tinc/src/net_setup.c

1088 lines
27 KiB
C
Raw Normal View History

/*
net_setup.c -- Setup.
Copyright (C) 1998-2005 Ivo Timmermans,
2013-01-20 20:03:22 +00:00
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org>
2010-11-16 16:28:41 +00:00
2010 Brandon Black <blblack@gmail.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include "system.h"
#include "cipher.h"
#include "conf.h"
#include "connection.h"
#include "control.h"
#include "device.h"
#include "digest.h"
2011-07-07 20:28:25 +00:00
#include "ecdsa.h"
#include "graph.h"
#include "logger.h"
#include "names.h"
#include "net.h"
#include "netutl.h"
#include "process.h"
#include "protocol.h"
#include "route.h"
#include "rsa.h"
#include "script.h"
#include "subnet.h"
#include "utils.h"
#include "xalloc.h"
char *myport;
static io_t device_io;
devops_t devops;
char *proxyhost;
char *proxyport;
char *proxyuser;
char *proxypass;
proxytype_t proxytype;
int autoconnect;
bool disablebuggypeers;
2012-10-07 15:53:23 +00:00
char *scriptinterpreter;
char *scriptextension;
bool node_read_ecdsa_public_key(node_t *n) {
if(ecdsa_active(n->ecdsa))
return true;
splay_tree_t *config_tree;
FILE *fp;
char *pubname = NULL;
char *p;
init_configuration(&config_tree);
if(!read_host_config(config_tree, n->name))
goto exit;
/* First, check for simple ECDSAPublicKey statement */
if(get_config_string(lookup_config(config_tree, "ECDSAPublicKey"), &p)) {
n->ecdsa = ecdsa_set_base64_public_key(p);
free(p);
goto exit;
}
/* Else, check for ECDSAPublicKeyFile statement and read it */
2012-10-07 15:53:23 +00:00
if(!get_config_string(lookup_config(config_tree, "ECDSAPublicKeyFile"), &pubname))
xasprintf(&pubname, "%s" SLASH "hosts" SLASH "%s", confbase, n->name);
2012-10-07 15:53:23 +00:00
fp = fopen(pubname, "r");
if(!fp)
goto exit;
n->ecdsa = ecdsa_read_pem_public_key(fp);
fclose(fp);
exit:
exit_configuration(&config_tree);
2012-10-07 15:53:23 +00:00
free(pubname);
return n->ecdsa;
}
2011-07-07 20:28:25 +00:00
bool read_ecdsa_public_key(connection_t *c) {
if(ecdsa_active(c->ecdsa))
return true;
2011-07-07 20:28:25 +00:00
FILE *fp;
char *fname;
char *p;
if(!c->config_tree) {
init_configuration(&c->config_tree);
if(!read_host_config(c->config_tree, c->name))
return false;
}
2011-07-07 20:28:25 +00:00
/* First, check for simple ECDSAPublicKey statement */
if(get_config_string(lookup_config(c->config_tree, "ECDSAPublicKey"), &p)) {
c->ecdsa = ecdsa_set_base64_public_key(p);
2011-07-07 20:28:25 +00:00
free(p);
return c->ecdsa;
2011-07-07 20:28:25 +00:00
}
/* Else, check for ECDSAPublicKeyFile statement and read it */
if(!get_config_string(lookup_config(c->config_tree, "ECDSAPublicKeyFile"), &fname))
xasprintf(&fname, "%s" SLASH "hosts" SLASH "%s", confbase, c->name);
2011-07-07 20:28:25 +00:00
fp = fopen(fname, "r");
if(!fp) {
logger(DEBUG_ALWAYS, LOG_ERR, "Error reading ECDSA public key file `%s': %s",
2011-07-07 20:28:25 +00:00
fname, strerror(errno));
free(fname);
return false;
}
c->ecdsa = ecdsa_read_pem_public_key(fp);
2011-07-07 20:28:25 +00:00
fclose(fp);
if(!c->ecdsa)
logger(DEBUG_ALWAYS, LOG_ERR, "Parsing ECDSA public key file `%s' failed.", fname);
2011-07-07 20:28:25 +00:00
free(fname);
return c->ecdsa;
2011-07-07 20:28:25 +00:00
}
2007-05-18 10:00:00 +00:00
bool read_rsa_public_key(connection_t *c) {
if(ecdsa_active(c->ecdsa))
return true;
2002-09-09 21:25:28 +00:00
FILE *fp;
char *fname;
char *n;
2002-09-09 21:25:28 +00:00
/* First, check for simple PublicKey statement */
if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &n)) {
c->rsa = rsa_set_hex_public_key(n, "FFFF");
free(n);
return c->rsa;
}
/* Else, check for PublicKeyFile statement and read it */
if(!get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname))
xasprintf(&fname, "%s" SLASH "hosts" SLASH "%s", confbase, c->name);
fp = fopen(fname, "r");
if(!fp) {
logger(DEBUG_ALWAYS, LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno));
free(fname);
2003-07-22 20:55:21 +00:00
return false;
2002-09-09 21:25:28 +00:00
}
c->rsa = rsa_read_pem_public_key(fp);
fclose(fp);
if(!c->rsa)
logger(DEBUG_ALWAYS, LOG_ERR, "Reading RSA public key file `%s' failed: %s", fname, strerror(errno));
free(fname);
return c->rsa;
}
2011-07-07 20:28:25 +00:00
static bool read_ecdsa_private_key(void) {
FILE *fp;
char *fname;
/* Check for PrivateKeyFile statement and read it */
if(!get_config_string(lookup_config(config_tree, "ECDSAPrivateKeyFile"), &fname))
xasprintf(&fname, "%s" SLASH "ecdsa_key.priv", confbase);
2011-07-07 20:28:25 +00:00
fp = fopen(fname, "r");
if(!fp) {
logger(DEBUG_ALWAYS, LOG_ERR, "Error reading ECDSA private key file `%s': %s", fname, strerror(errno));
2013-05-10 19:11:45 +00:00
if(errno == ENOENT)
logger(DEBUG_ALWAYS, LOG_INFO, "Create an ECDSA keypair with `tinc -n %s generate-ecdsa-keys'.", netname ?: ".");
2011-07-07 20:28:25 +00:00
free(fname);
return false;
}
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
struct stat s;
if(fstat(fileno(fp), &s)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Could not stat ECDSA private key file `%s': %s'", fname, strerror(errno));
2011-07-07 20:28:25 +00:00
free(fname);
return false;
}
if(s.st_mode & ~0100700)
logger(DEBUG_ALWAYS, LOG_WARNING, "Warning: insecure file permissions for ECDSA private key file `%s'!", fname);
2011-07-07 20:28:25 +00:00
#endif
myself->connection->ecdsa = ecdsa_read_pem_private_key(fp);
2011-07-07 20:28:25 +00:00
fclose(fp);
if(!myself->connection->ecdsa)
logger(DEBUG_ALWAYS, LOG_ERR, "Reading ECDSA private key file `%s' failed: %s", fname, strerror(errno));
2011-07-07 20:28:25 +00:00
free(fname);
return myself->connection->ecdsa;
2011-07-07 20:28:25 +00:00
}
Add an invitation protocol. Using the tinc command, an administrator of an existing VPN can generate invitations for new nodes. The invitation is a small URL that can easily be copy&pasted into email or live chat. Another person can have tinc automatically setup the necessary configuration files and exchange keys with the server, by only using the invitation URL. The invitation protocol uses temporary ECDSA keys. The invitation URL consists of the hostname and port of the server, a hash of the server's temporary ECDSA key and a cookie. When the client wants to accept an invitation, it also creates a temporary ECDSA key, connects to the server and says it wants to accept an invitation. Both sides exchange their temporary keys. The client verifies that the server's key matches the hash in the invitation URL. After setting up an SPTPS connection using the temporary keys, the client gives the cookie to the server. If the cookie is valid, the server sends the client an invitation file containing the client's new name and a copy of the server's host config file. If everything is ok, the client will generate a long-term ECDSA key and send it to the server, which will add it to a new host config file for the client. The invitation protocol currently allows multiple host config files to be send from the server to the client. However, the client filters out most configuration variables for its own host configuration file. In particular, it only accepts Name, Mode, Broadcast, ConnectTo, Subnet and AutoConnect. Also, at the moment no tinc-up script is generated. When an invitation has succesfully been accepted, the client needs to start the tinc daemon manually.
2013-05-29 16:31:10 +00:00
static bool read_invitation_key(void) {
FILE *fp;
char *fname;
if(invitation_key) {
ecdsa_free(invitation_key);
invitation_key = NULL;
}
xasprintf(&fname, "%s" SLASH "invitations" SLASH "ecdsa_key.priv", confbase);
fp = fopen(fname, "r");
if(fp) {
invitation_key = ecdsa_read_pem_private_key(fp);
fclose(fp);
if(!invitation_key)
logger(DEBUG_ALWAYS, LOG_ERR, "Reading ECDSA private key file `%s' failed: %s", fname, strerror(errno));
}
free(fname);
return invitation_key;
}
static bool read_rsa_private_key(void) {
2002-09-09 21:25:28 +00:00
FILE *fp;
char *fname;
char *n, *d;
2002-09-09 21:25:28 +00:00
/* First, check for simple PrivateKey statement */
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &d)) {
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &n)) {
logger(DEBUG_ALWAYS, LOG_ERR, "PrivateKey used but no PublicKey found!");
free(d);
return false;
}
myself->connection->rsa = rsa_set_hex_private_key(n, "FFFF", d);
free(n);
free(d);
return myself->connection->rsa;
}
/* Else, check for PrivateKeyFile statement and read it */
2002-09-09 21:25:28 +00:00
if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
xasprintf(&fname, "%s" SLASH "rsa_key.priv", confbase);
2002-09-09 21:25:28 +00:00
fp = fopen(fname, "r");
2002-09-09 21:25:28 +00:00
if(!fp) {
logger(DEBUG_ALWAYS, LOG_ERR, "Error reading RSA private key file `%s': %s",
fname, strerror(errno));
free(fname);
return false;
}
2002-09-09 21:25:28 +00:00
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
struct stat s;
if(fstat(fileno(fp), &s)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Could not stat RSA private key file `%s': %s'", fname, strerror(errno));
2002-09-09 21:25:28 +00:00
free(fname);
return false;
}
2002-09-09 21:25:28 +00:00
if(s.st_mode & ~0100700)
logger(DEBUG_ALWAYS, LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
#endif
2002-09-09 21:25:28 +00:00
myself->connection->rsa = rsa_read_pem_private_key(fp);
fclose(fp);
if(!myself->connection->rsa)
logger(DEBUG_ALWAYS, LOG_ERR, "Reading RSA private key file `%s' failed: %s", fname, strerror(errno));
2002-09-09 21:25:28 +00:00
free(fname);
return myself->connection->rsa;
}
static timeout_t keyexpire_timeout;
static void keyexpire_handler(void *data) {
regenerate_key();
timeout_set(data, &(struct timeval){keylifetime, rand() % 100000});
}
void regenerate_key(void) {
logger(DEBUG_STATUS, LOG_INFO, "Expiring symmetric keys");
send_key_changed();
}
/*
Read Subnets from all host config files
*/
void load_all_subnets(void) {
DIR *dir;
struct dirent *ent;
char *dname;
xasprintf(&dname, "%s" SLASH "hosts", confbase);
dir = opendir(dname);
if(!dir) {
logger(DEBUG_ALWAYS, LOG_ERR, "Could not open %s: %s", dname, strerror(errno));
free(dname);
return;
}
while((ent = readdir(dir))) {
if(!check_id(ent->d_name))
continue;
2012-10-07 22:35:38 +00:00
node_t *n = lookup_node(ent->d_name);
#ifdef _DIRENT_HAVE_D_TYPE
//if(ent->d_type != DT_REG)
// continue;
#endif
2012-10-07 22:35:38 +00:00
splay_tree_t *config_tree;
init_configuration(&config_tree);
read_config_options(config_tree, ent->d_name);
read_host_config(config_tree, ent->d_name);
if(!n) {
n = new_node();
n->name = xstrdup(ent->d_name);
node_add(n);
}
2012-10-07 22:35:38 +00:00
for(config_t *cfg = lookup_config(config_tree, "Subnet"); cfg; cfg = lookup_config_next(config_tree, cfg)) {
subnet_t *s, *s2;
if(!get_config_subnet(cfg, &s))
continue;
if((s2 = lookup_subnet(n, s))) {
s2->expires = -1;
} else {
subnet_add(n, s);
}
}
exit_configuration(&config_tree);
}
closedir(dir);
}
void load_all_nodes(void) {
DIR *dir;
struct dirent *ent;
char *dname;
xasprintf(&dname, "%s" SLASH "hosts", confbase);
dir = opendir(dname);
if(!dir) {
logger(DEBUG_ALWAYS, LOG_ERR, "Could not open %s: %s", dname, strerror(errno));
free(dname);
return;
}
while((ent = readdir(dir))) {
if(!check_id(ent->d_name))
continue;
node_t *n = lookup_node(ent->d_name);
if(n)
continue;
n = new_node();
n->name = xstrdup(ent->d_name);
node_add(n);
}
closedir(dir);
}
char *get_name(void) {
char *name = NULL;
get_config_string(lookup_config(config_tree, "Name"), &name);
if(!name)
return NULL;
if(*name == '$') {
char *envname = getenv(name + 1);
char hostname[32] = "";
if(!envname) {
if(strcmp(name + 1, "HOST")) {
2012-10-14 13:37:24 +00:00
logger(DEBUG_ALWAYS, LOG_ERR, "Invalid Name: environment variable %s does not exist\n", name + 1);
return false;
}
if(gethostname(hostname, sizeof hostname) || !*hostname) {
2012-10-14 13:37:24 +00:00
logger(DEBUG_ALWAYS, LOG_ERR, "Could not get hostname: %s\n", strerror(errno));
return false;
}
hostname[31] = 0;
envname = hostname;
}
free(name);
name = xstrdup(envname);
for(char *c = name; *c; c++)
if(!isalnum(*c))
*c = '_';
}
if(!check_id(name)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Invalid name for myself!");
free(name);
return false;
}
return name;
}
bool setup_myself_reloadable(void) {
char *proxy = NULL;
2012-10-07 15:53:23 +00:00
char *rmode = NULL;
char *fmode = NULL;
char *bmode = NULL;
char *afname = NULL;
char *address = NULL;
char *space;
2003-07-22 20:55:21 +00:00
bool choice;
2012-10-07 15:53:23 +00:00
free(scriptinterpreter);
scriptinterpreter = NULL;
get_config_string(lookup_config(config_tree, "ScriptsInterpreter"), &scriptinterpreter);
2012-10-10 15:17:49 +00:00
2012-10-07 15:53:23 +00:00
free(scriptextension);
if(!get_config_string(lookup_config(config_tree, "ScriptsExtension"), &scriptextension))
scriptextension = xstrdup("");
get_config_string(lookup_config(config_tree, "Proxy"), &proxy);
if(proxy) {
if((space = strchr(proxy, ' ')))
*space++ = 0;
if(!strcasecmp(proxy, "none")) {
proxytype = PROXY_NONE;
} else if(!strcasecmp(proxy, "socks4")) {
proxytype = PROXY_SOCKS4;
} else if(!strcasecmp(proxy, "socks4a")) {
proxytype = PROXY_SOCKS4A;
} else if(!strcasecmp(proxy, "socks5")) {
proxytype = PROXY_SOCKS5;
} else if(!strcasecmp(proxy, "http")) {
proxytype = PROXY_HTTP;
} else if(!strcasecmp(proxy, "exec")) {
proxytype = PROXY_EXEC;
} else {
logger(DEBUG_ALWAYS, LOG_ERR, "Unknown proxy type %s!", proxy);
return false;
}
switch(proxytype) {
case PROXY_NONE:
default:
break;
case PROXY_EXEC:
if(!space || !*space) {
logger(DEBUG_ALWAYS, LOG_ERR, "Argument expected for proxy type exec!");
return false;
}
proxyhost = xstrdup(space);
break;
case PROXY_SOCKS4:
case PROXY_SOCKS4A:
case PROXY_SOCKS5:
case PROXY_HTTP:
proxyhost = space;
if(space && (space = strchr(space, ' ')))
*space++ = 0, proxyport = space;
if(space && (space = strchr(space, ' ')))
*space++ = 0, proxyuser = space;
if(space && (space = strchr(space, ' ')))
*space++ = 0, proxypass = space;
if(!proxyhost || !*proxyhost || !proxyport || !*proxyport) {
logger(DEBUG_ALWAYS, LOG_ERR, "Host and port argument expected for proxy!");
return false;
}
proxyhost = xstrdup(proxyhost);
proxyport = xstrdup(proxyport);
if(proxyuser && *proxyuser)
proxyuser = xstrdup(proxyuser);
if(proxypass && *proxypass)
proxypass = xstrdup(proxypass);
break;
}
free(proxy);
}
if(get_config_bool(lookup_config(config_tree, "IndirectData"), &choice) && choice)
myself->options |= OPTION_INDIRECT;
2002-09-09 21:25:28 +00:00
if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice) && choice)
myself->options |= OPTION_TCPONLY;
2002-09-09 21:25:28 +00:00
if(myself->options & OPTION_TCPONLY)
myself->options |= OPTION_INDIRECT;
get_config_bool(lookup_config(config_tree, "DirectOnly"), &directonly);
get_config_bool(lookup_config(config_tree, "LocalDiscovery"), &localdiscovery);
2012-10-10 15:17:49 +00:00
memset(&localdiscovery_address, 0, sizeof localdiscovery_address);
if(get_config_string(lookup_config(config_tree, "LocalDiscoveryAddress"), &address)) {
struct addrinfo *ai = str2addrinfo(address, myport, SOCK_DGRAM);
free(address);
if(!ai)
return false;
memcpy(&localdiscovery_address, ai->ai_addr, ai->ai_addrlen);
}
2012-10-07 15:53:23 +00:00
if(get_config_string(lookup_config(config_tree, "Mode"), &rmode)) {
if(!strcasecmp(rmode, "router"))
2002-09-09 21:25:28 +00:00
routing_mode = RMODE_ROUTER;
2012-10-07 15:53:23 +00:00
else if(!strcasecmp(rmode, "switch"))
2002-09-09 21:25:28 +00:00
routing_mode = RMODE_SWITCH;
2012-10-07 15:53:23 +00:00
else if(!strcasecmp(rmode, "hub"))
2002-09-09 21:25:28 +00:00
routing_mode = RMODE_HUB;
else {
logger(DEBUG_ALWAYS, LOG_ERR, "Invalid routing mode!");
2003-07-22 20:55:21 +00:00
return false;
2002-09-09 21:25:28 +00:00
}
2012-10-07 15:53:23 +00:00
free(rmode);
}
2002-09-09 21:25:28 +00:00
2012-10-07 15:53:23 +00:00
if(get_config_string(lookup_config(config_tree, "Forwarding"), &fmode)) {
if(!strcasecmp(fmode, "off"))
2010-03-02 22:27:50 +00:00
forwarding_mode = FMODE_OFF;
2012-10-07 15:53:23 +00:00
else if(!strcasecmp(fmode, "internal"))
2010-03-02 22:27:50 +00:00
forwarding_mode = FMODE_INTERNAL;
2012-10-07 15:53:23 +00:00
else if(!strcasecmp(fmode, "kernel"))
2010-03-02 22:27:50 +00:00
forwarding_mode = FMODE_KERNEL;
else {
logger(DEBUG_ALWAYS, LOG_ERR, "Invalid forwarding mode!");
return false;
}
2012-10-07 15:53:23 +00:00
free(fmode);
}
choice = true;
get_config_bool(lookup_config(config_tree, "PMTUDiscovery"), &choice);
if(choice)
myself->options |= OPTION_PMTU_DISCOVERY;
choice = true;
get_config_bool(lookup_config(config_tree, "ClampMSS"), &choice);
if(choice)
myself->options |= OPTION_CLAMP_MSS;
2003-07-22 20:55:21 +00:00
get_config_bool(lookup_config(config_tree, "PriorityInheritance"), &priorityinheritance);
get_config_bool(lookup_config(config_tree, "DecrementTTL"), &decrement_ttl);
2012-10-07 15:53:23 +00:00
if(get_config_string(lookup_config(config_tree, "Broadcast"), &bmode)) {
if(!strcasecmp(bmode, "no"))
broadcast_mode = BMODE_NONE;
2012-10-07 15:53:23 +00:00
else if(!strcasecmp(bmode, "yes") || !strcasecmp(bmode, "mst"))
broadcast_mode = BMODE_MST;
2012-10-07 15:53:23 +00:00
else if(!strcasecmp(bmode, "direct"))
broadcast_mode = BMODE_DIRECT;
else {
logger(DEBUG_ALWAYS, LOG_ERR, "Invalid broadcast mode!");
return false;
}
2012-10-07 15:53:23 +00:00
free(bmode);
}
2003-07-22 20:55:21 +00:00
#if !defined(SOL_IP) || !defined(IP_TOS)
2002-09-09 21:25:28 +00:00
if(priorityinheritance)
logger(DEBUG_ALWAYS, LOG_WARNING, "%s not supported on this platform", "PriorityInheritance");
#endif
2002-03-01 12:25:58 +00:00
2002-09-09 21:25:28 +00:00
if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
macexpire = 600;
if(get_config_int(lookup_config(config_tree, "MaxTimeout"), &maxtimeout)) {
2002-09-09 21:25:28 +00:00
if(maxtimeout <= 0) {
logger(DEBUG_ALWAYS, LOG_ERR, "Bogus maximum timeout!");
2003-07-22 20:55:21 +00:00
return false;
2002-09-09 21:25:28 +00:00
}
} else
maxtimeout = 900;
if(get_config_string(lookup_config(config_tree, "AddressFamily"), &afname)) {
if(!strcasecmp(afname, "IPv4"))
addressfamily = AF_INET;
else if(!strcasecmp(afname, "IPv6"))
addressfamily = AF_INET6;
else if(!strcasecmp(afname, "any"))
addressfamily = AF_UNSPEC;
else {
logger(DEBUG_ALWAYS, LOG_ERR, "Invalid address family!");
return false;
}
free(afname);
}
get_config_bool(lookup_config(config_tree, "Hostnames"), &hostnames);
if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
keylifetime = 3600;
get_config_int(lookup_config(config_tree, "AutoConnect"), &autoconnect);
if(autoconnect < 0)
autoconnect = 0;
get_config_bool(lookup_config(config_tree, "DisableBuggyPeers"), &disablebuggypeers);
Add an invitation protocol. Using the tinc command, an administrator of an existing VPN can generate invitations for new nodes. The invitation is a small URL that can easily be copy&pasted into email or live chat. Another person can have tinc automatically setup the necessary configuration files and exchange keys with the server, by only using the invitation URL. The invitation protocol uses temporary ECDSA keys. The invitation URL consists of the hostname and port of the server, a hash of the server's temporary ECDSA key and a cookie. When the client wants to accept an invitation, it also creates a temporary ECDSA key, connects to the server and says it wants to accept an invitation. Both sides exchange their temporary keys. The client verifies that the server's key matches the hash in the invitation URL. After setting up an SPTPS connection using the temporary keys, the client gives the cookie to the server. If the cookie is valid, the server sends the client an invitation file containing the client's new name and a copy of the server's host config file. If everything is ok, the client will generate a long-term ECDSA key and send it to the server, which will add it to a new host config file for the client. The invitation protocol currently allows multiple host config files to be send from the server to the client. However, the client filters out most configuration variables for its own host configuration file. In particular, it only accepts Name, Mode, Broadcast, ConnectTo, Subnet and AutoConnect. Also, at the moment no tinc-up script is generated. When an invitation has succesfully been accepted, the client needs to start the tinc daemon manually.
2013-05-29 16:31:10 +00:00
read_invitation_key();
return true;
}
/*
Configure node_t myself and set up the local sockets (listen only)
*/
static bool setup_myself(void) {
char *name, *hostname, *cipher, *digest, *type;
char *address = NULL;
bool port_specified = false;
if(!(name = get_name())) {
logger(DEBUG_ALWAYS, LOG_ERR, "Name for tinc daemon required!");
return false;
}
myself = new_node();
myself->connection = new_connection();
myself->name = name;
myself->connection->name = xstrdup(name);
read_host_config(config_tree, name);
if(!get_config_string(lookup_config(config_tree, "Port"), &myport))
myport = xstrdup("655");
else
port_specified = true;
myself->connection->options = 0;
myself->connection->protocol_major = PROT_MAJOR;
myself->connection->protocol_minor = PROT_MINOR;
myself->options |= PROT_MINOR << 24;
if(!get_config_bool(lookup_config(config_tree, "ExperimentalProtocol"), &experimental)) {
experimental = read_ecdsa_private_key();
if(!experimental)
logger(DEBUG_ALWAYS, LOG_WARNING, "Support for SPTPS disabled.");
} else {
if(experimental && !read_ecdsa_private_key())
return false;
}
if(!read_rsa_private_key())
return false;
/* Ensure myport is numeric */
if(!atoi(myport)) {
struct addrinfo *ai = str2addrinfo("localhost", myport, SOCK_DGRAM);
sockaddr_t sa;
if(!ai || !ai->ai_addr)
return false;
free(myport);
memcpy(&sa, ai->ai_addr, ai->ai_addrlen);
sockaddr2str(&sa, NULL, &myport);
}
/* Read in all the subnets specified in the host configuration file */
2012-10-07 22:35:38 +00:00
for(config_t *cfg = lookup_config(config_tree, "Subnet"); cfg; cfg = lookup_config_next(config_tree, cfg)) {
subnet_t *subnet;
if(!get_config_subnet(cfg, &subnet))
return false;
subnet_add(myself, subnet);
}
/* Check some options */
if(!setup_myself_reloadable())
return false;
get_config_bool(lookup_config(config_tree, "StrictSubnets"), &strictsubnets);
get_config_bool(lookup_config(config_tree, "TunnelServer"), &tunnelserver);
strictsubnets |= tunnelserver;
if(get_config_int(lookup_config(config_tree, "MaxConnectionBurst"), &max_connection_burst)) {
if(max_connection_burst <= 0) {
logger(DEBUG_ALWAYS, LOG_ERR, "MaxConnectionBurst cannot be negative!");
return false;
}
}
if(get_config_int(lookup_config(config_tree, "UDPRcvBuf"), &udp_rcvbuf)) {
if(udp_rcvbuf <= 0) {
logger(DEBUG_ALWAYS, LOG_ERR, "UDPRcvBuf cannot be negative!");
return false;
}
}
if(get_config_int(lookup_config(config_tree, "UDPSndBuf"), &udp_sndbuf)) {
if(udp_sndbuf <= 0) {
logger(DEBUG_ALWAYS, LOG_ERR, "UDPSndBuf cannot be negative!");
return false;
}
}
2012-10-07 22:35:38 +00:00
int replaywin_int;
if(get_config_int(lookup_config(config_tree, "ReplayWindow"), &replaywin_int)) {
if(replaywin_int < 0) {
logger(DEBUG_ALWAYS, LOG_ERR, "ReplayWindow cannot be negative!");
return false;
}
replaywin = (unsigned)replaywin_int;
sptps_replaywin = replaywin;
}
2002-09-09 21:25:28 +00:00
/* Generate packet encryption key */
if(!get_config_string(lookup_config(config_tree, "Cipher"), &cipher))
cipher = xstrdup("blowfish");
2002-09-09 21:25:28 +00:00
if(!strcasecmp(cipher, "none")) {
myself->incipher = NULL;
} else if(!(myself->incipher = cipher_open_by_name(cipher))) {
logger(DEBUG_ALWAYS, LOG_ERR, "Unrecognized cipher type!");
return false;
}
2002-09-09 21:25:28 +00:00
2012-10-09 14:27:28 +00:00
free(cipher);
timeout_add(&keyexpire_timeout, keyexpire_handler, &keyexpire_timeout, &(struct timeval){keylifetime, rand() % 100000});
2002-09-09 21:25:28 +00:00
/* Check if we want to use message authentication codes... */
int maclength = 4;
get_config_int(lookup_config(config_tree, "MACLength"), &maclength);
if(maclength < 0) {
logger(DEBUG_ALWAYS, LOG_ERR, "Bogus MAC length!");
return false;
}
2011-12-26 22:11:27 +00:00
if(!get_config_string(lookup_config(config_tree, "Digest"), &digest))
digest = xstrdup("sha1");
if(!strcasecmp(digest, "none")) {
myself->indigest = NULL;
} else if(!(myself->indigest = digest_open_by_name(digest, maclength))) {
logger(DEBUG_ALWAYS, LOG_ERR, "Unrecognized digest type!");
return false;
}
2002-09-09 21:25:28 +00:00
2012-10-09 14:27:28 +00:00
free(digest);
2002-09-09 21:25:28 +00:00
/* Compression */
if(get_config_int(lookup_config(config_tree, "Compression"), &myself->incompression)) {
if(myself->incompression < 0 || myself->incompression > 11) {
logger(DEBUG_ALWAYS, LOG_ERR, "Bogus compression level!");
2003-07-22 20:55:21 +00:00
return false;
2002-09-09 21:25:28 +00:00
}
} else
myself->incompression = 0;
2002-09-09 21:25:28 +00:00
myself->connection->outcompression = 0;
/* Done */
myself->nexthop = myself;
myself->via = myself;
2003-07-22 20:55:21 +00:00
myself->status.reachable = true;
myself->last_state_change = now.tv_sec;
myself->status.sptps = experimental;
2002-09-09 21:25:28 +00:00
node_add(myself);
graph();
if(strictsubnets)
load_all_subnets();
else if(autoconnect)
load_all_nodes();
/* Open device */
devops = os_devops;
if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) {
if(!strcasecmp(type, "dummy"))
devops = dummy_devops;
else if(!strcasecmp(type, "raw_socket"))
devops = raw_socket_devops;
else if(!strcasecmp(type, "multicast"))
devops = multicast_devops;
#ifdef ENABLE_UML
else if(!strcasecmp(type, "uml"))
devops = uml_devops;
#endif
#ifdef ENABLE_VDE
else if(!strcasecmp(type, "vde"))
devops = vde_devops;
#endif
}
if(!devops.setup())
return false;
if(device_fd >= 0)
io_add(&device_io, handle_device_data, NULL, device_fd, IO_READ);
2002-09-09 21:25:28 +00:00
/* Open sockets */
if(!do_detach && getenv("LISTEN_FDS")) {
sockaddr_t sa;
socklen_t salen;
2002-09-09 21:25:28 +00:00
listen_sockets = atoi(getenv("LISTEN_FDS"));
#ifdef HAVE_UNSETENV
unsetenv("LISTEN_FDS");
#endif
2002-09-09 21:25:28 +00:00
if(listen_sockets > MAXSOCKETS) {
logger(DEBUG_ALWAYS, LOG_ERR, "Too many listening sockets");
return false;
}
2002-09-09 21:25:28 +00:00
2012-10-07 22:35:38 +00:00
for(int i = 0; i < listen_sockets; i++) {
salen = sizeof sa;
if(getsockname(i + 3, &sa.sa, &salen) < 0) {
logger(DEBUG_ALWAYS, LOG_ERR, "Could not get address of listen fd %d: %s", i + 3, sockstrerror(errno));
return false;
}
2002-09-09 21:25:28 +00:00
#ifdef FD_CLOEXEC
2012-10-10 15:17:49 +00:00
fcntl(i + 3, F_SETFD, FD_CLOEXEC);
#endif
int udp_fd = setup_vpn_in_socket(&sa);
if(udp_fd < 0)
return false;
io_add(&listen_socket[i].tcp, (io_cb_t)handle_new_meta_connection, &listen_socket[i], i + 3, IO_READ);
io_add(&listen_socket[i].udp, (io_cb_t)handle_incoming_vpn_data, &listen_socket[i], udp_fd, IO_READ);
2002-09-09 21:25:28 +00:00
if(debug_level >= DEBUG_CONNECTIONS) {
hostname = sockaddr2hostname(&sa);
logger(DEBUG_CONNECTIONS, LOG_NOTICE, "Listening on %s", hostname);
free(hostname);
}
memcpy(&listen_socket[i].sa, &sa, salen);
}
} else {
listen_sockets = 0;
2012-10-07 22:35:38 +00:00
config_t *cfg = lookup_config(config_tree, "BindToAddress");
do {
get_config_string(cfg, &address);
if(cfg)
cfg = lookup_config_next(config_tree, cfg);
char *port = myport;
if(address) {
char *space = strchr(address, ' ');
if(space) {
*space++ = 0;
port = space;
}
if(!strcmp(address, "*"))
*address = 0;
}
2012-10-07 22:35:38 +00:00
struct addrinfo *ai, hint = {0};
hint.ai_family = addressfamily;
hint.ai_socktype = SOCK_STREAM;
hint.ai_protocol = IPPROTO_TCP;
hint.ai_flags = AI_PASSIVE;
2012-10-07 22:35:38 +00:00
int err = getaddrinfo(address && *address ? address : NULL, port, &hint, &ai);
free(address);
if(err || !ai) {
logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "getaddrinfo", err == EAI_SYSTEM ? strerror(err) : gai_strerror(err));
return false;
}
2012-10-07 22:35:38 +00:00
for(struct addrinfo *aip = ai; aip; aip = aip->ai_next) {
if(listen_sockets >= MAXSOCKETS) {
logger(DEBUG_ALWAYS, LOG_ERR, "Too many listening sockets");
return false;
}
2002-09-09 21:25:28 +00:00
int tcp_fd = setup_listen_socket((sockaddr_t *) aip->ai_addr);
2002-09-09 21:25:28 +00:00
if(tcp_fd < 0)
continue;
2002-09-09 21:25:28 +00:00
int udp_fd = setup_vpn_in_socket((sockaddr_t *) aip->ai_addr);
2002-09-09 21:25:28 +00:00
if(tcp_fd < 0) {
close(tcp_fd);
continue;
}
io_add(&listen_socket[listen_sockets].tcp, handle_new_meta_connection, &listen_socket[listen_sockets], tcp_fd, IO_READ);
io_add(&listen_socket[listen_sockets].udp, handle_incoming_vpn_data, &listen_socket[listen_sockets], udp_fd, IO_READ);
if(debug_level >= DEBUG_CONNECTIONS) {
hostname = sockaddr2hostname((sockaddr_t *) aip->ai_addr);
logger(DEBUG_CONNECTIONS, LOG_NOTICE, "Listening on %s", hostname);
free(hostname);
}
memcpy(&listen_socket[listen_sockets].sa, aip->ai_addr, aip->ai_addrlen);
listen_sockets++;
}
freeaddrinfo(ai);
} while(cfg);
}
2002-09-09 21:25:28 +00:00
if(!listen_sockets) {
logger(DEBUG_ALWAYS, LOG_ERR, "Unable to create any listening socket!");
2003-07-22 20:55:21 +00:00
return false;
2002-09-09 21:25:28 +00:00
}
/* If no Port option was specified, set myport to the port used by the first listening socket. */
if(!port_specified) {
sockaddr_t sa;
socklen_t salen = sizeof sa;
if(!getsockname(listen_socket[0].udp.fd, &sa.sa, &salen)) {
free(myport);
sockaddr2str(&sa, NULL, &myport);
if(!myport)
myport = xstrdup("655");
}
}
xasprintf(&myself->hostname, "MYSELF port %s", myport);
myself->connection->hostname = xstrdup(myself->hostname);
/* Done. */
last_config_check = now.tv_sec;
2003-07-22 20:55:21 +00:00
return true;
}
/*
initialize network
*/
bool setup_network(void) {
2002-09-09 21:25:28 +00:00
init_connections();
init_subnets();
init_nodes();
init_edges();
init_requests();
if(get_config_int(lookup_config(config_tree, "PingInterval"), &pinginterval)) {
if(pinginterval < 1) {
pinginterval = 86400;
2002-09-09 21:25:28 +00:00
}
} else
pinginterval = 60;
if(!get_config_int(lookup_config(config_tree, "PingTimeout"), &pingtimeout))
pingtimeout = 5;
if(pingtimeout < 1 || pingtimeout > pinginterval)
pingtimeout = pinginterval;
if(!get_config_int(lookup_config(config_tree, "MaxOutputBufferSize"), &maxoutbufsize))
maxoutbufsize = 10 * MTU;
2002-09-09 21:25:28 +00:00
2003-07-22 20:55:21 +00:00
if(!setup_myself())
return false;
2003-01-14 12:53:59 +00:00
if(!init_control())
return false;
/* Run tinc-up script to further initialize the tap interface */
char *envp[5] = {NULL};
xasprintf(&envp[0], "NETNAME=%s", netname ? : "");
xasprintf(&envp[1], "DEVICE=%s", device ? : "");
xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
xasprintf(&envp[3], "NAME=%s", myself->name);
execute_script("tinc-up", envp);
for(int i = 0; i < 4; i++)
free(envp[i]);
/* Run subnet-up scripts for our own subnets */
subnet_update(myself, NULL, true);
2003-07-22 20:55:21 +00:00
return true;
}
/*
close all open network connections
*/
2007-05-18 10:00:00 +00:00
void close_network_connections(void) {
for(list_node_t *node = connection_list->head, *next; node; node = next) {
2002-09-09 21:25:28 +00:00
next = node->next;
connection_t *c = node->data;
/* Keep control connections open until the end, so they know when we really terminated */
if(c->status.control)
c->socket = -1;
c->outgoing = NULL;
2003-07-22 20:55:21 +00:00
terminate_connection(c, false);
2002-09-09 21:25:28 +00:00
}
list_delete_list(outgoing_list);
2004-12-01 20:06:05 +00:00
if(myself && myself->connection) {
subnet_update(myself, NULL, false);
2003-07-22 20:55:21 +00:00
terminate_connection(myself->connection, false);
free_connection(myself->connection);
2004-12-01 20:06:05 +00:00
}
2002-09-09 21:25:28 +00:00
for(int i = 0; i < listen_sockets; i++) {
io_del(&listen_socket[i].tcp);
io_del(&listen_socket[i].udp);
close(listen_socket[i].tcp.fd);
close(listen_socket[i].udp.fd);
2002-09-09 21:25:28 +00:00
}
char *envp[5] = {NULL};
2009-09-08 16:18:36 +00:00
xasprintf(&envp[0], "NETNAME=%s", netname ? : "");
xasprintf(&envp[1], "DEVICE=%s", device ? : "");
xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
xasprintf(&envp[3], "NAME=%s", myself->name);
2002-09-09 21:25:28 +00:00
exit_requests();
exit_edges();
exit_subnets();
exit_nodes();
exit_connections();
execute_script("tinc-down", envp);
if(myport) free(myport);
for(int i = 0; i < 4; i++)
2002-09-09 21:25:28 +00:00
free(envp[i]);
devops.close();
2002-09-09 21:25:28 +00:00
exit_control();
2002-09-09 21:25:28 +00:00
return;
}