diff options
Diffstat (limited to 'meta/recipes-extended/tcp-wrappers')
26 files changed, 3005 insertions, 0 deletions
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/00_man_quoting.diff b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/00_man_quoting.diff new file mode 100644 index 0000000000..16d6719cbc --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/00_man_quoting.diff | |||
@@ -0,0 +1,77 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
4 | --- tcp_wrappers_7.6.orig/hosts_access.5 1995-01-30 19:51:47.000000000 +0100 | ||
5 | +++ tcp_wrappers_7.6/hosts_access.5 2004-04-09 16:59:45.000000000 +0200 | ||
6 | @@ -173,7 +173,7 @@ | ||
7 | Patterns like these can be used when the machine has different internet | ||
8 | addresses with different internet hostnames. Service providers can use | ||
9 | this facility to offer FTP, GOPHER or WWW archives with internet names | ||
10 | -that may even belong to different organizations. See also the `twist' | ||
11 | +that may even belong to different organizations. See also the `twist\' | ||
12 | option in the hosts_options(5) document. Some systems (Solaris, | ||
13 | FreeBSD) can have more than one internet address on one physical | ||
14 | interface; with other systems you may have to resort to SLIP or PPP | ||
15 | @@ -236,10 +236,10 @@ | ||
16 | Before accepting a client request, the wrappers can use the IDENT | ||
17 | service to find out that the client did not send the request at all. | ||
18 | When the client host provides IDENT service, a negative IDENT lookup | ||
19 | -result (the client matches `UNKNOWN@host') is strong evidence of a host | ||
20 | +result (the client matches `UNKNOWN@host\') is strong evidence of a host | ||
21 | spoofing attack. | ||
22 | .PP | ||
23 | -A positive IDENT lookup result (the client matches `KNOWN@host') is | ||
24 | +A positive IDENT lookup result (the client matches `KNOWN@host\') is | ||
25 | less trustworthy. It is possible for an intruder to spoof both the | ||
26 | client connection and the IDENT lookup, although doing so is much | ||
27 | harder than spoofing just a client connection. It may also be that | ||
28 | diff -ruN tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5 | ||
29 | --- tcp_wrappers_7.6.orig/hosts_options.5 1994-12-28 17:42:29.000000000 +0100 | ||
30 | +++ tcp_wrappers_7.6/hosts_options.5 2004-04-09 16:59:49.000000000 +0200 | ||
31 | @@ -124,7 +124,7 @@ | ||
32 | value is taken. | ||
33 | .SH MISCELLANEOUS | ||
34 | .IP "banners /some/directory" | ||
35 | -Look for a file in `/some/directory' with the same name as the daemon | ||
36 | +Look for a file in `/some/directory\' with the same name as the daemon | ||
37 | process (for example in.telnetd for the telnet service), and copy its | ||
38 | contents to the client. Newline characters are replaced by | ||
39 | carriage-return newline, and %<letter> sequences are expanded (see | ||
40 | diff -ruN tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8 | ||
41 | --- tcp_wrappers_7.6.orig/tcpdmatch.8 1996-02-11 17:01:36.000000000 +0100 | ||
42 | +++ tcp_wrappers_7.6/tcpdmatch.8 2004-04-09 17:00:49.000000000 +0200 | ||
43 | @@ -26,7 +26,7 @@ | ||
44 | A daemon process name. Typically, the last component of a daemon | ||
45 | executable pathname. | ||
46 | .IP client | ||
47 | -A host name or network address, or one of the `unknown' or `paranoid' | ||
48 | +A host name or network address, or one of the `unknown\' or `paranoid\' | ||
49 | wildcard patterns. | ||
50 | .sp | ||
51 | When a client host name is specified, \fItcpdmatch\fR gives a | ||
52 | @@ -37,13 +37,13 @@ | ||
53 | .PP | ||
54 | Optional information specified with the \fIdaemon@server\fR form: | ||
55 | .IP server | ||
56 | -A host name or network address, or one of the `unknown' or `paranoid' | ||
57 | -wildcard patterns. The default server name is `unknown'. | ||
58 | +A host name or network address, or one of the `unknown\' or `paranoid\' | ||
59 | +wildcard patterns. The default server name is `unknown\'. | ||
60 | .PP | ||
61 | Optional information specified with the \fIuser@client\fR form: | ||
62 | .IP user | ||
63 | A client user identifier. Typically, a login name or a numeric userid. | ||
64 | -The default user name is `unknown'. | ||
65 | +The default user name is `unknown\'. | ||
66 | .SH OPTIONS | ||
67 | .IP -d | ||
68 | Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current | ||
69 | @@ -70,7 +70,7 @@ | ||
70 | .ti +5 | ||
71 | tcpdmatch in.telnetd paranoid | ||
72 | .PP | ||
73 | -On some systems, daemon names have no `in.' prefix, or \fItcpdmatch\fR | ||
74 | +On some systems, daemon names have no `in.\' prefix, or \fItcpdmatch\fR | ||
75 | may need some help to locate the inetd configuration file. | ||
76 | .SH FILES | ||
77 | .PP | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch new file mode 100644 index 0000000000..9a735bff6d --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch | |||
@@ -0,0 +1,250 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruNp tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3 | ||
4 | --- tcp_wrappers_7.6.orig/hosts_access.3 2005-03-09 18:30:25.000000000 +0100 | ||
5 | +++ tcp_wrappers_7.6/hosts_access.3 2005-03-09 18:27:03.000000000 +0100 | ||
6 | @@ -3,7 +3,7 @@ | ||
7 | hosts_access, hosts_ctl, request_init, request_set \- access control library | ||
8 | .SH SYNOPSIS | ||
9 | .nf | ||
10 | -#include "tcpd.h" | ||
11 | +#include <tcpd.h> | ||
12 | |||
13 | extern int allow_severity; | ||
14 | extern int deny_severity; | ||
15 | diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
16 | --- tcp_wrappers_7.6.orig/hosts_access.5 2005-03-09 18:30:25.000000000 +0100 | ||
17 | +++ tcp_wrappers_7.6/hosts_access.5 2005-03-09 18:30:18.000000000 +0100 | ||
18 | @@ -8,9 +8,9 @@ name, host name/address) patterns. Exam | ||
19 | impatient reader is encouraged to skip to the EXAMPLES section for a | ||
20 | quick introduction. | ||
21 | .PP | ||
22 | -An extended version of the access control language is described in the | ||
23 | -\fIhosts_options\fR(5) document. The extensions are turned on at | ||
24 | -program build time by building with -DPROCESS_OPTIONS. | ||
25 | +The extended version of the access control language is described in the | ||
26 | +\fIhosts_options\fR(5) document. \fBNote that this language supersedes | ||
27 | +the meaning of \fIshell_command\fB as documented below.\fR | ||
28 | .PP | ||
29 | In the following text, \fIdaemon\fR is the the process name of a | ||
30 | network daemon process, and \fIclient\fR is the name and/or address of | ||
31 | @@ -346,8 +346,8 @@ in.tftpd: LOCAL, .my.domain | ||
32 | /etc/hosts.deny: | ||
33 | .in +3 | ||
34 | .nf | ||
35 | -in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\ | ||
36 | - /usr/ucb/mail -s %d-%h root) & | ||
37 | +in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\ | ||
38 | + /usr/bin/mail -s %d-%h root) & | ||
39 | .fi | ||
40 | .PP | ||
41 | The safe_finger command comes with the tcpd wrapper and should be | ||
42 | @@ -383,6 +383,7 @@ that shouldn\'t. All problems are repor | ||
43 | .fi | ||
44 | .SH SEE ALSO | ||
45 | .nf | ||
46 | +hosts_options(5) extended syntax. | ||
47 | tcpd(8) tcp/ip daemon wrapper program. | ||
48 | tcpdchk(8), tcpdmatch(8), test programs. | ||
49 | .SH BUGS | ||
50 | diff -ruNp tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5 | ||
51 | --- tcp_wrappers_7.6.orig/hosts_options.5 2005-03-09 18:30:24.000000000 +0100 | ||
52 | +++ tcp_wrappers_7.6/hosts_options.5 2005-03-09 18:27:03.000000000 +0100 | ||
53 | @@ -2,10 +2,8 @@ | ||
54 | .SH NAME | ||
55 | hosts_options \- host access control language extensions | ||
56 | .SH DESCRIPTION | ||
57 | -This document describes optional extensions to the language described | ||
58 | -in the hosts_access(5) document. The extensions are enabled at program | ||
59 | -build time. For example, by editing the Makefile and turning on the | ||
60 | -PROCESS_OPTIONS compile-time option. | ||
61 | +This document describes extensions to the language described | ||
62 | +in the hosts_access(5) document. | ||
63 | .PP | ||
64 | The extensible language uses the following format: | ||
65 | .sp | ||
66 | @@ -58,12 +56,12 @@ Notice the leading dot on the domain nam | ||
67 | Execute, in a child process, the specified shell command, after | ||
68 | performing the %<letter> expansions described in the hosts_access(5) | ||
69 | manual page. The command is executed with stdin, stdout and stderr | ||
70 | -connected to the null device, so that it won\'t mess up the | ||
71 | +connected to the null device, so that it won't mess up the | ||
72 | conversation with the client host. Example: | ||
73 | .sp | ||
74 | .nf | ||
75 | .ti +3 | ||
76 | -spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) & | ||
77 | +spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) & | ||
78 | .fi | ||
79 | .sp | ||
80 | executes, in a background child process, the shell command "safe_finger | ||
81 | diff -ruNp tcp_wrappers_7.6.orig/inetcf.c tcp_wrappers_7.6/inetcf.c | ||
82 | --- tcp_wrappers_7.6.orig/inetcf.c 1997-02-12 02:13:24.000000000 +0100 | ||
83 | +++ tcp_wrappers_7.6/inetcf.c 2005-03-09 18:27:03.000000000 +0100 | ||
84 | @@ -26,13 +26,17 @@ extern void exit(); | ||
85 | * guesses. Shorter names follow longer ones. | ||
86 | */ | ||
87 | char *inet_files[] = { | ||
88 | +#if 0 | ||
89 | "/private/etc/inetd.conf", /* NEXT */ | ||
90 | "/etc/inet/inetd.conf", /* SYSV4 */ | ||
91 | "/usr/etc/inetd.conf", /* IRIX?? */ | ||
92 | +#endif | ||
93 | "/etc/inetd.conf", /* BSD */ | ||
94 | +#if 0 | ||
95 | "/etc/net/tlid.conf", /* SYSV4?? */ | ||
96 | "/etc/saf/tlid.conf", /* SYSV4?? */ | ||
97 | "/etc/tlid.conf", /* SYSV4?? */ | ||
98 | +#endif | ||
99 | 0, | ||
100 | }; | ||
101 | |||
102 | diff -ruNp tcp_wrappers_7.6.orig/tcpd.8 tcp_wrappers_7.6/tcpd.8 | ||
103 | --- tcp_wrappers_7.6.orig/tcpd.8 1996-02-21 16:39:16.000000000 +0100 | ||
104 | +++ tcp_wrappers_7.6/tcpd.8 2005-03-09 18:27:03.000000000 +0100 | ||
105 | @@ -12,7 +12,11 @@ The program supports both 4.3BSD-style s | ||
106 | TLI. Functionality may be limited when the protocol underneath TLI is | ||
107 | not an internet protocol. | ||
108 | .PP | ||
109 | -Operation is as follows: whenever a request for service arrives, the | ||
110 | +There are two possible modes of operation: execution of \fItcpd\fP | ||
111 | +before a service started by \fIinetd\fP, or linking a daemon with | ||
112 | +the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3) | ||
113 | +manual page. Operation when started by \fIinetd\fP | ||
114 | +is as follows: whenever a request for service arrives, the | ||
115 | \fIinetd\fP daemon is tricked into running the \fItcpd\fP program | ||
116 | instead of the desired server. \fItcpd\fP logs the request and does | ||
117 | some additional checks. When all is well, \fItcpd\fP runs the | ||
118 | @@ -88,11 +92,11 @@ configuration files. | ||
119 | .sp | ||
120 | .in +5 | ||
121 | # mkdir /other/place | ||
122 | -# mv /usr/etc/in.fingerd /other/place | ||
123 | -# cp tcpd /usr/etc/in.fingerd | ||
124 | +# mv /usr/sbin/in.fingerd /other/place | ||
125 | +# cp tcpd /usr/sbin/in.fingerd | ||
126 | .fi | ||
127 | .PP | ||
128 | -The example assumes that the network daemons live in /usr/etc. On some | ||
129 | +The example assumes that the network daemons live in /usr/sbin. On some | ||
130 | systems, network daemons live in /usr/sbin or in /usr/libexec, or have | ||
131 | no `in.\' prefix to their name. | ||
132 | .SH EXAMPLE 2 | ||
133 | @@ -101,35 +105,34 @@ are left in their original place. | ||
134 | .PP | ||
135 | In order to monitor access to the \fIfinger\fR service, perform the | ||
136 | following edits on the \fIinetd\fR configuration file (usually | ||
137 | -\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR): | ||
138 | +\fI/etc/inetd.conf\fR): | ||
139 | .nf | ||
140 | .sp | ||
141 | .ti +5 | ||
142 | -finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd | ||
143 | +finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd | ||
144 | .sp | ||
145 | becomes: | ||
146 | .sp | ||
147 | .ti +5 | ||
148 | -finger stream tcp nowait nobody /some/where/tcpd in.fingerd | ||
149 | +finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd | ||
150 | .sp | ||
151 | .fi | ||
152 | .PP | ||
153 | -The example assumes that the network daemons live in /usr/etc. On some | ||
154 | +The example assumes that the network daemons live in /usr/sbin. On some | ||
155 | systems, network daemons live in /usr/sbin or in /usr/libexec, the | ||
156 | daemons have no `in.\' prefix to their name, or there is no userid | ||
157 | field in the inetd configuration file. | ||
158 | .PP | ||
159 | Similar changes will be needed for the other services that are to be | ||
160 | covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8) | ||
161 | -process to make the changes effective. AIX users may also have to | ||
162 | -execute the `inetimp\' command. | ||
163 | +process to make the changes effective. | ||
164 | .SH EXAMPLE 3 | ||
165 | In the case of daemons that do not live in a common directory ("secret" | ||
166 | or otherwise), edit the \fIinetd\fR configuration file so that it | ||
167 | specifies an absolute path name for the process name field. For example: | ||
168 | .nf | ||
169 | .sp | ||
170 | - ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd | ||
171 | + ntalk dgram udp wait root /usr/sbin/tcpd /usr/local/lib/ntalkd | ||
172 | .sp | ||
173 | .fi | ||
174 | .PP | ||
175 | @@ -164,6 +167,7 @@ The default locations of the host access | ||
176 | .SH SEE ALSO | ||
177 | .na | ||
178 | .nf | ||
179 | +hosts_access(3), functions provided by the libwrap library. | ||
180 | hosts_access(5), format of the tcpd access control tables. | ||
181 | syslog.conf(5), format of the syslogd control file. | ||
182 | inetd.conf(5), format of the inetd control file. | ||
183 | diff -ruNp tcp_wrappers_7.6.orig/tcpdchk.8 tcp_wrappers_7.6/tcpdchk.8 | ||
184 | --- tcp_wrappers_7.6.orig/tcpdchk.8 1995-01-08 17:00:31.000000000 +0100 | ||
185 | +++ tcp_wrappers_7.6/tcpdchk.8 2005-03-09 18:27:03.000000000 +0100 | ||
186 | @@ -9,8 +9,8 @@ tcpdchk [-a] [-d] [-i inet_conf] [-v] | ||
187 | potential and real problems it can find. The program examines the | ||
188 | \fItcpd\fR access control files (by default, these are | ||
189 | \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the | ||
190 | -entries in these files against entries in the \fIinetd\fR or \fItlid\fR | ||
191 | -network configuration files. | ||
192 | +entries in these files against entries in the \fIinetd\fR | ||
193 | +network configuration file. | ||
194 | .PP | ||
195 | \fItcpdchk\fR reports problems such as non-existent pathnames; services | ||
196 | that appear in \fItcpd\fR access control rules, but are not controlled | ||
197 | @@ -26,14 +26,13 @@ problem. | ||
198 | .SH OPTIONS | ||
199 | .IP -a | ||
200 | Report access control rules that permit access without an explicit | ||
201 | -ALLOW keyword. This applies only when the extended access control | ||
202 | -language is enabled (build with -DPROCESS_OPTIONS). | ||
203 | +ALLOW keyword. | ||
204 | .IP -d | ||
205 | Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current | ||
206 | directory instead of the default ones. | ||
207 | .IP "-i inet_conf" | ||
208 | Specify this option when \fItcpdchk\fR is unable to find your | ||
209 | -\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when | ||
210 | +\fIinetd.conf\fR network configuration file, or when | ||
211 | you suspect that the program uses the wrong one. | ||
212 | .IP -v | ||
213 | Display the contents of each access control rule. Daemon lists, client | ||
214 | @@ -54,7 +53,6 @@ tcpdmatch(8), explain what tcpd would do | ||
215 | hosts_access(5), format of the tcpd access control tables. | ||
216 | hosts_options(5), format of the language extensions. | ||
217 | inetd.conf(5), format of the inetd control file. | ||
218 | -tlid.conf(5), format of the tlid control file. | ||
219 | .SH AUTHORS | ||
220 | .na | ||
221 | .nf | ||
222 | diff -ruNp tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8 | ||
223 | --- tcp_wrappers_7.6.orig/tcpdmatch.8 2005-03-09 18:30:24.000000000 +0100 | ||
224 | +++ tcp_wrappers_7.6/tcpdmatch.8 2005-03-09 18:27:03.000000000 +0100 | ||
225 | @@ -13,7 +13,7 @@ request for service. Examples are given | ||
226 | The program examines the \fItcpd\fR access control tables (default | ||
227 | \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR) and prints its | ||
228 | conclusion. For maximal accuracy, it extracts additional information | ||
229 | -from your \fIinetd\fR or \fItlid\fR network configuration file. | ||
230 | +from your \fIinetd\fR network configuration file. | ||
231 | .PP | ||
232 | When \fItcpdmatch\fR finds a match in the access control tables, it | ||
233 | identifies the matched rule. In addition, it displays the optional | ||
234 | @@ -50,7 +50,7 @@ Examine \fIhosts.allow\fR and \fIhosts.d | ||
235 | directory instead of the default ones. | ||
236 | .IP "-i inet_conf" | ||
237 | Specify this option when \fItcpdmatch\fR is unable to find your | ||
238 | -\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when | ||
239 | +\fIinetd.conf\fR network configuration file, or when | ||
240 | you suspect that the program uses the wrong one. | ||
241 | .SH EXAMPLES | ||
242 | To predict how \fItcpd\fR would handle a telnet request from the local | ||
243 | @@ -86,7 +86,6 @@ tcpdchk(8), tcpd configuration checker | ||
244 | hosts_access(5), format of the tcpd access control tables. | ||
245 | hosts_options(5), format of the language extensions. | ||
246 | inetd.conf(5), format of the inetd control file. | ||
247 | -tlid.conf(5), format of the tlid control file. | ||
248 | .SH AUTHORS | ||
249 | .na | ||
250 | .nf | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch new file mode 100644 index 0000000000..9e188027fc --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch | |||
@@ -0,0 +1,105 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17847 | ||
4 | |||
5 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
6 | --- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 18:54:33.000000000 +0200 | ||
7 | +++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 18:54:27.000000000 +0200 | ||
8 | @@ -89,6 +89,10 @@ | ||
9 | bitwise AND of the address and the `mask\'. For example, the net/mask | ||
10 | pattern `131.155.72.0/255.255.254.0\' matches every address in the | ||
11 | range `131.155.72.0\' through `131.155.73.255\'. | ||
12 | +.IP \(bu | ||
13 | +Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This | ||
14 | +method of matching cannot be used in conjunction with `net/mask\' matching, | ||
15 | +hostname matching beginning with `.\' or IP address matching ending with `.\'. | ||
16 | .SH WILDCARDS | ||
17 | The access control language supports explicit wildcards: | ||
18 | .IP ALL | ||
19 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c | ||
20 | --- tcp_wrappers_7.6.orig/hosts_access.c 1997-02-12 02:13:23.000000000 +0100 | ||
21 | +++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 18:52:21.000000000 +0200 | ||
22 | @@ -289,6 +289,11 @@ | ||
23 | { | ||
24 | int n; | ||
25 | |||
26 | +#ifndef DISABLE_WILDCARD_MATCHING | ||
27 | + if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */ | ||
28 | + return (match_pattern_ylo(string,tok)); | ||
29 | + } else | ||
30 | +#endif | ||
31 | if (tok[0] == '.') { /* suffix */ | ||
32 | n = strlen(string) - strlen(tok); | ||
33 | return (n > 0 && STR_EQ(tok, string + n)); | ||
34 | @@ -329,3 +334,71 @@ | ||
35 | } | ||
36 | return ((addr & mask) == net); | ||
37 | } | ||
38 | + | ||
39 | +#ifndef DISABLE_WILDCARD_MATCHING | ||
40 | +/* Note: this feature has been adapted in a pretty straightforward way | ||
41 | + from Tatu Ylonen's last SSH version under free license by | ||
42 | + Pekka Savola <pekkas@netcore.fi>. | ||
43 | + | ||
44 | + Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
45 | +*/ | ||
46 | + | ||
47 | +/* Returns true if the given string matches the pattern (which may contain | ||
48 | + ? and * as wildcards), and zero if it does not match. */ | ||
49 | + | ||
50 | +int match_pattern_ylo(const char *s, const char *pattern) | ||
51 | +{ | ||
52 | + while (1) | ||
53 | + { | ||
54 | + /* If at end of pattern, accept if also at end of string. */ | ||
55 | + if (!*pattern) | ||
56 | + return !*s; | ||
57 | + | ||
58 | + /* Process '*'. */ | ||
59 | + if (*pattern == '*') | ||
60 | + { | ||
61 | + /* Skip the asterisk. */ | ||
62 | + pattern++; | ||
63 | + | ||
64 | + /* If at end of pattern, accept immediately. */ | ||
65 | + if (!*pattern) | ||
66 | + return 1; | ||
67 | + | ||
68 | + /* If next character in pattern is known, optimize. */ | ||
69 | + if (*pattern != '?' && *pattern != '*') | ||
70 | + { | ||
71 | + /* Look instances of the next character in pattern, and try | ||
72 | + to match starting from those. */ | ||
73 | + for (; *s; s++) | ||
74 | + if (*s == *pattern && | ||
75 | + match_pattern_ylo(s + 1, pattern + 1)) | ||
76 | + return 1; | ||
77 | + /* Failed. */ | ||
78 | + return 0; | ||
79 | + } | ||
80 | + | ||
81 | + /* Move ahead one character at a time and try to match at each | ||
82 | + position. */ | ||
83 | + for (; *s; s++) | ||
84 | + if (match_pattern_ylo(s, pattern)) | ||
85 | + return 1; | ||
86 | + /* Failed. */ | ||
87 | + return 0; | ||
88 | + } | ||
89 | + | ||
90 | + /* There must be at least one more character in the string. If we are | ||
91 | + at the end, fail. */ | ||
92 | + if (!*s) | ||
93 | + return 0; | ||
94 | + | ||
95 | + /* Check if the next character of the string is acceptable. */ | ||
96 | + if (*pattern != '?' && *pattern != *s) | ||
97 | + return 0; | ||
98 | + | ||
99 | + /* Move to the next character, both in string and in pattern. */ | ||
100 | + s++; | ||
101 | + pattern++; | ||
102 | + } | ||
103 | + /*NOTREACHED*/ | ||
104 | +} | ||
105 | +#endif /* DISABLE_WILDCARD_MATCHING */ | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch new file mode 100644 index 0000000000..725f4b5957 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch | |||
@@ -0,0 +1,32 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | * Mon Feb 5 2001 Preston Brown <pbrown@redhat.com> | ||
4 | - fix gethostbyname to work better with dot "." notation (#16949) | ||
5 | |||
6 | --- tcp_wrappers_7.6/socket.c.fixgethostbyname Fri Mar 21 13:27:25 1997 | ||
7 | +++ tcp_wrappers_7.6/socket.c Mon Feb 5 14:09:40 2001 | ||
8 | @@ -52,7 +52,8 @@ | ||
9 | char *name; | ||
10 | { | ||
11 | char dot_name[MAXHOSTNAMELEN + 1]; | ||
12 | - | ||
13 | + struct hostent *hp; | ||
14 | + | ||
15 | /* | ||
16 | * Don't append dots to unqualified names. Such names are likely to come | ||
17 | * from local hosts files or from NIS. | ||
18 | @@ -61,8 +62,12 @@ | ||
19 | if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) { | ||
20 | return (gethostbyname(name)); | ||
21 | } else { | ||
22 | - sprintf(dot_name, "%s.", name); | ||
23 | - return (gethostbyname(dot_name)); | ||
24 | + sprintf(dot_name, "%s.", name); | ||
25 | + hp = gethostbyname(dot_name); | ||
26 | + if (hp) | ||
27 | + return hp; | ||
28 | + else | ||
29 | + return (gethostbyname(name)); | ||
30 | } | ||
31 | } | ||
32 | |||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6.patch new file mode 100644 index 0000000000..96d47c39f4 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6.patch | |||
@@ -0,0 +1,1255 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruN tcp_wrappers_7.6.orig/fix_options.c tcp_wrappers_7.6/fix_options.c | ||
4 | --- tcp_wrappers_7.6.orig/fix_options.c 1997-04-08 02:29:19.000000000 +0200 | ||
5 | +++ tcp_wrappers_7.6/fix_options.c 2004-04-10 19:07:43.000000000 +0200 | ||
6 | @@ -11,6 +11,9 @@ | ||
7 | |||
8 | #include <sys/types.h> | ||
9 | #include <sys/param.h> | ||
10 | +#ifdef INET6 | ||
11 | +#include <sys/socket.h> | ||
12 | +#endif | ||
13 | #include <netinet/in.h> | ||
14 | #include <netinet/in_systm.h> | ||
15 | #include <netinet/ip.h> | ||
16 | @@ -41,6 +44,22 @@ | ||
17 | unsigned int opt; | ||
18 | int optlen; | ||
19 | struct in_addr dummy; | ||
20 | +#ifdef INET6 | ||
21 | + struct sockaddr_storage ss; | ||
22 | + int sslen; | ||
23 | + | ||
24 | + /* | ||
25 | + * check if this is AF_INET socket | ||
26 | + * XXX IPv6 support? | ||
27 | + */ | ||
28 | + sslen = sizeof(ss); | ||
29 | + if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) { | ||
30 | + syslog(LOG_ERR, "getpeername: %m"); | ||
31 | + clean_exit(request); | ||
32 | + } | ||
33 | + if (ss.ss_family != AF_INET) | ||
34 | + return; | ||
35 | +#endif | ||
36 | |||
37 | if ((ip = getprotobyname("ip")) != 0) | ||
38 | ipproto = ip->p_proto; | ||
39 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
40 | --- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:22:58.000000000 +0200 | ||
41 | +++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:07:43.000000000 +0200 | ||
42 | @@ -85,11 +85,18 @@ | ||
43 | for daemon process names or for client user names. | ||
44 | .IP \(bu | ||
45 | An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a | ||
46 | -`net/mask\' pair. A host address is matched if `net\' is equal to the | ||
47 | +`net/mask\' pair. An IPv4 host address is matched if `net\' is equal to the | ||
48 | bitwise AND of the address and the `mask\'. For example, the net/mask | ||
49 | pattern `131.155.72.0/255.255.254.0\' matches every address in the | ||
50 | range `131.155.72.0\' through `131.155.73.255\'. | ||
51 | .IP \(bu | ||
52 | +An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a | ||
53 | +`[net]/prefixlen\' pair. An IPv6 host address is matched if | ||
54 | +`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the | ||
55 | +address. For example, the [net]/prefixlen pattern | ||
56 | +`[3ffe:505:2:1::]/64\' matches every address in the range | ||
57 | +`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'. | ||
58 | +.IP \(bu | ||
59 | Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This | ||
60 | method of matching cannot be used in conjunction with `net/mask\' matching, | ||
61 | hostname matching beginning with `.\' or IP address matching ending with `.\'. | ||
62 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c | ||
63 | --- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:22:58.000000000 +0200 | ||
64 | +++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:07:43.000000000 +0200 | ||
65 | @@ -24,7 +24,13 @@ | ||
66 | /* System libraries. */ | ||
67 | |||
68 | #include <sys/types.h> | ||
69 | +#ifdef INT32_T | ||
70 | + typedef uint32_t u_int32_t; | ||
71 | +#endif | ||
72 | #include <sys/param.h> | ||
73 | +#ifdef INET6 | ||
74 | +#include <sys/socket.h> | ||
75 | +#endif | ||
76 | #include <netinet/in.h> | ||
77 | #include <arpa/inet.h> | ||
78 | #include <stdio.h> | ||
79 | @@ -33,6 +39,9 @@ | ||
80 | #include <errno.h> | ||
81 | #include <setjmp.h> | ||
82 | #include <string.h> | ||
83 | +#ifdef INET6 | ||
84 | +#include <netdb.h> | ||
85 | +#endif | ||
86 | |||
87 | extern char *fgets(); | ||
88 | extern int errno; | ||
89 | @@ -82,6 +91,10 @@ | ||
90 | static int host_match(); | ||
91 | static int string_match(); | ||
92 | static int masked_match(); | ||
93 | +#ifdef INET6 | ||
94 | +static int masked_match4(); | ||
95 | +static int masked_match6(); | ||
96 | +#endif | ||
97 | |||
98 | /* Size of logical line buffer. */ | ||
99 | |||
100 | @@ -289,6 +302,13 @@ | ||
101 | { | ||
102 | int n; | ||
103 | |||
104 | +#ifdef INET6 | ||
105 | + /* convert IPv4 mapped IPv6 address to IPv4 address */ | ||
106 | + if (STRN_EQ(string, "::ffff:", 7) | ||
107 | + && dot_quad_addr(string + 7) != INADDR_NONE) { | ||
108 | + string += 7; | ||
109 | + } | ||
110 | +#endif | ||
111 | #ifndef DISABLE_WILDCARD_MATCHING | ||
112 | if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */ | ||
113 | return (match_pattern_ylo(string,tok)); | ||
114 | @@ -304,20 +324,72 @@ | ||
115 | } else if (tok[(n = strlen(tok)) - 1] == '.') { /* prefix */ | ||
116 | return (STRN_EQ(tok, string, n)); | ||
117 | } else { /* exact match */ | ||
118 | +#ifdef INET6 | ||
119 | + struct addrinfo hints, *res; | ||
120 | + struct sockaddr_in6 pat, addr; | ||
121 | + int len, ret; | ||
122 | + char ch; | ||
123 | + | ||
124 | + len = strlen(tok); | ||
125 | + if (*tok == '[' && tok[len - 1] == ']') { | ||
126 | + ch = tok[len - 1]; | ||
127 | + tok[len - 1] = '\0'; | ||
128 | + memset(&hints, 0, sizeof(hints)); | ||
129 | + hints.ai_family = AF_INET6; | ||
130 | + hints.ai_socktype = SOCK_STREAM; | ||
131 | + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; | ||
132 | + if ((ret = getaddrinfo(tok + 1, NULL, &hints, &res)) == 0) { | ||
133 | + memcpy(&pat, res->ai_addr, sizeof(pat)); | ||
134 | + freeaddrinfo(res); | ||
135 | + } | ||
136 | + tok[len - 1] = ch; | ||
137 | + if (ret != 0 || getaddrinfo(string, NULL, &hints, &res) != 0) | ||
138 | + return NO; | ||
139 | + memcpy(&addr, res->ai_addr, sizeof(addr)); | ||
140 | + freeaddrinfo(res); | ||
141 | +#ifdef NI_WITHSCOPEID | ||
142 | + if (pat.sin6_scope_id != 0 && | ||
143 | + addr.sin6_scope_id != pat.sin6_scope_id) | ||
144 | + return NO; | ||
145 | +#endif | ||
146 | + return (!memcmp(&pat.sin6_addr, &addr.sin6_addr, | ||
147 | + sizeof(struct in6_addr))); | ||
148 | + return (ret); | ||
149 | + } | ||
150 | +#endif | ||
151 | return (STR_EQ(tok, string)); | ||
152 | } | ||
153 | } | ||
154 | |||
155 | /* masked_match - match address against netnumber/netmask */ | ||
156 | |||
157 | +#ifdef INET6 | ||
158 | static int masked_match(net_tok, mask_tok, string) | ||
159 | char *net_tok; | ||
160 | char *mask_tok; | ||
161 | char *string; | ||
162 | { | ||
163 | + return (masked_match4(net_tok, mask_tok, string) || | ||
164 | + masked_match6(net_tok, mask_tok, string)); | ||
165 | +} | ||
166 | + | ||
167 | +static int masked_match4(net_tok, mask_tok, string) | ||
168 | +#else | ||
169 | +static int masked_match(net_tok, mask_tok, string) | ||
170 | +#endif | ||
171 | +char *net_tok; | ||
172 | +char *mask_tok; | ||
173 | +char *string; | ||
174 | +{ | ||
175 | +#ifdef INET6 | ||
176 | + u_int32_t net; | ||
177 | + u_int32_t mask; | ||
178 | + u_int32_t addr; | ||
179 | +#else | ||
180 | unsigned long net; | ||
181 | unsigned long mask; | ||
182 | unsigned long addr; | ||
183 | +#endif | ||
184 | |||
185 | /* | ||
186 | * Disallow forms other than dotted quad: the treatment that inet_addr() | ||
187 | @@ -329,12 +401,78 @@ | ||
188 | return (NO); | ||
189 | if ((net = dot_quad_addr(net_tok)) == INADDR_NONE | ||
190 | || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) { | ||
191 | +#ifndef INET6 | ||
192 | tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok); | ||
193 | +#endif | ||
194 | return (NO); /* not tcpd_jump() */ | ||
195 | } | ||
196 | return ((addr & mask) == net); | ||
197 | } | ||
198 | |||
199 | +#ifdef INET6 | ||
200 | +static int masked_match6(net_tok, mask_tok, string) | ||
201 | +char *net_tok; | ||
202 | +char *mask_tok; | ||
203 | +char *string; | ||
204 | +{ | ||
205 | + struct addrinfo hints, *res; | ||
206 | + struct sockaddr_in6 net, addr; | ||
207 | + u_int32_t mask; | ||
208 | + int len, mask_len, i = 0; | ||
209 | + char ch; | ||
210 | + | ||
211 | + memset(&hints, 0, sizeof(hints)); | ||
212 | + hints.ai_family = AF_INET6; | ||
213 | + hints.ai_socktype = SOCK_STREAM; | ||
214 | + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; | ||
215 | + if (getaddrinfo(string, NULL, &hints, &res) != 0) | ||
216 | + return NO; | ||
217 | + memcpy(&addr, res->ai_addr, sizeof(addr)); | ||
218 | + freeaddrinfo(res); | ||
219 | + | ||
220 | + if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)) { | ||
221 | + if ((*(u_int32_t *)&net.sin6_addr.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE | ||
222 | + || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) | ||
223 | + return (NO); | ||
224 | + return ((*(u_int32_t *)&addr.sin6_addr.s6_addr[12] & mask) == *(u_int32_t *)&net.sin6_addr.s6_addr[12]); | ||
225 | + } | ||
226 | + | ||
227 | + /* match IPv6 address against netnumber/prefixlen */ | ||
228 | + len = strlen(net_tok); | ||
229 | + if (*net_tok != '[' || net_tok[len - 1] != ']') | ||
230 | + return NO; | ||
231 | + ch = net_tok[len - 1]; | ||
232 | + net_tok[len - 1] = '\0'; | ||
233 | + if (getaddrinfo(net_tok + 1, NULL, &hints, &res) != 0) { | ||
234 | + net_tok[len - 1] = ch; | ||
235 | + return NO; | ||
236 | + } | ||
237 | + memcpy(&net, res->ai_addr, sizeof(net)); | ||
238 | + freeaddrinfo(res); | ||
239 | + net_tok[len - 1] = ch; | ||
240 | + if ((mask_len = atoi(mask_tok)) < 0 || mask_len > 128) | ||
241 | + return NO; | ||
242 | + | ||
243 | +#ifdef NI_WITHSCOPEID | ||
244 | + if (net.sin6_scope_id != 0 && addr.sin6_scope_id != net.sin6_scope_id) | ||
245 | + return NO; | ||
246 | +#endif | ||
247 | + while (mask_len > 0) { | ||
248 | + if (mask_len < 32) { | ||
249 | + mask = htonl(~(0xffffffff >> mask_len)); | ||
250 | + if ((*(u_int32_t *)&addr.sin6_addr.s6_addr[i] & mask) != (*(u_int32_t *)&net.sin6_addr.s6_addr[i] & mask)) | ||
251 | + return NO; | ||
252 | + break; | ||
253 | + } | ||
254 | + if (*(u_int32_t *)&addr.sin6_addr.s6_addr[i] != *(u_int32_t *)&net.sin6_addr.s6_addr[i]) | ||
255 | + return NO; | ||
256 | + i += 4; | ||
257 | + mask_len -= 32; | ||
258 | + } | ||
259 | + return YES; | ||
260 | +} | ||
261 | +#endif /* INET6 */ | ||
262 | + | ||
263 | #ifndef DISABLE_WILDCARD_MATCHING | ||
264 | /* Note: this feature has been adapted in a pretty straightforward way | ||
265 | from Tatu Ylonen's last SSH version under free license by | ||
266 | diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile | ||
267 | --- tcp_wrappers_7.6.orig/Makefile 1997-03-21 19:27:21.000000000 +0100 | ||
268 | +++ tcp_wrappers_7.6/Makefile 2004-04-10 19:22:44.000000000 +0200 | ||
269 | @@ -21,7 +21,7 @@ | ||
270 | @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix" | ||
271 | @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211" | ||
272 | @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4" | ||
273 | - @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" | ||
274 | + @echo " sunos40 sunos5 solaris8 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" | ||
275 | @echo " uts215 uxp" | ||
276 | @echo | ||
277 | @echo "If none of these match your environment, edit the system" | ||
278 | @@ -131,20 +131,34 @@ | ||
279 | NETGROUP=-DNETGROUP TLI= SYSTYPE="-systype bsd43" all | ||
280 | |||
281 | # Freebsd and linux by default have no NIS. | ||
282 | -386bsd netbsd bsdos: | ||
283 | +386bsd bsdos: | ||
284 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
285 | LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ | ||
286 | EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all | ||
287 | |||
288 | freebsd: | ||
289 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
290 | + LIBS="-L/usr/local/v6/lib -linet6" \ | ||
291 | LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ | ||
292 | - EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all | ||
293 | + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" \ | ||
294 | + VSYSLOG= all | ||
295 | + | ||
296 | +netbsd: | ||
297 | + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
298 | + LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ | ||
299 | + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" VSYSLOG= all | ||
300 | |||
301 | linux: | ||
302 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
303 | - LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \ | ||
304 | - NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all | ||
305 | + LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ | ||
306 | + NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \ | ||
307 | + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all | ||
308 | + | ||
309 | +gnu: | ||
310 | + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
311 | + LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ | ||
312 | + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \ | ||
313 | + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR" all | ||
314 | |||
315 | # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x. | ||
316 | hpux hpux8 hpux9 hpux10: | ||
317 | @@ -196,6 +210,13 @@ | ||
318 | NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \ | ||
319 | BUGS="$(BUGS) -DSOLARIS_24_GETHOSTBYNAME_BUG" all | ||
320 | |||
321 | +# SunOS 5.8 is another SYSV4 variant, but has IPv6 support | ||
322 | +solaris8: | ||
323 | + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
324 | + LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \ | ||
325 | + NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \ | ||
326 | + EXTRA_CFLAGS="-DINET6 -DNO_CLONE_DEVICE -DINT32_T" all | ||
327 | + | ||
328 | # Generic SYSV40 | ||
329 | esix sysv4: | ||
330 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
331 | diff -ruN tcp_wrappers_7.6.orig/misc.c tcp_wrappers_7.6/misc.c | ||
332 | --- tcp_wrappers_7.6.orig/misc.c 1996-02-11 17:01:30.000000000 +0100 | ||
333 | +++ tcp_wrappers_7.6/misc.c 2004-04-10 19:07:43.000000000 +0200 | ||
334 | @@ -58,9 +58,31 @@ | ||
335 | { | ||
336 | char *cp; | ||
337 | |||
338 | +#ifdef INET6 | ||
339 | + int bracket = 0; | ||
340 | + | ||
341 | + for (cp = string; cp && *cp; cp++) { | ||
342 | + switch (*cp) { | ||
343 | + case '[': | ||
344 | + bracket++; | ||
345 | + break; | ||
346 | + case ']': | ||
347 | + bracket--; | ||
348 | + break; | ||
349 | + default: | ||
350 | + if (bracket == 0 && *cp == delimiter) { | ||
351 | + *cp++ = 0; | ||
352 | + return cp; | ||
353 | + } | ||
354 | + break; | ||
355 | + } | ||
356 | + } | ||
357 | + return (NULL); | ||
358 | +#else | ||
359 | if ((cp = strchr(string, delimiter)) != 0) | ||
360 | *cp++ = 0; | ||
361 | return (cp); | ||
362 | +#endif | ||
363 | } | ||
364 | |||
365 | /* dot_quad_addr - convert dotted quad to internal form */ | ||
366 | diff -ruN tcp_wrappers_7.6.orig/refuse.c tcp_wrappers_7.6/refuse.c | ||
367 | --- tcp_wrappers_7.6.orig/refuse.c 1994-12-28 17:42:40.000000000 +0100 | ||
368 | +++ tcp_wrappers_7.6/refuse.c 2004-04-10 19:07:43.000000000 +0200 | ||
369 | @@ -25,7 +25,12 @@ | ||
370 | void refuse(request) | ||
371 | struct request_info *request; | ||
372 | { | ||
373 | +#ifdef INET6 | ||
374 | + syslog(deny_severity, "refused connect from %s (%s)", | ||
375 | + eval_client(request), eval_hostaddr(request->client)); | ||
376 | +#else | ||
377 | syslog(deny_severity, "refused connect from %s", eval_client(request)); | ||
378 | +#endif | ||
379 | clean_exit(request); | ||
380 | /* NOTREACHED */ | ||
381 | } | ||
382 | diff -ruN tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c | ||
383 | --- tcp_wrappers_7.6.orig/rfc931.c 1995-01-02 16:11:34.000000000 +0100 | ||
384 | +++ tcp_wrappers_7.6/rfc931.c 2004-04-10 19:07:43.000000000 +0200 | ||
385 | @@ -68,20 +68,50 @@ | ||
386 | /* rfc931 - return remote user name, given socket structures */ | ||
387 | |||
388 | void rfc931(rmt_sin, our_sin, dest) | ||
389 | +#ifdef INET6 | ||
390 | +struct sockaddr *rmt_sin; | ||
391 | +struct sockaddr *our_sin; | ||
392 | +#else | ||
393 | struct sockaddr_in *rmt_sin; | ||
394 | struct sockaddr_in *our_sin; | ||
395 | +#endif | ||
396 | char *dest; | ||
397 | { | ||
398 | unsigned rmt_port; | ||
399 | unsigned our_port; | ||
400 | +#ifdef INET6 | ||
401 | + struct sockaddr_storage rmt_query_sin; | ||
402 | + struct sockaddr_storage our_query_sin; | ||
403 | + int alen; | ||
404 | +#else | ||
405 | struct sockaddr_in rmt_query_sin; | ||
406 | struct sockaddr_in our_query_sin; | ||
407 | +#endif | ||
408 | char user[256]; /* XXX */ | ||
409 | char buffer[512]; /* XXX */ | ||
410 | char *cp; | ||
411 | char *result = unknown; | ||
412 | FILE *fp; | ||
413 | |||
414 | +#ifdef INET6 | ||
415 | + /* address family must be the same */ | ||
416 | + if (rmt_sin->sa_family != our_sin->sa_family) { | ||
417 | + STRN_CPY(dest, result, STRING_LENGTH); | ||
418 | + return; | ||
419 | + } | ||
420 | + switch (our_sin->sa_family) { | ||
421 | + case AF_INET: | ||
422 | + alen = sizeof(struct sockaddr_in); | ||
423 | + break; | ||
424 | + case AF_INET6: | ||
425 | + alen = sizeof(struct sockaddr_in6); | ||
426 | + break; | ||
427 | + default: | ||
428 | + STRN_CPY(dest, result, STRING_LENGTH); | ||
429 | + return; | ||
430 | + } | ||
431 | +#endif | ||
432 | + | ||
433 | /* | ||
434 | * Use one unbuffered stdio stream for writing to and for reading from | ||
435 | * the RFC931 etc. server. This is done because of a bug in the SunOS | ||
436 | @@ -92,7 +122,11 @@ | ||
437 | * sockets. | ||
438 | */ | ||
439 | |||
440 | +#ifdef INET6 | ||
441 | + if ((fp = fsocket(our_sin->sa_family, SOCK_STREAM, 0)) != 0) { | ||
442 | +#else | ||
443 | if ((fp = fsocket(AF_INET, SOCK_STREAM, 0)) != 0) { | ||
444 | +#endif | ||
445 | setbuf(fp, (char *) 0); | ||
446 | |||
447 | /* | ||
448 | @@ -112,6 +146,25 @@ | ||
449 | * addresses from the query socket. | ||
450 | */ | ||
451 | |||
452 | +#ifdef INET6 | ||
453 | + memcpy(&our_query_sin, our_sin, alen); | ||
454 | + memcpy(&rmt_query_sin, rmt_sin, alen); | ||
455 | + switch (our_sin->sa_family) { | ||
456 | + case AF_INET: | ||
457 | + ((struct sockaddr_in *)&our_query_sin)->sin_port = htons(ANY_PORT); | ||
458 | + ((struct sockaddr_in *)&rmt_query_sin)->sin_port = htons(RFC931_PORT); | ||
459 | + break; | ||
460 | + case AF_INET6: | ||
461 | + ((struct sockaddr_in6 *)&our_query_sin)->sin6_port = htons(ANY_PORT); | ||
462 | + ((struct sockaddr_in6 *)&rmt_query_sin)->sin6_port = htons(RFC931_PORT); | ||
463 | + break; | ||
464 | + } | ||
465 | + | ||
466 | + if (bind(fileno(fp), (struct sockaddr *) & our_query_sin, | ||
467 | + alen) >= 0 && | ||
468 | + connect(fileno(fp), (struct sockaddr *) & rmt_query_sin, | ||
469 | + alen) >= 0) { | ||
470 | +#else | ||
471 | our_query_sin = *our_sin; | ||
472 | our_query_sin.sin_port = htons(ANY_PORT); | ||
473 | rmt_query_sin = *rmt_sin; | ||
474 | @@ -121,6 +174,7 @@ | ||
475 | sizeof(our_query_sin)) >= 0 && | ||
476 | connect(fileno(fp), (struct sockaddr *) & rmt_query_sin, | ||
477 | sizeof(rmt_query_sin)) >= 0) { | ||
478 | +#endif | ||
479 | |||
480 | /* | ||
481 | * Send query to server. Neglect the risk that a 13-byte | ||
482 | @@ -129,8 +183,13 @@ | ||
483 | */ | ||
484 | |||
485 | fprintf(fp, "%u,%u\r\n", | ||
486 | +#ifdef INET6 | ||
487 | + ntohs(((struct sockaddr_in *)rmt_sin)->sin_port), | ||
488 | + ntohs(((struct sockaddr_in *)our_sin)->sin_port)); | ||
489 | +#else | ||
490 | ntohs(rmt_sin->sin_port), | ||
491 | ntohs(our_sin->sin_port)); | ||
492 | +#endif | ||
493 | fflush(fp); | ||
494 | |||
495 | /* | ||
496 | @@ -144,8 +203,13 @@ | ||
497 | && ferror(fp) == 0 && feof(fp) == 0 | ||
498 | && sscanf(buffer, "%u , %u : USERID :%*[^:]:%255s", | ||
499 | &rmt_port, &our_port, user) == 3 | ||
500 | +#ifdef INET6 | ||
501 | + && ntohs(((struct sockaddr_in *)rmt_sin)->sin_port) == rmt_port | ||
502 | + && ntohs(((struct sockaddr_in *)our_sin)->sin_port) == our_port) { | ||
503 | +#else | ||
504 | && ntohs(rmt_sin->sin_port) == rmt_port | ||
505 | && ntohs(our_sin->sin_port) == our_port) { | ||
506 | +#endif | ||
507 | |||
508 | /* | ||
509 | * Strip trailing carriage return. It is part of the | ||
510 | diff -ruN tcp_wrappers_7.6.orig/scaffold.c tcp_wrappers_7.6/scaffold.c | ||
511 | --- tcp_wrappers_7.6.orig/scaffold.c 1997-03-21 19:27:24.000000000 +0100 | ||
512 | +++ tcp_wrappers_7.6/scaffold.c 2004-04-10 19:07:43.000000000 +0200 | ||
513 | @@ -25,7 +25,9 @@ | ||
514 | #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ | ||
515 | #endif | ||
516 | |||
517 | +#ifndef INET6 | ||
518 | extern char *malloc(); | ||
519 | +#endif | ||
520 | |||
521 | /* Application-specific. */ | ||
522 | |||
523 | @@ -39,6 +41,7 @@ | ||
524 | int deny_severity = LOG_WARNING; | ||
525 | int rfc931_timeout = RFC931_TIMEOUT; | ||
526 | |||
527 | +#ifndef INET6 | ||
528 | /* dup_hostent - create hostent in one memory block */ | ||
529 | |||
530 | static struct hostent *dup_hostent(hp) | ||
531 | @@ -73,9 +76,46 @@ | ||
532 | } | ||
533 | return (&hb->host); | ||
534 | } | ||
535 | +#endif | ||
536 | |||
537 | /* find_inet_addr - find all addresses for this host, result to free() */ | ||
538 | |||
539 | +#ifdef INET6 | ||
540 | +struct addrinfo *find_inet_addr(host) | ||
541 | +char *host; | ||
542 | +{ | ||
543 | + struct addrinfo hints, *res; | ||
544 | + | ||
545 | + memset(&hints, 0, sizeof(hints)); | ||
546 | + hints.ai_family = PF_UNSPEC; | ||
547 | + hints.ai_socktype = SOCK_STREAM; | ||
548 | + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; | ||
549 | + if (getaddrinfo(host, NULL, &hints, &res) == 0) | ||
550 | + return (res); | ||
551 | + | ||
552 | + memset(&hints, 0, sizeof(hints)); | ||
553 | + hints.ai_family = PF_UNSPEC; | ||
554 | + hints.ai_socktype = SOCK_STREAM; | ||
555 | + hints.ai_flags = AI_PASSIVE | AI_CANONNAME; | ||
556 | + if (getaddrinfo(host, NULL, &hints, &res) != 0) { | ||
557 | + tcpd_warn("%s: host not found", host); | ||
558 | + return (0); | ||
559 | + } | ||
560 | + if (res->ai_family != AF_INET6 && res->ai_family != AF_INET) { | ||
561 | + tcpd_warn("%d: not an internet host", res->ai_family); | ||
562 | + freeaddrinfo(res); | ||
563 | + return (0); | ||
564 | + } | ||
565 | + if (!res->ai_canonname) { | ||
566 | + tcpd_warn("%s: hostname alias", host); | ||
567 | + tcpd_warn("(cannot obtain official name)", res->ai_canonname); | ||
568 | + } else if (STR_NE(host, res->ai_canonname)) { | ||
569 | + tcpd_warn("%s: hostname alias", host); | ||
570 | + tcpd_warn("(official name: %.*s)", STRING_LENGTH, res->ai_canonname); | ||
571 | + } | ||
572 | + return (res); | ||
573 | +} | ||
574 | +#else | ||
575 | struct hostent *find_inet_addr(host) | ||
576 | char *host; | ||
577 | { | ||
578 | @@ -118,6 +158,7 @@ | ||
579 | } | ||
580 | return (dup_hostent(hp)); | ||
581 | } | ||
582 | +#endif | ||
583 | |||
584 | /* check_dns - give each address thorough workout, return address count */ | ||
585 | |||
586 | @@ -125,8 +166,13 @@ | ||
587 | char *host; | ||
588 | { | ||
589 | struct request_info request; | ||
590 | +#ifdef INET6 | ||
591 | + struct sockaddr_storage sin; | ||
592 | + struct addrinfo *hp, *res; | ||
593 | +#else | ||
594 | struct sockaddr_in sin; | ||
595 | struct hostent *hp; | ||
596 | +#endif | ||
597 | int count; | ||
598 | char *addr; | ||
599 | |||
600 | @@ -134,11 +180,18 @@ | ||
601 | return (0); | ||
602 | request_init(&request, RQ_CLIENT_SIN, &sin, 0); | ||
603 | sock_methods(&request); | ||
604 | +#ifndef INET6 | ||
605 | memset((char *) &sin, 0, sizeof(sin)); | ||
606 | sin.sin_family = AF_INET; | ||
607 | +#endif | ||
608 | |||
609 | +#ifdef INET6 | ||
610 | + for (res = hp, count = 0; res; res = res->ai_next, count++) { | ||
611 | + memcpy(&sin, res->ai_addr, res->ai_addrlen); | ||
612 | +#else | ||
613 | for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { | ||
614 | memcpy((char *) &sin.sin_addr, addr, sizeof(sin.sin_addr)); | ||
615 | +#endif | ||
616 | |||
617 | /* | ||
618 | * Force host name and address conversions. Use the request structure | ||
619 | @@ -151,7 +204,11 @@ | ||
620 | tcpd_warn("host address %s->name lookup failed", | ||
621 | eval_hostaddr(request.client)); | ||
622 | } | ||
623 | +#ifdef INET6 | ||
624 | + freeaddrinfo(hp); | ||
625 | +#else | ||
626 | free((char *) hp); | ||
627 | +#endif | ||
628 | return (count); | ||
629 | } | ||
630 | |||
631 | diff -ruN tcp_wrappers_7.6.orig/scaffold.h tcp_wrappers_7.6/scaffold.h | ||
632 | --- tcp_wrappers_7.6.orig/scaffold.h 1994-12-31 18:19:20.000000000 +0100 | ||
633 | +++ tcp_wrappers_7.6/scaffold.h 2004-04-10 19:07:43.000000000 +0200 | ||
634 | @@ -4,6 +4,10 @@ | ||
635 | * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. | ||
636 | */ | ||
637 | |||
638 | +#ifdef INET6 | ||
639 | +extern struct addrinfo *find_inet_addr(); | ||
640 | +#else | ||
641 | extern struct hostent *find_inet_addr(); | ||
642 | +#endif | ||
643 | extern int check_dns(); | ||
644 | extern int check_path(); | ||
645 | diff -ruN tcp_wrappers_7.6.orig/socket.c tcp_wrappers_7.6/socket.c | ||
646 | --- tcp_wrappers_7.6.orig/socket.c 2004-04-10 19:22:58.000000000 +0200 | ||
647 | +++ tcp_wrappers_7.6/socket.c 2004-04-10 19:07:43.000000000 +0200 | ||
648 | @@ -24,13 +24,22 @@ | ||
649 | #include <sys/types.h> | ||
650 | #include <sys/param.h> | ||
651 | #include <sys/socket.h> | ||
652 | +#ifdef INT32_T | ||
653 | +typedef uint32_t u_int32_t; | ||
654 | +#endif | ||
655 | #include <netinet/in.h> | ||
656 | #include <netdb.h> | ||
657 | #include <stdio.h> | ||
658 | #include <syslog.h> | ||
659 | #include <string.h> | ||
660 | |||
661 | +#ifdef INET6 | ||
662 | +#ifndef NI_WITHSCOPEID | ||
663 | +#define NI_WITHSCOPEID 0 | ||
664 | +#endif | ||
665 | +#else | ||
666 | extern char *inet_ntoa(); | ||
667 | +#endif | ||
668 | |||
669 | /* Local stuff. */ | ||
670 | |||
671 | @@ -79,8 +88,13 @@ | ||
672 | void sock_host(request) | ||
673 | struct request_info *request; | ||
674 | { | ||
675 | +#ifdef INET6 | ||
676 | + static struct sockaddr_storage client; | ||
677 | + static struct sockaddr_storage server; | ||
678 | +#else | ||
679 | static struct sockaddr_in client; | ||
680 | static struct sockaddr_in server; | ||
681 | +#endif | ||
682 | int len; | ||
683 | char buf[BUFSIZ]; | ||
684 | int fd = request->fd; | ||
685 | @@ -109,7 +123,11 @@ | ||
686 | memset(buf, 0 sizeof(buf)); | ||
687 | #endif | ||
688 | } | ||
689 | +#ifdef INET6 | ||
690 | + request->client->sin = (struct sockaddr *)&client; | ||
691 | +#else | ||
692 | request->client->sin = &client; | ||
693 | +#endif | ||
694 | |||
695 | /* | ||
696 | * Determine the server binding. This is used for client username | ||
697 | @@ -122,7 +140,11 @@ | ||
698 | tcpd_warn("getsockname: %m"); | ||
699 | return; | ||
700 | } | ||
701 | +#ifdef INET6 | ||
702 | + request->server->sin = (struct sockaddr *)&server; | ||
703 | +#else | ||
704 | request->server->sin = &server; | ||
705 | +#endif | ||
706 | } | ||
707 | |||
708 | /* sock_hostaddr - map endpoint address to printable form */ | ||
709 | @@ -130,10 +152,26 @@ | ||
710 | void sock_hostaddr(host) | ||
711 | struct host_info *host; | ||
712 | { | ||
713 | +#ifdef INET6 | ||
714 | + struct sockaddr *sin = host->sin; | ||
715 | + int salen; | ||
716 | + | ||
717 | + if (!sin) | ||
718 | + return; | ||
719 | +#ifdef SIN6_LEN | ||
720 | + salen = sin->sa_len; | ||
721 | +#else | ||
722 | + salen = (sin->sa_family == AF_INET) ? sizeof(struct sockaddr_in) | ||
723 | + : sizeof(struct sockaddr_in6); | ||
724 | +#endif | ||
725 | + getnameinfo(sin, salen, host->addr, sizeof(host->addr), | ||
726 | + NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); | ||
727 | +#else | ||
728 | struct sockaddr_in *sin = host->sin; | ||
729 | |||
730 | if (sin != 0) | ||
731 | STRN_CPY(host->addr, inet_ntoa(sin->sin_addr), sizeof(host->addr)); | ||
732 | +#endif | ||
733 | } | ||
734 | |||
735 | /* sock_hostname - map endpoint address to host name */ | ||
736 | @@ -141,6 +179,160 @@ | ||
737 | void sock_hostname(host) | ||
738 | struct host_info *host; | ||
739 | { | ||
740 | +#ifdef INET6 | ||
741 | + struct sockaddr *sin = host->sin; | ||
742 | + struct sockaddr_in sin4; | ||
743 | + struct addrinfo hints, *res, *res0 = NULL; | ||
744 | + int salen, alen, err = 1; | ||
745 | + char *ap = NULL, *rap, hname[NI_MAXHOST]; | ||
746 | + | ||
747 | + if (sin != NULL) { | ||
748 | + if (sin->sa_family == AF_INET6) { | ||
749 | + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sin; | ||
750 | + | ||
751 | + if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { | ||
752 | + memset(&sin4, 0, sizeof(sin4)); | ||
753 | +#ifdef SIN6_LEN | ||
754 | + sin4.sin_len = sizeof(sin4); | ||
755 | +#endif | ||
756 | + sin4.sin_family = AF_INET; | ||
757 | + sin4.sin_port = sin6->sin6_port; | ||
758 | + sin4.sin_addr.s_addr = *(u_int32_t *)&sin6->sin6_addr.s6_addr[12]; | ||
759 | + sin = (struct sockaddr *)&sin4; | ||
760 | + } | ||
761 | + } | ||
762 | + switch (sin->sa_family) { | ||
763 | + case AF_INET: | ||
764 | + ap = (char *)&((struct sockaddr_in *)sin)->sin_addr; | ||
765 | + alen = sizeof(struct in_addr); | ||
766 | + salen = sizeof(struct sockaddr_in); | ||
767 | + break; | ||
768 | + case AF_INET6: | ||
769 | + ap = (char *)&((struct sockaddr_in6 *)sin)->sin6_addr; | ||
770 | + alen = sizeof(struct in6_addr); | ||
771 | + salen = sizeof(struct sockaddr_in6); | ||
772 | + break; | ||
773 | + default: | ||
774 | + break; | ||
775 | + } | ||
776 | + if (ap) | ||
777 | + err = getnameinfo(sin, salen, hname, sizeof(hname), | ||
778 | + NULL, 0, NI_WITHSCOPEID | NI_NAMEREQD); | ||
779 | + } | ||
780 | + if (!err) { | ||
781 | + | ||
782 | + STRN_CPY(host->name, hname, sizeof(host->name)); | ||
783 | + | ||
784 | + /* reject numeric addresses */ | ||
785 | + memset(&hints, 0, sizeof(hints)); | ||
786 | + hints.ai_family = sin->sa_family; | ||
787 | + hints.ai_socktype = SOCK_STREAM; | ||
788 | + hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST; | ||
789 | + if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) { | ||
790 | + freeaddrinfo(res0); | ||
791 | + res0 = NULL; | ||
792 | + tcpd_warn("host name/name mismatch: " | ||
793 | + "reverse lookup results in non-FQDN %s", | ||
794 | + host->name); | ||
795 | + strcpy(host->name, paranoid); /* name is bad, clobber it */ | ||
796 | + } | ||
797 | + err = !err; | ||
798 | + } | ||
799 | + if (!err) { | ||
800 | + /* we are now sure that this is non-numeric */ | ||
801 | + | ||
802 | + /* | ||
803 | + * Verify that the address is a member of the address list returned | ||
804 | + * by gethostbyname(hostname). | ||
805 | + * | ||
806 | + * Verify also that gethostbyaddr() and gethostbyname() return the same | ||
807 | + * hostname, or rshd and rlogind may still end up being spoofed. | ||
808 | + * | ||
809 | + * On some sites, gethostbyname("localhost") returns "localhost.domain". | ||
810 | + * This is a DNS artefact. We treat it as a special case. When we | ||
811 | + * can't believe the address list from gethostbyname("localhost") | ||
812 | + * we're in big trouble anyway. | ||
813 | + */ | ||
814 | + | ||
815 | + memset(&hints, 0, sizeof(hints)); | ||
816 | + hints.ai_family = sin->sa_family; | ||
817 | + hints.ai_socktype = SOCK_STREAM; | ||
818 | + hints.ai_flags = AI_PASSIVE | AI_CANONNAME; | ||
819 | + if (getaddrinfo(host->name, NULL, &hints, &res0) != 0) { | ||
820 | + | ||
821 | + /* | ||
822 | + * Unable to verify that the host name matches the address. This | ||
823 | + * may be a transient problem or a botched name server setup. | ||
824 | + */ | ||
825 | + | ||
826 | + tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed", | ||
827 | + host->name, | ||
828 | + (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6"); | ||
829 | + | ||
830 | + } else if ((res0->ai_canonname == NULL | ||
831 | + || STR_NE(host->name, res0->ai_canonname)) | ||
832 | + && STR_NE(host->name, "localhost")) { | ||
833 | + | ||
834 | + /* | ||
835 | + * The gethostbyaddr() and gethostbyname() calls did not return | ||
836 | + * the same hostname. This could be a nameserver configuration | ||
837 | + * problem. It could also be that someone is trying to spoof us. | ||
838 | + */ | ||
839 | + | ||
840 | + tcpd_warn("host name/name mismatch: %s != %.*s", | ||
841 | + host->name, STRING_LENGTH, | ||
842 | + (res0->ai_canonname == NULL) ? "" : res0->ai_canonname); | ||
843 | + | ||
844 | + } else { | ||
845 | + | ||
846 | + /* | ||
847 | + * The address should be a member of the address list returned by | ||
848 | + * gethostbyname(). We should first verify that the h_addrtype | ||
849 | + * field is AF_INET, but this program has already caused too much | ||
850 | + * grief on systems with broken library code. | ||
851 | + */ | ||
852 | + | ||
853 | + for (res = res0; res; res = res->ai_next) { | ||
854 | + if (res->ai_family != sin->sa_family) | ||
855 | + continue; | ||
856 | + switch (res->ai_family) { | ||
857 | + case AF_INET: | ||
858 | + rap = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr; | ||
859 | + break; | ||
860 | + case AF_INET6: | ||
861 | + /* need to check scope_id */ | ||
862 | + if (((struct sockaddr_in6 *)sin)->sin6_scope_id != | ||
863 | + ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) { | ||
864 | + continue; | ||
865 | + } | ||
866 | + rap = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; | ||
867 | + break; | ||
868 | + default: | ||
869 | + continue; | ||
870 | + } | ||
871 | + if (memcmp(rap, ap, alen) == 0) { | ||
872 | + freeaddrinfo(res0); | ||
873 | + return; /* name is good, keep it */ | ||
874 | + } | ||
875 | + } | ||
876 | + | ||
877 | + /* | ||
878 | + * The host name does not map to the initial address. Perhaps | ||
879 | + * someone has messed up. Perhaps someone compromised a name | ||
880 | + * server. | ||
881 | + */ | ||
882 | + | ||
883 | + getnameinfo(sin, salen, hname, sizeof(hname), | ||
884 | + NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); | ||
885 | + tcpd_warn("host name/address mismatch: %s != %.*s", | ||
886 | + hname, STRING_LENGTH, | ||
887 | + (res0->ai_canonname == NULL) ? "" : res0->ai_canonname); | ||
888 | + } | ||
889 | + strcpy(host->name, paranoid); /* name is bad, clobber it */ | ||
890 | + if (res0) | ||
891 | + freeaddrinfo(res0); | ||
892 | + } | ||
893 | +#else /* INET6 */ | ||
894 | struct sockaddr_in *sin = host->sin; | ||
895 | struct hostent *hp; | ||
896 | int i; | ||
897 | @@ -220,6 +412,7 @@ | ||
898 | } | ||
899 | strcpy(host->name, paranoid); /* name is bad, clobber it */ | ||
900 | } | ||
901 | +#endif /* INET6 */ | ||
902 | } | ||
903 | |||
904 | /* sock_sink - absorb unreceived IP datagram */ | ||
905 | @@ -228,7 +421,11 @@ | ||
906 | int fd; | ||
907 | { | ||
908 | char buf[BUFSIZ]; | ||
909 | +#ifdef INET6 | ||
910 | + struct sockaddr_storage sin; | ||
911 | +#else | ||
912 | struct sockaddr_in sin; | ||
913 | +#endif | ||
914 | int size = sizeof(sin); | ||
915 | |||
916 | /* | ||
917 | diff -ruN tcp_wrappers_7.6.orig/tcpd.c tcp_wrappers_7.6/tcpd.c | ||
918 | --- tcp_wrappers_7.6.orig/tcpd.c 1996-02-11 17:01:33.000000000 +0100 | ||
919 | +++ tcp_wrappers_7.6/tcpd.c 2004-04-10 19:07:43.000000000 +0200 | ||
920 | @@ -120,7 +120,12 @@ | ||
921 | |||
922 | /* Report request and invoke the real daemon program. */ | ||
923 | |||
924 | +#ifdef INET6 | ||
925 | + syslog(allow_severity, "connect from %s (%s)", | ||
926 | + eval_client(&request), eval_hostaddr(request.client)); | ||
927 | +#else | ||
928 | syslog(allow_severity, "connect from %s", eval_client(&request)); | ||
929 | +#endif | ||
930 | closelog(); | ||
931 | (void) execv(path, argv); | ||
932 | syslog(LOG_ERR, "error: cannot execute %s: %m", path); | ||
933 | diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c | ||
934 | --- tcp_wrappers_7.6.orig/tcpdchk.c 1997-02-12 02:13:25.000000000 +0100 | ||
935 | +++ tcp_wrappers_7.6/tcpdchk.c 2004-04-10 19:07:43.000000000 +0200 | ||
936 | @@ -22,6 +22,9 @@ | ||
937 | |||
938 | #include <sys/types.h> | ||
939 | #include <sys/stat.h> | ||
940 | +#ifdef INET6 | ||
941 | +#include <sys/socket.h> | ||
942 | +#endif | ||
943 | #include <netinet/in.h> | ||
944 | #include <arpa/inet.h> | ||
945 | #include <stdio.h> | ||
946 | @@ -397,6 +400,31 @@ | ||
947 | } | ||
948 | } | ||
949 | |||
950 | +#ifdef INET6 | ||
951 | +static int is_inet6_addr(pat) | ||
952 | + char *pat; | ||
953 | +{ | ||
954 | + struct addrinfo hints, *res; | ||
955 | + int len, ret; | ||
956 | + char ch; | ||
957 | + | ||
958 | + if (*pat != '[') | ||
959 | + return (0); | ||
960 | + len = strlen(pat); | ||
961 | + if ((ch = pat[len - 1]) != ']') | ||
962 | + return (0); | ||
963 | + pat[len - 1] = '\0'; | ||
964 | + memset(&hints, 0, sizeof(hints)); | ||
965 | + hints.ai_family = AF_INET6; | ||
966 | + hints.ai_socktype = SOCK_STREAM; | ||
967 | + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; | ||
968 | + if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0) | ||
969 | + freeaddrinfo(res); | ||
970 | + pat[len - 1] = ch; | ||
971 | + return (ret == 0); | ||
972 | +} | ||
973 | +#endif | ||
974 | + | ||
975 | /* check_host - criticize host pattern */ | ||
976 | |||
977 | static int check_host(pat) | ||
978 | @@ -423,14 +451,27 @@ | ||
979 | #endif | ||
980 | #endif | ||
981 | } else if (mask = split_at(pat, '/')) { /* network/netmask */ | ||
982 | +#ifdef INET6 | ||
983 | + int mask_len; | ||
984 | + | ||
985 | + if ((dot_quad_addr(pat) == INADDR_NONE | ||
986 | + || dot_quad_addr(mask) == INADDR_NONE) | ||
987 | + && (!is_inet6_addr(pat) | ||
988 | + || ((mask_len = atoi(mask)) < 0 || mask_len > 128))) | ||
989 | +#else | ||
990 | if (dot_quad_addr(pat) == INADDR_NONE | ||
991 | || dot_quad_addr(mask) == INADDR_NONE) | ||
992 | +#endif | ||
993 | tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); | ||
994 | } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ | ||
995 | tcpd_warn("FAIL is no longer recognized"); | ||
996 | tcpd_warn("(use EXCEPT or DENY instead)"); | ||
997 | } else if (reserved_name(pat)) { /* other reserved */ | ||
998 | /* void */ ; | ||
999 | +#ifdef INET6 | ||
1000 | + } else if (is_inet6_addr(pat)) { /* IPv6 address */ | ||
1001 | + addr_count = 1; | ||
1002 | +#endif | ||
1003 | } else if (NOT_INADDR(pat)) { /* internet name */ | ||
1004 | if (pat[strlen(pat) - 1] == '.') { | ||
1005 | tcpd_warn("%s: domain or host name ends in dot", pat); | ||
1006 | diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h | ||
1007 | --- tcp_wrappers_7.6.orig/tcpd.h 1996-03-19 16:22:25.000000000 +0100 | ||
1008 | +++ tcp_wrappers_7.6/tcpd.h 2004-04-10 19:07:43.000000000 +0200 | ||
1009 | @@ -11,7 +11,11 @@ | ||
1010 | struct host_info { | ||
1011 | char name[STRING_LENGTH]; /* access via eval_hostname(host) */ | ||
1012 | char addr[STRING_LENGTH]; /* access via eval_hostaddr(host) */ | ||
1013 | +#ifdef INET6 | ||
1014 | + struct sockaddr *sin; /* socket address or 0 */ | ||
1015 | +#else | ||
1016 | struct sockaddr_in *sin; /* socket address or 0 */ | ||
1017 | +#endif | ||
1018 | struct t_unitdata *unit; /* TLI transport address or 0 */ | ||
1019 | struct request_info *request; /* for shared information */ | ||
1020 | }; | ||
1021 | diff -ruN tcp_wrappers_7.6.orig/tcpdmatch.c tcp_wrappers_7.6/tcpdmatch.c | ||
1022 | --- tcp_wrappers_7.6.orig/tcpdmatch.c 1996-02-11 17:01:36.000000000 +0100 | ||
1023 | +++ tcp_wrappers_7.6/tcpdmatch.c 2004-04-10 19:07:43.000000000 +0200 | ||
1024 | @@ -57,7 +57,11 @@ | ||
1025 | int argc; | ||
1026 | char **argv; | ||
1027 | { | ||
1028 | +#ifdef INET6 | ||
1029 | + struct addrinfo hints, *hp, *res; | ||
1030 | +#else | ||
1031 | struct hostent *hp; | ||
1032 | +#endif | ||
1033 | char *myname = argv[0]; | ||
1034 | char *client; | ||
1035 | char *server; | ||
1036 | @@ -68,8 +72,13 @@ | ||
1037 | int ch; | ||
1038 | char *inetcf = 0; | ||
1039 | int count; | ||
1040 | +#ifdef INET6 | ||
1041 | + struct sockaddr_storage server_sin; | ||
1042 | + struct sockaddr_storage client_sin; | ||
1043 | +#else | ||
1044 | struct sockaddr_in server_sin; | ||
1045 | struct sockaddr_in client_sin; | ||
1046 | +#endif | ||
1047 | struct stat st; | ||
1048 | |||
1049 | /* | ||
1050 | @@ -172,13 +181,20 @@ | ||
1051 | if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) { | ||
1052 | if ((hp = find_inet_addr(server)) == 0) | ||
1053 | exit(1); | ||
1054 | +#ifndef INET6 | ||
1055 | memset((char *) &server_sin, 0, sizeof(server_sin)); | ||
1056 | server_sin.sin_family = AF_INET; | ||
1057 | +#endif | ||
1058 | request_set(&request, RQ_SERVER_SIN, &server_sin, 0); | ||
1059 | |||
1060 | +#ifdef INET6 | ||
1061 | + for (res = hp, count = 0; res; res = res->ai_next, count++) { | ||
1062 | + memcpy(&server_sin, res->ai_addr, res->ai_addrlen); | ||
1063 | +#else | ||
1064 | for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { | ||
1065 | memcpy((char *) &server_sin.sin_addr, addr, | ||
1066 | sizeof(server_sin.sin_addr)); | ||
1067 | +#endif | ||
1068 | |||
1069 | /* | ||
1070 | * Force evaluation of server host name and address. Host name | ||
1071 | @@ -194,7 +210,11 @@ | ||
1072 | fprintf(stderr, "Please specify an address instead\n"); | ||
1073 | exit(1); | ||
1074 | } | ||
1075 | +#ifdef INET6 | ||
1076 | + freeaddrinfo(hp); | ||
1077 | +#else | ||
1078 | free((char *) hp); | ||
1079 | +#endif | ||
1080 | } else { | ||
1081 | request_set(&request, RQ_SERVER_NAME, server, 0); | ||
1082 | } | ||
1083 | @@ -208,6 +228,18 @@ | ||
1084 | tcpdmatch(&request); | ||
1085 | exit(0); | ||
1086 | } | ||
1087 | +#ifdef INET6 | ||
1088 | + memset(&hints, 0, sizeof(hints)); | ||
1089 | + hints.ai_family = AF_INET6; | ||
1090 | + hints.ai_socktype = SOCK_STREAM; | ||
1091 | + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; | ||
1092 | + if (getaddrinfo(client, NULL, &hints, &res) == 0) { | ||
1093 | + freeaddrinfo(res); | ||
1094 | + request_set(&request, RQ_CLIENT_ADDR, client, 0); | ||
1095 | + tcpdmatch(&request); | ||
1096 | + exit(0); | ||
1097 | + } | ||
1098 | +#endif | ||
1099 | |||
1100 | /* | ||
1101 | * Perhaps they are testing special client hostname patterns that aren't | ||
1102 | @@ -229,6 +261,34 @@ | ||
1103 | */ | ||
1104 | if ((hp = find_inet_addr(client)) == 0) | ||
1105 | exit(1); | ||
1106 | +#ifdef INET6 | ||
1107 | + request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); | ||
1108 | + | ||
1109 | + for (res = hp, count = 0; res; res = res->ai_next, count++) { | ||
1110 | + memcpy(&client_sin, res->ai_addr, res->ai_addrlen); | ||
1111 | + | ||
1112 | + /* | ||
1113 | + * getnameinfo() doesn't do reverse lookup against link-local | ||
1114 | + * address. So, we pass through host name evaluation against | ||
1115 | + * such addresses. | ||
1116 | + */ | ||
1117 | + if (res->ai_family != AF_INET6 || | ||
1118 | + !IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)) { | ||
1119 | + /* | ||
1120 | + * Force evaluation of client host name and address. Host name | ||
1121 | + * conflicts will be reported while eval_hostname() does its job. | ||
1122 | + */ | ||
1123 | + request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0); | ||
1124 | + if (STR_EQ(eval_hostname(request.client), unknown)) | ||
1125 | + tcpd_warn("host address %s->name lookup failed", | ||
1126 | + eval_hostaddr(request.client)); | ||
1127 | + } | ||
1128 | + tcpdmatch(&request); | ||
1129 | + if (res->ai_next) | ||
1130 | + printf("\n"); | ||
1131 | + } | ||
1132 | + freeaddrinfo(hp); | ||
1133 | +#else | ||
1134 | memset((char *) &client_sin, 0, sizeof(client_sin)); | ||
1135 | client_sin.sin_family = AF_INET; | ||
1136 | request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); | ||
1137 | @@ -250,6 +310,7 @@ | ||
1138 | printf("\n"); | ||
1139 | } | ||
1140 | free((char *) hp); | ||
1141 | +#endif | ||
1142 | exit(0); | ||
1143 | } | ||
1144 | |||
1145 | diff -ruN tcp_wrappers_7.6.orig/tli.c tcp_wrappers_7.6/tli.c | ||
1146 | --- tcp_wrappers_7.6.orig/tli.c 1997-03-21 19:27:26.000000000 +0100 | ||
1147 | +++ tcp_wrappers_7.6/tli.c 2004-04-10 19:07:43.000000000 +0200 | ||
1148 | @@ -65,8 +65,13 @@ | ||
1149 | void tli_host(request) | ||
1150 | struct request_info *request; | ||
1151 | { | ||
1152 | +#ifdef INET6 | ||
1153 | + static struct sockaddr_storage client; | ||
1154 | + static struct sockaddr_storage server; | ||
1155 | +#else | ||
1156 | static struct sockaddr_in client; | ||
1157 | static struct sockaddr_in server; | ||
1158 | +#endif | ||
1159 | |||
1160 | /* | ||
1161 | * If we discover that we are using an IP transport, pretend we never | ||
1162 | @@ -76,14 +81,29 @@ | ||
1163 | |||
1164 | tli_endpoints(request); | ||
1165 | if ((request->config = tli_transport(request->fd)) != 0 | ||
1166 | +#ifdef INET6 | ||
1167 | + && (STR_EQ(request->config->nc_protofmly, "inet") || | ||
1168 | + STR_EQ(request->config->nc_protofmly, "inet6"))) { | ||
1169 | +#else | ||
1170 | && STR_EQ(request->config->nc_protofmly, "inet")) { | ||
1171 | +#endif | ||
1172 | if (request->client->unit != 0) { | ||
1173 | +#ifdef INET6 | ||
1174 | + client = *(struct sockaddr_storage *) request->client->unit->addr.buf; | ||
1175 | + request->client->sin = (struct sockaddr *) &client; | ||
1176 | +#else | ||
1177 | client = *(struct sockaddr_in *) request->client->unit->addr.buf; | ||
1178 | request->client->sin = &client; | ||
1179 | +#endif | ||
1180 | } | ||
1181 | if (request->server->unit != 0) { | ||
1182 | +#ifdef INET6 | ||
1183 | + server = *(struct sockaddr_storage *) request->server->unit->addr.buf; | ||
1184 | + request->server->sin = (struct sockaddr *) &server; | ||
1185 | +#else | ||
1186 | server = *(struct sockaddr_in *) request->server->unit->addr.buf; | ||
1187 | request->server->sin = &server; | ||
1188 | +#endif | ||
1189 | } | ||
1190 | tli_cleanup(request); | ||
1191 | sock_methods(request); | ||
1192 | @@ -187,7 +207,15 @@ | ||
1193 | } | ||
1194 | while (config = getnetconfig(handlep)) { | ||
1195 | if (stat(config->nc_device, &from_config) == 0) { | ||
1196 | +#ifdef NO_CLONE_DEVICE | ||
1197 | + /* | ||
1198 | + * If the network devices are not cloned (as is the case for | ||
1199 | + * Solaris 8 Beta), we must compare the major device numbers. | ||
1200 | + */ | ||
1201 | + if (major(from_config.st_rdev) == major(from_client.st_rdev)) | ||
1202 | +#else | ||
1203 | if (minor(from_config.st_rdev) == major(from_client.st_rdev)) | ||
1204 | +#endif | ||
1205 | break; | ||
1206 | } | ||
1207 | } | ||
1208 | diff -ruN tcp_wrappers_7.6.orig/update.c tcp_wrappers_7.6/update.c | ||
1209 | --- tcp_wrappers_7.6.orig/update.c 1994-12-28 17:42:56.000000000 +0100 | ||
1210 | +++ tcp_wrappers_7.6/update.c 2004-04-10 19:07:43.000000000 +0200 | ||
1211 | @@ -46,10 +46,18 @@ | ||
1212 | request->fd = va_arg(ap, int); | ||
1213 | continue; | ||
1214 | case RQ_CLIENT_SIN: | ||
1215 | +#ifdef INET6 | ||
1216 | + request->client->sin = va_arg(ap, struct sockaddr *); | ||
1217 | +#else | ||
1218 | request->client->sin = va_arg(ap, struct sockaddr_in *); | ||
1219 | +#endif | ||
1220 | continue; | ||
1221 | case RQ_SERVER_SIN: | ||
1222 | +#ifdef INET6 | ||
1223 | + request->server->sin = va_arg(ap, struct sockaddr *); | ||
1224 | +#else | ||
1225 | request->server->sin = va_arg(ap, struct sockaddr_in *); | ||
1226 | +#endif | ||
1227 | continue; | ||
1228 | |||
1229 | /* | ||
1230 | diff -ruN tcp_wrappers_7.6.orig/workarounds.c tcp_wrappers_7.6/workarounds.c | ||
1231 | --- tcp_wrappers_7.6.orig/workarounds.c 1996-03-19 16:22:26.000000000 +0100 | ||
1232 | +++ tcp_wrappers_7.6/workarounds.c 2004-04-10 19:07:43.000000000 +0200 | ||
1233 | @@ -166,11 +166,22 @@ | ||
1234 | int *len; | ||
1235 | { | ||
1236 | int ret; | ||
1237 | +#ifdef INET6 | ||
1238 | + struct sockaddr *sin = sa; | ||
1239 | +#else | ||
1240 | struct sockaddr_in *sin = (struct sockaddr_in *) sa; | ||
1241 | +#endif | ||
1242 | |||
1243 | if ((ret = getpeername(sock, sa, len)) >= 0 | ||
1244 | +#ifdef INET6 | ||
1245 | + && ((sin->su_si.si_family == AF_INET6 | ||
1246 | + && IN6_IS_ADDR_UNSPECIFIED(&sin->su_sin6.sin6_addr)) | ||
1247 | + || (sin->su_si.si_family == AF_INET | ||
1248 | + && sin->su_sin.sin_addr.s_addr == 0))) { | ||
1249 | +#else | ||
1250 | && sa->sa_family == AF_INET | ||
1251 | && sin->sin_addr.s_addr == 0) { | ||
1252 | +#endif | ||
1253 | errno = ENOTCONN; | ||
1254 | return (-1); | ||
1255 | } else { | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch new file mode 100644 index 0000000000..226106f4ff --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch | |||
@@ -0,0 +1,153 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Path: news.porcupine.org!news.porcupine.org!not-for-mail | ||
4 | From: Wietse Venema <wietse@((no)(spam)(please))wzv.win.tue.nl> | ||
5 | Newsgroups: comp.mail.sendmail,comp.security.unix | ||
6 | Subject: TCP Wrapper Blacklist Extension | ||
7 | Followup-To: poster | ||
8 | Date: 8 Sep 1997 18:53:13 -0400 | ||
9 | Organization: Wietse's hangout while on sabattical in the USA | ||
10 | Lines: 147 | ||
11 | Sender: wietse@spike.porcupine.org | ||
12 | Message-ID: <5v1vkp$h4f$1@spike.porcupine.org> | ||
13 | NNTP-Posting-Host: spike.porcupine.org | ||
14 | Xref: news.porcupine.org comp.mail.sendmail:3541 comp.security.unix:7158 | ||
15 | |||
16 | The patch below adds a new host pattern to the TCP Wrapper access | ||
17 | control language. Instead of a host name or address pattern, you | ||
18 | can specify an external /file/name with host name or address | ||
19 | patterns. The feature can be used recursively. | ||
20 | |||
21 | The /file/name extension makes it easy to blacklist bad sites, for | ||
22 | example, to block unwanted electronic mail when libwrap is linked | ||
23 | into sendmail. Adding hosts to a simple text file is much easier | ||
24 | than having to edit a more complex hosts.allow/deny file. | ||
25 | |||
26 | I developed this a year or so ago as a substitute for NIS netgroups. | ||
27 | At that time, I did not consider it of sufficient interest for | ||
28 | inclusion in the TCP Wrapper distribution. How times have changed. | ||
29 | |||
30 | The patch is relative to TCP Wrappers version 7.6. The main archive | ||
31 | site is ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz | ||
32 | |||
33 | Thanks to the Debian LINUX folks for expressing their interest in | ||
34 | this patch. | ||
35 | |||
36 | Wietse | ||
37 | |||
38 | |||
39 | [diff updated by Md] | ||
40 | |||
41 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
42 | --- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:28:09.000000000 +0200 | ||
43 | +++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:28:01.000000000 +0200 | ||
44 | @@ -97,6 +97,13 @@ | ||
45 | `[3ffe:505:2:1::]/64\' matches every address in the range | ||
46 | `3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'. | ||
47 | .IP \(bu | ||
48 | +A string that begins with a `/\' character is treated as a file | ||
49 | +name. A host name or address is matched if it matches any host name | ||
50 | +or address pattern listed in the named file. The file format is | ||
51 | +zero or more lines with zero or more host name or address patterns | ||
52 | +separated by whitespace. A file name pattern can be used anywhere | ||
53 | +a host name or address pattern can be used. | ||
54 | +.IP \(bu | ||
55 | Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This | ||
56 | method of matching cannot be used in conjunction with `net/mask\' matching, | ||
57 | hostname matching beginning with `.\' or IP address matching ending with `.\'. | ||
58 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c | ||
59 | --- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:28:09.000000000 +0200 | ||
60 | +++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:27:05.000000000 +0200 | ||
61 | @@ -253,6 +253,26 @@ | ||
62 | } | ||
63 | } | ||
64 | |||
65 | +/* hostfile_match - look up host patterns from file */ | ||
66 | + | ||
67 | +static int hostfile_match(path, host) | ||
68 | +char *path; | ||
69 | +struct hosts_info *host; | ||
70 | +{ | ||
71 | + char tok[BUFSIZ]; | ||
72 | + int match = NO; | ||
73 | + FILE *fp; | ||
74 | + | ||
75 | + if ((fp = fopen(path, "r")) != 0) { | ||
76 | + while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host))) | ||
77 | + /* void */ ; | ||
78 | + fclose(fp); | ||
79 | + } else if (errno != ENOENT) { | ||
80 | + tcpd_warn("open %s: %m", path); | ||
81 | + } | ||
82 | + return (match); | ||
83 | +} | ||
84 | + | ||
85 | /* host_match - match host name and/or address against pattern */ | ||
86 | |||
87 | static int host_match(tok, host) | ||
88 | @@ -280,6 +300,8 @@ | ||
89 | tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ | ||
90 | return (NO); | ||
91 | #endif | ||
92 | + } else if (tok[0] == '/') { /* /file hack */ | ||
93 | + return (hostfile_match(tok, host)); | ||
94 | } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ | ||
95 | char *name = eval_hostname(host); | ||
96 | return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); | ||
97 | diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c | ||
98 | --- tcp_wrappers_7.6.orig/tcpdchk.c 2004-04-10 19:28:09.000000000 +0200 | ||
99 | +++ tcp_wrappers_7.6/tcpdchk.c 2004-04-10 19:27:05.000000000 +0200 | ||
100 | @@ -353,6 +353,8 @@ | ||
101 | { | ||
102 | if (pat[0] == '@') { | ||
103 | tcpd_warn("%s: daemon name begins with \"@\"", pat); | ||
104 | + } else if (pat[0] == '/') { | ||
105 | + tcpd_warn("%s: daemon name begins with \"/\"", pat); | ||
106 | } else if (pat[0] == '.') { | ||
107 | tcpd_warn("%s: daemon name begins with dot", pat); | ||
108 | } else if (pat[strlen(pat) - 1] == '.') { | ||
109 | @@ -385,6 +387,8 @@ | ||
110 | { | ||
111 | if (pat[0] == '@') { /* @netgroup */ | ||
112 | tcpd_warn("%s: user name begins with \"@\"", pat); | ||
113 | + } else if (pat[0] == '/') { | ||
114 | + tcpd_warn("%s: user name begins with \"/\"", pat); | ||
115 | } else if (pat[0] == '.') { | ||
116 | tcpd_warn("%s: user name begins with dot", pat); | ||
117 | } else if (pat[strlen(pat) - 1] == '.') { | ||
118 | @@ -430,8 +434,13 @@ | ||
119 | static int check_host(pat) | ||
120 | char *pat; | ||
121 | { | ||
122 | + char buf[BUFSIZ]; | ||
123 | char *mask; | ||
124 | int addr_count = 1; | ||
125 | + FILE *fp; | ||
126 | + struct tcpd_context saved_context; | ||
127 | + char *cp; | ||
128 | + char *wsp = " \t\r\n"; | ||
129 | |||
130 | if (pat[0] == '@') { /* @netgroup */ | ||
131 | #ifdef NO_NETGRENT | ||
132 | @@ -450,6 +459,21 @@ | ||
133 | tcpd_warn("netgroup support disabled"); | ||
134 | #endif | ||
135 | #endif | ||
136 | + } else if (pat[0] == '/') { /* /path/name */ | ||
137 | + if ((fp = fopen(pat, "r")) != 0) { | ||
138 | + saved_context = tcpd_context; | ||
139 | + tcpd_context.file = pat; | ||
140 | + tcpd_context.line = 0; | ||
141 | + while (fgets(buf, sizeof(buf), fp)) { | ||
142 | + tcpd_context.line++; | ||
143 | + for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) | ||
144 | + check_host(cp); | ||
145 | + } | ||
146 | + tcpd_context = saved_context; | ||
147 | + fclose(fp); | ||
148 | + } else if (errno != ENOENT) { | ||
149 | + tcpd_warn("open %s: %m", pat); | ||
150 | + } | ||
151 | } else if (mask = split_at(pat, '/')) { /* network/netmask */ | ||
152 | #ifdef INET6 | ||
153 | int mask_len; | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_usagi_fix.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_usagi_fix.patch new file mode 100644 index 0000000000..260e8d3138 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_usagi_fix.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -uN tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.new/hosts_access.c | ||
4 | --- tcp_wrappers_7.6/hosts_access.c Mon May 20 14:00:56 2002 | ||
5 | +++ tcp_wrappers_7.6.new/hosts_access.c Mon May 20 14:25:05 2002 | ||
6 | @@ -448,6 +448,15 @@ | ||
7 | int len, mask_len, i = 0; | ||
8 | char ch; | ||
9 | |||
10 | + /* | ||
11 | + * Behavior of getaddrinfo() against IPv4-mapped IPv6 address is | ||
12 | + * different between KAME and Solaris8. While KAME returns | ||
13 | + * AF_INET6, Solaris8 returns AF_INET. So, we avoid this here. | ||
14 | + */ | ||
15 | + if (STRN_EQ(string, "::ffff:", 7) | ||
16 | + && dot_quad_addr(string + 7) != INADDR_NONE) | ||
17 | + return (masked_match4(net_tok, mask_tok, string + 7)); | ||
18 | + | ||
19 | memset(&hints, 0, sizeof(hints)); | ||
20 | hints.ai_family = AF_INET6; | ||
21 | hints.ai_socktype = SOCK_STREAM; | ||
22 | @@ -457,13 +466,6 @@ | ||
23 | memcpy(&addr, res->ai_addr, sizeof(addr)); | ||
24 | freeaddrinfo(res); | ||
25 | |||
26 | - if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)) { | ||
27 | - if ((*(u_int32_t *)&net.sin6_addr.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE | ||
28 | - || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) | ||
29 | - return (NO); | ||
30 | - return ((*(u_int32_t *)&addr.sin6_addr.s6_addr[12] & mask) == *(u_int32_t *)&net.sin6_addr.s6_addr[12]); | ||
31 | - } | ||
32 | - | ||
33 | /* match IPv6 address against netnumber/prefixlen */ | ||
34 | len = strlen(net_tok); | ||
35 | if (*net_tok != '[' || net_tok[len - 1] != ']') | ||
36 | diff -uN tcp_wrappers_7.6/socket.c tcp_wrappers_7.6.new/socket.c | ||
37 | --- tcp_wrappers_7.6/socket.c Mon May 20 13:48:35 2002 | ||
38 | +++ tcp_wrappers_7.6.new/socket.c Mon May 20 14:22:27 2002 | ||
39 | @@ -228,7 +228,7 @@ | ||
40 | hints.ai_family = sin->sa_family; | ||
41 | hints.ai_socktype = SOCK_STREAM; | ||
42 | hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST; | ||
43 | - if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) { | ||
44 | + if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) { | ||
45 | freeaddrinfo(res0); | ||
46 | res0 = NULL; | ||
47 | tcpd_warn("host name/name mismatch: " | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/12_makefile_config.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/12_makefile_config.patch new file mode 100644 index 0000000000..e8289e44d9 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/12_makefile_config.patch | |||
@@ -0,0 +1,83 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile | ||
4 | --- tcp_wrappers_7.6.orig/Makefile 2003-08-21 01:43:39.000000000 +0200 | ||
5 | +++ tcp_wrappers_7.6/Makefile 2003-08-21 01:43:35.000000000 +0200 | ||
6 | @@ -45,7 +45,7 @@ | ||
7 | # | ||
8 | # SysV.4 Solaris 2.x OSF AIX | ||
9 | #REAL_DAEMON_DIR=/usr/sbin | ||
10 | -# | ||
11 | +REAL_DAEMON_DIR=/usr/sbin | ||
12 | # BSD 4.4 | ||
13 | #REAL_DAEMON_DIR=/usr/libexec | ||
14 | # | ||
15 | @@ -512,6 +519,7 @@ | ||
16 | # (examples: allow, deny, banners, twist and spawn). | ||
17 | # | ||
18 | #STYLE = -DPROCESS_OPTIONS # Enable language extensions. | ||
19 | +STYLE = -DPROCESS_OPTIONS | ||
20 | |||
21 | ################################################################ | ||
22 | # Optional: Changing the default disposition of logfile records | ||
23 | @@ -535,6 +543,7 @@ | ||
24 | # The LOG_XXX names below are taken from the /usr/include/syslog.h file. | ||
25 | |||
26 | FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use | ||
27 | +FACILITY= LOG_DAEMON | ||
28 | |||
29 | # The syslog priority at which successful connections are logged. | ||
30 | |||
31 | @@ -631,6 +640,7 @@ | ||
32 | # lookups altogether, see the next section. | ||
33 | |||
34 | PARANOID= -DPARANOID | ||
35 | +PARANOID= | ||
36 | |||
37 | ######################################## | ||
38 | # Optional: turning off hostname lookups | ||
39 | @@ -644,6 +654,7 @@ | ||
40 | # mode (see previous section) and comment out the following definition. | ||
41 | |||
42 | HOSTNAME= -DALWAYS_HOSTNAME | ||
43 | +HOSTNAME= | ||
44 | |||
45 | ############################################# | ||
46 | # Optional: Turning on host ADDRESS checking | ||
47 | @@ -670,6 +681,7 @@ | ||
48 | # Solaris 2.x, and Linux. See your system documentation for details. | ||
49 | # | ||
50 | # KILL_OPT= -DKILL_IP_OPTIONS | ||
51 | +KILL_OPT= -DKILL_IP_OPTIONS | ||
52 | |||
53 | ## End configuration options | ||
54 | ############################ | ||
55 | @@ -677,9 +689,10 @@ | ||
56 | # Protection against weird shells or weird make programs. | ||
57 | |||
58 | SHELL = /bin/sh | ||
59 | -.c.o:; $(CC) $(CFLAGS) -c $*.c | ||
60 | +.c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c | ||
61 | |||
62 | -CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ | ||
63 | +COPTS = -O2 -g | ||
64 | +CFLAGS = $(COPTS) -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ | ||
65 | $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \ | ||
66 | -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \ | ||
67 | -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \ | ||
68 | @@ -712,10 +725,11 @@ | ||
69 | |||
70 | config-check: | ||
71 | @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; } | ||
72 | - @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \ | ||
73 | - if cmp cflags /tmp/cflags.$$$$ ; \ | ||
74 | - then rm /tmp/cflags.$$$$ ; \ | ||
75 | - else mv /tmp/cflags.$$$$ cflags ; \ | ||
76 | + @set +e; echo $(CFLAGS) >cflags.new ; \ | ||
77 | + if cmp cflags cflags.new ; \ | ||
78 | + then rm cflags.new ; \ | ||
79 | + else mv cflags.new cflags ; \ | ||
80 | fi >/dev/null 2>/dev/null | ||
81 | + @if [ ! -d shared ]; then mkdir shared; fi | ||
82 | |||
83 | $(LIB): $(LIB_OBJ) | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/13_shlib_weaksym.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/13_shlib_weaksym.patch new file mode 100644 index 0000000000..bd1396bc79 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/13_shlib_weaksym.patch | |||
@@ -0,0 +1,255 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile | ||
4 | --- tcp_wrappers_7.6.orig/Makefile 2004-05-02 15:37:59.000000000 +0200 | ||
5 | +++ tcp_wrappers_7.6/Makefile 2004-05-02 15:31:09.000000000 +0200 | ||
6 | @@ -150,15 +150,15 @@ | ||
7 | |||
8 | linux: | ||
9 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
10 | - LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ | ||
11 | + LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ | ||
12 | NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \ | ||
13 | - EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all | ||
14 | + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all | ||
15 | |||
16 | gnu: | ||
17 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
18 | - LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ | ||
19 | + LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ | ||
20 | NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \ | ||
21 | - EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR" all | ||
22 | + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT" all | ||
23 | |||
24 | # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x. | ||
25 | hpux hpux8 hpux9 hpux10: | ||
26 | @@ -713,7 +713,22 @@ | ||
27 | |||
28 | LIB = libwrap.a | ||
29 | |||
30 | -all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk | ||
31 | +shared/%.o: %.c | ||
32 | + $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@ | ||
33 | + | ||
34 | +SOMAJOR = 0 | ||
35 | +SOMINOR = 7.6 | ||
36 | + | ||
37 | +SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR) | ||
38 | +SHLIBSOMAJ = shared/libwrap.so.$(SOMAJOR) | ||
39 | +SHLIBSO = shared/libwrap.so | ||
40 | +SHLIBFLAGS = -Lshared -lwrap | ||
41 | + | ||
42 | +SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS) | ||
43 | +SHCFLAGS = -fPIC -shared -D_REENTRANT | ||
44 | +SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ)); | ||
45 | + | ||
46 | +all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB) | ||
47 | |||
48 | # Invalidate all object files when the compiler options (CFLAGS) have changed. | ||
49 | |||
50 | @@ -731,27 +746,33 @@ | ||
51 | $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ) | ||
52 | -$(RANLIB) $(LIB) | ||
53 | |||
54 | -tcpd: tcpd.o $(LIB) | ||
55 | - $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS) | ||
56 | +$(SHLIB): $(SHLIB_OBJ) | ||
57 | + rm -f $(SHLIB) | ||
58 | + $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ) | ||
59 | + ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ) | ||
60 | + ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO) | ||
61 | + | ||
62 | +tcpd: tcpd.o $(SHLIB) | ||
63 | + $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS) | ||
64 | |||
65 | miscd: miscd.o $(LIB) | ||
66 | $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS) | ||
67 | |||
68 | -safe_finger: safe_finger.o $(LIB) | ||
69 | - $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS) | ||
70 | +safe_finger: safe_finger.o $(SHLIB) | ||
71 | + $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS) | ||
72 | |||
73 | TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o | ||
74 | |||
75 | -tcpdmatch: $(TCPDMATCH_OBJ) $(LIB) | ||
76 | - $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS) | ||
77 | +tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB) | ||
78 | + $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS) | ||
79 | |||
80 | -try-from: try-from.o fakelog.o $(LIB) | ||
81 | - $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS) | ||
82 | +try-from: try-from.o fakelog.o $(SHLIB) | ||
83 | + $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS) | ||
84 | |||
85 | TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o | ||
86 | |||
87 | -tcpdchk: $(TCPDCHK_OBJ) $(LIB) | ||
88 | - $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS) | ||
89 | +tcpdchk: $(TCPDCHK_OBJ) $(SHLIB) | ||
90 | + $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS) | ||
91 | |||
92 | shar: $(KIT) | ||
93 | @shar $(KIT) | ||
94 | @@ -767,7 +788,9 @@ | ||
95 | |||
96 | clean: | ||
97 | rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \ | ||
98 | + libwrap*.so* \ | ||
99 | cflags | ||
100 | + rm -rf shared/ | ||
101 | |||
102 | tidy: clean | ||
103 | chmod -R a+r . | ||
104 | @@ -913,5 +936,6 @@ | ||
105 | update.o: mystdarg.h | ||
106 | update.o: tcpd.h | ||
107 | vfprintf.o: cflags | ||
108 | +weak_symbols.o: tcpd.h | ||
109 | workarounds.o: cflags | ||
110 | workarounds.o: tcpd.h | ||
111 | diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h | ||
112 | --- tcp_wrappers_7.6.orig/tcpd.h 2004-05-02 15:37:59.000000000 +0200 | ||
113 | +++ tcp_wrappers_7.6/tcpd.h 2004-05-02 15:37:49.000000000 +0200 | ||
114 | @@ -4,6 +4,15 @@ | ||
115 | * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. | ||
116 | */ | ||
117 | |||
118 | +#ifndef _TCPWRAPPERS_TCPD_H | ||
119 | +#define _TCPWRAPPERS_TCPD_H | ||
120 | + | ||
121 | +/* Need definitions of struct sockaddr_in and FILE. */ | ||
122 | +#include <netinet/in.h> | ||
123 | +#include <stdio.h> | ||
124 | + | ||
125 | +__BEGIN_DECLS | ||
126 | + | ||
127 | /* Structure to describe one communications endpoint. */ | ||
128 | |||
129 | #define STRING_LENGTH 128 /* hosts, users, processes */ | ||
130 | @@ -29,10 +38,10 @@ | ||
131 | char pid[10]; /* access via eval_pid(request) */ | ||
132 | struct host_info client[1]; /* client endpoint info */ | ||
133 | struct host_info server[1]; /* server endpoint info */ | ||
134 | - void (*sink) (); /* datagram sink function or 0 */ | ||
135 | - void (*hostname) (); /* address to printable hostname */ | ||
136 | - void (*hostaddr) (); /* address to printable address */ | ||
137 | - void (*cleanup) (); /* cleanup function or 0 */ | ||
138 | + void (*sink) (int); /* datagram sink function or 0 */ | ||
139 | + void (*hostname) (struct host_info *); /* address to printable hostname */ | ||
140 | + void (*hostaddr) (struct host_info *); /* address to printable address */ | ||
141 | + void (*cleanup) (struct request_info *); /* cleanup function or 0 */ | ||
142 | struct netconfig *config; /* netdir handle */ | ||
143 | }; | ||
144 | |||
145 | @@ -70,20 +79,27 @@ | ||
146 | #define fromhost sock_host /* no TLI support needed */ | ||
147 | #endif | ||
148 | |||
149 | -extern int hosts_access(); /* access control */ | ||
150 | -extern void shell_cmd(); /* execute shell command */ | ||
151 | -extern char *percent_x(); /* do %<char> expansion */ | ||
152 | -extern void rfc931(); /* client name from RFC 931 daemon */ | ||
153 | -extern void clean_exit(); /* clean up and exit */ | ||
154 | -extern void refuse(); /* clean up and exit */ | ||
155 | -extern char *xgets(); /* fgets() on steroids */ | ||
156 | -extern char *split_at(); /* strchr() and split */ | ||
157 | -extern unsigned long dot_quad_addr(); /* restricted inet_addr() */ | ||
158 | +extern int hosts_access(struct request_info *request); /* access control */ | ||
159 | +extern void shell_cmd(char *); /* execute shell command */ | ||
160 | +extern char *percent_x(char *, int, char *, struct request_info *); | ||
161 | + /* do %<char> expansion */ | ||
162 | +extern void rfc931(struct sockaddr *, struct sockaddr *, char *); | ||
163 | + /* client name from RFC 931 daemon */ | ||
164 | +extern void clean_exit(struct request_info *); /* clean up and exit */ | ||
165 | +extern void refuse(struct request_info *); /* clean up and exit */ | ||
166 | +extern char *xgets(char *, int, FILE *); /* fgets() on steroids */ | ||
167 | +extern char *split_at(char *, int); /* strchr() and split */ | ||
168 | +extern unsigned long dot_quad_addr(char *); /* restricted inet_addr() */ | ||
169 | |||
170 | /* Global variables. */ | ||
171 | |||
172 | +#ifdef HAVE_WEAKSYMS | ||
173 | +extern int allow_severity __attribute__ ((weak)); /* for connection logging */ | ||
174 | +extern int deny_severity __attribute__ ((weak)); /* for connection logging */ | ||
175 | +#else | ||
176 | extern int allow_severity; /* for connection logging */ | ||
177 | extern int deny_severity; /* for connection logging */ | ||
178 | +#endif | ||
179 | extern char *hosts_allow_table; /* for verification mode redirection */ | ||
180 | extern char *hosts_deny_table; /* for verification mode redirection */ | ||
181 | extern int hosts_access_verbose; /* for verbose matching mode */ | ||
182 | @@ -98,6 +114,8 @@ | ||
183 | #ifdef __STDC__ | ||
184 | extern struct request_info *request_init(struct request_info *,...); | ||
185 | extern struct request_info *request_set(struct request_info *,...); | ||
186 | +extern int hosts_ctl(char *daemon, char *client_name, char *client_addr, | ||
187 | + char *client_user); | ||
188 | #else | ||
189 | extern struct request_info *request_init(); /* initialize request */ | ||
190 | extern struct request_info *request_set(); /* update request structure */ | ||
191 | @@ -121,20 +139,23 @@ | ||
192 | * host_info structures serve as caches for the lookup results. | ||
193 | */ | ||
194 | |||
195 | -extern char *eval_user(); /* client user */ | ||
196 | -extern char *eval_hostname(); /* printable hostname */ | ||
197 | -extern char *eval_hostaddr(); /* printable host address */ | ||
198 | -extern char *eval_hostinfo(); /* host name or address */ | ||
199 | -extern char *eval_client(); /* whatever is available */ | ||
200 | -extern char *eval_server(); /* whatever is available */ | ||
201 | +extern char *eval_user(struct request_info *); /* client user */ | ||
202 | +extern char *eval_hostname(struct host_info *); /* printable hostname */ | ||
203 | +extern char *eval_hostaddr(struct host_info *); /* printable host address */ | ||
204 | +extern char *eval_hostinfo(struct host_info *); /* host name or address */ | ||
205 | +extern char *eval_client(struct request_info *);/* whatever is available */ | ||
206 | +extern char *eval_server(struct request_info *);/* whatever is available */ | ||
207 | #define eval_daemon(r) ((r)->daemon) /* daemon process name */ | ||
208 | #define eval_pid(r) ((r)->pid) /* process id */ | ||
209 | |||
210 | /* Socket-specific methods, including DNS hostname lookups. */ | ||
211 | |||
212 | -extern void sock_host(); /* look up endpoint addresses */ | ||
213 | -extern void sock_hostname(); /* translate address to hostname */ | ||
214 | -extern void sock_hostaddr(); /* address to printable address */ | ||
215 | +/* look up endpoint addresses */ | ||
216 | +extern void sock_host(struct request_info *); | ||
217 | +/* translate address to hostname */ | ||
218 | +extern void sock_hostname(struct host_info *); | ||
219 | +/* address to printable address */ | ||
220 | +extern void sock_hostaddr(struct host_info *); | ||
221 | #define sock_methods(r) \ | ||
222 | { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; } | ||
223 | |||
224 | @@ -182,7 +203,7 @@ | ||
225 | * behavior. | ||
226 | */ | ||
227 | |||
228 | -extern void process_options(); /* execute options */ | ||
229 | +extern void process_options(char *, struct request_info *);/* execute options */ | ||
230 | extern int dry_run; /* verification flag */ | ||
231 | |||
232 | /* Bug workarounds. */ | ||
233 | @@ -221,3 +242,7 @@ | ||
234 | #define strtok my_strtok | ||
235 | extern char *my_strtok(); | ||
236 | #endif | ||
237 | + | ||
238 | +__END_DECLS | ||
239 | + | ||
240 | +#endif | ||
241 | diff -ruN tcp_wrappers_7.6.orig/weak_symbols.c tcp_wrappers_7.6/weak_symbols.c | ||
242 | --- tcp_wrappers_7.6.orig/weak_symbols.c 1970-01-01 01:00:00.000000000 +0100 | ||
243 | +++ tcp_wrappers_7.6/weak_symbols.c 2004-05-02 15:31:09.000000000 +0200 | ||
244 | @@ -0,0 +1,11 @@ | ||
245 | + /* | ||
246 | + * @(#) weak_symbols.h 1.5 99/12/29 23:50 | ||
247 | + * | ||
248 | + * Author: Anthony Towns <ajt@debian.org> | ||
249 | + */ | ||
250 | + | ||
251 | +#ifdef HAVE_WEAKSYMS | ||
252 | +#include <syslog.h> | ||
253 | +int deny_severity = LOG_WARNING; | ||
254 | +int allow_severity = SEVERITY; | ||
255 | +#endif | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/14_cidr_support.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/14_cidr_support.patch new file mode 100644 index 0000000000..eb5685c576 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/14_cidr_support.patch | |||
@@ -0,0 +1,68 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
4 | --- tcp_wrappers_7.6.orig/hosts_access.5 2003-08-21 03:15:36.000000000 +0200 | ||
5 | +++ tcp_wrappers_7.6/hosts_access.5 2003-08-21 03:15:31.000000000 +0200 | ||
6 | @@ -90,6 +90,10 @@ | ||
7 | pattern `131.155.72.0/255.255.254.0\' matches every address in the | ||
8 | range `131.155.72.0\' through `131.155.73.255\'. | ||
9 | .IP \(bu | ||
10 | +An expression of the form `n.n.n.n/mm' is interpreted as a | ||
11 | +`net/masklength' pair, where `mm' is the number of consecutive `1' | ||
12 | +bits in the netmask applied to the `n.n.n.n' address. | ||
13 | +.IP \(bu | ||
14 | An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a | ||
15 | `[net]/prefixlen\' pair. An IPv6 host address is matched if | ||
16 | `prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the | ||
17 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c | ||
18 | --- tcp_wrappers_7.6.orig/hosts_access.c 2003-08-21 03:15:36.000000000 +0200 | ||
19 | +++ tcp_wrappers_7.6/hosts_access.c 2003-08-21 03:09:30.000000000 +0200 | ||
20 | @@ -417,7 +417,8 @@ | ||
21 | if ((addr = dot_quad_addr(string)) == INADDR_NONE) | ||
22 | return (NO); | ||
23 | if ((net = dot_quad_addr(net_tok)) == INADDR_NONE | ||
24 | - || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) { | ||
25 | + || ((mask = dot_quad_addr(mask_tok)) == INADDR_NONE | ||
26 | + && (mask = cidr_mask_addr(mask_tok)) == 0)) { | ||
27 | #ifndef INET6 | ||
28 | tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok); | ||
29 | #endif | ||
30 | diff -ruN tcp_wrappers_7.6.orig/misc.c tcp_wrappers_7.6/misc.c | ||
31 | --- tcp_wrappers_7.6.orig/misc.c 2003-08-21 03:15:36.000000000 +0200 | ||
32 | +++ tcp_wrappers_7.6/misc.c 2003-08-21 03:09:30.000000000 +0200 | ||
33 | @@ -107,3 +107,17 @@ | ||
34 | } | ||
35 | return (runs == 4 ? inet_addr(str) : INADDR_NONE); | ||
36 | } | ||
37 | + | ||
38 | +/* cidr_mask_addr - convert cidr netmask length to internal form */ | ||
39 | + | ||
40 | +unsigned long cidr_mask_addr(str) | ||
41 | +char *str; | ||
42 | +{ | ||
43 | + int maskbits; | ||
44 | + | ||
45 | + maskbits = atoi(str); | ||
46 | + if (maskbits < 1 || maskbits > 32) | ||
47 | + return (0); | ||
48 | + return htonl(0xFFFFFFFF << (32 - maskbits)); | ||
49 | +} | ||
50 | + | ||
51 | diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c | ||
52 | --- tcp_wrappers_7.6.orig/tcpdchk.c 2003-08-21 03:15:36.000000000 +0200 | ||
53 | +++ tcp_wrappers_7.6/tcpdchk.c 2003-08-21 03:09:30.000000000 +0200 | ||
54 | @@ -497,12 +497,12 @@ | ||
55 | int mask_len; | ||
56 | |||
57 | if ((dot_quad_addr(pat) == INADDR_NONE | ||
58 | - || dot_quad_addr(mask) == INADDR_NONE) | ||
59 | + || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0) | ||
60 | && (!is_inet6_addr(pat) | ||
61 | || ((mask_len = atoi(mask)) < 0 || mask_len > 128))) | ||
62 | #else | ||
63 | if (dot_quad_addr(pat) == INADDR_NONE | ||
64 | - || dot_quad_addr(mask) == INADDR_NONE) | ||
65 | + || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0) | ||
66 | #endif | ||
67 | tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); | ||
68 | } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/15_match_clarify.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/15_match_clarify.patch new file mode 100644 index 0000000000..3ca6874119 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/15_match_clarify.patch | |||
@@ -0,0 +1,14 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
4 | --- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-25 12:17:59.000000000 +0200 | ||
5 | +++ tcp_wrappers_7.6/hosts_access.5 2004-04-25 12:17:53.000000000 +0200 | ||
6 | @@ -89,6 +89,8 @@ | ||
7 | bitwise AND of the address and the `mask\'. For example, the net/mask | ||
8 | pattern `131.155.72.0/255.255.254.0\' matches every address in the | ||
9 | range `131.155.72.0\' through `131.155.73.255\'. | ||
10 | +`255.255.255.255\' is not a valid mask value, so a single host can be | ||
11 | +matched just by its IP. | ||
12 | .IP \(bu | ||
13 | An expression of the form `n.n.n.n/mm' is interpreted as a | ||
14 | `net/masklength' pair, where `mm' is the number of consecutive `1' | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/expand_remote_port.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/expand_remote_port.patch new file mode 100644 index 0000000000..3087377976 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/expand_remote_port.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruN tcp_wrappers_7.6.orig/eval.c tcp_wrappers_7.6/eval.c | ||
4 | --- tcp_wrappers_7.6.orig/eval.c 1995-01-30 19:51:46.000000000 +0100 | ||
5 | +++ tcp_wrappers_7.6/eval.c 2004-11-04 13:59:01.000000000 +0100 | ||
6 | @@ -98,6 +98,28 @@ | ||
7 | } | ||
8 | } | ||
9 | |||
10 | +/* eval_port - return string with the port */ | ||
11 | +char *eval_port(saddr) | ||
12 | +#ifdef INET6 | ||
13 | +struct sockaddr *saddr; | ||
14 | +#else | ||
15 | +struct sockaddr_in *saddr; | ||
16 | +#endif | ||
17 | +{ | ||
18 | + static char port[16]; | ||
19 | + if (saddr != 0) { | ||
20 | + sprintf(port, "%u", | ||
21 | +#ifdef INET6 | ||
22 | + ntohs(((struct sockaddr_in *)saddr)->sin_port)); | ||
23 | +#else | ||
24 | + ntohs(saddr->sin_port)); | ||
25 | +#endif | ||
26 | + } else { | ||
27 | + strcpy(port, "0"); | ||
28 | + } | ||
29 | + return (port); | ||
30 | +} | ||
31 | + | ||
32 | /* eval_client - return string with as much about the client as we know */ | ||
33 | |||
34 | char *eval_client(request) | ||
35 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
36 | --- tcp_wrappers_7.6.orig/hosts_access.5 2004-11-04 13:17:45.000000000 +0100 | ||
37 | +++ tcp_wrappers_7.6/hosts_access.5 2004-11-04 13:55:32.000000000 +0100 | ||
38 | @@ -175,6 +175,8 @@ | ||
39 | unavailable. | ||
40 | .IP "%n (%N)" | ||
41 | The client (server) host name (or "unknown" or "paranoid"). | ||
42 | +.IP "%r (%R)" | ||
43 | +The clients (servers) port number (or "0"). | ||
44 | .IP %p | ||
45 | The daemon process id. | ||
46 | .IP %s | ||
47 | diff -ruN tcp_wrappers_7.6.orig/percent_x.c tcp_wrappers_7.6/percent_x.c | ||
48 | --- tcp_wrappers_7.6.orig/percent_x.c 1994-12-28 17:42:38.000000000 +0100 | ||
49 | +++ tcp_wrappers_7.6/percent_x.c 2004-11-04 13:19:29.000000000 +0100 | ||
50 | @@ -63,6 +63,8 @@ | ||
51 | ch == 'n' ? eval_hostname(request->client) : | ||
52 | ch == 'N' ? eval_hostname(request->server) : | ||
53 | ch == 'p' ? eval_pid(request) : | ||
54 | + ch == 'r' ? eval_port(request->client->sin) : | ||
55 | + ch == 'R' ? eval_port(request->server->sin) : | ||
56 | ch == 's' ? eval_server(request) : | ||
57 | ch == 'u' ? eval_user(request) : | ||
58 | ch == '%' ? "%" : (tcpd_warn("unrecognized %%%c", ch), ""); | ||
59 | diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h | ||
60 | --- tcp_wrappers_7.6.orig/tcpd.h 2004-11-04 13:17:45.000000000 +0100 | ||
61 | +++ tcp_wrappers_7.6/tcpd.h 2004-11-04 13:19:13.000000000 +0100 | ||
62 | @@ -145,6 +145,11 @@ | ||
63 | extern char *eval_hostinfo(struct host_info *); /* host name or address */ | ||
64 | extern char *eval_client(struct request_info *);/* whatever is available */ | ||
65 | extern char *eval_server(struct request_info *);/* whatever is available */ | ||
66 | +#ifdef INET6 | ||
67 | +extern char *eval_port(struct sockaddr *); | ||
68 | +#else | ||
69 | +extern char *eval_port(struct sockaddr_in *); | ||
70 | +#endif | ||
71 | #define eval_daemon(r) ((r)->daemon) /* daemon process name */ | ||
72 | #define eval_pid(r) ((r)->pid) /* process id */ | ||
73 | |||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/have_strerror.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/have_strerror.patch new file mode 100644 index 0000000000..4cc554fc38 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/have_strerror.patch | |||
@@ -0,0 +1,21 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruN tcp_wrappers_7.6.orig/percent_m.c tcp_wrappers_7.6/percent_m.c | ||
4 | --- tcp_wrappers_7.6.orig/percent_m.c 1994-12-28 17:42:37.000000000 +0100 | ||
5 | +++ tcp_wrappers_7.6/percent_m.c 2003-08-21 02:45:31.000000000 +0200 | ||
6 | @@ -29,11 +29,15 @@ | ||
7 | |||
8 | while (*bp = *cp) | ||
9 | if (*cp == '%' && cp[1] == 'm') { | ||
10 | +#ifdef HAVE_STRERROR | ||
11 | + strcpy(bp, strerror(errno)); | ||
12 | +#else | ||
13 | if (errno < sys_nerr && errno > 0) { | ||
14 | strcpy(bp, sys_errlist[errno]); | ||
15 | } else { | ||
16 | sprintf(bp, "Unknown error %d", errno); | ||
17 | } | ||
18 | +#endif | ||
19 | bp += strlen(bp); | ||
20 | cp += 2; | ||
21 | } else { | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/ldflags.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/ldflags.patch new file mode 100644 index 0000000000..3ba214d241 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/ldflags.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Index: tcp_wrappers_7.6.orig/Makefile | ||
4 | =================================================================== | ||
5 | --- tcp_wrappers_7.6.orig.orig/Makefile 2009-04-06 10:55:47.000000000 +0000 | ||
6 | +++ tcp_wrappers_7.6.orig/Makefile 2009-04-06 10:57:04.000000000 +0000 | ||
7 | @@ -748,31 +748,31 @@ | ||
8 | |||
9 | $(SHLIB): $(SHLIB_OBJ) | ||
10 | rm -f $(SHLIB) | ||
11 | - $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ) | ||
12 | + $(CC) $(LDFLAGS) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ) | ||
13 | ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ) | ||
14 | ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO) | ||
15 | |||
16 | tcpd: tcpd.o $(SHLIB) | ||
17 | - $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS) | ||
18 | + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ tcpd.o $(SHLIBFLAGS) | ||
19 | |||
20 | miscd: miscd.o $(LIB) | ||
21 | - $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS) | ||
22 | + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ miscd.o $(LIB) $(LIBS) | ||
23 | |||
24 | safe_finger: safe_finger.o $(SHLIB) | ||
25 | - $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS) | ||
26 | + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS) | ||
27 | |||
28 | TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o | ||
29 | |||
30 | tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB) | ||
31 | - $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS) | ||
32 | + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS) | ||
33 | |||
34 | try-from: try-from.o fakelog.o $(SHLIB) | ||
35 | - $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS) | ||
36 | + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS) | ||
37 | |||
38 | TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o | ||
39 | |||
40 | tcpdchk: $(TCPDCHK_OBJ) $(SHLIB) | ||
41 | - $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS) | ||
42 | + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS) | ||
43 | |||
44 | shar: $(KIT) | ||
45 | @shar $(KIT) | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/man_fromhost.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/man_fromhost.patch new file mode 100644 index 0000000000..19bd7d3c0f --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/man_fromhost.patch | |||
@@ -0,0 +1,23 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3 | ||
4 | --- tcp_wrappers_7.6.orig/hosts_access.3 2004-04-25 00:10:48.000000000 +0200 | ||
5 | +++ tcp_wrappers_7.6/hosts_access.3 2004-04-25 00:09:36.000000000 +0200 | ||
6 | @@ -14,6 +14,9 @@ | ||
7 | struct request_info *request_set(request, key, value, ..., 0) | ||
8 | struct request_info *request; | ||
9 | |||
10 | +void fromhost(request) | ||
11 | +struct request_info *request; | ||
12 | + | ||
13 | int hosts_access(request) | ||
14 | struct request_info *request; | ||
15 | |||
16 | @@ -60,6 +63,7 @@ | ||
17 | is available, host names and client user names are looked up on demand, | ||
18 | using the request structure as a cache. hosts_access() returns zero if | ||
19 | access should be denied. | ||
20 | +fromhost() must be called before hosts_access(). | ||
21 | .PP | ||
22 | hosts_ctl() is a wrapper around the request_init() and hosts_access() | ||
23 | routines with a perhaps more convenient interface (though it does not | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/rename_strings_variable.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/rename_strings_variable.patch new file mode 100644 index 0000000000..7650600ab5 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/rename_strings_variable.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | STRINGS name conflicts with variable for strings tools (e.g. i586-oe-linux-strings) | ||
2 | |||
3 | Upstream-Status: Pending | ||
4 | |||
5 | Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> | ||
6 | |||
7 | --- tcp_wrappers_7.6/Makefile.orig 2013-04-18 23:41:58.277981740 +0200 | ||
8 | +++ tcp_wrappers_7.6/Makefile 2013-04-18 23:42:42.513978966 +0200 | ||
9 | @@ -309,7 +309,7 @@ | ||
10 | pyramid: | ||
11 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
12 | LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ="environ.o vfprintf.o" \ | ||
13 | - STRINGS="-Dstrchr=index -Dstrrchr=rindex -Dmemcmp=bcmp -Dno_memcpy" \ | ||
14 | + STRINGS_FLAGS="-Dstrchr=index -Dstrrchr=rindex -Dmemcmp=bcmp -Dno_memcpy" \ | ||
15 | NETGROUP="-DNETGROUP -DUSE_GETDOMAIN" TLI= all | ||
16 | |||
17 | # Untested. | ||
18 | @@ -419,7 +419,7 @@ | ||
19 | # Uncomment the following if your C library does not provide the | ||
20 | # strchr/strrchr/memcmp routines, but comes with index/rindex/bcmp. | ||
21 | # | ||
22 | -#STRINGS= -Dstrchr=index -Dstrrchr=rindex -Dmemcmp=bcmp -Dno_memcpy | ||
23 | +#STRINGS_FLAGS= -Dstrchr=index -Dstrrchr=rindex -Dmemcmp=bcmp -Dno_memcpy | ||
24 | |||
25 | ################################################################# | ||
26 | # System dependencies: selection of non-default object libraries. | ||
27 | @@ -690,7 +690,7 @@ | ||
28 | $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \ | ||
29 | -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \ | ||
30 | -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \ | ||
31 | - $(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \ | ||
32 | + $(UCHAR) $(TABLES) $(STRINGS_FLAGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \ | ||
33 | $(VSYSLOG) $(HOSTNAME) | ||
34 | |||
35 | LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \ | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/restore_sigalarm.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/restore_sigalarm.patch new file mode 100644 index 0000000000..5875b81b2f --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/restore_sigalarm.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruN tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c | ||
4 | --- tcp_wrappers_7.6.orig/rfc931.c 2004-08-29 18:40:08.000000000 +0200 | ||
5 | +++ tcp_wrappers_7.6/rfc931.c 2004-08-29 18:40:02.000000000 +0200 | ||
6 | @@ -92,6 +92,8 @@ | ||
7 | char *cp; | ||
8 | char *result = unknown; | ||
9 | FILE *fp; | ||
10 | + unsigned saved_timeout; | ||
11 | + struct sigaction nact, oact; | ||
12 | |||
13 | #ifdef INET6 | ||
14 | /* address family must be the same */ | ||
15 | @@ -134,7 +136,12 @@ | ||
16 | */ | ||
17 | |||
18 | if (setjmp(timebuf) == 0) { | ||
19 | - signal(SIGALRM, timeout); | ||
20 | + /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */ | ||
21 | + saved_timeout = alarm(0); | ||
22 | + nact.sa_handler = timeout; | ||
23 | + nact.sa_flags = 0; | ||
24 | + (void) sigemptyset(&nact.sa_mask); | ||
25 | + (void) sigaction(SIGALRM, &nact, &oact); | ||
26 | alarm(rfc931_timeout); | ||
27 | |||
28 | /* | ||
29 | @@ -223,6 +230,10 @@ | ||
30 | } | ||
31 | alarm(0); | ||
32 | } | ||
33 | + /* Restore SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */ | ||
34 | + (void) sigaction(SIGALRM, &oact, NULL); | ||
35 | + if (saved_timeout > 0) | ||
36 | + alarm(saved_timeout); | ||
37 | fclose(fp); | ||
38 | } | ||
39 | STRN_CPY(dest, result, STRING_LENGTH); | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/rfc931.diff b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/rfc931.diff new file mode 100644 index 0000000000..723f4f136a --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/rfc931.diff | |||
@@ -0,0 +1,41 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruNp tcp_wrappers_7.6.orig/scaffold.c tcp_wrappers_7.6/scaffold.c | ||
4 | --- tcp_wrappers_7.6.orig/scaffold.c 2005-03-09 18:22:04.000000000 +0100 | ||
5 | +++ tcp_wrappers_7.6/scaffold.c 2005-03-09 18:20:47.000000000 +0100 | ||
6 | @@ -237,10 +237,17 @@ struct request_info *request; | ||
7 | |||
8 | /* ARGSUSED */ | ||
9 | |||
10 | -void rfc931(request) | ||
11 | -struct request_info *request; | ||
12 | +void rfc931(rmt_sin, our_sin, dest) | ||
13 | +#ifdef INET6 | ||
14 | +struct sockaddr *rmt_sin; | ||
15 | +struct sockaddr *our_sin; | ||
16 | +#else | ||
17 | +struct sockaddr_in *rmt_sin; | ||
18 | +struct sockaddr_in *our_sin; | ||
19 | +#endif | ||
20 | +char *dest; | ||
21 | { | ||
22 | - strcpy(request->user, unknown); | ||
23 | + strcpy(dest, unknown); | ||
24 | } | ||
25 | |||
26 | /* check_path - examine accessibility */ | ||
27 | diff -ruNp tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h | ||
28 | --- tcp_wrappers_7.6.orig/tcpd.h 2005-03-09 18:22:04.000000000 +0100 | ||
29 | +++ tcp_wrappers_7.6/tcpd.h 2005-03-09 18:21:23.000000000 +0100 | ||
30 | @@ -83,7 +83,11 @@ extern int hosts_access(struct request_i | ||
31 | extern void shell_cmd(char *); /* execute shell command */ | ||
32 | extern char *percent_x(char *, int, char *, struct request_info *); | ||
33 | /* do %<char> expansion */ | ||
34 | +#ifdef INET6 | ||
35 | extern void rfc931(struct sockaddr *, struct sockaddr *, char *); | ||
36 | +#else | ||
37 | +extern void rfc931(struct sockaddr_in *, struct sockaddr_in *, char *); | ||
38 | +#endif | ||
39 | /* client name from RFC 931 daemon */ | ||
40 | extern void clean_exit(struct request_info *); /* clean up and exit */ | ||
41 | extern void refuse(struct request_info *); /* clean up and exit */ | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.8 b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.8 new file mode 100644 index 0000000000..875616b9ea --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.8 | |||
@@ -0,0 +1,34 @@ | |||
1 | .TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual" | ||
2 | .SH NAME | ||
3 | safe_finger \- finger client wrapper that protects against nasty stuff | ||
4 | from finger servers | ||
5 | .SH SYNOPSIS | ||
6 | .B safe_finger [finger_options] | ||
7 | .SH DESCRIPTION | ||
8 | The | ||
9 | .B safe_finger | ||
10 | command protects against nasty stuff from finger servers. Use this | ||
11 | program for automatic reverse finger probes from the | ||
12 | .B tcp_wrapper | ||
13 | .B (tcpd) | ||
14 | , not the raw finger command. The | ||
15 | .B safe_finger | ||
16 | command makes sure that the finger client is not run with root | ||
17 | privileges. It also runs the finger client with a defined PATH | ||
18 | environment. | ||
19 | .B safe_finger | ||
20 | will also protect you from problems caused by the output of some | ||
21 | finger servers. The problem: some programs may react to stuff in | ||
22 | the first column. Other programs may get upset by thrash anywhere | ||
23 | on a line. File systems may fill up as the finger server keeps | ||
24 | sending data. Text editors may bomb out on extremely long lines. | ||
25 | The finger server may take forever because it is somehow wedged. | ||
26 | .B safe_finger | ||
27 | takes care of all this badness. | ||
28 | .SH SEE ALSO | ||
29 | .BR hosts_access (5), | ||
30 | .BR hosts_options (5), | ||
31 | .BR tcpd (8) | ||
32 | .SH AUTHOR | ||
33 | Wietse Venema, Eindhoven University of Technology, The Netherlands. | ||
34 | |||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.patch new file mode 100644 index 0000000000..fc2afeef15 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | --- tcp-wrappers-7.6-ipv6.1.orig/safe_finger.c | ||
4 | +++ tcp-wrappers-7.6-ipv6.1/safe_finger.c | ||
5 | @@ -26,21 +26,24 @@ | ||
6 | #include <stdio.h> | ||
7 | #include <ctype.h> | ||
8 | #include <pwd.h> | ||
9 | +#include <syslog.h> | ||
10 | |||
11 | extern void exit(); | ||
12 | |||
13 | /* Local stuff */ | ||
14 | |||
15 | -char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin"; | ||
16 | +char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin"; | ||
17 | |||
18 | #define TIME_LIMIT 60 /* Do not keep listinging forever */ | ||
19 | #define INPUT_LENGTH 100000 /* Do not keep listinging forever */ | ||
20 | #define LINE_LENGTH 128 /* Editors can choke on long lines */ | ||
21 | #define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */ | ||
22 | #define UNPRIV_NAME "nobody" /* Preferred privilege level */ | ||
23 | -#define UNPRIV_UGID 32767 /* Default uid and gid */ | ||
24 | +#define UNPRIV_UGID 65534 /* Default uid and gid */ | ||
25 | |||
26 | int finger_pid; | ||
27 | +int allow_severity = SEVERITY; | ||
28 | +int deny_severity = LOG_WARNING; | ||
29 | |||
30 | void cleanup(sig) | ||
31 | int sig; | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/sig_fix.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/sig_fix.patch new file mode 100644 index 0000000000..9d7ea042b2 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/sig_fix.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | * Mon Feb 10 2003 Harald Hoyer <harald@redhat.de> 7.6-29 | ||
4 | - added security patch tcp_wrappers-7.6-sig.patch | ||
5 | |||
6 | --- tcp_wrappers_7.6/hosts_access.c.sig 2003-02-10 16:18:31.000000000 +0100 | ||
7 | +++ tcp_wrappers_7.6/hosts_access.c 2003-02-10 16:50:38.000000000 +0100 | ||
8 | @@ -66,6 +66,7 @@ | ||
9 | |||
10 | #define YES 1 | ||
11 | #define NO 0 | ||
12 | +#define ERR -1 | ||
13 | |||
14 | /* | ||
15 | * These variables are globally visible so that they can be redirected in | ||
16 | @@ -129,9 +129,9 @@ | ||
17 | return (verdict == AC_PERMIT); | ||
18 | if (table_match(hosts_allow_table, request)) | ||
19 | return (YES); | ||
20 | - if (table_match(hosts_deny_table, request)) | ||
21 | - return (NO); | ||
22 | - return (YES); | ||
23 | + if (table_match(hosts_deny_table, request) == NO) | ||
24 | + return (YES); | ||
25 | + return (NO); | ||
26 | } | ||
27 | |||
28 | /* table_match - match table entries with (daemon, client) pair */ | ||
29 | @@ -175,6 +175,7 @@ | ||
30 | (void) fclose(fp); | ||
31 | } else if (errno != ENOENT) { | ||
32 | tcpd_warn("cannot open %s: %m", table); | ||
33 | + match = ERR; | ||
34 | } | ||
35 | if (match) { | ||
36 | if (hosts_access_verbose > 1) | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/siglongjmp.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/siglongjmp.patch new file mode 100644 index 0000000000..76dd6340b2 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/siglongjmp.patch | |||
@@ -0,0 +1,32 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruNp tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c | ||
4 | --- tcp_wrappers_7.6.orig/rfc931.c 2004-08-29 18:42:25.000000000 +0200 | ||
5 | +++ tcp_wrappers_7.6/rfc931.c 2004-08-29 18:41:04.000000000 +0200 | ||
6 | @@ -33,7 +33,7 @@ static char sccsid[] = "@(#) rfc931.c 1. | ||
7 | |||
8 | int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */ | ||
9 | |||
10 | -static jmp_buf timebuf; | ||
11 | +static sigjmp_buf timebuf; | ||
12 | |||
13 | /* fsocket - open stdio stream on top of socket */ | ||
14 | |||
15 | @@ -62,7 +62,7 @@ int protocol; | ||
16 | static void timeout(sig) | ||
17 | int sig; | ||
18 | { | ||
19 | - longjmp(timebuf, sig); | ||
20 | + siglongjmp(timebuf, sig); | ||
21 | } | ||
22 | |||
23 | /* rfc931 - return remote user name, given socket structures */ | ||
24 | @@ -135,7 +135,7 @@ char *dest; | ||
25 | * Set up a timer so we won't get stuck while waiting for the server. | ||
26 | */ | ||
27 | |||
28 | - if (setjmp(timebuf) == 0) { | ||
29 | + if (sigsetjmp(timebuf, 0) == 0) { | ||
30 | /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */ | ||
31 | saved_timeout = alarm(0); | ||
32 | nact.sa_handler = timeout; | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/socklen_t.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/socklen_t.patch new file mode 100644 index 0000000000..8e46df8e1e --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/socklen_t.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | commit 88b6984ef0bf3b703c1c851092662b95e91db1ff | ||
2 | Author: farrah rashid <farrah.rashid@windriver.com> | ||
3 | Date: Tue Feb 12 09:53:50 2013 -0500 | ||
4 | |||
5 | tcp-wrappers Support for building with glibc | ||
6 | |||
7 | Added support for socklen_t type to len argument passed to socket related | ||
8 | calls. This fixes a bug that causes tcp wrappers to fail when using sshd. | ||
9 | |||
10 | Upstream-Status: Pending | ||
11 | |||
12 | Signed-off-by: farrah rashid <farrah.rashid@windriver.com> | ||
13 | |||
14 | diff --git a/fix_options.c b/fix_options.c | ||
15 | index 7473adf..fe2b442 100644 | ||
16 | --- a/fix_options.c | ||
17 | +++ b/fix_options.c | ||
18 | @@ -38,7 +38,12 @@ struct request_info *request; | ||
19 | #ifdef IP_OPTIONS | ||
20 | unsigned char optbuf[BUFFER_SIZE / 3], *cp; | ||
21 | char lbuf[BUFFER_SIZE], *lp; | ||
22 | - int optsize = sizeof(optbuf), ipproto; | ||
23 | +#ifdef __GLIBC__ | ||
24 | + socklen_t optsize = sizeof(optbuf); | ||
25 | +#else | ||
26 | + int optsize = sizeof(optbuf); | ||
27 | +#endif | ||
28 | + int ipproto; | ||
29 | struct protoent *ip; | ||
30 | int fd = request->fd; | ||
31 | unsigned int opt; | ||
32 | diff --git a/socket.c b/socket.c | ||
33 | index 4b2c575..a0d2987 100644 | ||
34 | --- a/socket.c | ||
35 | +++ b/socket.c | ||
36 | @@ -95,7 +95,11 @@ struct request_info *request; | ||
37 | static struct sockaddr_in client; | ||
38 | static struct sockaddr_in server; | ||
39 | #endif | ||
40 | +#ifdef __GLIBC__ | ||
41 | + socklen_t len; | ||
42 | +#else | ||
43 | int len; | ||
44 | +#endif | ||
45 | char buf[BUFSIZ]; | ||
46 | int fd = request->fd; | ||
47 | |||
48 | @@ -426,7 +430,11 @@ int fd; | ||
49 | #else | ||
50 | struct sockaddr_in sin; | ||
51 | #endif | ||
52 | +#ifdef __GLIBC__ | ||
53 | + socklen_t size = sizeof(sin); | ||
54 | +#else | ||
55 | int size = sizeof(sin); | ||
56 | +#endif | ||
57 | |||
58 | /* | ||
59 | * Eat up the not-yet received datagram. Some systems insist on a | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/tcpdchk_libwrapped.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/tcpdchk_libwrapped.patch new file mode 100644 index 0000000000..be29bdcfaa --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/tcpdchk_libwrapped.patch | |||
@@ -0,0 +1,41 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c | ||
4 | --- tcp_wrappers_7.6.orig/tcpdchk.c 2003-08-21 02:50:37.000000000 +0200 | ||
5 | +++ tcp_wrappers_7.6/tcpdchk.c 2003-08-21 02:50:33.000000000 +0200 | ||
6 | @@ -53,6 +53,24 @@ | ||
7 | #include "inetcf.h" | ||
8 | #include "scaffold.h" | ||
9 | |||
10 | +/* list of programs which are known to be linked with libwrap in debian */ | ||
11 | +static const char *const libwrap_programs[] = { | ||
12 | + "portmap", "mountd", "statd", "ugidd", | ||
13 | + "redir", "rlinetd", | ||
14 | + "sshd", | ||
15 | + "atftpd", | ||
16 | + "diald", | ||
17 | + "esound", | ||
18 | + "gdm", "gnome-session", | ||
19 | + "icecast", "icecast_admin", "icecast_client", "icecast_source", | ||
20 | + "mysqld", | ||
21 | + "ntop", | ||
22 | + "pptpd", | ||
23 | + "rquotad", | ||
24 | + "sendmail", "smail", | ||
25 | + NULL | ||
26 | +}; | ||
27 | + | ||
28 | /* | ||
29 | * Stolen from hosts_access.c... | ||
30 | */ | ||
31 | @@ -147,8 +165,8 @@ | ||
32 | /* | ||
33 | * These are not run from inetd but may have built-in access control. | ||
34 | */ | ||
35 | - inet_set("portmap", WR_NOT); | ||
36 | - inet_set("rpcbind", WR_NOT); | ||
37 | + for (c = 0; libwrap_programs[c]; c++) | ||
38 | + inet_set(libwrap_programs[c], WR_YES); | ||
39 | |||
40 | /* | ||
41 | * Check accessibility of access control files. | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/try-from.8 b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/try-from.8 new file mode 100644 index 0000000000..9c8f30543e --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/try-from.8 | |||
@@ -0,0 +1,28 @@ | |||
1 | .TH TRY-FROM 8 "21th June 1997" Linux "Linux Programmer's Manual" | ||
2 | .SH NAME | ||
3 | try-from \- test program for the tcp_wrapper | ||
4 | .SH SYNOPSIS | ||
5 | .B try-from | ||
6 | .SH DESCRIPTION | ||
7 | The | ||
8 | .B try-from | ||
9 | command can be called via a remote shell command to find out | ||
10 | if the hostname and address are properly recognized | ||
11 | by the | ||
12 | .B tcp_wrapper | ||
13 | library, if username lookup works, and (SysV only) if the TLI | ||
14 | on top of IP heuristics work. Diagnostics are reported through | ||
15 | .BR syslog (3) | ||
16 | and redirected to stderr. | ||
17 | |||
18 | Example: | ||
19 | |||
20 | rsh host /some/where/try-from | ||
21 | |||
22 | .SH SEE ALSO | ||
23 | .BR hosts_access (5), | ||
24 | .BR hosts_options (5), | ||
25 | .BR tcpd (8) | ||
26 | .SH AUTHOR | ||
27 | Wietse Venema, Eindhoven University of Technology, The Netherlands. | ||
28 | |||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers_7.6.bb b/meta/recipes-extended/tcp-wrappers/tcp-wrappers_7.6.bb new file mode 100644 index 0000000000..4d6430634e --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers_7.6.bb | |||
@@ -0,0 +1,128 @@ | |||
1 | SUMMARY = "Security tool that is a wrapper for TCP daemons" | ||
2 | DESCRIPTION = "Tools for monitoring and filtering incoming requests for tcp \ | ||
3 | services." | ||
4 | SECTION = "console/network" | ||
5 | |||
6 | LICENSE = "BSD" | ||
7 | LIC_FILES_CHKSUM = "file://DISCLAIMER;md5=071bd69cb78b18888ea5e3da5c3127fa" | ||
8 | PR ="r10" | ||
9 | |||
10 | |||
11 | PACKAGES = "${PN}-dbg libwrap libwrap-doc libwrap-dev libwrap-staticdev ${PN} ${PN}-doc" | ||
12 | FILES_libwrap = "${base_libdir}/lib*${SOLIBS}" | ||
13 | FILES_libwrap-doc = "${mandir}/man3 ${mandir}/man5" | ||
14 | FILES_libwrap-dev = "${libdir}/lib*${SOLIBSDEV} ${includedir}" | ||
15 | FILES_libwrap-staticdev = "${libdir}/lib*.a" | ||
16 | FILES_${PN} = "${sbindir}" | ||
17 | FILES_${PN}-doc = "${mandir}/man8" | ||
18 | |||
19 | SRC_URI = "ftp://ftp.porcupine.org/pub/security/tcp_wrappers_${PV}.tar.gz \ | ||
20 | file://00_man_quoting.diff \ | ||
21 | file://01_man_portability.patch \ | ||
22 | file://05_wildcard_matching.patch \ | ||
23 | file://06_fix_gethostbyname.patch \ | ||
24 | file://10_usagi-ipv6.patch \ | ||
25 | file://11_tcpd_blacklist.patch \ | ||
26 | file://11_usagi_fix.patch \ | ||
27 | file://12_makefile_config.patch \ | ||
28 | file://13_shlib_weaksym.patch \ | ||
29 | file://14_cidr_support.patch \ | ||
30 | file://15_match_clarify.patch \ | ||
31 | file://expand_remote_port.patch \ | ||
32 | file://have_strerror.patch \ | ||
33 | file://man_fromhost.patch \ | ||
34 | file://restore_sigalarm.patch \ | ||
35 | file://rfc931.diff \ | ||
36 | file://safe_finger.patch \ | ||
37 | file://sig_fix.patch \ | ||
38 | file://siglongjmp.patch \ | ||
39 | file://socklen_t.patch \ | ||
40 | file://tcpdchk_libwrapped.patch \ | ||
41 | file://ldflags.patch \ | ||
42 | file://rename_strings_variable.patch \ | ||
43 | \ | ||
44 | file://try-from.8 \ | ||
45 | file://safe_finger.8" | ||
46 | |||
47 | SRC_URI[md5sum] = "e6fa25f71226d090f34de3f6b122fb5a" | ||
48 | SRC_URI[sha256sum] = "9543d7adedf78a6de0b221ccbbd1952e08b5138717f4ade814039bb489a4315d" | ||
49 | |||
50 | S = "${WORKDIR}/tcp_wrappers_${PV}" | ||
51 | |||
52 | PARALLEL_MAKE = "" | ||
53 | EXTRA_OEMAKE = "'CC=${CC}' \ | ||
54 | 'AR=${AR}' \ | ||
55 | 'RANLIB=${RANLIB}' \ | ||
56 | 'REAL_DAEMON_DIR=${sbindir}' \ | ||
57 | 'STYLE=-DPROCESS_OPTIONS' \ | ||
58 | 'FACILITY=LOG_DAEMON' \ | ||
59 | 'SEVERITY=LOG_INFO' \ | ||
60 | 'BUGS=' \ | ||
61 | 'VSYSLOG=' \ | ||
62 | 'RFC931_TIMEOUT=10' \ | ||
63 | 'ACCESS=-DHOSTS_ACCESS' \ | ||
64 | 'KILL_OPT=-DKILL_IP_OPTIONS' \ | ||
65 | 'UMASK=-DDAEMON_UMASK=022' \ | ||
66 | 'NETGROUP=${EXTRA_OEMAKE_NETGROUP}' \ | ||
67 | 'LIBS=-lnsl' \ | ||
68 | 'ARFLAGS=rv' \ | ||
69 | 'AUX_OBJ=weak_symbols.o' \ | ||
70 | 'TLI=' \ | ||
71 | 'COPTS=' \ | ||
72 | 'EXTRA_CFLAGS=${CFLAGS} -DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len'" | ||
73 | |||
74 | EXTRA_OEMAKE_NETGROUP = "-DNETGROUP -DUSE_GETDOMAIN" | ||
75 | EXTRA_OEMAKE_NETGROUP_libc-uclibc = "-DUSE_GETDOMAIN" | ||
76 | |||
77 | do_compile () { | ||
78 | oe_runmake 'TABLES=-DHOSTS_DENY=\"${sysconfdir}/hosts.deny\" -DHOSTS_ALLOW=\"${sysconfdir}/hosts.allow\"' \ | ||
79 | all | ||
80 | } | ||
81 | |||
82 | BINS = "safe_finger tcpd tcpdchk try-from tcpdmatch" | ||
83 | MANS3 = "hosts_access" | ||
84 | MANS5 = "hosts_options" | ||
85 | MANS8 = "tcpd tcpdchk tcpdmatch" | ||
86 | do_install () { | ||
87 | oe_libinstall -a libwrap ${D}${libdir} | ||
88 | oe_libinstall -C shared -so libwrap ${D}${base_libdir} | ||
89 | |||
90 | if [ "${libdir}" != "${base_libdir}" ] ; then | ||
91 | rel_lib_prefix=`echo ${libdir} | sed 's,\(^/\|\)[^/][^/]*,..,g'` | ||
92 | libname=`readlink ${D}${base_libdir}/libwrap.so | xargs basename` | ||
93 | ln -s ${rel_lib_prefix}${base_libdir}/${libname} ${D}${libdir}/libwrap.so | ||
94 | rm -f ${D}${base_libdir}/libwrap.so | ||
95 | fi | ||
96 | |||
97 | install -d ${D}${sbindir} | ||
98 | for b in ${BINS}; do | ||
99 | install -m 0755 $b ${D}${sbindir}/ || exit 1 | ||
100 | done | ||
101 | |||
102 | install -d ${D}${mandir}/man3 | ||
103 | for m in ${MANS3}; do | ||
104 | install -m 0644 $m.3 ${D}${mandir}/man3/ || exit 1 | ||
105 | done | ||
106 | |||
107 | install -d ${D}${mandir}/man5 | ||
108 | for m in ${MANS5}; do | ||
109 | install -m 0644 $m.5 ${D}${mandir}/man5/ || exit 1 | ||
110 | done | ||
111 | |||
112 | install -d ${D}${mandir}/man8 | ||
113 | for m in ${MANS8}; do | ||
114 | install -m 0644 $m.8 ${D}${mandir}/man8/ || exit 1 | ||
115 | done | ||
116 | |||
117 | install -m 0644 ${WORKDIR}/try-from.8 ${D}${mandir}/man8/ | ||
118 | install -m 0644 ${WORKDIR}/safe_finger.8 ${D}${mandir}/man8/ | ||
119 | |||
120 | install -d ${D}${includedir} | ||
121 | install -m 0644 tcpd.h ${D}${includedir}/ | ||
122 | |||
123 | install -d ${D}${sysconfdir} | ||
124 | touch ${D}${sysconfdir}/hosts.allow | ||
125 | touch ${D}${sysconfdir}/hosts.deny | ||
126 | } | ||
127 | |||
128 | FILES_${PN} += "${sysconfdir}/hosts.allow ${sysconfdir}/hosts.deny" | ||