3 Copyright (C) 1998-2005 Ivo Timmermans,
4 2000-2010 Guus Sliepen <guus@tinc-vpn.org>
5 2006 Scott Lamb <slamb@slamb.org>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License along
18 with this program; if not, write to the Free Software Foundation, Inc.,
19 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 #include "splay_tree.h"
27 #include "connection.h"
44 static struct event device_ev;
46 bool read_rsa_public_key(connection_t *c) {
52 /* First, check for simple PublicKey statement */
54 if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &n)) {
55 result = rsa_set_hex_public_key(&c->rsa, n, "FFFF");
60 /* Else, check for PublicKeyFile statement and read it */
62 if(!get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname))
63 xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
65 fp = fopen(fname, "r");
68 logger(LOG_ERR, "Error reading RSA public key file `%s': %s",
69 fname, strerror(errno));
74 result = rsa_read_pem_public_key(&c->rsa, fp);
78 logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s", fname, strerror(errno));
83 bool read_rsa_private_key() {
89 /* First, check for simple PrivateKey statement */
91 if(get_config_string(lookup_config(config_tree, "PrivateKey"), &d)) {
92 if(!get_config_string(lookup_config(myself->connection->config_tree, "PublicKey"), &n)) {
93 logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
97 result = rsa_set_hex_private_key(&myself->connection->rsa, n, "FFFF", d);
103 /* Else, check for PrivateKeyFile statement and read it */
105 if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
106 xasprintf(&fname, "%s/rsa_key.priv", confbase);
108 fp = fopen(fname, "r");
111 logger(LOG_ERR, "Error reading RSA private key file `%s': %s",
112 fname, strerror(errno));
117 #if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
120 if(fstat(fileno(fp), &s)) {
121 logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'", fname, strerror(errno));
126 if(s.st_mode & ~0100700)
127 logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
130 result = rsa_read_pem_private_key(&myself->connection->rsa, fp);
134 logger(LOG_ERR, "Reading RSA private key file `%s' failed: %s", fname, strerror(errno));
139 static struct event keyexpire_event;
141 static void keyexpire_handler(int fd, short events, void *data) {
145 void regenerate_key() {
146 if(timeout_initialized(&keyexpire_event)) {
147 ifdebug(STATUS) logger(LOG_INFO, "Expiring symmetric keys");
148 event_del(&keyexpire_event);
149 send_key_changed(broadcast, myself);
151 timeout_set(&keyexpire_event, keyexpire_handler, NULL);
154 event_add(&keyexpire_event, &(struct timeval){keylifetime, 0});
158 Read Subnets from all host config files
160 void load_all_subnets(void) {
165 splay_tree_t *config_tree;
171 xasprintf(&dname, "%s/hosts", confbase);
172 dir = opendir(dname);
174 logger(LOG_ERR, "Could not open %s: %s", dname, strerror(errno));
179 while((ent = readdir(dir))) {
180 if(!check_id(ent->d_name))
183 n = lookup_node(ent->d_name);
184 #ifdef _DIRENT_HAVE_D_TYPE
185 //if(ent->d_type != DT_REG)
189 xasprintf(&fname, "%s/hosts/%s", confbase, ent->d_name);
190 init_configuration(&config_tree);
191 result = read_config_file(config_tree, fname);
198 n->name = xstrdup(ent->d_name);
202 for(cfg = lookup_config(config_tree, "Subnet"); cfg; cfg = lookup_config_next(config_tree, cfg)) {
203 if(!get_config_subnet(cfg, &s))
206 if((s2 = lookup_subnet(n, s))) {
213 exit_configuration(&config_tree);
220 Configure node_t myself and set up the local sockets (listen only)
222 bool setup_myself(void) {
225 char *name, *hostname, *mode, *afname, *cipher, *digest;
226 char *address = NULL;
228 struct addrinfo *ai, *aip, hint = {0};
233 myself->connection = new_connection();
234 init_configuration(&myself->connection->config_tree);
236 myself->hostname = xstrdup("MYSELF");
237 myself->connection->hostname = xstrdup("MYSELF");
239 myself->connection->options = 0;
240 myself->connection->protocol_version = PROT_CURRENT;
242 if(!get_config_string(lookup_config(config_tree, "Name"), &name)) { /* Not acceptable */
243 logger(LOG_ERR, "Name for tinc daemon required!");
247 if(!check_id(name)) {
248 logger(LOG_ERR, "Invalid name for myself!");
254 myself->connection->name = xstrdup(name);
256 if(!read_connection_config(myself->connection)) {
257 logger(LOG_ERR, "Cannot open host configuration file for myself!");
261 if(!read_rsa_private_key())
264 if(!get_config_string(lookup_config(config_tree, "Port"), &myport)
265 && !get_config_string(lookup_config(myself->connection->config_tree, "Port"), &myport))
266 myport = xstrdup("655");
269 struct addrinfo *ai = str2addrinfo("localhost", myport, SOCK_DGRAM);
271 if(!ai || !ai->ai_addr)
274 memcpy(&sa, ai->ai_addr, ai->ai_addrlen);
275 sockaddr2str(&sa, NULL, &myport);
278 /* Read in all the subnets specified in the host configuration file */
280 cfg = lookup_config(myself->connection->config_tree, "Subnet");
283 if(!get_config_subnet(cfg, &subnet))
286 subnet_add(myself, subnet);
288 cfg = lookup_config_next(myself->connection->config_tree, cfg);
291 /* Check some options */
293 if(get_config_bool(lookup_config(config_tree, "IndirectData"), &choice) && choice)
294 myself->options |= OPTION_INDIRECT;
296 if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice) && choice)
297 myself->options |= OPTION_TCPONLY;
299 if(get_config_bool(lookup_config(myself->connection->config_tree, "IndirectData"), &choice) && choice)
300 myself->options |= OPTION_INDIRECT;
302 if(get_config_bool(lookup_config(myself->connection->config_tree, "TCPOnly"), &choice) && choice)
303 myself->options |= OPTION_TCPONLY;
305 if(myself->options & OPTION_TCPONLY)
306 myself->options |= OPTION_INDIRECT;
308 get_config_bool(lookup_config(config_tree, "DirectOnly"), &directonly);
309 get_config_bool(lookup_config(config_tree, "StrictSubnets"), &strictsubnets);
310 get_config_bool(lookup_config(config_tree, "TunnelServer"), &tunnelserver);
311 strictsubnets |= tunnelserver;
313 if(get_config_string(lookup_config(config_tree, "Mode"), &mode)) {
314 if(!strcasecmp(mode, "router"))
315 routing_mode = RMODE_ROUTER;
316 else if(!strcasecmp(mode, "switch"))
317 routing_mode = RMODE_SWITCH;
318 else if(!strcasecmp(mode, "hub"))
319 routing_mode = RMODE_HUB;
321 logger(LOG_ERR, "Invalid routing mode!");
327 if(get_config_string(lookup_config(config_tree, "Forwarding"), &mode)) {
328 if(!strcasecmp(mode, "off"))
329 forwarding_mode = FMODE_OFF;
330 else if(!strcasecmp(mode, "internal"))
331 forwarding_mode = FMODE_INTERNAL;
332 else if(!strcasecmp(mode, "kernel"))
333 forwarding_mode = FMODE_KERNEL;
335 logger(LOG_ERR, "Invalid forwarding mode!");
342 get_config_bool(lookup_config(myself->connection->config_tree, "PMTUDiscovery"), &choice);
343 get_config_bool(lookup_config(config_tree, "PMTUDiscovery"), &choice);
345 myself->options |= OPTION_PMTU_DISCOVERY;
348 get_config_bool(lookup_config(config_tree, "ClampMSS"), &choice);
349 get_config_bool(lookup_config(myself->connection->config_tree, "ClampMSS"), &choice);
351 myself->options |= OPTION_CLAMP_MSS;
353 get_config_bool(lookup_config(config_tree, "PriorityInheritance"), &priorityinheritance);
355 #if !defined(SOL_IP) || !defined(IP_TOS)
356 if(priorityinheritance)
357 logger(LOG_WARNING, "%s not supported on this platform", "PriorityInheritance");
360 if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
363 if(get_config_int(lookup_config(config_tree, "MaxTimeout"), &maxtimeout)) {
364 if(maxtimeout <= 0) {
365 logger(LOG_ERR, "Bogus maximum timeout!");
371 if(get_config_string(lookup_config(config_tree, "AddressFamily"), &afname)) {
372 if(!strcasecmp(afname, "IPv4"))
373 addressfamily = AF_INET;
374 else if(!strcasecmp(afname, "IPv6"))
375 addressfamily = AF_INET6;
376 else if(!strcasecmp(afname, "any"))
377 addressfamily = AF_UNSPEC;
379 logger(LOG_ERR, "Invalid address family!");
385 get_config_bool(lookup_config(config_tree, "Hostnames"), &hostnames);
387 /* Generate packet encryption key */
389 if(!get_config_string(lookup_config(myself->connection->config_tree, "Cipher"), &cipher))
390 cipher = xstrdup("blowfish");
392 if(!cipher_open_by_name(&myself->incipher, cipher)) {
393 logger(LOG_ERR, "Unrecognized cipher type!");
397 if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
402 /* Check if we want to use message authentication codes... */
404 if(!get_config_string(lookup_config(myself->connection->config_tree, "Digest"), &digest))
405 digest = xstrdup("sha1");
408 get_config_int(lookup_config(myself->connection->config_tree, "MACLength"), &maclength);
411 logger(LOG_ERR, "Bogus MAC length!");
415 if(!digest_open_by_name(&myself->indigest, digest, maclength)) {
416 logger(LOG_ERR, "Unrecognized digest type!");
422 if(get_config_int(lookup_config(myself->connection->config_tree, "Compression"), &myself->incompression)) {
423 if(myself->incompression < 0 || myself->incompression > 11) {
424 logger(LOG_ERR, "Bogus compression level!");
428 myself->incompression = 0;
430 myself->connection->outcompression = 0;
434 myself->nexthop = myself;
435 myself->via = myself;
436 myself->status.reachable = true;
450 event_set(&device_ev, device_fd, EV_READ|EV_PERSIST, handle_device_data, NULL);
452 if (event_add(&device_ev, NULL) < 0) {
453 logger(LOG_ERR, "event_add failed: %s", strerror(errno));
459 /* Run tinc-up script to further initialize the tap interface */
460 xasprintf(&envp[0], "NETNAME=%s", netname ? : "");
461 xasprintf(&envp[1], "DEVICE=%s", device ? : "");
462 xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
463 xasprintf(&envp[3], "NAME=%s", myself->name);
466 execute_script("tinc-up", envp);
468 for(i = 0; i < 5; i++)
471 /* Run subnet-up scripts for our own subnets */
473 subnet_update(myself, NULL, true);
477 get_config_string(lookup_config(config_tree, "BindToAddress"), &address);
479 hint.ai_family = addressfamily;
480 hint.ai_socktype = SOCK_STREAM;
481 hint.ai_protocol = IPPROTO_TCP;
482 hint.ai_flags = AI_PASSIVE;
484 err = getaddrinfo(address, myport, &hint, &ai);
487 logger(LOG_ERR, "System call `%s' failed: %s", "getaddrinfo",
494 for(aip = ai; aip; aip = aip->ai_next) {
495 listen_socket[listen_sockets].tcp =
496 setup_listen_socket((sockaddr_t *) aip->ai_addr);
498 if(listen_socket[listen_sockets].tcp < 0)
501 listen_socket[listen_sockets].udp =
502 setup_vpn_in_socket((sockaddr_t *) aip->ai_addr);
504 if(listen_socket[listen_sockets].udp < 0) {
505 close(listen_socket[listen_sockets].tcp);
509 event_set(&listen_socket[listen_sockets].ev_tcp,
510 listen_socket[listen_sockets].tcp,
512 handle_new_meta_connection, NULL);
513 if(event_add(&listen_socket[listen_sockets].ev_tcp, NULL) < 0) {
514 logger(LOG_ERR, "event_add failed: %s", strerror(errno));
518 event_set(&listen_socket[listen_sockets].ev_udp,
519 listen_socket[listen_sockets].udp,
521 handle_incoming_vpn_data, NULL);
522 if(event_add(&listen_socket[listen_sockets].ev_udp, NULL) < 0) {
523 logger(LOG_ERR, "event_add failed: %s", strerror(errno));
527 ifdebug(CONNECTIONS) {
528 hostname = sockaddr2hostname((sockaddr_t *) aip->ai_addr);
529 logger(LOG_NOTICE, "Listening on %s", hostname);
533 memcpy(&listen_socket[listen_sockets].sa, aip->ai_addr, aip->ai_addrlen);
536 if(listen_sockets >= MAXSOCKETS) {
537 logger(LOG_WARNING, "Maximum of %d listening sockets reached", MAXSOCKETS);
545 logger(LOG_NOTICE, "Ready");
547 logger(LOG_ERR, "Unable to create any listening socket!");
557 bool setup_network(void) {
564 if(get_config_int(lookup_config(config_tree, "PingInterval"), &pinginterval)) {
565 if(pinginterval < 1) {
566 pinginterval = 86400;
571 if(!get_config_int(lookup_config(config_tree, "PingTimeout"), &pingtimeout))
573 if(pingtimeout < 1 || pingtimeout > pinginterval)
574 pingtimeout = pinginterval;
576 if(!get_config_int(lookup_config(config_tree, "MaxOutputBufferSize"), &maxoutbufsize))
577 maxoutbufsize = 10 * MTU;
586 close all open network connections
588 void close_network_connections(void) {
589 splay_node_t *node, *next;
594 for(node = connection_tree->head; node; node = next) {
598 terminate_connection(c, false);
601 list_delete_list(outgoing_list);
603 if(myself && myself->connection) {
604 subnet_update(myself, NULL, false);
605 terminate_connection(myself->connection, false);
606 free_connection(myself->connection);
609 for(i = 0; i < listen_sockets; i++) {
610 event_del(&listen_socket[i].ev_tcp);
611 event_del(&listen_socket[i].ev_udp);
612 close(listen_socket[i].tcp);
613 close(listen_socket[i].udp);
616 xasprintf(&envp[0], "NETNAME=%s", netname ? : "");
617 xasprintf(&envp[1], "DEVICE=%s", device ? : "");
618 xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
619 xasprintf(&envp[3], "NAME=%s", myself->name);
628 execute_script("tinc-down", envp);
630 if(myport) free(myport);
632 for(i = 0; i < 4; i++)