Diffstat (limited to 'meta/recipes-extended/tcp-wrappers')
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/00_man_quoting.diff75
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch248
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch103
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch30
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6.patch1253
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch151
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_usagi_fix.patch45
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/12_makefile_config.patch81
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/13_shlib_weaksym.patch253
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/14_cidr_support.patch66
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/15_match_clarify.patch12
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/expand_remote_port.patch71
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/have_strerror.patch19
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/ldflags.patch43
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/man_fromhost.patch21
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/restore_sigalarm.patch37
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/rfc931.diff39
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.834
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.patch29
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/sig_fix.patch34
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/siglongjmp.patch30
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/size_t.patch42
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/tcpdchk_libwrapped.patch39
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/try-from.828
-rw-r--r--meta/recipes-extended/tcp-wrappers/tcp-wrappers_7.6.bb117
25 files changed, 2900 insertions, 0 deletions
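diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/00_man_quoting.diff b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/00_man_quoting.diff
new file mode 100644
index 0000000000..ff60a843e4
--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/00_man_quoting.diff
@@ -0,0 +1,75 @@
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5 1995-01-30 19:51:47.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.5 2004-04-09 16:59:45.000000000 +0200
+@@ -173,7 +173,7 @@
+ Patterns like these can be used when the machine has different internet
+ addresses with different internet hostnames. Service providers can use
+ this facility to offer FTP, GOPHER or WWW archives with internet names
+-that may even belong to different organizations. See also the `twist'
++that may even belong to different organizations. See also the `twist\'
+ option in the hosts_options(5) document. Some systems (Solaris,
+ FreeBSD) can have more than one internet address on one physical
+ interface; with other systems you may have to resort to SLIP or PPP
+@@ -236,10 +236,10 @@
+ Before accepting a client request, the wrappers can use the IDENT
+ service to find out that the client did not send the request at all.
+ When the client host provides IDENT service, a negative IDENT lookup
+-result (the client matches `UNKNOWN@host') is strong evidence of a host
++result (the client matches `UNKNOWN@host\') is strong evidence of a host
+ spoofing attack.
+ .PP
+-A positive IDENT lookup result (the client matches `KNOWN@host') is
++A positive IDENT lookup result (the client matches `KNOWN@host\') is
+ less trustworthy. It is possible for an intruder to spoof both the
+ client connection and the IDENT lookup, although doing so is much
+ harder than spoofing just a client connection. It may also be that
+diff -ruN tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5
+--- tcp_wrappers_7.6.orig/hosts_options.5 1994-12-28 17:42:29.000000000 +0100
++++ tcp_wrappers_7.6/hosts_options.5 2004-04-09 16:59:49.000000000 +0200
+@@ -124,7 +124,7 @@
+ value is taken.
+ .SH MISCELLANEOUS
+ .IP "banners /some/directory"
+-Look for a file in `/some/directory' with the same name as the daemon
++Look for a file in `/some/directory\' with the same name as the daemon
+ process (for example in.telnetd for the telnet service), and copy its
+ contents to the client. Newline characters are replaced by
+ carriage-return newline, and %<letter> sequences are expanded (see
+diff -ruN tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8
+--- tcp_wrappers_7.6.orig/tcpdmatch.8 1996-02-11 17:01:36.000000000 +0100
++++ tcp_wrappers_7.6/tcpdmatch.8 2004-04-09 17:00:49.000000000 +0200
+@@ -26,7 +26,7 @@
+ A daemon process name. Typically, the last component of a daemon
+ executable pathname.
+ .IP client
+-A host name or network address, or one of the `unknown' or `paranoid'
++A host name or network address, or one of the `unknown\' or `paranoid\'
+ wildcard patterns.
+ .sp
+ When a client host name is specified, \fItcpdmatch\fR gives a
+@@ -37,13 +37,13 @@
+ .PP
+ Optional information specified with the \fIdaemon@server\fR form:
+ .IP server
+-A host name or network address, or one of the `unknown' or `paranoid'
+-wildcard patterns. The default server name is `unknown'.
++A host name or network address, or one of the `unknown\' or `paranoid\'
++wildcard patterns. The default server name is `unknown\'.
+ .PP
+ Optional information specified with the \fIuser@client\fR form:
+ .IP user
+ A client user identifier. Typically, a login name or a numeric userid.
+-The default user name is `unknown'.
++The default user name is `unknown\'.
+ .SH OPTIONS
+ .IP -d
+ Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current
+@@ -70,7 +70,7 @@
+ .ti +5
+ tcpdmatch in.telnetd paranoid
+ .PP
+-On some systems, daemon names have no `in.' prefix, or \fItcpdmatch\fR
++On some systems, daemon names have no `in.\' prefix, or \fItcpdmatch\fR
+ may need some help to locate the inetd configuration file.
+ .SH FILES
+ .PP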
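diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch
new file mode 100644
index 0000000000..4963f82eb8
--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch
@@ -0,0 +1,248 @@
+diff -ruNp tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3
+--- tcp_wrappers_7.6.orig/hosts_access.3 2005-03-09 18:30:25.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.3 2005-03-09 18:27:03.000000000 +0100
+@@ -3,7 +3,7 @@
+ hosts_access, hosts_ctl, request_init, request_set \- access control library
+ .SH SYNOPSIS
+ .nf
+-#include "tcpd.h"
++#include <tcpd.h>
+
+ extern int allow_severity;
+ extern int deny_severity;
+diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5 2005-03-09 18:30:25.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.5 2005-03-09 18:30:18.000000000 +0100
+@@ -8,9 +8,9 @@ name, host name/address) patterns. Exam
+ impatient reader is encouraged to skip to the EXAMPLES section for a
+ quick introduction.
+ .PP
+-An extended version of the access control language is described in the
+-\fIhosts_options\fR(5) document. The extensions are turned on at
+-program build time by building with -DPROCESS_OPTIONS.
++The extended version of the access control language is described in the
++\fIhosts_options\fR(5) document. \fBNote that this language supersedes
++the meaning of \fIshell_command\fB as documented below.\fR
+ .PP
+ In the following text, \fIdaemon\fR is the the process name of a
+ network daemon process, and \fIclient\fR is the name and/or address of
+@@ -346,8 +346,8 @@ in.tftpd: LOCAL, .my.domain
+ /etc/hosts.deny:
+ .in +3
+ .nf
+-in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\
+- /usr/ucb/mail -s %d-%h root) &
++in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
++ /usr/bin/mail -s %d-%h root) &
+ .fi
+ .PP
+ The safe_finger command comes with the tcpd wrapper and should be
+@@ -383,6 +383,7 @@ that shouldn\'t. All problems are repor
+ .fi
+ .SH SEE ALSO
+ .nf
++hosts_options(5) extended syntax.
+ tcpd(8) tcp/ip daemon wrapper program.
+ tcpdchk(8), tcpdmatch(8), test programs.
+ .SH BUGS
+diff -ruNp tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5
+--- tcp_wrappers_7.6.orig/hosts_options.5 2005-03-09 18:30:24.000000000 +0100
++++ tcp_wrappers_7.6/hosts_options.5 2005-03-09 18:27:03.000000000 +0100
+@@ -2,10 +2,8 @@
+ .SH NAME
+ hosts_options \- host access control language extensions
+ .SH DESCRIPTION
+-This document describes optional extensions to the language described
+-in the hosts_access(5) document. The extensions are enabled at program
+-build time. For example, by editing the Makefile and turning on the
+-PROCESS_OPTIONS compile-time option.
++This document describes extensions to the language described
++in the hosts_access(5) document.
+ .PP
+ The extensible language uses the following format:
+ .sp
+@@ -58,12 +56,12 @@ Notice the leading dot on the domain nam
+ Execute, in a child process, the specified shell command, after
+ performing the %<letter> expansions described in the hosts_access(5)
+ manual page. The command is executed with stdin, stdout and stderr
+-connected to the null device, so that it won\'t mess up the
++connected to the null device, so that it won't mess up the
+ conversation with the client host. Example:
+ .sp
+ .nf
+ .ti +3
+-spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) &
++spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &
+ .fi
+ .sp
+ executes, in a background child process, the shell command "safe_finger
+diff -ruNp tcp_wrappers_7.6.orig/inetcf.c tcp_wrappers_7.6/inetcf.c
+--- tcp_wrappers_7.6.orig/inetcf.c 1997-02-12 02:13:24.000000000 +0100
++++ tcp_wrappers_7.6/inetcf.c 2005-03-09 18:27:03.000000000 +0100
+@@ -26,13 +26,17 @@ extern void exit();
+ * guesses. Shorter names follow longer ones.
+ */
+ char *inet_files[] = {
++#if 0
+ "/private/etc/inetd.conf", /* NEXT */
+ "/etc/inet/inetd.conf", /* SYSV4 */
+ "/usr/etc/inetd.conf", /* IRIX?? */
++#endif
+ "/etc/inetd.conf", /* BSD */
++#if 0
+ "/etc/net/tlid.conf", /* SYSV4?? */
+ "/etc/saf/tlid.conf", /* SYSV4?? */
+ "/etc/tlid.conf", /* SYSV4?? */
++#endif
+ 0,
+ };
+
+diff -ruNp tcp_wrappers_7.6.orig/tcpd.8 tcp_wrappers_7.6/tcpd.8
+--- tcp_wrappers_7.6.orig/tcpd.8 1996-02-21 16:39:16.000000000 +0100
++++ tcp_wrappers_7.6/tcpd.8 2005-03-09 18:27:03.000000000 +0100
+@@ -12,7 +12,11 @@ The program supports both 4.3BSD-style s
+ TLI. Functionality may be limited when the protocol underneath TLI is
+ not an internet protocol.
+ .PP
+-Operation is as follows: whenever a request for service arrives, the
++There are two possible modes of operation: execution of \fItcpd\fP
++before a service started by \fIinetd\fP, or linking a daemon with
++the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3)
++manual page. Operation when started by \fIinetd\fP
++is as follows: whenever a request for service arrives, the
+ \fIinetd\fP daemon is tricked into running the \fItcpd\fP program
+ instead of the desired server. \fItcpd\fP logs the request and does
+ some additional checks. When all is well, \fItcpd\fP runs the
+@@ -88,11 +92,11 @@ configuration files.
+ .sp
+ .in +5
+ # mkdir /other/place
+-# mv /usr/etc/in.fingerd /other/place
+-# cp tcpd /usr/etc/in.fingerd
++# mv /usr/sbin/in.fingerd /other/place
++# cp tcpd /usr/sbin/in.fingerd
+ .fi
+ .PP
+-The example assumes that the network daemons live in /usr/etc. On some
++The example assumes that the network daemons live in /usr/sbin. On some
+ systems, network daemons live in /usr/sbin or in /usr/libexec, or have
+ no `in.\' prefix to their name.
+ .SH EXAMPLE 2
+@@ -101,35 +105,34 @@ are left in their original place.
+ .PP
+ In order to monitor access to the \fIfinger\fR service, perform the
+ following edits on the \fIinetd\fR configuration file (usually
+-\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR):
++\fI/etc/inetd.conf\fR):
+ .nf
+ .sp
+ .ti +5
+-finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
++finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
+ .sp
+ becomes:
+ .sp
+ .ti +5
+-finger stream tcp nowait nobody /some/where/tcpd in.fingerd
++finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
+ .sp
+ .fi
+ .PP
+-The example assumes that the network daemons live in /usr/etc. On some
++The example assumes that the network daemons live in /usr/sbin. On some
+ systems, network daemons live in /usr/sbin or in /usr/libexec, the
+ daemons have no `in.\' prefix to their name, or there is no userid
+ field in the inetd configuration file.
+ .PP
+ Similar changes will be needed for the other services that are to be
+ covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8)
+-process to make the changes effective. AIX users may also have to
+-execute the `inetimp\' command.
++process to make the changes effective.
+ .SH EXAMPLE 3
+ In the case of daemons that do not live in a common directory ("secret"
+ or otherwise), edit the \fIinetd\fR configuration file so that it
+ specifies an absolute path name for the process name field. For example:
+ .nf
+ .sp
+- ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd
++ ntalk dgram udp wait root /usr/sbin/tcpd /usr/local/lib/ntalkd
+ .sp
+ .fi
+ .PP
+@@ -164,6 +167,7 @@ The default locations of the host access
+ .SH SEE ALSO
+ .na
+ .nf
++hosts_access(3), functions provided by the libwrap library.
+ hosts_access(5), format of the tcpd access control tables.
+ syslog.conf(5), format of the syslogd control file.
+ inetd.conf(5), format of the inetd control file.
+diff -ruNp tcp_wrappers_7.6.orig/tcpdchk.8 tcp_wrappers_7.6/tcpdchk.8
+--- tcp_wrappers_7.6.orig/tcpdchk.8 1995-01-08 17:00:31.000000000 +0100
++++ tcp_wrappers_7.6/tcpdchk.8 2005-03-09 18:27:03.000000000 +0100
+@@ -9,8 +9,8 @@ tcpdchk [-a] [-d] [-i inet_conf] [-v]
+ potential and real problems it can find. The program examines the
+ \fItcpd\fR access control files (by default, these are
+ \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the
+-entries in these files against entries in the \fIinetd\fR or \fItlid\fR
+-network configuration files.
++entries in these files against entries in the \fIinetd\fR
++network configuration file.
+ .PP
+ \fItcpdchk\fR reports problems such as non-existent pathnames; services
+ that appear in \fItcpd\fR access control rules, but are not controlled
+@@ -26,14 +26,13 @@ problem.
+ .SH OPTIONS
+ .IP -a
+ Report access control rules that permit access without an explicit
+-ALLOW keyword. This applies only when the extended access control
+-language is enabled (build with -DPROCESS_OPTIONS).
++ALLOW keyword.
+ .IP -d
+ Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current
+ directory instead of the default ones.
+ .IP "-i inet_conf"
+ Specify this option when \fItcpdchk\fR is unable to find your
+-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when
++\fIinetd.conf\fR network configuration file, or when
+ you suspect that the program uses the wrong one.
+ .IP -v
+ Display the contents of each access control rule. Daemon lists, client
+@@ -54,7 +53,6 @@ tcpdmatch(8), explain what tcpd would do
+ hosts_access(5), format of the tcpd access control tables.
+ hosts_options(5), format of the language extensions.
+ inetd.conf(5), format of the inetd control file.
+-tlid.conf(5), format of the tlid control file.
+ .SH AUTHORS
+ .na
+ .nf
+diff -ruNp tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8
+--- tcp_wrappers_7.6.orig/tcpdmatch.8 2005-03-09 18:30:24.000000000 +0100
++++ tcp_wrappers_7.6/tcpdmatch.8 2005-03-09 18:27:03.000000000 +0100
+@@ -13,7 +13,7 @@ request for service. Examples are given
+ The program examines the \fItcpd\fR access control tables (default
+ \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR) and prints its
+ conclusion. For maximal accuracy, it extracts additional information
+-from your \fIinetd\fR or \fItlid\fR network configuration file.
++from your \fIinetd\fR network configuration file.
+ .PP
+ When \fItcpdmatch\fR finds a match in the access control tables, it
+ identifies the matched rule. In addition, it displays the optional
+@@ -50,7 +50,7 @@ Examine \fIhosts.allow\fR and \fIhosts.d
+ directory instead of the default ones.
+ .IP "-i inet_conf"
+ Specify this option when \fItcpdmatch\fR is unable to find your
+-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when
++\fIinetd.conf\fR network configuration file, or when
+ you suspect that the program uses the wrong one.
+ .SH EXAMPLES
+ To predict how \fItcpd\fR would handle a telnet request from the local
+@@ -86,7 +86,6 @@ tcpdchk(8), tcpd configuration checker
+ hosts_access(5), format of the tcpd access control tables.
+ hosts_options(5), format of the language extensions.
+ inetd.conf(5), format of the inetd control file.
+-tlid.conf(5), format of the tlid control file.
+ .SH AUTHORS
+ .na
+ .nf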
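diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch
new file mode 100644
index 0000000000..a168f6d5a5
--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch
@@ -0,0 +1,103 @@
+See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17847
+
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 18:54:33.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 18:54:27.000000000 +0200
+@@ -89,6 +89,10 @@
+ bitwise AND of the address and the `mask\'. For example, the net/mask
+ pattern `131.155.72.0/255.255.254.0\' matches every address in the
+ range `131.155.72.0\' through `131.155.73.255\'.
++.IP \(bu
++Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This
++method of matching cannot be used in conjunction with `net/mask\' matching,
++hostname matching beginning with `.\' or IP address matching ending with `.\'.
+ .SH WILDCARDS
+ The access control language supports explicit wildcards:
+ .IP ALL
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
+--- tcp_wrappers_7.6.orig/hosts_access.c 1997-02-12 02:13:23.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 18:52:21.000000000 +0200
+@@ -289,6 +289,11 @@
+ {
+ int n;
+
++#ifndef DISABLE_WILDCARD_MATCHING
++ if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */
++ return (match_pattern_ylo(string,tok));
++ } else
++#endif
+ if (tok[0] == '.') { /* suffix */
+ n = strlen(string) - strlen(tok);
+ return (n > 0 && STR_EQ(tok, string + n));
+@@ -329,3 +334,71 @@
+ }
+ return ((addr & mask) == net);
+ }
++
++#ifndef DISABLE_WILDCARD_MATCHING
++/* Note: this feature has been adapted in a pretty straightforward way
++ from Tatu Ylonen's last SSH version under free license by
++ Pekka Savola <pekkas@netcore.fi>.
++
++ Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
++*/
++
++/* Returns true if the given string matches the pattern (which may contain
++ ? and * as wildcards), and zero if it does not match. */
++
++int match_pattern_ylo(const char *s, const char *pattern)
++{
++ while (1)
++ {
++ /* If at end of pattern, accept if also at end of string. */
++ if (!*pattern)
++ return !*s;
++
++ /* Process '*'. */
++ if (*pattern == '*')
++ {
++ /* Skip the asterisk. */
++ pattern++;
++
++ /* If at end of pattern, accept immediately. */
++ if (!*pattern)
++ return 1;
++
++ /* If next character in pattern is known, optimize. */
++ if (*pattern != '?' && *pattern != '*')
++ {
++ /* Look instances of the next character in pattern, and try
++ to match starting from those. */
++ for (; *s; s++)
++ if (*s == *pattern &&
++ match_pattern_ylo(s + 1, pattern + 1))
++ return 1;
++ /* Failed. */
++ return 0;
++ }
++
++ /* Move ahead one character at a time and try to match at each
++ position. */
++ for (; *s; s++)
++ if (match_pattern_ylo(s, pattern))
++ return 1;
++ /* Failed. */
++ return 0;
++ }
++
++ /* There must be at least one more character in the string. If we are
++ at the end, fail. */
++ if (!*s)
++ return 0;
++
++ /* Check if the next character of the string is acceptable. */
++ if (*pattern != '?' && *pattern != *s)
++ return 0;
++
++ /* Move to the next character, both in string and in pattern. */
++ s++;
++ pattern++;
++ }
++ /*NOTREACHED*/
++}
++#endif /* DISABLE_WILDCARD_MATCHING */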
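Review bot: match_pattern_ylo() compares characters with `*s == *pattern` and `*pattern != *s`, so any rule containing `*` or `?` is matched case-sensitively, while the suffix branch of string_match() goes through STR_EQ, which is a case-insensitive comparison in upstream tcpd.h (not shown on this page, so worth confirming). Host names reach this code from name resolution without visible case normalisation, so a hosts.deny rule written with a wildcard can silently fail to match a client whose name differs only in letter case, and the two rule styles then disagree on the same host. I would fold both sides before comparing, e.g. `if (*pattern != '?' && tolower((unsigned char)*pattern) != tolower((unsigned char)*s)) return 0;`, with the same fold in the `*s == *pattern` fast path. The function comment should also state that every `*` recurses once per remaining character, so matching cost grows quickly when a pattern holds several `*`. match_pattern_ylo() is called in string_match() above its definition and no prototype is visible in these hunks; string_match()'s body starts and ends outside the hunk.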
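diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch
new file mode 100644
index 0000000000..d06aaef13b
--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch
@@ -0,0 +1,30 @@
+* Mon Feb 5 2001 Preston Brown <pbrown@redhat.com>
+- fix gethostbyname to work better with dot "." notation (#16949)
+
+--- tcp_wrappers_7.6/socket.c.fixgethostbyname Fri Mar 21 13:27:25 1997
++++ tcp_wrappers_7.6/socket.c Mon Feb 5 14:09:40 2001
+@@ -52,7 +52,8 @@
+ char *name;
+ {
+ char dot_name[MAXHOSTNAMELEN + 1];
+-
++ struct hostent *hp;
++
+ /*
+ * Don't append dots to unqualified names. Such names are likely to come
+ * from local hosts files or from NIS.
+@@ -61,8 +62,12 @@
+ if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) {
+ return (gethostbyname(name));
+ } else {
+- sprintf(dot_name, "%s.", name);
+- return (gethostbyname(dot_name));
++ sprintf(dot_name, "%s.", name);
++ hp = gethostbyname(dot_name);
++ if (hp)
++ return hp;
++ else
++ return (gethostbyname(name));
+ }
+ }
+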
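Review bot: The new fallback `return (gethostbyname(name));` after the dotted lookup fails hands the undotted name back to the resolver, which may then apply its search list; the trailing dot is what forces an absolute lookup, so the fallback weakens that guarantee for any caller that uses the result to verify a client host name (the callers are outside this hunk, so this is inferred). If the fallback is kept for compatibility, state the trade-off above it, for example `/* Fallback may apply the resolver search list; the result is not guaranteed to be for the absolute name. */`. Separately, `sprintf(dot_name, "%s.", name)` stays in bounds only because of the `strlen(name) >= MAXHOSTNAMELEN - 1` guard two lines above it; `snprintf(dot_name, sizeof(dot_name), "%s.", name);` would keep the bound next to the write. The function's signature and opening lines are outside the hunk.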
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6.patch
new file mode 100644
index 0000000000..5c8be5c27c
--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6.patch
@@ -0,0 +1,1253 @@
1diff -ruN tcp_wrappers_7.6.orig/fix_options.c tcp_wrappers_7.6/fix_options.c
2--- tcp_wrappers_7.6.orig/fix_options.c 1997-04-08 02:29:19.000000000 +0200
3+++ tcp_wrappers_7.6/fix_options.c 2004-04-10 19:07:43.000000000 +0200
4@@ -11,6 +11,9 @@
5
6 #include <sys/types.h>
7 #include <sys/param.h>
8+#ifdef INET6
9+#include <sys/socket.h>
10+#endif
11 #include <netinet/in.h>
12 #include <netinet/in_systm.h>
13 #include <netinet/ip.h>
14@@ -41,6 +44,22 @@
15 unsigned int opt;
16 int optlen;
17 struct in_addr dummy;
18+#ifdef INET6
19+ struct sockaddr_storage ss;
20+ int sslen;
21+
22+ /*
23+ * check if this is AF_INET socket
24+ * XXX IPv6 support?
25+ */
26+ sslen = sizeof(ss);
27+ if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) {
28+ syslog(LOG_ERR, "getpeername: %m");
29+ clean_exit(request);
30+ }
31+ if (ss.ss_family != AF_INET)
32+ return;
33+#endif
34
35 if ((ip = getprotobyname("ip")) != 0)
36 ipproto = ip->p_proto;
37diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
38--- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:22:58.000000000 +0200
39+++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:07:43.000000000 +0200
40@@ -85,11 +85,18 @@
41 for daemon process names or for client user names.
42 .IP \(bu
43 An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a
44-`net/mask\' pair. A host address is matched if `net\' is equal to the
45+`net/mask\' pair. An IPv4 host address is matched if `net\' is equal to the
46 bitwise AND of the address and the `mask\'. For example, the net/mask
47 pattern `131.155.72.0/255.255.254.0\' matches every address in the
48 range `131.155.72.0\' through `131.155.73.255\'.
49 .IP \(bu
50+An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
51+`[net]/prefixlen\' pair. An IPv6 host address is matched if
52+`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the
53+address. For example, the [net]/prefixlen pattern
54+`[3ffe:505:2:1::]/64\' matches every address in the range
55+`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
56+.IP \(bu
57 Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This
58 method of matching cannot be used in conjunction with `net/mask\' matching,
59 hostname matching beginning with `.\' or IP address matching ending with `.\'.
60diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
61--- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:22:58.000000000 +0200
62+++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:07:43.000000000 +0200
63@@ -24,7 +24,13 @@
64 /* System libraries. */
65
66 #include <sys/types.h>
67+#ifdef INT32_T
68+ typedef uint32_t u_int32_t;
69+#endif
70 #include <sys/param.h>
71+#ifdef INET6
72+#include <sys/socket.h>
73+#endif
74 #include <netinet/in.h>
75 #include <arpa/inet.h>
76 #include <stdio.h>
77@@ -33,6 +39,9 @@
78 #include <errno.h>
79 #include <setjmp.h>
80 #include <string.h>
81+#ifdef INET6
82+#include <netdb.h>
83+#endif
84
85 extern char *fgets();
86 extern int errno;
87@@ -82,6 +91,10 @@
88 static int host_match();
89 static int string_match();
90 static int masked_match();
91+#ifdef INET6
92+static int masked_match4();
93+static int masked_match6();
94+#endif
95
96 /* Size of logical line buffer. */
97
98@@ -289,6 +302,13 @@
99 {
100 int n;
101
102+#ifdef INET6
103+ /* convert IPv4 mapped IPv6 address to IPv4 address */
104+ if (STRN_EQ(string, "::ffff:", 7)
105+ && dot_quad_addr(string + 7) != INADDR_NONE) {
106+ string += 7;
107+ }
108+#endif
109 #ifndef DISABLE_WILDCARD_MATCHING
110 if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */
111 return (match_pattern_ylo(string,tok));
112@@ -304,20 +324,72 @@
113 } else if (tok[(n = strlen(tok)) - 1] == '.') { /* prefix */
114 return (STRN_EQ(tok, string, n));
115 } else { /* exact match */
116+#ifdef INET6
117+ struct addrinfo hints, *res;
118+ struct sockaddr_in6 pat, addr;
119+ int len, ret;
120+ char ch;
121+
122+ len = strlen(tok);
123+ if (*tok == '[' && tok[len - 1] == ']') {
124+ ch = tok[len - 1];
125+ tok[len - 1] = '\0';
126+ memset(&hints, 0, sizeof(hints));
127+ hints.ai_family = AF_INET6;
128+ hints.ai_socktype = SOCK_STREAM;
129+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
130+ if ((ret = getaddrinfo(tok + 1, NULL, &hints, &res)) == 0) {
131+ memcpy(&pat, res->ai_addr, sizeof(pat));
132+ freeaddrinfo(res);
133+ }
134+ tok[len - 1] = ch;
135+ if (ret != 0 || getaddrinfo(string, NULL, &hints, &res) != 0)
136+ return NO;
137+ memcpy(&addr, res->ai_addr, sizeof(addr));
138+ freeaddrinfo(res);
139+#ifdef NI_WITHSCOPEID
140+ if (pat.sin6_scope_id != 0 &&
141+ addr.sin6_scope_id != pat.sin6_scope_id)
142+ return NO;
143+#endif
144+ return (!memcmp(&pat.sin6_addr, &addr.sin6_addr,
145+ sizeof(struct in6_addr)));
146+ return (ret);
147+ }
148+#endif
149 return (STR_EQ(tok, string));
150 }
151 }
152
153 /* masked_match - match address against netnumber/netmask */
154
155+#ifdef INET6
156 static int masked_match(net_tok, mask_tok, string)
157 char *net_tok;
158 char *mask_tok;
159 char *string;
160 {
161+ return (masked_match4(net_tok, mask_tok, string) ||
162+ masked_match6(net_tok, mask_tok, string));
163+}
164+
165+static int masked_match4(net_tok, mask_tok, string)
166+#else
167+static int masked_match(net_tok, mask_tok, string)
168+#endif
169+char *net_tok;
170+char *mask_tok;
171+char *string;
172+{
173+#ifdef INET6
174+ u_int32_t net;
175+ u_int32_t mask;
176+ u_int32_t addr;
177+#else
178 unsigned long net;
179 unsigned long mask;
180 unsigned long addr;
181+#endif
182
183 /*
184 * Disallow forms other than dotted quad: the treatment that inet_addr()
185@@ -329,12 +401,78 @@
186 return (NO);
187 if ((net = dot_quad_addr(net_tok)) == INADDR_NONE
188 || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) {
189+#ifndef INET6
190 tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok);
191+#endif
192 return (NO); /* not tcpd_jump() */
193 }
194 return ((addr & mask) == net);
195 }
196
197+#ifdef INET6
198+static int masked_match6(net_tok, mask_tok, string)
199+char *net_tok;
200+char *mask_tok;
201+char *string;
202+{
203+ struct addrinfo hints, *res;
204+ struct sockaddr_in6 net, addr;
205+ u_int32_t mask;
206+ int len, mask_len, i = 0;
207+ char ch;
208+
209+ memset(&hints, 0, sizeof(hints));
210+ hints.ai_family = AF_INET6;
211+ hints.ai_socktype = SOCK_STREAM;
212+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
213+ if (getaddrinfo(string, NULL, &hints, &res) != 0)
214+ return NO;
215+ memcpy(&addr, res->ai_addr, sizeof(addr));
216+ freeaddrinfo(res);
217+
218+ if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)) {
219+ if ((*(u_int32_t *)&net.sin6_addr.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE
220+ || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE)
221+ return (NO);
222+ return ((*(u_int32_t *)&addr.sin6_addr.s6_addr[12] & mask) == *(u_int32_t *)&net.sin6_addr.s6_addr[12]);
223+ }
224+
225+ /* match IPv6 address against netnumber/prefixlen */
226+ len = strlen(net_tok);
227+ if (*net_tok != '[' || net_tok[len - 1] != ']')
228+ return NO;
229+ ch = net_tok[len - 1];
230+ net_tok[len - 1] = '\0';
231+ if (getaddrinfo(net_tok + 1, NULL, &hints, &res) != 0) {
232+ net_tok[len - 1] = ch;
233+ return NO;
234+ }
235+ memcpy(&net, res->ai_addr, sizeof(net));
236+ freeaddrinfo(res);
237+ net_tok[len - 1] = ch;
238+ if ((mask_len = atoi(mask_tok)) < 0 || mask_len > 128)
239+ return NO;
240+
241+#ifdef NI_WITHSCOPEID
242+ if (net.sin6_scope_id != 0 && addr.sin6_scope_id != net.sin6_scope_id)
243+ return NO;
244+#endif
245+ while (mask_len > 0) {
246+ if (mask_len < 32) {
247+ mask = htonl(~(0xffffffff >> mask_len));
248+ if ((*(u_int32_t *)&addr.sin6_addr.s6_addr[i] & mask) != (*(u_int32_t *)&net.sin6_addr.s6_addr[i] & mask))
249+ return NO;
250+ break;
251+ }
252+ if (*(u_int32_t *)&addr.sin6_addr.s6_addr[i] != *(u_int32_t *)&net.sin6_addr.s6_addr[i])
253+ return NO;
254+ i += 4;
255+ mask_len -= 32;
256+ }
257+ return YES;
258+}
259+#endif /* INET6 */
260+
261 #ifndef DISABLE_WILDCARD_MATCHING
262 /* Note: this feature has been adapted in a pretty straightforward way
263 from Tatu Ylonen's last SSH version under free license by
264diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile
265--- tcp_wrappers_7.6.orig/Makefile 1997-03-21 19:27:21.000000000 +0100
266+++ tcp_wrappers_7.6/Makefile 2004-04-10 19:22:44.000000000 +0200
267@@ -21,7 +21,7 @@
268 @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix"
269 @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
270 @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4"
271- @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2"
272+ @echo " sunos40 sunos5 solaris8 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2"
273 @echo " uts215 uxp"
274 @echo
275 @echo "If none of these match your environment, edit the system"
276@@ -131,20 +131,34 @@
277 NETGROUP=-DNETGROUP TLI= SYSTYPE="-systype bsd43" all
278
279 # Freebsd and linux by default have no NIS.
280-386bsd netbsd bsdos:
281+386bsd bsdos:
282 @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
283 LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
284 EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all
285
286 freebsd:
287 @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
288+ LIBS="-L/usr/local/v6/lib -linet6" \
289 LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
290- EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all
291+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" \
292+ VSYSLOG= all
293+
294+netbsd:
295+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
296+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
297+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" VSYSLOG= all
298
299 linux:
300 @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
301- LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
302- NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all
303+ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
304+ NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \
305+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
306+
307+gnu:
308+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
309+ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
310+ NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \
311+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR" all
312
313 # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
314 hpux hpux8 hpux9 hpux10:
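Review bot: In the freebsd target the added `LIBS="-L/usr/local/v6/lib -linet6"` is followed on the next line by the unchanged `LIBS=`, and with most make implementations the later command-line assignment wins, so the IPv6 library would be dropped from the link. If the library is wanted, the second assignment should be removed so the line reads `RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \`. The linux target in the same hunk also drops `-DBROKEN_SO_LINGER` and `setenv.o` without explanation; a one-line comment giving the reason would help whoever rebases this patch.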
315@@ -196,6 +210,13 @@
316 NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
317 BUGS="$(BUGS) -DSOLARIS_24_GETHOSTBYNAME_BUG" all
318
319+# SunOS 5.8 is another SYSV4 variant, but has IPv6 support
320+solaris8:
321+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
322+ LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \
323+ NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
324+ EXTRA_CFLAGS="-DINET6 -DNO_CLONE_DEVICE -DINT32_T" all
325+
326 # Generic SYSV40
327 esix sysv4:
328 @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
329diff -ruN tcp_wrappers_7.6.orig/misc.c tcp_wrappers_7.6/misc.c
330--- tcp_wrappers_7.6.orig/misc.c 1996-02-11 17:01:30.000000000 +0100
331+++ tcp_wrappers_7.6/misc.c 2004-04-10 19:07:43.000000000 +0200
332@@ -58,9 +58,31 @@
333 {
334 char *cp;
335
336+#ifdef INET6
337+ int bracket = 0;
338+
339+ for (cp = string; cp && *cp; cp++) {
340+ switch (*cp) {
341+ case '[':
342+ bracket++;
343+ break;
344+ case ']':
345+ bracket--;
346+ break;
347+ default:
348+ if (bracket == 0 && *cp == delimiter) {
349+ *cp++ = 0;
350+ return cp;
351+ }
352+ break;
353+ }
354+ }
355+ return (NULL);
356+#else
357 if ((cp = strchr(string, delimiter)) != 0)
358 *cp++ = 0;
359 return (cp);
360+#endif
361 }
362
363 /* dot_quad_addr - convert dotted quad to internal form */
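Review bot: `bracket--` in the `case ']':` arm of split_at runs even when no `[` is open, so a single stray `]` drives the counter negative and no later delimiter is recognised; the function then returns NULL for the whole string. For an access-control file this means a malformed line is not split into its fields, and how the caller treats such a line is not visible here. Guarding the decrement keeps parsing predictable: `if (bracket > 0) bracket--;`. The function's signature lies outside the hunk.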
364diff -ruN tcp_wrappers_7.6.orig/refuse.c tcp_wrappers_7.6/refuse.c
365--- tcp_wrappers_7.6.orig/refuse.c 1994-12-28 17:42:40.000000000 +0100
366+++ tcp_wrappers_7.6/refuse.c 2004-04-10 19:07:43.000000000 +0200
367@@ -25,7 +25,12 @@
368 void refuse(request)
369 struct request_info *request;
370 {
371+#ifdef INET6
372+ syslog(deny_severity, "refused connect from %s (%s)",
373+ eval_client(request), eval_hostaddr(request->client));
374+#else
375 syslog(deny_severity, "refused connect from %s", eval_client(request));
376+#endif
377 clean_exit(request);
378 /* NOTREACHED */
379 }
380diff -ruN tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c
381--- tcp_wrappers_7.6.orig/rfc931.c 1995-01-02 16:11:34.000000000 +0100
382+++ tcp_wrappers_7.6/rfc931.c 2004-04-10 19:07:43.000000000 +0200
383@@ -68,20 +68,50 @@
384 /* rfc931 - return remote user name, given socket structures */
385
386 void rfc931(rmt_sin, our_sin, dest)
387+#ifdef INET6
388+struct sockaddr *rmt_sin;
389+struct sockaddr *our_sin;
390+#else
391 struct sockaddr_in *rmt_sin;
392 struct sockaddr_in *our_sin;
393+#endif
394 char *dest;
395 {
396 unsigned rmt_port;
397 unsigned our_port;
398+#ifdef INET6
399+ struct sockaddr_storage rmt_query_sin;
400+ struct sockaddr_storage our_query_sin;
401+ int alen;
402+#else
403 struct sockaddr_in rmt_query_sin;
404 struct sockaddr_in our_query_sin;
405+#endif
406 char user[256]; /* XXX */
407 char buffer[512]; /* XXX */
408 char *cp;
409 char *result = unknown;
410 FILE *fp;
411
412+#ifdef INET6
413+ /* address family must be the same */
414+ if (rmt_sin->sa_family != our_sin->sa_family) {
415+ STRN_CPY(dest, result, STRING_LENGTH);
416+ return;
417+ }
418+ switch (our_sin->sa_family) {
419+ case AF_INET:
420+ alen = sizeof(struct sockaddr_in);
421+ break;
422+ case AF_INET6:
423+ alen = sizeof(struct sockaddr_in6);
424+ break;
425+ default:
426+ STRN_CPY(dest, result, STRING_LENGTH);
427+ return;
428+ }
429+#endif
430+
431 /*
432 * Use one unbuffered stdio stream for writing to and for reading from
433 * the RFC931 etc. server. This is done because of a bug in the SunOS
434@@ -92,7 +122,11 @@
435 * sockets.
436 */
437
438+#ifdef INET6
439+ if ((fp = fsocket(our_sin->sa_family, SOCK_STREAM, 0)) != 0) {
440+#else
441 if ((fp = fsocket(AF_INET, SOCK_STREAM, 0)) != 0) {
442+#endif
443 setbuf(fp, (char *) 0);
444
445 /*
446@@ -112,6 +146,25 @@
447 * addresses from the query socket.
448 */
449
450+#ifdef INET6
451+ memcpy(&our_query_sin, our_sin, alen);
452+ memcpy(&rmt_query_sin, rmt_sin, alen);
453+ switch (our_sin->sa_family) {
454+ case AF_INET:
455+ ((struct sockaddr_in *)&our_query_sin)->sin_port = htons(ANY_PORT);
456+ ((struct sockaddr_in *)&rmt_query_sin)->sin_port = htons(RFC931_PORT);
457+ break;
458+ case AF_INET6:
459+ ((struct sockaddr_in6 *)&our_query_sin)->sin6_port = htons(ANY_PORT);
460+ ((struct sockaddr_in6 *)&rmt_query_sin)->sin6_port = htons(RFC931_PORT);
461+ break;
462+ }
463+
464+ if (bind(fileno(fp), (struct sockaddr *) & our_query_sin,
465+ alen) >= 0 &&
466+ connect(fileno(fp), (struct sockaddr *) & rmt_query_sin,
467+ alen) >= 0) {
468+#else
469 our_query_sin = *our_sin;
470 our_query_sin.sin_port = htons(ANY_PORT);
471 rmt_query_sin = *rmt_sin;
472@@ -121,6 +174,7 @@
473 sizeof(our_query_sin)) >= 0 &&
474 connect(fileno(fp), (struct sockaddr *) & rmt_query_sin,
475 sizeof(rmt_query_sin)) >= 0) {
476+#endif
477
478 /*
479 * Send query to server. Neglect the risk that a 13-byte
480@@ -129,8 +183,13 @@
481 */
482
483 fprintf(fp, "%u,%u\r\n",
484+#ifdef INET6
485+ ntohs(((struct sockaddr_in *)rmt_sin)->sin_port),
486+ ntohs(((struct sockaddr_in *)our_sin)->sin_port));
487+#else
488 ntohs(rmt_sin->sin_port),
489 ntohs(our_sin->sin_port));
490+#endif
491 fflush(fp);
492
493 /*
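Review bot: The INET6 branch reads the port through `(struct sockaddr_in *)` even when the address is AF_INET6, which is correct only because `sin_port` and `sin6_port` sit at the same offset in the usual socket headers; nothing in the code says so. The same cast is repeated in the reply check of the following hunk (`@@ -144,8 +203,13 @@`). I would add above the fprintf `/* sin_port and sin6_port share an offset, so this cast is valid for AF_INET6 too */`, or switch on `sa_family` as the earlier bind/connect block does.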
494@@ -144,8 +203,13 @@
495 && ferror(fp) == 0 && feof(fp) == 0
496 && sscanf(buffer, "%u , %u : USERID :%*[^:]:%255s",
497 &rmt_port, &our_port, user) == 3
498+#ifdef INET6
499+ && ntohs(((struct sockaddr_in *)rmt_sin)->sin_port) == rmt_port
500+ && ntohs(((struct sockaddr_in *)our_sin)->sin_port) == our_port) {
501+#else
502 && ntohs(rmt_sin->sin_port) == rmt_port
503 && ntohs(our_sin->sin_port) == our_port) {
504+#endif
505
506 /*
507 * Strip trailing carriage return. It is part of the
508diff -ruN tcp_wrappers_7.6.orig/scaffold.c tcp_wrappers_7.6/scaffold.c
509--- tcp_wrappers_7.6.orig/scaffold.c 1997-03-21 19:27:24.000000000 +0100
510+++ tcp_wrappers_7.6/scaffold.c 2004-04-10 19:07:43.000000000 +0200
511@@ -25,7 +25,9 @@
512 #define INADDR_NONE (-1) /* XXX should be 0xffffffff */
513 #endif
514
515+#ifndef INET6
516 extern char *malloc();
517+#endif
518
519 /* Application-specific. */
520
521@@ -39,6 +41,7 @@
522 int deny_severity = LOG_WARNING;
523 int rfc931_timeout = RFC931_TIMEOUT;
524
525+#ifndef INET6
526 /* dup_hostent - create hostent in one memory block */
527
528 static struct hostent *dup_hostent(hp)
529@@ -73,9 +76,46 @@
530 }
531 return (&hb->host);
532 }
533+#endif
534
535 /* find_inet_addr - find all addresses for this host, result to free() */
536
537+#ifdef INET6
538+struct addrinfo *find_inet_addr(host)
539+char *host;
540+{
541+ struct addrinfo hints, *res;
542+
543+ memset(&hints, 0, sizeof(hints));
544+ hints.ai_family = PF_UNSPEC;
545+ hints.ai_socktype = SOCK_STREAM;
546+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
547+ if (getaddrinfo(host, NULL, &hints, &res) == 0)
548+ return (res);
549+
550+ memset(&hints, 0, sizeof(hints));
551+ hints.ai_family = PF_UNSPEC;
552+ hints.ai_socktype = SOCK_STREAM;
553+ hints.ai_flags = AI_PASSIVE | AI_CANONNAME;
554+ if (getaddrinfo(host, NULL, &hints, &res) != 0) {
555+ tcpd_warn("%s: host not found", host);
556+ return (0);
557+ }
558+ if (res->ai_family != AF_INET6 && res->ai_family != AF_INET) {
559+ tcpd_warn("%d: not an internet host", res->ai_family);
560+ freeaddrinfo(res);
561+ return (0);
562+ }
563+ if (!res->ai_canonname) {
564+ tcpd_warn("%s: hostname alias", host);
565+ tcpd_warn("(cannot obtain official name)", res->ai_canonname);
566+ } else if (STR_NE(host, res->ai_canonname)) {
567+ tcpd_warn("%s: hostname alias", host);
568+ tcpd_warn("(official name: %.*s)", STRING_LENGTH, res->ai_canonname);
569+ }
570+ return (res);
571+}
572+#else
573 struct hostent *find_inet_addr(host)
574 char *host;
575 {
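Review bot: `tcpd_warn("(cannot obtain official name)", res->ai_canonname);` passes an argument that the format string never consumes, and in that branch `ai_canonname` is known to be NULL; it should read `tcpd_warn("(cannot obtain official name)");`. Separately, the first `getaddrinfo()` call returns its result without the `ai_family` check that follows the second call, so numeric input skips the "not an internet host" test. With `AI_NUMERICHOST` and `PF_UNSPEC` that is probably harmless, but it deserves a short comment saying it is intended.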
576@@ -118,6 +158,7 @@
577 }
578 return (dup_hostent(hp));
579 }
580+#endif
581
582 /* check_dns - give each address thorough workout, return address count */
583
584@@ -125,8 +166,13 @@
585 char *host;
586 {
587 struct request_info request;
588+#ifdef INET6
589+ struct sockaddr_storage sin;
590+ struct addrinfo *hp, *res;
591+#else
592 struct sockaddr_in sin;
593 struct hostent *hp;
594+#endif
595 int count;
596 char *addr;
597
598@@ -134,11 +180,18 @@
599 return (0);
600 request_init(&request, RQ_CLIENT_SIN, &sin, 0);
601 sock_methods(&request);
602+#ifndef INET6
603 memset((char *) &sin, 0, sizeof(sin));
604 sin.sin_family = AF_INET;
605+#endif
606
607+#ifdef INET6
608+ for (res = hp, count = 0; res; res = res->ai_next, count++) {
609+ memcpy(&sin, res->ai_addr, res->ai_addrlen);
610+#else
611 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
612 memcpy((char *) &sin.sin_addr, addr, sizeof(sin.sin_addr));
613+#endif
614
615 /*
616 * Force host name and address conversions. Use the request structure
617@@ -151,7 +204,11 @@
618 tcpd_warn("host address %s->name lookup failed",
619 eval_hostaddr(request.client));
620 }
621+#ifdef INET6
622+ freeaddrinfo(hp);
623+#else
624 free((char *) hp);
625+#endif
626 return (count);
627 }
628
629diff -ruN tcp_wrappers_7.6.orig/scaffold.h tcp_wrappers_7.6/scaffold.h
630--- tcp_wrappers_7.6.orig/scaffold.h 1994-12-31 18:19:20.000000000 +0100
631+++ tcp_wrappers_7.6/scaffold.h 2004-04-10 19:07:43.000000000 +0200
632@@ -4,6 +4,10 @@
633 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
634 */
635
636+#ifdef INET6
637+extern struct addrinfo *find_inet_addr();
638+#else
639 extern struct hostent *find_inet_addr();
640+#endif
641 extern int check_dns();
642 extern int check_path();
643diff -ruN tcp_wrappers_7.6.orig/socket.c tcp_wrappers_7.6/socket.c
644--- tcp_wrappers_7.6.orig/socket.c 2004-04-10 19:22:58.000000000 +0200
645+++ tcp_wrappers_7.6/socket.c 2004-04-10 19:07:43.000000000 +0200
646@@ -24,13 +24,22 @@
647 #include <sys/types.h>
648 #include <sys/param.h>
649 #include <sys/socket.h>
650+#ifdef INT32_T
651+typedef uint32_t u_int32_t;
652+#endif
653 #include <netinet/in.h>
654 #include <netdb.h>
655 #include <stdio.h>
656 #include <syslog.h>
657 #include <string.h>
658
659+#ifdef INET6
660+#ifndef NI_WITHSCOPEID
661+#define NI_WITHSCOPEID 0
662+#endif
663+#else
664 extern char *inet_ntoa();
665+#endif
666
667 /* Local stuff. */
668
669@@ -79,8 +88,13 @@
670 void sock_host(request)
671 struct request_info *request;
672 {
673+#ifdef INET6
674+ static struct sockaddr_storage client;
675+ static struct sockaddr_storage server;
676+#else
677 static struct sockaddr_in client;
678 static struct sockaddr_in server;
679+#endif
680 int len;
681 char buf[BUFSIZ];
682 int fd = request->fd;
683@@ -109,7 +123,11 @@
684 memset(buf, 0 sizeof(buf));
685 #endif
686 }
687+#ifdef INET6
688+ request->client->sin = (struct sockaddr *)&client;
689+#else
690 request->client->sin = &client;
691+#endif
692
693 /*
694 * Determine the server binding. This is used for client username
695@@ -122,7 +140,11 @@
696 tcpd_warn("getsockname: %m");
697 return;
698 }
699+#ifdef INET6
700+ request->server->sin = (struct sockaddr *)&server;
701+#else
702 request->server->sin = &server;
703+#endif
704 }
705
706 /* sock_hostaddr - map endpoint address to printable form */
707@@ -130,10 +152,26 @@
708 void sock_hostaddr(host)
709 struct host_info *host;
710 {
711+#ifdef INET6
712+ struct sockaddr *sin = host->sin;
713+ int salen;
714+
715+ if (!sin)
716+ return;
717+#ifdef SIN6_LEN
718+ salen = sin->sa_len;
719+#else
720+ salen = (sin->sa_family == AF_INET) ? sizeof(struct sockaddr_in)
721+ : sizeof(struct sockaddr_in6);
722+#endif
723+ getnameinfo(sin, salen, host->addr, sizeof(host->addr),
724+ NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
725+#else
726 struct sockaddr_in *sin = host->sin;
727
728 if (sin != 0)
729 STRN_CPY(host->addr, inet_ntoa(sin->sin_addr), sizeof(host->addr));
730+#endif
731 }
732
733 /* sock_hostname - map endpoint address to host name */
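Review bot: The return value of `getnameinfo()` in the INET6 branch of sock_hostaddr is discarded, so a failure leaves `host->addr` holding whatever the call did or did not write, and the refuse.c and tcpd.c hunks on this page send that string to syslog. When `SIN6_LEN` is not defined, any family other than AF_INET is given `sizeof(struct sockaddr_in6)` as its length, which makes a failure more likely for an unexpected family. I would test the result, for example `if (getnameinfo(...) != 0) tcpd_warn("getnameinfo failed for endpoint address");`, and decide explicitly what `host->addr` holds in that case; what callers expect there is not visible in this hunk.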
734@@ -141,6 +179,160 @@
735 void sock_hostname(host)
736 struct host_info *host;
737 {
738+#ifdef INET6
739+ struct sockaddr *sin = host->sin;
740+ struct sockaddr_in sin4;
741+ struct addrinfo hints, *res, *res0 = NULL;
742+ int salen, alen, err = 1;
743+ char *ap = NULL, *rap, hname[NI_MAXHOST];
744+
745+ if (sin != NULL) {
746+ if (sin->sa_family == AF_INET6) {
747+ struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sin;
748+
749+ if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
750+ memset(&sin4, 0, sizeof(sin4));
751+#ifdef SIN6_LEN
752+ sin4.sin_len = sizeof(sin4);
753+#endif
754+ sin4.sin_family = AF_INET;
755+ sin4.sin_port = sin6->sin6_port;
756+ sin4.sin_addr.s_addr = *(u_int32_t *)&sin6->sin6_addr.s6_addr[12];
757+ sin = (struct sockaddr *)&sin4;
758+ }
759+ }
760+ switch (sin->sa_family) {
761+ case AF_INET:
762+ ap = (char *)&((struct sockaddr_in *)sin)->sin_addr;
763+ alen = sizeof(struct in_addr);
764+ salen = sizeof(struct sockaddr_in);
765+ break;
766+ case AF_INET6:
767+ ap = (char *)&((struct sockaddr_in6 *)sin)->sin6_addr;
768+ alen = sizeof(struct in6_addr);
769+ salen = sizeof(struct sockaddr_in6);
770+ break;
771+ default:
772+ break;
773+ }
774+ if (ap)
775+ err = getnameinfo(sin, salen, hname, sizeof(hname),
776+ NULL, 0, NI_WITHSCOPEID | NI_NAMEREQD);
777+ }
778+ if (!err) {
779+
780+ STRN_CPY(host->name, hname, sizeof(host->name));
781+
782+ /* reject numeric addresses */
783+ memset(&hints, 0, sizeof(hints));
784+ hints.ai_family = sin->sa_family;
785+ hints.ai_socktype = SOCK_STREAM;
786+ hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST;
787+ if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) {
788+ freeaddrinfo(res0);
789+ res0 = NULL;
790+ tcpd_warn("host name/name mismatch: "
791+ "reverse lookup results in non-FQDN %s",
792+ host->name);
793+ strcpy(host->name, paranoid); /* name is bad, clobber it */
794+ }
795+ err = !err;
796+ }
797+ if (!err) {
798+ /* we are now sure that this is non-numeric */
799+
800+ /*
801+ * Verify that the address is a member of the address list returned
802+ * by gethostbyname(hostname).
803+ *
804+ * Verify also that gethostbyaddr() and gethostbyname() return the same
805+ * hostname, or rshd and rlogind may still end up being spoofed.
806+ *
807+ * On some sites, gethostbyname("localhost") returns "localhost.domain".
808+ * This is a DNS artefact. We treat it as a special case. When we
809+ * can't believe the address list from gethostbyname("localhost")
810+ * we're in big trouble anyway.
811+ */
812+
813+ memset(&hints, 0, sizeof(hints));
814+ hints.ai_family = sin->sa_family;
815+ hints.ai_socktype = SOCK_STREAM;
816+ hints.ai_flags = AI_PASSIVE | AI_CANONNAME;
817+ if (getaddrinfo(host->name, NULL, &hints, &res0) != 0) {
818+
819+ /*
820+ * Unable to verify that the host name matches the address. This
821+ * may be a transient problem or a botched name server setup.
822+ */
823+
824+ tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed",
825+ host->name,
826+ (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6");
827+
828+ } else if ((res0->ai_canonname == NULL
829+ || STR_NE(host->name, res0->ai_canonname))
830+ && STR_NE(host->name, "localhost")) {
831+
832+ /*
833+ * The gethostbyaddr() and gethostbyname() calls did not return
834+ * the same hostname. This could be a nameserver configuration
835+ * problem. It could also be that someone is trying to spoof us.
836+ */
837+
838+ tcpd_warn("host name/name mismatch: %s != %.*s",
839+ host->name, STRING_LENGTH,
840+ (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
841+
842+ } else {
843+
844+ /*
845+ * The address should be a member of the address list returned by
846+ * gethostbyname(). We should first verify that the h_addrtype
847+ * field is AF_INET, but this program has already caused too much
848+ * grief on systems with broken library code.
849+ */
850+
851+ for (res = res0; res; res = res->ai_next) {
852+ if (res->ai_family != sin->sa_family)
853+ continue;
854+ switch (res->ai_family) {
855+ case AF_INET:
856+ rap = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
857+ break;
858+ case AF_INET6:
859+ /* need to check scope_id */
860+ if (((struct sockaddr_in6 *)sin)->sin6_scope_id !=
861+ ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) {
862+ continue;
863+ }
864+ rap = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
865+ break;
866+ default:
867+ continue;
868+ }
869+ if (memcmp(rap, ap, alen) == 0) {
870+ freeaddrinfo(res0);
871+ return; /* name is good, keep it */
872+ }
873+ }
874+
875+ /*
876+ * The host name does not map to the initial address. Perhaps
877+ * someone has messed up. Perhaps someone compromised a name
878+ * server.
879+ */
880+
881+ getnameinfo(sin, salen, hname, sizeof(hname),
882+ NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
883+ tcpd_warn("host name/address mismatch: %s != %.*s",
884+ hname, STRING_LENGTH,
885+ (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
886+ }
887+ strcpy(host->name, paranoid); /* name is bad, clobber it */
888+ if (res0)
889+ freeaddrinfo(res0);
890+ }
891+#else /* INET6 */
892 struct sockaddr_in *sin = host->sin;
893 struct hostent *hp;
894 int i;
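Review bot: In the INET6 branch of sock_hostname the numeric-name test is written `if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0))`, so `err` receives the result of the comparison rather than the return code. After `err = !err;` the value is 1 for an ordinary non-numeric name, and the following `if (!err)` block, which holds the forward lookup and the address-list comparison, is skipped; the name from the reverse lookup then stays in `host->name` unverified. The parenthesis belongs before the comparison: `if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) {`. The diffstat lists a later `11_usagi_fix.patch` that is not shown here, so confirm that it corrects this line before relying on host-name rules.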
895@@ -220,6 +412,7 @@
896 }
897 strcpy(host->name, paranoid); /* name is bad, clobber it */
898 }
899+#endif /* INET6 */
900 }
901
902 /* sock_sink - absorb unreceived IP datagram */
903@@ -228,7 +421,11 @@
904 int fd;
905 {
906 char buf[BUFSIZ];
907+#ifdef INET6
908+ struct sockaddr_storage sin;
909+#else
910 struct sockaddr_in sin;
911+#endif
912 int size = sizeof(sin);
913
914 /*
915diff -ruN tcp_wrappers_7.6.orig/tcpd.c tcp_wrappers_7.6/tcpd.c
916--- tcp_wrappers_7.6.orig/tcpd.c 1996-02-11 17:01:33.000000000 +0100
917+++ tcp_wrappers_7.6/tcpd.c 2004-04-10 19:07:43.000000000 +0200
918@@ -120,7 +120,12 @@
919
920 /* Report request and invoke the real daemon program. */
921
922+#ifdef INET6
923+ syslog(allow_severity, "connect from %s (%s)",
924+ eval_client(&request), eval_hostaddr(request.client));
925+#else
926 syslog(allow_severity, "connect from %s", eval_client(&request));
927+#endif
928 closelog();
929 (void) execv(path, argv);
930 syslog(LOG_ERR, "error: cannot execute %s: %m", path);
931diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c
932--- tcp_wrappers_7.6.orig/tcpdchk.c 1997-02-12 02:13:25.000000000 +0100
933+++ tcp_wrappers_7.6/tcpdchk.c 2004-04-10 19:07:43.000000000 +0200
934@@ -22,6 +22,9 @@
935
936 #include <sys/types.h>
937 #include <sys/stat.h>
938+#ifdef INET6
939+#include <sys/socket.h>
940+#endif
941 #include <netinet/in.h>
942 #include <arpa/inet.h>
943 #include <stdio.h>
944@@ -397,6 +400,31 @@
945 }
946 }
947
948+#ifdef INET6
949+static int is_inet6_addr(pat)
950+ char *pat;
951+{
952+ struct addrinfo hints, *res;
953+ int len, ret;
954+ char ch;
955+
956+ if (*pat != '[')
957+ return (0);
958+ len = strlen(pat);
959+ if ((ch = pat[len - 1]) != ']')
960+ return (0);
961+ pat[len - 1] = '\0';
962+ memset(&hints, 0, sizeof(hints));
963+ hints.ai_family = AF_INET6;
964+ hints.ai_socktype = SOCK_STREAM;
965+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
966+ if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0)
967+ freeaddrinfo(res);
968+ pat[len - 1] = ch;
969+ return (ret == 0);
970+}
971+#endif
972+
973 /* check_host - criticize host pattern */
974
975 static int check_host(pat)
976@@ -423,14 +451,27 @@
977 #endif
978 #endif
979 } else if (mask = split_at(pat, '/')) { /* network/netmask */
980+#ifdef INET6
981+ int mask_len;
982+
983+ if ((dot_quad_addr(pat) == INADDR_NONE
984+ || dot_quad_addr(mask) == INADDR_NONE)
985+ && (!is_inet6_addr(pat)
986+ || ((mask_len = atoi(mask)) < 0 || mask_len > 128)))
987+#else
988 if (dot_quad_addr(pat) == INADDR_NONE
989 || dot_quad_addr(mask) == INADDR_NONE)
990+#endif
991 tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
992 } else if (STR_EQ(pat, "FAIL")) { /* obsolete */
993 tcpd_warn("FAIL is no longer recognized");
994 tcpd_warn("(use EXCEPT or DENY instead)");
995 } else if (reserved_name(pat)) { /* other reserved */
996 /* void */ ;
997+#ifdef INET6
998+ } else if (is_inet6_addr(pat)) { /* IPv6 address */
999+ addr_count = 1;
1000+#endif
1001 } else if (NOT_INADDR(pat)) { /* internet name */
1002 if (pat[strlen(pat) - 1] == '.') {
1003 tcpd_warn("%s: domain or host name ends in dot", pat);
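Review bot: `atoi(mask)` in the INET6 branch of check_host cannot tell a prefix length of 0 from text that is not a number, and it ignores trailing characters, so tcpdchk accepts patterns such as `[addr]/x` or `[addr]/64x` without a warning. The hosts_access.c code at the top of this view parses the prefix the same way, and its comparison loop returns YES at once when `mask_len` is 0, so a mistyped prefix may end up matching every IPv6 address. A checked conversion would catch this: `mask_len = strtol(mask, &end, 10);` with `end == mask || *end != '\0'` treated as a bad pattern and `char *end;` declared beside `mask_len`. check_host starts and ends outside the hunk.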
1004diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h
1005--- tcp_wrappers_7.6.orig/tcpd.h 1996-03-19 16:22:25.000000000 +0100
1006+++ tcp_wrappers_7.6/tcpd.h 2004-04-10 19:07:43.000000000 +0200
1007@@ -11,7 +11,11 @@
1008 struct host_info {
1009 char name[STRING_LENGTH]; /* access via eval_hostname(host) */
1010 char addr[STRING_LENGTH]; /* access via eval_hostaddr(host) */
1011+#ifdef INET6
1012+ struct sockaddr *sin; /* socket address or 0 */
1013+#else
1014 struct sockaddr_in *sin; /* socket address or 0 */
1015+#endif
1016 struct t_unitdata *unit; /* TLI transport address or 0 */
1017 struct request_info *request; /* for shared information */
1018 };
1019diff -ruN tcp_wrappers_7.6.orig/tcpdmatch.c tcp_wrappers_7.6/tcpdmatch.c
1020--- tcp_wrappers_7.6.orig/tcpdmatch.c 1996-02-11 17:01:36.000000000 +0100
1021+++ tcp_wrappers_7.6/tcpdmatch.c 2004-04-10 19:07:43.000000000 +0200
1022@@ -57,7 +57,11 @@
1023 int argc;
1024 char **argv;
1025 {
1026+#ifdef INET6
1027+ struct addrinfo hints, *hp, *res;
1028+#else
1029 struct hostent *hp;
1030+#endif
1031 char *myname = argv[0];
1032 char *client;
1033 char *server;
1034@@ -68,8 +72,13 @@
1035 int ch;
1036 char *inetcf = 0;
1037 int count;
1038+#ifdef INET6
1039+ struct sockaddr_storage server_sin;
1040+ struct sockaddr_storage client_sin;
1041+#else
1042 struct sockaddr_in server_sin;
1043 struct sockaddr_in client_sin;
1044+#endif
1045 struct stat st;
1046
1047 /*
1048@@ -172,13 +181,20 @@
1049 if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) {
1050 if ((hp = find_inet_addr(server)) == 0)
1051 exit(1);
1052+#ifndef INET6
1053 memset((char *) &server_sin, 0, sizeof(server_sin));
1054 server_sin.sin_family = AF_INET;
1055+#endif
1056 request_set(&request, RQ_SERVER_SIN, &server_sin, 0);
1057
1058+#ifdef INET6
1059+ for (res = hp, count = 0; res; res = res->ai_next, count++) {
1060+ memcpy(&server_sin, res->ai_addr, res->ai_addrlen);
1061+#else
1062 for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
1063 memcpy((char *) &server_sin.sin_addr, addr,
1064 sizeof(server_sin.sin_addr));
1065+#endif
1066
1067 /*
1068 * Force evaluation of server host name and address. Host name
1069@@ -194,7 +210,11 @@
1070 fprintf(stderr, "Please specify an address instead\n");
1071 exit(1);
1072 }
1073+#ifdef INET6
1074+ freeaddrinfo(hp);
1075+#else
1076 free((char *) hp);
1077+#endif
1078 } else {
1079 request_set(&request, RQ_SERVER_NAME, server, 0);
1080 }
1081@@ -208,6 +228,18 @@
1082 tcpdmatch(&request);
1083 exit(0);
1084 }
1085+#ifdef INET6
1086+ memset(&hints, 0, sizeof(hints));
1087+ hints.ai_family = AF_INET6;
1088+ hints.ai_socktype = SOCK_STREAM;
1089+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
1090+ if (getaddrinfo(client, NULL, &hints, &res) == 0) {
1091+ freeaddrinfo(res);
1092+ request_set(&request, RQ_CLIENT_ADDR, client, 0);
1093+ tcpdmatch(&request);
1094+ exit(0);
1095+ }
1096+#endif
1097
1098 /*
1099 * Perhaps they are testing special client hostname patterns that aren't
1100@@ -229,6 +261,34 @@
1101 */
1102 if ((hp = find_inet_addr(client)) == 0)
1103 exit(1);
1104+#ifdef INET6
1105+ request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);
1106+
1107+ for (res = hp, count = 0; res; res = res->ai_next, count++) {
1108+ memcpy(&client_sin, res->ai_addr, res->ai_addrlen);
1109+
1110+ /*
1111+ * getnameinfo() doesn't do reverse lookup against link-local
1112+ * address. So, we pass through host name evaluation against
1113+ * such addresses.
1114+ */
1115+ if (res->ai_family != AF_INET6 ||
1116+ !IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)) {
1117+ /*
1118+ * Force evaluation of client host name and address. Host name
1119+ * conflicts will be reported while eval_hostname() does its job.
1120+ */
1121+ request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
1122+ if (STR_EQ(eval_hostname(request.client), unknown))
1123+ tcpd_warn("host address %s->name lookup failed",
1124+ eval_hostaddr(request.client));
1125+ }
1126+ tcpdmatch(&request);
1127+ if (res->ai_next)
1128+ printf("\n");
1129+ }
1130+ freeaddrinfo(hp);
1131+#else
1132 memset((char *) &client_sin, 0, sizeof(client_sin));
1133 client_sin.sin_family = AF_INET;
1134 request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);
1135@@ -250,6 +310,7 @@
1136 printf("\n");
1137 }
1138 free((char *) hp);
1139+#endif
1140 exit(0);
1141 }
1142
1143diff -ruN tcp_wrappers_7.6.orig/tli.c tcp_wrappers_7.6/tli.c
1144--- tcp_wrappers_7.6.orig/tli.c 1997-03-21 19:27:26.000000000 +0100
1145+++ tcp_wrappers_7.6/tli.c 2004-04-10 19:07:43.000000000 +0200
1146@@ -65,8 +65,13 @@
1147 void tli_host(request)
1148 struct request_info *request;
1149 {
1150+#ifdef INET6
1151+ static struct sockaddr_storage client;
1152+ static struct sockaddr_storage server;
1153+#else
1154 static struct sockaddr_in client;
1155 static struct sockaddr_in server;
1156+#endif
1157
1158 /*
1159 * If we discover that we are using an IP transport, pretend we never
1160@@ -76,14 +81,29 @@
1161
1162 tli_endpoints(request);
1163 if ((request->config = tli_transport(request->fd)) != 0
1164+#ifdef INET6
1165+ && (STR_EQ(request->config->nc_protofmly, "inet") ||
1166+ STR_EQ(request->config->nc_protofmly, "inet6"))) {
1167+#else
1168 && STR_EQ(request->config->nc_protofmly, "inet")) {
1169+#endif
1170 if (request->client->unit != 0) {
1171+#ifdef INET6
1172+ client = *(struct sockaddr_storage *) request->client->unit->addr.buf;
1173+ request->client->sin = (struct sockaddr *) &client;
1174+#else
1175 client = *(struct sockaddr_in *) request->client->unit->addr.buf;
1176 request->client->sin = &client;
1177+#endif
1178 }
1179 if (request->server->unit != 0) {
1180+#ifdef INET6
1181+ server = *(struct sockaddr_storage *) request->server->unit->addr.buf;
1182+ request->server->sin = (struct sockaddr *) &server;
1183+#else
1184 server = *(struct sockaddr_in *) request->server->unit->addr.buf;
1185 request->server->sin = &server;
1186+#endif
1187 }
1188 tli_cleanup(request);
1189 sock_methods(request);
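Review bot: `client = *(struct sockaddr_storage *) request->client->unit->addr.buf;` and the matching `server` assignment copy `sizeof(struct sockaddr_storage)` bytes from the TLI buffer regardless of how many bytes the transport stored there. The buffer is allocated in code outside this hunk, but if it holds only a `sockaddr_in` or `sockaddr_in6` the struct assignment reads past its end, and the cast also assumes the buffer is aligned for `sockaddr_storage`. Bounding the copy by the netbuf length avoids both: `memset(&client, 0, sizeof(client));` followed by `memcpy(&client, request->client->unit->addr.buf, n);` with `n` the smaller of `addr.len` and `sizeof(client)`, and the same for `server`.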
1190@@ -187,7 +207,15 @@
1191 }
1192 while (config = getnetconfig(handlep)) {
1193 if (stat(config->nc_device, &from_config) == 0) {
1194+#ifdef NO_CLONE_DEVICE
1195+ /*
1196+ * If the network devices are not cloned (as is the case for
1197+ * Solaris 8 Beta), we must compare the major device numbers.
1198+ */
1199+ if (major(from_config.st_rdev) == major(from_client.st_rdev))
1200+#else
1201 if (minor(from_config.st_rdev) == major(from_client.st_rdev))
1202+#endif
1203 break;
1204 }
1205 }
1206diff -ruN tcp_wrappers_7.6.orig/update.c tcp_wrappers_7.6/update.c
1207--- tcp_wrappers_7.6.orig/update.c 1994-12-28 17:42:56.000000000 +0100
1208+++ tcp_wrappers_7.6/update.c 2004-04-10 19:07:43.000000000 +0200
1209@@ -46,10 +46,18 @@
1210 request->fd = va_arg(ap, int);
1211 continue;
1212 case RQ_CLIENT_SIN:
1213+#ifdef INET6
1214+ request->client->sin = va_arg(ap, struct sockaddr *);
1215+#else
1216 request->client->sin = va_arg(ap, struct sockaddr_in *);
1217+#endif
1218 continue;
1219 case RQ_SERVER_SIN:
1220+#ifdef INET6
1221+ request->server->sin = va_arg(ap, struct sockaddr *);
1222+#else
1223 request->server->sin = va_arg(ap, struct sockaddr_in *);
1224+#endif
1225 continue;
1226
1227 /*
1228diff -ruN tcp_wrappers_7.6.orig/workarounds.c tcp_wrappers_7.6/workarounds.c
1229--- tcp_wrappers_7.6.orig/workarounds.c 1996-03-19 16:22:26.000000000 +0100
1230+++ tcp_wrappers_7.6/workarounds.c 2004-04-10 19:07:43.000000000 +0200
1231@@ -166,11 +166,22 @@
1232 int *len;
1233 {
1234 int ret;
1235+#ifdef INET6
1236+ struct sockaddr *sin = sa;
1237+#else
1238 struct sockaddr_in *sin = (struct sockaddr_in *) sa;
1239+#endif
1240
1241 if ((ret = getpeername(sock, sa, len)) >= 0
1242+#ifdef INET6
1243+ && ((sin->su_si.si_family == AF_INET6
1244+ && IN6_IS_ADDR_UNSPECIFIED(&sin->su_sin6.sin6_addr))
1245+ || (sin->su_si.si_family == AF_INET
1246+ && sin->su_sin.sin_addr.s_addr == 0))) {
1247+#else
1248 && sa->sa_family == AF_INET
1249 && sin->sin_addr.s_addr == 0) {
1250+#endif
1251 errno = ENOTCONN;
1252 return (-1);
1253 } else {
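Review bot: The INET6 condition dereferences `sin->su_si.si_family`, `sin->su_sin6` and `sin->su_sin`, but `sin` is declared a few lines earlier as `struct sockaddr *`, which has no such members; the names look like fields of a sockaddr union that this hunk does not declare. Unless a definition outside the hunk supplies them, this branch will not compile when the enclosing workaround is built with INET6. Testing `sa->sa_family` and casting per family, as the non-INET6 branch does, keeps the check self-contained. The enclosing function begins and ends outside the hunk.

```c
    if ((ret = getpeername(sock, sa, len)) >= 0
#ifdef INET6
	&& ((sa->sa_family == AF_INET6
	     && IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *) sa)->sin6_addr))
	    || (sa->sa_family == AF_INET
		&& ((struct sockaddr_in *) sa)->sin_addr.s_addr == 0))) {
/* … unchanged: #else branch with the AF_INET-only test … */
```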
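--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch
@@ -0,0 +1,151 @@
+Path: news.porcupine.org!news.porcupine.org!not-for-mail
+From: Wietse Venema <wietse@((no)(spam)(please))wzv.win.tue.nl>
+Newsgroups: comp.mail.sendmail,comp.security.unix
+Subject: TCP Wrapper Blacklist Extension
+Followup-To: poster
+Date: 8 Sep 1997 18:53:13 -0400
+Organization: Wietse's hangout while on sabattical in the USA
+Lines: 147
+Sender: wietse@spike.porcupine.org
+Message-ID: <5v1vkp$h4f$1@spike.porcupine.org>
+NNTP-Posting-Host: spike.porcupine.org
+Xref: news.porcupine.org comp.mail.sendmail:3541 comp.security.unix:7158
+
+The patch below adds a new host pattern to the TCP Wrapper access
+control language. Instead of a host name or address pattern, you
+can specify an external /file/name with host name or address
+patterns. The feature can be used recursively.
+
+The /file/name extension makes it easy to blacklist bad sites, for
+example, to block unwanted electronic mail when libwrap is linked
+into sendmail. Adding hosts to a simple text file is much easier
+than having to edit a more complex hosts.allow/deny file.
+
+I developed this a year or so ago as a substitute for NIS netgroups.
+At that time, I did not consider it of sufficient interest for
+inclusion in the TCP Wrapper distribution. How times have changed.
+
+The patch is relative to TCP Wrappers version 7.6. The main archive
+site is ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz
+
+Thanks to the Debian LINUX folks for expressing their interest in
+this patch.
+
+ Wietse
+
+
+[diff updated by Md]
+
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:28:09.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:28:01.000000000 +0200
+@@ -97,6 +97,13 @@
+ `[3ffe:505:2:1::]/64\' matches every address in the range
+ `3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
+ .IP \(bu
++A string that begins with a `/\' character is treated as a file
++name. A host name or address is matched if it matches any host name
++or address pattern listed in the named file. The file format is
++zero or more lines with zero or more host name or address patterns
++separated by whitespace. A file name pattern can be used anywhere
++a host name or address pattern can be used.
++.IP \(bu
+ Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This
+ method of matching cannot be used in conjunction with `net/mask\' matching,
+ hostname matching beginning with `.\' or IP address matching ending with `.\'.
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
+--- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:28:09.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:27:05.000000000 +0200
+@@ -253,6 +253,26 @@
+ }
+ }
+
++/* hostfile_match - look up host patterns from file */
++
++static int hostfile_match(path, host)
++char *path;
++struct hosts_info *host;
++{
++ char tok[BUFSIZ];
++ int match = NO;
++ FILE *fp;
++
++ if ((fp = fopen(path, "r")) != 0) {
++ while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
++ /* void */ ;
++ fclose(fp);
++ } else if (errno != ENOENT) {
++ tcpd_warn("open %s: %m", path);
++ }
++ return (match);
++}
++
+ /* host_match - match host name and/or address against pattern */
+
+ static int host_match(tok, host)
+@@ -280,6 +300,8 @@
+ tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */
+ return (NO);
+ #endif
++ } else if (tok[0] == '/') { /* /file hack */
++ return (hostfile_match(tok, host));
+ } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */
+ char *name = eval_hostname(host);
+ return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
+diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c
+--- tcp_wrappers_7.6.orig/tcpdchk.c 2004-04-10 19:28:09.000000000 +0200
++++ tcp_wrappers_7.6/tcpdchk.c 2004-04-10 19:27:05.000000000 +0200
+@@ -353,6 +353,8 @@
+ {
+ if (pat[0] == '@') {
+ tcpd_warn("%s: daemon name begins with \"@\"", pat);
++ } else if (pat[0] == '/') {
++ tcpd_warn("%s: daemon name begins with \"/\"", pat);
+ } else if (pat[0] == '.') {
+ tcpd_warn("%s: daemon name begins with dot", pat);
+ } else if (pat[strlen(pat) - 1] == '.') {
+@@ -385,6 +387,8 @@
+ {
+ if (pat[0] == '@') { /* @netgroup */
+ tcpd_warn("%s: user name begins with \"@\"", pat);
++ } else if (pat[0] == '/') {
++ tcpd_warn("%s: user name begins with \"/\"", pat);
+ } else if (pat[0] == '.') {
+ tcpd_warn("%s: user name begins with dot", pat);
+ } else if (pat[strlen(pat) - 1] == '.') {
+@@ -430,8 +434,13 @@
+ static int check_host(pat)
+ char *pat;
+ {
++ char buf[BUFSIZ];
+ char *mask;
+ int addr_count = 1;
++ FILE *fp;
++ struct tcpd_context saved_context;
++ char *cp;
++ char *wsp = " \t\r\n";
+
+ if (pat[0] == '@') { /* @netgroup */
+ #ifdef NO_NETGRENT
+@@ -450,6 +459,21 @@
+ tcpd_warn("netgroup support disabled");
+ #endif
+ #endif
++ } else if (pat[0] == '/') { /* /path/name */
++ if ((fp = fopen(pat, "r")) != 0) {
++ saved_context = tcpd_context;
++ tcpd_context.file = pat;
++ tcpd_context.line = 0;
++ while (fgets(buf, sizeof(buf), fp)) {
++ tcpd_context.line++;
++ for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
++ check_host(cp);
++ }
++ tcpd_context = saved_context;
++ fclose(fp);
++ } else if (errno != ENOENT) {
++ tcpd_warn("open %s: %m", pat);
++ }
+ } else if (mask = split_at(pat, '/')) { /* network/netmask */
+ #ifdef INET6
+ int mask_len;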
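Review bot: In hostfile_match() the call `fscanf(fp, "%s", tok)` reads a token of any length into `char tok[BUFSIZ]`, so an over-long token in a pattern file writes past the buffer inside whatever process has libwrap linked in. Give the conversion a width, for example `char fmt[16]; sprintf(fmt, "%%%ds", (int) sizeof(tok) - 1);` followed by `fscanf(fp, fmt, tok)`. The file pattern is also followed recursively with no depth limit, so a file that names itself keeps recursing and opening descriptors; a small depth counter with a tcpd_warn() would bound that. A missing file is silently treated as "no match" (`errno != ENOENT`), which for a deny rule means a deleted list quietly stops blocking, so that choice deserves at least a comment.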
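--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_usagi_fix.patch
@@ -0,0 +1,45 @@
+diff -uN tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.new/hosts_access.c
+--- tcp_wrappers_7.6/hosts_access.c Mon May 20 14:00:56 2002
++++ tcp_wrappers_7.6.new/hosts_access.c Mon May 20 14:25:05 2002
+@@ -448,6 +448,15 @@
+ int len, mask_len, i = 0;
+ char ch;
+
++ /*
++ * Behavior of getaddrinfo() against IPv4-mapped IPv6 address is
++ * different between KAME and Solaris8. While KAME returns
++ * AF_INET6, Solaris8 returns AF_INET. So, we avoid this here.
++ */
++ if (STRN_EQ(string, "::ffff:", 7)
++ && dot_quad_addr(string + 7) != INADDR_NONE)
++ return (masked_match4(net_tok, mask_tok, string + 7));
++
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_INET6;
+ hints.ai_socktype = SOCK_STREAM;
+@@ -457,13 +466,6 @@
+ memcpy(&addr, res->ai_addr, sizeof(addr));
+ freeaddrinfo(res);
+
+- if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)) {
+- if ((*(u_int32_t *)&net.sin6_addr.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE
+- || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE)
+- return (NO);
+- return ((*(u_int32_t *)&addr.sin6_addr.s6_addr[12] & mask) == *(u_int32_t *)&net.sin6_addr.s6_addr[12]);
+- }
+-
+ /* match IPv6 address against netnumber/prefixlen */
+ len = strlen(net_tok);
+ if (*net_tok != '[' || net_tok[len - 1] != ']')
+diff -uN tcp_wrappers_7.6/socket.c tcp_wrappers_7.6.new/socket.c
+--- tcp_wrappers_7.6/socket.c Mon May 20 13:48:35 2002
++++ tcp_wrappers_7.6.new/socket.c Mon May 20 14:22:27 2002
+@@ -228,7 +228,7 @@
+ hints.ai_family = sin->sa_family;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST;
+- if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) {
++ if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) {
+ freeaddrinfo(res0);
+ res0 = NULL;
+ tcpd_warn("host name/name mismatch: "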
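Review bot: The IPv4-mapped shortcut added in the first hosts_access.c hunk recognises a mapped client only by the literal text prefix `::ffff:` followed by a dotted quad, while the second hunk removes the `IN6_IS_ADDR_V4MAPPED()` test on the parsed address. If `string` can ever carry a mapped address in another spelling (how it is formatted is decided outside these hunks), an IPv4 net/mask rule would no longer be applied to it and the request would go on to the IPv6 prefix match instead. Either keep a check on the parsed address as a fallback after getaddrinfo(), or record the assumption next to the test, e.g. `/* relies on the printable address using the "::ffff:a.b.c.d" form */`. The enclosing function starts and ends outside both hunks.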
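--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/12_makefile_config.patch
@@ -0,0 +1,81 @@
+diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile
+--- tcp_wrappers_7.6.orig/Makefile 2003-08-21 01:43:39.000000000 +0200
++++ tcp_wrappers_7.6/Makefile 2003-08-21 01:43:35.000000000 +0200
+@@ -45,7 +45,7 @@
+ #
+ # SysV.4 Solaris 2.x OSF AIX
+ #REAL_DAEMON_DIR=/usr/sbin
+-#
++REAL_DAEMON_DIR=/usr/sbin
+ # BSD 4.4
+ #REAL_DAEMON_DIR=/usr/libexec
+ #
+@@ -512,6 +519,7 @@
+ # (examples: allow, deny, banners, twist and spawn).
+ #
+ #STYLE = -DPROCESS_OPTIONS # Enable language extensions.
++STYLE = -DPROCESS_OPTIONS
+
+ ################################################################
+ # Optional: Changing the default disposition of logfile records
+@@ -535,6 +543,7 @@
+ # The LOG_XXX names below are taken from the /usr/include/syslog.h file.
+
+ FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use
++FACILITY= LOG_DAEMON
+
+ # The syslog priority at which successful connections are logged.
+
+@@ -631,6 +640,7 @@
+ # lookups altogether, see the next section.
+
+ PARANOID= -DPARANOID
++PARANOID=
+
+ ########################################
+ # Optional: turning off hostname lookups
+@@ -644,6 +654,7 @@
+ # mode (see previous section) and comment out the following definition.
+
+ HOSTNAME= -DALWAYS_HOSTNAME
++HOSTNAME=
+
+ #############################################
+ # Optional: Turning on host ADDRESS checking
+@@ -670,6 +681,7 @@
+ # Solaris 2.x, and Linux. See your system documentation for details.
+ #
+ # KILL_OPT= -DKILL_IP_OPTIONS
++KILL_OPT= -DKILL_IP_OPTIONS
+
+ ## End configuration options
+ ############################
+@@ -677,9 +689,10 @@
+ # Protection against weird shells or weird make programs.
+
+ SHELL = /bin/sh
+-.c.o:; $(CC) $(CFLAGS) -c $*.c
++.c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c
+
+-CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
++COPTS = -O2 -g
++CFLAGS = $(COPTS) -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
+ $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
+ -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \
+ -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
+@@ -712,10 +725,11 @@
+
+ config-check:
+ @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; }
+- @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \
+- if cmp cflags /tmp/cflags.$$$$ ; \
+- then rm /tmp/cflags.$$$$ ; \
+- else mv /tmp/cflags.$$$$ cflags ; \
++ @set +e; echo $(CFLAGS) >cflags.new ; \
++ if cmp cflags cflags.new ; \
++ then rm cflags.new ; \
++ else mv cflags.new cflags ; \
+ fi >/dev/null 2>/dev/null
++ @if [ ! -d shared ]; then mkdir shared; fi
+
+ $(LIB): $(LIB_OBJ)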
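Review bot: The hunks at 631 and 644 turn off `-DPARANOID` and `-DALWAYS_HOSTNAME` by appending an empty `PARANOID=` / `HOSTNAME=` after the upstream default, with no comment saying this is a deliberate policy change. With PARANOID compiled out, the wrappers no longer refuse clients whose host name and address disagree before the rules are consulted; that check then happens only where a rule uses the PARANOID wildcard. I would replace the default line instead of shadowing it and document the consequence, e.g. `# PARANOID is off by default here: add "ALL: PARANOID" to hosts.deny to keep rejecting name/address mismatches`. The same shadowing style is used for FACILITY, where the stale `# LOG_MAIL is what most sendmail daemons use` comment now sits above a value that is overridden.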
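--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/13_shlib_weaksym.patch
@@ -0,0 +1,253 @@
+diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile
+--- tcp_wrappers_7.6.orig/Makefile 2004-05-02 15:37:59.000000000 +0200
++++ tcp_wrappers_7.6/Makefile 2004-05-02 15:31:09.000000000 +0200
+@@ -150,15 +150,15 @@
+
+ linux:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+- LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
++ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
+ NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \
+- EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
++ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
+
+ gnu:
+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+- LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
++ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
+ NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \
+- EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR" all
++ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT" all
+
+ # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
+ hpux hpux8 hpux9 hpux10:
+@@ -713,7 +713,22 @@
+
+ LIB = libwrap.a
+
+-all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk
++shared/%.o: %.c
++ $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@
++
++SOMAJOR = 0
++SOMINOR = 7.6
++
++SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR)
++SHLIBSOMAJ = shared/libwrap.so.$(SOMAJOR)
++SHLIBSO = shared/libwrap.so
++SHLIBFLAGS = -Lshared -lwrap
++
++SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS)
++SHCFLAGS = -fPIC -shared -D_REENTRANT
++SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));
++
++all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB)
+
+ # Invalidate all object files when the compiler options (CFLAGS) have changed.
+
+@@ -731,27 +746,33 @@
+ $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)
+ -$(RANLIB) $(LIB)
+
+-tcpd: tcpd.o $(LIB)
+- $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS)
++$(SHLIB): $(SHLIB_OBJ)
++ rm -f $(SHLIB)
++ $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)
++ ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ)
++ ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)
++
++tcpd: tcpd.o $(SHLIB)
++ $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)
+
+ miscd: miscd.o $(LIB)
+ $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
+
+-safe_finger: safe_finger.o $(LIB)
+- $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS)
++safe_finger: safe_finger.o $(SHLIB)
++ $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS)
+
+ TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
+
+-tcpdmatch: $(TCPDMATCH_OBJ) $(LIB)
+- $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS)
++tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB)
++ $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS)
+
+-try-from: try-from.o fakelog.o $(LIB)
+- $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS)
++try-from: try-from.o fakelog.o $(SHLIB)
++ $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS)
+
+ TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
+
+-tcpdchk: $(TCPDCHK_OBJ) $(LIB)
+- $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS)
++tcpdchk: $(TCPDCHK_OBJ) $(SHLIB)
++ $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)
+
+ shar: $(KIT)
+ @shar $(KIT)
+@@ -767,7 +788,9 @@
+
+ clean:
+ rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \
++ libwrap*.so* \
+ cflags
++ rm -rf shared/
+
+ tidy: clean
+ chmod -R a+r .
+@@ -913,5 +936,6 @@
+ update.o: mystdarg.h
+ update.o: tcpd.h
+ vfprintf.o: cflags
++weak_symbols.o: tcpd.h
+ workarounds.o: cflags
+ workarounds.o: tcpd.h
+diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h
+--- tcp_wrappers_7.6.orig/tcpd.h 2004-05-02 15:37:59.000000000 +0200
++++ tcp_wrappers_7.6/tcpd.h 2004-05-02 15:37:49.000000000 +0200
+@@ -4,6 +4,15 @@
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
++#ifndef _TCPWRAPPERS_TCPD_H
++#define _TCPWRAPPERS_TCPD_H
++
++/* Need definitions of struct sockaddr_in and FILE. */
++#include <netinet/in.h>
++#include <stdio.h>
++
++__BEGIN_DECLS
++
+ /* Structure to describe one communications endpoint. */
+
+ #define STRING_LENGTH 128 /* hosts, users, processes */
+@@ -29,10 +38,10 @@
+ char pid[10]; /* access via eval_pid(request) */
+ struct host_info client[1]; /* client endpoint info */
+ struct host_info server[1]; /* server endpoint info */
+- void (*sink) (); /* datagram sink function or 0 */
+- void (*hostname) (); /* address to printable hostname */
+- void (*hostaddr) (); /* address to printable address */
+- void (*cleanup) (); /* cleanup function or 0 */
++ void (*sink) (int); /* datagram sink function or 0 */
++ void (*hostname) (struct host_info *); /* address to printable hostname */
++ void (*hostaddr) (struct host_info *); /* address to printable address */
++ void (*cleanup) (struct request_info *); /* cleanup function or 0 */
+ struct netconfig *config; /* netdir handle */
+ };
+
+@@ -70,20 +79,27 @@
+ #define fromhost sock_host /* no TLI support needed */
+ #endif
+
+-extern int hosts_access(); /* access control */
+-extern void shell_cmd(); /* execute shell command */
+-extern char *percent_x(); /* do %<char> expansion */
+-extern void rfc931(); /* client name from RFC 931 daemon */
+-extern void clean_exit(); /* clean up and exit */
+-extern void refuse(); /* clean up and exit */
+-extern char *xgets(); /* fgets() on steroids */
+-extern char *split_at(); /* strchr() and split */
+-extern unsigned long dot_quad_addr(); /* restricted inet_addr() */
++extern int hosts_access(struct request_info *request); /* access control */
++extern void shell_cmd(char *); /* execute shell command */
++extern char *percent_x(char *, int, char *, struct request_info *);
++ /* do %<char> expansion */
++extern void rfc931(struct sockaddr *, struct sockaddr *, char *);
++ /* client name from RFC 931 daemon */
++extern void clean_exit(struct request_info *); /* clean up and exit */
++extern void refuse(struct request_info *); /* clean up and exit */
++extern char *xgets(char *, int, FILE *); /* fgets() on steroids */
++extern char *split_at(char *, int); /* strchr() and split */
++extern unsigned long dot_quad_addr(char *); /* restricted inet_addr() */
+
+ /* Global variables. */
+
++#ifdef HAVE_WEAKSYMS
++extern int allow_severity __attribute__ ((weak)); /* for connection logging */
++extern int deny_severity __attribute__ ((weak)); /* for connection logging */
++#else
+ extern int allow_severity; /* for connection logging */
+ extern int deny_severity; /* for connection logging */
++#endif
+ extern char *hosts_allow_table; /* for verification mode redirection */
+ extern char *hosts_deny_table; /* for verification mode redirection */
+ extern int hosts_access_verbose; /* for verbose matching mode */
+@@ -98,6 +114,8 @@
+ #ifdef __STDC__
+ extern struct request_info *request_init(struct request_info *,...);
+ extern struct request_info *request_set(struct request_info *,...);
++extern int hosts_ctl(char *daemon, char *client_name, char *client_addr,
++ char *client_user);
+ #else
+ extern struct request_info *request_init(); /* initialize request */
+ extern struct request_info *request_set(); /* update request structure */
+@@ -121,20 +139,23 @@
+ * host_info structures serve as caches for the lookup results.
+ */
+
+-extern char *eval_user(); /* client user */
+-extern char *eval_hostname(); /* printable hostname */
+-extern char *eval_hostaddr(); /* printable host address */
+-extern char *eval_hostinfo(); /* host name or address */
+-extern char *eval_client(); /* whatever is available */
+-extern char *eval_server(); /* whatever is available */
++extern char *eval_user(struct request_info *); /* client user */
++extern char *eval_hostname(struct host_info *); /* printable hostname */
++extern char *eval_hostaddr(struct host_info *); /* printable host address */
++extern char *eval_hostinfo(struct host_info *); /* host name or address */
++extern char *eval_client(struct request_info *);/* whatever is available */
++extern char *eval_server(struct request_info *);/* whatever is available */
+ #define eval_daemon(r) ((r)->daemon) /* daemon process name */
+ #define eval_pid(r) ((r)->pid) /* process id */
+
+ /* Socket-specific methods, including DNS hostname lookups. */
+
+-extern void sock_host(); /* look up endpoint addresses */
+-extern void sock_hostname(); /* translate address to hostname */
+-extern void sock_hostaddr(); /* address to printable address */
++/* look up endpoint addresses */
++extern void sock_host(struct request_info *);
++/* translate address to hostname */
++extern void sock_hostname(struct host_info *);
++/* address to printable address */
++extern void sock_hostaddr(struct host_info *);
+ #define sock_methods(r) \
+ { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
+
+@@ -182,7 +203,7 @@
+ * behavior.
+ */
+
+-extern void process_options(); /* execute options */
++extern void process_options(char *, struct request_info *);/* execute options */
+ extern int dry_run; /* verification flag */
+
+ /* Bug workarounds. */
+@@ -221,3 +242,7 @@
+ #define strtok my_strtok
+ extern char *my_strtok();
+ #endif
++
++__END_DECLS
++
++#endif
+diff -ruN tcp_wrappers_7.6.orig/weak_symbols.c tcp_wrappers_7.6/weak_symbols.c
+--- tcp_wrappers_7.6.orig/weak_symbols.c 1970-01-01 01:00:00.000000000 +0100
++++ tcp_wrappers_7.6/weak_symbols.c 2004-05-02 15:31:09.000000000 +0200
+@@ -0,0 +1,11 @@
++ /*
++ * @(#) weak_symbols.h 1.5 99/12/29 23:50
++ *
++ * Author: Anthony Towns <ajt@debian.org>
++ */
++
++#ifdef HAVE_WEAKSYMS
++#include <syslog.h>
++int deny_severity = LOG_WARNING;
++int allow_severity = SEVERITY;
++#endif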
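Review bot: tcpd.h now brackets its declarations with `__BEGIN_DECLS` / `__END_DECLS` but includes only `<netinet/in.h>` and `<stdio.h>`, neither of which is required to define those macros, so the installed header compiles only where the C library happens to pull in its own cdefs header. Spelling the guard out removes that dependency: `#ifdef __cplusplus` / `extern "C" {` / `#endif` in place of `__BEGIN_DECLS`, and the matching block with `}` in place of `__END_DECLS`. Separately, in the Makefile hunk at 713, `SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));` carries a stray trailing `;` into both the prerequisite list and the link command and should lose it.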
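--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/14_cidr_support.patch
@@ -0,0 +1,66 @@
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5 2003-08-21 03:15:36.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.5 2003-08-21 03:15:31.000000000 +0200
+@@ -90,6 +90,10 @@
+ pattern `131.155.72.0/255.255.254.0\' matches every address in the
+ range `131.155.72.0\' through `131.155.73.255\'.
+ .IP \(bu
++An expression of the form `n.n.n.n/mm' is interpreted as a
++`net/masklength' pair, where `mm' is the number of consecutive `1'
++bits in the netmask applied to the `n.n.n.n' address.
++.IP \(bu
+ An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
+ `[net]/prefixlen\' pair. An IPv6 host address is matched if
+ `prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
+--- tcp_wrappers_7.6.orig/hosts_access.c 2003-08-21 03:15:36.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.c 2003-08-21 03:09:30.000000000 +0200
+@@ -417,7 +417,8 @@
+ if ((addr = dot_quad_addr(string)) == INADDR_NONE)
+ return (NO);
+ if ((net = dot_quad_addr(net_tok)) == INADDR_NONE
+- || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) {
++ || ((mask = dot_quad_addr(mask_tok)) == INADDR_NONE
++ && (mask = cidr_mask_addr(mask_tok)) == 0)) {
+ #ifndef INET6
+ tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok);
+ #endif
+diff -ruN tcp_wrappers_7.6.orig/misc.c tcp_wrappers_7.6/misc.c
+--- tcp_wrappers_7.6.orig/misc.c 2003-08-21 03:15:36.000000000 +0200
++++ tcp_wrappers_7.6/misc.c 2003-08-21 03:09:30.000000000 +0200
+@@ -107,3 +107,17 @@
+ }
+ return (runs == 4 ? inet_addr(str) : INADDR_NONE);
+ }
++
++/* cidr_mask_addr - convert cidr netmask length to internal form */
++
++unsigned long cidr_mask_addr(str)
++char *str;
++{
++ int maskbits;
++
++ maskbits = atoi(str);
++ if (maskbits < 1 || maskbits > 32)
++ return (0);
++ return htonl(0xFFFFFFFF << (32 - maskbits));
++}
++
+diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c
+--- tcp_wrappers_7.6.orig/tcpdchk.c 2003-08-21 03:15:36.000000000 +0200
++++ tcp_wrappers_7.6/tcpdchk.c 2003-08-21 03:09:30.000000000 +0200
+@@ -497,12 +497,12 @@
+ int mask_len;
+
+ if ((dot_quad_addr(pat) == INADDR_NONE
+- || dot_quad_addr(mask) == INADDR_NONE)
++ || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0)
+ && (!is_inet6_addr(pat)
+ || ((mask_len = atoi(mask)) < 0 || mask_len > 128)))
+ #else
+ if (dot_quad_addr(pat) == INADDR_NONE
+- || dot_quad_addr(mask) == INADDR_NONE)
++ || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0)
+ #endif
+ tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
+ } else if (STR_EQ(pat, "FAIL")) { /* obsolete */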
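Review bot: cidr_mask_addr() in the misc.c hunk parses the mask length with `atoi(str)`, which stops at the first non-digit and reports no error, so a mistyped mask such as a truncated dotted quad is accepted as a prefix length and the rule silently covers a different network than the administrator wrote. Because tcpdchk.c calls the same function, the checker will not flag it either. Parsing with strtol() and rejecting anything but a complete decimal number keeps malformed masks on the existing "bad net/mask" warning path. The patch also adds no declaration of cidr_mask_addr() to tcpd.h, so unless another patch supplies one, the callers in hosts_access.c and tcpdchk.c use an implicitly declared function whose `unsigned long` result is treated as `int`.

```c
unsigned long cidr_mask_addr(str)
char   *str;
{
    long    maskbits;
    char   *end;

    /* Accept only a complete decimal number; atoi() would take "8.1" as 8. */
    maskbits = strtol(str, &end, 10);
    if (end == str || *end != '\0' || maskbits < 1 || maskbits > 32)
	return (0);
    /* ... unchanged: return htonl(...) ... */
}
```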
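--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/15_match_clarify.patch
@@ -0,0 +1,12 @@
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-25 12:17:59.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.5 2004-04-25 12:17:53.000000000 +0200
+@@ -89,6 +89,8 @@
+ bitwise AND of the address and the `mask\'. For example, the net/mask
+ pattern `131.155.72.0/255.255.254.0\' matches every address in the
+ range `131.155.72.0\' through `131.155.73.255\'.
++`255.255.255.255\' is not a valid mask value, so a single host can be
++matched just by its IP.
+ .IP \(bu
+ An expression of the form `n.n.n.n/mm' is interpreted as a
+ `net/masklength' pair, where `mm' is the number of consecutive `1'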
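--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/expand_remote_port.patch
@@ -0,0 +1,71 @@
+diff -ruN tcp_wrappers_7.6.orig/eval.c tcp_wrappers_7.6/eval.c
+--- tcp_wrappers_7.6.orig/eval.c 1995-01-30 19:51:46.000000000 +0100
++++ tcp_wrappers_7.6/eval.c 2004-11-04 13:59:01.000000000 +0100
+@@ -98,6 +98,28 @@
+ }
+ }
+
++/* eval_port - return string with the port */
++char *eval_port(saddr)
++#ifdef INET6
++struct sockaddr *saddr;
++#else
++struct sockaddr_in *saddr;
++#endif
++{
++ static char port[16];
++ if (saddr != 0) {
++ sprintf(port, "%u",
++#ifdef INET6
++ ntohs(((struct sockaddr_in *)saddr)->sin_port));
++#else
++ ntohs(saddr->sin_port));
++#endif
++ } else {
++ strcpy(port, "0");
++ }
++ return (port);
++}
++
+ /* eval_client - return string with as much about the client as we know */
+
+ char *eval_client(request)
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5 2004-11-04 13:17:45.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.5 2004-11-04 13:55:32.000000000 +0100
+@@ -175,6 +175,8 @@
+ unavailable.
+ .IP "%n (%N)"
+ The client (server) host name (or "unknown" or "paranoid").
++.IP "%r (%R)"
++The clients (servers) port number (or "0").
+ .IP %p
+ The daemon process id.
+ .IP %s
+diff -ruN tcp_wrappers_7.6.orig/percent_x.c tcp_wrappers_7.6/percent_x.c
+--- tcp_wrappers_7.6.orig/percent_x.c 1994-12-28 17:42:38.000000000 +0100
++++ tcp_wrappers_7.6/percent_x.c 2004-11-04 13:19:29.000000000 +0100
+@@ -63,6 +63,8 @@
+ ch == 'n' ? eval_hostname(request->client) :
+ ch == 'N' ? eval_hostname(request->server) :
+ ch == 'p' ? eval_pid(request) :
++ ch == 'r' ? eval_port(request->client->sin) :
++ ch == 'R' ? eval_port(request->server->sin) :
+ ch == 's' ? eval_server(request) :
+ ch == 'u' ? eval_user(request) :
+ ch == '%' ? "%" : (tcpd_warn("unrecognized %%%c", ch), "");
+diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h
+--- tcp_wrappers_7.6.orig/tcpd.h 2004-11-04 13:17:45.000000000 +0100
++++ tcp_wrappers_7.6/tcpd.h 2004-11-04 13:19:13.000000000 +0100
+@@ -145,6 +145,11 @@
+ extern char *eval_hostinfo(struct host_info *); /* host name or address */
+ extern char *eval_client(struct request_info *);/* whatever is available */
+ extern char *eval_server(struct request_info *);/* whatever is available */
++#ifdef INET6
++extern char *eval_port(struct sockaddr *);
++#else
++extern char *eval_port(struct sockaddr_in *);
++#endif
+ #define eval_daemon(r) ((r)->daemon) /* daemon process name */
+ #define eval_pid(r) ((r)->pid) /* process id */
+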
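Review bot: eval_port() in the eval.c hunk returns a pointer to one shared `static char port[16]`, and neither the function comment nor the tcpd.h prototype says so; a caller that holds the `%r` result while asking for `%R` would see the first value change. I would record the contract above the function: `/* eval_port - return port as a string in a static buffer, overwritten by the next call */`. Under INET6 the port is read through `(struct sockaddr_in *)saddr` regardless of the address family, which presumably relies on the port field sitting at the same offset in the IPv6 socket address; switching on `saddr->sa_family` and reading `sin6_port` for AF_INET6 would make that explicit rather than assumed.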
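--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/have_strerror.patch
@@ -0,0 +1,19 @@
+diff -ruN tcp_wrappers_7.6.orig/percent_m.c tcp_wrappers_7.6/percent_m.c
+--- tcp_wrappers_7.6.orig/percent_m.c 1994-12-28 17:42:37.000000000 +0100
++++ tcp_wrappers_7.6/percent_m.c 2003-08-21 02:45:31.000000000 +0200
+@@ -29,11 +29,15 @@
+
+ while (*bp = *cp)
+ if (*cp == '%' && cp[1] == 'm') {
++#ifdef HAVE_STRERROR
++ strcpy(bp, strerror(errno));
++#else
+ if (errno < sys_nerr && errno > 0) {
+ strcpy(bp, sys_errlist[errno]);
+ } else {
+ sprintf(bp, "Unknown error %d", errno);
+ }
++#endif
+ bp += strlen(bp);
+ cp += 2;
+ } else {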
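Review bot: The new HAVE_STRERROR branch still writes with an unbounded `strcpy(bp, strerror(errno))`, so every `%m` in the format expands by a message whose length the platform decides, into an output buffer whose size this function never sees. The function's signature and its callers are outside the hunk, so the buffer sizes cannot be checked from here. At minimum the assumption should be stated next to the copy, e.g. `/* caller must size the output for the format plus one strerror() text per %m */`.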
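--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/ldflags.patch
@@ -0,0 +1,43 @@
+Index: tcp_wrappers_7.6.orig/Makefile
+===================================================================
+--- tcp_wrappers_7.6.orig.orig/Makefile 2009-04-06 10:55:47.000000000 +0000
++++ tcp_wrappers_7.6.orig/Makefile 2009-04-06 10:57:04.000000000 +0000
+@@ -748,31 +748,31 @@
+
+ $(SHLIB): $(SHLIB_OBJ)
+ rm -f $(SHLIB)
+- $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)
++ $(CC) $(LDFLAGS) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)
+ ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ)
+ ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)
+
+ tcpd: tcpd.o $(SHLIB)
+- $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)
++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)
+
+ miscd: miscd.o $(LIB)
+- $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
+
+ safe_finger: safe_finger.o $(SHLIB)
+- $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS)
++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS)
+
+ TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
+
+ tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB)
+- $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS)
++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS)
+
+ try-from: try-from.o fakelog.o $(SHLIB)
+- $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS)
++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS)
+
+ TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
+
+ tcpdchk: $(TCPDCHK_OBJ) $(SHLIB)
+- $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)
++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)
+
+ shar: $(KIT)
+ @shar $(KIT)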
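--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/man_fromhost.patch
@@ -0,0 +1,21 @@
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3
+--- tcp_wrappers_7.6.orig/hosts_access.3 2004-04-25 00:10:48.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.3 2004-04-25 00:09:36.000000000 +0200
+@@ -14,6 +14,9 @@
+ struct request_info *request_set(request, key, value, ..., 0)
+ struct request_info *request;
+
++void fromhost(request)
++struct request_info *request;
++
+ int hosts_access(request)
+ struct request_info *request;
+
+@@ -60,6 +63,7 @@
+ is available, host names and client user names are looked up on demand,
+ using the request structure as a cache. hosts_access() returns zero if
+ access should be denied.
++fromhost() must be called before hosts_access().
+ .PP
+ hosts_ctl() is a wrapper around the request_init() and hosts_access()
+ routines with a perhaps more convenient interface (though it does not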
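--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/restore_sigalarm.patch
@@ -0,0 +1,37 @@
+diff -ruN tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c
+--- tcp_wrappers_7.6.orig/rfc931.c 2004-08-29 18:40:08.000000000 +0200
++++ tcp_wrappers_7.6/rfc931.c 2004-08-29 18:40:02.000000000 +0200
+@@ -92,6 +92,8 @@
+ char *cp;
+ char *result = unknown;
+ FILE *fp;
++ unsigned saved_timeout;
++ struct sigaction nact, oact;
+
+ #ifdef INET6
+ /* address family must be the same */
+@@ -134,7 +136,12 @@
+ */
+
+ if (setjmp(timebuf) == 0) {
+- signal(SIGALRM, timeout);
++ /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */
++ saved_timeout = alarm(0);
++ nact.sa_handler = timeout;
++ nact.sa_flags = 0;
++ (void) sigemptyset(&nact.sa_mask);
++ (void) sigaction(SIGALRM, &nact, &oact);
+ alarm(rfc931_timeout);
+
+ /*
+@@ -223,6 +230,10 @@
+ }
+ alarm(0);
+ }
++ /* Restore SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */
++ (void) sigaction(SIGALRM, &oact, NULL);
++ if (saved_timeout > 0)
++ alarm(saved_timeout);
+ fclose(fp);
+ }
+ STRN_CPY(dest, result, STRING_LENGTH);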
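Review bot: `saved_timeout` and `oact` are written inside the `if (setjmp(timebuf) == 0)` branch and read again after the timeout handler has jumped back, but they are plain automatic variables, so C leaves their values indeterminate on that path and the restore may reinstall a garbage handler or timer. Moving the save in front of the `setjmp` call (`saved_timeout = alarm(0);` together with the `sigaction(SIGALRM, &nact, &oact)` setup) keeps both values defined when the timeout fires. The discarded return of the first `sigaction` also means a failure there leaves `oact` unset before it is restored from. The function body starts and ends outside these hunks, so the brace nesting around the restore block is inferred.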
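--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/rfc931.diff
@@ -0,0 +1,39 @@
+diff -ruNp tcp_wrappers_7.6.orig/scaffold.c tcp_wrappers_7.6/scaffold.c
+--- tcp_wrappers_7.6.orig/scaffold.c 2005-03-09 18:22:04.000000000 +0100
++++ tcp_wrappers_7.6/scaffold.c 2005-03-09 18:20:47.000000000 +0100
+@@ -237,10 +237,17 @@ struct request_info *request;
+
+ /* ARGSUSED */
+
+-void rfc931(request)
+-struct request_info *request;
++void rfc931(rmt_sin, our_sin, dest)
++#ifdef INET6
++struct sockaddr *rmt_sin;
++struct sockaddr *our_sin;
++#else
++struct sockaddr_in *rmt_sin;
++struct sockaddr_in *our_sin;
++#endif
++char *dest;
+ {
+- strcpy(request->user, unknown);
++ strcpy(dest, unknown);
+ }
+
+ /* check_path - examine accessibility */
+diff -ruNp tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h
+--- tcp_wrappers_7.6.orig/tcpd.h 2005-03-09 18:22:04.000000000 +0100
++++ tcp_wrappers_7.6/tcpd.h 2005-03-09 18:21:23.000000000 +0100
+@@ -83,7 +83,11 @@ extern int hosts_access(struct request_i
+ extern void shell_cmd(char *); /* execute shell command */
+ extern char *percent_x(char *, int, char *, struct request_info *);
+ /* do %<char> expansion */
++#ifdef INET6
+ extern void rfc931(struct sockaddr *, struct sockaddr *, char *);
++#else
++extern void rfc931(struct sockaddr_in *, struct sockaddr_in *, char *);
++#endif
+ /* client name from RFC 931 daemon */
+ extern void clean_exit(struct request_info *); /* clean up and exit */
+ extern void refuse(struct request_info *); /* clean up and exit */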
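Review bot: The scaffold.c stub copies into `dest` with an unbounded `strcpy`, and the new three-argument signature gives it no length for the caller's buffer. The copied string is the short constant `unknown`, so this is a consistency point rather than an overflow as written: the real implementation in rfc931.c ends with `STRN_CPY(dest, result, STRING_LENGTH);`, and the stub could use the same bounded form if that macro is visible in scaffold.c. A one-line comment such as `/* dest must hold at least STRING_LENGTH bytes */` above the stub would state the contract either way.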
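--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.8
@@ -0,0 +1,34 @@
+.TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual"
+.SH NAME
+safe_finger \- finger client wrapper that protects against nasty stuff
+from finger servers
+.SH SYNOPSIS
+.B safe_finger [finger_options]
+.SH DESCRIPTION
+The
+.B safe_finger
+command protects against nasty stuff from finger servers. Use this
+program for automatic reverse finger probes from the
+.B tcp_wrapper
+.B (tcpd)
+, not the raw finger command. The
+.B safe_finger
+command makes sure that the finger client is not run with root
+privileges. It also runs the finger client with a defined PATH
+environment.
+.B safe_finger
+will also protect you from problems caused by the output of some
+finger servers. The problem: some programs may react to stuff in
+the first column. Other programs may get upset by thrash anywhere
+on a line. File systems may fill up as the finger server keeps
+sending data. Text editors may bomb out on extremely long lines.
+The finger server may take forever because it is somehow wedged.
+.B safe_finger
+takes care of all this badness.
+.SH SEE ALSO
+.BR hosts_access (5),
+.BR hosts_options (5),
+.BR tcpd (8)
+.SH AUTHOR
+Wietse Venema, Eindhoven University of Technology, The Netherlands.
+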
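--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.patch
@@ -0,0 +1,29 @@
+--- tcp-wrappers-7.6-ipv6.1.orig/safe_finger.c
++++ tcp-wrappers-7.6-ipv6.1/safe_finger.c
+@@ -26,21 +26,24 @@
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <pwd.h>
++#include <syslog.h>
+
+ extern void exit();
+
+ /* Local stuff */
+
+-char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin";
++char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin";
+
+ #define TIME_LIMIT 60 /* Do not keep listinging forever */
+ #define INPUT_LENGTH 100000 /* Do not keep listinging forever */
+ #define LINE_LENGTH 128 /* Editors can choke on long lines */
+ #define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */
+ #define UNPRIV_NAME "nobody" /* Preferred privilege level */
+-#define UNPRIV_UGID 32767 /* Default uid and gid */
++#define UNPRIV_UGID 65534 /* Default uid and gid */
+
+ int finger_pid;
++int allow_severity = SEVERITY;
++int deny_severity = LOG_WARNING;
+
+ void cleanup(sig)
+ int sig;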
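Review bot: `UNPRIV_UGID 65534` hard-codes the numeric id that safe_finger drops to, and nothing in the hunk ties it to the target image's passwd database. The code that uses the macro is outside the hunk; going by the existing comment it is the default uid and gid, presumably applied when the `UNPRIV_NAME` lookup fails, so on an image where 65534 is unassigned or belongs to another account the finger client would run under an unintended identity. A comment such as `/* fallback only; must match the image's nobody uid/gid */` would document the assumption. `int allow_severity = SEVERITY;` likewise depends on the build defining `SEVERITY` for this file, which the hunk does not show.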
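--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/sig_fix.patch
@@ -0,0 +1,34 @@
+* Mon Feb 10 2003 Harald Hoyer <harald@redhat.de> 7.6-29
+- added security patch tcp_wrappers-7.6-sig.patch
+
+--- tcp_wrappers_7.6/hosts_access.c.sig 2003-02-10 16:18:31.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.c 2003-02-10 16:50:38.000000000 +0100
+@@ -66,6 +66,7 @@
+
+ #define YES 1
+ #define NO 0
++#define ERR -1
+
+ /*
+ * These variables are globally visible so that they can be redirected in
+@@ -129,9 +129,9 @@
+ return (verdict == AC_PERMIT);
+ if (table_match(hosts_allow_table, request))
+ return (YES);
+- if (table_match(hosts_deny_table, request))
+- return (NO);
+- return (YES);
++ if (table_match(hosts_deny_table, request) == NO)
++ return (YES);
++ return (NO);
+ }
+
+ /* table_match - match table entries with (daemon, client) pair */
+@@ -175,6 +175,7 @@
+ (void) fclose(fp);
+ } else if (errno != ENOENT) {
+ tcpd_warn("cannot open %s: %m", table);
++ match = ERR;
+ }
+ if (match) {
+ if (hosts_access_verbose > 1)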
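Review bot: The new `ERR` value is non-zero, so the unchanged test `if (table_match(hosts_allow_table, request)) return (YES);` still grants access when hosts.allow exists but cannot be opened, assuming table_match returns `match` (its return statement is outside the hunk). Only the hosts.deny call was changed to compare against `NO`; the allow call needs the matching explicit comparison, `if (table_match(hosts_allow_table, request) == YES)`, with an `ERR` result from either table ending in `return (NO);`. The same truthiness applies to `if (match) {` inside table_match, which would report an unreadable table as a match when `hosts_access_verbose > 1`.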
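--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/siglongjmp.patch
@@ -0,0 +1,30 @@
+diff -ruNp tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c
+--- tcp_wrappers_7.6.orig/rfc931.c 2004-08-29 18:42:25.000000000 +0200
++++ tcp_wrappers_7.6/rfc931.c 2004-08-29 18:41:04.000000000 +0200
+@@ -33,7 +33,7 @@ static char sccsid[] = "@(#) rfc931.c 1.
+
+ int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */
+
+-static jmp_buf timebuf;
++static sigjmp_buf timebuf;
+
+ /* fsocket - open stdio stream on top of socket */
+
+@@ -62,7 +62,7 @@ int protocol;
+ static void timeout(sig)
+ int sig;
+ {
+- longjmp(timebuf, sig);
++ siglongjmp(timebuf, sig);
+ }
+
+ /* rfc931 - return remote user name, given socket structures */
+@@ -135,7 +135,7 @@ char *dest;
+ * Set up a timer so we won't get stuck while waiting for the server.
+ */
+
+- if (setjmp(timebuf) == 0) {
++ if (sigsetjmp(timebuf, 0) == 0) {
+ /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */
+ saved_timeout = alarm(0);
+ nact.sa_handler = timeout;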
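Review bot: `sigsetjmp(timebuf, 0)` does not save the signal mask, so when `timeout()` leaves the handler through `siglongjmp` the SIGALRM that was blocked for the handler's duration stays blocked. The handler is installed with `sigaction` and `sa_flags = 0` (restore_sigalarm.patch), so after one ident lookup times out, later alarms in the process, including the caller's timer that the restore code re-arms, would not be delivered. Passing a non-zero savemask, `if (sigsetjmp(timebuf, 1) == 0) {`, restores the mask on the jump. rfc931()'s body continues outside the hunk.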
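--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/size_t.patch
@@ -0,0 +1,42 @@
+diff -ruN tcp_wrappers_7.6.orig/fix_options.c tcp_wrappers_7.6/fix_options.c
+--- tcp_wrappers_7.6.orig/fix_options.c 2003-08-21 03:41:33.000000000 +0200
++++ tcp_wrappers_7.6/fix_options.c 2003-08-21 03:41:27.000000000 +0200
+@@ -38,7 +38,11 @@
+ #ifdef IP_OPTIONS
+ unsigned char optbuf[BUFFER_SIZE / 3], *cp;
+ char lbuf[BUFFER_SIZE], *lp;
++#ifdef __GLIBC__
++ size_t optsize = sizeof(optbuf), ipproto;
++#else
+ int optsize = sizeof(optbuf), ipproto;
++#endif
+ struct protoent *ip;
+ int fd = request->fd;
+ unsigned int opt;
+diff -ruN tcp_wrappers_7.6.orig/socket.c tcp_wrappers_7.6/socket.c
+--- tcp_wrappers_7.6.orig/socket.c 2003-08-21 03:41:33.000000000 +0200
++++ tcp_wrappers_7.6/socket.c 2003-08-21 03:40:51.000000000 +0200
+@@ -90,7 +90,11 @@
+ static struct sockaddr_in client;
+ static struct sockaddr_in server;
+ #endif
++#ifdef __GLIBC__
++ size_t len;
++#else
+ int len;
++#endif
+ char buf[BUFSIZ];
+ int fd = request->fd;
+
+@@ -421,7 +425,11 @@
+ #else
+ struct sockaddr_in sin;
+ #endif
++#ifdef __GLIBC__
++ size_t size = sizeof(sin);
++#else
+ int size = sizeof(sin);
++#endif
+
+ /*
+ * Eat up the not-yet received datagram. Some systems insist on a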
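Review bot: The length variables are declared `size_t` under `__GLIBC__`, but the socket calls that take their address expect a `socklen_t *`; on a 64-bit target `size_t` is wider than `socklen_t`, so the call reads and writes only part of the variable, and on a big-endian target the wrong part. The calls themselves are outside the hunks, so which ones are affected is inferred from the names `optsize`, `len` and `size`. Declaring them as `socklen_t len;` and `socklen_t size = sizeof(sin);` avoids the mismatch wherever that type is defined. In fix_options.c the changed declaration also turns `ipproto` into a `size_t`; `socklen_t optsize = sizeof(optbuf);` with a separate `int ipproto;` keeps its type.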
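--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/tcpdchk_libwrapped.patch
@@ -0,0 +1,39 @@
+diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c
+--- tcp_wrappers_7.6.orig/tcpdchk.c 2003-08-21 02:50:37.000000000 +0200
++++ tcp_wrappers_7.6/tcpdchk.c 2003-08-21 02:50:33.000000000 +0200
+@@ -53,6 +53,24 @@
+ #include "inetcf.h"
+ #include "scaffold.h"
+
++/* list of programs which are known to be linked with libwrap in debian */
++static const char *const libwrap_programs[] = {
++ "portmap", "mountd", "statd", "ugidd",
++ "redir", "rlinetd",
++ "sshd",
++ "atftpd",
++ "diald",
++ "esound",
++ "gdm", "gnome-session",
++ "icecast", "icecast_admin", "icecast_client", "icecast_source",
++ "mysqld",
++ "ntop",
++ "pptpd",
++ "rquotad",
++ "sendmail", "smail",
++ NULL
++};
++
+ /*
+ * Stolen from hosts_access.c...
+ */
+@@ -147,8 +165,8 @@
+ /*
+ * These are not run from inetd but may have built-in access control.
+ */
+- inet_set("portmap", WR_NOT);
+- inet_set("rpcbind", WR_NOT);
++ for (c = 0; libwrap_programs[c]; c++)
++ inet_set(libwrap_programs[c], WR_YES);
+
+ /*
+ * Check accessibility of access control files.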
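Review bot: The replacement list omits `rpcbind`, which the removed `inet_set("rpcbind", WR_NOT);` line covered, so tcpdchk will presumably treat hosts.allow and hosts.deny rules for rpcbind as naming an unknown daemon. By its own comment the table lists programs linked with libwrap in Debian, not what this distribution builds, so the checker can report a rule as fine for a daemon that was built here without libwrap and therefore never consults it. Adding `"rpcbind",` and trimming the table to daemons this layer actually links against libwrap would address both. The loop counter `c` is declared outside the hunk.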
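--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/try-from.8
@@ -0,0 +1,28 @@
+.TH TRY-FROM 8 "21th June 1997" Linux "Linux Programmer's Manual"
+.SH NAME
+try-from \- test program for the tcp_wrapper
+.SH SYNOPSIS
+.B try-from
+.SH DESCRIPTION
+The
+.B try-from
+command can be called via a remote shell command to find out
+if the hostname and address are properly recognized
+by the
+.B tcp_wrapper
+library, if username lookup works, and (SysV only) if the TLI
+on top of IP heuristics work. Diagnostics are reported through
+.BR syslog (3)
+and redirected to stderr.
+
+Example:
+
+rsh host /some/where/try-from
+
+.SH SEE ALSO
+.BR hosts_access (5),
+.BR hosts_options (5),
+.BR tcpd (8)
+.SH AUTHOR
+Wietse Venema, Eindhoven University of Technology, The Netherlands.
+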
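--- /dev/null
+++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers_7.6.bb
@@ -0,0 +1,117 @@
+DESCRIPTION = "Tools for monitoring and filtering incoming requests for tcp \
+ services."
+PRIORITY = "optional"
+SECTION = "console/network"
+
+LICENSE = "tcp-wrappers"
+LIC_FILES_CHKSUM = "file://DISCLAIMER;md5=071bd69cb78b18888ea5e3da5c3127fa"
+PR ="r0"
+
+
+PACKAGES = "${PN}-dbg libwrap libwrap-doc libwrap-dev tcp-wrappers tcp-wrappers-doc"
+FILES_libwrap = "${base_libdir}/lib*.so.*"
+FILES_libwrap-doc = "${mandir}/man3 ${mandir}/man5"
+FILES_libwrap-dev = "${libdir}/lib*.so ${libdir}/lib*.a ${includedir}"
+FILES_tcp-wrappers = "${bindir}"
+FILES_tcp-wrappers-doc = "${mandir}/man8"
+
+SRC_URI = "ftp://ftp.porcupine.org/pub/security/tcp_wrappers_${PV}.tar.gz \
+ file://00_man_quoting.diff \
+ file://01_man_portability.patch \
+ file://05_wildcard_matching.patch \
+ file://06_fix_gethostbyname.patch \
+ file://10_usagi-ipv6.patch \
+ file://11_tcpd_blacklist.patch \
+ file://11_usagi_fix.patch \
+ file://12_makefile_config.patch \
+ file://13_shlib_weaksym.patch \
+ file://14_cidr_support.patch \
+ file://15_match_clarify.patch \
+ file://expand_remote_port.patch \
+ file://have_strerror.patch \
+ file://man_fromhost.patch \
+ file://restore_sigalarm.patch \
+ file://rfc931.diff \
+ file://safe_finger.patch \
+ file://sig_fix.patch \
+ file://siglongjmp.patch \
+ file://size_t.patch \
+ file://tcpdchk_libwrapped.patch \
+ file://ldflags.patch \
+ \
+ file://try-from.8 \
+ file://safe_finger.8"
+
+S = "${WORKDIR}/tcp_wrappers_${PV}"
+
+PARALLEL_MAKE = ""
+EXTRA_OEMAKE = "'CC=${CC}' \
+ 'AR=${AR}' \
+ 'RANLIB=${RANLIB}' \
+ 'REAL_DAEMON_DIR=${sbindir}' \
+ 'STYLE=-DPROCESS_OPTIONS' \
+ 'FACILITY=LOG_DAEMON' \
+ 'SEVERITY=LOG_INFO' \
+ 'BUGS=' \
+ 'VSYSLOG=' \
+ 'RFC931_TIMEOUT=10' \
+ 'ACCESS=-DHOSTS_ACCESS' \
+ 'KILL_OPT=-DKILL_IP_OPTIONS' \
+ 'UMASK=-DDAEMON_UMASK=022' \
+ 'NETGROUP=${EXTRA_OEMAKE_NETGROUP}' \
+ 'LIBS=-lnsl' \
+ 'ARFLAGS=rv' \
+ 'AUX_OBJ=weak_symbols.o' \
+ 'TLI=' \
+ 'COPTS=' \
+ 'EXTRA_CFLAGS=${CFLAGS} -DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len'"
+
+EXTRA_OEMAKE_NETGROUP = "-DNETGROUP -DUSE_GETDOMAIN"
+EXTRA_OEMAKE_NETGROUP_linux-uclibc = "-DUSE_GETDOMAIN"
+EXTRA_OEMAKE_NETGROUP_linux-uclibceabi = "-DUSE_GETDOMAIN"
+
+do_compile () {
+ oe_runmake 'TABLES=-DHOSTS_DENY=\"${sysconfdir}/hosts.deny\" -DHOSTS_ALLOW=\"${sysconfdir}/hosts.allow\"' \
+ all
+}
+
+BINS = "safe_finger tcpd tcpdchk try-from tcpdmatch"
+MANS3 = "hosts_access"
+MANS5 = "hosts_options"
+MANS8 = "tcpd tcpdchk tcpdmatch"
+do_install () {
+ oe_libinstall -a libwrap ${D}${libdir}
+ oe_libinstall -C shared -so libwrap ${D}${base_libdir}
+
+ rel_lib_prefix=`echo ${libdir} | sed 's,\(^/\|\)[^/][^/]*,..,g'`
+ libname=`readlink ${D}${base_libdir}/libwrap.so | xargs basename`
+ ln -s ${rel_lib_prefix}${base_libdir}/${libname} ${D}${libdir}/libwrap.so
+ rm -f ${D}${base_libdir}/libwrap.so
+
+ install -d ${D}${sbindir}
+ for b in ${BINS}; do
+ install -m 0755 $b ${D}${sbindir}/ || exit 1
+ done
+
+ install -d ${D}${mandir}/man3
+ for m in ${MANS3}; do
+ install -m 0644 $m.3 ${D}${mandir}/man3/ || exit 1
+ done
+
+ install -d ${D}${mandir}/man5
+ for m in ${MANS5}; do
+ install -m 0644 $m.5 ${D}${mandir}/man5/ || exit 1
+ done
+
+ install -d ${D}${mandir}/man8
+ for m in ${MANS8}; do
+ install -m 0644 $m.8 ${D}${mandir}/man8/ || exit 1
+ done
+
+ install -m 0644 ${WORKDIR}/try-from.8 ${D}${mandir}/man8/
+ install -m 0644 ${WORKDIR}/safe_finger.8 ${D}${mandir}/man8/
+
+ install -d ${D}${includedir}
+ install -m 0644 tcpd.h ${D}${includedir}/
+}
+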
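Review bot: `SRC_URI` fetches `tcp_wrappers_${PV}.tar.gz` over plain FTP and the recipe carries no checksum for it, so a corrupted or substituted tarball would be built into libwrap and tcpd unnoticed. `LIC_FILES_CHKSUM` covers only the DISCLAIMER file. Adding `SRC_URI[md5sum] = "<md5 of the release tarball>"` and `SRC_URI[sha256sum] = "<sha256 of the release tarball>"` pins the source. In `do_install`, the backtick `readlink ... | xargs basename` result goes into `ln -s` unchecked, so a missing shared library yields a wrong link instead of a failed build; a test that `libname` is non-empty, in the spirit of the `|| exit 1` on the `install` loops, would catch that.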