]> jfr.im git - solanum.git/blob - ircd/s_auth.c
projects / solanum.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
authd/provider: some fixes
[solanum.git] / ircd / s_auth.c
1 /*
2 * ircd-ratbox: A slightly useful ircd.
3 * s_auth.c: Functions for querying a users ident.
4 *
5 * Copyright (C) 1990 Jarkko Oikarinen and University of Oulu, Co Center
6 * Copyright (C) 1996-2002 Hybrid Development Team
7 * Copyright (C) 2002-2005 ircd-ratbox development team
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
22 * USA
23 *
24 */
25
26 /*
27 * Changes:
28 * July 6, 1999 - Rewrote most of the code here. When a client connects
29 * to the server and passes initial socket validation checks, it
30 * is owned by this module (auth) which returns it to the rest of the
31 * server when dns and auth queries are finished. Until the client is
32 * released, the server does not know it exists and does not process
33 * any messages from it.
34 * --Bleep Thomas Helvey <tomh@inxpress.net>
35 */
36 #include "stdinc.h"
37 #include "defaults.h"
38 #include "s_auth.h"
39 #include "s_conf.h"
40 #include "client.h"
41 #include "match.h"
42 #include "ircd.h"
43 #include "numeric.h"
44 #include "packet.h"
45 #include "dns.h"
46 #include "logger.h"
47 #include "s_stats.h"
48 #include "send.h"
49 #include "hook.h"
50 #include "blacklist.h"
51 #include "s_assert.h"
52
53 struct AuthRequest
54 {
55 rb_dlink_node node;
56 struct Client *client; /* pointer to client struct for request */
57 uint16_t dns_id; /* DNS Query */
58 unsigned int flags; /* current state of request */
59 rb_fde_t *F; /* file descriptor for auth queries */
60 time_t timeout; /* time when query expires */
61 uint16_t lport;
62 uint16_t rport;
63 };
64
65 /*
66 * flag values for AuthRequest
67 * NAMESPACE: AM_xxx - Authentication Module
68 */
69 #define AM_AUTH_CONNECTING (1 << 0)
70 #define AM_AUTH_PENDING (1 << 1)
71 #define AM_DNS_PENDING (1 << 2)
72
73 #define SetDNSPending(x) ((x)->flags |= AM_DNS_PENDING)
74 #define ClearDNSPending(x) ((x)->flags &= ~AM_DNS_PENDING)
75 #define IsDNSPending(x) ((x)->flags & AM_DNS_PENDING)
76
77 #define SetAuthConnect(x) ((x)->flags |= AM_AUTH_CONNECTING)
78 #define ClearAuthConnect(x) ((x)->flags &= ~AM_AUTH_CONNECTING)
79 #define IsAuthConnect(x) ((x)->flags & AM_AUTH_CONNECTING)
80
81 #define SetAuthPending(x) ((x)->flags |= AM_AUTH_PENDING)
82 #define ClearAuthPending(x) ((x)->flags &= AM_AUTH_PENDING)
83 #define IsAuthPending(x) ((x)->flags & AM_AUTH_PENDING)
84
85 #define ClearAuth(x) ((x)->flags &= ~(AM_AUTH_PENDING | AM_AUTH_CONNECTING))
86 #define IsDoingAuth(x) ((x)->flags & (AM_AUTH_PENDING | AM_AUTH_CONNECTING))
87
88 /*
89 * a bit different approach
90 * this replaces the original sendheader macros
91 */
92
93 static const char *HeaderMessages[] =
94 {
95 ":*** Looking up your hostname...",
96 ":*** Found your hostname",
97 ":*** Couldn't look up your hostname",
98 ":*** Checking Ident",
99 ":*** Got Ident response",
100 ":*** No Ident response",
101 ":*** Your hostname is too long, ignoring hostname",
102 ":*** Your forward and reverse DNS do not match, ignoring hostname",
103 ":*** Cannot verify hostname validity, ignoring hostname",
104 };
105
106 typedef enum
107 {
108 REPORT_DO_DNS,
109 REPORT_FIN_DNS,
110 REPORT_FAIL_DNS,
111 REPORT_DO_ID,
112 REPORT_FIN_ID,
113 REPORT_FAIL_ID,
114 REPORT_HOST_TOOLONG,
115 REPORT_HOST_MISMATCH,
116 REPORT_HOST_UNKNOWN
117 }
118 ReportType;
119
120 #define sendheader(c, r) sendto_one_notice(c, "%s", HeaderMessages[(r)])
121
122 static rb_dlink_list auth_poll_list;
123 static rb_bh *auth_heap;
124 static EVH timeout_auth_queries_event;
125
126 static PF read_auth_reply;
127 static CNCB auth_connect_callback;
128
129 /*
130 * init_auth()
131 *
132 * Initialise the auth code
133 */
134 void
135 init_auth(void)
136 {
137 /* This hook takes a struct Client for its argument */
138 memset(&auth_poll_list, 0, sizeof(auth_poll_list));
139 rb_event_addish("timeout_auth_queries_event", timeout_auth_queries_event, NULL, 1);
140 auth_heap = rb_bh_create(sizeof(struct AuthRequest), LCLIENT_HEAP_SIZE, "auth_heap");
141 }
142
143 /*
144 * make_auth_request - allocate a new auth request
145 */
146 static struct AuthRequest *
147 make_auth_request(struct Client *client)
148 {
149 struct AuthRequest *request = rb_bh_alloc(auth_heap);
150 client->localClient->auth_request = request;
151 request->F = NULL;
152 request->client = client;
153 request->timeout = rb_current_time() + ConfigFileEntry.connect_timeout;
154 return request;
155 }
156
157 /*
158 * free_auth_request - cleanup auth request allocations
159 */
160 static void
161 free_auth_request(struct AuthRequest *request)
162 {
163 rb_bh_free(auth_heap, request);
164 }
165
166 /*
167 * release_auth_client - release auth client from auth system
168 * this adds the client into the local client lists so it can be read by
169 * the main io processing loop
170 */
171 static void
172 release_auth_client(struct AuthRequest *auth)
173 {
174 struct Client *client = auth->client;
175
176 if(IsDNSPending(auth) || IsDoingAuth(auth))
177 return;
178
179 client->localClient->auth_request = NULL;
180 rb_dlinkDelete(&auth->node, &auth_poll_list);
181 free_auth_request(auth);
182
183 /*
184 * When a client has auth'ed, we want to start reading what it sends
185 * us. This is what read_packet() does.
186 * -- adrian
187 */
188 rb_dlinkAddTail(client, &client->node, &global_client_list);
189 read_packet(client->localClient->F, client);
190 }
191
192 /*
193 * auth_dns_callback - called when resolver query finishes
194 * if the query resulted in a successful search, hp will contain
195 * a non-null pointer, otherwise hp will be null.
196 * set the client on it's way to a connection completion, regardless
197 * of success of failure
198 */
199 static void
200 auth_dns_callback(const char *result, int status, int aftype, void *vptr)
201 {
202 struct AuthRequest *auth = (struct AuthRequest *) vptr;
203 ClearDNSPending(auth);
204
205 /* XXX: this shouldn't happen, but it does. -nenolod */
206 if(auth->client->localClient == NULL)
207 {
208 sendto_realops_snomask(SNO_GENERAL, L_ALL,
209 "auth_dns_callback(): auth->client->localClient (%s) is NULL", get_client_name(auth->client, HIDE_IP));
210
211 rb_dlinkDelete(&auth->node, &auth_poll_list);
212 free_auth_request(auth);
213
214 /* and they will silently drop through and all will hopefully be ok... -nenolod */
215 return;
216 }
217
218 if(result != NULL && status)
219 {
220 int good = 1;
221
222 if(good && strlen(result) <= HOSTLEN)
223 {
224 rb_strlcpy(auth->client->host, result, sizeof(auth->client->host));
225 sendheader(auth->client, REPORT_FIN_DNS);
226 }
227 else if (strlen(result) > HOSTLEN)
228 sendheader(auth->client, REPORT_HOST_TOOLONG);
229 }
230 else
231 sendheader(auth->client, REPORT_FAIL_DNS);
232
233 release_auth_client(auth);
234 }
235
236 /*
237 * authsenderr - handle auth send errors
238 */
239 static void
240 auth_error(struct AuthRequest *auth)
241 {
242 ++ServerStats.is_abad;
243
244 rb_close(auth->F);
245 auth->F = NULL;
246
247 ClearAuth(auth);
248 sendheader(auth->client, REPORT_FAIL_ID);
249
250 release_auth_client(auth);
251 }
252
253 /*
254 * start_auth_query - Flag the client to show that an attempt to
255 * contact the ident server on
256 * the client's host. The connect and subsequently the socket are all put
257 * into 'non-blocking' mode. Should the connect or any later phase of the
258 * identifing process fail, it is aborted and the user is given a username
259 * of "unknown".
260 */
261 static int
262 start_auth_query(struct AuthRequest *auth)
263 {
264 struct rb_sockaddr_storage localaddr, destaddr;
265 rb_fde_t *F;
266 int family;
267
268 if(IsAnyDead(auth->client))
269 return 0;
270
271 family = GET_SS_FAMILY(&auth->client->localClient->ip);
272 if((F = rb_socket(family, SOCK_STREAM, 0, "ident")) == NULL)
273 {
274 ilog_error("creating auth stream socket");
275 ++ServerStats.is_abad;
276 return 0;
277 }
278
279 /*
280 * TBD: this is a pointless arbitrary limit .. we either have a socket or not. -nenolod
281 */
282 if((maxconnections - 10) < rb_get_fd(F))
283 {
284 sendto_realops_snomask(SNO_GENERAL, L_ALL,
285 "Can't allocate fd for auth on %s",
286 get_client_name(auth->client, SHOW_IP));
287 rb_close(F);
288 return 0;
289 }
290
291 sendheader(auth->client, REPORT_DO_ID);
292
293 /*
294 * get the local address of the client and bind to that to
295 * make the auth request. This used to be done only for
296 * ifdef VIRTUAL_HOST, but needs to be done for all clients
297 * since the ident request must originate from that same address--
298 * and machines with multiple IP addresses are common now
299 */
300 localaddr = auth->client->preClient->lip;
301
302 /* XXX mangle_mapped_sockaddr((struct sockaddr *)&localaddr); */
303 #ifdef RB_IPV6
304 if(GET_SS_FAMILY(&localaddr) == AF_INET6)
305 {
306 auth->lport = ntohs(((struct sockaddr_in6 *)&localaddr)->sin6_port);
307 ((struct sockaddr_in6 *)&localaddr)->sin6_port = 0;
308 }
309 else
310 #endif
311 {
312 auth->lport = ntohs(((struct sockaddr_in *)&localaddr)->sin_port);
313 ((struct sockaddr_in *)&localaddr)->sin_port = 0;
314 }
315
316 destaddr = auth->client->localClient->ip;
317 #ifdef RB_IPV6
318 if(GET_SS_FAMILY(&localaddr) == AF_INET6)
319 {
320 auth->rport = ntohs(((struct sockaddr_in6 *)&destaddr)->sin6_port);
321 ((struct sockaddr_in6 *)&destaddr)->sin6_port = htons(113);
322 }
323 else
324 #endif
325 {
326 auth->rport = ntohs(((struct sockaddr_in *)&destaddr)->sin_port);
327 ((struct sockaddr_in *)&destaddr)->sin_port = htons(113);
328 }
329
330 auth->F = F;
331 SetAuthConnect(auth);
332
333 rb_connect_tcp(F, (struct sockaddr *)&destaddr,
334 (struct sockaddr *) &localaddr, GET_SS_LEN(&localaddr),
335 auth_connect_callback, auth,
336 GlobalSetOptions.ident_timeout);
337 return 1; /* We suceed here for now */
338 }
339
340 /*
341 * GetValidIdent - parse ident query reply from identd server
342 *
343 * Inputs - pointer to ident buf
344 * Output - NULL if no valid ident found, otherwise pointer to name
345 * Side effects -
346 */
347 static char *
348 GetValidIdent(char *buf)
349 {
350 int remp = 0;
351 int locp = 0;
352 char *colon1Ptr;
353 char *colon2Ptr;
354 char *colon3Ptr;
355 char *commaPtr;
356 char *remotePortString;
357
358 /* All this to get rid of a sscanf() fun. */
359 remotePortString = buf;
360
361 colon1Ptr = strchr(remotePortString, ':');
362 if(!colon1Ptr)
363 return 0;
364
365 *colon1Ptr = '\0';
366 colon1Ptr++;
367 colon2Ptr = strchr(colon1Ptr, ':');
368 if(!colon2Ptr)
369 return 0;
370
371 *colon2Ptr = '\0';
372 colon2Ptr++;
373 commaPtr = strchr(remotePortString, ',');
374
375 if(!commaPtr)
376 return 0;
377
378 *commaPtr = '\0';
379 commaPtr++;
380
381 remp = atoi(remotePortString);
382 if(!remp)
383 return 0;
384
385 locp = atoi(commaPtr);
386 if(!locp)
387 return 0;
388
389 /* look for USERID bordered by first pair of colons */
390 if(!strstr(colon1Ptr, "USERID"))
391 return 0;
392
393 colon3Ptr = strchr(colon2Ptr, ':');
394 if(!colon3Ptr)
395 return 0;
396
397 *colon3Ptr = '\0';
398 colon3Ptr++;
399 return (colon3Ptr);
400 }
401
402 /*
403 * start_auth - starts auth (identd) and dns queries for a client
404 */
405 void
406 start_auth(struct Client *client)
407 {
408 struct AuthRequest *auth = 0;
409 s_assert(0 != client);
410 if(client == NULL)
411 return;
412
413 auth = make_auth_request(client);
414
415 sendheader(client, REPORT_DO_DNS);
416
417 /* No DNS cache now, remember? -- adrian */
418 auth->dns_id = lookup_ip(client->sockhost, GET_SS_FAMILY(&client->localClient->ip), auth_dns_callback, auth);
419
420 SetDNSPending(auth);
421
422 if(ConfigFileEntry.disable_auth == 0)
423 start_auth_query(auth);
424
425 rb_dlinkAdd(auth, &auth->node, &auth_poll_list);
426 }
427
428 /*
429 * timeout_auth_queries - timeout resolver and identd requests
430 * allow clients through if requests failed
431 */
432 static void
433 timeout_auth_queries_event(void *notused)
434 {
435 rb_dlink_node *ptr;
436 rb_dlink_node *next_ptr;
437 struct AuthRequest *auth;
438
439 RB_DLINK_FOREACH_SAFE(ptr, next_ptr, auth_poll_list.head)
440 {
441 auth = ptr->data;
442
443 if(auth->timeout < rb_current_time())
444 {
445 if(auth->F != NULL)
446 rb_close(auth->F);
447
448 if(IsDoingAuth(auth))
449 {
450 ClearAuth(auth);
451 ++ServerStats.is_abad;
452 sendheader(auth->client, REPORT_FAIL_ID);
453 auth->client->localClient->auth_request = NULL;
454 }
455 if(IsDNSPending(auth))
456 {
457 ClearDNSPending(auth);
458 cancel_lookup(auth->dns_id);
459 sendheader(auth->client, REPORT_FAIL_DNS);
460 }
461
462 auth->client->localClient->lasttime = rb_current_time();
463 release_auth_client(auth);
464 }
465 }
466 }
467
468 /*
469 * auth_connect_callback() - deal with the result of rb_connect_tcp()
470 *
471 * If the connection failed, we simply close the auth fd and report
472 * a failure. If the connection suceeded send the ident server a query
473 * giving "theirport , ourport". The write is only attempted *once* so
474 * it is deemed to be a fail if the entire write doesn't write all the
475 * data given. This shouldnt be a problem since the socket should have
476 * a write buffer far greater than this message to store it in should
477 * problems arise. -avalon
478 */
479 static void
480 auth_connect_callback(rb_fde_t *F, int error, void *data)
481 {
482 struct AuthRequest *auth = data;
483 char authbuf[32];
484 int authlen;
485
486 /* Check the error */
487 if(error != RB_OK)
488 {
489 /* We had an error during connection :( */
490 auth_error(auth);
491 return;
492 }
493
494 snprintf(authbuf, sizeof(authbuf), "%u , %u\r\n",
495 auth->rport, auth->lport);
496 authlen = strlen(authbuf);
497
498 if(rb_write(auth->F, authbuf, authlen) != authlen)
499 {
500 auth_error(auth);
501 return;
502 }
503 ClearAuthConnect(auth);
504 SetAuthPending(auth);
505 read_auth_reply(auth->F, auth);
506 }
507
508
509 /*
510 * read_auth_reply - read the reply (if any) from the ident server
511 * we connected to.
512 * We only give it one shot, if the reply isn't good the first time
513 * fail the authentication entirely. --Bleep
514 */
515 #define AUTH_BUFSIZ 128
516
517 static void
518 read_auth_reply(rb_fde_t *F, void *data)
519 {
520 struct AuthRequest *auth = data;
521 char *s = NULL;
522 char *t = NULL;
523 int len;
524 int count;
525 char buf[AUTH_BUFSIZ + 1]; /* buffer to read auth reply into */
526
527 len = rb_read(F, buf, AUTH_BUFSIZ);
528
529 if(len < 0 && rb_ignore_errno(errno))
530 {
531 rb_setselect(F, RB_SELECT_READ, read_auth_reply, auth);
532 return;
533 }
534
535 if(len > 0)
536 {
537 buf[len] = '\0';
538
539 if((s = GetValidIdent(buf)))
540 {
541 t = auth->client->username;
542
543 while (*s == '~' || *s == '^')
544 s++;
545
546 for (count = USERLEN; *s && count; s++)
547 {
548 if(*s == '@')
549 {
550 break;
551 }
552 if(!IsSpace(*s) && *s != ':' && *s != '[')
553 {
554 *t++ = *s;
555 count--;
556 }
557 }
558 *t = '\0';
559 }
560 }
561
562 rb_close(auth->F);
563 auth->F = NULL;
564 ClearAuth(auth);
565
566 if(s == NULL)
567 {
568 ++ServerStats.is_abad;
569 strcpy(auth->client->username, "unknown");
570 sendheader(auth->client, REPORT_FAIL_ID);
571 }
572 else
573 {
574 sendheader(auth->client, REPORT_FIN_ID);
575 ++ServerStats.is_asuc;
576 SetGotId(auth->client);
577 }
578
579 release_auth_client(auth);
580 }
581
582
583
584 /*
585 * delete_auth_queries()
586 */
587 void
588 delete_auth_queries(struct Client *target_p)
589 {
590 struct AuthRequest *auth;
591
592 if(target_p == NULL || target_p->localClient == NULL ||
593 target_p->localClient->auth_request == NULL)
594 return;
595
596 auth = target_p->localClient->auth_request;
597 target_p->localClient->auth_request = NULL;
598
599 if(IsDNSPending(auth))
600 cancel_lookup(auth->dns_id);
601
602 if(auth->F != NULL)
603 rb_close(auth->F);
604
605 rb_dlinkDelete(&auth->node, &auth_poll_list);
606 free_auth_request(auth);
607 }
Fork of solanum ircd, history is rebased regularly