search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
amd64 - add kvtop and add back ed(4) to AMD64_GENERIC
[dragonfly.git] / contrib / tcp_wrappers / socket.c
blob3795a8cbcac4e95a66c87b06b3a41eb966b489ab
1 /*
2 * This module determines the type of socket (datagram, stream), the client
3 * socket address and port, the server socket address and port. In addition,
4 * it provides methods to map a transport address to a printable host name
5 * or address. Socket address information results are in static memory.
6 *
7 * The result from the hostname lookup method is STRING_PARANOID when a host
8 * pretends to have someone elses name, or when a host name is available but
9 * could not be verified.
10 *
11 * When lookup or conversion fails the result is set to STRING_UNKNOWN.
12 *
13 * Diagnostics are reported through syslog(3).
14 *
15 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
16 *
17 * $FreeBSD: src/contrib/tcp_wrappers/socket.c,v 1.2.2.3 2001/07/04 20:18:11 kris Exp $
18 * $DragonFly: src/contrib/tcp_wrappers/socket.c,v 1.2 2003/06/17 04:24:06 dillon Exp $
19 */
20
21 #ifndef lint
22 static char sccsid[] = "@(#) socket.c 1.15 97/03/21 19:27:24";
23 #endif
24
25 /* System libraries. */
26
27 #include <sys/types.h>
28 #include <sys/param.h>
29 #include <sys/socket.h>
30 #include <netinet/in.h>
31 #include <netdb.h>
32 #include <stdio.h>
33 #include <syslog.h>
34 #include <string.h>
35
36 #ifdef INET6
37 #ifndef NI_WITHSCOPEID
38 #define NI_WITHSCOPEID 0
39 #endif
40 #else
41 extern char *inet_ntoa();
42 #endif
43
44 /* Local stuff. */
45
46 #include "tcpd.h"
47
48 /* Forward declarations. */
49
50 static void sock_sink();
51
52 #ifdef APPEND_DOT
53
54 /*
55 * Speed up DNS lookups by terminating the host name with a dot. Should be
56 * done with care. The speedup can give problems with lookups from sources
57 * that lack DNS-style trailing dot magic, such as local files or NIS maps.
58 */
59
60 static struct hostent *gethostbyname_dot(name)
61 char *name;
62 {
63 char dot_name[MAXHOSTNAMELEN + 1];
64
65 /*
66 * Don't append dots to unqualified names. Such names are likely to come
67 * from local hosts files or from NIS.
68 */
69
70 if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) {
71 return (gethostbyname(name));
72 } else {
73 sprintf(dot_name, "%s.", name);
74 return (gethostbyname(dot_name));
75 }
76 }
77
78 #define gethostbyname gethostbyname_dot
79 #endif
80
81 /* sock_host - look up endpoint addresses and install conversion methods */
82
83 void sock_host(request)
84 struct request_info *request;
85 {
86 #ifdef INET6
87 static struct sockaddr_storage client;
88 static struct sockaddr_storage server;
89 #else
90 static struct sockaddr_in client;
91 static struct sockaddr_in server;
92 #endif
93 int len;
94 char buf[BUFSIZ];
95 int fd = request->fd;
96
97 sock_methods(request);
98
99 /*
100 * Look up the client host address. Hal R. Brand <BRAND@addvax.llnl.gov>
101 * suggested how to get the client host info in case of UDP connections:
102 * peek at the first message without actually looking at its contents. We
103 * really should verify that client.sin_family gets the value AF_INET,
104 * but this program has already caused too much grief on systems with
105 * broken library code.
106 */
107
108 len = sizeof(client);
109 if (getpeername(fd, (struct sockaddr *) & client, &len) < 0) {
110 request->sink = sock_sink;
111 len = sizeof(client);
112 if (recvfrom(fd, buf, sizeof(buf), MSG_PEEK,
113 (struct sockaddr *) & client, &len) < 0) {
114 tcpd_warn("can't get client address: %m");
115 return; /* give up */
116 }
117 #ifdef really_paranoid
118 memset(buf, 0 sizeof(buf));
119 #endif
120 }
121 #ifdef INET6
122 request->client->sin = (struct sockaddr *)&client;
123 #else
124 request->client->sin = &client;
125 #endif
126
127 /*
128 * Determine the server binding. This is used for client username
129 * lookups, and for access control rules that trigger on the server
130 * address or name.
131 */
132
133 len = sizeof(server);
134 if (getsockname(fd, (struct sockaddr *) & server, &len) < 0) {
135 tcpd_warn("getsockname: %m");
136 return;
137 }
138 #ifdef INET6
139 request->server->sin = (struct sockaddr *)&server;
140 #else
141 request->server->sin = &server;
142 #endif
143 }
144
145 /* sock_hostaddr - map endpoint address to printable form */
146
147 void sock_hostaddr(host)
148 struct host_info *host;
149 {
150 #ifdef INET6
151 struct sockaddr *sin = host->sin;
152 int salen;
153
154 if (!sin)
155 return;
156 #ifdef SIN6_LEN
157 salen = sin->sa_len;
158 #else
159 salen = (sin->sa_family == AF_INET) ? sizeof(struct sockaddr_in)
160 : sizeof(struct sockaddr_in6);
161 #endif
162 getnameinfo(sin, salen, host->addr, sizeof(host->addr),
163 NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
164 #else
165 struct sockaddr_in *sin = host->sin;
166
167 if (sin != 0)
168 STRN_CPY(host->addr, inet_ntoa(sin->sin_addr), sizeof(host->addr));
169 #endif
170 }
171
172 /* sock_hostname - map endpoint address to host name */
173
174 void sock_hostname(host)
175 struct host_info *host;
176 {
177 #ifdef INET6
178 struct sockaddr *sin = host->sin;
179 struct sockaddr_in sin4;
180 struct addrinfo hints, *res, *res0 = NULL;
181 int salen, alen, err = 1;
182 char *ap = NULL, *rap, hname[NI_MAXHOST];
183
184 if (sin != NULL) {
185 if (sin->sa_family == AF_INET6) {
186 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sin;
187
188 if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
189 memset(&sin4, 0, sizeof(sin4));
190 #ifdef SIN6_LEN
191 sin4.sin_len = sizeof(sin4);
192 #endif
193 sin4.sin_family = AF_INET;
194 sin4.sin_port = sin6->sin6_port;
195 sin4.sin_addr.s_addr = *(u_int32_t *)&sin6->sin6_addr.s6_addr[12];
196 sin = (struct sockaddr *)&sin4;
197 }
198 }
199 switch (sin->sa_family) {
200 case AF_INET:
201 ap = (char *)&((struct sockaddr_in *)sin)->sin_addr;
202 alen = sizeof(struct in_addr);
203 salen = sizeof(struct sockaddr_in);
204 break;
205 case AF_INET6:
206 ap = (char *)&((struct sockaddr_in6 *)sin)->sin6_addr;
207 alen = sizeof(struct in6_addr);
208 salen = sizeof(struct sockaddr_in6);
209 break;
210 default:
211 break;
212 }
213 if (ap)
214 err = getnameinfo(sin, salen, hname, sizeof(hname),
215 NULL, 0, NI_WITHSCOPEID | NI_NAMEREQD);
216 }
217 if (!err) {
218
219 STRN_CPY(host->name, hname, sizeof(host->name));
220
221 /* reject numeric addresses */
222 memset(&hints, 0, sizeof(hints));
223 hints.ai_family = sin->sa_family;
224 hints.ai_socktype = SOCK_STREAM;
225 hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST;
226 if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) {
227 freeaddrinfo(res0);
228 tcpd_warn("host name/name mismatch: "
229 "reverse lookup results in non-FQDN %s",
230 host->name);
231 strcpy(host->name, paranoid); /* name is bad, clobber it */
232 }
233 err = !err;
234 }
235 if (!err) {
236 /* we are now sure that this is non-numeric */
237
238 /*
239 * Verify that the address is a member of the address list returned
240 * by gethostbyname(hostname).
241 *
242 * Verify also that gethostbyaddr() and gethostbyname() return the same
243 * hostname, or rshd and rlogind may still end up being spoofed.
244 *
245 * On some sites, gethostbyname("localhost") returns "localhost.domain".
246 * This is a DNS artefact. We treat it as a special case. When we
247 * can't believe the address list from gethostbyname("localhost")
248 * we're in big trouble anyway.
249 */
250
251 memset(&hints, 0, sizeof(hints));
252 hints.ai_family = sin->sa_family;
253 hints.ai_socktype = SOCK_STREAM;
254 hints.ai_flags = AI_PASSIVE | AI_CANONNAME;
255 if (getaddrinfo(host->name, NULL, &hints, &res0) != 0) {
256
257 /*
258 * Unable to verify that the host name matches the address. This
259 * may be a transient problem or a botched name server setup.
260 */
261
262 tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed",
263 host->name,
264 (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6");
265
266 } else if ((res0->ai_canonname == NULL
267 || STR_NE(host->name, res0->ai_canonname))
268 && STR_NE(host->name, "localhost")) {
269
270 /*
271 * The gethostbyaddr() and gethostbyname() calls did not return
272 * the same hostname. This could be a nameserver configuration
273 * problem. It could also be that someone is trying to spoof us.
274 */
275
276 tcpd_warn("host name/name mismatch: %s != %.*s",
277 host->name, STRING_LENGTH,
278 (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
279
280 } else {
281
282 /*
283 * The address should be a member of the address list returned by
284 * gethostbyname(). We should first verify that the h_addrtype
285 * field is AF_INET, but this program has already caused too much
286 * grief on systems with broken library code.
287 */
288
289 for (res = res0; res; res = res->ai_next) {
290 if (res->ai_family != sin->sa_family)
291 continue;
292 switch (res->ai_family) {
293 case AF_INET:
294 rap = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
295 break;
296 case AF_INET6:
297 /* need to check scope_id */
298 if (((struct sockaddr_in6 *)sin)->sin6_scope_id !=
299 ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) {
300 continue;
301 }
302 rap = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
303 break;
304 default:
305 continue;
306 }
307 if (memcmp(rap, ap, alen) == 0) {
308 freeaddrinfo(res0);
309 return; /* name is good, keep it */
310 }
311 }
312
313 /*
314 * The host name does not map to the initial address. Perhaps
315 * someone has messed up. Perhaps someone compromised a name
316 * server.
317 */
318
319 getnameinfo(sin, salen, hname, sizeof(hname),
320 NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
321 tcpd_warn("host name/address mismatch: %s != %.*s",
322 hname, STRING_LENGTH,
323 (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
324 }
325 strcpy(host->name, paranoid); /* name is bad, clobber it */
326 if (res0)
327 freeaddrinfo(res0);
328 }
329 #else /* INET6 */
330 struct sockaddr_in *sin = host->sin;
331 struct hostent *hp;
332 int i;
333
334 /*
335 * On some systems, for example Solaris 2.3, gethostbyaddr(0.0.0.0) does
336 * not fail. Instead it returns "INADDR_ANY". Unfortunately, this does
337 * not work the other way around: gethostbyname("INADDR_ANY") fails. We
338 * have to special-case 0.0.0.0, in order to avoid false alerts from the
339 * host name/address checking code below.
340 */
341 if (sin != 0 && sin->sin_addr.s_addr != 0
342 && (hp = gethostbyaddr((char *) &(sin->sin_addr),
343 sizeof(sin->sin_addr), AF_INET)) != 0) {
344
345 STRN_CPY(host->name, hp->h_name, sizeof(host->name));
346
347 /*
348 * Verify that the address is a member of the address list returned
349 * by gethostbyname(hostname).
350 *
351 * Verify also that gethostbyaddr() and gethostbyname() return the same
352 * hostname, or rshd and rlogind may still end up being spoofed.
353 *
354 * On some sites, gethostbyname("localhost") returns "localhost.domain".
355 * This is a DNS artefact. We treat it as a special case. When we
356 * can't believe the address list from gethostbyname("localhost")
357 * we're in big trouble anyway.
358 */
359
360 if ((hp = gethostbyname(host->name)) == 0) {
361
362 /*
363 * Unable to verify that the host name matches the address. This
364 * may be a transient problem or a botched name server setup.
365 */
366
367 tcpd_warn("can't verify hostname: gethostbyname(%s) failed",
368 host->name);
369
370 } else if (STR_NE(host->name, hp->h_name)
371 && STR_NE(host->name, "localhost")) {
372
373 /*
374 * The gethostbyaddr() and gethostbyname() calls did not return
375 * the same hostname. This could be a nameserver configuration
376 * problem. It could also be that someone is trying to spoof us.
377 */
378
379 tcpd_warn("host name/name mismatch: %s != %.*s",
380 host->name, STRING_LENGTH, hp->h_name);
381
382 } else {
383
384 /*
385 * The address should be a member of the address list returned by
386 * gethostbyname(). We should first verify that the h_addrtype
387 * field is AF_INET, but this program has already caused too much
388 * grief on systems with broken library code.
389 */
390
391 for (i = 0; hp->h_addr_list[i]; i++) {
392 if (memcmp(hp->h_addr_list[i],
393 (char *) &sin->sin_addr,
394 sizeof(sin->sin_addr)) == 0)
395 return; /* name is good, keep it */
396 }
397
398 /*
399 * The host name does not map to the initial address. Perhaps
400 * someone has messed up. Perhaps someone compromised a name
401 * server.
402 */
403
404 tcpd_warn("host name/address mismatch: %s != %.*s",
405 inet_ntoa(sin->sin_addr), STRING_LENGTH, hp->h_name);
406 }
407 strcpy(host->name, paranoid); /* name is bad, clobber it */
408 }
409 #endif /* INET6 */
410 }
411
412 /* sock_sink - absorb unreceived IP datagram */
413
414 static void sock_sink(fd)
415 int fd;
416 {
417 char buf[BUFSIZ];
418 #ifdef INET6
419 struct sockaddr_storage sin;
420 #else
421 struct sockaddr_in sin;
422 #endif
423 int size = sizeof(sin);
424
425 /*
426 * Eat up the not-yet received datagram. Some systems insist on a
427 * non-zero source address argument in the recvfrom() call below.
428 */
429
430 (void) recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *) & sin, &size);
431 }
DragonFly BSD