int main(int argc, char **argv)
{
ne_sock_addr *addr;
char buf[256];
int ret = 0;
if (argc < 2) {
printf("Usage: %s hostname\n", argv[0]);
return 1;
}
if (ne_sock_init()) {
printf("%s: Failed to initialize socket library.\n", argv[0]);
return 1;
}
addr = ne_addr_resolve(argv[1], 0);
if (ne_addr_result(addr)) {
printf("Could not resolve `%s': %s\n", argv[1],
ne_addr_error(addr, buf, sizeof buf));
ret = 2;
} else {
const ne_inet_addr *ia;
printf("Resolved `%s' OK:", argv[1]);
for (ia = ne_addr_first(addr); ia; ia = ne_addr_next(addr)) {
printf(" <%s>", ne_iaddr_print(ia, buf, sizeof buf));
}
putchar('\n');
}
ne_addr_destroy(addr);
return ret;
}
static int addr_make_v6(void)
{
#ifdef TEST_IPV6
struct {
const unsigned char *addr;
const char *rep;
} as[] = {
{ raw6_cafe, "feed::cafe" },
{ raw6_babe, "cafe:babe::" },
{ raw6_nuls, "::" },
{ NULL, NULL }
};
int n;
for (n = 0; as[n].rep != NULL; n++) {
ne_inet_addr *ia = ne_iaddr_make(ne_iaddr_ipv6, as[n].addr);
char pr[128];
unsigned char raw[17];
ONV(ia == NULL, ("could not make address for '%s'",
as[n].rep));
ne_iaddr_print(ia, pr, sizeof pr);
ONV(strcmp(pr, as[n].rep),
("address %d was '%s' not '%s'", n, pr, as[n].rep));
ONN("bogus ne_iaddr_typeof return", ne_iaddr_typeof(ia) != ne_iaddr_ipv6);
raw[16] = 'Z';
ONN("ne_iaddr_raw gave bad retval", ne_iaddr_raw(ia, raw) != raw);
ONN("raw address mismatch", memcmp(raw, as[n].addr, 4) != 0);
ONN("ne_iaddr_raw buffer overflow", raw[16] != 'Z');
ne_iaddr_free(ia);
ia = ne_iaddr_parse(as[n].rep, ne_iaddr_ipv6);
ONV(ia == NULL, ("ne_iaddr_parse failed for %s", as[n].rep));
ONN("bogus ne_iaddr_typeof return", ne_iaddr_typeof(ia) != ne_iaddr_ipv6);
ONN("ne_iaddr_raw gave bad retval", ne_iaddr_raw(ia, raw) != raw);
ONN("raw address mismatch", memcmp(raw, as[n].addr, 4) != 0);
ONN("ne_iaddr_raw buffer overflow", raw[16] != 'Z');
ne_iaddr_free(ia);
}
return OK;
#else
/* should fail when lacking IPv6 support. */
ne_inet_addr *ia = ne_iaddr_make(ne_iaddr_ipv6, raw6_nuls);
ONN("ne_iaddr_make did not return NULL", ia != NULL);
ONN("ne_iaddr_parse did not return NULL", ne_iaddr_parse("127.0.0.1", ne_iaddr_ipv6));
#endif
return OK;
}
static int resolve_numeric(void)
{
ne_sock_addr *addr = ne_addr_resolve("127.0.0.1", 0);
ONV(ne_addr_result(addr),
("failed to resolve 127.0.0.1: %s",
ne_addr_error(addr, buffer, sizeof buffer)));
ONN("ne_addr_first returned NULL", ne_addr_first(addr) == NULL);
ONN("ne_iaddr_print didn't return buffer",
ne_iaddr_print(ne_addr_first(addr), buffer, sizeof buffer) != buffer);
ONV(strcmp(buffer, "127.0.0.1"), ("ntop gave `%s' not 127.0.0.1", buffer));
ne_addr_destroy(addr);
return OK;
}
static int addr_make_v4(void)
{
ne_inet_addr *ia;
char pr[50];
ia = ne_iaddr_make(ne_iaddr_ipv4, raw_127);
ONN("ne_iaddr_make returned NULL", ia == NULL);
ne_iaddr_print(ia, pr, sizeof pr);
ONV(strcmp(pr, "127.0.0.1"), ("address was %s not 127.0.0.1", pr));
CALL(check_is_raw127(ia));
ne_iaddr_free(ia);
return OK;
}
static int serve_ppeer(ne_socket *sock, void *ud)
{
unsigned int port = 99999;
ne_inet_addr *ia = ne_sock_peer(sock, &port);
char buf[128], line[256];
if (ia == NULL)
ne_snprintf(line, sizeof line, "error: %s", ne_sock_error(sock));
else
ne_snprintf(line, sizeof line,
"%s@%u\n", ne_iaddr_print(ia, buf, sizeof buf),
port);
CALL(full_write(sock, line, strlen(line)));
ne_iaddr_free(ia);
return OK;
}
static int try_prebind(int addr, int port)
{
ne_socket *sock = ne_sock_create();
ne_inet_addr *ia;
char buf[128], line[256];
unsigned int srvport;
ia = ne_iaddr_make(ne_iaddr_ipv4, raw_127);
ONN("ne_iaddr_make returned NULL", ia == NULL);
CALL(new_spawn_server(1, serve_ppeer, NULL, &srvport));
ne_sock_prebind(sock, addr ? ia : NULL, port ? 7778 : 0);
ONN("could not connect", ne_sock_connect(sock, ia, srvport));
ne_snprintf(line, sizeof line,
"%s@%d\n", ne_iaddr_print(ia, buf, sizeof buf),
7778);
if (!port) {
/* Don't know what port will be chosen, so... */
ssize_t ret = ne_sock_readline(sock, buffer, BUFSIZ);
ONV(ret < 0, ("socket error `%s'", ne_sock_error(sock)));
ONV(strncmp(line, buffer, strchr(line, '@') - line) != 0,
("bad address: '%s', expecting '%s'",
buffer, line));
}
else {
LINE(line);
}
ne_sock_close(sock);
CALL(await_server());
ne_iaddr_free(ia);
return OK;
}
/* Check certificate identity. Returns zero if identity matches; 1 if
* identity does not match, or <0 if the certificate had no identity.
* If 'identity' is non-NULL, store the malloc-allocated identity in
* *identity. Logic specified by RFC 2818 and RFC 3280. */
static int check_identity(const ne_uri *server, X509 *cert, char **identity)
{
STACK_OF(GENERAL_NAME) *names;
int match = 0, found = 0;
const char *hostname;
hostname = server ? server->host : "";
names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
if (names) {
int n;
/* subjectAltName contains a sequence of GeneralNames */
for (n = 0; n < sk_GENERAL_NAME_num(names) && !match; n++) {
GENERAL_NAME *nm = sk_GENERAL_NAME_value(names, n);
/* handle dNSName and iPAddress name extensions only. */
if (nm->type == GEN_DNS) {
char *name = dup_ia5string(nm->d.ia5);
if (identity && !found) *identity = ne_strdup(name);
match = ne__ssl_match_hostname(name, strlen(name), hostname);
free(name);
found = 1;
}
else if (nm->type == GEN_IPADD) {
/* compare IP address with server IP address. */
ne_inet_addr *ia;
if (nm->d.ip->length == 4)
ia = ne_iaddr_make(ne_iaddr_ipv4, nm->d.ip->data);
else if (nm->d.ip->length == 16)
ia = ne_iaddr_make(ne_iaddr_ipv6, nm->d.ip->data);
else
ia = NULL;
/* ne_iaddr_make returns NULL if address type is unsupported */
if (ia != NULL) { /* address type was supported. */
char buf[128];
match = strcmp(hostname,
ne_iaddr_print(ia, buf, sizeof buf)) == 0;
found = 1;
ne_iaddr_free(ia);
} else {
NE_DEBUG(NE_DBG_SSL, "iPAddress name with unsupported "
"address type (length %d), skipped.\n",
nm->d.ip->length);
}
}
else if (nm->type == GEN_URI) {
char *name = dup_ia5string(nm->d.ia5);
ne_uri uri;
if (ne_uri_parse(name, &uri) == 0 && uri.host && uri.scheme) {
ne_uri tmp;
if (identity && !found) *identity = ne_strdup(name);
found = 1;
if (server) {
/* For comparison purposes, all that matters is
* host, scheme and port; ignore the rest. */
memset(&tmp, 0, sizeof tmp);
tmp.host = uri.host;
tmp.scheme = uri.scheme;
tmp.port = uri.port;
match = ne_uri_cmp(server, &tmp) == 0;
}
}
ne_uri_free(&uri);
free(name);
}
}
/* free the whole stack. */
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
}
/* Check against the commonName if no DNS alt. names were found,
* as per RFC3280. */
if (!found) {
X509_NAME *subj = X509_get_subject_name(cert);
X509_NAME_ENTRY *entry;
ne_buffer *cname = ne_buffer_ncreate(30);
int idx = -1, lastidx;
/* find the most specific commonName attribute. */
do {
lastidx = idx;
idx = X509_NAME_get_index_by_NID(subj, NID_commonName, lastidx);
} while (idx >= 0);
if (lastidx < 0) {
/* no commonName attributes at all. */
ne_buffer_destroy(cname);
return -1;
}
/* extract the string from the entry */
entry = X509_NAME_get_entry(subj, lastidx);
if (append_dirstring(cname, X509_NAME_ENTRY_get_data(entry))) {
ne_buffer_destroy(cname);
return -1;
}
if (identity) *identity = ne_strdup(cname->data);
match = ne__ssl_match_hostname(cname->data, cname->used - 1, hostname);
ne_buffer_destroy(cname);
}
NE_DEBUG(NE_DBG_SSL, "Identity match for '%s': %s\n", hostname,
match ? "good" : "bad");
return match ? 0 : 1;
}
static int netxml_alarm_subscribe(const char *page)
{
int ret, port = -1, secret = -1;
char buf[LARGEBUF], *s;
ne_request *request;
ne_sock_addr *addr;
const ne_inet_addr *ai;
char resp_buf[LARGEBUF];
/* Clear response buffer */
memset(resp_buf, 0, sizeof(resp_buf));
upsdebugx(2, "%s: %s", __func__, page);
sock = ne_sock_create();
if (gethostname(buf, sizeof(buf)) == 0) {
dstate_setinfo("driver.hostname", "%s", buf);
} else {
dstate_setinfo("driver.hostname", "<unknown>");
}
#ifdef HAVE_NE_SOCK_CONNECT_TIMEOUT
ne_sock_connect_timeout(sock, timeout);
#endif
ne_sock_read_timeout(sock, 1);
netxml_get_page(subdriver->configure);
snprintf(buf, sizeof(buf), "<?xml version=\"1.0\"?>\n");
snprintfcat(buf, sizeof(buf), "<Subscribe>\n");
snprintfcat(buf, sizeof(buf), "<Class>%s v%s</Class>\n", progname, DRIVER_VERSION);
snprintfcat(buf, sizeof(buf), "<Type>connected socket</Type>\n");
snprintfcat(buf, sizeof(buf), "<HostName>%s</HostName>\n", dstate_getinfo("driver.hostname"));
snprintfcat(buf, sizeof(buf), "<XMLClientParameters>\n");
snprintfcat(buf, sizeof(buf), "<ShutdownDuration>%d</ShutdownDuration>\n", shutdown_duration);
if( shutdown_timer > 0 ) {
snprintfcat(buf, sizeof(buf), "<ShutdownTimer>%d</ShutdownTimer>\r\n", shutdown_timer);
}
else {
snprintfcat(buf, sizeof(buf), "<ShutdownTimer>NONE</ShutdownTimer>\n");
}
snprintfcat(buf, sizeof(buf), "<AutoConfig>LOCAL</AutoConfig>\n");
snprintfcat(buf, sizeof(buf), "<OutletGroup>1</OutletGroup>\n");
snprintfcat(buf, sizeof(buf), "</XMLClientParameters>\n");
snprintfcat(buf, sizeof(buf), "<Warning></Warning>\n");
snprintfcat(buf, sizeof(buf), "</Subscribe>\n");
/* now send subscription message setting all the proper flags */
request = ne_request_create(session, "POST", page);
ne_set_request_body_buffer(request, buf, strlen(buf));
/* as the NMC reply is not xml standard compliant let's parse it this way */
do {
#ifndef HAVE_NE_SOCK_CONNECT_TIMEOUT
alarm(timeout+1);
#endif
ret = ne_begin_request(request);
#ifndef HAVE_NE_SOCK_CONNECT_TIMEOUT
alarm(0);
#endif
if (ret != NE_OK) {
break;
}
ret = ne_read_response_block(request, resp_buf, sizeof(resp_buf));
if (ret == NE_OK) {
ret = ne_end_request(request);
}
} while (ret == NE_RETRY);
ne_request_destroy(request);
/* due to different formats used by the various NMCs, we need to\
break up the reply in lines and parse each one separately */
for (s = strtok(resp_buf, "\r\n"); s != NULL; s = strtok(NULL, "\r\n")) {
upsdebugx(2, "%s: parsing %s", __func__, s);
if (!strncasecmp(s, "<Port>", 6) && (sscanf(s+6, "%u", &port) != 1)) {
return NE_RETRY;
}
if (!strncasecmp(s, "<Secret>", 8) && (sscanf(s+8, "%u", &secret) != 1)) {
return NE_RETRY;
}
}
if ((port == -1) || (secret == -1)) {
upsdebugx(2, "%s: parsing initial subcription failed", __func__);
return NE_RETRY;
}
/* Resolve the given hostname. 'flags' must be zero. Hex
* string IPv6 addresses (e.g. `::1') may be enclosed in brackets
* (e.g. `[::1]'). */
addr = ne_addr_resolve(uri.host, 0);
/* Returns zero if name resolution was successful, non-zero on
* error. */
if (ne_addr_result(addr) != 0) {
upsdebugx(2, "%s: name resolution failure on %s: %s", __func__, uri.host, ne_addr_error(addr, buf, sizeof(buf)));
ne_addr_destroy(addr);
return NE_RETRY;
}
for (ai = ne_addr_first(addr); ai != NULL; ai = ne_addr_next(addr)) {
upsdebugx(2, "%s: connecting to host %s port %d", __func__, ne_iaddr_print(ai, buf, sizeof(buf)), port);
#ifndef HAVE_NE_SOCK_CONNECT_TIMEOUT
alarm(timeout+1);
#endif
ret = ne_sock_connect(sock, ai, port);
#ifndef HAVE_NE_SOCK_CONNECT_TIMEOUT
alarm(0);
#endif
if (ret == NE_OK) {
upsdebugx(2, "%s: connection to %s open on fd %d", __func__, uri.host, ne_sock_fd(sock));
break;
}
}
ne_addr_destroy(addr);
if (ai == NULL) {
upsdebugx(2, "%s: failed to create listening socket", __func__);
return NE_RETRY;
}
snprintf(buf, sizeof(buf), "<Subscription Identification=\"%u\"></Subscription>", secret);
ret = ne_sock_fullwrite(sock, buf, strlen(buf) + 1);
if (ret != NE_OK) {
upsdebugx(2, "%s: send failed: %s", __func__, ne_sock_error(sock));
return NE_RETRY;
}
ret = ne_sock_read(sock, buf, sizeof(buf));
if (ret < 1) {
upsdebugx(2, "%s: read failed: %s", __func__, ne_sock_error(sock));
return NE_RETRY;
}
if (strcasecmp(buf, "<Subscription Answer=\"ok\"></Subscription>")) {
upsdebugx(2, "%s: subscription rejected", __func__);
return NE_RETRY;
}
upslogx(LOG_INFO, "NSM connection to '%s' established", uri.host);
return NE_OK;
}
/* Check certificate identity. Returns zero if identity matches; 1 if
* identity does not match, or <0 if the certificate had no identity.
* If 'identity' is non-NULL, store the malloc-allocated identity in
* *identity. If 'server' is non-NULL, it must be the network address
* of the server in use, and identity must be NULL. */
static int check_identity(const ne_uri *server, gnutls_x509_crt cert,
char **identity)
{
char name[255];
unsigned int critical;
int ret, seq = 0;
int match = 0, found = 0;
size_t len;
const char *hostname;
hostname = server ? server->host : "";
do {
len = sizeof name - 1;
ret = gnutls_x509_crt_get_subject_alt_name(cert, seq, name, &len,
&critical);
switch (ret) {
case GNUTLS_SAN_DNSNAME:
name[len] = '\0';
if (identity && !found) *identity = ne_strdup(name);
match = ne__ssl_match_hostname(name, len, hostname);
found = 1;
break;
case GNUTLS_SAN_IPADDRESS: {
ne_inet_addr *ia;
if (len == 4)
ia = ne_iaddr_make(ne_iaddr_ipv4, (unsigned char *)name);
else if (len == 16)
ia = ne_iaddr_make(ne_iaddr_ipv6, (unsigned char *)name);
else
ia = NULL;
if (ia) {
char buf[128];
match = strcmp(hostname,
ne_iaddr_print(ia, buf, sizeof buf)) == 0;
if (identity) *identity = ne_strdup(buf);
found = 1;
ne_iaddr_free(ia);
} else {
NE_DEBUG(NE_DBG_SSL, "iPAddress name with unsupported "
"address type (length %" NE_FMT_SIZE_T "), skipped.\n",
len);
}
} break;
case GNUTLS_SAN_URI: {
ne_uri uri;
name[len] = '\0';
if (ne_uri_parse(name, &uri) == 0 && uri.host && uri.scheme) {
ne_uri tmp;
if (identity && !found) *identity = ne_strdup(name);
found = 1;
if (server) {
/* For comparison purposes, all that matters is
* host, scheme and port; ignore the rest. */
memset(&tmp, 0, sizeof tmp);
tmp.host = uri.host;
tmp.scheme = uri.scheme;
tmp.port = uri.port;
match = ne_uri_cmp(server, &tmp) == 0;
}
}
ne_uri_free(&uri);
} break;
default:
break;
}
seq++;
} while (!match && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
/* Check against the commonName if no DNS alt. names were found,
* as per RFC3280. */
if (!found) {
seq = oid_find_highest_index(cert, 1, GNUTLS_OID_X520_COMMON_NAME);
if (seq >= 0) {
len = sizeof name;
name[0] = '\0';
ret = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,
seq, 0, name, &len);
if (ret == 0) {
if (identity) *identity = ne_strdup(name);
match = ne__ssl_match_hostname(name, len, hostname);
}
} else {
return -1;
}
}
if (*hostname)
NE_DEBUG(NE_DBG_SSL, "ssl: Identity match for '%s': %s\n", hostname,
match ? "good" : "bad");
return match ? 0 : 1;
}
/* Check certificate identity. Returns zero if identity matches; 1 if
* identity does not match, or <0 if the certificate had no identity.
* If 'identity' is non-NULL, store the malloc-allocated identity in
* *identity. If 'server' is non-NULL, it must be the network address
* of the server in use, and identity must be NULL. */
static int check_identity(const char *hostname, gnutls_x509_crt cert,
char **identity)
{
char name[255];
unsigned int critical;
int ret, seq = 0;
int match = 0, found = 0;
size_t len;
do {
len = sizeof name;
ret = gnutls_x509_crt_get_subject_alt_name(cert, seq, name, &len,
&critical);
switch (ret) {
case GNUTLS_SAN_DNSNAME:
if (identity && !found) *identity = ne_strdup(name);
match = match_hostname(name, hostname);
found = 1;
break;
case GNUTLS_SAN_IPADDRESS: {
ne_inet_addr *ia;
if (len == 4)
ia = ne_iaddr_make(ne_iaddr_ipv4, (unsigned char *)name);
else if (len == 16)
ia = ne_iaddr_make(ne_iaddr_ipv6, (unsigned char *)name);
else
ia = NULL;
if (ia) {
char buf[128];
match = strcmp(hostname,
ne_iaddr_print(ia, buf, sizeof buf)) == 0;
if (identity) *identity = ne_strdup(buf);
found = 1;
ne_iaddr_free(ia);
} else {
NE_DEBUG(NE_DBG_SSL, "iPAddress name with unsupported "
"address type (length %" NE_FMT_SIZE_T "), skipped.\n",
len);
}
} break;
default:
break;
}
seq++;
} while (!match && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
/* Check against the commonName if no DNS alt. names were found,
* as per RFC3280. */
if (!found) {
seq = oid_find_highest_index(cert, 1, GNUTLS_OID_X520_COMMON_NAME);
if (seq >= 0) {
len = sizeof name;
name[0] = '\0';
ret = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,
seq, 0, name, &len);
if (ret == 0) {
if (identity) *identity = ne_strdup(name);
match = match_hostname(name, hostname);
}
} else {
return -1;
}
}
NE_DEBUG(NE_DBG_SSL, "Identity match: %s\n", match ? "good" : "bad");
return match ? 0 : 1;
}
