X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fnet_setup.c;h=b28413564ddc0b3a7ad3bade8dad1bc9b3b774c8;hp=5bbaa7996b561707df82c4779267617eaf0e9be8;hb=9bab08e972ae0ca4b904a659d9aed46aaa9b5dd5;hpb=fcbe29bc4cc67530581a36cf1a3a1445c741b8e5

diff --git a/src/net_setup.c b/src/net_setup.c
index 5bbaa799..b2841356 100644
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -17,7 +17,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 
-    $Id: net_setup.c,v 1.1.2.41 2003/07/30 11:50:45 guus Exp $
+    $Id: net_setup.c,v 1.1.2.49 2003/12/20 21:09:33 guus Exp $
 */
 
 #include "system.h"
@@ -25,6 +25,8 @@
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
 
 #include "avl_tree.h"
 #include "conf.h"
@@ -149,6 +151,7 @@ bool read_rsa_private_key(void)
 {
 	FILE *fp;
 	char *fname, *key;
+	struct stat s;
 
 	cp();
 
@@ -164,32 +167,39 @@ bool read_rsa_private_key(void)
 	if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
 		asprintf(&fname, "%s/rsa_key.priv", confbase);
 
-	if(is_safe_path(fname)) {
-		fp = fopen(fname, "r");
+	fp = fopen(fname, "r");
 
-		if(!fp) {
-			logger(LOG_ERR, _("Error reading RSA private key file `%s': %s"),
-				   fname, strerror(errno));
-			free(fname);
-			return false;
-		}
+	if(!fp) {
+		logger(LOG_ERR, _("Error reading RSA private key file `%s': %s"),
+			   fname, strerror(errno));
+		free(fname);
+		return false;
+	}
 
+#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
+	if(fstat(fileno(fp), &s)) {
+		logger(LOG_ERR, _("Could not stat RSA private key file `%s': %s'"),
+				fname, strerror(errno));
 		free(fname);
-		myself->connection->rsa_key =
-			PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
-		fclose(fp);
+		return false;
+	}
 
-		if(!myself->connection->rsa_key) {
-			logger(LOG_ERR, _("Reading RSA private key file `%s' failed: %s"),
-				   fname, strerror(errno));
-			return false;
-		}
+	if(s.st_mode & ~0100700)
+		logger(LOG_WARNING, _("Warning: insecure file permissions for RSA private key file `%s'!"), fname);
+#endif
 
-		return true;
+	myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
+	fclose(fp);
+
+	if(!myself->connection->rsa_key) {
+		logger(LOG_ERR, _("Reading RSA private key file `%s' failed: %s"),
+			   fname, strerror(errno));
+		free(fname);
+		return false;
 	}
 
 	free(fname);
-	return false;
+	return true;
 }
 
 /*
@@ -262,25 +272,26 @@ bool setup_myself(void)
 
 	/* Check some options */
 
-	if(get_config_bool(lookup_config(config_tree, "IndirectData"), &choice))
-		if(choice)
-			myself->options |= OPTION_INDIRECT;
+	if(get_config_bool(lookup_config(config_tree, "IndirectData"), &choice) && choice)
+		myself->options |= OPTION_INDIRECT;
+
+	if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice) && choice)
+		myself->options |= OPTION_TCPONLY;
 
-	if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice))
-		if(choice)
-			myself->options |= OPTION_TCPONLY;
+	if(get_config_bool(lookup_config(myself->connection->config_tree, "IndirectData"), &choice) && choice)
+		myself->options |= OPTION_INDIRECT;
 
-	if(get_config_bool(lookup_config(myself->connection->config_tree, "IndirectData"), &choice))
-		if(choice)
-			myself->options |= OPTION_INDIRECT;
+	if(get_config_bool(lookup_config(myself->connection->config_tree, "TCPOnly"), &choice) && choice)
+		myself->options |= OPTION_TCPONLY;
 
-	if(get_config_bool(lookup_config(myself->connection->config_tree, "TCPOnly"), &choice))
-		if(choice)
-			myself->options |= OPTION_TCPONLY;
+	if(get_config_bool(lookup_config(myself->connection->config_tree, "PMTUDiscovery"), &choice) && choice)
+		myself->options |= OPTION_DONTFRAGMENT;
 
 	if(myself->options & OPTION_TCPONLY)
 		myself->options |= OPTION_INDIRECT;
 
+	get_config_bool(lookup_config(config_tree, "TunnelServer"), &tunnelserver);
+
 	if(get_config_string(lookup_config(config_tree, "Mode"), &mode)) {
 		if(!strcasecmp(mode, "router"))
 			routing_mode = RMODE_ROUTER;
@@ -306,7 +317,7 @@ bool setup_myself(void)
 	if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
 		macexpire = 600;
 
-	if(get_config_int(lookup_config(myself->connection->config_tree, "MaxTimeout"), &maxtimeout)) {
+	if(get_config_int(lookup_config(config_tree, "MaxTimeout"), &maxtimeout)) {
 		if(maxtimeout <= 0) {
 			logger(LOG_ERR, _("Bogus maximum timeout!"));
 			return false;
@@ -354,7 +365,7 @@ bool setup_myself(void)
 
 	myself->connection->outcipher = EVP_bf_ofb();
 
-	myself->key = (char *) xmalloc(myself->keylength);
+	myself->key = xmalloc(myself->keylength);
 	RAND_pseudo_bytes(myself->key, myself->keylength);
 
 	if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
@@ -364,7 +375,12 @@ bool setup_myself(void)
 	
 	if(myself->cipher) {
 		EVP_CIPHER_CTX_init(&packet_ctx);
-		EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len);
+		if(!EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len)) {
+			logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"),
+					myself->name, myself->hostname, ERR_error_string(ERR_get_error(), NULL));
+			return false;
+		}
+
 	}
 
 	/* Check if we want to use message authentication codes... */
@@ -541,7 +557,7 @@ void close_network_connections(void)
 
 	for(node = connection_tree->head; node; node = next) {
 		next = node->next;
-		c = (connection_t *) node->data;
+		c = node->data;
 
 		if(c->outgoing)
 			free(c->outgoing->name), free(c->outgoing), c->outgoing = NULL;