/*
 * Write the OpenVPN client configuration to conf_file.
 *
 * conf_file: path of the file to (re)create; it is truncated, written and
 *            finally chmod'ed 0644.
 * is_tun:    non-zero selects the TUN interface name, zero the TAP one.
 * Returns 0 on success, 1 when a required key/certificate file is missing
 * (openvpn_check_key()) or the config file cannot be opened.
 *
 * Settings come from NVRAM: vpnc_ov_auth == 1 selects user/password auth
 * (no client cert/key), vpnc_ov_atls != 0 enables tls-auth (key direction 1),
 * vpnc_ov_prot > 0 selects TCP, anything else UDP.
 *
 * Security notes: the file only references key paths and the "secret"
 * credentials file, it holds no key material itself, which is why 0644 is
 * tolerable; the mode of the "secret" file is decided inside
 * openvpn_create_client_secret() (not visible here). "script-security 2"
 * allows OpenVPN to execute SCRIPT_OVPN_CLIENT as up/down handler.
 * User-supplied directives are appended last via load_user_config();
 * forbidden_list presumably is the directive blocklist applied there —
 * confirm in that helper.
 */
static int openvpn_create_client_conf(const char *conf_file, int is_tun)
{
	FILE *out;
	int idx, auth_mode, use_tls_auth, use_tcp;

	auth_mode = nvram_get_int("vpnc_ov_auth");
	use_tls_auth = nvram_get_int("vpnc_ov_atls");

	/* Key slots: [0] CA, [1] client cert, [2] client key, [3] tls-auth key. */
	for (idx = 0; idx < 4; idx++) {
		int needed = 1;

		/* user/password auth does not use a client certificate and key */
		if (auth_mode == 1 && (idx == 1 || idx == 2))
			needed = 0;
		/* the static tls-auth key is only required when enabled */
		if (idx == 3 && !use_tls_auth)
			needed = 0;
		if (needed && !openvpn_check_key(openvpn_client_keys[idx], 0))
			return 1;
	}

	use_tcp = (nvram_get_int("vpnc_ov_prot") > 0);

	out = fopen(conf_file, "w+");
	if (out == NULL)
		return 1;

	fprintf(out, "client\n");
	fprintf(out, "proto %s\n", use_tcp ? "tcp-client" : "udp");
	fprintf(out, "remote %s %d\n", nvram_safe_get("vpnc_peer"),
		nvram_safe_get_int("vpnc_ov_port", 1194, 1, 65535));
	fprintf(out, "resolv-retry %s\n", "infinite");
	fprintf(out, "nobind\n");
	fprintf(out, "dev %s\n", is_tun ? IFNAME_CLIENT_TUN : IFNAME_CLIENT_TAP);

	fprintf(out, "ca %s/%s\n", CLIENT_CERT_DIR, openvpn_client_keys[0]);
	if (auth_mode == 0) {
		fprintf(out, "cert %s/%s\n", CLIENT_CERT_DIR, openvpn_client_keys[1]);
		fprintf(out, "key %s/%s\n", CLIENT_CERT_DIR, openvpn_client_keys[2]);
	}
	/* key direction 1 on the client, the server side uses 0 */
	if (use_tls_auth)
		fprintf(out, "tls-auth %s/%s %d\n", CLIENT_CERT_DIR, openvpn_client_keys[3], 1);

	openvpn_add_auth(out, nvram_get_int("vpnc_ov_mdig"));
	openvpn_add_cipher(out, nvram_get_int("vpnc_ov_ciph"));
	openvpn_add_lzo(out, nvram_get_int("vpnc_ov_clzo"), 0);

	if (auth_mode == 1) {
		fprintf(out, "auth-user-pass %s\n", "secret");
		openvpn_create_client_secret("secret");
	}

	if (nvram_match("vpnc_dgw", "1"))
		fprintf(out, "redirect-gateway def1 bypass-dhcp\n");

	fprintf(out, "persist-key\n");
	fprintf(out, "script-security %d\n", 2);
	fprintf(out, "writepid %s\n", CLIENT_PID_FILE);
	fprintf(out, "up %s\n", SCRIPT_OVPN_CLIENT);
	fprintf(out, "down %s\n", SCRIPT_OVPN_CLIENT);

	fprintf(out, "\n### User params:\n");
	load_user_config(out, CLIENT_CERT_DIR, "client.conf", forbidden_list);

	fclose(out);
	chmod(conf_file, 0644);

	return 0;
}
/*
 * Write the OpenVPN server configuration to conf_file.
 *
 * conf_file: path of the file to (re)create; truncated, written, chmod'ed 0644.
 * is_tun:    non-zero generates a routed (TUN, "topology subnet") server on
 *            the vpns_vnet network with a per-client ccd directory; zero
 *            generates a bridged (TAP, "server-bridge") server handing out
 *            LAN addresses between vpns_cli0 and vpns_cli1.
 * Returns 0 on success, 1 when a required key file is missing or the config
 * file cannot be opened.
 *
 * Security notes: the daemon is told to drop to SYS_USER_NOBODY /
 * SYS_GROUP_NOGROUP; persist-key/persist-tun are what keep a restart working
 * after that drop (per the OpenVPN manual). "script-security 2" allows the
 * client-connect/client-disconnect hooks (SCRIPT_OVPN_SERVER) to run.
 * tls-auth uses key direction 0 (clients use 1). User directives are
 * appended last via load_user_config(); forbidden_list presumably is the
 * directive blocklist applied there — confirm in that helper. The file
 * references key paths only, no key material, hence mode 0644.
 */
static int openvpn_create_server_conf(const char *conf_file, int is_tun)
{
	FILE *out;
	int idx, use_tcp, use_tls_auth, push_gateway, dhcpd_on, pushed;
	int cli_first, cli_last;
	unsigned int lan_addr, lan_mask, host_max;
	struct in_addr tmp_in;
	char lan_net_str[32], cli_first_str[32], cli_last_str[32];
	char *lan_ip, *lan_nm, *wins_ip, *dns_a, *dns_b;

	use_tls_auth = nvram_get_int("vpns_ov_atls");

	/* Key slots: [0] CA, [1] DH params, [2] cert, [3] key, [4] tls-auth key. */
	for (idx = 0; idx < 5; idx++) {
		if (idx == 4 && !use_tls_auth)
			continue;
		if (!openvpn_check_key(openvpn_server_keys[idx], 1))
			return 1;
	}

	use_tcp = (nvram_get_int("vpns_ov_prot") > 0);
	push_gateway = nvram_get_int("vpns_ov_rdgw");
	cli_first = nvram_safe_get_int("vpns_cli0", 245, 1, 254);
	cli_last = nvram_safe_get_int("vpns_cli1", 254, 2, 254);
	dhcpd_on = is_dhcpd_enabled(0);

	lan_ip = nvram_safe_get("lan_ipaddr");
	lan_nm = nvram_safe_get("lan_netmask");
	lan_addr = ntohl(inet_addr(lan_ip));
	lan_mask = ntohl(inet_addr(lan_nm));

	/* Highest usable host number in the LAN (broadcast - 1); the bridge pool
	 * is clamped into it. NOTE(review): for a /31 or /32 netmask this wraps
	 * and the clamp is meaningless — such masks are presumably rejected
	 * earlier, confirm. */
	host_max = (~lan_mask) - 1;
	if (cli_first > (int)host_max)
		cli_first = (int)host_max;
	if (cli_last > (int)host_max)
		cli_last = (int)host_max;
	if (cli_last < cli_first)
		cli_last = cli_first;

	/* inet_ntoa() returns a static buffer: copy each result out before the next call. */
	tmp_in.s_addr = htonl(lan_addr & lan_mask);
	snprintf(lan_net_str, sizeof lan_net_str, "%s", inet_ntoa(tmp_in));
	tmp_in.s_addr = htonl((lan_addr & lan_mask) | (unsigned int)cli_first);
	snprintf(cli_first_str, sizeof cli_first_str, "%s", inet_ntoa(tmp_in));
	tmp_in.s_addr = htonl((lan_addr & lan_mask) | (unsigned int)cli_last);
	snprintf(cli_last_str, sizeof cli_last_str, "%s", inet_ntoa(tmp_in));

	out = fopen(conf_file, "w+");
	if (out == NULL)
		return 1;

	fprintf(out, "proto %s\n", use_tcp ? "tcp-server" : "udp");
	fprintf(out, "port %d\n", nvram_safe_get_int("vpns_ov_port", 1194, 1, 65535));

	if (is_tun) {
		unsigned int vpn_addr, vpn_mask;

		vpn_addr = ntohl(inet_addr(nvram_safe_get("vpns_vnet")));
		vpn_mask = ntohl(inet_addr(VPN_SERVER_SUBNET_MASK));
		tmp_in.s_addr = htonl(vpn_addr & vpn_mask);

		fprintf(out, "dev %s\n", IFNAME_SERVER_TUN);
		fprintf(out, "topology %s\n", "subnet");
		fprintf(out, "server %s %s\n", inet_ntoa(tmp_in), VPN_SERVER_SUBNET_MASK);
		fprintf(out, "client-config-dir %s\n", "ccd");
		openvpn_create_server_acl(out, "ccd");
		fprintf(out, "push \"route %s %s\"\n", lan_net_str, lan_nm);
	} else {
		fprintf(out, "dev %s\n", IFNAME_SERVER_TAP);
		fprintf(out, "server-bridge %s %s %s %s\n", lan_ip, lan_nm, cli_first_str, cli_last_str);
	}

	openvpn_add_auth(out, nvram_get_int("vpns_ov_mdig"));
	openvpn_add_cipher(out, nvram_get_int("vpns_ov_ciph"));
	openvpn_add_lzo(out, nvram_get_int("vpns_ov_clzo"), 1);

	/* Full-tunnel clients get the LAN DHCP resolvers (excluding the router's
	 * own address), plus the router itself unless two distinct ones were pushed. */
	pushed = 0;
	if (push_gateway) {
		fprintf(out, "push \"redirect-gateway def1 %s\"\n", "bypass-dhcp");
		if (dhcpd_on) {
			dns_a = nvram_safe_get("dhcp_dns1_x");
			dns_b = nvram_safe_get("dhcp_dns2_x");
			if (is_valid_ipv4(dns_a) && strcmp(dns_a, lan_ip) != 0) {
				pushed++;
				fprintf(out, "push \"dhcp-option %s %s\"\n", "DNS", dns_a);
			}
			if (is_valid_ipv4(dns_b) && strcmp(dns_b, lan_ip) != 0 && strcmp(dns_b, dns_a) != 0) {
				pushed++;
				fprintf(out, "push \"dhcp-option %s %s\"\n", "DNS", dns_b);
			}
		}
		if (pushed < 2)
			fprintf(out, "push \"dhcp-option %s %s\"\n", "DNS", lan_ip);
	}

	pushed = 0;
	if (dhcpd_on) {
		wins_ip = nvram_safe_get("dhcp_wins_x");
		if (is_valid_ipv4(wins_ip)) {
			pushed++;
			fprintf(out, "push \"dhcp-option %s %s\"\n", "WINS", wins_ip);
		}
	}
#if defined(APP_SMBD) || defined(APP_NMBD)
	if (pushed < 1 && nvram_get_int("wins_enable"))
		fprintf(out, "push \"dhcp-option %s %s\"\n", "WINS", lan_ip);
#endif

	fprintf(out, "ca %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[0]);
	fprintf(out, "dh %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[1]);
	fprintf(out, "cert %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[2]);
	fprintf(out, "key %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[3]);
	if (use_tls_auth)
		fprintf(out, "tls-auth %s/%s %d\n", SERVER_CERT_DIR, openvpn_server_keys[4], 0);

	/* privilege drop and what is needed to survive it */
	fprintf(out, "persist-key\n");
	fprintf(out, "persist-tun\n");
	fprintf(out, "user %s\n", SYS_USER_NOBODY);
	fprintf(out, "group %s\n", SYS_GROUP_NOGROUP);
	fprintf(out, "script-security %d\n", 2);
	fprintf(out, "tmp-dir %s\n", COMMON_TEMP_DIR);
	fprintf(out, "writepid %s\n", SERVER_PID_FILE);
	fprintf(out, "client-connect %s\n", SCRIPT_OVPN_SERVER);
	fprintf(out, "client-disconnect %s\n", SCRIPT_OVPN_SERVER);

	fprintf(out, "\n### User params:\n");
	load_user_config(out, SERVER_CERT_DIR, "server.conf", forbidden_list);

	fclose(out);
	chmod(conf_file, 0644);

	return 0;
}
/* Serve the client that connected to the webserver.
 *
 * Reads and parses one request from the session, then runs the request
 * pipeline in order: proxy-header handling, optional SSH tunnelling for
 * CONNECT, host lookup, SSL/hostname enforcement, denied-body patterns,
 * websocket forwarding, reverse proxy, URL toolkit rewriting, path
 * resolution, access control / authentication, and the per-method handler.
 *
 * Returns an HTTP status code (200 when the response has been sent), or -1
 * when the reason is recorded in session->error_cause (see the prevent_*
 * checks below). handle_request_result() turns the value into the final
 * response and log entry.
 */
static int serve_client(t_session *session) {
	int result, length, auth_result;
	char *qmark, chr, *header;
	t_host *host_record;
	t_access access;
	t_deny_body *deny_body;
	t_req_method request_method;
	t_ip_addr ip_addr;
#ifdef ENABLE_XSLT
	char *xslt_file;
#endif
#ifdef ENABLE_TOOLKIT
	int i;
	t_toolkit_options toolkit_options;
#endif
#ifdef ENABLE_RPROXY
	t_rproxy *rproxy;
#endif

#ifdef ENABLE_DEBUG
	session->current_task = "fetch & parse request";
#endif

	/* A request that cannot be read or parsed is answered as if it were a GET,
	 * so the error path never runs a method-specific handler. */
	if ((result = fetch_request(session)) != 200) {
		session->request_method = GET;
		return result;
	} else if ((result = parse_request(session, session->header_length + session->content_length)) != 200) {
		session->request_method = GET;
		return result;
	}

#ifdef ENABLE_DEBUG
	session->current_task = "serve client";
#endif

	session->time = time(NULL);

	/* Hide reverse proxies: only for peers listed in HideProxy is the
	 * forwarded-for address trusted and substituted for the socket address. */
	if (in_iplist(session->config->hide_proxy, &(session->ip_address))) {
		if (last_forwarded_ip(session->http_headers, &ip_addr) == 0) {
			if (reposition_client(session, &ip_addr) != -1) {
				copy_ip(&(session->ip_address), &ip_addr);
			}
		}
	}

	/* SSH tunneling */
#ifdef ENABLE_RPROXY
	if (session->request_method == CONNECT) {
		/* only peers in the TunnelSSH list, only over plain HTTP */
		if (in_iplist(session->config->tunnel_ssh, &(session->ip_address)) == false) {
			return 405;
		}
#ifdef ENABLE_SSL
		if (session->binding->use_ssl) {
			return 405;
		}
#endif
		/* Fixed allow-list of local SSH targets. NOTE(review): the IPv6 form is
		 * the literal "::1.22", so a CONNECT for [::1]:22 does not match and is
		 * refused with 403 (fail-closed); confirm the spelling is intended. */
		if (strcmp(session->request_uri, "localhost:22") != 0) {
			if (strcmp(session->request_uri, "127.0.0.1:22") != 0) {
				if (strcmp(session->request_uri, "::1.22") != 0) {
					return 403;
				}
			}
		}
		log_system(session, "SSH tunnel requested");
		if (tunnel_ssh_connection(session->client_socket) != 0) {
			log_system(session, "SSH tunnel failed");
		} else {
			log_system(session, "SSH tunnel terminated");
		}
		session->keep_alive = false;
		return 200;
	}
#endif

	/* Find host record; without a match session->host keeps its current
	 * (default) value. */
	if (session->hostname != NULL) {
		if (remove_port_from_hostname(session) == -1) {
			log_error(session, "error removing port from hostname");
			return 500;
		}
		if ((host_record = get_hostrecord(session->config->first_host, session->hostname, session->binding)) != NULL) {
			session->host = host_record;
#ifdef ENABLE_TOMAHAWK
			session->last_host = host_record;
#endif
		}
	}
	session->host->access_time = session->time;

#ifdef ENABLE_SSL
	/* SSL client authentication: a host with a CA configured requires a peer certificate */
	if (session->binding->use_ssl) {
		if ((session->host->ca_certificate != NULL) && (ssl_has_peer_cert(&(session->ssl_context)) == false)) {
			log_error(session, "Missing client SSL certificate");
			return 440;
		}
	}
#endif

	/* Enforce usage of first hostname (skipped for a wildcard first hostname) */
	if (session->host->enforce_first_hostname && (session->hostname != NULL)) {
		if (**(session->host->hostname.item) != '*') {
			if (strcmp(session->hostname, *(session->host->hostname.item)) != 0) {
				session->cause_of_301 = enforce_first_hostname;
				return 301;
			}
		}
	}

	/* Enforce usage of SSL: split the query string off first so the redirect
	 * target keeps it. */
#ifdef ENABLE_SSL
	if (session->host->require_ssl && (session->binding->use_ssl == false)) {
		if ((qmark = strchr(session->uri, '?')) != NULL) {
			*qmark = '\0';
			session->vars = qmark + 1;
			session->uri_len = strlen(session->uri);
		}
		session->cause_of_301 = require_ssl;
		return 301;
	}
#endif

	/* Deny matching bodies. The body is NUL-terminated in place for strpcmp()
	 * and the overwritten byte restored afterwards on every path; this writes
	 * one byte past content_length, so the request buffer must have room for
	 * it — presumably guaranteed by fetch_request(), confirm. */
	if (session->body != NULL) {
		chr = *(session->body + session->content_length);
		*(session->body + session->content_length) = '\0';
		deny_body = session->host->deny_body;
		while (deny_body != NULL) {
			if (strpcmp(session->body, &(deny_body->pattern)) == 0) {
				if ((session->config->ban_on_denied_body > 0) && (ip_allowed(&(session->ip_address), session->config->banlist_mask) != deny)) {
					ban_ip(&(session->ip_address), session->config->ban_on_denied_body, session->config->kick_on_ban);
					log_system(session, "Client banned because of denied body");
#ifdef ENABLE_MONITOR
					if (session->config->monitor_enabled) {
						monitor_count_ban(session);
					}
#endif
				}
				log_exploit_attempt(session, "denied body", session->body);
#ifdef ENABLE_TOMAHAWK
				increment_counter(COUNTER_EXPLOIT);
#endif
#ifdef ENABLE_MONITOR
				if (session->config->monitor_enabled) {
					monitor_count_exploit(session);
					monitor_event("Request body denied for %s", session->host->hostname.item[0]);
				}
#endif
				*(session->body + session->content_length) = chr;
				return 403;
			}
			deny_body = deny_body->next;
		}
		*(session->body + session->content_length) = chr;
	}

	/* Websocket: a GET with "Connection: upgrade" and "Upgrade: websocket" is
	 * handed to forward_to_websocket() after the normal access check and,
	 * where required, HTTP authentication. */
	if (session->request_method == GET) {
		if ((header = get_http_header("Connection:", session->http_headers)) != NULL) {
			if (strcasestr(header, "upgrade") != NULL) {
				if ((header = get_http_header("Upgrade:", session->http_headers)) != NULL) {
					if (strcasecmp(header, "websocket") == 0) {
						switch (access = allow_client(session)) {
							case deny:
								log_error(session, fb_accesslist);
								return 403;
							case allow:
								break;
							case pwd:
							case unspecified:
								if ((auth_result = http_authentication_result(session, access == unspecified)) != 200) {
									return auth_result;
								}
						}
						session->keep_alive = false;
						if (forward_to_websocket(session) == -1) {
							return 500;
						}
						return 200;
					}
				}
			}
		}
	}

#ifdef ENABLE_RPROXY
	/* Reverse proxy: the first matching rule wins. The request goes through
	 * the same validation, per-directory config and access control as a local
	 * request before being proxied. */
	rproxy = session->host->rproxy;
	while (rproxy != NULL) {
		if (rproxy_match(rproxy, session->request_uri)) {
			if (rproxy_loop_detected(session->http_headers)) {
				return 508;
			}
			if ((qmark = strchr(session->uri, '?')) != NULL) {
				*qmark = '\0';
				session->vars = qmark + 1;
			}
			if (validate_url(session) == false) {
				return -1;
			}
			if ((session->vars != NULL) && (session->host->secure_url)) {
				if (forbidden_chars_present(session->vars)) {
					log_error(session, "URL contains forbidden characters");
					return 403;
				}
			}
			if (duplicate_host(session) == false) {
				log_error(session, "duplicate_host() error");
				return 500;
			}
			if ((result = uri_to_path(session)) != 200) {
				return result;
			}
			if (session->host->ignore_dot_hiawatha == false) {
				if (load_user_config(session) == -1) {
					return 500;
				}
			}
			if ((result = copy_directory_settings(session)) != 200) {
				return result;
			}
			switch (access = allow_client(session)) {
				case deny:
					log_error(session, fb_accesslist);
					return 403;
				case allow:
					break;
				case pwd:
				case unspecified:
					if ((auth_result = http_authentication_result(session, access == unspecified)) != 200) {
						return auth_result;
					}
			}
			/* Request filters. These run here only on the proxied path; for
			 * locally served requests they are presumably applied elsewhere
			 * (e.g. by execute_cgi()) — confirm. A hit sets error_cause so that
			 * handle_request_result() can answer and ban accordingly. */
			/* Prevent SQL injection */
			if (session->host->prevent_sqli) {
				result = prevent_sqli(session);
				if (result == 1) {
					session->error_cause = ec_SQL_INJECTION;
				}
				if (result != 0) {
					return -1;
				}
			}
			/* Prevent Cross-site Scripting (p_block blocks, other modes only detect) */
			if (session->host->prevent_xss != p_no) {
				if (prevent_xss(session) > 0) {
					if (session->host->prevent_xss == p_block) {
						session->error_cause = ec_XSS;
						return -1;
					}
				}
			}
			/* Prevent Cross-site Request Forgery */
			if (session->host->prevent_csrf != p_no) {
				if (prevent_csrf(session) > 0) {
					if (session->host->prevent_csrf == p_block) {
						session->error_cause = ec_CSRF;
						return -1;
					}
				}
			}
			return proxy_request(session, rproxy);
		}
		rproxy = rproxy->next;
	}
#endif

	/* Actions based on request method: TRACE and the altering methods are
	 * opt-in per binding (or via a WebDAV application on the host). */
	switch (session->request_method) {
		case TRACE:
			if (session->binding->enable_trace == false) {
				return 501;
			}
			return handle_trace_request(session);
		case PUT:
		case DELETE:
			if ((session->binding->enable_alter == false) && (session->host->webdav_app == false)) {
				return 501;
			}
			break;
		case unknown:
			return 400;
		case unsupported:
			if (session->host->webdav_app == false) {
				return 501;
			}
			break;
		default:
			break;
	}

	if (duplicate_host(session) == false) {
		log_error(session, "duplicate_host() error");
		return 500;
	}

#ifdef ENABLE_TOOLKIT
	if (session->host->ignore_dot_hiawatha == false) {
		if (load_user_root_config(session) == -1) {
			return 500;
		}
	}

	/* URL toolkit */
	init_toolkit_options(&toolkit_options);
	toolkit_options.method = session->method;
	toolkit_options.website_root = session->host->website_root;
	toolkit_options.url_toolkit = session->config->url_toolkit;
	toolkit_options.allow_dot_files = session->host->allow_dot_files;
	toolkit_options.http_headers = session->http_headers;
#ifdef ENABLE_SSL
	toolkit_options.use_ssl = session->binding->use_ssl;
#endif

	/* Rules are applied to the raw (still undecoded, query included) URI.
	 * A rule can ban the client, rewrite the URI, redirect, deny, or set
	 * caching parameters. */
	if (((session->request_method != PUT) && (session->request_method != DELETE)) || session->host->webdav_app) {
		for (i = 0; i < session->host->toolkit_rules.size; i++) {
			if ((result = use_toolkit(session->uri, session->host->toolkit_rules.item[i], &toolkit_options)) == UT_ERROR) {
				return 500;
			}
			if ((toolkit_options.ban > 0) && (ip_allowed(&(session->ip_address), session->config->banlist_mask) != deny)) {
				ban_ip(&(session->ip_address), toolkit_options.ban, session->config->kick_on_ban);
				log_system(session, "Client banned because of URL match in UrlToolkit rule");
#ifdef ENABLE_MONITOR
				if (session->config->monitor_enabled) {
					monitor_count_ban(session);
				}
#endif
				return 403;
			}
			session->toolkit_fastcgi = toolkit_options.fastcgi_server;
			/* the rewritten URI is owned by the session's tempdata from here on */
			if (toolkit_options.new_url != NULL) {
				if (register_tempdata(&(session->tempdata), toolkit_options.new_url, tc_data) == -1) {
					free(toolkit_options.new_url);
					log_error(session, "error registering temporary data");
					return 500;
				}
				session->uri = toolkit_options.new_url;
			}
			if (result == UT_REDIRECT) {
				if ((session->location = strdup(toolkit_options.new_url)) == NULL) {
					return -1;
				}
				session->cause_of_301 = location;
				return 301;
			}
			if (result == UT_DENY_ACCESS) {
				log_error(session, "access denied via URL toolkit rule");
				return 403;
			}
			if (toolkit_options.expire > -1) {
				session->expires = toolkit_options.expire;
				session->caco_private = toolkit_options.caco_private;
			}
		}
	}
#endif

	/* Find GET data */
	if ((qmark = strchr(session->uri, '?')) != NULL) {
		*qmark = '\0';
		session->vars = qmark + 1;
	}

	/* decode only the path part; the query string stays encoded in session->vars */
	url_decode(session->uri);
	session->uri_len = strlen(session->uri);

	if ((session->vars != NULL) && (session->host->secure_url)) {
		if (forbidden_chars_present(session->vars)) {
			log_error(session, "URL contains forbidden characters");
			return 403;
		}
	}

	/* validate_url() reports its reason through the -1 / error_cause path */
	if (validate_url(session) == false) {
		return -1;
	}

	if ((result = uri_to_path(session)) != 200) {
		return result;
	}

	/* Load configfile from directories */
	if (session->host->ignore_dot_hiawatha == false) {
		if (load_user_config(session) == -1) {
			return 500;
		}
	}

	if ((result = copy_directory_settings(session)) != 200) {
		return result;
	}

	/* Access control is evaluated after the per-directory settings, so
	 * .hiawatha files can tighten it; pwd/unspecified fall into HTTP auth. */
	switch (access = allow_client(session)) {
		case deny:
			log_error(session, fb_accesslist);
			return 403;
		case allow:
			break;
		case pwd:
		case unspecified:
			if ((auth_result = http_authentication_result(session, access == unspecified)) != 200) {
				return auth_result;
			}
	}

	switch (is_directory(session->file_on_disk)) {
		case error:
			return 500;
		case yes:
			session->uri_is_dir = true;
			break;
		case no:
			if (((session->request_method != PUT) || session->host->webdav_app) && (session->host->enable_path_info)) {
				if ((result = get_path_info(session)) != 200) {
					return result;
				}
			}
			break;
		case no_access:
			log_error(session, fb_filesystem);
			return 403;
		case not_found:
			if (session->request_method == DELETE) {
				return 404;
			}
	}

	/* Directory request: append the start file, or redirect to the
	 * slash-terminated form. strcpy() relies on uri_to_path() having sized
	 * file_on_disk with room for start_file, and on the path being non-empty
	 * (length - 1) — confirm both in uri_to_path(). */
#ifdef ENABLE_TOOLKIT
	if ((session->toolkit_fastcgi == NULL) && session->uri_is_dir) {
#else
	if (session->uri_is_dir) {
#endif
		length = strlen(session->file_on_disk);
		if (*(session->file_on_disk + length - 1) == '/') {
			strcpy(session->file_on_disk + length, session->host->start_file);
		} else {
			return 301;
		}
	}

	if (get_target_extension(session) == -1) {
		log_error(session, "error getting extension");
		return 500;
	}

	if (((session->request_method != PUT) && (session->request_method != DELETE)) || session->host->webdav_app) {
		check_target_is_cgi(session);
	}

	/* Handle request based on request method. With a WebDAV application on the
	 * host, PUT and DELETE are dispatched like POST (to the CGI). */
	request_method = session->request_method;
	if (session->host->webdav_app) {
		if ((request_method == PUT) || (request_method == DELETE)) {
			request_method = POST;
		}
	}

	switch (request_method) {
		case GET:
		case HEAD:
			if (session->cgi_type != no_cgi) {
				session->body = NULL;
				result = execute_cgi(session);
#ifdef ENABLE_XSLT
			} else if ((xslt_file = find_xslt_file(session)) != NULL) {
				result = handle_xml_file(session, xslt_file);
				free(xslt_file);
#endif
			} else {
				result = send_file(session);
			}
			if (result == 404) {
#ifdef ENABLE_XSLT
				if ((session->host->show_index != NULL) && (session->uri[session->uri_len - 1] == '/')) {
					result = show_index(session);
				}
#endif
#ifdef ENABLE_MONITOR
			} else if (session->config->monitor_enabled) {
				/* a monitor host's files are one-shot: removed once served */
				if ((result == 200) && (session->host->monitor_host)) {
					unlink(session->file_on_disk);
				}
#endif
			}

			/* RunOnDownload hook for plain (non-CGI) GETs, whatever the result */
			if ((session->request_method == GET) && (session->cgi_type == no_cgi) && (session->directory != NULL)) {
				if (session->directory->run_on_download != NULL) {
					run_program(session, session->directory->run_on_download, result);
				}
			}
			break;
		case POST:
		case unsupported:
			if (session->cgi_type != no_cgi) {
				result = execute_cgi(session);
#ifdef ENABLE_XSLT
			} else if ((xslt_file = find_xslt_file(session)) != NULL) {
				result = handle_xml_file(session, xslt_file);
				free(xslt_file);
#endif
			} else {
				result = 405;
			}
			break;
		case PUT:
			result = handle_put_request(session);
			if (((result == 201) || (result == 204)) && (session->host->run_on_alter != NULL)) {
				run_program(session, session->host->run_on_alter, result);
			}
			break;
		case DELETE:
			result = handle_delete_request(session);
			if ((result == 204) && (session->host->run_on_alter != NULL)) {
				run_program(session, session->host->run_on_alter, result);
			}
			break;
		case WHEN:
			/* result is left at the 200 established by copy_directory_settings() */
			send_code(session);
			break;
		default:
			result = 400;
	}

	return result;
}

/* Handle timeout upon sending request.
 *
 * Called for a connection whose first request never arrived: bans the peer
 * when BanOnTimeout is configured and the address is not exempt from the
 * banlist, otherwise just logs the timeout.
 */
static void handle_timeout(t_session *session) {
	if ((session->config->ban_on_timeout > 0) && (ip_allowed(&(session->ip_address), session->config->banlist_mask) != deny)) {
		ban_ip(&(session->ip_address), session->config->ban_on_timeout, session->config->kick_on_ban);
		log_system(session, "Client banned because of connection timeout");
#ifdef ENABLE_MONITOR
		if (session->config->monitor_enabled) {
			monitor_count_ban(session);
		}
#endif
	} else {
		log_system(session, "Timeout while waiting for first request");
	}
}

/* Request has been handled, handle the return code.
*/
/*
 * handle_request_result: send the response status for a finished request and
 * write the log entry.
 *
 * result == -1 means the request was aborted for a reason recorded in
 * session->error_cause (request too large, timeout, filter hit, ...); every
 * other value is the HTTP status chosen by serve_client(). For several error
 * causes the client is additionally banned when the matching BanOn* setting
 * is non-zero and the address is not exempt from the banlist. Nothing is sent
 * when session->data_sent says a response already went out. A send failure
 * disables keep-alive so the connection is closed afterwards.
 */
static void handle_request_result(t_session *session, int result) {
	char *hostname;

#ifdef ENABLE_DEBUG
	session->current_task = "handle request result";
#endif

	if (result == -1) switch (session->error_cause) {
		case ec_MAX_REQUESTSIZE:
			log_system(session, "Maximum request size reached");
			session->return_code = 413;
			send_code(session);
			if ((session->config->ban_on_max_request_size > 0) && (ip_allowed(&(session->ip_address), session->config->banlist_mask) != deny)) {
				ban_ip(&(session->ip_address), session->config->ban_on_max_request_size, session->config->kick_on_ban);
				log_system(session, "Client banned because of sending a too large request");
#ifdef ENABLE_MONITOR
				if (session->config->monitor_enabled) {
					monitor_count_ban(session);
				}
#endif
			}
			break;
		case ec_TIMEOUT:
			/* only a timeout on the first request of a connection is reported */
			if (session->kept_alive == 0) {
				session->return_code = 408;
				send_code(session);
				handle_timeout(session);
			}
			break;
		case ec_CLIENT_DISCONNECTED:
			if (session->kept_alive == 0) {
				log_system(session, "Silent client disconnected");
			}
			break;
		case ec_SOCKET_READ_ERROR:
			if (errno != ECONNRESET) {
				log_system(session, "Error while reading request");
			}
			break;
		case ec_SOCKET_WRITE_ERROR:
			log_request(session);
			break;
		case ec_FORCE_QUIT:
			log_system(session, "Client kicked");
			break;
		case ec_SQL_INJECTION:
			/* 441: Hiawatha-specific status for a blocked SQL injection attempt */
			if ((session->config->ban_on_sqli > 0) && (ip_allowed(&(session->ip_address), session->config->banlist_mask) != deny)) {
				ban_ip(&(session->ip_address), session->config->ban_on_sqli, session->config->kick_on_ban);
				hostname = (session->hostname != NULL) ? session->hostname : unknown_host;
				log_system(session, "Client banned because of SQL injection on %s", hostname);
#ifdef ENABLE_MONITOR
				if (session->config->monitor_enabled) {
					monitor_count_ban(session);
				}
#endif
			}
			session->return_code = 441;
			send_code(session);
			log_request(session);
			break;
		case ec_XSS:
			session->return_code = 442;
			send_code(session);
			log_request(session);
			break;
		case ec_CSRF:
			session->return_code = 443;
			send_code(session);
			log_request(session);
			break;
		case ec_INVALID_URL:
			if ((session->config->ban_on_invalid_url > 0) && (ip_allowed(&(session->ip_address), session->config->banlist_mask) != deny)) {
				ban_ip(&(session->ip_address), session->config->ban_on_invalid_url, session->config->kick_on_ban);
				hostname = (session->hostname != NULL) ? session->hostname : unknown_host;
				log_system(session, "Client banned because of invalid URL on %s", hostname);
#ifdef ENABLE_MONITOR
				if (session->config->monitor_enabled) {
					monitor_count_ban(session);
				}
#endif
			}
			/* return_code is not set here: it is sent as already stored in the
			 * session, presumably by validate_url() — confirm */
			send_code(session);
			break;
		default:
			if (session->data_sent == false) {
				session->return_code = 500;
				if (send_code(session) == -1) {
					session->keep_alive = false;
				}
			}
	} else switch (result) {
		case 200:
			break;
		case 201:
		case 204:
		case 304:
		case 412:
			/* header-only responses */
			if (session->data_sent == false) {
				session->return_code = result;
				if (send_header(session) == -1) {
					session->keep_alive = false;
				} else if (send_buffer(session, "Content-Length: 0\r\n\r\n", 21) == -1) {
					session->keep_alive = false;
				}
			}
			break;
		case 411:
		case 413:
			/* the request body was not consumed, so the connection cannot be reused */
			session->keep_alive = false;
			if (session->data_sent == false) {
				session->return_code = result;
				if (send_header(session) == -1) {
					session->keep_alive = false;
				} else if (send_buffer(session, "Content-Length: 0\r\n\r\n", 21) == -1) {
					session->keep_alive = false;
				}
			}
			break;
		case 400:
			/* garbage requests go to the garbage log, not the access log (see the
			 * final if below), and may trigger BanOnGarbage */
			log_garbage(session);
			if (session->data_sent == false) {
				session->return_code = 400;
				if (send_code(session) == -1) {
					session->keep_alive = false;
				}
			}
			if ((session->config->ban_on_garbage > 0) && (ip_allowed(&(session->ip_address), session->config->banlist_mask) != deny)) {
				ban_ip(&(session->ip_address), session->config->ban_on_garbage, session->config->kick_on_ban);
				log_system(session, "Client banned because of sending garbage");
#ifdef ENABLE_MONITOR
				if (session->config->monitor_enabled) {
					monitor_count_ban(session);
				}
#endif
			}
#ifdef ENABLE_MONITOR
			if (session->config->monitor_enabled) {
				monitor_count_bad_request(session);
			}
#endif
			break;
		case 401:
		case 403:
		case 404:
		case 501:
		case 503:
			/* try the configured error handler first; fall back to a plain status page */
			if (session->data_sent == false) {
				switch (handle_error(session, result)) {
					case -1:
						session->keep_alive = false;
						break;
					case 200:
						break;
					default:
						if (session->data_sent == false) {
							session->return_code = result;
							if (send_code(session) == -1) {
								session->keep_alive = false;
							}
						}
				}
			}
			break;
		case 500:
			session->keep_alive = false;
			/* fallthrough */
		default:
			if (session->data_sent == false) {
				session->return_code = result;
				send_code(session);
			}
	}

	/* Everything with a real status except 400 is logged as a request; the
	 * aborted (-1) and garbage cases close the connection instead. */
	if ((result > 0) && (result != 400)) {
		log_request(session);
	} else {
		session->keep_alive = false;
	}
}
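/*
 * inner_main: GnuCash start-up sequence, run inside the Guile context.
 *
 * closure/argc/argv are required by the scm_boot_guile-style callback
 * signature and are not used here. Sets up the Scheme main module, loads the
 * GnuCash modules and the system/user configuration, builds the report menu,
 * initialises the GUI, installs the price-quote sources, opens the initial
 * data file (or shows the new-user dialog on first start), runs the event
 * loop and shuts down. Every scm_c_eval_string() call evaluates a fixed
 * literal; no user-controlled text is passed to Guile here.
 */
static void inner_main (void *closure, int argc, char **argv)
{
	SCM main_mod;
	char* fn;
	GError *error = NULL;

	(void)closure;
	(void)argc;
	(void)argv;

	scm_c_eval_string("(debug-set! stack 200000)");

	main_mod = scm_c_resolve_module("gnucash main");
	scm_set_current_module(main_mod);

	load_gnucash_modules();

	/* Load the config before starting up the gui. This insures that
	 * custom reports have been read into memory before the Reports
	 * menu is created. */
	load_system_config();
	load_user_config();

	/* Setting-up the report menu must come after the module loading but before
	   the gui initialization. */
	scm_c_use_module("gnucash report report-gnome");
	scm_c_eval_string("(gnc:report-menu-setup)");

	/* TODO: After some more guile-extraction, this should happen even before
	   booting guile. */
	gnc_main_gui_init();

	gnc_hook_add_dangler(HOOK_UI_SHUTDOWN, (GFunc)gnc_file_quit, NULL);

	scm_c_eval_string("(gnc:main)");

	/* Install Price Quote Sources */
	gnc_update_splash_screen(_("Checking Finance::Quote..."), GNC_SPLASH_PERCENTAGE_UNKNOWN);
	scm_c_use_module("gnucash price-quotes");
	scm_c_eval_string("(gnc:price-quotes-install-sources)");

	gnc_hook_run(HOOK_STARTUP, NULL);

	if (!nofile && (fn = get_file_to_load())) {
		gnc_update_splash_screen(_("Loading data..."), GNC_SPLASH_PERCENTAGE_UNKNOWN);
		gnc_file_open_file(fn);
		g_free(fn);
	} else if (gnc_gconf_get_bool("dialogs/new_user", "first_startup", &error) && !error) {
		gnc_destroy_splash_screen();
		gnc_ui_new_user_dialog();
	}
	/* a gconf lookup failure was treated as "not first start-up" above; release
	 * the GError it handed back instead of leaking it */
	g_clear_error(&error);

	gnc_destroy_splash_screen();
	gnc_main_window_show_all_windows();

	gnc_hook_run(HOOK_UI_POST_STARTUP, NULL);
	gnc_ui_start_event_loop();
	gnc_hook_remove_dangler(HOOK_UI_SHUTDOWN, (GFunc)gnc_file_quit);

	gnc_shutdown(0);
}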
/*
 * Write the OpenVPN client configuration to conf_file.
 *
 * conf_file: path of the file to (re)create; truncated, written, chmod'ed 0644.
 * is_tun:    non-zero selects the TUN interface name, zero the TAP one.
 * Returns 0 on success, 1 when a required key/certificate file is missing
 * (openvpn_check_key()) or the config file cannot be opened.
 *
 * vpnc_ov_prot encodes the transport: bit 0 = TCP, bit 1 = IPv6 (0 udp,
 * 1 tcp-client, 2 udp6, 3 tcp6-client). The IPv6 bit is cleared when IPv6 is
 * disabled on the router; with USE_IPV6 it is also corrected to match a
 * literal IPv4/IPv6 peer address. A corrected value is written back to NVRAM
 * ("fixup ipv4/ipv6 mismatch"), so this function has a persistent side effect
 * beyond the config file.
 *
 * Security notes: the file references key paths and the "secret" credentials
 * file rather than holding key material, hence 0644; the mode of "secret" is
 * decided inside openvpn_create_client_secret() (not visible here).
 * "script-security 2" lets OpenVPN run SCRIPT_OVPN_CLIENT as up/down handler.
 * User directives are appended last via load_user_config(); forbidden_list
 * presumably is the directive blocklist applied there — confirm in that helper.
 */
static int openvpn_create_client_conf(const char *conf_file, int is_tun)
{
	FILE *out;
	int idx, proto, proto_saved, auth_mode, use_tls_auth;
	const char *peer, *proto_name;

	auth_mode = nvram_get_int("vpnc_ov_auth");
	use_tls_auth = nvram_get_int("vpnc_ov_atls");

	/* Key slots: [0] CA, [1] client cert, [2] client key, [3] tls-auth key. */
	for (idx = 0; idx < 4; idx++) {
		int needed = 1;

		/* user/password auth does not use a client certificate and key */
		if (auth_mode == 1 && (idx == 1 || idx == 2))
			needed = 0;
		/* the static tls-auth key is only required when enabled */
		if (idx == 3 && !use_tls_auth)
			needed = 0;
		if (needed && !openvpn_check_key(openvpn_client_keys[idx], 0))
			return 1;
	}

	proto = nvram_get_int("vpnc_ov_prot");
	proto_saved = proto;
	/* no IPv6 on the router: drop the IPv6 bit, keep TCP/UDP */
	if (proto > 1 && get_ipv6_type() == IPV6_DISABLED)
		proto &= 1;

	peer = nvram_safe_get("vpnc_peer");

	/* note: upcoming openvpn 2.4 will need direct set udp4/tcp4-client for ipv4 only */
#if defined (USE_IPV6)
	/* check peer address is direct ipv4/ipv6 */
	if (proto > 1 && is_valid_ipv4(peer))
		proto &= 1;
	else if (proto < 2 && is_valid_ipv6(peer))
		proto += 2;

	switch (proto) {
	case 3:
		proto_name = "tcp6-client";
		break;
	case 2:
		proto_name = "udp6";
		break;
	case 1:
		proto_name = "tcp-client";
		break;
	default:
		proto_name = "udp";
		break;
	}
#else
	proto_name = (proto == 1) ? "tcp-client" : "udp";
#endif

	/* fixup ipv4/ipv6 mismatch */
	if (proto != proto_saved)
		nvram_set_int("vpnc_ov_prot", proto);

	out = fopen(conf_file, "w+");
	if (out == NULL)
		return 1;

	fprintf(out, "client\n");
	fprintf(out, "proto %s\n", proto_name);
	fprintf(out, "remote %s %d\n", peer, nvram_safe_get_int("vpnc_ov_port", 1194, 1, 65535));
	fprintf(out, "resolv-retry %s\n", "infinite");
	fprintf(out, "nobind\n");
	fprintf(out, "dev %s\n", is_tun ? IFNAME_CLIENT_TUN : IFNAME_CLIENT_TAP);

	fprintf(out, "ca %s/%s\n", CLIENT_CERT_DIR, openvpn_client_keys[0]);
	if (auth_mode == 0) {
		fprintf(out, "cert %s/%s\n", CLIENT_CERT_DIR, openvpn_client_keys[1]);
		fprintf(out, "key %s/%s\n", CLIENT_CERT_DIR, openvpn_client_keys[2]);
	}
	/* key direction 1 on the client, the server side uses 0 */
	if (use_tls_auth)
		fprintf(out, "tls-auth %s/%s %d\n", CLIENT_CERT_DIR, openvpn_client_keys[3], 1);

	openvpn_add_auth(out, nvram_get_int("vpnc_ov_mdig"));
	openvpn_add_cipher(out, nvram_get_int("vpnc_ov_ciph"));
	openvpn_add_lzo(out, nvram_get_int("vpnc_ov_clzo"), 0);

	if (auth_mode == 1) {
		fprintf(out, "auth-user-pass %s\n", "secret");
		openvpn_create_client_secret("secret");
	}

	if (nvram_match("vpnc_dgw", "1"))
		fprintf(out, "redirect-gateway def1 bypass-dhcp\n");

	fprintf(out, "persist-key\n");
	fprintf(out, "script-security %d\n", 2);
	fprintf(out, "writepid %s\n", CLIENT_PID_FILE);
	fprintf(out, "up %s\n", SCRIPT_OVPN_CLIENT);
	fprintf(out, "down %s\n", SCRIPT_OVPN_CLIENT);

	fprintf(out, "\n### User params:\n");
	load_user_config(out, CLIENT_CERT_DIR, "client.conf", forbidden_list);

	fclose(out);
	chmod(conf_file, 0644);

	return 0;
}
/*
 * Write the OpenVPN server configuration to conf_file.
 *
 * conf_file: path of the file to (re)create; truncated, written, chmod'ed 0644.
 * is_tun:    non-zero generates a routed (TUN, "topology subnet") server on
 *            the vpns_vnet network with a per-client ccd directory and a
 *            pushed route to the LAN; zero generates a bridged (TAP,
 *            "server-bridge") server handing out LAN addresses between
 *            vpns_cli0 and vpns_cli1.
 * Returns 0 on success, 1 when a required key file is missing or the config
 * file cannot be opened.
 *
 * vpns_ov_prot encodes the transport: bit 0 = TCP, bit 1 = IPv6 (0 udp,
 * 1 tcp-server, 2 udp6, 3 tcp6-server). The IPv6 bit is cleared when IPv6 is
 * disabled on the router and the corrected value is written back to NVRAM.
 *
 * Security notes: the daemon is told to drop to SYS_USER_NOBODY /
 * SYS_GROUP_NOGROUP; persist-key/persist-tun are what keep a restart working
 * after that drop (per the OpenVPN manual). "script-security 2" allows the
 * client-connect/client-disconnect hooks (SCRIPT_OVPN_SERVER) to run.
 * tls-auth uses key direction 0 (clients use 1). User directives are
 * appended last via load_user_config(); forbidden_list presumably is the
 * directive blocklist applied there — confirm in that helper. The file
 * references key paths only, no key material, hence mode 0644.
 */
static int openvpn_create_server_conf(const char *conf_file, int is_tun)
{
	FILE *out;
	int idx, proto, proto_saved, use_tls_auth, push_gateway, dhcpd_on, pushed;
	unsigned int lan_addr, lan_mask;
	char *lan_ip, *lan_nm, *wins_ip, *dns_a, *dns_b;
	const char *proto_name;
	struct in_addr tmp_in;

	use_tls_auth = nvram_get_int("vpns_ov_atls");

	/* Key slots: [0] CA, [1] DH params, [2] cert, [3] key, [4] tls-auth key. */
	for (idx = 0; idx < 5; idx++) {
		if (idx == 4 && !use_tls_auth)
			continue;
		if (!openvpn_check_key(openvpn_server_keys[idx], 1))
			return 1;
	}

	proto = nvram_get_int("vpns_ov_prot");
	push_gateway = nvram_get_int("vpns_ov_rdgw");
	dhcpd_on = is_dhcpd_enabled(0);

	lan_ip = nvram_safe_get("lan_ipaddr");
	lan_nm = nvram_safe_get("lan_netmask");
	lan_addr = ntohl(inet_addr(lan_ip));
	lan_mask = ntohl(inet_addr(lan_nm));

	proto_saved = proto;
	/* no IPv6 on the router: drop the IPv6 bit, keep TCP/UDP */
	if (proto > 1 && get_ipv6_type() == IPV6_DISABLED)
		proto &= 1;

	/* note: upcoming openvpn 2.4 will need direct set udp4/tcp4-server for ipv4 only */
#if defined (USE_IPV6)
	switch (proto) {
	case 3:
		proto_name = "tcp6-server";
		break;
	case 2:
		proto_name = "udp6";
		break;
	case 1:
		proto_name = "tcp-server";
		break;
	default:
		proto_name = "udp";
		break;
	}
#else
	proto_name = (proto == 1) ? "tcp-server" : "udp";
#endif

	/* fixup ipv4/ipv6 mismatch */
	if (proto != proto_saved)
		nvram_set_int("vpns_ov_prot", proto);

	out = fopen(conf_file, "w+");
	if (out == NULL)
		return 1;

	fprintf(out, "proto %s\n", proto_name);
	fprintf(out, "port %d\n", nvram_safe_get_int("vpns_ov_port", 1194, 1, 65535));

	if (is_tun) {
		unsigned int vpn_addr, vpn_mask;

		vpn_addr = ntohl(inet_addr(nvram_safe_get("vpns_vnet")));
		vpn_mask = ntohl(inet_addr(VPN_SERVER_SUBNET_MASK));
		tmp_in.s_addr = htonl(vpn_addr & vpn_mask);

		fprintf(out, "dev %s\n", IFNAME_SERVER_TUN);
		fprintf(out, "topology %s\n", "subnet");
		/* inet_ntoa() returns a static buffer; one call per fprintf() */
		fprintf(out, "server %s %s\n", inet_ntoa(tmp_in), VPN_SERVER_SUBNET_MASK);
		fprintf(out, "client-config-dir %s\n", "ccd");
		openvpn_create_server_acl(out, "ccd", vpn_addr, vpn_mask);

		tmp_in.s_addr = htonl(lan_addr & lan_mask);
		fprintf(out, "push \"route %s %s\"\n", inet_ntoa(tmp_in), lan_nm);
	} else {
		char pool_first[INET_ADDRSTRLEN], pool_last[INET_ADDRSTRLEN];
		unsigned int cli_first, cli_last, host_max;

		/* Highest usable host number in the LAN (broadcast - 1); the bridge
		 * pool is clamped into it. NOTE(review): for a /31 or /32 netmask this
		 * wraps and the clamp is meaningless — such masks are presumably
		 * rejected earlier, confirm. */
		host_max = ~(lan_mask) - 1;
		cli_first = (unsigned int)nvram_safe_get_int("vpns_cli0", 245, 1, 254);
		cli_last = (unsigned int)nvram_safe_get_int("vpns_cli1", 254, 2, 254);
		if (cli_first > host_max)
			cli_first = host_max;
		if (cli_last > host_max)
			cli_last = host_max;
		if (cli_last < cli_first)
			cli_last = cli_first;

		tmp_in.s_addr = htonl((lan_addr & lan_mask) | cli_first);
		snprintf(pool_first, sizeof pool_first, "%s", inet_ntoa(tmp_in));
		tmp_in.s_addr = htonl((lan_addr & lan_mask) | cli_last);
		snprintf(pool_last, sizeof pool_last, "%s", inet_ntoa(tmp_in));

		fprintf(out, "dev %s\n", IFNAME_SERVER_TAP);
		fprintf(out, "server-bridge %s %s %s %s\n", lan_ip, lan_nm, pool_first, pool_last);
	}

	openvpn_add_auth(out, nvram_get_int("vpns_ov_mdig"));
	openvpn_add_cipher(out, nvram_get_int("vpns_ov_ciph"));
	openvpn_add_lzo(out, nvram_get_int("vpns_ov_clzo"), 1);

	/* Full-tunnel clients get the LAN DHCP resolvers, or the router itself
	 * when none is configured. */
	pushed = 0;
	if (push_gateway) {
		fprintf(out, "push \"redirect-gateway def1 %s\"\n", "bypass-dhcp");
		if (dhcpd_on) {
			dns_a = nvram_safe_get("dhcp_dns1_x");
			dns_b = nvram_safe_get("dhcp_dns2_x");
			if (is_valid_ipv4(dns_a)) {
				pushed++;
				fprintf(out, "push \"dhcp-option %s %s\"\n", "DNS", dns_a);
			}
			if (is_valid_ipv4(dns_b) && strcmp(dns_b, dns_a) != 0) {
				pushed++;
				fprintf(out, "push \"dhcp-option %s %s\"\n", "DNS", dns_b);
			}
		}
		if (pushed < 1)
			fprintf(out, "push \"dhcp-option %s %s\"\n", "DNS", lan_ip);
	}

	pushed = 0;
	if (dhcpd_on) {
		wins_ip = nvram_safe_get("dhcp_wins_x");
		if (is_valid_ipv4(wins_ip)) {
			pushed++;
			fprintf(out, "push \"dhcp-option %s %s\"\n", "WINS", wins_ip);
		}
	}
#if defined(APP_SMBD) || defined(APP_NMBD)
	if (pushed < 1 && nvram_get_int("wins_enable"))
		fprintf(out, "push \"dhcp-option %s %s\"\n", "WINS", lan_ip);
#endif

	fprintf(out, "ca %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[0]);
	fprintf(out, "dh %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[1]);
	fprintf(out, "cert %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[2]);
	fprintf(out, "key %s/%s\n", SERVER_CERT_DIR, openvpn_server_keys[3]);
	if (use_tls_auth)
		fprintf(out, "tls-auth %s/%s %d\n", SERVER_CERT_DIR, openvpn_server_keys[4], 0);

	/* privilege drop and what is needed to survive it */
	fprintf(out, "persist-key\n");
	fprintf(out, "persist-tun\n");
	fprintf(out, "user %s\n", SYS_USER_NOBODY);
	fprintf(out, "group %s\n", SYS_GROUP_NOGROUP);
	fprintf(out, "script-security %d\n", 2);
	fprintf(out, "tmp-dir %s\n", COMMON_TEMP_DIR);
	fprintf(out, "writepid %s\n", SERVER_PID_FILE);
	fprintf(out, "client-connect %s\n", SCRIPT_OVPN_SERVER);
	fprintf(out, "client-disconnect %s\n", SCRIPT_OVPN_SERVER);

	fprintf(out, "\n### User params:\n");
	load_user_config(out, SERVER_CERT_DIR, "server.conf", forbidden_list);

	fclose(out);
	chmod(conf_file, 0644);

	return 0;
}