/[svn]/ircd-hybrid/branches/8.2.x/src/auth.c
ViewVC logotype

Contents of /ircd-hybrid/branches/8.2.x/src/auth.c

Parent Directory Parent Directory | Revision Log Revision Log


Revision 8892 - (show annotations)
Sun Apr 21 14:10:43 2019 UTC (3 years, 9 months ago) by michael
File MIME type: text/x-chdr
File size: 13583 byte(s)
- auth.c: remove auth_timeout_queries() and related code. Just let the dns and identd timeouts finish the request
- Removed IDENTTIMEOUT from '/set' options. We now no longer allow users to change this on runtime. identd timeout is 5 seconds now

1 /*
2 * ircd-hybrid: an advanced, lightweight Internet Relay Chat Daemon (ircd)
3 *
4 * Copyright (c) 1997-2019 ircd-hybrid development team
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
19 * USA
20 */
21
22 /*! \file auth.c
23 * \brief Implementation of DNS and ident lookups.
24 * \version $Id$
25 */
26
27 /*
28 * Changes:
29 * July 6, 1999 - Rewrote most of the code here. When a client connects
30 * to the server and passes initial socket validation checks, it
31 * is owned by this module (auth) which returns it to the rest of the
32 * server when dns and auth queries are finished. Until the client is
33 * released, the server does not know it exists and does not process
34 * any messages from it.
35 * --Bleep Thomas Helvey <tomh@inxpress.net>
36 */
37
38 #include "stdinc.h"
39 #include "list.h"
40 #include "ircd_defs.h"
41 #include "fdlist.h"
42 #include "auth.h"
43 #include "conf.h"
44 #include "client.h"
45 #include "event.h"
46 #include "irc_string.h"
47 #include "ircd.h"
48 #include "packet.h"
49 #include "res.h"
50 #include "s_bsd.h"
51 #include "log.h"
52 #include "send.h"
53 #include "memory.h"
54 #include "misc.h"
55
56
57 enum
58 {
59 REPORT_DO_DNS,
60 REPORT_FIN_DNS,
61 REPORT_FAIL_DNS,
62 REPORT_DO_ID,
63 REPORT_FIN_ID,
64 REPORT_FAIL_ID,
65 REPORT_IP_MISMATCH,
66 REPORT_HOST_TOOLONG,
67 REPORT_HOST_INVALID
68 };
69
70 static const char *const HeaderMessages[] =
71 {
72 [REPORT_DO_DNS] = ":*** Looking up your hostname",
73 [REPORT_FIN_DNS] = ":*** Found your hostname",
74 [REPORT_FAIL_DNS] = ":*** Couldn't look up your hostname",
75 [REPORT_DO_ID] = ":*** Checking Ident",
76 [REPORT_FIN_ID] = ":*** Got Ident response",
77 [REPORT_FAIL_ID] = ":*** No Ident response",
78 [REPORT_IP_MISMATCH] = ":*** Your forward and reverse DNS do not match, ignoring hostname",
79 [REPORT_HOST_TOOLONG] = ":*** Your hostname is too long, ignoring hostname",
80 [REPORT_HOST_INVALID] = ":*** Your hostname contains illegal characters, ignoring hostname"
81 };
82
83 #define auth_sendheader(c, i) sendto_one_notice((c), &me, "%s", HeaderMessages[(i)])
84
85
86
87 /*! \brief Allocate a new auth request.
88 * \param client The client being looked up.
89 * \return The newly allocated auth request.
90 */
91 static struct AuthRequest *
92 auth_make(struct Client *client)
93 {
94 struct AuthRequest *auth = xcalloc(sizeof(*auth));
95
96 auth->client = client;
97 auth->client->connection->auth = auth;
98
99 return auth;
100 }
101
102 /*! \brief Free memory
103 * \param auth The allocated auth request to cleanup.
104 */
105 static void
106 auth_free(struct AuthRequest *auth)
107 {
108 auth->client = NULL;
109 xfree(auth);
110 }
111
112 /*! \brief Release auth client from auth system. This adds the client into the
113 * local client lists so it can be read by the main io processing loop.
114 * \param auth Pointer to AuthRequest struct to release
115 */
116 static void
117 auth_release_client(struct AuthRequest *auth)
118 {
119 struct Client *client = auth->client;
120
121 assert(client);
122 assert(client->connection);
123
124 if (auth->ident_pending == true || auth->dns_pending == true)
125 return;
126
127 auth_free(auth);
128 client->connection->auth = NULL;
129
130 /*
131 * When a client has auth'ed, we want to start reading what it sends
132 * us. This is what read_packet() does.
133 * -- adrian
134 */
135 comm_setflush(client->connection->fd, 1000, flood_recalc, client);
136
137 client->connection->since = CurrentTime;
138 client->connection->lasttime = CurrentTime;
139 client->connection->firsttime = CurrentTime;
140 AddFlag(client, FLAGS_FINISHED_AUTH);
141
142 strlcpy(client->realhost, client->host, sizeof(client->realhost));
143
144 read_packet(client->connection->fd, client);
145 }
146
147 /*! Checks if a hostname is valid and doesn't contain illegal characters
148 * \param hostname The string to verify
149 * \return 1 if it is valid, 0 if it isn't
150 */
151 static bool
152 auth_verify_hostname(const char *hostname)
153 {
154 const char *p = hostname;
155
156 assert(p);
157
158 if (EmptyString(p) || *p == '.' || *p == ':')
159 return false;
160
161 for (; *p; ++p)
162 if (!IsHostChar(*p))
163 return false;
164
165 return true;
166 }
167
168 /*! \brief Handle a complete DNS lookup. Send the client on its way to a connection
169 * completion, regardless of success or failure.
170 * \param vptr The pending struct AuthRequest.
171 * \param addr IP address being resolved.
172 * \param name Resolved name, or NULL if lookup failed.
173 * \param namelength String length of the resolved hostname pointed by 'name'
174 */
175 static void
176 auth_dns_callback(void *vptr, const struct irc_ssaddr *addr, const char *name, size_t namelength)
177 {
178 struct AuthRequest *const auth = vptr;
179
180 assert(auth->client);
181 assert(auth->client->connection);
182
183 auth->dns_pending = false;
184
185 if (namelength == 0)
186 auth_sendheader(auth->client, REPORT_FAIL_DNS);
187 else if (address_compare(addr, &auth->client->ip, false) == false)
188 auth_sendheader(auth->client, REPORT_IP_MISMATCH);
189 else if (namelength > HOSTLEN)
190 auth_sendheader(auth->client, REPORT_HOST_TOOLONG);
191 else if (auth_verify_hostname(name) == false)
192 auth_sendheader(auth->client, REPORT_HOST_INVALID);
193 else
194 {
195 strlcpy(auth->client->host, name, sizeof(auth->client->host));
196 auth_sendheader(auth->client, REPORT_FIN_DNS);
197 }
198
199 auth_release_client(auth);
200 }
201
202 /*
203 * auth_error - handle auth send errors
204 */
205 static void
206 auth_error(struct AuthRequest *auth)
207 {
208 assert(auth);
209 assert(auth->fd);
210 assert(auth->client);
211 assert(auth->client->connection);
212
213 ++ServerStats.is_abad;
214
215 fd_close(auth->fd);
216 auth->fd = NULL;
217 auth->ident_pending = false;
218
219 auth_sendheader(auth->client, REPORT_FAIL_ID);
220
221 auth_release_client(auth);
222 }
223
224 /** Enum used to index ident reply fields in a human-readable way. */
225 enum IdentReplyFields
226 {
227 IDENT_PORT_NUMBERS,
228 IDENT_REPLY_TYPE,
229 IDENT_OS_TYPE,
230 IDENT_INFO,
231 USERID_TOKEN_COUNT
232 };
233
234 /** Parse an ident reply line and extract the userid from it.
235 * \param reply The ident reply line.
236 * \return The userid, or NULL on parse failure.
237 */
238 static const char *
239 auth_check_ident_reply(char *const reply)
240 {
241 char *token = NULL, *end = NULL;
242 char *vector[USERID_TOKEN_COUNT];
243 const unsigned int count = token_vector(reply, ':', vector, USERID_TOKEN_COUNT);
244
245 if (USERID_TOKEN_COUNT != count)
246 return NULL;
247
248 /*
249 * Second token is the reply type
250 */
251 token = vector[IDENT_REPLY_TYPE];
252
253 if (EmptyString(token))
254 return NULL;
255
256 while (IsSpace(*token))
257 ++token;
258
259 if (strncmp(token, "USERID", 6))
260 return NULL;
261
262 /*
263 * Third token is the os type
264 */
265 token = vector[IDENT_OS_TYPE];
266
267 if (EmptyString(token))
268 return NULL;
269
270 while (IsSpace(*token))
271 ++token;
272
273 /*
274 * Unless "OTHER" is specified as the operating system type, the server
275 * is expected to return the "normal" user identification of the owner
276 * of this connection. "Normal" in this context may be taken to mean a
277 * string of characters which uniquely identifies the connection owner
278 * such as a user identifier assigned by the system administrator and
279 * used by such user as a mail identifier, or as the "user" part of a
280 * user/password pair used to gain access to system resources. When an
281 * operating system is specified (e.g., anything but "OTHER"), the user
282 * identifier is expected to be in a more or less immediately useful
283 * form - e.g., something that could be used as an argument to "finger"
284 * or as a mail address.
285 */
286 if (strncmp(token, "OTHER", 5) == 0)
287 return NULL;
288
289 /*
290 * Fourth token is the username
291 */
292 token = vector[IDENT_INFO];
293
294 if (EmptyString(token))
295 return NULL;
296
297 while (IsSpace(*token))
298 ++token;
299
300 while (*token == '~' || *token == '^')
301 ++token;
302
303 /*
304 * Look for the end of the username, terminators are '\0, @, <SPACE>, :'
305 */
306 for (end = token; *end; ++end)
307 if (IsSpace(*end) || '@' == *end || ':' == *end)
308 break;
309 *end = '\0';
310
311 return token;
312 }
313
314 /*! \brief Read the reply (if any) from the ident server we connected to. We
315 * only give it one shot, if the reply isn't good the first time fail
316 * the authentication entirely. --Bleep
317 * \param F The socket/fd to read from.
318 * \param data The request to read.
319 */
320 static void
321 auth_read_reply(fde_t *F, void *data)
322 {
323 struct AuthRequest *const auth = data;
324 const char *username = NULL;
325 ssize_t len = 0;
326 char buf[RFC1413_BUFSIZ + 1];
327
328 assert(auth->fd == F);
329 assert(auth->client);
330 assert(auth->client->connection);
331
332 if ((len = recv(auth->fd->fd, buf, sizeof(buf) - 1, 0)) > 0)
333 {
334 buf[len] = '\0';
335 username = auth_check_ident_reply(buf);
336 }
337
338 fd_close(auth->fd);
339 auth->fd = NULL;
340 auth->ident_pending = false;
341
342 if (EmptyString(username))
343 {
344 auth_sendheader(auth->client, REPORT_FAIL_ID);
345 ++ServerStats.is_abad;
346 }
347 else
348 {
349 strlcpy(auth->client->username, username, sizeof(auth->client->username));
350 auth_sendheader(auth->client, REPORT_FIN_ID);
351 ++ServerStats.is_asuc;
352 AddFlag(auth->client, FLAGS_GOTID);
353 }
354
355 auth_release_client(auth);
356 }
357
358 /*
359 * auth_connect_callback() - deal with the result of comm_connect_tcp()
360 *
361 * If the connection failed, we simply close the auth fd and report
362 * a failure. If the connection suceeded send the ident server a query
363 * giving "theirport , ourport". The write is only attempted *once* so
364 * it is deemed to be a fail if the entire write doesn't write all the
365 * data given. This shouldnt be a problem since the socket should have
366 * a write buffer far greater than this message to store it in should
367 * problems arise. -avalon
368 */
369 static void
370 auth_connect_callback(fde_t *F, int error, void *data)
371 {
372 struct AuthRequest *const auth = data;
373 struct irc_ssaddr us;
374 struct irc_ssaddr them;
375 char authbuf[16];
376 ssize_t len = 0;
377 socklen_t ulen = sizeof(struct irc_ssaddr);
378 socklen_t tlen = sizeof(struct irc_ssaddr);
379 uint16_t uport, tport;
380 struct sockaddr_in6 *v6;
381
382 assert(auth->fd == F);
383 assert(auth->client);
384 assert(auth->client->connection);
385
386 if (error != COMM_OK)
387 {
388 auth_error(auth);
389 return;
390 }
391
392 if (getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&us, &ulen) ||
393 getpeername(auth->client->connection->fd->fd, (struct sockaddr *)&them, &tlen))
394 {
395 report_error(L_ALL, "auth get{sock,peer}name error %s:%s",
396 client_get_name(auth->client, SHOW_IP), errno);
397 auth_error(auth);
398 return;
399 }
400
401 v6 = (struct sockaddr_in6 *)&us;
402 uport = ntohs(v6->sin6_port);
403 v6 = (struct sockaddr_in6 *)&them;
404 tport = ntohs(v6->sin6_port);
405
406 len = snprintf(authbuf, sizeof(authbuf), "%u, %u\r\n", tport, uport);
407
408 if (send(F->fd, authbuf, len, 0) != len)
409 {
410 auth_error(auth);
411 return;
412 }
413
414 comm_setselect(F, COMM_SELECT_READ, auth_read_reply, auth, 0);
415 }
416
417 /*! \brief Flag the client to show an attempt to contact the ident server on
418 * the client's host. Should the connect or any later phase of the
419 * identifying process fail, it is aborted and the user is given a
420 * username of "unknown".
421 * \param auth The request for which to start the ident lookup.
422 */
423 static void
424 auth_start_query(struct AuthRequest *auth)
425 {
426 struct irc_ssaddr localaddr;
427 socklen_t locallen = sizeof(struct irc_ssaddr);
428 struct sockaddr_in6 *v6;
429
430 assert(auth->client);
431 assert(auth->client->connection);
432
433 /* Open a socket of the same type as the client socket */
434 int fd = comm_socket(auth->client->ip.ss.ss_family, SOCK_STREAM, 0);
435 if (fd == -1)
436 {
437 report_error(L_ALL, "creating auth stream socket %s:%s",
438 client_get_name(auth->client, SHOW_IP), errno);
439 ++ServerStats.is_abad;
440 return;
441 }
442
443 auth->fd = fd_open(fd, true, "ident");
444 auth->ident_pending = true;
445
446 auth_sendheader(auth->client, REPORT_DO_ID);
447
448 /*
449 * Get the local address of the client and bind to that to
450 * make the auth request.
451 */
452 memset(&localaddr, 0, locallen);
453 getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&localaddr, &locallen);
454
455 remove_ipv6_mapping(&localaddr);
456 v6 = (struct sockaddr_in6 *)&localaddr;
457 v6->sin6_port = htons(0);
458
459 comm_connect_tcp(auth->fd, &auth->client->ip, RFC1413_PORT, &localaddr,
460 auth_connect_callback, auth, 5);
461 }
462
463 /*
464 * auth_start
465 *
466 * inputs - pointer to client to auth
467 * output - NONE
468 * side effects - starts auth (identd) and dns queries for a client
469 */
470 void
471 auth_start(struct Client *client_p)
472 {
473 struct AuthRequest *auth = auth_make(client_p);
474
475 assert(client_p);
476 assert(client_p->connection);
477
478 auth_sendheader(client_p, REPORT_DO_DNS);
479
480 auth->dns_pending = true;
481
482 if (ConfigGeneral.disable_auth == 0)
483 auth_start_query(auth);
484
485 gethost_byaddr(auth_dns_callback, auth, &client_p->ip);
486 }
487
488 /*
489 * auth_delete()
490 */
491 void
492 auth_delete(struct AuthRequest *auth)
493 {
494 assert(auth->client);
495 assert(auth->client->connection);
496
497 if (auth->ident_pending == true)
498 {
499 fd_close(auth->fd);
500 auth->fd = NULL;
501 auth->ident_pending = false;
502 }
503
504 if (auth->dns_pending == true)
505 {
506 delete_resolver_queries(auth);
507 auth->dns_pending = false;
508 }
509
510 auth_free(auth);
511 }

Properties

Name Value
svn:eol-style native
svn:keywords Id

svnadmin@ircd-hybrid.org
ViewVC Help
Powered by ViewVC 1.1.28