// Replaces the contents of buf with the base64 representation of the data // after encryption with the given key. // The key is a word as used in gosa-si.conf whose md5sum will be used as // the actual AES key. buf is empty, it won't be changed. func GosaEncryptBuffer(buf *bytes.Buffer, key string) { datalen := buf.Len() if datalen == 0 { return } ciph, _ := aes.NewCipher([]byte(util.Md5sum(key))) crypter := cipher.NewCBCEncrypter(ciph, config.InitializationVector) cryptpad := (aes.BlockSize - datalen%aes.BlockSize) &^ aes.BlockSize cryptlen := cryptpad + datalen b64len := ((cryptlen + 2) / 3) << 2 for i := datalen; i < b64len; i++ { buf.WriteByte(0) } data := buf.Bytes() copy(data[b64len-datalen:], data) // move data back idx := b64len - cryptlen copy(data[idx:], make([]byte, cryptpad)) // insert 0s in front crypter.CryptBlocks(data[idx:], data[idx:]) util.Base64EncodeInPlace(data, idx) }
// Like GosaDecrypt() but operates in-place on buf. // Returns true if decryption successful and false if not. // If false is returned, the buffer contents may be destroyed, but only // if further decryption attempts with other keys would be pointless anyway, // because of some fatal condition (such as the data not being a multiple of // the cipher's block size). func GosaDecryptBuffer(buf *bytes.Buffer, key string) bool { buf.TrimSpace() if buf.Len() < 11 { return false } // minimum length of unencrypted <xml></xml> data := buf.Bytes() if string(data[0:5]) == "<xml>" { return true } // Fixes the following: // * gosa-si bug in the following line: // if( $client_answer =~ s/session_id=(\d+)$// ) { // This leaves the "." before "session_id" which breaks base64 // * new gosa-si protocol has ";IP:PORT" appended to message // which also breaks base64 for semicolon_period := 0; semicolon_period < len(data); semicolon_period++ { if data[semicolon_period] == ';' || data[semicolon_period] == '.' { buf.Trim(0, semicolon_period) data = buf.Bytes() break } } aescipher, _ := aes.NewCipher([]byte(util.Md5sum(key))) crypter := cipher.NewCBCDecrypter(aescipher, config.InitializationVector) cryptotest := make([]byte, (((3*aes.BlockSize)+2)/3)<<2) n := copy(cryptotest, data) cryptotest = cryptotest[0:n] cryptotest = util.Base64DecodeInPlace(cryptotest) n = (len(cryptotest) / aes.BlockSize) * aes.BlockSize cryptotest = cryptotest[0:n] crypter.CryptBlocks(cryptotest, cryptotest) if !strings.Contains(string(cryptotest), "<xml>") { return false } data = util.Base64DecodeInPlace(data) buf.Trim(0, len(data)) data = buf.Bytes() if buf.Len()%aes.BlockSize != 0 { // this condition is fatal => further decryption attempts are pointless buf.Reset() return false } crypter = cipher.NewCBCDecrypter(aescipher, config.InitializationVector) crypter.CryptBlocks(data, data) buf.TrimSpace() // removes 0 padding, too return true }
// Handles the message "gosa_get_log_file_by_date_and_mac". // xmlmsg: the decrypted and parsed message // Returns: // unencrypted reply func gosa_get_log_file_by_date_and_mac(xmlmsg *xml.Hash) *xml.Hash { macaddress := xmlmsg.Text("mac") lmac := strings.ToLower(macaddress) subdir := xmlmsg.Text("date") log_file := xmlmsg.Text("log_file") header := "get_log_file_by_date_and_mac" x := xml.NewHash("xml", "header", header) x.Add(header) x.Add("source", config.ServerSourceAddress) x.Add("target", "GOSA") x.Add("session_id", "1") if !macAddressRegexp.MatchString(macaddress) { emsg := fmt.Sprintf("Illegal or missing <mac> element in message: %v", xmlmsg) util.Log(0, "ERROR! %v", emsg) return ErrorReplyXML(emsg) } // As a precaution, make sure subdir and log_file contain no slashes. subdir = strings.Replace(subdir, "/", "_", -1) log_file = strings.Replace(log_file, "/", "_", -1) if subdir == "" { // When you open the installation logs in GOsa for the first time, GOsa sends // a broken request that is characterized by an empty <date> and log_file==0. // If we return an error, GOsa presents it to the user which // gives a bad experience. So we instead return an empty reply in this special case. if log_file == "0" { return x } emsg := fmt.Sprintf("Missing or empty <date> element in message: %v", xmlmsg) util.Log(0, "ERROR! %v", emsg) return ErrorReplyXML(emsg) } if log_file == "" { emsg := fmt.Sprintf("Missing or empty <log_file> element in message: %v", xmlmsg) util.Log(0, "ERROR! %v", emsg) return ErrorReplyXML(emsg) } f, err := os.Open(path.Join(config.FAILogPath, lmac, subdir, log_file)) if err != nil { emsg := fmt.Sprintf("gosa_get_log_file_by_date_and_mac: %v", err) util.Log(0, "ERROR! %v", emsg) return ErrorReplyXML(emsg) } defer f.Close() var b bytes.Buffer defer b.Reset() buffy := make([]byte, 65536) for { n, err := f.Read(buffy) b.Write(buffy[0:n]) if err == io.EOF { break } if err != nil { emsg := fmt.Sprintf("gosa_get_log_file_by_date_and_mac: %v", err) util.Log(0, "ERROR! %v", emsg) return ErrorReplyXML(emsg) } if n == 0 { util.Log(0, "WARNING! Read returned 0 bytes but no error. Assuming EOF") break } } idx := (((b.Len() + 2) / 3) << 2) - b.Len() b.Write0(idx) data := b.Bytes() copy(data[idx:], data) data = util.Base64EncodeInPlace(data, idx) data_element := x.Add(log_file) // To reduce memory leak potential, we append in pieces rather than as one large string end := xml.MaxFragmentLength for ; end < len(data); end += xml.MaxFragmentLength { data_element.AppendString(string(data[end-xml.MaxFragmentLength : end])) } data_element.AppendString(string(data[end-xml.MaxFragmentLength:])) return x }
// Converts LDIF data into a Hash. The outermost tag will always be "xml". // If an error occurs the returned Hash may contain partial data but it // is never nil. // // itemtag: If non-empty, each object in the LDIF will be inside an element // whose outermosttag is itemtag. If itemtag == "", all objects in the // LDIF are merged, i.e. all their combined attributes are directly // inside the surrounding "xml" tag. // casefold: If true, all attribute names are converted to lowercase. // If false, they are left exactly as found in the LDIF. // ldif: A []byte, string, io.Reader or *exec.Cmd that provides the LDIF data. // Understands all ldapsearch formats with an arbitrary number of "-L" switches. // elementInfo: If one or more ElementInfo structs are passed, only attributes // matching one of them will be accepted and the first match in the // elementInfo list determines how the attribute in the LDIF will be // converted to an element in the result Hash. // If casefold==true, matching is done case-insensitive. This requires that // the LDIFAttributeName fields are all lowercase. func LdifToHash(itemtag string, casefold bool, ldif interface{}, elementInfo ...*ElementInfo) (xml *Hash, err error) { x := NewHash("xml") var xmldata []byte switch ld := ldif.(type) { case []byte: xmldata = ld case string: xmldata = []byte(ld) case io.Reader: xmldata, err = ioutil.ReadAll(ld) if err != nil { return x, err } case *exec.Cmd: var outbuf bytes.Buffer defer outbuf.Reset() var errbuf bytes.Buffer defer errbuf.Reset() oldout := ld.Stdout olderr := ld.Stderr ld.Stdout = &outbuf ld.Stderr = &errbuf err := ld.Run() ld.Stdout = oldout ld.Stderr = olderr errstr := errbuf.String() if errstr != "" { err = fmt.Errorf(errstr) } if err != nil { return x, err } xmldata = outbuf.Bytes() default: return x, fmt.Errorf("ldif argument has unsupported type") } item := x var attr *Hash new_item := true end := len(xmldata) b64 := false var info *ElementInfo = nil skip := false i := 0 start := 0 if !match(xmldata, i, "version:") { goto wait_for_item } /////////////////////////////////////////////////////////////////////// skip_line: /////////////////////////////////////////////////////////////////////// for { if i == end { goto end_of_input } if xmldata[i] == '\n' { break } i++ } // Even comments can have line continuations in LDIF, so we need to // continue skipping if there is a continuation. i++ if i < end && (xmldata[i] == ' ' || xmldata[i] == '\t') { goto skip_line } /////////////////////////////////////////////////////////////////////// wait_for_item: /////////////////////////////////////////////////////////////////////// new_item = true for { if i == end { goto end_of_input } if ch := xmldata[i]; ch > ' ' { if match(xmldata, i, "# search result") { goto end_of_input } if ch < 'A' { goto skip_line } // skip garbage (typically comments) break } i++ } /////////////////////////////////////////////////////////////////////// scan_attribute_name: /////////////////////////////////////////////////////////////////////// start = i b64 = false info = nil skip = false for { if i == end { goto end_of_input } if xmldata[i] == '#' { goto skip_broken_attribute } if xmldata[i] == ':' { colon := i if colon == start { goto skip_broken_attribute } // line that starts with ":" => Skip i++ if i < end && xmldata[i] == ':' { b64 = true i++ } // See if we have an ElementInfo. if len(elementInfo) > 0 { for _, inf := range elementInfo { if equals(casefold, xmldata[start:colon], inf.LDIFAttributeName) { info = inf break } } skip = (info == nil) } // if separate items are requested, create <itemtag></itemtag> element as new item // otherwise item == x stays as it is if new_item && itemtag != "" && !skip { item = x.Add(itemtag) new_item = false } // If no elementInfo arguments have been provided, we create a new element // directly from the LDIF attribute's name. if len(elementInfo) == 0 { attrname := string(xmldata[start:colon]) if casefold { attrname = strings.ToLower(attrname) } attr = item.Add(attrname) } else { // We create the new element from the ElementInfo if !skip { attr = item.Add(info.ElementName) } } if i == end { goto end_of_input } // skip 1 space or tab after colon if xmldata[i] == ' ' || xmldata[i] == '\t' { i++ } break } i++ } /////////////////////////////////////////////////////////////////////// //scan_value_fragment: /////////////////////////////////////////////////////////////////////// start = i for { if i-start > MaxFragmentLength { if !skip { attr.AppendString(string(xmldata[start:i])) } start = i } if i == end || xmldata[i] == '\n' { if !skip { attr.AppendString(string(xmldata[start:i])) } i++ // 1 tab or space is a line continuation, everything else ends the value if i >= end || (xmldata[i] != ' ' && xmldata[i] != '\t') { break } start = i + 1 // start next fragment after line continuation marker } i++ } /////////////////////////////////////////////////////////////////////// //attribute_value_scanned: /////////////////////////////////////////////////////////////////////// if !skip { if info != nil { if b64 { if !info.Base64 { attr.DecodeBase64() } } else { if info.Base64 { attr.EncodeBase64() } } } else { if b64 { attr.DecodeBase64() } } } if i >= end { goto end_of_input } if xmldata[i] == '\n' { goto wait_for_item } // empty line => next item goto scan_attribute_name /////////////////////////////////////////////////////////////////////// skip_broken_attribute: /////////////////////////////////////////////////////////////////////// for { if i == end { goto end_of_input } if xmldata[i] == '\n' { break } i++ } i++ if i >= end { goto end_of_input } if xmldata[i] == '\n' { goto wait_for_item } // empty line => next item // Even comments can have line continuations in LDIF, so we need to // continue skipping if there is a continuation. if xmldata[i] == ' ' || xmldata[i] == '\t' { goto skip_broken_attribute } goto scan_attribute_name /////////////////////////////////////////////////////////////////////// end_of_input: /////////////////////////////////////////////////////////////////////// // NOTE: // Don't assume anything about i here. // i > len(xmldata) is possible, as well as i < len(xmldata) return x, nil }
// Handles the message "CLMSG_save_fai_log". // buf: the decrypted message func clmsg_save_fai_log(buf *bytes.Buffer) { macaddress := "" action := "" start := 0 end := 0 data := buf.Bytes() for i := 0; i < len(data)-19; i++ { if data[i] == '<' { if i+12+17 <= len(data) && match(data, i, "<macaddress>") { macaddress = string(data[i+12 : i+12+17]) } else if match(data, i, "<fai_action>") { for k := i + 12; k < len(data); k++ { if data[k] == '<' { action = string(data[i+12 : k]) i = k break } } } else if match(data, i, "<CLMSG_save_fai_log>") { start = i + 20 } else if match(data, i, "</CLMSG_save_fai_log>") { end = i } } } if !macAddressRegexp.MatchString(macaddress) { util.Log(0, "ERROR! CLMSG_save_fai_log with illegal <macaddress> \"%v\"", macaddress) return } if !actionRegexp.MatchString(action) { util.Log(0, "ERROR! CLMSG_save_fai_log with illegal <fai_action> \"%v\"", action) return } util.Log(1, "INFO! Received log files from client %v. Assuming CLMSG_PROGRESS 100", macaddress) progress_msg := xml.NewHash("xml", "CLMSG_PROGRESS", "100") progress_msg.Add("macaddress", macaddress) clmsg_progress(progress_msg) timestamp := util.MakeTimestamp(time.Now()) logname := action + "_" + timestamp[0:8] + "_" + timestamp[8:] logdir := path.Join(config.FAILogPath, strings.ToLower(macaddress), logname) // NOTE: 1kB = 1000B, 1kiB = 1024B util.Log(1, "INFO! Storing %vkB of %v log files from %v in %v", len(data)/1000, action, macaddress, logdir) err := os.MkdirAll(logdir, 0755) if err != nil { util.Log(0, "ERROR! Error creating log directory \"%v\": %v", logdir, err) return } // Create convenience symlink with the system's name as alias for MAC address. go util.WithPanicHandler(func() { if plainname := db.SystemPlainnameForMAC(macaddress); plainname != "none" { linkpath := path.Join(config.FAILogPath, strings.ToLower(plainname)) link_target, err := os.Readlink(linkpath) if err != nil && !os.IsNotExist(err.(*os.PathError).Err) { util.Log(0, "ERROR! %v exists but is not a symlink: %v", linkpath, err) return } if err == nil { if link_target == strings.ToLower(macaddress) { return // symlink is already correct => nothing to do } util.Log(0, "WARNING! Machine %v has a new MAC %v . Removing old symlink %v => %v", plainname, macaddress, linkpath, link_target) err = os.Remove(linkpath) if err != nil { util.Log(0, "ERROR! Removing %v failed: %v", linkpath, err) // Don't bail out. Maybe we can create the new symlink anyway. } } err = os.Symlink(strings.ToLower(macaddress), linkpath) if err != nil && !os.IsExist(err.(*os.LinkError).Err) { util.Log(0, "ERROR! Could not create symlink %v => %v: %v", linkpath, strings.ToLower(macaddress), err) } } }) files := []int{} for i := start; i < end; i++ { if data[i] == ':' && match(data, i-8, "log_file") { k := i i++ for i < end { if data[i] == ':' { if k+1 < i { files = append(files, k+1, i) } break } i++ } } } files = append(files, end+8) for i := 0; i < len(files)-1; i += 2 { fname := string(data[files[i]:files[i+1]]) logdata := data[files[i+1]+1 : files[i+2]-8] util.Log(1, "INFO! Processing \"%v\" (%vkB)", fname, len(logdata)/1000) logdata = util.Base64DecodeInPlace(logdata) // As a precaution, make sure fname contains no slashes. fname = strings.Replace(fname, "/", "_", -1) err = ioutil.WriteFile(path.Join(logdir, fname), logdata, 0644) if err != nil { util.Log(0, "ERROR! Could not store \"%v\": %v", path.Join(logdir, fname), err) continue } } }
func testBuffer() { var b bytes.Buffer check(b.String(), "") // String() on fresh variable b.Reset() // Reset() on fresh variable check(b.String(), "") // String() after Reset() b.Reset() // Reset() after Reset() check(b.String(), "") check(b.Len(), 0) // same tests as above with pointer b2 := &bytes.Buffer{} check(b2.String(), "") b2.Reset() check(b2.String(), "") b2.Reset() check(b2.String(), "") check(b2.Len(), 0) b2.WriteString("Dies ist ein Test!") check(b2.String(), "Dies ist ein Test!") check(b2.Len(), 18) n, err := b.Write(nil) check(n, 0) check(err, nil) check(b.String(), "") n, err = b.Write([]byte{}) check(n, 0) check(err, nil) check(b.String(), "") check(b.Pointer(), nil) check(b.Capacity(), 0) check(b.Len(), 0) func() { defer func() { check(recover(), bytes.ErrTooLarge) }() b.Grow(-1) }() n, err = b.Write([]byte{'a'}) check(n, 1) check(err, nil) check(b.String(), "a") check(b.Capacity() >= 1, true) check(b.Len(), 1) check(b.Pointer() != nil, true) check(b.Grow(11), 1) check(b.Capacity() >= 12, true) c := b.Capacity() p := b.Pointer() check(b.Grow(11), 1) // should not cause actual growth check(b.Pointer(), p) check(b.Capacity(), c) check(b.Len(), 1) ((*[2]byte)(b.Pointer()))[1] = 'z' check(b.Contains("z"), false) n, err = b.WriteString("Hallo") check(n, 5) check(err, nil) check(b.String(), "aHallo") check(b.Pointer(), p) check(b.Capacity(), c) check(b.Len(), 6) b.Reset() check(b.String(), "") check(b.Pointer(), nil) check(b.Capacity(), 0) check(b.Contains(""), true) check(b.Contains("a"), false) b.WriteString("Hallo") b.WriteByte(' ') b.Write([]byte{'d', 'i', 'e', 's'}) b.WriteByte(' ') b.WriteString("ist ") b.WriteString("ein ") b.Write([]byte("Test")) check(b.String(), "Hallo dies ist ein Test") check(b.Contains("Hallo dies ist ein Test"), true) check(b.Contains("Test"), true) check(b.Contains("Hallo"), true) check(b.Contains("allo"), true) check(b.Contains(""), true) check(b.Split(" "), []string{"Hallo", "dies", "ist", "ein", "Test"}) check(b.Split("X"), []string{"Hallo dies ist ein Test"}) check(b.Split("Hallo dies ist ein Test"), []string{"", ""}) check(b.Split("H"), []string{"", "allo dies ist ein Test"}) check(b.Split("Test"), []string{"Hallo dies ist ein ", ""}) check(b.Split("es"), []string{"Hallo di", " ist ein T", "t"}) b.Reset() b.WriteString(" \n\t Hallo \t\v\n") check(b.Len(), 15) p = b.Pointer() b.TrimSpace() check(b.String(), "Hallo") check(b.Len(), 5) check(b.Pointer(), p) b.Reset() b.WriteString(" \n\t \t\v\n") check(b.Len(), 10) b.TrimSpace() check(b.Pointer(), nil) check(b.Len(), 0) check(b.Capacity(), 0) b.TrimSpace() check(b.Pointer(), nil) check(b.Len(), 0) check(b.Capacity(), 0) b.Reset() b.WriteString(" \n\t Hallo") check(b.Len(), 10) p = b.Pointer() b.TrimSpace() check(b.String(), "Hallo") check(b.Len(), 5) check(b.Pointer(), p) b.Reset() b.WriteString("Hallo \t\v\n") check(b.Len(), 10) p = b.Pointer() b.TrimSpace() check(b.String(), "Hallo") check(b.Len(), 5) check(b.Pointer(), p) b.Reset() b.WriteString(" ") check(b.Len(), 1) b.TrimSpace() check(b.Pointer(), nil) check(b.Len(), 0) check(b.Capacity(), 0) b.Reset() b.WriteString("Der Cottbuser Postkutscher kotzt in den Cottbuser Postkotzkasten") n = b.Len() c = b.Capacity() p = b.Pointer() b.Trim(-10, 2000) check(b.Len(), n) check(b.Capacity(), c) check(b.Pointer(), p) b.Trim(2000, -10) check(b.Len(), 0) check(b.Capacity(), 0) check(b.Pointer(), nil) b.WriteString("Der Cottbuser Postkutscher kotzt in den Cottbuser Postkotzkasten") b.Trim(4, 4) check(b.Len(), 0) check(b.Capacity(), 0) check(b.Pointer(), nil) b.WriteString("Der Cottbuser Postkutscher kotzt in den Cottbuser Postkotzkasten") n = b.Len() c = b.Capacity() p = b.Pointer() b.Trim(0, b.Len()-6) check(b.Len(), n-6) check(b.Capacity(), c) check(b.Pointer(), p) check(b.String(), "Der Cottbuser Postkutscher kotzt in den Cottbuser Postkotz") b.Trim(27, b.Len()) check(b.Len(), n-6-27) check(b.Capacity(), c) check(b.Pointer(), p) check(b.String(), "kotzt in den Cottbuser Postkotz") b.Trim(1, b.Len()-1) check(b.Len(), n-6-27-2) check(b.Capacity(), c) check(b.Pointer(), p) check(b.String(), "otzt in den Cottbuser Postkot") b.Reset() b.Write0(-1) b.Write0(-100) b.Write0(0) check(b.Len(), 0) check(b.Capacity(), 0) check(b.Pointer(), nil) b.Write0(1) check(b.Len(), 1) check(b.Capacity(), 1) check(b.Bytes(), []byte{0}) b.WriteByte(111) b.Write0(1) b.WriteByte(222) b.Write0(2) b.WriteByte(99) check(b.Len(), 7) check(b.Bytes(), []byte{0, 111, 0, 222, 0, 0, 99}) b2.Reset() slices := [][]byte{} total := 0 numfakeerrs := 0 for total < 100000 { c = rand.Intn(30000) total += c sl := make([]byte, c) for i := range sl { sl[i] = byte(rand.Intn(256)) } slices = append(slices, sl) b2.Write(sl) if total/30000 > numfakeerrs { slices = append(slices, nil) numfakeerrs++ } } check(numfakeerrs, 3) slcopy := make([][]byte, len(slices)) copy(slcopy, slices) slret := &sliceReturner{Slices: slcopy} b.Reset() check(b.Capacity(), 0) check(b.Len(), 0) check(b.Pointer(), nil) n = 0 for i := 0; i < numfakeerrs; i++ { n64, err := b.ReadFrom(slret) n += int(n64) check(err, FakeError) } n64, err := b.ReadFrom(slret) n += int(n64) check(err, nil) check(n, total) check(b.Capacity() > b.Len(), true) check(b.Len(), total) contents := b.Bytes() contents2 := b2.Bytes() check(len(contents), len(contents2)) n = 0 for i := range contents { if contents[i] != contents2[i] { break } n++ } check(n, total) b2.Reset() for i := range slices { for k := range slices[i] { slices[i][k] = 11 } n, err = b.Read(slices[i]) check(n, len(slices[i])) check(err, nil) b2.Write(slices[i]) } check(b2.Len(), total) n, err = b.Read(slices[0]) check(n, 0) check(err, io.EOF) contents = b.Bytes() contents2 = b2.Bytes() check(len(contents), len(contents2)) n = 0 for i := range contents { if contents[i] != contents2[i] { break } n++ } check(n, total) b.WriteString("foo") foo := make([]byte, 10) n, err = b.Read(foo) check(n, 3) check(err, nil) check(string(foo[0:3]), "foo") n64, err = b.Seek(6700, 0) check(n64, 6700) check(err, nil) n64, err = b.Seek(-6000, 1) check(n64, 700) check(err, nil) n64, err = b.Seek(815, 1) check(n64, 1515) check(err, nil) n, err = b.Read(foo) check(n, len(foo)) check(err, nil) check(foo, b2.Bytes()[1515:1515+len(foo)]) n64, err = b.Seek(-3, 2) check(n64, total) check(err, nil) n, err = b.Read(foo) check(n, 3) check(err, nil) check(string(foo[0:3]), "foo") n64, err = b.Seek(999999, 0) check(n64, b.Len()) check(err, nil) n64, err = b.Seek(-3, 1) check(n64, total) check(err, nil) n, err = b.Read(foo) check(n, 3) check(err, nil) check(string(foo[0:3]), "foo") n64, err = b.Seek(-815, 0) check(n64, 0) check(err, nil) n, err = b.Read(foo) check(n, len(foo)) check(err, nil) check(foo, b2.Bytes()[0:len(foo)]) }
// Reads the output from the program config.PackageListHookPath (LDIF) and // uses it to replace packagedb. // debconf is passed as PackageListDebconf environment var to the hook. // See manual section on package-list-hook for more info. func PackageListHook(debconf string) { start := time.Now() timestamp := util.MakeTimestamp(start) cmd := exec.Command(config.PackageListHookPath) cmd.Env = append(config.HookEnvironment(), os.Environ()...) fairepos := []string{} for repo := FAIServers().First("repository"); repo != nil; repo = repo.Next() { fairepos = append(fairepos, fmt.Sprintf("%v||%v|%v", repo.Text("server"), repo.Text("repopath"), repo.Text("sections"))) } package_list_params := []string{"PackageListDebconf=" + debconf, "PackageListCacheDir=" + config.PackageCacheDir, "PackageListFAIrepository=" + strings.Join(fairepos, " ")} cmd.Env = append(cmd.Env, package_list_params...) util.Log(1, "INFO! Running package-list-hook: %v %v", strings.Join(package_list_params, " "), config.PackageListHookPath) var outbuf bytes.Buffer defer outbuf.Reset() var errbuf bytes.Buffer defer errbuf.Reset() cmd.Stdout = &outbuf cmd.Stderr = &errbuf err := cmd.Run() if err != nil { util.Log(0, "ERROR! package-list-hook %v: %v (%v)", config.PackageListHookPath, err, errbuf.String()) return } else if errbuf.Len() != 0 { // if the command prints to stderr but does not return non-0 exit status (which // would result in err != nil), we just log a WARNING, but use the stdout data // anyway. util.Log(0, "WARNING! package-list-hook %v: %v", config.PackageListHookPath, errbuf.String()) } plist, err := xml.LdifToHash("pkg", true, outbuf.Bytes(), packageListFormat...) if err != nil { util.Log(0, "ERROR! package-list-hook %v: %v", config.PackageListHookPath, err) return } if plist.First("pkg") == nil { util.Log(0, "ERROR! package-list-hook %v returned no data", config.PackageListHookPath) return } util.Log(1, "INFO! Finished package-list-hook. Running time: %v", time.Since(start)) start = time.Now() plist.Rename("packagedb") new_mapRepoPath2FAIrelease := map[string]string{} accepted := 0 total := 0 for pkg := plist.FirstChild(); pkg != nil; pkg = pkg.Next() { total++ p := pkg.Element() release := p.First("distribution") // packageListFormat translates "release" => "distribution" if release == nil { util.Log(0, "ERROR! package-list-hook %v returned entry without \"Release\": %v", config.PackageListHookPath, p) pkg.Remove() continue } for repopath := p.First("repository"); repopath != nil; repopath = repopath.Next() { new_mapRepoPath2FAIrelease[repopath.Text()] = release.Text() } pkgname := p.Get("package") if len(pkgname) == 0 { if p.First("repository") == nil { // Release/Repository groups without Package are okay, so only log error if there is no Repository util.Log(0, "ERROR! package-list-hook %v returned entry without \"Package\": %v", config.PackageListHookPath, p) } pkg.Remove() continue } if len(pkgname) > 1 { util.Log(0, "ERROR! package-list-hook %v returned entry with multiple \"Package\" values: %v", config.PackageListHookPath, p) pkg.Remove() continue } version := p.First("version") if version == nil { util.Log(0, "WARNING! package-list-hook %v returned entry for \"%v\" without \"Version\". Assuming \"1.0\"", config.PackageListHookPath, pkgname[0]) p.Add("version", "1.0") } section := p.First("section") if section == nil { util.Log(0, "WARNING! package-list-hook %v returned entry for \"%v\" without \"Section\". Assuming \"main\"", config.PackageListHookPath, pkgname[0]) p.Add("section", "main") } p.FirstOrAdd("timestamp").SetText(timestamp) description := p.First("description") if description == nil { description = p.Add("description", pkgname[0]) description.EncodeBase64() } // add empty <template></template> if there is no <template> element. if p.First("template") == nil { p.Add("template") } accepted++ } if accepted == 0 { util.Log(0, "ERROR! package-list-hook %v returned no valid entries", config.PackageListHookPath) } else { util.Log(1, "INFO! package-list-hook: %v/%v entries accepted into database. Processing time: %v", accepted, total, time.Since(start)) packagedb.Init(plist) mapRepoPath2FAIrelease_mutex.Lock() defer mapRepoPath2FAIrelease_mutex.Unlock() mapRepoPath2FAIrelease = new_mapRepoPath2FAIrelease util.Log(1, "INFO! Repository path => FAI release %v", mapRepoPath2FAIrelease) } }
// Takes a possibly encrypted message in buf and processes it, returning a reply. // context is the security context. // Returns: // buffer containing the reply to return (MUST BE FREED BY CALLER VIA Reset()!) // disconnect == true if connection should be terminated due to error // // NOTE: buf IS NOT FREED BY THIS FUNCTION BUT ITS CONTENTS ARE CHANGED! func ProcessEncryptedMessage(buf *bytes.Buffer, context *security.Context) (reply *bytes.Buffer, disconnect bool) { if buf.Len() > 4096 { util.Log(2, "DEBUG! Processing LONG message: (truncated)%v\n.\n.\n.\n%v", string(buf.Bytes()[0:2048]), string(buf.Bytes()[buf.Len()-2048:])) } else { util.Log(2, "DEBUG! Processing message: %v", buf.String()) } for attempt := 0; attempt < 4; attempt++ { if attempt != 0 && config.TLSRequired { util.Log(1, "INFO! [SECURITY] TLS-only mode => Decryption with old protocol will not be attempted") //NOTE: This prevents the last ditch attempt to decrypt with all known // server and client keys. This attempt might still have produced a // result in case the connecting party is pre-TLS and we happen to // have its key in our database (from a time before our server was // configured to be TLS-only). However if the admin configured our // server to be TLS-only (by not putting any keys // in the config) we assume that he does not want pre-TLS // parties to connect. break } var keys_to_try []string switch attempt { case 0: keys_to_try = config.ModuleKeys case 1: host := context.PeerID.IP.String() { keys_to_try = append(db.ServerKeys(host), db.ClientKeys(host)...) if host == "127.0.0.1" { // make sure we find the key even if registered under our external IP address keys_to_try = append(db.ServerKeys(config.IP), db.ClientKeys(config.IP)...) } } case 2: util.Log(1, "INFO! Last resort attempt to decrypt message from %v with all server keys", context.PeerID.IP) keys_to_try = db.ServerKeysForAllServers() case 3: util.Log(1, "INFO! Last resort attempt to decrypt message from %v with all client keys", context.PeerID.IP) keys_to_try = db.ClientKeysForAllClients() } for _, key := range keys_to_try { if security.GosaDecryptBuffer(buf, key) { if buf.Len() > 4096 { util.Log(2, "DEBUG! Decrypted LONG message from %v with key %v: (truncated)%v\n.\n.\n.\n%v", context.PeerID.IP, key, string(buf.Bytes()[0:2048]), string(buf.Bytes()[buf.Len()-2048:])) } else { util.Log(2, "DEBUG! Decrypted message from %v with key %v: %v", context.PeerID.IP, key, buf.String()) } // special case for CLMSG_save_fai_log because this kind of message // is so large and parsing it to XML doesn't really gain us anything. if buf.Contains("<CLMSG_save_fai_log>") { if handleServerMessage() { clmsg_save_fai_log(buf) } return &bytes.Buffer{}, false } xml, err := xml.StringToHash(buf.String()) if err != nil { util.Log(0, "ERROR! %v", err) return ErrorReplyBuffer(err), true } // At this point we have successfully decrypted and parsed the message return ProcessXMLMessage(xml, context, key) } } } // This part is only reached if none of the keys opened the message util.Log(0, "ERROR! Could not decrypt message from %v", context.PeerID.IP) // Maybe we got out of sync with the sender's encryption key // (e.g. by missing a new_key message). Try to re-establish communcation. ip := context.PeerID.IP.To4() if ip == nil { util.Log(0, "ERROR! Cannot convert sender address to IPv4 address: %v", context.PeerID.IP) } else { go tryToReestablishCommunicationWith(ip.String()) } return ErrorReplyBuffer("Could not decrypt message"), true }