+#define REV128(x) rev128[(int) (x)]
+
+static int
+base128_decode(void *buf, size_t *buflen, const char *str, size_t slen)
+/*
+ * Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
+ * Decoding stops early when *str contains \0.
+ * Illegal encoded chars are assumed to decode to zero.
+ *
+ * NOTE: *buf space should be at least 1 byte _more_ than *buflen
+ * to hold a trailing '\0' that is added (though *buf will usually
+ * contain full-binary data).
+ *
+ * return value    : #bytes filled in buf   (excluding \0)
+ */
+{
+	unsigned char *ustr = (unsigned char *) str;
+	unsigned char *ubuf = (unsigned char *) buf;
+	int iout = 0;	/* to-be-filled output byte */
+	int iin = 0;	/* next input char to use in decoding */
+
+	base128_reverse_init ();
+
+	/* Note: Don't bother to optimize manually. GCC optimizes
+	   better(!) when using simplistic array indexing. */
+
+	while (1) {
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x7f) << 1) | 
+			     ((REV128(ustr[iin + 1]) & 0x40) >> 6);
+		iin++;  		/* 0 used up, iin=1 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x3f) << 2) |
+			     ((REV128(ustr[iin + 1]) & 0x60) >> 5);
+		iin++;  		/* 1 used up, iin=2 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x1f) << 3) |
+			     ((REV128(ustr[iin + 1]) & 0x70) >> 4);
+		iin++;  		/* 2 used up, iin=3 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x0f) << 4) |
+			     ((REV128(ustr[iin + 1]) & 0x78) >> 3);
+		iin++;  		/* 3 used up, iin=4 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x07) << 5) |
+			     ((REV128(ustr[iin + 1]) & 0x7c) >> 2);
+		iin++;  		/* 4 used up, iin=5 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x03) << 6) |
+			     ((REV128(ustr[iin + 1]) & 0x7e) >> 1);
+		iin++;  		/* 5 used up, iin=6 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV128(ustr[iin]) & 0x01) << 7) |
+			     ((REV128(ustr[iin + 1]) & 0x7f));
+		iin += 2;  		/* 6,7 used up, iin=8 */
+		iout++;
+	}
+
+	ubuf[iout] = '\0';
+
+	return iout;
+}

src/base128.h

@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2009 J.A.Bezemer@opensourcepartners.nl
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __BASE128_H__
+#define __BASE128_H__
+
+struct encoder *get_base128_encoder(void);
+
+#endif

src/base32.c

@@ -1,5 +1,6 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Mostly rewritten 2009 J.A.Bezemer@opensourcepartners.nl
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -21,18 +22,31 @@
 #include "encoding.h"
 #include "base32.h"
 
+#define BLKSIZE_RAW 5
+#define BLKSIZE_ENC 8
+
 static const char cb32[] = 
-	"abcdefghijklmnopqrstuvwxyz0123456789";
-static unsigned char rev32[128];
+	"abcdefghijklmnopqrstuvwxyz012345";
+static const char cb32_ucase[] = 
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZ012345";
+static unsigned char rev32[256];
 static int reverse_init = 0;
 
+static int base32_encode(char *, size_t *, const void *, size_t);
+static int base32_decode(void *, size_t *, const char *, size_t);
+static int base32_handles_dots();
+static int base32_blksize_raw();
+static int base32_blksize_enc();
+
 static struct encoder base32_encoder =
 {
-	"BASE32",
+	"Base32",
 	base32_encode,
 	base32_decode,
 	base32_handles_dots,
-	base32_handles_dots
+	base32_handles_dots,
+	base32_blksize_raw,
+	base32_blksize_enc
 };
 
 struct encoder
@@ -41,137 +55,216 @@ struct encoder
 	return &base32_encoder;
 }
 
-int 
+static int 
 base32_handles_dots()
 {
 	return 0;
 }
 
-int 
-base32_encode(char *buf, size_t *buflen, const void *data, size_t size)
+static int 
+base32_blksize_raw()
+{
+	return BLKSIZE_RAW;
+}
+
+static int 
+base32_blksize_enc()
+{
+	return BLKSIZE_ENC;
+}
+
+inline static void
+base32_reverse_init()
 {
-	size_t newsize;
-	size_t maxsize;
-	unsigned char *s;
-	unsigned char *p;
-	unsigned char *q;
 	int i;
-
-	memset(buf, 0, *buflen);
-
-	/* how many chars can we encode within the buf */
-	maxsize = 5 * (*buflen / 8 - 1) - 1;
-	/* how big will the encoded data be */
-	newsize = 8 * (size / 5 + 1) + 1;
-	/* if the buffer is too small, eat some of the data */
-	if (*buflen < newsize) {
-		size = maxsize;
-	}
-
-	p = s = (unsigned char *) buf;
-	q = (unsigned char *)data;
-
-	for(i=0;i<size;i+=5) {
-		p[0] = cb32[((q[0] & 0xf8) >> 3)];
-		p[1] = cb32[(((q[0] & 0x07) << 2) | ((q[1] & 0xc0) >> 6))];
-		p[2] = (i+1 < size) ? cb32[((q[1] & 0x3e) >> 1)] : '\0';
-		p[3] = (i+1 < size) ? cb32[((q[1] & 0x01) << 4) | ((q[2] & 0xf0) >> 4)] : '\0';
-		p[4] = (i+2 < size) ? cb32[((q[2] & 0x0f) << 1) | ((q[3] & 0x80) >> 7)] : '\0';
-		p[5] = (i+3 < size) ? cb32[((q[3] & 0x7c) >> 2)] : '\0';
-		p[6] = (i+3 < size) ? cb32[((q[3] & 0x03) << 3) | ((q[4] & 0xe0) >> 5)] : '\0';
-		p[7] = (i+4 < size) ? cb32[((q[4] & 0x1f))] : '\0';
-		
-		q += 5;
-		p += 8;
-	}	
-	*p = 0;
-
-	/* store number of bytes from data that was used */
-	*buflen = size;
-
-	return strlen(buf) - 1;
-}
-
-#define DECODE_ERROR 0xffffffff
-#define REV32(x) rev32[(int) (x)]
-
-static int
-decode_token(const unsigned char *t, unsigned char *data, size_t len) 
-{
-	if (len < 2)
-		return 0;
-
-	data[0] = ((REV32(t[0]) & 0x1f) << 3) | 
-			  ((REV32(t[1]) & 0x1c) >> 2);
-	
-	if (len < 4)
-		return 1;
-
-	data[1] = ((REV32(t[1]) & 0x03) << 6) | 
-			  ((REV32(t[2]) & 0x1f) << 1) | 
-			  ((REV32(t[3]) & 0x10) >> 4);
-
-	if (len < 5)
-		return 2;
-
-	data[2] = ((REV32(t[3]) & 0x0f) << 4) |
-			  ((REV32(t[4]) & 0x1e) >> 1);
-
-	if (len < 7)
-		return 3;
-
-	data[3] = ((REV32(t[4]) & 0x01) << 7) |
-			  ((REV32(t[5]) & 0x1f) << 2) |
-			  ((REV32(t[6]) & 0x18) >> 3);
-
-	if (len < 8)
-		return 4;
-
-	data[4] = ((REV32(t[6]) & 0x07) << 5) |
-			  ((REV32(t[7]) & 0x1f));
-
-	return 5;
-}
-
-int
-base32_decode(void *buf, size_t *buflen, const char *str, size_t slen)
-{
-	unsigned char *q;
-	size_t newsize;
-	size_t maxsize;
-	const char *p;
 	unsigned char c;
-	int len;
-	int i;
 
 	if (!reverse_init) {
+		memset (rev32, 0, 256);
 		for (i = 0; i < 32; i++) {
 			c = cb32[i];
 			rev32[(int) c] = i;
+			c = cb32_ucase[i];
+			rev32[(int) c] = i;
 		}
 		reverse_init = 1;
 	}
-	
-	/* chars needed to decode slen */
-	newsize = 5 * (slen / 8 + 1) + 1;
-	/* encoded chars that fit in buf */
-	maxsize = 8 * (*buflen / 5 + 1) + 1;
-	/* if the buffer is too small, eat some of the data */
-	if (*buflen < newsize) {
-		slen = maxsize;
-	}
-
-	q = buf;
-	for (p = str; *p && strchr(cb32, *p); p += 8) {
-		len = decode_token((unsigned char *) p, (unsigned char *) q, slen);	
-		q += len;
-		slen -= 8;
-		
-		if (len < 5)
-			break;
-	}
-	*q = '\0';
-	
-	return q - (unsigned char *) buf;
 }
 
+int
+b32_5to8(int in)
+{
+	return cb32[in & 31];
+}
+
+int
+b32_8to5(int in)
+{
+	base32_reverse_init();
+	return rev32[in];
+}
+
+static int 
+base32_encode(char *buf, size_t *buflen, const void *data, size_t size)
+/*
+ * Fills *buf with max. *buflen characters, encoding size bytes of *data.
+ *
+ * NOTE: *buf space should be at least 1 byte _more_ than *buflen
+ * to hold the trailing '\0'.
+ *
+ * return value    : #bytes filled in buf   (excluding \0)
+ * sets *buflen to : #bytes encoded from data
+ */
+{
+	unsigned char *udata = (unsigned char *) data;
+	int iout = 0;	/* to-be-filled output char */
+	int iin = 0;	/* one more than last input byte that can be
+			   successfully decoded */
+
+	/* Note: Don't bother to optimize manually. GCC optimizes
+	   better(!) when using simplistic array indexing. */
+
+	while (1) {
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb32[((udata[iin] & 0xf8) >> 3)];
+		iout++;
+
+		if (iout >= *buflen || iin >= size) {
+			iout--; 	/* previous char is useless */
+			break;
+		}
+		buf[iout] = cb32[((udata[iin] & 0x07) << 2) |
+				  ((iin + 1 < size) ?
+				   ((udata[iin + 1] & 0xc0) >> 6) : 0)];
+		iin++;			/* 0 complete, iin=1 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb32[((udata[iin] & 0x3e) >> 1)];
+		iout++;
+
+		if (iout >= *buflen || iin >= size) {
+			iout--;		/* previous char is useless */
+			break;
+		}
+		buf[iout] = cb32[((udata[iin] & 0x01) << 4) |
+				  ((iin + 1 < size) ?
+				   ((udata[iin + 1] & 0xf0) >> 4) : 0)];
+		iin++;			/* 1 complete, iin=2 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb32[((udata[iin] & 0x0f) << 1) |
+				  ((iin + 1 < size) ?
+				   ((udata[iin + 1] & 0x80) >> 7) : 0)];
+		iin++;			/* 2 complete, iin=3 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb32[((udata[iin] & 0x7c) >> 2)];
+		iout++;
+
+		if (iout >= *buflen || iin >= size) {
+			iout--;		/* previous char is useless */
+			break;
+		}
+		buf[iout] = cb32[((udata[iin] & 0x03) << 3) |
+				  ((iin + 1 < size) ?
+				   ((udata[iin + 1] & 0xe0) >> 5) : 0)];
+		iin++;			/* 3 complete, iin=4 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb32[((udata[iin] & 0x1f))];
+		iin++;			/* 4 complete, iin=5 */
+		iout++;
+	}
+
+	buf[iout] = '\0';
+
+	/* store number of bytes from data that was used */
+	*buflen = iin;
+
+	return iout;
+}
+
+#define REV32(x) rev32[(int) (x)]
+
+static int
+base32_decode(void *buf, size_t *buflen, const char *str, size_t slen)
+/*
+ * Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
+ * Decoding stops early when *str contains \0.
+ * Illegal encoded chars are assumed to decode to zero.
+ *
+ * NOTE: *buf space should be at least 1 byte _more_ than *buflen
+ * to hold a trailing '\0' that is added (though *buf will usually
+ * contain full-binary data).
+ *
+ * return value    : #bytes filled in buf   (excluding \0)
+ */
+{
+	unsigned char *ubuf = (unsigned char *) buf;
+	int iout = 0;	/* to-be-filled output byte */
+	int iin = 0;	/* next input char to use in decoding */
+
+	base32_reverse_init ();
+
+	/* Note: Don't bother to optimize manually. GCC optimizes
+	   better(!) when using simplistic array indexing. */
+
+	while (1) {
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV32(str[iin]) & 0x1f) << 3) | 
+			     ((REV32(str[iin + 1]) & 0x1c) >> 2);
+		iin++;  		/* 0 used up, iin=1 */
+		iout++;
+
+		if (iout >= *buflen || iin + 2 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0' ||
+		    str[iin + 2] == '\0')
+			break;
+		ubuf[iout] = ((REV32(str[iin]) & 0x03) << 6) | 
+			     ((REV32(str[iin + 1]) & 0x1f) << 1) | 
+			     ((REV32(str[iin + 2]) & 0x10) >> 4);
+		iin += 2;  		/* 1,2 used up, iin=3 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV32(str[iin]) & 0x0f) << 4) |
+			     ((REV32(str[iin + 1]) & 0x1e) >> 1);
+		iin++;  		/* 3 used up, iin=4 */
+		iout++;
+
+		if (iout >= *buflen || iin + 2 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0' ||
+		    str[iin + 2] == '\0')
+			break;
+		ubuf[iout] = ((REV32(str[iin]) & 0x01) << 7) |
+			     ((REV32(str[iin + 1]) & 0x1f) << 2) |
+			     ((REV32(str[iin + 2]) & 0x18) >> 3);
+		iin += 2;  		/* 4,5 used up, iin=6 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV32(str[iin]) & 0x07) << 5) |
+			     ((REV32(str[iin + 1]) & 0x1f));
+		iin += 2;  		/* 6,7 used up, iin=8 */
+		iout++;
+	}
+
+	ubuf[iout] = '\0';
+
+	return iout;
+}

src/base32.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,8 +18,7 @@
 #define __BASE32_H__
 
 struct encoder *get_base32_encoder(void);
-int base32_handles_dots();
-int base32_encode(char *, size_t *, const void *, size_t);
-int base32_decode(void *, size_t *, const char *, size_t);
 
+int b32_5to8(int);
+int b32_8to5(int);
 #endif

src/base64.c

@@ -1,5 +1,6 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Mostly rewritten 2009 J.A.Bezemer@opensourcepartners.nl
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,26 +20,33 @@
 #include <string.h>
 
 #include "encoding.h"
-#include "common.h"
 #include "base64.h"
 
+#define BLKSIZE_RAW 3
+#define BLKSIZE_ENC 4
+
+/* Note: the "unofficial" char is last here, which means that the \377 pattern
+   in DOWNCODECCHECK1 ('Y' request) will properly test it. */
 static const char cb64[] = 
-	"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789.";
-static unsigned char rev64[128];
+	"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789+";
+static unsigned char rev64[256];
 static int reverse_init = 0;
 
-#define REV64(x) rev64[(int) (x)]
-#define MODE 	(cb64[62])
-#define P62	(cb64[62])
-#define P63	(cb64[63])
+static int base64_encode(char *, size_t *, const void *, size_t);
+static int base64_decode(void *, size_t *, const char *, size_t);
+static int base64_handles_dots();
+static int base64_blksize_raw();
+static int base64_blksize_enc();
 
 static struct encoder base64_encoder =
 {
-	"BASE64",
+	"Base64",
 	base64_encode,
 	base64_decode,
 	base64_handles_dots,
-	base64_handles_dots
+	base64_handles_dots,
+	base64_blksize_raw,
+	base64_blksize_enc
 };
 
 struct encoder
@@ -47,292 +55,151 @@ struct encoder
 	return &base64_encoder;
 }
 
-int 
+static int 
 base64_handles_dots()
 {
 	return 0;
 }
 
-static void
-findesc(int *count, unsigned char *esc, char c1, char c2, char c3, char c4)
+static int 
+base64_blksize_raw()
 {
-	int min1 = 0;
-	int min2 = 0;
-
-	int num1 = 0xFF; /* a very big number */
-	int num2 = 0xFE; /* a nearly as big number */
-
-	int i;
-
-	/* check if no more escapes needed */
-	if (count[62] == 0 && count[63] == 0) {
-		esc[0] = MODE;
-		esc[1] = MODE;
-		return;
-	}
-
-	for (i = 0; i < 62; i++) {
-		if (i == c1 || i == c2 || i == c3 || i == c4) {
-			continue;
-		}
-
-		if (count[i] < num1) {
-			min2 = min1;
-			num2 = num1;
-			min1 = i;
-			num1 = count[i];
-		} else if (count[i] < num2) {
-			min2 = i;
-			num2 = count[i];
-		}
-	}
-
-	esc[0] = cb64[min1];
-	esc[1] = cb64[min2];
-}
-	
-static void
-escape_chars(char *buf, size_t buflen)
-{
-	int counter[64];
-	int escapes;
-	int reset;
-	int i;
-	unsigned char temp[4096];
-	unsigned char *r;
-	unsigned char *w;
-	unsigned char *e;
-	unsigned char esc[2];
-
-	memset(counter, 0, sizeof(counter));
-	esc[0] = P62;
-	esc[1] = P63;
-
-	/* first, find the number of times each token is used */
-	r = (unsigned char *) buf;
-	w = temp;
-	while (*r) {
-		counter[REV64(*r)]++;
-		*w++ = *r++;
-	}
-
-	/* check if work needed */
-	if (counter[62] == 0 && counter[63] == 0)
-		return;
-	
-	r = temp;
-	w = (unsigned char *) buf;
-	reset = 1;
-	escapes = 0;
-	/* check a block for esc chars */
-	while (*r) {
-		if (reset == 0 && escapes == 0 && (
-		    r[0] == esc[0] || r[1] == esc[0] ||r[2] == esc[0] ||r[2] == esc[0] ||
-		    r[0] == esc[1] || r[1] == esc[1] ||r[2] == esc[1] ||r[2] == esc[1])) {
-			/* last set of escape chars were unused.
-			 * if we reset last escape switch then maybe we dont have to switch now */
-
-			/* change the latest escape switch to 999 (RESET) */
-			e[1] = MODE;
-			e[2] = MODE;
-			 
-			/* store default esc chars */
-			esc[0] = P62;
-			esc[1] = P63;
-
-			reset = 1;
-		}
-		/* these two if blocks can not be combined because a block can contain both
-		 * char 9 and/or . and the current escape chars. */
-		if (r[0] == esc[0] || r[1] == esc[0] ||r[2] == esc[0] ||r[2] == esc[0] ||
-		    r[0] == esc[1] || r[1] == esc[1] ||r[2] == esc[1] ||r[2] == esc[1]) {
-			/* switch escape chars */
-			escapes = 0;
-			reset = 0;
-
-			/* find 2 suitable escape chars */
-			findesc(counter, esc, REV64(r[0]), REV64(r[1]), REV64(r[2]), REV64(r[3]));
-
-			/* store escape switch position */
-			e = w;
-
-			/* write new escape chars */
-			*w++ = MODE;
-			*w++ = esc[0];
-			*w++ = esc[1];
-		}
-		
-		/* update counter on remaining chars */
-		for (i = 0; i < 4; i++) {
-			if (r[i])
-				counter[REV64(r[i])]--;
-		}
-
-		/* do the escaping */
-		for (i = 0; i < 4; i++) {
-			if (r[i] == P62) {
-				r[i] = esc[0];
-				escapes++;
-			} else if (r[i] == P63) {
-				r[i] = esc[1];
-				escapes++;
-			}
-		}	
-		
-		/* copy back to buf */
-		*w++ = *r++;
-		*w++ = *r++;
-		*w++ = *r++;
-		*w++ = *r++;
-	}
+	return BLKSIZE_RAW;
 }
 
-int 
-base64_encode(char *buf, size_t *buflen, const void *data, size_t size)
+static int 
+base64_blksize_enc()
 {
-	size_t newsize;
-	size_t maxsize;
+	return BLKSIZE_ENC;
+}
+
+inline static void
+base64_reverse_init()
+{
+	int i;
 	unsigned char c;
-	unsigned char *s;
-	unsigned char *p;
-	unsigned char *q;
-	int i;
 
-	memset(buf, 0, *buflen);
-	
 	if (!reverse_init) {
+		memset (rev64, 0, 256);
 		for (i = 0; i < 64; i++) {
 			c = cb64[i];
 			rev64[(int) c] = i;
 		}
 		reverse_init = 1;
 	}
+}
 
-	/* how many chars can we encode within the buf */
-	maxsize = 3 * (*buflen / 4 - 1) - 1;
-	/* how big will the encoded data be */
-	newsize = 4 * (size / 3 + 1) + 1;
-	/* if the buffer is too small, eat some of the data */
-	if (*buflen < newsize) {
-		size = maxsize;
+static int 
+base64_encode(char *buf, size_t *buflen, const void *data, size_t size)
+/*
+ * Fills *buf with max. *buflen characters, encoding size bytes of *data.
+ *
+ * NOTE: *buf space should be at least 1 byte _more_ than *buflen
+ * to hold the trailing '\0'.
+ *
+ * return value    : #bytes filled in buf   (excluding \0)
+ * sets *buflen to : #bytes encoded from data
+ */
+{
+	unsigned char *udata = (unsigned char *) data;
+	int iout = 0;	/* to-be-filled output char */
+	int iin = 0;	/* one more than last input byte that can be
+			   successfully decoded */
+
+	/* Note: Don't bother to optimize manually. GCC optimizes
+	   better(!) when using simplistic array indexing. */
+
+	while (1) {
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb64[((udata[iin] & 0xfc) >> 2)];
+		iout++;
+
+		if (iout >= *buflen || iin >= size) {
+			iout--;		/* previous char is useless */
+			break;
+		}
+		buf[iout] = cb64[((udata[iin] & 0x03) << 4) |
+				  ((iin + 1 < size) ?
+				   ((udata[iin + 1] & 0xf0) >> 4) : 0)];
+		iin++;			/* 0 complete, iin=1 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb64[((udata[iin] & 0x0f) << 2 ) |
+				  ((iin + 1 < size) ?
+				   ((udata[iin + 1] & 0xc0) >> 6) : 0)];
+		iin++;			/* 1 complete, iin=2 */
+		iout++;
+
+		if (iout >= *buflen || iin >= size)
+			break;
+		buf[iout] = cb64[(udata[iin] & 0x3f)];
+		iin++;			/* 2 complete, iin=3 */
+		iout++;
 	}
 
-	p = s = (unsigned char *) buf;
-	q = (unsigned char *)data;
-
-	for(i=0;i<size;i+=3) {
-		p[0] = cb64[((q[0] & 0xfc) >> 2)];
-		p[1] = cb64[(((q[0] & 0x03) << 4) | ((q[1] & 0xf0) >> 4))];
-		p[2] = (i+1 < size) ? cb64[((q[1] & 0x0f) << 2 ) | ((q[2] & 0xc0) >> 6)] : '\0';
-		p[3] = (i+2 < size) ? cb64[(q[2] & 0x3f)] : '\0';
-		
-		q += 3;
-		p += 4;
-	}	
-	*p = 0;
-
-	escape_chars(buf, *buflen);
+	buf[iout] = '\0';
 
 	/* store number of bytes from data that was used */
-	*buflen = size;
+	*buflen = iin;
 
-	return strlen(buf) - 1;
+	return iout;
 }
 
-#define DECODE_ERROR 0xffffffff
+#define REV64(x) rev64[(int) (x)]
 
 static int
-decode_token(const unsigned char *t, unsigned char *data, size_t len) 
-{
-	if (len < 2)
-		return 0;
-
-	data[0] = ((REV64(t[0]) & 0x3f) << 2) | 
-			  ((REV64(t[1]) & 0x30) >> 4);
-
-	if (len < 3)
-		return 1;
-
-	data[1] = ((REV64(t[1]) & 0x0f) << 4) | 
-			  ((REV64(t[2]) & 0x3c) >> 2);
-
-	if (len < 4)
-		return 2;
-
-	data[2] = ((REV64(t[2]) & 0x03) << 6) |
-			  (REV64(t[3]) & 0x3f);
-
-	return 3;
-}
-
-int
 base64_decode(void *buf, size_t *buflen, const char *str, size_t slen)
+/*
+ * Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
+ * Decoding stops early when *str contains \0.
+ * Illegal encoded chars are assumed to decode to zero.
+ *
+ * NOTE: *buf space should be at least 1 byte _more_ than *buflen
+ * to hold a trailing '\0' that is added (though *buf will usually
+ * contain full-binary data).
+ *
+ * return value    : #bytes filled in buf   (excluding \0)
+ */
 {
-	unsigned char *q;
-	size_t newsize;
-	size_t maxsize;
-	const char *p;
-	unsigned char c;
-	unsigned char block[4];
-	unsigned char prot62;
-	unsigned char prot63;
-	int len;
-	int i;
+	unsigned char *ubuf = (unsigned char *) buf;
+	int iout = 0;	/* to-be-filled output byte */
+	int iin = 0;	/* next input char to use in decoding */
 
-	if (!reverse_init) {
-		for (i = 0; i < 64; i++) {
-			c = cb64[i];
-			rev64[(int) c] = i;
-		}
-		reverse_init = 1;
-	}
-	
-	/* chars needed to decode slen */
-	newsize = 3 * (slen / 4 + 1) + 1;
-	/* encoded chars that fit in buf */
-	maxsize = 4 * (*buflen / 3 + 1) + 1;
-	/* if the buffer is too small, eat some of the data */
-	if (*buflen < newsize) {
-		slen = maxsize;
-	}
-	
-	prot62 = P62;
-	prot63 = P63;
+	base64_reverse_init ();
 
-	q = buf;
-	for (p = str; *p; p += 4) {
-		/* handle escape instructions */
-		if (*p == MODE) {
-			p++;
-			if (p[0] == MODE && p[1] == MODE) {
-				/* reset escape chars */
-				prot62 = P62;
-				prot63 = P63;
-				
-				p += 2;
-			} else {
-				prot62 = *p++;
-				prot63 = *p++;
-			}
-		}
-		/* since the str is const, we unescape in another buf */
-		for (i = 0; i < 4; i++) {
-			block[i] = p[i];
-			if (prot62 == block[i]) {
-				block[i] = P62;
-			} else if (prot63 == block[i]) {
-				block[i] = P63;
-			}
-		}
-		len = decode_token(block, (unsigned char *) q, slen);	
-		q += len;
-		slen -= 4;
-		
-		if (len < 3)
+	/* Note: Don't bother to optimize manually. GCC optimizes
+	   better(!) when using simplistic array indexing. */
+
+	while (1) {
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
 			break;
-	}
-	*q = '\0';
-	
-	return q - (unsigned char *) buf;
-}
+		ubuf[iout] = ((REV64(str[iin]) & 0x3f) << 2) | 
+			     ((REV64(str[iin + 1]) & 0x30) >> 4);
+		iin++;  		/* 0 used up, iin=1 */
+		iout++;
 
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV64(str[iin]) & 0x0f) << 4) | 
+			     ((REV64(str[iin + 1]) & 0x3c) >> 2);
+		iin++;  		/* 1 used up, iin=2 */
+		iout++;
+
+		if (iout >= *buflen || iin + 1 >= slen ||
+		    str[iin] == '\0' || str[iin + 1] == '\0')
+			break;
+		ubuf[iout] = ((REV64(str[iin]) & 0x03) << 6) |
+			     (REV64(str[iin + 1]) & 0x3f);
+		iin += 2;  		/* 2,3 used up, iin=4 */
+		iout++;
+	}
+
+	ubuf[iout] = '\0';
+
+	return iout;
+}

src/base64.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,8 +18,5 @@
 #define __BASE64_H__
 
 struct encoder *get_base64_encoder(void);
-int base64_handles_dots();
-int base64_encode(char *, size_t *, const void *, size_t);
-int base64_decode(void *, size_t *, const char *, size_t);
 
 #endif

src/client.h

@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __CLIENT_H__
+#define __CLIENT_H__
+
+void client_init();
+void client_stop();
+
+enum connection client_get_conn();
+const char *client_get_raw_addr();
+
+void client_set_nameserver(const char *cp, int port);
+void client_set_topdomain(const char *cp);
+void client_set_password(const char *cp);
+void set_qtype(char *qtype);
+char *get_qtype();
+void set_downenc(char *encoding);
+void client_set_selecttimeout(int select_timeout);
+void client_set_lazymode(int lazy_mode);
+void client_set_hostname_maxlen(int i);
+
+int client_handshake(int dns_fd, int raw_mode, int autodetect_frag_size, int fragsize);
+int client_tunnel(int tun_fd, int dns_fd);
+
+#endif

src/common.c

@@ -1,4 +1,5 @@
-/* Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+/* Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2007 Albert Lee <trisk@acm.jhu.edu>.
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -13,14 +14,9 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#include <netinet/in.h>
-#ifdef DARWIN
-#include <arpa/nameser8_compat.h>
-#endif
 #include <time.h>
-#include <err.h>
+#include <sys/types.h>
+#include <sys/param.h>
 #include <sys/stat.h>
 #include <stdio.h>
 #include <stdint.h>
@@ -29,14 +25,97 @@
 #include <unistd.h>
 #include <string.h>
 #include <ctype.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#ifdef WINDOWS32
+#include <winsock2.h>
+#include <conio.h>
+#else
+#include <arpa/nameser.h>
+#ifdef DARWIN
+#define BIND_8_COMPAT
+#include <arpa/nameser_compat.h>
+#endif
+#include <termios.h>
+#include <err.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <syslog.h>
+#endif
+
+#ifdef HAVE_SETCON
+# include <selinux/selinux.h>
+#endif
 
 #include "common.h"
 
+/* The raw header used when not using DNS protocol */
+const unsigned char raw_header[RAW_HDR_LEN] = { 0x10, 0xd1, 0x9e, 0x00 };
+
+/* daemon(3) exists only in 4.4BSD or later, and in GNU libc */
+#if !defined(WINDOWS32) && !(defined(BSD) && (BSD >= 199306)) && !defined(__GLIBC__)
+static int daemon(int nochdir, int noclose)
+{
+ 	int fd, i;
+ 
+ 	switch (fork()) {
+ 		case 0:
+ 			break;
+ 		case -1:
+ 			return -1;
+ 		default:
+ 			_exit(0);
+ 	}
+ 
+ 	if (!nochdir) {
+ 		chdir("/");
+ 	}
+ 
+ 	if (setsid() < 0) {
+ 		return -1;
+ 	}
+ 	
+ 	if (!noclose) {
+ 		if ((fd = open("/dev/null", O_RDWR)) >= 0) {
+ 			for (i = 0; i < 3; i++) {
+ 				dup2(fd, i);
+ 			}
+ 			if (fd > 2) {
+ 				close(fd);
+ 			}
+ 		}
+ 	}
+	return 0;
+}
+#endif
+
+#if defined(__BEOS__) && !defined(__HAIKU__)
+int setgroups(int count, int *groups)
+{
+	/* errno = ENOSYS; */
+	return -1;
+}
+#endif
+
+
+void
+check_superuser(void (*usage_fn)(void))
+{
+#ifndef WINDOWS32
+	if (geteuid() != 0) {
+		warnx("Run as root and you'll be happy.\n");
+		usage_fn();
+		/* NOTREACHED */
+	}
+#endif
+}
+
 int 
 open_dns(int localport, in_addr_t listen_ip) 
 {
 	struct sockaddr_in addr;
-	int flag;
+	int flag = 1;
 	int fd;
 
 	memset(&addr, 0, sizeof(addr));
@@ -45,19 +124,32 @@ open_dns(int localport, in_addr_t listen_ip)
 	/* listen_ip already in network byte order from inet_addr, or 0 */
 	addr.sin_addr.s_addr = listen_ip; 
 
-	if ((fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
+	if ((fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
+		fprintf(stderr, "got fd %d\n", fd);
 		err(1, "socket");
+	}
 
 	flag = 1;
 #ifdef SO_REUSEPORT
-	setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &flag, sizeof(flag));
+	setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (const void*) &flag, sizeof(flag));
+#endif
+	setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (const void*) &flag, sizeof(flag));
+
+#ifndef WINDOWS32
+	/* To get destination address from each UDP datagram, see iodined.c:read_dns() */
+	setsockopt(fd, IPPROTO_IP, DSTADDR_SOCKOPT, (const void*) &flag, sizeof(flag));
+#endif
+
+#ifdef IP_OPT_DONT_FRAG
+	/* Set dont-fragment ip header flag */
+	flag = DONT_FRAG_VALUE;
+	setsockopt(fd, IPPROTO_IP, IP_OPT_DONT_FRAG, (const void*) &flag, sizeof(flag));
 #endif
-	setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &flag, sizeof(flag));
 
 	if(bind(fd, (struct sockaddr*)&addr, sizeof(addr)) < 0) 
 		err(1, "bind");
 
-	printf("Opened UDP socket\n");
+	fprintf(stderr, "Opened UDP socket\n");
 
 	return fd;
 }
@@ -71,20 +163,188 @@ close_dns(int fd)
 void
 do_chroot(char *newroot)
 {
-	if (newroot) {
-		if (chroot(newroot) != 0 || chdir("/") != 0)
-			err(1, "%s", newroot);
+#if !(defined(WINDOWS32) || defined(__BEOS__) || defined(__HAIKU__))
+	if (chroot(newroot) != 0 || chdir("/") != 0)
+		err(1, "%s", newroot);
 
-		seteuid(geteuid());
-		setuid(getuid());
+	seteuid(geteuid());
+	setuid(getuid());
+#else
+	warnx("chroot not available");
+#endif
+}
+
+void
+do_setcon(char *context)
+{
+#ifdef HAVE_SETCON
+	if (-1 == setcon(context))
+		err(1, "%s", context);
+#else
+	warnx("No SELinux support built in");
+#endif
+}
+
+void
+do_pidfile(char *pidfile)
+{
+#ifndef WINDOWS32
+	FILE *file;
+
+	if ((file = fopen(pidfile, "w")) == NULL) {
+		syslog(LOG_ERR, "Cannot write pidfile to %s, exiting", pidfile);
+		err(1, "do_pidfile: Can not write pidfile to %s", pidfile);
+	} else {
+		fprintf(file, "%d\n", (int)getpid());
+		fclose(file);
 	}
+#else
+	fprintf(stderr, "Windows version does not support pid file\n");
+#endif
 }
 
 void
 do_detach()
 {
-	printf("Detaching from terminal...\n");
+#ifndef WINDOWS32
+	fprintf(stderr, "Detaching from terminal...\n");
 	daemon(0, 0);
 	umask(0);
 	alarm(0);
+#else
+	fprintf(stderr, "Windows version does not support detaching\n");
+#endif
+}
+
+void
+read_password(char *buf, size_t len)
+{
+	char pwd[80];
+#ifndef WINDOWS32
+	struct termios old;
+	struct termios tp;
+
+	tcgetattr(0, &tp);
+	old = tp;
+	
+	tp.c_lflag &= (~ECHO);
+	tcsetattr(0, TCSANOW, &tp);
+#else
+	int i;
+#endif
+
+	fprintf(stderr, "Enter password: ");
+	fflush(stderr);
+#ifndef WINDOWS32
+	scanf("%79s", pwd);
+#else
+	for (i = 0; i < sizeof(pwd); i++) {
+		pwd[i] = getch();
+		if (pwd[i] == '\r' || pwd[i] == '\n') {
+			pwd[i] = 0;
+			break;
+		} else if (pwd[i] == '\b') {
+			i--; 			/* Remove the \b char */
+			if (i >=0) i--; 	/* If not first char, remove one more */
+		}
+	}
+#endif
+	fprintf(stderr, "\n");
+
+#ifndef WINDOWS32
+	tcsetattr(0, TCSANOW, &old);	
+#endif
+
+	strncpy(buf, pwd, len);
+	buf[len-1] = '\0';
+}
+
+int
+check_topdomain(char *str)
+{
+       int i;
+
+       if(str[0] == '.') /* special case */
+               return 1;
+
+       for( i = 0; i < strlen(str); i++) {
+               if( isalpha(str[i]) || isdigit(str[i]) || str[i] == '-' || str[i] == '.' )
+                       continue;
+               else 
+		       return 1;
+       }
+       return 0;
+}
+
+#ifdef WINDOWS32
+int
+inet_aton(const char *cp, struct in_addr *inp)
+{
+ inp->s_addr = inet_addr(cp);
+ return inp->s_addr != INADDR_ANY;
+}
+
+void
+warn(const char *fmt, ...)
+{
+	va_list list;
+
+	va_start(list, fmt);
+	if (fmt) fprintf(stderr, fmt, list);
+	if (errno == 0) {
+		fprintf(stderr, ": WSA error %d\n", WSAGetLastError()); 
+	} else {
+		fprintf(stderr, ": %s\n", strerror(errno));
+	}
+	va_end(list);
+}
+
+void
+warnx(const char *fmt, ...)
+{
+	va_list list;
+
+	va_start(list, fmt);
+	if (fmt) fprintf(stderr, fmt, list);
+	fprintf(stderr, "\n");
+	va_end(list);
+}
+
+void
+err(int eval, const char *fmt, ...)
+{
+	va_list list;
+
+	va_start(list, fmt);
+	warn(fmt, list);
+	va_end(list);
+	exit(eval);
+}
+
+void
+errx(int eval, const char *fmt, ...)
+{
+	va_list list;
+
+	va_start(list, fmt);
+	warnx(fmt, list);
+	va_end(list);
+	exit(eval);
+}
+#endif
+
+
+int recent_seqno(int ourseqno, int gotseqno)
+/* Return 1 if we've seen gotseqno recently (current or up to 3 back).
+   Return 0 if gotseqno is new (or very old).
+*/
+{
+	int i;
+	for (i = 0; i < 4; i++, ourseqno--) {
+		if (ourseqno < 0)
+			ourseqno = 7;
+		if (gotseqno == ourseqno)
+			return 1;
+	}
+	return 0;
 }

src/common.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -17,9 +17,31 @@
 #ifndef __COMMON_H__
 #define __COMMON_H__
 
-#include <arpa/inet.h>
+/* Last byte of raw header is the command */
+#define RAW_HDR_LEN 4
+#define RAW_HDR_IDENT_LEN 3
+#define RAW_HDR_CMD 3
+#define RAW_HDR_CMD_LOGIN 0x10
+#define RAW_HDR_CMD_DATA  0x20
+#define RAW_HDR_CMD_PING  0x30
+
+#define RAW_HDR_CMD_MASK  0xF0
+#define RAW_HDR_USR_MASK  0x0F
+#define RAW_HDR_GET_CMD(x) ((x)[RAW_HDR_CMD] & RAW_HDR_CMD_MASK)
+#define RAW_HDR_GET_USR(x) ((x)[RAW_HDR_CMD] & RAW_HDR_USR_MASK)
+extern const unsigned char raw_header[RAW_HDR_LEN];
+
+#ifdef WINDOWS32
+#include "windows.h"
+#else
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <err.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#endif
+
+#define DNS_PORT 53
 
 #ifndef MIN
 #define MIN(a,b) ((a)<(b)?(a):(b))
@@ -28,25 +50,84 @@
 #define MAX(a,b) ((a)>(b)?(a):(b))
 #endif
 
+#define QUERY_NAME_SIZE 256
+
+#if defined IP_RECVDSTADDR 
+# define DSTADDR_SOCKOPT IP_RECVDSTADDR 
+# define dstaddr(x) ((struct in_addr *) CMSG_DATA(x)) 
+#elif defined IP_PKTINFO 
+# define DSTADDR_SOCKOPT IP_PKTINFO 
+# define dstaddr(x) (&(((struct in_pktinfo *)(CMSG_DATA(x)))->ipi_addr)) 
+#endif
+
+#if defined IP_MTU_DISCOVER
+  /* Linux */
+# define IP_OPT_DONT_FRAG IP_MTU_DISCOVER
+# define DONT_FRAG_VALUE IP_PMTUDISC_DO
+#elif defined IP_DONTFRAG
+  /* FreeBSD */
+# define IP_OPT_DONT_FRAG IP_DONTFRAG
+# define DONT_FRAG_VALUE 1
+#elif defined IP_DONTFRAGMENT
+  /* Winsock2 */
+# define IP_OPT_DONT_FRAG IP_DONTFRAGMENT
+# define DONT_FRAG_VALUE 1
+#endif
+
+#define T_UNSET 65432
+/* Unused RR type; "private use" range, see http://www.bind9.net/dns-parameters */
+
 struct packet 
 {
-	int len;
-	int offset;
-	char data[64*1024];
+	int len;		/* Total packet length */
+	int sentlen;		/* Length of chunk currently transmitted */
+	int offset;		/* Current offset */
+	char data[64*1024];	/* The data */
+	char seqno;		/* The packet sequence number */
+	char fragment;		/* Fragment index */
 };
 
 struct query {
-	char name[258];
-	short type;
-	short id;
+	char name[QUERY_NAME_SIZE];
+	unsigned short type;
+	unsigned short rcode;
+	unsigned short id;
+	struct in_addr destination;
 	struct sockaddr from;
 	int fromlen;
+	unsigned short id2;
+	struct sockaddr from2;
+	int fromlen2;
 };
 
+enum connection {
+	CONN_RAW_UDP,
+	CONN_DNS_NULL,
+	CONN_MAX
+};
+
+void check_superuser(void (*usage_fn)(void));
 int open_dns(int, in_addr_t);
 void close_dns(int);
 
 void do_chroot(char *);
+void do_setcon(char *);
 void do_detach();
+void do_pidfile(char *);
+
+void read_password(char*, size_t);
+
+int check_topdomain(char *);
+
+#ifdef WINDOWS32
+int inet_aton(const char *cp, struct in_addr *inp);
+
+void err(int eval, const char *fmt, ...);
+void warn(const char *fmt, ...);
+void errx(int eval, const char *fmt, ...);
+void warnx(const char *fmt, ...);
+#endif
+
+int recent_seqno(int , int);
 
 #endif

src/dns.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,13 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#ifdef DARWIN
-#include <arpa/nameser8_compat.h>
-#endif
 #include <time.h>
-#include <err.h>
 #include <stdio.h>
 #include <stdint.h>
 #include <stdlib.h>
@@ -28,10 +22,27 @@
 #include <string.h>
 #include <ctype.h>
 
+#ifdef WINDOWS32
+#include "windows.h"
+#else
+#include <arpa/nameser.h>
+#ifdef DARWIN
+#define BIND_8_COMPAT
+#include <arpa/nameser_compat.h>
+#endif
+#include <arpa/inet.h>
+#include <err.h>
+#endif
+
+
 #include "dns.h"
 #include "encoding.h"
 #include "read.h"
 
+int dnsc_use_edns0 = 1;
+
+#define CHECKLEN(x) if (buflen - (p-buf) < (x))  return 0
+
 int
 dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_t datalen)
 {
@@ -39,6 +50,10 @@ dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_
 	short name;
 	char *p;
 	int len;
+	int ancnt;
+
+	if (buflen < sizeof(HEADER))
+		return 0;
 
 	memset(buf, 0, buflen);
 	
@@ -56,40 +71,150 @@ dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_
 
 	switch (qr) {
 	case QR_ANSWER:
-		header->ancount = htons(1);
 		header->qdcount = htons(1);
 	
 		name = 0xc000 | ((p - buf) & 0x3fff);
 
-		putname(&p, 256, q->name);
+		/* Question section */
+		putname(&p, buflen - (p - buf), q->name);
 
+		CHECKLEN(4);
 		putshort(&p, q->type);
 		putshort(&p, C_IN);
 
-		putshort(&p, name);	
-		putshort(&p, q->type);
-		putshort(&p, C_IN);
-		putlong(&p, 0);
+		/* Answer section */
 
-		putshort(&p, datalen);
-		putdata(&p, data, datalen);
+		if (q->type == T_CNAME || q->type == T_A) {
+			/* data is expected to be like "Hblabla.host.name.com\0" */
+
+			char *startp;
+			int namelen;
+
+			CHECKLEN(10);
+			putshort(&p, name);	
+			if (q->type == T_A)
+				/* answer CNAME to A question */
+				putshort(&p, T_CNAME);
+			else
+				putshort(&p, q->type);
+			putshort(&p, C_IN);
+			putlong(&p, 0);		/* TTL */
+
+			startp = p;
+			p += 2;			/* skip 2 bytes length */
+			putname(&p, buflen - (p - buf), data);
+			CHECKLEN(0);
+			namelen = p - startp;
+			namelen -= 2;
+			putshort(&startp, namelen);
+			ancnt = 1;
+		} else if (q->type == T_MX || q->type == T_SRV) {
+			/* Data is expected to be like
+			   "Hblabla.host.name.com\0Hanother.com\0\0"
+			   For SRV, see RFC2782.
+			 */
+
+			char *mxdata = data;
+			char *startp;
+			int namelen;
+
+			ancnt = 1;
+			while (1) {
+				CHECKLEN(10);
+				putshort(&p, name);	
+				putshort(&p, q->type);
+				putshort(&p, C_IN);
+				putlong(&p, 0);		/* TTL */
+
+				startp = p;
+				p += 2;			/* skip 2 bytes length */
+				CHECKLEN(2);
+				putshort(&p, 10 * ancnt);	/* preference */
+
+				if (q->type == T_SRV) {
+					/* weight, port (5060 = SIP) */
+					CHECKLEN(4);
+					putshort(&p, 10);
+					putshort(&p, 5060);
+				}
+
+				putname(&p, buflen - (p - buf), mxdata);
+				CHECKLEN(0);
+				namelen = p - startp;
+				namelen -= 2;
+				putshort(&startp, namelen);
+
+				mxdata = mxdata + strlen(mxdata) + 1;
+				if (*mxdata == '\0')
+					break;
+
+				ancnt++;
+			}
+		} else if (q->type == T_TXT) {
+			/* TXT has binary or base-X data */
+			char *startp;
+			int txtlen;
+
+			CHECKLEN(10);
+			putshort(&p, name);	
+			putshort(&p, q->type);
+			putshort(&p, C_IN);
+			putlong(&p, 0);		/* TTL */
+
+			startp = p;
+			p += 2;			/* skip 2 bytes length */
+			puttxtbin(&p, buflen - (p - buf), data, datalen);
+			CHECKLEN(0);
+			txtlen = p - startp;
+			txtlen -= 2;
+			putshort(&startp, txtlen);
+			ancnt = 1;
+		} else {
+			/* NULL has raw binary data */
+
+			CHECKLEN(10);
+			putshort(&p, name);	
+			putshort(&p, q->type);
+			putshort(&p, C_IN);
+			putlong(&p, 0);		/* TTL */
+
+			datalen = MIN(datalen, buflen - (p - buf));
+			CHECKLEN(2);
+			putshort(&p, datalen);
+			CHECKLEN(datalen);
+			putdata(&p, data, datalen);
+			CHECKLEN(0);
+			ancnt = 1;
+		}
+		header->ancount = htons(ancnt);
 		break;
 	case QR_QUERY:
-		header->qdcount = htons(1);
-		header->arcount = htons(1);
-	
-		putname(&p, 256, data);
+		/* Note that iodined also uses this for forward queries */
 
+		header->qdcount = htons(1);
+	
+		datalen = MIN(datalen, buflen - (p - buf));
+		putname(&p, datalen, data);
+
+		CHECKLEN(4);
 		putshort(&p, q->type);
 		putshort(&p, C_IN);
 
-		/* EDNS0 */
+		/* EDNS0 to advertise maximum response length
+		   (even CNAME/A/MX, 255+255+header would be >512) */
+		if (dnsc_use_edns0) {
+			header->arcount = htons(1);
+			/*XXX START adjust indent 1 tab forward*/
+		CHECKLEN(11);
 		putbyte(&p, 0x00);    /* Root */
 		putshort(&p, 0x0029); /* OPT */
 		putshort(&p, 0x1000); /* Payload size: 4096 */
 		putshort(&p, 0x0000); /* Higher bits/edns version */
 		putshort(&p, 0x8000); /* Z */
 		putshort(&p, 0x0000); /* Data length */
+			/*XXX END adjust indent 1 tab forward*/
+		}
+
 		break;
 	}
 	
@@ -98,14 +223,182 @@ dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_
 	return len;
 }
 
+int
+dns_encode_ns_response(char *buf, size_t buflen, struct query *q, char *topdomain)
+/* Only used when iodined gets an NS type query */
+/* Mostly same as dns_encode_a_response() below */
+{
+	HEADER *header;
+	int len;
+	short name;
+	short topname;
+	short nsname;
+	char *ipp;
+	int domain_len;
+	char *p;
+
+	if (buflen < sizeof(HEADER))
+		return 0;
+
+	memset(buf, 0, buflen);
+	
+	header = (HEADER*)buf;
+	
+	header->id = htons(q->id);
+	header->qr = 1;
+	header->opcode = 0;
+	header->aa = 1;
+	header->tc = 0;
+	header->rd = 0;
+	header->ra = 0;
+
+	p = buf + sizeof(HEADER);
+
+	header->qdcount = htons(1);
+	header->ancount = htons(1);
+	header->arcount = htons(1);
+
+	/* pointer to start of name */
+	name = 0xc000 | ((p - buf) & 0x3fff);
+
+	domain_len = strlen(q->name) - strlen(topdomain);
+	if (domain_len < 0 || domain_len == 1)
+		return -1;
+	if (strcasecmp(q->name + domain_len, topdomain))
+		return -1;
+	if (domain_len >= 1 && q->name[domain_len - 1] != '.')
+		return -1;
+
+	/* pointer to start of topdomain; instead of dots at the end
+	   we have length-bytes in front, so total length is the same */
+	topname = 0xc000 | ((p - buf + domain_len) & 0x3fff);
+
+	/* Query section */
+	putname(&p, buflen - (p - buf), q->name);	/* Name */
+	CHECKLEN(4);
+	putshort(&p, q->type);			/* Type */
+	putshort(&p, C_IN);			/* Class */
+
+	/* Answer section */
+	CHECKLEN(12);
+	putshort(&p, name);			/* Name */
+	putshort(&p, q->type);			/* Type */
+	putshort(&p, C_IN);			/* Class */
+	putlong(&p, 3600);			/* TTL */
+	putshort(&p, 5);			/* Data length */
+
+	/* pointer to ns.topdomain */
+	nsname = 0xc000 | ((p - buf) & 0x3fff);
+	CHECKLEN(5);
+	putbyte(&p, 2);
+	putbyte(&p, 'n');
+	putbyte(&p, 's');
+	putshort(&p, topname);			/* Name Server */
+
+	/* Additional data (A-record of NS server) */
+	CHECKLEN(12);
+	putshort(&p, nsname);			/* Name Server */
+	putshort(&p, T_A);			/* Type */
+	putshort(&p, C_IN);			/* Class */
+	putlong(&p, 3600);			/* TTL */
+	putshort(&p, 4);			/* Data length */
+
+	/* ugly hack to output IP address */
+	ipp = (char *) &q->destination;
+	CHECKLEN(4);
+	putbyte(&p, *(ipp++));
+	putbyte(&p, *(ipp++));
+	putbyte(&p, *(ipp++));
+	putbyte(&p, *ipp);
+
+	len = p - buf;
+	return len;
+}
+
+int
+dns_encode_a_response(char *buf, size_t buflen, struct query *q)
+/* Only used when iodined gets an A type query for ns.topdomain or www.topdomain */
+/* Mostly same as dns_encode_ns_response() above */
+{
+	HEADER *header;
+	int len;
+	short name;
+	char *ipp;
+	char *p;
+
+	if (buflen < sizeof(HEADER))
+		return 0;
+
+	memset(buf, 0, buflen);
+	
+	header = (HEADER*)buf;
+	
+	header->id = htons(q->id);
+	header->qr = 1;
+	header->opcode = 0;
+	header->aa = 1;
+	header->tc = 0;
+	header->rd = 0;
+	header->ra = 0;
+
+	p = buf + sizeof(HEADER);
+
+	header->qdcount = htons(1);
+	header->ancount = htons(1);
+
+	/* pointer to start of name */
+	name = 0xc000 | ((p - buf) & 0x3fff);
+
+	/* Query section */
+	putname(&p, buflen - (p - buf), q->name);	/* Name */
+	CHECKLEN(4);
+	putshort(&p, q->type);			/* Type */
+	putshort(&p, C_IN);			/* Class */
+
+	/* Answer section */
+	CHECKLEN(12);
+	putshort(&p, name);			/* Name */
+	putshort(&p, q->type);			/* Type */
+	putshort(&p, C_IN);			/* Class */
+	putlong(&p, 3600);			/* TTL */
+	putshort(&p, 4);			/* Data length */
+
+	/* ugly hack to output IP address */
+	ipp = (char *) &q->destination;
+	CHECKLEN(4);
+	putbyte(&p, *(ipp++));
+	putbyte(&p, *(ipp++));
+	putbyte(&p, *(ipp++));
+	putbyte(&p, *ipp);
+
+	len = p - buf;
+	return len;
+}
+
+#undef CHECKLEN
+
+unsigned short
+dns_get_id(char *packet, size_t packetlen)
+{
+	HEADER *header;
+	header = (HEADER*)packet;
+
+	if (packetlen < sizeof(HEADER))
+		return 0;
+
+	return ntohs(header->id);
+}
+
+#define CHECKLEN(x) if (packetlen - (data-packet) < (x))  return 0
+
 int
 dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, size_t packetlen)
 {
+	char name[QUERY_NAME_SIZE];
 	char rdata[4*1024];
 	HEADER *header;
 	short qdcount;
 	short ancount;
-	char name[255];
 	uint32_t ttl;
 	short class;
 	short type;
@@ -114,6 +407,7 @@ dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, siz
 	int id; 
 	int rv;
 
+	q->id2 = 0;
 	rv = 0;
 	header = (HEADER*)packet;
 
@@ -131,53 +425,179 @@ dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, siz
 	ancount = ntohs(header->ancount);
 	
 	id = ntohs(header->id);
+	id = id & 0xFFFF; /* Kill any sign extension */
 		
 	rlen = 0;
 
+	if (q != NULL) 
+		q->rcode = header->rcode;
+
 	switch (qr) {
 	case QR_ANSWER:
-		if(qdcount != 1 || ancount != 1) {
-			warnx("no query or answer in answer");
+		if(qdcount < 1) {
+			/* We need a question */
 			return -1;
 		}
 
 		if (q != NULL) 
 			q->id = id;
 
+		/* Read name even if no answer, to give better error message */
 		readname(packet, packetlen, &data, name, sizeof(name));
+		CHECKLEN(4);
 		readshort(packet, &data, &type);
 		readshort(packet, &data, &class);
 		
-		readname(packet, packetlen, &data, name, sizeof(name));
-		readshort(packet, &data, &type);
-		readshort(packet, &data, &class);
-		readlong(packet, &data, &ttl);
-		readshort(packet, &data, &rlen);
-		rv = MIN(rlen, sizeof(rdata));
-		rv = readdata(packet, &data, rdata, rv);
-
-		if(type == T_NULL && rv > 2) {
-			rv = MIN(rv, buflen);
-			memcpy(buf, rdata, rv);
-		}
-		break;
-	case QR_QUERY:
-		if (qdcount != 1) {
-			warnx("no query on query");
+		/* if CHECKLEN okay, then we're sure to have a proper name */
+		if (q != NULL) {
+			/* We only need the first char to check it */
+			q->name[0] = name[0];
+			q->name[1] = '\0';
+		} 
+		
+		if (ancount < 1) {
+			/* DNS errors like NXDOMAIN have ancount=0 and
+			   stop here. CNAME may also have A; MX/SRV may have
+			   multiple results. */
 			return -1;
 		}
 
-		readname(packet, packetlen, &data, name, sizeof(name) -1);
-		name[256] = 0;
+		/* Here type is still the question type */
+		if (type == T_NULL) {
+			/* Assume that first answer is what we wanted */
+			readname(packet, packetlen, &data, name, sizeof(name));
+			CHECKLEN(10);
+			readshort(packet, &data, &type);
+			readshort(packet, &data, &class);
+			readlong(packet, &data, &ttl);
+			readshort(packet, &data, &rlen);
+
+			rv = MIN(rlen, sizeof(rdata));
+			rv = readdata(packet, &data, rdata, rv);
+			if (rv >= 2 && buf) {
+				rv = MIN(rv, buflen);
+				memcpy(buf, rdata, rv);
+			} else {
+				rv = 0;
+			}
+		}
+		else if ((type == T_A || type == T_CNAME) && buf) {
+			/* Assume that first answer is what we wanted */
+			readname(packet, packetlen, &data, name, sizeof(name));
+			CHECKLEN(10);
+			readshort(packet, &data, &type);
+			readshort(packet, &data, &class);
+			readlong(packet, &data, &ttl);
+			readshort(packet, &data, &rlen);
+
+			memset(name, 0, sizeof(name));
+			readname(packet, packetlen, &data, name, sizeof(name) - 1);
+			name[sizeof(name)-1] = '\0';
+			strncpy(buf, name, buflen);
+			buf[buflen - 1] = '\0';
+			rv = strlen(buf);
+		}
+		else if ((type == T_MX || type == T_SRV) && buf) {
+			/* We support 250 records, 250*(255+header) ~= 64kB.
+			   Only exact 10-multiples are accepted, and gaps in
+			   numbering are not jumped over (->truncated).
+			   Hopefully DNS servers won't mess around too much.
+			 */
+			char names[250][QUERY_NAME_SIZE];
+			char *rdatastart;
+			short pref;
+			int i;
+			int offset;
+
+			memset(names, 0, sizeof(names));
+
+			for (i=0; i < ancount; i++) {
+				readname(packet, packetlen, &data, name, sizeof(name));
+				CHECKLEN(12);
+				readshort(packet, &data, &type);
+				readshort(packet, &data, &class);
+				readlong(packet, &data, &ttl);
+				readshort(packet, &data, &rlen);
+				rdatastart = data;
+				readshort(packet, &data, &pref);
+
+				if (type == T_SRV) {
+					/* skip weight, port */
+					data += 4;
+					CHECKLEN(0);
+				}
+
+				if (pref % 10 == 0 && pref >= 10 &&
+				    pref < 2500) {
+					readname(packet, packetlen, &data,
+						 names[pref / 10 - 1],
+						 QUERY_NAME_SIZE - 1);
+					names[pref / 10 - 1][QUERY_NAME_SIZE-1] = '\0';
+				}
+
+				/* always trust rlen, not name encoding */ 
+				data = rdatastart + rlen;
+				CHECKLEN(0);
+			}
+
+			/* output is like Hname10.com\0Hname20.com\0\0 */
+			offset = 0;
+			i = 0;
+			while (names[i][0] != '\0') {
+				int l = MIN(strlen(names[i]), buflen-offset-2);
+				if (l <= 0)
+					break;
+				memcpy(buf + offset, names[i], l);
+				offset += l;
+				*(buf + offset) = '\0';
+				offset++;
+				i++;
+			}
+			*(buf + offset) = '\0';
+			rv = offset;
+		}
+		else if (type == T_TXT && buf) {
+			/* Assume that first answer is what we wanted */
+			readname(packet, packetlen, &data, name, sizeof(name));
+			CHECKLEN(10);
+			readshort(packet, &data, &type);
+			readshort(packet, &data, &class);
+			readlong(packet, &data, &ttl);
+			readshort(packet, &data, &rlen);
+
+			rv = readtxtbin(packet, &data, rlen, rdata, sizeof(rdata));
+			if (rv >= 1) {
+				rv = MIN(rv, buflen);
+				memcpy(buf, rdata, rv);
+			} else {
+				rv = 0;
+			}
+		}
+
+		/* Here type is the answer type (note A->CNAME) */
+		if (q != NULL)
+			q->type = type;
+		break;
+	case QR_QUERY:
+		if (qdcount < 1) {
+			warnx("no question section in name query");
+			return -1;
+		}
+
+		memset(name, 0, sizeof(name));
+		readname(packet, packetlen, &data, name, sizeof(name) - 1);
+		name[sizeof(name)-1] = '\0';
+		CHECKLEN(4);
 		readshort(packet, &data, &type);
 		readshort(packet, &data, &class);
 
-		if(type != T_NULL) {
+		if (q == NULL) {
 			rv = 0;
 			break;
 		}
 
-		strncpy(q->name, name, 257);
+		strncpy(q->name, name, sizeof(q->name));
+		q->name[sizeof(q->name) - 1] = '\0';
 		q->type = type;
 		q->id = id;
 

src/dns.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -24,7 +24,12 @@ typedef enum {
 	QR_ANSWER = 1
 } qr_t;
 
+extern int dnsc_use_edns0;
+
 int dns_encode(char *, size_t, struct query *, qr_t, char *, size_t);
+int dns_encode_ns_response(char *buf, size_t buflen, struct query *q, char *topdomain);
+int dns_encode_a_response(char *buf, size_t buflen, struct query *q);
+unsigned short dns_get_id(char *packet, size_t packetlen);
 int dns_decode(char *, size_t, struct query *, qr_t, char *, size_t);
 
 #endif /* _DNS_H_ */

src/encoding.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,8 +15,45 @@
  */
 
 #include <string.h>
+#include "common.h"
 #include "encoding.h"
 
+int
+build_hostname(char *buf, size_t buflen, 
+		const char *data, const size_t datalen, 
+		const char *topdomain, struct encoder *encoder, int maxlen)
+{
+	int encsize;
+	size_t space;
+	char *b;
+
+	space = MIN(maxlen, buflen) - strlen(topdomain) - 8;
+	/* 8 = 5 max header length + 1 dot before topdomain + 2 safety */
+
+	if (!encoder->places_dots())
+		space -= (space / 57); /* space for dots */
+
+	memset(buf, 0, buflen);
+	
+	encsize = encoder->encode(buf, &space, data, datalen);
+
+	if (!encoder->places_dots())
+		inline_dotify(buf, buflen);
+
+	b = buf;
+	b += strlen(buf);
+
+	/* move b back one step to see if the dot is there */
+	b--;
+	if (*b != '.') 
+		*++b = '.';
+	b++;
+	/* move b ahead of the string so we can copy to it */
+
+	strncpy(b, topdomain, strlen(topdomain)+1);
+
+	return space;
+}
 
 int
 unpack_data(char *buf, size_t buflen, char *data, size_t datalen, struct encoder *enc)
@@ -35,7 +72,7 @@ inline_dotify(char *buf, size_t buflen)
 	char *reader, *writer;
 
 	total = strlen(buf);
-	dots = total / 62;
+	dots = total / 57;
 
 	writer = buf;
 	writer += total;
@@ -52,12 +89,12 @@ inline_dotify(char *buf, size_t buflen)
 	pos = (unsigned) (reader - buf) + 1;
 
 	while (dots) {
-		if (pos % 62 == 0) {
+		*writer-- = *reader--;
+		pos--;
+		if (pos % 57 == 0) {
 			*writer-- = '.';
 			dots--;
 		}
-		*writer-- = *reader--;
-		pos--;
 	}
 
 	/* return new length of string */

src/encoding.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -17,14 +17,24 @@
 #ifndef _ENCODING_H_
 #define _ENCODING_H_
 
+/* All-0, all-1, 01010101, 10101010: each 4 times to make sure the pattern
+   spreads across multiple encoded chars -> 16 bytes total.
+   Followed by 32 bytes from my /dev/random; should be enough.
+ */
+#define DOWNCODECCHECK1      "\000\000\000\000\377\377\377\377\125\125\125\125\252\252\252\252\201\143\310\322\307\174\262\027\137\117\316\311\111\055\122\041\141\251\161\040\045\263\006\163\346\330\104\060\171\120\127\277"
+#define DOWNCODECCHECK1_LEN  48
+
 struct encoder {
 	char name[8];
 	int (*encode) (char *, size_t *, const void *, size_t);
 	int (*decode) (void *, size_t *, const char *, size_t);
 	int (*places_dots) (void);
 	int (*eats_dots) (void);
+	int (*blocksize_raw)(void);
+	int (*blocksize_encoded)(void);
 };
 
+int build_hostname(char *, size_t, const char *, const size_t, const char *, struct encoder *, int);
 int unpack_data(char *, size_t, char *, size_t, struct encoder *);
 int inline_dotify(char *, size_t);
 int inline_undotify(char *, size_t);

src/fw_query.c

@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2008 Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <string.h>
+#include "fw_query.h"
+
+static struct fw_query fwq[FW_QUERY_CACHE_SIZE];
+static int fwq_ix;
+
+void fw_query_init()
+{
+	memset(fwq, 0, sizeof(struct fw_query) * FW_QUERY_CACHE_SIZE);
+	fwq_ix = 0;
+}
+
+void fw_query_put(struct fw_query *fw_query)
+{
+	memcpy(&(fwq[fwq_ix]), fw_query, sizeof(struct fw_query));
+	
+	++fwq_ix;
+	if (fwq_ix >= FW_QUERY_CACHE_SIZE) 
+		fwq_ix = 0;
+}
+
+void fw_query_get(unsigned short query_id, struct fw_query **fw_query)
+{
+	int i;
+
+	*fw_query = NULL;
+	for (i = 0; i < FW_QUERY_CACHE_SIZE; i++) {
+		if (fwq[i].id == query_id) {
+			*fw_query = &(fwq[i]);
+			return;
+		}
+	}
+}

src/fw_query.h

@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2008 Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __FW_QUERY_H__
+#define __FW_QUERY_H__
+
+#include <sys/types.h>
+#ifdef WINDOWS32
+#include "windows.h"
+#include <winsock2.h>
+#else
+#include <sys/socket.h>
+#endif
+
+#define FW_QUERY_CACHE_SIZE 16
+
+struct fw_query {
+	struct sockaddr addr;
+	int addrlen;
+	unsigned short id;
+};
+
+void fw_query_init();
+void fw_query_put(struct fw_query *fw_query);
+void fw_query_get(unsigned short query_id, struct fw_query **fw_query);
+
+#endif /*__FW_QUERY_H__*/
+

src/iodine.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -20,467 +20,49 @@
 #include <string.h>
 #include <signal.h>
 #include <unistd.h>
-#include <netdb.h>
-#include <netinet/in.h>
 #include <sys/types.h>
-#include <sys/socket.h>
+#include <sys/param.h>
+#include <sys/time.h>
 #include <fcntl.h>
-#include <err.h>
+#include <time.h>
+
+#ifdef WINDOWS32
+#include "windows.h"
+#include <winsock2.h>
+#else
+#include <grp.h>
 #include <pwd.h>
-#include <arpa/inet.h>
-#include <zlib.h>
-#include <arpa/nameser.h>
-#ifdef DARWIN
-#include <arpa/nameser8_compat.h>
 #endif
 
 #include "common.h"
-#include "encoding.h"
-#include "base32.h"
-#include "dns.h"
-#include "login.h"
 #include "tun.h"
-#include "version.h"
+#include "client.h"
+#include "util.h"
 
-static void send_ping(int fd);
-static void send_chunk(int fd);
-static int build_hostname(char *buf, size_t buflen, 
-	const char *data, const size_t datalen, 
-	const char *topdomain);
+#ifdef WINDOWS32
+WORD req_version = MAKEWORD(2, 2);
+WSADATA wsa_data;
+#endif
 
-int running = 1;
-char password[33];
+#if !defined(BSD) && !defined(__GLIBC__)
+static char *__progname;
+#endif
 
-struct sockaddr_in peer;
-static char *topdomain;
-
-uint16_t rand_seed;
-
-/* Current IP packet */
-static char activepacket[4096];
-static char userid;
-static int lastlen;
-static int packetpos;
-static int packetlen;
-static uint16_t chunkid;
-
-static struct encoder *enc;
+#define PASSWORD_ENV_VAR "IODINE_PASS"
 
 static void
 sighandler(int sig) 
 {
-	running = 0;
-}
-
-static void
-send_packet(int fd, char cmd, const char *data, const size_t datalen)
-{
-	char packet[4096];
-	struct query q;
-	char buf[4096];
-	size_t len;
-
-	q.id = ++chunkid;
-	q.type = T_NULL;
-
-	buf[0] = cmd;
-	
-	len = build_hostname(buf + 1, sizeof(buf) - 1, data, datalen, topdomain);
-	len = dns_encode(packet, sizeof(packet), &q, QR_QUERY, buf, strlen(buf));
-
-	sendto(fd, packet, len, 0, (struct sockaddr*)&peer, sizeof(peer));
-}
-
-static int
-build_hostname(char *buf, size_t buflen, 
-		const char *data, const size_t datalen, 
-		const char *topdomain)
-{
-	int encsize;
-	unsigned space;
-	char *b;
-
-
-	space = MIN(0xFF, buflen) - strlen(topdomain) - 2;
-	if (!enc->places_dots())
-		space -= (space / 62); /* space for dots */
-
-	memset(buf, 0, buflen);
-	
-	encsize = enc->encode(buf, &space, data, datalen);
-
-	if (!enc->places_dots())
-		inline_dotify(buf, buflen);
-
-	b = buf;
-	b += strlen(buf);
-
-	if (*b != '.') 
-		*b++ = '.';
-
-	strncpy(b, topdomain, strlen(topdomain)+1);
-
-	return space;
-}
-
-int
-is_sending()
-{
-	return (packetlen != 0);
-}
-
-int
-read_dns(int fd, char *buf, int buflen)
-{
-	struct sockaddr_in from;
-	char packet[64*1024];
-	socklen_t addrlen;
-	struct query q;
-	int rv;
-	int r;
-
-	addrlen = sizeof(struct sockaddr);
-	if ((r = recvfrom(fd, packet, sizeof(packet), 0, 
-					  (struct sockaddr*)&from, &addrlen)) == -1) {
-		warn("recvfrom");
-		return 0;
-	}
-
-	rv = dns_decode(buf, buflen, &q, QR_ANSWER, packet, r);
-
-	if (is_sending() && chunkid == q.id) {
-		/* Got ACK on sent packet */
-		packetpos += lastlen;
-		if (packetpos == packetlen) {
-			/* Packet completed */
-			packetpos = 0;
-			packetlen = 0;
-			lastlen = 0;
-		} else {
-			/* More to send */
-			send_chunk(fd);
-		}
-	}
-	return rv;
-}
-
-
-static int
-tunnel_tun(int tun_fd, int dns_fd)
-{
-	unsigned long outlen;
-	unsigned long inlen;
-	char out[64*1024];
-	char in[64*1024];
-	size_t read;
-
-	if ((read = read_tun(tun_fd, in, sizeof(in))) <= 0)
-		return -1;
-
-	outlen = sizeof(out);
-	inlen = read;
-	compress2((uint8_t*)out, &outlen, (uint8_t*)in, inlen, 9);
-
-	memcpy(activepacket, out, MIN(outlen, sizeof(activepacket)));
-	lastlen = 0;
-	packetpos = 0;
-	packetlen = outlen;
-
-	send_chunk(dns_fd);
-
-	return read;
-}
-
-static int
-tunnel_dns(int tun_fd, int dns_fd)
-{
-	unsigned long outlen;
-	unsigned long inlen;
-	char out[64*1024];
-	char in[64*1024];
-	size_t read;
-
-	if ((read = read_dns(dns_fd, in, sizeof(in))) <= 0) 
-		return -1;
-		
-	outlen = sizeof(out);
-	inlen = read;
-	if (uncompress((uint8_t*)out, &outlen, (uint8_t*)in, inlen) != Z_OK)
-		return -1;
-
-	write_tun(tun_fd, out, outlen);
-	if (!is_sending()) 
-		send_ping(dns_fd);
-	
-	return read;
-}
-
-static int
-tunnel(int tun_fd, int dns_fd)
-{
-	struct timeval tv;
-	fd_set fds;
-	int rv;
-	int i;
-
-	rv = 0;
-
-	while (running) {
-		tv.tv_sec = 1;
-		tv.tv_usec = 0;
-
-		FD_ZERO(&fds);
-		if (!is_sending()) 
-			FD_SET(tun_fd, &fds);
-		FD_SET(dns_fd, &fds);
-
-		i = select(MAX(tun_fd, dns_fd) + 1, &fds, NULL, NULL, &tv);
-		
-		if (running == 0)
-			break;
-
-		if (i < 0) 
-			err(1, "select");
-
-		if (i == 0) /* timeout */
-			send_ping(dns_fd);
-		else {
-			if (FD_ISSET(tun_fd, &fds)) {
-				if (tunnel_tun(tun_fd, dns_fd) <= 0)
-					continue;
-			}
-			if (FD_ISSET(dns_fd, &fds)) {
-				if (tunnel_dns(tun_fd, dns_fd) <= 0)
-					continue;
-			} 
-		}
-	}
-
-	return rv;
-}
-
-static void
-send_chunk(int fd)
-{
-	char hex[] = "0123456789ABCDEF";
-	char packet[4096];
-	struct query q;
-	char buf[4096];
-	int avail;
-	int code;
-	char *p;
-	int len;
-
-	q.id = ++chunkid;
-	q.type = T_NULL;
-
-	p = activepacket;
-	p += packetpos;
-	avail = packetlen - packetpos;
-
-	lastlen = build_hostname(buf + 1, sizeof(buf) - 1, p, avail, topdomain);
-
-	if (lastlen == avail)
-		code = 1;
-	else
-		code = 0;
-		
-	code |= (userid << 1);
-	buf[0] = hex[code];
-	len = dns_encode(packet, sizeof(packet), &q, QR_QUERY, buf, strlen(buf));
-
-	sendto(fd, packet, len, 0, (struct sockaddr*)&peer, sizeof(peer));
-}
-
-void
-send_login(int fd, char *login, int len)
-{
-	char data[19];
-
-	memset(data, 0, sizeof(data));
-	data[0] = userid;
-	memcpy(&data[1], login, MIN(len, 16));
-
-	data[17] = (rand_seed >> 8) & 0xff;
-	data[18] = (rand_seed >> 0) & 0xff;
-	
-	rand_seed++;
-
-	send_packet(fd, 'L', data, sizeof(data));
-}
-
-static void
-send_ping(int fd)
-{
-	char data[3];
-	
-	if (is_sending()) {
-		lastlen = 0;
-		packetpos = 0;
-		packetlen = 0;
-	}
-
-	data[0] = userid;
-	data[1] = (rand_seed >> 8) & 0xff;
-	data[2] = (rand_seed >> 0) & 0xff;
-	
-	rand_seed++;
-
-	send_packet(fd, 'P', data, sizeof(data));
-}
-
-void 
-send_version(int fd, uint32_t version)
-{
-	char data[6];
-
-	data[0] = (version >> 24) & 0xff;
-	data[1] = (version >> 16) & 0xff;
-	data[2] = (version >> 8) & 0xff;
-	data[3] = (version >> 0) & 0xff;
-
-	data[4] = (rand_seed >> 8) & 0xff;
-	data[5] = (rand_seed >> 0) & 0xff;
-	
-	rand_seed++;
-
-	send_packet(fd, 'V', data, sizeof(data));
-}
-
-static int
-handshake(int dns_fd)
-{
-	struct timeval tv;
-	uint32_t payload;
-	char server[65];
-	char client[65];
-	char login[16];
-	char in[4096];
-	fd_set fds;
-	int read;
-	int mtu;
-	int seed;
-	int i;
-	int r;
-
-	for (i = 0; running && i < 5; i++) {
-		tv.tv_sec = i + 1;
-		tv.tv_usec = 0;
-
-		send_version(dns_fd, VERSION);
-		
-		FD_ZERO(&fds);
-		FD_SET(dns_fd, &fds);
-
-		r = select(dns_fd + 1, &fds, NULL, NULL, &tv);
-
-		if(r > 0) {
-			read = read_dns(dns_fd, in, sizeof(in));
-			
-			if(read < 0) {
-				perror("read");
-				continue;
-			}
-
-			if (read >= 9) {
-				payload =  (((in[4] & 0xff) << 24) |
-							((in[5] & 0xff) << 16) |
-							((in[6] & 0xff) << 8) |
-							((in[7] & 0xff)));
-
-				if (strncmp("VACK", in, 4) == 0) {
-					seed = payload;
-					userid = in[8];
-
-					printf("Version ok, both running 0x%08x. You are user #%d\n", VERSION, userid);
-					goto perform_login;
-				} else if (strncmp("VNAK", in, 4) == 0) {
-					errx(1, "you run 0x%08x, server runs 0x%08x. giving up\n", 
-							VERSION, payload);
-					/* NOTREACHED */
-				} else if (strncmp("VFUL", in, 4) == 0) {
-					errx(1, "server full, all %d slots are taken. try again later\n", payload);
-					/* NOTREACHED */
-				}
-			} else 
-				warnx("did not receive proper login challenge\n");
-		}
-		
-		printf("Retrying version check...\n");
-	}
-	errx(1, "couldn't connect to server");
-	/* NOTREACHED */
-	
-perform_login:
-	login_calculate(login, 16, password, seed);
-	
-	for (i=0; running && i<5 ;i++) {
-		tv.tv_sec = i + 1;
-		tv.tv_usec = 0;
-
-		send_login(dns_fd, login, 16);
-		
-		FD_ZERO(&fds);
-		FD_SET(dns_fd, &fds);
-
-		r = select(dns_fd + 1, &fds, NULL, NULL, &tv);
-
-		if(r > 0) {
-			read = read_dns(dns_fd, in, sizeof(in));
-			
-			if(read <= 0) {
-				warn("read");
-				continue;
-			}
-
-			if (read > 0) {
-				if (strncmp("LNAK", in, 4) == 0) {
-					printf("Bad password\n");
-					return 1;
-				} else if (sscanf(in, "%64[^-]-%64[^-]-%d", 
-					server, client, &mtu) == 3) {
-					
-					server[64] = 0;
-					client[64] = 0;
-					if (tun_setip(client) == 0 && 
-						tun_setmtu(mtu) == 0) {
-						return 0;
-					} else {
-						warnx("Received handshake with bad data");
-					}
-				} else {
-					printf("Received bad handshake\n");
-				}
-			}
-		}
-
-		printf("Retrying login...\n");
-	}
-
-	return 1;
-}
-
-static void 
-set_target(const char *host) 
-{
-	struct hostent *h;
-
-	h = gethostbyname(host);
-	if (!h)
-		err(1, "couldn't resolve name %s", host);
-
-	memset(&peer, 0, sizeof(peer));
-	peer.sin_family = AF_INET;
-	peer.sin_port = htons(53);
-	peer.sin_addr = *((struct in_addr *) h->h_addr);
+	client_stop();
 }
 
 static void
 usage() {
 	extern char *__progname;
 
-	printf("Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] [-d device] "
-			"nameserver topdomain\n", __progname);
+	fprintf(stderr, "Usage: %s [-v] [-h] [-f] [-r] [-u user] [-t chrootdir] [-d device] "
+			"[-P password] [-m maxfragsize] [-M maxlen] [-T type] [-O enc] [-L 0|1] [-I sec] "
+			"[-z context] [-F pidfile] [nameserver] topdomain\n", __progname);
 	exit(2);
 }
 
@@ -488,30 +70,39 @@ static void
 help() {
 	extern char *__progname;
 
-	printf("iodine IP over DNS tunneling client\n");
-	printf("Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] [-d device] "
-			"[-P password] nameserver topdomain\n", __progname);
-	printf("  -v to print version info and exit\n");
-	printf("  -h to print this help and exit\n");
-	printf("  -f to keep running in foreground\n");
-	printf("  -u name to drop privileges and run as user 'name'\n");
-	printf("  -t dir to chroot to directory dir\n");
-	printf("  -d device to set tunnel device name\n");
-	printf("  -P password used for authentication (max 32 chars will be used)\n");
-	printf("nameserver is the IP number of the relaying nameserver\n");
-	printf("topdomain is the FQDN that is delegated to the tunnel endpoint.\n");
+	fprintf(stderr, "iodine IP over DNS tunneling client\n");
+	fprintf(stderr, "Usage: %s [-v] [-h] [-f] [-r] [-u user] [-t chrootdir] [-d device] "
+			"[-P password] [-m maxfragsize] [-M maxlen] [-T type] [-O enc] [-L 0|1] [-I sec] "
+			"[-z context] [-F pidfile] [nameserver] topdomain\n", __progname);
+	fprintf(stderr, "Options to try if connection doesn't work:\n");
+	fprintf(stderr, "  -T force dns type: NULL, TXT, SRV, MX, CNAME, A (default: autodetect)\n");
+	fprintf(stderr, "  -O force downstream encoding for -T other than NULL: Base32, Base64, Base64u,\n");
+	fprintf(stderr, "     Base128, or (only for TXT:) Raw  (default: autodetect)\n");
+	fprintf(stderr, "  -I max interval between requests (default 4 sec) to prevent DNS timeouts\n");
+	fprintf(stderr, "  -L 1: use lazy mode for low-latency (default). 0: don't (implies -I1)\n");
+	fprintf(stderr, "  -m max size of downstream fragments (default: autodetect)\n");
+	fprintf(stderr, "  -M max size of upstream hostnames (~100-255, default: 255)\n");
+	fprintf(stderr, "  -r to skip raw UDP mode attempt\n");
+	fprintf(stderr, "  -P password used for authentication (max 32 chars will be used)\n");
+	fprintf(stderr, "Other options:\n");
+	fprintf(stderr, "  -v to print version info and exit\n");
+	fprintf(stderr, "  -h to print this help and exit\n");
+	fprintf(stderr, "  -f to keep running in foreground\n");
+	fprintf(stderr, "  -u name to drop privileges and run as user 'name'\n");
+	fprintf(stderr, "  -t dir to chroot to directory dir\n");
+	fprintf(stderr, "  -d device to set tunnel device name\n");
+	fprintf(stderr, "  -z context, to apply specified SELinux context after initialization\n");
+	fprintf(stderr, "  -F pidfile to write pid to a file\n");
+	fprintf(stderr, "nameserver is the IP number/hostname of the relaying nameserver. if absent, /etc/resolv.conf is used\n");
+	fprintf(stderr, "topdomain is the FQDN that is delegated to the tunnel endpoint.\n");
 
 	exit(0);
 }
 
 static void
 version() {
-	char *svnver;
-   
-	svnver = "$Rev$ from $Date$";
-
-	printf("iodine IP over DNS tunneling client\n");
-	printf("SVN version: %s\n", svnver);
+	fprintf(stderr, "iodine IP over DNS tunneling client\n");
+	fprintf(stderr, "version: 0.6.0-rc1 from 2010-02-13\n");
 
 	exit(0);
 }
@@ -519,35 +110,81 @@ version() {
 int
 main(int argc, char **argv)
 {
+	char *nameserv_addr;
+	char *topdomain;
+#ifndef WINDOWS32
 	struct passwd *pw;
+#endif
 	char *username;
+	char password[33];
 	int foreground;
 	char *newroot;
+	char *context;
 	char *device;
+	char *pidfile;
 	int choice;
 	int tun_fd;
 	int dns_fd;
+	int max_downstream_frag_size;
+	int autodetect_frag_size;
+	int retval;
+	int raw_mode;
+	int lazymode;
+	int selecttimeout;
+	int hostname_maxlen;
 
-	memset(password, 0, 33);
+	nameserv_addr = NULL;
+	topdomain = NULL;
+#ifndef WINDOWS32
+	pw = NULL;
+#endif
 	username = NULL;
+	memset(password, 0, 33);
+	srand(time(NULL));
 	foreground = 0;
 	newroot = NULL;
+	context = NULL;
 	device = NULL;
-	chunkid = 0;
+	pidfile = NULL;
 
-	enc = get_base32_encoder();
+	autodetect_frag_size = 1;
+	max_downstream_frag_size = 3072;
+	retval = 0;
+	raw_mode = 1;
+	lazymode = 1;
+	selecttimeout = 4;
+	hostname_maxlen = 0xFF;
+
+#ifdef WINDOWS32
+	WSAStartup(req_version, &wsa_data);
+#endif
+
+	srand((unsigned) time(NULL));
+	client_init();
 	
-	while ((choice = getopt(argc, argv, "vfhu:t:d:P:")) != -1) {
+#if !defined(BSD) && !defined(__GLIBC__)
+	__progname = strrchr(argv[0], '/');
+	if (__progname == NULL)
+		__progname = argv[0];
+	else
+		__progname++;
+#endif
+
+	while ((choice = getopt(argc, argv, "vfhru:t:d:P:m:M:F:T:O:L:I:")) != -1) {
 		switch(choice) {
 		case 'v':
 			version();
+			/* NOTREACHED */
 			break;
 		case 'f':
 			foreground = 1;
 			break;
 		case 'h':
 			help();
+			/* NOTREACHED */
 			break;
+		case 'r':
+			raw_mode = 0;
 		case 'u':
 			username = optarg;
 			break;
@@ -558,8 +195,48 @@ main(int argc, char **argv)
 			device = optarg;
 			break;
 		case 'P':
-			strncpy(password, optarg, 32);
-			password[32] = 0;
+			strncpy(password, optarg, sizeof(password));
+			password[sizeof(password)-1] = 0;
+			
+			/* XXX: find better way of cleaning up ps(1) */
+			memset(optarg, 0, strlen(optarg)); 
+			break;
+		case 'm':
+			autodetect_frag_size = 0;
+			max_downstream_frag_size = atoi(optarg);
+			break;
+		case 'M':
+			hostname_maxlen = atoi(optarg);
+			if (hostname_maxlen > 255)
+				hostname_maxlen = 255;
+			if (hostname_maxlen < 10)
+				hostname_maxlen = 10;
+			break;
+		case 'z':
+			context = optarg;
+			break;
+		case 'F':
+			pidfile = optarg;
+			break;    
+		case 'T':
+			set_qtype(optarg);
+			break;
+		case 'O':       /* not -D, is Debug in server */
+			set_downenc(optarg);
+			break;
+		case 'L':
+			lazymode = atoi(optarg);
+			if (lazymode > 1)
+				lazymode = 1;
+			if (lazymode < 0)
+				lazymode = 0;
+			if (!lazymode)
+				selecttimeout = 1;
+			break;
+		case 'I':
+			selecttimeout = atoi(optarg);
+			if (selecttimeout < 1)
+				selecttimeout = 1;
 			break;
 		default:
 			usage();
@@ -567,66 +244,132 @@ main(int argc, char **argv)
 		}
 	}
 	
-	if (geteuid() != 0) {
-		printf("Run as root and you'll be happy.\n");
-		usage();
-	}
+	check_superuser(usage);
 
 	argc -= optind;
 	argv += optind;
-	
-	if (argc != 2) 
+
+	switch (argc) {
+	case 1:
+		nameserv_addr = get_resolvconf_addr();
+		topdomain = strdup(argv[0]);
+		break;
+	case 2:
+		nameserv_addr = argv[0];
+		topdomain = strdup(argv[1]);
+		break;
+	default:
 		usage();
+		/* NOTREACHED */
+	}
 
-	topdomain = strdup(argv[1]);
+	if (max_downstream_frag_size < 1 || max_downstream_frag_size > 0xffff) {
+		warnx("Use a max frag size between 1 and 65535 bytes.\n");
+		usage();
+		/* NOTREACHED */
+	}
 
-	if(username) {
-		pw = getpwnam(username);
-		if (!pw) {
-			printf("User %s does not exist!\n", username);
+	if (nameserv_addr) {
+		client_set_nameserver(nameserv_addr, DNS_PORT);
+	} else {
+		warnx("No nameserver found - not connected to any network?\n");
+		usage();
+		/* NOTREACHED */
+	}	
+
+	if (strlen(topdomain) <= 128) {
+		if(check_topdomain(topdomain)) {
+			warnx("Topdomain contains invalid characters.\n");
 			usage();
+			/* NOTREACHED */
 		}
+	} else {
+		warnx("Use a topdomain max 128 chars long.\n");
+		usage();
+		/* NOTREACHED */
+	}
+
+	client_set_selecttimeout(selecttimeout);
+	client_set_lazymode(lazymode);
+	client_set_topdomain(topdomain);
+	client_set_hostname_maxlen(hostname_maxlen);
+	
+	if (username != NULL) {
+#ifndef WINDOWS32
+		if ((pw = getpwnam(username)) == NULL) {
+			warnx("User %s does not exist!\n", username);
+			usage();
+			/* NOTREACHED */
+		}
+#endif
 	}
 	
 	if (strlen(password) == 0) {
-		printf("Enter password on stdin:\n");
-		scanf("%32s", password);
-		password[32] = 0;
+		if (NULL != getenv(PASSWORD_ENV_VAR))
+			snprintf(password, sizeof(password), "%s", getenv(PASSWORD_ENV_VAR));
+		else
+			read_password(password, sizeof(password));
 	}
+	
+	client_set_password(password);
 
-	if ((tun_fd = open_tun(device)) == -1)
+	if ((tun_fd = open_tun(device)) == -1) {
+		retval = 1;
 		goto cleanup1;
-	if ((dns_fd = open_dns(0, INADDR_ANY)) == -1)
+	}
+	if ((dns_fd = open_dns(0, INADDR_ANY)) == -1) {
+		retval = 1;
 		goto cleanup2;
-	set_target(argv[0]);
+	}
 
 	signal(SIGINT, sighandler);
 	signal(SIGTERM, sighandler);
 
-	if(handshake(dns_fd))
+	fprintf(stderr, "Sending DNS queries for %s to %s\n",
+		topdomain, nameserv_addr);
+
+	if (client_handshake(dns_fd, raw_mode, autodetect_frag_size, max_downstream_frag_size)) {
+		retval = 1;
 		goto cleanup2;
-	
-	printf("Sending queries for %s to %s\n", argv[1], argv[0]);
-
-	do_chroot(newroot);
-	
-	if (username) {
-		if (setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0) {
-			printf("Could not switch to user %s!\n", username);
-			usage();
-		}
 	}
 	
-	if (!foreground) {
+	if (client_get_conn() == CONN_RAW_UDP) {
+		fprintf(stderr, "Sending raw traffic directly to %s\n", client_get_raw_addr());
+	}
+
+	fprintf(stderr, "Connection setup complete, transmitting data.\n");
+
+	if (foreground == 0) 
 		do_detach();
+	
+	if (pidfile != NULL)
+		do_pidfile(pidfile);
+
+	if (newroot != NULL)
+		do_chroot(newroot);
+	
+	if (username != NULL) {
+#ifndef WINDOWS32
+		gid_t gids[1];
+		gids[0] = pw->pw_gid;
+		if (setgroups(1, gids) < 0 || setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0) {
+			warnx("Could not switch to user %s!\n", username);
+			usage();
+			/* NOTREACHED */
+		}
+#endif
 	}
 
-	tunnel(tun_fd, dns_fd);
+	if (context != NULL)
+		do_setcon(context);
+
+	client_tunnel(tun_fd, dns_fd);
 
 cleanup2:
 	close_dns(dns_fd);
 	close_tun(tun_fd);
 cleanup1:
 
-	return 0;
+	return retval;
 }
+

src/login.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,16 +15,21 @@
  */
 
 #include <string.h>
-#include <arpa/inet.h>
 #include <sys/types.h>
 
+#ifdef WINDOWS32
+#include "windows.h"
+#else
+#include <arpa/inet.h>
+#endif
+
 #include "md5.h"
 
 /* 
  * Needs a 16byte array for output, and 32 bytes password 
  */
 void 
-login_calculate(char *buf, int buflen, char *pass, int seed) 
+login_calculate(char *buf, int buflen, const char *pass, int seed) 
 {
 	unsigned char temp[32];
 	md5_state_t ctx;

src/login.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
 #ifndef __LOGIN_H__
 #define __LOGIN_H__
 
-void login_calculate(char *, int, char *, int);
+void login_calculate(char *, int, const char *, int);
 
 #endif
 

src/osflags

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+case $2 in
+link)
+
+	case $1 in
+		SunOS | solaris)
+			echo '-lsocket -lnsl';
+		;;
+		BeOS)
+			echo '-lsocket -lbind -lbsd';
+		;;
+		Haiku)
+			echo '-lnetwork';
+		;;
+		windows32)
+			echo '-lws2_32 -liphlpapi';
+		;;
+		Linux)
+			[ -e /usr/include/selinux/selinux.h ] && echo '-lselinux';
+		;;
+	esac
+	;;
+cflags)
+	case $1 in
+		BeOS)
+			echo '-Dsocklen_t=int';
+		;;
+		Linux)
+			[ -e /usr/include/selinux/selinux.h ] && echo '-DHAVE_SETCON';
+		;;
+	esac
+;;
+*)
+;;
+esac

src/read.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -125,6 +125,35 @@ readdata(char *packet, char **src, char *dst, size_t len)
 	return len;
 }
 
+int
+readtxtbin(char *packet, char **src, size_t srcremain, char *dst, size_t dstremain)
+{
+	unsigned char *uc;
+	int tocopy;
+	int dstused = 0;
+
+	while (srcremain > 0)
+	{
+		uc = (unsigned char*) (*src);
+		tocopy = *uc;
+		(*src)++;
+		srcremain--;
+
+		if (tocopy > srcremain)
+			return 0;	/* illegal, better have nothing */
+		if (tocopy > dstremain)
+			return 0;	/* doesn't fit, better have nothing */
+
+		memcpy(dst, *src, tocopy);
+		dst += tocopy;
+		(*src) += tocopy;
+		srcremain -= tocopy;
+		dstremain -= tocopy;
+		dstused += tocopy;
+	}
+	return dstused;
+}
+
 int
 putname(char **buf, size_t buflen, const char *host)
 {
@@ -212,3 +241,35 @@ putdata(char **dst, char *data, size_t len)
 	return len;
 }
 
+int
+puttxtbin(char **buf, size_t bufremain, char *from, size_t fromremain)
+{
+	unsigned char uc;
+	unsigned char *ucp = &uc;
+	char *cp = (char *) ucp;
+	int tocopy;
+	int bufused = 0;
+
+	while (fromremain > 0)
+	{
+		tocopy = fromremain;
+		if (tocopy > 252)
+			tocopy = 252;	/* allow off-by-1s in caches etc */
+		if (tocopy + 1 > bufremain)
+			return -1;	/* doesn't fit, better have nothing */
+
+		uc = tocopy;
+		**buf = *cp;
+		(*buf)++;
+		bufremain--;
+		bufused++;
+
+		memcpy(*buf, from, tocopy);
+		(*buf) += tocopy;
+		from += tocopy;
+		bufremain -= tocopy;
+		fromremain -= tocopy;
+		bufused += tocopy;
+	}
+	return bufused;
+}

src/read.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -21,11 +21,13 @@ int readname(char *, int, char **, char *, size_t);
 int readshort(char *, char **, short *);
 int readlong(char *, char **, uint32_t *);
 int readdata(char *, char **, char *, size_t);
+int readtxtbin(char *, char **, size_t, char *, size_t);
 
 int putname(char **, size_t, const char *);
 int putbyte(char **, unsigned char);
 int putshort(char **, unsigned short);
 int putlong(char **, uint32_t);
 int putdata(char **, char *, size_t);
+int puttxtbin(char **, size_t, char *, size_t);
 
 #endif

src/tun.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -23,16 +23,42 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+
+#ifdef WINDOWS32
+#include <winsock2.h>
+#include <winioctl.h>
+#include "windows.h"
+
+HANDLE dev_handle;
+struct tun_data data;
+
+static void get_name(char *ifname, int namelen, char *dev_name);
+
+#define TAP_CONTROL_CODE(request,method) CTL_CODE(FILE_DEVICE_UNKNOWN, request, method, FILE_ANY_ACCESS)
+#define TAP_IOCTL_CONFIG_TUN       TAP_CONTROL_CODE(10, METHOD_BUFFERED)
+#define TAP_IOCTL_SET_MEDIA_STATUS TAP_CONTROL_CODE(6, METHOD_BUFFERED)
+
+#define TAP_ADAPTER_KEY "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}"
+#define NETWORK_KEY "SYSTEM\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"
+#define TAP_DEVICE_SPACE "\\\\.\\Global\\"
+#define TAP_VERSION_ID_0801 "tap0801"
+#define TAP_VERSION_ID_0901 "tap0901"
+#define KEY_COMPONENT_ID "ComponentId"
+#define NET_CFG_INST_ID "NetCfgInstanceId"
+#else
 #include <err.h>
 #include <arpa/inet.h>
 #include <netinet/in.h>
 
-#include "tun.h"
-
 #define TUN_MAX_TRY 50
+#endif
 
-char if_name[50];
+#include "tun.h"
+#include "common.h"
 
+char if_name[250];
+
+#ifndef WINDOWS32
 #ifdef LINUX
 
 #include <sys/ioctl.h>
@@ -58,10 +84,12 @@ open_tun(const char *tun_device)
 
 	if (tun_device != NULL) {
 		strncpy(ifreq.ifr_name, tun_device, IFNAMSIZ);
+		ifreq.ifr_name[IFNAMSIZ-1] = '\0';
 		strncpy(if_name, tun_device, sizeof(if_name));
+		if_name[sizeof(if_name)-1] = '\0';
 
 		if (ioctl(tun_fd, TUNSETIFF, (void *) &ifreq) != -1) {
-			printf("Opened %s\n", ifreq.ifr_name);
+			fprintf(stderr, "Opened %s\n", ifreq.ifr_name);
 			return tun_fd;
 		}
 
@@ -74,7 +102,7 @@ open_tun(const char *tun_device)
 			snprintf(ifreq.ifr_name, IFNAMSIZ, "dns%d", i);
 
 			if (ioctl(tun_fd, TUNSETIFF, (void *) &ifreq) != -1) {
-				printf("Opened %s\n", ifreq.ifr_name);
+				fprintf(stderr, "Opened %s\n", ifreq.ifr_name);
 				snprintf(if_name, sizeof(if_name), "dns%d", i);
 				return tun_fd;
 			}
@@ -87,6 +115,7 @@ open_tun(const char *tun_device)
 
 		warn("open_tun: Couldn't set interface name");
 	}
+	warn("error when opening tun");
 	return -1;
 }
 
@@ -102,20 +131,21 @@ open_tun(const char *tun_device)
 	if (tun_device != NULL) {
 		snprintf(tun_name, sizeof(tun_name), "/dev/%s", tun_device);
 		strncpy(if_name, tun_device, sizeof(if_name));
+		if_name[sizeof(if_name)-1] = '\0';
 
 		if ((tun_fd = open(tun_name, O_RDWR)) < 0) {
 			warn("open_tun: %s: %s", tun_name, strerror(errno));
 			return -1;
 		}
 
-		printf("Opened %s\n", tun_name);
+		fprintf(stderr, "Opened %s\n", tun_name);
 		return tun_fd;
 	} else {
 		for (i = 0; i < TUN_MAX_TRY; i++) {
 			snprintf(tun_name, sizeof(tun_name), "/dev/tun%d", i);
 
 			if ((tun_fd = open(tun_name, O_RDWR)) >= 0) {
-				printf("Opened %s\n", tun_name);
+				fprintf(stderr, "Opened %s\n", tun_name);
 				snprintf(if_name, sizeof(if_name), "tun%d", i);
 				return tun_fd;
 			}
@@ -131,6 +161,191 @@ open_tun(const char *tun_device)
 }
 
 #endif /* !LINUX */
+#else /* WINDOWS32 */
+static void
+get_device(char *device, int device_len, const char *wanted_dev)
+{
+	LONG status;
+	HKEY adapter_key;
+	int index;
+
+	index = 0;
+	status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TAP_ADAPTER_KEY, 0, KEY_READ, &adapter_key);
+
+	if (status != ERROR_SUCCESS) {
+		warnx("Error opening registry key " TAP_ADAPTER_KEY );
+		return;
+	}
+	
+	while (TRUE) {
+		char name[256];
+		char unit[256];
+		char component[256];
+
+		char cid_string[256] = KEY_COMPONENT_ID;
+		HKEY device_key;
+		DWORD datatype;
+		DWORD len;
+
+		/* Iterate through all adapter of this kind */
+		len = sizeof(name);
+		status = RegEnumKeyEx(adapter_key, index, name, &len, NULL, NULL, NULL, NULL);
+		if (status == ERROR_NO_MORE_ITEMS) {
+			break;
+		} else if (status != ERROR_SUCCESS) {
+			warnx("Error enumerating subkeys of registry key " TAP_ADAPTER_KEY );
+			break;
+		}
+
+		snprintf(unit, sizeof(unit), TAP_ADAPTER_KEY "\\%s", name);
+		status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, unit, 0, KEY_READ, &device_key);
+		if (status != ERROR_SUCCESS) {
+			warnx("Error opening registry key %s", unit);
+			goto next;
+		}
+
+		/* Check component id */
+		len = sizeof(component);
+		status = RegQueryValueEx(device_key, cid_string, NULL, &datatype, (LPBYTE)component, &len);
+		if (status != ERROR_SUCCESS || datatype != REG_SZ) {
+			goto next;
+		}
+		if (strncmp(TAP_VERSION_ID_0801, component, strlen(TAP_VERSION_ID_0801)) == 0 ||
+			strncmp(TAP_VERSION_ID_0901, component, strlen(TAP_VERSION_ID_0901)) == 0) {
+			/* We found a TAP32 device, get its NetCfgInstanceId */
+			char iid_string[256] = NET_CFG_INST_ID;
+			
+			status = RegQueryValueEx(device_key, iid_string, NULL, &datatype, (LPBYTE) device, (DWORD *) &device_len);
+			if (status != ERROR_SUCCESS || datatype != REG_SZ) {
+				warnx("Error reading registry key %s\\%s on TAP device", unit, iid_string);
+			} else {
+				/* Done getting GUID of TAP device,
+				 * now check if the name is the requested one */
+				if (wanted_dev) {
+					char name[250];
+					get_name(name, sizeof(name), device);
+					if (strncmp(name, wanted_dev, strlen(wanted_dev))) {
+						/* Skip if name mismatch */
+						goto next;
+					}
+				}
+				/* Get the if name */
+				get_name(if_name, sizeof(if_name), device);
+				RegCloseKey(device_key);
+				return;
+			}
+		}
+next:
+		RegCloseKey(device_key);
+		index++;
+	}
+	RegCloseKey(adapter_key);
+}
+
+static void
+get_name(char *ifname, int namelen, char *dev_name)
+{
+	char path[256];
+	char name_str[256] = "Name";
+	LONG status;
+	HKEY conn_key;
+	DWORD len;
+	DWORD datatype;
+
+	memset(ifname, 0, namelen);
+
+	snprintf(path, sizeof(path), NETWORK_KEY "\\%s\\Connection", dev_name);
+	status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, path, 0, KEY_READ, &conn_key);
+	if (status != ERROR_SUCCESS) {
+		fprintf(stderr, "Could not look up name of interface %s: error opening key\n", dev_name);
+		RegCloseKey(conn_key);
+		return;
+	}
+	len = namelen;
+	status = RegQueryValueEx(conn_key, name_str, NULL, &datatype, (LPBYTE)ifname, &len);
+	if (status != ERROR_SUCCESS || datatype != REG_SZ) {
+		fprintf(stderr, "Could not look up name of interface %s: error reading value\n", dev_name);
+		RegCloseKey(conn_key);
+		return;
+	}
+	RegCloseKey(conn_key);
+}
+
+DWORD WINAPI tun_reader(LPVOID arg)
+{
+	struct tun_data *tun = arg;
+	char buf[64*1024];
+	int len;
+	int res;
+	OVERLAPPED olpd;
+	int sock;
+
+	sock = open_dns(0, INADDR_ANY);
+
+	olpd.hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
+
+	while(TRUE) {
+		olpd.Offset = 0;
+		olpd.OffsetHigh = 0;
+		res = ReadFile(tun->tun, buf, sizeof(buf), (LPDWORD) &len, &olpd);
+		if (!res) {
+			WaitForSingleObject(olpd.hEvent, INFINITE);
+			res = GetOverlappedResult(dev_handle, &olpd, (LPDWORD) &len, FALSE);
+			res = sendto(sock, buf, len, 0, (struct sockaddr*) &(tun->addr), 
+				sizeof(struct sockaddr_in));
+		}
+	}
+
+	return 0;
+}
+
+int 
+open_tun(const char *tun_device) 
+{
+	char adapter[256];
+	char tapfile[512];
+	int tunfd;
+	in_addr_t local;
+
+	memset(adapter, 0, sizeof(adapter));
+	memset(if_name, 0, sizeof(if_name));
+	get_device(adapter, sizeof(adapter), tun_device);
+
+	if (strlen(adapter) == 0 || strlen(if_name) == 0) {
+		if (tun_device) {
+			warnx("No TAP adapters found. Try without -d.");
+		} else {
+			warnx("No TAP adapters found. Version 0801 and 0901 are supported.");
+		}
+		return -1;
+	}
+	
+	fprintf(stderr, "Opening device %s\n", if_name);
+	snprintf(tapfile, sizeof(tapfile), "%s%s.tap", TAP_DEVICE_SPACE, adapter);
+	dev_handle = CreateFile(tapfile, GENERIC_WRITE | GENERIC_READ, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, NULL);
+	if (dev_handle == INVALID_HANDLE_VALUE) {
+		warnx("Could not open device!");
+		return -1;
+	}
+
+	/* Use a UDP connection to forward packets from tun,
+	 * so we can still use select() in main code.
+	 * A thread does blocking reads on tun device and 
+	 * sends data as udp to this socket */
+	
+	local = htonl(0x7f000001); /* 127.0.0.1 */
+	tunfd = open_dns(55353, local);
+
+	data.tun = dev_handle;
+	memset(&(data.addr), 0, sizeof(data.addr));
+	data.addr.sin_family = AF_INET;
+	data.addr.sin_port = htons(55353);
+	data.addr.sin_addr.s_addr = local;
+	CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)tun_reader, &data, 0, NULL);
+	
+	return tunfd;
+}
+#endif 
 
 void 
 close_tun(int tun_fd) 
@@ -140,9 +355,9 @@ close_tun(int tun_fd)
 }
 
 int 
-write_tun(int tun_fd, char *data, int len) 
+write_tun(int tun_fd, char *data, size_t len) 
 {
-#if defined (FREEBSD) || defined (DARWIN) || defined(NETBSD)
+#if defined (FREEBSD) || defined (DARWIN) || defined(NETBSD) || defined(WINDOWS32)
 	data += 4;
 	len -= 4;
 #else /* !FREEBSD/DARWIN */
@@ -159,75 +374,168 @@ write_tun(int tun_fd, char *data, int len)
 #endif /* !LINUX */
 #endif /* FREEBSD */
 
+#ifndef WINDOWS32
 	if (write(tun_fd, data, len) != len) {
 		warn("write_tun");
 		return 1;
 	}
+#else /* WINDOWS32 */
+	{
+		DWORD written;
+		DWORD res;
+		OVERLAPPED olpd;
+
+		olpd.Offset = 0;
+		olpd.OffsetHigh = 0;
+		olpd.hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
+		res = WriteFile(dev_handle, data, len, &written, &olpd);
+		if (!res && GetLastError() == ERROR_IO_PENDING) {
+			WaitForSingleObject(olpd.hEvent, INFINITE);
+			res = GetOverlappedResult(dev_handle, &olpd, &written, FALSE);
+			if (written != len) {
+				return -1;
+			}
+		}
+	}
+#endif
 	return 0;
 }
 
-int 
-read_tun(int tun_fd, char *buf, int len) 
+ssize_t
+read_tun(int tun_fd, char *buf, size_t len) 
 {
-#if defined (FREEBSD) || defined (DARWIN) || defined(NETBSD)
+#if defined (FREEBSD) || defined (DARWIN) || defined(NETBSD) || defined(WINDOWS32)
 	/* FreeBSD/Darwin/NetBSD has no header */
-	return read(tun_fd, buf + 4, len - 4) + 4;
+	int bytes;
+	memset(buf, 0, 4);
+#ifdef WINDOWS32
+	/* Windows needs recv() since it is local UDP socket */
+	bytes = recv(tun_fd, buf + 4, len - 4, 0);
+#else
+	/* The other need read() because fd is not a socket */
+	bytes = read(tun_fd, buf + 4, len - 4);
+#endif /*WINDOWS32*/
+	if (bytes < 0) {
+		return bytes;
+	} else {
+		return bytes + 4;
+	}
 #else /* !FREEBSD */
 	return read(tun_fd, buf, len);
 #endif /* !FREEBSD */
 }
 
 int
-tun_setip(const char *ip)
+tun_setip(const char *ip, const char *remoteip, int netbits)
 {
 	char cmdline[512];
-
-	if (inet_addr(ip) != INADDR_NONE) {
-		snprintf(cmdline, sizeof(cmdline), 
-				"/sbin/ifconfig %s %s %s netmask 255.255.255.0",
-				if_name,
-				ip,
-				ip);
-		
-		printf("Setting IP of %s to %s\n", if_name, ip);
+	int netmask;
+	struct in_addr net;
+	int i;
 #ifndef LINUX
-		int r;
-
-		r = system(cmdline);
-		if(r != 0) {
-			return r;
-		} else {
-			snprintf(cmdline, sizeof(cmdline),
-					"/sbin/route add %s/24 %s",
-					ip, ip);
-		}
-		printf("Adding route %s/24 to %s\n", ip, ip);
+	int r;
 #endif
-		return system(cmdline);
+#ifdef WINDOWS32
+	DWORD status;
+	DWORD ipdata[3];
+	struct in_addr addr;
+	DWORD len;
+#endif
+
+	netmask = 0;
+	for (i = 0; i < netbits; i++) {
+		netmask = (netmask << 1) | 1;
+	}
+	netmask <<= (32 - netbits);
+	net.s_addr = htonl(netmask);
+
+	if (inet_addr(ip) == INADDR_NONE) {
+		fprintf(stderr, "Invalid IP: %s!\n", ip);
+		return 1;
+	}
+#ifndef WINDOWS32
+	snprintf(cmdline, sizeof(cmdline), 
+			"/sbin/ifconfig %s %s %s netmask %s",
+			if_name,
+			ip,
+#ifdef FREEBSD
+			remoteip, /* FreeBSD wants other IP as second IP */
+#else
+			ip,
+#endif
+			inet_ntoa(net));
+	
+	fprintf(stderr, "Setting IP of %s to %s\n", if_name, ip);
+#ifndef LINUX
+	r = system(cmdline);
+	if(r != 0) {
+		return r;
 	} else {
-		printf("Invalid IP: %s!\n", ip);
+		snprintf(cmdline, sizeof(cmdline),
+				"/sbin/route add %s/%d %s",
+				ip, netbits, ip);
+	}
+	fprintf(stderr, "Adding route %s/%d to %s\n", ip, netbits, ip);
+#endif
+	return system(cmdline);
+#else /* WINDOWS32 */
+
+	/* Set device as connected */
+	fprintf(stderr, "Enabling interface '%s'\n", if_name);
+	status = 1;
+	r = DeviceIoControl(dev_handle, TAP_IOCTL_SET_MEDIA_STATUS, &status, 
+		sizeof(status), &status, sizeof(status), &len, NULL);
+	if (!r) {
+		fprintf(stderr, "Failed to enable interface\n");
+		return -1;
+	}
+	
+	if (inet_aton(ip, &addr)) {
+		ipdata[0] = (DWORD) addr.s_addr;   /* local ip addr */
+		ipdata[1] = net.s_addr & ipdata[0]; /* network addr */
+		ipdata[2] = (DWORD) net.s_addr;    /* netmask */
+	} else {
+		return -1;
 	}
 
-	return 1;
+	/* Tell ip/networkaddr/netmask to device for arp use */
+	r = DeviceIoControl(dev_handle, TAP_IOCTL_CONFIG_TUN, &ipdata, 
+		sizeof(ipdata), &ipdata, sizeof(ipdata), &len, NULL);
+	if (!r) {
+		fprintf(stderr, "Failed to set interface in TUN mode\n");
+		return -1;
+	}
+
+	/* use netsh to set ip address */
+	fprintf(stderr, "Setting IP of interface '%s' to %s (can take a few seconds)...\n", if_name, ip);
+	snprintf(cmdline, sizeof(cmdline), "netsh interface ip set address \"%s\" static %s %s",
+		if_name, ip, inet_ntoa(net));
+	return system(cmdline);
+#endif
 }
 
 int 
-tun_setmtu(const int mtu)
+tun_setmtu(const unsigned mtu)
 {
+#ifndef WINDOWS32
 	char cmdline[512];
 
-	if (mtu > 200 && mtu < 1500) {
+	if (mtu > 200 && mtu <= 1500) {
 		snprintf(cmdline, sizeof(cmdline), 
-				"/sbin/ifconfig %s mtu %d",
+				"/sbin/ifconfig %s mtu %u",
 				if_name,
 				mtu);
 		
-		printf("Setting MTU of %s to %d\n", if_name, mtu);
+		fprintf(stderr, "Setting MTU of %s to %u\n", if_name, mtu);
 		return system(cmdline);
 	} else {
-		warn("MTU out of range: %d\n", mtu);
+		warn("MTU out of range: %u\n", mtu);
 	}
 
 	return 1;
+#else /* WINDOWS32 */
+
+	return 0;
+#endif
 }
 

src/tun.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,9 +19,9 @@
 
 int open_tun(const char *);
 void close_tun(int);
-int write_tun(int, char *, int);
-int read_tun(int, char *, int);
-int tun_setip(const char *);
-int tun_setmtu(const int);
+int write_tun(int, char *, size_t);
+ssize_t read_tun(int, char *, size_t);
+int tun_setip(const char *, const char *, int);
+int tun_setmtu(const unsigned);
 
 #endif /* _TUN_H_ */

src/user.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,13 +14,20 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#include <string.h>
 #include <stdio.h>
+#include <stdint.h>
 #include <time.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-#include <netinet/in.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#ifdef WINDOWS32
+#include <winsock2.h>
+#else
+#include <netdb.h>
+#endif
 
 #include "common.h"
 #include "encoding.h"
@@ -28,22 +35,62 @@
 
 struct user users[USERS];
 
-void
-init_users(in_addr_t my_ip)
+int
+init_users(in_addr_t my_ip, int netbits)
 {
 	int i;
+	int skip = 0;
 	char newip[16];
+	int created_users = 0;
+
+	int maxusers;
+
+	in_addr_t netmask = 0;
+	struct in_addr net;
+	struct in_addr ipstart;
+
+	for (i = 0; i < netbits; i++) {
+		netmask = (netmask << 1) | 1;
+	}
+	netmask <<= (32 - netbits);
+	net.s_addr = htonl(netmask);
+	ipstart.s_addr = my_ip & net.s_addr;
+
+	maxusers = (1 << (32-netbits)) - 3; /* 3: Net addr, broadcast addr, iodined addr */
 	
 	memset(users, 0, USERS * sizeof(struct user));
 	for (i = 0; i < USERS; i++) {
+		in_addr_t ip;
 		users[i].id = i;
-		snprintf(newip, sizeof(newip), "0.0.0.%d", i + 1);
-		users[i].tun_ip = my_ip + inet_addr(newip);;
-		users[i].inpacket.len = 0;
-		users[i].inpacket.offset = 0;
-		users[i].outpacket.len = 0;
-		users[i].q.id = 0;
+		snprintf(newip, sizeof(newip), "0.0.0.%d", i + skip + 1);
+		ip = ipstart.s_addr + inet_addr(newip);
+		if (ip == my_ip && skip == 0) {
+			/* This IP was taken by iodined */
+			skip++;
+			snprintf(newip, sizeof(newip), "0.0.0.%d", i + skip + 1);
+			ip = ipstart.s_addr + inet_addr(newip);
+		}
+		users[i].tun_ip = ip;
+		net.s_addr = ip;
+		if (maxusers--  < 1) {
+			users[i].disabled = 1;
+		} else {
+			users[i].disabled = 0;
+			created_users++;
+		}
+		users[i].active = 0;
+ 		/* Rest is reset on login ('V' packet) */
 	}
+
+	return created_users;
+}
+
+const char*
+users_get_first_ip()
+{
+	struct in_addr ip;
+	ip.s_addr = users[0].tun_ip;
+	return inet_ntoa(ip);
 }
 
 int
@@ -54,8 +101,9 @@ users_waiting_on_reply()
 
 	ret = 0;
 	for (i = 0; i < USERS; i++) {
-		if (users[i].active && users[i].last_pkt + 60 > time(NULL) &&
-			users[i].q.id != 0) {
+		if (users[i].active && !users[i].disabled && 
+			users[i].last_pkt + 60 > time(NULL) &&
+			users[i].q.id != 0 && users[i].conn == CONN_DNS_NULL) {
 			ret++;
 		}
 	}
@@ -71,7 +119,8 @@ find_user_by_ip(uint32_t ip)
 
 	ret = -1;
 	for (i = 0; i < USERS; i++) {
-		if (users[i].active && users[i].last_pkt + 60 > time(NULL) &&
+		if (users[i].active && !users[i].disabled &&
+			users[i].last_pkt + 60 > time(NULL) &&
 			ip == users[i].tun_ip) {
 			ret = i;
 			break;
@@ -82,6 +131,11 @@ find_user_by_ip(uint32_t ip)
 
 int
 all_users_waiting_to_send()
+/* If this returns true, then reading from tun device is blocked.
+   So only return true when all clients have at least one packet in
+   the outpacket-queue, so that sending back-to-back is possible
+   without going through another select loop.
+*/
 {
 	time_t now;
 	int ret;
@@ -90,8 +144,17 @@ all_users_waiting_to_send()
 	ret = 1;
 	now = time(NULL);
 	for (i = 0; i < USERS; i++) {
-		if (users[i].active && users[i].last_pkt + 60 > now &&
-			users[i].outpacket.len == 0) {
+		if (users[i].active && !users[i].disabled &&
+			users[i].last_pkt + 60 > now &&
+			((users[i].conn == CONN_RAW_UDP) || 
+			((users[i].conn == CONN_DNS_NULL) 
+#ifdef OUTPACKETQ_LEN
+				&& users[i].outpacketq_filled < 1
+#else
+				&& users[i].outpacket.len == 0
+#endif
+			))) {
+
 			ret = 0;
 			break;
 		}
@@ -106,9 +169,11 @@ find_available_user()
 	int i;
 	for (i = 0; i < USERS; i++) {
 		/* Not used at all or not used in one minute */
-		if (!users[i].active || users[i].last_pkt + 60 < time(NULL)) {
+		if ((!users[i].active || users[i].last_pkt + 60 < time(NULL)) && !users[i].disabled) {
 			users[i].active = 1;
 			users[i].last_pkt = time(NULL);
+			users[i].fragsize = 4096;
+			users[i].conn = CONN_DNS_NULL;
 			ret = i;
 			break;
 		}
@@ -116,3 +181,24 @@ find_available_user()
 	return ret;
 }
 
+void
+user_switch_codec(int userid, struct encoder *enc)
+{
+	if (userid < 0 || userid >= USERS)
+		return;
+	
+	users[userid].encoder = enc;
+}
+
+void
+user_set_conn_type(int userid, enum connection c)
+{
+	if (userid < 0 || userid >= USERS)
+		return;
+
+	if (c < 0 || c >= CONN_MAX)
+		return;
+	
+	users[userid].conn = c;
+}
+	

src/user.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -17,28 +17,71 @@
 #ifndef __USER_H__
 #define __USER_H__
 
-#define USERS 8
+#define USERS 16
+
+#define OUTPACKETQ_LEN 4		/* Note: 16 users * 1 packet = 1MB */
+/* Undefine to have no queue for packets coming in from tun device, which may
+   lead to massive dropping in multi-user situations with high traffic. */
+
+#define DNSCACHE_LEN 4
+/* Undefine to disable. Should be less than 18; also see comments in iodined.c */
+
+
+#define QMEMPING_LEN 30
+/* Max advisable: 64k/2 = 32000. Total mem usage: QMEMPING_LEN * USERS * 6 bytes */
+
+#define QMEMDATA_LEN 15
+/* Max advisable: 36/2 = 18. Total mem usage: QMEMDATA_LEN * USERS * 6 bytes */
 
 struct user {
 	char id;
 	int active;
+	int disabled;
 	time_t last_pkt;
 	int seed;
 	in_addr_t tun_ip;
-	struct sockaddr host;
-	int addrlen;
+	struct in_addr host;
 	struct query q;
+	struct query q_sendrealsoon;
+	int q_sendrealsoon_new;
 	struct packet inpacket;
 	struct packet outpacket;
+	int outfragresent;
 	struct encoder *encoder;
+	char downenc;
+	int out_acked_seqno;
+	int out_acked_fragment;
+	int fragsize;
+	enum connection conn;
+	int lazy;
+	unsigned char qmemping_cmc[QMEMPING_LEN * 4];
+	unsigned short qmemping_type[QMEMPING_LEN];
+	int qmemping_lastfilled;
+	unsigned char qmemdata_cmc[QMEMDATA_LEN * 4];
+	unsigned short qmemdata_type[QMEMDATA_LEN];
+	int qmemdata_lastfilled;
+#ifdef OUTPACKETQ_LEN
+	struct packet outpacketq[OUTPACKETQ_LEN];
+	int outpacketq_nexttouse;
+	int outpacketq_filled;
+#endif
+#ifdef DNSCACHE_LEN
+	struct query dnscache_q[DNSCACHE_LEN];
+	char dnscache_answer[DNSCACHE_LEN][4096];
+	int dnscache_answerlen[DNSCACHE_LEN];
+	int dnscache_lastfilled;
+#endif
 };
 
 extern struct user users[USERS];
 
-void init_users(in_addr_t);
+int init_users(in_addr_t, int);
+const char* users_get_first_ip();
 int users_waiting_on_reply();
 int find_user_by_ip(uint32_t);
 int all_users_waiting_to_send();
 int find_available_user();
+void user_switch_codec(int userid, struct encoder *enc);
+void user_set_conn_type(int userid, enum connection c);
 
 #endif

src/util.c

@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+#include "common.h"
+
+char *
+get_resolvconf_addr()
+{
+	static char addr[16];
+	char *rv;
+#ifndef WINDOWS32
+	char buf[80];
+	FILE *fp;
+	
+	rv = NULL;
+
+	if ((fp = fopen("/etc/resolv.conf", "r")) == NULL) 
+		err(1, "/etc/resolv.conf");
+	
+	while (feof(fp) == 0) {
+		fgets(buf, sizeof(buf), fp);
+
+		if (sscanf(buf, "nameserver %15s", addr) == 1) {
+			rv = addr;
+			break;
+		}
+	}
+	
+	fclose(fp);
+#else /* !WINDOWS32 */
+	FIXED_INFO  *fixed_info;
+	ULONG       buflen;
+	DWORD       ret;
+
+	rv = NULL;
+	fixed_info = malloc(sizeof(FIXED_INFO));
+	buflen = sizeof(FIXED_INFO);
+
+	if (GetNetworkParams(fixed_info, &buflen) == ERROR_BUFFER_OVERFLOW) {
+		/* official ugly api workaround */
+		free(fixed_info);
+		fixed_info = malloc(buflen);
+	}
+
+	ret = GetNetworkParams(fixed_info, &buflen);
+	if (ret == NO_ERROR) {
+		strncpy(addr, fixed_info->DnsServerList.IpAddress.String, sizeof(addr));
+		addr[15] = 0;
+		rv = addr;
+	}
+	free(fixed_info);
+#endif
+	return rv;
+}
+

src/util.h

@@ -0,0 +1,6 @@
+#ifndef __UTIL_H__
+#define __UTIL_H__
+
+char *get_resolvconf_addr();
+
+#endif

src/version.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +19,7 @@
 
 /* This is the version of the network protocol
    It is usually equal to the latest iodine version number */
-#define VERSION 0x00000401
+#define VERSION 0x00000502
 
 #endif /* _VERSION_H_ */
 

src/windows.h

@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __FIX_WINDOWS_H__
+#define __FIX_WINDOWS_H__
+
+typedef unsigned int in_addr_t;
+
+#include <windows.h>
+#include <windns.h>
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#include <iphlpapi.h>
+
+/* Missing from the mingw headers */
+#ifndef DNS_TYPE_SRV
+# define DNS_TYPE_SRV 33
+#endif
+#ifndef DNS_TYPE_TXT
+# define DNS_TYPE_TXT 16
+#endif
+
+#define T_A DNS_TYPE_A
+#define T_NS DNS_TYPE_NS
+#define T_NULL DNS_TYPE_NULL
+#define T_CNAME DNS_TYPE_CNAME
+#define T_MX DNS_TYPE_MX
+#define T_TXT DNS_TYPE_TXT
+#define T_SRV DNS_TYPE_SRV
+
+#define C_IN 1
+
+#define FORMERR 1
+#define SERVFAIL 2
+#define NXDOMAIN 3
+#define NOTIMP 4
+#define REFUSED 5
+
+#define sleep(seconds) Sleep((seconds)*1000)
+
+typedef struct {
+        unsigned        id :16;         /* query identification number */
+                        /* fields in third byte */
+        unsigned        rd :1;          /* recursion desired */
+        unsigned        tc :1;          /* truncated message */
+        unsigned        aa :1;          /* authoritive answer */
+        unsigned        opcode :4;      /* purpose of message */
+        unsigned        qr :1;          /* response flag */
+                        /* fields in fourth byte */
+        unsigned        rcode :4;       /* response code */
+        unsigned        cd: 1;          /* checking disabled by resolver */
+        unsigned        ad: 1;          /* authentic data from named */
+        unsigned        unused :1;      /* unused bits (MBZ as of 4.9.3a3) */
+        unsigned        ra :1;          /* recursion available */
+                        /* remaining bytes */
+        unsigned        qdcount :16;    /* number of question entries */
+        unsigned        ancount :16;    /* number of answer entries */
+        unsigned        nscount :16;    /* number of authority entries */
+        unsigned        arcount :16;    /* number of resource entries */
+} HEADER;
+
+struct ip
+  {
+    unsigned int ip_hl:4;               /* header length */
+    unsigned int ip_v:4;                /* version */
+    u_char ip_tos;                      /* type of service */
+    u_short ip_len;                     /* total length */
+    u_short ip_id;                      /* identification */
+    u_short ip_off;                     /* fragment offset field */
+#define IP_RF 0x8000                    /* reserved fragment flag */
+#define IP_DF 0x4000                    /* dont fragment flag */
+#define IP_MF 0x2000                    /* more fragments flag */
+#define IP_OFFMASK 0x1fff               /* mask for fragmenting bits */
+    u_char ip_ttl;                      /* time to live */
+    u_char ip_p;                        /* protocol */
+    u_short ip_sum;                     /* checksum */
+    struct in_addr ip_src, ip_dst;      /* source and dest address */
+  };
+
+DWORD WINAPI tun_reader(LPVOID arg);
+struct tun_data {
+	HANDLE tun;
+	int sock;
+	struct sockaddr_in addr;
+};
+
+#endif

tests/Makefile

@@ -1,15 +1,16 @@
 CC = gcc
 TEST = test
-OBJS = test.o base32.o base64.o read.o dns.o encoding.o login.o user.o 
-SRCOBJS = ../src/base32.o  ../src/base64.o ../src/read.o ../src/dns.o ../src/encoding.o ../src/login.o ../src/md5.o ../src/user.o
+OBJS = test.o base32.o base64.o read.o dns.o encoding.o login.o user.o fw_query.o
+SRCOBJS = ../src/base32.o  ../src/base64.o ../src/read.o ../src/dns.o ../src/encoding.o ../src/login.o ../src/md5.o ../src/user.o ../src/fw_query.o
 
 OS = `uname | tr "a-z" "A-Z"`
 
-LDFLAGS =  -L/usr/local/lib -lcheck
-CFLAGS = -g -Wall -D$(OS) -I../src -I/usr/local/include -pedantic
+CHECK_PATH = /usr/local
+LDFLAGS = -L$(CHECK_PATH)/lib -lcheck `../src/osflags link`
+CFLAGS = -g -Wall -D$(OS) -I../src -I$(CHECK_PATH)/include -pedantic `../src/osflags cflags`
 
 all: $(TEST)
-	@./$(TEST)
+	@LD_LIBRARY_PATH=${CHECK_PATH}/lib ./$(TEST)
 
 $(TEST): $(OBJS) $(SRCOBJS)
 	@echo LD $(TEST)
@@ -21,6 +22,6 @@ $(TEST): $(OBJS) $(SRCOBJS)
 
 
 clean:
-	@echo "Cleaning..."
+	@echo "Cleaning tests/"
 	@rm -f *~ *.core $(TEST) $(OBJS)
 

tests/base32.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -24,31 +24,34 @@
 #include "base32.h"
 #include "test.h"
 
+#define TUPLES 5
+
 static struct tuple
 {
 	char *a;
 	char *b;
-} testpairs[] = {
+} testpairs[TUPLES] = {
 	{ "iodinetestingtesting", "nfxwi0lomv0gk21unfxgo3dfon0gs1th" },
 	{ "abc123", "mfrggmjsgm" },
-	{ NULL, NULL }	
+	{ "test", "orsxg3a" },
+	{ "tst", "orzxi" },
+	{ "", "" },
 };
 
 START_TEST(test_base32_encode)
 {
 	size_t len;
 	char buf[4096];
+	struct encoder *b32;
 	int val;
-	int i;
 
-	for (i = 0; testpairs[i].a != NULL; i++) {
-		len = sizeof(buf);
-		val = base32_encode(buf, &len, testpairs[i].a, strlen(testpairs[i].a));
+	b32 = get_base32_encoder();
 
-		fail_unless(val > 0, strerror(errno));
-		fail_unless(strcmp(buf, testpairs[i].b) == 0, 
-				va_str("'%s' != '%s'", buf, testpairs[i].b));
-	}
+	len = sizeof(buf);
+	val = b32->encode(buf, &len, testpairs[_i].a, strlen(testpairs[_i].a));
+
+	fail_unless(strcmp(buf, testpairs[_i].b) == 0,
+			"'%s' != '%s'", buf, testpairs[_i].b);
 }
 END_TEST
 
@@ -56,17 +59,70 @@ START_TEST(test_base32_decode)
 {
 	size_t len;
 	char buf[4096];
+	struct encoder *b32;
 	int val;
+	
+	b32 = get_base32_encoder();
+
+	len = sizeof(buf);
+	val = b32->decode(buf, &len, testpairs[_i].b, strlen(testpairs[_i].b));
+
+	fail_unless(buf != NULL, "buf == NULL");
+	fail_unless(strcmp(buf, testpairs[_i].a) == 0,
+			"'%s' != '%s'", buf, testpairs[_i].a);
+}
+END_TEST
+
+START_TEST(test_base32_5to8_8to5)
+{
 	int i;
+	int c;
 
-	for (i = 0; testpairs[i].a != NULL; i++) {
-		len = sizeof(buf);
-		val = base32_decode(buf, &len, testpairs[i].b, strlen(testpairs[i].b));
+	for (i = 0; i < 32; i++) {
+		c = b32_5to8(i);	
+		fail_unless(b32_8to5(c) == i);
+	}
+}
+END_TEST
 
-		fail_unless(val > 0, strerror(errno));
-		fail_unless(buf != NULL, "buf == NULL");
-		fail_unless(strcmp(buf, testpairs[i].a) == 0, 
-				va_str("'%s' != '%s'", buf, testpairs[i].a));
+START_TEST(test_base32_blksize)
+{
+	size_t rawlen;
+	size_t enclen;
+	char *rawbuf;
+	char *encbuf;
+	struct encoder *b32;
+	int i;
+	int val;
+
+	b32 = get_base32_encoder();
+
+	rawlen = b32->blocksize_raw();
+	enclen = b32->blocksize_encoded();
+
+	rawbuf = malloc(rawlen + 16);
+	encbuf = malloc(enclen + 16);
+
+	for (i = 0; i < rawlen; i++) {
+		rawbuf[i] = 'A';
+	}
+	rawbuf[i] = 0;
+
+	val = b32->encode(encbuf, &enclen, rawbuf, rawlen);
+
+	fail_unless(rawlen == 5, "raw length was %d not 5", rawlen);
+	fail_unless(enclen == 5, "encoded %d bytes, not 5", enclen);
+	fail_unless(val == 8, "encoded string %s was length %d", encbuf, val);
+
+	memset(rawbuf, 0, rawlen + 16);
+
+	enclen = val;
+	val = b32->decode(rawbuf, &rawlen, encbuf, enclen);
+
+	fail_unless(rawlen == 5, "raw length was %d not 5", rawlen);
+	fail_unless(val == 5, "val was not 5 but %d", val);
+	for (i = 0; i < rawlen; i++) {
+		fail_unless(rawbuf[i] == 'A');
 	}
 }
 END_TEST
@@ -77,8 +133,10 @@ test_base32_create_tests()
 	TCase *tc;
 
 	tc = tcase_create("Base32");
-	tcase_add_test(tc, test_base32_encode);
-	tcase_add_test(tc, test_base32_decode);
+	tcase_add_loop_test(tc, test_base32_encode, 0, TUPLES);
+	tcase_add_loop_test(tc, test_base32_decode, 0, TUPLES);
+	tcase_add_test(tc, test_base32_5to8_8to5);
+	tcase_add_test(tc, test_base32_blksize);
 
 	return tc;
 }

tests/base64.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -24,14 +24,16 @@
 #include "base64.h"
 #include "test.h"
 
+#define TUPLES 5
+
 static struct tuple
 {
 	char *a;
 	char *b;
-} testpairs[] = {
+} testpairs[TUPLES] = {
 	{ "iodinetestingtesting", "Aw8KAw4LDgvZDgLUz2rLC2rPBMC" },
-	{ "abc123", "ywjJmtiZ" },
-	{ 
+	{ "abc1231", "ywjJmtiZmq" },
+	{
 	  "\xFF\xEF\x7C\xEF\xAE\x78\xDF\x6D\x74\xCF\x2C\x70\xBE\xEB\x6C\xAE\xAA\x68"
 	  "\x9E\x69\x64\x8E\x28\x60\x7D\xE7\x5C\x6D\xA6\x58\x5D\x65\x54\x4D\x24\x50"
 	  "\x3C\xE3\x4C\x2C\xA2\x48\x1C\x61\x44\x0C\x20\x40\x3F\x3F\x3C\xEF\xAE\x78"
@@ -41,11 +43,11 @@ static struct tuple
 	  "\xBE\xEB\x6C\xAE\xAA\x68\x9E\x69\x64\x8E\x28\x60\x7D\xE7\x5C\x6D\xA6\x58"
 	  "\x5D\x65\x54\x4D\x24\x50\x3C\xE3\x4C\x2C\xA2\x48\x1C\x61\x44\x0C\x20\x40",
 
-	  "9abba876543210-ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfe999dcbapZ"
-	  "776543210-ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9abba87654"
-	  "3210-ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfe999dcba"
+	  "+9876543210-ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcbapZ"
+	  "776543210-ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba+987654"
+	  "3210-ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba"
 	},
-	{ 
+	{
 	  "\xFF\xEF\x7C\xEF\xAE\x78\xDF\x6D\x74\xCF\x2C\x70\xBE\xEB\x6C\xAE\xAA\x68"
 	  "\x9E\x69\x64\x8E\x28\x60\x7D\xE7\x5C\x6D\xA6\x58\x5D\x65\x54\x4D\x24\x50"
 	  "\x3C\xE3\x4C\x2C\xA2\x48\x1C\x61\x44\x0C\x20\x40\x3F\x3F\x3C\xEF\xAE\x78"
@@ -55,28 +57,27 @@ static struct tuple
 	  "\xBE\xEB\x6C\xAE\xA1\x61\x91\x61\x61\x81\x28\x60\x7D\xE7\x5C\x6D\xA6\x58"
 	  "\x5D\x65\x54\x4D\x24\x50\x3C\xE3\x4C\x2C\xA2\x48\x1C\x61\x44\x0C\x20\x40",
 
-	  "9IJJI876543210-ZYXWVUTSRQPONMLK9LMJIHGFEDCBAzyxwvutsrqponmlkjihgfedcbapZ"
-	  "776543210-ZYXWVUTSRQfHKwfHGsHGFEDCBAzyxwvutsrqponmlkjihgfedcbaML87654321"
+	  "+9876543210-ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcbapZ"
+	  "776543210-ZYXWVUTSRQfHKwfHGsHGFEDCBAzyxwvutsrqponmlkjihgfedcba+987654321"
 	  "0-ZYXWVUTSRQfHKwfHGsHGFEDCBAzyxwvutsrqponmlkjihgfedcba"
 	},
-	{ NULL, NULL }	
+	{ "", "" }
 };
 
 START_TEST(test_base64_encode)
 {
 	size_t len;
 	char buf[4096];
+	struct encoder *b64;
 	int val;
-	int i;
 
-	for (i = 0; testpairs[i].a != NULL; i++) {
-		len = sizeof(buf);
-		val = base64_encode(buf, &len, testpairs[i].a, strlen(testpairs[i].a));
+	b64 = get_base64_encoder();
 
-		fail_unless(val > 0, strerror(errno));
-		fail_unless(strcmp(buf, testpairs[i].b) == 0, 
-				va_str("'%s' != '%s'", buf, testpairs[i].b));
-	}
+	len = sizeof(buf);
+	val = b64->encode(buf, &len, testpairs[_i].a, strlen(testpairs[_i].a));
+
+	fail_unless(strcmp(buf, testpairs[_i].b) == 0,
+			"'%s' != '%s'", buf, testpairs[_i].b);
 }
 END_TEST
 
@@ -84,17 +85,58 @@ START_TEST(test_base64_decode)
 {
 	size_t len;
 	char buf[4096];
+	struct encoder *b64;
 	int val;
+
+	b64 = get_base64_encoder();
+
+	len = sizeof(buf);
+	val = b64->decode(buf, &len, testpairs[_i].b, strlen(testpairs[_i].b));
+
+	fail_unless(buf != NULL, "buf == NULL");
+	fail_unless(strcmp(buf, testpairs[_i].a) == 0,
+			"'%s' != '%s'", buf, testpairs[_i].a);
+}
+END_TEST
+
+START_TEST(test_base64_blksize)
+{
+	size_t rawlen;
+	size_t enclen;
+	char *rawbuf;
+	char *encbuf;
+	struct encoder *b64;
 	int i;
+	int val;
 
-	for (i = 0; testpairs[i].a != NULL; i++) {
-		len = sizeof(buf);
-		val = base64_decode(buf, &len, testpairs[i].b, strlen(testpairs[i].b));
+	b64 = get_base64_encoder();
 
-		fail_unless(val > 0, strerror(errno));
-		fail_unless(buf != NULL, "buf == NULL");
-		fail_unless(strcmp(buf, testpairs[i].a) == 0, 
-				va_str("'%s' != '%s'", buf, testpairs[i].a));
+	rawlen = b64->blocksize_raw();
+	enclen = b64->blocksize_encoded();
+
+	rawbuf = malloc(rawlen + 16);
+	encbuf = malloc(enclen + 16);
+
+	for (i = 0; i < rawlen; i++) {
+		rawbuf[i] = 'A';
+	}
+	rawbuf[i] = 0;
+
+	val = b64->encode(encbuf, &enclen, rawbuf, rawlen);
+
+	fail_unless(rawlen == 3, "raw length was %d not 3", rawlen);
+	fail_unless(enclen == 3, "encoded %d bytes, not 3", enclen);
+	fail_unless(val == 4, "encoded string %s was length %d", encbuf, val);
+
+	memset(rawbuf, 0, rawlen + 16);
+
+	enclen = val;
+	val = b64->decode(rawbuf, &rawlen, encbuf, enclen);
+
+	fail_unless(rawlen == 3, "raw length was %d not 3", rawlen);
+	fail_unless(val == 3);
+	for (i = 0; i < rawlen; i++) {
+		fail_unless(rawbuf[i] == 'A');
 	}
 }
 END_TEST
@@ -105,8 +147,9 @@ test_base64_create_tests()
 	TCase *tc;
 
 	tc = tcase_create("Base64");
-	tcase_add_test(tc, test_base64_encode);
-	tcase_add_test(tc, test_base64_decode);
+	tcase_add_loop_test(tc, test_base64_encode, 0, TUPLES);
+	tcase_add_loop_test(tc, test_base64_decode, 0, TUPLES);
+	tcase_add_test(tc, test_base64_blksize);
 
 	return tc;
 }

tests/dns.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -33,24 +33,31 @@
 
 static void dump_packet(char *, size_t);
 
-static char queryPacket[] = 
+static char query_packet[] =
 	"\x05\x39\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x2D\x41\x6A\x62\x63"
 	"\x75\x79\x74\x63\x70\x65\x62\x30\x67\x71\x30\x6C\x74\x65\x62\x75\x78"
 	"\x67\x69\x64\x75\x6E\x62\x73\x73\x61\x33\x64\x66\x6F\x6E\x30\x63\x61"
 	"\x7A\x64\x62\x6F\x72\x71\x71\x04\x6B\x72\x79\x6F\x02\x73\x65\x00\x00"
 	"\x0A\x00\x01\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00";
 
-static char answerPacket[] = 
+static char answer_packet[] =
 	"\x05\x39\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00\x05\x73\x69\x6C\x6C"
 	"\x79\x04\x68\x6F\x73\x74\x02\x6F\x66\x06\x69\x6F\x64\x69\x6E\x65\x04"
 	"\x63\x6F\x64\x65\x04\x6B\x72\x79\x6F\x02\x73\x65\x00\x00\x0A\x00\x01"
 	"\xC0\x0C\x00\x0A\x00\x01\x00\x00\x00\x00\x00\x23\x74\x68\x69\x73\x20"
 	"\x69\x73\x20\x74\x68\x65\x20\x6D\x65\x73\x73\x61\x67\x65\x20\x74\x6F"
 	"\x20\x62\x65\x20\x64\x65\x6C\x69\x76\x65\x72\x65\x64";
-	
+
+static char answer_packet_high_trans_id[] =
+	"\x85\x39\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00\x05\x73\x69\x6C\x6C"
+	"\x79\x04\x68\x6F\x73\x74\x02\x6F\x66\x06\x69\x6F\x64\x69\x6E\x65\x04"
+	"\x63\x6F\x64\x65\x04\x6B\x72\x79\x6F\x02\x73\x65\x00\x00\x0A\x00\x01"
+	"\xC0\x0C\x00\x0A\x00\x01\x00\x00\x00\x00\x00\x23\x74\x68\x69\x73\x20"
+	"\x69\x73\x20\x74\x68\x65\x20\x6D\x65\x73\x73\x61\x67\x65\x20\x74\x6F"
+	"\x20\x62\x65\x20\x64\x65\x6C\x69\x76\x65\x72\x65\x64";
 static char *msgData = "this is the message to be delivered";
 static char *topdomain = "kryo.se";
-	
+
 static char *innerData = "HELLO this is the test data";
 
 START_TEST(test_encode_query)
@@ -61,9 +68,10 @@ START_TEST(test_encode_query)
 	struct encoder *enc;
 	char *d;
 	size_t len;
+	size_t enclen;
 	int ret;
 
-	len = sizeof(buf);
+	enclen = sizeof(resolv);
 	memset(&buf, 0, sizeof(buf));
 	memset(&resolv, 0, sizeof(resolv));
 	memset(&q, 0, sizeof(struct query));
@@ -73,22 +81,23 @@ START_TEST(test_encode_query)
 	enc = get_base32_encoder();
 
 	*d++ = 'A';
-	enc->encode(d, &len, innerData, strlen(innerData));
+	enc->encode(d, &enclen, innerData, strlen(innerData));
 	d = resolv + strlen(resolv);
 	if (*d != '.') {
 		*d++ = '.';
 	}
 	strcpy(d, topdomain);
+	len = sizeof(buf);
 	ret = dns_encode(buf, len, &q, QR_QUERY, resolv, strlen(resolv));
-	len = sizeof(queryPacket) - 1; /* Skip extra null character */
+	len = sizeof(query_packet) - 1; /* Skip extra null character */
 
-	if (strncmp(queryPacket, buf, sizeof(queryPacket)) || ret != len) {
+	if (strncmp(query_packet, buf, sizeof(query_packet)) || ret != len) {
 		printf("\n");
-		dump_packet(queryPacket, len);
+		dump_packet(query_packet, len);
 		dump_packet(buf, ret);
 	}
-	fail_unless(strncmp(queryPacket, buf, sizeof(queryPacket)) == 0, "Did not compile expected packet");
-	fail_unless(ret == len, va_str("Bad packet length: %d, expected %d", ret, len));
+	fail_unless(strncmp(query_packet, buf, sizeof(query_packet)) == 0, "Did not compile expected packet");
+	fail_unless(ret == len, "Bad packet length: %d, expected %d", ret, len);
 }
 END_TEST
 
@@ -103,16 +112,16 @@ START_TEST(test_decode_query)
 	memset(&q, 0, sizeof(struct query));
 	memset(&buf, 0, sizeof(buf));
 	q.id = 0;
-	len = sizeof(queryPacket) - 1;
+	len = sizeof(query_packet) - 1;
 	enc = get_base32_encoder();
 
-	dns_decode(buf, sizeof(buf), &q, QR_QUERY, queryPacket, len);
+	dns_decode(buf, sizeof(buf), &q, QR_QUERY, query_packet, len);
 	domain = strstr(q.name, topdomain);
 	len = sizeof(buf);
 	unpack_data(buf, len, &(q.name[1]), (int) (domain - q.name) - 1, enc);
 
 	fail_unless(strncmp(buf, innerData, strlen(innerData)) == 0, "Did not extract expected host: '%s'", buf);
-	fail_unless(strlen(buf) == strlen(innerData), va_str("Bad host length: %d, expected %d: '%s'", strlen(buf), strlen(innerData), buf));
+	fail_unless(strlen(buf) == strlen(innerData), "Bad host length: %d, expected %d: '%s'", strlen(buf), strlen(innerData), buf);
 }
 END_TEST
 
@@ -132,25 +141,76 @@ START_TEST(test_encode_response)
 	q.id = 1337;
 
 	ret = dns_encode(buf, len, &q, QR_ANSWER, msgData, strlen(msgData));
-	len = sizeof(answerPacket) - 1; /* Skip extra null character */
+	len = sizeof(answer_packet) - 1; /* Skip extra null character */
 
-	fail_unless(strncmp(answerPacket, buf, sizeof(answerPacket)) == 0, "Did not compile expected packet");
-	fail_unless(ret == len, va_str("Bad packet length: %d, expected %d", ret, len));
+	fail_unless(strncmp(answer_packet, buf, sizeof(answer_packet)) == 0, "Did not compile expected packet");
+	fail_unless(ret == len, "Bad packet length: %d, expected %d", ret, len);
 }
 END_TEST
 
 START_TEST(test_decode_response)
 {
 	char buf[512];
+	struct query q;
 	int len;
 	int ret;
 
 	len = sizeof(buf);
 	memset(&buf, 0, sizeof(buf));
 
-	ret = dns_decode(buf, len, NULL, QR_ANSWER, answerPacket, sizeof(answerPacket)-1);
+	ret = dns_decode(buf, len, &q, QR_ANSWER, answer_packet, sizeof(answer_packet)-1);
 	fail_unless(strncmp(msgData, buf, sizeof(msgData)) == 0, "Did not extract expected data");
-	fail_unless(ret == strlen(msgData), va_str("Bad data length: %d, expected %d", ret, strlen(msgData)));
+	fail_unless(ret == strlen(msgData), "Bad data length: %d, expected %d", ret, strlen(msgData));
+	fail_unless(q.id == 0x0539);
+}
+END_TEST
+
+START_TEST(test_decode_response_with_high_trans_id)
+{
+	char buf[512];
+	struct query q;
+	int len;
+	int ret;
+
+	len = sizeof(buf);
+	memset(&buf, 0, sizeof(buf));
+
+	ret = dns_decode(buf, len, &q, QR_ANSWER, answer_packet_high_trans_id, sizeof(answer_packet_high_trans_id)-1);
+	fail_unless(strncmp(msgData, buf, sizeof(msgData)) == 0, "Did not extract expected data");
+	fail_unless(ret == strlen(msgData), "Bad data length: %d, expected %d", ret, strlen(msgData));
+	fail_unless(q.id == 0x8539, "q.id was %08X instead of %08X!", q.id, 0x8539);
+}
+END_TEST
+
+START_TEST(test_get_id_short_packet)
+{
+	char buf[5];
+	int len;
+	unsigned short id;
+
+	len = sizeof(buf);
+	memset(&buf, 5, sizeof(buf));
+
+	id = dns_get_id(buf, len);
+	fail_unless(id == 0);
+}
+END_TEST
+
+START_TEST(test_get_id_low)
+{
+	unsigned short id;
+
+	id = dns_get_id(answer_packet, sizeof(answer_packet));
+	fail_unless(id == 1337);
+}
+END_TEST
+
+START_TEST(test_get_id_high)
+{
+	unsigned short id;
+
+	id = dns_get_id(answer_packet_high_trans_id, sizeof(answer_packet_high_trans_id));
+	fail_unless(id == 0x8539);
 }
 END_TEST
 
@@ -183,6 +243,10 @@ test_dns_create_tests()
 	tcase_add_test(tc, test_decode_query);
 	tcase_add_test(tc, test_encode_response);
 	tcase_add_test(tc, test_decode_response);
+	tcase_add_test(tc, test_decode_response_with_high_trans_id);
+	tcase_add_test(tc, test_get_id_short_packet);
+	tcase_add_test(tc, test_get_id_low);
+	tcase_add_test(tc, test_get_id_high);
 
 	return tc;
 }

tests/encoding.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -21,54 +21,75 @@
 
 #include "encoding.h"
 #include "test.h"
+#include "base32.h"
+#include "base64.h"
 
-struct tuple
+#define TUPLES 4
+
+static struct tuple
 {
 	char *a;
 	char *b;
 } dottests[] = {
-	{ "aaaaaaaaaaaaaabaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 
-	  "aaaaaaaaaaaaaabaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a"},
-	{ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 
-	  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."},
+	{ "aaaaaaaaaaaaaabaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+	  "aaaaaaaaaaaaaabaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaa"},
+	{ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+	  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."},
+	{ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+	  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
 	{ "abc123", "abc123" },
 	{ NULL, NULL }
 };
 
 START_TEST(test_inline_dotify)
 {
-	unsigned i;
 	char temp[1024];
 	char *b;
 
-	while (dottests[i].a) {
-		memset(temp, 0, sizeof(temp));
-		strcpy(temp, dottests[i].a);
-		b = temp;
-		inline_dotify(b, sizeof(temp));
+	memset(temp, 0, sizeof(temp));
+	strcpy(temp, dottests[_i].a);
+	b = temp;
+	inline_dotify(b, sizeof(temp));
 
-		fail_unless(strcmp(dottests[i].b, temp) == 0,
-				va_str("'%s' != '%s'", temp, dottests[i].b));
-		i++;
-	}
+	fail_unless(strcmp(dottests[_i].b, temp) == 0,
+			"'%s' != '%s'", temp, dottests[_i].b);
 }
 END_TEST
 
 START_TEST(test_inline_undotify)
 {
-	unsigned i;
 	char temp[1024];
 	char *b;
 
-	while (dottests[i].a) {
-		memset(temp, 0, sizeof(temp));
-		strcpy(temp, dottests[i].b);
-		b = temp;
-		inline_undotify(b, sizeof(temp));
+	memset(temp, 0, sizeof(temp));
+	strcpy(temp, dottests[_i].b);
+	b = temp;
+	inline_undotify(b, sizeof(temp));
 
-		fail_unless(strcmp(dottests[i].a, temp) == 0,
-				va_str("'%s' != '%s'", temp, dottests[i].a));
-		i++;
+	fail_unless(strcmp(dottests[_i].a, temp) == 0,
+			"'%s' != '%s'", temp, dottests[_i].a);
+}
+END_TEST
+
+START_TEST(test_build_hostname)
+{
+	char data[256];
+	char buf[1024];
+	char *topdomain = "a.c";
+	int buflen;
+	int i;
+
+	for (i = 0; i < sizeof(data); i++) {
+		data[i] = i & 0xFF;
+	}
+
+	buflen = sizeof(buf);
+	
+	for (i = 1; i < sizeof(data); i++) {
+		int len = build_hostname(buf, buflen, data, i, topdomain, get_base32_encoder(), sizeof(buf));
+
+		fail_if(len > i);
+		fail_if(strstr(buf, ".."), "Found double dots when encoding data len %d! buf: %s", i, buf);
 	}
 }
 END_TEST
@@ -79,8 +100,9 @@ test_encoding_create_tests()
 	TCase *tc;
 
 	tc = tcase_create("Encoding");
-	tcase_add_test(tc, test_inline_dotify);
-	tcase_add_test(tc, test_inline_undotify);
+	tcase_add_loop_test(tc, test_inline_dotify, 0, TUPLES);
+	tcase_add_loop_test(tc, test_inline_undotify, 0, TUPLES);
+	tcase_add_test(tc, test_build_hostname);
 
 	return tc;
 }

tests/fw_query.c

@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2006-2009 Erik Ekman <yarrick@kryo.se>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <check.h>
+
+#include "fw_query.h"
+#include "test.h"
+
+START_TEST(test_fw_query_simple)
+{
+	struct fw_query q;
+	struct fw_query *qp;
+
+	q.addrlen = 33;
+	q.id = 0x848A;
+
+	fw_query_init();
+	
+	/* Test empty cache */
+	fw_query_get(0x848A, &qp);
+	fail_unless(qp == NULL);
+
+	fw_query_put(&q);
+
+	/* Test cache with one entry */
+	fw_query_get(0x848A, &qp);
+	fail_unless(qp->addrlen == q.addrlen);
+	fail_unless(qp->id == q.id);
+}
+END_TEST
+
+START_TEST(test_fw_query_edge)
+{
+	struct fw_query q;
+	struct fw_query *qp;
+	int i;
+
+	fw_query_init();
+	
+	q.addrlen = 33;
+	q.id = 0x848A;
+	fw_query_put(&q);
+
+	for (i = 1; i < FW_QUERY_CACHE_SIZE; i++) {
+		q.addrlen++;
+		q.id++;
+		fw_query_put(&q);
+	}
+
+	/* The query should still be cached */
+	fw_query_get(0x848A, &qp);
+	fail_unless(qp->addrlen == 33);
+	fail_unless(qp->id == 0x848A);
+		
+	q.addrlen++;
+	q.id++;
+	fw_query_put(&q);
+
+	/* but now it is overwritten */
+	fw_query_get(0x848A, &qp);
+	fail_unless(qp == NULL);
+}
+END_TEST
+
+TCase *
+test_fw_query_create_tests()
+{
+	TCase *tc;
+
+	tc = tcase_create("Forwarded query");
+	tcase_add_test(tc, test_fw_query_simple);
+	tcase_add_test(tc, test_fw_query_edge);
+
+	return tc;
+}

tests/login.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -28,7 +28,7 @@ START_TEST(test_login_hash)
 	int len;
 	int seed;
 
-	len = 16;
+	len = sizeof(ans);
 	seed = 15;
 
 	memset(ans, 0, sizeof(ans));
@@ -37,6 +37,26 @@ START_TEST(test_login_hash)
 }
 END_TEST
 
+START_TEST(test_login_hash_short)
+{
+	char ans[8];
+	char check[sizeof(ans)];
+	char pass[32] = "iodine is the shit";
+	int len;
+	int seed;
+
+	len = sizeof(ans);
+	seed = 15;
+
+	memset(ans, 0, sizeof(ans));
+	memset(check, 0, sizeof(check));
+
+	/* If len < 16, it should do nothing */
+	login_calculate(ans, len, pass, seed);
+	fail_if(memcmp(ans, check, sizeof(ans)));
+}
+END_TEST
+
 TCase *
 test_login_create_tests()
 {
@@ -44,6 +64,7 @@ test_login_create_tests()
 
 	tc = tcase_create("Login");
 	tcase_add_test(tc, test_login_hash);
+	tcase_add_test(tc, test_login_hash_short);
 
 	return tc;
 }

tests/read.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -33,7 +33,7 @@
 #include "dns.h"
 #include "read.h"
 #include "test.h"
-	
+
 START_TEST(test_read_putshort)
 {
 	unsigned short k;
@@ -44,15 +44,15 @@ START_TEST(test_read_putshort)
 	for (i = 0; i < 65536; i++) {
 		p = (char*)&k;
 		putshort(&p, i);
-		fail_unless(ntohs(k) == i, 
-				va_str("Bad value on putshort for %d: %d != %d", 
-					i, ntohs(k), i));
+		fail_unless(ntohs(k) == i,
+				"Bad value on putshort for %d: %d != %d",
+					i, ntohs(k), i);
 
 		p = (char*)&k;
 		readshort(NULL, &p, (short *) &l);
 		fail_unless(l == i,
-				va_str("Bad value on readshort for %d: %d != %d", 
-					i, l, i));
+				"Bad value on readshort for %d: %d != %d",
+					i, l, i);
 	}
 }
 END_TEST
@@ -71,45 +71,23 @@ START_TEST(test_read_putlong)
 
 		putlong(&p, j);
 
-		fail_unless(ntohl(k) == j, 
-				va_str("Bad value on putlong for %d: %d != %d", i, ntohl(j), j));
-		
+		fail_unless(ntohl(k) == j,
+				"Bad value on putlong for %d: %d != %d", i, ntohl(j), j);
+
 		p = (char*)&k;
 		readlong(NULL, &p, &l);
 
 		fail_unless(l == j,
-				va_str("Bad value on readlong for %d: %d != %d", i, l, j));
+				"Bad value on readlong for %d: %d != %d", i, l, j);
 	}
 }
 END_TEST
 
-START_TEST(test_read_name)
+START_TEST(test_read_name_empty_loop)
 {
 	unsigned char emptyloop[] = {
 		'A', 'A', 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01 }; 
-	unsigned char infloop[] = {
-		'A', 'A', 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		0x01, 'A', 0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01 }; 
-	unsigned char longname[] = 
-		"AA\x81\x80\x00\x01\x00\x00\x00\x00\x00\x00"
-		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
-		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
-		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
-		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
-		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
-		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
-		"\x00\x00\x01\x00\x01";
-	unsigned char onejump[] = 
-		"AA\x81\x80\x00\x01\x00\x00\x00\x00\x00\x00"
-		"\x02hh\xc0\x15\x00\x01\x00\x01\x05zBCDE\x00";
-	unsigned char badjump[] = {
-		'A', 'A', 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		0xfe, 0xcc, 0x00, 0x01, 0x00, 0x01 }; 
-	unsigned char badjump2[] = {
-		'A', 'A', 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		0x02, 'B', 'A', 0xfe, 0xcc, 0x00, 0x01, 0x00, 0x01 }; 
-	unsigned char *jumper;
+		0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01 };
 	char buf[1024];
 	char *data;
 	int rv;
@@ -118,26 +96,77 @@ START_TEST(test_read_name)
 	data = (char*) emptyloop + sizeof(HEADER);
 	buf[1023] = 'A';
 	rv = readname((char *) emptyloop, sizeof(emptyloop), &data, buf, 1023);
-	fail_unless(buf[1023] == 'A', NULL);
-	
+	fail_unless(buf[1023] == 'A');
+}
+END_TEST
+
+START_TEST(test_read_name_inf_loop)
+{
+	unsigned char infloop[] = {
+		'A', 'A', 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x01, 'A', 0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01 };
+	char buf[1024];
+	char *data;
+	int rv;
+
 	memset(buf, 0, sizeof(buf));
 	data = (char*) infloop + sizeof(HEADER);
 	buf[4] = '\a';
 	rv = readname((char*) infloop, sizeof(infloop), &data, buf, 4);
-	fail_unless(buf[4] == '\a', NULL);
-	
+	fail_unless(buf[4] == '\a');
+}
+END_TEST
+
+START_TEST(test_read_name_longname)
+{
+	unsigned char longname[] =
+		"AA\x81\x80\x00\x01\x00\x00\x00\x00\x00\x00"
+		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
+		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
+		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
+		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
+		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
+		"\x3FzBCDEFGHIJKLMNOPQURSTUVXYZ0123456789abcdefghijklmnopqrstuvxyzAA"
+		"\x00\x00\x01\x00\x01";
+	char buf[1024];
+	char *data;
+	int rv;
+
 	memset(buf, 0, sizeof(buf));
 	data = (char*) longname + sizeof(HEADER);
 	buf[256] = '\a';
 	rv = readname((char*) longname, sizeof(longname), &data, buf, 256);
-	fail_unless(buf[256] == '\a', NULL);
+	fail_unless(buf[256] == '\a');
+}
+END_TEST
+
+START_TEST(test_read_name_onejump)
+{
+	unsigned char onejump[] =
+		"AA\x81\x80\x00\x01\x00\x00\x00\x00\x00\x00"
+		"\x02hh\xc0\x15\x00\x01\x00\x01\x05zBCDE\x00";
+	char buf[1024];
+	char *data;
+	int rv;
 
 	memset(buf, 0, sizeof(buf));
 	data = (char*) onejump + sizeof(HEADER);
 	rv = readname((char*) onejump, sizeof(onejump), &data, buf, 256);
-	fail_unless(rv == 9, NULL);
-	
-	/* These two tests use malloc to cause segfault if jump is executed */
+	fail_unless(rv == 9);
+}
+END_TEST
+
+START_TEST(test_read_name_badjump_start)
+{
+	unsigned char badjump[] = {
+		'A', 'A', 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0xfe, 0xcc, 0x00, 0x01, 0x00, 0x01 };
+	unsigned char *jumper;
+	char buf[1024];
+	char *data;
+	int rv;
+
+	/* This test uses malloc to cause segfault if jump is executed */
 	memset(buf, 0, sizeof(buf));
 	jumper = malloc(sizeof(badjump));
 	if (jumper) {
@@ -145,11 +174,24 @@ START_TEST(test_read_name)
 		data = (char*) jumper + sizeof(HEADER);
 		rv = readname((char*) jumper, sizeof(badjump), &data, buf, 256);
 
-		fail_unless(rv == 0, NULL);
-		fail_unless(buf[0] == 0, NULL);
+		fail_unless(rv == 0);
+		fail_unless(buf[0] == 0);
 	}
 	free(jumper);
-	
+}
+END_TEST
+
+START_TEST(test_read_name_badjump_second)
+{
+	unsigned char badjump2[] = {
+		'A', 'A', 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x02, 'B', 'A', 0xfe, 0xcc, 0x00, 0x01, 0x00, 0x01 };
+	unsigned char *jumper;
+	char buf[1024];
+	char *data;
+	int rv;
+
+	/* This test uses malloc to cause segfault if jump is executed */
 	memset(buf, 0, sizeof(buf));
 	jumper = malloc(sizeof(badjump2));
 	if (jumper) {
@@ -157,9 +199,9 @@ START_TEST(test_read_name)
 		data = (char*) jumper + sizeof(HEADER);
 		rv = readname((char*) jumper, sizeof(badjump2), &data, buf, 256);
 
-		fail_unless(rv == 4, NULL);
-		fail_unless(strcmp("BA.", buf) == 0, 
-				va_str("buf is not BA: %s", buf));
+		fail_unless(rv == 4);
+		fail_unless(strcmp("BA.", buf) == 0,
+				"buf is not BA: %s", buf);
 	}
 	free(jumper);
 }
@@ -180,15 +222,15 @@ START_TEST(test_putname)
 	b = buf;
 	ret = putname(&b, 256, domain);
 
-	fail_unless(ret == strlen(domain) + 1, NULL);
+	fail_unless(ret == strlen(domain) + 1);
 	fail_unless(strncmp(buf, out, ret) == 0, "Happy flow failed");
 }
 END_TEST
-	
+
 START_TEST(test_putname_nodot)
 {
 	char buf[256];
-	char *nodot = 
+	char *nodot =
 		"ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ"
 		"ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ";
 	char *b;
@@ -201,15 +243,15 @@ START_TEST(test_putname_nodot)
 	b = buf;
 	ret = putname(&b, 256, nodot);
 
-	fail_unless(ret == -1, NULL);
-	fail_unless(b == buf, NULL);
+	fail_unless(ret == -1);
+	fail_unless(b == buf);
 }
 END_TEST
-	
+
 START_TEST(test_putname_toolong)
 {
 	char buf[256];
-	char *toolong = 
+	char *toolong =
 		"ABCDEFGHIJKLMNOPQRSTUVWXYZ.ABCDEFGHIJKLMNOPQRSTUVWXYZ."
 		"ABCDEFGHIJKLMNOPQRSTUVWXYZ.ABCDEFGHIJKLMNOPQRSTUVWXYZ."
 		"ABCDEFGHIJKLMNOPQRSTUVWXYZ.ABCDEFGHIJKLMNOPQRSTUVWXYZ."
@@ -226,8 +268,8 @@ START_TEST(test_putname_toolong)
 	b = buf;
 	ret = putname(&b, 256, toolong);
 
-	fail_unless(ret == -1, NULL);
-	fail_unless(b == buf, NULL);
+	fail_unless(ret == -1);
+	fail_unless(b == buf);
 }
 END_TEST
 
@@ -241,7 +283,12 @@ test_read_create_tests()
 	tcase_set_timeout(tc, 60);
 	tcase_add_test(tc, test_read_putshort);
 	tcase_add_test(tc, test_read_putlong);
-	tcase_add_test(tc, test_read_name);
+	tcase_add_test(tc, test_read_name_empty_loop);
+	tcase_add_test(tc, test_read_name_inf_loop);
+	tcase_add_test(tc, test_read_name_longname);
+	tcase_add_test(tc, test_read_name_onejump);
+	tcase_add_test(tc, test_read_name_badjump_start);
+	tcase_add_test(tc, test_read_name_badjump_second);
 	tcase_add_test(tc, test_putname);
 	tcase_add_test(tc, test_putname_nodot);
 	tcase_add_test(tc, test_putname_toolong);

tests/test.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -22,20 +22,6 @@
 
 #include "test.h"
 
-char *
-va_str(const char *fmt, ...)
-{
-	static char buf[512];
-	va_list ap;
-
-	memset(buf, 0, sizeof(buf));
-	va_start(ap, fmt);
-	vsnprintf(buf, sizeof(buf), fmt, ap);	
-	va_end(ap);
-
-	return buf;
-}
-
 int
 main()
 {
@@ -67,8 +53,11 @@ main()
  	test = test_user_create_tests();
 	suite_add_tcase(iodine, test);
 
+ 	test = test_fw_query_create_tests();
+	suite_add_tcase(iodine, test);
+
 	runner = srunner_create(iodine);
-	srunner_run_all(runner, CK_VERBOSE);
+	srunner_run_all(runner, CK_NORMAL);
 	failed = srunner_ntests_failed(runner);
 
 	srunner_free(runner);

tests/test.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -24,6 +24,7 @@ TCase *test_encoding_create_tests();
 TCase *test_read_create_tests();
 TCase *test_login_create_tests();
 TCase *test_user_create_tests();
+TCase *test_fw_query_create_tests();
 
 char *va_str(const char *, ...);
 	

tests/user.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2007 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
+ * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -34,7 +34,7 @@ START_TEST(test_init_users)
 	int i;
 
 	ip = inet_addr("127.0.0.1");
-	init_users(ip);
+	init_users(ip, 27);
 	for (i = 0; i < USERS; i++) {
 		fail_unless(users[i].id == i);
 		fail_unless(users[i].q.id == 0);
@@ -51,7 +51,7 @@ START_TEST(test_users_waiting)
 	in_addr_t ip;
 
 	ip = inet_addr("127.0.0.1");
-	init_users(ip);
+	init_users(ip, 27);
 
 	fail_unless(users_waiting_on_reply() == 0);
 
@@ -63,6 +63,7 @@ START_TEST(test_users_waiting)
 	
 	fail_unless(users_waiting_on_reply() == 0);
 	
+	users[3].conn = CONN_DNS_NULL;
 	users[3].q.id = 1;
 	
 	fail_unless(users_waiting_on_reply() == 1);
@@ -75,7 +76,8 @@ START_TEST(test_find_user_by_ip)
 	unsigned int testip;
 
 	ip = inet_addr("127.0.0.1");
-	init_users(ip);
+	init_users(ip, 27);
+	users[0].conn = CONN_DNS_NULL;
 
 	testip = (unsigned int) inet_addr("10.0.0.1");
 	fail_unless(find_user_by_ip(testip) == -1);
@@ -100,19 +102,25 @@ START_TEST(test_all_users_waiting_to_send)
 	in_addr_t ip;
 
 	ip = inet_addr("127.0.0.1");
-	init_users(ip);
+	init_users(ip, 27);
 
 	fail_unless(all_users_waiting_to_send() == 1);
 	
+	users[0].conn = CONN_DNS_NULL;
 	users[0].active = 1;
 	
 	fail_unless(all_users_waiting_to_send() == 1);
 	
 	users[0].last_pkt = time(NULL);
+	users[0].outpacket.len = 0;
 	
 	fail_unless(all_users_waiting_to_send() == 0);
 
+#ifdef OUTPACKETQ_LEN
+	users[0].outpacketq_filled = 1;
+#else
 	users[0].outpacket.len = 44;
+#endif
 	
 	fail_unless(all_users_waiting_to_send() == 1);
 }
@@ -124,7 +132,7 @@ START_TEST(test_find_available_user)
 	int i;
 
 	ip = inet_addr("127.0.0.1");
-	init_users(ip);
+	init_users(ip, 27);
 
 	for (i = 0; i < USERS; i++) {
 		fail_unless(find_available_user() == i);
@@ -146,6 +154,34 @@ START_TEST(test_find_available_user)
 }
 END_TEST
 
+START_TEST(test_find_available_user_small_net)
+{
+	in_addr_t ip;
+	int i;
+
+	ip = inet_addr("127.0.0.1");
+	init_users(ip, 29); /* this should result in 5 enabled users */
+
+	for (i = 0; i < 5; i++) {
+		fail_unless(find_available_user() == i);
+	}
+
+	for (i = 0; i < USERS; i++) {
+		fail_unless(find_available_user() == -1);
+	}
+
+	users[3].active = 0;
+
+	fail_unless(find_available_user() == 3);
+	fail_unless(find_available_user() == -1);
+
+	users[3].last_pkt = 55;
+	
+	fail_unless(find_available_user() == 3);
+	fail_unless(find_available_user() == -1);
+}
+END_TEST
+
 TCase *
 test_user_create_tests()
 {
@@ -157,6 +193,7 @@ test_user_create_tests()
 	tcase_add_test(tc, test_find_user_by_ip);
 	tcase_add_test(tc, test_all_users_waiting_to_send);
 	tcase_add_test(tc, test_find_available_user);
+	tcase_add_test(tc, test_find_available_user_small_net);
 
 	return tc;
 }