From: Guus Sliepen Date: Thu, 14 Sep 2000 11:54:51 +0000 (+0000) Subject: - Lots of small changes. X-Git-Tag: release-1.0pre3~116 X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=commitdiff_plain;h=c04c84c98055c6b9e9e7890d3992648a3b715a1a - Lots of small changes. --- diff --git a/src/net.c b/src/net.c index 72c1b5e1..a5989c36 100644 --- a/src/net.c +++ b/src/net.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net.c,v 1.35.4.27 2000/09/06 11:49:03 guus Exp $ + $Id: net.c,v 1.35.4.28 2000/09/14 11:54:50 guus Exp $ */ #include "config.h" @@ -103,8 +103,7 @@ cp rp.len = htons(rp.len); if(debug_lvl > 3) - syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"), - ntohs(rp.len), cl->vpn_hostname, cl->real_hostname); + syslog(LOG_ERR, _("Sending packet of %d bytes to %s (%s)"), ntohs(rp.len), cl->id, cl->hostname); total_socket_out += ntohs(rp.len); @@ -115,8 +114,7 @@ cp if((send(cl->socket, (char*)&rp, ntohs(rp.len), 0)) < 0) { - syslog(LOG_ERR, _("Error sending packet to %s (%s): %m"), - cl->vpn_hostname, cl->real_hostname); + syslog(LOG_ERR, _("Error sending packet to %s (%s): %m"), cl->id, cl->hostname); return -1; } cp @@ -132,8 +130,7 @@ cp add_mac_addresses(&vp); if(debug_lvl > 3) - syslog(LOG_ERR, _("Receiving packet of %d bytes from %s (%s)"), - ((real_packet_t*)packet)->len, cl->vpn_hostname, cl->real_hostname); + syslog(LOG_ERR, _("Receiving packet of %d bytes from %s (%s)"), ((real_packet_t*)packet)->len, cl->id, cl->hostname); if((lenin = write(tap_fd, &vp, vp.len + sizeof(vp.len))) < 0) syslog(LOG_ERR, _("Can't write to tap device: %m")); @@ -146,59 +143,6 @@ cp return 0; } -int tcprecv(conn_list_t *cl, real_packet_t *rp) -{ - vpn_packet_t vp; - int lenin; - conn_list_t *f; -cp - rp->data.len = ntohs(rp->data.len); - rp->len = ntohs(rp->len); - rp->from = ntohl(rp->from); - - total_socket_in += rp->len; - - if(rp->len >= 0) - { - f = lookup_conn(rp->from); - if(!f) - { - syslog(LOG_ERR, _("Got packet from %s (%s) with unknown origin %d.%d.%d.%d?"), - cl->vpn_hostname, cl->real_hostname, IP_ADDR_V(rp->from)); - return -1; - } - - if(f->status.validkey) - { - do_decrypt(rp, &vp, cl->key); - add_mac_addresses(&vp); - - if(debug_lvl > 3) - syslog(LOG_ERR, _("Receiving packet of %d bytes from %s (%s)"), - rp->len, cl->vpn_hostname, cl->real_hostname); - - if((lenin = write(tap_fd, &vp, vp.len + sizeof(vp.len))) < 0) - syslog(LOG_ERR, _("Can't write to tap device: %m")); - else - total_tap_out += lenin; - } - else - { - add_queue(&(cl->sq), rp, rp->len + 2); - if(!cl->status.waitingforkey) - send_key_request(rp->from); - } - - if(my_key_expiry <= time(NULL)) - regenerate_keys(); - } - - cl->want_ping = 0; - cl->last_ping_time = time(NULL); -cp - return 0; -} - /* add the given packet of size s to the queue q, be it the send or receive queue @@ -307,16 +251,14 @@ cp if(cl->sq) { if(debug_lvl > 3) - syslog(LOG_DEBUG, _("Flushing send queue for %s (%s)"), - cl->vpn_hostname, cl->real_hostname); + syslog(LOG_DEBUG, _("Flushing send queue for %s (%s)"), cl->id, cl->hostname); flush_queue(cl, &(cl->sq), xsend); } if(cl->rq) { if(debug_lvl > 3) - syslog(LOG_DEBUG, _("Flushing receive queue for %s (%s)"), - cl->vpn_hostname, cl->real_hostname); + syslog(LOG_DEBUG, _("Flushing receive queue for %s (%s)"), cl->id, cl->hostname); flush_queue(cl, &(cl->rq), xrecv); } cp @@ -336,22 +278,16 @@ cp syslog(LOG_NOTICE, _("Trying to look up %d.%d.%d.%d in connection list failed!"), IP_ADDR_V(to)); } - - /* Is this really necessary? If we can't find "to", then neither should any uplink. (GS) */ - + return -1; - - for(cl = conn_list; cl != NULL && !cl->status.outgoing; cl = cl->next); - if(!cl) - { /* No open outgoing connection has been found. */ - if(debug_lvl > 3) - syslog(LOG_NOTICE, _("There is no remote host I can send this packet to!")); - return -1; - } - } + } /* If we ourselves have indirectdata flag set, we should send only to our uplink! */ + /* The next few lines will be obsoleted, if we are going indirect, matching subnet_t + should point to only our uplink as the recepient + */ + if(myself->flags & EXPORTINDIRECTDATA) { for(cl = conn_list; cl != NULL && !cl->status.outgoing; cl = cl->next); @@ -372,13 +308,11 @@ cp if(cl->flags & INDIRECTDATA) { if(debug_lvl > 3) - syslog(LOG_NOTICE, _("Indirect packet to %s via %s"), - cl->vpn_hostname, cl->real_hostname); + syslog(LOG_NOTICE, _("Indirect packet to %s via %s"), cl->id, cl->hostname); if((cl = lookup_conn(cl->real_ip)) == NULL) { if(debug_lvl > 3) - syslog(LOG_NOTICE, _("Indirect look up %d.%d.%d.%d in connection list failed!"), - IP_ADDR_V(to)); + syslog(LOG_NOTICE, _("Indirect look up %d.%d.%d.%d in connection list failed!"), IP_ADDR_V(to)); /* Gateway tincd dead? Should we kill it? (GS) */ @@ -387,8 +321,7 @@ cp if(cl->flags & INDIRECTDATA) /* This should not happen */ { if(debug_lvl > 3) - syslog(LOG_NOTICE, _("Double indirection for %d.%d.%d.%d"), - IP_ADDR_V(to)); + syslog(LOG_NOTICE, _("Double indirection for %d.%d.%d.%d"), IP_ADDR_V(to)); return -1; } } @@ -399,14 +332,14 @@ cp if(!cl->status.dataopen) if(setup_vpn_connection(cl) < 0) { - syslog(LOG_ERR, _("Could not open UDP connection to %s (%s)"), cl->vpn_hostname, cl->real_hostname); + syslog(LOG_ERR, _("Could not open UDP connection to %s (%s)"), cl->id, cl->hostname); return -1; } if(!cl->status.validkey) { if(debug_lvl > 3) - syslog(LOG_INFO, _("%s (%s) has no valid key, queueing packet"), cl->vpn_hostname, cl->real_hostname); + syslog(LOG_INFO, _("%s (%s) has no valid key, queueing packet"), cl->id, cl->hostname); add_queue(&(cl->sq), packet, packet->len + 2); if(!cl->status.waitingforkey) send_key_request(cl->vpn_ip); /* Keys should be sent to the host running the tincd */ @@ -416,7 +349,7 @@ cp if(!cl->status.active) { if(debug_lvl > 3) - syslog(LOG_INFO, _("%s (%s) is not ready, queueing packet"), cl->vpn_hostname, cl->real_hostname); + syslog(LOG_INFO, _("%s (%s) is not ready, queueing packet"), cl->id, cl->hostname); add_queue(&(cl->sq), packet, packet->len + 2); return 0; /* We don't want to mess up, do we? */ } @@ -573,7 +506,7 @@ int setup_outgoing_meta_socket(conn_list_t *cl) config_t const *cfg; cp if(debug_lvl > 0) - syslog(LOG_INFO, _("Trying to connect to %s"), cl->real_hostname); + syslog(LOG_INFO, _("Trying to connect to %s"), cl->hostname); if((cfg = get_config_val(upstreamport)) == NULL) cl->port = 655; @@ -584,7 +517,7 @@ cp if(cl->meta_socket == -1) { syslog(LOG_ERR, _("Creating socket for %s port %d failed: %m"), - cl->real_hostname, cl->port); + cl->hostname, cl->port); return -1; } @@ -594,7 +527,7 @@ cp if(connect(cl->meta_socket, (struct sockaddr *)&a, sizeof(a)) == -1) { - syslog(LOG_ERR, _("%s port %hd: %m"), cl->real_hostname, cl->port); + syslog(LOG_ERR, _("%s port %hd: %m"), cl->hostname, cl->port); return -1; } @@ -602,13 +535,13 @@ cp if(fcntl(cl->meta_socket, F_SETFL, flags | O_NONBLOCK) < 0) { syslog(LOG_ERR, _("fcntl for %s port %d: %m"), - cl->real_hostname, cl->port); + cl->hostname, cl->port); return -1; } if(debug_lvl > 0) syslog(LOG_INFO, _("Connected to %s port %hd"), - cl->real_hostname, cl->port); + cl->hostname, cl->port); cp return 0; } @@ -633,12 +566,12 @@ cp ncn = new_conn_list(); ncn->real_ip = ntohl(*((ip_t*)(h->h_addr_list[0]))); - ncn->real_hostname = hostlookup(htonl(ncn->real_ip)); + ncn->hostname = hostlookup(htonl(ncn->real_ip)); if(setup_outgoing_meta_socket(ncn) < 0) { syslog(LOG_ERR, _("Could not set up a meta connection to %s"), - ncn->real_hostname); + ncn->hostname); free_conn_element(ncn); return -1; } @@ -668,7 +601,7 @@ cp myself->vpn_ip = cfg->data.ip->ip; myself->vpn_hostname = hostlookup(htonl(myself->vpn_ip)); - myself->real_hostname = hostlookup(htonl(myself->vpn_ip)); + myself->hostname = hostlookup(htonl(myself->vpn_ip)); myself->vpn_mask = cfg->data.ip->mask; myself->flags = 0; @@ -817,7 +750,7 @@ int setup_vpn_connection(conn_list_t *cl) struct sockaddr_in a; cp if(debug_lvl > 0) - syslog(LOG_DEBUG, _("Opening UDP socket to %s"), cl->real_hostname); + syslog(LOG_DEBUG, _("Opening UDP socket to %s"), cl->hostname); nfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if(nfd == -1) @@ -833,15 +766,14 @@ cp if(connect(nfd, (struct sockaddr *)&a, sizeof(a)) == -1) { syslog(LOG_ERR, _("Connecting to %s port %d failed: %m"), - cl->real_hostname, cl->port); + cl->hostname, cl->port); return -1; } flags = fcntl(nfd, F_GETFL); if(fcntl(nfd, F_SETFL, flags | O_NONBLOCK) < 0) { - syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m %s (%s)"), __FILE__, __LINE__, nfd, - cl->vpn_hostname, cl->real_hostname); + syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m %s (%s)"), __FILE__, __LINE__, nfd, cl->id, cl->hostname); return -1; } @@ -870,7 +802,7 @@ cp } p->real_ip = ntohl(ci.sin_addr.s_addr); - p->real_hostname = hostlookup(ci.sin_addr.s_addr); + p->hostname = hostlookup(ci.sin_addr.s_addr); p->meta_socket = sfd; p->status.meta = 1; p->buflen = 0; @@ -879,7 +811,7 @@ cp if(debug_lvl > 0) syslog(LOG_NOTICE, _("Connection from %s port %d"), - p->real_hostname, htons(ci.sin_port)); + p->hostname, htons(ci.sin_port)); if(send_basic_info(p) < 0) { @@ -927,14 +859,12 @@ int handle_incoming_vpn_data(conn_list_t *cl) cp if(getsockopt(cl->socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0) { - syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m %s (%s)"), __FILE__, __LINE__, cl->socket, - cl->vpn_hostname, cl->real_hostname); + syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m %s (%s)"), __FILE__, __LINE__, cl->socket, cl->id, cl->hostname); return -1; } if(x) { - syslog(LOG_ERR, _("Incoming data socket error for %s (%s): %s"), - cl->vpn_hostname, cl->real_hostname, strerror(x)); + syslog(LOG_ERR, _("Incoming data socket error for %s (%s): %s"), cl->id, cl->hostname, strerror(x)); return -1; } @@ -942,7 +872,7 @@ cp lenin = recvfrom(cl->socket, &rp, MTU, 0, NULL, NULL); if(lenin <= 0) { - syslog(LOG_ERR, _("Receiving packet from %s (%s) failed: %m"), cl->vpn_hostname, cl->real_hostname); + syslog(LOG_ERR, _("Receiving packet from %s (%s) failed: %m"), cl->id, cl->hostname); return -1; } total_socket_in += lenin; @@ -956,8 +886,7 @@ cp f = lookup_conn(rp.from); if(!f) { - syslog(LOG_ERR, _("Got packet from %s (%s) with unknown origin %d.%d.%d.%d?"), - cl->vpn_hostname, cl->real_hostname, IP_ADDR_V(rp.from)); + syslog(LOG_ERR, _("Got packet from %s (%s) with unknown origin %d.%d.%d.%d?"), cl->id, cl->hostname, IP_ADDR_V(rp.from)); return -1; } @@ -990,8 +919,7 @@ cp return; if(debug_lvl > 0) - syslog(LOG_NOTICE, _("Closing connection with %s (%s)"), - cl->vpn_hostname, cl->real_hostname); + syslog(LOG_NOTICE, _("Closing connection with %s (%s)"), cl->id, cl->hostname); if(cl->status.timeout) send_timeout(cl); @@ -1064,8 +992,7 @@ cp if(p->status.pinged && !p->status.got_pong) { if(debug_lvl > 1) - syslog(LOG_INFO, _("%s (%s) didn't respond to PING"), - p->vpn_hostname, p->real_hostname); + syslog(LOG_INFO, _("%s (%s) didn't respond to PING"), cl->id, cl->hostname); p->status.timeout = 1; terminate_connection(p); } @@ -1125,18 +1052,16 @@ int handle_incoming_meta_data(conn_list_t *cl) cp if(getsockopt(cl->meta_socket, SOL_SOCKET, SO_ERROR, &x, &l) < 0) { - syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m %s (%s)"), __FILE__, __LINE__, cl->meta_socket, - cl->vpn_hostname, cl->real_hostname); + syslog(LOG_ERR, _("This is a bug: %s:%d: %d:%m %s (%s)"), __FILE__, __LINE__, cl->meta_socket, cl->id, cl->hostname); return -1; } if(x) { - syslog(LOG_ERR, _("Metadata socket error for %s (%s): %s"), - cl->vpn_hostname, cl->real_hostname, strerror(x)); + syslog(LOG_ERR, _("Metadata socket error for %s (%s): %s"), cl->id, cl->hostname, strerror(x)); return -1; } - lenin = read(cl->meta_socket, cl->buffer, MAXBUFSIZE - cl->buflen); + lenin = read(cl->meta_socket, cl->buffer+cl->buflen, MAXBUFSIZE - cl->buflen); if(lenin<=0) { @@ -1144,92 +1069,77 @@ cp return 0; if(errno==0) { - if(debug_lvl>0) - syslog(LOG_NOTICE, _("Connection closed by %s (%s)"), - cl->vpn_hostname, cl->real_hostname); + if(debug_lvl>DEBUG_CONNECTIONS) + syslog(LOG_NOTICE, _("Connection closed by %s (%s)"), cl->id, cl->hostname); } else - syslog(LOG_ERR, _("Metadata socket read error for %s (%s): %m"), - cl->vpn_hostname, cl->real_hostname); + syslog(LOG_ERR, _("Metadata socket read error for %s (%s): %m"), cl->id, cl->hostname); return -1; } + if(cl->status.encrypted) + { + /* FIXME: do decryption. */ + } + oldlen = cl->buflen; cl->buflen += lenin; for(;;) { - if(cl->tcppacket) + cl->reqlen = 0; + + for(i = oldlen; i < cl->buflen; i++) { - if(cl->buflen >= cl->tcppacket) - { - tcprecv(cl, (real_packet_t *)cl->buffer); - cl->buflen -= cl->tcppacket; - memmove(cl->buffer, cl->buffer + cl->tcppacket, cl->buflen); - oldlen = 0; - cl->tcppacket=0; - } - else + if(cl->buffer[i] == '\n') { + cl->buffer[i] = 0; /* replace end-of-line by end-of-string so we can use sscanf */ + cl->reqlen = i + 1; break; } } - else - { - cl->reqlen = 0; - for(i = oldlen; i < cl->buflen; i++) - { - if(cl->buffer[i] == '\n') - { - cl->buffer[i] = 0; /* replace end-of-line by end-of-string so we can use sscanf */ - cl->reqlen = i + 1; - break; - } - } - - if(cl->reqlen) + if(cl->reqlen) + { + if(debug_lvl > DEBUG_PROTOCOL) + syslog(LOG_DEBUG, _("Got request from %s (%s): %s"), cl->id, cl->hostname, cl->buffer); + if(sscanf(cl->buffer, "%d", &request) == 1) { - if(debug_lvl > 2) - syslog(LOG_DEBUG, _("Got request from %s (%s): %s"), - cl->vpn_hostname, cl->real_hostname, cl->buffer); - if(sscanf(cl->buffer, "%d", &request) == 1) + if((request < 0) || (request > 255) || (request_handlers[request] == NULL)) { - if((request < 0) || (request > 255) || (request_handlers[request] == NULL)) - { - syslog(LOG_ERR, _("Unknown request from %s (%s)"), - cl->vpn_hostname, cl->real_hostname); - return -1; - } - - if(request_handlers[request](cl)) /* Something went wrong. Probably scriptkiddies. Terminate. */ - { - syslog(LOG_ERR, _("Error while processing request from %s (%s)"), - cl->vpn_hostname, cl->real_hostname); - return -1; - } + syslog(LOG_ERR, _("Unknown request from %s (%s)"), cl->id, cl->hostname); + return -1; } else { - syslog(LOG_ERR, _("Bogus data received from %s (%s)"), - cl->vpn_hostname, cl->real_hostname); + if(debug_lvl > DEBUG_PROTOCOL) + syslog(LOG_DEBUG, _("Got %s from %s (%s)"), request_name[request], cl->id, cl->hostname); + + if(request_handlers[request](cl)) /* Something went wrong. Probably scriptkiddies. Terminate. */ + { + syslog(LOG_ERR, _("Error while processing %s from %s (%s)"), request_name[request], cl->id, cl->hostname); return -1; } - - cl->buflen -= cl->reqlen; - memmove(cl->buffer, cl->buffer + cl->reqlen, cl->buflen); - oldlen = 0; } else { - break; + syslog(LOG_ERR, _("Bogus data received from %s (%s)"), cl->id, cl->hostname); + return -1; } + + cl->buflen -= cl->reqlen; + memmove(cl->buffer, cl->buffer + cl->reqlen, cl->buflen); + oldlen = 0; + } + else + { + break; } } if(cl->buflen >= MAXBUFSIZE) { - syslog(LOG_ERR, _("Metadata read buffer overflow!")); + syslog(LOG_ERR, _("Metadata read buffer overflow for %s (%s)"), cl->id, cl->hostname); return -1; } @@ -1263,8 +1173,7 @@ cp I've once got here when it said `No route to host'. */ getsockopt(p->socket, SOL_SOCKET, SO_ERROR, &x, &l); - syslog(LOG_ERR, _("Outgoing data socket error for %s (%s): %s"), - p->vpn_hostname, p->real_hostname, strerror(x)); + syslog(LOG_ERR, _("Outgoing data socket error for %s (%s): %s"), cl->id, cl->hostname, strerror(x)); terminate_connection(p); return; } @@ -1309,15 +1218,14 @@ cp if(ether_type != 0x0800) { if(debug_lvl > 3) - syslog(LOG_INFO, _("Non-IP ethernet frame %04x from " MAC_ADDR_S), - ether_type, MAC_ADDR_V(vp.data[6])); + syslog(LOG_INFO, _("Non-IP ethernet frame %04x from %02x:%02x:%02x:%02x:%02x:%02x"), ether_type, MAC_ADDR_V(vp.data[6])); return; } if(lenin < 32) { if(debug_lvl > 3) - syslog(LOG_INFO, _("Dropping short packet")); + syslog(LOG_INFO, _("Dropping short packet from %02x:%02x:%02x:%02x:%02x:%02x"), MAC_ADDR_V(vp.data[6])); return; } diff --git a/src/protocol.c b/src/protocol.c index 2081edc6..0b76cc3d 100644 --- a/src/protocol.c +++ b/src/protocol.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: protocol.c,v 1.28.4.29 2000/09/11 10:05:34 guus Exp $ + $Id: protocol.c,v 1.28.4.30 2000/09/14 11:54:51 guus Exp $ */ #include "config.h" @@ -67,7 +67,7 @@ cp if(debug_lvl >= DEBUG_META) syslog(LOG_DEBUG, _("Sending meta data to %s (%s): %s"), cl->id, cl->hostname, buffer); - if(cl->status.encryptout) + if(cl->status.encrypted) { /* FIXME: Do encryption */ } @@ -83,16 +83,22 @@ cp /* Connection protocol: Client Server - send_id(*) - send_challenge - send_chal_reply(*) - send_id - send_challenge - send_chal_reply - send_ack - send_ack - - (*) Unencrypted. + send_id(u) + send_challenge(R) + send_chal_reply(BH) + send_id(B) + send_challenge(BR) + send_chal_reply(BH) + send_ack(B) + send_ack(B) + + (u) Unencrypted, + (R) RSA, + (H) SHA1, + (B) Blowfish. + + Part of the challenge is directly used to set the blowfish key and the initial vector. + (Twee vliegen in één klap!) */ int send_id(conn_list_t *cl) @@ -163,10 +169,6 @@ cp } } - /* Since we know the identity now, we can encrypt the meta channel */ - - cl->status.encryptout = 1; - /* Send a challenge to verify the identity */ cl->allow_request = CHAL_REPLY; @@ -186,13 +188,20 @@ cp /* Allocate buffers for the challenge and the hash */ cl->chal_hash = xmalloc(SHA_DIGEST_LEN); - keylength = BN_num_bytes(cl->metakey.n); + keylength = BN_num_bytes(cl->rsakey.n); buffer = xmalloc(keylength*2); /* Copy random data and the public key to the buffer */ RAND_bytes(buffer, keylength); - BN_bn2bin(cl->metakey.n, buffer+keylength); + BN_bn2bin(cl->rsakey.n, buffer+keylength); + + /* If we don't have a blowfish key set yet, use the random data from the challenge to do so. */ + + if(!cl->status.encrypted) + { + set_metakey(cl, buffer, keylength); + } /* Calculate the hash from that */ @@ -208,6 +217,7 @@ cp cl->allow_request = CHAL_REPLY; x = send_request(cl, "%d %s", CHALLENGE, buffer); free(buffer); + cl->status.encrypted = 1; cp return x; } @@ -237,7 +247,7 @@ int send_chal_reply(conn_list_t *cl, char *challenge) char *hash; int x; cp - keylength = BN_num_bytes(myself->meyakey.n); + keylength = BN_num_bytes(myself->rsakey.n); /* Check if the length of the challenge is all right */ @@ -255,11 +265,20 @@ cp /* Copy the incoming random data and our public key to the buffer */ hex2bin(challenge, buffer, keylength); - BN_bn2bin(myself->metakey.n, buffer+keylength); + BN_bn2bin(myself->rsakey.n, buffer+keylength); /* Calculate the hash from that */ SHA1(buffer, keylength*2, hash); + + /* If we don't have a blowfish key set yet, use the random data from the challenge to do so. */ + + if(!cl->status.encrypted) + { + set_metakey(cl, buffer, keylength); + cl->status.encrypted = 1; + } + free(buffer); /* Convert the hash to a hexadecimal formatted string */