]> jfr.im git - solanum.git/blob - authd/providers/dnsbl.c
projects / solanum.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
make some authd warnings L_NETWIDE
[solanum.git] / authd / providers / dnsbl.c
1 /*
2 * Solanum: a slightly advanced ircd
3 * dnsbl.c: Manages DNSBL entries and lookups
4 *
5 * Copyright (C) 2006-2011 charybdis development team
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions are
9 * met:
10 *
11 * 1. Redistributions of source code must retain the above copyright notice,
12 * this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * 3. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
23 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
24 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
30 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
32 */
33
34 /* Originally written for charybdis circa 2006 (by nenolod?).
35 * Tweaked for authd. Some functions and structs renamed. Public/private
36 * interfaces have been shifted around. Some code has been cleaned up too.
37 * -- Elizafox 24 March 2016
38 */
39
40 #include "authd.h"
41 #include "defaults.h"
42 #include "provider.h"
43 #include "notice.h"
44 #include "stdinc.h"
45 #include "dns.h"
46
47 #define SELF_PID (dnsbl_provider.id)
48
49 typedef enum filter_t
50 {
51 FILTER_ALL = 1,
52 FILTER_LAST = 2,
53 } filter_t;
54
55 /* dnsbl accepted IP types */
56 #define IPTYPE_IPV4 1
57 #define IPTYPE_IPV6 2
58
59 /* A configured DNSBL */
60 struct dnsbl
61 {
62 char host[IRCD_RES_HOSTLEN + 1];
63 char reason[BUFSIZE]; /* Reason template (ircd fills in the blanks) */
64 uint8_t iptype; /* IP types supported */
65 rb_dlink_list filters; /* Filters for queries */
66
67 bool delete; /* If true delete when no clients */
68 int refcount; /* When 0 and delete is set, remove this dnsbl */
69 unsigned int hits;
70
71 time_t lastwarning; /* Last warning about garbage replies sent */
72 };
73
74 /* A lookup in progress for a particular DNSBL for a particular client */
75 struct dnsbl_lookup
76 {
77 struct dnsbl *bl; /* dnsbl we're checking */
78 struct auth_client *auth; /* Client */
79 struct dns_query *query; /* DNS query pointer */
80
81 rb_dlink_node node;
82 };
83
84 /* A dnsbl filter */
85 struct dnsbl_filter
86 {
87 filter_t type; /* Type of filter */
88 char filter[HOSTIPLEN]; /* The filter itself */
89
90 rb_dlink_node node;
91 };
92
93 /* dnsbl user data attached to auth_client instance */
94 struct dnsbl_user
95 {
96 bool started;
97 rb_dlink_list queries; /* dnsbl queries in flight */
98 };
99
100 /* public interfaces */
101 static void dnsbls_destroy(void);
102
103 static bool dnsbls_start(struct auth_client *);
104 static inline void dnsbls_generic_cancel(struct auth_client *, const char *);
105 static void dnsbls_timeout(struct auth_client *);
106 static void dnsbls_cancel(struct auth_client *);
107 static void dnsbls_cancel_none(struct auth_client *);
108
109 /* private interfaces */
110 static void unref_dnsbl(struct dnsbl *);
111 static struct dnsbl *new_dnsbl(const char *, const char *, uint8_t, rb_dlink_list *);
112 static struct dnsbl *find_dnsbl(const char *);
113 static bool dnsbl_check_reply(struct dnsbl_lookup *, const char *);
114 static void dnsbl_dns_callback(const char *, bool, query_type, void *);
115 static void initiate_dnsbl_dnsquery(struct dnsbl *, struct auth_client *);
116
117 /* Variables */
118 static rb_dlink_list dnsbl_list = { NULL, NULL, 0 };
119 static int dnsbl_timeout = DNSBL_TIMEOUT_DEFAULT;
120
121 /* private interfaces */
122
123 static void
124 unref_dnsbl(struct dnsbl *bl)
125 {
126 rb_dlink_node *ptr, *nptr;
127
128 bl->refcount--;
129 if (bl->delete && bl->refcount <= 0)
130 {
131 RB_DLINK_FOREACH_SAFE(ptr, nptr, bl->filters.head)
132 {
133 rb_dlinkDelete(ptr, &bl->filters);
134 rb_free(ptr);
135 }
136
137 rb_dlinkFindDestroy(bl, &dnsbl_list);
138 rb_free(bl);
139 }
140 }
141
142 static struct dnsbl *
143 new_dnsbl(const char *name, const char *reason, uint8_t iptype, rb_dlink_list *filters)
144 {
145 struct dnsbl *bl;
146
147 if (name == NULL || reason == NULL || iptype == 0)
148 return NULL;
149
150 if((bl = find_dnsbl(name)) == NULL)
151 {
152 bl = rb_malloc(sizeof(struct dnsbl));
153 rb_dlinkAddAlloc(bl, &dnsbl_list);
154 }
155 else
156 bl->delete = false;
157
158 rb_strlcpy(bl->host, name, IRCD_RES_HOSTLEN + 1);
159 rb_strlcpy(bl->reason, reason, BUFSIZE);
160 bl->iptype = iptype;
161
162 rb_dlinkMoveList(filters, &bl->filters);
163
164 bl->lastwarning = 0;
165
166 return bl;
167 }
168
169 static struct dnsbl *
170 find_dnsbl(const char *name)
171 {
172 rb_dlink_node *ptr;
173
174 RB_DLINK_FOREACH(ptr, dnsbl_list.head)
175 {
176 struct dnsbl *bl = (struct dnsbl *)ptr->data;
177
178 if (!strcasecmp(bl->host, name))
179 return bl;
180 }
181
182 return NULL;
183 }
184
185 static inline bool
186 dnsbl_check_reply(struct dnsbl_lookup *bllookup, const char *ipaddr)
187 {
188 struct dnsbl *bl = bllookup->bl;
189 const char *lastoctet;
190 rb_dlink_node *ptr;
191
192 /* No filters and entry found - thus positive match */
193 if (!rb_dlink_list_length(&bl->filters))
194 return true;
195
196 /* Below will prolly have to change if IPv6 address replies are sent back */
197 if ((lastoctet = strrchr(ipaddr, '.')) == NULL || *(++lastoctet) == '\0')
198 goto blwarn;
199
200 RB_DLINK_FOREACH(ptr, bl->filters.head)
201 {
202 struct dnsbl_filter *filter = ptr->data;
203 const char *cmpstr;
204
205 if (filter->type == FILTER_ALL)
206 cmpstr = ipaddr;
207 else if (filter->type == FILTER_LAST)
208 cmpstr = lastoctet;
209 else
210 {
211 warn_opers(L_CRIT, "dnsbl: Unknown dnsbl filter type (host %s): %d",
212 bl->host, filter->type);
213 exit(EX_PROVIDER_ERROR);
214 }
215
216 if (strcmp(cmpstr, filter->filter) == 0)
217 /* Match! */
218 return true;
219 }
220
221 return false;
222 blwarn:
223 if (bl->lastwarning + 3600 < rb_current_time())
224 {
225 warn_opers(L_WARN, "Garbage/undecipherable reply received from dnsbl %s (reply %s)",
226 bl->host, ipaddr);
227 bl->lastwarning = rb_current_time();
228 }
229
230 return false;
231 }
232
233 static void
234 dnsbl_dns_callback(const char *result, bool status, query_type type, void *data)
235 {
236 struct dnsbl_lookup *bllookup = (struct dnsbl_lookup *)data;
237 struct dnsbl_user *bluser;
238 struct dnsbl *bl;
239 struct auth_client *auth;
240
241 lrb_assert(bllookup != NULL);
242 lrb_assert(bllookup->auth != NULL);
243
244 bl = bllookup->bl;
245 auth = bllookup->auth;
246
247 if((bluser = get_provider_data(auth, SELF_PID)) == NULL)
248 return;
249
250 if (result != NULL && status && dnsbl_check_reply(bllookup, result))
251 {
252 /* Match found, so proceed no further */
253 bl->hits++;
254 reject_client(auth, SELF_PID, bl->host, bl->reason);
255 dnsbls_cancel(auth);
256 return;
257 }
258
259 unref_dnsbl(bl);
260 cancel_query(bllookup->query); /* Ignore future responses */
261 rb_dlinkDelete(&bllookup->node, &bluser->queries);
262 rb_free(bllookup);
263
264 if(!rb_dlink_list_length(&bluser->queries))
265 {
266 /* Done here */
267 notice_client(auth->cid, "*** No DNSBL entry found for this IP");
268 rb_free(bluser);
269 set_provider_data(auth, SELF_PID, NULL);
270 set_provider_timeout_absolute(auth, SELF_PID, 0);
271 provider_done(auth, SELF_PID);
272
273 auth_client_unref(auth);
274 }
275 }
276
277 static void
278 initiate_dnsbl_dnsquery(struct dnsbl *bl, struct auth_client *auth)
279 {
280 struct dnsbl_lookup *bllookup = rb_malloc(sizeof(struct dnsbl_lookup));
281 struct dnsbl_user *bluser = get_provider_data(auth, SELF_PID);
282 char buf[IRCD_RES_HOSTLEN + 1];
283 int aftype;
284
285 bllookup->bl = bl;
286 bllookup->auth = auth;
287
288 aftype = GET_SS_FAMILY(&auth->c_addr);
289 if((aftype == AF_INET && (bl->iptype & IPTYPE_IPV4) == 0) ||
290 (aftype == AF_INET6 && (bl->iptype & IPTYPE_IPV6) == 0))
291 /* Incorrect dnsbl type for this IP... */
292 {
293 rb_free(bllookup);
294 return;
295 }
296
297 build_rdns(buf, sizeof(buf), &auth->c_addr, bl->host);
298 bllookup->query = lookup_ip(buf, AF_INET, dnsbl_dns_callback, bllookup);
299
300 rb_dlinkAdd(bllookup, &bllookup->node, &bluser->queries);
301 bl->refcount++;
302 }
303
304 static inline bool
305 lookup_all_dnsbls(struct auth_client *auth)
306 {
307 struct dnsbl_user *bluser = get_provider_data(auth, SELF_PID);
308 rb_dlink_node *ptr;
309 int iptype;
310
311 if(GET_SS_FAMILY(&auth->c_addr) == AF_INET)
312 iptype = IPTYPE_IPV4;
313 else if(GET_SS_FAMILY(&auth->c_addr) == AF_INET6)
314 iptype = IPTYPE_IPV6;
315 else
316 return false;
317
318 bluser->started = true;
319 notice_client(auth->cid, "*** Checking your IP against DNSBLs");
320
321 RB_DLINK_FOREACH(ptr, dnsbl_list.head)
322 {
323 struct dnsbl *bl = (struct dnsbl *)ptr->data;
324
325 if (!bl->delete && (bl->iptype & iptype))
326 initiate_dnsbl_dnsquery(bl, auth);
327 }
328
329 if(!rb_dlink_list_length(&bluser->queries))
330 /* None checked. */
331 return false;
332
333 set_provider_timeout_relative(auth, SELF_PID, dnsbl_timeout);
334
335 return true;
336 }
337
338 static inline void
339 delete_dnsbl(struct dnsbl *bl)
340 {
341 if (bl->refcount > 0)
342 bl->delete = true;
343 else
344 {
345 rb_dlinkFindDestroy(bl, &dnsbl_list);
346 rb_free(bl);
347 }
348 }
349
350 static void
351 delete_all_dnsbls(void)
352 {
353 rb_dlink_node *ptr, *nptr;
354
355 RB_DLINK_FOREACH_SAFE(ptr, nptr, dnsbl_list.head)
356 {
357 delete_dnsbl(ptr->data);
358 }
359 }
360
361 /* public interfaces */
362 static bool
363 dnsbls_start(struct auth_client *auth)
364 {
365 lrb_assert(get_provider_data(auth, SELF_PID) == NULL);
366
367 if (!rb_dlink_list_length(&dnsbl_list)) {
368 /* Nothing to do... */
369 provider_done(auth, SELF_PID);
370 return true;
371 }
372
373 auth_client_ref(auth);
374
375 set_provider_data(auth, SELF_PID, rb_malloc(sizeof(struct dnsbl_user)));
376
377 if (run_after_provider(auth, "rdns") && run_after_provider(auth, "ident")) {
378 /* Start the lookup if ident and rdns are finished, or not loaded. */
379 if (!lookup_all_dnsbls(auth)) {
380 dnsbls_cancel_none(auth);
381 return true;
382 }
383 }
384
385 return true;
386 }
387
388 /* This is called every time a provider is completed as long as we are marked not done */
389 static void
390 dnsbls_initiate(struct auth_client *auth, uint32_t provider)
391 {
392 struct dnsbl_user *bluser = get_provider_data(auth, SELF_PID);
393
394 lrb_assert(provider != SELF_PID);
395 lrb_assert(!is_provider_done(auth, SELF_PID));
396 lrb_assert(rb_dlink_list_length(&dnsbl_list) > 0);
397
398 if (bluser == NULL || bluser->started) {
399 /* Nothing to do */
400 return;
401 } else if (run_after_provider(auth, "rdns") && run_after_provider(auth, "ident")) {
402 /* Start the lookup if ident and rdns are finished, or not loaded. */
403 if (!lookup_all_dnsbls(auth)) {
404 dnsbls_cancel_none(auth);
405 }
406 }
407 }
408
409 static inline void
410 dnsbls_generic_cancel(struct auth_client *auth, const char *message)
411 {
412 rb_dlink_node *ptr, *nptr;
413 struct dnsbl_user *bluser = get_provider_data(auth, SELF_PID);
414
415 if(bluser == NULL)
416 return;
417
418 if(rb_dlink_list_length(&bluser->queries))
419 {
420 notice_client(auth->cid, message);
421
422 RB_DLINK_FOREACH_SAFE(ptr, nptr, bluser->queries.head)
423 {
424 struct dnsbl_lookup *bllookup = ptr->data;
425
426 cancel_query(bllookup->query);
427 unref_dnsbl(bllookup->bl);
428
429 rb_dlinkDelete(&bllookup->node, &bluser->queries);
430 rb_free(bllookup);
431 }
432 }
433
434 rb_free(bluser);
435 set_provider_data(auth, SELF_PID, NULL);
436 set_provider_timeout_absolute(auth, SELF_PID, 0);
437 provider_done(auth, SELF_PID);
438
439 auth_client_unref(auth);
440 }
441
442 static void
443 dnsbls_timeout(struct auth_client *auth)
444 {
445 dnsbls_generic_cancel(auth, "*** No response from DNSBLs");
446 }
447
448 static void
449 dnsbls_cancel(struct auth_client *auth)
450 {
451 dnsbls_generic_cancel(auth, "*** Aborting DNSBL checks");
452 }
453
454 static void
455 dnsbls_cancel_none(struct auth_client *auth)
456 {
457 dnsbls_generic_cancel(auth, "*** Could not check DNSBLs");
458 }
459
460 static void
461 dnsbls_destroy(void)
462 {
463 rb_dictionary_iter iter;
464 struct auth_client *auth;
465
466 RB_DICTIONARY_FOREACH(auth, &iter, auth_clients)
467 {
468 dnsbls_cancel(auth);
469 /* auth is now invalid as we have no reference */
470 }
471
472 delete_all_dnsbls();
473 }
474
475 static void
476 add_conf_dnsbl(const char *key, int parc, const char **parv)
477 {
478 rb_dlink_list filters = { NULL, NULL, 0 };
479 char *tmp, *elemlist = rb_strdup(parv[2]);
480 uint8_t iptype;
481
482 if(*elemlist == '*')
483 goto end;
484
485 for(char *elem = rb_strtok_r(elemlist, ",", &tmp); elem; elem = rb_strtok_r(NULL, ",", &tmp))
486 {
487 struct dnsbl_filter *filter = rb_malloc(sizeof(struct dnsbl_filter));
488 int dot_c = 0;
489 filter_t type = FILTER_LAST;
490
491 /* Check dnsbl filter type and for validity */
492 for(char *c = elem; *c != '\0'; c++)
493 {
494 if(*c == '.')
495 {
496 if(++dot_c > 3)
497 {
498 warn_opers(L_CRIT, "dnsbl: addr_conf_dnsbl got a bad filter (too many octets)");
499 exit(EX_PROVIDER_ERROR);
500 }
501
502 type = FILTER_ALL;
503 }
504 else if(!isdigit(*c))
505 {
506 warn_opers(L_CRIT, "dnsbl: addr_conf_dnsbl got a bad filter (invalid character in dnsbl filter: %c)",
507 *c);
508 exit(EX_PROVIDER_ERROR);
509 }
510 }
511
512 if(dot_c > 0 && dot_c < 3)
513 {
514 warn_opers(L_CRIT, "dnsbl: addr_conf_dnsbl got a bad filter (insufficient octets)");
515 exit(EX_PROVIDER_ERROR);
516 }
517
518 filter->type = type;
519 rb_strlcpy(filter->filter, elem, sizeof(filter->filter));
520 rb_dlinkAdd(filter, &filter->node, &filters);
521 }
522
523 end:
524 rb_free(elemlist);
525
526 iptype = atoi(parv[1]) & 0x3;
527 if(new_dnsbl(parv[0], parv[3], iptype, &filters) == NULL)
528 {
529 warn_opers(L_CRIT, "dnsbl: addr_conf_dnsbl got a malformed dnsbl");
530 exit(EX_PROVIDER_ERROR);
531 }
532 }
533
534 static void
535 del_conf_dnsbl(const char *key, int parc, const char **parv)
536 {
537 struct dnsbl *bl = find_dnsbl(parv[0]);
538 if(bl == NULL)
539 {
540 /* Not fatal for now... */
541 warn_opers(L_WARN, "dnsbl: tried to remove nonexistent dnsbl %s", parv[0]);
542 return;
543 }
544
545 delete_dnsbl(bl);
546 }
547
548 static void
549 del_conf_dnsbl_all(const char *key, int parc, const char **parv)
550 {
551 delete_all_dnsbls();
552 }
553
554 static void
555 add_conf_dnsbl_timeout(const char *key, int parc, const char **parv)
556 {
557 int timeout = atoi(parv[0]);
558
559 if(timeout < 0)
560 {
561 warn_opers(L_CRIT, "dnsbl: dnsbl timeout < 0 (value: %d)", timeout);
562 exit(EX_PROVIDER_ERROR);
563 }
564
565 dnsbl_timeout = timeout;
566 }
567
568 #if 0
569 static void
570 dnsbl_stats(uint32_t rid, char letter)
571 {
572 rb_dlink_node *ptr;
573
574 RB_DLINK_FOREACH(ptr, dnsbl_list.head)
575 {
576 struct dnsbl *bl = ptr->data;
577
578 if(bl->delete)
579 continue;
580
581 stats_result(rid, letter, "%s %hhu %u", bl->host, bl->iptype, bl->hits);
582 }
583
584 stats_done(rid, letter);
585 }
586 #endif
587
588 struct auth_opts_handler dnsbl_options[] =
589 {
590 { "rbl", 4, add_conf_dnsbl },
591 { "rbl_del", 1, del_conf_dnsbl },
592 { "rbl_del_all", 0, del_conf_dnsbl_all },
593 { "rbl_timeout", 1, add_conf_dnsbl_timeout },
594 { NULL, 0, NULL },
595 };
596
597 struct auth_provider dnsbl_provider =
598 {
599 .name = "dnsbl",
600 .letter = 'B',
601 .destroy = dnsbls_destroy,
602 .start = dnsbls_start,
603 .cancel = dnsbls_cancel,
604 .timeout = dnsbls_timeout,
605 .completed = dnsbls_initiate,
606 .opt_handlers = dnsbl_options,
607 /* .stats_handler = { 'B', dnsbl_stats }, */
608 };
Fork of solanum ircd, history is rebased regularly