ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/ircd-hybrid/branches/8.2.x/src/auth.c
Revision: 1156
Committed: Tue Aug 9 20:29:20 2011 UTC (12 years, 8 months ago) by michael
Content type: text/x-csrc
Original Path: ircd-hybrid-8/src/s_auth.c
File size: 15479 byte(s)
Log Message: 
- create ircd-hybrid-8 "branch"

File Contents

# User Rev Content
1 adx 30 /*
2     * ircd-hybrid: an advanced Internet Relay Chat Daemon(ircd).
3     * s_auth.c: Functions for querying a users ident.
4     *
5     * Copyright (C) 2002 by the past and present ircd coders, and others.
6     *
7     * This program is free software; you can redistribute it and/or modify
8     * it under the terms of the GNU General Public License as published by
9     * the Free Software Foundation; either version 2 of the License, or
10     * (at your option) any later version.
11     *
12     * This program is distributed in the hope that it will be useful,
13     * but WITHOUT ANY WARRANTY; without even the implied warranty of
14     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15     * GNU General Public License for more details.
16     *
17     * You should have received a copy of the GNU General Public License
18     * along with this program; if not, write to the Free Software
19     * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
20     * USA
21     *
22 knight 31 * $Id$
23 adx 30 */
24    
25     /*
26     * Changes:
27     * July 6, 1999 - Rewrote most of the code here. When a client connects
28     * to the server and passes initial socket validation checks, it
29     * is owned by this module (auth) which returns it to the rest of the
30     * server when dns and auth queries are finished. Until the client is
31     * released, the server does not know it exists and does not process
32     * any messages from it.
33     * --Bleep Thomas Helvey <tomh@inxpress.net>
34     */
35     #include "stdinc.h"
36     #include "list.h"
37 michael 1011 #include "ircd_defs.h"
38     #include "fdlist.h"
39 adx 30 #include "s_auth.h"
40     #include "s_conf.h"
41 michael 998 #include "balloc.h"
42 adx 30 #include "client.h"
43     #include "common.h"
44     #include "event.h"
45     #include "hook.h"
46     #include "irc_string.h"
47     #include "ircd.h"
48     #include "packet.h"
49     #include "irc_res.h"
50     #include "s_bsd.h"
51     #include "s_log.h"
52     #include "send.h"
53    
54 michael 1011
55 adx 30 static const char *HeaderMessages[] = {
56     ":%s NOTICE AUTH :*** Looking up your hostname...",
57     ":%s NOTICE AUTH :*** Found your hostname",
58     ":%s NOTICE AUTH :*** Couldn't look up your hostname",
59     ":%s NOTICE AUTH :*** Checking Ident",
60     ":%s NOTICE AUTH :*** Got Ident response",
61     ":%s NOTICE AUTH :*** No Ident response",
62     ":%s NOTICE AUTH :*** Your forward and reverse DNS do not match, ignoring hostname.",
63     ":%s NOTICE AUTH :*** Your hostname is too long, ignoring hostname"
64     };
65    
66     enum {
67     REPORT_DO_DNS,
68     REPORT_FIN_DNS,
69     REPORT_FAIL_DNS,
70     REPORT_DO_ID,
71     REPORT_FIN_ID,
72     REPORT_FAIL_ID,
73     REPORT_IP_MISMATCH,
74     REPORT_HOST_TOOLONG
75     };
76    
77     #define sendheader(c, i) sendto_one((c), HeaderMessages[(i)], me.name)
78    
79 michael 998 static BlockHeap *auth_heap = NULL;
80 michael 992 static dlink_list auth_doing_list = { NULL, NULL, 0 };
81 adx 30
82     static EVH timeout_auth_queries_event;
83    
84     static PF read_auth_reply;
85     static CNCB auth_connect_callback;
86     static CBFUNC start_auth;
87    
88     struct Callback *auth_cb = NULL;
89    
90     /* init_auth()
91     *
92     * Initialise the auth code
93     */
94     void
95     init_auth(void)
96     {
97 michael 998 auth_heap = BlockHeapCreate("auth", sizeof(struct AuthRequest), AUTH_HEAP_SIZE);
98 adx 30 auth_cb = register_callback("start_auth", start_auth);
99     eventAddIsh("timeout_auth_queries_event", timeout_auth_queries_event, NULL, 1);
100     }
101    
102     /*
103     * make_auth_request - allocate a new auth request
104     */
105     static struct AuthRequest *
106     make_auth_request(struct Client *client)
107     {
108 michael 998 struct AuthRequest *request = BlockHeapAlloc(auth_heap);
109 adx 30
110 michael 992 client->localClient->auth = request;
111     request->client = client;
112     request->timeout = CurrentTime + CONNECTTIMEOUT;
113 adx 30
114 michael 650 return request;
115 adx 30 }
116    
117     /*
118     * release_auth_client - release auth client from auth system
119     * this adds the client into the local client lists so it can be read by
120     * the main io processing loop
121     */
122     void
123 michael 992 release_auth_client(struct AuthRequest *auth)
124 adx 30 {
125 michael 992 struct Client *client = auth->client;
126    
127     if (IsDoingAuth(auth) || IsDNSPending(auth))
128     return;
129    
130     client->localClient->auth = NULL;
131     dlinkDelete(&auth->node, &auth_doing_list);
132 michael 998 BlockHeapFree(auth_heap, auth);
133 michael 992
134 adx 30 /*
135     * When a client has auth'ed, we want to start reading what it sends
136     * us. This is what read_packet() does.
137     * -- adrian
138     */
139     client->localClient->allow_read = MAX_FLOOD;
140     comm_setflush(&client->localClient->fd, 1000, flood_recalc, client);
141 michael 650
142 michael 992 dlinkAdd(client, &client->node, &global_client_list);
143 michael 650
144 michael 664 client->since = client->lasttime = client->firsttime = CurrentTime;
145     client->flags |= FLAGS_FINISHED_AUTH;
146 michael 650
147 adx 30 read_packet(&client->localClient->fd, client);
148     }
149    
150     /*
151     * auth_dns_callback - called when resolver query finishes
152 michael 998 * if the query resulted in a successful search, name will contain
153     * a non-NULL pointer, otherwise name will be NULL.
154 adx 30 * set the client on it's way to a connection completion, regardless
155     * of success of failure
156     */
157     static void
158 michael 992 auth_dns_callback(void *vptr, const struct irc_ssaddr *addr, const char *name)
159 adx 30 {
160 michael 992 struct AuthRequest *auth = vptr;
161 adx 30
162     ClearDNSPending(auth);
163    
164 michael 992 if (name != NULL)
165 adx 30 {
166 michael 992 const struct sockaddr_in *v4, *v4dns;
167 adx 30 #ifdef IPV6
168 michael 992 const struct sockaddr_in6 *v6, *v6dns;
169 adx 30 #endif
170     int good = 1;
171    
172     #ifdef IPV6
173     if (auth->client->localClient->ip.ss.ss_family == AF_INET6)
174     {
175 michael 992 v6 = (const struct sockaddr_in6 *)&auth->client->localClient->ip;
176     v6dns = (const struct sockaddr_in6 *)addr;
177 adx 30 if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)) != 0)
178     {
179     sendheader(auth->client, REPORT_IP_MISMATCH);
180     good = 0;
181     }
182     }
183     else
184     #endif
185     {
186 michael 992 v4 = (const struct sockaddr_in *)&auth->client->localClient->ip;
187     v4dns = (const struct sockaddr_in *)addr;
188 adx 30 if(v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
189     {
190     sendheader(auth->client, REPORT_IP_MISMATCH);
191     good = 0;
192     }
193     }
194 michael 992 if (good && strlen(name) <= HOSTLEN)
195 adx 30 {
196 michael 992 strlcpy(auth->client->host, name,
197 adx 30 sizeof(auth->client->host));
198     sendheader(auth->client, REPORT_FIN_DNS);
199     }
200 michael 992 else if (strlen(name) > HOSTLEN)
201 adx 30 sendheader(auth->client, REPORT_HOST_TOOLONG);
202     }
203     else
204 michael 992 sendheader(auth->client, REPORT_FAIL_DNS);
205 adx 30
206 michael 992 release_auth_client(auth);
207 adx 30 }
208    
209     /*
210     * authsenderr - handle auth send errors
211     */
212     static void
213     auth_error(struct AuthRequest *auth)
214     {
215 michael 896 ++ServerStats.is_abad;
216 adx 30
217     fd_close(&auth->fd);
218    
219     ClearAuth(auth);
220    
221     sendheader(auth->client, REPORT_FAIL_ID);
222    
223 michael 992 release_auth_client(auth);
224 adx 30 }
225    
226     /*
227     * start_auth_query - Flag the client to show that an attempt to
228     * contact the ident server on
229     * the client's host. The connect and subsequently the socket are all put
230     * into 'non-blocking' mode. Should the connect or any later phase of the
231     * identifing process fail, it is aborted and the user is given a username
232     * of "unknown".
233     */
234     static int
235     start_auth_query(struct AuthRequest *auth)
236     {
237     struct irc_ssaddr localaddr;
238     socklen_t locallen = sizeof(struct irc_ssaddr);
239     #ifdef IPV6
240     struct sockaddr_in6 *v6;
241     #else
242     struct sockaddr_in *v4;
243     #endif
244    
245     /* open a socket of the same type as the client socket */
246     if (comm_open(&auth->fd, auth->client->localClient->ip.ss.ss_family,
247     SOCK_STREAM, 0, "ident") == -1)
248     {
249     report_error(L_ALL, "creating auth stream socket %s:%s",
250     get_client_name(auth->client, SHOW_IP), errno);
251     ilog(L_ERROR, "Unable to create auth socket for %s",
252     get_client_name(auth->client, SHOW_IP));
253 michael 896 ++ServerStats.is_abad;
254 adx 30 return 0;
255     }
256    
257     sendheader(auth->client, REPORT_DO_ID);
258    
259     /*
260     * get the local address of the client and bind to that to
261     * make the auth request. This used to be done only for
262     * ifdef VIRTUAL_HOST, but needs to be done for all clients
263     * since the ident request must originate from that same address--
264     * and machines with multiple IP addresses are common now
265     */
266     memset(&localaddr, 0, locallen);
267     getsockname(auth->client->localClient->fd.fd, (struct sockaddr*)&localaddr,
268     &locallen);
269    
270     #ifdef IPV6
271     remove_ipv6_mapping(&localaddr);
272     v6 = (struct sockaddr_in6 *)&localaddr;
273     v6->sin6_port = htons(0);
274     #else
275     localaddr.ss_len = locallen;
276     v4 = (struct sockaddr_in *)&localaddr;
277     v4->sin_port = htons(0);
278     #endif
279     localaddr.ss_port = htons(0);
280    
281     comm_connect_tcp(&auth->fd, auth->client->sockhost, 113,
282     (struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
283     auth, auth->client->localClient->ip.ss.ss_family,
284     GlobalSetOptions.ident_timeout);
285     return 1; /* We suceed here for now */
286     }
287    
288     /*
289     * GetValidIdent - parse ident query reply from identd server
290     *
291     * Inputs - pointer to ident buf
292     * Output - NULL if no valid ident found, otherwise pointer to name
293     * Side effects -
294     */
295     /*
296     * A few questions have been asked about this mess, obviously
297     * it should have been commented better the first time.
298     * The original idea was to remove all references to libc from ircd-hybrid.
299     * Instead of having to write a replacement for sscanf(), I did a
300     * rather gruseome parser here so we could remove this function call.
301     * Note, that I had also removed a few floating point printfs as well (though
302     * now we are still stuck with a few...)
303     * Remember, we have a replacement ircd sprintf, we have bleeps fputs lib
304     * it would have been nice to remove some unneeded code.
305     * Oh well. If we don't remove libc stuff totally, then it would be
306     * far cleaner to use sscanf()
307     *
308     * - Dianora
309     */
310     static char *
311     GetValidIdent(char *buf)
312     {
313     int remp = 0;
314     int locp = 0;
315     char* colon1Ptr;
316     char* colon2Ptr;
317     char* colon3Ptr;
318     char* commaPtr;
319     char* remotePortString;
320    
321     /* All this to get rid of a sscanf() fun. */
322     remotePortString = buf;
323    
324     if ((colon1Ptr = strchr(remotePortString,':')) == NULL)
325     return 0;
326     *colon1Ptr = '\0';
327     colon1Ptr++;
328    
329     if ((colon2Ptr = strchr(colon1Ptr,':')) == NULL)
330     return 0;
331     *colon2Ptr = '\0';
332     colon2Ptr++;
333    
334     if ((commaPtr = strchr(remotePortString, ',')) == NULL)
335     return 0;
336     *commaPtr = '\0';
337     commaPtr++;
338    
339     if ((remp = atoi(remotePortString)) == 0)
340     return 0;
341    
342     if ((locp = atoi(commaPtr)) == 0)
343     return 0;
344    
345     /* look for USERID bordered by first pair of colons */
346     if (strstr(colon1Ptr, "USERID") == NULL)
347     return 0;
348    
349     if ((colon3Ptr = strchr(colon2Ptr,':')) == NULL)
350     return 0;
351     *colon3Ptr = '\0';
352     colon3Ptr++;
353     return (colon3Ptr);
354     }
355    
356     /*
357     * start_auth
358     *
359     * inputs - pointer to client to auth
360     * output - NONE
361     * side effects - starts auth (identd) and dns queries for a client
362     */
363     static void *
364     start_auth(va_list args)
365     {
366     struct Client *client = va_arg(args, struct Client *);
367     struct AuthRequest *auth = NULL;
368    
369     assert(client != NULL);
370    
371     auth = make_auth_request(client);
372 michael 1000 dlinkAdd(auth, &auth->node, &auth_doing_list);
373 adx 30
374     sendheader(client, REPORT_DO_DNS);
375    
376 michael 992 SetDNSPending(auth);
377    
378 adx 30 if (ConfigFileEntry.disable_auth == 0)
379 michael 992 {
380     SetDoingAuth(auth);
381 adx 30 start_auth_query(auth);
382 michael 992 }
383 adx 30
384 michael 992 gethost_byaddr(auth_dns_callback, auth, &client->localClient->ip);
385    
386 adx 30 return NULL;
387     }
388    
389     /*
390     * timeout_auth_queries - timeout resolver and identd requests
391     * allow clients through if requests failed
392     */
393     static void
394     timeout_auth_queries_event(void *notused)
395     {
396 michael 992 dlink_node *ptr = NULL, *next_ptr = NULL;
397 adx 30
398 michael 992 DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_list.head)
399 adx 30 {
400 michael 992 struct AuthRequest *auth = ptr->data;
401 adx 30
402 michael 992 if (auth->timeout > CurrentTime)
403     continue;
404 adx 30
405 michael 992 if (IsDoingAuth(auth))
406     {
407 michael 896 ++ServerStats.is_abad;
408 michael 1000 fd_close(&auth->fd);
409 michael 998 ClearAuth(auth);
410 adx 30 sendheader(auth->client, REPORT_FAIL_ID);
411 michael 992 }
412 adx 30
413 michael 992 if (IsDNSPending(auth))
414     {
415     delete_resolver_queries(auth);
416 michael 998 ClearDNSPending(auth);
417 michael 992 sendheader(auth->client, REPORT_FAIL_DNS);
418     }
419 adx 30
420 michael 992 ilog(L_INFO, "DNS/AUTH timeout %s",
421     get_client_name(auth->client, SHOW_IP));
422     release_auth_client(auth);
423 adx 30 }
424     }
425    
426     /*
427     * auth_connect_callback() - deal with the result of comm_connect_tcp()
428     *
429     * If the connection failed, we simply close the auth fd and report
430     * a failure. If the connection suceeded send the ident server a query
431     * giving "theirport , ourport". The write is only attempted *once* so
432     * it is deemed to be a fail if the entire write doesn't write all the
433     * data given. This shouldnt be a problem since the socket should have
434     * a write buffer far greater than this message to store it in should
435     * problems arise. -avalon
436     */
437     static void
438     auth_connect_callback(fde_t *fd, int error, void *data)
439     {
440     struct AuthRequest *auth = data;
441     struct irc_ssaddr us;
442     struct irc_ssaddr them;
443     char authbuf[32];
444     socklen_t ulen = sizeof(struct irc_ssaddr);
445     socklen_t tlen = sizeof(struct irc_ssaddr);
446 michael 1032 uint16_t uport, tport;
447 adx 30 #ifdef IPV6
448     struct sockaddr_in6 *v6;
449     #else
450     struct sockaddr_in *v4;
451     #endif
452    
453     if (error != COMM_OK)
454     {
455     auth_error(auth);
456     return;
457     }
458    
459 michael 1013 if (getsockname(auth->client->localClient->fd.fd, (struct sockaddr *)&us,
460     &ulen) ||
461     getpeername(auth->client->localClient->fd.fd, (struct sockaddr *)&them,
462     &tlen))
463 adx 30 {
464     ilog(L_INFO, "auth get{sock,peer}name error for %s",
465     get_client_name(auth->client, SHOW_IP));
466     auth_error(auth);
467     return;
468     }
469    
470     #ifdef IPV6
471     v6 = (struct sockaddr_in6 *)&us;
472     uport = ntohs(v6->sin6_port);
473     v6 = (struct sockaddr_in6 *)&them;
474     tport = ntohs(v6->sin6_port);
475     remove_ipv6_mapping(&us);
476     remove_ipv6_mapping(&them);
477     #else
478     v4 = (struct sockaddr_in *)&us;
479     uport = ntohs(v4->sin_port);
480     v4 = (struct sockaddr_in *)&them;
481     tport = ntohs(v4->sin_port);
482     us.ss_len = ulen;
483     them.ss_len = tlen;
484     #endif
485    
486 michael 1124 snprintf(authbuf, sizeof(authbuf), "%u , %u\r\n", tport, uport);
487 adx 30
488     if (send(fd->fd, authbuf, strlen(authbuf), 0) == -1)
489     {
490     auth_error(auth);
491     return;
492     }
493 michael 696
494 adx 30 read_auth_reply(&auth->fd, auth);
495     }
496    
497     /*
498     * read_auth_reply - read the reply (if any) from the ident server
499     * we connected to.
500     * We only give it one shot, if the reply isn't good the first time
501     * fail the authentication entirely. --Bleep
502     */
503     #define AUTH_BUFSIZ 128
504    
505     static void
506     read_auth_reply(fde_t *fd, void *data)
507     {
508     struct AuthRequest *auth = data;
509     char *s = NULL;
510     char *t = NULL;
511     int len;
512     int count;
513     char buf[AUTH_BUFSIZ + 1]; /* buffer to read auth reply into */
514    
515 nenolod 397 /* Why?
516     * Well, recv() on many POSIX systems is a per-packet operation,
517     * and we do not necessarily want this, because on lowspec machines,
518     * the ident response may come back fragmented, thus resulting in an
519     * invalid ident response, even if the ident response was really OK.
520     *
521     * So PLEASE do not change this code to recv without being aware of the
522     * consequences.
523     *
524     * --nenolod
525     */
526     len = read(fd->fd, buf, AUTH_BUFSIZ);
527 michael 1001
528 adx 30 if (len < 0)
529     {
530     if (ignoreErrno(errno))
531     comm_setselect(fd, COMM_SELECT_READ, read_auth_reply, auth, 0);
532     else
533     auth_error(auth);
534     return;
535     }
536    
537     if (len > 0)
538     {
539     buf[len] = '\0';
540    
541     if ((s = GetValidIdent(buf)))
542     {
543     t = auth->client->username;
544    
545     while (*s == '~' || *s == '^')
546     s++;
547    
548     for (count = USERLEN; *s && count; s++)
549     {
550     if (*s == '@')
551     break;
552     if (!IsSpace(*s) && *s != ':' && *s != '[')
553     {
554     *t++ = *s;
555     count--;
556     }
557     }
558    
559     *t = '\0';
560     }
561     }
562    
563     fd_close(fd);
564    
565     ClearAuth(auth);
566    
567     if (s == NULL)
568     {
569     sendheader(auth->client, REPORT_FAIL_ID);
570 michael 896 ++ServerStats.is_abad;
571 adx 30 }
572     else
573     {
574     sendheader(auth->client, REPORT_FIN_ID);
575 michael 896 ++ServerStats.is_asuc;
576 adx 30 SetGotId(auth->client);
577     }
578    
579 michael 992 release_auth_client(auth);
580 adx 30 }
581    
582     /*
583     * delete_auth()
584     */
585     void
586 michael 992 delete_auth(struct AuthRequest *auth)
587 adx 30 {
588 michael 992 if (IsDNSPending(auth))
589     delete_resolver_queries(auth);
590 adx 30
591 michael 1000 if (IsDoingAuth(auth))
592     fd_close(&auth->fd);
593    
594 michael 992 dlinkDelete(&auth->node, &auth_doing_list);
595 michael 998 BlockHeapFree(auth_heap, auth);
596 adx 30 }

Properties

Name Value
svn:eol-style native
svn:keywords Id Revision