src/ngircd/login.c

   1 /*
   2  * ngIRCd -- The Next Generation IRC Daemon
   3  * Copyright (c)2001-2012 Alexander Barton (alex@barton.de) and Contributors.
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 2 of the License, or
   8  * (at your option) any later version.
   9  * Please read the file COPYING, README and AUTHORS for more information.
  10  */
  11
  12 #include "portab.h"
  13
  14 /**
  15  * @file
  16  * Functions to deal with client logins
  17  */
  18
  19 #include "imp.h"
  20 #include <assert.h>
  21 #include <stdlib.h>
  22 #include <string.h>
  23 #include <strings.h>
  24 #include <unistd.h>
  25
  26 #include "defines.h"
  27 #include "conn.h"
  28 #include "class.h"
  29 #include "client.h"
  30 #include "client-cap.h"
  31 #include "channel.h"
  32 #include "conf.h"
  33 #include "io.h"
  34 #include "parse.h"
  35 #include "log.h"
  36 #include "messages.h"
  37 #include "ngircd.h"
  38 #include "pam.h"
  39 #include "irc-info.h"
  40 #include "irc-write.h"
  41
  42 #include "exp.h"
  43 #include "login.h"
  44
  45 #ifdef PAM
  46 static void cb_Read_Auth_Result PARAMS((int r_fd, UNUSED short events));
  47 #endif
  48
  49 /**
  50  * Initiate client login.
  51  *
  52  * This function is called after the daemon received the required NICK and
  53  * USER commands of a new client. If the daemon is compiled with support for
  54  * PAM, the authentication sub-processs is forked; otherwise the global server
  55  * password is checked.
  56  *
  57  * @param Client The client logging in.
  58  * @returns CONNECTED or DISCONNECTED.
  59  */
  60 GLOBAL bool
  61 Login_User(CLIENT * Client)
  62 {
  63 #ifdef PAM
  64         int pipefd[2], result;
  65         pid_t pid;
  66 #endif
  67         CONN_ID conn;
  68
  69         assert(Client != NULL);
  70         conn = Client_Conn(Client);
  71
  72 #ifndef STRICT_RFC
  73         if (Conf_AuthPing) {
  74                 /* Did we receive the "auth PONG" already? */
  75                 if (Conn_GetAuthPing(conn)) {
  76                         Client_SetType(Client, CLIENT_WAITAUTHPING);
  77                         LogDebug("Connection %d: Waiting for AUTH PONG ...", conn);
  78                         return CONNECTED;
  79                 }
  80         }
  81 #endif
  82
  83         /* Still waiting for "CAP END" command? */
  84         if (Client_Cap(Client) & CLIENT_CAP_PENDING) {
  85                 Client_SetType(Client, CLIENT_WAITCAPEND);
  86                 LogDebug("Connection %d: Waiting for CAP END ...", conn);
  87                 return CONNECTED;
  88         }
  89
  90 #ifdef PAM
  91         if (!Conf_PAM) {
  92                 /* Don't do any PAM authentication at all, instead emulate
  93                  * the beahiour of the daemon compiled without PAM support:
  94                  * because there can't be any "server password", all
  95                  * passwords supplied are classified as "wrong". */
  96                 if(Client_Password(Client)[0] == '\0')
  97                         return Login_User_PostAuth(Client);
  98                 Client_Reject(Client, "Non-empty password", false);
  99                 return DISCONNECTED;
 100         }
 101
 102         if (Conf_PAMIsOptional && strcmp(Client_Password(Client), "") == 0) {
 103                 /* Clients are not required to send a password and to be PAM-
 104                  * authenticated at all. If not, they won't become "identified"
 105                  * and keep the "~" in their supplied user name.
 106                  * Therefore it is sensible to either set Conf_PAMisOptional or
 107                  * to enable IDENT lookups -- not both. */
 108                 return Login_User_PostAuth(Client);
 109         }
 110
 111         /* Fork child process for PAM authentication; and make sure that the
 112          * process timeout is set higher than the login timeout! */
 113         pid = Proc_Fork(Conn_GetProcStat(conn), pipefd,
 114                         cb_Read_Auth_Result, Conf_PongTimeout + 1);
 115         if (pid > 0) {
 116                 LogDebug("Authenticator for connection %d created (PID %d).",
 117                          conn, pid);
 118                 return CONNECTED;
 119         } else {
 120                 /* Sub process */
 121                 Log_Init_Subprocess("Auth");
 122                 Conn_CloseAllSockets(NONE);
 123                 result = PAM_Authenticate(Client);
 124                 if (write(pipefd[1], &result, sizeof(result)) != sizeof(result))
 125                         Log_Subprocess(LOG_ERR,
 126                                        "Failed to pipe result to parent!");
 127                 Log_Exit_Subprocess("Auth");
 128                 exit(0);
 129         }
 130 #else
 131         /* Check global server password ... */
 132         if (strcmp(Client_Password(Client), Conf_ServerPwd) != 0) {
 133                 /* Bad password! */
 134                 Client_Reject(Client, "Bad server password", false);
 135                 return DISCONNECTED;
 136         }
 137         return Login_User_PostAuth(Client);
 138 #endif
 139 }
 140
 141 /**
 142  * Finish client registration.
 143  *
 144  * Introduce the new client to the network and send all "hello messages"
 145  * to it after authentication has been succeeded.
 146  *
 147  * @param Client The client logging in.
 148  * @return CONNECTED or DISCONNECTED.
 149  */
 150 GLOBAL bool
 151 Login_User_PostAuth(CLIENT *Client)
 152 {
 153         assert(Client != NULL);
 154
 155         if (Class_HandleServerBans(Client) != CONNECTED)
 156                 return DISCONNECTED;
 157
 158         Client_Introduce(NULL, Client, CLIENT_USER);
 159
 160         if (!IRC_WriteStrClient
 161             (Client, RPL_WELCOME_MSG, Client_ID(Client), Client_Mask(Client)))
 162                 return false;
 163         if (!IRC_WriteStrClient
 164             (Client, RPL_YOURHOST_MSG, Client_ID(Client),
 165              Client_ID(Client_ThisServer()), PACKAGE_VERSION, TARGET_CPU,
 166              TARGET_VENDOR, TARGET_OS))
 167                 return false;
 168         if (!IRC_WriteStrClient
 169             (Client, RPL_CREATED_MSG, Client_ID(Client), NGIRCd_StartStr))
 170                 return false;
 171         if (!IRC_WriteStrClient
 172             (Client, RPL_MYINFO_MSG, Client_ID(Client),
 173              Client_ID(Client_ThisServer()), PACKAGE_VERSION, USERMODES,
 174              CHANMODES))
 175                 return false;
 176
 177         /* Features supported by this server (005 numeric, ISUPPORT),
 178          * see <http://www.irc.org/tech_docs/005.html> for details. */
 179         if (!IRC_Send_ISUPPORT(Client))
 180                 return DISCONNECTED;
 181
 182         if (!IRC_Send_LUSERS(Client))
 183                 return DISCONNECTED;
 184         if (!IRC_Show_MOTD(Client))
 185                 return DISCONNECTED;
 186
 187         /* Suspend the client for a second ... */
 188         IRC_SetPenalty(Client, 1);
 189
 190         return CONNECTED;
 191 }
 192
 193 #ifdef PAM
 194
 195 /**
 196  * Read result of the authenticatior sub-process from pipe
 197  *
 198  * @param r_fd          File descriptor of the pipe.
 199  * @param events        (ignored IO specification)
 200  */
 201 static void
 202 cb_Read_Auth_Result(int r_fd, UNUSED short events)
 203 {
 204         CONN_ID conn;
 205         CLIENT *client;
 206         int result;
 207         size_t len;
 208         PROC_STAT *proc;
 209
 210         LogDebug("Auth: Got callback on fd %d, events %d", r_fd, events);
 211         conn = Conn_GetFromProc(r_fd);
 212         if (conn == NONE) {
 213                 /* Ops, none found? Probably the connection has already
 214                  * been closed!? We'll ignore that ... */
 215                 io_close(r_fd);
 216                 LogDebug("Auth: Got callback for unknown connection!?");
 217                 return;
 218         }
 219         proc = Conn_GetProcStat(conn);
 220         client = Conn_GetClient(conn);
 221
 222         /* Read result from pipe */
 223         len = Proc_Read(proc, &result, sizeof(result));
 224         Proc_Close(proc);
 225         if (len == 0)
 226                 return;
 227
 228         if (len != sizeof(result)) {
 229                 Log(LOG_CRIT, "Auth: Got malformed result!");
 230                 Client_Reject(client, "Internal error", false);
 231                 return;
 232         }
 233
 234         if (result == true) {
 235                 Client_SetUser(client, Client_OrigUser(client), true);
 236                 (void)Login_User_PostAuth(client);
 237         } else
 238                 Client_Reject(client, "Bad password", false);
 239 }
 240
 241 #endif
 242
 243 /* -eof- */