static void HailExec(EvalContext *ctx, AgentConnection *conn, char *peer, char *recvbuffer, char *sendbuffer)
{
FILE *fp = stdout;
char *sp;
int n_read;
if (strlen(DEFINECLASSES))
{
snprintf(sendbuffer, CF_BUFSIZE, "EXEC %s -D%s", REMOTE_AGENT_OPTIONS, DEFINECLASSES);
}
else
{
snprintf(sendbuffer, CF_BUFSIZE, "EXEC %s", REMOTE_AGENT_OPTIONS);
}
if (SendTransaction(&conn->conn_info, sendbuffer, 0, CF_DONE) == -1)
{
Log(LOG_LEVEL_ERR, "Transmission rejected. (send: %s)", GetErrorStr());
DisconnectServer(conn);
return;
}
fp = NewStream(peer);
SendClassData(conn);
while (true)
{
memset(recvbuffer, 0, CF_BUFSIZE);
if ((n_read = ReceiveTransaction(&conn->conn_info, recvbuffer, NULL)) == -1)
{
return;
}
if (n_read == 0)
{
break;
}
if (strlen(recvbuffer) == 0)
{
continue;
}
if ((sp = strstr(recvbuffer, CFD_TERMINATOR)) != NULL)
{
break;
}
if ((sp = strstr(recvbuffer, "BAD:")) != NULL)
{
fprintf(fp, "%s> !! %s\n", VPREFIX, recvbuffer + 4);
continue;
}
if (strstr(recvbuffer, "too soon"))
{
fprintf(fp, "%s> !! %s\n", VPREFIX, recvbuffer);
continue;
}
fprintf(fp, "%s> -> %s", VPREFIX, recvbuffer);
}
DeleteStream(fp);
DisconnectServer(conn);
}
static void HailExec(AgentConnection *conn, char *peer, char *recvbuffer, char *sendbuffer)
{
FILE *fp = stdout;
char *sp;
int n_read;
if (strlen(DEFINECLASSES))
{
snprintf(sendbuffer, CF_BUFSIZE, "EXEC %s -D%s", REMOTE_AGENT_OPTIONS, DEFINECLASSES);
}
else
{
snprintf(sendbuffer, CF_BUFSIZE, "EXEC %s", REMOTE_AGENT_OPTIONS);
}
if (SendTransaction(conn->sd, sendbuffer, 0, CF_DONE) == -1)
{
CfOut(cf_error, "send", "Transmission rejected");
ServerDisconnection(conn);
return;
}
fp = NewStream(peer);
SendClassData(conn);
while (true)
{
memset(recvbuffer, 0, CF_BUFSIZE);
if ((n_read = ReceiveTransaction(conn->sd, recvbuffer, NULL)) == -1)
{
DestroyServerConnection(conn);
return;
}
if (n_read == 0)
{
break;
}
if (strlen(recvbuffer) == 0)
{
continue;
}
if ((sp = strstr(recvbuffer, CFD_TERMINATOR)) != NULL)
{
CfFile(fp, " !!\n\n");
break;
}
if ((sp = strstr(recvbuffer, "BAD:")) != NULL)
{
CfFile(fp, " !! %s\n", recvbuffer + 4);
continue;
}
if (strstr(recvbuffer, "too soon"))
{
CfFile(fp, " !! %s", recvbuffer);
continue;
}
CfFile(fp, " -> %s", recvbuffer);
}
DeleteStream(fp);
ServerDisconnection(conn);
}
int AuthenticateAgent(AgentConnection *conn, Attributes attr, Promise *pp)
{
char sendbuffer[CF_EXPANDSIZE], in[CF_BUFSIZE], *out, *decrypted_cchall;
BIGNUM *nonce_challenge, *bn = NULL;
unsigned long err;
unsigned char digest[EVP_MAX_MD_SIZE];
int encrypted_len, nonce_len = 0, len, session_size;
char dont_implicitly_trust_server, enterprise_field = 'c';
RSA *server_pubkey = NULL;
if (PUBKEY == NULL || PRIVKEY == NULL)
{
CfOut(cf_error, "", "No public/private key pair found\n");
return false;
}
enterprise_field = CfEnterpriseOptions();
session_size = CfSessionKeySize(enterprise_field);
/* Generate a random challenge to authenticate the server */
nonce_challenge = BN_new();
BN_rand(nonce_challenge, CF_NONCELEN, 0, 0);
nonce_len = BN_bn2mpi(nonce_challenge, in);
if (FIPS_MODE)
{
HashString(in, nonce_len, digest, CF_DEFAULT_DIGEST);
}
else
{
HashString(in, nonce_len, digest, cf_md5);
}
/* We assume that the server bound to the remote socket is the official one i.e. = root's */
if ((server_pubkey = HavePublicKeyByIP(conn->username, conn->remoteip)))
{
dont_implicitly_trust_server = 'y';
encrypted_len = RSA_size(server_pubkey);
}
else
{
dont_implicitly_trust_server = 'n'; /* have to trust server, since we can't verify id */
encrypted_len = nonce_len;
}
// Server pubkey is what we want to has as a unique ID
snprintf(sendbuffer, sizeof(sendbuffer), "SAUTH %c %d %d %c", dont_implicitly_trust_server, encrypted_len,
nonce_len, enterprise_field);
out = xmalloc(encrypted_len);
if (server_pubkey != NULL)
{
if (RSA_public_encrypt(nonce_len, in, out, server_pubkey, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
cfPS(cf_error, CF_FAIL, "", pp, attr, "Public encryption failed = %s\n", ERR_reason_error_string(err));
free(out);
FreeRSAKey(server_pubkey);
return false;
}
memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, out, encrypted_len);
}
else
{
memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, in, nonce_len);
}
/* proposition C1 - Send challenge / nonce */
SendTransaction(conn->sd, sendbuffer, CF_RSA_PROTO_OFFSET + encrypted_len, CF_DONE);
BN_free(bn);
BN_free(nonce_challenge);
free(out);
if (DEBUG)
{
RSA_print_fp(stdout, PUBKEY, 0);
}
/*Send the public key - we don't know if server has it */
/* proposition C2 */
memset(sendbuffer, 0, CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->n, sendbuffer);
SendTransaction(conn->sd, sendbuffer, len, CF_DONE); /* No need to encrypt the public key ... */
/* proposition C3 */
memset(sendbuffer, 0, CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->e, sendbuffer);
SendTransaction(conn->sd, sendbuffer, len, CF_DONE);
/* check reply about public key - server can break connection here */
/* proposition S1 */
memset(in, 0, CF_BUFSIZE);
if (ReceiveTransaction(conn->sd, in, NULL) == -1)
{
cfPS(cf_error, CF_INTERPT, "recv", pp, attr, "Protocol transaction broken off (1)");
FreeRSAKey(server_pubkey);
return false;
}
if (BadProtoReply(in))
{
CfOut(cf_error, "", "%s", in);
FreeRSAKey(server_pubkey);
return false;
}
/* Get challenge response - should be CF_DEFAULT_DIGEST of challenge */
/* proposition S2 */
memset(in, 0, CF_BUFSIZE);
if (ReceiveTransaction(conn->sd, in, NULL) == -1)
{
cfPS(cf_error, CF_INTERPT, "recv", pp, attr, "Protocol transaction broken off (2)");
FreeRSAKey(server_pubkey);
return false;
}
if (HashesMatch(digest, in, CF_DEFAULT_DIGEST) || HashesMatch(digest, in, cf_md5)) // Legacy
{
if (dont_implicitly_trust_server == 'y') /* challenge reply was correct */
{
CfOut(cf_verbose, "", ".....................[.h.a.i.l.].................................\n");
CfOut(cf_verbose, "", "Strong authentication of server=%s connection confirmed\n", pp->this_server);
}
else
{
if (attr.copy.trustkey)
{
CfOut(cf_verbose, "", " -> Trusting server identity, promise to accept key from %s=%s", pp->this_server,
conn->remoteip);
}
else
{
CfOut(cf_error, "", " !! Not authorized to trust the server=%s's public key (trustkey=false)\n",
pp->this_server);
PromiseRef(cf_verbose, pp);
FreeRSAKey(server_pubkey);
return false;
}
}
}
else
{
cfPS(cf_error, CF_INTERPT, "", pp, attr, "Challenge response from server %s/%s was incorrect!", pp->this_server,
conn->remoteip);
FreeRSAKey(server_pubkey);
return false;
}
/* Receive counter challenge from server */
CfDebug("Receive counter challenge from server\n");
/* proposition S3 */
memset(in, 0, CF_BUFSIZE);
encrypted_len = ReceiveTransaction(conn->sd, in, NULL);
if (encrypted_len <= 0)
{
CfOut(cf_error, "", "Protocol transaction sent illegal cipher length");
FreeRSAKey(server_pubkey);
return false;
}
decrypted_cchall = xmalloc(encrypted_len);
if (RSA_private_decrypt(encrypted_len, in, decrypted_cchall, PRIVKEY, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
cfPS(cf_error, CF_INTERPT, "", pp, attr, "Private decrypt failed = %s, abandoning\n",
ERR_reason_error_string(err));
FreeRSAKey(server_pubkey);
return false;
}
/* proposition C4 */
if (FIPS_MODE)
{
HashString(decrypted_cchall, nonce_len, digest, CF_DEFAULT_DIGEST);
}
else
{
HashString(decrypted_cchall, nonce_len, digest, cf_md5);
}
CfDebug("Replying to counter challenge with hash\n");
if (FIPS_MODE)
{
SendTransaction(conn->sd, digest, CF_DEFAULT_DIGEST_LEN, CF_DONE);
}
else
{
SendTransaction(conn->sd, digest, CF_MD5_LEN, CF_DONE);
}
free(decrypted_cchall);
/* If we don't have the server's public key, it will be sent */
if (server_pubkey == NULL)
{
RSA *newkey = RSA_new();
CfOut(cf_verbose, "", " -> Collecting public key from server!\n");
/* proposition S4 - conditional */
if ((len = ReceiveTransaction(conn->sd, in, NULL)) <= 0)
{
CfOut(cf_error, "", "Protocol error in RSA authentation from IP %s\n", pp->this_server);
return false;
}
if ((newkey->n = BN_mpi2bn(in, len, NULL)) == NULL)
{
err = ERR_get_error();
cfPS(cf_error, CF_INTERPT, "", pp, attr, "Private key decrypt failed = %s\n", ERR_reason_error_string(err));
FreeRSAKey(newkey);
return false;
}
/* proposition S5 - conditional */
if ((len = ReceiveTransaction(conn->sd, in, NULL)) <= 0)
{
cfPS(cf_inform, CF_INTERPT, "", pp, attr, "Protocol error in RSA authentation from IP %s\n",
pp->this_server);
FreeRSAKey(newkey);
return false;
}
if ((newkey->e = BN_mpi2bn(in, len, NULL)) == NULL)
{
err = ERR_get_error();
cfPS(cf_error, CF_INTERPT, "", pp, attr, "Public key decrypt failed = %s\n", ERR_reason_error_string(err));
FreeRSAKey(newkey);
return false;
}
server_pubkey = RSAPublicKey_dup(newkey);
FreeRSAKey(newkey);
}
/* proposition C5 */
SetSessionKey(conn);
if (conn->session_key == NULL)
{
CfOut(cf_error, "", "A random session key could not be established");
FreeRSAKey(server_pubkey);
return false;
}
encrypted_len = RSA_size(server_pubkey);
CfDebug("Encrypt %d bytes of session key into %d RSA bytes\n", session_size, encrypted_len);
out = xmalloc(encrypted_len);
if (RSA_public_encrypt(session_size, conn->session_key, out, server_pubkey, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
cfPS(cf_error, CF_INTERPT, "", pp, attr, "Public encryption failed = %s\n", ERR_reason_error_string(err));
free(out);
FreeRSAKey(server_pubkey);
return false;
}
SendTransaction(conn->sd, out, encrypted_len, CF_DONE);
if (server_pubkey != NULL)
{
HashPubKey(server_pubkey, conn->digest, CF_DEFAULT_DIGEST);
CfOut(cf_verbose, "", " -> Public key identity of host \"%s\" is \"%s\"", conn->remoteip,
HashPrint(CF_DEFAULT_DIGEST, conn->digest));
SavePublicKey(conn->username, conn->remoteip, HashPrint(CF_DEFAULT_DIGEST, conn->digest), server_pubkey); // FIXME: username is local
LastSaw(conn->remoteip, conn->digest, cf_connect);
}
free(out);
FreeRSAKey(server_pubkey);
return true;
}
bool BusyWithNewProtocol(EvalContext *ctx, ServerConnectionState *conn)
{
time_t tloc, trem = 0;
char recvbuffer[CF_BUFSIZE + CF_BUFEXT], sendbuffer[CF_BUFSIZE];
char filename[CF_BUFSIZE], args[CF_BUFSIZE], out[CF_BUFSIZE];
long time_no_see = 0;
unsigned int len = 0;
int drift, received;
ServerFileGetState get_args;
Item *classes;
/* We never double encrypt within the TLS layer */
const int encrypted = 0;
memset(recvbuffer, 0, CF_BUFSIZE + CF_BUFEXT);
memset(&get_args, 0, sizeof(get_args));
received = ReceiveTransaction(&conn->conn_info, recvbuffer, NULL);
if (received == -1 || received == 0)
{
return false;
}
if (strlen(recvbuffer) == 0)
{
Log(LOG_LEVEL_WARNING, "Got NULL transmission, skipping!");
return true;
}
/* Don't process request if we're signalled to exit. */
if (IsPendingTermination())
{
return false;
}
switch (GetCommandNew(recvbuffer))
{
case PROTOCOL_COMMAND_EXEC:
memset(args, 0, CF_BUFSIZE);
sscanf(recvbuffer, "EXEC %255[^\n]", args);
if (!conn->id_verified)
{
Log(LOG_LEVEL_INFO, "Server refusal due to incorrect identity");
RefuseAccess(conn, 0, recvbuffer);
return false;
}
if (!AllowedUser(conn->username))
{
Log(LOG_LEVEL_INFO, "Server refusal due to non-allowed user");
RefuseAccess(conn, 0, recvbuffer);
return false;
}
if (!conn->rsa_auth)
{
Log(LOG_LEVEL_INFO, "Server refusal due to no RSA authentication");
RefuseAccess(conn, 0, recvbuffer);
return false;
}
if (!AccessControl(ctx, CommandArg0(CFRUNCOMMAND), conn, false))
{
Log(LOG_LEVEL_INFO, "Server refusal due to denied access to requested object");
RefuseAccess(conn, 0, recvbuffer);
return false;
}
if (!MatchClasses(ctx, conn))
{
Log(LOG_LEVEL_INFO, "Server refusal due to failed class/context match");
Terminate(&conn->conn_info);
return false;
}
DoExec(ctx, conn, args);
Terminate(&conn->conn_info);
return false;
case PROTOCOL_COMMAND_VERSION:
if (!conn->id_verified)
{
Log(LOG_LEVEL_INFO, "ID not verified");
RefuseAccess(conn, 0, recvbuffer);
}
snprintf(conn->output, CF_BUFSIZE, "OK: %s", Version());
SendTransaction(&conn->conn_info, conn->output, 0, CF_DONE);
return conn->id_verified;
case PROTOCOL_COMMAND_GET:
memset(filename, 0, CF_BUFSIZE);
sscanf(recvbuffer, "GET %d %[^\n]", &(get_args.buf_size), filename);
if ((get_args.buf_size < 0) || (get_args.buf_size > CF_BUFSIZE))
{
Log(LOG_LEVEL_INFO, "GET buffer out of bounds");
RefuseAccess(conn, 0, recvbuffer);
return false;
}
if (!conn->id_verified)
{
Log(LOG_LEVEL_INFO, "ID not verified");
RefuseAccess(conn, 0, recvbuffer);
return false;
}
if (!AccessControl(ctx, filename, conn, false))
{
Log(LOG_LEVEL_INFO, "Access denied to get object");
RefuseAccess(conn, 0, recvbuffer);
return true;
}
memset(sendbuffer, 0, CF_BUFSIZE);
if (get_args.buf_size >= CF_BUFSIZE)
{
get_args.buf_size = 2048;
}
get_args.connect = conn;
get_args.encrypt = false;
get_args.replybuff = sendbuffer;
get_args.replyfile = filename;
CfGetFile(&get_args);
return true;
case PROTOCOL_COMMAND_OPENDIR:
memset(filename, 0, CF_BUFSIZE);
sscanf(recvbuffer, "OPENDIR %[^\n]", filename);
if (!conn->id_verified)
{
Log(LOG_LEVEL_INFO, "ID not verified");
RefuseAccess(conn, 0, recvbuffer);
return false;
}
if (!AccessControl(ctx, filename, conn, true)) /* opendir don't care about privacy */
{
Log(LOG_LEVEL_INFO, "DIR access error");
RefuseAccess(conn, 0, recvbuffer);
return false;
}
CfOpenDirectory(conn, sendbuffer, filename);
return true;
case PROTOCOL_COMMAND_SYNC:
if (!conn->id_verified)
{
Log(LOG_LEVEL_INFO, "ID not verified");
RefuseAccess(conn, 0, recvbuffer);
return false;
}
memset(filename, 0, CF_BUFSIZE);
sscanf(recvbuffer, "SYNCH %ld STAT %[^\n]", &time_no_see, filename);
trem = (time_t) time_no_see;
if ((time_no_see == 0) || (filename[0] == '\0'))
{
break;
}
if ((tloc = time((time_t *) NULL)) == -1)
{
sprintf(conn->output, "Couldn't read system clock\n");
Log(LOG_LEVEL_INFO, "Couldn't read system clock. (time: %s)", GetErrorStr());
SendTransaction(&conn->conn_info, "BAD: clocks out of synch", 0, CF_DONE);
return true;
}
drift = (int) (tloc - trem);
if (!AccessControl(ctx, filename, conn, true))
{
Log(LOG_LEVEL_VERBOSE, "AccessControl: access denied");
RefuseAccess(conn, 0, recvbuffer);
return true;
}
if (DENYBADCLOCKS && (drift * drift > CLOCK_DRIFT * CLOCK_DRIFT))
{
snprintf(conn->output, CF_BUFSIZE - 1, "BAD: Clocks are too far unsynchronized %ld/%ld\n", (long) tloc,
(long) trem);
SendTransaction(&conn->conn_info, conn->output, 0, CF_DONE);
return true;
}
else
{
Log(LOG_LEVEL_DEBUG, "Clocks were off by %ld", (long) tloc - (long) trem);
StatFile(conn, sendbuffer, filename);
}
return true;
case PROTOCOL_COMMAND_MD5:
if (!conn->id_verified)
{
Log(LOG_LEVEL_INFO, "ID not verified");
RefuseAccess(conn, 0, recvbuffer);
return true;
}
CompareLocalHash(conn, sendbuffer, recvbuffer);
return true;
case PROTOCOL_COMMAND_VAR:
if (!conn->id_verified)
{
Log(LOG_LEVEL_INFO, "ID not verified");
RefuseAccess(conn, 0, recvbuffer);
return true;
}
if (!LiteralAccessControl(ctx, recvbuffer, conn, encrypted))
{
Log(LOG_LEVEL_INFO, "Literal access failure");
RefuseAccess(conn, 0, recvbuffer);
return false;
}
GetServerLiteral(ctx, conn, sendbuffer, recvbuffer, encrypted);
return true;
case PROTOCOL_COMMAND_CONTEXT:
if (!conn->id_verified)
{
Log(LOG_LEVEL_INFO, "ID not verified");
RefuseAccess(conn, 0, "Context probe");
return true;
}
if ((classes = ContextAccessControl(ctx, recvbuffer, conn, encrypted)) == NULL)
{
Log(LOG_LEVEL_INFO, "Context access failure on %s", recvbuffer);
RefuseAccess(conn, 0, recvbuffer);
return false;
}
ReplyServerContext(conn, encrypted, classes);
return true;
case PROTOCOL_COMMAND_QUERY:
if (!conn->id_verified)
{
Log(LOG_LEVEL_INFO, "ID not verified");
RefuseAccess(conn, 0, recvbuffer);
return true;
}
if (!LiteralAccessControl(ctx, recvbuffer, conn, encrypted))
{
Log(LOG_LEVEL_INFO, "Query access failure");
RefuseAccess(conn, 0, recvbuffer);
return false;
}
if (GetServerQuery(conn, recvbuffer, encrypted))
{
return true;
}
break;
case PROTOCOL_COMMAND_CALL_ME_BACK:
sscanf(recvbuffer, "SCALLBACK %u", &len);
if ((len >= sizeof(out)) || (received != (len + CF_PROTO_OFFSET)))
{
Log(LOG_LEVEL_INFO, "Decrypt error CALL_ME_BACK");
RefuseAccess(conn, 0, "decrypt error CALL_ME_BACK");
return true;
}
memcpy(out, recvbuffer + CF_PROTO_OFFSET, len);
DecryptString(conn->encryption_type, out, recvbuffer, conn->session_key, len);
if (strncmp(recvbuffer, "CALL_ME_BACK collect_calls", strlen("CALL_ME_BACK collect_calls")) != 0)
{
Log(LOG_LEVEL_INFO, "CALL_ME_BACK protocol defect");
RefuseAccess(conn, 0, "decryption failure");
return false;
}
if (!conn->id_verified)
{
Log(LOG_LEVEL_INFO, "ID not verified");
RefuseAccess(conn, 0, recvbuffer);
return true;
}
if (!LiteralAccessControl(ctx, recvbuffer, conn, true))
{
Log(LOG_LEVEL_INFO, "Query access failure");
RefuseAccess(conn, 0, recvbuffer);
return false;
}
return ReceiveCollectCall(conn);
case PROTOCOL_COMMAND_BAD:
Log(LOG_LEVEL_WARNING, "Unexpected protocol command: %s", recvbuffer);
}
sprintf(sendbuffer, "BAD: Request denied\n");
SendTransaction(&conn->conn_info, sendbuffer, 0, CF_DONE);
Log(LOG_LEVEL_INFO, "Closing connection, due to request: '%s'", recvbuffer);
return false;
}
int CompareHashNet(const char *file1, const char *file2, bool encrypt, AgentConnection *conn)
{
unsigned char d[EVP_MAX_MD_SIZE + 1];
char *sp, sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE], in[CF_BUFSIZE], out[CF_BUFSIZE];
int i, tosend, cipherlen;
HashFile(file2, d, CF_DEFAULT_DIGEST);
memset(recvbuffer, 0, CF_BUFSIZE);
/* We encrypt only for CLASSIC protocol. The TLS protocol is always over
* encrypted layer, so it does not support encrypted (S*) commands. */
encrypt = encrypt && conn->conn_info->protocol == CF_PROTOCOL_CLASSIC;
if (encrypt)
{
snprintf(in, CF_BUFSIZE, "MD5 %s", file1);
sp = in + strlen(in) + CF_SMALL_OFFSET;
for (i = 0; i < CF_DEFAULT_DIGEST_LEN; i++)
{
*sp++ = d[i];
}
cipherlen =
EncryptString(conn->encryption_type, in, out, conn->session_key,
strlen(in) + CF_SMALL_OFFSET + CF_DEFAULT_DIGEST_LEN);
snprintf(sendbuffer, CF_BUFSIZE, "SMD5 %d", cipherlen);
memcpy(sendbuffer + CF_PROTO_OFFSET, out, cipherlen);
tosend = cipherlen + CF_PROTO_OFFSET;
}
else
{
snprintf(sendbuffer, CF_BUFSIZE, "MD5 %s", file1);
sp = sendbuffer + strlen(sendbuffer) + CF_SMALL_OFFSET;
for (i = 0; i < CF_DEFAULT_DIGEST_LEN; i++)
{
*sp++ = d[i];
}
tosend = strlen(sendbuffer) + CF_SMALL_OFFSET + CF_DEFAULT_DIGEST_LEN;
}
if (SendTransaction(conn->conn_info, sendbuffer, tosend, CF_DONE) == -1)
{
Log(LOG_LEVEL_ERR, "Failed send. (SendTransaction: %s)", GetErrorStr());
return false;
}
if (ReceiveTransaction(conn->conn_info, recvbuffer, NULL) == -1)
{
/* TODO mark connection in the cache as closed. */
Log(LOG_LEVEL_ERR, "Failed receive. (ReceiveTransaction: %s)", GetErrorStr());
Log(LOG_LEVEL_VERBOSE, "No answer from host, assuming checksum ok to avoid remote copy for now...");
return false;
}
if (strcmp(CFD_TRUE, recvbuffer) == 0)
{
return true; /* mismatch */
}
else
{
return false;
}
/* Not reached */
}
int EncryptCopyRegularFileNet(const char *source, const char *dest, off_t size, AgentConnection *conn)
{
int dd, blocksize = 2048, n_read = 0, towrite, plainlen, more = true, finlen, cnt = 0;
int tosend, cipherlen = 0;
char *buf, in[CF_BUFSIZE], out[CF_BUFSIZE], workbuf[CF_BUFSIZE], cfchangedstr[265];
unsigned char iv[32] =
{ 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8 };
long n_read_total = 0;
EVP_CIPHER_CTX crypto_ctx;
snprintf(cfchangedstr, 255, "%s%s", CF_CHANGEDSTR1, CF_CHANGEDSTR2);
if ((strlen(dest) > CF_BUFSIZE - 20))
{
Log(LOG_LEVEL_ERR, "Filename too long");
return false;
}
unlink(dest); /* To avoid link attacks */
if ((dd = safe_open(dest, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, 0600)) == -1)
{
Log(LOG_LEVEL_ERR,
"Copy from server '%s' to destination '%s' failed (open: %s)",
conn->this_server, dest, GetErrorStr());
unlink(dest);
return false;
}
if (size == 0)
{
// No sense in copying an empty file
close(dd);
return true;
}
workbuf[0] = '\0';
EVP_CIPHER_CTX_init(&crypto_ctx);
snprintf(in, CF_BUFSIZE - CF_PROTO_OFFSET, "GET dummykey %s", source);
cipherlen = EncryptString(conn->encryption_type, in, out, conn->session_key, strlen(in) + 1);
snprintf(workbuf, CF_BUFSIZE, "SGET %4d %4d", cipherlen, blocksize);
memcpy(workbuf + CF_PROTO_OFFSET, out, cipherlen);
tosend = cipherlen + CF_PROTO_OFFSET;
/* Send proposition C0 - query */
if (SendTransaction(conn->conn_info, workbuf, tosend, CF_DONE) == -1)
{
Log(LOG_LEVEL_ERR, "Couldn't send data. (SendTransaction: %s)", GetErrorStr());
close(dd);
return false;
}
buf = xmalloc(CF_BUFSIZE + sizeof(int));
n_read_total = 0;
while (more)
{
if ((cipherlen = ReceiveTransaction(conn->conn_info, buf, &more)) == -1)
{
free(buf);
return false;
}
cnt++;
/* If the first thing we get is an error message, break. */
if ((n_read_total == 0) && (strncmp(buf + CF_INBAND_OFFSET, CF_FAILEDSTR, strlen(CF_FAILEDSTR)) == 0))
{
Log(LOG_LEVEL_INFO, "Network access to '%s:%s' denied", conn->this_server, source);
close(dd);
free(buf);
return false;
}
if (strncmp(buf + CF_INBAND_OFFSET, cfchangedstr, strlen(cfchangedstr)) == 0)
{
Log(LOG_LEVEL_INFO, "Source '%s:%s' changed while copying", conn->this_server, source);
close(dd);
free(buf);
return false;
}
EVP_DecryptInit_ex(&crypto_ctx, CfengineCipher(CfEnterpriseOptions()), NULL, conn->session_key, iv);
if (!EVP_DecryptUpdate(&crypto_ctx, workbuf, &plainlen, buf, cipherlen))
{
close(dd);
free(buf);
return false;
}
if (!EVP_DecryptFinal_ex(&crypto_ctx, workbuf + plainlen, &finlen))
{
close(dd);
free(buf);
return false;
}
towrite = n_read = plainlen + finlen;
n_read_total += n_read;
if (!FSWrite(dest, dd, workbuf, towrite))
{
Log(LOG_LEVEL_ERR, "Local disk write failed copying '%s:%s' to '%s:%s'",
conn->this_server, source, dest, GetErrorStr());
if (conn)
{
conn->error = true;
}
free(buf);
unlink(dest);
close(dd);
EVP_CIPHER_CTX_cleanup(&crypto_ctx);
return false;
}
}
/* If the file ends with a `hole', something needs to be written at
the end. Otherwise the kernel would truncate the file at the end
of the last write operation. Write a null character and truncate
it again. */
if (ftruncate(dd, n_read_total) < 0)
{
Log(LOG_LEVEL_ERR, "Copy failed (no space?) while copying '%s' from network '%s'",
dest, GetErrorStr());
free(buf);
unlink(dest);
close(dd);
EVP_CIPHER_CTX_cleanup(&crypto_ctx);
return false;
}
close(dd);
free(buf);
EVP_CIPHER_CTX_cleanup(&crypto_ctx);
return true;
}
/* Returning NULL (an empty list) does not mean empty directory but ERROR,
* since every directory has to contain at least . and .. */
Item *RemoteDirList(const char *dirname, bool encrypt, AgentConnection *conn)
{
char sendbuffer[CF_BUFSIZE];
char recvbuffer[CF_BUFSIZE];
char in[CF_BUFSIZE];
char out[CF_BUFSIZE];
int cipherlen = 0, tosend;
if (strlen(dirname) > CF_BUFSIZE - 20)
{
Log(LOG_LEVEL_ERR, "Directory name too long");
return NULL;
}
/* We encrypt only for CLASSIC protocol. The TLS protocol is always over
* encrypted layer, so it does not support encrypted (S*) commands. */
encrypt = encrypt && conn->conn_info->protocol == CF_PROTOCOL_CLASSIC;
if (encrypt)
{
if (conn->session_key == NULL)
{
Log(LOG_LEVEL_ERR, "Cannot do encrypted copy without keys (use cf-key)");
return NULL;
}
snprintf(in, CF_BUFSIZE, "OPENDIR %s", dirname);
cipherlen = EncryptString(conn->encryption_type, in, out, conn->session_key, strlen(in) + 1);
snprintf(sendbuffer, CF_BUFSIZE - 1, "SOPENDIR %d", cipherlen);
memcpy(sendbuffer + CF_PROTO_OFFSET, out, cipherlen);
tosend = cipherlen + CF_PROTO_OFFSET;
}
else
{
snprintf(sendbuffer, CF_BUFSIZE, "OPENDIR %s", dirname);
tosend = strlen(sendbuffer);
}
if (SendTransaction(conn->conn_info, sendbuffer, tosend, CF_DONE) == -1)
{
return NULL;
}
Item *start = NULL, *end = NULL; /* NULL == empty list */
while (true)
{
/* TODO check the CF_MORE flag, no need for CFD_TERMINATOR. */
int nbytes = ReceiveTransaction(conn->conn_info, recvbuffer, NULL);
/* If recv error or socket closed before receiving CFD_TERMINATOR. */
if (nbytes == -1 || nbytes == 0)
{
/* TODO mark connection in the cache as closed. */
goto err;
}
if (recvbuffer[0] == '\0')
{
Log(LOG_LEVEL_ERR,
"Empty%s server packet when listing directory '%s'!",
(start == NULL) ? " first" : "",
dirname);
goto err;
}
if (encrypt)
{
memcpy(in, recvbuffer, nbytes);
DecryptString(conn->encryption_type, in, recvbuffer,
conn->session_key, nbytes);
}
if (FailedProtoReply(recvbuffer))
{
Log(LOG_LEVEL_INFO, "Network access to '%s:%s' denied", conn->this_server, dirname);
goto err;
}
if (BadProtoReply(recvbuffer))
{
Log(LOG_LEVEL_INFO, "%s", recvbuffer + strlen("BAD: "));
goto err;
}
/* Double '\0' means end of packet. */
for (char *sp = recvbuffer; *sp != '\0'; sp += strlen(sp) + 1)
{
if (strcmp(sp, CFD_TERMINATOR) == 0) /* end of all packets */
{
return start;
}
Item *ip = xcalloc(1, sizeof(Item));
ip->name = (char *) AllocateDirentForFilename(sp);
if (start == NULL) /* First element */
{
start = ip;
end = ip;
}
else
{
end->next = ip;
end = ip;
}
}
}
return start;
err: /* free list */
for (Item *ip = start; ip != NULL; ip = start)
{
start = ip->next;
free(ip->name);
free(ip);
}
return NULL;
}
static void HailExec(AgentConnection *conn, char *peer)
{
char sendbuf[CF_BUFSIZE - CF_INBAND_OFFSET] = "EXEC";
size_t sendbuf_len = strlen(sendbuf);
if (!NULL_OR_EMPTY(DEFINECLASSES))
{
StrCat(sendbuf, sizeof(sendbuf), &sendbuf_len, " -D", 0);
StrCat(sendbuf, sizeof(sendbuf), &sendbuf_len, DEFINECLASSES, 0);
}
if (!NULL_OR_EMPTY(REMOTEBUNDLES))
{
StrCat(sendbuf, sizeof(sendbuf), &sendbuf_len, " -b ", 0);
StrCat(sendbuf, sizeof(sendbuf), &sendbuf_len, REMOTEBUNDLES, 0);
}
if (sendbuf_len >= sizeof(sendbuf))
{
Log(LOG_LEVEL_ERR, "Command longer than maximum transaction packet");
DisconnectServer(conn);
return;
}
if (SendTransaction(conn->conn_info, sendbuf, 0, CF_DONE) == -1)
{
Log(LOG_LEVEL_ERR, "Transmission rejected. (send: %s)", GetErrorStr());
DisconnectServer(conn);
return;
}
/* TODO we are sending class data right after EXEC, when the server might
* have already rejected us with BAD reply. So this class data with the
* CFD_TERMINATOR will be interpreted by the server as a new, bogus
* protocol command, and the server will complain. */
SendClassData(conn);
char recvbuffer[CF_BUFSIZE];
FILE *fp = NewStream(peer);
while (true)
{
memset(recvbuffer, 0, sizeof(recvbuffer));
if (ReceiveTransaction(conn->conn_info, recvbuffer, NULL) == -1)
{
break;
}
if (strncmp(recvbuffer, CFD_TERMINATOR, strlen(CFD_TERMINATOR)) == 0)
{
break;
}
const size_t recv_len = strlen(recvbuffer);
const char *ipaddr = conn->remoteip;
if (strncmp(recvbuffer, "BAD:", 4) == 0)
{
fprintf(fp, "%s> !! %s\n", ipaddr, recvbuffer + 4);
}
/* cf-serverd >= 3.7 quotes command output with "> ". */
else if (strncmp(recvbuffer, "> ", 2) == 0)
{
fprintf(fp, "%s> -> %s", ipaddr, &recvbuffer[2]);
}
else
{
fprintf(fp, "%s> %s", ipaddr, recvbuffer);
}
if (recv_len > 0 && recvbuffer[recv_len - 1] != '\n')
{
/* We'll be printing double newlines here with new cf-serverd
* versions, so check for already trailing newlines. */
/* TODO deprecate this path in a couple of versions. cf-serverd is
* supposed to munch the newlines so we must always append one. */
fputc('\n', fp);
}
}
if (fp != stdout)
{
fclose(fp);
}
DisconnectServer(conn);
}
/**
* Currently this function returns false when we want the connection
* closed, and true, when we want to proceed further with requests.
*
* @TODO So we need this function to return more than true/false, because now
* we return true even when access is denied! E.g. return -1 for error, 0 on
* success, 1 on access denied. It can be an option if connection will close
* on denial.
*/
bool BusyWithNewProtocol(EvalContext *ctx, ServerConnectionState *conn)
{
/* The CF_BUFEXT extra space is there to ensure we're not *reading* out of
* bounds in commands that carry extra binary arguments, like MD5. */
char recvbuffer[CF_BUFSIZE + CF_BUFEXT] = { 0 };
/* This size is the max we can SendTransaction(). */
char sendbuffer[CF_BUFSIZE - CF_INBAND_OFFSET] = { 0 };
char filename[CF_BUFSIZE + 1]; /* +1 for appending slash sometimes */
ServerFileGetState get_args = { 0 };
/* We already encrypt because of the TLS layer, no need to encrypt more. */
const int encrypted = 0;
/* Legacy stuff only for old protocol. */
assert(conn->rsa_auth == 1);
assert(conn->user_data_set == 1);
/* Receive up to CF_BUFSIZE - 1 bytes. */
const int received = ReceiveTransaction(conn->conn_info,
recvbuffer, NULL);
if (received == -1)
{
/* Already Log()ged in case of error. */
return false;
}
if (received > CF_BUFSIZE - 1)
{
UnexpectedError("Received transaction of size %d", received);
return false;
}
if (strlen(recvbuffer) == 0)
{
Log(LOG_LEVEL_WARNING,
"Got NULL transmission (of size %d)", received);
return true;
}
/* Don't process request if we're signalled to exit. */
if (IsPendingTermination())
{
Log(LOG_LEVEL_VERBOSE, "Server must exit, closing connection");
return false;
}
/* TODO break recvbuffer here: command, param1, param2 etc. */
switch (GetCommandNew(recvbuffer))
{
case PROTOCOL_COMMAND_EXEC:
{
const size_t EXEC_len = strlen(PROTOCOL_NEW[PROTOCOL_COMMAND_EXEC]);
/* Assert recvbuffer starts with EXEC. */
assert(strncmp(PROTOCOL_NEW[PROTOCOL_COMMAND_EXEC],
recvbuffer, EXEC_len) == 0);
char *args = &recvbuffer[EXEC_len];
args += strspn(args, " \t"); /* bypass spaces */
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "EXEC", args);
bool b = DoExec2(ctx, conn, args,
sendbuffer, sizeof(sendbuffer));
/* In the end we might keep the connection open (return true) to be
* ready for next requests, but we must always send the TERMINATOR
* string so that the client can close the connection at will. */
Terminate(conn->conn_info);
return b;
}
case PROTOCOL_COMMAND_VERSION:
snprintf(sendbuffer, sizeof(sendbuffer), "OK: %s", Version());
SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
return true;
case PROTOCOL_COMMAND_GET:
{
int ret = sscanf(recvbuffer, "GET %d %[^\n]",
&(get_args.buf_size), filename);
if (ret != 2 ||
get_args.buf_size <= 0 || get_args.buf_size > CF_BUFSIZE)
{
goto protocol_error;
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "GET", filename);
/* TODO batch all the following in one function since it's very
* similar in all of GET, OPENDIR and STAT. */
size_t zret = ShortcutsExpand(filename, sizeof(filename),
SV.path_shortcuts,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
if (zret == (size_t) -1)
{
goto protocol_error;
}
zret = PreprocessRequestPath(filename, sizeof(filename));
if (zret == (size_t) -1)
{
RefuseAccess(conn, recvbuffer);
return true;
}
PathRemoveTrailingSlash(filename, strlen(filename));
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Translated to:", "GET", filename);
if (acl_CheckPath(paths_acl, filename,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to GET: %s", filename);
RefuseAccess(conn, recvbuffer);
return true;
}
memset(sendbuffer, 0, sizeof(sendbuffer));
if (get_args.buf_size >= CF_BUFSIZE)
{
get_args.buf_size = 2048;
}
/* TODO eliminate! */
get_args.conn = conn;
get_args.encrypt = false;
get_args.replybuff = sendbuffer;
get_args.replyfile = filename;
CfGetFile(&get_args);
return true;
}
case PROTOCOL_COMMAND_OPENDIR:
{
memset(filename, 0, sizeof(filename));
int ret = sscanf(recvbuffer, "OPENDIR %[^\n]", filename);
if (ret != 1)
{
goto protocol_error;
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "OPENDIR", filename);
/* sizeof()-1 because we need one extra byte for
appending '/' afterwards. */
size_t zret = ShortcutsExpand(filename, sizeof(filename) - 1,
SV.path_shortcuts,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
if (zret == (size_t) -1)
{
goto protocol_error;
}
zret = PreprocessRequestPath(filename, sizeof(filename) - 1);
if (zret == (size_t) -1)
{
RefuseAccess(conn, recvbuffer);
return true;
}
/* OPENDIR *must* be directory. */
PathAppendTrailingSlash(filename, strlen(filename));
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Translated to:", "OPENDIR", filename);
if (acl_CheckPath(paths_acl, filename,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to OPENDIR: %s", filename);
RefuseAccess(conn, recvbuffer);
return true;
}
CfOpenDirectory(conn, sendbuffer, filename);
return true;
}
case PROTOCOL_COMMAND_SYNCH:
{
long time_no_see = 0;
memset(filename, 0, sizeof(filename));
int ret = sscanf(recvbuffer, "SYNCH %ld STAT %[^\n]",
&time_no_see, filename);
if (ret != 2 || filename[0] == '\0')
{
goto protocol_error;
}
time_t tloc = time(NULL);
if (tloc == -1)
{
/* Should never happen. */
Log(LOG_LEVEL_ERR, "Couldn't read system clock. (time: %s)", GetErrorStr());
SendTransaction(conn->conn_info, "BAD: clocks out of synch", 0, CF_DONE);
return true;
}
time_t trem = (time_t) time_no_see;
int drift = (int) (tloc - trem);
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "STAT", filename);
/* sizeof()-1 because we need one extra byte for
appending '/' afterwards. */
size_t zret = ShortcutsExpand(filename, sizeof(filename) - 1,
SV.path_shortcuts,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
if (zret == (size_t) -1)
{
goto protocol_error;
}
zret = PreprocessRequestPath(filename, sizeof(filename) - 1);
if (zret == (size_t) -1)
{
RefuseAccess(conn, recvbuffer);
return true;
}
if (IsDirReal(filename) == 1)
{
PathAppendTrailingSlash(filename, strlen(filename));
}
else
{
PathRemoveTrailingSlash(filename, strlen(filename));
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Translated to:", "STAT", filename);
if (acl_CheckPath(paths_acl, filename,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to STAT: %s", filename);
RefuseAccess(conn, recvbuffer);
return true;
}
Log(LOG_LEVEL_DEBUG, "Clocks were off by %ld",
(long) tloc - (long) trem);
if (DENYBADCLOCKS && (drift * drift > CLOCK_DRIFT * CLOCK_DRIFT))
{
snprintf(sendbuffer, sizeof(sendbuffer),
"BAD: Clocks are too far unsynchronized %ld/%ld",
(long) tloc, (long) trem);
Log(LOG_LEVEL_INFO, "denybadclocks %s", sendbuffer);
SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
return true;
}
StatFile(conn, sendbuffer, filename);
return true;
}
case PROTOCOL_COMMAND_MD5:
{
int ret = sscanf(recvbuffer, "MD5 %[^\n]", filename);
if (ret != 1)
{
goto protocol_error;
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "MD5", filename);
/* TODO batch all the following in one function since it's very
* similar in all of GET, OPENDIR and STAT. */
size_t zret = ShortcutsExpand(filename, sizeof(filename),
SV.path_shortcuts,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)));
if (zret == (size_t) -1)
{
goto protocol_error;
}
zret = PreprocessRequestPath(filename, sizeof(filename));
if (zret == (size_t) -1)
{
RefuseAccess(conn, recvbuffer);
return true;
}
PathRemoveTrailingSlash(filename, strlen(filename));
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Translated to:", "MD5", filename);
if (acl_CheckPath(paths_acl, filename,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to file: %s", filename);
RefuseAccess(conn, recvbuffer);
return true;
}
assert(CF_DEFAULT_DIGEST_LEN <= EVP_MAX_MD_SIZE);
unsigned char digest[EVP_MAX_MD_SIZE + 1];
assert(CF_BUFSIZE + CF_SMALL_OFFSET + CF_DEFAULT_DIGEST_LEN
<= sizeof(recvbuffer));
memcpy(digest, recvbuffer + strlen(recvbuffer) + CF_SMALL_OFFSET,
CF_DEFAULT_DIGEST_LEN);
CompareLocalHash(filename, digest, sendbuffer);
SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
return true;
}
case PROTOCOL_COMMAND_VAR:
{
char var[256];
int ret = sscanf(recvbuffer, "VAR %255[^\n]", var);
if (ret != 1)
{
goto protocol_error;
}
/* TODO if this is literals_acl, then when should I check vars_acl? */
if (acl_CheckExact(literals_acl, var,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to variable: %s", var);
RefuseAccess(conn, recvbuffer);
return true;
}
GetServerLiteral(ctx, conn, sendbuffer, recvbuffer, encrypted);
return true;
}
case PROTOCOL_COMMAND_CONTEXT:
{
char client_regex[256];
int ret = sscanf(recvbuffer, "CONTEXT %255[^\n]", client_regex);
if (ret != 1)
{
goto protocol_error;
}
Log(LOG_LEVEL_VERBOSE, "%14s %7s %s",
"Received:", "CONTEXT", client_regex);
/* WARNING: this comes from legacy code and must be killed if we care
* about performance. We should not accept regular expressions from
* the client, but this will break backwards compatibility.
*
* I replicated the code in raw form here to emphasize complexity,
* it's the only *slow* command currently in the protocol. */
Item *persistent_classes = ListPersistentClasses();
Item *matched_classes = NULL;
/* For all persistent classes */
for (Item *ip = persistent_classes; ip != NULL; ip = ip->next)
{
const char *class_name = ip->name;
/* Does this class match the regex the client sent? */
if (StringMatchFull(client_regex, class_name))
{
/* Is this class allowed to be given to the specific
* host, according to the regexes in the ACLs? */
if (acl_CheckRegex(classes_acl, class_name,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)),
NULL)
== true)
{
Log(LOG_LEVEL_DEBUG, "Access granted to class: %s",
class_name);
PrependItem(&matched_classes, class_name, NULL);
}
}
}
if (matched_classes == NULL)
{
Log(LOG_LEVEL_INFO,
"No allowed classes for remoteclassesmatching: %s",
client_regex);
RefuseAccess(conn, recvbuffer);
return true;
}
ReplyServerContext(conn, encrypted, matched_classes);
return true;
}
case PROTOCOL_COMMAND_QUERY:
{
char query[256], name[128];
int ret1 = sscanf(recvbuffer, "QUERY %255[^\n]", query);
int ret2 = sscanf(recvbuffer, "QUERY %127s", name);
if (ret1 != 1 || ret2 != 1)
{
goto protocol_error;
}
if (acl_CheckExact(query_acl, name,
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO, "access denied to query: %s", query);
RefuseAccess(conn, recvbuffer);
return true;
}
if (GetServerQuery(conn, recvbuffer, encrypted))
{
return true;
}
break;
}
case PROTOCOL_COMMAND_CALL_ME_BACK:
/* Server side, handing the collect call off to cf-hub. */
if (acl_CheckExact(query_acl, "collect_calls",
conn->ipaddr, conn->revdns,
KeyPrintableHash(ConnectionInfoKey(conn->conn_info)))
== false)
{
Log(LOG_LEVEL_INFO,
"access denied to Call-Collect, check the ACL for class: collect_calls");
return false;
}
ReceiveCollectCall(conn);
/* On success that returned true; otherwise, it did all
* relevant Log()ging. Either way, we're no longer busy with
* it and our caller can close the connection: */
return false;
case PROTOCOL_COMMAND_BAD:
Log(LOG_LEVEL_WARNING, "Unexpected protocol command: %s", recvbuffer);
}
/* We should only reach this point if something went really bad, and
* close connection. In all other cases (like access denied) connection
* shouldn't be closed.
*/
protocol_error:
strcpy(sendbuffer, "BAD: Request denied");
SendTransaction(conn->conn_info, sendbuffer, 0, CF_DONE);
Log(LOG_LEVEL_INFO,
"Closing connection due to illegal request: %s", recvbuffer);
return false;
}
int EncryptCopyRegularFileNet(const char *source, const char *dest, off_t size, AgentConnection *conn)
{
int dd, blocksize = 2048, n_read = 0, plainlen, more = true, finlen, cnt = 0;
int tosend, cipherlen = 0;
char *buf, in[CF_BUFSIZE], out[CF_BUFSIZE], workbuf[CF_BUFSIZE], cfchangedstr[265];
unsigned char iv[32] =
{ 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8 };
EVP_CIPHER_CTX crypto_ctx;
snprintf(cfchangedstr, 255, "%s%s", CF_CHANGEDSTR1, CF_CHANGEDSTR2);
if ((strlen(dest) > CF_BUFSIZE - 20))
{
Log(LOG_LEVEL_ERR, "Filename too long");
return false;
}
unlink(dest); /* To avoid link attacks */
if ((dd = safe_open(dest, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, 0600)) == -1)
{
Log(LOG_LEVEL_ERR,
"Copy from server '%s' to destination '%s' failed (open: %s)",
conn->this_server, dest, GetErrorStr());
unlink(dest);
return false;
}
if (size == 0)
{
// No sense in copying an empty file
close(dd);
return true;
}
workbuf[0] = '\0';
EVP_CIPHER_CTX_init(&crypto_ctx);
snprintf(in, CF_BUFSIZE - CF_PROTO_OFFSET, "GET dummykey %s", source);
cipherlen = EncryptString(out, sizeof(out), in, strlen(in) + 1, conn->encryption_type, conn->session_key);
tosend = cipherlen + CF_PROTO_OFFSET;
if(tosend > sizeof(workbuf))
{
ProgrammingError("EncryptCopyRegularFileNet: tosend (%d) > workbuf (%ld)",
tosend, sizeof(workbuf));
}
snprintf(workbuf, CF_BUFSIZE, "SGET %4d %4d", cipherlen, blocksize);
memcpy(workbuf + CF_PROTO_OFFSET, out, cipherlen);
/* Send proposition C0 - query */
if (SendTransaction(conn->conn_info, workbuf, tosend, CF_DONE) == -1)
{
Log(LOG_LEVEL_ERR, "Couldn't send data. (SendTransaction: %s)", GetErrorStr());
close(dd);
return false;
}
buf = xmalloc(CF_BUFSIZE + sizeof(int));
bool last_write_made_hole = false;
size_t n_wrote_total = 0;
while (more)
{
if ((cipherlen = ReceiveTransaction(conn->conn_info, buf, &more)) == -1)
{
free(buf);
return false;
}
cnt++;
/* If the first thing we get is an error message, break. */
if (n_wrote_total == 0 &&
strncmp(buf + CF_INBAND_OFFSET, CF_FAILEDSTR, strlen(CF_FAILEDSTR)) == 0)
{
Log(LOG_LEVEL_INFO, "Network access to '%s:%s' denied", conn->this_server, source);
close(dd);
free(buf);
return false;
}
if (strncmp(buf + CF_INBAND_OFFSET, cfchangedstr, strlen(cfchangedstr)) == 0)
{
Log(LOG_LEVEL_INFO, "Source '%s:%s' changed while copying", conn->this_server, source);
close(dd);
free(buf);
return false;
}
EVP_DecryptInit_ex(&crypto_ctx, CfengineCipher(CfEnterpriseOptions()), NULL, conn->session_key, iv);
if (!EVP_DecryptUpdate(&crypto_ctx, workbuf, &plainlen, buf, cipherlen))
{
close(dd);
free(buf);
return false;
}
if (!EVP_DecryptFinal_ex(&crypto_ctx, workbuf + plainlen, &finlen))
{
close(dd);
free(buf);
return false;
}
n_read = plainlen + finlen;
bool w_ok = FileSparseWrite(dd, workbuf, n_read,
&last_write_made_hole);
if (!w_ok)
{
Log(LOG_LEVEL_ERR,
"Local disk write failed copying '%s:%s' to '%s'",
conn->this_server, source, dest);
free(buf);
unlink(dest);
close(dd);
conn->error = true;
EVP_CIPHER_CTX_cleanup(&crypto_ctx);
return false;
}
n_wrote_total += n_read;
}
const bool do_sync = false;
bool ret = FileSparseClose(dd, dest, do_sync,
n_wrote_total, last_write_made_hole);
if (!ret)
{
unlink(dest);
free(buf);
EVP_CIPHER_CTX_cleanup(&crypto_ctx);
return false;
}
free(buf);
EVP_CIPHER_CTX_cleanup(&crypto_ctx);
return true;
}
int AuthenticateAgent(AgentConnection *conn, bool trust_key)
{
char sendbuffer[CF_EXPANDSIZE], in[CF_BUFSIZE], *out, *decrypted_cchall;
BIGNUM *nonce_challenge, *bn = NULL;
unsigned long err;
unsigned char digest[EVP_MAX_MD_SIZE];
int encrypted_len, nonce_len = 0, len, session_size;
bool implicitly_trust_server;
char enterprise_field = 'c';
RSA *server_pubkey = NULL;
if ((PUBKEY == NULL) || (PRIVKEY == NULL))
{
Log(LOG_LEVEL_ERR, "No public/private key pair found at '%s'", PublicKeyFile(GetWorkDir()));
return false;
}
enterprise_field = CfEnterpriseOptions();
session_size = CfSessionKeySize(enterprise_field);
/* Generate a random challenge to authenticate the server */
nonce_challenge = BN_new();
if (nonce_challenge == NULL)
{
Log(LOG_LEVEL_ERR, "Cannot allocate BIGNUM structure for server challenge");
return false;
}
BN_rand(nonce_challenge, CF_NONCELEN, 0, 0);
nonce_len = BN_bn2mpi(nonce_challenge, in);
if (FIPS_MODE)
{
HashString(in, nonce_len, digest, CF_DEFAULT_DIGEST);
}
else
{
HashString(in, nonce_len, digest, HASH_METHOD_MD5);
}
/* We assume that the server bound to the remote socket is the official one i.e. = root's */
if ((server_pubkey = HavePublicKeyByIP(conn->username, conn->remoteip)))
{
implicitly_trust_server = false;
encrypted_len = RSA_size(server_pubkey);
}
else
{
implicitly_trust_server = true;
encrypted_len = nonce_len;
}
// Server pubkey is what we want to has as a unique ID
snprintf(sendbuffer, sizeof(sendbuffer), "SAUTH %c %d %d %c", implicitly_trust_server ? 'n': 'y', encrypted_len,
nonce_len, enterprise_field);
out = xmalloc(encrypted_len);
if (server_pubkey != NULL)
{
if (RSA_public_encrypt(nonce_len, in, out, server_pubkey, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Public encryption failed. (RSA_public_encrypt: %s)", ERR_reason_error_string(err));
free(out);
RSA_free(server_pubkey);
return false;
}
memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, out, encrypted_len);
}
else
{
memcpy(sendbuffer + CF_RSA_PROTO_OFFSET, in, nonce_len);
}
/* proposition C1 - Send challenge / nonce */
SendTransaction(conn->sd, sendbuffer, CF_RSA_PROTO_OFFSET + encrypted_len, CF_DONE);
BN_free(bn);
BN_free(nonce_challenge);
free(out);
/*Send the public key - we don't know if server has it */
/* proposition C2 */
memset(sendbuffer, 0, CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->n, sendbuffer);
SendTransaction(conn->sd, sendbuffer, len, CF_DONE); /* No need to encrypt the public key ... */
/* proposition C3 */
memset(sendbuffer, 0, CF_EXPANDSIZE);
len = BN_bn2mpi(PUBKEY->e, sendbuffer);
SendTransaction(conn->sd, sendbuffer, len, CF_DONE);
/* check reply about public key - server can break connection here */
/* proposition S1 */
memset(in, 0, CF_BUFSIZE);
if (ReceiveTransaction(conn->sd, in, NULL) == -1)
{
Log(LOG_LEVEL_ERR, "Protocol transaction broken off (1). (ReceiveTransaction: %s)", GetErrorStr());
RSA_free(server_pubkey);
return false;
}
if (BadProtoReply(in))
{
Log(LOG_LEVEL_ERR, "Bad protocol reply '%s'", in);
RSA_free(server_pubkey);
return false;
}
/* Get challenge response - should be CF_DEFAULT_DIGEST of challenge */
/* proposition S2 */
memset(in, 0, CF_BUFSIZE);
if (ReceiveTransaction(conn->sd, in, NULL) == -1)
{
Log(LOG_LEVEL_ERR, "Protocol transaction broken off (2). (ReceiveTransaction: %s)", GetErrorStr());
RSA_free(server_pubkey);
return false;
}
if ((HashesMatch(digest, in, CF_DEFAULT_DIGEST)) || (HashesMatch(digest, in, HASH_METHOD_MD5))) // Legacy
{
if (implicitly_trust_server == false) /* challenge reply was correct */
{
Log(LOG_LEVEL_VERBOSE, ".....................[.h.a.i.l.].................................");
Log(LOG_LEVEL_VERBOSE, "Strong authentication of server '%s' connection confirmed", conn->this_server);
}
else
{
if (trust_key)
{
Log(LOG_LEVEL_VERBOSE, "Trusting server identity, promise to accept key from '%s' = '%s'", conn->this_server,
conn->remoteip);
}
else
{
Log(LOG_LEVEL_ERR, "Not authorized to trust public key of server '%s' (trustkey = false)",
conn->this_server);
RSA_free(server_pubkey);
return false;
}
}
}
else
{
Log(LOG_LEVEL_ERR, "Challenge response from server '%s/%s' was incorrect", conn->this_server,
conn->remoteip);
RSA_free(server_pubkey);
return false;
}
/* Receive counter challenge from server */
/* proposition S3 */
memset(in, 0, CF_BUFSIZE);
encrypted_len = ReceiveTransaction(conn->sd, in, NULL);
if (encrypted_len <= 0)
{
Log(LOG_LEVEL_ERR, "Protocol transaction sent illegal cipher length");
RSA_free(server_pubkey);
return false;
}
decrypted_cchall = xmalloc(encrypted_len);
if (RSA_private_decrypt(encrypted_len, in, decrypted_cchall, PRIVKEY, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Private decrypt failed, abandoning. (RSA_private_decrypt: %s)",
ERR_reason_error_string(err));
RSA_free(server_pubkey);
return false;
}
/* proposition C4 */
if (FIPS_MODE)
{
HashString(decrypted_cchall, nonce_len, digest, CF_DEFAULT_DIGEST);
}
else
{
HashString(decrypted_cchall, nonce_len, digest, HASH_METHOD_MD5);
}
if (FIPS_MODE)
{
SendTransaction(conn->sd, digest, CF_DEFAULT_DIGEST_LEN, CF_DONE);
}
else
{
SendTransaction(conn->sd, digest, CF_MD5_LEN, CF_DONE);
}
free(decrypted_cchall);
/* If we don't have the server's public key, it will be sent */
if (server_pubkey == NULL)
{
RSA *newkey = RSA_new();
Log(LOG_LEVEL_VERBOSE, "Collecting public key from server!");
/* proposition S4 - conditional */
if ((len = ReceiveTransaction(conn->sd, in, NULL)) <= 0)
{
Log(LOG_LEVEL_ERR, "Protocol error in RSA authentation from IP '%s'", conn->this_server);
return false;
}
if ((newkey->n = BN_mpi2bn(in, len, NULL)) == NULL)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Private key decrypt failed. (BN_mpi2bn: %s)", ERR_reason_error_string(err));
RSA_free(newkey);
return false;
}
/* proposition S5 - conditional */
if ((len = ReceiveTransaction(conn->sd, in, NULL)) <= 0)
{
Log(LOG_LEVEL_INFO, "Protocol error in RSA authentation from IP '%s'",
conn->this_server);
RSA_free(newkey);
return false;
}
if ((newkey->e = BN_mpi2bn(in, len, NULL)) == NULL)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Public key decrypt failed. (BN_mpi2bn: %s)", ERR_reason_error_string(err));
RSA_free(newkey);
return false;
}
server_pubkey = RSAPublicKey_dup(newkey);
RSA_free(newkey);
}
/* proposition C5 */
if (!SetSessionKey(conn))
{
Log(LOG_LEVEL_ERR, "Unable to set session key");
return false;
}
if (conn->session_key == NULL)
{
Log(LOG_LEVEL_ERR, "A random session key could not be established");
RSA_free(server_pubkey);
return false;
}
encrypted_len = RSA_size(server_pubkey);
out = xmalloc(encrypted_len);
if (RSA_public_encrypt(session_size, conn->session_key, out, server_pubkey, RSA_PKCS1_PADDING) <= 0)
{
err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Public encryption failed. (RSA_public_encrypt: %s)", ERR_reason_error_string(err));
free(out);
RSA_free(server_pubkey);
return false;
}
SendTransaction(conn->sd, out, encrypted_len, CF_DONE);
if (server_pubkey != NULL)
{
char buffer[EVP_MAX_MD_SIZE * 4];
HashPubKey(server_pubkey, conn->digest, CF_DEFAULT_DIGEST);
Log(LOG_LEVEL_VERBOSE, "Public key identity of host '%s' is '%s'", conn->remoteip,
HashPrintSafe(CF_DEFAULT_DIGEST, conn->digest, buffer));
SavePublicKey(conn->username, buffer, server_pubkey); // FIXME: username is local
LastSaw(conn->remoteip, conn->digest, LAST_SEEN_ROLE_CONNECT);
}
free(out);
RSA_free(server_pubkey);
return true;
}
