author | Reyk Floeter <reyk@cvs.openbsd.org> | 2007-11-21 13:04:43 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2007-11-21 13:04:43 +0000 |
commit | 5d26d48cabb053e50519583e074292f3c86aecac (patch) | |
tree | 4b23ce6256f2f600c9aaa411981bb1b1373e7cc2 /usr.sbin | |
parent | 58a45bd3fc8545f2f426bf7208337a15505fabdb (diff) |
allow the http digest type to be either SHA1 or MD5 determined by the
digest string length; it is compatible with any existing SHA1-only
configurations.
ok pyr@ gilles@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/hoststated/check_tcp.c | 15 | ||||
-rw-r--r-- | usr.sbin/hoststated/hoststated.conf.5 | 8 | ||||
-rw-r--r-- | usr.sbin/hoststated/hoststated.h | 8 | ||||
-rw-r--r-- | usr.sbin/hoststated/parse.y | 20 | ||||
-rw-r--r-- | usr.sbin/relayd/check_tcp.c | 15 | ||||
-rw-r--r-- | usr.sbin/relayd/parse.y | 20 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.conf.5 | 8 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.h | 8 |
8 files changed, 78 insertions, 24 deletions
diff --git a/usr.sbin/hoststated/check_tcp.c b/usr.sbin/hoststated/check_tcp.c
index 6b054bf2d6f..fe9299d446e 100644
--- a/usr.sbin/hoststated/check_tcp.c
+++ b/usr.sbin/hoststated/check_tcp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: check_tcp.c,v 1.27 2007/11/19 15:20:18 reyk Exp $ */
+/* $OpenBSD: check_tcp.c,v 1.28 2007/11/21 13:04:42 reyk Exp $ */
 
 /*
 * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -33,6 +33,7 @@
 #include <errno.h>
 #include <fnmatch.h>
 #include <sha1.h>
+#include <md5.h>
 
 #include <openssl/ssl.h>
 
@@ -353,7 +354,7 @@ check_http_digest(struct ctl_tcp_event *cte)
 {
 char *head;
 u_char *b;
- char digest[(SHA1_DIGEST_LENGTH*2)+1];
+ char digest[SHA1_DIGEST_STRING_LENGTH];
 struct host *host;
 
 /*
@@ -373,7 +374,15 @@ check_http_digest(struct ctl_tcp_event *cte)
 return (1);
 }
 head += strlen("\r\n\r\n");
- SHA1Data(head, strlen(head), digest);
+
+ switch (cte->table->conf.digest_type) {
+ case DIGEST_SHA1:
+ SHA1Data(head, strlen(head), digest);
+ break;
+ case DIGEST_MD5:
+ MD5Data(head, strlen(head), digest);
+ break;
+ }
 
 if (strcmp(cte->table->conf.digest, digest)) {
 log_warnx("check_http_digest: %s failed "
diff --git a/usr.sbin/hoststated/hoststated.conf.5 b/usr.sbin/hoststated/hoststated.conf.5
index 18c7c9d5ed8..8ebf4f306e5 100644
--- a/usr.sbin/hoststated/hoststated.conf.5
+++ b/usr.sbin/hoststated/hoststated.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: hoststated.conf.5,v 1.58 2007/11/21 10:19:34 pyr Exp $
+.\" $OpenBSD: hoststated.conf.5,v 1.59 2007/11/21 13:04:42 reyk Exp $
 .\"
 .\" Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
 .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
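Review bot: The new `switch (cte->table->conf.digest_type)` has no `default:` case, so for any value outside the two enumerators `digest` is left uninitialized and the following `strcmp()` reads stack garbage; the identical switch is in usr.sbin/relayd/check_tcp.c. Only parse.y sets the field today, but a default that fails the check — e.g. `default: log_warnx("check_http_digest: unknown digest type"); return (1);` — mirrors the failure path visible at the top of this hunk and keeps the compiler's switch warnings useful when a third digest type is added; if the other `return (1)` is paired with marking the host down outside the hunk, do the same here (check_http_digest's body continues outside the hunk). The local `digest[SHA1_DIGEST_STRING_LENGTH]` changed in the earlier hunk is now also the output buffer for `MD5Data()`; a comment such as `/* sized for the longer SHA1 hex string; MD5_DIGEST_STRING_LENGTH is smaller */` would record why the SHA1 constant is the right bound for both.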
@@ -188,8 +188,10 @@ This has the same effect as above but wraps the HTTP request in SSL.
 .Xc
 For each host in the table, verify that retrieving the URL
 .Ar path
-produces a content whose SHA1 digest is
-.Ar digest .
+produces a content whose message digest matches the defined string.
+The used algorithm is determined by the string length of the
+.Ar digest
+argument, it is either SHA1 (40 characters) or MD5 (32 characters).
 If
 .Ar hostname
 is specified, it is used as the
diff --git a/usr.sbin/hoststated/hoststated.h b/usr.sbin/hoststated/hoststated.h
index f895a401175..9f092475756 100644
--- a/usr.sbin/hoststated/hoststated.h
+++ b/usr.sbin/hoststated/hoststated.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: hoststated.h,v 1.76 2007/11/20 15:54:55 reyk Exp $ */
+/* $OpenBSD: hoststated.h,v 1.77 2007/11/21 13:04:42 reyk Exp $ */
 
 /*
 * Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -337,6 +337,11 @@ enum host_status {
 };
 #define HOST_ISUP(x) (x == HOST_UP)
 
+enum digest_type {
+ DIGEST_SHA1 = 0,
+ DIGEST_MD5 = 1
+};
+
 struct table_config {
 objid_t id;
 objid_t serviceid;
@@ -351,6 +356,7 @@ struct table_config {
 char path[MAXPATHLEN];
 char exbuf[64];
 char digest[41]; /* length of sha1 digest * 2 */
+ enum digest_type digest_type;
 };
 
 struct table {
diff --git a/usr.sbin/hoststated/parse.y b/usr.sbin/hoststated/parse.y
index ab4c572e476..e5ddea110a2 100644
--- a/usr.sbin/hoststated/parse.y
+++ b/usr.sbin/hoststated/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.87 2007/11/20 17:08:44 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.88 2007/11/21 13:04:42 reyk Exp $ */
 
 /*
 * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -523,6 +523,8 @@ tableoptsl : host {
 table->sendbuf_len = strlen(table->sendbuf);
 }
 | CHECK http_type STRING hostname DIGEST STRING {
+ size_t digest_len;
+
 if ($2) {
 conf->flags |= F_SSL;
 table->conf.flags |= F_SSL;
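Review bot: The comment on `char digest[41]; /* length of sha1 digest * 2 */` next to the new `digest_type` member is now incomplete: the array has to hold either a 40-character SHA1 hex string or a 32-character MD5 one plus the terminating NUL, and 41 is the same bound that check_tcp.c now spells as `SHA1_DIGEST_STRING_LENGTH`; usr.sbin/relayd/relayd.h has the same hunk. I would reword it to `char digest[41]; /* hex string + NUL: SHA1 (40) or MD5 (32), see digest_type */` so the two limits and the selector stay linked for the next reader. The new `enum digest_type` would also benefit from a one-line comment noting that the value is derived in parse.y from the digest string's length rather than from a config keyword, since nothing in the header hints at that.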
@@ -536,10 +538,18 @@ tableoptsl : host {
 if (table->sendbuf == NULL)
 fatal("out of memory");
 table->sendbuf_len = strlen(table->sendbuf);
- if (strlcpy(table->conf.digest, $6,
- sizeof(table->conf.digest)) >=
- sizeof(table->conf.digest)) {
- yyerror("http digest truncated");
+
+ digest_len = strlcpy(table->conf.digest, $6,
+ sizeof(table->conf.digest));
+ switch (digest_len) {
+ case 40:
+ table->conf.digest_type = DIGEST_SHA1;
+ break;
+ case 32:
+ table->conf.digest_type = DIGEST_MD5;
+ break;
+ default:
+ yyerror("invalid http digest");
 free($6);
 YYERROR;
 }
diff --git a/usr.sbin/relayd/check_tcp.c b/usr.sbin/relayd/check_tcp.c
index 6b054bf2d6f..fe9299d446e 100644
--- a/usr.sbin/relayd/check_tcp.c
+++ b/usr.sbin/relayd/check_tcp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: check_tcp.c,v 1.27 2007/11/19 15:20:18 reyk Exp $ */
+/* $OpenBSD: check_tcp.c,v 1.28 2007/11/21 13:04:42 reyk Exp $ */
 
 /*
 * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -33,6 +33,7 @@
 #include <errno.h>
 #include <fnmatch.h>
 #include <sha1.h>
+#include <md5.h>
 
 #include <openssl/ssl.h>
 
@@ -353,7 +354,7 @@ check_http_digest(struct ctl_tcp_event *cte)
 {
 char *head;
 u_char *b;
- char digest[(SHA1_DIGEST_LENGTH*2)+1];
+ char digest[SHA1_DIGEST_STRING_LENGTH];
 struct host *host;
 
 /*
@@ -373,7 +374,15 @@ check_http_digest(struct ctl_tcp_event *cte)
 return (1);
 }
 head += strlen("\r\n\r\n");
- SHA1Data(head, strlen(head), digest);
+
+ switch (cte->table->conf.digest_type) {
+ case DIGEST_SHA1:
+ SHA1Data(head, strlen(head), digest);
+ break;
+ case DIGEST_MD5:
+ MD5Data(head, strlen(head), digest);
+ break;
+ }
 
 if (strcmp(cte->table->conf.digest, digest)) {
 log_warnx("check_http_digest: %s failed "
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index ab4c572e476..e5ddea110a2 100644
--- a/usr.sbin/relayd/parse.y
+++ b/usr.sbin/relayd/parse.y
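Review bot: The new length switch accepts any 40- or 32-character string as a digest, but only lowercase hex can ever equal the output of `SHA1Data()`/`MD5Data()` in check_tcp.c, so an uppercase or otherwise malformed digest passes the parser and then fails every health check with a runtime warning instead of a config-load error; usr.sbin/relayd/parse.y carries the identical hunk. Validating the characters right after the switch, and lowercasing them so the `strcmp()` in check_tcp.c also works for uppercase hex, turns this into a `yyerror()` at load time; it needs `size_t i; int c;` declared beside `size_t digest_len;` in the previous hunk and the `<ctype.h>` helpers, which I believe this parse.y already includes for its lexer — confirm. The literals `40` and `32` could also be written in terms of the digest string lengths if parse.y pulls in `<sha1.h>`/`<md5.h>`, but that is cosmetic.
```c
			digest_len = strlcpy(table->conf.digest, $6,
			    sizeof(table->conf.digest));
			/* … unchanged: switch (digest_len) selecting DIGEST_SHA1/DIGEST_MD5 … */
			/*
			 * SHA1Data()/MD5Data() emit lowercase hex, so any other
			 * character can never match; reject it now and normalise
			 * case so an uppercase-hex config keeps working.
			 */
			for (i = 0; i < digest_len; i++) {
				c = tolower((unsigned char)table->conf.digest[i]);
				if (!isxdigit(c)) {
					yyerror("invalid http digest");
					free($6);
					YYERROR;
				}
				table->conf.digest[i] = (char)c;
			}
```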
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.87 2007/11/20 17:08:44 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.88 2007/11/21 13:04:42 reyk Exp $ */
 
 /*
 * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -523,6 +523,8 @@ tableoptsl : host {
 table->sendbuf_len = strlen(table->sendbuf);
 }
 | CHECK http_type STRING hostname DIGEST STRING {
+ size_t digest_len;
+
 if ($2) {
 conf->flags |= F_SSL;
 table->conf.flags |= F_SSL;
@@ -536,10 +538,18 @@ tableoptsl : host {
 if (table->sendbuf == NULL)
 fatal("out of memory");
 table->sendbuf_len = strlen(table->sendbuf);
- if (strlcpy(table->conf.digest, $6,
- sizeof(table->conf.digest)) >=
- sizeof(table->conf.digest)) {
- yyerror("http digest truncated");
+
+ digest_len = strlcpy(table->conf.digest, $6,
+ sizeof(table->conf.digest));
+ switch (digest_len) {
+ case 40:
+ table->conf.digest_type = DIGEST_SHA1;
+ break;
+ case 32:
+ table->conf.digest_type = DIGEST_MD5;
+ break;
+ default:
+ yyerror("invalid http digest");
 free($6);
 YYERROR;
 }
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 10e6699e20e..77506e1d3da 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.58 2007/11/21 10:19:34 pyr Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.59 2007/11/21 13:04:42 reyk Exp $
 .\"
 .\" Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
 .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -188,8 +188,10 @@ This has the same effect as above but wraps the HTTP request in SSL.
 .Xc
 For each host in the table, verify that retrieving the URL
 .Ar path
-produces a content whose SHA1 digest is
-.Ar digest .
+produces a content whose message digest matches the defined string.
+The used algorithm is determined by the string length of the
+.Ar digest
+argument, it is either SHA1 (40 characters) or MD5 (32 characters).
 If
 .Ar hostname
 is specified, it is used as the
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index eddc059a11b..16f8c3ec955 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.76 2007/11/20 15:54:55 reyk Exp $ */
+/* $OpenBSD: relayd.h,v 1.77 2007/11/21 13:04:42 reyk Exp $ */
 
 /*
 * Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -337,6 +337,11 @@ enum host_status {
 };
 #define HOST_ISUP(x) (x == HOST_UP)
 
+enum digest_type {
+ DIGEST_SHA1 = 0,
+ DIGEST_MD5 = 1
+};
+
 struct table_config {
 objid_t id;
 objid_t serviceid;
@@ -351,6 +356,7 @@ struct table_config {
 char path[MAXPATHLEN];
 char exbuf[64];
 char digest[41]; /* length of sha1 digest * 2 */
+ enum digest_type digest_type;
 };
 
 struct table {
|