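/*
 * File:     XTunnelsDatabaseAccess.cp
 * Contains: The X-Tunnels server's database name/IP validation routines.
 * Copyright (c) 2003 by Xten Networks, Inc., all rights reserved.
 *
 * This section holds the source-rule evaluation (which peer addresses may
 * connect to a given host, anonymously or not) and the per-destination
 * traffic accounting. The rule tables and the traffic map are filled in
 * elsewhere in the file.
 */
#if DEBUG
#include <iostream>
#endif //DEBUG
#include <sstream>
#include <vector>
#include <map>
#include <algorithm>
#include <stdio.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
//#include <sys/types.h>
#include <netinet/in.h>
#if VS_TARGET_OS_OPENBSD
// -- need a fully qualified path for the makefile built version
#include </usr/local/pgsql/include/libpq-fe.h>
#else
#include <libpq-fe.h>
#endif // VS_TARGET_OS_OPENBSD
#include "restart.h"
#include "uiciname.h"
#include "XTunnelsCVsDES.h"
#include "XTunnelsCVsAES.h"
#include "XTunnelsProtocol.h"
#include "XTunnelsFamilyData.h"
#include "XTunnelsChildData.h"
#include "XTunnelsParentData.h"
#include "XTunnelsXCipher.h"
#if DEBUG
using std::cout;
using std::endl;
#endif //DEBUG
// NOTE(review): istrstream/ostrstream live in <strstream>, which is not
// included above; presumably one of the project headers pulls it in.
using std::istrstream;
using std::ostrstream;
using std::ostream;
using std::vector;
using std::map;
using std::pair;
using namespace XTunnels;

namespace {

// filename containing runtime options (relative path; resolved by the
// config loader, which is outside this section)
const char* g_szConfigFileName = "xtunnels.cfg";

// server runtime options
const char* g_szConfigFileLineListenPort = "listenport=";
const char* g_szConfigFileLineMaxClients = "maxclients=";

// X-Cipher options
const char* g_szConfigFileLineXCipherEnabled  = "xcipherenabled=";
const char* g_szConfigFileLineXCipherGlobal   = "xcipherglobal=";
const char* g_szConfigFileLineXCipherHost     = "xcipherhost=";
const char* g_szConfigFileLineXCipherPassword = "xcipherpassword=";

// PostgreSQL connection string options
const char* g_szConfigFileLineDBHost     = "host=";
const char* g_szConfigFileLineDBPort     = "port=";
const char* g_szConfigFileLineDBUsername = "user=";
const char* g_szConfigFileLineDBPassword = "password=";
const char* g_szConfigFileLineDBName     = "dbname=";

// Connection-string pieces. g_szDBPassword is a plain process-global
// buffer; it is presumably filled from the config file by code outside
// this section and stays resident for the server's lifetime.
char g_szDBHost[EMaxSmallBufferSize]     = { 0 };
char g_szDBPort[EMaxSmallBufferSize]     = { 0 };
char g_szDBUsername[EMaxSmallBufferSize] = { 0 };
char g_szDBPassword[EMaxSmallBufferSize] = { 0 };
char g_szDBName[EMaxSmallBufferSize]     = { 0 };

// how to connect to a PostgreSQL server (NULL when no database is active;
// LogDestinationIPIncomingTraffic treats that as "accounting disabled")
PGconn* g_pDBConnection = NULL;

// We cache rules from the database at startup and on update. One rule
// names a host, a rule type (ERule* values) and an inclusive address
// range held in network byte order (IsIPInRange converts with ntohl).
typedef struct {
  char*     m_szHost;
  int       m_iRuleType;
  in_addr_t m_ulFromIP;
  in_addr_t m_ulToIP;
} THostRule;
vector<THostRule> g_cHostSourceRules;
vector<THostRule> g_cHostDestinationRules;

// keep track of data size by validated destination
typedef struct {
  unsigned long m_ulIncomingTraffic;
  unsigned long m_ulOutgoingTraffic;
} TDestinationTraffic;
map<unsigned long, TDestinationTraffic> g_cDestinationIPs;

/**
 * Fetch the peer address of a connected socket.
 *
 * @param inAttemptingSocket  connected socket to query
 * @param outAttempter        receives the peer's sockaddr_in
 * @param outName             optional; if non-null receives the reverse-
 *                            resolved name via addr2name (MAX_CANON bytes)
 * @return 0 on success, 1 if getpeername() failed (EINTR is retried)
 */
int GetPeerFromSocket(int inAttemptingSocket, struct sockaddr_in* outAttempter, char outName[MAX_CANON]) {
  socklen_t len = sizeof(struct sockaddr_in);
  int retval = 0;
  // retry while interrupted by a signal; any other failure is reported
  while ( ((retval = getpeername(inAttemptingSocket, (struct sockaddr *)outAttempter, &len)) == -1)
          && (errno == EINTR) ) { }
  if (-1 == retval) {
#if DEBUG
    cout << "X-Tunnels: GetPeerFromSocket failed to get connector's socket IP" << endl;
#endif //DEBUG
    return 1;
  }
  if (outName) addr2name(outAttempter->sin_addr, outName, MAX_CANON);
  return 0;
}

/**
 * Inclusive range test on addresses given in network byte order.
 *
 * @return true when tMinAddr <= tAddr <= tMaxAddr after conversion to host
 *         order, false otherwise
 */
bool IsIPInRange(in_addr_t tAddr, in_addr_t tMinAddr, in_addr_t tMaxAddr) {
  const unsigned long ulAddr = ntohl(tAddr);
  const unsigned long ulMin  = ntohl(tMinAddr);
  const unsigned long ulMax  = ntohl(tMaxAddr);
  if (ulAddr < ulMin) {
#if DEBUG
    cout << "IsIPInRange: " << ulAddr << " < " << ulMin << " -- returning false!" << endl;
#endif //DEBUG
    return false;
  }
  if (ulAddr > ulMax) {
#if DEBUG
    cout << "IsIPInRange: " << ulAddr << " > " << ulMax << " -- returning false!" << endl;
#endif //DEBUG
    return false;
  }
#if DEBUG
  cout << "IsIPInRange: " << ulMin << " < " << ulAddr << " < " << ulMax << " -- returning true!" << endl;
#endif //DEBUG
  return true;
}

#if DEBUG
// Debug-only dump of the connecting address and one rule's range, shared by
// the rule cases in VerifyConnectingIPIsPermitted.
void DumpRuleCheck(const char* szRuleName, struct in_addr tAddr, const THostRule& tRule) {
  struct in_addr tFromAddr;
  struct in_addr tToAddr;
  cout << "X-Tunnels: VerifyConnectingIPIsPermitted checking " << szRuleName << ":" << endl;
  cout << "connecting in_addr: " << ntohl(tAddr.s_addr) << " (" << inet_ntoa(tAddr) << ") " << endl;
  tFromAddr.s_addr = tRule.m_ulFromIP;
  cout << " minimum in_addr: " << ntohl(tRule.m_ulFromIP) << " (" << inet_ntoa(tFromAddr) << ") " << endl;
  tToAddr.s_addr = tRule.m_ulToIP;
  cout << " maximum in_addr: " << ntohl(tRule.m_ulToIP) << " (" << inet_ntoa(tToAddr) << ") " << endl;
}
#endif //DEBUG

/**
 * True when an ERuleDenyConnection source rule for szHost covers tAddr.
 *
 * Only deny rules are consulted; accept rules never make this return true.
 * Hosts are matched with an exact strcmp on the rule's m_szHost.
 */
bool VerifyConnectingIPIsRejected(struct in_addr tAddr, const char* szHost) {
  for (vector<THostRule>::const_iterator iter = g_cHostSourceRules.begin();
       iter != g_cHostSourceRules.end(); ++iter) {
    if (strcmp(iter->m_szHost, szHost)) continue;
    if (iter->m_iRuleType != ERuleDenyConnection) continue;
    if (IsIPInRange(tAddr.s_addr, iter->m_ulFromIP, iter->m_ulToIP)) return true;
  }
  return false;
}

/**
 * Decide whether tAddr may connect to szHost.
 *
 * Source rules are walked in table order and the first rule whose range
 * contains tAddr decides:
 *   - ERuleAcceptConnection          -> true  (named connections only)
 *   - ERuleAcceptAnonymousConnection -> true  (anonymous connections only)
 *   - ERuleDenyConnection            -> false (either kind)
 * so an accept rule listed before a deny rule wins even if both match.
 *
 * When no rule decides, the default depends on the connection kind:
 * anonymous connections are refused (they need an explicit anonymous
 * rule), named connections are accepted unless at least one
 * ERuleAcceptConnection rule exists for the host, in which case the host
 * is treated as accept-listed and everything else is refused. Note this
 * means a host with only deny rules is open to any named address not in
 * a deny range; VerifyConnectingIPIsRejected is a separate check and the
 * caller's ordering of the two is not visible here.
 *
 * @param tAddr        connecting peer address (network byte order)
 * @param szHost       host name the rules are keyed on (exact strcmp match)
 * @param bAnonymously true for an anonymous connection attempt
 */
bool VerifyConnectingIPIsPermitted(struct in_addr tAddr, const char* szHost, bool bAnonymously) {
  // Rules for all hosts were loaded as one set, so nothing is fetched per host here.
  // Becomes true once any ERuleAcceptConnection rule names this host; that turns
  // the host from "accept anyone" into "accept only the listed ranges".
  bool bOnlyRuleExists = false;
  for (vector<THostRule>::const_iterator iter = g_cHostSourceRules.begin();
       iter != g_cHostSourceRules.end(); ++iter) {
    if (strcmp(iter->m_szHost, szHost)) continue;
    switch (iter->m_iRuleType) {
      case ERuleAcceptConnection:
        bOnlyRuleExists = true;
        if (bAnonymously) break;  // accept rules govern named connections only
        // (the per-rule debug dump for this case was disabled in the original and stays off)
        if (IsIPInRange(tAddr.s_addr, iter->m_ulFromIP, iter->m_ulToIP)) {
#if DEBUG
          cout << " connecting was in range -- returning true!" << endl;
#endif //DEBUG
          return true;
        }
#if DEBUG
        cout << " connecting was not in range -- looking for more rules" << endl;
#endif //DEBUG
        break;

      case ERuleAcceptAnonymousConnection:
        if (!bAnonymously) break;  // anonymous rules govern anonymous connections only
#if DEBUG
        DumpRuleCheck("ERuleAcceptAnonymousConnection", tAddr, *iter);
#endif //DEBUG
        if (IsIPInRange(tAddr.s_addr, iter->m_ulFromIP, iter->m_ulToIP)) {
#if DEBUG
          cout << " connecting was in range -- returning true!" << endl;
#endif //DEBUG
          return true;
        }
#if DEBUG
        cout << " connecting was not in range -- looking for more rules" << endl;
#endif //DEBUG
        break;

      case ERuleDenyConnection:
#if DEBUG
        DumpRuleCheck("ERuleDenyConnection", tAddr, *iter);
#endif //DEBUG
        if (IsIPInRange(tAddr.s_addr, iter->m_ulFromIP, iter->m_ulToIP)) {
#if DEBUG
          cout << " connecting was in range -- returning false!" << endl;
#endif //DEBUG
          return false;
        }
#if DEBUG
        cout << " connecting was not in range -- looking for more rules" << endl;
#endif //DEBUG
        break;

      //case ERuleOnlyTransmitTo:
      default: // not applicable to source-side checks
#if DEBUG
        cout << "X-Tunnels: VerifyConnectingIPIsPermitted unknown rule type " << iter->m_iRuleType << endl;
#endif //DEBUG
        break;
    }
  }
  // No rule decided. If no accept-only rule was seen, accept any named
  // connection; if one was, exclude everything not explicitly listed.
  // Anonymous connections are never accepted by default.
  bool bAcceptWithoutRule = !bAnonymously && !bOnlyRuleExists;
#if DEBUG
  cout << "X-Tunnels: VerifyConnectingIPIsPermitted found no applicable rules, returning "
       << (bAcceptWithoutRule ? "true!" : "false!") << endl;
#endif //DEBUG
  return bAcceptWithoutRule;
}

} // end anonymous namespace

namespace XTunnels {

/** Number of distinct destination addresses that have traffic recorded. */
unsigned long GetUniqueDestinations() {
  return g_cDestinationIPs.size();
}

/**
 * Copy the per-destination traffic counters into a caller-supplied array.
 *
 * The array is zeroed first and then filled from its last slot backwards,
 * so the first map entry lands in pInfo[ulCount-1]. At most ulCount
 * entries are ever written: a map larger than the buffer is truncated and
 * a smaller one leaves the leading slots zeroed.
 *
 * @param ulCount number of TDestinationInfo slots available at pInfo
 * @param pInfo   destination buffer; a null pointer or zero count is a no-op
 */
void GetDestinationsTraffic(unsigned long ulCount, TDestinationInfo* pInfo) {
  // The original memset() ran before the count check, which is undefined
  // for a null pointer even with a zero length; bail out first instead.
  if (!pInfo || !ulCount) return;
  memset(pInfo, 0, ulCount * sizeof(TDestinationInfo));
  unsigned long ulSlot = ulCount - 1;  // we'll fill in the array from the end
  for (map<unsigned long, TDestinationTraffic>::const_iterator pIter = g_cDestinationIPs.begin();
       pIter != g_cDestinationIPs.end(); ++pIter) {
    pInfo[ulSlot].m_ulIPAddress       = pIter->first;
    pInfo[ulSlot].m_ulIncomingTraffic = pIter->second.m_ulIncomingTraffic;
    pInfo[ulSlot].m_ulOutgoingTraffic = pIter->second.m_ulOutgoingTraffic;
    if (!ulSlot) return;  // buffer full; remaining map entries are dropped
    ulSlot--;
  }
}

/**
 * Account ulPacketSize bytes of incoming traffic against ulDestinationIP.
 *
 * Returns true unconditionally when no database connection is active
 * (accounting disabled). An existing entry is incremented in place; a new
 * entry is created otherwise. The body continues past this section.
 */
bool LogDestinationIPIncomingTraffic(unsigned long ulDestinationIP, unsigned long ulPacketSize) {
  // always true if no active database
  if (!g_pDBConnection) return true;
  map<unsigned long, TDestinationTraffic>::iterator pIter = g_cDestinationIPs.find(ulDestinationIP);
  if (pIter != g_cDestinationIPs.end()) {
    pIter->second.m_ulIncomingTraffic += ulPacketSize;
    return true;
  }
  // first sighting of this destination: build a fresh counter entry
  TDestinationTraffic tTraffic;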