ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/ircd-hybrid/trunk/src/auth.c
Revision: 1001
Committed: Sat Aug 29 22:44:44 2009 UTC (14 years, 7 months ago) by michael
Content type: text/x-csrc
Original Path: ircd-hybrid-7.2/src/s_auth.c
File size: 15587 byte(s)
Log Message:
- remove half done and broken win32 support

File Contents

# User Rev Content
1 adx 30 /*
2     * ircd-hybrid: an advanced Internet Relay Chat Daemon(ircd).
3     * s_auth.c: Functions for querying a users ident.
4     *
5     * Copyright (C) 2002 by the past and present ircd coders, and others.
6     *
7     * This program is free software; you can redistribute it and/or modify
8     * it under the terms of the GNU General Public License as published by
9     * the Free Software Foundation; either version 2 of the License, or
10     * (at your option) any later version.
11     *
12     * This program is distributed in the hope that it will be useful,
13     * but WITHOUT ANY WARRANTY; without even the implied warranty of
14     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15     * GNU General Public License for more details.
16     *
17     * You should have received a copy of the GNU General Public License
18     * along with this program; if not, write to the Free Software
19     * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
20     * USA
21     *
22 knight 31 * $Id$
23 adx 30 */
24    
25     /*
26     * Changes:
27     * July 6, 1999 - Rewrote most of the code here. When a client connects
28     * to the server and passes initial socket validation checks, it
29     * is owned by this module (auth) which returns it to the rest of the
30     * server when dns and auth queries are finished. Until the client is
31     * released, the server does not know it exists and does not process
32     * any messages from it.
33     * --Bleep Thomas Helvey <tomh@inxpress.net>
34     */
35     #include "stdinc.h"
36     #include "tools.h"
37     #include "list.h"
38     #include "s_auth.h"
39     #include "s_conf.h"
40 michael 998 #include "balloc.h"
41 adx 30 #include "client.h"
42     #include "common.h"
43     #include "event.h"
44     #include "fdlist.h" /* fdlist_add */
45     #include "hook.h"
46     #include "irc_string.h"
47     #include "sprintf_irc.h"
48     #include "ircd.h"
49     #include "numeric.h"
50     #include "packet.h"
51     #include "irc_res.h"
52     #include "s_bsd.h"
53     #include "s_log.h"
54     #include "send.h"
55     #include "memory.h"
56    
57     static const char *HeaderMessages[] = {
58     ":%s NOTICE AUTH :*** Looking up your hostname...",
59     ":%s NOTICE AUTH :*** Found your hostname",
60     ":%s NOTICE AUTH :*** Couldn't look up your hostname",
61     ":%s NOTICE AUTH :*** Checking Ident",
62     ":%s NOTICE AUTH :*** Got Ident response",
63     ":%s NOTICE AUTH :*** No Ident response",
64     ":%s NOTICE AUTH :*** Your forward and reverse DNS do not match, ignoring hostname.",
65     ":%s NOTICE AUTH :*** Your hostname is too long, ignoring hostname"
66     };
67    
68     enum {
69     REPORT_DO_DNS,
70     REPORT_FIN_DNS,
71     REPORT_FAIL_DNS,
72     REPORT_DO_ID,
73     REPORT_FIN_ID,
74     REPORT_FAIL_ID,
75     REPORT_IP_MISMATCH,
76     REPORT_HOST_TOOLONG
77     };
78    
79     #define sendheader(c, i) sendto_one((c), HeaderMessages[(i)], me.name)
80    
81 michael 998 static BlockHeap *auth_heap = NULL;
82 michael 992 static dlink_list auth_doing_list = { NULL, NULL, 0 };
83 adx 30
84     static EVH timeout_auth_queries_event;
85    
86     static PF read_auth_reply;
87     static CNCB auth_connect_callback;
88     static CBFUNC start_auth;
89    
90     struct Callback *auth_cb = NULL;
91    
92     /* init_auth()
93     *
94     * Initialise the auth code
95     */
96     void
97     init_auth(void)
98     {
99 michael 998 auth_heap = BlockHeapCreate("auth", sizeof(struct AuthRequest), AUTH_HEAP_SIZE);
100 adx 30 auth_cb = register_callback("start_auth", start_auth);
101     eventAddIsh("timeout_auth_queries_event", timeout_auth_queries_event, NULL, 1);
102     }
103    
104     /*
105     * make_auth_request - allocate a new auth request
106     */
107     static struct AuthRequest *
108     make_auth_request(struct Client *client)
109     {
110 michael 998 struct AuthRequest *request = BlockHeapAlloc(auth_heap);
111 adx 30
112 michael 992 client->localClient->auth = request;
113     request->client = client;
114     request->timeout = CurrentTime + CONNECTTIMEOUT;
115 adx 30
116 michael 650 return request;
117 adx 30 }
118    
119     /*
120     * release_auth_client - release auth client from auth system
121     * this adds the client into the local client lists so it can be read by
122     * the main io processing loop
123     */
124     void
125 michael 992 release_auth_client(struct AuthRequest *auth)
126 adx 30 {
127 michael 992 struct Client *client = auth->client;
128    
129     if (IsDoingAuth(auth) || IsDNSPending(auth))
130     return;
131    
132     client->localClient->auth = NULL;
133     dlinkDelete(&auth->node, &auth_doing_list);
134 michael 998 BlockHeapFree(auth_heap, auth);
135 michael 992
136 adx 30 /*
137     * When a client has auth'ed, we want to start reading what it sends
138     * us. This is what read_packet() does.
139     * -- adrian
140     */
141     client->localClient->allow_read = MAX_FLOOD;
142     comm_setflush(&client->localClient->fd, 1000, flood_recalc, client);
143 michael 650
144 michael 992 dlinkAdd(client, &client->node, &global_client_list);
145 michael 650
146 michael 664 client->since = client->lasttime = client->firsttime = CurrentTime;
147     client->flags |= FLAGS_FINISHED_AUTH;
148 michael 650
149 adx 30 read_packet(&client->localClient->fd, client);
150     }
151    
152     /*
153     * auth_dns_callback - called when resolver query finishes
154 michael 998 * if the query resulted in a successful search, name will contain
155     * a non-NULL pointer, otherwise name will be NULL.
156 adx 30 * set the client on it's way to a connection completion, regardless
157     * of success of failure
158     */
159     static void
160 michael 992 auth_dns_callback(void *vptr, const struct irc_ssaddr *addr, const char *name)
161 adx 30 {
162 michael 992 struct AuthRequest *auth = vptr;
163 adx 30
164     ClearDNSPending(auth);
165    
166 michael 992 if (name != NULL)
167 adx 30 {
168 michael 992 const struct sockaddr_in *v4, *v4dns;
169 adx 30 #ifdef IPV6
170 michael 992 const struct sockaddr_in6 *v6, *v6dns;
171 adx 30 #endif
172     int good = 1;
173    
174     #ifdef IPV6
175     if (auth->client->localClient->ip.ss.ss_family == AF_INET6)
176     {
177 michael 992 v6 = (const struct sockaddr_in6 *)&auth->client->localClient->ip;
178     v6dns = (const struct sockaddr_in6 *)addr;
179 adx 30 if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)) != 0)
180     {
181     sendheader(auth->client, REPORT_IP_MISMATCH);
182     good = 0;
183     }
184     }
185     else
186     #endif
187     {
188 michael 992 v4 = (const struct sockaddr_in *)&auth->client->localClient->ip;
189     v4dns = (const struct sockaddr_in *)addr;
190 adx 30 if(v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
191     {
192     sendheader(auth->client, REPORT_IP_MISMATCH);
193     good = 0;
194     }
195     }
196 michael 992 if (good && strlen(name) <= HOSTLEN)
197 adx 30 {
198 michael 992 strlcpy(auth->client->host, name,
199 adx 30 sizeof(auth->client->host));
200     sendheader(auth->client, REPORT_FIN_DNS);
201     }
202 michael 992 else if (strlen(name) > HOSTLEN)
203 adx 30 sendheader(auth->client, REPORT_HOST_TOOLONG);
204     }
205     else
206 michael 992 sendheader(auth->client, REPORT_FAIL_DNS);
207 adx 30
208 michael 992 release_auth_client(auth);
209 adx 30 }
210    
211     /*
212     * authsenderr - handle auth send errors
213     */
214     static void
215     auth_error(struct AuthRequest *auth)
216     {
217 michael 896 ++ServerStats.is_abad;
218 adx 30
219     fd_close(&auth->fd);
220    
221     ClearAuth(auth);
222    
223     sendheader(auth->client, REPORT_FAIL_ID);
224    
225 michael 992 release_auth_client(auth);
226 adx 30 }
227    
228     /*
229     * start_auth_query - Flag the client to show that an attempt to
230     * contact the ident server on
231     * the client's host. The connect and subsequently the socket are all put
232     * into 'non-blocking' mode. Should the connect or any later phase of the
233     * identifing process fail, it is aborted and the user is given a username
234     * of "unknown".
235     */
236     static int
237     start_auth_query(struct AuthRequest *auth)
238     {
239     struct irc_ssaddr localaddr;
240     socklen_t locallen = sizeof(struct irc_ssaddr);
241     #ifdef IPV6
242     struct sockaddr_in6 *v6;
243     #else
244     struct sockaddr_in *v4;
245     #endif
246    
247     /* open a socket of the same type as the client socket */
248     if (comm_open(&auth->fd, auth->client->localClient->ip.ss.ss_family,
249     SOCK_STREAM, 0, "ident") == -1)
250     {
251     report_error(L_ALL, "creating auth stream socket %s:%s",
252     get_client_name(auth->client, SHOW_IP), errno);
253     ilog(L_ERROR, "Unable to create auth socket for %s",
254     get_client_name(auth->client, SHOW_IP));
255 michael 896 ++ServerStats.is_abad;
256 adx 30 return 0;
257     }
258    
259     sendheader(auth->client, REPORT_DO_ID);
260    
261     /*
262     * get the local address of the client and bind to that to
263     * make the auth request. This used to be done only for
264     * ifdef VIRTUAL_HOST, but needs to be done for all clients
265     * since the ident request must originate from that same address--
266     * and machines with multiple IP addresses are common now
267     */
268     memset(&localaddr, 0, locallen);
269     getsockname(auth->client->localClient->fd.fd, (struct sockaddr*)&localaddr,
270     &locallen);
271    
272     #ifdef IPV6
273     remove_ipv6_mapping(&localaddr);
274     v6 = (struct sockaddr_in6 *)&localaddr;
275     v6->sin6_port = htons(0);
276     #else
277     localaddr.ss_len = locallen;
278     v4 = (struct sockaddr_in *)&localaddr;
279     v4->sin_port = htons(0);
280     #endif
281     localaddr.ss_port = htons(0);
282    
283     comm_connect_tcp(&auth->fd, auth->client->sockhost, 113,
284     (struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
285     auth, auth->client->localClient->ip.ss.ss_family,
286     GlobalSetOptions.ident_timeout);
287     return 1; /* We suceed here for now */
288     }
289    
290     /*
291     * GetValidIdent - parse ident query reply from identd server
292     *
293     * Inputs - pointer to ident buf
294     * Output - NULL if no valid ident found, otherwise pointer to name
295     * Side effects -
296     */
297     /*
298     * A few questions have been asked about this mess, obviously
299     * it should have been commented better the first time.
300     * The original idea was to remove all references to libc from ircd-hybrid.
301     * Instead of having to write a replacement for sscanf(), I did a
302     * rather gruseome parser here so we could remove this function call.
303     * Note, that I had also removed a few floating point printfs as well (though
304     * now we are still stuck with a few...)
305     * Remember, we have a replacement ircd sprintf, we have bleeps fputs lib
306     * it would have been nice to remove some unneeded code.
307     * Oh well. If we don't remove libc stuff totally, then it would be
308     * far cleaner to use sscanf()
309     *
310     * - Dianora
311     */
312     static char *
313     GetValidIdent(char *buf)
314     {
315     int remp = 0;
316     int locp = 0;
317     char* colon1Ptr;
318     char* colon2Ptr;
319     char* colon3Ptr;
320     char* commaPtr;
321     char* remotePortString;
322    
323     /* All this to get rid of a sscanf() fun. */
324     remotePortString = buf;
325    
326     if ((colon1Ptr = strchr(remotePortString,':')) == NULL)
327     return 0;
328     *colon1Ptr = '\0';
329     colon1Ptr++;
330    
331     if ((colon2Ptr = strchr(colon1Ptr,':')) == NULL)
332     return 0;
333     *colon2Ptr = '\0';
334     colon2Ptr++;
335    
336     if ((commaPtr = strchr(remotePortString, ',')) == NULL)
337     return 0;
338     *commaPtr = '\0';
339     commaPtr++;
340    
341     if ((remp = atoi(remotePortString)) == 0)
342     return 0;
343    
344     if ((locp = atoi(commaPtr)) == 0)
345     return 0;
346    
347     /* look for USERID bordered by first pair of colons */
348     if (strstr(colon1Ptr, "USERID") == NULL)
349     return 0;
350    
351     if ((colon3Ptr = strchr(colon2Ptr,':')) == NULL)
352     return 0;
353     *colon3Ptr = '\0';
354     colon3Ptr++;
355     return (colon3Ptr);
356     }
357    
358     /*
359     * start_auth
360     *
361     * inputs - pointer to client to auth
362     * output - NONE
363     * side effects - starts auth (identd) and dns queries for a client
364     */
365     static void *
366     start_auth(va_list args)
367     {
368     struct Client *client = va_arg(args, struct Client *);
369     struct AuthRequest *auth = NULL;
370    
371     assert(client != NULL);
372    
373     auth = make_auth_request(client);
374 michael 1000 dlinkAdd(auth, &auth->node, &auth_doing_list);
375 adx 30
376     sendheader(client, REPORT_DO_DNS);
377    
378 michael 992 SetDNSPending(auth);
379    
380 adx 30 if (ConfigFileEntry.disable_auth == 0)
381 michael 992 {
382     SetDoingAuth(auth);
383 adx 30 start_auth_query(auth);
384 michael 992 }
385 adx 30
386 michael 992 gethost_byaddr(auth_dns_callback, auth, &client->localClient->ip);
387    
388 adx 30 return NULL;
389     }
390    
391     /*
392     * timeout_auth_queries - timeout resolver and identd requests
393     * allow clients through if requests failed
394     */
395     static void
396     timeout_auth_queries_event(void *notused)
397     {
398 michael 992 dlink_node *ptr = NULL, *next_ptr = NULL;
399 adx 30
400 michael 992 DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_list.head)
401 adx 30 {
402 michael 992 struct AuthRequest *auth = ptr->data;
403 adx 30
404 michael 992 if (auth->timeout > CurrentTime)
405     continue;
406 adx 30
407 michael 992 if (IsDoingAuth(auth))
408     {
409 michael 896 ++ServerStats.is_abad;
410 michael 1000 fd_close(&auth->fd);
411 michael 998 ClearAuth(auth);
412 adx 30 sendheader(auth->client, REPORT_FAIL_ID);
413 michael 992 }
414 adx 30
415 michael 992 if (IsDNSPending(auth))
416     {
417     delete_resolver_queries(auth);
418 michael 998 ClearDNSPending(auth);
419 michael 992 sendheader(auth->client, REPORT_FAIL_DNS);
420     }
421 adx 30
422 michael 992 ilog(L_INFO, "DNS/AUTH timeout %s",
423     get_client_name(auth->client, SHOW_IP));
424     release_auth_client(auth);
425 adx 30 }
426     }
427    
428     /*
429     * auth_connect_callback() - deal with the result of comm_connect_tcp()
430     *
431     * If the connection failed, we simply close the auth fd and report
432     * a failure. If the connection suceeded send the ident server a query
433     * giving "theirport , ourport". The write is only attempted *once* so
434     * it is deemed to be a fail if the entire write doesn't write all the
435     * data given. This shouldnt be a problem since the socket should have
436     * a write buffer far greater than this message to store it in should
437     * problems arise. -avalon
438     */
439     static void
440     auth_connect_callback(fde_t *fd, int error, void *data)
441     {
442     struct AuthRequest *auth = data;
443     struct irc_ssaddr us;
444     struct irc_ssaddr them;
445     char authbuf[32];
446     socklen_t ulen = sizeof(struct irc_ssaddr);
447     socklen_t tlen = sizeof(struct irc_ssaddr);
448     u_int16_t uport, tport;
449     #ifdef IPV6
450     struct sockaddr_in6 *v6;
451     #else
452     struct sockaddr_in *v4;
453     #endif
454    
455     if (error != COMM_OK)
456     {
457     auth_error(auth);
458     return;
459     }
460    
461     if (getsockname(auth->client->localClient->fd.fd, (struct sockaddr *) &us,
462     (socklen_t *) &ulen) ||
463     getpeername(auth->client->localClient->fd.fd, (struct sockaddr *) &them,
464     (socklen_t *) &tlen))
465     {
466     ilog(L_INFO, "auth get{sock,peer}name error for %s",
467     get_client_name(auth->client, SHOW_IP));
468     auth_error(auth);
469     return;
470     }
471    
472     #ifdef IPV6
473     v6 = (struct sockaddr_in6 *)&us;
474     uport = ntohs(v6->sin6_port);
475     v6 = (struct sockaddr_in6 *)&them;
476     tport = ntohs(v6->sin6_port);
477     remove_ipv6_mapping(&us);
478     remove_ipv6_mapping(&them);
479     #else
480     v4 = (struct sockaddr_in *)&us;
481     uport = ntohs(v4->sin_port);
482     v4 = (struct sockaddr_in *)&them;
483     tport = ntohs(v4->sin_port);
484     us.ss_len = ulen;
485     them.ss_len = tlen;
486     #endif
487    
488     ircsprintf(authbuf, "%u , %u\r\n", tport, uport);
489    
490     if (send(fd->fd, authbuf, strlen(authbuf), 0) == -1)
491     {
492     auth_error(auth);
493     return;
494     }
495 michael 696
496 adx 30 read_auth_reply(&auth->fd, auth);
497     }
498    
499     /*
500     * read_auth_reply - read the reply (if any) from the ident server
501     * we connected to.
502     * We only give it one shot, if the reply isn't good the first time
503     * fail the authentication entirely. --Bleep
504     */
505     #define AUTH_BUFSIZ 128
506    
507     static void
508     read_auth_reply(fde_t *fd, void *data)
509     {
510     struct AuthRequest *auth = data;
511     char *s = NULL;
512     char *t = NULL;
513     int len;
514     int count;
515     char buf[AUTH_BUFSIZ + 1]; /* buffer to read auth reply into */
516    
517 nenolod 397 /* Why?
518     * Well, recv() on many POSIX systems is a per-packet operation,
519     * and we do not necessarily want this, because on lowspec machines,
520     * the ident response may come back fragmented, thus resulting in an
521     * invalid ident response, even if the ident response was really OK.
522     *
523     * So PLEASE do not change this code to recv without being aware of the
524     * consequences.
525     *
526     * --nenolod
527     */
528     len = read(fd->fd, buf, AUTH_BUFSIZ);
529 michael 1001
530 adx 30 if (len < 0)
531     {
532     if (ignoreErrno(errno))
533     comm_setselect(fd, COMM_SELECT_READ, read_auth_reply, auth, 0);
534     else
535     auth_error(auth);
536     return;
537     }
538    
539     if (len > 0)
540     {
541     buf[len] = '\0';
542    
543     if ((s = GetValidIdent(buf)))
544     {
545     t = auth->client->username;
546    
547     while (*s == '~' || *s == '^')
548     s++;
549    
550     for (count = USERLEN; *s && count; s++)
551     {
552     if (*s == '@')
553     break;
554     if (!IsSpace(*s) && *s != ':' && *s != '[')
555     {
556     *t++ = *s;
557     count--;
558     }
559     }
560    
561     *t = '\0';
562     }
563     }
564    
565     fd_close(fd);
566    
567     ClearAuth(auth);
568    
569     if (s == NULL)
570     {
571     sendheader(auth->client, REPORT_FAIL_ID);
572 michael 896 ++ServerStats.is_abad;
573 adx 30 }
574     else
575     {
576     sendheader(auth->client, REPORT_FIN_ID);
577 michael 896 ++ServerStats.is_asuc;
578 adx 30 SetGotId(auth->client);
579     }
580    
581 michael 992 release_auth_client(auth);
582 adx 30 }
583    
584     /*
585     * delete_auth()
586     */
587     void
588 michael 992 delete_auth(struct AuthRequest *auth)
589 adx 30 {
590 michael 992 if (IsDNSPending(auth))
591     delete_resolver_queries(auth);
592 adx 30
593 michael 1000 if (IsDoingAuth(auth))
594     fd_close(&auth->fd);
595    
596 michael 992 dlinkDelete(&auth->node, &auth_doing_list);
597 michael 998 BlockHeapFree(auth_heap, auth);
598 adx 30 }

Properties

Name Value
svn:eol-style native
svn:keywords Id Revision