[solanum.git] / authd / providers / blacklist.c

/*
 * charybdis: A slightly useful ircd.
 * blacklist.c: Manages DNS blacklist entries and lookups
 *
 * Copyright (C) 2006-2011 charybdis development team
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 * 1. Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/* Originally written for charybdis circa 2006 (by nenolod?).
 * Tweaked for authd. Some functions and structs renamed. Public/private
 * interfaces have been shifted around. Some code has been cleaned up too.
 * -- Elizafox 24 March 2016
 */

#include "authd.h"
#include "provider.h"
#include "notice.h"
#include "stdinc.h"
#include "dns.h"

typedef enum filter_t
{
	FILTER_ALL = 1,
	FILTER_LAST = 2,
} filter_t;

/* Blacklist accepted IP types */
#define IPTYPE_IPV4	1
#define IPTYPE_IPV6	2

/* A configured DNSBL */
struct blacklist
{
	char host[IRCD_RES_HOSTLEN + 1];
	char reason[BUFSIZE];		/* Reason template (ircd fills in the blanks) */
	uint8_t iptype;			/* IP types supported */
	rb_dlink_list filters;		/* Filters for queries */

	bool delete;			/* If true delete when no clients */
	int refcount;			/* When 0 and delete is set, remove this blacklist */
	unsigned int hits;

	time_t lastwarning;		/* Last warning about garbage replies sent */
};

/* A lookup in progress for a particular DNSBL for a particular client */
struct blacklist_lookup
{
	struct blacklist *bl;		/* Blacklist we're checking */
	struct auth_client *auth;	/* Client */
	struct dns_query *query;	/* DNS query pointer */

	rb_dlink_node node;
};

/* A blacklist filter */
struct blacklist_filter
{
	filter_t type;			/* Type of filter */
	char filter[HOSTIPLEN];		/* The filter itself */

	rb_dlink_node node;
};

/* Blacklist user data attached to auth_client instance */
struct blacklist_user
{
	rb_dlink_list queries;		/* Blacklist queries in flight */
	time_t timeout;			/* When this times out */
};

/* public interfaces */
static bool blacklists_init(void);
static void blacklists_destroy(void);

static bool blacklists_start(struct auth_client *);
static void blacklists_cancel(struct auth_client *);

/* private interfaces */
static void unref_blacklist(struct blacklist *);
static struct blacklist *new_blacklist(const char *, const char *, uint8_t, rb_dlink_list *);
static struct blacklist *find_blacklist(const char *);
static bool blacklist_check_reply(struct blacklist_lookup *, const char *);
static void blacklist_dns_callback(const char *, bool, query_type, void *);
static void initiate_blacklist_dnsquery(struct blacklist *, struct auth_client *);
static void timeout_blacklist_queries_event(void *);

/* Variables */
static rb_dlink_list blacklist_list = { NULL, NULL, 0 };
static struct ev_entry *timeout_ev;
static int blacklist_timeout = 15;

/* private interfaces */

static void
unref_blacklist(struct blacklist *bl)
{
	rb_dlink_node *ptr, *nptr;

	bl->refcount--;
	if (bl->delete && bl->refcount <= 0)
	{
		RB_DLINK_FOREACH_SAFE(ptr, nptr, bl->filters.head)
		{
			rb_dlinkDelete(ptr, &bl->filters);
			rb_free(ptr);
		}

		rb_dlinkFindDestroy(bl, &blacklist_list);
		rb_free(bl);
	}
}

static struct blacklist *
new_blacklist(const char *name, const char *reason, uint8_t iptype, rb_dlink_list *filters)
{
	struct blacklist *bl;

	if (name == NULL || reason == NULL || iptype == 0)
		return NULL;

	if((bl = find_blacklist(name)) == NULL)
	{
		bl = rb_malloc(sizeof(struct blacklist));
		rb_dlinkAddAlloc(bl, &blacklist_list);
	}
	else
		bl->delete = false;

	rb_strlcpy(bl->host, name, IRCD_RES_HOSTLEN + 1);
	rb_strlcpy(bl->reason, reason, BUFSIZE);
	bl->iptype = iptype;

	rb_dlinkMoveList(filters, &bl->filters);

	bl->lastwarning = 0;

	return bl;
}

static struct blacklist *
find_blacklist(const char *name)
{
	rb_dlink_node *ptr;

	RB_DLINK_FOREACH(ptr, blacklist_list.head)
	{
		struct blacklist *bl = (struct blacklist *)ptr->data;

		if (!strcasecmp(bl->host, name))
			return bl;
	}

	return NULL;
}

static inline bool
blacklist_check_reply(struct blacklist_lookup *bllookup, const char *ipaddr)
{
	struct blacklist *bl = bllookup->bl;
	const char *lastoctet;
	rb_dlink_node *ptr;

	/* No filters and entry found - thus positive match */
	if (!rb_dlink_list_length(&bl->filters))
		return true;

	/* Below will prolly have to change if IPv6 address replies are sent back */
	if ((lastoctet = strrchr(ipaddr, '.')) == NULL || *(++lastoctet) == '\0')
		goto blwarn;

	RB_DLINK_FOREACH(ptr, bl->filters.head)
	{
		struct blacklist_filter *filter = ptr->data;
		const char *cmpstr;

		if (filter->type == FILTER_ALL)
			cmpstr = ipaddr;
		else if (filter->type == FILTER_LAST)
			cmpstr = lastoctet;
		else
		{
			warn_opers(L_CRIT, "BUG: Unknown blacklist filter type on blacklist %s: %d",
					bl->host, filter->type);
			continue;
		}

		if (strcmp(cmpstr, filter->filter) == 0)
			/* Match! */
			return true;
	}

	return false;
blwarn:
	if (bl->lastwarning + 3600 < rb_current_time())
	{
		warn_opers(L_WARN, "Garbage/undecipherable reply received from blacklist %s (reply %s)",
				bl->host, ipaddr);
		bl->lastwarning = rb_current_time();
	}
	return false;
}

static void
blacklist_dns_callback(const char *result, bool status, query_type type, void *data)
{
	struct blacklist_lookup *bllookup = (struct blacklist_lookup *)data;
	struct blacklist_user *bluser;
	struct blacklist *bl;
	struct auth_client *auth;

	if (bllookup == NULL || bllookup->auth == NULL)
		return;

	bl = bllookup->bl;
	auth = bllookup->auth;
	bluser = auth->data[PROVIDER_BLACKLIST];
	if(bluser == NULL)
		return;

	if (result != NULL && status && blacklist_check_reply(bllookup, result))
	{
		/* Match found, so proceed no further */
		bl->hits++;
		blacklists_cancel(auth);
		reject_client(auth, PROVIDER_BLACKLIST, bl->host, bl->reason);
		return;
	}

	unref_blacklist(bl);
	cancel_query(bllookup->query);	/* Ignore future responses */
	rb_dlinkDelete(&bllookup->node, &bluser->queries);
	rb_free(bllookup);

	if(!rb_dlink_list_length(&bluser->queries))
	{
		/* Done here */
		rb_free(bluser);
		auth->data[PROVIDER_BLACKLIST] = NULL;
		provider_done(auth, PROVIDER_BLACKLIST);
	}
}

static void
initiate_blacklist_dnsquery(struct blacklist *bl, struct auth_client *auth)
{
	struct blacklist_lookup *bllookup = rb_malloc(sizeof(struct blacklist_lookup));
	struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];
	char buf[IRCD_RES_HOSTLEN + 1];
	int aftype;

	bllookup->bl = bl;
	bllookup->auth = auth;

	aftype = GET_SS_FAMILY(&auth->c_addr);
	if((aftype == AF_INET && (bl->iptype & IPTYPE_IPV4) == 0) ||
		(aftype == AF_INET6 && (bl->iptype & IPTYPE_IPV6) == 0))
		/* Incorrect blacklist type for this IP... */
		return;

	build_rdns(buf, sizeof(buf), &auth->c_addr, bl->host);

	bllookup->query = lookup_ip(buf, AF_INET, blacklist_dns_callback, bllookup);

	rb_dlinkAdd(bllookup, &bllookup->node, &bluser->queries);
	bl->refcount++;
}

/* Timeout outstanding queries */
static void
timeout_blacklist_queries_event(void *notused)
{
	struct auth_client *auth;
	rb_dictionary_iter iter;

	RB_DICTIONARY_FOREACH(auth, &iter, auth_clients)
	{
		struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];

		if(bluser != NULL && bluser->timeout < rb_current_time())
		{
			blacklists_cancel(auth);
			provider_done(auth, PROVIDER_BLACKLIST);
		}
	}
}

static inline void
lookup_all_blacklists(struct auth_client *auth)
{
	struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];
	rb_dlink_node *ptr;

	RB_DLINK_FOREACH(ptr, blacklist_list.head)
	{
		struct blacklist *bl = (struct blacklist *)ptr->data;

		if (!bl->delete)
			initiate_blacklist_dnsquery(bl, auth);
	}

	bluser->timeout = rb_current_time() + blacklist_timeout;
}

static inline void
delete_blacklist(struct blacklist *bl)
{
	if (bl->refcount > 0)
		bl->delete = true;
	else
	{
		rb_dlinkFindDestroy(bl, &blacklist_list);
		rb_free(bl);
	}
}

static void
delete_all_blacklists(void)
{
	rb_dlink_node *ptr, *nptr;

	RB_DLINK_FOREACH_SAFE(ptr, nptr, blacklist_list.head)
	{
		delete_blacklist(ptr->data);
	}
}

/* public interfaces */
static bool
blacklists_start(struct auth_client *auth)
{
	if(auth->data[PROVIDER_BLACKLIST] != NULL)
		return true;

	if(!rb_dlink_list_length(&blacklist_list))
		/* Nothing to do... */
		return true;

	auth->data[PROVIDER_BLACKLIST] = rb_malloc(sizeof(struct blacklist_user));

	if(is_provider_done(auth, PROVIDER_RDNS) && is_provider_done(auth, PROVIDER_IDENT))
		/* This probably can't happen but let's handle this case anyway */
		lookup_all_blacklists(auth);

	set_provider_on(auth, PROVIDER_BLACKLIST);
	return true;
}

/* This is called every time a provider is completed as long as we are marked not done */
static void
blacklists_initiate(struct auth_client *auth, provider_t provider)
{
	struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];

	lrb_assert(provider != PROVIDER_BLACKLIST);
	lrb_assert(!is_provider_done(auth, PROVIDER_BLACKLIST));
	lrb_assert(rb_dlink_list_length(&blacklist_list) > 0);

	if(bluser == NULL || rb_dlink_list_length(&bluser->queries))
		/* Nothing to do */
		return;
	else if(!(is_provider_done(auth, PROVIDER_RDNS) && is_provider_done(auth, PROVIDER_IDENT)))
		/* Don't start until we've completed these */
		return;
	else
		lookup_all_blacklists(auth);
}

static void
blacklists_cancel(struct auth_client *auth)
{
	rb_dlink_node *ptr, *nptr;
	struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];

	if(bluser == NULL)
		return;

	RB_DLINK_FOREACH_SAFE(ptr, nptr, bluser->queries.head)
	{
		struct blacklist_lookup *bllookup = ptr->data;

		cancel_query(bllookup->query);
		unref_blacklist(bllookup->bl);

		rb_dlinkDelete(&bllookup->node, &bluser->queries);
		rb_free(bllookup);
	}

	rb_free(bluser);
	auth->data[PROVIDER_BLACKLIST] = NULL;
}

static bool
blacklists_init(void)
{
	timeout_ev = rb_event_addish("timeout_blacklist_queries_event", timeout_blacklist_queries_event, NULL, 1);
	return (timeout_ev != NULL);
}

static void
blacklists_destroy(void)
{
	rb_dlink_node *ptr, *nptr;
	rb_dictionary_iter iter;
	struct blacklist *bl;
	struct auth_client *auth;

	RB_DICTIONARY_FOREACH(auth, &iter, auth_clients)
	{
		blacklists_cancel(auth);
	}

	delete_all_blacklists();
	rb_event_delete(timeout_ev);
}

static void
add_conf_blacklist(const char *key, int parc, const char **parv)
{
	rb_dlink_list filters = { NULL, NULL, 0 };
	char *tmp, *elemlist = rb_strdup(parv[2]);
	uint8_t iptype;

	if(*elemlist == '*')
		goto end;

	for(char *elem = rb_strtok_r(elemlist, ",", &tmp); elem; elem = rb_strtok_r(NULL, ",", &tmp))
	{
		struct blacklist_filter *filter = rb_malloc(sizeof(struct blacklist_filter));
		int dot_c = 0;
		filter_t type = FILTER_LAST;
		bool valid = true;

		/* Check blacklist filter type and for validity */
		for(char *c = elem; *c != '\0'; c++)
		{
			if(*c == '.')
			{
				if(++dot_c > 3)
				{
					warn_opers(L_CRIT, "addr_conf_blacklist got a bad filter (too many octets)");
					valid = false;
					break;
				}

				type = FILTER_ALL;
			}
			else if(!isdigit(*c))
			{
				warn_opers(L_CRIT, "addr_conf_blacklist got a bad filter (invalid character in blacklist filter: %c)", *c);
				valid = false;
				break;
			}
		}

		if(valid && dot_c > 0 && dot_c < 3)
		{
			warn_opers(L_CRIT, "addr_conf_blacklist got a bad filter (insufficient octets)");
			valid = false;
		}

		if(!valid)
		{
			rb_free(filter);
			continue;
		}

		filter->type = type;
		rb_strlcpy(filter->filter, elem, sizeof(filter->filter));
		rb_dlinkAdd(filter, &filter->node, &filters);
	}

end:
	rb_free(elemlist);

	iptype = atoi(parv[1]) & 0x3;
	if(new_blacklist(parv[0], parv[3], iptype, &filters) == NULL)
	{
		rb_dlink_node *ptr, *nptr;

		warn_opers(L_CRIT, "addr_conf_blacklist got a malformed blacklist");

		RB_DLINK_FOREACH_SAFE(ptr, nptr, filters.head)
		{
			rb_free(ptr->data);
			rb_dlinkDelete(ptr, &filters);
		}
	}
}

static void
del_conf_blacklist(const char *key, int parc, const char **parv)
{
	struct blacklist *bl = find_blacklist(parv[0]);
	if(bl == NULL)
	{
		warn_opers(L_CRIT, "BUG: tried to remove nonexistent blacklist %s", parv[0]);
		return;
	}

	delete_blacklist(bl);
}

static void
del_conf_blacklist_all(const char *key, int parc, const char **parv)
{
	delete_all_blacklists();
}

static void
add_conf_blacklist_timeout(const char *key, int parc, const char **parv)
{
	int timeout = atoi(parv[0]);

	if(timeout < 0)
	{
		warn_opers(L_CRIT, "BUG: blacklist timeout < 0 (value: %d)", timeout);
		return;
	}

	blacklist_timeout = timeout;
}

static void
blacklist_stats(uint32_t rid, char letter)
{
	rb_dlink_node *ptr;

	RB_DLINK_FOREACH(ptr, blacklist_list.head)
	{
		struct blacklist *bl = ptr->data;

		if(bl->delete)
			continue;

		stats_result(rid, letter, "%s %hhu %u", bl->host, bl->iptype, bl->hits);
	}

	stats_done(rid, letter);
}

struct auth_opts_handler blacklist_options[] =
{
	{ "rbl", 4, add_conf_blacklist },
	{ "rbl_del", 1, del_conf_blacklist },
	{ "rbl_del_all", 0, del_conf_blacklist_all },
	{ "rbl_timeout", 1, add_conf_blacklist_timeout },
	{ NULL, 0, NULL },
};

struct auth_provider blacklist_provider =
{
	.id = PROVIDER_BLACKLIST,
	.init = blacklists_init,
	.destroy = blacklists_destroy,
	.start = blacklists_start,
	.cancel = blacklists_cancel,
	.completed = blacklists_initiate,
	.opt_handlers = blacklist_options,
	.stats_handler = { 'B', blacklist_stats },
};
Commit	Line	Data
add80afd EM	1	/*
	2	* charybdis: A slightly useful ircd.
	3	* blacklist.c: Manages DNS blacklist entries and lookups
	4	*
	5	* Copyright (C) 2006-2011 charybdis development team
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions are
	9	* met:
	10	*
	11	* 1. Redistributions of source code must retain the above copyright notice,
	12	* this list of conditions and the following disclaimer.
	13	*
	14	* 2. Redistributions in binary form must reproduce the above copyright
	15	* notice, this list of conditions and the following disclaimer in the
	16	* documentation and/or other materials provided with the distribution.
	17	*
	18	* 3. The name of the author may not be used to endorse or promote products
	19	* derived from this software without specific prior written permission.
	20	*
	21	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	22	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	23	* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
	24	* DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
	25	* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
	26	* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
	27	* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	29	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
	30	* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	31	* POSSIBILITY OF SUCH DAMAGE.
	32	*/
	33
	34	/* Originally written for charybdis circa 2006 (by nenolod?).
	35	* Tweaked for authd. Some functions and structs renamed. Public/private
	36	* interfaces have been shifted around. Some code has been cleaned up too.
	37	* -- Elizafox 24 March 2016
	38	*/
	39
	40	#include "authd.h"
	41	#include "provider.h"
db821ee9	42	#include "notice.h"
add80afd EM	43	#include "stdinc.h"
	44	#include "dns.h"
	45
	46	typedef enum filter_t
	47	{
	48	FILTER_ALL = 1,
	49	FILTER_LAST = 2,
	50	} filter_t;
	51
	52	/* Blacklist accepted IP types */
	53	#define IPTYPE_IPV4 1
	54	#define IPTYPE_IPV6 2
	55
	56	/* A configured DNSBL */
	57	struct blacklist
	58	{
	59	char host[IRCD_RES_HOSTLEN + 1];
	60	char reason[BUFSIZE]; /* Reason template (ircd fills in the blanks) */
eccc44ed	61	uint8_t iptype; /* IP types supported */
add80afd EM	62	rb_dlink_list filters; /* Filters for queries */
	63
	64	bool delete; /* If true delete when no clients */
	65	int refcount; /* When 0 and delete is set, remove this blacklist */
a90465f7	66	unsigned int hits;
add80afd EM	67
	68	time_t lastwarning; /* Last warning about garbage replies sent */
	69	};
	70
	71	/* A lookup in progress for a particular DNSBL for a particular client */
	72	struct blacklist_lookup
	73	{
	74	struct blacklist bl; / Blacklist we're checking */
	75	struct auth_client auth; / Client */
	76	struct dns_query query; / DNS query pointer */
e43e61f7	77
add80afd EM	78	rb_dlink_node node;
	79	};
	80
	81	/* A blacklist filter */
	82	struct blacklist_filter
	83	{
	84	filter_t type; /* Type of filter */
a90465f7	85	char filter[HOSTIPLEN]; /* The filter itself */
add80afd EM	86
	87	rb_dlink_node node;
	88	};
	89
	90	/* Blacklist user data attached to auth_client instance */
	91	struct blacklist_user
	92	{
	93	rb_dlink_list queries; /* Blacklist queries in flight */
	94	time_t timeout; /* When this times out */
	95	};
	96
	97	/* public interfaces */
	98	static bool blacklists_init(void);
	99	static void blacklists_destroy(void);
	100
	101	static bool blacklists_start(struct auth_client *);
	102	static void blacklists_cancel(struct auth_client *);
	103
	104	/* private interfaces */
	105	static void unref_blacklist(struct blacklist *);
eccc44ed	106	static struct blacklist new_blacklist(const char , const char , uint8_t, rb_dlink_list );
3f2695ac	107	static struct blacklist find_blacklist(const char );
add80afd EM	108	static bool blacklist_check_reply(struct blacklist_lookup , const char );
	109	static void blacklist_dns_callback(const char , bool, query_type, void );
	110	static void initiate_blacklist_dnsquery(struct blacklist , struct auth_client );
	111	static void timeout_blacklist_queries_event(void *);
	112
	113	/* Variables */
	114	static rb_dlink_list blacklist_list = { NULL, NULL, 0 };
	115	static struct ev_entry *timeout_ev;
add80afd EM	116	static int blacklist_timeout = 15;
	117
	118	/* private interfaces */
	119
	120	static void
	121	unref_blacklist(struct blacklist *bl)
	122	{
	123	rb_dlink_node ptr, nptr;
	124
	125	bl->refcount--;
	126	if (bl->delete && bl->refcount <= 0)
	127	{
	128	RB_DLINK_FOREACH_SAFE(ptr, nptr, bl->filters.head)
	129	{
	130	rb_dlinkDelete(ptr, &bl->filters);
	131	rb_free(ptr);
	132	}
	133
	134	rb_dlinkFindDestroy(bl, &blacklist_list);
	135	rb_free(bl);
	136	}
	137	}
	138
	139	static struct blacklist *
eccc44ed	140	new_blacklist(const char name, const char reason, uint8_t iptype, rb_dlink_list *filters)
add80afd EM	141	{
	142	struct blacklist *bl;
	143
3f2695ac	144	if (name == NULL \|\| reason == NULL \|\| iptype == 0)
add80afd EM	145	return NULL;
	146
	147	if((bl = find_blacklist(name)) == NULL)
	148	{
	149	bl = rb_malloc(sizeof(struct blacklist));
	150	rb_dlinkAddAlloc(bl, &blacklist_list);
	151	}
	152	else
	153	bl->delete = false;
	154
	155	rb_strlcpy(bl->host, name, IRCD_RES_HOSTLEN + 1);
	156	rb_strlcpy(bl->reason, reason, BUFSIZE);
3f2695ac	157	bl->iptype = iptype;
add80afd EM	158
	159	rb_dlinkMoveList(filters, &bl->filters);
	160
	161	bl->lastwarning = 0;
	162
	163	return bl;
	164	}
	165
	166	static struct blacklist *
3f2695ac	167	find_blacklist(const char *name)
add80afd EM	168	{
	169	rb_dlink_node *ptr;
	170
	171	RB_DLINK_FOREACH(ptr, blacklist_list.head)
	172	{
	173	struct blacklist bl = (struct blacklist )ptr->data;
	174
	175	if (!strcasecmp(bl->host, name))
	176	return bl;
	177	}
	178
	179	return NULL;
	180	}
	181
	182	static inline bool
	183	blacklist_check_reply(struct blacklist_lookup bllookup, const char ipaddr)
	184	{
	185	struct blacklist *bl = bllookup->bl;
	186	const char *lastoctet;
	187	rb_dlink_node *ptr;
	188
	189	/* No filters and entry found - thus positive match */
	190	if (!rb_dlink_list_length(&bl->filters))
	191	return true;
	192
	193	/* Below will prolly have to change if IPv6 address replies are sent back */
	194	if ((lastoctet = strrchr(ipaddr, '.')) == NULL \|\| *(++lastoctet) == '\0')
	195	goto blwarn;
	196
	197	RB_DLINK_FOREACH(ptr, bl->filters.head)
	198	{
	199	struct blacklist_filter *filter = ptr->data;
	200	const char *cmpstr;
	201
	202	if (filter->type == FILTER_ALL)
	203	cmpstr = ipaddr;
	204	else if (filter->type == FILTER_LAST)
	205	cmpstr = lastoctet;
	206	else
	207	{
	208	warn_opers(L_CRIT, "BUG: Unknown blacklist filter type on blacklist %s: %d",
	209	bl->host, filter->type);
	210	continue;
	211	}
	212
3f2695ac	213	if (strcmp(cmpstr, filter->filter) == 0)
add80afd EM	214	/* Match! */
	215	return true;
	216	}
	217
	218	return false;
	219	blwarn:
	220	if (bl->lastwarning + 3600 < rb_current_time())
	221	{
	222	warn_opers(L_WARN, "Garbage/undecipherable reply received from blacklist %s (reply %s)",
	223	bl->host, ipaddr);
	224	bl->lastwarning = rb_current_time();
	225	}
	226	return false;
	227	}
	228
	229	static void
	230	blacklist_dns_callback(const char result, bool status, query_type type, void data)
	231	{
	232	struct blacklist_lookup bllookup = (struct blacklist_lookup )data;
	233	struct blacklist_user *bluser;
e43e61f7	234	struct blacklist *bl;
add80afd EM	235	struct auth_client *auth;
	236
	237	if (bllookup == NULL \|\| bllookup->auth == NULL)
	238	return;
	239
e43e61f7	240	bl = bllookup->bl;
add80afd EM	241	auth = bllookup->auth;
	242	bluser = auth->data[PROVIDER_BLACKLIST];
	243	if(bluser == NULL)
	244	return;
	245
	246	if (result != NULL && status && blacklist_check_reply(bllookup, result))
	247	{
	248	/* Match found, so proceed no further */
a90465f7	249	bl->hits++;
add80afd	250	blacklists_cancel(auth);
6535177f	251	reject_client(auth, PROVIDER_BLACKLIST, bl->host, bl->reason);
add80afd EM	252	return;
	253	}
	254
e43e61f7 EM	255	unref_blacklist(bl);
e43e61f7 EM	256	cancel_query(bllookup->query); /* Ignore future responses */
add80afd EM	257	rb_dlinkDelete(&bllookup->node, &bluser->queries);
	258	rb_free(bllookup);
	259
	260	if(!rb_dlink_list_length(&bluser->queries))
	261	{
	262	/* Done here */
add80afd EM	263	rb_free(bluser);
add80afd EM	264	auth->data[PROVIDER_BLACKLIST] = NULL;
e43e61f7	265	provider_done(auth, PROVIDER_BLACKLIST);
add80afd EM	266	}
	267	}
	268
	269	static void
	270	initiate_blacklist_dnsquery(struct blacklist bl, struct auth_client auth)
	271	{
	272	struct blacklist_lookup *bllookup = rb_malloc(sizeof(struct blacklist_lookup));
	273	struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];
	274	char buf[IRCD_RES_HOSTLEN + 1];
	275	int aftype;
	276
	277	bllookup->bl = bl;
	278	bllookup->auth = auth;
	279
	280	aftype = GET_SS_FAMILY(&auth->c_addr);
	281	if((aftype == AF_INET && (bl->iptype & IPTYPE_IPV4) == 0) \|\|
	282	(aftype == AF_INET6 && (bl->iptype & IPTYPE_IPV6) == 0))
	283	/* Incorrect blacklist type for this IP... */
	284	return;
	285
	286	build_rdns(buf, sizeof(buf), &auth->c_addr, bl->host);
	287
	288	bllookup->query = lookup_ip(buf, AF_INET, blacklist_dns_callback, bllookup);
	289
	290	rb_dlinkAdd(bllookup, &bllookup->node, &bluser->queries);
	291	bl->refcount++;
	292	}
	293
	294	/* Timeout outstanding queries */
	295	static void
	296	timeout_blacklist_queries_event(void *notused)
	297	{
	298	struct auth_client *auth;
	299	rb_dictionary_iter iter;
	300
	301	RB_DICTIONARY_FOREACH(auth, &iter, auth_clients)
	302	{
	303	struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];
	304
	305	if(bluser != NULL && bluser->timeout < rb_current_time())
	306	{
	307	blacklists_cancel(auth);
	308	provider_done(auth, PROVIDER_BLACKLIST);
	309	}
	310	}
	311	}
	312
a7d5aea1 EM	313	static inline void
	314	lookup_all_blacklists(struct auth_client *auth)
	315	{
	316	struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];
	317	rb_dlink_node *ptr;
	318
	319	RB_DLINK_FOREACH(ptr, blacklist_list.head)
	320	{
	321	struct blacklist bl = (struct blacklist )ptr->data;
	322
	323	if (!bl->delete)
	324	initiate_blacklist_dnsquery(bl, auth);
	325	}
	326
	327	bluser->timeout = rb_current_time() + blacklist_timeout;
	328	}
	329
a0a218ba EM	330	static inline void
	331	delete_blacklist(struct blacklist *bl)
	332	{
	333	if (bl->refcount > 0)
	334	bl->delete = true;
	335	else
	336	{
	337	rb_dlinkFindDestroy(bl, &blacklist_list);
	338	rb_free(bl);
	339	}
	340	}
	341
	342	static void
	343	delete_all_blacklists(void)
	344	{
	345	rb_dlink_node ptr, nptr;
	346
	347	RB_DLINK_FOREACH_SAFE(ptr, nptr, blacklist_list.head)
	348	{
	349	delete_blacklist(ptr->data);
	350	}
	351	}
	352
add80afd EM	353	/* public interfaces */
	354	static bool
	355	blacklists_start(struct auth_client *auth)
	356	{
add80afd EM	357	if(auth->data[PROVIDER_BLACKLIST] != NULL)
	358	return true;
	359
	360	if(!rb_dlink_list_length(&blacklist_list))
	361	/* Nothing to do... */
	362	return true;
	363
a7d5aea1	364	auth->data[PROVIDER_BLACKLIST] = rb_malloc(sizeof(struct blacklist_user));
add80afd	365
a7d5aea1 EM	366	if(is_provider_done(auth, PROVIDER_RDNS) && is_provider_done(auth, PROVIDER_IDENT))
	367	/* This probably can't happen but let's handle this case anyway */
	368	lookup_all_blacklists(auth);
add80afd	369
a7d5aea1 EM	370	set_provider_on(auth, PROVIDER_BLACKLIST);
	371	return true;
	372	}
add80afd	373
6c88869f	374	/* This is called every time a provider is completed as long as we are marked not done */
a7d5aea1 EM	375	static void
	376	blacklists_initiate(struct auth_client *auth, provider_t provider)
	377	{
	378	struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];
add80afd	379
6c88869f EM	380	lrb_assert(provider != PROVIDER_BLACKLIST);
	381	lrb_assert(!is_provider_done(auth, PROVIDER_BLACKLIST));
	382	lrb_assert(rb_dlink_list_length(&blacklist_list) > 0);
	383
	384	if(bluser == NULL \|\| rb_dlink_list_length(&bluser->queries))
a7d5aea1 EM	385	/* Nothing to do */
a7d5aea1 EM	386	return;
6c88869f	387	else if(!(is_provider_done(auth, PROVIDER_RDNS) && is_provider_done(auth, PROVIDER_IDENT)))
a7d5aea1 EM	388	/* Don't start until we've completed these */
	389	return;
	390	else
	391	lookup_all_blacklists(auth);
add80afd EM	392	}
	393
	394	static void
	395	blacklists_cancel(struct auth_client *auth)
	396	{
	397	rb_dlink_node ptr, nptr;
	398	struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];
	399
	400	if(bluser == NULL)
	401	return;
	402
	403	RB_DLINK_FOREACH_SAFE(ptr, nptr, bluser->queries.head)
	404	{
	405	struct blacklist_lookup *bllookup = ptr->data;
e43e61f7	406
add80afd	407	cancel_query(bllookup->query);
e43e61f7 EM	408	unref_blacklist(bllookup->bl);
	409
	410	rb_dlinkDelete(&bllookup->node, &bluser->queries);
add80afd EM	411	rb_free(bllookup);
	412	}
	413
	414	rb_free(bluser);
	415	auth->data[PROVIDER_BLACKLIST] = NULL;
	416	}
	417
	418	static bool
	419	blacklists_init(void)
	420	{
	421	timeout_ev = rb_event_addish("timeout_blacklist_queries_event", timeout_blacklist_queries_event, NULL, 1);
	422	return (timeout_ev != NULL);
	423	}
	424
	425	static void
	426	blacklists_destroy(void)
	427	{
	428	rb_dlink_node ptr, nptr;
	429	rb_dictionary_iter iter;
	430	struct blacklist *bl;
	431	struct auth_client *auth;
	432
	433	RB_DICTIONARY_FOREACH(auth, &iter, auth_clients)
	434	{
	435	blacklists_cancel(auth);
	436	}
	437
a0a218ba EM	438	delete_all_blacklists();
a0a218ba EM	439	rb_event_delete(timeout_ev);
add80afd EM	440	}
add80afd EM	441
3f2695ac EM	442	static void
	443	add_conf_blacklist(const char key, int parc, const char *parv)
	444	{
f5586c3a	445	rb_dlink_list filters = { NULL, NULL, 0 };
3f2695ac	446	char tmp, elemlist = rb_strdup(parv[2]);
eccc44ed	447	uint8_t iptype;
3f2695ac	448
f5586c3a EM	449	if(elemlist == '')
	450	goto end;
	451
3f2695ac EM	452	for(char *elem = rb_strtok_r(elemlist, ",", &tmp); elem; elem = rb_strtok_r(NULL, ",", &tmp))
	453	{
	454	struct blacklist_filter *filter = rb_malloc(sizeof(struct blacklist_filter));
	455	int dot_c = 0;
	456	filter_t type = FILTER_LAST;
	457	bool valid = true;
	458
	459	/* Check blacklist filter type and for validity */
	460	for(char c = elem; c != '\0'; c++)
	461	{
	462	if(*c == '.')
	463	{
	464	if(++dot_c > 3)
	465	{
	466	warn_opers(L_CRIT, "addr_conf_blacklist got a bad filter (too many octets)");
	467	valid = false;
	468	break;
	469	}
	470
	471	type = FILTER_ALL;
	472	}
	473	else if(!isdigit(*c))
	474	{
	475	warn_opers(L_CRIT, "addr_conf_blacklist got a bad filter (invalid character in blacklist filter: %c)", *c);
	476	valid = false;
	477	break;
	478	}
	479	}
	480
	481	if(valid && dot_c > 0 && dot_c < 3)
	482	{
	483	warn_opers(L_CRIT, "addr_conf_blacklist got a bad filter (insufficient octets)");
	484	valid = false;
	485	}
	486
	487	if(!valid)
	488	{
	489	rb_free(filter);
	490	continue;
	491	}
	492
	493	filter->type = type;
	494	rb_strlcpy(filter->filter, elem, sizeof(filter->filter));
	495	rb_dlinkAdd(filter, &filter->node, &filters);
	496	}
	497
f5586c3a	498	end:
3f2695ac EM	499	rb_free(elemlist);
	500
	501	iptype = atoi(parv[1]) & 0x3;
	502	if(new_blacklist(parv[0], parv[3], iptype, &filters) == NULL)
	503	{
	504	rb_dlink_node ptr, nptr;
	505
	506	warn_opers(L_CRIT, "addr_conf_blacklist got a malformed blacklist");
	507
	508	RB_DLINK_FOREACH_SAFE(ptr, nptr, filters.head)
	509	{
	510	rb_free(ptr->data);
	511	rb_dlinkDelete(ptr, &filters);
	512	}
	513	}
	514	}
	515
a0a218ba EM	516	static void
	517	del_conf_blacklist(const char key, int parc, const char *parv)
	518	{
	519	struct blacklist *bl = find_blacklist(parv[0]);
	520	if(bl == NULL)
	521	{
	522	warn_opers(L_CRIT, "BUG: tried to remove nonexistent blacklist %s", parv[0]);
	523	return;
	524	}
	525
	526	delete_blacklist(bl);
	527	}
	528
	529	static void
	530	del_conf_blacklist_all(const char key, int parc, const char *parv)
	531	{
	532	delete_all_blacklists();
	533	}
	534
3f2695ac EM	535	static void
	536	add_conf_blacklist_timeout(const char key, int parc, const char *parv)
	537	{
	538	int timeout = atoi(parv[0]);
	539
	540	if(timeout < 0)
	541	{
646e6567	542	warn_opers(L_CRIT, "BUG: blacklist timeout < 0 (value: %d)", timeout);
3f2695ac EM	543	return;
	544	}
	545
	546	blacklist_timeout = timeout;
	547	}
	548
a90465f7 EM	549	static void
	550	blacklist_stats(uint32_t rid, char letter)
	551	{
	552	rb_dlink_node *ptr;
	553
	554	RB_DLINK_FOREACH(ptr, blacklist_list.head)
	555	{
	556	struct blacklist *bl = ptr->data;
	557
	558	if(bl->delete)
	559	continue;
	560
	561	stats_result(rid, letter, "%s %hhu %u", bl->host, bl->iptype, bl->hits);
	562	}
	563
	564	stats_done(rid, letter);
	565	}
	566
3f2695ac EM	567	struct auth_opts_handler blacklist_options[] =
	568	{
	569	{ "rbl", 4, add_conf_blacklist },
a0a218ba EM	570	{ "rbl_del", 1, del_conf_blacklist },
a0a218ba EM	571	{ "rbl_del_all", 0, del_conf_blacklist_all },
3f2695ac EM	572	{ "rbl_timeout", 1, add_conf_blacklist_timeout },
	573	{ NULL, 0, NULL },
	574	};
	575
add80afd EM	576	struct auth_provider blacklist_provider =
	577	{
	578	.id = PROVIDER_BLACKLIST,
	579	.init = blacklists_init,
	580	.destroy = blacklists_destroy,
	581	.start = blacklists_start,
	582	.cancel = blacklists_cancel,
a7d5aea1	583	.completed = blacklists_initiate,
3f2695ac	584	.opt_handlers = blacklist_options,
a90465f7	585	.stats_handler = { 'B', blacklist_stats },
add80afd	586	};