/[svn]/ircd-hybrid/trunk/src/auth.c
ViewVC logotype

Contents of /ircd-hybrid/trunk/src/auth.c

Parent Directory Parent Directory | Revision Log Revision Log


Revision 8881 - (show annotations)
Sun Apr 14 16:03:29 2019 UTC (15 months, 3 weeks ago) by michael
File MIME type: text/x-chdr
File size: 15035 byte(s)
- Add address_compare() and make use of it in some places

1 /*
2 * ircd-hybrid: an advanced, lightweight Internet Relay Chat Daemon (ircd)
3 *
4 * Copyright (c) 1997-2019 ircd-hybrid development team
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
19 * USA
20 */
21
22 /*! \file auth.c
23 * \brief Implementation of DNS and ident lookups.
24 * \version $Id$
25 */
26
27 /*
28 * Changes:
29 * July 6, 1999 - Rewrote most of the code here. When a client connects
30 * to the server and passes initial socket validation checks, it
31 * is owned by this module (auth) which returns it to the rest of the
32 * server when dns and auth queries are finished. Until the client is
33 * released, the server does not know it exists and does not process
34 * any messages from it.
35 * --Bleep Thomas Helvey <tomh@inxpress.net>
36 */
37
38 #include "stdinc.h"
39 #include "list.h"
40 #include "ircd_defs.h"
41 #include "fdlist.h"
42 #include "auth.h"
43 #include "conf.h"
44 #include "client.h"
45 #include "event.h"
46 #include "irc_string.h"
47 #include "ircd.h"
48 #include "packet.h"
49 #include "res.h"
50 #include "s_bsd.h"
51 #include "log.h"
52 #include "send.h"
53 #include "memory.h"
54 #include "misc.h"
55
56
57 enum
58 {
59 REPORT_DO_DNS,
60 REPORT_FIN_DNS,
61 REPORT_FAIL_DNS,
62 REPORT_DO_ID,
63 REPORT_FIN_ID,
64 REPORT_FAIL_ID,
65 REPORT_IP_MISMATCH,
66 REPORT_HOST_TOOLONG,
67 REPORT_HOST_INVALID
68 };
69
70 static const char *const HeaderMessages[] =
71 {
72 [REPORT_DO_DNS] = ":*** Looking up your hostname",
73 [REPORT_FIN_DNS] = ":*** Found your hostname",
74 [REPORT_FAIL_DNS] = ":*** Couldn't look up your hostname",
75 [REPORT_DO_ID] = ":*** Checking Ident",
76 [REPORT_FIN_ID] = ":*** Got Ident response",
77 [REPORT_FAIL_ID] = ":*** No Ident response",
78 [REPORT_IP_MISMATCH] = ":*** Your forward and reverse DNS do not match, ignoring hostname",
79 [REPORT_HOST_TOOLONG] = ":*** Your hostname is too long, ignoring hostname",
80 [REPORT_HOST_INVALID] = ":*** Your hostname contains illegal characters, ignoring hostname"
81 };
82
83 #define auth_sendheader(c, i) sendto_one_notice((c), &me, "%s", HeaderMessages[(i)])
84
85 static dlink_list auth_list;
86
87
88 /*! \brief Allocate a new auth request.
89 * \param client The client being looked up.
90 * \return The newly allocated auth request.
91 */
92 static struct AuthRequest *
93 auth_make(struct Client *client)
94 {
95 struct AuthRequest *auth = xcalloc(sizeof(*auth));
96
97 auth->client = client;
98 auth->client->connection->auth = auth;
99 auth->timeout = CurrentTime + CONNECTTIMEOUT;
100
101 return auth;
102 }
103
104 /*! \brief Unlink auth request from auth_list and free memory
105 * \param auth The allocated auth request to cleanup.
106 */
107 static void
108 auth_free(struct AuthRequest *auth)
109 {
110 assert(dlinkFind(&auth_list, auth));
111 dlinkDelete(&auth->node, &auth_list);
112 assert(dlinkFind(&auth_list, auth) == NULL);
113
114 xfree(auth);
115 }
116
117 /*! \brief Release auth client from auth system. This adds the client into the
118 * local client lists so it can be read by the main io processing loop.
119 * \param auth Pointer to AuthRequest struct to release
120 */
121 static void
122 auth_release_client(struct AuthRequest *auth)
123 {
124 struct Client *client = auth->client;
125
126 assert(client);
127 assert(client->connection);
128
129 if (auth->ident_pending == true || auth->dns_pending == true)
130 return;
131
132 auth_free(auth);
133 client->connection->auth = NULL;
134
135 /*
136 * When a client has auth'ed, we want to start reading what it sends
137 * us. This is what read_packet() does.
138 * -- adrian
139 */
140 comm_setflush(client->connection->fd, 1000, flood_recalc, client);
141
142 client->connection->since = CurrentTime;
143 client->connection->lasttime = CurrentTime;
144 client->connection->firsttime = CurrentTime;
145 AddFlag(client, FLAGS_FINISHED_AUTH);
146
147 strlcpy(client->realhost, client->host, sizeof(client->realhost));
148
149 read_packet(client->connection->fd, client);
150 }
151
152 /*! Checks if a hostname is valid and doesn't contain illegal characters
153 * \param hostname The string to verify
154 * \return 1 if it is valid, 0 if it isn't
155 */
156 static bool
157 auth_verify_hostname(const char *hostname)
158 {
159 const char *p = hostname;
160
161 assert(p);
162
163 if (EmptyString(p) || *p == '.' || *p == ':')
164 return false;
165
166 for (; *p; ++p)
167 if (!IsHostChar(*p))
168 return false;
169
170 return true;
171 }
172
173 /*! \brief Handle a complete DNS lookup. Send the client on its way to a connection
174 * completion, regardless of success or failure.
175 * \param vptr The pending struct AuthRequest.
176 * \param addr IP address being resolved.
177 * \param name Resolved name, or NULL if lookup failed.
178 * \param namelength String length of the resolved hostname pointed by 'name'
179 */
180 static void
181 auth_dns_callback(void *vptr, const struct irc_ssaddr *addr, const char *name, size_t namelength)
182 {
183 struct AuthRequest *const auth = vptr;
184
185 assert(auth->client);
186 assert(auth->client->connection);
187
188 auth->dns_pending = false;
189
190 if (EmptyString(name))
191 auth_sendheader(auth->client, REPORT_FAIL_DNS);
192 else
193 {
194 if (address_compare(addr, &auth->client->ip, false) == false)
195 auth_sendheader(auth->client, REPORT_IP_MISMATCH);
196 else if (namelength > HOSTLEN)
197 auth_sendheader(auth->client, REPORT_HOST_TOOLONG);
198 else if (auth_verify_hostname(name) == false)
199 auth_sendheader(auth->client, REPORT_HOST_INVALID);
200 else
201 {
202 strlcpy(auth->client->host, name, sizeof(auth->client->host));
203 auth_sendheader(auth->client, REPORT_FIN_DNS);
204 }
205 }
206
207 auth_release_client(auth);
208 }
209
210 /*
211 * auth_error - handle auth send errors
212 */
213 static void
214 auth_error(struct AuthRequest *auth)
215 {
216 assert(auth);
217 assert(auth->fd);
218 assert(auth->client);
219 assert(auth->client->connection);
220
221 ++ServerStats.is_abad;
222
223 fd_close(auth->fd);
224 auth->fd = NULL;
225 auth->ident_pending = false;
226
227 auth_sendheader(auth->client, REPORT_FAIL_ID);
228
229 auth_release_client(auth);
230 }
231
232 /** Enum used to index ident reply fields in a human-readable way. */
233 enum IdentReplyFields
234 {
235 IDENT_PORT_NUMBERS,
236 IDENT_REPLY_TYPE,
237 IDENT_OS_TYPE,
238 IDENT_INFO,
239 USERID_TOKEN_COUNT
240 };
241
242 /** Parse an ident reply line and extract the userid from it.
243 * \param reply The ident reply line.
244 * \return The userid, or NULL on parse failure.
245 */
246 static const char *
247 auth_check_ident_reply(char *const reply)
248 {
249 char *token = NULL, *end = NULL;
250 char *vector[USERID_TOKEN_COUNT];
251 const unsigned int count = token_vector(reply, ':', vector, USERID_TOKEN_COUNT);
252
253 if (USERID_TOKEN_COUNT != count)
254 return NULL;
255
256 /*
257 * Second token is the reply type
258 */
259 token = vector[IDENT_REPLY_TYPE];
260
261 if (EmptyString(token))
262 return NULL;
263
264 while (IsSpace(*token))
265 ++token;
266
267 if (strncmp(token, "USERID", 6))
268 return NULL;
269
270 /*
271 * Third token is the os type
272 */
273 token = vector[IDENT_OS_TYPE];
274
275 if (EmptyString(token))
276 return NULL;
277
278 while (IsSpace(*token))
279 ++token;
280
281 /*
282 * Unless "OTHER" is specified as the operating system type, the server
283 * is expected to return the "normal" user identification of the owner
284 * of this connection. "Normal" in this context may be taken to mean a
285 * string of characters which uniquely identifies the connection owner
286 * such as a user identifier assigned by the system administrator and
287 * used by such user as a mail identifier, or as the "user" part of a
288 * user/password pair used to gain access to system resources. When an
289 * operating system is specified (e.g., anything but "OTHER"), the user
290 * identifier is expected to be in a more or less immediately useful
291 * form - e.g., something that could be used as an argument to "finger"
292 * or as a mail address.
293 */
294 if (strncmp(token, "OTHER", 5) == 0)
295 return NULL;
296
297 /*
298 * Fourth token is the username
299 */
300 token = vector[IDENT_INFO];
301
302 if (EmptyString(token))
303 return NULL;
304
305 while (IsSpace(*token))
306 ++token;
307
308 while (*token == '~' || *token == '^')
309 ++token;
310
311 /*
312 * Look for the end of the username, terminators are '\0, @, <SPACE>, :'
313 */
314 for (end = token; *end; ++end)
315 if (IsSpace(*end) || '@' == *end || ':' == *end)
316 break;
317 *end = '\0';
318
319 return token;
320 }
321
322 /*! \brief Read the reply (if any) from the ident server we connected to. We
323 * only give it one shot, if the reply isn't good the first time fail
324 * the authentication entirely. --Bleep
325 * \param F The socket/fd to read from.
326 * \param data The request to read.
327 */
328 static void
329 auth_read_reply(fde_t *F, void *data)
330 {
331 struct AuthRequest *const auth = data;
332 const char *username = NULL;
333 ssize_t len = 0;
334 char buf[RFC1413_BUFSIZ + 1];
335
336 assert(auth->fd == F);
337 assert(auth->client);
338 assert(auth->client->connection);
339
340 if ((len = recv(auth->fd->fd, buf, sizeof(buf) - 1, 0)) > 0)
341 {
342 buf[len] = '\0';
343 username = auth_check_ident_reply(buf);
344 }
345
346 fd_close(auth->fd);
347 auth->fd = NULL;
348 auth->ident_pending = false;
349
350 if (EmptyString(username))
351 {
352 auth_sendheader(auth->client, REPORT_FAIL_ID);
353 ++ServerStats.is_abad;
354 }
355 else
356 {
357 strlcpy(auth->client->username, username, sizeof(auth->client->username));
358 auth_sendheader(auth->client, REPORT_FIN_ID);
359 ++ServerStats.is_asuc;
360 AddFlag(auth->client, FLAGS_GOTID);
361 }
362
363 auth_release_client(auth);
364 }
365
366 /*
367 * auth_connect_callback() - deal with the result of comm_connect_tcp()
368 *
369 * If the connection failed, we simply close the auth fd and report
370 * a failure. If the connection suceeded send the ident server a query
371 * giving "theirport , ourport". The write is only attempted *once* so
372 * it is deemed to be a fail if the entire write doesn't write all the
373 * data given. This shouldnt be a problem since the socket should have
374 * a write buffer far greater than this message to store it in should
375 * problems arise. -avalon
376 */
377 static void
378 auth_connect_callback(fde_t *F, int error, void *data)
379 {
380 struct AuthRequest *const auth = data;
381 struct irc_ssaddr us;
382 struct irc_ssaddr them;
383 char authbuf[16];
384 ssize_t len = 0;
385 socklen_t ulen = sizeof(struct irc_ssaddr);
386 socklen_t tlen = sizeof(struct irc_ssaddr);
387 uint16_t uport, tport;
388 struct sockaddr_in6 *v6;
389
390 assert(auth->fd == F);
391 assert(auth->client);
392 assert(auth->client->connection);
393
394 if (error != COMM_OK)
395 {
396 auth_error(auth);
397 return;
398 }
399
400 if (getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&us, &ulen) ||
401 getpeername(auth->client->connection->fd->fd, (struct sockaddr *)&them, &tlen))
402 {
403 report_error(L_ALL, "auth get{sock,peer}name error %s:%s",
404 client_get_name(auth->client, SHOW_IP), errno);
405 auth_error(auth);
406 return;
407 }
408
409 v6 = (struct sockaddr_in6 *)&us;
410 uport = ntohs(v6->sin6_port);
411 v6 = (struct sockaddr_in6 *)&them;
412 tport = ntohs(v6->sin6_port);
413
414 len = snprintf(authbuf, sizeof(authbuf), "%u, %u\r\n", tport, uport);
415
416 if (send(F->fd, authbuf, len, 0) != len)
417 {
418 auth_error(auth);
419 return;
420 }
421
422 comm_setselect(F, COMM_SELECT_READ, auth_read_reply, auth, 0);
423 }
424
425 /*! \brief Flag the client to show an attempt to contact the ident server on
426 * the client's host. Should the connect or any later phase of the
427 * identifying process fail, it is aborted and the user is given a
428 * username of "unknown".
429 * \param auth The request for which to start the ident lookup.
430 */
431 static void
432 auth_start_query(struct AuthRequest *auth)
433 {
434 struct irc_ssaddr localaddr;
435 socklen_t locallen = sizeof(struct irc_ssaddr);
436 struct sockaddr_in6 *v6;
437
438 assert(auth->client);
439 assert(auth->client->connection);
440
441 /* Open a socket of the same type as the client socket */
442 int fd = comm_socket(auth->client->ip.ss.ss_family, SOCK_STREAM, 0);
443 if (fd == -1)
444 {
445 report_error(L_ALL, "creating auth stream socket %s:%s",
446 client_get_name(auth->client, SHOW_IP), errno);
447 ++ServerStats.is_abad;
448 return;
449 }
450
451 auth->fd = fd_open(fd, true, "ident");
452 auth->ident_pending = true;
453
454 auth_sendheader(auth->client, REPORT_DO_ID);
455
456 /*
457 * Get the local address of the client and bind to that to
458 * make the auth request.
459 */
460 memset(&localaddr, 0, locallen);
461 getsockname(auth->client->connection->fd->fd, (struct sockaddr *)&localaddr, &locallen);
462
463 remove_ipv6_mapping(&localaddr);
464 v6 = (struct sockaddr_in6 *)&localaddr;
465 v6->sin6_port = htons(0);
466
467 comm_connect_tcp(auth->fd, &auth->client->ip, RFC1413_PORT,
468 &localaddr, auth_connect_callback, auth,
469 GlobalSetOptions.ident_timeout);
470 }
471
472 /*
473 * auth_start
474 *
475 * inputs - pointer to client to auth
476 * output - NONE
477 * side effects - starts auth (identd) and dns queries for a client
478 */
479 void
480 auth_start(struct Client *client_p)
481 {
482 struct AuthRequest *auth = auth_make(client_p);
483
484 assert(client_p);
485 assert(client_p->connection);
486
487 dlinkAddTail(auth, &auth->node, &auth_list);
488
489 auth_sendheader(client_p, REPORT_DO_DNS);
490
491 auth->dns_pending = true;
492
493 if (ConfigGeneral.disable_auth == 0)
494 auth_start_query(auth);
495
496 gethost_byaddr(auth_dns_callback, auth, &client_p->ip);
497 }
498
499 /*
500 * auth_delete()
501 */
502 void
503 auth_delete(struct AuthRequest *auth)
504 {
505 assert(auth->client);
506 assert(auth->client->connection);
507
508 if (auth->ident_pending == true)
509 {
510 fd_close(auth->fd);
511 auth->fd = NULL;
512 auth->ident_pending = false;
513 }
514
515 if (auth->dns_pending == true)
516 {
517 delete_resolver_queries(auth);
518 auth->dns_pending = false;
519 }
520
521 auth_free(auth);
522 }
523
524 /*
525 * auth_timeout_queries - timeout resolver and identd requests
526 * allow clients through if requests failed
527 */
528 static void
529 auth_timeout_queries(void *notused)
530 {
531 dlink_node *node, *node_next;
532
533 DLINK_FOREACH_SAFE(node, node_next, auth_list.head)
534 {
535 struct AuthRequest *auth = node->data;
536
537 assert(auth->client);
538 assert(auth->client->connection);
539
540 if (auth->timeout > CurrentTime)
541 break;
542
543 if (auth->ident_pending == true)
544 {
545 ++ServerStats.is_abad;
546
547 fd_close(auth->fd);
548 auth->fd = NULL;
549 auth->ident_pending = false;
550
551 auth_sendheader(auth->client, REPORT_FAIL_ID);
552 }
553
554 if (auth->dns_pending == true)
555 {
556 delete_resolver_queries(auth);
557 auth->dns_pending = false;
558
559 auth_sendheader(auth->client, REPORT_FAIL_DNS);
560 }
561
562 auth_release_client(auth);
563 }
564 }
565
566 /* auth_init
567 *
568 * Initialise the auth code
569 */
570 void
571 auth_init(void)
572 {
573 static struct event timeout_auth_queries =
574 {
575 .name = "auth_timeout_queries",
576 .handler = auth_timeout_queries,
577 .when = 1
578 };
579
580 event_add(&timeout_auth_queries, NULL);
581 }

Properties

Name Value
svn:eol-style native
svn:keywords Id

svnadmin@ircd-hybrid.org
ViewVC Help
Powered by ViewVC 1.1.28