8.2.x/src/auth.c

/*
 *  ircd-hybrid: an advanced, lightweight Internet Relay Chat Daemon (ircd)
 *
 *  Copyright (c) 1997-2018 ircd-hybrid development team
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
 *  USA
 */

/*! \file auth.c
 * \brief Implementation of DNS and ident lookups.
 * \version $Id$
 */

/*
 * Changes:
 *   July 6, 1999 - Rewrote most of the code here. When a client connects
 *     to the server and passes initial socket validation checks, it
 *     is owned by this module (auth) which returns it to the rest of the
 *     server when dns and auth queries are finished. Until the client is
 *     released, the server does not know it exists and does not process
 *     any messages from it.
 *     --Bleep  Thomas Helvey <tomh@inxpress.net>
 */

#include "stdinc.h"
#include "list.h"
#include "ircd_defs.h"
#include "fdlist.h"
#include "auth.h"
#include "conf.h"
#include "client.h"
#include "event.h"
#include "irc_string.h"
#include "ircd.h"
#include "packet.h"
#include "res.h"
#include "s_bsd.h"
#include "log.h"
#include "send.h"
#include "memory.h"


enum
{
  REPORT_DO_DNS,
  REPORT_FIN_DNS,
  REPORT_FAIL_DNS,
  REPORT_DO_ID,
  REPORT_FIN_ID,
  REPORT_FAIL_ID,
  REPORT_IP_MISMATCH,
  REPORT_HOST_TOOLONG,
  REPORT_HOST_INVALID
};

static const char *const HeaderMessages[] =
{
  [REPORT_DO_DNS] = ":*** Looking up your hostname",
  [REPORT_FIN_DNS] = ":*** Found your hostname",
  [REPORT_FAIL_DNS] = ":*** Couldn't look up your hostname",
  [REPORT_DO_ID] = ":*** Checking Ident",
  [REPORT_FIN_ID] = ":*** Got Ident response",
  [REPORT_FAIL_ID] = ":*** No Ident response",
  [REPORT_IP_MISMATCH] = ":*** Your forward and reverse DNS do not match, ignoring hostname",
  [REPORT_HOST_TOOLONG] = ":*** Your hostname is too long, ignoring hostname",
  [REPORT_HOST_INVALID] = ":*** Your hostname contains illegal characters, ignoring hostname"
};

#define auth_sendheader(c, i) sendto_one_notice((c), &me, "%s", HeaderMessages[(i)])

static dlink_list auth_list;


/*! \brief Allocate a new auth request.
 * \param client The client being looked up.
 * \return The newly allocated auth request.
 */
static struct AuthRequest *
auth_make(struct Client *client)
{
  struct AuthRequest *auth = xcalloc(sizeof(*auth));

  auth->client = client;
  auth->client->connection->auth = auth;
  auth->timeout = CurrentTime + CONNECTTIMEOUT;

  return auth;
}

/*! \brief Unlink auth request from auth_list and free memory
 * \param auth The allocated auth request to cleanup.
 */
static void
auth_free(struct AuthRequest *auth)
{
  assert(dlinkFind(&auth_list, auth));
  dlinkDelete(&auth->node, &auth_list);
  assert(dlinkFind(&auth_list, auth) == NULL);

  xfree(auth);
}

/*! \brief Release auth client from auth system. This adds the client into the
 *         local client lists so it can be read by the main io processing loop.
 * \param auth Pointer to AuthRequest struct to release
 */
static void
auth_release_client(struct AuthRequest *auth)
{
  struct Client *client = auth->client;

  if (IsDoingAuth(auth) || IsDNSPending(auth))
    return;

  auth_free(auth);
  client->connection->auth = NULL;

  /*
   * When a client has auth'ed, we want to start reading what it sends
   * us. This is what read_packet() does.
   *     -- adrian
   */
  client->connection->allow_read = MAX_FLOOD;
  comm_setflush(client->connection->fd, 1000, flood_recalc, client);

  client->connection->since     = CurrentTime;
  client->connection->lasttime  = CurrentTime;
  client->connection->firsttime = CurrentTime;
  AddFlag(client, FLAGS_FINISHED_AUTH);

  strlcpy(client->realhost, client->host, sizeof(client->realhost));

  read_packet(client->connection->fd, client);
}

/*! Checks if a hostname is valid and doesn't contain illegal characters
 * \param hostname The string to verify
 * \return 1 if it is valid, 0 if it isn't
 */
static bool
auth_verify_hostname(const char *hostname)
{
  const char *p = hostname;

  assert(p);

  if (EmptyString(p) || *p == '.' || *p == ':')
    return false;

  for (; *p; ++p)
    if (!IsHostChar(*p))
      return false;

  return true;
}

/*! \brief Handle a complete DNS lookup. Send the client on its way to a connection
 *         completion, regardless of success or failure.
 * \param vptr The pending struct AuthRequest.
 * \param addr IP address being resolved.
 * \param name Resolved name, or NULL if lookup failed.
 * \param namelength String length of the resolved hostname pointed by 'name'
 */
static void
auth_dns_callback(void *vptr, const struct irc_ssaddr *addr, const char *name, size_t namelength)
{
  struct AuthRequest *const auth = vptr;

  ClearDNSPending(auth);

  if (EmptyString(name))
    auth_sendheader(auth->client, REPORT_FAIL_DNS);
  else
  {
    if (auth->client->ip.ss.ss_family == AF_INET6)
    {
      const struct sockaddr_in6 *const v6 = (const struct sockaddr_in6 *)&auth->client->ip;
      const struct sockaddr_in6 *const v6dns = (const struct sockaddr_in6 *)addr;

      if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)))
      {
        auth_sendheader(auth->client, REPORT_IP_MISMATCH);
        auth_release_client(auth);
        return;
      }
    }
    else
    {
      const struct sockaddr_in *const v4 = (const struct sockaddr_in *)&auth->client->ip;
      const struct sockaddr_in *const v4dns = (const struct sockaddr_in *)addr;

      if (v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
      {
        auth_sendheader(auth->client, REPORT_IP_MISMATCH);
        auth_release_client(auth);
        return;
      }
    }

    if (namelength > HOSTLEN)
      auth_sendheader(auth->client, REPORT_HOST_TOOLONG);
    else if (auth_verify_hostname(name) == false)
      auth_sendheader(auth->client, REPORT_HOST_INVALID);
    else
    {
      strlcpy(auth->client->host, name, sizeof(auth->client->host));
      auth_sendheader(auth->client, REPORT_FIN_DNS);
    }
  }

  auth_release_client(auth);
}

/*
 * auth_error - handle auth send errors
 */
static void
auth_error(struct AuthRequest *auth)
{
  assert(auth);
  assert(auth->fd);

  ++ServerStats.is_abad;

  fd_close(auth->fd);
  auth->fd = NULL;

  ClearAuth(auth);

  auth_sendheader(auth->client, REPORT_FAIL_ID);

  auth_release_client(auth);
}

/** Enum used to index ident reply fields in a human-readable way. */
enum IdentReplyFields
{
  IDENT_PORT_NUMBERS,
  IDENT_REPLY_TYPE,
  IDENT_OS_TYPE,
  IDENT_INFO,
  USERID_TOKEN_COUNT
};

/** Parse an ident reply line and extract the userid from it.
 * \param reply The ident reply line.
 * \return The userid, or NULL on parse failure.
 */
static const char *
auth_check_ident_reply(char *const reply)
{
  char *token = NULL, *end = NULL;
  char *vector[USERID_TOKEN_COUNT];
  const unsigned int count = token_vector(reply, ':', vector, USERID_TOKEN_COUNT);

  if (USERID_TOKEN_COUNT != count)
    return NULL;

  /*
   * Second token is the reply type
   */
  token = vector[IDENT_REPLY_TYPE];

  if (EmptyString(token))
    return NULL;

  while (IsSpace(*token))
    ++token;

  if (strncmp(token, "USERID", 6))
    return NULL;

  /*
   * Third token is the os type
   */
  token = vector[IDENT_OS_TYPE];

  if (EmptyString(token))
    return NULL;

  while (IsSpace(*token))
   ++token;

  /*
   * Unless "OTHER" is specified as the operating system type, the server
   * is expected to return the "normal" user identification of the owner
   * of this connection. "Normal" in this context may be taken to mean a
   * string of characters which uniquely identifies the connection owner
   * such as a user identifier assigned by the system administrator and
   * used by such user as a mail identifier, or as the "user" part of a
   * user/password pair used to gain access to system resources. When an
   * operating system is specified (e.g., anything but "OTHER"), the user
   * identifier is expected to be in a more or less immediately useful
   * form - e.g., something that could be used as an argument to "finger"
   * or as a mail address.
   */
  if (strncmp(token, "OTHER", 5) == 0)
    return NULL;

  /*
   * Fourth token is the username
   */
  token = vector[IDENT_INFO];

  if (EmptyString(token))
    return NULL;

  while (IsSpace(*token))
    ++token;

  while (*token == '~' || *token == '^')
    ++token;

  /*
   * Look for the end of the username, terminators are '\0, @, <SPACE>, :'
   */
  for (end = token; *end; ++end)
    if (IsSpace(*end) || '@' == *end || ':' == *end)
      break;
  *end = '\0';

  return token;
}

/*! \brief Read the reply (if any) from the ident server we connected to. We
 *         only give it one shot, if the reply isn't good the first time fail
 *         the authentication entirely. --Bleep
 * \param F The socket/fd to read from.
 * \param data The request to read.
 */
static void
auth_read_reply(fde_t *F, void *data)
{
  struct AuthRequest *const auth = data;
  const char *username = NULL;
  ssize_t len = 0;
  char buf[RFC1413_BUFSIZ + 1];

  assert(auth->fd == F);

  if ((len = recv(auth->fd->fd, buf, RFC1413_BUFSIZ, 0)) > 0)
  {
    buf[len] = '\0';
    username = auth_check_ident_reply(buf);
  }

  fd_close(auth->fd);
  auth->fd = NULL;

  ClearAuth(auth);

  if (EmptyString(username))
  {
    auth_sendheader(auth->client, REPORT_FAIL_ID);
    ++ServerStats.is_abad;
  }
  else
  {
    strlcpy(auth->client->username, username, sizeof(auth->client->username));
    auth_sendheader(auth->client, REPORT_FIN_ID);
    ++ServerStats.is_asuc;
    AddFlag(auth->client, FLAGS_GOTID);
  }

  auth_release_client(auth);
}

/*
 * auth_connect_callback() - deal with the result of comm_connect_tcp()
 *
 * If the connection failed, we simply close the auth fd and report
 * a failure. If the connection suceeded send the ident server a query
 * giving "theirport , ourport". The write is only attempted *once* so
 * it is deemed to be a fail if the entire write doesn't write all the
 * data given.  This shouldnt be a problem since the socket should have
 * a write buffer far greater than this message to store it in should
 * problems arise. -avalon
 */
static void
auth_connect_callback(fde_t *F, int error, void *data)
{
  struct AuthRequest *const auth = data;
  struct irc_ssaddr us;
  struct irc_ssaddr them;
  char authbuf[16];
  ssize_t len = 0;
  socklen_t ulen = sizeof(struct irc_ssaddr);
  socklen_t tlen = sizeof(struct irc_ssaddr);
  uint16_t uport, tport;
  struct sockaddr_in6 *v6;

  if (error != COMM_OK)
  {
    auth_error(auth);
    return;
  }

  assert(auth->fd == F);

  if (getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&us, &ulen) ||
      getpeername(auth->client->connection->fd->fd, (struct sockaddr *)&them, &tlen))
  {
    report_error(L_ALL, "auth get{sock,peer}name error %s:%s",
                 client_get_name(auth->client, SHOW_IP), errno);
    auth_error(auth);
    return;
  }

  v6 = (struct sockaddr_in6 *)&us;
  uport = ntohs(v6->sin6_port);
  v6 = (struct sockaddr_in6 *)&them;
  tport = ntohs(v6->sin6_port);

  len = snprintf(authbuf, sizeof(authbuf), "%u, %u\r\n", tport, uport);

  if (send(F->fd, authbuf, len, 0) != len)
  {
    auth_error(auth);
    return;
  }

  comm_setselect(F, COMM_SELECT_READ, auth_read_reply, auth, 0);
}

/*! \brief Flag the client to show an attempt to contact the ident server on
 *         the client's host. Should the connect or any later phase of the
 *         identifying process fail, it is aborted and the user is given a
 *         username of "unknown".
 * \param auth The request for which to start the ident lookup.
 */
static void
auth_start_query(struct AuthRequest *auth)
{
  struct irc_ssaddr localaddr;
  socklen_t locallen = sizeof(struct irc_ssaddr);
  struct sockaddr_in6 *v6;

  /* Open a socket of the same type as the client socket */
  int fd = comm_socket(auth->client->ip.ss.ss_family, SOCK_STREAM, 0);
  if (fd == -1)
  {
    report_error(L_ALL, "creating auth stream socket %s:%s",
                 client_get_name(auth->client, SHOW_IP), errno);
    ++ServerStats.is_abad;
    return;
  }

  auth->fd = fd_open(fd, 1, "ident");

  SetDoingAuth(auth);
  auth_sendheader(auth->client, REPORT_DO_ID);

  /*
   * Get the local address of the client and bind to that to
   * make the auth request.
   */
  memset(&localaddr, 0, locallen);
  getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&localaddr, &locallen);

  remove_ipv6_mapping(&localaddr);
  v6 = (struct sockaddr_in6 *)&localaddr;
  v6->sin6_port = htons(0);
  localaddr.ss_port = htons(0);

  comm_connect_tcp(auth->fd, auth->client->sockhost, RFC1413_PORT,
      (struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
      auth, auth->client->ip.ss.ss_family,
      GlobalSetOptions.ident_timeout);
}

/*
 * auth_start
 *
 * inputs       - pointer to client to auth
 * output       - NONE
 * side effects - starts auth (identd) and dns queries for a client
 */
void
auth_start(struct Client *client_p)
{
  struct AuthRequest *auth = auth_make(client_p);

  dlinkAddTail(auth, &auth->node, &auth_list);

  auth_sendheader(client_p, REPORT_DO_DNS);

  SetDNSPending(auth);

  if (ConfigGeneral.disable_auth == 0)
    auth_start_query(auth);

  gethost_byaddr(auth_dns_callback, auth, &client_p->ip);
}

/*
 * auth_delete()
 */
void
auth_delete(struct AuthRequest *auth)
{
  if (IsDoingAuth(auth))
  {
    fd_close(auth->fd);
    auth->fd = NULL;

    ClearAuth(auth);
  }

  if (IsDNSPending(auth))
  {
    delete_resolver_queries(auth);
    ClearDNSPending(auth);
  }

  auth_free(auth);
}

/*
 * auth_timeout_queries - timeout resolver and identd requests
 * allow clients through if requests failed
 */
static void
auth_timeout_queries(void *notused)
{
  dlink_node *node, *node_next;

  DLINK_FOREACH_SAFE(node, node_next, auth_list.head)
  {
    struct AuthRequest *auth = node->data;

    if (auth->timeout > CurrentTime)
      break;

    if (IsDoingAuth(auth))
    {
      ++ServerStats.is_abad;

      fd_close(auth->fd);
      auth->fd = NULL;

      ClearAuth(auth);

      auth_sendheader(auth->client, REPORT_FAIL_ID);
    }

    if (IsDNSPending(auth))
    {
      delete_resolver_queries(auth);
      ClearDNSPending(auth);

      auth_sendheader(auth->client, REPORT_FAIL_DNS);
    }

    auth_release_client(auth);
  }
}

/* auth_init
 *
 * Initialise the auth code
 */
void
auth_init(void)
{
  static struct event timeout_auth_queries =
  {
    .name = "auth_timeout_queries",
    .handler = auth_timeout_queries,
    .when = 1
  };

  event_add(&timeout_auth_queries, NULL);
}
Revision:	8655
Committed:	Sun Nov 11 20:18:54 2018 UTC (5 years, 5 months ago) by michael
Content type:	text/x-csrc
File size:	15184 byte(s)
Log Message:	- Make use of the bool data type in some places
#	User	Rev	Content
1	adx	30	/*
2	michael	2916	* ircd-hybrid: an advanced, lightweight Internet Relay Chat Daemon (ircd)
3	adx	30	*
4	michael	8280	* Copyright (c) 1997-2018 ircd-hybrid development team
5	adx	30	*
6			* This program is free software; you can redistribute it and/or modify
7			* it under the terms of the GNU General Public License as published by
8			* the Free Software Foundation; either version 2 of the License, or
9			* (at your option) any later version.
10			*
11			* This program is distributed in the hope that it will be useful,
12			* but WITHOUT ANY WARRANTY; without even the implied warranty of
13			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14			* GNU General Public License for more details.
15			*
16			* You should have received a copy of the GNU General Public License
17			* along with this program; if not, write to the Free Software
18	michael	4564	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
19	adx	30	* USA
20			*/
21
22	michael	3324	/*! \file auth.c
23	michael	8305	* \brief Implementation of DNS and ident lookups.
24	michael	2916	* \version $Id$
25			*/
26
27	adx	30	/*
28			* Changes:
29			* July 6, 1999 - Rewrote most of the code here. When a client connects
30			* to the server and passes initial socket validation checks, it
31			* is owned by this module (auth) which returns it to the rest of the
32			* server when dns and auth queries are finished. Until the client is
33			* released, the server does not know it exists and does not process
34			* any messages from it.
35			* --Bleep Thomas Helvey <tomh@inxpress.net>
36			*/
37	michael	1309
38	adx	30	#include "stdinc.h"
39			#include "list.h"
40	michael	1011	#include "ircd_defs.h"
41			#include "fdlist.h"
42	michael	3324	#include "auth.h"
43	michael	1309	#include "conf.h"
44	adx	30	#include "client.h"
45			#include "event.h"
46			#include "irc_string.h"
47			#include "ircd.h"
48			#include "packet.h"
49	michael	3322	#include "res.h"
50	adx	30	#include "s_bsd.h"
51	michael	1309	#include "log.h"
52	adx	30	#include "send.h"
53	michael	8384	#include "memory.h"
54	adx	30
55	michael	1011
56	michael	2916	enum
57			{
58	adx	30	REPORT_DO_DNS,
59			REPORT_FIN_DNS,
60			REPORT_FAIL_DNS,
61			REPORT_DO_ID,
62			REPORT_FIN_ID,
63			REPORT_FAIL_ID,
64			REPORT_IP_MISMATCH,
65	michael	8216	REPORT_HOST_TOOLONG,
66			REPORT_HOST_INVALID
67	adx	30	};
68
69	michael	5889	static const char *const HeaderMessages[] =
70			{
71			[REPORT_DO_DNS] = ":*** Looking up your hostname",
72			[REPORT_FIN_DNS] = ":*** Found your hostname",
73			[REPORT_FAIL_DNS] = ":*** Couldn't look up your hostname",
74			[REPORT_DO_ID] = ":*** Checking Ident",
75			[REPORT_FIN_ID] = ":*** Got Ident response",
76			[REPORT_FAIL_ID] = ":*** No Ident response",
77			[REPORT_IP_MISMATCH] = ":*** Your forward and reverse DNS do not match, ignoring hostname",
78	michael	8216	[REPORT_HOST_TOOLONG] = ":*** Your hostname is too long, ignoring hostname",
79			[REPORT_HOST_INVALID] = ":*** Your hostname contains illegal characters, ignoring hostname"
80	michael	5889	};
81
82	michael	8305	#define auth_sendheader(c, i) sendto_one_notice((c), &me, "%s", HeaderMessages[(i)])
83	adx	30
84	michael	6477	static dlink_list auth_list;
85	adx	30
86	michael	4095
87	michael	8348	/*! \brief Allocate a new auth request.
88			* \param client The client being looked up.
89			* \return The newly allocated auth request.
90	adx	30	*/
91			static struct AuthRequest *
92	michael	8338	auth_make(struct Client *client)
93	adx	30	{
94	michael	8384	struct AuthRequest auth = xcalloc(sizeof(auth));
95	adx	30
96	michael	6689	auth->client = client;
97	michael	8469	auth->client->connection->auth = auth;
98	michael	6689	auth->timeout = CurrentTime + CONNECTTIMEOUT;
99	michael	2181
100	michael	6689	return auth;
101	adx	30	}
102
103	michael	8469	/*! \brief Unlink auth request from auth_list and free memory
104			* \param auth The allocated auth request to cleanup.
105			*/
106			static void
107			auth_free(struct AuthRequest *auth)
108			{
109			assert(dlinkFind(&auth_list, auth));
110			dlinkDelete(&auth->node, &auth_list);
111			assert(dlinkFind(&auth_list, auth) == NULL);
112
113			xfree(auth);
114			}
115
116	michael	8305	/*! \brief Release auth client from auth system. This adds the client into the
117			* local client lists so it can be read by the main io processing loop.
118			* \param auth Pointer to AuthRequest struct to release
119	adx	30	*/
120	michael	8303	static void
121	michael	8305	auth_release_client(struct AuthRequest *auth)
122	adx	30	{
123	michael	8469	struct Client *client = auth->client;
124	michael	992
125			if (IsDoingAuth(auth) \|\| IsDNSPending(auth))
126			return;
127
128	michael	8469	auth_free(auth);
129	michael	8338	client->connection->auth = NULL;
130
131	adx	30	/*
132			* When a client has auth'ed, we want to start reading what it sends
133			* us. This is what read_packet() does.
134			* -- adrian
135			*/
136	michael	4589	client->connection->allow_read = MAX_FLOOD;
137	michael	8338	comm_setflush(client->connection->fd, 1000, flood_recalc, client);
138	michael	650
139	michael	4589	client->connection->since = CurrentTime;
140			client->connection->lasttime = CurrentTime;
141			client->connection->firsttime = CurrentTime;
142	michael	8297	AddFlag(client, FLAGS_FINISHED_AUTH);
143	michael	650
144	michael	8213	strlcpy(client->realhost, client->host, sizeof(client->realhost));
145
146	michael	8338	read_packet(client->connection->fd, client);
147	adx	30	}
148	michael	2916
149	michael	8219	/*! Checks if a hostname is valid and doesn't contain illegal characters
150			* \param hostname The string to verify
151			* \return 1 if it is valid, 0 if it isn't
152			*/
153	michael	8655	static bool
154	michael	8216	auth_verify_hostname(const char *hostname)
155			{
156			const char *p = hostname;
157
158			assert(p);
159
160			if (EmptyString(p) \|\| p == '.' \|\| p == ':')
161	michael	8655	return false;
162	michael	8216
163			for (; *p; ++p)
164			if (!IsHostChar(*p))
165	michael	8655	return false;
166	michael	8216
167	michael	8655	return true;
168	michael	8216	}
169
170	michael	8305	/*! \brief Handle a complete DNS lookup. Send the client on its way to a connection
171			* completion, regardless of success or failure.
172			* \param vptr The pending struct AuthRequest.
173			* \param addr IP address being resolved.
174			* \param name Resolved name, or NULL if lookup failed.
175			* \param namelength String length of the resolved hostname pointed by 'name'
176	adx	30	*/
177			static void
178	michael	4409	auth_dns_callback(void vptr, const struct irc_ssaddr addr, const char *name, size_t namelength)
179	adx	30	{
180	michael	4853	struct AuthRequest *const auth = vptr;
181	adx	30
182			ClearDNSPending(auth);
183
184	michael	8430	if (EmptyString(name))
185			auth_sendheader(auth->client, REPORT_FAIL_DNS);
186			else
187	adx	30	{
188	michael	8495	if (auth->client->ip.ss.ss_family == AF_INET6)
189	adx	30	{
190	michael	8495	const struct sockaddr_in6 const v6 = (const struct sockaddr_in6 )&auth->client->ip;
191	michael	4857	const struct sockaddr_in6 const v6dns = (const struct sockaddr_in6 )addr;
192	michael	3250
193	michael	5901	if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)))
194	adx	30	{
195	michael	8305	auth_sendheader(auth->client, REPORT_IP_MISMATCH);
196			auth_release_client(auth);
197	michael	4409	return;
198	adx	30	}
199			}
200			else
201			{
202	michael	8495	const struct sockaddr_in const v4 = (const struct sockaddr_in )&auth->client->ip;
203	michael	4857	const struct sockaddr_in const v4dns = (const struct sockaddr_in )addr;
204	michael	3250
205			if (v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
206	adx	30	{
207	michael	8305	auth_sendheader(auth->client, REPORT_IP_MISMATCH);
208			auth_release_client(auth);
209	michael	4409	return;
210	adx	30	}
211			}
212	michael	3250
213	michael	4409	if (namelength > HOSTLEN)
214	michael	8305	auth_sendheader(auth->client, REPORT_HOST_TOOLONG);
215	michael	8655	else if (auth_verify_hostname(name) == false)
216	michael	8305	auth_sendheader(auth->client, REPORT_HOST_INVALID);
217	michael	4409	else
218	adx	30	{
219	michael	4409	strlcpy(auth->client->host, name, sizeof(auth->client->host));
220	michael	8305	auth_sendheader(auth->client, REPORT_FIN_DNS);
221	adx	30	}
222			}
223
224	michael	8305	auth_release_client(auth);
225	adx	30	}
226
227			/*
228	michael	8305	* auth_error - handle auth send errors
229	adx	30	*/
230			static void
231			auth_error(struct AuthRequest *auth)
232			{
233	michael	8523	assert(auth);
234			assert(auth->fd);
235
236	michael	896	++ServerStats.is_abad;
237	adx	30
238	michael	8338	fd_close(auth->fd);
239			auth->fd = NULL;
240
241	adx	30	ClearAuth(auth);
242
243	michael	8305	auth_sendheader(auth->client, REPORT_FAIL_ID);
244	adx	30
245	michael	8305	auth_release_client(auth);
246	adx	30	}
247
248	michael	4310	/** Enum used to index ident reply fields in a human-readable way. */
249			enum IdentReplyFields
250			{
251			IDENT_PORT_NUMBERS,
252			IDENT_REPLY_TYPE,
253			IDENT_OS_TYPE,
254			IDENT_INFO,
255			USERID_TOKEN_COUNT
256			};
257
258			/** Parse an ident reply line and extract the userid from it.
259			* \param reply The ident reply line.
260			* \return The userid, or NULL on parse failure.
261			*/
262			static const char *
263	michael	8305	auth_check_ident_reply(char *const reply)
264	michael	4310	{
265			char token = NULL, end = NULL;
266			char *vector[USERID_TOKEN_COUNT];
267	michael	7583	const unsigned int count = token_vector(reply, ':', vector, USERID_TOKEN_COUNT);
268	michael	4310
269			if (USERID_TOKEN_COUNT != count)
270			return NULL;
271
272			/*
273			* Second token is the reply type
274			*/
275			token = vector[IDENT_REPLY_TYPE];
276
277			if (EmptyString(token))
278			return NULL;
279
280			while (IsSpace(*token))
281			++token;
282
283			if (strncmp(token, "USERID", 6))
284			return NULL;
285
286			/*
287			* Third token is the os type
288			*/
289			token = vector[IDENT_OS_TYPE];
290
291			if (EmptyString(token))
292			return NULL;
293
294			while (IsSpace(*token))
295			++token;
296
297			/*
298			* Unless "OTHER" is specified as the operating system type, the server
299			* is expected to return the "normal" user identification of the owner
300			* of this connection. "Normal" in this context may be taken to mean a
301			* string of characters which uniquely identifies the connection owner
302			* such as a user identifier assigned by the system administrator and
303			* used by such user as a mail identifier, or as the "user" part of a
304			* user/password pair used to gain access to system resources. When an
305			* operating system is specified (e.g., anything but "OTHER"), the user
306			* identifier is expected to be in a more or less immediately useful
307			* form - e.g., something that could be used as an argument to "finger"
308			* or as a mail address.
309			*/
310	michael	8621	if (strncmp(token, "OTHER", 5) == 0)
311	michael	4310	return NULL;
312
313			/*
314			* Fourth token is the username
315			*/
316			token = vector[IDENT_INFO];
317
318			if (EmptyString(token))
319			return NULL;
320
321			while (IsSpace(*token))
322			++token;
323
324			while (token == '~' \|\| token == '^')
325			++token;
326
327			/*
328			* Look for the end of the username, terminators are '\0, @, <SPACE>, :'
329			*/
330			for (end = token; *end; ++end)
331			if (IsSpace(end) \|\| '@' == end \|\| ':' == *end)
332			break;
333			*end = '\0';
334
335			return token;
336			}
337
338	michael	8305	/*! \brief Read the reply (if any) from the ident server we connected to. We
339			* only give it one shot, if the reply isn't good the first time fail
340			* the authentication entirely. --Bleep
341	michael	8348	* \param F The socket/fd to read from.
342	michael	8305	* \param data The request to read.
343	adx	30	*/
344			static void
345	michael	8348	auth_read_reply(fde_t F, void data)
346	adx	30	{
347	michael	4853	struct AuthRequest *const auth = data;
348	michael	4310	const char *username = NULL;
349			ssize_t len = 0;
350			char buf[RFC1413_BUFSIZ + 1];
351	adx	30
352	michael	8348	assert(auth->fd == F);
353	michael	8338
354			if ((len = recv(auth->fd->fd, buf, RFC1413_BUFSIZ, 0)) > 0)
355	adx	30	{
356			buf[len] = '\0';
357	michael	8305	username = auth_check_ident_reply(buf);
358	adx	30	}
359
360	michael	8338	fd_close(auth->fd);
361			auth->fd = NULL;
362
363	adx	30	ClearAuth(auth);
364
365	michael	4310	if (EmptyString(username))
366	adx	30	{
367	michael	8305	auth_sendheader(auth->client, REPORT_FAIL_ID);
368	michael	896	++ServerStats.is_abad;
369	adx	30	}
370			else
371			{
372	michael	4310	strlcpy(auth->client->username, username, sizeof(auth->client->username));
373	michael	8305	auth_sendheader(auth->client, REPORT_FIN_ID);
374	michael	896	++ServerStats.is_asuc;
375	michael	6314	AddFlag(auth->client, FLAGS_GOTID);
376	adx	30	}
377
378	michael	8305	auth_release_client(auth);
379	adx	30	}
380
381			/*
382	michael	8305	* auth_connect_callback() - deal with the result of comm_connect_tcp()
383			*
384			* If the connection failed, we simply close the auth fd and report
385			* a failure. If the connection suceeded send the ident server a query
386			* giving "theirport , ourport". The write is only attempted once so
387			* it is deemed to be a fail if the entire write doesn't write all the
388			* data given. This shouldnt be a problem since the socket should have
389			* a write buffer far greater than this message to store it in should
390			* problems arise. -avalon
391			*/
392			static void
393	michael	8348	auth_connect_callback(fde_t F, int error, void data)
394	michael	8305	{
395			struct AuthRequest *const auth = data;
396			struct irc_ssaddr us;
397			struct irc_ssaddr them;
398			char authbuf[16];
399			ssize_t len = 0;
400			socklen_t ulen = sizeof(struct irc_ssaddr);
401			socklen_t tlen = sizeof(struct irc_ssaddr);
402			uint16_t uport, tport;
403			struct sockaddr_in6 *v6;
404
405			if (error != COMM_OK)
406			{
407			auth_error(auth);
408			return;
409			}
410
411	michael	8348	assert(auth->fd == F);
412	michael	8338
413			if (getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&us, &ulen) \|\|
414			getpeername(auth->client->connection->fd->fd, (struct sockaddr *)&them, &tlen))
415	michael	8305	{
416			report_error(L_ALL, "auth get{sock,peer}name error %s:%s",
417			client_get_name(auth->client, SHOW_IP), errno);
418			auth_error(auth);
419			return;
420			}
421
422			v6 = (struct sockaddr_in6 *)&us;
423			uport = ntohs(v6->sin6_port);
424			v6 = (struct sockaddr_in6 *)&them;
425			tport = ntohs(v6->sin6_port);
426
427			len = snprintf(authbuf, sizeof(authbuf), "%u, %u\r\n", tport, uport);
428
429	michael	8348	if (send(F->fd, authbuf, len, 0) != len)
430	michael	8305	{
431			auth_error(auth);
432			return;
433			}
434
435	michael	8348	comm_setselect(F, COMM_SELECT_READ, auth_read_reply, auth, 0);
436	michael	8305	}
437
438			/*! \brief Flag the client to show an attempt to contact the ident server on
439			* the client's host. Should the connect or any later phase of the
440			* identifying process fail, it is aborted and the user is given a
441			* username of "unknown".
442			* \param auth The request for which to start the ident lookup.
443			*/
444			static void
445			auth_start_query(struct AuthRequest *auth)
446			{
447			struct irc_ssaddr localaddr;
448			socklen_t locallen = sizeof(struct irc_ssaddr);
449			struct sockaddr_in6 *v6;
450
451			/* Open a socket of the same type as the client socket */
452	michael	8495	int fd = comm_socket(auth->client->ip.ss.ss_family, SOCK_STREAM, 0);
453	michael	8338	if (fd == -1)
454	michael	8305	{
455			report_error(L_ALL, "creating auth stream socket %s:%s",
456			client_get_name(auth->client, SHOW_IP), errno);
457			++ServerStats.is_abad;
458			return;
459			}
460
461	michael	8338	auth->fd = fd_open(fd, 1, "ident");
462
463	michael	8305	SetDoingAuth(auth);
464			auth_sendheader(auth->client, REPORT_DO_ID);
465
466			/*
467			* Get the local address of the client and bind to that to
468			* make the auth request.
469			*/
470			memset(&localaddr, 0, locallen);
471	michael	8338	getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&localaddr, &locallen);
472	michael	8305
473			remove_ipv6_mapping(&localaddr);
474			v6 = (struct sockaddr_in6 *)&localaddr;
475			v6->sin6_port = htons(0);
476			localaddr.ss_port = htons(0);
477
478	michael	8338	comm_connect_tcp(auth->fd, auth->client->sockhost, RFC1413_PORT,
479	michael	8305	(struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
480	michael	8495	auth, auth->client->ip.ss.ss_family,
481	michael	8305	GlobalSetOptions.ident_timeout);
482			}
483
484			/*
485			* auth_start
486			*
487			* inputs - pointer to client to auth
488			* output - NONE
489			* side effects - starts auth (identd) and dns queries for a client
490			*/
491			void
492			auth_start(struct Client *client_p)
493			{
494	michael	8338	struct AuthRequest *auth = auth_make(client_p);
495	michael	8305
496			dlinkAddTail(auth, &auth->node, &auth_list);
497
498			auth_sendheader(client_p, REPORT_DO_DNS);
499
500			SetDNSPending(auth);
501
502			if (ConfigGeneral.disable_auth == 0)
503			auth_start_query(auth);
504
505	michael	8495	gethost_byaddr(auth_dns_callback, auth, &client_p->ip);
506	michael	8305	}
507
508			/*
509	michael	7954	* auth_delete()
510	adx	30	*/
511	michael	2916	void
512	michael	7954	auth_delete(struct AuthRequest *auth)
513	adx	30	{
514	michael	8305	if (IsDoingAuth(auth))
515			{
516	michael	8338	fd_close(auth->fd);
517			auth->fd = NULL;
518	michael	8348
519	michael	8305	ClearAuth(auth);
520			}
521
522	michael	992	if (IsDNSPending(auth))
523	michael	8299	{
524	michael	992	delete_resolver_queries(auth);
525	michael	8299	ClearDNSPending(auth);
526			}
527	adx	30
528	michael	8469	auth_free(auth);
529	adx	30	}
530	michael	4310
531	michael	8305	/*
532			* auth_timeout_queries - timeout resolver and identd requests
533			* allow clients through if requests failed
534			*/
535			static void
536			auth_timeout_queries(void *notused)
537			{
538			dlink_node node, node_next;
539
540			DLINK_FOREACH_SAFE(node, node_next, auth_list.head)
541			{
542			struct AuthRequest *auth = node->data;
543
544			if (auth->timeout > CurrentTime)
545			break;
546
547			if (IsDoingAuth(auth))
548			{
549			++ServerStats.is_abad;
550	michael	8348
551	michael	8338	fd_close(auth->fd);
552			auth->fd = NULL;
553
554	michael	8305	ClearAuth(auth);
555
556			auth_sendheader(auth->client, REPORT_FAIL_ID);
557			}
558
559			if (IsDNSPending(auth))
560			{
561			delete_resolver_queries(auth);
562			ClearDNSPending(auth);
563
564			auth_sendheader(auth->client, REPORT_FAIL_DNS);
565			}
566
567			auth_release_client(auth);
568			}
569			}
570
571	michael	4310	/* auth_init
572			*
573			* Initialise the auth code
574			*/
575			void
576			auth_init(void)
577			{
578			static struct event timeout_auth_queries =
579			{
580	michael	8305	.name = "auth_timeout_queries",
581			.handler = auth_timeout_queries,
582	michael	4310	.when = 1
583			};
584
585			event_add(&timeout_auth_queries, NULL);
586			}