]>
Commit | Line | Data |
---|---|---|
add80afd EM |
1 | /* |
2 | * charybdis: A slightly useful ircd. | |
3 | * blacklist.c: Manages DNS blacklist entries and lookups | |
4 | * | |
5 | * Copyright (C) 2006-2011 charybdis development team | |
6 | * | |
7 | * Redistribution and use in source and binary forms, with or without | |
8 | * modification, are permitted provided that the following conditions are | |
9 | * met: | |
10 | * | |
11 | * 1. Redistributions of source code must retain the above copyright notice, | |
12 | * this list of conditions and the following disclaimer. | |
13 | * | |
14 | * 2. Redistributions in binary form must reproduce the above copyright | |
15 | * notice, this list of conditions and the following disclaimer in the | |
16 | * documentation and/or other materials provided with the distribution. | |
17 | * | |
18 | * 3. The name of the author may not be used to endorse or promote products | |
19 | * derived from this software without specific prior written permission. | |
20 | * | |
21 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |
22 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |
23 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
24 | * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, | |
25 | * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |
26 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
27 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
29 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | |
30 | * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
31 | * POSSIBILITY OF SUCH DAMAGE. | |
32 | */ | |
33 | ||
34 | /* Originally written for charybdis circa 2006 (by nenolod?). | |
35 | * Tweaked for authd. Some functions and structs renamed. Public/private | |
36 | * interfaces have been shifted around. Some code has been cleaned up too. | |
37 | * -- Elizafox 24 March 2016 | |
38 | */ | |
39 | ||
40 | #include "authd.h" | |
41 | #include "provider.h" | |
db821ee9 | 42 | #include "notice.h" |
add80afd EM |
43 | #include "stdinc.h" |
44 | #include "dns.h" | |
45 | ||
46 | typedef enum filter_t | |
47 | { | |
48 | FILTER_ALL = 1, | |
49 | FILTER_LAST = 2, | |
50 | } filter_t; | |
51 | ||
52 | /* Blacklist accepted IP types */ | |
53 | #define IPTYPE_IPV4 1 | |
54 | #define IPTYPE_IPV6 2 | |
55 | ||
56 | /* A configured DNSBL */ | |
57 | struct blacklist | |
58 | { | |
59 | char host[IRCD_RES_HOSTLEN + 1]; | |
60 | char reason[BUFSIZE]; /* Reason template (ircd fills in the blanks) */ | |
61 | unsigned char iptype; /* IP types supported */ | |
62 | rb_dlink_list filters; /* Filters for queries */ | |
63 | ||
64 | bool delete; /* If true delete when no clients */ | |
65 | int refcount; /* When 0 and delete is set, remove this blacklist */ | |
66 | ||
67 | time_t lastwarning; /* Last warning about garbage replies sent */ | |
68 | }; | |
69 | ||
70 | /* A lookup in progress for a particular DNSBL for a particular client */ | |
71 | struct blacklist_lookup | |
72 | { | |
73 | struct blacklist *bl; /* Blacklist we're checking */ | |
74 | struct auth_client *auth; /* Client */ | |
75 | struct dns_query *query; /* DNS query pointer */ | |
76 | ||
77 | rb_dlink_node node; | |
78 | }; | |
79 | ||
80 | /* A blacklist filter */ | |
81 | struct blacklist_filter | |
82 | { | |
83 | filter_t type; /* Type of filter */ | |
3f2695ac | 84 | char filter[HOSTIPLEN]; /* The filter itself */ |
add80afd EM |
85 | |
86 | rb_dlink_node node; | |
87 | }; | |
88 | ||
89 | /* Blacklist user data attached to auth_client instance */ | |
90 | struct blacklist_user | |
91 | { | |
92 | rb_dlink_list queries; /* Blacklist queries in flight */ | |
93 | time_t timeout; /* When this times out */ | |
94 | }; | |
95 | ||
96 | /* public interfaces */ | |
97 | static bool blacklists_init(void); | |
98 | static void blacklists_destroy(void); | |
99 | ||
100 | static bool blacklists_start(struct auth_client *); | |
101 | static void blacklists_cancel(struct auth_client *); | |
102 | ||
103 | /* private interfaces */ | |
104 | static void unref_blacklist(struct blacklist *); | |
3f2695ac EM |
105 | static struct blacklist *new_blacklist(const char *, const char *, unsigned char, rb_dlink_list *); |
106 | static struct blacklist *find_blacklist(const char *); | |
add80afd EM |
107 | static bool blacklist_check_reply(struct blacklist_lookup *, const char *); |
108 | static void blacklist_dns_callback(const char *, bool, query_type, void *); | |
109 | static void initiate_blacklist_dnsquery(struct blacklist *, struct auth_client *); | |
110 | static void timeout_blacklist_queries_event(void *); | |
111 | ||
112 | /* Variables */ | |
113 | static rb_dlink_list blacklist_list = { NULL, NULL, 0 }; | |
114 | static struct ev_entry *timeout_ev; | |
115 | static EVH timeout_blacklists; | |
116 | static int blacklist_timeout = 15; | |
117 | ||
118 | /* private interfaces */ | |
119 | ||
120 | static void | |
121 | unref_blacklist(struct blacklist *bl) | |
122 | { | |
123 | rb_dlink_node *ptr, *nptr; | |
124 | ||
125 | bl->refcount--; | |
126 | if (bl->delete && bl->refcount <= 0) | |
127 | { | |
128 | RB_DLINK_FOREACH_SAFE(ptr, nptr, bl->filters.head) | |
129 | { | |
130 | rb_dlinkDelete(ptr, &bl->filters); | |
131 | rb_free(ptr); | |
132 | } | |
133 | ||
134 | rb_dlinkFindDestroy(bl, &blacklist_list); | |
135 | rb_free(bl); | |
136 | } | |
137 | } | |
138 | ||
139 | static struct blacklist * | |
3f2695ac | 140 | new_blacklist(const char *name, const char *reason, unsigned char iptype, rb_dlink_list *filters) |
add80afd EM |
141 | { |
142 | struct blacklist *bl; | |
143 | ||
3f2695ac | 144 | if (name == NULL || reason == NULL || iptype == 0) |
add80afd EM |
145 | return NULL; |
146 | ||
147 | if((bl = find_blacklist(name)) == NULL) | |
148 | { | |
149 | bl = rb_malloc(sizeof(struct blacklist)); | |
150 | rb_dlinkAddAlloc(bl, &blacklist_list); | |
151 | } | |
152 | else | |
153 | bl->delete = false; | |
154 | ||
155 | rb_strlcpy(bl->host, name, IRCD_RES_HOSTLEN + 1); | |
156 | rb_strlcpy(bl->reason, reason, BUFSIZE); | |
3f2695ac | 157 | bl->iptype = iptype; |
add80afd EM |
158 | |
159 | rb_dlinkMoveList(filters, &bl->filters); | |
160 | ||
161 | bl->lastwarning = 0; | |
162 | ||
163 | return bl; | |
164 | } | |
165 | ||
166 | static struct blacklist * | |
3f2695ac | 167 | find_blacklist(const char *name) |
add80afd EM |
168 | { |
169 | rb_dlink_node *ptr; | |
170 | ||
171 | RB_DLINK_FOREACH(ptr, blacklist_list.head) | |
172 | { | |
173 | struct blacklist *bl = (struct blacklist *)ptr->data; | |
174 | ||
175 | if (!strcasecmp(bl->host, name)) | |
176 | return bl; | |
177 | } | |
178 | ||
179 | return NULL; | |
180 | } | |
181 | ||
182 | static inline bool | |
183 | blacklist_check_reply(struct blacklist_lookup *bllookup, const char *ipaddr) | |
184 | { | |
185 | struct blacklist *bl = bllookup->bl; | |
186 | const char *lastoctet; | |
187 | rb_dlink_node *ptr; | |
188 | ||
189 | /* No filters and entry found - thus positive match */ | |
190 | if (!rb_dlink_list_length(&bl->filters)) | |
191 | return true; | |
192 | ||
193 | /* Below will prolly have to change if IPv6 address replies are sent back */ | |
194 | if ((lastoctet = strrchr(ipaddr, '.')) == NULL || *(++lastoctet) == '\0') | |
195 | goto blwarn; | |
196 | ||
197 | RB_DLINK_FOREACH(ptr, bl->filters.head) | |
198 | { | |
199 | struct blacklist_filter *filter = ptr->data; | |
200 | const char *cmpstr; | |
201 | ||
202 | if (filter->type == FILTER_ALL) | |
203 | cmpstr = ipaddr; | |
204 | else if (filter->type == FILTER_LAST) | |
205 | cmpstr = lastoctet; | |
206 | else | |
207 | { | |
208 | warn_opers(L_CRIT, "BUG: Unknown blacklist filter type on blacklist %s: %d", | |
209 | bl->host, filter->type); | |
210 | continue; | |
211 | } | |
212 | ||
3f2695ac | 213 | if (strcmp(cmpstr, filter->filter) == 0) |
add80afd EM |
214 | /* Match! */ |
215 | return true; | |
216 | } | |
217 | ||
218 | return false; | |
219 | blwarn: | |
220 | if (bl->lastwarning + 3600 < rb_current_time()) | |
221 | { | |
222 | warn_opers(L_WARN, "Garbage/undecipherable reply received from blacklist %s (reply %s)", | |
223 | bl->host, ipaddr); | |
224 | bl->lastwarning = rb_current_time(); | |
225 | } | |
226 | return false; | |
227 | } | |
228 | ||
229 | static void | |
230 | blacklist_dns_callback(const char *result, bool status, query_type type, void *data) | |
231 | { | |
232 | struct blacklist_lookup *bllookup = (struct blacklist_lookup *)data; | |
233 | struct blacklist_user *bluser; | |
234 | struct auth_client *auth; | |
235 | ||
236 | if (bllookup == NULL || bllookup->auth == NULL) | |
237 | return; | |
238 | ||
239 | auth = bllookup->auth; | |
240 | bluser = auth->data[PROVIDER_BLACKLIST]; | |
241 | if(bluser == NULL) | |
242 | return; | |
243 | ||
244 | if (result != NULL && status && blacklist_check_reply(bllookup, result)) | |
245 | { | |
246 | /* Match found, so proceed no further */ | |
247 | blacklists_cancel(auth); | |
248 | reject_client(auth, PROVIDER_BLACKLIST, bllookup->bl->reason); | |
249 | return; | |
250 | } | |
251 | ||
252 | unref_blacklist(bllookup->bl); | |
253 | rb_dlinkDelete(&bllookup->node, &bluser->queries); | |
254 | rb_free(bllookup); | |
255 | ||
256 | if(!rb_dlink_list_length(&bluser->queries)) | |
257 | { | |
258 | /* Done here */ | |
a7d5aea1 | 259 | provider_done(auth, PROVIDER_BLACKLIST); |
add80afd EM |
260 | rb_free(bluser); |
261 | auth->data[PROVIDER_BLACKLIST] = NULL; | |
262 | } | |
263 | } | |
264 | ||
265 | static void | |
266 | initiate_blacklist_dnsquery(struct blacklist *bl, struct auth_client *auth) | |
267 | { | |
268 | struct blacklist_lookup *bllookup = rb_malloc(sizeof(struct blacklist_lookup)); | |
269 | struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST]; | |
270 | char buf[IRCD_RES_HOSTLEN + 1]; | |
271 | int aftype; | |
272 | ||
273 | bllookup->bl = bl; | |
274 | bllookup->auth = auth; | |
275 | ||
276 | aftype = GET_SS_FAMILY(&auth->c_addr); | |
277 | if((aftype == AF_INET && (bl->iptype & IPTYPE_IPV4) == 0) || | |
278 | (aftype == AF_INET6 && (bl->iptype & IPTYPE_IPV6) == 0)) | |
279 | /* Incorrect blacklist type for this IP... */ | |
280 | return; | |
281 | ||
282 | build_rdns(buf, sizeof(buf), &auth->c_addr, bl->host); | |
283 | ||
284 | bllookup->query = lookup_ip(buf, AF_INET, blacklist_dns_callback, bllookup); | |
285 | ||
286 | rb_dlinkAdd(bllookup, &bllookup->node, &bluser->queries); | |
287 | bl->refcount++; | |
288 | } | |
289 | ||
290 | /* Timeout outstanding queries */ | |
291 | static void | |
292 | timeout_blacklist_queries_event(void *notused) | |
293 | { | |
294 | struct auth_client *auth; | |
295 | rb_dictionary_iter iter; | |
296 | ||
297 | RB_DICTIONARY_FOREACH(auth, &iter, auth_clients) | |
298 | { | |
299 | struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST]; | |
300 | ||
301 | if(bluser != NULL && bluser->timeout < rb_current_time()) | |
302 | { | |
303 | blacklists_cancel(auth); | |
304 | provider_done(auth, PROVIDER_BLACKLIST); | |
305 | } | |
306 | } | |
307 | } | |
308 | ||
a7d5aea1 EM |
309 | static inline void |
310 | lookup_all_blacklists(struct auth_client *auth) | |
311 | { | |
312 | struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST]; | |
313 | rb_dlink_node *ptr; | |
314 | ||
315 | RB_DLINK_FOREACH(ptr, blacklist_list.head) | |
316 | { | |
317 | struct blacklist *bl = (struct blacklist *)ptr->data; | |
318 | ||
319 | if (!bl->delete) | |
320 | initiate_blacklist_dnsquery(bl, auth); | |
321 | } | |
322 | ||
323 | bluser->timeout = rb_current_time() + blacklist_timeout; | |
324 | } | |
325 | ||
add80afd EM |
326 | /* public interfaces */ |
327 | static bool | |
328 | blacklists_start(struct auth_client *auth) | |
329 | { | |
add80afd EM |
330 | if(auth->data[PROVIDER_BLACKLIST] != NULL) |
331 | return true; | |
332 | ||
333 | if(!rb_dlink_list_length(&blacklist_list)) | |
334 | /* Nothing to do... */ | |
335 | return true; | |
336 | ||
a7d5aea1 | 337 | auth->data[PROVIDER_BLACKLIST] = rb_malloc(sizeof(struct blacklist_user)); |
add80afd | 338 | |
a7d5aea1 EM |
339 | if(is_provider_done(auth, PROVIDER_RDNS) && is_provider_done(auth, PROVIDER_IDENT)) |
340 | /* This probably can't happen but let's handle this case anyway */ | |
341 | lookup_all_blacklists(auth); | |
add80afd | 342 | |
a7d5aea1 EM |
343 | set_provider_on(auth, PROVIDER_BLACKLIST); |
344 | return true; | |
345 | } | |
add80afd | 346 | |
6c88869f | 347 | /* This is called every time a provider is completed as long as we are marked not done */ |
a7d5aea1 EM |
348 | static void |
349 | blacklists_initiate(struct auth_client *auth, provider_t provider) | |
350 | { | |
351 | struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST]; | |
add80afd | 352 | |
6c88869f EM |
353 | lrb_assert(provider != PROVIDER_BLACKLIST); |
354 | lrb_assert(!is_provider_done(auth, PROVIDER_BLACKLIST)); | |
355 | lrb_assert(rb_dlink_list_length(&blacklist_list) > 0); | |
356 | ||
357 | if(bluser == NULL || rb_dlink_list_length(&bluser->queries)) | |
a7d5aea1 EM |
358 | /* Nothing to do */ |
359 | return; | |
6c88869f | 360 | else if(!(is_provider_done(auth, PROVIDER_RDNS) && is_provider_done(auth, PROVIDER_IDENT))) |
a7d5aea1 EM |
361 | /* Don't start until we've completed these */ |
362 | return; | |
363 | else | |
364 | lookup_all_blacklists(auth); | |
add80afd EM |
365 | } |
366 | ||
367 | static void | |
368 | blacklists_cancel(struct auth_client *auth) | |
369 | { | |
370 | rb_dlink_node *ptr, *nptr; | |
371 | struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST]; | |
372 | ||
373 | if(bluser == NULL) | |
374 | return; | |
375 | ||
376 | RB_DLINK_FOREACH_SAFE(ptr, nptr, bluser->queries.head) | |
377 | { | |
378 | struct blacklist_lookup *bllookup = ptr->data; | |
379 | rb_dlinkDelete(&bllookup->node, &bluser->queries); | |
380 | unref_blacklist(bllookup->bl); | |
381 | cancel_query(bllookup->query); | |
382 | rb_free(bllookup); | |
383 | } | |
384 | ||
385 | rb_free(bluser); | |
386 | auth->data[PROVIDER_BLACKLIST] = NULL; | |
387 | } | |
388 | ||
389 | static bool | |
390 | blacklists_init(void) | |
391 | { | |
392 | timeout_ev = rb_event_addish("timeout_blacklist_queries_event", timeout_blacklist_queries_event, NULL, 1); | |
393 | return (timeout_ev != NULL); | |
394 | } | |
395 | ||
396 | static void | |
397 | blacklists_destroy(void) | |
398 | { | |
399 | rb_dlink_node *ptr, *nptr; | |
400 | rb_dictionary_iter iter; | |
401 | struct blacklist *bl; | |
402 | struct auth_client *auth; | |
403 | ||
404 | RB_DICTIONARY_FOREACH(auth, &iter, auth_clients) | |
405 | { | |
406 | blacklists_cancel(auth); | |
407 | } | |
408 | ||
409 | RB_DLINK_FOREACH_SAFE(ptr, nptr, blacklist_list.head) | |
410 | { | |
411 | bl = ptr->data; | |
412 | if (bl->refcount > 0) | |
413 | bl->delete = true; | |
414 | else | |
415 | { | |
416 | rb_free(ptr->data); | |
417 | rb_dlinkDestroy(ptr, &blacklist_list); | |
418 | } | |
419 | } | |
420 | } | |
421 | ||
3f2695ac EM |
422 | static void |
423 | add_conf_blacklist(const char *key, int parc, const char **parv) | |
424 | { | |
425 | rb_dlink_list filters; | |
426 | char *tmp, *elemlist = rb_strdup(parv[2]); | |
427 | unsigned char iptype; | |
428 | ||
429 | for(char *elem = rb_strtok_r(elemlist, ",", &tmp); elem; elem = rb_strtok_r(NULL, ",", &tmp)) | |
430 | { | |
431 | struct blacklist_filter *filter = rb_malloc(sizeof(struct blacklist_filter)); | |
432 | int dot_c = 0; | |
433 | filter_t type = FILTER_LAST; | |
434 | bool valid = true; | |
435 | ||
436 | /* Check blacklist filter type and for validity */ | |
437 | for(char *c = elem; *c != '\0'; c++) | |
438 | { | |
439 | if(*c == '.') | |
440 | { | |
441 | if(++dot_c > 3) | |
442 | { | |
443 | warn_opers(L_CRIT, "addr_conf_blacklist got a bad filter (too many octets)"); | |
444 | valid = false; | |
445 | break; | |
446 | } | |
447 | ||
448 | type = FILTER_ALL; | |
449 | } | |
450 | else if(!isdigit(*c)) | |
451 | { | |
452 | warn_opers(L_CRIT, "addr_conf_blacklist got a bad filter (invalid character in blacklist filter: %c)", *c); | |
453 | valid = false; | |
454 | break; | |
455 | } | |
456 | } | |
457 | ||
458 | if(valid && dot_c > 0 && dot_c < 3) | |
459 | { | |
460 | warn_opers(L_CRIT, "addr_conf_blacklist got a bad filter (insufficient octets)"); | |
461 | valid = false; | |
462 | } | |
463 | ||
464 | if(!valid) | |
465 | { | |
466 | rb_free(filter); | |
467 | continue; | |
468 | } | |
469 | ||
470 | filter->type = type; | |
471 | rb_strlcpy(filter->filter, elem, sizeof(filter->filter)); | |
472 | rb_dlinkAdd(filter, &filter->node, &filters); | |
473 | } | |
474 | ||
475 | rb_free(elemlist); | |
476 | ||
477 | iptype = atoi(parv[1]) & 0x3; | |
478 | if(new_blacklist(parv[0], parv[3], iptype, &filters) == NULL) | |
479 | { | |
480 | rb_dlink_node *ptr, *nptr; | |
481 | ||
482 | warn_opers(L_CRIT, "addr_conf_blacklist got a malformed blacklist"); | |
483 | ||
484 | RB_DLINK_FOREACH_SAFE(ptr, nptr, filters.head) | |
485 | { | |
486 | rb_free(ptr->data); | |
487 | rb_dlinkDelete(ptr, &filters); | |
488 | } | |
489 | } | |
490 | } | |
491 | ||
492 | static void | |
493 | add_conf_blacklist_timeout(const char *key, int parc, const char **parv) | |
494 | { | |
495 | int timeout = atoi(parv[0]); | |
496 | ||
497 | if(timeout < 0) | |
498 | { | |
646e6567 | 499 | warn_opers(L_CRIT, "BUG: blacklist timeout < 0 (value: %d)", timeout); |
3f2695ac EM |
500 | return; |
501 | } | |
502 | ||
503 | blacklist_timeout = timeout; | |
504 | } | |
505 | ||
506 | struct auth_opts_handler blacklist_options[] = | |
507 | { | |
508 | { "rbl", 4, add_conf_blacklist }, | |
509 | { "rbl_timeout", 1, add_conf_blacklist_timeout }, | |
510 | { NULL, 0, NULL }, | |
511 | }; | |
512 | ||
add80afd EM |
513 | struct auth_provider blacklist_provider = |
514 | { | |
515 | .id = PROVIDER_BLACKLIST, | |
516 | .init = blacklists_init, | |
517 | .destroy = blacklists_destroy, | |
518 | .start = blacklists_start, | |
519 | .cancel = blacklists_cancel, | |
a7d5aea1 | 520 | .completed = blacklists_initiate, |
3f2695ac | 521 | .opt_handlers = blacklist_options, |
add80afd | 522 | }; |