]>
Commit | Line | Data |
---|---|---|
2b0cc3d3 EM |
1 | /* authd/providers/ident.c - ident lookup provider for authd |
2 | * Copyright (c) 2016 Elizabeth Myers <elizabeth@interlinked.me> | |
3 | * | |
4 | * Permission to use, copy, modify, and/or distribute this software for any | |
5 | * purpose with or without fee is hereby granted, provided that the above | |
6 | * copyright notice and this permission notice is present in all copies. | |
7 | * | |
8 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |
9 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |
10 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
11 | * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, | |
12 | * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |
13 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
14 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
15 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
16 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | |
17 | * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
18 | * POSSIBILITY OF SUCH DAMAGE. | |
19 | */ | |
20 | ||
06f3496a EM |
21 | /* Largely adapted from old s_auth.c, but reworked for authd. rDNS code |
22 | * moved to its own provider. | |
23 | * | |
24 | * --Elizafox 13 March 2016 | |
25 | */ | |
26 | ||
2b0cc3d3 EM |
27 | #include "stdinc.h" |
28 | #include "match.h" | |
29 | #include "authd.h" | |
db821ee9 | 30 | #include "notice.h" |
2b0cc3d3 EM |
31 | #include "provider.h" |
32 | #include "res.h" | |
33 | ||
34 | #define IDENT_BUFSIZE 128 | |
35 | ||
36 | struct ident_query | |
37 | { | |
2b0cc3d3 EM |
38 | time_t timeout; /* Timeout interval */ |
39 | rb_fde_t *F; /* Our FD */ | |
40 | }; | |
41 | ||
42 | /* Goinked from old s_auth.c --Elizafox */ | |
43 | static const char *messages[] = | |
44 | { | |
f875cb84 EM |
45 | "*** Checking Ident", |
46 | "*** Got Ident response", | |
47 | "*** No Ident response", | |
22946d30 | 48 | "*** Cannot verify ident validity, ignoring ident", |
1345a41d | 49 | "*** Ident disabled, not checking ident", |
2b0cc3d3 EM |
50 | }; |
51 | ||
52 | typedef enum | |
53 | { | |
54 | REPORT_LOOKUP, | |
55 | REPORT_FOUND, | |
56 | REPORT_FAIL, | |
22946d30 | 57 | REPORT_INVALID, |
1345a41d | 58 | REPORT_DISABLED, |
2b0cc3d3 EM |
59 | } ident_message; |
60 | ||
61 | static EVH timeout_ident_queries_event; | |
62 | static CNCB ident_connected; | |
63 | static PF read_ident_reply; | |
64 | ||
3e875f62 EM |
65 | static void client_fail(struct auth_client *auth, ident_message message); |
66 | static void client_success(struct auth_client *auth); | |
2b0cc3d3 EM |
67 | static char * get_valid_ident(char *buf); |
68 | ||
2b0cc3d3 EM |
69 | static struct ev_entry *timeout_ev; |
70 | static int ident_timeout = 5; | |
54fb109d | 71 | static bool ident_enable = true; |
2b0cc3d3 EM |
72 | |
73 | ||
2b0cc3d3 | 74 | /* Timeout outstanding queries */ |
06f3496a | 75 | static void |
d1b70e35 | 76 | timeout_ident_queries_event(void *notused __unused) |
2b0cc3d3 | 77 | { |
3e875f62 | 78 | struct auth_client *auth; |
aba29d5a | 79 | rb_dictionary_iter iter; |
2b0cc3d3 | 80 | |
ab33d608 | 81 | RB_DICTIONARY_FOREACH(auth, &iter, auth_clients) |
2b0cc3d3 | 82 | { |
3e875f62 | 83 | struct ident_query *query = auth->data[PROVIDER_IDENT]; |
2b0cc3d3 | 84 | |
3e875f62 EM |
85 | if(query != NULL && query->timeout < rb_current_time()) |
86 | client_fail(auth, REPORT_FAIL); | |
2b0cc3d3 EM |
87 | } |
88 | } | |
89 | ||
90 | /* | |
91 | * ident_connected() - deal with the result of rb_connect_tcp() | |
92 | * | |
93 | * If the connection failed, we simply close the auth fd and report | |
94 | * a failure. If the connection suceeded send the ident server a query | |
95 | * giving "theirport , ourport". The write is only attempted *once* so | |
96 | * it is deemed to be a fail if the entire write doesn't write all the | |
97 | * data given. This shouldnt be a problem since the socket should have | |
98 | * a write buffer far greater than this message to store it in should | |
99 | * problems arise. -avalon | |
100 | */ | |
06f3496a | 101 | static void |
d1b70e35 | 102 | ident_connected(rb_fde_t *F __unused, int error, void *data) |
2b0cc3d3 | 103 | { |
3e875f62 | 104 | struct auth_client *auth = data; |
d1b70e35 | 105 | struct ident_query *query; |
2b0cc3d3 EM |
106 | char authbuf[32]; |
107 | int authlen; | |
108 | ||
d1b70e35 EM |
109 | if(auth == NULL) |
110 | return; | |
111 | ||
112 | query = auth->data[PROVIDER_IDENT]; | |
113 | ||
f875cb84 EM |
114 | if(query == NULL) |
115 | return; | |
116 | ||
2b0cc3d3 EM |
117 | /* Check the error */ |
118 | if(error != RB_OK) | |
119 | { | |
120 | /* We had an error during connection :( */ | |
3e875f62 | 121 | client_fail(auth, REPORT_FAIL); |
2b0cc3d3 EM |
122 | return; |
123 | } | |
124 | ||
125 | snprintf(authbuf, sizeof(authbuf), "%u , %u\r\n", | |
126 | auth->c_port, auth->l_port); | |
127 | authlen = strlen(authbuf); | |
128 | ||
129 | if(rb_write(query->F, authbuf, authlen) != authlen) | |
130 | { | |
3e875f62 | 131 | client_fail(auth, REPORT_FAIL); |
2b0cc3d3 EM |
132 | return; |
133 | } | |
134 | ||
3e875f62 | 135 | read_ident_reply(query->F, auth); |
2b0cc3d3 EM |
136 | } |
137 | ||
138 | static void | |
139 | read_ident_reply(rb_fde_t *F, void *data) | |
140 | { | |
3e875f62 | 141 | struct auth_client *auth = data; |
d1b70e35 | 142 | struct ident_query *query; |
22946d30 EM |
143 | char buf[IDENT_BUFSIZE + 1]; /* buffer to read auth reply into */ |
144 | ident_message message = REPORT_FAIL; | |
2b0cc3d3 EM |
145 | char *s = NULL; |
146 | char *t = NULL; | |
22946d30 | 147 | ssize_t len; |
2b0cc3d3 | 148 | int count; |
2b0cc3d3 | 149 | |
d1b70e35 EM |
150 | if(auth == NULL) |
151 | return; | |
152 | ||
153 | query = auth->data[PROVIDER_IDENT]; | |
154 | ||
f875cb84 EM |
155 | if(query == NULL) |
156 | return; | |
157 | ||
2b0cc3d3 EM |
158 | len = rb_read(F, buf, IDENT_BUFSIZE); |
159 | if(len < 0 && rb_ignore_errno(errno)) | |
160 | { | |
d1b70e35 | 161 | rb_setselect(F, RB_SELECT_READ, read_ident_reply, auth); |
2b0cc3d3 EM |
162 | return; |
163 | } | |
164 | ||
165 | if(len > 0) | |
166 | { | |
22946d30 | 167 | if((s = get_valid_ident(buf)) != NULL) |
2b0cc3d3 EM |
168 | { |
169 | t = auth->username; | |
170 | ||
171 | while (*s == '~' || *s == '^') | |
172 | s++; | |
173 | ||
174 | for (count = USERLEN; *s && count; s++) | |
175 | { | |
22946d30 | 176 | if(*s == '@' || *s == '\r' || *s == '\n') |
2b0cc3d3 | 177 | break; |
22946d30 | 178 | |
2b0cc3d3 EM |
179 | if(*s != ' ' && *s != ':' && *s != '[') |
180 | { | |
181 | *t++ = *s; | |
182 | count--; | |
183 | } | |
184 | } | |
185 | *t = '\0'; | |
186 | } | |
22946d30 EM |
187 | else |
188 | message = REPORT_INVALID; | |
2b0cc3d3 EM |
189 | } |
190 | ||
191 | if(s == NULL) | |
22946d30 | 192 | client_fail(auth, message); |
2b0cc3d3 | 193 | else |
3e875f62 | 194 | client_success(auth); |
2b0cc3d3 EM |
195 | } |
196 | ||
06f3496a EM |
197 | static void |
198 | client_fail(struct auth_client *auth, ident_message report) | |
2b0cc3d3 | 199 | { |
3e875f62 | 200 | struct ident_query *query = auth->data[PROVIDER_IDENT]; |
2b0cc3d3 | 201 | |
f875cb84 EM |
202 | if(query == NULL) |
203 | return; | |
204 | ||
3e875f62 | 205 | rb_strlcpy(auth->username, "*", sizeof(auth->username)); |
2b0cc3d3 | 206 | |
f875cb84 EM |
207 | if(query->F != NULL) |
208 | rb_close(query->F); | |
209 | ||
3e875f62 EM |
210 | rb_free(query); |
211 | auth->data[PROVIDER_IDENT] = NULL; | |
2b0cc3d3 | 212 | |
db821ee9 | 213 | notice_client(auth->cid, messages[report]); |
3e875f62 | 214 | provider_done(auth, PROVIDER_IDENT); |
2b0cc3d3 EM |
215 | } |
216 | ||
06f3496a EM |
217 | static void |
218 | client_success(struct auth_client *auth) | |
2b0cc3d3 | 219 | { |
3e875f62 | 220 | struct ident_query *query = auth->data[PROVIDER_IDENT]; |
2b0cc3d3 | 221 | |
f875cb84 EM |
222 | if(query == NULL) |
223 | return; | |
224 | ||
225 | if(query->F != NULL) | |
226 | rb_close(query->F); | |
227 | ||
3e875f62 EM |
228 | rb_free(query); |
229 | auth->data[PROVIDER_IDENT] = NULL; | |
2b0cc3d3 | 230 | |
db821ee9 | 231 | notice_client(auth->cid, messages[REPORT_FOUND]); |
3e875f62 | 232 | provider_done(auth, PROVIDER_IDENT); |
2b0cc3d3 EM |
233 | } |
234 | ||
235 | /* get_valid_ident | |
236 | * parse ident query reply from identd server | |
237 | * | |
06f3496a | 238 | * Taken from old s_auth.c --Elizafox |
2b0cc3d3 EM |
239 | * |
240 | * Inputs - pointer to ident buf | |
241 | * Outputs - NULL if no valid ident found, otherwise pointer to name | |
242 | * Side effects - None | |
243 | */ | |
244 | static char * | |
245 | get_valid_ident(char *buf) | |
246 | { | |
247 | int remp = 0; | |
248 | int locp = 0; | |
249 | char *colon1Ptr; | |
250 | char *colon2Ptr; | |
251 | char *colon3Ptr; | |
252 | char *commaPtr; | |
253 | char *remotePortString; | |
254 | ||
255 | /* All this to get rid of a sscanf() fun. */ | |
256 | remotePortString = buf; | |
257 | ||
258 | colon1Ptr = strchr(remotePortString, ':'); | |
259 | if(!colon1Ptr) | |
22946d30 | 260 | return NULL; |
2b0cc3d3 EM |
261 | |
262 | *colon1Ptr = '\0'; | |
263 | colon1Ptr++; | |
264 | colon2Ptr = strchr(colon1Ptr, ':'); | |
265 | if(!colon2Ptr) | |
22946d30 | 266 | return NULL; |
2b0cc3d3 EM |
267 | |
268 | *colon2Ptr = '\0'; | |
269 | colon2Ptr++; | |
270 | commaPtr = strchr(remotePortString, ','); | |
271 | ||
272 | if(!commaPtr) | |
22946d30 | 273 | return NULL; |
2b0cc3d3 EM |
274 | |
275 | *commaPtr = '\0'; | |
276 | commaPtr++; | |
277 | ||
278 | remp = atoi(remotePortString); | |
279 | if(!remp) | |
22946d30 | 280 | return NULL; |
2b0cc3d3 EM |
281 | |
282 | locp = atoi(commaPtr); | |
283 | if(!locp) | |
22946d30 | 284 | return NULL; |
2b0cc3d3 EM |
285 | |
286 | /* look for USERID bordered by first pair of colons */ | |
287 | if(!strstr(colon1Ptr, "USERID")) | |
22946d30 | 288 | return NULL; |
2b0cc3d3 EM |
289 | |
290 | colon3Ptr = strchr(colon2Ptr, ':'); | |
291 | if(!colon3Ptr) | |
22946d30 | 292 | return NULL; |
2b0cc3d3 EM |
293 | |
294 | *colon3Ptr = '\0'; | |
295 | colon3Ptr++; | |
296 | return (colon3Ptr); | |
297 | } | |
298 | ||
06f3496a EM |
299 | static bool |
300 | ident_init(void) | |
301 | { | |
302 | timeout_ev = rb_event_addish("timeout_ident_queries_event", timeout_ident_queries_event, NULL, 1); | |
303 | return (timeout_ev != NULL); | |
304 | } | |
305 | ||
306 | static void | |
307 | ident_destroy(void) | |
308 | { | |
309 | struct auth_client *auth; | |
310 | rb_dictionary_iter iter; | |
311 | ||
312 | /* Nuke all ident queries */ | |
313 | RB_DICTIONARY_FOREACH(auth, &iter, auth_clients) | |
314 | { | |
315 | if(auth->data[PROVIDER_IDENT] != NULL) | |
316 | client_fail(auth, REPORT_FAIL); | |
317 | } | |
318 | } | |
319 | ||
320 | static bool ident_start(struct auth_client *auth) | |
321 | { | |
322 | struct ident_query *query = rb_malloc(sizeof(struct ident_query)); | |
323 | struct rb_sockaddr_storage l_addr, c_addr; | |
47ab6f6e EM |
324 | int family = GET_SS_FAMILY(&auth->c_addr); |
325 | ||
1345a41d | 326 | if(auth->data[PROVIDER_IDENT] != NULL) |
54fb109d EM |
327 | { |
328 | set_provider_done(auth, PROVIDER_IDENT); /* for blacklists */ | |
f681e277 | 329 | return true; |
54fb109d | 330 | } |
1345a41d EM |
331 | else if(!ident_enable) |
332 | { | |
333 | notice_client(auth->cid, messages[REPORT_DISABLED]); | |
334 | set_provider_done(auth, PROVIDER_IDENT); | |
335 | return true; | |
336 | } | |
f681e277 | 337 | |
47ab6f6e | 338 | notice_client(auth->cid, messages[REPORT_LOOKUP]); |
06f3496a EM |
339 | |
340 | auth->data[PROVIDER_IDENT] = query; | |
341 | query->timeout = rb_current_time() + ident_timeout; | |
342 | ||
47ab6f6e | 343 | if((query->F = rb_socket(family, SOCK_STREAM, 0, "ident")) == NULL) |
06f3496a | 344 | { |
47ab6f6e | 345 | warn_opers(L_DEBUG, "Could not create ident socket: %s", strerror(errno)); |
06f3496a EM |
346 | client_fail(auth, REPORT_FAIL); |
347 | return true; /* Not a fatal error */ | |
348 | } | |
349 | ||
06f3496a EM |
350 | /* Build sockaddr_storages for rb_connect_tcp below */ |
351 | memcpy(&l_addr, &auth->l_addr, sizeof(l_addr)); | |
352 | memcpy(&c_addr, &auth->c_addr, sizeof(c_addr)); | |
353 | ||
354 | /* Set the ports correctly */ | |
355 | #ifdef RB_IPV6 | |
356 | if(GET_SS_FAMILY(&l_addr) == AF_INET6) | |
357 | ((struct sockaddr_in6 *)&l_addr)->sin6_port = 0; | |
358 | else | |
359 | #endif | |
360 | ((struct sockaddr_in *)&l_addr)->sin_port = 0; | |
361 | ||
362 | #ifdef RB_IPV6 | |
363 | if(GET_SS_FAMILY(&c_addr) == AF_INET6) | |
364 | ((struct sockaddr_in6 *)&c_addr)->sin6_port = htons(113); | |
365 | else | |
366 | #endif | |
367 | ((struct sockaddr_in *)&c_addr)->sin_port = htons(113); | |
368 | ||
47ab6f6e | 369 | rb_connect_tcp(query->F, (struct sockaddr *)&c_addr, |
06f3496a EM |
370 | (struct sockaddr *)&l_addr, |
371 | GET_SS_LEN(&l_addr), ident_connected, | |
d1b70e35 | 372 | auth, ident_timeout); |
06f3496a | 373 | |
06f3496a EM |
374 | set_provider_on(auth, PROVIDER_IDENT); |
375 | ||
376 | return true; | |
377 | } | |
378 | ||
379 | static void | |
380 | ident_cancel(struct auth_client *auth) | |
381 | { | |
382 | struct ident_query *query = auth->data[PROVIDER_IDENT]; | |
383 | ||
384 | if(query != NULL) | |
385 | client_fail(auth, REPORT_FAIL); | |
386 | } | |
387 | ||
67acafca | 388 | static void |
d1b70e35 | 389 | add_conf_ident_timeout(const char *key __unused, int parc __unused, const char **parv) |
67acafca EM |
390 | { |
391 | int timeout = atoi(parv[0]); | |
392 | ||
393 | if(timeout < 0) | |
394 | { | |
395 | warn_opers(L_CRIT, "BUG: ident timeout < 0 (value: %d)", timeout); | |
396 | return; | |
397 | } | |
398 | ||
399 | ident_timeout = timeout; | |
400 | } | |
401 | ||
54fb109d EM |
402 | static void |
403 | set_ident_enabled(const char *key __unused, int parc __unused, const char **parv) | |
404 | { | |
1345a41d | 405 | ident_enable = (*parv[0] == '1'); |
54fb109d EM |
406 | } |
407 | ||
67acafca EM |
408 | struct auth_opts_handler ident_options[] = |
409 | { | |
410 | { "ident_timeout", 1, add_conf_ident_timeout }, | |
54fb109d | 411 | { "ident_enabled", 1, set_ident_enabled }, |
67acafca EM |
412 | { NULL, 0, NULL }, |
413 | }; | |
414 | ||
2b0cc3d3 EM |
415 | |
416 | struct auth_provider ident_provider = | |
417 | { | |
418 | .id = PROVIDER_IDENT, | |
419 | .init = ident_init, | |
420 | .destroy = ident_destroy, | |
421 | .start = ident_start, | |
422 | .cancel = ident_cancel, | |
423 | .completed = NULL, | |
67acafca | 424 | .opt_handlers = ident_options, |
2b0cc3d3 | 425 | }; |