Example #1
0
static void set_route(struct connection_data *data, struct vpn_route *route)
{
	/*
	 * If the VPN administrator/user has given a route to
	 * VPN server, then we must discard that because the
	 * server cannot be contacted via VPN tunnel.
	 */
	if (check_host(data->host_ip, route->network) == TRUE) {
		DBG("Discarding VPN route to %s via %s at index %d",
			route->network, route->gateway, data->index);
		return;
	}

	if (route->family == AF_INET6) {
		unsigned char prefix_len = atoi(route->netmask);

		connman_inet_add_ipv6_network_route(data->index,
							route->network,
							route->gateway,
							prefix_len);
	} else {
		connman_inet_add_network_route(data->index, route->network,
						route->gateway,
						route->netmask);
	}
}
Example #2
0
/* check whether cert is preauthorized. If host is not null, verify that
 * it matches the certificate.
 * Return > 0: authorized, < 0: problems, 0: unknown validity */
static int ssl_check_preauth (X509 *cert, const char* host)
{
        char buf[SHORT_STRING];

/* check session cache first */
        if (check_certificate_cache (cert)) {
                dprint (2, (debugfile, "ssl_check_preauth: using cached certificate\n"));
                return 1;
        }

        buf[0] = 0;
        if (host && option (OPTSSLVERIFYHOST) != M_NO) {
                if (!check_host (cert, host, buf, sizeof (buf))) {
                        mutt_error (_("Certificate host check failed: %s"), buf);
                        mutt_sleep (2);
                        return -1;
                }
                dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n"));
        }

        if (check_certificate_by_signer (cert)) {
                dprint (2, (debugfile, "ssl_check_preauth: signer check passed\n"));
                return 1;
        }

/* automatic check from user's database */
        if (SslCertFile && check_certificate_by_digest (cert)) {
                dprint (2, (debugfile, "ssl_check_preauth: digest check passed\n"));
                return 1;
        }

        return 0;
}
Example #3
0
/*
 * check AUTH_SYS
 */
static int
check_sys(
	struct svc_req		*rqstp,		/* RPC stuff */
	int			amode,		/* R_OK | W_OK */
	md_error_t		*ep		/* returned status */
)
{
	static mutex_t		mx = DEFAULTMUTEX;
	struct authsys_parms	*sys_credp;

	/* for read, anything is OK */
	if (! (amode & W_OK))
		return (0);

	/* single thread (not really needed if daemon stays single threaded) */
	mutex_lock(&mx);

	/* check for remote root or METAD_GID */
	/*LINTED*/
	sys_credp = (struct authsys_parms *)rqstp->rq_clntcred;
	if ((check_gid14(sys_credp->aup_uid) == 0) ||
	    (check_host(rqstp) == 0)) {
		mutex_unlock(&mx);
		return (0);
	}

	/* return failure */
	mutex_unlock(&mx);
	return (mdsyserror(ep, EACCES, "rpc.metad"));
}
Example #4
0
int main(int argc, char *argv[]){

	if(argc != 3){
		help();
	}

	char *target = argv[1], *arquivo = argv[2], *subdominio, line[1024];
	FILE *arq;

	int i, j;
	size_t host_len;

	if( (arq = fopen(arquivo, "rt")) == NULL ){
		error(stderr, "fopen() failed\n");
		return 1;
	}

	host_len = strlen(target);

	while(!feof(arq)){

		if( fgets(line, 1024, arq) ){
			chomp(line);

			if( (subdominio = malloc( host_len + strlen(line) + 2)) == NULL ){
				error(stderr, "malloc() failed\n");
				exit(1);
			}

			for(j=0; line[j]; j++){
				subdominio[j] = line[j];
			}

			if(j){
				if(line[j-1] != '.' && target[0] != '.'){
					subdominio[j++] = '.';
				}
			}

			for(i=0; target[i]; i++, j++){
				subdominio[j] = target[i];
			}

			subdominio[j] = 0x0;


			info(stdout, "Checking -> %s\n", subdominio);
			check_host(subdominio);
			free(subdominio);

		}
	}

	fclose(arq);

	return 0;
}
void CheckHostThread::run()
{
    while(!stopped){
        //this->mutex.lock();
        //QSettings *checkini=new QSettings(file,QSettings::IniFormat);
        inifile=new QSettings(this->file,QSettings::IniFormat);
        check_host(inifile);
        if(this->isFinished())
            stop();
    }
    //this->mutex.unlock();
}
Example #6
0
static int check_attempt(const abl_args *args, abl_info *info) {
    int err;
    time_t tm = time(NULL);
    if (info->user != NULL && info->service != NULL && info->host != NULL) {
        info->subject = HOST;
        err = check_host(args, info, tm);
        if (err) log_warning(args,"Failed to check host.");
        if (info->state == BLOCKED ) {
            /*No point in continuing since they've failed.*/
            return 0;
        }

        info->subject = USER;
        err = check_user(args, info, tm);
        if (err) log_warning(args,"Failed to check user.");
        
    }
    return 0;
}
Example #7
0
/* let's go... */
int main(int argc, char *argv[])
{
    int c = 0;
    ctrl_t *ctrl = NULL;


    /* banner is very important */
    banner();
    check_argc(argc);
    ctrl = alloc_structs();
    ctrl = set_ctrl_defaults(ctrl);

    while ((c = getopt(argc, argv, "h:t:s:m:p:vVH")) != -1) {
        switch (c) {
        case 'h':
            check_host(optarg);
            ctrl->packet->host = convert_host(optarg);
            break;
        case 't':
            check_pkt_type(ctrl, optarg);
            ctrl->packet->type = (unsigned char) ATOI(optarg);
            break;
        case 's':
            check_shell_mode(ctrl, optarg);
            ctrl->shell->mode = (unsigned char) ATOI(optarg);
            break;
        case 'm':
            ctrl->packet->payload = optarg;
            break;
        case 'p':
            check_port(ctrl, ATOI(optarg));
            ctrl->packet->port = (uint16_t) ATOI(optarg);
            break;
        case 'v':
            ctrl->verbose = VERBOSE;
            break;
        case 'V':
            puts(VERSION);
            __EXIT_SUCCESS;
            break;
        case 'H':
            usage();
            __EXIT_SUCCESS;
            break;
        default:
            __EXIT_FAILURE;
        }
    }

    /* few checks before we can go on */
    __VERBOSE_ARGS;
    check_args(ctrl);
    check_uid(ctrl);

    /* install signal handler */
    install_signals();

    /* let's go */
    start_trixd00r(ctrl);
    end_trixd00r(ctrl);

    return 0;
}
Example #8
0
int
main(int argc, char *argv[])
{
	int	eflag = 0, dflag = 0, nflag = 0;
	int	uflag = 0, vflag = 0, Eflag = 0;
	int	status, ch, fd;
	char	*input = NULL, *output = NULL;
	DBM	*db;
	datum	key, val;
	DBM	*new_db = NULL;
	static	char mapname[] = "ypdbXXXXXXXXXX";
	char	db_mapname[PATH_MAX], db_outfile[PATH_MAX];
	char	db_tempname[PATH_MAX];
	char	user[4096], host[4096]; /* XXX: DB bsize = 4096 in ypdb.c */
	char	myname[HOST_NAME_MAX+1], datestr[11], *slash;

	while ((ch = getopt(argc, argv, "Edensuv")) != -1)
		switch (ch) {
		case 'E':
			eflag = 1;	/* Check hostname */
			Eflag = 1;	/* .. even check MX records */
			break;
		case 'd':
			dflag = 1;	/* Don't check DNS hostname */
			break;
		case 'e':
			eflag = 1;	/* Check hostname */
			break;
		case 'n':
			nflag = 1;	/* Capitalize name parts */
			break;
		case 's':		/* Ignore */ 
			break;
		case 'u':
			uflag = 1;	/* Don't check UUCP hostname */
			break;
		case 'v':
			vflag = 1;	/* Verbose */
			break;
		default:
			usage();
			break;
		}

	if (optind == argc)
		usage();

	input = argv[optind++];
	if (optind < argc)
		output = argv[optind++];
	if (optind < argc)
		usage();

	db = ypdb_open(input, O_RDONLY, 0444);
	if (db == NULL) {
		err(1, "Unable to open input database %s", input);
		/* NOTREACHED */
	}

	if (output != NULL) {
		if (strlen(output) + strlen(YPDB_SUFFIX) > PATH_MAX) {
			errx(1, "%s: file name too long", output);
			/* NOTREACHED */
		}

		snprintf(db_outfile, sizeof(db_outfile),
		    "%s%s", output, YPDB_SUFFIX);

		slash = strrchr(output, '/');
		if (slash != NULL)
			slash[1] = 0;			/* truncate to dir */
		else
			*output = 0;			/* eliminate */

		/* note: output is now directory where map goes ! */

		if (strlen(output) + strlen(mapname) +
		    strlen(YPDB_SUFFIX) > PATH_MAX) {
			errx(1, "%s: directory name too long", output);
			/* NOTREACHED */
		}

		snprintf(db_tempname, sizeof(db_tempname), "%s%s%s", output,
		    mapname, YPDB_SUFFIX);
		fd = mkstemps(db_tempname, 3);
		if (fd == -1)
			goto fail;
		close(fd);

		strncpy(db_mapname, db_tempname, strlen(db_tempname) - 3);
		db_mapname[sizeof(db_mapname) - 1] = '\0';

		new_db = ypdb_open(db_mapname, O_RDWR|O_TRUNC, 0444);
		if (new_db == NULL) {
fail:
			if (fd != -1)
				unlink(db_tempname);
			err(1, "Unable to open output database %s",
			    db_outfile);
			/* NOTREACHED */
		}
	}

	for (key = ypdb_firstkey(db); key.dptr != NULL;
	    key = ypdb_nextkey(db)) {
		val = ypdb_fetch(db, key);

		if (val.dptr == NULL)
			continue;			/* No value */
		if (*key.dptr == '@' && key.dsize == 1)
			continue;			/* Sendmail token */
		if (strncmp(key.dptr, "YP_", 3)==0)	/* YP token */
			continue;
		if (memchr(val.dptr, ',', val.dsize))
			continue;			/* List... */
		if (memchr(val.dptr, '|', val.dsize))
			continue;			/* Pipe... */

		if (!(memchr(val.dptr, '@', val.dsize) ||
		    memchr(val.dptr, '!', val.dsize)))
			continue;		/* Skip local users */

		split_address(val.dptr, val.dsize, user, host);

		if (eflag && check_host(val.dptr, val.dsize, host, dflag, uflag, Eflag)) {
			warnx("Invalid host %s in %*.*s:%*.*s",
			    host, key.dsize, key.dsize, key.dptr,
			    val.dsize, val.dsize, val.dptr);
			continue;
		}

		if (nflag)
			capitalize(key.dptr, key.dsize);

		if (new_db != NULL) {
			status = ypdb_store(new_db, val, key, YPDB_INSERT);
			if (status != 0) {
				warnx("problem storing %*.*s %*.*s",
				    val.dsize, val.dsize, val.dptr,
				    key.dsize, key.dsize, key.dptr);
			}
		}

		if (vflag) {
			printf("%*.*s --> %*.*s\n",
			    val.dsize, val.dsize, val.dptr,
			    key.dsize, key.dsize, key.dptr);
		}

	}

	if (new_db != NULL) {
		snprintf(datestr, sizeof datestr, "%010lld",
		    (long long)time(NULL));
		key.dptr = YP_LAST_KEY;
		key.dsize = strlen(YP_LAST_KEY);
		val.dptr = datestr;
		val.dsize = strlen(datestr);
		status = ypdb_store(new_db, key, val, YPDB_INSERT);
		if (status != 0) {
			warnx("problem storing %*.*s %*.*s",
			    key.dsize, key.dsize, key.dptr,
			    val.dsize, val.dsize, val.dptr);
		}
	}

	if (new_db != NULL) {
		gethostname(myname, sizeof(myname));
		key.dptr = YP_MASTER_KEY;
		key.dsize = strlen(YP_MASTER_KEY);
		val.dptr = myname;
		val.dsize = strlen(myname);
		status = ypdb_store(new_db, key, val, YPDB_INSERT);
		if (status != 0) {
			warnx("problem storing %*.*s %*.*s",
			    key.dsize, key.dsize, key.dptr,
			    val.dsize, val.dsize, val.dptr);
		}
	}

	ypdb_close(db);

	if (new_db != NULL) {
		ypdb_close(new_db);
		if (rename(db_tempname, db_outfile) < 0) {
			err(1, "rename %s -> %s failed", db_tempname,
			    db_outfile);
			/* NOTREACHED */
		}
	}
	return(0);
}
Example #9
0
int
server_mode (const char *pidfile, struct sockaddr_in *phis_addr)
{
  int ctl_sock, fd;
  struct servent *sv;
  int port;
  static struct  sockaddr_in server_addr;  /* Our address.  */

  /* Become a daemon.  */
#ifdef HAVE_DAEMON
  if (daemon(1,1) < 0)
#endif
    {
      syslog (LOG_ERR, "failed to become a daemon");
      return -1;
    }
  (void) signal (SIGCHLD, reapchild);

  /* Get port for ftp/tcp.  */
  sv = getservbyname ("ftp", "tcp");
  port = (sv == NULL) ? DEFPORT : sv->s_port;

  /* Open socket, bind and start listen.  */
  ctl_sock = socket (AF_INET, SOCK_STREAM, 0);
  if (ctl_sock < 0)
    {
      syslog (LOG_ERR, "control socket: %m");
      return -1;
    }

  /* Enable local address reuse.  */
  {
    int on = 1;
    if (setsockopt (ctl_sock, SOL_SOCKET, SO_REUSEADDR,
		    (char *)&on, sizeof(on)) < 0)
      syslog (LOG_ERR, "control setsockopt: %m");
  }

  memset (&server_addr, 0, sizeof server_addr);
  server_addr.sin_family = AF_INET;
  server_addr.sin_port = htons (port);

  if (bind (ctl_sock, (struct sockaddr *)&server_addr, sizeof server_addr))
    {
      syslog (LOG_ERR, "control bind: %m");
      return -1;
    }
  if (listen (ctl_sock, 32) < 0)
    {
      syslog (LOG_ERR, "control listen: %m");
      return -1;
    }

  /* Stash pid in pidfile.  */
  {
    FILE *pid_fp = fopen (pidfile, "w");
    if (pid_fp == NULL)
      syslog (LOG_ERR, "can't open %s: %m", PATH_FTPDPID);
    else
      {
	fprintf (pid_fp, "%d\n", getpid());
	fchmod (fileno(pid_fp), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
	fclose (pid_fp);
      }
  }

  /* Loop forever accepting connection requests and forking off
     children to handle them.  */
  while (1)
    {
      int addrlen = sizeof (*phis_addr);
      fd = accept (ctl_sock, (struct sockaddr *)phis_addr, &addrlen);
#ifdef HAVE_WORKING_FORK
      if (fork () == 0) /* child */
#else
      if (vfork () == 0) /* child */
#endif
	{
	  (void) dup2 (fd, 0);
	  (void) dup2 (fd, 1);
	  close (ctl_sock);
	  break;
	}
      close (fd);
    }

#ifdef WITH_WRAP
  /* In the child.  */
  if (!check_host ((struct sockaddr *)phis_addr))
    return -1;
#endif
  return fd;
}
Example #10
0
File: ssl.c Project: darnir/neomutt
/**
 * ssl_verify_callback - Certificate verification callback
 * @param preverify_ok If true, don't question the user if they skipped verification
 * @param ctx          X509 store context
 * @retval true  Certificate is valid
 * @retval false Error, or Certificate is invalid
 *
 * Called for each certificate in the chain sent by the peer, starting from the
 * root; returning true means that the given certificate is trusted, returning
 * false immediately aborts the SSL connection
 */
static int ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
  char buf[256];
  const char *host = NULL;
  size_t len;
  int pos;
  X509 *cert = NULL;
  SSL *ssl = NULL;
  bool skip_mode;

  ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
  if (!ssl)
  {
    mutt_debug(LL_DEBUG1,
               "failed to retrieve SSL structure from X509_STORE_CTX\n");
    return false;
  }
  host = SSL_get_ex_data(ssl, HostExDataIndex);
  if (!host)
  {
    mutt_debug(LL_DEBUG1, "failed to retrieve hostname from SSL structure\n");
    return false;
  }

  /* This is true when a previous entry in the certificate chain did
   * not verify and the user manually chose to skip it via the
   * $ssl_verify_partial_chains option.
   * In this case, all following certificates need to be treated as non-verified
   * until one is actually verified.  */
  skip_mode = (SSL_get_ex_data(ssl, SkipModeExDataIndex));

  cert = X509_STORE_CTX_get_current_cert(ctx);
  pos = X509_STORE_CTX_get_error_depth(ctx);
  len = sk_X509_num(X509_STORE_CTX_get0_chain(ctx));

  mutt_debug(LL_DEBUG1, "checking cert chain entry %s (preverify: %d skipmode: %d)\n",
             X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)),
             preverify_ok, skip_mode);

#ifdef HAVE_SSL_PARTIAL_CHAIN
  /* Sometimes, when a certificate is (s)kipped, OpenSSL will pass it
   * a second time with preverify_ok = 1.  Don't show it or the user
   * will think their "s" key is broken.  */
  if (C_SslVerifyPartialChains)
  {
    static int last_pos = 0;
    static X509 *last_cert = NULL;
    if (skip_mode && preverify_ok && (pos == last_pos) && last_cert)
    {
      unsigned char last_cert_md[EVP_MAX_MD_SIZE];
      unsigned int last_cert_mdlen;
      if (X509_digest(last_cert, EVP_sha256(), last_cert_md, &last_cert_mdlen) &&
          compare_certificates(cert, last_cert, last_cert_md, last_cert_mdlen))
      {
        mutt_debug(LL_DEBUG2, "ignoring duplicate skipped certificate.\n");
        return true;
      }
    }

    last_pos = pos;
    if (last_cert)
      X509_free(last_cert);
    last_cert = X509_dup(cert);
  }
#endif

  /* check session cache first */
  if (check_certificate_cache(cert))
  {
    mutt_debug(LL_DEBUG2, "using cached certificate\n");
    SSL_set_ex_data(ssl, SkipModeExDataIndex, NULL);
    return true;
  }

  /* check hostname only for the leaf certificate */
  buf[0] = '\0';
  if ((pos == 0) && (C_SslVerifyHost != MUTT_NO))
  {
    if (check_host(cert, host, buf, sizeof(buf)) == 0)
    {
      mutt_error(_("Certificate host check failed: %s"), buf);
      /* we disallow (a)ccept always in the prompt, because it will have no effect
       * for hostname mismatches. */
      return interactive_check_cert(cert, pos, len, ssl, false);
    }
    mutt_debug(LL_DEBUG2, "hostname check passed\n");
  }

  if (!preverify_ok || skip_mode)
  {
    /* automatic check from user's database */
    if (C_CertificateFile && check_certificate_by_digest(cert))
    {
      mutt_debug(LL_DEBUG2, "digest check passed\n");
      SSL_set_ex_data(ssl, SkipModeExDataIndex, NULL);
      return true;
    }

    /* log verification error */
    int err = X509_STORE_CTX_get_error(ctx);
    snprintf(buf, sizeof(buf), "%s (%d)", X509_verify_cert_error_string(err), err);
    mutt_debug(LL_DEBUG2, "X509_verify_cert: %s\n", buf);

    /* prompt user */
    return interactive_check_cert(cert, pos, len, ssl, true);
  }

  return true;
}
Example #11
0
/*{
** Name: II_PrecheckInstallationEx - Extended installation environment pre-check
**
** Description:
**  Verify that a machine environment will support the current release of
**  Ingres.
**  The following checks may be made by specifying the required set of flags:
**(E
**
**  a. Test for invalid characters in the machine hostname
**  b. Test for invalid characters in the username
**  c. A minimum operating system version
**  d. Test that the path value supplied for II_SYSTEM
**      i)      does not contain disallowed characters (Windows only)
**      ii)     consists of an existing parent directory
**  e. Test that the operating system user of the running process is granted
**     permission to write in d.ii).
**  f. The value of the instancecode field in the response file is tested
**     for valid characters and character sequences.
**)E
**
**  The path check flags II_CHK_PATHDIR and II_CHK_PATHPERM may be combined
**  (bit wise); they include an implicit II_CHK_PATHCHAR. All path checks
**  implicitly include an II_CHK_PATHLEN flag.
**  Use the II_CHK_ALL flag as a convenient shorthand to perform each of the
**  tests together.
**  Specifying a flag of zero will check for the existence of the
**  II_SYSTEM entry in the response file.
**
** Inputs:
**  eflags          Specifies the pre-installation checks to be performed.
**                  Can be a combination of the following
**                  0                   Test for existence of II_SYSTEM entry
**                                      in response file
**                  II_CHK_HOSTNAME     Verify characters in machine name
**                  II_CHK_OSVERSION    Verify minimum OS version
**                  II_CHK_PATHCHAR     Check characters used in II_SYSTEM
**                  II_CHK_PATHDIR      Check II_SYSTEM path for a valid
**                                      existing directory
**                  II_CHK_PATHPERM     Check path write permissions
**                  II_CHK_PATHLEN      Check length of path not exceeded
**                  II_CHK_USERNAME     Verify characters in user name
**                  II_CHK_INSTCODE     Verify characters of the configured
**                                      instance code
**                  II_CHK_ALL          Equivalent to II_PrecheckInstallation
**                                      call.
**  architecture    The value of architecture is used only if the
**                  II_CHK_VERSION flag is set in the eflags field.
**                  If the II_CHK_VERSION flag is set
**                      Let the value of architecture be set as follows:
**                      Case:
**                          -   II_DEFVER determines if the suitability of
**                              the internal Ingres platform architecture
**                              is appropriate for the operating architecture.
**                          -   Determines if the suitability of the defined
**                              value of architecture is appropriate for the
**                              operating architecture.
**                  If the II_CHK_VERSION flag is not set
**                      Let the value of architecture be set to II_DEFVER.
**
**  response_file   Path to the Embedded Ingres response file
**                  For more information concerning response file options
**                  please see the Ingres Embedded Edition User Guide.
**                  This function requires valid values for the II_SYSTEM and
**                  charmap entries.
**
** Outputs:
**  error_msg       Message text for status.  If the message text exceeds
**                  MAX_IIERR_LEN then the message is truncated to
**                  MAX_IIERR_LEN.
**                  Unchanged if II_SUCCESSFUL is returned.
**
** Returns:
**  II_SUCCESSFUL           The environment test completed successfully
**  II_NULL_PARAM           The parameters passed are invalid
**  II_NO_INSTALL_PATH      Error reading response file or no II_SYSTEM entry
**  II_NO_CHAR_MAP          Error reading response file or no II_CHARMAP entry
**  II_CHARMAP_ERROR        Error processing character mapping file
**  II_GET_COMPUTER_FAIL    Attempt to retrieve computer name failed
**  II_INVALID_HOST         Computer name contains illegal characters
**  II_GET_HOST_FAILED      Attempt to retrieve the network name failed
**  II_INVALID_USER         The username contains illegal characters
**  II_UNMATCHED_NAME       Computer name does not match network name
**  II_OS_NOT_MIN_VERSION   OS version does not meet the minimum requirement
**  II_BAD_PATH             The II_SYSTEM path is incorrectly formed
**  II_INVAL_CHARS_IN_PATH  The II_SYSTEM path contains illegal characters
**  II_PATH_NOT_DIR         The II_SYSTEM path does not contain a valid
**                          directory
**  II_PATH_CANNOT_WRITE    No write permission in the II_SYSTEM directory or
**                          a parent directory.
**  II_PATH_EXCEEDED        Length of the path exceeds permitted maximum
**  II_INVALID_INSTANCECODE Instance code contains illegal characters
**  II_INSTANCE_ERROR       Error reading instance code or no instancecode
**                          entry.
**
** Example:
**  # include "tngapi.h"
**
**  # if defined(UNIX)
**  II_CHAR reponsefile[] = {"./ingres.rsp"};
**  # else
**  II_CHAR reponsefile[] = {".\\ingres.rsp"};
**  # endif
**  II_INT4 status;
**  II_INT4 eflags = (II_CHK_HOSTNAME | II_CHK_OSVERSION | \
**      II_CHK_PATHCHAR | II_CHK_PATHDIR | II_CHK_PATHPERM | II_CHK_PATHLEN \
**      II_CHK_INSTCODE);
**  II_CHAR error_msg[MAX_IIERR_LEN + 1] = { '\0' };
**
**  if ((status = II_PrecheckInstallationEx( eflags, II_DEFARCH, responsefile,
**      error_msg )) != II_SUCCESSFUL)
**  {
**      printf( "II_PrecheckInstallationEx failed - %s\n", error_msg );
**  }
**
**  if ((status = II_PrecheckInstallationEx( II_CHK_OSVERSION, II_IA64,
**      responsefile, error_msg )) != II_SUCCESSFUL)
**  {
**      printf( "II_PrecheckInstallationEx failed - %s\n", error_msg );
**      if (status == II_OS_NOT_MIN_VERSION)
**      {
**          printf( "Target environment is unsuitable for IA64 binaries\n");
**      }
**  }
**
** Side Effects:
**  none
**
** History:
**  07-Sep-2004 (fanra01)
**      Created based on II_PrecheckInstallation.
**  30-Jun-2005 (fanra01)
**      Moved and extended path validation into check_path function.
**  18-Aug-2005 (fanra01)
**      Include path length check on character map file.
}*/
int
II_PrecheckInstallationEx(
    int     eflags,
    int     architecture,
    char*   response_file,
    char*   error_msg
)
{
    i4                  status = II_SUCCESSFUL;
    i4			        flags;
    i4                  pathlen;
    LOCATION		    loc;
    LOINFORMATION	    loinfo;
    char		        buf[MAX_LOC + 3]; /* over size buffer to detect overrun */
    char		        charmap[MAX_LOC + 3];
    char		        ii_install[MAX_LOC + 3];
    CL_ERR_DESC         clerr;
    i4                  pathchk = 0;
    
    while(TRUE)
    {
        if (!response_file || !error_msg)
        {
            status = II_NULL_PARAM;
            break;
        }
        if ((pathlen = GetPrivateProfileString( ERx("Ingres Configuration"),
            ERx("II_SYSTEM"), "", buf, sizeof(buf), response_file )) == 0)
        {
            status = II_NO_INSTALL_PATH;
            break;
        }
        else
        {
            if ((pathchk = (eflags & (II_CHK_PATHCHAR | II_CHK_PATHDIR |
                             II_CHK_PATHPERM | II_CHK_PATHLEN))) &&
                (pathlen > MAX_LOC))
            {
                status = II_PATH_EXCEEDED;
                break;
            }
        }
        if (eflags & II_CHK_INSTCODE)
        {
            if ((pathlen = GetPrivateProfileString("Ingres Configuration",
                 II_INSTCODE, "", ii_install, sizeof(ii_install), response_file)) == 0)
            {
                status = II_INSTANCE_ERROR;
                break;
            }
            else
            {
                if ((status = check_instcode( ii_install )) != II_SUCCESSFUL)
                {
                    break;
                }
            }
        }
        if ((eflags & (II_CHK_HOSTNAME | II_CHK_USERNAME | pathchk)) &&
            ((pathlen = GetPrivateProfileString("Ingres Configuration",
             II_CHARMAP, "", charmap, sizeof(charmap), response_file)) == 0))
        {
            status = II_NO_CHAR_MAP;
            break;
        }
        else
        {
            if (eflags & (II_CHK_HOSTNAME | II_CHK_USERNAME | pathchk))
            {
                if (pathlen > MAX_LOC)
                {
                    status = II_PATH_EXCEEDED;
                    break;
                }
                else
                {
#if defined(UNIX)
                    if ((status = CMset_attr( charmap, &clerr )) != 0)
#else
                    if ((status = CMread_attr( II_CHARSET, charmap, &clerr )) != 0)
#endif 
                    {
                        status = II_CHARMAP_ERROR;
                        break;
                    }
                }
            }
        }
    
        if ((eflags & II_CHK_HOSTNAME) &&
            ((status = check_host()) != II_SUCCESSFUL))
        {
            break;
        }
        
        if ((eflags & II_CHK_USERNAME) &&
            ((status = check_user()) != II_SUCCESSFUL))
        {
            break;
        }
        
        if ((eflags & II_CHK_OSVERSION) &&
            (check_platform( architecture ) != OK))
        {
            status = II_OS_NOT_MIN_VERSION;
            break;
        }

        /*
        ** Perform path validation test.
        */
        if (eflags & (II_CHK_PATHCHAR | II_CHK_PATHDIR | II_CHK_PATHPERM))
        {
            status = check_path( buf, eflags );
            break;
        }
        break;
    }
    if ((status != II_SUCCESSFUL) && (error_msg != NULL))
    {
        II_GetErrorMessage( error_msgs[status], error_msg );
    }
    return(status);
}
Example #12
0
/*{
** Name: II_PrecheckInstallation - Pre-check installation environment
**
** Description:
**	Verify that a machine environment will support the current release of
**	Ingres. The following checks are made:
**(E
**	a. A minimum operating system version
**	b. Other required software (currently none)
**	c. Check the install path
**	   - exists
**	   - that user can write to it
**	   - does not have any disallowed characters (Windows only).
**)E
**
** Inputs:
**	response_file	path to the Embedded Ingres response file.
**                  For more information concerning response file options
**                  please see the Ingres Embedded Edition User Guide.
**
** Outputs:
**  error_msg       Message text for status.  If the message text exceeds
**                  MAX_IIERR_LEN then the message is truncated to
**                  MAX_IIERR_LEN.
**                  Unchanged if II_SUCCESSFUL is returned.
**
** Returns:
**  II_SUCCESSFUL           The environment test completed successfully
**  II_NULL_PARAM           The parameters passed are invalid
**  II_NO_INSTALL_PATH      Error reading response file or no II_SYSTEM entry
**  II_CHARMAP_ERROR        Error processing character mapping file
**  II_GET_COMPUTER_FAIL    Attempt to retrieve computer name failed
**  II_INVALID_HOST         Computer name contains illegal characters
**  II_GET_HOST_FAILED      Attempt to retrieve the network name failed
**  II_INVALID_USER         The username contains illegal characters
**  II_UNMATCHED_NAME       Computer name does not match network name
**  II_OS_NOT_MIN_VERSION   OS version does not meet the minimum requirement
**  II_BAD_PATH             The II_SYSTEM path is incorrectly formed
**  II_INVAL_CHARS_IN_PATH  The II_SYSTEM path contains illegal characters
**  II_PATH_NOT_DIR         The II_SYSTEM path is not a directory
**  II_PATH_CANNOT_WRITE    No write permission in the II_SYSTEM directory
**  II_PATH_EXCEEDED        Length of the path exceeds permitted maximum
**
** Example:
**  # include "tngapi.h"
**
**  # if defined(UNIX)
**  II_CHAR reponsefile[] = {"./ingres.rsp"};
**  # else
**  II_CHAR reponsefile[] = {".\\ingres.rsp"};
**  # endif
**  II_INT4 status;
**  II_CHAR error_msg[MAX_IIERR_LEN + 1] = { '\0' };
**
**  if ((status = II_PrecheckInstallation( responsefile, error_msg )) !=
**      II_SUCCESSFUL)
**  {
**      printf( "II_PrecheckInstallation failed - %s\n", error_msg );
**  }
**
** Side Effects:
**	none
**
** History:
**	16-apr-2002 (abbjo03)
**	    Written.
**  11-Jul-2005 (fanra01)
**      Add more specific status code from check_path_chars.
*/
int
II_PrecheckInstallation(
char	*response_file,
char	*error_msg)
{
    LOCATION		loc;
    char		buf[MAX_LOC];
    char		charmap[MAX_LOC+1];
    LOINFORMATION	loinfo;
    i4			flags;
    int			result;
    CL_ERR_DESC clerr;

    if (!response_file || !error_msg)
    {
        result = II_NULL_PARAM;
        if (error_msg)
            II_GetErrorMessage(error_msgs[result], error_msg);
        return result;
    }

    if (!GetPrivateProfileString("Ingres Configuration", "II_SYSTEM", "", buf,
	    sizeof(buf), response_file))
    {
        result = II_NO_INSTALL_PATH;
        II_GetErrorMessage(error_msgs[result], error_msg);
        return result;
    }
    
    /*
    ** Get the charmap field from the response file.
    */
    if (!GetPrivateProfileString("Ingres Configuration", II_CHARMAP, "",
        charmap, sizeof(charmap), response_file))
    {
        result = II_NO_CHAR_MAP;
        II_GetErrorMessage(error_msgs[result], error_msg);
        return result;
    }

    /*
    ** Open and read the character map specified in the response file.
    ** This is a special installation character description file.
    */
#if defined(UNIX)
    if ((result = CMset_attr( charmap, &clerr )) != 0)
#else
    if ((result = CMread_attr( II_CHARSET, charmap, &clerr )) != 0)
#endif 
    {
        result = II_CHARMAP_ERROR;
        II_GetErrorMessage( error_msgs[result], error_msg );
        return(result);
    }

    if ((result = check_user()) != II_SUCCESSFUL)
    {
        II_GetErrorMessage( error_msgs[result], error_msg );
        return(result);
    }

    if ((result = check_host()) != II_SUCCESSFUL)
    {
        II_GetErrorMessage( error_msgs[result], error_msg );
        return(result);
    }
    
    if (check_platform( II_DEFARCH ) != OK)
    {
	result = II_OS_NOT_MIN_VERSION;
	II_GetErrorMessage(error_msgs[result], error_msg);
	return result;
    }

    if (LOfroms(PATH & FILENAME, buf, &loc) != OK)
    {
	result = II_BAD_PATH;
	II_GetErrorMessage(error_msgs[result], error_msg);
	return result;
    }

    flags = LO_I_TYPE | LO_I_PERMS;
    if (LOinfo(&loc, &flags, &loinfo) != OK)
    {
	result = II_BAD_PATH;
	II_GetErrorMessage(error_msgs[result], error_msg);
	return result;
    }

    if ((flags & LO_I_TYPE) == 0 || loinfo.li_type != LO_IS_DIR)
    {
	result = II_PATH_NOT_DIR;
	II_GetErrorMessage(error_msgs[result], error_msg);
	return result;
    }
    if ((flags & LO_I_PERMS) == 0 || (loinfo.li_perms & LO_P_WRITE) == 0)
    {
	result = II_PATH_CANNOT_WRITE;
	II_GetErrorMessage(error_msgs[result], error_msg);
	return result;
    }
    
    if (check_path_chars(&loc, &result))
    {
        switch(result)
        {
            case LO_BAD_DEVICE:
                result = II_BAD_PATH;
                break;
            case LO_NOT_PATH:
            case LO_NOT_FILE:
            default:
                result = II_INVAL_CHARS_IN_PATH;
                break;
        }
	II_GetErrorMessage(error_msgs[result], error_msg);
	return result;
    }
    
    result = II_SUCCESSFUL;
    II_GetErrorMessage(error_msgs[result], error_msg);
    return result;
}
Example #13
0
int process_header_end(request * req)
{
    if (!req->logline) {
        log_error_doc(req);
        fputs("No logline in process_header_end\n", stderr);
        send_r_error(req);
        return 0;
    }

    /* Percent-decode request */
    if (unescape_uri(req->request_uri, &(req->query_string)) == 0) {
        log_error_doc(req);
        fputs("URI contains bogus characters\n", stderr);
        send_r_bad_request(req);
        return 0;
    }

    /* clean pathname */
    clean_pathname(req->request_uri);

    if (req->request_uri[0] != '/') {
        log_error("URI does not begin with '/'\n");
        send_r_bad_request(req);
        return 0;
    }

    if (vhost_root) {
        char *c;
        if (!req->header_host) {
            req->host = strdup(default_vhost);
        } else {
            req->host = strdup(req->header_host);
        }
        if (!req->host) {
            log_error_doc(req);
            fputs("unable to strdup default_vhost/req->header_host\n", stderr);
            send_r_error(req);
            return 0;
        }
        strlower(req->host);
        /* check for port, and remove
         * we essentially ignore the port, because we cannot
         * as yet report a different port than the one we are
         * listening on
         */
        c = strchr(req->host, ':');
        if (c)
            *c = '\0';

        if (check_host(req->host) < 1) {
            log_error_doc(req);
            fputs("host invalid!\n", stderr);
            send_r_bad_request(req);
            return 0;
        }
    }

    if (translate_uri(req) == 0) { /* unescape, parse uri */
        /* errors already logged */
        SQUASH_KA(req);
        return 0;               /* failure, close down */
    }

    if (req->method == M_POST) {
        req->post_data_fd = create_temporary_file(1, NULL, 0);
        if (req->post_data_fd == 0) {
            /* errors already logged */
            send_r_error(req);
            return 0;
        }
        if (fcntl(req->post_data_fd, F_SETFD, 1) == -1) {
            log_error_doc(req);
            fputs("unable to set close-on-exec for req->post_data_fd!\n", stderr);
            close(req->post_data_fd);
            req->post_data_fd = 0;
            send_r_error(req);
            return 0;
        }
        return 1;             /* success */
    }

    if (req->cgi_type) {
        return init_cgi(req);
    }
    
    req->status = WRITE;
//    return complete_response(req);
    return init_control(req);
//    return init_get(req);       /* get and head */
}
Example #14
0
File: request.c Project: gpg/boa
int process_header_end(request * req)
{
    if (!req->logline) {
        log_error_doc(req);
        fputs("No logline in process_header_end\n", stderr);
        send_r_error(req);
        return 0;
    }

    /* Percent-decode request */
    if (unescape_uri(req->request_uri, &(req->query_string)) == 0) {
        log_error_doc(req);
        fputs("URI contains bogus characters\n", stderr);
        send_r_bad_request(req);
        return 0;
    }

    /* clean pathname */
    clean_pathname(req->request_uri);

    if (req->request_uri[0] != '/') {
        log_error("URI does not begin with '/'\n");
        send_r_bad_request(req);
        return 0;
    }


    if (use_caudium_hack) {
        /* We check whether the path is of the form "/(ll)/foo/..."
           which is used by the Caudium webserver for caching purposes
           and people have bookmarked it.  To cope with this we simply
           strip it of. */
        if (req->request_uri[0] == '/'
            && req->request_uri[1] == '('
            && req->request_uri[2] >= 'a' && req->request_uri[2] <= 'z'
            && req->request_uri[3] >= 'a' && req->request_uri[3] <= 'z'
            && req->request_uri[4] == ')'
            && req->request_uri[5] == '/'
            && req->request_uri[6] ) {
            unsigned int len = strlen(req->request_uri);
            memmove (req->request_uri, req->request_uri+5, len - 5 + 1);
        }
    }

    if (vhost_root) {
        char *c;
        if (!req->header_host) {
            req->host = strdup(default_vhost);
        } else {
            req->host = strdup(req->header_host);
        }
        if (!req->host) {
            log_error_doc(req);
            fputs("unable to strdup default_vhost/req->header_host\n", stderr);
            send_r_error(req);
            return 0;
        }
        strlower(req->host);
        /* check for port, and remove
         * we essentially ignore the port, because we cannot
         * as yet report a different port than the one we are
         * listening on
         */
        c = strchr(req->host, ':');
        if (c)
            *c = '\0';

        if (check_host(req->host) < 1) {
            log_error_doc(req);
            fputs("host invalid!\n", stderr);
            send_r_bad_request(req);
            return 0;
        }
    }

    if (translate_uri(req) == 0) { /* unescape, parse uri */
        /* errors already logged */
        SQUASH_KA(req);
        return 0;               /* failure, close down */
    }

    if (req->method == M_POST) {
        req->post_data_fd = create_temporary_file(1, NULL, 0);
        if (req->post_data_fd == 0) {
            /* errors already logged */
            send_r_error(req);
            return 0;
        }
        if (fcntl(req->post_data_fd, F_SETFD, 1) == -1) {
            boa_perror(req, "unable to set close-on-exec for req->post_data_fd!");
            close(req->post_data_fd);
            req->post_data_fd = 0;
            return 0;
        }
        return 1;             /* success */
    }

    if (req->cgi_type) {
        return init_cgi(req);
    }

    req->status = WRITE;

    return init_get(req);       /* get and head */
}
Example #15
0
unsigned int nf_hook_func(
        unsigned int hooknum, struct sk_buff *skb, const struct net_device *in,
        const struct net_device *out, int (*okfn)(struct sk_buff *)) {
    struct sk_buff   *skb_ = skb;
#else
unsigned int nf_hook_func(
        unsigned int hooknum, struct sk_buff **skb, const struct net_device *in,
        const struct net_device *out, int (*okfn)(struct sk_buff *)) {
    struct sk_buff   *skb_ = *skb;
#endif
    struct iphdr     *ip_header_ = NULL;
    struct tcphdr    *tcp_header_ = NULL;
    unsigned char    *tcp_data_ = NULL;

    if (!skb_)
        return NF_ACCEPT;

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
    ip_header_ = ip_hdr(skb_);
#else
    ip_header_ = skb_->h.ipiph;
#endif

    // 仅仅过滤 TCP 协议
    if (!ip_header_ || ip_header_->protocol != IPPROTO_TCP)
        return NF_ACCEPT;

    // 已知在 2.6.18/3.19.2 上,tcp_hdr(skb_) 会返回预期的 tcp 头偏移量。
    // 已知在 2.6.32 上,tcp_hdr(skb_) 与 ip_hdr(skb_) 会返回相同的指针地址。
    //
    // 2.6.32:
    // TCP 包来自 1/2 层,netfilter/ipv4 钩子会在第 3 层被注入。
    // 因此,此时使用 tcp_hdr 函数不会获得预期的 tcp 头偏移量。
    // 直接根据 IP 头偏移量计算 TCP 头偏移量是最合适的
    tcp_header_ = (struct tcphdr *)((__u32 *)ip_header_ + ip_header_->ihl);

    // 仅仅过滤指定的 HTTP 端口
    if (htons(tcp_header_->dest) != HTTP_PORT)
        return NF_ACCEPT;

    // 如果是信任的网络,则放行。不做任何过滤
    // 因此,如果本机作为转发网关,必须添加内网网段,内网网络才能访问公网。
    if (check_net(ip_header_->saddr, g_net_array, g_net_array_size))
        return NF_ACCEPT;

    //    GET / HTTP/1.1\r\n
    //    User-Agent: curl/7.41.0\r\n
    //    Host: abc.com\r\n
    //    Accept: */*\r\n
    //    \r\n
    tcp_data_ = get_tcp_data(skb_, ip_header_, tcp_header_);

    // 跳过非 HTTP 头相关包
    if (!check_http_header(tcp_data_))
        return NF_ACCEPT;

    // 如果是信任的主机,则放行
    if (check_host(tcp_data_, g_hosts, g_hosts_size))
        return NF_ACCEPT;

    return NF_DROP;
}

static struct nf_hook_ops g_nf_hook = {
        .hook = (nf_hookfn*) nf_hook_func,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)
        .hooknum = NF_INET_PRE_ROUTING,
#else
        .hooknum = NF_IP_PRE_ROUTING,
#endif
        .pf = PF_INET,
        .priority = NF_IP_PRI_FIRST
};

int init_module() {
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,18)
    pr_err("[%s] Linux Kernel Version does not supported.\n", MODOUBLE_NAME);
    return -1;
#endif

    pr_info("Loading module \"%s\"\n", MODOUBLE_NAME);

    if (!init_host_str(&g_hosts, &g_hosts_size)) {
        pr_err("Cannot initialize host whitelist.\n");
        pr_err("Cannot load module \"%s\"\n", MODOUBLE_NAME);
        return -1;
    }

    if (!init_net_array(&g_net_array, &g_net_array_size)) {
        pr_err("Cannot initialize network whitelist.\n");
        pr_err("Cannot load module \"%s\"\n", MODOUBLE_NAME);
        return -1;
    }

    if (nf_register_hook(&g_nf_hook) < 0) {
        pr_err("Cannot register netfilter hook.\n");
        pr_err("Cannot load module \"%s\"\n", MODOUBLE_NAME);
        return -1;
    }

    return 0;
}

void cleanup_module() {
    pr_info("Unloading module \"%s\"\n", MODOUBLE_NAME);
    if (g_hosts) kfree(g_hosts);
    if (g_net_array) kfree(g_net_array);
    nf_unregister_hook(&g_nf_hook);
}