static void
bsd_connect(
const char * hostname,
char * (*conf_fn)(char *, void *),
void (*fn)(void *, security_handle_t *, security_status_t),
void * arg,
void * datap)
{
struct sec_handle *bh;
in_port_t port = 0;
struct timeval sequence_time;
int sequence;
char *handle;
int result;
struct addrinfo *res, *res_addr;
char *canonname;
int result_bind;
char *service;
assert(hostname != NULL);
(void)conf_fn; /* Quiet unused parameter warning */
(void)datap; /* Quiet unused parameter warning */
bh = g_new0(struct sec_handle, 1);
bh->proto_handle=NULL;
security_handleinit(&bh->sech, &bsd_security_driver);
result = resolve_hostname(hostname, SOCK_DGRAM, &res, &canonname);
if(result != 0) {
dbprintf(_("resolve_hostname(%s): %s\n"), hostname, gai_strerror(result));
security_seterror(&bh->sech, _("resolve_hostname(%s): %s\n"), hostname,
gai_strerror(result));
(*fn)(arg, &bh->sech, S_ERROR);
return;
}
if (canonname == NULL) {
dbprintf(_("resolve_hostname(%s) did not return a canonical name\n"), hostname);
security_seterror(&bh->sech,
_("resolve_hostname(%s) did not return a canonical name\n"), hostname);
(*fn)(arg, &bh->sech, S_ERROR);
if (res) freeaddrinfo(res);
return;
}
if (res == NULL) {
dbprintf(_("resolve_hostname(%s): no results\n"), hostname);
security_seterror(&bh->sech,
_("resolve_hostname(%s): no results\n"), hostname);
(*fn)(arg, &bh->sech, S_ERROR);
amfree(canonname);
return;
}
for (res_addr = res; res_addr != NULL; res_addr = res_addr->ai_next) {
#ifdef WORKING_IPV6
/* IPv6 socket already bound */
if (res_addr->ai_addr->sa_family == AF_INET6 && not_init6 == 0) {
break;
}
/*
* Only init the IPv6 socket once
*/
if (res_addr->ai_addr->sa_family == AF_INET6 && not_init6 == 1) {
uid_t euid;
dgram_zero(&netfd6.dgram);
euid = geteuid();
set_root_privs(1);
result_bind = dgram_bind(&netfd6.dgram,
res_addr->ai_addr->sa_family, &port);
set_root_privs(0);
if (result_bind != 0) {
continue;
}
netfd6.handle = NULL;
netfd6.pkt.body = NULL;
netfd6.recv_security_ok = &bsd_recv_security_ok;
netfd6.prefix_packet = &bsd_prefix_packet;
/*
* We must have a reserved port. Bomb if we didn't get one.
*/
if (port >= IPPORT_RESERVED) {
security_seterror(&bh->sech,
_("unable to bind to a reserved port (got port %u)"),
(unsigned int)port);
(*fn)(arg, &bh->sech, S_ERROR);
freeaddrinfo(res);
amfree(canonname);
return;
}
not_init6 = 0;
bh->udp = &netfd6;
break;
}
#endif
/* IPv4 socket already bound */
if (res_addr->ai_addr->sa_family == AF_INET && not_init4 == 0) {
break;
}
/*
* Only init the IPv4 socket once
*/
if (res_addr->ai_addr->sa_family == AF_INET && not_init4 == 1) {
uid_t euid;
dgram_zero(&netfd4.dgram);
euid = geteuid();
set_root_privs(1);
result_bind = dgram_bind(&netfd4.dgram,
res_addr->ai_addr->sa_family, &port);
set_root_privs(0);
if (result_bind != 0) {
continue;
}
netfd4.handle = NULL;
netfd4.pkt.body = NULL;
netfd4.recv_security_ok = &bsd_recv_security_ok;
netfd4.prefix_packet = &bsd_prefix_packet;
/*
* We must have a reserved port. Bomb if we didn't get one.
*/
if (port >= IPPORT_RESERVED) {
security_seterror(&bh->sech,
"unable to bind to a reserved port (got port %u)",
(unsigned int)port);
(*fn)(arg, &bh->sech, S_ERROR);
freeaddrinfo(res);
amfree(canonname);
return;
}
not_init4 = 0;
bh->udp = &netfd4;
break;
}
}
if (res_addr == NULL) {
dbprintf(_("Can't bind a socket to connect to %s\n"), hostname);
security_seterror(&bh->sech,
_("Can't bind a socket to connect to %s\n"), hostname);
(*fn)(arg, &bh->sech, S_ERROR);
amfree(canonname);
freeaddrinfo(res);
return;
}
#ifdef WORKING_IPV6
if (res_addr->ai_addr->sa_family == AF_INET6)
bh->udp = &netfd6;
else
#endif
bh->udp = &netfd4;
auth_debug(1, _("Resolved hostname=%s\n"), canonname);
if (conf_fn) {
service = conf_fn("client_port", datap);
if (!service || strlen(service) <= 1)
service = "amanda";
} else {
service = "amanda";
}
port = find_port_for_service(service, "udp");
if (port == 0) {
security_seterror(&bh->sech, _("%s/udp unknown protocol"), service);
(*fn)(arg, &bh->sech, S_ERROR);
amfree(canonname);
freeaddrinfo(res);
return;
}
amanda_gettimeofday(&sequence_time);
sequence = (int)sequence_time.tv_sec ^ (int)sequence_time.tv_usec;
handle=g_malloc(15);
g_snprintf(handle, 14, "000-%08x", (unsigned)newhandle++);
if (udp_inithandle(bh->udp, bh, canonname,
(sockaddr_union *)res_addr->ai_addr, port, handle, sequence) < 0) {
(*fn)(arg, &bh->sech, S_ERROR);
amfree(bh->hostname);
amfree(bh);
}
else {
(*fn)(arg, &bh->sech, S_OK);
}
amfree(handle);
amfree(canonname);
freeaddrinfo(res);
}
/*
* bsdtcp version of a security handle allocator. Logically sets
* up a network "connection".
*/
static void
bsdtcp_connect(
const char *hostname,
char * (*conf_fn)(char *, void *),
void (*fn)(void *, security_handle_t *, security_status_t),
void * arg,
void * datap)
{
struct sec_handle *rh;
int result;
char *canonname;
char *service;
in_port_t port;
assert(fn != NULL);
assert(hostname != NULL);
(void)conf_fn; /* Quiet unused parameter warning */
(void)datap; /* Quiet unused parameter warning */
auth_debug(1, _("bsdtcp: bsdtcp_connect: %s\n"), hostname);
rh = alloc(sizeof(*rh));
security_handleinit(&rh->sech, &bsdtcp_security_driver);
rh->hostname = NULL;
rh->rs = NULL;
rh->ev_timeout = NULL;
rh->rc = NULL;
result = resolve_hostname(hostname, 0, NULL, &canonname);
if(result != 0) {
dbprintf(_("resolve_hostname(%s): %s\n"), hostname, gai_strerror(result));
security_seterror(&rh->sech, _("resolve_hostname(%s): %s\n"), hostname,
gai_strerror(result));
(*fn)(arg, &rh->sech, S_ERROR);
return;
}
if (canonname == NULL) {
dbprintf(_("resolve_hostname(%s) did not return a canonical name\n"), hostname);
security_seterror(&rh->sech,
_("resolve_hostname(%s) did not return a canonical name\n"), hostname);
(*fn)(arg, &rh->sech, S_ERROR);
return;
}
rh->hostname = canonname; /* will be replaced */
canonname = NULL; /* steal reference */
rh->rs = tcpma_stream_client(rh, newhandle++);
rh->rc->recv_security_ok = &bsd_recv_security_ok;
rh->rc->prefix_packet = &bsd_prefix_packet;
if (rh->rs == NULL)
goto error;
amfree(rh->hostname);
rh->hostname = stralloc(rh->rs->rc->hostname);
if (conf_fn) {
service = conf_fn("client_port", datap);
if (strlen(service) <= 1)
service = "amanda";
} else {
service = "amanda";
}
port = find_port_for_service(service, "tcp");
if (port == 0) {
security_seterror(&rh->sech, _("%s/tcp unknown protocol"), service);
goto error;
}
/*
* We need to open a new connection.
*
* XXX need to eventually limit number of outgoing connections here.
*/
if(rh->rc->read == -1) {
if (runbsdtcp(rh, port) < 0)
goto error;
rh->rc->refcnt++;
}
/*
* The socket will be opened async so hosts that are down won't
* block everything. We need to register a write event
* so we will know when the socket comes alive.
*
* Overload rh->rs->ev_read to provide a write event handle.
* We also register a timeout.
*/
rh->fn.connect = fn;
rh->arg = arg;
rh->rs->ev_read = event_register((event_id_t)(rh->rs->rc->write),
EV_WRITEFD, sec_connect_callback, rh);
rh->ev_timeout = event_register(CONNECT_TIMEOUT, EV_TIME,
sec_connect_timeout, rh);
return;
error:
(*fn)(arg, &rh->sech, S_ERROR);
}
/*
* ssl version of a security handle allocator. Logically sets
* up a network "connection".
*/
static void
ssl_connect(
const char *hostname,
char * (*conf_fn)(char *, void *),
void (*fn)(void *, security_handle_t *, security_status_t),
void * arg,
void * datap)
{
struct sec_handle *rh;
int result;
char *canonname;
char *service;
in_port_t port;
char *src_ip = NULL;
char *ssl_dir = NULL;
char *ssl_fingerprint_file = NULL;
char *ssl_cert_file = NULL;
char *ssl_key_file = NULL;
char *ssl_ca_cert_file = NULL;
char *ssl_cipher_list = NULL;
int ssl_check_certificate_host = 1;
assert(fn != NULL);
assert(hostname != NULL);
auth_debug(1, _("ssl: ssl_connect: %s\n"), hostname);
rh = g_new0(struct sec_handle, 1);
security_handleinit(&rh->sech, &ssl_security_driver);
rh->hostname = NULL;
rh->rs = NULL;
rh->ev_timeout = NULL;
rh->rc = NULL;
result = resolve_hostname(hostname, 0, NULL, &canonname);
if(result != 0) {
g_debug(_("resolve_hostname(%s): %s"), hostname, gai_strerror(result));
security_seterror(&rh->sech, _("resolve_hostname(%s): %s\n"), hostname,
gai_strerror(result));
(*fn)(arg, &rh->sech, S_ERROR);
return;
}
if (canonname == NULL) {
g_debug(_("resolve_hostname(%s) did not return a canonical name"), hostname);
security_seterror(&rh->sech,
_("resolve_hostname(%s) did not return a canonical name\n"), hostname);
(*fn)(arg, &rh->sech, S_ERROR);
return;
}
rh->hostname = canonname; /* will be replaced */
canonname = NULL; /* steal reference */
rh->rs = tcpma_stream_client(rh, newhandle++);
rh->rc->recv_security_ok = &bsd_recv_security_ok;
rh->rc->prefix_packet = &bsd_prefix_packet;
rh->rc->need_priv_port = 0;
if (rh->rs == NULL)
goto error;
amfree(rh->hostname);
rh->hostname = g_strdup(rh->rs->rc->hostname);
ssl_dir = getconf_str(CNF_SSL_DIR);
if (conf_fn) {
service = conf_fn("remote_port", datap);
if (!service || strlen(service) <= 1)
service = AMANDA_SERVICE_NAME;
g_debug("Connecting to service '%s'", service);
src_ip = conf_fn("src_ip", datap);
ssl_fingerprint_file = g_strdup(conf_fn("ssl_fingerprint_file", datap));
ssl_cert_file = g_strdup(conf_fn("ssl_cert_file", datap));
ssl_key_file = g_strdup(conf_fn("ssl_key_file", datap));
ssl_ca_cert_file = g_strdup(conf_fn("ssl_ca_cert_file", datap));
ssl_cipher_list = conf_fn("ssl_cipher_list", datap);
ssl_check_certificate_host =
atoi(conf_fn("ssl_check_certificate_host", datap));
} else {
service = AMANDA_SERVICE_NAME;
}
if (ssl_dir) {
if (!ssl_cert_file || ssl_cert_file == '\0') {
ssl_cert_file = g_strdup_printf("%s/me/crt.pem", ssl_dir);
}
if (!ssl_key_file || ssl_key_file == '\0') {
ssl_key_file = g_strdup_printf("%s/me/private/key.pem", ssl_dir);
}
if (!ssl_ca_cert_file || ssl_ca_cert_file == '\0') {
ssl_ca_cert_file = g_strdup_printf("%s/CA/crt.pem", ssl_dir);
}
if (!ssl_fingerprint_file || ssl_fingerprint_file == '\0') {
struct stat statbuf;
ssl_fingerprint_file = g_strdup_printf("%s/remote/%s/fingerprint", ssl_dir, rh->hostname);
if (stat(ssl_fingerprint_file, &statbuf) == -1) {
g_free(ssl_fingerprint_file);
ssl_fingerprint_file = NULL;
}
}
}
port = find_port_for_service(service, "tcp");
if (port == 0) {
security_seterror(&rh->sech, _("%s/tcp unknown protocol"), service);
goto error;
}
/*
* We need to open a new connection.
*/
if(rh->rc->read == -1) {
if (runssl(rh, port, src_ip, ssl_fingerprint_file,
ssl_cert_file, ssl_key_file,
ssl_ca_cert_file, ssl_cipher_list,
ssl_check_certificate_host) < 0)
goto error;
rh->rc->refcnt++;
}
g_free(ssl_fingerprint_file);
g_free(ssl_cert_file);
g_free(ssl_key_file);
g_free(ssl_ca_cert_file);
/*
* The socket will be opened async so hosts that are down won't
* block everything. We need to register a write event
* so we will know when the socket comes alive.
*
* Overload rh->rs->ev_read to provide a write event handle.
* We also register a timeout.
*/
rh->fn.connect = fn;
rh->arg = arg;
rh->rs->ev_read = event_register((event_id_t)(rh->rs->rc->write),
EV_WRITEFD, sec_connect_callback, rh);
rh->ev_timeout = event_register(CONNECT_TIMEOUT, EV_TIME,
sec_connect_timeout, rh);
return;
error:
(*fn)(arg, &rh->sech, S_ERROR);
}
/*
* bsdtcp version of a security handle allocator. Logically sets
* up a network "connection".
*/
static void
bsdtcp_connect(
const char *hostname,
char * (*conf_fn)(char *, void *),
void (*fn)(void *, security_handle_t *, security_status_t),
void * arg,
void * datap)
{
struct sec_handle *rh;
int result;
char *canonname;
char *service;
char *src_ip;
in_port_t port;
struct addrinfo *res = NULL;
assert(fn != NULL);
assert(hostname != NULL);
(void)conf_fn; /* Quiet unused parameter warning */
(void)datap; /* Quiet unused parameter warning */
auth_debug(1, _("bsdtcp: bsdtcp_connect: %s\n"), hostname);
rh = g_new0(struct sec_handle, 1);
security_handleinit(&rh->sech, &bsdtcp_security_driver);
rh->dle_hostname = g_strdup(hostname);
rh->hostname = NULL;
rh->rs = NULL;
rh->ev_timeout = NULL;
rh->rc = NULL;
result = resolve_hostname(hostname, SOCK_STREAM, &res, &canonname);
if(result != 0) {
dbprintf(_("resolve_hostname(%s): %s\n"), hostname, gai_strerror(result));
security_seterror(&rh->sech, _("resolve_hostname(%s): %s"), hostname,
gai_strerror(result));
(*fn)(arg, &rh->sech, S_ERROR);
if (res) freeaddrinfo(res);
return;
}
if (canonname == NULL) {
dbprintf(_("resolve_hostname(%s) did not return a canonical name\n"), hostname);
security_seterror(&rh->sech,
_("resolve_hostname(%s) did not return a canonical name"), hostname);
(*fn)(arg, &rh->sech, S_ERROR);
if (res) freeaddrinfo(res);
return;
}
rh->hostname = canonname; /* will be replaced */
canonname = NULL; /* steal reference */
rh->rs = tcpma_stream_client(rh, newhandle++);
if (rh->rc == NULL)
goto error;
rh->rc->recv_security_ok = &bsd_recv_security_ok;
rh->rc->prefix_packet = &bsd_prefix_packet;
rh->rc->need_priv_port = 1;
if (rh->rs == NULL)
goto error;
amfree(rh->hostname);
rh->hostname = g_strdup(rh->rs->rc->hostname);
if (conf_fn) {
service = conf_fn("client_port", datap);
if (!service || strlen(service) <= 1)
service = AMANDA_SERVICE_NAME;
src_ip = conf_fn("src_ip", datap);
} else {
service = AMANDA_SERVICE_NAME;
src_ip = NULL;
}
port = find_port_for_service(service, "tcp");
if (port == 0) {
security_seterror(&rh->sech, _("%s/tcp unknown protocol"), service);
goto error;
}
/*
* We need to open a new connection.
*
* XXX need to eventually limit number of outgoing connections here.
*/
rh->res = res;
rh->next_res = res;
rh->src_ip = src_ip;
rh->port = port;
if(rh->rc->read == -1) {
int result = -1;
while (rh->next_res) {
result = runbsdtcp(rh, rh->src_ip, rh->port);
if (result >=0 )
break;
}
if (result < 0)
goto error;
rh->rc->refcnt++;
}
/*
* The socket will be opened async so hosts that are down won't
* block everything. We need to register a write event
* so we will know when the socket comes alive.
*
* Overload rh->rs->ev_read to provide a write event handle.
* We also register a timeout.
*/
rh->fn.connect = &bsdtcp_fn_connect;
rh->arg = rh;
rh->connect_callback = fn;
rh->connect_arg = arg;
g_mutex_lock(security_mutex);
rh->rs->rc->ev_write = event_create((event_id_t)(rh->rs->rc->write),
EV_WRITEFD, sec_connect_callback, rh);
rh->ev_timeout = event_create(CONNECT_TIMEOUT, EV_TIME,
sec_connect_timeout, rh);
event_activate(rh->rs->rc->ev_write);
event_activate(rh->ev_timeout);
g_mutex_unlock(security_mutex);
return;
error:
if (res) {
freeaddrinfo(res);
}
rh->res = NULL;
rh->next_res = NULL;
(*fn)(arg, &rh->sech, S_ERROR);
}
