diff options
Diffstat (limited to 'meta/recipes-extended/tcp-wrappers')
25 files changed, 2900 insertions, 0 deletions
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/00_man_quoting.diff b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/00_man_quoting.diff new file mode 100644 index 0000000000..ff60a843e4 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/00_man_quoting.diff | |||
@@ -0,0 +1,75 @@ | |||
1 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
2 | --- tcp_wrappers_7.6.orig/hosts_access.5 1995-01-30 19:51:47.000000000 +0100 | ||
3 | +++ tcp_wrappers_7.6/hosts_access.5 2004-04-09 16:59:45.000000000 +0200 | ||
4 | @@ -173,7 +173,7 @@ | ||
5 | Patterns like these can be used when the machine has different internet | ||
6 | addresses with different internet hostnames. Service providers can use | ||
7 | this facility to offer FTP, GOPHER or WWW archives with internet names | ||
8 | -that may even belong to different organizations. See also the `twist' | ||
9 | +that may even belong to different organizations. See also the `twist\' | ||
10 | option in the hosts_options(5) document. Some systems (Solaris, | ||
11 | FreeBSD) can have more than one internet address on one physical | ||
12 | interface; with other systems you may have to resort to SLIP or PPP | ||
13 | @@ -236,10 +236,10 @@ | ||
14 | Before accepting a client request, the wrappers can use the IDENT | ||
15 | service to find out that the client did not send the request at all. | ||
16 | When the client host provides IDENT service, a negative IDENT lookup | ||
17 | -result (the client matches `UNKNOWN@host') is strong evidence of a host | ||
18 | +result (the client matches `UNKNOWN@host\') is strong evidence of a host | ||
19 | spoofing attack. | ||
20 | .PP | ||
21 | -A positive IDENT lookup result (the client matches `KNOWN@host') is | ||
22 | +A positive IDENT lookup result (the client matches `KNOWN@host\') is | ||
23 | less trustworthy. It is possible for an intruder to spoof both the | ||
24 | client connection and the IDENT lookup, although doing so is much | ||
25 | harder than spoofing just a client connection. It may also be that | ||
26 | diff -ruN tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5 | ||
27 | --- tcp_wrappers_7.6.orig/hosts_options.5 1994-12-28 17:42:29.000000000 +0100 | ||
28 | +++ tcp_wrappers_7.6/hosts_options.5 2004-04-09 16:59:49.000000000 +0200 | ||
29 | @@ -124,7 +124,7 @@ | ||
30 | value is taken. | ||
31 | .SH MISCELLANEOUS | ||
32 | .IP "banners /some/directory" | ||
33 | -Look for a file in `/some/directory' with the same name as the daemon | ||
34 | +Look for a file in `/some/directory\' with the same name as the daemon | ||
35 | process (for example in.telnetd for the telnet service), and copy its | ||
36 | contents to the client. Newline characters are replaced by | ||
37 | carriage-return newline, and %<letter> sequences are expanded (see | ||
38 | diff -ruN tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8 | ||
39 | --- tcp_wrappers_7.6.orig/tcpdmatch.8 1996-02-11 17:01:36.000000000 +0100 | ||
40 | +++ tcp_wrappers_7.6/tcpdmatch.8 2004-04-09 17:00:49.000000000 +0200 | ||
41 | @@ -26,7 +26,7 @@ | ||
42 | A daemon process name. Typically, the last component of a daemon | ||
43 | executable pathname. | ||
44 | .IP client | ||
45 | -A host name or network address, or one of the `unknown' or `paranoid' | ||
46 | +A host name or network address, or one of the `unknown\' or `paranoid\' | ||
47 | wildcard patterns. | ||
48 | .sp | ||
49 | When a client host name is specified, \fItcpdmatch\fR gives a | ||
50 | @@ -37,13 +37,13 @@ | ||
51 | .PP | ||
52 | Optional information specified with the \fIdaemon@server\fR form: | ||
53 | .IP server | ||
54 | -A host name or network address, or one of the `unknown' or `paranoid' | ||
55 | -wildcard patterns. The default server name is `unknown'. | ||
56 | +A host name or network address, or one of the `unknown\' or `paranoid\' | ||
57 | +wildcard patterns. The default server name is `unknown\'. | ||
58 | .PP | ||
59 | Optional information specified with the \fIuser@client\fR form: | ||
60 | .IP user | ||
61 | A client user identifier. Typically, a login name or a numeric userid. | ||
62 | -The default user name is `unknown'. | ||
63 | +The default user name is `unknown\'. | ||
64 | .SH OPTIONS | ||
65 | .IP -d | ||
66 | Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current | ||
67 | @@ -70,7 +70,7 @@ | ||
68 | .ti +5 | ||
69 | tcpdmatch in.telnetd paranoid | ||
70 | .PP | ||
71 | -On some systems, daemon names have no `in.' prefix, or \fItcpdmatch\fR | ||
72 | +On some systems, daemon names have no `in.\' prefix, or \fItcpdmatch\fR | ||
73 | may need some help to locate the inetd configuration file. | ||
74 | .SH FILES | ||
75 | .PP | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch new file mode 100644 index 0000000000..4963f82eb8 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch | |||
@@ -0,0 +1,248 @@ | |||
1 | diff -ruNp tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3 | ||
2 | --- tcp_wrappers_7.6.orig/hosts_access.3 2005-03-09 18:30:25.000000000 +0100 | ||
3 | +++ tcp_wrappers_7.6/hosts_access.3 2005-03-09 18:27:03.000000000 +0100 | ||
4 | @@ -3,7 +3,7 @@ | ||
5 | hosts_access, hosts_ctl, request_init, request_set \- access control library | ||
6 | .SH SYNOPSIS | ||
7 | .nf | ||
8 | -#include "tcpd.h" | ||
9 | +#include <tcpd.h> | ||
10 | |||
11 | extern int allow_severity; | ||
12 | extern int deny_severity; | ||
13 | diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
14 | --- tcp_wrappers_7.6.orig/hosts_access.5 2005-03-09 18:30:25.000000000 +0100 | ||
15 | +++ tcp_wrappers_7.6/hosts_access.5 2005-03-09 18:30:18.000000000 +0100 | ||
16 | @@ -8,9 +8,9 @@ name, host name/address) patterns. Exam | ||
17 | impatient reader is encouraged to skip to the EXAMPLES section for a | ||
18 | quick introduction. | ||
19 | .PP | ||
20 | -An extended version of the access control language is described in the | ||
21 | -\fIhosts_options\fR(5) document. The extensions are turned on at | ||
22 | -program build time by building with -DPROCESS_OPTIONS. | ||
23 | +The extended version of the access control language is described in the | ||
24 | +\fIhosts_options\fR(5) document. \fBNote that this language supersedes | ||
25 | +the meaning of \fIshell_command\fB as documented below.\fR | ||
26 | .PP | ||
27 | In the following text, \fIdaemon\fR is the the process name of a | ||
28 | network daemon process, and \fIclient\fR is the name and/or address of | ||
29 | @@ -346,8 +346,8 @@ in.tftpd: LOCAL, .my.domain | ||
30 | /etc/hosts.deny: | ||
31 | .in +3 | ||
32 | .nf | ||
33 | -in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\ | ||
34 | - /usr/ucb/mail -s %d-%h root) & | ||
35 | +in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\ | ||
36 | + /usr/bin/mail -s %d-%h root) & | ||
37 | .fi | ||
38 | .PP | ||
39 | The safe_finger command comes with the tcpd wrapper and should be | ||
40 | @@ -383,6 +383,7 @@ that shouldn\'t. All problems are repor | ||
41 | .fi | ||
42 | .SH SEE ALSO | ||
43 | .nf | ||
44 | +hosts_options(5) extended syntax. | ||
45 | tcpd(8) tcp/ip daemon wrapper program. | ||
46 | tcpdchk(8), tcpdmatch(8), test programs. | ||
47 | .SH BUGS | ||
48 | diff -ruNp tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5 | ||
49 | --- tcp_wrappers_7.6.orig/hosts_options.5 2005-03-09 18:30:24.000000000 +0100 | ||
50 | +++ tcp_wrappers_7.6/hosts_options.5 2005-03-09 18:27:03.000000000 +0100 | ||
51 | @@ -2,10 +2,8 @@ | ||
52 | .SH NAME | ||
53 | hosts_options \- host access control language extensions | ||
54 | .SH DESCRIPTION | ||
55 | -This document describes optional extensions to the language described | ||
56 | -in the hosts_access(5) document. The extensions are enabled at program | ||
57 | -build time. For example, by editing the Makefile and turning on the | ||
58 | -PROCESS_OPTIONS compile-time option. | ||
59 | +This document describes extensions to the language described | ||
60 | +in the hosts_access(5) document. | ||
61 | .PP | ||
62 | The extensible language uses the following format: | ||
63 | .sp | ||
64 | @@ -58,12 +56,12 @@ Notice the leading dot on the domain nam | ||
65 | Execute, in a child process, the specified shell command, after | ||
66 | performing the %<letter> expansions described in the hosts_access(5) | ||
67 | manual page. The command is executed with stdin, stdout and stderr | ||
68 | -connected to the null device, so that it won\'t mess up the | ||
69 | +connected to the null device, so that it won't mess up the | ||
70 | conversation with the client host. Example: | ||
71 | .sp | ||
72 | .nf | ||
73 | .ti +3 | ||
74 | -spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) & | ||
75 | +spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) & | ||
76 | .fi | ||
77 | .sp | ||
78 | executes, in a background child process, the shell command "safe_finger | ||
79 | diff -ruNp tcp_wrappers_7.6.orig/inetcf.c tcp_wrappers_7.6/inetcf.c | ||
80 | --- tcp_wrappers_7.6.orig/inetcf.c 1997-02-12 02:13:24.000000000 +0100 | ||
81 | +++ tcp_wrappers_7.6/inetcf.c 2005-03-09 18:27:03.000000000 +0100 | ||
82 | @@ -26,13 +26,17 @@ extern void exit(); | ||
83 | * guesses. Shorter names follow longer ones. | ||
84 | */ | ||
85 | char *inet_files[] = { | ||
86 | +#if 0 | ||
87 | "/private/etc/inetd.conf", /* NEXT */ | ||
88 | "/etc/inet/inetd.conf", /* SYSV4 */ | ||
89 | "/usr/etc/inetd.conf", /* IRIX?? */ | ||
90 | +#endif | ||
91 | "/etc/inetd.conf", /* BSD */ | ||
92 | +#if 0 | ||
93 | "/etc/net/tlid.conf", /* SYSV4?? */ | ||
94 | "/etc/saf/tlid.conf", /* SYSV4?? */ | ||
95 | "/etc/tlid.conf", /* SYSV4?? */ | ||
96 | +#endif | ||
97 | 0, | ||
98 | }; | ||
99 | |||
100 | diff -ruNp tcp_wrappers_7.6.orig/tcpd.8 tcp_wrappers_7.6/tcpd.8 | ||
101 | --- tcp_wrappers_7.6.orig/tcpd.8 1996-02-21 16:39:16.000000000 +0100 | ||
102 | +++ tcp_wrappers_7.6/tcpd.8 2005-03-09 18:27:03.000000000 +0100 | ||
103 | @@ -12,7 +12,11 @@ The program supports both 4.3BSD-style s | ||
104 | TLI. Functionality may be limited when the protocol underneath TLI is | ||
105 | not an internet protocol. | ||
106 | .PP | ||
107 | -Operation is as follows: whenever a request for service arrives, the | ||
108 | +There are two possible modes of operation: execution of \fItcpd\fP | ||
109 | +before a service started by \fIinetd\fP, or linking a daemon with | ||
110 | +the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3) | ||
111 | +manual page. Operation when started by \fIinetd\fP | ||
112 | +is as follows: whenever a request for service arrives, the | ||
113 | \fIinetd\fP daemon is tricked into running the \fItcpd\fP program | ||
114 | instead of the desired server. \fItcpd\fP logs the request and does | ||
115 | some additional checks. When all is well, \fItcpd\fP runs the | ||
116 | @@ -88,11 +92,11 @@ configuration files. | ||
117 | .sp | ||
118 | .in +5 | ||
119 | # mkdir /other/place | ||
120 | -# mv /usr/etc/in.fingerd /other/place | ||
121 | -# cp tcpd /usr/etc/in.fingerd | ||
122 | +# mv /usr/sbin/in.fingerd /other/place | ||
123 | +# cp tcpd /usr/sbin/in.fingerd | ||
124 | .fi | ||
125 | .PP | ||
126 | -The example assumes that the network daemons live in /usr/etc. On some | ||
127 | +The example assumes that the network daemons live in /usr/sbin. On some | ||
128 | systems, network daemons live in /usr/sbin or in /usr/libexec, or have | ||
129 | no `in.\' prefix to their name. | ||
130 | .SH EXAMPLE 2 | ||
131 | @@ -101,35 +105,34 @@ are left in their original place. | ||
132 | .PP | ||
133 | In order to monitor access to the \fIfinger\fR service, perform the | ||
134 | following edits on the \fIinetd\fR configuration file (usually | ||
135 | -\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR): | ||
136 | +\fI/etc/inetd.conf\fR): | ||
137 | .nf | ||
138 | .sp | ||
139 | .ti +5 | ||
140 | -finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd | ||
141 | +finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd | ||
142 | .sp | ||
143 | becomes: | ||
144 | .sp | ||
145 | .ti +5 | ||
146 | -finger stream tcp nowait nobody /some/where/tcpd in.fingerd | ||
147 | +finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd | ||
148 | .sp | ||
149 | .fi | ||
150 | .PP | ||
151 | -The example assumes that the network daemons live in /usr/etc. On some | ||
152 | +The example assumes that the network daemons live in /usr/sbin. On some | ||
153 | systems, network daemons live in /usr/sbin or in /usr/libexec, the | ||
154 | daemons have no `in.\' prefix to their name, or there is no userid | ||
155 | field in the inetd configuration file. | ||
156 | .PP | ||
157 | Similar changes will be needed for the other services that are to be | ||
158 | covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8) | ||
159 | -process to make the changes effective. AIX users may also have to | ||
160 | -execute the `inetimp\' command. | ||
161 | +process to make the changes effective. | ||
162 | .SH EXAMPLE 3 | ||
163 | In the case of daemons that do not live in a common directory ("secret" | ||
164 | or otherwise), edit the \fIinetd\fR configuration file so that it | ||
165 | specifies an absolute path name for the process name field. For example: | ||
166 | .nf | ||
167 | .sp | ||
168 | - ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd | ||
169 | + ntalk dgram udp wait root /usr/sbin/tcpd /usr/local/lib/ntalkd | ||
170 | .sp | ||
171 | .fi | ||
172 | .PP | ||
173 | @@ -164,6 +167,7 @@ The default locations of the host access | ||
174 | .SH SEE ALSO | ||
175 | .na | ||
176 | .nf | ||
177 | +hosts_access(3), functions provided by the libwrap library. | ||
178 | hosts_access(5), format of the tcpd access control tables. | ||
179 | syslog.conf(5), format of the syslogd control file. | ||
180 | inetd.conf(5), format of the inetd control file. | ||
181 | diff -ruNp tcp_wrappers_7.6.orig/tcpdchk.8 tcp_wrappers_7.6/tcpdchk.8 | ||
182 | --- tcp_wrappers_7.6.orig/tcpdchk.8 1995-01-08 17:00:31.000000000 +0100 | ||
183 | +++ tcp_wrappers_7.6/tcpdchk.8 2005-03-09 18:27:03.000000000 +0100 | ||
184 | @@ -9,8 +9,8 @@ tcpdchk [-a] [-d] [-i inet_conf] [-v] | ||
185 | potential and real problems it can find. The program examines the | ||
186 | \fItcpd\fR access control files (by default, these are | ||
187 | \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the | ||
188 | -entries in these files against entries in the \fIinetd\fR or \fItlid\fR | ||
189 | -network configuration files. | ||
190 | +entries in these files against entries in the \fIinetd\fR | ||
191 | +network configuration file. | ||
192 | .PP | ||
193 | \fItcpdchk\fR reports problems such as non-existent pathnames; services | ||
194 | that appear in \fItcpd\fR access control rules, but are not controlled | ||
195 | @@ -26,14 +26,13 @@ problem. | ||
196 | .SH OPTIONS | ||
197 | .IP -a | ||
198 | Report access control rules that permit access without an explicit | ||
199 | -ALLOW keyword. This applies only when the extended access control | ||
200 | -language is enabled (build with -DPROCESS_OPTIONS). | ||
201 | +ALLOW keyword. | ||
202 | .IP -d | ||
203 | Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current | ||
204 | directory instead of the default ones. | ||
205 | .IP "-i inet_conf" | ||
206 | Specify this option when \fItcpdchk\fR is unable to find your | ||
207 | -\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when | ||
208 | +\fIinetd.conf\fR network configuration file, or when | ||
209 | you suspect that the program uses the wrong one. | ||
210 | .IP -v | ||
211 | Display the contents of each access control rule. Daemon lists, client | ||
212 | @@ -54,7 +53,6 @@ tcpdmatch(8), explain what tcpd would do | ||
213 | hosts_access(5), format of the tcpd access control tables. | ||
214 | hosts_options(5), format of the language extensions. | ||
215 | inetd.conf(5), format of the inetd control file. | ||
216 | -tlid.conf(5), format of the tlid control file. | ||
217 | .SH AUTHORS | ||
218 | .na | ||
219 | .nf | ||
220 | diff -ruNp tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8 | ||
221 | --- tcp_wrappers_7.6.orig/tcpdmatch.8 2005-03-09 18:30:24.000000000 +0100 | ||
222 | +++ tcp_wrappers_7.6/tcpdmatch.8 2005-03-09 18:27:03.000000000 +0100 | ||
223 | @@ -13,7 +13,7 @@ request for service. Examples are given | ||
224 | The program examines the \fItcpd\fR access control tables (default | ||
225 | \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR) and prints its | ||
226 | conclusion. For maximal accuracy, it extracts additional information | ||
227 | -from your \fIinetd\fR or \fItlid\fR network configuration file. | ||
228 | +from your \fIinetd\fR network configuration file. | ||
229 | .PP | ||
230 | When \fItcpdmatch\fR finds a match in the access control tables, it | ||
231 | identifies the matched rule. In addition, it displays the optional | ||
232 | @@ -50,7 +50,7 @@ Examine \fIhosts.allow\fR and \fIhosts.d | ||
233 | directory instead of the default ones. | ||
234 | .IP "-i inet_conf" | ||
235 | Specify this option when \fItcpdmatch\fR is unable to find your | ||
236 | -\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when | ||
237 | +\fIinetd.conf\fR network configuration file, or when | ||
238 | you suspect that the program uses the wrong one. | ||
239 | .SH EXAMPLES | ||
240 | To predict how \fItcpd\fR would handle a telnet request from the local | ||
241 | @@ -86,7 +86,6 @@ tcpdchk(8), tcpd configuration checker | ||
242 | hosts_access(5), format of the tcpd access control tables. | ||
243 | hosts_options(5), format of the language extensions. | ||
244 | inetd.conf(5), format of the inetd control file. | ||
245 | -tlid.conf(5), format of the tlid control file. | ||
246 | .SH AUTHORS | ||
247 | .na | ||
248 | .nf | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch new file mode 100644 index 0000000000..a168f6d5a5 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch | |||
@@ -0,0 +1,103 @@ | |||
1 | See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17847 | ||
2 | |||
3 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
4 | --- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 18:54:33.000000000 +0200 | ||
5 | +++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 18:54:27.000000000 +0200 | ||
6 | @@ -89,6 +89,10 @@ | ||
7 | bitwise AND of the address and the `mask\'. For example, the net/mask | ||
8 | pattern `131.155.72.0/255.255.254.0\' matches every address in the | ||
9 | range `131.155.72.0\' through `131.155.73.255\'. | ||
10 | +.IP \(bu | ||
11 | +Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This | ||
12 | +method of matching cannot be used in conjunction with `net/mask\' matching, | ||
13 | +hostname matching beginning with `.\' or IP address matching ending with `.\'. | ||
14 | .SH WILDCARDS | ||
15 | The access control language supports explicit wildcards: | ||
16 | .IP ALL | ||
17 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c | ||
18 | --- tcp_wrappers_7.6.orig/hosts_access.c 1997-02-12 02:13:23.000000000 +0100 | ||
19 | +++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 18:52:21.000000000 +0200 | ||
20 | @@ -289,6 +289,11 @@ | ||
21 | { | ||
22 | int n; | ||
23 | |||
24 | +#ifndef DISABLE_WILDCARD_MATCHING | ||
25 | + if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */ | ||
26 | + return (match_pattern_ylo(string,tok)); | ||
27 | + } else | ||
28 | +#endif | ||
29 | if (tok[0] == '.') { /* suffix */ | ||
30 | n = strlen(string) - strlen(tok); | ||
31 | return (n > 0 && STR_EQ(tok, string + n)); | ||
32 | @@ -329,3 +334,71 @@ | ||
33 | } | ||
34 | return ((addr & mask) == net); | ||
35 | } | ||
36 | + | ||
37 | +#ifndef DISABLE_WILDCARD_MATCHING | ||
38 | +/* Note: this feature has been adapted in a pretty straightforward way | ||
39 | + from Tatu Ylonen's last SSH version under free license by | ||
40 | + Pekka Savola <pekkas@netcore.fi>. | ||
41 | + | ||
42 | + Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
43 | +*/ | ||
44 | + | ||
45 | +/* Returns true if the given string matches the pattern (which may contain | ||
46 | + ? and * as wildcards), and zero if it does not match. */ | ||
47 | + | ||
48 | +int match_pattern_ylo(const char *s, const char *pattern) | ||
49 | +{ | ||
50 | + while (1) | ||
51 | + { | ||
52 | + /* If at end of pattern, accept if also at end of string. */ | ||
53 | + if (!*pattern) | ||
54 | + return !*s; | ||
55 | + | ||
56 | + /* Process '*'. */ | ||
57 | + if (*pattern == '*') | ||
58 | + { | ||
59 | + /* Skip the asterisk. */ | ||
60 | + pattern++; | ||
61 | + | ||
62 | + /* If at end of pattern, accept immediately. */ | ||
63 | + if (!*pattern) | ||
64 | + return 1; | ||
65 | + | ||
66 | + /* If next character in pattern is known, optimize. */ | ||
67 | + if (*pattern != '?' && *pattern != '*') | ||
68 | + { | ||
69 | + /* Look instances of the next character in pattern, and try | ||
70 | + to match starting from those. */ | ||
71 | + for (; *s; s++) | ||
72 | + if (*s == *pattern && | ||
73 | + match_pattern_ylo(s + 1, pattern + 1)) | ||
74 | + return 1; | ||
75 | + /* Failed. */ | ||
76 | + return 0; | ||
77 | + } | ||
78 | + | ||
79 | + /* Move ahead one character at a time and try to match at each | ||
80 | + position. */ | ||
81 | + for (; *s; s++) | ||
82 | + if (match_pattern_ylo(s, pattern)) | ||
83 | + return 1; | ||
84 | + /* Failed. */ | ||
85 | + return 0; | ||
86 | + } | ||
87 | + | ||
88 | + /* There must be at least one more character in the string. If we are | ||
89 | + at the end, fail. */ | ||
90 | + if (!*s) | ||
91 | + return 0; | ||
92 | + | ||
93 | + /* Check if the next character of the string is acceptable. */ | ||
94 | + if (*pattern != '?' && *pattern != *s) | ||
95 | + return 0; | ||
96 | + | ||
97 | + /* Move to the next character, both in string and in pattern. */ | ||
98 | + s++; | ||
99 | + pattern++; | ||
100 | + } | ||
101 | + /*NOTREACHED*/ | ||
102 | +} | ||
103 | +#endif /* DISABLE_WILDCARD_MATCHING */ | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch new file mode 100644 index 0000000000..d06aaef13b --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | * Mon Feb 5 2001 Preston Brown <pbrown@redhat.com> | ||
2 | - fix gethostbyname to work better with dot "." notation (#16949) | ||
3 | |||
4 | --- tcp_wrappers_7.6/socket.c.fixgethostbyname Fri Mar 21 13:27:25 1997 | ||
5 | +++ tcp_wrappers_7.6/socket.c Mon Feb 5 14:09:40 2001 | ||
6 | @@ -52,7 +52,8 @@ | ||
7 | char *name; | ||
8 | { | ||
9 | char dot_name[MAXHOSTNAMELEN + 1]; | ||
10 | - | ||
11 | + struct hostent *hp; | ||
12 | + | ||
13 | /* | ||
14 | * Don't append dots to unqualified names. Such names are likely to come | ||
15 | * from local hosts files or from NIS. | ||
16 | @@ -61,8 +62,12 @@ | ||
17 | if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) { | ||
18 | return (gethostbyname(name)); | ||
19 | } else { | ||
20 | - sprintf(dot_name, "%s.", name); | ||
21 | - return (gethostbyname(dot_name)); | ||
22 | + sprintf(dot_name, "%s.", name); | ||
23 | + hp = gethostbyname(dot_name); | ||
24 | + if (hp) | ||
25 | + return hp; | ||
26 | + else | ||
27 | + return (gethostbyname(name)); | ||
28 | } | ||
29 | } | ||
30 | |||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6.patch new file mode 100644 index 0000000000..5c8be5c27c --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6.patch | |||
@@ -0,0 +1,1253 @@ | |||
1 | diff -ruN tcp_wrappers_7.6.orig/fix_options.c tcp_wrappers_7.6/fix_options.c | ||
2 | --- tcp_wrappers_7.6.orig/fix_options.c 1997-04-08 02:29:19.000000000 +0200 | ||
3 | +++ tcp_wrappers_7.6/fix_options.c 2004-04-10 19:07:43.000000000 +0200 | ||
4 | @@ -11,6 +11,9 @@ | ||
5 | |||
6 | #include <sys/types.h> | ||
7 | #include <sys/param.h> | ||
8 | +#ifdef INET6 | ||
9 | +#include <sys/socket.h> | ||
10 | +#endif | ||
11 | #include <netinet/in.h> | ||
12 | #include <netinet/in_systm.h> | ||
13 | #include <netinet/ip.h> | ||
14 | @@ -41,6 +44,22 @@ | ||
15 | unsigned int opt; | ||
16 | int optlen; | ||
17 | struct in_addr dummy; | ||
18 | +#ifdef INET6 | ||
19 | + struct sockaddr_storage ss; | ||
20 | + int sslen; | ||
21 | + | ||
22 | + /* | ||
23 | + * check if this is AF_INET socket | ||
24 | + * XXX IPv6 support? | ||
25 | + */ | ||
26 | + sslen = sizeof(ss); | ||
27 | + if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) { | ||
28 | + syslog(LOG_ERR, "getpeername: %m"); | ||
29 | + clean_exit(request); | ||
30 | + } | ||
31 | + if (ss.ss_family != AF_INET) | ||
32 | + return; | ||
33 | +#endif | ||
34 | |||
35 | if ((ip = getprotobyname("ip")) != 0) | ||
36 | ipproto = ip->p_proto; | ||
37 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
38 | --- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:22:58.000000000 +0200 | ||
39 | +++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:07:43.000000000 +0200 | ||
40 | @@ -85,11 +85,18 @@ | ||
41 | for daemon process names or for client user names. | ||
42 | .IP \(bu | ||
43 | An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a | ||
44 | -`net/mask\' pair. A host address is matched if `net\' is equal to the | ||
45 | +`net/mask\' pair. An IPv4 host address is matched if `net\' is equal to the | ||
46 | bitwise AND of the address and the `mask\'. For example, the net/mask | ||
47 | pattern `131.155.72.0/255.255.254.0\' matches every address in the | ||
48 | range `131.155.72.0\' through `131.155.73.255\'. | ||
49 | .IP \(bu | ||
50 | +An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a | ||
51 | +`[net]/prefixlen\' pair. An IPv6 host address is matched if | ||
52 | +`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the | ||
53 | +address. For example, the [net]/prefixlen pattern | ||
54 | +`[3ffe:505:2:1::]/64\' matches every address in the range | ||
55 | +`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'. | ||
56 | +.IP \(bu | ||
57 | Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This | ||
58 | method of matching cannot be used in conjunction with `net/mask\' matching, | ||
59 | hostname matching beginning with `.\' or IP address matching ending with `.\'. | ||
60 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c | ||
61 | --- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:22:58.000000000 +0200 | ||
62 | +++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:07:43.000000000 +0200 | ||
63 | @@ -24,7 +24,13 @@ | ||
64 | /* System libraries. */ | ||
65 | |||
66 | #include <sys/types.h> | ||
67 | +#ifdef INT32_T | ||
68 | + typedef uint32_t u_int32_t; | ||
69 | +#endif | ||
70 | #include <sys/param.h> | ||
71 | +#ifdef INET6 | ||
72 | +#include <sys/socket.h> | ||
73 | +#endif | ||
74 | #include <netinet/in.h> | ||
75 | #include <arpa/inet.h> | ||
76 | #include <stdio.h> | ||
77 | @@ -33,6 +39,9 @@ | ||
78 | #include <errno.h> | ||
79 | #include <setjmp.h> | ||
80 | #include <string.h> | ||
81 | +#ifdef INET6 | ||
82 | +#include <netdb.h> | ||
83 | +#endif | ||
84 | |||
85 | extern char *fgets(); | ||
86 | extern int errno; | ||
87 | @@ -82,6 +91,10 @@ | ||
88 | static int host_match(); | ||
89 | static int string_match(); | ||
90 | static int masked_match(); | ||
91 | +#ifdef INET6 | ||
92 | +static int masked_match4(); | ||
93 | +static int masked_match6(); | ||
94 | +#endif | ||
95 | |||
96 | /* Size of logical line buffer. */ | ||
97 | |||
98 | @@ -289,6 +302,13 @@ | ||
99 | { | ||
100 | int n; | ||
101 | |||
102 | +#ifdef INET6 | ||
103 | + /* convert IPv4 mapped IPv6 address to IPv4 address */ | ||
104 | + if (STRN_EQ(string, "::ffff:", 7) | ||
105 | + && dot_quad_addr(string + 7) != INADDR_NONE) { | ||
106 | + string += 7; | ||
107 | + } | ||
108 | +#endif | ||
109 | #ifndef DISABLE_WILDCARD_MATCHING | ||
110 | if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */ | ||
111 | return (match_pattern_ylo(string,tok)); | ||
112 | @@ -304,20 +324,72 @@ | ||
113 | } else if (tok[(n = strlen(tok)) - 1] == '.') { /* prefix */ | ||
114 | return (STRN_EQ(tok, string, n)); | ||
115 | } else { /* exact match */ | ||
116 | +#ifdef INET6 | ||
117 | + struct addrinfo hints, *res; | ||
118 | + struct sockaddr_in6 pat, addr; | ||
119 | + int len, ret; | ||
120 | + char ch; | ||
121 | + | ||
122 | + len = strlen(tok); | ||
123 | + if (*tok == '[' && tok[len - 1] == ']') { | ||
124 | + ch = tok[len - 1]; | ||
125 | + tok[len - 1] = '\0'; | ||
126 | + memset(&hints, 0, sizeof(hints)); | ||
127 | + hints.ai_family = AF_INET6; | ||
128 | + hints.ai_socktype = SOCK_STREAM; | ||
129 | + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; | ||
130 | + if ((ret = getaddrinfo(tok + 1, NULL, &hints, &res)) == 0) { | ||
131 | + memcpy(&pat, res->ai_addr, sizeof(pat)); | ||
132 | + freeaddrinfo(res); | ||
133 | + } | ||
134 | + tok[len - 1] = ch; | ||
135 | + if (ret != 0 || getaddrinfo(string, NULL, &hints, &res) != 0) | ||
136 | + return NO; | ||
137 | + memcpy(&addr, res->ai_addr, sizeof(addr)); | ||
138 | + freeaddrinfo(res); | ||
139 | +#ifdef NI_WITHSCOPEID | ||
140 | + if (pat.sin6_scope_id != 0 && | ||
141 | + addr.sin6_scope_id != pat.sin6_scope_id) | ||
142 | + return NO; | ||
143 | +#endif | ||
144 | + return (!memcmp(&pat.sin6_addr, &addr.sin6_addr, | ||
145 | + sizeof(struct in6_addr))); | ||
146 | + return (ret); | ||
147 | + } | ||
148 | +#endif | ||
149 | return (STR_EQ(tok, string)); | ||
150 | } | ||
151 | } | ||
152 | |||
153 | /* masked_match - match address against netnumber/netmask */ | ||
154 | |||
155 | +#ifdef INET6 | ||
156 | static int masked_match(net_tok, mask_tok, string) | ||
157 | char *net_tok; | ||
158 | char *mask_tok; | ||
159 | char *string; | ||
160 | { | ||
161 | + return (masked_match4(net_tok, mask_tok, string) || | ||
162 | + masked_match6(net_tok, mask_tok, string)); | ||
163 | +} | ||
164 | + | ||
165 | +static int masked_match4(net_tok, mask_tok, string) | ||
166 | +#else | ||
167 | +static int masked_match(net_tok, mask_tok, string) | ||
168 | +#endif | ||
169 | +char *net_tok; | ||
170 | +char *mask_tok; | ||
171 | +char *string; | ||
172 | +{ | ||
173 | +#ifdef INET6 | ||
174 | + u_int32_t net; | ||
175 | + u_int32_t mask; | ||
176 | + u_int32_t addr; | ||
177 | +#else | ||
178 | unsigned long net; | ||
179 | unsigned long mask; | ||
180 | unsigned long addr; | ||
181 | +#endif | ||
182 | |||
183 | /* | ||
184 | * Disallow forms other than dotted quad: the treatment that inet_addr() | ||
185 | @@ -329,12 +401,78 @@ | ||
186 | return (NO); | ||
187 | if ((net = dot_quad_addr(net_tok)) == INADDR_NONE | ||
188 | || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) { | ||
189 | +#ifndef INET6 | ||
190 | tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok); | ||
191 | +#endif | ||
192 | return (NO); /* not tcpd_jump() */ | ||
193 | } | ||
194 | return ((addr & mask) == net); | ||
195 | } | ||
196 | |||
197 | +#ifdef INET6 | ||
198 | +static int masked_match6(net_tok, mask_tok, string) | ||
199 | +char *net_tok; | ||
200 | +char *mask_tok; | ||
201 | +char *string; | ||
202 | +{ | ||
203 | + struct addrinfo hints, *res; | ||
204 | + struct sockaddr_in6 net, addr; | ||
205 | + u_int32_t mask; | ||
206 | + int len, mask_len, i = 0; | ||
207 | + char ch; | ||
208 | + | ||
209 | + memset(&hints, 0, sizeof(hints)); | ||
210 | + hints.ai_family = AF_INET6; | ||
211 | + hints.ai_socktype = SOCK_STREAM; | ||
212 | + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; | ||
213 | + if (getaddrinfo(string, NULL, &hints, &res) != 0) | ||
214 | + return NO; | ||
215 | + memcpy(&addr, res->ai_addr, sizeof(addr)); | ||
216 | + freeaddrinfo(res); | ||
217 | + | ||
218 | + if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)) { | ||
219 | + if ((*(u_int32_t *)&net.sin6_addr.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE | ||
220 | + || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) | ||
221 | + return (NO); | ||
222 | + return ((*(u_int32_t *)&addr.sin6_addr.s6_addr[12] & mask) == *(u_int32_t *)&net.sin6_addr.s6_addr[12]); | ||
223 | + } | ||
224 | + | ||
225 | + /* match IPv6 address against netnumber/prefixlen */ | ||
226 | + len = strlen(net_tok); | ||
227 | + if (*net_tok != '[' || net_tok[len - 1] != ']') | ||
228 | + return NO; | ||
229 | + ch = net_tok[len - 1]; | ||
230 | + net_tok[len - 1] = '\0'; | ||
231 | + if (getaddrinfo(net_tok + 1, NULL, &hints, &res) != 0) { | ||
232 | + net_tok[len - 1] = ch; | ||
233 | + return NO; | ||
234 | + } | ||
235 | + memcpy(&net, res->ai_addr, sizeof(net)); | ||
236 | + freeaddrinfo(res); | ||
237 | + net_tok[len - 1] = ch; | ||
238 | + if ((mask_len = atoi(mask_tok)) < 0 || mask_len > 128) | ||
239 | + return NO; | ||
240 | + | ||
241 | +#ifdef NI_WITHSCOPEID | ||
242 | + if (net.sin6_scope_id != 0 && addr.sin6_scope_id != net.sin6_scope_id) | ||
243 | + return NO; | ||
244 | +#endif | ||
245 | + while (mask_len > 0) { | ||
246 | + if (mask_len < 32) { | ||
247 | + mask = htonl(~(0xffffffff >> mask_len)); | ||
248 | + if ((*(u_int32_t *)&addr.sin6_addr.s6_addr[i] & mask) != (*(u_int32_t *)&net.sin6_addr.s6_addr[i] & mask)) | ||
249 | + return NO; | ||
250 | + break; | ||
251 | + } | ||
252 | + if (*(u_int32_t *)&addr.sin6_addr.s6_addr[i] != *(u_int32_t *)&net.sin6_addr.s6_addr[i]) | ||
253 | + return NO; | ||
254 | + i += 4; | ||
255 | + mask_len -= 32; | ||
256 | + } | ||
257 | + return YES; | ||
258 | +} | ||
259 | +#endif /* INET6 */ | ||
260 | + | ||
261 | #ifndef DISABLE_WILDCARD_MATCHING | ||
262 | /* Note: this feature has been adapted in a pretty straightforward way | ||
263 | from Tatu Ylonen's last SSH version under free license by | ||
264 | diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile | ||
265 | --- tcp_wrappers_7.6.orig/Makefile 1997-03-21 19:27:21.000000000 +0100 | ||
266 | +++ tcp_wrappers_7.6/Makefile 2004-04-10 19:22:44.000000000 +0200 | ||
267 | @@ -21,7 +21,7 @@ | ||
268 | @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix" | ||
269 | @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211" | ||
270 | @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4" | ||
271 | - @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" | ||
272 | + @echo " sunos40 sunos5 solaris8 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" | ||
273 | @echo " uts215 uxp" | ||
274 | @echo | ||
275 | @echo "If none of these match your environment, edit the system" | ||
276 | @@ -131,20 +131,34 @@ | ||
277 | NETGROUP=-DNETGROUP TLI= SYSTYPE="-systype bsd43" all | ||
278 | |||
279 | # Freebsd and linux by default have no NIS. | ||
280 | -386bsd netbsd bsdos: | ||
281 | +386bsd bsdos: | ||
282 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
283 | LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ | ||
284 | EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all | ||
285 | |||
286 | freebsd: | ||
287 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
288 | + LIBS="-L/usr/local/v6/lib -linet6" \ | ||
289 | LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ | ||
290 | - EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all | ||
291 | + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" \ | ||
292 | + VSYSLOG= all | ||
293 | + | ||
294 | +netbsd: | ||
295 | + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
296 | + LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ | ||
297 | + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" VSYSLOG= all | ||
298 | |||
299 | linux: | ||
300 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
301 | - LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \ | ||
302 | - NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all | ||
303 | + LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ | ||
304 | + NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \ | ||
305 | + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all | ||
306 | + | ||
307 | +gnu: | ||
308 | + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
309 | + LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ | ||
310 | + NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \ | ||
311 | + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR" all | ||
312 | |||
313 | # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x. | ||
314 | hpux hpux8 hpux9 hpux10: | ||
315 | @@ -196,6 +210,13 @@ | ||
316 | NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \ | ||
317 | BUGS="$(BUGS) -DSOLARIS_24_GETHOSTBYNAME_BUG" all | ||
318 | |||
319 | +# SunOS 5.8 is another SYSV4 variant, but has IPv6 support | ||
320 | +solaris8: | ||
321 | + @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
322 | + LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \ | ||
323 | + NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \ | ||
324 | + EXTRA_CFLAGS="-DINET6 -DNO_CLONE_DEVICE -DINT32_T" all | ||
325 | + | ||
326 | # Generic SYSV40 | ||
327 | esix sysv4: | ||
328 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
329 | diff -ruN tcp_wrappers_7.6.orig/misc.c tcp_wrappers_7.6/misc.c | ||
330 | --- tcp_wrappers_7.6.orig/misc.c 1996-02-11 17:01:30.000000000 +0100 | ||
331 | +++ tcp_wrappers_7.6/misc.c 2004-04-10 19:07:43.000000000 +0200 | ||
332 | @@ -58,9 +58,31 @@ | ||
333 | { | ||
334 | char *cp; | ||
335 | |||
336 | +#ifdef INET6 | ||
337 | + int bracket = 0; | ||
338 | + | ||
339 | + for (cp = string; cp && *cp; cp++) { | ||
340 | + switch (*cp) { | ||
341 | + case '[': | ||
342 | + bracket++; | ||
343 | + break; | ||
344 | + case ']': | ||
345 | + bracket--; | ||
346 | + break; | ||
347 | + default: | ||
348 | + if (bracket == 0 && *cp == delimiter) { | ||
349 | + *cp++ = 0; | ||
350 | + return cp; | ||
351 | + } | ||
352 | + break; | ||
353 | + } | ||
354 | + } | ||
355 | + return (NULL); | ||
356 | +#else | ||
357 | if ((cp = strchr(string, delimiter)) != 0) | ||
358 | *cp++ = 0; | ||
359 | return (cp); | ||
360 | +#endif | ||
361 | } | ||
362 | |||
363 | /* dot_quad_addr - convert dotted quad to internal form */ | ||
364 | diff -ruN tcp_wrappers_7.6.orig/refuse.c tcp_wrappers_7.6/refuse.c | ||
365 | --- tcp_wrappers_7.6.orig/refuse.c 1994-12-28 17:42:40.000000000 +0100 | ||
366 | +++ tcp_wrappers_7.6/refuse.c 2004-04-10 19:07:43.000000000 +0200 | ||
367 | @@ -25,7 +25,12 @@ | ||
368 | void refuse(request) | ||
369 | struct request_info *request; | ||
370 | { | ||
371 | +#ifdef INET6 | ||
372 | + syslog(deny_severity, "refused connect from %s (%s)", | ||
373 | + eval_client(request), eval_hostaddr(request->client)); | ||
374 | +#else | ||
375 | syslog(deny_severity, "refused connect from %s", eval_client(request)); | ||
376 | +#endif | ||
377 | clean_exit(request); | ||
378 | /* NOTREACHED */ | ||
379 | } | ||
380 | diff -ruN tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c | ||
381 | --- tcp_wrappers_7.6.orig/rfc931.c 1995-01-02 16:11:34.000000000 +0100 | ||
382 | +++ tcp_wrappers_7.6/rfc931.c 2004-04-10 19:07:43.000000000 +0200 | ||
383 | @@ -68,20 +68,50 @@ | ||
384 | /* rfc931 - return remote user name, given socket structures */ | ||
385 | |||
386 | void rfc931(rmt_sin, our_sin, dest) | ||
387 | +#ifdef INET6 | ||
388 | +struct sockaddr *rmt_sin; | ||
389 | +struct sockaddr *our_sin; | ||
390 | +#else | ||
391 | struct sockaddr_in *rmt_sin; | ||
392 | struct sockaddr_in *our_sin; | ||
393 | +#endif | ||
394 | char *dest; | ||
395 | { | ||
396 | unsigned rmt_port; | ||
397 | unsigned our_port; | ||
398 | +#ifdef INET6 | ||
399 | + struct sockaddr_storage rmt_query_sin; | ||
400 | + struct sockaddr_storage our_query_sin; | ||
401 | + int alen; | ||
402 | +#else | ||
403 | struct sockaddr_in rmt_query_sin; | ||
404 | struct sockaddr_in our_query_sin; | ||
405 | +#endif | ||
406 | char user[256]; /* XXX */ | ||
407 | char buffer[512]; /* XXX */ | ||
408 | char *cp; | ||
409 | char *result = unknown; | ||
410 | FILE *fp; | ||
411 | |||
412 | +#ifdef INET6 | ||
413 | + /* address family must be the same */ | ||
414 | + if (rmt_sin->sa_family != our_sin->sa_family) { | ||
415 | + STRN_CPY(dest, result, STRING_LENGTH); | ||
416 | + return; | ||
417 | + } | ||
418 | + switch (our_sin->sa_family) { | ||
419 | + case AF_INET: | ||
420 | + alen = sizeof(struct sockaddr_in); | ||
421 | + break; | ||
422 | + case AF_INET6: | ||
423 | + alen = sizeof(struct sockaddr_in6); | ||
424 | + break; | ||
425 | + default: | ||
426 | + STRN_CPY(dest, result, STRING_LENGTH); | ||
427 | + return; | ||
428 | + } | ||
429 | +#endif | ||
430 | + | ||
431 | /* | ||
432 | * Use one unbuffered stdio stream for writing to and for reading from | ||
433 | * the RFC931 etc. server. This is done because of a bug in the SunOS | ||
434 | @@ -92,7 +122,11 @@ | ||
435 | * sockets. | ||
436 | */ | ||
437 | |||
438 | +#ifdef INET6 | ||
439 | + if ((fp = fsocket(our_sin->sa_family, SOCK_STREAM, 0)) != 0) { | ||
440 | +#else | ||
441 | if ((fp = fsocket(AF_INET, SOCK_STREAM, 0)) != 0) { | ||
442 | +#endif | ||
443 | setbuf(fp, (char *) 0); | ||
444 | |||
445 | /* | ||
446 | @@ -112,6 +146,25 @@ | ||
447 | * addresses from the query socket. | ||
448 | */ | ||
449 | |||
450 | +#ifdef INET6 | ||
451 | + memcpy(&our_query_sin, our_sin, alen); | ||
452 | + memcpy(&rmt_query_sin, rmt_sin, alen); | ||
453 | + switch (our_sin->sa_family) { | ||
454 | + case AF_INET: | ||
455 | + ((struct sockaddr_in *)&our_query_sin)->sin_port = htons(ANY_PORT); | ||
456 | + ((struct sockaddr_in *)&rmt_query_sin)->sin_port = htons(RFC931_PORT); | ||
457 | + break; | ||
458 | + case AF_INET6: | ||
459 | + ((struct sockaddr_in6 *)&our_query_sin)->sin6_port = htons(ANY_PORT); | ||
460 | + ((struct sockaddr_in6 *)&rmt_query_sin)->sin6_port = htons(RFC931_PORT); | ||
461 | + break; | ||
462 | + } | ||
463 | + | ||
464 | + if (bind(fileno(fp), (struct sockaddr *) & our_query_sin, | ||
465 | + alen) >= 0 && | ||
466 | + connect(fileno(fp), (struct sockaddr *) & rmt_query_sin, | ||
467 | + alen) >= 0) { | ||
468 | +#else | ||
469 | our_query_sin = *our_sin; | ||
470 | our_query_sin.sin_port = htons(ANY_PORT); | ||
471 | rmt_query_sin = *rmt_sin; | ||
472 | @@ -121,6 +174,7 @@ | ||
473 | sizeof(our_query_sin)) >= 0 && | ||
474 | connect(fileno(fp), (struct sockaddr *) & rmt_query_sin, | ||
475 | sizeof(rmt_query_sin)) >= 0) { | ||
476 | +#endif | ||
477 | |||
478 | /* | ||
479 | * Send query to server. Neglect the risk that a 13-byte | ||
480 | @@ -129,8 +183,13 @@ | ||
481 | */ | ||
482 | |||
483 | fprintf(fp, "%u,%u\r\n", | ||
484 | +#ifdef INET6 | ||
485 | + ntohs(((struct sockaddr_in *)rmt_sin)->sin_port), | ||
486 | + ntohs(((struct sockaddr_in *)our_sin)->sin_port)); | ||
487 | +#else | ||
488 | ntohs(rmt_sin->sin_port), | ||
489 | ntohs(our_sin->sin_port)); | ||
490 | +#endif | ||
491 | fflush(fp); | ||
492 | |||
493 | /* | ||
494 | @@ -144,8 +203,13 @@ | ||
495 | && ferror(fp) == 0 && feof(fp) == 0 | ||
496 | && sscanf(buffer, "%u , %u : USERID :%*[^:]:%255s", | ||
497 | &rmt_port, &our_port, user) == 3 | ||
498 | +#ifdef INET6 | ||
499 | + && ntohs(((struct sockaddr_in *)rmt_sin)->sin_port) == rmt_port | ||
500 | + && ntohs(((struct sockaddr_in *)our_sin)->sin_port) == our_port) { | ||
501 | +#else | ||
502 | && ntohs(rmt_sin->sin_port) == rmt_port | ||
503 | && ntohs(our_sin->sin_port) == our_port) { | ||
504 | +#endif | ||
505 | |||
506 | /* | ||
507 | * Strip trailing carriage return. It is part of the | ||
508 | diff -ruN tcp_wrappers_7.6.orig/scaffold.c tcp_wrappers_7.6/scaffold.c | ||
509 | --- tcp_wrappers_7.6.orig/scaffold.c 1997-03-21 19:27:24.000000000 +0100 | ||
510 | +++ tcp_wrappers_7.6/scaffold.c 2004-04-10 19:07:43.000000000 +0200 | ||
511 | @@ -25,7 +25,9 @@ | ||
512 | #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ | ||
513 | #endif | ||
514 | |||
515 | +#ifndef INET6 | ||
516 | extern char *malloc(); | ||
517 | +#endif | ||
518 | |||
519 | /* Application-specific. */ | ||
520 | |||
521 | @@ -39,6 +41,7 @@ | ||
522 | int deny_severity = LOG_WARNING; | ||
523 | int rfc931_timeout = RFC931_TIMEOUT; | ||
524 | |||
525 | +#ifndef INET6 | ||
526 | /* dup_hostent - create hostent in one memory block */ | ||
527 | |||
528 | static struct hostent *dup_hostent(hp) | ||
529 | @@ -73,9 +76,46 @@ | ||
530 | } | ||
531 | return (&hb->host); | ||
532 | } | ||
533 | +#endif | ||
534 | |||
535 | /* find_inet_addr - find all addresses for this host, result to free() */ | ||
536 | |||
537 | +#ifdef INET6 | ||
538 | +struct addrinfo *find_inet_addr(host) | ||
539 | +char *host; | ||
540 | +{ | ||
541 | + struct addrinfo hints, *res; | ||
542 | + | ||
543 | + memset(&hints, 0, sizeof(hints)); | ||
544 | + hints.ai_family = PF_UNSPEC; | ||
545 | + hints.ai_socktype = SOCK_STREAM; | ||
546 | + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; | ||
547 | + if (getaddrinfo(host, NULL, &hints, &res) == 0) | ||
548 | + return (res); | ||
549 | + | ||
550 | + memset(&hints, 0, sizeof(hints)); | ||
551 | + hints.ai_family = PF_UNSPEC; | ||
552 | + hints.ai_socktype = SOCK_STREAM; | ||
553 | + hints.ai_flags = AI_PASSIVE | AI_CANONNAME; | ||
554 | + if (getaddrinfo(host, NULL, &hints, &res) != 0) { | ||
555 | + tcpd_warn("%s: host not found", host); | ||
556 | + return (0); | ||
557 | + } | ||
558 | + if (res->ai_family != AF_INET6 && res->ai_family != AF_INET) { | ||
559 | + tcpd_warn("%d: not an internet host", res->ai_family); | ||
560 | + freeaddrinfo(res); | ||
561 | + return (0); | ||
562 | + } | ||
563 | + if (!res->ai_canonname) { | ||
564 | + tcpd_warn("%s: hostname alias", host); | ||
565 | + tcpd_warn("(cannot obtain official name)", res->ai_canonname); | ||
566 | + } else if (STR_NE(host, res->ai_canonname)) { | ||
567 | + tcpd_warn("%s: hostname alias", host); | ||
568 | + tcpd_warn("(official name: %.*s)", STRING_LENGTH, res->ai_canonname); | ||
569 | + } | ||
570 | + return (res); | ||
571 | +} | ||
572 | +#else | ||
573 | struct hostent *find_inet_addr(host) | ||
574 | char *host; | ||
575 | { | ||
576 | @@ -118,6 +158,7 @@ | ||
577 | } | ||
578 | return (dup_hostent(hp)); | ||
579 | } | ||
580 | +#endif | ||
581 | |||
582 | /* check_dns - give each address thorough workout, return address count */ | ||
583 | |||
584 | @@ -125,8 +166,13 @@ | ||
585 | char *host; | ||
586 | { | ||
587 | struct request_info request; | ||
588 | +#ifdef INET6 | ||
589 | + struct sockaddr_storage sin; | ||
590 | + struct addrinfo *hp, *res; | ||
591 | +#else | ||
592 | struct sockaddr_in sin; | ||
593 | struct hostent *hp; | ||
594 | +#endif | ||
595 | int count; | ||
596 | char *addr; | ||
597 | |||
598 | @@ -134,11 +180,18 @@ | ||
599 | return (0); | ||
600 | request_init(&request, RQ_CLIENT_SIN, &sin, 0); | ||
601 | sock_methods(&request); | ||
602 | +#ifndef INET6 | ||
603 | memset((char *) &sin, 0, sizeof(sin)); | ||
604 | sin.sin_family = AF_INET; | ||
605 | +#endif | ||
606 | |||
607 | +#ifdef INET6 | ||
608 | + for (res = hp, count = 0; res; res = res->ai_next, count++) { | ||
609 | + memcpy(&sin, res->ai_addr, res->ai_addrlen); | ||
610 | +#else | ||
611 | for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { | ||
612 | memcpy((char *) &sin.sin_addr, addr, sizeof(sin.sin_addr)); | ||
613 | +#endif | ||
614 | |||
615 | /* | ||
616 | * Force host name and address conversions. Use the request structure | ||
617 | @@ -151,7 +204,11 @@ | ||
618 | tcpd_warn("host address %s->name lookup failed", | ||
619 | eval_hostaddr(request.client)); | ||
620 | } | ||
621 | +#ifdef INET6 | ||
622 | + freeaddrinfo(hp); | ||
623 | +#else | ||
624 | free((char *) hp); | ||
625 | +#endif | ||
626 | return (count); | ||
627 | } | ||
628 | |||
629 | diff -ruN tcp_wrappers_7.6.orig/scaffold.h tcp_wrappers_7.6/scaffold.h | ||
630 | --- tcp_wrappers_7.6.orig/scaffold.h 1994-12-31 18:19:20.000000000 +0100 | ||
631 | +++ tcp_wrappers_7.6/scaffold.h 2004-04-10 19:07:43.000000000 +0200 | ||
632 | @@ -4,6 +4,10 @@ | ||
633 | * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. | ||
634 | */ | ||
635 | |||
636 | +#ifdef INET6 | ||
637 | +extern struct addrinfo *find_inet_addr(); | ||
638 | +#else | ||
639 | extern struct hostent *find_inet_addr(); | ||
640 | +#endif | ||
641 | extern int check_dns(); | ||
642 | extern int check_path(); | ||
643 | diff -ruN tcp_wrappers_7.6.orig/socket.c tcp_wrappers_7.6/socket.c | ||
644 | --- tcp_wrappers_7.6.orig/socket.c 2004-04-10 19:22:58.000000000 +0200 | ||
645 | +++ tcp_wrappers_7.6/socket.c 2004-04-10 19:07:43.000000000 +0200 | ||
646 | @@ -24,13 +24,22 @@ | ||
647 | #include <sys/types.h> | ||
648 | #include <sys/param.h> | ||
649 | #include <sys/socket.h> | ||
650 | +#ifdef INT32_T | ||
651 | +typedef uint32_t u_int32_t; | ||
652 | +#endif | ||
653 | #include <netinet/in.h> | ||
654 | #include <netdb.h> | ||
655 | #include <stdio.h> | ||
656 | #include <syslog.h> | ||
657 | #include <string.h> | ||
658 | |||
659 | +#ifdef INET6 | ||
660 | +#ifndef NI_WITHSCOPEID | ||
661 | +#define NI_WITHSCOPEID 0 | ||
662 | +#endif | ||
663 | +#else | ||
664 | extern char *inet_ntoa(); | ||
665 | +#endif | ||
666 | |||
667 | /* Local stuff. */ | ||
668 | |||
669 | @@ -79,8 +88,13 @@ | ||
670 | void sock_host(request) | ||
671 | struct request_info *request; | ||
672 | { | ||
673 | +#ifdef INET6 | ||
674 | + static struct sockaddr_storage client; | ||
675 | + static struct sockaddr_storage server; | ||
676 | +#else | ||
677 | static struct sockaddr_in client; | ||
678 | static struct sockaddr_in server; | ||
679 | +#endif | ||
680 | int len; | ||
681 | char buf[BUFSIZ]; | ||
682 | int fd = request->fd; | ||
683 | @@ -109,7 +123,11 @@ | ||
684 | memset(buf, 0 sizeof(buf)); | ||
685 | #endif | ||
686 | } | ||
687 | +#ifdef INET6 | ||
688 | + request->client->sin = (struct sockaddr *)&client; | ||
689 | +#else | ||
690 | request->client->sin = &client; | ||
691 | +#endif | ||
692 | |||
693 | /* | ||
694 | * Determine the server binding. This is used for client username | ||
695 | @@ -122,7 +140,11 @@ | ||
696 | tcpd_warn("getsockname: %m"); | ||
697 | return; | ||
698 | } | ||
699 | +#ifdef INET6 | ||
700 | + request->server->sin = (struct sockaddr *)&server; | ||
701 | +#else | ||
702 | request->server->sin = &server; | ||
703 | +#endif | ||
704 | } | ||
705 | |||
706 | /* sock_hostaddr - map endpoint address to printable form */ | ||
707 | @@ -130,10 +152,26 @@ | ||
708 | void sock_hostaddr(host) | ||
709 | struct host_info *host; | ||
710 | { | ||
711 | +#ifdef INET6 | ||
712 | + struct sockaddr *sin = host->sin; | ||
713 | + int salen; | ||
714 | + | ||
715 | + if (!sin) | ||
716 | + return; | ||
717 | +#ifdef SIN6_LEN | ||
718 | + salen = sin->sa_len; | ||
719 | +#else | ||
720 | + salen = (sin->sa_family == AF_INET) ? sizeof(struct sockaddr_in) | ||
721 | + : sizeof(struct sockaddr_in6); | ||
722 | +#endif | ||
723 | + getnameinfo(sin, salen, host->addr, sizeof(host->addr), | ||
724 | + NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); | ||
725 | +#else | ||
726 | struct sockaddr_in *sin = host->sin; | ||
727 | |||
728 | if (sin != 0) | ||
729 | STRN_CPY(host->addr, inet_ntoa(sin->sin_addr), sizeof(host->addr)); | ||
730 | +#endif | ||
731 | } | ||
732 | |||
733 | /* sock_hostname - map endpoint address to host name */ | ||
734 | @@ -141,6 +179,160 @@ | ||
735 | void sock_hostname(host) | ||
736 | struct host_info *host; | ||
737 | { | ||
738 | +#ifdef INET6 | ||
739 | + struct sockaddr *sin = host->sin; | ||
740 | + struct sockaddr_in sin4; | ||
741 | + struct addrinfo hints, *res, *res0 = NULL; | ||
742 | + int salen, alen, err = 1; | ||
743 | + char *ap = NULL, *rap, hname[NI_MAXHOST]; | ||
744 | + | ||
745 | + if (sin != NULL) { | ||
746 | + if (sin->sa_family == AF_INET6) { | ||
747 | + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sin; | ||
748 | + | ||
749 | + if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { | ||
750 | + memset(&sin4, 0, sizeof(sin4)); | ||
751 | +#ifdef SIN6_LEN | ||
752 | + sin4.sin_len = sizeof(sin4); | ||
753 | +#endif | ||
754 | + sin4.sin_family = AF_INET; | ||
755 | + sin4.sin_port = sin6->sin6_port; | ||
756 | + sin4.sin_addr.s_addr = *(u_int32_t *)&sin6->sin6_addr.s6_addr[12]; | ||
757 | + sin = (struct sockaddr *)&sin4; | ||
758 | + } | ||
759 | + } | ||
760 | + switch (sin->sa_family) { | ||
761 | + case AF_INET: | ||
762 | + ap = (char *)&((struct sockaddr_in *)sin)->sin_addr; | ||
763 | + alen = sizeof(struct in_addr); | ||
764 | + salen = sizeof(struct sockaddr_in); | ||
765 | + break; | ||
766 | + case AF_INET6: | ||
767 | + ap = (char *)&((struct sockaddr_in6 *)sin)->sin6_addr; | ||
768 | + alen = sizeof(struct in6_addr); | ||
769 | + salen = sizeof(struct sockaddr_in6); | ||
770 | + break; | ||
771 | + default: | ||
772 | + break; | ||
773 | + } | ||
774 | + if (ap) | ||
775 | + err = getnameinfo(sin, salen, hname, sizeof(hname), | ||
776 | + NULL, 0, NI_WITHSCOPEID | NI_NAMEREQD); | ||
777 | + } | ||
778 | + if (!err) { | ||
779 | + | ||
780 | + STRN_CPY(host->name, hname, sizeof(host->name)); | ||
781 | + | ||
782 | + /* reject numeric addresses */ | ||
783 | + memset(&hints, 0, sizeof(hints)); | ||
784 | + hints.ai_family = sin->sa_family; | ||
785 | + hints.ai_socktype = SOCK_STREAM; | ||
786 | + hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST; | ||
787 | + if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) { | ||
788 | + freeaddrinfo(res0); | ||
789 | + res0 = NULL; | ||
790 | + tcpd_warn("host name/name mismatch: " | ||
791 | + "reverse lookup results in non-FQDN %s", | ||
792 | + host->name); | ||
793 | + strcpy(host->name, paranoid); /* name is bad, clobber it */ | ||
794 | + } | ||
795 | + err = !err; | ||
796 | + } | ||
797 | + if (!err) { | ||
798 | + /* we are now sure that this is non-numeric */ | ||
799 | + | ||
800 | + /* | ||
801 | + * Verify that the address is a member of the address list returned | ||
802 | + * by gethostbyname(hostname). | ||
803 | + * | ||
804 | + * Verify also that gethostbyaddr() and gethostbyname() return the same | ||
805 | + * hostname, or rshd and rlogind may still end up being spoofed. | ||
806 | + * | ||
807 | + * On some sites, gethostbyname("localhost") returns "localhost.domain". | ||
808 | + * This is a DNS artefact. We treat it as a special case. When we | ||
809 | + * can't believe the address list from gethostbyname("localhost") | ||
810 | + * we're in big trouble anyway. | ||
811 | + */ | ||
812 | + | ||
813 | + memset(&hints, 0, sizeof(hints)); | ||
814 | + hints.ai_family = sin->sa_family; | ||
815 | + hints.ai_socktype = SOCK_STREAM; | ||
816 | + hints.ai_flags = AI_PASSIVE | AI_CANONNAME; | ||
817 | + if (getaddrinfo(host->name, NULL, &hints, &res0) != 0) { | ||
818 | + | ||
819 | + /* | ||
820 | + * Unable to verify that the host name matches the address. This | ||
821 | + * may be a transient problem or a botched name server setup. | ||
822 | + */ | ||
823 | + | ||
824 | + tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed", | ||
825 | + host->name, | ||
826 | + (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6"); | ||
827 | + | ||
828 | + } else if ((res0->ai_canonname == NULL | ||
829 | + || STR_NE(host->name, res0->ai_canonname)) | ||
830 | + && STR_NE(host->name, "localhost")) { | ||
831 | + | ||
832 | + /* | ||
833 | + * The gethostbyaddr() and gethostbyname() calls did not return | ||
834 | + * the same hostname. This could be a nameserver configuration | ||
835 | + * problem. It could also be that someone is trying to spoof us. | ||
836 | + */ | ||
837 | + | ||
838 | + tcpd_warn("host name/name mismatch: %s != %.*s", | ||
839 | + host->name, STRING_LENGTH, | ||
840 | + (res0->ai_canonname == NULL) ? "" : res0->ai_canonname); | ||
841 | + | ||
842 | + } else { | ||
843 | + | ||
844 | + /* | ||
845 | + * The address should be a member of the address list returned by | ||
846 | + * gethostbyname(). We should first verify that the h_addrtype | ||
847 | + * field is AF_INET, but this program has already caused too much | ||
848 | + * grief on systems with broken library code. | ||
849 | + */ | ||
850 | + | ||
851 | + for (res = res0; res; res = res->ai_next) { | ||
852 | + if (res->ai_family != sin->sa_family) | ||
853 | + continue; | ||
854 | + switch (res->ai_family) { | ||
855 | + case AF_INET: | ||
856 | + rap = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr; | ||
857 | + break; | ||
858 | + case AF_INET6: | ||
859 | + /* need to check scope_id */ | ||
860 | + if (((struct sockaddr_in6 *)sin)->sin6_scope_id != | ||
861 | + ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) { | ||
862 | + continue; | ||
863 | + } | ||
864 | + rap = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; | ||
865 | + break; | ||
866 | + default: | ||
867 | + continue; | ||
868 | + } | ||
869 | + if (memcmp(rap, ap, alen) == 0) { | ||
870 | + freeaddrinfo(res0); | ||
871 | + return; /* name is good, keep it */ | ||
872 | + } | ||
873 | + } | ||
874 | + | ||
875 | + /* | ||
876 | + * The host name does not map to the initial address. Perhaps | ||
877 | + * someone has messed up. Perhaps someone compromised a name | ||
878 | + * server. | ||
879 | + */ | ||
880 | + | ||
881 | + getnameinfo(sin, salen, hname, sizeof(hname), | ||
882 | + NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); | ||
883 | + tcpd_warn("host name/address mismatch: %s != %.*s", | ||
884 | + hname, STRING_LENGTH, | ||
885 | + (res0->ai_canonname == NULL) ? "" : res0->ai_canonname); | ||
886 | + } | ||
887 | + strcpy(host->name, paranoid); /* name is bad, clobber it */ | ||
888 | + if (res0) | ||
889 | + freeaddrinfo(res0); | ||
890 | + } | ||
891 | +#else /* INET6 */ | ||
892 | struct sockaddr_in *sin = host->sin; | ||
893 | struct hostent *hp; | ||
894 | int i; | ||
895 | @@ -220,6 +412,7 @@ | ||
896 | } | ||
897 | strcpy(host->name, paranoid); /* name is bad, clobber it */ | ||
898 | } | ||
899 | +#endif /* INET6 */ | ||
900 | } | ||
901 | |||
902 | /* sock_sink - absorb unreceived IP datagram */ | ||
903 | @@ -228,7 +421,11 @@ | ||
904 | int fd; | ||
905 | { | ||
906 | char buf[BUFSIZ]; | ||
907 | +#ifdef INET6 | ||
908 | + struct sockaddr_storage sin; | ||
909 | +#else | ||
910 | struct sockaddr_in sin; | ||
911 | +#endif | ||
912 | int size = sizeof(sin); | ||
913 | |||
914 | /* | ||
915 | diff -ruN tcp_wrappers_7.6.orig/tcpd.c tcp_wrappers_7.6/tcpd.c | ||
916 | --- tcp_wrappers_7.6.orig/tcpd.c 1996-02-11 17:01:33.000000000 +0100 | ||
917 | +++ tcp_wrappers_7.6/tcpd.c 2004-04-10 19:07:43.000000000 +0200 | ||
918 | @@ -120,7 +120,12 @@ | ||
919 | |||
920 | /* Report request and invoke the real daemon program. */ | ||
921 | |||
922 | +#ifdef INET6 | ||
923 | + syslog(allow_severity, "connect from %s (%s)", | ||
924 | + eval_client(&request), eval_hostaddr(request.client)); | ||
925 | +#else | ||
926 | syslog(allow_severity, "connect from %s", eval_client(&request)); | ||
927 | +#endif | ||
928 | closelog(); | ||
929 | (void) execv(path, argv); | ||
930 | syslog(LOG_ERR, "error: cannot execute %s: %m", path); | ||
931 | diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c | ||
932 | --- tcp_wrappers_7.6.orig/tcpdchk.c 1997-02-12 02:13:25.000000000 +0100 | ||
933 | +++ tcp_wrappers_7.6/tcpdchk.c 2004-04-10 19:07:43.000000000 +0200 | ||
934 | @@ -22,6 +22,9 @@ | ||
935 | |||
936 | #include <sys/types.h> | ||
937 | #include <sys/stat.h> | ||
938 | +#ifdef INET6 | ||
939 | +#include <sys/socket.h> | ||
940 | +#endif | ||
941 | #include <netinet/in.h> | ||
942 | #include <arpa/inet.h> | ||
943 | #include <stdio.h> | ||
944 | @@ -397,6 +400,31 @@ | ||
945 | } | ||
946 | } | ||
947 | |||
948 | +#ifdef INET6 | ||
949 | +static int is_inet6_addr(pat) | ||
950 | + char *pat; | ||
951 | +{ | ||
952 | + struct addrinfo hints, *res; | ||
953 | + int len, ret; | ||
954 | + char ch; | ||
955 | + | ||
956 | + if (*pat != '[') | ||
957 | + return (0); | ||
958 | + len = strlen(pat); | ||
959 | + if ((ch = pat[len - 1]) != ']') | ||
960 | + return (0); | ||
961 | + pat[len - 1] = '\0'; | ||
962 | + memset(&hints, 0, sizeof(hints)); | ||
963 | + hints.ai_family = AF_INET6; | ||
964 | + hints.ai_socktype = SOCK_STREAM; | ||
965 | + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; | ||
966 | + if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0) | ||
967 | + freeaddrinfo(res); | ||
968 | + pat[len - 1] = ch; | ||
969 | + return (ret == 0); | ||
970 | +} | ||
971 | +#endif | ||
972 | + | ||
973 | /* check_host - criticize host pattern */ | ||
974 | |||
975 | static int check_host(pat) | ||
976 | @@ -423,14 +451,27 @@ | ||
977 | #endif | ||
978 | #endif | ||
979 | } else if (mask = split_at(pat, '/')) { /* network/netmask */ | ||
980 | +#ifdef INET6 | ||
981 | + int mask_len; | ||
982 | + | ||
983 | + if ((dot_quad_addr(pat) == INADDR_NONE | ||
984 | + || dot_quad_addr(mask) == INADDR_NONE) | ||
985 | + && (!is_inet6_addr(pat) | ||
986 | + || ((mask_len = atoi(mask)) < 0 || mask_len > 128))) | ||
987 | +#else | ||
988 | if (dot_quad_addr(pat) == INADDR_NONE | ||
989 | || dot_quad_addr(mask) == INADDR_NONE) | ||
990 | +#endif | ||
991 | tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); | ||
992 | } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ | ||
993 | tcpd_warn("FAIL is no longer recognized"); | ||
994 | tcpd_warn("(use EXCEPT or DENY instead)"); | ||
995 | } else if (reserved_name(pat)) { /* other reserved */ | ||
996 | /* void */ ; | ||
997 | +#ifdef INET6 | ||
998 | + } else if (is_inet6_addr(pat)) { /* IPv6 address */ | ||
999 | + addr_count = 1; | ||
1000 | +#endif | ||
1001 | } else if (NOT_INADDR(pat)) { /* internet name */ | ||
1002 | if (pat[strlen(pat) - 1] == '.') { | ||
1003 | tcpd_warn("%s: domain or host name ends in dot", pat); | ||
1004 | diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h | ||
1005 | --- tcp_wrappers_7.6.orig/tcpd.h 1996-03-19 16:22:25.000000000 +0100 | ||
1006 | +++ tcp_wrappers_7.6/tcpd.h 2004-04-10 19:07:43.000000000 +0200 | ||
1007 | @@ -11,7 +11,11 @@ | ||
1008 | struct host_info { | ||
1009 | char name[STRING_LENGTH]; /* access via eval_hostname(host) */ | ||
1010 | char addr[STRING_LENGTH]; /* access via eval_hostaddr(host) */ | ||
1011 | +#ifdef INET6 | ||
1012 | + struct sockaddr *sin; /* socket address or 0 */ | ||
1013 | +#else | ||
1014 | struct sockaddr_in *sin; /* socket address or 0 */ | ||
1015 | +#endif | ||
1016 | struct t_unitdata *unit; /* TLI transport address or 0 */ | ||
1017 | struct request_info *request; /* for shared information */ | ||
1018 | }; | ||
1019 | diff -ruN tcp_wrappers_7.6.orig/tcpdmatch.c tcp_wrappers_7.6/tcpdmatch.c | ||
1020 | --- tcp_wrappers_7.6.orig/tcpdmatch.c 1996-02-11 17:01:36.000000000 +0100 | ||
1021 | +++ tcp_wrappers_7.6/tcpdmatch.c 2004-04-10 19:07:43.000000000 +0200 | ||
1022 | @@ -57,7 +57,11 @@ | ||
1023 | int argc; | ||
1024 | char **argv; | ||
1025 | { | ||
1026 | +#ifdef INET6 | ||
1027 | + struct addrinfo hints, *hp, *res; | ||
1028 | +#else | ||
1029 | struct hostent *hp; | ||
1030 | +#endif | ||
1031 | char *myname = argv[0]; | ||
1032 | char *client; | ||
1033 | char *server; | ||
1034 | @@ -68,8 +72,13 @@ | ||
1035 | int ch; | ||
1036 | char *inetcf = 0; | ||
1037 | int count; | ||
1038 | +#ifdef INET6 | ||
1039 | + struct sockaddr_storage server_sin; | ||
1040 | + struct sockaddr_storage client_sin; | ||
1041 | +#else | ||
1042 | struct sockaddr_in server_sin; | ||
1043 | struct sockaddr_in client_sin; | ||
1044 | +#endif | ||
1045 | struct stat st; | ||
1046 | |||
1047 | /* | ||
1048 | @@ -172,13 +181,20 @@ | ||
1049 | if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) { | ||
1050 | if ((hp = find_inet_addr(server)) == 0) | ||
1051 | exit(1); | ||
1052 | +#ifndef INET6 | ||
1053 | memset((char *) &server_sin, 0, sizeof(server_sin)); | ||
1054 | server_sin.sin_family = AF_INET; | ||
1055 | +#endif | ||
1056 | request_set(&request, RQ_SERVER_SIN, &server_sin, 0); | ||
1057 | |||
1058 | +#ifdef INET6 | ||
1059 | + for (res = hp, count = 0; res; res = res->ai_next, count++) { | ||
1060 | + memcpy(&server_sin, res->ai_addr, res->ai_addrlen); | ||
1061 | +#else | ||
1062 | for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { | ||
1063 | memcpy((char *) &server_sin.sin_addr, addr, | ||
1064 | sizeof(server_sin.sin_addr)); | ||
1065 | +#endif | ||
1066 | |||
1067 | /* | ||
1068 | * Force evaluation of server host name and address. Host name | ||
1069 | @@ -194,7 +210,11 @@ | ||
1070 | fprintf(stderr, "Please specify an address instead\n"); | ||
1071 | exit(1); | ||
1072 | } | ||
1073 | +#ifdef INET6 | ||
1074 | + freeaddrinfo(hp); | ||
1075 | +#else | ||
1076 | free((char *) hp); | ||
1077 | +#endif | ||
1078 | } else { | ||
1079 | request_set(&request, RQ_SERVER_NAME, server, 0); | ||
1080 | } | ||
1081 | @@ -208,6 +228,18 @@ | ||
1082 | tcpdmatch(&request); | ||
1083 | exit(0); | ||
1084 | } | ||
1085 | +#ifdef INET6 | ||
1086 | + memset(&hints, 0, sizeof(hints)); | ||
1087 | + hints.ai_family = AF_INET6; | ||
1088 | + hints.ai_socktype = SOCK_STREAM; | ||
1089 | + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; | ||
1090 | + if (getaddrinfo(client, NULL, &hints, &res) == 0) { | ||
1091 | + freeaddrinfo(res); | ||
1092 | + request_set(&request, RQ_CLIENT_ADDR, client, 0); | ||
1093 | + tcpdmatch(&request); | ||
1094 | + exit(0); | ||
1095 | + } | ||
1096 | +#endif | ||
1097 | |||
1098 | /* | ||
1099 | * Perhaps they are testing special client hostname patterns that aren't | ||
1100 | @@ -229,6 +261,34 @@ | ||
1101 | */ | ||
1102 | if ((hp = find_inet_addr(client)) == 0) | ||
1103 | exit(1); | ||
1104 | +#ifdef INET6 | ||
1105 | + request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); | ||
1106 | + | ||
1107 | + for (res = hp, count = 0; res; res = res->ai_next, count++) { | ||
1108 | + memcpy(&client_sin, res->ai_addr, res->ai_addrlen); | ||
1109 | + | ||
1110 | + /* | ||
1111 | + * getnameinfo() doesn't do reverse lookup against link-local | ||
1112 | + * address. So, we pass through host name evaluation against | ||
1113 | + * such addresses. | ||
1114 | + */ | ||
1115 | + if (res->ai_family != AF_INET6 || | ||
1116 | + !IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)) { | ||
1117 | + /* | ||
1118 | + * Force evaluation of client host name and address. Host name | ||
1119 | + * conflicts will be reported while eval_hostname() does its job. | ||
1120 | + */ | ||
1121 | + request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0); | ||
1122 | + if (STR_EQ(eval_hostname(request.client), unknown)) | ||
1123 | + tcpd_warn("host address %s->name lookup failed", | ||
1124 | + eval_hostaddr(request.client)); | ||
1125 | + } | ||
1126 | + tcpdmatch(&request); | ||
1127 | + if (res->ai_next) | ||
1128 | + printf("\n"); | ||
1129 | + } | ||
1130 | + freeaddrinfo(hp); | ||
1131 | +#else | ||
1132 | memset((char *) &client_sin, 0, sizeof(client_sin)); | ||
1133 | client_sin.sin_family = AF_INET; | ||
1134 | request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); | ||
1135 | @@ -250,6 +310,7 @@ | ||
1136 | printf("\n"); | ||
1137 | } | ||
1138 | free((char *) hp); | ||
1139 | +#endif | ||
1140 | exit(0); | ||
1141 | } | ||
1142 | |||
1143 | diff -ruN tcp_wrappers_7.6.orig/tli.c tcp_wrappers_7.6/tli.c | ||
1144 | --- tcp_wrappers_7.6.orig/tli.c 1997-03-21 19:27:26.000000000 +0100 | ||
1145 | +++ tcp_wrappers_7.6/tli.c 2004-04-10 19:07:43.000000000 +0200 | ||
1146 | @@ -65,8 +65,13 @@ | ||
1147 | void tli_host(request) | ||
1148 | struct request_info *request; | ||
1149 | { | ||
1150 | +#ifdef INET6 | ||
1151 | + static struct sockaddr_storage client; | ||
1152 | + static struct sockaddr_storage server; | ||
1153 | +#else | ||
1154 | static struct sockaddr_in client; | ||
1155 | static struct sockaddr_in server; | ||
1156 | +#endif | ||
1157 | |||
1158 | /* | ||
1159 | * If we discover that we are using an IP transport, pretend we never | ||
1160 | @@ -76,14 +81,29 @@ | ||
1161 | |||
1162 | tli_endpoints(request); | ||
1163 | if ((request->config = tli_transport(request->fd)) != 0 | ||
1164 | +#ifdef INET6 | ||
1165 | + && (STR_EQ(request->config->nc_protofmly, "inet") || | ||
1166 | + STR_EQ(request->config->nc_protofmly, "inet6"))) { | ||
1167 | +#else | ||
1168 | && STR_EQ(request->config->nc_protofmly, "inet")) { | ||
1169 | +#endif | ||
1170 | if (request->client->unit != 0) { | ||
1171 | +#ifdef INET6 | ||
1172 | + client = *(struct sockaddr_storage *) request->client->unit->addr.buf; | ||
1173 | + request->client->sin = (struct sockaddr *) &client; | ||
1174 | +#else | ||
1175 | client = *(struct sockaddr_in *) request->client->unit->addr.buf; | ||
1176 | request->client->sin = &client; | ||
1177 | +#endif | ||
1178 | } | ||
1179 | if (request->server->unit != 0) { | ||
1180 | +#ifdef INET6 | ||
1181 | + server = *(struct sockaddr_storage *) request->server->unit->addr.buf; | ||
1182 | + request->server->sin = (struct sockaddr *) &server; | ||
1183 | +#else | ||
1184 | server = *(struct sockaddr_in *) request->server->unit->addr.buf; | ||
1185 | request->server->sin = &server; | ||
1186 | +#endif | ||
1187 | } | ||
1188 | tli_cleanup(request); | ||
1189 | sock_methods(request); | ||
1190 | @@ -187,7 +207,15 @@ | ||
1191 | } | ||
1192 | while (config = getnetconfig(handlep)) { | ||
1193 | if (stat(config->nc_device, &from_config) == 0) { | ||
1194 | +#ifdef NO_CLONE_DEVICE | ||
1195 | + /* | ||
1196 | + * If the network devices are not cloned (as is the case for | ||
1197 | + * Solaris 8 Beta), we must compare the major device numbers. | ||
1198 | + */ | ||
1199 | + if (major(from_config.st_rdev) == major(from_client.st_rdev)) | ||
1200 | +#else | ||
1201 | if (minor(from_config.st_rdev) == major(from_client.st_rdev)) | ||
1202 | +#endif | ||
1203 | break; | ||
1204 | } | ||
1205 | } | ||
1206 | diff -ruN tcp_wrappers_7.6.orig/update.c tcp_wrappers_7.6/update.c | ||
1207 | --- tcp_wrappers_7.6.orig/update.c 1994-12-28 17:42:56.000000000 +0100 | ||
1208 | +++ tcp_wrappers_7.6/update.c 2004-04-10 19:07:43.000000000 +0200 | ||
1209 | @@ -46,10 +46,18 @@ | ||
1210 | request->fd = va_arg(ap, int); | ||
1211 | continue; | ||
1212 | case RQ_CLIENT_SIN: | ||
1213 | +#ifdef INET6 | ||
1214 | + request->client->sin = va_arg(ap, struct sockaddr *); | ||
1215 | +#else | ||
1216 | request->client->sin = va_arg(ap, struct sockaddr_in *); | ||
1217 | +#endif | ||
1218 | continue; | ||
1219 | case RQ_SERVER_SIN: | ||
1220 | +#ifdef INET6 | ||
1221 | + request->server->sin = va_arg(ap, struct sockaddr *); | ||
1222 | +#else | ||
1223 | request->server->sin = va_arg(ap, struct sockaddr_in *); | ||
1224 | +#endif | ||
1225 | continue; | ||
1226 | |||
1227 | /* | ||
1228 | diff -ruN tcp_wrappers_7.6.orig/workarounds.c tcp_wrappers_7.6/workarounds.c | ||
1229 | --- tcp_wrappers_7.6.orig/workarounds.c 1996-03-19 16:22:26.000000000 +0100 | ||
1230 | +++ tcp_wrappers_7.6/workarounds.c 2004-04-10 19:07:43.000000000 +0200 | ||
1231 | @@ -166,11 +166,22 @@ | ||
1232 | int *len; | ||
1233 | { | ||
1234 | int ret; | ||
1235 | +#ifdef INET6 | ||
1236 | + struct sockaddr *sin = sa; | ||
1237 | +#else | ||
1238 | struct sockaddr_in *sin = (struct sockaddr_in *) sa; | ||
1239 | +#endif | ||
1240 | |||
1241 | if ((ret = getpeername(sock, sa, len)) >= 0 | ||
1242 | +#ifdef INET6 | ||
1243 | + && ((sin->su_si.si_family == AF_INET6 | ||
1244 | + && IN6_IS_ADDR_UNSPECIFIED(&sin->su_sin6.sin6_addr)) | ||
1245 | + || (sin->su_si.si_family == AF_INET | ||
1246 | + && sin->su_sin.sin_addr.s_addr == 0))) { | ||
1247 | +#else | ||
1248 | && sa->sa_family == AF_INET | ||
1249 | && sin->sin_addr.s_addr == 0) { | ||
1250 | +#endif | ||
1251 | errno = ENOTCONN; | ||
1252 | return (-1); | ||
1253 | } else { | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch new file mode 100644 index 0000000000..0238e35208 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch | |||
@@ -0,0 +1,151 @@ | |||
1 | Path: news.porcupine.org!news.porcupine.org!not-for-mail | ||
2 | From: Wietse Venema <wietse@((no)(spam)(please))wzv.win.tue.nl> | ||
3 | Newsgroups: comp.mail.sendmail,comp.security.unix | ||
4 | Subject: TCP Wrapper Blacklist Extension | ||
5 | Followup-To: poster | ||
6 | Date: 8 Sep 1997 18:53:13 -0400 | ||
7 | Organization: Wietse's hangout while on sabattical in the USA | ||
8 | Lines: 147 | ||
9 | Sender: wietse@spike.porcupine.org | ||
10 | Message-ID: <5v1vkp$h4f$1@spike.porcupine.org> | ||
11 | NNTP-Posting-Host: spike.porcupine.org | ||
12 | Xref: news.porcupine.org comp.mail.sendmail:3541 comp.security.unix:7158 | ||
13 | |||
14 | The patch below adds a new host pattern to the TCP Wrapper access | ||
15 | control language. Instead of a host name or address pattern, you | ||
16 | can specify an external /file/name with host name or address | ||
17 | patterns. The feature can be used recursively. | ||
18 | |||
19 | The /file/name extension makes it easy to blacklist bad sites, for | ||
20 | example, to block unwanted electronic mail when libwrap is linked | ||
21 | into sendmail. Adding hosts to a simple text file is much easier | ||
22 | than having to edit a more complex hosts.allow/deny file. | ||
23 | |||
24 | I developed this a year or so ago as a substitute for NIS netgroups. | ||
25 | At that time, I did not consider it of sufficient interest for | ||
26 | inclusion in the TCP Wrapper distribution. How times have changed. | ||
27 | |||
28 | The patch is relative to TCP Wrappers version 7.6. The main archive | ||
29 | site is ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz | ||
30 | |||
31 | Thanks to the Debian LINUX folks for expressing their interest in | ||
32 | this patch. | ||
33 | |||
34 | Wietse | ||
35 | |||
36 | |||
37 | [diff updated by Md] | ||
38 | |||
39 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
40 | --- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:28:09.000000000 +0200 | ||
41 | +++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:28:01.000000000 +0200 | ||
42 | @@ -97,6 +97,13 @@ | ||
43 | `[3ffe:505:2:1::]/64\' matches every address in the range | ||
44 | `3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'. | ||
45 | .IP \(bu | ||
46 | +A string that begins with a `/\' character is treated as a file | ||
47 | +name. A host name or address is matched if it matches any host name | ||
48 | +or address pattern listed in the named file. The file format is | ||
49 | +zero or more lines with zero or more host name or address patterns | ||
50 | +separated by whitespace. A file name pattern can be used anywhere | ||
51 | +a host name or address pattern can be used. | ||
52 | +.IP \(bu | ||
53 | Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This | ||
54 | method of matching cannot be used in conjunction with `net/mask\' matching, | ||
55 | hostname matching beginning with `.\' or IP address matching ending with `.\'. | ||
56 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c | ||
57 | --- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:28:09.000000000 +0200 | ||
58 | +++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:27:05.000000000 +0200 | ||
59 | @@ -253,6 +253,26 @@ | ||
60 | } | ||
61 | } | ||
62 | |||
63 | +/* hostfile_match - look up host patterns from file */ | ||
64 | + | ||
65 | +static int hostfile_match(path, host) | ||
66 | +char *path; | ||
67 | +struct hosts_info *host; | ||
68 | +{ | ||
69 | + char tok[BUFSIZ]; | ||
70 | + int match = NO; | ||
71 | + FILE *fp; | ||
72 | + | ||
73 | + if ((fp = fopen(path, "r")) != 0) { | ||
74 | + while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host))) | ||
75 | + /* void */ ; | ||
76 | + fclose(fp); | ||
77 | + } else if (errno != ENOENT) { | ||
78 | + tcpd_warn("open %s: %m", path); | ||
79 | + } | ||
80 | + return (match); | ||
81 | +} | ||
82 | + | ||
83 | /* host_match - match host name and/or address against pattern */ | ||
84 | |||
85 | static int host_match(tok, host) | ||
86 | @@ -280,6 +300,8 @@ | ||
87 | tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ | ||
88 | return (NO); | ||
89 | #endif | ||
90 | + } else if (tok[0] == '/') { /* /file hack */ | ||
91 | + return (hostfile_match(tok, host)); | ||
92 | } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ | ||
93 | char *name = eval_hostname(host); | ||
94 | return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); | ||
95 | diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c | ||
96 | --- tcp_wrappers_7.6.orig/tcpdchk.c 2004-04-10 19:28:09.000000000 +0200 | ||
97 | +++ tcp_wrappers_7.6/tcpdchk.c 2004-04-10 19:27:05.000000000 +0200 | ||
98 | @@ -353,6 +353,8 @@ | ||
99 | { | ||
100 | if (pat[0] == '@') { | ||
101 | tcpd_warn("%s: daemon name begins with \"@\"", pat); | ||
102 | + } else if (pat[0] == '/') { | ||
103 | + tcpd_warn("%s: daemon name begins with \"/\"", pat); | ||
104 | } else if (pat[0] == '.') { | ||
105 | tcpd_warn("%s: daemon name begins with dot", pat); | ||
106 | } else if (pat[strlen(pat) - 1] == '.') { | ||
107 | @@ -385,6 +387,8 @@ | ||
108 | { | ||
109 | if (pat[0] == '@') { /* @netgroup */ | ||
110 | tcpd_warn("%s: user name begins with \"@\"", pat); | ||
111 | + } else if (pat[0] == '/') { | ||
112 | + tcpd_warn("%s: user name begins with \"/\"", pat); | ||
113 | } else if (pat[0] == '.') { | ||
114 | tcpd_warn("%s: user name begins with dot", pat); | ||
115 | } else if (pat[strlen(pat) - 1] == '.') { | ||
116 | @@ -430,8 +434,13 @@ | ||
117 | static int check_host(pat) | ||
118 | char *pat; | ||
119 | { | ||
120 | + char buf[BUFSIZ]; | ||
121 | char *mask; | ||
122 | int addr_count = 1; | ||
123 | + FILE *fp; | ||
124 | + struct tcpd_context saved_context; | ||
125 | + char *cp; | ||
126 | + char *wsp = " \t\r\n"; | ||
127 | |||
128 | if (pat[0] == '@') { /* @netgroup */ | ||
129 | #ifdef NO_NETGRENT | ||
130 | @@ -450,6 +459,21 @@ | ||
131 | tcpd_warn("netgroup support disabled"); | ||
132 | #endif | ||
133 | #endif | ||
134 | + } else if (pat[0] == '/') { /* /path/name */ | ||
135 | + if ((fp = fopen(pat, "r")) != 0) { | ||
136 | + saved_context = tcpd_context; | ||
137 | + tcpd_context.file = pat; | ||
138 | + tcpd_context.line = 0; | ||
139 | + while (fgets(buf, sizeof(buf), fp)) { | ||
140 | + tcpd_context.line++; | ||
141 | + for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp)) | ||
142 | + check_host(cp); | ||
143 | + } | ||
144 | + tcpd_context = saved_context; | ||
145 | + fclose(fp); | ||
146 | + } else if (errno != ENOENT) { | ||
147 | + tcpd_warn("open %s: %m", pat); | ||
148 | + } | ||
149 | } else if (mask = split_at(pat, '/')) { /* network/netmask */ | ||
150 | #ifdef INET6 | ||
151 | int mask_len; | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_usagi_fix.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_usagi_fix.patch new file mode 100644 index 0000000000..88a2b5e43b --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/11_usagi_fix.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | diff -uN tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.new/hosts_access.c | ||
2 | --- tcp_wrappers_7.6/hosts_access.c Mon May 20 14:00:56 2002 | ||
3 | +++ tcp_wrappers_7.6.new/hosts_access.c Mon May 20 14:25:05 2002 | ||
4 | @@ -448,6 +448,15 @@ | ||
5 | int len, mask_len, i = 0; | ||
6 | char ch; | ||
7 | |||
8 | + /* | ||
9 | + * Behavior of getaddrinfo() against IPv4-mapped IPv6 address is | ||
10 | + * different between KAME and Solaris8. While KAME returns | ||
11 | + * AF_INET6, Solaris8 returns AF_INET. So, we avoid this here. | ||
12 | + */ | ||
13 | + if (STRN_EQ(string, "::ffff:", 7) | ||
14 | + && dot_quad_addr(string + 7) != INADDR_NONE) | ||
15 | + return (masked_match4(net_tok, mask_tok, string + 7)); | ||
16 | + | ||
17 | memset(&hints, 0, sizeof(hints)); | ||
18 | hints.ai_family = AF_INET6; | ||
19 | hints.ai_socktype = SOCK_STREAM; | ||
20 | @@ -457,13 +466,6 @@ | ||
21 | memcpy(&addr, res->ai_addr, sizeof(addr)); | ||
22 | freeaddrinfo(res); | ||
23 | |||
24 | - if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)) { | ||
25 | - if ((*(u_int32_t *)&net.sin6_addr.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE | ||
26 | - || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) | ||
27 | - return (NO); | ||
28 | - return ((*(u_int32_t *)&addr.sin6_addr.s6_addr[12] & mask) == *(u_int32_t *)&net.sin6_addr.s6_addr[12]); | ||
29 | - } | ||
30 | - | ||
31 | /* match IPv6 address against netnumber/prefixlen */ | ||
32 | len = strlen(net_tok); | ||
33 | if (*net_tok != '[' || net_tok[len - 1] != ']') | ||
34 | diff -uN tcp_wrappers_7.6/socket.c tcp_wrappers_7.6.new/socket.c | ||
35 | --- tcp_wrappers_7.6/socket.c Mon May 20 13:48:35 2002 | ||
36 | +++ tcp_wrappers_7.6.new/socket.c Mon May 20 14:22:27 2002 | ||
37 | @@ -228,7 +228,7 @@ | ||
38 | hints.ai_family = sin->sa_family; | ||
39 | hints.ai_socktype = SOCK_STREAM; | ||
40 | hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST; | ||
41 | - if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) { | ||
42 | + if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) { | ||
43 | freeaddrinfo(res0); | ||
44 | res0 = NULL; | ||
45 | tcpd_warn("host name/name mismatch: " | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/12_makefile_config.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/12_makefile_config.patch new file mode 100644 index 0000000000..60ca594bee --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/12_makefile_config.patch | |||
@@ -0,0 +1,81 @@ | |||
1 | diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile | ||
2 | --- tcp_wrappers_7.6.orig/Makefile 2003-08-21 01:43:39.000000000 +0200 | ||
3 | +++ tcp_wrappers_7.6/Makefile 2003-08-21 01:43:35.000000000 +0200 | ||
4 | @@ -45,7 +45,7 @@ | ||
5 | # | ||
6 | # SysV.4 Solaris 2.x OSF AIX | ||
7 | #REAL_DAEMON_DIR=/usr/sbin | ||
8 | -# | ||
9 | +REAL_DAEMON_DIR=/usr/sbin | ||
10 | # BSD 4.4 | ||
11 | #REAL_DAEMON_DIR=/usr/libexec | ||
12 | # | ||
13 | @@ -512,6 +519,7 @@ | ||
14 | # (examples: allow, deny, banners, twist and spawn). | ||
15 | # | ||
16 | #STYLE = -DPROCESS_OPTIONS # Enable language extensions. | ||
17 | +STYLE = -DPROCESS_OPTIONS | ||
18 | |||
19 | ################################################################ | ||
20 | # Optional: Changing the default disposition of logfile records | ||
21 | @@ -535,6 +543,7 @@ | ||
22 | # The LOG_XXX names below are taken from the /usr/include/syslog.h file. | ||
23 | |||
24 | FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use | ||
25 | +FACILITY= LOG_DAEMON | ||
26 | |||
27 | # The syslog priority at which successful connections are logged. | ||
28 | |||
29 | @@ -631,6 +640,7 @@ | ||
30 | # lookups altogether, see the next section. | ||
31 | |||
32 | PARANOID= -DPARANOID | ||
33 | +PARANOID= | ||
34 | |||
35 | ######################################## | ||
36 | # Optional: turning off hostname lookups | ||
37 | @@ -644,6 +654,7 @@ | ||
38 | # mode (see previous section) and comment out the following definition. | ||
39 | |||
40 | HOSTNAME= -DALWAYS_HOSTNAME | ||
41 | +HOSTNAME= | ||
42 | |||
43 | ############################################# | ||
44 | # Optional: Turning on host ADDRESS checking | ||
45 | @@ -670,6 +681,7 @@ | ||
46 | # Solaris 2.x, and Linux. See your system documentation for details. | ||
47 | # | ||
48 | # KILL_OPT= -DKILL_IP_OPTIONS | ||
49 | +KILL_OPT= -DKILL_IP_OPTIONS | ||
50 | |||
51 | ## End configuration options | ||
52 | ############################ | ||
53 | @@ -677,9 +689,10 @@ | ||
54 | # Protection against weird shells or weird make programs. | ||
55 | |||
56 | SHELL = /bin/sh | ||
57 | -.c.o:; $(CC) $(CFLAGS) -c $*.c | ||
58 | +.c.o:; $(CC) $(CFLAGS) -o $*.o -c $*.c | ||
59 | |||
60 | -CFLAGS = -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ | ||
61 | +COPTS = -O2 -g | ||
62 | +CFLAGS = $(COPTS) -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \ | ||
63 | $(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \ | ||
64 | -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \ | ||
65 | -DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \ | ||
66 | @@ -712,10 +725,11 @@ | ||
67 | |||
68 | config-check: | ||
69 | @set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; } | ||
70 | - @set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \ | ||
71 | - if cmp cflags /tmp/cflags.$$$$ ; \ | ||
72 | - then rm /tmp/cflags.$$$$ ; \ | ||
73 | - else mv /tmp/cflags.$$$$ cflags ; \ | ||
74 | + @set +e; echo $(CFLAGS) >cflags.new ; \ | ||
75 | + if cmp cflags cflags.new ; \ | ||
76 | + then rm cflags.new ; \ | ||
77 | + else mv cflags.new cflags ; \ | ||
78 | fi >/dev/null 2>/dev/null | ||
79 | + @if [ ! -d shared ]; then mkdir shared; fi | ||
80 | |||
81 | $(LIB): $(LIB_OBJ) | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/13_shlib_weaksym.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/13_shlib_weaksym.patch new file mode 100644 index 0000000000..c089b33257 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/13_shlib_weaksym.patch | |||
@@ -0,0 +1,253 @@ | |||
1 | diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile | ||
2 | --- tcp_wrappers_7.6.orig/Makefile 2004-05-02 15:37:59.000000000 +0200 | ||
3 | +++ tcp_wrappers_7.6/Makefile 2004-05-02 15:31:09.000000000 +0200 | ||
4 | @@ -150,15 +150,15 @@ | ||
5 | |||
6 | linux: | ||
7 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
8 | - LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ | ||
9 | + LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ | ||
10 | NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \ | ||
11 | - EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all | ||
12 | + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all | ||
13 | |||
14 | gnu: | ||
15 | @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ | ||
16 | - LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ | ||
17 | + LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \ | ||
18 | NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \ | ||
19 | - EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR" all | ||
20 | + EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT" all | ||
21 | |||
22 | # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x. | ||
23 | hpux hpux8 hpux9 hpux10: | ||
24 | @@ -713,7 +713,22 @@ | ||
25 | |||
26 | LIB = libwrap.a | ||
27 | |||
28 | -all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk | ||
29 | +shared/%.o: %.c | ||
30 | + $(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@ | ||
31 | + | ||
32 | +SOMAJOR = 0 | ||
33 | +SOMINOR = 7.6 | ||
34 | + | ||
35 | +SHLIB = shared/libwrap.so.$(SOMAJOR).$(SOMINOR) | ||
36 | +SHLIBSOMAJ = shared/libwrap.so.$(SOMAJOR) | ||
37 | +SHLIBSO = shared/libwrap.so | ||
38 | +SHLIBFLAGS = -Lshared -lwrap | ||
39 | + | ||
40 | +SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS) | ||
41 | +SHCFLAGS = -fPIC -shared -D_REENTRANT | ||
42 | +SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ)); | ||
43 | + | ||
44 | +all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB) | ||
45 | |||
46 | # Invalidate all object files when the compiler options (CFLAGS) have changed. | ||
47 | |||
48 | @@ -731,27 +746,33 @@ | ||
49 | $(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ) | ||
50 | -$(RANLIB) $(LIB) | ||
51 | |||
52 | -tcpd: tcpd.o $(LIB) | ||
53 | - $(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS) | ||
54 | +$(SHLIB): $(SHLIB_OBJ) | ||
55 | + rm -f $(SHLIB) | ||
56 | + $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ) | ||
57 | + ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ) | ||
58 | + ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO) | ||
59 | + | ||
60 | +tcpd: tcpd.o $(SHLIB) | ||
61 | + $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS) | ||
62 | |||
63 | miscd: miscd.o $(LIB) | ||
64 | $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS) | ||
65 | |||
66 | -safe_finger: safe_finger.o $(LIB) | ||
67 | - $(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS) | ||
68 | +safe_finger: safe_finger.o $(SHLIB) | ||
69 | + $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS) | ||
70 | |||
71 | TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o | ||
72 | |||
73 | -tcpdmatch: $(TCPDMATCH_OBJ) $(LIB) | ||
74 | - $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS) | ||
75 | +tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB) | ||
76 | + $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS) | ||
77 | |||
78 | -try-from: try-from.o fakelog.o $(LIB) | ||
79 | - $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS) | ||
80 | +try-from: try-from.o fakelog.o $(SHLIB) | ||
81 | + $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS) | ||
82 | |||
83 | TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o | ||
84 | |||
85 | -tcpdchk: $(TCPDCHK_OBJ) $(LIB) | ||
86 | - $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS) | ||
87 | +tcpdchk: $(TCPDCHK_OBJ) $(SHLIB) | ||
88 | + $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS) | ||
89 | |||
90 | shar: $(KIT) | ||
91 | @shar $(KIT) | ||
92 | @@ -767,7 +788,9 @@ | ||
93 | |||
94 | clean: | ||
95 | rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \ | ||
96 | + libwrap*.so* \ | ||
97 | cflags | ||
98 | + rm -rf shared/ | ||
99 | |||
100 | tidy: clean | ||
101 | chmod -R a+r . | ||
102 | @@ -913,5 +936,6 @@ | ||
103 | update.o: mystdarg.h | ||
104 | update.o: tcpd.h | ||
105 | vfprintf.o: cflags | ||
106 | +weak_symbols.o: tcpd.h | ||
107 | workarounds.o: cflags | ||
108 | workarounds.o: tcpd.h | ||
109 | diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h | ||
110 | --- tcp_wrappers_7.6.orig/tcpd.h 2004-05-02 15:37:59.000000000 +0200 | ||
111 | +++ tcp_wrappers_7.6/tcpd.h 2004-05-02 15:37:49.000000000 +0200 | ||
112 | @@ -4,6 +4,15 @@ | ||
113 | * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. | ||
114 | */ | ||
115 | |||
116 | +#ifndef _TCPWRAPPERS_TCPD_H | ||
117 | +#define _TCPWRAPPERS_TCPD_H | ||
118 | + | ||
119 | +/* Need definitions of struct sockaddr_in and FILE. */ | ||
120 | +#include <netinet/in.h> | ||
121 | +#include <stdio.h> | ||
122 | + | ||
123 | +__BEGIN_DECLS | ||
124 | + | ||
125 | /* Structure to describe one communications endpoint. */ | ||
126 | |||
127 | #define STRING_LENGTH 128 /* hosts, users, processes */ | ||
128 | @@ -29,10 +38,10 @@ | ||
129 | char pid[10]; /* access via eval_pid(request) */ | ||
130 | struct host_info client[1]; /* client endpoint info */ | ||
131 | struct host_info server[1]; /* server endpoint info */ | ||
132 | - void (*sink) (); /* datagram sink function or 0 */ | ||
133 | - void (*hostname) (); /* address to printable hostname */ | ||
134 | - void (*hostaddr) (); /* address to printable address */ | ||
135 | - void (*cleanup) (); /* cleanup function or 0 */ | ||
136 | + void (*sink) (int); /* datagram sink function or 0 */ | ||
137 | + void (*hostname) (struct host_info *); /* address to printable hostname */ | ||
138 | + void (*hostaddr) (struct host_info *); /* address to printable address */ | ||
139 | + void (*cleanup) (struct request_info *); /* cleanup function or 0 */ | ||
140 | struct netconfig *config; /* netdir handle */ | ||
141 | }; | ||
142 | |||
143 | @@ -70,20 +79,27 @@ | ||
144 | #define fromhost sock_host /* no TLI support needed */ | ||
145 | #endif | ||
146 | |||
147 | -extern int hosts_access(); /* access control */ | ||
148 | -extern void shell_cmd(); /* execute shell command */ | ||
149 | -extern char *percent_x(); /* do %<char> expansion */ | ||
150 | -extern void rfc931(); /* client name from RFC 931 daemon */ | ||
151 | -extern void clean_exit(); /* clean up and exit */ | ||
152 | -extern void refuse(); /* clean up and exit */ | ||
153 | -extern char *xgets(); /* fgets() on steroids */ | ||
154 | -extern char *split_at(); /* strchr() and split */ | ||
155 | -extern unsigned long dot_quad_addr(); /* restricted inet_addr() */ | ||
156 | +extern int hosts_access(struct request_info *request); /* access control */ | ||
157 | +extern void shell_cmd(char *); /* execute shell command */ | ||
158 | +extern char *percent_x(char *, int, char *, struct request_info *); | ||
159 | + /* do %<char> expansion */ | ||
160 | +extern void rfc931(struct sockaddr *, struct sockaddr *, char *); | ||
161 | + /* client name from RFC 931 daemon */ | ||
162 | +extern void clean_exit(struct request_info *); /* clean up and exit */ | ||
163 | +extern void refuse(struct request_info *); /* clean up and exit */ | ||
164 | +extern char *xgets(char *, int, FILE *); /* fgets() on steroids */ | ||
165 | +extern char *split_at(char *, int); /* strchr() and split */ | ||
166 | +extern unsigned long dot_quad_addr(char *); /* restricted inet_addr() */ | ||
167 | |||
168 | /* Global variables. */ | ||
169 | |||
170 | +#ifdef HAVE_WEAKSYMS | ||
171 | +extern int allow_severity __attribute__ ((weak)); /* for connection logging */ | ||
172 | +extern int deny_severity __attribute__ ((weak)); /* for connection logging */ | ||
173 | +#else | ||
174 | extern int allow_severity; /* for connection logging */ | ||
175 | extern int deny_severity; /* for connection logging */ | ||
176 | +#endif | ||
177 | extern char *hosts_allow_table; /* for verification mode redirection */ | ||
178 | extern char *hosts_deny_table; /* for verification mode redirection */ | ||
179 | extern int hosts_access_verbose; /* for verbose matching mode */ | ||
180 | @@ -98,6 +114,8 @@ | ||
181 | #ifdef __STDC__ | ||
182 | extern struct request_info *request_init(struct request_info *,...); | ||
183 | extern struct request_info *request_set(struct request_info *,...); | ||
184 | +extern int hosts_ctl(char *daemon, char *client_name, char *client_addr, | ||
185 | + char *client_user); | ||
186 | #else | ||
187 | extern struct request_info *request_init(); /* initialize request */ | ||
188 | extern struct request_info *request_set(); /* update request structure */ | ||
189 | @@ -121,20 +139,23 @@ | ||
190 | * host_info structures serve as caches for the lookup results. | ||
191 | */ | ||
192 | |||
193 | -extern char *eval_user(); /* client user */ | ||
194 | -extern char *eval_hostname(); /* printable hostname */ | ||
195 | -extern char *eval_hostaddr(); /* printable host address */ | ||
196 | -extern char *eval_hostinfo(); /* host name or address */ | ||
197 | -extern char *eval_client(); /* whatever is available */ | ||
198 | -extern char *eval_server(); /* whatever is available */ | ||
199 | +extern char *eval_user(struct request_info *); /* client user */ | ||
200 | +extern char *eval_hostname(struct host_info *); /* printable hostname */ | ||
201 | +extern char *eval_hostaddr(struct host_info *); /* printable host address */ | ||
202 | +extern char *eval_hostinfo(struct host_info *); /* host name or address */ | ||
203 | +extern char *eval_client(struct request_info *);/* whatever is available */ | ||
204 | +extern char *eval_server(struct request_info *);/* whatever is available */ | ||
205 | #define eval_daemon(r) ((r)->daemon) /* daemon process name */ | ||
206 | #define eval_pid(r) ((r)->pid) /* process id */ | ||
207 | |||
208 | /* Socket-specific methods, including DNS hostname lookups. */ | ||
209 | |||
210 | -extern void sock_host(); /* look up endpoint addresses */ | ||
211 | -extern void sock_hostname(); /* translate address to hostname */ | ||
212 | -extern void sock_hostaddr(); /* address to printable address */ | ||
213 | +/* look up endpoint addresses */ | ||
214 | +extern void sock_host(struct request_info *); | ||
215 | +/* translate address to hostname */ | ||
216 | +extern void sock_hostname(struct host_info *); | ||
217 | +/* address to printable address */ | ||
218 | +extern void sock_hostaddr(struct host_info *); | ||
219 | #define sock_methods(r) \ | ||
220 | { (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; } | ||
221 | |||
222 | @@ -182,7 +203,7 @@ | ||
223 | * behavior. | ||
224 | */ | ||
225 | |||
226 | -extern void process_options(); /* execute options */ | ||
227 | +extern void process_options(char *, struct request_info *);/* execute options */ | ||
228 | extern int dry_run; /* verification flag */ | ||
229 | |||
230 | /* Bug workarounds. */ | ||
231 | @@ -221,3 +242,7 @@ | ||
232 | #define strtok my_strtok | ||
233 | extern char *my_strtok(); | ||
234 | #endif | ||
235 | + | ||
236 | +__END_DECLS | ||
237 | + | ||
238 | +#endif | ||
239 | diff -ruN tcp_wrappers_7.6.orig/weak_symbols.c tcp_wrappers_7.6/weak_symbols.c | ||
240 | --- tcp_wrappers_7.6.orig/weak_symbols.c 1970-01-01 01:00:00.000000000 +0100 | ||
241 | +++ tcp_wrappers_7.6/weak_symbols.c 2004-05-02 15:31:09.000000000 +0200 | ||
242 | @@ -0,0 +1,11 @@ | ||
243 | + /* | ||
244 | + * @(#) weak_symbols.h 1.5 99/12/29 23:50 | ||
245 | + * | ||
246 | + * Author: Anthony Towns <ajt@debian.org> | ||
247 | + */ | ||
248 | + | ||
249 | +#ifdef HAVE_WEAKSYMS | ||
250 | +#include <syslog.h> | ||
251 | +int deny_severity = LOG_WARNING; | ||
252 | +int allow_severity = SEVERITY; | ||
253 | +#endif | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/14_cidr_support.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/14_cidr_support.patch new file mode 100644 index 0000000000..0e1ecf5b4a --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/14_cidr_support.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
2 | --- tcp_wrappers_7.6.orig/hosts_access.5 2003-08-21 03:15:36.000000000 +0200 | ||
3 | +++ tcp_wrappers_7.6/hosts_access.5 2003-08-21 03:15:31.000000000 +0200 | ||
4 | @@ -90,6 +90,10 @@ | ||
5 | pattern `131.155.72.0/255.255.254.0\' matches every address in the | ||
6 | range `131.155.72.0\' through `131.155.73.255\'. | ||
7 | .IP \(bu | ||
8 | +An expression of the form `n.n.n.n/mm' is interpreted as a | ||
9 | +`net/masklength' pair, where `mm' is the number of consecutive `1' | ||
10 | +bits in the netmask applied to the `n.n.n.n' address. | ||
11 | +.IP \(bu | ||
12 | An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a | ||
13 | `[net]/prefixlen\' pair. An IPv6 host address is matched if | ||
14 | `prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the | ||
15 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c | ||
16 | --- tcp_wrappers_7.6.orig/hosts_access.c 2003-08-21 03:15:36.000000000 +0200 | ||
17 | +++ tcp_wrappers_7.6/hosts_access.c 2003-08-21 03:09:30.000000000 +0200 | ||
18 | @@ -417,7 +417,8 @@ | ||
19 | if ((addr = dot_quad_addr(string)) == INADDR_NONE) | ||
20 | return (NO); | ||
21 | if ((net = dot_quad_addr(net_tok)) == INADDR_NONE | ||
22 | - || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) { | ||
23 | + || ((mask = dot_quad_addr(mask_tok)) == INADDR_NONE | ||
24 | + && (mask = cidr_mask_addr(mask_tok)) == 0)) { | ||
25 | #ifndef INET6 | ||
26 | tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok); | ||
27 | #endif | ||
28 | diff -ruN tcp_wrappers_7.6.orig/misc.c tcp_wrappers_7.6/misc.c | ||
29 | --- tcp_wrappers_7.6.orig/misc.c 2003-08-21 03:15:36.000000000 +0200 | ||
30 | +++ tcp_wrappers_7.6/misc.c 2003-08-21 03:09:30.000000000 +0200 | ||
31 | @@ -107,3 +107,17 @@ | ||
32 | } | ||
33 | return (runs == 4 ? inet_addr(str) : INADDR_NONE); | ||
34 | } | ||
35 | + | ||
36 | +/* cidr_mask_addr - convert cidr netmask length to internal form */ | ||
37 | + | ||
38 | +unsigned long cidr_mask_addr(str) | ||
39 | +char *str; | ||
40 | +{ | ||
41 | + int maskbits; | ||
42 | + | ||
43 | + maskbits = atoi(str); | ||
44 | + if (maskbits < 1 || maskbits > 32) | ||
45 | + return (0); | ||
46 | + return htonl(0xFFFFFFFF << (32 - maskbits)); | ||
47 | +} | ||
48 | + | ||
49 | diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c | ||
50 | --- tcp_wrappers_7.6.orig/tcpdchk.c 2003-08-21 03:15:36.000000000 +0200 | ||
51 | +++ tcp_wrappers_7.6/tcpdchk.c 2003-08-21 03:09:30.000000000 +0200 | ||
52 | @@ -497,12 +497,12 @@ | ||
53 | int mask_len; | ||
54 | |||
55 | if ((dot_quad_addr(pat) == INADDR_NONE | ||
56 | - || dot_quad_addr(mask) == INADDR_NONE) | ||
57 | + || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0) | ||
58 | && (!is_inet6_addr(pat) | ||
59 | || ((mask_len = atoi(mask)) < 0 || mask_len > 128))) | ||
60 | #else | ||
61 | if (dot_quad_addr(pat) == INADDR_NONE | ||
62 | - || dot_quad_addr(mask) == INADDR_NONE) | ||
63 | + || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0) | ||
64 | #endif | ||
65 | tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); | ||
66 | } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/15_match_clarify.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/15_match_clarify.patch new file mode 100644 index 0000000000..913ed987d6 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/15_match_clarify.patch | |||
@@ -0,0 +1,12 @@ | |||
1 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
2 | --- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-25 12:17:59.000000000 +0200 | ||
3 | +++ tcp_wrappers_7.6/hosts_access.5 2004-04-25 12:17:53.000000000 +0200 | ||
4 | @@ -89,6 +89,8 @@ | ||
5 | bitwise AND of the address and the `mask\'. For example, the net/mask | ||
6 | pattern `131.155.72.0/255.255.254.0\' matches every address in the | ||
7 | range `131.155.72.0\' through `131.155.73.255\'. | ||
8 | +`255.255.255.255\' is not a valid mask value, so a single host can be | ||
9 | +matched just by its IP. | ||
10 | .IP \(bu | ||
11 | An expression of the form `n.n.n.n/mm' is interpreted as a | ||
12 | `net/masklength' pair, where `mm' is the number of consecutive `1' | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/expand_remote_port.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/expand_remote_port.patch new file mode 100644 index 0000000000..e35fc7ecd9 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/expand_remote_port.patch | |||
@@ -0,0 +1,71 @@ | |||
1 | diff -ruN tcp_wrappers_7.6.orig/eval.c tcp_wrappers_7.6/eval.c | ||
2 | --- tcp_wrappers_7.6.orig/eval.c 1995-01-30 19:51:46.000000000 +0100 | ||
3 | +++ tcp_wrappers_7.6/eval.c 2004-11-04 13:59:01.000000000 +0100 | ||
4 | @@ -98,6 +98,28 @@ | ||
5 | } | ||
6 | } | ||
7 | |||
8 | +/* eval_port - return string with the port */ | ||
9 | +char *eval_port(saddr) | ||
10 | +#ifdef INET6 | ||
11 | +struct sockaddr *saddr; | ||
12 | +#else | ||
13 | +struct sockaddr_in *saddr; | ||
14 | +#endif | ||
15 | +{ | ||
16 | + static char port[16]; | ||
17 | + if (saddr != 0) { | ||
18 | + sprintf(port, "%u", | ||
19 | +#ifdef INET6 | ||
20 | + ntohs(((struct sockaddr_in *)saddr)->sin_port)); | ||
21 | +#else | ||
22 | + ntohs(saddr->sin_port)); | ||
23 | +#endif | ||
24 | + } else { | ||
25 | + strcpy(port, "0"); | ||
26 | + } | ||
27 | + return (port); | ||
28 | +} | ||
29 | + | ||
30 | /* eval_client - return string with as much about the client as we know */ | ||
31 | |||
32 | char *eval_client(request) | ||
33 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 | ||
34 | --- tcp_wrappers_7.6.orig/hosts_access.5 2004-11-04 13:17:45.000000000 +0100 | ||
35 | +++ tcp_wrappers_7.6/hosts_access.5 2004-11-04 13:55:32.000000000 +0100 | ||
36 | @@ -175,6 +175,8 @@ | ||
37 | unavailable. | ||
38 | .IP "%n (%N)" | ||
39 | The client (server) host name (or "unknown" or "paranoid"). | ||
40 | +.IP "%r (%R)" | ||
41 | +The clients (servers) port number (or "0"). | ||
42 | .IP %p | ||
43 | The daemon process id. | ||
44 | .IP %s | ||
45 | diff -ruN tcp_wrappers_7.6.orig/percent_x.c tcp_wrappers_7.6/percent_x.c | ||
46 | --- tcp_wrappers_7.6.orig/percent_x.c 1994-12-28 17:42:38.000000000 +0100 | ||
47 | +++ tcp_wrappers_7.6/percent_x.c 2004-11-04 13:19:29.000000000 +0100 | ||
48 | @@ -63,6 +63,8 @@ | ||
49 | ch == 'n' ? eval_hostname(request->client) : | ||
50 | ch == 'N' ? eval_hostname(request->server) : | ||
51 | ch == 'p' ? eval_pid(request) : | ||
52 | + ch == 'r' ? eval_port(request->client->sin) : | ||
53 | + ch == 'R' ? eval_port(request->server->sin) : | ||
54 | ch == 's' ? eval_server(request) : | ||
55 | ch == 'u' ? eval_user(request) : | ||
56 | ch == '%' ? "%" : (tcpd_warn("unrecognized %%%c", ch), ""); | ||
57 | diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h | ||
58 | --- tcp_wrappers_7.6.orig/tcpd.h 2004-11-04 13:17:45.000000000 +0100 | ||
59 | +++ tcp_wrappers_7.6/tcpd.h 2004-11-04 13:19:13.000000000 +0100 | ||
60 | @@ -145,6 +145,11 @@ | ||
61 | extern char *eval_hostinfo(struct host_info *); /* host name or address */ | ||
62 | extern char *eval_client(struct request_info *);/* whatever is available */ | ||
63 | extern char *eval_server(struct request_info *);/* whatever is available */ | ||
64 | +#ifdef INET6 | ||
65 | +extern char *eval_port(struct sockaddr *); | ||
66 | +#else | ||
67 | +extern char *eval_port(struct sockaddr_in *); | ||
68 | +#endif | ||
69 | #define eval_daemon(r) ((r)->daemon) /* daemon process name */ | ||
70 | #define eval_pid(r) ((r)->pid) /* process id */ | ||
71 | |||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/have_strerror.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/have_strerror.patch new file mode 100644 index 0000000000..31c2b92278 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/have_strerror.patch | |||
@@ -0,0 +1,19 @@ | |||
1 | diff -ruN tcp_wrappers_7.6.orig/percent_m.c tcp_wrappers_7.6/percent_m.c | ||
2 | --- tcp_wrappers_7.6.orig/percent_m.c 1994-12-28 17:42:37.000000000 +0100 | ||
3 | +++ tcp_wrappers_7.6/percent_m.c 2003-08-21 02:45:31.000000000 +0200 | ||
4 | @@ -29,11 +29,15 @@ | ||
5 | |||
6 | while (*bp = *cp) | ||
7 | if (*cp == '%' && cp[1] == 'm') { | ||
8 | +#ifdef HAVE_STRERROR | ||
9 | + strcpy(bp, strerror(errno)); | ||
10 | +#else | ||
11 | if (errno < sys_nerr && errno > 0) { | ||
12 | strcpy(bp, sys_errlist[errno]); | ||
13 | } else { | ||
14 | sprintf(bp, "Unknown error %d", errno); | ||
15 | } | ||
16 | +#endif | ||
17 | bp += strlen(bp); | ||
18 | cp += 2; | ||
19 | } else { | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/ldflags.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/ldflags.patch new file mode 100644 index 0000000000..2e897650e0 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/ldflags.patch | |||
@@ -0,0 +1,43 @@ | |||
1 | Index: tcp_wrappers_7.6.orig/Makefile | ||
2 | =================================================================== | ||
3 | --- tcp_wrappers_7.6.orig.orig/Makefile 2009-04-06 10:55:47.000000000 +0000 | ||
4 | +++ tcp_wrappers_7.6.orig/Makefile 2009-04-06 10:57:04.000000000 +0000 | ||
5 | @@ -748,31 +748,31 @@ | ||
6 | |||
7 | $(SHLIB): $(SHLIB_OBJ) | ||
8 | rm -f $(SHLIB) | ||
9 | - $(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ) | ||
10 | + $(CC) $(LDFLAGS) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ) | ||
11 | ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ) | ||
12 | ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO) | ||
13 | |||
14 | tcpd: tcpd.o $(SHLIB) | ||
15 | - $(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS) | ||
16 | + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ tcpd.o $(SHLIBFLAGS) | ||
17 | |||
18 | miscd: miscd.o $(LIB) | ||
19 | - $(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS) | ||
20 | + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ miscd.o $(LIB) $(LIBS) | ||
21 | |||
22 | safe_finger: safe_finger.o $(SHLIB) | ||
23 | - $(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS) | ||
24 | + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS) | ||
25 | |||
26 | TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o | ||
27 | |||
28 | tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB) | ||
29 | - $(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS) | ||
30 | + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS) | ||
31 | |||
32 | try-from: try-from.o fakelog.o $(SHLIB) | ||
33 | - $(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS) | ||
34 | + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS) | ||
35 | |||
36 | TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o | ||
37 | |||
38 | tcpdchk: $(TCPDCHK_OBJ) $(SHLIB) | ||
39 | - $(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS) | ||
40 | + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS) | ||
41 | |||
42 | shar: $(KIT) | ||
43 | @shar $(KIT) | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/man_fromhost.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/man_fromhost.patch new file mode 100644 index 0000000000..afaa9c8ac3 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/man_fromhost.patch | |||
@@ -0,0 +1,21 @@ | |||
1 | diff -ruN tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3 | ||
2 | --- tcp_wrappers_7.6.orig/hosts_access.3 2004-04-25 00:10:48.000000000 +0200 | ||
3 | +++ tcp_wrappers_7.6/hosts_access.3 2004-04-25 00:09:36.000000000 +0200 | ||
4 | @@ -14,6 +14,9 @@ | ||
5 | struct request_info *request_set(request, key, value, ..., 0) | ||
6 | struct request_info *request; | ||
7 | |||
8 | +void fromhost(request) | ||
9 | +struct request_info *request; | ||
10 | + | ||
11 | int hosts_access(request) | ||
12 | struct request_info *request; | ||
13 | |||
14 | @@ -60,6 +63,7 @@ | ||
15 | is available, host names and client user names are looked up on demand, | ||
16 | using the request structure as a cache. hosts_access() returns zero if | ||
17 | access should be denied. | ||
18 | +fromhost() must be called before hosts_access(). | ||
19 | .PP | ||
20 | hosts_ctl() is a wrapper around the request_init() and hosts_access() | ||
21 | routines with a perhaps more convenient interface (though it does not | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/restore_sigalarm.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/restore_sigalarm.patch new file mode 100644 index 0000000000..ece7da35fe --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/restore_sigalarm.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | diff -ruN tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c | ||
2 | --- tcp_wrappers_7.6.orig/rfc931.c 2004-08-29 18:40:08.000000000 +0200 | ||
3 | +++ tcp_wrappers_7.6/rfc931.c 2004-08-29 18:40:02.000000000 +0200 | ||
4 | @@ -92,6 +92,8 @@ | ||
5 | char *cp; | ||
6 | char *result = unknown; | ||
7 | FILE *fp; | ||
8 | + unsigned saved_timeout; | ||
9 | + struct sigaction nact, oact; | ||
10 | |||
11 | #ifdef INET6 | ||
12 | /* address family must be the same */ | ||
13 | @@ -134,7 +136,12 @@ | ||
14 | */ | ||
15 | |||
16 | if (setjmp(timebuf) == 0) { | ||
17 | - signal(SIGALRM, timeout); | ||
18 | + /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */ | ||
19 | + saved_timeout = alarm(0); | ||
20 | + nact.sa_handler = timeout; | ||
21 | + nact.sa_flags = 0; | ||
22 | + (void) sigemptyset(&nact.sa_mask); | ||
23 | + (void) sigaction(SIGALRM, &nact, &oact); | ||
24 | alarm(rfc931_timeout); | ||
25 | |||
26 | /* | ||
27 | @@ -223,6 +230,10 @@ | ||
28 | } | ||
29 | alarm(0); | ||
30 | } | ||
31 | + /* Restore SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */ | ||
32 | + (void) sigaction(SIGALRM, &oact, NULL); | ||
33 | + if (saved_timeout > 0) | ||
34 | + alarm(saved_timeout); | ||
35 | fclose(fp); | ||
36 | } | ||
37 | STRN_CPY(dest, result, STRING_LENGTH); | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/rfc931.diff b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/rfc931.diff new file mode 100644 index 0000000000..a926d0edfd --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/rfc931.diff | |||
@@ -0,0 +1,39 @@ | |||
1 | diff -ruNp tcp_wrappers_7.6.orig/scaffold.c tcp_wrappers_7.6/scaffold.c | ||
2 | --- tcp_wrappers_7.6.orig/scaffold.c 2005-03-09 18:22:04.000000000 +0100 | ||
3 | +++ tcp_wrappers_7.6/scaffold.c 2005-03-09 18:20:47.000000000 +0100 | ||
4 | @@ -237,10 +237,17 @@ struct request_info *request; | ||
5 | |||
6 | /* ARGSUSED */ | ||
7 | |||
8 | -void rfc931(request) | ||
9 | -struct request_info *request; | ||
10 | +void rfc931(rmt_sin, our_sin, dest) | ||
11 | +#ifdef INET6 | ||
12 | +struct sockaddr *rmt_sin; | ||
13 | +struct sockaddr *our_sin; | ||
14 | +#else | ||
15 | +struct sockaddr_in *rmt_sin; | ||
16 | +struct sockaddr_in *our_sin; | ||
17 | +#endif | ||
18 | +char *dest; | ||
19 | { | ||
20 | - strcpy(request->user, unknown); | ||
21 | + strcpy(dest, unknown); | ||
22 | } | ||
23 | |||
24 | /* check_path - examine accessibility */ | ||
25 | diff -ruNp tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h | ||
26 | --- tcp_wrappers_7.6.orig/tcpd.h 2005-03-09 18:22:04.000000000 +0100 | ||
27 | +++ tcp_wrappers_7.6/tcpd.h 2005-03-09 18:21:23.000000000 +0100 | ||
28 | @@ -83,7 +83,11 @@ extern int hosts_access(struct request_i | ||
29 | extern void shell_cmd(char *); /* execute shell command */ | ||
30 | extern char *percent_x(char *, int, char *, struct request_info *); | ||
31 | /* do %<char> expansion */ | ||
32 | +#ifdef INET6 | ||
33 | extern void rfc931(struct sockaddr *, struct sockaddr *, char *); | ||
34 | +#else | ||
35 | +extern void rfc931(struct sockaddr_in *, struct sockaddr_in *, char *); | ||
36 | +#endif | ||
37 | /* client name from RFC 931 daemon */ | ||
38 | extern void clean_exit(struct request_info *); /* clean up and exit */ | ||
39 | extern void refuse(struct request_info *); /* clean up and exit */ | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.8 b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.8 new file mode 100644 index 0000000000..875616b9ea --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.8 | |||
@@ -0,0 +1,34 @@ | |||
1 | .TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual" | ||
2 | .SH NAME | ||
3 | safe_finger \- finger client wrapper that protects against nasty stuff | ||
4 | from finger servers | ||
5 | .SH SYNOPSIS | ||
6 | .B safe_finger [finger_options] | ||
7 | .SH DESCRIPTION | ||
8 | The | ||
9 | .B safe_finger | ||
10 | command protects against nasty stuff from finger servers. Use this | ||
11 | program for automatic reverse finger probes from the | ||
12 | .B tcp_wrapper | ||
13 | .B (tcpd) | ||
14 | , not the raw finger command. The | ||
15 | .B safe_finger | ||
16 | command makes sure that the finger client is not run with root | ||
17 | privileges. It also runs the finger client with a defined PATH | ||
18 | environment. | ||
19 | .B safe_finger | ||
20 | will also protect you from problems caused by the output of some | ||
21 | finger servers. The problem: some programs may react to stuff in | ||
22 | the first column. Other programs may get upset by thrash anywhere | ||
23 | on a line. File systems may fill up as the finger server keeps | ||
24 | sending data. Text editors may bomb out on extremely long lines. | ||
25 | The finger server may take forever because it is somehow wedged. | ||
26 | .B safe_finger | ||
27 | takes care of all this badness. | ||
28 | .SH SEE ALSO | ||
29 | .BR hosts_access (5), | ||
30 | .BR hosts_options (5), | ||
31 | .BR tcpd (8) | ||
32 | .SH AUTHOR | ||
33 | Wietse Venema, Eindhoven University of Technology, The Netherlands. | ||
34 | |||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.patch new file mode 100644 index 0000000000..5c8c9a1548 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/safe_finger.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | --- tcp-wrappers-7.6-ipv6.1.orig/safe_finger.c | ||
2 | +++ tcp-wrappers-7.6-ipv6.1/safe_finger.c | ||
3 | @@ -26,21 +26,24 @@ | ||
4 | #include <stdio.h> | ||
5 | #include <ctype.h> | ||
6 | #include <pwd.h> | ||
7 | +#include <syslog.h> | ||
8 | |||
9 | extern void exit(); | ||
10 | |||
11 | /* Local stuff */ | ||
12 | |||
13 | -char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin"; | ||
14 | +char path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin"; | ||
15 | |||
16 | #define TIME_LIMIT 60 /* Do not keep listinging forever */ | ||
17 | #define INPUT_LENGTH 100000 /* Do not keep listinging forever */ | ||
18 | #define LINE_LENGTH 128 /* Editors can choke on long lines */ | ||
19 | #define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */ | ||
20 | #define UNPRIV_NAME "nobody" /* Preferred privilege level */ | ||
21 | -#define UNPRIV_UGID 32767 /* Default uid and gid */ | ||
22 | +#define UNPRIV_UGID 65534 /* Default uid and gid */ | ||
23 | |||
24 | int finger_pid; | ||
25 | +int allow_severity = SEVERITY; | ||
26 | +int deny_severity = LOG_WARNING; | ||
27 | |||
28 | void cleanup(sig) | ||
29 | int sig; | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/sig_fix.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/sig_fix.patch new file mode 100644 index 0000000000..f286605bfd --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/sig_fix.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | * Mon Feb 10 2003 Harald Hoyer <harald@redhat.de> 7.6-29 | ||
2 | - added security patch tcp_wrappers-7.6-sig.patch | ||
3 | |||
4 | --- tcp_wrappers_7.6/hosts_access.c.sig 2003-02-10 16:18:31.000000000 +0100 | ||
5 | +++ tcp_wrappers_7.6/hosts_access.c 2003-02-10 16:50:38.000000000 +0100 | ||
6 | @@ -66,6 +66,7 @@ | ||
7 | |||
8 | #define YES 1 | ||
9 | #define NO 0 | ||
10 | +#define ERR -1 | ||
11 | |||
12 | /* | ||
13 | * These variables are globally visible so that they can be redirected in | ||
14 | @@ -129,9 +129,9 @@ | ||
15 | return (verdict == AC_PERMIT); | ||
16 | if (table_match(hosts_allow_table, request)) | ||
17 | return (YES); | ||
18 | - if (table_match(hosts_deny_table, request)) | ||
19 | - return (NO); | ||
20 | - return (YES); | ||
21 | + if (table_match(hosts_deny_table, request) == NO) | ||
22 | + return (YES); | ||
23 | + return (NO); | ||
24 | } | ||
25 | |||
26 | /* table_match - match table entries with (daemon, client) pair */ | ||
27 | @@ -175,6 +175,7 @@ | ||
28 | (void) fclose(fp); | ||
29 | } else if (errno != ENOENT) { | ||
30 | tcpd_warn("cannot open %s: %m", table); | ||
31 | + match = ERR; | ||
32 | } | ||
33 | if (match) { | ||
34 | if (hosts_access_verbose > 1) | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/siglongjmp.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/siglongjmp.patch new file mode 100644 index 0000000000..71be340a07 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/siglongjmp.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | diff -ruNp tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c | ||
2 | --- tcp_wrappers_7.6.orig/rfc931.c 2004-08-29 18:42:25.000000000 +0200 | ||
3 | +++ tcp_wrappers_7.6/rfc931.c 2004-08-29 18:41:04.000000000 +0200 | ||
4 | @@ -33,7 +33,7 @@ static char sccsid[] = "@(#) rfc931.c 1. | ||
5 | |||
6 | int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */ | ||
7 | |||
8 | -static jmp_buf timebuf; | ||
9 | +static sigjmp_buf timebuf; | ||
10 | |||
11 | /* fsocket - open stdio stream on top of socket */ | ||
12 | |||
13 | @@ -62,7 +62,7 @@ int protocol; | ||
14 | static void timeout(sig) | ||
15 | int sig; | ||
16 | { | ||
17 | - longjmp(timebuf, sig); | ||
18 | + siglongjmp(timebuf, sig); | ||
19 | } | ||
20 | |||
21 | /* rfc931 - return remote user name, given socket structures */ | ||
22 | @@ -135,7 +135,7 @@ char *dest; | ||
23 | * Set up a timer so we won't get stuck while waiting for the server. | ||
24 | */ | ||
25 | |||
26 | - if (setjmp(timebuf) == 0) { | ||
27 | + if (sigsetjmp(timebuf, 0) == 0) { | ||
28 | /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */ | ||
29 | saved_timeout = alarm(0); | ||
30 | nact.sa_handler = timeout; | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/size_t.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/size_t.patch new file mode 100644 index 0000000000..4db40f4c7b --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/size_t.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | diff -ruN tcp_wrappers_7.6.orig/fix_options.c tcp_wrappers_7.6/fix_options.c | ||
2 | --- tcp_wrappers_7.6.orig/fix_options.c 2003-08-21 03:41:33.000000000 +0200 | ||
3 | +++ tcp_wrappers_7.6/fix_options.c 2003-08-21 03:41:27.000000000 +0200 | ||
4 | @@ -38,7 +38,11 @@ | ||
5 | #ifdef IP_OPTIONS | ||
6 | unsigned char optbuf[BUFFER_SIZE / 3], *cp; | ||
7 | char lbuf[BUFFER_SIZE], *lp; | ||
8 | +#ifdef __GLIBC__ | ||
9 | + size_t optsize = sizeof(optbuf), ipproto; | ||
10 | +#else | ||
11 | int optsize = sizeof(optbuf), ipproto; | ||
12 | +#endif | ||
13 | struct protoent *ip; | ||
14 | int fd = request->fd; | ||
15 | unsigned int opt; | ||
16 | diff -ruN tcp_wrappers_7.6.orig/socket.c tcp_wrappers_7.6/socket.c | ||
17 | --- tcp_wrappers_7.6.orig/socket.c 2003-08-21 03:41:33.000000000 +0200 | ||
18 | +++ tcp_wrappers_7.6/socket.c 2003-08-21 03:40:51.000000000 +0200 | ||
19 | @@ -90,7 +90,11 @@ | ||
20 | static struct sockaddr_in client; | ||
21 | static struct sockaddr_in server; | ||
22 | #endif | ||
23 | +#ifdef __GLIBC__ | ||
24 | + size_t len; | ||
25 | +#else | ||
26 | int len; | ||
27 | +#endif | ||
28 | char buf[BUFSIZ]; | ||
29 | int fd = request->fd; | ||
30 | |||
31 | @@ -421,7 +425,11 @@ | ||
32 | #else | ||
33 | struct sockaddr_in sin; | ||
34 | #endif | ||
35 | +#ifdef __GLIBC__ | ||
36 | + size_t size = sizeof(sin); | ||
37 | +#else | ||
38 | int size = sizeof(sin); | ||
39 | +#endif | ||
40 | |||
41 | /* | ||
42 | * Eat up the not-yet received datagram. Some systems insist on a | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/tcpdchk_libwrapped.patch b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/tcpdchk_libwrapped.patch new file mode 100644 index 0000000000..3beae39306 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/tcpdchk_libwrapped.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c | ||
2 | --- tcp_wrappers_7.6.orig/tcpdchk.c 2003-08-21 02:50:37.000000000 +0200 | ||
3 | +++ tcp_wrappers_7.6/tcpdchk.c 2003-08-21 02:50:33.000000000 +0200 | ||
4 | @@ -53,6 +53,24 @@ | ||
5 | #include "inetcf.h" | ||
6 | #include "scaffold.h" | ||
7 | |||
8 | +/* list of programs which are known to be linked with libwrap in debian */ | ||
9 | +static const char *const libwrap_programs[] = { | ||
10 | + "portmap", "mountd", "statd", "ugidd", | ||
11 | + "redir", "rlinetd", | ||
12 | + "sshd", | ||
13 | + "atftpd", | ||
14 | + "diald", | ||
15 | + "esound", | ||
16 | + "gdm", "gnome-session", | ||
17 | + "icecast", "icecast_admin", "icecast_client", "icecast_source", | ||
18 | + "mysqld", | ||
19 | + "ntop", | ||
20 | + "pptpd", | ||
21 | + "rquotad", | ||
22 | + "sendmail", "smail", | ||
23 | + NULL | ||
24 | +}; | ||
25 | + | ||
26 | /* | ||
27 | * Stolen from hosts_access.c... | ||
28 | */ | ||
29 | @@ -147,8 +165,8 @@ | ||
30 | /* | ||
31 | * These are not run from inetd but may have built-in access control. | ||
32 | */ | ||
33 | - inet_set("portmap", WR_NOT); | ||
34 | - inet_set("rpcbind", WR_NOT); | ||
35 | + for (c = 0; libwrap_programs[c]; c++) | ||
36 | + inet_set(libwrap_programs[c], WR_YES); | ||
37 | |||
38 | /* | ||
39 | * Check accessibility of access control files. | ||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/try-from.8 b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/try-from.8 new file mode 100644 index 0000000000..9c8f30543e --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers-7.6/try-from.8 | |||
@@ -0,0 +1,28 @@ | |||
1 | .TH TRY-FROM 8 "21th June 1997" Linux "Linux Programmer's Manual" | ||
2 | .SH NAME | ||
3 | try-from \- test program for the tcp_wrapper | ||
4 | .SH SYNOPSIS | ||
5 | .B try-from | ||
6 | .SH DESCRIPTION | ||
7 | The | ||
8 | .B try-from | ||
9 | command can be called via a remote shell command to find out | ||
10 | if the hostname and address are properly recognized | ||
11 | by the | ||
12 | .B tcp_wrapper | ||
13 | library, if username lookup works, and (SysV only) if the TLI | ||
14 | on top of IP heuristics work. Diagnostics are reported through | ||
15 | .BR syslog (3) | ||
16 | and redirected to stderr. | ||
17 | |||
18 | Example: | ||
19 | |||
20 | rsh host /some/where/try-from | ||
21 | |||
22 | .SH SEE ALSO | ||
23 | .BR hosts_access (5), | ||
24 | .BR hosts_options (5), | ||
25 | .BR tcpd (8) | ||
26 | .SH AUTHOR | ||
27 | Wietse Venema, Eindhoven University of Technology, The Netherlands. | ||
28 | |||
diff --git a/meta/recipes-extended/tcp-wrappers/tcp-wrappers_7.6.bb b/meta/recipes-extended/tcp-wrappers/tcp-wrappers_7.6.bb new file mode 100644 index 0000000000..308a8b63b4 --- /dev/null +++ b/meta/recipes-extended/tcp-wrappers/tcp-wrappers_7.6.bb | |||
@@ -0,0 +1,117 @@ | |||
1 | DESCRIPTION = "Tools for monitoring and filtering incoming requests for tcp \ | ||
2 | services." | ||
3 | PRIORITY = "optional" | ||
4 | SECTION = "console/network" | ||
5 | |||
6 | LICENSE = "tcp-wrappers" | ||
7 | LIC_FILES_CHKSUM = "file://DISCLAIMER;md5=071bd69cb78b18888ea5e3da5c3127fa" | ||
8 | PR ="r0" | ||
9 | |||
10 | |||
11 | PACKAGES = "${PN}-dbg libwrap libwrap-doc libwrap-dev tcp-wrappers tcp-wrappers-doc" | ||
12 | FILES_libwrap = "${base_libdir}/lib*.so.*" | ||
13 | FILES_libwrap-doc = "${mandir}/man3 ${mandir}/man5" | ||
14 | FILES_libwrap-dev = "${libdir}/lib*.so ${libdir}/lib*.a ${includedir}" | ||
15 | FILES_tcp-wrappers = "${bindir}" | ||
16 | FILES_tcp-wrappers-doc = "${mandir}/man8" | ||
17 | |||
18 | SRC_URI = "ftp://ftp.porcupine.org/pub/security/tcp_wrappers_${PV}.tar.gz \ | ||
19 | file://00_man_quoting.diff \ | ||
20 | file://01_man_portability.patch \ | ||
21 | file://05_wildcard_matching.patch \ | ||
22 | file://06_fix_gethostbyname.patch \ | ||
23 | file://10_usagi-ipv6.patch \ | ||
24 | file://11_tcpd_blacklist.patch \ | ||
25 | file://11_usagi_fix.patch \ | ||
26 | file://12_makefile_config.patch \ | ||
27 | file://13_shlib_weaksym.patch \ | ||
28 | file://14_cidr_support.patch \ | ||
29 | file://15_match_clarify.patch \ | ||
30 | file://expand_remote_port.patch \ | ||
31 | file://have_strerror.patch \ | ||
32 | file://man_fromhost.patch \ | ||
33 | file://restore_sigalarm.patch \ | ||
34 | file://rfc931.diff \ | ||
35 | file://safe_finger.patch \ | ||
36 | file://sig_fix.patch \ | ||
37 | file://siglongjmp.patch \ | ||
38 | file://size_t.patch \ | ||
39 | file://tcpdchk_libwrapped.patch \ | ||
40 | file://ldflags.patch \ | ||
41 | \ | ||
42 | file://try-from.8 \ | ||
43 | file://safe_finger.8" | ||
44 | |||
45 | S = "${WORKDIR}/tcp_wrappers_${PV}" | ||
46 | |||
47 | PARALLEL_MAKE = "" | ||
48 | EXTRA_OEMAKE = "'CC=${CC}' \ | ||
49 | 'AR=${AR}' \ | ||
50 | 'RANLIB=${RANLIB}' \ | ||
51 | 'REAL_DAEMON_DIR=${sbindir}' \ | ||
52 | 'STYLE=-DPROCESS_OPTIONS' \ | ||
53 | 'FACILITY=LOG_DAEMON' \ | ||
54 | 'SEVERITY=LOG_INFO' \ | ||
55 | 'BUGS=' \ | ||
56 | 'VSYSLOG=' \ | ||
57 | 'RFC931_TIMEOUT=10' \ | ||
58 | 'ACCESS=-DHOSTS_ACCESS' \ | ||
59 | 'KILL_OPT=-DKILL_IP_OPTIONS' \ | ||
60 | 'UMASK=-DDAEMON_UMASK=022' \ | ||
61 | 'NETGROUP=${EXTRA_OEMAKE_NETGROUP}' \ | ||
62 | 'LIBS=-lnsl' \ | ||
63 | 'ARFLAGS=rv' \ | ||
64 | 'AUX_OBJ=weak_symbols.o' \ | ||
65 | 'TLI=' \ | ||
66 | 'COPTS=' \ | ||
67 | 'EXTRA_CFLAGS=${CFLAGS} -DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len'" | ||
68 | |||
69 | EXTRA_OEMAKE_NETGROUP = "-DNETGROUP -DUSE_GETDOMAIN" | ||
70 | EXTRA_OEMAKE_NETGROUP_linux-uclibc = "-DUSE_GETDOMAIN" | ||
71 | EXTRA_OEMAKE_NETGROUP_linux-uclibceabi = "-DUSE_GETDOMAIN" | ||
72 | |||
73 | do_compile () { | ||
74 | oe_runmake 'TABLES=-DHOSTS_DENY=\"${sysconfdir}/hosts.deny\" -DHOSTS_ALLOW=\"${sysconfdir}/hosts.allow\"' \ | ||
75 | all | ||
76 | } | ||
77 | |||
78 | BINS = "safe_finger tcpd tcpdchk try-from tcpdmatch" | ||
79 | MANS3 = "hosts_access" | ||
80 | MANS5 = "hosts_options" | ||
81 | MANS8 = "tcpd tcpdchk tcpdmatch" | ||
82 | do_install () { | ||
83 | oe_libinstall -a libwrap ${D}${libdir} | ||
84 | oe_libinstall -C shared -so libwrap ${D}${base_libdir} | ||
85 | |||
86 | rel_lib_prefix=`echo ${libdir} | sed 's,\(^/\|\)[^/][^/]*,..,g'` | ||
87 | libname=`readlink ${D}${base_libdir}/libwrap.so | xargs basename` | ||
88 | ln -s ${rel_lib_prefix}${base_libdir}/${libname} ${D}${libdir}/libwrap.so | ||
89 | rm -f ${D}${base_libdir}/libwrap.so | ||
90 | |||
91 | install -d ${D}${sbindir} | ||
92 | for b in ${BINS}; do | ||
93 | install -m 0755 $b ${D}${sbindir}/ || exit 1 | ||
94 | done | ||
95 | |||
96 | install -d ${D}${mandir}/man3 | ||
97 | for m in ${MANS3}; do | ||
98 | install -m 0644 $m.3 ${D}${mandir}/man3/ || exit 1 | ||
99 | done | ||
100 | |||
101 | install -d ${D}${mandir}/man5 | ||
102 | for m in ${MANS5}; do | ||
103 | install -m 0644 $m.5 ${D}${mandir}/man5/ || exit 1 | ||
104 | done | ||
105 | |||
106 | install -d ${D}${mandir}/man8 | ||
107 | for m in ${MANS8}; do | ||
108 | install -m 0644 $m.8 ${D}${mandir}/man8/ || exit 1 | ||
109 | done | ||
110 | |||
111 | install -m 0644 ${WORKDIR}/try-from.8 ${D}${mandir}/man8/ | ||
112 | install -m 0644 ${WORKDIR}/safe_finger.8 ${D}${mandir}/man8/ | ||
113 | |||
114 | install -d ${D}${includedir} | ||
115 | install -m 0644 tcpd.h ${D}${includedir}/ | ||
116 | } | ||
117 | |||