/*
net_setup.c -- Setup.
- Copyright (C) 1998-2005 Ivo Timmermans,
- 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
- 2006 Scott Lamb <slamb@slamb.org>
- 2010 Brandon Black <blblack@gmail.com>
+ Copyright (C) 2014 Guus Sliepen <guus@meshlink.io>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include "cipher.h"
#include "conf.h"
#include "connection.h"
-#include "control.h"
#include "digest.h"
#include "ecdsa.h"
#include "graph.h"
#include "logger.h"
-#include "names.h"
#include "net.h"
#include "netutl.h"
-#include "process.h"
#include "protocol.h"
#include "route.h"
-#include "rsa.h"
#include "utils.h"
#include "xalloc.h"
return c->ecdsa;
}
-bool read_rsa_public_key(connection_t *c) {
- if(ecdsa_active(c->ecdsa))
- return true;
-
- FILE *fp;
- char *fname;
- char *n;
-
- /* First, check for simple PublicKey statement */
-
- if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &n)) {
- c->rsa = rsa_set_hex_public_key(n, "FFFF");
- free(n);
- return c->rsa;
- }
-
- /* Else, check for PublicKeyFile statement and read it */
-
- if(!get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname))
- xasprintf(&fname, "%s" SLASH "hosts" SLASH "%s", confbase, c->name);
-
- fp = fopen(fname, "r");
-
- if(!fp) {
- logger(DEBUG_ALWAYS, LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno));
- free(fname);
- return false;
- }
-
- c->rsa = rsa_read_pem_public_key(fp);
- fclose(fp);
-
- if(!c->rsa)
- logger(DEBUG_ALWAYS, LOG_ERR, "Reading RSA public key file `%s' failed: %s", fname, strerror(errno));
- free(fname);
- return c->rsa;
-}
-
static bool read_ecdsa_private_key(void) {
FILE *fp;
char *fname;
if(!fp) {
logger(DEBUG_ALWAYS, LOG_ERR, "Error reading ECDSA private key file `%s': %s", fname, strerror(errno));
if(errno == ENOENT)
- logger(DEBUG_ALWAYS, LOG_INFO, "Create an ECDSA keypair with `tinc -n %s generate-ecdsa-keys'.", netname ?: ".");
+ logger(DEBUG_ALWAYS, LOG_INFO, "Create an ECDSA keypair with `tinc generate-ecdsa-keys'.");
free(fname);
return false;
}
return invitation_key;
}
-static bool read_rsa_private_key(void) {
- FILE *fp;
- char *fname;
- char *n, *d;
-
- /* First, check for simple PrivateKey statement */
-
- if(get_config_string(lookup_config(config_tree, "PrivateKey"), &d)) {
- if(!get_config_string(lookup_config(config_tree, "PublicKey"), &n)) {
- logger(DEBUG_ALWAYS, LOG_ERR, "PrivateKey used but no PublicKey found!");
- free(d);
- return false;
- }
- myself->connection->rsa = rsa_set_hex_private_key(n, "FFFF", d);
- free(n);
- free(d);
- return myself->connection->rsa;
- }
-
- /* Else, check for PrivateKeyFile statement and read it */
-
- if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
- xasprintf(&fname, "%s" SLASH "rsa_key.priv", confbase);
-
- fp = fopen(fname, "r");
-
- if(!fp) {
- logger(DEBUG_ALWAYS, LOG_ERR, "Error reading RSA private key file `%s': %s",
- fname, strerror(errno));
- free(fname);
- return false;
- }
-
-#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
- struct stat s;
-
- if(fstat(fileno(fp), &s)) {
- logger(DEBUG_ALWAYS, LOG_ERR, "Could not stat RSA private key file `%s': %s'", fname, strerror(errno));
- free(fname);
- return false;
- }
-
- if(s.st_mode & ~0100700)
- logger(DEBUG_ALWAYS, LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
-#endif
-
- myself->connection->rsa = rsa_read_pem_private_key(fp);
- fclose(fp);
-
- if(!myself->connection->rsa)
- logger(DEBUG_ALWAYS, LOG_ERR, "Reading RSA private key file `%s' failed: %s", fname, strerror(errno));
- free(fname);
- return myself->connection->rsa;
-}
-
static timeout_t keyexpire_timeout;
static void keyexpire_handler(void *data) {
myself->options |= PROT_MINOR << 24;
- if(!get_config_bool(lookup_config(config_tree, "ExperimentalProtocol"), &experimental)) {
- experimental = read_ecdsa_private_key();
- if(!experimental)
- logger(DEBUG_ALWAYS, LOG_WARNING, "Support for SPTPS disabled.");
- } else {
- if(experimental && !read_ecdsa_private_key())
- return false;
- }
-
- if(!read_rsa_private_key())
+ if(!read_ecdsa_private_key())
return false;
/* Ensure myport is numeric */
if(!setup_myself_reloadable())
return false;
- get_config_bool(lookup_config(config_tree, "TunnelServer"), &tunnelserver);
-
if(get_config_int(lookup_config(config_tree, "MaxConnectionBurst"), &max_connection_burst)) {
if(max_connection_burst <= 0) {
logger(DEBUG_ALWAYS, LOG_ERR, "MaxConnectionBurst cannot be negative!");
}
}
- if(get_config_int(lookup_config(config_tree, "UDPRcvBuf"), &udp_rcvbuf)) {
- if(udp_rcvbuf <= 0) {
- logger(DEBUG_ALWAYS, LOG_ERR, "UDPRcvBuf cannot be negative!");
- return false;
- }
- }
-
- if(get_config_int(lookup_config(config_tree, "UDPSndBuf"), &udp_sndbuf)) {
- if(udp_sndbuf <= 0) {
- logger(DEBUG_ALWAYS, LOG_ERR, "UDPSndBuf cannot be negative!");
- return false;
- }
- }
-
int replaywin_int;
if(get_config_int(lookup_config(config_tree, "ReplayWindow"), &replaywin_int)) {
if(replaywin_int < 0) {
sptps_replaywin = replaywin;
}
- /* Generate packet encryption key */
-
- if(!get_config_string(lookup_config(config_tree, "Cipher"), &cipher))
- cipher = xstrdup("blowfish");
-
- if(!strcasecmp(cipher, "none")) {
- myself->incipher = NULL;
- } else if(!(myself->incipher = cipher_open_by_name(cipher))) {
- logger(DEBUG_ALWAYS, LOG_ERR, "Unrecognized cipher type!");
- return false;
- }
-
- free(cipher);
-
timeout_add(&keyexpire_timeout, keyexpire_handler, &keyexpire_timeout, &(struct timeval){keylifetime, rand() % 100000});
- /* Check if we want to use message authentication codes... */
-
- int maclength = 4;
- get_config_int(lookup_config(config_tree, "MACLength"), &maclength);
-
- if(maclength < 0) {
- logger(DEBUG_ALWAYS, LOG_ERR, "Bogus MAC length!");
- return false;
- }
-
- if(!get_config_string(lookup_config(config_tree, "Digest"), &digest))
- digest = xstrdup("sha1");
-
- if(!strcasecmp(digest, "none")) {
- myself->indigest = NULL;
- } else if(!(myself->indigest = digest_open_by_name(digest, maclength))) {
- logger(DEBUG_ALWAYS, LOG_ERR, "Unrecognized digest type!");
- return false;
- }
-
- free(digest);
-
/* Compression */
if(get_config_int(lookup_config(config_tree, "Compression"), &myself->incompression)) {
myself->via = myself;
myself->status.reachable = true;
myself->last_state_change = now.tv_sec;
- myself->status.sptps = experimental;
node_add(myself);
graph();
/* Open sockets */
- if(!do_detach && getenv("LISTEN_FDS")) {
- sockaddr_t sa;
- socklen_t salen;
-
- listen_sockets = atoi(getenv("LISTEN_FDS"));
-#ifdef HAVE_UNSETENV
- unsetenv("LISTEN_FDS");
-#endif
+ listen_sockets = 0;
+ int cfgs = 0;
- if(listen_sockets > MAXSOCKETS) {
- logger(DEBUG_ALWAYS, LOG_ERR, "Too many listening sockets");
+ for(config_t *cfg = lookup_config(config_tree, "BindToAddress"); cfg; cfg = lookup_config_next(config_tree, cfg)) {
+ cfgs++;
+ get_config_string(cfg, &address);
+ if(!add_listen_address(address, true))
return false;
- }
-
- for(int i = 0; i < listen_sockets; i++) {
- salen = sizeof sa;
- if(getsockname(i + 3, &sa.sa, &salen) < 0) {
- logger(DEBUG_ALWAYS, LOG_ERR, "Could not get address of listen fd %d: %s", i + 3, sockstrerror(errno));
- return false;
- }
-
-#ifdef FD_CLOEXEC
- fcntl(i + 3, F_SETFD, FD_CLOEXEC);
-#endif
-
- int udp_fd = setup_vpn_in_socket(&sa);
- if(udp_fd < 0)
- return false;
-
- io_add(&listen_socket[i].tcp, (io_cb_t)handle_new_meta_connection, &listen_socket[i], i + 3, IO_READ);
- io_add(&listen_socket[i].udp, (io_cb_t)handle_incoming_vpn_data, &listen_socket[i], udp_fd, IO_READ);
-
- if(debug_level >= DEBUG_CONNECTIONS) {
- hostname = sockaddr2hostname(&sa);
- logger(DEBUG_CONNECTIONS, LOG_NOTICE, "Listening on %s", hostname);
- free(hostname);
- }
-
- memcpy(&listen_socket[i].sa, &sa, salen);
- }
- } else {
- listen_sockets = 0;
- int cfgs = 0;
-
- for(config_t *cfg = lookup_config(config_tree, "BindToAddress"); cfg; cfg = lookup_config_next(config_tree, cfg)) {
- cfgs++;
- get_config_string(cfg, &address);
- if(!add_listen_address(address, true))
- return false;
- }
-
- for(config_t *cfg = lookup_config(config_tree, "ListenAddress"); cfg; cfg = lookup_config_next(config_tree, cfg)) {
- cfgs++;
- get_config_string(cfg, &address);
- if(!add_listen_address(address, false))
- return false;
- }
+ }
- if(!cfgs)
- if(!add_listen_address(address, NULL))
- return false;
+ for(config_t *cfg = lookup_config(config_tree, "ListenAddress"); cfg; cfg = lookup_config_next(config_tree, cfg)) {
+ cfgs++;
+ get_config_string(cfg, &address);
+ if(!add_listen_address(address, false))
+ return false;
}
+ if(!cfgs)
+ if(!add_listen_address(address, NULL))
+ return false;
+
if(!listen_sockets) {
logger(DEBUG_ALWAYS, LOG_ERR, "Unable to create any listening socket!");
return false;
if(!setup_myself())
return false;
- if(!init_control())
- return false;
-
return true;
}
for(list_node_t *node = connection_list->head, *next; node; node = next) {
next = node->next;
connection_t *c = node->data;
- /* Keep control connections open until the end, so they know when we really terminated */
- if(c->status.control)
- c->socket = -1;
c->outgoing = NULL;
terminate_connection(c, false);
}
if(myport) free(myport);
- exit_control();
-
return;
}
projects / meshlink / blobdiff