2 * authd.c: An interface to authd.
3 * (based somewhat on ircd-ratbox dns.c)
5 * Copyright (C) 2005 Aaron Sethman <androsyn@ratbox.org>
6 * Copyright (C) 2005-2012 ircd-ratbox development team
7 * Copyright (C) 2016 Ariadne Conill <ariadne@dereferenced.org>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
28 #include "ircd_defs.h"
43 typedef void (*authd_cb_t
)(int, char **);
51 static int start_authd(void);
52 static void parse_authd_reply(rb_helper
* helper
);
53 static void restart_authd_cb(rb_helper
* helper
);
54 static EVH timeout_dead_authd_clients
;
56 static void cmd_accept_client(int parc
, char **parv
);
57 static void cmd_reject_client(int parc
, char **parv
);
58 static void cmd_dns_result(int parc
, char **parv
);
59 static void cmd_notice_client(int parc
, char **parv
);
60 static void cmd_oper_warn(int parc
, char **parv
);
61 static void cmd_stats_results(int parc
, char **parv
);
63 rb_helper
*authd_helper
;
64 static char *authd_path
;
67 static rb_dictionary
*cid_clients
;
68 static struct ev_entry
*timeout_ev
;
70 rb_dictionary
*dnsbl_stats
= NULL
;
72 rb_dlink_list opm_list
;
73 struct OPMListener opm_listeners
[LISTEN_LAST
];
75 static struct authd_cb authd_cmd_tab
[256] =
77 ['A'] = { cmd_accept_client
, 4 },
78 ['E'] = { cmd_dns_result
, 5 },
79 ['N'] = { cmd_notice_client
, 3 },
80 ['R'] = { cmd_reject_client
, 7 },
81 ['W'] = { cmd_oper_warn
, 3 },
82 ['X'] = { cmd_stats_results
, 3 },
83 ['Y'] = { cmd_stats_results
, 3 },
84 ['Z'] = { cmd_stats_results
, 3 },
90 char fullpath
[PATH_MAX
+ 1];
92 if(authd_path
== NULL
)
94 snprintf(fullpath
, sizeof(fullpath
), "%s/authd", ircd_paths
[IRCD_PATH_LIBEXEC
]);
96 if(access(fullpath
, X_OK
) == -1)
98 snprintf(fullpath
, sizeof(fullpath
), "%s/bin/authd", ConfigFileEntry
.dpath
);
99 if(access(fullpath
, X_OK
) == -1)
101 ierror("Unable to execute authd in %s or %s/bin",
102 ircd_paths
[IRCD_PATH_LIBEXEC
], ConfigFileEntry
.dpath
);
103 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
,
104 "Unable to execute authd in %s or %s/bin",
105 ircd_paths
[IRCD_PATH_LIBEXEC
], ConfigFileEntry
.dpath
);
111 authd_path
= rb_strdup(fullpath
);
114 if(cid_clients
== NULL
)
115 cid_clients
= rb_dictionary_create("authd cid to uid mapping", rb_uint32cmp
);
117 if(timeout_ev
== NULL
)
118 timeout_ev
= rb_event_addish("timeout_dead_authd_clients", timeout_dead_authd_clients
, NULL
, 1);
120 authd_helper
= rb_helper_start("authd", authd_path
, parse_authd_reply
, restart_authd_cb
);
122 if(authd_helper
== NULL
)
124 ierror("Unable to start authd helper: %s", strerror(errno
));
125 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
, "Unable to start authd helper: %s", strerror(errno
));
129 ilog(L_MAIN
, "authd helper started");
130 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
, "authd helper started");
131 rb_helper_run(authd_helper
);
135 static inline uint32_t
136 str_to_cid(const char *str
)
138 long lcid
= strtol(str
, NULL
, 16);
140 if(lcid
> UINT32_MAX
|| lcid
<= 0)
142 iwarn("authd sent us back a bad client ID: %lx", lcid
);
147 return (uint32_t)lcid
;
150 static inline struct Client
*
151 cid_to_client(uint32_t ncid
, bool del
)
153 struct Client
*client_p
;
156 client_p
= rb_dictionary_delete(cid_clients
, RB_UINT_TO_POINTER(ncid
));
158 client_p
= rb_dictionary_retrieve(cid_clients
, RB_UINT_TO_POINTER(ncid
));
160 /* If the client's not found, that's okay, it may have already gone away.
166 static inline struct Client
*
167 str_cid_to_client(const char *str
, bool del
)
169 uint32_t ncid
= str_to_cid(str
);
174 return cid_to_client(ncid
, del
);
178 cmd_accept_client(int parc
, char **parv
)
180 struct Client
*client_p
;
182 /* cid to uid (retrieve and delete) */
183 if((client_p
= str_cid_to_client(parv
[1], true)) == NULL
)
186 authd_accept_client(client_p
, parv
[2], parv
[3]);
190 cmd_dns_result(int parc
, char **parv
)
192 dns_results_callback(parv
[1], parv
[2], parv
[3], parv
[4]);
196 cmd_notice_client(int parc
, char **parv
)
198 struct Client
*client_p
;
200 if ((client_p
= str_cid_to_client(parv
[1], false)) == NULL
)
203 if (IsAnyDead(client_p
))
206 sendto_one_notice(client_p
, ":%s", parv
[2]);
210 cmd_reject_client(int parc
, char **parv
)
212 struct Client
*client_p
;
214 /* cid to uid (retrieve and delete) */
215 if((client_p
= str_cid_to_client(parv
[1], true)) == NULL
)
218 authd_reject_client(client_p
, parv
[3], parv
[4], toupper(*parv
[2]), parv
[5], parv
[6]);
222 cmd_oper_warn(int parc
, char **parv
)
226 case 'D': /* Debug */
227 sendto_realops_snomask(SNO_DEBUG
, L_NETWIDE
, "authd debug: %s", parv
[2]);
228 idebug("authd: %s", parv
[2]);
231 sendto_realops_snomask(SNO_DEBUG
, L_NETWIDE
, "authd info: %s", parv
[2]);
232 inotice("authd: %s", parv
[2]);
234 case 'W': /* Warning */
235 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
, "authd WARNING: %s", parv
[2]);
236 iwarn("authd: %s", parv
[2]);
238 case 'C': /* Critical (error) */
239 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
, "authd CRITICAL: %s", parv
[2]);
240 ierror("authd: %s", parv
[2]);
243 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
, "authd sent us an unknown oper notice type (%s): %s", parv
[1], parv
[2]);
244 ilog(L_MAIN
, "authd unknown oper notice type (%s): %s", parv
[1], parv
[2]);
250 cmd_stats_results(int parc
, char **parv
)
256 /* parv[0] conveys status */
259 iwarn("authd sent a result with wrong number of arguments: got %d", parc
);
263 dns_stats_results_callback(parv
[1], parv
[0], parc
- 3, (const char **)&parv
[3]);
271 parse_authd_reply(rb_helper
* helper
)
275 char buf
[READBUF_SIZE
];
278 while((len
= rb_helper_read(helper
, buf
, sizeof(buf
))) > 0)
280 struct authd_cb
*cmd
;
282 parc
= rb_string_to_array(buf
, parv
, sizeof(parv
));
283 cmd
= &authd_cmd_tab
[(unsigned char)*parv
[0]];
286 if(cmd
->min_parc
> parc
)
288 iwarn("authd sent a result with wrong number of arguments: expected %d, got %d",
289 cmd
->min_parc
, parc
);
298 iwarn("authd sent us a bad command type: %c", *parv
[0]);
310 ierror("Unable to start authd helper: %s", strerror(errno
));
316 configure_authd(void)
319 set_authd_timeout("ident_timeout", GlobalSetOptions
.ident_timeout
);
320 set_authd_timeout("rdns_timeout", ConfigFileEntry
.connect_timeout
);
321 set_authd_timeout("rbl_timeout", ConfigFileEntry
.connect_timeout
);
323 ident_check_enable(!ConfigFileEntry
.disable_auth
);
326 if(rb_dlink_list_length(&opm_list
) > 0 &&
327 (opm_listeners
[LISTEN_IPV4
].ipaddr
[0] != '\0' ||
328 opm_listeners
[LISTEN_IPV6
].ipaddr
[0] != '\0'))
332 if(opm_listeners
[LISTEN_IPV4
].ipaddr
[0] != '\0')
333 rb_helper_write(authd_helper
, "O opm_listener %s %hu",
334 opm_listeners
[LISTEN_IPV4
].ipaddr
, opm_listeners
[LISTEN_IPV4
].port
);
336 if(opm_listeners
[LISTEN_IPV6
].ipaddr
[0] != '\0')
337 rb_helper_write(authd_helper
, "O opm_listener %s %hu",
338 opm_listeners
[LISTEN_IPV6
].ipaddr
, opm_listeners
[LISTEN_IPV6
].port
);
340 RB_DLINK_FOREACH(ptr
, opm_list
.head
)
342 struct OPMScanner
*scanner
= ptr
->data
;
343 rb_helper_write(authd_helper
, "O opm_scanner %s %hu",
344 scanner
->type
, scanner
->port
);
347 opm_check_enable(true);
350 opm_check_enable(false);
352 /* Configure DNSBLs */
353 if (dnsbl_stats
!= NULL
)
355 rb_dictionary_iter iter
;
356 struct DNSBLEntry
*entry
;
357 RB_DICTIONARY_FOREACH(entry
, &iter
, dnsbl_stats
)
359 rb_helper_write(authd_helper
, "O rbl %s %hhu %s :%s", entry
->host
,
360 entry
->iptype
, entry
->filters
, entry
->reason
);
366 authd_free_client(struct Client
*client_p
)
368 if(client_p
== NULL
|| client_p
->preClient
== NULL
)
371 if(client_p
->preClient
->auth
.cid
== 0)
374 if(authd_helper
!= NULL
)
375 rb_helper_write(authd_helper
, "E %x", client_p
->preClient
->auth
.cid
);
377 client_p
->preClient
->auth
.accepted
= true;
378 client_p
->preClient
->auth
.cid
= 0;
382 authd_free_client_cb(rb_dictionary_element
*delem
, void *unused
)
384 struct Client
*client_p
= delem
->data
;
385 authd_free_client(client_p
);
389 authd_abort_client(struct Client
*client_p
)
391 rb_dictionary_delete(cid_clients
, RB_UINT_TO_POINTER(client_p
->preClient
->auth
.cid
));
392 authd_free_client(client_p
);
396 restart_authd_cb(rb_helper
* helper
)
398 iwarn("authd helper died - attempting to restart");
399 sendto_realops_snomask(SNO_GENERAL
, L_NETWIDE
, "authd helper died - attempting to restart");
403 rb_helper_close(helper
);
407 rb_dictionary_destroy(cid_clients
, authd_free_client_cb
, NULL
);
417 ierror("authd restarting...");
418 restart_authd_cb(authd_helper
);
424 rb_helper_write(authd_helper
, "R");
430 if(authd_helper
== NULL
)
434 static inline uint32_t
443 /* Basically when this is called we begin handing off the client to authd for
444 * processing. authd "owns" the client until processing is finished, or we
445 * timeout from authd. authd will make a decision whether or not to accept the
446 * client, but it's up to other parts of the code (for now) to decide if we're
447 * gonna accept the client and ignore authd's suggestion.
451 * If this is an SSL connection we must defer handing off the client for
452 * reading until it is open and we have the certificate fingerprint, otherwise
453 * it's possible for the client to immediately send data before authd completes
454 * and before the status of the connection is communicated via ssld. This data
455 * could then be processed too early by read_packet().
458 authd_initiate_client(struct Client
*client_p
, bool defer
)
460 char client_ipaddr
[HOSTIPLEN
+1];
461 char listen_ipaddr
[HOSTIPLEN
+1];
462 uint16_t client_port
, listen_port
;
465 if(client_p
->preClient
== NULL
|| client_p
->preClient
->auth
.cid
!= 0)
468 authd_cid
= client_p
->preClient
->auth
.cid
= generate_cid();
470 /* Collisions are extremely unlikely, so disregard the possibility */
471 rb_dictionary_add(cid_clients
, RB_UINT_TO_POINTER(authd_cid
), client_p
);
473 /* Retrieve listener and client IP's */
474 rb_inet_ntop_sock((struct sockaddr
*)&client_p
->preClient
->lip
, listen_ipaddr
, sizeof(listen_ipaddr
));
475 rb_inet_ntop_sock((struct sockaddr
*)&client_p
->localClient
->ip
, client_ipaddr
, sizeof(client_ipaddr
));
477 /* Retrieve listener and client ports */
478 listen_port
= ntohs(GET_SS_PORT(&client_p
->preClient
->lip
));
479 client_port
= ntohs(GET_SS_PORT(&client_p
->localClient
->ip
));
482 client_p
->preClient
->auth
.flags
|= AUTHC_F_DEFERRED
;
484 /* Add a bit of a fudge factor... */
485 client_p
->preClient
->auth
.timeout
= rb_current_time() + ConfigFileEntry
.connect_timeout
+ 10;
487 rb_helper_write(authd_helper
, "C %x %s %hu %s %hu %x", authd_cid
, listen_ipaddr
, listen_port
, client_ipaddr
, client_port
,
489 IsSCTP(client_p
) ? IPPROTO_SCTP
: IPPROTO_TCP
);
496 authd_read_client(struct Client
*client_p
)
499 * When a client has auth'ed, we want to start reading what it sends
500 * us. This is what read_packet() does.
503 * Above comment was originally in s_auth.c, but moved here with below code.
506 rb_dlinkAddTail(client_p
, &client_p
->node
, &global_client_list
);
507 read_packet(client_p
->localClient
->F
, client_p
);
510 /* When this is called we have a decision on client acceptance.
512 * After this point authd no longer "owns" the client, but if
513 * it's flagged as deferred then we're still waiting for a call
514 * to authd_deferred_client().
517 authd_decide_client(struct Client
*client_p
, const char *ident
, const char *host
, bool accept
, char cause
, const char *data
, const char *reason
)
519 if(client_p
->preClient
== NULL
|| client_p
->preClient
->auth
.cid
== 0)
524 rb_strlcpy(client_p
->username
, ident
, sizeof(client_p
->username
));
526 ServerStats
.is_asuc
++;
529 ServerStats
.is_abad
++; /* s_auth used to do this, stay compatible */
532 rb_strlcpy(client_p
->host
, host
, sizeof(client_p
->host
));
534 rb_dictionary_delete(cid_clients
, RB_UINT_TO_POINTER(client_p
->preClient
->auth
.cid
));
536 client_p
->preClient
->auth
.accepted
= accept
;
537 client_p
->preClient
->auth
.cause
= cause
;
538 client_p
->preClient
->auth
.data
= (data
== NULL
? NULL
: rb_strdup(data
));
539 client_p
->preClient
->auth
.reason
= (reason
== NULL
? NULL
: rb_strdup(reason
));
540 client_p
->preClient
->auth
.cid
= 0;
542 client_p
->preClient
->auth
.flags
|= AUTHC_F_COMPLETE
;
543 if((client_p
->preClient
->auth
.flags
& AUTHC_F_DEFERRED
) == 0)
544 authd_read_client(client_p
);
548 authd_deferred_client(struct Client
*client_p
)
550 client_p
->preClient
->auth
.flags
&= ~AUTHC_F_DEFERRED
;
551 if(client_p
->preClient
->auth
.flags
& AUTHC_F_COMPLETE
)
552 authd_read_client(client_p
);
555 /* Convenience function to accept client */
557 authd_accept_client(struct Client
*client_p
, const char *ident
, const char *host
)
559 authd_decide_client(client_p
, ident
, host
, true, '\0', NULL
, NULL
);
562 /* Convenience function to reject client */
564 authd_reject_client(struct Client
*client_p
, const char *ident
, const char *host
, char cause
, const char *data
, const char *reason
)
566 authd_decide_client(client_p
, ident
, host
, false, cause
, data
, reason
);
570 timeout_dead_authd_clients(void *notused __unused
)
572 rb_dictionary_iter iter
;
573 struct Client
*client_p
;
574 rb_dlink_list freelist
= { NULL
, NULL
, 0 };
575 rb_dlink_node
*ptr
, *nptr
;
577 RB_DICTIONARY_FOREACH(client_p
, &iter
, cid_clients
)
579 if(client_p
->preClient
->auth
.timeout
< rb_current_time())
581 rb_dlinkAddAlloc(client_p
, &freelist
);
585 /* RB_DICTIONARY_FOREACH is not safe for deletion, so we do this crap */
586 RB_DLINK_FOREACH_SAFE(ptr
, nptr
, freelist
.head
)
588 client_p
= ptr
->data
;
589 authd_abort_client(client_p
);
590 rb_dlinkDestroy(ptr
, &freelist
);
594 /* Send a new DNSBL entry to authd */
596 add_dnsbl_entry(const char *host
, const char *reason
, uint8_t iptype
, rb_dlink_list
*filters
)
599 struct DNSBLEntry
*entry
= rb_malloc(sizeof(*entry
));
600 char filterbuf
[BUFSIZE
] = "*";
603 if(dnsbl_stats
== NULL
)
604 dnsbl_stats
= rb_dictionary_create("dnsbl statistics", rb_strcasecmp
);
606 /* Build a list of comma-separated values for authd.
607 * We don't check for validity - do it elsewhere.
609 RB_DLINK_FOREACH(ptr
, filters
->head
)
611 char *filter
= ptr
->data
;
612 size_t filterlen
= strlen(filter
) + 1;
614 if(s
+ filterlen
> sizeof(filterbuf
))
617 snprintf(&filterbuf
[s
], sizeof(filterbuf
) - s
, "%s,", filter
);
623 filterbuf
[s
- 1] = '\0';
625 entry
->host
= rb_strdup(host
);
626 entry
->reason
= rb_strdup(reason
);
627 entry
->filters
= rb_strdup(filterbuf
);
628 entry
->iptype
= iptype
;
631 rb_dictionary_add(dnsbl_stats
, entry
->host
, entry
);
632 rb_helper_write(authd_helper
, "O rbl %s %hhu %s :%s", host
, iptype
, filterbuf
, reason
);
635 /* Delete a DNSBL entry. */
637 del_dnsbl_entry(const char *host
)
639 struct DNSBLEntry
*entry
= rb_dictionary_retrieve(dnsbl_stats
, host
);
643 rb_dictionary_delete(dnsbl_stats
, entry
->host
);
644 rb_free(entry
->host
);
645 rb_free(entry
->reason
);
646 rb_free(entry
->filters
);
650 rb_helper_write(authd_helper
, "O rbl_del %s", host
);
654 dnsbl_delete_elem(rb_dictionary_element
*delem
, void *unused
)
656 struct DNSBLEntry
*entry
= delem
->data
;
658 rb_free(entry
->host
);
659 rb_free(entry
->reason
);
660 rb_free(entry
->filters
);
664 /* Delete all the DNSBL entries. */
666 del_dnsbl_entry_all(void)
668 if(dnsbl_stats
!= NULL
)
669 rb_dictionary_destroy(dnsbl_stats
, dnsbl_delete_elem
, NULL
);
672 rb_helper_write(authd_helper
, "O rbl_del_all");
675 /* Adjust an authd timeout value */
677 set_authd_timeout(const char *key
, int timeout
)
682 rb_helper_write(authd_helper
, "O %s %d", key
, timeout
);
686 /* Enable identd checks */
688 ident_check_enable(bool enabled
)
690 rb_helper_write(authd_helper
, "O ident_enabled %d", enabled
? 1 : 0);
693 /* Create an OPM listener
694 * XXX - This is a big nasty hack, but it avoids resending duplicate data when
695 * configure_authd() is called.
698 conf_create_opm_listener(const char *ip
, uint16_t port
)
700 char ipbuf
[HOSTIPLEN
];
701 struct OPMListener
*listener
;
703 rb_strlcpy(ipbuf
, ip
, sizeof(ipbuf
));
706 memmove(ipbuf
+ 1, ipbuf
, sizeof(ipbuf
) - 1);
710 /* I am much too lazy to use rb_inet_pton and GET_SS_FAMILY for now --Elizafox */
711 listener
= &opm_listeners
[(strchr(ipbuf
, ':') != NULL
? LISTEN_IPV6
: LISTEN_IPV4
)];
712 rb_strlcpy(listener
->ipaddr
, ipbuf
, sizeof(listener
->ipaddr
));
713 listener
->port
= port
;
717 create_opm_listener(const char *ip
, uint16_t port
)
719 char ipbuf
[HOSTIPLEN
];
721 /* XXX duplicated in conf_create_opm_listener */
722 rb_strlcpy(ipbuf
, ip
, sizeof(ipbuf
));
725 memmove(ipbuf
+ 1, ipbuf
, sizeof(ipbuf
) - 1);
729 conf_create_opm_listener(ip
, port
);
730 rb_helper_write(authd_helper
, "O opm_listener %s %hu", ipbuf
, port
);
734 delete_opm_listener_all(void)
736 memset(&opm_listeners
, 0, sizeof(opm_listeners
));
737 rb_helper_write(authd_helper
, "O opm_listener_del_all");
740 /* Disable all OPM scans */
742 opm_check_enable(bool enabled
)
744 rb_helper_write(authd_helper
, "O opm_enabled %d", enabled
? 1 : 0);
747 /* Create an OPM proxy scanner
748 * XXX - This is a big nasty hack, but it avoids resending duplicate data when
749 * configure_authd() is called.
752 conf_create_opm_proxy_scanner(const char *type
, uint16_t port
)
754 struct OPMScanner
*scanner
= rb_malloc(sizeof(struct OPMScanner
));
756 rb_strlcpy(scanner
->type
, type
, sizeof(scanner
->type
));
757 scanner
->port
= port
;
758 rb_dlinkAdd(scanner
, &scanner
->node
, &opm_list
);
762 create_opm_proxy_scanner(const char *type
, uint16_t port
)
764 conf_create_opm_proxy_scanner(type
, port
);
765 rb_helper_write(authd_helper
, "O opm_scanner %s %hu", type
, port
);
769 delete_opm_proxy_scanner(const char *type
, uint16_t port
)
771 rb_dlink_node
*ptr
, *nptr
;
773 RB_DLINK_FOREACH_SAFE(ptr
, nptr
, opm_list
.head
)
775 struct OPMScanner
*scanner
= ptr
->data
;
777 if(rb_strncasecmp(scanner
->type
, type
, sizeof(scanner
->type
)) == 0 &&
778 scanner
->port
== port
)
780 rb_dlinkDelete(ptr
, &opm_list
);
786 rb_helper_write(authd_helper
, "O opm_scanner_del %s %hu", type
, port
);
790 delete_opm_proxy_scanner_all(void)
792 rb_dlink_node
*ptr
, *nptr
;
794 RB_DLINK_FOREACH_SAFE(ptr
, nptr
, opm_list
.head
)
796 struct OPMScanner
*scanner
= ptr
->data
;
798 rb_dlinkDelete(ptr
, &opm_list
);
802 rb_helper_write(authd_helper
, "O opm_scanner_del_all");