| 1 | /* |
1 | /* |
| 2 | gvpectrl.C -- the main file for gvpectrl |
2 | gvpectrl.C -- the main file for gvpectrl |
| 3 | Copyright (C) 1998-2002 Ivo Timmermans <ivo@o2w.nl> |
3 | Copyright (C) 1998-2002 Ivo Timmermans <ivo@o2w.nl> |
| 4 | 2000-2002 Guus Sliepen <guus@sliepen.eu.org> |
4 | 2000-2002 Guus Sliepen <guus@sliepen.eu.org> |
| 5 | 2003-2011 Marc Lehmann <gvpe@schmorp.de> |
5 | 2003-2013 Marc Lehmann <gvpe@schmorp.de> |
| 6 | |
6 | |
| 7 | This file is part of GVPE. |
7 | This file is part of GVPE. |
| 8 | |
8 | |
| 9 | GVPE is free software; you can redistribute it and/or modify it |
9 | GVPE is free software; you can redistribute it and/or modify it |
| 10 | under the terms of the GNU General Public License as published by the |
10 | under the terms of the GNU General Public License as published by the |
| … | |
… | |
| 44 | #include <sys/stat.h> |
44 | #include <sys/stat.h> |
| 45 | #include <sys/types.h> |
45 | #include <sys/types.h> |
| 46 | #include <unistd.h> |
46 | #include <unistd.h> |
| 47 | #include <signal.h> |
47 | #include <signal.h> |
| 48 | |
48 | |
|
|
49 | #include <openssl/bn.h> |
| 49 | #include <openssl/rand.h> |
50 | #include <openssl/rand.h> |
| 50 | #include <openssl/rsa.h> |
51 | #include <openssl/rsa.h> |
| 51 | #include <openssl/pem.h> |
52 | #include <openssl/pem.h> |
| 52 | #include <openssl/evp.h> |
53 | #include <openssl/evp.h> |
| 53 | |
54 | |
| … | |
… | |
| 73 | /* If nonzero, do not output anything but warnings/errors/very unusual conditions */ |
74 | /* If nonzero, do not output anything but warnings/errors/very unusual conditions */ |
| 74 | static int quiet; |
75 | static int quiet; |
| 75 | |
76 | |
| 76 | /* If nonzero, generate public/private keypair for this net. */ |
77 | /* If nonzero, generate public/private keypair for this net. */ |
| 77 | static int generate_keys; |
78 | static int generate_keys; |
|
|
79 | |
|
|
80 | // output some debugging info, interna constants &c |
|
|
81 | static int debug_info; |
| 78 | |
82 | |
| 79 | static struct option const long_options[] = |
83 | static struct option const long_options[] = |
| 80 | { |
84 | { |
| 81 | {"config", required_argument, NULL, 'c'}, |
85 | {"config", required_argument, NULL, 'c'}, |
| 82 | {"kill", optional_argument, NULL, 'k'}, |
86 | {"kill", optional_argument, NULL, 'k'}, |
| 83 | {"help", no_argument, &show_help, 1}, |
87 | {"help", no_argument, &show_help, 1}, |
| 84 | {"version", no_argument, &show_version, 1}, |
88 | {"version", no_argument, &show_version, 1}, |
| 85 | {"generate-keys", no_argument, NULL, 'g'}, |
89 | {"generate-keys", no_argument, NULL, 'g'}, |
| 86 | {"quiet", no_argument, &quiet, 1}, |
90 | {"quiet", no_argument, &quiet, 1}, |
| 87 | {"show-config", no_argument, &show_config, 's'}, |
91 | {"show-config", no_argument, &show_config, 's'}, |
|
|
92 | {"debug-info", no_argument, &debug_info, 1}, |
| 88 | {NULL, 0, NULL, 0} |
93 | {NULL, 0, NULL, 0} |
| 89 | }; |
94 | }; |
| 90 | |
95 | |
| 91 | static void |
96 | static void |
| 92 | usage (int status) |
97 | usage (int status) |
| … | |
… | |
| 162 | kill_gvpe = SIGTERM; |
167 | kill_gvpe = SIGTERM; |
| 163 | |
168 | |
| 164 | break; |
169 | break; |
| 165 | |
170 | |
| 166 | case 'g': /* generate public/private keypair */ |
171 | case 'g': /* generate public/private keypair */ |
| 167 | generate_keys = RSA_KEYBITS; |
172 | generate_keys = RSABITS; |
| 168 | break; |
173 | break; |
| 169 | |
174 | |
| 170 | case 's': |
175 | case 's': |
| 171 | show_config = 1; |
176 | show_config = 1; |
| 172 | break; |
177 | break; |
| … | |
… | |
| 183 | } |
188 | } |
| 184 | } |
189 | } |
| 185 | } |
190 | } |
| 186 | |
191 | |
| 187 | // this function prettyprints the key generation process |
192 | // this function prettyprints the key generation process |
| 188 | static void |
193 | static int |
| 189 | indicator (int a, int b, void *p) |
194 | indicator (int a, int b, BN_GENCB *cb) |
| 190 | { |
195 | { |
| 191 | if (quiet) |
196 | if (quiet) |
| 192 | return; |
197 | return 1; |
| 193 | |
198 | |
| 194 | switch (a) |
199 | switch (a) |
| 195 | { |
200 | { |
| 196 | case 0: |
201 | case 0: |
| 197 | fprintf (stderr, "."); |
202 | fprintf (stderr, "."); |
| … | |
… | |
| 222 | break; |
227 | break; |
| 223 | |
228 | |
| 224 | default: |
229 | default: |
| 225 | fprintf (stderr, "?"); |
230 | fprintf (stderr, "?"); |
| 226 | } |
231 | } |
|
|
232 | |
|
|
233 | return 1; |
| 227 | } |
234 | } |
| 228 | |
235 | |
| 229 | /* |
236 | /* |
| 230 | * generate public/private RSA keypairs for all hosts that don't have one. |
237 | * generate public/private RSA keypairs for all hosts that don't have one. |
| 231 | */ |
238 | */ |
| 232 | static int |
239 | static int |
| 233 | keygen (int bits) |
240 | keygen (int bits) |
| 234 | { |
241 | { |
| 235 | RSA *rsa_key; |
242 | FILE *f, *pubf; |
| 236 | FILE *f; |
|
|
| 237 | char *name = NULL; |
|
|
| 238 | char *fname; |
243 | char *fname; |
| 239 | |
|
|
| 240 | asprintf (&fname, "%s/hostkeys", confbase); |
|
|
| 241 | mkdir (fname, 0700); |
|
|
| 242 | free (fname); |
|
|
| 243 | |
244 | |
| 244 | asprintf (&fname, "%s/pubkey", confbase); |
245 | asprintf (&fname, "%s/pubkey", confbase); |
| 245 | mkdir (fname, 0700); |
246 | mkdir (fname, 0700); |
| 246 | free (fname); |
247 | free (fname); |
| 247 | |
248 | |
| 248 | for (configuration::node_vector::iterator i = conf.nodes.begin (); i != conf.nodes.end (); ++i) |
249 | for (configuration::node_vector::iterator i = conf.nodes.begin (); i != conf.nodes.end (); ++i) |
| 249 | { |
250 | { |
| 250 | conf_node *node = *i; |
251 | conf_node *node = *i; |
| 251 | |
252 | |
| 252 | asprintf (&fname, "%s/pubkey/%s", confbase, node->nodename); |
253 | ::thisnode = node->nodename; |
| 253 | |
254 | |
|
|
255 | fname = conf.config_filename (conf.prikeyfile, "hostkey"); |
|
|
256 | |
| 254 | f = fopen (fname, "a"); |
257 | f = fopen (fname, "ab"); |
| 255 | |
258 | |
| 256 | /* some libcs are buggy and require an extra seek to the end */ |
259 | /* some libcs are buggy and require an extra seek to the end */ |
| 257 | if (!f || fseek (f, 0, SEEK_END)) |
260 | if (!f || fseek (f, 0, SEEK_END)) |
| 258 | { |
261 | { |
| 259 | perror (fname); |
262 | perror (fname); |
| … | |
… | |
| 261 | } |
264 | } |
| 262 | |
265 | |
| 263 | if (ftell (f)) |
266 | if (ftell (f)) |
| 264 | { |
267 | { |
| 265 | if (!quiet) |
268 | if (!quiet) |
| 266 | fprintf (stderr, "'%s' already exists, skipping this node %d\n", |
269 | fprintf (stderr, "'%s' already exists, skipping node %s\n", fname, node->nodename); |
| 267 | fname, quiet); |
|
|
| 268 | |
270 | |
|
|
271 | free (fname); |
| 269 | fclose (f); |
272 | fclose (f); |
| 270 | continue; |
273 | continue; |
| 271 | } |
274 | } |
| 272 | |
275 | |
| 273 | fprintf (stderr, _("generating %d bits key for %s:\n"), bits, |
|
|
| 274 | node->nodename); |
|
|
| 275 | |
|
|
| 276 | rsa_key = RSA_generate_key (bits, 0xFFFF, indicator, NULL); |
|
|
| 277 | |
|
|
| 278 | if (!rsa_key) |
|
|
| 279 | { |
|
|
| 280 | fprintf (stderr, _("error during key generation!\n")); |
|
|
| 281 | return -1; |
|
|
| 282 | } |
|
|
| 283 | else |
|
|
| 284 | fprintf (stderr, _("Done.\n")); |
|
|
| 285 | |
|
|
| 286 | require (PEM_write_RSAPublicKey (f, rsa_key)); |
|
|
| 287 | fclose (f); |
|
|
| 288 | free (fname); |
276 | free (fname); |
| 289 | |
277 | |
| 290 | asprintf (&fname, "%s/hostkeys/%s", confbase, node->nodename); |
278 | fprintf (stderr, _("generating %d bits key for %s:\n"), bits, node->nodename); |
| 291 | |
279 | |
|
|
280 | RSA *rsa = RSA_new (); |
|
|
281 | BIGNUM *e = BN_new (); |
|
|
282 | BN_set_bit (e, 0); BN_set_bit (e, 16); // 0x10001, 65537 |
|
|
283 | |
|
|
284 | #if OPENSSL_VERSION_NUMBER < 0x10100000 |
|
|
285 | BN_GENCB cb; |
|
|
286 | BN_GENCB_set (&cb, indicator, 0); |
|
|
287 | require (RSA_generate_key_ex (rsa, bits, e, &cb)); |
|
|
288 | #else |
|
|
289 | BN_GENCB *cb = BN_GENCB_new (); |
|
|
290 | BN_GENCB_set (cb, indicator, 0); |
|
|
291 | require (RSA_generate_key_ex (rsa, bits, e, cb)); |
|
|
292 | #endif |
|
|
293 | |
|
|
294 | fprintf (stderr, _("Done.\n")); |
|
|
295 | |
|
|
296 | fname = conf.config_filename ("pubkey/%s", 0); |
| 292 | f = fopen (fname, "a"); |
297 | pubf = fopen (fname, "wb"); |
| 293 | if (!f) |
298 | if (!pubf) |
| 294 | { |
299 | { |
| 295 | perror (fname); |
300 | perror (fname); |
| 296 | exit (EXIT_FAILURE); |
301 | exit (EXIT_FAILURE); |
| 297 | } |
302 | } |
| 298 | |
303 | |
|
|
304 | free (fname); |
|
|
305 | |
|
|
306 | require (PEM_write_RSAPublicKey (pubf, rsa)); |
|
|
307 | fclose (pubf); |
|
|
308 | |
| 299 | require (PEM_write_RSAPrivateKey (f, rsa_key, NULL, NULL, 0, NULL, NULL)); |
309 | require (PEM_write_RSAPrivateKey (f, rsa, NULL, NULL, 0, NULL, NULL)); |
| 300 | fclose (f); |
310 | fclose (f); |
|
|
311 | |
| 301 | free (fname); |
312 | BN_free (e); |
|
|
313 | RSA_free (rsa); |
| 302 | } |
314 | } |
| 303 | |
315 | |
| 304 | return 0; |
316 | return 0; |
| 305 | } |
317 | } |
| 306 | |
318 | |
| … | |
… | |
| 320 | { |
332 | { |
| 321 | printf (_("%s version %s (built %s %s, protocol version %d.%d)\n"), get_identity (), |
333 | printf (_("%s version %s (built %s %s, protocol version %d.%d)\n"), get_identity (), |
| 322 | VERSION, __DATE__, __TIME__, PROTOCOL_MAJOR, PROTOCOL_MINOR); |
334 | VERSION, __DATE__, __TIME__, PROTOCOL_MAJOR, PROTOCOL_MINOR); |
| 323 | printf (_("Built with kernel interface %s/%s.\n"), IFTYPE, IFSUBTYPE); |
335 | printf (_("Built with kernel interface %s/%s.\n"), IFTYPE, IFSUBTYPE); |
| 324 | printf (_ |
336 | printf (_ |
| 325 | ("Copyright (C) 2003-2008 Marc Lehmann <gvpe@schmorp.de> and others.\n" |
337 | ("Copyright (C) 2003-2013 Marc Lehmann <gvpe@schmorp.de> and others.\n" |
| 326 | "See the AUTHORS file for a complete list.\n\n" |
338 | "See the AUTHORS file for a complete list.\n\n" |
| 327 | "vpe comes with ABSOLUTELY NO WARRANTY. This is free software,\n" |
339 | "vpe comes with ABSOLUTELY NO WARRANTY. This is free software,\n" |
| 328 | "and you are welcome to redistribute it under certain conditions;\n" |
340 | "and you are welcome to redistribute it under certain conditions;\n" |
| 329 | "see the file COPYING for details.\n")); |
341 | "see the file COPYING for details.\n")); |
| 330 | |
342 | |
| … | |
… | |
| 336 | |
348 | |
| 337 | { |
349 | { |
| 338 | configuration_parser (conf, false, 0, 0); |
350 | configuration_parser (conf, false, 0, 0); |
| 339 | } |
351 | } |
| 340 | |
352 | |
|
|
353 | if (debug_info) |
|
|
354 | { |
|
|
355 | printf ("cipher_nid=%d\n", EVP_CIPHER_nid (CIPHER ())); |
|
|
356 | printf ("mac_nid=%d\n", EVP_MD_type (MAC_DIGEST ())); |
|
|
357 | printf ("auth_nid=%d\n", EVP_MD_type (AUTH_DIGEST ())); |
|
|
358 | printf ("sizeof_auth_data=%d\n", sizeof (auth_data)); |
|
|
359 | printf ("sizeof_rsa_data=%d\n", sizeof (rsa_data)); |
|
|
360 | printf ("sizeof_rsa_data_extra_auth=%d\n", sizeof (((rsa_data *)0)->extra_auth)); |
|
|
361 | printf ("raw_overhead=%d\n", VPE_OVERHEAD); |
|
|
362 | printf ("vpn_overhead=%d\n", VPE_OVERHEAD + 6 + 6); |
|
|
363 | printf ("udp_overhead=%d\n", UDP_OVERHEAD + VPE_OVERHEAD + 6 + 6); |
|
|
364 | exit (EXIT_SUCCESS); |
|
|
365 | } |
|
|
366 | |
| 341 | if (generate_keys) |
367 | if (generate_keys) |
| 342 | { |
368 | { |
| 343 | RAND_load_file ("/dev/urandom", 1024); |
369 | RAND_load_file (conf.seed_dev, SEED_SIZE); |
| 344 | exit (keygen (generate_keys)); |
370 | exit (keygen (generate_keys)); |
| 345 | } |
371 | } |
| 346 | |
372 | |
| 347 | if (kill_gvpe) |
373 | if (kill_gvpe) |
| 348 | exit (kill_other (kill_gvpe)); |
374 | exit (kill_other (kill_gvpe)); |
| … | |
… | |
| 353 | exit (EXIT_SUCCESS); |
379 | exit (EXIT_SUCCESS); |
| 354 | } |
380 | } |
| 355 | |
381 | |
| 356 | usage (1); |
382 | usage (1); |
| 357 | } |
383 | } |
|
|
384 | |
