ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/ircd-hybrid/branches/8.2.x/src/auth.c
Revision: 8344
Committed: Sun Mar 4 00:05:53 2018 UTC (6 years ago) by michael
Content type: text/x-csrc
File size: 15015 byte(s)
Log Message:
- auth.c:make_auth(): properly assign 'auth' to 'auth->client->connection->auth'

File Contents

# User Rev Content
1 adx 30 /*
2 michael 2916 * ircd-hybrid: an advanced, lightweight Internet Relay Chat Daemon (ircd)
3 adx 30 *
4 michael 8280 * Copyright (c) 1997-2018 ircd-hybrid development team
5 adx 30 *
6     * This program is free software; you can redistribute it and/or modify
7     * it under the terms of the GNU General Public License as published by
8     * the Free Software Foundation; either version 2 of the License, or
9     * (at your option) any later version.
10     *
11     * This program is distributed in the hope that it will be useful,
12     * but WITHOUT ANY WARRANTY; without even the implied warranty of
13     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14     * GNU General Public License for more details.
15     *
16     * You should have received a copy of the GNU General Public License
17     * along with this program; if not, write to the Free Software
18 michael 4564 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
19 adx 30 * USA
20     */
21    
22 michael 3324 /*! \file auth.c
23 michael 8305 * \brief Implementation of DNS and ident lookups.
24 michael 2916 * \version $Id$
25     */
26    
27 adx 30 /*
28     * Changes:
29     * July 6, 1999 - Rewrote most of the code here. When a client connects
30     * to the server and passes initial socket validation checks, it
31     * is owned by this module (auth) which returns it to the rest of the
32     * server when dns and auth queries are finished. Until the client is
33     * released, the server does not know it exists and does not process
34     * any messages from it.
35     * --Bleep Thomas Helvey <tomh@inxpress.net>
36     */
37 michael 1309
38 adx 30 #include "stdinc.h"
39     #include "list.h"
40 michael 1011 #include "ircd_defs.h"
41     #include "fdlist.h"
42 michael 3324 #include "auth.h"
43 michael 1309 #include "conf.h"
44 adx 30 #include "client.h"
45     #include "event.h"
46     #include "irc_string.h"
47     #include "ircd.h"
48     #include "packet.h"
49 michael 3322 #include "res.h"
50 adx 30 #include "s_bsd.h"
51 michael 1309 #include "log.h"
52 adx 30 #include "send.h"
53 michael 1654 #include "mempool.h"
54 adx 30
55 michael 1011
56 michael 2916 enum
57     {
58 adx 30 REPORT_DO_DNS,
59     REPORT_FIN_DNS,
60     REPORT_FAIL_DNS,
61     REPORT_DO_ID,
62     REPORT_FIN_ID,
63     REPORT_FAIL_ID,
64     REPORT_IP_MISMATCH,
65 michael 8216 REPORT_HOST_TOOLONG,
66     REPORT_HOST_INVALID
67 adx 30 };
68    
69 michael 5889 static const char *const HeaderMessages[] =
70     {
71     [REPORT_DO_DNS] = ":*** Looking up your hostname",
72     [REPORT_FIN_DNS] = ":*** Found your hostname",
73     [REPORT_FAIL_DNS] = ":*** Couldn't look up your hostname",
74     [REPORT_DO_ID] = ":*** Checking Ident",
75     [REPORT_FIN_ID] = ":*** Got Ident response",
76     [REPORT_FAIL_ID] = ":*** No Ident response",
77     [REPORT_IP_MISMATCH] = ":*** Your forward and reverse DNS do not match, ignoring hostname",
78 michael 8216 [REPORT_HOST_TOOLONG] = ":*** Your hostname is too long, ignoring hostname",
79     [REPORT_HOST_INVALID] = ":*** Your hostname contains illegal characters, ignoring hostname"
80 michael 5889 };
81    
82 michael 8305 #define auth_sendheader(c, i) sendto_one_notice((c), &me, "%s", HeaderMessages[(i)])
83 adx 30
84 michael 8338 static mp_pool_t *auth_pool;
85 michael 6477 static dlink_list auth_list;
86 adx 30
87 michael 4095
88 adx 30 /*
89 michael 8305 * auth_make_request - allocate a new auth request
90 adx 30 */
91     static struct AuthRequest *
92 michael 8338 auth_make(struct Client *client)
93 adx 30 {
94 michael 8338 struct AuthRequest *auth = mp_pool_get(auth_pool);;
95 adx 30
96 michael 8344 auth->client->connection->auth = auth;
97 michael 6689 auth->client = client;
98     auth->timeout = CurrentTime + CONNECTTIMEOUT;
99 michael 2181
100 michael 6689 return auth;
101 adx 30 }
102    
103 michael 8305 /*! \brief Release auth client from auth system. This adds the client into the
104     * local client lists so it can be read by the main io processing loop.
105     * \param auth Pointer to AuthRequest struct to release
106 adx 30 */
107 michael 8303 static void
108 michael 8305 auth_release_client(struct AuthRequest *auth)
109 adx 30 {
110 michael 4853 struct Client *const client = auth->client;
111 michael 992
112     if (IsDoingAuth(auth) || IsDNSPending(auth))
113     return;
114    
115 michael 8338 dlinkDelete(&auth->node, &auth_list);
116 michael 992
117 michael 8338 mp_pool_release(auth);
118     client->connection->auth = NULL;
119    
120 adx 30 /*
121     * When a client has auth'ed, we want to start reading what it sends
122     * us. This is what read_packet() does.
123     * -- adrian
124     */
125 michael 4589 client->connection->allow_read = MAX_FLOOD;
126 michael 8338 comm_setflush(client->connection->fd, 1000, flood_recalc, client);
127 michael 650
128 michael 4589 client->connection->since = CurrentTime;
129     client->connection->lasttime = CurrentTime;
130     client->connection->firsttime = CurrentTime;
131 michael 8297 AddFlag(client, FLAGS_FINISHED_AUTH);
132 michael 650
133 michael 8213 strlcpy(client->realhost, client->host, sizeof(client->realhost));
134    
135 michael 8338 read_packet(client->connection->fd, client);
136 adx 30 }
137 michael 2916
138 michael 8219 /*! Checks if a hostname is valid and doesn't contain illegal characters
139     * \param hostname The string to verify
140     * \return 1 if it is valid, 0 if it isn't
141     */
142 michael 8216 static int
143     auth_verify_hostname(const char *hostname)
144     {
145     const char *p = hostname;
146    
147     assert(p);
148    
149     if (EmptyString(p) || *p == '.' || *p == ':')
150     return 0;
151    
152     for (; *p; ++p)
153     if (!IsHostChar(*p))
154     return 0;
155    
156     return 1;
157     }
158    
159 michael 8305 /*! \brief Handle a complete DNS lookup. Send the client on its way to a connection
160     * completion, regardless of success or failure.
161     * \param vptr The pending struct AuthRequest.
162     * \param addr IP address being resolved.
163     * \param name Resolved name, or NULL if lookup failed.
164     * \param namelength String length of the resolved hostname pointed by 'name'
165 adx 30 */
166     static void
167 michael 4409 auth_dns_callback(void *vptr, const struct irc_ssaddr *addr, const char *name, size_t namelength)
168 adx 30 {
169 michael 4853 struct AuthRequest *const auth = vptr;
170 adx 30
171     ClearDNSPending(auth);
172    
173 michael 4409 if (!EmptyString(name))
174 adx 30 {
175 michael 4589 if (auth->client->connection->ip.ss.ss_family == AF_INET6)
176 adx 30 {
177 michael 4857 const struct sockaddr_in6 *const v6 = (const struct sockaddr_in6 *)&auth->client->connection->ip;
178     const struct sockaddr_in6 *const v6dns = (const struct sockaddr_in6 *)addr;
179 michael 3250
180 michael 5901 if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)))
181 adx 30 {
182 michael 8305 auth_sendheader(auth->client, REPORT_IP_MISMATCH);
183     auth_release_client(auth);
184 michael 4409 return;
185 adx 30 }
186     }
187     else
188     {
189 michael 4857 const struct sockaddr_in *const v4 = (const struct sockaddr_in *)&auth->client->connection->ip;
190     const struct sockaddr_in *const v4dns = (const struct sockaddr_in *)addr;
191 michael 3250
192     if (v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
193 adx 30 {
194 michael 8305 auth_sendheader(auth->client, REPORT_IP_MISMATCH);
195     auth_release_client(auth);
196 michael 4409 return;
197 adx 30 }
198     }
199 michael 3250
200 michael 4409 if (namelength > HOSTLEN)
201 michael 8305 auth_sendheader(auth->client, REPORT_HOST_TOOLONG);
202 michael 8216 else if (!auth_verify_hostname(name))
203 michael 8305 auth_sendheader(auth->client, REPORT_HOST_INVALID);
204 michael 4409 else
205 adx 30 {
206 michael 4409 strlcpy(auth->client->host, name, sizeof(auth->client->host));
207 michael 8305 auth_sendheader(auth->client, REPORT_FIN_DNS);
208 adx 30 }
209     }
210     else
211 michael 8305 auth_sendheader(auth->client, REPORT_FAIL_DNS);
212 adx 30
213 michael 8305 auth_release_client(auth);
214 adx 30 }
215    
216     /*
217 michael 8305 * auth_error - handle auth send errors
218 adx 30 */
219     static void
220     auth_error(struct AuthRequest *auth)
221     {
222 michael 896 ++ServerStats.is_abad;
223 adx 30
224 michael 8338 fd_close(auth->fd);
225     auth->fd = NULL;
226    
227 adx 30 ClearAuth(auth);
228    
229 michael 8305 auth_sendheader(auth->client, REPORT_FAIL_ID);
230 adx 30
231 michael 8305 auth_release_client(auth);
232 adx 30 }
233    
234 michael 4310 /** Enum used to index ident reply fields in a human-readable way. */
235     enum IdentReplyFields
236     {
237     IDENT_PORT_NUMBERS,
238     IDENT_REPLY_TYPE,
239     IDENT_OS_TYPE,
240     IDENT_INFO,
241     USERID_TOKEN_COUNT
242     };
243    
244     /** Parse an ident reply line and extract the userid from it.
245     * \param reply The ident reply line.
246     * \return The userid, or NULL on parse failure.
247     */
248     static const char *
249 michael 8305 auth_check_ident_reply(char *const reply)
250 michael 4310 {
251     char *token = NULL, *end = NULL;
252     char *vector[USERID_TOKEN_COUNT];
253 michael 7583 const unsigned int count = token_vector(reply, ':', vector, USERID_TOKEN_COUNT);
254 michael 4310
255     if (USERID_TOKEN_COUNT != count)
256     return NULL;
257    
258     /*
259     * Second token is the reply type
260     */
261     token = vector[IDENT_REPLY_TYPE];
262    
263     if (EmptyString(token))
264     return NULL;
265    
266     while (IsSpace(*token))
267     ++token;
268    
269     if (strncmp(token, "USERID", 6))
270     return NULL;
271    
272     /*
273     * Third token is the os type
274     */
275     token = vector[IDENT_OS_TYPE];
276    
277     if (EmptyString(token))
278     return NULL;
279    
280     while (IsSpace(*token))
281     ++token;
282    
283     /*
284     * Unless "OTHER" is specified as the operating system type, the server
285     * is expected to return the "normal" user identification of the owner
286     * of this connection. "Normal" in this context may be taken to mean a
287     * string of characters which uniquely identifies the connection owner
288     * such as a user identifier assigned by the system administrator and
289     * used by such user as a mail identifier, or as the "user" part of a
290     * user/password pair used to gain access to system resources. When an
291     * operating system is specified (e.g., anything but "OTHER"), the user
292     * identifier is expected to be in a more or less immediately useful
293     * form - e.g., something that could be used as an argument to "finger"
294     * or as a mail address.
295     */
296     if (!strncmp(token, "OTHER", 5))
297     return NULL;
298    
299     /*
300     * Fourth token is the username
301     */
302     token = vector[IDENT_INFO];
303    
304     if (EmptyString(token))
305     return NULL;
306    
307     while (IsSpace(*token))
308     ++token;
309    
310     while (*token == '~' || *token == '^')
311     ++token;
312    
313     /*
314     * Look for the end of the username, terminators are '\0, @, <SPACE>, :'
315     */
316     for (end = token; *end; ++end)
317     if (IsSpace(*end) || '@' == *end || ':' == *end)
318     break;
319     *end = '\0';
320    
321     return token;
322     }
323    
324 michael 8305 /*! \brief Read the reply (if any) from the ident server we connected to. We
325     * only give it one shot, if the reply isn't good the first time fail
326     * the authentication entirely. --Bleep
327     * \param fd The socket/fd to read from.
328     * \param data The request to read.
329 adx 30 */
330     static void
331 michael 7954 auth_read_reply(fde_t *fd, void *data)
332 adx 30 {
333 michael 4853 struct AuthRequest *const auth = data;
334 michael 4310 const char *username = NULL;
335     ssize_t len = 0;
336     char buf[RFC1413_BUFSIZ + 1];
337 adx 30
338 michael 8338 assert(fd == auth->fd);
339    
340     if ((len = recv(auth->fd->fd, buf, RFC1413_BUFSIZ, 0)) > 0)
341 adx 30 {
342     buf[len] = '\0';
343 michael 8305 username = auth_check_ident_reply(buf);
344 adx 30 }
345    
346 michael 8338 fd_close(auth->fd);
347     auth->fd = NULL;
348    
349 adx 30 ClearAuth(auth);
350    
351 michael 4310 if (EmptyString(username))
352 adx 30 {
353 michael 8305 auth_sendheader(auth->client, REPORT_FAIL_ID);
354 michael 896 ++ServerStats.is_abad;
355 adx 30 }
356     else
357     {
358 michael 4310 strlcpy(auth->client->username, username, sizeof(auth->client->username));
359 michael 8305 auth_sendheader(auth->client, REPORT_FIN_ID);
360 michael 896 ++ServerStats.is_asuc;
361 michael 6314 AddFlag(auth->client, FLAGS_GOTID);
362 adx 30 }
363    
364 michael 8305 auth_release_client(auth);
365 adx 30 }
366    
367     /*
368 michael 8305 * auth_connect_callback() - deal with the result of comm_connect_tcp()
369     *
370     * If the connection failed, we simply close the auth fd and report
371     * a failure. If the connection suceeded send the ident server a query
372     * giving "theirport , ourport". The write is only attempted *once* so
373     * it is deemed to be a fail if the entire write doesn't write all the
374     * data given. This shouldnt be a problem since the socket should have
375     * a write buffer far greater than this message to store it in should
376     * problems arise. -avalon
377     */
378     static void
379     auth_connect_callback(fde_t *fd, int error, void *data)
380     {
381     struct AuthRequest *const auth = data;
382     struct irc_ssaddr us;
383     struct irc_ssaddr them;
384     char authbuf[16];
385     ssize_t len = 0;
386     socklen_t ulen = sizeof(struct irc_ssaddr);
387     socklen_t tlen = sizeof(struct irc_ssaddr);
388     uint16_t uport, tport;
389     struct sockaddr_in6 *v6;
390    
391     if (error != COMM_OK)
392     {
393     auth_error(auth);
394     return;
395     }
396    
397 michael 8338 assert(fd == auth->fd);
398    
399     if (getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&us, &ulen) ||
400     getpeername(auth->client->connection->fd->fd, (struct sockaddr *)&them, &tlen))
401 michael 8305 {
402     report_error(L_ALL, "auth get{sock,peer}name error %s:%s",
403     client_get_name(auth->client, SHOW_IP), errno);
404     auth_error(auth);
405     return;
406     }
407    
408     v6 = (struct sockaddr_in6 *)&us;
409     uport = ntohs(v6->sin6_port);
410     v6 = (struct sockaddr_in6 *)&them;
411     tport = ntohs(v6->sin6_port);
412    
413     len = snprintf(authbuf, sizeof(authbuf), "%u, %u\r\n", tport, uport);
414    
415     if (send(fd->fd, authbuf, len, 0) != len)
416     {
417     auth_error(auth);
418     return;
419     }
420    
421     comm_setselect(fd, COMM_SELECT_READ, auth_read_reply, auth, 0);
422     }
423    
424     /*! \brief Flag the client to show an attempt to contact the ident server on
425     * the client's host. Should the connect or any later phase of the
426     * identifying process fail, it is aborted and the user is given a
427     * username of "unknown".
428     * \param auth The request for which to start the ident lookup.
429     */
430     static void
431     auth_start_query(struct AuthRequest *auth)
432     {
433     struct irc_ssaddr localaddr;
434     socklen_t locallen = sizeof(struct irc_ssaddr);
435     struct sockaddr_in6 *v6;
436    
437     /* Open a socket of the same type as the client socket */
438 michael 8338 int fd = comm_socket(auth->client->connection->ip.ss.ss_family, SOCK_STREAM, 0);
439     if (fd == -1)
440 michael 8305 {
441     report_error(L_ALL, "creating auth stream socket %s:%s",
442     client_get_name(auth->client, SHOW_IP), errno);
443     ++ServerStats.is_abad;
444     return;
445     }
446    
447 michael 8338 auth->fd = fd_open(fd, 1, "ident");
448    
449 michael 8305 SetDoingAuth(auth);
450     auth_sendheader(auth->client, REPORT_DO_ID);
451    
452     /*
453     * Get the local address of the client and bind to that to
454     * make the auth request.
455     */
456     memset(&localaddr, 0, locallen);
457 michael 8338 getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&localaddr, &locallen);
458 michael 8305
459     remove_ipv6_mapping(&localaddr);
460     v6 = (struct sockaddr_in6 *)&localaddr;
461     v6->sin6_port = htons(0);
462     localaddr.ss_port = htons(0);
463    
464 michael 8338 comm_connect_tcp(auth->fd, auth->client->sockhost, RFC1413_PORT,
465 michael 8305 (struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
466     auth, auth->client->connection->ip.ss.ss_family,
467     GlobalSetOptions.ident_timeout);
468     }
469    
470     /*
471     * auth_start
472     *
473     * inputs - pointer to client to auth
474     * output - NONE
475     * side effects - starts auth (identd) and dns queries for a client
476     */
477     void
478     auth_start(struct Client *client_p)
479     {
480 michael 8338 struct AuthRequest *auth = auth_make(client_p);
481 michael 8305
482     dlinkAddTail(auth, &auth->node, &auth_list);
483    
484     auth_sendheader(client_p, REPORT_DO_DNS);
485    
486     SetDNSPending(auth);
487    
488     if (ConfigGeneral.disable_auth == 0)
489     auth_start_query(auth);
490    
491     gethost_byaddr(auth_dns_callback, auth, &client_p->connection->ip);
492     }
493    
494     /*
495 michael 7954 * auth_delete()
496 adx 30 */
497 michael 2916 void
498 michael 7954 auth_delete(struct AuthRequest *auth)
499 adx 30 {
500 michael 8305 if (IsDoingAuth(auth))
501     {
502 michael 8338 fd_close(auth->fd);
503     auth->fd = NULL;
504 michael 8305 ClearAuth(auth);
505     }
506    
507 michael 992 if (IsDNSPending(auth))
508 michael 8299 {
509 michael 992 delete_resolver_queries(auth);
510 michael 8299 ClearDNSPending(auth);
511     }
512 adx 30
513 michael 8338 dlinkDelete(&auth->node, &auth_list);
514     mp_pool_release(auth);
515 adx 30 }
516 michael 4310
517 michael 8305 /*
518     * auth_timeout_queries - timeout resolver and identd requests
519     * allow clients through if requests failed
520     */
521     static void
522     auth_timeout_queries(void *notused)
523     {
524     dlink_node *node, *node_next;
525    
526     DLINK_FOREACH_SAFE(node, node_next, auth_list.head)
527     {
528     struct AuthRequest *auth = node->data;
529    
530     if (auth->timeout > CurrentTime)
531     break;
532    
533     if (IsDoingAuth(auth))
534     {
535     ++ServerStats.is_abad;
536 michael 8338 fd_close(auth->fd);
537     auth->fd = NULL;
538    
539 michael 8305 ClearAuth(auth);
540    
541     auth_sendheader(auth->client, REPORT_FAIL_ID);
542     }
543    
544     if (IsDNSPending(auth))
545     {
546     delete_resolver_queries(auth);
547     ClearDNSPending(auth);
548    
549     auth_sendheader(auth->client, REPORT_FAIL_DNS);
550     }
551    
552     auth_release_client(auth);
553     }
554     }
555    
556 michael 4310 /* auth_init
557     *
558     * Initialise the auth code
559     */
560     void
561     auth_init(void)
562     {
563     static struct event timeout_auth_queries =
564     {
565 michael 8305 .name = "auth_timeout_queries",
566     .handler = auth_timeout_queries,
567 michael 4310 .when = 1
568     };
569    
570 michael 8338 auth_pool = mp_pool_new(sizeof(struct AuthRequest), MP_CHUNK_SIZE_AUTH);
571 michael 4310 event_add(&timeout_auth_queries, NULL);
572     }

Properties

Name Value
svn:eol-style native
svn:keywords Id