authd/providers/ident.c

   1 /* authd/providers/ident.c - ident lookup provider for authd
   2  * Copyright (c) 2016 Elizabeth Myers <elizabeth@interlinked.me>
   3  *
   4  * Permission to use, copy, modify, and/or distribute this software for any
   5  * purpose with or without fee is hereby granted, provided that the above
   6  * copyright notice and this permission notice is present in all copies.
   7  *
   8  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
   9  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  10  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  11  * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
  12  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  13  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  14  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  15  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  16  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  17  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  18  * POSSIBILITY OF SUCH DAMAGE.
  19  */
  20
  21 /* Largely adapted from old s_auth.c, but reworked for authd. rDNS code
  22  * moved to its own provider.
  23  *
  24  * --Elizafox 13 March 2016
  25  */
  26
  27 #include "stdinc.h"
  28 #include "match.h"
  29 #include "authd.h"
  30 #include "notice.h"
  31 #include "provider.h"
  32 #include "res.h"
  33
  34 #define IDENT_BUFSIZE 128
  35
  36 struct ident_query
  37 {
  38         time_t timeout;                         /* Timeout interval */
  39         rb_fde_t *F;                            /* Our FD */
  40 };
  41
  42 /* Goinked from old s_auth.c --Elizafox */
  43 static const char *messages[] =
  44 {
  45         "*** Checking Ident",
  46         "*** Got Ident response",
  47         "*** No Ident response",
  48         "*** Cannot verify ident validity, ignoring ident",
  49         "*** Ident disabled, not checking ident",
  50 };
  51
  52 typedef enum
  53 {
  54         REPORT_LOOKUP,
  55         REPORT_FOUND,
  56         REPORT_FAIL,
  57         REPORT_INVALID,
  58         REPORT_DISABLED,
  59 } ident_message;
  60
  61 static EVH timeout_ident_queries_event;
  62 static CNCB ident_connected;
  63 static PF read_ident_reply;
  64
  65 static void client_fail(struct auth_client *auth, ident_message message);
  66 static void client_success(struct auth_client *auth);
  67 static char * get_valid_ident(char *buf);
  68
  69 static struct ev_entry *timeout_ev;
  70 static int ident_timeout = 5;
  71 static bool ident_enable = true;
  72
  73
  74 /* Timeout outstanding queries */
  75 static void
  76 timeout_ident_queries_event(void *notused __unused)
  77 {
  78         struct auth_client *auth;
  79         rb_dictionary_iter iter;
  80
  81         RB_DICTIONARY_FOREACH(auth, &iter, auth_clients)
  82         {
  83                 struct ident_query *query = auth->data[PROVIDER_IDENT];
  84
  85                 if(query != NULL && query->timeout < rb_current_time())
  86                         client_fail(auth, REPORT_FAIL);
  87         }
  88 }
  89
  90 /*
  91  * ident_connected() - deal with the result of rb_connect_tcp()
  92  *
  93  * If the connection failed, we simply close the auth fd and report
  94  * a failure. If the connection suceeded send the ident server a query
  95  * giving "theirport , ourport". The write is only attempted *once* so
  96  * it is deemed to be a fail if the entire write doesn't write all the
  97  * data given.  This shouldnt be a problem since the socket should have
  98  * a write buffer far greater than this message to store it in should
  99  * problems arise. -avalon
 100  */
 101 static void
 102 ident_connected(rb_fde_t *F __unused, int error, void *data)
 103 {
 104         struct auth_client *auth = data;
 105         struct ident_query *query;
 106         char authbuf[32];
 107         int authlen;
 108
 109         if(auth == NULL)
 110                 return;
 111
 112         query = auth->data[PROVIDER_IDENT];
 113
 114         if(query == NULL)
 115                 return;
 116
 117         /* Check the error */
 118         if(error != RB_OK)
 119         {
 120                 /* We had an error during connection :( */
 121                 client_fail(auth, REPORT_FAIL);
 122                 return;
 123         }
 124
 125         snprintf(authbuf, sizeof(authbuf), "%u , %u\r\n",
 126                         auth->c_port, auth->l_port);
 127         authlen = strlen(authbuf);
 128
 129         if(rb_write(query->F, authbuf, authlen) != authlen)
 130         {
 131                 client_fail(auth, REPORT_FAIL);
 132                 return;
 133         }
 134
 135         read_ident_reply(query->F, auth);
 136 }
 137
 138 static void
 139 read_ident_reply(rb_fde_t *F, void *data)
 140 {
 141         struct auth_client *auth = data;
 142         struct ident_query *query;
 143         char buf[IDENT_BUFSIZE + 1];    /* buffer to read auth reply into */
 144         ident_message message = REPORT_FAIL;
 145         char *s = NULL;
 146         char *t = NULL;
 147         ssize_t len;
 148         int count;
 149
 150         if(auth == NULL)
 151                 return;
 152
 153         query = auth->data[PROVIDER_IDENT];
 154
 155         if(query == NULL)
 156                 return;
 157
 158         len = rb_read(F, buf, IDENT_BUFSIZE);
 159         if(len < 0 && rb_ignore_errno(errno))
 160         {
 161                 rb_setselect(F, RB_SELECT_READ, read_ident_reply, auth);
 162                 return;
 163         }
 164
 165         if(len > 0)
 166         {
 167                 if((s = get_valid_ident(buf)) != NULL)
 168                 {
 169                         t = auth->username;
 170
 171                         while (*s == '~' || *s == '^')
 172                                 s++;
 173
 174                         for (count = USERLEN; *s && count; s++)
 175                         {
 176                                 if(*s == '@' || *s == '\r' || *s == '\n')
 177                                         break;
 178
 179                                 if(*s != ' ' && *s != ':' && *s != '[')
 180                                 {
 181                                         *t++ = *s;
 182                                         count--;
 183                                 }
 184                         }
 185                         *t = '\0';
 186                 }
 187                 else
 188                         message = REPORT_INVALID;
 189         }
 190
 191         if(s == NULL)
 192                 client_fail(auth, message);
 193         else
 194                 client_success(auth);
 195 }
 196
 197 static void
 198 client_fail(struct auth_client *auth, ident_message report)
 199 {
 200         struct ident_query *query = auth->data[PROVIDER_IDENT];
 201
 202         if(query == NULL)
 203                 return;
 204
 205         rb_strlcpy(auth->username, "*", sizeof(auth->username));
 206
 207         if(query->F != NULL)
 208                 rb_close(query->F);
 209
 210         rb_free(query);
 211         auth->data[PROVIDER_IDENT] = NULL;
 212
 213         notice_client(auth->cid, messages[report]);
 214         provider_done(auth, PROVIDER_IDENT);
 215 }
 216
 217 static void
 218 client_success(struct auth_client *auth)
 219 {
 220         struct ident_query *query = auth->data[PROVIDER_IDENT];
 221
 222         if(query == NULL)
 223                 return;
 224
 225         if(query->F != NULL)
 226                 rb_close(query->F);
 227
 228         rb_free(query);
 229         auth->data[PROVIDER_IDENT] = NULL;
 230
 231         notice_client(auth->cid, messages[REPORT_FOUND]);
 232         provider_done(auth, PROVIDER_IDENT);
 233 }
 234
 235 /* get_valid_ident
 236  * parse ident query reply from identd server
 237  *
 238  * Taken from old s_auth.c --Elizafox
 239  *
 240  * Inputs       - pointer to ident buf
 241  * Outputs      - NULL if no valid ident found, otherwise pointer to name
 242  * Side effects - None
 243  */
 244 static char *
 245 get_valid_ident(char *buf)
 246 {
 247         int remp = 0;
 248         int locp = 0;
 249         char *colon1Ptr;
 250         char *colon2Ptr;
 251         char *colon3Ptr;
 252         char *commaPtr;
 253         char *remotePortString;
 254
 255         /* All this to get rid of a sscanf() fun. */
 256         remotePortString = buf;
 257
 258         colon1Ptr = strchr(remotePortString, ':');
 259         if(!colon1Ptr)
 260                 return NULL;
 261
 262         *colon1Ptr = '\0';
 263         colon1Ptr++;
 264         colon2Ptr = strchr(colon1Ptr, ':');
 265         if(!colon2Ptr)
 266                 return NULL;
 267
 268         *colon2Ptr = '\0';
 269         colon2Ptr++;
 270         commaPtr = strchr(remotePortString, ',');
 271
 272         if(!commaPtr)
 273                 return NULL;
 274
 275         *commaPtr = '\0';
 276         commaPtr++;
 277
 278         remp = atoi(remotePortString);
 279         if(!remp)
 280                 return NULL;
 281
 282         locp = atoi(commaPtr);
 283         if(!locp)
 284                 return NULL;
 285
 286         /* look for USERID bordered by first pair of colons */
 287         if(!strstr(colon1Ptr, "USERID"))
 288                 return NULL;
 289
 290         colon3Ptr = strchr(colon2Ptr, ':');
 291         if(!colon3Ptr)
 292                 return NULL;
 293
 294         *colon3Ptr = '\0';
 295         colon3Ptr++;
 296         return (colon3Ptr);
 297 }
 298
 299 static bool
 300 ident_init(void)
 301 {
 302         timeout_ev = rb_event_addish("timeout_ident_queries_event", timeout_ident_queries_event, NULL, 1);
 303         return (timeout_ev != NULL);
 304 }
 305
 306 static void
 307 ident_destroy(void)
 308 {
 309         struct auth_client *auth;
 310         rb_dictionary_iter iter;
 311
 312         /* Nuke all ident queries */
 313         RB_DICTIONARY_FOREACH(auth, &iter, auth_clients)
 314         {
 315                 if(auth->data[PROVIDER_IDENT] != NULL)
 316                         client_fail(auth, REPORT_FAIL);
 317         }
 318 }
 319
 320 static bool ident_start(struct auth_client *auth)
 321 {
 322         struct ident_query *query = rb_malloc(sizeof(struct ident_query));
 323         struct rb_sockaddr_storage l_addr, c_addr;
 324         int family = GET_SS_FAMILY(&auth->c_addr);
 325
 326         if(auth->data[PROVIDER_IDENT] != NULL)
 327         {
 328                 set_provider_done(auth, PROVIDER_IDENT); /* for blacklists */
 329                 return true;
 330         }
 331         else if(!ident_enable)
 332         {
 333                 notice_client(auth->cid, messages[REPORT_DISABLED]);
 334                 set_provider_done(auth, PROVIDER_IDENT);
 335                 return true;
 336         }
 337
 338         notice_client(auth->cid, messages[REPORT_LOOKUP]);
 339
 340         auth->data[PROVIDER_IDENT] = query;
 341         query->timeout = rb_current_time() + ident_timeout;
 342
 343         if((query->F = rb_socket(family, SOCK_STREAM, 0, "ident")) == NULL)
 344         {
 345                 warn_opers(L_DEBUG, "Could not create ident socket: %s", strerror(errno));
 346                 client_fail(auth, REPORT_FAIL);
 347                 return true;    /* Not a fatal error */
 348         }
 349
 350         /* Build sockaddr_storages for rb_connect_tcp below */
 351         memcpy(&l_addr, &auth->l_addr, sizeof(l_addr));
 352         memcpy(&c_addr, &auth->c_addr, sizeof(c_addr));
 353
 354         /* Set the ports correctly */
 355 #ifdef RB_IPV6
 356         if(GET_SS_FAMILY(&l_addr) == AF_INET6)
 357                 ((struct sockaddr_in6 *)&l_addr)->sin6_port = 0;
 358         else
 359 #endif
 360                 ((struct sockaddr_in *)&l_addr)->sin_port = 0;
 361
 362 #ifdef RB_IPV6
 363         if(GET_SS_FAMILY(&c_addr) == AF_INET6)
 364                 ((struct sockaddr_in6 *)&c_addr)->sin6_port = htons(113);
 365         else
 366 #endif
 367                 ((struct sockaddr_in *)&c_addr)->sin_port = htons(113);
 368
 369         rb_connect_tcp(query->F, (struct sockaddr *)&c_addr,
 370                         (struct sockaddr *)&l_addr,
 371                         GET_SS_LEN(&l_addr), ident_connected,
 372                         auth, ident_timeout);
 373
 374         set_provider_on(auth, PROVIDER_IDENT);
 375
 376         return true;
 377 }
 378
 379 static void
 380 ident_cancel(struct auth_client *auth)
 381 {
 382         struct ident_query *query = auth->data[PROVIDER_IDENT];
 383
 384         if(query != NULL)
 385                 client_fail(auth, REPORT_FAIL);
 386 }
 387
 388 static void
 389 add_conf_ident_timeout(const char *key __unused, int parc __unused, const char **parv)
 390 {
 391         int timeout = atoi(parv[0]);
 392
 393         if(timeout < 0)
 394         {
 395                 warn_opers(L_CRIT, "BUG: ident timeout < 0 (value: %d)", timeout);
 396                 return;
 397         }
 398
 399         ident_timeout = timeout;
 400 }
 401
 402 static void
 403 set_ident_enabled(const char *key __unused, int parc __unused, const char **parv)
 404 {
 405         ident_enable = (*parv[0] == '1');
 406 }
 407
 408 struct auth_opts_handler ident_options[] =
 409 {
 410         { "ident_timeout", 1, add_conf_ident_timeout },
 411         { "ident_enabled", 1, set_ident_enabled },
 412         { NULL, 0, NULL },
 413 };
 414
 415
 416 struct auth_provider ident_provider =
 417 {
 418         .id = PROVIDER_IDENT,
 419         .init = ident_init,
 420         .destroy = ident_destroy,
 421         .start = ident_start,
 422         .cancel = ident_cancel,
 423         .completed = NULL,
 424         .opt_handlers = ident_options,
 425 };