ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/ircd-hybrid/trunk/src/s_auth.c
Revision: 1029
Committed: Sun Nov 8 13:10:50 2009 UTC (14 years, 4 months ago) by michael
Content type: text/x-csrc
Original Path: ircd-hybrid-7.3/src/s_auth.c
File size: 15512 byte(s)
Log Message:
- branch off trunk to create 7.3 branch

File Contents

# Content
1 /*
2 * ircd-hybrid: an advanced Internet Relay Chat Daemon(ircd).
3 * s_auth.c: Functions for querying a users ident.
4 *
5 * Copyright (C) 2002 by the past and present ircd coders, and others.
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
20 * USA
21 *
22 * $Id$
23 */
24
25 /*
26 * Changes:
27 * July 6, 1999 - Rewrote most of the code here. When a client connects
28 * to the server and passes initial socket validation checks, it
29 * is owned by this module (auth) which returns it to the rest of the
30 * server when dns and auth queries are finished. Until the client is
31 * released, the server does not know it exists and does not process
32 * any messages from it.
33 * --Bleep Thomas Helvey <tomh@inxpress.net>
34 */
35 #include "stdinc.h"
36 #include "list.h"
37 #include "ircd_defs.h"
38 #include "fdlist.h"
39 #include "s_auth.h"
40 #include "s_conf.h"
41 #include "balloc.h"
42 #include "client.h"
43 #include "common.h"
44 #include "event.h"
45 #include "hook.h"
46 #include "irc_string.h"
47 #include "sprintf_irc.h"
48 #include "ircd.h"
49 #include "numeric.h"
50 #include "packet.h"
51 #include "irc_res.h"
52 #include "s_bsd.h"
53 #include "s_log.h"
54 #include "send.h"
55
56
57 static const char *HeaderMessages[] = {
58 ":%s NOTICE AUTH :*** Looking up your hostname...",
59 ":%s NOTICE AUTH :*** Found your hostname",
60 ":%s NOTICE AUTH :*** Couldn't look up your hostname",
61 ":%s NOTICE AUTH :*** Checking Ident",
62 ":%s NOTICE AUTH :*** Got Ident response",
63 ":%s NOTICE AUTH :*** No Ident response",
64 ":%s NOTICE AUTH :*** Your forward and reverse DNS do not match, ignoring hostname.",
65 ":%s NOTICE AUTH :*** Your hostname is too long, ignoring hostname"
66 };
67
68 enum {
69 REPORT_DO_DNS,
70 REPORT_FIN_DNS,
71 REPORT_FAIL_DNS,
72 REPORT_DO_ID,
73 REPORT_FIN_ID,
74 REPORT_FAIL_ID,
75 REPORT_IP_MISMATCH,
76 REPORT_HOST_TOOLONG
77 };
78
79 #define sendheader(c, i) sendto_one((c), HeaderMessages[(i)], me.name)
80
81 static BlockHeap *auth_heap = NULL;
82 static dlink_list auth_doing_list = { NULL, NULL, 0 };
83
84 static EVH timeout_auth_queries_event;
85
86 static PF read_auth_reply;
87 static CNCB auth_connect_callback;
88 static CBFUNC start_auth;
89
90 struct Callback *auth_cb = NULL;
91
92 /* init_auth()
93 *
94 * Initialise the auth code
95 */
96 void
97 init_auth(void)
98 {
99 auth_heap = BlockHeapCreate("auth", sizeof(struct AuthRequest), AUTH_HEAP_SIZE);
100 auth_cb = register_callback("start_auth", start_auth);
101 eventAddIsh("timeout_auth_queries_event", timeout_auth_queries_event, NULL, 1);
102 }
103
104 /*
105 * make_auth_request - allocate a new auth request
106 */
107 static struct AuthRequest *
108 make_auth_request(struct Client *client)
109 {
110 struct AuthRequest *request = BlockHeapAlloc(auth_heap);
111
112 client->localClient->auth = request;
113 request->client = client;
114 request->timeout = CurrentTime + CONNECTTIMEOUT;
115
116 return request;
117 }
118
119 /*
120 * release_auth_client - release auth client from auth system
121 * this adds the client into the local client lists so it can be read by
122 * the main io processing loop
123 */
124 void
125 release_auth_client(struct AuthRequest *auth)
126 {
127 struct Client *client = auth->client;
128
129 if (IsDoingAuth(auth) || IsDNSPending(auth))
130 return;
131
132 client->localClient->auth = NULL;
133 dlinkDelete(&auth->node, &auth_doing_list);
134 BlockHeapFree(auth_heap, auth);
135
136 /*
137 * When a client has auth'ed, we want to start reading what it sends
138 * us. This is what read_packet() does.
139 * -- adrian
140 */
141 client->localClient->allow_read = MAX_FLOOD;
142 comm_setflush(&client->localClient->fd, 1000, flood_recalc, client);
143
144 dlinkAdd(client, &client->node, &global_client_list);
145
146 client->since = client->lasttime = client->firsttime = CurrentTime;
147 client->flags |= FLAGS_FINISHED_AUTH;
148
149 read_packet(&client->localClient->fd, client);
150 }
151
152 /*
153 * auth_dns_callback - called when resolver query finishes
154 * if the query resulted in a successful search, name will contain
155 * a non-NULL pointer, otherwise name will be NULL.
156 * set the client on it's way to a connection completion, regardless
157 * of success of failure
158 */
159 static void
160 auth_dns_callback(void *vptr, const struct irc_ssaddr *addr, const char *name)
161 {
162 struct AuthRequest *auth = vptr;
163
164 ClearDNSPending(auth);
165
166 if (name != NULL)
167 {
168 const struct sockaddr_in *v4, *v4dns;
169 #ifdef IPV6
170 const struct sockaddr_in6 *v6, *v6dns;
171 #endif
172 int good = 1;
173
174 #ifdef IPV6
175 if (auth->client->localClient->ip.ss.ss_family == AF_INET6)
176 {
177 v6 = (const struct sockaddr_in6 *)&auth->client->localClient->ip;
178 v6dns = (const struct sockaddr_in6 *)addr;
179 if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)) != 0)
180 {
181 sendheader(auth->client, REPORT_IP_MISMATCH);
182 good = 0;
183 }
184 }
185 else
186 #endif
187 {
188 v4 = (const struct sockaddr_in *)&auth->client->localClient->ip;
189 v4dns = (const struct sockaddr_in *)addr;
190 if(v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
191 {
192 sendheader(auth->client, REPORT_IP_MISMATCH);
193 good = 0;
194 }
195 }
196 if (good && strlen(name) <= HOSTLEN)
197 {
198 strlcpy(auth->client->host, name,
199 sizeof(auth->client->host));
200 sendheader(auth->client, REPORT_FIN_DNS);
201 }
202 else if (strlen(name) > HOSTLEN)
203 sendheader(auth->client, REPORT_HOST_TOOLONG);
204 }
205 else
206 sendheader(auth->client, REPORT_FAIL_DNS);
207
208 release_auth_client(auth);
209 }
210
211 /*
212 * authsenderr - handle auth send errors
213 */
214 static void
215 auth_error(struct AuthRequest *auth)
216 {
217 ++ServerStats.is_abad;
218
219 fd_close(&auth->fd);
220
221 ClearAuth(auth);
222
223 sendheader(auth->client, REPORT_FAIL_ID);
224
225 release_auth_client(auth);
226 }
227
228 /*
229 * start_auth_query - Flag the client to show that an attempt to
230 * contact the ident server on
231 * the client's host. The connect and subsequently the socket are all put
232 * into 'non-blocking' mode. Should the connect or any later phase of the
233 * identifing process fail, it is aborted and the user is given a username
234 * of "unknown".
235 */
236 static int
237 start_auth_query(struct AuthRequest *auth)
238 {
239 struct irc_ssaddr localaddr;
240 socklen_t locallen = sizeof(struct irc_ssaddr);
241 #ifdef IPV6
242 struct sockaddr_in6 *v6;
243 #else
244 struct sockaddr_in *v4;
245 #endif
246
247 /* open a socket of the same type as the client socket */
248 if (comm_open(&auth->fd, auth->client->localClient->ip.ss.ss_family,
249 SOCK_STREAM, 0, "ident") == -1)
250 {
251 report_error(L_ALL, "creating auth stream socket %s:%s",
252 get_client_name(auth->client, SHOW_IP), errno);
253 ilog(L_ERROR, "Unable to create auth socket for %s",
254 get_client_name(auth->client, SHOW_IP));
255 ++ServerStats.is_abad;
256 return 0;
257 }
258
259 sendheader(auth->client, REPORT_DO_ID);
260
261 /*
262 * get the local address of the client and bind to that to
263 * make the auth request. This used to be done only for
264 * ifdef VIRTUAL_HOST, but needs to be done for all clients
265 * since the ident request must originate from that same address--
266 * and machines with multiple IP addresses are common now
267 */
268 memset(&localaddr, 0, locallen);
269 getsockname(auth->client->localClient->fd.fd, (struct sockaddr*)&localaddr,
270 &locallen);
271
272 #ifdef IPV6
273 remove_ipv6_mapping(&localaddr);
274 v6 = (struct sockaddr_in6 *)&localaddr;
275 v6->sin6_port = htons(0);
276 #else
277 localaddr.ss_len = locallen;
278 v4 = (struct sockaddr_in *)&localaddr;
279 v4->sin_port = htons(0);
280 #endif
281 localaddr.ss_port = htons(0);
282
283 comm_connect_tcp(&auth->fd, auth->client->sockhost, 113,
284 (struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
285 auth, auth->client->localClient->ip.ss.ss_family,
286 GlobalSetOptions.ident_timeout);
287 return 1; /* We suceed here for now */
288 }
289
290 /*
291 * GetValidIdent - parse ident query reply from identd server
292 *
293 * Inputs - pointer to ident buf
294 * Output - NULL if no valid ident found, otherwise pointer to name
295 * Side effects -
296 */
297 /*
298 * A few questions have been asked about this mess, obviously
299 * it should have been commented better the first time.
300 * The original idea was to remove all references to libc from ircd-hybrid.
301 * Instead of having to write a replacement for sscanf(), I did a
302 * rather gruseome parser here so we could remove this function call.
303 * Note, that I had also removed a few floating point printfs as well (though
304 * now we are still stuck with a few...)
305 * Remember, we have a replacement ircd sprintf, we have bleeps fputs lib
306 * it would have been nice to remove some unneeded code.
307 * Oh well. If we don't remove libc stuff totally, then it would be
308 * far cleaner to use sscanf()
309 *
310 * - Dianora
311 */
312 static char *
313 GetValidIdent(char *buf)
314 {
315 int remp = 0;
316 int locp = 0;
317 char* colon1Ptr;
318 char* colon2Ptr;
319 char* colon3Ptr;
320 char* commaPtr;
321 char* remotePortString;
322
323 /* All this to get rid of a sscanf() fun. */
324 remotePortString = buf;
325
326 if ((colon1Ptr = strchr(remotePortString,':')) == NULL)
327 return 0;
328 *colon1Ptr = '\0';
329 colon1Ptr++;
330
331 if ((colon2Ptr = strchr(colon1Ptr,':')) == NULL)
332 return 0;
333 *colon2Ptr = '\0';
334 colon2Ptr++;
335
336 if ((commaPtr = strchr(remotePortString, ',')) == NULL)
337 return 0;
338 *commaPtr = '\0';
339 commaPtr++;
340
341 if ((remp = atoi(remotePortString)) == 0)
342 return 0;
343
344 if ((locp = atoi(commaPtr)) == 0)
345 return 0;
346
347 /* look for USERID bordered by first pair of colons */
348 if (strstr(colon1Ptr, "USERID") == NULL)
349 return 0;
350
351 if ((colon3Ptr = strchr(colon2Ptr,':')) == NULL)
352 return 0;
353 *colon3Ptr = '\0';
354 colon3Ptr++;
355 return (colon3Ptr);
356 }
357
358 /*
359 * start_auth
360 *
361 * inputs - pointer to client to auth
362 * output - NONE
363 * side effects - starts auth (identd) and dns queries for a client
364 */
365 static void *
366 start_auth(va_list args)
367 {
368 struct Client *client = va_arg(args, struct Client *);
369 struct AuthRequest *auth = NULL;
370
371 assert(client != NULL);
372
373 auth = make_auth_request(client);
374 dlinkAdd(auth, &auth->node, &auth_doing_list);
375
376 sendheader(client, REPORT_DO_DNS);
377
378 SetDNSPending(auth);
379
380 if (ConfigFileEntry.disable_auth == 0)
381 {
382 SetDoingAuth(auth);
383 start_auth_query(auth);
384 }
385
386 gethost_byaddr(auth_dns_callback, auth, &client->localClient->ip);
387
388 return NULL;
389 }
390
391 /*
392 * timeout_auth_queries - timeout resolver and identd requests
393 * allow clients through if requests failed
394 */
395 static void
396 timeout_auth_queries_event(void *notused)
397 {
398 dlink_node *ptr = NULL, *next_ptr = NULL;
399
400 DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_list.head)
401 {
402 struct AuthRequest *auth = ptr->data;
403
404 if (auth->timeout > CurrentTime)
405 continue;
406
407 if (IsDoingAuth(auth))
408 {
409 ++ServerStats.is_abad;
410 fd_close(&auth->fd);
411 ClearAuth(auth);
412 sendheader(auth->client, REPORT_FAIL_ID);
413 }
414
415 if (IsDNSPending(auth))
416 {
417 delete_resolver_queries(auth);
418 ClearDNSPending(auth);
419 sendheader(auth->client, REPORT_FAIL_DNS);
420 }
421
422 ilog(L_INFO, "DNS/AUTH timeout %s",
423 get_client_name(auth->client, SHOW_IP));
424 release_auth_client(auth);
425 }
426 }
427
428 /*
429 * auth_connect_callback() - deal with the result of comm_connect_tcp()
430 *
431 * If the connection failed, we simply close the auth fd and report
432 * a failure. If the connection suceeded send the ident server a query
433 * giving "theirport , ourport". The write is only attempted *once* so
434 * it is deemed to be a fail if the entire write doesn't write all the
435 * data given. This shouldnt be a problem since the socket should have
436 * a write buffer far greater than this message to store it in should
437 * problems arise. -avalon
438 */
439 static void
440 auth_connect_callback(fde_t *fd, int error, void *data)
441 {
442 struct AuthRequest *auth = data;
443 struct irc_ssaddr us;
444 struct irc_ssaddr them;
445 char authbuf[32];
446 socklen_t ulen = sizeof(struct irc_ssaddr);
447 socklen_t tlen = sizeof(struct irc_ssaddr);
448 u_int16_t uport, tport;
449 #ifdef IPV6
450 struct sockaddr_in6 *v6;
451 #else
452 struct sockaddr_in *v4;
453 #endif
454
455 if (error != COMM_OK)
456 {
457 auth_error(auth);
458 return;
459 }
460
461 if (getsockname(auth->client->localClient->fd.fd, (struct sockaddr *)&us,
462 &ulen) ||
463 getpeername(auth->client->localClient->fd.fd, (struct sockaddr *)&them,
464 &tlen))
465 {
466 ilog(L_INFO, "auth get{sock,peer}name error for %s",
467 get_client_name(auth->client, SHOW_IP));
468 auth_error(auth);
469 return;
470 }
471
472 #ifdef IPV6
473 v6 = (struct sockaddr_in6 *)&us;
474 uport = ntohs(v6->sin6_port);
475 v6 = (struct sockaddr_in6 *)&them;
476 tport = ntohs(v6->sin6_port);
477 remove_ipv6_mapping(&us);
478 remove_ipv6_mapping(&them);
479 #else
480 v4 = (struct sockaddr_in *)&us;
481 uport = ntohs(v4->sin_port);
482 v4 = (struct sockaddr_in *)&them;
483 tport = ntohs(v4->sin_port);
484 us.ss_len = ulen;
485 them.ss_len = tlen;
486 #endif
487
488 ircsprintf(authbuf, "%u , %u\r\n", tport, uport);
489
490 if (send(fd->fd, authbuf, strlen(authbuf), 0) == -1)
491 {
492 auth_error(auth);
493 return;
494 }
495
496 read_auth_reply(&auth->fd, auth);
497 }
498
499 /*
500 * read_auth_reply - read the reply (if any) from the ident server
501 * we connected to.
502 * We only give it one shot, if the reply isn't good the first time
503 * fail the authentication entirely. --Bleep
504 */
505 #define AUTH_BUFSIZ 128
506
507 static void
508 read_auth_reply(fde_t *fd, void *data)
509 {
510 struct AuthRequest *auth = data;
511 char *s = NULL;
512 char *t = NULL;
513 int len;
514 int count;
515 char buf[AUTH_BUFSIZ + 1]; /* buffer to read auth reply into */
516
517 /* Why?
518 * Well, recv() on many POSIX systems is a per-packet operation,
519 * and we do not necessarily want this, because on lowspec machines,
520 * the ident response may come back fragmented, thus resulting in an
521 * invalid ident response, even if the ident response was really OK.
522 *
523 * So PLEASE do not change this code to recv without being aware of the
524 * consequences.
525 *
526 * --nenolod
527 */
528 len = read(fd->fd, buf, AUTH_BUFSIZ);
529
530 if (len < 0)
531 {
532 if (ignoreErrno(errno))
533 comm_setselect(fd, COMM_SELECT_READ, read_auth_reply, auth, 0);
534 else
535 auth_error(auth);
536 return;
537 }
538
539 if (len > 0)
540 {
541 buf[len] = '\0';
542
543 if ((s = GetValidIdent(buf)))
544 {
545 t = auth->client->username;
546
547 while (*s == '~' || *s == '^')
548 s++;
549
550 for (count = USERLEN; *s && count; s++)
551 {
552 if (*s == '@')
553 break;
554 if (!IsSpace(*s) && *s != ':' && *s != '[')
555 {
556 *t++ = *s;
557 count--;
558 }
559 }
560
561 *t = '\0';
562 }
563 }
564
565 fd_close(fd);
566
567 ClearAuth(auth);
568
569 if (s == NULL)
570 {
571 sendheader(auth->client, REPORT_FAIL_ID);
572 ++ServerStats.is_abad;
573 }
574 else
575 {
576 sendheader(auth->client, REPORT_FIN_ID);
577 ++ServerStats.is_asuc;
578 SetGotId(auth->client);
579 }
580
581 release_auth_client(auth);
582 }
583
584 /*
585 * delete_auth()
586 */
587 void
588 delete_auth(struct AuthRequest *auth)
589 {
590 if (IsDNSPending(auth))
591 delete_resolver_queries(auth);
592
593 if (IsDoingAuth(auth))
594 fd_close(&auth->fd);
595
596 dlinkDelete(&auth->node, &auth_doing_list);
597 BlockHeapFree(auth_heap, auth);
598 }

Properties

Name Value
svn:eol-style native
svn:keywords Id Revision