Date:      Mon, 16 Aug 2010 00:22:26 GMT
From:      Sergio Ligregni <ligregni@FreeBSD.org>
To:        Perforce Change Reviews <perforce@FreeBSD.org>
Subject:   PERFORCE change 182451 for review
Message-ID:  <201008160022.o7G0MQPx014823@skunkworks.freebsd.org>

http://p4web.freebsd.org/@@182451?ac=10

Change 182451 by ligregni@ligPhenom on 2010/08/16 00:21:50

	The FINAL deliverable of the project (at GSoC), still
	pending some integration issues that will be reviewed
	with my mentor and the administrators of the project,
	in order to get it implemented in the next version
	of FreeBSD.

Affected files ...

.. //depot/projects/soc2010/disaudit/Makefile#4 edit
.. //depot/projects/soc2010/disaudit/audit_warn#1 add
.. //depot/projects/soc2010/disaudit/damasterd.c#8 edit
.. //depot/projects/soc2010/disaudit/damasterd_control#2 edit
.. //depot/projects/soc2010/disaudit/msocket_work.c#9 edit
.. //depot/projects/soc2010/disaudit/msocket_work.h#10 edit
.. //depot/projects/soc2010/disaudit/server-key.pem#1 add
.. //depot/projects/soc2010/disaudit/server-req.pem#1 add
.. //depot/projects/soc2010/disaudit/shipd.c#11 edit
.. //depot/projects/soc2010/disaudit/shipd_control#2 edit
.. //depot/projects/soc2010/disaudit/ssocket_work.c#9 edit
.. //depot/projects/soc2010/disaudit/ssocket_work.h#11 edit
.. //depot/projects/soc2010/disaudit/utils.c#4 edit
.. //depot/projects/soc2010/disaudit/utils.h#4 edit

Differences ...

==== //depot/projects/soc2010/disaudit/Makefile#4 (text+ko) ====

@@ -1,11 +1,12 @@
 #
 
 CC	= cc
-CFLAGS	= -Wall -O2 -g
+CFLAGS	= -Wall -O2 -g -D_SSL_
 TARGETS	= shipd damasterd
-DOBJ	= damasterd.o msocket_work.o utils.o
-SOBJ	= shipd.o ssocket_work.o utils.o
-LIBS	= -lmd
+DOBJ	= damasterd.o msocket_work.o utils.o sha_utils.o
+SOBJ	= shipd.o ssocket_work.o utils.o sha_utils.o
+LIBS	= -lmd -lssl -lcrypto
+#LIBS	= -lssl -lcrypto
 
 all: $(TARGETS)
 
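Review bot: DOBJ and SOBJ now link sha_utils.o, but no sha_utils.c or sha_utils.h appears in the Affected files list, so the build cannot be reproduced from this change alone; the new source should be part of the same changelist. `-D_SSL_` also uses a reserved identifier (a leading underscore followed by an uppercase letter belongs to the implementation), so a project-prefixed name such as `-DDISAUDIT_SSL` is safer. The commented-out `#LIBS` line is leftover and can be dropped.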

==== //depot/projects/soc2010/disaudit/damasterd.c#8 (text+ko) ====

@@ -42,7 +42,6 @@
 #include <unistd.h>
 
 #include <sys/types.h>
-#include <sha256.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 
@@ -51,12 +50,29 @@
 
 #include <arpa/inet.h>
 
+#ifdef _SSL_
+/* OpenSSL headers */
+#include <openssl/rsa.h>	/* SSLeay stuff */
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#else
+#include <sha256.h>
+#endif				/* _SSL_ */
+
 #define AUDIT_DAMASTERD_FILE "/etc/security/damasterd_control"
+/* define HOME to be dir for key and cert files... */
+#define HOME "./"
+/* Make these what you want for cert & key files */
+#define CERTF  HOME "server-req.pem"
+#define KEYF  HOME  "server-key.pem"
 
 /*** DECLARATIONS ***/
 
 /* local prototypes */
-static int 
+static int
 check_files_equal(char *pathslave, char *sha256slave,
 		  char *hostname, char *path, char *fullpath);
 static int	do_master_daemon();
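Review bot: CERTF and KEYF resolve relative to the process's working directory because `HOME` is `"./"`, so the daemon loads its private key and certificate from wherever it happened to be started; an absolute location alongside AUDIT_DAMASTERD_FILE, e.g. `#define HOME "/etc/security/"`, keeps the key out of directories other users can write to. The changelist also adds `server-key.pem` itself to the depot (see the Affected files list); a private key that has been checked into source control should be treated as public, and the key generated per installation with restrictive permissions instead. The name `server-req.pem` conventionally denotes a certificate signing request rather than a certificate, so it is worth confirming that SSL_CTX_use_certificate_file is actually handed a certificate.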
@@ -65,9 +81,13 @@
 static int	receive_trail(int sfd, struct sockaddr *clientinfo);
 static int	search_trail(int sfd, struct sockaddr *clientinfo);
 
+/* extern prototypes */
+void		get_SHA256_File(char *, char *);
+
+/* Global variables */
+
 /* Directory settings took from audit_control */
 char		slave_trails_dir[MAX_DIR_SIZE + 1];
-char           *ptr_std;
 int		slave_dirs;
 
 /* The level of trust the shipping process will have (0 means disabled) */
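Review bot: The `get_SHA256_File` prototype is hand-written in this .c file instead of coming from a header, and shipd.c repeats the same line in its own hunk; a shared `sha_utils.h` keeps the signature in one place so a later change cannot leave the two copies disagreeing. The prototype also declares no size for the output buffer, so the callee has to trust that every caller passed SHA256_SIZE bytes.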
@@ -87,6 +107,16 @@
  */
 int		lookup_host;
 
+#ifdef _SSL_
+/* SSL Enabled */
+char		ssl_enabled;
+
+SSL_CTX        *ctx;
+SSL            *ssl;
+SSL_METHOD     *meth;
+#endif				/* _SSL_ */
+
+
 /*
  * DAMasterD Distributed Audit Master Daemon
  * 
@@ -119,8 +149,6 @@
 		to_log("Can't get the parameters to work!");
 		exit(1);
 	}
-	ptr_std = slave_trails_dir + strlen(slave_trails_dir);
-
 	/*
 	 * There is no shipd enabled and it wasn't called by AUDIT (normally
 	 * the unique way to get 'last' on).
@@ -129,6 +157,31 @@
 		to_log("DAMasterd disabled");
 		exit(0);
 	}
+#ifdef _SSL_
+	if (ssl_enabled) {
+		SSL_load_error_strings();
+		SSLeay_add_ssl_algorithms();
+		meth = SSLv23_server_method();
+		ctx = SSL_CTX_new(meth);
+		if (!ctx) {
+			ERR_print_errors_fp(stderr);
+			exit(2);
+		}
+		if (SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0) {
+			ERR_print_errors_fp(stderr);
+			exit(3);
+		}
+		if (SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0) {
+			ERR_print_errors_fp(stderr);
+			exit(4);
+		}
+		if (!SSL_CTX_check_private_key(ctx)) {
+			fprintf(stderr, "Private key does not match the certificate public key\n");
+			exit(5);
+		}
+	}
+#endif				/* _SSL_ */
+
 	if (do_master_daemon() == -1)
 		exit(1);
 
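Review bot: The context created here never calls SSL_CTX_set_verify, so a connecting shipd is not authenticated and anyone who can reach the port can upload trails over TLS exactly as before; for a master that accepts audit data, `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);` together with a CA configured through SSL_CTX_load_verify_locations is the usual minimum. SSLv23_server_method still negotiates SSLv2 unless `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);` is set. Errors are printed with ERR_print_errors_fp to stderr while the rest of the daemon reports through to_log, so they are lost once the process has daemonized. The enclosing function begins outside the hunk.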
@@ -138,7 +191,7 @@
 static int
 do_master_daemon()
 {
-	int		socketfd  , newsockfd, childpid;
+	int		socketfd  , newsockfd, childpid, res;
 	char		message   [256];
 	struct sockaddr	clientinfo;
 
@@ -156,6 +209,16 @@
 			to_log(message);
 			return (-1);
 		}
+#ifdef _SSL_
+		else if (ssl_enabled) {
+			ssl = SSL_new(ctx);
+			CHK_NULL(ssl);
+			SSL_set_fd(ssl, newsockfd);
+			res = SSL_accept(ssl);
+			CHK_SSL(res);
+		}
+#endif				/* _SSL_ */
+
 		if (!debug && (childpid = fork()) < 0) {
 			to_log("Error forking the process");
 			return (-1);
@@ -165,9 +228,9 @@
 				return (-1);
 			}
 			if (!debug)
-				close(socketfd);
+				close_socket(socketfd);
 		}
-		close(newsockfd);
+		close_socket(newsockfd);
 
 		usleep(1000);
 	}
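Review bot: A single failed handshake terminates the whole master daemon, because `CHK_SSL(res)` exits the process on error inside the accept loop; any peer that connects without TLS, or simply disconnects mid-handshake, takes the service down. SSL_accept also returns 0 for a controlled shutdown, which CHK_SSL (it tests only for -1) treats as success. The handshake belongs in the child after fork, and a failure should be logged and the connection dropped with the loop continuing, e.g. `if (res <= 0) { to_log("SSL_accept failed"); close(newsockfd); continue; }`. Doing SSL_accept in the parent also serialises all clients behind the slowest handshake, and the parent's later `close_socket(newsockfd)` then runs SSL_shutdown on the very session the child is serving. do_master_daemon's loop body continues outside the hunk.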
@@ -186,6 +249,7 @@
 
 	char		sslave_dirs[10];
 	char		lkup_host [10];
+	char		opt       [4];	/* yes / no */
 
 	if (!fpars)
 		return (-1);
@@ -198,6 +262,10 @@
 	fscanf(fpars, "%d", &panic_level);
 	fscanf(fpars, "%d", &port_number);
 	fscanf(fpars, "%s", lkup_host);
+#ifdef _SSL_
+	fscanf(fpars, "%s", opt);
+	ssl_enabled = strcmp(opt, "no");
+#endif
 
 	if (strcmp(sslave_dirs, "no"))
 		slave_dirs = 1;
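Review bot: `fscanf(fpars, "%s", opt)` reads an unbounded token into the 4-byte `opt`, so any value longer than three characters in damasterd_control overwrites the stack; use a field width, `fscanf(fpars, "%3s", opt);`, and check the return value so a missing field leaves ssl_enabled in a known state instead of comparing an uninitialized buffer. The same pattern appears in shipd.c's parameter-reading hunk (the `%s` read into its `opt[4]`). The enclosing function begins outside the hunk.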
@@ -241,7 +309,7 @@
 		get_from_socket(sfd, opt, sizeof(opt));
 	}
 
-	close(sfd);
+	close_socket(sfd);
 
 	return (res);
 }
@@ -347,7 +415,7 @@
 	}
 	if (!strncmp(path, path_to_find, strlen(path_to_find))) {
 		char           *sha256 = (char *)malloc(sizeof(char) * SHA256_SIZE);
-		sha256 = SHA256_File(fullpath, sha256);
+		get_SHA256_File(fullpath, sha256);
 
 		if (!strcmp(sha256, sha256slave))
 			return (1);
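Review bot: `get_SHA256_File(fullpath, sha256)` returns void, so the failure that SHA256_File used to report by returning NULL can no longer be detected; if the file cannot be read, `sha256` holds whatever malloc left in it and the strcmp on the next line compares uninitialized memory. The malloc result is also unchecked and the buffer is never freed before `return (1)` (the leak predates this change). Returning a status from get_SHA256_File and checking it here, and in shipd.c's corresponding hunk, would restore the error path. The enclosing function begins outside the hunk.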
@@ -370,6 +438,8 @@
 	char		dirpath   [MAX_DIR_SIZE + 1];
 	char		buffer    [MAX_BUF_SIZE + 1];
 	int		brecv;
+	uint32_t	file_size_net;
+	uint16_t	bytes_net;
 	time_t		mtime;
 	struct tm      *ltime;
 	unsigned	file_size;
@@ -426,7 +496,13 @@
 	to_log(message);
 
 	/* We get the trail size */
-	recv(sfd, &file_size, sizeof(file_size), 0);
+#ifdef _SSL_
+	if (ssl_enabled)
+		SSL_read(ssl, &file_size_net, sizeof(file_size_net));
+	else
+#endif				/* _SSL */
+		recv(sfd, &file_size_net, sizeof(file_size_net), 0);
+	file_size = ntohl(file_size_net);
 
 	fd = open(fullpath, O_CREAT | O_WRONLY);
 	if (fd < 0) {
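Review bot: The result of the recv()/SSL_read() that fetches the trail size is discarded, so a peer that disconnects or sends fewer than four bytes leaves `file_size_net` uninitialized and `ntohl` hands back garbage that then drives the receive loop; assign the return to brecv and check it, `if (brecv != (int)sizeof(file_size_net)) { to_log("Error receiving the trail size"); return (-1); }`. The adjacent `open(fullpath, O_CREAT | O_WRONLY)` is untouched here but still passes no mode argument. receive_trail's body continues outside the hunk.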
@@ -434,12 +510,24 @@
 		return (-1);
 	}
 	while (file_size) {
-		brecv = recv(sfd, &bread, sizeof(bread), 0);
+#ifdef _SSL_
+		if (ssl_enabled)
+			brecv = SSL_read(ssl, &bytes_net, sizeof(bytes_net));
+		else
+#endif				/* _SSL */
+			brecv = recv(sfd, &bytes_net, sizeof(bytes_net), 0);
 		if (brecv < 0) {
 			to_log("Error receiving the file");
 			return (-1);
 		}
-		brecv = recv(sfd, buffer, bread, 0);
+		bread = ntohs(bytes_net);
+
+#ifdef _SSL_
+		if (ssl_enabled)
+			brecv = SSL_read(ssl, buffer, bread);
+		else
+#endif				/* _SSL */
+			brecv = recv(sfd, buffer, bread, 0);
 
 		if (brecv < 0) {
 			to_log("Error receiving the file");
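Review bot: `bread = ntohs(bytes_net)` takes the chunk length straight from the network, up to 65535, and the following recv()/SSL_read() writes that many bytes into `buffer`, which holds MAX_BUF_SIZE + 1 bytes; a peer that sends a large length overflows the master daemon's stack. The sender caps its chunks at MAX_BUF_SIZE, so the receiver can enforce the same bound: `if (bread > MAX_BUF_SIZE) { to_log("Chunk larger than buffer"); return (-1); }`. A return of 0 from either read means the peer closed the connection, but only `brecv < 0` is treated as an error, so a truncated transfer spins in `while (file_size)`; test `brecv <= 0` for both reads, and remember that recv() may return fewer bytes than bread, which the loop has to account for. receive_trail continues outside the hunk.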

==== //depot/projects/soc2010/disaudit/damasterd_control#2 (text+ko) ====

@@ -3,3 +3,4 @@
 2
 53686
 yes
+yes

==== //depot/projects/soc2010/disaudit/msocket_work.c#9 (text+ko) ====

@@ -40,6 +40,23 @@
 
 #include <arpa/inet.h>
 
+#ifdef _SSL_
+/* OpenSSL headers */
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#endif				/* _SSL_ */
+
+/* Globals declared at damasterd.c */
+#ifdef _SSL_
+extern SSL_CTX *ctx;
+extern SSL     *ssl;
+extern X509    *server_cert;
+extern SSL_METHOD *meth;
+#endif				/* _SSL_ */
+
 int
 init_socket(int port)
 {
@@ -81,3 +98,19 @@
 
 	return (retval);
 }
+
+void
+close_socket(int sockfd)
+{
+#ifdef _SSL_
+	if (ssl_enabled)
+		SSL_shutdown(ssl);	/* send SSL/TLS close_notify */
+#endif				/* _SSL_ */
+
+	close(sockfd);
+
+#ifdef _SSL_
+	if (ssl_enabled)
+		SSL_free(ssl);
+#endif				/* _SSL_ */
+}
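Review bot: close_socket shuts down and frees the single global `ssl` no matter which descriptor it is given, so the child's `close_socket(socketfd)` on the listening socket sends close_notify on the client session and frees the SSL object it is about to use, and the parent's `close_socket(newsockfd)` after fork tears down the session the child is serving. The SSL teardown should only happen for the descriptor the session is bound to (`SSL_get_fd(ssl) == sockfd`), the parent's copy after fork should be released with SSL_free alone, and `ssl` should be set to NULL after freeing so a later call cannot double-free. `extern X509 *server_cert` in the preceding hunk has no definition anywhere in this change. ssocket_work.c adds an identical close_socket with the same problem.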

==== //depot/projects/soc2010/disaudit/msocket_work.h#10 (text+ko) ====

@@ -30,7 +30,8 @@
 
 #include <netinet/in.h>
 
-int init_socket(int);
-int accept_connection(int, struct sockaddr *);
+int		init_socket(int);
+int		accept_connection(int, struct sockaddr *);
+void		close_socket(int);
 
 #endif

==== //depot/projects/soc2010/disaudit/shipd.c#11 (text+ko) ====

@@ -31,17 +31,29 @@
 #include "utils.h"
 
 #include <ctype.h>
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <memory.h>
 #include <dirent.h>
 #include <syslog.h>
 #include <stdarg.h>
 #include <unistd.h>
 
 #include <sys/types.h>
+#include <sys/stat.h>
+
+#ifdef _SSL_
+/* OpenSSL headers */
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#else
 #include <sha256.h>
-#include <sys/stat.h>
+#endif				/* _SSL_ */
 
 #define	PANIC_DATE		2
 #define	PANIC_ALL		3
@@ -92,6 +104,11 @@
 static void	delete_audit_dir_entry(audit_dir_entry ** root);
 static void	set_dir_id(audit_dir_entry ** temp, unsigned id);
 
+/* extern prototypes */
+void		get_SHA256_File(char *, char *);
+
+/* Global variables */
+
 /* Directory settings took from audit_control */
 char		master_host[MAX_HOST_SIZE + 1];
 audit_dir_entry *audit_dir_root;
@@ -105,6 +122,16 @@
 /* Port number */
 int		port_number;
 
+#ifdef _SSL_
+/* SSL Enabled */
+char		ssl_enabled;
+
+SSL_CTX        *ctx;
+SSL            *ssl;
+SSL_METHOD     *meth;
+#endif				/* _SSL_ */
+
+
 /*
  * ShipD Shipping Daemon
  * 
@@ -147,13 +174,23 @@
 		exit(1);
 	}
 	/*
-	 * There is no shipd enabled and it wasn't called by AUDIT (normally
-	 * the unique way to get 'last' on).
+	 * There is no shipd enabled and it wasn't called by AUDIT_WARN
+	 * (normally the unique way to get 'last' on).
 	 */
 	if (panic_level < 2 && last == 0) {
 		to_log("Shipd disabled");
 		exit(0);
 	}
+#ifdef _SSL_
+	if (ssl_enabled) {
+		SSLeay_add_ssl_algorithms();
+		meth = SSLv2_client_method();
+		SSL_load_error_strings();
+		ctx = SSL_CTX_new(meth);
+		CHK_NULL(ctx);
+	}
+#endif				/* _SSL_ */
+
 	/*
 	 * This means that the daemon will only search for the last closed
 	 * trail and send to the master system.
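Review bot: `SSLv2_client_method()` pins shipd to SSLv2, a protocol with known weaknesses (no handshake integrity protection, weak ciphers), and the context never calls SSL_CTX_set_verify or loads a CA, so shipd will send audit trails to any host that presents some certificate. Use `meth = SSLv23_client_method();` with `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);`, and configure `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);` with the master's certificate or CA loaded through SSL_CTX_load_verify_locations (the trust-store path is a deployment setting not present in this change). The enclosing function begins outside the hunk.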
@@ -185,6 +222,10 @@
 
 	char		audit_trails_dir[MAX_DIR_SIZE + 1];
 
+#ifdef _SSL_
+	char		opt       [4];	/* yes / no */
+#endif				/* _SSL_ */
+
 	unsigned	dir_id = 0;
 
 	if (!fpars)
@@ -207,6 +248,10 @@
 	fscanf(fpars, "%d", &panic_level);
 	fscanf(fpars, "%d", &msec_freq);
 	fscanf(fpars, "%d", &port_number);
+#ifdef _SSL_
+	fscanf(fpars, "%s", opt);
+	ssl_enabled = strcmp(opt, "no");
+#endif
 
 	fclose(fpars);
 
@@ -410,7 +455,7 @@
 	/* Here we tell master we are done for now */
 	do_socket_check_file(sockfd, NULL, NULL);
 
-	close(sockfd);
+	close_socket(sockfd);
 
 	return (ret_val);
 }
@@ -576,12 +621,6 @@
 	int		sockfd;
 	audit_dir_entry *trail_directory;
 
-	/*
-	 * XXX replaced with aspsrintf()... strlcpy(fullpath,
-	 * audit_trails_dir, sizeof (fullpath)); ptr = fullpath +
-	 * strlen(fullpath); ptr = '/'; (++ptr) = 0;
-	 */
-
 	if (init_socket(master_host, port_number, &sockfd) == -1)
 		return (0);
 
@@ -594,7 +633,7 @@
 		 * use the fullpath).
 		 */
 		asprintf(&ptr, "%s/%s", trail_directory ? trail_directory->name : "NULL", cur->name);
-		sha256 = SHA256_File(ptr, sha256);
+		get_SHA256_File(ptr, sha256);
 		sprintf(message, "The SHA256 checksum for %s is %s", cur->name,
 			sha256);
 		to_log(message);
@@ -618,7 +657,7 @@
 	/* Here we tell master we are done for now */
 	do_socket_check_file(sockfd, NULL, NULL);
 
-	close(sockfd);
+	close_socket(sockfd);
 
 	if (first_found != NULL)
 		*first_found = counter;

==== //depot/projects/soc2010/disaudit/shipd_control#2 (text+ko) ====

@@ -1,5 +1,8 @@
 /var/audit
+/var/audit2
+/var/audit3
 master
-2
+3
 10000
 53686
+yes

==== //depot/projects/soc2010/disaudit/ssocket_work.c#9 (text+ko) ====

@@ -44,6 +44,23 @@
 
 #include <arpa/inet.h>
 
+#ifdef _SSL_
+/* OpenSSL headers */
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#endif				/* _SSL_ */
+
+/* Globals declared at shipd.c */
+#ifdef _SSL_
+extern SSL_CTX *ctx;
+extern SSL     *ssl;
+extern X509    *server_cert;
+extern SSL_METHOD *meth;
+#endif				/* _SSL_ */
+
 int
 do_socket_check_file(int sockfd, char *path, char *sha256)
 {
@@ -74,8 +91,10 @@
 	send_to_socket(sockfd, path ? "2" : "0");
 	if (path) {
 		int		fd = open(fullpath, O_RDONLY);
-		unsigned	file_size;
-		int		bread;
+		unsigned long	file_size;
+		uint16_t	bytes_net;
+		uint32_t	file_size_net;
+		int		bread     , bsend;
 		struct stat	statbuf;
 
 		/* If there is a file to send through the socket */
@@ -91,8 +110,19 @@
 			return -1;
 		}
 		file_size = statbuf.st_size;
-		send(sockfd, &file_size, sizeof(file_size), 0);
+		file_size_net = htonl(file_size);
+
+#ifdef _SSL_
+		if (ssl_enabled)
+			bsend = SSL_write(ssl, &file_size_net, sizeof(file_size_net));
+		else
+#endif				/* _SSL_ */
+			bsend = send(sockfd, &file_size_net, sizeof(file_size_net), 0);
 
+		if (bsend <= 0) {
+			to_log("Sending trail size");
+			return -1;
+		}
 		while (file_size) {
 			bread = read(fd, buffer, min(file_size, MAX_BUF_SIZE));
 
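Review bot: `file_size_net = htonl(file_size)` silently truncates `file_size`, an unsigned long taken from st_size, to 32 bits, so a trail larger than 4 GiB is announced with a wrong size and the receiver stops or loops at the wrong point; refuse such files up front, `if (statbuf.st_size > UINT32_MAX) { to_log("Trail too large to ship"); return -1; }`. The new `bsend <= 0` check is the right idea, but its log text `"Sending trail size"` reads like a progress message rather than an error. The enclosing function begins outside the hunk.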
@@ -102,9 +132,27 @@
 			} else if (bread == 0)
 				break;
 
-			send(sockfd, &bread, sizeof(bread), 0);
-			send(sockfd, buffer, bread, 0);
-
+			bytes_net = htons((unsigned)bread);
+#ifdef _SSL_
+			if (ssl_enabled)
+				bsend = SSL_write(ssl, &bytes_net, sizeof(bytes_net));
+			else
+#endif				/* _SSL_ */
+				bsend = send(sockfd, &bytes_net, sizeof(bytes_net), 0);
+			if (bsend <= 0) {
+				to_log("Sending bytes to send");
+				return -1;
+			}
+#ifdef _SSL_
+			if (ssl_enabled)
+				bsend = SSL_write(ssl, buffer, bread);
+			else
+#endif				/* _SSL_ */
+				bsend = send(sockfd, buffer, bread, 0);
+			if (bsend <= 0) {
+				to_log("Sending trail contents");
+				return -1;
+			}
 			file_size -= bread;
 		}
 	}
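Review bot: The data chunk is sent with `bsend = send(sockfd, buffer, bread, 0)` and only `bsend <= 0` is checked, but send() may transmit fewer than bread bytes on a stream socket; since the receiver has just been told to expect exactly bread bytes, a short send desynchronises the framing for the rest of the transfer. Compare against the requested length, `if (bsend != bread) {`, or loop until the chunk is fully written; SSL_write is all-or-nothing by default, so the same check is harmless on that path. The enclosing function continues outside the hunk.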
@@ -187,5 +235,34 @@
 	to_log(message);
 
 	*sfd = sockfd;
+
+#ifdef _SSL_
+	if (ssl_enabled) {
+		ssl = SSL_new(ctx);
+		CHK_NULL(ssl);
+		SSL_set_fd(ssl, sockfd);
+		res = SSL_connect(ssl);
+		CHK_SSL(res);
+		snprintf(message, sizeof(message), "SSL connection using %s\n", SSL_get_cipher(ssl));
+		to_log(message);
+	}
+#endif				/* _SSL_ */
+
 	return (0);
 }
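Review bot: `CHK_SSL(res)` after SSL_connect only catches -1, while SSL_connect returns 0 when the handshake was shut down by the peer, so that case falls through to the cipher log line and `return (0)` as if connected; test `if (res <= 0)` here (or change CHK_SSL accordingly). `res` and `message` are used but declared outside the hunk, so make sure `res` was actually added to init_socket's declarations in the part not shown. Once the context verifies the peer, `SSL_get_verify_result(ssl) == X509_V_OK` should also be checked here before any trail is sent.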
+
+void
+close_socket(int sockfd)
+{
+#ifdef _SSL_
+	if (ssl_enabled)
+		SSL_shutdown(ssl);	/* send SSL/TLS close_notify */
+#endif				/* _SSL_ */
+
+	close(sockfd);
+
+#ifdef _SSL_
+	if (ssl_enabled)
+		SSL_free(ssl);
+#endif				/* _SSL_ */
+}

==== //depot/projects/soc2010/disaudit/ssocket_work.h#11 (text+ko) ====

@@ -28,9 +28,9 @@
 #ifndef _SSOCKET_WORK_H_
 #define _SSOCKET_WORK_H_
 
-int do_socket_check_file(int, char *, char *);
-int do_socket_send_file(int, char *, char *);
-int init_socket(char *, int, int *);
+int		do_socket_check_file(int, char *, char *);
+int		do_socket_send_file(int, char *, char *);
+int		init_socket(char *, int, int *);
+void		close_socket(int);
 
 #endif
-

==== //depot/projects/soc2010/disaudit/utils.c#4 (text+ko) ====

@@ -8,7 +8,24 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 
+#include <netinet/in.h>
+
+#ifdef _SSL_
+/* OpenSSL headers */
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#endif				/* _SSL_ */
+
 int		debug;
+char		ssl_enabled;
+
+/* To be declared at shipd.c or damasterd.c */
+#ifdef _SSL_
+SSL            *ssl;
+#endif				/* _SSL_ */
 
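Review bot: utils.c now defines `char ssl_enabled;` and `SSL *ssl;` while damasterd.c and shipd.c define the same two globals in their hunks, so every binary contains two definitions of each; this only links through common-symbol merging and becomes a link error under `-fno-common`, which newer toolchains default to. The comment itself says these are to be declared in shipd.c or damasterd.c, matching the `extern` lines utils.h adds, so the two definitions should be removed from utils.c (or the others turned into externs), leaving exactly one definition per symbol.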
 void
 to_log(char *message)
@@ -26,19 +43,29 @@
 void
 get_from_socket(int sfd, char *dest, size_t dest_size)
 {
-	int		len       , left;
+	int		left;
 	int		brecv;
+	uint16_t	bytes_net;
 	unsigned char	buffer[MAX_BUF_SIZE + 1];
 
-	brecv = recv(sfd, buffer, sizeof(int), 0);
+#ifdef _SSL_
+	if (ssl_enabled)
+		brecv = SSL_read(ssl, &bytes_net, sizeof(bytes_net));
+	else
+#endif				/* _SSL_ */
+		brecv = recv(sfd, &bytes_net, sizeof(bytes_net), 0);
 
-	memcpy(&len, buffer, sizeof(int));
+	left = ntohs(bytes_net);
 
-	left = len;
 	dest[0] = '\0';
 
 	while (left > 0) {
-		brecv = recv(sfd, buffer, min(MAX_BUF_SIZE, left), 0);
+#ifdef _SSL_
+		if (ssl_enabled)
+			brecv = SSL_read(ssl, buffer, min(MAX_BUF_SIZE, left));
+		else
+#endif				/* _SSL_ */
+			brecv = recv(sfd, buffer, min(MAX_BUF_SIZE, left), 0);
 		buffer[brecv] = 0;
 
 		strlcat(dest, (char *)buffer, dest_size);
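Review bot: Neither read's result is validated in get_from_socket: if the length read fails, `bytes_net` is uninitialized and `left` is garbage, and in the loop a negative `brecv` makes `buffer[brecv] = 0` write before the buffer's start while a 0 return (peer closed) never reduces `left`. Check `if (brecv <= 0) { dest[0] = '\0'; return; }` after the length read and `if (brecv <= 0) break;` after the data read; the function returns void, so an empty dest is the most a caller can be told. get_from_socket's loop continues outside the hunk.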
@@ -53,7 +80,21 @@
 send_to_socket(int sfd, char *data)
 {
 	int		len = strlen(data);
+	uint16_t	bytes_net;
 
-	send(sfd, &len, sizeof(int), 0);
-	send(sfd, data, len, 0);
+	bytes_net = htons((unsigned)len);
+
+#ifdef _SSL_
+	if (ssl_enabled)
+		SSL_write(ssl, &bytes_net, sizeof(bytes_net));
+	else
+#endif				/* _SSL_ */
+		send(sfd, &bytes_net, sizeof(bytes_net), 0);
+
+#ifdef _SSL_
+	if (ssl_enabled)
+		SSL_write(ssl, data, len);
+	else
+#endif				/* _SSL_ */
+		send(sfd, data, len, 0);
 }
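Review bot: `bytes_net = htons((unsigned)len)` silently truncates any data longer than 65535 bytes, after which the peer reads a length that does not match the bytes that follow and the stream is desynchronised; guard with `if (len > UINT16_MAX) { to_log("Message too long for frame"); return; }` or make that limit an explicit part of the protocol. The return values of SSL_write and send are ignored on all four calls, so a dropped connection goes unnoticed here and only shows up later as garbage on the receiving side. send_to_socket is void, so callers cannot act on failure either; returning an int would let them.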

==== //depot/projects/soc2010/disaudit/utils.h#4 (text+ko) ====

@@ -32,6 +32,10 @@
 
 #include <sys/types.h>
 
+#ifdef _SSL_
+#include <openssl/ssl.h>
+#endif				/* _SSL_ */
+
 #define	MAX_DIR_SIZE			255
 #define	MAX_PATH_SIZE			MAX_DIR_SIZE + 50
 #define	MAX_HOST_SIZE			255
@@ -39,7 +43,13 @@
 #define	MAX_BUF_SIZE			1024
 #define MESSAGE_DESC_SIZE		50
 #define SHA256_SIZE				66
-#define CHAR_ID_SIZE			10
+
+#define CHK_NULL(x) if ((x)==NULL) { to_log("Reached NULL"); exit (1); }
+#define CHK_ERR(err,s) if ((err)==-1) { to_log(s); exit(1); }
+
+#ifdef _SSL_
+#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
+#endif				/* _SSL_ */
 
 #define	min(a,b) (a < b ? a : b)
 
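Review bot: CHK_NULL, CHK_ERR and CHK_SSL expand to a bare `if`, so `if (c) CHK_NULL(p); else ...` binds the else to the macro's own `if` and an `else` following the macro is a syntax error; wrap each as `do { ... } while (0)`. CHK_SSL also recognises only -1, but SSL_accept and SSL_connect report failure as 0 or any negative value, so `if ((err) <= 0)` is the right test. Terminating the process from a macro is heavy-handed on the server side, where it is used inside the accept loop; logging and returning an error leaves the caller the choice.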
@@ -47,10 +57,15 @@
  * Two main things to be set by this variable, if daemonize or not, and the
  * destination of the messages.
  */
-extern int debug;
+extern int	debug;
+extern char	ssl_enabled;
+/* To be declared at shipd.c or damasterd.c */
+#ifdef _SSL_
+extern SSL     *ssl;
+#endif				/* _SSL_ */
 
-void get_from_socket(int std, char *dest, size_t dest_size);
-void send_to_socket(int sfd, char *data);
-void to_log(char *message);
+void		get_from_socket(int std, char *dest, size_t dest_size);
+void		send_to_socket(int sfd, char *data);
+void		to_log    (char *message);
 
-#endif /* ! _UTILS_H_ */
+#endif				/* ! _UTILS_H_ */


