/[svn]/ircd-hybrid/trunk/src/auth.c
ViewVC logotype

Annotation of /ircd-hybrid/trunk/src/auth.c

Parent Directory Parent Directory | Revision Log Revision Log


Revision 8881 - (hide annotations)
Sun Apr 14 16:03:29 2019 UTC (17 months ago) by michael
File MIME type: text/x-chdr
File size: 15035 byte(s)
- Add address_compare() and make use of it in some places

1 adx 30 /*
2 michael 2916 * ircd-hybrid: an advanced, lightweight Internet Relay Chat Daemon (ircd)
3 adx 30 *
4 michael 8752 * Copyright (c) 1997-2019 ircd-hybrid development team
5 adx 30 *
6     * This program is free software; you can redistribute it and/or modify
7     * it under the terms of the GNU General Public License as published by
8     * the Free Software Foundation; either version 2 of the License, or
9     * (at your option) any later version.
10     *
11     * This program is distributed in the hope that it will be useful,
12     * but WITHOUT ANY WARRANTY; without even the implied warranty of
13     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14     * GNU General Public License for more details.
15     *
16     * You should have received a copy of the GNU General Public License
17     * along with this program; if not, write to the Free Software
18 michael 4565 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
19 adx 30 * USA
20     */
21    
22 michael 3324 /*! \file auth.c
23 michael 8306 * \brief Implementation of DNS and ident lookups.
24 michael 2916 * \version $Id$
25     */
26    
27 adx 30 /*
28     * Changes:
29     * July 6, 1999 - Rewrote most of the code here. When a client connects
30     * to the server and passes initial socket validation checks, it
31     * is owned by this module (auth) which returns it to the rest of the
32     * server when dns and auth queries are finished. Until the client is
33     * released, the server does not know it exists and does not process
34     * any messages from it.
35     * --Bleep Thomas Helvey <tomh@inxpress.net>
36     */
37 michael 1309
38 adx 30 #include "stdinc.h"
39     #include "list.h"
40 michael 1011 #include "ircd_defs.h"
41     #include "fdlist.h"
42 michael 3324 #include "auth.h"
43 michael 1309 #include "conf.h"
44 adx 30 #include "client.h"
45     #include "event.h"
46     #include "irc_string.h"
47     #include "ircd.h"
48     #include "packet.h"
49 michael 3322 #include "res.h"
50 adx 30 #include "s_bsd.h"
51 michael 1309 #include "log.h"
52 adx 30 #include "send.h"
53 michael 8385 #include "memory.h"
54 michael 8881 #include "misc.h"
55 adx 30
56 michael 1011
57 michael 2916 enum
58     {
59 adx 30 REPORT_DO_DNS,
60     REPORT_FIN_DNS,
61     REPORT_FAIL_DNS,
62     REPORT_DO_ID,
63     REPORT_FIN_ID,
64     REPORT_FAIL_ID,
65     REPORT_IP_MISMATCH,
66 michael 8217 REPORT_HOST_TOOLONG,
67     REPORT_HOST_INVALID
68 adx 30 };
69    
70 michael 5888 static const char *const HeaderMessages[] =
71     {
72     [REPORT_DO_DNS] = ":*** Looking up your hostname",
73     [REPORT_FIN_DNS] = ":*** Found your hostname",
74     [REPORT_FAIL_DNS] = ":*** Couldn't look up your hostname",
75     [REPORT_DO_ID] = ":*** Checking Ident",
76     [REPORT_FIN_ID] = ":*** Got Ident response",
77     [REPORT_FAIL_ID] = ":*** No Ident response",
78     [REPORT_IP_MISMATCH] = ":*** Your forward and reverse DNS do not match, ignoring hostname",
79 michael 8217 [REPORT_HOST_TOOLONG] = ":*** Your hostname is too long, ignoring hostname",
80     [REPORT_HOST_INVALID] = ":*** Your hostname contains illegal characters, ignoring hostname"
81 michael 5888 };
82    
83 michael 8306 #define auth_sendheader(c, i) sendto_one_notice((c), &me, "%s", HeaderMessages[(i)])
84 adx 30
85 michael 6478 static dlink_list auth_list;
86 adx 30
87 michael 4094
88 michael 8349 /*! \brief Allocate a new auth request.
89     * \param client The client being looked up.
90     * \return The newly allocated auth request.
91 adx 30 */
92     static struct AuthRequest *
93 michael 8339 auth_make(struct Client *client)
94 adx 30 {
95 michael 8385 struct AuthRequest *auth = xcalloc(sizeof(*auth));
96 adx 30
97 michael 6690 auth->client = client;
98 michael 8470 auth->client->connection->auth = auth;
99 michael 6690 auth->timeout = CurrentTime + CONNECTTIMEOUT;
100 michael 2181
101 michael 6690 return auth;
102 adx 30 }
103    
104 michael 8470 /*! \brief Unlink auth request from auth_list and free memory
105     * \param auth The allocated auth request to cleanup.
106     */
107     static void
108     auth_free(struct AuthRequest *auth)
109     {
110     assert(dlinkFind(&auth_list, auth));
111     dlinkDelete(&auth->node, &auth_list);
112     assert(dlinkFind(&auth_list, auth) == NULL);
113    
114     xfree(auth);
115     }
116    
117 michael 8306 /*! \brief Release auth client from auth system. This adds the client into the
118     * local client lists so it can be read by the main io processing loop.
119     * \param auth Pointer to AuthRequest struct to release
120 adx 30 */
121 michael 8304 static void
122 michael 8306 auth_release_client(struct AuthRequest *auth)
123 adx 30 {
124 michael 8470 struct Client *client = auth->client;
125 michael 992
126 michael 8813 assert(client);
127     assert(client->connection);
128    
129 michael 8721 if (auth->ident_pending == true || auth->dns_pending == true)
130 michael 992 return;
131    
132 michael 8470 auth_free(auth);
133 michael 8339 client->connection->auth = NULL;
134    
135 adx 30 /*
136     * When a client has auth'ed, we want to start reading what it sends
137     * us. This is what read_packet() does.
138     * -- adrian
139     */
140 michael 8339 comm_setflush(client->connection->fd, 1000, flood_recalc, client);
141 michael 650
142 michael 4588 client->connection->since = CurrentTime;
143     client->connection->lasttime = CurrentTime;
144     client->connection->firsttime = CurrentTime;
145 michael 8298 AddFlag(client, FLAGS_FINISHED_AUTH);
146 michael 650
147 michael 8214 strlcpy(client->realhost, client->host, sizeof(client->realhost));
148    
149 michael 8339 read_packet(client->connection->fd, client);
150 adx 30 }
151 michael 2916
152 michael 8218 /*! Checks if a hostname is valid and doesn't contain illegal characters
153     * \param hostname The string to verify
154     * \return 1 if it is valid, 0 if it isn't
155     */
156 michael 8656 static bool
157 michael 8217 auth_verify_hostname(const char *hostname)
158     {
159     const char *p = hostname;
160    
161     assert(p);
162    
163     if (EmptyString(p) || *p == '.' || *p == ':')
164 michael 8656 return false;
165 michael 8217
166     for (; *p; ++p)
167     if (!IsHostChar(*p))
168 michael 8656 return false;
169 michael 8217
170 michael 8656 return true;
171 michael 8217 }
172    
173 michael 8306 /*! \brief Handle a complete DNS lookup. Send the client on its way to a connection
174     * completion, regardless of success or failure.
175     * \param vptr The pending struct AuthRequest.
176     * \param addr IP address being resolved.
177     * \param name Resolved name, or NULL if lookup failed.
178     * \param namelength String length of the resolved hostname pointed by 'name'
179 adx 30 */
180     static void
181 michael 4408 auth_dns_callback(void *vptr, const struct irc_ssaddr *addr, const char *name, size_t namelength)
182 adx 30 {
183 michael 4854 struct AuthRequest *const auth = vptr;
184 adx 30
185 michael 8813 assert(auth->client);
186     assert(auth->client->connection);
187    
188 michael 8721 auth->dns_pending = false;
189 adx 30
190 michael 8431 if (EmptyString(name))
191     auth_sendheader(auth->client, REPORT_FAIL_DNS);
192     else
193 adx 30 {
194 michael 8881 if (address_compare(addr, &auth->client->ip, false) == false)
195     auth_sendheader(auth->client, REPORT_IP_MISMATCH);
196     else if (namelength > HOSTLEN)
197 michael 8306 auth_sendheader(auth->client, REPORT_HOST_TOOLONG);
198 michael 8656 else if (auth_verify_hostname(name) == false)
199 michael 8306 auth_sendheader(auth->client, REPORT_HOST_INVALID);
200 michael 4408 else
201 adx 30 {
202 michael 4408 strlcpy(auth->client->host, name, sizeof(auth->client->host));
203 michael 8306 auth_sendheader(auth->client, REPORT_FIN_DNS);
204 adx 30 }
205     }
206    
207 michael 8306 auth_release_client(auth);
208 adx 30 }
209    
210     /*
211 michael 8306 * auth_error - handle auth send errors
212 adx 30 */
213     static void
214     auth_error(struct AuthRequest *auth)
215     {
216 michael 8524 assert(auth);
217     assert(auth->fd);
218 michael 8813 assert(auth->client);
219     assert(auth->client->connection);
220 michael 8524
221 michael 896 ++ServerStats.is_abad;
222 adx 30
223 michael 8339 fd_close(auth->fd);
224     auth->fd = NULL;
225 michael 8721 auth->ident_pending = false;
226 michael 8339
227 michael 8306 auth_sendheader(auth->client, REPORT_FAIL_ID);
228 adx 30
229 michael 8306 auth_release_client(auth);
230 adx 30 }
231    
232 michael 4309 /** Enum used to index ident reply fields in a human-readable way. */
233     enum IdentReplyFields
234     {
235     IDENT_PORT_NUMBERS,
236     IDENT_REPLY_TYPE,
237     IDENT_OS_TYPE,
238     IDENT_INFO,
239     USERID_TOKEN_COUNT
240     };
241    
242     /** Parse an ident reply line and extract the userid from it.
243     * \param reply The ident reply line.
244     * \return The userid, or NULL on parse failure.
245     */
246     static const char *
247 michael 8306 auth_check_ident_reply(char *const reply)
248 michael 4309 {
249     char *token = NULL, *end = NULL;
250     char *vector[USERID_TOKEN_COUNT];
251 michael 7584 const unsigned int count = token_vector(reply, ':', vector, USERID_TOKEN_COUNT);
252 michael 4309
253     if (USERID_TOKEN_COUNT != count)
254     return NULL;
255    
256     /*
257     * Second token is the reply type
258     */
259     token = vector[IDENT_REPLY_TYPE];
260    
261     if (EmptyString(token))
262     return NULL;
263    
264     while (IsSpace(*token))
265     ++token;
266    
267     if (strncmp(token, "USERID", 6))
268     return NULL;
269    
270     /*
271     * Third token is the os type
272     */
273     token = vector[IDENT_OS_TYPE];
274    
275     if (EmptyString(token))
276     return NULL;
277    
278     while (IsSpace(*token))
279     ++token;
280    
281     /*
282     * Unless "OTHER" is specified as the operating system type, the server
283     * is expected to return the "normal" user identification of the owner
284     * of this connection. "Normal" in this context may be taken to mean a
285     * string of characters which uniquely identifies the connection owner
286     * such as a user identifier assigned by the system administrator and
287     * used by such user as a mail identifier, or as the "user" part of a
288     * user/password pair used to gain access to system resources. When an
289     * operating system is specified (e.g., anything but "OTHER"), the user
290     * identifier is expected to be in a more or less immediately useful
291     * form - e.g., something that could be used as an argument to "finger"
292     * or as a mail address.
293     */
294 michael 8620 if (strncmp(token, "OTHER", 5) == 0)
295 michael 4309 return NULL;
296    
297     /*
298     * Fourth token is the username
299     */
300     token = vector[IDENT_INFO];
301    
302     if (EmptyString(token))
303     return NULL;
304    
305     while (IsSpace(*token))
306     ++token;
307    
308     while (*token == '~' || *token == '^')
309     ++token;
310    
311     /*
312     * Look for the end of the username, terminators are '\0, @, <SPACE>, :'
313     */
314     for (end = token; *end; ++end)
315     if (IsSpace(*end) || '@' == *end || ':' == *end)
316     break;
317     *end = '\0';
318    
319     return token;
320     }
321    
322 michael 8306 /*! \brief Read the reply (if any) from the ident server we connected to. We
323     * only give it one shot, if the reply isn't good the first time fail
324     * the authentication entirely. --Bleep
325 michael 8349 * \param F The socket/fd to read from.
326 michael 8306 * \param data The request to read.
327 adx 30 */
328     static void
329 michael 8349 auth_read_reply(fde_t *F, void *data)
330 adx 30 {
331 michael 4854 struct AuthRequest *const auth = data;
332 michael 4309 const char *username = NULL;
333     ssize_t len = 0;
334     char buf[RFC1413_BUFSIZ + 1];
335 adx 30
336 michael 8349 assert(auth->fd == F);
337 michael 8813 assert(auth->client);
338     assert(auth->client->connection);
339 michael 8339
340 michael 8819 if ((len = recv(auth->fd->fd, buf, sizeof(buf) - 1, 0)) > 0)
341 adx 30 {
342     buf[len] = '\0';
343 michael 8306 username = auth_check_ident_reply(buf);
344 adx 30 }
345    
346 michael 8339 fd_close(auth->fd);
347     auth->fd = NULL;
348 michael 8721 auth->ident_pending = false;
349 michael 8339
350 michael 4309 if (EmptyString(username))
351 adx 30 {
352 michael 8306 auth_sendheader(auth->client, REPORT_FAIL_ID);
353 michael 896 ++ServerStats.is_abad;
354 adx 30 }
355     else
356     {
357 michael 4309 strlcpy(auth->client->username, username, sizeof(auth->client->username));
358 michael 8306 auth_sendheader(auth->client, REPORT_FIN_ID);
359 michael 896 ++ServerStats.is_asuc;
360 michael 6313 AddFlag(auth->client, FLAGS_GOTID);
361 adx 30 }
362    
363 michael 8306 auth_release_client(auth);
364 adx 30 }
365    
366     /*
367 michael 8306 * auth_connect_callback() - deal with the result of comm_connect_tcp()
368     *
369     * If the connection failed, we simply close the auth fd and report
370     * a failure. If the connection suceeded send the ident server a query
371     * giving "theirport , ourport". The write is only attempted *once* so
372     * it is deemed to be a fail if the entire write doesn't write all the
373     * data given. This shouldnt be a problem since the socket should have
374     * a write buffer far greater than this message to store it in should
375     * problems arise. -avalon
376     */
377     static void
378 michael 8349 auth_connect_callback(fde_t *F, int error, void *data)
379 michael 8306 {
380     struct AuthRequest *const auth = data;
381     struct irc_ssaddr us;
382     struct irc_ssaddr them;
383     char authbuf[16];
384     ssize_t len = 0;
385     socklen_t ulen = sizeof(struct irc_ssaddr);
386     socklen_t tlen = sizeof(struct irc_ssaddr);
387     uint16_t uport, tport;
388     struct sockaddr_in6 *v6;
389    
390 michael 8813 assert(auth->fd == F);
391     assert(auth->client);
392     assert(auth->client->connection);
393    
394 michael 8306 if (error != COMM_OK)
395     {
396     auth_error(auth);
397     return;
398     }
399    
400 michael 8339 if (getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&us, &ulen) ||
401     getpeername(auth->client->connection->fd->fd, (struct sockaddr *)&them, &tlen))
402 michael 8306 {
403     report_error(L_ALL, "auth get{sock,peer}name error %s:%s",
404     client_get_name(auth->client, SHOW_IP), errno);
405     auth_error(auth);
406     return;
407     }
408    
409     v6 = (struct sockaddr_in6 *)&us;
410     uport = ntohs(v6->sin6_port);
411     v6 = (struct sockaddr_in6 *)&them;
412     tport = ntohs(v6->sin6_port);
413    
414     len = snprintf(authbuf, sizeof(authbuf), "%u, %u\r\n", tport, uport);
415    
416 michael 8349 if (send(F->fd, authbuf, len, 0) != len)
417 michael 8306 {
418     auth_error(auth);
419     return;
420     }
421    
422 michael 8349 comm_setselect(F, COMM_SELECT_READ, auth_read_reply, auth, 0);
423 michael 8306 }
424    
425     /*! \brief Flag the client to show an attempt to contact the ident server on
426     * the client's host. Should the connect or any later phase of the
427     * identifying process fail, it is aborted and the user is given a
428     * username of "unknown".
429     * \param auth The request for which to start the ident lookup.
430     */
431     static void
432     auth_start_query(struct AuthRequest *auth)
433     {
434     struct irc_ssaddr localaddr;
435     socklen_t locallen = sizeof(struct irc_ssaddr);
436     struct sockaddr_in6 *v6;
437    
438 michael 8813 assert(auth->client);
439     assert(auth->client->connection);
440    
441 michael 8306 /* Open a socket of the same type as the client socket */
442 michael 8496 int fd = comm_socket(auth->client->ip.ss.ss_family, SOCK_STREAM, 0);
443 michael 8339 if (fd == -1)
444 michael 8306 {
445     report_error(L_ALL, "creating auth stream socket %s:%s",
446     client_get_name(auth->client, SHOW_IP), errno);
447     ++ServerStats.is_abad;
448     return;
449     }
450    
451 michael 8658 auth->fd = fd_open(fd, true, "ident");
452 michael 8721 auth->ident_pending = true;
453 michael 8339
454 michael 8306 auth_sendheader(auth->client, REPORT_DO_ID);
455    
456     /*
457     * Get the local address of the client and bind to that to
458     * make the auth request.
459     */
460     memset(&localaddr, 0, locallen);
461 michael 8339 getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&localaddr, &locallen);
462 michael 8306
463     remove_ipv6_mapping(&localaddr);
464     v6 = (struct sockaddr_in6 *)&localaddr;
465     v6->sin6_port = htons(0);
466    
467 michael 8872 comm_connect_tcp(auth->fd, &auth->client->ip, RFC1413_PORT,
468     &localaddr, auth_connect_callback, auth,
469     GlobalSetOptions.ident_timeout);
470 michael 8306 }
471    
472     /*
473     * auth_start
474     *
475     * inputs - pointer to client to auth
476     * output - NONE
477     * side effects - starts auth (identd) and dns queries for a client
478     */
479     void
480     auth_start(struct Client *client_p)
481     {
482 michael 8339 struct AuthRequest *auth = auth_make(client_p);
483 michael 8306
484 michael 8813 assert(client_p);
485     assert(client_p->connection);
486    
487 michael 8306 dlinkAddTail(auth, &auth->node, &auth_list);
488    
489     auth_sendheader(client_p, REPORT_DO_DNS);
490    
491 michael 8721 auth->dns_pending = true;
492 michael 8306
493     if (ConfigGeneral.disable_auth == 0)
494     auth_start_query(auth);
495    
496 michael 8496 gethost_byaddr(auth_dns_callback, auth, &client_p->ip);
497 michael 8306 }
498    
499     /*
500 michael 7955 * auth_delete()
501 adx 30 */
502 michael 2916 void
503 michael 7955 auth_delete(struct AuthRequest *auth)
504 adx 30 {
505 michael 8813 assert(auth->client);
506     assert(auth->client->connection);
507    
508 michael 8721 if (auth->ident_pending == true)
509 michael 8306 {
510 michael 8339 fd_close(auth->fd);
511     auth->fd = NULL;
512 michael 8721 auth->ident_pending = false;
513 michael 8306 }
514    
515 michael 8721 if (auth->dns_pending == true)
516 michael 8300 {
517 michael 992 delete_resolver_queries(auth);
518 michael 8721 auth->dns_pending = false;
519 michael 8300 }
520 adx 30
521 michael 8470 auth_free(auth);
522 adx 30 }
523 michael 4309
524 michael 8306 /*
525     * auth_timeout_queries - timeout resolver and identd requests
526     * allow clients through if requests failed
527     */
528     static void
529     auth_timeout_queries(void *notused)
530     {
531     dlink_node *node, *node_next;
532    
533     DLINK_FOREACH_SAFE(node, node_next, auth_list.head)
534     {
535     struct AuthRequest *auth = node->data;
536    
537 michael 8813 assert(auth->client);
538     assert(auth->client->connection);
539    
540 michael 8306 if (auth->timeout > CurrentTime)
541     break;
542    
543 michael 8721 if (auth->ident_pending == true)
544 michael 8306 {
545     ++ServerStats.is_abad;
546 michael 8349
547 michael 8339 fd_close(auth->fd);
548     auth->fd = NULL;
549 michael 8721 auth->ident_pending = false;
550 michael 8339
551 michael 8306 auth_sendheader(auth->client, REPORT_FAIL_ID);
552     }
553    
554 michael 8721 if (auth->dns_pending == true)
555 michael 8306 {
556     delete_resolver_queries(auth);
557 michael 8721 auth->dns_pending = false;
558 michael 8306
559     auth_sendheader(auth->client, REPORT_FAIL_DNS);
560     }
561    
562     auth_release_client(auth);
563     }
564     }
565    
566 michael 4309 /* auth_init
567     *
568     * Initialise the auth code
569     */
570     void
571     auth_init(void)
572     {
573     static struct event timeout_auth_queries =
574     {
575 michael 8306 .name = "auth_timeout_queries",
576     .handler = auth_timeout_queries,
577 michael 4309 .when = 1
578     };
579    
580     event_add(&timeout_auth_queries, NULL);
581     }

Properties

Name Value
svn:eol-style native
svn:keywords Id

svnadmin@ircd-hybrid.org
ViewVC Help
Powered by ViewVC 1.1.28