1 | /* |
1 | /* |
2 | conf.c -- configuration code |
2 | conf.c -- configuration code |
3 | Copyright (C) 1998 Robert van der Meulen |
3 | Copyright (C) 2003-2004 Marc Lehmann <pcg@goof.com> |
4 | 1998-2002 Ivo Timmermans <ivo@o2w.nl> |
|
|
5 | 2000-2002 Guus Sliepen <guus@sliepen.eu.org> |
|
|
6 | 2000 Cris van Pelt <tribbel@arise.dhs.org> |
|
|
7 | 2003 Marc Lehmann <pcg@goof.com> |
|
|
8 | |
4 | |
9 | This program is free software; you can redistribute it and/or modify |
5 | This program is free software; you can redistribute it and/or modify |
10 | it under the terms of the GNU General Public License as published by |
6 | it under the terms of the GNU General Public License as published by |
11 | the Free Software Foundation; either version 2 of the License, or |
7 | the Free Software Foundation; either version 2 of the License, or |
12 | (at your option) any later version. |
8 | (at your option) any later version. |
… | |
… | |
31 | #include <netdb.h> |
27 | #include <netdb.h> |
32 | #include <sys/stat.h> |
28 | #include <sys/stat.h> |
33 | #include <sys/types.h> |
29 | #include <sys/types.h> |
34 | #include <unistd.h> |
30 | #include <unistd.h> |
35 | |
31 | |
36 | #include <netinet/in.h> |
32 | #include "netcompat.h" |
37 | |
33 | |
38 | #include <openssl/err.h> |
34 | #include <openssl/err.h> |
39 | #include <openssl/pem.h> |
35 | #include <openssl/pem.h> |
40 | #include <openssl/rsa.h> |
36 | #include <openssl/rsa.h> |
41 | #include <openssl/rand.h> |
37 | #include <openssl/rand.h> |
|
|
38 | #include <openssl/bn.h> |
42 | |
39 | |
43 | #include "gettext.h" |
40 | #include "gettext.h" |
44 | |
41 | |
45 | #include "conf.h" |
42 | #include "conf.h" |
46 | #include "slog.h" |
43 | #include "slog.h" |
… | |
… | |
53 | |
50 | |
54 | struct configuration conf; |
51 | struct configuration conf; |
55 | |
52 | |
56 | u8 best_protocol (u8 protset) |
53 | u8 best_protocol (u8 protset) |
57 | { |
54 | { |
58 | if (protset & PROT_IPv4 ) return PROT_IPv4; |
55 | if (protset & PROT_IPv4 ) return PROT_IPv4; |
|
|
56 | if (protset & PROT_ICMPv4) return PROT_ICMPv4; |
59 | if (protset & PROT_UDPv4) return PROT_UDPv4; |
57 | if (protset & PROT_UDPv4 ) return PROT_UDPv4; |
60 | if (protset & PROT_TCPv4) return PROT_TCPv4; |
58 | if (protset & PROT_TCPv4 ) return PROT_TCPv4; |
61 | |
59 | |
62 | return 0; |
60 | return 0; |
63 | } |
61 | } |
64 | |
62 | |
65 | const char *strprotocol (u8 protocol) |
63 | const char *strprotocol (u8 protocol) |
66 | { |
64 | { |
67 | if (protocol & PROT_IPv4 ) return "rawip"; |
65 | if (protocol & PROT_IPv4 ) return "rawip"; |
|
|
66 | if (protocol & PROT_ICMPv4) return "icmp"; |
68 | if (protocol & PROT_UDPv4) return "udp"; |
67 | if (protocol & PROT_UDPv4 ) return "udp"; |
69 | if (protocol & PROT_TCPv4) return "tcp"; |
68 | if (protocol & PROT_TCPv4 ) return "tcp"; |
70 | |
69 | |
71 | return "<unknown>"; |
70 | return "<unknown>"; |
72 | } |
71 | } |
73 | |
72 | |
74 | void |
73 | void |
… | |
… | |
99 | |
98 | |
100 | void configuration::init () |
99 | void configuration::init () |
101 | { |
100 | { |
102 | memset (this, 0, sizeof (*this)); |
101 | memset (this, 0, sizeof (*this)); |
103 | |
102 | |
|
|
103 | mtu = DEFAULT_MTU; |
104 | rekey = DEFAULT_REKEY; |
104 | rekey = DEFAULT_REKEY; |
105 | keepalive = DEFAULT_KEEPALIVE; |
105 | keepalive = DEFAULT_KEEPALIVE; |
106 | llevel = L_INFO; |
106 | llevel = L_INFO; |
107 | ip_proto = IPPROTO_GRE; |
107 | ip_proto = IPPROTO_GRE; |
|
|
108 | #if ENABLE_ICMP |
|
|
109 | icmp_type = ICMP_ECHOREPLY; |
|
|
110 | #endif |
108 | |
111 | |
109 | default_node.udp_port = DEFAULT_UDPPORT; |
112 | default_node.udp_port = DEFAULT_UDPPORT; |
110 | default_node.tcp_port = DEFAULT_UDPPORT; |
113 | default_node.tcp_port = DEFAULT_UDPPORT; |
111 | default_node.connectmode = conf_node::C_ALWAYS; |
114 | default_node.connectmode = conf_node::C_ALWAYS; |
112 | default_node.compress = true; |
115 | default_node.compress = true; |
… | |
… | |
223 | else |
226 | else |
224 | slog (L_WARN, "'%s': %s, at '%s' line %d", val, UNKNOWN_LOGLEVEL, fname, line); |
227 | slog (L_WARN, "'%s': %s, at '%s' line %d", val, UNKNOWN_LOGLEVEL, fname, line); |
225 | } |
228 | } |
226 | else if (!strcmp (var, "ip-proto")) |
229 | else if (!strcmp (var, "ip-proto")) |
227 | ip_proto = atoi (val); |
230 | ip_proto = atoi (val); |
|
|
231 | else if (!strcmp (var, "icmp-type")) |
|
|
232 | { |
|
|
233 | #if ENABLE_ICMP |
|
|
234 | icmp_type = atoi (val); |
|
|
235 | #endif |
|
|
236 | } |
228 | |
237 | |
229 | // per config |
238 | // per config |
230 | else if (!strcmp (var, "node")) |
239 | else if (!strcmp (var, "node")) |
231 | { |
240 | { |
232 | default_node.id++; |
241 | default_node.id++; |
… | |
… | |
250 | |
259 | |
251 | if (!PEM_read_RSAPublicKey(f, &node->rsa_key, NULL, NULL)) |
260 | if (!PEM_read_RSAPublicKey(f, &node->rsa_key, NULL, NULL)) |
252 | { |
261 | { |
253 | ERR_load_RSA_strings (); ERR_load_PEM_strings (); |
262 | ERR_load_RSA_strings (); ERR_load_PEM_strings (); |
254 | slog (L_ERR, _("unable to open public rsa key file '%s': %s"), fname, ERR_error_string (ERR_get_error (), 0)); |
263 | slog (L_ERR, _("unable to open public rsa key file '%s': %s"), fname, ERR_error_string (ERR_get_error (), 0)); |
255 | exit (1); |
264 | exit (EXIT_FAILURE); |
256 | } |
265 | } |
257 | |
266 | |
258 | RSA_blinding_on (node->rsa_key, 0); |
267 | require (RSA_blinding_on (node->rsa_key, 0)); |
259 | |
268 | |
260 | fclose (f); |
269 | fclose (f); |
261 | } |
270 | } |
262 | else |
271 | else |
263 | { |
272 | { |
264 | slog (need_keys ? L_ERR : L_NOTICE, _("unable to read public rsa key file '%s': %s"), fname, strerror (errno)); |
273 | slog (need_keys ? L_ERR : L_NOTICE, _("unable to read public rsa key file '%s': %s"), fname, strerror (errno)); |
265 | |
274 | |
266 | if (need_keys) |
275 | if (need_keys) |
267 | exit (1); |
276 | exit (EXIT_FAILURE); |
268 | } |
277 | } |
269 | |
278 | |
270 | free (fname); |
279 | free (fname); |
271 | } |
280 | } |
272 | |
281 | |
… | |
… | |
291 | script_if_up = strdup (val); |
300 | script_if_up = strdup (val); |
292 | else if (!strcmp (var, "node-up")) |
301 | else if (!strcmp (var, "node-up")) |
293 | script_node_up = strdup (val); |
302 | script_node_up = strdup (val); |
294 | else if (!strcmp (var, "node-down")) |
303 | else if (!strcmp (var, "node-down")) |
295 | script_node_down = strdup (val); |
304 | script_node_down = strdup (val); |
|
|
305 | else if (!strcmp (var, "http-proxy-host")) |
|
|
306 | { |
296 | #if ENABLE_HTTP_PROXY |
307 | #if ENABLE_HTTP_PROXY |
297 | else if (!strcmp (var, "http-proxy-host")) |
|
|
298 | proxy_host = strdup (val); |
308 | proxy_host = strdup (val); |
|
|
309 | #endif |
|
|
310 | } |
299 | else if (!strcmp (var, "http-proxy-port")) |
311 | else if (!strcmp (var, "http-proxy-port")) |
|
|
312 | { |
|
|
313 | #if ENABLE_HTTP_PROXY |
300 | proxy_port = atoi (val); |
314 | proxy_port = atoi (val); |
|
|
315 | #endif |
|
|
316 | } |
301 | else if (!strcmp (var, "http-proxy-auth")) |
317 | else if (!strcmp (var, "http-proxy-auth")) |
|
|
318 | { |
|
|
319 | #if ENABLE_HTTP_PROXY |
302 | proxy_auth = (char *)base64_encode ((const u8 *)val, strlen (val)); |
320 | proxy_auth = (char *)base64_encode ((const u8 *)val, strlen (val)); |
303 | #endif |
321 | #endif |
|
|
322 | } |
304 | |
323 | |
305 | /* node-specific, non-defaultable */ |
324 | /* node-specific, non-defaultable */ |
306 | else if (node != &default_node && !strcmp (var, "hostname")) |
325 | else if (node != &default_node && !strcmp (var, "hostname")) |
307 | { |
326 | { |
308 | free (node->hostname); |
327 | free (node->hostname); |
… | |
… | |
344 | { |
363 | { |
345 | #if ENABLE_TCP |
364 | #if ENABLE_TCP |
346 | u8 v; parse_bool (v, "enable-tcp" , PROT_TCPv4, 0); node->protocols = (node->protocols & ~PROT_TCPv4) | v; |
365 | u8 v; parse_bool (v, "enable-tcp" , PROT_TCPv4, 0); node->protocols = (node->protocols & ~PROT_TCPv4) | v; |
347 | #endif |
366 | #endif |
348 | } |
367 | } |
|
|
368 | else if (!strcmp (var, "enable-icmp")) |
|
|
369 | { |
|
|
370 | #if ENABLE_ICMP |
|
|
371 | u8 v; parse_bool (v, "enable-icmp" , PROT_ICMPv4, 0); node->protocols = (node->protocols & ~PROT_ICMPv4) | v; |
|
|
372 | #endif |
|
|
373 | } |
349 | else if (!strcmp (var, "enable-udp")) |
374 | else if (!strcmp (var, "enable-udp")) |
350 | { |
375 | { |
351 | u8 v; parse_bool (v, "enable-udp" , PROT_UDPv4, 0); node->protocols = (node->protocols & ~PROT_UDPv4) | v; |
376 | u8 v; parse_bool (v, "enable-udp" , PROT_UDPv4, 0); node->protocols = (node->protocols & ~PROT_UDPv4) | v; |
352 | } |
377 | } |
353 | else if (!strcmp (var, "enable-rawip")) |
378 | else if (!strcmp (var, "enable-rawip")) |
… | |
… | |
365 | fclose (f); |
390 | fclose (f); |
366 | } |
391 | } |
367 | else |
392 | else |
368 | { |
393 | { |
369 | slog (L_ERR, _("unable to read config file '%s': %s"), fname, strerror (errno)); |
394 | slog (L_ERR, _("unable to read config file '%s': %s"), fname, strerror (errno)); |
370 | exit (1); |
395 | exit (EXIT_FAILURE); |
371 | } |
396 | } |
372 | |
397 | |
373 | free (fname); |
398 | free (fname); |
374 | |
399 | |
375 | fname = config_filename (prikeyfile, "hostkey"); |
400 | fname = config_filename (prikeyfile, "hostkey"); |
… | |
… | |
381 | |
406 | |
382 | if (!PEM_read_RSAPrivateKey (f, &rsa_key, NULL, NULL)) |
407 | if (!PEM_read_RSAPrivateKey (f, &rsa_key, NULL, NULL)) |
383 | { |
408 | { |
384 | ERR_load_RSA_strings (); ERR_load_PEM_strings (); |
409 | ERR_load_RSA_strings (); ERR_load_PEM_strings (); |
385 | slog (L_ERR, _("unable to read private rsa key file '%s': %s"), fname, ERR_error_string (ERR_get_error (), 0)); |
410 | slog (L_ERR, _("unable to read private rsa key file '%s': %s"), fname, ERR_error_string (ERR_get_error (), 0)); |
386 | exit (1); |
411 | exit (EXIT_FAILURE); |
387 | } |
412 | } |
388 | |
413 | |
389 | RSA_blinding_on (rsa_key, 0); |
414 | require (RSA_blinding_on (rsa_key, 0)); |
390 | |
415 | |
391 | fclose (f); |
416 | fclose (f); |
392 | } |
417 | } |
393 | else |
418 | else |
394 | { |
419 | { |
395 | slog (need_keys ? L_ERR : L_NOTICE, _("unable to open private rsa key file '%s': %s"), fname, strerror (errno)); |
420 | slog (need_keys ? L_ERR : L_NOTICE, _("unable to open private rsa key file '%s': %s"), fname, strerror (errno)); |
396 | |
421 | |
397 | if (need_keys) |
422 | if (need_keys) |
398 | exit (1); |
423 | exit (EXIT_FAILURE); |
399 | } |
424 | } |
|
|
425 | |
|
|
426 | if (need_keys && rsa_key && thisnode && thisnode->rsa_key) |
|
|
427 | if (BN_cmp (rsa_key->n, thisnode->rsa_key->n) != 0 |
|
|
428 | || BN_cmp (rsa_key->e, thisnode->rsa_key->e) != 0) |
|
|
429 | { |
|
|
430 | slog (L_NOTICE, _("private hostkey and public node key mismatch: is '%s' the correct node?"), ::thisnode); |
|
|
431 | exit (EXIT_FAILURE); |
|
|
432 | } |
400 | |
433 | |
401 | free (fname); |
434 | free (fname); |
402 | } |
435 | } |
403 | |
436 | |
404 | char *configuration::config_filename (const char *name, const char *dflt) |
437 | char *configuration::config_filename (const char *name, const char *dflt) |
… | |
… | |
426 | printf (_("MTU: %d\n"), mtu); |
459 | printf (_("MTU: %d\n"), mtu); |
427 | printf (_("rekeying interval: %d\n"), rekey); |
460 | printf (_("rekeying interval: %d\n"), rekey); |
428 | printf (_("keepalive interval: %d\n"), keepalive); |
461 | printf (_("keepalive interval: %d\n"), keepalive); |
429 | printf (_("interface: %s\n"), ifname); |
462 | printf (_("interface: %s\n"), ifname); |
430 | printf (_("primary rsa key: %s\n"), prikeyfile ? prikeyfile : "<default>"); |
463 | printf (_("primary rsa key: %s\n"), prikeyfile ? prikeyfile : "<default>"); |
431 | printf (_("rsa key size: %d\n"), rsa_key ? RSA_size (rsa_key) : -1); |
464 | printf (_("rsa key size: %d\n"), rsa_key ? RSA_size (rsa_key) * 8 : -1); |
432 | printf ("\n"); |
465 | printf ("\n"); |
433 | |
466 | |
434 | printf ("%4s %-17s %s %-8.8s %-10.10s %s\n", |
467 | printf ("%4s %-17s %s %-8.8s %-10.10s %s\n", |
435 | _("ID#"), _("MAC"), _("Com"), _("Conmode"), _("Node"), _("Host:Port")); |
468 | _("ID#"), _("MAC"), _("Com"), _("Conmode"), _("Node"), _("Host:Port")); |
436 | |
469 | |