static void *CFTestD_ServeReport(void *config_arg)
{
CFTestD_Config *config = (CFTestD_Config *) config_arg;
/* Set prefix for all Log()ging: */
LoggingPrivContext *prior = LoggingPrivGetContext();
LoggingPrivContext log_ctx = {
.log_hook = LogAddPrefix,
.param = config->address
};
LoggingPrivSetContext(&log_ctx);
char *priv_key_path = NULL;
char *pub_key_path = NULL;
if (config->key_file != NULL)
{
priv_key_path = config->key_file;
pub_key_path = xstrdup(priv_key_path);
StringReplace(pub_key_path, strlen(pub_key_path) + 1,
"priv", "pub");
}
LoadSecretKeys(priv_key_path, pub_key_path, &(config->priv_key), &(config->pub_key));
free(pub_key_path);
char *report_file = config->report_file;
if (report_file != NULL)
{
Log(LOG_LEVEL_NOTICE, "Got file argument: '%s'", report_file);
if (!FileCanOpen(report_file, "r"))
{
Log(LOG_LEVEL_ERR,
"Can't open file '%s' for reading",
report_file);
exit(EXIT_FAILURE);
}
Writer *contents = FileRead(report_file, SIZE_MAX, NULL);
if (!contents)
{
Log(LOG_LEVEL_ERR, "Error reading report file '%s'", report_file);
exit(EXIT_FAILURE);
}
size_t report_data_len = StringWriterLength(contents);
config->report_data = StringWriterClose(contents);
Seq *report = SeqNew(64, NULL);
size_t report_len = 0;
StringRef ts_ref = StringGetToken(config->report_data, report_data_len, 0, "\n");
char *ts = (char *) ts_ref.data;
*(ts + ts_ref.len) = '\0';
SeqAppend(report, ts);
/* start right after the newline after the timestamp header */
char *position = ts + ts_ref.len + 1;
char *report_line;
size_t report_line_len;
while (CFTestD_GetReportLine(position, &report_line, &report_line_len))
{
*(report_line + report_line_len) = '\0';
SeqAppend(report, report_line);
report_len += report_line_len;
position = report_line + report_line_len + 1; /* there's an extra newline after each report_line */
}
config->report = report;
config->report_len = report_len;
Log(LOG_LEVEL_NOTICE,
"Read %d bytes for report contents",
config->report_len);
if (config->report_len <= 0)
{
Log(LOG_LEVEL_ERR, "Report file contained no bytes");
exit(EXIT_FAILURE);
}
}
Log(LOG_LEVEL_INFO, "Starting server at %s...", config->address);
fflush(stdout); // for debugging startup
config->ret = CFTestD_StartServer(config);
free(config->report_data);
/* we don't really need to do this here because the process is about the
* terminate, but it's a good way the cleanup actually works and doesn't
* cause a segfault or something */
ServerTLSDeInitialize(&(config->priv_key), &(config->pub_key), &(config->ssl_ctx));
LoggingPrivSetContext(prior);
return NULL;
}
static void HandleSignal(int signum)
{
switch (signum)
{
case SIGTERM:
case SIGINT:
// flush all logging before process ends.
fflush(stdout);
fprintf(stderr, "Terminating...\n");
TERMINATE = true;
break;
default:
break;
}
}
/**
* @param ip_str string representation of an IPv4 address (the usual one, with
* 4 octets separated by dots)
* @return a new string representing the incremented IP address (HAS TO BE FREED)
*/
static char *IncrementIPaddress(const char *ip_str)
{
uint32_t ip = (uint32_t) inet_addr(ip_str);
if (ip == INADDR_NONE)
{
Log(LOG_LEVEL_ERR, "Failed to parse address: '%s'", ip_str);
return NULL;
}
int step = 1;
char *last_dot = strrchr(ip_str, '.');
assert(last_dot != NULL); /* the doc comment says there must be dots! */
if (StringSafeEqual(last_dot + 1, "255"))
{
/* avoid the network address (ending with 0) */
step = 2;
}
else if (StringSafeEqual(last_dot + 1, "254"))
{
/* avoid the broadcast address and the network address */
step = 3;
}
uint32_t ip_num = ntohl(ip);
ip_num += step;
ip = htonl(ip_num);
struct in_addr ip_struct;
ip_struct.s_addr = ip;
return xstrdup(inet_ntoa(ip_struct));
}
void GenericAgentInitialize(EvalContext *ctx, GenericAgentConfig *config)
{
int force = false;
struct stat statbuf, sb;
char vbuff[CF_BUFSIZE];
char ebuff[CF_EXPANDSIZE];
#ifdef __MINGW32__
InitializeWindows();
#endif
DetermineCfenginePort();
EvalContextClassPutHard(ctx, "any", "source=agent");
GenericAgentAddEditionClasses(ctx);
strcpy(VPREFIX, GetConsolePrefix());
/* Define trusted directories */
{
const char *workdir = GetWorkDir();
if (!workdir)
{
FatalError(ctx, "Error determining working directory");
}
strcpy(CFWORKDIR, workdir);
MapName(CFWORKDIR);
}
OpenLog(LOG_USER);
SetSyslogFacility(LOG_USER);
Log(LOG_LEVEL_VERBOSE, "Work directory is %s", CFWORKDIR);
snprintf(vbuff, CF_BUFSIZE, "%s%cupdate.conf", GetInputDir(), FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%cbin%ccf-agent -D from_cfexecd", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%coutputs%cspooled_reports", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%clastseen%cintermittencies", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%creports%cvarious", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s", GetInputDir());
if (stat(vbuff, &sb) == -1)
{
FatalError(ctx, " No access to WORKSPACE/inputs dir");
}
else
{
chmod(vbuff, sb.st_mode | 0700);
}
snprintf(vbuff, CF_BUFSIZE, "%s%coutputs", CFWORKDIR, FILE_SEPARATOR);
if (stat(vbuff, &sb) == -1)
{
FatalError(ctx, " No access to WORKSPACE/outputs dir");
}
else
{
chmod(vbuff, sb.st_mode | 0700);
}
snprintf(ebuff, sizeof(ebuff), "%s%cstate%ccf_procs",
CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(ebuff, force);
if (stat(ebuff, &statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
snprintf(ebuff, sizeof(ebuff), "%s%cstate%ccf_rootprocs",
CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
if (stat(ebuff, &statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
snprintf(ebuff, sizeof(ebuff), "%s%cstate%ccf_otherprocs",
CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
if (stat(ebuff, &statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
snprintf(ebuff, sizeof(ebuff), "%s%cstate%cprevious_state%c",
CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(ebuff, force);
snprintf(ebuff, sizeof(ebuff), "%s%cstate%cdiff%c",
CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(ebuff, force);
snprintf(ebuff, sizeof(ebuff), "%s%cstate%cuntracked%c",
CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(ebuff, force);
OpenNetwork();
CryptoInitialize();
CheckWorkingDirectories(ctx);
/* Initialize keys and networking. cf-key, doesn't need keys. In fact it
must function properly even without them, so that it generates them! */
if (config->agent_type != AGENT_TYPE_KEYGEN)
{
LoadSecretKeys();
char *bootstrapped_policy_server = ReadPolicyServerFile(CFWORKDIR);
PolicyHubUpdateKeys(bootstrapped_policy_server);
free(bootstrapped_policy_server);
cfnet_init();
}
size_t cwd_size = PATH_MAX;
while (true)
{
char cwd[cwd_size];
if (!getcwd(cwd, cwd_size))
{
if (errno == ERANGE)
{
cwd_size *= 2;
continue;
}
Log(LOG_LEVEL_WARNING, "Could not determine current directory. (getcwd: '%s')", GetErrorStr());
break;
}
EvalContextSetLaunchDirectory(ctx, cwd);
break;
}
if (!MINUSF)
{
GenericAgentConfigSetInputFile(config, GetInputDir(), "promises.cf");
}
VIFELAPSED = 1;
VEXPIREAFTER = 1;
setlinebuf(stdout);
if (config->agent_specific.agent.bootstrap_policy_server)
{
snprintf(vbuff, CF_BUFSIZE, "%s%cfailsafe.cf", GetInputDir(), FILE_SEPARATOR);
if (stat(vbuff, &statbuf) == -1)
{
GenericAgentConfigSetInputFile(config, GetInputDir(), "failsafe.cf");
}
else
{
GenericAgentConfigSetInputFile(config, GetInputDir(), vbuff);
}
}
}
void GenericAgentInitialize(EvalContext *ctx, GenericAgentConfig *config)
{
int force = false;
struct stat statbuf, sb;
char vbuff[CF_BUFSIZE];
char ebuff[CF_EXPANDSIZE];
SHORT_CFENGINEPORT = htons((unsigned short) 5308);
snprintf(STR_CFENGINEPORT, 15, "5308");
EvalContextHeapAddHard(ctx, "any");
strcpy(VPREFIX, GetConsolePrefix());
/* Define trusted directories */
{
const char *workdir = GetWorkDir();
if (!workdir)
{
FatalError(ctx, "Error determining working directory");
}
strcpy(CFWORKDIR, workdir);
MapName(CFWORKDIR);
}
/* On windows, use 'binary mode' as default for files */
#ifdef __MINGW32__
_fmode = _O_BINARY;
#endif
OpenLog(LOG_USER);
SetSyslogFacility(LOG_USER);
if (!LOOKUP) /* cf-know should not do this in lookup mode */
{
Log(LOG_LEVEL_VERBOSE, "Work directory is %s", CFWORKDIR);
snprintf(vbuff, CF_BUFSIZE, "%s%cinputs%cupdate.conf", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%cbin%ccf-agent -D from_cfexecd", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%coutputs%cspooled_reports", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%clastseen%cintermittencies", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%creports%cvarious", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%cinputs", CFWORKDIR, FILE_SEPARATOR);
if (stat(vbuff, &sb) == -1)
{
FatalError(ctx, " No access to WORKSPACE/inputs dir");
}
else
{
chmod(vbuff, sb.st_mode | 0700);
}
snprintf(vbuff, CF_BUFSIZE, "%s%coutputs", CFWORKDIR, FILE_SEPARATOR);
if (stat(vbuff, &sb) == -1)
{
FatalError(ctx, " No access to WORKSPACE/outputs dir");
}
else
{
chmod(vbuff, sb.st_mode | 0700);
}
sprintf(ebuff, "%s%cstate%ccf_procs", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(ebuff, force);
if (stat(ebuff, &statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
sprintf(ebuff, "%s%cstate%ccf_rootprocs", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
if (stat(ebuff, &statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
sprintf(ebuff, "%s%cstate%ccf_otherprocs", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
if (stat(ebuff, &statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
}
OpenNetwork();
CryptoInitialize();
if (!LOOKUP)
{
CheckWorkingDirectories(ctx);
}
const char *bootstrapped_policy_server = ReadPolicyServerFile(CFWORKDIR);
/* Initialize keys and networking. cf-key, doesn't need keys. In fact it
must function properly even without them, so that it generates them! */
if (config->agent_type != AGENT_TYPE_KEYGEN)
{
LoadSecretKeys(bootstrapped_policy_server);
cfnet_init();
}
if (!MINUSF)
{
GenericAgentConfigSetInputFile(config, GetWorkDir(), "promises.cf");
}
DetermineCfenginePort();
VIFELAPSED = 1;
VEXPIREAFTER = 1;
setlinebuf(stdout);
if (config->agent_specific.agent.bootstrap_policy_server)
{
snprintf(vbuff, CF_BUFSIZE, "%s%cinputs%cfailsafe.cf", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
#ifndef HAVE_ENTERPRISE
if (stat(vbuff, &statbuf) == -1)
{
GenericAgentConfigSetInputFile(config, GetWorkDir(), "failsafe.cf");
}
else
#endif
{
GenericAgentConfigSetInputFile(config, GetWorkDir(), vbuff);
}
}
}
int AuthenticateAgent(AgentConnection *conn, bool trust_key)
{
char sendbuffer[CF_EXPANDSIZE], in[CF_BUFSIZE], *out, *decrypted_cchall;
BIGNUM *nonce_challenge, *bn = NULL;
unsigned char digest[EVP_MAX_MD_SIZE];
int encrypted_len, nonce_len = 0, len, session_size;
bool need_to_implicitly_trust_server;
char enterprise_field = 'c';
RSA *server_pubkey = NULL;
if ((PUBKEY == NULL) || (PRIVKEY == NULL))
{
/* Try once more to load the keys, maybe the system is converging. */
LoadSecretKeys();
if ((PUBKEY == NULL) || (PRIVKEY == NULL))
{
char *pubkeyfile = PublicKeyFile(GetWorkDir());
Log(LOG_LEVEL_ERR, "No public/private key pair found at: %s", pubkeyfile);
free(pubkeyfile);
return false;
}
}
enterprise_field = CfEnterpriseOptions();
session_size = CfSessionKeySize(enterprise_field);
/* Generate a random challenge to authenticate the server */
nonce_challenge = BN_new();
if (nonce_challenge == NULL)
{
Log(LOG_LEVEL_ERR, "Cannot allocate BIGNUM structure for server challenge");
return false;
}
BN_rand(nonce_challenge, CF_NONCELEN, 0, 0);
nonce_len = BN_bn2mpi(nonce_challenge, in);
if (FIPS_MODE)
{
HashString(in, nonce_len, digest, CF_DEFAULT_DIGEST);
}
else
{
HashString(in, nonce_len, digest, HASH_METHOD_MD5);
}
/* We assume that the server bound to the remote socket is the official one i.e. = root's */
/* Ask the server to send us the public key if we don't have it. */
if ((server_pubkey = HavePublicKeyByIP(conn->username, conn->remoteip)))
{
need_to_implicitly_trust_server = false;
encrypted_len = RSA_size(server_pubkey);
}
else
{
need_to_implicitly_trust_server = true;
encrypted_len = nonce_len;
}
// Server pubkey is what we want to has as a unique ID
snprintf(sendbuffer, sizeof(sendbuffer), "SAUTH %c %d %d %c",
need_to_implicitly_trust_server ? 'n': 'y',
encrypted_len, nonce_len, enterprise_field);
out = xmalloc(encrypted_len);
if (server_pubkey != NULL)
{
if (RSA_public_encrypt(nonce_len, in, out, server_pubkey, RSA_PKCS1_PADDING) <= 0)
{
Log(LOG_LEVEL_ERR,
"Public encryption failed. (RSA_public_encrypt: %s)",
CryptoLastErrorString());
free(out);
RSA_free(server_pubkey);
return false;
}
memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, out, encrypted_len);
}
else
{
memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, in, nonce_len);
}
/* proposition C1 - Send challenge / nonce */
SendTransaction(conn->conn_info, sendbuffer, CF_RSA_PROTO_OFFSET + encrypted_len, CF_DONE);
BN_free(bn);
BN_free(nonce_challenge);
free(out);
/*Send the public key - we don't know if server has it */
/* proposition C2 */
memset(sendbuffer, 0, CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->n, sendbuffer);
SendTransaction(conn->conn_info, sendbuffer, len, CF_DONE); /* No need to encrypt the public key ... */
/* proposition C3 */
memset(sendbuffer, 0, CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->e, sendbuffer);
SendTransaction(conn->conn_info, sendbuffer, len, CF_DONE);
/* check reply about public key - server can break conn_info here */
/* proposition S1 */
memset(in, 0, CF_BUFSIZE);
if (ReceiveTransaction(conn->conn_info, in, NULL) == -1)
{
Log(LOG_LEVEL_ERR, "Protocol transaction broken off (1). (ReceiveTransaction: %s)", GetErrorStr());
RSA_free(server_pubkey);
return false;
}
if (BadProtoReply(in))
{
Log(LOG_LEVEL_ERR, "Bad protocol reply: %s", in);
RSA_free(server_pubkey);
return false;
}
/* Get challenge response - should be CF_DEFAULT_DIGEST of challenge */
/* proposition S2 */
memset(in, 0, CF_BUFSIZE);
if (ReceiveTransaction(conn->conn_info, in, NULL) == -1)
{
Log(LOG_LEVEL_ERR, "Protocol transaction broken off (2). (ReceiveTransaction: %s)", GetErrorStr());
RSA_free(server_pubkey);
return false;
}
/* Check if challenge reply was correct */
if ((HashesMatch(digest, in, CF_DEFAULT_DIGEST)) ||
(HashesMatch(digest, in, HASH_METHOD_MD5))) // Legacy
{
if (need_to_implicitly_trust_server == false)
{
/* The IP was found in lastseen. */
Log(LOG_LEVEL_VERBOSE,
".....................[.h.a.i.l.].................................");
Log(LOG_LEVEL_VERBOSE,
"Strong authentication of server '%s' connection confirmed",
conn->this_server);
}
else /* IP was not found in lastseen */
{
if (trust_key)
{
Log(LOG_LEVEL_VERBOSE,
"Trusting server identity, promise to accept key from '%s' = '%s'",
conn->this_server, conn->remoteip);
}
else
{
Log(LOG_LEVEL_ERR,
"Not authorized to trust public key of server '%s' (trustkey = false)",
conn->this_server);
RSA_free(server_pubkey);
return false;
}
}
}
else
{
Log(LOG_LEVEL_ERR, "Challenge response from server '%s/%s' was incorrect", conn->this_server,
conn->remoteip);
RSA_free(server_pubkey);
return false;
}
/* Receive counter challenge from server */
/* proposition S3 */
memset(in, 0, CF_BUFSIZE);
encrypted_len = ReceiveTransaction(conn->conn_info, in, NULL);
if (encrypted_len <= 0)
{
Log(LOG_LEVEL_ERR, "Protocol transaction sent illegal cipher length");
RSA_free(server_pubkey);
return false;
}
decrypted_cchall = xmalloc(encrypted_len);
if (RSA_private_decrypt(encrypted_len, in, decrypted_cchall, PRIVKEY, RSA_PKCS1_PADDING) <= 0)
{
Log(LOG_LEVEL_ERR,
"Private decrypt failed, abandoning. (RSA_private_decrypt: %s)",
CryptoLastErrorString());
RSA_free(server_pubkey);
return false;
}
/* proposition C4 */
if (FIPS_MODE)
{
HashString(decrypted_cchall, nonce_len, digest, CF_DEFAULT_DIGEST);
}
else
{
HashString(decrypted_cchall, nonce_len, digest, HASH_METHOD_MD5);
}
if (FIPS_MODE)
{
SendTransaction(conn->conn_info, digest, CF_DEFAULT_DIGEST_LEN, CF_DONE);
}
else
{
SendTransaction(conn->conn_info, digest, CF_MD5_LEN, CF_DONE);
}
free(decrypted_cchall);
/* If we don't have the server's public key, it will be sent */
if (server_pubkey == NULL)
{
RSA *newkey = RSA_new();
Log(LOG_LEVEL_VERBOSE, "Collecting public key from server!");
/* proposition S4 - conditional */
if ((len = ReceiveTransaction(conn->conn_info, in, NULL)) <= 0)
{
Log(LOG_LEVEL_ERR, "Protocol error in RSA authentation from IP '%s'", conn->this_server);
return false;
}
if ((newkey->n = BN_mpi2bn(in, len, NULL)) == NULL)
{
Log(LOG_LEVEL_ERR,
"Private key decrypt failed. (BN_mpi2bn: %s)",
CryptoLastErrorString());
RSA_free(newkey);
return false;
}
/* proposition S5 - conditional */
if ((len = ReceiveTransaction(conn->conn_info, in, NULL)) <= 0)
{
Log(LOG_LEVEL_INFO, "Protocol error in RSA authentation from IP '%s'",
conn->this_server);
RSA_free(newkey);
return false;
}
if ((newkey->e = BN_mpi2bn(in, len, NULL)) == NULL)
{
Log(LOG_LEVEL_ERR,
"Public key decrypt failed. (BN_mpi2bn: %s)",
CryptoLastErrorString());
RSA_free(newkey);
return false;
}
server_pubkey = RSAPublicKey_dup(newkey);
RSA_free(newkey);
}
assert(server_pubkey != NULL);
/* proposition C5 */
if (!SetSessionKey(conn))
{
Log(LOG_LEVEL_ERR, "Unable to set session key");
return false;
}
if (conn->session_key == NULL)
{
Log(LOG_LEVEL_ERR, "A random session key could not be established");
RSA_free(server_pubkey);
return false;
}
encrypted_len = RSA_size(server_pubkey);
out = xmalloc(encrypted_len);
if (RSA_public_encrypt(session_size, conn->session_key, out, server_pubkey, RSA_PKCS1_PADDING) <= 0)
{
Log(LOG_LEVEL_ERR,
"Public encryption failed. (RSA_public_encrypt: %s)",
CryptoLastErrorString());
free(out);
RSA_free(server_pubkey);
return false;
}
SendTransaction(conn->conn_info, out, encrypted_len, CF_DONE);
Key *key = KeyNew(server_pubkey, CF_DEFAULT_DIGEST);
conn->conn_info->remote_key = key;
Log(LOG_LEVEL_VERBOSE, "Public key identity of host '%s' is: %s",
conn->remoteip, KeyPrintableHash(conn->conn_info->remote_key));
SavePublicKey(conn->username, KeyPrintableHash(conn->conn_info->remote_key), server_pubkey);
unsigned int length = 0;
LastSaw(conn->remoteip, KeyBinaryHash(conn->conn_info->remote_key, &length), LAST_SEEN_ROLE_CONNECT);
free(out);
return true;
}
void InitializeGA(int argc,char *argv[])
{
int seed,force = false;
struct stat statbuf,sb;
unsigned char s[16];
char vbuff[CF_BUFSIZE];
char ebuff[CF_EXPANDSIZE];
SHORT_CFENGINEPORT = htons((unsigned short)5308);
snprintf(STR_CFENGINEPORT,15,"5308");
NewClass("any");
#if defined HAVE_CONSTELLATION
NewClass("constellation_edition");
#elif defined HAVE_NOVA
NewClass("nova_edition");
#else
NewClass("community_edition");
#endif
strcpy(VPREFIX,GetConsolePrefix());
if (VERBOSE)
{
NewClass("verbose_mode");
}
if (INFORM)
{
NewClass("inform_mode");
}
if (DEBUG)
{
NewClass("debug_mode");
}
CfOut(cf_verbose,"","Cfengine - autonomous configuration engine - commence self-diagnostic prelude\n");
CfOut(cf_verbose,"","------------------------------------------------------------------------\n");
/* Define trusted directories */
#ifdef MINGW
if(NovaWin_GetProgDir(CFWORKDIR, CF_BUFSIZE - sizeof("Cfengine")))
{
strcat(CFWORKDIR, "\\Cfengine");
}
else
{
CfOut(cf_error, "", "!! Could not get CFWORKDIR from Windows environment variable, falling back to compile time dir (%s)", WORKDIR);
strcpy(CFWORKDIR,WORKDIR);
}
Debug("Setting CFWORKDIR=%s\n", CFWORKDIR);
#elif defined(CFCYG)
strcpy(CFWORKDIR,WORKDIR);
MapName(CFWORKDIR);
#else
if (getuid() > 0)
{
strncpy(CFWORKDIR,GetHome(getuid()),CF_BUFSIZE-10);
strcat(CFWORKDIR,"/.cfagent");
if (strlen(CFWORKDIR) > CF_BUFSIZE/2)
{
FatalError("Suspicious looking home directory. The path is too long and will lead to problems.");
}
}
else
{
strcpy(CFWORKDIR,WORKDIR);
}
#endif
/* On windows, use 'binary mode' as default for files */
#ifdef MINGW
_fmode = _O_BINARY;
#endif
strcpy(SYSLOGHOST,"localhost");
SYSLOGPORT = htons(514);
Cf3OpenLog(LOG_USER);
if (!LOOKUP) /* cf-know should not do this in lookup mode */
{
CfOut(cf_verbose,"","Work directory is %s\n",CFWORKDIR);
snprintf(HASHDB,CF_BUFSIZE-1,"%s%c%s",CFWORKDIR,FILE_SEPARATOR,CF_CHKDB);
snprintf(vbuff,CF_BUFSIZE,"%s%cinputs%cupdate.conf",CFWORKDIR,FILE_SEPARATOR,FILE_SEPARATOR);
MakeParentDirectory(vbuff,force);
snprintf(vbuff,CF_BUFSIZE,"%s%cbin%ccf-agent -D from_cfexecd",CFWORKDIR,FILE_SEPARATOR,FILE_SEPARATOR);
MakeParentDirectory(vbuff,force);
snprintf(vbuff,CF_BUFSIZE,"%s%coutputs%cspooled_reports",CFWORKDIR,FILE_SEPARATOR,FILE_SEPARATOR);
MakeParentDirectory(vbuff,force);
snprintf(vbuff,CF_BUFSIZE,"%s%clastseen%cintermittencies",CFWORKDIR,FILE_SEPARATOR,FILE_SEPARATOR);
MakeParentDirectory(vbuff,force);
snprintf(vbuff,CF_BUFSIZE,"%s%creports%cvarious",CFWORKDIR,FILE_SEPARATOR,FILE_SEPARATOR);
MakeParentDirectory(vbuff,force);
snprintf(vbuff,CF_BUFSIZE,"%s%cinputs",CFWORKDIR,FILE_SEPARATOR);
if (cfstat(vbuff,&sb) == -1)
{
FatalError(" !!! No access to WORKSPACE/inputs dir");
}
else
{
cf_chmod(vbuff,sb.st_mode | 0700);
}
snprintf(vbuff,CF_BUFSIZE,"%s%coutputs",CFWORKDIR,FILE_SEPARATOR);
if (cfstat(vbuff,&sb) == -1)
{
FatalError(" !!! No access to WORKSPACE/outputs dir");
}
else
{
cf_chmod(vbuff,sb.st_mode | 0700);
}
sprintf(ebuff,"%s%cstate%ccf_procs",CFWORKDIR,FILE_SEPARATOR,FILE_SEPARATOR);
MakeParentDirectory(ebuff,force);
if (cfstat(ebuff,&statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
sprintf(ebuff,"%s%cstate%ccf_rootprocs",CFWORKDIR,FILE_SEPARATOR,FILE_SEPARATOR);
if (cfstat(ebuff,&statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
sprintf(ebuff,"%s%cstate%ccf_otherprocs",CFWORKDIR,FILE_SEPARATOR,FILE_SEPARATOR);
if (cfstat(ebuff,&statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
}
OpenNetwork();
/* Init crypto stuff */
OpenSSL_add_all_algorithms();
OpenSSL_add_all_digests();
ERR_load_crypto_strings();
if(!LOOKUP)
{
CheckWorkingDirectories();
}
RandomSeed();
RAND_bytes(s,16);
s[15] = '\0';
seed = ElfHash(s);
srand48((long)seed);
LoadSecretKeys();
/* CheckOpts(argc,argv); - MacOS can't handle this back reference */
if (!MINUSF)
{
snprintf(VINPUTFILE,CF_BUFSIZE-1,"promises.cf");
}
AUDITDBP = NULL;
DetermineCfenginePort();
VIFELAPSED = 1;
VEXPIREAFTER = 1;
setlinebuf(stdout);
if (BOOTSTRAP)
{
snprintf(vbuff,CF_BUFSIZE,"%s%cinputs%cfailsafe.cf",CFWORKDIR,FILE_SEPARATOR,FILE_SEPARATOR);
if (!IsEnterprise() && cfstat(vbuff,&statbuf) == -1)
{
snprintf(VINPUTFILE,CF_BUFSIZE-1,".%cfailsafe.cf",FILE_SEPARATOR);
}
else
{
strncpy(VINPUTFILE,vbuff,CF_BUFSIZE-1);
}
}
}
/**
* @warning Make sure you've called CryptoInitialize() first!
*/
bool TLSClientInitialize()
{
int ret;
static bool is_initialised = false;
if (is_initialised)
{
return true;
}
if (!TLSGenericInitialize())
{
return false;
}
SSLCLIENTCONTEXT = SSL_CTX_new(SSLv23_client_method());
if (SSLCLIENTCONTEXT == NULL)
{
Log(LOG_LEVEL_ERR, "SSL_CTX_new: %s",
ERR_reason_error_string(ERR_get_error()));
goto err1;
}
TLSSetDefaultOptions(SSLCLIENTCONTEXT);
if (PRIVKEY == NULL || PUBKEY == NULL)
{
Log(CryptoGetMissingKeyLogLevel(),
"No public/private key pair is loaded, trying to reload");
LoadSecretKeys();
if (PRIVKEY == NULL || PUBKEY == NULL)
{
Log(CryptoGetMissingKeyLogLevel(),
"No public/private key pair found");
goto err2;
}
}
/* Create cert into memory and load it into SSL context. */
SSLCLIENTCERT = TLSGenerateCertFromPrivKey(PRIVKEY);
if (SSLCLIENTCERT == NULL)
{
Log(LOG_LEVEL_ERR,
"Failed to generate in-memory-certificate from private key");
goto err2;
}
SSL_CTX_use_certificate(SSLCLIENTCONTEXT, SSLCLIENTCERT);
ret = SSL_CTX_use_RSAPrivateKey(SSLCLIENTCONTEXT, PRIVKEY);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Failed to use RSA private key: %s",
ERR_reason_error_string(ERR_get_error()));
goto err3;
}
/* Verify cert consistency. */
ret = SSL_CTX_check_private_key(SSLCLIENTCONTEXT);
if (ret != 1)
{
Log(LOG_LEVEL_ERR, "Inconsistent key and TLS cert: %s",
ERR_reason_error_string(ERR_get_error()));
goto err3;
}
is_initialised = true;
return true;
err3:
X509_free(SSLCLIENTCERT);
SSLCLIENTCERT = NULL;
err2:
SSL_CTX_free(SSLCLIENTCONTEXT);
SSLCLIENTCONTEXT = NULL;
err1:
return false;
}
