diff --new-file -ru ipscromp-2.4.2/CHANGES ipscromp-2.4.3/CHANGES --- ipscromp-2.4.2/CHANGES Thu Aug 7 03:38:22 2003 +++ ipscromp-2.4.3/CHANGES Wed Sep 24 19:31:17 2003 @@ -110,3 +110,14 @@ 2.4.2 07/08/2003, Cheesy Fixed bug in in.ipscrompd.c where the alt_ip in IPERMIT was ignored + +2.4.3 24/09/2003, Cheesy + ipscromp.c re-written so you can use one password with multiple hosts + Added fw_touch.c, FW_OBJ that creates files + - Files are named with the IP that was opened, like for open_ip + - Each file contains the name of the user the opened that IP + Fixed bug in in.ipscrompd.c where sending no data and + closing the connection caused a core + Fixed bug in the open_ip from 2.4 or newer that simply didn't work + - open_ip now writes the username as in fw_touch.c + Fixed to compile under solaris/i386 diff --new-file -ru ipscromp-2.4.2/Makefile ipscromp-2.4.3/Makefile --- ipscromp-2.4.2/Makefile Sun May 11 08:32:17 2003 +++ ipscromp-2.4.3/Makefile Wed Sep 24 19:48:34 2003 @@ -4,6 +4,8 @@ RM = rm -f +## For Solaris +#LIBS += -lsocket -lnsl -lresolv ### Firewall code selection ### @@ -11,6 +13,10 @@ FW_OBJS=fw_program.o #CFLAGS += -DFW_PROGRAM=\"/your/fw/program\" +## For the touch a file based system. +#FW_OBJS=fw_touch.o +#CFLAGS += -DFW_DIRECTORY=\"/var/spool/ipscromp\" + ## For the built-in Linux method. ## Note that this only works with 2.2 kernels. ## Porting to 2.4 should be easy but I havn't done it :) @@ -20,10 +26,10 @@ ### Digest code selection ### # For libcrpyto/OpenSSL -MD_LIBS=-lcrypto +LIBS += -lcrypto # For libmd (http://www.penguin.cz/~mhi/libmd/) -#MD_LIBS=-lmd +#LIBS += =-lmd #CFLAGS += -DUSE_MD TARGETS = in.ipscrompd ipscromp fw_test 
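Review bot: The commented-out libmd line in the third Makefile hunk reads `#LIBS += =-lmd`; the stray `=` means that whoever uncomments it to build against libmd hands the literal token `=-lmd` to the linker, so it should read `#LIBS += -lmd`. The Solaris and libcrypto appends introduced in the same file use the plain `LIBS += ...` form, so this is the only line out of step with the rename from MD_LIBS.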
@@ -35,14 +41,14 @@ install -m 755 -s in.ipscrompd /usr/local/sbin ipscromp: ipscromp.o common.o - $(CC) $(CFLAGS) -o ipscromp ipscromp.o common.o $(MD_LIBS) + $(CC) $(CFLAGS) -o ipscromp ipscromp.o common.o $(LIBS) in.ipscrompd: $(FW_OBJS) in.ipscrompd.o common.o auth_proto_v2.o $(CC) $(CFLAGS) -o in.ipscrompd in.ipscrompd.o common.o \ - auth_proto_v2.o $(FW_OBJS) $(MD_LIBS) + auth_proto_v2.o $(FW_OBJS) $(LIBS) fw_test: $(FW_OBJS) common.o fw_test.o - $(CC) $(CFLAGS) -o fw_test $(FW_OBJS) common.o fw_test.o $(MD_LIBS) + $(CC) $(CFLAGS) -o fw_test $(FW_OBJS) common.o fw_test.o $(LIBS) clean:; $(RM) *.o core *.core *~ $(TARGETS) diff --new-file -ru ipscromp-2.4.2/auth_proto_v2.c ipscromp-2.4.3/auth_proto_v2.c --- ipscromp-2.4.2/auth_proto_v2.c Sat Apr 26 09:06:40 2003 +++ ipscromp-2.4.3/auth_proto_v2.c Wed Sep 24 19:45:06 2003 @@ -9,6 +9,7 @@ #include #include #include +#include #include #include #include diff --new-file -ru ipscromp-2.4.2/common.c ipscromp-2.4.3/common.c --- ipscromp-2.4.2/common.c Sun May 11 08:07:08 2003 +++ ipscromp-2.4.3/common.c Wed Sep 24 19:37:11 2003 @@ -3,6 +3,7 @@ #include #include #include +#include #include #include #include @@ -115,7 +116,7 @@ if (nread == 0) { - fprintf(stderr, "read(): EOF on socket.\n"); + syslog(LOG_INFO, "read(): EOF on socket.\n"); return NULL; } diff --new-file -ru ipscromp-2.4.2/fw_touch.c ipscromp-2.4.3/fw_touch.c --- ipscromp-2.4.2/fw_touch.c Wed Dec 31 16:00:00 1969 +++ ipscromp-2.4.3/fw_touch.c Wed Sep 24 18:47:00 2003 
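Review bot: The `syslog(LOG_INFO, ...)` that replaces the stderr message in common.c's read path changes behaviour for the ipscromp client as well, since the Makefile hunk above links common.o into `ipscromp`, `in.ipscrompd` and `fw_test` alike; a client user whose server hangs up now gets this diagnostic in the system log (under the default ident, unless the client calls openlog() somewhere outside this diff) while the terminal only shows ipscromp.c's own "Server closed connection" line. If the daemon is the intended audience, a comment saying so, `/* shared with the client: log here, the caller prints the user-facing message */`, would save the next reader the question. The trailing `\n` in a syslog() format is unnecessary: `syslog(LOG_INFO, "read(): EOF on socket.");`.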
@@ -0,0 +1,45 @@ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "common.h" +#include "in.ipscrompd.h" + +#ifndef FW_DIRECTORY +#error You must define FW_DIRECTORY for fw_touch.c +#endif + +int fw_add_ip(struct in_addr ip, char *user) +{ + FILE *fp; + + /* 21 includes 19 byes for the IP, a slash and a NULL */ + char *path = malloc(strlen(FW_DIRECTORY) + 21); + + if (path == NULL) + { + syslog(LOG_ERR, "malloc failed in fw_touch.c"); + return -ENOMEM; + } + + sprintf(path, "%s/%s", FW_DIRECTORY, inet_ntoa(ip)); + + if ((fp = fopen(path, "w")) == NULL) + { + syslog(LOG_ERR, "Unable to open '%s': %m", path); + free(path); + return -errno; + } + + fprintf(fp, "%s\n", user); + fclose(fp); + free(path); + + return 0; +} diff --new-file -ru ipscromp-2.4.2/in.ipscrompd.c ipscromp-2.4.3/in.ipscrompd.c --- ipscromp-2.4.2/in.ipscrompd.c Thu Aug 7 03:31:20 2003 +++ ipscromp-2.4.3/in.ipscrompd.c Wed Sep 24 19:42:19 2003 @@ -3,6 +3,7 @@ #include #include #include +#include #include #include #include @@ -15,6 +16,10 @@ #include "in.ipscrompd.h" #include "common.h" +#if defined(__svr4__) && defined(__sun__) && !defined(LOG_AUTHPRIV) +#define LOG_AUTHPRIV LOG_AUTH +#endif + #ifndef PASS_FILE #define PASS_FILE "/usr/local/etc/ipscromp_pass" #endif @@ -123,7 +128,7 @@ response = recv_sock(STDIN_FILENO); /* strtok() inserts NULLs into a string, so we make a safe copy */ - if ((command = strdup(response)) != NULL) + if (response != NULL && (command = strdup(response)) != NULL) { command = strtok(command, " "); user = strtok(NULL, " "); 
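Review bot: `return -errno;` after the `syslog(LOG_ERR, "Unable to open '%s': %m", path)` call in fw_add_ip returns whatever errno syslog() left behind rather than the fopen() failure; capture it first (`int saved = errno;`) and return `-saved`. `fprintf` and `fclose` are unchecked, so a full disk or a write error leaves a truncated or empty file while the function reports 0 and the daemon tells the client the IP was opened. `fopen(path, "w")` also follows symbolic links, so the directory named by FW_DIRECTORY has to be writable only by the daemon's own user; opening with `open(O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW)` and `fdopen` makes the write independent of directory permissions (`<fcntl.h>` and `<unistd.h>` are needed if the header names stripped from this rendering do not already include them). The buffer arithmetic is sound — a dotted quad is at most 15 bytes plus slash and NUL — so `sprintf` is not a bug here, but `snprintf` with the same size keeps that invariant enforced rather than assumed.
```c
int fw_add_ip(struct in_addr ip, char *user)
{
	FILE *fp;
	int fd, saved;
	/* … unchanged: path allocation and the ENOMEM check … */

	snprintf(path, strlen(FW_DIRECTORY) + 21, "%s/%s", FW_DIRECTORY, inet_ntoa(ip));

	/* O_NOFOLLOW: never write through a link left in FW_DIRECTORY */
	fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
	if (fd < 0 || (fp = fdopen(fd, "w")) == NULL)
	{
		saved = errno;		/* syslog() may clobber errno */
		syslog(LOG_ERR, "Unable to open '%s': %m", path);
		if (fd >= 0) close(fd);
		free(path);
		return -saved;
	}

	fprintf(fp, "%s\n", user);
	if (fclose(fp) != 0)	/* a failed flush must not report success */
	{
		saved = errno;
		syslog(LOG_ERR, "Error writing '%s': %m", path);
		free(path);
		return -saved;
	}
	free(path);

	return 0;
}
```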
@@ -131,12 +136,18 @@ } /* Check for protocol sanity */ - if ( command == NULL + if ( response == NULL + || command == NULL || user == NULL || proto_version == NULL || (proto_version_num = atoi(proto_version)) <= 0 || strcmp(command, "USER")) { + if (response == NULL) + { + response = "(null)"; + } + syslog(LOG_ERR, "Received invalid USER string '%s'", response); send_sock(STDOUT_FILENO, errormsgs[ERROR_PROTOCOL]); return 1; diff --new-file -ru ipscromp-2.4.2/ipscromp.c ipscromp-2.4.3/ipscromp.c --- ipscromp-2.4.2/ipscromp.c Sun May 11 08:09:18 2003 +++ ipscromp-2.4.3/ipscromp.c Wed Sep 24 19:52:36 2003 @@ -2,6 +2,7 @@ #include #include #include +#include #include #include #include @@ -141,7 +142,7 @@ t.c_lflag &= (~ECHO); } - if(tcsetattr(fileno(stdin), 0, &t) < 0) + if(tcsetattr(fileno(stdin), TCSANOW, &t) < 0) { perror("tcsetattr()"); return -1; 
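Review bot: The `(null)` substitution block added in this hunk can be folded into the log call, `syslog(LOG_ERR, "Received invalid USER string '%s'", response ? response : "(null)");`, which removes five lines and avoids re-pointing `response` at a string literal before it is used. The new `response == NULL` clause at the head of the sanity check is only reachable if `command` can be non-NULL while `response` is NULL, which the guard added in the previous hunk (`response != NULL && (command = strdup(response)) != NULL`) rules out; if `command` is initialised to NULL where it is declared (outside this hunk), the clause is redundant and the existing `command == NULL` test already covers the empty-read case this release fixes.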
@@ -151,103 +152,38 @@ void usage(char *progpath) { - printf("Usage: %s [options] [[@]host[:]]\n" + printf("Usage: %s [options] [[@]host[:]] [..]\n" " Options:\n" " -1 : switch to version 1 (MD5) protocol\n" " -d : enable debug messages\n" " -l user: specify user name if different from current\n" " -i ip : specity alternate hostname or IP to open\n" - " Deprecated options:\n" - " -h host: specify host other than %s\n" - " -p port: use port other than %d\n" - " -u user: same as -l\n" "\n", - progname(progpath), DEFAULT_HOST, DEFAULT_PORT + progname(progpath) ); } -int main(int argc, char *argv[]) +int connect_ipscrompd(char *host, char *dflt_user, char *password, + int version, char *alt_ip) { - int opt, fd, auth_len, port = DEFAULT_PORT, version = 2; - char *host = DEFAULT_HOST, - *user = getlogin(), - *pass = NULL, - *alt_ip = NULL, - *auth_str, *tmp; + char *challenge, *response, + *auth_str, *at_symbol, *user = dflt_user; - char *challenge, *response; + int port, auth_len, fd; - while ((opt = getopt(argc, argv, "1dh:i:l:p:u:")) != EOF) + if ((at_symbol = index(host, '@')) != NULL) { - switch(opt) + user = malloc(at_symbol - host + 1); + if (user == NULL) { - case '1': - version = 1; - break; - - case 'd': - debug++; - break; - - case 'h': - fprintf(stderr, "WARNING: The use of -h is deprecated\n"); - host = optarg; - break; - - case 'i': - alt_ip = optarg; - break; - - case 'l': - user = optarg; - break; - - case 'p': - fprintf(stderr, "WARNING: The use of -p is deprecated\n"); - port = atoi(optarg); - break; - - case 'u': - fprintf(stderr, "WARNING: The use of -u is deprecated\n"); - user = optarg; - break; - - case '?': - usage(argv[0]); - return 1; - break; - - default: - fprintf(stderr, "INTERNAL ERRROR: Untrapped getopt() char '%c'\n", - opt); + fprintf(stderr, "Unable to malloc() space for user string.\n"); + return 1; } - } - if (argc - optind > 1) - { - usage(argv[0]); - return 1; - } - - if (argc - optind == 1) - { - char *at_symbol; - host = 
argv[optind]; - - if ((at_symbol = index(host, '@')) != NULL) - { - user = malloc(at_symbol - host + 1); - if (user == NULL) - { - fprintf(stderr, "Unable to malloc() space for user string.\n"); - return 1; - } - - strncpy(user, host, at_symbol - host); - user[at_symbol - host] = '\0'; - - host = at_symbol + 1; - } + strncpy(user, host, at_symbol - host); + user[at_symbol - host] = '\0'; + + host = at_symbol + 1; } #ifdef __CYGWIN__ @@ -260,50 +196,18 @@ if (user == NULL) { fprintf(stderr, "Cannot determine username; please use -l\n"); + if (user != dflt_user) free(user); return 2; } - if (alt_ip != NULL && version < 2) - { - fprintf(stderr, "WARNING: Alternative IP unsupported with old protocol\n"); - } - - if (alt_ip != NULL) - { - tmp = ip_string(alt_ip); - if (tmp == NULL) - { - fprintf(stderr, "Cannot resolve '%s' to an IP address\n", alt_ip); - exit(1); - } - alt_ip = tmp; - } - - if (set_echo(0) < 0) - { - return 3; - } - - pass = ask_user("Your password: "); - printf("\n"); - - /* Do we really care if this fails? What can we do? */ - set_echo(1); - - if (port != DEFAULT_PORT) - { - port = find_port(host, NULL, port); - } - else - { - port = find_port(host, DEFAULT_SERVICE, port); - } + port = find_port(host, DEFAULT_SERVICE, DEFAULT_PORT); dbg("Connecting to %s:%d\n", host, port); if ((fd = connect_host(host, port)) < 0) { - return 5; + if (user != dflt_user) free(user); + return 1; } send_sock(fd, "USER %s %d\n", user, version); 
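Review bot: `index(host, '@')` in the new connect_ipscrompd is the legacy BSD name; `strchr(host, '@')` is the standard equivalent with the same result. The per-host copy of `user` is released by `if (user != dflt_user) free(user);` repeated on six exit paths across this hunk and the ones at -260, -313, -333 and -363; a single `rc = 1; goto out;` with the free and `close(fd)` under one label would keep those paths from drifting apart as more are added. The instance in the `if (user == NULL)` branch of the -260 hunk is a no-op, since `user` is only ever `dflt_user` or a non-NULL malloc result — unless the `__CYGWIN__` block between the two hunks reassigns it, which this diff does not show.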
@@ -313,18 +217,22 @@ if (response == NULL) { printf("Server closed connection instead of responding\n"); - return 6; + if (user != dflt_user) free(user); + close(fd); + return 1; } if (strncmp(response, "AUTH ", 5) != 0) { printf("Server responded incorrectly: '%s'\n", response); - return 6; + if (user != dflt_user) free(user); + close(fd); + return 1; } challenge = &response[5]; - auth_len = strlen(user) + strlen(challenge) + strlen(pass) + 3; + auth_len = strlen(user) + strlen(challenge) + strlen(password) + 3; if (alt_ip != NULL) { auth_len += strlen(alt_ip) + 1; @@ -333,19 +241,20 @@ if ((auth_str = malloc(auth_len)) == NULL) { fprintf(stderr, "Unable to malloc() space for auth string.\n"); + if (user != dflt_user) free(user); close(fd); - return 8; + return 1; } if (alt_ip == NULL) { snprintf(auth_str, auth_len, "%s:%s:%s", - user, challenge, pass); + user, challenge, password); } else { snprintf(auth_str, auth_len, "%s:%s:%s:%s", - user, alt_ip, challenge, pass); + user, alt_ip, challenge, password); } if (debug > 1) 
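Review bot: The two protocol-error branches at the top of this hunk report via `printf` to stdout while the malloc failure in the next hunk uses `fprintf(stderr, ...)`; now that every failure returns the same code 1 and main() sums the results over several hosts, stderr is the only channel left that lets a caller separate diagnostics from the `OK` result line printed at the end of connect_ipscrompd. `fprintf(stderr, "Server closed connection instead of responding\n");` (and likewise for the "Server responded incorrectly" message) keeps stdout for results.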
@@ -363,12 +272,98 @@ } response = recv_sock(fd); + close(fd); + if (user != dflt_user) free(user); + if (strncmp(response, "OK ", 3) != 0) { printf("Server reports an error: '%s'\n", response); - return 7; + return 1; } printf("%s\n", response); return 0; } + +int main(int argc, char *argv[]) +{ + int opt, version = 2, rc; + char *user = getlogin(), + *pass = NULL, + *alt_ip = NULL, *tmp; + + while ((opt = getopt(argc, argv, "1dh:i:l:p:u:")) != EOF) + { + switch(opt) + { + case '1': + version = 1; + break; + + case 'd': + debug++; + break; + + case 'i': + alt_ip = optarg; + break; + + case 'l': + user = optarg; + break; + + case '?': + usage(argv[0]); + return 1; + break; + + default: + fprintf(stderr, "INTERNAL ERRROR: Untrapped getopt() char '%c'\n", + opt); + } + } + + if (alt_ip != NULL && version < 2) + { + fprintf(stderr, "WARNING: Alternative IP unsupported with old protocol\n"); + } + + if (alt_ip != NULL) + { + tmp = ip_string(alt_ip); + if (tmp == NULL) + { + fprintf(stderr, "Cannot resolve '%s' to an IP address\n", alt_ip); + exit(1); + } + alt_ip = tmp; + } + + if (set_echo(0) < 0) + { + return 3; + } + + pass = ask_user("Your password: "); + printf("\n"); + + /* Do we really care if this fails? What can we do? */ + set_echo(1); + + rc = 0; + + if (argc - optind == 0) + { + rc += connect_ipscrompd(DEFAULT_HOST, user, pass, version, alt_ip); + } + else + { + for (; optind < argc; optind++) + { + rc += connect_ipscrompd(argv[optind], user, pass, version, alt_ip); + } + } + + return rc; +} + diff --new-file -ru ipscromp-2.4.2/scripts/open_ip ipscromp-2.4.3/scripts/open_ip --- ipscromp-2.4.2/scripts/open_ip Sat Apr 26 10:11:42 2003 +++ ipscromp-2.4.3/scripts/open_ip Wed Sep 24 18:54:47 2003 
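Review bot: The getopt string in the new main() is still `"1dh:i:l:p:u:"`, but the `-h`, `-p` and `-u` cases were removed together with their usage text, so `ipscromp -h host` now prints `INTERNAL ERRROR: Untrapped getopt() char 'h'` and carries on with the option silently ignored; trim it to `getopt(argc, argv, "1di:l:")` so getopt reports the unknown option and `usage()` is shown. At the top of the hunk the final `response = recv_sock(fd);` is followed by the new `close(fd);` and then the context `strncmp(response, "OK ", 3)` with no NULL check, although the same function treats a NULL from recv_sock as "Server closed connection" two hunks earlier; a server that drops the connection after the AUTH exchange dereferences NULL here (pre-existing, but this hunk is where the check belongs, mirroring the earlier branch: `if (response == NULL) { fprintf(stderr, "Server closed connection instead of responding\n"); return 1; }`). The `break;` after `return 1;` in the `'?'` case is unreachable and can go.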
@@ -12,13 +12,13 @@ IP_LIST_DIR=/var/spool/ipscromp FW_UPD_SCRIPT=/usr/local/sbin/reload_ipf -if [ $# -lt 1 -o $# -gt 2] +if [ $# -lt 1 -o $# -gt 2 ] then echo Usage: $(basename $0) '' '[]' >&2 exit 1 fi -touch $IP_LIST_DIR/$1 +echo "$2" > $IP_LIST_DIR/$1 rc=$? if [ $rc -eq 0 ]
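Review bot: `echo "$2" > $IP_LIST_DIR/$1` builds the target path from the first argument without checking that it has the shape of an address, and the redirection target is unquoted; fw_touch.c in this same release only ever produces `inet_ntoa()` names, so the script should enforce the same shape before using `$1` as a file name and quote the path. `echo "$2"` also treats a username that begins with `-` as options (and, on some shells, interprets backslash sequences), so `printf '%s\n' "$2"` is the form that writes it verbatim. The `-o` operator in the fixed `[ ... ]` test is marked obsolescent by POSIX; two tests joined with `||` are the portable spelling.
```sh
# … unchanged: IP_LIST_DIR / FW_UPD_SCRIPT and the argument-count check …
case "$1" in
	*[!0-9.]*|"") echo "$(basename $0): bad IP '$1'" >&2; exit 1 ;;
esac

printf '%s\n' "$2" > "$IP_LIST_DIR/$1"
rc=$?
```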