X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Ftincctl.c;h=0309cd4884ee3fc80ec93a993f552e536a2a9bbb;hp=6c54eff90ac20fa7953ab9ae002e0910174a78b6;hb=7c223917cb3d478fc3f5b23ee5602925f083e4d4;hpb=513bffe1fee07bcbcb50691e221874adc1507857 diff --git a/src/tincctl.c b/src/tincctl.c index 6c54eff9..0309cd48 100644 --- a/src/tincctl.c +++ b/src/tincctl.c @@ -1,6 +1,6 @@ /* tincctl.c -- Controlling a running tincd - Copyright (C) 2007-2015 Guus Sliepen + Copyright (C) 2007-2017 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -74,6 +74,9 @@ bool netnamegiven = false; char *scriptinterpreter = NULL; char *scriptextension = ""; static char *prompt; +char *device = NULL; +char *iface = NULL; +int debug_level = -1; static struct option const long_options[] = { {"batch", no_argument, NULL, 'b'}, @@ -89,7 +92,7 @@ static struct option const long_options[] = { static void version(void) { printf("%s version %s (built %s %s, protocol %d.%d)\n", PACKAGE, BUILD_VERSION, BUILD_DATE, BUILD_TIME, PROT_MAJOR, PROT_MINOR); - printf("Copyright (C) 1998-2015 Ivo Timmermans, Guus Sliepen and others.\n" + printf("Copyright (C) 1998-2017 Ivo Timmermans, Guus Sliepen and others.\n" "See the AUTHORS file for a complete list.\n\n" "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n" "and you are welcome to redistribute it under certain conditions;\n" @@ -154,6 +157,8 @@ static void usage(bool status) { " join INVITATION Join a VPN using an INVITATION\n" " network [NETNAME] List all known networks, or switch to the one named NETNAME.\n" " fsck Check the configuration files for problems.\n" + " sign [FILE] Generate a signed version of a file.\n" + " verify NODE [FILE] Verify that a file was signed by the given NODE.\n" "\n"); printf("Report bugs to tinc@tinc-vpn.org.\n"); } @@ -328,7 +333,7 @@ static void disable_old_keys(const char *filename, const char *what) { static FILE *ask_and_open(const char *filename, const char *what, const char *mode, bool ask, mode_t perms) { FILE *r; - char *directory; + char directory[PATH_MAX] = "."; char buf[PATH_MAX]; char buf2[PATH_MAX]; @@ -356,7 +361,7 @@ static FILE *ask_and_open(const char *filename, const char *what, const char *mo if(filename[0] != '/') { #endif /* The directory is a relative path or a filename. */ - directory = get_current_dir_name(); + getcwd(directory, sizeof directory); snprintf(buf2, sizeof buf2, "%s" SLASH "%s", directory, filename); filename = buf2; } @@ -444,11 +449,13 @@ static bool rsa_keygen(int bits, bool ask) { // Make sure the key size is a multiple of 8 bits. bits &= ~0x7; - // Force them to be between 1024 and 8192 bits long. - if(bits < 1024) - bits = 1024; - if(bits > 8192) - bits = 8192; + // Make sure that a valid key size is used. + if(bits < 1024 || bits > 8192) { + fprintf(stderr, "Invalid key size %d specified! It should be between 1024 and 8192 bits.\n", bits); + return false; + } else if(bits < 2048) { + fprintf(stderr, "WARNING: generating a weak %d bits RSA key! 2048 or more bits are recommended.\n", bits); + } fprintf(stderr, "Generating %d bits keys:\n", bits); @@ -506,7 +513,7 @@ bool recvline(int fd, char *line, size_t len) { char *newline = NULL; if(!fd) - abort(); + return false; while(!(newline = memchr(buffer, '\n', blen))) { int result = recv(fd, buffer + blen, sizeof buffer - blen, 0); @@ -558,6 +565,7 @@ bool sendline(int fd, char *format, ...) { va_start(ap, format); blen = vsnprintf(buffer, sizeof buffer, format, ap); + buffer[sizeof buffer - 1] = 0; va_end(ap); if(blen < 1 || blen >= sizeof buffer) @@ -718,6 +726,14 @@ bool connect_tincd(bool verbose) { fclose(f); #ifndef HAVE_MINGW + if ((pid == 0) || (kill(pid, 0) && (errno == ESRCH))) { + fprintf(stderr, "Could not find tincd running at pid %d\n", pid); + /* clean up the stale socket and pid file */ + unlink(pidfilename); + unlink(unixsocketname); + return false; + } + struct sockaddr_un sa; sa.sun_family = AF_UNIX; strncpy(sa.sun_path, unixsocketname, sizeof sa.sun_path); @@ -787,7 +803,7 @@ bool connect_tincd(bool verbose) { char data[4096]; int version; - if(!recvline(fd, line, sizeof line) || sscanf(line, "%d %s %d", &code, data, &version) != 3 || code != 0) { + if(!recvline(fd, line, sizeof line) || sscanf(line, "%d %4095s %d", &code, data, &version) != 3 || code != 0) { if(verbose) fprintf(stderr, "Cannot read greeting from control socket: %s\n", sockstrerror(sockerrno)); close(fd); @@ -876,7 +892,7 @@ static int cmd_start(int argc, char *argv[]) { if(!pid) { close(pfd[0]); - char buf[100] = ""; + char buf[100]; snprintf(buf, sizeof buf, "%d", pfd[1]); setenv("TINC_UMBILICAL", buf, true); exit(execvp(c, nargv)); @@ -935,11 +951,11 @@ static int cmd_stop(int argc, char *argv[]) { if(!connect_tincd(true)) { if(pid) { if(kill(pid, SIGTERM)) { - fprintf(stderr, "Could not send TERM signal to process with PID %u: %s\n", pid, strerror(errno)); + fprintf(stderr, "Could not send TERM signal to process with PID %d: %s\n", pid, strerror(errno)); return 1; } - fprintf(stderr, "Sent TERM signal to process with PID %u.\n", pid); + fprintf(stderr, "Sent TERM signal to process with PID %d.\n", pid); waitpid(pid, NULL, 0); return 0; } @@ -1014,7 +1030,6 @@ static int dump_invitations(void) { FILE *f = fopen(fname, "r"); if(!f) { fprintf(stderr, "Cannot open %s: %s\n", fname, strerror(errno)); - fclose(f); continue; } @@ -1103,7 +1118,7 @@ static int cmd_dump(int argc, char *argv[]) { while(recvline(fd, line, sizeof line)) { char node1[4096], node2[4096]; - int n = sscanf(line, "%d %d %s %s", &code, &req, node1, node2); + int n = sscanf(line, "%d %d %4095s %4095s", &code, &req, node1, node2); if(n == 2) { if(do_graph && req == REQ_DUMP_NODES) continue; @@ -1135,7 +1150,7 @@ static int cmd_dump(int argc, char *argv[]) { switch(req) { case REQ_DUMP_NODES: { - int n = sscanf(line, "%*d %*d %s %s %s port %s %d %d %d %d %x %x %s %s %d %hd %hd %hd %ld", node, id, host, port, &cipher, &digest, &maclength, &compression, &options, &status_int, nexthop, via, &distance, &pmtu, &minmtu, &maxmtu, &last_state_change); + int n = sscanf(line, "%*d %*d %4095s %4095s %4095s port %4095s %d %d %d %d %x %x %4095s %4095s %d %hd %hd %hd %ld", node, id, host, port, &cipher, &digest, &maclength, &compression, &options, &status_int, nexthop, via, &distance, &pmtu, &minmtu, &maxmtu, &last_state_change); if(n != 17) { fprintf(stderr, "Unable to parse node dump from tincd: %s\n", line); return 1; @@ -1165,7 +1180,7 @@ static int cmd_dump(int argc, char *argv[]) { } break; case REQ_DUMP_EDGES: { - int n = sscanf(line, "%*d %*d %s %s %s port %s %s port %s %x %d", from, to, host, port, local_host, local_port, &options, &weight); + int n = sscanf(line, "%*d %*d %4095s %4095s %4095s port %4095s %4095s port %4095s %x %d", from, to, host, port, local_host, local_port, &options, &weight); if(n != 8) { fprintf(stderr, "Unable to parse edge dump from tincd.\n"); return 1; @@ -1183,7 +1198,7 @@ static int cmd_dump(int argc, char *argv[]) { } break; case REQ_DUMP_SUBNETS: { - int n = sscanf(line, "%*d %*d %s %s", subnet, node); + int n = sscanf(line, "%*d %*d %4095s %4095s", subnet, node); if(n != 2) { fprintf(stderr, "Unable to parse subnet dump from tincd.\n"); return 1; @@ -1192,7 +1207,7 @@ static int cmd_dump(int argc, char *argv[]) { } break; case REQ_DUMP_CONNECTIONS: { - int n = sscanf(line, "%*d %*d %s %s port %s %x %d %x", node, host, port, &options, &socket, &status_int); + int n = sscanf(line, "%*d %*d %4095s %4095s port %4095s %x %d %x", node, host, port, &options, &socket, &status_int); if(n != 6) { fprintf(stderr, "Unable to parse connection dump from tincd.\n"); return 1; @@ -1382,7 +1397,7 @@ static int cmd_pid(int argc, char *argv[]) { return 1; } - if(!connect_tincd(true) && !pid) + if(!connect_tincd(true) || !pid) return 1; printf("%d\n", pid); @@ -1431,6 +1446,29 @@ char *get_my_name(bool verbose) { return NULL; } +ecdsa_t *get_pubkey(FILE *f) { + char buf[4096]; + char *value; + while(fgets(buf, sizeof buf, f)) { + int len = strcspn(buf, "\t ="); + value = buf + len; + value += strspn(value, "\t "); + if(*value == '=') { + value++; + value += strspn(value, "\t "); + } + if(!rstrip(value)) + continue; + buf[len] = 0; + if(strcasecmp(buf, "Ed25519PublicKey")) + continue; + if(*value) + return ecdsa_set_base64_public_key(value); + } + + return NULL; +} + const var_t variables[] = { /* Server configuration */ {"AddressFamily", VAR_SERVER}, @@ -1452,9 +1490,11 @@ const var_t variables[] = { {"Hostnames", VAR_SERVER}, {"IffOneQueue", VAR_SERVER}, {"Interface", VAR_SERVER}, + {"InvitationExpire", VAR_SERVER}, {"KeyExpire", VAR_SERVER}, {"ListenAddress", VAR_SERVER | VAR_MULTIPLE}, {"LocalDiscovery", VAR_SERVER}, + {"LogLevel", VAR_SERVER}, {"MACExpire", VAR_SERVER}, {"MaxConnectionBurst", VAR_SERVER}, {"MaxOutputBufferSize", VAR_SERVER}, @@ -2194,7 +2234,7 @@ static int cmd_import(int argc, char *argv[]) { bool firstline = true; while(fgets(buf, sizeof buf, in)) { - if(sscanf(buf, "Name = %s", name) == 1) { + if(sscanf(buf, "Name = %4095s", name) == 1) { firstline = false; if(!check_id(name)) { @@ -2259,26 +2299,29 @@ static int cmd_exchange_all(int argc, char *argv[]) { } static int switch_network(char *name) { + if(strcmp(name, ".")) { + if(!check_netname(name, false)) { + fprintf(stderr, "Invalid character in netname!\n"); + return 1; + } + + if(!check_netname(name, true)) + fprintf(stderr, "Warning: unsafe character in netname!\n"); + } + if(fd >= 0) { close(fd); fd = -1; } - free(confbase); - confbase = NULL; - free(pidfilename); - pidfilename = NULL; - free(logfilename); - logfilename = NULL; - free(unixsocketname); - unixsocketname = NULL; + free_names(); + netname = strcmp(name, ".") ? xstrdup(name) : NULL; + make_names(false); + free(tinc_conf); free(hosts_dir); free(prompt); - free(netname); - netname = strcmp(name, ".") ? xstrdup(name) : NULL; - xasprintf(&tinc_conf, "%s" SLASH "tinc.conf", confbase); xasprintf(&hosts_dir, "%s" SLASH "hosts", confbase); xasprintf(&prompt, "%s> ", identname); @@ -2331,6 +2374,234 @@ static int cmd_fsck(int argc, char *argv[]) { return fsck(orig_argv[0]); } +static void *readfile(FILE *in, size_t *len) { + size_t count = 0; + size_t alloced = 4096; + char *buf = xmalloc(alloced); + + while(!feof(in)) { + size_t read = fread(buf + count, 1, alloced - count, in); + if(!read) + break; + count += read; + if(count >= alloced) { + alloced *= 2; + buf = xrealloc(buf, alloced); + } + } + + if(len) + *len = count; + + return buf; +} + +static int cmd_sign(int argc, char *argv[]) { + if(argc > 2) { + fprintf(stderr, "Too many arguments!\n"); + return 1; + } + + if(!name) { + name = get_my_name(true); + if(!name) + return 1; + } + + char fname[PATH_MAX]; + snprintf(fname, sizeof fname, "%s" SLASH "ed25519_key.priv", confbase); + FILE *fp = fopen(fname, "r"); + if(!fp) { + fprintf(stderr, "Could not open %s: %s\n", fname, strerror(errno)); + return 1; + } + + ecdsa_t *key = ecdsa_read_pem_private_key(fp); + + if(!key) { + fprintf(stderr, "Could not read private key from %s\n", fname); + fclose(fp); + return 1; + } + + fclose(fp); + + FILE *in; + + if(argc == 2) { + in = fopen(argv[1], "rb"); + if(!in) { + fprintf(stderr, "Could not open %s: %s\n", argv[1], strerror(errno)); + ecdsa_free(key); + return 1; + } + } else { + in = stdin; + } + + size_t len; + char *data = readfile(in, &len); + if(in != stdin) + fclose(in); + if(!data) { + fprintf(stderr, "Error reading %s: %s\n", argv[1], strerror(errno)); + ecdsa_free(key); + return 1; + } + + // Ensure we sign our name and current time as well + long t = time(NULL); + char *trailer; + xasprintf(&trailer, " %s %ld", name, t); + int trailer_len = strlen(trailer); + + data = xrealloc(data, len + trailer_len); + memcpy(data + len, trailer, trailer_len); + free(trailer); + + char sig[87]; + if(!ecdsa_sign(key, data, len + trailer_len, sig)) { + fprintf(stderr, "Error generating signature\n"); + free(data); + ecdsa_free(key); + return 1; + } + b64encode(sig, sig, 64); + ecdsa_free(key); + + fprintf(stdout, "Signature = %s %ld %s\n", name, t, sig); + fwrite(data, len, 1, stdout); + + free(data); + return 0; +} + +static int cmd_verify(int argc, char *argv[]) { + if(argc < 2) { + fprintf(stderr, "Not enough arguments!\n"); + return 1; + } + + if(argc > 3) { + fprintf(stderr, "Too many arguments!\n"); + return 1; + } + + char *node = argv[1]; + if(!strcmp(node, ".")) { + if(!name) { + name = get_my_name(true); + if(!name) + return 1; + } + node = name; + } else if(!strcmp(node, "*")) { + node = NULL; + } else { + if(!check_id(node)) { + fprintf(stderr, "Invalid node name\n"); + return 1; + } + } + + FILE *in; + + if(argc == 3) { + in = fopen(argv[2], "rb"); + if(!in) { + fprintf(stderr, "Could not open %s: %s\n", argv[2], strerror(errno)); + return 1; + } + } else { + in = stdin; + } + + size_t len; + char *data = readfile(in, &len); + if(in != stdin) + fclose(in); + if(!data) { + fprintf(stderr, "Error reading %s: %s\n", argv[1], strerror(errno)); + return 1; + } + + char *newline = memchr(data, '\n', len); + if(!newline || (newline - data > MAX_STRING_SIZE - 1)) { + fprintf(stderr, "Invalid input\n"); + free(data); + return 1; + } + + *newline++ = '\0'; + size_t skip = newline - data; + + char signer[MAX_STRING_SIZE] = ""; + char sig[MAX_STRING_SIZE] = ""; + long t = 0; + + if(sscanf(data, "Signature = %s %ld %s", signer, &t, sig) != 3 || strlen(sig) != 86 || !t || !check_id(signer)) { + fprintf(stderr, "Invalid input\n"); + free(data); + return 1; + } + + if(node && strcmp(node, signer)) { + fprintf(stderr, "Signature is not made by %s\n", node); + free(data); + return 1; + } + + if(!node) + node = signer; + + char *trailer; + xasprintf(&trailer, " %s %ld", signer, t); + int trailer_len = strlen(trailer); + + data = xrealloc(data, len + trailer_len); + memcpy(data + len, trailer, trailer_len); + free(trailer); + + newline = data + skip; + + char fname[PATH_MAX]; + snprintf(fname, sizeof fname, "%s" SLASH "hosts" SLASH "%s", confbase, node); + FILE *fp = fopen(fname, "r"); + if(!fp) { + fprintf(stderr, "Could not open %s: %s\n", fname, strerror(errno)); + free(data); + return 1; + } + + ecdsa_t *key = get_pubkey(fp); + if(!key) { + rewind(fp); + key = ecdsa_read_pem_public_key(fp); + } + if(!key) { + fprintf(stderr, "Could not read public key from %s\n", fname); + fclose(fp); + free(data); + return 1; + } + + fclose(fp); + + if(b64decode(sig, sig, 86) != 64 || !ecdsa_verify(key, newline, len + trailer_len - (newline - data), sig)) { + fprintf(stderr, "Invalid signature\n"); + free(data); + ecdsa_free(key); + return 1; + } + + ecdsa_free(key); + + fwrite(newline, len - (newline - data), 1, stdout); + + free(data); + return 0; +} + static const struct { const char *command; int (*function)(int argc, char *argv[]); @@ -2375,6 +2646,8 @@ static const struct { {"join", cmd_join}, {"network", cmd_network}, {"fsck", cmd_fsck}, + {"sign", cmd_sign}, + {"verify", cmd_verify}, {NULL, NULL}, }; @@ -2453,7 +2726,7 @@ static char *complete_info(const char *text, int state) { while(recvline(fd, line, sizeof line)) { char item[4096]; - int n = sscanf(line, "%d %d %s", &code, &req, item); + int n = sscanf(line, "%d %d %4095s", &code, &req, item); if(n == 2) { i++; if(i >= 2) @@ -2554,8 +2827,6 @@ static int cmd_shell(int argc, char *argv[]) { while(p && *p) { if(nargc >= maxargs) { - fprintf(stderr, "next %p '%s', p %p '%s'\n", next, next, p, p); - abort(); maxargs *= 2; nargv = xrealloc(nargv, maxargs * sizeof *nargv); } @@ -2568,8 +2839,10 @@ static int cmd_shell(int argc, char *argv[]) { if(nargc == argc) continue; - if(!strcasecmp(nargv[argc], "exit") || !strcasecmp(nargv[argc], "quit")) + if(!strcasecmp(nargv[argc], "exit") || !strcasecmp(nargv[argc], "quit")) { + free(nargv); return result; + } bool found = false;