/[svn]/ircd-hybrid/branches/8.2.x/src/auth.c
ViewVC logotype

Contents of /ircd-hybrid/branches/8.2.x/src/auth.c

Parent Directory Parent Directory | Revision Log Revision Log


Revision 4697 - (show annotations)
Fri Oct 3 15:23:34 2014 UTC (5 years, 9 months ago) by michael
File MIME type: text/x-chdr
File size: 14143 byte(s)
- auth.c:timeout_auth_queries_event(): removed logging

1 /*
2 * ircd-hybrid: an advanced, lightweight Internet Relay Chat Daemon (ircd)
3 *
4 * Copyright (c) 1997-2014 ircd-hybrid development team
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
19 * USA
20 */
21
22 /*! \file auth.c
23 * \brief Functions for querying a users ident.
24 * \version $Id$
25 */
26
27 /*
28 * Changes:
29 * July 6, 1999 - Rewrote most of the code here. When a client connects
30 * to the server and passes initial socket validation checks, it
31 * is owned by this module (auth) which returns it to the rest of the
32 * server when dns and auth queries are finished. Until the client is
33 * released, the server does not know it exists and does not process
34 * any messages from it.
35 * --Bleep Thomas Helvey <tomh@inxpress.net>
36 */
37
38 #include "stdinc.h"
39 #include "list.h"
40 #include "ircd_defs.h"
41 #include "fdlist.h"
42 #include "auth.h"
43 #include "conf.h"
44 #include "client.h"
45 #include "event.h"
46 #include "irc_string.h"
47 #include "ircd.h"
48 #include "packet.h"
49 #include "res.h"
50 #include "s_bsd.h"
51 #include "log.h"
52 #include "send.h"
53 #include "mempool.h"
54
55
56 static const char *const HeaderMessages[] =
57 {
58 ":*** Looking up your hostname",
59 ":*** Found your hostname",
60 ":*** Couldn't look up your hostname",
61 ":*** Checking Ident",
62 ":*** Got Ident response",
63 ":*** No Ident response",
64 ":*** Your forward and reverse DNS do not match, ignoring hostname",
65 ":*** Your hostname is too long, ignoring hostname"
66 };
67
68 enum
69 {
70 REPORT_DO_DNS,
71 REPORT_FIN_DNS,
72 REPORT_FAIL_DNS,
73 REPORT_DO_ID,
74 REPORT_FIN_ID,
75 REPORT_FAIL_ID,
76 REPORT_IP_MISMATCH,
77 REPORT_HOST_TOOLONG
78 };
79
80 #define sendheader(c, i) sendto_one_notice((c), &me, HeaderMessages[(i)])
81
82 static dlink_list auth_pending_list;
83 static void read_auth_reply(fde_t *, void *);
84 static void auth_connect_callback(fde_t *, int, void *);
85
86
87 /*
88 * make_auth_request - allocate a new auth request
89 */
90 static struct AuthRequest *
91 make_auth_request(struct Client *client)
92 {
93 struct AuthRequest *request = &client->connection->auth;
94
95 memset(request, 0, sizeof(*request));
96
97 request->client = client;
98 request->timeout = CurrentTime + CONNECTTIMEOUT;
99
100 return request;
101 }
102
103 /*
104 * release_auth_client - release auth client from auth system
105 * this adds the client into the local client lists so it can be read by
106 * the main io processing loop
107 */
108 void
109 release_auth_client(struct AuthRequest *auth)
110 {
111 struct Client *client = auth->client;
112
113 if (IsDoingAuth(auth) || IsDNSPending(auth))
114 return;
115
116 if (IsInAuth(auth))
117 {
118 dlinkDelete(&auth->node, &auth_pending_list);
119 ClearInAuth(auth);
120 }
121
122 /*
123 * When a client has auth'ed, we want to start reading what it sends
124 * us. This is what read_packet() does.
125 * -- adrian
126 */
127 client->connection->allow_read = MAX_FLOOD;
128 comm_setflush(&client->connection->fd, 1000, flood_recalc, client);
129
130 client->connection->since = CurrentTime;
131 client->connection->lasttime = CurrentTime;
132 client->connection->firsttime = CurrentTime;
133 client->flags |= FLAGS_FINISHED_AUTH;
134
135 read_packet(&client->connection->fd, client);
136 }
137
138 /*
139 * auth_dns_callback - called when resolver query finishes
140 * if the query resulted in a successful search, name will contain
141 * a non-NULL pointer, otherwise name will be NULL.
142 * set the client on it's way to a connection completion, regardless
143 * of success of failure
144 */
145 static void
146 auth_dns_callback(void *vptr, const struct irc_ssaddr *addr, const char *name, size_t namelength)
147 {
148 struct AuthRequest *auth = vptr;
149
150 ClearDNSPending(auth);
151
152 if (!EmptyString(name))
153 {
154 const struct sockaddr_in *v4, *v4dns;
155 const struct sockaddr_in6 *v6, *v6dns;
156
157 if (auth->client->connection->ip.ss.ss_family == AF_INET6)
158 {
159 v6 = (const struct sockaddr_in6 *)&auth->client->connection->ip;
160 v6dns = (const struct sockaddr_in6 *)addr;
161
162 if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)) != 0)
163 {
164 sendheader(auth->client, REPORT_IP_MISMATCH);
165 release_auth_client(auth);
166 return;
167 }
168 }
169 else
170 {
171 v4 = (const struct sockaddr_in *)&auth->client->connection->ip;
172 v4dns = (const struct sockaddr_in *)addr;
173
174 if (v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
175 {
176 sendheader(auth->client, REPORT_IP_MISMATCH);
177 release_auth_client(auth);
178 return;
179 }
180 }
181
182 if (namelength > HOSTLEN)
183 sendheader(auth->client, REPORT_HOST_TOOLONG);
184 else
185 {
186 strlcpy(auth->client->host, name, sizeof(auth->client->host));
187 sendheader(auth->client, REPORT_FIN_DNS);
188 }
189 }
190 else
191 sendheader(auth->client, REPORT_FAIL_DNS);
192
193 release_auth_client(auth);
194 }
195
196 /*
197 * authsenderr - handle auth send errors
198 */
199 static void
200 auth_error(struct AuthRequest *auth)
201 {
202 ++ServerStats.is_abad;
203
204 fd_close(&auth->fd);
205
206 ClearAuth(auth);
207
208 sendheader(auth->client, REPORT_FAIL_ID);
209
210 release_auth_client(auth);
211 }
212
213 /*
214 * start_auth_query - Flag the client to show that an attempt to
215 * contact the ident server on
216 * the client's host. The connect and subsequently the socket are all put
217 * into 'non-blocking' mode. Should the connect or any later phase of the
218 * identifing process fail, it is aborted and the user is given a username
219 * of "unknown".
220 */
221 static int
222 start_auth_query(struct AuthRequest *auth)
223 {
224 struct irc_ssaddr localaddr;
225 socklen_t locallen = sizeof(struct irc_ssaddr);
226 struct sockaddr_in6 *v6;
227
228 /* open a socket of the same type as the client socket */
229 if (comm_open(&auth->fd, auth->client->connection->ip.ss.ss_family,
230 SOCK_STREAM, 0, "ident") == -1)
231 {
232 report_error(L_ALL, "creating auth stream socket %s:%s",
233 get_client_name(auth->client, SHOW_IP), errno);
234 ilog(LOG_TYPE_IRCD, "Unable to create auth socket for %s",
235 get_client_name(auth->client, SHOW_IP));
236 ++ServerStats.is_abad;
237 return 0;
238 }
239
240 sendheader(auth->client, REPORT_DO_ID);
241
242 /*
243 * get the local address of the client and bind to that to
244 * make the auth request. This used to be done only for
245 * ifdef VIRTUAL_HOST, but needs to be done for all clients
246 * since the ident request must originate from that same address--
247 * and machines with multiple IP addresses are common now
248 */
249 memset(&localaddr, 0, locallen);
250 getsockname(auth->client->connection->fd.fd, (struct sockaddr*)&localaddr,
251 &locallen);
252
253 remove_ipv6_mapping(&localaddr);
254 v6 = (struct sockaddr_in6 *)&localaddr;
255 v6->sin6_port = htons(0);
256 localaddr.ss_port = htons(0);
257
258 comm_connect_tcp(&auth->fd, auth->client->sockhost, RFC1413_PORT,
259 (struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
260 auth, auth->client->connection->ip.ss.ss_family,
261 GlobalSetOptions.ident_timeout);
262 return 1; /* We suceed here for now */
263 }
264
265 /*
266 * start_auth
267 *
268 * inputs - pointer to client to auth
269 * output - NONE
270 * side effects - starts auth (identd) and dns queries for a client
271 */
272 void
273 start_auth(struct Client *client_p)
274 {
275 struct AuthRequest *auth = NULL;
276
277 assert(client_p);
278
279 auth = make_auth_request(client_p);
280 SetInAuth(auth);
281 dlinkAddTail(auth, &auth->node, &auth_pending_list);
282
283 sendheader(client_p, REPORT_DO_DNS);
284
285 SetDNSPending(auth);
286
287 if (ConfigGeneral.disable_auth == 0)
288 {
289 SetDoingAuth(auth);
290 start_auth_query(auth);
291 }
292
293 gethost_byaddr(auth_dns_callback, auth, &client_p->connection->ip);
294 }
295
296 /*
297 * timeout_auth_queries - timeout resolver and identd requests
298 * allow clients through if requests failed
299 */
300 static void
301 timeout_auth_queries_event(void *notused)
302 {
303 dlink_node *ptr = NULL, *ptr_next = NULL;
304
305 DLINK_FOREACH_SAFE(ptr, ptr_next, auth_pending_list.head)
306 {
307 struct AuthRequest *auth = ptr->data;
308
309 if (auth->timeout > CurrentTime)
310 break;
311
312 if (IsDoingAuth(auth))
313 {
314 ++ServerStats.is_abad;
315 fd_close(&auth->fd);
316 ClearAuth(auth);
317 sendheader(auth->client, REPORT_FAIL_ID);
318 }
319
320 if (IsDNSPending(auth))
321 {
322 delete_resolver_queries(auth);
323 ClearDNSPending(auth);
324 sendheader(auth->client, REPORT_FAIL_DNS);
325 }
326
327 release_auth_client(auth);
328 }
329 }
330
331 /*
332 * auth_connect_callback() - deal with the result of comm_connect_tcp()
333 *
334 * If the connection failed, we simply close the auth fd and report
335 * a failure. If the connection suceeded send the ident server a query
336 * giving "theirport , ourport". The write is only attempted *once* so
337 * it is deemed to be a fail if the entire write doesn't write all the
338 * data given. This shouldnt be a problem since the socket should have
339 * a write buffer far greater than this message to store it in should
340 * problems arise. -avalon
341 */
342 static void
343 auth_connect_callback(fde_t *fd, int error, void *data)
344 {
345 struct AuthRequest *auth = data;
346 struct irc_ssaddr us;
347 struct irc_ssaddr them;
348 char authbuf[32];
349 socklen_t ulen = sizeof(struct irc_ssaddr);
350 socklen_t tlen = sizeof(struct irc_ssaddr);
351 uint16_t uport, tport;
352 struct sockaddr_in6 *v6;
353
354 if (error != COMM_OK)
355 {
356 auth_error(auth);
357 return;
358 }
359
360 if (getsockname(auth->client->connection->fd.fd, (struct sockaddr *)&us, &ulen) ||
361 getpeername(auth->client->connection->fd.fd, (struct sockaddr *)&them, &tlen))
362 {
363 ilog(LOG_TYPE_IRCD, "auth get{sock,peer}name error for %s",
364 get_client_name(auth->client, SHOW_IP));
365 auth_error(auth);
366 return;
367 }
368
369 v6 = (struct sockaddr_in6 *)&us;
370 uport = ntohs(v6->sin6_port);
371 v6 = (struct sockaddr_in6 *)&them;
372 tport = ntohs(v6->sin6_port);
373 remove_ipv6_mapping(&us);
374 remove_ipv6_mapping(&them);
375
376 snprintf(authbuf, sizeof(authbuf), "%u, %u\r\n", tport, uport);
377
378 if (send(fd->fd, authbuf, strlen(authbuf), 0) == -1)
379 {
380 auth_error(auth);
381 return;
382 }
383
384 comm_setselect(fd, COMM_SELECT_READ, read_auth_reply, auth, 0);
385 }
386
387 /** Enum used to index ident reply fields in a human-readable way. */
388 enum IdentReplyFields
389 {
390 IDENT_PORT_NUMBERS,
391 IDENT_REPLY_TYPE,
392 IDENT_OS_TYPE,
393 IDENT_INFO,
394 USERID_TOKEN_COUNT
395 };
396
397 /** Parse an ident reply line and extract the userid from it.
398 * \param reply The ident reply line.
399 * \return The userid, or NULL on parse failure.
400 */
401 static const char *
402 check_ident_reply(char *reply)
403 {
404 char *token = NULL, *end = NULL;
405 char *vector[USERID_TOKEN_COUNT];
406 int count = token_vector(reply, ':', vector, USERID_TOKEN_COUNT);
407
408 if (USERID_TOKEN_COUNT != count)
409 return NULL;
410
411 /*
412 * Second token is the reply type
413 */
414 token = vector[IDENT_REPLY_TYPE];
415
416 if (EmptyString(token))
417 return NULL;
418
419 while (IsSpace(*token))
420 ++token;
421
422 if (strncmp(token, "USERID", 6))
423 return NULL;
424
425 /*
426 * Third token is the os type
427 */
428 token = vector[IDENT_OS_TYPE];
429
430 if (EmptyString(token))
431 return NULL;
432
433 while (IsSpace(*token))
434 ++token;
435
436 /*
437 * Unless "OTHER" is specified as the operating system type, the server
438 * is expected to return the "normal" user identification of the owner
439 * of this connection. "Normal" in this context may be taken to mean a
440 * string of characters which uniquely identifies the connection owner
441 * such as a user identifier assigned by the system administrator and
442 * used by such user as a mail identifier, or as the "user" part of a
443 * user/password pair used to gain access to system resources. When an
444 * operating system is specified (e.g., anything but "OTHER"), the user
445 * identifier is expected to be in a more or less immediately useful
446 * form - e.g., something that could be used as an argument to "finger"
447 * or as a mail address.
448 */
449 if (!strncmp(token, "OTHER", 5))
450 return NULL;
451
452 /*
453 * Fourth token is the username
454 */
455 token = vector[IDENT_INFO];
456
457 if (EmptyString(token))
458 return NULL;
459
460 while (IsSpace(*token))
461 ++token;
462
463 while (*token == '~' || *token == '^')
464 ++token;
465
466 /*
467 * Look for the end of the username, terminators are '\0, @, <SPACE>, :'
468 */
469 for (end = token; *end; ++end)
470 if (IsSpace(*end) || '@' == *end || ':' == *end)
471 break;
472 *end = '\0';
473
474 return token;
475 }
476
477 /*
478 * read_auth_reply - read the reply (if any) from the ident server
479 * we connected to.
480 * We only give it one shot, if the reply isn't good the first time
481 * fail the authentication entirely. --Bleep
482 */
483 static void
484 read_auth_reply(fde_t *fd, void *data)
485 {
486 struct AuthRequest *auth = data;
487 const char *username = NULL;
488 ssize_t len = 0;
489 char buf[RFC1413_BUFSIZ + 1];
490
491 if ((len = recv(fd->fd, buf, RFC1413_BUFSIZ, 0)) > 0)
492 {
493 buf[len] = '\0';
494 username = check_ident_reply(buf);
495 }
496
497 fd_close(fd);
498
499 ClearAuth(auth);
500
501 if (EmptyString(username))
502 {
503 sendheader(auth->client, REPORT_FAIL_ID);
504 ++ServerStats.is_abad;
505 }
506 else
507 {
508 strlcpy(auth->client->username, username, sizeof(auth->client->username));
509 sendheader(auth->client, REPORT_FIN_ID);
510 ++ServerStats.is_asuc;
511 SetGotId(auth->client);
512 }
513
514 release_auth_client(auth);
515 }
516
517 /*
518 * delete_auth()
519 */
520 void
521 delete_auth(struct AuthRequest *auth)
522 {
523 if (IsDNSPending(auth))
524 delete_resolver_queries(auth);
525
526 if (IsDoingAuth(auth))
527 fd_close(&auth->fd);
528
529 if (IsInAuth(auth))
530 {
531 dlinkDelete(&auth->node, &auth_pending_list);
532 ClearInAuth(auth);
533 }
534 }
535
536 /* auth_init
537 *
538 * Initialise the auth code
539 */
540 void
541 auth_init(void)
542 {
543 static struct event timeout_auth_queries =
544 {
545 .name = "timeout_auth_queries_event",
546 .handler = timeout_auth_queries_event,
547 .when = 1
548 };
549
550 event_add(&timeout_auth_queries, NULL);
551 }

Properties

Name Value
svn:eol-style native
svn:keywords Id Revision

svnadmin@ircd-hybrid.org
ViewVC Help
Powered by ViewVC 1.1.28