static void set_route(struct connection_data *data, struct vpn_route *route)
{
/*
* If the VPN administrator/user has given a route to
* VPN server, then we must discard that because the
* server cannot be contacted via VPN tunnel.
*/
if (check_host(data->host_ip, route->network) == TRUE) {
DBG("Discarding VPN route to %s via %s at index %d",
route->network, route->gateway, data->index);
return;
}
if (route->family == AF_INET6) {
unsigned char prefix_len = atoi(route->netmask);
connman_inet_add_ipv6_network_route(data->index,
route->network,
route->gateway,
prefix_len);
} else {
connman_inet_add_network_route(data->index, route->network,
route->gateway,
route->netmask);
}
}
/* check whether cert is preauthorized. If host is not null, verify that
* it matches the certificate.
* Return > 0: authorized, < 0: problems, 0: unknown validity */
static int ssl_check_preauth (X509 *cert, const char* host)
{
char buf[SHORT_STRING];
/* check session cache first */
if (check_certificate_cache (cert)) {
dprint (2, (debugfile, "ssl_check_preauth: using cached certificate\n"));
return 1;
}
buf[0] = 0;
if (host && option (OPTSSLVERIFYHOST) != M_NO) {
if (!check_host (cert, host, buf, sizeof (buf))) {
mutt_error (_("Certificate host check failed: %s"), buf);
mutt_sleep (2);
return -1;
}
dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n"));
}
if (check_certificate_by_signer (cert)) {
dprint (2, (debugfile, "ssl_check_preauth: signer check passed\n"));
return 1;
}
/* automatic check from user's database */
if (SslCertFile && check_certificate_by_digest (cert)) {
dprint (2, (debugfile, "ssl_check_preauth: digest check passed\n"));
return 1;
}
return 0;
}
/*
* check AUTH_SYS
*/
static int
check_sys(
struct svc_req *rqstp, /* RPC stuff */
int amode, /* R_OK | W_OK */
md_error_t *ep /* returned status */
)
{
static mutex_t mx = DEFAULTMUTEX;
struct authsys_parms *sys_credp;
/* for read, anything is OK */
if (! (amode & W_OK))
return (0);
/* single thread (not really needed if daemon stays single threaded) */
mutex_lock(&mx);
/* check for remote root or METAD_GID */
/*LINTED*/
sys_credp = (struct authsys_parms *)rqstp->rq_clntcred;
if ((check_gid14(sys_credp->aup_uid) == 0) ||
(check_host(rqstp) == 0)) {
mutex_unlock(&mx);
return (0);
}
/* return failure */
mutex_unlock(&mx);
return (mdsyserror(ep, EACCES, "rpc.metad"));
}
int main(int argc, char *argv[]){
if(argc != 3){
help();
}
char *target = argv[1], *arquivo = argv[2], *subdominio, line[1024];
FILE *arq;
int i, j;
size_t host_len;
if( (arq = fopen(arquivo, "rt")) == NULL ){
error(stderr, "fopen() failed\n");
return 1;
}
host_len = strlen(target);
while(!feof(arq)){
if( fgets(line, 1024, arq) ){
chomp(line);
if( (subdominio = malloc( host_len + strlen(line) + 2)) == NULL ){
error(stderr, "malloc() failed\n");
exit(1);
}
for(j=0; line[j]; j++){
subdominio[j] = line[j];
}
if(j){
if(line[j-1] != '.' && target[0] != '.'){
subdominio[j++] = '.';
}
}
for(i=0; target[i]; i++, j++){
subdominio[j] = target[i];
}
subdominio[j] = 0x0;
info(stdout, "Checking -> %s\n", subdominio);
check_host(subdominio);
free(subdominio);
}
}
fclose(arq);
return 0;
}
void CheckHostThread::run()
{
while(!stopped){
//this->mutex.lock();
//QSettings *checkini=new QSettings(file,QSettings::IniFormat);
inifile=new QSettings(this->file,QSettings::IniFormat);
check_host(inifile);
if(this->isFinished())
stop();
}
//this->mutex.unlock();
}
static int check_attempt(const abl_args *args, abl_info *info) {
int err;
time_t tm = time(NULL);
if (info->user != NULL && info->service != NULL && info->host != NULL) {
info->subject = HOST;
err = check_host(args, info, tm);
if (err) log_warning(args,"Failed to check host.");
if (info->state == BLOCKED ) {
/*No point in continuing since they've failed.*/
return 0;
}
info->subject = USER;
err = check_user(args, info, tm);
if (err) log_warning(args,"Failed to check user.");
}
return 0;
}
/* let's go... */
int main(int argc, char *argv[])
{
int c = 0;
ctrl_t *ctrl = NULL;
/* banner is very important */
banner();
check_argc(argc);
ctrl = alloc_structs();
ctrl = set_ctrl_defaults(ctrl);
while ((c = getopt(argc, argv, "h:t:s:m:p:vVH")) != -1) {
switch (c) {
case 'h':
check_host(optarg);
ctrl->packet->host = convert_host(optarg);
break;
case 't':
check_pkt_type(ctrl, optarg);
ctrl->packet->type = (unsigned char) ATOI(optarg);
break;
case 's':
check_shell_mode(ctrl, optarg);
ctrl->shell->mode = (unsigned char) ATOI(optarg);
break;
case 'm':
ctrl->packet->payload = optarg;
break;
case 'p':
check_port(ctrl, ATOI(optarg));
ctrl->packet->port = (uint16_t) ATOI(optarg);
break;
case 'v':
ctrl->verbose = VERBOSE;
break;
case 'V':
puts(VERSION);
__EXIT_SUCCESS;
break;
case 'H':
usage();
__EXIT_SUCCESS;
break;
default:
__EXIT_FAILURE;
}
}
/* few checks before we can go on */
__VERBOSE_ARGS;
check_args(ctrl);
check_uid(ctrl);
/* install signal handler */
install_signals();
/* let's go */
start_trixd00r(ctrl);
end_trixd00r(ctrl);
return 0;
}
int
main(int argc, char *argv[])
{
int eflag = 0, dflag = 0, nflag = 0;
int uflag = 0, vflag = 0, Eflag = 0;
int status, ch, fd;
char *input = NULL, *output = NULL;
DBM *db;
datum key, val;
DBM *new_db = NULL;
static char mapname[] = "ypdbXXXXXXXXXX";
char db_mapname[PATH_MAX], db_outfile[PATH_MAX];
char db_tempname[PATH_MAX];
char user[4096], host[4096]; /* XXX: DB bsize = 4096 in ypdb.c */
char myname[HOST_NAME_MAX+1], datestr[11], *slash;
while ((ch = getopt(argc, argv, "Edensuv")) != -1)
switch (ch) {
case 'E':
eflag = 1; /* Check hostname */
Eflag = 1; /* .. even check MX records */
break;
case 'd':
dflag = 1; /* Don't check DNS hostname */
break;
case 'e':
eflag = 1; /* Check hostname */
break;
case 'n':
nflag = 1; /* Capitalize name parts */
break;
case 's': /* Ignore */
break;
case 'u':
uflag = 1; /* Don't check UUCP hostname */
break;
case 'v':
vflag = 1; /* Verbose */
break;
default:
usage();
break;
}
if (optind == argc)
usage();
input = argv[optind++];
if (optind < argc)
output = argv[optind++];
if (optind < argc)
usage();
db = ypdb_open(input, O_RDONLY, 0444);
if (db == NULL) {
err(1, "Unable to open input database %s", input);
/* NOTREACHED */
}
if (output != NULL) {
if (strlen(output) + strlen(YPDB_SUFFIX) > PATH_MAX) {
errx(1, "%s: file name too long", output);
/* NOTREACHED */
}
snprintf(db_outfile, sizeof(db_outfile),
"%s%s", output, YPDB_SUFFIX);
slash = strrchr(output, '/');
if (slash != NULL)
slash[1] = 0; /* truncate to dir */
else
*output = 0; /* eliminate */
/* note: output is now directory where map goes ! */
if (strlen(output) + strlen(mapname) +
strlen(YPDB_SUFFIX) > PATH_MAX) {
errx(1, "%s: directory name too long", output);
/* NOTREACHED */
}
snprintf(db_tempname, sizeof(db_tempname), "%s%s%s", output,
mapname, YPDB_SUFFIX);
fd = mkstemps(db_tempname, 3);
if (fd == -1)
goto fail;
close(fd);
strncpy(db_mapname, db_tempname, strlen(db_tempname) - 3);
db_mapname[sizeof(db_mapname) - 1] = '\0';
new_db = ypdb_open(db_mapname, O_RDWR|O_TRUNC, 0444);
if (new_db == NULL) {
fail:
if (fd != -1)
unlink(db_tempname);
err(1, "Unable to open output database %s",
db_outfile);
/* NOTREACHED */
}
}
for (key = ypdb_firstkey(db); key.dptr != NULL;
key = ypdb_nextkey(db)) {
val = ypdb_fetch(db, key);
if (val.dptr == NULL)
continue; /* No value */
if (*key.dptr == '@' && key.dsize == 1)
continue; /* Sendmail token */
if (strncmp(key.dptr, "YP_", 3)==0) /* YP token */
continue;
if (memchr(val.dptr, ',', val.dsize))
continue; /* List... */
if (memchr(val.dptr, '|', val.dsize))
continue; /* Pipe... */
if (!(memchr(val.dptr, '@', val.dsize) ||
memchr(val.dptr, '!', val.dsize)))
continue; /* Skip local users */
split_address(val.dptr, val.dsize, user, host);
if (eflag && check_host(val.dptr, val.dsize, host, dflag, uflag, Eflag)) {
warnx("Invalid host %s in %*.*s:%*.*s",
host, key.dsize, key.dsize, key.dptr,
val.dsize, val.dsize, val.dptr);
continue;
}
if (nflag)
capitalize(key.dptr, key.dsize);
if (new_db != NULL) {
status = ypdb_store(new_db, val, key, YPDB_INSERT);
if (status != 0) {
warnx("problem storing %*.*s %*.*s",
val.dsize, val.dsize, val.dptr,
key.dsize, key.dsize, key.dptr);
}
}
if (vflag) {
printf("%*.*s --> %*.*s\n",
val.dsize, val.dsize, val.dptr,
key.dsize, key.dsize, key.dptr);
}
}
if (new_db != NULL) {
snprintf(datestr, sizeof datestr, "%010lld",
(long long)time(NULL));
key.dptr = YP_LAST_KEY;
key.dsize = strlen(YP_LAST_KEY);
val.dptr = datestr;
val.dsize = strlen(datestr);
status = ypdb_store(new_db, key, val, YPDB_INSERT);
if (status != 0) {
warnx("problem storing %*.*s %*.*s",
key.dsize, key.dsize, key.dptr,
val.dsize, val.dsize, val.dptr);
}
}
if (new_db != NULL) {
gethostname(myname, sizeof(myname));
key.dptr = YP_MASTER_KEY;
key.dsize = strlen(YP_MASTER_KEY);
val.dptr = myname;
val.dsize = strlen(myname);
status = ypdb_store(new_db, key, val, YPDB_INSERT);
if (status != 0) {
warnx("problem storing %*.*s %*.*s",
key.dsize, key.dsize, key.dptr,
val.dsize, val.dsize, val.dptr);
}
}
ypdb_close(db);
if (new_db != NULL) {
ypdb_close(new_db);
if (rename(db_tempname, db_outfile) < 0) {
err(1, "rename %s -> %s failed", db_tempname,
db_outfile);
/* NOTREACHED */
}
}
return(0);
}
int
server_mode (const char *pidfile, struct sockaddr_in *phis_addr)
{
int ctl_sock, fd;
struct servent *sv;
int port;
static struct sockaddr_in server_addr; /* Our address. */
/* Become a daemon. */
#ifdef HAVE_DAEMON
if (daemon(1,1) < 0)
#endif
{
syslog (LOG_ERR, "failed to become a daemon");
return -1;
}
(void) signal (SIGCHLD, reapchild);
/* Get port for ftp/tcp. */
sv = getservbyname ("ftp", "tcp");
port = (sv == NULL) ? DEFPORT : sv->s_port;
/* Open socket, bind and start listen. */
ctl_sock = socket (AF_INET, SOCK_STREAM, 0);
if (ctl_sock < 0)
{
syslog (LOG_ERR, "control socket: %m");
return -1;
}
/* Enable local address reuse. */
{
int on = 1;
if (setsockopt (ctl_sock, SOL_SOCKET, SO_REUSEADDR,
(char *)&on, sizeof(on)) < 0)
syslog (LOG_ERR, "control setsockopt: %m");
}
memset (&server_addr, 0, sizeof server_addr);
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons (port);
if (bind (ctl_sock, (struct sockaddr *)&server_addr, sizeof server_addr))
{
syslog (LOG_ERR, "control bind: %m");
return -1;
}
if (listen (ctl_sock, 32) < 0)
{
syslog (LOG_ERR, "control listen: %m");
return -1;
}
/* Stash pid in pidfile. */
{
FILE *pid_fp = fopen (pidfile, "w");
if (pid_fp == NULL)
syslog (LOG_ERR, "can't open %s: %m", PATH_FTPDPID);
else
{
fprintf (pid_fp, "%d\n", getpid());
fchmod (fileno(pid_fp), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
fclose (pid_fp);
}
}
/* Loop forever accepting connection requests and forking off
children to handle them. */
while (1)
{
int addrlen = sizeof (*phis_addr);
fd = accept (ctl_sock, (struct sockaddr *)phis_addr, &addrlen);
#ifdef HAVE_WORKING_FORK
if (fork () == 0) /* child */
#else
if (vfork () == 0) /* child */
#endif
{
(void) dup2 (fd, 0);
(void) dup2 (fd, 1);
close (ctl_sock);
break;
}
close (fd);
}
#ifdef WITH_WRAP
/* In the child. */
if (!check_host ((struct sockaddr *)phis_addr))
return -1;
#endif
return fd;
}
/**
* ssl_verify_callback - Certificate verification callback
* @param preverify_ok If true, don't question the user if they skipped verification
* @param ctx X509 store context
* @retval true Certificate is valid
* @retval false Error, or Certificate is invalid
*
* Called for each certificate in the chain sent by the peer, starting from the
* root; returning true means that the given certificate is trusted, returning
* false immediately aborts the SSL connection
*/
static int ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
char buf[256];
const char *host = NULL;
size_t len;
int pos;
X509 *cert = NULL;
SSL *ssl = NULL;
bool skip_mode;
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
if (!ssl)
{
mutt_debug(LL_DEBUG1,
"failed to retrieve SSL structure from X509_STORE_CTX\n");
return false;
}
host = SSL_get_ex_data(ssl, HostExDataIndex);
if (!host)
{
mutt_debug(LL_DEBUG1, "failed to retrieve hostname from SSL structure\n");
return false;
}
/* This is true when a previous entry in the certificate chain did
* not verify and the user manually chose to skip it via the
* $ssl_verify_partial_chains option.
* In this case, all following certificates need to be treated as non-verified
* until one is actually verified. */
skip_mode = (SSL_get_ex_data(ssl, SkipModeExDataIndex));
cert = X509_STORE_CTX_get_current_cert(ctx);
pos = X509_STORE_CTX_get_error_depth(ctx);
len = sk_X509_num(X509_STORE_CTX_get0_chain(ctx));
mutt_debug(LL_DEBUG1, "checking cert chain entry %s (preverify: %d skipmode: %d)\n",
X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)),
preverify_ok, skip_mode);
#ifdef HAVE_SSL_PARTIAL_CHAIN
/* Sometimes, when a certificate is (s)kipped, OpenSSL will pass it
* a second time with preverify_ok = 1. Don't show it or the user
* will think their "s" key is broken. */
if (C_SslVerifyPartialChains)
{
static int last_pos = 0;
static X509 *last_cert = NULL;
if (skip_mode && preverify_ok && (pos == last_pos) && last_cert)
{
unsigned char last_cert_md[EVP_MAX_MD_SIZE];
unsigned int last_cert_mdlen;
if (X509_digest(last_cert, EVP_sha256(), last_cert_md, &last_cert_mdlen) &&
compare_certificates(cert, last_cert, last_cert_md, last_cert_mdlen))
{
mutt_debug(LL_DEBUG2, "ignoring duplicate skipped certificate.\n");
return true;
}
}
last_pos = pos;
if (last_cert)
X509_free(last_cert);
last_cert = X509_dup(cert);
}
#endif
/* check session cache first */
if (check_certificate_cache(cert))
{
mutt_debug(LL_DEBUG2, "using cached certificate\n");
SSL_set_ex_data(ssl, SkipModeExDataIndex, NULL);
return true;
}
/* check hostname only for the leaf certificate */
buf[0] = '\0';
if ((pos == 0) && (C_SslVerifyHost != MUTT_NO))
{
if (check_host(cert, host, buf, sizeof(buf)) == 0)
{
mutt_error(_("Certificate host check failed: %s"), buf);
/* we disallow (a)ccept always in the prompt, because it will have no effect
* for hostname mismatches. */
return interactive_check_cert(cert, pos, len, ssl, false);
}
mutt_debug(LL_DEBUG2, "hostname check passed\n");
}
if (!preverify_ok || skip_mode)
{
/* automatic check from user's database */
if (C_CertificateFile && check_certificate_by_digest(cert))
{
mutt_debug(LL_DEBUG2, "digest check passed\n");
SSL_set_ex_data(ssl, SkipModeExDataIndex, NULL);
return true;
}
/* log verification error */
int err = X509_STORE_CTX_get_error(ctx);
snprintf(buf, sizeof(buf), "%s (%d)", X509_verify_cert_error_string(err), err);
mutt_debug(LL_DEBUG2, "X509_verify_cert: %s\n", buf);
/* prompt user */
return interactive_check_cert(cert, pos, len, ssl, true);
}
return true;
}
/*{
** Name: II_PrecheckInstallationEx - Extended installation environment pre-check
**
** Description:
** Verify that a machine environment will support the current release of
** Ingres.
** The following checks may be made by specifying the required set of flags:
**(E
**
** a. Test for invalid characters in the machine hostname
** b. Test for invalid characters in the username
** c. A minimum operating system version
** d. Test that the path value supplied for II_SYSTEM
** i) does not contain disallowed characters (Windows only)
** ii) consists of an existing parent directory
** e. Test that the operating system user of the running process is granted
** permission to write in d.ii).
** f. The value of the instancecode field in the response file is tested
** for valid characters and character sequences.
**)E
**
** The path check flags II_CHK_PATHDIR and II_CHK_PATHPERM may be combined
** (bit wise); they include an implicit II_CHK_PATHCHAR. All path checks
** implicitly include an II_CHK_PATHLEN flag.
** Use the II_CHK_ALL flag as a convenient shorthand to perform each of the
** tests together.
** Specifying a flag of zero will check for the existence of the
** II_SYSTEM entry in the response file.
**
** Inputs:
** eflags Specifies the pre-installation checks to be performed.
** Can be a combination of the following
** 0 Test for existence of II_SYSTEM entry
** in response file
** II_CHK_HOSTNAME Verify characters in machine name
** II_CHK_OSVERSION Verify minimum OS version
** II_CHK_PATHCHAR Check characters used in II_SYSTEM
** II_CHK_PATHDIR Check II_SYSTEM path for a valid
** existing directory
** II_CHK_PATHPERM Check path write permissions
** II_CHK_PATHLEN Check length of path not exceeded
** II_CHK_USERNAME Verify characters in user name
** II_CHK_INSTCODE Verify characters of the configured
** instance code
** II_CHK_ALL Equivalent to II_PrecheckInstallation
** call.
** architecture The value of architecture is used only if the
** II_CHK_VERSION flag is set in the eflags field.
** If the II_CHK_VERSION flag is set
** Let the value of architecture be set as follows:
** Case:
** - II_DEFVER determines if the suitability of
** the internal Ingres platform architecture
** is appropriate for the operating architecture.
** - Determines if the suitability of the defined
** value of architecture is appropriate for the
** operating architecture.
** If the II_CHK_VERSION flag is not set
** Let the value of architecture be set to II_DEFVER.
**
** response_file Path to the Embedded Ingres response file
** For more information concerning response file options
** please see the Ingres Embedded Edition User Guide.
** This function requires valid values for the II_SYSTEM and
** charmap entries.
**
** Outputs:
** error_msg Message text for status. If the message text exceeds
** MAX_IIERR_LEN then the message is truncated to
** MAX_IIERR_LEN.
** Unchanged if II_SUCCESSFUL is returned.
**
** Returns:
** II_SUCCESSFUL The environment test completed successfully
** II_NULL_PARAM The parameters passed are invalid
** II_NO_INSTALL_PATH Error reading response file or no II_SYSTEM entry
** II_NO_CHAR_MAP Error reading response file or no II_CHARMAP entry
** II_CHARMAP_ERROR Error processing character mapping file
** II_GET_COMPUTER_FAIL Attempt to retrieve computer name failed
** II_INVALID_HOST Computer name contains illegal characters
** II_GET_HOST_FAILED Attempt to retrieve the network name failed
** II_INVALID_USER The username contains illegal characters
** II_UNMATCHED_NAME Computer name does not match network name
** II_OS_NOT_MIN_VERSION OS version does not meet the minimum requirement
** II_BAD_PATH The II_SYSTEM path is incorrectly formed
** II_INVAL_CHARS_IN_PATH The II_SYSTEM path contains illegal characters
** II_PATH_NOT_DIR The II_SYSTEM path does not contain a valid
** directory
** II_PATH_CANNOT_WRITE No write permission in the II_SYSTEM directory or
** a parent directory.
** II_PATH_EXCEEDED Length of the path exceeds permitted maximum
** II_INVALID_INSTANCECODE Instance code contains illegal characters
** II_INSTANCE_ERROR Error reading instance code or no instancecode
** entry.
**
** Example:
** # include "tngapi.h"
**
** # if defined(UNIX)
** II_CHAR reponsefile[] = {"./ingres.rsp"};
** # else
** II_CHAR reponsefile[] = {".\\ingres.rsp"};
** # endif
** II_INT4 status;
** II_INT4 eflags = (II_CHK_HOSTNAME | II_CHK_OSVERSION | \
** II_CHK_PATHCHAR | II_CHK_PATHDIR | II_CHK_PATHPERM | II_CHK_PATHLEN \
** II_CHK_INSTCODE);
** II_CHAR error_msg[MAX_IIERR_LEN + 1] = { '\0' };
**
** if ((status = II_PrecheckInstallationEx( eflags, II_DEFARCH, responsefile,
** error_msg )) != II_SUCCESSFUL)
** {
** printf( "II_PrecheckInstallationEx failed - %s\n", error_msg );
** }
**
** if ((status = II_PrecheckInstallationEx( II_CHK_OSVERSION, II_IA64,
** responsefile, error_msg )) != II_SUCCESSFUL)
** {
** printf( "II_PrecheckInstallationEx failed - %s\n", error_msg );
** if (status == II_OS_NOT_MIN_VERSION)
** {
** printf( "Target environment is unsuitable for IA64 binaries\n");
** }
** }
**
** Side Effects:
** none
**
** History:
** 07-Sep-2004 (fanra01)
** Created based on II_PrecheckInstallation.
** 30-Jun-2005 (fanra01)
** Moved and extended path validation into check_path function.
** 18-Aug-2005 (fanra01)
** Include path length check on character map file.
}*/
int
II_PrecheckInstallationEx(
int eflags,
int architecture,
char* response_file,
char* error_msg
)
{
i4 status = II_SUCCESSFUL;
i4 flags;
i4 pathlen;
LOCATION loc;
LOINFORMATION loinfo;
char buf[MAX_LOC + 3]; /* over size buffer to detect overrun */
char charmap[MAX_LOC + 3];
char ii_install[MAX_LOC + 3];
CL_ERR_DESC clerr;
i4 pathchk = 0;
while(TRUE)
{
if (!response_file || !error_msg)
{
status = II_NULL_PARAM;
break;
}
if ((pathlen = GetPrivateProfileString( ERx("Ingres Configuration"),
ERx("II_SYSTEM"), "", buf, sizeof(buf), response_file )) == 0)
{
status = II_NO_INSTALL_PATH;
break;
}
else
{
if ((pathchk = (eflags & (II_CHK_PATHCHAR | II_CHK_PATHDIR |
II_CHK_PATHPERM | II_CHK_PATHLEN))) &&
(pathlen > MAX_LOC))
{
status = II_PATH_EXCEEDED;
break;
}
}
if (eflags & II_CHK_INSTCODE)
{
if ((pathlen = GetPrivateProfileString("Ingres Configuration",
II_INSTCODE, "", ii_install, sizeof(ii_install), response_file)) == 0)
{
status = II_INSTANCE_ERROR;
break;
}
else
{
if ((status = check_instcode( ii_install )) != II_SUCCESSFUL)
{
break;
}
}
}
if ((eflags & (II_CHK_HOSTNAME | II_CHK_USERNAME | pathchk)) &&
((pathlen = GetPrivateProfileString("Ingres Configuration",
II_CHARMAP, "", charmap, sizeof(charmap), response_file)) == 0))
{
status = II_NO_CHAR_MAP;
break;
}
else
{
if (eflags & (II_CHK_HOSTNAME | II_CHK_USERNAME | pathchk))
{
if (pathlen > MAX_LOC)
{
status = II_PATH_EXCEEDED;
break;
}
else
{
#if defined(UNIX)
if ((status = CMset_attr( charmap, &clerr )) != 0)
#else
if ((status = CMread_attr( II_CHARSET, charmap, &clerr )) != 0)
#endif
{
status = II_CHARMAP_ERROR;
break;
}
}
}
}
if ((eflags & II_CHK_HOSTNAME) &&
((status = check_host()) != II_SUCCESSFUL))
{
break;
}
if ((eflags & II_CHK_USERNAME) &&
((status = check_user()) != II_SUCCESSFUL))
{
break;
}
if ((eflags & II_CHK_OSVERSION) &&
(check_platform( architecture ) != OK))
{
status = II_OS_NOT_MIN_VERSION;
break;
}
/*
** Perform path validation test.
*/
if (eflags & (II_CHK_PATHCHAR | II_CHK_PATHDIR | II_CHK_PATHPERM))
{
status = check_path( buf, eflags );
break;
}
break;
}
if ((status != II_SUCCESSFUL) && (error_msg != NULL))
{
II_GetErrorMessage( error_msgs[status], error_msg );
}
return(status);
}
/*{
** Name: II_PrecheckInstallation - Pre-check installation environment
**
** Description:
** Verify that a machine environment will support the current release of
** Ingres. The following checks are made:
**(E
** a. A minimum operating system version
** b. Other required software (currently none)
** c. Check the install path
** - exists
** - that user can write to it
** - does not have any disallowed characters (Windows only).
**)E
**
** Inputs:
** response_file path to the Embedded Ingres response file.
** For more information concerning response file options
** please see the Ingres Embedded Edition User Guide.
**
** Outputs:
** error_msg Message text for status. If the message text exceeds
** MAX_IIERR_LEN then the message is truncated to
** MAX_IIERR_LEN.
** Unchanged if II_SUCCESSFUL is returned.
**
** Returns:
** II_SUCCESSFUL The environment test completed successfully
** II_NULL_PARAM The parameters passed are invalid
** II_NO_INSTALL_PATH Error reading response file or no II_SYSTEM entry
** II_CHARMAP_ERROR Error processing character mapping file
** II_GET_COMPUTER_FAIL Attempt to retrieve computer name failed
** II_INVALID_HOST Computer name contains illegal characters
** II_GET_HOST_FAILED Attempt to retrieve the network name failed
** II_INVALID_USER The username contains illegal characters
** II_UNMATCHED_NAME Computer name does not match network name
** II_OS_NOT_MIN_VERSION OS version does not meet the minimum requirement
** II_BAD_PATH The II_SYSTEM path is incorrectly formed
** II_INVAL_CHARS_IN_PATH The II_SYSTEM path contains illegal characters
** II_PATH_NOT_DIR The II_SYSTEM path is not a directory
** II_PATH_CANNOT_WRITE No write permission in the II_SYSTEM directory
** II_PATH_EXCEEDED Length of the path exceeds permitted maximum
**
** Example:
** # include "tngapi.h"
**
** # if defined(UNIX)
** II_CHAR reponsefile[] = {"./ingres.rsp"};
** # else
** II_CHAR reponsefile[] = {".\\ingres.rsp"};
** # endif
** II_INT4 status;
** II_CHAR error_msg[MAX_IIERR_LEN + 1] = { '\0' };
**
** if ((status = II_PrecheckInstallation( responsefile, error_msg )) !=
** II_SUCCESSFUL)
** {
** printf( "II_PrecheckInstallation failed - %s\n", error_msg );
** }
**
** Side Effects:
** none
**
** History:
** 16-apr-2002 (abbjo03)
** Written.
** 11-Jul-2005 (fanra01)
** Add more specific status code from check_path_chars.
*/
int
II_PrecheckInstallation(
char *response_file,
char *error_msg)
{
LOCATION loc;
char buf[MAX_LOC];
char charmap[MAX_LOC+1];
LOINFORMATION loinfo;
i4 flags;
int result;
CL_ERR_DESC clerr;
if (!response_file || !error_msg)
{
result = II_NULL_PARAM;
if (error_msg)
II_GetErrorMessage(error_msgs[result], error_msg);
return result;
}
if (!GetPrivateProfileString("Ingres Configuration", "II_SYSTEM", "", buf,
sizeof(buf), response_file))
{
result = II_NO_INSTALL_PATH;
II_GetErrorMessage(error_msgs[result], error_msg);
return result;
}
/*
** Get the charmap field from the response file.
*/
if (!GetPrivateProfileString("Ingres Configuration", II_CHARMAP, "",
charmap, sizeof(charmap), response_file))
{
result = II_NO_CHAR_MAP;
II_GetErrorMessage(error_msgs[result], error_msg);
return result;
}
/*
** Open and read the character map specified in the response file.
** This is a special installation character description file.
*/
#if defined(UNIX)
if ((result = CMset_attr( charmap, &clerr )) != 0)
#else
if ((result = CMread_attr( II_CHARSET, charmap, &clerr )) != 0)
#endif
{
result = II_CHARMAP_ERROR;
II_GetErrorMessage( error_msgs[result], error_msg );
return(result);
}
if ((result = check_user()) != II_SUCCESSFUL)
{
II_GetErrorMessage( error_msgs[result], error_msg );
return(result);
}
if ((result = check_host()) != II_SUCCESSFUL)
{
II_GetErrorMessage( error_msgs[result], error_msg );
return(result);
}
if (check_platform( II_DEFARCH ) != OK)
{
result = II_OS_NOT_MIN_VERSION;
II_GetErrorMessage(error_msgs[result], error_msg);
return result;
}
if (LOfroms(PATH & FILENAME, buf, &loc) != OK)
{
result = II_BAD_PATH;
II_GetErrorMessage(error_msgs[result], error_msg);
return result;
}
flags = LO_I_TYPE | LO_I_PERMS;
if (LOinfo(&loc, &flags, &loinfo) != OK)
{
result = II_BAD_PATH;
II_GetErrorMessage(error_msgs[result], error_msg);
return result;
}
if ((flags & LO_I_TYPE) == 0 || loinfo.li_type != LO_IS_DIR)
{
result = II_PATH_NOT_DIR;
II_GetErrorMessage(error_msgs[result], error_msg);
return result;
}
if ((flags & LO_I_PERMS) == 0 || (loinfo.li_perms & LO_P_WRITE) == 0)
{
result = II_PATH_CANNOT_WRITE;
II_GetErrorMessage(error_msgs[result], error_msg);
return result;
}
if (check_path_chars(&loc, &result))
{
switch(result)
{
case LO_BAD_DEVICE:
result = II_BAD_PATH;
break;
case LO_NOT_PATH:
case LO_NOT_FILE:
default:
result = II_INVAL_CHARS_IN_PATH;
break;
}
II_GetErrorMessage(error_msgs[result], error_msg);
return result;
}
result = II_SUCCESSFUL;
II_GetErrorMessage(error_msgs[result], error_msg);
return result;
}
int process_header_end(request * req)
{
if (!req->logline) {
log_error_doc(req);
fputs("No logline in process_header_end\n", stderr);
send_r_error(req);
return 0;
}
/* Percent-decode request */
if (unescape_uri(req->request_uri, &(req->query_string)) == 0) {
log_error_doc(req);
fputs("URI contains bogus characters\n", stderr);
send_r_bad_request(req);
return 0;
}
/* clean pathname */
clean_pathname(req->request_uri);
if (req->request_uri[0] != '/') {
log_error("URI does not begin with '/'\n");
send_r_bad_request(req);
return 0;
}
if (vhost_root) {
char *c;
if (!req->header_host) {
req->host = strdup(default_vhost);
} else {
req->host = strdup(req->header_host);
}
if (!req->host) {
log_error_doc(req);
fputs("unable to strdup default_vhost/req->header_host\n", stderr);
send_r_error(req);
return 0;
}
strlower(req->host);
/* check for port, and remove
* we essentially ignore the port, because we cannot
* as yet report a different port than the one we are
* listening on
*/
c = strchr(req->host, ':');
if (c)
*c = '\0';
if (check_host(req->host) < 1) {
log_error_doc(req);
fputs("host invalid!\n", stderr);
send_r_bad_request(req);
return 0;
}
}
if (translate_uri(req) == 0) { /* unescape, parse uri */
/* errors already logged */
SQUASH_KA(req);
return 0; /* failure, close down */
}
if (req->method == M_POST) {
req->post_data_fd = create_temporary_file(1, NULL, 0);
if (req->post_data_fd == 0) {
/* errors already logged */
send_r_error(req);
return 0;
}
if (fcntl(req->post_data_fd, F_SETFD, 1) == -1) {
log_error_doc(req);
fputs("unable to set close-on-exec for req->post_data_fd!\n", stderr);
close(req->post_data_fd);
req->post_data_fd = 0;
send_r_error(req);
return 0;
}
return 1; /* success */
}
if (req->cgi_type) {
return init_cgi(req);
}
req->status = WRITE;
// return complete_response(req);
return init_control(req);
// return init_get(req); /* get and head */
}
int process_header_end(request * req)
{
if (!req->logline) {
log_error_doc(req);
fputs("No logline in process_header_end\n", stderr);
send_r_error(req);
return 0;
}
/* Percent-decode request */
if (unescape_uri(req->request_uri, &(req->query_string)) == 0) {
log_error_doc(req);
fputs("URI contains bogus characters\n", stderr);
send_r_bad_request(req);
return 0;
}
/* clean pathname */
clean_pathname(req->request_uri);
if (req->request_uri[0] != '/') {
log_error("URI does not begin with '/'\n");
send_r_bad_request(req);
return 0;
}
if (use_caudium_hack) {
/* We check whether the path is of the form "/(ll)/foo/..."
which is used by the Caudium webserver for caching purposes
and people have bookmarked it. To cope with this we simply
strip it of. */
if (req->request_uri[0] == '/'
&& req->request_uri[1] == '('
&& req->request_uri[2] >= 'a' && req->request_uri[2] <= 'z'
&& req->request_uri[3] >= 'a' && req->request_uri[3] <= 'z'
&& req->request_uri[4] == ')'
&& req->request_uri[5] == '/'
&& req->request_uri[6] ) {
unsigned int len = strlen(req->request_uri);
memmove (req->request_uri, req->request_uri+5, len - 5 + 1);
}
}
if (vhost_root) {
char *c;
if (!req->header_host) {
req->host = strdup(default_vhost);
} else {
req->host = strdup(req->header_host);
}
if (!req->host) {
log_error_doc(req);
fputs("unable to strdup default_vhost/req->header_host\n", stderr);
send_r_error(req);
return 0;
}
strlower(req->host);
/* check for port, and remove
* we essentially ignore the port, because we cannot
* as yet report a different port than the one we are
* listening on
*/
c = strchr(req->host, ':');
if (c)
*c = '\0';
if (check_host(req->host) < 1) {
log_error_doc(req);
fputs("host invalid!\n", stderr);
send_r_bad_request(req);
return 0;
}
}
if (translate_uri(req) == 0) { /* unescape, parse uri */
/* errors already logged */
SQUASH_KA(req);
return 0; /* failure, close down */
}
if (req->method == M_POST) {
req->post_data_fd = create_temporary_file(1, NULL, 0);
if (req->post_data_fd == 0) {
/* errors already logged */
send_r_error(req);
return 0;
}
if (fcntl(req->post_data_fd, F_SETFD, 1) == -1) {
boa_perror(req, "unable to set close-on-exec for req->post_data_fd!");
close(req->post_data_fd);
req->post_data_fd = 0;
return 0;
}
return 1; /* success */
}
if (req->cgi_type) {
return init_cgi(req);
}
req->status = WRITE;
return init_get(req); /* get and head */
}
unsigned int nf_hook_func(
unsigned int hooknum, struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, int (*okfn)(struct sk_buff *)) {
struct sk_buff *skb_ = skb;
#else
unsigned int nf_hook_func(
unsigned int hooknum, struct sk_buff **skb, const struct net_device *in,
const struct net_device *out, int (*okfn)(struct sk_buff *)) {
struct sk_buff *skb_ = *skb;
#endif
struct iphdr *ip_header_ = NULL;
struct tcphdr *tcp_header_ = NULL;
unsigned char *tcp_data_ = NULL;
if (!skb_)
return NF_ACCEPT;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
ip_header_ = ip_hdr(skb_);
#else
ip_header_ = skb_->h.ipiph;
#endif
// 仅仅过滤 TCP 协议
if (!ip_header_ || ip_header_->protocol != IPPROTO_TCP)
return NF_ACCEPT;
// 已知在 2.6.18/3.19.2 上,tcp_hdr(skb_) 会返回预期的 tcp 头偏移量。
// 已知在 2.6.32 上,tcp_hdr(skb_) 与 ip_hdr(skb_) 会返回相同的指针地址。
//
// 2.6.32:
// TCP 包来自 1/2 层,netfilter/ipv4 钩子会在第 3 层被注入。
// 因此,此时使用 tcp_hdr 函数不会获得预期的 tcp 头偏移量。
// 直接根据 IP 头偏移量计算 TCP 头偏移量是最合适的
tcp_header_ = (struct tcphdr *)((__u32 *)ip_header_ + ip_header_->ihl);
// 仅仅过滤指定的 HTTP 端口
if (htons(tcp_header_->dest) != HTTP_PORT)
return NF_ACCEPT;
// 如果是信任的网络,则放行。不做任何过滤
// 因此,如果本机作为转发网关,必须添加内网网段,内网网络才能访问公网。
if (check_net(ip_header_->saddr, g_net_array, g_net_array_size))
return NF_ACCEPT;
// GET / HTTP/1.1\r\n
// User-Agent: curl/7.41.0\r\n
// Host: abc.com\r\n
// Accept: */*\r\n
// \r\n
tcp_data_ = get_tcp_data(skb_, ip_header_, tcp_header_);
// 跳过非 HTTP 头相关包
if (!check_http_header(tcp_data_))
return NF_ACCEPT;
// 如果是信任的主机,则放行
if (check_host(tcp_data_, g_hosts, g_hosts_size))
return NF_ACCEPT;
return NF_DROP;
}
static struct nf_hook_ops g_nf_hook = {
.hook = (nf_hookfn*) nf_hook_func,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)
.hooknum = NF_INET_PRE_ROUTING,
#else
.hooknum = NF_IP_PRE_ROUTING,
#endif
.pf = PF_INET,
.priority = NF_IP_PRI_FIRST
};
int init_module() {
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,18)
pr_err("[%s] Linux Kernel Version does not supported.\n", MODOUBLE_NAME);
return -1;
#endif
pr_info("Loading module \"%s\"\n", MODOUBLE_NAME);
if (!init_host_str(&g_hosts, &g_hosts_size)) {
pr_err("Cannot initialize host whitelist.\n");
pr_err("Cannot load module \"%s\"\n", MODOUBLE_NAME);
return -1;
}
if (!init_net_array(&g_net_array, &g_net_array_size)) {
pr_err("Cannot initialize network whitelist.\n");
pr_err("Cannot load module \"%s\"\n", MODOUBLE_NAME);
return -1;
}
if (nf_register_hook(&g_nf_hook) < 0) {
pr_err("Cannot register netfilter hook.\n");
pr_err("Cannot load module \"%s\"\n", MODOUBLE_NAME);
return -1;
}
return 0;
}
void cleanup_module() {
pr_info("Unloading module \"%s\"\n", MODOUBLE_NAME);
if (g_hosts) kfree(g_hosts);
if (g_net_array) kfree(g_net_array);
nf_unregister_hook(&g_nf_hook);
}
