Annotation of acopm/src/check.c, Revision 1.1.1.1
1.1 bountyht 1: /*
2: * Copyright (C) 2017 Aaron M. D. Jones <aaronmdjones@gmail.com>
3: *
4: * Redistribution and use in source and binary forms, with or without
5: * modification, are permitted provided that the following
6: * conditions are met:
7: *
8: * 1. Redistributions of source code must retain the above copyright
9: * notice, this list of conditions and the following disclaimer.
10: *
11: * 2. Redistributions in binary form must reproduce the above copyright
12: * notice, this list of conditions and the following disclaimer in the
13: * documentation and/or other materials provided with the distribution.
14: *
15: * 3. Neither the name of the copyright holder nor the names of its
16: * contributors may be used to endorse or promote products derived from
17: * this software without specific prior written permission.
18: *
19: * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
20: * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21: * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
22: * PARTICULAR PURPOSE ARE DISCLAIMED.
23: *
24: * IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY
25: * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29: * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30: * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31: * POSSIBILITY OF SUCH DAMAGE.
32: */
33:
34: #include "acopm-common.h"
35:
36: #include <assert.h> /* assert() */
37: #include <errno.h> /* errno */
38: #include <inttypes.h> /* PRIu16 */
39: #include <string.h> /* strerror(), memset() */
40: #include <strings.h> /* strcasecmp() */
41: #include <time.h> /* struct timeval, time_t */
42:
43: #include <event2/event.h> /* event_*(), struct event */
44:
45: #include "check.h" /* decls for own functions */
46: #include "exec.h" /* acopm_exec_proxy_program() */
47: #include "vars.h" /* global variable definitions */
48:
49: #include "3rdparty/utlist.h" /* LL_*() */
50: #include "irc/client.h" /* acopm_irc_writev() */
51: #include "dnsbl/lookup.h" /* acopm_dnsbl_lookup_new() */
52: #include "proxy/host.h" /* acopm_proxy_host_new() */
53: #include "utils/cidr.h" /* acopm_cidr_*(), struct acopm_cidr_address */
54: #include "utils/log.h" /* acopm_log_*() */
55: #include "utils/siphash24.h" /* HASH_*() */
56:
57: #define DNSBL_HIT_STR "IP address %s is listed on DNSBL %s (%s, %s)"
58: #define OPEN_PROXY_STR "IP address %s has open proxy on port %" PRIu16 " of type %s"
59: #define ACOPM_ADDR_GC_AGE 300U
60:
61: struct acopm_cached_address
62: {
63: UT_hash_handle hh;
64: time_t timestamp;
65: char address[INET6_ADDRSTRLEN];
66: } acopm_attr_packed;
67:
68: static struct acopm_cached_address *cached_addresses = NULL;
69: static struct acopm_cidr_address *exempt_addresses = NULL;
70: static struct event *ev_cached_gc = NULL;
71:
72: static void
73: acopm_cached_gc(const evutil_socket_t fd, const short events, void *const restrict data)
74: {
75: (void) fd;
76: (void) events;
77: (void) data;
78:
79: assert(fd == -1);
80: assert(events == EV_TIMEOUT);
81: assert(data == NULL);
82:
83: if (! cached_addresses)
84: return;
85:
86: (void) acopm_log_debug("%s: executing cached addresses garbage collector", __func__);
87:
88: const time_t time_now = time(NULL);
89: if (time_now == -1)
90: {
91: (void) acopm_log_error("%s: time: %s", __func__, strerror(errno));
92: return;
93: }
94:
95: struct acopm_cached_address *cached, *tmp;
96: HASH_ITER(hh, cached_addresses, cached, tmp)
97: {
98: if (! cached_addresses)
99: break;
100:
101: if (cached->timestamp >= 0 && ((time_now - cached->timestamp) < ACOPM_ADDR_GC_AGE))
102: continue;
103:
104: (void) acopm_log_debug("%s: freeing address %s", __func__, cached->address);
105: HASH_DELETE(hh, cached_addresses, cached);
106: (void) free(cached);
107: }
108: }
109:
110: static void
111: acopm_dnsbl_hit_cb(struct acopm_dnsbl_client *const restrict client, const char *const restrict domain,
112: const char *const restrict address, const char *const restrict dnsbl_ip,
113: const char *restrict description)
114: {
115: assert(client == acopm_dnsbl_client);
116:
117: (void) client;
118:
119: if (! description)
120: description = "<unknown>";
121:
122: if (! acopm_irc_log(acopm_irc_client, DNSBL_HIT_STR, address, domain, dnsbl_ip, description))
123: {
124: (void) event_base_loopbreak(ev_base);
125: return;
126: }
127:
128: if (! *dnsbl_hit_cmd)
129: return;
130:
131: #ifdef __GNUC__
132: # pragma GCC diagnostic push
133: # pragma GCC diagnostic ignored "-Wformat-nonliteral"
134: #endif
135: if (! acopm_irc_writev(acopm_irc_client, dnsbl_hit_cmd, address, domain, description))
136: #ifdef __GNUC__
137: # pragma GCC diagnostic pop
138: #endif
139: {
140: (void) event_base_loopbreak(ev_base);
141: return;
142: }
143: }
144:
145: static void
146: acopm_proxy_hit_cb(struct acopm_proxy_client *const restrict client, const char *const restrict address,
147: const uint16_t port, const enum acopm_proxy_type type)
148: {
149: assert(client == acopm_proxy_client);
150: assert(port != 0);
151: assert(type != ACOPM_PROXY_TYPE_NONE);
152: assert(address != NULL);
153: assert(*address != 0x00);
154:
155: (void) client;
156:
157: if (type == ACOPM_PROXY_TYPE_NONE)
158: return;
159:
160: if (! acopm_irc_log(acopm_irc_client, OPEN_PROXY_STR, address, port, acopm_proxy_type_str(type)))
161: {
162: (void) event_base_loopbreak(ev_base);
163: return;
164: }
165:
166: #ifdef __GNUC__
167: # pragma GCC diagnostic push
168: # pragma GCC diagnostic ignored "-Wformat-nonliteral"
169: #endif
170: if (*proxy_hit_cmd && ! acopm_irc_writev(acopm_irc_client, proxy_hit_cmd, address))
171: #ifdef __GNUC__
172: # pragma GCC diagnostic pop
173: #endif
174: {
175: (void) event_base_loopbreak(ev_base);
176: return;
177: }
178:
179: if (*proxy_hit_exe)
180: (void) acopm_exec_proxy_program(address, port, type);
181: }
182:
183: bool
184: acopm_check_init(void)
185: {
186: (void) acopm_log_debug("%s: initialising negative cache garbage collector", __func__);
187:
188: assert(ev_cached_gc == NULL);
189:
190: struct timeval timeout;
191: (void) memset(&timeout, 0x00, sizeof timeout);
192: timeout.tv_sec = ACOPM_ADDR_GC_AGE;
193:
194: if (! (ev_cached_gc = event_new(ev_base, -1, EV_PERSIST, acopm_cached_gc, NULL)))
195: {
196: (void) acopm_log_error("%s: event_new: %s", __func__, strerror(errno));
197: return false;
198: }
199:
200: if (event_add(ev_cached_gc, &timeout) != 0)
201: {
202: (void) acopm_log_error("%s: event_add: %s", __func__, strerror(errno));
203: (void) event_free(ev_cached_gc);
204: ev_cached_gc = NULL;
205: return false;
206: }
207:
208: return true;
209: }
210:
211: bool
212: acopm_check_add_exemption(const char *const restrict address)
213: {
214: assert(address != NULL);
215:
216: struct acopm_cidr_address *const exemption = acopm_cidr_new(address);
217:
218: if (! exemption)
219: return false;
220:
221: const struct acopm_cidr_address *match;
222: LL_FOREACH(exempt_addresses, match)
223: {
224: if (match->family == exemption->family && acopm_cidr_match(address, match))
225: {
226: (void) acopm_log_warning("Cannot add exemption for address '%s': already exempt", address);
227: (void) acopm_cidr_free(exemption);
228: return true;
229: }
230: }
231:
232: LL_APPEND(exempt_addresses, exemption);
233: return true;
234: }
235:
236: void
237: acopm_check_user(const char *const restrict nickname, const char *const restrict address)
238: {
239: assert(nickname != NULL);
240: assert(address != NULL);
241:
242: (void) acopm_log_info("Client connection detected: %s (%s)", nickname, address);
243:
244: const struct acopm_cidr_address *match;
245: LL_FOREACH(exempt_addresses, match)
246: {
247: if (acopm_cidr_match(address, match))
248: {
249: (void) acopm_log_info("Not checking address %s because it is exempt", address);
250: return;
251: }
252: }
253:
254: struct acopm_cached_address *cached = NULL;
255: HASH_FIND_STR(cached_addresses, address, cached);
256: if (cached)
257: {
258: assert(strcasecmp(cached->address, address) == 0);
259: (void) acopm_log_debug("%s: not checking %s (%s): cached", __func__, nickname, address);
260:
261: if ((cached->timestamp = time(NULL)) == -1)
262: (void) acopm_log_warning("%s: time: %s", __func__, strerror(errno));
263:
264: return;
265: }
266: else if (! (cached = calloc(1, sizeof *cached)))
267: {
268: (void) acopm_log_warning("%s: calloc: %s", __func__, strerror(errno));
269: }
270: else
271: {
272: (void) acopm_strset_buf(cached->address, address);
273:
274: if ((cached->timestamp = time(NULL)) == -1)
275: (void) acopm_log_warning("%s: time: %s", __func__, strerror(errno));
276:
277: HASH_ADD_STR(cached_addresses, address, cached);
278: }
279:
280: if (*client_notice_msg)
281: (void) acopm_irc_writev(acopm_irc_client, "NOTICE %s :%s", nickname, client_notice_msg);
282:
283: (void) acopm_dnsbl_lookup_new(acopm_dnsbl_client, address, acopm_dnsbl_hit_cb);
284: (void) acopm_proxy_host_new(acopm_proxy_client, address, acopm_proxy_hit_cb);
285: }
286:
287: void
288: acopm_check_free(void)
289: {
290: (void) acopm_log_debug("%s: destroying negative cache and garbage collector", __func__);
291:
292: if (cached_addresses)
293: {
294: struct acopm_cached_address *copy = cached_addresses;
295: HASH_CLEAR(hh, copy);
296:
297: struct acopm_cached_address *cached, *tmp;
298: HASH_ITER(hh, cached_addresses, cached, tmp)
299: (void) free(cached);
300:
301: cached_addresses = NULL;
302: }
303:
304: if (exempt_addresses)
305: {
306: struct acopm_cidr_address *cur, *tmp;
307: LL_FOREACH_SAFE(exempt_addresses, cur, tmp)
308: {
309: LL_DELETE(exempt_addresses, cur);
310: (void) acopm_cidr_free(cur);
311: }
312: }
313:
314: if (ev_cached_gc)
315: {
316: (void) event_free(ev_cached_gc);
317: ev_cached_gc = NULL;
318: }
319: }
CVSweb