ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/ircd-hybrid/branches/8.2.x/src/auth.c
Revision: 650
Committed: Thu Jun 8 07:00:17 2006 UTC (17 years, 9 months ago) by michael
Content type: text/x-csrc
Original Path: ircd-hybrid-7.2/src/s_auth.c
File size: 17752 byte(s)
Log Message:
- Fixed bug that would exit unknown clients in check_unknowns_list() that are
  still processing auth/dns queries.
  Basically check_unknowns_list() should only exit clients that have finished
  auth/dns and didn't send a NICK/USER combination since they have been
  released from auth.

  Reported by ThaPrince.

File Contents

# User Rev Content
1 adx 30 /*
2     * ircd-hybrid: an advanced Internet Relay Chat Daemon(ircd).
3     * s_auth.c: Functions for querying a users ident.
4     *
5     * Copyright (C) 2002 by the past and present ircd coders, and others.
6     *
7     * This program is free software; you can redistribute it and/or modify
8     * it under the terms of the GNU General Public License as published by
9     * the Free Software Foundation; either version 2 of the License, or
10     * (at your option) any later version.
11     *
12     * This program is distributed in the hope that it will be useful,
13     * but WITHOUT ANY WARRANTY; without even the implied warranty of
14     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15     * GNU General Public License for more details.
16     *
17     * You should have received a copy of the GNU General Public License
18     * along with this program; if not, write to the Free Software
19     * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
20     * USA
21     *
22 knight 31 * $Id$
23 adx 30 */
24    
25     /*
26     * Changes:
27     * July 6, 1999 - Rewrote most of the code here. When a client connects
28     * to the server and passes initial socket validation checks, it
29     * is owned by this module (auth) which returns it to the rest of the
30     * server when dns and auth queries are finished. Until the client is
31     * released, the server does not know it exists and does not process
32     * any messages from it.
33     * --Bleep Thomas Helvey <tomh@inxpress.net>
34     */
35     #include "stdinc.h"
36     #include "tools.h"
37     #include "list.h"
38     #include "s_auth.h"
39     #include "s_conf.h"
40     #include "client.h"
41     #include "common.h"
42     #include "event.h"
43     #include "fdlist.h" /* fdlist_add */
44     #include "hook.h"
45     #include "irc_string.h"
46     #include "sprintf_irc.h"
47     #include "ircd.h"
48     #include "numeric.h"
49     #include "packet.h"
50     #include "irc_res.h"
51     #include "s_bsd.h"
52     #include "s_log.h"
53     #include "s_stats.h"
54     #include "send.h"
55     #include "memory.h"
56    
57     static const char *HeaderMessages[] = {
58     ":%s NOTICE AUTH :*** Looking up your hostname...",
59     ":%s NOTICE AUTH :*** Found your hostname",
60     ":%s NOTICE AUTH :*** Couldn't look up your hostname",
61     ":%s NOTICE AUTH :*** Checking Ident",
62     ":%s NOTICE AUTH :*** Got Ident response",
63     ":%s NOTICE AUTH :*** No Ident response",
64     ":%s NOTICE AUTH :*** Your forward and reverse DNS do not match, ignoring hostname.",
65     ":%s NOTICE AUTH :*** Your hostname is too long, ignoring hostname"
66     };
67    
68     enum {
69     REPORT_DO_DNS,
70     REPORT_FIN_DNS,
71     REPORT_FAIL_DNS,
72     REPORT_DO_ID,
73     REPORT_FIN_ID,
74     REPORT_FAIL_ID,
75     REPORT_IP_MISMATCH,
76     REPORT_HOST_TOOLONG
77     };
78    
79     #define sendheader(c, i) sendto_one((c), HeaderMessages[(i)], me.name)
80    
81     /*
82     * Ok, the original was confusing.
83     * Now there are two lists, an auth request can be on both at the same time
84     * or only on one or the other.
85     * - Dianora
86     */
87     static dlink_list auth_doing_dns_list = { NULL, NULL, 0 };
88     static dlink_list auth_doing_ident_list = { NULL, NULL, 0 };
89    
90     static EVH timeout_auth_queries_event;
91    
92     static PF read_auth_reply;
93     static CNCB auth_connect_callback;
94     static CBFUNC start_auth;
95    
96     struct Callback *auth_cb = NULL;
97    
98     /* init_auth()
99     *
100     * Initialise the auth code
101     */
102     void
103     init_auth(void)
104     {
105     auth_cb = register_callback("start_auth", start_auth);
106     eventAddIsh("timeout_auth_queries_event", timeout_auth_queries_event, NULL, 1);
107     }
108    
109     /*
110     * make_auth_request - allocate a new auth request
111     */
112     static struct AuthRequest *
113     make_auth_request(struct Client *client)
114     {
115     struct AuthRequest *request = MyMalloc(sizeof(struct AuthRequest));
116    
117     request->client = client;
118     request->timeout = CurrentTime + CONNECTTIMEOUT;
119    
120 michael 650 return request;
121 adx 30 }
122    
123     /*
124     * release_auth_client - release auth client from auth system
125     * this adds the client into the local client lists so it can be read by
126     * the main io processing loop
127     */
128     void
129     release_auth_client(struct Client *client)
130     {
131     /*
132     * When a client has auth'ed, we want to start reading what it sends
133     * us. This is what read_packet() does.
134     * -- adrian
135     */
136     client->localClient->allow_read = MAX_FLOOD;
137     comm_setflush(&client->localClient->fd, 1000, flood_recalc, client);
138 michael 650
139 adx 30 if ((client->node.prev != NULL) || (client->node.next != NULL))
140     {
141     sendto_realops_flags(UMODE_ALL, L_OPER,
142     "already linked %s at %s:%d", client->name,
143     __FILE__, __LINE__);
144     ilog(L_ERROR, "already linked %s at %s:%d", client->name,
145     __FILE__, __LINE__);
146     assert(0==5);
147     }
148     else
149     dlinkAdd(client, &client->node, &global_client_list);
150 michael 650
151     client_p->since = client_p->lasttime = client_p->firsttime = CurrentTime;
152     client_p->flags |= FLAGS_FINISHED_AUTH;
153    
154 adx 30 read_packet(&client->localClient->fd, client);
155     }
156    
157     /*
158     * auth_dns_callback - called when resolver query finishes
159     * if the query resulted in a successful search, hp will contain
160     * a non-null pointer, otherwise hp will be null.
161     * set the client on it's way to a connection completion, regardless
162     * of success of failure
163     */
164     static void
165     auth_dns_callback(void *vptr, struct DNSReply *reply)
166     {
167     struct AuthRequest *auth = (struct AuthRequest *)vptr;
168    
169     dlinkDelete(&auth->dns_node, &auth_doing_dns_list);
170     ClearDNSPending(auth);
171    
172     if (reply != NULL)
173     {
174     struct sockaddr_in *v4, *v4dns;
175     #ifdef IPV6
176     struct sockaddr_in6 *v6, *v6dns;
177     #endif
178     int good = 1;
179    
180     #ifdef IPV6
181     if (auth->client->localClient->ip.ss.ss_family == AF_INET6)
182     {
183     v6 = (struct sockaddr_in6 *)&auth->client->localClient->ip;
184     v6dns = (struct sockaddr_in6 *)&reply->addr;
185     if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)) != 0)
186     {
187     sendheader(auth->client, REPORT_IP_MISMATCH);
188     good = 0;
189     }
190     }
191     else
192     #endif
193     {
194     v4 = (struct sockaddr_in *)&auth->client->localClient->ip;
195     v4dns = (struct sockaddr_in *)&reply->addr;
196     if(v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
197     {
198     sendheader(auth->client, REPORT_IP_MISMATCH);
199     good = 0;
200     }
201     }
202     if (good && strlen(reply->h_name) <= HOSTLEN)
203     {
204     strlcpy(auth->client->host, reply->h_name,
205     sizeof(auth->client->host));
206     sendheader(auth->client, REPORT_FIN_DNS);
207     }
208     else if (strlen(reply->h_name) > HOSTLEN)
209     sendheader(auth->client, REPORT_HOST_TOOLONG);
210     }
211     else
212     sendheader(auth->client, REPORT_FAIL_DNS);
213    
214     MyFree(auth->client->localClient->dns_query);
215     auth->client->localClient->dns_query = NULL;
216    
217     if (!IsDoingAuth(auth))
218     {
219     struct Client *client_p = auth->client;
220     MyFree(auth);
221     release_auth_client(client_p);
222     }
223     }
224    
225     /*
226     * authsenderr - handle auth send errors
227     */
228     static void
229     auth_error(struct AuthRequest *auth)
230     {
231     ++ServerStats->is_abad;
232    
233     fd_close(&auth->fd);
234    
235     dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
236     ClearAuth(auth);
237    
238     sendheader(auth->client, REPORT_FAIL_ID);
239    
240     if (!IsDNSPending(auth) && !IsCrit(auth))
241     {
242     release_auth_client(auth->client);
243     MyFree(auth);
244     }
245     }
246    
247     /*
248     * start_auth_query - Flag the client to show that an attempt to
249     * contact the ident server on
250     * the client's host. The connect and subsequently the socket are all put
251     * into 'non-blocking' mode. Should the connect or any later phase of the
252     * identifing process fail, it is aborted and the user is given a username
253     * of "unknown".
254     */
255     static int
256     start_auth_query(struct AuthRequest *auth)
257     {
258     struct irc_ssaddr localaddr;
259     socklen_t locallen = sizeof(struct irc_ssaddr);
260     #ifdef IPV6
261     struct sockaddr_in6 *v6;
262     #else
263     struct sockaddr_in *v4;
264     #endif
265    
266     /* open a socket of the same type as the client socket */
267     if (comm_open(&auth->fd, auth->client->localClient->ip.ss.ss_family,
268     SOCK_STREAM, 0, "ident") == -1)
269     {
270     report_error(L_ALL, "creating auth stream socket %s:%s",
271     get_client_name(auth->client, SHOW_IP), errno);
272     ilog(L_ERROR, "Unable to create auth socket for %s",
273     get_client_name(auth->client, SHOW_IP));
274     ++ServerStats->is_abad;
275     return 0;
276     }
277    
278     sendheader(auth->client, REPORT_DO_ID);
279    
280     /*
281     * get the local address of the client and bind to that to
282     * make the auth request. This used to be done only for
283     * ifdef VIRTUAL_HOST, but needs to be done for all clients
284     * since the ident request must originate from that same address--
285     * and machines with multiple IP addresses are common now
286     */
287     memset(&localaddr, 0, locallen);
288     getsockname(auth->client->localClient->fd.fd, (struct sockaddr*)&localaddr,
289     &locallen);
290    
291     #ifdef IPV6
292     remove_ipv6_mapping(&localaddr);
293     v6 = (struct sockaddr_in6 *)&localaddr;
294     v6->sin6_port = htons(0);
295     #else
296     localaddr.ss_len = locallen;
297     v4 = (struct sockaddr_in *)&localaddr;
298     v4->sin_port = htons(0);
299     #endif
300     localaddr.ss_port = htons(0);
301    
302     SetDoingAuth(auth);
303     dlinkAdd(auth, &auth->ident_node, &auth_doing_ident_list);
304    
305     comm_connect_tcp(&auth->fd, auth->client->sockhost, 113,
306     (struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
307     auth, auth->client->localClient->ip.ss.ss_family,
308     GlobalSetOptions.ident_timeout);
309     return 1; /* We suceed here for now */
310     }
311    
312     /*
313     * GetValidIdent - parse ident query reply from identd server
314     *
315     * Inputs - pointer to ident buf
316     * Output - NULL if no valid ident found, otherwise pointer to name
317     * Side effects -
318     */
319     /*
320     * A few questions have been asked about this mess, obviously
321     * it should have been commented better the first time.
322     * The original idea was to remove all references to libc from ircd-hybrid.
323     * Instead of having to write a replacement for sscanf(), I did a
324     * rather gruseome parser here so we could remove this function call.
325     * Note, that I had also removed a few floating point printfs as well (though
326     * now we are still stuck with a few...)
327     * Remember, we have a replacement ircd sprintf, we have bleeps fputs lib
328     * it would have been nice to remove some unneeded code.
329     * Oh well. If we don't remove libc stuff totally, then it would be
330     * far cleaner to use sscanf()
331     *
332     * - Dianora
333     */
334     static char *
335     GetValidIdent(char *buf)
336     {
337     int remp = 0;
338     int locp = 0;
339     char* colon1Ptr;
340     char* colon2Ptr;
341     char* colon3Ptr;
342     char* commaPtr;
343     char* remotePortString;
344    
345     /* All this to get rid of a sscanf() fun. */
346     remotePortString = buf;
347    
348     if ((colon1Ptr = strchr(remotePortString,':')) == NULL)
349     return 0;
350     *colon1Ptr = '\0';
351     colon1Ptr++;
352    
353     if ((colon2Ptr = strchr(colon1Ptr,':')) == NULL)
354     return 0;
355     *colon2Ptr = '\0';
356     colon2Ptr++;
357    
358     if ((commaPtr = strchr(remotePortString, ',')) == NULL)
359     return 0;
360     *commaPtr = '\0';
361     commaPtr++;
362    
363     if ((remp = atoi(remotePortString)) == 0)
364     return 0;
365    
366     if ((locp = atoi(commaPtr)) == 0)
367     return 0;
368    
369     /* look for USERID bordered by first pair of colons */
370     if (strstr(colon1Ptr, "USERID") == NULL)
371     return 0;
372    
373     if ((colon3Ptr = strchr(colon2Ptr,':')) == NULL)
374     return 0;
375     *colon3Ptr = '\0';
376     colon3Ptr++;
377     return (colon3Ptr);
378     }
379    
380     /*
381     * start_auth
382     *
383     * inputs - pointer to client to auth
384     * output - NONE
385     * side effects - starts auth (identd) and dns queries for a client
386     */
387     static void *
388     start_auth(va_list args)
389     {
390     struct Client *client = va_arg(args, struct Client *);
391     struct AuthRequest *auth = NULL;
392    
393     assert(client != NULL);
394    
395     auth = make_auth_request(client);
396     SetCrit(auth);
397    
398     client->localClient->dns_query = MyMalloc(sizeof(struct DNSQuery));
399     client->localClient->dns_query->ptr = auth;
400     client->localClient->dns_query->callback = auth_dns_callback;
401    
402     sendheader(client, REPORT_DO_DNS);
403    
404     if (ConfigFileEntry.disable_auth == 0)
405     start_auth_query(auth);
406    
407     /* auth order changed, before gethost_byaddr can immediately call
408     * dns callback under win32 when the lookup cannot be started.
409     * And that would do MyFree(auth) etc -adx */
410     SetDNSPending(auth);
411     dlinkAdd(auth, &auth->dns_node, &auth_doing_dns_list);
412     ClearCrit(auth);
413     gethost_byaddr(&client->localClient->ip, client->localClient->dns_query);
414    
415     return NULL;
416     }
417    
418     /*
419     * timeout_auth_queries - timeout resolver and identd requests
420     * allow clients through if requests failed
421     */
422     static void
423     timeout_auth_queries_event(void *notused)
424     {
425     dlink_node *ptr;
426     dlink_node *next_ptr;
427     struct AuthRequest* auth;
428    
429     DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_ident_list.head)
430     {
431     auth = ptr->data;
432    
433     if (auth->timeout <= CurrentTime)
434     {
435     fd_close(&auth->fd);
436    
437     ++ServerStats->is_abad;
438     sendheader(auth->client, REPORT_FAIL_ID);
439    
440     if (IsDNSPending(auth))
441     {
442     struct Client *client_p = auth->client;
443    
444     dlinkDelete(&auth->dns_node, &auth_doing_dns_list);
445     if (client_p->localClient->dns_query != NULL)
446     {
447     delete_resolver_queries(client_p->localClient->dns_query);
448     MyFree(client_p->localClient->dns_query);
449     }
450     auth->client->localClient->dns_query = NULL;
451     sendheader(client_p, REPORT_FAIL_DNS);
452     }
453    
454     ilog(L_INFO, "DNS/AUTH timeout %s",
455     get_client_name(auth->client, SHOW_IP));
456    
457     dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
458     release_auth_client(auth->client);
459     MyFree(auth);
460     }
461     }
462     }
463    
464     /*
465     * auth_connect_callback() - deal with the result of comm_connect_tcp()
466     *
467     * If the connection failed, we simply close the auth fd and report
468     * a failure. If the connection suceeded send the ident server a query
469     * giving "theirport , ourport". The write is only attempted *once* so
470     * it is deemed to be a fail if the entire write doesn't write all the
471     * data given. This shouldnt be a problem since the socket should have
472     * a write buffer far greater than this message to store it in should
473     * problems arise. -avalon
474     */
475     static void
476     auth_connect_callback(fde_t *fd, int error, void *data)
477     {
478     struct AuthRequest *auth = data;
479     struct irc_ssaddr us;
480     struct irc_ssaddr them;
481     char authbuf[32];
482     socklen_t ulen = sizeof(struct irc_ssaddr);
483     socklen_t tlen = sizeof(struct irc_ssaddr);
484     u_int16_t uport, tport;
485     #ifdef IPV6
486     struct sockaddr_in6 *v6;
487     #else
488     struct sockaddr_in *v4;
489     #endif
490    
491     if (error != COMM_OK)
492     {
493     auth_error(auth);
494     return;
495     }
496    
497     if (getsockname(auth->client->localClient->fd.fd, (struct sockaddr *) &us,
498     (socklen_t *) &ulen) ||
499     getpeername(auth->client->localClient->fd.fd, (struct sockaddr *) &them,
500     (socklen_t *) &tlen))
501     {
502     ilog(L_INFO, "auth get{sock,peer}name error for %s",
503     get_client_name(auth->client, SHOW_IP));
504     auth_error(auth);
505     return;
506     }
507    
508     #ifdef IPV6
509     v6 = (struct sockaddr_in6 *)&us;
510     uport = ntohs(v6->sin6_port);
511     v6 = (struct sockaddr_in6 *)&them;
512     tport = ntohs(v6->sin6_port);
513     remove_ipv6_mapping(&us);
514     remove_ipv6_mapping(&them);
515     #else
516     v4 = (struct sockaddr_in *)&us;
517     uport = ntohs(v4->sin_port);
518     v4 = (struct sockaddr_in *)&them;
519     tport = ntohs(v4->sin_port);
520     us.ss_len = ulen;
521     them.ss_len = tlen;
522     #endif
523    
524     ircsprintf(authbuf, "%u , %u\r\n", tport, uport);
525    
526     if (send(fd->fd, authbuf, strlen(authbuf), 0) == -1)
527     {
528     auth_error(auth);
529     return;
530     }
531     read_auth_reply(&auth->fd, auth);
532     }
533    
534     /*
535     * read_auth_reply - read the reply (if any) from the ident server
536     * we connected to.
537     * We only give it one shot, if the reply isn't good the first time
538     * fail the authentication entirely. --Bleep
539     */
540     #define AUTH_BUFSIZ 128
541    
542     static void
543     read_auth_reply(fde_t *fd, void *data)
544     {
545     struct AuthRequest *auth = data;
546     char *s = NULL;
547     char *t = NULL;
548     int len;
549     int count;
550     char buf[AUTH_BUFSIZ + 1]; /* buffer to read auth reply into */
551    
552 nenolod 397 /* Why?
553     * Well, recv() on many POSIX systems is a per-packet operation,
554     * and we do not necessarily want this, because on lowspec machines,
555     * the ident response may come back fragmented, thus resulting in an
556     * invalid ident response, even if the ident response was really OK.
557     *
558     * So PLEASE do not change this code to recv without being aware of the
559     * consequences.
560     *
561     * --nenolod
562     */
563     #ifndef _WIN32
564     len = read(fd->fd, buf, AUTH_BUFSIZ);
565     #else
566 adx 30 len = recv(fd->fd, buf, AUTH_BUFSIZ, 0);
567 nenolod 397 #endif
568 adx 30
569     if (len < 0)
570     {
571     #ifdef _WIN32
572     errno = WSAGetLastError();
573     #endif
574     if (ignoreErrno(errno))
575     comm_setselect(fd, COMM_SELECT_READ, read_auth_reply, auth, 0);
576     else
577     auth_error(auth);
578     return;
579     }
580    
581     if (len > 0)
582     {
583     buf[len] = '\0';
584    
585     if ((s = GetValidIdent(buf)))
586     {
587     t = auth->client->username;
588    
589     while (*s == '~' || *s == '^')
590     s++;
591    
592     for (count = USERLEN; *s && count; s++)
593     {
594     if (*s == '@')
595     break;
596     if (!IsSpace(*s) && *s != ':' && *s != '[')
597     {
598     *t++ = *s;
599     count--;
600     }
601     }
602    
603     *t = '\0';
604     }
605     }
606    
607     fd_close(fd);
608    
609     dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
610     ClearAuth(auth);
611    
612     if (s == NULL)
613     {
614     sendheader(auth->client, REPORT_FAIL_ID);
615     ++ServerStats->is_abad;
616     }
617     else
618     {
619     sendheader(auth->client, REPORT_FIN_ID);
620     ++ServerStats->is_asuc;
621     SetGotId(auth->client);
622     }
623    
624     if (!IsDNSPending(auth) && !IsCrit(auth))
625     {
626     release_auth_client(auth->client);
627     MyFree(auth);
628     }
629     }
630    
631     /*
632     * delete_auth()
633     */
634     void
635     delete_auth(struct Client *target_p)
636     {
637     dlink_node *ptr;
638     dlink_node *next_ptr;
639     struct AuthRequest *auth;
640    
641     if (!IsUnknown(target_p))
642     return;
643    
644     if (target_p->localClient->dns_query != NULL)
645     DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_dns_list.head)
646     {
647     auth = ptr->data;
648    
649     if (auth->client == target_p)
650     {
651     delete_resolver_queries(target_p->localClient->dns_query);
652    
653     dlinkDelete(&auth->dns_node, &auth_doing_dns_list);
654     if (!IsDoingAuth(auth))
655     {
656     MyFree(auth);
657     return;
658     }
659     }
660     }
661    
662     DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_ident_list.head)
663     {
664     auth = ptr->data;
665    
666     if (auth->client == target_p)
667     {
668     fd_close(&auth->fd);
669    
670     dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
671     MyFree(auth);
672     }
673     }
674     }

Properties

Name Value
svn:eol-style native
svn:keywords Id Revision