X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fconf.c;h=58d7b6d30e94b4975aa016ed697bf39340bcdfd7;hp=b6d2b0af835a05dafdf62da11ebf1afcce3d2c39;hb=26203e250433b846118be1b2e236bf2541aa260d;hpb=5db596c6844169f1eb5f804b72abe99d067aaa5a diff --git a/src/conf.c b/src/conf.c index b6d2b0af..58d7b6d3 100644 --- a/src/conf.c +++ b/src/conf.c @@ -1,9 +1,10 @@ /* conf.c -- configuration code Copyright (C) 1998 Robert van der Meulen - 1998-2003 Ivo Timmermans - 2000-2003 Guus Sliepen - 2000 Cris van Pelt + 1998-2005 Ivo Timmermans + 2000-2014 Guus Sliepen + 2010-2011 Julien Muchembled + 2000 Cris van Pelt This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -15,574 +16,582 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - - $Id: conf.c,v 1.9.4.65 2003/07/12 17:41:45 guus Exp $ + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include "config.h" - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include /* for cp */ -#include +#include "system.h" +#include "avl_tree.h" +#include "connection.h" #include "conf.h" -#include "netutl.h" /* for str2address */ +#include "list.h" #include "logger.h" - -#include "system.h" +#include "netutl.h" /* for str2address */ +#include "protocol.h" +#include "utils.h" /* for cp */ +#include "xalloc.h" avl_tree_t *config_tree; -int pingtimeout = 0; /* seconds before timeout */ -char *confbase = NULL; /* directory in which all config files are */ -char *netname = NULL; /* name of the vpn network */ +int pinginterval = 0; /* seconds between pings */ +int pingtimeout = 0; /* seconds to wait for response */ +char *confbase = NULL; /* directory in which all config files are */ +char *netname = NULL; /* name of the vpn network */ +list_t *cmdline_conf = NULL; /* global/host configuration values given at the command line */ -static int config_compare(config_t *a, config_t *b) -{ + +static int config_compare(const config_t *a, const config_t *b) { int result; result = strcasecmp(a->variable, b->variable); - if(result) + if(result) { return result; + } + + /* give priority to command line options */ + result = !b->file - !a->file; + + if(result) { + return result; + } result = a->line - b->line; - if(result) + if(result) { return result; - else - return strcmp(a->file, b->file); + } else { + return a->file ? strcmp(a->file, b->file) : 0; + } } -void init_configuration(avl_tree_t ** config_tree) -{ - cp(); - +void init_configuration(avl_tree_t **config_tree) { *config_tree = avl_alloc_tree((avl_compare_t) config_compare, (avl_action_t) free_config); } -void exit_configuration(avl_tree_t ** config_tree) -{ - cp(); - +void exit_configuration(avl_tree_t **config_tree) { avl_delete_tree(*config_tree); *config_tree = NULL; } -config_t *new_config(void) -{ - cp(); - - return (config_t *) xmalloc_and_zero(sizeof(config_t)); +config_t *new_config(void) { + return xmalloc_and_zero(sizeof(config_t)); } -void free_config(config_t *cfg) -{ - cp(); - - if(cfg->variable) - free(cfg->variable); - - if(cfg->value) - free(cfg->value); - - if(cfg->file) - free(cfg->file); - +void free_config(config_t *cfg) { + free(cfg->variable); + free(cfg->value); + free(cfg->file); free(cfg); } -void config_add(avl_tree_t *config_tree, config_t *cfg) -{ - cp(); - +void config_add(avl_tree_t *config_tree, config_t *cfg) { avl_insert(config_tree, cfg); } -config_t *lookup_config(avl_tree_t *config_tree, char *variable) -{ +config_t *lookup_config(const avl_tree_t *config_tree, char *variable) { config_t cfg, *found; - cp(); - cfg.variable = variable; - cfg.file = ""; + cfg.file = NULL; cfg.line = 0; found = avl_search_closest_greater(config_tree, &cfg); - if(!found) + if(!found) { return NULL; + } - if(strcasecmp(found->variable, variable)) + if(strcasecmp(found->variable, variable)) { return NULL; + } return found; } -config_t *lookup_config_next(avl_tree_t *config_tree, config_t *cfg) -{ +config_t *lookup_config_next(const avl_tree_t *config_tree, const config_t *cfg) { avl_node_t *node; config_t *found; - cp(); - node = avl_search_node(config_tree, cfg); if(node) { if(node->next) { - found = (config_t *) node->next->data; + found = node->next->data; - if(!strcasecmp(found->variable, cfg->variable)) + if(!strcasecmp(found->variable, cfg->variable)) { return found; + } } } return NULL; } -int get_config_bool(config_t *cfg, int *result) -{ - cp(); - - if(!cfg) - return 0; +bool get_config_bool(const config_t *cfg, bool *result) { + if(!cfg) { + return false; + } if(!strcasecmp(cfg->value, "yes")) { - *result = 1; - return 1; + *result = true; + return true; } else if(!strcasecmp(cfg->value, "no")) { - *result = 0; - return 1; + *result = false; + return true; } - logger(LOG_ERR, _("\"yes\" or \"no\" expected for configuration variable %s in %s line %d"), - cfg->variable, cfg->file, cfg->line); + logger(LOG_ERR, "\"yes\" or \"no\" expected for configuration variable %s in %s line %d", + cfg->variable, cfg->file, cfg->line); - return 0; + return false; } -int get_config_int(config_t *cfg, int *result) -{ - cp(); - - if(!cfg) - return 0; +bool get_config_int(const config_t *cfg, int *result) { + if(!cfg) { + return false; + } - if(sscanf(cfg->value, "%d", result) == 1) - return 1; + if(sscanf(cfg->value, "%d", result) == 1) { + return true; + } - logger(LOG_ERR, _("Integer expected for configuration variable %s in %s line %d"), - cfg->variable, cfg->file, cfg->line); + logger(LOG_ERR, "Integer expected for configuration variable %s in %s line %d", + cfg->variable, cfg->file, cfg->line); - return 0; + return false; } -int get_config_string(config_t *cfg, char **result) -{ - cp(); - - if(!cfg) - return 0; +bool get_config_string(const config_t *cfg, char **result) { + if(!cfg) { + return false; + } *result = xstrdup(cfg->value); - return 1; + return true; } -int get_config_address(config_t *cfg, struct addrinfo **result) -{ +bool get_config_address(const config_t *cfg, struct addrinfo **result) { struct addrinfo *ai; - cp(); - - if(!cfg) - return 0; + if(!cfg) { + return false; + } ai = str2addrinfo(cfg->value, NULL, 0); if(ai) { *result = ai; - return 1; + return true; } - logger(LOG_ERR, _("Hostname or IP address expected for configuration variable %s in %s line %d"), - cfg->variable, cfg->file, cfg->line); + logger(LOG_ERR, "Hostname or IP address expected for configuration variable %s in %s line %d", + cfg->variable, cfg->file, cfg->line); - return 0; + return false; } -int get_config_subnet(config_t *cfg, subnet_t ** result) -{ - subnet_t *subnet; - - cp(); - - if(!cfg) - return 0; +bool get_config_subnet(const config_t *cfg, subnet_t **result) { + subnet_t subnet = {0}; - subnet = str2net(cfg->value); + if(!cfg) { + return false; + } - if(!subnet) { - logger(LOG_ERR, _("Subnet expected for configuration variable %s in %s line %d"), - cfg->variable, cfg->file, cfg->line); - return 0; + if(!str2net(&subnet, cfg->value)) { + logger(LOG_ERR, "Subnet expected for configuration variable %s in %s line %d", + cfg->variable, cfg->file, cfg->line); + return false; } /* Teach newbies what subnets are... */ - if(((subnet->type == SUBNET_IPV4) - && maskcheck(&subnet->net.ipv4.address, subnet->net.ipv4.prefixlength, sizeof(ipv4_t))) - || ((subnet->type == SUBNET_IPV6) - && maskcheck(&subnet->net.ipv6.address, subnet->net.ipv6.prefixlength, sizeof(ipv6_t)))) { - logger(LOG_ERR, _ ("Network address and prefix length do not match for configuration variable %s in %s line %d"), - cfg->variable, cfg->file, cfg->line); - free(subnet); - return 0; + if(((subnet.type == SUBNET_IPV4) + && !maskcheck(&subnet.net.ipv4.address, subnet.net.ipv4.prefixlength, sizeof(ipv4_t))) + || ((subnet.type == SUBNET_IPV6) + && !maskcheck(&subnet.net.ipv6.address, subnet.net.ipv6.prefixlength, sizeof(ipv6_t)))) { + logger(LOG_ERR, "Network address and prefix length do not match for configuration variable %s in %s line %d", + cfg->variable, cfg->file, cfg->line); + return false; } - *result = subnet; + *(*result = new_subnet()) = subnet; - return 1; + return true; } /* - Read exactly one line and strip the trailing newline if any. If the - file was on EOF, return NULL. Otherwise, return all the data in a - dynamically allocated buffer. - - If line is non-NULL, it will be used as an initial buffer, to avoid - unnecessary mallocing each time this function is called. If buf is - given, and buf needs to be expanded, the var pointed to by buflen - will be increased. + Read exactly one line and strip the trailing newline if any. */ -static char *readline(FILE * fp, char **buf, size_t *buflen) -{ +static char *readline(FILE *fp, char *buf, size_t buflen) { char *newline = NULL; char *p; - char *line; /* The array that contains everything that has been read so far */ - char *idx; /* Read into this pointer, which points to an offset within line */ - size_t size, newsize; /* The size of the current array pointed to by line */ - size_t maxlen; /* Maximum number of characters that may be read with fgets. This is newsize - oldsize. */ - if(feof(fp)) + if(feof(fp)) { return NULL; + } - if(buf && buflen) { - size = *buflen; - line = *buf; - } else { - size = 100; - line = xmalloc(size); + p = fgets(buf, buflen, fp); + + if(!p) { + return NULL; } - maxlen = size; - idx = line; - *idx = 0; + newline = strchr(p, '\n'); - for(;;) { - errno = 0; - p = fgets(idx, maxlen, fp); + if(!newline) { + return buf; + } - if(!p) { /* EOF or error */ - if(feof(fp)) - break; + *newline = '\0'; /* kill newline */ - /* otherwise: error; let the calling function print an error message if applicable */ - free(line); - return NULL; - } + if(newline > p && newline[-1] == '\r') { /* and carriage return if necessary */ + newline[-1] = '\0'; + } + + return buf; +} - newline = strchr(p, '\n'); +config_t *parse_config_line(char *line, const char *fname, int lineno) { + config_t *cfg; + int len; + char *variable, *value, *eol; + variable = value = line; - if(!newline) { /* We haven't yet read everything to the end of the line */ - newsize = size << 1; - line = xrealloc(line, newsize); - idx = &line[size - 1]; - maxlen = newsize - size + 1; - size = newsize; - } else { - *newline = '\0'; /* kill newline */ - break; /* yay */ - } + eol = line + strlen(line); + + while(strchr("\t ", *--eol)) { + *eol = '\0'; + } + + len = strcspn(value, "\t ="); + value += len; + value += strspn(value, "\t "); + + if(*value == '=') { + value++; + value += strspn(value, "\t "); } - if(buf && buflen) { - *buflen = size; - *buf = line; + variable[len] = '\0'; + + if(!*value) { + const char err[] = "No value for variable"; + + if(fname) + logger(LOG_ERR, "%s `%s' on line %d while reading config file %s", + err, variable, lineno, fname); + else + logger(LOG_ERR, "%s `%s' in command line option %d", + err, variable, lineno); + + return NULL; } - return line; + cfg = new_config(); + cfg->variable = xstrdup(variable); + cfg->value = xstrdup(value); + cfg->file = fname ? xstrdup(fname) : NULL; + cfg->line = lineno; + + return cfg; } /* Parse a configuration file and put the results in the configuration tree starting at *base. */ -int read_config_file(avl_tree_t *config_tree, const char *fname) -{ - int err = -2; /* Parse error */ +bool read_config_file(avl_tree_t *config_tree, const char *fname) { FILE *fp; - char *buffer, *line; - char *variable, *value; - int lineno = 0, ignore = 0; + char buffer[MAX_STRING_SIZE]; + char *line; + int lineno = 0; + bool ignore = false; config_t *cfg; - size_t bufsize; - - cp(); + bool result = false; fp = fopen(fname, "r"); if(!fp) { - logger(LOG_ERR, _("Cannot open config file %s: %s"), fname, - strerror(errno)); - return -3; + logger(LOG_ERR, "Cannot open config file %s: %s", fname, strerror(errno)); + return false; } - bufsize = 100; - buffer = xmalloc(bufsize); - for(;;) { - line = readline(fp, &buffer, &bufsize); + line = readline(fp, buffer, sizeof(buffer)); if(!line) { - err = -1; - break; - } + if(feof(fp)) { + result = true; + } - if(feof(fp)) { - err = 0; break; } lineno++; - variable = strtok(line, "\t ="); - - if(!variable) - continue; /* no tokens on this line */ - - if(variable[0] == '#') - continue; /* comment: ignore */ + if(!*line || *line == '#') { + continue; + } - if(!strcmp(variable, "-----BEGIN")) - ignore = 1; + if(ignore) { + if(!strncmp(line, "-----END", 8)) { + ignore = false; + } - if(!ignore) { - value = strtok(NULL, "\t\n\r ="); + continue; + } - if(!value || value[0] == '#') { - logger(LOG_ERR, _("No value for variable `%s' on line %d while reading config file %s"), - variable, lineno, fname); - break; - } + if(!strncmp(line, "-----BEGIN", 10)) { + ignore = true; + continue; + } - cfg = new_config(); - cfg->variable = xstrdup(variable); - cfg->value = xstrdup(value); - cfg->file = xstrdup(fname); - cfg->line = lineno; + cfg = parse_config_line(line, fname, lineno); - config_add(config_tree, cfg); + if(!cfg) { + break; } - if(!strcmp(variable, "-----END")) - ignore = 0; + config_add(config_tree, cfg); } - free(buffer); fclose(fp); - return err; + return result; } -int read_server_config() -{ - char *fname; - int x; +void read_config_options(avl_tree_t *config_tree, const char *prefix) { + size_t prefix_len = prefix ? strlen(prefix) : 0; - cp(); + for(const list_node_t *node = cmdline_conf->tail; node; node = node->prev) { + const config_t *cfg = node->data; - asprintf(&fname, "%s/tinc.conf", confbase); - x = read_config_file(config_tree, fname); - - if(x == -1) { /* System error: complain */ - logger(LOG_ERR, _("Failed to read `%s': %s"), fname, strerror(errno)); - } + if(!prefix) { + if(strchr(cfg->variable, '.')) { + continue; + } + } else { + if(strncmp(prefix, cfg->variable, prefix_len) || + cfg->variable[prefix_len] != '.') { + continue; + } + } - free(fname); + config_t *new = new_config(); - return x; -} + if(prefix) { + new->variable = xstrdup(cfg->variable + prefix_len + 1); + } else { + new->variable = xstrdup(cfg->variable); + } -int is_safe_path(const char *file) -{ - char *p; - const char *f; - char x; - struct stat s; - char l[MAXBUFSIZE]; + new->value = xstrdup(cfg->value); + new->file = NULL; + new->line = cfg->line; - if(*file != '/') { - logger(LOG_ERR, _("`%s' is not an absolute path"), file); - return 0; + config_add(config_tree, new); } +} - p = strrchr(file, '/'); +bool read_server_config(void) { + char fname[PATH_MAX]; + bool x; - if(p == file) /* It's in the root */ - p++; + read_config_options(config_tree, NULL); - x = *p; - *p = '\0'; + snprintf(fname, sizeof(fname), "%s/tinc.conf", confbase); + errno = 0; + x = read_config_file(config_tree, fname); - f = file; + // We will try to read the conf files in the "conf.d" dir + if(x) { + char dname[PATH_MAX]; + snprintf(dname, sizeof(dname), "%s/conf.d", confbase); + DIR *dir = opendir(dname); + + // If we can find this dir + if(dir) { + struct dirent *ep; + + // We list all the files in it + while(x && (ep = readdir(dir))) { + size_t l = strlen(ep->d_name); + + // And we try to read the ones that end with ".conf" + if(l > 5 && !strcmp(".conf", & ep->d_name[ l - 5 ])) { + if((size_t)snprintf(fname, sizeof(fname), "%s/%s", dname, ep->d_name) >= sizeof(fname)) { + logger(LOG_ERR, "Pathname too long: %s/%s", dname, ep->d_name); + return false; + } + + x = read_config_file(config_tree, fname); + } + } -check1: - if(lstat(f, &s) < 0) { - logger(LOG_ERR, _("Couldn't stat `%s': %s"), f, strerror(errno)); - return 0; + closedir(dir); + } } - if(s.st_uid != geteuid()) { - logger(LOG_ERR, _("`%s' is owned by UID %d instead of %d"), - f, s.st_uid, geteuid()); - return 0; + if(!x && errno) { + logger(LOG_ERR, "Failed to read `%s': %s", fname, strerror(errno)); } - if(S_ISLNK(s.st_mode)) { - logger(LOG_WARNING, _("Warning: `%s' is a symlink"), f); + return x; +} - if(readlink(f, l, MAXBUFSIZE) < 0) { - logger(LOG_ERR, _("Unable to read symbolic link `%s': %s"), f, - strerror(errno)); - return 0; - } +bool read_connection_config(connection_t *c) { + char fname[PATH_MAX]; + bool x; - f = l; - goto check1; - } + read_config_options(c->config_tree, c->name); - *p = x; - f = file; + snprintf(fname, sizeof(fname), "%s/hosts/%s", confbase, c->name); + x = read_config_file(c->config_tree, fname); -check2: - if(lstat(f, &s) < 0 && errno != ENOENT) { - logger(LOG_ERR, _("Couldn't stat `%s': %s"), f, strerror(errno)); - return 0; - } + return x; +} - if(errno == ENOENT) - return 1; +static void disable_old_keys(const char *filename) { + char tmpfile[PATH_MAX] = ""; + char buf[1024]; + bool disabled = false; + FILE *r, *w; - if(s.st_uid != geteuid()) { - logger(LOG_ERR, _("`%s' is owned by UID %d instead of %d"), - f, s.st_uid, geteuid()); - return 0; + r = fopen(filename, "r"); + + if(!r) { + return; } - if(S_ISLNK(s.st_mode)) { - logger(LOG_WARNING, _("Warning: `%s' is a symlink"), f); + snprintf(tmpfile, sizeof(tmpfile), "%s.tmp", filename); + + w = fopen(tmpfile, "w"); + + while(fgets(buf, sizeof(buf), r)) { + if(!strncmp(buf, "-----BEGIN RSA", 14)) { + buf[11] = 'O'; + buf[12] = 'L'; + buf[13] = 'D'; + disabled = true; + } else if(!strncmp(buf, "-----END RSA", 12)) { + buf[ 9] = 'O'; + buf[10] = 'L'; + buf[11] = 'D'; + disabled = true; + } - if(readlink(f, l, MAXBUFSIZE) < 0) { - logger(LOG_ERR, _("Unable to read symbolic link `%s': %s"), f, - strerror(errno)); - return 0; + if(w && fputs(buf, w) < 0) { + disabled = false; + break; } + } + + if(w) { + fclose(w); + } - f = l; - goto check2; + fclose(r); + + if(!w && disabled) { + fprintf(stderr, "Warning: old key(s) found, remove them by hand!\n"); + return; } - if(s.st_mode & 0007) { - /* Accessible by others */ - logger(LOG_ERR, _("`%s' has unsecure permissions"), f); - return 0; + if(disabled) { +#ifdef HAVE_MINGW + // We cannot atomically replace files on Windows. + char bakfile[PATH_MAX] = ""; + snprintf(bakfile, sizeof(bakfile), "%s.bak", filename); + + if(rename(filename, bakfile) || rename(tmpfile, filename)) { + rename(bakfile, filename); +#else + + if(rename(tmpfile, filename)) { +#endif + fprintf(stderr, "Warning: old key(s) found, remove them by hand!\n"); + } else { +#ifdef HAVE_MINGW + unlink(bakfile); +#endif + fprintf(stderr, "Warning: old key(s) found and disabled.\n"); + } } - return 1; + unlink(tmpfile); } -FILE *ask_and_safe_open(const char *filename, const char *what, - const char *mode) -{ +FILE *ask_and_open(const char *filename, const char *what) { FILE *r; - char *directory; - char *fn; + char directory[PATH_MAX]; + char line[PATH_MAX]; + char abspath[PATH_MAX]; + const char *fn; /* Check stdin and stdout */ if(!isatty(0) || !isatty(1)) { /* Argh, they are running us from a script or something. Write the files to the current directory and let them burn in hell for ever. */ - fn = xstrdup(filename); + fn = filename; } else { /* Ask for a file and/or directory name. */ - fprintf(stdout, _("Please enter a file to save %s to [%s]: "), - what, filename); + fprintf(stdout, "Please enter a file to save %s to [%s]: ", + what, filename); fflush(stdout); - fn = readline(stdin, NULL, NULL); + fn = readline(stdin, line, sizeof(line)); if(!fn) { - fprintf(stderr, _("Error while reading stdin: %s\n"), - strerror(errno)); + fprintf(stderr, "Error while reading stdin: %s\n", + strerror(errno)); return NULL; } if(!strlen(fn)) /* User just pressed enter. */ - fn = xstrdup(filename); + { + fn = filename; + } } - if(!strchr(fn, '/') || fn[0] != '/') { +#ifdef HAVE_MINGW + + if(fn[0] != '\\' && fn[0] != '/' && !strchr(fn, ':')) { +#else + + if(fn[0] != '/') { +#endif /* The directory is a relative path or a filename. */ - char *p; + getcwd(directory, sizeof(directory)); + + if((size_t)snprintf(abspath, sizeof(abspath), "%s/%s", directory, fn) >= sizeof(abspath)) { + fprintf(stderr, "Pathname too long: %s/%s\n", directory, fn); + return NULL; + } - directory = get_current_dir_name(); - asprintf(&p, "%s/%s", directory, fn); - free(fn); - free(directory); - fn = p; + fn = abspath; } - umask(0077); /* Disallow everything for group and other */ + umask(0077); /* Disallow everything for group and other */ + + disable_old_keys(fn); /* Open it first to keep the inode busy */ - r = fopen(fn, mode); + r = fopen(fn, "a"); if(!r) { - fprintf(stderr, _("Error opening file `%s': %s\n"), - fn, strerror(errno)); - free(fn); - return NULL; - } - - /* Then check the file for nasty attacks */ - if(!is_safe_path(fn)) { /* Do not permit any directories that are readable or writeable by other users. */ - fprintf(stderr, _("The file `%s' (or any of the leading directories) has unsafe permissions.\n" - "I will not create or overwrite this file.\n"), fn); - fclose(r); - free(fn); + fprintf(stderr, "Error opening file `%s': %s\n", + fn, strerror(errno)); return NULL; } - free(fn); - return r; } + +