From 06278882d5ca252756511d7e8bb05ccf64a9b142bbee53d78ebf329f81c562aa Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Mon, 13 Oct 2008 16:39:38 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tcpd?expand=0&rev=4 --- tcp_wrappers_7.6-fedora-bug11881.diff | 35 + tcp_wrappers_7.6-fedora-bug141110.diff | 20 + tcp_wrappers_7.6-fedora-bug17795.diff | 54 + tcp_wrappers_7.6-fedora-bug17847.diff | 100 ++ tcp_wrappers_7.6-fedora-bug220015.diff | 92 ++ tcp_wrappers_7.6-fedora-docu.diff | 11 + tcp_wrappers_7.6-fedora-fixgethostbyname.diff | 25 + tcp_wrappers_7.6-fedora-sig.diff | 39 + tcp_wrappers_7.6-fedora-sigalarm.diff | 36 + tcp_wrappers_7.6-fedora-sigchld.diff | 87 ++ tcp_wrappers_7.6-fedora-sigjmp.diff | 29 + tcp_wrappers_7.6-fedora-strerror.diff | 27 + tcp_wrappers_7.6-ipv6-1.6.diff | 1146 +++++++++++++++++ tcp_wrappers_7.6-ipv6-1.6.diff.gz | 3 - tcp_wrappers_7.6-ipv6-fix.diff | 493 ++++--- tcp_wrappers_7.6-ipv6.fix.fix.diff | 4 +- tcp_wrappers_7.6-nonvoid.diff | 2 +- tcp_wrappers_7.6-prototypes.diff | 120 +- tcp_wrappers_7.6-shared-lib.diff | 2 +- tcp_wrappers_7.6-shared-lib2.diff | 18 + tcp_wrappers_7.6.dif => tcp_wrappers_7.6.diff | 36 +- tcpd.changes | 17 + tcpd.spec | 116 +- 23 files changed, 2146 insertions(+), 366 deletions(-) create mode 100644 tcp_wrappers_7.6-fedora-bug11881.diff create mode 100644 tcp_wrappers_7.6-fedora-bug141110.diff create mode 100644 tcp_wrappers_7.6-fedora-bug17795.diff create mode 100644 tcp_wrappers_7.6-fedora-bug17847.diff create mode 100644 tcp_wrappers_7.6-fedora-bug220015.diff create mode 100644 tcp_wrappers_7.6-fedora-docu.diff create mode 100644 tcp_wrappers_7.6-fedora-fixgethostbyname.diff create mode 100644 tcp_wrappers_7.6-fedora-sig.diff create mode 100644 tcp_wrappers_7.6-fedora-sigalarm.diff create mode 100644 tcp_wrappers_7.6-fedora-sigchld.diff create mode 100644 tcp_wrappers_7.6-fedora-sigjmp.diff create mode 100644 tcp_wrappers_7.6-fedora-strerror.diff create mode 100644 tcp_wrappers_7.6-ipv6-1.6.diff delete mode 100644 tcp_wrappers_7.6-ipv6-1.6.diff.gz create mode 100644 tcp_wrappers_7.6-shared-lib2.diff rename tcp_wrappers_7.6.dif => tcp_wrappers_7.6.diff (96%) diff --git a/tcp_wrappers_7.6-fedora-bug11881.diff b/tcp_wrappers_7.6-fedora-bug11881.diff new file mode 100644 index 0000000..7b1693f --- /dev/null +++ b/tcp_wrappers_7.6-fedora-bug11881.diff @@ -0,0 +1,35 @@ +--- eval.c ++++ eval.c +@@ -111,7 +111,7 @@ + return (hostinfo); + #endif + if (STR_NE(eval_user(request), unknown)) { +- sprintf(both, "%s@%s", request->user, hostinfo); ++ snprintf(both, sizeof(both), "%s@%s", request->user, hostinfo); + return (both); + } else { + return (hostinfo); +@@ -128,7 +128,7 @@ + char *daemon = eval_daemon(request); + + if (STR_NE(host, unknown)) { +- sprintf(both, "%s@%s", daemon, host); ++ snprintf(both, sizeof(both), "%s@%s", daemon, host); + return (both); + } else { + return (daemon); +--- tcpd.c ++++ tcpd.c +@@ -61,10 +61,10 @@ + */ + + if (argv[0][0] == '/') { +- strcpy(path, argv[0]); ++ strncpy(path, argv[0], sizeof(path)); + argv[0] = strrchr(argv[0], '/') + 1; + } else { +- sprintf(path, "%s/%s", REAL_DAEMON_DIR, argv[0]); ++ snprintf(path, sizeof(path), "%s/%s", REAL_DAEMON_DIR, argv[0]); + } + + /* diff --git a/tcp_wrappers_7.6-fedora-bug141110.diff b/tcp_wrappers_7.6-fedora-bug141110.diff new file mode 100644 index 0000000..46a4bd5 --- /dev/null +++ b/tcp_wrappers_7.6-fedora-bug141110.diff @@ -0,0 +1,20 @@ +--- hosts_access.c ++++ hosts_access.c +@@ -146,7 +146,7 @@ + verdict = setjmp(tcpd_buf); + if (verdict != 0) + return (verdict == AC_PERMIT); +- if (table_match(hosts_allow_table, request)) ++ if (table_match(hosts_allow_table, request) == YES) + return (YES); + if (table_match(hosts_deny_table, request)) + return (NO); +@@ -195,7 +195,7 @@ + } else if (errno != ENOENT) { + tcpd_warn("cannot open %s: %m", table); + } +- if (match) { ++ if (match == YES) { + if (hosts_access_verbose > 1) + syslog(LOG_DEBUG, "matched: %s line %d", + tcpd_context.file, tcpd_context.line); diff --git a/tcp_wrappers_7.6-fedora-bug17795.diff b/tcp_wrappers_7.6-fedora-bug17795.diff new file mode 100644 index 0000000..f1f046c --- /dev/null +++ b/tcp_wrappers_7.6-fedora-bug17795.diff @@ -0,0 +1,54 @@ +--- hosts_access.5 ++++ hosts_access.5 +@@ -90,6 +90,13 @@ + pattern `131.155.72.0/255.255.254.0\' matches every address in the + range `131.155.72.0\' through `131.155.73.255\'. + .IP \(bu ++A string that begins with a `/\' character is treated as a file ++name. A host name or address is matched if it matches any host name ++or address pattern listed in the named file. The file format is ++zero or more lines with zero or more host name or address patterns ++separated by whitespace. A file name pattern can be used anywhere ++a host name or address pattern can be used. ++.IP \(bu + An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a + `[net]/prefixlen\' pair. A IPv6 host address is matched if + `prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the +--- hosts_access.c ++++ hosts_access.c +@@ -273,6 +273,26 @@ + } + } + ++/* hostfile_match - look up host patterns from file */ ++ ++static int hostfile_match(path, host) ++char *path; ++struct hosts_info *host; ++{ ++ char tok[BUFSIZ]; ++ int match = NO; ++ FILE *fp; ++ ++ if ((fp = fopen(path, "r")) != 0) { ++ while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host))) ++ /* void */ ; ++ fclose(fp); ++ } else if (errno != ENOENT) { ++ tcpd_warn("open %s: %m", path); ++ } ++ return (match); ++} ++ + /* host_match - match host name and/or address against pattern */ + + static int host_match(tok, host) +@@ -300,6 +320,8 @@ + tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */ + return (NO); + #endif ++ } else if (tok[0] == '/') { /* /file hack */ ++ return (hostfile_match(tok, host)); + } else if (STR_EQ(tok, "KNOWN")) { /* check address and name */ + char *name = eval_hostname(host); + return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name)); diff --git a/tcp_wrappers_7.6-fedora-bug17847.diff b/tcp_wrappers_7.6-fedora-bug17847.diff new file mode 100644 index 0000000..5682639 --- /dev/null +++ b/tcp_wrappers_7.6-fedora-bug17847.diff @@ -0,0 +1,100 @@ +--- hosts_access.5 ++++ hosts_access.5 +@@ -103,6 +103,10 @@ + address. For example, the [net]/prefixlen pattern + `[3ffe:505:2:1::]/64\' matches every address in the range + `3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'. ++.IP \(bu ++Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This ++method of matching cannot be used in conjunction with `net/mask\' matching, ++hostname matching beginning with `.\' or IP address matching ending with `.\'. + .SH WILDCARDS + The access control language supports explicit wildcards: + .IP ALL +--- hosts_access.c ++++ hosts_access.c +@@ -346,6 +346,12 @@ + { + int n; + ++#ifndef DISABLE_WILDCARD_MATCHING ++ if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */ ++ return (match_pattern_ylo(string,tok)); ++ } else ++#endif ++ + if (tok[0] == '.') { /* suffix */ + n = strlen(string) - strlen(tok); + return (n > 0 && STR_EQ(tok, string + n)); +@@ -454,3 +460,71 @@ + } + #endif + } ++ ++#ifndef DISABLE_WILDCARD_MATCHING ++/* Note: this feature has been adapted in a pretty straightforward way ++ from Tatu Ylonen's last SSH version under free license by ++ Pekka Savola . ++ ++ Copyright (c) 1995 Tatu Ylonen , Espoo, Finland ++*/ ++ ++/* Returns true if the given string matches the pattern (which may contain ++ ? and * as wildcards), and zero if it does not match. */ ++ ++int match_pattern_ylo(const char *s, const char *pattern) ++{ ++ while (1) ++ { ++ /* If at end of pattern, accept if also at end of string. */ ++ if (!*pattern) ++ return !*s; ++ ++ /* Process '*'. */ ++ if (*pattern == '*') ++ { ++ /* Skip the asterisk. */ ++ pattern++; ++ ++ /* If at end of pattern, accept immediately. */ ++ if (!*pattern) ++ return 1; ++ ++ /* If next character in pattern is known, optimize. */ ++ if (*pattern != '?' && *pattern != '*') ++ { ++ /* Look instances of the next character in pattern, and try ++ to match starting from those. */ ++ for (; *s; s++) ++ if (*s == *pattern && ++ match_pattern_ylo(s + 1, pattern + 1)) ++ return 1; ++ /* Failed. */ ++ return 0; ++ } ++ ++ /* Move ahead one character at a time and try to match at each ++ position. */ ++ for (; *s; s++) ++ if (match_pattern_ylo(s, pattern)) ++ return 1; ++ /* Failed. */ ++ return 0; ++ } ++ ++ /* There must be at least one more character in the string. If we are ++ at the end, fail. */ ++ if (!*s) ++ return 0; ++ ++ /* Check if the next character of the string is acceptable. */ ++ if (*pattern != '?' && *pattern != *s) ++ return 0; ++ ++ /* Move to the next character, both in string and in pattern. */ ++ s++; ++ pattern++; ++ } ++ /*NOTREACHED*/ ++} ++#endif /* DISABLE_WILDCARD_MATCHING */ diff --git a/tcp_wrappers_7.6-fedora-bug220015.diff b/tcp_wrappers_7.6-fedora-bug220015.diff new file mode 100644 index 0000000..faec7aa --- /dev/null +++ b/tcp_wrappers_7.6-fedora-bug220015.diff @@ -0,0 +1,92 @@ +--- hosts_ctl.c ++++ hosts_ctl.c +@@ -29,10 +29,12 @@ + { + struct request_info request; + +- return (hosts_access(request_init(&request, +- RQ_DAEMON, daemon, +- RQ_CLIENT_NAME, name, +- RQ_CLIENT_ADDR, addr, +- RQ_USER, user, +- 0))); ++ request_init(&request, RQ_DAEMON, daemon, ++ RQ_CLIENT_NAME, name, ++ RQ_CLIENT_ADDR, addr, ++ RQ_USER, user, ++ 0); ++ sock_hostnofd(&request); ++ ++ return (hosts_access(&request)); + } +--- socket.c ++++ socket.c +@@ -140,6 +140,53 @@ + #endif + } + ++ ++ ++/* sock_hostnofd - look up endpoint addresses and install conversion methods */ ++ ++void sock_hostnofd(request) ++struct request_info *request; ++{ ++ static struct sockaddr_storage client; ++ struct addrinfo hints, *res; ++ int ret; ++ char *host; ++ ++ /* If the address field is non-empty and non-unknown and if the hostname ++ * field is empty or unknown, use the address field to get the sockaddr ++ * and hostname. */ ++ if (strlen(request->client->addr) && ++ HOSTNAME_KNOWN(request->client->addr) && ++ (!strlen(request->client->addr) || ++ !HOSTNAME_KNOWN(request->client->name))) ++ host = request->client->addr; ++ else ++ return; ++ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = AF_INET6; ++ hints.ai_socktype = SOCK_STREAM; ++ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; ++ ++ ret = getaddrinfo(host, NULL, &hints, &res); ++ if (ret != 0) { ++ hints.ai_family = AF_INET; ++ ret = getaddrinfo(host, NULL, &hints, &res); ++ } ++ ++ if (ret != 0) { ++ tcpd_warn("can't resolve hostname (%s): %s", host, gai_strerror(ret)); ++ } else { ++ sock_methods(request); ++ ++ memcpy(&client, res->ai_addr, res->ai_addrlen); ++ request->client->sin = (struct sockaddr *)&client; ++ freeaddrinfo(res); ++ ++ request->client->name[0] = 0; ++ } ++} ++ + /* sock_hostaddr - map endpoint address to printable form */ + + void sock_hostaddr(host) +--- tcpd.h ++++ tcpd.h +@@ -174,10 +174,12 @@ + + #ifdef __STDC__ + extern void sock_host(struct request_info *); ++extern void sock_hostnofd(struct request_info *); + extern void sock_hostname(struct host_info *); + extern void sock_hostaddr(struct host_info *); + #else + extern void sock_host(); /* look up endpoint addresses */ ++extern void sock_hostnofd(); + extern void sock_hostname(); /* translate address to hostname */ + extern void sock_hostaddr(); /* address to printable address */ + #endif diff --git a/tcp_wrappers_7.6-fedora-docu.diff b/tcp_wrappers_7.6-fedora-docu.diff new file mode 100644 index 0000000..b23c5e9 --- /dev/null +++ b/tcp_wrappers_7.6-fedora-docu.diff @@ -0,0 +1,11 @@ +--- hosts_access.5 ++++ hosts_access.5 +@@ -329,7 +329,7 @@ + /etc/hosts.deny: + .in +3 + .nf +-in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\ ++in.tftpd: ALL: spawn (/some/where/safe_finger -l @%h | \\ + /usr/ucb/mail -s %d-%h root) & + .fi + .PP diff --git a/tcp_wrappers_7.6-fedora-fixgethostbyname.diff b/tcp_wrappers_7.6-fedora-fixgethostbyname.diff new file mode 100644 index 0000000..e2b7ffd --- /dev/null +++ b/tcp_wrappers_7.6-fedora-fixgethostbyname.diff @@ -0,0 +1,25 @@ +--- socket.c ++++ socket.c +@@ -54,6 +54,7 @@ + char *name; + { + char dot_name[MAXHOSTNAMELEN + 1]; ++ struct hostent *hp; + + /* + * Don't append dots to unqualified names. Such names are likely to come +@@ -63,8 +64,12 @@ + if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) { + return (gethostbyname(name)); + } else { +- sprintf(dot_name, "%s.", name); +- return (gethostbyname(dot_name)); ++ sprintf(dot_name, "%s.", name); ++ hp = gethostbyname(dot_name); ++ if (hp) ++ return hp; ++ else ++ return (gethostbyname(name)); + } + } + diff --git a/tcp_wrappers_7.6-fedora-sig.diff b/tcp_wrappers_7.6-fedora-sig.diff new file mode 100644 index 0000000..3c5e4f7 --- /dev/null +++ b/tcp_wrappers_7.6-fedora-sig.diff @@ -0,0 +1,39 @@ +--- hosts_access.c ++++ hosts_access.c +@@ -63,6 +63,7 @@ + + #define YES 1 + #define NO 0 ++#define ERR -1 + + /* + * These variables are globally visible so that they can be redirected in +@@ -125,7 +126,6 @@ + struct request_info *request; + { + int verdict; +- + /* + * If the (daemon, client) pair is matched by an entry in the file + * /etc/hosts.allow, access is granted. Otherwise, if the (daemon, +@@ -148,9 +148,9 @@ + return (verdict == AC_PERMIT); + if (table_match(hosts_allow_table, request) == YES) + return (YES); +- if (table_match(hosts_deny_table, request)) +- return (NO); +- return (YES); ++ if (table_match(hosts_deny_table, request) == NO) ++ return (YES); ++ return (NO); + } + + /* table_match - match table entries with (daemon, client) pair */ +@@ -194,6 +194,7 @@ + (void) fclose(fp); + } else if (errno != ENOENT) { + tcpd_warn("cannot open %s: %m", table); ++ match = ERR; + } + if (match == YES) { + if (hosts_access_verbose > 1) diff --git a/tcp_wrappers_7.6-fedora-sigalarm.diff b/tcp_wrappers_7.6-fedora-sigalarm.diff new file mode 100644 index 0000000..e37ae82 --- /dev/null +++ b/tcp_wrappers_7.6-fedora-sigalarm.diff @@ -0,0 +1,36 @@ +--- rfc931.c ++++ rfc931.c +@@ -92,6 +92,8 @@ + char *cp; + char *result = unknown; + FILE *fp; ++ unsigned saved_timeout; ++ struct sigaction nact, oact; + + #ifdef INET6 + /* address family must be the same */ +@@ -134,7 +136,12 @@ + */ + + if (sigsetjmp(timebuf, 1) == 0) { +- signal(SIGALRM, timeout); ++ /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */ ++ saved_timeout = alarm(0); ++ nact.sa_handler = timeout; ++ nact.sa_flags = 0; ++ (void) sigemptyset(&nact.sa_mask); ++ (void) sigaction(SIGALRM, &nact, &oact); + alarm(rfc931_timeout); + + /* +@@ -223,6 +230,10 @@ + } + alarm(0); + } ++ /* Restore SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */ ++ (void) sigaction(SIGALRM, &oact, NULL); ++ if (saved_timeout > 0) ++ alarm(saved_timeout); + fclose(fp); + } + STRN_CPY(dest, result, STRING_LENGTH); diff --git a/tcp_wrappers_7.6-fedora-sigchld.diff b/tcp_wrappers_7.6-fedora-sigchld.diff new file mode 100644 index 0000000..5cf9d9b --- /dev/null +++ b/tcp_wrappers_7.6-fedora-sigchld.diff @@ -0,0 +1,87 @@ +--- shell_cmd.c ++++ shell_cmd.c +@@ -24,6 +24,11 @@ + #include + #include + #include ++#include ++#include ++#include ++#include ++#include + + extern void exit(); + +@@ -35,13 +40,42 @@ + + static void do_child(); + ++/* ++ * The sigchld handler. If there is a SIGCHLD caused by a child other than ++ * ours, we set a flag and raise the signal later. ++ */ ++volatile static int foreign_sigchld; ++volatile static int our_child_pid; ++static void sigchld(int sig, siginfo_t *si, void *unused) ++{ ++ if (si && si->si_pid != our_child_pid) ++ foreign_sigchld = 1; ++} ++ + /* shell_cmd - execute shell command */ + + void shell_cmd(command) + char *command; + { + int child_pid; +- int wait_pid; ++ ++ struct sigaction new_action, old_action; ++ sigset_t new_mask, old_mask, empty_mask; ++ ++ new_action.sa_sigaction = &sigchld; ++ new_action.sa_flags = SA_SIGINFO; ++ sigemptyset(&new_action.sa_mask); ++ sigemptyset(&new_mask); ++ sigemptyset(&empty_mask); ++ sigaddset(&new_mask, SIGCHLD); ++ ++ /* ++ * Set the variables for handler, set the handler and block the signal ++ * until we have the pid. ++ */ ++ foreign_sigchld = 0; our_child_pid = 0; ++ sigprocmask(SIG_BLOCK, &new_mask, &old_mask); ++ sigaction(SIGCHLD, &new_action, &old_action); + + /* + * Most of the work is done within the child process, to minimize the +@@ -53,12 +87,26 @@ + tcpd_warn("cannot fork: %m"); + break; + case 00: /* child */ ++ /* Clear the blocked mask for the child not to be surprised. */ ++ sigprocmask(SIG_SETMASK, &empty_mask, 0); + do_child(command); + /* NOTREACHED */ + default: /* parent */ +- while ((wait_pid = wait((int *) 0)) != -1 && wait_pid != child_pid) +- /* void */ ; ++ our_child_pid = child_pid; ++ sigprocmask(SIG_UNBLOCK, &new_mask, 0); ++ while (waitpid(child_pid, (int *) 0, 0) == -1 && errno == EINTR); + } ++ ++ /* ++ * Revert the signal mask and the SIGCHLD handler. ++ */ ++ sigprocmask(SIG_SETMASK, &old_mask, 0); ++ sigaction(SIGCHLD, &old_action, 0); ++ ++ /* If there was a foreign SIGCHLD, raise it after we have restored the old ++ * mask and handler. */ ++ if (foreign_sigchld) ++ raise(SIGCHLD); + } + + /* do_child - exec command with { stdin, stdout, stderr } to /dev/null */ diff --git a/tcp_wrappers_7.6-fedora-sigjmp.diff b/tcp_wrappers_7.6-fedora-sigjmp.diff new file mode 100644 index 0000000..6556a9a --- /dev/null +++ b/tcp_wrappers_7.6-fedora-sigjmp.diff @@ -0,0 +1,29 @@ +--- rfc931.c ++++ rfc931.c +@@ -33,7 +33,7 @@ + + int rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */ + +-static jmp_buf timebuf; ++static sigjmp_buf timebuf; + + /* fsocket - open stdio stream on top of socket */ + +@@ -62,7 +62,7 @@ + static void timeout(sig) + int sig; + { +- longjmp(timebuf, sig); ++ siglongjmp(timebuf, sig); + } + + /* rfc931 - return remote user name, given socket structures */ +@@ -133,7 +133,7 @@ + * Set up a timer so we won't get stuck while waiting for the server. + */ + +- if (setjmp(timebuf) == 0) { ++ if (sigsetjmp(timebuf, 1) == 0) { + signal(SIGALRM, timeout); + alarm(rfc931_timeout); + diff --git a/tcp_wrappers_7.6-fedora-strerror.diff b/tcp_wrappers_7.6-fedora-strerror.diff new file mode 100644 index 0000000..907482f --- /dev/null +++ b/tcp_wrappers_7.6-fedora-strerror.diff @@ -0,0 +1,27 @@ +--- percent_m.c ++++ percent_m.c +@@ -13,7 +13,7 @@ + #include + + extern int errno; +-#ifndef SYS_ERRLIST_DEFINED ++#if !defined(SYS_ERRLIST_DEFINED) && !defined(HAVE_STRERROR) + extern char *sys_errlist[]; + extern int sys_nerr; + #endif +@@ -29,11 +29,15 @@ + + while (*bp = *cp) + if (*cp == '%' && cp[1] == 'm') { ++#ifdef HAVE_STRERROR ++ strcpy(bp, strerror(errno)); ++#else + if (errno < sys_nerr && errno > 0) { + strcpy(bp, sys_errlist[errno]); + } else { + sprintf(bp, "Unknown error %d", errno); + } ++#endif + bp += strlen(bp); + cp += 2; + } else { diff --git a/tcp_wrappers_7.6-ipv6-1.6.diff b/tcp_wrappers_7.6-ipv6-1.6.diff new file mode 100644 index 0000000..406fb39 --- /dev/null +++ b/tcp_wrappers_7.6-ipv6-1.6.diff @@ -0,0 +1,1146 @@ +;; IPv6 patch for tcp_wrappers_7.6 1.6 +;; Aug 23, 1999 by Hajimu UMEMOTO +;; +;; This patch supports IPv4/IPv6 dual stack and IPv4-mapped IPv6 address. +;; You can replace stock tcpd or libwrap.a with this. +;; IPv6 address pattern is as a `[net]/prefixlen' pair. +;; This patch was tested on KAME/FreeBSD, KAME/FreeBSD3, KAME/NetBSD, +;; RedHat 5.1 with kernel 2.1.126, and RedHat 6.0 with kernel 2.2.10. +;; +;; CAUTION: +;; Back out change for field separater. Now, field separater is `:' +;; not `|'. To specify IPv6 address, enclose IPv6 address with `[' +;; and `]'. +;; +;; For Linux users: +;; If your libc doesn't have sockaddr_storage, try target `linux-old'. + +================================================================================ +--- fix_options.c ++++ fix_options.c +@@ -11,6 +11,9 @@ + + #include + #include ++#ifdef INET6 ++#include ++#endif + #include + #include + #include +@@ -41,6 +44,22 @@ + unsigned int opt; + int optlen; + struct in_addr dummy; ++#ifdef INET6 ++ struct sockaddr_storage ss; ++ int sslen; ++ ++ /* ++ * check if this is AF_INET socket ++ * XXX IPv6 support? ++ */ ++ sslen = sizeof(ss); ++ if (getsockname(fd, (struct sockaddr *)&ss, &sslen < 0)) { ++ syslog(LOG_ERR, "getpeername: %m"); ++ clean_exit(request); ++ } ++ if (ss.ss_family != AF_INET) ++ return; ++#endif + + if ((ip = getprotobyname("ip")) != 0) + ipproto = ip->p_proto; +--- hosts_access.5 ++++ hosts_access.5 +@@ -85,10 +85,17 @@ + for daemon process names or for client user names. + .IP \(bu + An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a +-`net/mask\' pair. A host address is matched if `net\' is equal to the ++`net/mask\' pair. A IPv4 host address is matched if `net\' is equal to the + bitwise AND of the address and the `mask\'. For example, the net/mask + pattern `131.155.72.0/255.255.254.0\' matches every address in the + range `131.155.72.0\' through `131.155.73.255\'. ++.IP \(bu ++An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a ++`[net]/prefixlen\' pair. A IPv6 host address is matched if ++`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the ++address. For example, the [net]/prefixlen pattern ++`[3ffe:505:2:1::]/64\' matches every address in the range ++`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'. + .SH WILDCARDS + The access control language supports explicit wildcards: + .IP ALL +--- hosts_access.c ++++ hosts_access.c +@@ -25,6 +25,9 @@ + + #include + #include ++#ifdef INET6 ++#include ++#endif + #include + #include + #include +@@ -83,6 +86,10 @@ + static int host_match(); + static int string_match(); + static int masked_match(); ++#ifdef INET6 ++static int masked_match4(); ++static int masked_match6(); ++#endif + + /* Size of logical line buffer. */ + +@@ -317,6 +324,13 @@ + { + int n; + ++#ifdef INET6 ++ /* convert IPv4 mapped IPv6 address to IPv4 address */ ++ if (STRN_EQ(string, "::ffff:", 7) ++ && dot_quad_addr(string + 7) != INADDR_NONE) { ++ string += 7; ++ } ++#endif + if (tok[0] == '.') { /* suffix */ + n = strlen(string) - strlen(tok); + return (n > 0 && STR_EQ(tok, string + n)); +@@ -327,20 +341,55 @@ + } else if (tok[(n = strlen(tok)) - 1] == '.') { /* prefix */ + return (STRN_EQ(tok, string, n)); + } else { /* exact match */ ++#ifdef INET6 ++ struct in6_addr pat, addr; ++ int len, ret; ++ char ch; ++ ++ len = strlen(tok); ++ if (*tok == '[' && tok[len - 1] == ']') { ++ ch = tok[len - 1]; ++ tok[len - 1] = '\0'; ++ ret = inet_pton(AF_INET6, tok + 1, pat.s6_addr); ++ tok[len - 1] = ch; ++ if (ret != 1 || inet_pton(AF_INET6, string, addr.s6_addr) != 1) ++ return NO; ++ return (!memcmp(&pat, &addr, sizeof(struct in6_addr))); ++ } ++#endif + return (STR_EQ(tok, string)); + } + } + + /* masked_match - match address against netnumber/netmask */ + ++#ifdef INET6 + static int masked_match(net_tok, mask_tok, string) + char *net_tok; + char *mask_tok; + char *string; + { ++ return (masked_match4(net_tok, mask_tok, string) || ++ masked_match6(net_tok, mask_tok, string)); ++} ++ ++static int masked_match4(net_tok, mask_tok, string) ++#else ++static int masked_match(net_tok, mask_tok, string) ++#endif ++char *net_tok; ++char *mask_tok; ++char *string; ++{ ++#ifdef INET6 ++ u_int32_t net; ++ u_int32_t mask; ++ u_int32_t addr; ++#else + unsigned long net; + unsigned long mask; + unsigned long addr; ++#endif + + /* + * Disallow forms other than dotted quad: the treatment that inet_addr() +@@ -352,8 +401,61 @@ + return (NO); + if ((net = dot_quad_addr(net_tok)) == INADDR_NONE + || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) { ++#ifndef INET6 + tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok); ++#endif + return (NO); /* not tcpd_jump() */ + } + return ((addr & mask) == net); + } ++ ++#ifdef INET6 ++static int masked_match6(net_tok, mask_tok, string) ++char *net_tok; ++char *mask_tok; ++char *string; ++{ ++ struct in6_addr net, addr; ++ u_int32_t mask; ++ int len, mask_len, i = 0; ++ char ch; ++ ++ if (inet_pton(AF_INET6, string, addr.s6_addr) != 1) ++ return NO; ++ ++ if (IN6_IS_ADDR_V4MAPPED(&addr)) { ++ if ((*(u_int32_t *)&net.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE ++ || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) ++ return (NO); ++ return ((*(u_int32_t *)&addr.s6_addr[12] & mask) == *(u_int32_t *)&net.s6_addr[12]); ++ } ++ ++ /* match IPv6 address against netnumber/prefixlen */ ++ len = strlen(net_tok); ++ if (*net_tok != '[' || net_tok[len - 1] != ']') ++ return NO; ++ ch = net_tok[len - 1]; ++ net_tok[len - 1] = '\0'; ++ if (inet_pton(AF_INET6, net_tok + 1, net.s6_addr) != 1) { ++ net_tok[len - 1] = ch; ++ return NO; ++ } ++ net_tok[len - 1] = ch; ++ if ((mask_len = atoi(mask_tok)) < 0 || mask_len > 128) ++ return NO; ++ ++ while (mask_len > 0) { ++ if (mask_len < 32) { ++ mask = htonl(~(0xffffffff >> mask_len)); ++ if ((*(u_int32_t *)&addr.s6_addr[i] & mask) != (*(u_int32_t *)&net.s6_addr[i] & mask)) ++ return NO; ++ break; ++ } ++ if (*(u_int32_t *)&addr.s6_addr[i] != *(u_int32_t *)&net.s6_addr[i]) ++ return NO; ++ i += 4; ++ mask_len -= 32; ++ } ++ return YES; ++} ++#endif /* INET6 */ +--- inetcf.c ++++ inetcf.c +@@ -26,6 +26,9 @@ + * guesses. Shorter names follow longer ones. + */ + char *inet_files[] = { ++#ifdef INET6 ++ "/usr/local/v6/etc/inet6d.conf", /* KAME */ ++#endif + "/private/etc/inetd.conf", /* NEXT */ + "/etc/inet/inetd.conf", /* SYSV4 */ + "/usr/etc/inetd.conf", /* IRIX?? */ +--- misc.c ++++ misc.c +@@ -58,9 +58,31 @@ + { + char *cp; + ++#ifdef INET6 ++ int bracket = 0; ++ ++ for (cp = string; cp && *cp; cp++) { ++ switch (*cp) { ++ case '[': ++ bracket++; ++ break; ++ case ']': ++ bracket--; ++ break; ++ default: ++ if (bracket == 0 && *cp == delimiter) { ++ *cp++ = 0; ++ return cp; ++ } ++ break; ++ } ++ } ++ return (NULL); ++#else + if ((cp = strchr(string, delimiter)) != 0) + *cp++ = 0; + return (cp); ++#endif + } + + /* dot_quad_addr - convert dotted quad to internal form */ +--- refuse.c ++++ refuse.c +@@ -25,7 +25,12 @@ + void refuse(request) + struct request_info *request; + { ++#ifdef INET6 ++ syslog(deny_severity, "refused connect from %s (%s)", ++ eval_client(request), eval_hostaddr(request->client)); ++#else + syslog(deny_severity, "refused connect from %s", eval_client(request)); ++#endif + clean_exit(request); + /* NOTREACHED */ + } +--- rfc931.c ++++ rfc931.c +@@ -68,20 +68,50 @@ + /* rfc931 - return remote user name, given socket structures */ + + void rfc931(rmt_sin, our_sin, dest) ++#ifdef INET6 ++struct sockaddr *rmt_sin; ++struct sockaddr *our_sin; ++#else + struct sockaddr_in *rmt_sin; + struct sockaddr_in *our_sin; ++#endif + char *dest; + { + unsigned rmt_port; + unsigned our_port; ++#ifdef INET6 ++ struct sockaddr_storage rmt_query_sin; ++ struct sockaddr_storage our_query_sin; ++ int alen; ++#else + struct sockaddr_in rmt_query_sin; + struct sockaddr_in our_query_sin; ++#endif + char user[256]; /* XXX */ + char buffer[512]; /* XXX */ + char *cp; + char *result = unknown; + FILE *fp; + ++#ifdef INET6 ++ /* address family must be the same */ ++ if (rmt_sin->sa_family != our_sin->sa_family) { ++ STRN_CPY(dest, result, STRING_LENGTH); ++ return; ++ } ++ switch (our_sin->sa_family) { ++ case AF_INET: ++ alen = sizeof(struct sockaddr_in); ++ break; ++ case AF_INET6: ++ alen = sizeof(struct sockaddr_in6); ++ break; ++ default: ++ STRN_CPY(dest, result, STRING_LENGTH); ++ return; ++ } ++#endif ++ + /* + * Use one unbuffered stdio stream for writing to and for reading from + * the RFC931 etc. server. This is done because of a bug in the SunOS +@@ -92,7 +122,11 @@ + * sockets. + */ + ++#ifdef INET6 ++ if ((fp = fsocket(our_sin->sa_family, SOCK_STREAM, 0)) != 0) { ++#else + if ((fp = fsocket(AF_INET, SOCK_STREAM, 0)) != 0) { ++#endif + setbuf(fp, (char *) 0); + + /* +@@ -112,6 +146,25 @@ + * addresses from the query socket. + */ + ++#ifdef INET6 ++ memcpy(&our_query_sin, our_sin, alen); ++ memcpy(&rmt_query_sin, rmt_sin, alen); ++ switch (our_sin->sa_family) { ++ case AF_INET: ++ ((struct sockaddr_in *)&our_query_sin)->sin_port = htons(ANY_PORT); ++ ((struct sockaddr_in *)&rmt_query_sin)->sin_port = htons(RFC931_PORT); ++ break; ++ case AF_INET6: ++ ((struct sockaddr_in6 *)&our_query_sin)->sin6_port = htons(ANY_PORT); ++ ((struct sockaddr_in6 *)&rmt_query_sin)->sin6_port = htons(RFC931_PORT); ++ break; ++ } ++ ++ if (bind(fileno(fp), (struct sockaddr *) & our_query_sin, ++ alen) >= 0 && ++ connect(fileno(fp), (struct sockaddr *) & rmt_query_sin, ++ alen) >= 0) { ++#else + our_query_sin = *our_sin; + our_query_sin.sin_port = htons(ANY_PORT); + rmt_query_sin = *rmt_sin; +@@ -121,6 +174,7 @@ + sizeof(our_query_sin)) >= 0 && + connect(fileno(fp), (struct sockaddr *) & rmt_query_sin, + sizeof(rmt_query_sin)) >= 0) { ++#endif + + /* + * Send query to server. Neglect the risk that a 13-byte +@@ -129,8 +183,13 @@ + */ + + fprintf(fp, "%u,%u\r\n", ++#ifdef INET6 ++ ntohs(((struct sockaddr_in *)rmt_sin)->sin_port), ++ ntohs(((struct sockaddr_in *)our_sin)->sin_port)); ++#else + ntohs(rmt_sin->sin_port), + ntohs(our_sin->sin_port)); ++#endif + fflush(fp); + + /* +@@ -144,8 +203,13 @@ + && ferror(fp) == 0 && feof(fp) == 0 + && sscanf(buffer, "%u , %u : USERID :%*[^:]:%255s", + &rmt_port, &our_port, user) == 3 ++#ifdef INET6 ++ && ntohs(((struct sockaddr_in *)rmt_sin)->sin_port) == rmt_port ++ && ntohs(((struct sockaddr_in *)our_sin)->sin_port) == our_port) { ++#else + && ntohs(rmt_sin->sin_port) == rmt_port + && ntohs(our_sin->sin_port) == our_port) { ++#endif + + /* + * Strip trailing carriage return. It is part of the +--- scaffold.c ++++ scaffold.c +@@ -20,6 +20,9 @@ + #include + #include + #include ++#if defined(INET6) && !defined(USE_GETIPNODEBY) ++#include ++#endif + + #ifndef INADDR_NONE + #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ +@@ -57,6 +60,9 @@ + /* void */ ; + + if ((hb = (struct hostent_block *) malloc(sizeof(struct hostent_block) ++#ifdef INET6 ++ + strlen(hp->h_name) + 1 ++#endif + + (hp->h_length + sizeof(char *)) * count)) == 0) { + fprintf(stderr, "Sorry, out of memory\n"); + exit(1); +@@ -66,6 +72,11 @@ + hb->host.h_addr_list = hb->addr_list; + hb->host.h_addr_list[count] = 0; + data = (char *) (hb->host.h_addr_list + count + 1); ++#ifdef INET6 ++ hb->host.h_name = data + hp->h_length * count; ++ strcpy(hb->host.h_name, hp->h_name); ++ hb->host.h_addrtype = hp->h_addrtype; ++#endif + + for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { + hb->host.h_addr_list[count] = data + hp->h_length * count; +@@ -74,6 +85,100 @@ + return (&hb->host); + } + ++#if defined(INET6) && !defined(USE_GETIPNODEBY) ++/* merge_hostent - merge hostent in one memory block */ ++ ++static struct hostent *merge_hostent(hp1, hp2) ++struct hostent *hp1, *hp2; ++{ ++ struct hostent_block { ++ struct hostent host; ++ char *addr_list[1]; ++ }; ++ struct hostent_block *hb; ++ int count, count2; ++ char *data; ++ char *addr; ++ ++ for (count = 0; hp1->h_addr_list[count] != 0; count++) ++ /* void */ ; ++ for (count2 = 0; hp2->h_addr_list[count2] != 0; count2++) ++ /* void */ ; ++ count += count2; ++ ++ if ((hb = (struct hostent_block *) malloc(sizeof(struct hostent_block) ++ + strlen(hp1->h_name) + 1 ++ + (hp1->h_length + sizeof(char *)) * count)) == 0) { ++ fprintf(stderr, "Sorry, out of memory\n"); ++ exit(1); ++ } ++ memset((char *) &hb->host, 0, sizeof(hb->host)); ++ hb->host.h_length = hp1->h_length; ++ hb->host.h_addr_list = hb->addr_list; ++ hb->host.h_addr_list[count] = 0; ++ data = (char *) (hb->host.h_addr_list + count + 1); ++ hb->host.h_name = data + hp1->h_length * count; ++ strcpy(hb->host.h_name, hp1->h_name); ++ hb->host.h_addrtype = hp1->h_addrtype; ++ ++ for (count = 0; (addr = hp1->h_addr_list[count]) != 0; count++) { ++ hb->host.h_addr_list[count] = data + hp1->h_length * count; ++ memcpy(hb->host.h_addr_list[count], addr, hp1->h_length); ++ } ++ for (count2 = 0; (addr = hp2->h_addr_list[count2]) != 0; count2++) { ++ hb->host.h_addr_list[count] = data + hp1->h_length * count; ++ memcpy(hb->host.h_addr_list[count], addr, hp1->h_length); ++ ++count; ++ } ++ return (&hb->host); ++} ++#endif ++ ++static struct hostent *gethostbyname64(host) ++char *host; ++{ ++ struct hostent *hp, *hp2; ++#ifdef USE_GETIPNODEBY ++ int h_error; ++ ++ if ((hp = getipnodebyname(host, AF_INET6, ++ AI_V4MAPPED | AI_ADDRCONFIG | AI_ALL, ++ &h_error)) != 0) { ++ hp2 = dup_hostent(hp); ++ freehostent(hp); ++ return (hp2); ++ } ++#else ++ struct hostent *hp1; ++ u_long res_options; ++ ++ if ((_res.options & RES_INIT) == 0) { ++ if (res_init() < 0) { ++ tcpd_warn("%s: res_init() failed", host); ++ return (NULL); ++ } ++ } ++ res_options = _res.options; ++ _res.options |= RES_USE_INET6; ++ if ((hp1 = gethostbyname2(host, AF_INET6)) != NULL) ++ hp1 = dup_hostent(hp1); ++ if ((hp2 = gethostbyname2(host, AF_INET)) != NULL) ++ hp2 = dup_hostent(hp2); ++ _res.options = res_options; ++ if (hp1 && hp2) { ++ hp = merge_hostent(hp1, hp2); ++ free((char *) hp1); ++ free((char *) hp2); ++ return (hp); ++ } ++ if (hp1) ++ return (hp1); ++ if (hp2) ++ return (hp2); ++#endif ++ return (NULL); ++} ++ + /* find_inet_addr - find all addresses for this host, result to free() */ + + struct hostent *find_inet_addr(host) +@@ -91,6 +196,15 @@ + h.h_addr_list = addr_list; + h.h_addr_list[0] = (char *) &addr; + h.h_length = sizeof(addr); ++#ifdef INET6 ++ h.h_addrtype = AF_INET; ++ h.h_name = (char *) malloc(strlen(host)+1); ++ if (! h.h_name){ ++ fprintf(stderr, "Sorry, out of memory\n"); ++ exit(1); ++ } ++ strncpy(h.h_name, host, strlen(host)+1); ++#endif + return (dup_hostent(&h)); + } + +@@ -104,19 +218,33 @@ + tcpd_warn("%s: not an internet address", host); + return (0); + } ++#ifdef INET6 ++ if ((hp = gethostbyname64(host)) == 0) { ++#else + if ((hp = gethostbyname(host)) == 0) { ++#endif + tcpd_warn("%s: host not found", host); + return (0); + } ++#ifdef INET6 ++ if (hp->h_addrtype != AF_INET6) { ++ tcpd_warn("%d: not an internet host", hp->h_addrtype); ++ free((char *) hp); ++#else + if (hp->h_addrtype != AF_INET) { + tcpd_warn("%d: not an internet host", hp->h_addrtype); ++#endif + return (0); + } + if (STR_NE(host, hp->h_name)) { + tcpd_warn("%s: hostname alias", host); + tcpd_warn("(official name: %.*s)", STRING_LENGTH, hp->h_name); + } ++#ifdef INET6 ++ return (hp); ++#else + return (dup_hostent(hp)); ++#endif + } + + /* check_dns - give each address thorough workout, return address count */ +@@ -125,7 +253,13 @@ + char *host; + { + struct request_info request; ++#ifdef INET6 ++ struct sockaddr_storage sin; ++ char *ap; ++ int alen; ++#else + struct sockaddr_in sin; ++#endif + struct hostent *hp; + int count; + char *addr; +@@ -135,10 +269,30 @@ + request_init(&request, RQ_CLIENT_SIN, &sin, 0); + sock_methods(&request); + memset((char *) &sin, 0, sizeof(sin)); ++#ifdef INET6 ++ sin.ss_family = hp->h_addrtype; ++ switch (hp->h_addrtype) { ++ case AF_INET: ++ ap = (char *)&((struct sockaddr_in *)&sin)->sin_addr; ++ alen = sizeof(struct sockaddr_in); ++ break; ++ case AF_INET6: ++ ap = (char *)&((struct sockaddr_in6 *)&sin)->sin6_addr; ++ alen = sizeof(struct sockaddr_in6); ++ break; ++ default: ++ return (0); ++ } ++#else + sin.sin_family = AF_INET; ++#endif + + for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { ++#ifdef INET6 ++ memcpy(ap, addr, alen); ++#else + memcpy((char *) &sin.sin_addr, addr, sizeof(sin.sin_addr)); ++#endif + + /* + * Force host name and address conversions. Use the request structure +--- socket.c ++++ socket.c +@@ -30,6 +30,12 @@ + #include + #include + ++#ifdef INET6 ++#ifndef USE_GETIPNODEBY ++#include ++#endif ++#endif ++ + extern char *inet_ntoa(); + + /* Local stuff. */ +@@ -74,8 +80,13 @@ + void sock_host(request) + struct request_info *request; + { ++#ifdef INET6 ++ static struct sockaddr_storage client; ++ static struct sockaddr_storage server; ++#else + static struct sockaddr_in client; + static struct sockaddr_in server; ++#endif + int len; + char buf[BUFSIZ]; + int fd = request->fd; +@@ -104,7 +115,11 @@ + memset(buf, 0 sizeof(buf)); + #endif + } ++#ifdef INET6 ++ request->client->sin = (struct sockaddr *)&client; ++#else + request->client->sin = &client; ++#endif + + /* + * Determine the server binding. This is used for client username +@@ -117,7 +132,11 @@ + tcpd_warn("getsockname: %m"); + return; + } ++#ifdef INET6 ++ request->server->sin = (struct sockaddr *)&server; ++#else + request->server->sin = &server; ++#endif + } + + /* sock_hostaddr - map endpoint address to printable form */ +@@ -125,10 +144,33 @@ + void sock_hostaddr(host) + struct host_info *host; + { ++#ifdef INET6 ++ struct sockaddr *sin = host->sin; ++ char *ap; ++ int alen; ++ ++ if (!sin) ++ return; ++ switch (sin->sa_family) { ++ case AF_INET: ++ ap = (char *)&((struct sockaddr_in *)sin)->sin_addr; ++ alen = sizeof(struct in_addr); ++ break; ++ case AF_INET6: ++ ap = (char *)&((struct sockaddr_in6 *)sin)->sin6_addr; ++ alen = sizeof(struct in6_addr); ++ break; ++ default: ++ return; ++ } ++ host->addr[0] = '\0'; ++ inet_ntop(sin->sa_family, ap, host->addr, sizeof(host->addr)); ++#else + struct sockaddr_in *sin = host->sin; + + if (sin != 0) + STRN_CPY(host->addr, inet_ntoa(sin->sin_addr), sizeof(host->addr)); ++#endif + } + + /* sock_hostname - map endpoint address to host name */ +@@ -136,8 +178,21 @@ + void sock_hostname(host) + struct host_info *host; + { ++#ifdef INET6 ++ struct sockaddr *sin = host->sin; ++ char addr[128]; ++#ifdef USE_GETIPNODEBY ++ int h_error; ++#else ++ u_long res_options; ++#endif ++ struct hostent *hp = NULL; ++ char *ap; ++ int alen; ++#else + struct sockaddr_in *sin = host->sin; + struct hostent *hp; ++#endif + int i; + + /* +@@ -147,11 +202,42 @@ + * have to special-case 0.0.0.0, in order to avoid false alerts from the + * host name/address checking code below. + */ ++#ifdef INET6 ++ if (sin != NULL) { ++ switch (sin->sa_family) { ++ case AF_INET: ++ if (((struct sockaddr_in *)sin)->sin_addr.s_addr == 0) { ++ strcpy(host->name, paranoid); /* name is bad, clobber it */ ++ return; ++ } ++ ap = (char *) &((struct sockaddr_in *)sin)->sin_addr; ++ alen = sizeof(struct in_addr); ++ break; ++ case AF_INET6: ++ ap = (char *) &((struct sockaddr_in6 *)sin)->sin6_addr; ++ alen = sizeof(struct in6_addr); ++ break; ++ defalut: ++ strcpy(host->name, paranoid); /* name is bad, clobber it */ ++ return; ++ } ++#ifdef USE_GETIPNODEBY ++ hp = getipnodebyaddr(ap, alen, sin->sa_family, &h_error); ++#else ++ hp = gethostbyaddr(ap, alen, sin->sa_family); ++#endif ++ } ++ if (hp) { ++#else + if (sin != 0 && sin->sin_addr.s_addr != 0 + && (hp = gethostbyaddr((char *) &(sin->sin_addr), + sizeof(sin->sin_addr), AF_INET)) != 0) { ++#endif + + STRN_CPY(host->name, hp->h_name, sizeof(host->name)); ++#if defined(INET6) && defined(USE_GETIPNODEBY) ++ freehostent(hp); ++#endif + + /* + * Verify that the address is a member of the address list returned +@@ -166,15 +252,53 @@ + * we're in big trouble anyway. + */ + ++#ifdef INET6 ++#ifdef USE_GETIPNODEBY ++ hp = getipnodebyname(host->name, sin->sa_family, ++ AI_V4MAPPED | AI_ADDRCONFIG | AI_ALL, &h_error); ++#else ++ if ((_res.options & RES_INIT) == 0) { ++ if (res_init() < 0) { ++ inet_ntop(sin->sa_family, ap, addr, sizeof(addr)); ++ tcpd_warn("can't verify hostname: res_init() for %s failed", ++ addr); ++ strcpy(host->name, paranoid); /* name is bad, clobber it */ ++ return; ++ } ++ } ++ res_options = _res.options; ++ if (sin->sa_family == AF_INET6) ++ _res.options |= RES_USE_INET6; ++ else ++ _res.options &= ~RES_USE_INET6; ++ hp = gethostbyname2(host->name, ++ (sin->sa_family == AF_INET6 && ++ IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)sin)->sin6_addr)) ? ++ AF_INET : sin->sa_family); ++ _res.options = res_options; ++#endif ++ if (!hp) { ++#else + if ((hp = gethostbyname(host->name)) == 0) { ++#endif + + /* + * Unable to verify that the host name matches the address. This + * may be a transient problem or a botched name server setup. + */ + ++#ifdef INET6 ++#ifdef USE_GETIPNODEBY ++ tcpd_warn("can't verify hostname: getipnodebyname(%s, %s) failed", ++#else ++ tcpd_warn("can't verify hostname: gethostbyname2(%s, %s) failed", ++#endif ++ host->name, ++ (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6"); ++#else + tcpd_warn("can't verify hostname: gethostbyname(%s) failed", + host->name); ++#endif + + } else if (STR_NE(host->name, hp->h_name) + && STR_NE(host->name, "localhost")) { +@@ -198,10 +322,19 @@ + */ + + for (i = 0; hp->h_addr_list[i]; i++) { ++#ifdef INET6 ++ if (memcmp(hp->h_addr_list[i], ap, alen) == 0) { ++#ifdef USE_GETIPNODEBY ++ freehostent(hp); ++#endif ++ return; /* name is good, keep it */ ++ } ++#else + if (memcmp(hp->h_addr_list[i], + (char *) &sin->sin_addr, + sizeof(sin->sin_addr)) == 0) + return; /* name is good, keep it */ ++#endif + } + + /* +@@ -210,10 +343,20 @@ + * server. + */ + ++#ifdef INET6 ++ inet_ntop(sin->sa_family, ap, addr, sizeof(addr)); ++ tcpd_warn("host name/address mismatch: %s != %.*s", ++ addr, STRING_LENGTH, hp->h_name); ++#else + tcpd_warn("host name/address mismatch: %s != %.*s", + inet_ntoa(sin->sin_addr), STRING_LENGTH, hp->h_name); ++#endif + } + strcpy(host->name, paranoid); /* name is bad, clobber it */ ++#if defined(INET6) && defined(USE_GETIPNODEBY) ++ if (hp) ++ freehostent(hp); ++#endif + } + } + +@@ -223,7 +366,11 @@ + int fd; + { + char buf[BUFSIZ]; ++#ifdef INET6 ++ struct sockaddr_storage sin; ++#else + struct sockaddr_in sin; ++#endif + int size = sizeof(sin); + + /* +--- tcpd.c ++++ tcpd.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #ifndef MAXPATHNAMELEN + #define MAXPATHNAMELEN BUFSIZ +@@ -120,7 +121,12 @@ + + /* Report request and invoke the real daemon program. */ + ++#ifdef INET6 ++ syslog(allow_severity, "connect from %s (%s)", ++ eval_client(&request), eval_hostaddr(request.client)); ++#else + syslog(allow_severity, "connect from %s", eval_client(&request)); ++#endif + closelog(); + (void) execv(path, argv); + syslog(LOG_ERR, "error: cannot execute %s: %m", path); +--- tcpd.h ++++ tcpd.h +@@ -17,7 +17,11 @@ + struct host_info { + char name[STRING_LENGTH]; /* access via eval_hostname(host) */ + char addr[STRING_LENGTH]; /* access via eval_hostaddr(host) */ ++#ifdef INET6 ++ struct sockaddr *sin; /* socket address or 0 */ ++#else + struct sockaddr_in *sin; /* socket address or 0 */ ++#endif + struct t_unitdata *unit; /* TLI transport address or 0 */ + struct request_info *request; /* for shared information */ + }; +--- tcpdchk.c ++++ tcpdchk.c +@@ -22,6 +22,9 @@ + + #include + #include ++#ifdef INET6 ++#include ++#endif + #include + #include + #include +@@ -397,6 +400,26 @@ + } + } + ++#ifdef INET6 ++static int is_inet6_addr(pat) ++ char *pat; ++{ ++ struct in6_addr addr; ++ int len, ret; ++ char ch; ++ ++ if (*pat != '[') ++ return (0); ++ len = strlen(pat); ++ if ((ch = pat[len - 1]) != ']') ++ return (0); ++ pat[len - 1] = '\0'; ++ ret = inet_pton(AF_INET6, pat + 1, &addr); ++ pat[len - 1] = ch; ++ return (ret == 1); ++} ++#endif ++ + /* check_host - criticize host pattern */ + + static int check_host(pat) +@@ -423,14 +446,27 @@ + #endif + #endif + } else if (mask = split_at(pat, '/')) { /* network/netmask */ ++#ifdef INET6 ++ int mask_len; ++ ++ if ((dot_quad_addr(pat) == INADDR_NONE ++ || dot_quad_addr(mask) == INADDR_NONE) ++ && (!is_inet6_addr(pat) ++ || ((mask_len = atoi(mask)) < 0 || mask_len > 128))) ++#else + if (dot_quad_addr(pat) == INADDR_NONE + || dot_quad_addr(mask) == INADDR_NONE) ++#endif + tcpd_warn("%s/%s: bad net/mask pattern", pat, mask); + } else if (STR_EQ(pat, "FAIL")) { /* obsolete */ + tcpd_warn("FAIL is no longer recognized"); + tcpd_warn("(use EXCEPT or DENY instead)"); + } else if (reserved_name(pat)) { /* other reserved */ + /* void */ ; ++#ifdef INET6 ++ } else if (is_inet6_addr(pat)) { /* IPv6 address */ ++ addr_count = 1; ++#endif + } else if (NOT_INADDR(pat)) { /* internet name */ + if (pat[strlen(pat) - 1] == '.') { + tcpd_warn("%s: domain or host name ends in dot", pat); +--- tcpdmatch.c ++++ tcpdmatch.c +@@ -68,8 +68,15 @@ + int ch; + char *inetcf = 0; + int count; ++#ifdef INET6 ++ struct sockaddr_storage server_sin; ++ struct sockaddr_storage client_sin; ++ char *ap; ++ int alen; ++#else + struct sockaddr_in server_sin; + struct sockaddr_in client_sin; ++#endif + struct stat st; + + /* +@@ -173,12 +180,35 @@ + if ((hp = find_inet_addr(server)) == 0) + exit(1); + memset((char *) &server_sin, 0, sizeof(server_sin)); ++#ifdef INET6 ++ server_sin.ss_family = hp->h_addrtype; ++ switch (hp->h_addrtype) { ++ case AF_INET: ++ ap = (char *)&((struct sockaddr_in *)&server_sin)->sin_addr; ++ alen = sizeof(struct sockaddr_in); ++ break; ++ case AF_INET6: ++ ap = (char *)&((struct sockaddr_in6 *)&server_sin)->sin6_addr; ++ alen = sizeof(struct sockaddr_in6); ++ break; ++ default: ++ exit(1); ++ } ++#ifdef SIN6_LEN ++ server_sin.ss_len = alen; ++#endif ++#else + server_sin.sin_family = AF_INET; ++#endif + request_set(&request, RQ_SERVER_SIN, &server_sin, 0); + + for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { ++#ifdef INET6 ++ memcpy(ap, addr, alen); ++#else + memcpy((char *) &server_sin.sin_addr, addr, + sizeof(server_sin.sin_addr)); ++#endif + + /* + * Force evaluation of server host name and address. Host name +@@ -230,12 +260,35 @@ + if ((hp = find_inet_addr(client)) == 0) + exit(1); + memset((char *) &client_sin, 0, sizeof(client_sin)); ++#ifdef INET6 ++ client_sin.ss_family = hp->h_addrtype; ++ switch (hp->h_addrtype) { ++ case AF_INET: ++ ap = (char *)&((struct sockaddr_in *)&client_sin)->sin_addr; ++ alen = sizeof(struct sockaddr_in); ++ break; ++ case AF_INET6: ++ ap = (char *)&((struct sockaddr_in6 *)&client_sin)->sin6_addr; ++ alen = sizeof(struct sockaddr_in6); ++ break; ++ default: ++ exit(1); ++ } ++#ifdef SIN6_LEN ++ client_sin.ss_len = alen; ++#endif ++#else + client_sin.sin_family = AF_INET; ++#endif + request_set(&request, RQ_CLIENT_SIN, &client_sin, 0); + + for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { ++#ifdef INET6 ++ memcpy(ap, addr, alen); ++#else + memcpy((char *) &client_sin.sin_addr, addr, + sizeof(client_sin.sin_addr)); ++#endif + + /* + * Force evaluation of client host name and address. Host name +--- update.c ++++ update.c +@@ -46,10 +46,18 @@ + request->fd = va_arg(ap, int); + continue; + case RQ_CLIENT_SIN: ++#ifdef INET6 ++ request->client->sin = va_arg(ap, struct sockaddr *); ++#else + request->client->sin = va_arg(ap, struct sockaddr_in *); ++#endif + continue; + case RQ_SERVER_SIN: ++#ifdef INET6 ++ request->server->sin = va_arg(ap, struct sockaddr *); ++#else + request->server->sin = va_arg(ap, struct sockaddr_in *); ++#endif + continue; + + /* +--- workarounds.c ++++ workarounds.c +@@ -166,11 +166,22 @@ + int *len; + { + int ret; ++#ifdef INET6 ++ struct sockaddr_storage *sin = (struct sockaddr_storage *) sa; ++#else + struct sockaddr_in *sin = (struct sockaddr_in *) sa; ++#endif + + if ((ret = getpeername(sock, sa, len)) >= 0 ++#ifdef INET6 ++ && ((sin->__ss_family == AF_INET6 ++ && IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)sin)->sin6_addr)) ++ || (sin->ss_family == AF_INET ++ && ((struct sockaddr_in *)sin)->sin_addr.s_addr == 0))) { ++#else + && sa->sa_family == AF_INET + && sin->sin_addr.s_addr == 0) { ++#endif + errno = ENOTCONN; + return (-1); + } else { diff --git a/tcp_wrappers_7.6-ipv6-1.6.diff.gz b/tcp_wrappers_7.6-ipv6-1.6.diff.gz deleted file mode 100644 index 4c1a199..0000000 --- a/tcp_wrappers_7.6-ipv6-1.6.diff.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4cc4bdc5a86f2b7aaa8257507e19de5cc36fc8f128e815f44c33da017048971f -size 8070 diff --git a/tcp_wrappers_7.6-ipv6-fix.diff b/tcp_wrappers_7.6-ipv6-fix.diff index 68c2934..a066585 100644 --- a/tcp_wrappers_7.6-ipv6-fix.diff +++ b/tcp_wrappers_7.6-ipv6-fix.diff @@ -12,10 +12,45 @@ # Made by Michal Ludvig , # November , 2002 # -diff -upNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.mludvig/hosts_access.c ---- tcp_wrappers_7.6/hosts_access.c 2002-11-29 16:09:02.000000000 +0100 -+++ tcp_wrappers_7.6.mludvig/hosts_access.c 2002-11-29 12:52:15.000000000 +0100 -@@ -85,11 +85,6 @@ static int server_match(); +================================================================================ +--- Makefile ++++ Makefile +@@ -1,5 +1,7 @@ + # @(#) Makefile 1.23 97/03/21 19:27:20 + ++really-all: linux ++ + what: + @echo + @echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:" +@@ -670,7 +672,7 @@ + LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \ + hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \ + $(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \ +- update.o misc.o diag.o percent_m.o myvsyslog.o ++ update.o misc.o diag.o percent_m.o myvsyslog.o ip6utils.o + + FROM_OBJ= fromhost.o + +@@ -683,6 +685,7 @@ + tli-sequent.h misc.c diag.c ncr.c tcpdchk.c percent_m.c \ + myvsyslog.c mystdarg.h printf.ck README.IRIX Banners.Makefile \ + refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \ ++ ip6utils.c ip6utils.h \ + scaffold.h tcpdmatch.8 README.NIS + + LIB = libwrap.a +@@ -812,6 +815,7 @@ + + # Internal compilation dependencies. + ++tcpd.h: ip6utils.h + clean_exit.o: cflags + clean_exit.o: tcpd.h + diag.o: cflags +--- hosts_access.c ++++ hosts_access.c +@@ -85,11 +85,6 @@ static int client_match(); static int host_match(); static int string_match(); @@ -27,7 +62,7 @@ diff -upNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.mludvig/hosts_access /* Size of logical line buffer. */ -@@ -308,15 +303,17 @@ struct host_info *host; +@@ -308,15 +303,17 @@ } else if (STR_EQ(tok, "LOCAL")) { /* local: no dots in name */ char *name = eval_hostname(host); return (strchr(name, '.') == 0 && HOSTNAME_KNOWN(name)); @@ -48,7 +83,7 @@ diff -upNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.mludvig/hosts_access static int string_match(tok, string) char *tok; -@@ -324,13 +321,6 @@ char *string; +@@ -324,13 +321,6 @@ { int n; @@ -62,7 +97,7 @@ diff -upNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.mludvig/hosts_access if (tok[0] == '.') { /* suffix */ n = strlen(string) - strlen(tok); return (n > 0 && STR_EQ(tok, string + n)); -@@ -340,122 +330,65 @@ char *string; +@@ -340,122 +330,65 @@ return (STR_NE(string, unknown)); } else if (tok[(n = strlen(tok)) - 1] == '.') { /* prefix */ return (STRN_EQ(tok, string, n)); @@ -239,9 +274,200 @@ diff -upNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.mludvig/hosts_access +#endif } -#endif /* INET6 */ ---- tcp_wrappers_7.6/socket.c 2002-11-29 16:08:40.000000000 +0100 -+++ tcp_wrappers_7.6.mludvig/socket.c 2002-11-29 16:16:56.000000000 +0100 -@@ -25,16 +25,12 @@ static char sccsid[] = "@(#) socket.c 1. +--- ip6utils.c ++++ ip6utils.c +@@ -0,0 +1,152 @@ ++#include ++#include ++#include ++#include ++#include ++ ++#include "ip6utils.h" ++ ++/* inet_pton_mapped() ++ - works like inet_pton(3) but always returns IPv6 address ++ in dst - either "real" or v4mapped (::ffff:1.2.3.4) in ++ the case, when src points to IPv4 address (eg. to 1.2.3.4). */ ++int ++inet_pton_mapped (int af, const char *src, void *dst) ++{ ++ int ret; ++ ++ /* Mapped address is v6. */ ++ if (af != AF_INET6) ++ { ++ errno = EAFNOSUPPORT; ++ return -1; ++ } ++ ++ /* We must put the result somewhere. */ ++ if (!dst) ++ { ++ errno = EFAULT; ++ return -1; ++ } ++ ++ /* First try whether the address IPv6. */ ++ ret = inet_pton (AF_INET6, src, dst); ++ if (ret > 0) ++ return ret; ++ ++ /* Because we're here, it apparently wasn't IPv6. Try IPv4 now. */ ++ ret = inet_pton (AF_INET, src, &((struct in6_addr *)dst)->s6_addr32[3]); ++ if (ret > 0) ++ { ++ /* Good, it was IPv4, map it now. */ ++ ((struct in6_addr *)dst)->s6_addr32[0] = 0; ++ ((struct in6_addr *)dst)->s6_addr32[1] = 0; ++ ((struct in6_addr *)dst)->s6_addr32[2] = htonl(0x0000ffffL); ++ } ++ return ret; ++} ++ ++/* inet_ntop2() ++ - works like inet_ntop(3) but doesn't need an external ++ buffer. Usefull eg. for printing addresses via printf(). */ ++const char * ++inet_ntop2 (int af, const void *src) ++{ ++ static char address[INET6_ADDRSTRLEN]; ++ ++ return inet_ntop(af, src, address, sizeof(address)); ++} ++ ++/* sa_map_v4_to_v6() ++ - Take an IPv4 address in first argument and map it to ++ IPv4-mapped (::ffff:1.2.3.4) IPv6 address. */ ++struct sockaddr_in6 * ++sa_map_v4_to_v6 (struct sockaddr_in *sin, struct sockaddr_in6 *sin6) ++{ ++ /* Both pointers must be not-NULL or we'll segfault. */ ++ if (!sin || !sin6) ++ { ++ errno = EFAULT; ++ return NULL; ++ } ++ ++ /* We can map only IPv4 addresses. */ ++ if (sin->sin_family != AF_INET) ++ return NULL; ++ ++ /* Map it now... */ ++ memset(sin6, 0, sizeof(*sin6)); ++ ++ sin6->sin6_family = AF_INET6; ++ sin6->sin6_port = sin->sin_port; ++ sin6->sin6_addr.s6_addr16[5] = 0xffff; ++ sin6->sin6_addr.s6_addr32[3] = sin->sin_addr.s_addr; ++ ++ return sin6; ++} ++ ++/* is_v4_string(), is_v6_string() ++ - Return 1 when src is a string representing a valid ++ IPv4, resp. IPv6 address. Return 0 otherwise. */ ++int ++is_v4_string (const char *src) ++{ ++ struct in_addr result; ++ ++ return (inet_pton (AF_INET, src, &result) > 0); ++} ++ ++int ++is_v6_string (const char *src) ++{ ++ struct in6_addr result; ++ ++ return (inet_pton (AF_INET6, src, &result) > 0); ++} ++ ++/* apply_v6_prefix() ++ - mask the address given in 'src' with 'prefixlen' netmask. Clear ++ all bits not covered by prefixlen. */ ++int ++apply_v6_prefix (struct in6_addr *src, int prefixlen) ++{ ++ int i; ++ ++ /* Check prefix for a valid length. */ ++ if (prefixlen < 0 || prefixlen > 128) ++ return -1; ++ ++ /* Prefixes will quite often end up on 16b boundary, ++ so we'll walk thorugh 16b blocks and possibly avoid ++ creating bitmasks. */ ++ for (i=0; i<8; i++) ++ { ++ /* Prefix fully covers this block -> leave as is. */ ++ if (prefixlen >= (i+1)*16) ++ continue; ++ /* Prefix doesn't cover this block -> zero it. */ ++ if (prefixlen <= i*16) ++ { ++ src->s6_addr16[i] = 0; ++ continue; ++ } ++ /* Prefix ends somewhere inside in this block. Let's ++ build and apply a bitmask for this block. */ ++ { ++ uint16_t mask=0; ++ int bits; ++ ++ bits = prefixlen - i*16; ++ ++ while (bits) ++ { ++ mask |= (1 << (16-bits)); ++ bits --; ++ } ++ ++ src->s6_addr16[i] &= htons(mask); ++ } ++ } ++ ++ return 0; ++} +--- ip6utils.h ++++ ip6utils.h +@@ -0,0 +1,33 @@ ++#ifndef IP6UTILS_H ++#define IP6UTILS_H ++ ++/* inet_pton_mapped() ++ - works like inet_pton(3) but always returns IPv6 address ++ in dst - either "real" or v4mapped (::ffff:1.2.3.4) in ++ the case, when src points to IPv4 address (eg. to 1.2.3.4). ++ Return value is as with inet_pton(), dst remains untouched on ++ an address translation failure. */ ++int inet_pton_mapped (int af, const char *src, void *dst); ++ ++/* inet_ntop2() ++ - works like inet_ntop(3) but doesn't need an external ++ buffer. Usefull eg. for printing addresses via printf(). */ ++const char *inet_ntop2 (int af, const void *src); ++ ++/* sa_map_v4_to_v6() ++ - Take an IPv4 address in form 1.2.3.4 and map it to ++ IPv4-mapped form ::ffff:1.2.3.4 */ ++struct sockaddr_in6 *sa_map_v4_to_v6 (struct sockaddr_in *sin, struct sockaddr_in6 *sin6); ++ ++/* is_v4_string(), is_v6_string() ++ - Return 1 when src is a string representing a valid ++ IPv4, resp. IPv6 address. Return 0 otherwise. */ ++int is_v4_string (const char *src); ++int is_v6_string (const char *src); ++ ++/* apply_v6_prefix() ++ - mask the address given in 'src' with 'prefixlen' netmask. Clear ++ all bits not covered by prefixlen. Return -1 on a failure, else 0. */ ++int apply_v6_prefix (struct in6_addr *src, int prefixlen); ++ ++#endif /* IP6UTILS_H */ +--- socket.c ++++ socket.c +@@ -25,16 +25,12 @@ #include #include #include @@ -260,7 +486,7 @@ diff -upNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.mludvig/hosts_access extern char *inet_ntoa(); -@@ -65,10 +61,10 @@ char *name; +@@ -65,10 +61,10 @@ */ if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) { @@ -274,7 +500,7 @@ diff -upNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.mludvig/hosts_access } } -@@ -104,15 +100,15 @@ struct request_info *request; +@@ -104,15 +100,15 @@ len = sizeof(client); if (getpeername(fd, (struct sockaddr *) & client, &len) < 0) { @@ -298,7 +524,7 @@ diff -upNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.mludvig/hosts_access #endif } #ifdef INET6 -@@ -129,8 +125,8 @@ struct request_info *request; +@@ -129,8 +125,8 @@ len = sizeof(server); if (getsockname(fd, (struct sockaddr *) & server, &len) < 0) { @@ -309,7 +535,7 @@ diff -upNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.mludvig/hosts_access } #ifdef INET6 request->server->sin = (struct sockaddr *)&server; -@@ -150,18 +146,18 @@ struct host_info *host; +@@ -150,18 +146,18 @@ int alen; if (!sin) @@ -339,7 +565,7 @@ diff -upNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.mludvig/hosts_access } host->addr[0] = '\0'; inet_ntop(sin->sa_family, ap, host->addr, sizeof(host->addr)); -@@ -169,30 +165,139 @@ struct host_info *host; +@@ -169,30 +165,139 @@ struct sockaddr_in *sin = host->sin; if (sin != 0) @@ -494,7 +720,7 @@ diff -upNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.mludvig/hosts_access int i; /* -@@ -202,163 +307,76 @@ struct host_info *host; +@@ -202,163 +307,76 @@ * have to special-case 0.0.0.0, in order to avoid false alerts from the * host name/address checking code below. */ @@ -717,202 +943,8 @@ diff -upNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.mludvig/hosts_access /* sock_sink - absorb unreceived IP datagram */ -diff -upNr tcp_wrappers_7.6/ip6utils.c tcp_wrappers_7.6.mludvig/ip6utils.c ---- tcp_wrappers_7.6/ip6utils.c 1970-01-01 01:00:00.000000000 +0100 -+++ tcp_wrappers_7.6.mludvig/ip6utils.c 2002-11-29 14:31:52.000000000 +0100 -@@ -0,0 +1,152 @@ -+#include -+#include -+#include -+#include -+#include -+ -+#include "ip6utils.h" -+ -+/* inet_pton_mapped() -+ - works like inet_pton(3) but always returns IPv6 address -+ in dst - either "real" or v4mapped (::ffff:1.2.3.4) in -+ the case, when src points to IPv4 address (eg. to 1.2.3.4). */ -+int -+inet_pton_mapped (int af, const char *src, void *dst) -+{ -+ int ret; -+ -+ /* Mapped address is v6. */ -+ if (af != AF_INET6) -+ { -+ errno = EAFNOSUPPORT; -+ return -1; -+ } -+ -+ /* We must put the result somewhere. */ -+ if (!dst) -+ { -+ errno = EFAULT; -+ return -1; -+ } -+ -+ /* First try whether the address IPv6. */ -+ ret = inet_pton (AF_INET6, src, dst); -+ if (ret > 0) -+ return ret; -+ -+ /* Because we're here, it apparently wasn't IPv6. Try IPv4 now. */ -+ ret = inet_pton (AF_INET, src, &((struct in6_addr *)dst)->s6_addr32[3]); -+ if (ret > 0) -+ { -+ /* Good, it was IPv4, map it now. */ -+ ((struct in6_addr *)dst)->s6_addr32[0] = 0; -+ ((struct in6_addr *)dst)->s6_addr32[1] = 0; -+ ((struct in6_addr *)dst)->s6_addr32[2] = htonl(0x0000ffffL); -+ } -+ return ret; -+} -+ -+/* inet_ntop2() -+ - works like inet_ntop(3) but doesn't need an external -+ buffer. Usefull eg. for printing addresses via printf(). */ -+const char * -+inet_ntop2 (int af, const void *src) -+{ -+ static char address[INET6_ADDRSTRLEN]; -+ -+ return inet_ntop(af, src, address, sizeof(address)); -+} -+ -+/* sa_map_v4_to_v6() -+ - Take an IPv4 address in first argument and map it to -+ IPv4-mapped (::ffff:1.2.3.4) IPv6 address. */ -+struct sockaddr_in6 * -+sa_map_v4_to_v6 (struct sockaddr_in *sin, struct sockaddr_in6 *sin6) -+{ -+ /* Both pointers must be not-NULL or we'll segfault. */ -+ if (!sin || !sin6) -+ { -+ errno = EFAULT; -+ return NULL; -+ } -+ -+ /* We can map only IPv4 addresses. */ -+ if (sin->sin_family != AF_INET) -+ return NULL; -+ -+ /* Map it now... */ -+ memset(sin6, 0, sizeof(*sin6)); -+ -+ sin6->sin6_family = AF_INET6; -+ sin6->sin6_port = sin->sin_port; -+ sin6->sin6_addr.s6_addr16[5] = 0xffff; -+ sin6->sin6_addr.s6_addr32[3] = sin->sin_addr.s_addr; -+ -+ return sin6; -+} -+ -+/* is_v4_string(), is_v6_string() -+ - Return 1 when src is a string representing a valid -+ IPv4, resp. IPv6 address. Return 0 otherwise. */ -+int -+is_v4_string (const char *src) -+{ -+ struct in_addr result; -+ -+ return (inet_pton (AF_INET, src, &result) > 0); -+} -+ -+int -+is_v6_string (const char *src) -+{ -+ struct in6_addr result; -+ -+ return (inet_pton (AF_INET6, src, &result) > 0); -+} -+ -+/* apply_v6_prefix() -+ - mask the address given in 'src' with 'prefixlen' netmask. Clear -+ all bits not covered by prefixlen. */ -+int -+apply_v6_prefix (struct in6_addr *src, int prefixlen) -+{ -+ int i; -+ -+ /* Check prefix for a valid length. */ -+ if (prefixlen < 0 || prefixlen > 128) -+ return -1; -+ -+ /* Prefixes will quite often end up on 16b boundary, -+ so we'll walk thorugh 16b blocks and possibly avoid -+ creating bitmasks. */ -+ for (i=0; i<8; i++) -+ { -+ /* Prefix fully covers this block -> leave as is. */ -+ if (prefixlen >= (i+1)*16) -+ continue; -+ /* Prefix doesn't cover this block -> zero it. */ -+ if (prefixlen <= i*16) -+ { -+ src->s6_addr16[i] = 0; -+ continue; -+ } -+ /* Prefix ends somewhere inside in this block. Let's -+ build and apply a bitmask for this block. */ -+ { -+ uint16_t mask=0; -+ int bits; -+ -+ bits = prefixlen - i*16; -+ -+ while (bits) -+ { -+ mask |= (1 << (16-bits)); -+ bits --; -+ } -+ -+ src->s6_addr16[i] &= htons(mask); -+ } -+ } -+ -+ return 0; -+} -diff -upNr tcp_wrappers_7.6/ip6utils.h tcp_wrappers_7.6.mludvig/ip6utils.h ---- tcp_wrappers_7.6/ip6utils.h 1970-01-01 01:00:00.000000000 +0100 -+++ tcp_wrappers_7.6.mludvig/ip6utils.h 2002-11-29 12:53:06.000000000 +0100 -@@ -0,0 +1,33 @@ -+#ifndef IP6UTILS_H -+#define IP6UTILS_H -+ -+/* inet_pton_mapped() -+ - works like inet_pton(3) but always returns IPv6 address -+ in dst - either "real" or v4mapped (::ffff:1.2.3.4) in -+ the case, when src points to IPv4 address (eg. to 1.2.3.4). -+ Return value is as with inet_pton(), dst remains untouched on -+ an address translation failure. */ -+int inet_pton_mapped (int af, const char *src, void *dst); -+ -+/* inet_ntop2() -+ - works like inet_ntop(3) but doesn't need an external -+ buffer. Usefull eg. for printing addresses via printf(). */ -+const char *inet_ntop2 (int af, const void *src); -+ -+/* sa_map_v4_to_v6() -+ - Take an IPv4 address in form 1.2.3.4 and map it to -+ IPv4-mapped form ::ffff:1.2.3.4 */ -+struct sockaddr_in6 *sa_map_v4_to_v6 (struct sockaddr_in *sin, struct sockaddr_in6 *sin6); -+ -+/* is_v4_string(), is_v6_string() -+ - Return 1 when src is a string representing a valid -+ IPv4, resp. IPv6 address. Return 0 otherwise. */ -+int is_v4_string (const char *src); -+int is_v6_string (const char *src); -+ -+/* apply_v6_prefix() -+ - mask the address given in 'src' with 'prefixlen' netmask. Clear -+ all bits not covered by prefixlen. Return -1 on a failure, else 0. */ -+int apply_v6_prefix (struct in6_addr *src, int prefixlen); -+ -+#endif /* IP6UTILS_H */ -diff -upNr tcp_wrappers_7.6/tcpd.h tcp_wrappers_7.6.mludvig/tcpd.h ---- tcp_wrappers_7.6/tcpd.h 2002-11-29 16:09:02.000000000 +0100 -+++ tcp_wrappers_7.6.mludvig/tcpd.h 2002-11-29 12:54:16.000000000 +0100 +--- tcpd.h ++++ tcpd.h @@ -10,6 +10,8 @@ #include #endif @@ -922,40 +954,3 @@ diff -upNr tcp_wrappers_7.6/tcpd.h tcp_wrappers_7.6.mludvig/tcpd.h /* Structure to describe one communications endpoint. */ #define STRING_LENGTH 128 /* hosts, users, processes */ -diff -upNr tcp_wrappers_7.6/Makefile tcp_wrappers_7.6.mludvig/Makefile ---- tcp_wrappers_7.6/Makefile 2002-11-29 16:09:02.000000000 +0100 -+++ tcp_wrappers_7.6.mludvig/Makefile 2002-11-29 12:54:04.000000000 +0100 -@@ -1,5 +1,7 @@ - # @(#) Makefile 1.23 97/03/21 19:27:20 - -+really-all: linux -+ - what: - @echo - @echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:" -@@ -670,7 +672,7 @@ CFLAGS = -O2 -pipe -DFACILITY=$(FACILITY - LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \ - hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \ - $(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \ -- update.o misc.o diag.o percent_m.o myvsyslog.o -+ update.o misc.o diag.o percent_m.o myvsyslog.o ip6utils.o - - FROM_OBJ= fromhost.o - -@@ -683,6 +685,7 @@ KIT = README miscd.c tcpd.c fromhost.c h - tli-sequent.h misc.c diag.c ncr.c tcpdchk.c percent_m.c \ - myvsyslog.c mystdarg.h printf.ck README.IRIX Banners.Makefile \ - refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \ -+ ip6utils.c ip6utils.h \ - scaffold.h tcpdmatch.8 README.NIS - - LIB = libwrap.a -@@ -812,6 +815,7 @@ printfck: - - # Internal compilation dependencies. - -+tcpd.h: ip6utils.h - clean_exit.o: cflags - clean_exit.o: tcpd.h - diag.o: cflags - diff --git a/tcp_wrappers_7.6-ipv6.fix.fix.diff b/tcp_wrappers_7.6-ipv6.fix.fix.diff index eb8bfb4..eae9179 100644 --- a/tcp_wrappers_7.6-ipv6.fix.fix.diff +++ b/tcp_wrappers_7.6-ipv6.fix.fix.diff @@ -1,5 +1,5 @@ ---- hosts_access.c 2003/03/15 15:12:36 1.1 -+++ hosts_access.c 2003/03/15 15:47:18 +--- hosts_access.c ++++ hosts_access.c @@ -354,7 +354,26 @@ /* If prefix was given, handle it */ if ((mask = split_at(token, '/')) != 0) diff --git a/tcp_wrappers_7.6-nonvoid.diff b/tcp_wrappers_7.6-nonvoid.diff index d0fac79..d33e3e3 100644 --- a/tcp_wrappers_7.6-nonvoid.diff +++ b/tcp_wrappers_7.6-nonvoid.diff @@ -59,7 +59,7 @@ /* severity_option - change logging severity for this event (Dave Mitchell) */ --- tcpd.c +++ tcpd.c -@@ -131,4 +131,5 @@ +@@ -132,4 +132,5 @@ syslog(LOG_ERR, "error: cannot execute %s: %m", path); clean_exit(&request); /* NOTREACHED */ diff --git a/tcp_wrappers_7.6-prototypes.diff b/tcp_wrappers_7.6-prototypes.diff index 6f1c69c..bd6d3a3 100644 --- a/tcp_wrappers_7.6-prototypes.diff +++ b/tcp_wrappers_7.6-prototypes.diff @@ -1,37 +1,5 @@ ---- tcp_wrappers_7.6/inetcf.c.xx 2005-09-16 22:00:05.000000000 +0200 -+++ tcp_wrappers_7.6/inetcf.c 2005-09-16 22:13:38.000000000 +0200 -@@ -88,7 +88,7 @@ - } else { - for (i = 0; inet_files[i] && (fp = fopen(inet_files[i], "r")) == 0; i++) - /* void */ ; -- if (fp == 0) { -+ if (!fp) { - fprintf(stderr, "Cannot find your inetd.conf or tlid.conf file.\n"); - fprintf(stderr, "Please specify its location.\n"); - exit(1); ---- tcp_wrappers_7.6/ip6utils.c.xx 2005-09-16 22:00:35.000000000 +0200 -+++ tcp_wrappers_7.6/ip6utils.c 2005-09-16 22:13:38.000000000 +0200 -@@ -2,6 +2,7 @@ - #include - #include - #include -+#include - #include - - #include "ip6utils.h" ---- tcp_wrappers_7.6/options.c.xx 2005-09-16 22:05:35.000000000 +0200 -+++ tcp_wrappers_7.6/options.c 2005-09-16 22:13:38.000000000 +0200 -@@ -41,6 +41,8 @@ - #include - #include - #include -+#include -+#include - #include - #include - #include ---- tcp_wrappers_7.6/clean_exit.c.xx 2005-09-16 22:09:34.000000000 +0200 -+++ tcp_wrappers_7.6/clean_exit.c 2005-09-16 22:13:38.000000000 +0200 +--- clean_exit.c ++++ clean_exit.c @@ -13,6 +13,8 @@ #endif @@ -41,8 +9,62 @@ extern void exit(); ---- tcp_wrappers_7.6/shell_cmd.c.xx 2005-09-16 22:06:55.000000000 +0200 -+++ tcp_wrappers_7.6/shell_cmd.c 2005-09-16 22:13:38.000000000 +0200 +--- hosts_access.c ++++ hosts_access.c +@@ -31,6 +31,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +--- inetcf.c ++++ inetcf.c +@@ -88,7 +88,7 @@ + } else { + for (i = 0; inet_files[i] && (fp = fopen(inet_files[i], "r")) == 0; i++) + /* void */ ; +- if (fp == 0) { ++ if (!fp) { + fprintf(stderr, "Cannot find your inetd.conf or tlid.conf file.\n"); + fprintf(stderr, "Please specify its location.\n"); + exit(1); +--- ip6utils.c ++++ ip6utils.c +@@ -2,6 +2,7 @@ + #include + #include + #include ++#include + #include + + #include "ip6utils.h" +--- options.c ++++ options.c +@@ -41,6 +41,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +--- percent_x.c ++++ percent_x.c +@@ -18,6 +18,8 @@ + + #include + #include ++#include ++#include + #include + + extern void exit(); +--- shell_cmd.c ++++ shell_cmd.c @@ -15,9 +15,13 @@ /* System libraries. */ @@ -57,19 +79,8 @@ #include #include ---- tcp_wrappers_7.6/percent_x.c.xx 2005-09-16 22:09:19.000000000 +0200 -+++ tcp_wrappers_7.6/percent_x.c 2005-09-16 22:13:38.000000000 +0200 -@@ -18,6 +18,8 @@ - - #include - #include -+#include -+#include - #include - - extern void exit(); ---- tcp_wrappers_7.6/update.c.xx 2005-09-16 22:10:09.000000000 +0200 -+++ tcp_wrappers_7.6/update.c 2005-09-16 22:13:38.000000000 +0200 +--- update.c ++++ update.c @@ -21,6 +21,7 @@ #include @@ -78,14 +89,3 @@ #include /* Local stuff. */ ---- tcp_wrappers_7.6/hosts_access.c.xx 2005-09-16 22:12:08.000000000 +0200 -+++ tcp_wrappers_7.6/hosts_access.c 2005-09-16 22:13:38.000000000 +0200 -@@ -31,6 +31,8 @@ - #include - #include - #include -+#include -+#include - #include - #include - #include diff --git a/tcp_wrappers_7.6-shared-lib.diff b/tcp_wrappers_7.6-shared-lib.diff index 4ed2a5e..2beed23 100644 --- a/tcp_wrappers_7.6-shared-lib.diff +++ b/tcp_wrappers_7.6-shared-lib.diff @@ -159,5 +159,5 @@ +#ifdef HAVE_WEAKSYMS +#include +int deny_severity = LOG_WARNING; -+int allow_severity = SEVERITY; ++int allow_severity = SEVERITY; +#endif diff --git a/tcp_wrappers_7.6-shared-lib2.diff b/tcp_wrappers_7.6-shared-lib2.diff new file mode 100644 index 0000000..cd2a21a --- /dev/null +++ b/tcp_wrappers_7.6-shared-lib2.diff @@ -0,0 +1,18 @@ +--- tcpd.h ++++ tcpd.h +@@ -126,10 +126,15 @@ + */ + + #ifdef __STDC__ ++extern int hosts_access(struct request_info *request); ++extern int hosts_ctl(char *daemon, char *client_name, char *client_addr, ++ char *client_user); + extern struct request_info *request_init(struct request_info *,...); + extern struct request_info *request_set(struct request_info *,...); + extern int hosts_ctl(char *daemon, char *client_name, char *client_addr, char *client_user); + #else ++extern int hosts_access(); ++extern int hosts_ctl(); + extern struct request_info *request_init(); /* initialize request */ + extern struct request_info *request_set(); /* update request structure */ + #endif diff --git a/tcp_wrappers_7.6.dif b/tcp_wrappers_7.6.diff similarity index 96% rename from tcp_wrappers_7.6.dif rename to tcp_wrappers_7.6.diff index c52be2a..7360733 100644 --- a/tcp_wrappers_7.6.dif +++ b/tcp_wrappers_7.6.diff @@ -121,7 +121,7 @@ + --- hosts_access.c +++ hosts_access.c -@@ -36,6 +36,7 @@ +@@ -33,6 +33,7 @@ #include #include #include @@ -129,11 +129,10 @@ extern char *fgets(); extern int errno; -@@ -95,6 +96,33 @@ - #define BUFLEN 2048 +@@ -89,6 +90,33 @@ /* hosts_access - host access control facility */ -+ + +int +yp_get_default_domain (char **outdomain) +{ @@ -160,9 +159,10 @@ + return result; +} + - ++ int hosts_access(request) struct request_info *request; + { --- safe_finger.c +++ safe_finger.c @@ -31,7 +31,7 @@ @@ -176,18 +176,24 @@ #define INPUT_LENGTH 100000 /* Do not keep listinging forever */ --- scaffold.c +++ scaffold.c -@@ -334,10 +334,11 @@ +@@ -180,10 +180,17 @@ /* ARGSUSED */ -void rfc931(request) -struct request_info *request; -+void rfc931(request, dummy1, dummy2) -+struct sockaddr *request, *dummy1; -+char *dummy2; ++void rfc931(rmt_sin, our_sin, dest) ++#ifndef INET6 ++struct sockaddr_in *rmt_sin; ++struct sockaddr_in *our_sin; ++#else ++struct sockaddr *rmt_sin; ++struct sockaddr *our_sin; ++#endif ++char *dest; { - strcpy(request->user, unknown); -+ strcpy(((struct request_info *)request)->user, unknown); ++ strcpy(dest, unknown); } /* check_path - examine accessibility */ @@ -206,7 +212,7 @@ /* Structure to describe one communications endpoint. */ #define STRING_LENGTH 128 /* hosts, users, processes */ -@@ -65,11 +71,26 @@ +@@ -61,11 +67,26 @@ /* Global functions. */ #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT) @@ -233,7 +239,7 @@ extern int hosts_access(); /* access control */ extern void shell_cmd(); /* execute shell command */ extern char *percent_x(); /* do % expansion */ -@@ -79,6 +100,7 @@ +@@ -75,6 +96,7 @@ extern char *xgets(); /* fgets() on steroids */ extern char *split_at(); /* strchr() and split */ extern unsigned long dot_quad_addr(); /* restricted inet_addr() */ @@ -241,7 +247,7 @@ /* Global variables. */ -@@ -121,28 +143,47 @@ +@@ -117,28 +139,47 @@ * host_info structures serve as caches for the lookup results. */ @@ -289,7 +295,7 @@ /* * Problem reporting interface. Additional file/line context is reported -@@ -182,42 +223,74 @@ +@@ -178,42 +219,74 @@ * behavior. */ @@ -362,5 +368,5 @@ +extern char *my_strtok(char *, char *); +#else extern char *my_strtok(); -+#endif #endif ++#endif diff --git a/tcpd.changes b/tcpd.changes index 4ea0cc5..9eb667f 100644 --- a/tcpd.changes +++ b/tcpd.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Mon Oct 13 18:29:57 CEST 2008 - prusnak@suse.cz + +- applied patches from Fedora package + * fedora-bug11881.diff - replace sprintf with snprintf + * fedora-bug17795.diff - add hostfile matching + * fedora-bug17847.diff - add wildcard matching + * fedora-bug141110.diff - fix table_match usage + * fedora-bug220015.diff - add sock_hostnofd function + * fedora-docu.diff - fix manpage + * fedora-fixgethostbyname.diff - fix gethostbyname usage + * fedora-sig.diff - fix signal usage + * fedora-sigalarm.diff - fix signal usage + * fedora-sigchld.diff - fix signal usage + * fedora-sigjmp.diff - fix signal usage + * fedora-strerror.diff - fix strerror usage + ------------------------------------------------------------------- Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de diff --git a/tcpd.spec b/tcpd.spec index 318479b..b95b818 100644 --- a/tcpd.spec +++ b/tcpd.spec @@ -2,9 +2,16 @@ # spec file for package tcpd (Version 7.6) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. -# This file and all modifications and additions to the pristine -# package are under the same license as the package itself. # +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + # Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -16,13 +23,14 @@ Url: ftp://ftp.porcupine.org/pub/security/index.html License: BSD 3-Clause Group: Productivity/Networking/System Provides: nkitb:/usr/sbin/tcpd +BuildRequires: linux-kernel-headers AutoReqProv: on Version: 7.6 -Release: 820 +Release: 854 Summary: A security wrapper for TCP daemons Source: tcp_wrappers_%{version}.tar.bz2 -Patch: tcp_wrappers_%{version}.dif -Patch1: tcp_wrappers_%{version}-ipv6-1.6.diff.gz +Patch0: tcp_wrappers_%{version}.diff +Patch1: tcp_wrappers_%{version}-ipv6-1.6.diff Patch2: tcp_wrappers_%{version}-ipv6-fix.diff Patch3: tcp_wrappers_%{version}-ipv6.fix.fix.diff Patch4: tcp_wrappers_%{version}-ipv6.fix.fix2.diff @@ -31,11 +39,24 @@ Patch6: tcp_wrappers_%{version}-fix_options-fix.diff Patch7: tcp_wrappers_%{version}-shared-lib.diff Patch8: tcp_wrappers_%{version}-builtin.diff Patch9: tcp_wrappers_%{version}-multi_local_interfaces-fix.diff -Patch10: tcp_wrappers_7.6-optflags.diff -Patch11: tcp_wrappers_7.6-nonvoid.diff -Patch12: tcp_wrappers_7.6-prototypes.diff -Patch13: tcp_wrappers_7.6-hosts_ctl.diff -Patch14: tcp_wrappers_7.6-uninitialized.diff +Patch10: tcp_wrappers_%{version}-optflags.diff +Patch11: tcp_wrappers_%{version}-nonvoid.diff +Patch12: tcp_wrappers_%{version}-prototypes.diff +Patch13: tcp_wrappers_%{version}-hosts_ctl.diff +Patch14: tcp_wrappers_%{version}-uninitialized.diff +Patch15: tcp_wrappers_%{version}-fedora-bug11881.diff +Patch16: tcp_wrappers_%{version}-fedora-bug141110.diff +Patch17: tcp_wrappers_%{version}-fedora-docu.diff +Patch18: tcp_wrappers_%{version}-fedora-sig.diff +Patch19: tcp_wrappers_%{version}-fedora-sigchld.diff +Patch20: tcp_wrappers_%{version}-fedora-sigjmp.diff +Patch21: tcp_wrappers_%{version}-fedora-sigalarm.diff +Patch22: tcp_wrappers_%{version}-fedora-strerror.diff +Patch23: tcp_wrappers_%{version}-fedora-fixgethostbyname.diff +Patch24: tcp_wrappers_%{version}-fedora-bug220015.diff +Patch25: tcp_wrappers_%{version}-shared-lib2.diff +Patch26: tcp_wrappers_%{version}-fedora-bug17795.diff +Patch27: tcp_wrappers_%{version}-fedora-bug17847.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -53,7 +74,6 @@ Authors: License: BSD 3-Clause Summary: Include Files and Libraries for the TCP wrapper library Group: Productivity/Networking/System -Prefix: %{_prefix} Requires: %{name} = %{version} Requires: glibc-devel @@ -64,10 +84,10 @@ to compile and link programs against the TCP wrapper library. %prep -%setup -n tcp_wrappers_%{version} -%patch1 -p2 -%patch -%patch2 -p1 +%setup -q -n tcp_wrappers_%{version} +%patch0 +%patch1 +%patch2 %patch3 %patch4 %patch5 @@ -77,55 +97,81 @@ to compile and link programs against the TCP wrapper library. %patch9 %patch10 %patch11 -%patch12 -p1 +%patch12 %patch13 %patch14 +%patch15 +%patch16 +%patch17 +%patch18 +%patch19 +%patch20 +%patch21 +%patch22 +%patch23 +%patch24 +%patch25 +%patch26 +%patch27 %build -#RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fPIE -Wformat=2" +# make RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fPIC -DPIC -D_REENTRANT -DHAVE_STRERROR" LDFLAGS="-pie" MAJOR=%{LIB_MAJOR} MINOR=%{LIB_MINOR} REL=%{LIB_REL} linux make linux %install -install -d -m 755 $RPM_BUILD_ROOT/usr/{%{_lib},include,sbin} +install -d -m 755 $RPM_BUILD_ROOT%{_includedir} +install -d -m 755 $RPM_BUILD_ROOT%{_libdir} +install -d -m 755 $RPM_BUILD_ROOT%{_sbindir} install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man{1,3,5,8} -install -m 755 tcpd tcpdchk tcpdmatch safe_finger try-from $RPM_BUILD_ROOT/usr/sbin/ -install -m 644 tcpd.8 tcpdchk.8 tcpdmatch.8 $RPM_BUILD_ROOT%{_mandir}/man8/ -install -m 644 hosts_access.3 $RPM_BUILD_ROOT%{_mandir}/man3/ -install -m 644 hosts_access.5 hosts_options.5 $RPM_BUILD_ROOT%{_mandir}/man5/ -install -m 644 libwrap.a $RPM_BUILD_ROOT/%{_libdir} -install -m 644 tcpd.h $RPM_BUILD_ROOT/usr/include/ -install -m 644 ip6utils.h $RPM_BUILD_ROOT/usr/include/ install -d -m 755 $RPM_BUILD_ROOT/%{_lib} +install -m 644 ip6utils.h tcpd.h $RPM_BUILD_ROOT%{_includedir} +install -m 644 libwrap.a $RPM_BUILD_ROOT/%{_libdir} +install -m 755 safe_finger tcpd tcpdchk tcpdmatch try-from $RPM_BUILD_ROOT%{_sbindir} +install -m 644 hosts_access.3 $RPM_BUILD_ROOT%{_mandir}/man3 +install -m 644 hosts_access.5 hosts_options.5 $RPM_BUILD_ROOT%{_mandir}/man5 +install -m 644 tcpd.8 tcpdchk.8 tcpdmatch.8 $RPM_BUILD_ROOT%{_mandir}/man8 install -m 644 shared/libwrap.so.0.%{version} $RPM_BUILD_ROOT/%{_lib} cd $RPM_BUILD_ROOT/%{_lib} ln -sf libwrap.so.0.%{version} libwrap.so.0 -cd $RPM_BUILD_ROOT/%{_libdir} +cd $RPM_BUILD_ROOT%{_libdir} ln -sf /%{_lib}/libwrap.so.0.%{version} libwrap.so %clean -[ -d %{buildroot} -a "%{buildroot}" != "" ] && rm -rf %{buildroot} +[ -d $RPM_BUILD_ROOT -a "$RPM_BUILD_ROOT" != "" ] && rm -rf $RPM_BUILD_ROOT -%post -%run_ldconfig +%post -p /sbin/ldconfig -%postun -%run_ldconfig +%postun -p /sbin/ldconfig %files %defattr(644,root,root,755) %doc BLURB CHANGES DISCLAIMER README README.ipv6 README.NIS -%attr(755,root,root) /%{_lib}/libwrap.so.* %doc %{_mandir}/man?/* -%attr(755,root,root) /usr/sbin/* +%attr(755,root,root) /%{_lib}/libwrap.so.* +%attr(755,root,root) %{_sbindir}/* %files devel %defattr(644,root,root,755) -/usr/include/tcpd.h -/usr/include/ip6utils.h +%{_includedir}/tcpd.h +%{_includedir}/ip6utils.h %{_libdir}/libwrap.a %{_libdir}/libwrap.so %changelog +* Mon Oct 13 2008 prusnak@suse.cz +- applied patches from Fedora package + * fedora-bug11881.diff - replace sprintf with snprintf + * fedora-bug17795.diff - add hostfile matching + * fedora-bug17847.diff - add wildcard matching + * fedora-bug141110.diff - fix table_match usage + * fedora-bug220015.diff - add sock_hostnofd function + * fedora-docu.diff - fix manpage + * fedora-fixgethostbyname.diff - fix gethostbyname usage + * fedora-sig.diff - fix signal usage + * fedora-sigalarm.diff - fix signal usage + * fedora-sigchld.diff - fix signal usage + * fedora-sigjmp.diff - fix signal usage + * fedora-strerror.diff - fix strerror usage * Thu Apr 10 2008 ro@suse.de - added baselibs.conf file to build xxbit packages for multilib support