ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/ircd-hybrid-7.2/src/s_auth.c
Revision: 33
Committed: Sun Oct 2 20:50:00 2005 UTC (18 years, 6 months ago) by knight
Content type: text/x-csrc
Original Path: ircd-hybrid/src/s_auth.c
File size: 17147 byte(s)
Log Message: 
- svn:keywords

File Contents

# User Rev Content
1 adx 30 /*
2     * ircd-hybrid: an advanced Internet Relay Chat Daemon(ircd).
3     * s_auth.c: Functions for querying a users ident.
4     *
5     * Copyright (C) 2002 by the past and present ircd coders, and others.
6     *
7     * This program is free software; you can redistribute it and/or modify
8     * it under the terms of the GNU General Public License as published by
9     * the Free Software Foundation; either version 2 of the License, or
10     * (at your option) any later version.
11     *
12     * This program is distributed in the hope that it will be useful,
13     * but WITHOUT ANY WARRANTY; without even the implied warranty of
14     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15     * GNU General Public License for more details.
16     *
17     * You should have received a copy of the GNU General Public License
18     * along with this program; if not, write to the Free Software
19     * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
20     * USA
21     *
22 knight 31 * $Id$
23 adx 30 */
24    
25     /*
26     * Changes:
27     * July 6, 1999 - Rewrote most of the code here. When a client connects
28     * to the server and passes initial socket validation checks, it
29     * is owned by this module (auth) which returns it to the rest of the
30     * server when dns and auth queries are finished. Until the client is
31     * released, the server does not know it exists and does not process
32     * any messages from it.
33     * --Bleep Thomas Helvey <tomh@inxpress.net>
34     */
35     #include "stdinc.h"
36     #include "tools.h"
37     #include "list.h"
38     #include "s_auth.h"
39     #include "s_conf.h"
40     #include "client.h"
41     #include "common.h"
42     #include "event.h"
43     #include "fdlist.h" /* fdlist_add */
44     #include "hook.h"
45     #include "irc_string.h"
46     #include "sprintf_irc.h"
47     #include "ircd.h"
48     #include "numeric.h"
49     #include "packet.h"
50     #include "irc_res.h"
51     #include "s_bsd.h"
52     #include "s_log.h"
53     #include "s_stats.h"
54     #include "send.h"
55     #include "memory.h"
56    
57     static const char *HeaderMessages[] = {
58     ":%s NOTICE AUTH :*** Looking up your hostname...",
59     ":%s NOTICE AUTH :*** Found your hostname",
60     ":%s NOTICE AUTH :*** Couldn't look up your hostname",
61     ":%s NOTICE AUTH :*** Checking Ident",
62     ":%s NOTICE AUTH :*** Got Ident response",
63     ":%s NOTICE AUTH :*** No Ident response",
64     ":%s NOTICE AUTH :*** Your forward and reverse DNS do not match, ignoring hostname.",
65     ":%s NOTICE AUTH :*** Your hostname is too long, ignoring hostname"
66     };
67    
68     enum {
69     REPORT_DO_DNS,
70     REPORT_FIN_DNS,
71     REPORT_FAIL_DNS,
72     REPORT_DO_ID,
73     REPORT_FIN_ID,
74     REPORT_FAIL_ID,
75     REPORT_IP_MISMATCH,
76     REPORT_HOST_TOOLONG
77     };
78    
79     #define sendheader(c, i) sendto_one((c), HeaderMessages[(i)], me.name)
80    
81     /*
82     * Ok, the original was confusing.
83     * Now there are two lists, an auth request can be on both at the same time
84     * or only on one or the other.
85     * - Dianora
86     */
87     static dlink_list auth_doing_dns_list = { NULL, NULL, 0 };
88     static dlink_list auth_doing_ident_list = { NULL, NULL, 0 };
89    
90     static EVH timeout_auth_queries_event;
91    
92     static PF read_auth_reply;
93     static CNCB auth_connect_callback;
94     static CBFUNC start_auth;
95    
96     struct Callback *auth_cb = NULL;
97    
98     /* init_auth()
99     *
100     * Initialise the auth code
101     */
102     void
103     init_auth(void)
104     {
105     auth_cb = register_callback("start_auth", start_auth);
106     eventAddIsh("timeout_auth_queries_event", timeout_auth_queries_event, NULL, 1);
107     }
108    
109     /*
110     * make_auth_request - allocate a new auth request
111     */
112     static struct AuthRequest *
113     make_auth_request(struct Client *client)
114     {
115     struct AuthRequest *request = MyMalloc(sizeof(struct AuthRequest));
116    
117     request->client = client;
118     request->timeout = CurrentTime + CONNECTTIMEOUT;
119    
120     return (request);
121     }
122    
123     /*
124     * release_auth_client - release auth client from auth system
125     * this adds the client into the local client lists so it can be read by
126     * the main io processing loop
127     */
128     void
129     release_auth_client(struct Client *client)
130     {
131     /*
132     * When a client has auth'ed, we want to start reading what it sends
133     * us. This is what read_packet() does.
134     * -- adrian
135     */
136     client->localClient->allow_read = MAX_FLOOD;
137     comm_setflush(&client->localClient->fd, 1000, flood_recalc, client);
138     if ((client->node.prev != NULL) || (client->node.next != NULL))
139     {
140     sendto_realops_flags(UMODE_ALL, L_OPER,
141     "already linked %s at %s:%d", client->name,
142     __FILE__, __LINE__);
143     ilog(L_ERROR, "already linked %s at %s:%d", client->name,
144     __FILE__, __LINE__);
145     assert(0==5);
146     }
147     else
148     dlinkAdd(client, &client->node, &global_client_list);
149     read_packet(&client->localClient->fd, client);
150     }
151    
152     /*
153     * auth_dns_callback - called when resolver query finishes
154     * if the query resulted in a successful search, hp will contain
155     * a non-null pointer, otherwise hp will be null.
156     * set the client on it's way to a connection completion, regardless
157     * of success of failure
158     */
159     static void
160     auth_dns_callback(void *vptr, struct DNSReply *reply)
161     {
162     struct AuthRequest *auth = (struct AuthRequest *)vptr;
163    
164     dlinkDelete(&auth->dns_node, &auth_doing_dns_list);
165     ClearDNSPending(auth);
166    
167     if (reply != NULL)
168     {
169     struct sockaddr_in *v4, *v4dns;
170     #ifdef IPV6
171     struct sockaddr_in6 *v6, *v6dns;
172     #endif
173     int good = 1;
174    
175     #ifdef IPV6
176     if (auth->client->localClient->ip.ss.ss_family == AF_INET6)
177     {
178     v6 = (struct sockaddr_in6 *)&auth->client->localClient->ip;
179     v6dns = (struct sockaddr_in6 *)&reply->addr;
180     if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)) != 0)
181     {
182     sendheader(auth->client, REPORT_IP_MISMATCH);
183     good = 0;
184     }
185     }
186     else
187     #endif
188     {
189     v4 = (struct sockaddr_in *)&auth->client->localClient->ip;
190     v4dns = (struct sockaddr_in *)&reply->addr;
191     if(v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
192     {
193     sendheader(auth->client, REPORT_IP_MISMATCH);
194     good = 0;
195     }
196     }
197     if (good && strlen(reply->h_name) <= HOSTLEN)
198     {
199     strlcpy(auth->client->host, reply->h_name,
200     sizeof(auth->client->host));
201     sendheader(auth->client, REPORT_FIN_DNS);
202     }
203     else if (strlen(reply->h_name) > HOSTLEN)
204     sendheader(auth->client, REPORT_HOST_TOOLONG);
205     }
206     else
207     sendheader(auth->client, REPORT_FAIL_DNS);
208    
209     MyFree(auth->client->localClient->dns_query);
210     auth->client->localClient->dns_query = NULL;
211    
212     if (!IsDoingAuth(auth))
213     {
214     struct Client *client_p = auth->client;
215     MyFree(auth);
216     release_auth_client(client_p);
217     }
218     }
219    
220     /*
221     * authsenderr - handle auth send errors
222     */
223     static void
224     auth_error(struct AuthRequest *auth)
225     {
226     ++ServerStats->is_abad;
227    
228     fd_close(&auth->fd);
229    
230     dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
231     ClearAuth(auth);
232    
233     sendheader(auth->client, REPORT_FAIL_ID);
234    
235     if (!IsDNSPending(auth) && !IsCrit(auth))
236     {
237     release_auth_client(auth->client);
238     MyFree(auth);
239     }
240     }
241    
242     /*
243     * start_auth_query - Flag the client to show that an attempt to
244     * contact the ident server on
245     * the client's host. The connect and subsequently the socket are all put
246     * into 'non-blocking' mode. Should the connect or any later phase of the
247     * identifing process fail, it is aborted and the user is given a username
248     * of "unknown".
249     */
250     static int
251     start_auth_query(struct AuthRequest *auth)
252     {
253     struct irc_ssaddr localaddr;
254     socklen_t locallen = sizeof(struct irc_ssaddr);
255     #ifdef IPV6
256     struct sockaddr_in6 *v6;
257     #else
258     struct sockaddr_in *v4;
259     #endif
260    
261     /* open a socket of the same type as the client socket */
262     if (comm_open(&auth->fd, auth->client->localClient->ip.ss.ss_family,
263     SOCK_STREAM, 0, "ident") == -1)
264     {
265     report_error(L_ALL, "creating auth stream socket %s:%s",
266     get_client_name(auth->client, SHOW_IP), errno);
267     ilog(L_ERROR, "Unable to create auth socket for %s",
268     get_client_name(auth->client, SHOW_IP));
269     ++ServerStats->is_abad;
270     return 0;
271     }
272    
273     sendheader(auth->client, REPORT_DO_ID);
274    
275     /*
276     * get the local address of the client and bind to that to
277     * make the auth request. This used to be done only for
278     * ifdef VIRTUAL_HOST, but needs to be done for all clients
279     * since the ident request must originate from that same address--
280     * and machines with multiple IP addresses are common now
281     */
282     memset(&localaddr, 0, locallen);
283     getsockname(auth->client->localClient->fd.fd, (struct sockaddr*)&localaddr,
284     &locallen);
285    
286     #ifdef IPV6
287     remove_ipv6_mapping(&localaddr);
288     v6 = (struct sockaddr_in6 *)&localaddr;
289     v6->sin6_port = htons(0);
290     #else
291     localaddr.ss_len = locallen;
292     v4 = (struct sockaddr_in *)&localaddr;
293     v4->sin_port = htons(0);
294     #endif
295     localaddr.ss_port = htons(0);
296    
297     SetDoingAuth(auth);
298     dlinkAdd(auth, &auth->ident_node, &auth_doing_ident_list);
299    
300     comm_connect_tcp(&auth->fd, auth->client->sockhost, 113,
301     (struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
302     auth, auth->client->localClient->ip.ss.ss_family,
303     GlobalSetOptions.ident_timeout);
304     return 1; /* We suceed here for now */
305     }
306    
307     /*
308     * GetValidIdent - parse ident query reply from identd server
309     *
310     * Inputs - pointer to ident buf
311     * Output - NULL if no valid ident found, otherwise pointer to name
312     * Side effects -
313     */
314     /*
315     * A few questions have been asked about this mess, obviously
316     * it should have been commented better the first time.
317     * The original idea was to remove all references to libc from ircd-hybrid.
318     * Instead of having to write a replacement for sscanf(), I did a
319     * rather gruseome parser here so we could remove this function call.
320     * Note, that I had also removed a few floating point printfs as well (though
321     * now we are still stuck with a few...)
322     * Remember, we have a replacement ircd sprintf, we have bleeps fputs lib
323     * it would have been nice to remove some unneeded code.
324     * Oh well. If we don't remove libc stuff totally, then it would be
325     * far cleaner to use sscanf()
326     *
327     * - Dianora
328     */
329     static char *
330     GetValidIdent(char *buf)
331     {
332     int remp = 0;
333     int locp = 0;
334     char* colon1Ptr;
335     char* colon2Ptr;
336     char* colon3Ptr;
337     char* commaPtr;
338     char* remotePortString;
339    
340     /* All this to get rid of a sscanf() fun. */
341     remotePortString = buf;
342    
343     if ((colon1Ptr = strchr(remotePortString,':')) == NULL)
344     return 0;
345     *colon1Ptr = '\0';
346     colon1Ptr++;
347    
348     if ((colon2Ptr = strchr(colon1Ptr,':')) == NULL)
349     return 0;
350     *colon2Ptr = '\0';
351     colon2Ptr++;
352    
353     if ((commaPtr = strchr(remotePortString, ',')) == NULL)
354     return 0;
355     *commaPtr = '\0';
356     commaPtr++;
357    
358     if ((remp = atoi(remotePortString)) == 0)
359     return 0;
360    
361     if ((locp = atoi(commaPtr)) == 0)
362     return 0;
363    
364     /* look for USERID bordered by first pair of colons */
365     if (strstr(colon1Ptr, "USERID") == NULL)
366     return 0;
367    
368     if ((colon3Ptr = strchr(colon2Ptr,':')) == NULL)
369     return 0;
370     *colon3Ptr = '\0';
371     colon3Ptr++;
372     return (colon3Ptr);
373     }
374    
375     /*
376     * start_auth
377     *
378     * inputs - pointer to client to auth
379     * output - NONE
380     * side effects - starts auth (identd) and dns queries for a client
381     */
382     static void *
383     start_auth(va_list args)
384     {
385     struct Client *client = va_arg(args, struct Client *);
386     struct AuthRequest *auth = NULL;
387    
388     assert(client != NULL);
389    
390     auth = make_auth_request(client);
391     SetCrit(auth);
392    
393     client->localClient->dns_query = MyMalloc(sizeof(struct DNSQuery));
394     client->localClient->dns_query->ptr = auth;
395     client->localClient->dns_query->callback = auth_dns_callback;
396    
397     sendheader(client, REPORT_DO_DNS);
398    
399     if (ConfigFileEntry.disable_auth == 0)
400     start_auth_query(auth);
401    
402     /* auth order changed, before gethost_byaddr can immediately call
403     * dns callback under win32 when the lookup cannot be started.
404     * And that would do MyFree(auth) etc -adx */
405     SetDNSPending(auth);
406     dlinkAdd(auth, &auth->dns_node, &auth_doing_dns_list);
407     ClearCrit(auth);
408     gethost_byaddr(&client->localClient->ip, client->localClient->dns_query);
409    
410     return NULL;
411     }
412    
413     /*
414     * timeout_auth_queries - timeout resolver and identd requests
415     * allow clients through if requests failed
416     */
417     static void
418     timeout_auth_queries_event(void *notused)
419     {
420     dlink_node *ptr;
421     dlink_node *next_ptr;
422     struct AuthRequest* auth;
423    
424     DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_ident_list.head)
425     {
426     auth = ptr->data;
427    
428     if (auth->timeout <= CurrentTime)
429     {
430     fd_close(&auth->fd);
431    
432     ++ServerStats->is_abad;
433     sendheader(auth->client, REPORT_FAIL_ID);
434    
435     if (IsDNSPending(auth))
436     {
437     struct Client *client_p = auth->client;
438    
439     dlinkDelete(&auth->dns_node, &auth_doing_dns_list);
440     if (client_p->localClient->dns_query != NULL)
441     {
442     delete_resolver_queries(client_p->localClient->dns_query);
443     MyFree(client_p->localClient->dns_query);
444     }
445     auth->client->localClient->dns_query = NULL;
446     sendheader(client_p, REPORT_FAIL_DNS);
447     }
448    
449     ilog(L_INFO, "DNS/AUTH timeout %s",
450     get_client_name(auth->client, SHOW_IP));
451    
452     dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
453     release_auth_client(auth->client);
454     MyFree(auth);
455     }
456     }
457     }
458    
459     /*
460     * auth_connect_callback() - deal with the result of comm_connect_tcp()
461     *
462     * If the connection failed, we simply close the auth fd and report
463     * a failure. If the connection suceeded send the ident server a query
464     * giving "theirport , ourport". The write is only attempted *once* so
465     * it is deemed to be a fail if the entire write doesn't write all the
466     * data given. This shouldnt be a problem since the socket should have
467     * a write buffer far greater than this message to store it in should
468     * problems arise. -avalon
469     */
470     static void
471     auth_connect_callback(fde_t *fd, int error, void *data)
472     {
473     struct AuthRequest *auth = data;
474     struct irc_ssaddr us;
475     struct irc_ssaddr them;
476     char authbuf[32];
477     socklen_t ulen = sizeof(struct irc_ssaddr);
478     socklen_t tlen = sizeof(struct irc_ssaddr);
479     u_int16_t uport, tport;
480     #ifdef IPV6
481     struct sockaddr_in6 *v6;
482     #else
483     struct sockaddr_in *v4;
484     #endif
485    
486     if (error != COMM_OK)
487     {
488     auth_error(auth);
489     return;
490     }
491    
492     if (getsockname(auth->client->localClient->fd.fd, (struct sockaddr *) &us,
493     (socklen_t *) &ulen) ||
494     getpeername(auth->client->localClient->fd.fd, (struct sockaddr *) &them,
495     (socklen_t *) &tlen))
496     {
497     ilog(L_INFO, "auth get{sock,peer}name error for %s",
498     get_client_name(auth->client, SHOW_IP));
499     auth_error(auth);
500     return;
501     }
502    
503     #ifdef IPV6
504     v6 = (struct sockaddr_in6 *)&us;
505     uport = ntohs(v6->sin6_port);
506     v6 = (struct sockaddr_in6 *)&them;
507     tport = ntohs(v6->sin6_port);
508     remove_ipv6_mapping(&us);
509     remove_ipv6_mapping(&them);
510     #else
511     v4 = (struct sockaddr_in *)&us;
512     uport = ntohs(v4->sin_port);
513     v4 = (struct sockaddr_in *)&them;
514     tport = ntohs(v4->sin_port);
515     us.ss_len = ulen;
516     them.ss_len = tlen;
517     #endif
518    
519     ircsprintf(authbuf, "%u , %u\r\n", tport, uport);
520    
521     if (send(fd->fd, authbuf, strlen(authbuf), 0) == -1)
522     {
523     auth_error(auth);
524     return;
525     }
526     read_auth_reply(&auth->fd, auth);
527     }
528    
529     /*
530     * read_auth_reply - read the reply (if any) from the ident server
531     * we connected to.
532     * We only give it one shot, if the reply isn't good the first time
533     * fail the authentication entirely. --Bleep
534     */
535     #define AUTH_BUFSIZ 128
536    
537     static void
538     read_auth_reply(fde_t *fd, void *data)
539     {
540     struct AuthRequest *auth = data;
541     char *s = NULL;
542     char *t = NULL;
543     int len;
544     int count;
545     char buf[AUTH_BUFSIZ + 1]; /* buffer to read auth reply into */
546    
547     len = recv(fd->fd, buf, AUTH_BUFSIZ, 0);
548    
549     if (len < 0)
550     {
551     #ifdef _WIN32
552     errno = WSAGetLastError();
553     #endif
554     if (ignoreErrno(errno))
555     comm_setselect(fd, COMM_SELECT_READ, read_auth_reply, auth, 0);
556     else
557     auth_error(auth);
558     return;
559     }
560    
561     if (len > 0)
562     {
563     buf[len] = '\0';
564    
565     if ((s = GetValidIdent(buf)))
566     {
567     t = auth->client->username;
568    
569     while (*s == '~' || *s == '^')
570     s++;
571    
572     for (count = USERLEN; *s && count; s++)
573     {
574     if (*s == '@')
575     break;
576     if (!IsSpace(*s) && *s != ':' && *s != '[')
577     {
578     *t++ = *s;
579     count--;
580     }
581     }
582    
583     *t = '\0';
584     }
585     }
586    
587     fd_close(fd);
588    
589     dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
590     ClearAuth(auth);
591    
592     if (s == NULL)
593     {
594     sendheader(auth->client, REPORT_FAIL_ID);
595     ++ServerStats->is_abad;
596     }
597     else
598     {
599     sendheader(auth->client, REPORT_FIN_ID);
600     ++ServerStats->is_asuc;
601     SetGotId(auth->client);
602     }
603    
604     if (!IsDNSPending(auth) && !IsCrit(auth))
605     {
606     release_auth_client(auth->client);
607     MyFree(auth);
608     }
609     }
610    
611     /*
612     * delete_auth()
613     */
614     void
615     delete_auth(struct Client *target_p)
616     {
617     dlink_node *ptr;
618     dlink_node *next_ptr;
619     struct AuthRequest *auth;
620    
621     if (!IsUnknown(target_p))
622     return;
623    
624     if (target_p->localClient->dns_query != NULL)
625     DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_dns_list.head)
626     {
627     auth = ptr->data;
628    
629     if (auth->client == target_p)
630     {
631     delete_resolver_queries(target_p->localClient->dns_query);
632    
633     dlinkDelete(&auth->dns_node, &auth_doing_dns_list);
634     if (!IsDoingAuth(auth))
635     {
636     MyFree(auth);
637     return;
638     }
639     }
640     }
641    
642     DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_ident_list.head)
643     {
644     auth = ptr->data;
645    
646     if (auth->client == target_p)
647     {
648     fd_close(&auth->fd);
649    
650     dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
651     MyFree(auth);
652     }
653     }
654     }

Properties

Name Value
svn:eol-style native
svn:keywords Id Revision