ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/ircd-hybrid/branches/8.2.x/src/auth.c
Revision: 6977
Committed: Mon Dec 21 17:07:58 2015 UTC (8 years, 3 months ago) by michael
Content type: text/x-csrc
File size: 13942 byte(s)
Log Message:
- auth.c: fixed core on ident lookup if comm_open() fails

File Contents

# Content
1 /*
2 * ircd-hybrid: an advanced, lightweight Internet Relay Chat Daemon (ircd)
3 *
4 * Copyright (c) 1997-2015 ircd-hybrid development team
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
19 * USA
20 */
21
22 /*! \file auth.c
23 * \brief Functions for querying a users ident.
24 * \version $Id$
25 */
26
27 /*
28 * Changes:
29 * July 6, 1999 - Rewrote most of the code here. When a client connects
30 * to the server and passes initial socket validation checks, it
31 * is owned by this module (auth) which returns it to the rest of the
32 * server when dns and auth queries are finished. Until the client is
33 * released, the server does not know it exists and does not process
34 * any messages from it.
35 * --Bleep Thomas Helvey <tomh@inxpress.net>
36 */
37
38 #include "stdinc.h"
39 #include "list.h"
40 #include "ircd_defs.h"
41 #include "fdlist.h"
42 #include "auth.h"
43 #include "conf.h"
44 #include "client.h"
45 #include "event.h"
46 #include "irc_string.h"
47 #include "ircd.h"
48 #include "packet.h"
49 #include "res.h"
50 #include "s_bsd.h"
51 #include "log.h"
52 #include "send.h"
53 #include "mempool.h"
54
55
56 enum
57 {
58 REPORT_DO_DNS,
59 REPORT_FIN_DNS,
60 REPORT_FAIL_DNS,
61 REPORT_DO_ID,
62 REPORT_FIN_ID,
63 REPORT_FAIL_ID,
64 REPORT_IP_MISMATCH,
65 REPORT_HOST_TOOLONG
66 };
67
68 static const char *const HeaderMessages[] =
69 {
70 [REPORT_DO_DNS] = ":*** Looking up your hostname",
71 [REPORT_FIN_DNS] = ":*** Found your hostname",
72 [REPORT_FAIL_DNS] = ":*** Couldn't look up your hostname",
73 [REPORT_DO_ID] = ":*** Checking Ident",
74 [REPORT_FIN_ID] = ":*** Got Ident response",
75 [REPORT_FAIL_ID] = ":*** No Ident response",
76 [REPORT_IP_MISMATCH] = ":*** Your forward and reverse DNS do not match, ignoring hostname",
77 [REPORT_HOST_TOOLONG] = ":*** Your hostname is too long, ignoring hostname"
78 };
79
80 #define sendheader(c, i) sendto_one_notice((c), &me, "%s", HeaderMessages[(i)])
81
82 static dlink_list auth_list;
83 static void read_auth_reply(fde_t *, void *);
84 static void auth_connect_callback(fde_t *, int, void *);
85
86
87 /*
88 * make_auth_request - allocate a new auth request
89 */
90 static struct AuthRequest *
91 make_auth_request(struct Client *client)
92 {
93 struct AuthRequest *const auth = &client->connection->auth;
94
95 memset(auth, 0, sizeof(*auth));
96
97 auth->client = client;
98 auth->timeout = CurrentTime + CONNECTTIMEOUT;
99
100 return auth;
101 }
102
103 /*
104 * release_auth_client - release auth client from auth system
105 * this adds the client into the local client lists so it can be read by
106 * the main io processing loop
107 */
108 void
109 release_auth_client(struct AuthRequest *auth)
110 {
111 struct Client *const client = auth->client;
112
113 if (IsDoingAuth(auth) || IsDNSPending(auth))
114 return;
115
116 if (IsInAuth(auth))
117 {
118 dlinkDelete(&auth->node, &auth_list);
119 ClearInAuth(auth);
120 }
121
122 /*
123 * When a client has auth'ed, we want to start reading what it sends
124 * us. This is what read_packet() does.
125 * -- adrian
126 */
127 client->connection->allow_read = MAX_FLOOD;
128 comm_setflush(&client->connection->fd, 1000, flood_recalc, client);
129
130 client->connection->since = CurrentTime;
131 client->connection->lasttime = CurrentTime;
132 client->connection->firsttime = CurrentTime;
133 client->flags |= FLAGS_FINISHED_AUTH;
134
135 read_packet(&client->connection->fd, client);
136 }
137
138 /*
139 * auth_dns_callback - called when resolver query finishes
140 * if the query resulted in a successful search, name will contain
141 * a non-NULL pointer, otherwise name will be NULL.
142 * set the client on it's way to a connection completion, regardless
143 * of success of failure
144 */
145 static void
146 auth_dns_callback(void *vptr, const struct irc_ssaddr *addr, const char *name, size_t namelength)
147 {
148 struct AuthRequest *const auth = vptr;
149
150 ClearDNSPending(auth);
151
152 if (!EmptyString(name))
153 {
154 if (auth->client->connection->ip.ss.ss_family == AF_INET6)
155 {
156 const struct sockaddr_in6 *const v6 = (const struct sockaddr_in6 *)&auth->client->connection->ip;
157 const struct sockaddr_in6 *const v6dns = (const struct sockaddr_in6 *)addr;
158
159 if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)))
160 {
161 sendheader(auth->client, REPORT_IP_MISMATCH);
162 release_auth_client(auth);
163 return;
164 }
165 }
166 else
167 {
168 const struct sockaddr_in *const v4 = (const struct sockaddr_in *)&auth->client->connection->ip;
169 const struct sockaddr_in *const v4dns = (const struct sockaddr_in *)addr;
170
171 if (v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
172 {
173 sendheader(auth->client, REPORT_IP_MISMATCH);
174 release_auth_client(auth);
175 return;
176 }
177 }
178
179 if (namelength > HOSTLEN)
180 sendheader(auth->client, REPORT_HOST_TOOLONG);
181 else
182 {
183 strlcpy(auth->client->host, name, sizeof(auth->client->host));
184 sendheader(auth->client, REPORT_FIN_DNS);
185 }
186 }
187 else
188 sendheader(auth->client, REPORT_FAIL_DNS);
189
190 release_auth_client(auth);
191 }
192
193 /*
194 * authsenderr - handle auth send errors
195 */
196 static void
197 auth_error(struct AuthRequest *auth)
198 {
199 ++ServerStats.is_abad;
200
201 fd_close(&auth->fd);
202
203 ClearAuth(auth);
204
205 sendheader(auth->client, REPORT_FAIL_ID);
206
207 release_auth_client(auth);
208 }
209
210 /*
211 * start_auth_query - Flag the client to show that an attempt to
212 * contact the ident server on
213 * the client's host. The connect and subsequently the socket are all put
214 * into 'non-blocking' mode. Should the connect or any later phase of the
215 * identifing process fail, it is aborted and the user is given a username
216 * of "unknown".
217 */
218 static int
219 start_auth_query(struct AuthRequest *auth)
220 {
221 struct irc_ssaddr localaddr;
222 socklen_t locallen = sizeof(struct irc_ssaddr);
223 struct sockaddr_in6 *v6;
224
225 /* open a socket of the same type as the client socket */
226 if (comm_open(&auth->fd, auth->client->connection->ip.ss.ss_family,
227 SOCK_STREAM, 0, "ident") == -1)
228 {
229 report_error(L_ALL, "creating auth stream socket %s:%s",
230 get_client_name(auth->client, SHOW_IP), errno);
231 ++ServerStats.is_abad;
232 return 0;
233 }
234
235 SetDoingAuth(auth);
236 sendheader(auth->client, REPORT_DO_ID);
237
238 /*
239 * Get the local address of the client and bind to that to
240 * make the auth request.
241 */
242 memset(&localaddr, 0, locallen);
243 getsockname(auth->client->connection->fd.fd, (struct sockaddr*)&localaddr,
244 &locallen);
245
246 remove_ipv6_mapping(&localaddr);
247 v6 = (struct sockaddr_in6 *)&localaddr;
248 v6->sin6_port = htons(0);
249 localaddr.ss_port = htons(0);
250
251 comm_connect_tcp(&auth->fd, auth->client->sockhost, RFC1413_PORT,
252 (struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
253 auth, auth->client->connection->ip.ss.ss_family,
254 GlobalSetOptions.ident_timeout);
255 return 1; /* We suceed here for now */
256 }
257
258 /*
259 * start_auth
260 *
261 * inputs - pointer to client to auth
262 * output - NONE
263 * side effects - starts auth (identd) and dns queries for a client
264 */
265 void
266 start_auth(struct Client *client_p)
267 {
268 struct AuthRequest *const auth = make_auth_request(client_p);
269
270 SetInAuth(auth);
271 dlinkAddTail(auth, &auth->node, &auth_list);
272
273 sendheader(client_p, REPORT_DO_DNS);
274
275 SetDNSPending(auth);
276
277 if (ConfigGeneral.disable_auth == 0)
278 start_auth_query(auth);
279
280 gethost_byaddr(auth_dns_callback, auth, &client_p->connection->ip);
281 }
282
283 /*
284 * timeout_auth_queries - timeout resolver and identd requests
285 * allow clients through if requests failed
286 */
287 static void
288 timeout_auth_queries_event(void *notused)
289 {
290 dlink_node *node = NULL, *node_next = NULL;
291
292 DLINK_FOREACH_SAFE(node, node_next, auth_list.head)
293 {
294 struct AuthRequest *auth = node->data;
295
296 if (auth->timeout > CurrentTime)
297 break;
298
299 if (IsDoingAuth(auth))
300 {
301 ++ServerStats.is_abad;
302 fd_close(&auth->fd);
303 ClearAuth(auth);
304 sendheader(auth->client, REPORT_FAIL_ID);
305 }
306
307 if (IsDNSPending(auth))
308 {
309 delete_resolver_queries(auth);
310 ClearDNSPending(auth);
311 sendheader(auth->client, REPORT_FAIL_DNS);
312 }
313
314 release_auth_client(auth);
315 }
316 }
317
318 /*
319 * auth_connect_callback() - deal with the result of comm_connect_tcp()
320 *
321 * If the connection failed, we simply close the auth fd and report
322 * a failure. If the connection suceeded send the ident server a query
323 * giving "theirport , ourport". The write is only attempted *once* so
324 * it is deemed to be a fail if the entire write doesn't write all the
325 * data given. This shouldnt be a problem since the socket should have
326 * a write buffer far greater than this message to store it in should
327 * problems arise. -avalon
328 */
329 static void
330 auth_connect_callback(fde_t *fd, int error, void *data)
331 {
332 struct AuthRequest *const auth = data;
333 struct irc_ssaddr us;
334 struct irc_ssaddr them;
335 char authbuf[16];
336 ssize_t len = 0;
337 socklen_t ulen = sizeof(struct irc_ssaddr);
338 socklen_t tlen = sizeof(struct irc_ssaddr);
339 uint16_t uport, tport;
340 struct sockaddr_in6 *v6;
341
342 if (error != COMM_OK)
343 {
344 auth_error(auth);
345 return;
346 }
347
348 if (getsockname(auth->client->connection->fd.fd, (struct sockaddr *)&us, &ulen) ||
349 getpeername(auth->client->connection->fd.fd, (struct sockaddr *)&them, &tlen))
350 {
351 report_error(L_ALL, "auth get{sock,peer}name error %s:%s",
352 get_client_name(auth->client, SHOW_IP), errno);
353 auth_error(auth);
354 return;
355 }
356
357 v6 = (struct sockaddr_in6 *)&us;
358 uport = ntohs(v6->sin6_port);
359 v6 = (struct sockaddr_in6 *)&them;
360 tport = ntohs(v6->sin6_port);
361
362 len = snprintf(authbuf, sizeof(authbuf), "%u, %u\r\n", tport, uport);
363
364 if (send(fd->fd, authbuf, len, 0) != len)
365 {
366 auth_error(auth);
367 return;
368 }
369
370 comm_setselect(fd, COMM_SELECT_READ, read_auth_reply, auth, 0);
371 }
372
373 /** Enum used to index ident reply fields in a human-readable way. */
374 enum IdentReplyFields
375 {
376 IDENT_PORT_NUMBERS,
377 IDENT_REPLY_TYPE,
378 IDENT_OS_TYPE,
379 IDENT_INFO,
380 USERID_TOKEN_COUNT
381 };
382
383 /** Parse an ident reply line and extract the userid from it.
384 * \param reply The ident reply line.
385 * \return The userid, or NULL on parse failure.
386 */
387 static const char *
388 check_ident_reply(char *const reply)
389 {
390 char *token = NULL, *end = NULL;
391 char *vector[USERID_TOKEN_COUNT];
392 const int count = token_vector(reply, ':', vector, USERID_TOKEN_COUNT);
393
394 if (USERID_TOKEN_COUNT != count)
395 return NULL;
396
397 /*
398 * Second token is the reply type
399 */
400 token = vector[IDENT_REPLY_TYPE];
401
402 if (EmptyString(token))
403 return NULL;
404
405 while (IsSpace(*token))
406 ++token;
407
408 if (strncmp(token, "USERID", 6))
409 return NULL;
410
411 /*
412 * Third token is the os type
413 */
414 token = vector[IDENT_OS_TYPE];
415
416 if (EmptyString(token))
417 return NULL;
418
419 while (IsSpace(*token))
420 ++token;
421
422 /*
423 * Unless "OTHER" is specified as the operating system type, the server
424 * is expected to return the "normal" user identification of the owner
425 * of this connection. "Normal" in this context may be taken to mean a
426 * string of characters which uniquely identifies the connection owner
427 * such as a user identifier assigned by the system administrator and
428 * used by such user as a mail identifier, or as the "user" part of a
429 * user/password pair used to gain access to system resources. When an
430 * operating system is specified (e.g., anything but "OTHER"), the user
431 * identifier is expected to be in a more or less immediately useful
432 * form - e.g., something that could be used as an argument to "finger"
433 * or as a mail address.
434 */
435 if (!strncmp(token, "OTHER", 5))
436 return NULL;
437
438 /*
439 * Fourth token is the username
440 */
441 token = vector[IDENT_INFO];
442
443 if (EmptyString(token))
444 return NULL;
445
446 while (IsSpace(*token))
447 ++token;
448
449 while (*token == '~' || *token == '^')
450 ++token;
451
452 /*
453 * Look for the end of the username, terminators are '\0, @, <SPACE>, :'
454 */
455 for (end = token; *end; ++end)
456 if (IsSpace(*end) || '@' == *end || ':' == *end)
457 break;
458 *end = '\0';
459
460 return token;
461 }
462
463 /*
464 * read_auth_reply - read the reply (if any) from the ident server
465 * we connected to.
466 * We only give it one shot, if the reply isn't good the first time
467 * fail the authentication entirely. --Bleep
468 */
469 static void
470 read_auth_reply(fde_t *fd, void *data)
471 {
472 struct AuthRequest *const auth = data;
473 const char *username = NULL;
474 ssize_t len = 0;
475 char buf[RFC1413_BUFSIZ + 1];
476
477 if ((len = recv(fd->fd, buf, RFC1413_BUFSIZ, 0)) > 0)
478 {
479 buf[len] = '\0';
480 username = check_ident_reply(buf);
481 }
482
483 fd_close(fd);
484
485 ClearAuth(auth);
486
487 if (EmptyString(username))
488 {
489 sendheader(auth->client, REPORT_FAIL_ID);
490 ++ServerStats.is_abad;
491 }
492 else
493 {
494 strlcpy(auth->client->username, username, sizeof(auth->client->username));
495 sendheader(auth->client, REPORT_FIN_ID);
496 ++ServerStats.is_asuc;
497 AddFlag(auth->client, FLAGS_GOTID);
498 }
499
500 release_auth_client(auth);
501 }
502
503 /*
504 * delete_auth()
505 */
506 void
507 delete_auth(struct AuthRequest *auth)
508 {
509 if (IsDNSPending(auth))
510 delete_resolver_queries(auth);
511
512 if (IsDoingAuth(auth))
513 fd_close(&auth->fd);
514
515 if (IsInAuth(auth))
516 {
517 dlinkDelete(&auth->node, &auth_list);
518 ClearInAuth(auth);
519 }
520 }
521
522 /* auth_init
523 *
524 * Initialise the auth code
525 */
526 void
527 auth_init(void)
528 {
529 static struct event timeout_auth_queries =
530 {
531 .name = "timeout_auth_queries_event",
532 .handler = timeout_auth_queries_event,
533 .when = 1
534 };
535
536 event_add(&timeout_auth_queries, NULL);
537 }

Properties

Name Value
svn:eol-style native
svn:keywords Id Revision