/*
	File:       XTunnelsDatabaseAccess.cp

	Contains:   The X-Tunnels server's database name/IP validation routines.

	Copyright:  (c) 2003 by Xten Networks, Inc., all rights reserved.
*/
#if DEBUG
#include <iostream>
#endif //DEBUG
#include <sstream>
#include <vector>
#include <map>
#include <algorithm>
#include <stdio.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
//#include <sys/types.h>
#include <netinet/in.h>
#if VS_TARGET_OS_OPENBSD
// -- need a fully qualified path for the makefile built version
#include </usr/local/pgsql/include/libpq-fe.h>
#else
#include <libpq-fe.h> 
#endif // VS_TARGET_OS_OPENBSD
#include "restart.h"
#include "uiciname.h"
#include "XTunnelsCVsDES.h"
#include "XTunnelsCVsAES.h"
#include "XTunnelsProtocol.h"
#include "XTunnelsFamilyData.h"
#include "XTunnelsChildData.h"
#include "XTunnelsParentData.h"
#include "XTunnelsXCipher.h"
#if DEBUG
using std::cout;
using std::endl;
#endif //DEBUG
// NOTE(review): istrstream/ostrstream live in the deprecated <strstream>
// header, which this file does not include directly -- presumably one of
// the project headers above pulls it in; confirm before touching the includes.
using std::istrstream;
using std::ostrstream;
using std::ostream;
using std::vector;
using std::map;
using std::pair;
using namespace XTunnels;

// Translation-unit private state: configuration keys, the cached database
// connection, the in-memory copy of the host rules, and per-destination
// traffic counters. Nothing here is synchronized; the callers' threading
// model is not visible in this file.
namespace {
// filename containing runtime options
const char* g_szConfigFileName = "xtunnels.cfg";
// server runtime options
const char* g_szConfigFileLineListenPort = "listenport=";
const char* g_szConfigFileLineMaxClients = "maxclients=";
// X-Cipher options
const char* g_szConfigFileLineXCipherEnabled = "xcipherenabled=";
const char* g_szConfigFileLineXCipherGlobal = "xcipherglobal=";
const char* g_szConfigFileLineXCipherHost = "xcipherhost=";
const char* g_szConfigFileLineXCipherPassword = "xcipherpassword=";
// PostgreSQL connection string options
const char* g_szConfigFileLineDBHost = "host=";
const char* g_szConfigFileLineDBPort = "port=";
const char* g_szConfigFileLineDBUsername = "user=";
const char* g_szConfigFileLineDBPassword = "password=";
const char* g_szConfigFileLineDBName = "dbname=";
// Fixed-size, zero-initialised buffers for the PostgreSQL connection
// parameters (sized by the project constant EMaxSmallBufferSize).
// NOTE(review): the database password is kept in a plain global buffer for
// the lifetime of the process; whether it is cleared after the connection
// string is built is decided by code outside this view -- verify.
char g_szDBHost[EMaxSmallBufferSize] = { 0 };
char g_szDBPort[EMaxSmallBufferSize] = { 0 };
char g_szDBUsername[EMaxSmallBufferSize] = { 0 };
char g_szDBPassword[EMaxSmallBufferSize] = { 0 };
char g_szDBName[EMaxSmallBufferSize] = { 0 };
// how to connect to a PostgreSQL server
// (NULL means "no active database"; LogDestinationIPIncomingTraffic below
// treats that as a no-op that reports success)
PGconn* g_pDBConnection = NULL;
// we cache rules from database at startup and on update
// One access rule for one host name: m_iRuleType is an ERule* value and
// the [m_ulFromIP, m_ulToIP] address range is stored in network byte order
// (IsIPInRange converts with ntohl before comparing).
typedef struct
   {
   char* m_szHost;
   int m_iRuleType;
   in_addr_t m_ulFromIP;
   in_addr_t m_ulToIP;
   } THostRule;
// Rules applied to the connecting (source) address and to the destination
// address respectively. Only g_cHostSourceRules is consulted in this view.
vector<THostRule> g_cHostSourceRules;
vector<THostRule> g_cHostDestinationRules;
// keep track of data size by validated destination
typedef struct
   {
   unsigned long m_ulIncomingTraffic;
   unsigned long m_ulOutgoingTraffic;
   } TDestinationTraffic;
//map<unsigned long, unsigned long> g_cDestinationIPs;
// Byte counters keyed by destination IP (key type matches the
// ulDestinationIP parameter of LogDestinationIPIncomingTraffic).
map<unsigned long, TDestinationTraffic> g_cDestinationIPs;

// Retrieves the peer address of inAttemptingSocket into outAttempter and,
// when outName is non-NULL, a name for it via addr2name (from uiciname.h).
// getpeername is retried while it fails with EINTR.
// Returns 0 on success, 1 if getpeername fails for any other reason
// (outAttempter is then unspecified and outName is not written).
// NOTE(review): if addr2name performs a reverse DNS lookup, outName is
// chosen by whoever controls that address's reverse zone; the rule checks
// below key on the numeric address only, which is the safer input.
int GetPeerFromSocket(int inAttemptingSocket, struct sockaddr_in* outAttempter, char outName[MAX_CANON])
	{
	socklen_t len = sizeof(struct sockaddr_in);
	int retval = 0;
	// restart on EINTR; any other failure falls through to the error path
	while ( ((retval = getpeername(inAttemptingSocket, (struct sockaddr *)outAttempter, &len)) == -1) && (errno == EINTR) )
		{
		}
	if (-1 == retval)
		{
#if DEBUG
		cout << "X-Tunnels: GetPeerFromSocket failed to get connector's socket IP" << endl;
#endif //DEBUG
		return 1;
		}
		
	if (outName)
		addr2name(outAttempter->sin_addr, outName, MAX_CANON);
		
	return 0;
	}

// Returns true when tAddr lies within the inclusive range
// [tMinAddr, tMaxAddr]. All three values are network-byte-order addresses;
// the comparison is done on their host-byte-order (ntohl) values so that
// numeric ordering matches dotted-quad ordering.
bool IsIPInRange(in_addr_t tAddr, in_addr_t tMinAddr, in_addr_t tMaxAddr)
   {
   if (ntohl(tAddr) < ntohl(tMinAddr))
      {
#if DEBUG
      cout << "IsIPInRange: " << ntohl(tAddr) << " < " << ntohl(tMinAddr) << " -- returning false!" << endl;
#endif //DEBUG
      return false;
      }
   if (ntohl(tAddr) > ntohl(tMaxAddr))
      {
#if DEBUG
      cout << "IsIPInRange: " << ntohl(tAddr) << " > " << ntohl(tMaxAddr) << " -- returning false!" << endl;
#endif //DEBUG
      return false;
      }
#if DEBUG
   cout << "IsIPInRange: " << ntohl(tMinAddr) << " < "  << ntohl(tAddr) << " < " << ntohl(tMaxAddr) << " -- returning true!" << endl;
#endif //DEBUG
   return true;
   }

// Returns true if any ERuleDenyConnection rule cached for szHost covers
// tAddr; rules for other hosts and of other types are ignored.
// This is independent of VerifyConnectingIPIsPermitted: a caller that wants
// deny rules to take precedence regardless of rule order must call this
// first (see the note on that function).
// szHost is compared with strcmp, so it must be a valid NUL-terminated
// string (a NULL szHost is not handled here).
bool VerifyConnectingIPIsRejected(struct in_addr tAddr, const char* szHost)
   {
   for (vector<THostRule>::const_iterator iter = g_cHostSourceRules.begin(); iter != g_cHostSourceRules.end(); ++iter)
      {
      if (strcmp(iter->m_szHost, szHost))
         continue;
         
      switch (iter->m_iRuleType)
         {
         case ERuleDenyConnection:
            if (IsIPInRange(tAddr.s_addr, iter->m_ulFromIP, iter->m_ulToIP))
               return true;
            break;
         default:
            break;
         }
      }
      
	return false;
   }
   
// Decides whether a connection from tAddr to the host szHost is permitted.
// Walks g_cHostSourceRules in cached order and stops at the first rule for
// szHost whose range contains tAddr:
//   ERuleAcceptConnection          -> true  (non-anonymous connections only)
//   ERuleAcceptAnonymousConnection -> true  (anonymous connections only)
//   ERuleDenyConnection            -> false
// If no rule matches, non-anonymous connections are allowed unless at least
// one ERuleAcceptConnection rule exists for the host (in which case the
// accept rules are treated as an allow-list); anonymous connections are
// refused.
// NOTE(review): because the first matching rule wins, a deny rule that is
// cached after an accept rule covering the same address is never reached
// here -- confirm callers check VerifyConnectingIPIsRejected first, or that
// the rule loader orders deny rules ahead of accept rules.
// NOTE(review): a host with no rules at all is default-allow for
// non-anonymous connections; that is by design per the comment near the
// end of the function, but worth keeping in mind when reviewing rule data.
bool VerifyConnectingIPIsPermitted(struct in_addr tAddr, const char* szHost, bool bAnonymously)
	{
#if DEBUG
   struct in_addr tFromAddr;
   struct in_addr tToAddr;
#endif //DEBUG
   /* we're going to load rules for all hosts as a set
   if (!LoadRulesIfNeeded(szHost))
      {
      return false;
      }
      */
      
	// set once any ERuleAcceptConnection rule exists for szHost, whether or
	// not it matches; turns the "no rule matched" outcome into a refusal
	bool bOnlyRuleExists = false;
   for (vector<THostRule>::const_iterator iter = g_cHostSourceRules.begin(); iter != g_cHostSourceRules.end(); ++iter)
      {
      if (strcmp(iter->m_szHost, szHost))
         continue;
         
      switch (iter->m_iRuleType)
         {
         case ERuleAcceptConnection:
            bOnlyRuleExists = true;
            if (bAnonymously)
               break;
#if DEBUG
/*
		      cout << "X-Tunnels: VerifyConnectingIPIsPermitted checking ERuleAcceptConnection:" << endl;
		      cout << "connecting in_addr: " << ntohl(tAddr.s_addr) << " (" << inet_ntoa(tAddr) << ") " << endl;
		      tFromAddr.s_addr = iter->m_ulFromIP;
		      cout << "   minimum in_addr: " << ntohl(iter->m_ulFromIP) << " (" << inet_ntoa(tFromAddr) << ") " << endl;
		      tToAddr.s_addr = iter->m_ulToIP;
		      cout << "   maximum in_addr: " << ntohl(iter->m_ulToIP) << " (" << inet_ntoa(tToAddr) << ") " << endl;
*/
#endif //DEBUG
            if (IsIPInRange(tAddr.s_addr, iter->m_ulFromIP, iter->m_ulToIP))
               {
#if DEBUG
		         cout << "   connecting was in range -- returning true!" << endl;
#endif //DEBUG
               return true;
               }
#if DEBUG
		      cout << "   connecting was not in range -- looking for more rules" << endl;
#endif //DEBUG
            break;
         case ERuleAcceptAnonymousConnection:
            if (!bAnonymously)
               break;
#if DEBUG
		      cout << "X-Tunnels: VerifyConnectingIPIsPermitted checking ERuleAcceptAnonymousConnection:" << endl;
		      cout << "connecting in_addr: " << ntohl(tAddr.s_addr) << " (" << inet_ntoa(tAddr) << ") " << endl;
		      tFromAddr.s_addr = iter->m_ulFromIP;
		      cout << "   minimum in_addr: " << ntohl(iter->m_ulFromIP) << " (" << inet_ntoa(tFromAddr) << ") " << endl;
		      tToAddr.s_addr = iter->m_ulToIP;
		      cout << "   maximum in_addr: " << ntohl(iter->m_ulToIP) << " (" << inet_ntoa(tToAddr) << ") " << endl;
#endif //DEBUG
            if (IsIPInRange(tAddr.s_addr, iter->m_ulFromIP, iter->m_ulToIP))
               {
#if DEBUG
		         cout << "   connecting was in range -- returning true!" << endl;
#endif //DEBUG
               return true;
               }
#if DEBUG
		      cout << "   connecting was not in range -- looking for more rules" << endl;
#endif //DEBUG
            break;
         case ERuleDenyConnection:
            // deny rules apply to anonymous and non-anonymous connections alike
#if DEBUG
		      cout << "X-Tunnels: VerifyConnectingIPIsPermitted checking ERuleDenyConnection:" << endl;
		      cout << "connecting in_addr: " << ntohl(tAddr.s_addr) << " (" << inet_ntoa(tAddr) << ") " << endl;
		      tFromAddr.s_addr = iter->m_ulFromIP;
		      cout << "   minimum in_addr: " << ntohl(iter->m_ulFromIP) << " (" << inet_ntoa(tFromAddr) << ") " << endl;
		      tToAddr.s_addr = iter->m_ulToIP;
		      cout << "   maximum in_addr: " << ntohl(iter->m_ulToIP) << " (" << inet_ntoa(tToAddr) << ") " << endl;
#endif //DEBUG
            if (IsIPInRange(tAddr.s_addr, iter->m_ulFromIP, iter->m_ulToIP))
               {
#if DEBUG
		         cout << "   connecting was in range -- returning false!" << endl;
#endif //DEBUG
               return false;
               }
#if DEBUG
		      cout << "   connecting was not in range -- looking for more rules" << endl;
#endif //DEBUG
            break;
         //case ERuleOnlyTransmitTo:
         default:
            // not applicable
#if DEBUG
		      cout << "X-Tunnels: VerifyConnectingIPIsPermitted unknown rule type " << iter->m_iRuleType << endl;
#endif //DEBUG
            break;
         }
      }
   bool bAcceptWithoutRule = !bAnonymously && !bOnlyRuleExists;
   // if we didn't see any only rules, accept anything.
   // if we did, exclude all others
#if DEBUG
   cout << "X-Tunnels: VerifyConnectingIPIsPermitted found no applicable rules, returning " << (bAcceptWithoutRule ? "true!" : "false!") << endl;
#endif //DEBUG
	return bAcceptWithoutRule;
	}
} // end anonymous namespace

namespace XTunnels {

// Number of distinct destination IPs that currently have traffic counters.
unsigned long GetUniqueDestinations()
   {
   return g_cDestinationIPs.size();
   }
   
// Copies up to ulCount destination traffic records into pInfo.
// pInfo must point to at least ulCount TDestinationInfo elements; the whole
// array is zeroed first, then records are written from the last element
// backwards in ascending key order, so if the map holds more than ulCount
// entries only the first ulCount (lowest IPs) are reported, and if it holds
// fewer the leading elements stay zero.
// NOTE(review): the memset runs before the ulCount check, so a NULL pInfo
// with ulCount == 0 results in a zero-length memset on a null pointer --
// harmless in practice but worth guarding if callers can pass NULL.
void GetDestinationsTraffic(unsigned long ulCount, TDestinationInfo* pInfo)
   {
   memset(pInfo, 0, ulCount * sizeof(TDestinationInfo));
   if (!ulCount)
      return;
	ulCount--; // we'll fill in array from the end
	//for (map<unsigned long,unsigned long>::const_iterator pIter = g_cDestinationIPs.begin(); pIter != g_cDestinationIPs.end(); ++pIter)
	for (map<unsigned long,TDestinationTraffic>::const_iterator pIter = g_cDestinationIPs.begin(); pIter != g_cDestinationIPs.end(); ++pIter)
	   {
	   pInfo[ulCount].m_ulIPAddress = pIter->first;
	   pInfo[ulCount].m_ulIncomingTraffic = pIter->second.m_ulIncomingTraffic;
	   pInfo[ulCount].m_ulOutgoingTraffic = pIter->second.m_ulOutgoingTraffic;
	   // stop once element 0 has been written; never underflow ulCount
	   if (!ulCount)
	      return;
	   ulCount--;
	   }
   }

// Adds ulPacketSize bytes to the incoming-traffic counter for
// ulDestinationIP, creating the entry if needed. Returns true immediately
// (without counting) when there is no active database connection.
// (Definition continues beyond this section of the file.)
bool LogDestinationIPIncomingTraffic(unsigned long ulDestinationIP, unsigned long ulPacketSize)
   {
	// always true if no active database
   if (!g_pDBConnection)
      return true;
	//map<unsigned long, unsigned long>::iterator pIter = g_cDestinationIPs.find(ulDestinationIP);
	map<unsigned long, TDestinationTraffic>::iterator pIter = 
g_cDestinationIPs.find(ulDestinationIP);	if (pIter != g_cDestinationIPs.end())      {      pIter->second.m_ulIncomingTraffic += ulPacketSize;      return true;      }	   //pair<unsigned long, unsigned long> cNewEntry(ulDestinationIP, ulPacketSize);   TDestinationTraffic tTraffic;
