/[svn]/ircd-hybrid/trunk/src/auth.c
ViewVC logotype

Contents of /ircd-hybrid/trunk/src/auth.c

Parent Directory Parent Directory | Revision Log Revision Log


Revision 8872 - (show annotations)
Sat Feb 16 21:49:34 2019 UTC (19 months ago) by michael
File MIME type: text/x-chdr
File size: 15707 byte(s)
- Cleanup server connecting related code even further
- Make comm_connect_tcp() take less arguments and remove unused dns resolving functionality

1 /*
2 * ircd-hybrid: an advanced, lightweight Internet Relay Chat Daemon (ircd)
3 *
4 * Copyright (c) 1997-2019 ircd-hybrid development team
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
19 * USA
20 */
21
22 /*! \file auth.c
23 * \brief Implementation of DNS and ident lookups.
24 * \version $Id$
25 */
26
27 /*
28 * Changes:
29 * July 6, 1999 - Rewrote most of the code here. When a client connects
30 * to the server and passes initial socket validation checks, it
31 * is owned by this module (auth) which returns it to the rest of the
32 * server when dns and auth queries are finished. Until the client is
33 * released, the server does not know it exists and does not process
34 * any messages from it.
35 * --Bleep Thomas Helvey <tomh@inxpress.net>
36 */
37
38 #include "stdinc.h"
39 #include "list.h"
40 #include "ircd_defs.h"
41 #include "fdlist.h"
42 #include "auth.h"
43 #include "conf.h"
44 #include "client.h"
45 #include "event.h"
46 #include "irc_string.h"
47 #include "ircd.h"
48 #include "packet.h"
49 #include "res.h"
50 #include "s_bsd.h"
51 #include "log.h"
52 #include "send.h"
53 #include "memory.h"
54
55
56 enum
57 {
58 REPORT_DO_DNS,
59 REPORT_FIN_DNS,
60 REPORT_FAIL_DNS,
61 REPORT_DO_ID,
62 REPORT_FIN_ID,
63 REPORT_FAIL_ID,
64 REPORT_IP_MISMATCH,
65 REPORT_HOST_TOOLONG,
66 REPORT_HOST_INVALID
67 };
68
69 static const char *const HeaderMessages[] =
70 {
71 [REPORT_DO_DNS] = ":*** Looking up your hostname",
72 [REPORT_FIN_DNS] = ":*** Found your hostname",
73 [REPORT_FAIL_DNS] = ":*** Couldn't look up your hostname",
74 [REPORT_DO_ID] = ":*** Checking Ident",
75 [REPORT_FIN_ID] = ":*** Got Ident response",
76 [REPORT_FAIL_ID] = ":*** No Ident response",
77 [REPORT_IP_MISMATCH] = ":*** Your forward and reverse DNS do not match, ignoring hostname",
78 [REPORT_HOST_TOOLONG] = ":*** Your hostname is too long, ignoring hostname",
79 [REPORT_HOST_INVALID] = ":*** Your hostname contains illegal characters, ignoring hostname"
80 };
81
82 #define auth_sendheader(c, i) sendto_one_notice((c), &me, "%s", HeaderMessages[(i)])
83
84 static dlink_list auth_list;
85
86
87 /*! \brief Allocate a new auth request.
88 * \param client The client being looked up.
89 * \return The newly allocated auth request.
90 */
91 static struct AuthRequest *
92 auth_make(struct Client *client)
93 {
94 struct AuthRequest *auth = xcalloc(sizeof(*auth));
95
96 auth->client = client;
97 auth->client->connection->auth = auth;
98 auth->timeout = CurrentTime + CONNECTTIMEOUT;
99
100 return auth;
101 }
102
103 /*! \brief Unlink auth request from auth_list and free memory
104 * \param auth The allocated auth request to cleanup.
105 */
106 static void
107 auth_free(struct AuthRequest *auth)
108 {
109 assert(dlinkFind(&auth_list, auth));
110 dlinkDelete(&auth->node, &auth_list);
111 assert(dlinkFind(&auth_list, auth) == NULL);
112
113 xfree(auth);
114 }
115
116 /*! \brief Release auth client from auth system. This adds the client into the
117 * local client lists so it can be read by the main io processing loop.
118 * \param auth Pointer to AuthRequest struct to release
119 */
120 static void
121 auth_release_client(struct AuthRequest *auth)
122 {
123 struct Client *client = auth->client;
124
125 assert(client);
126 assert(client->connection);
127
128 if (auth->ident_pending == true || auth->dns_pending == true)
129 return;
130
131 auth_free(auth);
132 client->connection->auth = NULL;
133
134 /*
135 * When a client has auth'ed, we want to start reading what it sends
136 * us. This is what read_packet() does.
137 * -- adrian
138 */
139 comm_setflush(client->connection->fd, 1000, flood_recalc, client);
140
141 client->connection->since = CurrentTime;
142 client->connection->lasttime = CurrentTime;
143 client->connection->firsttime = CurrentTime;
144 AddFlag(client, FLAGS_FINISHED_AUTH);
145
146 strlcpy(client->realhost, client->host, sizeof(client->realhost));
147
148 read_packet(client->connection->fd, client);
149 }
150
151 /*! Checks if a hostname is valid and doesn't contain illegal characters
152 * \param hostname The string to verify
153 * \return 1 if it is valid, 0 if it isn't
154 */
155 static bool
156 auth_verify_hostname(const char *hostname)
157 {
158 const char *p = hostname;
159
160 assert(p);
161
162 if (EmptyString(p) || *p == '.' || *p == ':')
163 return false;
164
165 for (; *p; ++p)
166 if (!IsHostChar(*p))
167 return false;
168
169 return true;
170 }
171
172 /*! \brief Handle a complete DNS lookup. Send the client on its way to a connection
173 * completion, regardless of success or failure.
174 * \param vptr The pending struct AuthRequest.
175 * \param addr IP address being resolved.
176 * \param name Resolved name, or NULL if lookup failed.
177 * \param namelength String length of the resolved hostname pointed by 'name'
178 */
179 static void
180 auth_dns_callback(void *vptr, const struct irc_ssaddr *addr, const char *name, size_t namelength)
181 {
182 struct AuthRequest *const auth = vptr;
183
184 assert(auth->client);
185 assert(auth->client->connection);
186
187 auth->dns_pending = false;
188
189 if (EmptyString(name))
190 auth_sendheader(auth->client, REPORT_FAIL_DNS);
191 else
192 {
193 if (auth->client->ip.ss.ss_family == AF_INET6)
194 {
195 const struct sockaddr_in6 *const v6 = (const struct sockaddr_in6 *)&auth->client->ip;
196 const struct sockaddr_in6 *const v6dns = (const struct sockaddr_in6 *)addr;
197
198 if (memcmp(&v6->sin6_addr, &v6dns->sin6_addr, sizeof(struct in6_addr)))
199 {
200 auth_sendheader(auth->client, REPORT_IP_MISMATCH);
201 auth_release_client(auth);
202 return;
203 }
204 }
205 else
206 {
207 const struct sockaddr_in *const v4 = (const struct sockaddr_in *)&auth->client->ip;
208 const struct sockaddr_in *const v4dns = (const struct sockaddr_in *)addr;
209
210 if (v4->sin_addr.s_addr != v4dns->sin_addr.s_addr)
211 {
212 auth_sendheader(auth->client, REPORT_IP_MISMATCH);
213 auth_release_client(auth);
214 return;
215 }
216 }
217
218 if (namelength > HOSTLEN)
219 auth_sendheader(auth->client, REPORT_HOST_TOOLONG);
220 else if (auth_verify_hostname(name) == false)
221 auth_sendheader(auth->client, REPORT_HOST_INVALID);
222 else
223 {
224 strlcpy(auth->client->host, name, sizeof(auth->client->host));
225 auth_sendheader(auth->client, REPORT_FIN_DNS);
226 }
227 }
228
229 auth_release_client(auth);
230 }
231
232 /*
233 * auth_error - handle auth send errors
234 */
235 static void
236 auth_error(struct AuthRequest *auth)
237 {
238 assert(auth);
239 assert(auth->fd);
240 assert(auth->client);
241 assert(auth->client->connection);
242
243 ++ServerStats.is_abad;
244
245 fd_close(auth->fd);
246 auth->fd = NULL;
247 auth->ident_pending = false;
248
249 auth_sendheader(auth->client, REPORT_FAIL_ID);
250
251 auth_release_client(auth);
252 }
253
254 /** Enum used to index ident reply fields in a human-readable way. */
255 enum IdentReplyFields
256 {
257 IDENT_PORT_NUMBERS,
258 IDENT_REPLY_TYPE,
259 IDENT_OS_TYPE,
260 IDENT_INFO,
261 USERID_TOKEN_COUNT
262 };
263
264 /** Parse an ident reply line and extract the userid from it.
265 * \param reply The ident reply line.
266 * \return The userid, or NULL on parse failure.
267 */
268 static const char *
269 auth_check_ident_reply(char *const reply)
270 {
271 char *token = NULL, *end = NULL;
272 char *vector[USERID_TOKEN_COUNT];
273 const unsigned int count = token_vector(reply, ':', vector, USERID_TOKEN_COUNT);
274
275 if (USERID_TOKEN_COUNT != count)
276 return NULL;
277
278 /*
279 * Second token is the reply type
280 */
281 token = vector[IDENT_REPLY_TYPE];
282
283 if (EmptyString(token))
284 return NULL;
285
286 while (IsSpace(*token))
287 ++token;
288
289 if (strncmp(token, "USERID", 6))
290 return NULL;
291
292 /*
293 * Third token is the os type
294 */
295 token = vector[IDENT_OS_TYPE];
296
297 if (EmptyString(token))
298 return NULL;
299
300 while (IsSpace(*token))
301 ++token;
302
303 /*
304 * Unless "OTHER" is specified as the operating system type, the server
305 * is expected to return the "normal" user identification of the owner
306 * of this connection. "Normal" in this context may be taken to mean a
307 * string of characters which uniquely identifies the connection owner
308 * such as a user identifier assigned by the system administrator and
309 * used by such user as a mail identifier, or as the "user" part of a
310 * user/password pair used to gain access to system resources. When an
311 * operating system is specified (e.g., anything but "OTHER"), the user
312 * identifier is expected to be in a more or less immediately useful
313 * form - e.g., something that could be used as an argument to "finger"
314 * or as a mail address.
315 */
316 if (strncmp(token, "OTHER", 5) == 0)
317 return NULL;
318
319 /*
320 * Fourth token is the username
321 */
322 token = vector[IDENT_INFO];
323
324 if (EmptyString(token))
325 return NULL;
326
327 while (IsSpace(*token))
328 ++token;
329
330 while (*token == '~' || *token == '^')
331 ++token;
332
333 /*
334 * Look for the end of the username, terminators are '\0, @, <SPACE>, :'
335 */
336 for (end = token; *end; ++end)
337 if (IsSpace(*end) || '@' == *end || ':' == *end)
338 break;
339 *end = '\0';
340
341 return token;
342 }
343
344 /*! \brief Read the reply (if any) from the ident server we connected to. We
345 * only give it one shot, if the reply isn't good the first time fail
346 * the authentication entirely. --Bleep
347 * \param F The socket/fd to read from.
348 * \param data The request to read.
349 */
350 static void
351 auth_read_reply(fde_t *F, void *data)
352 {
353 struct AuthRequest *const auth = data;
354 const char *username = NULL;
355 ssize_t len = 0;
356 char buf[RFC1413_BUFSIZ + 1];
357
358 assert(auth->fd == F);
359 assert(auth->client);
360 assert(auth->client->connection);
361
362 if ((len = recv(auth->fd->fd, buf, sizeof(buf) - 1, 0)) > 0)
363 {
364 buf[len] = '\0';
365 username = auth_check_ident_reply(buf);
366 }
367
368 fd_close(auth->fd);
369 auth->fd = NULL;
370 auth->ident_pending = false;
371
372 if (EmptyString(username))
373 {
374 auth_sendheader(auth->client, REPORT_FAIL_ID);
375 ++ServerStats.is_abad;
376 }
377 else
378 {
379 strlcpy(auth->client->username, username, sizeof(auth->client->username));
380 auth_sendheader(auth->client, REPORT_FIN_ID);
381 ++ServerStats.is_asuc;
382 AddFlag(auth->client, FLAGS_GOTID);
383 }
384
385 auth_release_client(auth);
386 }
387
388 /*
389 * auth_connect_callback() - deal with the result of comm_connect_tcp()
390 *
391 * If the connection failed, we simply close the auth fd and report
392 * a failure. If the connection suceeded send the ident server a query
393 * giving "theirport , ourport". The write is only attempted *once* so
394 * it is deemed to be a fail if the entire write doesn't write all the
395 * data given. This shouldnt be a problem since the socket should have
396 * a write buffer far greater than this message to store it in should
397 * problems arise. -avalon
398 */
399 static void
400 auth_connect_callback(fde_t *F, int error, void *data)
401 {
402 struct AuthRequest *const auth = data;
403 struct irc_ssaddr us;
404 struct irc_ssaddr them;
405 char authbuf[16];
406 ssize_t len = 0;
407 socklen_t ulen = sizeof(struct irc_ssaddr);
408 socklen_t tlen = sizeof(struct irc_ssaddr);
409 uint16_t uport, tport;
410 struct sockaddr_in6 *v6;
411
412 assert(auth->fd == F);
413 assert(auth->client);
414 assert(auth->client->connection);
415
416 if (error != COMM_OK)
417 {
418 auth_error(auth);
419 return;
420 }
421
422 if (getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&us, &ulen) ||
423 getpeername(auth->client->connection->fd->fd, (struct sockaddr *)&them, &tlen))
424 {
425 report_error(L_ALL, "auth get{sock,peer}name error %s:%s",
426 client_get_name(auth->client, SHOW_IP), errno);
427 auth_error(auth);
428 return;
429 }
430
431 v6 = (struct sockaddr_in6 *)&us;
432 uport = ntohs(v6->sin6_port);
433 v6 = (struct sockaddr_in6 *)&them;
434 tport = ntohs(v6->sin6_port);
435
436 len = snprintf(authbuf, sizeof(authbuf), "%u, %u\r\n", tport, uport);
437
438 if (send(F->fd, authbuf, len, 0) != len)
439 {
440 auth_error(auth);
441 return;
442 }
443
444 comm_setselect(F, COMM_SELECT_READ, auth_read_reply, auth, 0);
445 }
446
447 /*! \brief Flag the client to show an attempt to contact the ident server on
448 * the client's host. Should the connect or any later phase of the
449 * identifying process fail, it is aborted and the user is given a
450 * username of "unknown".
451 * \param auth The request for which to start the ident lookup.
452 */
453 static void
454 auth_start_query(struct AuthRequest *auth)
455 {
456 struct irc_ssaddr localaddr;
457 socklen_t locallen = sizeof(struct irc_ssaddr);
458 struct sockaddr_in6 *v6;
459
460 assert(auth->client);
461 assert(auth->client->connection);
462
463 /* Open a socket of the same type as the client socket */
464 int fd = comm_socket(auth->client->ip.ss.ss_family, SOCK_STREAM, 0);
465 if (fd == -1)
466 {
467 report_error(L_ALL, "creating auth stream socket %s:%s",
468 client_get_name(auth->client, SHOW_IP), errno);
469 ++ServerStats.is_abad;
470 return;
471 }
472
473 auth->fd = fd_open(fd, true, "ident");
474 auth->ident_pending = true;
475
476 auth_sendheader(auth->client, REPORT_DO_ID);
477
478 /*
479 * Get the local address of the client and bind to that to
480 * make the auth request.
481 */
482 memset(&localaddr, 0, locallen);
483 getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&localaddr, &locallen);
484
485 remove_ipv6_mapping(&localaddr);
486 v6 = (struct sockaddr_in6 *)&localaddr;
487 v6->sin6_port = htons(0);
488
489 comm_connect_tcp(auth->fd, &auth->client->ip, RFC1413_PORT,
490 &localaddr, auth_connect_callback, auth,
491 GlobalSetOptions.ident_timeout);
492 }
493
494 /*
495 * auth_start
496 *
497 * inputs - pointer to client to auth
498 * output - NONE
499 * side effects - starts auth (identd) and dns queries for a client
500 */
501 void
502 auth_start(struct Client *client_p)
503 {
504 struct AuthRequest *auth = auth_make(client_p);
505
506 assert(client_p);
507 assert(client_p->connection);
508
509 dlinkAddTail(auth, &auth->node, &auth_list);
510
511 auth_sendheader(client_p, REPORT_DO_DNS);
512
513 auth->dns_pending = true;
514
515 if (ConfigGeneral.disable_auth == 0)
516 auth_start_query(auth);
517
518 gethost_byaddr(auth_dns_callback, auth, &client_p->ip);
519 }
520
521 /*
522 * auth_delete()
523 */
524 void
525 auth_delete(struct AuthRequest *auth)
526 {
527 assert(auth->client);
528 assert(auth->client->connection);
529
530 if (auth->ident_pending == true)
531 {
532 fd_close(auth->fd);
533 auth->fd = NULL;
534 auth->ident_pending = false;
535 }
536
537 if (auth->dns_pending == true)
538 {
539 delete_resolver_queries(auth);
540 auth->dns_pending = false;
541 }
542
543 auth_free(auth);
544 }
545
546 /*
547 * auth_timeout_queries - timeout resolver and identd requests
548 * allow clients through if requests failed
549 */
550 static void
551 auth_timeout_queries(void *notused)
552 {
553 dlink_node *node, *node_next;
554
555 DLINK_FOREACH_SAFE(node, node_next, auth_list.head)
556 {
557 struct AuthRequest *auth = node->data;
558
559 assert(auth->client);
560 assert(auth->client->connection);
561
562 if (auth->timeout > CurrentTime)
563 break;
564
565 if (auth->ident_pending == true)
566 {
567 ++ServerStats.is_abad;
568
569 fd_close(auth->fd);
570 auth->fd = NULL;
571 auth->ident_pending = false;
572
573 auth_sendheader(auth->client, REPORT_FAIL_ID);
574 }
575
576 if (auth->dns_pending == true)
577 {
578 delete_resolver_queries(auth);
579 auth->dns_pending = false;
580
581 auth_sendheader(auth->client, REPORT_FAIL_DNS);
582 }
583
584 auth_release_client(auth);
585 }
586 }
587
588 /* auth_init
589 *
590 * Initialise the auth code
591 */
592 void
593 auth_init(void)
594 {
595 static struct event timeout_auth_queries =
596 {
597 .name = "auth_timeout_queries",
598 .handler = auth_timeout_queries,
599 .when = 1
600 };
601
602 event_add(&timeout_auth_queries, NULL);
603 }

Properties

Name Value
svn:eol-style native
svn:keywords Id

svnadmin@ircd-hybrid.org
ViewVC Help
Powered by ViewVC 1.1.28