~mdw / yaid / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
yaid.c: Beef up `reply' with an extra token argument.
[yaid] / yaid.c
CommitLineData
9da480be
MW		 1/* -*-c-*-
2 *
3 * Main daemon
4 *
5 * (c) 2012 Straylight/Edgeware
6 */
7
8/*----- Licensing notice --------------------------------------------------*
9 *
10 * This file is part of Yet Another Ident Daemon (YAID).
11 *
12 * YAID is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
16 *
17 * YAID is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with YAID; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 */
26
27/*----- Header files ------------------------------------------------------*/
28
29#include "yaid.h"
30
31/*----- Data structures ---------------------------------------------------*/
32
33struct listen {
bf4d9761 34 const struct addrops *ao;
9da480be
MW		 35 sel_file f;
36};
37
38#define WRBUFSZ 1024
39struct writebuf {
40 size_t o, n;
41 sel_file wr;
42 void (*func)(int, void *);
43 void *p;
44 unsigned char buf[WRBUFSZ];
45};
46
47struct proxy {
48 struct client *c;
49 int fd;
50 conn cn;
51 selbuf b;
52 struct writebuf wb;
53 char nat[ADDRLEN];
54};
55
56struct client {
57 selbuf b;
58 int fd;
59 struct query q;
60 struct listen *l;
61 struct writebuf wb;
62 struct proxy *px;
63};
64
65/*----- Static variables --------------------------------------------------*/
66
67static sel_state sel;
68
69static policy_v policy = DA_INIT;
70static fwatch polfw;
71
72static unsigned char tokenbuf[4096];
73static size_t tokenptr = sizeof(tokenbuf);
74static int randfd;
75
76/*----- Main code ---------------------------------------------------------*/
77
9da480be
MW		 78void logmsg(const struct query *q, int prio, const char *msg, ...)
79{
80 va_list ap;
81 dstr d = DSTR_INIT;
82
83 va_start(ap, msg);
84 if (q) {
bf4d9761 85 dputsock(&d, q->ao, &q->s[L]);
9da480be 86 dstr_puts(&d, " <-> ");
bf4d9761 87 dputsock(&d, q->ao, &q->s[R]);
9da480be
MW		 88 dstr_puts(&d, ": ");
89 }
90 dstr_vputf(&d, msg, &ap);
91 va_end(ap);
92 fprintf(stderr, "yaid: %s\n", d.buf);
93 dstr_destroy(&d);
94}
95
96static void write_out(int fd, unsigned mode, void *p)
97{
98 ssize_t n;
99 struct writebuf *wb = p;
100
101 if ((n = write(fd, wb->buf + wb->o, wb->n)) < 0) {
102 if (errno == EAGAIN || errno == EWOULDBLOCK) return;
103 wb->n = 0;
104 sel_rmfile(&wb->wr);
105 wb->func(errno, wb->p);
106 }
107 wb->o += n;
108 wb->n -= n;
109 if (!wb->n) {
110 wb->o = 0;
111 sel_rmfile(&wb->wr);
112 wb->func(0, wb->p);
113 }
114}
115
116static int queue_write(struct writebuf *wb, const void *p, size_t n)
117{
118 if (!n) return (0);
119 if (wb->n - wb->o + n > WRBUFSZ) return (-1);
120 if (wb->o) {
121 memmove(wb->buf, wb->buf + wb->o, wb->n);
122 wb->o = 0;
123 }
124 memcpy(wb->buf + wb->n, p, n);
125 if (!wb->n) {
126 sel_addfile(&wb->wr);
127 sel_force(&wb->wr);
128 }
129 wb->n += n;
130 return (0);
131}
132
133static void free_writebuf(struct writebuf *wb)
134 { if (wb->n) sel_rmfile(&wb->wr); }
135
136static void init_writebuf(struct writebuf *wb,
137 int fd, void (*func)(int, void *), void *p)
138{
139 sel_initfile(&sel, &wb->wr, fd, SEL_WRITE, write_out, wb);
140 wb->func = func;
141 wb->p = p;
142 wb->n = wb->o = 0;
143}
144
145static void cancel_proxy(struct proxy *px)
146{
147 if (px->fd == -1)
148 conn_kill(&px->cn);
149 else {
150 close(px->fd);
151 selbuf_destroy(&px->b);
152 free_writebuf(&px->wb);
153 }
154 selbuf_enable(&px->c->b);
155 px->c->px = 0;
156 xfree(px);
157}
158
159static void disconnect_client(struct client *c)
160{
161 close(c->fd);
162 selbuf_destroy(&c->b);
163 free_writebuf(&c->wb);
164 if (c->px) cancel_proxy(c->px);
165 xfree(c);
166}
167
168static void done_client_write(int err, void *p)
169{
170 struct client *c = p;
171
172 if (!err)
173 selbuf_enable(&c->b);
174 else {
175 logmsg(&c->q, LOG_ERR, "failed to send reply: %s", strerror(err));
176 disconnect_client(c);
177 }
178}
179
180static void write_to_client(struct client *c, const char *fmt, ...)
181{
182 va_list ap;
183 char buf[WRBUFSZ];
184 ssize_t n;
185
186 va_start(ap, fmt);
187 n = vsnprintf(buf, sizeof(buf), fmt, ap);
188 if (n < 0) {
189 logmsg(&c->q, LOG_ERR, "failed to format output: %s", strerror(errno));
190 disconnect_client(c);
191 return;
192 } else if (n > sizeof(buf)) {
193 logmsg(&c->q, LOG_ERR, "output too long for client send buffer");
194 disconnect_client(c);
195 return;
196 }
197
198 selbuf_disable(&c->b);
199 if (queue_write(&c->wb, buf, n)) {
200 logmsg(&c->q, LOG_ERR, "write buffer overflow");
201 disconnect_client(c);
202 }
203}
204
c809f908
MW		 205static void reply(struct client *c, const char *ty,
206 const char *tok0, const char *tok1)
9da480be 207{
c809f908
MW		 208 write_to_client(c, "%u,%u:%s:%s%s%s\r\n",
209 c->q.s[L].port, c->q.s[R].port, ty,
210 tok0, tok1 ? ":" : "", tok1 ? tok1 : "");
9da480be
MW		 211}
212
bf4d9761
MW		 213const char *const errtok[] = {
214#define DEFTOK(err, tok) tok,
215 ERROR(DEFTOK)
216#undef DEFTOK
217};
218
9da480be
MW		 219static void reply_error(struct client *c, unsigned err)
220{
221 assert(err < E_LIMIT);
c809f908 222 reply(c, "ERROR", errtok[err], 0);
9da480be
MW		 223}
224
225static void skipws(const char **pp)
226 { while (isspace((unsigned char )**pp)) (*pp)++; }
227
228static int idtoken(const char **pp, char *q, size_t n)
229{
230 const char *p = *pp;
231
232 skipws(&p);
233 n--;
234 for (;;) {
235 if (*p == ':' || *p <= 32 || *p >= 127) break;
236 if (!n) return (-1);
237 *q++ = *p++;
238 n--;
239 }
240 *q++ = 0;
241 *pp = p;
242 return (0);
243}
244
245static int unum(const char **pp, unsigned *ii, unsigned min, unsigned max)
246{
247 char *q;
248 unsigned long i;
249 int e;
250
251 skipws(pp);
252 if (!isdigit((unsigned char)**pp)) return (-1);
253 e = errno; errno = 0;
254 i = strtoul(*pp, &q, 10);
255 if (errno) return (-1);
256 *pp = q;
257 errno = e;
258 if (i < min || i > max) return (-1);
259 *ii = i;
260 return (0);
261}
262
263static void proxy_line(char *line, size_t sz, void *p)
264{
265 struct proxy *px = p;
266 char buf[1024];
267 const char *q = line;
268 unsigned lp, rp;
269
270 while (sz && isspace((unsigned char)line[sz - 1])) sz--;
271 printf("received proxy line from %s: %s\n", px->nat, line);
272
273 if (unum(&q, &lp, 1, 65535)) goto syntax;
274 skipws(&q); if (*q != ',') goto syntax; q++;
275 if (unum(&q, &rp, 1, 65535)) goto syntax;
276 skipws(&q); if (*q != ':') goto syntax; q++;
277 if (lp != px->c->q.u.nat.port || rp != px->c->q.s[R].port) goto syntax;
278 if (idtoken(&q, buf, sizeof(buf))) goto syntax;
279 skipws(&q); if (*q != ':') goto syntax; q++;
280 if (strcmp(buf, "ERROR") == 0) {
281 skipws(&q);
282 logmsg(&px->c->q, LOG_ERR, "proxy error from %s: %s", px->nat, q);
c809f908 283 reply(px->c, "ERROR", q, 0);
9da480be
MW		 284 } else if (strcmp(buf, "USERID") == 0) {
285 if (idtoken(&q, buf, sizeof(buf))) goto syntax;
286 skipws(&q); if (*q != ':') goto syntax; q++;
287 skipws(&q);
288 logmsg(&px->c->q, LOG_ERR, "user `%s'; proxy = %s, os = %s",
289 q, px->nat, buf);
c809f908 290 reply(px->c, "USERID", buf, q);
9da480be
MW		 291 } else
292 goto syntax;
293 goto done;
294
295syntax:
296 logmsg(&px->c->q, LOG_ERR, "failed to parse response from %s", px->nat);
297 reply_error(px->c, E_UNKNOWN);
298done:
299 cancel_proxy(px);
300}
301
302static void done_proxy_write(int err, void *p)
303{
304 struct proxy *px = p;
305
306 if (err) {
307 logmsg(&px->c->q, LOG_ERR, "failed to proxy query to %s: %s",
308 px->nat, strerror(errno));
309 reply_error(px->c, E_UNKNOWN);
310 cancel_proxy(px);
311 return;
312 }
313 selbuf_enable(&px->b);
314}
315
316static void proxy_connected(int fd, void *p)
317{
318 struct proxy *px = p;
319 char buf[16];
320 int n;
321
322 if (fd < 0) {
323 logmsg(&px->c->q, LOG_ERR,
324 "failed to make %s proxy connection to %s: %s",
bf4d9761 325 px->c->l->ao->name, px->nat, strerror(errno));
9da480be
MW		 326 reply_error(px->c, E_UNKNOWN);
327 cancel_proxy(px);
328 return;
329 }
330
331 px->fd = fd;
332 selbuf_init(&px->b, &sel, fd, proxy_line, px);
333 selbuf_setsize(&px->b, 1024);
334 selbuf_disable(&px->b);
335 init_writebuf(&px->wb, fd, done_proxy_write, px);
336
337 n = sprintf(buf, "%u,%u\r\n", px->c->q.u.nat.port, px->c->q.s[R].port);
338 queue_write(&px->wb, buf, n);
339}
340
341static void proxy_query(struct client *c)
342{
343 struct socket s;
344 struct sockaddr_storage ss;
345 size_t ssz;
346 struct proxy *px;
9da480be
MW		 347 int fd;
348
349 px = xmalloc(sizeof(*px));
bf4d9761 350 inet_ntop(c->q.ao->af, &c->q.u.nat.addr, px->nat, sizeof(px->nat));
9da480be 351
bf4d9761 352 if ((fd = socket(c->q.ao->af, SOCK_STREAM, 0)) < 0) {
9da480be 353 logmsg(&c->q, LOG_ERR, "failed to make %s socket for proxy: %s",
bf4d9761 354 c->l->ao->name, strerror(errno));
9da480be
MW		 355 goto err_0;
356 }
357
bf4d9761 358 if (fdflags(fd, O_NONBLOCK, O_NONBLOCK, 0, 0)) {
9da480be 359 logmsg(&c->q, LOG_ERR, "failed to set %s proxy socket nonblocking: %s",
bf4d9761 360 c->l->ao->name, strerror(errno));
9da480be
MW		 361 goto err_1;
362 }
363
364 s = c->q.u.nat;
365 s.port = 113;
bf4d9761 366 c->l->ao->socket_to_sockaddr(&s, &ss, &ssz);
9da480be
MW		 367 selbuf_disable(&c->b);
368 if (conn_init(&px->cn, &sel, fd, (struct sockaddr *)&ss, ssz,
369 proxy_connected, px)) {
370 logmsg(&c->q, LOG_ERR, "failed to make %s proxy connection to %s: %s",
bf4d9761 371 c->l->ao->name, px->nat, strerror(errno));
9da480be
MW		 372 goto err_2;
373 }
374
375 c->px = px; px->c = c;
376 px->fd = -1;
377 return;
378
379err_2:
380 selbuf_enable(&c->b);
381err_1:
382 close(px->fd);
383err_0:
384 xfree(px);
385 reply_error(c, E_UNKNOWN);
386}
387
388static const struct policy default_policy = POLICY_INIT(A_NAME);
389
390static void user_token(char *p)
391{
392 static const char tokmap[64] =
393 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.-";
394 unsigned a = 0;
395 unsigned b = 0;
396 int i;
397#define TOKENSZ 8
398
399 if (tokenptr + TOKENSZ >= sizeof(tokenbuf)) {
400 if (read(randfd, tokenbuf, sizeof(tokenbuf)) < sizeof(tokenbuf))
401 die(1, "unexpected short read or error from `/dev/urandom'");
402 tokenptr = 0;
403 }
404
405 for (i = 0; i < TOKENSZ; i++) {
406 a = (a << 8) | tokenbuf[tokenptr++]; b += 8;
407 while (b >= 6) {
408 b -= 6;
409 *p++ = tokmap[(a >> b) & 0x3f];
410 }
411 }
412 if (b)
413 *p++ = tokmap[(a << (6 - b)) & 0x3f];
414 *p++ = 0;
415}
416
417static void client_line(char *line, size_t len, void *p)
418{
419 struct client *c = p;
420 const char *q;
421 struct passwd *pw = 0;
422 const struct policy *pol;
423 dstr d = DSTR_INIT;
424 struct policy upol = POLICY_INIT(A_LIMIT);
425 struct policy_file pf;
426 char buf[16];
427 int i;
428
429 c->q.s[L].port = c->q.s[R].port = 0;
430 if (!line) {
431 disconnect_client(c);
432 return;
433 }
434
435 if (fwatch_update(&polfw, "yaid.policy")) {
436 logmsg(0, LOG_INFO, "reload master policy file `%s'", "yaid.policy");
437 load_policy_file("yaid.policy", &policy);
438 }
439
440 q = line;
441 if (unum(&q, &c->q.s[L].port, 1, 65535)) goto bad;
442 skipws(&q); if (*q != ',') goto bad; q++;
443 if (unum(&q, &c->q.s[R].port, 1, 65535)) goto bad;
444 skipws(&q); if (*q) goto bad;
445
446 identify(&c->q);
447 switch (c->q.resp) {
448 case R_UID:
449 if ((pw = getpwuid(c->q.u.uid)) == 0) {
450 logmsg(&c->q, LOG_ERR, "no passwd entry for user %d", c->q.u.uid);
451 reply_error(c, E_NOUSER);
452 return;
453 }
454 break;
455 case R_NAT:
456 proxy_query(c);
457 return;
458 case R_ERROR:
459 /* Should already be logged. */
460 reply_error(c, c->q.u.error);
461 return;
462 default:
463 abort();
464 }
465
466 for (i = 0; i < DA_LEN(&policy); i++) {
467 pol = &DA(&policy)[i];
468 if (!match_policy(pol, &c->q)) continue;
469 if (pol->act.act != A_USER)
470 goto match;
471 DRESET(&d);
472 dstr_putf(&d, "%s/.yaid.policy", pw->pw_dir);
473 if (open_policy_file(&pf, d.buf, "user policy file", &c->q))
474 continue;
475 while (!read_policy_file(&pf)) {
476 if (pf.lno > 100) {
477 logmsg(&c->q, LOG_ERR, "%s:%d: user policy file too long",
478 pf.name, pf.lno);
479 break;
480 }
481 if (!match_policy(&pf.p, &c->q)) continue;
482 if (!(pol->act.u.user & (1 << pf.p.act.act))) {
483 logmsg(&c->q, LOG_ERR,
484 "%s:%d: user action forbidden by global policy",
485 pf.name, pf.lno);
486 continue;
487 }
488 upol = pf.p; pol = &upol;
489 init_policy(&pf.p);
490 close_policy_file(&pf);
491 goto match;
492 }
493 close_policy_file(&pf);
494 }
495 pol = &default_policy;
496
497match:
498 DDESTROY(&d);
499 switch (pol->act.act) {
500 case A_NAME:
501 logmsg(&c->q, LOG_INFO, "user `%s' (%d)", pw->pw_name, c->q.u.uid);
c809f908 502 reply(c, "USERID", "UNIX", pw->pw_name);
9da480be
MW		 503 break;
504 case A_TOKEN:
505 user_token(buf);
506 logmsg(&c->q, LOG_INFO, "user `%s' (%d); token = %s",
507 pw->pw_name, c->q.u.uid, buf);
c809f908 508 reply(c, "USERID", "OTHER", buf);
9da480be
MW		 509 break;
510 case A_DENY:
511 logmsg(&c->q, LOG_INFO, "user `%s' (%d); denying",
512 pw->pw_name, c->q.u.uid);
513 break;
514 case A_HIDE:
515 logmsg(&c->q, LOG_INFO, "user `%s' (%d); hiding",
516 pw->pw_name, c->q.u.uid);
517 reply_error(c, E_HIDDEN);
518 break;
519 case A_LIE:
520 logmsg(&c->q, LOG_INFO, "user `%s' (%d); lie = `%s'",
521 pw->pw_name, c->q.u.uid, pol->act.u.lie);
c809f908 522 reply(c, "USERID", "UNIX", pol->act.u.lie);
9da480be
MW		 523 break;
524 default:
525 abort();
526 }
527
528 free_policy(&upol);
529 return;
530
531bad:
532 logmsg(&c->q, LOG_ERR, "failed to parse query from client");
533 disconnect_client(c);
534}
535
536static void accept_client(int fd, unsigned mode, void *p)
537{
538 struct listen *l = p;
539 struct client *c;
540 struct sockaddr_storage ssr, ssl;
541 size_t ssz = sizeof(ssr);
542 int sk;
543
544 if ((sk = accept(fd, (struct sockaddr *)&ssr, &ssz)) < 0) {
545 if (errno != EAGAIN && errno == EWOULDBLOCK) {
546 logmsg(0, LOG_ERR, "failed to accept incoming %s connection: %s",
bf4d9761 547 l->ao->name, strerror(errno));
9da480be
MW		 548 }
549 return;
550 }
551
552 c = xmalloc(sizeof(*c));
553 c->l = l;
bf4d9761
MW		 554 c->q.ao = l->ao;
555 l->ao->sockaddr_to_addr(&ssr, &c->q.s[R].addr);
9da480be
MW		 556 ssz = sizeof(ssl);
557 if (getsockname(sk, (struct sockaddr *)&ssl, &ssz)) {
558 logmsg(0, LOG_ERR,
559 "failed to read local address for incoming %s connection: %s",
bf4d9761 560 l->ao->name, strerror(errno));
9da480be
MW		 561 close(sk);
562 xfree(c);
563 return;
564 }
bf4d9761 565 l->ao->sockaddr_to_addr(&ssl, &c->q.s[L].addr);
9da480be
MW		 566 c->q.s[L].port = c->q.s[R].port = 0;
567
bf4d9761 568 /* logmsg(&c->q, LOG_INFO, "accepted %s connection", l->ao->name); */
9da480be
MW		 569
570 selbuf_init(&c->b, &sel, sk, client_line, c);
571 selbuf_setsize(&c->b, 1024);
572 c->fd = sk;
573 c->px = 0;
574 init_writebuf(&c->wb, sk, done_client_write, c);
575}
576
bf4d9761 577static int make_listening_socket(const struct addrops *ao, int port)
9da480be
MW		 578{
579 int fd;
bf4d9761
MW		 580 int yes = 1;
581 struct socket s;
9da480be
MW		 582 struct sockaddr_storage ss;
583 struct listen *l;
584 size_t ssz;
585
bf4d9761 586 if ((fd = socket(ao->af, SOCK_STREAM, 0)) < 0) {
a20696ca 587 if (errno == EAFNOSUPPORT) return (-1);
9da480be 588 die(1, "failed to create %s listening socket: %s",
bf4d9761 589 ao->name, strerror(errno));
9da480be 590 }
bf4d9761
MW		 591 setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes));
592 s.addr = *ao->any;
593 s.port = port;
594 ao->socket_to_sockaddr(&s, &ss, &ssz);
595 if (ao->init_listen_socket(fd)) {
596 die(1, "failed to initialize %s listening socket: %s",
597 ao->name, strerror(errno));
598 }
599 if (bind(fd, (struct sockaddr *)&ss, ssz)) {
600 die(1, "failed to bind %s listening socket: %s",
601 ao->name, strerror(errno));
9da480be 602 }
bf4d9761 603 if (fdflags(fd, O_NONBLOCK, O_NONBLOCK, 0, 0)) {
9da480be 604 die(1, "failed to set %s listening socket nonblocking: %s",
bf4d9761 605 ao->name, strerror(errno));
9da480be
MW		 606 }
607 if (listen(fd, 5))
bf4d9761 608 die(1, "failed to listen for %s: %s", ao->name, strerror(errno));
9da480be
MW		 609
610 l = xmalloc(sizeof(*l));
bf4d9761 611 l->ao = ao;
9da480be
MW		 612 sel_initfile(&sel, &l->f, fd, SEL_READ, accept_client, l);
613 sel_addfile(&l->f);
614
a20696ca 615 return (0);
9da480be
MW		 616}
617
618int main(int argc, char *argv[])
619{
620 int port = 113;
bf4d9761
MW		 621 const struct addrops *ao;
622 int any = 0;
9da480be
MW		 623
624 ego(argv[0]);
625
626 fwatch_init(&polfw, "yaid.policy");
b093b41d 627 init_sys();
9da480be
MW		 628 if (load_policy_file("yaid.policy", &policy))
629 exit(1);
630 { int i;
631 for (i = 0; i < DA_LEN(&policy); i++)
632 print_policy(&DA(&policy)[i]);
633 }
634
635 if ((randfd = open("/dev/urandom", O_RDONLY)) < 0) {
636 die(1, "failed to open `/dev/urandom' for reading: %s",
637 strerror(errno));
638 }
639
9da480be 640 sel_init(&sel);
bf4d9761
MW		 641 for (ao = addroptab; ao->name; ao++)
642 if (!make_listening_socket(ao, port)) any = 1;
643 if (!any)
a20696ca 644 die(1, "no IP protocols supported");
9da480be
MW		 645
646 for (;;)
647 if (sel_select(&sel)) die(1, "select failed: %s", strerror(errno));
648
649 return (0);
650}
651
652/*----- That's all, folks -------------------------------------------------*/
Yet Another Ident Daemon.