1 pcg 1.1 /*
2     conf.c -- configuration code
3 pcg 1.44 Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de>
4 pcg 1.1
5 pcg 1.31 This file is part of GVPE.
6    
7 pcg 1.44 GVPE is free software; you can redistribute it and/or modify it
8     under the terms of the GNU General Public License as published by the
9     Free Software Foundation; either version 3 of the License, or (at your
10     option) any later version.
11    
12     This program is distributed in the hope that it will be useful, but
13     WITHOUT ANY WARRANTY; without even the implied warranty of
14     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
15     Public License for more details.
16    
17     You should have received a copy of the GNU General Public License along
18     with this program; if not, see <http://www.gnu.org/licenses/>.
19    
20     Additional permission under GNU GPL version 3 section 7
21    
22     If you modify this Program, or any covered work, by linking or
23     combining it with the OpenSSL project's OpenSSL library (or a modified
24     version of that library), containing parts covered by the terms of the
25     OpenSSL or SSLeay licenses, the licensors of this Program grant you
26     additional permission to convey the resulting work. Corresponding
27     Source for a non-source form of such a combination shall include the
28     source code for the parts of OpenSSL used as well as that of the
29     covered work.
30 pcg 1.1 */
31    
#include "config.h"

#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

#include <errno.h>
#include <netdb.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#include "netcompat.h"

#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
#include <openssl/rsa.h>

#include "conf.h"
#include "slog.h"
#include "util.h"
55    
56     char *confbase;
57     char *thisnode;
58     char *identname;
59    
60     struct configuration conf;
61    
62 root 1.52 u8
63     best_protocol (u8 protset)
64 pcg 1.7 {
65 pcg 1.13 if (protset & PROT_IPv4 ) return PROT_IPv4;
66     if (protset & PROT_ICMPv4) return PROT_ICMPv4;
67     if (protset & PROT_UDPv4 ) return PROT_UDPv4;
68     if (protset & PROT_TCPv4 ) return PROT_TCPv4;
69 pcg 1.24 if (protset & PROT_DNSv4 ) return PROT_DNSv4;
70 pcg 1.7
71 pcg 1.9 return 0;
72 pcg 1.7 }
73    
74 root 1.52 const char *
75     strprotocol (u8 protocol)
76 pcg 1.7 {
77 pcg 1.13 if (protocol & PROT_IPv4 ) return "rawip";
78     if (protocol & PROT_ICMPv4) return "icmp";
79     if (protocol & PROT_UDPv4 ) return "udp";
80     if (protocol & PROT_TCPv4 ) return "tcp";
81 pcg 1.24 if (protocol & PROT_DNSv4 ) return "dns";
82 pcg 1.7
83     return "<unknown>";
84     }
85    
86 pcg 1.42 static bool
87     match_list (const vector<const char *> &list, const char *str)
88     {
89     for (vector<const char *>::const_iterator i = list.end (); i-- > list.begin (); )
90     if ((*i)[0] == '*' && !(*i)[1])
91     return true;
92     else if (!strcmp (*i, str))
93     return true;
94    
95     return false;
96     }
97    
98     bool
99 pcg 1.46 conf_node::may_direct (struct conf_node *other)
100 pcg 1.42 {
101     if (match_list (allow_direct, other->nodename))
102     return true;
103    
104     if (match_list (deny_direct, other->nodename))
105     return false;
106    
107     return true;
108     }
109    
110 pcg 1.12 conf_node::~conf_node ()
111 pcg 1.1 {
112 pcg 1.39 #if 0
113     // does not work, because string pointers etc. are shared
114     // is not called, however
115 pcg 1.12 if (rsa_key)
116     RSA_free (rsa_key);
117    
118     free (nodename);
119     free (hostname);
120 pcg 1.39 free (if_up_data);
121 pcg 1.30 #if ENABLE_DNS
122 pcg 1.28 free (domain);
123 pcg 1.30 free (dns_hostname);
124     #endif
125 pcg 1.39 #endif
126 pcg 1.1 }
127    
128 root 1.52 void
129     configuration::init ()
130 pcg 1.1 {
131     memset (this, 0, sizeof (*this));
132    
133 pcg 1.19 mtu = DEFAULT_MTU;
134 pcg 1.50 nfmark = 0;
135 pcg 1.1 rekey = DEFAULT_REKEY;
136     keepalive = DEFAULT_KEEPALIVE;
137 pcg 1.2 llevel = L_INFO;
138 pcg 1.5 ip_proto = IPPROTO_GRE;
139 pcg 1.16 #if ENABLE_ICMP
140 pcg 1.13 icmp_type = ICMP_ECHOREPLY;
141 pcg 1.16 #endif
142 pcg 1.1
143 pcg 1.5 default_node.udp_port = DEFAULT_UDPPORT;
144 pcg 1.24 default_node.tcp_port = DEFAULT_UDPPORT; // ehrm
145 pcg 1.1 default_node.connectmode = conf_node::C_ALWAYS;
146     default_node.compress = true;
147 pcg 1.29 default_node.protocols = 0;
148 pcg 1.27 default_node.max_retry = DEFAULT_MAX_RETRY;
149 pcg 1.43 default_node.max_ttl = DEFAULT_MAX_TTL;
150     default_node.max_queue = DEFAULT_MAX_QUEUE;
151 pcg 1.39 default_node.if_up_data = strdup ("");
152 pcg 1.25
153 pcg 1.30 #if ENABLE_DNS
154 pcg 1.32 default_node.dns_port = 0; // default is 0 == client
155 pcg 1.38
156     dns_forw_host = strdup ("127.0.0.1");
157     dns_forw_port = 53;
158     dns_timeout_factor = DEFAULT_DNS_TIMEOUT_FACTOR;
159     dns_send_interval = DEFAULT_DNS_SEND_INTERVAL;
160     dns_overlap_factor = DEFAULT_DNS_OVERLAP_FACTOR;
161     dns_max_outstanding = DEFAULT_DNS_MAX_OUTSTANDING;
162 pcg 1.30 #endif
163    
164 pcg 1.27 conf.pidfilename = strdup (LOCALSTATEDIR "/run/gvpe.pid");
165 pcg 1.1 }
166    
167 root 1.52 void
168     configuration::cleanup ()
169 pcg 1.1 {
170     if (rsa_key)
171     RSA_free (rsa_key);
172    
173 pcg 1.12 rsa_key = 0;
174 pcg 1.1
175 pcg 1.51 free (pidfilename); pidfilename = 0;
176     free (ifname); ifname = 0;
177 root 1.53 #if ENABLE_HTTP_PROXY
178 pcg 1.51 free (proxy_host); proxy_host = 0;
179     free (proxy_auth); proxy_auth = 0;
180 root 1.53 #endif
181     #if ENABLE_DNS
182 pcg 1.51 free (dns_forw_host); dns_forw_host = 0;
183     #endif
184     free (script_if_up); script_if_up = 0;
185     free (script_node_up); script_node_up = 0;
186     free (script_node_change); script_node_change = 0;
187     free (script_node_down); script_node_down = 0;
188 pcg 1.1 }
189    
190     void
191 pcg 1.40 configuration::clear ()
192 pcg 1.1 {
193     for (configuration::node_vector::iterator i = nodes.begin(); i != nodes.end(); ++i)
194     delete *i;
195    
196     nodes.clear ();
197    
198     cleanup ();
199     init ();
200     }
201    
202 pcg 1.37 #define parse_bool(target,name,trueval,falseval) do { \
203     if (!strcmp (val, "yes")) target = trueval; \
204 pcg 1.5 else if (!strcmp (val, "no")) target = falseval; \
205     else if (!strcmp (val, "true")) target = trueval; \
206     else if (!strcmp (val, "false")) target = falseval; \
207     else if (!strcmp (val, "on")) target = trueval; \
208     else if (!strcmp (val, "off")) target = falseval; \
209     else \
210 pcg 1.40 return _("illegal boolean value, only 'yes|true|on' or 'no|false|off' allowed. (ignored)"); \
211 pcg 1.37 } while (0)
212 pcg 1.5
213 pcg 1.40 const char *
214     configuration_parser::parse_line (char *line)
215 pcg 1.1 {
216 pcg 1.40 {
217     char *end = line + strlen (line);
218    
219     while (*end < ' ' && end >= line)
220     end--;
221 pcg 1.1
222 pcg 1.40 *++end = 0;
223     }
224 pcg 1.1
225 pcg 1.40 char *tok = line;
226     const char *var = strtok (tok, "\t =");
227     tok = 0;
228 pcg 1.1
229 pcg 1.40 if (!var || !var[0])
230     return 0; /* no tokens on this line */
231 pcg 1.1
232 pcg 1.40 if (var[0] == '#')
233     return 0; /* comment: ignore */
234 pcg 1.1
235 pcg 1.40 char *val = strtok (NULL, "\t\n\r =");
236 pcg 1.1
237 pcg 1.40 if (!val || val[0] == '#')
238     return _("no value given for variable. (ignored)");
239 pcg 1.1
240 pcg 1.40 if (!strcmp (var, "on"))
241     {
242     if (!::thisnode
243     || (val[0] == '!' && strcmp (val + 1, ::thisnode))
244     || !strcmp (val, ::thisnode))
245     return parse_line (strtok (NULL, "\n\r"));
246     else
247     return 0;
248     }
249 pcg 1.1
250 pcg 1.40 // truly global
251     if (!strcmp (var, "loglevel"))
252     {
253     loglevel l = string_to_loglevel (val);
254 pcg 1.1
255 pcg 1.40 if (l == L_NONE)
256     return _("unknown loglevel. (skipping)");
257     }
258     else if (!strcmp (var, "ip-proto"))
259     conf.ip_proto = atoi (val);
260     else if (!strcmp (var, "icmp-type"))
261     {
262 pcg 1.16 #if ENABLE_ICMP
263 pcg 1.40 conf.icmp_type = atoi (val);
264 pcg 1.16 #endif
265 pcg 1.40 }
266 pcg 1.1
267 pcg 1.40 // per config
268     else if (!strcmp (var, "node"))
269     {
270     parse_argv ();
271 pcg 1.1
272 pcg 1.40 conf.default_node.id++;
273     node = new conf_node (conf.default_node);
274     conf.nodes.push_back (node);
275     node->nodename = strdup (val);
276 pcg 1.1
277 pcg 1.40 {
278     char *fname;
279     FILE *f;
280    
281     asprintf (&fname, "%s/pubkey/%s", confbase, node->nodename);
282 pcg 1.1
283 pcg 1.40 f = fopen (fname, "r");
284     if (f)
285     {
286     node->rsa_key = RSA_new ();
287 pcg 1.1
288 pcg 1.40 if (!PEM_read_RSAPublicKey(f, &node->rsa_key, NULL, NULL))
289 pcg 1.1 {
290 pcg 1.40 ERR_load_RSA_strings (); ERR_load_PEM_strings ();
291     slog (L_ERR, _("unable to open public rsa key file '%s': %s"), fname, ERR_error_string (ERR_get_error (), 0));
292     exit (EXIT_FAILURE);
293     }
294    
295     require (RSA_blinding_on (node->rsa_key, 0));
296 pcg 1.1
297 pcg 1.40 fclose (f);
298     }
299     else
300     {
301     slog (need_keys ? L_ERR : L_NOTICE, _("unable to read public rsa key file '%s': %s"), fname, strerror (errno));
302 pcg 1.1
303 pcg 1.40 if (need_keys)
304     exit (EXIT_FAILURE);
305     }
306 pcg 1.1
307 pcg 1.40 free (fname);
308     }
309 pcg 1.1
310 pcg 1.40 if (::thisnode && !strcmp (node->nodename, ::thisnode))
311     conf.thisnode = node;
312     }
313     else if (!strcmp (var, "private-key"))
314     free (conf.prikeyfile), conf.prikeyfile = strdup (val);
315     else if (!strcmp (var, "ifpersist"))
316     parse_bool (conf.ifpersist, "ifpersist", true, false);
317     else if (!strcmp (var, "ifname"))
318     free (conf.ifname), conf.ifname = strdup (val);
319     else if (!strcmp (var, "rekey"))
320     conf.rekey = atoi (val);
321     else if (!strcmp (var, "keepalive"))
322     conf.keepalive = atoi (val);
323     else if (!strcmp (var, "mtu"))
324     conf.mtu = atoi (val);
325 pcg 1.50 else if (!strcmp (var, "nfmark"))
326     conf.nfmark = atoi (val);
327 pcg 1.40 else if (!strcmp (var, "if-up"))
328     free (conf.script_if_up), conf.script_if_up = strdup (val);
329     else if (!strcmp (var, "node-up"))
330     free (conf.script_node_up), conf.script_node_up = strdup (val);
331 pcg 1.51 else if (!strcmp (var, "node-change"))
332     free (conf.script_node_change), conf.script_node_change = strdup (val);
333 pcg 1.40 else if (!strcmp (var, "node-down"))
334     free (conf.script_node_down), conf.script_node_down = strdup (val);
335     else if (!strcmp (var, "pid-file"))
336     free (conf.pidfilename), conf.pidfilename = strdup (val);
337     else if (!strcmp (var, "dns-forw-host"))
338     {
339 pcg 1.30 #if ENABLE_DNS
340 pcg 1.40 free (conf.dns_forw_host), conf.dns_forw_host = strdup (val);
341 pcg 1.34 #endif
342 pcg 1.40 }
343     else if (!strcmp (var, "dns-forw-port"))
344     {
345 pcg 1.34 #if ENABLE_DNS
346 pcg 1.40 conf.dns_forw_port = atoi (val);
347 pcg 1.28 #endif
348 pcg 1.40 }
349     else if (!strcmp (var, "dns-timeout-factor"))
350     {
351 pcg 1.38 #if ENABLE_DNS
352 pcg 1.40 conf.dns_timeout_factor = atof (val);
353 pcg 1.38 #endif
354 pcg 1.40 }
355     else if (!strcmp (var, "dns-send-interval"))
356     {
357 pcg 1.38 #if ENABLE_DNS
358 pcg 1.40 conf.dns_send_interval = atoi (val);
359 pcg 1.38 #endif
360 pcg 1.40 }
361     else if (!strcmp (var, "dns-overlap-factor"))
362     {
363 pcg 1.38 #if ENABLE_DNS
364 pcg 1.40 conf.dns_overlap_factor = atof (val);
365 pcg 1.38 #endif
366 pcg 1.40 }
367     else if (!strcmp (var, "dns-max-outstanding"))
368     {
369 pcg 1.38 #if ENABLE_DNS
370 pcg 1.40 conf.dns_max_outstanding = atoi (val);
371 pcg 1.38 #endif
372 pcg 1.40 }
373     else if (!strcmp (var, "http-proxy-host"))
374     {
375 pcg 1.12 #if ENABLE_HTTP_PROXY
376 pcg 1.40 free (conf.proxy_host), conf.proxy_host = strdup (val);
377 pcg 1.20 #endif
378 pcg 1.40 }
379     else if (!strcmp (var, "http-proxy-port"))
380     {
381 pcg 1.20 #if ENABLE_HTTP_PROXY
382 pcg 1.40 conf.proxy_port = atoi (val);
383 pcg 1.20 #endif
384 pcg 1.40 }
385     else if (!strcmp (var, "http-proxy-auth"))
386     {
387 pcg 1.20 #if ENABLE_HTTP_PROXY
388 pcg 1.40 conf.proxy_auth = (char *)base64_encode ((const u8 *)val, strlen (val));
389 pcg 1.12 #endif
390 pcg 1.40 }
391 pcg 1.1
392 pcg 1.40 /* node-specific, non-defaultable */
393     else if (node != &conf.default_node && !strcmp (var, "hostname"))
394     free (node->hostname), node->hostname = strdup (val);
395    
396     /* node-specific, defaultable */
397     else if (!strcmp (var, "udp-port"))
398     node->udp_port = atoi (val);
399     else if (!strcmp (var, "tcp-port"))
400     node->tcp_port = atoi (val);
401     else if (!strcmp (var, "dns-hostname"))
402     {
403 pcg 1.30 #if ENABLE_DNS
404 pcg 1.40 free (node->dns_hostname), node->dns_hostname = strdup (val);
405 pcg 1.34 #endif
406 pcg 1.40 }
407     else if (!strcmp (var, "dns-port"))
408     {
409 pcg 1.34 #if ENABLE_DNS
410 pcg 1.40 node->dns_port = atoi (val);
411 pcg 1.34 #endif
412 pcg 1.40 }
413     else if (!strcmp (var, "dns-domain"))
414     {
415 pcg 1.34 #if ENABLE_DNS
416 pcg 1.40 free (node->domain), node->domain = strdup (val);
417 pcg 1.28 #endif
418 pcg 1.40 }
419     else if (!strcmp (var, "if-up-data"))
420     free (node->if_up_data), node->if_up_data = strdup (val);
421     else if (!strcmp (var, "router-priority"))
422     node->routerprio = atoi (val);
423     else if (!strcmp (var, "max-retry"))
424     node->max_retry = atoi (val);
425     else if (!strcmp (var, "connect"))
426     {
427     if (!strcmp (val, "ondemand"))
428     node->connectmode = conf_node::C_ONDEMAND;
429     else if (!strcmp (val, "never"))
430     node->connectmode = conf_node::C_NEVER;
431     else if (!strcmp (val, "always"))
432     node->connectmode = conf_node::C_ALWAYS;
433     else if (!strcmp (val, "disabled"))
434     node->connectmode = conf_node::C_DISABLED;
435     else
436     return _("illegal value for 'connectmode', use one of 'ondemand', 'never', 'always' or 'disabled'. (ignored)");
437     }
438     else if (!strcmp (var, "inherit-tos"))
439     parse_bool (node->inherit_tos, "inherit-tos", true, false);
440     else if (!strcmp (var, "compress"))
441     parse_bool (node->compress, "compress", true, false);
442     // all these bool options really really cost a lot of executable size!
443     else if (!strcmp (var, "enable-tcp"))
444     {
445 pcg 1.11 #if ENABLE_TCP
446 pcg 1.40 u8 v; parse_bool (v, "enable-tcp" , PROT_TCPv4, 0); node->protocols = (node->protocols & ~PROT_TCPv4) | v;
447 pcg 1.13 #endif
448 pcg 1.40 }
449     else if (!strcmp (var, "enable-icmp"))
450     {
451 pcg 1.13 #if ENABLE_ICMP
452 pcg 1.40 u8 v; parse_bool (v, "enable-icmp" , PROT_ICMPv4, 0); node->protocols = (node->protocols & ~PROT_ICMPv4) | v;
453 pcg 1.11 #endif
454 pcg 1.40 }
455     else if (!strcmp (var, "enable-dns"))
456     {
457 pcg 1.24 #if ENABLE_DNS
458 pcg 1.40 u8 v; parse_bool (v, "enable-dns" , PROT_DNSv4, 0); node->protocols = (node->protocols & ~PROT_DNSv4) | v;
459 pcg 1.24 #endif
460 pcg 1.40 }
461     else if (!strcmp (var, "enable-udp"))
462     {
463     u8 v; parse_bool (v, "enable-udp" , PROT_UDPv4, 0); node->protocols = (node->protocols & ~PROT_UDPv4) | v;
464     }
465     else if (!strcmp (var, "enable-rawip"))
466     {
467     u8 v; parse_bool (v, "enable-rawip", PROT_IPv4, 0); node->protocols = (node->protocols & ~PROT_IPv4 ) | v;
468     }
469 pcg 1.42 else if (!strcmp (var, "allow-direct"))
470     node->allow_direct.push_back (strdup (val));
471     else if (!strcmp (var, "deny-direct"))
472     node->deny_direct.push_back (strdup (val));
473 pcg 1.43 else if (!strcmp (var, "max-ttl"))
474     node->max_ttl = atof (val);
475     else if (!strcmp (var, "max-queue"))
476 pcg 1.46 node->max_queue = atoi (val);
477 pcg 1.40
478     // unknown or misplaced
479     else
480     return _("unknown configuration directive. (ignored)");
481    
482     return 0;
483     }
484    
485 root 1.52 void
486     conf_node::finalise ()
487 pcg 1.46 {
488     if (max_queue < 1)
489     {
490     slog (L_WARN, _("%s: max-queue value invalid, setting it to 1."), nodename);
491     max_queue = 1;
492     }
493    
494 pcg 1.49 if (routerprio > 1 && (connectmode != C_ALWAYS && connectmode != C_DISABLED))
495 pcg 1.46 {
496 pcg 1.48 //slog (L_WARN, _("%s: has non-zero router-priority but either 'never' or 'ondemand' as connectmode, setting it to 'always'."), nodename);
497 pcg 1.46 connectmode = C_ALWAYS;
498     }
499     }
500    
501 root 1.52 void
502     configuration_parser::parse_argv ()
503 pcg 1.40 {
504     for (int i = 0; i < argc; ++i)
505     {
506     char *v = argv [i];
507    
508     if (!*v)
509     continue;
510    
511     char *enode = v;
512    
513     while (*enode != '.' && *enode > ' ' && *enode != '=' && *enode)
514     enode++;
515    
516     if (*enode != '.')
517     enode = 0;
518    
519     char *wnode = node == &conf.default_node
520     ? 0
521     : node->nodename;
522    
523     if ((!wnode && !enode)
524     || (wnode && enode && !strncmp (wnode, v, enode - v)))
525     {
526     const char *warn = parse_line (enode ? enode + 1 : v);
527    
528     if (warn)
529     slog (L_WARN, _("%s, while parsing command line option '%s'."), warn, v);
530    
531     *v = 0;
532     }
533     }
534     }
535    
536     configuration_parser::configuration_parser (configuration &conf,
537     bool need_keys,
538     int argc,
539     char **argv)
540     : conf (conf),need_keys (need_keys), argc (argc), argv (argv)
541     {
542     char *fname;
543     FILE *f;
544    
545     conf.clear ();
546    
547     asprintf (&fname, "%s/gvpe.conf", confbase);
548     f = fopen (fname, "r");
549    
550     if (f)
551     {
552     char line[16384];
553     int lineno = 0;
554     node = &conf.default_node;
555    
556     while (fgets (line, sizeof (line), f))
557     {
558     lineno++;
559    
560     const char *warn = parse_line (line);
561    
562     if (warn)
563     slog (L_WARN, _("%s, at '%s', line %d."), warn, fname, lineno);
564 pcg 1.1 }
565    
566     fclose (f);
567 pcg 1.40
568     parse_argv ();
569 pcg 1.1 }
570     else
571     {
572     slog (L_ERR, _("unable to read config file '%s': %s"), fname, strerror (errno));
573 pcg 1.22 exit (EXIT_FAILURE);
574 pcg 1.1 }
575    
576     free (fname);
577    
578 pcg 1.40 fname = conf.config_filename (conf.prikeyfile, "hostkey");
579 pcg 1.1
580     f = fopen (fname, "r");
581     if (f)
582     {
583 pcg 1.40 conf.rsa_key = RSA_new ();
584 pcg 1.1
585 pcg 1.40 if (!PEM_read_RSAPrivateKey (f, &conf.rsa_key, NULL, NULL))
586 pcg 1.1 {
587     ERR_load_RSA_strings (); ERR_load_PEM_strings ();
588     slog (L_ERR, _("unable to read private rsa key file '%s': %s"), fname, ERR_error_string (ERR_get_error (), 0));
589 pcg 1.22 exit (EXIT_FAILURE);
590 pcg 1.1 }
591    
592 pcg 1.40 require (RSA_blinding_on (conf.rsa_key, 0));
593 pcg 1.1
594     fclose (f);
595     }
596     else
597     {
598     slog (need_keys ? L_ERR : L_NOTICE, _("unable to open private rsa key file '%s': %s"), fname, strerror (errno));
599    
600     if (need_keys)
601 pcg 1.22 exit (EXIT_FAILURE);
602 pcg 1.1 }
603 pcg 1.22
604 pcg 1.23 if (need_keys && ::thisnode
605 pcg 1.40 && conf.rsa_key && conf.thisnode && conf.thisnode->rsa_key)
606     if (BN_cmp (conf.rsa_key->n, conf.thisnode->rsa_key->n) != 0
607     || BN_cmp (conf.rsa_key->e, conf.thisnode->rsa_key->e) != 0)
608 pcg 1.22 {
609     slog (L_NOTICE, _("private hostkey and public node key mismatch: is '%s' the correct node?"), ::thisnode);
610     exit (EXIT_FAILURE);
611     }
612 pcg 1.1
613     free (fname);
614 pcg 1.46
615     for (configuration::node_vector::iterator i = conf.nodes.begin(); i != conf.nodes.end(); ++i)
616     (*i)->finalise ();
617 pcg 1.1 }
618    
619 root 1.52 char *
620     configuration::config_filename (const char *name, const char *dflt)
621 pcg 1.1 {
622     char *fname;
623    
624     asprintf (&fname, name ? name : dflt, ::thisnode);
625    
626     if (!ABSOLUTE_PATH (fname))
627     {
628     char *rname = fname;
629     asprintf (&fname, "%s/%s", confbase, rname);
630     free (rname);
631     }
632    
633     return fname;
634     }
635    
636     void
637 root 1.54 conf_node::print ()
638     {
639     printf ("%4d fe:fd:80:00:0%1x:%02x %c %-8.8s %-10.10s %02x %s%s%d\n",
640     id,
641     id >> 8, id & 0xff,
642     compress ? 'Y' : 'N',
643     connectmode == C_ONDEMAND ? "ondemand"
644     : connectmode == C_NEVER ? "never"
645     : connectmode == C_ALWAYS ? "always"
646     : connectmode == C_DISABLED ? "disabled"
647     : "",
648     nodename,
649     protocols,
650     hostname ? hostname : "",
651     hostname ? ":" : "",
652     hostname ? udp_port : 0
653     );
654     }
655    
656     void
657 pcg 1.1 configuration::print ()
658     {
659     printf (_("\nConfiguration\n\n"));
660     printf (_("# of nodes: %d\n"), nodes.size ());
661     printf (_("this node: %s\n"), thisnode ? thisnode->nodename : "<unset>");
662     printf (_("MTU: %d\n"), mtu);
663     printf (_("rekeying interval: %d\n"), rekey);
664     printf (_("keepalive interval: %d\n"), keepalive);
665     printf (_("interface: %s\n"), ifname);
666     printf (_("primary rsa key: %s\n"), prikeyfile ? prikeyfile : "<default>");
667 pcg 1.15 printf (_("rsa key size: %d\n"), rsa_key ? RSA_size (rsa_key) * 8 : -1);
668 pcg 1.1 printf ("\n");
669    
670 root 1.54 printf ("%4s %-17s %s %-8.8s %-10.10s %04s %s\n",
671     _("ID#"), _("MAC"), _("Com"), _("Conmode"), _("Node"), _("Prot"), _("Host:Port"));
672 pcg 1.1
673     for (node_vector::iterator i = nodes.begin (); i != nodes.end (); ++i)
674     (*i)->print ();
675    
676     printf ("\n");
677     }
678    
679 pcg 1.12 configuration::configuration ()
680     {
681 pcg 1.27 asprintf (&confbase, "%s/gvpe", CONFDIR);
682 pcg 1.26
683 pcg 1.12 init ();
684     }
685    
686     configuration::~configuration ()
687 pcg 1.1 {
688 pcg 1.12 cleanup ();
689 pcg 1.1 }
690 pcg 1.12