[become] / src / check.c

/* -*-c-*-
 *
 * $Id: check.c,v 1.12 2003/11/29 23:39:16 mdw Exp $
 *
 * Check validity of requests
 *
 * (c) 1998 EBI
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of `become'
 *
 * `Become' is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * `Become' is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with `become'; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------*
 *
 * $Log: check.c,v $
 * Revision 1.12  2003/11/29 23:39:16  mdw
 * Debianization.
 *
 * Revision 1.11  2003/10/12 00:14:55  mdw
 * Major overhaul.  Now uses DSA signatures rather than the bogus symmetric
 * encrypt-and-hope thing.  Integrated with mLib and Catacomb.
 *
 * Revision 1.10  1999/05/04 16:17:12  mdw
 * Change to header file name for parser.  See log for `parse.h' for
 * details.
 *
 * Revision 1.9  1998/06/19  13:48:16  mdw
 * Set close-on-exec flag for UDP socket.
 *
 * Revision 1.8  1998/06/18 15:10:44  mdw
 * SECURITY HOLE: the file descriptor for the secret key was left open and
 * inherited by the target process.  This is now fixed.  Also set
 * close-on-exec flags on key file, close config file carefully, and close
 * UDP socket after receiving reply from server.
 *
 * Revision 1.7  1998/04/23 13:22:08  mdw
 * Support no-network configuration option, and new interface to
 * configuration file parser.
 *
 * Revision 1.6  1998/01/12 16:45:47  mdw
 * Fix copyright date.
 *
 * Revision 1.5  1997/09/26 09:14:58  mdw
 * Merged blowfish branch into trunk.
 *
 * Revision 1.4.2.1  1997/09/26 09:08:01  mdw
 * Use the Blowfish encryption algorithm instead of IDEA.  This is partly
 * because I prefer Blowfish (without any particularly strong evidence) but
 * mainly because IDEA is patented and Blowfish isn't.
 *
 * Revision 1.4  1997/08/07 09:52:05  mdw
 * (Log entry for previous version is bogus.)  Added support for multiple
 * servers.
 *
 * Revision 1.2  1997/08/04 10:24:20  mdw
 * Sources placed under CVS control.
 *
 * Revision 1.1  1997/07/21  13:47:53  mdw
 * Initial revision
 *
 */

/*----- Header files ------------------------------------------------------*/

/* --- ANSI headers --- */

#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* --- Unix headers --- */

#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <fcntl.h>
#include <netdb.h>
#include <unistd.h>

/* --- mLib headers --- */

#include <mLib/alloc.h>
#include <mLib/quis.h>
#include <mLib/report.h>
#include <mLib/sym.h>
#include <mLib/trace.h>

/* --- Catacomb headers --- */

#include <catacomb/buf.h>
#include <catacomb/dsa.h>
#include <catacomb/key.h>
#include <catacomb/mp.h>
#include <catacomb/noise.h>
#include <catacomb/rand.h>
#include <catacomb/sha.h>

/* --- Local headers --- */

#include "become.h"
#include "config.h"
#include "lexer.h"
#include "name.h"
#include "netg.h"
#include "rule.h"
#include "parse.h"
#include "userdb.h"

/*----- Client-end network support ----------------------------------------*/

#ifndef NONETWORK

/* --- @check__send@ --- *
 *
 * Arguments:	@char *buf@ = pointer to encrypted request
 *		@size_t sz@ = size of request
 *		@int fd@ = socket to send from
 *		@struct sockaddr_in *serv@ = pointer to table of servers
 *		@size_t n_serv@ = number of servers
 *
 * Returns:	---
 *
 * Use:		Sends the request packet to the list of servers.  If the
 *		message couldn't be sent to any of them, an error is
 *		reported.
 */

static void check__send(char *buf, size_t sz, int fd,
			struct sockaddr_in *serv, size_t n_serv)
{
  size_t i;
  int ok = 0;
  int err = 0;

  for (i = 0; i < n_serv; i++) {
    if (sendto(fd, buf, sz, 0,
	       (struct sockaddr *)(serv + i), sizeof(serv[i])) < 0) {
      T( trace(TRACE_CLIENT, "client: send to %s failed: %s",
	       inet_ntoa(serv[i].sin_addr), strerror(errno)); )
      err = errno;
    } else
      ok = 1;
  }

  if (!ok)
    die(1, "couldn't send request to server: %s", strerror(err));
}

/* --- @check__ask@ --- *
 *
 * Arguments:	@request *rq@ = pointer to request buffer
 *		@struct sockaddr_in *serv@ = pointer to table of servers
 *		@size_t n_serv@ = number of servers
 *
 * Returns:	Nonzero if OK, zero if forbidden
 *
 * Use:		Contacts a number of servers to decide whether the request
 *		is OK.
 */

static int check__ask(request *rq, struct sockaddr_in *serv, size_t n_serv)
{
  static int tbl[] = { 0, 5, 10, 20, -1 };

  char buff[2048], rbuff[2048];
  size_t rqlen;
  octet hmsg[SHA_HASHSZ];
  octet h[SHA_HASHSZ];
  key_packstruct kps[DSA_PUBFETCHSZ];
  key_packdef *kp;
  dsa_pub kpub;
  buf b;
  sha_ctx hc;
  int fd;
  struct sockaddr_in sin;
  socklen_t slen;
  ssize_t sz;
  int ans;
  fd_set fds;
  struct timeval start, now, tv;
  mp *m, *r, *s;
  key_file f;
  key *k;
  key_iter ki;
  int ind;
  size_t i;

  /* --- Open the public keyring --- */

  if ((key_open(&f, file_PUBKEY, KOPEN_READ, key_moan, 0)) != 0)
    die(1, "couldn't open public keyring");
  kp = key_fetchinit(dsa_pubfetch, kps, &kpub);

  /* --- Build the request packet --- */

  rand_noisesrc(RAND_GLOBAL, &noise_source);
  rand_seed(RAND_GLOBAL, 160);
  buf_init(&b, buff, sizeof(buff));
  rand_get(RAND_GLOBAL, buf_get(&b, SHA_HASHSZ), SHA_HASHSZ);
  buf_putu32(&b, rq->from);
  buf_putu32(&b, rq->to);
  buf_putu16(&b, strlen(rq->cmd));
  buf_put(&b, rq->cmd, strlen(rq->cmd));
  rqlen = BLEN(&b);
  sha_init(&hc);
  sha_hash(&hc, buff, rqlen);
  sha_done(&hc, hmsg);

  /* --- Create my socket --- */

  if ((fd = socket(PF_INET, SOCK_DGRAM, 0)) < 0)
    die(1, "couldn't create socket: %s", strerror(errno));
  if (fcntl(fd, F_SETFD, 1) < 0)
    die(1, "couldn't set close-on-exec flag for socket: %s", strerror(errno));

  /* --- Bind myself to some address --- */

  sin.sin_family = AF_INET;
  sin.sin_port = 0;
  sin.sin_addr.s_addr = htonl(INADDR_ANY);

  if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0)
    die(1, "couldn't bind socket to address: %s", strerror(errno));

  /* --- Find out when we are --- */

  gettimeofday(&start, 0);
  ind = 0;

  /* --- Now loop until everything's done --- */

  for (;;) {
    gettimeofday(&now, 0);

    /* --- If the current timer has expired, find one that hasn't --- *
     *
     * Also resend the request after I've found a timer which is still
     * extant.  If there aren't any, report an error.
     */

    if (now.tv_sec >= start.tv_sec + tbl[ind] &&
	now.tv_usec >= start.tv_usec) {
      do {
	ind++;
	if (tbl[ind] < 0)
	  die(1, "no reply from servers");
      } while (now.tv_sec >= start.tv_sec + tbl[ind] &&
	       now.tv_usec >= start.tv_usec);
      check__send(buff, rqlen, fd, serv, n_serv);
      T( trace(TRACE_CLIENT, "client: send request to servers"); )
    }

    /* --- Now wait for a packet to arrive --- */

    if (now.tv_usec > start.tv_usec) {
      now.tv_usec -= 1000000;
      now.tv_sec += 1;
    }
    tv.tv_sec = start.tv_sec + tbl[ind] - now.tv_sec;
    tv.tv_usec = start.tv_usec - now.tv_usec;

    /* --- Sort out file descriptors to watch --- */

    FD_ZERO(&fds);
    FD_SET(fd, &fds);

    /* --- Wait for them --- */

    i = select(FD_SETSIZE, &fds, 0, 0, &tv);
    if (i == 0 || (i < 0 && errno == EINTR))
      continue;
    if (i < 0)
      die(1, "error waiting for reply: %s", strerror(errno));

    /* --- Read the reply data --- */

    slen = sizeof(sin);
    if ((sz = recvfrom(fd, (char *)rbuff, sizeof(rbuff), 0,
		       (struct sockaddr *)&sin, &slen)) < 0)
      die(1, "error reading server's reply: %s", strerror(errno));

    IF_TRACING(TRACE_CLIENT, {
      struct hostent *h = gethostbyaddr((char *)&sin.sin_addr,
					sizeof(sin.sin_addr), AF_INET);
      trace(TRACE_CLIENT, "client: reply received from %s port %i",
	    h ? h->h_name : inet_ntoa(sin.sin_addr),
	    ntohs(sin.sin_port));
    })

    /* --- Verify the sender --- *
     *
     * This is more to avoid confusion than for security: an active
     * attacker is quite capable of forging the source address.  We rely
     * on the signature in the reply packet for authentication.
     */

    for (i = 0; i < n_serv; i++) {
      if (sin.sin_addr.s_addr == serv[i].sin_addr.s_addr &&
	  sin.sin_port == serv[i].sin_port)
	break;
    }
    if (i >= n_serv) {
      T( trace(TRACE_CLIENT, "client: reply from unknown host"); )
      continue;
    }

    /* --- Unpack and verify the response --- */

    buf_init(&b, rbuff, sz);
    if (buf_ensure(&b, sizeof(hmsg))) goto bad;
    if (memcmp(BCUR(&b), hmsg, sizeof(hmsg)) != 0) goto bad;
    BSTEP(&b, sizeof(hmsg));
    if ((ans = buf_getbyte(&b)) < 0) goto bad;

    sha_init(&hc);
    sha_hash(&hc, BBASE(&b), BLEN(&b));
    sha_done(&hc, h);
    if ((r = buf_getmp(&b)) == 0 || (s = buf_getmp(&b)) == 0) goto bad;
    m = mp_loadb(MP_NEW, h, sizeof(h));

    key_mkiter(&ki, &f);
    while ((k = key_next(&ki)) != 0) {
      if (key_expired(k)) continue;
      if (strcmp(k->type, "become-dsa") != 0) continue;
      if (key_fetch(kp, k)) continue;
      i = dsa_vrfy(&kpub.dp, kpub.y, m, r, s);
      dsa_pubfree(&kpub);
      if (i) {
	key_fetchdone(kp);
	key_close(&f);
	close(fd);
	mp_drop(m);
	mp_drop(r);
	mp_drop(s);
	return (ans);
      }
    }
    
  bad:
    T( trace(TRACE_CLIENT,
	     "client: invalid or corrupt reply packet"); )
  }

  die(1, "internal error: can't get here in check__ask");
  return (0);
}

/* --- @check__client@ --- *
 *
 * Arguments:	@request *rq@ = pointer to a request block
 *		@FILE *fp@ = file containing server configuration
 *
 * Returns:	Nonzero if OK, zero if forbidden
 *
 * Use:		Asks one or several servers whether a request is acceptable.
 */

int check__client(request *rq, FILE *fp)
{
  /* --- Format of the file --- *
   *
   * The `servers' file contains entries of the form
   *
   *    %%\syntax{<host> [`:' <port>]}%%
   *
   * separates by whitespace.  I build them all into an array of socket
   * addresses and pass the whole lot to another function.
   */

  struct sockaddr_in *serv;		/* Array of servers */
  size_t n_serv, max_serv;		/* Number and maximum number */

  /* --- Initialise the server array --- */

  T( trace(TRACE_CLIENT, "client: reading server definitions"); )
  n_serv = 0; max_serv = 4;		/* Four seems reasonable */
  serv = xmalloc(sizeof(*serv) * max_serv);

  /* --- Start reading the file --- */

  {
    char buff[256], *p, *l;		/* A buffer and pointers for it */
    int port;				/* Default port for servers */
    int state;				/* Current parser state */
    struct in_addr t_host;		/* Temp place for an address*/
    int t_port;				/* Temp place for a port */
    int ch;				/* The current character */

    /* --- Parser states --- */

    enum {
      st_start,				/* Waiting to begin */
      st_host,				/* Reading a new hostname */
      st_colon,				/* Expecting a colon, maybe */
      st_preport,			/* Waiting before reading port */
      st_port,				/* Reading a port number */
      st_commit,			/* Commit a newly read server */
      st_done				/* Finished reading the file */
    };

    /* --- Find a default port --- */

    {
      struct servent *s = getservbyname(quis(), "udp");
      port = (s ? s->s_port : htons(SERVER_PORT));
    }

    /* --- Initialise for scanning the file --- */

    state = st_host;
    p = buff;
    l = buff + sizeof(buff);
    t_port = port;
    ch = getc(fp);

    /* --- Go for it --- */

    while (state != st_done) {
      switch (state) {

	/* --- Initial whitespace before hostname --- */

	case st_start:
	  if (ch == EOF)
	    state = st_done;
	  else if (isspace((unsigned char)ch))
	    ch = getc(fp);
	  else
	    state = st_host;
	  break;

	/* --- Read a host name --- */

	case st_host:
	  if (p == l)
	    die(1, "string too long in `" file_SERVER "'");
	  if (ch != EOF && !isspace((unsigned char)ch) && ch != ':') {
	    *p++ = ch;
	    ch = getc(fp);
	  } else {
	    struct hostent *h;

	    *p++ = 0;
	    if ((h = gethostbyname(buff)) == 0)
	      die(1, "unknown host `%s' in `" file_SERVER "'", buff);
	    memcpy(&t_host, h->h_addr, sizeof(t_host));
	    state = st_colon;
	  }
	  break;

	/* --- Waiting for a colon coming up --- */

	case st_colon:
	  if (ch == EOF)
	    state = st_commit;
	  else if (isspace((unsigned char)ch))
	    ch = getc(fp);
	  else if (ch == ':') {
	    state = st_preport;
	    ch = getc(fp);
	  }
	  else
	    state = st_commit;
	  break;

	/* --- Clearing whitespace before a port number --- */

	case st_preport:
	  if (ch == EOF)
	    state = st_commit;
	  else if (isspace((unsigned char)ch))
	    ch = getc(fp);
	  else {
	    state = st_port;
	    p = buff;
	  }
	  break;

	/* --- Read a port number --- */

	case st_port:
	  if (p == l)
	    die(1, "string too long in `" file_SERVER "'");
	  if (ch != EOF && !isspace((unsigned char)ch) && ch != ':') {
	    *p++ = ch;
	    ch = getc(fp);
	  } else {
	    struct servent *s;

	    *p++ = 0;
	    s = getservbyname(buff, "udp");
	    if (!s && isdigit((unsigned char)buff[0]))
	      t_port = htons(atoi(buff));
	    else if (!s)
	      die(1, "unknown service `%s' in `" file_SERVER "'", buff);
	    else
	      t_port = s->s_port;
	    state = st_commit;
	  }
	  break;

	/* --- A server has been read successfully --- */

	case st_commit:
	  if (n_serv == max_serv) {
	    max_serv *= 2;
	    serv = xrealloc(serv, n_serv * sizeof(*serv),
			    max_serv * sizeof(*serv));
	  }
	  serv[n_serv].sin_family = AF_INET;
	  serv[n_serv].sin_addr = t_host;
	  serv[n_serv].sin_port = t_port;
	  n_serv++;
	  state = st_start;
	  p = buff;
	  t_port = port;
	  break;

	/* --- A safety net for a broken parser --- */

	default:
	  die(1, "internal error: can't get here in check__client");
	  break;	  
      }
    }
  }

  fclose(fp);

  /* --- Now start sending requests --- */

  if (!n_serv)
    die(1, "no servers specified in `" file_SERVER "'");

  IF_TRACING(TRACE_CLIENT, {
    size_t i;

    for (i = 0; i < n_serv; i++) {
      trace(TRACE_CLIENT, "client: server %s port %i",
	    inet_ntoa(serv[i].sin_addr), ntohs(serv[i].sin_port));
    }
  })
  return (check__ask(rq, serv, n_serv));
}

#endif

/*----- Main checking function --------------------------------------------*/

/* --- @check@ --- *
 *
 * Arguments:	@request *rq@ = pointer to request buffer
 *
 * Returns:	Nonzero if OK, zero if forbidden
 *
 * Use:		Checks to see if the request is acceptable.
 */

int check(request *rq)
{
  FILE *fp;

  /* --- Check if we need to talk to a server --- */

#ifndef NONETWORK
  if ((fp = fopen(file_SERVER, "r")) != 0)
    return (check__client(rq, fp));
#endif

  /* --- Otherwise do this all the old-fashioned way --- */

  if ((fp = fopen(file_RULES, "r")) == 0) {
    die(1, "couldn't read configuration file `%s': %s",
	file_RULES, strerror(errno));
  }

  userdb_init();
  userdb_local();
  userdb_yp();
  netg_init();
  name_init();
  rule_init();
  lexer_scan(fp);
  parse();
  fclose(fp);

  return (rule_check(rq));
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
c4f2d992	1	/* --c--
c4f2d992	2	*
b0f66028	3	* $Id: check.c,v 1.12 2003/11/29 23:39:16 mdw Exp $
c4f2d992	4	*
	5	* Check validity of requests
	6	*
c758e654	7	* (c) 1998 EBI
c4f2d992	8	*/
c4f2d992	9
03f996bd	10	/----- Licensing notice --------------------------------------------------
c4f2d992	11	*
	12	* This file is part of `become'
	13	*
	14	* `Become' is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU General Public License as published by
	16	* the Free Software Foundation; either version 2 of the License, or
	17	* (at your option) any later version.
	18	*
	19	* `Become' is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU General Public License for more details.
	23	*
	24	* You should have received a copy of the GNU General Public License
03f996bd	25	* along with `become'; if not, write to the Free Software Foundation,
03f996bd	26	* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
c4f2d992	27	*/
	28
	29	/----- Revision history --------------------------------------------------
	30	*
	31	* $Log: check.c,v $
b0f66028	32	* Revision 1.12 2003/11/29 23:39:16 mdw
	33	* Debianization.
	34	*
f60a3434	35	* Revision 1.11 2003/10/12 00:14:55 mdw
	36	* Major overhaul. Now uses DSA signatures rather than the bogus symmetric
	37	* encrypt-and-hope thing. Integrated with mLib and Catacomb.
	38	*
79fae27d	39	* Revision 1.10 1999/05/04 16:17:12 mdw
	40	* Change to header file name for parser. See log for `parse.h' for
	41	* details.
	42	*
	43	* Revision 1.9 1998/06/19 13:48:16 mdw
9739ca83	44	* Set close-on-exec flag for UDP socket.
9739ca83	45	*
ff2d3282	46	* Revision 1.8 1998/06/18 15:10:44 mdw
	47	* SECURITY HOLE: the file descriptor for the secret key was left open and
	48	* inherited by the target process. This is now fixed. Also set
	49	* close-on-exec flags on key file, close config file carefully, and close
	50	* UDP socket after receiving reply from server.
	51	*
318c0b91	52	* Revision 1.7 1998/04/23 13:22:08 mdw
	53	* Support no-network configuration option, and new interface to
	54	* configuration file parser.
	55	*
c758e654	56	* Revision 1.6 1998/01/12 16:45:47 mdw
	57	* Fix copyright date.
	58	*
9e5602f0	59	* Revision 1.5 1997/09/26 09:14:58 mdw
	60	* Merged blowfish branch into trunk.
	61	*
	62	* Revision 1.4.2.1 1997/09/26 09:08:01 mdw
	63	* Use the Blowfish encryption algorithm instead of IDEA. This is partly
	64	* because I prefer Blowfish (without any particularly strong evidence) but
	65	* mainly because IDEA is patented and Blowfish isn't.
	66	*
27d7bfc2	67	* Revision 1.4 1997/08/07 09:52:05 mdw
	68	* (Log entry for previous version is bogus.) Added support for multiple
	69	* servers.
607937a4	70	*
03f996bd	71	* Revision 1.2 1997/08/04 10:24:20 mdw
	72	* Sources placed under CVS control.
	73	*
	74	* Revision 1.1 1997/07/21 13:47:53 mdw
c4f2d992	75	* Initial revision
	76	*
	77	*/
	78
	79	/----- Header files ------------------------------------------------------/
	80
	81	/* --- ANSI headers --- */
	82
	83	#include <ctype.h>
	84	#include <errno.h>
	85	#include <stdio.h>
	86	#include <stdlib.h>
	87	#include <string.h>
	88	#include <time.h>
	89
	90	/* --- Unix headers --- */
	91
	92	#include <sys/time.h>
	93	#include <sys/types.h>
	94	#include <sys/socket.h>
	95
	96	#include <netinet/in.h>
	97
	98	#include <arpa/inet.h>
	99
ff2d3282	100	#include <fcntl.h>
c4f2d992	101	#include <netdb.h>
	102	#include <unistd.h>
	103
f60a3434	104	/* --- mLib headers --- */
	105
	106	#include <mLib/alloc.h>
	107	#include <mLib/quis.h>
	108	#include <mLib/report.h>
	109	#include <mLib/sym.h>
	110	#include <mLib/trace.h>
	111
	112	/* --- Catacomb headers --- */
	113
	114	#include <catacomb/buf.h>
	115	#include <catacomb/dsa.h>
	116	#include <catacomb/key.h>
	117	#include <catacomb/mp.h>
	118	#include <catacomb/noise.h>
	119	#include <catacomb/rand.h>
	120	#include <catacomb/sha.h>
	121
c4f2d992	122	/* --- Local headers --- */
	123
	124	#include "become.h"
	125	#include "config.h"
c4f2d992	126	#include "lexer.h"
c4f2d992	127	#include "name.h"
607937a4	128	#include "netg.h"
c4f2d992	129	#include "rule.h"
79fae27d	130	#include "parse.h"
03f996bd	131	#include "userdb.h"
c4f2d992	132
318c0b91	133	/----- Client-end network support ----------------------------------------/
	134
	135	#ifndef NONETWORK
c4f2d992	136
03f996bd	137	/* --- @check__send@ --- *
03f996bd	138	*
f60a3434	139	* Arguments: @char *buf@ = pointer to encrypted request
f60a3434	140	* @size_t sz@ = size of request
03f996bd	141	* @int fd@ = socket to send from
	142	* @struct sockaddr_in *serv@ = pointer to table of servers
	143	* @size_t n_serv@ = number of servers
	144	*
	145	* Returns: ---
	146	*
	147	* Use: Sends the request packet to the list of servers. If the
	148	* message couldn't be sent to any of them, an error is
	149	* reported.
	150	*/
	151
f60a3434	152	static void check__send(char *buf, size_t sz, int fd,
03f996bd	153	struct sockaddr_in *serv, size_t n_serv)
	154	{
	155	size_t i;
	156	int ok = 0;
	157	int err = 0;
	158
	159	for (i = 0; i < n_serv; i++) {
f60a3434	160	if (sendto(fd, buf, sz, 0,
03f996bd	161	(struct sockaddr *)(serv + i), sizeof(serv[i])) < 0) {
	162	T( trace(TRACE_CLIENT, "client: send to %s failed: %s",
	163	inet_ntoa(serv[i].sin_addr), strerror(errno)); )
	164	err = errno;
	165	} else
	166	ok = 1;
	167	}
	168
	169	if (!ok)
f60a3434	170	die(1, "couldn't send request to server: %s", strerror(err));
03f996bd	171	}
	172
	173	/* --- @check__ask@ --- *
c4f2d992	174	*
c4f2d992	175	* Arguments: @request *rq@ = pointer to request buffer
03f996bd	176	* @struct sockaddr_in *serv@ = pointer to table of servers
03f996bd	177	* @size_t n_serv@ = number of servers
c4f2d992	178	*
	179	* Returns: Nonzero if OK, zero if forbidden
	180	*
03f996bd	181	* Use: Contacts a number of servers to decide whether the request
03f996bd	182	* is OK.
c4f2d992	183	*/
c4f2d992	184
03f996bd	185	static int check__ask(request rq, struct sockaddr_in serv, size_t n_serv)
c4f2d992	186	{
f60a3434	187	static int tbl[] = { 0, 5, 10, 20, -1 };
	188
	189	char buff[2048], rbuff[2048];
	190	size_t rqlen;
	191	octet hmsg[SHA_HASHSZ];
	192	octet h[SHA_HASHSZ];
	193	key_packstruct kps[DSA_PUBFETCHSZ];
	194	key_packdef *kp;
	195	dsa_pub kpub;
	196	buf b;
	197	sha_ctx hc;
c4f2d992	198	int fd;
f60a3434	199	struct sockaddr_in sin;
	200	socklen_t slen;
	201	ssize_t sz;
	202	int ans;
	203	fd_set fds;
	204	struct timeval start, now, tv;
	205	mp m, r, *s;
	206	key_file f;
	207	key *k;
	208	key_iter ki;
	209	int ind;
	210	size_t i;
c4f2d992	211
f60a3434	212	/* --- Open the public keyring --- */
c4f2d992	213
f60a3434	214	if ((key_open(&f, file_PUBKEY, KOPEN_READ, key_moan, 0)) != 0)
	215	die(1, "couldn't open public keyring");
	216	kp = key_fetchinit(dsa_pubfetch, kps, &kpub);
c4f2d992	217
f60a3434	218	/* --- Build the request packet --- */
c4f2d992	219
f60a3434	220	rand_noisesrc(RAND_GLOBAL, &noise_source);
	221	rand_seed(RAND_GLOBAL, 160);
	222	buf_init(&b, buff, sizeof(buff));
	223	rand_get(RAND_GLOBAL, buf_get(&b, SHA_HASHSZ), SHA_HASHSZ);
	224	buf_putu32(&b, rq->from);
	225	buf_putu32(&b, rq->to);
	226	buf_putu16(&b, strlen(rq->cmd));
	227	buf_put(&b, rq->cmd, strlen(rq->cmd));
	228	rqlen = BLEN(&b);
	229	sha_init(&hc);
	230	sha_hash(&hc, buff, rqlen);
	231	sha_done(&hc, hmsg);
c4f2d992	232
03f996bd	233	/* --- Create my socket --- */
c4f2d992	234
f60a3434	235	if ((fd = socket(PF_INET, SOCK_DGRAM, 0)) < 0)
	236	die(1, "couldn't create socket: %s", strerror(errno));
	237	if (fcntl(fd, F_SETFD, 1) < 0)
	238	die(1, "couldn't set close-on-exec flag for socket: %s", strerror(errno));
c4f2d992	239
f60a3434	240	/* --- Bind myself to some address --- */
c4f2d992	241
f60a3434	242	sin.sin_family = AF_INET;
	243	sin.sin_port = 0;
	244	sin.sin_addr.s_addr = htonl(INADDR_ANY);
c4f2d992	245
f60a3434	246	if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0)
f60a3434	247	die(1, "couldn't bind socket to address: %s", strerror(errno));
c4f2d992	248
f60a3434	249	/* --- Find out when we are --- */
c4f2d992	250
f60a3434	251	gettimeofday(&start, 0);
f60a3434	252	ind = 0;
c4f2d992	253
f60a3434	254	/* --- Now loop until everything's done --- */
	255
	256	for (;;) {
	257	gettimeofday(&now, 0);
c4f2d992	258
f60a3434	259	/* --- If the current timer has expired, find one that hasn't --- *
03f996bd	260	*
f60a3434	261	* Also resend the request after I've found a timer which is still
f60a3434	262	* extant. If there aren't any, report an error.
03f996bd	263	*/
c4f2d992	264
f60a3434	265	if (now.tv_sec >= start.tv_sec + tbl[ind] &&
	266	now.tv_usec >= start.tv_usec) {
	267	do {
	268	ind++;
	269	if (tbl[ind] < 0)
	270	die(1, "no reply from servers");
	271	} while (now.tv_sec >= start.tv_sec + tbl[ind] &&
	272	now.tv_usec >= start.tv_usec);
	273	check__send(buff, rqlen, fd, serv, n_serv);
	274	T( trace(TRACE_CLIENT, "client: send request to servers"); )
	275	}
	276
	277	/* --- Now wait for a packet to arrive --- */
c4f2d992	278
f60a3434	279	if (now.tv_usec > start.tv_usec) {
	280	now.tv_usec -= 1000000;
	281	now.tv_sec += 1;
	282	}
	283	tv.tv_sec = start.tv_sec + tbl[ind] - now.tv_sec;
	284	tv.tv_usec = start.tv_usec - now.tv_usec;
c4f2d992	285
f60a3434	286	/* --- Sort out file descriptors to watch --- */
c4f2d992	287
f60a3434	288	FD_ZERO(&fds);
f60a3434	289	FD_SET(fd, &fds);
c4f2d992	290
f60a3434	291	/* --- Wait for them --- */
c4f2d992	292
f60a3434	293	i = select(FD_SETSIZE, &fds, 0, 0, &tv);
	294	if (i == 0 \|\| (i < 0 && errno == EINTR))
	295	continue;
	296	if (i < 0)
	297	die(1, "error waiting for reply: %s", strerror(errno));
03f996bd	298
f60a3434	299	/* --- Read the reply data --- */
c4f2d992	300
f60a3434	301	slen = sizeof(sin);
	302	if ((sz = recvfrom(fd, (char *)rbuff, sizeof(rbuff), 0,
	303	(struct sockaddr *)&sin, &slen)) < 0)
	304	die(1, "error reading server's reply: %s", strerror(errno));
03f996bd	305
f60a3434	306	IF_TRACING(TRACE_CLIENT, {
	307	struct hostent h = gethostbyaddr((char )&sin.sin_addr,
	308	sizeof(sin.sin_addr), AF_INET);
	309	trace(TRACE_CLIENT, "client: reply received from %s port %i",
	310	h ? h->h_name : inet_ntoa(sin.sin_addr),
	311	ntohs(sin.sin_port));
	312	})
	313
	314	/* --- Verify the sender --- *
	315	*
	316	* This is more to avoid confusion than for security: an active
	317	* attacker is quite capable of forging the source address. We rely
	318	* on the signature in the reply packet for authentication.
	319	*/
	320
	321	for (i = 0; i < n_serv; i++) {
	322	if (sin.sin_addr.s_addr == serv[i].sin_addr.s_addr &&
	323	sin.sin_port == serv[i].sin_port)
	324	break;
	325	}
	326	if (i >= n_serv) {
	327	T( trace(TRACE_CLIENT, "client: reply from unknown host"); )
	328	continue;
	329	}
	330
	331	/* --- Unpack and verify the response --- */
	332
	333	buf_init(&b, rbuff, sz);
	334	if (buf_ensure(&b, sizeof(hmsg))) goto bad;
	335	if (memcmp(BCUR(&b), hmsg, sizeof(hmsg)) != 0) goto bad;
	336	BSTEP(&b, sizeof(hmsg));
	337	if ((ans = buf_getbyte(&b)) < 0) goto bad;
	338
	339	sha_init(&hc);
	340	sha_hash(&hc, BBASE(&b), BLEN(&b));
	341	sha_done(&hc, h);
	342	if ((r = buf_getmp(&b)) == 0 \|\| (s = buf_getmp(&b)) == 0) goto bad;
	343	m = mp_loadb(MP_NEW, h, sizeof(h));
	344
	345	key_mkiter(&ki, &f);
	346	while ((k = key_next(&ki)) != 0) {
	347	if (key_expired(k)) continue;
	348	if (strcmp(k->type, "become-dsa") != 0) continue;
	349	if (key_fetch(kp, k)) continue;
	350	i = dsa_vrfy(&kpub.dp, kpub.y, m, r, s);
	351	dsa_pubfree(&kpub);
	352	if (i) {
	353	key_fetchdone(kp);
	354	key_close(&f);
ff2d3282	355	close(fd);
f60a3434	356	mp_drop(m);
	357	mp_drop(r);
	358	mp_drop(s);
	359	return (ans);
c4f2d992	360	}
c4f2d992	361	}
f60a3434	362
	363	bad:
	364	T( trace(TRACE_CLIENT,
	365	"client: invalid or corrupt reply packet"); )
c4f2d992	366	}
c4f2d992	367
f60a3434	368	die(1, "internal error: can't get here in check__ask");
c4f2d992	369	return (0);
	370	}
	371
03f996bd	372	/* --- @check__client@ --- *
	373	*
	374	* Arguments: @request *rq@ = pointer to a request block
	375	* @FILE *fp@ = file containing server configuration
	376	*
	377	* Returns: Nonzero if OK, zero if forbidden
	378	*
	379	* Use: Asks one or several servers whether a request is acceptable.
	380	*/
	381
	382	int check__client(request rq, FILE fp)
	383	{
	384	/* --- Format of the file --- *
	385	*
	386	* The `servers' file contains entries of the form
	387	*
	388	* %%\syntax{<host> [`:' <port>]}%%
	389	*
	390	* separates by whitespace. I build them all into an array of socket
	391	* addresses and pass the whole lot to another function.
	392	*/
	393
	394	struct sockaddr_in serv; / Array of servers */
	395	size_t n_serv, max_serv; /* Number and maximum number */
	396
	397	/* --- Initialise the server array --- */
	398
	399	T( trace(TRACE_CLIENT, "client: reading server definitions"); )
	400	n_serv = 0; max_serv = 4; /* Four seems reasonable */
	401	serv = xmalloc(sizeof(serv) max_serv);
	402
	403	/* --- Start reading the file --- */
	404
	405	{
	406	char buff[256], p, l; /* A buffer and pointers for it */
	407	int port; /* Default port for servers */
	408	int state; /* Current parser state */
	409	struct in_addr t_host; /* Temp place for an address*/
	410	int t_port; /* Temp place for a port */
	411	int ch; /* The current character */
	412
	413	/* --- Parser states --- */
	414
	415	enum {
	416	st_start, /* Waiting to begin */
	417	st_host, /* Reading a new hostname */
	418	st_colon, /* Expecting a colon, maybe */
	419	st_preport, /* Waiting before reading port */
	420	st_port, /* Reading a port number */
	421	st_commit, /* Commit a newly read server */
	422	st_done /* Finished reading the file */
	423	};
	424
	425	/* --- Find a default port --- */
	426
	427	{
	428	struct servent *s = getservbyname(quis(), "udp");
b0f66028	429	port = (s ? s->s_port : htons(SERVER_PORT));
03f996bd	430	}
	431
	432	/* --- Initialise for scanning the file --- */
	433
	434	state = st_host;
	435	p = buff;
	436	l = buff + sizeof(buff);
	437	t_port = port;
	438	ch = getc(fp);
	439
	440	/* --- Go for it --- */
	441
	442	while (state != st_done) {
	443	switch (state) {
	444
	445	/* --- Initial whitespace before hostname --- */
	446
	447	case st_start:
	448	if (ch == EOF)
	449	state = st_done;
	450	else if (isspace((unsigned char)ch))
	451	ch = getc(fp);
	452	else
	453	state = st_host;
	454	break;
	455
	456	/* --- Read a host name --- */
	457
	458	case st_host:
	459	if (p == l)
f60a3434	460	die(1, "string too long in `" file_SERVER "'");
03f996bd	461	if (ch != EOF && !isspace((unsigned char)ch) && ch != ':') {
	462	*p++ = ch;
	463	ch = getc(fp);
	464	} else {
	465	struct hostent *h;
	466
	467	*p++ = 0;
	468	if ((h = gethostbyname(buff)) == 0)
f60a3434	469	die(1, "unknown host `%s' in `" file_SERVER "'", buff);
03f996bd	470	memcpy(&t_host, h->h_addr, sizeof(t_host));
	471	state = st_colon;
	472	}
	473	break;
	474
	475	/* --- Waiting for a colon coming up --- */
	476
	477	case st_colon:
	478	if (ch == EOF)
	479	state = st_commit;
	480	else if (isspace((unsigned char)ch))
	481	ch = getc(fp);
	482	else if (ch == ':') {
	483	state = st_preport;
	484	ch = getc(fp);
	485	}
	486	else
	487	state = st_commit;
	488	break;
	489
	490	/* --- Clearing whitespace before a port number --- */
	491
	492	case st_preport:
	493	if (ch == EOF)
	494	state = st_commit;
	495	else if (isspace((unsigned char)ch))
	496	ch = getc(fp);
	497	else {
	498	state = st_port;
	499	p = buff;
	500	}
	501	break;
	502
	503	/* --- Read a port number --- */
	504
	505	case st_port:
	506	if (p == l)
f60a3434	507	die(1, "string too long in `" file_SERVER "'");
03f996bd	508	if (ch != EOF && !isspace((unsigned char)ch) && ch != ':') {
	509	*p++ = ch;
	510	ch = getc(fp);
	511	} else {
	512	struct servent *s;
	513
	514	*p++ = 0;
	515	s = getservbyname(buff, "udp");
	516	if (!s && isdigit((unsigned char)buff[0]))
	517	t_port = htons(atoi(buff));
	518	else if (!s)
f60a3434	519	die(1, "unknown service `%s' in `" file_SERVER "'", buff);
03f996bd	520	else
	521	t_port = s->s_port;
	522	state = st_commit;
	523	}
	524	break;
	525
	526	/* --- A server has been read successfully --- */
	527
	528	case st_commit:
	529	if (n_serv == max_serv) {
	530	max_serv *= 2;
f60a3434	531	serv = xrealloc(serv, n_serv * sizeof(*serv),
f60a3434	532	max_serv * sizeof(*serv));
03f996bd	533	}
	534	serv[n_serv].sin_family = AF_INET;
	535	serv[n_serv].sin_addr = t_host;
	536	serv[n_serv].sin_port = t_port;
	537	n_serv++;
	538	state = st_start;
	539	p = buff;
	540	t_port = port;
	541	break;
	542
	543	/* --- A safety net for a broken parser --- */
	544
	545	default:
f60a3434	546	die(1, "internal error: can't get here in check__client");
03f996bd	547	break;
	548	}
	549	}
	550	}
	551
	552	fclose(fp);
	553
	554	/* --- Now start sending requests --- */
	555
	556	if (!n_serv)
f60a3434	557	die(1, "no servers specified in `" file_SERVER "'");
03f996bd	558
	559	IF_TRACING(TRACE_CLIENT, {
	560	size_t i;
	561
	562	for (i = 0; i < n_serv; i++) {
	563	trace(TRACE_CLIENT, "client: server %s port %i",
	564	inet_ntoa(serv[i].sin_addr), ntohs(serv[i].sin_port));
	565	}
	566	})
	567	return (check__ask(rq, serv, n_serv));
	568	}
	569
318c0b91	570	#endif
	571
	572	/----- Main checking function --------------------------------------------/
	573
c4f2d992	574	/* --- @check@ --- *
	575	*
	576	* Arguments: @request *rq@ = pointer to request buffer
	577	*
	578	* Returns: Nonzero if OK, zero if forbidden
	579	*
	580	* Use: Checks to see if the request is acceptable.
	581	*/
	582
	583	int check(request *rq)
	584	{
	585	FILE *fp;
	586
	587	/* --- Check if we need to talk to a server --- */
	588
318c0b91	589	#ifndef NONETWORK
03f996bd	590	if ((fp = fopen(file_SERVER, "r")) != 0)
03f996bd	591	return (check__client(rq, fp));
318c0b91	592	#endif
c4f2d992	593
03f996bd	594	/* --- Otherwise do this all the old-fashioned way --- */
c4f2d992	595
c4f2d992	596	if ((fp = fopen(file_RULES, "r")) == 0) {
f60a3434	597	die(1, "couldn't read configuration file `%s': %s",
c4f2d992	598	file_RULES, strerror(errno));
	599	}
	600
03f996bd	601	userdb_init();
	602	userdb_local();
	603	userdb_yp();
607937a4	604	netg_init();
c4f2d992	605	name_init();
	606	rule_init();
	607	lexer_scan(fp);
318c0b91	608	parse();
ff2d3282	609	fclose(fp);
c4f2d992	610
	611	return (rule_check(rq));
	612	}
	613
	614	/----- That's all, folks -------------------------------------------------/