]> jfr.im git - solanum.git/blob - authd/providers/blacklist.c
projects / solanum.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Clean up the provider status logic.
[solanum.git] / authd / providers / blacklist.c
1 /*
2 * charybdis: A slightly useful ircd.
3 * blacklist.c: Manages DNS blacklist entries and lookups
4 *
5 * Copyright (C) 2006-2011 charybdis development team
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions are
9 * met:
10 *
11 * 1. Redistributions of source code must retain the above copyright notice,
12 * this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * 3. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
23 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
24 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
32 */
33
34 /* Originally written for charybdis circa 2006 (by nenolod?).
35 * Tweaked for authd. Some functions and structs renamed. Public/private
36 * interfaces have been shifted around. Some code has been cleaned up too.
37 * -- Elizafox 24 March 2016
38 */
39
40 #include "authd.h"
41 #include "provider.h"
42 #include "notice.h"
43 #include "stdinc.h"
44 #include "dns.h"
45
46 typedef enum filter_t
47 {
48 FILTER_ALL = 1,
49 FILTER_LAST = 2,
50 } filter_t;
51
52 /* Blacklist accepted IP types */
53 #define IPTYPE_IPV4 1
54 #define IPTYPE_IPV6 2
55
56 /* A configured DNSBL */
57 struct blacklist
58 {
59 char host[IRCD_RES_HOSTLEN + 1];
60 char reason[BUFSIZE]; /* Reason template (ircd fills in the blanks) */
61 uint8_t iptype; /* IP types supported */
62 rb_dlink_list filters; /* Filters for queries */
63
64 bool delete; /* If true delete when no clients */
65 int refcount; /* When 0 and delete is set, remove this blacklist */
66 unsigned int hits;
67
68 time_t lastwarning; /* Last warning about garbage replies sent */
69 };
70
71 /* A lookup in progress for a particular DNSBL for a particular client */
72 struct blacklist_lookup
73 {
74 struct blacklist *bl; /* Blacklist we're checking */
75 struct auth_client *auth; /* Client */
76 struct dns_query *query; /* DNS query pointer */
77
78 rb_dlink_node node;
79 };
80
81 /* A blacklist filter */
82 struct blacklist_filter
83 {
84 filter_t type; /* Type of filter */
85 char filter[HOSTIPLEN]; /* The filter itself */
86
87 rb_dlink_node node;
88 };
89
90 /* Blacklist user data attached to auth_client instance */
91 struct blacklist_user
92 {
93 rb_dlink_list queries; /* Blacklist queries in flight */
94 };
95
96 /* public interfaces */
97 static void blacklists_destroy(void);
98
99 static bool blacklists_start(struct auth_client *);
100 static void blacklists_cancel(struct auth_client *);
101
102 /* private interfaces */
103 static void unref_blacklist(struct blacklist *);
104 static struct blacklist *new_blacklist(const char *, const char *, uint8_t, rb_dlink_list *);
105 static struct blacklist *find_blacklist(const char *);
106 static bool blacklist_check_reply(struct blacklist_lookup *, const char *);
107 static void blacklist_dns_callback(const char *, bool, query_type, void *);
108 static void initiate_blacklist_dnsquery(struct blacklist *, struct auth_client *);
109
110 /* Variables */
111 static rb_dlink_list blacklist_list = { NULL, NULL, 0 };
112 static int blacklist_timeout = 15;
113
114 /* private interfaces */
115
116 static void
117 unref_blacklist(struct blacklist *bl)
118 {
119 rb_dlink_node *ptr, *nptr;
120
121 bl->refcount--;
122 if (bl->delete && bl->refcount <= 0)
123 {
124 RB_DLINK_FOREACH_SAFE(ptr, nptr, bl->filters.head)
125 {
126 rb_dlinkDelete(ptr, &bl->filters);
127 rb_free(ptr);
128 }
129
130 rb_dlinkFindDestroy(bl, &blacklist_list);
131 rb_free(bl);
132 }
133 }
134
135 static struct blacklist *
136 new_blacklist(const char *name, const char *reason, uint8_t iptype, rb_dlink_list *filters)
137 {
138 struct blacklist *bl;
139
140 if (name == NULL || reason == NULL || iptype == 0)
141 return NULL;
142
143 if((bl = find_blacklist(name)) == NULL)
144 {
145 bl = rb_malloc(sizeof(struct blacklist));
146 rb_dlinkAddAlloc(bl, &blacklist_list);
147 }
148 else
149 bl->delete = false;
150
151 rb_strlcpy(bl->host, name, IRCD_RES_HOSTLEN + 1);
152 rb_strlcpy(bl->reason, reason, BUFSIZE);
153 bl->iptype = iptype;
154
155 rb_dlinkMoveList(filters, &bl->filters);
156
157 bl->lastwarning = 0;
158
159 return bl;
160 }
161
162 static struct blacklist *
163 find_blacklist(const char *name)
164 {
165 rb_dlink_node *ptr;
166
167 RB_DLINK_FOREACH(ptr, blacklist_list.head)
168 {
169 struct blacklist *bl = (struct blacklist *)ptr->data;
170
171 if (!strcasecmp(bl->host, name))
172 return bl;
173 }
174
175 return NULL;
176 }
177
178 static inline bool
179 blacklist_check_reply(struct blacklist_lookup *bllookup, const char *ipaddr)
180 {
181 struct blacklist *bl = bllookup->bl;
182 const char *lastoctet;
183 rb_dlink_node *ptr;
184
185 /* No filters and entry found - thus positive match */
186 if (!rb_dlink_list_length(&bl->filters))
187 return true;
188
189 /* Below will prolly have to change if IPv6 address replies are sent back */
190 if ((lastoctet = strrchr(ipaddr, '.')) == NULL || *(++lastoctet) == '\0')
191 goto blwarn;
192
193 RB_DLINK_FOREACH(ptr, bl->filters.head)
194 {
195 struct blacklist_filter *filter = ptr->data;
196 const char *cmpstr;
197
198 if (filter->type == FILTER_ALL)
199 cmpstr = ipaddr;
200 else if (filter->type == FILTER_LAST)
201 cmpstr = lastoctet;
202 else
203 {
204 warn_opers(L_CRIT, "Blacklist: Unknown blacklist filter type (host %s): %d",
205 bl->host, filter->type);
206 exit(EX_PROVIDER_ERROR);
207 }
208
209 if (strcmp(cmpstr, filter->filter) == 0)
210 /* Match! */
211 return true;
212 }
213
214 return false;
215 blwarn:
216 if (bl->lastwarning + 3600 < rb_current_time())
217 {
218 warn_opers(L_WARN, "Garbage/undecipherable reply received from blacklist %s (reply %s)",
219 bl->host, ipaddr);
220 bl->lastwarning = rb_current_time();
221 }
222
223 return false;
224 }
225
226 static void
227 blacklist_dns_callback(const char *result, bool status, query_type type, void *data)
228 {
229 struct blacklist_lookup *bllookup = (struct blacklist_lookup *)data;
230 struct blacklist_user *bluser;
231 struct blacklist *bl;
232 struct auth_client *auth;
233
234 lrb_assert(bllookup != NULL);
235 lrb_assert(bllookup->auth != NULL);
236
237 bl = bllookup->bl;
238 auth = bllookup->auth;
239
240 if((bluser = get_provider_data(auth, PROVIDER_BLACKLIST)) == NULL)
241 return;
242
243 if (result != NULL && status && blacklist_check_reply(bllookup, result))
244 {
245 /* Match found, so proceed no further */
246 bl->hits++;
247 blacklists_cancel(auth);
248 reject_client(auth, PROVIDER_BLACKLIST, bl->host, bl->reason);
249 return;
250 }
251
252 unref_blacklist(bl);
253 cancel_query(bllookup->query); /* Ignore future responses */
254 rb_dlinkDelete(&bllookup->node, &bluser->queries);
255 rb_free(bllookup);
256
257 if(!rb_dlink_list_length(&bluser->queries))
258 {
259 /* Done here */
260 notice_client(auth->cid, "*** IP not found in DNS blacklist%s",
261 rb_dlink_list_length(&blacklist_list) > 1 ? "s" : "");
262 rb_free(bluser);
263 set_provider_data(auth, PROVIDER_BLACKLIST, NULL);
264 set_provider_timeout_absolute(auth, PROVIDER_BLACKLIST, 0);
265 provider_done(auth, PROVIDER_BLACKLIST);
266 }
267 }
268
269 static void
270 initiate_blacklist_dnsquery(struct blacklist *bl, struct auth_client *auth)
271 {
272 struct blacklist_lookup *bllookup = rb_malloc(sizeof(struct blacklist_lookup));
273 struct blacklist_user *bluser = get_provider_data(auth, PROVIDER_BLACKLIST);
274 char buf[IRCD_RES_HOSTLEN + 1];
275 int aftype;
276
277 bllookup->bl = bl;
278 bllookup->auth = auth;
279
280 aftype = GET_SS_FAMILY(&auth->c_addr);
281 if((aftype == AF_INET && (bl->iptype & IPTYPE_IPV4) == 0) ||
282 (aftype == AF_INET6 && (bl->iptype & IPTYPE_IPV6) == 0))
283 /* Incorrect blacklist type for this IP... */
284 {
285 rb_free(bllookup);
286 return;
287 }
288
289 build_rdns(buf, sizeof(buf), &auth->c_addr, bl->host);
290
291 bllookup->query = lookup_ip(buf, AF_INET, blacklist_dns_callback, bllookup);
292
293 rb_dlinkAdd(bllookup, &bllookup->node, &bluser->queries);
294 bl->refcount++;
295 }
296
297 static inline void
298 lookup_all_blacklists(struct auth_client *auth)
299 {
300 struct blacklist_user *bluser = get_provider_data(auth, PROVIDER_BLACKLIST);
301 rb_dlink_node *ptr;
302
303 notice_client(auth->cid, "*** Checking your IP against DNS blacklist%s",
304 rb_dlink_list_length(&blacklist_list) > 1 ? "s" : "");
305
306 RB_DLINK_FOREACH(ptr, blacklist_list.head)
307 {
308 struct blacklist *bl = (struct blacklist *)ptr->data;
309
310 if (!bl->delete)
311 initiate_blacklist_dnsquery(bl, auth);
312 }
313
314 set_provider_timeout_relative(auth, PROVIDER_BLACKLIST, blacklist_timeout);
315 }
316
317 static inline void
318 delete_blacklist(struct blacklist *bl)
319 {
320 if (bl->refcount > 0)
321 bl->delete = true;
322 else
323 {
324 rb_dlinkFindDestroy(bl, &blacklist_list);
325 rb_free(bl);
326 }
327 }
328
329 static void
330 delete_all_blacklists(void)
331 {
332 rb_dlink_node *ptr, *nptr;
333
334 RB_DLINK_FOREACH_SAFE(ptr, nptr, blacklist_list.head)
335 {
336 delete_blacklist(ptr->data);
337 }
338 }
339
340 /* public interfaces */
341 static bool
342 blacklists_start(struct auth_client *auth)
343 {
344 lrb_assert(get_provider_data(auth, PROVIDER_BLACKLIST) == NULL);
345
346 if(!rb_dlink_list_length(&blacklist_list))
347 {
348 /* Nothing to do... */
349 notice_client(auth->cid, "*** No DNS blacklists configured, not checking your IP");
350 return true;
351 }
352
353 set_provider_data(auth, PROVIDER_BLACKLIST, rb_malloc(sizeof(struct blacklist_user)));
354
355 if(is_provider_done(auth, PROVIDER_RDNS) && is_provider_done(auth, PROVIDER_IDENT))
356 /* This probably can't happen but let's handle this case anyway */
357 lookup_all_blacklists(auth);
358
359 set_provider_running(auth, PROVIDER_BLACKLIST);
360 return true;
361 }
362
363 /* This is called every time a provider is completed as long as we are marked not done */
364 static void
365 blacklists_initiate(struct auth_client *auth, provider_t provider)
366 {
367 struct blacklist_user *bluser = get_provider_data(auth, PROVIDER_BLACKLIST);
368
369 lrb_assert(provider != PROVIDER_BLACKLIST);
370 lrb_assert(!is_provider_done(auth, PROVIDER_BLACKLIST));
371 lrb_assert(rb_dlink_list_length(&blacklist_list) > 0);
372
373 if(bluser == NULL || rb_dlink_list_length(&bluser->queries))
374 /* Nothing to do */
375 return;
376 else if(!(is_provider_done(auth, PROVIDER_RDNS) && is_provider_done(auth, PROVIDER_IDENT)))
377 /* Don't start until we've completed these */
378 return;
379 else
380 lookup_all_blacklists(auth);
381 }
382
383 static void
384 blacklists_cancel(struct auth_client *auth)
385 {
386 rb_dlink_node *ptr, *nptr;
387 struct blacklist_user *bluser = get_provider_data(auth, PROVIDER_BLACKLIST);
388
389 if(bluser == NULL)
390 return;
391
392 if(rb_dlink_list_length(&bluser->queries))
393 {
394 notice_client(auth->cid, "*** Aborting DNS blacklist queries");
395
396 RB_DLINK_FOREACH_SAFE(ptr, nptr, bluser->queries.head)
397 {
398 struct blacklist_lookup *bllookup = ptr->data;
399
400 cancel_query(bllookup->query);
401 unref_blacklist(bllookup->bl);
402
403 rb_dlinkDelete(&bllookup->node, &bluser->queries);
404 rb_free(bllookup);
405 }
406 }
407
408 rb_free(bluser);
409 set_provider_data(auth, PROVIDER_BLACKLIST, NULL);
410 set_provider_timeout_absolute(auth, PROVIDER_BLACKLIST, 0);
411 provider_done(auth, PROVIDER_BLACKLIST);
412 }
413
414 static void
415 blacklists_destroy(void)
416 {
417 rb_dictionary_iter iter;
418 struct auth_client *auth;
419
420 RB_DICTIONARY_FOREACH(auth, &iter, auth_clients)
421 {
422 blacklists_cancel(auth);
423 }
424
425 delete_all_blacklists();
426 }
427
428 static void
429 add_conf_blacklist(const char *key, int parc, const char **parv)
430 {
431 rb_dlink_list filters = { NULL, NULL, 0 };
432 char *tmp, *elemlist = rb_strdup(parv[2]);
433 uint8_t iptype;
434
435 if(*elemlist == '*')
436 goto end;
437
438 for(char *elem = rb_strtok_r(elemlist, ",", &tmp); elem; elem = rb_strtok_r(NULL, ",", &tmp))
439 {
440 struct blacklist_filter *filter = rb_malloc(sizeof(struct blacklist_filter));
441 int dot_c = 0;
442 filter_t type = FILTER_LAST;
443
444 /* Check blacklist filter type and for validity */
445 for(char *c = elem; *c != '\0'; c++)
446 {
447 if(*c == '.')
448 {
449 if(++dot_c > 3)
450 {
451 warn_opers(L_CRIT, "Blacklist: addr_conf_blacklist got a bad filter (too many octets)");
452 exit(EX_PROVIDER_ERROR);
453 }
454
455 type = FILTER_ALL;
456 }
457 else if(!isdigit(*c))
458 {
459 warn_opers(L_CRIT, "Blacklist: addr_conf_blacklist got a bad filter (invalid character in blacklist filter: %c)",
460 *c);
461 exit(EX_PROVIDER_ERROR);
462 }
463 }
464
465 if(dot_c > 0 && dot_c < 3)
466 {
467 warn_opers(L_CRIT, "Blacklist: addr_conf_blacklist got a bad filter (insufficient octets)");
468 exit(EX_PROVIDER_ERROR);
469 }
470
471 filter->type = type;
472 rb_strlcpy(filter->filter, elem, sizeof(filter->filter));
473 rb_dlinkAdd(filter, &filter->node, &filters);
474 }
475
476 end:
477 rb_free(elemlist);
478
479 iptype = atoi(parv[1]) & 0x3;
480 if(new_blacklist(parv[0], parv[3], iptype, &filters) == NULL)
481 {
482 warn_opers(L_CRIT, "Blacklist: addr_conf_blacklist got a malformed blacklist");
483 exit(EX_PROVIDER_ERROR);
484 }
485 }
486
487 static void
488 del_conf_blacklist(const char *key, int parc, const char **parv)
489 {
490 struct blacklist *bl = find_blacklist(parv[0]);
491 if(bl == NULL)
492 {
493 /* Not fatal for now... */
494 warn_opers(L_WARN, "Blacklist: tried to remove nonexistent blacklist %s", parv[0]);
495 return;
496 }
497
498 delete_blacklist(bl);
499 }
500
501 static void
502 del_conf_blacklist_all(const char *key, int parc, const char **parv)
503 {
504 delete_all_blacklists();
505 }
506
507 static void
508 add_conf_blacklist_timeout(const char *key, int parc, const char **parv)
509 {
510 int timeout = atoi(parv[0]);
511
512 if(timeout < 0)
513 {
514 warn_opers(L_CRIT, "Blacklist: blacklist timeout < 0 (value: %d)", timeout);
515 exit(EX_PROVIDER_ERROR);
516 }
517
518 blacklist_timeout = timeout;
519 }
520
521 #if 0
522 static void
523 blacklist_stats(uint32_t rid, char letter)
524 {
525 rb_dlink_node *ptr;
526
527 RB_DLINK_FOREACH(ptr, blacklist_list.head)
528 {
529 struct blacklist *bl = ptr->data;
530
531 if(bl->delete)
532 continue;
533
534 stats_result(rid, letter, "%s %hhu %u", bl->host, bl->iptype, bl->hits);
535 }
536
537 stats_done(rid, letter);
538 }
539 #endif
540
541 struct auth_opts_handler blacklist_options[] =
542 {
543 { "rbl", 4, add_conf_blacklist },
544 { "rbl_del", 1, del_conf_blacklist },
545 { "rbl_del_all", 0, del_conf_blacklist_all },
546 { "rbl_timeout", 1, add_conf_blacklist_timeout },
547 { NULL, 0, NULL },
548 };
549
550 struct auth_provider blacklist_provider =
551 {
552 .id = PROVIDER_BLACKLIST,
553 .destroy = blacklists_destroy,
554 .start = blacklists_start,
555 .cancel = blacklists_cancel,
556 .timeout = blacklists_cancel,
557 .completed = blacklists_initiate,
558 .opt_handlers = blacklist_options,
559 /* .stats_handler = { 'B', blacklist_stats }, */
560 };
Fork of solanum ircd, history is rebased regularly