1 | /* |
1 | /* |
2 | conf.c -- configuration code |
2 | conf.c -- configuration code |
3 | Copyright (C) 1998 Robert van der Meulen |
3 | Copyright (C) 2003-2004 Marc Lehmann <pcg@goof.com> |
4 | 1998-2002 Ivo Timmermans <ivo@o2w.nl> |
|
|
5 | 2000-2002 Guus Sliepen <guus@sliepen.eu.org> |
|
|
6 | 2000 Cris van Pelt <tribbel@arise.dhs.org> |
|
|
7 | 2003 Marc Lehmann <pcg@goof.com> |
|
|
8 | |
4 | |
9 | This program is free software; you can redistribute it and/or modify |
5 | This program is free software; you can redistribute it and/or modify |
10 | it under the terms of the GNU General Public License as published by |
6 | it under the terms of the GNU General Public License as published by |
11 | the Free Software Foundation; either version 2 of the License, or |
7 | the Free Software Foundation; either version 2 of the License, or |
12 | (at your option) any later version. |
8 | (at your option) any later version. |
… | |
… | |
31 | #include <netdb.h> |
27 | #include <netdb.h> |
32 | #include <sys/stat.h> |
28 | #include <sys/stat.h> |
33 | #include <sys/types.h> |
29 | #include <sys/types.h> |
34 | #include <unistd.h> |
30 | #include <unistd.h> |
35 | |
31 | |
36 | #include <netinet/in.h> |
32 | #include "netcompat.h" |
37 | #include <netinet/ip_icmp.h> |
|
|
38 | |
33 | |
39 | #include <openssl/err.h> |
34 | #include <openssl/err.h> |
40 | #include <openssl/pem.h> |
35 | #include <openssl/pem.h> |
41 | #include <openssl/rsa.h> |
36 | #include <openssl/rsa.h> |
42 | #include <openssl/rand.h> |
37 | #include <openssl/rand.h> |
|
|
38 | #include <openssl/bn.h> |
43 | |
39 | |
44 | #include "gettext.h" |
40 | #include "gettext.h" |
45 | |
41 | |
46 | #include "conf.h" |
42 | #include "conf.h" |
47 | #include "slog.h" |
43 | #include "slog.h" |
… | |
… | |
102 | |
98 | |
103 | void configuration::init () |
99 | void configuration::init () |
104 | { |
100 | { |
105 | memset (this, 0, sizeof (*this)); |
101 | memset (this, 0, sizeof (*this)); |
106 | |
102 | |
|
|
103 | mtu = DEFAULT_MTU; |
107 | rekey = DEFAULT_REKEY; |
104 | rekey = DEFAULT_REKEY; |
108 | keepalive = DEFAULT_KEEPALIVE; |
105 | keepalive = DEFAULT_KEEPALIVE; |
109 | llevel = L_INFO; |
106 | llevel = L_INFO; |
110 | ip_proto = IPPROTO_GRE; |
107 | ip_proto = IPPROTO_GRE; |
|
|
108 | #if ENABLE_ICMP |
111 | icmp_type = ICMP_ECHOREPLY; |
109 | icmp_type = ICMP_ECHOREPLY; |
|
|
110 | #endif |
112 | |
111 | |
113 | default_node.udp_port = DEFAULT_UDPPORT; |
112 | default_node.udp_port = DEFAULT_UDPPORT; |
114 | default_node.tcp_port = DEFAULT_UDPPORT; |
113 | default_node.tcp_port = DEFAULT_UDPPORT; |
115 | default_node.connectmode = conf_node::C_ALWAYS; |
114 | default_node.connectmode = conf_node::C_ALWAYS; |
116 | default_node.compress = true; |
115 | default_node.compress = true; |
… | |
… | |
228 | slog (L_WARN, "'%s': %s, at '%s' line %d", val, UNKNOWN_LOGLEVEL, fname, line); |
227 | slog (L_WARN, "'%s': %s, at '%s' line %d", val, UNKNOWN_LOGLEVEL, fname, line); |
229 | } |
228 | } |
230 | else if (!strcmp (var, "ip-proto")) |
229 | else if (!strcmp (var, "ip-proto")) |
231 | ip_proto = atoi (val); |
230 | ip_proto = atoi (val); |
232 | else if (!strcmp (var, "icmp-type")) |
231 | else if (!strcmp (var, "icmp-type")) |
|
|
232 | { |
|
|
233 | #if ENABLE_ICMP |
233 | icmp_type = atoi (val); |
234 | icmp_type = atoi (val); |
|
|
235 | #endif |
|
|
236 | } |
234 | |
237 | |
235 | // per config |
238 | // per config |
236 | else if (!strcmp (var, "node")) |
239 | else if (!strcmp (var, "node")) |
237 | { |
240 | { |
238 | default_node.id++; |
241 | default_node.id++; |
… | |
… | |
256 | |
259 | |
257 | if (!PEM_read_RSAPublicKey(f, &node->rsa_key, NULL, NULL)) |
260 | if (!PEM_read_RSAPublicKey(f, &node->rsa_key, NULL, NULL)) |
258 | { |
261 | { |
259 | ERR_load_RSA_strings (); ERR_load_PEM_strings (); |
262 | ERR_load_RSA_strings (); ERR_load_PEM_strings (); |
260 | slog (L_ERR, _("unable to open public rsa key file '%s': %s"), fname, ERR_error_string (ERR_get_error (), 0)); |
263 | slog (L_ERR, _("unable to open public rsa key file '%s': %s"), fname, ERR_error_string (ERR_get_error (), 0)); |
261 | exit (1); |
264 | exit (EXIT_FAILURE); |
262 | } |
265 | } |
263 | |
266 | |
264 | RSA_blinding_on (node->rsa_key, 0); |
267 | require (RSA_blinding_on (node->rsa_key, 0)); |
265 | |
268 | |
266 | fclose (f); |
269 | fclose (f); |
267 | } |
270 | } |
268 | else |
271 | else |
269 | { |
272 | { |
270 | slog (need_keys ? L_ERR : L_NOTICE, _("unable to read public rsa key file '%s': %s"), fname, strerror (errno)); |
273 | slog (need_keys ? L_ERR : L_NOTICE, _("unable to read public rsa key file '%s': %s"), fname, strerror (errno)); |
271 | |
274 | |
272 | if (need_keys) |
275 | if (need_keys) |
273 | exit (1); |
276 | exit (EXIT_FAILURE); |
274 | } |
277 | } |
275 | |
278 | |
276 | free (fname); |
279 | free (fname); |
277 | } |
280 | } |
278 | |
281 | |
279 | if (!::thisnode || !strcmp (node->nodename, ::thisnode)) |
282 | if (::thisnode && !strcmp (node->nodename, ::thisnode)) |
280 | thisnode = node; |
283 | thisnode = node; |
281 | } |
284 | } |
282 | else if (!strcmp (var, "private-key")) |
285 | else if (!strcmp (var, "private-key")) |
283 | prikeyfile = strdup (val); |
286 | prikeyfile = strdup (val); |
284 | else if (!strcmp (var, "ifpersist")) |
287 | else if (!strcmp (var, "ifpersist")) |
… | |
… | |
297 | script_if_up = strdup (val); |
300 | script_if_up = strdup (val); |
298 | else if (!strcmp (var, "node-up")) |
301 | else if (!strcmp (var, "node-up")) |
299 | script_node_up = strdup (val); |
302 | script_node_up = strdup (val); |
300 | else if (!strcmp (var, "node-down")) |
303 | else if (!strcmp (var, "node-down")) |
301 | script_node_down = strdup (val); |
304 | script_node_down = strdup (val); |
|
|
305 | else if (!strcmp (var, "http-proxy-host")) |
|
|
306 | { |
302 | #if ENABLE_HTTP_PROXY |
307 | #if ENABLE_HTTP_PROXY |
303 | else if (!strcmp (var, "http-proxy-host")) |
|
|
304 | proxy_host = strdup (val); |
308 | proxy_host = strdup (val); |
|
|
309 | #endif |
|
|
310 | } |
305 | else if (!strcmp (var, "http-proxy-port")) |
311 | else if (!strcmp (var, "http-proxy-port")) |
|
|
312 | { |
|
|
313 | #if ENABLE_HTTP_PROXY |
306 | proxy_port = atoi (val); |
314 | proxy_port = atoi (val); |
|
|
315 | #endif |
|
|
316 | } |
307 | else if (!strcmp (var, "http-proxy-auth")) |
317 | else if (!strcmp (var, "http-proxy-auth")) |
|
|
318 | { |
|
|
319 | #if ENABLE_HTTP_PROXY |
308 | proxy_auth = (char *)base64_encode ((const u8 *)val, strlen (val)); |
320 | proxy_auth = (char *)base64_encode ((const u8 *)val, strlen (val)); |
309 | #endif |
321 | #endif |
|
|
322 | } |
310 | |
323 | |
311 | /* node-specific, non-defaultable */ |
324 | /* node-specific, non-defaultable */ |
312 | else if (node != &default_node && !strcmp (var, "hostname")) |
325 | else if (node != &default_node && !strcmp (var, "hostname")) |
313 | { |
326 | { |
314 | free (node->hostname); |
327 | free (node->hostname); |
… | |
… | |
377 | fclose (f); |
390 | fclose (f); |
378 | } |
391 | } |
379 | else |
392 | else |
380 | { |
393 | { |
381 | slog (L_ERR, _("unable to read config file '%s': %s"), fname, strerror (errno)); |
394 | slog (L_ERR, _("unable to read config file '%s': %s"), fname, strerror (errno)); |
382 | exit (1); |
395 | exit (EXIT_FAILURE); |
383 | } |
396 | } |
384 | |
397 | |
385 | free (fname); |
398 | free (fname); |
386 | |
399 | |
387 | fname = config_filename (prikeyfile, "hostkey"); |
400 | fname = config_filename (prikeyfile, "hostkey"); |
… | |
… | |
393 | |
406 | |
394 | if (!PEM_read_RSAPrivateKey (f, &rsa_key, NULL, NULL)) |
407 | if (!PEM_read_RSAPrivateKey (f, &rsa_key, NULL, NULL)) |
395 | { |
408 | { |
396 | ERR_load_RSA_strings (); ERR_load_PEM_strings (); |
409 | ERR_load_RSA_strings (); ERR_load_PEM_strings (); |
397 | slog (L_ERR, _("unable to read private rsa key file '%s': %s"), fname, ERR_error_string (ERR_get_error (), 0)); |
410 | slog (L_ERR, _("unable to read private rsa key file '%s': %s"), fname, ERR_error_string (ERR_get_error (), 0)); |
398 | exit (1); |
411 | exit (EXIT_FAILURE); |
399 | } |
412 | } |
400 | |
413 | |
401 | RSA_blinding_on (rsa_key, 0); |
414 | require (RSA_blinding_on (rsa_key, 0)); |
402 | |
415 | |
403 | fclose (f); |
416 | fclose (f); |
404 | } |
417 | } |
405 | else |
418 | else |
406 | { |
419 | { |
407 | slog (need_keys ? L_ERR : L_NOTICE, _("unable to open private rsa key file '%s': %s"), fname, strerror (errno)); |
420 | slog (need_keys ? L_ERR : L_NOTICE, _("unable to open private rsa key file '%s': %s"), fname, strerror (errno)); |
408 | |
421 | |
409 | if (need_keys) |
422 | if (need_keys) |
410 | exit (1); |
423 | exit (EXIT_FAILURE); |
411 | } |
424 | } |
|
|
425 | |
|
|
426 | if (need_keys && ::thisnode |
|
|
427 | && rsa_key && thisnode && thisnode->rsa_key) |
|
|
428 | if (BN_cmp (rsa_key->n, thisnode->rsa_key->n) != 0 |
|
|
429 | || BN_cmp (rsa_key->e, thisnode->rsa_key->e) != 0) |
|
|
430 | { |
|
|
431 | slog (L_NOTICE, _("private hostkey and public node key mismatch: is '%s' the correct node?"), ::thisnode); |
|
|
432 | exit (EXIT_FAILURE); |
|
|
433 | } |
412 | |
434 | |
413 | free (fname); |
435 | free (fname); |
414 | } |
436 | } |
415 | |
437 | |
416 | char *configuration::config_filename (const char *name, const char *dflt) |
438 | char *configuration::config_filename (const char *name, const char *dflt) |