]> jfr.im git - solanum.git/blob - ircd/authd.c
projects / solanum.git / blob
? search:


c12a055ee8174156d80643cfd5ba75dee0a6ba59
[solanum.git] / ircd / authd.c
1 /*
2 * authd.c: An interface to authd.
3 * (based somewhat on ircd-ratbox dns.c)
4 *
5 * Copyright (C) 2005 Aaron Sethman <androsyn@ratbox.org>
6 * Copyright (C) 2005-2012 ircd-ratbox development team
7 * Copyright (C) 2016 William Pitcock <nenolod@dereferenced.org>
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
22 * USA
23 */
24
25 #include "stdinc.h"
26 #include "rb_lib.h"
27 #include "client.h"
28 #include "ircd_defs.h"
29 #include "parse.h"
30 #include "authd.h"
31 #include "match.h"
32 #include "logger.h"
33 #include "s_conf.h"
34 #include "s_stats.h"
35 #include "client.h"
36 #include "packet.h"
37 #include "hash.h"
38 #include "send.h"
39 #include "numeric.h"
40 #include "msg.h"
41 #include "dns.h"
42
43 static int start_authd(void);
44 static void parse_authd_reply(rb_helper * helper);
45 static void restart_authd_cb(rb_helper * helper);
46 static EVH timeout_dead_authd_clients;
47
48 rb_helper *authd_helper;
49 static char *authd_path;
50
51 uint32_t cid;
52 static rb_dictionary *cid_clients;
53 static struct ev_entry *timeout_ev;
54
55 rb_dictionary *bl_stats;
56
57 static int
58 start_authd(void)
59 {
60 char fullpath[PATH_MAX + 1];
61 #ifdef _WIN32
62 const char *suffix = ".exe";
63 #else
64 const char *suffix = "";
65 #endif
66 if(authd_path == NULL)
67 {
68 snprintf(fullpath, sizeof(fullpath), "%s%cauthd%s", ircd_paths[IRCD_PATH_LIBEXEC], RB_PATH_SEPARATOR, suffix);
69
70 if(access(fullpath, X_OK) == -1)
71 {
72 snprintf(fullpath, sizeof(fullpath), "%s%cbin%cauthd%s",
73 ConfigFileEntry.dpath, RB_PATH_SEPARATOR, RB_PATH_SEPARATOR, suffix);
74 if(access(fullpath, X_OK) == -1)
75 {
76 ierror("Unable to execute authd in %s or %s/bin",
77 ircd_paths[IRCD_PATH_LIBEXEC], ConfigFileEntry.dpath);
78 sendto_realops_snomask(SNO_GENERAL, L_ALL,
79 "Unable to execute authd in %s or %s/bin",
80 ircd_paths[IRCD_PATH_LIBEXEC], ConfigFileEntry.dpath);
81 return 1;
82 }
83
84 }
85
86 authd_path = rb_strdup(fullpath);
87 }
88
89 if(cid_clients == NULL)
90 cid_clients = rb_dictionary_create("authd cid to uid mapping", rb_uint32cmp);
91
92 if(bl_stats == NULL)
93 bl_stats = rb_dictionary_create("blacklist statistics", strcasecmp);
94
95 if(timeout_ev == NULL)
96 timeout_ev = rb_event_addish("timeout_dead_authd_clients", timeout_dead_authd_clients, NULL, 1);
97
98 authd_helper = rb_helper_start("authd", authd_path, parse_authd_reply, restart_authd_cb);
99
100 if(authd_helper == NULL)
101 {
102 ierror("Unable to start authd helper: %s", strerror(errno));
103 sendto_realops_snomask(SNO_GENERAL, L_ALL, "Unable to start authd helper: %s", strerror(errno));
104 return 1;
105 }
106 ilog(L_MAIN, "authd helper started");
107 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd helper started");
108 rb_helper_run(authd_helper);
109 return 0;
110 }
111
112 static void
113 parse_authd_reply(rb_helper * helper)
114 {
115 ssize_t len;
116 int parc;
117 char authdBuf[READBUF_SIZE];
118 char *parv[MAXPARA + 1];
119 long lcid;
120 uint32_t cid;
121 struct Client *client_p;
122
123 while((len = rb_helper_read(helper, authdBuf, sizeof(authdBuf))) > 0)
124 {
125 parc = rb_string_to_array(authdBuf, parv, MAXPARA+1);
126
127 switch (*parv[0])
128 {
129 case 'A': /* Accepted a client */
130 if(parc != 4)
131 {
132 iwarn("authd sent a result with wrong number of arguments: got %d", parc);
133 restart_authd();
134 return;
135 }
136
137 if((lcid = strtol(parv[1], NULL, 16)) > UINT32_MAX || lcid < 0)
138 {
139 iwarn("authd sent us back a bad client ID: %ld", lcid);
140 restart_authd();
141 return;
142 }
143
144 cid = (uint32_t)lcid;
145
146 /* cid to uid (retrieve and delete) */
147 if((client_p = rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(cid))) == NULL)
148 {
149 iwarn("authd sent us back an unknown client ID %x", cid);
150 restart_authd();
151 return;
152 }
153
154 authd_decide_client(client_p, parv[2], parv[3], true, '\0', NULL, NULL);
155 break;
156 case 'R': /* Reject client */
157 if(parc != 7)
158 {
159 iwarn("authd sent us a result with wrong number of arguments: got %d", parc);
160 restart_authd();
161 return;
162 }
163
164 if((lcid = strtol(parv[1], NULL, 16)) > UINT32_MAX || lcid < 0)
165 {
166 iwarn("authd sent us back a bad client ID %ld", lcid);
167 restart_authd();
168 return;
169 }
170
171 cid = (uint32_t)lcid;
172
173 /* cid to uid (retrieve and delete) */
174 if((client_p = rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(cid))) == NULL)
175 {
176 iwarn("authd sent us back an unknown client ID %x", cid);
177 restart_authd();
178 return;
179 }
180
181 authd_decide_client(client_p, parv[3], parv[4], false, toupper(*parv[2]), parv[5], parv[6]);
182 break;
183 case 'N': /* Notice to client */
184 if(parc != 3)
185 {
186 iwarn("authd sent us a result with wrong number of arguments: got %d", parc);
187 restart_authd();
188 return;
189 }
190
191 if((lcid = strtol(parv[1], NULL, 16)) > UINT32_MAX || lcid < 0)
192 {
193 iwarn("authd sent us back a bad client ID %ld", lcid);
194 restart_authd();
195 return;
196 }
197
198 cid = (uint32_t)lcid;
199
200 /* cid to uid */
201 if((client_p = rb_dictionary_retrieve(cid_clients, RB_UINT_TO_POINTER(cid))) == NULL)
202 {
203 iwarn("authd sent us back an unknown client ID %x", cid);
204 restart_authd();
205 return;
206 }
207
208 sendto_one_notice(client_p, ":%s", parv[2]);
209 break;
210 case 'E': /* DNS Result */
211 if(parc != 5)
212 {
213 iwarn("authd sent a result with wrong number of arguments: got %d", parc);
214 restart_authd();
215 return;
216 }
217 dns_results_callback(parv[1], parv[2], parv[3], parv[4]);
218 break;
219 case 'W': /* Oper warning */
220 if(parc != 3)
221 {
222 iwarn("authd sent a result with wrong number of arguments: got %d", parc);
223 restart_authd();
224 return;
225 }
226
227 switch(*parv[2])
228 {
229 case 'D': /* Debug */
230 sendto_realops_snomask(SNO_DEBUG, L_ALL, "authd debug: %s", parv[3]);
231 idebug("authd: %s", parv[3]);
232 break;
233 case 'I': /* Info */
234 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd info: %s", parv[3]);
235 inotice("authd: %s", parv[3]);
236 break;
237 case 'W': /* Warning */
238 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd WARNING: %s", parv[3]);
239 iwarn("authd: %s", parv[3]);
240 break;
241 case 'C': /* Critical (error) */
242 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd CRITICAL: %s", parv[3]);
243 ierror("authd: %s", parv[3]);
244 break;
245 default: /* idk */
246 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd sent us an unknown oper notice type (%s): %s", parv[2], parv[3]);
247 ilog(L_MAIN, "authd unknown oper notice type (%s): %s", parv[2], parv[3]);
248 break;
249 }
250
251 /* NOTREACHED */
252 break;
253 case 'X': /* Stats error */
254 case 'Y': /* Stats reply */
255 case 'Z': /* End of stats reply */
256 if(parc < 3)
257 {
258 iwarn("authd sent a result with wrong number of arguments: got %d", parc);
259 restart_authd();
260 return;
261 }
262
263 /* Select by type */
264 switch(*parv[2])
265 {
266 case 'D':
267 /* parv[0] conveys status */
268 if(parc < 4)
269 {
270 iwarn("authd sent a result with wrong number of arguments: got %d", parc);
271 restart_authd();
272 return;
273 }
274 dns_stats_results_callback(parv[1], parv[0], parc - 3, (const char **)&parv[3]);
275 break;
276 default:
277 break;
278 }
279 break;
280 default:
281 break;
282 }
283 }
284 }
285
286 void
287 init_authd(void)
288 {
289 if(start_authd())
290 {
291 ierror("Unable to start authd helper: %s", strerror(errno));
292 exit(0);
293 }
294 }
295
296 void
297 configure_authd(void)
298 {
299 /* These will do for now */
300 set_authd_timeout("ident_timeout", GlobalSetOptions.ident_timeout);
301 set_authd_timeout("rdns_timeout", ConfigFileEntry.connect_timeout);
302 set_authd_timeout("rbl_timeout", ConfigFileEntry.connect_timeout);
303 ident_check_enable(!ConfigFileEntry.disable_auth);
304 }
305
306 static void
307 restart_authd_cb(rb_helper * helper)
308 {
309 rb_dictionary_iter iter;
310 struct Client *client_p;
311
312 iwarn("authd: restart_authd_cb called, authd died?");
313 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd: restart_authd_cb called, authd died?");
314
315 if(helper != NULL)
316 {
317 rb_helper_close(helper);
318 authd_helper = NULL;
319 }
320
321 RB_DICTIONARY_FOREACH(client_p, &iter, cid_clients)
322 {
323 /* Abort any existing clients */
324 authd_abort_client(client_p);
325 }
326
327 start_authd();
328 }
329
330 void
331 restart_authd(void)
332 {
333 restart_authd_cb(authd_helper);
334 }
335
336 void
337 rehash_authd(void)
338 {
339 rb_helper_write(authd_helper, "R");
340 configure_authd();
341 }
342
343 void
344 check_authd(void)
345 {
346 if(authd_helper == NULL)
347 restart_authd();
348 }
349
350 static inline uint32_t
351 generate_cid(void)
352 {
353 if(++cid == 0)
354 cid = 1;
355
356 return cid;
357 }
358
359 /* Basically when this is called we begin handing off the client to authd for
360 * processing. authd "owns" the client until processing is finished, or we
361 * timeout from authd. authd will make a decision whether or not to accept the
362 * client, but it's up to other parts of the code (for now) to decide if we're
363 * gonna accept the client and ignore authd's suggestion.
364 *
365 * --Elizafox
366 */
367 void
368 authd_initiate_client(struct Client *client_p)
369 {
370 char client_ipaddr[HOSTIPLEN+1];
371 char listen_ipaddr[HOSTIPLEN+1];
372 uint16_t client_port, listen_port;
373 uint32_t authd_cid;
374
375 if(client_p->preClient == NULL || client_p->preClient->authd_cid != 0)
376 return;
377
378 authd_cid = client_p->preClient->authd_cid = generate_cid();
379
380 /* Collisions are extremely unlikely, so disregard the possibility */
381 rb_dictionary_add(cid_clients, RB_UINT_TO_POINTER(authd_cid), client_p);
382
383 /* Retrieve listener and client IP's */
384 rb_inet_ntop_sock((struct sockaddr *)&client_p->preClient->lip, listen_ipaddr, sizeof(listen_ipaddr));
385 rb_inet_ntop_sock((struct sockaddr *)&client_p->localClient->ip, client_ipaddr, sizeof(client_ipaddr));
386
387 /* Retrieve listener and client ports */
388 listen_port = ntohs(GET_SS_PORT(&client_p->preClient->lip));
389 client_port = ntohs(GET_SS_PORT(&client_p->localClient->ip));
390
391 /* Add a bit of a fudge factor... */
392 client_p->preClient->authd_timeout = rb_current_time() + ConfigFileEntry.connect_timeout + 10;
393
394 rb_helper_write(authd_helper, "C %x %s %hu %s %hu", authd_cid, listen_ipaddr, listen_port, client_ipaddr, client_port);
395 }
396
397 /* When this is called we have a decision on client acceptance.
398 *
399 * After this point authd no longer "owns" the client.
400 */
401 void
402 authd_decide_client(struct Client *client_p, const char *ident, const char *host, bool accept, char cause, const char *data, const char *reason)
403 {
404 if(client_p->preClient == NULL || client_p->preClient->authd_cid == 0)
405 return;
406
407 if(*ident != '*')
408 {
409 rb_strlcpy(client_p->username, ident, sizeof(client_p->username));
410 ServerStats.is_abad++; /* s_auth used to do this, stay compatible */
411 }
412 else
413 ServerStats.is_asuc++;
414
415 if(*host != '*')
416 rb_strlcpy(client_p->host, host, sizeof(client_p->host));
417
418 client_p->preClient->authd_accepted = accept;
419 client_p->preClient->authd_cause = cause;
420 client_p->preClient->authd_data = (data == NULL ? NULL : rb_strdup(data));
421 client_p->preClient->authd_reason = (reason == NULL ? NULL : rb_strdup(reason));
422
423 rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(client_p->preClient->authd_cid));
424 client_p->preClient->authd_cid = 0;
425
426 /*
427 * When a client has auth'ed, we want to start reading what it sends
428 * us. This is what read_packet() does.
429 * -- adrian
430 *
431 * Above comment was originally in s_auth.c, but moved here with below code.
432 * --Elizafox
433 */
434 rb_dlinkAddTail(client_p, &client_p->node, &global_client_list);
435 read_packet(client_p->localClient->F, client_p);
436 }
437
438 void
439 authd_abort_client(struct Client *client_p)
440 {
441 if(client_p == NULL || client_p->preClient == NULL)
442 return;
443
444 if(client_p->preClient->authd_cid == 0)
445 return;
446
447 rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(client_p->preClient->authd_cid));
448
449 if(authd_helper != NULL)
450 rb_helper_write(authd_helper, "E %x", client_p->preClient->authd_cid);
451
452 /* XXX should we blindly allow like this? */
453 authd_decide_client(client_p, "*", "*", true, '\0', NULL, NULL);
454
455 client_p->preClient->authd_cid = 0;
456 }
457
458 static void
459 timeout_dead_authd_clients(void *notused __unused)
460 {
461 rb_dictionary_iter iter;
462 struct Client *client_p;
463
464 RB_DICTIONARY_FOREACH(client_p, &iter, cid_clients)
465 {
466 if(client_p->preClient->authd_timeout < rb_current_time())
467 authd_abort_client(client_p);
468 }
469 }
470
471 /* Turn a cause char (who rejected us) into the name of the provider */
472 const char *
473 get_provider_string(char cause)
474 {
475 switch(cause)
476 {
477 case 'B':
478 return "Blacklist";
479 case 'D':
480 return "rDNS";
481 case 'I':
482 return "Ident";
483 default:
484 return "Unknown";
485 }
486 }
487
488 /* Send a new blacklist to authd */
489 void
490 add_blacklist(const char *host, const char *reason, uint8_t iptype, rb_dlink_list *filters)
491 {
492 rb_dlink_node *ptr;
493 struct blacklist_stats *stats = rb_malloc(sizeof(struct blacklist_stats));
494 char filterbuf[BUFSIZE] = "*";
495 size_t s = 0;
496
497 /* Build a list of comma-separated values for authd.
498 * We don't check for validity - do it elsewhere.
499 */
500 RB_DLINK_FOREACH(ptr, filters->head)
501 {
502 char *filter = ptr->data;
503 size_t filterlen = strlen(filter) + 1;
504
505 if(s + filterlen > sizeof(filterbuf))
506 break;
507
508 snprintf(&filterbuf[s], sizeof(filterbuf) - s, "%s,", filter);
509
510 s += filterlen;
511 }
512
513 if(s)
514 filterbuf[s - 1] = '\0';
515
516 stats->iptype = iptype;
517 stats->hits = 0;
518 rb_dictionary_add(bl_stats, host, stats);
519
520 rb_helper_write(authd_helper, "O rbl %s %hhu %s :%s", host, iptype, filterbuf, reason);
521 }
522
523 /* Delete a blacklist */
524 void
525 del_blacklist(const char *host)
526 {
527 rb_dictionary_delete(bl_stats, host);
528
529 rb_helper_write(authd_helper, "O rbl_del %s", host);
530 }
531
532 /* Delete all the blacklists */
533 void
534 del_blacklist_all(void)
535 {
536 struct blacklist_stats *stats;
537 rb_dictionary_iter iter;
538
539 RB_DICTIONARY_FOREACH(stats, &iter, bl_stats)
540 {
541 rb_free(stats);
542 rb_dictionary_delete(bl_stats, iter.cur->key);
543 }
544
545 rb_helper_write(authd_helper, "O rbl_del_all");
546 }
547
548 /* Adjust an authd timeout value */
549 void
550 set_authd_timeout(const char *key, int timeout)
551 {
552 rb_helper_write(authd_helper, "O %s %d", key, timeout);
553 }
554
555 void
556 ident_check_enable(bool enabled)
557 {
558 rb_helper_write(authd_helper, "O ident_enabled %d", enabled ? 1 : 0);
559 }
Fork of solanum ircd, history is rebased regularly