460
460
slog(LOG_DEBUG, "userid:\n%s",
461
461
userids2string(&sockscf->uid, "", buf, sizeof(buf)));
463
slog(LOG_DEBUG, "child.maxidlenumber: %d",
464
sockscf->child.maxidlenumber);
463
slog(LOG_DEBUG, "child.maxidle: %d",
464
sockscf->child.maxidle);
466
466
bufused = snprintfn(buf, sizeof(buf), "method(s): ");
467
467
for (i = 0; (size_t)i < sockscf->methodc; ++i)
830
834
SERRX(state->version);
833
/* current rule allows for selected authentication? */
838
* This is a little tricky. For some commands we may not
839
* have all info at time of (preliminary) rulechecks.
840
* What we want to do if there is no (complete) address given is
841
* to see if there's any chance at all the rules will permit this
842
* request when the address (later) becomes available.
843
* We therefore continue to scan the rules until we either get
844
* a pass (ignoring peer with missing info), or the default block
847
* This is the case for e.g. bindreply and udp, where we will
848
* have to call this function again when we get the addresses
853
if (!addressmatch(&rule->src, src, state->protocol, 0))
857
if (rule->verdict == VERDICT_BLOCK)
858
continue; /* continue scan. It's possible we will get a pass. */
861
if (!addressmatch(&rule->dst, dst, state->protocol, 0))
865
if (rule->verdict == VERDICT_BLOCK)
866
continue; /* continue scan. It's possible we will get a pass. */
868
/* current rule authentication matches selected authentication? */
834
869
if (!methodisset(state->auth.method, rule->state.methodv,
835
870
rule->state.methodc)) {
839
* There are some "extra" (non-standard) methods that are independent
840
* of socks protocol negotiation and it's thus possible
841
* to get a match on them even if above check failed, i.e.
842
* it's possible to "upgrade" the method.
872
* There are some "extra" (non-standard) methods that are
873
* independent of socks protocol negotiation, and it's possible
874
* to get a match on them, even if above check failed. I.e.
875
* it's possible to change the method. E.g. PAM is based
876
* on UNAME; if we have UNAME, we can also get PAM.
844
878
* We therefor look at what methods this rule wants and see
845
* if can match it with what we have, or get it.
879
* if can match it with what the client _can_ provide, if we
880
* do some extra work to get the information.
847
881
* Currently these methods are: rfc931 and pam.
850
for (i = methodisok = 0; i < methodc; ++i) {
885
* This variable only says if current client has provided the
886
* neccessary information to to check it's access with
887
* one of the methods required by the current rule.
889
* XXX would be nice to cache this, so we don't have to
890
* copy memory around each time.
892
size_t methodischeckable = 0;
894
for (i = 0; i < methodc; ++i) {
851
895
if (methodisset(methodv[i], rule->state.methodv,
852
896
rule->state.methodc)) {
853
897
switch (methodv[i]) {
861
905
if (strcmp((char *)state->auth.mdata.rfc931.name,
862
906
STRING_UNKNOWN) == 0)
863
907
*state->auth.mdata.rfc931.name = NUL;
865
if (state->auth.mdata.rfc931.name[
908
else if (state->auth.mdata.rfc931.name[
866
909
sizeof(state->auth.mdata.rfc931.name) - 1] != NUL) {
867
slog(LOG_NOTICE, "%s: rfc931 name truncated", function);
868
910
state->auth.mdata.rfc931.name[
869
911
sizeof(state->auth.mdata.rfc931.name) - 1] = NUL;
912
swarnx("%s: rfc931 name \"%s\" truncated", function,
913
state->auth.mdata.rfc931.name);
871
/* better safe than sorry. */
872
915
*state->auth.mdata.rfc931.name = NUL;
875
918
if (*state->auth.mdata.rfc931.name != NUL)
919
methodischeckable = 1;
878
921
#endif /* HAVE_LIBWRAP */
881
924
case AUTHMETHOD_PAM:
926
* PAM can support username/password, just username,
927
* or neither username nor password.
882
930
slog(LOG_DEBUG, "%s: trying to find match for pam ...",
885
933
switch (state->auth.method) {
886
934
case AUTHMETHOD_UNAME: {
887
/* it's a union, make a copy first. */
888
const struct authmethod_uname_t uname
889
= state->auth.mdata.uname;
891
/* similar enough, just copy name/password. */
893
strcpy((char *)state->auth.mdata.pam.name,
894
(const char *)uname.name);
895
strcpy((char *)state->auth.mdata.pam.password,
896
(const char *)uname.password);
935
/* it's a union, make a copy first. */
936
const struct authmethod_uname_t uname
937
= state->auth.mdata.uname;
939
/* similar enough, just copy name/password. */
940
strcpy((char *)state->auth.mdata.pam.name,
941
(const char *)uname.name);
942
strcpy((char *)state->auth.mdata.pam.password,
943
(const char *)uname.password);
945
methodischeckable = 1;
902
949
case AUTHMETHOD_RFC931: {
903
/* it's a union, make a copy first. */
904
const struct authmethod_rfc931_t rfc931
905
= state->auth.mdata.rfc931;
907
strcpy((char *)state->auth.mdata.pam.name,
908
(const char *)rfc931.name);
950
/* it's a union, make a copy first. */
951
const struct authmethod_rfc931_t rfc931
952
= state->auth.mdata.rfc931;
955
* no password, but we can check for the username
956
* we got from ident, with an empty password.
959
strcpy((char *)state->auth.mdata.pam.name,
960
(const char *)rfc931.name);
909
962
*state->auth.mdata.pam.password = NUL;
964
methodischeckable = 1;
914
968
case AUTHMETHOD_NONE:
970
* PAM can also support no username/password.
915
973
*state->auth.mdata.pam.name = NUL;
916
974
*state->auth.mdata.pam.password = NUL;
976
methodischeckable = 1;
924
983
#endif /* HAVE_PAM */
928
state->auth.method = methodv[i];
986
if (methodischeckable) {
987
state->auth.method = methodv[i]; /* chainging method. */
934
993
if (i == methodc)
935
continue; /* no usable method found. */
995
* current rules methods differs from what client can
996
* provide us with. Go to next rule.
999
/* else; XXX should try other methods if acccess fails on this. */
939
1002
SASSERTX(methodisset(state->auth.method, rule->state.methodv,
940
1003
rule->state.methodc));
942
i = accessmatch(s, &state->auth, peer, local, rule->user, msg, msgsize);
944
/* two fields we want to copy. */
1005
/* rule requires a user, and covers current user? */
1006
if (rule->user != NULL)
1007
if (!usermatch(&state->auth, rule->user))
1008
continue; /* no match. */
1010
/* last step. Does the authentication match? */
1011
i = accesscheck(s, &state->auth, peer, local, msg, msgsize);
1014
* two fields we want to copy. This is to speed things up so
1015
* we don't re-check the same method.
945
1017
memcpy(ostate.auth.methodv, state->auth.methodv,
946
1018
state->auth.methodc * sizeof(*state->auth.methodv));
947
1019
ostate.auth.methodc = state->auth.methodc;
949
1021
state->auth.badmethodc * sizeof(*state->auth.badmethodv));
950
1022
ostate.auth.badmethodc = state->auth.badmethodc;
954
* The reason for the continue is the fact that we can
955
* "upgrade" the method if we have a rule specifying a
956
* non-socks method. That means "name" and "password"
957
* gotten for this method/rule need not be the same as gotten
963
* This is a little tricky. For some commands we may not
964
* have all info at time of (preliminary) rulechecks.
965
* What we want to do if there is no (complete) address given is
966
* to see if there's any chance at all the rules will permit this
967
* request when the address (later) becomes available.
968
* We therefore continue to scan the rules until we either get
969
* a pass (ignoring peer with missing info), or the default block
974
if (!addressmatch(&rule->src, src, state->protocol, 0))
978
if (rule->verdict == VERDICT_BLOCK)
979
continue; /* continue scan. */
982
if (!addressmatch(&rule->dst, dst, state->protocol, 0))
986
if (rule->verdict == VERDICT_BLOCK)
987
continue; /* continue scan. */
1025
match->verdict = VERDICT_BLOCK;
1181
1224
yywarn("method \"%s\" set in rule but not in global methodline",
1182
1225
method2string(rule->state.methodv[i]));
1184
/* if no protocol set, set all. */
1227
/* if no protocol set, set all for socks-rules, tcp for client-rules. */
1185
1228
if (memcmp(&state.protocol, &rule->state.protocol, sizeof(state.protocol))
1187
memset(&rule->state.protocol, UCHAR_MAX, sizeof(rule->state.protocol));
1231
rule->state.protocol.tcp = 1;
1233
memset(&rule->state.protocol, UCHAR_MAX, sizeof(rule->state.protocol));
1189
1235
/* if no proxyprotocol set, set all socks protocols. */
1190
1236
if (memcmp(&state.proxyprotocol, &rule->state.proxyprotocol,