X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fnet_setup.c;h=e0f156969486351f762f627acf8353762afee8b8;hp=6f7f70adbe24a58e8fdebc96fef2121f5d557f0c;hb=a90f1b652c0fb52950f3b0783a7e2b7f2e0cf2db;hpb=5cb147135184e3748c6f5e6e6203d22ab9f904f8

diff --git a/src/net_setup.c b/src/net_setup.c
index 6f7f70ad..e0f15696 100644
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -1,7 +1,7 @@
 /*
     net_setup.c -- Setup.
-    Copyright (C) 1998-2003 Ivo Timmermans <ivo@o2w.nl>,
-                  2000-2003 Guus Sliepen <guus@sliepen.eu.org>
+    Copyright (C) 1998-2005 Ivo Timmermans <ivo@tinc-vpn.org>,
+                  2000-2005 Guus Sliepen <guus@tinc-vpn.org>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -17,7 +17,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 
-    $Id: net_setup.c,v 1.1.2.39 2003/07/23 22:17:31 guus Exp $
+    $Id$
 */
 
 #include "system.h"
@@ -25,6 +25,8 @@
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
 
 #include "avl_tree.h"
 #include "conf.h"
@@ -148,48 +150,62 @@ bool read_rsa_public_key(connection_t *c)
 bool read_rsa_private_key(void)
 {
 	FILE *fp;
-	char *fname, *key;
+	char *fname, *key, *pubkey;
+	struct stat s;
 
 	cp();
 
 	if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
+		if(!get_config_string(lookup_config(myself->connection->config_tree, "PublicKey"), &pubkey)) {
+			logger(LOG_ERR, _("PrivateKey used but no PublicKey found!"));
+			return false;
+		}
 		myself->connection->rsa_key = RSA_new();
 //		RSA_blinding_on(myself->connection->rsa_key, NULL);
 		BN_hex2bn(&myself->connection->rsa_key->d, key);
+		BN_hex2bn(&myself->connection->rsa_key->n, pubkey);
 		BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
 		free(key);
+		free(pubkey);
 		return true;
 	}
 
 	if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
 		asprintf(&fname, "%s/rsa_key.priv", confbase);
 
-	if(is_safe_path(fname)) {
-		fp = fopen(fname, "r");
+	fp = fopen(fname, "r");
 
-		if(!fp) {
-			logger(LOG_ERR, _("Error reading RSA private key file `%s': %s"),
-				   fname, strerror(errno));
-			free(fname);
-			return false;
-		}
+	if(!fp) {
+		logger(LOG_ERR, _("Error reading RSA private key file `%s': %s"),
+			   fname, strerror(errno));
+		free(fname);
+		return false;
+	}
 
+#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
+	if(fstat(fileno(fp), &s)) {
+		logger(LOG_ERR, _("Could not stat RSA private key file `%s': %s'"),
+				fname, strerror(errno));
 		free(fname);
-		myself->connection->rsa_key =
-			PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
-		fclose(fp);
+		return false;
+	}
 
-		if(!myself->connection->rsa_key) {
-			logger(LOG_ERR, _("Reading RSA private key file `%s' failed: %s"),
-				   fname, strerror(errno));
-			return false;
-		}
+	if(s.st_mode & ~0100700)
+		logger(LOG_WARNING, _("Warning: insecure file permissions for RSA private key file `%s'!"), fname);
+#endif
 
-		return true;
+	myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
+	fclose(fp);
+
+	if(!myself->connection->rsa_key) {
+		logger(LOG_ERR, _("Reading RSA private key file `%s' failed: %s"),
+			   fname, strerror(errno));
+		free(fname);
+		return false;
 	}
 
 	free(fname);
-	return false;
+	return true;
 }
 
 /*
@@ -202,7 +218,7 @@ bool setup_myself(void)
 	char *name, *hostname, *mode, *afname, *cipher, *digest;
 	char *address = NULL;
 	char *envp[5];
-	struct addrinfo hint, *ai, *aip;
+	struct addrinfo *ai, *aip, hint = {0};
 	bool choice;
 	int i, err;
 
@@ -232,19 +248,15 @@ bool setup_myself(void)
 	myself->name = name;
 	myself->connection->name = xstrdup(name);
 
-	if(!read_rsa_private_key())
-		return false;
-
 	if(!read_connection_config(myself->connection)) {
 		logger(LOG_ERR, _("Cannot open host configuration file for myself!"));
 		return false;
 	}
 
-	if(!read_rsa_public_key(myself->connection))
+	if(!read_rsa_private_key())
 		return false;
 
-	if(!get_config_string
-	   (lookup_config(myself->connection->config_tree, "Port"), &myport))
+	if(!get_config_string(lookup_config(myself->connection->config_tree, "Port"), &myport))
 		asprintf(&myport, "655");
 
 	/* Read in all the subnets specified in the host configuration file */
@@ -262,25 +274,26 @@ bool setup_myself(void)
 
 	/* Check some options */
 
-	if(get_config_bool(lookup_config(config_tree, "IndirectData"), &choice))
-		if(choice)
-			myself->options |= OPTION_INDIRECT;
+	if(get_config_bool(lookup_config(config_tree, "IndirectData"), &choice) && choice)
+		myself->options |= OPTION_INDIRECT;
 
-	if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice))
-		if(choice)
-			myself->options |= OPTION_TCPONLY;
+	if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice) && choice)
+		myself->options |= OPTION_TCPONLY;
 
-	if(get_config_bool(lookup_config(myself->connection->config_tree, "IndirectData"), &choice))
-		if(choice)
-			myself->options |= OPTION_INDIRECT;
+	if(get_config_bool(lookup_config(myself->connection->config_tree, "IndirectData"), &choice) && choice)
+		myself->options |= OPTION_INDIRECT;
+
+	if(get_config_bool(lookup_config(myself->connection->config_tree, "TCPOnly"), &choice) && choice)
+		myself->options |= OPTION_TCPONLY;
 
-	if(get_config_bool(lookup_config(myself->connection->config_tree, "TCPOnly"), &choice))
-		if(choice)
-			myself->options |= OPTION_TCPONLY;
+	if(get_config_bool(lookup_config(myself->connection->config_tree, "PMTUDiscovery"), &choice) && choice)
+		myself->options |= OPTION_PMTU_DISCOVERY;
 
 	if(myself->options & OPTION_TCPONLY)
 		myself->options |= OPTION_INDIRECT;
 
+	get_config_bool(lookup_config(config_tree, "TunnelServer"), &tunnelserver);
+
 	if(get_config_string(lookup_config(config_tree, "Mode"), &mode)) {
 		if(!strcasecmp(mode, "router"))
 			routing_mode = RMODE_ROUTER;
@@ -306,7 +319,7 @@ bool setup_myself(void)
 	if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
 		macexpire = 600;
 
-	if(get_config_int(lookup_config(myself->connection->config_tree, "MaxTimeout"), &maxtimeout)) {
+	if(get_config_int(lookup_config(config_tree, "MaxTimeout"), &maxtimeout)) {
 		if(maxtimeout <= 0) {
 			logger(LOG_ERR, _("Bogus maximum timeout!"));
 			return false;
@@ -354,7 +367,7 @@ bool setup_myself(void)
 
 	myself->connection->outcipher = EVP_bf_ofb();
 
-	myself->key = (char *) xmalloc(myself->keylength);
+	myself->key = xmalloc(myself->keylength);
 	RAND_pseudo_bytes(myself->key, myself->keylength);
 
 	if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
@@ -364,7 +377,12 @@ bool setup_myself(void)
 	
 	if(myself->cipher) {
 		EVP_CIPHER_CTX_init(&packet_ctx);
-		EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len);
+		if(!EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len)) {
+			logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"),
+					myself->name, myself->hostname, ERR_error_string(ERR_get_error(), NULL));
+			return false;
+		}
+
 	}
 
 	/* Check if we want to use message authentication codes... */
@@ -442,9 +460,11 @@ bool setup_myself(void)
 	for(i = 0; i < 5; i++)
 		free(envp[i]);
 
-	/* Open sockets */
+	/* Run subnet-up scripts for our own subnets */
 
-	memset(&hint, 0, sizeof(hint));
+	subnet_update(myself, NULL, true);
+
+	/* Open sockets */
 
 	get_config_string(lookup_config(config_tree, "BindToAddress"), &address);
 
@@ -514,12 +534,20 @@ bool setup_network_connections(void)
 	init_events();
 	init_requests();
 
-	if(get_config_int(lookup_config(config_tree, "PingTimeout"), &pingtimeout)) {
-		if(pingtimeout < 1) {
-			pingtimeout = 86400;
+	if(get_config_int(lookup_config(config_tree, "PingInterval"), &pinginterval)) {
+		if(pinginterval < 1) {
+			pinginterval = 86400;
 		}
 	} else
-		pingtimeout = 60;
+		pinginterval = 60;
+
+	if(!get_config_int(lookup_config(config_tree, "PingTimeout"), &pingtimeout))
+		pingtimeout = 5;
+	if(pingtimeout < 1 || pingtimeout > pinginterval)
+		pingtimeout = pinginterval;
+
+	if(!get_config_int(lookup_config(config_tree, "MaxOutputBufferSize"), &maxoutbufsize))
+		maxoutbufsize = 4 * MTU;
 
 	if(!setup_myself())
 		return false;
@@ -543,21 +571,29 @@ void close_network_connections(void)
 
 	for(node = connection_tree->head; node; node = next) {
 		next = node->next;
-		c = (connection_t *) node->data;
+		c = node->data;
 
 		if(c->outgoing)
 			free(c->outgoing->name), free(c->outgoing), c->outgoing = NULL;
 		terminate_connection(c, false);
 	}
 
-	if(myself && myself->connection)
+	if(myself && myself->connection) {
+		subnet_update(myself, NULL, false);
 		terminate_connection(myself->connection, false);
+	}
 
 	for(i = 0; i < listen_sockets; i++) {
 		close(listen_socket[i].tcp);
 		close(listen_socket[i].udp);
 	}
 
+	asprintf(&envp[0], "NETNAME=%s", netname ? : "");
+	asprintf(&envp[1], "DEVICE=%s", device ? : "");
+	asprintf(&envp[2], "INTERFACE=%s", iface ? : "");
+	asprintf(&envp[3], "NAME=%s", myself->name);
+	envp[4] = NULL;
+
 	exit_requests();
 	exit_events();
 	exit_edges();
@@ -565,12 +601,6 @@ void close_network_connections(void)
 	exit_nodes();
 	exit_connections();
 
-	asprintf(&envp[0], "NETNAME=%s", netname ? : "");
-	asprintf(&envp[1], "DEVICE=%s", device ? : "");
-	asprintf(&envp[2], "INTERFACE=%s", iface ? : "");
-	asprintf(&envp[3], "NAME=%s", myself->name);
-	envp[4] = NULL;
-
 	execute_script("tinc-down", envp);
 
 	for(i = 0; i < 4; i++)