authd/providers/ident.c

   1 /* authd/providers/ident.c - ident lookup provider for authd
   2  * Copyright (c) 2016 Elizabeth Myers <elizabeth@interlinked.me>
   3  *
   4  * Permission to use, copy, modify, and/or distribute this software for any
   5  * purpose with or without fee is hereby granted, provided that the above
   6  * copyright notice and this permission notice is present in all copies.
   7  *
   8  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
   9  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  10  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  11  * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
  12  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  13  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  14  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  15  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  16  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  17  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  18  * POSSIBILITY OF SUCH DAMAGE.
  19  */
  20
  21 /* Largely adapted from old s_auth.c, but reworked for authd. rDNS code
  22  * moved to its own provider.
  23  *
  24  * --Elizafox 13 March 2016
  25  */
  26
  27 #include "stdinc.h"
  28 #include "match.h"
  29 #include "authd.h"
  30 #include "notice.h"
  31 #include "provider.h"
  32 #include "res.h"
  33
  34 #define IDENT_BUFSIZE 128
  35
  36 struct ident_query
  37 {
  38         time_t timeout;                         /* Timeout interval */
  39         rb_fde_t *F;                            /* Our FD */
  40 };
  41
  42 /* Goinked from old s_auth.c --Elizafox */
  43 static const char *messages[] =
  44 {
  45         "*** Checking Ident",
  46         "*** Got Ident response",
  47         "*** No Ident response",
  48         "*** Cannot verify ident validity, ignoring ident",
  49 };
  50
  51 typedef enum
  52 {
  53         REPORT_LOOKUP,
  54         REPORT_FOUND,
  55         REPORT_FAIL,
  56         REPORT_INVALID,
  57 } ident_message;
  58
  59 static EVH timeout_ident_queries_event;
  60 static CNCB ident_connected;
  61 static PF read_ident_reply;
  62
  63 static void client_fail(struct auth_client *auth, ident_message message);
  64 static void client_success(struct auth_client *auth);
  65 static char * get_valid_ident(char *buf);
  66
  67 static struct ev_entry *timeout_ev;
  68 static int ident_timeout = 5;
  69 static bool ident_enable = true;
  70
  71
  72 /* Timeout outstanding queries */
  73 static void
  74 timeout_ident_queries_event(void *notused __unused)
  75 {
  76         struct auth_client *auth;
  77         rb_dictionary_iter iter;
  78
  79         RB_DICTIONARY_FOREACH(auth, &iter, auth_clients)
  80         {
  81                 struct ident_query *query = auth->data[PROVIDER_IDENT];
  82
  83                 if(query != NULL && query->timeout < rb_current_time())
  84                         client_fail(auth, REPORT_FAIL);
  85         }
  86 }
  87
  88 /*
  89  * ident_connected() - deal with the result of rb_connect_tcp()
  90  *
  91  * If the connection failed, we simply close the auth fd and report
  92  * a failure. If the connection suceeded send the ident server a query
  93  * giving "theirport , ourport". The write is only attempted *once* so
  94  * it is deemed to be a fail if the entire write doesn't write all the
  95  * data given.  This shouldnt be a problem since the socket should have
  96  * a write buffer far greater than this message to store it in should
  97  * problems arise. -avalon
  98  */
  99 static void
 100 ident_connected(rb_fde_t *F __unused, int error, void *data)
 101 {
 102         struct auth_client *auth = data;
 103         struct ident_query *query;
 104         char authbuf[32];
 105         int authlen;
 106
 107         if(auth == NULL)
 108                 return;
 109
 110         query = auth->data[PROVIDER_IDENT];
 111
 112         if(query == NULL)
 113                 return;
 114
 115         /* Check the error */
 116         if(error != RB_OK)
 117         {
 118                 /* We had an error during connection :( */
 119                 client_fail(auth, REPORT_FAIL);
 120                 return;
 121         }
 122
 123         snprintf(authbuf, sizeof(authbuf), "%u , %u\r\n",
 124                         auth->c_port, auth->l_port);
 125         authlen = strlen(authbuf);
 126
 127         if(rb_write(query->F, authbuf, authlen) != authlen)
 128         {
 129                 client_fail(auth, REPORT_FAIL);
 130                 return;
 131         }
 132
 133         read_ident_reply(query->F, auth);
 134 }
 135
 136 static void
 137 read_ident_reply(rb_fde_t *F, void *data)
 138 {
 139         struct auth_client *auth = data;
 140         struct ident_query *query;
 141         char buf[IDENT_BUFSIZE + 1];    /* buffer to read auth reply into */
 142         ident_message message = REPORT_FAIL;
 143         char *s = NULL;
 144         char *t = NULL;
 145         ssize_t len;
 146         int count;
 147
 148         if(auth == NULL)
 149                 return;
 150
 151         query = auth->data[PROVIDER_IDENT];
 152
 153         if(query == NULL)
 154                 return;
 155
 156         len = rb_read(F, buf, IDENT_BUFSIZE);
 157         if(len < 0 && rb_ignore_errno(errno))
 158         {
 159                 rb_setselect(F, RB_SELECT_READ, read_ident_reply, auth);
 160                 return;
 161         }
 162
 163         if(len > 0)
 164         {
 165                 if((s = get_valid_ident(buf)) != NULL)
 166                 {
 167                         t = auth->username;
 168
 169                         while (*s == '~' || *s == '^')
 170                                 s++;
 171
 172                         for (count = USERLEN; *s && count; s++)
 173                         {
 174                                 if(*s == '@' || *s == '\r' || *s == '\n')
 175                                         break;
 176
 177                                 if(*s != ' ' && *s != ':' && *s != '[')
 178                                 {
 179                                         *t++ = *s;
 180                                         count--;
 181                                 }
 182                         }
 183                         *t = '\0';
 184                 }
 185                 else
 186                         message = REPORT_INVALID;
 187         }
 188
 189         if(s == NULL)
 190                 client_fail(auth, message);
 191         else
 192                 client_success(auth);
 193 }
 194
 195 static void
 196 client_fail(struct auth_client *auth, ident_message report)
 197 {
 198         struct ident_query *query = auth->data[PROVIDER_IDENT];
 199
 200         if(query == NULL)
 201                 return;
 202
 203         rb_strlcpy(auth->username, "*", sizeof(auth->username));
 204
 205         if(query->F != NULL)
 206                 rb_close(query->F);
 207
 208         rb_free(query);
 209         auth->data[PROVIDER_IDENT] = NULL;
 210
 211         notice_client(auth->cid, messages[report]);
 212         provider_done(auth, PROVIDER_IDENT);
 213 }
 214
 215 static void
 216 client_success(struct auth_client *auth)
 217 {
 218         struct ident_query *query = auth->data[PROVIDER_IDENT];
 219
 220         if(query == NULL)
 221                 return;
 222
 223         if(query->F != NULL)
 224                 rb_close(query->F);
 225
 226         rb_free(query);
 227         auth->data[PROVIDER_IDENT] = NULL;
 228
 229         notice_client(auth->cid, messages[REPORT_FOUND]);
 230         provider_done(auth, PROVIDER_IDENT);
 231 }
 232
 233 /* get_valid_ident
 234  * parse ident query reply from identd server
 235  *
 236  * Taken from old s_auth.c --Elizafox
 237  *
 238  * Inputs       - pointer to ident buf
 239  * Outputs      - NULL if no valid ident found, otherwise pointer to name
 240  * Side effects - None
 241  */
 242 static char *
 243 get_valid_ident(char *buf)
 244 {
 245         int remp = 0;
 246         int locp = 0;
 247         char *colon1Ptr;
 248         char *colon2Ptr;
 249         char *colon3Ptr;
 250         char *commaPtr;
 251         char *remotePortString;
 252
 253         /* All this to get rid of a sscanf() fun. */
 254         remotePortString = buf;
 255
 256         colon1Ptr = strchr(remotePortString, ':');
 257         if(!colon1Ptr)
 258                 return NULL;
 259
 260         *colon1Ptr = '\0';
 261         colon1Ptr++;
 262         colon2Ptr = strchr(colon1Ptr, ':');
 263         if(!colon2Ptr)
 264                 return NULL;
 265
 266         *colon2Ptr = '\0';
 267         colon2Ptr++;
 268         commaPtr = strchr(remotePortString, ',');
 269
 270         if(!commaPtr)
 271                 return NULL;
 272
 273         *commaPtr = '\0';
 274         commaPtr++;
 275
 276         remp = atoi(remotePortString);
 277         if(!remp)
 278                 return NULL;
 279
 280         locp = atoi(commaPtr);
 281         if(!locp)
 282                 return NULL;
 283
 284         /* look for USERID bordered by first pair of colons */
 285         if(!strstr(colon1Ptr, "USERID"))
 286                 return NULL;
 287
 288         colon3Ptr = strchr(colon2Ptr, ':');
 289         if(!colon3Ptr)
 290                 return NULL;
 291
 292         *colon3Ptr = '\0';
 293         colon3Ptr++;
 294         return (colon3Ptr);
 295 }
 296
 297 static bool
 298 ident_init(void)
 299 {
 300         timeout_ev = rb_event_addish("timeout_ident_queries_event", timeout_ident_queries_event, NULL, 1);
 301         return (timeout_ev != NULL);
 302 }
 303
 304 static void
 305 ident_destroy(void)
 306 {
 307         struct auth_client *auth;
 308         rb_dictionary_iter iter;
 309
 310         /* Nuke all ident queries */
 311         RB_DICTIONARY_FOREACH(auth, &iter, auth_clients)
 312         {
 313                 if(auth->data[PROVIDER_IDENT] != NULL)
 314                         client_fail(auth, REPORT_FAIL);
 315         }
 316 }
 317
 318 static bool ident_start(struct auth_client *auth)
 319 {
 320         struct ident_query *query = rb_malloc(sizeof(struct ident_query));
 321         struct rb_sockaddr_storage l_addr, c_addr;
 322         int family = GET_SS_FAMILY(&auth->c_addr);
 323
 324         if(!ident_enable || auth->data[PROVIDER_IDENT] != NULL)
 325         {
 326                 set_provider_done(auth, PROVIDER_IDENT); /* for blacklists */
 327                 return true;
 328         }
 329
 330         notice_client(auth->cid, messages[REPORT_LOOKUP]);
 331
 332         auth->data[PROVIDER_IDENT] = query;
 333         query->timeout = rb_current_time() + ident_timeout;
 334
 335         if((query->F = rb_socket(family, SOCK_STREAM, 0, "ident")) == NULL)
 336         {
 337                 warn_opers(L_DEBUG, "Could not create ident socket: %s", strerror(errno));
 338                 client_fail(auth, REPORT_FAIL);
 339                 return true;    /* Not a fatal error */
 340         }
 341
 342         /* Build sockaddr_storages for rb_connect_tcp below */
 343         memcpy(&l_addr, &auth->l_addr, sizeof(l_addr));
 344         memcpy(&c_addr, &auth->c_addr, sizeof(c_addr));
 345
 346         /* Set the ports correctly */
 347 #ifdef RB_IPV6
 348         if(GET_SS_FAMILY(&l_addr) == AF_INET6)
 349                 ((struct sockaddr_in6 *)&l_addr)->sin6_port = 0;
 350         else
 351 #endif
 352                 ((struct sockaddr_in *)&l_addr)->sin_port = 0;
 353
 354 #ifdef RB_IPV6
 355         if(GET_SS_FAMILY(&c_addr) == AF_INET6)
 356                 ((struct sockaddr_in6 *)&c_addr)->sin6_port = htons(113);
 357         else
 358 #endif
 359                 ((struct sockaddr_in *)&c_addr)->sin_port = htons(113);
 360
 361         rb_connect_tcp(query->F, (struct sockaddr *)&c_addr,
 362                         (struct sockaddr *)&l_addr,
 363                         GET_SS_LEN(&l_addr), ident_connected,
 364                         auth, ident_timeout);
 365
 366         set_provider_on(auth, PROVIDER_IDENT);
 367
 368         return true;
 369 }
 370
 371 static void
 372 ident_cancel(struct auth_client *auth)
 373 {
 374         struct ident_query *query = auth->data[PROVIDER_IDENT];
 375
 376         if(query != NULL)
 377                 client_fail(auth, REPORT_FAIL);
 378 }
 379
 380 static void
 381 add_conf_ident_timeout(const char *key __unused, int parc __unused, const char **parv)
 382 {
 383         int timeout = atoi(parv[0]);
 384
 385         if(timeout < 0)
 386         {
 387                 warn_opers(L_CRIT, "BUG: ident timeout < 0 (value: %d)", timeout);
 388                 return;
 389         }
 390
 391         ident_timeout = timeout;
 392 }
 393
 394 static void
 395 set_ident_enabled(const char *key __unused, int parc __unused, const char **parv)
 396 {
 397         enable_ident = (strcasecmp(parv[0], "true") == 0 ||
 398                         strcasecmp(parv[0], "1") == 0 ||
 399                         strcasecmp(parv[0], "enable") == 0);
 400 }
 401
 402 struct auth_opts_handler ident_options[] =
 403 {
 404         { "ident_timeout", 1, add_conf_ident_timeout },
 405         { "ident_enabled", 1, set_ident_enabled },
 406         { NULL, 0, NULL },
 407 };
 408
 409
 410 struct auth_provider ident_provider =
 411 {
 412         .id = PROVIDER_IDENT,
 413         .init = ident_init,
 414         .destroy = ident_destroy,
 415         .start = ident_start,
 416         .cancel = ident_cancel,
 417         .completed = NULL,
 418         .opt_handlers = ident_options,
 419 };