From d96bc56aecb1bb0c3eb0d3ee588a9333f2bb65b6 Mon Sep 17 00:00:00 2001
From: Jeroen Nijhof
Date: Wed, 18 Dec 2013 14:53:14 +0100
Subject: [PATCH] Reformat merge, cleanup, fix wrong free

---
 cache.c | 6 ++---
 openufp.c | 70 +++++++++------------------------------------------
 squidguard.c | 68 ++++++++------------------------------------
 squidguard.h | 3 +--
 websense.c | 25 +++++++++----------
 5 files changed, 36 insertions(+), 136 deletions(-)

diff --git a/cache.c b/cache.c
index a0fc4b0..86a6b07 100644
--- a/cache.c
+++ b/cache.c
@@ -25,14 +25,12 @@ DB *open_cache() {
 int ret;
 if ((ret = db_create(&dbp, NULL, 0)) != 0) {
- syslog(LOG_WARNING, "cache: %s.", db_strerror(ret));
- free(dbp);
+ syslog(LOG_WARNING, "cache db_create: %s.", db_strerror(ret));
 return NULL;
 }
 if ((ret = dbp->open(dbp, NULL, DATABASE, NULL, DB_BTREE, DB_CREATE, 0664)) != 0) {
- syslog(LOG_WARNING, "cache: %s.", db_strerror(ret));
+ syslog(LOG_WARNING, "cache open: %s.", db_strerror(ret));
 close_cache(dbp, 0);
- free(dbp);
 return NULL;
 }
 return dbp;
diff --git a/openufp.c b/openufp.c
index 5481db2..4a8365e 100644
--- a/openufp.c
+++ b/openufp.c
@@ -24,7 +24,6 @@ void usage() {
 printf("OPTIONS:\n");
 printf(" -l PORT on which port openufp will listen for incoming requests\n");
 printf(" -r URL when url is denied the client will be redirected to this url; n2h2 only\n");
- printf(" -u utilize User Identity info from capable Cisco products. Must use with -w as frontend\n");
 printf(" -c SECS cache expire time in seconds; default 3600; 0 disables caching\n");
 printf(" -C URL remove specified URL from cache\n");
 printf(" -d LEVEL debug level 1-3\n\n");
@@ -63,10 +62,8 @@ int main(int argc, char**argv) {
 char *proxy_deny_pattern = NULL;
 char *blacklist = NULL;
 int squidguard = 0;
- int usrid = 0;
 int c;
 char *https = "https://";
-// bool isIp;
 while ((c = getopt(argc, argv, "l:r:c:C:d:nwp:f:gu")) != -1) {
 char *p;
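Review bot: Nothing in the cache.c hunk records why the two `free(dbp)` calls were the wrong release, so a later reader of `open_cache()` may well put them back. On the db_create failure branch there is presumably no handle to release at all, and on the open failure branch `close_cache(dbp, 0)` is what hands the handle back to the library; a one-line comment at each site would lock that in, e.g. `/* close_cache() releases the DB handle; do not free(dbp) here */` above the `close_cache(dbp, 0);` line and `/* db_create() failed: no handle was allocated, nothing to release */` above the first `return NULL;`. open_cache() starts outside the hunk.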
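Review bot: The optstring on the context line `while ((c = getopt(argc, argv, "l:r:c:C:d:nwp:f:gu")) != -1) {` still lists `u`, although this commit removes the `-u` usage text in the hunk above and the `case 'u':` handler in the next hunk (`@@ -120,15 +117,12 @@`). getopt() will therefore still accept `-u` and hand it to the `default:` branch, which prints usage and exits, so the behaviour is acceptable, but the leftover letter will mislead anyone who reads the optstring as the list of supported options. Drop the trailing `u`: `"l:r:c:C:d:nwp:f:g"`. main() continues outside the hunk.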
@@ -120,15 +117,12 @@ int main(int argc, char**argv) {
 case 'g':
 squidguard = 1;
 break;
- case 'u':
- usrid = 1;
- break;
 default:
 usage();
 exit(1);
 }
 }
- if (frontend == 0 || (frontend != WEBSNS && usrid == 1) || ((proxy_ip == NULL || proxy_port == 0 || proxy_deny_pattern == NULL)
+ if (frontend == 0 || ((proxy_ip == NULL || proxy_port == 0 || proxy_deny_pattern == NULL)
 && blacklist == NULL && squidguard == 0)) {
 usage();
 exit(1);
@@ -177,14 +171,9 @@ int main(int argc, char**argv) {
 printf("openufp v%s: started.\n", VERSION);
 openlog("openufp", LOG_PID|LOG_CONS, LOG_DAEMON);
- syslog(LOG_INFO, "v%s: Jeroen Nijhof ", VERSION);
+ syslog(LOG_INFO, "v%s: Jeroen Nijhof ", VERSION);
 syslog(LOG_INFO, "started listening on %d, waiting for requests...", local_port);
- if (usrid == 1 && debug > 0)
- {
- printf("openufp started with usrname support\n");
- }
-
 if ((pid = fork()) == 0) {
 struct sockaddr_in cli_addr;
 socklen_t cli_size;
@@ -274,19 +263,9 @@ int main(int argc, char**argv) {
 // Handle HTTPS for N2H2 only since IP is provided in URI:
 if (strstr(https, request.url) != NULL && request.type == N2H2_REQ) {
- //char substr[URL_SIZE];
- //substr = strndup(request.url+8, URL_SIZE);
- //isIp = isValidIpAddress(substr);
-
 if (debug > 0) {
 syslog(LOG_INFO, "received HTTPS url request");
- //if (isIp) {
- // syslog(LOG_INFO, "received HTTPS url request. Substring passed IP validation");
- //}
 }
-
- //request.url = strndup(substr, strlen(substr));
- //free(substr);
 }
 // check if cached
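Review bot: The HTTPS test on the context line `if (strstr(https, request.url) != NULL && request.type == N2H2_REQ) {` has its strstr() arguments the wrong way round: it searches for the request URL inside the literal `"https://"`, so it is true only when the URL is empty or a prefix of that literal, and the branch this hunk tidies never runs for a real URL. The comment above it and the removed `request.url+8` code show the intent is a prefix check; `if (strncmp(request.url, https, strlen(https)) == 0 && request.type == N2H2_REQ) {` does that. This is pre-existing and the commit only removes the commented-out code around it, but since it is the sole remaining reason for the `https` variable it is worth fixing in the same pass. main() starts and ends outside the hunk.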
@@ -307,48 +286,23 @@ int main(int argc, char**argv) {
 // parse url to squidguard
 if (!cached && !denied && squidguard) {
- // check whether srcip or srcip+usrid will be used:
-
- if (usrid == 1)
- {
- denied = squidguard_backend_uid(sg_fd, request.srcip, request.usr, request.url, sg_redirect, debug);
- }
- else
- {
- denied = squidguard_backend(sg_fd, request.srcip, request.url, sg_redirect, debug);
- }
+ denied = squidguard_backend(sg_fd, request.srcip, request.usr, request.url, sg_redirect, debug);
 }
 if (denied) {
- if (frontend == N2H2 && squidguard)
- {
+ if (frontend == N2H2 && squidguard) {
 n2h2_deny(cli_fd, n2h2_request, sg_redirect);
- }
- else if (frontend == WEBSNS && squidguard)
- {
+ } else if (frontend == WEBSNS && squidguard) {
 websns_deny(cli_fd, websns_request, sg_redirect);
+ } else if (frontend == N2H2) {
+ n2h2_deny(cli_fd, n2h2_request, redirect_url);
+ } else {
+ websns_deny(cli_fd, websns_request, redirect_url);
 }
- else if (frontend == N2H2)
- {
- n2h2_deny(cli_fd, n2h2_request, redirect_url);
- }
- else
- {
- websns_deny(cli_fd, websns_request, redirect_url);
- }
- if (debug > 0)
- {
- if (usrid == 1)
- {
- syslog(LOG_INFO, "url denied: srcip %s, srcusr %s, dstip %s, url %s",
- request.srcip, request.usr, request.dstip, request.url);
- }
- else
- {
- syslog(LOG_INFO, "url denied: srcip %s, dstip %s, url %s",
- request.srcip, request.dstip, request.url);
- }
+ if (debug > 0) {
+ syslog(LOG_INFO, "url denied: srcip %s, srcusr %s, dstip %s, url %s",
+ request.srcip, request.usr, request.dstip, request.url);
 }
 } else {
 if (frontend == N2H2) {
diff --git a/squidguard.c b/squidguard.c
index 04f8ae7..19f4dd6 100644
--- a/squidguard.c
+++ b/squidguard.c
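Review bot: The merged call `denied = squidguard_backend(sg_fd, request.srcip, request.usr, request.url, sg_redirect, debug);` now hands `request.usr` to the backend for both frontends, and the backend as rewritten in squidguard.c in this commit calls `strlen()` on it and writes a `-` placeholder into it when it is empty; the merged `url denied` syslog further down also prints it with `%s` unconditionally, where the old code only did so when `usrid` was set. The only writer of `request.usr` visible in this patch is websns_validate() in websense.c; whether the N2H2 validation path fills or even NUL-terminates the field is not shown, and if the struct is not zeroed there both reads run off the end of the field. Unless the validators are known to zero the struct, terminate it explicitly on that path, e.g. `request.usr[0] = '\0';` where the N2H2 request is built, or `memset(&request, 0, sizeof request);` where `request` is declared. main() starts and ends outside the hunk.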
@@ -67,52 +67,20 @@ int squidguard_closefd(FILE *sg_fd[2]) {
 return 0;
 }
-int squidguard_backend(FILE *sg_fd[2], char srcip[15], char url[URL_SIZE], char *sg_redirect, int debug) {
+int squidguard_backend(FILE *sg_fd[2], char srcip[15], char srcusr[URL_SIZE], char url[URL_SIZE], char *sg_redirect, int debug) {
 char redirect_url[URL_SIZE];
- if (debug > 2)
- {
- syslog(LOG_INFO, "squidguard: url check using IP only: %s for url %s", srcip, url);
+ //Check user; if empty, use ip only:
+ if (strlen(srcusr) < 1) {
+ if (debug > 2) {
+ syslog(LOG_INFO, "squidguard input: username missing, defaulting to IP notation");
+ }
+ srcusr[0] = '-';
+ srcusr[1] = '\0';
 }
- if (sg_fd[1] == NULL) {
- syslog(LOG_WARNING, "squidguard: could not open fd for input.");
- return 0;
- }
-
- fprintf(sg_fd[1], "%s %s/ - - GET\n", url, srcip);
- fflush(sg_fd[1]);
-
- if (sg_fd[0] == NULL) {
- syslog(LOG_WARNING, "squidguard: could not open fd for output.");
- return 0;
- }
- while (fgets(redirect_url, URL_SIZE, sg_fd[0]) != NULL) {
- if (debug > 1)
- syslog(LOG_INFO, "squidguard: redirect_url (%s).", redirect_url);
- if (strlen(redirect_url) > 1) {
- char *parse;
- parse = strtok (redirect_url, " ");
- strcpy(sg_redirect, parse);
-
- if (debug > 0)
- syslog(LOG_INFO, "squidguard: url blocked. parsed_red: %s -- sg_redirectURL: %s", parse, sg_redirect );
-
- return 1;
- }
- if (debug > 0)
- syslog(LOG_INFO, "squidguard: url accepted.");
- return 0;
- }
- return 0;
-}
-
-int squidguard_backend_uid(FILE *sg_fd[2], char srcip[15], char srcusr[URL_SIZE], char url[URL_SIZE], char *sg_redirect, int debug) {
- char redirect_url[URL_SIZE];
-
- if (debug > 2)
- {
- syslog(LOG_INFO, "squidguard: url check using IP and Username : IP: %s User: %s for url %s", srcip, srcusr, url);
+ if (debug > 2) {
+ syslog(LOG_INFO, "squidguard: url check using ip and user: ip: %s user: %s for url %s", srcip, srcusr, url);
 }
 if (sg_fd[1] == NULL) {
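Review bot: The new defaulting block writes the placeholder into the caller's buffer (`srcusr[0] = '-'; srcusr[1] = '\0';`), so after the call openufp's `request.usr` no longer holds the empty user it received, and the `url denied` syslog in openufp.c then reports `srcusr -` as if that were the client-supplied name. A local alternative leaves the argument untouched and lets the parameter become read-only: `const char *user = srcusr[0] != '\0' ? srcusr : "-";` and pass `user` instead of `srcusr` to the fprintf in the next hunk. The new code does at least terminate the string, which the removed `srcusr[strlen(srcusr)] = '-';` did not. squidguard_backend() continues past the end of the hunk.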
@@ -120,16 +88,6 @@ int squidguard_backend_uid(FILE *sg_fd[2], char srcip[15], char srcusr[URL_SIZE]
 return 0;
 }
- //Check username length; if there's nothing there, use the IP only:
- if (strlen(srcusr) < 1)
- {
- if (debug > 2)
- {
- syslog(LOG_INFO, "squidguard input: username missing, defaulting to IP notation");
- }
- srcusr[strlen(srcusr)] = '-';
- }
-
 fprintf(sg_fd[1], "%s %s/ %s - GET\n", url, srcip, srcusr);
 fflush(sg_fd[1]);
@@ -155,9 +113,3 @@ int squidguard_backend_uid(FILE *sg_fd[2], char srcip[15], char srcusr[URL_SIZE]
 return 0;
 }
-bool isValidIpAddress(char *ipAddress)
-{
- struct sockaddr_in sa;
- int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr));
- return result != 0;
-}
diff --git a/squidguard.h b/squidguard.h
index fd3c34d..a7f64e8 100644
--- a/squidguard.h
+++ b/squidguard.h
@@ -8,5 +8,4 @@ extern int squidguard_getfd(FILE *sg_fd[2]);
 extern int squidguard_closefd(FILE *sg_fd[2]);
-extern int squidguard_backend(FILE *sg_fd[2], char srcip[15], char url[URL_SIZE], char *sg_redirect, int debug);
-extern int squidguard_backend_uid(FILE *sg_fd[2], char srcip[15], char srcusr[URL_SIZE], char url[URL_SIZE], char *sg_redirect, int debug);
+extern int squidguard_backend(FILE *sg_fd[2], char srcip[15], char srcusr[URL_SIZE], char url[URL_SIZE], char *sg_redirect, int debug);
diff --git a/websense.c b/websense.c
index 8ff5591..c18426f 100644
--- a/websense.c
+++ b/websense.c
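Review bot: `fprintf(sg_fd[1], "%s %s/ %s - GET\n", url, srcip, srcusr);` builds squidguard's space-separated, newline-terminated request line from `url` and `srcusr` verbatim, with no check that either is free of whitespace or line breaks, and the reply is read back one line per request (the removed copy of the function above shows a single `fgets()` deciding the verdict; the retained body past this hunk presumably does the same). A value containing a space shifts the remaining fields, and an embedded newline produces two request lines for one verdict, after which request and reply are paired out of step for every later lookup; on the Websense path both values are copied straight out of the client packet in websense.c. Reject (or percent-encode) such values before the line is built, e.g. `if (strpbrk(url, " \t\r\n") != NULL || strpbrk(srcusr, " \t\r\n") != NULL) { syslog(LOG_WARNING, "squidguard: url or user contains whitespace, not forwarded"); return 0; }` — noting that `return 0` means "accepted" here, so the project should decide whether a malformed request fails open or closed. squidguard_backend() starts and ends outside the hunk.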
@@ -89,18 +89,16 @@ struct uf_request websns_validate(struct websns_req *websns_request, int msgsize
 snprintf(request.srcip, sizeof(request.srcip), "%s", inet_ntoa(srcip));
 snprintf(request.dstip, sizeof(request.dstip), "%s", inet_ntoa(dstip));
- for(i = 0; i < ntohs(websns_request->urlsize); i++)
- {
- request.url[i] = websns_request->url[i];
- }
+ for (i = 0; i < ntohs(websns_request->urlsize); i++) {
+ request.url[i] = websns_request->url[i];
+ }
 //get remaining info in payload
 i = 0;
- //Offset is 2+10 for the preceding TACACS:/// string
- for(j = (ntohs(websns_request->urlsize)+12); j < ntohs(websns_request->size); j++)
- {
- request.usr[i] = websns_request->url[j];
- i++;
- }
+ //offset is 2+10 for the preceding TACACS:/// string
+ for (j = (ntohs(websns_request->urlsize)+12); j < ntohs(websns_request->size); j++) {
+ request.usr[i] = websns_request->url[j];
+ i++;
+ }
 return request;
 }
@@ -115,10 +113,9 @@ void websns_convert(struct websns_req *websns_request, char msg[REQ_SIZE], int m
 // check if it's version 1
 if (msgsize > WEBSNS_REQ_SIZE && ntohs(websns_request->code) == WEBSNS_REQ && ntohs(websns_request->urlsize) == 0) {
- if (debug > 2)
- {
- syslog(LOG_INFO,"Websense v1 packet received; converting to v4");
- }
+ if (debug > 2) {
+ syslog(LOG_INFO,"Websense v1 packet received; converting to v4");
+ }
 // convert to version 4
 for (i = 0; i < (msgsize - 2); i++) {
 if (i == 24)
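Review bot: Both copy loops on the new side take their bounds from the packet itself — `ntohs(websns_request->urlsize)` and `ntohs(websns_request->size)` — and neither is checked against `msgsize` (the byte count actually received) or against the size of `request.url` / `request.usr`, so an oversized urlsize or size value reads past the received bytes and writes past the destination fields; neither string is terminated here either, and the `%s` consumers downstream rely on that. Since the commit already rewrites these exact lines, clamp both lengths and terminate what was copied; the sketch below assumes `request.url` and `request.usr` are fixed-size arrays like `request.srcip` (the existing `sizeof(request.srcip)` suggests so) and leaves the header length to subtract from `msgsize` as a TODO, because the wire layout is not in the hunk. websns_validate() starts outside the hunk.

```c
    // … unchanged: srcip/dstip formatting …
    // urlsize and size arrive off the wire: clamp them to the bytes actually received
    // and to the destination fields before copying, then terminate what was copied.
    unsigned urlsize = ntohs(websns_request->urlsize);
    unsigned total = ntohs(websns_request->size);
    if (total > (unsigned)msgsize) {
        total = (unsigned)msgsize;   /* TODO(review): subtract the fixed header length if size counts it */
    }
    if (urlsize > total) {
        urlsize = total;
    }
    if (urlsize >= sizeof(request.url)) {
        urlsize = sizeof(request.url) - 1;
    }
    for (i = 0; i < urlsize; i++) {
        request.url[i] = websns_request->url[i];
    }
    request.url[urlsize] = '\0';
    //get remaining info in payload
    i = 0;
    //offset is 2+10 for the preceding TACACS:/// string
    for (j = urlsize + 12; j < total && i + 1 < sizeof(request.usr); j++) {
        request.usr[i] = websns_request->url[j];
        i++;
    }
    request.usr[i] = '\0';
    return request;
```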