]> jfr.im git - solanum.git/blob - ircd/authd.c
projects / solanum.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ircd: integrate ircd side of wsockd support
[solanum.git] / ircd / authd.c
1 /*
2 * authd.c: An interface to authd.
3 * (based somewhat on ircd-ratbox dns.c)
4 *
5 * Copyright (C) 2005 Aaron Sethman <androsyn@ratbox.org>
6 * Copyright (C) 2005-2012 ircd-ratbox development team
7 * Copyright (C) 2016 William Pitcock <nenolod@dereferenced.org>
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
22 * USA
23 */
24
25 #include "stdinc.h"
26 #include "rb_lib.h"
27 #include "client.h"
28 #include "ircd_defs.h"
29 #include "parse.h"
30 #include "authd.h"
31 #include "match.h"
32 #include "logger.h"
33 #include "s_conf.h"
34 #include "s_stats.h"
35 #include "client.h"
36 #include "packet.h"
37 #include "hash.h"
38 #include "send.h"
39 #include "numeric.h"
40 #include "msg.h"
41 #include "dns.h"
42
43 static int start_authd(void);
44 static void parse_authd_reply(rb_helper * helper);
45 static void restart_authd_cb(rb_helper * helper);
46 static EVH timeout_dead_authd_clients;
47
48 rb_helper *authd_helper;
49 static char *authd_path;
50
51 uint32_t cid;
52 static rb_dictionary *cid_clients;
53 static struct ev_entry *timeout_ev;
54
55 rb_dictionary *bl_stats;
56
57 static int
58 start_authd(void)
59 {
60 char fullpath[PATH_MAX + 1];
61 #ifdef _WIN32
62 const char *suffix = ".exe";
63 #else
64 const char *suffix = "";
65 #endif
66 if(authd_path == NULL)
67 {
68 snprintf(fullpath, sizeof(fullpath), "%s%cauthd%s", ircd_paths[IRCD_PATH_LIBEXEC], RB_PATH_SEPARATOR, suffix);
69
70 if(access(fullpath, X_OK) == -1)
71 {
72 snprintf(fullpath, sizeof(fullpath), "%s%cbin%cauthd%s",
73 ConfigFileEntry.dpath, RB_PATH_SEPARATOR, RB_PATH_SEPARATOR, suffix);
74 if(access(fullpath, X_OK) == -1)
75 {
76 ierror("Unable to execute authd in %s or %s/bin",
77 ircd_paths[IRCD_PATH_LIBEXEC], ConfigFileEntry.dpath);
78 sendto_realops_snomask(SNO_GENERAL, L_ALL,
79 "Unable to execute authd in %s or %s/bin",
80 ircd_paths[IRCD_PATH_LIBEXEC], ConfigFileEntry.dpath);
81 return 1;
82 }
83
84 }
85
86 authd_path = rb_strdup(fullpath);
87 }
88
89 if(cid_clients == NULL)
90 cid_clients = rb_dictionary_create("authd cid to uid mapping", rb_uint32cmp);
91
92 if(bl_stats == NULL)
93 bl_stats = rb_dictionary_create("blacklist statistics", strcasecmp);
94
95 if(timeout_ev == NULL)
96 timeout_ev = rb_event_addish("timeout_dead_authd_clients", timeout_dead_authd_clients, NULL, 1);
97
98 authd_helper = rb_helper_start("authd", authd_path, parse_authd_reply, restart_authd_cb);
99
100 if(authd_helper == NULL)
101 {
102 ierror("Unable to start authd helper: %s", strerror(errno));
103 sendto_realops_snomask(SNO_GENERAL, L_ALL, "Unable to start authd helper: %s", strerror(errno));
104 return 1;
105 }
106 ilog(L_MAIN, "authd helper started");
107 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd helper started");
108 rb_helper_run(authd_helper);
109 return 0;
110 }
111
112 static inline uint32_t
113 str_to_cid(const char *str)
114 {
115 long lcid = strtol(str, NULL, 16);
116
117 if(lcid > UINT32_MAX || lcid <= 0)
118 {
119 iwarn("authd sent us back a bad client ID: %lx", lcid);
120 restart_authd();
121 return 0;
122 }
123
124 return (uint32_t)lcid;
125 }
126
127 static inline struct Client *
128 cid_to_client(uint32_t cid, bool delete)
129 {
130 struct Client *client_p;
131
132 if(delete)
133 client_p = rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(cid));
134 else
135 client_p = rb_dictionary_retrieve(cid_clients, RB_UINT_TO_POINTER(cid));
136
137 if(client_p == NULL)
138 {
139 iwarn("authd sent us back a bad client ID: %ux", cid);
140 restart_authd();
141 return NULL;
142 }
143
144 return client_p;
145 }
146
147 static inline struct Client *
148 str_cid_to_client(const char *str, bool delete)
149 {
150 uint32_t cid = str_to_cid(str);
151
152 if(cid == 0)
153 return NULL;
154
155 return cid_to_client(cid, delete);
156 }
157
158 static void
159 parse_authd_reply(rb_helper * helper)
160 {
161 ssize_t len;
162 int parc;
163 char authdBuf[READBUF_SIZE];
164 char *parv[MAXPARA + 1];
165 struct Client *client_p;
166
167 while((len = rb_helper_read(helper, authdBuf, sizeof(authdBuf))) > 0)
168 {
169 parc = rb_string_to_array(authdBuf, parv, MAXPARA+1);
170
171 switch (*parv[0])
172 {
173 case 'A': /* Accepted a client */
174 if(parc != 4)
175 {
176 iwarn("authd sent a result with wrong number of arguments: got %d", parc);
177 restart_authd();
178 return;
179 }
180
181 /* cid to uid (retrieve and delete) */
182 if((client_p = str_cid_to_client(parv[1], true)) == NULL)
183 return;
184
185 authd_accept_client(client_p, parv[2], parv[3]);
186 break;
187 case 'R': /* Reject client */
188 if(parc != 7)
189 {
190 iwarn("authd sent us a result with wrong number of arguments: got %d", parc);
191 restart_authd();
192 return;
193 }
194
195 /* cid to uid (retrieve and delete) */
196 if((client_p = str_cid_to_client(parv[1], true)) == NULL)
197 return;
198
199 authd_reject_client(client_p, parv[3], parv[4], toupper(*parv[2]), parv[5], parv[6]);
200 break;
201 case 'N': /* Notice to client */
202 if(parc != 3)
203 {
204 iwarn("authd sent us a result with wrong number of arguments: got %d", parc);
205 restart_authd();
206 return;
207 }
208
209 if((client_p = str_cid_to_client(parv[1], false)) == NULL)
210 return;
211
212 sendto_one_notice(client_p, ":%s", parv[2]);
213 break;
214 case 'E': /* DNS Result */
215 if(parc != 5)
216 {
217 iwarn("authd sent a result with wrong number of arguments: got %d", parc);
218 restart_authd();
219 return;
220 }
221
222 dns_results_callback(parv[1], parv[2], parv[3], parv[4]);
223 break;
224 case 'W': /* Oper warning */
225 if(parc != 3)
226 {
227 iwarn("authd sent a result with wrong number of arguments: got %d", parc);
228 restart_authd();
229 return;
230 }
231
232 switch(*parv[2])
233 {
234 case 'D': /* Debug */
235 sendto_realops_snomask(SNO_DEBUG, L_ALL, "authd debug: %s", parv[3]);
236 idebug("authd: %s", parv[3]);
237 break;
238 case 'I': /* Info */
239 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd info: %s", parv[3]);
240 inotice("authd: %s", parv[3]);
241 break;
242 case 'W': /* Warning */
243 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd WARNING: %s", parv[3]);
244 iwarn("authd: %s", parv[3]);
245 break;
246 case 'C': /* Critical (error) */
247 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd CRITICAL: %s", parv[3]);
248 ierror("authd: %s", parv[3]);
249 break;
250 default: /* idk */
251 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd sent us an unknown oper notice type (%s): %s", parv[2], parv[3]);
252 ilog(L_MAIN, "authd unknown oper notice type (%s): %s", parv[2], parv[3]);
253 break;
254 }
255
256 /* NOTREACHED */
257 break;
258 case 'X': /* Stats error */
259 case 'Y': /* Stats reply */
260 case 'Z': /* End of stats reply */
261 if(parc < 3)
262 {
263 iwarn("authd sent a result with wrong number of arguments: got %d", parc);
264 restart_authd();
265 return;
266 }
267
268 /* Select by type */
269 switch(*parv[2])
270 {
271 case 'D':
272 /* parv[0] conveys status */
273 if(parc < 4)
274 {
275 iwarn("authd sent a result with wrong number of arguments: got %d", parc);
276 restart_authd();
277 return;
278 }
279 dns_stats_results_callback(parv[1], parv[0], parc - 3, (const char **)&parv[3]);
280 break;
281 default:
282 break;
283 }
284 break;
285 default:
286 break;
287 }
288 }
289 }
290
291 void
292 init_authd(void)
293 {
294 if(start_authd())
295 {
296 ierror("Unable to start authd helper: %s", strerror(errno));
297 exit(0);
298 }
299 }
300
301 void
302 configure_authd(void)
303 {
304 /* These will do for now */
305 set_authd_timeout("ident_timeout", GlobalSetOptions.ident_timeout);
306 set_authd_timeout("rdns_timeout", ConfigFileEntry.connect_timeout);
307 set_authd_timeout("rbl_timeout", ConfigFileEntry.connect_timeout);
308 ident_check_enable(!ConfigFileEntry.disable_auth);
309 }
310
311 static void
312 restart_authd_cb(rb_helper * helper)
313 {
314 rb_dictionary_iter iter;
315 struct Client *client_p;
316
317 iwarn("authd: restart_authd_cb called, authd died?");
318 sendto_realops_snomask(SNO_GENERAL, L_ALL, "authd: restart_authd_cb called, authd died?");
319
320 if(helper != NULL)
321 {
322 rb_helper_close(helper);
323 authd_helper = NULL;
324 }
325
326 RB_DICTIONARY_FOREACH(client_p, &iter, cid_clients)
327 {
328 /* Abort any existing clients */
329 authd_abort_client(client_p);
330 }
331
332 start_authd();
333 }
334
335 void
336 restart_authd(void)
337 {
338 restart_authd_cb(authd_helper);
339 }
340
341 void
342 rehash_authd(void)
343 {
344 rb_helper_write(authd_helper, "R");
345 configure_authd();
346 }
347
348 void
349 check_authd(void)
350 {
351 if(authd_helper == NULL)
352 restart_authd();
353 }
354
355 static inline uint32_t
356 generate_cid(void)
357 {
358 if(++cid == 0)
359 cid = 1;
360
361 return cid;
362 }
363
364 /* Basically when this is called we begin handing off the client to authd for
365 * processing. authd "owns" the client until processing is finished, or we
366 * timeout from authd. authd will make a decision whether or not to accept the
367 * client, but it's up to other parts of the code (for now) to decide if we're
368 * gonna accept the client and ignore authd's suggestion.
369 *
370 * --Elizafox
371 */
372 void
373 authd_initiate_client(struct Client *client_p)
374 {
375 char client_ipaddr[HOSTIPLEN+1];
376 char listen_ipaddr[HOSTIPLEN+1];
377 uint16_t client_port, listen_port;
378 uint32_t authd_cid;
379
380 if(client_p->preClient == NULL || client_p->preClient->authd_cid != 0)
381 return;
382
383 authd_cid = client_p->preClient->authd_cid = generate_cid();
384
385 /* Collisions are extremely unlikely, so disregard the possibility */
386 rb_dictionary_add(cid_clients, RB_UINT_TO_POINTER(authd_cid), client_p);
387
388 /* Retrieve listener and client IP's */
389 rb_inet_ntop_sock((struct sockaddr *)&client_p->preClient->lip, listen_ipaddr, sizeof(listen_ipaddr));
390 rb_inet_ntop_sock((struct sockaddr *)&client_p->localClient->ip, client_ipaddr, sizeof(client_ipaddr));
391
392 /* Retrieve listener and client ports */
393 listen_port = ntohs(GET_SS_PORT(&client_p->preClient->lip));
394 client_port = ntohs(GET_SS_PORT(&client_p->localClient->ip));
395
396 /* Add a bit of a fudge factor... */
397 client_p->preClient->authd_timeout = rb_current_time() + ConfigFileEntry.connect_timeout + 10;
398
399 rb_helper_write(authd_helper, "C %x %s %hu %s %hu", authd_cid, listen_ipaddr, listen_port, client_ipaddr, client_port);
400 }
401
402 /* When this is called we have a decision on client acceptance.
403 *
404 * After this point authd no longer "owns" the client.
405 */
406 static inline void
407 authd_decide_client(struct Client *client_p, const char *ident, const char *host, bool accept, char cause, const char *data, const char *reason)
408 {
409 if(client_p->preClient == NULL || client_p->preClient->authd_cid == 0)
410 return;
411
412 if(*ident != '*')
413 {
414 rb_strlcpy(client_p->username, ident, sizeof(client_p->username));
415 ServerStats.is_asuc++;
416 }
417 else
418 ServerStats.is_abad++; /* s_auth used to do this, stay compatible */
419
420 if(*host != '*')
421 rb_strlcpy(client_p->host, host, sizeof(client_p->host));
422
423 client_p->preClient->authd_accepted = accept;
424 client_p->preClient->authd_cause = cause;
425 client_p->preClient->authd_data = (data == NULL ? NULL : rb_strdup(data));
426 client_p->preClient->authd_reason = (reason == NULL ? NULL : rb_strdup(reason));
427
428 rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(client_p->preClient->authd_cid));
429 client_p->preClient->authd_cid = 0;
430
431 /*
432 * When a client has auth'ed, we want to start reading what it sends
433 * us. This is what read_packet() does.
434 * -- adrian
435 *
436 * Above comment was originally in s_auth.c, but moved here with below code.
437 * --Elizafox
438 */
439 rb_dlinkAddTail(client_p, &client_p->node, &global_client_list);
440 read_packet(client_p->localClient->F, client_p);
441 }
442
443 /* Convenience function to accept client */
444 void
445 authd_accept_client(struct Client *client_p, const char *ident, const char *host)
446 {
447 authd_decide_client(client_p, ident, host, true, '\0', NULL, NULL);
448 }
449
450 /* Convenience function to reject client */
451 void
452 authd_reject_client(struct Client *client_p, const char *ident, const char *host, char cause, const char *data, const char *reason)
453 {
454 authd_decide_client(client_p, ident, host, false, cause, data, reason);
455 }
456
457 void
458 authd_abort_client(struct Client *client_p)
459 {
460 if(client_p == NULL || client_p->preClient == NULL)
461 return;
462
463 if(client_p->preClient->authd_cid == 0)
464 return;
465
466 rb_dictionary_delete(cid_clients, RB_UINT_TO_POINTER(client_p->preClient->authd_cid));
467
468 if(authd_helper != NULL)
469 rb_helper_write(authd_helper, "E %x", client_p->preClient->authd_cid);
470
471 /* XXX should we blindly allow like this? */
472 authd_accept_client(client_p, "*", "*");
473 client_p->preClient->authd_cid = 0;
474 }
475
476 static void
477 timeout_dead_authd_clients(void *notused __unused)
478 {
479 rb_dictionary_iter iter;
480 struct Client *client_p;
481
482 RB_DICTIONARY_FOREACH(client_p, &iter, cid_clients)
483 {
484 if(client_p->preClient->authd_timeout < rb_current_time())
485 authd_abort_client(client_p);
486 }
487 }
488
489 /* Turn a cause char (who rejected us) into the name of the provider */
490 const char *
491 get_provider_string(char cause)
492 {
493 switch(cause)
494 {
495 case 'B':
496 return "Blacklist";
497 case 'D':
498 return "rDNS";
499 case 'I':
500 return "Ident";
501 default:
502 return "Unknown";
503 }
504 }
505
506 /* Send a new blacklist to authd */
507 void
508 add_blacklist(const char *host, const char *reason, uint8_t iptype, rb_dlink_list *filters)
509 {
510 rb_dlink_node *ptr;
511 struct blacklist_stats *stats = rb_malloc(sizeof(struct blacklist_stats));
512 char filterbuf[BUFSIZE] = "*";
513 size_t s = 0;
514
515 /* Build a list of comma-separated values for authd.
516 * We don't check for validity - do it elsewhere.
517 */
518 RB_DLINK_FOREACH(ptr, filters->head)
519 {
520 char *filter = ptr->data;
521 size_t filterlen = strlen(filter) + 1;
522
523 if(s + filterlen > sizeof(filterbuf))
524 break;
525
526 snprintf(&filterbuf[s], sizeof(filterbuf) - s, "%s,", filter);
527
528 s += filterlen;
529 }
530
531 if(s)
532 filterbuf[s - 1] = '\0';
533
534 stats->iptype = iptype;
535 stats->hits = 0;
536 rb_dictionary_add(bl_stats, host, stats);
537
538 rb_helper_write(authd_helper, "O rbl %s %hhu %s :%s", host, iptype, filterbuf, reason);
539 }
540
541 /* Delete a blacklist */
542 void
543 del_blacklist(const char *host)
544 {
545 rb_dictionary_delete(bl_stats, host);
546
547 rb_helper_write(authd_helper, "O rbl_del %s", host);
548 }
549
550 /* Delete all the blacklists */
551 void
552 del_blacklist_all(void)
553 {
554 struct blacklist_stats *stats;
555 rb_dictionary_iter iter;
556
557 RB_DICTIONARY_FOREACH(stats, &iter, bl_stats)
558 {
559 rb_free(stats);
560 rb_dictionary_delete(bl_stats, iter.cur->key);
561 }
562
563 rb_helper_write(authd_helper, "O rbl_del_all");
564 }
565
566 /* Adjust an authd timeout value */
567 bool
568 set_authd_timeout(const char *key, int timeout)
569 {
570 if(timeout <= 0)
571 return false;
572
573 rb_helper_write(authd_helper, "O %s %d", key, timeout);
574 return true;
575 }
576
577 /* Enable identd checks */
578 void
579 ident_check_enable(bool enabled)
580 {
581 rb_helper_write(authd_helper, "O ident_enabled %d", enabled ? 1 : 0);
582 }
583
584 /* Create an OPM listener */
585 void
586 create_opm_listener(const char *ip, uint16_t port)
587 {
588 rb_helper_write(authd_helper, "O opm_listener %s %hu", ip, port);
589 }
590
591 /* Disable all OPM scans */
592 void
593 opm_check_enable(bool enabled)
594 {
595 rb_helper_write(authd_helper, "O opm_enable %d", enabled ? 1 : 0);
596 }
597
598 /* Create an OPM proxy scanner */
599 void
600 create_opm_proxy_scanner(const char *type, uint16_t port)
601 {
602 rb_helper_write(authd_helper, "O opm_scanner %s %hu", type, port);
603 }
Fork of solanum ircd, history is rebased regularly