X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Ftincd.c;h=1e111a25155b3ff1c7b9735c2dea08475b5c0eb7;hb=refs%2Fheads%2F1.1;hp=148e13e444ef2c7ef8188e04baa3e1a189504a55;hpb=89f4574e0b1553c8e5dcbfc275e829a759b697f6;p=tinc diff --git a/src/tincd.c b/src/tincd.c index 148e13e4..4c33dc07 100644 --- a/src/tincd.c +++ b/src/tincd.c @@ -1,7 +1,7 @@ /* tincd.c -- the main file for tincd Copyright (C) 1998-2005 Ivo Timmermans - 2000-2012 Guus Sliepen + 2000-2022 Guus Sliepen 2008 Max Rijevski 2009 Michael Tokarev 2010 Julien Muchembled @@ -29,477 +29,421 @@ #define _P1003_1B_VISIBLE #endif -#ifdef HAVE_SYS_MMAN_H -#include -#endif - -#include -#include -#include -#include -#include - #ifdef HAVE_LZO #include LZO1X_H #endif -#ifndef HAVE_MINGW +#ifdef HAVE_LZ4 +#include +#endif + +#ifndef HAVE_WINDOWS #include #include #include #endif -#include -#include "pidfile.h" - #include "conf.h" -#include "device.h" +#include "crypto.h" +#include "event.h" #include "logger.h" +#include "names.h" #include "net.h" -#include "netutl.h" #include "process.h" #include "protocol.h" #include "utils.h" #include "xalloc.h" - -/* The name this program was run with. */ -char *program_name = NULL; +#include "version.h" +#include "random.h" +#include "sandbox.h" +#include "watchdog.h" +#include "fs.h" /* If nonzero, display usage information and exit. */ -bool show_help = false; +static bool show_help = false; /* If nonzero, print the version on standard output and exit. */ -bool show_version = false; - -/* If nonzero, it will attempt to kill a running tincd and exit. */ -int kill_tincd = 0; - -/* If nonzero, generate public/private keypair for this host/net. */ -int generate_keys = 0; - -/* If nonzero, use null ciphers and skip all key exchanges. */ -bool bypass_security = false; +static bool show_version = false; +#ifdef HAVE_MLOCKALL /* If nonzero, disable swapping for this process. */ -bool do_mlock = false; +static bool do_mlock = false; +#endif +#ifndef HAVE_WINDOWS /* If nonzero, chroot to netdir after startup. */ static bool do_chroot = false; /* If !NULL, do setuid to given user after startup */ static const char *switchuser = NULL; +#endif -/* If nonzero, write log entries to a separate file. */ -bool use_logfile = false; - -char *identname = NULL; /* program name for syslog */ -char *pidfilename = NULL; /* pid file location */ -char *logfilename = NULL; /* log file location */ -char **g_argv; /* a copy of the cmdline arguments */ - -static int status; +char **g_argv; /* a copy of the cmdline arguments */ + +static int status = 1; + +typedef enum option_t { + OPT_BAD_OPTION = '?', + OPT_LONG_OPTION = 0, + + // Short options + OPT_CONFIG_FILE = 'c', + OPT_NETNAME = 'n', + OPT_NO_DETACH = 'D', + OPT_DEBUG = 'd', + OPT_MLOCK = 'L', + OPT_CHROOT = 'R', + OPT_CHANGE_USER = 'U', + OPT_SYSLOG = 's', + OPT_OPTION = 'o', + + // Long options + OPT_HELP = 255, + OPT_VERSION, + OPT_NO_SECURITY, + OPT_LOGFILE, + OPT_PIDFILE, +} option_t; static struct option const long_options[] = { - {"config", required_argument, NULL, 'c'}, - {"kill", optional_argument, NULL, 'k'}, - {"net", required_argument, NULL, 'n'}, - {"help", no_argument, NULL, 1}, - {"version", no_argument, NULL, 2}, - {"no-detach", no_argument, NULL, 'D'}, - {"generate-keys", optional_argument, NULL, 'K'}, - {"debug", optional_argument, NULL, 'd'}, - {"bypass-security", no_argument, NULL, 3}, - {"mlock", no_argument, NULL, 'L'}, - {"chroot", no_argument, NULL, 'R'}, - {"user", required_argument, NULL, 'U'}, - {"logfile", optional_argument, NULL, 4}, - {"pidfile", required_argument, NULL, 5}, - {"option", required_argument, NULL, 'o'}, - {NULL, 0, NULL, 0} + {"config", required_argument, NULL, OPT_CONFIG_FILE}, + {"net", required_argument, NULL, OPT_NETNAME}, + {"no-detach", no_argument, NULL, OPT_NO_DETACH}, + {"debug", optional_argument, NULL, OPT_DEBUG}, + {"mlock", no_argument, NULL, OPT_MLOCK}, + {"chroot", no_argument, NULL, OPT_CHROOT}, + {"user", required_argument, NULL, OPT_CHANGE_USER}, + {"syslog", no_argument, NULL, OPT_SYSLOG}, + {"option", required_argument, NULL, OPT_OPTION}, + {"help", no_argument, NULL, OPT_HELP}, + {"version", no_argument, NULL, OPT_VERSION}, + {"bypass-security", no_argument, NULL, OPT_NO_SECURITY}, + {"logfile", optional_argument, NULL, OPT_LOGFILE}, + {"pidfile", required_argument, NULL, OPT_PIDFILE}, + {NULL, 0, NULL, 0}, }; -#ifdef HAVE_MINGW +#ifdef HAVE_WINDOWS static struct WSAData wsa_state; -CRITICAL_SECTION mutex; int main2(int argc, char **argv); #endif static void usage(bool status) { if(status) fprintf(stderr, "Try `%s --help\' for more information.\n", - program_name); + program_name); else { - printf("Usage: %s [option]...\n\n", program_name); - printf(" -c, --config=DIR Read configuration options from DIR.\n" - " -D, --no-detach Don't fork and detach.\n" - " -d, --debug[=LEVEL] Increase debug level or set it to LEVEL.\n" - " -k, --kill[=SIGNAL] Attempt to kill a running tincd and exit.\n" - " -n, --net=NETNAME Connect to net NETNAME.\n" - " -K, --generate-keys[=BITS] Generate public/private RSA keypair.\n" - " -L, --mlock Lock tinc into main memory.\n" - " --logfile[=FILENAME] Write log entries to a logfile.\n" - " --pidfile=FILENAME Write PID to FILENAME.\n" - " -o, --option=[HOST.]KEY=VALUE Set global/host configuration value.\n" - " -R, --chroot chroot to NET dir at startup.\n" - " -U, --user=USER setuid to given USER at startup.\n" - " --help Display this help and exit.\n" - " --version Output version information and exit.\n\n"); - printf("Report bugs to tinc@tinc-vpn.org.\n"); + fprintf(stdout, + "Usage: %s [option]...\n" + "\n" + " -c, --config=DIR Read configuration options from DIR.\n" + " -D, --no-detach Don't fork and detach.\n" + " -d, --debug[=LEVEL] Increase debug level or set it to LEVEL.\n" + " -n, --net=NETNAME Connect to net NETNAME.\n" +#ifdef HAVE_MLOCKALL + " -L, --mlock Lock tinc into main memory.\n" +#endif + " --logfile[=FILENAME] Write log entries to a logfile.\n" + " -s --syslog Use syslog instead of stderr with --no-detach.\n" + " --pidfile=FILENAME Write PID and control socket cookie to FILENAME.\n" + " --bypass-security Disables meta protocol security, for debugging.\n" + " -o, --option[HOST.]KEY=VALUE Set global/host configuration value.\n" +#ifndef HAVE_WINDOWS + " -R, --chroot chroot to NET dir at startup.\n" + " -U, --user=USER setuid to given USER at startup.\n" +#endif + " --help Display this help and exit.\n" + " --version Output version information and exit.\n" + "\n" + "Report bugs to tinc@tinc-vpn.org.\n", + program_name); } } +// Try to resolve path to absolute, return a copy of the argument if this fails. +static char *get_path_arg(char *arg) { + char *result = absolute_path(arg); + + if(!result) { + result = xstrdup(arg); + } + + return result; +} + static bool parse_options(int argc, char **argv) { config_t *cfg; int r; int option_index = 0; int lineno = 0; - cmdline_conf = list_alloc((list_action_t)free_config); + while((r = getopt_long(argc, argv, "c:DLd::n:so:RU:", long_options, &option_index)) != EOF) { + switch((option_t) r) { + case OPT_LONG_OPTION: + break; - while((r = getopt_long(argc, argv, "c:DLd::k::n:o:K::RU:", long_options, &option_index)) != EOF) { - switch (r) { - case 0: /* long option */ - break; + case OPT_BAD_OPTION: + usage(true); + goto exit_fail; - case 'c': /* config file */ - confbase = xstrdup(optarg); - break; + case OPT_CONFIG_FILE: + assert(optarg); + free(confbase); + confbase = get_path_arg(optarg); + break; - case 'D': /* no detach */ - do_detach = false; - break; + case OPT_NO_DETACH: + do_detach = false; + break; - case 'L': /* no detach */ + case OPT_MLOCK: /* lock tincd into RAM */ #ifndef HAVE_MLOCKALL - logger(LOG_ERR, "%s not supported on this platform", "mlockall()"); - return false; -#else - do_mlock = true; - break; -#endif - - case 'd': /* inc debug level */ - if(optarg) - debug_level = atoi(optarg); - else - debug_level++; - break; - - case 'k': /* kill old tincds */ -#ifndef HAVE_MINGW - if(optarg) { - if(!strcasecmp(optarg, "HUP")) - kill_tincd = SIGHUP; - else if(!strcasecmp(optarg, "TERM")) - kill_tincd = SIGTERM; - else if(!strcasecmp(optarg, "KILL")) - kill_tincd = SIGKILL; - else if(!strcasecmp(optarg, "USR1")) - kill_tincd = SIGUSR1; - else if(!strcasecmp(optarg, "USR2")) - kill_tincd = SIGUSR2; - else if(!strcasecmp(optarg, "WINCH")) - kill_tincd = SIGWINCH; - else if(!strcasecmp(optarg, "INT")) - kill_tincd = SIGINT; - else if(!strcasecmp(optarg, "ALRM")) - kill_tincd = SIGALRM; - else if(!strcasecmp(optarg, "ABRT")) - kill_tincd = SIGABRT; - else { - kill_tincd = atoi(optarg); - - if(!kill_tincd) { - fprintf(stderr, "Invalid argument `%s'; SIGNAL must be a number or one of HUP, TERM, KILL, USR1, USR2, WINCH, INT or ALRM.\n", - optarg); - usage(true); - return false; - } - } - } else - kill_tincd = SIGTERM; + logger(DEBUG_ALWAYS, LOG_ERR, "The %s option is not supported on this platform.", argv[optind - 1]); + goto exit_fail; #else - kill_tincd = 1; -#endif - break; - - case 'n': /* net name given */ - /* netname "." is special: a "top-level name" */ - netname = strcmp(optarg, ".") != 0 ? - xstrdup(optarg) : NULL; - break; - - case 'o': /* option */ - cfg = parse_config_line(optarg, NULL, ++lineno); - if (!cfg) - return false; - list_insert_tail(cmdline_conf, cfg); - break; - - case 'K': /* generate public/private keypair */ - if(optarg) { - generate_keys = atoi(optarg); - - if(generate_keys < 512) { - fprintf(stderr, "Invalid argument `%s'; BITS must be a number equal to or greater than 512.\n", - optarg); - usage(true); - return false; - } - - generate_keys &= ~7; /* Round it to bytes */ - } else - generate_keys = 2048; - break; - - case 'R': /* chroot to NETNAME dir */ - do_chroot = true; - break; - - case 'U': /* setuid to USER */ - switchuser = optarg; - break; - - case 1: /* show help */ - show_help = true; - break; - - case 2: /* show version */ - show_version = true; - break; - - case 3: /* bypass security */ - bypass_security = true; - break; - - case 4: /* write log entries to a file */ - use_logfile = true; - if(optarg) - logfilename = xstrdup(optarg); - break; - - case 5: /* write PID to a file */ - pidfilename = xstrdup(optarg); - break; - - case '?': - usage(true); - return false; - - default: - break; - } - } + do_mlock = true; + break; +#endif - return true; -} + case OPT_DEBUG: /* increase debug level */ + if(!optarg && optind < argc && *argv[optind] != '-') { + optarg = argv[optind++]; + } -/* This function prettyprints the key generation process */ + if(optarg) { + debug_level = atoi(optarg); + } else { + debug_level++; + } -static void indicator(int a, int b, void *p) { - switch (a) { - case 0: - fprintf(stderr, "."); break; - case 1: - fprintf(stderr, "+"); + case OPT_NETNAME: + assert(optarg); + free(netname); + netname = xstrdup(optarg); break; - case 2: - fprintf(stderr, "-"); + case OPT_SYSLOG: + use_logfile = false; + use_syslog = true; break; - case 3: - switch (b) { - case 0: - fprintf(stderr, " p\n"); - break; - - case 1: - fprintf(stderr, " q\n"); - break; + case OPT_OPTION: + cfg = parse_config_line(optarg, NULL, ++lineno); - default: - fprintf(stderr, "?"); + if(!cfg) { + goto exit_fail; } + + list_insert_tail(&cmdline_conf, cfg); break; - default: - fprintf(stderr, "?"); - } -} +#ifdef HAVE_WINDOWS -/* - Generate a public/private RSA keypair, and ask for a file to store - them in. -*/ -static bool keygen(int bits) { - RSA *rsa_key; - FILE *f; - char *name = NULL; - char *filename; + case OPT_CHANGE_USER: + case OPT_CHROOT: + logger(DEBUG_ALWAYS, LOG_ERR, "The %s option is not supported on this platform.", argv[optind - 1]); + goto exit_fail; +#else - get_config_string(lookup_config(config_tree, "Name"), &name); + case OPT_CHROOT: + do_chroot = true; + break; - if(name && !check_id(name)) { - fprintf(stderr, "Invalid name for myself!\n"); - return false; - } + case OPT_CHANGE_USER: + switchuser = optarg; + break; +#endif - fprintf(stderr, "Generating %d bits keys:\n", bits); - rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL); + case OPT_HELP: + show_help = true; + break; - if(!rsa_key) { - fprintf(stderr, "Error during key generation!\n"); - return false; - } else - fprintf(stderr, "Done.\n"); + case OPT_VERSION: + show_version = true; + break; - xasprintf(&filename, "%s/rsa_key.priv", confbase); - f = ask_and_open(filename, "private RSA key"); + case OPT_NO_SECURITY: + bypass_security = true; + break; - if(!f) - return false; + case OPT_LOGFILE: + use_syslog = false; + use_logfile = true; -#ifdef HAVE_FCHMOD - /* Make it unreadable for others. */ - fchmod(fileno(f), 0600); -#endif - - fputc('\n', f); - PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL); - fclose(f); - free(filename); + if(!optarg && optind < argc && *argv[optind] != '-') { + optarg = argv[optind++]; + } - if(name) - xasprintf(&filename, "%s/hosts/%s", confbase, name); - else - xasprintf(&filename, "%s/rsa_key.pub", confbase); + if(optarg) { + free(logfilename); + logfilename = get_path_arg(optarg); + } - f = ask_and_open(filename, "public RSA key"); + break; - if(!f) - return false; + case OPT_PIDFILE: + assert(optarg); + free(pidfilename); + pidfilename = get_path_arg(optarg); + break; - fputc('\n', f); - PEM_write_RSAPublicKey(f, rsa_key); - fclose(f); - free(filename); - if(name) - free(name); + default: + break; + } + } - return true; -} + if(optind < argc) { + fprintf(stderr, "%s: unrecognized argument '%s'\n", argv[0], argv[optind]); + usage(true); + goto exit_fail; + } -/* - Set all files and paths according to netname -*/ -static void make_names(void) { -#ifdef HAVE_MINGW - HKEY key; - char installdir[1024] = ""; - long len = sizeof(installdir); -#endif - - if(netname) - xasprintf(&identname, "tinc.%s", netname); - else - identname = xstrdup("tinc"); - -#ifdef HAVE_MINGW - if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) { - if(!RegQueryValueEx(key, NULL, 0, 0, installdir, &len)) { - if(!logfilename) - xasprintf(&logfilename, "%s/log/%s.log", identname); - if(!confbase) { - if(netname) - xasprintf(&confbase, "%s/%s", installdir, netname); - else - xasprintf(&confbase, "%s", installdir); - } - } - RegCloseKey(key); - if(*installdir) - return; + if(!netname && (netname = getenv("NETNAME"))) { + netname = xstrdup(netname); } -#endif - if(!pidfilename) - xasprintf(&pidfilename, LOCALSTATEDIR "/run/%s.pid", identname); + /* netname "." is special: a "top-level name" */ - if(!logfilename) - xasprintf(&logfilename, LOCALSTATEDIR "/log/%s.log", identname); + if(netname && (!*netname || !strcmp(netname, "."))) { + free(netname); + netname = NULL; + } - if(netname) { - if(!confbase) - xasprintf(&confbase, CONFDIR "/tinc/%s", netname); - else - logger(LOG_INFO, "Both netname and configuration directory given, using the latter..."); - } else { - if(!confbase) - xasprintf(&confbase, CONFDIR "/tinc"); + if(netname && !check_netname(netname, false)) { + fprintf(stderr, "Invalid character in netname!\n"); + goto exit_fail; } -} -static void free_names() { - if (identname) free(identname); - if (netname) free(netname); - if (pidfilename) free(pidfilename); - if (logfilename) free(logfilename); - if (confbase) free(confbase); + if(netname && !check_netname(netname, true)) { + fprintf(stderr, "Warning: unsafe character in netname!\n"); + } + + return true; + +exit_fail: + free_names(); + list_empty_list(&cmdline_conf); + return false; } -static bool drop_privs() { -#ifdef HAVE_MINGW - if (switchuser) { - logger(LOG_ERR, "%s not supported on this platform", "-U"); - return false; +static bool read_sandbox_level(void) { + sandbox_level_t level; + char *value = NULL; + + if(get_config_string(lookup_config(&config_tree, "Sandbox"), &value)) { + if(!strcasecmp("off", value)) { + level = SANDBOX_NONE; + } else if(!strcasecmp("normal", value)) { + level = SANDBOX_NORMAL; + } else if(!strcasecmp("high", value)) { + level = SANDBOX_HIGH; + } else { + logger(DEBUG_ALWAYS, LOG_ERR, "Bad sandbox value %s!", value); + free(value); + return false; + } + + free(value); + } else { +#ifdef HAVE_SANDBOX + level = SANDBOX_NORMAL; +#else + level = SANDBOX_NONE; +#endif } - if (do_chroot) { - logger(LOG_ERR, "%s not supported on this platform", "-R"); + +#ifndef HAVE_SANDBOX + + if(level > SANDBOX_NONE) { + logger(DEBUG_ALWAYS, LOG_ERR, "Sandbox is used but is not supported on this platform"); return false; } -#else + +#endif + sandbox_set_level(level); + return true; +} + +static bool drop_privs(void) { +#ifndef HAVE_WINDOWS uid_t uid = 0; - if (switchuser) { + + if(switchuser) { struct passwd *pw = getpwnam(switchuser); - if (!pw) { - logger(LOG_ERR, "unknown user `%s'", switchuser); + + if(!pw) { + logger(DEBUG_ALWAYS, LOG_ERR, "unknown user `%s'", switchuser); return false; } + uid = pw->pw_uid; - if (initgroups(switchuser, pw->pw_gid) != 0 || - setgid(pw->pw_gid) != 0) { - logger(LOG_ERR, "System call `%s' failed: %s", + + // The second parameter to initgroups on macOS requires int, + // but __gid_t is unsigned int. There's not much we can do here. + if(initgroups(switchuser, pw->pw_gid) != 0 || // NOLINT(bugprone-narrowing-conversions) + setgid(pw->pw_gid) != 0) { + logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "initgroups", strerror(errno)); return false; } + +#ifndef __ANDROID__ +// Not supported in android NDK endgrent(); endpwent(); +#endif } - if (do_chroot) { - tzset(); /* for proper timestamps in logs */ - if (chroot(confbase) != 0 || chdir("/") != 0) { - logger(LOG_ERR, "System call `%s' failed: %s", + + if(do_chroot) { + tzset(); /* for proper timestamps in logs */ + + if(chroot(confbase) != 0 || chdir("/") != 0) { + logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "chroot", strerror(errno)); return false; } + free(confbase); confbase = xstrdup(""); } - if (switchuser) - if (setuid(uid) != 0) { - logger(LOG_ERR, "System call `%s' failed: %s", + + if(switchuser) + if(setuid(uid) != 0) { + logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setuid", strerror(errno)); return false; } -#endif - return true; + +#endif // HAVE_WINDOWS + + makedirs(DIR_CACHE | DIR_HOSTS | DIR_INVITATIONS); + + return sandbox_enter(); } -#ifdef HAVE_MINGW +#ifdef HAVE_WINDOWS # define setpriority(level) !SetPriorityClass(GetCurrentProcess(), (level)) + +static void stop_handler(void *data, int flags) { + (void)data; + (void)flags; + + event_exit(); +} + +static BOOL WINAPI console_ctrl_handler(DWORD type) { + (void)type; + + logger(DEBUG_ALWAYS, LOG_NOTICE, "Got console shutdown request"); + + if(WSASetEvent(stop_io.event) == FALSE) { + abort(); + } + + return TRUE; +} #else # define NORMAL_PRIORITY_CLASS 0 # define BELOW_NORMAL_PRIORITY_CLASS 10 @@ -507,23 +451,70 @@ static bool drop_privs() { # define setpriority(level) (setpriority(PRIO_PROCESS, 0, (level))) #endif +static void cleanup(void) { + splay_empty_tree(&config_tree); + list_empty_list(&cmdline_conf); + free_names(); +} + int main(int argc, char **argv) { program_name = argv[0]; - if(!parse_options(argc, argv)) + if(!parse_options(argc, argv)) { return 1; - - make_names(); + } if(show_version) { - printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE, - VERSION, __DATE__, __TIME__, PROT_CURRENT); - printf("Copyright (C) 1998-2012 Ivo Timmermans, Guus Sliepen and others.\n" - "See the AUTHORS file for a complete list.\n\n" - "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n" - "and you are welcome to redistribute it under certain conditions;\n" - "see the file COPYING for details.\n"); - + fprintf(stdout, + "%s version %s (built %s %s, protocol %d.%d)\n" + "Features:" +#ifdef HAVE_OPENSSL + " openssl" +#endif +#ifdef HAVE_LIBGCRYPT + " libgcrypt" +#endif +#ifdef HAVE_LZO + " comp_lzo" +#endif +#ifdef HAVE_ZLIB + " comp_zlib" +#endif +#ifdef HAVE_LZ4 + " comp_lz4" +#endif +#ifndef DISABLE_LEGACY + " legacy_protocol" +#endif +#ifdef ENABLE_JUMBOGRAMS + " jumbograms" +#endif +#ifdef ENABLE_TUNEMU + " tunemu" +#endif +#ifdef HAVE_MINIUPNPC + " miniupnpc" +#endif +#ifdef HAVE_SANDBOX + " sandbox" +#endif +#ifdef ENABLE_UML + " uml" +#endif +#ifdef ENABLE_VDE + " vde" +#endif +#ifdef HAVE_WATCHDOG + " watchdog" +#endif + "\n\n" + "Copyright (C) 1998-2021 Ivo Timmermans, Guus Sliepen and others.\n" + "See the AUTHORS file for a complete list.\n" + "\n" + "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n" + "and you are welcome to redistribute it under certain conditions;\n" + "see the file COPYING for details.\n", + PACKAGE, BUILD_VERSION, BUILD_DATE, BUILD_TIME, PROT_MAJOR, PROT_MINOR); return 0; } @@ -532,146 +523,206 @@ int main(int argc, char **argv) { return 0; } - if(kill_tincd) - return !kill_other(kill_tincd); + make_names(true); + atexit(cleanup); + + if(chdir(confbase) == -1) { + logger(DEBUG_ALWAYS, LOG_ERR, "Could not change to configuration directory: %s", strerror(errno)); + return 1; + } + +#ifdef HAVE_WINDOWS + + if(WSAStartup(MAKEWORD(2, 2), &wsa_state)) { + logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "WSAStartup", winerror(GetLastError())); + return 1; + } + +#else + // Check if we got an umbilical fd from the process that started us + char *umbstr = getenv("TINC_UMBILICAL"); + + if(umbstr) { + int colorize = 0; + sscanf(umbstr, "%d %d", &umbilical, &colorize); + umbilical_colorize = colorize; + + if(fcntl(umbilical, F_GETFL) < 0) { + umbilical = 0; + } - openlogger("tinc", use_logfile?LOGMODE_FILE:LOGMODE_STDERR); +#ifdef FD_CLOEXEC + + if(umbilical) { + fcntl(umbilical, F_SETFD, FD_CLOEXEC); + } + +#endif + } + +#endif + + openlogger("tinc", use_logfile ? LOGMODE_FILE : LOGMODE_STDERR); g_argv = argv; - if(getenv("LISTEN_PID") && atoi(getenv("LISTEN_PID")) == getpid()) + const char *listen_pid = getenv("LISTEN_PID"); + + if(listen_pid && atoi(listen_pid) == getpid()) { do_detach = false; + } + #ifdef HAVE_UNSETENV unsetenv("LISTEN_PID"); #endif - init_configuration(&config_tree); + gettimeofday(&now, NULL); + random_init(); + crypto_init(); + prng_init(); - /* Slllluuuuuuurrrrp! */ - - RAND_load_file("/dev/urandom", 1024); + if(!read_server_config(&config_tree)) { + return 1; + } - ENGINE_load_builtin_engines(); - ENGINE_register_all_complete(); + if(!read_sandbox_level()) { + return 1; + } - OpenSSL_add_all_algorithms(); + if(debug_level == DEBUG_NOTHING) { + int level = 0; - if(generate_keys) { - read_server_config(); - return !keygen(generate_keys); + if(get_config_int(lookup_config(&config_tree, "LogLevel"), &level)) { + debug_level = level; + } } - if(!read_server_config()) - return 1; - #ifdef HAVE_LZO + if(lzo_init() != LZO_E_OK) { - logger(LOG_ERR, "Error initializing LZO compressor!"); + logger(DEBUG_ALWAYS, LOG_ERR, "Error initializing LZO compressor!"); return 1; } + #endif -#ifdef HAVE_MINGW - if(WSAStartup(MAKEWORD(2, 2), &wsa_state)) { - logger(LOG_ERR, "System call `%s' failed: %s", "WSAStartup", winerror(GetLastError())); - return 1; +#ifdef HAVE_WINDOWS + io_add_event(&stop_io, stop_handler, NULL, WSACreateEvent()); + + if(stop_io.event == FALSE) { + abort(); } - if(!do_detach || !init_service()) - return main2(argc, argv); - else - return 1; + int result; + + if(!do_detach || !init_service()) { + SetConsoleCtrlHandler(console_ctrl_handler, TRUE); + result = main2(argc, argv); + } else { + result = 1; + } + + if(WSACloseEvent(stop_io.event) == FALSE) { + abort(); + } + + io_del(&stop_io); + return result; } int main2(int argc, char **argv) { - InitializeCriticalSection(&mutex); - EnterCriticalSection(&mutex); + (void)argc; + (void)argv; #endif - char *priority = NULL; + char *priority = NULL; - if(!detach()) + if(!detach()) { return 1; + } #ifdef HAVE_MLOCKALL + /* Lock all pages into memory if requested. * This has to be done after daemon()/fork() so it works for child. * No need to do that in parent as it's very short-lived. */ if(do_mlock && mlockall(MCL_CURRENT | MCL_FUTURE) != 0) { - logger(LOG_ERR, "System call `%s' failed: %s", "mlockall", - strerror(errno)); + logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "mlockall", + strerror(errno)); return 1; } + #endif /* Setup sockets and open device. */ - if(!setup_network()) + if(!setup_network()) { goto end; - - /* Initiate all outgoing connections. */ - - try_outgoing_connections(); + } /* Change process priority */ - if(get_config_string(lookup_config(config_tree, "ProcessPriority"), &priority)) { - if(!strcasecmp(priority, "Normal")) { - if (setpriority(NORMAL_PRIORITY_CLASS) != 0) { - logger(LOG_ERR, "System call `%s' failed: %s", - "setpriority", strerror(errno)); - goto end; - } - } else if(!strcasecmp(priority, "Low")) { - if (setpriority(BELOW_NORMAL_PRIORITY_CLASS) != 0) { - logger(LOG_ERR, "System call `%s' failed: %s", - "setpriority", strerror(errno)); - goto end; - } - } else if(!strcasecmp(priority, "High")) { - if (setpriority(HIGH_PRIORITY_CLASS) != 0) { - logger(LOG_ERR, "System call `%s' failed: %s", - "setpriority", strerror(errno)); - goto end; - } - } else { - logger(LOG_ERR, "Invalid priority `%s`!", priority); - goto end; - } - } + if(get_config_string(lookup_config(&config_tree, "ProcessPriority"), &priority)) { + if(!strcasecmp(priority, "Normal")) { + if(setpriority(NORMAL_PRIORITY_CLASS) != 0) { + logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setpriority", strerror(errno)); + goto end; + } + } else if(!strcasecmp(priority, "Low")) { + if(setpriority(BELOW_NORMAL_PRIORITY_CLASS) != 0) { + logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setpriority", strerror(errno)); + goto end; + } + } else if(!strcasecmp(priority, "High")) { + if(setpriority(HIGH_PRIORITY_CLASS) != 0) { + logger(DEBUG_ALWAYS, LOG_ERR, "System call `%s' failed: %s", "setpriority", strerror(errno)); + goto end; + } + } else { + logger(DEBUG_ALWAYS, LOG_ERR, "Invalid priority `%s`!", priority); + goto end; + } + } /* drop privileges */ - if (!drop_privs()) + if(!drop_privs()) { goto end; + } /* Start main loop. It only exits when tinc is killed. */ - status = main_loop(); + logger(DEBUG_ALWAYS, LOG_NOTICE, "Ready"); - /* Shutdown properly. */ + if(umbilical) { // snip! + if(write(umbilical, "", 1) != 1) { + // Pipe full or broken, nothing we can do about it. + } - ifdebug(CONNECTIONS) - devops.dump_stats(); + close(umbilical); + umbilical = 0; + } - close_network_connections(); + try_outgoing_connections(); -end: - logger(LOG_NOTICE, "Terminating"); +#ifdef HAVE_WATCHDOG + watchdog_start(); +#endif -#ifndef HAVE_MINGW - remove_pid(pidfilename); + status = main_loop(); + +#ifdef HAVE_WATCHDOG + watchdog_stop(); #endif - free(priority); + /* Shutdown properly. */ - EVP_cleanup(); - ENGINE_cleanup(); - CRYPTO_cleanup_all_ex_data(); - ERR_remove_state(0); - ERR_free_strings(); +end: + close_network_connections(); - exit_configuration(&config_tree); - list_free(cmdline_conf); - free_names(); + logger(DEBUG_ALWAYS, LOG_NOTICE, "Terminating"); + + free(priority); + + random_exit(); return status; }