static char* pop3pushtls(Pop *pop) { int fd; uchar digest[SHA1dlen]; TLSconn conn; memset(&conn, 0, sizeof conn); // conn.trace = pop3log; fd = tlsClient(pop->fd, &conn); if(fd < 0) return "tls error"; if(conn.cert==nil || conn.certlen <= 0){ close(fd); return "server did not provide TLS certificate"; } sha1(conn.cert, conn.certlen, digest, nil); if(!pop->thumb || !okThumbprint(digest, pop->thumb)){ fmtinstall('H', encodefmt); close(fd); free(conn.cert); fprint(2, "upas/fs pop3: server certificate %.*H not recognized\n", SHA1dlen, digest); return "bad server certificate"; } free(conn.cert); close(pop->fd); pop->fd = fd; pop->encrypted = 1; Binit(&pop->bin, pop->fd, OREAD); Binit(&pop->bout, pop->fd, OWRITE); return nil; }
static int32_t _iotlsdial(va_list *arg) { char *addr, *local, *dir; int *cfdp, fd, tfd, usetls; TLSconn conn; addr = va_arg(*arg, char*); local = va_arg(*arg, char*); dir = va_arg(*arg, char*); cfdp = va_arg(*arg, int*); usetls = va_arg(*arg, int); fd = dial(addr, local, dir, cfdp); if(fd < 0) return -1; if(!usetls) return fd; memset(&conn, 0, sizeof conn); /* does no good, so far anyway */ // conn.chain = readcertchain("/sys/lib/ssl/vsignss.pem"); tfd = tlsClient(fd, &conn); close(fd); if(tfd < 0) fprint(2, "%s: tlsClient: %r\n", argv0); else { /* BUG: check cert here? */ if(conn.cert) free(conn.cert); } return tfd; }
static int starttls(Imap *imap, TLSconn *connp) { int sfd; uchar digest[SHA1dlen]; fmtinstall('H', encodefmt); memset(connp, 0, sizeof *connp); sfd = tlsClient(imap->fd, connp); if(sfd < 0) { werrstr("tlsClient: %r"); return -1; } if(connp->cert==nil || connp->certlen <= 0) { close(sfd); werrstr("server did not provide TLS certificate"); return -1; } sha1(connp->cert, connp->certlen, digest, nil); /* * don't do this any more. our local it people are rotating their * certificates faster than we can keep up. */ if(0 && (!imap->thumb || !okThumbprint(digest, imap->thumb))) { close(sfd); werrstr("server certificate %.*H not recognized", SHA1dlen, digest); return -1; } close(imap->fd); imap->fd = sfd; return sfd; }
static char * wraptls(void) { TLSconn *c; Thumbprint *goodcerts; char *h, *err; int fd; uchar hash[SHA1dlen]; goodcerts = nil; err = Giveup; c = mallocz(sizeof(*c), 1); if (c == nil) return err; fd = tlsClient(Bfildes(&bout), c); if (fd < 0) { syslog(0, "smtp", "tlsClient to %q: %r", ddomain); goto Out; } Bterm(&bout); Binit(&bout, fd, OWRITE); fd = dup(fd, Bfildes(&bin)); Bterm(&bin); Binit(&bin, fd, OREAD); goodcerts = initThumbprints(smtpthumbs, smtpexclthumbs); if (goodcerts == nil) { syslog(0, "smtp", "bad thumbprints in %s", smtpthumbs); goto Out; } /* compute sha1 hash of remote's certificate, see if we know it */ sha1(c->cert, c->certlen, hash, nil); if (!okThumbprint(hash, goodcerts)) { /* TODO? if not excluded, add hash to thumb list */ h = malloc(2*sizeof hash + 1); if (h == nil) goto Out; enc16(h, 2*sizeof hash + 1, hash, sizeof hash); syslog(0, "smtp", "remote cert. has bad thumbprint: x509 sha1=%s server=%q", h, ddomain); free(h); goto Out; } syslog(0, "smtp", "started TLS to %q", ddomain); err = nil; Out: if(goodcerts != nil) freeThumbprints(goodcerts); free(c->cert); free(c->sessionID); free(c); return err; }
int dotls(int fd) { TLSconn conn; if((fd=tlsClient(fd, &conn)) < 0) sysfatal("tlsclient: %r"); if(conn.cert != nil) free(conn.cert); return fd; }
/* * connect to remote server, default network is "tcp/ip" */ void hello(char *dest) { char *p; char dir[Maxpath]; TLSconn conn; Binit(&stdin, 0, OREAD); /* init for later use */ ctlfd = dial(netmkaddr(dest, "tcp", "ftp"), 0, dir, 0); if(ctlfd < 0){ fprint(2, "can't dial %s: %r\n", dest); exits("dialing"); } Binit(&ctlin, ctlfd, OREAD); /* remember network for the data connections */ p = strrchr(dir+1, '/'); if(p == 0) fatal("wrong dial(2) linked with ftp"); *p = 0; safecpy(net, dir, sizeof(net)); /* wait for hello from other side */ if(getreply(&ctlin, msg, sizeof(msg), 1) != Success) fatal("bad hello"); if(strstr(msg, "Plan 9")) os = Plan9; if(usetls){ sendrequest("AUTH", "TLS"); if(getreply(&ctlin, msg, sizeof(msg), 1) != Success) fatal("bad auth tls"); ctlfd = tlsClient(ctlfd, &conn); if(ctlfd < 0) fatal("starting tls: %r"); free(conn.cert); Binit(&ctlin, ctlfd, OREAD); sendrequest("PBSZ", "0"); if(getreply(&ctlin, msg, sizeof(msg), 1) != Success) fatal("bad pbsz 0"); sendrequest("PROT", "P"); if(getreply(&ctlin, msg, sizeof(msg), 1) != Success) fatal("bad prot p"); } }
/* * have server call back for a data connection */ static int active(int mode, Biobuf **bpp, char *cmda, char *cmdb) { int cfd, dfd, rv; char newdir[Maxpath]; char datafile[Maxpath + 6]; TLSconn conn; if(port() < 0) return TempFail; sendrequest(cmda, cmdb); rv = getreply(&ctlin, msg, sizeof(msg), 0); if(rv != Extra){ close(listenfd); return rv; } /* wait for a new call */ cfd = listen(netdir, newdir); if(cfd < 0) fatal("waiting for data connection"); close(listenfd); /* open it's data connection and close the control connection */ sprint(datafile, "%s/data", newdir); dfd = open(datafile, ORDWR); close(cfd); if(dfd < 0) fatal("opening data connection"); if(usetls){ memset(&conn, 0, sizeof(conn)); dfd = tlsClient(dfd, &conn); if(dfd < 0) fatal("starting tls: %r"); free(conn.cert); } Binit(&dbuf, dfd, mode); *bpp = &dbuf; return Extra; }
/* * exchange names with remote host, attempt to * enable encryption and optionally authenticate. * not fatal if we can't. */ static char * dotls(char *me) { TLSconn *c; char *err; int fd; c = mallocz(sizeof(*c), 1); /* Note: not freed on success */ if (c == nil) return Giveup; dBprint("STARTTLS\r\n"); if (getreply() != 2) return Giveup; fd = tlsClient(Bfildes(&bout), c); if (fd < 0) { syslog(0, "smtp", "tlsClient to %q: %r", ddomain); return Giveup; } err = ckthumbs(c); if (err && !okunksecure) { free(c); close(fd); return err; /* how to recover? TLS is started */ } Bterm(&bin); Bterm(&bout); /* * set up bin & bout to use the TLS fd, i/o upon which generates * i/o on the original, underlying fd. */ Binit(&bin, fd, OREAD); fd = dup(fd, -1); Binit(&bout, fd, OWRITE); syslog(0, "smtp", "started TLS to %q", ddomain); return(hello(me, 1)); }
/* * call out for a data connection */ static int passive(int mode, Biobuf **bpp, char *cmda, char *cmdb) { char msg[1024]; char ds[1024]; char *f[6]; char *p; int x, fd; TLSconn conn; if(nopassive) return Impossible; sendrequest("PASV", nil); if(getreply(&ctlin, msg, sizeof(msg), 0) != Success){ nopassive = 1; return Impossible; } /* get address and port number from reply, this is AI */ p = strchr(msg, '('); if(p == 0){ for(p = msg+3; *p; p++) if(isdigit(*p)) break; } else p++; if(getfields(p, f, 6, 0, ",") < 6){ if(debug) fprint(2, "passive mode protocol botch: %s\n", msg); werrstr("ftp protocol botch"); nopassive = 1; return Impossible; } snprint(ds, sizeof(ds), "%s!%s.%s.%s.%s!%d", net, f[0], f[1], f[2], f[3], ((atoi(f[4])&0xff)<<8) + (atoi(f[5])&0xff)); /* open data connection */ fd = dial(ds, 0, 0, 0); if(fd < 0){ if(debug) fprint(2, "passive mode connect to %s failed: %r\n", ds); nopassive = 1; return TempFail; } /* tell remote to send a file */ sendrequest(cmda, cmdb); x = getreply(&ctlin, msg, sizeof(msg), 0); if(x != Extra){ close(fd); if(debug) fprint(2, "passive mode retrieve failed: %s\n", msg); werrstr(msg); return x; } if(usetls){ memset(&conn, 0, sizeof(conn)); fd = tlsClient(fd, &conn); if(fd < 0) fatal("starting tls: %r"); free(conn.cert); } Binit(&dbuf, fd, mode); *bpp = &dbuf; return Extra; }
void main(int argc, char **argv) { int p, fd, dfd, cfd, shared; char *keypattern, *addr; Point d; TLSconn conn; keypattern = nil; shared = 0; ARGBEGIN{ case 'c': bpp12 = 1; break; case 'e': encodings = EARGF(usage()); break; case 's': shared = 1; break; case 't': tls = 1; break; case 'v': verbose = 1; break; case 'k': keypattern = EARGF(usage()); break; default: usage(); }ARGEND; if(argc != 1) usage(); addr = netmkvncaddr(argv[0]); serveraddr = argv[0]; dfd = dial(addr, nil, nil, &cfd); if(dfd < 0) sysfatal("cannot dial %s: %r", addr); if(tls){ dfd = tlsClient(dfd, &conn); if(dfd < 0) sysfatal("tlsClient: %r"); /* XXX check thumbprint */ } vnc = vncinit(dfd, cfd, nil); if(vnchandshake(vnc) < 0) sysfatal("handshake failure: %r"); if(vncauth(vnc, keypattern) < 0) sysfatal("authentication failure: %r"); if(vncstart(vnc, shared) < 0) sysfatal("init failure: %r"); initdraw(0, 0, "vncv"); display->locking = 1; unlockdisplay(display); d = addpt(vnc->dim, Pt(2*Borderwidth, 2*Borderwidth)); if(verbose) fprint(2, "screen size %P, desktop size %P\n", display->image->r.max, d); choosecolor(vnc); sendencodings(vnc); initmouse(); rfork(RFREND); atexit(shutdown); pids[0] = getpid(); switch(p = rfork(RFPROC|RFMEM)){ case -1: sysfatal("rfork: %r"); default: break; case 0: atexit(shutdown); readfromserver(vnc); exits(nil); } pids[1] = p; switch(p = rfork(RFPROC|RFMEM)){ case -1: sysfatal("rfork: %r"); default: break; case 0: atexit(shutdown); checksnarf(vnc); exits(nil); } pids[2] = p; fd = open("/dev/label", OWRITE); if(fd >= 0){ fprint(fd, "vnc %s", serveraddr); close(fd); } if(access("/dev/snarf", AEXIST) >= 0){ switch(p = rfork(RFPROC|RFMEM)){ case -1: sysfatal("rfork: %r"); default: break; case 0: atexit(shutdown); readkbd(vnc); exits(nil); } } pids[3] = p; readmouse(vnc); exits(nil); }
void keepRegistered(const std::string& sedType, const ExecConfiguration& config, const std::string& sedUri, boost::shared_ptr<SeD> server){ std::vector<std::string> services = server.get()->getServices(); int timeout = vishnu::DEFAUT_TIMEOUT; config.getConfigValue<int>(vishnu::TIMEOUT, timeout); std::string dispUri; config.getRequiredConfigValue<std::string>(vishnu::DISP_URISUBS, dispUri); boost::shared_ptr<Server> srv = boost::make_shared<Server>(sedType, services, sedUri); std::string requestData = "1" + srv.get()->toString(); /* prefixed with 1 to say registering request */ std::string response; bool useSsl = false; bool connected(false); while (true){ if (config.getConfigValue<bool>(vishnu::USE_SSL, useSsl) && useSsl) { std::string host; int port; host = vishnu::getHostFromUri(dispUri); port = vishnu::getPortFromUri(dispUri); /* Get TLS trust store if set */ std::string cafile; config.getConfigValue<std::string>(vishnu::SSL_CA, cafile); /* Logging */ /* Now create a TLS client and go ahead */ TlsClient tlsClient(host, port, cafile); requestData.append("\n\n"); /* required for the internal protocol */ if (tlsClient.send(requestData) == 0) { response = tlsClient.recv(); if (response == "OK\n") { // \n at the end because it's in response see sslhelpers.cpp, \n is added at end of message if (!connected) { LOG("[INFO] Registered in dispatcher", LogInfo); } connected = true; } else { connected = false; LOG("[WARN] Not registered in dispatcher", LogInfo); } } } else { zmq::context_t ctx(1); LazyPirateClient lpc(ctx, dispUri, timeout); lpc.send(requestData); response = lpc.recv(); if (response == "OK") { if (!connected) { LOG("[INFO] Registered in dispatcher", LogInfo); } connected = true; } else { connected = false; LOG("[WARN] Not registered in dispatcher", LogInfo); } } sleep(timeout); } }