crates/nonstick: src/pam_ffi/response.rs comparison

comparison src/pam_ffi/response.rs @ 73:ac6881304c78

Do conversations, along with way too much stuff. This implements conversations, along with all the memory management brouhaha that goes along with it. The conversation now lives directly on the handle rather than being a thing you have to get from it and then call manually. It Turns Out this makes things a lot easier! I guess we reorganized things again. For the last time. For real. I promise. This all passes ASAN, so it seems Pretty Good!

author	Paul Fisher <paul@pfish.zone>
date	Thu, 05 Jun 2025 03:41:38 -0400
parents	47eb242a4f88
children

comparison

equal deleted inserted replaced

-:47eb242a4f88
+:ac6881304c78
 //! Types used when dealing with PAM conversations.
+use crate::conv::BinaryData;
 use crate::pam_ffi::memory;
 use crate::pam_ffi::memory::{CBinaryData, Immovable, NulError, TooBigError};
-use std::ffi::{c_char, c_int, c_void, CStr};
+use crate::Response;
+use std::ffi::{c_int, c_void, CStr};
 use std::ops::{Deref, DerefMut};
 use std::result::Result as StdResult;
 use std::str::Utf8Error;
-use std::{mem, ptr, slice};
+use std::{iter, mem, ptr, slice};
 #[repr(transparent)]
 #[derive(Debug)]
 pub struct RawTextResponse(RawResponse);
 impl RawTextResponse {
-/// Allocates a new text response on the C heap.
+/// Interprets the provided `RawResponse` as a text response.
 ///
-/// Both `self` and its internal pointer are located on the C heap.
+/// # Safety
+///
+/// It's up to you to provide a response that is a `RawTextResponse`.
+pub unsafe fn upcast(from: &mut RawResponse) -> &mut Self {
+// SAFETY: We're provided a valid reference.
+&mut *(from as *mut RawResponse).cast::<Self>()
+}
+/// Fills in the provided `RawResponse` with the given text.
+///
 /// You are responsible for calling [`free`](Self::free_contents)
 /// on the pointer you get back when you're done with it.
 pub fn fill(dest: &mut RawResponse, text: impl AsRef<str>) -> StdResult<&mut Self, NulError> {
 dest.data = memory::malloc_str(text)?.cast();
-Ok(unsafe { &mut *(dest as *mut RawResponse as *mut Self) })
+// SAFETY: We just filled this in so we know it's a text response.
+Ok(unsafe { Self::upcast(dest) })
 }
 /// Gets the string stored in this response.
 pub fn contents(&self) -> StdResult<&str, Utf8Error> {
-// SAFETY: This data is either passed from PAM (so we are forced to
+if self.0.data.is_null() {
-// trust it) or was created by us in TextResponseInner::alloc.
+Ok("")
-// In either case, it's going to be a valid null-terminated string.
+} else {
-unsafe { CStr::from_ptr(self.0.data as *const c_char) }.to_str()
+// SAFETY: This data is either passed from PAM (so we are forced to
+// trust it) or was created by us in TextResponseInner::alloc.
+// In either case, it's going to be a valid null-terminated string.
+unsafe { CStr::from_ptr(self.0.data.cast()) }.to_str()
+}
 }
 /// Releases memory owned by this response.
-///
+pub fn free_contents(&mut self) {
-/// # Safety
+// SAFETY: We know we own this data.
-///
+// After we're done, it will be null.
-/// You are responsible for no longer using this after calling free.
+unsafe {
-pub unsafe fn free_contents(&mut self) {
+memory::zero_c_string(self.0.data);
-let data = self.0.data;
+libc::free(self.0.data);
-memory::zero_c_string(data);
+self.0.data = ptr::null_mut()
-libc::free(data);
+}
-self.0.data = ptr::null_mut()
 }
 }
 /// A [`RawResponse`] with [`CBinaryData`] in it.
 #[repr(transparent)]
 #[derive(Debug)]
 pub struct RawBinaryResponse(RawResponse);
 impl RawBinaryResponse {
-/// Allocates a new binary response on the C heap.
+/// Interprets the provided `RawResponse` as a binary response.
+///
+/// # Safety
+///
+/// It's up to you to provide a response that is a `RawBinaryResponse`.
+pub unsafe fn upcast(from: &mut RawResponse) -> &mut Self {
+// SAFETY: We're provided a valid reference.
+&mut *(from as *mut RawResponse).cast::<Self>()
+}
+/// Fills in a `RawResponse` with the provided binary data.
 ///
 /// The `data_type` is a tag you can use for whatever.
 /// It is passed through PAM unchanged.
 ///
 /// The referenced data is copied to the C heap. We do not take ownership.
 pub fn fill<'a>(
 dest: &'a mut RawResponse,
 data: &[u8],
 data_type: u8,
 ) -> StdResult<&'a mut Self, TooBigError> {
-dest.data = CBinaryData::alloc(data, data_type)? as *mut c_void;
+dest.data = CBinaryData::alloc(data, data_type)?.cast();
-Ok(unsafe {
+// SAFETY: We just filled this in, so we know it's binary.
-(dest as *mut RawResponse)
+Ok(unsafe { Self::upcast(dest) })
-.cast::<RawBinaryResponse>()
-.as_mut()
-.unwrap()
-})
 }
 /// Gets the binary data in this response.
-pub fn contents(&self) -> &[u8] {
+pub fn data(&self) -> &[u8] {
-self.data().contents()
+self.contents().map(CBinaryData::contents).unwrap_or(&[])
 }
 /// Gets the `data_type` tag that was embedded with the message.
 pub fn data_type(&self) -> u8 {
-self.data().data_type()
+self.contents().map(CBinaryData::data_type).unwrap_or(0)
 }
-#[inline]
+fn contents(&self) -> Option<&CBinaryData> {
-fn data(&self) -> &CBinaryData {
 // SAFETY: This was either something we got from PAM (in which case
 // we trust it), or something that was created with
 // BinaryResponseInner::alloc. In both cases, it points to valid data.
-unsafe { &*(self.0.data as *const CBinaryData) }
+unsafe { self.0.data.cast::<CBinaryData>().as_ref() }
+}
+pub fn to_owned(&self) -> BinaryData {
+BinaryData::new(self.data().into(), self.data_type())
 }
 /// Releases memory owned by this response.
-///
+pub fn free_contents(&mut self) {
-/// # Safety
+// SAFETY: We know that our data pointer is either valid or null.
-///
+// Once we're done, it's null and the response is safe.
-/// You are responsible for not using this after calling free.
+unsafe {
-pub unsafe fn free_contents(&mut self) {
+let data_ref = self.0.data.cast::<CBinaryData>().as_mut();
-let data_ref = (self.0.data as *mut CBinaryData).as_mut();
+if let Some(d) = data_ref {
-if let Some(d) = data_ref {
+d.zero_contents()
-d.zero_contents()
+}
-}
+libc::free(self.0.data);
-libc::free(self.0.data);
+self.0.data = ptr::null_mut()
-self.0.data = ptr::null_mut()
+}
 }
 }
 /// Generic version of response data.
 ///
 _marker: Immovable,
 }
 /// A contiguous block of responses.
 #[derive(Debug)]
-#[repr(C)]
 pub struct OwnedResponses {
 base: *mut RawResponse,
 count: usize,
 }
 impl OwnedResponses {
 /// Allocates an owned list of responses on the C heap.
 fn alloc(count: usize) -> Self {
 OwnedResponses {
 // SAFETY: We are doing allocation here.
-base: unsafe { libc::calloc(count, size_of::<RawResponse>()) } as *mut RawResponse,
+base: unsafe { libc::calloc(count, size_of::<RawResponse>()) }.cast(),
 count,
 }
 }
+pub fn build(value: &[Response]) -> StdResult<Self, FillError> {
+let mut outputs = OwnedResponses::alloc(value.len());
+// If we fail in here after allocating OwnedResponses,
+// we still free all memory, even though we don't zero it first.
+// This is an acceptable level of risk.
+for (input, output) in iter::zip(value.iter(), outputs.iter_mut()) {
+match input {
+Response::NoResponse => {
+RawTextResponse::fill(output, "")?;
+}
+Response::Text(data) => {
+RawTextResponse::fill(output, data)?;
+}
+Response::MaskedText(data) => {
+RawTextResponse::fill(output, data.unsecure())?;
+}
+Response::Binary(data) => {
+RawBinaryResponse::fill(output, data.data(), data.data_type())?;
+}
+}
+}
+Ok(outputs)
+}
+/// Converts this into a `*RawResponse` for passing to PAM.
+///
+/// The pointer "owns" its own data (i.e., this will not be dropped).
+pub fn into_ptr(self) -> *mut RawResponse {
+let ret = self.base;
+mem::forget(self);
+ret
+}
 /// Takes ownership of a list of responses allocated on the C heap.
 ///
 /// # Safety
 ///
 /// It's up to you to make sure you pass a valid pointer.
-unsafe fn from_c_heap(base: *mut RawResponse, count: usize) -> Self {
+pub unsafe fn from_c_heap(base: *mut RawResponse, count: usize) -> Self {
 OwnedResponses { base, count }
 }
 }
-impl From<OwnedResponses> for *mut RawResponse {
+#[derive(Debug, thiserror::Error)]
-/// Converts this into a pointer to `RawResponse`.
+#[error("error converting responses: {0}")]
-///
+pub enum FillError {
-/// The backing data is no longer freed.
+NulError(#[from] NulError),
-fn from(value: OwnedResponses) -> Self {
+TooBigError(#[from] TooBigError),
-let ret = value.base;
-mem::forget(value);
-ret
-}
 }
 impl Deref for OwnedResponses {
 type Target = [RawResponse];
 fn deref(&self) -> &Self::Target {
-// SAFETY: We allocated this ourselves, or it was provided to us by PAM.
+// SAFETY: This is the memory we manage ourselves.
 unsafe { slice::from_raw_parts(self.base, self.count) }
 }
 }
 impl DerefMut for OwnedResponses {
 fn deref_mut(&mut self) -> &mut Self::Target {
-// SAFETY: We allocated this ourselves, or it was provided to us by PAM.
+// SAFETY: This is the memory we manage ourselves.
 unsafe { slice::from_raw_parts_mut(self.base, self.count) }
 }
 }
 impl Drop for OwnedResponses {
 // SAFETY: We allocated this ourselves, or it was provided to us by PAM.
 unsafe {
 for resp in self.iter_mut() {
 libc::free(resp.data)
 }
-libc::free(self.base as *mut c_void)
+libc::free(self.base.cast())
 }
 }
 }
 #[cfg(test)]
 mod tests {
+use super::{BinaryData, OwnedResponses, RawBinaryResponse, RawTextResponse, Response};
-use super::{OwnedResponses, RawBinaryResponse, RawTextResponse};
+#[test]
+fn test_round_trip() {
+let responses = [
+Response::Binary(BinaryData::new(vec![1, 2, 3], 99)),
+Response::Text("whats going on".to_owned()),
+Response::MaskedText("well then".into()),
+Response::NoResponse,
+Response::Text("bogus".to_owned()),
+];
+let sent = OwnedResponses::build(&responses).unwrap();
+let heap_resps = sent.into_ptr();
+let mut received = unsafe { OwnedResponses::from_c_heap(heap_resps, 5) };
+let assert_text = |want, raw| {
+let up = unsafe { RawTextResponse::upcast(raw) };
+assert_eq!(want, up.contents().unwrap());
+up.free_contents();
+assert_eq!("", up.contents().unwrap());
+};
+let assert_bin = |want_data: &[u8], want_type, raw| {
+let up = unsafe { RawBinaryResponse::upcast(raw) };
+assert_eq!(want_data, up.data());
+assert_eq!(want_type, up.data_type());
+up.free_contents();
+let empty: [u8; 0] = [];
+assert_eq!(&empty, up.data());
+assert_eq!(0, up.data_type());
+};
+if let [zero, one, two, three, four] = &mut received[..] {
+assert_bin(&[1, 2, 3], 99, zero);
+assert_text("whats going on", one);
+assert_text("well then", two);
+assert_text("", three);
+assert_text("bogus", four);
+} else {
+panic!("wrong size!")
+}
+}
 #[test]
 fn test_text_response() {
 let mut responses = OwnedResponses::alloc(2);
 let text = RawTextResponse::fill(&mut responses[0], "hello").unwrap();
 let data = text.contents().expect("valid");
 assert_eq!("hello", data);
-unsafe {
+text.free_contents();
 text.free_contents();
-text.free_contents();
-}
 RawTextResponse::fill(&mut responses[1], "hell\0").expect_err("should error; contains nul");
 }
 #[test]
 fn test_binary_response() {
 let mut responses = OwnedResponses::alloc(1);
 let real_data = [1, 2, 3, 4, 5, 6, 7, 8];
 let resp = RawBinaryResponse::fill(&mut responses[0], &real_data, 7)
 .expect("alloc should succeed");
-let data = resp.contents();
+let data = resp.data();
 assert_eq!(&real_data, data);
 assert_eq!(7, resp.data_type());
-unsafe {
+resp.free_contents();
 resp.free_contents();
-resp.free_contents();
-}
 }
 #[test]
 #[ignore]
 fn test_binary_response_too_big() {

Mercurial > crates > nonstick

comparison src/pam_ffi/response.rs @ 73:ac6881304c78