void envdir(int argc, const char *const *argv) {
const char *dir;
if (! (dir =*++argv)) envdir_usage();
if (! *++argv) envdir_usage();
edir(dir);
pathexec(argv);
fatal2("unable to run", *argv);
}
void envuidgid(int argc, const char *const *argv) {
const char *account;
if (! (account =*++argv)) envuidgid_usage();
if (! *++argv) envuidgid_usage();
euidgid((char*)account, 0);
pathexec(argv);
fatal2("unable to run", *argv);
}
void setlock(int argc, const char *const *argv) {
int opt;
unsigned int delay =0;
unsigned int x =0;
const char *fn;
while ((opt =getopt(argc, argv, "nNxX")) != opteof)
switch(opt) {
case 'n': delay =1; break;
case 'N': delay =0; break;
case 'x': x =1; break;
case 'X': x =0; break;
default: setlock_usage();
}
argv +=optind;
if (! (fn =*argv)) setlock_usage();
if (! *++argv) setlock_usage();
slock(fn, delay, x);
pathexec(argv);
if (! x) fatal2("unable to run", *argv);
_exit(0);
}
void softlimit(int argc, const char *const *argv) {
int opt;
while ((opt =getopt(argc,argv,"a:c:d:f:l:m:o:p:r:s:t:")) != opteof)
switch(opt) {
case '?': softlimit_usage();
case 'a': getlarg(&limita); break;
case 'c': getlarg(&limitc); break;
case 'd': getlarg(&limitd); break;
case 'f': getlarg(&limitf); break;
case 'l': getlarg(&limitl); break;
case 'm': getlarg(&limitd); limits =limitl =limita =limitd; break;
case 'o': getlarg(&limito); break;
case 'p': getlarg(&limitp); break;
case 'r': getlarg(&limitr); break;
case 's': getlarg(&limits); break;
case 't': getlarg(&limitt); break;
}
argv +=optind;
if (!*argv) softlimit_usage();
slimit();
pathexec(argv);
fatal2("unable to run", *argv);
}
void doit(int t) {
int fakev4=0;
int j;
SSL *ssl;
int wstat;
uint32 scope_id;
int sslctl[2];
char *s;
unsigned long tmp_long;
char sslctl_cmd;
stralloc ssl_env = { 0 };
buffer ssl_env_buf;
if (pipe(pi) == -1) strerr_die2sys(111,DROP,"unable to create pipe: ");
if (pipe(po) == -1) strerr_die2sys(111,DROP,"unable to create pipe: ");
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sslctl) == -1) strerr_die2sys(111,DROP,"unable to create socketpair: ");
switch(fork()) {
case -1:
strerr_die2sys(111,DROP,"unable to fork: ");
case 0:
/* Child */
break;
default:
/* Parent */
close(pi[0]); close(po[1]); close(sslctl[1]);
if ((s=env_get("SSL_CHROOT")))
if (chroot(s) == -1)
strerr_die2x(111,DROPSSL,"unable to chroot");
if ((s=env_get("SSL_GID"))) {
scan_ulong(s,&tmp_long);
gid = tmp_long;
}
if (gid) if (prot_gid(gid) == -1) strerr_die2sys(111,DROPSSL,"unable to set gid: ");
if ((s=env_get("SSL_UID"))) {
scan_ulong(s,&tmp_long);
uid = tmp_long;
}
if (uid) if (prot_uid(uid) == -1)
strerr_die2sys(111,DROPSSL,"unable to set uid: ");
/* This will exit on a fatal error or if the client quits
* without activating SSL
*/
sslctl_cmd = ucspitls_master_wait_for_activation(sslctl[0]);
/* If we got here, SSL must have been activated */
ssl = ssl_new(ctx,t);
if (!ssl) strerr_die2x(111,DROP,"unable to create SSL instance");
if (ndelay_on(t) == -1)
strerr_die2sys(111,DROP,"unable to set socket options: ");
if (ssl_timeoutaccept(ssl,ssltimeout) == -1)
strerr_die3x(111,DROP,"unable to accept SSL: ",ssl_error_str(ssl_errno));
if (verbosity >= 2) {
strnum[fmt_ulong(strnum,getpid())] = 0;
strerr_warn3("sslserver: ssl ",strnum," accept ",0);
}
if (flagclientcert) {
switch(ssl_verify(ssl,verifyhost)) {
case -1:
strerr_die2x(111,DROP,"unable to verify client certificate");
case -2:
strerr_die2x(111,DROP,"no client certificate");
case -3:
strerr_die2x(111,DROP,"client name does not match certificate");
default: break;
}
}
if (sslctl_cmd == 'Y') {
ssl_server_env(ssl, &ssl_env);
stralloc_0(&ssl_env); /* Add another NUL */
buffer_init(&ssl_env_buf,buffer_unixwrite,sslctl[0],NULL,0);
if (buffer_putflush(&ssl_env_buf, ssl_env.s, ssl_env.len) == -1) {
strerr_die2sys(111, FATAL, "unable to write SSL environment: ");
}
} else if (sslctl_cmd != 'y') {
strerr_die2x(111,DROP,"Protocol error on SSL control descriptor: invalid command character read");
}
if (close(sslctl[0]) != 0) {
strerr_die2sys(111, DROP, "Error closing SSL control socket: ");
}
if (ssl_io(ssl,pi[1],po[0],io_opt) != 0)
strerr_die3x(111,DROP,"unable to speak SSL: ",ssl_error_str(ssl_errno));
if (wait_nohang(&wstat) > 0)
_exit(wait_exitcode(wstat));
ssl_close(ssl);
_exit(0);
}
/* Child-only below this point */
if (close(sslctl[0]) != 0) {
strerr_die2sys(111, DROP, "Error closing SSL control socket: ");
}
if (!forcev6 && ip6_isv4mapped(remoteip))
fakev4=1;
if (fakev4)
remoteipstr[ip4_fmt(remoteipstr,remoteip+12)] = 0;
else
remoteipstr[ip6_fmt(remoteipstr,remoteip)] = 0;
if (verbosity >= 2) {
strnum[fmt_ulong(strnum,getpid())] = 0;
strerr_warn4("sslserver: pid ",strnum," from ",remoteipstr,0);
}
if (socket_local6(t,localip,&localport,&scope_id) == -1)
strerr_die2sys(111,DROP,"unable to get local address: ");
if (fakev4)
localipstr[ip4_fmt(localipstr,localip+12)] = 0;
else
localipstr[ip6_fmt(localipstr,localip)] = 0;
remoteportstr[fmt_ulong(remoteportstr,remoteport)] = 0;
if (!localhost)
if (dns_name6(&localhostsa,localip) == 0)
if (localhostsa.len) {
if (!stralloc_0(&localhostsa)) drop_nomem();
localhost = localhostsa.s;
}
env("PROTO",fakev4?"SSL":"SSL6");
env("SSLLOCALIP",localipstr);
env("SSL6LOCALIP",localipstr);
env("SSLLOCALPORT",localportstr);
env("SSL6LOCALPORT",localportstr);
env("SSLLOCALHOST",localhost);
env("SSL6LOCALHOST",localhost);
if (!fakev4 && scope_id)
env("SSL6INTERFACE",socket_getifname(scope_id));
if (flagtcpenv) {
env("TCPLOCALIP",localipstr);
env("TCP6LOCALIP",localipstr);
env("TCPLOCALPORT",localportstr);
env("TCP6LOCALPORT",localportstr);
env("TCPLOCALHOST",localhost);
env("TCP6LOCALHOST",localhost);
if (!fakev4 && scope_id)
env("TCP6INTERFACE",socket_getifname(scope_id));
}
if (flagremotehost)
if (dns_name6(&remotehostsa,remoteip) == 0)
if (remotehostsa.len) {
if (flagparanoid) {
verifyhost = remoteipstr;
if (dns_ip6(&tmp,&remotehostsa) == 0)
for (j = 0;j + 16 <= tmp.len;j += 16)
if (byte_equal(remoteip,16,tmp.s + j)) {
flagparanoid = 0;
break;
}
}
if (!flagparanoid) {
if (!stralloc_0(&remotehostsa)) drop_nomem();
remotehost = remotehostsa.s;
verifyhost = remotehostsa.s;
}
}
env("SSLREMOTEIP",remoteipstr);
env("SSL6REMOTEIP",remoteipstr);
remoteipstr[ip6_fmt(remoteipstr,remoteip)]=0;
env("SSLREMOTEPORT",remoteportstr);
env("SSL6REMOTEPORT",remoteportstr);
env("SSLREMOTEHOST",remotehost);
env("SSL6REMOTEHOST",remotehost);
if (flagtcpenv) {
env("TCPREMOTEIP",remoteipstr);
env("TCP6REMOTEIP",remoteipstr);
env("TCPREMOTEPORT",remoteportstr);
env("TCP6REMOTEPORT",remoteportstr);
env("TCPREMOTEHOST",remotehost);
env("TCP6REMOTEHOST",remotehost);
}
if (flagremoteinfo) {
if (remoteinfo6(&tcpremoteinfo,remoteip,remoteport,localip,localport,timeout,netif) == -1)
flagremoteinfo = 0;
if (!stralloc_0(&tcpremoteinfo)) drop_nomem();
}
env("SSLREMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0);
env("SSL6REMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0);
if (flagtcpenv) {
env("TCPREMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0);
env("TCP6REMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0);
}
if (fnrules) {
int fdrules;
fdrules = open_read(fnrules);
if (fdrules == -1) {
if (errno != error_noent) drop_rules();
if (!flagallownorules) drop_rules();
}
else {
int fakev4=0;
char* temp;
if (!forcev6 && ip6_isv4mapped(remoteip))
fakev4=1;
if (fakev4)
temp=remoteipstr+7;
else
temp=remoteipstr;
if (rules(found,fdrules,temp,remotehost,flagremoteinfo ? tcpremoteinfo.s : 0) == -1) drop_rules();
close(fdrules);
}
}
if (verbosity >= 2) {
strnum[fmt_ulong(strnum,getpid())] = 0;
if (!stralloc_copys(&tmp,"sslserver: ")) drop_nomem();
safecats(flagdeny ? "deny" : "ok");
cats(" "); safecats(strnum);
cats(" "); if (localhost) safecats(localhost);
cats(":"); safecats(localipstr);
cats(":"); safecats(localportstr);
cats(" "); if (remotehost) safecats(remotehost);
cats(":"); safecats(remoteipstr);
cats(":"); if (flagremoteinfo) safecats(tcpremoteinfo.s);
cats(":"); safecats(remoteportstr);
cats("\n");
buffer_putflush(buffer_2,tmp.s,tmp.len);
}
if (flagdeny) _exit(100);
if (gid) if (prot_gid(gid) == -1)
strerr_die2sys(111,FATAL,"unable to set gid: ");
if (uid) if (prot_uid(uid) == -1)
strerr_die2sys(111,FATAL,"unable to set uid: ");
close(pi[1]); close(po[0]);
sig_uncatch(sig_child);
sig_unblock(sig_child);
sig_uncatch(sig_term);
sig_uncatch(sig_pipe);
if (fcntl(sslctl[1],F_SETFD,0) == -1)
strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag");
strnum[fmt_ulong(strnum,sslctl[1])]=0;
setenv("SSLCTLFD",strnum,1);
if (fcntl(pi[0],F_SETFD,0) == -1)
strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag");
strnum[fmt_ulong(strnum,pi[0])]=0;
setenv("SSLREADFD",strnum,1);
if (fcntl(po[1],F_SETFD,0) == -1)
strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag");
strnum[fmt_ulong(strnum,po[1])]=0;
setenv("SSLWRITEFD",strnum,1);
if (flagsslwait) {
if (fd_copy(0,t) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 0: ");
if (fd_copy(1,t) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 1: ");
} else {
if (fd_move(0,pi[0]) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 0: ");
if (fd_move(1,po[1]) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 1: ");
}
if (flagkillopts)
socket_ipoptionskill(t);
if (!flagdelay)
socket_tcpnodelay(t);
if (*banner) {
buffer_init(&b,buffer_unixwrite,1,bspace,sizeof bspace);
if (buffer_putsflush(&b,banner) == -1)
strerr_die2sys(111,DROP,"unable to print banner: ");
}
if (!flagsslwait) {
strnum[fmt_ulong(strnum,flagsslenv)] = 0;
strerr_warn2("flagsslenv: ", strnum, 0);
ucspitls(flagsslenv,0,1);
}
pathexec(prog);
strerr_die4sys(111,DROP,"unable to run ",*prog,": ");
}
void doit(int t) {
int j;
SSL *ssl;
int wstat;
int sslctl[2];
char *s;
unsigned long tmp_long;
char ssl_cmd;
stralloc ssl_env = { 0 };
int bytesleft;
char envbuf[8192];
int childpid;
if (pipe(pi) == -1) strerr_die2sys(111,DROP,"unable to create pipe: ");
if (pipe(po) == -1) strerr_die2sys(111,DROP,"unable to create pipe: ");
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sslctl) == -1) strerr_die2sys(111,DROP,"unable to create socketpair: ");
if ((j = ip_fmt(&remoteipsa,&remoteaddr)))
strerr_die3x(111,DROP,"unable to print remote ip",gai_strerror(j));
if (flagremotehost) {
if (dns_name(&remotehostsa,&remoteaddr) == 0)
if (remotehostsa.len) {
if (flagparanoid) {
struct addrinfo *reverse, hints = {0};
verifyhost = remoteipsa.s;
hints.ai_family = remoteaddr.sa4.sin_family;
if (remoteaddr.sa6.sin6_family == AF_INET6) {
hints.ai_flags = AI_V4MAPPED | AI_ALL;
}
if (getaddrinfo(remotehostsa.s, NULL, &hints, &reverse) == 0) {
hints.ai_next = reverse;
while (hints.ai_next) {
if (hints.ai_next->ai_family == AF_INET
&& remoteaddr.sa4.sin_family == AF_INET
&& byte_equal(&remoteaddr.sa4.sin_addr, 4, &((struct sockaddr_in*) hints.ai_next->ai_addr)->sin_addr)
|| hints.ai_next->ai_family == AF_INET6
&& remoteaddr.sa6.sin6_family == AF_INET6
&& byte_equal(remoteaddr.sa6.sin6_addr.s6_addr, 16,
&((struct sockaddr_in6*) hints.ai_next->ai_addr)->sin6_addr.s6_addr)) {
flagparanoid = 0;
break;
}
hints.ai_next = hints.ai_next->ai_next;
}
freeaddrinfo(reverse);
}
}
if (!flagparanoid) {
remotehost = remotehostsa.s;
verifyhost = remotehostsa.s;
}
}
}
switch(childpid=fork()) {
case -1:
strerr_die2sys(111,DROP,"unable to fork: ");
case 0:
/* Child */
close(sslctl[0]);
break;
default:
/* Parent */
close(pi[0]); close(po[1]); close(sslctl[1]);
if ((s=env_get("SSL_CHROOT")))
if (chroot(s) == -1) {
kill(childpid, SIGTERM);
strerr_die2x(111,DROP,"unable to chroot");
}
if ((s=env_get("SSL_GID"))) {
scan_ulong(s,&tmp_long);
gid = tmp_long;
}
if (gid) if (prot_gid(gid) == -1) {
kill(childpid, SIGTERM);
strerr_die2sys(111,FATAL,"unable to set gid: ");
}
if ((s=env_get("SSL_UID"))) {
scan_ulong(s,&tmp_long);
uid = tmp_long;
}
if (uid)
if (prot_uid(uid) == -1) {
kill(childpid, SIGTERM);
strerr_die2sys(111,FATAL,"unable to set uid: ");
}
/* Read the TLS command socket. This will block until/unless
* TLS is requested.
*/
if (read(sslctl[0],&ssl_cmd,1) == 1) {
ssl = ssl_new(ctx,t);
if (!ssl) {
kill(childpid, SIGTERM);
strerr_die2x(111,DROP,"unable to create SSL instance");
}
if (ndelay_on(t) == -1) {
kill(childpid, SIGTERM);
strerr_die2sys(111,DROP,"unable to set socket options: ");
}
if (ssl_timeoutaccept(ssl,ssltimeout) == -1) {
kill(childpid, SIGTERM);
strerr_die3x(111,DROP,"unable to accept SSL: ",ssl_error_str(ssl_errno));
}
}
if (verbosity >= 2) {
strnum[fmt_ulong(strnum,getpid())] = 0;
strerr_warn3("sslserver: ssl ",strnum," accept ",0);
}
if (flagclientcert) {
switch(ssl_verify(ssl,verifyhost)) {
case -1:
kill(childpid, SIGTERM);
strerr_die2x(111,DROP,"unable to verify client certificate");
case -2:
kill(childpid, SIGTERM);
strerr_die2x(111,DROP,"no client certificate");
case -3:
kill(childpid, SIGTERM);
strerr_die3x(111,DROP,"certificate name does not match client fqdn: ",verifyhost);
default: break;
}
}
if (ssl_cmd == 'Y') {
ssl_server_env(ssl, &ssl_env);
if(!stralloc_0(&ssl_env)) drop_nomem(); /* Add another NUL */
env("SSLCTL",ssl_env.s);
for(bytesleft = ssl_env.len; bytesleft>0; bytesleft-=j)
if ( (j=write(sslctl[0], ssl_env.s, bytesleft)) < 0) {
kill(childpid, SIGTERM);
strerr_die2sys(111, FATAL, "unable to write SSL environment: ");
}
}
if (ssl_cmd == 'Y' || ssl_cmd == 'y') {
if (ssl_io(ssl,pi[1],po[0],progtimeout) != 0) {
kill(childpid, SIGTERM);
strerr_die3x(111,DROP,"unable to speak SSL: ",ssl_error_str(ssl_errno));
}
if (wait_nohang(&wstat) > 0)
_exit(wait_exitcode(wstat));
ssl_close(ssl);
}
kill(childpid, SIGTERM);
_exit(0);
}
/* Child-only below this point */
if (verbosity >= 2) {
strnum[fmt_ulong(strnum,getpid())] = 0;
strerr_warn4("sslserver: pid ",strnum," from ",remoteipsa.s,0);
}
if (socket_local(t,&localaddr,&localport) == -1)
strerr_die2sys(111,DROP,"unable to get local address: ");
if ((j = ip_fmt(&localipsa,&localaddr)))
strerr_die3x(111,DROP,"unable to print local address: ",gai_strerror(j));
remoteportstr[fmt_ulong(remoteportstr,remoteport)] = 0;
if (!localhost)
if (dns_name(&localhostsa,&localaddr) == 0)
if (localhostsa.len) {
if (!stralloc_0(&localhostsa)) drop_nomem();
localhost = localhostsa.s;
}
/* If remoteipsa.s contain ':' colon character will assume it is IPv6 */
if (byte_chr(remoteipsa.s, remoteipsa.len, ':') < remoteipsa.len)
env("PROTO","SSL6");
else
env("PROTO","SSL");
env("SSLLOCALIP",localipsa.s);
env("SSLLOCALPORT",localportstr);
env("SSLLOCALHOST",localhost);
if (flagtcpenv) {
env("TCPLOCALIP",localipsa.s);
env("TCPLOCALPORT",localportstr);
env("TCPLOCALHOST",localhost);
}
env("SSLREMOTEIP",remoteipsa.s);
env("SSLREMOTEPORT",remoteportstr);
env("SSLREMOTEHOST",remotehost);
if (flagtcpenv) {
env("TCPREMOTEIP",remoteipsa.s);
env("TCPREMOTEPORT",remoteportstr);
env("TCPREMOTEHOST",remotehost);
}
if (flagremoteinfo) {
if (remoteinfo(&tcpremoteinfo,&remoteaddr,&localaddr,timeout) == -1)
flagremoteinfo = 0;
if (!stralloc_0(&tcpremoteinfo)) drop_nomem();
}
env("SSLREMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0);
if (flagtcpenv)
env("TCPREMOTEINFO",flagremoteinfo ? tcpremoteinfo.s : 0);
if (fnrules) {
int fdrules;
fdrules = open_read(fnrules);
if (fdrules == -1) {
if (errno != error_noent) drop_rules();
if (!flagallownorules) drop_rules();
}
else {
if (rules(found,fdrules,&remoteaddr,remotehost,flagremoteinfo ? tcpremoteinfo.s : 0) == -1)
drop_rules();
close(fdrules);
}
}
if (verbosity >= 2) {
strnum[fmt_ulong(strnum,getpid())] = 0;
if (!stralloc_copys(&tmp,"sslserver: ")) drop_nomem();
safecats(flagdeny ? "deny" : "ok");
cats(" "); safecats(strnum);
cats(" "); if (localhost) safecats(localhost);
cats(":"); safecats(localipsa.s);
cats(":"); safecats(localportstr);
cats(" "); if (remotehost) safecats(remotehost);
cats(":"); safecats(remoteipsa.s);
cats(":"); if (flagremoteinfo) safecats(tcpremoteinfo.s);
cats(":"); safecats(remoteportstr);
cats("\n");
buffer_putflush(buffer_2,tmp.s,tmp.len);
}
if (flagdeny) _exit(100);
if (gid) if (prot_gid(gid) == -1)
strerr_die2sys(111,FATAL,"unable to set gid: ");
if (uid) if (prot_uid(uid) == -1)
strerr_die2sys(111,FATAL,"unable to set uid: ");
close(pi[1]); close(po[0]); close(sslctl[0]);
sig_uncatch(sig_child);
sig_unblock(sig_child);
sig_uncatch(sig_term);
sig_uncatch(sig_pipe);
if (fcntl(sslctl[1],F_SETFD,0) == -1)
strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag");
strnum[fmt_ulong(strnum,sslctl[1])]=0;
env("SSLCTLFD",strnum);
if (fcntl(pi[0],F_SETFD,0) == -1)
strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag");
strnum[fmt_ulong(strnum,pi[0])]=0;
env("SSLREADFD",strnum);
if (fcntl(po[1],F_SETFD,0) == -1)
strerr_die2sys(111,FATAL,"unable to clear close-on-exec flag");
strnum[fmt_ulong(strnum,po[1])]=0;
env("SSLWRITEFD",strnum);
if (flagsslwait) {
if (fd_copy(0,t) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 0: ");
if (fd_copy(1,t) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 1: ");
} else {
if (fd_move(0,pi[0]) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 0: ");
if (fd_move(1,po[1]) == -1)
strerr_die2sys(111,DROP,"unable to set up descriptor 1: ");
}
if (flagkillopts)
socket_ipoptionskill(t);
if (!flagdelay)
socket_tcpnodelay(t);
if (*banner) {
buffer_init(&b,buffer_unixwrite,1,bspace,sizeof bspace);
if (buffer_putsflush(&b,banner) == -1)
strerr_die2sys(111,DROP,"unable to print banner: ");
}
if (!flagsslwait) {
ssl_cmd = flagsslenv ? 'Y' : 'y';
if (write(sslctl[1], &ssl_cmd, 1) < 1)
strerr_die2sys(111,DROP,"unable to start SSL: ");
if (flagsslenv) {
while ((j=read(sslctl[1],envbuf,8192)) > 0) {
stralloc_catb(&ssl_env,envbuf,j);
if (ssl_env.len >= 2 && ssl_env.s[ssl_env.len-2]==0 && ssl_env.s[ssl_env.len-1]==0)
break;
}
if (j < 0)
strerr_die2sys(111,DROP,"unable to read SSL environment: ");
pathexec_multienv(&ssl_env);
}
}
pathexec(prog);
strerr_die4sys(111,DROP,"unable to run ",*prog,": ");
}
main(int argc,char **argv)
{
int fakev4=0;
unsigned long u;
int opt;
char *x;
int j;
int s;
int cloop;
dns_random_init(seed);
close(6);
close(7);
sig_ignore(sig_pipe);
while ((opt = getopt(argc,argv,"46dDvqQhHrRi:p:t:T:l:I:")) != opteof)
switch(opt) {
case '4': noipv6 = 1; break;
case '6': forcev6 = 1; break;
case 'd': flagdelay = 1; break;
case 'D': flagdelay = 0; break;
case 'v': verbosity = 2; break;
case 'q': verbosity = 0; break;
case 'Q': verbosity = 1; break;
case 'l': forcelocal = optarg; break;
case 'H': flagremotehost = 0; break;
case 'h': flagremotehost = 1; break;
case 'R': flagremoteinfo = 0; break;
case 'r': flagremoteinfo = 1; break;
case 't': scan_ulong(optarg,&itimeout); break;
case 'T': j = scan_ulong(optarg,&ctimeout[0]);
if (optarg[j] == '+') ++j;
scan_ulong(optarg + j,&ctimeout[1]);
break;
case 'i': if (!scan_ip6(optarg,iplocal)) usage(); break;
case 'I': netif=socket_getifidx(optarg); break;
case 'p': scan_ulong(optarg,&u); portlocal = u; break;
default: usage();
}
argv += optind;
if (!verbosity)
buffer_2->fd = -1;
hostname = *argv;
if (!hostname) usage();
if (!hostname[0] || str_equal(hostname,"0"))
hostname = (noipv6?"127.0.0.1":"::1");
x = *++argv;
if (!x) usage();
if (!x[scan_ulong(x,&u)])
portremote = u;
else {
struct servent *se;
se = getservbyname(x,"tcp");
if (!se)
strerr_die3x(111,FATAL,"unable to figure out port number for ",x);
portremote = ntohs(se->s_port);
/* i continue to be amazed at the stupidity of the s_port interface */
}
if (!*++argv) usage();
if (!stralloc_copys(&tmp,hostname)) nomem();
if (dns_ip6_qualify(&addresses,&fqdn,&tmp) == -1)
strerr_die4sys(111,FATAL,"temporarily unable to figure out IP address for ",hostname,": ");
if (addresses.len < 16)
strerr_die3x(111,FATAL,"no IP address for ",hostname);
if (addresses.len == 16) {
ctimeout[0] += ctimeout[1];
ctimeout[1] = 0;
}
for (cloop = 0;cloop < 2;++cloop) {
if (!stralloc_copys(&moreaddresses,"")) nomem();
for (j = 0;j + 16 <= addresses.len;j += 4) {
s = socket_tcp6();
if (s == -1)
strerr_die2sys(111,FATAL,"unable to create socket: ");
if (socket_bind6(s,iplocal,portlocal,netif) == -1)
strerr_die2sys(111,FATAL,"unable to bind socket: ");
if (timeoutconn6(s,addresses.s + j,portremote,ctimeout[cloop],netif) == 0)
goto CONNECTED;
close(s);
if (!cloop && ctimeout[1] && (errno == error_timeout)) {
if (!stralloc_catb(&moreaddresses,addresses.s + j,16)) nomem();
}
else {
strnum[fmt_ulong(strnum,portremote)] = 0;
if (ip6_isv4mapped(addresses.s+j))
ipstr[ip4_fmt(ipstr,addresses.s + j + 12)] = 0;
else
ipstr[ip6_fmt(ipstr,addresses.s + j)] = 0;
strerr_warn5(CONNECT,ipstr," port ",strnum,": ",&strerr_sys);
}
}
if (!stralloc_copy(&addresses,&moreaddresses)) nomem();
}
_exit(111);
CONNECTED:
if (!flagdelay)
socket_tcpnodelay(s); /* if it fails, bummer */
if (socket_local6(s,iplocal,&portlocal,&netif) == -1)
strerr_die2sys(111,FATAL,"unable to get local address: ");
if (!forcev6 && (ip6_isv4mapped(iplocal) || byte_equal(iplocal,16,V6any)))
fakev4=1;
if (!pathexec_env("PROTO",fakev4?"TCP":"TCP6")) nomem();
strnum[fmt_ulong(strnum,portlocal)] = 0;
if (!pathexec_env("TCPLOCALPORT",strnum)) nomem();
if (fakev4)
ipstr[ip4_fmt(ipstr,iplocal+12)] = 0;
else
ipstr[ip6_fmt(ipstr,iplocal)] = 0;
if (!pathexec_env("TCPLOCALIP",ipstr)) nomem();
x = forcelocal;
if (!x)
if (dns_name6(&tmp,iplocal) == 0) {
if (!stralloc_0(&tmp)) nomem();
x = tmp.s;
}
if (!pathexec_env("TCPLOCALHOST",x)) nomem();
if (socket_remote6(s,ipremote,&portremote,&netif) == -1)
strerr_die2sys(111,FATAL,"unable to get remote address: ");
strnum[fmt_ulong(strnum,portremote)] = 0;
if (!pathexec_env("TCPREMOTEPORT",strnum)) nomem();
if (fakev4)
ipstr[ip4_fmt(ipstr,ipremote+12)] = 0;
else
ipstr[ip6_fmt(ipstr,ipremote)] = 0;
if (!pathexec_env("TCPREMOTEIP",ipstr)) nomem();
if (verbosity >= 2)
strerr_warn4("tcpclient: connected to ",ipstr," port ",strnum,0);
x = 0;
if (flagremotehost)
if (dns_name6(&tmp,ipremote) == 0) {
if (!stralloc_0(&tmp)) nomem();
x = tmp.s;
}
if (!pathexec_env("TCPREMOTEHOST",x)) nomem();
x = 0;
if (flagremoteinfo)
if (remoteinfo6(&tmp,ipremote,portremote,iplocal,portlocal,itimeout,netif) == 0) {
if (!stralloc_0(&tmp)) nomem();
x = tmp.s;
}
if (!pathexec_env("TCPREMOTEINFO",x)) nomem();
if (fd_move(6,s) == -1)
strerr_die2sys(111,FATAL,"unable to set up descriptor 6: ");
if (fd_copy(7,6) == -1)
strerr_die2sys(111,FATAL,"unable to set up descriptor 7: ");
sig_uncatch(sig_pipe);
pathexec(argv);
strerr_die4sys(111,FATAL,"unable to run ",*argv,": ");
}
int main (int argc, char const *const *argv, char const *const *envp)
{
unsigned int strict = el_getstrict() ;
unsigned int b = 0 ;
unsigned int n = 0 ;
unsigned int sharp ;
unsigned int i = 0 ;
PROG = "shift" ;
{
subgetopt_t l = SUBGETOPT_ZERO ;
for (;;)
{
register int opt = subgetopt_r(argc, argv, "n:b:", &l) ;
if (opt == -1) break ;
switch (opt)
{
case 'n' :
if (!uint0_scan(l.arg, &n)) dieusage() ;
i = 1 ;
break ;
case 'b' :
if (!uint0_scan(l.arg, &b)) dieusage() ;
i = 1 ;
break ;
default : dieusage() ;
}
}
argc -= l.ind ; argv += l.ind ;
}
if (!argc) dieusage() ;
if (i) i = 0 ; else n = 1 ;
{
char const *x = env_get2(envp, "#") ;
if (!x) strerr_dienotset(100, "#") ;
if (!uint0_scan(x, &sharp)) strerr_dieinvalid(100, "#") ;
}
/* Shift n args */
if (n > sharp)
{
if (strict)
{
char fmtn[UINT_FMT] ;
char fmtsharp[UINT_FMT] ;
fmtn[uint_fmt(fmtn, n)] = 0 ;
fmtsharp[uint_fmt(fmtsharp, sharp)] = 0 ;
if (strict == 1)
strerr_warnwu5x("shift", " ", fmtn, " arguments: got ", fmtsharp) ;
else
strerr_diefu5x(100, "shift", " ", fmtn, " arguments: got ", fmtsharp) ;
}
n = sharp ;
}
/* Shift b blocks */
for (; i < b ; i++)
{
for (;;)
{
char const *x ;
unsigned int base = n ;
char fmt[UINT_FMT] ;
fmt[uint_fmt(fmt, ++n)] = 0 ;
if (n > sharp)
{
char fmti[UINT_FMT] ;
fmti[uint_fmt(fmt, i)] = 0 ;
strerr_diefu6x(100, "shift", " block ", fmti, ": too few arguments (", fmt, ")") ;
}
x = env_get2(envp, fmt) ;
if (!x) strerr_dienotset(100, fmt) ;
if ((x[0] == EXECLINE_BLOCK_END_CHAR) && (!EXECLINE_BLOCK_END_CHAR || !x[1])) break ;
if ((x[0] != EXECLINE_BLOCK_QUOTE_CHAR) && strict)
{
char fmti[UINT_FMT] ;
char fmtp[UINT_FMT] ;
fmti[uint_fmt(fmti, i)] = 0 ;
fmtp[uint_fmt(fmtp, n - base)] = 0 ;
if (strict == 1)
strerr_warnw6x("unquoted positional ", x, " at block ", fmti, " position ", fmtp) ;
else
strerr_dief6x(100, "unquoted positional ", x, " at block ", fmti, " position ", fmtp) ;
}
}
}
/* n = shift value; modify the env */
{
register unsigned int i = 1 ;
char fmt[UINT_FMT] ;
fmt[uint_fmt(fmt, sharp - n)] = 0 ;
if (!pathexec_env("#", fmt)) strerr_diefu1sys(111, "pathexec_env") ;
for (; i <= sharp ; i++)
{
char fmu[UINT_FMT] ;
fmt[uint_fmt(fmt, i)] = 0 ;
fmu[uint_fmt(fmu, i + n)] = 0 ;
if (!pathexec_env(fmt, i <= (sharp - n) ? env_get2(envp, fmu) : 0))
strerr_diefu1sys(111, "pathexec_env") ;
}
}
pathexec(argv) ;
strerr_dieexec(111, argv[0]) ;
}
void pathexec0 (char const *const *argv)
{
if (!argv[0]) _exit(0) ;
pathexec(argv) ;
}
void connection_accept(int c) {
int ac;
const char **run;
const char *args[4];
char *ip =(char*)&socka.sin_addr;
remote_ip[ipsvd_fmt_ip(remote_ip, ip)] =0;
if (verbose) {
out(INFO); out("pid ");
bufnum[fmt_ulong(bufnum, getpid())] =0;
out(bufnum); out(" from "); outfix(remote_ip); flush("\n");
}
remote_port[ipsvd_fmt_port(remote_port, (char*)&socka.sin_port)] =0;
if (lookuphost) {
if (ipsvd_hostname(&remote_hostname, ip, paranoid) == -1)
warn2("unable to look up hostname", remote_ip);
if (! stralloc_0(&remote_hostname)) drop_nomem();
}
socka_size =sizeof(socka);
if (getsockname(c, (struct sockaddr*)&socka, &socka_size) == -1)
drop("unable to get local address");
if (! local_hostname.len) {
if (dns_name4(&local_hostname, (char*)&socka.sin_addr) == -1)
drop("unable to look up local hostname");
if (! stralloc_0(&local_hostname)) die_nomem();
}
local_ip[ipsvd_fmt_ip(local_ip, (char*)&socka.sin_addr)] =0;
if (ucspi) ucspi_env();
if (instructs) {
ac =ipsvd_check(iscdb, &inst, &match, (char*)instructs,
remote_ip, remote_hostname.s, timeout);
if (ac == -1) drop2("unable to check inst", remote_ip);
if (ac == IPSVD_ERR) drop2("unable to read", (char*)instructs);
}
else ac =IPSVD_DEFAULT;
if (phccmax) {
if (phcc > phccmax) {
ac =IPSVD_DENY;
if (phccmsg) {
ndelay_on(c);
if (write(c, phccmsg, str_len(phccmsg)) == -1)
warn("unable to write concurrency message");
}
}
if (verbose) {
bufnum[fmt_ulong(bufnum, getpid())] =0;
out(INFO); out("concurrency "); out(bufnum); out(" ");
outfix(remote_ip); out(" ");
bufnum[fmt_ulong(bufnum, phcc)] =0;
out(bufnum); out("/");
bufnum[fmt_ulong(bufnum, phccmax)] =0;
out(bufnum); out("\n");
}
}
if (verbose) {
out(INFO);
switch(ac) {
case IPSVD_DENY: out("deny "); break;
case IPSVD_DEFAULT: case IPSVD_INSTRUCT: out("start "); break;
case IPSVD_EXEC: out("exec "); break;
}
bufnum[fmt_ulong(bufnum, getpid())] =0;
out(bufnum); out(" ");
outfix(local_hostname.s); out(":"); out(local_ip);
out(" :"); outfix(remote_hostname.s); out(":");
outfix(remote_ip); out(":"); outfix(remote_port);
if (instructs) {
out(" ");
if (iscdb) {
out((char*)instructs); out("/");
}
outfix(match.s);
if(inst.s && inst.len && (verbose > 1)) {
out(": "); outinst(&inst);
}
}
flush("\n");
}
if (ac == IPSVD_DENY) {
close(c);
_exit(100);
}
if (ac == IPSVD_EXEC) {
args[0] ="/bin/sh"; args[1] ="-c"; args[2] =inst.s; args[3] =0;
run =args;
}
else run =prog;
if ((fd_move(0, c) == -1) || (fd_copy(1, 0) == -1))
drop("unable to set filedescriptor");
sig_uncatch(sig_term);
sig_uncatch(sig_pipe);
sig_uncatch(sig_child);
sig_unblock(sig_child);
#ifdef SSLSVD
pid =getpid();
id[fmt_ulong(id, pid)] =0;
ssl_io(0, run);
#else
pathexec(run);
#endif
drop2("unable to run", (char *)*prog);
}
int main(int argc,char **argv)
{
char *hostname;
// char *portname;
int opt;
struct servent *se;
char *x;
unsigned long u;
int s;
int t;
while ((opt = getopt(argc,argv,"4dDvqQhHrR1UXx:t:u:g:l:b:B:c:I:pPoO")) != opteof)
switch(opt) {
case 'b': scan_ulong(optarg,&backlog); break;
case 'c': scan_ulong(optarg,&limit); break;
case 'X': flagallownorules = 1; break;
case 'x': fnrules = optarg; break;
case 'B': banner = optarg; break;
case 'd': flagdelay = 1; break;
case 'D': flagdelay = 0; break;
case 'v': verbosity = 2; break;
case 'q': verbosity = 0; break;
case 'Q': verbosity = 1; break;
case 'P': flagparanoid = 0; break;
case 'p': flagparanoid = 1; break;
case 'O': flagkillopts = 1; break;
case 'o': flagkillopts = 0; break;
case 'H': flagremotehost = 0; break;
case 'h': flagremotehost = 1; break;
// case 'R': flagremoteinfo = 0; break;
case 'r': flagremoteinfo = 1; break;
case 't': scan_ulong(optarg,&timeout); break;
case 'U': x = env_get("UID"); if (x) scan_ulong(x,&uid);
x = env_get("GID"); if (x) scan_ulong(x,&gid); break;
case 'u': scan_ulong(optarg,&uid); break;
case 'g': scan_ulong(optarg,&gid); break;
case 'I': netif=socket_getifidx(optarg); break;
case '1': flag1 = 1; break;
// case '4': noipv6 = 1; break;
case '4': ipv4socket = 1; break;
// case '6': forcev6 = 1; break;
case 'l': localhost = optarg; break;
default: usage();
}
argc -= optind;
argv += optind;
if (!verbosity)
buffer_2->fd = -1;
hostname = *argv++;
if (!hostname) usage();
if (str_equal(hostname,"")) hostname = "0";
x = *argv++;
if (!x) usage();
if (!x[scan_ulong(x,&u)])
localport = u;
else {
se = getservbyname(x,"tcp");
if (!se)
errint(EHARD,B("unable to figure out port number for ",x));
uint16_unpack_big((char*)&se->s_port,&localport);
}
if (!*argv) usage();
sig_block(sig_child);
sig_catch(sig_child,sigchld);
sig_catch(sig_term,sigterm);
sig_ignore(sig_pipe);
if (str_equal(hostname,"0")) {
byte_zero(localip,sizeof localip);
} else {
if (!stralloc_copys(&tmp,hostname)) errmem;
if (dns_ip6_qualify(&addresses,&fqdn,&tmp) == -1)
errint(EHARD,B("temporarily unable to figure out IP address for ",hostname,": "));
if (addresses.len < 16)
errint(EHARD,B("no IP address for ",hostname));
byte_copy(localip,16,addresses.s);
if (ip6_isv4mapped(localip))
ipv4socket = 1;
}
s = socket_tcp();
if (s == -1)
errint(EHARD,"unable to create socket: ");
if (socket_bind_reuse(s,localip,localport,netif) == -1)
errint(EHARD,"unable to bind: ");
if (!ipv4socket) ipv4socket = ip6_isv4mapped(localip);
if (socket_local(s,localip,&localport,&netif) == -1)
errint(EHARD,"unable to get local address: ");
if (socket_listen(s,backlog) == -1)
errint(EHARD,"unable to listen: ");
ndelay_off(s);
if (gid) if (prot_gid(gid) == -1)
errint(EHARD,"unable to set gid: ");
if (uid) if (prot_uid(uid) == -1)
errint(EHARD,"unable to set uid: ");
localportstr[fmt_ulong(localportstr,localport)] = 0;
if (flag1) {
buffer_init(&b,write,1,bspace,sizeof bspace);
buffer_puts(&b,localportstr);
buffer_puts(&b,"\n");
buffer_flush(&b);
}
close(0);
close(1);
printstatus();
for (;;) {
while (numchildren >= limit) sig_pause();
sig_unblock(sig_child);
t = socket_accept(s,remoteip,&remoteport,&netif);
sig_block(sig_child);
if (t == -1) continue;
++numchildren; printstatus();
switch(fork()) {
case 0:
close(s);
doit(t);
if ((fd_move(0,t) == -1) || (fd_copy(1,0) == -1))
errint(EHARD,"unable to set up descriptors: ");
sig_uncatch(sig_child);
sig_unblock(sig_child);
sig_uncatch(sig_term);
sig_uncatch(sig_pipe);
pathexec(argv);
errint(EHARD,B("unable to run ",*argv,": "));
case -1:
errlog(ESOFT,NOTICE,"unable to fork: ");
--numchildren; printstatus();
}
close(t);
}
}
void pgrphack(int argc, const char *const *argv) {
if (! *++argv) pgrphack_usage();
setsid();
pathexec(argv);
fatal2("unable to run", *argv);
}
int ssl_io(unsigned int newsession, const char **prog) {
if (client) { fdstdin =6; fdstdou =7; }
bad_certificate = env_get("SSLIO_BAD_CERTIFICATE");
if ((s =env_get("SSLIO_BUFIN"))) scan_ulong(s, &bufsizein);
if ((s =env_get("SSLIO_BUFOU"))) scan_ulong(s, &bufsizeou);
if (bufsizein < 64) bufsizein =64;
if (bufsizeou < 64) bufsizeou =64;
if ((s =env_get("SSLIO_HANDSHAKE_TIMEOUT")))
scan_ulong(s, &handshake_timeout);
if (handshake_timeout < 1) handshake_timeout =1;
if (pipe(encpipe) == -1) fatalm("unable to create pipe for encoding");
if (pipe(decpipe) == -1) fatalm("unable to create pipe for decoding");
if ((pid =fork()) == -1) fatalm("unable to fork");
if (pid == 0) {
if (close(encpipe[1]) == -1)
fatalm("unable to close encoding pipe output");
if (close(decpipe[0]) == -1)
fatalm("unable to close decoding pipe input");
if (newsession) if (matrixSslOpen() < 0) fatalm("unable to initialize ssl");
if (root) {
if (chdir(root) == -1) fatalm("unable to change to new root directory");
if (chroot(".") == -1) fatalm("unable to chroot");
}
if (ssluser) {
/* drop permissions */
if (setgroups(sslugid.gids, sslugid.gid) == -1)
fatal("unable to set groups");
if (setgid(*sslugid.gid) == -1) fatal("unable to set gid");
if (prot_uid(sslugid.uid) == -1) fatalm("unable to set uid");
}
if (newsession) {
if (matrixSslReadKeys(&keys, cert, key, 0, ca) < 0) {
if (client) fatalm("unable to read cert, key, or ca file");
fatalm("unable to read cert or key file");
}
if (matrixSslNewSession(&ssl, keys, 0, client?0:SSL_FLAGS_SERVER) < 0)
fatalmx("unable to create ssl session");
}
if (client)
if (ca || bad_certificate) matrixSslSetCertValidator(ssl, &validate, 0);
sig_catch(sig_term, sig_term_handler);
sig_ignore(sig_pipe);
doio();
finish();
_exit(0);
}
if (close(encpipe[0]) == -1) fatalm("unable to close encoding pipe input");
if (close(decpipe[1]) == -1) fatalm("unable to close decoding pipe output");
if (fd_move(fdstdin, decpipe[0]) == -1)
fatalm("unable to setup filedescriptor for decoding");
if (fd_move(fdstdou, encpipe[1]) == -1)
fatalm("unable to setup filedescriptor for encoding");
sslCloseOsdep();
if (svuser) {
if (setgroups(ugid.gids, ugid.gid) == -1)
fatal("unable to set groups for prog");
if (setgid(*ugid.gid) == -1) fatal("unable to set gid for prog");
if (prot_uid(ugid.uid) == -1) fatalm("unable to set uid for prog");
}
pathexec(prog);
fatalm("unable to run prog");
return(111);
}
int main(int argc,char * const *argv) {
int opt;
const char *path;
mode_t m;
iopause_fd x;
struct taia deadline;
struct taia stamp;
int pid = 0;
char ch;
int wstat;
while ((opt = getopt(argc,argv,"wWdDt:")) != opteof)
switch(opt) {
case 't': scan_uint(optarg,&timeout); break;
case 'w': flagwait = 1; break;
case 'W': flagwait = 0; break;
case 'd': flagdelete = 1; break;
case 'D': flagdelete = 0; break;
default: usage();
}
argv += optind;
path = *argv++;
if (!path) usage();
if (flagdelete) {
m = umask(0);
unlink(path);
fifo_make(path,0666);
umask(m);
}
fdr = open_read(path);
if (fdr == -1)
strerr_die4sys(111,FATAL,"cannot read ",path,": ");
ndelay_on(fdr);
fdw = open_write(path);
if (fdw == -1)
strerr_die4sys(111,FATAL,"cannot write ",path,": ");
if (*argv) {
pid = fork();
switch (pid) {
case 0:
close(fdr); close(fdw);
pathexec(argv);
strerr_die4sys(111,FATAL,"cannot run ",*argv,": ");
case -1:
strerr_die4sys(111,FATAL,"cannot fork ",*argv,": ");
break;
default:
break;
}
}
else
flagwait = 0;
x.fd = fdr;
x.events = IOPAUSE_READ;
taia_now(&stamp);
taia_uint(&deadline,timeout);
taia_add(&deadline,&stamp,&deadline);
for (;;) {
taia_now(&stamp);
iopause(&x,1,&deadline,&stamp);
if (x.revents) {
waiting = 0;
break;
}
if (taia_less(&deadline,&stamp)) {
waiting = 99;
break;
}
}
if (!waiting)
if (read(fdr,&ch,1) != 1)
waiting = 0;
if (flagwait)
if (wait_pid(&wstat,pid) != pid)
strerr_die2x(111,FATAL,"cannot reap child process");
_exit(waiting);
}
