]> jfr.im git - solanum.git/blob - authd/providers/blacklist.c
projects / solanum.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
authd: misc fixes
[solanum.git] / authd / providers / blacklist.c
1 /*
2 * charybdis: A slightly useful ircd.
3 * blacklist.c: Manages DNS blacklist entries and lookups
4 *
5 * Copyright (C) 2006-2011 charybdis development team
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions are
9 * met:
10 *
11 * 1. Redistributions of source code must retain the above copyright notice,
12 * this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * 3. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
23 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
24 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
32 */
33
34 /* Originally written for charybdis circa 2006 (by nenolod?).
35 * Tweaked for authd. Some functions and structs renamed. Public/private
36 * interfaces have been shifted around. Some code has been cleaned up too.
37 * -- Elizafox 24 March 2016
38 */
39
40 #include "authd.h"
41 #include "provider.h"
42 #include "notice.h"
43 #include "stdinc.h"
44 #include "dns.h"
45
46 typedef enum filter_t
47 {
48 FILTER_ALL = 1,
49 FILTER_LAST = 2,
50 } filter_t;
51
52 /* Blacklist accepted IP types */
53 #define IPTYPE_IPV4 1
54 #define IPTYPE_IPV6 2
55
56 /* A configured DNSBL */
57 struct blacklist
58 {
59 char host[IRCD_RES_HOSTLEN + 1];
60 char reason[BUFSIZE]; /* Reason template (ircd fills in the blanks) */
61 uint8_t iptype; /* IP types supported */
62 rb_dlink_list filters; /* Filters for queries */
63
64 bool delete; /* If true delete when no clients */
65 int refcount; /* When 0 and delete is set, remove this blacklist */
66 unsigned int hits;
67
68 time_t lastwarning; /* Last warning about garbage replies sent */
69 };
70
71 /* A lookup in progress for a particular DNSBL for a particular client */
72 struct blacklist_lookup
73 {
74 struct blacklist *bl; /* Blacklist we're checking */
75 struct auth_client *auth; /* Client */
76 struct dns_query *query; /* DNS query pointer */
77
78 rb_dlink_node node;
79 };
80
81 /* A blacklist filter */
82 struct blacklist_filter
83 {
84 filter_t type; /* Type of filter */
85 char filter[HOSTIPLEN]; /* The filter itself */
86
87 rb_dlink_node node;
88 };
89
90 /* Blacklist user data attached to auth_client instance */
91 struct blacklist_user
92 {
93 rb_dlink_list queries; /* Blacklist queries in flight */
94 time_t timeout; /* When this times out */
95 };
96
97 /* public interfaces */
98 static bool blacklists_init(void);
99 static void blacklists_destroy(void);
100
101 static bool blacklists_start(struct auth_client *);
102 static void blacklists_cancel(struct auth_client *);
103
104 /* private interfaces */
105 static void unref_blacklist(struct blacklist *);
106 static struct blacklist *new_blacklist(const char *, const char *, uint8_t, rb_dlink_list *);
107 static struct blacklist *find_blacklist(const char *);
108 static bool blacklist_check_reply(struct blacklist_lookup *, const char *);
109 static void blacklist_dns_callback(const char *, bool, query_type, void *);
110 static void initiate_blacklist_dnsquery(struct blacklist *, struct auth_client *);
111 static void timeout_blacklist_queries_event(void *);
112
113 /* Variables */
114 static rb_dlink_list blacklist_list = { NULL, NULL, 0 };
115 static struct ev_entry *timeout_ev;
116 static int blacklist_timeout = 15;
117
118 /* private interfaces */
119
120 static void
121 unref_blacklist(struct blacklist *bl)
122 {
123 rb_dlink_node *ptr, *nptr;
124
125 bl->refcount--;
126 if (bl->delete && bl->refcount <= 0)
127 {
128 RB_DLINK_FOREACH_SAFE(ptr, nptr, bl->filters.head)
129 {
130 rb_dlinkDelete(ptr, &bl->filters);
131 rb_free(ptr);
132 }
133
134 rb_dlinkFindDestroy(bl, &blacklist_list);
135 rb_free(bl);
136 }
137 }
138
139 static struct blacklist *
140 new_blacklist(const char *name, const char *reason, uint8_t iptype, rb_dlink_list *filters)
141 {
142 struct blacklist *bl;
143
144 if (name == NULL || reason == NULL || iptype == 0)
145 return NULL;
146
147 if((bl = find_blacklist(name)) == NULL)
148 {
149 bl = rb_malloc(sizeof(struct blacklist));
150 rb_dlinkAddAlloc(bl, &blacklist_list);
151 }
152 else
153 bl->delete = false;
154
155 rb_strlcpy(bl->host, name, IRCD_RES_HOSTLEN + 1);
156 rb_strlcpy(bl->reason, reason, BUFSIZE);
157 bl->iptype = iptype;
158
159 rb_dlinkMoveList(filters, &bl->filters);
160
161 bl->lastwarning = 0;
162
163 return bl;
164 }
165
166 static struct blacklist *
167 find_blacklist(const char *name)
168 {
169 rb_dlink_node *ptr;
170
171 RB_DLINK_FOREACH(ptr, blacklist_list.head)
172 {
173 struct blacklist *bl = (struct blacklist *)ptr->data;
174
175 if (!strcasecmp(bl->host, name))
176 return bl;
177 }
178
179 return NULL;
180 }
181
182 static inline bool
183 blacklist_check_reply(struct blacklist_lookup *bllookup, const char *ipaddr)
184 {
185 struct blacklist *bl = bllookup->bl;
186 const char *lastoctet;
187 rb_dlink_node *ptr;
188
189 /* No filters and entry found - thus positive match */
190 if (!rb_dlink_list_length(&bl->filters))
191 return true;
192
193 /* Below will prolly have to change if IPv6 address replies are sent back */
194 if ((lastoctet = strrchr(ipaddr, '.')) == NULL || *(++lastoctet) == '\0')
195 goto blwarn;
196
197 RB_DLINK_FOREACH(ptr, bl->filters.head)
198 {
199 struct blacklist_filter *filter = ptr->data;
200 const char *cmpstr;
201
202 if (filter->type == FILTER_ALL)
203 cmpstr = ipaddr;
204 else if (filter->type == FILTER_LAST)
205 cmpstr = lastoctet;
206 else
207 {
208 warn_opers(L_CRIT, "BUG: Unknown blacklist filter type on blacklist %s: %d",
209 bl->host, filter->type);
210 continue;
211 }
212
213 if (strcmp(cmpstr, filter->filter) == 0)
214 /* Match! */
215 return true;
216 }
217
218 return false;
219 blwarn:
220 if (bl->lastwarning + 3600 < rb_current_time())
221 {
222 warn_opers(L_WARN, "Garbage/undecipherable reply received from blacklist %s (reply %s)",
223 bl->host, ipaddr);
224 bl->lastwarning = rb_current_time();
225 }
226 return false;
227 }
228
229 static void
230 blacklist_dns_callback(const char *result, bool status, query_type type, void *data)
231 {
232 struct blacklist_lookup *bllookup = (struct blacklist_lookup *)data;
233 struct blacklist_user *bluser;
234 struct blacklist *bl;
235 struct auth_client *auth;
236
237 if (bllookup == NULL || bllookup->auth == NULL)
238 return;
239
240 bl = bllookup->bl;
241 auth = bllookup->auth;
242 bluser = auth->data[PROVIDER_BLACKLIST];
243 if(bluser == NULL)
244 return;
245
246 if (result != NULL && status && blacklist_check_reply(bllookup, result))
247 {
248 /* Match found, so proceed no further */
249 bl->hits++;
250 blacklists_cancel(auth);
251 reject_client(auth, PROVIDER_BLACKLIST, bl->host, bl->reason);
252 return;
253 }
254
255 unref_blacklist(bl);
256 cancel_query(bllookup->query); /* Ignore future responses */
257 rb_dlinkDelete(&bllookup->node, &bluser->queries);
258 rb_free(bllookup);
259
260 if(!rb_dlink_list_length(&bluser->queries))
261 {
262 /* Done here */
263 rb_free(bluser);
264 auth->data[PROVIDER_BLACKLIST] = NULL;
265 provider_done(auth, PROVIDER_BLACKLIST);
266 }
267 }
268
269 static void
270 initiate_blacklist_dnsquery(struct blacklist *bl, struct auth_client *auth)
271 {
272 struct blacklist_lookup *bllookup = rb_malloc(sizeof(struct blacklist_lookup));
273 struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];
274 char buf[IRCD_RES_HOSTLEN + 1];
275 int aftype;
276
277 bllookup->bl = bl;
278 bllookup->auth = auth;
279
280 aftype = GET_SS_FAMILY(&auth->c_addr);
281 if((aftype == AF_INET && (bl->iptype & IPTYPE_IPV4) == 0) ||
282 (aftype == AF_INET6 && (bl->iptype & IPTYPE_IPV6) == 0))
283 /* Incorrect blacklist type for this IP... */
284 return;
285
286 build_rdns(buf, sizeof(buf), &auth->c_addr, bl->host);
287
288 bllookup->query = lookup_ip(buf, AF_INET, blacklist_dns_callback, bllookup);
289
290 rb_dlinkAdd(bllookup, &bllookup->node, &bluser->queries);
291 bl->refcount++;
292 }
293
294 /* Timeout outstanding queries */
295 static void
296 timeout_blacklist_queries_event(void *notused)
297 {
298 struct auth_client *auth;
299 rb_dictionary_iter iter;
300
301 RB_DICTIONARY_FOREACH(auth, &iter, auth_clients)
302 {
303 struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];
304
305 if(bluser != NULL && bluser->timeout < rb_current_time())
306 {
307 blacklists_cancel(auth);
308 provider_done(auth, PROVIDER_BLACKLIST);
309 }
310 }
311 }
312
313 static inline void
314 lookup_all_blacklists(struct auth_client *auth)
315 {
316 struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];
317 rb_dlink_node *ptr;
318
319 RB_DLINK_FOREACH(ptr, blacklist_list.head)
320 {
321 struct blacklist *bl = (struct blacklist *)ptr->data;
322
323 if (!bl->delete)
324 initiate_blacklist_dnsquery(bl, auth);
325 }
326
327 bluser->timeout = rb_current_time() + blacklist_timeout;
328 }
329
330 static inline void
331 delete_blacklist(struct blacklist *bl)
332 {
333 if (bl->refcount > 0)
334 bl->delete = true;
335 else
336 {
337 rb_dlinkFindDestroy(bl, &blacklist_list);
338 rb_free(bl);
339 }
340 }
341
342 static void
343 delete_all_blacklists(void)
344 {
345 rb_dlink_node *ptr, *nptr;
346
347 RB_DLINK_FOREACH_SAFE(ptr, nptr, blacklist_list.head)
348 {
349 delete_blacklist(ptr->data);
350 }
351 }
352
353 /* public interfaces */
354 static bool
355 blacklists_start(struct auth_client *auth)
356 {
357 if(auth->data[PROVIDER_BLACKLIST] != NULL)
358 return true;
359
360 if(!rb_dlink_list_length(&blacklist_list))
361 /* Nothing to do... */
362 return true;
363
364 auth->data[PROVIDER_BLACKLIST] = rb_malloc(sizeof(struct blacklist_user));
365
366 if(is_provider_done(auth, PROVIDER_RDNS) && is_provider_done(auth, PROVIDER_IDENT))
367 /* This probably can't happen but let's handle this case anyway */
368 lookup_all_blacklists(auth);
369
370 set_provider_on(auth, PROVIDER_BLACKLIST);
371 return true;
372 }
373
374 /* This is called every time a provider is completed as long as we are marked not done */
375 static void
376 blacklists_initiate(struct auth_client *auth, provider_t provider)
377 {
378 struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];
379
380 lrb_assert(provider != PROVIDER_BLACKLIST);
381 lrb_assert(!is_provider_done(auth, PROVIDER_BLACKLIST));
382 lrb_assert(rb_dlink_list_length(&blacklist_list) > 0);
383
384 if(bluser == NULL || rb_dlink_list_length(&bluser->queries))
385 /* Nothing to do */
386 return;
387 else if(!(is_provider_done(auth, PROVIDER_RDNS) && is_provider_done(auth, PROVIDER_IDENT)))
388 /* Don't start until we've completed these */
389 return;
390 else
391 lookup_all_blacklists(auth);
392 }
393
394 static void
395 blacklists_cancel(struct auth_client *auth)
396 {
397 rb_dlink_node *ptr, *nptr;
398 struct blacklist_user *bluser = auth->data[PROVIDER_BLACKLIST];
399
400 if(bluser == NULL)
401 return;
402
403 RB_DLINK_FOREACH_SAFE(ptr, nptr, bluser->queries.head)
404 {
405 struct blacklist_lookup *bllookup = ptr->data;
406
407 cancel_query(bllookup->query);
408 unref_blacklist(bllookup->bl);
409
410 rb_dlinkDelete(&bllookup->node, &bluser->queries);
411 rb_free(bllookup);
412 }
413
414 rb_free(bluser);
415 auth->data[PROVIDER_BLACKLIST] = NULL;
416 }
417
418 static bool
419 blacklists_init(void)
420 {
421 timeout_ev = rb_event_addish("timeout_blacklist_queries_event", timeout_blacklist_queries_event, NULL, 1);
422 return (timeout_ev != NULL);
423 }
424
425 static void
426 blacklists_destroy(void)
427 {
428 rb_dlink_node *ptr, *nptr;
429 rb_dictionary_iter iter;
430 struct blacklist *bl;
431 struct auth_client *auth;
432
433 RB_DICTIONARY_FOREACH(auth, &iter, auth_clients)
434 {
435 blacklists_cancel(auth);
436 }
437
438 delete_all_blacklists();
439 rb_event_delete(timeout_ev);
440 }
441
442 static void
443 add_conf_blacklist(const char *key, int parc, const char **parv)
444 {
445 rb_dlink_list filters = { NULL, NULL, 0 };
446 char *tmp, *elemlist = rb_strdup(parv[2]);
447 uint8_t iptype;
448
449 if(*elemlist == '*')
450 goto end;
451
452 for(char *elem = rb_strtok_r(elemlist, ",", &tmp); elem; elem = rb_strtok_r(NULL, ",", &tmp))
453 {
454 struct blacklist_filter *filter = rb_malloc(sizeof(struct blacklist_filter));
455 int dot_c = 0;
456 filter_t type = FILTER_LAST;
457 bool valid = true;
458
459 /* Check blacklist filter type and for validity */
460 for(char *c = elem; *c != '\0'; c++)
461 {
462 if(*c == '.')
463 {
464 if(++dot_c > 3)
465 {
466 warn_opers(L_CRIT, "addr_conf_blacklist got a bad filter (too many octets)");
467 valid = false;
468 break;
469 }
470
471 type = FILTER_ALL;
472 }
473 else if(!isdigit(*c))
474 {
475 warn_opers(L_CRIT, "addr_conf_blacklist got a bad filter (invalid character in blacklist filter: %c)", *c);
476 valid = false;
477 break;
478 }
479 }
480
481 if(valid && dot_c > 0 && dot_c < 3)
482 {
483 warn_opers(L_CRIT, "addr_conf_blacklist got a bad filter (insufficient octets)");
484 valid = false;
485 }
486
487 if(!valid)
488 {
489 rb_free(filter);
490 continue;
491 }
492
493 filter->type = type;
494 rb_strlcpy(filter->filter, elem, sizeof(filter->filter));
495 rb_dlinkAdd(filter, &filter->node, &filters);
496 }
497
498 end:
499 rb_free(elemlist);
500
501 iptype = atoi(parv[1]) & 0x3;
502 if(new_blacklist(parv[0], parv[3], iptype, &filters) == NULL)
503 {
504 rb_dlink_node *ptr, *nptr;
505
506 warn_opers(L_CRIT, "addr_conf_blacklist got a malformed blacklist");
507
508 RB_DLINK_FOREACH_SAFE(ptr, nptr, filters.head)
509 {
510 rb_free(ptr->data);
511 rb_dlinkDelete(ptr, &filters);
512 }
513 }
514 }
515
516 static void
517 del_conf_blacklist(const char *key, int parc, const char **parv)
518 {
519 struct blacklist *bl = find_blacklist(parv[0]);
520 if(bl == NULL)
521 {
522 warn_opers(L_CRIT, "BUG: tried to remove nonexistent blacklist %s", parv[0]);
523 return;
524 }
525
526 delete_blacklist(bl);
527 }
528
529 static void
530 del_conf_blacklist_all(const char *key, int parc, const char **parv)
531 {
532 delete_all_blacklists();
533 }
534
535 static void
536 add_conf_blacklist_timeout(const char *key, int parc, const char **parv)
537 {
538 int timeout = atoi(parv[0]);
539
540 if(timeout < 0)
541 {
542 warn_opers(L_CRIT, "BUG: blacklist timeout < 0 (value: %d)", timeout);
543 return;
544 }
545
546 blacklist_timeout = timeout;
547 }
548
549 static void
550 blacklist_stats(uint32_t rid, char letter)
551 {
552 rb_dlink_node *ptr;
553
554 RB_DLINK_FOREACH(ptr, blacklist_list.head)
555 {
556 struct blacklist *bl = ptr->data;
557
558 if(bl->delete)
559 continue;
560
561 stats_result(rid, letter, "%s %hhu %u", bl->host, bl->iptype, bl->hits);
562 }
563
564 stats_done(rid, letter);
565 }
566
567 struct auth_opts_handler blacklist_options[] =
568 {
569 { "rbl", 4, add_conf_blacklist },
570 { "rbl_del", 1, del_conf_blacklist },
571 { "rbl_del_all", 0, del_conf_blacklist_all },
572 { "rbl_timeout", 1, add_conf_blacklist_timeout },
573 { NULL, 0, NULL },
574 };
575
576 struct auth_provider blacklist_provider =
577 {
578 .id = PROVIDER_BLACKLIST,
579 .init = blacklists_init,
580 .destroy = blacklists_destroy,
581 .start = blacklists_start,
582 .cancel = blacklists_cancel,
583 .completed = blacklists_initiate,
584 .opt_handlers = blacklist_options,
585 .stats_handler = { 'B', blacklist_stats },
586 };
Fork of solanum ircd, history is rebased regularly