memcpy() addresses from packet headers before calling the lookup functions.
[tinc] / src / net_setup.c
1 /*
2     net_setup.c -- Setup.
3     Copyright (C) 1998-2005 Ivo Timmermans,
4                   2000-2006 Guus Sliepen <guus@tinc-vpn.org>
5
6     This program is free software; you can redistribute it and/or modify
7     it under the terms of the GNU General Public License as published by
8     the Free Software Foundation; either version 2 of the License, or
9     (at your option) any later version.
10
11     This program is distributed in the hope that it will be useful,
12     but WITHOUT ANY WARRANTY; without even the implied warranty of
13     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14     GNU General Public License for more details.
15
16     You should have received a copy of the GNU General Public License
17     along with this program; if not, write to the Free Software
18     Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19
20     $Id$
21 */
22
23 #include "system.h"
24
25 #include <openssl/pem.h>
26 #include <openssl/rsa.h>
27 #include <openssl/rand.h>
28 #include <openssl/err.h>
29 #include <openssl/evp.h>
30
31 #include "avl_tree.h"
32 #include "conf.h"
33 #include "connection.h"
34 #include "device.h"
35 #include "event.h"
36 #include "graph.h"
37 #include "logger.h"
38 #include "net.h"
39 #include "netutl.h"
40 #include "process.h"
41 #include "protocol.h"
42 #include "route.h"
43 #include "subnet.h"
44 #include "utils.h"
45 #include "xalloc.h"
46
47 char *myport;
48
49 bool read_rsa_public_key(connection_t *c)
50 {
51         FILE *fp;
52         char *fname;
53         char *key;
54
55         cp();
56
57         if(!c->rsa_key) {
58                 c->rsa_key = RSA_new();
59 //              RSA_blinding_on(c->rsa_key, NULL);
60         }
61
62         /* First, check for simple PublicKey statement */
63
64         if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
65                 BN_hex2bn(&c->rsa_key->n, key);
66                 BN_hex2bn(&c->rsa_key->e, "FFFF");
67                 free(key);
68                 return true;
69         }
70
71         /* Else, check for PublicKeyFile statement and read it */
72
73         if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname)) {
74                 fp = fopen(fname, "r");
75
76                 if(!fp) {
77                         logger(LOG_ERR, _("Error reading RSA public key file `%s': %s"),
78                                    fname, strerror(errno));
79                         free(fname);
80                         return false;
81                 }
82
83                 free(fname);
84                 c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
85                 fclose(fp);
86
87                 if(c->rsa_key)
88                         return true;            /* Woohoo. */
89
90                 /* If it fails, try PEM_read_RSA_PUBKEY. */
91                 fp = fopen(fname, "r");
92
93                 if(!fp) {
94                         logger(LOG_ERR, _("Error reading RSA public key file `%s': %s"),
95                                    fname, strerror(errno));
96                         free(fname);
97                         return false;
98                 }
99
100                 free(fname);
101                 c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
102                 fclose(fp);
103
104                 if(c->rsa_key) {
105 //                              RSA_blinding_on(c->rsa_key, NULL);
106                         return true;
107                 }
108
109                 logger(LOG_ERR, _("Reading RSA public key file `%s' failed: %s"),
110                            fname, strerror(errno));
111                 return false;
112         }
113
114         /* Else, check if a harnessed public key is in the config file */
115
116         asprintf(&fname, "%s/hosts/%s", confbase, c->name);
117         fp = fopen(fname, "r");
118
119         if(fp) {
120                 c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
121                 fclose(fp);
122         }
123
124         free(fname);
125
126         if(c->rsa_key)
127                 return true;
128
129         /* Try again with PEM_read_RSA_PUBKEY. */
130
131         asprintf(&fname, "%s/hosts/%s", confbase, c->name);
132         fp = fopen(fname, "r");
133
134         if(fp) {
135                 c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
136 //              RSA_blinding_on(c->rsa_key, NULL);
137                 fclose(fp);
138         }
139
140         free(fname);
141
142         if(c->rsa_key)
143                 return true;
144
145         logger(LOG_ERR, _("No public key for %s specified!"), c->name);
146
147         return false;
148 }
149
150 bool read_rsa_private_key(void)
151 {
152         FILE *fp;
153         char *fname, *key, *pubkey;
154         struct stat s;
155
156         cp();
157
158         if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
159                 if(!get_config_string(lookup_config(myself->connection->config_tree, "PublicKey"), &pubkey)) {
160                         logger(LOG_ERR, _("PrivateKey used but no PublicKey found!"));
161                         return false;
162                 }
163                 myself->connection->rsa_key = RSA_new();
164 //              RSA_blinding_on(myself->connection->rsa_key, NULL);
165                 BN_hex2bn(&myself->connection->rsa_key->d, key);
166                 BN_hex2bn(&myself->connection->rsa_key->n, pubkey);
167                 BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
168                 free(key);
169                 free(pubkey);
170                 return true;
171         }
172
173         if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
174                 asprintf(&fname, "%s/rsa_key.priv", confbase);
175
176         fp = fopen(fname, "r");
177
178         if(!fp) {
179                 logger(LOG_ERR, _("Error reading RSA private key file `%s': %s"),
180                            fname, strerror(errno));
181                 free(fname);
182                 return false;
183         }
184
185 #if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
186         if(fstat(fileno(fp), &s)) {
187                 logger(LOG_ERR, _("Could not stat RSA private key file `%s': %s'"),
188                                 fname, strerror(errno));
189                 free(fname);
190                 return false;
191         }
192
193         if(s.st_mode & ~0100700)
194                 logger(LOG_WARNING, _("Warning: insecure file permissions for RSA private key file `%s'!"), fname);
195 #endif
196
197         myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
198         fclose(fp);
199
200         if(!myself->connection->rsa_key) {
201                 logger(LOG_ERR, _("Reading RSA private key file `%s' failed: %s"),
202                            fname, strerror(errno));
203                 free(fname);
204                 return false;
205         }
206
207         free(fname);
208         return true;
209 }
210
211 /*
212   Configure node_t myself and set up the local sockets (listen only)
213 */
214 bool setup_myself(void)
215 {
216         config_t *cfg;
217         subnet_t *subnet;
218         char *name, *hostname, *mode, *afname, *cipher, *digest;
219         char *address = NULL;
220         char *envp[5];
221         struct addrinfo *ai, *aip, hint = {0};
222         bool choice;
223         int i, err;
224
225         cp();
226
227         myself = new_node();
228         myself->connection = new_connection();
229         init_configuration(&myself->connection->config_tree);
230
231         asprintf(&myself->hostname, _("MYSELF"));
232         asprintf(&myself->connection->hostname, _("MYSELF"));
233
234         myself->connection->options = 0;
235         myself->connection->protocol_version = PROT_CURRENT;
236
237         if(!get_config_string(lookup_config(config_tree, "Name"), &name)) {     /* Not acceptable */
238                 logger(LOG_ERR, _("Name for tinc daemon required!"));
239                 return false;
240         }
241
242         if(!check_id(name)) {
243                 logger(LOG_ERR, _("Invalid name for myself!"));
244                 free(name);
245                 return false;
246         }
247
248         myself->name = name;
249         myself->connection->name = xstrdup(name);
250
251         if(!read_connection_config(myself->connection)) {
252                 logger(LOG_ERR, _("Cannot open host configuration file for myself!"));
253                 return false;
254         }
255
256         if(!read_rsa_private_key())
257                 return false;
258
259         if(!get_config_string(lookup_config(myself->connection->config_tree, "Port"), &myport))
260                 asprintf(&myport, "655");
261
262         /* Read in all the subnets specified in the host configuration file */
263
264         cfg = lookup_config(myself->connection->config_tree, "Subnet");
265
266         while(cfg) {
267                 if(!get_config_subnet(cfg, &subnet))
268                         return false;
269
270                 subnet_add(myself, subnet);
271
272                 cfg = lookup_config_next(myself->connection->config_tree, cfg);
273         }
274
275         /* Check some options */
276
277         if(get_config_bool(lookup_config(config_tree, "IndirectData"), &choice) && choice)
278                 myself->options |= OPTION_INDIRECT;
279
280         if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice) && choice)
281                 myself->options |= OPTION_TCPONLY;
282
283         if(get_config_bool(lookup_config(myself->connection->config_tree, "IndirectData"), &choice) && choice)
284                 myself->options |= OPTION_INDIRECT;
285
286         if(get_config_bool(lookup_config(myself->connection->config_tree, "TCPOnly"), &choice) && choice)
287                 myself->options |= OPTION_TCPONLY;
288
289         if(get_config_bool(lookup_config(myself->connection->config_tree, "PMTUDiscovery"), &choice) && choice)
290                 myself->options |= OPTION_PMTU_DISCOVERY;
291
292         if(myself->options & OPTION_TCPONLY)
293                 myself->options |= OPTION_INDIRECT;
294
295         get_config_bool(lookup_config(config_tree, "TunnelServer"), &tunnelserver);
296
297         if(get_config_string(lookup_config(config_tree, "Mode"), &mode)) {
298                 if(!strcasecmp(mode, "router"))
299                         routing_mode = RMODE_ROUTER;
300                 else if(!strcasecmp(mode, "switch"))
301                         routing_mode = RMODE_SWITCH;
302                 else if(!strcasecmp(mode, "hub"))
303                         routing_mode = RMODE_HUB;
304                 else {
305                         logger(LOG_ERR, _("Invalid routing mode!"));
306                         return false;
307                 }
308                 free(mode);
309         } else
310                 routing_mode = RMODE_ROUTER;
311
312         get_config_bool(lookup_config(config_tree, "PriorityInheritance"), &priorityinheritance);
313
314 #if !defined(SOL_IP) || !defined(IP_TOS)
315         if(priorityinheritance)
316                 logger(LOG_WARNING, _("PriorityInheritance not supported on this platform"));
317 #endif
318
319         if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
320                 macexpire = 600;
321
322         if(get_config_int(lookup_config(config_tree, "MaxTimeout"), &maxtimeout)) {
323                 if(maxtimeout <= 0) {
324                         logger(LOG_ERR, _("Bogus maximum timeout!"));
325                         return false;
326                 }
327         } else
328                 maxtimeout = 900;
329
330         if(get_config_string(lookup_config(config_tree, "AddressFamily"), &afname)) {
331                 if(!strcasecmp(afname, "IPv4"))
332                         addressfamily = AF_INET;
333                 else if(!strcasecmp(afname, "IPv6"))
334                         addressfamily = AF_INET6;
335                 else if(!strcasecmp(afname, "any"))
336                         addressfamily = AF_UNSPEC;
337                 else {
338                         logger(LOG_ERR, _("Invalid address family!"));
339                         return false;
340                 }
341                 free(afname);
342         }
343
344         get_config_bool(lookup_config(config_tree, "Hostnames"), &hostnames);
345
346         /* Generate packet encryption key */
347
348         if(get_config_string
349            (lookup_config(myself->connection->config_tree, "Cipher"), &cipher)) {
350                 if(!strcasecmp(cipher, "none")) {
351                         myself->cipher = NULL;
352                 } else {
353                         myself->cipher = EVP_get_cipherbyname(cipher);
354
355                         if(!myself->cipher) {
356                                 logger(LOG_ERR, _("Unrecognized cipher type!"));
357                                 return false;
358                         }
359                 }
360         } else
361                 myself->cipher = EVP_bf_cbc();
362
363         if(myself->cipher)
364                 myself->keylength = myself->cipher->key_len + myself->cipher->iv_len;
365         else
366                 myself->keylength = 1;
367
368         myself->connection->outcipher = EVP_bf_ofb();
369
370         myself->key = xmalloc(myself->keylength);
371         RAND_pseudo_bytes((unsigned char *)myself->key, myself->keylength);
372
373         if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
374                 keylifetime = 3600;
375
376         keyexpires = now + keylifetime;
377         
378         if(myself->cipher) {
379                 EVP_CIPHER_CTX_init(&packet_ctx);
380                 if(!EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, (unsigned char *)myself->key, (unsigned char *)myself->key + myself->cipher->key_len)) {
381                         logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"),
382                                         myself->name, myself->hostname, ERR_error_string(ERR_get_error(), NULL));
383                         return false;
384                 }
385
386         }
387
388         /* Check if we want to use message authentication codes... */
389
390         if(get_config_string
391            (lookup_config(myself->connection->config_tree, "Digest"), &digest)) {
392                 if(!strcasecmp(digest, "none")) {
393                         myself->digest = NULL;
394                 } else {
395                         myself->digest = EVP_get_digestbyname(digest);
396
397                         if(!myself->digest) {
398                                 logger(LOG_ERR, _("Unrecognized digest type!"));
399                                 return false;
400                         }
401                 }
402         } else
403                 myself->digest = EVP_sha1();
404
405         myself->connection->outdigest = EVP_sha1();
406
407         if(get_config_int(lookup_config(myself->connection->config_tree, "MACLength"),
408                 &myself->maclength)) {
409                 if(myself->digest) {
410                         if(myself->maclength > myself->digest->md_size) {
411                                 logger(LOG_ERR, _("MAC length exceeds size of digest!"));
412                                 return false;
413                         } else if(myself->maclength < 0) {
414                                 logger(LOG_ERR, _("Bogus MAC length!"));
415                                 return false;
416                         }
417                 }
418         } else
419                 myself->maclength = 4;
420
421         myself->connection->outmaclength = 0;
422
423         /* Compression */
424
425         if(get_config_int(lookup_config(myself->connection->config_tree, "Compression"),
426                 &myself->compression)) {
427                 if(myself->compression < 0 || myself->compression > 11) {
428                         logger(LOG_ERR, _("Bogus compression level!"));
429                         return false;
430                 }
431         } else
432                 myself->compression = 0;
433
434         myself->connection->outcompression = 0;
435
436         /* Done */
437
438         myself->nexthop = myself;
439         myself->via = myself;
440         myself->status.active = true;
441         myself->status.reachable = true;
442         node_add(myself);
443
444         graph();
445
446         /* Open device */
447
448         if(!setup_device())
449                 return false;
450
451         /* Run tinc-up script to further initialize the tap interface */
452         asprintf(&envp[0], "NETNAME=%s", netname ? : "");
453         asprintf(&envp[1], "DEVICE=%s", device ? : "");
454         asprintf(&envp[2], "INTERFACE=%s", iface ? : "");
455         asprintf(&envp[3], "NAME=%s", myself->name);
456         envp[4] = NULL;
457
458         execute_script("tinc-up", envp);
459
460         for(i = 0; i < 5; i++)
461                 free(envp[i]);
462
463         /* Run subnet-up scripts for our own subnets */
464
465         subnet_update(myself, NULL, true);
466
467         /* Open sockets */
468
469         get_config_string(lookup_config(config_tree, "BindToAddress"), &address);
470
471         hint.ai_family = addressfamily;
472         hint.ai_socktype = SOCK_STREAM;
473         hint.ai_protocol = IPPROTO_TCP;
474         hint.ai_flags = AI_PASSIVE;
475
476         err = getaddrinfo(address, myport, &hint, &ai);
477
478         if(err || !ai) {
479                 logger(LOG_ERR, _("System call `%s' failed: %s"), "getaddrinfo",
480                            gai_strerror(err));
481                 return false;
482         }
483
484         listen_sockets = 0;
485
486         for(aip = ai; aip; aip = aip->ai_next) {
487                 listen_socket[listen_sockets].tcp =
488                         setup_listen_socket((sockaddr_t *) aip->ai_addr);
489
490                 if(listen_socket[listen_sockets].tcp < 0)
491                         continue;
492
493                 listen_socket[listen_sockets].udp =
494                         setup_vpn_in_socket((sockaddr_t *) aip->ai_addr);
495
496                 if(listen_socket[listen_sockets].udp < 0)
497                         continue;
498
499                 ifdebug(CONNECTIONS) {
500                         hostname = sockaddr2hostname((sockaddr_t *) aip->ai_addr);
501                         logger(LOG_NOTICE, _("Listening on %s"), hostname);
502                         free(hostname);
503                 }
504
505                 memcpy(&listen_socket[listen_sockets].sa, aip->ai_addr, aip->ai_addrlen);
506                 listen_sockets++;
507         }
508
509         freeaddrinfo(ai);
510
511         if(listen_sockets)
512                 logger(LOG_NOTICE, _("Ready"));
513         else {
514                 logger(LOG_ERR, _("Unable to create any listening socket!"));
515                 return false;
516         }
517
518         return true;
519 }
520
521 /*
522   setup all initial network connections
523 */
524 bool setup_network_connections(void)
525 {
526         cp();
527
528         now = time(NULL);
529
530         init_connections();
531         init_subnets();
532         init_nodes();
533         init_edges();
534         init_events();
535         init_requests();
536
537         if(get_config_int(lookup_config(config_tree, "PingInterval"), &pinginterval)) {
538                 if(pinginterval < 1) {
539                         pinginterval = 86400;
540                 }
541         } else
542                 pinginterval = 60;
543
544         if(!get_config_int(lookup_config(config_tree, "PingTimeout"), &pingtimeout))
545                 pingtimeout = 5;
546         if(pingtimeout < 1 || pingtimeout > pinginterval)
547                 pingtimeout = pinginterval;
548
549         if(!get_config_int(lookup_config(config_tree, "MaxOutputBufferSize"), &maxoutbufsize))
550                 maxoutbufsize = 4 * MTU;
551
552         if(!setup_myself())
553                 return false;
554
555         try_outgoing_connections();
556
557         return true;
558 }
559
560 /*
561   close all open network connections
562 */
563 void close_network_connections(void)
564 {
565         avl_node_t *node, *next;
566         connection_t *c;
567         char *envp[5];
568         int i;
569
570         cp();
571
572         for(node = connection_tree->head; node; node = next) {
573                 next = node->next;
574                 c = node->data;
575
576                 if(c->outgoing)
577                         free(c->outgoing->name), free(c->outgoing), c->outgoing = NULL;
578                 terminate_connection(c, false);
579         }
580
581         if(myself && myself->connection) {
582                 subnet_update(myself, NULL, false);
583                 terminate_connection(myself->connection, false);
584         }
585
586         for(i = 0; i < listen_sockets; i++) {
587                 close(listen_socket[i].tcp);
588                 close(listen_socket[i].udp);
589         }
590
591         asprintf(&envp[0], "NETNAME=%s", netname ? : "");
592         asprintf(&envp[1], "DEVICE=%s", device ? : "");
593         asprintf(&envp[2], "INTERFACE=%s", iface ? : "");
594         asprintf(&envp[3], "NAME=%s", myself->name);
595         envp[4] = NULL;
596
597         exit_requests();
598         exit_events();
599         exit_edges();
600         exit_subnets();
601         exit_nodes();
602         exit_connections();
603
604         execute_script("tinc-down", envp);
605
606         for(i = 0; i < 4; i++)
607                 free(envp[i]);
608
609         close_device();
610
611         return;
612 }