2 * authd.c: An interface to authd.
3 * (based somewhat on ircd-ratbox dns.c)
5 * Copyright (C) 2005 Aaron Sethman <androsyn@ratbox.org>
6 * Copyright (C) 2005-2012 ircd-ratbox development team
7 * Copyright (C) 2016 William Pitcock <nenolod@dereferenced.org>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
28 #include "ircd_defs.h"
43 typedef void (*authd_cb_t
)(int, char **);
51 static int start_authd(void);
52 static void parse_authd_reply(rb_helper
* helper
);
53 static void restart_authd_cb(rb_helper
* helper
);
54 static EVH timeout_dead_authd_clients
;
56 static void cmd_accept_client(int parc
, char **parv
);
57 static void cmd_reject_client(int parc
, char **parv
);
58 static void cmd_dns_result(int parc
, char **parv
);
59 static void cmd_notice_client(int parc
, char **parv
);
60 static void cmd_oper_warn(int parc
, char **parv
);
61 static void cmd_stats_results(int parc
, char **parv
);
63 rb_helper
*authd_helper
;
64 static char *authd_path
;
67 static rb_dictionary
*cid_clients
;
68 static struct ev_entry
*timeout_ev
;
70 rb_dictionary
*bl_stats
;
72 static struct authd_cb authd_cmd_tab
[256] =
74 ['A'] = { cmd_accept_client
, 4 },
75 ['E'] = { cmd_dns_result
, 5 },
76 ['N'] = { cmd_notice_client
, 3 },
77 ['R'] = { cmd_reject_client
, 7 },
78 ['W'] = { cmd_oper_warn
, 3 },
79 ['X'] = { cmd_stats_results
, 3 },
80 ['Y'] = { cmd_stats_results
, 3 },
81 ['Z'] = { cmd_stats_results
, 3 },
87 char fullpath
[PATH_MAX
+ 1];
89 const char *suffix
= ".exe";
91 const char *suffix
= "";
93 if(authd_path
== NULL
)
95 snprintf(fullpath
, sizeof(fullpath
), "%s%cauthd%s", ircd_paths
[IRCD_PATH_LIBEXEC
], RB_PATH_SEPARATOR
, suffix
);
97 if(access(fullpath
, X_OK
) == -1)
99 snprintf(fullpath
, sizeof(fullpath
), "%s%cbin%cauthd%s",
100 ConfigFileEntry
.dpath
, RB_PATH_SEPARATOR
, RB_PATH_SEPARATOR
, suffix
);
101 if(access(fullpath
, X_OK
) == -1)
103 ierror("Unable to execute authd in %s or %s/bin",
104 ircd_paths
[IRCD_PATH_LIBEXEC
], ConfigFileEntry
.dpath
);
105 sendto_realops_snomask(SNO_GENERAL
, L_ALL
,
106 "Unable to execute authd in %s or %s/bin",
107 ircd_paths
[IRCD_PATH_LIBEXEC
], ConfigFileEntry
.dpath
);
113 authd_path
= rb_strdup(fullpath
);
116 if(cid_clients
== NULL
)
117 cid_clients
= rb_dictionary_create("authd cid to uid mapping", rb_uint32cmp
);
120 bl_stats
= rb_dictionary_create("blacklist statistics", rb_strcasecmp
);
122 if(timeout_ev
== NULL
)
123 timeout_ev
= rb_event_addish("timeout_dead_authd_clients", timeout_dead_authd_clients
, NULL
, 1);
125 authd_helper
= rb_helper_start("authd", authd_path
, parse_authd_reply
, restart_authd_cb
);
127 if(authd_helper
== NULL
)
129 ierror("Unable to start authd helper: %s", strerror(errno
));
130 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, "Unable to start authd helper: %s", strerror(errno
));
133 ilog(L_MAIN
, "authd helper started");
134 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, "authd helper started");
135 rb_helper_run(authd_helper
);
139 static inline uint32_t
140 str_to_cid(const char *str
)
142 long lcid
= strtol(str
, NULL
, 16);
144 if(lcid
> UINT32_MAX
|| lcid
<= 0)
146 iwarn("authd sent us back a bad client ID: %lx", lcid
);
151 return (uint32_t)lcid
;
154 static inline struct Client
*
155 cid_to_client(uint32_t cid
, bool delete)
157 struct Client
*client_p
;
160 client_p
= rb_dictionary_delete(cid_clients
, RB_UINT_TO_POINTER(cid
));
162 client_p
= rb_dictionary_retrieve(cid_clients
, RB_UINT_TO_POINTER(cid
));
164 /* If the client's not found, that's okay, it may have already gone away.
170 static inline struct Client
*
171 str_cid_to_client(const char *str
, bool delete)
173 uint32_t cid
= str_to_cid(str
);
178 return cid_to_client(cid
, delete);
182 cmd_accept_client(int parc
, char **parv
)
184 struct Client
*client_p
;
186 /* cid to uid (retrieve and delete) */
187 if((client_p
= str_cid_to_client(parv
[1], true)) == NULL
)
190 authd_accept_client(client_p
, parv
[2], parv
[3]);
194 cmd_dns_result(int parc
, char **parv
)
196 dns_results_callback(parv
[1], parv
[2], parv
[3], parv
[4]);
200 cmd_notice_client(int parc
, char **parv
)
202 struct Client
*client_p
;
204 if((client_p
= str_cid_to_client(parv
[1], false)) == NULL
)
207 sendto_one_notice(client_p
, ":%s", parv
[2]);
211 cmd_reject_client(int parc
, char **parv
)
213 struct Client
*client_p
;
215 /* cid to uid (retrieve and delete) */
216 if((client_p
= str_cid_to_client(parv
[1], true)) == NULL
)
219 authd_reject_client(client_p
, parv
[3], parv
[4], toupper(*parv
[2]), parv
[5], parv
[6]);
223 cmd_oper_warn(int parc
, char **parv
)
227 case 'D': /* Debug */
228 sendto_realops_snomask(SNO_DEBUG
, L_ALL
, "authd debug: %s", parv
[2]);
229 idebug("authd: %s", parv
[2]);
232 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, "authd info: %s", parv
[2]);
233 inotice("authd: %s", parv
[2]);
235 case 'W': /* Warning */
236 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, "authd WARNING: %s", parv
[2]);
237 iwarn("authd: %s", parv
[2]);
239 case 'C': /* Critical (error) */
240 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, "authd CRITICAL: %s", parv
[2]);
241 ierror("authd: %s", parv
[2]);
244 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, "authd sent us an unknown oper notice type (%s): %s", parv
[1], parv
[2]);
245 ilog(L_MAIN
, "authd unknown oper notice type (%s): %s", parv
[1], parv
[2]);
251 cmd_stats_results(int parc
, char **parv
)
257 /* parv[0] conveys status */
260 iwarn("authd sent a result with wrong number of arguments: got %d", parc
);
264 dns_stats_results_callback(parv
[1], parv
[0], parc
- 3, (const char **)&parv
[3]);
272 parse_authd_reply(rb_helper
* helper
)
276 char buf
[READBUF_SIZE
];
277 char *parv
[MAXPARA
+ 1];
279 while((len
= rb_helper_read(helper
, buf
, sizeof(buf
))) > 0)
281 struct authd_cb
*cmd
;
283 parc
= rb_string_to_array(buf
, parv
, MAXPARA
+1);
284 cmd
= &authd_cmd_tab
[*parv
[0]];
287 if(cmd
->min_parc
> parc
)
289 iwarn("authd sent a result with wrong number of arguments: expected %d, got %d",
290 cmd
->min_parc
, parc
);
299 iwarn("authd sent us a bad command type: %c", *parv
[0]);
311 ierror("Unable to start authd helper: %s", strerror(errno
));
317 configure_authd(void)
319 /* These will do for now */
320 set_authd_timeout("ident_timeout", GlobalSetOptions
.ident_timeout
);
321 set_authd_timeout("rdns_timeout", ConfigFileEntry
.connect_timeout
);
322 set_authd_timeout("rbl_timeout", ConfigFileEntry
.connect_timeout
);
323 ident_check_enable(!ConfigFileEntry
.disable_auth
);
327 restart_authd_cb(rb_helper
* helper
)
329 rb_dictionary_iter iter
;
330 struct Client
*client_p
;
332 iwarn("authd: restart_authd_cb called, authd died?");
333 sendto_realops_snomask(SNO_GENERAL
, L_ALL
, "authd: restart_authd_cb called, authd died?");
337 rb_helper_close(helper
);
341 RB_DICTIONARY_FOREACH(client_p
, &iter
, cid_clients
)
343 /* Abort any existing clients */
344 authd_abort_client(client_p
);
349 rehash(false); /* FIXME - needed to reload authd configuration */
355 ierror("authd restarting...");
356 restart_authd_cb(authd_helper
);
362 rb_helper_write(authd_helper
, "R");
368 if(authd_helper
== NULL
)
372 static inline uint32_t
381 /* Basically when this is called we begin handing off the client to authd for
382 * processing. authd "owns" the client until processing is finished, or we
383 * timeout from authd. authd will make a decision whether or not to accept the
384 * client, but it's up to other parts of the code (for now) to decide if we're
385 * gonna accept the client and ignore authd's suggestion.
390 authd_initiate_client(struct Client
*client_p
)
392 char client_ipaddr
[HOSTIPLEN
+1];
393 char listen_ipaddr
[HOSTIPLEN
+1];
394 uint16_t client_port
, listen_port
;
397 if(client_p
->preClient
== NULL
|| client_p
->preClient
->auth
.cid
!= 0)
400 authd_cid
= client_p
->preClient
->auth
.cid
= generate_cid();
402 /* Collisions are extremely unlikely, so disregard the possibility */
403 rb_dictionary_add(cid_clients
, RB_UINT_TO_POINTER(authd_cid
), client_p
);
405 /* Retrieve listener and client IP's */
406 rb_inet_ntop_sock((struct sockaddr
*)&client_p
->preClient
->lip
, listen_ipaddr
, sizeof(listen_ipaddr
));
407 rb_inet_ntop_sock((struct sockaddr
*)&client_p
->localClient
->ip
, client_ipaddr
, sizeof(client_ipaddr
));
409 /* Retrieve listener and client ports */
410 listen_port
= ntohs(GET_SS_PORT(&client_p
->preClient
->lip
));
411 client_port
= ntohs(GET_SS_PORT(&client_p
->localClient
->ip
));
413 /* Add a bit of a fudge factor... */
414 client_p
->preClient
->auth
.timeout
= rb_current_time() + ConfigFileEntry
.connect_timeout
+ 10;
416 rb_helper_write(authd_helper
, "C %x %s %hu %s %hu", authd_cid
, listen_ipaddr
, listen_port
, client_ipaddr
, client_port
);
419 /* When this is called we have a decision on client acceptance.
421 * After this point authd no longer "owns" the client.
424 authd_decide_client(struct Client
*client_p
, const char *ident
, const char *host
, bool accept
, char cause
, const char *data
, const char *reason
)
426 if(client_p
->preClient
== NULL
|| client_p
->preClient
->auth
.cid
== 0)
431 rb_strlcpy(client_p
->username
, ident
, sizeof(client_p
->username
));
432 ServerStats
.is_asuc
++;
435 ServerStats
.is_abad
++; /* s_auth used to do this, stay compatible */
438 rb_strlcpy(client_p
->host
, host
, sizeof(client_p
->host
));
440 rb_dictionary_delete(cid_clients
, RB_UINT_TO_POINTER(client_p
->preClient
->auth
.cid
));
442 client_p
->preClient
->auth
.accepted
= accept
;
443 client_p
->preClient
->auth
.cause
= cause
;
444 client_p
->preClient
->auth
.data
= (data
== NULL
? NULL
: rb_strdup(data
));
445 client_p
->preClient
->auth
.reason
= (reason
== NULL
? NULL
: rb_strdup(reason
));
446 client_p
->preClient
->auth
.cid
= 0;
449 * When a client has auth'ed, we want to start reading what it sends
450 * us. This is what read_packet() does.
453 * Above comment was originally in s_auth.c, but moved here with below code.
456 rb_dlinkAddTail(client_p
, &client_p
->node
, &global_client_list
);
457 read_packet(client_p
->localClient
->F
, client_p
);
460 /* Convenience function to accept client */
462 authd_accept_client(struct Client
*client_p
, const char *ident
, const char *host
)
464 authd_decide_client(client_p
, ident
, host
, true, '\0', NULL
, NULL
);
467 /* Convenience function to reject client */
469 authd_reject_client(struct Client
*client_p
, const char *ident
, const char *host
, char cause
, const char *data
, const char *reason
)
471 authd_decide_client(client_p
, ident
, host
, false, cause
, data
, reason
);
475 authd_abort_client(struct Client
*client_p
)
477 if(client_p
== NULL
|| client_p
->preClient
== NULL
)
480 if(client_p
->preClient
->auth
.cid
== 0)
483 rb_dictionary_delete(cid_clients
, RB_UINT_TO_POINTER(client_p
->preClient
->auth
.cid
));
485 if(authd_helper
!= NULL
)
486 rb_helper_write(authd_helper
, "E %x", client_p
->preClient
->auth
.cid
);
488 client_p
->preClient
->auth
.accepted
= true;
489 client_p
->preClient
->auth
.cid
= 0;
493 timeout_dead_authd_clients(void *notused __unused
)
495 rb_dictionary_iter iter
;
496 struct Client
*client_p
;
498 RB_DICTIONARY_FOREACH(client_p
, &iter
, cid_clients
)
500 if(client_p
->preClient
->auth
.timeout
< rb_current_time())
501 authd_abort_client(client_p
);
505 /* Send a new blacklist to authd */
507 add_blacklist(const char *host
, const char *reason
, uint8_t iptype
, rb_dlink_list
*filters
)
510 struct blacklist_stats
*stats
= rb_malloc(sizeof(struct blacklist_stats
));
511 char filterbuf
[BUFSIZE
] = "*";
514 /* Build a list of comma-separated values for authd.
515 * We don't check for validity - do it elsewhere.
517 RB_DLINK_FOREACH(ptr
, filters
->head
)
519 char *filter
= ptr
->data
;
520 size_t filterlen
= strlen(filter
) + 1;
522 if(s
+ filterlen
> sizeof(filterbuf
))
525 snprintf(&filterbuf
[s
], sizeof(filterbuf
) - s
, "%s,", filter
);
531 filterbuf
[s
- 1] = '\0';
533 stats
->iptype
= iptype
;
535 rb_dictionary_add(bl_stats
, host
, stats
);
537 rb_helper_write(authd_helper
, "O rbl %s %hhu %s :%s", host
, iptype
, filterbuf
, reason
);
540 /* Delete a blacklist */
542 del_blacklist(const char *host
)
544 rb_free(rb_dictionary_delete(bl_stats
, host
));
546 rb_helper_write(authd_helper
, "O rbl_del %s", host
);
549 /* Delete all the blacklists */
551 del_blacklist_all(void)
553 struct blacklist_stats
*stats
;
554 rb_dictionary_iter iter
;
556 RB_DICTIONARY_FOREACH(stats
, &iter
, bl_stats
)
559 rb_dictionary_delete(bl_stats
, iter
.cur
->key
);
562 rb_helper_write(authd_helper
, "O rbl_del_all");
565 /* Adjust an authd timeout value */
567 set_authd_timeout(const char *key
, int timeout
)
572 rb_helper_write(authd_helper
, "O %s %d", key
, timeout
);
576 /* Enable identd checks */
578 ident_check_enable(bool enabled
)
580 rb_helper_write(authd_helper
, "O ident_enabled %d", enabled
? 1 : 0);
583 /* Create an OPM listener */
585 create_opm_listener(const char *ip
, uint16_t port
)
587 char ipbuf
[HOSTIPLEN
];
588 rb_strlcpy(ipbuf
, ip
, sizeof(ipbuf
));
591 memmove(ipbuf
+ 1, ipbuf
, sizeof(ipbuf
) - 1);
595 rb_helper_write(authd_helper
, "O opm_listener %s %hu", ipbuf
, port
);
598 /* Disable all OPM scans */
600 opm_check_enable(bool enabled
)
602 rb_helper_write(authd_helper
, "O opm_enabled %d", enabled
? 1 : 0);
605 /* Create an OPM proxy scanner */
607 create_opm_proxy_scanner(const char *type
, uint16_t port
)
609 rb_helper_write(authd_helper
, "O opm_scanner %s %hu", type
, port
);
613 delete_opm_proxy_scanner(const char *type
, uint16_t port
)
615 rb_helper_write(authd_helper
, "O opm_scanner_del %s %hu", type
, port
);
619 delete_opm_proxy_scanner_all(void)
621 rb_helper_write(authd_helper
, "O opm_scanner_del_all");