static struct sockaddr *get_socket_peer_address(int fd, struct error *err)
{
struct sockaddr_storage ss;
socklen_t len = sizeof ss;
if (getpeername(fd, (struct sockaddr *)&ss, &len) >= 0)
return copy_sockaddr(&ss, len, err);
error_errno(err, "getpeername");
return NULL;
}
/*
* Setup to handle new incoming connections
*/
static void
krb5_accept(
const struct security_driver *driver,
char *(*conf_fn)(char *, void *),
int in,
int out,
void (*fn)(security_handle_t *, pkt_t *),
void *datap)
{
sockaddr_union sin;
socklen_t_equiv len;
struct tcp_conn *rc;
char hostname[NI_MAXHOST];
int result;
char *errmsg = NULL;
krb5_init();
len = sizeof(sin);
if (getpeername(in, (struct sockaddr *)&sin, &len) < 0) {
dbprintf(_("getpeername returned: %s\n"),
strerror(errno));
return;
}
if ((result = getnameinfo((struct sockaddr *)&sin, len,
hostname, NI_MAXHOST, NULL, 0, 0) != 0)) {
dbprintf(_("getnameinfo failed: %s\n"),
gai_strerror(result));
return;
}
if (check_name_give_sockaddr(hostname,
(struct sockaddr *)&sin, &errmsg) < 0) {
dbprintf(_("check_name_give_sockaddr(%s): %s\n"),
hostname, errmsg);
amfree(errmsg);
return;
}
rc = sec_tcp_conn_get(hostname, 0);
rc->conf_fn = conf_fn;
rc->datap = datap;
rc->recv_security_ok = NULL;
rc->prefix_packet = NULL;
copy_sockaddr(&rc->peer, &sin);
rc->read = in;
rc->write = out;
rc->driver = driver;
if (gss_server(rc) < 0)
error("gss_server failed: %s\n", rc->errmsg);
rc->accept_fn = fn;
sec_tcp_conn_read(rc);
}
static int
do_directtcp_connect(
XferElementGlue *self,
DirectTCPAddr *addrs)
{
XferElement *elt = XFER_ELEMENT(self);
sockaddr_union addr;
int sock;
#ifdef WORKING_IPV6
char strsockaddr[INET6_ADDRSTRLEN + 20];
#else
char strsockaddr[INET_ADDRSTRLEN + 20];
#endif
if (!addrs) {
g_debug("element-glue got no directtcp addresses to connect to!");
if (!elt->cancelled) {
xfer_cancel_with_error(elt,
"%s got no directtcp addresses to connect to",
xfer_element_repr(elt));
}
goto cancel_wait;
}
/* set up the sockaddr -- IPv4 only */
copy_sockaddr(&addr, addrs);
str_sockaddr_r(&addr, strsockaddr, sizeof(strsockaddr));
if (strncmp(strsockaddr,"255.255.255.255:", 16) == 0) {
char buffer[32770];
char *s;
int size;
char *data_host;
int data_port;
g_debug("do_directtcp_connect making indirect data connection to %s",
strsockaddr);
data_port = SU_GET_PORT(&addr);
sock = stream_client(NULL, "localhost", data_port,
STREAM_BUFSIZE, 0, NULL, 0);
if (sock < 0) {
xfer_cancel_with_error(elt, "stream_client(): %s", strerror(errno));
goto cancel_wait;
}
size = full_read(sock, buffer, 32768);
if (size < 0 ) {
xfer_cancel_with_error(elt, "failed to read from indirecttcp: %s",
strerror(errno));
goto cancel_wait;
}
close(sock);
buffer[size++] = ' ';
buffer[size] = '\0';
if ((s = strchr(buffer, ':')) == NULL) {
xfer_cancel_with_error(elt,
"Failed to parse indirect data stream: %s",
buffer);
goto cancel_wait;
}
*s++ = '\0';
data_host = buffer;
data_port = atoi(s);
str_to_sockaddr(data_host, &addr);
SU_SET_PORT(&addr, data_port);
str_sockaddr_r(&addr, strsockaddr, sizeof(strsockaddr));
}
sock = socket(SU_GET_FAMILY(&addr), SOCK_STREAM, 0);
g_debug("do_directtcp_connect making data connection to %s", strsockaddr);
if (sock < 0) {
xfer_cancel_with_error(elt,
"socket(): %s", strerror(errno));
goto cancel_wait;
}
if (connect(sock, (struct sockaddr *)&addr, SS_LEN(&addr)) < 0) {
xfer_cancel_with_error(elt,
"connect(): %s", strerror(errno));
close(sock);
goto cancel_wait;
}
g_debug("do_directtcp_connect: connected to %s, fd %d", strsockaddr, sock);
return sock;
cancel_wait:
wait_until_xfer_cancelled(elt->xfer);
return -1;
}
static gboolean
do_directtcp_listen(
XferElement *elt,
int *sockp,
DirectTCPAddr **addrsp)
{
int sock;
sockaddr_union data_addr;
DirectTCPAddr *addrs;
socklen_t len;
struct addrinfo *res;
struct addrinfo *res_addr;
sockaddr_union *addr = NULL;
if (resolve_hostname("localhost", 0, &res, NULL) != 0) {
xfer_cancel_with_error(elt, "resolve_hostname(): %s", strerror(errno));
return FALSE;
}
for (res_addr = res; res_addr != NULL; res_addr = res_addr->ai_next) {
if (res_addr->ai_family == AF_INET) {
addr = (sockaddr_union *)res_addr->ai_addr;
break;
}
}
if (!addr) {
addr = (sockaddr_union *)res->ai_addr;
}
sock = *sockp = socket(SU_GET_FAMILY(addr), SOCK_STREAM, 0);
if (sock < 0) {
xfer_cancel_with_error(elt, "socket(): %s", strerror(errno));
freeaddrinfo(res);
return FALSE;
}
len = SS_LEN(addr);
if (bind(sock, (struct sockaddr *)addr, len) != 0) {
xfer_cancel_with_error(elt, "bind(): %s", strerror(errno));
freeaddrinfo(res);
close(sock);
*sockp = -1;
return FALSE;
}
if (listen(sock, 1) < 0) {
xfer_cancel_with_error(elt, "listen(): %s", strerror(errno));
freeaddrinfo(res);
close(sock);
*sockp = -1;
return FALSE;
}
/* TODO: which addresses should this display? all ifaces? localhost? */
len = sizeof(data_addr);
if (getsockname(sock, (struct sockaddr *)&data_addr, &len) < 0)
error("getsockname(): %s", strerror(errno));
addrs = g_new0(DirectTCPAddr, 2);
copy_sockaddr(&addrs[0], &data_addr);
*addrsp = addrs;
freeaddrinfo(res);
return TRUE;
}
static int
stream_client_internal(
const char *hostname,
in_port_t port,
size_t sendsize,
size_t recvsize,
in_port_t *localport,
int nonblock,
int priv)
{
sockaddr_union svaddr, claddr;
int save_errno = 0;
int client_socket = 0;
int *portrange = NULL;
int result;
struct addrinfo *res, *res_addr;
result = resolve_hostname(hostname, SOCK_STREAM, &res, NULL);
if(result != 0) {
g_debug(_("resolve_hostname(%s): %s"), hostname, gai_strerror(result));
errno = EHOSTUNREACH;
return -1;
}
if(!res) {
g_debug(_("resolve_hostname(%s): no results"), hostname);
errno = EHOSTUNREACH;
return -1;
}
for (res_addr = res; res_addr != NULL; res_addr = res_addr->ai_next) {
/* copy the first (preferred) address we found */
copy_sockaddr(&svaddr, (sockaddr_union *)res_addr->ai_addr);
SU_SET_PORT(&svaddr, port);
SU_INIT(&claddr, SU_GET_FAMILY(&svaddr));
SU_SET_INADDR_ANY(&claddr);
/*
* If a privileged port range was requested, we try to get a port in
* that range first and fail if it is not available. Next, we try
* to get a port in the range built in when Amanda was configured.
* If that fails, we just go for any port.
*
* It is up to the caller to make sure we have the proper permissions
* to get the desired port, and to make sure we return a port that
* is within the range it requires.
*/
if (priv) {
portrange = getconf_intrange(CNF_RESERVED_TCP_PORT);
} else {
portrange = getconf_intrange(CNF_UNRESERVED_TCP_PORT);
}
client_socket = connect_portrange(&claddr, (in_port_t)portrange[0],
(in_port_t)portrange[1],
"tcp", &svaddr, nonblock);
save_errno = errno;
if (client_socket > 0)
break;
}
freeaddrinfo(res);
if (client_socket > 0)
goto out;
g_debug(_("stream_client: Could not bind to port in range %d-%d."),
portrange[0], portrange[1]);
errno = save_errno;
return -1;
out:
try_socksize(client_socket, SO_SNDBUF, sendsize);
try_socksize(client_socket, SO_RCVBUF, recvsize);
if (localport != NULL)
*localport = SU_GET_PORT(&claddr);
return client_socket;
}
/*
* Open a ssl connection to the host listed in rc->hostname
* Returns negative on error, with an errmsg in rc->errmsg.
*/
static int
runssl(
struct sec_handle * rh,
in_port_t port,
char *src_ip,
char *ssl_fingerprint_file,
char *ssl_cert_file,
char *ssl_key_file,
char *ssl_ca_cert_file,
char *ssl_cipher_list,
int ssl_check_certificate_host)
{
int my_socket;
in_port_t my_port;
struct tcp_conn *rc = rh->rc;
int err;
X509 *remote_cert;
sockaddr_union sin;
socklen_t_equiv len;
if (!ssl_key_file) {
security_seterror(&rh->sech, _("ssl-key-file must be set"));
return -1;
}
if (!ssl_cert_file) {
security_seterror(&rh->sech, _("ssl-cert-file must be set"));
return -1;
}
my_socket = stream_client(src_ip,
rc->hostname,
port,
STREAM_BUFSIZE,
STREAM_BUFSIZE,
&my_port,
0);
if(my_socket < 0) {
security_seterror(&rh->sech,
"%s", strerror(errno));
return -1;
}
rc->read = rc->write = my_socket;
len = sizeof(sin);
if (getpeername(my_socket, (struct sockaddr *)&sin, &len) < 0) {
security_seterror(&rh->sech, _("getpeername returned: %s\n"), strerror(errno));
return -1;
}
copy_sockaddr(&rc->peer, &sin);
init_ssl();
/* Create an SSL_CTX structure */
rc->ctx = SSL_CTX_new(SSLv3_client_method());
if (!rc->ctx) {
security_seterror(&rh->sech, "%s",
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
SSL_CTX_set_mode(rc->ctx, SSL_MODE_AUTO_RETRY);
if (ssl_cipher_list) {
g_debug("Set ssl_cipher_list to %s", ssl_cipher_list);
if (SSL_CTX_set_cipher_list(rc->ctx, ssl_cipher_list) == 0) {
security_seterror(&rh->sech, "%s",
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
}
/* Load the private-key corresponding to the remote certificate */
g_debug("Loading ssl-key-file private-key %s", ssl_key_file);
if (SSL_CTX_use_PrivateKey_file(rc->ctx, ssl_key_file,
SSL_FILETYPE_PEM) <= 0) {
security_seterror(&rh->sech, "%s",
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
/* Load the me certificate into the SSL_CTX structure */
g_debug("Loading ssl-cert-file certificate %s", ssl_cert_file);
if (SSL_CTX_use_certificate_file(rc->ctx, ssl_cert_file,
SSL_FILETYPE_PEM) <= 0) {
security_seterror(&rh->sech, "%s",
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
/* Check if the remote certificate and private-key matches */
if (ssl_cert_file) {
if (!SSL_CTX_check_private_key(rc->ctx)) {
security_seterror(&rh->sech,
_("Private key does not match the certificate public key"));
return -1;
}
}
if (ssl_ca_cert_file) {
/* Load the RSA CA certificate into the SSL_CTX structure */
/* This will allow this remote to verify the me's */
/* certificate. */
g_debug("Loading ssl-ca-cert-file ca %s", ssl_ca_cert_file);
if (!SSL_CTX_load_verify_locations(rc->ctx, ssl_ca_cert_file, NULL)) {
security_seterror(&rh->sech, "%s",
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
} else {
g_debug(_("no ssl-ca-cert-file defined"));
}
/* Set flag in context to require peer (me) certificate */
/* verification */
if (ssl_ca_cert_file) {
g_debug("Enabling certification verification");
SSL_CTX_set_verify(rc->ctx, SSL_VERIFY_PEER, NULL);
SSL_CTX_set_verify_depth(rc->ctx, 1);
} else {
g_debug("Not enabling certification verification");
}
/* ----------------------------------------------- */
rc->ssl = SSL_new(rc->ctx);
if (!rc->ssl) {
security_seterror(&rh->sech, _("SSL_new failed: %s"),
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
SSL_set_connect_state(rc->ssl);
/* Assign the socket into the SSL structure (SSL and socket without BIO) */
SSL_set_fd(rc->ssl, my_socket);
/* Perform SSL Handshake on the SSL remote */
err = SSL_connect(rc->ssl);
if (err == -1) {
security_seterror(&rh->sech, _("SSL_connect failed: %s"),
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
/* Get the me's certificate (optional) */
remote_cert = SSL_get_peer_certificate(rc->ssl);
if (remote_cert == NULL) {
security_seterror(&rh->sech, _("server have no certificate"));
return -1;
} else {
char *str;
str = X509_NAME_oneline(X509_get_subject_name(remote_cert), 0, 0);
auth_debug(1, _("\t subject: %s\n"), str);
amfree (str);
str = X509_NAME_oneline(X509_get_issuer_name(remote_cert), 0, 0);
auth_debug(1, _("\t issuer: %s\n"), str);
amfree(str);
if (ssl_check_certificate_host) {
int loc = -1;
char *errmsg = NULL;
X509_NAME *x509_name = X509_get_subject_name(remote_cert);
loc = X509_NAME_get_index_by_NID(x509_name, NID_commonName, loc);
if (loc != -1) {
X509_NAME_ENTRY *x509_entry = X509_NAME_get_entry(x509_name, loc);
ASN1_STRING *asn1_string = X509_NAME_ENTRY_get_data(x509_entry);
char *cert_hostname = (char *)ASN1_STRING_data(asn1_string);
auth_debug(1, "common_name: %s\n", cert_hostname);
if (check_name_give_sockaddr((char*)cert_hostname,
(struct sockaddr *)&rc->peer, &errmsg) < 0) {
security_seterror(&rh->sech,
_("Common name of certicate (%s) doesn't resolv to IP (%s): %s"),
cert_hostname, str_sockaddr(&rc->peer), errmsg);
amfree(errmsg);
return -1;
}
auth_debug(1,
_("Certificate common name (%s) resolve to IP (%s)\n"),
cert_hostname, str_sockaddr(&rc->peer));
} else {
security_seterror(&rh->sech,
_("Certificate have no common name"));
g_debug("Certificate have no common name");
return -1;
}
}
/*
if (ssl_dir) {
if (!ssl_fingerprint_file || ssl_fingerprint_file == '\0') {
struct stat statbuf;
ssl_fingerprint_file = g_strdup_printf("%s/remote/%s/fingerprint", ssl_dir, cert_hostname);
if (stat(ssl_fingerprint_file, &statbuf) == -1) {
g_free(ssl_fingerprint_file);
ssl_fingerprint_file = NULL;
}
}
}
*/
if (ssl_fingerprint_file) {
g_debug(_("run_ssl: Loading ssl-fingerprint-file %s"), ssl_fingerprint_file);
str = validate_fingerprints(remote_cert, ssl_fingerprint_file);
if (str) {
security_seterror(&rh->sech, "%s", str);
amfree(str);
return -1;
}
}
X509_free (remote_cert);
}
g_debug(_("SSL_cipher: %s"), SSL_get_cipher(rc->ssl));
return 0;
}
/*
* Setup to handle new incoming connections
*/
static void
ssl_accept(
const struct security_driver *driver,
char * (*conf_fn)(char *, void *),
int in,
int out,
void (*fn)(security_handle_t *, pkt_t *),
void *datap)
{
sockaddr_union sin;
socklen_t_equiv len = sizeof(struct sockaddr);
struct tcp_conn *rc;
char hostname[NI_MAXHOST];
int result;
char *errmsg = NULL;
int err;
X509 *remote_cert;
char *str;
X509_NAME *x509_name;
char *cert_hostname;
SSL_CTX *ctx;
SSL *ssl;
int loc;
char *ssl_dir = getconf_str(CNF_SSL_DIR);
char *ssl_fingerprint_file = conf_fn("ssl_fingerprint_file", datap);
char *ssl_cert_file = conf_fn("ssl_cert_file", datap);
char *ssl_key_file = conf_fn("ssl_key_file", datap);
char *ssl_ca_cert_file = conf_fn("ssl_ca_cert_file", datap);
char *ssl_cipher_list = conf_fn("ssl_cipher_list", datap);
int ssl_check_host = atoi(conf_fn("ssl_check_host", datap));
int ssl_check_certificate_host = atoi(conf_fn("ssl_check_certificate_host", datap));
if (getpeername(in, (struct sockaddr *)&sin, &len) < 0) {
g_debug(_("getpeername returned: %s"), strerror(errno));
return;
}
if ((result = getnameinfo((struct sockaddr *)&sin, len,
hostname, NI_MAXHOST, NULL, 0, 0) != 0)) {
g_debug(_("getnameinfo failed: %s"),
gai_strerror(result));
return;
}
if (ssl_check_host && check_name_give_sockaddr(hostname,
(struct sockaddr *)&sin, &errmsg) < 0) {
amfree(errmsg);
return;
}
if (ssl_dir) {
if (!ssl_cert_file || ssl_cert_file == '\0') {
ssl_cert_file = g_strdup_printf("%s/me/crt.pem", ssl_dir);
}
if (!ssl_key_file || ssl_key_file == '\0') {
ssl_key_file = g_strdup_printf("%s/me/private/key.pem", ssl_dir);
}
if (!ssl_ca_cert_file || ssl_ca_cert_file == '\0') {
ssl_ca_cert_file = g_strdup_printf("%s/CA/crt.pem", ssl_dir);
}
}
if (!ssl_cert_file) {
g_debug(_("ssl-cert-file must be set in amanda-remote.conf"));
return;
}
if (!ssl_key_file) {
g_debug(_("ssl-key-file must be set in amanda-remote.conf"));
return;
}
if (!ssl_ca_cert_file) {
g_debug(_("ssl_ca_cert_file must be set in amanda-remote.conf"));
return;
}
len = sizeof(sin);
init_ssl();
/* Create a SSL_CTX structure */
ctx = SSL_CTX_new(SSLv3_server_method());
if (!ctx) {
g_debug(_("SSL_CTX_new failed: %s"),
ERR_error_string(ERR_get_error(), NULL));
return;
}
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
if (ssl_cipher_list) {
g_debug("Set ssl_cipher_list to %s", ssl_cipher_list);
if (SSL_CTX_set_cipher_list(ctx, ssl_cipher_list) == 0) {
g_debug(_("SSL_CTX_set_cipher_list failed: %s"),
ERR_error_string(ERR_get_error(), NULL));
return;
}
}
/* Load the me certificate into the SSL_CTX structure */
g_debug(_("Loading ssl-cert-file certificate %s"), ssl_cert_file);
if (SSL_CTX_use_certificate_file(ctx, ssl_cert_file,
SSL_FILETYPE_PEM) <= 0) {
g_debug(_("Load ssl-cert-file failed: %s"),
ERR_error_string(ERR_get_error(), NULL));
return;
}
/* Load the private-key corresponding to the me certificate */
g_debug(_("Loading ssl-key-file private-key %s"), ssl_key_file);
if (SSL_CTX_use_PrivateKey_file(ctx, ssl_key_file,
SSL_FILETYPE_PEM) <= 0) {
g_debug(_("Load ssl-key-file failed: %s"),
ERR_error_string(ERR_get_error(), NULL));
return;
}
if (ssl_ca_cert_file) {
/* Load the RSA CA certificate into the SSL_CTX structure */
g_debug(_("Loading ssl-ca-cert-file ca certificate %s"),
ssl_ca_cert_file);
if (!SSL_CTX_load_verify_locations(ctx, ssl_ca_cert_file, NULL)) {
g_debug(_("Load ssl-ca-cert-file failed: %s"),
ERR_error_string(ERR_get_error(), NULL));
return;
}
/* Set to require peer (remote) certificate verification */
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
/* Set the verification depth to 1 */
SSL_CTX_set_verify_depth(ctx,1);
}
ssl = SSL_new(ctx);
if (!ssl) {
g_debug(_("SSL_new failed: %s"),
ERR_error_string(ERR_get_error(), NULL));
return;
}
SSL_set_accept_state(ssl);
/* Assign the socket into the SSL structure (SSL and socket without BIO) */
SSL_set_fd(ssl, in);
/* Perform SSL Handshake on the SSL me */
err = SSL_accept(ssl);
if (err == -1) {
g_debug(_("SSL_accept failed: %s"),
ERR_error_string(ERR_get_error(), NULL));
return;
}
/* Get the me's certificate (optional) */
remote_cert = SSL_get_peer_certificate (ssl);
if (remote_cert == NULL) {
g_debug(_("remote doesn't sent a certificate"));
return;
}
x509_name = X509_get_subject_name(remote_cert);
str = X509_NAME_oneline(X509_get_subject_name(remote_cert), 0, 0);
auth_debug(1, _("\t subject: %s\n"), str);
amfree (str);
str = X509_NAME_oneline(X509_get_issuer_name(remote_cert), 0, 0);
auth_debug(1, _("\t issuer: %s\n"), str);
amfree(str);
loc = -1;
loc = X509_NAME_get_index_by_NID(x509_name, NID_commonName, loc);
if (loc != -1) {
X509_NAME_ENTRY *x509_entry = X509_NAME_get_entry(x509_name, loc);
ASN1_STRING *asn1_string = X509_NAME_ENTRY_get_data(x509_entry);
cert_hostname = (char *)ASN1_STRING_data(asn1_string);
auth_debug(1, "common_name: %s\n", cert_hostname);
if (ssl_check_certificate_host &&
check_name_give_sockaddr((char*)cert_hostname,
(struct sockaddr *)&sin, &errmsg) < 0) {
g_debug("Common name of certicate (%s) doesn't resolv to IP (%s)", cert_hostname, str_sockaddr(&sin));
amfree(errmsg);
X509_free(remote_cert);
return;
}
} else {
g_debug("Certificate have no common name");
X509_free(remote_cert);
return;
}
if (ssl_dir) {
if (!ssl_fingerprint_file || ssl_fingerprint_file == '\0') {
struct stat statbuf;
ssl_fingerprint_file = g_strdup_printf("%s/remote/%s/fingerprint", ssl_dir, cert_hostname);
if (stat(ssl_fingerprint_file, &statbuf) == -1) {
g_free(ssl_fingerprint_file);
ssl_fingerprint_file = NULL;
}
}
}
if (ssl_fingerprint_file) {
g_debug(_("Loading ssl-fingerprint-file %s"), ssl_fingerprint_file);
str = validate_fingerprints(remote_cert, ssl_fingerprint_file);
if (str) {
g_debug("%s", str);
amfree(str);
X509_free(remote_cert);
return;
}
}
X509_free(remote_cert);
rc = sec_tcp_conn_get(hostname, 0);
rc->recv_security_ok = &bsd_recv_security_ok;
rc->prefix_packet = &bsd_prefix_packet;
rc->need_priv_port = 0;
copy_sockaddr(&rc->peer, &sin);
rc->read = in;
rc->write = out;
rc->accept_fn = fn;
rc->driver = driver;
rc->conf_fn = conf_fn;
rc->datap = datap;
rc->ctx = ctx;
rc->ssl = ssl;
strncpy(rc->hostname, cert_hostname, sizeof(rc->hostname)-1);
g_debug(_("SSL_cipher: %s"), SSL_get_cipher(rc->ssl));
sec_tcp_conn_read(rc);
}
