From: Alan T. DeKok Date: Mon, 30 Sep 2024 18:10:11 +0000 (-0400) Subject: track configuration versions X-Git-Tag: release_3_2_7~188 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=42ce5c19f78cf32efea56983abf132d29197ef82;p=thirdparty%2Ffreeradius-server.git track configuration versions so we can tell if someone mangles the config, and claims otherwise
---
diff --git a/src/include/conffile.h b/src/include/conffile.h
index 237469c8806..fb3dd805970 100644
--- a/src/include/conffile.h
+++ b/src/include/conffile.h
@@ -300,6 +300,10 @@ int cf_file_changed(CONF_SECTION *cs, rb_walker_t callback);
 extern CONF_SECTION *root_config;
 extern bool cf_new_escape;
+
+void cf_md5_init(void);
+void cf_md5_final(uint8_t *digest);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/main/conffile.c b/src/main/conffile.c
index 4ed7d055b05..92dc4b64939 100644
--- a/src/main/conffile.c
+++ b/src/main/conffile.c
@@ -30,6 +30,7 @@ RCSID("$Id$")
 #include
 #include
+#include
 #include
 #ifdef HAVE_DIRENT_H
@@ -2333,6 +2334,34 @@ static char const *cf_local_file(char const *base, char const *filename,
 return buffer;
 }
+static bool cf_md5_initted = false;
+static FR_MD5_CTX conf_context;
+
+void cf_md5_init(void)
+{
+ fr_md5_init(&conf_context);
+ cf_md5_initted = true;
+}
+
+
+static void cf_md5_update(char const *p)
+{
+ if (!cf_md5_initted) return;
+
+ fr_md5_update(&conf_context, p, strlen(p));
+}
+
+void cf_md5_final(uint8_t *digest)
+{
+ if (!cf_md5_initted) {
+ memset(digest, 0, MD5_DIGEST_LENGTH);
+ return;
+ }
+
+ fr_md5_final(digest, &conf_context);
+ cf_md5_initted = false;
+}
+
 /*
 * Read a part of the config file.
@@ -2369,6 +2398,7 @@ static int cf_section_read(char const *filename, int *lineno, FILE *fp,
 * Get data, and remember if we are at EOF.
 */
 at_eof = (fgets(cbuf, sizeof(buf) - (cbuf - buf), fp) == NULL);
+ cf_md5_update(cbuf);
 (*lineno)++;
 /*
diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
index 2b2dda804b0..6cb8a25c4e7 100644
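Review bot: The `cf_md5_final(uint8_t *digest)` prototype added to src/include/conffile.h does not say how large the caller's buffer must be, although the definition in conffile.c writes MD5_DIGEST_LENGTH bytes through it on both paths. A comment on the declaration would make that contract visible, for example `/* digest must point to at least MD5_DIGEST_LENGTH bytes; it is zero-filled when cf_md5_init() was never called */`. The caller in the radiusd.c hunk sizes its buffer with a literal, `uint8_t digest[16];`, and `uint8_t digest[MD5_DIGEST_LENGTH];` would tie the two together, assuming the MD5 header is reachable from that file.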
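Review bot: The three helpers added to src/main/conffile.c (`cf_md5_init`, `cf_md5_update`, `cf_md5_final`) have no comment stating what the digest may be relied on for, and that matters because it is MD5. MD5 is enough to notice an edit that someone did not mention, which is the purpose the commit message gives, but it does not resist a deliberately crafted collision. A block comment above `cf_md5_init()` should say that this is a change indicator for support and debugging, not an integrity control. The same comment should note that the state is a single file-scope context, that only one accumulation can be in progress, and that `cf_md5_final()` ends it. It would also help to record that only text passing through `cf_section_read()` is hashed; files a module opens itself are presumably not covered.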
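Review bot: In the `cf_section_read()` hunk of src/main/conffile.c, `cf_md5_update(cbuf)` runs even when the `fgets()` on the line before it returned NULL. At end of file fgets leaves the buffer untouched and after a read error its contents are indeterminate, so `strlen(p)` inside the helper can walk stale data and the digest can absorb bytes that were not read on this pass; whether cbuf is cleared beforehand is outside the hunk. Guarding the call keeps the hash a function of the bytes actually read: `if (!at_eof) cf_md5_update(cbuf);`. The body of cf_section_read extends beyond the hunk in both directions.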
--- a/src/main/mainconfig.c
+++ b/src/main/mainconfig.c
@@ -1006,6 +1006,11 @@ do {\
 }
 version_init_numbers(subcs);
+ /*
+ * Track the status of the configuration.
+ */
+ if (rad_debug_lvl) cf_md5_init();
+
 /* Read the configuration file */
 snprintf(buffer, sizeof(buffer), "%.200s/%.50s.conf", radius_dir, main_config.name);
 if (cf_file_read(cs, buffer) < 0) {
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
index f2acec7dd90..f43f4e5767f 100644
--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
@@ -360,6 +360,18 @@ int main(int argc, char *argv[])
 */
 INFO("%s", fr_debug_state_to_msg(fr_debug_state));
+ /*
+ * Track configuration versions. This lets us know if the configuration changed.
+ */
+ if (rad_debug_lvl) {
+ uint8_t digest[16];
+
+ cf_md5_final(digest);
+
+ INFO("Configuration version: %02x%02x-%02x%02x-%02x%02x-%02x%02x",
+ digest[0], digest[1], digest[2], digest[3], digest[4], digest[5], digest[6], digest[7]);
+ }
+
 /*
 * Check for vulnerabilities in the version of libssl were linked against.
 */
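Review bot: The `INFO("Configuration version: ...")` call in the radiusd.c hunk prints only `digest[0]` through `digest[7]`, half of the MD5 output, and the comment above it does not say the truncation is intentional. A 64-bit prefix is fine as a label for comparing two debug logs, but anyone reading the line later should not take it for a full checksum. I would extend the comment to something like `/* Log a truncated (first 8 bytes) MD5 of the config text as a short version label; debug mode only, not an integrity check. */`. The value is all zeros when `cf_md5_init()` was not called, which is worth stating in the same comment because a zero version would otherwise look like a real fingerprint.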