static int CheckStoreKey(ServerConnectionState *conn, RSA *key)
{
RSA *savedkey;
const char *udigest = KeyPrintableHash(ConnectionInfoKey(conn->conn_info));
assert(udigest != NULL);
if ((savedkey = HavePublicKey(conn->username, MapAddress(conn->ipaddr), udigest)))
{
Log(LOG_LEVEL_VERBOSE, "A public key was already known from %s/%s - no trust required", conn->hostname,
conn->ipaddr);
if ((BN_cmp(savedkey->e, key->e) == 0) && (BN_cmp(savedkey->n, key->n) == 0))
{
Log(LOG_LEVEL_VERBOSE, "The public key identity was confirmed as %s@%s", conn->username, conn->hostname);
SendTransaction(conn->conn_info, "OK: key accepted", 0, CF_DONE);
RSA_free(savedkey);
return true;
}
}
/* Finally, if we're still here then the key is new (not in ppkeys
* directory): Allow access only if host is listed in "trustkeysfrom" body
* server control option. */
if ((SV.trustkeylist != NULL) && (IsMatchItemIn(SV.trustkeylist, MapAddress(conn->ipaddr))))
{
Log(LOG_LEVEL_VERBOSE, "Host %s/%s was found in the list of hosts to trust", conn->hostname, conn->ipaddr);
SendTransaction(conn->conn_info, "OK: unknown key was accepted on trust", 0, CF_DONE);
SavePublicKey(conn->username, udigest, key);
return true;
}
else
{
Log(LOG_LEVEL_VERBOSE, "No previous key found, and unable to accept this one on trust");
SendTransaction(conn->conn_info, "BAD: key could not be accepted on trust", 0, CF_DONE);
return false;
}
}
static int AuthenticationDialogue(ServerConnectionState *conn, char *recvbuffer, int recvlen)
{
char in[CF_BUFSIZE], *out, *decrypted_nonce;
BIGNUM *counter_challenge = NULL;
unsigned char digest[EVP_MAX_MD_SIZE + 1] = { 0 };
unsigned int crypt_len, nonce_len = 0, encrypted_len = 0;
char sauth[10], iscrypt = 'n', enterprise_field = 'c';
int len_n = 0, len_e = 0, keylen, session_size;
unsigned long err;
RSA *newkey;
int digestLen = 0;
HashMethod digestType;
if ((PRIVKEY == NULL) || (PUBKEY == NULL))
{
Log(LOG_LEVEL_ERR, "No public/private key pair exists, create one with cf-key");
return false;
}
if (FIPS_MODE)
{
digestType = CF_DEFAULT_DIGEST;
digestLen = CF_DEFAULT_DIGEST_LEN;
}
else
{
digestType = HASH_METHOD_MD5;
digestLen = CF_MD5_LEN;
}
/* proposition C1 */
/* Opening string is a challenge from the client (some agent) */
sauth[0] = '\0';
sscanf(recvbuffer, "%s %c %u %u %c", sauth, &iscrypt, &crypt_len, &nonce_len, &enterprise_field);
if ((crypt_len == 0) || (nonce_len == 0) || (strlen(sauth) == 0))
{
Log(LOG_LEVEL_INFO, "Protocol format error in authentation from IP %s", conn->hostname);
return false;
}
if (nonce_len > CF_NONCELEN * 2)
{
Log(LOG_LEVEL_INFO, "Protocol deviant authentication nonce from %s", conn->hostname);
return false;
}
if (crypt_len > 2 * CF_NONCELEN)
{
Log(LOG_LEVEL_INFO, "Protocol abuse in unlikely cipher from %s", conn->hostname);
return false;
}
/* Check there is no attempt to read past the end of the received input */
if (recvbuffer + CF_RSA_PROTO_OFFSET + nonce_len > recvbuffer + recvlen)
{
Log(LOG_LEVEL_INFO, "Protocol consistency error in authentication from %s", conn->hostname);
return false;
}
if ((strcmp(sauth, "SAUTH") != 0) || (nonce_len == 0) || (crypt_len == 0))
{
Log(LOG_LEVEL_INFO, "Protocol error in RSA authentication from IP '%s'", conn->hostname);
return false;
}
Log(LOG_LEVEL_DEBUG, "Challenge encryption = %c, nonce = %d, buf = %d", iscrypt, nonce_len, crypt_len);
decrypted_nonce = xmalloc(crypt_len);
if (iscrypt == 'y')
{
if (RSA_private_decrypt
(crypt_len, recvbuffer + CF_RSA_PROTO_OFFSET, decrypted_nonce, PRIVKEY, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR,
"Private decrypt failed = '%s'. Probably the client has the wrong public key for this server",
ERR_reason_error_string(err));
free(decrypted_nonce);
return false;
}
}
else
{
if (nonce_len > crypt_len)
{
Log(LOG_LEVEL_ERR, "Illegal challenge");
free(decrypted_nonce);
return false;
}
memcpy(decrypted_nonce, recvbuffer + CF_RSA_PROTO_OFFSET, nonce_len);
}
/* Client's ID is now established by key or trusted, reply with digest */
HashString(decrypted_nonce, nonce_len, digest, digestType);
free(decrypted_nonce);
/* Get the public key from the client */
newkey = RSA_new();
/* proposition C2 */
if ((len_n = ReceiveTransaction(conn->conn_info, recvbuffer, NULL)) == -1)
{
Log(LOG_LEVEL_INFO, "Protocol error 1 in RSA authentation from IP %s", conn->hostname);
RSA_free(newkey);
return false;
}
if (len_n == 0)
{
Log(LOG_LEVEL_INFO, "Protocol error 2 in RSA authentation from IP %s", conn->hostname);
RSA_free(newkey);
return false;
}
if ((newkey->n = BN_mpi2bn(recvbuffer, len_n, NULL)) == NULL)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Private decrypt failed = %s", ERR_reason_error_string(err));
RSA_free(newkey);
return false;
}
/* proposition C3 */
if ((len_e = ReceiveTransaction(conn->conn_info, recvbuffer, NULL)) == -1)
{
Log(LOG_LEVEL_INFO, "Protocol error 3 in RSA authentation from IP %s", conn->hostname);
RSA_free(newkey);
return false;
}
if (len_e == 0)
{
Log(LOG_LEVEL_INFO, "Protocol error 4 in RSA authentation from IP %s", conn->hostname);
RSA_free(newkey);
return false;
}
if ((newkey->e = BN_mpi2bn(recvbuffer, len_e, NULL)) == NULL)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Private decrypt failed = %s", ERR_reason_error_string(err));
RSA_free(newkey);
return false;
}
/* Compute and store hash of the client's public key. */
Key *key = KeyNew(newkey, CF_DEFAULT_DIGEST);
ConnectionInfoSetKey(conn->conn_info, key);
Log(LOG_LEVEL_VERBOSE, "Public key identity of host '%s' is '%s'",
conn->ipaddr, KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
LastSaw1(conn->ipaddr, KeyPrintableHash(ConnectionInfoKey(conn->conn_info)),
LAST_SEEN_ROLE_ACCEPT);
if (!CheckStoreKey(conn, newkey)) /* conceals proposition S1 */
{
return false;
}
/* Reply with digest of original challenge */
/* proposition S2 */
SendTransaction(conn->conn_info, digest, digestLen, CF_DONE);
/* Send counter challenge to be sure this is a live session */
counter_challenge = BN_new();
if (counter_challenge == NULL)
{
Log(LOG_LEVEL_ERR, "Cannot allocate BIGNUM structure for counter challenge");
return false;
}
BN_rand(counter_challenge, CF_NONCELEN, 0, 0);
nonce_len = BN_bn2mpi(counter_challenge, in);
// hash the challenge from the client
HashString(in, nonce_len, digest, digestType);
encrypted_len = RSA_size(newkey); /* encryption buffer is always the same size as n */
out = xmalloc(encrypted_len + 1);
if (RSA_public_encrypt(nonce_len, in, out, newkey, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Public encryption failed = %s", ERR_reason_error_string(err));
free(out);
return false;
}
/* proposition S3 */
SendTransaction(conn->conn_info, out, encrypted_len, CF_DONE);
/* if the client doesn't have our public key, send it */
if (iscrypt != 'y')
{
/* proposition S4 - conditional */
memset(in, 0, CF_BUFSIZE);
len_n = BN_bn2mpi(PUBKEY->n, in);
SendTransaction(conn->conn_info, in, len_n, CF_DONE);
/* proposition S5 - conditional */
memset(in, 0, CF_BUFSIZE);
len_e = BN_bn2mpi(PUBKEY->e, in);
SendTransaction(conn->conn_info, in, len_e, CF_DONE);
}
/* Receive reply to counter_challenge */
/* proposition C4 */
memset(in, 0, CF_BUFSIZE);
if (ReceiveTransaction(conn->conn_info, in, NULL) == -1)
{
BN_free(counter_challenge);
free(out);
return false;
}
if (HashesMatch(digest, in, digestType)) /* replay / piggy in the middle attack ? */
{
Log(LOG_LEVEL_VERBOSE, "Authentication of client %s/%s achieved", conn->hostname, conn->ipaddr);
}
else
{
BN_free(counter_challenge);
free(out);
Log(LOG_LEVEL_INFO, "Challenge response from client %s was incorrect - ID false?", conn->ipaddr);
return false;
}
/* Receive random session key,... */
/* proposition C5 */
memset(in, 0, CF_BUFSIZE);
if ((keylen = ReceiveTransaction(conn->conn_info, in, NULL)) == -1)
{
BN_free(counter_challenge);
free(out);
return false;
}
if (keylen > CF_BUFSIZE / 2)
{
BN_free(counter_challenge);
free(out);
Log(LOG_LEVEL_INFO, "Session key length received from %s is too long", conn->ipaddr);
return false;
}
session_size = CfSessionKeySize(enterprise_field);
conn->session_key = xmalloc(session_size);
conn->encryption_type = enterprise_field;
Log(LOG_LEVEL_VERBOSE, "Receiving session key from client (size=%d)...", keylen);
Log(LOG_LEVEL_DEBUG, "keylen = %d, session_size = %d", keylen, session_size);
if (keylen == CF_BLOWFISHSIZE) /* Support the old non-ecnrypted for upgrade */
{
memcpy(conn->session_key, in, session_size);
}
else
{
/* New protocol encrypted */
if (RSA_private_decrypt(keylen, in, out, PRIVKEY, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Private decrypt failed = %s", ERR_reason_error_string(err));
BN_free(counter_challenge);
free(out);
return false;
}
memcpy(conn->session_key, out, session_size);
}
BN_free(counter_challenge);
free(out);
return true;
}
/**
* @brief Accept a TLS connection and authenticate and identify.
* @note Various fields in #conn are set, like username and keyhash.
*/
int ServerTLSSessionEstablish(ServerConnectionState *conn)
{
int ret;
if (ConnectionInfoConnectionStatus(conn->conn_info) != CF_CONNECTION_ESTABLISHED)
{
assert(ConnectionInfoSSL(conn->conn_info) == NULL);
SSL *ssl = SSL_new(SSLSERVERCONTEXT);
if (ssl == NULL)
{
Log(LOG_LEVEL_ERR, "SSL_new: %s",
TLSErrorString(ERR_get_error()));
return -1;
}
ConnectionInfoSetSSL(conn->conn_info, ssl);
/* Pass conn_info inside the ssl struct for TLSVerifyCallback(). */
SSL_set_ex_data(ssl, CONNECTIONINFO_SSL_IDX, conn->conn_info);
/* Now we are letting OpenSSL take over the open socket. */
SSL_set_fd(ssl, ConnectionInfoSocket(conn->conn_info));
ret = SSL_accept(ssl);
if (ret <= 0)
{
TLSLogError(ssl, LOG_LEVEL_ERR,
"Failed to accept TLS connection", ret);
return -1;
}
Log(LOG_LEVEL_VERBOSE, "TLS cipher negotiated: %s, %s",
SSL_get_cipher_name(ssl),
SSL_get_cipher_version(ssl));
Log(LOG_LEVEL_VERBOSE, "TLS session established, checking trust...");
/* Send/Receive "CFE_v%d" version string, agree on version, receive
identity (username) of peer. */
char username[sizeof(conn->username)] = "";
bool b = ServerIdentificationDialog(conn->conn_info,
username, sizeof(username));
if (b != true)
{
return -1;
}
/* We *now* (maybe a bit late) verify the key that the client sent us in
* the TLS handshake, since we need the username to do so. TODO in the
* future store keys irrelevant of username, so that we can match them
* before IDENTIFY. */
ret = TLSVerifyPeer(conn->conn_info, conn->ipaddr, username);
if (ret == -1) /* error */
{
return -1;
}
if (ret == 1) /* trusted key */
{
Log(LOG_LEVEL_VERBOSE,
"%s: Client is TRUSTED, public key MATCHES stored one.",
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
}
if (ret == 0) /* untrusted key */
{
if ((SV.trustkeylist != NULL) &&
(IsMatchItemIn(SV.trustkeylist, conn->ipaddr)))
{
Log(LOG_LEVEL_VERBOSE,
"Peer was found in \"trustkeysfrom\" list");
Log(LOG_LEVEL_NOTICE, "Trusting new key: %s",
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
SavePublicKey(username, KeyPrintableHash(conn->conn_info->remote_key),
KeyRSA(ConnectionInfoKey(conn->conn_info)));
}
else
{
Log(LOG_LEVEL_NOTICE,
"TRUST FAILED, peer presented an untrusted key, dropping connection!");
Log(LOG_LEVEL_VERBOSE,
"Add peer to \"trustkeysfrom\" if you really want to start trusting this new key.");
return -1;
}
}
/* All checks succeeded, set conn->uid (conn->sid for Windows)
* according to the received USERNAME identity. */
SetConnIdentity(conn, username);
/* No CAUTH, SAUTH in non-classic protocol. */
conn->user_data_set = 1;
conn->rsa_auth = 1;
LastSaw1(conn->ipaddr, KeyPrintableHash(ConnectionInfoKey(conn->conn_info)),
LAST_SEEN_ROLE_ACCEPT);
ServerSendWelcome(conn);
}
return 1;
}
bool BusyWithNewProtocol(EvalContext *ctx, ServerConnectionState *conn)
{
/* The CF_BUFEXT extra space is there to ensure we're not reading out of
* bounds in commands that carry extra binary arguments, like MD5. */
char recvbuffer[CF_BUFSIZE + CF_BUFEXT] = { 0 };
char sendbuffer[CF_BUFSIZE] = { 0 };
char filename[CF_BUFSIZE + 1]; /* +1 for appending slash sometimes */
int received;
ServerFileGetState get_args = { 0 };
/* We already encrypt because of the TLS layer, no need to encrypt more. */
const int encrypted = 0;
/* Legacy stuff only for old protocol. */
assert(conn->rsa_auth == 1);
assert(conn->user_data_set == 1);
/* Receive up to CF_BUFSIZE - 1 bytes. */
received = ReceiveTransaction(conn->conn_info, recvbuffer, NULL);
if (received == -1 || received == 0)
{
return false;
}
if (strlen(recvbuffer) == 0)
{
Log(LOG_LEVEL_WARNING, "Got NULL transmission, skipping!");
return true;
}
/* Don't process request if we're signalled to exit. */
if (IsPendingTermination())
{
Log(LOG_LEVEL_VERBOSE, "Server must exit, closing connection");
return false;
}
/* TODO break recvbuffer here: command, param1, param2 etc. */
switch (GetCommandNew(recvbuffer))
{
case PROTOCOL_COMMAND_EXEC:
{
/* TODO check it is always file, never directory, no end with '/' */
char args[256];
int ret = sscanf(recvbuffer, "EXEC %255[^\n]", args);
if (ret != 1) /* No arguments, use default args. */
{
args[0] = '\0';
}
if (!AllowedUser(conn->username))
{
Log(LOG_LEVEL_INFO, "EXEC denied due to not allowed user: %s",
conn->username);
RefuseAccess(conn, recvbuffer);
return true;
}
char arg0[PATH_MAX];
size_t zret = CommandArg0_bound(arg0, CFRUNCOMMAND, sizeof(arg0));
if (zret == (size_t) -1)
{
goto protocol_error;
}
zret = PreprocessRequestPath(arg0, sizeof(arg0));
if (zret == (size_t) -1)
{
goto protocol_error;
}
/* TODO EXEC should not just use paths_acl access control, but
* specific "path_exec" ACL. Then different command execution could be
* allowed per host, and the host could even set argv[0] in his EXEC
* request, rather than only the arguments. */
if (acl_CheckPath(paths_acl, arg0,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "EXEC denied due to ACL for file: %s", arg0);
RefuseAccess(conn, recvbuffer);
return true;
}
if (!MatchClasses(ctx, conn))
{
Log(LOG_LEVEL_INFO, "EXEC denied due to failed class match");
Terminate(conn->conn_info);
return true;
}
DoExec(ctx, conn, args);
Terminate(conn->conn_info);
return true;
}
case PROTOCOL_COMMAND_VERSION:
snprintf(sendbuffer, sizeof(sendbuffer), "OK: %s", Version());
SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
return true;
case PROTOCOL_COMMAND_GET:
{
int ret = sscanf(recvbuffer, "GET %d %[^\n]",
&(get_args.buf_size), filename);
if (ret != 2 ||
get_args.buf_size <= 0 || get_args.buf_size > CF_BUFSIZE)
{
goto protocol_error;
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "GET", filename);
/* TODO batch all the following in one function since it's very
* similar in all of GET, OPENDIR and STAT. */
size_t zret = ShortcutsExpand(filename, sizeof(filename),
SV.path_shortcuts,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
if (zret == (size_t) -1)
{
goto protocol_error;
}
zret = PreprocessRequestPath(filename, sizeof(filename));
if (zret == (size_t) -1)
{
goto protocol_error;
}
PathRemoveTrailingSlash(filename, strlen(filename));
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Translated to:", "GET", filename);
if (acl_CheckPath(paths_acl, filename,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to GET: %s", filename);
RefuseAccess(conn, recvbuffer);
return true;
}
memset(sendbuffer, 0, sizeof(sendbuffer));
if (get_args.buf_size >= CF_BUFSIZE)
{
get_args.buf_size = 2048;
}
/* TODO eliminate! */
get_args.conn = conn;
get_args.encrypt = false;
get_args.replybuff = sendbuffer;
get_args.replyfile = filename;
CfGetFile(&get_args);
return true;
}
case PROTOCOL_COMMAND_OPENDIR:
{
memset(filename, 0, sizeof(filename));
int ret = sscanf(recvbuffer, "OPENDIR %[^\n]", filename);
if (ret != 1)
{
goto protocol_error;
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "OPENDIR", filename);
/* sizeof()-1 because we need one extra byte for
appending '/' afterwards. */
size_t zret = ShortcutsExpand(filename, sizeof(filename) - 1,
SV.path_shortcuts,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
if (zret == (size_t) -1)
{
goto protocol_error;
}
zret = PreprocessRequestPath(filename, sizeof(filename) - 1);
if (zret == (size_t) -1)
{
goto protocol_error;
}
/* OPENDIR *must* be directory. */
PathAppendTrailingSlash(filename, strlen(filename));
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Translated to:", "OPENDIR", filename);
if (acl_CheckPath(paths_acl, filename,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to OPENDIR: %s", filename);
RefuseAccess(conn, recvbuffer);
return true;
}
CfOpenDirectory(conn, sendbuffer, filename);
return true;
}
case PROTOCOL_COMMAND_SYNCH:
{
long time_no_see = 0;
memset(filename, 0, sizeof(filename));
int ret = sscanf(recvbuffer, "SYNCH %ld STAT %[^\n]",
&time_no_see, filename);
if (ret != 2 || filename[0] == '\0')
{
goto protocol_error;
}
time_t tloc = time(NULL);
if (tloc == -1)
{
/* Should never happen. */
Log(LOG_LEVEL_ERR, "Couldn't read system clock. (time: %s)", GetErrorStr());
SendTransaction(conn->conn_info, "BAD: clocks out of synch", 0, CF_DONE);
return true;
}
time_t trem = (time_t) time_no_see;
int drift = (int) (tloc - trem);
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "STAT", filename);
/* sizeof()-1 because we need one extra byte for
appending '/' afterwards. */
size_t zret = ShortcutsExpand(filename, sizeof(filename) - 1,
SV.path_shortcuts,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
if (zret == (size_t) -1)
{
goto protocol_error;
}
zret = PreprocessRequestPath(filename, sizeof(filename) - 1);
if (zret == (size_t) -1)
{
RefuseAccess(conn, recvbuffer);
return true;
}
if (IsDirReal(filename) == 1)
{
PathAppendTrailingSlash(filename, strlen(filename));
}
else
{
PathRemoveTrailingSlash(filename, strlen(filename));
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Translated to:", "STAT", filename);
if (acl_CheckPath(paths_acl, filename,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to STAT: %s", filename);
RefuseAccess(conn, recvbuffer);
return true;
}
if (DENYBADCLOCKS && (drift * drift > CLOCK_DRIFT * CLOCK_DRIFT))
{
snprintf(sendbuffer, sizeof(sendbuffer),
"BAD: Clocks are too far unsynchronized %ld/%ld",
(long) tloc, (long) trem);
Log(LOG_LEVEL_INFO, "denybadclocks %s", sendbuffer);
SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
return true;
}
else
{
Log(LOG_LEVEL_DEBUG, "Clocks were off by %ld", (long) tloc - (long) trem);
StatFile(conn, sendbuffer, filename);
}
return true;
}
case PROTOCOL_COMMAND_MD5:
{
int ret = sscanf(recvbuffer, "MD5 %[^\n]", filename);
if (ret != 1)
{
goto protocol_error;
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "MD5", filename);
/* TODO batch all the following in one function since it's very
* similar in all of GET, OPENDIR and STAT. */
size_t zret = ShortcutsExpand(filename, sizeof(filename),
SV.path_shortcuts,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
if (zret == (size_t) -1)
{
goto protocol_error;
}
zret = PreprocessRequestPath(filename, sizeof(filename));
if (zret == (size_t) -1)
{
goto protocol_error;
}
PathRemoveTrailingSlash(filename, strlen(filename));
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Translated to:", "MD5", filename);
if (acl_CheckPath(paths_acl, filename,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to file: %s", filename);
RefuseAccess(conn, recvbuffer);
return true;
}
assert(CF_DEFAULT_DIGEST_LEN <= EVP_MAX_MD_SIZE);
unsigned char digest[EVP_MAX_MD_SIZE + 1];
assert(CF_BUFSIZE + CF_SMALL_OFFSET + CF_DEFAULT_DIGEST_LEN
<= sizeof(recvbuffer));
memcpy(digest, recvbuffer + strlen(recvbuffer) + CF_SMALL_OFFSET,
CF_DEFAULT_DIGEST_LEN);
CompareLocalHash(filename, digest, sendbuffer);
SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
return true;
}
case PROTOCOL_COMMAND_VAR:
{
char var[256];
int ret = sscanf(recvbuffer, "VAR %255[^\n]", var);
if (ret != 1)
{
goto protocol_error;
}
/* TODO if this is literals_acl, then when should I check vars_acl? */
if (acl_CheckExact(literals_acl, var,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to variable: %s", var);
RefuseAccess(conn, recvbuffer);
return true;
}
GetServerLiteral(ctx, conn, sendbuffer, recvbuffer, encrypted);
return true;
}
case PROTOCOL_COMMAND_CONTEXT:
{
char client_regex[256];
int ret = sscanf(recvbuffer, "CONTEXT %255[^\n]", client_regex);
if (ret != 1)
{
goto protocol_error;
}
/* WARNING: this comes from legacy code and must be killed if we care
* about performance. We should not accept regular expressions from
* the client, but this will break backwards compatibility.
*
* I replicated the code in raw form here to emphasize complexity,
* it's the only *slow* command currently in the protocol. */
Item *persistent_classes = ListPersistentClasses();
Item *matched_classes = NULL;
/* For all persistent classes */
for (Item *ip = persistent_classes; ip != NULL; ip = ip->next)
{
const char *class_name = ip->name;
/* Does this class match the regex the client sent? */
if (StringMatchFull(client_regex, class_name))
{
/* For all ACLs */
for (size_t i = 0; i < classes_acl->len; i++)
{
struct resource_acl *racl = &classes_acl->acls[i];
/* Does this ACL apply to this host? */
if (access_CheckResource(racl, conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== true)
{
const char *allowed_classes_regex =
classes_acl->resource_names->list[i]->str;
/* Does this ACL admits access for this class to the
* connected host? */
if (StringMatchFull(allowed_classes_regex, class_name))
{
PrependItem(&matched_classes, class_name, NULL);
}
}
}
}
}
if (matched_classes == NULL)
{
Log(LOG_LEVEL_INFO,
"No allowed classes for remoteclassesmatching: %s",
client_regex);
RefuseAccess(conn, recvbuffer);
return true;
}
ReplyServerContext(conn, encrypted, matched_classes);
return true;
}
case PROTOCOL_COMMAND_QUERY:
{
char query[256], name[128];
int ret1 = sscanf(recvbuffer, "QUERY %255[^\n]", query);
int ret2 = sscanf(recvbuffer, "QUERY %127s", name);
if (ret1 != 1 || ret2 != 1)
{
goto protocol_error;
}
if (acl_CheckExact(query_acl, name,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to query: %s", query);
RefuseAccess(conn, recvbuffer);
return true;
}
if (GetServerQuery(conn, recvbuffer, encrypted))
{
return true;
}
break;
}
case PROTOCOL_COMMAND_CALL_ME_BACK:
if (acl_CheckExact(query_acl, "collect_calls",
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO,
"access denied to Call-Collect, check the ACL for class: collect_calls");
return false;
}
ReceiveCollectCall(conn);
/* On success that returned true; otherwise, it did all
* relevant Log()ging. Either way, it closed the connection,
* so we're no longer busy with it: */
return false;
case PROTOCOL_COMMAND_BAD:
Log(LOG_LEVEL_WARNING, "Unexpected protocol command: %s", recvbuffer);
}
/* We should only reach this point if something went really bad, and
* close connection. In all other cases (like access denied) connection
* shouldn't be closed.
* TODO So we need this function to return more than true/false, because
* now we return true even when access is denied! E.g. return -1 for
* error, 0 on success, 1 on access denied. It can be an option if
* connection will close on denial. */
protocol_error:
strcpy(sendbuffer, "BAD: Request denied");
SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
Log(LOG_LEVEL_INFO, "Closing connection due to request: %s", recvbuffer);
return false;
}
/**
* Currently this function returns false when we want the connection
* closed, and true, when we want to proceed further with requests.
*
* @TODO So we need this function to return more than true/false, because now
* we return true even when access is denied! E.g. return -1 for error, 0 on
* success, 1 on access denied. It can be an option if connection will close
* on denial.
*/
bool BusyWithNewProtocol(EvalContext *ctx, ServerConnectionState *conn)
{
/* The CF_BUFEXT extra space is there to ensure we're not *reading* out of
* bounds in commands that carry extra binary arguments, like MD5. */
char recvbuffer[CF_BUFSIZE + CF_BUFEXT] = { 0 };
/* This size is the max we can SendTransaction(). */
char sendbuffer[CF_BUFSIZE - CF_INBAND_OFFSET] = { 0 };
char filename[CF_BUFSIZE + 1]; /* +1 for appending slash sometimes */
ServerFileGetState get_args = { 0 };
/* We already encrypt because of the TLS layer, no need to encrypt more. */
const int encrypted = 0;
/* Legacy stuff only for old protocol. */
assert(conn->rsa_auth == 1);
assert(conn->user_data_set == 1);
/* Receive up to CF_BUFSIZE - 1 bytes. */
const int received = ReceiveTransaction(conn->conn_info,
recvbuffer, NULL);
if (received == -1)
{
/* Already Log()ged in case of error. */
return false;
}
if (received > CF_BUFSIZE - 1)
{
UnexpectedError("Received transaction of size %d", received);
return false;
}
if (strlen(recvbuffer) == 0)
{
Log(LOG_LEVEL_WARNING,
"Got NULL transmission (of size %d)", received);
return true;
}
/* Don't process request if we're signalled to exit. */
if (IsPendingTermination())
{
Log(LOG_LEVEL_VERBOSE, "Server must exit, closing connection");
return false;
}
/* TODO break recvbuffer here: command, param1, param2 etc. */
switch (GetCommandNew(recvbuffer))
{
case PROTOCOL_COMMAND_EXEC:
{
const size_t EXEC_len = strlen(PROTOCOL_NEW[PROTOCOL_COMMAND_EXEC]);
/* Assert recvbuffer starts with EXEC. */
assert(strncmp(PROTOCOL_NEW[PROTOCOL_COMMAND_EXEC],
recvbuffer, EXEC_len) == 0);
char *args = &recvbuffer[EXEC_len];
args += strspn(args, " \t"); /* bypass spaces */
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "EXEC", args);
bool b = DoExec2(ctx, conn, args,
sendbuffer, sizeof(sendbuffer));
/* In the end we might keep the connection open (return true) to be
* ready for next requests, but we must always send the TERMINATOR
* string so that the client can close the connection at will. */
Terminate(conn->conn_info);
return b;
}
case PROTOCOL_COMMAND_VERSION:
snprintf(sendbuffer, sizeof(sendbuffer), "OK: %s", Version());
SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
return true;
case PROTOCOL_COMMAND_GET:
{
int ret = sscanf(recvbuffer, "GET %d %[^\n]",
&(get_args.buf_size), filename);
if (ret != 2 ||
get_args.buf_size <= 0 || get_args.buf_size > CF_BUFSIZE)
{
goto protocol_error;
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "GET", filename);
/* TODO batch all the following in one function since it's very
* similar in all of GET, OPENDIR and STAT. */
size_t zret = ShortcutsExpand(filename, sizeof(filename),
SV.path_shortcuts,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
if (zret == (size_t) -1)
{
goto protocol_error;
}
zret = PreprocessRequestPath(filename, sizeof(filename));
if (zret == (size_t) -1)
{
RefuseAccess(conn, recvbuffer);
return true;
}
PathRemoveTrailingSlash(filename, strlen(filename));
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Translated to:", "GET", filename);
if (acl_CheckPath(paths_acl, filename,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to GET: %s", filename);
RefuseAccess(conn, recvbuffer);
return true;
}
memset(sendbuffer, 0, sizeof(sendbuffer));
if (get_args.buf_size >= CF_BUFSIZE)
{
get_args.buf_size = 2048;
}
/* TODO eliminate! */
get_args.conn = conn;
get_args.encrypt = false;
get_args.replybuff = sendbuffer;
get_args.replyfile = filename;
CfGetFile(&get_args);
return true;
}
case PROTOCOL_COMMAND_OPENDIR:
{
memset(filename, 0, sizeof(filename));
int ret = sscanf(recvbuffer, "OPENDIR %[^\n]", filename);
if (ret != 1)
{
goto protocol_error;
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "OPENDIR", filename);
/* sizeof()-1 because we need one extra byte for
appending '/' afterwards. */
size_t zret = ShortcutsExpand(filename, sizeof(filename) - 1,
SV.path_shortcuts,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
if (zret == (size_t) -1)
{
goto protocol_error;
}
zret = PreprocessRequestPath(filename, sizeof(filename) - 1);
if (zret == (size_t) -1)
{
RefuseAccess(conn, recvbuffer);
return true;
}
/* OPENDIR *must* be directory. */
PathAppendTrailingSlash(filename, strlen(filename));
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Translated to:", "OPENDIR", filename);
if (acl_CheckPath(paths_acl, filename,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to OPENDIR: %s", filename);
RefuseAccess(conn, recvbuffer);
return true;
}
CfOpenDirectory(conn, sendbuffer, filename);
return true;
}
case PROTOCOL_COMMAND_SYNCH:
{
long time_no_see = 0;
memset(filename, 0, sizeof(filename));
int ret = sscanf(recvbuffer, "SYNCH %ld STAT %[^\n]",
&time_no_see, filename);
if (ret != 2 || filename[0] == '\0')
{
goto protocol_error;
}
time_t tloc = time(NULL);
if (tloc == -1)
{
/* Should never happen. */
Log(LOG_LEVEL_ERR, "Couldn't read system clock. (time: %s)", GetErrorStr());
SendTransaction(conn->conn_info, "BAD: clocks out of synch", 0, CF_DONE);
return true;
}
time_t trem = (time_t) time_no_see;
int drift = (int) (tloc - trem);
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "STAT", filename);
/* sizeof()-1 because we need one extra byte for
appending '/' afterwards. */
size_t zret = ShortcutsExpand(filename, sizeof(filename) - 1,
SV.path_shortcuts,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
if (zret == (size_t) -1)
{
goto protocol_error;
}
zret = PreprocessRequestPath(filename, sizeof(filename) - 1);
if (zret == (size_t) -1)
{
RefuseAccess(conn, recvbuffer);
return true;
}
if (IsDirReal(filename) == 1)
{
PathAppendTrailingSlash(filename, strlen(filename));
}
else
{
PathRemoveTrailingSlash(filename, strlen(filename));
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Translated to:", "STAT", filename);
if (acl_CheckPath(paths_acl, filename,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to STAT: %s", filename);
RefuseAccess(conn, recvbuffer);
return true;
}
Log(LOG_LEVEL_DEBUG, "Clocks were off by %ld",
(long) tloc - (long) trem);
if (DENYBADCLOCKS && (drift * drift > CLOCK_DRIFT * CLOCK_DRIFT))
{
snprintf(sendbuffer, sizeof(sendbuffer),
"BAD: Clocks are too far unsynchronized %ld/%ld",
(long) tloc, (long) trem);
Log(LOG_LEVEL_INFO, "denybadclocks %s", sendbuffer);
SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
return true;
}
StatFile(conn, sendbuffer, filename);
return true;
}
case PROTOCOL_COMMAND_MD5:
{
int ret = sscanf(recvbuffer, "MD5 %[^\n]", filename);
if (ret != 1)
{
goto protocol_error;
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "MD5", filename);
/* TODO batch all the following in one function since it's very
* similar in all of GET, OPENDIR and STAT. */
size_t zret = ShortcutsExpand(filename, sizeof(filename),
SV.path_shortcuts,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
if (zret == (size_t) -1)
{
goto protocol_error;
}
zret = PreprocessRequestPath(filename, sizeof(filename));
if (zret == (size_t) -1)
{
RefuseAccess(conn, recvbuffer);
return true;
}
PathRemoveTrailingSlash(filename, strlen(filename));
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Translated to:", "MD5", filename);
if (acl_CheckPath(paths_acl, filename,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to file: %s", filename);
RefuseAccess(conn, recvbuffer);
return true;
}
assert(CF_DEFAULT_DIGEST_LEN <= EVP_MAX_MD_SIZE);
unsigned char digest[EVP_MAX_MD_SIZE + 1];
assert(CF_BUFSIZE + CF_SMALL_OFFSET + CF_DEFAULT_DIGEST_LEN
<= sizeof(recvbuffer));
memcpy(digest, recvbuffer + strlen(recvbuffer) + CF_SMALL_OFFSET,
CF_DEFAULT_DIGEST_LEN);
CompareLocalHash(filename, digest, sendbuffer);
SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
return true;
}
case PROTOCOL_COMMAND_VAR:
{
char var[256];
int ret = sscanf(recvbuffer, "VAR %255[^\n]", var);
if (ret != 1)
{
goto protocol_error;
}
/* TODO if this is literals_acl, then when should I check vars_acl? */
if (acl_CheckExact(literals_acl, var,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to variable: %s", var);
RefuseAccess(conn, recvbuffer);
return true;
}
GetServerLiteral(ctx, conn, sendbuffer, recvbuffer, encrypted);
return true;
}
case PROTOCOL_COMMAND_CONTEXT:
{
char client_regex[256];
int ret = sscanf(recvbuffer, "CONTEXT %255[^\n]", client_regex);
if (ret != 1)
{
goto protocol_error;
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "CONTEXT", client_regex);
/* WARNING: this comes from legacy code and must be killed if we care
* about performance. We should not accept regular expressions from
* the client, but this will break backwards compatibility.
*
* I replicated the code in raw form here to emphasize complexity,
* it's the only *slow* command currently in the protocol. */
Item *persistent_classes = ListPersistentClasses();
Item *matched_classes = NULL;
/* For all persistent classes */
for (Item *ip = persistent_classes; ip != NULL; ip = ip->next)
{
const char *class_name = ip->name;
/* Does this class match the regex the client sent? */
if (StringMatchFull(client_regex, class_name))
{
/* Is this class allowed to be given to the specific
* host, according to the regexes in the ACLs? */
if (acl_CheckRegex(classes_acl, class_name,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)),
NULL)
== true)
{
Log(LOG_LEVEL_DEBUG, "Access granted to class: %s",
class_name);
PrependItem(&matched_classes, class_name, NULL);
}
}
}
if (matched_classes == NULL)
{
Log(LOG_LEVEL_INFO,
"No allowed classes for remoteclassesmatching: %s",
client_regex);
RefuseAccess(conn, recvbuffer);
return true;
}
ReplyServerContext(conn, encrypted, matched_classes);
return true;
}
case PROTOCOL_COMMAND_QUERY:
{
char query[256], name[128];
int ret1 = sscanf(recvbuffer, "QUERY %255[^\n]", query);
int ret2 = sscanf(recvbuffer, "QUERY %127s", name);
if (ret1 != 1 || ret2 != 1)
{
goto protocol_error;
}
if (acl_CheckExact(query_acl, name,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to query: %s", query);
RefuseAccess(conn, recvbuffer);
return true;
}
if (GetServerQuery(conn, recvbuffer, encrypted))
{
return true;
}
break;
}
case PROTOCOL_COMMAND_CALL_ME_BACK:
/* Server side, handing the collect call off to cf-hub. */
if (acl_CheckExact(query_acl, "collect_calls",
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO,
"access denied to Call-Collect, check the ACL for class: collect_calls");
return false;
}
ReceiveCollectCall(conn);
/* On success that returned true; otherwise, it did all
* relevant Log()ging. Either way, we're no longer busy with
* it and our caller can close the connection: */
return false;
case PROTOCOL_COMMAND_BAD:
Log(LOG_LEVEL_WARNING, "Unexpected protocol command: %s", recvbuffer);
}
/* We should only reach this point if something went really bad, and
* close connection. In all other cases (like access denied) connection
* shouldn't be closed.
*/
protocol_error:
strcpy(sendbuffer, "BAD: Request denied");
SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
Log(LOG_LEVEL_INFO,
"Closing connection due to illegal request: %s", recvbuffer);
return false;
}
