]> jfr.im git - solanum.git/blob - ircd/authproc.c
projects / solanum.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
wsockd: try to flush ircd-side recvq when we call close_conn()
[solanum.git] / ircd / authproc.c
1 /*
2 * authd.c: An interface to authd.
3 * (based somewhat on ircd-ratbox dns.c)
4 *
5 * Copyright (C) 2005 Aaron Sethman <androsyn@ratbox.org>
6 * Copyright (C) 2005-2012 ircd-ratbox development team
7 * Copyright (C) 2016 William Pitcock <nenolod@dereferenced.org>
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
22 * USA
23 */
24
25 #include "stdinc.h"
26 #include "rb_lib.h"
27 #include "client.h"
28 #include "ircd_defs.h"
29 #include "parse.h"
30 #include "authproc.h"
31 #include "match.h"
32 #include "logger.h"
33 #include "s_conf.h"
34 #include "s_stats.h"
35 #include "client.h"
36 #include "packet.h"
37 #include "hash.h"
38 #include "send.h"
39 #include "numeric.h"
40 #include "msg.h"
41 #include "dns.h"
42
43 typedef void (*authd_cb_t)(int, char **);
44
45 struct authd_cb
46 {
47 authd_cb_t fn;
48 int min_parc;
49 };
50
51 static int start_authd(void);
52 static void parse_authd_reply(rb_helper * helper);
53 static void restart_authd_cb(rb_helper * helper);
54 static EVH timeout_dead_authd_clients;
55
56 static void cmd_accept_client(int parc, char **parv);
57 static void cmd_reject_client(int parc, char **parv);
58 static void cmd_dns_result(int parc, char **parv);
59 static void cmd_notice_client(int parc, char **parv);
60 static void cmd_oper_warn(int parc, char **parv);
61 static void cmd_stats_results(int parc, char **parv);
62
63 rb_helper *authd_helper;
64 static char *authd_path;
65
66 uint32_t cid;
67 static rb_dictionary *cid_clients;
68 static struct ev_entry *timeout_ev;
69
70 rb_dictionary *bl_stats;
71
72 static struct authd_cb authd_cmd_tab[256] =
73 {
74 ['A'] = { cmd_accept_client, 4 },
75 ['E'] = { cmd_dns_result, 5 },
76 ['N'] = { cmd_notice_client, 3 },
77 ['R'] = { cmd_reject_client, 7 },
78 ['W'] = { cmd_oper_warn, 3 },
79 ['X'] = { cmd_stats_results, 3 },
80 ['Y'] = { cmd_stats_results, 3 },
81 ['Z'] = { cmd_stats_results, 3 },
82 };
83
84 static int
85 start_authd(void)
86 {
87 char fullpath[PATH_MAX + 1];
88 #ifdef _WIN32
89 const char *suffix = ".exe";
90 #else
91 const char *suffix = "";
92 #endif
93 if(authd_path == NULL)
94 {
95 snprintf(fullpath, sizeof(fullpath), "%s%cauthd%s", ircd_paths[IRCD_PATH_LIBEXEC], RB_PATH_SEPARATOR, suffix);
96
97 if(access(fullpath, X_OK) == -1)
98 {
99 snprintf(fullpath, sizeof(fullpath), "%s%cbin%cauthd%s",
100 ConfigFileEntry.dpath, RB_PATH_SEPARATOR, RB_PATH_SEPARATOR, suffix);
101 if(access(fullpath, X_OK) == -1)
102 {
103 ierror("Unable to execute authd in %s or %s/bin",
104 ircd_paths[IRCD_PATH_LIBEXEC], ConfigFileEntry.dpath);
105 sendto_realops_snomask(SNO_GENERAL, L_ALL,
106 "Unable to execute authd in %s or %s/bin",
107 ircd_paths[IRCD_PATH_LIBEXEC], ConfigFileEntry.dpath);
108 return 1;
109 }
110
111 }
112
113 authd_path = rb_strdup(fullpath);
114 }
115
116 if(cid_clients == NULL)
117 cid_clients = rb_dictionary_create("authd cid to uid mapping", rb_uint32cmp);
118
119 if(bl_stats == NULL)
120 bl_stats = rb_dictionary_create("blacklist statistics", strcasecmp);
121
122 if(timeout_ev == NULL)
123 timeout_ev = rb_event_addish("timeout_dead_authd_clients", timeout_dead_authd_clients, NULL, 1);
124
125 authd_helper = rb_helper_start("authd", authd_path, parse_authd_reply, restart_authd_cb);
126
127 if(authd_helper == NULL)
128 {
129 ierror("Unable to start authd helper: %s", strerror(errno));
130 sendto_realops_snomask(SNO_GENERAL, L_ALL, "Unable to start authd helper: %s", strerror(errno));
131 return 1;
132 }
133 ilog(L_MAIN, "authd helper started");
134 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd helper started");
135 rb_helper_run(authd_helper);
136 return 0;
137 }
138
139 static inline uint32_t
140 str_to_cid(const char *str)
141 {
142 long lcid = strtol(str, NULL, 16);
143
144 if(lcid > UINT32_MAX || lcid <= 0)
145 {
146 iwarn("authd sent us back a bad client ID: %lx", lcid);
147 restart_authd();
148 return 0;
149 }
150
151 return (uint32_t)lcid;
152 }
153
154 static inline struct Client *
155 cid_to_client(uint32_t cid, bool delete)
156 {
157 struct Client *client_p;
158
159 if(delete)
160 client_p = rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(cid));
161 else
162 client_p = rb_dictionary_retrieve(cid_clients, RB_UINT_TO_POINTER(cid));
163
164 /* If the client's not found, that's okay, it may have already gone away.
165 * --Elizafox */
166
167 return client_p;
168 }
169
170 static inline struct Client *
171 str_cid_to_client(const char *str, bool delete)
172 {
173 uint32_t cid = str_to_cid(str);
174
175 if(cid == 0)
176 return NULL;
177
178 return cid_to_client(cid, delete);
179 }
180
181 static void
182 cmd_accept_client(int parc, char **parv)
183 {
184 struct Client *client_p;
185
186 /* cid to uid (retrieve and delete) */
187 if((client_p = str_cid_to_client(parv[1], true)) == NULL)
188 return;
189
190 authd_accept_client(client_p, parv[2], parv[3]);
191 }
192
193 static void
194 cmd_dns_result(int parc, char **parv)
195 {
196 dns_results_callback(parv[1], parv[2], parv[3], parv[4]);
197 }
198
199 static void
200 cmd_notice_client(int parc, char **parv)
201 {
202 struct Client *client_p;
203
204 if((client_p = str_cid_to_client(parv[1], false)) == NULL)
205 return;
206
207 sendto_one_notice(client_p, ":%s", parv[2]);
208 }
209
210 static void
211 cmd_reject_client(int parc, char **parv)
212 {
213 struct Client *client_p;
214
215 /* cid to uid (retrieve and delete) */
216 if((client_p = str_cid_to_client(parv[1], true)) == NULL)
217 return;
218
219 authd_reject_client(client_p, parv[3], parv[4], toupper(*parv[2]), parv[5], parv[6]);
220 }
221
222 static void
223 cmd_oper_warn(int parc, char **parv)
224 {
225 switch(*parv[1])
226 {
227 case 'D': /* Debug */
228 sendto_realops_snomask(SNO_DEBUG, L_ALL, "authd debug: %s", parv[2]);
229 idebug("authd: %s", parv[2]);
230 break;
231 case 'I': /* Info */
232 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd info: %s", parv[2]);
233 inotice("authd: %s", parv[2]);
234 break;
235 case 'W': /* Warning */
236 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd WARNING: %s", parv[2]);
237 iwarn("authd: %s", parv[2]);
238 break;
239 case 'C': /* Critical (error) */
240 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd CRITICAL: %s", parv[2]);
241 ierror("authd: %s", parv[2]);
242 break;
243 default: /* idk */
244 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd sent us an unknown oper notice type (%s): %s", parv[1], parv[2]);
245 ilog(L_MAIN, "authd unknown oper notice type (%s): %s", parv[1], parv[2]);
246 break;
247 }
248 }
249
250 static void
251 cmd_stats_results(int parc, char **parv)
252 {
253 /* Select by type */
254 switch(*parv[2])
255 {
256 case 'D':
257 /* parv[0] conveys status */
258 if(parc < 4)
259 {
260 iwarn("authd sent a result with wrong number of arguments: got %d", parc);
261 restart_authd();
262 return;
263 }
264 dns_stats_results_callback(parv[1], parv[0], parc - 3, (const char **)&parv[3]);
265 break;
266 default:
267 break;
268 }
269 }
270
271 static void
272 parse_authd_reply(rb_helper * helper)
273 {
274 ssize_t len;
275 int parc;
276 char buf[READBUF_SIZE];
277 char *parv[MAXPARA + 1];
278
279 while((len = rb_helper_read(helper, buf, sizeof(buf))) > 0)
280 {
281 struct authd_cb *cmd;
282
283 parc = rb_string_to_array(buf, parv, MAXPARA+1);
284 cmd = &authd_cmd_tab[*parv[0]];
285 if(cmd->fn != NULL)
286 {
287 if(cmd->min_parc > parc)
288 {
289 iwarn("authd sent a result with wrong number of arguments: expected %d, got %d",
290 cmd->min_parc, parc);
291 restart_authd();
292 continue;
293 }
294
295 cmd->fn(parc, parv);
296 }
297 else
298 {
299 iwarn("authd sent us a bad command type: %c", *parv[0]);
300 restart_authd();
301 continue;
302 }
303 }
304 }
305
306 void
307 init_authd(void)
308 {
309 if(start_authd())
310 {
311 ierror("Unable to start authd helper: %s", strerror(errno));
312 exit(0);
313 }
314 }
315
316 void
317 configure_authd(void)
318 {
319 /* These will do for now */
320 set_authd_timeout("ident_timeout", GlobalSetOptions.ident_timeout);
321 set_authd_timeout("rdns_timeout", ConfigFileEntry.connect_timeout);
322 set_authd_timeout("rbl_timeout", ConfigFileEntry.connect_timeout);
323 ident_check_enable(!ConfigFileEntry.disable_auth);
324 }
325
326 static void
327 restart_authd_cb(rb_helper * helper)
328 {
329 rb_dictionary_iter iter;
330 struct Client *client_p;
331
332 iwarn("authd: restart_authd_cb called, authd died?");
333 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd: restart_authd_cb called, authd died?");
334
335 if(helper != NULL)
336 {
337 rb_helper_close(helper);
338 authd_helper = NULL;
339 }
340
341 RB_DICTIONARY_FOREACH(client_p, &iter, cid_clients)
342 {
343 /* Abort any existing clients */
344 authd_abort_client(client_p);
345 }
346
347 start_authd();
348 configure_authd();
349 rehash(false); /* FIXME - needed to reload authd configuration */
350 }
351
352 void
353 restart_authd(void)
354 {
355 restart_authd_cb(authd_helper);
356 }
357
358 void
359 rehash_authd(void)
360 {
361 rb_helper_write(authd_helper, "R");
362 }
363
364 void
365 check_authd(void)
366 {
367 if(authd_helper == NULL)
368 restart_authd();
369 }
370
371 static inline uint32_t
372 generate_cid(void)
373 {
374 if(++cid == 0)
375 cid = 1;
376
377 return cid;
378 }
379
380 /* Basically when this is called we begin handing off the client to authd for
381 * processing. authd "owns" the client until processing is finished, or we
382 * timeout from authd. authd will make a decision whether or not to accept the
383 * client, but it's up to other parts of the code (for now) to decide if we're
384 * gonna accept the client and ignore authd's suggestion.
385 *
386 * --Elizafox
387 */
388 void
389 authd_initiate_client(struct Client *client_p)
390 {
391 char client_ipaddr[HOSTIPLEN+1];
392 char listen_ipaddr[HOSTIPLEN+1];
393 uint16_t client_port, listen_port;
394 uint32_t authd_cid;
395
396 if(client_p->preClient == NULL || client_p->preClient->authd_cid != 0)
397 return;
398
399 authd_cid = client_p->preClient->authd_cid = generate_cid();
400
401 /* Collisions are extremely unlikely, so disregard the possibility */
402 rb_dictionary_add(cid_clients, RB_UINT_TO_POINTER(authd_cid), client_p);
403
404 /* Retrieve listener and client IP's */
405 rb_inet_ntop_sock((struct sockaddr *)&client_p->preClient->lip, listen_ipaddr, sizeof(listen_ipaddr));
406 rb_inet_ntop_sock((struct sockaddr *)&client_p->localClient->ip, client_ipaddr, sizeof(client_ipaddr));
407
408 /* Retrieve listener and client ports */
409 listen_port = ntohs(GET_SS_PORT(&client_p->preClient->lip));
410 client_port = ntohs(GET_SS_PORT(&client_p->localClient->ip));
411
412 /* Add a bit of a fudge factor... */
413 client_p->preClient->authd_timeout = rb_current_time() + ConfigFileEntry.connect_timeout + 10;
414
415 rb_helper_write(authd_helper, "C %x %s %hu %s %hu", authd_cid, listen_ipaddr, listen_port, client_ipaddr, client_port);
416 }
417
418 /* When this is called we have a decision on client acceptance.
419 *
420 * After this point authd no longer "owns" the client.
421 */
422 static inline void
423 authd_decide_client(struct Client *client_p, const char *ident, const char *host, bool accept, char cause, const char *data, const char *reason)
424 {
425 if(client_p->preClient == NULL || client_p->preClient->authd_cid == 0)
426 return;
427
428 if(*ident != '*')
429 {
430 rb_strlcpy(client_p->username, ident, sizeof(client_p->username));
431 ServerStats.is_asuc++;
432 }
433 else
434 ServerStats.is_abad++; /* s_auth used to do this, stay compatible */
435
436 if(*host != '*')
437 rb_strlcpy(client_p->host, host, sizeof(client_p->host));
438
439 rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(client_p->preClient->authd_cid));
440
441 client_p->preClient->authd_accepted = accept;
442 client_p->preClient->authd_cause = cause;
443 client_p->preClient->authd_data = (data == NULL ? NULL : rb_strdup(data));
444 client_p->preClient->authd_reason = (reason == NULL ? NULL : rb_strdup(reason));
445 client_p->preClient->authd_cid = 0;
446
447 /*
448 * When a client has auth'ed, we want to start reading what it sends
449 * us. This is what read_packet() does.
450 * -- adrian
451 *
452 * Above comment was originally in s_auth.c, but moved here with below code.
453 * --Elizafox
454 */
455 rb_dlinkAddTail(client_p, &client_p->node, &global_client_list);
456 read_packet(client_p->localClient->F, client_p);
457 }
458
459 /* Convenience function to accept client */
460 void
461 authd_accept_client(struct Client *client_p, const char *ident, const char *host)
462 {
463 authd_decide_client(client_p, ident, host, true, '\0', NULL, NULL);
464 }
465
466 /* Convenience function to reject client */
467 void
468 authd_reject_client(struct Client *client_p, const char *ident, const char *host, char cause, const char *data, const char *reason)
469 {
470 authd_decide_client(client_p, ident, host, false, cause, data, reason);
471 }
472
473 void
474 authd_abort_client(struct Client *client_p)
475 {
476 if(client_p == NULL || client_p->preClient == NULL)
477 return;
478
479 if(client_p->preClient->authd_cid == 0)
480 return;
481
482 rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(client_p->preClient->authd_cid));
483
484 if(authd_helper != NULL)
485 rb_helper_write(authd_helper, "E %x", client_p->preClient->authd_cid);
486
487 client_p->preClient->authd_accepted = true;
488 client_p->preClient->authd_cid = 0;
489 }
490
491 static void
492 timeout_dead_authd_clients(void *notused __unused)
493 {
494 rb_dictionary_iter iter;
495 struct Client *client_p;
496
497 RB_DICTIONARY_FOREACH(client_p, &iter, cid_clients)
498 {
499 if(client_p->preClient->authd_timeout < rb_current_time())
500 authd_abort_client(client_p);
501 }
502 }
503
504 /* Send a new blacklist to authd */
505 void
506 add_blacklist(const char *host, const char *reason, uint8_t iptype, rb_dlink_list *filters)
507 {
508 rb_dlink_node *ptr;
509 struct blacklist_stats *stats = rb_malloc(sizeof(struct blacklist_stats));
510 char filterbuf[BUFSIZE] = "*";
511 size_t s = 0;
512
513 /* Build a list of comma-separated values for authd.
514 * We don't check for validity - do it elsewhere.
515 */
516 RB_DLINK_FOREACH(ptr, filters->head)
517 {
518 char *filter = ptr->data;
519 size_t filterlen = strlen(filter) + 1;
520
521 if(s + filterlen > sizeof(filterbuf))
522 break;
523
524 snprintf(&filterbuf[s], sizeof(filterbuf) - s, "%s,", filter);
525
526 s += filterlen;
527 }
528
529 if(s)
530 filterbuf[s - 1] = '\0';
531
532 stats->iptype = iptype;
533 stats->hits = 0;
534 rb_dictionary_add(bl_stats, host, stats);
535
536 rb_helper_write(authd_helper, "O rbl %s %hhu %s :%s", host, iptype, filterbuf, reason);
537 }
538
539 /* Delete a blacklist */
540 void
541 del_blacklist(const char *host)
542 {
543 rb_free(rb_dictionary_delete(bl_stats, host));
544
545 rb_helper_write(authd_helper, "O rbl_del %s", host);
546 }
547
548 /* Delete all the blacklists */
549 void
550 del_blacklist_all(void)
551 {
552 struct blacklist_stats *stats;
553 rb_dictionary_iter iter;
554
555 RB_DICTIONARY_FOREACH(stats, &iter, bl_stats)
556 {
557 rb_free(stats);
558 rb_dictionary_delete(bl_stats, iter.cur->key);
559 }
560
561 rb_helper_write(authd_helper, "O rbl_del_all");
562 }
563
564 /* Adjust an authd timeout value */
565 bool
566 set_authd_timeout(const char *key, int timeout)
567 {
568 if(timeout <= 0)
569 return false;
570
571 rb_helper_write(authd_helper, "O %s %d", key, timeout);
572 return true;
573 }
574
575 /* Enable identd checks */
576 void
577 ident_check_enable(bool enabled)
578 {
579 rb_helper_write(authd_helper, "O ident_enabled %d", enabled ? 1 : 0);
580 }
581
582 /* Create an OPM listener */
583 void
584 create_opm_listener(const char *ip, uint16_t port)
585 {
586 char ipbuf[HOSTIPLEN];
587 rb_strlcpy(ipbuf, ip, sizeof(ipbuf));
588 if(ipbuf[0] == ':')
589 {
590 memmove(ipbuf + 1, ipbuf, sizeof(ipbuf) - 1);
591 ipbuf[0] = '0';
592 }
593
594 rb_helper_write(authd_helper, "O opm_listener %s %hu", ipbuf, port);
595 }
596
597 /* Disable all OPM scans */
598 void
599 opm_check_enable(bool enabled)
600 {
601 rb_helper_write(authd_helper, "O opm_enabled %d", enabled ? 1 : 0);
602 }
603
604 /* Create an OPM proxy scanner */
605 void
606 create_opm_proxy_scanner(const char *type, uint16_t port)
607 {
608 rb_helper_write(authd_helper, "O opm_scanner %s %hu", type, port);
609 }
610
611 void
612 delete_opm_proxy_scanner(const char *type, uint16_t port)
613 {
614 rb_helper_write(authd_helper, "O opm_scanner_del %s %hu", type, port);
615 }
616
617 void
618 delete_opm_proxy_scanner_all(void)
619 {
620 rb_helper_write(authd_helper, "O opm_scanner_del_all");
621 }
Fork of solanum ircd, history is rebased regularly