+ /* Read the username */
+ BUFFER_READ (pss.username, username_len);
+ pss.username[username_len] = 0;
+
+ assert (buffer_offset == pss_head_length);
+
+ /* Query the password */
+ secret = fbh_get (se->data.server.userdb, pss.username);
+ if (secret == NULL)
+ {
+ ERROR ("network plugin: Unknown user: %s", pss.username);
+ sfree (pss.username);
+ return (-ENOENT);
+ }
+
+ /* Create a hash device and check the HMAC */
+ hd = NULL;
+ err = gcry_md_open (&hd, GCRY_MD_SHA256, GCRY_MD_FLAG_HMAC);
+ if (err != 0)
+ {
+ ERROR ("network plugin: Creating HMAC-SHA-256 object failed: %s",
+ gcry_strerror (err));
+ sfree (secret);
+ sfree (pss.username);
+ return (-1);
+ }
+
+ err = gcry_md_setkey (hd, secret, strlen (secret));
+ if (err != 0)
+ {
+ ERROR ("network plugin: gcry_md_setkey failed: %s", gcry_strerror (err));
+ gcry_md_close (hd);
+ sfree (secret);
+ sfree (pss.username);
+ return (-1);
+ }
+
+ gcry_md_write (hd,
+ buffer + PART_SIGNATURE_SHA256_SIZE,
+ buffer_len - PART_SIGNATURE_SHA256_SIZE);
+ hash_ptr = gcry_md_read (hd, GCRY_MD_SHA256);
+ if (hash_ptr == NULL)
+ {
+ ERROR ("network plugin: gcry_md_read failed.");
+ gcry_md_close (hd);
+ sfree (secret);
+ sfree (pss.username);
+ return (-1);
+ }
+ memcpy (hash, hash_ptr, sizeof (hash));
+
+ /* Clean up */
+ gcry_md_close (hd);
+ hd = NULL;
+
+ if (memcmp (pss.hash, hash, sizeof (pss.hash)) != 0)
+ {
+ WARNING ("network plugin: Verifying HMAC-SHA-256 signature failed: "
+ "Hash mismatch.");
+ }
+ else
+ {
+ parse_packet (se, buffer + buffer_offset, buffer_len - buffer_offset,
+ flags | PP_SIGNED, pss.username);
+ }
+
+ sfree (secret);
+ sfree (pss.username);
+
+ *ret_buffer = buffer + buffer_len;
+ *ret_buffer_len = 0;
+
+ return (0);
+} /* }}} int parse_part_sign_sha256 */
+/* #endif HAVE_LIBGCRYPT */
+
+#else /* if !HAVE_LIBGCRYPT */
+static int parse_part_sign_sha256 (sockent_t *se, /* {{{ */
+ void **ret_buffer, size_t *ret_buffer_size, int flags)
+{
+ static int warning_has_been_printed = 0;
+
+ char *buffer;
+ size_t buffer_size;
+ size_t buffer_offset;
+ uint16_t part_len;
+
+ part_signature_sha256_t pss;
+
+ buffer = *ret_buffer;
+ buffer_size = *ret_buffer_size;
+ buffer_offset = 0;
+
+ if (buffer_size <= PART_SIGNATURE_SHA256_SIZE)
+ return (-ENOMEM);
+
+ BUFFER_READ (&pss.head.type, sizeof (pss.head.type));
+ BUFFER_READ (&pss.head.length, sizeof (pss.head.length));
+ part_len = ntohs (pss.head.length);
+
+ if ((part_len <= PART_SIGNATURE_SHA256_SIZE)
+ || (part_len > buffer_size))
+ return (-EINVAL);
+
+ if (warning_has_been_printed == 0)
+ {
+ WARNING ("network plugin: Received signed packet, but the network "
+ "plugin was not linked with libgcrypt, so I cannot "
+ "verify the signature. The packet will be accepted.");
+ warning_has_been_printed = 1;
+ }
+
+ parse_packet (se, buffer + part_len, buffer_size - part_len, flags,
+ /* username = */ NULL);
+
+ *ret_buffer = buffer + buffer_size;
+ *ret_buffer_size = 0;
+
+ return (0);
+} /* }}} int parse_part_sign_sha256 */
+#endif /* !HAVE_LIBGCRYPT */
+
+#if HAVE_LIBGCRYPT
+static int parse_part_encr_aes256 (sockent_t *se, /* {{{ */
+ void **ret_buffer, size_t *ret_buffer_len,
+ int flags)
+{
+ char *buffer = *ret_buffer;
+ size_t buffer_len = *ret_buffer_len;
+ size_t payload_len;
+ size_t part_size;
+ size_t buffer_offset;
+ uint16_t username_len;
+ part_encryption_aes256_t pea;
+ unsigned char hash[sizeof (pea.hash)];
+
+ gcry_cipher_hd_t cypher;
+ gcry_error_t err;
+
+ /* Make sure at least the header if available. */
+ if (buffer_len <= PART_ENCRYPTION_AES256_SIZE)
+ {
+ NOTICE ("network plugin: parse_part_encr_aes256: "
+ "Discarding short packet.");
+ return (-1);
+ }
+
+ buffer_offset = 0;
+
+ /* Copy the unencrypted information into `pea'. */
+ BUFFER_READ (&pea.head.type, sizeof (pea.head.type));
+ BUFFER_READ (&pea.head.length, sizeof (pea.head.length));
+
+ /* Check the `part size'. */
+ part_size = ntohs (pea.head.length);
+ if ((part_size <= PART_ENCRYPTION_AES256_SIZE)
+ || (part_size > buffer_len))
+ {
+ NOTICE ("network plugin: parse_part_encr_aes256: "
+ "Discarding part with invalid size.");
+ return (-1);
+ }
+
+ /* Read the username */
+ BUFFER_READ (&username_len, sizeof (username_len));
+ username_len = ntohs (username_len);
+
+ if ((username_len <= 0)
+ || (username_len > (part_size - (PART_ENCRYPTION_AES256_SIZE + 1))))
+ {
+ NOTICE ("network plugin: parse_part_encr_aes256: "
+ "Discarding part with invalid username length.");
+ return (-1);
+ }
+
+ assert (username_len > 0);
+ pea.username = malloc (username_len + 1);
+ if (pea.username == NULL)
+ return (-ENOMEM);
+ BUFFER_READ (pea.username, username_len);
+ pea.username[username_len] = 0;
+
+ /* Last but not least, the initialization vector */
+ BUFFER_READ (pea.iv, sizeof (pea.iv));
+
+ /* Make sure we are at the right position */
+ assert (buffer_offset == (username_len +
+ PART_ENCRYPTION_AES256_SIZE - sizeof (pea.hash)));
+
+ cypher = network_get_aes256_cypher (se, pea.iv, sizeof (pea.iv),
+ pea.username);
+ if (cypher == NULL)
+ {
+ sfree (pea.username);
+ return (-1);
+ }
+
+ payload_len = part_size - (PART_ENCRYPTION_AES256_SIZE + username_len);
+ assert (payload_len > 0);
+
+ /* Decrypt the packet in-place */
+ err = gcry_cipher_decrypt (cypher,
+ buffer + buffer_offset,
+ part_size - buffer_offset,
+ /* in = */ NULL, /* in len = */ 0);
+ if (err != 0)
+ {
+ sfree (pea.username);
+ ERROR ("network plugin: gcry_cipher_decrypt returned: %s",
+ gcry_strerror (err));
+ return (-1);
+ }
+
+ /* Read the hash */
+ BUFFER_READ (pea.hash, sizeof (pea.hash));
+
+ /* Make sure we're at the right position - again */
+ assert (buffer_offset == (username_len + PART_ENCRYPTION_AES256_SIZE));
+ assert (buffer_offset == (part_size - payload_len));
+
+ /* Check hash sum */
+ memset (hash, 0, sizeof (hash));
+ gcry_md_hash_buffer (GCRY_MD_SHA1, hash,
+ buffer + buffer_offset, payload_len);
+ if (memcmp (hash, pea.hash, sizeof (hash)) != 0)
+ {
+ sfree (pea.username);
+ ERROR ("network plugin: Decryption failed: Checksum mismatch.");
+ return (-1);
+ }
+
+ parse_packet (se, buffer + buffer_offset, payload_len,
+ flags | PP_ENCRYPTED, pea.username);
+
+ /* XXX: Free pea.username?!? */
+
+ /* Update return values */
+ *ret_buffer = buffer + part_size;
+ *ret_buffer_len = buffer_len - part_size;
+
+ sfree (pea.username);
+
+ return (0);
+} /* }}} int parse_part_encr_aes256 */
+/* #endif HAVE_LIBGCRYPT */
+
+#else /* if !HAVE_LIBGCRYPT */
+static int parse_part_encr_aes256 (sockent_t *se, /* {{{ */
+ void **ret_buffer, size_t *ret_buffer_size, int flags)
+{
+ static int warning_has_been_printed = 0;
+
+ char *buffer;
+ size_t buffer_size;
+ size_t buffer_offset;
+
+ part_header_t ph;
+ size_t ph_length;
+
+ buffer = *ret_buffer;
+ buffer_size = *ret_buffer_size;
+ buffer_offset = 0;
+
+ /* parse_packet assures this minimum size. */
+ assert (buffer_size >= (sizeof (ph.type) + sizeof (ph.length)));
+
+ BUFFER_READ (&ph.type, sizeof (ph.type));
+ BUFFER_READ (&ph.length, sizeof (ph.length));
+ ph_length = ntohs (ph.length);
+
+ if ((ph_length <= PART_ENCRYPTION_AES256_SIZE)
+ || (ph_length > buffer_size))
+ {
+ ERROR ("network plugin: AES-256 encrypted part "
+ "with invalid length received.");
+ return (-1);
+ }
+
+ if (warning_has_been_printed == 0)
+ {
+ WARNING ("network plugin: Received encrypted packet, but the network "
+ "plugin was not linked with libgcrypt, so I cannot "
+ "decrypt it. The part will be discarded.");
+ warning_has_been_printed = 1;
+ }
+
+ *ret_buffer += ph_length;
+ *ret_buffer_size -= ph_length;
+
+ return (0);
+} /* }}} int parse_part_encr_aes256 */
+#endif /* !HAVE_LIBGCRYPT */
+
+#undef BUFFER_READ
+
+static int parse_packet (sockent_t *se, /* {{{ */
+ void *buffer, size_t buffer_size, int flags,
+ const char *username)
+{
+ int status;
+
+ value_list_t vl = VALUE_LIST_INIT;
+ notification_t n;
+
+#if HAVE_LIBGCRYPT
+ int packet_was_signed = (flags & PP_SIGNED);
+ int packet_was_encrypted = (flags & PP_ENCRYPTED);
+ int printed_ignore_warning = 0;
+#endif /* HAVE_LIBGCRYPT */
+
+
+ memset (&vl, '\0', sizeof (vl));
+ memset (&n, '\0', sizeof (n));
+ status = 0;
+
+ while ((status == 0) && (0 < buffer_size)
+ && ((unsigned int) buffer_size > sizeof (part_header_t)))
+ {
+ uint16_t pkg_length;
+ uint16_t pkg_type;
+
+ memcpy ((void *) &pkg_type,
+ (void *) buffer,
+ sizeof (pkg_type));
+ memcpy ((void *) &pkg_length,
+ (void *) (buffer + sizeof (pkg_type)),
+ sizeof (pkg_length));
+
+ pkg_length = ntohs (pkg_length);
+ pkg_type = ntohs (pkg_type);
+
+ if (pkg_length > buffer_size)
+ break;
+ /* Ensure that this loop terminates eventually */
+ if (pkg_length < (2 * sizeof (uint16_t)))
+ break;
+
+ if (pkg_type == TYPE_ENCR_AES256)
+ {
+ status = parse_part_encr_aes256 (se,
+ &buffer, &buffer_size, flags);
+ if (status != 0)
+ {
+ ERROR ("network plugin: Decrypting AES256 "
+ "part failed "
+ "with status %i.", status);
+ break;
+ }
+ }
+#if HAVE_LIBGCRYPT
+ else if ((se->data.server.security_level == SECURITY_LEVEL_ENCRYPT)
+ && (packet_was_encrypted == 0))
+ {
+ if (printed_ignore_warning == 0)
+ {
+ INFO ("network plugin: Unencrypted packet or "
+ "part has been ignored.");
+ printed_ignore_warning = 1;
+ }
+ buffer = ((char *) buffer) + pkg_length;
+ continue;
+ }
+#endif /* HAVE_LIBGCRYPT */
+ else if (pkg_type == TYPE_SIGN_SHA256)
+ {
+ status = parse_part_sign_sha256 (se,
+ &buffer, &buffer_size, flags);
+ if (status != 0)
+ {
+ ERROR ("network plugin: Verifying HMAC-SHA-256 "
+ "signature failed "
+ "with status %i.", status);
+ break;
+ }
+ }
+#if HAVE_LIBGCRYPT
+ else if ((se->data.server.security_level == SECURITY_LEVEL_SIGN)
+ && (packet_was_encrypted == 0)
+ && (packet_was_signed == 0))
+ {
+ if (printed_ignore_warning == 0)
+ {
+ INFO ("network plugin: Unsigned packet or "
+ "part has been ignored.");
+ printed_ignore_warning = 1;
+ }
+ buffer = ((char *) buffer) + pkg_length;
+ continue;
+ }
+#endif /* HAVE_LIBGCRYPT */
+ else if (pkg_type == TYPE_VALUES)
+ {
+ status = parse_part_values (&buffer, &buffer_size,
+ &vl.values, &vl.values_len);
+ if (status != 0)
+ break;
+
+ network_dispatch_values (&vl, username);
+
+ sfree (vl.values);
+ }
+ else if (pkg_type == TYPE_TIME)
+ {
+ uint64_t tmp = 0;
+ status = parse_part_number (&buffer, &buffer_size,
+ &tmp);
+ if (status == 0)
+ {
+ vl.time = (time_t) tmp;
+ n.time = (time_t) tmp;
+ }
+ }
+ else if (pkg_type == TYPE_INTERVAL)
+ {
+ uint64_t tmp = 0;
+ status = parse_part_number (&buffer, &buffer_size,
+ &tmp);
+ if (status == 0)
+ vl.interval = (int) tmp;
+ }
+ else if (pkg_type == TYPE_HOST)
+ {
+ status = parse_part_string (&buffer, &buffer_size,
+ vl.host, sizeof (vl.host));
+ if (status == 0)
+ sstrncpy (n.host, vl.host, sizeof (n.host));
+ }
+ else if (pkg_type == TYPE_PLUGIN)
+ {
+ status = parse_part_string (&buffer, &buffer_size,
+ vl.plugin, sizeof (vl.plugin));
+ if (status == 0)
+ sstrncpy (n.plugin, vl.plugin,
+ sizeof (n.plugin));
+ }
+ else if (pkg_type == TYPE_PLUGIN_INSTANCE)
+ {
+ status = parse_part_string (&buffer, &buffer_size,
+ vl.plugin_instance,
+ sizeof (vl.plugin_instance));
+ if (status == 0)
+ sstrncpy (n.plugin_instance,
+ vl.plugin_instance,
+ sizeof (n.plugin_instance));
+ }
+ else if (pkg_type == TYPE_TYPE)
+ {
+ status = parse_part_string (&buffer, &buffer_size,
+ vl.type, sizeof (vl.type));
+ if (status == 0)
+ sstrncpy (n.type, vl.type, sizeof (n.type));
+ }
+ else if (pkg_type == TYPE_TYPE_INSTANCE)
+ {
+ status = parse_part_string (&buffer, &buffer_size,
+ vl.type_instance,
+ sizeof (vl.type_instance));
+ if (status == 0)
+ sstrncpy (n.type_instance, vl.type_instance,
+ sizeof (n.type_instance));
+ }
+ else if (pkg_type == TYPE_MESSAGE)
+ {
+ status = parse_part_string (&buffer, &buffer_size,
+ n.message, sizeof (n.message));
+
+ if (status != 0)
+ {
+ /* do nothing */
+ }
+ else if ((n.severity != NOTIF_FAILURE)
+ && (n.severity != NOTIF_WARNING)
+ && (n.severity != NOTIF_OKAY))
+ {
+ INFO ("network plugin: "
+ "Ignoring notification with "
+ "unknown severity %i.",
+ n.severity);
+ }
+ else if (n.time <= 0)
+ {
+ INFO ("network plugin: "
+ "Ignoring notification with "
+ "time == 0.");
+ }
+ else if (strlen (n.message) <= 0)
+ {
+ INFO ("network plugin: "
+ "Ignoring notification with "
+ "an empty message.");
+ }