/* an FQDN will match another FQDN with a trailing . */
void t5(void)
{
struct id a,b;
zero(&a); zero(&b);
printf("t5\n");
atoid("example.com", &a, FALSE);
atoid("example.com.", &b,FALSE);
passert(same_exact_id(&a,&b) == 1);
}
/* an FROMCERT will not match FQDN */
void t6(void)
{
struct id a,b;
zero(&a); zero(&b);
printf("t6\n");
atoid("%fromcert", &a, FALSE);
atoid("example.com", &b,FALSE);
passert(same_exact_id(&a,&b) == 0);
}
struct secret *pick_key(struct secret *host_secrets
, char *idname)
{
struct id id;
struct secret *s;
err_t e;
e = atoid(idname, &id, FALSE);
if(e) {
printf("%s: key '%s' is invalid\n", progname, idname);
exit(4);
}
s = osw_find_secret_by_id(host_secrets, PPK_RSA
, &id, NULL, TRUE /* asymmetric */);
if(s==NULL) {
char abuf[IDTOA_BUF];
idtoa(&id, abuf, IDTOA_BUF);
printf("%s: can not find key: %s (%s)\n", progname, idname, abuf);
exit(5);
}
return s;
}
/*
* Returns true if "user" is a member of "group", else false.
*/
static int
sysgroup_query(const char *user, const char *group, const struct passwd *pwd)
{
char **member;
struct group *grp;
grp = sysgroup_getgrnam(group);
if (grp == NULL && group[0] == '#' && group[1] != '\0') {
const char *errstr;
gid_t gid = atoid(group + 1, NULL, NULL, &errstr);
if (errstr == NULL)
grp = sysgroup_getgrgid(gid);
}
if (grp != NULL) {
if (grp->gr_mem != NULL) {
for (member = grp->gr_mem; *member != NULL; member++) {
if (strcasecmp(user, *member) == 0) {
if (sysgroup_gr_delref)
sysgroup_gr_delref(grp);
return true;
}
}
}
if (sysgroup_gr_delref)
sysgroup_gr_delref(grp);
}
return false;
}
void set_myid(enum myid_state s, char *idstr)
{
if (idstr != NULL) {
struct id id;
err_t ugh = atoid(idstr, &id, FALSE, FALSE);
if (ugh != NULL) {
loglog(RC_BADID, "myid malformed: %s \"%s\"", ugh,
idstr);
} else {
free_id_content(&myids[s]);
unshare_id_content(&id);
myids[s] = id;
if (s == MYID_SPECIFIED)
myid_state = MYID_SPECIFIED;
calc_myid_str(s);
}
}
}
/*
* BSD-compatible getgrouplist(3) using getgrset(3)
*/
int
getgrouplist(const char *name, gid_t basegid, gid_t *groups, int *ngroupsp)
{
char *cp, *grset = NULL;
int i, ngroups = 1;
int grpsize = *ngroupsp;
int rval = -1;
gid_t gid;
/* We support BSD semantics where the first element is the base gid */
if (grpsize <= 0)
return -1;
groups[0] = basegid;
#ifdef HAVE_SETAUTHDB
aix_setauthdb((char *) name);
#endif
if ((grset = getgrset(name)) != NULL) {
const char *errstr;
for (cp = strtok(grset, ","); cp != NULL; cp = strtok(NULL, ",")) {
gid = atoid(cp, NULL, NULL, &errstr);
if (errstr == NULL && gid != basegid) {
if (ngroups == grpsize)
goto done;
groups[ngroups++] = gid;
}
}
}
rval = 0;
done:
free(grset);
#ifdef HAVE_SETAUTHDB
aix_restoreauthdb();
#endif
*ngroupsp = ngroups;
return rval;
}
static void key_add_request(const struct whack_message *msg)
{
struct id keyid;
err_t ugh = atoid(msg->keyid, &keyid, FALSE, FALSE);
if (ugh != NULL) {
loglog(RC_BADID, "bad --keyid \"%s\": %s", msg->keyid, ugh);
} else {
if (!msg->whack_addkey)
delete_public_keys(&pluto_pubkeys, &keyid,
msg->pubkey_alg);
if (msg->keyval.len == 0) {
struct key_add_common *oc =
alloc_thing(struct key_add_common,
"key add common things");
enum key_add_attempt kaa;
/* initialize state shared by queries */
oc->refCount = 0;
oc->whack_fd = dup_any(whack_log_fd);
oc->success = FALSE;
for (kaa = ka_TXT; kaa != ka_roof; kaa++) {
struct key_add_continuation *kc =
alloc_thing(
struct key_add_continuation,
"key add continuation");
oc->diag[kaa] = NULL;
oc->refCount++;
kc->common = oc;
kc->lookingfor = kaa;
switch (kaa) {
case ka_TXT:
ugh = start_adns_query(&keyid,
&keyid, /* same */
ns_t_txt,
key_add_continue,
&kc->ac);
break;
#ifdef USE_KEYRR
case ka_KEY:
ugh = start_adns_query(&keyid,
NULL,
ns_t_key,
key_add_continue,
&kc->ac);
break;
#endif /* USE_KEYRR */
default:
bad_case(kaa); /* suppress gcc warning */
}
if (ugh != NULL) {
oc->diag[kaa] = clone_str(ugh,
"early key add failure");
oc->refCount--;
}
}
/* Done launching queries.
* Handle total failure case.
*/
key_add_merge(oc, &keyid);
} else {
ugh = add_public_key(&keyid, DAL_LOCAL,
msg->pubkey_alg,
&msg->keyval, &pluto_pubkeys);
if (ugh != NULL)
loglog(RC_LOG_SERIOUS, "%s", ugh);
}
}
main(int argc, char *argv[]){
int len;
char *infile;
FILE *idfile;
char idbuf[256];
int lineno = 0;
EF_PROTECT_FREE = 1;
EF_FREE_WIPES = 1;
lsw_init_rootdir("../../../baseconfigs/all");
progname = argv[0];
leak_detective = 1;
if (argc != 3 ) {
fprintf(stderr, "Usage: %s <whackrecord> <idfile>\n",
progname);
exit(10);
}
/* argv[1] == "-r" */
tool_init_log();
infile = argv[1];
readwhackmsg(infile);
idfile = fopen(argv[2], "r");
if (!idfile) {
perror(argv[2]);
exit(11);
}
cur_debugging = DBG_CONTROL | DBG_CONTROLMORE;
while (fgets(idbuf, sizeof(idbuf), idfile) != NULL) {
struct state *st1;
struct connection *nc;
struct id peer_id;
int aggrmode, initiate;
char id1[256];
/* ignore comments */
if (idbuf[0] == '#')
continue;
st1 = new_state();
sscanf(idbuf, "%s %u %u", id1, &initiate, &aggrmode);
/* set it to the first connection, there may be only one?? */
st1->st_connection = connections; /* safe: from new_state */
st1->st_oakley.auth = OAKLEY_RSA_SIG;
passert(connections != NULL);
atoid(id1, &peer_id, TRUE);
nc = refine_host_connection(st1, &peer_id, initiate, aggrmode);
printf("%u: %s -> conn: %s\n", ++lineno, id1,
nc ? nc->name : "<none>");
}
report_leaks();
tool_close_log();
exit(0);
}
void
chord_main(char *conf_file, int parent_sock)
{
fd_set interesting, readable;
int nfound, nfds;
struct in_addr ia;
char id[4*ID_LEN];
FILE *fp;
int64_t stabilize_wait;
struct timeval timeout;
setprogname("chord");
srandom(getpid() ^ time(0));
memset(&srv, 0, sizeof(Server));
srv.to_fix_finger = NFINGERS-1;
fp = fopen(conf_file, "r");
if (fp == NULL)
eprintf("fopen(%s,\"r\") failed:", conf_file);
if (fscanf(fp, "%hd", (short*)&srv.node.port) != 1)
eprintf("Didn't find port in \"%s\"", conf_file);
if (fscanf(fp, " %s\n", id) != 1)
eprintf("Didn't find id in \"%s\"", conf_file);
srv.node.id = atoid(id);
/* Figure out one's own address somehow */
srv.node.addr = ntohl(get_addr());
ia.s_addr = htonl(srv.node.addr);
fprintf(stderr, "Chord started.\n");
fprintf(stderr, "id="); print_id(stderr, &srv.node.id);
fprintf(stderr, "\n");
fprintf(stderr, "ip=%s\n", inet_ntoa(ia));
fprintf(stderr, "port=%d\n", srv.node.port);
initialize(&srv);
srv_ref = &srv;
join(&srv, fp);
fclose(fp);
FD_ZERO(&interesting);
FD_SET(srv.in_sock, &interesting);
FD_SET(parent_sock, &interesting);
nfds = MAX(srv.in_sock, parent_sock) + 1;
NumKeys = read_keys(ACCLIST_FILE, KeyArray, MAX_KEY_NUM);
if (NumKeys == -1) {
printf("Error opening file: %s\n", ACCLIST_FILE);
}
if (NumKeys == 0) {
printf("No key found in %s\n", ACCLIST_FILE);
}
/* Loop on input */
for (;;) {
readable = interesting;
stabilize_wait = (int64_t)(srv.next_stabilize_us - wall_time());
stabilize_wait = MAX(stabilize_wait,0);
timeout.tv_sec = stabilize_wait / 1000000UL;
timeout.tv_usec = stabilize_wait % 1000000UL;
nfound = select(nfds, &readable, NULL, NULL, &timeout);
if (nfound < 0 && errno == EINTR) {
continue;
}
if (nfound == 0) {
stabilize_wait = (int64_t)(srv.next_stabilize_us - wall_time());
if( stabilize_wait <= 0 ) {
stabilize( &srv );
}
continue;
}
if (FD_ISSET(srv.in_sock, &readable)) {
handle_packet(srv.in_sock);
}
else if (FD_ISSET(parent_sock, &readable)) {
handle_packet(parent_sock);
}
else {
assert(0);
}
}
}
int
main(int argc, char *argv[])
{
struct passwd pw, rpw;
size_t len;
FILE *fp;
char line[2048];
char *file_in = NULL, *file_out = NULL;
char *dir_in = NULL, *dir_out = NULL;
const char *errstr;
int state = 0;
int errors = 0;
int tests = 0;
initprogname(argc > 0 ? argv[0] : "check_iolog_path");
if (argc != 2)
usage();
fp = fopen(argv[1], "r");
if (fp == NULL)
fatalx("unable to open %s", argv[1]);
memset(&pw, 0, sizeof(pw));
memset(&rpw, 0, sizeof(rpw));
sudo_user.pw = &pw;
sudo_user._runas_pw = &rpw;
/*
* Input consists of 12 lines:
* sequence number
* user name
* user gid
* runas user name
* runas gid
* hostname [short form]
* command
* dir [with escapes]
* file [with escapes]
* expanded dir
* expanded file
* empty line
*/
while (fgets(line, sizeof(line), fp) != NULL) {
len = strcspn(line, "\n");
line[len] = '\0';
switch (state) {
case 0:
strlcpy(sessid, line, sizeof(sessid));
break;
case 1:
if (user_name != NULL)
free(user_name);
user_name = strdup(line);
break;
case 2:
user_gid = (gid_t)atoid(line, NULL, NULL, &errstr);
if (errstr != NULL)
fatalx("group ID %s: %s", line, errstr);
break;
case 3:
if (runas_pw->pw_name != NULL)
free(runas_pw->pw_name);
runas_pw->pw_name = strdup(line);
break;
case 4:
runas_pw->pw_gid = (gid_t)atoid(line, NULL, NULL, &errstr);
if (errstr != NULL)
fatalx("group ID %s: %s", line, errstr);
break;
case 5:
user_shost = strdup(line);
break;
case 6:
user_base = strdup(line);
break;
case 7:
dir_in = strdup(line);
break;
case 8:
file_in = strdup(line);
break;
case 9:
dir_out = strdup(line);
break;
case 10:
file_out = strdup(line);
break;
case 11:
errors += do_check(dir_in, file_in, dir_out, file_out);
tests++;
break;
default:
fatalx("internal error, invalid state %d", state);
}
state = (state + 1) % MAX_STATE;
}
if (tests != 0) {
printf("iolog_path: %d test%s run, %d errors, %d%% success rate\n",
tests, tests == 1 ? "" : "s", errors,
(tests - errors) * 100 / tests);
}
exit(errors);
}
/* Handle a kernel request. Supposedly, there's a message in
* the kernelsock socket.
*/
void
whack_handle(int whackctlfd)
{
struct whack_message msg;
struct sockaddr_un whackaddr;
int whackaddrlen = sizeof(whackaddr);
int whackfd = accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen);
ssize_t n;
if (whackfd < 0)
{
log_errno((e, "accept() failed in whack_handle()"));
return;
}
n = read(whackfd, &msg, sizeof(msg));
if (n == -1)
{
log_errno((e, "read() failed in whack_handle()"));
close(whackfd);
return;
}
whack_log_fd = whackfd;
/* sanity check message */
{
err_t ugh = NULL;
next_str = msg.string;
str_roof = (char *)&msg + n;
if (next_str > str_roof)
{
ugh = builddiag("truncated message from whack: got %d bytes; expected %d. Message ignored."
, n, (int) sizeof(msg));
}
else if (msg.magic != WHACK_MAGIC)
{
ugh = builddiag("message from whack has bad magic %d; should be %d; probably wrong version. Message ignored"
, msg.magic, WHACK_MAGIC);
}
else if (!unpack_str(&msg.name) /* string 1 */
|| !unpack_str(&msg.left.id) /* string 2 */
|| !unpack_str(&msg.left.cert) /* string 3 */
|| !unpack_str(&msg.left.updown) /* string 4 */
#ifdef VIRTUAL_IP
|| !unpack_str(&msg.left.virt)
#endif
|| !unpack_str(&msg.right.id) /* string 5 */
|| !unpack_str(&msg.right.cert) /* string 6 */
|| !unpack_str(&msg.right.updown) /* string 7 */
#ifdef VIRTUAL_IP
|| !unpack_str(&msg.right.virt)
#endif
|| !unpack_str(&msg.keyid) /* string 8 */
|| !unpack_str(&msg.ike) /* string 9 */
|| !unpack_str(&msg.esp) /* string 10 */
|| !unpack_str(&msg.dnshostname) /* string 11 */
|| str_roof - next_str != (ptrdiff_t)msg.keyval.len) /* check chunk */
{
ugh = "message from whack contains bad string";
}
else
{
msg.keyval.ptr = next_str; /* grab chunk */
}
if (ugh != NULL)
{
loglog(RC_BADWHACKMESSAGE, "%s", ugh);
whack_log_fd = NULL_FD;
close(whackfd);
return;
}
}
if (msg.whack_options)
{
#ifdef DEBUG
if (msg.name == NULL)
{
/* we do a two-step so that if either old or new would
* cause the message to print, it will be printed.
*/
cur_debugging |= msg.debugging;
DBG(DBG_CONTROL
, DBG_log("base debugging = %s"
, bitnamesof(debug_bit_names, msg.debugging)));
cur_debugging = base_debugging = msg.debugging;
}
else if (!msg.whack_connection)
{
struct connection *c = con_by_name(msg.name, TRUE);
if (c != NULL)
{
c->extra_debugging = msg.debugging;
DBG(DBG_CONTROL
, DBG_log("\"%s\" extra_debugging = %s"
, c->name
, bitnamesof(debug_bit_names, c->extra_debugging)));
}
}
#endif
}
/* Deleting combined with adding a connection works as replace.
* To make this more useful, in only this combination,
* delete will silently ignore the lack of the connection.
*/
if (msg.whack_delete)
{
struct connection *c = con_by_name(msg.name, !msg.whack_connection);
/* note: this is a "while" because road warrior
* leads to multiple connections with the same name.
*/
for (; c != NULL; c = con_by_name(msg.name, FALSE))
delete_connection(c);
}
if (msg.whack_deletestate)
{
struct state *st = state_with_serialno(msg.whack_deletestateno);
if (st == NULL)
{
loglog(RC_UNKNOWN_NAME, "no state #%lu to delete"
, msg.whack_deletestateno);
}
else
{
delete_state(st);
}
}
if (msg.whack_connection)
add_connection(&msg);
/* process "listen" before any operation that could require it */
if (msg.whack_listen)
{
log("listening for IKE messages");
listening = TRUE;
find_ifaces();
load_preshared_secrets();
}
if (msg.whack_unlisten)
{
log("no longer listening for IKE messages");
listening = FALSE;
}
if (msg.whack_reread & REREAD_SECRETS)
{
load_preshared_secrets();
}
if (msg.whack_reread & REREAD_MYCERT)
{
load_mycert();
}
if (msg.whack_reread & REREAD_CACERTS)
{
load_cacerts();
}
if (msg.whack_reread & REREAD_CRLS)
{
load_crls();
}
if (msg.whack_list & LIST_PUBKEYS)
{
list_public_keys(msg.whack_utc);
}
if (msg.whack_list & LIST_CERTS)
{
list_certs(msg.whack_utc);
}
if (msg.whack_list & LIST_CACERTS)
{
list_cacerts(msg.whack_utc);
}
if (msg.whack_list & LIST_CRLS)
{
list_crls(msg.whack_utc);
}
if (msg.whack_key)
{
/* add a public key */
struct id keyid;
err_t ugh = atoid(msg.keyid, &keyid);
if (ugh != NULL)
{
loglog(RC_BADID, "bad --keyid \"%s\": %s", msg.keyid, ugh);
}
else
{
if (!msg.whack_addkey)
delete_public_keys(&keyid, msg.pubkey_alg);
if (msg.keyval.len == 0)
{
struct key_add_continuation *kc
= alloc_thing(struct key_add_continuation
, "key add continuation");
int wfd = dup_any(whackfd);
kc->whack_fd = wfd;
ugh = start_adns_query(&keyid
, NULL
, T_KEY
, key_add_continue
, &kc->ac);
if (ugh != NULL)
{
key_add_ugh(&keyid, ugh);
close_any(wfd);
}
}
else
{
ugh = add_public_key(&keyid, DAL_LOCAL, msg.pubkey_alg
, &msg.keyval, &pubkeys);
if (ugh != NULL)
loglog(RC_LOG_SERIOUS, "%s", ugh);
}
}
}
