#include "system.h"
#include <sys/un.h>
-#include <openssl/rand.h>
-#include <openssl/rsa.h>
-#include <openssl/pem.h>
-#include <openssl/evp.h>
-#include <openssl/engine.h>
-
#include <getopt.h>
#include "xalloc.h"
#include "protocol.h"
#include "control_common.h"
+#include "rsagen.h"
/* The name this program was run with. */
char *program_name = NULL;
" subnets - all known subnets in the VPN\n"
" connections - all meta connections with ourself\n"
" graph - graph of the VPN in dotty format\n"
+ " purge Purge unreachable nodes\n"
+ " debug N Set debug level\n"
+ " retry Retry all outgoing connections\n"
+ " reload Partial reload of configuration\n"
"\n"));
printf(_("Report bugs to tinc@tinc-vpn.org.\n"));
}
return r;
}
-/* This function prettyprints the key generation process */
-
-static void indicator(int a, int b, void *p) {
- switch (a) {
- case 0:
- fprintf(stderr, ".");
- break;
-
- case 1:
- fprintf(stderr, "+");
- break;
-
- case 2:
- fprintf(stderr, "-");
- break;
-
- case 3:
- switch (b) {
- case 0:
- fprintf(stderr, " p\n");
- break;
-
- case 1:
- fprintf(stderr, " q\n");
- break;
-
- default:
- fprintf(stderr, "?");
- }
- break;
-
- default:
- fprintf(stderr, "?");
- }
-}
-
/*
Generate a public/private RSA keypair, and ask for a file to store
them in.
*/
static bool keygen(int bits) {
- RSA *rsa_key;
+ rsa_t key;
FILE *f;
char *name = NULL;
char *filename;
fprintf(stderr, _("Generating %d bits keys:\n"), bits);
- rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
- if(!rsa_key) {
+ if(!rsa_generate(&key, bits, 0x10001)) {
fprintf(stderr, _("Error during key generation!\n"));
return false;
} else
if(ftell(f))
fprintf(stderr, _("Appending key to existing contents.\nMake sure only one key is stored in the file.\n"));
- PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL);
+ rsa_write_pem_private_key(&key, f);
+
fclose(f);
free(filename);
if(ftell(f))
fprintf(stderr, _("Appending key to existing contents.\nMake sure only one key is stored in the file.\n"));
- PEM_write_RSAPublicKey(f, rsa_key);
+ rsa_write_pem_public_key(&key, f);
+
fclose(f);
free(filename);
#ifdef HAVE_MINGW
HKEY key;
char installdir[1024] = "";
- long len = sizeof(installdir);
+ long len = sizeof installdir;
#endif
if(netname)
#endif
if(!controlsocketname)
- asprintf(&controlsocketname, LOCALSTATEDIR "/run/%s.control", identname);
+ asprintf(&controlsocketname, "%s/run/%s.control/socket", LOCALSTATEDIR, identname);
if(netname) {
if(!confbase)
static int fullread(int fd, void *data, size_t datalen) {
int rv, len = 0;
- while (len < datalen) {
+ while(len < datalen) {
rv = read(fd, data + len, datalen - len);
if(rv == -1 && errno == EINTR)
continue;
- else if (rv == -1)
+ else if(rv == -1)
return rv;
- else if (rv == 0) {
+ else if(rv == 0) {
errno = ENODATA;
return -1;
}
tinc_ctl_request_t req;
int rv;
struct iovec vector[2] = {
- {&req, sizeof(req)},
+ {&req, sizeof req},
{(void*) outdata, outdatalen}
};
void *indata;
}
if(req.length > sizeof req) {
- if (indata_p == NULL) {
+ if(indata_p == NULL) {
errno = EINVAL;
return -1;
}
}
if(buf != NULL) {
- printf("%*s", buflen, buf);
+ printf("%*s", (int)buflen, buf);
free(buf);
}
int main(int argc, char *argv[], char *envp[]) {
struct sockaddr_un addr;
- int fd;
- int len;
tinc_ctl_greeting_t greeting;
- tinc_ctl_request_t req;
+ int fd;
+ int result;
program_name = argv[0];
if(!strcasecmp(argv[optind], "start")) {
argv[optind] = NULL;
- execve("tincd", argv, envp);
+ execve(SBINDIR "/tincd", argv, envp);
fprintf(stderr, _("Could not start tincd: %s"), strerror(errno));
return 1;
}
- // Now handle commands that do involve connecting to a running tinc daemon.
+ /*
+ * Now handle commands that do involve connecting to a running tinc daemon.
+ * Authenticate the server by ensuring the parent directory can be
+ * traversed only by root. Note this is not totally race-free unless all
+ * ancestors are writable only by trusted users, which we don't verify.
+ */
+
+ struct stat statbuf;
+ char *lastslash = strrchr(controlsocketname, '/');
+ if(lastslash != NULL) {
+ /* control socket is not in cwd; stat its parent */
+ *lastslash = 0;
+ result = stat(controlsocketname, &statbuf);
+ *lastslash = '/';
+ } else
+ result = stat(".", &statbuf);
+
+ if(result < 0) {
+ fprintf(stderr, _("Unable to check control socket directory permissions: %s\n"), strerror(errno));
+ return 1;
+ }
+
+ if(statbuf.st_uid != 0 || (statbuf.st_mode & S_IXOTH) != 0 || (statbuf.st_gid != 0 && (statbuf.st_mode & S_IXGRP)) != 0) {
+ fprintf(stderr, _("Insecure permissions on control socket directory\n"));
+ return 1;
+ }
if(strlen(controlsocketname) >= sizeof addr.sun_path) {
fprintf(stderr, _("Control socket filename too long!\n"));
return 1;
}
- struct ucred cred;
- socklen_t credlen = sizeof cred;
-
- if(getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &credlen) < 0) {
- fprintf(stderr, _("Could not obtain PID: %s\n"), strerror(errno));
- return 1;
- }
-
if(!strcasecmp(argv[optind], "pid")) {
- printf("%d\n", cred.pid);
+ printf("%d\n", greeting.pid);
return 0;
}
}
if(!strcasecmp(argv[optind], "dump")) {
- if (argc < optind + 2) {
+ if(argc < optind + 2) {
fprintf(stderr, _("Not enough arguments.\n"));
usage(true);
return 1;
return 1;
}
+ if(!strcasecmp(argv[optind], "purge")) {
+ return send_ctl_request_cooked(fd, REQ_PURGE, NULL, 0) != -1;
+ }
+
+ if(!strcasecmp(argv[optind], "debug")) {
+ int debuglevel;
+
+ if(argc != optind + 2) {
+ fprintf(stderr, "Invalid arguments.\n");
+ return 1;
+ }
+ debuglevel = atoi(argv[optind+1]);
+ return send_ctl_request_cooked(fd, REQ_SET_DEBUG, &debuglevel,
+ sizeof debuglevel) != -1;
+ }
+
+ if(!strcasecmp(argv[optind], "retry")) {
+ return send_ctl_request_cooked(fd, REQ_RETRY, NULL, 0) != -1;
+ }
+
+ if(!strcasecmp(argv[optind], "reload")) {
+ return send_ctl_request_cooked(fd, REQ_RELOAD, NULL, 0) != -1;
+ }
+
fprintf(stderr, _("Unknown command `%s'.\n"), argv[optind]);
usage(true);
projects / tinc / blobdiff