ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/ircd-hybrid-7.2/src/s_auth.c
Revision: 34
Committed: Sun Oct 2 21:05:51 2005 UTC (18 years, 5 months ago) by lusky
Content type: text/x-csrc
File size: 17147 byte(s)
Log Message:
create 7.2 branch, we can move/rename it as needed.


File Contents

# Content
1 /*
2 * ircd-hybrid: an advanced Internet Relay Chat Daemon(ircd).
3 * s_auth.c: Functions for querying a users ident.
4 *
5 * Copyright (C) 2002 by the past and present ircd coders, and others.
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
20 * USA
21 *
22 * $Id$
23 */
24
25 /*
26 * Changes:
27 * July 6, 1999 - Rewrote most of the code here. When a client connects
28 * to the server and passes initial socket validation checks, it
29 * is owned by this module (auth) which returns it to the rest of the
30 * server when dns and auth queries are finished. Until the client is
31 * released, the server does not know it exists and does not process
32 * any messages from it.
33 * --Bleep Thomas Helvey <tomh@inxpress.net>
34 */
35 #include "stdinc.h"
36 #include "tools.h"
37 #include "list.h"
38 #include "s_auth.h"
39 #include "s_conf.h"
40 #include "client.h"
41 #include "common.h"
42 #include "event.h"
43 #include "fdlist.h" /* fdlist_add */
44 #include "hook.h"
45 #include "irc_string.h"
46 #include "sprintf_irc.h"
47 #include "ircd.h"
48 #include "numeric.h"
49 #include "packet.h"
50 #include "irc_res.h"
51 #include "s_bsd.h"
52 #include "s_log.h"
53 #include "s_stats.h"
54 #include "send.h"
55 #include "memory.h"
56
57 static const char *HeaderMessages[] = {
58 ":%s NOTICE AUTH :*** Looking up your hostname...",
59 ":%s NOTICE AUTH :*** Found your hostname",
60 ":%s NOTICE AUTH :*** Couldn't look up your hostname",
61 ":%s NOTICE AUTH :*** Checking Ident",
62 ":%s NOTICE AUTH :*** Got Ident response",
63 ":%s NOTICE AUTH :*** No Ident response",
64 ":%s NOTICE AUTH :*** Your forward and reverse DNS do not match, ignoring hostname.",
65 ":%s NOTICE AUTH :*** Your hostname is too long, ignoring hostname"
66 };
67
68 enum {
69 REPORT_DO_DNS,
70 REPORT_FIN_DNS,
71 REPORT_FAIL_DNS,
72 REPORT_DO_ID,
73 REPORT_FIN_ID,
74 REPORT_FAIL_ID,
75 REPORT_IP_MISMATCH,
76 REPORT_HOST_TOOLONG
77 };
78
79 #define sendheader(c, i) sendto_one((c), HeaderMessages[(i)], me.name)
80
81 /*
82 * Ok, the original was confusing.
83 * Now there are two lists, an auth request can be on both at the same time
84 * or only on one or the other.
85 * - Dianora
86 */
87 static dlink_list auth_doing_dns_list = { NULL, NULL, 0 };
88 static dlink_list auth_doing_ident_list = { NULL, NULL, 0 };
89
90 static EVH timeout_auth_queries_event;
91
92 static PF read_auth_reply;
93 static CNCB auth_connect_callback;
94 static CBFUNC start_auth;
95
96 struct Callback *auth_cb = NULL;
97
98 /* init_auth()
99 *
100 * Initialise the auth code
101 */
102 void
103 init_auth(void)
104 {
105 auth_cb = register_callback("start_auth", start_auth);
106 eventAddIsh("timeout_auth_queries_event", timeout_auth_queries_event, NULL, 1);
107 }
108
109 /*
110 * make_auth_request - allocate a new auth request
111 */
112 static struct AuthRequest *
113 make_auth_request(struct Client *client)
114 {
115 struct AuthRequest *request = MyMalloc(sizeof(struct AuthRequest));
116
117 request->client = client;
118 request->timeout = CurrentTime + CONNECTTIMEOUT;
119
120 return (request);
121 }
122
123 /*
124 * release_auth_client - release auth client from auth system
125 * this adds the client into the local client lists so it can be read by
126 * the main io processing loop
127 */
128 void
129 release_auth_client(struct Client *client)
130 {
131 /*
132 * When a client has auth'ed, we want to start reading what it sends
133 * us. This is what read_packet() does.
134 * -- adrian
135 */
136 client->localClient->allow_read = MAX_FLOOD;
137 comm_setflush(&client->localClient->fd, 1000, flood_recalc, client);
138 if ((client->node.prev != NULL) || (client->node.next != NULL))
139 {
140 sendto_realops_flags(UMODE_ALL, L_OPER,
141 "already linked %s at %s:%d", client->name,
142 __FILE__, __LINE__);
143 ilog(L_ERROR, "already linked %s at %s:%d", client->name,
144 __FILE__, __LINE__);
145 assert(0==5);
146 }
147 else
148 dlinkAdd(client, &client->node, &global_client_list);
149 read_packet(&client->localClient->fd, client);
150 }
151
152 /*
153 * auth_dns_callback - called when resolver query finishes
154 * if the query resulted in a successful search, hp will contain
155 * a non-null pointer, otherwise hp will be null.
156 * set the client on it's way to a connection completion, regardless
157 * of success of failure
158 */
159 static void
160 auth_dns_callback(void *vptr, struct DNSReply *reply)
161 {
162 struct AuthRequest *auth = (struct AuthRequest *)vptr;
163
164 dlinkDelete(&auth->dns_node, &auth_doing_dns_list);
165 ClearDNSPending(auth);
166
167 if (reply != NULL)
168 {
169 struct sockaddr_in *v4, *v4dns;
170 #ifdef IPV6
171 struct sockaddr_in6 *v6, *v6dns;
172 #endif
173 int good = 1;
174
175 #ifdef IPV6
176 if (auth->client->localClient->ip.ss.ss_family == AF_INET6)
177 {
178 v6 = (struct sockaddr_in6 *)&auth->client->localClient->ip;
179 v6dns = (struct sockaddr_in6 *)&reply->addr;
180 if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)) != 0)
181 {
182 sendheader(auth->client, REPORT_IP_MISMATCH);
183 good = 0;
184 }
185 }
186 else
187 #endif
188 {
189 v4 = (struct sockaddr_in *)&auth->client->localClient->ip;
190 v4dns = (struct sockaddr_in *)&reply->addr;
191 if(v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
192 {
193 sendheader(auth->client, REPORT_IP_MISMATCH);
194 good = 0;
195 }
196 }
197 if (good && strlen(reply->h_name) <= HOSTLEN)
198 {
199 strlcpy(auth->client->host, reply->h_name,
200 sizeof(auth->client->host));
201 sendheader(auth->client, REPORT_FIN_DNS);
202 }
203 else if (strlen(reply->h_name) > HOSTLEN)
204 sendheader(auth->client, REPORT_HOST_TOOLONG);
205 }
206 else
207 sendheader(auth->client, REPORT_FAIL_DNS);
208
209 MyFree(auth->client->localClient->dns_query);
210 auth->client->localClient->dns_query = NULL;
211
212 if (!IsDoingAuth(auth))
213 {
214 struct Client *client_p = auth->client;
215 MyFree(auth);
216 release_auth_client(client_p);
217 }
218 }
219
220 /*
221 * authsenderr - handle auth send errors
222 */
223 static void
224 auth_error(struct AuthRequest *auth)
225 {
226 ++ServerStats->is_abad;
227
228 fd_close(&auth->fd);
229
230 dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
231 ClearAuth(auth);
232
233 sendheader(auth->client, REPORT_FAIL_ID);
234
235 if (!IsDNSPending(auth) && !IsCrit(auth))
236 {
237 release_auth_client(auth->client);
238 MyFree(auth);
239 }
240 }
241
242 /*
243 * start_auth_query - Flag the client to show that an attempt to
244 * contact the ident server on
245 * the client's host. The connect and subsequently the socket are all put
246 * into 'non-blocking' mode. Should the connect or any later phase of the
247 * identifing process fail, it is aborted and the user is given a username
248 * of "unknown".
249 */
250 static int
251 start_auth_query(struct AuthRequest *auth)
252 {
253 struct irc_ssaddr localaddr;
254 socklen_t locallen = sizeof(struct irc_ssaddr);
255 #ifdef IPV6
256 struct sockaddr_in6 *v6;
257 #else
258 struct sockaddr_in *v4;
259 #endif
260
261 /* open a socket of the same type as the client socket */
262 if (comm_open(&auth->fd, auth->client->localClient->ip.ss.ss_family,
263 SOCK_STREAM, 0, "ident") == -1)
264 {
265 report_error(L_ALL, "creating auth stream socket %s:%s",
266 get_client_name(auth->client, SHOW_IP), errno);
267 ilog(L_ERROR, "Unable to create auth socket for %s",
268 get_client_name(auth->client, SHOW_IP));
269 ++ServerStats->is_abad;
270 return 0;
271 }
272
273 sendheader(auth->client, REPORT_DO_ID);
274
275 /*
276 * get the local address of the client and bind to that to
277 * make the auth request. This used to be done only for
278 * ifdef VIRTUAL_HOST, but needs to be done for all clients
279 * since the ident request must originate from that same address--
280 * and machines with multiple IP addresses are common now
281 */
282 memset(&localaddr, 0, locallen);
283 getsockname(auth->client->localClient->fd.fd, (struct sockaddr*)&localaddr,
284 &locallen);
285
286 #ifdef IPV6
287 remove_ipv6_mapping(&localaddr);
288 v6 = (struct sockaddr_in6 *)&localaddr;
289 v6->sin6_port = htons(0);
290 #else
291 localaddr.ss_len = locallen;
292 v4 = (struct sockaddr_in *)&localaddr;
293 v4->sin_port = htons(0);
294 #endif
295 localaddr.ss_port = htons(0);
296
297 SetDoingAuth(auth);
298 dlinkAdd(auth, &auth->ident_node, &auth_doing_ident_list);
299
300 comm_connect_tcp(&auth->fd, auth->client->sockhost, 113,
301 (struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
302 auth, auth->client->localClient->ip.ss.ss_family,
303 GlobalSetOptions.ident_timeout);
304 return 1; /* We suceed here for now */
305 }
306
307 /*
308 * GetValidIdent - parse ident query reply from identd server
309 *
310 * Inputs - pointer to ident buf
311 * Output - NULL if no valid ident found, otherwise pointer to name
312 * Side effects -
313 */
314 /*
315 * A few questions have been asked about this mess, obviously
316 * it should have been commented better the first time.
317 * The original idea was to remove all references to libc from ircd-hybrid.
318 * Instead of having to write a replacement for sscanf(), I did a
319 * rather gruseome parser here so we could remove this function call.
320 * Note, that I had also removed a few floating point printfs as well (though
321 * now we are still stuck with a few...)
322 * Remember, we have a replacement ircd sprintf, we have bleeps fputs lib
323 * it would have been nice to remove some unneeded code.
324 * Oh well. If we don't remove libc stuff totally, then it would be
325 * far cleaner to use sscanf()
326 *
327 * - Dianora
328 */
329 static char *
330 GetValidIdent(char *buf)
331 {
332 int remp = 0;
333 int locp = 0;
334 char* colon1Ptr;
335 char* colon2Ptr;
336 char* colon3Ptr;
337 char* commaPtr;
338 char* remotePortString;
339
340 /* All this to get rid of a sscanf() fun. */
341 remotePortString = buf;
342
343 if ((colon1Ptr = strchr(remotePortString,':')) == NULL)
344 return 0;
345 *colon1Ptr = '\0';
346 colon1Ptr++;
347
348 if ((colon2Ptr = strchr(colon1Ptr,':')) == NULL)
349 return 0;
350 *colon2Ptr = '\0';
351 colon2Ptr++;
352
353 if ((commaPtr = strchr(remotePortString, ',')) == NULL)
354 return 0;
355 *commaPtr = '\0';
356 commaPtr++;
357
358 if ((remp = atoi(remotePortString)) == 0)
359 return 0;
360
361 if ((locp = atoi(commaPtr)) == 0)
362 return 0;
363
364 /* look for USERID bordered by first pair of colons */
365 if (strstr(colon1Ptr, "USERID") == NULL)
366 return 0;
367
368 if ((colon3Ptr = strchr(colon2Ptr,':')) == NULL)
369 return 0;
370 *colon3Ptr = '\0';
371 colon3Ptr++;
372 return (colon3Ptr);
373 }
374
375 /*
376 * start_auth
377 *
378 * inputs - pointer to client to auth
379 * output - NONE
380 * side effects - starts auth (identd) and dns queries for a client
381 */
382 static void *
383 start_auth(va_list args)
384 {
385 struct Client *client = va_arg(args, struct Client *);
386 struct AuthRequest *auth = NULL;
387
388 assert(client != NULL);
389
390 auth = make_auth_request(client);
391 SetCrit(auth);
392
393 client->localClient->dns_query = MyMalloc(sizeof(struct DNSQuery));
394 client->localClient->dns_query->ptr = auth;
395 client->localClient->dns_query->callback = auth_dns_callback;
396
397 sendheader(client, REPORT_DO_DNS);
398
399 if (ConfigFileEntry.disable_auth == 0)
400 start_auth_query(auth);
401
402 /* auth order changed, before gethost_byaddr can immediately call
403 * dns callback under win32 when the lookup cannot be started.
404 * And that would do MyFree(auth) etc -adx */
405 SetDNSPending(auth);
406 dlinkAdd(auth, &auth->dns_node, &auth_doing_dns_list);
407 ClearCrit(auth);
408 gethost_byaddr(&client->localClient->ip, client->localClient->dns_query);
409
410 return NULL;
411 }
412
413 /*
414 * timeout_auth_queries - timeout resolver and identd requests
415 * allow clients through if requests failed
416 */
417 static void
418 timeout_auth_queries_event(void *notused)
419 {
420 dlink_node *ptr;
421 dlink_node *next_ptr;
422 struct AuthRequest* auth;
423
424 DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_ident_list.head)
425 {
426 auth = ptr->data;
427
428 if (auth->timeout <= CurrentTime)
429 {
430 fd_close(&auth->fd);
431
432 ++ServerStats->is_abad;
433 sendheader(auth->client, REPORT_FAIL_ID);
434
435 if (IsDNSPending(auth))
436 {
437 struct Client *client_p = auth->client;
438
439 dlinkDelete(&auth->dns_node, &auth_doing_dns_list);
440 if (client_p->localClient->dns_query != NULL)
441 {
442 delete_resolver_queries(client_p->localClient->dns_query);
443 MyFree(client_p->localClient->dns_query);
444 }
445 auth->client->localClient->dns_query = NULL;
446 sendheader(client_p, REPORT_FAIL_DNS);
447 }
448
449 ilog(L_INFO, "DNS/AUTH timeout %s",
450 get_client_name(auth->client, SHOW_IP));
451
452 dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
453 release_auth_client(auth->client);
454 MyFree(auth);
455 }
456 }
457 }
458
459 /*
460 * auth_connect_callback() - deal with the result of comm_connect_tcp()
461 *
462 * If the connection failed, we simply close the auth fd and report
463 * a failure. If the connection suceeded send the ident server a query
464 * giving "theirport , ourport". The write is only attempted *once* so
465 * it is deemed to be a fail if the entire write doesn't write all the
466 * data given. This shouldnt be a problem since the socket should have
467 * a write buffer far greater than this message to store it in should
468 * problems arise. -avalon
469 */
470 static void
471 auth_connect_callback(fde_t *fd, int error, void *data)
472 {
473 struct AuthRequest *auth = data;
474 struct irc_ssaddr us;
475 struct irc_ssaddr them;
476 char authbuf[32];
477 socklen_t ulen = sizeof(struct irc_ssaddr);
478 socklen_t tlen = sizeof(struct irc_ssaddr);
479 u_int16_t uport, tport;
480 #ifdef IPV6
481 struct sockaddr_in6 *v6;
482 #else
483 struct sockaddr_in *v4;
484 #endif
485
486 if (error != COMM_OK)
487 {
488 auth_error(auth);
489 return;
490 }
491
492 if (getsockname(auth->client->localClient->fd.fd, (struct sockaddr *) &us,
493 (socklen_t *) &ulen) ||
494 getpeername(auth->client->localClient->fd.fd, (struct sockaddr *) &them,
495 (socklen_t *) &tlen))
496 {
497 ilog(L_INFO, "auth get{sock,peer}name error for %s",
498 get_client_name(auth->client, SHOW_IP));
499 auth_error(auth);
500 return;
501 }
502
503 #ifdef IPV6
504 v6 = (struct sockaddr_in6 *)&us;
505 uport = ntohs(v6->sin6_port);
506 v6 = (struct sockaddr_in6 *)&them;
507 tport = ntohs(v6->sin6_port);
508 remove_ipv6_mapping(&us);
509 remove_ipv6_mapping(&them);
510 #else
511 v4 = (struct sockaddr_in *)&us;
512 uport = ntohs(v4->sin_port);
513 v4 = (struct sockaddr_in *)&them;
514 tport = ntohs(v4->sin_port);
515 us.ss_len = ulen;
516 them.ss_len = tlen;
517 #endif
518
519 ircsprintf(authbuf, "%u , %u\r\n", tport, uport);
520
521 if (send(fd->fd, authbuf, strlen(authbuf), 0) == -1)
522 {
523 auth_error(auth);
524 return;
525 }
526 read_auth_reply(&auth->fd, auth);
527 }
528
529 /*
530 * read_auth_reply - read the reply (if any) from the ident server
531 * we connected to.
532 * We only give it one shot, if the reply isn't good the first time
533 * fail the authentication entirely. --Bleep
534 */
535 #define AUTH_BUFSIZ 128
536
537 static void
538 read_auth_reply(fde_t *fd, void *data)
539 {
540 struct AuthRequest *auth = data;
541 char *s = NULL;
542 char *t = NULL;
543 int len;
544 int count;
545 char buf[AUTH_BUFSIZ + 1]; /* buffer to read auth reply into */
546
547 len = recv(fd->fd, buf, AUTH_BUFSIZ, 0);
548
549 if (len < 0)
550 {
551 #ifdef _WIN32
552 errno = WSAGetLastError();
553 #endif
554 if (ignoreErrno(errno))
555 comm_setselect(fd, COMM_SELECT_READ, read_auth_reply, auth, 0);
556 else
557 auth_error(auth);
558 return;
559 }
560
561 if (len > 0)
562 {
563 buf[len] = '\0';
564
565 if ((s = GetValidIdent(buf)))
566 {
567 t = auth->client->username;
568
569 while (*s == '~' || *s == '^')
570 s++;
571
572 for (count = USERLEN; *s && count; s++)
573 {
574 if (*s == '@')
575 break;
576 if (!IsSpace(*s) && *s != ':' && *s != '[')
577 {
578 *t++ = *s;
579 count--;
580 }
581 }
582
583 *t = '\0';
584 }
585 }
586
587 fd_close(fd);
588
589 dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
590 ClearAuth(auth);
591
592 if (s == NULL)
593 {
594 sendheader(auth->client, REPORT_FAIL_ID);
595 ++ServerStats->is_abad;
596 }
597 else
598 {
599 sendheader(auth->client, REPORT_FIN_ID);
600 ++ServerStats->is_asuc;
601 SetGotId(auth->client);
602 }
603
604 if (!IsDNSPending(auth) && !IsCrit(auth))
605 {
606 release_auth_client(auth->client);
607 MyFree(auth);
608 }
609 }
610
611 /*
612 * delete_auth()
613 */
614 void
615 delete_auth(struct Client *target_p)
616 {
617 dlink_node *ptr;
618 dlink_node *next_ptr;
619 struct AuthRequest *auth;
620
621 if (!IsUnknown(target_p))
622 return;
623
624 if (target_p->localClient->dns_query != NULL)
625 DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_dns_list.head)
626 {
627 auth = ptr->data;
628
629 if (auth->client == target_p)
630 {
631 delete_resolver_queries(target_p->localClient->dns_query);
632
633 dlinkDelete(&auth->dns_node, &auth_doing_dns_list);
634 if (!IsDoingAuth(auth))
635 {
636 MyFree(auth);
637 return;
638 }
639 }
640 }
641
642 DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_ident_list.head)
643 {
644 auth = ptr->data;
645
646 if (auth->client == target_p)
647 {
648 fd_close(&auth->fd);
649
650 dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
651 MyFree(auth);
652 }
653 }
654 }

Properties

Name Value
svn:eol-style native
svn:keywords Id Revision