Comment out old public/private keys when generating new ones.
authorGuus Sliepen <guus@tinc-vpn.org>
Thu, 27 Sep 2012 13:45:02 +0000 (15:45 +0200)
committerGuus Sliepen <guus@tinc-vpn.org>
Thu, 27 Sep 2012 13:45:02 +0000 (15:45 +0200)
src/tincctl.c

index 5916d7b5cb1f9167cd01590bbc0f9fa15d0a0990..eaf676d6580934177d93ef12c0fd95fedbed04cb 100644 (file)
@@ -217,6 +217,83 @@ static bool parse_options(int argc, char **argv) {
        return true;
 }
 
+static void disable_old_keys(const char *filename, const char *what) {
+       char tmpfile[PATH_MAX] = "";
+       char buf[1024];
+       bool disabled = false;
+       bool block = false;
+       bool error = false;
+       FILE *r, *w;
+
+       r = fopen(filename, "r");
+       if(!r)
+               return;
+
+       snprintf(tmpfile, sizeof tmpfile, "%s.tmp", filename);
+
+       w = fopen(tmpfile, "w");
+
+       while(fgets(buf, sizeof buf, r)) {
+               if(!block && !strncmp(buf, "-----BEGIN ", 11)) {
+                       if((strstr(buf, " EC ") && strstr(what, "ECDSA")) || (strstr(buf, " RSA ") && strstr(what, "RSA"))) {
+                               disabled = true;
+                               block = true;
+                       }
+               }
+
+               bool ecdsapubkey = !strncasecmp(buf, "ECDSAPublicKey", 14) && strchr(" \t=", buf[14]) && strstr(what, "ECDSA");
+
+               if(ecdsapubkey)
+                       disabled = true;
+
+               if(w) {
+                       if(block || ecdsapubkey)
+                               fputc('#', w);
+                       if(fputs(buf, w) < 0) {
+                               error = true;
+                               break;
+                       }
+               }
+
+               if(block && !strncmp(buf, "-----END ", 9))
+                       block = false;
+       }
+
+       if(w)
+               if(fclose(w) < 0)
+                       error = true;
+       if(ferror(r) || fclose(r) < 0)
+               error = true;
+
+       if(disabled) {
+               if(!w || error) {
+                       fprintf(stderr, "Warning: old key(s) found, remove them by hand!\n");
+                       if(w)
+                               unlink(tmpfile);
+                       return;
+               }
+
+#ifdef HAVE_MINGW
+               // We cannot atomically replace files on Windows.
+               char bakfile[PATH_MAX] = "";
+               snprintf(bakfile, sizeof bakfile, "%s.bak", filename);
+               if(rename(filename, bakfile) || rename(tmpfile, filename)) {
+                       rename(bakfile, filename);
+#else
+               if(rename(tmpfile, filename)) {
+#endif
+                       fprintf(stderr, "Warning: old key(s) found, remove them by hand!\n");
+               } else  {
+#ifdef HAVE_MINGW
+                       unlink(bakfile);
+#endif
+                       fprintf(stderr, "Warning: old key(s) found and disabled.\n");
+               }
+       }
+
+       unlink(tmpfile);
+}
+
 static FILE *ask_and_open(const char *filename, const char *what, const char *mode, bool ask) {
        FILE *r;
        char *directory;
@@ -257,6 +334,8 @@ static FILE *ask_and_open(const char *filename, const char *what, const char *mo
 
        umask(0077);                            /* Disallow everything for group and other */
 
+       disable_old_keys(filename, what);
+
        /* Open it first to keep the inode busy */
 
        r = fopen(filename, mode);
@@ -297,9 +376,6 @@ static bool ecdsa_keygen(bool ask) {
        fchmod(fileno(f), 0600);
 #endif
                
-       if(ftell(f))
-               fprintf(stderr, "Appending key to existing contents.\nMake sure only one key is stored in the file.\n");
-
        ecdsa_write_pem_private_key(&key, f);
 
        fclose(f);
@@ -315,9 +391,6 @@ static bool ecdsa_keygen(bool ask) {
        if(!f)
                return false;
 
-       if(ftell(f))
-               fprintf(stderr, "Appending key to existing contents.\nMake sure only one key is stored in the file.\n");
-
        char *pubkey = ecdsa_get_base64_public_key(&key);
        fprintf(f, "ECDSAPublicKey = %s\n", pubkey);
        free(pubkey);
@@ -356,9 +429,6 @@ static bool rsa_keygen(int bits, bool ask) {
        fchmod(fileno(f), 0600);
 #endif
                
-       if(ftell(f))
-               fprintf(stderr, "Appending key to existing contents.\nMake sure only one key is stored in the file.\n");
-
        rsa_write_pem_private_key(&key, f);
 
        fclose(f);
@@ -374,9 +444,6 @@ static bool rsa_keygen(int bits, bool ask) {
        if(!f)
                return false;
 
-       if(ftell(f))
-               fprintf(stderr, "Appending key to existing contents.\nMake sure only one key is stored in the file.\n");
-
        rsa_write_pem_public_key(&key, f);
 
        fclose(f);