ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/ircd-hybrid/trunk/src/auth.c
Revision: 8217
Committed: Sun Apr 16 12:19:09 2017 UTC (6 years, 11 months ago) by michael
Content type: text/x-csrc
File size: 14415 byte(s)
Log Message:
- auth.c: have auth_dns_callback() to check for invalid hostnames rather than in user.c:register_local_user()

File Contents

# User Rev Content
1 adx 30 /*
2 michael 2916 * ircd-hybrid: an advanced, lightweight Internet Relay Chat Daemon (ircd)
3 adx 30 *
4 michael 7924 * Copyright (c) 1997-2017 ircd-hybrid development team
5 adx 30 *
6     * This program is free software; you can redistribute it and/or modify
7     * it under the terms of the GNU General Public License as published by
8     * the Free Software Foundation; either version 2 of the License, or
9     * (at your option) any later version.
10     *
11     * This program is distributed in the hope that it will be useful,
12     * but WITHOUT ANY WARRANTY; without even the implied warranty of
13     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14     * GNU General Public License for more details.
15     *
16     * You should have received a copy of the GNU General Public License
17     * along with this program; if not, write to the Free Software
18 michael 4565 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
19 adx 30 * USA
20     */
21    
22 michael 3324 /*! \file auth.c
23 michael 2916 * \brief Functions for querying a users ident.
24     * \version $Id$
25     */
26    
27 adx 30 /*
28     * Changes:
29     * July 6, 1999 - Rewrote most of the code here. When a client connects
30     * to the server and passes initial socket validation checks, it
31     * is owned by this module (auth) which returns it to the rest of the
32     * server when dns and auth queries are finished. Until the client is
33     * released, the server does not know it exists and does not process
34     * any messages from it.
35     * --Bleep Thomas Helvey <tomh@inxpress.net>
36     */
37 michael 1309
38 adx 30 #include "stdinc.h"
39     #include "list.h"
40 michael 1011 #include "ircd_defs.h"
41     #include "fdlist.h"
42 michael 3324 #include "auth.h"
43 michael 1309 #include "conf.h"
44 adx 30 #include "client.h"
45     #include "event.h"
46     #include "irc_string.h"
47     #include "ircd.h"
48     #include "packet.h"
49 michael 3322 #include "res.h"
50 adx 30 #include "s_bsd.h"
51 michael 1309 #include "log.h"
52 adx 30 #include "send.h"
53 michael 1654 #include "mempool.h"
54 adx 30
55 michael 1011
56 michael 2916 enum
57     {
58 adx 30 REPORT_DO_DNS,
59     REPORT_FIN_DNS,
60     REPORT_FAIL_DNS,
61     REPORT_DO_ID,
62     REPORT_FIN_ID,
63     REPORT_FAIL_ID,
64     REPORT_IP_MISMATCH,
65 michael 8217 REPORT_HOST_TOOLONG,
66     REPORT_HOST_INVALID
67 adx 30 };
68    
69 michael 5888 static const char *const HeaderMessages[] =
70     {
71     [REPORT_DO_DNS] = ":*** Looking up your hostname",
72     [REPORT_FIN_DNS] = ":*** Found your hostname",
73     [REPORT_FAIL_DNS] = ":*** Couldn't look up your hostname",
74     [REPORT_DO_ID] = ":*** Checking Ident",
75     [REPORT_FIN_ID] = ":*** Got Ident response",
76     [REPORT_FAIL_ID] = ":*** No Ident response",
77     [REPORT_IP_MISMATCH] = ":*** Your forward and reverse DNS do not match, ignoring hostname",
78 michael 8217 [REPORT_HOST_TOOLONG] = ":*** Your hostname is too long, ignoring hostname",
79     [REPORT_HOST_INVALID] = ":*** Your hostname contains illegal characters, ignoring hostname"
80 michael 5888 };
81    
82 michael 5497 #define sendheader(c, i) sendto_one_notice((c), &me, "%s", HeaderMessages[(i)])
83 adx 30
84 michael 6478 static dlink_list auth_list;
85 michael 7955 static void auth_read_reply(fde_t *, void *);
86 michael 4464 static void auth_connect_callback(fde_t *, int, void *);
87 adx 30
88 michael 4094
89 adx 30 /*
90     * make_auth_request - allocate a new auth request
91     */
92     static struct AuthRequest *
93     make_auth_request(struct Client *client)
94     {
95 michael 6690 struct AuthRequest *const auth = &client->connection->auth;
96 adx 30
97 michael 6690 memset(auth, 0, sizeof(*auth));
98 adx 30
99 michael 6690 auth->client = client;
100     auth->timeout = CurrentTime + CONNECTTIMEOUT;
101 michael 2181
102 michael 6690 return auth;
103 adx 30 }
104    
105     /*
106     * release_auth_client - release auth client from auth system
107     * this adds the client into the local client lists so it can be read by
108     * the main io processing loop
109     */
110     void
111 michael 992 release_auth_client(struct AuthRequest *auth)
112 adx 30 {
113 michael 4854 struct Client *const client = auth->client;
114 michael 992
115     if (IsDoingAuth(auth) || IsDNSPending(auth))
116     return;
117    
118 michael 2929 if (IsInAuth(auth))
119     {
120 michael 6478 dlinkDelete(&auth->node, &auth_list);
121 michael 2929 ClearInAuth(auth);
122     }
123 michael 992
124 adx 30 /*
125     * When a client has auth'ed, we want to start reading what it sends
126     * us. This is what read_packet() does.
127     * -- adrian
128     */
129 michael 4588 client->connection->allow_read = MAX_FLOOD;
130     comm_setflush(&client->connection->fd, 1000, flood_recalc, client);
131 michael 650
132 michael 4588 client->connection->since = CurrentTime;
133     client->connection->lasttime = CurrentTime;
134     client->connection->firsttime = CurrentTime;
135 michael 664 client->flags |= FLAGS_FINISHED_AUTH;
136 michael 650
137 michael 8214 strlcpy(client->realhost, client->host, sizeof(client->realhost));
138    
139 michael 4588 read_packet(&client->connection->fd, client);
140 adx 30 }
141 michael 2916
142 michael 8217 static int
143     auth_verify_hostname(const char *hostname)
144     {
145     const char *p = hostname;
146    
147     assert(p);
148    
149     if (EmptyString(p) || *p == '.' || *p == ':')
150     return 0;
151    
152     for (; *p; ++p)
153     if (!IsHostChar(*p))
154     return 0;
155    
156     return 1;
157     }
158    
159 adx 30 /*
160     * auth_dns_callback - called when resolver query finishes
161 michael 998 * if the query resulted in a successful search, name will contain
162     * a non-NULL pointer, otherwise name will be NULL.
163 adx 30 * set the client on it's way to a connection completion, regardless
164     * of success of failure
165     */
166     static void
167 michael 4408 auth_dns_callback(void *vptr, const struct irc_ssaddr *addr, const char *name, size_t namelength)
168 adx 30 {
169 michael 4854 struct AuthRequest *const auth = vptr;
170 adx 30
171     ClearDNSPending(auth);
172    
173 michael 4408 if (!EmptyString(name))
174 adx 30 {
175 michael 4588 if (auth->client->connection->ip.ss.ss_family == AF_INET6)
176 adx 30 {
177 michael 4858 const struct sockaddr_in6 *const v6 = (const struct sockaddr_in6 *)&auth->client->connection->ip;
178     const struct sockaddr_in6 *const v6dns = (const struct sockaddr_in6 *)addr;
179 michael 3250
180 michael 5902 if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)))
181 adx 30 {
182     sendheader(auth->client, REPORT_IP_MISMATCH);
183 michael 4408 release_auth_client(auth);
184     return;
185 adx 30 }
186     }
187     else
188     {
189 michael 4858 const struct sockaddr_in *const v4 = (const struct sockaddr_in *)&auth->client->connection->ip;
190     const struct sockaddr_in *const v4dns = (const struct sockaddr_in *)addr;
191 michael 3250
192     if (v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
193 adx 30 {
194     sendheader(auth->client, REPORT_IP_MISMATCH);
195 michael 4408 release_auth_client(auth);
196     return;
197 adx 30 }
198     }
199 michael 3250
200 michael 4408 if (namelength > HOSTLEN)
201     sendheader(auth->client, REPORT_HOST_TOOLONG);
202 michael 8217 else if (!auth_verify_hostname(name))
203     sendheader(auth->client, REPORT_HOST_INVALID);
204 michael 4408 else
205 adx 30 {
206 michael 4408 strlcpy(auth->client->host, name, sizeof(auth->client->host));
207 adx 30 sendheader(auth->client, REPORT_FIN_DNS);
208     }
209     }
210     else
211 michael 992 sendheader(auth->client, REPORT_FAIL_DNS);
212 adx 30
213 michael 992 release_auth_client(auth);
214 adx 30 }
215    
216     /*
217     * authsenderr - handle auth send errors
218     */
219     static void
220     auth_error(struct AuthRequest *auth)
221     {
222 michael 896 ++ServerStats.is_abad;
223 adx 30
224     fd_close(&auth->fd);
225    
226     ClearAuth(auth);
227    
228     sendheader(auth->client, REPORT_FAIL_ID);
229    
230 michael 992 release_auth_client(auth);
231 adx 30 }
232    
233     /*
234 michael 2916 * start_auth_query - Flag the client to show that an attempt to
235 adx 30 * contact the ident server on
236     * the client's host. The connect and subsequently the socket are all put
237     * into 'non-blocking' mode. Should the connect or any later phase of the
238     * identifing process fail, it is aborted and the user is given a username
239     * of "unknown".
240     */
241 michael 6979 static void
242 adx 30 start_auth_query(struct AuthRequest *auth)
243     {
244     struct irc_ssaddr localaddr;
245     socklen_t locallen = sizeof(struct irc_ssaddr);
246     struct sockaddr_in6 *v6;
247    
248     /* open a socket of the same type as the client socket */
249 michael 4588 if (comm_open(&auth->fd, auth->client->connection->ip.ss.ss_family,
250 adx 30 SOCK_STREAM, 0, "ident") == -1)
251     {
252 michael 2916 report_error(L_ALL, "creating auth stream socket %s:%s",
253 michael 7997 client_get_name(auth->client, SHOW_IP), errno);
254 michael 896 ++ServerStats.is_abad;
255 michael 6979 return;
256 adx 30 }
257    
258 michael 6976 SetDoingAuth(auth);
259 adx 30 sendheader(auth->client, REPORT_DO_ID);
260    
261 michael 2916 /*
262 michael 4865 * Get the local address of the client and bind to that to
263     * make the auth request.
264 adx 30 */
265     memset(&localaddr, 0, locallen);
266 michael 4588 getsockname(auth->client->connection->fd.fd, (struct sockaddr*)&localaddr,
267 adx 30 &locallen);
268    
269     remove_ipv6_mapping(&localaddr);
270     v6 = (struct sockaddr_in6 *)&localaddr;
271     v6->sin6_port = htons(0);
272     localaddr.ss_port = htons(0);
273    
274 michael 4309 comm_connect_tcp(&auth->fd, auth->client->sockhost, RFC1413_PORT,
275 michael 2916 (struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
276 michael 4588 auth, auth->client->connection->ip.ss.ss_family,
277 adx 30 GlobalSetOptions.ident_timeout);
278     }
279    
280     /*
281 michael 7955 * auth_start
282 adx 30 *
283     * inputs - pointer to client to auth
284     * output - NONE
285     * side effects - starts auth (identd) and dns queries for a client
286     */
287 michael 2916 void
288 michael 7955 auth_start(struct Client *client_p)
289 adx 30 {
290 michael 4854 struct AuthRequest *const auth = make_auth_request(client_p);
291 adx 30
292 michael 2929 SetInAuth(auth);
293 michael 6478 dlinkAddTail(auth, &auth->node, &auth_list);
294 adx 30
295 michael 3250 sendheader(client_p, REPORT_DO_DNS);
296 adx 30
297 michael 992 SetDNSPending(auth);
298    
299 michael 4340 if (ConfigGeneral.disable_auth == 0)
300 adx 30 start_auth_query(auth);
301    
302 michael 4588 gethost_byaddr(auth_dns_callback, auth, &client_p->connection->ip);
303 adx 30 }
304    
305     /*
306     * timeout_auth_queries - timeout resolver and identd requests
307     * allow clients through if requests failed
308     */
309     static void
310     timeout_auth_queries_event(void *notused)
311     {
312 michael 7914 dlink_node *node, *node_next;
313 adx 30
314 michael 6478 DLINK_FOREACH_SAFE(node, node_next, auth_list.head)
315 adx 30 {
316 michael 4815 struct AuthRequest *auth = node->data;
317 adx 30
318 michael 992 if (auth->timeout > CurrentTime)
319 michael 2929 break;
320 adx 30
321 michael 992 if (IsDoingAuth(auth))
322 michael 2916 {
323 michael 896 ++ServerStats.is_abad;
324 michael 1000 fd_close(&auth->fd);
325 michael 998 ClearAuth(auth);
326 adx 30 sendheader(auth->client, REPORT_FAIL_ID);
327 michael 992 }
328 adx 30
329 michael 992 if (IsDNSPending(auth))
330     {
331     delete_resolver_queries(auth);
332 michael 998 ClearDNSPending(auth);
333 michael 992 sendheader(auth->client, REPORT_FAIL_DNS);
334     }
335 adx 30
336 michael 992 release_auth_client(auth);
337 adx 30 }
338     }
339    
340     /*
341     * auth_connect_callback() - deal with the result of comm_connect_tcp()
342     *
343     * If the connection failed, we simply close the auth fd and report
344     * a failure. If the connection suceeded send the ident server a query
345     * giving "theirport , ourport". The write is only attempted *once* so
346     * it is deemed to be a fail if the entire write doesn't write all the
347     * data given. This shouldnt be a problem since the socket should have
348     * a write buffer far greater than this message to store it in should
349     * problems arise. -avalon
350     */
351     static void
352     auth_connect_callback(fde_t *fd, int error, void *data)
353     {
354 michael 4862 struct AuthRequest *const auth = data;
355 adx 30 struct irc_ssaddr us;
356     struct irc_ssaddr them;
357 michael 4859 char authbuf[16];
358 michael 5720 ssize_t len = 0;
359 adx 30 socklen_t ulen = sizeof(struct irc_ssaddr);
360     socklen_t tlen = sizeof(struct irc_ssaddr);
361 michael 1032 uint16_t uport, tport;
362 adx 30 struct sockaddr_in6 *v6;
363    
364     if (error != COMM_OK)
365     {
366     auth_error(auth);
367     return;
368     }
369    
370 michael 4588 if (getsockname(auth->client->connection->fd.fd, (struct sockaddr *)&us, &ulen) ||
371     getpeername(auth->client->connection->fd.fd, (struct sockaddr *)&them, &tlen))
372 adx 30 {
373 michael 4864 report_error(L_ALL, "auth get{sock,peer}name error %s:%s",
374 michael 7997 client_get_name(auth->client, SHOW_IP), errno);
375 adx 30 auth_error(auth);
376     return;
377     }
378    
379     v6 = (struct sockaddr_in6 *)&us;
380     uport = ntohs(v6->sin6_port);
381     v6 = (struct sockaddr_in6 *)&them;
382     tport = ntohs(v6->sin6_port);
383 michael 2916
384 michael 5720 len = snprintf(authbuf, sizeof(authbuf), "%u, %u\r\n", tport, uport);
385 adx 30
386 michael 5720 if (send(fd->fd, authbuf, len, 0) != len)
387 adx 30 {
388     auth_error(auth);
389     return;
390     }
391 michael 696
392 michael 7955 comm_setselect(fd, COMM_SELECT_READ, auth_read_reply, auth, 0);
393 adx 30 }
394    
395 michael 4309 /** Enum used to index ident reply fields in a human-readable way. */
396     enum IdentReplyFields
397     {
398     IDENT_PORT_NUMBERS,
399     IDENT_REPLY_TYPE,
400     IDENT_OS_TYPE,
401     IDENT_INFO,
402     USERID_TOKEN_COUNT
403     };
404    
405     /** Parse an ident reply line and extract the userid from it.
406     * \param reply The ident reply line.
407     * \return The userid, or NULL on parse failure.
408     */
409     static const char *
410 michael 4862 check_ident_reply(char *const reply)
411 michael 4309 {
412     char *token = NULL, *end = NULL;
413     char *vector[USERID_TOKEN_COUNT];
414 michael 7584 const unsigned int count = token_vector(reply, ':', vector, USERID_TOKEN_COUNT);
415 michael 4309
416     if (USERID_TOKEN_COUNT != count)
417     return NULL;
418    
419     /*
420     * Second token is the reply type
421     */
422     token = vector[IDENT_REPLY_TYPE];
423    
424     if (EmptyString(token))
425     return NULL;
426    
427     while (IsSpace(*token))
428     ++token;
429    
430     if (strncmp(token, "USERID", 6))
431     return NULL;
432    
433     /*
434     * Third token is the os type
435     */
436     token = vector[IDENT_OS_TYPE];
437    
438     if (EmptyString(token))
439     return NULL;
440    
441     while (IsSpace(*token))
442     ++token;
443    
444     /*
445     * Unless "OTHER" is specified as the operating system type, the server
446     * is expected to return the "normal" user identification of the owner
447     * of this connection. "Normal" in this context may be taken to mean a
448     * string of characters which uniquely identifies the connection owner
449     * such as a user identifier assigned by the system administrator and
450     * used by such user as a mail identifier, or as the "user" part of a
451     * user/password pair used to gain access to system resources. When an
452     * operating system is specified (e.g., anything but "OTHER"), the user
453     * identifier is expected to be in a more or less immediately useful
454     * form - e.g., something that could be used as an argument to "finger"
455     * or as a mail address.
456     */
457     if (!strncmp(token, "OTHER", 5))
458     return NULL;
459    
460     /*
461     * Fourth token is the username
462     */
463     token = vector[IDENT_INFO];
464    
465     if (EmptyString(token))
466     return NULL;
467    
468     while (IsSpace(*token))
469     ++token;
470    
471     while (*token == '~' || *token == '^')
472     ++token;
473    
474     /*
475     * Look for the end of the username, terminators are '\0, @, <SPACE>, :'
476     */
477     for (end = token; *end; ++end)
478     if (IsSpace(*end) || '@' == *end || ':' == *end)
479     break;
480     *end = '\0';
481    
482     return token;
483     }
484    
485 adx 30 /*
486 michael 7955 * auth_read_reply - read the reply (if any) from the ident server
487 adx 30 * we connected to.
488     * We only give it one shot, if the reply isn't good the first time
489     * fail the authentication entirely. --Bleep
490     */
491     static void
492 michael 7955 auth_read_reply(fde_t *fd, void *data)
493 adx 30 {
494 michael 4854 struct AuthRequest *const auth = data;
495 michael 4309 const char *username = NULL;
496     ssize_t len = 0;
497     char buf[RFC1413_BUFSIZ + 1];
498 adx 30
499 michael 4309 if ((len = recv(fd->fd, buf, RFC1413_BUFSIZ, 0)) > 0)
500 adx 30 {
501     buf[len] = '\0';
502 michael 4309 username = check_ident_reply(buf);
503 adx 30 }
504    
505     fd_close(fd);
506    
507     ClearAuth(auth);
508    
509 michael 4309 if (EmptyString(username))
510 adx 30 {
511     sendheader(auth->client, REPORT_FAIL_ID);
512 michael 896 ++ServerStats.is_abad;
513 adx 30 }
514     else
515     {
516 michael 4309 strlcpy(auth->client->username, username, sizeof(auth->client->username));
517 adx 30 sendheader(auth->client, REPORT_FIN_ID);
518 michael 896 ++ServerStats.is_asuc;
519 michael 6313 AddFlag(auth->client, FLAGS_GOTID);
520 adx 30 }
521    
522 michael 992 release_auth_client(auth);
523 adx 30 }
524    
525     /*
526 michael 7955 * auth_delete()
527 adx 30 */
528 michael 2916 void
529 michael 7955 auth_delete(struct AuthRequest *auth)
530 adx 30 {
531 michael 992 if (IsDNSPending(auth))
532     delete_resolver_queries(auth);
533 adx 30
534 michael 1000 if (IsDoingAuth(auth))
535     fd_close(&auth->fd);
536    
537 michael 2929 if (IsInAuth(auth))
538     {
539 michael 6478 dlinkDelete(&auth->node, &auth_list);
540 michael 2929 ClearInAuth(auth);
541     }
542 adx 30 }
543 michael 4309
544     /* auth_init
545     *
546     * Initialise the auth code
547     */
548     void
549     auth_init(void)
550     {
551     static struct event timeout_auth_queries =
552     {
553     .name = "timeout_auth_queries_event",
554     .handler = timeout_auth_queries_event,
555     .when = 1
556     };
557    
558     event_add(&timeout_auth_queries, NULL);
559     }

Properties

Name Value
svn:eol-style native
svn:keywords Id