ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/ircd-hybrid/branches/8.2.x/src/auth.c
Revision: 7996
Committed: Tue Mar 14 13:17:39 2017 UTC (7 years ago) by michael
Content type: text/x-csrc
File size: 13895 byte(s)
Log Message:
- Rename get_client_name() to client_get_name()

File Contents

# User Rev Content
1 adx 30 /*
2 michael 2916 * ircd-hybrid: an advanced, lightweight Internet Relay Chat Daemon (ircd)
3 adx 30 *
4 michael 7925 * Copyright (c) 1997-2017 ircd-hybrid development team
5 adx 30 *
6     * This program is free software; you can redistribute it and/or modify
7     * it under the terms of the GNU General Public License as published by
8     * the Free Software Foundation; either version 2 of the License, or
9     * (at your option) any later version.
10     *
11     * This program is distributed in the hope that it will be useful,
12     * but WITHOUT ANY WARRANTY; without even the implied warranty of
13     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14     * GNU General Public License for more details.
15     *
16     * You should have received a copy of the GNU General Public License
17     * along with this program; if not, write to the Free Software
18 michael 4564 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
19 adx 30 * USA
20     */
21    
22 michael 3324 /*! \file auth.c
23 michael 2916 * \brief Functions for querying a users ident.
24     * \version $Id$
25     */
26    
27 adx 30 /*
28     * Changes:
29     * July 6, 1999 - Rewrote most of the code here. When a client connects
30     * to the server and passes initial socket validation checks, it
31     * is owned by this module (auth) which returns it to the rest of the
32     * server when dns and auth queries are finished. Until the client is
33     * released, the server does not know it exists and does not process
34     * any messages from it.
35     * --Bleep Thomas Helvey <tomh@inxpress.net>
36     */
37 michael 1309
38 adx 30 #include "stdinc.h"
39     #include "list.h"
40 michael 1011 #include "ircd_defs.h"
41     #include "fdlist.h"
42 michael 3324 #include "auth.h"
43 michael 1309 #include "conf.h"
44 adx 30 #include "client.h"
45     #include "event.h"
46     #include "irc_string.h"
47     #include "ircd.h"
48     #include "packet.h"
49 michael 3322 #include "res.h"
50 adx 30 #include "s_bsd.h"
51 michael 1309 #include "log.h"
52 adx 30 #include "send.h"
53 michael 1654 #include "mempool.h"
54 adx 30
55 michael 1011
56 michael 2916 enum
57     {
58 adx 30 REPORT_DO_DNS,
59     REPORT_FIN_DNS,
60     REPORT_FAIL_DNS,
61     REPORT_DO_ID,
62     REPORT_FIN_ID,
63     REPORT_FAIL_ID,
64     REPORT_IP_MISMATCH,
65     REPORT_HOST_TOOLONG
66     };
67    
68 michael 5889 static const char *const HeaderMessages[] =
69     {
70     [REPORT_DO_DNS] = ":*** Looking up your hostname",
71     [REPORT_FIN_DNS] = ":*** Found your hostname",
72     [REPORT_FAIL_DNS] = ":*** Couldn't look up your hostname",
73     [REPORT_DO_ID] = ":*** Checking Ident",
74     [REPORT_FIN_ID] = ":*** Got Ident response",
75     [REPORT_FAIL_ID] = ":*** No Ident response",
76     [REPORT_IP_MISMATCH] = ":*** Your forward and reverse DNS do not match, ignoring hostname",
77     [REPORT_HOST_TOOLONG] = ":*** Your hostname is too long, ignoring hostname"
78     };
79    
80 michael 5496 #define sendheader(c, i) sendto_one_notice((c), &me, "%s", HeaderMessages[(i)])
81 adx 30
82 michael 6477 static dlink_list auth_list;
83 michael 7954 static void auth_read_reply(fde_t *, void *);
84 michael 4463 static void auth_connect_callback(fde_t *, int, void *);
85 adx 30
86 michael 4095
87 adx 30 /*
88     * make_auth_request - allocate a new auth request
89     */
90     static struct AuthRequest *
91     make_auth_request(struct Client *client)
92     {
93 michael 6689 struct AuthRequest *const auth = &client->connection->auth;
94 adx 30
95 michael 6689 memset(auth, 0, sizeof(*auth));
96 adx 30
97 michael 6689 auth->client = client;
98     auth->timeout = CurrentTime + CONNECTTIMEOUT;
99 michael 2181
100 michael 6689 return auth;
101 adx 30 }
102    
103     /*
104     * release_auth_client - release auth client from auth system
105     * this adds the client into the local client lists so it can be read by
106     * the main io processing loop
107     */
108     void
109 michael 992 release_auth_client(struct AuthRequest *auth)
110 adx 30 {
111 michael 4853 struct Client *const client = auth->client;
112 michael 992
113     if (IsDoingAuth(auth) || IsDNSPending(auth))
114     return;
115    
116 michael 2929 if (IsInAuth(auth))
117     {
118 michael 6477 dlinkDelete(&auth->node, &auth_list);
119 michael 2929 ClearInAuth(auth);
120     }
121 michael 992
122 adx 30 /*
123     * When a client has auth'ed, we want to start reading what it sends
124     * us. This is what read_packet() does.
125     * -- adrian
126     */
127 michael 4589 client->connection->allow_read = MAX_FLOOD;
128     comm_setflush(&client->connection->fd, 1000, flood_recalc, client);
129 michael 650
130 michael 4589 client->connection->since = CurrentTime;
131     client->connection->lasttime = CurrentTime;
132     client->connection->firsttime = CurrentTime;
133 michael 664 client->flags |= FLAGS_FINISHED_AUTH;
134 michael 650
135 michael 4589 read_packet(&client->connection->fd, client);
136 adx 30 }
137 michael 2916
138 adx 30 /*
139     * auth_dns_callback - called when resolver query finishes
140 michael 998 * if the query resulted in a successful search, name will contain
141     * a non-NULL pointer, otherwise name will be NULL.
142 adx 30 * set the client on it's way to a connection completion, regardless
143     * of success of failure
144     */
145     static void
146 michael 4409 auth_dns_callback(void *vptr, const struct irc_ssaddr *addr, const char *name, size_t namelength)
147 adx 30 {
148 michael 4853 struct AuthRequest *const auth = vptr;
149 adx 30
150     ClearDNSPending(auth);
151    
152 michael 4409 if (!EmptyString(name))
153 adx 30 {
154 michael 4589 if (auth->client->connection->ip.ss.ss_family == AF_INET6)
155 adx 30 {
156 michael 4857 const struct sockaddr_in6 *const v6 = (const struct sockaddr_in6 *)&auth->client->connection->ip;
157     const struct sockaddr_in6 *const v6dns = (const struct sockaddr_in6 *)addr;
158 michael 3250
159 michael 5901 if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)))
160 adx 30 {
161     sendheader(auth->client, REPORT_IP_MISMATCH);
162 michael 4409 release_auth_client(auth);
163     return;
164 adx 30 }
165     }
166     else
167     {
168 michael 4857 const struct sockaddr_in *const v4 = (const struct sockaddr_in *)&auth->client->connection->ip;
169     const struct sockaddr_in *const v4dns = (const struct sockaddr_in *)addr;
170 michael 3250
171     if (v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
172 adx 30 {
173     sendheader(auth->client, REPORT_IP_MISMATCH);
174 michael 4409 release_auth_client(auth);
175     return;
176 adx 30 }
177     }
178 michael 3250
179 michael 4409 if (namelength > HOSTLEN)
180     sendheader(auth->client, REPORT_HOST_TOOLONG);
181     else
182 adx 30 {
183 michael 4409 strlcpy(auth->client->host, name, sizeof(auth->client->host));
184 adx 30 sendheader(auth->client, REPORT_FIN_DNS);
185     }
186     }
187     else
188 michael 992 sendheader(auth->client, REPORT_FAIL_DNS);
189 adx 30
190 michael 992 release_auth_client(auth);
191 adx 30 }
192    
193     /*
194     * authsenderr - handle auth send errors
195     */
196     static void
197     auth_error(struct AuthRequest *auth)
198     {
199 michael 896 ++ServerStats.is_abad;
200 adx 30
201     fd_close(&auth->fd);
202    
203     ClearAuth(auth);
204    
205     sendheader(auth->client, REPORT_FAIL_ID);
206    
207 michael 992 release_auth_client(auth);
208 adx 30 }
209    
210     /*
211 michael 2916 * start_auth_query - Flag the client to show that an attempt to
212 adx 30 * contact the ident server on
213     * the client's host. The connect and subsequently the socket are all put
214     * into 'non-blocking' mode. Should the connect or any later phase of the
215     * identifing process fail, it is aborted and the user is given a username
216     * of "unknown".
217     */
218 michael 6978 static void
219 adx 30 start_auth_query(struct AuthRequest *auth)
220     {
221     struct irc_ssaddr localaddr;
222     socklen_t locallen = sizeof(struct irc_ssaddr);
223     struct sockaddr_in6 *v6;
224    
225     /* open a socket of the same type as the client socket */
226 michael 4589 if (comm_open(&auth->fd, auth->client->connection->ip.ss.ss_family,
227 adx 30 SOCK_STREAM, 0, "ident") == -1)
228     {
229 michael 2916 report_error(L_ALL, "creating auth stream socket %s:%s",
230 michael 7996 client_get_name(auth->client, SHOW_IP), errno);
231 michael 896 ++ServerStats.is_abad;
232 michael 6978 return;
233 adx 30 }
234    
235 michael 6977 SetDoingAuth(auth);
236 adx 30 sendheader(auth->client, REPORT_DO_ID);
237    
238 michael 2916 /*
239 michael 4866 * Get the local address of the client and bind to that to
240     * make the auth request.
241 adx 30 */
242     memset(&localaddr, 0, locallen);
243 michael 4589 getsockname(auth->client->connection->fd.fd, (struct sockaddr*)&localaddr,
244 adx 30 &locallen);
245    
246     remove_ipv6_mapping(&localaddr);
247     v6 = (struct sockaddr_in6 *)&localaddr;
248     v6->sin6_port = htons(0);
249     localaddr.ss_port = htons(0);
250    
251 michael 4310 comm_connect_tcp(&auth->fd, auth->client->sockhost, RFC1413_PORT,
252 michael 2916 (struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
253 michael 4589 auth, auth->client->connection->ip.ss.ss_family,
254 adx 30 GlobalSetOptions.ident_timeout);
255     }
256    
257     /*
258 michael 7954 * auth_start
259 adx 30 *
260     * inputs - pointer to client to auth
261     * output - NONE
262     * side effects - starts auth (identd) and dns queries for a client
263     */
264 michael 2916 void
265 michael 7954 auth_start(struct Client *client_p)
266 adx 30 {
267 michael 4853 struct AuthRequest *const auth = make_auth_request(client_p);
268 adx 30
269 michael 2929 SetInAuth(auth);
270 michael 6477 dlinkAddTail(auth, &auth->node, &auth_list);
271 adx 30
272 michael 3250 sendheader(client_p, REPORT_DO_DNS);
273 adx 30
274 michael 992 SetDNSPending(auth);
275    
276 michael 4341 if (ConfigGeneral.disable_auth == 0)
277 adx 30 start_auth_query(auth);
278    
279 michael 4589 gethost_byaddr(auth_dns_callback, auth, &client_p->connection->ip);
280 adx 30 }
281    
282     /*
283     * timeout_auth_queries - timeout resolver and identd requests
284     * allow clients through if requests failed
285     */
286     static void
287     timeout_auth_queries_event(void *notused)
288     {
289 michael 7913 dlink_node *node, *node_next;
290 adx 30
291 michael 6477 DLINK_FOREACH_SAFE(node, node_next, auth_list.head)
292 adx 30 {
293 michael 4816 struct AuthRequest *auth = node->data;
294 adx 30
295 michael 992 if (auth->timeout > CurrentTime)
296 michael 2929 break;
297 adx 30
298 michael 992 if (IsDoingAuth(auth))
299 michael 2916 {
300 michael 896 ++ServerStats.is_abad;
301 michael 1000 fd_close(&auth->fd);
302 michael 998 ClearAuth(auth);
303 adx 30 sendheader(auth->client, REPORT_FAIL_ID);
304 michael 992 }
305 adx 30
306 michael 992 if (IsDNSPending(auth))
307     {
308     delete_resolver_queries(auth);
309 michael 998 ClearDNSPending(auth);
310 michael 992 sendheader(auth->client, REPORT_FAIL_DNS);
311     }
312 adx 30
313 michael 992 release_auth_client(auth);
314 adx 30 }
315     }
316    
317     /*
318     * auth_connect_callback() - deal with the result of comm_connect_tcp()
319     *
320     * If the connection failed, we simply close the auth fd and report
321     * a failure. If the connection suceeded send the ident server a query
322     * giving "theirport , ourport". The write is only attempted *once* so
323     * it is deemed to be a fail if the entire write doesn't write all the
324     * data given. This shouldnt be a problem since the socket should have
325     * a write buffer far greater than this message to store it in should
326     * problems arise. -avalon
327     */
328     static void
329     auth_connect_callback(fde_t *fd, int error, void *data)
330     {
331 michael 4861 struct AuthRequest *const auth = data;
332 adx 30 struct irc_ssaddr us;
333     struct irc_ssaddr them;
334 michael 4860 char authbuf[16];
335 michael 5721 ssize_t len = 0;
336 adx 30 socklen_t ulen = sizeof(struct irc_ssaddr);
337     socklen_t tlen = sizeof(struct irc_ssaddr);
338 michael 1032 uint16_t uport, tport;
339 adx 30 struct sockaddr_in6 *v6;
340    
341     if (error != COMM_OK)
342     {
343     auth_error(auth);
344     return;
345     }
346    
347 michael 4589 if (getsockname(auth->client->connection->fd.fd, (struct sockaddr *)&us, &ulen) ||
348     getpeername(auth->client->connection->fd.fd, (struct sockaddr *)&them, &tlen))
349 adx 30 {
350 michael 4863 report_error(L_ALL, "auth get{sock,peer}name error %s:%s",
351 michael 7996 client_get_name(auth->client, SHOW_IP), errno);
352 adx 30 auth_error(auth);
353     return;
354     }
355    
356     v6 = (struct sockaddr_in6 *)&us;
357     uport = ntohs(v6->sin6_port);
358     v6 = (struct sockaddr_in6 *)&them;
359     tport = ntohs(v6->sin6_port);
360 michael 2916
361 michael 5721 len = snprintf(authbuf, sizeof(authbuf), "%u, %u\r\n", tport, uport);
362 adx 30
363 michael 5721 if (send(fd->fd, authbuf, len, 0) != len)
364 adx 30 {
365     auth_error(auth);
366     return;
367     }
368 michael 696
369 michael 7954 comm_setselect(fd, COMM_SELECT_READ, auth_read_reply, auth, 0);
370 adx 30 }
371    
372 michael 4310 /** Enum used to index ident reply fields in a human-readable way. */
373     enum IdentReplyFields
374     {
375     IDENT_PORT_NUMBERS,
376     IDENT_REPLY_TYPE,
377     IDENT_OS_TYPE,
378     IDENT_INFO,
379     USERID_TOKEN_COUNT
380     };
381    
382     /** Parse an ident reply line and extract the userid from it.
383     * \param reply The ident reply line.
384     * \return The userid, or NULL on parse failure.
385     */
386     static const char *
387 michael 4861 check_ident_reply(char *const reply)
388 michael 4310 {
389     char *token = NULL, *end = NULL;
390     char *vector[USERID_TOKEN_COUNT];
391 michael 7583 const unsigned int count = token_vector(reply, ':', vector, USERID_TOKEN_COUNT);
392 michael 4310
393     if (USERID_TOKEN_COUNT != count)
394     return NULL;
395    
396     /*
397     * Second token is the reply type
398     */
399     token = vector[IDENT_REPLY_TYPE];
400    
401     if (EmptyString(token))
402     return NULL;
403    
404     while (IsSpace(*token))
405     ++token;
406    
407     if (strncmp(token, "USERID", 6))
408     return NULL;
409    
410     /*
411     * Third token is the os type
412     */
413     token = vector[IDENT_OS_TYPE];
414    
415     if (EmptyString(token))
416     return NULL;
417    
418     while (IsSpace(*token))
419     ++token;
420    
421     /*
422     * Unless "OTHER" is specified as the operating system type, the server
423     * is expected to return the "normal" user identification of the owner
424     * of this connection. "Normal" in this context may be taken to mean a
425     * string of characters which uniquely identifies the connection owner
426     * such as a user identifier assigned by the system administrator and
427     * used by such user as a mail identifier, or as the "user" part of a
428     * user/password pair used to gain access to system resources. When an
429     * operating system is specified (e.g., anything but "OTHER"), the user
430     * identifier is expected to be in a more or less immediately useful
431     * form - e.g., something that could be used as an argument to "finger"
432     * or as a mail address.
433     */
434     if (!strncmp(token, "OTHER", 5))
435     return NULL;
436    
437     /*
438     * Fourth token is the username
439     */
440     token = vector[IDENT_INFO];
441    
442     if (EmptyString(token))
443     return NULL;
444    
445     while (IsSpace(*token))
446     ++token;
447    
448     while (*token == '~' || *token == '^')
449     ++token;
450    
451     /*
452     * Look for the end of the username, terminators are '\0, @, <SPACE>, :'
453     */
454     for (end = token; *end; ++end)
455     if (IsSpace(*end) || '@' == *end || ':' == *end)
456     break;
457     *end = '\0';
458    
459     return token;
460     }
461    
462 adx 30 /*
463 michael 7954 * auth_read_reply - read the reply (if any) from the ident server
464 adx 30 * we connected to.
465     * We only give it one shot, if the reply isn't good the first time
466     * fail the authentication entirely. --Bleep
467     */
468     static void
469 michael 7954 auth_read_reply(fde_t *fd, void *data)
470 adx 30 {
471 michael 4853 struct AuthRequest *const auth = data;
472 michael 4310 const char *username = NULL;
473     ssize_t len = 0;
474     char buf[RFC1413_BUFSIZ + 1];
475 adx 30
476 michael 4310 if ((len = recv(fd->fd, buf, RFC1413_BUFSIZ, 0)) > 0)
477 adx 30 {
478     buf[len] = '\0';
479 michael 4310 username = check_ident_reply(buf);
480 adx 30 }
481    
482     fd_close(fd);
483    
484     ClearAuth(auth);
485    
486 michael 4310 if (EmptyString(username))
487 adx 30 {
488     sendheader(auth->client, REPORT_FAIL_ID);
489 michael 896 ++ServerStats.is_abad;
490 adx 30 }
491     else
492     {
493 michael 4310 strlcpy(auth->client->username, username, sizeof(auth->client->username));
494 adx 30 sendheader(auth->client, REPORT_FIN_ID);
495 michael 896 ++ServerStats.is_asuc;
496 michael 6314 AddFlag(auth->client, FLAGS_GOTID);
497 adx 30 }
498    
499 michael 992 release_auth_client(auth);
500 adx 30 }
501    
502     /*
503 michael 7954 * auth_delete()
504 adx 30 */
505 michael 2916 void
506 michael 7954 auth_delete(struct AuthRequest *auth)
507 adx 30 {
508 michael 992 if (IsDNSPending(auth))
509     delete_resolver_queries(auth);
510 adx 30
511 michael 1000 if (IsDoingAuth(auth))
512     fd_close(&auth->fd);
513    
514 michael 2929 if (IsInAuth(auth))
515     {
516 michael 6477 dlinkDelete(&auth->node, &auth_list);
517 michael 2929 ClearInAuth(auth);
518     }
519 adx 30 }
520 michael 4310
521     /* auth_init
522     *
523     * Initialise the auth code
524     */
525     void
526     auth_init(void)
527     {
528     static struct event timeout_auth_queries =
529     {
530     .name = "timeout_auth_queries_event",
531     .handler = timeout_auth_queries_event,
532     .when = 1
533     };
534    
535     event_add(&timeout_auth_queries, NULL);
536     }

Properties

Name Value
svn:eol-style native
svn:keywords Id