From 162433398e320c45f3c8a523814518aa6b78372e Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Sun, 27 Mar 2011 19:33:48 +0200 Subject: [PATCH 1/2] New configuration option "RequireAuthPing": PING-PONG on login When enabled, this configuration option lets ngIRCd send a PING with an numeric "token" to clients logging in; and it will not become registered in the network until the client responds with the correct PONG. This is used by QuakeNet for example (ircu/snircd), and looks like this: NICK nick :irc.example.net PING :1858979527 USER user . . :real name PONG 1858979527 :irc.example.net 001 nick :Welcome to the Internet Relay Network ... --- src/ngircd/client.h | 3 ++ src/ngircd/conf.c | 19 ++++++++-- src/ngircd/conf.h | 7 ++++ src/ngircd/conn.c | 19 ++++++++++ src/ngircd/conn.h | 8 +++++ src/ngircd/irc-login.c | 82 +++++++++++++++++++++++++++++++++++------- src/ngircd/ngircd.c | 2 ++ src/ngircd/parse.c | 2 +- 8 files changed, 126 insertions(+), 16 deletions(-) diff --git a/src/ngircd/client.h b/src/ngircd/client.h index ff4ff2ff..fecf5d97 100644 --- a/src/ngircd/client.h +++ b/src/ngircd/client.h @@ -26,6 +26,9 @@ #define CLIENT_SERVICE 64 /* client is a service */ #define CLIENT_UNKNOWNSERVER 128 /* unregistered server connection */ #define CLIENT_GOTPASS_2813 256 /* client did send PASS, RFC 2813 style */ +#ifndef STRICT_RFC +# define CLIENT_WAITAUTHPING 512 /* waiting for AUTH PONG from client */ +#endif #define CLIENT_TYPE int diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c index 32461f35..452f744f 100644 --- a/src/ngircd/conf.c +++ b/src/ngircd/conf.c @@ -353,9 +353,12 @@ Conf_Test( void ) printf(" MaxJoins = %d\n", Conf_MaxJoins > 0 ? Conf_MaxJoins : -1); printf(" MaxNickLength = %u\n", Conf_MaxNickLength - 1); printf(" CloakHost = %s\n", Conf_CloakHost); - printf(" CloakUserToNick = %s\n\n", yesno_to_str(Conf_CloakUserToNick)); + printf(" CloakUserToNick = %s\n", yesno_to_str(Conf_CloakUserToNick)); +#ifndef STRICT_RFC + printf(" RequireAuthPing = %s\n", yesno_to_str(Conf_AuthPing)); +#endif - puts("[FEATURES]"); + printf("\n[FEATURES]\n"); printf(" DNS = %s\n", yesno_to_str(Conf_DNS)); printf(" Ident = %s\n", yesno_to_str(Conf_Ident)); printf(" PAM = %s\n", yesno_to_str(Conf_PAM)); @@ -641,6 +644,11 @@ Set_Defaults(bool InitServers) Conf_SyslogFacility = 0; #endif #endif + +#ifndef STRICT_RFC + Conf_AuthPing = false; +#endif + Set_Defaults_Optional(); /* Initialize server configuration structures */ @@ -1248,6 +1256,13 @@ Handle_GLOBAL( int Line, char *Var, char *Arg ) Conf_SyslogFacility); return; } +#endif +#ifndef STRICT_RFC + if (strcasecmp(Var, "RequireAuthPing") == 0 ) { + /* Require new clients to do an "autheticatin PING-PONG" */ + Conf_AuthPing = Check_ArgIsTrue(Arg); + return; + } #endif Config_Error(LOG_ERR, "%s, line %d (section \"Global\"): Unknown variable \"%s\"!", NGIRCd_ConfFile, Line, Var); diff --git a/src/ngircd/conf.h b/src/ngircd/conf.h index 305ccaa1..a183fcec 100644 --- a/src/ngircd/conf.h +++ b/src/ngircd/conf.h @@ -199,6 +199,13 @@ GLOBAL int Conf_MaxConnectionsIP; /** Maximum length of a nick name */ GLOBAL unsigned int Conf_MaxNickLength; +#ifndef STRICT_RFC + +/** Require "AUTH PING-PONG" on login */ +GLOBAL bool Conf_AuthPing; + +#endif + #ifdef SYSLOG /* Syslog "facility" */ diff --git a/src/ngircd/conn.c b/src/ngircd/conn.c index 63093c25..275215d6 100644 --- a/src/ngircd/conn.c +++ b/src/ngircd/conn.c @@ -2283,6 +2283,25 @@ Conn_GetFromProc(int fd) } /* Conn_GetFromProc */ +#ifndef STRICT_RFC + +GLOBAL long +Conn_GetAuthPing(CONN_ID Idx) +{ + assert (Idx != NONE); + return My_Connections[Idx].auth_ping; +} /* Conn_GetAuthPing */ + +GLOBAL void +Conn_SetAuthPing(CONN_ID Idx, long ID) +{ + assert (Idx != NONE); + My_Connections[Idx].auth_ping = ID; +} /* Conn_SetAuthPing */ + +#endif + + #ifdef SSL_SUPPORT /** diff --git a/src/ngircd/conn.h b/src/ngircd/conn.h index 4228c9e4..c813729f 100644 --- a/src/ngircd/conn.h +++ b/src/ngircd/conn.h @@ -91,6 +91,9 @@ typedef struct _Connection #ifdef SSL_SUPPORT struct ConnSSL_State ssl_state; /* SSL/GNUTLS state information */ #endif +#ifndef STRICT_RFC + long auth_ping; /** PING response expected on login */ +#endif } CONNECTION; GLOBAL CONNECTION *My_Connections; @@ -132,6 +135,11 @@ GLOBAL long Conn_Count PARAMS((void)); GLOBAL long Conn_CountMax PARAMS((void)); GLOBAL long Conn_CountAccepted PARAMS((void)); +#ifndef STRICT_RFC +GLOBAL long Conn_GetAuthPing PARAMS((CONN_ID Idx)); +GLOBAL void Conn_SetAuthPing PARAMS((CONN_ID Idx, long ID)); +#endif + #ifdef DEBUG GLOBAL void Conn_DebugDump PARAMS((void)); #endif diff --git a/src/ngircd/irc-login.c b/src/ngircd/irc-login.c index 92d54ab1..2e99d66e 100644 --- a/src/ngircd/irc-login.c +++ b/src/ngircd/irc-login.c @@ -271,6 +271,17 @@ IRC_NICK( CLIENT *Client, REQUEST *Req ) /* Register new nickname of this client */ Client_SetID( target, Req->argv[0] ); +#ifndef STRICT_RFC + if (Conf_AuthPing) { + Conn_SetAuthPing(Client_Conn(Client), random()); + IRC_WriteStrClient(Client, "PING :%ld", + Conn_GetAuthPing(Client_Conn(Client))); + LogDebug("Connection %d: sent AUTH PING %ld ...", + Client_Conn(Client), + Conn_GetAuthPing(Client_Conn(Client))); + } +#endif + /* If we received a valid USER command already then * register the new client! */ if( Client_Type( Client ) == CLIENT_GOTUSER ) @@ -797,18 +808,32 @@ GLOBAL bool IRC_PONG(CLIENT *Client, REQUEST *Req) { CLIENT *target, *from; + CONN_ID conn; +#ifndef STRICT_RFC + long auth_ping; +#endif char *s; assert(Client != NULL); assert(Req != NULL); /* Wrong number of arguments? */ - if (Req->argc < 1) - return IRC_WriteStrClient(Client, ERR_NOORIGIN_MSG, - Client_ID(Client)); - if (Req->argc > 2) - return IRC_WriteStrClient(Client, ERR_NEEDMOREPARAMS_MSG, - Client_ID(Client), Req->command); + if (Req->argc < 1) { + if (Client_Type(Client) == CLIENT_USER) + return IRC_WriteStrClient(Client, ERR_NOORIGIN_MSG, + Client_ID(Client)); + else + return CONNECTED; + } + if (Req->argc > 2) { + if (Client_Type(Client) == CLIENT_USER) + return IRC_WriteStrClient(Client, + ERR_NEEDMOREPARAMS_MSG, + Client_ID(Client), + Req->command); + else + return CONNECTED; + } /* Forward? */ if (Req->argc == 2 && Client_Type(Client) == CLIENT_SERVER) { @@ -837,15 +862,35 @@ IRC_PONG(CLIENT *Client, REQUEST *Req) /* The connection timestamp has already been updated when the data has * been read from so socket, so we don't need to update it here. */ + + conn = Client_Conn(Client); + +#ifndef STRICT_RFC + /* Check authentication PING-PONG ... */ + auth_ping = Conn_GetAuthPing(conn); + if (auth_ping) { + LogDebug("AUTH PONG: waiting for token \"%ld\", got \"%s\" ...", + auth_ping, Req->argv[0]); + if (auth_ping == atoi(Req->argv[0])) { + Conn_SetAuthPing(conn, 0); + if (Client_Type(Client) == CLIENT_WAITAUTHPING) + Hello_User(Client); + } else + if (!IRC_WriteStrClient(Client, + "To connect, type /QUOTE PONG %ld", + auth_ping)) + return DISCONNECTED; + } +#endif + #ifdef DEBUG - if (Client_Conn(Client) > NONE) + if (conn > NONE) Log(LOG_DEBUG, - "Connection %d: received PONG. Lag: %ld seconds.", - Client_Conn(Client), + "Connection %d: received PONG. Lag: %ld seconds.", conn, time(NULL) - Conn_LastPing(Client_Conn(Client))); else Log(LOG_DEBUG, - "Connection %d: received PONG.", Client_Conn(Client)); + "Connection %d: received PONG.", conn); #endif return CONNECTED; } /* IRC_PONG */ @@ -867,12 +912,25 @@ Hello_User(CLIENT * Client) { #ifdef PAM int pipefd[2], result; - CONN_ID conn; pid_t pid; +#endif + CONN_ID conn; assert(Client != NULL); conn = Client_Conn(Client); +#ifndef STRICT_RFC + if (Conf_AuthPing) { + /* Did we receive the "auth PONG" already? */ + if (Conn_GetAuthPing(conn)) { + Client_SetType(Client, CLIENT_WAITAUTHPING); + LogDebug("Connection %d: Waiting for AUTH PONG ...", conn); + return CONNECTED; + } + } +#endif + +#ifdef PAM if (!Conf_PAM) { /* Don't do any PAM authentication at all, instead emulate * the beahiour of the daemon compiled without PAM support: @@ -903,8 +961,6 @@ Hello_User(CLIENT * Client) exit(0); } #else - assert(Client != NULL); - /* Check global server password ... */ if (strcmp(Client_Password(Client), Conf_ServerPwd) != 0) { /* Bad password! */ diff --git a/src/ngircd/ngircd.c b/src/ngircd/ngircd.c index 4b49ec6c..74a99880 100644 --- a/src/ngircd/ngircd.c +++ b/src/ngircd/ngircd.c @@ -289,6 +289,8 @@ main( int argc, const char *argv[] ) exit(1); } + srandom(getpid()); + /* Create protocol and server identification. The syntax * used by ngIRCd in PASS commands and the known "extended * flags" are described in doc/Protocol.txt. */ diff --git a/src/ngircd/parse.c b/src/ngircd/parse.c index 31f048cf..8f5e6019 100644 --- a/src/ngircd/parse.c +++ b/src/ngircd/parse.c @@ -82,7 +82,7 @@ static COMMAND My_Commands[] = { "PART", IRC_PART, CLIENT_USER|CLIENT_SERVER, 0, 0, 0 }, { "PASS", IRC_PASS, 0xFFFF, 0, 0, 0 }, { "PING", IRC_PING, CLIENT_USER|CLIENT_SERVER, 0, 0, 0 }, - { "PONG", IRC_PONG, CLIENT_USER|CLIENT_SERVER, 0, 0, 0 }, + { "PONG", IRC_PONG, 0xFFFF, 0, 0, 0 }, { "PRIVMSG", IRC_PRIVMSG, CLIENT_USER|CLIENT_SERVER, 0, 0, 0 }, { "QUIT", IRC_QUIT, 0xFFFF, 0, 0, 0 }, { "REHASH", IRC_REHASH, CLIENT_USER, 0, 0, 0 }, From fc0b0261496d2251e9917da96d5741da771f4bc1 Mon Sep 17 00:00:00 2001 From: Alexander Barton Date: Sun, 27 Mar 2011 20:34:44 +0200 Subject: [PATCH 2/2] Add documentation for "RequireAuthPing" configuration option --- doc/sample-ngircd.conf.tmpl | 5 +++++ man/ngircd.conf.5.tmpl | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl index e07b5205..6e02048f 100644 --- a/doc/sample-ngircd.conf.tmpl +++ b/doc/sample-ngircd.conf.tmpl @@ -154,6 +154,11 @@ # maximum nick name length! ;MaxNickLength = 9 + # Let ngIRCd send an "authentication PING" when a new client connects, + # and register this client only after receiving the corresponding + # "PONG" reply. + ;RequireAuthPing = no + # Set this hostname for every client instead of the real one. # Please note: don't use the percentage sign ("%"), it is reserved for # future extensions! diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl index e53cf3cc..bcdad1f8 100644 --- a/man/ngircd.conf.5.tmpl +++ b/man/ngircd.conf.5.tmpl @@ -251,6 +251,11 @@ Maximum length of an user nick name (Default: 9, as in RFC 2812). Please note that all servers in an IRC network MUST use the same maximum nick name length! .TP +\fBRequireAuthPing\fR +Let ngIRCd send an "authentication PING" when a new client connects, and +register this client only after receiving the corresponding "PONG" reply. +Default: no. +.TP \fBCloakHost\fR Set this hostname for every client instead of the real one. Default: empty, don't change.