projects / tinc / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Add timeouts to 'tinc join'
[tinc] / src / keys.c
1 #include "system.h"
2 #include "keys.h"
3 #include "conf.h"
4 #include "logger.h"
5 #include "names.h"
6 #include "xalloc.h"
7 #include "ecdsa.h"
8 #include "fs.h"
9
10 bool disable_old_keys(const char *filename, const char *what) {
11         char tmpfile[PATH_MAX] = "";
12         char buf[1024];
13         bool disabled = false;
14         bool block = false;
15         bool error = false;
16
17         FILE *r = fopen(filename, "r");
18         FILE *w = NULL;
19
20         if(!r) {
21                 return false;
22         }
23
24         size_t result = snprintf(tmpfile, sizeof(tmpfile), "%s.tmp", filename);
25
26         if(result < sizeof(tmpfile)) {
27                 struct stat st = {.st_mode = 0600};
28                 fstat(fileno(r), &st);
29                 w = fopenmask(tmpfile, "w", st.st_mode);
30         }
31
32         while(fgets(buf, sizeof(buf), r)) {
33                 if(!block && !strncmp(buf, "-----BEGIN ", 11)) {
34                         if((strstr(buf, " ED25519 ") && strstr(what, "Ed25519")) || (strstr(buf, " RSA ") && strstr(what, "RSA"))) {
35                                 disabled = true;
36                                 block = true;
37                         }
38                 }
39
40                 bool ed25519pubkey = !strncasecmp(buf, "Ed25519PublicKey", 16) && strchr(" \t=", buf[16]) && strstr(what, "Ed25519");
41
42                 if(ed25519pubkey) {
43                         disabled = true;
44                 }
45
46                 if(w) {
47                         if(block || ed25519pubkey) {
48                                 fputc('#', w);
49                         }
50
51                         if(fputs(buf, w) < 0) {
52                                 error = true;
53                                 break;
54                         }
55                 }
56
57                 if(block && !strncmp(buf, "-----END ", 9)) {
58                         block = false;
59                 }
60         }
61
62         if(w)
63                 if(fclose(w) < 0) {
64                         error = true;
65                 }
66
67         if(ferror(r) || fclose(r) < 0) {
68                 error = true;
69         }
70
71         if(disabled) {
72                 if(!w || error) {
73                         fprintf(stderr, "Warning: old key(s) found, remove them by hand!\n");
74
75                         if(w) {
76                                 unlink(tmpfile);
77                         }
78
79                         return false;
80                 }
81
82 #ifdef HAVE_WINDOWS
83                 // We cannot atomically replace files on Windows.
84                 char bakfile[PATH_MAX] = "";
85                 snprintf(bakfile, sizeof(bakfile), "%s.bak", filename);
86
87                 if(rename(filename, bakfile) || rename(tmpfile, filename)) {
88                         rename(bakfile, filename);
89 #else
90
91                 if(rename(tmpfile, filename)) {
92 #endif
93                         fprintf(stderr, "Warning: old key(s) found, remove them by hand!\n");
94                         unlink(tmpfile);
95                         return false;
96                 }
97
98 #ifdef HAVE_WINDOWS
99                 unlink(bakfile);
100 #endif
101                 fprintf(stderr, "Warning: old key(s) found and disabled.\n");
102         }
103
104         unlink(tmpfile);
105         return true;
106 }
107
108 ecdsa_t *read_ecdsa_private_key(splay_tree_t *config_tree, char **keyfile) {
109         FILE *fp;
110         char *fname;
111
112         /* Check for PrivateKeyFile statement and read it */
113
114         if(!get_config_string(lookup_config(config_tree, "Ed25519PrivateKeyFile"), &fname)) {
115                 xasprintf(&fname, "%s" SLASH "ed25519_key.priv", confbase);
116         }
117
118         fp = fopen(fname, "r");
119
120         if(!fp) {
121                 logger(DEBUG_ALWAYS, LOG_ERR, "Error reading Ed25519 private key file `%s': %s", fname, strerror(errno));
122
123                 if(errno == ENOENT) {
124                         logger(DEBUG_ALWAYS, LOG_INFO, "Create an Ed25519 key pair with `tinc -n %s generate-ed25519-keys'.", netname ? netname : ".");
125                 }
126
127                 free(fname);
128                 return NULL;
129         }
130
131 #ifndef HAVE_WINDOWS
132         struct stat s;
133
134         if(fstat(fileno(fp), &s)) {
135                 logger(DEBUG_ALWAYS, LOG_ERR, "Could not stat Ed25519 private key file `%s': %s'", fname, strerror(errno));
136                 free(fname);
137                 fclose(fp);
138                 return false;
139         }
140
141         if(s.st_mode & ~0100700u) {
142                 logger(DEBUG_ALWAYS, LOG_WARNING, "Warning: insecure file permissions for Ed25519 private key file `%s'!", fname);
143         }
144
145 #endif
146
147         ecdsa_t *key = ecdsa_read_pem_private_key(fp);
148         fclose(fp);
149
150         if(!key) {
151                 logger(DEBUG_ALWAYS, LOG_ERR, "Reading Ed25519 private key file `%s' failed", fname);
152                 free(fname);
153                 return NULL;
154         }
155
156         if(keyfile) {
157                 *keyfile = fname;
158         } else {
159                 free(fname);
160         }
161
162         return key;
163 }
164
165 ecdsa_t *read_ecdsa_public_key(splay_tree_t **config_tree, const char *name) {
166         FILE *fp;
167         char *fname;
168         char *p;
169
170         if(!*config_tree) {
171                 *config_tree = create_configuration();
172
173                 if(!read_host_config(*config_tree, name, true)) {
174                         return NULL;
175                 }
176         }
177
178         /* First, check for simple Ed25519PublicKey statement */
179
180         if(get_config_string(lookup_config(*config_tree, "Ed25519PublicKey"), &p)) {
181                 ecdsa_t *ecdsa = ecdsa_set_base64_public_key(p);
182                 free(p);
183                 return ecdsa;
184         }
185
186         /* Else, check for Ed25519PublicKeyFile statement and read it */
187
188         if(!get_config_string(lookup_config(*config_tree, "Ed25519PublicKeyFile"), &fname)) {
189                 xasprintf(&fname, "%s" SLASH "hosts" SLASH "%s", confbase, name);
190         }
191
192         fp = fopen(fname, "r");
193
194         if(!fp) {
195                 logger(DEBUG_ALWAYS, LOG_ERR, "Error reading Ed25519 public key file `%s': %s",
196                        fname, strerror(errno));
197                 free(fname);
198                 return NULL;
199         }
200
201         ecdsa_t *ecdsa = ecdsa_read_pem_public_key(fp);
202
203         if(!ecdsa && errno != ENOENT) {
204                 logger(DEBUG_ALWAYS, LOG_ERR, "Parsing Ed25519 public key file `%s' failed.", fname);
205         }
206
207         fclose(fp);
208         free(fname);
209
210         return ecdsa;
211 }
212
213 #ifndef DISABLE_LEGACY
214 rsa_t *read_rsa_private_key(splay_tree_t *config_tree, char **keyfile) {
215         FILE *fp;
216         char *fname;
217         char *n, *d;
218         rsa_t *key;
219
220         /* First, check for simple PrivateKey statement */
221
222         config_t *rsa_priv_conf = lookup_config(config_tree, "PrivateKey");
223
224         if(get_config_string(rsa_priv_conf, &d)) {
225                 if(!get_config_string(lookup_config(config_tree, "PublicKey"), &n)) {
226                         logger(DEBUG_ALWAYS, LOG_ERR, "PrivateKey used but no PublicKey found!");
227                         free_string(d);
228                         return NULL;
229                 }
230
231                 key = rsa_set_hex_private_key(n, "FFFF", d);
232                 free(n);
233                 free_string(d);
234
235                 if(key && keyfile && rsa_priv_conf->file) {
236                         *keyfile = xstrdup(rsa_priv_conf->file);
237                 }
238
239                 return key;
240         }
241
242         /* Else, check for PrivateKeyFile statement and read it */
243
244         if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname)) {
245                 xasprintf(&fname, "%s" SLASH "rsa_key.priv", confbase);
246         }
247
248         fp = fopen(fname, "r");
249
250         if(!fp) {
251                 logger(DEBUG_ALWAYS, LOG_ERR, "Error reading RSA private key file `%s': %s",
252                        fname, strerror(errno));
253
254                 if(errno == ENOENT) {
255                         logger(DEBUG_ALWAYS, LOG_INFO, "Create an RSA key pair with `tinc -n %s generate-rsa-keys'.", netname ? netname : ".");
256                 }
257
258                 free(fname);
259                 return NULL;
260         }
261
262 #ifndef HAVE_WINDOWS
263         struct stat s;
264
265         if(fstat(fileno(fp), &s)) {
266                 logger(DEBUG_ALWAYS, LOG_ERR, "Could not stat RSA private key file `%s': %s'", fname, strerror(errno));
267                 free(fname);
268                 fclose(fp);
269                 return NULL;
270         }
271
272         if(s.st_mode & ~0100700u) {
273                 logger(DEBUG_ALWAYS, LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
274         }
275
276 #endif
277
278         key = rsa_read_pem_private_key(fp);
279         fclose(fp);
280
281         if(!key) {
282                 logger(DEBUG_ALWAYS, LOG_ERR, "Reading RSA private key file `%s' failed: %s", fname, strerror(errno));
283                 free(fname);
284                 return NULL;
285         }
286
287         if(keyfile) {
288                 *keyfile = fname;
289         } else {
290                 free(fname);
291         }
292
293         return key;
294 }
295
296 rsa_t *read_rsa_public_key(splay_tree_t *config_tree, const char *name) {
297         FILE *fp;
298         char *fname;
299         char *n;
300
301         /* First, check for simple PublicKey statement */
302
303         if(get_config_string(lookup_config(config_tree, "PublicKey"), &n)) {
304                 rsa_t *rsa = rsa_set_hex_public_key(n, "FFFF");
305                 free(n);
306                 return rsa;
307         }
308
309         /* Else, check for PublicKeyFile statement and read it */
310
311         if(!get_config_string(lookup_config(config_tree, "PublicKeyFile"), &fname)) {
312                 xasprintf(&fname, "%s" SLASH "hosts" SLASH "%s", confbase, name);
313         }
314
315         fp = fopen(fname, "r");
316
317         if(!fp) {
318                 logger(DEBUG_ALWAYS, LOG_ERR, "Error reading RSA public key file `%s': %s", fname, strerror(errno));
319                 free(fname);
320                 return NULL;
321         }
322
323         rsa_t *rsa = rsa_read_pem_public_key(fp);
324         fclose(fp);
325
326         if(!rsa) {
327                 logger(DEBUG_ALWAYS, LOG_ERR, "Reading RSA public key file `%s' failed: %s", fname, strerror(errno));
328         }
329
330         free(fname);
331
332         return rsa;
333 }
334 #endif
tinc, the VPN daemon