[solanum.git] / ircd / authd.c

/*
 *  authd.c: An interface to authd.
 *  (based somewhat on ircd-ratbox dns.c)
 *
 *  Copyright (C) 2005 Aaron Sethman <androsyn@ratbox.org>
 *  Copyright (C) 2005-2012 ircd-ratbox development team
 *  Copyright (C) 2016 William Pitcock <nenolod@dereferenced.org>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
 *  USA
 */

#include "stdinc.h"
#include "rb_lib.h"
#include "client.h"
#include "ircd_defs.h"
#include "parse.h"
#include "authd.h"
#include "match.h"
#include "logger.h"
#include "s_conf.h"
#include "s_stats.h"
#include "client.h"
#include "packet.h"
#include "hash.h"
#include "send.h"
#include "numeric.h"
#include "msg.h"
#include "dns.h"

static int start_authd(void);
static void parse_authd_reply(rb_helper * helper);
static void restart_authd_cb(rb_helper * helper);
static EVH timeout_dead_authd_clients;

rb_helper *authd_helper;
static char *authd_path;

uint32_t cid;
static rb_dictionary *cid_clients;
static struct ev_entry *timeout_ev;

rb_dictionary *bl_stats;

static int
start_authd(void)
{
	char fullpath[PATH_MAX + 1];
#ifdef _WIN32
	const char *suffix = ".exe";
#else
	const char *suffix = "";
#endif
	if(authd_path == NULL)
	{
		snprintf(fullpath, sizeof(fullpath), "%s%cauthd%s", ircd_paths[IRCD_PATH_LIBEXEC], RB_PATH_SEPARATOR, suffix);

		if(access(fullpath, X_OK) == -1)
		{
			snprintf(fullpath, sizeof(fullpath), "%s%cbin%cauthd%s",
				 ConfigFileEntry.dpath, RB_PATH_SEPARATOR, RB_PATH_SEPARATOR, suffix);
			if(access(fullpath, X_OK) == -1)
			{
				ierror("Unable to execute authd in %s or %s/bin",
					ircd_paths[IRCD_PATH_LIBEXEC], ConfigFileEntry.dpath);
				sendto_realops_snomask(SNO_GENERAL, L_ALL,
						       "Unable to execute authd in %s or %s/bin",
						       ircd_paths[IRCD_PATH_LIBEXEC], ConfigFileEntry.dpath);
				return 1;
			}

		}

		authd_path = rb_strdup(fullpath);
	}

	if(cid_clients == NULL)
		cid_clients = rb_dictionary_create("authd cid to uid mapping", rb_uint32cmp);

	if(bl_stats == NULL)
		bl_stats = rb_dictionary_create("blacklist statistics", strcasecmp);

	if(timeout_ev == NULL)
		timeout_ev = rb_event_addish("timeout_dead_authd_clients", timeout_dead_authd_clients, NULL, 1);

	authd_helper = rb_helper_start("authd", authd_path, parse_authd_reply, restart_authd_cb);

	if(authd_helper == NULL)
	{
		ierror("Unable to start authd helper: %s", strerror(errno));
		sendto_realops_snomask(SNO_GENERAL, L_ALL, "Unable to start authd helper: %s", strerror(errno));
		return 1;
	}
	ilog(L_MAIN, "authd helper started");
	sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd helper started");
	rb_helper_run(authd_helper);
	return 0;
}

static inline uint32_t
str_to_cid(const char *str)
{
	long lcid = strtol(str, NULL, 16);

	if(lcid > UINT32_MAX || lcid <= 0)
	{
		iwarn("authd sent us back a bad client ID: %lx", lcid);
		restart_authd();
		return 0;
	}

	return (uint32_t)lcid;
}

static inline struct Client *
cid_to_client(uint32_t cid, bool delete)
{
	struct Client *client_p;

	if(delete)
		client_p = rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(cid));
	else
		client_p = rb_dictionary_retrieve(cid_clients, RB_UINT_TO_POINTER(cid));

	if(client_p == NULL)
	{
		iwarn("authd sent us back a bad client ID: %ux", cid);
		restart_authd();
		return NULL;
	}

	return client_p;
}

static inline struct Client *
str_cid_to_client(const char *str, bool delete)
{
	uint32_t cid = str_to_cid(str);

	if(cid == 0)
		return NULL;

	return cid_to_client(cid, delete);
}

static void
parse_authd_reply(rb_helper * helper)
{
	ssize_t len;
	int parc;
	char authdBuf[READBUF_SIZE];
	char *parv[MAXPARA + 1];
	struct Client *client_p;

	while((len = rb_helper_read(helper, authdBuf, sizeof(authdBuf))) > 0)
	{
		parc = rb_string_to_array(authdBuf, parv, MAXPARA+1);

		switch (*parv[0])
		{
		case 'A':	/* Accepted a client */
			if(parc != 4)
			{
				iwarn("authd sent a result with wrong number of arguments: got %d", parc);
				restart_authd();
				return;
			}

			/* cid to uid (retrieve and delete) */
			if((client_p = str_cid_to_client(parv[1], true)) == NULL)
				return;

			authd_accept_client(client_p, parv[2], parv[3]);
			break;
		case 'R':	/* Reject client */
			if(parc != 7)
			{
				iwarn("authd sent us a result with wrong number of arguments: got %d", parc);
				restart_authd();
				return;
			}

			/* cid to uid (retrieve and delete) */
			if((client_p = str_cid_to_client(parv[1], true)) == NULL)
				return;

			authd_reject_client(client_p, parv[3], parv[4], toupper(*parv[2]), parv[5], parv[6]);
			break;
		case 'N':	/* Notice to client */
			if(parc != 3)
			{
				iwarn("authd sent us a result with wrong number of arguments: got %d", parc);
				restart_authd();
				return;
			}

			if((client_p = str_cid_to_client(parv[1], false)) == NULL)
				return;

			sendto_one_notice(client_p, ":%s", parv[2]);
			break;
		case 'E':	/* DNS Result */
			if(parc != 5)
			{
				iwarn("authd sent a result with wrong number of arguments: got %d", parc);
				restart_authd();
				return;
			}

			dns_results_callback(parv[1], parv[2], parv[3], parv[4]);
			break;
		case 'W':	/* Oper warning */
			if(parc != 3)
			{
				iwarn("authd sent a result with wrong number of arguments: got %d", parc);
				restart_authd();
				return;
			}

			switch(*parv[2])
			{
			case 'D':	/* Debug */
				sendto_realops_snomask(SNO_DEBUG, L_ALL, "authd debug: %s", parv[3]);
				idebug("authd: %s", parv[3]);
				break;
			case 'I':	/* Info */
				sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd info: %s", parv[3]);
				inotice("authd: %s", parv[3]);
				break;
			case 'W':	/* Warning */
				sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd WARNING: %s", parv[3]);
				iwarn("authd: %s", parv[3]);
				break;
			case 'C':	/* Critical (error) */
				sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd CRITICAL: %s", parv[3]);
				ierror("authd: %s", parv[3]);
				break;
			default:	/* idk */
				sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd sent us an unknown oper notice type (%s): %s", parv[2], parv[3]);
				ilog(L_MAIN, "authd unknown oper notice type (%s): %s", parv[2], parv[3]);
				break;
			}

			/* NOTREACHED */
			break;
		case 'X':	/* Stats error */
		case 'Y':	/* Stats reply */
		case 'Z':	/* End of stats reply */
			if(parc < 3)
			{
				iwarn("authd sent a result with wrong number of arguments: got %d", parc);
				restart_authd();
				return;
			}

			/* Select by type */
			switch(*parv[2])
			{
			case 'D':
				/* parv[0] conveys status */
				if(parc < 4)
				{
					iwarn("authd sent a result with wrong number of arguments: got %d", parc);
					restart_authd();
					return;
				}
				dns_stats_results_callback(parv[1], parv[0], parc - 3, (const char **)&parv[3]);
				break;
			default:
				break;
			}
			break;
		default:
			break;
		}
	}
}

void
init_authd(void)
{
	if(start_authd())
	{
		ierror("Unable to start authd helper: %s", strerror(errno));
		exit(0);
	}
}

void
configure_authd(void)
{
	/* These will do for now */
	set_authd_timeout("ident_timeout", GlobalSetOptions.ident_timeout);
	set_authd_timeout("rdns_timeout", ConfigFileEntry.connect_timeout);
	set_authd_timeout("rbl_timeout", ConfigFileEntry.connect_timeout);
	ident_check_enable(!ConfigFileEntry.disable_auth);
}

static void
restart_authd_cb(rb_helper * helper)
{
	rb_dictionary_iter iter;
	struct Client *client_p;

	iwarn("authd: restart_authd_cb called, authd died?");
	sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd: restart_authd_cb called, authd died?");

	if(helper != NULL)
	{
		rb_helper_close(helper);
		authd_helper = NULL;
	}

	RB_DICTIONARY_FOREACH(client_p, &iter, cid_clients)
	{
		/* Abort any existing clients */
		authd_abort_client(client_p);
	}

	start_authd();
}

void
restart_authd(void)
{
	restart_authd_cb(authd_helper);
}

void
rehash_authd(void)
{
	rb_helper_write(authd_helper, "R");
	configure_authd();
}

void
check_authd(void)
{
	if(authd_helper == NULL)
		restart_authd();
}

static inline uint32_t
generate_cid(void)
{
	if(++cid == 0)
		cid = 1;

	return cid;
}

/* Basically when this is called we begin handing off the client to authd for
 * processing. authd "owns" the client until processing is finished, or we
 * timeout from authd. authd will make a decision whether or not to accept the
 * client, but it's up to other parts of the code (for now) to decide if we're
 * gonna accept the client and ignore authd's suggestion.
 *
 * --Elizafox
 */
void
authd_initiate_client(struct Client *client_p)
{
	char client_ipaddr[HOSTIPLEN+1];
	char listen_ipaddr[HOSTIPLEN+1];
	uint16_t client_port, listen_port;
	uint32_t authd_cid;

	if(client_p->preClient == NULL || client_p->preClient->authd_cid != 0)
		return;

	authd_cid = client_p->preClient->authd_cid = generate_cid();

	/* Collisions are extremely unlikely, so disregard the possibility */
	rb_dictionary_add(cid_clients, RB_UINT_TO_POINTER(authd_cid), client_p);

	/* Retrieve listener and client IP's */
	rb_inet_ntop_sock((struct sockaddr *)&client_p->preClient->lip, listen_ipaddr, sizeof(listen_ipaddr));
	rb_inet_ntop_sock((struct sockaddr *)&client_p->localClient->ip, client_ipaddr, sizeof(client_ipaddr));

	/* Retrieve listener and client ports */
	listen_port = ntohs(GET_SS_PORT(&client_p->preClient->lip));
	client_port = ntohs(GET_SS_PORT(&client_p->localClient->ip));

	/* Add a bit of a fudge factor... */
	client_p->preClient->authd_timeout = rb_current_time() + ConfigFileEntry.connect_timeout + 10;

	rb_helper_write(authd_helper, "C %x %s %hu %s %hu", authd_cid, listen_ipaddr, listen_port, client_ipaddr, client_port);
}

/* When this is called we have a decision on client acceptance.
 *
 * After this point authd no longer "owns" the client.
 */
static inline void
authd_decide_client(struct Client *client_p, const char *ident, const char *host, bool accept, char cause, const char *data, const char *reason)
{
	if(client_p->preClient == NULL || client_p->preClient->authd_cid == 0)
		return;

	if(*ident != '*')
	{
		rb_strlcpy(client_p->username, ident, sizeof(client_p->username));
		ServerStats.is_asuc++;
	}
	else
		ServerStats.is_abad++; /* s_auth used to do this, stay compatible */

	if(*host != '*')
		rb_strlcpy(client_p->host, host, sizeof(client_p->host));

	client_p->preClient->authd_accepted = accept;
	client_p->preClient->authd_cause = cause;
	client_p->preClient->authd_data = (data == NULL ? NULL : rb_strdup(data));
	client_p->preClient->authd_reason = (reason == NULL ? NULL : rb_strdup(reason));

	rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(client_p->preClient->authd_cid));
	client_p->preClient->authd_cid = 0;

	/*
	 * When a client has auth'ed, we want to start reading what it sends
	 * us. This is what read_packet() does.
	 *     -- adrian
	 *
	 * Above comment was originally in s_auth.c, but moved here with below code.
	 * --Elizafox
	 */
	rb_dlinkAddTail(client_p, &client_p->node, &global_client_list);
	read_packet(client_p->localClient->F, client_p);
}

/* Convenience function to accept client */
void
authd_accept_client(struct Client *client_p, const char *ident, const char *host)
{
	authd_decide_client(client_p, ident, host, true, '\0', NULL, NULL);
}

/* Convenience function to reject client */
void
authd_reject_client(struct Client *client_p, const char *ident, const char *host, char cause, const char *data, const char *reason)
{
	authd_decide_client(client_p, ident, host, false, cause, data, reason);
}

void
authd_abort_client(struct Client *client_p)
{
	if(client_p == NULL || client_p->preClient == NULL)
		return;

	if(client_p->preClient->authd_cid == 0)
		return;

	rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(client_p->preClient->authd_cid));

	if(authd_helper != NULL)
		rb_helper_write(authd_helper, "E %x", client_p->preClient->authd_cid);

	/* XXX should we blindly allow like this? */
	authd_accept_client(client_p, "*", "*");
	client_p->preClient->authd_cid = 0;
}

static void
timeout_dead_authd_clients(void *notused __unused)
{
	rb_dictionary_iter iter;
	struct Client *client_p;

	RB_DICTIONARY_FOREACH(client_p, &iter, cid_clients)
	{
		if(client_p->preClient->authd_timeout < rb_current_time())
			authd_abort_client(client_p);
	}
}

/* Turn a cause char (who rejected us) into the name of the provider */
const char *
get_provider_string(char cause)
{
	switch(cause)
	{
	case 'B':
		return "Blacklist";
	case 'D':
		return "rDNS";
	case 'I':
		return "Ident";
	default:
		return "Unknown";
	}
}

/* Send a new blacklist to authd */
void
add_blacklist(const char *host, const char *reason, uint8_t iptype, rb_dlink_list *filters)
{
	rb_dlink_node *ptr;
	struct blacklist_stats *stats = rb_malloc(sizeof(struct blacklist_stats));
	char filterbuf[BUFSIZE] = "*";
	size_t s = 0;

	/* Build a list of comma-separated values for authd.
	 * We don't check for validity - do it elsewhere.
	 */
	RB_DLINK_FOREACH(ptr, filters->head)
	{
		char *filter = ptr->data;
		size_t filterlen = strlen(filter) + 1;

		if(s + filterlen > sizeof(filterbuf))
			break;

		snprintf(&filterbuf[s], sizeof(filterbuf) - s, "%s,", filter);

		s += filterlen;
	}

	if(s)
		filterbuf[s - 1] = '\0';

	stats->iptype = iptype;
	stats->hits = 0;
	rb_dictionary_add(bl_stats, host, stats);

	rb_helper_write(authd_helper, "O rbl %s %hhu %s :%s", host, iptype, filterbuf, reason);
}

/* Delete a blacklist */
void
del_blacklist(const char *host)
{
	rb_dictionary_delete(bl_stats, host);

	rb_helper_write(authd_helper, "O rbl_del %s", host);
}

/* Delete all the blacklists */
void
del_blacklist_all(void)
{
	struct blacklist_stats *stats;
	rb_dictionary_iter iter;

	RB_DICTIONARY_FOREACH(stats, &iter, bl_stats)
	{
		rb_free(stats);
		rb_dictionary_delete(bl_stats, iter.cur->key);
	}

	rb_helper_write(authd_helper, "O rbl_del_all");
}

/* Adjust an authd timeout value */
bool
set_authd_timeout(const char *key, int timeout)
{
	if(timeout <= 0)
		return false;

	rb_helper_write(authd_helper, "O %s %d", key, timeout);
	return true;
}

/* Enable identd checks */
void
ident_check_enable(bool enabled)
{
	rb_helper_write(authd_helper, "O ident_enabled %d", enabled ? 1 : 0);
}

/* Create an OPM listener */
void
create_opm_listener(const char *ip, uint16_t port)
{
	rb_helper_write(authd_helper, "O opm_listener %s %hu", ip, port);
}

/* Disable all OPM scans */
void
opm_check_enable(bool enabled)
{
	rb_helper_write(authd_helper, "O opm_enable %d", enabled ? 1 : 0);
}

/* Create an OPM proxy scanner */
void
create_opm_proxy_scanner(const char *type, uint16_t port)
{
	rb_helper_write(authd_helper, "O opm_scanner %s %hu", type, port);
}
Commit	Line	Data
fb7d74ef AC	1	/*
	2	* authd.c: An interface to authd.
	3	* (based somewhat on ircd-ratbox dns.c)
	4	*
	5	* Copyright (C) 2005 Aaron Sethman <androsyn@ratbox.org>
	6	* Copyright (C) 2005-2012 ircd-ratbox development team
	7	* Copyright (C) 2016 William Pitcock <nenolod@dereferenced.org>
	8	*
	9	* This program is free software; you can redistribute it and/or modify
	10	* it under the terms of the GNU General Public License as published by
	11	* the Free Software Foundation; either version 2 of the License, or
	12	* (at your option) any later version.
	13	*
	14	* This program is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	17	* GNU General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU General Public License
	20	* along with this program; if not, write to the Free Software
	21	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
	22	* USA
	23	*/
	24
d3f6b808 EM	25	#include "stdinc.h"
	26	#include "rb_lib.h"
	27	#include "client.h"
	28	#include "ircd_defs.h"
	29	#include "parse.h"
	30	#include "authd.h"
	31	#include "match.h"
	32	#include "logger.h"
	33	#include "s_conf.h"
	34	#include "s_stats.h"
	35	#include "client.h"
	36	#include "packet.h"
	37	#include "hash.h"
	38	#include "send.h"
	39	#include "numeric.h"
	40	#include "msg.h"
	41	#include "dns.h"
fb7d74ef AC	42
	43	static int start_authd(void);
	44	static void parse_authd_reply(rb_helper * helper);
	45	static void restart_authd_cb(rb_helper * helper);
ef0b13b9	46	static EVH timeout_dead_authd_clients;
fb7d74ef AC	47
	48	rb_helper *authd_helper;
	49	static char *authd_path;
	50
50808796	51	uint32_t cid;
d3f6b808	52	static rb_dictionary *cid_clients;
ef0b13b9	53	static struct ev_entry *timeout_ev;
d3f6b808 EM	54
	55	rb_dictionary *bl_stats;
	56
fb7d74ef AC	57	static int
	58	start_authd(void)
	59	{
	60	char fullpath[PATH_MAX + 1];
	61	#ifdef _WIN32
	62	const char *suffix = ".exe";
	63	#else
	64	const char *suffix = "";
	65	#endif
	66	if(authd_path == NULL)
	67	{
4d8cfacd	68	snprintf(fullpath, sizeof(fullpath), "%s%cauthd%s", ircd_paths[IRCD_PATH_LIBEXEC], RB_PATH_SEPARATOR, suffix);
fb7d74ef AC	69
	70	if(access(fullpath, X_OK) == -1)
	71	{
4d8cfacd AC	72	snprintf(fullpath, sizeof(fullpath), "%s%cbin%cauthd%s",
4d8cfacd AC	73	ConfigFileEntry.dpath, RB_PATH_SEPARATOR, RB_PATH_SEPARATOR, suffix);
fb7d74ef AC	74	if(access(fullpath, X_OK) == -1)
fb7d74ef AC	75	{
7ad083b0 EM	76	ierror("Unable to execute authd in %s or %s/bin",
7ad083b0 EM	77	ircd_paths[IRCD_PATH_LIBEXEC], ConfigFileEntry.dpath);
fb7d74ef	78	sendto_realops_snomask(SNO_GENERAL, L_ALL,
4d8cfacd AC	79	"Unable to execute authd in %s or %s/bin",
4d8cfacd AC	80	ircd_paths[IRCD_PATH_LIBEXEC], ConfigFileEntry.dpath);
fb7d74ef AC	81	return 1;
	82	}
	83
	84	}
	85
	86	authd_path = rb_strdup(fullpath);
	87	}
	88
d3f6b808 EM	89	if(cid_clients == NULL)
	90	cid_clients = rb_dictionary_create("authd cid to uid mapping", rb_uint32cmp);
	91
	92	if(bl_stats == NULL)
	93	bl_stats = rb_dictionary_create("blacklist statistics", strcasecmp);
	94
ef0b13b9 EM	95	if(timeout_ev == NULL)
	96	timeout_ev = rb_event_addish("timeout_dead_authd_clients", timeout_dead_authd_clients, NULL, 1);
	97
fb7d74ef AC	98	authd_helper = rb_helper_start("authd", authd_path, parse_authd_reply, restart_authd_cb);
	99
	100	if(authd_helper == NULL)
	101	{
7ad083b0	102	ierror("Unable to start authd helper: %s", strerror(errno));
fb7d74ef AC	103	sendto_realops_snomask(SNO_GENERAL, L_ALL, "Unable to start authd helper: %s", strerror(errno));
	104	return 1;
	105	}
	106	ilog(L_MAIN, "authd helper started");
	107	sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd helper started");
	108	rb_helper_run(authd_helper);
	109	return 0;
	110	}
	111
6a7bb6f1 EM	112	static inline uint32_t
	113	str_to_cid(const char *str)
	114	{
	115	long lcid = strtol(str, NULL, 16);
	116
	117	if(lcid > UINT32_MAX \|\| lcid <= 0)
	118	{
	119	iwarn("authd sent us back a bad client ID: %lx", lcid);
	120	restart_authd();
	121	return 0;
	122	}
	123
	124	return (uint32_t)lcid;
	125	}
	126
	127	static inline struct Client *
	128	cid_to_client(uint32_t cid, bool delete)
	129	{
	130	struct Client *client_p;
	131
	132	if(delete)
	133	client_p = rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(cid));
	134	else
	135	client_p = rb_dictionary_retrieve(cid_clients, RB_UINT_TO_POINTER(cid));
	136
	137	if(client_p == NULL)
	138	{
	139	iwarn("authd sent us back a bad client ID: %ux", cid);
	140	restart_authd();
	141	return NULL;
	142	}
	143
	144	return client_p;
	145	}
	146
adfe7b83 EM	147	static inline struct Client *
	148	str_cid_to_client(const char *str, bool delete)
	149	{
	150	uint32_t cid = str_to_cid(str);
	151
	152	if(cid == 0)
	153	return NULL;
	154
	155	return cid_to_client(cid, delete);
	156	}
	157
fb7d74ef AC	158	static void
	159	parse_authd_reply(rb_helper * helper)
	160	{
	161	ssize_t len;
	162	int parc;
50808796	163	char authdBuf[READBUF_SIZE];
fb7d74ef	164	char *parv[MAXPARA + 1];
d3f6b808	165	struct Client *client_p;
394b8dde	166
50808796	167	while((len = rb_helper_read(helper, authdBuf, sizeof(authdBuf))) > 0)
fb7d74ef	168	{
50808796	169	parc = rb_string_to_array(authdBuf, parv, MAXPARA+1);
fb7d74ef	170
3949459b	171	switch (*parv[0])
fb7d74ef	172	{
d3f6b808 EM	173	case 'A': /* Accepted a client */
	174	if(parc != 4)
	175	{
	176	iwarn("authd sent a result with wrong number of arguments: got %d", parc);
	177	restart_authd();
	178	return;
	179	}
	180
d3f6b808	181	/* cid to uid (retrieve and delete) */
adfe7b83	182	if((client_p = str_cid_to_client(parv[1], true)) == NULL)
d3f6b808	183	return;
d3f6b808	184
b1a577f2	185	authd_accept_client(client_p, parv[2], parv[3]);
d3f6b808 EM	186	break;
	187	case 'R': /* Reject client */
	188	if(parc != 7)
	189	{
	190	iwarn("authd sent us a result with wrong number of arguments: got %d", parc);
	191	restart_authd();
	192	return;
	193	}
	194
d3f6b808	195	/* cid to uid (retrieve and delete) */
adfe7b83	196	if((client_p = str_cid_to_client(parv[1], true)) == NULL)
d3f6b808	197	return;
d3f6b808	198
b1a577f2	199	authd_reject_client(client_p, parv[3], parv[4], toupper(*parv[2]), parv[5], parv[6]);
cc4d3931 EM	200	break;
cc4d3931 EM	201	case 'N': /* Notice to client */
ef0b13b9	202	if(parc != 3)
cc4d3931 EM	203	{
	204	iwarn("authd sent us a result with wrong number of arguments: got %d", parc);
	205	restart_authd();
	206	return;
	207	}
50808796	208
adfe7b83	209	if((client_p = str_cid_to_client(parv[1], false)) == NULL)
cc4d3931	210	return;
cc4d3931	211
cc4d3931 EM	212	sendto_one_notice(client_p, ":%s", parv[2]);
cc4d3931 EM	213	break;
d3f6b808	214	case 'E': /* DNS Result */
fb7d74ef AC	215	if(parc != 5)
fb7d74ef AC	216	{
7ad083b0	217	iwarn("authd sent a result with wrong number of arguments: got %d", parc);
fb7d74ef AC	218	restart_authd();
	219	return;
	220	}
adfe7b83	221
fb7d74ef	222	dns_results_callback(parv[1], parv[2], parv[3], parv[4]);
3949459b	223	break;
d3f6b808	224	case 'W': /* Oper warning */
0a659bf0 EM	225	if(parc != 3)
0a659bf0 EM	226	{
7ad083b0	227	iwarn("authd sent a result with wrong number of arguments: got %d", parc);
0a659bf0 EM	228	restart_authd();
	229	return;
	230	}
	231
	232	switch(*parv[2])
	233	{
d3f6b808	234	case 'D': /* Debug */
0a659bf0	235	sendto_realops_snomask(SNO_DEBUG, L_ALL, "authd debug: %s", parv[3]);
7ad083b0	236	idebug("authd: %s", parv[3]);
0a659bf0	237	break;
938f93f4	238	case 'I': /* Info */
0a659bf0	239	sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd info: %s", parv[3]);
7ad083b0	240	inotice("authd: %s", parv[3]);
0a659bf0	241	break;
938f93f4	242	case 'W': /* Warning */
0a659bf0	243	sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd WARNING: %s", parv[3]);
7ad083b0	244	iwarn("authd: %s", parv[3]);
0a659bf0	245	break;
938f93f4	246	case 'C': /* Critical (error) */
0a659bf0	247	sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd CRITICAL: %s", parv[3]);
7ad083b0	248	ierror("authd: %s", parv[3]);
0a659bf0	249	break;
938f93f4	250	default: /* idk */
0a659bf0 EM	251	sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd sent us an unknown oper notice type (%s): %s", parv[2], parv[3]);
	252	ilog(L_MAIN, "authd unknown oper notice type (%s): %s", parv[2], parv[3]);
	253	break;
	254	}
	255
	256	/* NOTREACHED */
	257	break;
d3f6b808 EM	258	case 'X': /* Stats error */
	259	case 'Y': /* Stats reply */
	260	case 'Z': /* End of stats reply */
394b8dde EM	261	if(parc < 3)
394b8dde EM	262	{
7ad083b0	263	iwarn("authd sent a result with wrong number of arguments: got %d", parc);
394b8dde EM	264	restart_authd();
	265	return;
	266	}
	267
	268	/* Select by type */
	269	switch(*parv[2])
	270	{
	271	case 'D':
	272	/* parv[0] conveys status */
	273	if(parc < 4)
	274	{
7ad083b0	275	iwarn("authd sent a result with wrong number of arguments: got %d", parc);
394b8dde EM	276	restart_authd();
	277	return;
	278	}
	279	dns_stats_results_callback(parv[1], parv[0], parc - 3, (const char **)&parv[3]);
	280	break;
	281	default:
	282	break;
	283	}
	284	break;
3949459b AC	285	default:
3949459b AC	286	break;
fb7d74ef	287	}
fb7d74ef AC	288	}
	289	}
	290
	291	void
	292	init_authd(void)
	293	{
	294	if(start_authd())
	295	{
7ad083b0	296	ierror("Unable to start authd helper: %s", strerror(errno));
fb7d74ef AC	297	exit(0);
	298	}
	299	}
	300
d3f6b808 EM	301	void
	302	configure_authd(void)
	303	{
	304	/* These will do for now */
	305	set_authd_timeout("ident_timeout", GlobalSetOptions.ident_timeout);
	306	set_authd_timeout("rdns_timeout", ConfigFileEntry.connect_timeout);
50808796 EM	307	set_authd_timeout("rbl_timeout", ConfigFileEntry.connect_timeout);
50808796 EM	308	ident_check_enable(!ConfigFileEntry.disable_auth);
d3f6b808 EM	309	}
d3f6b808 EM	310
fb7d74ef AC	311	static void
	312	restart_authd_cb(rb_helper * helper)
	313	{
e1582810 EM	314	rb_dictionary_iter iter;
	315	struct Client *client_p;
	316
7ad083b0	317	iwarn("authd: restart_authd_cb called, authd died?");
3949459b	318	sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd: restart_authd_cb called, authd died?");
e1582810	319
fb7d74ef AC	320	if(helper != NULL)
	321	{
	322	rb_helper_close(helper);
	323	authd_helper = NULL;
	324	}
e1582810 EM	325
	326	RB_DICTIONARY_FOREACH(client_p, &iter, cid_clients)
	327	{
	328	/* Abort any existing clients */
	329	authd_abort_client(client_p);
	330	}
	331
fb7d74ef AC	332	start_authd();
	333	}
	334
	335	void
	336	restart_authd(void)
	337	{
	338	restart_authd_cb(authd_helper);
	339	}
	340
	341	void
	342	rehash_authd(void)
	343	{
	344	rb_helper_write(authd_helper, "R");
d3f6b808	345	configure_authd();
fb7d74ef AC	346	}
	347
	348	void
	349	check_authd(void)
	350	{
	351	if(authd_helper == NULL)
	352	restart_authd();
	353	}
d3f6b808 EM	354
	355	static inline uint32_t
	356	generate_cid(void)
	357	{
	358	if(++cid == 0)
	359	cid = 1;
	360
	361	return cid;
	362	}
	363
	364	/* Basically when this is called we begin handing off the client to authd for
	365	* processing. authd "owns" the client until processing is finished, or we
	366	* timeout from authd. authd will make a decision whether or not to accept the
	367	* client, but it's up to other parts of the code (for now) to decide if we're
	368	* gonna accept the client and ignore authd's suggestion.
	369	*
	370	* --Elizafox
	371	*/
	372	void
	373	authd_initiate_client(struct Client *client_p)
	374	{
	375	char client_ipaddr[HOSTIPLEN+1];
	376	char listen_ipaddr[HOSTIPLEN+1];
	377	uint16_t client_port, listen_port;
	378	uint32_t authd_cid;
	379
50808796	380	if(client_p->preClient == NULL \|\| client_p->preClient->authd_cid != 0)
d3f6b808 EM	381	return;
	382
	383	authd_cid = client_p->preClient->authd_cid = generate_cid();
	384
	385	/* Collisions are extremely unlikely, so disregard the possibility */
50808796	386	rb_dictionary_add(cid_clients, RB_UINT_TO_POINTER(authd_cid), client_p);
d3f6b808 EM	387
	388	/* Retrieve listener and client IP's */
	389	rb_inet_ntop_sock((struct sockaddr *)&client_p->preClient->lip, listen_ipaddr, sizeof(listen_ipaddr));
	390	rb_inet_ntop_sock((struct sockaddr *)&client_p->localClient->ip, client_ipaddr, sizeof(client_ipaddr));
	391
	392	/* Retrieve listener and client ports */
d86692fa EM	393	listen_port = ntohs(GET_SS_PORT(&client_p->preClient->lip));
d86692fa EM	394	client_port = ntohs(GET_SS_PORT(&client_p->localClient->ip));
d3f6b808	395
59d42a9f	396	/* Add a bit of a fudge factor... */
d86692fa	397	client_p->preClient->authd_timeout = rb_current_time() + ConfigFileEntry.connect_timeout + 10;
d3f6b808 EM	398
	399	rb_helper_write(authd_helper, "C %x %s %hu %s %hu", authd_cid, listen_ipaddr, listen_port, client_ipaddr, client_port);
	400	}
	401
	402	/* When this is called we have a decision on client acceptance.
	403	*
	404	* After this point authd no longer "owns" the client.
	405	*/
b1a577f2	406	static inline void
d3f6b808 EM	407	authd_decide_client(struct Client client_p, const char ident, const char host, bool accept, char cause, const char data, const char *reason)
	408	{
	409	if(client_p->preClient == NULL \|\| client_p->preClient->authd_cid == 0)
	410	return;
	411
	412	if(ident != '')
	413	{
	414	rb_strlcpy(client_p->username, ident, sizeof(client_p->username));
4f6119cd	415	ServerStats.is_asuc++;
d3f6b808 EM	416	}
d3f6b808 EM	417	else
4f6119cd	418	ServerStats.is_abad++; /* s_auth used to do this, stay compatible */
d3f6b808 EM	419
	420	if(host != '')
	421	rb_strlcpy(client_p->host, host, sizeof(client_p->host));
	422
	423	client_p->preClient->authd_accepted = accept;
	424	client_p->preClient->authd_cause = cause;
	425	client_p->preClient->authd_data = (data == NULL ? NULL : rb_strdup(data));
	426	client_p->preClient->authd_reason = (reason == NULL ? NULL : rb_strdup(reason));
	427
	428	rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(client_p->preClient->authd_cid));
d3f6b808 EM	429	client_p->preClient->authd_cid = 0;
	430
	431	/*
	432	* When a client has auth'ed, we want to start reading what it sends
	433	* us. This is what read_packet() does.
	434	* -- adrian
	435	*
	436	* Above comment was originally in s_auth.c, but moved here with below code.
	437	* --Elizafox
	438	*/
	439	rb_dlinkAddTail(client_p, &client_p->node, &global_client_list);
	440	read_packet(client_p->localClient->F, client_p);
	441	}
	442
b1a577f2 EM	443	/* Convenience function to accept client */
	444	void
	445	authd_accept_client(struct Client client_p, const char ident, const char *host)
	446	{
	447	authd_decide_client(client_p, ident, host, true, '\0', NULL, NULL);
	448	}
	449
	450	/* Convenience function to reject client */
	451	void
	452	authd_reject_client(struct Client client_p, const char ident, const char host, char cause, const char data, const char *reason)
	453	{
	454	authd_decide_client(client_p, ident, host, false, cause, data, reason);
	455	}
	456
d3f6b808 EM	457	void
	458	authd_abort_client(struct Client *client_p)
	459	{
e1582810	460	if(client_p == NULL \|\| client_p->preClient == NULL)
d3f6b808 EM	461	return;
	462
	463	if(client_p->preClient->authd_cid == 0)
	464	return;
	465
	466	rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(client_p->preClient->authd_cid));
	467
e1582810 EM	468	if(authd_helper != NULL)
	469	rb_helper_write(authd_helper, "E %x", client_p->preClient->authd_cid);
	470
	471	/* XXX should we blindly allow like this? */
b1a577f2	472	authd_accept_client(client_p, "", "");
d3f6b808 EM	473	client_p->preClient->authd_cid = 0;
	474	}
	475
ef0b13b9 EM	476	static void
	477	timeout_dead_authd_clients(void *notused __unused)
	478	{
	479	rb_dictionary_iter iter;
0bb5d3f0	480	struct Client *client_p;
ef0b13b9	481
0bb5d3f0	482	RB_DICTIONARY_FOREACH(client_p, &iter, cid_clients)
ef0b13b9	483	{
ef0b13b9	484	if(client_p->preClient->authd_timeout < rb_current_time())
e1582810	485	authd_abort_client(client_p);
ef0b13b9 EM	486	}
	487	}
	488
d3f6b808 EM	489	/* Turn a cause char (who rejected us) into the name of the provider */
	490	const char *
	491	get_provider_string(char cause)
	492	{
	493	switch(cause)
	494	{
	495	case 'B':
	496	return "Blacklist";
	497	case 'D':
	498	return "rDNS";
	499	case 'I':
	500	return "Ident";
	501	default:
	502	return "Unknown";
	503	}
	504	}
	505
	506	/* Send a new blacklist to authd */
	507	void
	508	add_blacklist(const char host, const char reason, uint8_t iptype, rb_dlink_list *filters)
	509	{
	510	rb_dlink_node *ptr;
	511	struct blacklist_stats *stats = rb_malloc(sizeof(struct blacklist_stats));
50808796	512	char filterbuf[BUFSIZE] = "*";
d3f6b808 EM	513	size_t s = 0;
	514
	515	/* Build a list of comma-separated values for authd.
	516	* We don't check for validity - do it elsewhere.
	517	*/
	518	RB_DLINK_FOREACH(ptr, filters->head)
	519	{
	520	char *filter = ptr->data;
	521	size_t filterlen = strlen(filter) + 1;
	522
	523	if(s + filterlen > sizeof(filterbuf))
	524	break;
	525
	526	snprintf(&filterbuf[s], sizeof(filterbuf) - s, "%s,", filter);
	527
	528	s += filterlen;
	529	}
	530
	531	if(s)
	532	filterbuf[s - 1] = '\0';
	533
	534	stats->iptype = iptype;
	535	stats->hits = 0;
	536	rb_dictionary_add(bl_stats, host, stats);
	537
	538	rb_helper_write(authd_helper, "O rbl %s %hhu %s :%s", host, iptype, filterbuf, reason);
	539	}
	540
	541	/* Delete a blacklist */
	542	void
	543	del_blacklist(const char *host)
	544	{
	545	rb_dictionary_delete(bl_stats, host);
	546
	547	rb_helper_write(authd_helper, "O rbl_del %s", host);
	548	}
	549
	550	/* Delete all the blacklists */
	551	void
	552	del_blacklist_all(void)
	553	{
	554	struct blacklist_stats *stats;
	555	rb_dictionary_iter iter;
	556
	557	RB_DICTIONARY_FOREACH(stats, &iter, bl_stats)
	558	{
	559	rb_free(stats);
	560	rb_dictionary_delete(bl_stats, iter.cur->key);
	561	}
	562
	563	rb_helper_write(authd_helper, "O rbl_del_all");
	564	}
	565
	566	/* Adjust an authd timeout value */
4f6119cd	567	bool
d3f6b808 EM	568	set_authd_timeout(const char *key, int timeout)
d3f6b808 EM	569	{
4f6119cd EM	570	if(timeout <= 0)
	571	return false;
	572
d3f6b808	573	rb_helper_write(authd_helper, "O %s %d", key, timeout);
4f6119cd	574	return true;
d3f6b808	575	}
ad043803	576
4f6119cd	577	/* Enable identd checks */
ad043803 EM	578	void
	579	ident_check_enable(bool enabled)
	580	{
	581	rb_helper_write(authd_helper, "O ident_enabled %d", enabled ? 1 : 0);
	582	}
4f6119cd EM	583
4f6119cd EM	584	/* Create an OPM listener */
b1a577f2	585	void
34f16c46	586	create_opm_listener(const char *ip, uint16_t port)
4f6119cd	587	{
34f16c46	588	rb_helper_write(authd_helper, "O opm_listener %s %hu", ip, port);
b1a577f2 EM	589	}
	590
	591	/* Disable all OPM scans */
	592	void
	593	opm_check_enable(bool enabled)
	594	{
	595	rb_helper_write(authd_helper, "O opm_enable %d", enabled ? 1 : 0);
	596	}
	597
51fa2ab8	598	/* Create an OPM proxy scanner */
b1a577f2	599	void
51fa2ab8	600	create_opm_proxy_scanner(const char *type, uint16_t port)
b1a577f2	601	{
51fa2ab8	602	rb_helper_write(authd_helper, "O opm_scanner %s %hu", type, port);
4f6119cd	603	}