char *filename(char *user, char *domain, char *directory, char *sizo)
{
char right[BUFF_SIZE];
char left[20];
char middle[BUFF_SIZE];
struct timeval tv;
char *p = NULL;
int i = 1;
#if HAVE_VPOPMAIL
struct vqpasswd *vret;
struct stat buf;
#endif
long int timo = time(NULL);
if (timo == -1)
return NULL;
/* Left */
sprintf(left, "%ld", timo);
/* Middle */
middle[0] = 'M';
if (gettimeofday(&tv, NULL) == -1)
return NULL;
i += sprintf(middle+1, "%ld", tv.tv_usec);
middle[i++] = 'P';
i += sprintf(middle+i, "%d", getpid());
#if HAVE_VPOPMAIL
middle[i++] = 'V';
if ((vret = vauth_getpw(user, domain)) == NULL)
return NULL;
p = calloc(strlen(vret->pw_dir) + 13 + strlen(directory) + 3, sizeof(char));
if (vret->pw_dir == NULL)
return NULL;
sprintf(p, "%s/Maildir/%s/new", vret->pw_dir, directory);
if (stat(p, &buf) == -1)
return NULL;
i += sprintf(middle+i, "%.16X", (unsigned int)buf.st_dev);
middle[i++] = 'I';
i += sprintf(middle+i, "%.16X_0", (unsigned int)buf.st_ino);
#endif
/* Right */
if (gethostname((char *)&right, BUFF_SIZE) == -1)
return NULL;
check_hostname((char *)&right);
sprintf(right, "%s,S=%s", right, sizo);
p = realloc(p, strlen(p)+strlen(left)+strlen(middle)+strlen(right));
sprintf(p, "%s/%s.%s.%s", p, left, middle, right);
return p;
}
void decrypt_file(FILE* enc_file, FILE* raw_file, unsigned char* key) {
int size = file_size(enc_file);
char* enc_buf = calloc(1, size);
fread(enc_buf, 1, size, enc_file);
if(decrypt_buffer(enc_buf, size, (char*)key, 16) != 0) {
printf("There was an error decrypting the file!\n");
return;
}
char* raw_buf = enc_buf;
file_header* header = (file_header*) raw_buf;
if(header->magic_number != MAGIC) {
printf("Invalid password!\n");
return;
}
if(!check_hostname(header)) {
printf("[#] Warning: File not encrypted by current machine.\n");
}
printf("=> Decrypted file successfully\n");
int write_size = MIN(header->file_size, size - sizeof(file_header));
fwrite(raw_buf+sizeof(file_header), 1, write_size, raw_file);
free(enc_buf);
}
static gfarm_error_t
check_hostaliases(int nhostaliases, char **hostaliases)
{
int i;
for (i = 0; i < nhostaliases; i++) {
if (check_hostname(hostaliases[i]) != GFARM_ERR_NO_ERROR)
return (APP_ERR_HOSTALIAS_IS_ALREADY_REGISERED);
}
return (GFARM_ERR_NO_ERROR);
}
int main(int argc, char *argv[]) {
int interval;
char *command;
struct in_addr *ips;
FILE *pidfd;
if (argc < 5)
usage();
interval = atoi(argv[2]);
if (interval < 1) {
fprintf(stderr, "Invalid interval %d\n", interval);
exit(3);
}
command = argv[3];
ips = calloc(argc - 4, sizeof(struct in_addr));
if (ips == NULL) {
fprintf(stderr, "calloc failed\n");
exit(2);
}
/* go into background */
if (daemon(0, 0) == -1)
exit(1);
/* write PID to file */
pidfd = fopen(argv[1], "w");
if (pidfd) {
fprintf(pidfd, "%d\n", getpid());
fclose(pidfd);
}
while (1) {
int i;
int changes = 0;
for (i = 4; i < argc; i++)
changes += check_hostname(argv[i], &ips[i-4]);
if (changes > 0)
system(command);
sleep(interval);
}
return 0;
}
/* Loop through all the common name entries until we find a match or
* an error occurs.
*/
int check_subject_cn(X509 *cert, const char *manager)
{
X509_NAME *name = NULL;
int result = VERIFY_FALSE;
int i = 0;
if ((name = X509_get_subject_name(cert))) {
while ((i = X509_NAME_get_index_by_NID(name, NID_commonName, i)) >= 0 && result == VERIFY_FALSE) {
X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, i);
result = check_hostname(X509_NAME_ENTRY_get_data(ne), manager);
}
}
return result;
}
gfarm_error_t
add_host(char *hostname, int port, char **hostaliases, char *architecture,
int ncpu, int flags)
{
int nhostaliases = gfarm_strarray_length(hostaliases);
gfarm_error_t e;
e = check_hostname(hostname);
if (e != GFARM_ERR_NO_ERROR)
return (e);
e = check_hostaliases(nhostaliases, hostaliases);
if (e != GFARM_ERR_NO_ERROR)
return (e);
return (update_host(hostname, port, nhostaliases, hostaliases,
architecture, ncpu, flags, gfm_client_host_info_set));
}
/* Loop through all the subject_alt_name entries until we find a match or
* an error occurs. Only entries containing a normal domain name or IP
* address are considered.
*/
int check_subject_alt_names(X509 *cert, const char *manager)
{
GENERAL_NAMES *names = NULL;
int result = VERIFY_FALSE;
int i = 0;
if ((names = (GENERAL_NAMES *) X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL))) {
for (i = 0; i < sk_GENERAL_NAME_num(names) && result == VERIFY_FALSE; i++) {
GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
if (name->type == GEN_DNS) {
result = check_hostname(name->d.dNSName, manager);
} else if (name->type == GEN_IPADD) {
result = check_ipaddr(name->d.iPAddress, manager);
}
}
GENERAL_NAMES_free(names);
}
return result;
}
/******************************************************************************
* NETCON_secure_connect
* Initiates a secure connection over an existing plaintext connection.
*/
BOOL NETCON_secure_connect(WININET_NETCONNECTION *connection, LPCWSTR hostname)
{
#ifdef SONAME_LIBSSL
long verify_res;
X509 *cert;
int len;
char *hostname_unix;
/* can't connect if we are already connected */
if (connection->useSSL)
{
ERR("already connected\n");
return FALSE;
}
ctx = pSSL_CTX_new(meth);
if (!pSSL_CTX_set_default_verify_paths(ctx))
{
ERR("SSL_CTX_set_default_verify_paths failed: %s\n",
pERR_error_string(pERR_get_error(), 0));
INTERNET_SetLastError(ERROR_OUTOFMEMORY);
return FALSE;
}
connection->ssl_s = pSSL_new(ctx);
if (!connection->ssl_s)
{
ERR("SSL_new failed: %s\n",
pERR_error_string(pERR_get_error(), 0));
INTERNET_SetLastError(ERROR_OUTOFMEMORY);
goto fail;
}
if (!pSSL_set_fd(connection->ssl_s, connection->socketFD))
{
ERR("SSL_set_fd failed: %s\n",
pERR_error_string(pERR_get_error(), 0));
INTERNET_SetLastError(ERROR_INTERNET_SECURITY_CHANNEL_ERROR);
goto fail;
}
if (pSSL_connect(connection->ssl_s) <= 0)
{
ERR("SSL_connect failed: %s\n",
pERR_error_string(pERR_get_error(), 0));
INTERNET_SetLastError(ERROR_INTERNET_SECURITY_CHANNEL_ERROR);
goto fail;
}
cert = pSSL_get_peer_certificate(connection->ssl_s);
if (!cert)
{
ERR("no certificate for server %s\n", debugstr_w(hostname));
/* FIXME: is this the best error? */
INTERNET_SetLastError(ERROR_INTERNET_INVALID_CA);
goto fail;
}
verify_res = pSSL_get_verify_result(connection->ssl_s);
if (verify_res != X509_V_OK)
{
ERR("couldn't verify the security of the connection, %ld\n", verify_res);
/* FIXME: we should set an error and return, but we only warn at
* the moment */
}
len = WideCharToMultiByte(CP_UNIXCP, 0, hostname, -1, NULL, 0, NULL, NULL);
hostname_unix = HeapAlloc(GetProcessHeap(), 0, len);
if (!hostname_unix)
{
INTERNET_SetLastError(ERROR_OUTOFMEMORY);
goto fail;
}
WideCharToMultiByte(CP_UNIXCP, 0, hostname, -1, hostname_unix, len, NULL, NULL);
if (!check_hostname(cert, hostname_unix))
{
HeapFree(GetProcessHeap(), 0, hostname_unix);
INTERNET_SetLastError(ERROR_INTERNET_SEC_CERT_CN_INVALID);
goto fail;
}
HeapFree(GetProcessHeap(), 0, hostname_unix);
connection->useSSL = TRUE;
return TRUE;
fail:
if (connection->ssl_s)
{
pSSL_shutdown(connection->ssl_s);
pSSL_free(connection->ssl_s);
connection->ssl_s = NULL;
}
#endif
return FALSE;
}
int
tds_ssl_init(TDSSOCKET *tds)
{
#define OPENSSL_CIPHERS \
"DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA " \
"AES256-SHA EDH-RSA-DES-CBC3-SHA " \
"EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA " \
"DES-CBC3-MD5 DHE-RSA-AES128-SHA " \
"DHE-DSS-AES128-SHA AES128-SHA RC2-CBC-MD5 RC4-SHA RC4-MD5"
SSL *con;
SSL_CTX *ctx;
BIO *b, *b2;
int ret;
const char *tls_msg;
con = NULL;
b = NULL;
b2 = NULL;
ret = 1;
tds_check_wildcard_test();
tds_ssl_deinit(tds->conn);
tls_msg = "initializing tls";
ctx = tds_init_openssl();
if (!ctx)
goto cleanup;
if (!tds_dstr_isempty(&tds->login->cafile)) {
tls_msg = "loading CA file";
if (strcasecmp(tds_dstr_cstr(&tds->login->cafile), "system") == 0)
ret = SSL_CTX_set_default_verify_paths(ctx);
else
ret = SSL_CTX_load_verify_locations(ctx, tds_dstr_cstr(&tds->login->cafile), NULL);
if (ret != 1)
goto cleanup;
if (!tds_dstr_isempty(&tds->login->crlfile)) {
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
X509_LOOKUP *lookup;
tls_msg = "loading CRL file";
if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))
|| (!X509_load_crl_file(lookup, tds_dstr_cstr(&tds->login->crlfile), X509_FILETYPE_PEM)))
goto cleanup;
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
}
/* Initialize TLS session */
tls_msg = "initializing session";
con = SSL_new(ctx);
if (!con)
goto cleanup;
tls_msg = "creating bio";
b = BIO_new(&tds_method_login);
if (!b)
goto cleanup;
b2 = BIO_new(&tds_method);
if (!b2)
goto cleanup;
b->shutdown=1;
b->init=1;
b->num= -1;
b->ptr = tds;
BIO_set_conn_hostname(b, tds_dstr_cstr(&tds->login->server_host_name));
SSL_set_bio(con, b, b);
b = NULL;
/* use priorities... */
SSL_set_cipher_list(con, OPENSSL_CIPHERS);
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
/* this disable a security improvement but allow connection... */
SSL_set_options(con, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
#endif
/* Perform the TLS handshake */
tls_msg = "handshake";
SSL_set_connect_state(con);
ret = SSL_connect(con) != 1 || con->state != SSL_ST_OK;
if (ret != 0)
goto cleanup;
/* check certificate hostname */
if (!tds_dstr_isempty(&tds->login->cafile) && tds->login->check_ssl_hostname) {
X509 *cert;
cert = SSL_get_peer_certificate(con);
tls_msg = "checking hostname";
if (!cert || !check_hostname(cert, tds_dstr_cstr(&tds->login->server_host_name)))
goto cleanup;
}
tdsdump_log(TDS_DBG_INFO1, "handshake succeeded!!\n");
b2->shutdown = 1;
b2->init = 1;
b2->num = -1;
b2->ptr = tds->conn;
SSL_set_bio(con, b2, b2);
tds->conn->tls_session = con;
tds->conn->tls_ctx = ctx;
return TDS_SUCCESS;
cleanup:
if (b2)
BIO_free(b2);
if (b)
BIO_free(b);
if (con) {
SSL_shutdown(con);
SSL_free(con);
}
SSL_CTX_free(ctx);
tdsdump_log(TDS_DBG_ERROR, "%s failed\n", tls_msg);
return TDS_FAIL;
}
