modules/metadata/mod_ident.c

   1 /* Licensed to the Apache Software Foundation (ASF) under one or more
   2  * contributor license agreements.  See the NOTICE file distributed with
   3  * this work for additional information regarding copyright ownership.
   4  * The ASF licenses this file to You under the Apache License, Version 2.0
   5  * (the "License"); you may not use this file except in compliance with
   6  * the License.  You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /*
  18  * mod_ident: Handle RFC 1413 ident request
  19  * obtained from rfc1413.c
  20  *
  21  * rfc1413() speaks a common subset of the RFC 1413, AUTH, TAP and IDENT
  22  * protocols. The code queries an RFC 1413 etc. compatible daemon on a remote
  23  * host to look up the owner of a connection. The information should not be
  24  * used for authentication purposes. This routine intercepts alarm signals.
  25  *
  26  * Author: Wietse Venema, Eindhoven University of Technology,
  27  * The Netherlands.
  28  */
  29
  30 /* Some small additions for Apache --- ditch the "sccsid" var if
  31  * compiling with gcc (it *has* changed), include ap_config.h for the
  32  * prototypes it defines on at least one system (SunlOSs) which has
  33  * them missing from the standard header files, and one minor change
  34  * below (extra parens around assign "if (foo = bar) ..." to shut up
  35  * gcc -Wall).
  36  */
  37
  38 /* Rewritten by David Robinson */
  39
  40 #include "apr.h"
  41 #include "apr_network_io.h"
  42 #include "apr_strings.h"
  43 #include "apr_optional.h"
  44
  45 #define APR_WANT_STDIO
  46 #define APR_WANT_STRFUNC
  47 #include "apr_want.h"
  48
  49 #include "httpd.h"              /* for server_rec, conn_rec, etc. */
  50 #include "http_config.h"
  51 #include "http_core.h"
  52 #include "http_log.h"           /* for aplog_error */
  53 #include "util_ebcdic.h"
  54
  55 /* Whether we should enable rfc1413 identity checking */
  56 #ifndef DEFAULT_RFC1413
  57 #define DEFAULT_RFC1413    0
  58 #endif
  59
  60 #define RFC1413_UNSET 2
  61
  62 /* request timeout (sec) */
  63 #ifndef RFC1413_TIMEOUT
  64 #define RFC1413_TIMEOUT   30
  65 #endif
  66
  67 /* Local stuff. */
  68
  69 /* Semi-well-known port */
  70 #define RFC1413_PORT     113
  71
  72 /* maximum allowed length of userid */
  73 #define RFC1413_USERLEN  512
  74
  75 /* rough limit on the amount of data we accept. */
  76 #define RFC1413_MAXDATA 1000
  77
  78 /* default username, if it could not determined */
  79 #define FROM_UNKNOWN  "unknown"
  80
  81 typedef struct {
  82     int do_rfc1413;
  83     int timeout_unset;
  84     apr_time_t timeout;
  85 } ident_config_rec;
  86
  87 static apr_status_t rfc1413_connect(apr_socket_t **newsock, conn_rec *conn,
  88                                     server_rec *srv, apr_time_t timeout)
  89 {
  90     apr_status_t rv;
  91     apr_sockaddr_t *localsa, *destsa;
  92
  93     if ((rv = apr_sockaddr_info_get(&localsa, conn->local_ip, APR_UNSPEC,
  94                               0, /* ephemeral port */
  95                               0, conn->pool)) != APR_SUCCESS) {
  96         /* This should not fail since we have a numeric address string
  97          * as the host. */
  98         ap_log_error(APLOG_MARK, APLOG_CRIT, rv, srv,
  99                      "rfc1413: apr_sockaddr_info_get(%s) failed",
 100                      conn->local_ip);
 101         return rv;
 102     }
 103
 104     if ((rv = apr_sockaddr_info_get(&destsa, conn->remote_ip,
 105                               localsa->family, /* has to match */
 106                               RFC1413_PORT, 0, conn->pool)) != APR_SUCCESS) {
 107         /* This should not fail since we have a numeric address string
 108          * as the host. */
 109         ap_log_error(APLOG_MARK, APLOG_CRIT, rv, srv,
 110                      "rfc1413: apr_sockaddr_info_get(%s) failed",
 111                      conn->remote_ip);
 112         return rv;
 113     }
 114
 115     if ((rv = apr_socket_create(newsock,
 116                                 localsa->family, /* has to match */
 117                                 SOCK_STREAM, 0, conn->pool)) != APR_SUCCESS) {
 118         ap_log_error(APLOG_MARK, APLOG_CRIT, rv, srv,
 119                      "rfc1413: error creating query socket");
 120         return rv;
 121     }
 122
 123     if ((rv = apr_socket_timeout_set(*newsock, timeout)) != APR_SUCCESS) {
 124         ap_log_error(APLOG_MARK, APLOG_CRIT, rv, srv,
 125                      "rfc1413: error setting query socket timeout");
 126         apr_socket_close(*newsock);
 127         return rv;
 128     }
 129
 130 /*
 131  * Bind the local and remote ends of the query socket to the same
 132  * IP addresses as the connection under investigation. We go
 133  * through all this trouble because the local or remote system
 134  * might have more than one network address. The RFC1413 etc.
 135  * client sends only port numbers; the server takes the IP
 136  * addresses from the query socket.
 137  */
 138
 139     if ((rv = apr_socket_bind(*newsock, localsa)) != APR_SUCCESS) {
 140         ap_log_error(APLOG_MARK, APLOG_CRIT, rv, srv,
 141                      "rfc1413: Error binding query socket to local port");
 142         apr_socket_close(*newsock);
 143         return rv;
 144     }
 145
 146 /*
 147  * errors from connect usually imply the remote machine doesn't support
 148  * the service; don't log such an error
 149  */
 150     if ((rv = apr_socket_connect(*newsock, destsa)) != APR_SUCCESS) {
 151         apr_socket_close(*newsock);
 152         return rv;
 153     }
 154
 155     return APR_SUCCESS;
 156 }
 157
 158 static apr_status_t rfc1413_query(apr_socket_t *sock, conn_rec *conn,
 159                                   server_rec *srv)
 160 {
 161     apr_port_t rmt_port, our_port;
 162     apr_port_t sav_rmt_port, sav_our_port;
 163     apr_size_t i;
 164     char *cp;
 165     char buffer[RFC1413_MAXDATA + 1];
 166     char user[RFC1413_USERLEN + 1];     /* XXX */
 167     apr_size_t buflen;
 168
 169     sav_our_port = conn->local_addr->port;
 170     sav_rmt_port = conn->remote_addr->port;
 171
 172     /* send the data */
 173     buflen = apr_snprintf(buffer, sizeof(buffer), "%hu,%hu\r\n", sav_rmt_port,
 174                           sav_our_port);
 175     ap_xlate_proto_to_ascii(buffer, buflen);
 176
 177     /* send query to server. Handle short write. */
 178     i = 0;
 179     while (i < buflen) {
 180         apr_size_t j = strlen(buffer + i);
 181         apr_status_t status;
 182         status  = apr_socket_send(sock, buffer+i, &j);
 183         if (status != APR_SUCCESS) {
 184             ap_log_error(APLOG_MARK, APLOG_CRIT, status, srv,
 185                          "write: rfc1413: error sending request");
 186             return status;
 187         }
 188         else if (j > 0) {
 189             i+=j;
 190         }
 191     }
 192
 193     /*
 194      * Read response from server. - the response should be newline
 195      * terminated according to rfc - make sure it doesn't stomp its
 196      * way out of the buffer.
 197      */
 198
 199     i = 0;
 200     memset(buffer, '\0', sizeof(buffer));
 201     /*
 202      * Note that the strchr function below checks for \012 instead of '\n'
 203      * this allows it to work on both ASCII and EBCDIC machines.
 204      */
 205     while((cp = strchr(buffer, '\012')) == NULL && i < sizeof(buffer) - 1) {
 206         apr_size_t j = sizeof(buffer) - 1 - i;
 207         apr_status_t status;
 208         status = apr_socket_recv(sock, buffer+i, &j);
 209         if (status != APR_SUCCESS) {
 210             ap_log_error(APLOG_MARK, APLOG_CRIT, status, srv,
 211                          "read: rfc1413: error reading response");
 212             return status;
 213         }
 214         else if (j > 0) {
 215             i+=j;
 216         }
 217         else if (status == APR_SUCCESS && j == 0) {
 218             /* Oops... we ran out of data before finding newline */
 219             return APR_EINVAL;
 220         }
 221     }
 222
 223 /* RFC1413_USERLEN = 512 */
 224     ap_xlate_proto_from_ascii(buffer, i);
 225     if (sscanf(buffer, "%hu , %hu : USERID :%*[^:]:%512s", &rmt_port, &our_port,
 226                user) != 3 || sav_rmt_port != rmt_port
 227         || sav_our_port != our_port)
 228         return APR_EINVAL;
 229
 230     /*
 231      * Strip trailing carriage return. It is part of the
 232      * protocol, not part of the data.
 233      */
 234
 235     if ((cp = strchr(user, '\r')))
 236         *cp = '\0';
 237
 238     conn->remote_logname = apr_pstrdup(conn->pool, user);
 239
 240     return APR_SUCCESS;
 241 }
 242
 243 static const char *set_idcheck(cmd_parms *cmd, void *d_, int arg)
 244 {
 245     ident_config_rec *d = d_;
 246
 247     d->do_rfc1413 = arg ? 1 : 0;
 248     return NULL;
 249 }
 250
 251 static const char *set_timeout(cmd_parms *cmd, void *d_, const char *arg)
 252 {
 253     ident_config_rec *d = d_;
 254
 255     d->timeout = apr_time_from_sec(atoi(arg));
 256     d->timeout_unset = 0;
 257     return NULL;
 258 }
 259
 260 static void *create_ident_dir_config(apr_pool_t *p, char *d)
 261 {
 262     ident_config_rec *conf = apr_palloc(p, sizeof(*conf));
 263
 264     conf->do_rfc1413 = DEFAULT_RFC1413 | RFC1413_UNSET;
 265     conf->timeout = apr_time_from_sec(RFC1413_TIMEOUT);
 266     conf->timeout_unset = 1;
 267
 268     return (void *)conf;
 269 }
 270
 271 static void *merge_ident_dir_config(apr_pool_t *p, void *old_, void *new_)
 272 {
 273     ident_config_rec *conf = (ident_config_rec *)apr_pcalloc(p, sizeof(*conf));
 274     ident_config_rec *old = (ident_config_rec *) old_;
 275     ident_config_rec *new = (ident_config_rec *) new_;
 276
 277     conf->timeout = new->timeout_unset
 278                         ? old->timeout
 279                         : new->timeout;
 280
 281     conf->do_rfc1413 = new->do_rfc1413 & RFC1413_UNSET
 282                            ? old->do_rfc1413
 283                            : new->do_rfc1413;
 284
 285     return (void *)conf;
 286 }
 287
 288 static const command_rec ident_cmds[] =
 289 {
 290     AP_INIT_FLAG("IdentityCheck", set_idcheck, NULL, RSRC_CONF|ACCESS_CONF,
 291                  "Enable identd (RFC 1413) user lookups - SLOW"),
 292     AP_INIT_TAKE1("IdentityCheckTimeout", set_timeout, NULL,
 293                   RSRC_CONF|ACCESS_CONF,
 294                   "Identity check (RFC 1413) timeout duration (sec)"),
 295     {NULL}
 296 };
 297
 298 module AP_MODULE_DECLARE_DATA ident_module;
 299
 300 /*
 301  * Optional function for the core to to the actual ident request
 302  */
 303 static const char *ap_ident_lookup(request_rec *r)
 304 {
 305     ident_config_rec *conf;
 306     apr_socket_t *sock;
 307     apr_status_t rv;
 308     conn_rec *conn = r->connection;
 309     server_rec *srv = r->server;
 310
 311     conf = ap_get_module_config(r->per_dir_config, &ident_module);
 312
 313     /* return immediately if ident requests are disabled */
 314     if (!(conf->do_rfc1413 & ~RFC1413_UNSET)) {
 315         return NULL;
 316     }
 317
 318     rv = rfc1413_connect(&sock, conn, srv, conf->timeout);
 319     if (rv == APR_SUCCESS) {
 320         rv = rfc1413_query(sock, conn, srv);
 321         apr_socket_close(sock);
 322     }
 323     if (rv != APR_SUCCESS) {
 324         conn->remote_logname = FROM_UNKNOWN;
 325     }
 326
 327     return (const char *)conn->remote_logname;
 328 }
 329
 330 static void register_hooks(apr_pool_t *p)
 331 {
 332     APR_REGISTER_OPTIONAL_FN(ap_ident_lookup);
 333 }
 334
 335 module AP_MODULE_DECLARE_DATA ident_module =
 336 {
 337     STANDARD20_MODULE_STUFF,
 338     create_ident_dir_config,       /* dir config creater */
 339     merge_ident_dir_config,        /* dir merger --- default is to override */
 340     NULL,                          /* server config */
 341     NULL,                          /* merge server config */
 342     ident_cmds,                    /* command apr_table_t */
 343     register_hooks                 /* register hooks */
 344 };