From e1707f7739f450c729e26b921e459d5da07602f9 Mon Sep 17 00:00:00 2001 From: Guus Sliepen Date: Fri, 22 Dec 2000 21:34:24 +0000 Subject: [PATCH] - Don't even think about using sscanf with %as anymore - Allow keys to be inside the config files or in a seperate file - Small fixes --- acconfig.h | 3 -- configure.in | 4 +- m4/gnuscanf.m4 | 25 ------------ src/conf.c | 13 ++++-- src/conf.h | 4 +- src/net.c | 105 ++++++++++++++++++++++++++++++++----------------- src/net.h | 4 +- src/protocol.c | 18 +++------ 8 files changed, 89 insertions(+), 87 deletions(-) delete mode 100644 m4/gnuscanf.m4 diff --git a/acconfig.h b/acconfig.h index 031a337b..7bb8efe1 100644 --- a/acconfig.h +++ b/acconfig.h @@ -64,6 +64,3 @@ /* Define to 1 if checkpoint tracing is enabled */ #undef ENABLE_TRACING - -/* Define to 1 if scanf and friends understand %as */ -#undef HAVE_SCANF_AS diff --git a/configure.in b/configure.in index 70b767f8..9d40f7af 100644 --- a/configure.in +++ b/configure.in @@ -1,6 +1,6 @@ dnl Process this file with autoconf to produce a configure script. -dnl $Id: configure.in,v 1.13.2.28 2000/11/29 01:37:50 zarq Exp $ +dnl $Id: configure.in,v 1.13.2.29 2000/12/22 21:34:19 guus Exp $ AC_INIT(src/tincd.c) AM_INIT_AUTOMAKE(tinc, 1.0pre4-cvs) @@ -84,8 +84,6 @@ AC_CHECK_FUNC(gethostbyname, [], [ dnl These are defined in files in m4/ tinc_TUNTAP tinc_OPENSSL -tinc_SCANF_AS - dnl Check if checkpoint tracing has to be enabled AC_ARG_ENABLE(tracing, diff --git a/m4/gnuscanf.m4 b/m4/gnuscanf.m4 deleted file mode 100644 index fd8de464..00000000 --- a/m4/gnuscanf.m4 +++ /dev/null @@ -1,25 +0,0 @@ -dnl Check for a scanf that understands about %as as format specifier - -AC_DEFUN(tinc_SCANF_AS, -[ - AC_CACHE_CHECK([for a scanf that groks %as], tinc_cv_scanf_as, - [ - AC_TRY_RUN([ -/* Very naive program which will probably give a segmentation - fault if the sscanf doesn't work as expected. */ -#include -int main() { - char*s = NULL; - sscanf("string\n", "%as\n", &s); - if(s == NULL) - return 1; - return strcmp("string", s); -} - ], [tinc_cv_scanf_as="yes"], [tinc_cv_scanf_as="no"]) - ]) - -if test "$tinc_cv_scanf_as" = "yes" ; then - AC_DEFINE(HAVE_SCANF_AS) - AC_SUBST(HAVE_SCANF_AS) -fi -]) diff --git a/src/conf.c b/src/conf.c index 0d6d4c2a..3edcb302 100644 --- a/src/conf.c +++ b/src/conf.c @@ -19,7 +19,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: conf.c,v 1.9.4.34 2000/12/06 13:33:48 zarq Exp $ + $Id: conf.c,v 1.9.4.35 2000/12/22 21:34:20 guus Exp $ */ #include "config.h" @@ -68,6 +68,7 @@ static internal_config_t hazahaza[] = { { "Name", config_name, TYPE_NAME }, { "PingTimeout", config_pingtimeout, TYPE_INT }, { "PrivateKey", config_privatekey, TYPE_NAME }, + { "PrivateKeyFile", config_privatekeyfile, TYPE_NAME }, { "TapDevice", config_tapdevice, TYPE_NAME }, { "VpnMask", config_dummy, TYPE_IP }, /* Host configuration file keywords */ @@ -75,6 +76,7 @@ static internal_config_t hazahaza[] = { { "IndirectData", config_indirectdata, TYPE_BOOL }, { "Port", config_port, TYPE_INT }, { "PublicKey", config_publickey, TYPE_NAME }, + { "PublicKeyFile", config_publickeyfile, TYPE_NAME }, { "RestrictAddress", config_restrictaddress, TYPE_BOOL }, { "RestrictHosts", config_restricthosts, TYPE_BOOL }, { "RestrictPort", config_restrictport, TYPE_BOOL }, @@ -232,7 +234,10 @@ int read_config_file(config_t **base, const char *fname) cp if((fp = fopen (fname, "r")) == NULL) - return -1; + { + syslog(LOG_ERR, _("Cannot open config file %s: %m"), fname); + return -1; + } bufsize = 100; buffer = xmalloc(bufsize); @@ -273,7 +278,7 @@ cp if(((q = strtok(NULL, "\t\n\r =")) == NULL) || q[0] == '#') { - fprintf(stderr, _("No value for variable `%s' on line %d while reading config file %s"), + syslog(LOG_ERR, _("No value for variable `%s' on line %d while reading config file %s"), hazahaza[i].name, lineno, fname); break; } @@ -281,7 +286,7 @@ cp cfg = add_config_val(base, hazahaza[i].argtype, q); if(cfg == NULL) { - fprintf(stderr, _("Invalid value for variable `%s' on line %d while reading config file %s"), + syslog(LOG_ERR, _("Invalid value for variable `%s' on line %d while reading config file %s"), hazahaza[i].name, lineno, fname); break; } diff --git a/src/conf.h b/src/conf.h index 60dee5cd..de527d25 100644 --- a/src/conf.h +++ b/src/conf.h @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: conf.h,v 1.6.4.18 2000/12/06 13:33:49 zarq Exp $ + $Id: conf.h,v 1.6.4.19 2000/12/22 21:34:20 guus Exp $ */ #ifndef __TINC_CONF_H__ @@ -39,6 +39,7 @@ typedef enum which_t { config_pingtimeout, config_tapdevice, config_privatekey, + config_privatekeyfile, config_keyexpire, config_hostnames, config_interface, @@ -46,6 +47,7 @@ typedef enum which_t { config_address, config_port, config_publickey, + config_publickeyfile, config_subnet, config_restricthosts, config_restrictsubnets, diff --git a/src/net.c b/src/net.c index ed00610d..cb32caba 100644 --- a/src/net.c +++ b/src/net.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net.c,v 1.35.4.87 2000/12/05 08:59:29 zarq Exp $ + $Id: net.c,v 1.35.4.88 2000/12/22 21:34:20 guus Exp $ */ #include "config.h" @@ -698,59 +698,89 @@ cp return 0; } -int read_rsa_public_key(RSA **key, const char *file) +int read_rsa_public_key(connection_t *cl) { + config_t const *cfg; FILE *fp; + void *result; +cp + if(!cl->rsa_key) + cl->rsa_key = RSA_new(); - if((fp = fopen(file, "r")) == NULL) + if((cfg = get_config_val(cl->config, config_publickey))) { - syslog(LOG_ERR, _("Error reading RSA public key file `%s': %m"), - file); - return -1; + BN_hex2bn(&cl->rsa_key->n, cfg->data.ptr); + BN_hex2bn(&cl->rsa_key->e, "FFFF"); } - if(PEM_read_RSAPublicKey(fp, key, NULL, NULL) == NULL) + else if((cfg = get_config_val(cl->config, config_publickeyfile))) + { + if(is_safe_path(cfg->data.ptr)) + { + if((fp = fopen(cfg->data.ptr, "r")) == NULL) + { + syslog(LOG_ERR, _("Error reading RSA public key file `%s': %m"), + cfg->data.ptr); + return -1; + } + result = PEM_read_RSAPublicKey(fp, &cl->rsa_key, NULL, NULL); + fclose(fp); + if(!result) + { + syslog(LOG_ERR, _("Reading RSA public key file `%s' failed: %m"), + cfg->data.ptr); + return -1; + } + } + else + return -1; + } + else { - syslog(LOG_ERR, _("Reading RSA private key file `%s' failed: %m"), - file); + syslog(LOG_ERR, _("No public key for %s specified!"), cl->name); return -1; } - +cp return 0; } -int read_rsa_private_key(RSA **key, const char *file) +int read_rsa_private_key(void) { + config_t const *cfg; FILE *fp; + void *result; +cp + if(!myself->rsa_key) + myself->rsa_key = RSA_new(); - if((fp = fopen(file, "r")) == NULL) + if((cfg = get_config_val(config, config_privatekey))) { - syslog(LOG_ERR, _("Error reading RSA private key file `%s': %m"), - file); - return -1; + BN_hex2bn(&myself->rsa_key->d, cfg->data.ptr); + BN_hex2bn(&myself->rsa_key->e, "FFFF"); } - if(PEM_read_RSAPrivateKey(fp, key, NULL, NULL) == NULL) + else if((cfg = get_config_val(config, config_privatekeyfile))) { - syslog(LOG_ERR, _("Reading RSA private key file `%s' failed: %m"), - file); - return -1; - } - - return 0; -} - -int read_rsa_keys(void) -{ - config_t const *cfg; - - if(!(cfg = get_config_val(config, config_privatekey))) + if((fp = fopen(cfg->data.ptr, "r")) == NULL) + { + syslog(LOG_ERR, _("Error reading RSA private key file `%s': %m"), + cfg->data.ptr); + return -1; + } + result = PEM_read_RSAPrivateKey(fp, &myself->rsa_key, NULL, NULL); + fclose(fp); + if(!result) + { + syslog(LOG_ERR, _("Reading RSA private key file `%s' failed: %m"), + cfg->data.ptr); + return -1; + } + } + else { - syslog(LOG_ERR, _("Private key for tinc daemon required!")); + syslog(LOG_ERR, _("No private key for tinc daemon specified!")); return -1; } - - myself->rsa_key = RSA_new(); - - return read_rsa_private_key(&(myself->rsa_key), cfg->data.ptr); +cp + return 0; } /* @@ -782,7 +812,7 @@ cp return -1; } cp - if(read_rsa_keys()) + if(read_rsa_private_key()) return -1; if(read_host_config(myself)) @@ -790,6 +820,9 @@ cp syslog(LOG_ERR, _("Cannot open host configuration file for myself!")); return -1; } + + if(read_rsa_public_key(myself)) + return -1; cp /* @@ -1159,7 +1192,7 @@ cp if(!cl) { - syslog(LOG_WARNING, _("Received UDP packets on port %d from unknown source %lx:%d"), ntohl(from.sin_addr.s_addr), ntohs(from.sin_port)); + syslog(LOG_WARNING, _("Received UDP packets on port %d from unknown source %lx:%d"), myself->port, ntohl(from.sin_addr.s_addr), ntohs(from.sin_port)); return 0; } diff --git a/src/net.h b/src/net.h index 2ed8a9ce..27ba87c8 100644 --- a/src/net.h +++ b/src/net.h @@ -16,7 +16,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net.h,v 1.9.4.23 2000/11/30 23:18:21 zarq Exp $ + $Id: net.h,v 1.9.4.24 2000/12/22 21:34:23 guus Exp $ */ #ifndef __TINC_NET_H__ @@ -128,6 +128,6 @@ extern void add_queue(packet_queue_t **, void *, size_t); # include #endif -extern int read_rsa_public_key(RSA **, const char *); +extern int read_rsa_public_key(connection_t *); #endif /* __TINC_NET_H__ */ diff --git a/src/protocol.c b/src/protocol.c index 8a3d1c38..57814fdd 100644 --- a/src/protocol.c +++ b/src/protocol.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: protocol.c,v 1.28.4.69 2000/12/05 08:59:30 zarq Exp $ + $Id: protocol.c,v 1.28.4.70 2000/12/22 21:34:24 guus Exp $ */ #include "config.h" @@ -255,17 +255,9 @@ cp /* Read in the public key, so that we can send a challenge */ - if((cfg = get_config_val(cl->config, config_publickey))) - { - cl->rsa_key = RSA_new(); - if(read_rsa_public_key(&(cl->rsa_key), cfg->data.ptr) < 0) - return -1; - } - else - { - syslog(LOG_ERR, _("No public key known for %s (%s)"), cl->name, cl->hostname); - return -1; - } + if(read_rsa_public_key(cl)) + return -1; + cp return send_challenge(cl); } @@ -300,7 +292,7 @@ cp } /* Encrypt the random data */ - + if(RSA_public_encrypt(len, cl->hischallenge, buffer, cl->rsa_key, RSA_NO_PADDING) != len) /* NO_PADDING because the message size equals the RSA key size and it is totally random */ { syslog(LOG_ERR, _("Error during encryption of challenge for %s (%s)"), cl->name, cl->hostname); -- 2.39.5