tinc-vpn.org Git - tinc/blob - src/net_setup.c

   1 /*
   2     net_setup.c -- Setup.
   3     Copyright (C) 1998-2005 Ivo Timmermans,
   4                   2000-2006 Guus Sliepen <guus@tinc-vpn.org>
   5
   6     This program is free software; you can redistribute it and/or modify
   7     it under the terms of the GNU General Public License as published by
   8     the Free Software Foundation; either version 2 of the License, or
   9     (at your option) any later version.
  10
  11     This program is distributed in the hope that it will be useful,
  12     but WITHOUT ANY WARRANTY; without even the implied warranty of
  13     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14     GNU General Public License for more details.
  15
  16     You should have received a copy of the GNU General Public License
  17     along with this program; if not, write to the Free Software
  18     Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  19
  20     $Id$
  21 */
  22
  23 #include "system.h"
  24
  25 #include <openssl/pem.h>
  26 #include <openssl/rsa.h>
  27 #include <openssl/rand.h>
  28 #include <openssl/err.h>
  29 #include <openssl/evp.h>
  30
  31 #include "avl_tree.h"
  32 #include "conf.h"
  33 #include "connection.h"
  34 #include "device.h"
  35 #include "event.h"
  36 #include "graph.h"
  37 #include "logger.h"
  38 #include "net.h"
  39 #include "netutl.h"
  40 #include "process.h"
  41 #include "protocol.h"
  42 #include "route.h"
  43 #include "subnet.h"
  44 #include "utils.h"
  45 #include "xalloc.h"
  46
  47 char *myport;
  48
  49 bool read_rsa_public_key(connection_t *c)
  50 {
  51         FILE *fp;
  52         char *fname;
  53         char *key;
  54
  55         cp();
  56
  57         if(!c->rsa_key) {
  58                 c->rsa_key = RSA_new();
  59 //              RSA_blinding_on(c->rsa_key, NULL);
  60         }
  61
  62         /* First, check for simple PublicKey statement */
  63
  64         if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
  65                 BN_hex2bn(&c->rsa_key->n, key);
  66                 BN_hex2bn(&c->rsa_key->e, "FFFF");
  67                 free(key);
  68                 return true;
  69         }
  70
  71         /* Else, check for PublicKeyFile statement and read it */
  72
  73         if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &fname)) {
  74                 fp = fopen(fname, "r");
  75
  76                 if(!fp) {
  77                         logger(LOG_ERR, _("Error reading RSA public key file `%s': %s"),
  78                                    fname, strerror(errno));
  79                         free(fname);
  80                         return false;
  81                 }
  82
  83                 free(fname);
  84                 c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
  85                 fclose(fp);
  86
  87                 if(c->rsa_key)
  88                         return true;            /* Woohoo. */
  89
  90                 /* If it fails, try PEM_read_RSA_PUBKEY. */
  91                 fp = fopen(fname, "r");
  92
  93                 if(!fp) {
  94                         logger(LOG_ERR, _("Error reading RSA public key file `%s': %s"),
  95                                    fname, strerror(errno));
  96                         free(fname);
  97                         return false;
  98                 }
  99
 100                 free(fname);
 101                 c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
 102                 fclose(fp);
 103
 104                 if(c->rsa_key) {
 105 //                              RSA_blinding_on(c->rsa_key, NULL);
 106                         return true;
 107                 }
 108
 109                 logger(LOG_ERR, _("Reading RSA public key file `%s' failed: %s"),
 110                            fname, strerror(errno));
 111                 return false;
 112         }
 113
 114         /* Else, check if a harnessed public key is in the config file */
 115
 116         asprintf(&fname, "%s/hosts/%s", confbase, c->name);
 117         fp = fopen(fname, "r");
 118
 119         if(fp) {
 120                 c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
 121                 fclose(fp);
 122         }
 123
 124         free(fname);
 125
 126         if(c->rsa_key)
 127                 return true;
 128
 129         /* Try again with PEM_read_RSA_PUBKEY. */
 130
 131         asprintf(&fname, "%s/hosts/%s", confbase, c->name);
 132         fp = fopen(fname, "r");
 133
 134         if(fp) {
 135                 c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
 136 //              RSA_blinding_on(c->rsa_key, NULL);
 137                 fclose(fp);
 138         }
 139
 140         free(fname);
 141
 142         if(c->rsa_key)
 143                 return true;
 144
 145         logger(LOG_ERR, _("No public key for %s specified!"), c->name);
 146
 147         return false;
 148 }
 149
 150 bool read_rsa_private_key(void)
 151 {
 152         FILE *fp;
 153         char *fname, *key, *pubkey;
 154         struct stat s;
 155
 156         cp();
 157
 158         if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
 159                 if(!get_config_string(lookup_config(myself->connection->config_tree, "PublicKey"), &pubkey)) {
 160                         logger(LOG_ERR, _("PrivateKey used but no PublicKey found!"));
 161                         return false;
 162                 }
 163                 myself->connection->rsa_key = RSA_new();
 164 //              RSA_blinding_on(myself->connection->rsa_key, NULL);
 165                 BN_hex2bn(&myself->connection->rsa_key->d, key);
 166                 BN_hex2bn(&myself->connection->rsa_key->n, pubkey);
 167                 BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
 168                 free(key);
 169                 free(pubkey);
 170                 return true;
 171         }
 172
 173         if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
 174                 asprintf(&fname, "%s/rsa_key.priv", confbase);
 175
 176         fp = fopen(fname, "r");
 177
 178         if(!fp) {
 179                 logger(LOG_ERR, _("Error reading RSA private key file `%s': %s"),
 180                            fname, strerror(errno));
 181                 free(fname);
 182                 return false;
 183         }
 184
 185 #if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
 186         if(fstat(fileno(fp), &s)) {
 187                 logger(LOG_ERR, _("Could not stat RSA private key file `%s': %s'"),
 188                                 fname, strerror(errno));
 189                 free(fname);
 190                 return false;
 191         }
 192
 193         if(s.st_mode & ~0100700)
 194                 logger(LOG_WARNING, _("Warning: insecure file permissions for RSA private key file `%s'!"), fname);
 195 #endif
 196
 197         myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
 198         fclose(fp);
 199
 200         if(!myself->connection->rsa_key) {
 201                 logger(LOG_ERR, _("Reading RSA private key file `%s' failed: %s"),
 202                            fname, strerror(errno));
 203                 free(fname);
 204                 return false;
 205         }
 206
 207         free(fname);
 208         return true;
 209 }
 210
 211 /*
 212   Configure node_t myself and set up the local sockets (listen only)
 213 */
 214 bool setup_myself(void)
 215 {
 216         config_t *cfg;
 217         subnet_t *subnet;
 218         char *name, *hostname, *mode, *afname, *cipher, *digest;
 219         char *address = NULL;
 220         char *envp[5];
 221         struct addrinfo *ai, *aip, hint = {0};
 222         bool choice;
 223         int i, err;
 224
 225         cp();
 226
 227         myself = new_node();
 228         myself->connection = new_connection();
 229         init_configuration(&myself->connection->config_tree);
 230
 231         asprintf(&myself->hostname, _("MYSELF"));
 232         asprintf(&myself->connection->hostname, _("MYSELF"));
 233
 234         myself->connection->options = 0;
 235         myself->connection->protocol_version = PROT_CURRENT;
 236
 237         if(!get_config_string(lookup_config(config_tree, "Name"), &name)) {     /* Not acceptable */
 238                 logger(LOG_ERR, _("Name for tinc daemon required!"));
 239                 return false;
 240         }
 241
 242         if(!check_id(name)) {
 243                 logger(LOG_ERR, _("Invalid name for myself!"));
 244                 free(name);
 245                 return false;
 246         }
 247
 248         myself->name = name;
 249         myself->connection->name = xstrdup(name);
 250
 251         if(!read_connection_config(myself->connection)) {
 252                 logger(LOG_ERR, _("Cannot open host configuration file for myself!"));
 253                 return false;
 254         }
 255
 256         if(!read_rsa_private_key())
 257                 return false;
 258
 259         if(!get_config_string(lookup_config(myself->connection->config_tree, "Port"), &myport))
 260                 asprintf(&myport, "655");
 261
 262         /* Read in all the subnets specified in the host configuration file */
 263
 264         cfg = lookup_config(myself->connection->config_tree, "Subnet");
 265
 266         while(cfg) {
 267                 if(!get_config_subnet(cfg, &subnet))
 268                         return false;
 269
 270                 subnet_add(myself, subnet);
 271
 272                 cfg = lookup_config_next(myself->connection->config_tree, cfg);
 273         }
 274
 275         /* Check some options */
 276
 277         if(get_config_bool(lookup_config(config_tree, "IndirectData"), &choice) && choice)
 278                 myself->options |= OPTION_INDIRECT;
 279
 280         if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice) && choice)
 281                 myself->options |= OPTION_TCPONLY;
 282
 283         if(get_config_bool(lookup_config(myself->connection->config_tree, "IndirectData"), &choice) && choice)
 284                 myself->options |= OPTION_INDIRECT;
 285
 286         if(get_config_bool(lookup_config(myself->connection->config_tree, "TCPOnly"), &choice) && choice)
 287                 myself->options |= OPTION_TCPONLY;
 288
 289         if(get_config_bool(lookup_config(myself->connection->config_tree, "PMTUDiscovery"), &choice) && choice)
 290                 myself->options |= OPTION_PMTU_DISCOVERY;
 291
 292         if(myself->options & OPTION_TCPONLY)
 293                 myself->options |= OPTION_INDIRECT;
 294
 295         get_config_bool(lookup_config(config_tree, "TunnelServer"), &tunnelserver);
 296
 297         if(get_config_string(lookup_config(config_tree, "Mode"), &mode)) {
 298                 if(!strcasecmp(mode, "router"))
 299                         routing_mode = RMODE_ROUTER;
 300                 else if(!strcasecmp(mode, "switch"))
 301                         routing_mode = RMODE_SWITCH;
 302                 else if(!strcasecmp(mode, "hub"))
 303                         routing_mode = RMODE_HUB;
 304                 else {
 305                         logger(LOG_ERR, _("Invalid routing mode!"));
 306                         return false;
 307                 }
 308                 free(mode);
 309         } else
 310                 routing_mode = RMODE_ROUTER;
 311
 312         get_config_bool(lookup_config(config_tree, "PriorityInheritance"), &priorityinheritance);
 313
 314 #if !defined(SOL_IP) || !defined(IP_TOS)
 315         if(priorityinheritance)
 316                 logger(LOG_WARNING, _("PriorityInheritance not supported on this platform"));
 317 #endif
 318
 319         if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
 320                 macexpire = 600;
 321
 322         if(get_config_int(lookup_config(config_tree, "MaxTimeout"), &maxtimeout)) {
 323                 if(maxtimeout <= 0) {
 324                         logger(LOG_ERR, _("Bogus maximum timeout!"));
 325                         return false;
 326                 }
 327         } else
 328                 maxtimeout = 900;
 329
 330         if(get_config_string(lookup_config(config_tree, "AddressFamily"), &afname)) {
 331                 if(!strcasecmp(afname, "IPv4"))
 332                         addressfamily = AF_INET;
 333                 else if(!strcasecmp(afname, "IPv6"))
 334                         addressfamily = AF_INET6;
 335                 else if(!strcasecmp(afname, "any"))
 336                         addressfamily = AF_UNSPEC;
 337                 else {
 338                         logger(LOG_ERR, _("Invalid address family!"));
 339                         return false;
 340                 }
 341                 free(afname);
 342         }
 343
 344         get_config_bool(lookup_config(config_tree, "Hostnames"), &hostnames);
 345
 346         /* Generate packet encryption key */
 347
 348         if(get_config_string
 349            (lookup_config(myself->connection->config_tree, "Cipher"), &cipher)) {
 350                 if(!strcasecmp(cipher, "none")) {
 351                         myself->cipher = NULL;
 352                 } else {
 353                         myself->cipher = EVP_get_cipherbyname(cipher);
 354
 355                         if(!myself->cipher) {
 356                                 logger(LOG_ERR, _("Unrecognized cipher type!"));
 357                                 return false;
 358                         }
 359                 }
 360         } else
 361                 myself->cipher = EVP_bf_cbc();
 362
 363         if(myself->cipher)
 364                 myself->keylength = myself->cipher->key_len + myself->cipher->iv_len;
 365         else
 366                 myself->keylength = 1;
 367
 368         myself->connection->outcipher = EVP_bf_ofb();
 369
 370         myself->key = xmalloc(myself->keylength);
 371         RAND_pseudo_bytes((unsigned char *)myself->key, myself->keylength);
 372
 373         if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
 374                 keylifetime = 3600;
 375
 376         keyexpires = now + keylifetime;
 377
 378         if(myself->cipher) {
 379                 EVP_CIPHER_CTX_init(&packet_ctx);
 380                 if(!EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, (unsigned char *)myself->key, (unsigned char *)myself->key + myself->cipher->key_len)) {
 381                         logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"),
 382                                         myself->name, myself->hostname, ERR_error_string(ERR_get_error(), NULL));
 383                         return false;
 384                 }
 385
 386         }
 387
 388         /* Check if we want to use message authentication codes... */
 389
 390         if(get_config_string
 391            (lookup_config(myself->connection->config_tree, "Digest"), &digest)) {
 392                 if(!strcasecmp(digest, "none")) {
 393                         myself->digest = NULL;
 394                 } else {
 395                         myself->digest = EVP_get_digestbyname(digest);
 396
 397                         if(!myself->digest) {
 398                                 logger(LOG_ERR, _("Unrecognized digest type!"));
 399                                 return false;
 400                         }
 401                 }
 402         } else
 403                 myself->digest = EVP_sha1();
 404
 405         myself->connection->outdigest = EVP_sha1();
 406
 407         if(get_config_int(lookup_config(myself->connection->config_tree, "MACLength"),
 408                 &myself->maclength)) {
 409                 if(myself->digest) {
 410                         if(myself->maclength > myself->digest->md_size) {
 411                                 logger(LOG_ERR, _("MAC length exceeds size of digest!"));
 412                                 return false;
 413                         } else if(myself->maclength < 0) {
 414                                 logger(LOG_ERR, _("Bogus MAC length!"));
 415                                 return false;
 416                         }
 417                 }
 418         } else
 419                 myself->maclength = 4;
 420
 421         myself->connection->outmaclength = 0;
 422
 423         /* Compression */
 424
 425         if(get_config_int(lookup_config(myself->connection->config_tree, "Compression"),
 426                 &myself->compression)) {
 427                 if(myself->compression < 0 || myself->compression > 11) {
 428                         logger(LOG_ERR, _("Bogus compression level!"));
 429                         return false;
 430                 }
 431         } else
 432                 myself->compression = 0;
 433
 434         myself->connection->outcompression = 0;
 435
 436         /* Done */
 437
 438         myself->nexthop = myself;
 439         myself->via = myself;
 440         myself->status.active = true;
 441         myself->status.reachable = true;
 442         node_add(myself);
 443
 444         graph();
 445
 446         /* Open device */
 447
 448         if(!setup_device())
 449                 return false;
 450
 451         /* Run tinc-up script to further initialize the tap interface */
 452         asprintf(&envp[0], "NETNAME=%s", netname ? : "");
 453         asprintf(&envp[1], "DEVICE=%s", device ? : "");
 454         asprintf(&envp[2], "INTERFACE=%s", iface ? : "");
 455         asprintf(&envp[3], "NAME=%s", myself->name);
 456         envp[4] = NULL;
 457
 458         execute_script("tinc-up", envp);
 459
 460         for(i = 0; i < 5; i++)
 461                 free(envp[i]);
 462
 463         /* Run subnet-up scripts for our own subnets */
 464
 465         subnet_update(myself, NULL, true);
 466
 467         /* Open sockets */
 468
 469         get_config_string(lookup_config(config_tree, "BindToAddress"), &address);
 470
 471         hint.ai_family = addressfamily;
 472         hint.ai_socktype = SOCK_STREAM;
 473         hint.ai_protocol = IPPROTO_TCP;
 474         hint.ai_flags = AI_PASSIVE;
 475
 476         err = getaddrinfo(address, myport, &hint, &ai);
 477
 478         if(err || !ai) {
 479                 logger(LOG_ERR, _("System call `%s' failed: %s"), "getaddrinfo",
 480                            gai_strerror(err));
 481                 return false;
 482         }
 483
 484         listen_sockets = 0;
 485
 486         for(aip = ai; aip; aip = aip->ai_next) {
 487                 listen_socket[listen_sockets].tcp =
 488                         setup_listen_socket((sockaddr_t *) aip->ai_addr);
 489
 490                 if(listen_socket[listen_sockets].tcp < 0)
 491                         continue;
 492
 493                 listen_socket[listen_sockets].udp =
 494                         setup_vpn_in_socket((sockaddr_t *) aip->ai_addr);
 495
 496                 if(listen_socket[listen_sockets].udp < 0)
 497                         continue;
 498
 499                 ifdebug(CONNECTIONS) {
 500                         hostname = sockaddr2hostname((sockaddr_t *) aip->ai_addr);
 501                         logger(LOG_NOTICE, _("Listening on %s"), hostname);
 502                         free(hostname);
 503                 }
 504
 505                 listen_socket[listen_sockets].sa.sa = *aip->ai_addr;
 506                 listen_sockets++;
 507         }
 508
 509         freeaddrinfo(ai);
 510
 511         if(listen_sockets)
 512                 logger(LOG_NOTICE, _("Ready"));
 513         else {
 514                 logger(LOG_ERR, _("Unable to create any listening socket!"));
 515                 return false;
 516         }
 517
 518         return true;
 519 }
 520
 521 /*
 522   setup all initial network connections
 523 */
 524 bool setup_network_connections(void)
 525 {
 526         cp();
 527
 528         now = time(NULL);
 529
 530         init_connections();
 531         init_subnets();
 532         init_nodes();
 533         init_edges();
 534         init_events();
 535         init_requests();
 536
 537         if(get_config_int(lookup_config(config_tree, "PingInterval"), &pinginterval)) {
 538                 if(pinginterval < 1) {
 539                         pinginterval = 86400;
 540                 }
 541         } else
 542                 pinginterval = 60;
 543
 544         if(!get_config_int(lookup_config(config_tree, "PingTimeout"), &pingtimeout))
 545                 pingtimeout = 5;
 546         if(pingtimeout < 1 || pingtimeout > pinginterval)
 547                 pingtimeout = pinginterval;
 548
 549         if(!get_config_int(lookup_config(config_tree, "MaxOutputBufferSize"), &maxoutbufsize))
 550                 maxoutbufsize = 4 * MTU;
 551
 552         if(!setup_myself())
 553                 return false;
 554
 555         try_outgoing_connections();
 556
 557         return true;
 558 }
 559
 560 /*
 561   close all open network connections
 562 */
 563 void close_network_connections(void)
 564 {
 565         avl_node_t *node, *next;
 566         connection_t *c;
 567         char *envp[5];
 568         int i;
 569
 570         cp();
 571
 572         for(node = connection_tree->head; node; node = next) {
 573                 next = node->next;
 574                 c = node->data;
 575
 576                 if(c->outgoing)
 577                         free(c->outgoing->name), free(c->outgoing), c->outgoing = NULL;
 578                 terminate_connection(c, false);
 579         }
 580
 581         if(myself && myself->connection) {
 582                 subnet_update(myself, NULL, false);
 583                 terminate_connection(myself->connection, false);
 584         }
 585
 586         for(i = 0; i < listen_sockets; i++) {
 587                 close(listen_socket[i].tcp);
 588                 close(listen_socket[i].udp);
 589         }
 590
 591         asprintf(&envp[0], "NETNAME=%s", netname ? : "");
 592         asprintf(&envp[1], "DEVICE=%s", device ? : "");
 593         asprintf(&envp[2], "INTERFACE=%s", iface ? : "");
 594         asprintf(&envp[3], "NAME=%s", myself->name);
 595         envp[4] = NULL;
 596
 597         exit_requests();
 598         exit_events();
 599         exit_edges();
 600         exit_subnets();
 601         exit_nodes();
 602         exit_connections();
 603
 604         execute_script("tinc-down", envp);
 605
 606         for(i = 0; i < 4; i++)
 607                 free(envp[i]);
 608
 609         close_device();
 610
 611         return;
 612 }