diff options
Diffstat (limited to '')
-rw-r--r-- | src/main/util.c | 1732 |
1 files changed, 1732 insertions, 0 deletions
diff --git a/src/main/util.c b/src/main/util.c new file mode 100644 index 0000000..607bcaa --- /dev/null +++ b/src/main/util.c @@ -0,0 +1,1732 @@ +/* + * util.c Various utility functions. + * + * Version: $Id$ + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + * + * Copyright 2000,2006 The FreeRADIUS server project + */ + +RCSID("$Id$") + +#include <freeradius-devel/radiusd.h> +#include <freeradius-devel/rad_assert.h> + +#include <ctype.h> + +#include <sys/stat.h> +#include <fcntl.h> + +/* + * The signal() function in Solaris 2.5.1 sets SA_NODEFER in + * sa_flags, which causes grief if signal() is called in the + * handler before the cause of the signal has been cleared. + * (Infinite recursion). + * + * The same problem appears on HPUX, so we avoid it, if we can. + * + * Using sigaction() to reset the signal handler fixes the problem, + * so where available, we prefer that solution. + */ + +void (*reset_signal(int signo, void (*func)(int)))(int) +{ +#ifdef HAVE_SIGACTION + struct sigaction act, oact; + + memset(&act, 0, sizeof(act)); + act.sa_handler = func; + sigemptyset(&act.sa_mask); + act.sa_flags = 0; +#ifdef SA_INTERRUPT /* SunOS */ + act.sa_flags |= SA_INTERRUPT; +#endif + if (sigaction(signo, &act, &oact) < 0) + return SIG_ERR; + return oact.sa_handler; +#else + + /* + * re-set by calling the 'signal' function, which + * may cause infinite recursion and core dumps due to + * stack growth. + * + * However, the system is too dumb to implement sigaction(), + * so we don't have a choice. + */ + signal(signo, func); + + return NULL; +#endif +} + +/* + * Per-request data, added by modules... + */ +struct request_data_t { + request_data_t *next; + + void *unique_ptr; + int unique_int; + void *opaque; + bool free_opaque; +}; + +/* + * Add opaque data (with a "free" function) to a REQUEST. + * + * The unique ptr is meant to be a module configuration, + * and the unique integer allows the caller to have multiple + * opaque data associated with a REQUEST. + */ +int request_data_add(REQUEST *request, void *unique_ptr, int unique_int, void *opaque, bool free_opaque) +{ + request_data_t *this, **last, *next; + + /* + * Some simple sanity checks. + */ + if (!request || !opaque) return -1; + + this = next = NULL; + for (last = &(request->data); + *last != NULL; + last = &((*last)->next)) { + if (((*last)->unique_ptr == unique_ptr) && + ((*last)->unique_int == unique_int)) { + this = *last; + next = this->next; + + /* + * If caller requires custom behaviour on free + * they must set a destructor. + */ + if (this->opaque && this->free_opaque) talloc_free(this->opaque); + + break; /* replace the existing entry */ + } + } + + /* + * Only alloc new memory if we're not replacing + * an existing entry. + */ + if (!this) this = talloc_zero(request, request_data_t); + if (!this) return -1; + + this->next = next; + this->unique_ptr = unique_ptr; + this->unique_int = unique_int; + this->opaque = opaque; + this->free_opaque = free_opaque; + + *last = this; + + return 0; +} + +/* + * Get opaque data from a request. + */ +void *request_data_get(REQUEST *request, void *unique_ptr, int unique_int) +{ + request_data_t **last; + + if (!request) return NULL; + + for (last = &(request->data); + *last != NULL; + last = &((*last)->next)) { + if (((*last)->unique_ptr == unique_ptr) && + ((*last)->unique_int == unique_int)) { + request_data_t *this; + void *ptr; + + this = *last; + ptr = this->opaque; + + /* + * Remove the entry from the list, and free it. + */ + *last = this->next; + talloc_free(this); + + return ptr; /* don't free it, the caller does that */ + } + } + + return NULL; /* wasn't found, too bad... */ +} + +/* + * Get opaque data from a request without removing it. + */ +void *request_data_reference(REQUEST *request, void *unique_ptr, int unique_int) +{ + request_data_t **last; + + for (last = &(request->data); + *last != NULL; + last = &((*last)->next)) { + if (((*last)->unique_ptr == unique_ptr) && + ((*last)->unique_int == unique_int)) { + return (*last)->opaque; + } + } + + return NULL; /* wasn't found, too bad... */ +} + +/** Create possibly many directories. + * + * @note that the input directory name is NOT treated as a constant. This is so that + * if an error is returned, the 'directory' ptr points to the name of the file + * which caused the error. + * + * @param dir path to directory to create. + * @param mode for new directories. + * @param uid to set on new directories, may be -1 to use effective uid. + * @param gid to set on new directories, may be -1 to use effective gid. + * @return 0 on success, -1 on error. Error available as errno. + */ +int rad_mkdir(char *dir, mode_t mode, uid_t uid, gid_t gid) +{ + int rcode, fd; + char *p; + + /* + * Try to make the dir. If it exists, chmod it. + * If a path doesn't exist, that's OK. Otherwise + * return with an error. + * + * Directories permissions are initially set so + * that only we should have access. This prevents + * an attacker removing them and swapping them + * out for a link to somewhere else. + * We change them to the correct permissions later. + */ + rcode = mkdir(dir, 0700); + if (rcode < 0) { + switch (errno) { + case EEXIST: + return 0; /* don't change permissions */ + + case ENOENT: + break; + + default: + return rcode; + } + + /* + * A component in the dir path doesn't + * exist. Look for the LAST dir name. Try + * to create that. If there's an error, we leave + * the dir path as the one at which the + * error occured. + */ + p = strrchr(dir, FR_DIR_SEP); + if (!p || (p == dir)) return -1; + + *p = '\0'; + rcode = rad_mkdir(dir, mode, uid, gid); + if (rcode < 0) return rcode; + + /* + * Reset the dir path, and try again to + * make the dir. + */ + *p = FR_DIR_SEP; + rcode = mkdir(dir, 0700); + if (rcode < 0) return rcode; + } /* else we successfully created the dir */ + + /* + * Set the permissions on the directory we created + * this should never fail unless there's a race. + */ + fd = open(dir, O_DIRECTORY); + if (fd < 0) return -1; + + rcode = fchmod(fd, mode); + if (rcode < 0) { + close(fd); + return rcode; + } + + if ((uid != (uid_t)-1) || (gid != (gid_t)-1)) { + rad_suid_up(); + rcode = fchown(fd, uid, gid); + rad_suid_down(); + } + close(fd); + + return rcode; +} + +/** Ensures that a filename cannot walk up the directory structure + * + * Also sanitizes control chars. + * + * @param request Current request (may be NULL). + * @param out Output buffer. + * @param outlen Size of the output buffer. + * @param in string to escape. + * @param arg Context arguments (unused, should be NULL). + */ +size_t rad_filename_make_safe(UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg) +{ + char const *q = in; + char *p = out; + size_t left = outlen; + + while (*q) { + if (*q != '/') { + if (left < 2) break; + + /* + * Smash control characters and spaces to + * something simpler. + */ + if (*q < ' ') { + *(p++) = '_'; + q++; + continue; + } + + *(p++) = *(q++); + left--; + continue; + } + + /* + * For now, allow slashes in the expanded + * filename. This allows the admin to set + * attributes which create sub-directories. + * Unfortunately, it also allows users to send + * attributes which *may* end up creating + * sub-directories. + */ + if (left < 2) break; + *(p++) = *(q++); + + /* + * Get rid of ////../.././///.///..// + */ + redo: + /* + * Get rid of //// + */ + if (*q == '/') { + q++; + goto redo; + } + + /* + * Get rid of /./././ + */ + if ((q[0] == '.') && + (q[1] == '/')) { + q += 2; + goto redo; + } + + /* + * Get rid of /../../../ + */ + if ((q[0] == '.') && (q[1] == '.') && + (q[2] == '/')) { + q += 3; + goto redo; + } + } + *p = '\0'; + + return (p - out); +} + +/** Escapes the raw string such that it should be safe to use as part of a file path + * + * This function is designed to produce a string that's still readable but portable + * across the majority of file systems. + * + * For security reasons it cannot remove characters from the name, and must not allow + * collisions to occur between different strings. + * + * With that in mind '-' has been chosen as the escape character, and will be double + * escaped '-' -> '--' to avoid collisions. + * + * Escaping should be reversible if the original string needs to be extracted. + * + * @note function takes additional arguments so that it may be used as an xlat escape + * function but it's fine to call it directly. + * + * @note OSX/Unix/NTFS/VFAT have a max filename size of 255 bytes. + * + * @param request Current request (may be NULL). + * @param out Output buffer. + * @param outlen Size of the output buffer. + * @param in string to escape. + * @param arg Context arguments (unused, should be NULL). + */ +size_t rad_filename_escape(UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg) +{ + size_t freespace = outlen; + + while (*in != '\0') { + size_t utf8_len; + + /* + * Encode multibyte UTF8 chars + */ + utf8_len = fr_utf8_char((uint8_t const *) in, -1); + if (utf8_len > 1) { + if (freespace <= (utf8_len * 3)) break; + + switch (utf8_len) { + case 2: + snprintf(out, freespace, "-%x-%x", (uint8_t)in[0], (uint8_t)in[1]); + break; + + case 3: + snprintf(out, freespace, "-%x-%x-%x", (uint8_t)in[0], (uint8_t)in[1], (uint8_t)in[2]); + break; + + case 4: + snprintf(out, freespace, "-%x-%x-%x-%x", (uint8_t)in[0], (uint8_t)in[1], (uint8_t)in[2], (uint8_t)in[3]); + break; + } + + freespace -= (utf8_len * 3); + out += (utf8_len * 3); + in += utf8_len; + + continue; + } + + /* + * Safe chars + */ + if (((*in >= 'A') && (*in <= 'Z')) || + ((*in >= 'a') && (*in <= 'z')) || + ((*in >= '0') && (*in <= '9')) || + (*in == '_')) { + if (freespace <= 1) break; + + *out++ = *in++; + freespace--; + continue; + } + if (freespace <= 2) break; + + /* + * Double escape '-' (like \\) + */ + if (*in == '-') { + *out++ = '-'; + *out++ = '-'; + + freespace -= 2; + in++; + continue; + } + + /* + * Unsafe chars + */ + *out++ = '-'; + fr_bin2hex(out, (uint8_t const *)in++, 1); + out += 2; + freespace -= 3; + } + *out = '\0'; + + return outlen - freespace; +} + +/** Converts data stored in a file name back to its original form + * + * @param out Where to write the unescaped string (may be the same as in). + * @param outlen Length of the output buffer. + * @param in Input filename. + * @param inlen Length of input. + * @return number of bytes written to output buffer, or offset where parse error + * occurred on failure. + */ +ssize_t rad_filename_unescape(char *out, size_t outlen, char const *in, size_t inlen) +{ + char const *p, *end = in + inlen; + size_t freespace = outlen; + + for (p = in; p < end; p++) { + if (freespace <= 1) break; + + if (((*p >= 'A') && (*p <= 'Z')) || + ((*p >= 'a') && (*p <= 'z')) || + ((*p >= '0') && (*p <= '9')) || + (*p == '_')) { + *out++ = *p; + freespace--; + continue; + } + + if (p[0] == '-') { + /* + * End of input, '-' needs at least one extra char after + * it to be valid. + */ + if ((end - p) < 2) return in - p; + if (p[1] == '-') { + p++; + *out++ = '-'; + freespace--; + continue; + } + + /* + * End of input, '-' must be followed by <hex><hex> + * but there aren't enough chars left + */ + if ((end - p) < 3) return in - p; + + /* + * If hex2bin returns 0 the next two chars weren't hexits. + */ + if (fr_hex2bin((uint8_t *) out, 1, in, 1) == 0) return in - (p + 1); + in += 2; + out++; + freespace--; + } + + return in - p; /* offset we found the bad char at */ + } + *out = '\0'; + + return outlen - freespace; /* how many bytes were written */ +} + +/* + * Allocate memory, or exit. + * + * This call ALWAYS succeeds! + */ +void *rad_malloc(size_t size) +{ + void *ptr = malloc(size); + + if (ptr == NULL) { + ERROR("no memory"); + fr_exit(1); + } + + return ptr; +} + + +void rad_const_free(void const *ptr) +{ + void *tmp; + if (!ptr) return; + + memcpy(&tmp, &ptr, sizeof(tmp)); + talloc_free(tmp); +} + + +/* + * Logs an error message and aborts the program + * + */ + +void NEVER_RETURNS rad_assert_fail(char const *file, unsigned int line, char const *expr) +{ + ERROR("ASSERT FAILED %s[%u]: %s", file, line, expr); + fr_fault(SIGABRT); + fr_exit_now(1); +} + +/* + * Free a REQUEST struct. + */ +static int _request_free(REQUEST *request) +{ + rad_assert(!request->in_request_hash); +#ifdef WITH_PROXY + rad_assert(!request->in_proxy_hash); +#endif + rad_assert(!request->ev); + +#ifdef WITH_COA + rad_assert(request->coa == NULL); +#endif + +#ifndef NDEBUG + request->magic = 0x01020304; /* set the request to be nonsense */ +#endif + request->client = NULL; +#ifdef WITH_PROXY + request->home_server = NULL; +#endif + + /* + * This is parented separately. + */ + if (request->state_ctx) { + talloc_free(request->state_ctx); + } + + return 0; +} + +/* + * Create a new REQUEST data structure. + */ +REQUEST *request_alloc(TALLOC_CTX *ctx) +{ + REQUEST *request; + + request = talloc_zero(ctx, REQUEST); + if (!request) return NULL; + talloc_set_destructor(request, _request_free); +#ifndef NDEBUG + request->magic = REQUEST_MAGIC; +#endif +#ifdef WITH_PROXY + request->proxy = NULL; +#endif + request->reply = NULL; +#ifdef WITH_PROXY + request->proxy_reply = NULL; +#endif + request->config = NULL; + request->username = NULL; + request->password = NULL; + request->timestamp = time(NULL); + request->log.lvl = rad_debug_lvl; /* Default to global debug level */ + + request->module = ""; + request->component = "<core>"; + request->log.func = vradlog_request; + + request->state_ctx = talloc_init("session-state"); + + return request; +} + + +/* + * Create a new REQUEST, based on an old one. + * + * This function allows modules to inject fake requests + * into the server, for tunneled protocols like TTLS & PEAP. + */ +REQUEST *request_alloc_fake(REQUEST *request) +{ + REQUEST *fake; + + fake = request_alloc(request); + if (!fake) return NULL; + + fake->number = request->number; +#ifdef HAVE_PTHREAD_H + fake->child_pid = request->child_pid; +#endif + fake->parent = request; + fake->root = request->root; + fake->client = request->client; + + /* + * For new server support. + * + * FIXME: Key instead off of a "virtual server" data structure. + * + * FIXME: Permit different servers for inner && outer sessions? + */ + fake->server = request->server; + + fake->packet = rad_alloc(fake, true); + if (!fake->packet) { + talloc_free(fake); + return NULL; + } + + fake->reply = rad_alloc(fake, false); + if (!fake->reply) { + talloc_free(fake); + return NULL; + } + + fake->master_state = REQUEST_ACTIVE; + fake->child_state = REQUEST_RUNNING; + + /* + * Fill in the fake request. + */ + fake->packet->sockfd = -1; + fake->packet->src_ipaddr = request->packet->src_ipaddr; + fake->packet->src_port = request->packet->src_port; + fake->packet->dst_ipaddr = request->packet->dst_ipaddr; + fake->packet->dst_port = 0; + + /* + * This isn't STRICTLY required, as the fake request MUST NEVER + * be put into the request list. However, it's still reasonable + * practice. + */ + fake->packet->id = fake->number & 0xff; + fake->packet->code = request->packet->code; + fake->timestamp = request->timestamp; + fake->packet->timestamp = request->packet->timestamp; + + /* + * Required for new identity support + */ + fake->listener = request->listener; + + /* + * Fill in the fake reply, based on the fake request. + */ + fake->reply->sockfd = fake->packet->sockfd; + fake->reply->src_ipaddr = fake->packet->dst_ipaddr; + fake->reply->src_port = fake->packet->dst_port; + fake->reply->dst_ipaddr = fake->packet->src_ipaddr; + fake->reply->dst_port = fake->packet->src_port; + fake->reply->id = fake->packet->id; + fake->reply->code = 0; /* UNKNOWN code */ + + /* + * Copy debug information. + */ + memcpy(&(fake->log), &(request->log), sizeof(fake->log)); + fake->log.indent = 0; /* Apart from the indent which we reset */ + + return fake; +} + +#ifdef WITH_COA +static int null_handler(UNUSED REQUEST *request) +{ + return 0; +} + +REQUEST *request_alloc_coa(REQUEST *request) +{ + if (!request || request->coa) return NULL; + + /* + * Originate CoA requests only when necessary. + */ + if ((request->packet->code != PW_CODE_ACCESS_REQUEST) && + (request->packet->code != PW_CODE_ACCOUNTING_REQUEST)) return NULL; + + request->coa = request_alloc_fake(request); + if (!request->coa) return NULL; + + request->coa->handle = null_handler; + request->coa->options = RAD_REQUEST_OPTION_COA; /* is a CoA packet */ + request->coa->packet->code = 0; /* unknown, as of yet */ + request->coa->child_state = REQUEST_RUNNING; + request->coa->proxy = rad_alloc(request->coa, false); + if (!request->coa->proxy) { + TALLOC_FREE(request->coa); + return NULL; + } + + return request->coa; +} +#endif + +/* + * Copy a quoted string. + */ +int rad_copy_string(char *to, char const *from) +{ + int length = 0; + char quote = *from; + + do { + if (*from == '\\') { + *(to++) = *(from++); + length++; + } + *(to++) = *(from++); + length++; + } while (*from && (*from != quote)); + + if (*from != quote) return -1; /* not properly quoted */ + + *(to++) = quote; + length++; + *to = '\0'; + + return length; +} + +/* + * Copy a quoted string but without the quotes. The length + * returned is the number of chars written; the number of + * characters consumed is 2 more than this. + */ +int rad_copy_string_bare(char *to, char const *from) +{ + int length = 0; + char quote = *from; + + from++; + while (*from && (*from != quote)) { + if (*from == '\\') { + *(to++) = *(from++); + length++; + } + *(to++) = *(from++); + length++; + } + + if (*from != quote) return -1; /* not properly quoted */ + + *to = '\0'; + + return length; +} + + +/* + * Copy a %{} string. + */ +int rad_copy_variable(char *to, char const *from) +{ + int length = 0; + int sublen; + + *(to++) = *(from++); + length++; + + while (*from) { + switch (*from) { + case '"': + case '\'': + sublen = rad_copy_string(to, from); + if (sublen < 0) return sublen; + from += sublen; + to += sublen; + length += sublen; + break; + + case '}': /* end of variable expansion */ + *(to++) = *(from++); + *to = '\0'; + length++; + return length; /* proper end of variable */ + + case '\\': + *(to++) = *(from++); + *(to++) = *(from++); + length += 2; + break; + + case '%': /* start of variable expansion */ + if (from[1] == '{') { + *(to++) = *(from++); + length++; + + sublen = rad_copy_variable(to, from); + if (sublen < 0) return sublen; + from += sublen; + to += sublen; + length += sublen; + break; + } /* else FIXME: catch %%{ ?*/ + + /* FALL-THROUGH */ + default: + *(to++) = *(from++); + length++; + break; + } + } /* loop over the input string */ + + /* + * We ended the string before a trailing '}' + */ + + return -1; +} + +#ifndef USEC +#define USEC 1000000 +#endif + +uint32_t rad_pps(uint32_t *past, uint32_t *present, time_t *then, struct timeval *now) +{ + uint32_t pps; + + if (*then != now->tv_sec) { + *then = now->tv_sec; + *past = *present; + *present = 0; + } + + /* + * Bootstrap PPS by looking at a percentage of + * the previous PPS. This lets us take a moving + * count, without doing a moving average. If + * we're a fraction "f" (0..1) into the current + * second, we can get a good guess for PPS by + * doing: + * + * PPS = pps_now + pps_old * (1 - f) + * + * It's an instantaneous measurement, rather than + * a moving average. This will hopefully let it + * respond better to sudden spikes. + * + * Doing the calculations by thousands allows us + * to not overflow 2^32, AND to not underflow + * when we divide by USEC. + */ + pps = USEC - now->tv_usec; /* useconds left in previous second */ + pps /= 1000; /* scale to milliseconds */ + pps *= *past; /* multiply by past count to get fraction */ + pps /= 1000; /* scale to usec again */ + pps += *present; /* add in current count */ + + return pps; +} + +/** Split string into words and expand each one + * + * @param request Current request. + * @param cmd string to split. + * @param max_argc the maximum number of arguments to split into. + * @param argv Where to write the pointers into argv_buf. + * @param can_fail If false, stop processing if any of the xlat expansions fail. + * @param argv_buflen size of argv_buf. + * @param argv_buf temporary buffer we used to mangle/expand cmd. + * Pointers to offsets of this buffer will be written to argv. + * @return argc or -1 on failure. + */ + +int rad_expand_xlat(REQUEST *request, char const *cmd, + int max_argc, char const *argv[], bool can_fail, + size_t argv_buflen, char *argv_buf) +{ + char const *from; + char *to; + int argc = -1; + int i; + int left; + + if (strlen(cmd) > (argv_buflen - 1)) { + ERROR("rad_expand_xlat: Command line is too long"); + return -1; + } + + /* + * Check for bad escapes. + */ + if (cmd[strlen(cmd) - 1] == '\\') { + ERROR("rad_expand_xlat: Command line has final backslash, without a following character"); + return -1; + } + + strlcpy(argv_buf, cmd, argv_buflen); + + /* + * Split the string into argv's BEFORE doing radius_xlat... + */ + from = cmd; + to = argv_buf; + argc = 0; + while (*from) { + int length; + + /* + * Skip spaces. + */ + if ((*from == ' ') || (*from == '\t')) { + from++; + continue; + } + + argv[argc] = to; + argc++; + + if (argc >= (max_argc - 1)) break; + + /* + * Copy the argv over to our buffer. + */ + while (*from && (*from != ' ') && (*from != '\t')) { + if (to >= argv_buf + argv_buflen - 1) { + ERROR("rad_expand_xlat: Ran out of space in command line"); + return -1; + } + + switch (*from) { + case '"': + case '\'': + length = rad_copy_string_bare(to, from); + if (length < 0) { + ERROR("rad_expand_xlat: Invalid string passed as argument"); + return -1; + } + from += length+2; + to += length; + break; + + case '%': + if (from[1] == '{') { + *(to++) = *(from++); + + length = rad_copy_variable(to, from); + if (length < 0) { + ERROR("rad_expand_xlat: Invalid variable expansion passed as argument"); + return -1; + } + from += length; + to += length; + } else { /* FIXME: catch %%{ ? */ + *(to++) = *(from++); + } + break; + + case '\\': + if (from[1] == ' ') from++; + /* FALL-THROUGH */ + + default: + *(to++) = *(from++); + } + } /* end of string, or found a space */ + + *(to++) = '\0'; /* terminate the string */ + } + + /* + * We have to have SOMETHING, at least. + */ + if (argc <= 0) { + ERROR("rad_expand_xlat: Empty command line"); + return -1; + } + + /* + * Expand each string, as appropriate. + */ + left = argv_buf + argv_buflen - to; + for (i = 0; i < argc; i++) { + int sublen; + + /* + * Don't touch argv's which won't be translated. + */ + if (strchr(argv[i], '%') == NULL) continue; + + if (!request) continue; + + sublen = radius_xlat(to, left - 1, request, argv[i], NULL, NULL); + if (sublen <= 0) { + if (can_fail) { + /* + * Fail to be backwards compatible. + * + * It's yucky, but it won't break anything, + * and it won't cause security problems. + */ + sublen = 0; + } else { + ERROR("rad_expand_xlat: xlat failed"); + return -1; + } + } + + argv[i] = to; + to += sublen; + *(to++) = '\0'; + left -= sublen; + left--; + + if (left <= 0) { + ERROR("rad_expand_xlat: Ran out of space while expanding arguments"); + return -1; + } + } + argv[argc] = NULL; + + return argc; +} + +#ifndef NDEBUG +/* + * Verify a packet. + */ +static void verify_packet(char const *file, int line, REQUEST *request, RADIUS_PACKET *packet, char const *name) +{ + TALLOC_CTX *parent; + + if (!packet) { + fprintf(stderr, "CONSISTENCY CHECK FAILED %s[%i]: RADIUS_PACKET %s pointer was NULL", file, line, name); + fr_assert(0); + fr_exit_now(0); + } + + parent = talloc_parent(packet); + if (parent != request) { + ERROR("CONSISTENCY CHECK FAILED %s[%i]: Expected RADIUS_PACKET %s to be parented by %p (%s), " + "but parented by %p (%s)", file, line, name, request, talloc_get_name(request), + parent, parent ? talloc_get_name(parent) : "NULL"); + + fr_log_talloc_report(packet); + if (parent) fr_log_talloc_report(parent); + + rad_assert(0); + } + + VERIFY_PACKET(packet); + + if (!packet->vps) return; + +#ifdef WITH_VERIFY_PTR + fr_pair_list_verify(file, line, packet, packet->vps, name); +#endif +} +/* + * Catch horrible talloc errors. + */ +void verify_request(char const *file, int line, REQUEST *request) +{ + if (!request) { + fprintf(stderr, "CONSISTENCY CHECK FAILED %s[%i]: REQUEST pointer was NULL", file, line); + fr_assert(0); + fr_exit_now(0); + } + + (void) talloc_get_type_abort(request, REQUEST); + +#ifdef WITH_VERIFY_PTR + fr_pair_list_verify(file, line, request, request->config, "config"); + fr_pair_list_verify(file, line, request->state_ctx, request->state, "state"); +#endif + + if (request->packet) verify_packet(file, line, request, request->packet, "request"); + if (request->reply) verify_packet(file, line, request, request->reply, "reply"); +#ifdef WITH_PROXY + if (request->proxy) verify_packet(file, line, request, request->proxy, "proxy-request"); + if (request->proxy_reply) verify_packet(file, line, request, request->proxy_reply, "proxy-reply"); +#endif + +#ifdef WITH_COA + if (request->coa) { + void *parent; + + (void) talloc_get_type_abort(request->coa, REQUEST); + parent = talloc_parent(request->coa); + + rad_assert(parent == request); + + verify_request(file, line, request->coa); + } +#endif +} +#endif + +/** Convert mode_t into humanly readable permissions flags + * + * @author Jonathan Leffler. + * + * @param mode to convert. + * @param out Where to write the string to, must be exactly 10 bytes long. + */ +void rad_mode_to_str(char out[10], mode_t mode) +{ + static char const *rwx[] = {"---", "--x", "-w-", "-wx", "r--", "r-x", "rw-", "rwx"}; + + strcpy(&out[0], rwx[(mode >> 6) & 0x07]); + strcpy(&out[3], rwx[(mode >> 3) & 0x07]); + strcpy(&out[6], rwx[(mode & 7)]); + if (mode & S_ISUID) out[2] = (mode & 0100) ? 's' : 'S'; + if (mode & S_ISGID) out[5] = (mode & 0010) ? 's' : 'l'; + if (mode & S_ISVTX) out[8] = (mode & 0100) ? 't' : 'T'; + out[9] = '\0'; +} + +void rad_mode_to_oct(char out[5], mode_t mode) +{ + out[0] = '0' + ((mode >> 9) & 0x07); + out[1] = '0' + ((mode >> 6) & 0x07); + out[2] = '0' + ((mode >> 3) & 0x07); + out[3] = '0' + (mode & 0x07); + out[4] = '\0'; +} + +/** Resolve a uid to a passwd entry + * + * Resolves a uid to a passwd entry. The memory to hold the + * passwd entry is talloced under ctx, and must be freed when no + * longer required. + * + * @param ctx to allocate passwd entry in. + * @param out Where to write pointer to entry. + * @param uid to resolve. + * @return 0 on success, -1 on error. + */ +int rad_getpwuid(TALLOC_CTX *ctx, struct passwd **out, uid_t uid) +{ + static size_t len; + uint8_t *buff; + int ret; + + *out = NULL; + + /* + * We assume this won't change between calls, + * and that the value is the same, so races don't + * matter. + */ + if (len == 0) { +#ifdef _SC_GETPW_R_SIZE_MAX + long int sc_len; + + sc_len = sysconf(_SC_GETPW_R_SIZE_MAX); + if (sc_len <= 0) sc_len = 1024; + len = (size_t)sc_len; +#else + len = 1024; +#endif + } + + buff = talloc_array(ctx, uint8_t, sizeof(struct passwd) + len); + if (!buff) return -1; + + /* + * In some cases we may need to dynamically + * grow the string buffer. + */ + while ((ret = getpwuid_r(uid, (struct passwd *)buff, (char *)(buff + sizeof(struct passwd)), + talloc_array_length(buff) - sizeof(struct passwd), out)) == ERANGE) { + buff = talloc_realloc_size(ctx, buff, talloc_array_length(buff) * 2); + if (!buff) { + talloc_free(buff); + return -1; + } + } + + if ((ret != 0) || !*out) { + fr_strerror_printf("Failed resolving UID: %s", fr_syserror(ret)); + talloc_free(buff); + errno = ret; + return -1; + } + + talloc_set_type(buff, struct passwd); + *out = (struct passwd *)buff; + + return 0; +} + +/** Resolve a username to a passwd entry + * + * Resolves a username to a passwd entry. The memory to hold the + * passwd entry is talloced under ctx, and must be freed when no + * longer required. + * + * @param ctx to allocate passwd entry in. + * @param out Where to write pointer to entry. + * @param name to resolve. + * @return 0 on success, -1 on error. + */ +int rad_getpwnam(TALLOC_CTX *ctx, struct passwd **out, char const *name) +{ + static size_t len; + uint8_t *buff; + int ret; + + *out = NULL; + + /* + * We assume this won't change between calls, + * and that the value is the same, so races don't + * matter. + */ + if (len == 0) { +#ifdef _SC_GETPW_R_SIZE_MAX + long int sc_len; + + sc_len = sysconf(_SC_GETPW_R_SIZE_MAX); + if (sc_len <= 0) sc_len = 1024; + len = (size_t)sc_len; +#else + sc_len = 1024; +#endif + } + + buff = talloc_array(ctx, uint8_t, sizeof(struct passwd) + len); + if (!buff) return -1; + + /* + * In some cases we may need to dynamically + * grow the string buffer. + */ + while ((ret = getpwnam_r(name, (struct passwd *)buff, (char *)(buff + sizeof(struct passwd)), + talloc_array_length(buff) - sizeof(struct passwd), out)) == ERANGE) { + buff = talloc_realloc_size(ctx, buff, talloc_array_length(buff) * 2); + if (!buff) { + talloc_free(buff); + return -1; + } + } + + if ((ret != 0) || !*out) { + fr_strerror_printf("Failed resolving UID: %s", fr_syserror(ret)); + talloc_free(buff); + errno = ret; + return -1; + } + + talloc_set_type(buff, struct passwd); + *out = (struct passwd *)buff; + + return 0; +} + +/** Resolve a gid to a group database entry + * + * Resolves a gid to a group database entry. The memory to hold the + * group entry is talloced under ctx, and must be freed when no + * longer required. + * + * @param ctx to allocate passwd entry in. + * @param out Where to write pointer to entry. + * @param gid to resolve. + * @return 0 on success, -1 on error. + */ +int rad_getgrgid(TALLOC_CTX *ctx, struct group **out, gid_t gid) +{ + static size_t len; + uint8_t *buff; + int ret; + + *out = NULL; + + /* + * We assume this won't change between calls, + * and that the value is the same, so races don't + * matter. + */ + if (len == 0) { +#ifdef _SC_GETGR_R_SIZE_MAX + long int sc_len; + + sc_len = sysconf(_SC_GETGR_R_SIZE_MAX); + if (sc_len <= 0) sc_len = 1024; + len = (size_t)sc_len; +#else + sc_len = 1024; +#endif + } + + buff = talloc_array(ctx, uint8_t, sizeof(struct group) + len); + if (!buff) return -1; + + /* + * In some cases we may need to dynamically + * grow the string buffer. + */ + while ((ret = getgrgid_r(gid, (struct group *)buff, (char *)(buff + sizeof(struct group)), + talloc_array_length(buff) - sizeof(struct group), out)) == ERANGE) { + buff = talloc_realloc_size(ctx, buff, talloc_array_length(buff) * 2); + if (!buff) { + talloc_free(buff); + return -1; + } + } + + if ((ret != 0) || !*out) { + fr_strerror_printf("Failed resolving GID: %s", fr_syserror(ret)); + talloc_free(buff); + errno = ret; + return -1; + } + + talloc_set_type(buff, struct group); + *out = (struct group *)buff; + + return 0; +} + +/** Resolve a group name to a group database entry + * + * Resolves a group name to a group database entry. + * The memory to hold the group entry is talloced under ctx, + * and must be freed when no longer required. + * + * @param ctx to allocate passwd entry in. + * @param out Where to write pointer to entry. + * @param name to resolve. + * @return 0 on success, -1 on error. + */ +int rad_getgrnam(TALLOC_CTX *ctx, struct group **out, char const *name) +{ + static size_t len; + uint8_t *buff; + int ret; + + *out = NULL; + + /* + * We assume this won't change between calls, + * and that the value is the same, so races don't + * matter. + */ + if (len == 0) { +#ifdef _SC_GETGR_R_SIZE_MAX + long int sc_len; + + sc_len = sysconf(_SC_GETGR_R_SIZE_MAX); + if (sc_len <= 0) sc_len = 1024; + len = (size_t)sc_len; +#else + len = 1024; +#endif + } + + buff = talloc_array(ctx, uint8_t, sizeof(struct group) + len); + if (!buff) return -1; + + /* + * In some cases we may need to dynamically + * grow the string buffer. + */ + while ((ret = getgrnam_r(name, (struct group *)buff, (char *)(buff + sizeof(struct group)), + talloc_array_length(buff) - sizeof(struct group), out)) == ERANGE) { + buff = talloc_realloc_size(ctx, buff, talloc_array_length(buff) * 2); + if (!buff) { + talloc_free(buff); + return -1; + } + } + + if ((ret != 0) || !*out) { + fr_strerror_printf("Failed resolving GID: %s", fr_syserror(ret)); + talloc_free(buff); + errno = ret; + return -1; + } + + talloc_set_type(buff, struct group); + *out = (struct group *)buff; + + return 0; +} + +/** Resolve a group name to a GID + * + * @param ctx TALLOC_CTX for temporary allocations. + * @param name of group. + * @param out where to write gid. + * @return 0 on success, -1 on error; + */ +int rad_getgid(TALLOC_CTX *ctx, gid_t *out, char const *name) +{ + int ret; + struct group *result; + + ret = rad_getgrnam(ctx, &result, name); + if (ret < 0) return -1; + + *out = result->gr_gid; + talloc_free(result); + return 0; +} + +/** Print uid to a string + * + * @note The reason for taking a fixed buffer is pure laziness. + * It means the caller doesn't have to free the string. + * + * @note Will always \0 terminate the buffer, even on error. + * + * @param ctx TALLOC_CTX for temporary allocations. + * @param out Where to write the uid string. + * @param outlen length of output buffer. + * @param uid to resolve. + * @return 0 on success, -1 on failure. + */ +int rad_prints_uid(TALLOC_CTX *ctx, char *out, size_t outlen, uid_t uid) +{ + struct passwd *result; + + rad_assert(outlen > 0); + + *out = '\0'; + + if (rad_getpwuid(ctx, &result, uid) < 0) return -1; + strlcpy(out, result->pw_name, outlen); + talloc_free(result); + + return 0; +} + +/** Print gid to a string + * + * @note The reason for taking a fixed buffer is pure laziness. + * It means the caller doesn't have to free the string. + * + * @note Will always \0 terminate the buffer, even on error. + * + * @param ctx TALLOC_CTX for temporary allocations. + * @param out Where to write the uid string. + * @param outlen length of output buffer. + * @param gid to resolve. + * @return 0 on success, -1 on failure. + */ +int rad_prints_gid(TALLOC_CTX *ctx, char *out, size_t outlen, gid_t gid) +{ + struct group *result; + + rad_assert(outlen > 0); + + *out = '\0'; + + if (rad_getgrgid(ctx, &result, gid) < 0) return -1; + strlcpy(out, result->gr_name, outlen); + talloc_free(result); + + return 0; +} + +#ifdef HAVE_SETUID +static bool doing_setuid = false; +static uid_t suid_down_uid = (uid_t)-1; + +/** Set the uid and gid used when dropping privileges + * + * @note if this function hasn't been called, rad_suid_down will have no effect. + * + * @param uid to drop down to. + */ +void rad_suid_set_down_uid(uid_t uid) +{ + suid_down_uid = uid; + doing_setuid = true; +} + +# if defined(HAVE_SETRESUID) && defined (HAVE_GETRESUID) +void rad_suid_up(void) +{ + uid_t ruid, euid, suid; + + if (getresuid(&ruid, &euid, &suid) < 0) { + ERROR("Failed getting saved UID's"); + fr_exit_now(1); + } + + if (setresuid(-1, suid, -1) < 0) { + ERROR("Failed switching to privileged user"); + fr_exit_now(1); + } + + if (geteuid() != suid) { + ERROR("Switched to unknown UID"); + fr_exit_now(1); + } +} + +void rad_suid_down(void) +{ + if (!doing_setuid) return; + + if (setresuid(-1, suid_down_uid, geteuid()) < 0) { + struct passwd *passwd; + char const *name; + + name = (rad_getpwuid(NULL, &passwd, suid_down_uid) < 0) ? "unknown" : passwd->pw_name; + ERROR("Failed switching to uid %s: %s", name, fr_syserror(errno)); + talloc_free(passwd); + fr_exit_now(1); + } + + if (geteuid() != suid_down_uid) { + ERROR("Failed switching uid: UID is incorrect"); + fr_exit_now(1); + } + + fr_reset_dumpable(); +} + +void rad_suid_down_permanent(void) +{ + if (!doing_setuid) return; + + if (setresuid(suid_down_uid, suid_down_uid, suid_down_uid) < 0) { + struct passwd *passwd; + char const *name; + + name = (rad_getpwuid(NULL, &passwd, suid_down_uid) < 0) ? "unknown" : passwd->pw_name; + ERROR("Failed in permanent switch to uid %s: %s", name, fr_syserror(errno)); + talloc_free(passwd); + fr_exit_now(1); + } + + if (geteuid() != suid_down_uid) { + ERROR("Switched to unknown uid"); + fr_exit_now(1); + } + + fr_reset_dumpable(); +} +# else +/* + * Much less secure... + */ +void rad_suid_up(void) +{ + if (!doing_setuid) return; + + if (seteuid(0) < 0) { + ERROR("Failed switching up to euid 0: %s", fr_syserror(errno)); + fr_exit_now(1); + } + +} + +void rad_suid_down(void) +{ + if (!doing_setuid) return; + + if (geteuid() == suid_down_uid) return; + + if (seteuid(suid_down_uid) < 0) { + struct passwd *passwd; + char const *name; + + name = (rad_getpwuid(NULL, &passwd, suid_down_uid) < 0) ? "unknown": passwd->pw_name; + ERROR("Failed switching to euid %s: %s", name, fr_syserror(errno)); + talloc_free(passwd); + fr_exit_now(1); + } + + fr_reset_dumpable(); +} + +void rad_suid_down_permanent(void) +{ + if (!doing_setuid) return; + + /* + * Already done. Don't do anything else. + */ + if (getuid() == suid_down_uid) return; + + /* + * We're root, but running as a normal user. Fix that, + * so we can call setuid(). + */ + if (geteuid() == suid_down_uid) { + rad_suid_up(); + } + + if (setuid(suid_down_uid) < 0) { + struct passwd *passwd; + char const *name; + + name = (rad_getpwuid(NULL, &passwd, suid_down_uid) < 0) ? "unknown": passwd->pw_name; + ERROR("Failed switching permanently to uid %s: %s", name, fr_syserror(errno)); + talloc_free(passwd); + fr_exit_now(1); + } + + fr_reset_dumpable(); +} +# endif /* HAVE_SETRESUID && HAVE_GETRESUID */ +#else /* HAVE_SETUID */ +void rad_suid_set_down_uid(uid_t uid) +{ +} +void rad_suid_up(void) +{ +} +void rad_suid_down(void) +{ + fr_reset_dumpable(); +} +void rad_suid_down_permanent(void) +{ + fr_reset_dumpable(); +} +#endif /* HAVE_SETUID */ + +/** Alter the effective user id + * + * @param uid to set + * @return 0 on success -1 on failure. + */ +int rad_seuid(uid_t uid) +{ + if (seteuid(uid) < 0) { + struct passwd *passwd; + + if (rad_getpwuid(NULL, &passwd, uid) < 0) return -1; + fr_strerror_printf("Failed setting euid to %s", passwd->pw_name); + talloc_free(passwd); + + return -1; + } + return 0; +} + +/** Alter the effective user id + * + * @param gid to set + * @return 0 on success -1 on failure. + */ +int rad_segid(gid_t gid) +{ + if (setegid(gid) < 0) { + struct group *group; + + if (rad_getgrgid(NULL, &group, gid) < 0) return -1; + fr_strerror_printf("Failed setting egid to %s", group->gr_name); + talloc_free(group); + + return -1; + } + return 0; +} + +/** Determine the elapsed time between two timevals + * + * @param end timeval nearest to the present + * @param start timeval furthest from the present + * @param elapsed Where to write the elapsed time + */ +void rad_tv_sub(struct timeval const *end, struct timeval const *start, struct timeval *elapsed) +{ + elapsed->tv_sec = end->tv_sec - start->tv_sec; + if (elapsed->tv_sec > 0) { + elapsed->tv_sec--; + elapsed->tv_usec = USEC; + } else { + elapsed->tv_usec = 0; + } + elapsed->tv_usec += end->tv_usec; + elapsed->tv_usec -= start->tv_usec; + + if (elapsed->tv_usec >= USEC) { + elapsed->tv_usec -= USEC; + elapsed->tv_sec++; + } +} |