# HG changeset patch # User Matthias Förste # Date 1403101051 -7200 # Node ID 70b0d05afad21fecc7be8a7a87f3249ccd5469fe # Parent 8baf084f58c56a97dc79e726f8b7bee98de978df [import] current ius
diff -r 8baf084f58c5 -r 70b0d05afad2 .gitignore
--- a/.gitignore Wed Jun 18 16:16:36 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,4 +0,0 @@
-*~
-*.old
-*.orig
-*.rej
diff -r 8baf084f58c5 -r 70b0d05afad2 .pc/.quilt_patches
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/.quilt_patches Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,1 @@
+debian/patches
diff -r 8baf084f58c5 -r 70b0d05afad2 .pc/.quilt_series
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/.quilt_series Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,1 @@
+series
diff -r 8baf084f58c5 -r 70b0d05afad2 .pc/.version
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/.version Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,1 @@
+2
diff -r 8baf084f58c5 -r 70b0d05afad2 .pc/03_havp.config.patch/etc/havp/havp.config.in
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/03_havp.config.patch/etc/havp/havp.config.in Wed Jun 18 16:17:31 2014 +0200
@@ -0,0 +1,664 @@ +# +# This is the configuration file for HAVP +# +# All lines starting with a hash (#) or empty lines are ignored. +# Uncomment parameters you want to change! +# +# All parameters configurable in this file are explained and their default +# values are shown. If no default value is defined "NONE" is specified. +# +# General syntax: Parameter Value +# Value can be: true/false, number, or path +# +# Extra spaces and tabs are ignored. +# + +# You must remove this line for HAVP to start. +# This makes sure you have (hopefully) reviewed the configuration. :) +# Hint: You must enable some scanner! Find them in the end.. +REMOVETHISLINE deleteme + +# +# For reasons of security it is recommended to run a proxy program +# without root rights. It is recommended to create user that is not +# used by any other program. +# +# Default: +# USER havp +# GROUP havp + +# If this is true HAVP is running as daemon in background. +# For testing you may run HAVP at your text console. +# +# Default: +# DAEMON true + +# +# Process id (PID) of the main HAVP process is written to this file. +# Be sure that it is writeable by the user under which HAVP is running. +# /etc/init.d/havp script requires this to work. +# +# Default: +# PIDFILE @localstatedir@/run/havp/havp.pid + +# +# For performance reasons several instances of HAVP have to run. +# Specify how many servers (child processes) are simultaneously +# listening on port PORT for a connection. Minimum value should be +# the peak requests-per-second expected + 5 for headroom. For best +# performance, you should have atleast 1 CPU core per 16 processes. +# +# For single user home use, 8 should be minimum. +# For 500+ users corporate use, start at 40. +# +# Value can and should be higher than recommended. Memory and +# CPU usage is only affected by the number of concurrent requests. +# +# More childs are automatically created when needed, up to MAXSERVERS. 
+# +# Default: +# SERVERNUMBER 8 +# MAXSERVERS 100 + +# +# Files where to log requests and info/errors. +# Needs to have write permission for HAVP user. +# +# Default: +# ACCESSLOG @localstatedir@/log/havp/access.log +# ERRORLOG @localstatedir@/log/havp/havp.log +# VIRUSLOG (same as ACCESSLOG) + +# +# Format for timestamps in logfile messages. +# See: man strftime +# +# Default: +# TIMEFORMAT %d/%m/%Y %H:%M:%S + +# +# Syslog can be used instead of logging to file. +# For facilities and levels, see "man syslog". +# +# Default: +# USESYSLOG false +# SYSLOGNAME havp +# SYSLOGFACILITY daemon +# SYSLOGLEVEL info +# SYSLOGVIRUSLEVEL warning + +# +# true: Log every request to access log +# false: Log only viruses to access log +# +# Default: +# LOG_OKS true + +# +# Level of HAVP logging +# 0 = Only serious errors and information +# 1 = Less interesting information is included +# +# Default: +# LOGLEVEL 0 + +# +# Temporary scan file. +# This file must reside on a partition for which mandatory +# locking is enabled. For Linux, use "-o mand" in mount command. +# See "man mount" for details. Solaris does not need any special +# steps, it works directly. +# +# Specify absolute path to a file which name must contain "XXXXXX". +# These characters are used by system to create unique named files. +# +# Default: +# SCANTEMPFILE /var/tmp/havp/havp-XXXXXX + +# +# Directory for ClamAV and other scanner created tempfiles. +# Needs to be writable by HAVP user. Use ramdisk for best performance. +# +# Default: +# TEMPDIR /var/tmp + +# +# HAVP reloads scanners virus database by receiving a signal +# (send SIGHUP to PID from PIDFILE, see "man kill") or after +# a specified period of time. Specify here the number of +# minutes to wait for reloading. +# +# This only affects library scanners (clamlib, trophie). +# Other scanners must be updated manually. +# +# Default: +# DBRELOAD 60 + +# +# Run HAVP as transparent Proxy? 
+# +# If you don't know what this means read the mini-howto +# TransparentProxy written by Daniel Kiracofe. +# (e.g.: http://www.tldp.org/HOWTO/mini/TransparentProxy.html) +# Definitely you have more to do than setting this to true. +# You are warned! +# +# Default: +# TRANSPARENT false + +# +# Specify a parent proxy (e.g. Squid) HAVP should use. +# If needed, user and password authentication can be used, +# but only Basic-authentication scheme is supported. +# +# Default: NONE +# PARENTPROXY localhost +# PARENTPORT 3128 +# PARENTUSER username +# PARENTPASSWORD password + +# +# Write X-Forwarded-For: to log instead of connecters IP? +# +# If HAVP is used as parent proxy by some other proxy, this allows +# to write the real users IP to log, instead of proxy IP. +# +# Default: +# FORWARDED_IP false + +# +# Send X-Forwarded-For: header to servers? +# +# If client sent this header, FORWARDED_IP setting defines the value, +# then it is passed on. You might want to keep this disabled for security +# reasons. Enable this if you use your own parent proxy after HAVP, so it +# will see the original client IP. +# +# Disabling this also disables Via: header generation. +# +# Default: +# X_FORWARDED_FOR false + +# +# Port HAVP is listening on. +# +# Default: +# PORT 8080 + +# +# IP address that HAVP listens on. +# Let it be undefined to bind all addresses. +# +# Default: NONE +# BIND_ADDRESS 127.0.0.1 + +# +# IP address used for sending outbound packets. +# Let it be undefined if you want OS to handle right address. +# +# Default: NONE +# SOURCE_ADDRESS 1.2.3.4 + +# +# Path to template files. +# +# Default: +# TEMPLATEPATH @sysconfdir@/havp/templates/en + +# +# Set to true if you want to prefer Whitelist. +# If URL is Whitelisted, then Blacklist is ignored. +# Otherwise Blacklist is preferred. +# +# Default: +# WHITELISTFIRST true + +# +# List of URLs not to scan. +# +# Default: +# WHITELIST @sysconfdir@/havp/whitelist + +# +# List of URLs that are denied access. 
+# +# Default: +# BLACKLIST @sysconfdir@/havp/blacklist + +# +# Is scanner error fatal? +# +# For example, archive types that are not supported by scanner +# may return error. Also if scanner has invalid pattern files etc. +# +# true: User gets error page +# false: No error is reported (viruses might not be detected) +# +# Default: +# FAILSCANERROR true + +# +# When scanning takes longer than this, it will be aborted. +# Timer is started after HAVP has fully received all data. +# If set too low, complex files/archives might produce timeout. +# Timeout is always a fatal error regardless of FAILSCANERROR. +# +# Time in minutes! +# +# Default: +# SCANNERTIMEOUT 10 + +# +# Allow HTTP Range requests? +# +# false: Broken downloads can NOT be resumed +# true: Broken downloads can be resumed +# +# Allowing Range is a security risk, because partial +# HTTP requests may not be properly scanned. +# +# Whitelisted sites are allowed to use Range in any case. +# +# Default: +# RANGE false + +# +# Allow HTTP Range request to get the ZIP header first? +# +# This allows (partial) scanning of ZIP files that are bigger than +# MAXSCANSIZE. Scanning is done up to that many bytes into the file. +# +# Default: +# PRELOADZIPHEADER true + +# +# If you really need more performance, you can disable scanning of +# JPG, GIF and PNG files. These are probably the most common files +# around, so it will save lots of CPU. But be warned, image exploits +# exist and more could be found. Think twice if you want to disable! +# +# In addition of checking Content-Type: image/*, this setting uses +# file magic to make sure the file is really image. +# +# Also see SCANMIME/SKIPMIME settings to control scanning based +# on just the Content-Type header. +# +# Default: +# SCANIMAGES true + +# +# What MIME types NOT to scan. For performance reasons, you could +# exclude all media types. +# +# Based on Content-Type: header as given by the HTTP server. 
+# Note that it is easy to forge and should not be trusted. +# +# Basic wildcard match supported. +# +# Default: NONE +# SKIPMIME image/* video/* audio/* + +# +# If set, then ONLY these MIME types will be scanned. +# +# Based on Content-Type: header as given by the HTTP server. +# Note that it is easy to forge and should not be trusted. +# +# Basic wildcard match supported. +# +# Default: NONE +# SCANMIME application/* + +# +# Temporary file will grow only up to this size. This means scanner +# will scan data until this limit is reached. +# +# There are two sides to this setting. By limiting the size, you gain +# performance, less waiting for big files and less needed temporary space. +# But there is slightly higher chance of virus slipping through (though +# scanning large archives should not be gateways function, HAVP is more +# geared towards small exploit detection etc). +# +# VALUE IN BYTES NOT KB OR MB!!!! +# 0 = No size limit +# +# Default: +# MAXSCANSIZE 5000000 + +# +# Amount of data going to browser that is held back, until it +# is scanned. When we know file is clean, this held back data +# can be sent to browser. You can safely set bigger value, only +# thing you will notice is some "delay" in beginning of download. +# Virus found in files bigger than this might not produce HAVP +# error page, but result in a "broken" download. +# +# VALUE IN BYTES NOT KB OR MB!!!! +# +# Default: +# KEEPBACKBUFFER 200000 + +# +# This setting complements KEEPBACKBUFFER. It tells how many Seconds to +# initially receive data from server, before sending anything to client. +# Even trickling is not done before this time elapses. This way files that +# are received fast are more secure and user can get virus report page for +# files bigger than KEEPBACKBUFFER. +# +# Setting to 0 will disable this, and only KEEPBACKBUFFER is used. +# +# Default: +# KEEPBACKTIME 5 + +# +# After Trickling Time (seconds), some bytes are sent to browser +# to keep the connection alive. 
Trickling is not needed if timeouts +# are not expected for files smaller than KEEPBACKBUFFER, but it is +# recommended to set anyway. +# +# 0 = No Trickling +# +# Default: +# TRICKLING 30 + +# +# Send this many bytes to browser every TRICKLING seconds, see above +# +# Default: +# TRICKLINGBYTES 1 + +# +# Downloads larger than MAXDOWNLOADSIZE will be blocked. +# Only if not Whitelisted! +# +# VALUE IN BYTES NOT KB OR MB!!!! +# 0 = Unlimited Downloads +# +# Default: +# MAXDOWNLOADSIZE 0 + +# +# Space separated list of strings to partially match User-Agent: header. +# These are used for streaming content, so scanning is generally not needed +# and tempfiles grow unnecessary. Remember when enabled, that user could +# fake header and pass some scanning. HTTP Range requests are allowed for +# these, so players can seek content. +# +# You can uncomment here a list of most popular players. +# +# Default: NONE +# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS + +# +# Bytes to scan from beginning of streams. +# When set to 0, STREAMUSERAGENT scanning will be completely disabled. +# It is not recommended as there are some exploits for players. +# +# Default: +# STREAMSCANSIZE 20000 + +# +# Disable mandatory locking (dynamic scanning) for certain file types. +# This is intended for fixing cases where a scanner forces use of mmap() +# call. Mandatory locking might not allow this, so you could get errors +# regarding memory allocation or I/O. You can test the "None" option +# anyway, as it might even work depending on your OS (some Linux seems +# to allow mand+mmap). +# +# Allowed values: +# None +# ClamAV:BinHex (mmap forced in versions older than 0.96) +# ClamAV:PDF (mmap forced in versions older than 0.96) +# ClamAV:ZIP (mmap forced in 0.93.x, should work in 0.94) +# AVG:ALL (AVG 8.5 does not work, uses mmap MAP_SHARED) +# +# Default: +# DISABLELOCKINGFOR AVG:ALL + +# +# Whitelist specific viruses by case-insensitive substring match. 
+# For example, "Oversized." and "Encrypted." are good candidates, +# if you can't disable those checks any other way. +# +# Default: NONE +# IGNOREVIRUS Oversized. Encrypted. Phishing. + + +##### +##### ClamAV Library Scanner (libclamav) +##### + +ENABLECLAMLIB false + +# HAVP uses libclamav hardcoded pattern directory, which usually is +# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are +# using non-default DatabaseDirectory setting in clamd.conf. +# +# Default: NONE +# CLAMDBDIR /path/to/directory + +# Should we block broken executables? +# +# Default: +# CLAMBLOCKBROKEN false + +# Should we block encrypted archives? +# +# Default: +# CLAMBLOCKENCRYPTED false + +# Should we block files that go over maximum archive limits? +# +# Default: +# CLAMBLOCKMAX false + +# Scanning limits? +# You can find some additional info from documentation or clamd.conf +# +# Stop when this many total bytes scanned (MB) +# CLAMMAXSCANSIZE 20 +# +# Stop when this many files have been scanned +# CLAMMAXFILES 50 +# +# Don't scan files over this size (MB) +# CLAMMAXFILESIZE 100 +# +# Maximum archive recursion +# CLAMMAXRECURSION 8 + + +##### +##### ClamAV Socket Scanner (clamd) +##### +##### NOTE: ClamAV Library Scanner should be preferred (less overhead) +##### + +ENABLECLAMD false + +# Path to clamd socket +# +# Default: +# CLAMDSOCKET /tmp/clamd + +# ..OR if you use clamd TCP socket, uncomment to enable use +# +# Clamd daemon needs to run on the same server as HAVP +# +# Default: NONE +# CLAMDSERVER 127.0.0.1 +# CLAMDPORT 3310 + + +##### +##### F-Prot Socket Scanner +##### + +ENABLEFPROT false + +# F-Prot daemon needs to run on same server as HAVP +# +# Default: +# FPROTSERVER 127.0.0.1 +# FPROTPORT 10200 + +# F-Prot options (only for version 6+ !) +# +# See "fpscand-client.sh --help" for possible options. +# +# At the moment: +# --scanlevel= Which scanlevel to use, 0-4 (2). +# --heurlevel= How aggressive heuristics should be used, 0-4 (2). 
+# --archive= Scan inside supported archives n levels deep 1-99 (5). +# --adware Instructs the daemon to flag adware. +# --applications Instructs the daemon to flag potentially unwanted applications. +# +# Default: NONE +# FPROTOPTIONS --scanlevel=2 --heurlevel=2 + + +##### +##### AVG Socket Scanner +##### + +ENABLEAVG false + +# AVG daemon needs to run on the same server as HAVP +# +# Default: +# AVGSERVER 127.0.0.1 +# AVGPORT 55555 + + +##### +##### Kaspersky Socket Scanner +##### + +ENABLEAVESERVER false + +# Path to aveserver socket +# +# Default: +# AVESOCKET /var/run/aveserver + + +##### +##### Sophos Scanner (Sophie) +##### + +ENABLESOPHIE false + +# Path to sophie socket +# +# Default: +# SOPHIESOCKET /var/run/sophie + + +##### +##### Trend Micro Library Scanner (Trophie) +##### + +ENABLETROPHIE false + +# Scanning limits inside archives (filesize = MB): +# +# Default: +# TROPHIEMAXFILES 50 +# TROPHIEMAXFILESIZE 10 +# TROPHIEMAXRATIO 250 + + +##### +##### NOD32 Socket Scanner +##### + +ENABLENOD32 false + +# Path to nod32d socket +# +# For 3.0+ version, try /tmp/esets.sock +# +# Default: +# NOD32SOCKET /tmp/nod32d.sock + +# Used NOD32 Version +# +# 30 = 3.0+ +# 25 = 2.5+ +# 21 = 2.x (very old) +# +# Default: +# NOD32VERSION 25 + + +##### +##### Avast! 
Socket Scanner +##### + +ENABLEAVAST false + +# Path to avastd socket +# +# Default: +# AVASTSOCKET /var/run/avast4/local.sock + +# ..OR if you use avastd TCP socket, uncomment to enable use +# +# Avast daemon needs to run on the same server as HAVP +# +# Default: NONE +# AVASTSERVER 127.0.0.1 +# AVASTPORT 5036 + + +##### +##### Arcavir Socket Scanner +##### + +ENABLEARCAVIR false + +# Path to arcavird socket +# +# For version 2008, default socket is /var/run/arcad.ctl +# +# Default: +# ARCAVIRSOCKET /var/run/arcavird.socket + +# Used Arcavir version +# 2007 = Version 2007 and earlier +# 2008 = Version 2008 and later +# +# Default: +# ARCAVIRVERSION 2007 + + +##### +##### DrWeb Socket Scanner +##### + +ENABLEDRWEB false + +# Enable heuristic scanning? +# +# Default: +# DRWEBHEURISTIC true + +# Enable malware detection? +# (Adware, Dialer, Joke, Riskware, Hacktool) +# +# Default: +# DRWEBMALWARE true + +# Path to drwebd socket +# +# Default: +# DRWEBSOCKET /var/drweb/run/.daemon + +# ..OR if you use drwebd TCP socket, uncomment to enable use +# +# DrWeb daemon needs to run on the same server as HAVP +# +# Default: NONE +# DRWEBSERVER 127.0.0.1 +# DRWEBPORT 3000 + diff -r 8baf084f58c5 -r 70b0d05afad2 .pc/04_params.cpp.patch/havp/params.cpp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/.pc/04_params.cpp.patch/havp/params.cpp Wed Jun 18 16:17:31 2014 +0200 
@@ -0,0 +1,443 @@ +/*************************************************************************** + params.cpp - description + ------------------- + begin : So Feb 20 2005 + copyright : (C) 2005 by Peter Sebald / Christian Hilgers + email : christian@hilgers.ag + ***************************************************************************/ + +/*************************************************************************** + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + ***************************************************************************/ + +#include "default.h" +#include "params.h" +#include "utils.h" + +#include +#include +#include +#include +#include +#include + +#ifndef INADDR_NONE +#define INADDR_NONE ((unsigned long) -1) +#endif + +map Params::params; + +void Params::SetDefaults() +{ + SetConfig("DISPLAYINITIALMESSAGES", "true"); + SetConfig("USER", "havp"); + SetConfig("GROUP", "havp"); + SetConfig("DAEMON", "true"); + SetConfig("SERVERNUMBER", "8"); + SetConfig("MAXSERVERS", "150"); + SetConfig("PORT", "8080"); + SetConfig("BIND_ADDRESS", ""); + SetConfig("SOURCE_ADDRESS", ""); + SetConfig("PARENTPROXY", ""); + SetConfig("PARENTPORT", "0"); + SetConfig("PARENTUSER", ""); + SetConfig("PARENTPASSWORD", ""); + SetConfig("ACCESSLOG", ACCESSLOG); + SetConfig("VIRUSLOG", ""); + SetConfig("ERRORLOG", ERRORLOG); + SetConfig("TIMEFORMAT", "%d/%m/%Y %H:%M:%S"); + SetConfig("LOG_OKS", "true"); + SetConfig("LOGLEVEL", "0"); + SetConfig("USESYSLOG", "false"); + SetConfig("SYSLOGNAME", "havp"); + SetConfig("SYSLOGFACILITY", "daemon"); + SetConfig("SYSLOGLEVEL", "info"); + SetConfig("SYSLOGVIRUSLEVEL","warning"); + SetConfig("SCANIMAGES", "true"); + SetConfig("SKIPMIME", ""); + SetConfig("SCANMIME", ""); + SetConfig("MAXSCANSIZE", "5000000"); + 
SetConfig("KEEPBACKBUFFER", "200000");
+ SetConfig("KEEPBACKTIME", "5");
+ SetConfig("TRICKLING", "30");
+ SetConfig("TRICKLINGBYTES", "1");
+ SetConfig("WHITELISTFIRST", "true");
+ SetConfig("WHITELIST", WHITELISTFILE);
+ SetConfig("BLACKLIST", BLACKLISTFILE);
+ SetConfig("TEMPLATEPATH", TEMPLATEPATH);
+ SetConfig("TEMPDIR", "/var/tmp");
+ SetConfig("SCANTEMPFILE", "/var/tmp/havp/havp-XXXXXX");
+ SetConfig("PIDFILE", PIDFILE);
+ SetConfig("TRANSPARENT", "false");
+ SetConfig("RANGE", "false");
+ SetConfig("PRELOADZIPHEADER","true");
+ SetConfig("FORWARDED_IP", "false");
+ SetConfig("X_FORWARDED_FOR","false");
+ SetConfig("STREAMUSERAGENT","");
+ SetConfig("STREAMSCANSIZE", "20000");
+ SetConfig("DBRELOAD", "60");
+ SetConfig("FAILSCANERROR", "true");
+ SetConfig("MAXDOWNLOADSIZE","0");
+ SetConfig("SCANNERTIMEOUT", "10");
+ SetConfig("IGNOREVIRUS", "");
+ SetConfig("DISABLELOCKINGFOR","AVG:ALL");
+//SCANNERS
+ SetConfig("ENABLECLAMLIB","false");
+ SetConfig("CLAMDBDIR","");
+ SetConfig("CLAMBLOCKBROKEN","false");
+ SetConfig("CLAMBLOCKMAX","false");
+ SetConfig("CLAMBLOCKENCRYPTED","false");
+ SetConfig("CLAMMAXSCANSIZE","20");
+ SetConfig("CLAMMAXFILES","50");
+ SetConfig("CLAMMAXFILESIZE","100");
+ SetConfig("CLAMMAXRECURSION","8");
+ SetConfig("ENABLECLAMD","false");
+ SetConfig("CLAMDSOCKET","/tmp/clamd");
+ SetConfig("CLAMDSERVER","");
+ SetConfig("CLAMDPORT","3310");
+ SetConfig("ENABLEAVG","false");
+ SetConfig("AVGSERVER","127.0.0.1");
+ SetConfig("AVGPORT","55555");
+ SetConfig("ENABLEAVESERVER","false");
+ SetConfig("AVESOCKET","/var/run/aveserver");
+ SetConfig("ENABLEFPROT","false");
+ SetConfig("FPROTPORT","10200");
+ SetConfig("FPROTSERVER","127.0.0.1");
+ SetConfig("FPROTOPTIONS","");
+ SetConfig("ENABLENOD32","false");
+ SetConfig("NOD32SOCKET","/tmp/nod32d.sock");
+ SetConfig("NOD32VERSION","25");
+ SetConfig("ENABLETROPHIE","false");
+ SetConfig("TROPHIEMAXFILES","50");
+ SetConfig("TROPHIEMAXFILESIZE","10");
+ SetConfig("TROPHIEMAXRATIO","250");
+ SetConfig("ENABLESOPHIE","false"); + SetConfig("SOPHIESOCKET","/var/run/sophie"); + SetConfig("ENABLEAVAST","false"); + SetConfig("AVASTSOCKET","/var/run/avast4/local.sock"); + SetConfig("AVASTSERVER",""); + SetConfig("AVASTPORT","5036"); + SetConfig("ENABLEARCAVIR","false"); + SetConfig("ARCAVIRSOCKET","/var/run/arcavird.socket"); + SetConfig("ARCAVIRVERSION","2007"); + SetConfig("ENABLEDRWEB","false"); + SetConfig("DRWEBSOCKET","/var/drweb/run/.daemon"); + SetConfig("DRWEBSERVER",""); + SetConfig("DRWEBPORT","3000"); + SetConfig("DRWEBHEURISTIC","true"); + SetConfig("DRWEBMALWARE","true"); +} + +bool Params::ReadConfig( string file ) +{ + ifstream input( file.c_str() ); + + if ( !input ) + { + cerr << "Could not open config file: " << file << endl; + return false; + } + + string::size_type Position; + string line, key, val; + + while ( input ) + { + getline( input, line ); + + //Strip whitespace from beginning and end + if ( (Position = line.find_first_not_of(" \t")) != string::npos ) + { + line = line.substr(Position, (line.find_last_not_of(" \t", string::npos) - Position) + 1); + } + + //Read next if nothing found + if ( (Position == string::npos) || (line.size() == 0) ) continue; + + //Read next if commented + if ( line.substr(0, 1) == "#" ) continue; + + //Find key and value + if ( (Position = line.find_first_of(" \t")) != string::npos ) + { + key = line.substr(0, Position); + + if ( key == "REMOVETHISLINE" ) + { + cout << "Configuration is not edited!" << endl; + cout << "You must delete REMOVETHISLINE option." << endl; + cout << "Review the configuration carefully. 
:)" << endl; + return false; + } + + if ( (Position = line.find_first_not_of(" \t", Position + 1)) == string::npos ) + { + cout << "Invalid Config Line: " << line << endl; + return false; + } + + val = line.substr( Position ); + + Params::SetConfig( key, val ); + } + else + { + cout << "Invalid Config Line: " << line << endl; + return false; + } + } + + input.close(); + + return true; +} + +void Params::SetConfig( string param, string value ) +{ + string TempParams[] = {CONFIGPARAMS}; + bool ParamFound = false; + + param = UpperCase(param); + + for ( unsigned int i = 0; i < sizeof(TempParams)/sizeof(string); i++ ) + { + if ( param == TempParams[i] ) + { + ParamFound = true; + } + } + + if ( ParamFound ) + { + if ( UpperCase(value) == "TRUE" || UpperCase(value) == "FALSE" ) + { + value = UpperCase(value); + } + + params[param] = value; + } + else + { + cout << "Unknown Config Parameter: " << param << endl; + cout << "Exiting.." << endl; + exit(1); + } +} + +int Params::GetConfigInt( string param ) +{ + return atoi( params[param].c_str() ); +} + +bool Params::GetConfigBool( string param ) +{ + if ( params[param] == "TRUE" ) + { + return true; + } + else + { + return false; + } +} + +string Params::GetConfigString( string param ) +{ + return params[param]; +} + +void Params::ShowConfig( string cfgfile ) +{ + cout << endl << "# Using HAVP config: " << cfgfile << endl << endl; + typedef map::const_iterator CI; + for(CI p = params.begin(); p != params.end(); ++p) + { + cout << p->first << "=" << p->second << '\n'; + } + cout << endl; +} + +void Params::Usage() +{ + cout << endl << "Usage: havp [Options]" << endl << endl; + cout << "HAVP Version " << VERSION << endl << endl; + cout << "Possible options are:" << endl; + cout << "--help | -h This pamphlet" << endl; + cout << "--conf-file=FileName | -c Filename Use this Config-File" << endl; + cout << "--show-config | -s Show configuration HAVP is using" << endl << endl; +} + +bool Params::SetParams( int argvT, char* argcT[] 
) +{ + string option, value; + string::size_type i1, i2; + + string cfgfile = CONFIGFILE; + bool showconf = false; + + SetDefaults(); + + while ( --argvT ) + { + value = *++argcT; + i1 = value.find_first_not_of("-"); + + //No GNU options + if ( i1 == 1 ) + { + option = value.substr(i1, 1); + + if ( option == "c" ) + { + --argvT; + + if ( argvT == 0 ) + { + Usage(); + return false; + } + value = *++argcT; + } + else if ( option == "s" ) + { + showconf = true; + } + else + { + Usage(); + return false; + } + } + //GNU options + else if ( i1 == 2 ) + { + if ( (i2 = value.find("=")) != string::npos ) + { + option = value.substr(i1, i2 - i1); + + if ( value.size() > i2 + 1 ) + { + value = value.substr(i2 + 1); + } + else + { + Usage(); + return false; + } + } + else + { + option = value.substr(i1); + value = ""; + } + } + else + { + Usage(); + return false; + } + + if ( option == "help" ) + { + Usage(); + return false; + } + else if ( option == "show-config" ) + { + showconf = true; + } + else if ( option == "conf-file" || option == "c" ) + { + if (value == "") + { + Usage(); + return false; + } + + cfgfile = value; + } + else if ( showconf == true ) + { + //Nothing: prevent Usage + } + else + { + Usage(); + return false; + } + } + + if ( ReadConfig( cfgfile ) == false ) + { + return false; + } + + if ( showconf == true ) + { + ShowConfig( cfgfile ); + return false; + } + + return TestConfig(); +} + +//Test that some options are sane +bool Params::TestConfig() +{ + if ( Params::GetConfigInt("SERVERNUMBER") < 1 ) + { + cout << "Invalid Config: SERVERNUMBER needs to be greater than 0" << endl; + return false; + } + if ( Params::GetConfigString("ACCESSLOG").substr(0,1) != "/" + || (Params::GetConfigString("VIRUSLOG") != "" && Params::GetConfigString("VIRUSLOG").substr(0,1) != "/") + || Params::GetConfigString("ERRORLOG").substr(0,1) != "/" ) + { + cout << "Invalid Config: Log paths need to be abolute" << endl; + return false; + } + if ( 
Params::GetConfigString("SCANTEMPFILE").find("XXXXXX") == string::npos )
+ {
+ cout << "Invalid Config: SCANTEMPFILE must contain string \"XXXXXX\"" << endl;
+ return false;
+ }
+ if ( Params::GetConfigInt("MAXSERVERS") > 500 )
+ {
+ cout << "Note: MAXSERVERS is unusually high! You are sure you want this?" << endl;
+ }
+ if ( Params::GetConfigString("BIND_ADDRESS") == "NULL" ) Params::SetConfig("BIND_ADDRESS","");
+ if ( Params::GetConfigString("BIND_ADDRESS") != "" )
+ {
+ if ( inet_addr( Params::GetConfigString("BIND_ADDRESS").c_str() ) == INADDR_NONE )
+ {
+ cout << "Invalid Config: Invalid BIND_ADDRESS" << endl;
+ return false;
+ }
+ }
+ if ( Params::GetConfigString("SOURCE_ADDRESS") == "NULL" ) Params::SetConfig("SOURCE_ADDRESS","");
+ if ( Params::GetConfigString("SOURCE_ADDRESS") != "" )
+ {
+ if ( inet_addr( Params::GetConfigString("SOURCE_ADDRESS").c_str() ) == INADDR_NONE )
+ {
+ cout << "Invalid Config: Invalid SOURCE_ADDRESS" << endl;
+ return false;
+ }
+ }
+ if ( Params::GetConfigString("PARENTPROXY") != "" && Params::GetConfigInt("PARENTPORT") < 1 )
+ {
+ cout << "Invalid Config: Invalid PARENTPROXY/PARENTPORT" << endl;
+ return false;
+ }
+ if ( Params::GetConfigInt("TRICKLING") > 0 && Params::GetConfigInt("TRICKLINGBYTES") < 1 )
+ {
+ cout << "Invalid Config: TRICKLINGBYTES needs to be greater than 0" << endl;
+ return false;
+ }
+
+ return true;
+}
diff -r 8baf084f58c5 -r 70b0d05afad2 .pc/05_add_ssltimeout_option.patch/etc/havp/havp.config.in
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/05_add_ssltimeout_option.patch/etc/havp/havp.config.in Wed Jun 18 16:17:31 2014 +0200
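Review bot: `Params::ShowConfig` prints every entry of `params` unfiltered, so `havp --show-config` writes the parent-proxy credential (`PARENTPASSWORD`, stored verbatim by `SetDefaults`/`ReadConfig`) to stdout, where it can end up in shell history, logs or a pasted bug report; the loop should mask it, e.g. `cout << p->first << "=" << (p->first == "PARENTPASSWORD" ? "********" : p->second) << '\n';`. Separately, `GetConfigInt` relies on `atoi`, so a non-numeric or overflowing value silently becomes 0 and `TestConfig` never bounds the port values (`PORT`, `PARENTPORT`, `CLAMDPORT`, `AVGPORT`, `FPROTPORT`, `DRWEBPORT`) to 1–65535 — parsing with `strtol` and an end-pointer check, and rejecting out-of-range ports in `TestConfig`, would make the file fail early instead of binding port 0. `GetConfigInt`/`GetConfigBool`/`GetConfigString` also read via `params[param]`, which default-inserts a misspelled key that then shows up in `ShowConfig`; `find` with a not-found fallback avoids that.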
@@ -0,0 +1,670 @@ +# +# This is the configuration file for HAVP +# +# All lines starting with a hash (#) or empty lines are ignored. +# Uncomment parameters you want to change! +# +# All parameters configurable in this file are explained and their default +# values are shown. If no default value is defined "NONE" is specified. +# +# General syntax: Parameter Value +# Value can be: true/false, number, or path +# +# Extra spaces and tabs are ignored. +# + +# You must remove this line for HAVP to start. +# This makes sure you have (hopefully) reviewed the configuration. :) +# Hint: You must enable some scanner! Find them in the end.. +# REMOVETHISLINE deleteme + +# +# For reasons of security it is recommended to run a proxy program +# without root rights. It is recommended to create user that is not +# used by any other program. +# +# Default: +# USER havp +# GROUP havp + +# If this is true HAVP is running as daemon in background. +# For testing you may run HAVP at your text console. +# +# Default: +# DAEMON true + +# +# Process id (PID) of the main HAVP process is written to this file. +# Be sure that it is writeable by the user under which HAVP is running. +# /etc/init.d/havp script requires this to work. +# +# Default: +# PIDFILE @localstatedir@/run/havp/havp.pid + +# +# For performance reasons several instances of HAVP have to run. +# Specify how many servers (child processes) are simultaneously +# listening on port PORT for a connection. Minimum value should be +# the peak requests-per-second expected + 5 for headroom. For best +# performance, you should have atleast 1 CPU core per 16 processes. +# +# For single user home use, 8 should be minimum. +# For 500+ users corporate use, start at 40. +# +# Value can and should be higher than recommended. Memory and +# CPU usage is only affected by the number of concurrent requests. +# +# More childs are automatically created when needed, up to MAXSERVERS. 
+# +# Default: +# SERVERNUMBER 8 +# MAXSERVERS 100 + +# +# Files where to log requests and info/errors. +# Needs to have write permission for HAVP user. +# +# Default: +# ACCESSLOG @localstatedir@/log/havp/access.log +# ERRORLOG @localstatedir@/log/havp/havp.log +# VIRUSLOG (same as ACCESSLOG) + +# +# Format for timestamps in logfile messages. +# See: man strftime +# +# Default: +# TIMEFORMAT %d/%m/%Y %H:%M:%S + +# +# Syslog can be used instead of logging to file. +# For facilities and levels, see "man syslog". +# +# Default: +# USESYSLOG false +# SYSLOGNAME havp +# SYSLOGFACILITY daemon +# SYSLOGLEVEL info +# SYSLOGVIRUSLEVEL warning + +# +# true: Log every request to access log +# false: Log only viruses to access log +# +# Default: +# LOG_OKS true + +# +# Level of HAVP logging +# 0 = Only serious errors and information +# 1 = Less interesting information is included +# +# Default: +# LOGLEVEL 0 + +# +# Temporary scan file. +# This file must reside on a partition for which mandatory +# locking is enabled. For Linux, use "-o mand" in mount command. +# See "man mount" for details. Solaris does not need any special +# steps, it works directly. +# +# Specify absolute path to a file which name must contain "XXXXXX". +# These characters are used by system to create unique named files. +# +# Default: +# SCANTEMPFILE /var/spool/havp/havp-XXXXXX + +# +# Directory for ClamAV and other scanner created tempfiles. +# Needs to be writable by HAVP user. Use ramdisk for best performance. +# +# Default: +# TEMPDIR /var/tmp + +# +# HAVP reloads scanners virus database by receiving a signal +# (send SIGHUP to PID from PIDFILE, see "man kill") or after +# a specified period of time. Specify here the number of +# minutes to wait for reloading. +# +# This only affects library scanners (clamlib, trophie). +# Other scanners must be updated manually. +# +# Default: +# DBRELOAD 60 + +# +# Run HAVP as transparent Proxy? 
+# +# If you don't know what this means read the mini-howto +# TransparentProxy written by Daniel Kiracofe. +# (e.g.: http://www.tldp.org/HOWTO/mini/TransparentProxy.html) +# Definitely you have more to do than setting this to true. +# You are warned! +# +# Default: +# TRANSPARENT false + +# +# Specify a parent proxy (e.g. Squid) HAVP should use. +# If needed, user and password authentication can be used, +# but only Basic-authentication scheme is supported. +# +# Default: NONE +# PARENTPROXY localhost +# PARENTPORT 3128 +# PARENTUSER username +# PARENTPASSWORD password + +# +# Write X-Forwarded-For: to log instead of connecters IP? +# +# If HAVP is used as parent proxy by some other proxy, this allows +# to write the real users IP to log, instead of proxy IP. +# +# Default: +# FORWARDED_IP false + +# +# Send X-Forwarded-For: header to servers? +# +# If client sent this header, FORWARDED_IP setting defines the value, +# then it is passed on. You might want to keep this disabled for security +# reasons. Enable this if you use your own parent proxy after HAVP, so it +# will see the original client IP. +# +# Disabling this also disables Via: header generation. +# +# Default: +# X_FORWARDED_FOR false + +# +# Port HAVP is listening on. +# +# Default: +# PORT 8080 + +# +# IP address that HAVP listens on. +# Let it be undefined to bind all addresses. +# +# Default: NONE +# BIND_ADDRESS 127.0.0.1 + +# +# IP address used for sending outbound packets. +# Let it be undefined if you want OS to handle right address. +# +# Default: NONE +# SOURCE_ADDRESS 1.2.3.4 + +# +# Path to template files. +# +# Default: +# TEMPLATEPATH @sysconfdir@/havp/templates/en + +# +# Set to true if you want to prefer Whitelist. +# If URL is Whitelisted, then Blacklist is ignored. +# Otherwise Blacklist is preferred. +# +# Default: +# WHITELISTFIRST true + +# +# List of URLs not to scan. +# +# Default: +# WHITELIST @sysconfdir@/havp/whitelist + +# +# List of URLs that are denied access. 
+# +# Default: +# BLACKLIST @sysconfdir@/havp/blacklist + +# +# Is scanner error fatal? +# +# For example, archive types that are not supported by scanner +# may return error. Also if scanner has invalid pattern files etc. +# +# true: User gets error page +# false: No error is reported (viruses might not be detected) +# +# Default: +# FAILSCANERROR true + +# SSL connections may be silent for a while (mostly when "abused" +# for other communication than HTTP). HAVP disconnects these connections +# after several seconds. +# +# Default: +# SSLTIMEOUT 20 + +# +# When scanning takes longer than this, it will be aborted. +# Timer is started after HAVP has fully received all data. +# If set too low, complex files/archives might produce timeout. +# Timeout is always a fatal error regardless of FAILSCANERROR. +# +# Time in minutes! +# +# Default: +# SCANNERTIMEOUT 10 + +# +# Allow HTTP Range requests? +# +# false: Broken downloads can NOT be resumed +# true: Broken downloads can be resumed +# +# Allowing Range is a security risk, because partial +# HTTP requests may not be properly scanned. +# +# Whitelisted sites are allowed to use Range in any case. +# +# Default: +# RANGE false + +# +# Allow HTTP Range request to get the ZIP header first? +# +# This allows (partial) scanning of ZIP files that are bigger than +# MAXSCANSIZE. Scanning is done up to that many bytes into the file. +# +# Default: +# PRELOADZIPHEADER true + +# +# If you really need more performance, you can disable scanning of +# JPG, GIF and PNG files. These are probably the most common files +# around, so it will save lots of CPU. But be warned, image exploits +# exist and more could be found. Think twice if you want to disable! +# +# In addition of checking Content-Type: image/*, this setting uses +# file magic to make sure the file is really image. +# +# Also see SCANMIME/SKIPMIME settings to control scanning based +# on just the Content-Type header. 
+# +# Default: +# SCANIMAGES true + +# +# What MIME types NOT to scan. For performance reasons, you could +# exclude all media types. +# +# Based on Content-Type: header as given by the HTTP server. +# Note that it is easy to forge and should not be trusted. +# +# Basic wildcard match supported. +# +# Default: NONE +# SKIPMIME image/* video/* audio/* + +# +# If set, then ONLY these MIME types will be scanned. +# +# Based on Content-Type: header as given by the HTTP server. +# Note that it is easy to forge and should not be trusted. +# +# Basic wildcard match supported. +# +# Default: NONE +# SCANMIME application/* + +# +# Temporary file will grow only up to this size. This means scanner +# will scan data until this limit is reached. +# +# There are two sides to this setting. By limiting the size, you gain +# performance, less waiting for big files and less needed temporary space. +# But there is slightly higher chance of virus slipping through (though +# scanning large archives should not be gateways function, HAVP is more +# geared towards small exploit detection etc). +# +# VALUE IN BYTES NOT KB OR MB!!!! +# 0 = No size limit +# +# Default: +# MAXSCANSIZE 5000000 + +# +# Amount of data going to browser that is held back, until it +# is scanned. When we know file is clean, this held back data +# can be sent to browser. You can safely set bigger value, only +# thing you will notice is some "delay" in beginning of download. +# Virus found in files bigger than this might not produce HAVP +# error page, but result in a "broken" download. +# +# VALUE IN BYTES NOT KB OR MB!!!! +# +# Default: +# KEEPBACKBUFFER 200000 + +# +# This setting complements KEEPBACKBUFFER. It tells how many Seconds to +# initially receive data from server, before sending anything to client. +# Even trickling is not done before this time elapses. This way files that +# are received fast are more secure and user can get virus report page for +# files bigger than KEEPBACKBUFFER. 
+# +# Setting to 0 will disable this, and only KEEPBACKBUFFER is used. +# +# Default: +# KEEPBACKTIME 5 + +# +# After Trickling Time (seconds), some bytes are sent to browser +# to keep the connection alive. Trickling is not needed if timeouts +# are not expected for files smaller than KEEPBACKBUFFER, but it is +# recommended to set anyway. +# +# 0 = No Trickling +# +# Default: +# TRICKLING 30 + +# +# Send this many bytes to browser every TRICKLING seconds, see above +# +# Default: +# TRICKLINGBYTES 1 + +# +# Downloads larger than MAXDOWNLOADSIZE will be blocked. +# Only if not Whitelisted! +# +# VALUE IN BYTES NOT KB OR MB!!!! +# 0 = Unlimited Downloads +# +# Default: +# MAXDOWNLOADSIZE 0 + +# +# Space separated list of strings to partially match User-Agent: header. +# These are used for streaming content, so scanning is generally not needed +# and tempfiles grow unnecessary. Remember when enabled, that user could +# fake header and pass some scanning. HTTP Range requests are allowed for +# these, so players can seek content. +# +# You can uncomment here a list of most popular players. +# +# Default: NONE +# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS + +# +# Bytes to scan from beginning of streams. +# When set to 0, STREAMUSERAGENT scanning will be completely disabled. +# It is not recommended as there are some exploits for players. +# +# Default: +# STREAMSCANSIZE 20000 + +# +# Disable mandatory locking (dynamic scanning) for certain file types. +# This is intended for fixing cases where a scanner forces use of mmap() +# call. Mandatory locking might not allow this, so you could get errors +# regarding memory allocation or I/O. You can test the "None" option +# anyway, as it might even work depending on your OS (some Linux seems +# to allow mand+mmap). 
+# +# Allowed values: +# None +# ClamAV:BinHex (mmap forced in versions older than 0.96) +# ClamAV:PDF (mmap forced in versions older than 0.96) +# ClamAV:ZIP (mmap forced in 0.93.x, should work in 0.94) +# AVG:ALL (AVG 8.5 does not work, uses mmap MAP_SHARED) +# +# Default: +# DISABLELOCKINGFOR AVG:ALL + +# +# Whitelist specific viruses by case-insensitive substring match. +# For example, "Oversized." and "Encrypted." are good candidates, +# if you can't disable those checks any other way. +# +# Default: NONE +# IGNOREVIRUS Oversized. Encrypted. Phishing. + + +##### +##### ClamAV Library Scanner (libclamav) +##### + +ENABLECLAMLIB true + +# HAVP uses libclamav hardcoded pattern directory, which usually is +# /usr/share/clamav. You only need to set CLAMDBDIR, if you are +# using non-default DatabaseDirectory setting in clamd.conf. +# +# Default: NONE +# CLAMDBDIR /var/lib/clamav + +# Should we block broken executables? +# +# Default: +# CLAMBLOCKBROKEN false + +# Should we block encrypted archives? +# +# Default: +# CLAMBLOCKENCRYPTED false + +# Should we block files that go over maximum archive limits? +# +# Default: +# CLAMBLOCKMAX false + +# Scanning limits? 
+# You can find some additional info from documentation or clamd.conf +# +# Stop when this many total bytes scanned (MB) +# CLAMMAXSCANSIZE 20 +# +# Stop when this many files have been scanned +# CLAMMAXFILES 50 +# +# Don't scan files over this size (MB) +# CLAMMAXFILESIZE 100 +# +# Maximum archive recursion +# CLAMMAXRECURSION 8 + + +##### +##### ClamAV Socket Scanner (clamd) +##### +##### NOTE: ClamAV Library Scanner should be preferred (less overhead) +##### + +ENABLECLAMD false + +# Path to clamd socket +# +# Default: +# CLAMDSOCKET /tmp/clamd + +# ..OR if you use clamd TCP socket, uncomment to enable use +# +# Clamd daemon needs to run on the same server as HAVP +# +# Default: NONE +# CLAMDSERVER 127.0.0.1 +# CLAMDPORT 3310 + + +##### +##### F-Prot Socket Scanner +##### + +ENABLEFPROT false + +# F-Prot daemon needs to run on same server as HAVP +# +# Default: +# FPROTSERVER 127.0.0.1 +# FPROTPORT 10200 + +# F-Prot options (only for version 6+ !) +# +# See "fpscand-client.sh --help" for possible options. +# +# At the moment: +# --scanlevel= Which scanlevel to use, 0-4 (2). +# --heurlevel= How aggressive heuristics should be used, 0-4 (2). +# --archive= Scan inside supported archives n levels deep 1-99 (5). +# --adware Instructs the daemon to flag adware. +# --applications Instructs the daemon to flag potentially unwanted applications. 
+# +# Default: NONE +# FPROTOPTIONS --scanlevel=2 --heurlevel=2 + + +##### +##### AVG Socket Scanner +##### + +ENABLEAVG false + +# AVG daemon needs to run on the same server as HAVP +# +# Default: +# AVGSERVER 127.0.0.1 +# AVGPORT 55555 + + +##### +##### Kaspersky Socket Scanner +##### + +ENABLEAVESERVER false + +# Path to aveserver socket +# +# Default: +# AVESOCKET /var/run/aveserver + + +##### +##### Sophos Scanner (Sophie) +##### + +ENABLESOPHIE false + +# Path to sophie socket +# +# Default: +# SOPHIESOCKET /var/run/sophie + + +##### +##### Trend Micro Library Scanner (Trophie) +##### + +ENABLETROPHIE false + +# Scanning limits inside archives (filesize = MB): +# +# Default: +# TROPHIEMAXFILES 50 +# TROPHIEMAXFILESIZE 10 +# TROPHIEMAXRATIO 250 + + +##### +##### NOD32 Socket Scanner +##### + +ENABLENOD32 false + +# Path to nod32d socket +# +# For 3.0+ version, try /tmp/esets.sock +# +# Default: +# NOD32SOCKET /tmp/nod32d.sock + +# Used NOD32 Version +# +# 30 = 3.0+ +# 25 = 2.5+ +# 21 = 2.x (very old) +# +# Default: +# NOD32VERSION 25 + + +##### +##### Avast! Socket Scanner +##### + +ENABLEAVAST false + +# Path to avastd socket +# +# Default: +# AVASTSOCKET /var/run/avast4/local.sock + +# ..OR if you use avastd TCP socket, uncomment to enable use +# +# Avast daemon needs to run on the same server as HAVP +# +# Default: NONE +# AVASTSERVER 127.0.0.1 +# AVASTPORT 5036 + + +##### +##### Arcavir Socket Scanner +##### + +ENABLEARCAVIR false + +# Path to arcavird socket +# +# For version 2008, default socket is /var/run/arcad.ctl +# +# Default: +# ARCAVIRSOCKET /var/run/arcavird.socket + +# Used Arcavir version +# 2007 = Version 2007 and earlier +# 2008 = Version 2008 and later +# +# Default: +# ARCAVIRVERSION 2007 + + +##### +##### DrWeb Socket Scanner +##### + +ENABLEDRWEB false + +# Enable heuristic scanning? +# +# Default: +# DRWEBHEURISTIC true + +# Enable malware detection? 
+# (Adware, Dialer, Joke, Riskware, Hacktool) +# +# Default: +# DRWEBMALWARE true + +# Path to drwebd socket +# +# Default: +# DRWEBSOCKET /var/drweb/run/.daemon + +# ..OR if you use drwebd TCP socket, uncomment to enable use +# +# DrWeb daemon needs to run on the same server as HAVP +# +# Default: NONE +# DRWEBSERVER 127.0.0.1 +# DRWEBPORT 3000 diff -r 8baf084f58c5 -r 70b0d05afad2 .pc/05_add_ssltimeout_option.patch/havp/default.h.in --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/.pc/05_add_ssltimeout_option.patch/havp/default.h.in Wed Jun 18 16:17:31 2014 +0200 
@@ -0,0 +1,120 @@
+/***************************************************************************
+ default.h - description
+ -------------------
+ begin : Sa Feb 12 2005
+ copyright : (C) 2005 by Christian Hilgers
+ email : christian@hilgers.ag
+ ***************************************************************************/
+
+/***************************************************************************
+ * *
+ * This program is free software; you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation; either version 2 of the License, or *
+ * (at your option) any later version. *
+ * *
+ ***************************************************************************/
+
+
+#ifndef DEFAULT_H
+#define DEFAULT_H
+
+#define VERSION "0.92"
+
+//##############################################################
+//Define if you want to rewrite a URL
+//#define REWRITE URLRewrite["havp"]="www.server-side.de"; URLRewrite["www.havp"]="www.server-side.de";
+
+//##############################################################
+//Parameters in Configurationfile
+
+#define CONFIGPARAMS \
+ "WHITELISTFIRST","TEMPDIR","RANGE", "PRELOADZIPHEADER", "USER","GROUP", \
+ "SERVERNUMBER","PORT","BIND_ADDRESS","SOURCE_ADDRESS","KEEPBACKBUFFER", \
+ "KEEPBACKTIME","TRICKLING","TRICKLINGBYTES","MAXSCANSIZE","WHITELIST","BLACKLIST","PIDFILE", \
+ "DAEMON","TRANSPARENT","LOG_OKS","ACCESSLOG","VIRUSLOG","ERRORLOG","TIMEFORMAT","LOGLEVEL", \
+ "USESYSLOG","SYSLOGNAME","SYSLOGFACILITY","SYSLOGLEVEL","SYSLOGVIRUSLEVEL","IGNOREVIRUS", \
+ "DISPLAYINITIALMESSAGES","DBRELOAD","SCANTEMPFILE","TEMPLATEPATH","DISABLELOCKINGFOR", \
+ "PARENTPROXY","PARENTPORT","MAXSERVERS","FORWARDED_IP","X_FORWARDED_FOR","FAILSCANERROR", \
+ "MAXDOWNLOADSIZE","SCANNERTIMEOUT","STREAMUSERAGENT","STREAMSCANSIZE","SCANIMAGES", \
+ "SKIPMIME","SCANMIME", \
+ "ENABLECLAMLIB","CLAMDBDIR","CLAMBLOCKBROKEN","CLAMBLOCKMAX","CLAMBLOCKENCRYPTED", \
+ "CLAMMAXFILES","CLAMMAXFILESIZE","CLAMMAXRECURSION","CLAMMAXSCANSIZE", \
+ "ENABLEAVG","AVGSERVER","AVGPORT", \
+ "ENABLEAVESERVER","AVESOCKET", \
+ "ENABLEFPROT","FPROTSERVER","FPROTPORT","FPROTOPTIONS", \
+ "ENABLETROPHIE","TROPHIEMAXFILES","TROPHIEMAXFILESIZE","TROPHIEMAXRATIO", \
+ "ENABLENOD32","NOD32SOCKET","NOD32VERSION", \
+ "ENABLECLAMD","CLAMDSOCKET","CLAMDSERVER","CLAMDPORT", \
+ "ENABLESOPHIE","SOPHIESOCKET", \
+ "ENABLEAVAST","AVASTSOCKET","AVASTSERVER","AVASTPORT", \
+ "ENABLEARCAVIR","ARCAVIRSOCKET","ARCAVIRVERSION", \
+ "ENABLEDRWEB","DRWEBSOCKET","DRWEBSERVER","DRWEBPORT","DRWEBHEURISTIC","DRWEBMALWARE", \
+ "PARENTUSER", "PARENTPASSWORD"
+//SCANNERS
+
+
+//##############################################################
+//Configuration not setable in havp.config
+
+//CONNTIMEOUT in seconds
+#define CONNTIMEOUT 60
+
+//RECVTIMEOUT in seconds
+#define RECVTIMEOUT 120
+
+//SENDTIMEOUT in seconds
+#define SENDTIMEOUT 120
+
+//Maximum client connection waiting for accept
+#define MAXCONNECTIONS 1024
+
+//Maximum bytes received in one request
+#define MAXRECV 14600
+
+//Maximum logfile line length
+#define STRINGLENGTH 1000
+
+//Maximum hardlock size - do not change
+#define MAXFILELOCKSIZE 1000000000
+
+//Valid Methods
+#define METHODS \
+ "GET","POST","HEAD","CONNECT","PUT","TRACE","PURGE","OPTIONS","UNLOCK", \
+ "SEARCH","PROPFIND","BPROPFIND","PROPPATCH","BPROPPATCH","MKCOL","COPY", \
+ "BCOPY","MOVE","LOCK","BMOVE","DELETE","BDELETE","SUBSCRIBE","UNSUBSCRIBE", \
+ "POLL","REPORT","ERROR","NONE","MKACTIVITY","CHECKOUT","MERGE"
+
+//Maximum length of SCANTEMPFILE
+#define MAXSCANTEMPFILELENGTH 200
+
+//Maximum length of http headers
+#define MAXHTTPHEADERLENGTH 65536
+
+// HTML Error String
+#define ERROR_DNS "dns.html"
+#define VIRUS_FOUND "virus.html"
+#define ERROR_SCANNER "scanner.html"
+#define ERROR_DOWN "down.html"
+#define ERROR_INVALID "invalid.html"
+#define ERROR_REQUEST "request.html"
+#define ERROR_BODY "error.html"
+#define ERROR_BLACKLIST "blacklist.html"
+#define ERROR_MAXSIZE "maxsize.html"
+
+// DONT TOUCH - run configure
+#undef CONFIGFILE
+#undef WHITELISTFILE
+#undef BLACKLISTFILE
+#undef TEMPLATEPATH
+#undef ACCESSLOG
+#undef ERRORLOG
+#undef PIDFILE
+#undef NOMAND
+#undef SSLTUNNEL
+#undef USECLAMLIB
+#undef USETROPHIE
+#undef HAVE_SETGROUPS
+#undef HAVE_INITGROUPS
+
+#endif
diff -r 8baf084f58c5 -r 70b0d05afad2 .pc/05_add_ssltimeout_option.patch/havp/params.cpp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/05_add_ssltimeout_option.patch/havp/params.cpp Wed Jun 18 16:17:31 2014 +0200
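Review bot: The METHODS list is introduced as `//Valid Methods` but also contains `"ERROR"` and `"NONE"`, which are not HTTP methods; presumably they are internal sentinel values the request parser compares against, and a reader of this header cannot tell that from here. Once confirmed against the parser, extend the comment to `//Valid Methods (ERROR and NONE are internal sentinels, never accepted from clients)` or move the two sentinels out of the list. MAXRECV and MAXHTTPHEADERLENGTH are the buffer limits facing untrusted client input, so each would benefit from one sentence saying what happens when a request exceeds them (rejected, truncated, or error page) rather than just the size.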
@@ -0,0 +1,443 @@
+/***************************************************************************
+ params.cpp - description
+ -------------------
+ begin : So Feb 20 2005
+ copyright : (C) 2005 by Peter Sebald / Christian Hilgers
+ email : christian@hilgers.ag
+ ***************************************************************************/
+
+/***************************************************************************
+ * *
+ * This program is free software; you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation; either version 2 of the License, or *
+ * (at your option) any later version. *
+ * *
+ ***************************************************************************/
+
+#include "default.h"
+#include "params.h"
+#include "utils.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#ifndef INADDR_NONE
+#define INADDR_NONE ((unsigned long) -1)
+#endif
+
+map Params::params;
+
+void Params::SetDefaults()
+{
+ SetConfig("DISPLAYINITIALMESSAGES", "true");
+ SetConfig("USER", "havp");
+ SetConfig("GROUP", "havp");
+ SetConfig("DAEMON", "true");
+ SetConfig("SERVERNUMBER", "8");
+ SetConfig("MAXSERVERS", "150");
+ SetConfig("PORT", "8080");
+ SetConfig("BIND_ADDRESS", "");
+ SetConfig("SOURCE_ADDRESS", "");
+ SetConfig("PARENTPROXY", "");
+ SetConfig("PARENTPORT", "0");
+ SetConfig("PARENTUSER", "");
+ SetConfig("PARENTPASSWORD", "");
+ SetConfig("ACCESSLOG", ACCESSLOG);
+ SetConfig("VIRUSLOG", "");
+ SetConfig("ERRORLOG", ERRORLOG);
+ SetConfig("TIMEFORMAT", "%d/%m/%Y %H:%M:%S");
+ SetConfig("LOG_OKS", "true");
+ SetConfig("LOGLEVEL", "0");
+ SetConfig("USESYSLOG", "false");
+ SetConfig("SYSLOGNAME", "havp");
+ SetConfig("SYSLOGFACILITY", "daemon");
+ SetConfig("SYSLOGLEVEL", "info");
+ SetConfig("SYSLOGVIRUSLEVEL","warning");
+ SetConfig("SCANIMAGES", "true");
+ SetConfig("SKIPMIME", "");
+ SetConfig("SCANMIME", "");
+ SetConfig("MAXSCANSIZE", "5000000");
+ SetConfig("KEEPBACKBUFFER", "200000");
+ SetConfig("KEEPBACKTIME", "5");
+ SetConfig("TRICKLING", "30");
+ SetConfig("TRICKLINGBYTES", "1");
+ SetConfig("WHITELISTFIRST", "true");
+ SetConfig("WHITELIST", WHITELISTFILE);
+ SetConfig("BLACKLIST", BLACKLISTFILE);
+ SetConfig("TEMPLATEPATH", TEMPLATEPATH);
+ SetConfig("TEMPDIR", "/var/spool/havp");
+ SetConfig("SCANTEMPFILE", "/var/spool/havp/havp-XXXXXX");
+ SetConfig("PIDFILE", PIDFILE);
+ SetConfig("TRANSPARENT", "false");
+ SetConfig("RANGE", "false");
+ SetConfig("PRELOADZIPHEADER","true");
+ SetConfig("FORWARDED_IP", "false");
+ SetConfig("X_FORWARDED_FOR","false");
+ SetConfig("STREAMUSERAGENT","");
+ SetConfig("STREAMSCANSIZE", "20000");
+ SetConfig("DBRELOAD", "60");
+ SetConfig("FAILSCANERROR", "true");
+ SetConfig("MAXDOWNLOADSIZE","0");
+ SetConfig("SCANNERTIMEOUT", "10");
+ SetConfig("IGNOREVIRUS", "");
+ SetConfig("DISABLELOCKINGFOR","AVG:ALL");
+//SCANNERS
+ SetConfig("ENABLECLAMLIB","false");
+ SetConfig("CLAMDBDIR","");
+ SetConfig("CLAMBLOCKBROKEN","false");
+ SetConfig("CLAMBLOCKMAX","false");
+ SetConfig("CLAMBLOCKENCRYPTED","false");
+ SetConfig("CLAMMAXSCANSIZE","20");
+ SetConfig("CLAMMAXFILES","50");
+ SetConfig("CLAMMAXFILESIZE","100");
+ SetConfig("CLAMMAXRECURSION","8");
+ SetConfig("ENABLECLAMD","false");
+ SetConfig("CLAMDSOCKET","/tmp/clamd");
+ SetConfig("CLAMDSERVER","");
+ SetConfig("CLAMDPORT","3310");
+ SetConfig("ENABLEAVG","false");
+ SetConfig("AVGSERVER","127.0.0.1");
+ SetConfig("AVGPORT","55555");
+ SetConfig("ENABLEAVESERVER","false");
+ SetConfig("AVESOCKET","/var/run/aveserver");
+ SetConfig("ENABLEFPROT","false");
+ SetConfig("FPROTPORT","10200");
+ SetConfig("FPROTSERVER","127.0.0.1");
+ SetConfig("FPROTOPTIONS","");
+ SetConfig("ENABLENOD32","false");
+ SetConfig("NOD32SOCKET","/tmp/nod32d.sock");
+ SetConfig("NOD32VERSION","25");
+ SetConfig("ENABLETROPHIE","false");
+ SetConfig("TROPHIEMAXFILES","50");
+ SetConfig("TROPHIEMAXFILESIZE","10");
+ SetConfig("TROPHIEMAXRATIO","250");
+ SetConfig("ENABLESOPHIE","false");
+ SetConfig("SOPHIESOCKET","/var/run/sophie");
+ SetConfig("ENABLEAVAST","false");
+ SetConfig("AVASTSOCKET","/var/run/avast4/local.sock");
+ SetConfig("AVASTSERVER","");
+ SetConfig("AVASTPORT","5036");
+ SetConfig("ENABLEARCAVIR","false");
+ SetConfig("ARCAVIRSOCKET","/var/run/arcavird.socket");
+ SetConfig("ARCAVIRVERSION","2007");
+ SetConfig("ENABLEDRWEB","false");
+ SetConfig("DRWEBSOCKET","/var/drweb/run/.daemon");
+ SetConfig("DRWEBSERVER","");
+ SetConfig("DRWEBPORT","3000");
+ SetConfig("DRWEBHEURISTIC","true");
+ SetConfig("DRWEBMALWARE","true");
+}
+
+bool Params::ReadConfig( string file )
+{
+ ifstream input( file.c_str() );
+
+ if ( !input )
+ {
+ cerr << "Could not open config file: " << file << endl;
+ return false;
+ }
+
+ string::size_type Position;
+ string line, key, val;
+
+ while ( input )
+ {
+ getline( input, line );
+
+ //Strip whitespace from beginning and end
+ if ( (Position = line.find_first_not_of(" \t")) != string::npos )
+ {
+ line = line.substr(Position, (line.find_last_not_of(" \t", string::npos) - Position) + 1);
+ }
+
+ //Read next if nothing found
+ if ( (Position == string::npos) || (line.size() == 0) ) continue;
+
+ //Read next if commented
+ if ( line.substr(0, 1) == "#" ) continue;
+
+ //Find key and value
+ if ( (Position = line.find_first_of(" \t")) != string::npos )
+ {
+ key = line.substr(0, Position);
+
+ if ( key == "REMOVETHISLINE" )
+ {
+ cout << "Configuration is not edited!" << endl;
+ cout << "You must delete REMOVETHISLINE option." << endl;
+ cout << "Review the configuration carefully. :)" << endl;
+ return false;
+ }
+
+ if ( (Position = line.find_first_not_of(" \t", Position + 1)) == string::npos )
+ {
+ cout << "Invalid Config Line: " << line << endl;
+ return false;
+ }
+
+ val = line.substr( Position );
+
+ Params::SetConfig( key, val );
+ }
+ else
+ {
+ cout << "Invalid Config Line: " << line << endl;
+ return false;
+ }
+ }
+
+ input.close();
+
+ return true;
+}
+
+void Params::SetConfig( string param, string value )
+{
+ string TempParams[] = {CONFIGPARAMS};
+ bool ParamFound = false;
+
+ param = UpperCase(param);
+
+ for ( unsigned int i = 0; i < sizeof(TempParams)/sizeof(string); i++ )
+ {
+ if ( param == TempParams[i] )
+ {
+ ParamFound = true;
+ }
+ }
+
+ if ( ParamFound )
+ {
+ if ( UpperCase(value) == "TRUE" || UpperCase(value) == "FALSE" )
+ {
+ value = UpperCase(value);
+ }
+
+ params[param] = value;
+ }
+ else
+ {
+ cout << "Unknown Config Parameter: " << param << endl;
+ cout << "Exiting.." << endl;
+ exit(1);
+ }
+}
+
+int Params::GetConfigInt( string param )
+{
+ return atoi( params[param].c_str() );
+}
+
+bool Params::GetConfigBool( string param )
+{
+ if ( params[param] == "TRUE" )
+ {
+ return true;
+ }
+ else
+ {
+ return false;
+ }
+}
+
+string Params::GetConfigString( string param )
+{
+ return params[param];
+}
+
+void Params::ShowConfig( string cfgfile )
+{
+ cout << endl << "# Using HAVP config: " << cfgfile << endl << endl;
+ typedef map::const_iterator CI;
+ for(CI p = params.begin(); p != params.end(); ++p)
+ {
+ cout << p->first << "=" << p->second << '\n';
+ }
+ cout << endl;
+}
+
+void Params::Usage()
+{
+ cout << endl << "Usage: havp [Options]" << endl << endl;
+ cout << "HAVP Version " << VERSION << endl << endl;
+ cout << "Possible options are:" << endl;
+ cout << "--help | -h This pamphlet" << endl;
+ cout << "--conf-file=FileName | -c Filename Use this Config-File" << endl;
+ cout << "--show-config | -s Show configuration HAVP is using" << endl << endl;
+}
+
+bool Params::SetParams( int argvT, char* argcT[] )
+{
+ string option, value;
+ string::size_type i1, i2;
+
+ string cfgfile = CONFIGFILE;
+ bool showconf = false;
+
+ SetDefaults();
+
+ while ( --argvT )
+ {
+ value = *++argcT;
+ i1 = value.find_first_not_of("-");
+
+ //No GNU options
+ if ( i1 == 1 )
+ {
+ option = value.substr(i1, 1);
+
+ if ( option == "c" )
+ {
+ --argvT;
+
+ if ( argvT == 0 )
+ {
+ Usage();
+ return false;
+ }
+ value = *++argcT;
+ }
+ else if ( option == "s" )
+ {
+ showconf = true;
+ }
+ else
+ {
+ Usage();
+ return false;
+ }
+ }
+ //GNU options
+ else if ( i1 == 2 )
+ {
+ if ( (i2 = value.find("=")) != string::npos )
+ {
+ option = value.substr(i1, i2 - i1);
+
+ if ( value.size() > i2 + 1 )
+ {
+ value = value.substr(i2 + 1);
+ }
+ else
+ {
+ Usage();
+ return false;
+ }
+ }
+ else
+ {
+ option = value.substr(i1);
+ value = "";
+ }
+ }
+ else
+ {
+ Usage();
+ return false;
+ }
+
+ if ( option == "help" )
+ {
+ Usage();
+ return false;
+ }
+ else if ( option == "show-config" )
+ {
+ showconf = true;
+ }
+ else if ( option == "conf-file" || option == "c" )
+ {
+ if (value == "")
+ {
+ Usage();
+ return false;
+ }
+
+ cfgfile = value;
+ }
+ else if ( showconf == true )
+ {
+ //Nothing: prevent Usage
+ }
+ else
+ {
+ Usage();
+ return false;
+ }
+ }
+
+ if ( ReadConfig( cfgfile ) == false )
+ {
+ return false;
+ }
+
+ if ( showconf == true )
+ {
+ ShowConfig( cfgfile );
+ return false;
+ }
+
+ return TestConfig();
+}
+
+//Test that some options are sane
+bool Params::TestConfig()
+{
+ if ( Params::GetConfigInt("SERVERNUMBER") < 1 )
+ {
+ cout << "Invalid Config: SERVERNUMBER needs to be greater than 0" << endl;
+ return false;
+ }
+ if ( Params::GetConfigString("ACCESSLOG").substr(0,1) != "/"
+ || (Params::GetConfigString("VIRUSLOG") != "" && Params::GetConfigString("VIRUSLOG").substr(0,1) != "/")
+ || Params::GetConfigString("ERRORLOG").substr(0,1) != "/" )
+ {
+ cout << "Invalid Config: Log paths need to be abolute" << endl;
+ return false;
+ }
+ if ( Params::GetConfigString("SCANTEMPFILE").find("XXXXXX") == string::npos )
+ {
+ cout << "Invalid Config: SCANTEMPFILE must contain string \"XXXXXX\"" << endl;
+ return false;
+ }
+ if ( Params::GetConfigInt("MAXSERVERS") > 500 )
+ {
+ cout << "Note: MAXSERVERS is unusually high! You are sure you want this?" << endl;
+ }
+ if ( Params::GetConfigString("BIND_ADDRESS") == "NULL" ) Params::SetConfig("BIND_ADDRESS","");
+ if ( Params::GetConfigString("BIND_ADDRESS") != "" )
+ {
+ if ( inet_addr( Params::GetConfigString("BIND_ADDRESS").c_str() ) == INADDR_NONE )
+ {
+ cout << "Invalid Config: Invalid BIND_ADDRESS" << endl;
+ return false;
+ }
+ }
+ if ( Params::GetConfigString("SOURCE_ADDRESS") == "NULL" ) Params::SetConfig("SOURCE_ADDRESS","");
+ if ( Params::GetConfigString("SOURCE_ADDRESS") != "" )
+ {
+ if ( inet_addr( Params::GetConfigString("SOURCE_ADDRESS").c_str() ) == INADDR_NONE )
+ {
+ cout << "Invalid Config: Invalid SOURCE_ADDRESS" << endl;
+ return false;
+ }
+ }
+ if ( Params::GetConfigString("PARENTPROXY") != "" && Params::GetConfigInt("PARENTPORT") < 1 )
+ {
+ cout << "Invalid Config: Invalid PARENTPROXY/PARENTPORT" << endl;
+ return false;
+ }
+ if ( Params::GetConfigInt("TRICKLING") > 0 && Params::GetConfigInt("TRICKLINGBYTES") < 1 )
+ {
+ cout << "Invalid Config: TRICKLINGBYTES needs to be greater than 0" << endl;
+ return false;
+ }
+
+ return true;
+}
diff -r 8baf084f58c5 -r 70b0d05afad2 .pc/05_add_ssltimeout_option.patch/havp/sockethandler.cpp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/.pc/05_add_ssltimeout_option.patch/havp/sockethandler.cpp Wed Jun 18 16:17:31 2014 +0200
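Review bot: TestConfig range-checks SERVERNUMBER, the log paths and both addresses but never PORT, and PARENTPORT only against `< 1`, so a value above 65535 passes validation and is later narrowed by `htons(portT)` in SocketHandler::CreateServer. Add `if ( Params::GetConfigInt("PORT") < 1 || Params::GetConfigInt("PORT") > 65535 ) { cout << "Invalid Config: Invalid PORT" << endl; return false; }` and apply the same upper bound in the PARENTPROXY/PARENTPORT condition. Related: GetConfigInt uses `atoi`, which yields 0 for non-numeric text and silently stops at the first invalid character, so a typo such as `PORT 80x80` is accepted as 80; `strtol` with an end-pointer check would report it. ReadConfig also loads PARENTPASSWORD from the config file with no ownership or mode check, so a comment on ReadConfig noting that the file must not be world-readable when proxy credentials are set would help operators. Lastly, `inet_addr()` returns INADDR_NONE for the valid address 255.255.255.255; `inet_aton()`/`inet_pton()` avoid that ambiguity.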
@@ -0,0 +1,654 @@ +/*************************************************************************** + sockethandler.cpp - description + ------------------- + begin : Sa Feb 12 2005 + copyright : (C) 2005 by Christian Hilgers + email : christian@hilgers.ag + ***************************************************************************/ + +/*************************************************************************** + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + ***************************************************************************/ + +#include "sockethandler.h" +#include "logfile.h" +#include "params.h" +#include "utils.h" + +#include +#include +#include +#include + +#ifndef INADDR_NONE +#define INADDR_NONE ((unsigned long) -1) +#endif +#ifndef AF_LOCAL +#define AF_LOCAL AF_UNIX +#endif + +//Create Server Socket +bool SocketHandler::CreateServer( int portT, in_addr_t bind_addrT ) +{ + int i = 1; + + my_s_addr.sin_addr.s_addr = bind_addrT; + my_s_addr.sin_port = htons(portT); + + if ( (sock_fd = socket( AF_INET, SOCK_STREAM, 0 )) < 0 ) + { + LogFile::ErrorMessage("socket() failed: %s\n", strerror(errno)); + return false; + } + + // Enable re-use Socket + if ( setsockopt( sock_fd, SOL_SOCKET, SO_REUSEADDR, &i, sizeof(i) ) < 0 ) + { + LogFile::ErrorMessage("setsockopt() failed: %s\n", strerror(errno)); + return false; + } + + if ( ::bind( sock_fd, (struct sockaddr *) &my_s_addr, sizeof(my_s_addr) ) < 0 ) + { + LogFile::ErrorMessage("bind() failed: %s\n", strerror(errno)); + return false; + } + + if ( ::listen( sock_fd, MAXCONNECTIONS ) < 0 ) + { + LogFile::ErrorMessage("listen() failed: %s\n", strerror(errno)); + return false; + } + + return true; +} + + +//Create Server Socket, convert ASCII address representation into binary one +bool 
SocketHandler::CreateServer( int portT, string bind_addrT ) +{ + if ( bind_addrT == "" ) + { + return CreateServer( portT, INADDR_ANY ); + } + else + { + return CreateServer( portT, inet_addr( Params::GetConfigString("BIND_ADDRESS").c_str() ) ); + } +} + + +//Connect to Server +bool SocketHandler::ConnectToServer() +{ + if ( (sock_fd = socket(AF_INET, SOCK_STREAM, 0)) < 0 ) + { + LogFile::ErrorMessage("ConnectToServer socket() failed: %s\n", strerror(errno)); + return false; + } + + if ( source_address != "" ) + { + if ( ::bind(sock_fd, (struct sockaddr *) &l_addr, sizeof(l_addr)) < 0 ) + { + LogFile::ErrorMessage("ConnectoToServer bind() failed: %s\n", strerror(errno)); + Close(); + return false; + } + } + + int flags, ret; + + //Nonblocking connect to get a proper timeout + while ( (flags = fcntl(sock_fd, F_GETFL, 0)) < 0 ) + { + if (errno == EINTR) continue; + + LogFile::ErrorMessage("ConnectToServer fcntl() get failed: %s\n", strerror(errno)); + Close(); + return false; + } + while ( fcntl(sock_fd, F_SETFL, flags | O_NONBLOCK) < 0 ) + { + if (errno == EINTR) continue; + + LogFile::ErrorMessage("ConnectToServer fcntl() O_NONBLOCK failed: %s\n", strerror(errno)); + Close(); + return false; + } + + while ( (ret = ::connect(sock_fd, (struct sockaddr *) &my_s_addr, sizeof(my_s_addr))) < 0 ) + { + if (errno == EINTR) continue; + + if (errno != EINPROGRESS) + { + if (errno != EINVAL) LogFile::ErrorMessage("connect() failed: %s\n", strerror(errno)); + Close(); + return false; + } + + break; + } + + if ( ret != 0 ) + { + FD_ZERO(&checkfd); + FD_SET(sock_fd,&checkfd); + wset = checkfd; + + Timeout.tv_sec = CONNTIMEOUT; + Timeout.tv_usec = 0; + + ret = select_eintr(sock_fd+1, &checkfd, &wset, NULL, &Timeout); + + if ( ret <= 0 ) + { + Close(); + return false; + } + + addr_len = sizeof(peer_addr); + + if ( getpeername(sock_fd, (struct sockaddr *) &peer_addr, (socklen_t *) &addr_len) < 0 ) + { + Close(); + return false; + } + } + + while ( fcntl(sock_fd, F_SETFL, flags) < 0 
) + { + if (errno == EINTR) continue; + + LogFile::ErrorMessage("ConnectToServer fcntl() set failed: %s\n", strerror(errno)); + Close(); + return false; + } + + return true; +} + + +bool SocketHandler::ConnectToSocket( string SocketPath, int retry ) +{ + strncpy(my_u_addr.sun_path, SocketPath.c_str(), sizeof(my_u_addr.sun_path)-1); + + if ( (sock_fd = socket(AF_LOCAL, SOCK_STREAM, 0)) < 0 ) + { + LogFile::ErrorMessage("ConnectToSocket socket() failed: %s\n", strerror(errno)); + return false; + } + + int tries = 0; + int ret; + + for(;;) + { + while ( (ret = ::connect(sock_fd, (struct sockaddr *) &my_u_addr, sizeof(my_u_addr))) < 0 ) + { + if (errno == EINTR) continue; + + if (errno != ENOENT) LogFile::ErrorMessage("ConnectToSocket connect() failed: %s\n", strerror(errno)); + break; + } + + //Success? + if ( ret == 0 ) return true; + + //All retried? + if ( ++tries > retry ) break; + + //Try again in one second + sleep(1); + continue; + } + + Close(); + return false; +} + + +//Accept Client +bool SocketHandler::AcceptClient( SocketHandler &accept_socketT ) +{ + addr_len = sizeof(my_s_addr); + + while ((accept_socketT.sock_fd = ::accept(sock_fd, (sockaddr *) &my_s_addr, (socklen_t *) &addr_len)) < 0) + { + if (errno == EINTR) continue; + + LogFile::ErrorMessage("accept() failed: %s\n", strerror(errno)); + + return false; + } + + //Save IP to ToBrowser + accept_socketT.my_s_addr = my_s_addr; + + return true; +} + +//Send String +bool SocketHandler::Send( const char *sock_outT, int len ) +{ + int total_sent = 0; + int ret, buffer_count; + + do + { + Timeout.tv_sec = SENDTIMEOUT; + Timeout.tv_usec = 0; + FD_ZERO(&checkfd); + FD_SET(sock_fd,&checkfd); + + ret = select_eintr(sock_fd+1, NULL, &checkfd, NULL, &Timeout); + + if (ret <= 0) + { + return false; + } + + while ((buffer_count = ::send(sock_fd, sock_outT + total_sent, len - total_sent, 0)) < 0) + { + if (errno == EINTR) continue; + + return false; + } + if (buffer_count == 0) + { + return false; + } + + total_sent 
+= buffer_count; + } + while (total_sent < len); + + return true; +} + +//Send String +bool SocketHandler::Send( string &sock_outT ) +{ + int total_sent = 0; + int len = sock_outT.size(); + int ret, buffer_count; + + do + { + Timeout.tv_sec = SENDTIMEOUT; + Timeout.tv_usec = 0; + FD_ZERO(&checkfd); + FD_SET(sock_fd,&checkfd); + + ret = select_eintr(sock_fd+1, NULL, &checkfd, NULL, &Timeout); + + if (ret <= 0) + { + return false; + } + + while ((buffer_count = ::send(sock_fd, sock_outT.substr(total_sent).c_str(), len - total_sent, 0)) < 0) + { + if (errno == EINTR) continue; + + return false; + } + if (buffer_count == 0) + { + return false; + } + + total_sent += buffer_count; + } + while (total_sent < len); + + return true; +} + + +//Receive String - Maximal MAXRECV +//sock_del = false : Do not delete Data from Socket +ssize_t SocketHandler::Recv( string &sock_inT, bool sock_delT, int timeout ) +{ + if ( RecvBuf.size() > 0 ) + { + sock_inT.append( RecvBuf ); + + if ( sock_delT == true ) + { + ssize_t tempsize = RecvBuf.size(); + + RecvBuf = ""; + + return tempsize; + } + + return RecvBuf.size(); + } + + char buffer[MAXRECV+1]; + ssize_t buffer_count; + int ret; + + if ( timeout != -1 ) + { + Timeout.tv_sec = timeout; + } + else + { + Timeout.tv_sec = RECVTIMEOUT; + } + Timeout.tv_usec = 0; + + FD_ZERO(&checkfd); + FD_SET(sock_fd,&checkfd); + + ret = select_eintr(sock_fd+1, &checkfd, NULL, NULL, &Timeout); + + if (ret <= 0) + { + return -1; + } + + while ((buffer_count = ::recv(sock_fd, buffer, MAXRECV, 0)) < 0) + { + if (errno == EINTR) continue; + + return -1; + } + + if ( sock_delT == false ) + { + RecvBuf.append( buffer, buffer_count ); + } + + if ( buffer_count == 0 ) + { + return 0; + } + + sock_inT.append( buffer, buffer_count ); + + return buffer_count; +} + + +//Receive String of length sock_length +bool SocketHandler::RecvLength( string &sock_inT, unsigned int sock_lengthT ) +{ + if ( RecvBuf.size() >= sock_lengthT ) + { + sock_inT.append( RecvBuf.substr( 
0, sock_lengthT ) ); + + RecvBuf.erase( 0, sock_lengthT ); + + return true; + } + + char buffer[MAXRECV+1]; + ssize_t buffer_count; + unsigned int received = 0; + + if ( RecvBuf.size() > 0 ) + { + sock_inT.append( RecvBuf ); + received += RecvBuf.size(); + + RecvBuf = ""; + } + + for(;;) + { + Timeout.tv_sec = RECVTIMEOUT; + Timeout.tv_usec = 0; + + FD_ZERO(&checkfd); + FD_SET(sock_fd,&checkfd); + + int ret = select_eintr(sock_fd+1, &checkfd, NULL, NULL, &Timeout); + + if ( ret <= 0 ) + { + return false; + } + + while ((buffer_count = ::recv(sock_fd, buffer, MAXRECV, 0)) < 0 && errno == EINTR); + + if ( buffer_count < 1 ) + { + return false; + } + + if ( received + buffer_count >= sock_lengthT ) + { + string Rest; + Rest.append( buffer, buffer_count ); + + unsigned int needed = sock_lengthT - received; + + sock_inT.append( Rest.substr( 0, needed ) ); + if ( Rest.size() > needed ) RecvBuf.append( Rest.substr( needed ) ); + + return true; + } + + sock_inT.append( buffer, buffer_count ); + received += buffer_count; + } + + return true; +} + + +//Wait and get something from socket until separator +bool SocketHandler::GetLine( string &lineT, string separator, int timeout ) +{ + lineT = ""; + + string TempLine; + string::size_type Position; + + do + { + if ( Recv( TempLine, false, timeout ) == false ) + { + return false; + } + } + while ( (Position = TempLine.find( separator )) == string::npos ); + + TempLine = ""; + + if ( RecvLength( TempLine, Position + separator.size() ) == false ) + { + return false; + } + + lineT = TempLine.erase( Position ); + + return true; +} + + +//Resolve and set hostname/port for connecting +bool SocketHandler::SetDomainAndPort( string domainT, int portT ) +{ + if ( domainT == "" ) return false; + if ( portT < 1 || portT > 65536 ) return false; + + int domlen = domainT.length(); + + if (domlen > 250) domainT = domainT.substr(0, 250); + my_s_addr.sin_port = htons(portT); + + //IP? 
+ if ( domlen >= 7 && domlen <= 15 && domainT.find_first_not_of("0123456789.") == string::npos ) + { + LastHost = ""; + if ( inet_aton( domainT.c_str(), &my_s_addr.sin_addr ) != 0 ) return true; + return false; + } + + //Same host as last time, use next IP + if ( server && LastHost == domainT ) + { + if ( ips == 1 ) return true; + + if ( ++ip_count == ips ) ip_count = 0; + memcpy((char *) &my_s_addr.sin_addr.s_addr, server->h_addr_list[ip_count], server->h_length); + + return true; + } + + //Resolve host + if ( (server = gethostbyname( domainT.c_str() )) ) + { + //Count IPs + for ( ips = 0; server->h_addr_list[ips] != NULL && server->h_addrtype == AF_INET && ips != 16; ips++ ); + + if ( !ips ) return false; + + memcpy((char *) &my_s_addr.sin_addr.s_addr, server->h_addr_list[0], server->h_length); + + ip_count = 0; + LastHost = domainT; + + return true; + } + + LastHost = ""; + return false; +} + +int SocketHandler::IPCount() +{ + return ips; +} + +string SocketHandler::GetIP() +{ + string ip = inet_ntoa(my_s_addr.sin_addr); + return ip; +} + +bool SocketHandler::CheckForData( int timeout ) +{ + if ( RecvBuf.size() > 0 ) + { + return true; + } + + int ret; + + Timeout.tv_sec = timeout; + Timeout.tv_usec = 0; + + FD_ZERO(&checkfd); + FD_SET(sock_fd,&checkfd); + + ret = select_eintr(sock_fd+1, &checkfd, NULL, NULL, &Timeout); + + if (ret <= 0) + { + return false; + } + + return true; +} + + +#ifdef SSLTUNNEL +int SocketHandler::CheckForSSLData( int sockBrowser, int sockServer ) +{ + fd_set readfd; + int fds; + + FD_ZERO(&readfd); + FD_SET(sockBrowser,&readfd); + FD_SET(sockServer,&readfd); + + if ( sockBrowser > sockServer ) + { + fds = sockBrowser; + } + else + { + fds = sockServer; + } + + Timeout.tv_sec = 20; + Timeout.tv_usec = 0; + + int ret = select_eintr(fds+1, &readfd, NULL, NULL, &Timeout); + + if (ret <= 0) return 0; + + if (FD_ISSET(sockBrowser,&readfd)) return 1; + + return 2; +} +#endif + + +void SocketHandler::Close() +{ + //Clear receive buffer + 
RecvBuf = ""; + + //Check that we have a real fd + if ( sock_fd > -1 ) + { + while ( ::close(sock_fd) < 0 ) + { + if (errno == EINTR) continue; + if (errno == EBADF) break; + + //IO error? + LogFile::ErrorMessage("close() failed: %s\n", strerror(errno)); + } + + //Mark socket unused + sock_fd = -1; + } +} + + +//Constructor +SocketHandler::SocketHandler() +{ + memset(&my_s_addr, 0, sizeof(my_s_addr)); + my_s_addr.sin_family = AF_INET; + + memset(&my_u_addr, 0, sizeof(my_u_addr)); + my_u_addr.sun_family = AF_LOCAL; + + ip_count = 0; + ips = 0; + + //No socket exists yet + sock_fd = -1; + + source_address = Params::GetConfigString("SOURCE_ADDRESS"); + + if ( source_address != "" ) + { + l_addr.sin_family = AF_INET; + l_addr.sin_port = htons(0); + l_addr.sin_addr.s_addr = inet_addr( source_address.c_str() ); + } + + RecvBuf.reserve(1500); + RecvBuf = ""; +} + + +//Destructor +SocketHandler::~SocketHandler() +{ +} diff -r 8baf084f58c5 -r 70b0d05afad2 .pc/applied-patches --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/.pc/applied-patches Wed Jun 18 16:17:31 2014 +0200 @@ -0,0 +1,3 @@ +03_havp.config.patch +04_params.cpp.patch +05_add_ssltimeout_option.patch diff -r 8baf084f58c5 -r 70b0d05afad2 debian/changelog --- a/debian/changelog Wed Jun 18 16:16:36 2014 +0200 +++ b/debian/changelog Wed Jun 18 16:17:31 2014 +0200 
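Review bot: quilt's `.pc/` working tree should not be committed: this file is the pre-patch backup of havp/sockethandler.cpp that `quilt push`/`dpkg-source` regenerate for the `3.0 (quilt)` format this changeset adopts, so it (together with the other `.pc/` entries here) belongs in an ignore file, not in history. Because the copy mirrors upstream sockethandler.cpp, two defects visible in it should be fixed in havp/sockethandler.cpp itself: SetDomainAndPort accepts port 65536 (`if ( portT < 1 || portT > 65535 ) return false;` is the intended bound, otherwise `htons(65536)` silently yields port 0), and CreateServer(int portT, string bind_addrT) ignores `bind_addrT` and re-reads `Params::GetConfigString("BIND_ADDRESS")`, so the two overloads can disagree. As far as this copy shows, GetLine also cannot make progress once RecvBuf holds bytes without the separator: Recv with sock_delT=false appends RecvBuf to the caller's string and returns without touching the socket, so TempLine grows by the same bytes on every iteration and the do/while never exits, which a peer that sends data without the expected separator can trigger. The peek path should fall through to the select/recv when the caller already holds the buffered bytes, with GetLine resetting TempLine per iteration and testing `Recv(...) <= 0` instead of `== false`, since the -1 timeout/error result currently passes that test.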
@@ -1,3 +1,34 @@ +havp (0.92a-2.ius.2) stable; urgency=low + + * Non-maintainer upload. + * cosmetic for SSLTIMEOUT option in sockethandler.cpp + * displace SSLTIMEOUT in config file + + -- Christian Arnold Tue, 11 Oct 2011 11:34:14 +0200 + +havp (0.92a-2.ius.1) stable; urgency=low + + * Non-maintainer upload. + * fixed version string to ius + + -- Heiko Schlittermann Fri, 07 Oct 2011 15:51:29 +0200 + +havp (0.92a-2.1) stable; urgency=low + + * Non-maintainer upload. + * fixed init script and init script invocation + * pushed to 3.0 (quilt) source format + * added example config line to havp.config + + -- Heiko Schlittermann Fri, 07 Oct 2011 15:41:23 +0200 + +havp (0.92a-2) stable; urgency=low + + * Non-maintainer upload. + * buld for squeeze + + -- Heiko Schlittermann Fri, 07 Oct 2011 13:48:22 +0200 + havp (0.92a-2) unstable; urgency=low * Include debconf language updates from previous NMU and new updates. diff -r 8baf084f58c5 -r 70b0d05afad2 debian/compat --- a/debian/compat Wed Jun 18 16:16:36 2014 +0200 +++ b/debian/compat Wed Jun 18 16:17:31 2014 +0200 @@ -1,1 +1,1 @@ -4 +7 diff -r 8baf084f58c5 -r 70b0d05afad2 debian/control --- a/debian/control Wed Jun 18 16:16:36 2014 +0200 +++ b/debian/control Wed Jun 18 16:17:31 2014 +0200 @@ -2,8 +2,9 @@ Section: net Priority: optional Maintainer: Rene Mayrhofer -Build-Depends: debhelper (>= 4.0.0), autotools-dev, libssl-dev, libclamav-dev, dpatch, docbook-to-man, po-debconf -Standards-Version: 3.8.1 +Build-Depends: debhelper (>= 7.0.0), autotools-dev, libssl-dev, libclamav-dev, docbook-to-man, po-debconf, + quilt (>= 0.46-7~) +Standards-Version: 3.9.1 Package: havp Architecture: any diff -r 8baf084f58c5 -r 70b0d05afad2 debian/havp.init --- a/debian/havp.init Wed Jun 18 16:16:36 2014 +0200 +++ b/debian/havp.init Wed Jun 18 16:17:31 2014 +0200 
@@ -1,11 +1,11 @@ #! /bin/sh ### BEGIN INIT INFO # Provides: havp -# Required-Start: $network -# Required-Stop: +# Required-Start: $network $remote_fs +# Required-Stop: $remote_fs $network # Should-Start: $named $time # Default-Start: 2 3 4 5 -# Default-Stop: 0 6 +# Default-Stop: 0 1 6 # Short-Description: HAVP virus-scanning HTTP proxy # Description: HAVP is a HTTP proxy that transparently scans all traffic for # viruses and blocks all infected files. @@ -95,9 +95,9 @@ # option to the "reload" entry above. If not, "force-reload" is # just the same as "restart". # -+ $0 stop + $0 stop sleep 1 -+ $0 start + $0 start ;; status) if [ ! -r $PIDFILE ]; then diff -r 8baf084f58c5 -r 70b0d05afad2 debian/havp.postinst --- a/debian/havp.postinst Wed Jun 18 16:16:36 2014 +0200 +++ b/debian/havp.postinst Wed Jun 18 16:17:31 2014 +0200 @@ -37,7 +37,6 @@ fi # care for proper ownership in any case (e.g. updating from an earlier # havp package with different paths) - chown havp:havp /var/run/havp chown havp:havp /var/log/havp chown havp:havp /var/lib/havp chown havp:havp /var/spool/havp diff -r 8baf084f58c5 -r 70b0d05afad2 debian/havp.prerm --- a/debian/havp.prerm Wed Jun 18 16:16:36 2014 +0200 +++ b/debian/havp.prerm Wed Jun 18 16:17:31 2014 +0200 @@ -1,4 +1,5 @@ #! /bin/sh +set -e # prerm script for havp # # see: dh_installdeb(1) diff -r 8baf084f58c5 -r 70b0d05afad2 debian/patches/00list --- a/debian/patches/00list Wed Jun 18 16:16:36 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,3 +0,0 @@ -03_havp.config -04_params.cpp -05_add_ssltimeout_option \ No newline at end of file diff -r 8baf084f58c5 -r 70b0d05afad2 debian/patches/03_havp.config.dpatch --- a/debian/patches/03_havp.config.dpatch Wed Jun 18 16:16:36 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
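Review bot: The havp.postinst hunk drops `chown havp:havp /var/run/havp` and debian/rules in this changeset now `rmdir`s `var/run/havp` from the package, but nothing visible creates that directory with havp ownership at start-up; if the daemon's pidfile still defaults to a path under /var/run/havp (the PIDFILE default is not touched in this changeset), a process running as `havp` will fail to write it on a tmpfs /run after the first reboot. Either keep shipping the directory or have the init script's start action create it, e.g. `mkdir -p /var/run/havp && chown havp:havp /var/run/havp` before start-stop-daemon; the start action is outside this hunk, so if it already does this the note is moot. The `@@ -95,9 +95,9 @@` hunk correctly repairs the `+ $0 stop` / `+ $0 start` lines that a stray leading `+` had broken.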
@@ -1,47 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 03_havp.config.dpatch by -## adapted and cleaned up by Rene Mayrhofer -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: Set PID file and SCANTEMPFILE to correct locations - -@DPATCH@ - ---- havp-0.85/etc/havp/havp.config.in.orig 2007-03-13 11:49:25.482732863 +0100 -+++ havp-0.85/etc/havp/havp.config.in 2007-03-13 11:50:33.667542226 +0100 -@@ -16,7 +16,7 @@ - # You must remove this line for HAVP to start. - # This makes sure you have (hopefully) reviewed the configuration. :) - # Hint: You must enable some scanner! Find them in the end.. --REMOVETHISLINE deleteme -+# REMOVETHISLINE deleteme - - # - # For reasons of security it is recommended to run a proxy program -@@ -103,7 +103,7 @@ - # These characters are used by system to create unique named files. - # - # Default: --# SCANTEMPFILE /var/tmp/havp/havp-XXXXXX -+# SCANTEMPFILE /var/spool/havp/havp-XXXXXX - - # - # Is scanner error fatal? -@@ -342,14 +342,14 @@ - ##### ClamAV Library Scanner (libclamav) - ##### - --ENABLECLAMLIB false -+ENABLECLAMLIB true - - # HAVP uses libclamav hardcoded pattern directory, which usually is --# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are -+# /usr/share/clamav. You only need to set CLAMDBDIR, if you are - # using non-default DatabaseDirectory setting in clamd.conf. - # - # Default: NONE --# CLAMDBDIR /path/to/directory -+# CLAMDBDIR /var/lib/clamav - - # Should we block encrypted archives? - # diff -r 8baf084f58c5 -r 70b0d05afad2 debian/patches/03_havp.config.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/debian/patches/03_havp.config.patch Wed Jun 18 16:17:31 2014 +0200 
@@ -0,0 +1,57 @@ +--- a/etc/havp/havp.config.in ++++ b/etc/havp/havp.config.in +@@ -16,7 +16,7 @@ + # You must remove this line for HAVP to start. + # This makes sure you have (hopefully) reviewed the configuration. :) + # Hint: You must enable some scanner! Find them in the end.. +-REMOVETHISLINE deleteme ++# REMOVETHISLINE deleteme + + # + # For reasons of security it is recommended to run a proxy program +@@ -113,7 +113,7 @@ + # These characters are used by system to create unique named files. + # + # Default: +-# SCANTEMPFILE /var/tmp/havp/havp-XXXXXX ++# SCANTEMPFILE /var/spool/havp/havp-XXXXXX + + # + # Directory for ClamAV and other scanner created tempfiles. +@@ -237,6 +237,13 @@ + # Default: + # FAILSCANERROR true + ++# SSL connections may be silent for a while (mostly when "abused" ++# for other communication than HTTP). HAVP disconnects these connections ++# after several seconds. ++# ++# Default: ++# SSLTIMEOUT 20 ++ + # + # When scanning takes longer than this, it will be aborted. + # Timer is started after HAVP has fully received all data. +@@ -428,14 +435,14 @@ + ##### ClamAV Library Scanner (libclamav) + ##### + +-ENABLECLAMLIB false ++ENABLECLAMLIB true + + # HAVP uses libclamav hardcoded pattern directory, which usually is +-# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are ++# /usr/share/clamav. You only need to set CLAMDBDIR, if you are + # using non-default DatabaseDirectory setting in clamd.conf. + # + # Default: NONE +-# CLAMDBDIR /path/to/directory ++# CLAMDBDIR /var/lib/clamav + + # Should we block broken executables? + # +@@ -661,4 +668,3 @@ + # Default: NONE + # DRWEBSERVER 127.0.0.1 + # DRWEBPORT 3000 +- diff -r 8baf084f58c5 -r 70b0d05afad2 debian/patches/04_params.cpp.dpatch --- a/debian/patches/04_params.cpp.dpatch Wed Jun 18 16:16:36 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
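Review bot: The converted quilt patches carry no DEP-3 header, so the descriptions and attribution the dpatch versions had (`## DP: Set PID file and SCANTEMPFILE to correct locations`, `## DP: Add SSLTIMEOUT config option` by Rene Mayrhofer, adapted from Heiko Schlittermann) are lost in this changeset; prepend at least `Description:`, `Author:` and `Forwarded:` lines to 03, 04 and 05 so the Debian-specific decisions here (commenting out the `REMOVETHISLINE deleteme` start gate, enabling ENABLECLAMLIB, moving tempfiles to /var/spool/havp) are explained to the next maintainer. This patch also inserts the SSLTIMEOUT commentary block at line 237, which 05_add_ssltimeout_option.patch inserts again at line 255; the block belongs only in 05, the patch that adds the option, otherwise the shipped havp.config carries it twice.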
@@ -1,21 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 04_params.cpp.dpatch by -## adapted and cleaned up by Rene Mayrhofer -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: Set PID file and SCANTEMPFILE to correct locations - -@DPATCH@ - ---- havp-0.85/havp/params.cpp.orig 2007-03-13 11:50:45.812848266 +0100 -+++ havp-0.85/havp/params.cpp 2007-03-13 11:51:19.209457684 +0100 -@@ -62,7 +62,7 @@ - SetConfig("BLACKLIST", BLACKLISTFILE); - SetConfig("TEMPLATEPATH", TEMPLATEPATH); -- SetConfig("TEMPDIR", "/var/tmp"); -+ SetConfig("TEMPDIR", "/var/spool/havp"); -- SetConfig("SCANTEMPFILE", "/var/tmp/havp/havp-XXXXXX"); -+ SetConfig("SCANTEMPFILE", "/var/spool/havp/havp-XXXXXX"); - SetConfig("PIDFILE", PIDFILE); - SetConfig("TRANSPARENT", "false"); - SetConfig("RANGE", "false"); diff -r 8baf084f58c5 -r 70b0d05afad2 debian/patches/04_params.cpp.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/debian/patches/04_params.cpp.patch Wed Jun 18 16:17:31 2014 +0200 @@ -0,0 +1,13 @@ +--- a/havp/params.cpp ++++ b/havp/params.cpp +@@ -70,8 +70,8 @@ + SetConfig("WHITELIST", WHITELISTFILE); + SetConfig("BLACKLIST", BLACKLISTFILE); + SetConfig("TEMPLATEPATH", TEMPLATEPATH); +- SetConfig("TEMPDIR", "/var/tmp"); +- SetConfig("SCANTEMPFILE", "/var/tmp/havp/havp-XXXXXX"); ++ SetConfig("TEMPDIR", "/var/spool/havp"); ++ SetConfig("SCANTEMPFILE", "/var/spool/havp/havp-XXXXXX"); + SetConfig("PIDFILE", PIDFILE); + SetConfig("TRANSPARENT", "false"); + SetConfig("RANGE", "false"); diff -r 8baf084f58c5 -r 70b0d05afad2 debian/patches/05_add_ssltimeout_option.dpatch --- a/debian/patches/05_add_ssltimeout_option.dpatch Wed Jun 18 16:16:36 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,44 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 05_add_ssltimeout_option.dpatch by Rene Mayrhofer, adapted from a patch by -## Heiko Schlittermann -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: Add SSLTIMEOUT config option - -@DPATCH@ - ---- a/havp/default.h.in -+++ b/havp/default.h.in -@@ -36,6 +36,7 @@ - "USESYSLOG","SYSLOGNAME","SYSLOGFACILITY","SYSLOGLEVEL","SYSLOGVIRUSLEVEL","IGNOREVIRUS", \ - "DISPLAYINITIALMESSAGES","DBRELOAD","SCANTEMPFILE","TEMPLATEPATH","DISABLELOCKINGFOR", \ - "PARENTPROXY","PARENTPORT","MAXSERVERS","FORWARDED_IP","X_FORWARDED_FOR","FAILSCANERROR", \ -+ "SSLTIMEOUT", \ - "MAXDOWNLOADSIZE","SCANNERTIMEOUT","STREAMUSERAGENT","STREAMSCANSIZE","SCANIMAGES", \ - "SKIPMIME","SCANMIME", \ - "ENABLECLAMLIB","CLAMDBDIR","CLAMBLOCKBROKEN","CLAMBLOCKMAX","CLAMBLOCKENCRYPTED", \ -diff --git a/havp/params.cpp b/havp/params.cpp -index 0f83c0c..5a18913 100644 ---- a/havp/params.cpp -+++ b/havp/params.cpp -@@ -86,6 +86,7 @@ void Params::SetDefaults() - SetConfig("SCANNERTIMEOUT", "10"); - SetConfig("IGNOREVIRUS", ""); - SetConfig("DISABLELOCKINGFOR","AVG:ALL"); -+ SetConfig("SSLTIMEOUT", "20"); - //SCANNERS - SetConfig("ENABLECLAMLIB","false"); - SetConfig("CLAMDBDIR",""); -diff --git a/havp/sockethandler.cpp b/havp/sockethandler.cpp -index 28a119a..4cb5f24 100644 ---- a/havp/sockethandler.cpp -+++ b/havp/sockethandler.cpp -@@ -582,7 +582,7 @@ int SocketHandler::CheckForSSLData( int sockBrowser, int sockServer ) - fds = sockServer; - } - -- Timeout.tv_sec = 20; -+ Timeout.tv_sec = Timeout.tv_sec = Params::GetConfigInt("SSLTIMEOUT");; - Timeout.tv_usec = 0; - - int ret = select_eintr(fds+1, &readfd, NULL, NULL, &Timeout); diff -r 8baf084f58c5 -r 70b0d05afad2 debian/patches/05_add_ssltimeout_option.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/debian/patches/05_add_ssltimeout_option.patch Wed Jun 18 16:17:31 2014 +0200 
@@ -0,0 +1,47 @@ +--- a/havp/default.h.in ++++ b/havp/default.h.in +@@ -36,6 +36,7 @@ + "USESYSLOG","SYSLOGNAME","SYSLOGFACILITY","SYSLOGLEVEL","SYSLOGVIRUSLEVEL","IGNOREVIRUS", \ + "DISPLAYINITIALMESSAGES","DBRELOAD","SCANTEMPFILE","TEMPLATEPATH","DISABLELOCKINGFOR", \ + "PARENTPROXY","PARENTPORT","MAXSERVERS","FORWARDED_IP","X_FORWARDED_FOR","FAILSCANERROR", \ ++ "SSLTIMEOUT", \ + "MAXDOWNLOADSIZE","SCANNERTIMEOUT","STREAMUSERAGENT","STREAMSCANSIZE","SCANIMAGES", \ + "SKIPMIME","SCANMIME", \ + "ENABLECLAMLIB","CLAMDBDIR","CLAMBLOCKBROKEN","CLAMBLOCKMAX","CLAMBLOCKENCRYPTED", \ +--- a/havp/params.cpp ++++ b/havp/params.cpp +@@ -86,6 +86,7 @@ + SetConfig("SCANNERTIMEOUT", "10"); + SetConfig("IGNOREVIRUS", ""); + SetConfig("DISABLELOCKINGFOR","AVG:ALL"); ++ SetConfig("SSLTIMEOUT", "20"); + //SCANNERS + SetConfig("ENABLECLAMLIB","false"); + SetConfig("CLAMDBDIR",""); +--- a/havp/sockethandler.cpp ++++ b/havp/sockethandler.cpp +@@ -582,7 +582,7 @@ + fds = sockServer; + } + +- Timeout.tv_sec = 20; ++ Timeout.tv_sec = Params::GetConfigInt("SSLTIMEOUT"); + Timeout.tv_usec = 0; + + int ret = select_eintr(fds+1, &readfd, NULL, NULL, &Timeout); +--- a/etc/havp/havp.config.in ++++ b/etc/havp/havp.config.in +@@ -255,6 +255,13 @@ + # Default: + # SCANNERTIMEOUT 10 + ++# SSL connections may be silent for a while (mostly when "abused" ++# for other communication than HTTP). HAVP disconnects these connections ++# after several seconds. ++# ++# Default: ++# SSLTIMEOUT 20 ++ + # + # Allow HTTP Range requests? + # diff -r 8baf084f58c5 -r 70b0d05afad2 debian/patches/series --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/debian/patches/series Wed Jun 18 16:17:31 2014 +0200 @@ -0,0 +1,3 @@ +03_havp.config.patch +04_params.cpp.patch +05_add_ssltimeout_option.patch diff -r 8baf084f58c5 -r 70b0d05afad2 debian/rules --- a/debian/rules Wed Jun 18 16:16:36 2014 +0200 +++ b/debian/rules Wed Jun 18 16:17:31 2014 +0200 
@@ -72,11 +72,12 @@ install: build dh_testdir dh_testroot - dh_clean -k + dh_prep dh_installdirs # Add here commands to install the package into debian/havp. $(MAKE) install DESTDIR=$(CURDIR)/debian/havp + rmdir $(CURDIR)/debian/havp/var/run/havp # clean up to make lintian shut up... rm -r $(CURDIR)/debian/havp/var/tmp @@ -96,7 +97,7 @@ dh_installdocs dh_installexamples dh_installlogrotate - dh_installinit --error-handler=init_error + dh_installinit --error-handler=init_error dh_installman havp.1 dh_link dh_strip @@ -110,12 +111,12 @@ patch: patch-stamp patch-stamp: - dpatch apply-all - dpatch cat-all >patch-stamp + dh_quilt_patch + touch patch-stamp unpatch: - dpatch deapply-all - rm -rf patch-stamp debian/patched + dh_quilt_unpatch + rm -rf patch-stamp binary: binary-indep binary-arch .PHONY: build clean binary-indep binary-arch binary install diff -r 8baf084f58c5 -r 70b0d05afad2 debian/source/format --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/debian/source/format Wed Jun 18 16:17:31 2014 +0200 @@ -0,0 +1,1 @@ +3.0 (quilt) diff -r 8baf084f58c5 -r 70b0d05afad2 debian/source/options --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/debian/source/options Wed Jun 18 16:17:31 2014 +0200 @@ -0,0 +1,1 @@ +tar-ignore diff -r 8baf084f58c5 -r 70b0d05afad2 etc/havp/havp.config.in --- a/etc/havp/havp.config.in Wed Jun 18 16:16:36 2014 +0200 +++ b/etc/havp/havp.config.in Wed Jun 18 16:17:31 2014 +0200 @@ -16,7 +16,7 @@ # You must remove this line for HAVP to start. # This makes sure you have (hopefully) reviewed the configuration. :) # Hint: You must enable some scanner! Find them in the end.. -REMOVETHISLINE deleteme +# REMOVETHISLINE deleteme # # For reasons of security it is recommended to run a proxy program @@ -113,7 +113,7 @@ # These characters are used by system to create unique named files. # # Default: -# SCANTEMPFILE /var/tmp/havp/havp-XXXXXX +# SCANTEMPFILE /var/spool/havp/havp-XXXXXX # # Directory for ClamAV and other scanner created tempfiles. 
@@ -237,6 +237,13 @@ # Default: # FAILSCANERROR true +# SSL connections may be silent for a while (mostly when "abused" +# for other communication than HTTP). HAVP disconnects these connections +# after several seconds. +# +# Default: +# SSLTIMEOUT 20 + # # When scanning takes longer than this, it will be aborted. # Timer is started after HAVP has fully received all data. @@ -248,6 +255,13 @@ # Default: # SCANNERTIMEOUT 10 +# SSL connections may be silent for a while (mostly when "abused" +# for other communication than HTTP). HAVP disconnects these connections +# after several seconds. +# +# Default: +# SSLTIMEOUT 20 + # # Allow HTTP Range requests? # @@ -428,14 +442,14 @@ ##### ClamAV Library Scanner (libclamav) ##### -ENABLECLAMLIB false +ENABLECLAMLIB true # HAVP uses libclamav hardcoded pattern directory, which usually is -# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are +# /usr/share/clamav. You only need to set CLAMDBDIR, if you are # using non-default DatabaseDirectory setting in clamd.conf. # # Default: NONE -# CLAMDBDIR /path/to/directory +# CLAMDBDIR /var/lib/clamav # Should we block broken executables? # @@ -661,4 +675,3 @@ # Default: NONE # DRWEBSERVER 127.0.0.1 # DRWEBPORT 3000 - diff -r 8baf084f58c5 -r 70b0d05afad2 havp/default.h.in --- a/havp/default.h.in Wed Jun 18 16:16:36 2014 +0200 +++ b/havp/default.h.in Wed Jun 18 16:17:31 2014 +0200 @@ -36,6 +36,7 @@ "USESYSLOG","SYSLOGNAME","SYSLOGFACILITY","SYSLOGLEVEL","SYSLOGVIRUSLEVEL","IGNOREVIRUS", \ "DISPLAYINITIALMESSAGES","DBRELOAD","SCANTEMPFILE","TEMPLATEPATH","DISABLELOCKINGFOR", \ "PARENTPROXY","PARENTPORT","MAXSERVERS","FORWARDED_IP","X_FORWARDED_FOR","FAILSCANERROR", \ + "SSLTIMEOUT", \ "MAXDOWNLOADSIZE","SCANNERTIMEOUT","STREAMUSERAGENT","STREAMSCANSIZE","SCANIMAGES", \ "SKIPMIME","SCANMIME", \ "ENABLECLAMLIB","CLAMDBDIR","CLAMBLOCKBROKEN","CLAMBLOCKMAX","CLAMBLOCKENCRYPTED", \ diff -r 8baf084f58c5 -r 70b0d05afad2 havp/params.cpp 
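Review bot: The SSLTIMEOUT commentary added at 237 says HAVP disconnects silent SSL connections "after several seconds", which neither names the unit nor ties the sentence to the value below it, and the identical block is added again by the `@@ -248,6 +255,13 @@` hunk, so the resulting file carries it twice (03_havp.config.patch and 05_add_ssltimeout_option.patch both insert it). Keep one copy, next to SCANNERTIMEOUT as in 05, and make it concrete: `# Idle timeout in seconds for SSL tunnels: when neither side sends data for this long, HAVP closes the connection. The value is handed straight to select(), so keep it at 1 or more.`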
--- a/havp/params.cpp Wed Jun 18 16:16:36 2014 +0200 +++ b/havp/params.cpp Wed Jun 18 16:17:31 2014 +0200 @@ -70,8 +70,8 @@ SetConfig("WHITELIST", WHITELISTFILE); SetConfig("BLACKLIST", BLACKLISTFILE); SetConfig("TEMPLATEPATH", TEMPLATEPATH); - SetConfig("TEMPDIR", "/var/tmp"); - SetConfig("SCANTEMPFILE", "/var/tmp/havp/havp-XXXXXX"); + SetConfig("TEMPDIR", "/var/spool/havp"); + SetConfig("SCANTEMPFILE", "/var/spool/havp/havp-XXXXXX"); SetConfig("PIDFILE", PIDFILE); SetConfig("TRANSPARENT", "false"); SetConfig("RANGE", "false"); @@ -86,6 +86,7 @@ SetConfig("SCANNERTIMEOUT", "10"); SetConfig("IGNOREVIRUS", ""); SetConfig("DISABLELOCKINGFOR","AVG:ALL"); + SetConfig("SSLTIMEOUT", "20"); //SCANNERS SetConfig("ENABLECLAMLIB","false"); SetConfig("CLAMDBDIR",""); diff -r 8baf084f58c5 -r 70b0d05afad2 havp/sockethandler.cpp --- a/havp/sockethandler.cpp Wed Jun 18 16:16:36 2014 +0200 +++ b/havp/sockethandler.cpp Wed Jun 18 16:17:31 2014 +0200 @@ -582,7 +582,7 @@ fds = sockServer; } - Timeout.tv_sec = 20; + Timeout.tv_sec = Params::GetConfigInt("SSLTIMEOUT"); Timeout.tv_usec = 0; int ret = select_eintr(fds+1, &readfd, NULL, NULL, &Timeout);
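Review bot: `Params::GetConfigInt("SSLTIMEOUT")` is assigned to `Timeout.tv_sec` without any range check, and the params.cpp hunk only adds the default; a configured value of 0 turns the select() in CheckForSSLData into a poll that returns 0 whenever no data is pending, and a negative value makes select() fail with EINVAL, so in both cases the function returns 0 and the SSL tunnel is torn down on its first idle check. TestConfig already rejects out-of-range SERVERNUMBER and TRICKLINGBYTES (as the pre-patch copy of params.cpp in this changeset shows), so add the same style of check there: `if ( Params::GetConfigInt("SSLTIMEOUT") < 1 ) { cout << "Invalid Config: SSLTIMEOUT needs to be greater than 0" << endl; return false; }`. CheckForSSLData begins outside this hunk; the `ret <= 0` handling described above is taken from the pre-patch copy of sockethandler.cpp elsewhere in this changeset.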