static char*
pop3pushtls(Pop *pop)
{
int fd;
uchar digest[SHA1dlen];
TLSconn conn;
memset(&conn, 0, sizeof conn);
// conn.trace = pop3log;
fd = tlsClient(pop->fd, &conn);
if(fd < 0)
return "tls error";
if(conn.cert==nil || conn.certlen <= 0){
close(fd);
return "server did not provide TLS certificate";
}
sha1(conn.cert, conn.certlen, digest, nil);
if(!pop->thumb || !okThumbprint(digest, pop->thumb)){
fmtinstall('H', encodefmt);
close(fd);
free(conn.cert);
fprint(2, "upas/fs pop3: server certificate %.*H not recognized\n", SHA1dlen, digest);
return "bad server certificate";
}
free(conn.cert);
close(pop->fd);
pop->fd = fd;
pop->encrypted = 1;
Binit(&pop->bin, pop->fd, OREAD);
Binit(&pop->bout, pop->fd, OWRITE);
return nil;
}
static int32_t
_iotlsdial(va_list *arg)
{
char *addr, *local, *dir;
int *cfdp, fd, tfd, usetls;
TLSconn conn;
addr = va_arg(*arg, char*);
local = va_arg(*arg, char*);
dir = va_arg(*arg, char*);
cfdp = va_arg(*arg, int*);
usetls = va_arg(*arg, int);
fd = dial(addr, local, dir, cfdp);
if(fd < 0)
return -1;
if(!usetls)
return fd;
memset(&conn, 0, sizeof conn);
/* does no good, so far anyway */
// conn.chain = readcertchain("/sys/lib/ssl/vsignss.pem");
tfd = tlsClient(fd, &conn);
close(fd);
if(tfd < 0)
fprint(2, "%s: tlsClient: %r\n", argv0);
else {
/* BUG: check cert here? */
if(conn.cert)
free(conn.cert);
}
return tfd;
}
static int
starttls(Imap *imap, TLSconn *connp)
{
int sfd;
uchar digest[SHA1dlen];
fmtinstall('H', encodefmt);
memset(connp, 0, sizeof *connp);
sfd = tlsClient(imap->fd, connp);
if(sfd < 0) {
werrstr("tlsClient: %r");
return -1;
}
if(connp->cert==nil || connp->certlen <= 0) {
close(sfd);
werrstr("server did not provide TLS certificate");
return -1;
}
sha1(connp->cert, connp->certlen, digest, nil);
/*
* don't do this any more. our local it people are rotating their
* certificates faster than we can keep up.
*/
if(0 && (!imap->thumb || !okThumbprint(digest, imap->thumb))) {
close(sfd);
werrstr("server certificate %.*H not recognized",
SHA1dlen, digest);
return -1;
}
close(imap->fd);
imap->fd = sfd;
return sfd;
}
static char *
wraptls(void)
{
TLSconn *c;
Thumbprint *goodcerts;
char *h, *err;
int fd;
uchar hash[SHA1dlen];
goodcerts = nil;
err = Giveup;
c = mallocz(sizeof(*c), 1);
if (c == nil)
return err;
fd = tlsClient(Bfildes(&bout), c);
if (fd < 0) {
syslog(0, "smtp", "tlsClient to %q: %r", ddomain);
goto Out;
}
Bterm(&bout);
Binit(&bout, fd, OWRITE);
fd = dup(fd, Bfildes(&bin));
Bterm(&bin);
Binit(&bin, fd, OREAD);
goodcerts = initThumbprints(smtpthumbs, smtpexclthumbs);
if (goodcerts == nil) {
syslog(0, "smtp", "bad thumbprints in %s", smtpthumbs);
goto Out;
}
/* compute sha1 hash of remote's certificate, see if we know it */
sha1(c->cert, c->certlen, hash, nil);
if (!okThumbprint(hash, goodcerts)) {
/* TODO? if not excluded, add hash to thumb list */
h = malloc(2*sizeof hash + 1);
if (h == nil)
goto Out;
enc16(h, 2*sizeof hash + 1, hash, sizeof hash);
syslog(0, "smtp", "remote cert. has bad thumbprint: x509 sha1=%s server=%q",
h, ddomain);
free(h);
goto Out;
}
syslog(0, "smtp", "started TLS to %q", ddomain);
err = nil;
Out:
if(goodcerts != nil)
freeThumbprints(goodcerts);
free(c->cert);
free(c->sessionID);
free(c);
return err;
}
int
dotls(int fd)
{
TLSconn conn;
if((fd=tlsClient(fd, &conn)) < 0)
sysfatal("tlsclient: %r");
if(conn.cert != nil)
free(conn.cert);
return fd;
}
/*
* connect to remote server, default network is "tcp/ip"
*/
void
hello(char *dest)
{
char *p;
char dir[Maxpath];
TLSconn conn;
Binit(&stdin, 0, OREAD); /* init for later use */
ctlfd = dial(netmkaddr(dest, "tcp", "ftp"), 0, dir, 0);
if(ctlfd < 0){
fprint(2, "can't dial %s: %r\n", dest);
exits("dialing");
}
Binit(&ctlin, ctlfd, OREAD);
/* remember network for the data connections */
p = strrchr(dir+1, '/');
if(p == 0)
fatal("wrong dial(2) linked with ftp");
*p = 0;
safecpy(net, dir, sizeof(net));
/* wait for hello from other side */
if(getreply(&ctlin, msg, sizeof(msg), 1) != Success)
fatal("bad hello");
if(strstr(msg, "Plan 9"))
os = Plan9;
if(usetls){
sendrequest("AUTH", "TLS");
if(getreply(&ctlin, msg, sizeof(msg), 1) != Success)
fatal("bad auth tls");
ctlfd = tlsClient(ctlfd, &conn);
if(ctlfd < 0)
fatal("starting tls: %r");
free(conn.cert);
Binit(&ctlin, ctlfd, OREAD);
sendrequest("PBSZ", "0");
if(getreply(&ctlin, msg, sizeof(msg), 1) != Success)
fatal("bad pbsz 0");
sendrequest("PROT", "P");
if(getreply(&ctlin, msg, sizeof(msg), 1) != Success)
fatal("bad prot p");
}
}
/*
* have server call back for a data connection
*/
static int
active(int mode, Biobuf **bpp, char *cmda, char *cmdb)
{
int cfd, dfd, rv;
char newdir[Maxpath];
char datafile[Maxpath + 6];
TLSconn conn;
if(port() < 0)
return TempFail;
sendrequest(cmda, cmdb);
rv = getreply(&ctlin, msg, sizeof(msg), 0);
if(rv != Extra){
close(listenfd);
return rv;
}
/* wait for a new call */
cfd = listen(netdir, newdir);
if(cfd < 0)
fatal("waiting for data connection");
close(listenfd);
/* open it's data connection and close the control connection */
sprint(datafile, "%s/data", newdir);
dfd = open(datafile, ORDWR);
close(cfd);
if(dfd < 0)
fatal("opening data connection");
if(usetls){
memset(&conn, 0, sizeof(conn));
dfd = tlsClient(dfd, &conn);
if(dfd < 0)
fatal("starting tls: %r");
free(conn.cert);
}
Binit(&dbuf, dfd, mode);
*bpp = &dbuf;
return Extra;
}
/*
* exchange names with remote host, attempt to
* enable encryption and optionally authenticate.
* not fatal if we can't.
*/
static char *
dotls(char *me)
{
TLSconn *c;
char *err;
int fd;
c = mallocz(sizeof(*c), 1); /* Note: not freed on success */
if (c == nil)
return Giveup;
dBprint("STARTTLS\r\n");
if (getreply() != 2)
return Giveup;
fd = tlsClient(Bfildes(&bout), c);
if (fd < 0) {
syslog(0, "smtp", "tlsClient to %q: %r", ddomain);
return Giveup;
}
err = ckthumbs(c);
if (err && !okunksecure) {
free(c);
close(fd);
return err; /* how to recover? TLS is started */
}
Bterm(&bin);
Bterm(&bout);
/*
* set up bin & bout to use the TLS fd, i/o upon which generates
* i/o on the original, underlying fd.
*/
Binit(&bin, fd, OREAD);
fd = dup(fd, -1);
Binit(&bout, fd, OWRITE);
syslog(0, "smtp", "started TLS to %q", ddomain);
return(hello(me, 1));
}
/*
* call out for a data connection
*/
static int
passive(int mode, Biobuf **bpp, char *cmda, char *cmdb)
{
char msg[1024];
char ds[1024];
char *f[6];
char *p;
int x, fd;
TLSconn conn;
if(nopassive)
return Impossible;
sendrequest("PASV", nil);
if(getreply(&ctlin, msg, sizeof(msg), 0) != Success){
nopassive = 1;
return Impossible;
}
/* get address and port number from reply, this is AI */
p = strchr(msg, '(');
if(p == 0){
for(p = msg+3; *p; p++)
if(isdigit(*p))
break;
} else
p++;
if(getfields(p, f, 6, 0, ",") < 6){
if(debug)
fprint(2, "passive mode protocol botch: %s\n", msg);
werrstr("ftp protocol botch");
nopassive = 1;
return Impossible;
}
snprint(ds, sizeof(ds), "%s!%s.%s.%s.%s!%d", net,
f[0], f[1], f[2], f[3],
((atoi(f[4])&0xff)<<8) + (atoi(f[5])&0xff));
/* open data connection */
fd = dial(ds, 0, 0, 0);
if(fd < 0){
if(debug)
fprint(2, "passive mode connect to %s failed: %r\n", ds);
nopassive = 1;
return TempFail;
}
/* tell remote to send a file */
sendrequest(cmda, cmdb);
x = getreply(&ctlin, msg, sizeof(msg), 0);
if(x != Extra){
close(fd);
if(debug)
fprint(2, "passive mode retrieve failed: %s\n", msg);
werrstr(msg);
return x;
}
if(usetls){
memset(&conn, 0, sizeof(conn));
fd = tlsClient(fd, &conn);
if(fd < 0)
fatal("starting tls: %r");
free(conn.cert);
}
Binit(&dbuf, fd, mode);
*bpp = &dbuf;
return Extra;
}
void
main(int argc, char **argv)
{
int p, fd, dfd, cfd, shared;
char *keypattern, *addr;
Point d;
TLSconn conn;
keypattern = nil;
shared = 0;
ARGBEGIN{
case 'c':
bpp12 = 1;
break;
case 'e':
encodings = EARGF(usage());
break;
case 's':
shared = 1;
break;
case 't':
tls = 1;
break;
case 'v':
verbose = 1;
break;
case 'k':
keypattern = EARGF(usage());
break;
default:
usage();
}ARGEND;
if(argc != 1)
usage();
addr = netmkvncaddr(argv[0]);
serveraddr = argv[0];
dfd = dial(addr, nil, nil, &cfd);
if(dfd < 0)
sysfatal("cannot dial %s: %r", addr);
if(tls){
dfd = tlsClient(dfd, &conn);
if(dfd < 0)
sysfatal("tlsClient: %r");
/* XXX check thumbprint */
}
vnc = vncinit(dfd, cfd, nil);
if(vnchandshake(vnc) < 0)
sysfatal("handshake failure: %r");
if(vncauth(vnc, keypattern) < 0)
sysfatal("authentication failure: %r");
if(vncstart(vnc, shared) < 0)
sysfatal("init failure: %r");
initdraw(0, 0, "vncv");
display->locking = 1;
unlockdisplay(display);
d = addpt(vnc->dim, Pt(2*Borderwidth, 2*Borderwidth));
if(verbose)
fprint(2, "screen size %P, desktop size %P\n", display->image->r.max, d);
choosecolor(vnc);
sendencodings(vnc);
initmouse();
rfork(RFREND);
atexit(shutdown);
pids[0] = getpid();
switch(p = rfork(RFPROC|RFMEM)){
case -1:
sysfatal("rfork: %r");
default:
break;
case 0:
atexit(shutdown);
readfromserver(vnc);
exits(nil);
}
pids[1] = p;
switch(p = rfork(RFPROC|RFMEM)){
case -1:
sysfatal("rfork: %r");
default:
break;
case 0:
atexit(shutdown);
checksnarf(vnc);
exits(nil);
}
pids[2] = p;
fd = open("/dev/label", OWRITE);
if(fd >= 0){
fprint(fd, "vnc %s", serveraddr);
close(fd);
}
if(access("/dev/snarf", AEXIST) >= 0){
switch(p = rfork(RFPROC|RFMEM)){
case -1:
sysfatal("rfork: %r");
default:
break;
case 0:
atexit(shutdown);
readkbd(vnc);
exits(nil);
}
}
pids[3] = p;
readmouse(vnc);
exits(nil);
}
void
keepRegistered(const std::string& sedType,
const ExecConfiguration& config,
const std::string& sedUri,
boost::shared_ptr<SeD> server){
std::vector<std::string> services = server.get()->getServices();
int timeout = vishnu::DEFAUT_TIMEOUT;
config.getConfigValue<int>(vishnu::TIMEOUT, timeout);
std::string dispUri;
config.getRequiredConfigValue<std::string>(vishnu::DISP_URISUBS, dispUri);
boost::shared_ptr<Server> srv = boost::make_shared<Server>(sedType, services, sedUri);
std::string requestData = "1" + srv.get()->toString(); /* prefixed with 1 to say registering request */
std::string response;
bool useSsl = false;
bool connected(false);
while (true){
if (config.getConfigValue<bool>(vishnu::USE_SSL, useSsl) && useSsl) {
std::string host;
int port;
host = vishnu::getHostFromUri(dispUri);
port = vishnu::getPortFromUri(dispUri);
/* Get TLS trust store if set */
std::string cafile;
config.getConfigValue<std::string>(vishnu::SSL_CA, cafile);
/* Logging */
/* Now create a TLS client and go ahead */
TlsClient tlsClient(host, port, cafile);
requestData.append("\n\n"); /* required for the internal protocol */
if (tlsClient.send(requestData) == 0) {
response = tlsClient.recv();
if (response == "OK\n") { // \n at the end because it's in response see sslhelpers.cpp, \n is added at end of message
if (!connected) {
LOG("[INFO] Registered in dispatcher", LogInfo);
}
connected = true;
} else {
connected = false;
LOG("[WARN] Not registered in dispatcher", LogInfo);
}
}
} else {
zmq::context_t ctx(1);
LazyPirateClient lpc(ctx, dispUri, timeout);
lpc.send(requestData);
response = lpc.recv();
if (response == "OK") {
if (!connected) {
LOG("[INFO] Registered in dispatcher", LogInfo);
}
connected = true;
} else {
connected = false;
LOG("[WARN] Not registered in dispatcher", LogInfo);
}
}
sleep(timeout);
}
}
