]> jfr.im git - irc/rqf/shadowircd.git/blob - src/s_auth.c
projects / irc / rqf / shadowircd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
[svn] - the new plan:
[irc/rqf/shadowircd.git] / src / s_auth.c
1 /*
2 * ircd-ratbox: A slightly useful ircd.
3 * s_auth.c: Functions for querying a users ident.
4 *
5 * Copyright (C) 1990 Jarkko Oikarinen and University of Oulu, Co Center
6 * Copyright (C) 1996-2002 Hybrid Development Team
7 * Copyright (C) 2002-2005 ircd-ratbox development team
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
22 * USA
23 *
24 * $Id: s_auth.c 1683 2006-06-20 14:26:16Z jilles $ */
25
26 /*
27 * Changes:
28 * July 6, 1999 - Rewrote most of the code here. When a client connects
29 * to the server and passes initial socket validation checks, it
30 * is owned by this module (auth) which returns it to the rest of the
31 * server when dns and auth queries are finished. Until the client is
32 * released, the server does not know it exists and does not process
33 * any messages from it.
34 * --Bleep Thomas Helvey <tomh@inxpress.net>
35 */
36 #include "stdinc.h"
37 #include "config.h"
38 #include "tools.h"
39 #include "s_auth.h"
40 #include "s_conf.h"
41 #include "client.h"
42 #include "common.h"
43 #include "event.h"
44 #include "irc_string.h"
45 #include "sprintf_irc.h"
46 #include "ircd.h"
47 #include "numeric.h"
48 #include "packet.h"
49 #include "res.h"
50 #include "commio.h"
51 #include "s_log.h"
52 #include "s_stats.h"
53 #include "send.h"
54 #include "memory.h"
55 #include "hook.h"
56 #include "blacklist.h"
57
58 /*
59 * a bit different approach
60 * this replaces the original sendheader macros
61 */
62
63 static const char *HeaderMessages[] =
64 {
65 "NOTICE AUTH :*** Looking up your hostname...",
66 "NOTICE AUTH :*** Found your hostname",
67 "NOTICE AUTH :*** Couldn't look up your hostname",
68 "NOTICE AUTH :*** Checking Ident",
69 "NOTICE AUTH :*** Got Ident response",
70 "NOTICE AUTH :*** No Ident response",
71 "NOTICE AUTH :*** Your hostname is too long, ignoring hostname",
72 "NOTICE AUTH :*** Your forward and reverse DNS do not match, ignoring hostname",
73 "NOTICE AUTH :*** Cannot verify hostname validity, ignoring hostname",
74 };
75
76 typedef enum
77 {
78 REPORT_DO_DNS,
79 REPORT_FIN_DNS,
80 REPORT_FAIL_DNS,
81 REPORT_DO_ID,
82 REPORT_FIN_ID,
83 REPORT_FAIL_ID,
84 REPORT_HOST_TOOLONG,
85 REPORT_HOST_MISMATCH,
86 REPORT_HOST_UNKNOWN
87 }
88 ReportType;
89
90 #define sendheader(c, r) sendto_one(c, HeaderMessages[(r)])
91
92 static dlink_list auth_poll_list;
93 static BlockHeap *auth_heap;
94 static EVH timeout_auth_queries_event;
95
96 static PF read_auth_reply;
97 static CNCB auth_connect_callback;
98
99 /*
100 * init_auth()
101 *
102 * Initialise the auth code
103 */
104 void
105 init_auth(void)
106 {
107 /* This hook takes a struct Client for its argument */
108 memset(&auth_poll_list, 0, sizeof(auth_poll_list));
109 eventAddIsh("timeout_auth_queries_event", timeout_auth_queries_event, NULL, 1);
110 auth_heap = BlockHeapCreate(sizeof(struct AuthRequest), LCLIENT_HEAP_SIZE);
111 }
112
113 /*
114 * make_auth_request - allocate a new auth request
115 */
116 static struct AuthRequest *
117 make_auth_request(struct Client *client)
118 {
119 struct AuthRequest *request = BlockHeapAlloc(auth_heap);
120 client->localClient->auth_request = request;
121 request->fd = -1;
122 request->client = client;
123 request->timeout = CurrentTime + ConfigFileEntry.connect_timeout;
124 return request;
125 }
126
127 /*
128 * free_auth_request - cleanup auth request allocations
129 */
130 static void
131 free_auth_request(struct AuthRequest *request)
132 {
133 BlockHeapFree(auth_heap, request);
134 }
135
136 /*
137 * release_auth_client - release auth client from auth system
138 * this adds the client into the local client lists so it can be read by
139 * the main io processing loop
140 */
141 static void
142 release_auth_client(struct AuthRequest *auth)
143 {
144 struct Client *client = auth->client;
145
146 if(IsDNSPending(auth) || IsDoingAuth(auth))
147 return;
148
149 client->localClient->auth_request = NULL;
150 dlinkDelete(&auth->node, &auth_poll_list);
151 free_auth_request(auth);
152 if(client->localClient->fd > highest_fd)
153 highest_fd = client->localClient->fd;
154
155 /*
156 * When a client has auth'ed, we want to start reading what it sends
157 * us. This is what read_packet() does.
158 * -- adrian
159 */
160 client->localClient->allow_read = MAX_FLOOD;
161 comm_setflush(client->localClient->fd, 1000, flood_recalc, client);
162 dlinkAddTail(client, &client->node, &global_client_list);
163 read_packet(client->localClient->fd, client);
164 }
165
166 /*
167 * auth_dns_callback - called when resolver query finishes
168 * if the query resulted in a successful search, hp will contain
169 * a non-null pointer, otherwise hp will be null.
170 * set the client on it's way to a connection completion, regardless
171 * of success of failure
172 */
173 static void
174 auth_dns_callback(void *vptr, struct DNSReply *reply)
175 {
176 struct AuthRequest *auth = (struct AuthRequest *) vptr;
177 ClearDNSPending(auth);
178
179 /* XXX: this shouldn't happen, but it does. -nenolod */
180 if(auth->client->localClient == NULL)
181 {
182 sendto_realops_snomask(SNO_GENERAL, L_ALL,
183 "auth_dns_callback(): auth->client->localClient (%s) is NULL", get_client_name(auth->client, HIDE_IP));
184
185 dlinkDelete(&auth->node, &auth_poll_list);
186 free_auth_request(auth);
187
188 /* and they will silently drop through and all will hopefully be ok... -nenolod */
189 return;
190 }
191
192 if(reply)
193 {
194 int good = 1;
195
196 if(auth->client->localClient->ip.ss_family == AF_INET)
197 {
198 struct sockaddr_in *ip, *ip_fwd;
199
200 ip = (struct sockaddr_in *) &auth->client->localClient->ip;
201 ip_fwd = (struct sockaddr_in *) &reply->addr;
202
203 if(ip->sin_addr.s_addr != ip_fwd->sin_addr.s_addr)
204 {
205 sendheader(auth->client, REPORT_HOST_MISMATCH);
206 good = 0;
207 }
208 }
209 #ifdef IPV6
210 else if(auth->client->localClient->ip.ss_family == AF_INET6)
211 {
212 struct sockaddr_in6 *ip, *ip_fwd;
213
214 ip = (struct sockaddr_in6 *) &auth->client->localClient->ip;
215 ip_fwd = (struct sockaddr_in6 *) &reply->addr;
216
217 if(memcmp(&ip->sin6_addr, &ip_fwd->sin6_addr, sizeof(struct in6_addr)) != 0)
218 {
219 sendheader(auth->client, REPORT_HOST_MISMATCH);
220 good = 0;
221 }
222 }
223 #endif
224 else /* can't verify it, don't know how. reject it. */
225 {
226 sendheader(auth->client, REPORT_HOST_UNKNOWN);
227 good = 0;
228 }
229
230 if(good && strlen(reply->h_name) <= HOSTLEN)
231 {
232 strlcpy(auth->client->host, reply->h_name, sizeof(auth->client->host));
233 sendheader(auth->client, REPORT_FIN_DNS);
234 }
235 else if (strlen(reply->h_name) > HOSTLEN)
236 sendheader(auth->client, REPORT_HOST_TOOLONG);
237 }
238 else
239 sendheader(auth->client, REPORT_FAIL_DNS);
240
241 release_auth_client(auth);
242 }
243
244 /*
245 * authsenderr - handle auth send errors
246 */
247 static void
248 auth_error(struct AuthRequest *auth)
249 {
250 ++ServerStats->is_abad;
251
252 comm_close(auth->fd);
253 auth->fd = -1;
254
255 ClearAuth(auth);
256 sendheader(auth->client, REPORT_FAIL_ID);
257
258 release_auth_client(auth);
259 }
260
261 /*
262 * start_auth_query - Flag the client to show that an attempt to
263 * contact the ident server on
264 * the client's host. The connect and subsequently the socket are all put
265 * into 'non-blocking' mode. Should the connect or any later phase of the
266 * identifing process fail, it is aborted and the user is given a username
267 * of "unknown".
268 */
269 static int
270 start_auth_query(struct AuthRequest *auth)
271 {
272 struct irc_sockaddr_storage localaddr;
273 socklen_t locallen = sizeof(struct irc_sockaddr_storage);
274 int fd;
275 int family;
276
277 if(IsAnyDead(auth->client))
278 return 0;
279
280 family = auth->client->localClient->ip.ss_family;
281 if((fd = comm_socket(family, SOCK_STREAM, 0, "ident")) == -1)
282 {
283 report_error("creating auth stream socket %s:%s",
284 get_client_name(auth->client, SHOW_IP),
285 log_client_name(auth->client, SHOW_IP), errno);
286 ++ServerStats->is_abad;
287 return 0;
288 }
289 if((MAXCONNECTIONS - 10) < fd)
290 {
291 sendto_realops_snomask(SNO_GENERAL, L_ALL,
292 "Can't allocate fd for auth on %s",
293 get_client_name(auth->client, SHOW_IP));
294 comm_close(fd);
295 return 0;
296 }
297
298 sendheader(auth->client, REPORT_DO_ID);
299
300 /*
301 * get the local address of the client and bind to that to
302 * make the auth request. This used to be done only for
303 * ifdef VIRTUAL_HOST, but needs to be done for all clients
304 * since the ident request must originate from that same address--
305 * and machines with multiple IP addresses are common now
306 */
307 memset(&localaddr, 0, locallen);
308 getsockname(auth->client->localClient->fd,
309 (struct sockaddr *) &localaddr, &locallen);
310
311 mangle_mapped_sockaddr((struct sockaddr *)&localaddr);
312 #ifdef IPV6
313 if(localaddr.ss_family == AF_INET6)
314 {
315 ((struct sockaddr_in6 *)&localaddr)->sin6_port = 0;
316 } else
317 #endif
318 ((struct sockaddr_in *)&localaddr)->sin_port = 0;
319
320 auth->fd = fd;
321 SetAuthConnect(auth);
322
323 comm_connect_tcp(fd, auth->client->sockhost, 113,
324 (struct sockaddr *) &localaddr, GET_SS_LEN(localaddr),
325 auth_connect_callback, auth,
326 localaddr.ss_family, GlobalSetOptions.ident_timeout);
327 return 1; /* We suceed here for now */
328 }
329
330 /*
331 * GetValidIdent - parse ident query reply from identd server
332 *
333 * Inputs - pointer to ident buf
334 * Output - NULL if no valid ident found, otherwise pointer to name
335 * Side effects -
336 */
337 static char *
338 GetValidIdent(char *buf)
339 {
340 int remp = 0;
341 int locp = 0;
342 char *colon1Ptr;
343 char *colon2Ptr;
344 char *colon3Ptr;
345 char *commaPtr;
346 char *remotePortString;
347
348 /* All this to get rid of a sscanf() fun. */
349 remotePortString = buf;
350
351 colon1Ptr = strchr(remotePortString, ':');
352 if(!colon1Ptr)
353 return 0;
354
355 *colon1Ptr = '\0';
356 colon1Ptr++;
357 colon2Ptr = strchr(colon1Ptr, ':');
358 if(!colon2Ptr)
359 return 0;
360
361 *colon2Ptr = '\0';
362 colon2Ptr++;
363 commaPtr = strchr(remotePortString, ',');
364
365 if(!commaPtr)
366 return 0;
367
368 *commaPtr = '\0';
369 commaPtr++;
370
371 remp = atoi(remotePortString);
372 if(!remp)
373 return 0;
374
375 locp = atoi(commaPtr);
376 if(!locp)
377 return 0;
378
379 /* look for USERID bordered by first pair of colons */
380 if(!strstr(colon1Ptr, "USERID"))
381 return 0;
382
383 colon3Ptr = strchr(colon2Ptr, ':');
384 if(!colon3Ptr)
385 return 0;
386
387 *colon3Ptr = '\0';
388 colon3Ptr++;
389 return (colon3Ptr);
390 }
391
392 /*
393 * start_auth - starts auth (identd) and dns queries for a client
394 */
395 void
396 start_auth(struct Client *client)
397 {
398 struct AuthRequest *auth = 0;
399 s_assert(0 != client);
400 if(client == NULL)
401 return;
402
403 /* to aid bopm which needs something unique to match against */
404 sendto_one(client, "NOTICE AUTH :*** Processing connection to %s",
405 me.name);
406
407 auth = make_auth_request(client);
408
409 auth->dns_query.ptr = auth;
410 auth->dns_query.callback = auth_dns_callback;
411
412 sendheader(client, REPORT_DO_DNS);
413
414 /* No DNS cache now, remember? -- adrian */
415 gethost_byaddr(&client->localClient->ip, &auth->dns_query);
416
417 SetDNSPending(auth);
418
419 if(ConfigFileEntry.disable_auth == 0)
420 start_auth_query(auth);
421
422 dlinkAdd(auth, &auth->node, &auth_poll_list);
423 }
424
425 /*
426 * timeout_auth_queries - timeout resolver and identd requests
427 * allow clients through if requests failed
428 */
429 static void
430 timeout_auth_queries_event(void *notused)
431 {
432 dlink_node *ptr;
433 dlink_node *next_ptr;
434 struct AuthRequest *auth;
435
436 DLINK_FOREACH_SAFE(ptr, next_ptr, auth_poll_list.head)
437 {
438 auth = ptr->data;
439
440 if(auth->timeout < CurrentTime)
441 {
442 if(auth->fd >= 0)
443 comm_close(auth->fd);
444
445 if(IsDoingAuth(auth))
446 {
447 ClearAuth(auth);
448 ++ServerStats->is_abad;
449 sendheader(auth->client, REPORT_FAIL_ID);
450 auth->client->localClient->auth_request = NULL;
451 }
452 if(IsDNSPending(auth))
453 {
454 ClearDNSPending(auth);
455 delete_resolver_queries(&auth->dns_query);
456 sendheader(auth->client, REPORT_FAIL_DNS);
457 }
458
459 auth->client->localClient->lasttime = CurrentTime;
460 release_auth_client(auth);
461 }
462 }
463 }
464
465 /*
466 * auth_connect_callback() - deal with the result of comm_connect_tcp()
467 *
468 * If the connection failed, we simply close the auth fd and report
469 * a failure. If the connection suceeded send the ident server a query
470 * giving "theirport , ourport". The write is only attempted *once* so
471 * it is deemed to be a fail if the entire write doesn't write all the
472 * data given. This shouldnt be a problem since the socket should have
473 * a write buffer far greater than this message to store it in should
474 * problems arise. -avalon
475 */
476 static void
477 auth_connect_callback(int fd, int error, void *data)
478 {
479 struct AuthRequest *auth = data;
480 struct sockaddr_in us;
481 struct sockaddr_in them;
482 char authbuf[32];
483 socklen_t ulen = sizeof(struct sockaddr_in);
484 socklen_t tlen = sizeof(struct sockaddr_in);
485
486 /* Check the error */
487 if(error != COMM_OK)
488 {
489 /* We had an error during connection :( */
490 auth_error(auth);
491 return;
492 }
493
494 if(getsockname
495 (auth->client->localClient->fd, (struct sockaddr *) &us,
496 (socklen_t *) & ulen)
497 || getpeername(auth->client->localClient->fd,
498 (struct sockaddr *) &them, (socklen_t *) & tlen))
499 {
500 ilog(L_IOERROR, "auth get{sock,peer}name error for %s:%m",
501 log_client_name(auth->client, SHOW_IP));
502 auth_error(auth);
503 return;
504 }
505 ircsnprintf(authbuf, sizeof(authbuf), "%u , %u\r\n",
506 (unsigned int) ntohs(them.sin_port), (unsigned int) ntohs(us.sin_port));
507
508 if(write(auth->fd, authbuf, strlen(authbuf)) == -1)
509 {
510 auth_error(auth);
511 return;
512 }
513 ClearAuthConnect(auth);
514 SetAuthPending(auth);
515 read_auth_reply(auth->fd, auth);
516 }
517
518
519 /*
520 * read_auth_reply - read the reply (if any) from the ident server
521 * we connected to.
522 * We only give it one shot, if the reply isn't good the first time
523 * fail the authentication entirely. --Bleep
524 */
525 #define AUTH_BUFSIZ 128
526
527 static void
528 read_auth_reply(int fd, void *data)
529 {
530 struct AuthRequest *auth = data;
531 char *s = NULL;
532 char *t = NULL;
533 int len;
534 int count;
535 char buf[AUTH_BUFSIZ + 1]; /* buffer to read auth reply into */
536
537 len = read(auth->fd, buf, AUTH_BUFSIZ);
538
539 if(len < 0 && ignoreErrno(errno))
540 {
541 comm_setselect(fd, FDLIST_IDLECLIENT, COMM_SELECT_READ, read_auth_reply, auth, 0);
542 return;
543 }
544
545 if(len > 0)
546 {
547 buf[len] = '\0';
548
549 if((s = GetValidIdent(buf)))
550 {
551 t = auth->client->username;
552
553 while (*s == '~' || *s == '^')
554 s++;
555
556 for (count = USERLEN; *s && count; s++)
557 {
558 if(*s == '@')
559 {
560 break;
561 }
562 if(!IsSpace(*s) && *s != ':' && *s != '[')
563 {
564 *t++ = *s;
565 count--;
566 }
567 }
568 *t = '\0';
569 }
570 }
571
572 comm_close(auth->fd);
573 auth->fd = -1;
574 ClearAuth(auth);
575
576 if(s == NULL)
577 {
578 ++ServerStats->is_abad;
579 strcpy(auth->client->username, "unknown");
580 sendheader(auth->client, REPORT_FAIL_ID);
581 }
582 else
583 {
584 sendheader(auth->client, REPORT_FIN_ID);
585 ++ServerStats->is_asuc;
586 SetGotId(auth->client);
587 }
588
589 release_auth_client(auth);
590 }
591
592
593
594 /*
595 * delete_auth_queries()
596 *
597 */
598 void
599 delete_auth_queries(struct Client *target_p)
600 {
601 struct AuthRequest *auth;
602
603 if(target_p == NULL || target_p->localClient == NULL ||
604 target_p->localClient->auth_request == NULL)
605 return;
606
607 auth = target_p->localClient->auth_request;
608 target_p->localClient->auth_request = NULL;
609
610 if(IsDNSPending(auth))
611 delete_resolver_queries(&auth->dns_query);
612
613 if(auth->fd >= 0)
614 comm_close(auth->fd);
615
616 dlinkDelete(&auth->node, &auth_poll_list);
617 free_auth_request(auth);
618 }
Unnamed repository; edit this file 'description' to name the repository.