--- gvpe/src/gvpectrl.C 2005/03/18 01:53:05 1.1 +++ gvpe/src/gvpectrl.C 2016/11/02 05:58:53 1.21 @@ -1,24 +1,34 @@ /* - vpectrl.C -- the main file for gvpectrl + gvpectrl.C -- the main file for gvpectrl Copyright (C) 1998-2002 Ivo Timmermans 2000-2002 Guus Sliepen - 2003-2005 Marc Lehmann + 2003-2013 Marc Lehmann This file is part of GVPE. - GVPE is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with gvpe; if not, write to the Free Software - Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + GVPE is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 3 of the License, or (at your + option) any later version. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General + Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, see . + + Additional permission under GNU GPL version 3 section 7 + + If you modify this Program, or any covered work, by linking or + combining it with the OpenSSL project's OpenSSL library (or a modified + version of that library), containing parts covered by the terms of the + OpenSSL or SSLeay licenses, the licensors of this Program grant you + additional permission to convey the resulting work. Corresponding + Source for a non-source form of such a combination shall include the + source code for the parts of OpenSSL used as well as that of the + covered work. */ #include "config.h" @@ -36,6 +46,7 @@ #include #include +#include #include #include #include @@ -54,25 +65,37 @@ /* If nonzero, print the version on standard output and exit. */ static int show_version; -/* If nonzero, it will attempt to kill a running vped and exit. */ -static int kill_vped; +/* If nonzero, it will attempt to kill a running gvpe and exit. */ +static int kill_gvpe; -/* If nonzero, it will attempt to kill a running vped and exit. */ +/* If nonzero, it will attempt to kill a running gvpe and exit. */ static int show_config; +/* If nonzero, do not output anything but warnings/errors/very unusual conditions */ +static int quiet; + +/* If nonzero, generate single public/private keypair. */ +static const char *generate_key; + /* If nonzero, generate public/private keypair for this net. */ static int generate_keys; +// output some debugging info, interna constants &c +static int debug_info; + static struct option const long_options[] = - { - {"config", required_argument, NULL, 'c'}, - {"kill", optional_argument, NULL, 'k'}, - {"help", no_argument, &show_help, 1}, - {"version", no_argument, &show_version, 1}, - {"generate-keys", no_argument, NULL, 'g'}, - {"show-config", no_argument, &show_config, 's'}, - {NULL, 0, NULL, 0} - }; +{ + {"config", required_argument, NULL, 'c'}, + {"kill", optional_argument, NULL, 'k'}, + {"help", no_argument, &show_help, 1}, + {"version", no_argument, &show_version, 1}, + {"generate-key", required_argument, NULL, 'g'}, + {"generate-keys", no_argument, NULL, 'G'}, + {"quiet", no_argument, &quiet, 1}, + {"show-config", no_argument, &show_config, 's'}, + {"debug-info", no_argument, &debug_info, 1}, + {NULL, 0, NULL, 0} +}; static void usage (int status) @@ -84,143 +107,212 @@ printf (_("Usage: %s [option]...\n\n"), get_identity ()); printf (_ (" -c, --config=DIR Read configuration options from DIR.\n" - " -k, --kill[=SIGNAL] Attempt to kill a running vped and exit.\n" - " -g, --generate-keys Generate public/private RSA keypair.\n" + " -k, --kill[=SIGNAL] Attempt to kill a running gvpe and exit.\n" + " -g, --generate-key=file Generate public/private RSA keypair.\n" + " -G, --generate-keys Generate all public/private RSA keypairs.\n" " -s, --show-config Display the configuration information.\n" + " -q, --quiet Be quite quiet.\n" " --help Display this help and exit.\n" " --version Output version information and exit.\n\n")); - printf (_("Report bugs to .\n")); + printf (_("Report bugs to .\n")); } exit (status); } -void +static void parse_options (int argc, char **argv, char **envp) { int r; int option_index = 0; - while ((r = - getopt_long (argc, argv, "c:k::gs", long_options, - &option_index)) != EOF) + while ((r = getopt_long (argc, argv, "c:k::qg:Gs", long_options, &option_index)) != EOF) { switch (r) { - case 0: /* long option */ - break; + case 0: /* long option */ + break; - case 'c': /* config file */ - confbase = strdup (optarg); - break; - - case 'k': /* kill old vpeds */ - if (optarg) - { - if (!strcasecmp (optarg, "HUP")) - kill_vped = SIGHUP; - else if (!strcasecmp (optarg, "TERM")) - kill_vped = SIGTERM; - else if (!strcasecmp (optarg, "KILL")) - kill_vped = SIGKILL; - else if (!strcasecmp (optarg, "USR1")) - kill_vped = SIGUSR1; - else if (!strcasecmp (optarg, "USR2")) - kill_vped = SIGUSR2; - else if (!strcasecmp (optarg, "INT")) - kill_vped = SIGINT; - else if (!strcasecmp (optarg, "ALRM")) - kill_vped = SIGALRM; - else - { - kill_vped = atoi (optarg); - - if (!kill_vped) - { - fprintf (stderr, - _ - ("Invalid argument `%s'; SIGNAL must be a number or one of HUP, TERM, KILL, USR1, USR2, WINCH, INT or ALRM.\n"), - optarg); - usage (1); - } - } - } - else - kill_vped = SIGTERM; - - break; - - case 'g': /* generate public/private keypair */ - generate_keys = RSA_KEYBITS; - break; - - case 's': - show_config = 1; - break; + case 'c': /* config file */ + confbase = strdup (optarg); + break; + + case 'k': /* kill old gvpes */ + if (optarg) + { + if (!strcasecmp (optarg, "HUP")) + kill_gvpe = SIGHUP; + else if (!strcasecmp (optarg, "TERM")) + kill_gvpe = SIGTERM; + else if (!strcasecmp (optarg, "KILL")) + kill_gvpe = SIGKILL; + else if (!strcasecmp (optarg, "USR1")) + kill_gvpe = SIGUSR1; + else if (!strcasecmp (optarg, "USR2")) + kill_gvpe = SIGUSR2; + else if (!strcasecmp (optarg, "INT")) + kill_gvpe = SIGINT; + else if (!strcasecmp (optarg, "ALRM")) + kill_gvpe = SIGALRM; + else + { + kill_gvpe = atoi (optarg); + + if (!kill_gvpe) + { + fprintf (stderr, + _ + ("Invalid argument `%s'; SIGNAL must be a number or one of HUP, TERM, KILL, USR1, USR2, WINCH, INT or ALRM.\n"), + optarg); + usage (1); + } + } + } + else + kill_gvpe = SIGTERM; + + break; + + case 'g': /* generate public/private keypair */ + generate_key = optarg; + break; + + case 'G': /* generate public/private keypairs */ + generate_keys = 1; + break; + + case 's': + show_config = 1; + break; + + case 'q': + quiet = 1; + break; - case '?': - usage (1); + case '?': + usage (1); - default: - break; + default: + break; } } } -/* This function prettyprints the key generation process */ - -void -indicator (int a, int b, void *p) +// this function prettyprints the key generation process +static int +indicator (int a, int b, BN_GENCB *cb) { + if (quiet) + return 1; + switch (a) { - case 0: - fprintf (stderr, "."); - break; - - case 1: - fprintf (stderr, "+"); - break; - - case 2: - fprintf (stderr, "-"); - break; - - case 3: - switch (b) - { - case 0: - fprintf (stderr, " p\n"); - break; - - case 1: - fprintf (stderr, " q\n"); - break; + case 0: + fprintf (stderr, "."); + break; + + case 1: + fprintf (stderr, "+"); + break; + + case 2: + fprintf (stderr, "-"); + break; + + case 3: + switch (b) + { + case 0: + fprintf (stderr, " p\n"); + break; + + case 1: + fprintf (stderr, " q\n"); + break; + + default: + fprintf (stderr, "?"); + } + break; - default: - fprintf (stderr, "?"); - } - break; - - default: - fprintf (stderr, "?"); + default: + fprintf (stderr, "?"); } + + return 1; } /* * generate public/private RSA keypairs for all hosts that don't have one. */ -int -keygen (int bits) +static int +keygen (const char *pub, const char *priv) { - RSA *rsa_key; - FILE *f; - char *name = NULL; - char *fname; - asprintf (&fname, "%s/hostkeys", confbase); - mkdir (fname, 0700); - free (fname); + FILE *pubf = fopen (pub, "ab"); + if (!pubf || fseek (pubf, 0, SEEK_END)) + { + perror (pub); + exit (EXIT_FAILURE); + } + + if (ftell (pubf)) + { + fclose (pubf); + return 1; + } + + FILE *privf = fopen (priv, "ab"); + + /* some libcs are buggy and require an extra seek to the end */ + if (!privf || fseek (privf, 0, SEEK_END)) + { + perror (priv); + exit (EXIT_FAILURE); + } + + if (ftell (privf)) + { + fclose (pubf); + fclose (privf); + return 1; + } + + RSA *rsa = RSA_new (); + BIGNUM *e = BN_new (); + BN_set_bit (e, 0); BN_set_bit (e, 16); // 0x10001, 65537 + +#if 0 +#if OPENSSL_VERSION_NUMBER < 0x10100000 + BN_GENCB cb_100; + BN_GENCB *cb = &cb_100; +#else + BN_GENCB *cb = BN_GENCB_new (); + require (cb); +#endif + + BN_GENCB_set (cb, indicator, 0); + require (RSA_generate_key_ex (rsa, RSABITS, e, cb)); +#else + require (RSA_generate_key_ex (rsa, RSABITS, e, 0)); +#endif + + require (PEM_write_RSAPublicKey (pubf, rsa)); + require (PEM_write_RSAPrivateKey (privf, rsa, NULL, NULL, 0, NULL, NULL)); + + fclose (pubf); + fclose (privf); + + BN_free (e); + RSA_free (rsa); + + return 0; +} + +static int +keygen_all () +{ + char *fname; asprintf (&fname, "%s/pubkey", confbase); mkdir (fname, 0700); @@ -230,56 +322,49 @@ { conf_node *node = *i; - asprintf (&fname, "%s/pubkey/%s", confbase, node->nodename); + ::thisnode = node->nodename; - f = fopen (fname, "a"); + char *pub = conf.config_filename ("pubkey/%s", 0); + char *priv = conf.config_filename (conf.prikeyfile, "hostkey"); - if (!f) - { - perror (fname); - exit (EXIT_FAILURE); - } + int status = keygen (pub, priv); - if (ftell (f)) + if (status == 0) { - fprintf (stderr, "'%s' already exists, skipping this node\n", - fname); - fclose (f); - continue; + if (!quiet) + fprintf (stderr, _("generated %d bits key for %s.\n"), RSABITS, node->nodename); } + else if (status == 1) + fprintf (stderr, _("'%s' keypair already exists, skipping node %s.\n"), pub, node->nodename); - fprintf (stderr, _("generating %d bits key for %s:\n"), bits, - node->nodename); - - rsa_key = RSA_generate_key (bits, 0xFFFF, indicator, NULL); + free (priv); + free (pub); + } - if (!rsa_key) - { - fprintf (stderr, _("error during key generation!\n")); - return -1; - } - else - fprintf (stderr, _("Done.\n")); + return 0; +} - require (PEM_write_RSAPublicKey (f, rsa_key)); - fclose (f); - free (fname); +static int +keygen_one (const char *pubname) +{ + char *privname; - asprintf (&fname, "%s/hostkeys/%s", confbase, node->nodename); + asprintf (&privname, "%s.key", pubname); - f = fopen (fname, "a"); - if (!f) - { - perror (fname); - exit (EXIT_FAILURE); - } + int status = keygen (pubname, privname); - require (PEM_write_RSAPrivateKey (f, rsa_key, NULL, NULL, 0, NULL, NULL)); - fclose (f); - free (fname); + if (status == 0) + { + if (!quiet) + fprintf (stderr, _("generated %d bits key as %s.\n"), RSABITS, pubname); + } + else if (status == 1) + { + fprintf (stderr, _("'%s' keypair already exists, not generating key.\n"), pubname); + exit (EXIT_FAILURE); } - return 0; + free(privname); } int @@ -296,11 +381,11 @@ if (show_version) { - printf (_("%s version %s (built %s %s, protocol %d.%d)\n"), get_identity (), + printf (_("%s version %s (built %s %s, protocol version %d.%d)\n"), get_identity (), VERSION, __DATE__, __TIME__, PROTOCOL_MAJOR, PROTOCOL_MINOR); printf (_("Built with kernel interface %s/%s.\n"), IFTYPE, IFSUBTYPE); printf (_ - ("Copyright (C) 2003 Marc Lehmann and others.\n" + ("Copyright (C) 2003-2013 Marc Lehmann and others.\n" "See the AUTHORS file for a complete list.\n\n" "vpe comes with ABSOLUTELY NO WARRANTY. This is free software,\n" "and you are welcome to redistribute it under certain conditions;\n" @@ -312,16 +397,38 @@ if (show_help) usage (0); - conf.read_config (false); + { + configuration_parser (conf, false, 0, 0); + } + + if (debug_info) + { + printf ("cipher_nid=%d\n", EVP_CIPHER_nid (CIPHER ())); + printf ("mac_nid=%d\n", EVP_MD_type (MAC_DIGEST ())); + printf ("auth_nid=%d\n", EVP_MD_type (AUTH_DIGEST ())); + printf ("sizeof_auth_data=%d\n", sizeof (auth_data)); + printf ("sizeof_rsa_data=%d\n", sizeof (rsa_data)); + printf ("sizeof_rsa_data_extra_auth=%d\n", sizeof (((rsa_data *)0)->extra_auth)); + printf ("raw_overhead=%d\n", VPE_OVERHEAD); + printf ("vpn_overhead=%d\n", VPE_OVERHEAD + 6 + 6); + printf ("udp_overhead=%d\n", UDP_OVERHEAD + VPE_OVERHEAD + 6 + 6); + exit (EXIT_SUCCESS); + } + + if (generate_key) + { + RAND_load_file (conf.seed_dev, SEED_SIZE); + exit (keygen_one (generate_key)); + } if (generate_keys) { - RAND_load_file ("/dev/urandom", 1024); - exit (keygen (generate_keys)); + RAND_load_file (conf.seed_dev, SEED_SIZE); + exit (keygen_all ()); } - if (kill_vped) - exit (kill_other (kill_vped)); + if (kill_gvpe) + exit (kill_other (kill_gvpe)); if (show_config) { @@ -331,3 +438,4 @@ usage (1); } +