MSG("NOTICE AUTH :*** Checking Ident\r\n"),
MSG("NOTICE AUTH :*** Got ident response\r\n"),
MSG("NOTICE AUTH :*** No ident response\r\n"),
+ MSG("NOTICE AUTH :*** \r\n"),
MSG("NOTICE AUTH :*** Your forward and reverse DNS do not match, "
"ignoring hostname.\r\n"),
MSG("NOTICE AUTH :*** Invalid hostname\r\n")
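Review bot: The added entry `MSG("NOTICE AUTH :*** \r\n")` has no text after the `***` prefix, so a client that hits the new REPORT_FAIL_IAUTH path is sent an empty notice. If the blank is deliberate, a comment such as `/* REPORT_FAIL_IAUTH: intentionally blank */` would say so; otherwise give it wording in the style of its neighbours. The table appears to be indexed by ReportType, so a short comment naming the enum value beside each entry would make the pairing with the enum hunk easy to check.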
REPORT_DO_ID,
REPORT_FIN_ID,
REPORT_FAIL_ID,
+ REPORT_FAIL_IAUTH,
REPORT_IP_MISMATCH,
REPORT_INVAL_DNS
} ReportType;
#define i_debug(iauth) ((iauth)->i_debug)
/** Active instance of IAuth. */
-struct IAuth *iauth;
+static struct IAuth *iauth;
+/** Freelist of AuthRequest structures. */
+static struct AuthRequest *auth_freelist;
static void iauth_sock_callback(struct Event *ev);
static void iauth_stderr_callback(struct Event *ev);
* destroy \a auth, clear the password, set the username, and register
* the client.
* @param[in] auth Authorization request to check.
- * @param[in] send_reports Passed to destroy_auth_request() if \a auth
- * is complete.
* @return Zero if client is kept, CPTR_KILLED if client rejected.
*/
-static int check_auth_finished(struct AuthRequest *auth, int send_reports)
+static int check_auth_finished(struct AuthRequest *auth)
{
enum AuthRequestFlag flag;
int res;
* as possible so that iauth's challenge/response (which uses PASS
* for responses) is not confused with the client's password.
*/
- if (!FlagHas(&auth->flags, AR_PASSWORD_CHECKED))
+ if (IsUserPort(auth->client)
+ && !FlagHas(&auth->flags, AR_PASSWORD_CHECKED))
{
struct ConfItem *aconf;
aconf = cli_confs(auth->client)->value.aconf;
- if (!EmptyString(aconf->passwd)
+ if (aconf
+ && !EmptyString(aconf->passwd)
&& strcmp(cli_passwd(auth->client), aconf->passwd))
{
ServerStats->is_ref++;
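Review bot: The new `aconf &&` test runs only after `cli_confs(auth->client)->value.aconf` has already dereferenced the list head, so a client with no attached conf entries would still fault on the line above it. Nothing visible in this hunk shows that the list is guaranteed non-empty at this point. If it can be empty, check `cli_confs(auth->client)` for NULL before reading `->value.aconf`; if it cannot, a one-line comment saying what guarantees that would settle it. The enclosing function starts and ends outside this hunk.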
else
FlagSet(&auth->flags, AR_IAUTH_HURRY);
- destroy_auth_request(auth, send_reports);
- if (!IsUserPort(auth->client))
- return 0;
- memset(cli_passwd(auth->client), 0, sizeof(cli_passwd(auth->client)));
- res = auth_set_username(auth);
- if (res == 0)
+ if (IsUserPort(auth->client))
+ {
+ memset(cli_passwd(auth->client), 0, sizeof(cli_passwd(auth->client)));
+ res = auth_set_username(auth);
+ if (res == 0)
res = register_user(auth->client, auth->client);
+ }
+ else
+ res = 0;
+ if (res == 0)
+ destroy_auth_request(auth);
return res;
}
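Review bot: The tail of check_auth_finished() now releases the request only when `res == 0`, and the reason is not written down. Presumably a non-zero result from auth_set_username() or register_user() means the client was already exited and its request released on that path, but that teardown is not visible here. A comment above the final test, e.g. `/* Non-zero res: client already exited; auth must not be touched. */`, would record the invariant, provided both callees really guarantee it. If either can fail without exiting the client, the request would stay attached with nothing left pending to finish it.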
if (IsUserPort(auth->client))
sendheader(auth->client, REPORT_FAIL_ID);
FlagClr(&auth->flags, AR_AUTH_PENDING);
- check_auth_finished(auth, 0);
+ check_auth_finished(auth);
}
}
}
FlagClr(&auth->flags, AR_AUTH_PENDING);
- check_auth_finished(auth, 0);
+ check_auth_finished(auth);
}
/** Handle socket I/O activity.
/** Stop an auth request completely.
* @param[in] auth The struct AuthRequest to cancel.
- * @param[in] send_reports If non-zero, report the failure to the user.
*/
-void destroy_auth_request(struct AuthRequest* auth, int send_reports)
+void destroy_auth_request(struct AuthRequest* auth)
{
Debug((DEBUG_INFO, "Deleting auth request for %p", auth->client));
- if (FlagHas(&auth->flags, AR_AUTH_PENDING)) {
- if (send_reports && IsUserPort(auth->client))
- sendheader(auth->client, REPORT_FAIL_ID);
- }
-
if (FlagHas(&auth->flags, AR_DNS_PENDING)) {
delete_resolver_queries(auth);
- if (send_reports && IsUserPort(auth->client))
- sendheader(auth->client, REPORT_FAIL_DNS);
}
if (-1 < s_fd(&auth->socket)) {
if (t_active(&auth->timeout))
timer_del(&auth->timeout);
+
cli_auth(auth->client) = NULL;
+ auth->next = auth_freelist;
+ auth_freelist = auth;
+}
+
+/** Handle a 'ping' (authorization) timeout for a client.
+ * @param[in] cptr The client whose session authorization has timed out.
+ * @return Zero if client is kept, CPTR_KILLED if client rejected.
+ */
+int auth_ping_timeout(struct Client *cptr)
+{
+ struct AuthRequest *auth;
+ enum AuthRequestFlag flag;
+
+ auth = cli_auth(cptr);
+
+ /* Check whether the auth request is gone (more likely, it never
+ * existed, as in an outbound server connection). */
+ if (!auth)
+ return exit_client_msg(cptr, cptr, &me, "Registration Timeout");
+
+ /* Check for a user-controlled timeout. */
+ for (flag = 0; flag <= AR_LAST_SCAN; ++flag) {
+ if (FlagHas(&auth->flags, flag)) {
+ /* Display message if they have sent a NICK and a USER but no
+ * nospoof PONG.
+ */
+ if (*(cli_name(cptr)) && cli_user(cptr) && *(cli_user(cptr))->username) {
+ send_reply(cptr, SND_EXPLICIT | ERR_BADPING,
+ ":Your client may not be compatible with this server.");
+ send_reply(cptr, SND_EXPLICIT | ERR_BADPING,
+ ":Compatible clients are available at %s",
+ feature_str(FEAT_URL_CLIENTS));
+ }
+ return exit_client_msg(cptr, cptr, &me, "Registration Timeout");
+ }
+ }
+
+ /* Check for iauth timeout. */
+ if (FlagHas(&auth->flags, AR_IAUTH_PENDING)) {
+ sendto_iauth(cptr, "T");
+ if (IAuthHas(iauth, IAUTH_REQUIRED)) {
+ sendheader(cptr, REPORT_FAIL_IAUTH);
+ return exit_client_msg(cptr, cptr, &me, "Authorization Timeout");
+ }
+ FlagClr(&auth->flags, AR_IAUTH_PENDING);
+ return check_auth_finished(auth);
+ }
+
+ assert(0 && "Unexpectedly reached end of auth_ping_timeout()");
+ return 0;
}
/** Timeout a given auth request.
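Review bot: The fall-through at the end of auth_ping_timeout() fails open: in a build with assertions disabled, `assert(0 && ...)` compiles to nothing and `return 0` keeps a client whose registration timer expired in a state the function did not anticipate. Ending the function with `return exit_client_msg(cptr, cptr, &me, "Registration Timeout");` after the assert keeps the debug trap and makes the release build disconnect instead. A timeout handler on the authorization path is a place where the unexpected case should reject, not admit.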
/* Report the timeout in the log. */
log_write(LS_RESOLVER, L_INFO, 0, "Registration timeout %s",
get_client_name(auth->client, HIDE_IP));
- /* Tell iauth if we will let the client on. */
- if (FlagHas(&auth->flags, AR_IAUTH_PENDING)
- && !IAuthHas(iauth, IAUTH_REQUIRED))
- {
- sendto_iauth(auth->client, "T");
- FlagClr(&auth->flags , AR_IAUTH_PENDING);
+
+ /* Notify client if ident lookup failed. */
+ if (FlagHas(&auth->flags, AR_AUTH_PENDING)) {
+ FlagClr(&auth->flags, AR_AUTH_PENDING);
+ if (IsUserPort(auth->client))
+ sendheader(auth->client, REPORT_FAIL_ID);
+ }
+
+ /* Likewise if dns lookup failed. */
+ if (FlagHas(&auth->flags, AR_DNS_PENDING)) {
+ FlagClr(&auth->flags, AR_DNS_PENDING);
+ delete_resolver_queries(auth);
+ if (IsUserPort(auth->client))
+ sendheader(auth->client, REPORT_FAIL_DNS);
}
+
/* Try to register the client. */
- check_auth_finished(auth, 1);
+ check_auth_finished(auth);
}
}
if (IsUserPort(auth->client))
sendheader(auth->client, REPORT_FAIL_DNS);
sendto_iauth(auth->client, "d");
- } else if (irc_in_addr_cmp(addr, &cli_ip(auth->client))
- && irc_in_addr_cmp(addr, &auth->original)) {
+ } else if (!irc_in_addr_valid(addr)
+ || (irc_in_addr_cmp(&cli_ip(auth->client), addr)
+ && irc_in_addr_cmp(&auth->original, addr))) {
/* IP for hostname did not match client's IP. */
sendto_opmask_butone(0, SNO_IPMISMATCH, "IP# Mismatch: %s != %s[%s]",
cli_sock_ip(auth->client), h_name,
ircd_ntoa(addr));
if (IsUserPort(auth->client))
sendheader(auth->client, REPORT_IP_MISMATCH);
- /* Clear DNS pending flag so free_client doesn't ask the resolver
- * to delete the query that just finished.
- */
if (feature_bool(FEAT_KILL_IPMISMATCH)) {
- IPcheck_disconnect(auth->client);
- Count_unknowndisconnects(UserStats);
- free_client(auth->client);
+ exit_client(auth->client, auth->client, &me, "IP mismatch");
+ return;
}
} else if (!auth_verify_hostname(h_name, HOSTLEN)) {
/* Hostname did not look valid. */
ircd_strncpy(cli_sockhost(auth->client), h_name, HOSTLEN);
sendto_iauth(auth->client, "N %s", h_name);
}
- check_auth_finished(auth, 0);
+ check_auth_finished(auth);
}
/** Flag the client to show an attempt to contact the ident server on
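Review bot: The new `exit_client(auth->client, auth->client, &me, "IP mismatch")` call is made from inside the resolver callback, and the comment this hunk deletes was the only record that AR_DNS_PENDING must be clear by then. destroy_auth_request() calls delete_resolver_queries() when that flag is still set, so if exit_client() reaches it with the flag up, the query being answered would be cancelled from within its own callback. The flag handling sits above the hunk and is not visible; assuming it is cleared there, keep a comment such as `/* AR_DNS_PENDING was cleared above, so teardown will not cancel this query. */` before the exit_client() call.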
socket_events(&(cli_socket(client)), SOCK_ACTION_SET | SOCK_EVENT_READABLE);
/* Allocate the AuthRequest. */
- auth = MyCalloc(1, sizeof(*auth));
+ auth = auth_freelist;
+ if (auth)
+ auth_freelist = auth->next;
+ else
+ auth = MyMalloc(sizeof(*auth));
assert(0 != auth);
+ memset(auth, 0, sizeof(*auth));
auth->client = client;
cli_auth(client) = auth;
s_fd(&auth->socket) = -1;
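Review bot: Recycling requests through `auth_freelist` means `memset(auth, 0, sizeof(*auth))` can wipe a structure whose embedded `socket` and `timeout` members were registered with the event engine by its previous owner. destroy_auth_request() calls timer_del() and then puts the request on the list at once; whether the engine can still deliver an event for those members afterwards is not visible here. If it can, that event would now land on another client's live request rather than on freed memory, which is harder to detect. A comment at the pop stating the invariant, e.g. `/* Entries on auth_freelist have no live timer or socket registration. */`, would help, and it is worth noting that the list is never trimmed, so it stays at the peak number of simultaneous requests.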
++ServerStats->is_abad;
if (IsUserPort(auth->client))
sendheader(auth->client, REPORT_FAIL_ID);
- IPcheck_disconnect(auth->client);
- Count_unknowndisconnects(UserStats);
- free_client(auth->client);
+ exit_client(auth->client, auth->client, &me, "Socket local/peer lookup failed");
return;
}
auth->port = remote.port;
add_client_to_list(client);
/* Check which auth events remain pending. */
- check_auth_finished(auth, 0);
+ check_auth_finished(auth);
}
/** Mark that a user has PONGed while unregistered.
":To connect, type /QUOTE PONG %u", auth->cookie);
return 0;
}
+ cli_lasttime(auth->client) = CurrentTime;
FlagClr(&auth->flags, AR_NEEDS_PONG);
- return check_auth_finished(auth, 0);
+ return check_auth_finished(auth);
}
/** Record a user's claimed username and userinfo.
* @param[in] auth Authorization request for client.
* @param[in] username Client's asserted username.
+ * @param[in] hostname Third argument of USER command (client's
+ * hostname, per RFC 1459).
+ * @param[in] servername Fourth argument of USER command (server's
+ * name, per RFC 1459).
* @param[in] userinfo Client's asserted self-description.
* @return Zero if client should be kept, CPTR_KILLED if rejected.
*/
-int auth_set_user(struct AuthRequest *auth, const char *username, const char *userinfo)
+int auth_set_user(struct AuthRequest *auth, const char *username, const char *hostname, const char *servername, const char *userinfo)
{
struct Client *cptr;
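Review bot: The new `hostname` and `servername` parameters are documented as the client's hostname and the server's name, but both are whatever the client typed in USER and nothing in view validates them. Since a later hunk forwards them to iauth in the `U %s %s %s :%s` line, the doc comment should say so, e.g. `Third argument of USER command (client-asserted, unverified)`. That keeps an iauth author from treating them as the resolved host or the real server name. The function body continues outside this hunk.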
ircd_strncpy(cli_user(cptr)->username, username, USERLEN);
ircd_strncpy(cli_user(cptr)->host, cli_sockhost(cptr), HOSTLEN);
if (IAuthHas(iauth, IAUTH_UNDERNET))
- sendto_iauth(cptr, "U %s :%s", username, userinfo);
+ sendto_iauth(cptr, "U %s %s %s :%s", username, hostname, servername, userinfo);
else if (IAuthHas(iauth, IAUTH_ADDLINFO))
sendto_iauth(cptr, "U %s", username);
- return check_auth_finished(auth, 0);
+ return check_auth_finished(auth);
}
/** Handle authorization-related aspects of initial nickname selection.
}
if (IAuthHas(iauth, IAUTH_UNDERNET))
sendto_iauth(auth->client, "n %s", nickname);
- return check_auth_finished(auth, 0);
+ return check_auth_finished(auth);
}
/** Record a user's password.
{
assert(auth != NULL);
FlagClr(&auth->flags, AR_CAP_PENDING);
- return check_auth_finished(auth, 0);
+ return check_auth_finished(auth);
}
/** Attempt to spawn the process for an IAuth instance.
/* Tack it onto the iauth sendq and try to write it. */
++iauth->i_sendM;
msgq_add(i_sendQ(iauth), mb, 0);
+ msgq_clean(mb);
iauth_write(iauth);
return 1;
}
return 0;
}
+/** Change a client's usermode.
+ * @param[in] iauth Active IAuth session.
+ * @param[in] cli Client referenced by command.
+ * @param[in] parc Number of parameters (at least one).
+ * @param[in] params Usermode arguments for client (with the first
+ * starting with '+').
+ * @return Zero.
+ */
+static int iauth_cmd_usermode(struct IAuth *iauth, struct Client *cli,
+ int parc, char **params)
+{
+ if (params[0][0] == '+')
+ {
+ set_user_mode(cli, cli, parc + 2, params - 2, ALLOWMODES_ANY);
+ }
+ return 0;
+}
+
+
/** Send a challenge string to the client.
* @param[in] iauth Active IAuth session.
* @param[in] cli Client referenced by command.
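Review bot: iauth_cmd_usermode() reads `params[0][0]` without checking `parc`, although the dispatcher calls handlers with `parc - 3` and rejects only `parc < 3`, so an `M` line with no mode argument would arrive here with `parc == 0`. Guard it with `if (parc > 0 && params[0][0] == '+')`. The call `set_user_mode(cli, cli, parc + 2, params - 2, ALLOWMODES_ANY)` also depends on the dispatcher having advanced `params` by at least two slots, and by its name ALLOWMODES_ANY places no restriction on which modes the iauth process may set. Both assumptions deserve a comment at the call, e.g. `/* params - 2 is valid because the dispatcher passed params + 3; iauth is trusted to set any mode. */`.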
case 'u': handler = iauth_cmd_username_bad; has_cli = 1; break;
case 'N': handler = iauth_cmd_hostname; has_cli = 1; break;
case 'I': handler = iauth_cmd_ip_address; has_cli = 1; break;
+ case 'M': handler = iauth_cmd_usermode; has_cli = 1; break;
case 'C': handler = iauth_cmd_challenge; has_cli = 1; break;
case 'D': handler = iauth_cmd_done_client; has_cli = 1; break;
case 'R': handler = iauth_cmd_done_account; has_cli = 1; break;
} else {
/* Try to find the client associated with the request. */
id = strtol(params[0], NULL, 10);
- if (id < 0 || id > HighestFd || !(cli = LocalClientArray[id]))
+ if (parc < 3)
+ sendto_iauth(NULL, "E Missing :Need <id> <ip> <port>");
+ else if (id < 0 || id > HighestFd || !(cli = LocalClientArray[id]))
/* Client no longer exists (or never existed). */
sendto_iauth(NULL, "E Gone :[%s %s %s]", params[0], params[1],
params[2]);
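Review bot: The added `parc < 3` test sits after `id = strtol(params[0], NULL, 10)`, so the id is still parsed before the parameter count is known to be sufficient; moving the count test above the strtol() call keeps every read of `params` behind it. With a NULL end pointer, strtol() also turns a non-numeric id into 0, which passes `id < 0 || id > HighestFd` and selects whatever `LocalClientArray[0]` holds. The address comparison that follows may catch that, but passing an end pointer and rejecting an id that is not entirely digits would close it at the source. The enclosing function starts and ends outside this hunk.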
ircd_ntoa(&cli_ip(cli)));
else if (handler(iauth, cli, parc - 3, params + 3))
/* Handler indicated a possible state change. */
- check_auth_finished(auth, 0);
+ check_auth_finished(auth);
}
}
}
send_reply(cptr, SND_EXPLICIT | RPL_STATSDEBUG, ":%s",
link->value.cp);
}
- send_reply(cptr, SND_EXPLICIT | RPL_STATSDEBUG, ":End of IAuth configuration.");
}
/** Report active iauth's statistics to \a cptr.
send_reply(cptr, SND_EXPLICIT | RPL_STATSDEBUG, ":%s",
link->value.cp);
}
- send_reply(cptr, SND_EXPLICIT | RPL_STATSDEBUG, ":End of IAuth statistics.");
}