diff --git a/.clang-format b/.clang-format
new file mode 100644
index 0000000..2976c3a
--- /dev/null
+++ b/.clang-format
@@ -0,0 +1,192 @@
+---
+Language: Cpp
+# BasedOnStyle: LLVM
+AccessModifierOffset: -2
+AlignAfterOpenBracket: Align
+AlignArrayOfStructures: None
+AlignConsecutiveMacros: None
+AlignConsecutiveAssignments: None
+AlignConsecutiveBitFields: None
+AlignConsecutiveDeclarations: None
+AlignEscapedNewlines: Right
+AlignOperands: Align
+AlignTrailingComments: true
+AllowAllArgumentsOnNextLine: true
+AllowAllParametersOfDeclarationOnNextLine: true
+AllowShortEnumsOnASingleLine: true
+AllowShortBlocksOnASingleLine: Never
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: All
+AllowShortLambdasOnASingleLine: All
+AllowShortIfStatementsOnASingleLine: Never
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterDefinitionReturnType: None
+AlwaysBreakAfterReturnType: None
+AlwaysBreakBeforeMultilineStrings: false
+AlwaysBreakTemplateDeclarations: MultiLine
+AttributeMacros:
+  - __capability
+BinPackArguments: true
+BinPackParameters: true
+BraceWrapping:
+  AfterCaseLabel: false
+  AfterClass: false
+  AfterControlStatement: Never
+  AfterEnum: false
+  AfterFunction: false
+  AfterNamespace: false
+  AfterObjCDeclaration: false
+  AfterStruct: false
+  AfterUnion: false
+  AfterExternBlock: false
+  BeforeCatch: false
+  BeforeElse: false
+  BeforeLambdaBody: false
+  BeforeWhile: false
+  IndentBraces: false
+  SplitEmptyFunction: true
+  SplitEmptyRecord: true
+  SplitEmptyNamespace: true
+BreakBeforeBinaryOperators: None
+BreakBeforeConceptDeclarations: true
+BreakBeforeBraces: Attach
+BreakBeforeInheritanceComma: false
+BreakInheritanceList: BeforeColon
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializersBeforeComma: false
+BreakConstructorInitializers: BeforeColon
+BreakAfterJavaFieldAnnotations: false
+BreakStringLiterals: true
+ColumnLimit: 120
+CommentPragmas: '^ IWYU pragma:'
+QualifierAlignment: Leave
+CompactNamespaces: false
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DeriveLineEnding: true
+DerivePointerAlignment: false
+DisableFormat: false
+EmptyLineAfterAccessModifier: Never
+EmptyLineBeforeAccessModifier: LogicalBlock
+ExperimentalAutoDetectBinPacking: false
+PackConstructorInitializers: BinPack
+BasedOnStyle: ''
+ConstructorInitializerAllOnOneLineOrOnePerLine: false
+AllowAllConstructorInitializersOnNextLine: true
+FixNamespaceComments: true
+ForEachMacros:
+  - foreach
+  - Q_FOREACH
+  - BOOST_FOREACH
+IfMacros:
+  - KJ_IF_MAYBE
+IncludeBlocks: Preserve
+IncludeCategories:
+  - Regex: '^"(llvm|llvm-c|clang|clang-c)/'
+    Priority: 2
+    SortPriority: 0
+    CaseSensitive: false
+  - Regex: '^(<|"(gtest|gmock|isl|json)/)'
+    Priority: 3
+    SortPriority: 0
+    CaseSensitive: false
+  - Regex: '.*'
+    Priority: 1
+    SortPriority: 0
+    CaseSensitive: false
+IncludeIsMainRegex: '(Test)?$'
+IncludeIsMainSourceRegex: ''
+IndentAccessModifiers: false
+IndentCaseLabels: false
+IndentCaseBlocks: false
+IndentGotoLabels: true
+IndentPPDirectives: None
+IndentExternBlock: AfterExternBlock
+IndentRequires: false
+IndentWidth: 2
+IndentWrappedFunctionNames: false
+InsertTrailingCommas: None
+JavaScriptQuotes: Leave
+JavaScriptWrapImports: true
+KeepEmptyLinesAtTheStartOfBlocks: true
+LambdaBodyIndentation: Signature
+MacroBlockBegin: ''
+MacroBlockEnd: ''
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: None
+ObjCBinPackProtocolList: Auto
+ObjCBlockIndentWidth: 2
+ObjCBreakBeforeNestedBlockParam: true
+ObjCSpaceAfterProperty: false
+ObjCSpaceBeforeProtocolList: true
+PenaltyBreakAssignment: 2
+PenaltyBreakBeforeFirstCallParameter: 19
+PenaltyBreakComment: 300
+PenaltyBreakFirstLessLess: 120
+PenaltyBreakOpenParenthesis: 0
+PenaltyBreakString: 1000
+PenaltyBreakTemplateDeclaration: 10
+PenaltyExcessCharacter: 1000000
+PenaltyReturnTypeOnItsOwnLine: 60
+PenaltyIndentedWhitespace: 0
+PointerAlignment: Right
+PPIndentWidth: -1
+ReferenceAlignment: Pointer
+ReflowComments: true
+RemoveBracesLLVM: false
+SeparateDefinitionBlocks: Leave
+ShortNamespaceLines: 1
+SortIncludes: CaseSensitive
+SortJavaStaticImport: Before
+SortUsingDeclarations: true
+SpaceAfterCStyleCast: false
+SpaceAfterLogicalNot: false
+SpaceAfterTemplateKeyword: true
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCaseColon: false
+SpaceBeforeCpp11BracedList: false
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeInheritanceColon: true
+SpaceBeforeParens: ControlStatements
+SpaceBeforeParensOptions:
+  AfterControlStatements: true
+  AfterForeachMacros: true
+  AfterFunctionDefinitionName: false
+  AfterFunctionDeclarationName: false
+  AfterIfMacros: true
+  AfterOverloadedOperator: false
+  BeforeNonEmptyParentheses: false
+SpaceAroundPointerQualifiers: Default
+SpaceBeforeRangeBasedForLoopColon: true
+SpaceInEmptyBlock: false
+SpaceInEmptyParentheses: false
+SpacesBeforeTrailingComments: 1
+SpacesInAngles: Never
+SpacesInConditionalStatement: false
+SpacesInContainerLiterals: true
+SpacesInCStyleCastParentheses: false
+SpacesInLineCommentPrefix:
+  Minimum: 1
+  Maximum: -1
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+SpaceBeforeSquareBrackets: false
+BitFieldColonSpacing: Both
+Standard: Latest
+StatementAttributeLikeMacros:
+  - Q_EMIT
+StatementMacros:
+  - Q_UNUSED
+  - QT_REQUIRE_VERSION
+TabWidth: 4
+UseCRLF: false
+UseTab: Never
+WhitespaceSensitiveMacros:
+  - STRINGIZE
+  - PP_STRINGIZE
+  - BOOST_PP_STRINGIZE
+  - NS_SWIFT_NAME
+  - CF_SWIFT_NAME
+...
+
diff --git a/pam_shield.c b/pam_shield.c
index 9065b85..07f87e5
--- a/pam_shield.c
+++ b/pam_shield.c
@@ -1,36 +1,36 @@ /* - pam_shield.c - - Copyright (C) 2007-2024 - Walter de Jong - Jonathan Niehof - Jeffrey Clark - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + pam_shield.c + + Copyright (C) 2007-2024 + Walter de Jong + Jonathan Niehof + Jeffrey Clark + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* - pam_shield is a PAM module that uses route/iptables to lock out script - kiddies that probe your machine for open logins and/or easy guessable - passwords. + pam_shield is a PAM module that uses route/iptables to lock out script + kiddies that probe your machine for open logins and/or easy guessable + passwords. 
- You can run this module with + You can run this module with - auth optional pam_shield.so + auth optional pam_shield.so - But just make sure it's not the only auth module you run..! - This module does not do any authentication, it just monitors access. + But just make sure it's not the only auth module you run..! + This module does not do any authentication, it just monitors access. */ #include "pam_shield.h" @@ -95,8 +95,7 @@ static _pam_shield_db_rec_t *new_db_record(int window_size) { size = sizeof(_pam_shield_db_rec_t) + (window_size - 1) * sizeof(time_t); if ((record = (_pam_shield_db_rec_t *)malloc(size)) == NULL) { - logmsg(LOG_CRIT, "new_db_record(): out of memory allocating %d bytes", - size); + logmsg(LOG_CRIT, "new_db_record(): out of memory allocating %d bytes", size); return NULL; } memset(record, 0, size); @@ -110,9 +109,9 @@ static void destroy_db_record(_pam_shield_db_rec_t *record) { } /* - get remote IPs for the rhost + get remote IPs for the rhost - the return value must be freed with freeaddrinfo() + the return value must be freed with freeaddrinfo() */ static struct addrinfo *get_addr_info(char *rhost) { struct addrinfo hints, *res; @@ -132,11 +131,10 @@ static struct addrinfo *get_addr_info(char *rhost) { #pragma GCC visibility pop /* - the authenticate function always returns PAM_IGNORE, because this - module does not really authenticate + the authenticate function always returns PAM_IGNORE, because this + module does not really authenticate */ -PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) { +PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { char *user, *rhost; struct passwd *pwd; unsigned int retry_count; 
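Review bot: The re-indented comment above pam_sm_authenticate still claims the function "always returns PAM_IGNORE", but its exit paths visible later in this diff are `return (suspicious_dns) ? PAM_AUTH_ERR : PAM_IGNORE;`, i.e. it fails the authentication whenever the remote host tripped the DNS sanity checks. Since that comment is what an administrator reads to decide whether `optional` vs `required` in the PAM stack matters, it should state the real contract: `the authenticate function normally returns PAM_IGNORE, because this module does not really authenticate; it returns PAM_AUTH_ERR only when the remote host failed the DNS sanity checks (suspicious_dns)`. The body of pam_sm_authenticate continues past this hunk.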
@@ -148,8 +146,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, logmsg(LOG_DEBUG, "this is version " PAM_SHIELD_VERSION); /* - read_config() may fail (due to syntax errors, etc.), try to make the - best of it by continuing anyway + read_config() may fail (due to syntax errors, etc.), try to make the + best of it by continuing anyway */ read_config(); get_options(argc, (char **)argv); @@ -164,16 +162,14 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, logmsg(LOG_DEBUG, "user %s", (user == NULL) ? "(unknown)" : user); /* if not blocking all and the user is known, let go */ - if (!(options & OPT_BLOCK_ALL) && user != NULL && - (pwd = getpwnam(user)) != NULL) { + if (!(options & OPT_BLOCK_ALL) && user != NULL && (pwd = getpwnam(user)) != NULL) { logmsg(LOG_DEBUG, "ignoring known user %s", user); deinit_module(); return PAM_IGNORE; } /* get the remotehost address */ - if (pam_get_item(pamh, PAM_RHOST, (const void **)(void *)&rhost) != - PAM_SUCCESS) + if (pam_get_item(pamh, PAM_RHOST, (const void **)(void *)&rhost) != PAM_SUCCESS) rhost = NULL; if (rhost != NULL && !*rhost) @@ -182,9 +178,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, logmsg(LOG_DEBUG, "remotehost %s", (rhost == NULL) ? "(unknown)" : rhost); /* - if rhost is NULL, pam_shield is probably being used for a local - service here Because pam_shield only makes sense in a networked - environment, bail out now + if rhost is NULL, pam_shield is probably being used for a local + service here Because pam_shield only makes sense in a networked + environment, bail out now */ if (rhost == NULL) { deinit_module(); 
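Review bot: In the reformatted known-user check, `pwd` is assigned only to be compared against NULL and is not used afterwards in this hunk, so the condition can simply read `if (!(options & OPT_BLOCK_ALL) && user != NULL && getpwnam(user) != NULL) {` (its declaration is outside the hunk; drop it if nothing else reads it). The line also deserves a comment about the security trade-off it encodes, because it is easy to miss: failed attempts against accounts that exist in the passwd database are never counted unless `block all` is configured, so password guessing against real usernames bypasses this module entirely — e.g. `/* NOTE: without 'block all', guessing against existing accounts is never counted */`. The function continues on both sides of this hunk.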
@@ -193,8 +189,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, /* if rhost is completely numeric, then it has no DNS entry */ suspicious_dns = 0; - if (strspn(rhost, "0123456789.") == strlen(rhost) || - strspn(rhost, "0123456789:abcdefABCDEF") == strlen(rhost)) { + if (strspn(rhost, "0123456789.") == strlen(rhost) || strspn(rhost, "0123456789:abcdefABCDEF") == strlen(rhost)) { if (options & OPT_MISSING_DNS) logmsg(LOG_DEBUG, "missing DNS entry for %s (allowed)", rhost); else { @@ -216,8 +211,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, datum key, data; int whitelisted; - if ((addr_info = get_addr_info(rhost)) == - NULL) { /* missing reverse DNS entry */ + if ((addr_info = get_addr_info(rhost)) == NULL) { /* missing reverse DNS entry */ if (options & OPT_MISSING_REVERSE) logmsg(LOG_DEBUG, "missing reverse DNS entry for %s (allowed)", rhost); else { 
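Review bot: The numeric-address test in the -193 hunk, `strspn(rhost, "0123456789:abcdefABCDEF") == strlen(rhost)`, also matches ordinary hostnames made only of hex letters (`bad`, `cafe`, `deadbeef`), which are then treated as having no DNS entry and, unless `allow_missing_dns` is set, flagged as suspicious even though they do resolve. An IPv6 literal always contains at least one colon, so the check should require it: `(strchr(rhost, ':') != NULL && strspn(rhost, "0123456789:abcdefABCDEF") == strlen(rhost))`. A cleaner alternative is to let `inet_pton()` for both families decide what counts as a literal, which keeps this classification consistent with the getaddrinfo() call that follows. The enclosing pam_sm_authenticate continues outside this hunk.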
@@ -230,43 +224,31 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, whitelisted = 0; switch (addr_p->ai_family) { case PF_INET: - saddr = - (char *)&((struct sockaddr_in *)(addr_p->ai_addr))->sin_addr.s_addr; + saddr = (char *)&((struct sockaddr_in *)(addr_p->ai_addr))->sin_addr.s_addr; if (match_ipv4_list((unsigned char *)saddr)) { logmsg( LOG_DEBUG, "remoteip %s (whitelisted)", - inet_ntop( - AF_INET, - (char *)&((struct sockaddr_in *)(addr_p->ai_addr))->sin_addr, - ipbuf, sizeof(ipbuf))); + inet_ntop(AF_INET, (char *)&((struct sockaddr_in *)(addr_p->ai_addr))->sin_addr, ipbuf, sizeof(ipbuf))); whitelisted = 1; } else logmsg( LOG_DEBUG, "remoteip %s", - inet_ntop( - AF_INET, - (char *)&((struct sockaddr_in *)(addr_p->ai_addr))->sin_addr, - ipbuf, sizeof(ipbuf))); + inet_ntop(AF_INET, (char *)&((struct sockaddr_in *)(addr_p->ai_addr))->sin_addr, ipbuf, sizeof(ipbuf))); break; case PF_INET6: - saddr = (char *)&((struct sockaddr_in6 *)(addr_p->ai_addr)) - ->sin6_addr.s6_addr; + saddr = (char *)&((struct sockaddr_in6 *)(addr_p->ai_addr))->sin6_addr.s6_addr; if (match_ipv6_list((unsigned char *)saddr)) { logmsg(LOG_DEBUG, "remoteip %s (whitelisted)", - inet_ntop(AF_INET6, - (char *)&((struct sockaddr_in6 *)(addr_p->ai_addr)) - ->sin6_addr, - ipbuf, sizeof(ipbuf))); + inet_ntop(AF_INET6, (char *)&((struct sockaddr_in6 *)(addr_p->ai_addr))->sin6_addr, ipbuf, + sizeof(ipbuf))); whitelisted = 1; } else logmsg(LOG_DEBUG, "remoteip %s", - inet_ntop(AF_INET6, - (char *)&((struct sockaddr_in6 *)(addr_p->ai_addr)) - ->sin6_addr, - ipbuf, sizeof(ipbuf))); + inet_ntop(AF_INET6, (char *)&((struct sockaddr_in6 *)(addr_p->ai_addr))->sin6_addr, ipbuf, + sizeof(ipbuf))); break; default: 
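Review bot: In the reformatted address loop every address that `get_addr_info(rhost)` returns is taken to be the attacker's and, further down in this diff, becomes the database key whose record can fire the `add` trigger. When PAM_RHOST is a hostname rather than a literal (which, as far as I recall, is what sshd hands over with UseDNS enabled), the forward lookup is controlled by whoever owns that name, so a client whose PTR record points at `victim.example` can make this module block the victim's addresses instead of its own. Consider acting only on addresses that reverse-resolve back to rhost (forward-confirmed reverse DNS), or preferring the literal address where the application provides one, and until then mark the hazard at the top of the loop: `/* NOTE: rhost may be a name controlled by the peer; every address it resolves to is blocked */`. The loop and the function continue beyond this hunk.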
@@ -285,11 +267,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, } /* open the database */ retry_count = 0; - while ((dbf = gdbm_open(dbfile, 512, GDBM_WRCREAT, (mode_t)0600, - fatal_func)) == NULL) { + while ((dbf = gdbm_open(dbfile, 512, GDBM_WRCREAT, (mode_t)0600, fatal_func)) == NULL) { if (gdbm_errno != GDBM_CANT_BE_WRITER || retry_count > 500) { - logmsg(LOG_ERR, "failed to open gdbm file '%s' : %s", dbfile, - gdbm_strerror(gdbm_errno)); + logmsg(LOG_ERR, "failed to open gdbm file '%s' : %s", dbfile, gdbm_strerror(gdbm_errno)); freeaddrinfo(addr_info); deinit_module(); return (suspicious_dns) ? PAM_AUTH_ERR : PAM_IGNORE; @@ -304,15 +284,13 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, switch (addr_p->ai_family) { case PF_INET: addr_family = PAM_SHIELD_ADDR_IPV4; - key.dptr = saddr = - (char *)&((struct sockaddr_in *)(addr_p->ai_addr))->sin_addr.s_addr; + key.dptr = saddr = (char *)&((struct sockaddr_in *)(addr_p->ai_addr))->sin_addr.s_addr; key.dsize = sizeof(struct in_addr); break; case PF_INET6: addr_family = PAM_SHIELD_ADDR_IPV6; - key.dptr = saddr = (char *)&((struct sockaddr_in6 *)(addr_p->ai_addr)) - ->sin6_addr.s6_addr; + key.dptr = saddr = (char *)&((struct sockaddr_in6 *)(addr_p->ai_addr))->sin6_addr.s6_addr; key.dsize = sizeof(struct in6_addr); break; 
@@ -328,30 +306,27 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, if (data.dptr != NULL) { record = (_pam_shield_db_rec_t *)data.dptr; /* - Although this code does some expiration, it only does so for - "this ip"; it is still necessary to run an external database cleanup - process every now and then (eg, from cron.daily) + Although this code does some expiration, it only does so for + "this ip"; it is still necessary to run an external database cleanup + process every now and then (eg, from cron.daily) */ expire_record(record); if (record->count >= record->max_entries) { /* shift, so we always log the most recent time */ - memmove(record->timestamps, &record->timestamps[1], - (record->max_entries - 1) * sizeof(time_t)); + memmove(record->timestamps, &record->timestamps[1], (record->max_entries - 1) * sizeof(time_t)); record->count--; } record->timestamps[record->count++] = this_time; logmsg(LOG_DEBUG, "%u times from %s", record->count, rhost); /* - too many in the interval, so trigger + too many in the interval, so trigger - trigger "add" is subject to a race, so try to be smart about it - and do not add the same block within 20 seconds + trigger "add" is subject to a race, so try to be smart about it + and do not add the same block within 20 seconds */ - if (record->count >= max_conns && - this_time - record->trigger_active > 20 && - !run_trigger("add", record)) + if (record->count >= max_conns && this_time - record->trigger_active > 20 && !run_trigger("add", record)) record->trigger_active = this_time; } else { if ((record = new_db_record(max_conns)) != NULL) { 
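Review bot: In the reformatted sliding-window code, `record->count` is capped at `record->max_entries` by the shift just above, while the trigger condition is `record->count >= max_conns`; `max_entries` is presumably fixed when the record is created by `new_db_record(max_conns)` with the max_conns in force at that time. If the configured max_conns has since been raised, old records can never reach the threshold, so the `add` trigger silently stops firing for those hosts until their record expires. Either reallocate the record to the current size when `record->max_entries < max_conns`, or fire on the lower of the two bounds: `if ((record->count >= max_conns || record->count >= record->max_entries) && this_time - record->trigger_active > 20 && !run_trigger("add", record))`. The function continues outside this hunk, so if the record is resized elsewhere a comment saying so here would spare the next reader the same question.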
@@ -369,8 +344,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, } if (record != NULL) { data.dptr = (char *)record; - data.dsize = sizeof(_pam_shield_db_rec_t) + - (record->max_entries - 1) * sizeof(time_t); + data.dsize = sizeof(_pam_shield_db_rec_t) + (record->max_entries - 1) * sizeof(time_t); /* key.dptr and key.dsize are still set to saddr and addr_size */ @@ -387,7 +361,4 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, return (suspicious_dns) ? PAM_AUTH_ERR : PAM_IGNORE; } -PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, - const char **argv) { - return PAM_SUCCESS; -} +PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { return PAM_SUCCESS; } diff --git a/pam_shield.h b/pam_shield.h index ec106dd..764f035 100644 --- a/pam_shield.h +++ b/pam_shield.h 
@@ -1,24 +1,24 @@ /* - pam_shield.h - - Copyright (C) 2007-2024 - Walter de Jong - Jonathan Niehof - Jeffrey Clark - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + pam_shield.h + + Copyright (C) 2007-2024 + Walter de Jong + Jonathan Niehof + Jeffrey Clark + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef PAM_SHIELD diff --git a/pam_shield_lib.c b/pam_shield_lib.c index fe63954..64e13f9 100644 --- a/pam_shield_lib.c +++ b/pam_shield_lib.c 
@@ -1,24 +1,24 @@ /* - pam_shield_lib.c - - Copyright (C) 2007-2024 - Walter de Jong - Jonathan Niehof - Jeffrey Clark - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + pam_shield_lib.c + + Copyright (C) 2007-2024 + Walter de Jong + Jonathan Niehof + Jeffrey Clark + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include 
@@ -90,14 +90,11 @@ void add_ip_list(ip_list **root, ip_list *ip) { if (options & OPT_DEBUG) { char addr[INET6_ADDRSTRLEN], mask[INET6_ADDRSTRLEN]; - if (*root == - allow_ipv4_list) /* (butt ugly check, just to get nice debug output) */ - logmsg(LOG_DEBUG, "allowing from %s/%s", - inet_ntop(AF_INET, &ip->ip.in, addr, sizeof(addr)), + if (*root == allow_ipv4_list) /* (butt ugly check, just to get nice debug output) */ + logmsg(LOG_DEBUG, "allowing from %s/%s", inet_ntop(AF_INET, &ip->ip.in, addr, sizeof(addr)), inet_ntop(AF_INET, &ip->mask.in, mask, sizeof(mask))); else - logmsg(LOG_DEBUG, "allowing from %s/%s", - inet_ntop(AF_INET6, &ip->ip.in6, addr, sizeof(addr)), + logmsg(LOG_DEBUG, "allowing from %s/%s", inet_ntop(AF_INET6, &ip->ip.in6, addr, sizeof(addr)), inet_ntop(AF_INET6, &ip->mask.in6, mask, sizeof(mask))); } ip->prev = ip->next = NULL; @@ -113,8 +110,8 @@ void add_ip_list(ip_list **root, ip_list *ip) { } /* - try to match an IP number against the allow list - returns 1 if it matches + try to match an IP number against the allow list + returns 1 if it matches */ int match_ipv4_list(unsigned char *saddr) { ip_list *ip; @@ -129,11 +126,9 @@ int match_ipv4_list(unsigned char *saddr) { } } if (match) { - char addr1[INET_ADDRSTRLEN], addr2[INET_ADDRSTRLEN], - mask[INET_ADDRSTRLEN]; + char addr1[INET_ADDRSTRLEN], addr2[INET_ADDRSTRLEN], mask[INET_ADDRSTRLEN]; - logmsg(LOG_DEBUG, "whitelist match: %s %s/%s", - inet_ntop(AF_INET, saddr, addr1, sizeof(addr1)), + logmsg(LOG_DEBUG, "whitelist match: %s %s/%s", inet_ntop(AF_INET, saddr, addr1, sizeof(addr1)), inet_ntop(AF_INET, &ip->ip.in, addr2, sizeof(addr2)), inet_ntop(AF_INET, &ip->mask.in, mask, sizeof(mask))); return 1; 
@@ -155,11 +150,9 @@ int match_ipv6_list(unsigned char *saddr) { } } if (match) { - char addr1[INET6_ADDRSTRLEN], addr2[INET6_ADDRSTRLEN], - mask[INET6_ADDRSTRLEN]; + char addr1[INET6_ADDRSTRLEN], addr2[INET6_ADDRSTRLEN], mask[INET6_ADDRSTRLEN]; - logmsg(LOG_DEBUG, "whitelist match: %s %s/%s", - inet_ntop(AF_INET6, saddr, addr1, sizeof(addr1)), + logmsg(LOG_DEBUG, "whitelist match: %s %s/%s", inet_ntop(AF_INET6, saddr, addr1, sizeof(addr1)), inet_ntop(AF_INET6, &ip->ip.in6, addr2, sizeof(addr2)), inet_ntop(AF_INET6, &ip->mask.in6, mask, sizeof(mask))); return 1; @@ -212,8 +205,8 @@ void add_name_list(name_list **root, name_list *n) { } /* - see if 'name' matches our whitelist - return 1 if it does + see if 'name' matches our whitelist + return 1 if it does */ int match_name_list(char *name) { name_list *n; @@ -223,10 +216,8 @@ int match_name_list(char *name) { for (n = allow_names; n != NULL; n = n->next) { if (n->name[0] == '.') { - if ((strlen(name) > strlen(n->name)) && - !strcasecmp(n->name, name + strlen(name) - strlen(n->name))) { - logmsg(LOG_DEBUG, "whitelist match: host %s in domain %s", name, - n->name); + if ((strlen(name) > strlen(n->name)) && !strcasecmp(n->name, name + strlen(name) - strlen(n->name))) { + logmsg(LOG_DEBUG, "whitelist match: host %s in domain %s", name, n->name); return 1; } } else { @@ -294,23 +285,22 @@ void strip(char *str) { memmove(str, p, strlen(p) + 1); } i = strlen(str) - 1; - while (i >= 0 && - (str[i] == ' ' || str[i] == '\t' || str[i] == '\r' || str[i] == '\n')) + while (i >= 0 && (str[i] == ' ' || str[i] == '\t' || str[i] == '\r' || str[i] == '\n')) str[i--] = 0; } /* - multipliers: - 1s second - 1m minute - 1h hour - 1d day - 1w week - 1M month - 1y year - - default is 1 - returns 0 on error + multipliers: + 1s second + 1m minute + 1h hour + 1d day + 1w week + 1M month + 1y year + + default is 1 + returns 0 on error */ long get_multiplier(char *str) { if (str == NULL || !*str) 
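Review bot: The reformatted domain-suffix test in match_name_list calls `strlen(name)` twice and `strlen(n->name)` twice per list entry; hoisting them as `size_t nlen = strlen(name), dlen = strlen(n->name);` and writing `if (nlen > dlen && !strcasecmp(n->name, name + nlen - dlen))` reads more easily and makes the pointer arithmetic obviously in bounds. While there, `match_name_list(char *name)` never writes through `name`, so the parameter (and the matching declaration in pam_shield_lib.h, also touched by this diff) should be `const char *name`. The function continues outside this hunk.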
@@ -346,10 +336,10 @@ long get_multiplier(char *str) { } /* - generate bitmask from '/24' notation + generate bitmask from '/24' notation - mask is struct in_addr.saddr, size is the size of the array - (4 for IPv4, 16 for IPv6) + mask is struct in_addr.saddr, size is the size of the array + (4 for IPv4, 16 for IPv6) */ void ip_bitmask(int bits, unsigned char *mask, int size) { int i, num, rest; @@ -379,8 +369,8 @@ void ip_bitmask(int bits, unsigned char *mask, int size) { } /* - allow network/netmask, for both IPv4 and IPv6 - netmask can be in canonical or decimal notation + allow network/netmask, for both IPv4 and IPv6 + netmask can be in canonical or decimal notation */ int allow_ip(char *ipnum, int line_no) { char *netmask; @@ -396,14 +386,12 @@ int allow_ip(char *ipnum, int line_no) { *netmask = 0; netmask++; if (!*netmask) { - logmsg(LOG_ALERT, "%s:%d: missing netmask, assuming it is a host", - conffile, line_no); + logmsg(LOG_ALERT, "%s:%d: missing netmask, assuming it is a host", conffile, line_no); netmask = NULL; } } if ((ip = new_ip_list()) == NULL) { - logmsg(LOG_ALERT, "%s:%d: out of memory adding 'allow' line", conffile, - line_no); + logmsg(LOG_ALERT, "%s:%d: out of memory adding 'allow' line", conffile, line_no); return -1; } /* try network address as IPv4 */ @@ -421,8 +409,7 @@ int allow_ip(char *ipnum, int line_no) { destroy_ip_list(ip); return -1; } - ip_bitmask(bits, (unsigned char *)&ip->mask.in.s_addr, - sizeof(ip->mask.in.s_addr)); + ip_bitmask(bits, (unsigned char *)&ip->mask.in.s_addr, sizeof(ip->mask.in.s_addr)); add_ip_list(&allow_ipv4_list, ip); return 0; @@ -451,8 +438,7 @@ int allow_ip(char *ipnum, int line_no) { destroy_ip_list(ip); return -1; } - ip_bitmask(bits, (unsigned char *)ip->mask.in6.s6_addr, - sizeof(ip->mask.in6.s6_addr)); + ip_bitmask(bits, (unsigned char *)ip->mask.in6.s6_addr, sizeof(ip->mask.in6.s6_addr)); add_ip_list(&allow_ipv6_list, ip); return 0; 
@@ -467,20 +453,18 @@ int allow_ip(char *ipnum, int line_no) { return -1; } /* - when we get here it's either a syntax error or a hostname or a network - name with names, you can not specify a netmask + when we get here it's either a syntax error or a hostname or a network + name with names, you can not specify a netmask */ destroy_ip_list(ip); ip = NULL; if (netmask != NULL) { - logmsg(LOG_ALERT, "%s:%d: syntax error in internet address", conffile, - line_no); + logmsg(LOG_ALERT, "%s:%d: syntax error in internet address", conffile, line_no); return -1; } if ((name = new_name_list(ipnum)) == NULL) { - logmsg(LOG_ALERT, "%s:%d: out of memory while adding 'allow' line", - conffile, line_no); + logmsg(LOG_ALERT, "%s:%d: out of memory while adding 'allow' line", conffile, line_no); return -1; } add_name_list(&allow_names, name); @@ -553,8 +537,7 @@ int read_config(void) { p); continue; } - logmsg(LOG_ALERT, "%s:%d: unknown argument '%s' to 'debug'", conffile, - line_no, p); + logmsg(LOG_ALERT, "%s:%d: unknown argument '%s' to 'debug'", conffile, line_no, p); continue; } if (!strcmp(buf, "block")) { 
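Review bot: In the reformatted tail of allow_ip(), any token that failed both inet_pton() paths and carries no netmask is accepted as a hostname via add_name_list(), so a typo in a numeric whitelist entry such as `10.0.0.300` or `2001:db8::g` is silently turned into a name that will never match and the operator sees no error. Valid hostnames never contain ':' and are never all digits and dots, so reject those before falling back: `if (strchr(ipnum, ':') != NULL || strspn(ipnum, "0123456789.") == strlen(ipnum)) { logmsg(LOG_ALERT, "%s:%d: syntax error in internet address", conffile, line_no); return -1; }`, and log the remaining fallback at LOG_DEBUG (`"%s:%d: treating '%s' as a hostname"`) so a mistyped entry can be found. The function begins above this hunk.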
@@ -566,41 +549,33 @@ int read_config(void) { options &= ~OPT_BLOCK_ALL; continue; } - logmsg(LOG_ALERT, "%s:%d: unknown argument '%s' to 'block'", conffile, - line_no, p); + logmsg(LOG_ALERT, "%s:%d: unknown argument '%s' to 'block'", conffile, line_no, p); err--; continue; } if (!strcmp(buf, "allow_missing_dns")) { - if (!strcasecmp(p, "yes") || !strcasecmp(p, "allow") || - !strcasecmp(p, "on")) { + if (!strcasecmp(p, "yes") || !strcasecmp(p, "allow") || !strcasecmp(p, "on")) { options |= OPT_MISSING_DNS; continue; } - if (!strcasecmp(p, "no") || !strcasecmp(p, "deny") || - !strcasecmp(p, "off")) { + if (!strcasecmp(p, "no") || !strcasecmp(p, "deny") || !strcasecmp(p, "off")) { options &= ~OPT_MISSING_DNS; continue; } - logmsg(LOG_ALERT, "%s:%d: unknown argument '%s' to 'allow_missing_dns'", - conffile, line_no, p); + logmsg(LOG_ALERT, "%s:%d: unknown argument '%s' to 'allow_missing_dns'", conffile, line_no, p); err--; continue; } if (!strcmp(buf, "allow_missing_reverse")) { - if (!strcasecmp(p, "yes") || !strcasecmp(p, "allow") || - !strcasecmp(p, "on")) { + if (!strcasecmp(p, "yes") || !strcasecmp(p, "allow") || !strcasecmp(p, "on")) { options |= OPT_MISSING_REVERSE; continue; } - if (!strcasecmp(p, "no") || !strcasecmp(p, "deny") || - !strcasecmp(p, "off")) { + if (!strcasecmp(p, "no") || !strcasecmp(p, "deny") || !strcasecmp(p, "off")) { options &= ~OPT_MISSING_REVERSE; continue; } - logmsg(LOG_ALERT, - "%s:%d: unknown argument '%s' to 'allow_missing_reverse'", - conffile, line_no, p); + logmsg(LOG_ALERT, "%s:%d: unknown argument '%s' to 'allow_missing_reverse'", conffile, line_no, p); err--; continue; } @@ -624,8 +599,7 @@ int read_config(void) { err--; } if (stat(trigger_cmd, &statbuf) == -1) { - logmsg(LOG_ALERT, "%s:%d: command '%s' not found", conffile, line_no, - trigger_cmd); + logmsg(LOG_ALERT, "%s:%d: command '%s' not found", conffile, line_no, trigger_cmd); err--; } continue; 
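Review bot: The reformatted trigger check only asks whether `trigger_cmd` exists (`stat(trigger_cmd, &statbuf) == -1`) and calls it "not found"; this command is later executed by the PAM host process, typically as root, so the properties that matter are that it is a regular file, executable, and not writable by others. Extend the test along the lines of `if (stat(trigger_cmd, &statbuf) == -1 || !S_ISREG(statbuf.st_mode) || !(statbuf.st_mode & S_IXUSR) || (statbuf.st_mode & S_IWOTH))` and word the message to match (`"command '%s' missing, not executable or world-writable"`). The preceding `err--` and the rest of read_config() lie outside this hunk.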
@@ -670,8 +644,8 @@ int read_config(void) { } /* - print the IP number of a db_record - return NULL on error, or buf on success + print the IP number of a db_record + return NULL on error, or buf on success */ const char *print_ip(_pam_shield_db_rec_t *record, char *buf, int buflen) { if (buf == NULL || buflen <= 1) @@ -728,8 +702,7 @@ int run_trigger(char *cmd, _pam_shield_db_rec_t *record) { execvp(argv[0], argv); - logmsg(LOG_CRIT, "failed to execute command '%s %s %s'", trigger_cmd, cmd, - ipbuf); + logmsg(LOG_CRIT, "failed to execute command '%s %s %s'", trigger_cmd, cmd, ipbuf); exit(-1); } else { pid_t err; @@ -753,10 +726,8 @@ int expire_record(_pam_shield_db_rec_t *record) { updated = 0; /* expire entries that are no longer in this interval (sliding window) */ - while (record->count > 0 && - difftime(this_time, record->timestamps[0]) >= (double)interval) { - memmove(record->timestamps, &record->timestamps[1], - (record->max_entries - 1) * sizeof(time_t)); + while (record->count > 0 && difftime(this_time, record->timestamps[0]) >= (double)interval) { + memmove(record->timestamps, &record->timestamps[1], (record->max_entries - 1) * sizeof(time_t)); record->count--; updated++; } @@ -764,8 +735,7 @@ int expire_record(_pam_shield_db_rec_t *record) { if (difftime(this_time, record->trigger_active) >= (double)retention) { /* expire old trigger, but only do this if the sliding window is clean */ if (!record->count) { - logmsg(LOG_DEBUG, "expiring old trigger for %s", - print_ip(record, ipbuf, sizeof(ipbuf))); + logmsg(LOG_DEBUG, "expiring old trigger for %s", print_ip(record, ipbuf, sizeof(ipbuf))); record->trigger_active = (time_t)0L; run_trigger("del", record); updated++; 
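Review bot: In run_trigger's child branch the `exit(-1)` after a failed `execvp()` should be `_exit()`: this code runs in a child forked from the PAM host (sshd, login, ...), and `exit()` runs that process's atexit handlers and flushes its stdio buffers a second time, which can duplicate output or disturb state the parent does not expect. `_exit(127);` (the conventional exec-failure status) is the usual fix; whether the parent's waitpid() handling depends on the exact value is not visible in this hunk. A smaller point in the expire_record hunk: `run_trigger("del", record)` has its result ignored after `trigger_active` was already zeroed, so a failing `del` command is never retried and the block stays in place; mirroring the `add` path (`if (!run_trigger("del", record)) record->trigger_active = (time_t)0L;`) keeps the record until the unblock actually succeeds.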
@@ -781,14 +751,11 @@ int expire_record(_pam_shield_db_rec_t *record) { /* gdbm has encountered a fatal error */ void fatal_func(const char *str) { - logmsg(LOG_ERR, "gdbm encountered a fatal error : %s; resetting the database", - str); + logmsg(LOG_ERR, "gdbm encountered a fatal error : %s; resetting the database", str); gdbm_close(dbf); - if ((dbf = gdbm_open(dbfile, 512, GDBM_NEWDB, (mode_t)0600, fatal_func)) == - NULL) - logmsg(LOG_ERR, "failed to create new gdbm file '%s' : %s", dbfile, - gdbm_strerror(gdbm_errno)); + if ((dbf = gdbm_open(dbfile, 512, GDBM_NEWDB, (mode_t)0600, fatal_func)) == NULL) + logmsg(LOG_ERR, "failed to create new gdbm file '%s' : %s", dbfile, gdbm_strerror(gdbm_errno)); } #pragma GCC visibility pop diff --git a/pam_shield_lib.h b/pam_shield_lib.h index 5189b09..3698ec8 100644 --- a/pam_shield_lib.h +++ b/pam_shield_lib.h 
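Review bot: fatal_func() passes itself as the fatal handler to the `gdbm_open(..., GDBM_NEWDB, ...)` it performs, so a fatal error during the re-creation re-enters fatal_func() and calls `gdbm_close(dbf)` on the handle it is in the middle of replacing; pass `NULL` (or a handler that only logs) for that inner open. More fundamentally, gdbm's fatal handler is, as far as I recall, not expected to return — the library cannot unwind the operation that failed — so returning here with a fresh `dbf` (or a NULL one if the inner open also fails) lets the caller continue on a handle whose state it no longer knows; a flag checked by pam_sm_authenticate after each gdbm call would be safer than recovering inside the callback. Recreating the database also discards every record that has an active trigger, so their `del` triggers can never run and those firewall rules outlive the retention period; that consequence deserves a comment next to the GDBM_NEWDB call, e.g. `/* NOTE: resetting drops active-trigger records; their 'del' triggers will never fire */`.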
@@ -1,24 +1,24 @@
 /*
- pam_shield_lib.h
-
- Copyright (C) 2007-2024
- Walter de Jong
- Jonathan Niehof
- Jeffrey Clark
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ pam_shield_lib.h
+
+ Copyright (C) 2007-2024
+ Walter de Jong
+ Jonathan Niehof
+ Jeffrey Clark
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */
 #include
@@ -89,15 +89,15 @@ void destroy_ip_list(ip_list *list);
 void add_ip_list(ip_list **root, ip_list *ip);
 /*
- try to match an IP number against the allow list
- returns 1 if it matches
+ try to match an IP number against the allow list
+ returns 1 if it matches
 */
 int match_ipv4_list(unsigned char *saddr);
 int match_ipv6_list(unsigned char *saddr);
 /*
- name_lists are hostnames and/or network names
+ name_lists are hostnames and/or network names
 */
 name_list *new_name_list(char *name);
@@ -106,8 +106,8 @@ void destroy_name_list(name_list *list);
 void add_name_list(name_list **root, name_list *n);
 /*
- see if 'name' matches our whitelist
- return 1 if it does
+ see if 'name' matches our whitelist
+ return 1 if it does
 */
 int match_name_list(char *name);
@@ -120,31 +120,31 @@ void deinit_module(void);
 void strip(char *str);
 /*
- multipliers:
- 1s second
- 1m minute
- 1h hour
- 1d day
- 1w week
- 1M month
- 1y year
-
- default is 1
- returns 0 on error
+ multipliers:
+ 1s second
+ 1m minute
+ 1h hour
+ 1d day
+ 1w week
+ 1M month
+ 1y year
+
+ default is 1
+ returns 0 on error
 */
 long get_multiplier(char *str);
 /*
- generate bitmask from '/24' notation
+ generate bitmask from '/24' notation
- mask is struct in_addr.saddr, size is the size of the array
- (4 for IPv4, 16 for IPv6)
+ mask is struct in_addr.saddr, size is the size of the array
+ (4 for IPv4, 16 for IPv6)
 */
 void ip_bitmask(int bits, unsigned char *mask, int size);
 /*
- allow network/netmask, for both IPv4 and IPv6
- netmask can be in canonical or decimal notation
+ allow network/netmask, for both IPv4 and IPv6
+ netmask can be in canonical or decimal notation
 */
 int allow_ip(char *ipnum, int line_no);
@@ -152,8 +152,8 @@ int allow_ip(char *ipnum, int line_no);
 int read_config(void);
 /*
- print the IP number of a db_record
- return NULL on error, or buf on success
+ print the IP number of a db_record
+ return NULL on error, or buf on success
 */
 const char *print_ip(_pam_shield_db_rec_t *record, char *buf, int buflen);
diff --git a/shield_purge.c b/shield_purge.c
index bd0cb1c..23dcb26 100644
--- a/shield_purge.c
+++ b/shield_purge.c
@@ -45,8 +45,7 @@ static void usage(char *progname) {
 "usage: %s \n"
 "options:\n"
 " -h, --help Display this information\n"
- " -c, --conf=file Specify config file (default: " DEFAULT_CONFFILE
- ")\n"
+ " -c, --conf=file Specify config file (default: " DEFAULT_CONFFILE ")\n"
 " -d, --debug Verbose output for debugging purposes\n"
 " -n, --dry-run Do not perform any updates\n"
 " -l, --list List all database entries\n"
@@ -56,31 +55,27 @@ static void usage(char *progname) {
 " (rebuild/verify firewall rules)\n",
 basename(progname));
- printf(
- "\n"
- "This program is part of the PAM-shield package.\n"
- "PAM-shield comes with ABSOLUTELY NO WARRANTY. This is free software, "
- "and you\n"
- "are welcome to redistribute it under certain conditions. See the GNU\n"
- "General Public Licence for details.\n"
- "\n"
- "Copyright (C) 2007-2011 by Walter de Jong \n"
- "Copyright 2010 Jonathan Niehof \n");
+ printf("\n"
+ "This program is part of the PAM-shield package.\n"
+ "PAM-shield comes with ABSOLUTELY NO WARRANTY. This is free software, "
+ "and you\n"
+ "are welcome to redistribute it under certain conditions. See the GNU\n"
+ "General Public Licence for details.\n"
+ "\n"
+ "Copyright (C) 2007-2011 by Walter de Jong \n"
+ "Copyright 2010 Jonathan Niehof \n");
 exit(1);
 }
 static void get_options(int argc, char **argv) {
 int opt;
 struct option long_options[] = {
- {"help", 0, NULL, 'h'}, {"debug", 0, NULL, 'd'},
- {"conf", 1, NULL, 'c'}, {"dry-run", 0, NULL, 'n'},
- {"list", 0, NULL, 'l'}, {"force", 0, NULL, 'f'},
- {"remove", 1, NULL, 'r'}, {"sync", 0, NULL, 's'},
- {NULL, 0, NULL, 0},
+ {"help", 0, NULL, 'h'}, {"debug", 0, NULL, 'd'}, {"conf", 1, NULL, 'c'},
+ {"dry-run", 0, NULL, 'n'}, {"list", 0, NULL, 'l'}, {"force", 0, NULL, 'f'},
+ {"remove", 1, NULL, 'r'}, {"sync", 0, NULL, 's'}, {NULL, 0, NULL, 0},
 };
- while ((opt = getopt_long(argc, argv, "hdc:nlfr:s", long_options, NULL)) !=
- -1) {
+ while ((opt = getopt_long(argc, argv, "hdc:nlfr:s", long_options, NULL)) != -1) {
 switch (opt) {
 case 'h':
 case '?':
@@ -157,14 +152,12 @@ static void print_record(_pam_shield_db_rec_t *record) {
 " \"count\": %u,\n"
 " \"trigger_active\": \"%s\",\n"
 " \"timestamps\": [\n",
- ipbuf, record->max_entries, record->count,
- (record->trigger_active > 0) ? time : "");
+ ipbuf, record->max_entries, record->count, (record->trigger_active > 0) ? time : "");
 for (i = 0; i < record->max_entries; i++)
 if (record->timestamps[i] > 0) {
 time = ctime(&record->timestamps[i]);
 time[strlen(time) - 1] = '\0';
- printf(" \"%s\"%s\n", time,
- (record->timestamps[(i + 1)] > 0) ? "," : "");
+ printf(" \"%s\"%s\n", time, (record->timestamps[(i + 1)] > 0) ? "," : "");
 }
 printf(" ]\n }");
@@ -314,10 +307,8 @@ int main(int argc, char **argv) {
 this_time = time(NULL);
- if ((dbf = gdbm_open(dbfile, 512, GDBM_WRITER, (mode_t)0600, fatal_func)) ==
- NULL) {
- logmsg(LOG_ERR, "failed to open db '%s' : %s", dbfile,
- gdbm_strerror(gdbm_errno));
+ if ((dbf = gdbm_open(dbfile, 512, GDBM_WRITER, (mode_t)0600, fatal_func)) == NULL) {
+ logmsg(LOG_ERR, "failed to open db '%s' : %s", dbfile, gdbm_strerror(gdbm_errno));
 return -1;
 }
 if (options & OPT_LISTDB)
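Review bot: The trailing-comma test `record->timestamps[(i + 1)] > 0` in the reformatted printf reads one element past the timestamps array on the last iteration (i == max_entries - 1), assuming the array holds exactly max_entries entries as the memmove in expire_record suggests; bound the index first, `(i + 1 < record->max_entries && record->timestamps[i + 1] > 0) ? "," : ""`. The two context lines above it use ctime()'s result without a NULL check, so an out-of-range timestamp stored in the database would make the listing crash in strlen(); add `if (time == NULL) continue;` right after the ctime() call. Separately, the local named `time` shadows the library function that main calls as `time(NULL)`, which is legal but easy to misread. print_record's body begins before the hunk.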