首页 发现 帮助
登录
OWEALs
/
tinc
镜像自地址 https://tinc-vpn.org/git/tinc
2
0
派生 0
文件 工单管理 0 Wiki
目录树: 110ca1958a
分支列表 标签列表
tinc
/
src
/
net_setup.c

net_setup.c 23 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950 
  1. /*
    2. 

  2.     net_setup.c -- Setup.
    3. 

  3.     Copyright (C) 1998-2005 Ivo Timmermans,
    4. 

  4.                   2000-2014 Guus Sliepen <guus@tinc-vpn.org>
    5. 

  5.                   2006      Scott Lamb <slamb@slamb.org>
    6. 

  6.                   2010      Brandon Black <blblack@gmail.com>
    7. 

  7. 

  8.     This program is free software; you can redistribute it and/or modify
    9. 

  9.     it under the terms of the GNU General Public License as published by
    10. 

  10.     the Free Software Foundation; either version 2 of the License, or
    11. 

  11.     (at your option) any later version.
    12. 

  12. 

  13.     This program is distributed in the hope that it will be useful,
    14. 

  14.     but WITHOUT ANY WARRANTY; without even the implied warranty of
    15. 

  15.     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    16. 

  16.     GNU General Public License for more details.
    17. 

  17. 

  18.     You should have received a copy of the GNU General Public License along
    19. 

  19.     with this program; if not, write to the Free Software Foundation, Inc.,
    20. 

  20.     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
    21. 

  21. */
    22. 

  22. 

  23. #include "system.h"
    24. 

  24. 

  25. #include <openssl/pem.h>
    26. 

  26. #include <openssl/rsa.h>
    27. 

  27. #include <openssl/rand.h>
    28. 

  28. #include <openssl/err.h>
    29. 

  29. #include <openssl/evp.h>
    30. 

  30. 

  31. #include "avl_tree.h"
    32. 

  32. #include "conf.h"
    33. 

  33. #include "connection.h"
    34. 

  34. #include "device.h"
    35. 

  35. #include "event.h"
    36. 

  36. #include "graph.h"
    37. 

  37. #include "logger.h"
    38. 

  38. #include "net.h"
    39. 

  39. #include "netutl.h"
    40. 

  40. #include "process.h"
    41. 

  41. #include "protocol.h"
    42. 

  42. #include "route.h"
    43. 

  43. #include "subnet.h"
    44. 

  44. #include "utils.h"
    45. 

  45. #include "xalloc.h"
    46. 

  46. 

  47. char *myport;
    48. 

  48. devops_t devops;
    49. 

  49. 

  50. char *proxyhost;
    51. 

  51. char *proxyport;
    52. 

  52. char *proxyuser;
    53. 

  53. char *proxypass;
    54. 

  54. proxytype_t proxytype;
    55. 

  55. 

  56. bool read_rsa_public_key(connection_t *c) {
    57. 

  57. 	FILE *fp;
    58. 

  58. 	char *pubname;
    59. 

  59. 	char *hcfname;
    60. 

  60. 	char *key;
    61. 

  61. 

  62. 	if(!c->rsa_key) {
    63. 

  63. 		c->rsa_key = RSA_new();
    64. 

  64. //		RSA_blinding_on(c->rsa_key, NULL);
    65. 

  65. 	}
    66. 

  66. 

  67. 	/* First, check for simple PublicKey statement */
    68. 

  68. 

  69. 	if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
    70. 

  70. 		if(BN_hex2bn(&c->rsa_key->n, key) != strlen(key)) {
    71. 

  71. 			logger(LOG_ERR, "Invalid PublicKey for %s!", c->name);
    72. 

  72. 			return false;
    73. 

  73. 		}
    74. 

  74. 		BN_hex2bn(&c->rsa_key->e, "FFFF");
    75. 

  75. 		free(key);
    76. 

  76. 		return true;
    77. 

  77. 	}
    78. 

  78. 

  79. 	/* Else, check for PublicKeyFile statement and read it */
    80. 

  80. 

  81. 	if(get_config_string(lookup_config(c->config_tree, "PublicKeyFile"), &pubname)) {
    82. 

  82. 		fp = fopen(pubname, "r");
    83. 

  83. 

  84. 		if(!fp) {
    85. 

  85. 			logger(LOG_ERR, "Error reading RSA public key file `%s': %s", pubname, strerror(errno));
    86. 

  86. 			free(pubname);
    87. 

  87. 			return false;
    88. 

  88. 		}
    89. 

  89. 

  90. 		c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
    91. 

  91. 		fclose(fp);
    92. 

  92. 

  93. 		if(c->rsa_key) {
    94. 

  94. 			free(pubname);
    95. 

  95. 			return true;		/* Woohoo. */
    96. 

  96. 		}
    97. 

  97. 

  98. 		/* If it fails, try PEM_read_RSA_PUBKEY. */
    99. 

  99. 		fp = fopen(pubname, "r");
    100. 

  100. 

  101. 		if(!fp) {
    102. 

  102. 			logger(LOG_ERR, "Error reading RSA public key file `%s': %s", pubname, strerror(errno));
    103. 

  103. 			free(pubname);
    104. 

  104. 			return false;
    105. 

  105. 		}
    106. 

  106. 

  107. 		c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
    108. 

  108. 		fclose(fp);
    109. 

  109. 

  110. 		if(c->rsa_key) {
    111. 

  111. //				RSA_blinding_on(c->rsa_key, NULL);
    112. 

  112. 			free(pubname);
    113. 

  113. 			return true;
    114. 

  114. 		}
    115. 

  115. 

  116. 		logger(LOG_ERR, "Reading RSA public key file `%s' failed: %s", pubname, strerror(errno));
    117. 

  117. 		free(pubname);
    118. 

  118. 		return false;
    119. 

  119. 	}
    120. 

  120. 

  121. 	/* Else, check if a harnessed public key is in the config file */
    122. 

  122. 

  123. 	xasprintf(&hcfname, "%s/hosts/%s", confbase, c->name);
    124. 

  124. 	fp = fopen(hcfname, "r");
    125. 

  125. 

  126. 	if(!fp) {
    127. 

  127. 		logger(LOG_ERR, "Error reading RSA public key file `%s': %s", hcfname, strerror(errno));
    128. 

  128. 		free(hcfname);
    129. 

  129. 		return false;
    130. 

  130. 	}
    131. 

  131. 

  132. 	c->rsa_key = PEM_read_RSAPublicKey(fp, &c->rsa_key, NULL, NULL);
    133. 

  133. 	fclose(fp);
    134. 

  134. 

  135. 	if(c->rsa_key) {
    136. 

  136. 		free(hcfname);
    137. 

  137. 		return true;
    138. 

  138. 	}
    139. 

  139. 

  140. 	/* Try again with PEM_read_RSA_PUBKEY. */
    141. 

  141. 

  142. 	fp = fopen(hcfname, "r");
    143. 

  143. 

  144. 	if(!fp) {
    145. 

  145. 		logger(LOG_ERR, "Error reading RSA public key file `%s': %s", hcfname, strerror(errno));
    146. 

  146. 		free(hcfname);
    147. 

  147. 		return false;
    148. 

  148. 	}
    149. 

  149. 

  150. 	free(hcfname);
    151. 

  151. 	c->rsa_key = PEM_read_RSA_PUBKEY(fp, &c->rsa_key, NULL, NULL);
    152. 

  152. //	RSA_blinding_on(c->rsa_key, NULL);
    153. 

  153. 	fclose(fp);
    154. 

  154. 

  155. 	if(c->rsa_key)
    156. 

  156. 		return true;
    157. 

  157. 

  158. 	logger(LOG_ERR, "No public key for %s specified!", c->name);
    159. 

  159. 

  160. 	return false;
    161. 

  161. }
    162. 

  162. 

  163. static bool read_rsa_private_key(void) {
    164. 

  164. 	FILE *fp;
    165. 

  165. 	char *fname, *key, *pubkey;
    166. 

  166. 

  167. 	if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
    168. 

  168. 		myself->connection->rsa_key = RSA_new();
    169. 

  169. //		RSA_blinding_on(myself->connection->rsa_key, NULL);
    170. 

  170. 		if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) {
    171. 

  171. 			logger(LOG_ERR, "Invalid PrivateKey for myself!");
    172. 

  172. 			free(key);
    173. 

  173. 			return false;
    174. 

  174. 		}
    175. 

  175. 		free(key);
    176. 

  176. 		if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
    177. 

  177. 			logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
    178. 

  178. 			return false;
    179. 

  179. 		}
    180. 

  180. 		if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) {
    181. 

  181. 			logger(LOG_ERR, "Invalid PublicKey for myself!");
    182. 

  182. 			free(pubkey);
    183. 

  183. 			return false;
    184. 

  184. 		}
    185. 

  185. 		free(pubkey);
    186. 

  186. 		BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
    187. 

  187. 		return true;
    188. 

  188. 	}
    189. 

  189. 

  190. 	if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
    191. 

  191. 		xasprintf(&fname, "%s/rsa_key.priv", confbase);
    192. 

  192. 

  193. 	fp = fopen(fname, "r");
    194. 

  194. 

  195. 	if(!fp) {
    196. 

  196. 		logger(LOG_ERR, "Error reading RSA private key file `%s': %s",
    197. 

  197. 			   fname, strerror(errno));
    198. 

  198. 		free(fname);
    199. 

  199. 		return false;
    200. 

  200. 	}
    201. 

  201. 

  202. #if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
    203. 

  203. 	struct stat s;
    204. 

  204. 

  205. 	if(!fstat(fileno(fp), &s)) {
    206. 

  206. 		if(s.st_mode & ~0100700)
    207. 

  207. 			logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
    208. 

  208. 	} else {
    209. 

  209. 		logger(LOG_WARNING, "Could not stat RSA private key file `%s': %s'", fname, strerror(errno));
    210. 

  210. 	}
    211. 

  211. #endif
    212. 

  212. 

  213. 	myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
    214. 

  214. 	fclose(fp);
    215. 

  215. 

  216. 	if(!myself->connection->rsa_key) {
    217. 

  217. 		logger(LOG_ERR, "Reading RSA private key file `%s' failed: %s",
    218. 

  218. 			   fname, strerror(errno));
    219. 

  219. 		free(fname);
    220. 

  220. 		return false;
    221. 

  221. 	}
    222. 

  222. 

  223. 	free(fname);
    224. 

  224. 	return true;
    225. 

  225. }
    226. 

  226. 

  227. /*
    228. 

  228.   Read Subnets from all host config files
    229. 

  229. */
    230. 

  230. void load_all_subnets(void) {
    231. 

  231. 	DIR *dir;
    232. 

  232. 	struct dirent *ent;
    233. 

  233. 	char *dname;
    234. 

  234. 	char *fname;
    235. 

  235. 	avl_tree_t *config_tree;
    236. 

  236. 	config_t *cfg;
    237. 

  237. 	subnet_t *s, *s2;
    238. 

  238. 	node_t *n;
    239. 

  239. 

  240. 	xasprintf(&dname, "%s/hosts", confbase);
    241. 

  241. 	dir = opendir(dname);
    242. 

  242. 	if(!dir) {
    243. 

  243. 		logger(LOG_ERR, "Could not open %s: %s", dname, strerror(errno));
    244. 

  244. 		free(dname);
    245. 

  245. 		return;
    246. 

  246. 	}
    247. 

  247. 

  248. 	while((ent = readdir(dir))) {
    249. 

  249. 		if(!check_id(ent->d_name))
    250. 

  250. 			continue;
    251. 

  251. 

  252. 		n = lookup_node(ent->d_name);
    253. 

  253. 		#ifdef _DIRENT_HAVE_D_TYPE
    254. 

  254. 		//if(ent->d_type != DT_REG)
    255. 

  255. 		//	continue;
    256. 

  256. 		#endif
    257. 

  257. 

  258. 		xasprintf(&fname, "%s/hosts/%s", confbase, ent->d_name);
    259. 

  259. 		init_configuration(&config_tree);
    260. 

  260. 		read_config_options(config_tree, ent->d_name);
    261. 

  261. 		read_config_file(config_tree, fname);
    262. 

  262. 		free(fname);
    263. 

  263. 

  264. 		if(!n) {
    265. 

  265. 			n = new_node();
    266. 

  266. 			n->name = xstrdup(ent->d_name);
    267. 

  267. 			node_add(n);
    268. 

  268. 		}
    269. 

  269. 

  270. 		for(cfg = lookup_config(config_tree, "Subnet"); cfg; cfg = lookup_config_next(config_tree, cfg)) {
    271. 

  271. 			if(!get_config_subnet(cfg, &s))
    272. 

  272. 				continue;
    273. 

  273. 

  274. 			if((s2 = lookup_subnet(n, s))) {
    275. 

  275. 				s2->expires = -1;
    276. 

  276. 			} else {
    277. 

  277. 				subnet_add(n, s);
    278. 

  278. 			}
    279. 

  279. 		}
    280. 

  280. 

  281. 		exit_configuration(&config_tree);
    282. 

  282. 	}
    283. 

  283. 

  284. 	closedir(dir);
    285. 

  285. }
    286. 

  286. 

  287. char *get_name(void) {
    288. 

  288. 	char *name = NULL;
    289. 

  289. 

  290. 	get_config_string(lookup_config(config_tree, "Name"), &name);
    291. 

  291. 

  292. 	if(!name)
    293. 

  293. 		return NULL;
    294. 

  294. 

  295. 	if(*name == '$') {
    296. 

  296. 		char *envname = getenv(name + 1);
    297. 

  297. 		char hostname[32] = "";
    298. 

  298. 		if(!envname) {
    299. 

  299. 			if(strcmp(name + 1, "HOST")) {
    300. 

  300. 				fprintf(stderr, "Invalid Name: environment variable %s does not exist\n", name + 1);
    301. 

  301. 				free(name);
    302. 

  302. 				return false;
    303. 

  303. 			}
    304. 

  304. 			if(gethostname(hostname, sizeof hostname) || !*hostname) {
    305. 

  305. 				fprintf(stderr, "Could not get hostname: %s\n", strerror(errno));
    306. 

  306. 				free(name);
    307. 

  307. 				return false;
    308. 

  308. 			}
    309. 

  309. 			hostname[31] = 0;
    310. 

  310. 			envname = hostname;
    311. 

  311. 		}
    312. 

  312. 		free(name);
    313. 

  313. 		name = xstrdup(envname);
    314. 

  314. 		for(char *c = name; *c; c++)
    315. 

  315. 			if(!isalnum(*c))
    316. 

  316. 				*c = '_';
    317. 

  317. 	}
    318. 

  318. 

  319. 	if(!check_id(name)) {
    320. 

  320. 		logger(LOG_ERR, "Invalid name for myself!");
    321. 

  321. 		free(name);
    322. 

  322. 		return false;
    323. 

  323. 	}
    324. 

  324. 

  325. 	return name;
    326. 

  326. }
    327. 

  327. 

  328. /*
    329. 

  329.   Configure node_t myself and set up the local sockets (listen only)
    330. 

  330. */
    331. 

  331. static bool setup_myself(void) {
    332. 

  332. 	config_t *cfg;
    333. 

  333. 	subnet_t *subnet;
    334. 

  334. 	char *name, *hostname, *mode, *afname, *cipher, *digest, *type;
    335. 

  335. 	char *fname = NULL;
    336. 

  336. 	char *address = NULL;
    337. 

  337. 	char *proxy = NULL;
    338. 

  338. 	char *space;
    339. 

  339. 	char *envp[5] = {NULL};
    340. 

  340. 	struct addrinfo *ai, *aip, hint = {0};
    341. 

  341. 	bool choice;
    342. 

  342. 	int i, err;
    343. 

  343. 	int replaywin_int;
    344. 

  344. 	bool port_specified = false;
    345. 

  345. 

  346. 	myself = new_node();
    347. 

  347. 	myself->connection = new_connection();
    348. 

  348. 

  349. 	myself->hostname = xstrdup("MYSELF");
    350. 

  350. 	myself->connection->hostname = xstrdup("MYSELF");
    351. 

  351. 

  352. 	myself->connection->options = 0;
    353. 

  353. 	myself->connection->protocol_version = PROT_CURRENT;
    354. 

  354. 

  355. 	if(!(name = get_name())) {
    356. 

  356. 		logger(LOG_ERR, "Name for tinc daemon required!");
    357. 

  357. 		return false;
    358. 

  358. 	}
    359. 

  359. 

  360. 	/* Read tinc.conf and our own host config file */
    361. 

  361. 

  362. 	myself->name = name;
    363. 

  363. 	myself->connection->name = xstrdup(name);
    364. 

  364. 	xasprintf(&fname, "%s/hosts/%s", confbase, name);
    365. 

  365. 	read_config_options(config_tree, name);
    366. 

  366. 	read_config_file(config_tree, fname);
    367. 

  367. 	free(fname);
    368. 

  368. 

  369. 	if(!read_rsa_private_key())
    370. 

  370. 		return false;
    371. 

  371. 

  372. 	if(!get_config_string(lookup_config(config_tree, "Port"), &myport))
    373. 

  373. 		myport = xstrdup("655");
    374. 

  374. 	else
    375. 

  375. 		port_specified = true;
    376. 

  376. 

  377. 	/* Ensure myport is numeric */
    378. 

  378. 

  379. 	if(!atoi(myport)) {
    380. 

  380. 		struct addrinfo *ai = str2addrinfo("localhost", myport, SOCK_DGRAM);
    381. 

  381. 		sockaddr_t sa;
    382. 

  382. 		if(!ai || !ai->ai_addr)
    383. 

  383. 			return false;
    384. 

  384. 		free(myport);
    385. 

  385. 		memcpy(&sa, ai->ai_addr, ai->ai_addrlen);
    386. 

  386. 		sockaddr2str(&sa, NULL, &myport);
    387. 

  387. 	}
    388. 

  388. 

  389. 	if(get_config_string(lookup_config(config_tree, "Proxy"), &proxy)) {
    390. 

  390. 		if((space = strchr(proxy, ' ')))
    391. 

  391. 			*space++ = 0;
    392. 

  392. 

  393. 		if(!strcasecmp(proxy, "none")) {
    394. 

  394. 			proxytype = PROXY_NONE;
    395. 

  395. 		} else if(!strcasecmp(proxy, "socks4")) {
    396. 

  396. 			proxytype = PROXY_SOCKS4;
    397. 

  397. 		} else if(!strcasecmp(proxy, "socks4a")) {
    398. 

  398. 			proxytype = PROXY_SOCKS4A;
    399. 

  399. 		} else if(!strcasecmp(proxy, "socks5")) {
    400. 

  400. 			proxytype = PROXY_SOCKS5;
    401. 

  401. 		} else if(!strcasecmp(proxy, "http")) {
    402. 

  402. 			proxytype = PROXY_HTTP;
    403. 

  403. 		} else if(!strcasecmp(proxy, "exec")) {
    404. 

  404. 			proxytype = PROXY_EXEC;
    405. 

  405. 		} else {
    406. 

  406. 			logger(LOG_ERR, "Unknown proxy type %s!", proxy);
    407. 

  407. 			free(proxy);
    408. 

  408. 			return false;
    409. 

  409. 		}
    410. 

  410. 

  411. 		switch(proxytype) {
    412. 

  412. 			case PROXY_NONE:
    413. 

  413. 			default:
    414. 

  414. 				break;
    415. 

  415. 

  416. 			case PROXY_EXEC:
    417. 

  417. 				if(!space || !*space) {
    418. 

  418. 					logger(LOG_ERR, "Argument expected for proxy type exec!");
    419. 

  419. 					free(proxy);
    420. 

  420. 					return false;
    421. 

  421. 				}
    422. 

  422. 				proxyhost =  xstrdup(space);
    423. 

  423. 				break;
    424. 

  424. 

  425. 			case PROXY_SOCKS4:
    426. 

  426. 			case PROXY_SOCKS4A:
    427. 

  427. 			case PROXY_SOCKS5:
    428. 

  428. 			case PROXY_HTTP:
    429. 

  429. 				proxyhost = space;
    430. 

  430. 				if(space && (space = strchr(space, ' ')))
    431. 

  431. 					*space++ = 0, proxyport = space;
    432. 

  432. 				if(space && (space = strchr(space, ' ')))
    433. 

  433. 					*space++ = 0, proxyuser = space;
    434. 

  434. 				if(space && (space = strchr(space, ' ')))
    435. 

  435. 					*space++ = 0, proxypass = space;
    436. 

  436. 				if(!proxyhost || !*proxyhost || !proxyport || !*proxyport) {
    437. 

  437. 					logger(LOG_ERR, "Host and port argument expected for proxy!");
    438. 

  438. 					free(proxy);
    439. 

  439. 					return false;
    440. 

  440. 				}
    441. 

  441. 				proxyhost = xstrdup(proxyhost);
    442. 

  442. 				proxyport = xstrdup(proxyport);
    443. 

  443. 				if(proxyuser && *proxyuser)
    444. 

  444. 					proxyuser = xstrdup(proxyuser);
    445. 

  445. 				if(proxypass && *proxypass)
    446. 

  446. 					proxypass = xstrdup(proxypass);
    447. 

  447. 				break;
    448. 

  448. 		}
    449. 

  449. 

  450. 		free(proxy);
    451. 

  451. 	}
    452. 

  452. 

  453. 	/* Read in all the subnets specified in the host configuration file */
    454. 

  454. 

  455. 	cfg = lookup_config(config_tree, "Subnet");
    456. 

  456. 

  457. 	while(cfg) {
    458. 

  458. 		if(!get_config_subnet(cfg, &subnet))
    459. 

  459. 			return false;
    460. 

  460. 

  461. 		subnet_add(myself, subnet);
    462. 

  462. 

  463. 		cfg = lookup_config_next(config_tree, cfg);
    464. 

  464. 	}
    465. 

  465. 

  466. 	/* Check some options */
    467. 

  467. 

  468. 	if(get_config_bool(lookup_config(config_tree, "IndirectData"), &choice) && choice)
    469. 

  469. 		myself->options |= OPTION_INDIRECT;
    470. 

  470. 

  471. 	if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice) && choice)
    472. 

  472. 		myself->options |= OPTION_TCPONLY;
    473. 

  473. 

  474. 	if(myself->options & OPTION_TCPONLY)
    475. 

  475. 		myself->options |= OPTION_INDIRECT;
    476. 

  476. 

  477. 	get_config_bool(lookup_config(config_tree, "DirectOnly"), &directonly);
    478. 

  478. 	get_config_bool(lookup_config(config_tree, "StrictSubnets"), &strictsubnets);
    479. 

  479. 	get_config_bool(lookup_config(config_tree, "TunnelServer"), &tunnelserver);
    480. 

  480. 	get_config_bool(lookup_config(config_tree, "LocalDiscovery"), &localdiscovery);
    481. 

  481. 	strictsubnets |= tunnelserver;
    482. 

  482. 

  483. 	if(get_config_string(lookup_config(config_tree, "Mode"), &mode)) {
    484. 

  484. 		if(!strcasecmp(mode, "router"))
    485. 

  485. 			routing_mode = RMODE_ROUTER;
    486. 

  486. 		else if(!strcasecmp(mode, "switch"))
    487. 

  487. 			routing_mode = RMODE_SWITCH;
    488. 

  488. 		else if(!strcasecmp(mode, "hub"))
    489. 

  489. 			routing_mode = RMODE_HUB;
    490. 

  490. 		else {
    491. 

  491. 			logger(LOG_ERR, "Invalid routing mode!");
    492. 

  492. 			free(mode);
    493. 

  493. 			return false;
    494. 

  494. 		}
    495. 

  495. 		free(mode);
    496. 

  496. 	}
    497. 

  497. 

  498. 	if(get_config_string(lookup_config(config_tree, "Forwarding"), &mode)) {
    499. 

  499. 		if(!strcasecmp(mode, "off"))
    500. 

  500. 			forwarding_mode = FMODE_OFF;
    501. 

  501. 		else if(!strcasecmp(mode, "internal"))
    502. 

  502. 			forwarding_mode = FMODE_INTERNAL;
    503. 

  503. 		else if(!strcasecmp(mode, "kernel"))
    504. 

  504. 			forwarding_mode = FMODE_KERNEL;
    505. 

  505. 		else {
    506. 

  506. 			logger(LOG_ERR, "Invalid forwarding mode!");
    507. 

  507. 			free(mode);
    508. 

  508. 			return false;
    509. 

  509. 		}
    510. 

  510. 		free(mode);
    511. 

  511. 	}
    512. 

  512. 

  513. 	choice = true;
    514. 

  514. 	get_config_bool(lookup_config(config_tree, "PMTUDiscovery"), &choice);
    515. 

  515. 	if(choice)
    516. 

  516. 		myself->options |= OPTION_PMTU_DISCOVERY;
    517. 

  517. 

  518. 	choice = true;
    519. 

  519. 	get_config_bool(lookup_config(config_tree, "ClampMSS"), &choice);
    520. 

  520. 	if(choice)
    521. 

  521. 		myself->options |= OPTION_CLAMP_MSS;
    522. 

  522. 

  523. 	get_config_bool(lookup_config(config_tree, "PriorityInheritance"), &priorityinheritance);
    524. 

  524. 	get_config_bool(lookup_config(config_tree, "DecrementTTL"), &decrement_ttl);
    525. 

  525. 	if(get_config_string(lookup_config(config_tree, "Broadcast"), &mode)) {
    526. 

  526. 		if(!strcasecmp(mode, "no"))
    527. 

  527. 			broadcast_mode = BMODE_NONE;
    528. 

  528. 		else if(!strcasecmp(mode, "yes") || !strcasecmp(mode, "mst"))
    529. 

  529. 			broadcast_mode = BMODE_MST;
    530. 

  530. 		else if(!strcasecmp(mode, "direct"))
    531. 

  531. 			broadcast_mode = BMODE_DIRECT;
    532. 

  532. 		else {
    533. 

  533. 			logger(LOG_ERR, "Invalid broadcast mode!");
    534. 

  534. 			free(mode);
    535. 

  535. 			return false;
    536. 

  536. 		}
    537. 

  537. 		free(mode);
    538. 

  538. 	}
    539. 

  539. 

  540. #if !defined(SOL_IP) || !defined(IP_TOS)
    541. 

  541. 	if(priorityinheritance)
    542. 

  542. 		logger(LOG_WARNING, "%s not supported on this platform", "PriorityInheritance");
    543. 

  543. #endif
    544. 

  544. 

  545. 	if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
    546. 

  546. 		macexpire = 600;
    547. 

  547. 

  548. 	if(get_config_int(lookup_config(config_tree, "MaxTimeout"), &maxtimeout)) {
    549. 

  549. 		if(maxtimeout <= 0) {
    550. 

  550. 			logger(LOG_ERR, "Bogus maximum timeout!");
    551. 

  551. 			return false;
    552. 

  552. 		}
    553. 

  553. 	} else
    554. 

  554. 		maxtimeout = 900;
    555. 

  555. 

  556. 	if(get_config_int(lookup_config(config_tree, "UDPRcvBuf"), &udp_rcvbuf)) {
    557. 

  557. 		if(udp_rcvbuf <= 0) {
    558. 

  558. 			logger(LOG_ERR, "UDPRcvBuf cannot be negative!");
    559. 

  559. 			return false;
    560. 

  560. 		}
    561. 

  561. 	}
    562. 

  562. 

  563. 	if(get_config_int(lookup_config(config_tree, "UDPSndBuf"), &udp_sndbuf)) {
    564. 

  564. 		if(udp_sndbuf <= 0) {
    565. 

  565. 			logger(LOG_ERR, "UDPSndBuf cannot be negative!");
    566. 

  566. 			return false;
    567. 

  567. 		}
    568. 

  568. 	}
    569. 

  569. 

  570. 	if(get_config_int(lookup_config(config_tree, "ReplayWindow"), &replaywin_int)) {
    571. 

  571. 		if(replaywin_int < 0) {
    572. 

  572. 			logger(LOG_ERR, "ReplayWindow cannot be negative!");
    573. 

  573. 			return false;
    574. 

  574. 		}
    575. 

  575. 		replaywin = (unsigned)replaywin_int;
    576. 

  576. 	}
    577. 

  577. 

  578. 	if(get_config_string(lookup_config(config_tree, "AddressFamily"), &afname)) {
    579. 

  579. 		if(!strcasecmp(afname, "IPv4"))
    580. 

  580. 			addressfamily = AF_INET;
    581. 

  581. 		else if(!strcasecmp(afname, "IPv6"))
    582. 

  582. 			addressfamily = AF_INET6;
    583. 

  583. 		else if(!strcasecmp(afname, "any"))
    584. 

  584. 			addressfamily = AF_UNSPEC;
    585. 

  585. 		else {
    586. 

  586. 			logger(LOG_ERR, "Invalid address family!");
    587. 

  587. 			free(afname);
    588. 

  588. 			return false;
    589. 

  589. 		}
    590. 

  590. 		free(afname);
    591. 

  591. 	}
    592. 

  592. 

  593. 	get_config_bool(lookup_config(config_tree, "Hostnames"), &hostnames);
    594. 

  594. 

  595. 	/* Generate packet encryption key */
    596. 

  596. 

  597. 	if(get_config_string(lookup_config(config_tree, "Cipher"), &cipher)) {
    598. 

  598. 		if(!strcasecmp(cipher, "none")) {
    599. 

  599. 			myself->incipher = NULL;
    600. 

  600. 		} else {
    601. 

  601. 			myself->incipher = EVP_get_cipherbyname(cipher);
    602. 

  602. 

  603. 			if(!myself->incipher) {
    604. 

  604. 				logger(LOG_ERR, "Unrecognized cipher type!");
    605. 

  605. 				free(cipher);
    606. 

  606. 				return false;
    607. 

  607. 			}
    608. 

  608. 		}
    609. 

  609. 		free(cipher);
    610. 

  610. 	} else
    611. 

  611. 		myself->incipher = EVP_bf_cbc();
    612. 

  612. 

  613. 	if(myself->incipher)
    614. 

  614. 		myself->inkeylength = myself->incipher->key_len + myself->incipher->iv_len;
    615. 

  615. 	else
    616. 

  616. 		myself->inkeylength = 1;
    617. 

  617. 

  618. 	myself->connection->outcipher = EVP_bf_ofb();
    619. 

  619. 

  620. 	if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
    621. 

  621. 		keylifetime = 3600;
    622. 

  622. 

  623. 	keyexpires = now + keylifetime;
    624. 

  624. 	
    625. 

  625. 	/* Check if we want to use message authentication codes... */
    626. 

  626. 

  627. 	if(get_config_string(lookup_config(config_tree, "Digest"), &digest)) {
    628. 

  628. 		if(!strcasecmp(digest, "none")) {
    629. 

  629. 			myself->indigest = NULL;
    630. 

  630. 		} else {
    631. 

  631. 			myself->indigest = EVP_get_digestbyname(digest);
    632. 

  632. 

  633. 			if(!myself->indigest) {
    634. 

  634. 				logger(LOG_ERR, "Unrecognized digest type!");
    635. 

  635. 				free(digest);
    636. 

  636. 				return false;
    637. 

  637. 			}
    638. 

  638. 		}
    639. 

  639. 

  640. 		free(digest);
    641. 

  641. 	} else
    642. 

  642. 		myself->indigest = EVP_sha1();
    643. 

  643. 

  644. 	myself->connection->outdigest = EVP_sha1();
    645. 

  645. 

  646. 	if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
    647. 

  647. 		if(myself->indigest) {
    648. 

  648. 			if(myself->inmaclength > myself->indigest->md_size) {
    649. 

  649. 				logger(LOG_ERR, "MAC length exceeds size of digest!");
    650. 

  650. 				return false;
    651. 

  651. 			} else if(myself->inmaclength < 0) {
    652. 

  652. 				logger(LOG_ERR, "Bogus MAC length!");
    653. 

  653. 				return false;
    654. 

  654. 			}
    655. 

  655. 		}
    656. 

  656. 	} else
    657. 

  657. 		myself->inmaclength = 4;
    658. 

  658. 

  659. 	myself->connection->outmaclength = 0;
    660. 

  660. 

  661. 	/* Compression */
    662. 

  662. 

  663. 	if(get_config_int(lookup_config(config_tree, "Compression"), &myself->incompression)) {
    664. 

  664. 		if(myself->incompression < 0 || myself->incompression > 11) {
    665. 

  665. 			logger(LOG_ERR, "Bogus compression level!");
    666. 

  666. 			return false;
    667. 

  667. 		}
    668. 

  668. 	} else
    669. 

  669. 		myself->incompression = 0;
    670. 

  670. 

  671. 	myself->connection->outcompression = 0;
    672. 

  672. 

  673. 	/* Done */
    674. 

  674. 

  675. 	myself->nexthop = myself;
    676. 

  676. 	myself->via = myself;
    677. 

  677. 	myself->status.reachable = true;
    678. 

  678. 	node_add(myself);
    679. 

  679. 

  680. 	graph();
    681. 

  681. 

  682. 	if(strictsubnets)
    683. 

  683. 		load_all_subnets();
    684. 

  684. 

  685. 	/* Open device */
    686. 

  686. 

  687. 	devops = os_devops;
    688. 

  688. 

  689. 	if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) {
    690. 

  690. 		if(!strcasecmp(type, "dummy"))
    691. 

  691. 			devops = dummy_devops;
    692. 

  692. 		else if(!strcasecmp(type, "raw_socket"))
    693. 

  693. 			devops = raw_socket_devops;
    694. 

  694. 		else if(!strcasecmp(type, "multicast"))
    695. 

  695. 			devops = multicast_devops;
    696. 

  696. #ifdef ENABLE_UML
    697. 

  697. 		else if(!strcasecmp(type, "uml"))
    698. 

  698. 			devops = uml_devops;
    699. 

  699. #endif
    700. 

  700. #ifdef ENABLE_VDE
    701. 

  701. 		else if(!strcasecmp(type, "vde"))
    702. 

  702. 			devops = vde_devops;
    703. 

  703. #endif
    704. 

  704. 		free(type);
    705. 

  705. 	}
    706. 

  706. 

  707. 	if(!devops.setup())
    708. 

  708. 		return false;
    709. 

  709. 

  710. 	/* Run tinc-up script to further initialize the tap interface */
    711. 

  711. 	xasprintf(&envp[0], "NETNAME=%s", netname ? : "");
    712. 

  712. 	xasprintf(&envp[1], "DEVICE=%s", device ? : "");
    713. 

  713. 	xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
    714. 

  714. 	xasprintf(&envp[3], "NAME=%s", myself->name);
    715. 

  715. 

  716. 	execute_script("tinc-up", envp);
    717. 

  717. 

  718. 	for(i = 0; i < 4; i++)
    719. 

  719. 		free(envp[i]);
    720. 

  720. 

  721. 	/* Run subnet-up scripts for our own subnets */
    722. 

  722. 

  723. 	subnet_update(myself, NULL, true);
    724. 

  724. 

  725. 	/* Open sockets */
    726. 

  726. 

  727. 	if(!do_detach && getenv("LISTEN_FDS")) {
    728. 

  728. 		sockaddr_t sa;
    729. 

  729. 		socklen_t salen;
    730. 

  730. 

  731. 		listen_sockets = atoi(getenv("LISTEN_FDS"));
    732. 

  732. #ifdef HAVE_UNSETENV
    733. 

  733. 		unsetenv("LISTEN_FDS");
    734. 

  734. #endif
    735. 

  735. 

  736. 		if(listen_sockets > MAXSOCKETS) {
    737. 

  737. 			logger(LOG_ERR, "Too many listening sockets");
    738. 

  738. 			return false;
    739. 

  739. 		}
    740. 

  740. 

  741. 		for(i = 0; i < listen_sockets; i++) {
    742. 

  742. 			salen = sizeof sa;
    743. 

  743. 			if(getsockname(i + 3, &sa.sa, &salen) < 0) {
    744. 

  744. 				logger(LOG_ERR, "Could not get address of listen fd %d: %s", i + 3, sockstrerror(errno));
    745. 

  745. 				return false;
    746. 

  746. 			}
    747. 

  747. 

  748. 			listen_socket[i].tcp = i + 3;
    749. 

  749. 

  750. #ifdef FD_CLOEXEC
    751. 

  751. 		        fcntl(i + 3, F_SETFD, FD_CLOEXEC);
    752. 

  752. #endif
    753. 

  753. 

  754. 			listen_socket[i].udp = setup_vpn_in_socket(&sa);
    755. 

  755. 			if(listen_socket[i].udp < 0)
    756. 

  756. 				return false;
    757. 

  757. 

  758. 			ifdebug(CONNECTIONS) {
    759. 

  759. 				hostname = sockaddr2hostname(&sa);
    760. 

  760. 				logger(LOG_NOTICE, "Listening on %s", hostname);
    761. 

  761. 				free(hostname);
    762. 

  762. 			}
    763. 

  763. 

  764. 			memcpy(&listen_socket[i].sa, &sa, salen);
    765. 

  765. 		}
    766. 

  766. 	} else {
    767. 

  767. 		listen_sockets = 0;
    768. 

  768. 		cfg = lookup_config(config_tree, "BindToAddress");
    769. 

  769. 

  770. 		do {
    771. 

  771. 			get_config_string(cfg, &address);
    772. 

  772. 			if(cfg)
    773. 

  773. 				cfg = lookup_config_next(config_tree, cfg);
    774. 

  774. 

  775. 			char *port = myport;
    776. 

  776. 

  777. 			if(address) {
    778. 

  778. 				char *space = strchr(address, ' ');
    779. 

  779. 				if(space) {
    780. 

  780. 					*space++ = 0;
    781. 

  781. 					port = space;
    782. 

  782. 				}
    783. 

  783. 

  784. 				if(!strcmp(address, "*"))
    785. 

  785. 					*address = 0;
    786. 

  786. 			}
    787. 

  787. 

  788. 			hint.ai_family = addressfamily;
    789. 

  789. 			hint.ai_socktype = SOCK_STREAM;
    790. 

  790. 			hint.ai_protocol = IPPROTO_TCP;
    791. 

  791. 			hint.ai_flags = AI_PASSIVE;
    792. 

  792. 

  793. 			err = getaddrinfo(address && *address ? address : NULL, port, &hint, &ai);
    794. 

  794. 			free(address);
    795. 

  795. 

  796. 			if(err || !ai) {
    797. 

  797. 				logger(LOG_ERR, "System call `%s' failed: %s", "getaddrinfo",
    798. 

  798. 					   gai_strerror(err));
    799. 

  799. 				return false;
    800. 

  800. 			}
    801. 

  801. 

  802. 			for(aip = ai; aip; aip = aip->ai_next) {
    803. 

  803. 				if(listen_sockets >= MAXSOCKETS) {
    804. 

  804. 					logger(LOG_ERR, "Too many listening sockets");
    805. 

  805. 					return false;
    806. 

  806. 				}
    807. 

  807. 

  808. 				listen_socket[listen_sockets].tcp =
    809. 

  809. 					setup_listen_socket((sockaddr_t *) aip->ai_addr);
    810. 

  810. 

  811. 				if(listen_socket[listen_sockets].tcp < 0)
    812. 

  812. 					continue;
    813. 

  813. 

  814. 				listen_socket[listen_sockets].udp =
    815. 

  815. 					setup_vpn_in_socket((sockaddr_t *) aip->ai_addr);
    816. 

  816. 

  817. 				if(listen_socket[listen_sockets].udp < 0)
    818. 

  818. 					continue;
    819. 

  819. 

  820. 				ifdebug(CONNECTIONS) {
    821. 

  821. 					hostname = sockaddr2hostname((sockaddr_t *) aip->ai_addr);
    822. 

  822. 					logger(LOG_NOTICE, "Listening on %s", hostname);
    823. 

  823. 					free(hostname);
    824. 

  824. 				}
    825. 

  825. 

  826. 				memcpy(&listen_socket[listen_sockets].sa, aip->ai_addr, aip->ai_addrlen);
    827. 

  827. 				listen_sockets++;
    828. 

  828. 			}
    829. 

  829. 

  830. 			freeaddrinfo(ai);
    831. 

  831. 		} while(cfg);
    832. 

  832. 	}
    833. 

  833. 

  834. 	if(!listen_sockets) {
    835. 

  835. 		logger(LOG_ERR, "Unable to create any listening socket!");
    836. 

  836. 		return false;
    837. 

  837. 	}
    838. 

  838. 

  839. 	/* If no Port option was specified, set myport to the port used by the first listening socket. */
    840. 

  840. 

  841. 	if(!port_specified) {
    842. 

  842. 		sockaddr_t sa;
    843. 

  843. 		socklen_t salen = sizeof sa;
    844. 

  844. 		if(!getsockname(listen_socket[0].udp, &sa.sa, &salen)) {
    845. 

  845. 			free(myport);
    846. 

  846. 			sockaddr2str(&sa, NULL, &myport);
    847. 

  847. 			if(!myport)
    848. 

  848. 				myport = xstrdup("655");
    849. 

  849. 		}
    850. 

  850. 	}
    851. 

  851. 

  852. 	/* Done. */
    853. 

  853. 

  854. 	logger(LOG_NOTICE, "Ready");
    855. 

  855. 	return true;
    856. 

  856. }
    857. 

  857. 

  858. /*
    859. 

  859.   initialize network
    860. 

  860. */
    861. 

  861. bool setup_network(void) {
    862. 

  862. 	now = time(NULL);
    863. 

  863. 

  864. 	init_events();
    865. 

  865. 	init_connections();
    866. 

  866. 	init_subnets();
    867. 

  867. 	init_nodes();
    868. 

  868. 	init_edges();
    869. 

  869. 	init_requests();
    870. 

  870. 

  871. 	if(get_config_int(lookup_config(config_tree, "PingInterval"), &pinginterval)) {
    872. 

  872. 		if(pinginterval < 1) {
    873. 

  873. 			pinginterval = 86400;
    874. 

  874. 		}
    875. 

  875. 	} else
    876. 

  876. 		pinginterval = 60;
    877. 

  877. 

  878. 	if(!get_config_int(lookup_config(config_tree, "PingTimeout"), &pingtimeout))
    879. 

  879. 		pingtimeout = 5;
    880. 

  880. 	if(pingtimeout < 1 || pingtimeout > pinginterval)
    881. 

  881. 		pingtimeout = pinginterval;
    882. 

  882. 

  883. 	if(!get_config_int(lookup_config(config_tree, "MaxOutputBufferSize"), &maxoutbufsize))
    884. 

  884. 		maxoutbufsize = 10 * MTU;
    885. 

  885. 

  886. 	if(!setup_myself())
    887. 

  887. 		return false;
    888. 

  888. 

  889. 	return true;
    890. 

  890. }
    891. 

  891. 

  892. /*
    893. 

  893.   close all open network connections
    894. 

  894. */
    895. 

  895. void close_network_connections(void) {
    896. 

  896. 	avl_node_t *node, *next;
    897. 

  897. 	connection_t *c;
    898. 

  898. 	char *envp[5] = {NULL};
    899. 

  899. 	int i;
    900. 

  900. 

  901. 	for(node = connection_tree->head; node; node = next) {
    902. 

  902. 		next = node->next;
    903. 

  903. 		c = node->data;
    904. 

  904. 		c->outgoing = NULL;
    905. 

  905. 		terminate_connection(c, false);
    906. 

  906. 	}
    907. 

  907. 

  908. 	for(list_node_t *node = outgoing_list->head; node; node = node->next) {
    909. 

  909. 		outgoing_t *outgoing = node->data;
    910. 

  910. 

  911. 		if(outgoing->event)
    912. 

  912. 			event_del(outgoing->event);
    913. 

  913. 	}
    914. 

  914. 

  915. 	list_delete_list(outgoing_list);
    916. 

  916. 

  917. 	if(myself && myself->connection) {
    918. 

  918. 		subnet_update(myself, NULL, false);
    919. 

  919. 		terminate_connection(myself->connection, false);
    920. 

  920. 		free_connection(myself->connection);
    921. 

  921. 	}
    922. 

  922. 

  923. 	for(i = 0; i < listen_sockets; i++) {
    924. 

  924. 		close(listen_socket[i].tcp);
    925. 

  925. 		close(listen_socket[i].udp);
    926. 

  926. 	}
    927. 

  927. 

  928. 	xasprintf(&envp[0], "NETNAME=%s", netname ? : "");
    929. 

  929. 	xasprintf(&envp[1], "DEVICE=%s", device ? : "");
    930. 

  930. 	xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
    931. 

  931. 	xasprintf(&envp[3], "NAME=%s", myself->name);
    932. 

  932. 

  933. 	exit_requests();
    934. 

  934. 	exit_edges();
    935. 

  935. 	exit_subnets();
    936. 

  936. 	exit_nodes();
    937. 

  937. 	exit_connections();
    938. 

  938. 	exit_events();
    939. 

  939. 

  940. 	execute_script("tinc-down", envp);
    941. 

  941. 

  942. 	if(myport) free(myport);
    943. 

  943. 

  944. 	for(i = 0; i < 4; i++)
    945. 

  945. 		free(envp[i]);
    946. 

  946. 

  947. 	devops.close();
    948. 

  948. 

  949. 	return;
    950. 

  950. }
    951.