/*
net_setup.c -- Setup.
Copyright (C) 1998-2005 Ivo Timmermans,
- 2000-2012 Guus Sliepen <guus@tinc-vpn.org>
+ 2000-2017 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org>
2010 Brandon Black <blblack@gmail.com>
#include "netutl.h"
#include "process.h"
#include "protocol.h"
+#include "proxy.h"
#include "route.h"
#include "subnet.h"
#include "utils.h"
char *myport;
devops_t devops;
+#ifndef HAVE_RSA_SET0_KEY
+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
+ BN_free(r->n); r->n = n;
+ BN_free(r->e); r->e = e;
+ BN_free(r->d); r->d = d;
+ return 1;
+}
+#endif
+
bool read_rsa_public_key(connection_t *c) {
FILE *fp;
- char *fname;
+ char *pubname;
+ char *hcfname;
char *key;
+ BIGNUM *n = NULL;
+ BIGNUM *e = NULL;
if(!c->rsa_key) {
c->rsa_key = RSA_new();
/* First, check for simple PublicKey statement */
if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
- BN_hex2bn(&c->rsa_key->n, key);
- BN_hex2bn(&c->rsa_key->e, "FFFF");
+ if(BN_hex2bn(&n, key) != strlen(key)) {
+ free(key);
+ logger(LOG_ERR, "Invalid PublicKey for %s!", c->name);
+ return false;
+ }
free(key);
+ BN_hex2bn(&e, "FFFF");
+ if(!n || !e || RSA_set0_key(c->rsa_key, n, e, NULL) != 1) {
+ BN_free(e);
+ BN_free(n);
+ logger(LOG_ERR, "RSA_set0_key() failed with PublicKey for %s!", c->name);
+ return false;
+ }
return true;
}
/* Else, check for PublicKeyFile statement and read it */
- if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname)) {
- fp = fopen(fname, "r");
+ if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &pubname)) {
+ fp = fopen(pubname, "r");
if(!fp) {
- logger(LOG_ERR, "Error reading RSA public key file `%s': %s",
- fname, strerror(errno));
- free(fname);
+ logger(LOG_ERR, "Error reading RSA public key file `%s': %s", pubname, strerror(errno));
+ free(pubname);
return false;
}
- free(fname);
c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
fclose(fp);
- if(c->rsa_key)
+ if(c->rsa_key) {
+ free(pubname);
return true; /* Woohoo. */
+ }
/* If it fails, try PEM_read_RSA_PUBKEY. */
- fp = fopen(fname, "r");
+ fp = fopen(pubname, "r");
if(!fp) {
- logger(LOG_ERR, "Error reading RSA public key file `%s': %s",
- fname, strerror(errno));
- free(fname);
+ logger(LOG_ERR, "Error reading RSA public key file `%s': %s", pubname, strerror(errno));
+ free(pubname);
return false;
}
- free(fname);
c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
fclose(fp);
if(c->rsa_key) {
// RSA_blinding_on(c->rsa_key, NULL);
+ free(pubname);
return true;
}
- logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s",
- fname, strerror(errno));
+ logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s", pubname, strerror(errno));
+ free(pubname);
return false;
}
/* Else, check if a harnessed public key is in the config file */
- xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
- fp = fopen(fname, "r");
+ xasprintf(&hcfname, "%s/hosts/%s", confbase, c->name);
+ fp = fopen(hcfname, "r");
if(!fp) {
- logger(LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno));
- free(fname);
+ logger(LOG_ERR, "Error reading RSA public key file `%s': %s", hcfname, strerror(errno));
+ free(hcfname);
return false;
}
c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
fclose(fp);
- free(fname);
- if(c->rsa_key)
+ if(c->rsa_key) {
+ free(hcfname);
return true;
+ }
/* Try again with PEM_read_RSA_PUBKEY. */
- xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
- fp = fopen(fname, "r");
+ fp = fopen(hcfname, "r");
if(!fp) {
- logger(LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno));
- free(fname);
+ logger(LOG_ERR, "Error reading RSA public key file `%s': %s", hcfname, strerror(errno));
+ free(hcfname);
return false;
}
+ free(hcfname);
c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
// RSA_blinding_on(c->rsa_key, NULL);
fclose(fp);
- free(fname);
if(c->rsa_key)
return true;
static bool read_rsa_private_key(void) {
FILE *fp;
char *fname, *key, *pubkey;
- struct stat s;
+ BIGNUM *n = NULL;
+ BIGNUM *e = NULL;
+ BIGNUM *d = NULL;
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
+ myself->connection->rsa_key = RSA_new();
+// RSA_blinding_on(myself->connection->rsa_key, NULL);
+ if(BN_hex2bn(&d, key) != strlen(key)) {
+ logger(LOG_ERR, "Invalid PrivateKey for myself!");
+ free(key);
+ return false;
+ }
+ free(key);
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
+ BN_free(d);
logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
return false;
}
- myself->connection->rsa_key = RSA_new();
-// RSA_blinding_on(myself->connection->rsa_key, NULL);
- BN_hex2bn(&myself->connection->rsa_key->d, key);
- BN_hex2bn(&myself->connection->rsa_key->n, pubkey);
- BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
- free(key);
+ if(BN_hex2bn(&n, pubkey) != strlen(pubkey)) {
+ free(pubkey);
+ BN_free(d);
+ logger(LOG_ERR, "Invalid PublicKey for myself!");
+ return false;
+ }
free(pubkey);
+ BN_hex2bn(&e, "FFFF");
+ if(!n || !e || !d || RSA_set0_key(myself->connection->rsa_key, n, e, d) != 1) {
+ BN_free(d);
+ BN_free(e);
+ BN_free(n);
+ logger(LOG_ERR, "RSA_set0_key() failed with PrivateKey for myself!");
+ return false;
+ }
return true;
}
}
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
- if(fstat(fileno(fp), &s)) {
- logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'",
- fname, strerror(errno));
- free(fname);
- return false;
- }
+ struct stat s;
- if(s.st_mode & ~0100700)
- logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
+ if(!fstat(fileno(fp), &s)) {
+ if(s.st_mode & ~0100700)
+ logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
+ } else {
+ logger(LOG_WARNING, "Could not stat RSA private key file `%s': %s'", fname, strerror(errno));
+ }
#endif
myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
if(*name == '$') {
char *envname = getenv(name + 1);
+ char hostname[32] = "";
if(!envname) {
if(strcmp(name + 1, "HOST")) {
fprintf(stderr, "Invalid Name: environment variable %s does not exist\n", name + 1);
+ free(name);
return false;
}
- envname = alloca(32);
- if(gethostname(envname, 32)) {
+ if(gethostname(hostname, sizeof hostname) || !*hostname) {
fprintf(stderr, "Could not get hostname: %s\n", strerror(errno));
+ free(name);
return false;
}
- envname[31] = 0;
+ hostname[31] = 0;
+ envname = hostname;
}
free(name);
name = xstrdup(envname);
char *name, *hostname, *mode, *afname, *cipher, *digest, *type;
char *fname = NULL;
char *address = NULL;
- char *envp[5];
+ char *proxy = NULL;
+ char *space;
+ char *envp[5] = {NULL};
struct addrinfo *ai, *aip, hint = {0};
bool choice;
int i, err;
int replaywin_int;
+ bool port_specified = false;
myself = new_node();
myself->connection = new_connection();
return false;
}
+ /* Read tinc.conf and our own host config file */
+
myself->name = name;
myself->connection->name = xstrdup(name);
xasprintf(&fname, "%s/hosts/%s", confbase, name);
if(!get_config_string(lookup_config(config_tree, "Port"), &myport))
myport = xstrdup("655");
+ else
+ port_specified = true;
+
+ /* Ensure myport is numeric */
if(!atoi(myport)) {
struct addrinfo *ai = str2addrinfo("localhost", myport, SOCK_DGRAM);
sockaddr2str(&sa, NULL, &myport);
}
+ if(get_config_string(lookup_config(config_tree, "Proxy"), &proxy)) {
+ if((space = strchr(proxy, ' ')))
+ *space++ = 0;
+
+ if(!strcasecmp(proxy, "none")) {
+ proxytype = PROXY_NONE;
+ } else if(!strcasecmp(proxy, "socks4")) {
+ proxytype = PROXY_SOCKS4;
+ } else if(!strcasecmp(proxy, "socks4a")) {
+ proxytype = PROXY_SOCKS4A;
+ } else if(!strcasecmp(proxy, "socks5")) {
+ proxytype = PROXY_SOCKS5;
+ } else if(!strcasecmp(proxy, "http")) {
+ proxytype = PROXY_HTTP;
+ } else if(!strcasecmp(proxy, "exec")) {
+ proxytype = PROXY_EXEC;
+ } else {
+ logger(LOG_ERR, "Unknown proxy type %s!", proxy);
+ free(proxy);
+ return false;
+ }
+
+ switch(proxytype) {
+ case PROXY_NONE:
+ default:
+ break;
+
+ case PROXY_EXEC:
+ if(!space || !*space) {
+ logger(LOG_ERR, "Argument expected for proxy type exec!");
+ free(proxy);
+ return false;
+ }
+ proxyhost = xstrdup(space);
+ break;
+
+ case PROXY_SOCKS4:
+ case PROXY_SOCKS4A:
+ case PROXY_SOCKS5:
+ case PROXY_HTTP:
+ proxyhost = space;
+ if(space && (space = strchr(space, ' ')))
+ *space++ = 0, proxyport = space;
+ if(space && (space = strchr(space, ' ')))
+ *space++ = 0, proxyuser = space;
+ if(space && (space = strchr(space, ' ')))
+ *space++ = 0, proxypass = space;
+ if(!proxyhost || !*proxyhost || !proxyport || !*proxyport) {
+ logger(LOG_ERR, "Host and port argument expected for proxy!");
+ free(proxy);
+ return false;
+ }
+ proxyhost = xstrdup(proxyhost);
+ proxyport = xstrdup(proxyport);
+ if(proxyuser && *proxyuser)
+ proxyuser = xstrdup(proxyuser);
+ if(proxypass && *proxypass)
+ proxypass = xstrdup(proxypass);
+ break;
+ }
+
+ free(proxy);
+ }
+
/* Read in all the subnets specified in the host configuration file */
cfg = lookup_config(config_tree, "Subnet");
routing_mode = RMODE_HUB;
else {
logger(LOG_ERR, "Invalid routing mode!");
+ free(mode);
return false;
}
free(mode);
forwarding_mode = FMODE_KERNEL;
else {
logger(LOG_ERR, "Invalid forwarding mode!");
+ free(mode);
return false;
}
free(mode);
broadcast_mode = BMODE_DIRECT;
else {
logger(LOG_ERR, "Invalid broadcast mode!");
+ free(mode);
return false;
}
free(mode);
#if !defined(SOL_IP) || !defined(IP_TOS)
if(priorityinheritance)
- logger(LOG_WARNING, "%s not supported on this platform", "PriorityInheritance");
+ logger(LOG_WARNING, "%s not supported on this platform for IPv4 connection", "PriorityInheritance");
+#endif
+
+#if !defined(IPPROTO_IPV6) || !defined(IPV6_TCLASS)
+ if(priorityinheritance)
+ logger(LOG_WARNING, "%s not supported on this platform for IPv6 connection", "PriorityInheritance");
#endif
if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
} else
maxtimeout = 900;
+ if(get_config_int(lookup_config(config_tree, "MinTimeout"), &mintimeout)) {
+ if(mintimeout < 0) {
+ logger(LOG_ERR, "Bogus minimum timeout!");
+ return false;
+ }
+ if(mintimeout > maxtimeout) {
+ logger(LOG_WARNING, "Minimum timeout (%d s) cannot be larger than maximum timeout (%d s). Correcting !", mintimeout, maxtimeout );
+ mintimeout=maxtimeout;
+ }
+ } else
+ mintimeout = 0;
+
if(get_config_int(lookup_config(config_tree, "UDPRcvBuf"), &udp_rcvbuf)) {
if(udp_rcvbuf <= 0) {
logger(LOG_ERR, "UDPRcvBuf cannot be negative!");
addressfamily = AF_UNSPEC;
else {
logger(LOG_ERR, "Invalid address family!");
+ free(afname);
return false;
}
free(afname);
/* Generate packet encryption key */
- if(get_config_string
- (lookup_config(config_tree, "Cipher"), &cipher)) {
+ if(get_config_string(lookup_config(config_tree, "Cipher"), &cipher)) {
if(!strcasecmp(cipher, "none")) {
myself->incipher = NULL;
} else {
if(!myself->incipher) {
logger(LOG_ERR, "Unrecognized cipher type!");
+ free(cipher);
return false;
}
}
+ free(cipher);
} else
- myself->incipher = EVP_bf_cbc();
+ myself->incipher = EVP_aes_256_cbc();
if(myself->incipher)
- myself->inkeylength = myself->incipher->key_len + myself->incipher->iv_len;
+ myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher);
else
myself->inkeylength = 1;
- myself->connection->outcipher = EVP_bf_ofb();
+ /* We need to use a stream mode for the meta protocol. Use AES for this,
+ but try to match the key size with the one from the cipher selected
+ by Cipher.
+
+ If Cipher is set to none, still use a low level of encryption for the
+ meta protocol.
+ */
+
+ int keylen = myself->incipher ? EVP_CIPHER_key_length(myself->incipher) : 0;
+ if(keylen <= 16)
+ myself->connection->outcipher = EVP_aes_128_cfb();
+ else if(keylen <= 24)
+ myself->connection->outcipher = EVP_aes_192_cfb();
+ else
+ myself->connection->outcipher = EVP_aes_256_cfb();
if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
keylifetime = 3600;
if(!myself->indigest) {
logger(LOG_ERR, "Unrecognized digest type!");
+ free(digest);
return false;
}
}
+
+ free(digest);
} else
- myself->indigest = EVP_sha1();
+ myself->indigest = EVP_sha256();
- myself->connection->outdigest = EVP_sha1();
+ myself->connection->outdigest = EVP_sha256();
if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
if(myself->indigest) {
- if(myself->inmaclength > myself->indigest->md_size) {
+ if(myself->inmaclength > EVP_MD_size(myself->indigest)) {
logger(LOG_ERR, "MAC length exceeds size of digest!");
return false;
} else if(myself->inmaclength < 0) {
else if(!strcasecmp(type, "vde"))
devops = vde_devops;
#endif
+ free(type);
}
if(!devops.setup())
xasprintf(&envp[1], "DEVICE=%s", device ? : "");
xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
xasprintf(&envp[3], "NAME=%s", myself->name);
- envp[4] = NULL;
+#ifdef HAVE_MINGW
+ Sleep(1000);
+#endif
+#ifdef HAVE_CYGWIN
+ sleep(1);
+#endif
execute_script("tinc-up", envp);
- for(i = 0; i < 5; i++)
+ for(i = 0; i < 4; i++)
free(envp[i]);
/* Run subnet-up scripts for our own subnets */
hint.ai_protocol = IPPROTO_TCP;
hint.ai_flags = AI_PASSIVE;
+#if HAVE_DECL_RES_INIT
+ // ensure glibc reloads /etc/resolv.conf.
+ res_init();
+#endif
err = getaddrinfo(address && *address ? address : NULL, port, &hint, &ai);
free(address);
} while(cfg);
}
- if(listen_sockets)
- logger(LOG_NOTICE, "Ready");
- else {
+ if(!listen_sockets) {
logger(LOG_ERR, "Unable to create any listening socket!");
return false;
}
+ /* If no Port option was specified, set myport to the port used by the first listening socket. */
+
+ if(!port_specified) {
+ sockaddr_t sa;
+ socklen_t salen = sizeof sa;
+ if(!getsockname(listen_socket[0].udp, &sa.sa, &salen)) {
+ free(myport);
+ sockaddr2str(&sa, NULL, &myport);
+ if(!myport)
+ myport = xstrdup("655");
+ }
+ }
+
+ /* Done. */
+
+ logger(LOG_NOTICE, "Ready");
return true;
}
void close_network_connections(void) {
avl_node_t *node, *next;
connection_t *c;
- char *envp[5];
+ char *envp[5] = {NULL};
int i;
for(node = connection_tree->head; node; node = next) {
xasprintf(&envp[1], "DEVICE=%s", device ? : "");
xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
xasprintf(&envp[3], "NAME=%s", myself->name);
- envp[4] = NULL;
exit_requests();
exit_edges();
projects / tinc / blobdiff