From 519972c9c18a103a7689844150c75e939c642115 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Mon, 10 Mar 2014 17:42:08 +0100
Subject: Make --verify-config option more flexible

---
 src/config.c | 28 ++++++++++++++++++++++-----
 src/config.h | 1 +
 src/fastd.c | 16 +++++++--------
 src/fastd.h | 1 +
 src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c | 10 ++++++++++
 5 files changed, 43 insertions(+), 13 deletions(-)
(limited to 'src')

diff --git a/src/config.c b/src/config.c
index 1793b7b..38ca490 100644
--- a/src/config.c
+++ b/src/config.c
@@ -531,14 +531,14 @@ void fastd_configure(fastd_context_t *ctx, fastd_config_t *conf, int argc, char
 conf->log_stderr_level = FASTD_DEFAULT_LOG_LEVEL;
 }
-void fastd_config_check(fastd_context_t *ctx, fastd_config_t *conf) {
+static void config_check_base(fastd_context_t *ctx, fastd_config_t *conf) {
 if (conf->ifname) {
 if (strchr(conf->ifname, '/'))
 exit_error(ctx, "config error: invalid interface name");
 }
 if (conf->mode == MODE_TUN) {
- if (!conf->peers || conf->peers->next)
+ if (conf->peers->next)
 exit_error(ctx, "config error: in TUN mode exactly one peer must be configured");
 if (conf->peer_group->children)
 exit_error(ctx, "config error: in TUN mode peer groups can't be used");
@@ -546,9 +546,6 @@ void fastd_config_check(fastd_context_t *ctx, fastd_config_t *conf) {
 exit_error(ctx, "config error: in TUN mode peer directories can't be used");
 }
- if (!conf->peers && !has_peer_group_peer_dirs(conf->peer_group))
- exit_error(ctx, "config error: neither fixed peers nor peer dirs have been configured");
-
 #ifndef USE_PMTU
 if (conf->pmtu.set)
 exit_error(ctx, "config error: setting pmtu is not supported on this system");
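Review bot: Dropping `!conf->peers ||` from the TUN-mode check in config_check_base leaves `conf->peers->next` dereferencing a null pointer whenever no peer is configured: the null check now lives in fastd_config_check (hunk @@ -558 of this file), but that code only runs after config_check_base has returned, and fastd_config_verify (hunk @@ -571) performs no null check at all, so `--verify-config` on a TUN config without peers crashes instead of printing the config error. Keep the guard in the base function, `if (conf->peers && conf->peers->next)`, and let the later check in fastd_config_check produce the "exactly one peer" message for the no-peer case. The second hunk on this line only relocates the "neither fixed peers nor peer dirs" check and raises nothing on its own. config_check_base continues past the end of this hunk.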
@@ -558,6 +555,18 @@ void fastd_config_check(fastd_context_t *ctx, fastd_config_t *conf) {
 if (conf->packet_mark)
 exit_error(ctx, "config error: setting a packet mark is not supported on this system");
 #endif
+}
+
+void fastd_config_check(fastd_context_t *ctx, fastd_config_t *conf) {
+ config_check_base(ctx, conf);
+
+ if (conf->mode == MODE_TUN) {
+ if (!conf->peers)
+ exit_error(ctx, "config error: in TUN mode exactly one peer must be configured");
+ }
+
+ if (!conf->peers && !has_peer_group_peer_dirs(conf->peer_group))
+ exit_error(ctx, "config error: neither fixed peers nor peer dirs have been configured");
 if (!conf->method_list) {
 pr_warn(ctx, "no encryption method configured, falling back to method `null' (unencrypted)");
@@ -571,6 +580,15 @@ void fastd_config_check(fastd_context_t *ctx, fastd_config_t *conf) {
 configure_methods(ctx, conf);
 }
+void fastd_config_verify(fastd_context_t *ctx, fastd_config_t *conf) {
+ config_check_base(ctx, conf);
+ configure_methods(ctx, conf);
+
+ fastd_peer_config_t *peer;
+ for (peer = conf->peers; peer; peer = peer->next)
+ conf->protocol->peer_verify(ctx, peer);
+}
+
+static void peer_dirs_read_peer_group(fastd_context_t *ctx, fastd_config_t *new_conf) {
 read_peer_dirs(ctx, new_conf);
diff --git a/src/config.h b/src/config.h
index 9484598..ecdb7dd 100644
--- a/src/config.h
+++ b/src/config.h
@@ -43,6 +43,7 @@ void fastd_configure(fastd_context_t *ctx, fastd_config_t *conf, int argc, char
 void fastd_config_check(fastd_context_t *ctx, fastd_config_t *conf);
 void fastd_config_load_peer_dirs(fastd_context_t *ctx, fastd_config_t *conf);
 void fastd_config_handle_options(fastd_context_t *ctx, fastd_config_t *conf, int argc, char *const argv[]);
+void fastd_config_verify(fastd_context_t *ctx, fastd_config_t *conf);
 void fastd_add_peer_dir(fastd_context_t *ctx, fastd_config_t *conf, const char *dir);
 bool fastd_read_config(fastd_context_t *ctx, fastd_config_t *conf, const char *filename, bool peer_config, int depth);
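Review bot: fastd_config_verify (hunk @@ -571) calls `conf->protocol->peer_verify(ctx, peer)` unconditionally, but `peer_verify` is a member newly added to struct fastd_protocol in this commit, so any protocol table that does not set it is dispatched through a null function pointer under `--verify-config`. A guard such as `if (conf->protocol->peer_verify) conf->protocol->peer_verify(ctx, peer);`, or an `exit_error` naming the protocol when the hook is missing, keeps the verify path from crashing on an incomplete protocol definition. The loop also covers only the fixed `conf->peers` list; if peers from peer directories are loaded later than this call (fastd_config_load_peer_dirs is not invoked here), a successful `--verify-config` says nothing about their keys, and a comment on the function stating exactly which peers are verified would make that limit visible to users of the option.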
diff --git a/src/fastd.c b/src/fastd.c
index 9115bbf..1f80939 100644
--- a/src/fastd.c
+++ b/src/fastd.c
@@ -882,6 +882,11 @@ int main(int argc, char *argv[]) {
 fastd_configure(&ctx, &conf, argc, argv);
 ctx.conf = &conf;
+ if (conf.verify_config) {
+ fastd_config_verify(&ctx, &conf);
+ exit(0);
+ }
+
 if (conf.generate_key) {
 conf.protocol->generate_key(&ctx);
 exit(0);
@@ -896,12 +901,10 @@ int main(int argc, char *argv[]) {
 init_signals(&ctx);
- if (!conf.verify_config) {
- if (conf.daemon)
- status_fd = daemonize(&ctx);
+ if (conf.daemon)
+ status_fd = daemonize(&ctx);
- init_log(&ctx);
- }
+ init_log(&ctx);
 #ifdef HAVE_LIBSODIUM
 sodium_init();
@@ -915,9 +918,6 @@ int main(int argc, char *argv[]) {
 fastd_config_check(&ctx, &conf);
- if (conf.verify_config)
- exit(0);
-
 update_time(&ctx);
 ctx.next_keepalives = fastd_in_seconds(&ctx, conf.keepalive_interval);
diff --git a/src/fastd.h b/src/fastd.h
index bad7e66..56b07b9 100644
--- a/src/fastd.h
+++ b/src/fastd.h
@@ -52,6 +52,7 @@ struct fastd_protocol {
 const char *name;
 fastd_protocol_config_t* (*init)(fastd_context_t *ctx);
+ void (*peer_verify)(fastd_context_t *ctx, fastd_peer_config_t *peer_conf);
 void (*peer_configure)(fastd_context_t *ctx, fastd_peer_config_t *peer_conf);
 bool (*peer_check)(fastd_context_t *ctx, fastd_peer_config_t *peer_conf);
 bool (*peer_check_temporary)(fastd_context_t *ctx, fastd_peer_t *peer);
diff --git a/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c b/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c
index 1e3c36a..7f77a22 100644
--- a/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c
+++ b/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c
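Review bot: The new early exit in main (hunk @@ -882) runs fastd_config_verify before `init_signals`, `daemonize`, `init_log` and the `sodium_init()` call shown in the following hunk, and also before `fastd_config_check`; nothing in the diff shows whether `configure_methods` or the protocol's key parsing can depend on that later initialisation, so the ordering should be confirmed and recorded at the call site, e.g. `/* --verify-config: validate the parsed config and exit before daemonizing or opening the log */`. If any verified method does require libsodium, `sodium_init()` would have to move above this block rather than stay where the second hunk leaves it. The removed block in the third hunk means the `method_list` fallback warning and the other checks in fastd_config_check are no longer exercised by `--verify-config`; that is presumably intended, but worth a sentence in the same comment. main continues outside these hunks.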
@@ -65,6 +65,15 @@ static fastd_protocol_config_t* protocol_init(fastd_context_t *ctx) {
 return protocol_config;
 }
+static void protocol_peer_verify(fastd_context_t *ctx, fastd_peer_config_t *peer_conf) {
+ if (!peer_conf->key)
+ exit_error(ctx, "no key configured for peer `%s'", peer_conf->name);
+
+ aligned_int256_t key;
+ if (!read_key(key.u8, peer_conf->key))
+ exit_error(ctx, "invalid key configured for peer `%s'", peer_conf->name);
+}
+
+static void protocol_peer_configure(fastd_context_t *ctx, fastd_peer_config_t *peer_conf) {
 if (peer_conf->protocol_config)
 return;
@@ -188,6 +197,7 @@ const fastd_protocol_t fastd_protocol_ec25519_fhmqvc = {
 .name = "ec25519-fhmqvc",
 .init = protocol_init,
+ .peer_verify = protocol_peer_verify,
 .peer_configure = protocol_peer_configure,
 .peer_check = fastd_protocol_ec25519_fhmqvc_peer_check,
-- 
cgit v1.2.3
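Review bot: protocol_peer_verify decodes the peer key into the local `aligned_int256_t key` only to discard it, and `exit_error` on the first bad peer means a config with several invalid peers needs one run per defect to find them all; a one-line comment would make both choices deliberate, e.g. `/* --verify-config: only checks that the configured key parses; the decoded value is not kept */`. Both `exit_error` calls format `peer_conf->name` with `%s`, which assumes a peer reaching verification always has a name — if unnamed peers can exist, passing a NULL there is undefined behaviour in the formatting call, and `peer_conf->name ? peer_conf->name : "<unnamed>"` would be the safer argument. The second hunk only registers the hook in the protocol table and raises nothing.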