ViewVC Help
View File | Revision Log | Show Annotations | View Changeset | Root Listing
root/svn/ircd-hybrid/trunk/src/auth.c
Revision: 896
Committed: Sat Nov 3 08:54:09 2007 UTC (17 years, 9 months ago) by michael
Content type: text/x-csrc
Original Path: ircd-hybrid-7.2/src/s_auth.c
File size: 17819 byte(s)
Log Message: 
- Killed s_stats.c

File Contents

# User Rev Content
1 adx 30 /*
2     * ircd-hybrid: an advanced Internet Relay Chat Daemon(ircd).
3     * s_auth.c: Functions for querying a users ident.
4     *
5     * Copyright (C) 2002 by the past and present ircd coders, and others.
6     *
7     * This program is free software; you can redistribute it and/or modify
8     * it under the terms of the GNU General Public License as published by
9     * the Free Software Foundation; either version 2 of the License, or
10     * (at your option) any later version.
11     *
12     * This program is distributed in the hope that it will be useful,
13     * but WITHOUT ANY WARRANTY; without even the implied warranty of
14     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15     * GNU General Public License for more details.
16     *
17     * You should have received a copy of the GNU General Public License
18     * along with this program; if not, write to the Free Software
19     * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
20     * USA
21     *
22 knight 31 * $Id$
23 adx 30 */
24    
25     /*
26     * Changes:
27     * July 6, 1999 - Rewrote most of the code here. When a client connects
28     * to the server and passes initial socket validation checks, it
29     * is owned by this module (auth) which returns it to the rest of the
30     * server when dns and auth queries are finished. Until the client is
31     * released, the server does not know it exists and does not process
32     * any messages from it.
33     * --Bleep Thomas Helvey <tomh@inxpress.net>
34     */
35     #include "stdinc.h"
36     #include "tools.h"
37     #include "list.h"
38     #include "s_auth.h"
39     #include "s_conf.h"
40     #include "client.h"
41     #include "common.h"
42     #include "event.h"
43     #include "fdlist.h" /* fdlist_add */
44     #include "hook.h"
45     #include "irc_string.h"
46     #include "sprintf_irc.h"
47     #include "ircd.h"
48     #include "numeric.h"
49     #include "packet.h"
50     #include "irc_res.h"
51     #include "s_bsd.h"
52     #include "s_log.h"
53     #include "send.h"
54     #include "memory.h"
55    
56     static const char *HeaderMessages[] = {
57     ":%s NOTICE AUTH :*** Looking up your hostname...",
58     ":%s NOTICE AUTH :*** Found your hostname",
59     ":%s NOTICE AUTH :*** Couldn't look up your hostname",
60     ":%s NOTICE AUTH :*** Checking Ident",
61     ":%s NOTICE AUTH :*** Got Ident response",
62     ":%s NOTICE AUTH :*** No Ident response",
63     ":%s NOTICE AUTH :*** Your forward and reverse DNS do not match, ignoring hostname.",
64     ":%s NOTICE AUTH :*** Your hostname is too long, ignoring hostname"
65     };
66    
67     enum {
68     REPORT_DO_DNS,
69     REPORT_FIN_DNS,
70     REPORT_FAIL_DNS,
71     REPORT_DO_ID,
72     REPORT_FIN_ID,
73     REPORT_FAIL_ID,
74     REPORT_IP_MISMATCH,
75     REPORT_HOST_TOOLONG
76     };
77    
78     #define sendheader(c, i) sendto_one((c), HeaderMessages[(i)], me.name)
79    
80     /*
81     * Ok, the original was confusing.
82     * Now there are two lists, an auth request can be on both at the same time
83     * or only on one or the other.
84     * - Dianora
85     */
86     static dlink_list auth_doing_dns_list = { NULL, NULL, 0 };
87     static dlink_list auth_doing_ident_list = { NULL, NULL, 0 };
88    
89     static EVH timeout_auth_queries_event;
90    
91     static PF read_auth_reply;
92     static CNCB auth_connect_callback;
93     static CBFUNC start_auth;
94    
95     struct Callback *auth_cb = NULL;
96    
97     /* init_auth()
98     *
99     * Initialise the auth code
100     */
101     void
102     init_auth(void)
103     {
104     auth_cb = register_callback("start_auth", start_auth);
105     eventAddIsh("timeout_auth_queries_event", timeout_auth_queries_event, NULL, 1);
106     }
107    
108     /*
109     * make_auth_request - allocate a new auth request
110     */
111     static struct AuthRequest *
112     make_auth_request(struct Client *client)
113     {
114     struct AuthRequest *request = MyMalloc(sizeof(struct AuthRequest));
115    
116     request->client = client;
117     request->timeout = CurrentTime + CONNECTTIMEOUT;
118    
119 michael 650 return request;
120 adx 30 }
121    
122     /*
123     * release_auth_client - release auth client from auth system
124     * this adds the client into the local client lists so it can be read by
125     * the main io processing loop
126     */
127     void
128     release_auth_client(struct Client *client)
129     {
130     /*
131     * When a client has auth'ed, we want to start reading what it sends
132     * us. This is what read_packet() does.
133     * -- adrian
134     */
135     client->localClient->allow_read = MAX_FLOOD;
136     comm_setflush(&client->localClient->fd, 1000, flood_recalc, client);
137 michael 650
138 adx 30 if ((client->node.prev != NULL) || (client->node.next != NULL))
139     {
140     sendto_realops_flags(UMODE_ALL, L_OPER,
141     "already linked %s at %s:%d", client->name,
142     __FILE__, __LINE__);
143     ilog(L_ERROR, "already linked %s at %s:%d", client->name,
144     __FILE__, __LINE__);
145     assert(0==5);
146     }
147     else
148     dlinkAdd(client, &client->node, &global_client_list);
149 michael 650
150 michael 664 client->since = client->lasttime = client->firsttime = CurrentTime;
151     client->flags |= FLAGS_FINISHED_AUTH;
152 michael 650
153 adx 30 read_packet(&client->localClient->fd, client);
154     }
155    
156     /*
157     * auth_dns_callback - called when resolver query finishes
158     * if the query resulted in a successful search, hp will contain
159     * a non-null pointer, otherwise hp will be null.
160     * set the client on it's way to a connection completion, regardless
161     * of success of failure
162     */
163     static void
164     auth_dns_callback(void *vptr, struct DNSReply *reply)
165     {
166     struct AuthRequest *auth = (struct AuthRequest *)vptr;
167    
168     dlinkDelete(&auth->dns_node, &auth_doing_dns_list);
169     ClearDNSPending(auth);
170    
171     if (reply != NULL)
172     {
173     struct sockaddr_in *v4, *v4dns;
174     #ifdef IPV6
175     struct sockaddr_in6 *v6, *v6dns;
176     #endif
177     int good = 1;
178    
179     #ifdef IPV6
180     if (auth->client->localClient->ip.ss.ss_family == AF_INET6)
181     {
182     v6 = (struct sockaddr_in6 *)&auth->client->localClient->ip;
183     v6dns = (struct sockaddr_in6 *)&reply->addr;
184     if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)) != 0)
185     {
186     sendheader(auth->client, REPORT_IP_MISMATCH);
187     good = 0;
188     }
189     }
190     else
191     #endif
192     {
193     v4 = (struct sockaddr_in *)&auth->client->localClient->ip;
194     v4dns = (struct sockaddr_in *)&reply->addr;
195     if(v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
196     {
197     sendheader(auth->client, REPORT_IP_MISMATCH);
198     good = 0;
199     }
200     }
201     if (good && strlen(reply->h_name) <= HOSTLEN)
202     {
203     strlcpy(auth->client->host, reply->h_name,
204     sizeof(auth->client->host));
205     sendheader(auth->client, REPORT_FIN_DNS);
206     }
207     else if (strlen(reply->h_name) > HOSTLEN)
208     sendheader(auth->client, REPORT_HOST_TOOLONG);
209     }
210     else
211     sendheader(auth->client, REPORT_FAIL_DNS);
212    
213     MyFree(auth->client->localClient->dns_query);
214     auth->client->localClient->dns_query = NULL;
215    
216     if (!IsDoingAuth(auth))
217     {
218     struct Client *client_p = auth->client;
219     MyFree(auth);
220     release_auth_client(client_p);
221     }
222     }
223    
224     /*
225     * authsenderr - handle auth send errors
226     */
227     static void
228     auth_error(struct AuthRequest *auth)
229     {
230 michael 896 ++ServerStats.is_abad;
231 adx 30
232     fd_close(&auth->fd);
233    
234     dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
235     ClearAuth(auth);
236    
237     sendheader(auth->client, REPORT_FAIL_ID);
238    
239     if (!IsDNSPending(auth) && !IsCrit(auth))
240     {
241     release_auth_client(auth->client);
242     MyFree(auth);
243     }
244     }
245    
246     /*
247     * start_auth_query - Flag the client to show that an attempt to
248     * contact the ident server on
249     * the client's host. The connect and subsequently the socket are all put
250     * into 'non-blocking' mode. Should the connect or any later phase of the
251     * identifing process fail, it is aborted and the user is given a username
252     * of "unknown".
253     */
254     static int
255     start_auth_query(struct AuthRequest *auth)
256     {
257     struct irc_ssaddr localaddr;
258     socklen_t locallen = sizeof(struct irc_ssaddr);
259     #ifdef IPV6
260     struct sockaddr_in6 *v6;
261     #else
262     struct sockaddr_in *v4;
263     #endif
264    
265     /* open a socket of the same type as the client socket */
266     if (comm_open(&auth->fd, auth->client->localClient->ip.ss.ss_family,
267     SOCK_STREAM, 0, "ident") == -1)
268     {
269     report_error(L_ALL, "creating auth stream socket %s:%s",
270     get_client_name(auth->client, SHOW_IP), errno);
271     ilog(L_ERROR, "Unable to create auth socket for %s",
272     get_client_name(auth->client, SHOW_IP));
273 michael 896 ++ServerStats.is_abad;
274 adx 30 return 0;
275     }
276    
277     sendheader(auth->client, REPORT_DO_ID);
278    
279     /*
280     * get the local address of the client and bind to that to
281     * make the auth request. This used to be done only for
282     * ifdef VIRTUAL_HOST, but needs to be done for all clients
283     * since the ident request must originate from that same address--
284     * and machines with multiple IP addresses are common now
285     */
286     memset(&localaddr, 0, locallen);
287     getsockname(auth->client->localClient->fd.fd, (struct sockaddr*)&localaddr,
288     &locallen);
289    
290     #ifdef IPV6
291     remove_ipv6_mapping(&localaddr);
292     v6 = (struct sockaddr_in6 *)&localaddr;
293     v6->sin6_port = htons(0);
294     #else
295     localaddr.ss_len = locallen;
296     v4 = (struct sockaddr_in *)&localaddr;
297     v4->sin_port = htons(0);
298     #endif
299     localaddr.ss_port = htons(0);
300    
301     SetDoingAuth(auth);
302     dlinkAdd(auth, &auth->ident_node, &auth_doing_ident_list);
303    
304     comm_connect_tcp(&auth->fd, auth->client->sockhost, 113,
305     (struct sockaddr *)&localaddr, localaddr.ss_len, auth_connect_callback,
306     auth, auth->client->localClient->ip.ss.ss_family,
307     GlobalSetOptions.ident_timeout);
308     return 1; /* We suceed here for now */
309     }
310    
311     /*
312     * GetValidIdent - parse ident query reply from identd server
313     *
314     * Inputs - pointer to ident buf
315     * Output - NULL if no valid ident found, otherwise pointer to name
316     * Side effects -
317     */
318     /*
319     * A few questions have been asked about this mess, obviously
320     * it should have been commented better the first time.
321     * The original idea was to remove all references to libc from ircd-hybrid.
322     * Instead of having to write a replacement for sscanf(), I did a
323     * rather gruseome parser here so we could remove this function call.
324     * Note, that I had also removed a few floating point printfs as well (though
325     * now we are still stuck with a few...)
326     * Remember, we have a replacement ircd sprintf, we have bleeps fputs lib
327     * it would have been nice to remove some unneeded code.
328     * Oh well. If we don't remove libc stuff totally, then it would be
329     * far cleaner to use sscanf()
330     *
331     * - Dianora
332     */
333     static char *
334     GetValidIdent(char *buf)
335     {
336     int remp = 0;
337     int locp = 0;
338     char* colon1Ptr;
339     char* colon2Ptr;
340     char* colon3Ptr;
341     char* commaPtr;
342     char* remotePortString;
343    
344     /* All this to get rid of a sscanf() fun. */
345     remotePortString = buf;
346    
347     if ((colon1Ptr = strchr(remotePortString,':')) == NULL)
348     return 0;
349     *colon1Ptr = '\0';
350     colon1Ptr++;
351    
352     if ((colon2Ptr = strchr(colon1Ptr,':')) == NULL)
353     return 0;
354     *colon2Ptr = '\0';
355     colon2Ptr++;
356    
357     if ((commaPtr = strchr(remotePortString, ',')) == NULL)
358     return 0;
359     *commaPtr = '\0';
360     commaPtr++;
361    
362     if ((remp = atoi(remotePortString)) == 0)
363     return 0;
364    
365     if ((locp = atoi(commaPtr)) == 0)
366     return 0;
367    
368     /* look for USERID bordered by first pair of colons */
369     if (strstr(colon1Ptr, "USERID") == NULL)
370     return 0;
371    
372     if ((colon3Ptr = strchr(colon2Ptr,':')) == NULL)
373     return 0;
374     *colon3Ptr = '\0';
375     colon3Ptr++;
376     return (colon3Ptr);
377     }
378    
379     /*
380     * start_auth
381     *
382     * inputs - pointer to client to auth
383     * output - NONE
384     * side effects - starts auth (identd) and dns queries for a client
385     */
386     static void *
387     start_auth(va_list args)
388     {
389     struct Client *client = va_arg(args, struct Client *);
390     struct AuthRequest *auth = NULL;
391    
392     assert(client != NULL);
393    
394     auth = make_auth_request(client);
395     SetCrit(auth);
396    
397     client->localClient->dns_query = MyMalloc(sizeof(struct DNSQuery));
398     client->localClient->dns_query->ptr = auth;
399     client->localClient->dns_query->callback = auth_dns_callback;
400    
401     sendheader(client, REPORT_DO_DNS);
402    
403     if (ConfigFileEntry.disable_auth == 0)
404     start_auth_query(auth);
405    
406     /* auth order changed, before gethost_byaddr can immediately call
407     * dns callback under win32 when the lookup cannot be started.
408     * And that would do MyFree(auth) etc -adx */
409     SetDNSPending(auth);
410     dlinkAdd(auth, &auth->dns_node, &auth_doing_dns_list);
411     ClearCrit(auth);
412     gethost_byaddr(&client->localClient->ip, client->localClient->dns_query);
413    
414     return NULL;
415     }
416    
417     /*
418     * timeout_auth_queries - timeout resolver and identd requests
419     * allow clients through if requests failed
420     */
421     static void
422     timeout_auth_queries_event(void *notused)
423     {
424     dlink_node *ptr;
425     dlink_node *next_ptr;
426     struct AuthRequest* auth;
427    
428     DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_ident_list.head)
429     {
430     auth = ptr->data;
431    
432     if (auth->timeout <= CurrentTime)
433     {
434     fd_close(&auth->fd);
435    
436 michael 896 ++ServerStats.is_abad;
437 adx 30 sendheader(auth->client, REPORT_FAIL_ID);
438    
439     if (IsDNSPending(auth))
440     {
441     struct Client *client_p = auth->client;
442    
443     dlinkDelete(&auth->dns_node, &auth_doing_dns_list);
444     if (client_p->localClient->dns_query != NULL)
445     {
446     delete_resolver_queries(client_p->localClient->dns_query);
447     MyFree(client_p->localClient->dns_query);
448     }
449     auth->client->localClient->dns_query = NULL;
450     sendheader(client_p, REPORT_FAIL_DNS);
451     }
452    
453     ilog(L_INFO, "DNS/AUTH timeout %s",
454     get_client_name(auth->client, SHOW_IP));
455    
456     dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
457     release_auth_client(auth->client);
458     MyFree(auth);
459     }
460     }
461     }
462    
463     /*
464     * auth_connect_callback() - deal with the result of comm_connect_tcp()
465     *
466     * If the connection failed, we simply close the auth fd and report
467     * a failure. If the connection suceeded send the ident server a query
468     * giving "theirport , ourport". The write is only attempted *once* so
469     * it is deemed to be a fail if the entire write doesn't write all the
470     * data given. This shouldnt be a problem since the socket should have
471     * a write buffer far greater than this message to store it in should
472     * problems arise. -avalon
473     */
474     static void
475     auth_connect_callback(fde_t *fd, int error, void *data)
476     {
477     struct AuthRequest *auth = data;
478     struct irc_ssaddr us;
479     struct irc_ssaddr them;
480     char authbuf[32];
481     socklen_t ulen = sizeof(struct irc_ssaddr);
482     socklen_t tlen = sizeof(struct irc_ssaddr);
483     u_int16_t uport, tport;
484     #ifdef IPV6
485     struct sockaddr_in6 *v6;
486     #else
487     struct sockaddr_in *v4;
488     #endif
489    
490     if (error != COMM_OK)
491     {
492     auth_error(auth);
493     return;
494     }
495    
496     if (getsockname(auth->client->localClient->fd.fd, (struct sockaddr *) &us,
497     (socklen_t *) &ulen) ||
498     getpeername(auth->client->localClient->fd.fd, (struct sockaddr *) &them,
499     (socklen_t *) &tlen))
500     {
501     ilog(L_INFO, "auth get{sock,peer}name error for %s",
502     get_client_name(auth->client, SHOW_IP));
503     auth_error(auth);
504     return;
505     }
506    
507     #ifdef IPV6
508     v6 = (struct sockaddr_in6 *)&us;
509     uport = ntohs(v6->sin6_port);
510     v6 = (struct sockaddr_in6 *)&them;
511     tport = ntohs(v6->sin6_port);
512     remove_ipv6_mapping(&us);
513     remove_ipv6_mapping(&them);
514     #else
515     v4 = (struct sockaddr_in *)&us;
516     uport = ntohs(v4->sin_port);
517     v4 = (struct sockaddr_in *)&them;
518     tport = ntohs(v4->sin_port);
519     us.ss_len = ulen;
520     them.ss_len = tlen;
521     #endif
522    
523     ircsprintf(authbuf, "%u , %u\r\n", tport, uport);
524    
525     if (send(fd->fd, authbuf, strlen(authbuf), 0) == -1)
526     {
527     auth_error(auth);
528     return;
529     }
530 michael 696
531 adx 30 read_auth_reply(&auth->fd, auth);
532     }
533    
534     /*
535     * read_auth_reply - read the reply (if any) from the ident server
536     * we connected to.
537     * We only give it one shot, if the reply isn't good the first time
538     * fail the authentication entirely. --Bleep
539     */
540     #define AUTH_BUFSIZ 128
541    
542     static void
543     read_auth_reply(fde_t *fd, void *data)
544     {
545     struct AuthRequest *auth = data;
546     char *s = NULL;
547     char *t = NULL;
548     int len;
549     int count;
550     char buf[AUTH_BUFSIZ + 1]; /* buffer to read auth reply into */
551    
552 nenolod 397 /* Why?
553     * Well, recv() on many POSIX systems is a per-packet operation,
554     * and we do not necessarily want this, because on lowspec machines,
555     * the ident response may come back fragmented, thus resulting in an
556     * invalid ident response, even if the ident response was really OK.
557     *
558     * So PLEASE do not change this code to recv without being aware of the
559     * consequences.
560     *
561     * --nenolod
562     */
563     #ifndef _WIN32
564     len = read(fd->fd, buf, AUTH_BUFSIZ);
565     #else
566 adx 30 len = recv(fd->fd, buf, AUTH_BUFSIZ, 0);
567 nenolod 397 #endif
568 adx 30
569     if (len < 0)
570     {
571     #ifdef _WIN32
572     errno = WSAGetLastError();
573     #endif
574     if (ignoreErrno(errno))
575     comm_setselect(fd, COMM_SELECT_READ, read_auth_reply, auth, 0);
576     else
577     auth_error(auth);
578     return;
579     }
580    
581     if (len > 0)
582     {
583     buf[len] = '\0';
584    
585     if ((s = GetValidIdent(buf)))
586     {
587     t = auth->client->username;
588    
589     while (*s == '~' || *s == '^')
590     s++;
591    
592     for (count = USERLEN; *s && count; s++)
593     {
594     if (*s == '@')
595     break;
596     if (!IsSpace(*s) && *s != ':' && *s != '[')
597     {
598     *t++ = *s;
599     count--;
600     }
601     }
602    
603     *t = '\0';
604     }
605     }
606    
607     fd_close(fd);
608    
609     dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
610     ClearAuth(auth);
611    
612     if (s == NULL)
613     {
614     sendheader(auth->client, REPORT_FAIL_ID);
615 michael 896 ++ServerStats.is_abad;
616 adx 30 }
617     else
618     {
619     sendheader(auth->client, REPORT_FIN_ID);
620 michael 896 ++ServerStats.is_asuc;
621 adx 30 SetGotId(auth->client);
622     }
623    
624     if (!IsDNSPending(auth) && !IsCrit(auth))
625     {
626     release_auth_client(auth->client);
627     MyFree(auth);
628     }
629     }
630    
631     /*
632     * delete_auth()
633     */
634     void
635     delete_auth(struct Client *target_p)
636     {
637     dlink_node *ptr;
638     dlink_node *next_ptr;
639     struct AuthRequest *auth;
640    
641     if (!IsUnknown(target_p))
642     return;
643    
644     if (target_p->localClient->dns_query != NULL)
645     DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_dns_list.head)
646     {
647     auth = ptr->data;
648    
649     if (auth->client == target_p)
650     {
651     delete_resolver_queries(target_p->localClient->dns_query);
652 michael 696 MyFree(target_p->localClient->dns_query);
653     target_p->localClient->dns_query = NULL;
654 adx 30
655     dlinkDelete(&auth->dns_node, &auth_doing_dns_list);
656 michael 696
657 adx 30 if (!IsDoingAuth(auth))
658     {
659     MyFree(auth);
660     return;
661     }
662     }
663     }
664    
665     DLINK_FOREACH_SAFE(ptr, next_ptr, auth_doing_ident_list.head)
666     {
667     auth = ptr->data;
668    
669     if (auth->client == target_p)
670     {
671     fd_close(&auth->fd);
672    
673     dlinkDelete(&auth->ident_node, &auth_doing_ident_list);
674     MyFree(auth);
675     }
676     }
677     }

Properties

Name Value
svn:eol-style native
svn:keywords Id Revision