static bool upgrade_h(connection_t *c, const char *request) { char pubkey[MAX_STRING_SIZE]; if(sscanf(request, "%*d " MAX_STRING, pubkey) != 1) { logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s)", "ACK", c->name, c->hostname); return false; } if(ecdsa_active(c->ecdsa) || read_ecdsa_public_key(c)) { char *knownkey = ecdsa_get_base64_public_key(c->ecdsa); bool different = strcmp(knownkey, pubkey); free(knownkey); if(different) { logger(DEBUG_ALWAYS, LOG_ERR, "Already have an Ed25519 public key from %s (%s) which is different from the one presented now!", c->name, c->hostname); return false; } logger(DEBUG_ALWAYS, LOG_INFO, "Already have Ed25519 public key from %s (%s), ignoring.", c->name, c->hostname); c->allow_request = TERMREQ; return send_termreq(c); } c->ecdsa = ecdsa_set_base64_public_key(pubkey); if(!c->ecdsa) { logger(DEBUG_ALWAYS, LOG_INFO, "Got bad Ed25519 public key from %s (%s), not upgrading.", c->name, c->hostname); return false; } logger(DEBUG_ALWAYS, LOG_INFO, "Got Ed25519 public key from %s (%s), upgrading!", c->name, c->hostname); append_config_file(c->name, "Ed25519PublicKey", pubkey); c->allow_request = TERMREQ; return send_termreq(c); }
static bool send_upgrade(connection_t *c) { /* Special case when protocol_minor is 1: the other end is Ed25519 capable, * but doesn't know our key yet. So send it now. */ char *pubkey = ecdsa_get_base64_public_key(myself->connection->ecdsa); if(!pubkey) return false; bool result = send_request(c, "%d %s", ACK, pubkey); free(pubkey); return result; }
bool id_h(connection_t *c, const char *request) { char name[MAX_STRING_SIZE]; if(sscanf(request, "%*d " MAX_STRING " %d.%d", name, &c->protocol_major, &c->protocol_minor) < 2) { logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s)", "ID", c->name, c->hostname); return false; } /* Check if this is a control connection */ if(name[0] == '^' && !strcmp(name + 1, controlcookie)) { c->status.control = true; c->allow_request = CONTROL; c->last_ping_time = now.tv_sec + 3600; free(c->name); c->name = xstrdup("<control>"); return send_request(c, "%d %d %d", ACK, TINC_CTL_VERSION_CURRENT, getpid()); } if(name[0] == '?') { if(!invitation_key) { logger(DEBUG_ALWAYS, LOG_ERR, "Got invitation from %s but we don't have an invitation key", c->hostname); return false; } c->ecdsa = ecdsa_set_base64_public_key(name + 1); if(!c->ecdsa) { logger(DEBUG_ALWAYS, LOG_ERR, "Got bad invitation from %s", c->hostname); return false; } c->status.invitation = true; char *mykey = ecdsa_get_base64_public_key(invitation_key); if(!mykey) return false; if(!send_request(c, "%d %s", ACK, mykey)) return false; free(mykey); c->protocol_minor = 2; return sptps_start(&c->sptps, c, false, false, invitation_key, c->ecdsa, "tinc invitation", 15, send_meta_sptps, receive_invitation_sptps); } /* Check if identity is a valid name */ if(!check_id(name)) { logger(DEBUG_ALWAYS, LOG_ERR, "Got bad %s from %s (%s): %s", "ID", c->name, c->hostname, "invalid name"); return false; } /* If this is an outgoing connection, make sure we are connected to the right host */ if(c->outgoing) { if(strcmp(c->name, name)) { logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s is %s instead of %s", c->hostname, name, c->name); return false; } } else { if(c->name) free(c->name); c->name = xstrdup(name); } /* Check if version matches */ if(c->protocol_major != myself->connection->protocol_major) { logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s (%s) uses incompatible version %d.%d", c->name, c->hostname, c->protocol_major, c->protocol_minor); return false; } if(bypass_security) { if(!c->config_tree) init_configuration(&c->config_tree); c->allow_request = ACK; return send_ack(c); } if(!experimental) c->protocol_minor = 0; if(!c->config_tree) { init_configuration(&c->config_tree); if(!read_host_config(c->config_tree, c->name)) { logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s had unknown identity (%s)", c->hostname, c->name); return false; } if(experimental) read_ecdsa_public_key(c); /* Ignore failures if no key known yet */ } if(c->protocol_minor && !ecdsa_active(c->ecdsa)) c->protocol_minor = 1; /* Forbid version rollback for nodes whose Ed25519 key we know */ if(ecdsa_active(c->ecdsa) && c->protocol_minor < 2) { logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s (%s) tries to roll back protocol version to %d.%d", c->name, c->hostname, c->protocol_major, c->protocol_minor); return false; } c->allow_request = METAKEY; if(c->protocol_minor >= 2) { c->allow_request = ACK; char label[25 + strlen(myself->name) + strlen(c->name)]; if(c->outgoing) snprintf(label, sizeof label, "tinc TCP key expansion %s %s", myself->name, c->name); else snprintf(label, sizeof label, "tinc TCP key expansion %s %s", c->name, myself->name); return sptps_start(&c->sptps, c, c->outgoing, false, myself->connection->ecdsa, c->ecdsa, label, sizeof label, send_meta_sptps, receive_meta_sptps); } else { return send_metakey(c); } }
static bool receive_invitation_sptps(void *handle, uint8_t type, const void *data, uint16_t len) { connection_t *c = handle; if(type == 128) return true; if(type == 1 && c->status.invitation_used) return finalize_invitation(c, data, len); if(type != 0 || len != 18 || c->status.invitation_used) return false; // Recover the filename from the cookie and the key digest_t *digest = digest_open_by_name("sha256", 18); if(!digest) abort(); char *fingerprint = ecdsa_get_base64_public_key(invitation_key); char hashbuf[18 + strlen(fingerprint)]; char cookie[25]; memcpy(hashbuf, data, 18); memcpy(hashbuf + 18, fingerprint, sizeof hashbuf - 18); digest_create(digest, hashbuf, sizeof hashbuf, cookie); b64encode_urlsafe(cookie, cookie, 18); digest_close(digest); free(fingerprint); char filename[PATH_MAX], usedname[PATH_MAX]; snprintf(filename, sizeof filename, "%s" SLASH "invitations" SLASH "%s", confbase, cookie); snprintf(usedname, sizeof usedname, "%s" SLASH "invitations" SLASH "%s.used", confbase, cookie); // Atomically rename the invitation file if(rename(filename, usedname)) { if(errno == ENOENT) logger(DEBUG_ALWAYS, LOG_ERR, "Peer %s tried to use non-existing invitation %s\n", c->hostname, cookie); else logger(DEBUG_ALWAYS, LOG_ERR, "Error trying to rename invitation %s\n", cookie); return false; } // Open the renamed file FILE *f = fopen(usedname, "r"); if(!f) { logger(DEBUG_ALWAYS, LOG_ERR, "Error trying to open invitation %s\n", cookie); return false; } // Read the new node's Name from the file char buf[1024]; fgets(buf, sizeof buf, f); if(*buf) buf[strlen(buf) - 1] = 0; len = strcspn(buf, " \t="); char *name = buf + len; name += strspn(name, " \t"); if(*name == '=') { name++; name += strspn(name, " \t"); } buf[len] = 0; if(!*buf || !*name || strcasecmp(buf, "Name") || !check_id(name)) { logger(DEBUG_ALWAYS, LOG_ERR, "Invalid invitation file %s\n", cookie); fclose(f); return false; } free(c->name); c->name = xstrdup(name); // Send the node the contents of the invitation file rewind(f); size_t result; while((result = fread(buf, 1, sizeof buf, f))) sptps_send_record(&c->sptps, 0, buf, result); sptps_send_record(&c->sptps, 1, buf, 0); fclose(f); unlink(usedname); c->status.invitation_used = true; logger(DEBUG_CONNECTIONS, LOG_INFO, "Invitation %s succesfully sent to %s (%s)", cookie, c->name, c->hostname); return true; }
int fsck(const char *argv0) { #ifdef HAVE_MINGW int uid = 0; #else uid_t uid = getuid(); #endif // Check that tinc.conf is readable. if(access(tinc_conf, R_OK)) { fprintf(stderr, "ERROR: cannot read %s: %s\n", tinc_conf, strerror(errno)); if(errno == ENOENT) { fprintf(stderr, "No tinc configuration found. Create a new one with:\n\n"); print_tinc_cmd(argv0, "init"); } else if(errno == EACCES) { if(uid != 0) fprintf(stderr, "You are currently not running tinc as root. Use sudo?\n"); else fprintf(stderr, "Check the permissions of each component of the path %s.\n", tinc_conf); } return 1; } char *name = get_my_name(true); if(!name) { fprintf(stderr, "ERROR: tinc cannot run without a valid Name.\n"); return 1; } // Check for private keys. // TODO: use RSAPrivateKeyFile and Ed25519PrivateKeyFile variables if present. struct stat st; char fname[PATH_MAX]; char dname[PATH_MAX]; ecdsa_t *ecdsa_priv = NULL; snprintf(fname, sizeof fname, "%s/ed25519_key.priv", confbase); if(stat(fname, &st)) { if(errno != ENOENT) { // Something is seriously wrong here. If we can access the directory with tinc.conf in it, we should certainly be able to stat() an existing file. fprintf(stderr, "ERROR: cannot read %s: %s\n", fname, strerror(errno)); fprintf(stderr, "Please correct this error.\n"); return 1; } } else { FILE *f = fopen(fname, "r"); if(!f) { fprintf(stderr, "ERROR: could not open %s: %s\n", fname, strerror(errno)); return 1; } ecdsa_priv = ecdsa_read_pem_private_key(f); fclose(f); if(!ecdsa_priv) { fprintf(stderr, "ERROR: No key or unusable key found in %s.\n", fname); fprintf(stderr, "You can generate a new Ed25519 key with:\n\n"); print_tinc_cmd(argv0, "generate-ed25519-keys"); return 1; } if(st.st_mode & 077) { fprintf(stderr, "WARNING: unsafe file permissions on %s.\n", fname); if(st.st_uid != uid) { fprintf(stderr, "You are not running %s as the same uid as %s.\n", argv0, fname); } else if(ask_fix()) { if(chmod(fname, st.st_mode & ~077)) fprintf(stderr, "ERROR: could not change permissions of %s: %s\n", fname, strerror(errno)); else fprintf(stderr, "Fixed permissions of %s.\n", fname); } } } if(!ecdsa_priv) { fprintf(stderr, "ERROR: No Ed25519 private key found.\n"); fprintf(stderr, "You can generate new keys with:\n\n"); print_tinc_cmd(argv0, "generate-keys"); return 1; } // Check for public keys. // TODO: use RSAPublicKeyFile and Ed25519PublicKeyFile variables if present. snprintf(fname, sizeof fname, "%s/hosts/%s", confbase, name); if(access(fname, R_OK)) fprintf(stderr, "WARNING: cannot read %s\n", fname); FILE *f; // TODO: this should read the Ed25519PublicKey config variable instead. ecdsa_t *ecdsa_pub = NULL; f = fopen(fname, "r"); if(f) ecdsa_pub = ecdsa_read_pem_public_key(f); fclose(f); if(ecdsa_priv) { if(!ecdsa_pub) { fprintf(stderr, "WARNING: No (usable) public Ed25519 key found.\n"); if(ask_fix()) { FILE *f = fopen(fname, "a"); if(f) { if(ecdsa_write_pem_public_key(ecdsa_priv, f)) fprintf(stderr, "Wrote Ed25519 public key to %s.\n", fname); else fprintf(stderr, "ERROR: could not write Ed25519 public key to %s.\n", fname); fclose(f); } else { fprintf(stderr, "ERROR: could not append to %s: %s\n", fname, strerror(errno)); } } } else { // TODO: suggest remedies char *key1 = ecdsa_get_base64_public_key(ecdsa_pub); if(!key1) { fprintf(stderr, "ERROR: public Ed25519 key does not work.\n"); return 1; } char *key2 = ecdsa_get_base64_public_key(ecdsa_priv); if(!key2) { free(key1); fprintf(stderr, "ERROR: private Ed25519 key does not work.\n"); return 1; } int result = strcmp(key1, key2); free(key1); free(key2); if(result) { fprintf(stderr, "ERROR: public and private Ed25519 keys do not match.\n"); return 1; } } } else { if(ecdsa_pub) fprintf(stderr, "WARNING: A public Ed25519 key was found but no private key is known.\n"); } // Check whether scripts are executable struct dirent *ent; DIR *dir = opendir(confbase); if(!dir) { fprintf(stderr, "ERROR: cannot read directory %s: %s\n", confbase, strerror(errno)); return 1; } while((ent = readdir(dir))) { if(strtailcmp(ent->d_name, "-up") && strtailcmp(ent->d_name, "-down")) continue; strncpy(fname, ent->d_name, sizeof fname); char *dash = strrchr(fname, '-'); if(!dash) continue; *dash = 0; if(strcmp(fname, "tinc") && strcmp(fname, "host") && strcmp(fname, "subnet")) { static bool explained = false; fprintf(stderr, "WARNING: Unknown script %s" SLASH "%s found.\n", confbase, ent->d_name); if(!explained) { fprintf(stderr, "The only scripts in %s executed by tinc are:\n", confbase); fprintf(stderr, "tinc-up, tinc-down, host-up, host-down, subnet-up and subnet-down.\n"); explained = true; } continue; } snprintf(fname, sizeof fname, "%s" SLASH "%s", confbase, ent->d_name); if(access(fname, R_OK | X_OK)) { if(errno != EACCES) { fprintf(stderr, "ERROR: cannot access %s: %s\n", fname, strerror(errno)); continue; } fprintf(stderr, "WARNING: cannot read and execute %s: %s\n", fname, strerror(errno)); if(ask_fix()) { if(chmod(fname, 0755)) fprintf(stderr, "ERROR: cannot change permissions on %s: %s\n", fname, strerror(errno)); } } } closedir(dir); snprintf(dname, sizeof dname, "%s" SLASH "hosts", confbase); dir = opendir(dname); if(!dir) { fprintf(stderr, "ERROR: cannot read directory %s: %s\n", dname, strerror(errno)); return 1; } while((ent = readdir(dir))) { if(strtailcmp(ent->d_name, "-up") && strtailcmp(ent->d_name, "-down")) continue; strncpy(fname, ent->d_name, sizeof fname); char *dash = strrchr(fname, '-'); if(!dash) continue; *dash = 0; snprintf(fname, sizeof fname, "%s" SLASH "hosts" SLASH "%s", confbase, ent->d_name); if(access(fname, R_OK | X_OK)) { if(errno != EACCES) { fprintf(stderr, "ERROR: cannot access %s: %s\n", fname, strerror(errno)); continue; } fprintf(stderr, "WARNING: cannot read and execute %s: %s\n", fname, strerror(errno)); if(ask_fix()) { if(chmod(fname, 0755)) fprintf(stderr, "ERROR: cannot change permissions on %s: %s\n", fname, strerror(errno)); } } } closedir(dir); // Check for obsolete / unsafe / unknown configuration variables. check_conffile(tinc_conf, true); dir = opendir(dname); if(dir) { while((ent = readdir(dir))) { if(!check_id(ent->d_name)) continue; snprintf(fname, sizeof fname, "%s" SLASH "hosts" SLASH "%s", confbase, ent->d_name); check_conffile(fname, false); } closedir(dir); } return 0; }
int cmd_join(int argc, char *argv[]) { free(data); data = NULL; datalen = 0; if(argc > 2) { fprintf(stderr, "Too many arguments!\n"); return 1; } // Make sure confbase exists and is accessible. if(!confbase_given && mkdir(confdir, 0755) && errno != EEXIST) { fprintf(stderr, "Could not create directory %s: %s\n", confdir, strerror(errno)); return 1; } if(mkdir(confbase, 0777) && errno != EEXIST) { fprintf(stderr, "Could not create directory %s: %s\n", confbase, strerror(errno)); return 1; } if(access(confbase, R_OK | W_OK | X_OK)) { fprintf(stderr, "No permission to write in directory %s: %s\n", confbase, strerror(errno)); return 1; } // If a netname or explicit configuration directory is specified, check for an existing tinc.conf. if((netname || confbasegiven) && !access(tinc_conf, F_OK)) { fprintf(stderr, "Configuration file %s already exists!\n", tinc_conf); return 1; } // Either read the invitation from the command line or from stdin. char *invitation; if(argc > 1) { invitation = argv[1]; } else { if(tty) fprintf(stderr, "Enter invitation URL: "); errno = EPIPE; if(!fgets(line, sizeof line, stdin)) { fprintf(stderr, "Error while reading stdin: %s\n", strerror(errno)); return false; } invitation = line; } // Parse the invitation URL. rstrip(line); char *slash = strchr(invitation, '/'); if(!slash) goto invalid; *slash++ = 0; if(strlen(slash) != 48) goto invalid; char *address = invitation; char *port = NULL; if(*address == '[') { address++; char *bracket = strchr(address, ']'); if(!bracket) goto invalid; *bracket = 0; if(bracket[1] == ':') port = bracket + 2; } else { port = strchr(address, ':'); if(port) *port++ = 0; } if(!port || !*port) port = "655"; if(!b64decode(slash, hash, 24) || !b64decode(slash + 24, cookie, 24)) goto invalid; // Generate a throw-away key for the invitation. ecdsa_t *key = ecdsa_generate(); if(!key) return 1; char *b64key = ecdsa_get_base64_public_key(key); // Connect to the tinc daemon mentioned in the URL. struct addrinfo *ai = str2addrinfo(address, port, SOCK_STREAM); if(!ai) return 1; struct addrinfo *aip = NULL; next: if(!aip) aip = ai; else { aip = aip->ai_next; if(!aip) return 1; } sock = socket(aip->ai_family, aip->ai_socktype, aip->ai_protocol); if(sock <= 0) { fprintf(stderr, "Could not open socket: %s\n", strerror(errno)); goto next; } if(connect(sock, aip->ai_addr, aip->ai_addrlen)) { char *addrstr, *portstr; sockaddr2str((sockaddr_t *)aip->ai_addr, &addrstr, &portstr); fprintf(stderr, "Could not connect to %s port %s: %s\n", addrstr, portstr, strerror(errno)); free(addrstr); free(portstr); closesocket(sock); goto next; } fprintf(stderr, "Connected to %s port %s...\n", address, port); // Tell him we have an invitation, and give him our throw-away key. int len = snprintf(line, sizeof line, "0 ?%s %d.%d\n", b64key, PROT_MAJOR, PROT_MINOR); if(len <= 0 || len >= sizeof line) abort(); if(!sendline(sock, "0 ?%s %d.%d", b64key, PROT_MAJOR, 1)) { fprintf(stderr, "Error sending request to %s port %s: %s\n", address, port, strerror(errno)); closesocket(sock); goto next; } char hisname[4096] = ""; int code, hismajor, hisminor = 0; if(!recvline(sock, line, sizeof line) || sscanf(line, "%d %s %d.%d", &code, hisname, &hismajor, &hisminor) < 3 || code != 0 || hismajor != PROT_MAJOR || !check_id(hisname) || !recvline(sock, line, sizeof line) || !rstrip(line) || sscanf(line, "%d ", &code) != 1 || code != ACK || strlen(line) < 3) { fprintf(stderr, "Cannot read greeting from peer\n"); closesocket(sock); goto next; } // Check if the hash of the key he gave us matches the hash in the URL. char *fingerprint = line + 2; char hishash[64]; if(sha512(fingerprint, strlen(fingerprint), hishash)) { fprintf(stderr, "Could not create digest\n%s\n", line + 2); return 1; } if(memcmp(hishash, hash, 18)) { fprintf(stderr, "Peer has an invalid key!\n%s\n", line + 2); return 1; } ecdsa_t *hiskey = ecdsa_set_base64_public_key(fingerprint); if(!hiskey) return 1; // Start an SPTPS session if(!sptps_start(&sptps, NULL, true, false, key, hiskey, "tinc invitation", 15, invitation_send, invitation_receive)) return 1; // Feed rest of input buffer to SPTPS if(!sptps_receive_data(&sptps, buffer, blen)) return 1; while((len = recv(sock, line, sizeof line, 0))) { if(len < 0) { if(errno == EINTR) continue; fprintf(stderr, "Error reading data from %s port %s: %s\n", address, port, strerror(errno)); return 1; } char *p = line; while(len) { int done = sptps_receive_data(&sptps, p, len); if(!done) return 1; len -= done; p += done; } } sptps_stop(&sptps); ecdsa_free(hiskey); ecdsa_free(key); closesocket(sock); if(!success) { fprintf(stderr, "Connection closed by peer, invitation cancelled.\n"); return 1; } return 0; invalid: fprintf(stderr, "Invalid invitation URL.\n"); return 1; }
static bool finalize_join(void) { char *name = xstrdup(get_value(data, "Name")); if(!name) { fprintf(stderr, "No Name found in invitation!\n"); return false; } if(!check_id(name)) { fprintf(stderr, "Invalid Name found in invitation: %s!\n", name); return false; } if(!netname) netname = grep(data, "NetName"); bool ask_netname = false; char temp_netname[32]; make_names: if(!confbasegiven) { free(confbase); confbase = NULL; } make_names(false); free(tinc_conf); free(hosts_dir); xasprintf(&tinc_conf, "%s" SLASH "tinc.conf", confbase); xasprintf(&hosts_dir, "%s" SLASH "hosts", confbase); if(!access(tinc_conf, F_OK)) { fprintf(stderr, "Configuration file %s already exists!\n", tinc_conf); if(confbasegiven) return false; // Generate a random netname, ask for a better one later. ask_netname = true; snprintf(temp_netname, sizeof temp_netname, "join_%x", rand()); netname = temp_netname; goto make_names; } if(mkdir(confbase, 0777) && errno != EEXIST) { fprintf(stderr, "Could not create directory %s: %s\n", confbase, strerror(errno)); return false; } if(mkdir(hosts_dir, 0777) && errno != EEXIST) { fprintf(stderr, "Could not create directory %s: %s\n", hosts_dir, strerror(errno)); return false; } FILE *f = fopen(tinc_conf, "w"); if(!f) { fprintf(stderr, "Could not create file %s: %s\n", tinc_conf, strerror(errno)); return false; } fprintf(f, "Name = %s\n", name); char filename[PATH_MAX]; snprintf(filename, sizeof filename, "%s" SLASH "%s", hosts_dir, name); FILE *fh = fopen(filename, "w"); if(!fh) { fprintf(stderr, "Could not create file %s: %s\n", filename, strerror(errno)); fclose(f); return false; } // Filter first chunk on approved keywords, split between tinc.conf and hosts/Name // Other chunks go unfiltered to their respective host config files const char *p = data; char *l, *value; while((l = get_line(&p))) { // Ignore comments if(*l == '#') continue; // Split line into variable and value int len = strcspn(l, "\t ="); value = l + len; value += strspn(value, "\t "); if(*value == '=') { value++; value += strspn(value, "\t "); } l[len] = 0; // Is it a Name? if(!strcasecmp(l, "Name")) if(strcmp(value, name)) break; else continue; else if(!strcasecmp(l, "NetName")) continue; // Check the list of known variables bool found = false; int i; for(i = 0; variables[i].name; i++) { if(strcasecmp(l, variables[i].name)) continue; found = true; break; } // Ignore unknown and unsafe variables if(!found) { fprintf(stderr, "Ignoring unknown variable '%s' in invitation.\n", l); continue; } else if(!(variables[i].type & VAR_SAFE)) { fprintf(stderr, "Ignoring unsafe variable '%s' in invitation.\n", l); continue; } // Copy the safe variable to the right config file fprintf(variables[i].type & VAR_HOST ? fh : f, "%s = %s\n", l, value); } fclose(f); while(l && !strcasecmp(l, "Name")) { if(!check_id(value)) { fprintf(stderr, "Invalid Name found in invitation.\n"); return false; } if(!strcmp(value, name)) { fprintf(stderr, "Secondary chunk would overwrite our own host config file.\n"); return false; } snprintf(filename, sizeof filename, "%s" SLASH "%s", hosts_dir, value); f = fopen(filename, "w"); if(!f) { fprintf(stderr, "Could not create file %s: %s\n", filename, strerror(errno)); return false; } while((l = get_line(&p))) { if(!strcmp(l, "#---------------------------------------------------------------#")) continue; int len = strcspn(l, "\t ="); if(len == 4 && !strncasecmp(l, "Name", 4)) { value = l + len; value += strspn(value, "\t "); if(*value == '=') { value++; value += strspn(value, "\t "); } l[len] = 0; break; } fputs(l, f); fputc('\n', f); } fclose(f); } // Generate our key and send a copy to the server ecdsa_t *key = ecdsa_generate(); if(!key) return false; char *b64key = ecdsa_get_base64_public_key(key); if(!b64key) return false; snprintf(filename, sizeof filename, "%s" SLASH "ed25519_key.priv", confbase); f = fopenmask(filename, "w", 0600); if(!f) return false; if(!ecdsa_write_pem_private_key(key, f)) { fprintf(stderr, "Error writing private key!\n"); ecdsa_free(key); fclose(f); return false; } fclose(f); fprintf(fh, "Ed25519PublicKey = %s\n", b64key); sptps_send_record(&sptps, 1, b64key, strlen(b64key)); free(b64key); ecdsa_free(key); check_port(name); ask_netname: if(ask_netname && tty) { fprintf(stderr, "Enter a new netname: "); if(!fgets(line, sizeof line, stdin)) { fprintf(stderr, "Error while reading stdin: %s\n", strerror(errno)); return false; } if(!*line || *line == '\n') goto ask_netname; line[strlen(line) - 1] = 0; char newbase[PATH_MAX]; snprintf(newbase, sizeof newbase, CONFDIR SLASH "tinc" SLASH "%s", line); if(rename(confbase, newbase)) { fprintf(stderr, "Error trying to rename %s to %s: %s\n", confbase, newbase, strerror(errno)); goto ask_netname; } netname = line; make_names(false); } fprintf(stderr, "Configuration stored in: %s\n", confbase); return true; }
int cmd_invite(int argc, char *argv[]) { if(argc < 2) { fprintf(stderr, "Not enough arguments!\n"); return 1; } // Check validity of the new node's name if(!check_id(argv[1])) { fprintf(stderr, "Invalid name for node.\n"); return 1; } char *myname = get_my_name(true); if(!myname) return 1; // Ensure no host configuration file with that name exists char filename[PATH_MAX]; snprintf(filename, sizeof filename, "%s" SLASH "hosts" SLASH "%s", confbase, argv[1]); if(!access(filename, F_OK)) { fprintf(stderr, "A host config file for %s already exists!\n", argv[1]); return 1; } // If a daemon is running, ensure no other nodes know about this name bool found = false; if(connect_tincd(false)) { sendline(fd, "%d %d", CONTROL, REQ_DUMP_NODES); while(recvline(fd, line, sizeof line)) { char node[4096]; int code, req; if(sscanf(line, "%d %d %s", &code, &req, node) != 3) break; if(!strcmp(node, argv[1])) found = true; } if(found) { fprintf(stderr, "A node with name %s is already known!\n", argv[1]); return 1; } } snprintf(filename, sizeof filename, "%s" SLASH "invitations", confbase); if(mkdir(filename, 0700) && errno != EEXIST) { fprintf(stderr, "Could not create directory %s: %s\n", filename, strerror(errno)); return 1; } // Count the number of valid invitations, clean up old ones DIR *dir = opendir(filename); if(!dir) { fprintf(stderr, "Could not read directory %s: %s\n", filename, strerror(errno)); return 1; } errno = 0; int count = 0; struct dirent *ent; time_t deadline = time(NULL) - 604800; // 1 week in the past while((ent = readdir(dir))) { if(strlen(ent->d_name) != 24) continue; char invname[PATH_MAX]; struct stat st; snprintf(invname, sizeof invname, "%s" SLASH "%s", filename, ent->d_name); if(!stat(invname, &st)) { if(deadline < st.st_mtime) count++; else unlink(invname); } else { fprintf(stderr, "Could not stat %s: %s\n", invname, strerror(errno)); errno = 0; } } closedir(dir); if(errno) { fprintf(stderr, "Error while reading directory %s: %s\n", filename, strerror(errno)); return 1; } ecdsa_t *key; snprintf(filename, sizeof filename, "%s" SLASH "invitations" SLASH "ed25519_key.priv", confbase); // Remove the key if there are no outstanding invitations. if(!count) unlink(filename); // Create a new key if necessary. FILE *f = fopen(filename, "r"); if(!f) { if(errno != ENOENT) { fprintf(stderr, "Could not read %s: %s\n", filename, strerror(errno)); return 1; } key = ecdsa_generate(); if(!key) return 1; f = fopen(filename, "w"); if(!f) { fprintf(stderr, "Could not write %s: %s\n", filename, strerror(errno)); return 1; } chmod(filename, 0600); if(!ecdsa_write_pem_private_key(key, f)) { fprintf(stderr, "Could not write ECDSA private key\n"); fclose(f); return 1; } fclose(f); if(connect_tincd(false)) sendline(fd, "%d %d", CONTROL, REQ_RELOAD); } else { key = ecdsa_read_pem_private_key(f); fclose(f); if(!key) fprintf(stderr, "Could not read private key from %s\n", filename); } if(!key) return 1; // Create a hash of the key. char hash[64]; char *fingerprint = ecdsa_get_base64_public_key(key); sha512(fingerprint, strlen(fingerprint), hash); b64encode_urlsafe(hash, hash, 18); // Create a random cookie for this invitation. char cookie[25]; randomize(cookie, 18); // Create a filename that doesn't reveal the cookie itself char buf[18 + strlen(fingerprint)]; char cookiehash[64]; memcpy(buf, cookie, 18); memcpy(buf + 18, fingerprint, sizeof buf - 18); sha512(buf, sizeof buf, cookiehash); b64encode_urlsafe(cookiehash, cookiehash, 18); b64encode_urlsafe(cookie, cookie, 18); // Create a file containing the details of the invitation. snprintf(filename, sizeof filename, "%s" SLASH "invitations" SLASH "%s", confbase, cookiehash); int ifd = open(filename, O_RDWR | O_CREAT | O_EXCL, 0600); if(!ifd) { fprintf(stderr, "Could not create invitation file %s: %s\n", filename, strerror(errno)); return 1; } f = fdopen(ifd, "w"); if(!f) abort(); // Get the local address char *address = get_my_hostname(); // Fill in the details. fprintf(f, "Name = %s\n", argv[1]); if(netname) fprintf(f, "NetName = %s\n", netname); fprintf(f, "ConnectTo = %s\n", myname); // Copy Broadcast and Mode FILE *tc = fopen(tinc_conf, "r"); if(tc) { char buf[1024]; while(fgets(buf, sizeof buf, tc)) { if((!strncasecmp(buf, "Mode", 4) && strchr(" \t=", buf[4])) || (!strncasecmp(buf, "Broadcast", 9) && strchr(" \t=", buf[9]))) { fputs(buf, f); // Make sure there is a newline character. if(!strchr(buf, '\n')) fputc('\n', f); } } fclose(tc); } fprintf(f, "#---------------------------------------------------------------#\n"); fprintf(f, "Name = %s\n", myname); char filename2[PATH_MAX]; snprintf(filename2, sizeof filename2, "%s" SLASH "hosts" SLASH "%s", confbase, myname); fcopy(f, filename2); fclose(f); // Create an URL from the local address, key hash and cookie char *url; xasprintf(&url, "%s/%s%s", address, hash, cookie); // Call the inviation-created script char *envp[6] = {}; xasprintf(&envp[0], "NAME=%s", myname); xasprintf(&envp[1], "NETNAME=%s", netname); xasprintf(&envp[2], "NODE=%s", argv[1]); xasprintf(&envp[3], "INVITATION_FILE=%s", filename); xasprintf(&envp[4], "INVITATION_URL=%s", url); execute_script("invitation-created", envp); for(int i = 0; i < 6 && envp[i]; i++) free(envp[i]); puts(url); free(url); free(address); return 0; }