From: Alan T. DeKok
Date: Wed, 2 Oct 2024 20:17:26 +0000 (-0400)
Subject: track configuration versions
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d0069ef2a0b9e088fece5d19aeeb3f6c18a1e8b0;p=thirdparty%2Ffreeradius-server.git
track configuration versions
so we can tell if someone mangles the config, and claims otherwise
---
diff --git a/src/bin/radiusd.c b/src/bin/radiusd.c
index aedfd93ec75..8c40080fd64 100644
--- a/src/bin/radiusd.c
+++ b/src/bin/radiusd.c
@@ -637,6 +637,18 @@ int main(int argc, char *argv[])
 */
 INFO("%s", fr_debug_state_to_msg(fr_debug_state));
+ /*
+ * Track configuration versions. This lets us know if the configuration changed.
+ */
+ if (fr_debug_lvl) {
+ uint8_t digest[16];
+
+ cf_md5_final(digest);
+
+ INFO("Configuration version: %02x%02x-%02x%02x-%02x%02x-%02x%02x",
+ digest[0], digest[1], digest[2], digest[3], digest[4], digest[5], digest[6], digest[7]);
+ }
+
 /*
 * Call this again now we've loaded the configuration. Yes I know...
 */
diff --git a/src/lib/server/cf_file.c b/src/lib/server/cf_file.c
index 62b8717cb4b..743632f41a8 100644
--- a/src/lib/server/cf_file.c
+++ b/src/lib/server/cf_file.c
@@ -40,6 +40,7 @@ RCSID("$Id$")
 #include
 #include
 #include
+#include
 #include
 #include
@@ -3058,6 +3059,33 @@ static int frame_readdir(cf_stack_t *stack)
 }
+static fr_md5_ctx_t *cf_md5_ctx = NULL;
+
+void cf_md5_init(void)
+{
+ cf_md5_ctx = fr_md5_ctx_alloc();
+}
+
+
+static void cf_md5_update(char const *p)
+{
+ if (!cf_md5_ctx) return;
+
+ fr_md5_update(cf_md5_ctx, (uint8_t const *)p, strlen(p));
+}
+
+void cf_md5_final(uint8_t *digest)
+{
+ if (!cf_md5_ctx) {
+ memset(digest, 0, MD5_DIGEST_LENGTH);
+ return;
+ }
+
+ fr_md5_final(digest, cf_md5_ctx);
+ fr_md5_ctx_free(cf_md5_ctx);
+ cf_md5_ctx = NULL;
+}
+
 static int cf_file_fill(cf_stack_t *stack)
 {
 bool at_eof, has_spaces;
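Review bot: In the radiusd.c hunk the buffer is declared as `uint8_t digest[16]`, while cf_md5_final() writes `MD5_DIGEST_LENGTH` bytes through a bare `uint8_t *digest`, so the caller's size and the callee's write length agree only by coincidence. Declaring it as `uint8_t digest[MD5_DIGEST_LENGTH];` (assuming the MD5 header is reachable from radiusd.c) and adding `/* digest must point to at least MD5_DIGEST_LENGTH bytes */` above the prototype in the cf_file.h hunk would make the contract explicit. Separately, the log line prints only the first 8 digest bytes of an MD5, which is enough to notice an edit but is not a tamper-proof integrity value; the comment could say `Diagnostic fingerprint only (truncated MD5), not an integrity check.` main() starts and ends outside the hunk.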
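Review bot: cf_md5_init() in the cf_file.c hunk stores a new context in the file-scope `cf_md5_ctx` without releasing one that may already be there, so a second call before cf_md5_final() would leak the old context and silently restart the hash. Adding `if (cf_md5_ctx) fr_md5_ctx_free(cf_md5_ctx);` ahead of the allocation would make the call safe to repeat; whether any caller actually initialises twice is not visible here. The three new functions also carry no comments: cf_md5_update() would benefit from one saying that it hashes the raw text of each line handed to it, with no file name or file boundary mixed in, so readers know what the printed version does and does not cover.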
@@ -3073,6 +3101,7 @@ read_continuation:
 * Get data, and remember if we are at EOF.
 */
 at_eof = (fgets(stack->fill, stack->bufsize - (stack->fill - stack->buff[0]), frame->fp) == NULL);
+ cf_md5_update(stack->fill);
 frame->lineno++;
 /*
diff --git a/src/lib/server/cf_file.h b/src/lib/server/cf_file.h
index 429fbd3bf22..3fd9fce5485 100644
--- a/src/lib/server/cf_file.h
+++ b/src/lib/server/cf_file.h
@@ -49,6 +49,9 @@ void cf_file_free(CONF_SECTION *cs);
 bool cf_file_check(CONF_PAIR *cp, bool check_perms);
 void cf_file_check_user(uid_t uid, gid_t gid);
+void cf_md5_init(void);
+void cf_md5_final(uint8_t *digest);
+
 /*
 * Config file writing
 */
diff --git a/src/lib/server/main_config.c b/src/lib/server/main_config.c
index 431db312a03..55eec15082c 100644
--- a/src/lib/server/main_config.c
+++ b/src/lib/server/main_config.c
@@ -1170,6 +1170,11 @@ do {\
 if (cf_section_rules_push(cs, lib_dir_on_read_config) < 0) goto failure;
 if (cf_section_rules_push(cs, virtual_servers_on_read_config) < 0) goto failure;
+ /*
+ * Track the status of the configuration.
+ */
+ if (fr_debug_lvl) cf_md5_init();
+
 /* Read the configuration file */
 snprintf(buffer, sizeof(buffer), "%.200s/%.50s.conf", config->raddb_dir, config->name);
 if (cf_file_read(cs, buffer) < 0) {
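Review bot: In the cf_file_fill() hunk the added `cf_md5_update(stack->fill);` runs even when fgets() returned NULL. In that case no new line was stored: at end of file the buffer is left as it was, and after a read error its contents are indeterminate, so the strlen() inside cf_md5_update() may hash stale bytes from an earlier read or walk over data that was never initialised. Making the call conditional, `if (!at_eof) cf_md5_update(stack->fill);`, keeps the digest tied to what was actually read from the file. cf_file_fill() continues outside the hunk.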
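Review bot: The comment in the main_config.c hunk, `Track the status of the configuration.`, does not tell the reader that hashing is enabled only when `fr_debug_lvl` is set, or that the context allocated here is released only by the cf_md5_final() call in radiusd.c. A server started without debugging therefore never produces a configuration version, and an exit through `goto failure` appears to leave the context allocated (the failure label is outside the hunk, so this is inferred). A comment such as `Start hashing config lines (debug mode only); must be paired with cf_md5_final().` would record both facts for whoever adds the next caller of this loader.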