/*
* Copyright (C) 2002, 2003 Tomasz Kojm <zolw@konarski.edu.pl>
* HTTP/1.1 compliance by Arkadiusz Miskiewicz <misiek@pld.org.pl>
* Proxy support by Nigel Horne <njh@bandsman.co.uk>
* Proxy authorization support by Gernot Tenchio <g.tenchio@telco-tech.de>
* (uses fmt_base64() from libowfat (http://www.fefe.de))
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <ctype.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <time.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <clamav.h>
#include "others.h"
#include "options.h"
#include "defaults.h"
#include "manager.h"
#include "shared.h"
#include "notify.h"
int downloadmanager(const struct optstruct *opt, const char *hostname)
{
time_t currtime;
int ret, updated = 0, signo = 0;
char ipaddr[16];
time(&currtime);
mprintf("ClamAV update process started at %s", ctime(&currtime));
logg("ClamAV update process started at %s", ctime(&currtime));
#ifndef HAVE_GMP
mprintf("SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES\n");
logg("SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES\n");
#endif
memset(ipaddr, 0, sizeof(ipaddr));
if((ret = downloaddb(DB1NAME, "main.cvd", hostname, ipaddr, &signo, opt)) > 50)
return ret;
else if(ret == 0)
updated = 1;
/* if ipaddr[0] != 0 it will use it to connect to the web host */
if((ret = downloaddb(DB2NAME, "daily.cvd", hostname, ipaddr, &signo, opt)) > 50)
return ret;
else if(ret == 0)
updated = 1;
if(updated) {
if(optl(opt, "http-proxy")) {
mprintf("Database updated (%d signatures) from %s.\n", signo, hostname);
logg("Database updated (%d signatures) from %s.\n", signo, hostname);
} else {
mprintf("Database updated (%d signatures) from %s (%s).\n", signo, hostname, ipaddr);
logg("Database updated (%d signatures) from %s (%s).\n", signo, hostname, ipaddr);
}
#ifdef BUILD_CLAMD
if(optl(opt, "daemon-notify")) {
const char *clamav_conf = getargl(opt, "daemon-notify");
if(!clamav_conf)
clamav_conf = DEFAULT_CFG;
notify(clamav_conf);
}
#endif
if(optl(opt, "on-update-execute"))
system(getargl(opt, "on-update-execute"));
return 0;
} else
return 1;
}
int downloaddb(const char *localname, const char *remotename, const char *hostname, char *ip, int *signo, const struct optstruct *opt)
{
struct cl_cvd *current, *remote;
int hostfd, nodb = 0, ret;
char *tempname, ipaddr[16];
const char *proxy, *user;
if((current = cl_cvdhead(localname)) == NULL)
nodb = 1;
if(optl(opt, "proxy-user"))
user = getargl(opt, "proxy-user");
else
user = NULL;
/*
* njh@bandsman.co.uk: added proxy support. Tested using squid 2.4
*/
if(optl(opt, "http-proxy")) {
proxy = getargl(opt, "http-proxy");
if(strncasecmp(proxy, "http://", 7) == 0)
proxy += 7;
} else if((proxy = getenv("http_proxy"))) {
char *no_proxy;
if(strncasecmp(proxy, "http://", 7) == 0)
proxy = &proxy[7];
if((no_proxy = getenv("no_proxy"))) {
const char *ptr;
for(ptr = strtok(no_proxy, ","); ptr; ptr = strtok(NULL, ","))
if(strcasecmp(ptr, hostname) == 0) {
proxy = NULL;
break;
}
}
if(proxy && strlen(proxy) == 0)
proxy = NULL;
}
if(proxy)
mprintf("Connecting via %s\n", proxy);
if(ip[0])
hostfd = wwwconnect(ip, proxy, NULL); /* we use ip to connect */
else
hostfd = wwwconnect(hostname, proxy, ipaddr);
if(hostfd < 0) {
mprintf("@Connection with %s (IP: %s) failed.\n", hostname, ipaddr);
return 52;
} else
mprintf("*Connected to %s (%s).\n", hostname, ipaddr);
if(!ip[0])
strcpy(ip, ipaddr);
if(!(remote = remote_cvdhead(remotename, hostfd, hostname, proxy, user))) {
mprintf("@Can't read %s header from %s (%s)\n", remotename, hostname, ipaddr);
close(hostfd);
return 52;
}
*signo += remote->sigs; /* we need to do it just here */
if(current && (current->version >= remote->version)) {
mprintf("%s is up to date (version: %d, sigs: %d, f-level: %d, builder: %s)\n", localname, current->version, current->sigs, current->fl, current->builder);
logg("%s is up to date (version: %d, sigs: %d, f-level: %d, builder: %s)\n", localname, current->version, current->sigs, current->fl, current->builder);
close(hostfd);
cl_cvdfree(current);
cl_cvdfree(remote);
return 1;
}
if(current)
cl_cvdfree(current);
cl_cvdfree(remote);
/* FIXME: We need to reconnect, because we may not be able to download
* the database. The problem doesn't exist with my local apache.
* Some code change is needed in get_md5_checksum().
*/
/* begin bug work-around */
close(hostfd);
hostfd = wwwconnect(ipaddr, proxy, NULL); /* we use ipaddr to connect
* to the same mirror
*/
if(hostfd < 0) {
mprintf("@Connection with %s failed.\n", ipaddr);
return 52;
};
/* end */
/* temporary file is created in clamav's directory thus we don't need
* to create it immediately because race condition is not possible here
*/
tempname = cl_gentemp(".");
if(get_database(remotename, hostfd, tempname, hostname, proxy, user)) {
mprintf("@Can't download %s from %s\n", remotename, ipaddr);
unlink(tempname);
free(tempname);
close(hostfd);
return 52;
}
close(hostfd);
if((ret = cl_cvdverify(tempname))) {
mprintf("@Verification: %s\n", cl_strerror(ret));
unlink(tempname);
free(tempname);
return 54;
}
if(!nodb && unlink(localname)) {
mprintf("@Can't unlink %s. Please fix it and try again.\n", localname);
unlink(tempname);
free(tempname);
return 53;
} else
rename(tempname, localname);
if((current = cl_cvdhead(localname)) == NULL) {
mprintf("@Can't read CVD header of new %s database.\n", localname);
return 54;
}
mprintf("%s updated (version: %d, sigs: %d, f-level: %d, builder: %s)\n", localname, current->version, current->sigs, current->fl, current->builder);
logg("%s updated (version: %d, sigs: %d, f-level: %d, builder: %s)\n", localname, current->version, current->sigs, current->fl, current->builder);
cl_cvdfree(current);
free(tempname);
return 0;
}
/* this function returns socket descriptor */
/* proxy support finshed by njh@bandsman.co.uk */
int wwwconnect(const char *server, const char *proxy, char *ip)
{
int socketfd, port;
struct sockaddr_in name;
struct hostent *host;
char *portpt, *proxycpy = NULL, ipaddr[16];
unsigned char *ia;
const char *hostpt;
if(ip)
strcpy(ip, "???");
/* njh@bandsman.co.uk: for BEOS */
#ifdef PF_INET
socketfd = socket(PF_INET, SOCK_STREAM, 0);
#else
socketfd = socket(AF_INET, SOCK_STREAM, 0);
#endif
name.sin_family = AF_INET;
if(proxy) {
proxycpy = strdup(proxy);
hostpt = proxycpy;
portpt = strchr(proxycpy, ':');
if(portpt) {
*portpt = 0;
port = atoi(++portpt);
} else {
#ifndef C_CYGWIN
const struct servent *webcache = getservbyname("webcache", "TCP");
if(webcache)
port = ntohs(webcache->s_port);
else
port = 8080;
endservent();
#else
port = 8080;
#endif
}
} else {
hostpt = server;
port = 80;
}
if((host = gethostbyname(hostpt)) == NULL) {
mprintf("@Can't get information about %s host.\n", hostpt);
if(proxycpy)
free(proxycpy);
return -1;
}
/* this dirty hack comes from pink - Nosuid TCP/IP ping 1.6 */
ia = (unsigned char *) host->h_addr;
sprintf(ipaddr, "%u.%u.%u.%u", ia[0], ia[1], ia[2], ia[3]);
if(ip)
strcpy(ip, ipaddr);
name.sin_addr = *((struct in_addr *) host->h_addr);
name.sin_port = htons(port);
if(connect(socketfd, (struct sockaddr *) &name, sizeof(struct sockaddr_in)) == -1) {
mprintf("@Can't connect to port %d of host %s (%s)\n", port, hostpt, ipaddr);
close(socketfd);
if(proxycpy)
free(proxycpy);
return -2;
}
if(proxycpy)
free(proxycpy);
return socketfd;
}
/* njh@bandsman.co.uk: added proxy support */
/* TODO: use a HEAD instruction to see if the file has been changed */
struct cl_cvd *remote_cvdhead(const char *file, int socketfd, const char *hostname, const char *proxy, const char *user)
{
char cmd[512], head[513], buffer[FILEBUFF], *ch, *tmp;
int i, j, bread, cnt;
char *remotename = NULL, *authorization = NULL;
struct cl_cvd *cvd;
if(proxy) {
remotename = mmalloc(strlen(hostname) + 8);
sprintf(remotename, "http://%s", hostname);
if(user) {
int len;
char* buf = mmalloc(strlen(user)*2+4);
len=fmt_base64(buf,user,strlen(user));
buf[len]='\0';
authorization = mmalloc(strlen(buf) + 30);
sprintf(authorization, "Proxy-Authorization: Basic %s\r\n", buf);
free(buf);
}
}
mprintf("Reading CVD header (%s): ", file);
#ifdef NO_SNPRINTF
sprintf(cmd, "GET %s/%s HTTP/1.1\r\n"
"Host: %s\r\n%s"
"User-Agent: "PACKAGE"/"VERSION"\r\n"
"Cache-Control: no-cache\r\n"
"Connection: close\r\n"
"\r\n", (remotename != NULL)?remotename:"", file, hostname, (authorization != NULL)?authorization:"");
#else
snprintf(cmd, sizeof(cmd), "GET %s/%s HTTP/1.1\r\n"
"Host: %s\r\n%s"
"User-Agent: "PACKAGE"/"VERSION"\r\n"
"Cache-Control: no-cache\r\n"
"Connection: close\r\n"
"\r\n", (remotename != NULL)?remotename:"", file, hostname, (authorization != NULL)?authorization:"");
#endif
write(socketfd, cmd, strlen(cmd));
free(remotename);
free(authorization);
tmp = buffer;
cnt = FILEBUFF;
while ((bread = recv(socketfd, tmp, cnt, 0)) > 0) {
tmp+=bread;
cnt-=bread;
if (cnt <= 0) break;
}
if(bread == -1) {
mprintf("@Error while reading CVD header of database from %s\n", hostname);
return NULL;
}
if ((strstr(buffer, "HTTP/1.1 404")) != NULL) {
mprintf("@CVD file not found on remote server\n");
return NULL;
}
ch = buffer;
i = 0;
while (1) {
if (*ch == '\n' && *(ch - 1) == '\r' && *(ch - 2) == '\n' && *(ch - 3) == '\r') {
ch++;
i++;
break;
}
ch++;
i++;
}
memset(head, 0, sizeof(head));
for (j=0; j<512; j++) {
if (!ch || (ch && !*ch) || (ch && !isprint(ch[j]))) {
mprintf("@Malformed CVD header detected.\n");
return NULL;
}
head[j] = ch[j];
}
if((cvd = cl_cvdparse(head)) == NULL)
mprintf("@Broken CVD header.\n");
else
mprintf("OK\n");
return cvd;
}
/* njh@bandsman.co.uk: added proxy support */
/* TODO: use a HEAD instruction to see if the file has been changed */
int
get_database(const char *dbfile, int socketfd, const char *file, const char *hostname, const char *proxy, const char *user)
{
char cmd[512], buffer[FILEBUFF];
char *ch;
int bread, fd, i, rot = 0;
char *remotename = NULL, *authorization = NULL;
const char *rotation = "|/-\\";
if(proxy) {
remotename = mmalloc(strlen(hostname) + 8);
sprintf(remotename, "http://%s", hostname);
if(user) {
int len;
char* buf = mmalloc(strlen(user)*2+4);
len=fmt_base64(buf,user,strlen(user));
buf[len]='\0';
authorization = mmalloc(strlen(buf) + 30);
sprintf(authorization, "Proxy-Authorization: Basic %s\r\n", buf);
free(buf);
}
}
if((fd = open(file, O_WRONLY|O_CREAT|O_EXCL, 0644)) == -1) {
mprintf("@Can't open new file %s to write\n", file);
perror("open");
return -1;
}
#ifdef NO_SNPRINTF
sprintf(cmd, "GET %s/%s HTTP/1.1\r\n"
"Host: %s\r\n%s"
"User-Agent: "PACKAGE"/"VERSION"\r\n"
"Cache-Control: no-cache\r\n"
"Connection: close\r\n"
"\r\n", (remotename != NULL)?remotename:"", dbfile, hostname, (authorization != NULL)?authorization:"");
#else
snprintf(cmd, sizeof(cmd), "GET %s/%s HTTP/1.1\r\n"
"Host: %s\r\n%s"
"User-Agent: "PACKAGE"/"VERSION"\r\n"
"Cache-Control: no-cache\r\n"
"Connection: close\r\n"
"\r\n", (remotename != NULL)?remotename:"", dbfile, hostname, (authorization != NULL)?authorization:"");
#endif
write(socketfd, cmd, strlen(cmd));
free(remotename);
free(authorization);
if ((bread = recv(socketfd, buffer, FILEBUFF, 0)) == -1) {
mprintf("@Error while reading database from %s\n", hostname);
return -1;
}
if ((strstr(buffer, "HTTP/1.1 404")) != NULL) {
mprintf("@%s not found on remote server\n", dbfile);
return -1;
}
ch = buffer;
i = 0;
while (1) {
if (*ch == '\n' && *(ch - 1) == '\r' && *(ch - 2) == '\n' && *(ch - 3) == '\r') {
ch++;
i++;
break;
}
ch++;
i++;
}
write(fd, ch, bread - i);
while((bread = read(socketfd, buffer, FILEBUFF))) {
write(fd, buffer, bread);
mprintf("Downloading %s [%c]\r", dbfile, rotation[rot]);
fflush(stdout);
rot = ++rot % 4;
}
mprintf("Downloading %s [*]\n", dbfile);
close(fd);
return 0;
}
const char base64[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
unsigned int fmt_base64(char* dest,const char* src,unsigned int len) {
register const unsigned char* s=(const unsigned char*) src;
unsigned short bits=0,temp=0;
unsigned long written=0,i;
for (i=0; i< len; ++i) {
temp<<=8; temp+=s[i]; bits+=8;
while (bits>6) {
if (dest) dest[written]=base64[((temp>>(bits-6))&63)];
++written; bits-=6;
}
}
if (bits) {
temp<<=(6-bits);
if (dest) dest[written]=base64[temp&63];
++written;
}
while (written&3) { if (dest) dest[written]='='; ++written; }
return written;
}