From 5a12f03c680c41791f7036384fa821fb77991d33 Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Wed, 26 May 2010 09:53:08 -0700 Subject: tcp-wrappers: Add .patch extention to patch files. Signed-off-by: Khem Raj --- .../tcp-wrappers-7.6/01_man_portability | 248 ---- .../tcp-wrappers-7.6/01_man_portability.patch | 248 ++++ .../tcp-wrappers-7.6/05_wildcard_matching | 103 -- .../tcp-wrappers-7.6/05_wildcard_matching.patch | 103 ++ .../tcp-wrappers-7.6/06_fix_gethostbyname | 30 - .../tcp-wrappers-7.6/06_fix_gethostbyname.patch | 30 + .../tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6 | 1253 -------------------- .../tcp-wrappers-7.6/10_usagi-ipv6.patch | 1253 ++++++++++++++++++++ .../tcp-wrappers-7.6/11_tcpd_blacklist | 151 --- .../tcp-wrappers-7.6/11_tcpd_blacklist.patch | 151 +++ recipes/tcp-wrappers/tcp-wrappers-7.6/11_usagi_fix | 45 - .../tcp-wrappers-7.6/11_usagi_fix.patch | 45 + .../tcp-wrappers-7.6/12_makefile_config | 81 -- .../tcp-wrappers-7.6/12_makefile_config.patch | 81 ++ .../tcp-wrappers/tcp-wrappers-7.6/13_shlib_weaksym | 253 ---- .../tcp-wrappers-7.6/13_shlib_weaksym.patch | 253 ++++ .../tcp-wrappers/tcp-wrappers-7.6/14_cidr_support | 66 -- .../tcp-wrappers-7.6/14_cidr_support.patch | 66 ++ .../tcp-wrappers/tcp-wrappers-7.6/15_match_clarify | 12 - .../tcp-wrappers-7.6/15_match_clarify.patch | 12 + .../tcp-wrappers-7.6/expand_remote_port | 71 -- .../tcp-wrappers-7.6/expand_remote_port.patch | 71 ++ .../tcp-wrappers/tcp-wrappers-7.6/have_strerror | 19 - .../tcp-wrappers-7.6/have_strerror.patch | 19 + recipes/tcp-wrappers/tcp-wrappers-7.6/ldflags | 43 - .../tcp-wrappers/tcp-wrappers-7.6/ldflags.patch | 43 + recipes/tcp-wrappers/tcp-wrappers-7.6/man_fromhost | 21 - .../tcp-wrappers-7.6/man_fromhost.patch | 21 + .../tcp-wrappers/tcp-wrappers-7.6/restore_sigalarm | 37 - .../tcp-wrappers-7.6/restore_sigalarm.patch | 37 + recipes/tcp-wrappers/tcp-wrappers-7.6/safe_finger | 29 - .../tcp-wrappers-7.6/safe_finger.patch | 29 + recipes/tcp-wrappers/tcp-wrappers-7.6/sig_fix | 34 - .../tcp-wrappers/tcp-wrappers-7.6/sig_fix.patch | 34 + recipes/tcp-wrappers/tcp-wrappers-7.6/siglongjmp | 30 - .../tcp-wrappers/tcp-wrappers-7.6/siglongjmp.patch | 30 + recipes/tcp-wrappers/tcp-wrappers-7.6/size_t | 42 - recipes/tcp-wrappers/tcp-wrappers-7.6/size_t.patch | 42 + .../tcp-wrappers-7.6/tcpdchk_libwrapped | 39 - .../tcp-wrappers-7.6/tcpdchk_libwrapped.patch | 39 + recipes/tcp-wrappers/tcp-wrappers_7.6.bb | 40 +- 41 files changed, 2627 insertions(+), 2627 deletions(-) delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/01_man_portability create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6 create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/11_tcpd_blacklist.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/11_usagi_fix create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/11_usagi_fix.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/12_makefile_config create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/12_makefile_config.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/13_shlib_weaksym create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/13_shlib_weaksym.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/14_cidr_support create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/14_cidr_support.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/15_match_clarify create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/15_match_clarify.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/expand_remote_port create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/expand_remote_port.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/have_strerror create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/have_strerror.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/ldflags create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/ldflags.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/man_fromhost create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/man_fromhost.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/restore_sigalarm create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/restore_sigalarm.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/safe_finger create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/safe_finger.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/sig_fix create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/sig_fix.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/siglongjmp create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/siglongjmp.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/size_t create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/size_t.patch delete mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/tcpdchk_libwrapped create mode 100644 recipes/tcp-wrappers/tcp-wrappers-7.6/tcpdchk_libwrapped.patch diff --git a/recipes/tcp-wrappers/tcp-wrappers-7.6/01_man_portability b/recipes/tcp-wrappers/tcp-wrappers-7.6/01_man_portability deleted file mode 100644 index 4963f82eb8..0000000000 --- a/recipes/tcp-wrappers/tcp-wrappers-7.6/01_man_portability +++ /dev/null @@ -1,248 +0,0 @@ -diff -ruNp tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3 ---- tcp_wrappers_7.6.orig/hosts_access.3 2005-03-09 18:30:25.000000000 +0100 -+++ tcp_wrappers_7.6/hosts_access.3 2005-03-09 18:27:03.000000000 +0100 -@@ -3,7 +3,7 @@ - hosts_access, hosts_ctl, request_init, request_set \- access control library - .SH SYNOPSIS - .nf --#include "tcpd.h" -+#include - - extern int allow_severity; - extern int deny_severity; -diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 ---- tcp_wrappers_7.6.orig/hosts_access.5 2005-03-09 18:30:25.000000000 +0100 -+++ tcp_wrappers_7.6/hosts_access.5 2005-03-09 18:30:18.000000000 +0100 -@@ -8,9 +8,9 @@ name, host name/address) patterns. Exam - impatient reader is encouraged to skip to the EXAMPLES section for a - quick introduction. - .PP --An extended version of the access control language is described in the --\fIhosts_options\fR(5) document. The extensions are turned on at --program build time by building with -DPROCESS_OPTIONS. -+The extended version of the access control language is described in the -+\fIhosts_options\fR(5) document. \fBNote that this language supersedes -+the meaning of \fIshell_command\fB as documented below.\fR - .PP - In the following text, \fIdaemon\fR is the the process name of a - network daemon process, and \fIclient\fR is the name and/or address of -@@ -346,8 +346,8 @@ in.tftpd: LOCAL, .my.domain - /etc/hosts.deny: - .in +3 - .nf --in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\ -- /usr/ucb/mail -s %d-%h root) & -+in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\ -+ /usr/bin/mail -s %d-%h root) & - .fi - .PP - The safe_finger command comes with the tcpd wrapper and should be -@@ -383,6 +383,7 @@ that shouldn\'t. All problems are repor - .fi - .SH SEE ALSO - .nf -+hosts_options(5) extended syntax. - tcpd(8) tcp/ip daemon wrapper program. - tcpdchk(8), tcpdmatch(8), test programs. - .SH BUGS -diff -ruNp tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5 ---- tcp_wrappers_7.6.orig/hosts_options.5 2005-03-09 18:30:24.000000000 +0100 -+++ tcp_wrappers_7.6/hosts_options.5 2005-03-09 18:27:03.000000000 +0100 -@@ -2,10 +2,8 @@ - .SH NAME - hosts_options \- host access control language extensions - .SH DESCRIPTION --This document describes optional extensions to the language described --in the hosts_access(5) document. The extensions are enabled at program --build time. For example, by editing the Makefile and turning on the --PROCESS_OPTIONS compile-time option. -+This document describes extensions to the language described -+in the hosts_access(5) document. - .PP - The extensible language uses the following format: - .sp -@@ -58,12 +56,12 @@ Notice the leading dot on the domain nam - Execute, in a child process, the specified shell command, after - performing the % expansions described in the hosts_access(5) - manual page. The command is executed with stdin, stdout and stderr --connected to the null device, so that it won\'t mess up the -+connected to the null device, so that it won't mess up the - conversation with the client host. Example: - .sp - .nf - .ti +3 --spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) & -+spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) & - .fi - .sp - executes, in a background child process, the shell command "safe_finger -diff -ruNp tcp_wrappers_7.6.orig/inetcf.c tcp_wrappers_7.6/inetcf.c ---- tcp_wrappers_7.6.orig/inetcf.c 1997-02-12 02:13:24.000000000 +0100 -+++ tcp_wrappers_7.6/inetcf.c 2005-03-09 18:27:03.000000000 +0100 -@@ -26,13 +26,17 @@ extern void exit(); - * guesses. Shorter names follow longer ones. - */ - char *inet_files[] = { -+#if 0 - "/private/etc/inetd.conf", /* NEXT */ - "/etc/inet/inetd.conf", /* SYSV4 */ - "/usr/etc/inetd.conf", /* IRIX?? */ -+#endif - "/etc/inetd.conf", /* BSD */ -+#if 0 - "/etc/net/tlid.conf", /* SYSV4?? */ - "/etc/saf/tlid.conf", /* SYSV4?? */ - "/etc/tlid.conf", /* SYSV4?? */ -+#endif - 0, - }; - -diff -ruNp tcp_wrappers_7.6.orig/tcpd.8 tcp_wrappers_7.6/tcpd.8 ---- tcp_wrappers_7.6.orig/tcpd.8 1996-02-21 16:39:16.000000000 +0100 -+++ tcp_wrappers_7.6/tcpd.8 2005-03-09 18:27:03.000000000 +0100 -@@ -12,7 +12,11 @@ The program supports both 4.3BSD-style s - TLI. Functionality may be limited when the protocol underneath TLI is - not an internet protocol. - .PP --Operation is as follows: whenever a request for service arrives, the -+There are two possible modes of operation: execution of \fItcpd\fP -+before a service started by \fIinetd\fP, or linking a daemon with -+the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3) -+manual page. Operation when started by \fIinetd\fP -+is as follows: whenever a request for service arrives, the - \fIinetd\fP daemon is tricked into running the \fItcpd\fP program - instead of the desired server. \fItcpd\fP logs the request and does - some additional checks. When all is well, \fItcpd\fP runs the -@@ -88,11 +92,11 @@ configuration files. - .sp - .in +5 - # mkdir /other/place --# mv /usr/etc/in.fingerd /other/place --# cp tcpd /usr/etc/in.fingerd -+# mv /usr/sbin/in.fingerd /other/place -+# cp tcpd /usr/sbin/in.fingerd - .fi - .PP --The example assumes that the network daemons live in /usr/etc. On some -+The example assumes that the network daemons live in /usr/sbin. On some - systems, network daemons live in /usr/sbin or in /usr/libexec, or have - no `in.\' prefix to their name. - .SH EXAMPLE 2 -@@ -101,35 +105,34 @@ are left in their original place. - .PP - In order to monitor access to the \fIfinger\fR service, perform the - following edits on the \fIinetd\fR configuration file (usually --\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR): -+\fI/etc/inetd.conf\fR): - .nf - .sp - .ti +5 --finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd -+finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd - .sp - becomes: - .sp - .ti +5 --finger stream tcp nowait nobody /some/where/tcpd in.fingerd -+finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd - .sp - .fi - .PP --The example assumes that the network daemons live in /usr/etc. On some -+The example assumes that the network daemons live in /usr/sbin. On some - systems, network daemons live in /usr/sbin or in /usr/libexec, the - daemons have no `in.\' prefix to their name, or there is no userid - field in the inetd configuration file. - .PP - Similar changes will be needed for the other services that are to be - covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8) --process to make the changes effective. AIX users may also have to --execute the `inetimp\' command. -+process to make the changes effective. - .SH EXAMPLE 3 - In the case of daemons that do not live in a common directory ("secret" - or otherwise), edit the \fIinetd\fR configuration file so that it - specifies an absolute path name for the process name field. For example: - .nf - .sp -- ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd -+ ntalk dgram udp wait root /usr/sbin/tcpd /usr/local/lib/ntalkd - .sp - .fi - .PP -@@ -164,6 +167,7 @@ The default locations of the host access - .SH SEE ALSO - .na - .nf -+hosts_access(3), functions provided by the libwrap library. - hosts_access(5), format of the tcpd access control tables. - syslog.conf(5), format of the syslogd control file. - inetd.conf(5), format of the inetd control file. -diff -ruNp tcp_wrappers_7.6.orig/tcpdchk.8 tcp_wrappers_7.6/tcpdchk.8 ---- tcp_wrappers_7.6.orig/tcpdchk.8 1995-01-08 17:00:31.000000000 +0100 -+++ tcp_wrappers_7.6/tcpdchk.8 2005-03-09 18:27:03.000000000 +0100 -@@ -9,8 +9,8 @@ tcpdchk [-a] [-d] [-i inet_conf] [-v] - potential and real problems it can find. The program examines the - \fItcpd\fR access control files (by default, these are - \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the --entries in these files against entries in the \fIinetd\fR or \fItlid\fR --network configuration files. -+entries in these files against entries in the \fIinetd\fR -+network configuration file. - .PP - \fItcpdchk\fR reports problems such as non-existent pathnames; services - that appear in \fItcpd\fR access control rules, but are not controlled -@@ -26,14 +26,13 @@ problem. - .SH OPTIONS - .IP -a - Report access control rules that permit access without an explicit --ALLOW keyword. This applies only when the extended access control --language is enabled (build with -DPROCESS_OPTIONS). -+ALLOW keyword. - .IP -d - Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current - directory instead of the default ones. - .IP "-i inet_conf" - Specify this option when \fItcpdchk\fR is unable to find your --\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when -+\fIinetd.conf\fR network configuration file, or when - you suspect that the program uses the wrong one. - .IP -v - Display the contents of each access control rule. Daemon lists, client -@@ -54,7 +53,6 @@ tcpdmatch(8), explain what tcpd would do - hosts_access(5), format of the tcpd access control tables. - hosts_options(5), format of the language extensions. - inetd.conf(5), format of the inetd control file. --tlid.conf(5), format of the tlid control file. - .SH AUTHORS - .na - .nf -diff -ruNp tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8 ---- tcp_wrappers_7.6.orig/tcpdmatch.8 2005-03-09 18:30:24.000000000 +0100 -+++ tcp_wrappers_7.6/tcpdmatch.8 2005-03-09 18:27:03.000000000 +0100 -@@ -13,7 +13,7 @@ request for service. Examples are given - The program examines the \fItcpd\fR access control tables (default - \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR) and prints its - conclusion. For maximal accuracy, it extracts additional information --from your \fIinetd\fR or \fItlid\fR network configuration file. -+from your \fIinetd\fR network configuration file. - .PP - When \fItcpdmatch\fR finds a match in the access control tables, it - identifies the matched rule. In addition, it displays the optional -@@ -50,7 +50,7 @@ Examine \fIhosts.allow\fR and \fIhosts.d - directory instead of the default ones. - .IP "-i inet_conf" - Specify this option when \fItcpdmatch\fR is unable to find your --\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when -+\fIinetd.conf\fR network configuration file, or when - you suspect that the program uses the wrong one. - .SH EXAMPLES - To predict how \fItcpd\fR would handle a telnet request from the local -@@ -86,7 +86,6 @@ tcpdchk(8), tcpd configuration checker - hosts_access(5), format of the tcpd access control tables. - hosts_options(5), format of the language extensions. - inetd.conf(5), format of the inetd control file. --tlid.conf(5), format of the tlid control file. - .SH AUTHORS - .na - .nf diff --git a/recipes/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch b/recipes/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch new file mode 100644 index 0000000000..4963f82eb8 --- /dev/null +++ b/recipes/tcp-wrappers/tcp-wrappers-7.6/01_man_portability.patch @@ -0,0 +1,248 @@ +diff -ruNp tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3 +--- tcp_wrappers_7.6.orig/hosts_access.3 2005-03-09 18:30:25.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_access.3 2005-03-09 18:27:03.000000000 +0100 +@@ -3,7 +3,7 @@ + hosts_access, hosts_ctl, request_init, request_set \- access control library + .SH SYNOPSIS + .nf +-#include "tcpd.h" ++#include + + extern int allow_severity; + extern int deny_severity; +diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 +--- tcp_wrappers_7.6.orig/hosts_access.5 2005-03-09 18:30:25.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_access.5 2005-03-09 18:30:18.000000000 +0100 +@@ -8,9 +8,9 @@ name, host name/address) patterns. Exam + impatient reader is encouraged to skip to the EXAMPLES section for a + quick introduction. + .PP +-An extended version of the access control language is described in the +-\fIhosts_options\fR(5) document. The extensions are turned on at +-program build time by building with -DPROCESS_OPTIONS. ++The extended version of the access control language is described in the ++\fIhosts_options\fR(5) document. \fBNote that this language supersedes ++the meaning of \fIshell_command\fB as documented below.\fR + .PP + In the following text, \fIdaemon\fR is the the process name of a + network daemon process, and \fIclient\fR is the name and/or address of +@@ -346,8 +346,8 @@ in.tftpd: LOCAL, .my.domain + /etc/hosts.deny: + .in +3 + .nf +-in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\ +- /usr/ucb/mail -s %d-%h root) & ++in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\ ++ /usr/bin/mail -s %d-%h root) & + .fi + .PP + The safe_finger command comes with the tcpd wrapper and should be +@@ -383,6 +383,7 @@ that shouldn\'t. All problems are repor + .fi + .SH SEE ALSO + .nf ++hosts_options(5) extended syntax. + tcpd(8) tcp/ip daemon wrapper program. + tcpdchk(8), tcpdmatch(8), test programs. + .SH BUGS +diff -ruNp tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5 +--- tcp_wrappers_7.6.orig/hosts_options.5 2005-03-09 18:30:24.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_options.5 2005-03-09 18:27:03.000000000 +0100 +@@ -2,10 +2,8 @@ + .SH NAME + hosts_options \- host access control language extensions + .SH DESCRIPTION +-This document describes optional extensions to the language described +-in the hosts_access(5) document. The extensions are enabled at program +-build time. For example, by editing the Makefile and turning on the +-PROCESS_OPTIONS compile-time option. ++This document describes extensions to the language described ++in the hosts_access(5) document. + .PP + The extensible language uses the following format: + .sp +@@ -58,12 +56,12 @@ Notice the leading dot on the domain nam + Execute, in a child process, the specified shell command, after + performing the % expansions described in the hosts_access(5) + manual page. The command is executed with stdin, stdout and stderr +-connected to the null device, so that it won\'t mess up the ++connected to the null device, so that it won't mess up the + conversation with the client host. Example: + .sp + .nf + .ti +3 +-spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) & ++spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) & + .fi + .sp + executes, in a background child process, the shell command "safe_finger +diff -ruNp tcp_wrappers_7.6.orig/inetcf.c tcp_wrappers_7.6/inetcf.c +--- tcp_wrappers_7.6.orig/inetcf.c 1997-02-12 02:13:24.000000000 +0100 ++++ tcp_wrappers_7.6/inetcf.c 2005-03-09 18:27:03.000000000 +0100 +@@ -26,13 +26,17 @@ extern void exit(); + * guesses. Shorter names follow longer ones. + */ + char *inet_files[] = { ++#if 0 + "/private/etc/inetd.conf", /* NEXT */ + "/etc/inet/inetd.conf", /* SYSV4 */ + "/usr/etc/inetd.conf", /* IRIX?? */ ++#endif + "/etc/inetd.conf", /* BSD */ ++#if 0 + "/etc/net/tlid.conf", /* SYSV4?? */ + "/etc/saf/tlid.conf", /* SYSV4?? */ + "/etc/tlid.conf", /* SYSV4?? */ ++#endif + 0, + }; + +diff -ruNp tcp_wrappers_7.6.orig/tcpd.8 tcp_wrappers_7.6/tcpd.8 +--- tcp_wrappers_7.6.orig/tcpd.8 1996-02-21 16:39:16.000000000 +0100 ++++ tcp_wrappers_7.6/tcpd.8 2005-03-09 18:27:03.000000000 +0100 +@@ -12,7 +12,11 @@ The program supports both 4.3BSD-style s + TLI. Functionality may be limited when the protocol underneath TLI is + not an internet protocol. + .PP +-Operation is as follows: whenever a request for service arrives, the ++There are two possible modes of operation: execution of \fItcpd\fP ++before a service started by \fIinetd\fP, or linking a daemon with ++the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3) ++manual page. Operation when started by \fIinetd\fP ++is as follows: whenever a request for service arrives, the + \fIinetd\fP daemon is tricked into running the \fItcpd\fP program + instead of the desired server. \fItcpd\fP logs the request and does + some additional checks. When all is well, \fItcpd\fP runs the +@@ -88,11 +92,11 @@ configuration files. + .sp + .in +5 + # mkdir /other/place +-# mv /usr/etc/in.fingerd /other/place +-# cp tcpd /usr/etc/in.fingerd ++# mv /usr/sbin/in.fingerd /other/place ++# cp tcpd /usr/sbin/in.fingerd + .fi + .PP +-The example assumes that the network daemons live in /usr/etc. On some ++The example assumes that the network daemons live in /usr/sbin. On some + systems, network daemons live in /usr/sbin or in /usr/libexec, or have + no `in.\' prefix to their name. + .SH EXAMPLE 2 +@@ -101,35 +105,34 @@ are left in their original place. + .PP + In order to monitor access to the \fIfinger\fR service, perform the + following edits on the \fIinetd\fR configuration file (usually +-\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR): ++\fI/etc/inetd.conf\fR): + .nf + .sp + .ti +5 +-finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd ++finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd + .sp + becomes: + .sp + .ti +5 +-finger stream tcp nowait nobody /some/where/tcpd in.fingerd ++finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd + .sp + .fi + .PP +-The example assumes that the network daemons live in /usr/etc. On some ++The example assumes that the network daemons live in /usr/sbin. On some + systems, network daemons live in /usr/sbin or in /usr/libexec, the + daemons have no `in.\' prefix to their name, or there is no userid + field in the inetd configuration file. + .PP + Similar changes will be needed for the other services that are to be + covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8) +-process to make the changes effective. AIX users may also have to +-execute the `inetimp\' command. ++process to make the changes effective. + .SH EXAMPLE 3 + In the case of daemons that do not live in a common directory ("secret" + or otherwise), edit the \fIinetd\fR configuration file so that it + specifies an absolute path name for the process name field. For example: + .nf + .sp +- ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd ++ ntalk dgram udp wait root /usr/sbin/tcpd /usr/local/lib/ntalkd + .sp + .fi + .PP +@@ -164,6 +167,7 @@ The default locations of the host access + .SH SEE ALSO + .na + .nf ++hosts_access(3), functions provided by the libwrap library. + hosts_access(5), format of the tcpd access control tables. + syslog.conf(5), format of the syslogd control file. + inetd.conf(5), format of the inetd control file. +diff -ruNp tcp_wrappers_7.6.orig/tcpdchk.8 tcp_wrappers_7.6/tcpdchk.8 +--- tcp_wrappers_7.6.orig/tcpdchk.8 1995-01-08 17:00:31.000000000 +0100 ++++ tcp_wrappers_7.6/tcpdchk.8 2005-03-09 18:27:03.000000000 +0100 +@@ -9,8 +9,8 @@ tcpdchk [-a] [-d] [-i inet_conf] [-v] + potential and real problems it can find. The program examines the + \fItcpd\fR access control files (by default, these are + \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the +-entries in these files against entries in the \fIinetd\fR or \fItlid\fR +-network configuration files. ++entries in these files against entries in the \fIinetd\fR ++network configuration file. + .PP + \fItcpdchk\fR reports problems such as non-existent pathnames; services + that appear in \fItcpd\fR access control rules, but are not controlled +@@ -26,14 +26,13 @@ problem. + .SH OPTIONS + .IP -a + Report access control rules that permit access without an explicit +-ALLOW keyword. This applies only when the extended access control +-language is enabled (build with -DPROCESS_OPTIONS). ++ALLOW keyword. + .IP -d + Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current + directory instead of the default ones. + .IP "-i inet_conf" + Specify this option when \fItcpdchk\fR is unable to find your +-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when ++\fIinetd.conf\fR network configuration file, or when + you suspect that the program uses the wrong one. + .IP -v + Display the contents of each access control rule. Daemon lists, client +@@ -54,7 +53,6 @@ tcpdmatch(8), explain what tcpd would do + hosts_access(5), format of the tcpd access control tables. + hosts_options(5), format of the language extensions. + inetd.conf(5), format of the inetd control file. +-tlid.conf(5), format of the tlid control file. + .SH AUTHORS + .na + .nf +diff -ruNp tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8 +--- tcp_wrappers_7.6.orig/tcpdmatch.8 2005-03-09 18:30:24.000000000 +0100 ++++ tcp_wrappers_7.6/tcpdmatch.8 2005-03-09 18:27:03.000000000 +0100 +@@ -13,7 +13,7 @@ request for service. Examples are given + The program examines the \fItcpd\fR access control tables (default + \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR) and prints its + conclusion. For maximal accuracy, it extracts additional information +-from your \fIinetd\fR or \fItlid\fR network configuration file. ++from your \fIinetd\fR network configuration file. + .PP + When \fItcpdmatch\fR finds a match in the access control tables, it + identifies the matched rule. In addition, it displays the optional +@@ -50,7 +50,7 @@ Examine \fIhosts.allow\fR and \fIhosts.d + directory instead of the default ones. + .IP "-i inet_conf" + Specify this option when \fItcpdmatch\fR is unable to find your +-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when ++\fIinetd.conf\fR network configuration file, or when + you suspect that the program uses the wrong one. + .SH EXAMPLES + To predict how \fItcpd\fR would handle a telnet request from the local +@@ -86,7 +86,6 @@ tcpdchk(8), tcpd configuration checker + hosts_access(5), format of the tcpd access control tables. + hosts_options(5), format of the language extensions. + inetd.conf(5), format of the inetd control file. +-tlid.conf(5), format of the tlid control file. + .SH AUTHORS + .na + .nf diff --git a/recipes/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching b/recipes/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching deleted file mode 100644 index a168f6d5a5..0000000000 --- a/recipes/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching +++ /dev/null @@ -1,103 +0,0 @@ -See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17847 - -diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 ---- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 18:54:33.000000000 +0200 -+++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 18:54:27.000000000 +0200 -@@ -89,6 +89,10 @@ - bitwise AND of the address and the `mask\'. For example, the net/mask - pattern `131.155.72.0/255.255.254.0\' matches every address in the - range `131.155.72.0\' through `131.155.73.255\'. -+.IP \(bu -+Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This -+method of matching cannot be used in conjunction with `net/mask\' matching, -+hostname matching beginning with `.\' or IP address matching ending with `.\'. - .SH WILDCARDS - The access control language supports explicit wildcards: - .IP ALL -diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c ---- tcp_wrappers_7.6.orig/hosts_access.c 1997-02-12 02:13:23.000000000 +0100 -+++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 18:52:21.000000000 +0200 -@@ -289,6 +289,11 @@ - { - int n; - -+#ifndef DISABLE_WILDCARD_MATCHING -+ if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */ -+ return (match_pattern_ylo(string,tok)); -+ } else -+#endif - if (tok[0] == '.') { /* suffix */ - n = strlen(string) - strlen(tok); - return (n > 0 && STR_EQ(tok, string + n)); -@@ -329,3 +334,71 @@ - } - return ((addr & mask) == net); - } -+ -+#ifndef DISABLE_WILDCARD_MATCHING -+/* Note: this feature has been adapted in a pretty straightforward way -+ from Tatu Ylonen's last SSH version under free license by -+ Pekka Savola . -+ -+ Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -+*/ -+ -+/* Returns true if the given string matches the pattern (which may contain -+ ? and * as wildcards), and zero if it does not match. */ -+ -+int match_pattern_ylo(const char *s, const char *pattern) -+{ -+ while (1) -+ { -+ /* If at end of pattern, accept if also at end of string. */ -+ if (!*pattern) -+ return !*s; -+ -+ /* Process '*'. */ -+ if (*pattern == '*') -+ { -+ /* Skip the asterisk. */ -+ pattern++; -+ -+ /* If at end of pattern, accept immediately. */ -+ if (!*pattern) -+ return 1; -+ -+ /* If next character in pattern is known, optimize. */ -+ if (*pattern != '?' && *pattern != '*') -+ { -+ /* Look instances of the next character in pattern, and try -+ to match starting from those. */ -+ for (; *s; s++) -+ if (*s == *pattern && -+ match_pattern_ylo(s + 1, pattern + 1)) -+ return 1; -+ /* Failed. */ -+ return 0; -+ } -+ -+ /* Move ahead one character at a time and try to match at each -+ position. */ -+ for (; *s; s++) -+ if (match_pattern_ylo(s, pattern)) -+ return 1; -+ /* Failed. */ -+ return 0; -+ } -+ -+ /* There must be at least one more character in the string. If we are -+ at the end, fail. */ -+ if (!*s) -+ return 0; -+ -+ /* Check if the next character of the string is acceptable. */ -+ if (*pattern != '?' && *pattern != *s) -+ return 0; -+ -+ /* Move to the next character, both in string and in pattern. */ -+ s++; -+ pattern++; -+ } -+ /*NOTREACHED*/ -+} -+#endif /* DISABLE_WILDCARD_MATCHING */ diff --git a/recipes/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch b/recipes/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch new file mode 100644 index 0000000000..a168f6d5a5 --- /dev/null +++ b/recipes/tcp-wrappers/tcp-wrappers-7.6/05_wildcard_matching.patch @@ -0,0 +1,103 @@ +See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17847 + +diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 +--- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 18:54:33.000000000 +0200 ++++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 18:54:27.000000000 +0200 +@@ -89,6 +89,10 @@ + bitwise AND of the address and the `mask\'. For example, the net/mask + pattern `131.155.72.0/255.255.254.0\' matches every address in the + range `131.155.72.0\' through `131.155.73.255\'. ++.IP \(bu ++Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This ++method of matching cannot be used in conjunction with `net/mask\' matching, ++hostname matching beginning with `.\' or IP address matching ending with `.\'. + .SH WILDCARDS + The access control language supports explicit wildcards: + .IP ALL +diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c +--- tcp_wrappers_7.6.orig/hosts_access.c 1997-02-12 02:13:23.000000000 +0100 ++++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 18:52:21.000000000 +0200 +@@ -289,6 +289,11 @@ + { + int n; + ++#ifndef DISABLE_WILDCARD_MATCHING ++ if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */ ++ return (match_pattern_ylo(string,tok)); ++ } else ++#endif + if (tok[0] == '.') { /* suffix */ + n = strlen(string) - strlen(tok); + return (n > 0 && STR_EQ(tok, string + n)); +@@ -329,3 +334,71 @@ + } + return ((addr & mask) == net); + } ++ ++#ifndef DISABLE_WILDCARD_MATCHING ++/* Note: this feature has been adapted in a pretty straightforward way ++ from Tatu Ylonen's last SSH version under free license by ++ Pekka Savola . ++ ++ Copyright (c) 1995 Tatu Ylonen , Espoo, Finland ++*/ ++ ++/* Returns true if the given string matches the pattern (which may contain ++ ? and * as wildcards), and zero if it does not match. */ ++ ++int match_pattern_ylo(const char *s, const char *pattern) ++{ ++ while (1) ++ { ++ /* If at end of pattern, accept if also at end of string. */ ++ if (!*pattern) ++ return !*s; ++ ++ /* Process '*'. */ ++ if (*pattern == '*') ++ { ++ /* Skip the asterisk. */ ++ pattern++; ++ ++ /* If at end of pattern, accept immediately. */ ++ if (!*pattern) ++ return 1; ++ ++ /* If next character in pattern is known, optimize. */ ++ if (*pattern != '?' && *pattern != '*') ++ { ++ /* Look instances of the next character in pattern, and try ++ to match starting from those. */ ++ for (; *s; s++) ++ if (*s == *pattern && ++ match_pattern_ylo(s + 1, pattern + 1)) ++ return 1; ++ /* Failed. */ ++ return 0; ++ } ++ ++ /* Move ahead one character at a time and try to match at each ++ position. */ ++ for (; *s; s++) ++ if (match_pattern_ylo(s, pattern)) ++ return 1; ++ /* Failed. */ ++ return 0; ++ } ++ ++ /* There must be at least one more character in the string. If we are ++ at the end, fail. */ ++ if (!*s) ++ return 0; ++ ++ /* Check if the next character of the string is acceptable. */ ++ if (*pattern != '?' && *pattern != *s) ++ return 0; ++ ++ /* Move to the next character, both in string and in pattern. */ ++ s++; ++ pattern++; ++ } ++ /*NOTREACHED*/ ++} ++#endif /* DISABLE_WILDCARD_MATCHING */ diff --git a/recipes/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname b/recipes/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname deleted file mode 100644 index d06aaef13b..0000000000 --- a/recipes/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname +++ /dev/null @@ -1,30 +0,0 @@ -* Mon Feb 5 2001 Preston Brown -- fix gethostbyname to work better with dot "." notation (#16949) - ---- tcp_wrappers_7.6/socket.c.fixgethostbyname Fri Mar 21 13:27:25 1997 -+++ tcp_wrappers_7.6/socket.c Mon Feb 5 14:09:40 2001 -@@ -52,7 +52,8 @@ - char *name; - { - char dot_name[MAXHOSTNAMELEN + 1]; -- -+ struct hostent *hp; -+ - /* - * Don't append dots to unqualified names. Such names are likely to come - * from local hosts files or from NIS. -@@ -61,8 +62,12 @@ - if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) { - return (gethostbyname(name)); - } else { -- sprintf(dot_name, "%s.", name); -- return (gethostbyname(dot_name)); -+ sprintf(dot_name, "%s.", name); -+ hp = gethostbyname(dot_name); -+ if (hp) -+ return hp; -+ else -+ return (gethostbyname(name)); - } - } - diff --git a/recipes/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch b/recipes/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch new file mode 100644 index 0000000000..d06aaef13b --- /dev/null +++ b/recipes/tcp-wrappers/tcp-wrappers-7.6/06_fix_gethostbyname.patch @@ -0,0 +1,30 @@ +* Mon Feb 5 2001 Preston Brown +- fix gethostbyname to work better with dot "." notation (#16949) + +--- tcp_wrappers_7.6/socket.c.fixgethostbyname Fri Mar 21 13:27:25 1997 ++++ tcp_wrappers_7.6/socket.c Mon Feb 5 14:09:40 2001 +@@ -52,7 +52,8 @@ + char *name; + { + char dot_name[MAXHOSTNAMELEN + 1]; +- ++ struct hostent *hp; ++ + /* + * Don't append dots to unqualified names. Such names are likely to come + * from local hosts files or from NIS. +@@ -61,8 +62,12 @@ + if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) { + return (gethostbyname(name)); + } else { +- sprintf(dot_name, "%s.", name); +- return (gethostbyname(dot_name)); ++ sprintf(dot_name, "%s.", name); ++ hp = gethostbyname(dot_name); ++ if (hp) ++ return hp; ++ else ++ return (gethostbyname(name)); + } + } + diff --git a/recipes/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6 b/recipes/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6 deleted file mode 100644 index 5c8be5c27c..0000000000 --- a/recipes/tcp-wrappers/tcp-wrappers-7.6/10_usagi-ipv6 +++ /dev/null @@ -1,1253 +0,0 @@ -diff -ruN tcp_wrappers_7.6.orig/fix_options.c tcp_wrappers_7.6/fix_options.c ---- tcp_wrappers_7.6.orig/fix_options.c 1997-04-08 02:29:19.000000000 +0200 -+++ tcp_wrappers_7.6/fix_options.c 2004-04-10 19:07:43.000000000 +0200 -@@ -11,6 +11,9 @@ - - #include - #include -+#ifdef INET6 -+#include -+#endif - #include - #include - #include -@@ -41,6 +44,22 @@ - unsigned int opt; - int optlen; - struct in_addr dummy; -+#ifdef INET6 -+ struct sockaddr_storage ss; -+ int sslen; -+ -+ /* -+ * check if this is AF_INET socket -+ * XXX IPv6 support? -+ */ -+ sslen = sizeof(ss); -+ if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) { -+ syslog(LOG_ERR, "getpeername: %m"); -+ clean_exit(request); -+ } -+ if (ss.ss_family != AF_INET) -+ return; -+#endif - - if ((ip = getprotobyname("ip")) != 0) - ipproto = ip->p_proto; -diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 ---- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:22:58.000000000 +0200 -+++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:07:43.000000000 +0200 -@@ -85,11 +85,18 @@ - for daemon process names or for client user names. - .IP \(bu - An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a --`net/mask\' pair. A host address is matched if `net\' is equal to the -+`net/mask\' pair. An IPv4 host address is matched if `net\' is equal to the - bitwise AND of the address and the `mask\'. For example, the net/mask - pattern `131.155.72.0/255.255.254.0\' matches every address in the - range `131.155.72.0\' through `131.155.73.255\'. - .IP \(bu -+An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a -+`[net]/prefixlen\' pair. An IPv6 host address is matched if -+`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the -+address. For example, the [net]/prefixlen pattern -+`[3ffe:505:2:1::]/64\' matches every address in the range -+`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'. -+.IP \(bu - Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This - method of matching cannot be used in conjunction with `net/mask\' matching, - hostname matching beginning with `.\' or IP address matching ending with `.\'. -diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c ---- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:22:58.000000000 +0200 -+++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:07:43.000000000 +0200 -@@ -24,7 +24,13 @@ - /* System libraries. */ - - #include -+#ifdef INT32_T -+ typedef uint32_t u_int32_t; -+#endif - #include -+#ifdef INET6 -+#include -+#endif - #include - #include - #include -@@ -33,6 +39,9 @@ - #include - #include - #include -+#ifdef INET6 -+#include -+#endif - - extern char *fgets(); - extern int errno; -@@ -82,6 +91,10 @@ - static int host_match(); - static int string_match(); - static int masked_match(); -+#ifdef INET6 -+static int masked_match4(); -+static int masked_match6(); -+#endif - - /* Size of logical line buffer. */ - -@@ -289,6 +302,13 @@ - { - int n; - -+#ifdef INET6 -+ /* convert IPv4 mapped IPv6 address to IPv4 address */ -+ if (STRN_EQ(string, "::ffff:", 7) -+ && dot_quad_addr(string + 7) != INADDR_NONE) { -+ string += 7; -+ } -+#endif - #ifndef DISABLE_WILDCARD_MATCHING - if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */ - return (match_pattern_ylo(string,tok)); -@@ -304,20 +324,72 @@ - } else if (tok[(n = strlen(tok)) - 1] == '.') { /* prefix */ - return (STRN_EQ(tok, string, n)); - } else { /* exact match */ -+#ifdef INET6 -+ struct addrinfo hints, *res; -+ struct sockaddr_in6 pat, addr; -+ int len, ret; -+ char ch; -+ -+ len = strlen(tok); -+ if (*tok == '[' && tok[len - 1] == ']') { -+ ch = tok[len - 1]; -+ tok[len - 1] = '\0'; -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = AF_INET6; -+ hints.ai_socktype = SOCK_STREAM; -+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; -+ if ((ret = getaddrinfo(tok + 1, NULL, &hints, &res)) == 0) { -+ memcpy(&pat, res->ai_addr, sizeof(pat)); -+ freeaddrinfo(res); -+ } -+ tok[len - 1] = ch; -+ if (ret != 0 || getaddrinfo(string, NULL, &hints, &res) != 0) -+ return NO; -+ memcpy(&addr, res->ai_addr, sizeof(addr)); -+ freeaddrinfo(res); -+#ifdef NI_WITHSCOPEID -+ if (pat.sin6_scope_id != 0 && -+ addr.sin6_scope_id != pat.sin6_scope_id) -+ return NO; -+#endif -+ return (!memcmp(&pat.sin6_addr, &addr.sin6_addr, -+ sizeof(struct in6_addr))); -+ return (ret); -+ } -+#endif - return (STR_EQ(tok, string)); - } - } - - /* masked_match - match address against netnumber/netmask */ - -+#ifdef INET6 - static int masked_match(net_tok, mask_tok, string) - char *net_tok; - char *mask_tok; - char *string; - { -+ return (masked_match4(net_tok, mask_tok, string) || -+ masked_match6(net_tok, mask_tok, string)); -+} -+ -+static int masked_match4(net_tok, mask_tok, string) -+#else -+static int masked_match(net_tok, mask_tok, string) -+#endif -+char *net_tok; -+char *mask_tok; -+char *string; -+{ -+#ifdef INET6 -+ u_int32_t net; -+ u_int32_t mask; -+ u_int32_t addr; -+#else - unsigned long net; - unsigned long mask; - unsigned long addr; -+#endif - - /* - * Disallow forms other than dotted quad: the treatment that inet_addr() -@@ -329,12 +401,78 @@ - return (NO); - if ((net = dot_quad_addr(net_tok)) == INADDR_NONE - || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) { -+#ifndef INET6 - tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok); -+#endif - return (NO); /* not tcpd_jump() */ - } - return ((addr & mask) == net); - } - -+#ifdef INET6 -+static int masked_match6(net_tok, mask_tok, string) -+char *net_tok; -+char *mask_tok; -+char *string; -+{ -+ struct addrinfo hints, *res; -+ struct sockaddr_in6 net, addr; -+ u_int32_t mask; -+ int len, mask_len, i = 0; -+ char ch; -+ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = AF_INET6; -+ hints.ai_socktype = SOCK_STREAM; -+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; -+ if (getaddrinfo(string, NULL, &hints, &res) != 0) -+ return NO; -+ memcpy(&addr, res->ai_addr, sizeof(addr)); -+ freeaddrinfo(res); -+ -+ if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)) { -+ if ((*(u_int32_t *)&net.sin6_addr.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE -+ || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) -+ return (NO); -+ return ((*(u_int32_t *)&addr.sin6_addr.s6_addr[12] & mask) == *(u_int32_t *)&net.sin6_addr.s6_addr[12]); -+ } -+ -+ /* match IPv6 address against netnumber/prefixlen */ -+ len = strlen(net_tok); -+ if (*net_tok != '[' || net_tok[len - 1] != ']') -+ return NO; -+ ch = net_tok[len - 1]; -+ net_tok[len - 1] = '\0'; -+ if (getaddrinfo(net_tok + 1, NULL, &hints, &res) != 0) { -+ net_tok[len - 1] = ch; -+ return NO; -+ } -+ memcpy(&net, res->ai_addr, sizeof(net)); -+ freeaddrinfo(res); -+ net_tok[len - 1] = ch; -+ if ((mask_len = atoi(mask_tok)) < 0 || mask_len > 128) -+ return NO; -+ -+#ifdef NI_WITHSCOPEID -+ if (net.sin6_scope_id != 0 && addr.sin6_scope_id != net.sin6_scope_id) -+ return NO; -+#endif -+ while (mask_len > 0) { -+ if (mask_len < 32) { -+ mask = htonl(~(0xffffffff >> mask_len)); -+ if ((*(u_int32_t *)&addr.sin6_addr.s6_addr[i] & mask) != (*(u_int32_t *)&net.sin6_addr.s6_addr[i] & mask)) -+ return NO; -+ break; -+ } -+ if (*(u_int32_t *)&addr.sin6_addr.s6_addr[i] != *(u_int32_t *)&net.sin6_addr.s6_addr[i]) -+ return NO; -+ i += 4; -+ mask_len -= 32; -+ } -+ return YES; -+} -+#endif /* INET6 */ -+ - #ifndef DISABLE_WILDCARD_MATCHING - /* Note: this feature has been adapted in a pretty straightforward way - from Tatu Ylonen's last SSH version under free license by -diff -ruN tcp_wrappers_7.6.orig/Makefile tcp_wrappers_7.6/Makefile ---- tcp_wrappers_7.6.orig/Makefile 1997-03-21 19:27:21.000000000 +0100 -+++ tcp_wrappers_7.6/Makefile 2004-04-10 19:22:44.000000000 +0200 -@@ -21,7 +21,7 @@ - @echo " dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix" - @echo " linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211" - @echo " ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4" -- @echo " sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" -+ @echo " sunos40 sunos5 solaris8 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2" - @echo " uts215 uxp" - @echo - @echo "If none of these match your environment, edit the system" -@@ -131,20 +131,34 @@ - NETGROUP=-DNETGROUP TLI= SYSTYPE="-systype bsd43" all - - # Freebsd and linux by default have no NIS. --386bsd netbsd bsdos: -+386bsd bsdos: - @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ - LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ - EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all - - freebsd: - @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ -+ LIBS="-L/usr/local/v6/lib -linet6" \ - LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ -- EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all -+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" \ -+ VSYSLOG= all -+ -+netbsd: -+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ -+ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \ -+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" VSYSLOG= all - - linux: - @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ -- LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \ -- NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all -+ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ -+ NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \ -+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all -+ -+gnu: -+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ -+ LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \ -+ NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \ -+ EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR" all - - # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x. - hpux hpux8 hpux9 hpux10: -@@ -196,6 +210,13 @@ - NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \ - BUGS="$(BUGS) -DSOLARIS_24_GETHOSTBYNAME_BUG" all - -+# SunOS 5.8 is another SYSV4 variant, but has IPv6 support -+solaris8: -+ @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ -+ LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \ -+ NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \ -+ EXTRA_CFLAGS="-DINET6 -DNO_CLONE_DEVICE -DINT32_T" all -+ - # Generic SYSV40 - esix sysv4: - @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ -diff -ruN tcp_wrappers_7.6.orig/misc.c tcp_wrappers_7.6/misc.c ---- tcp_wrappers_7.6.orig/misc.c 1996-02-11 17:01:30.000000000 +0100 -+++ tcp_wrappers_7.6/misc.c 2004-04-10 19:07:43.000000000 +0200 -@@ -58,9 +58,31 @@ - { - char *cp; - -+#ifdef INET6 -+ int bracket = 0; -+ -+ for (cp = string; cp && *cp; cp++) { -+ switch (*cp) { -+ case '[': -+ bracket++; -+ break; -+ case ']': -+ bracket--; -+ break; -+ default: -+ if (bracket == 0 && *cp == delimiter) { -+ *cp++ = 0; -+ return cp; -+ } -+ break; -+ } -+ } -+ return (NULL); -+#else - if ((cp = strchr(string, delimiter)) != 0) - *cp++ = 0; - return (cp); -+#endif - } - - /* dot_quad_addr - convert dotted quad to internal form */ -diff -ruN tcp_wrappers_7.6.orig/refuse.c tcp_wrappers_7.6/refuse.c ---- tcp_wrappers_7.6.orig/refuse.c 1994-12-28 17:42:40.000000000 +0100 -+++ tcp_wrappers_7.6/refuse.c 2004-04-10 19:07:43.000000000 +0200 -@@ -25,7 +25,12 @@ - void refuse(request) - struct request_info *request; - { -+#ifdef INET6 -+ syslog(deny_severity, "refused connect from %s (%s)", -+ eval_client(request), eval_hostaddr(request->client)); -+#else - syslog(deny_severity, "refused connect from %s", eval_client(request)); -+#endif - clean_exit(request); - /* NOTREACHED */ - } -diff -ruN tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c ---- tcp_wrappers_7.6.orig/rfc931.c 1995-01-02 16:11:34.000000000 +0100 -+++ tcp_wrappers_7.6/rfc931.c 2004-04-10 19:07:43.000000000 +0200 -@@ -68,20 +68,50 @@ - /* rfc931 - return remote user name, given socket structures */ - - void rfc931(rmt_sin, our_sin, dest) -+#ifdef INET6 -+struct sockaddr *rmt_sin; -+struct sockaddr *our_sin; -+#else - struct sockaddr_in *rmt_sin; - struct sockaddr_in *our_sin; -+#endif - char *dest; - { - unsigned rmt_port; - unsigned our_port; -+#ifdef INET6 -+ struct sockaddr_storage rmt_query_sin; -+ struct sockaddr_storage our_query_sin; -+ int alen; -+#else - struct sockaddr_in rmt_query_sin; - struct sockaddr_in our_query_sin; -+#endif - char user[256]; /* XXX */ - char buffer[512]; /* XXX */ - char *cp; - char *result = unknown; - FILE *fp; - -+#ifdef INET6 -+ /* address family must be the same */ -+ if (rmt_sin->sa_family != our_sin->sa_family) { -+ STRN_CPY(dest, result, STRING_LENGTH); -+ return; -+ } -+ switch (our_sin->sa_family) { -+ case AF_INET: -+ alen = sizeof(struct sockaddr_in); -+ break; -+ case AF_INET6: -+ alen = sizeof(struct sockaddr_in6); -+ break; -+ default: -+ STRN_CPY(dest, result, STRING_LENGTH); -+ return; -+ } -+#endif -+ - /* - * Use one unbuffered stdio stream for writing to and for reading from - * the RFC931 etc. server. This is done because of a bug in the SunOS -@@ -92,7 +122,11 @@ - * sockets. - */ - -+#ifdef INET6 -+ if ((fp = fsocket(our_sin->sa_family, SOCK_STREAM, 0)) != 0) { -+#else - if ((fp = fsocket(AF_INET, SOCK_STREAM, 0)) != 0) { -+#endif - setbuf(fp, (char *) 0); - - /* -@@ -112,6 +146,25 @@ - * addresses from the query socket. - */ - -+#ifdef INET6 -+ memcpy(&our_query_sin, our_sin, alen); -+ memcpy(&rmt_query_sin, rmt_sin, alen); -+ switch (our_sin->sa_family) { -+ case AF_INET: -+ ((struct sockaddr_in *)&our_query_sin)->sin_port = htons(ANY_PORT); -+ ((struct sockaddr_in *)&rmt_query_sin)->sin_port = htons(RFC931_PORT); -+ break; -+ case AF_INET6: -+ ((struct sockaddr_in6 *)&our_query_sin)->sin6_port = htons(ANY_PORT); -+ ((struct sockaddr_in6 *)&rmt_query_sin)->sin6_port = htons(RFC931_PORT); -+ break; -+ } -+ -+ if (bind(fileno(fp), (struct sockaddr *) & our_query_sin, -+ alen) >= 0 && -+ connect(fileno(fp), (struct sockaddr *) & rmt_query_sin, -+ alen) >= 0) { -+#else - our_query_sin = *our_sin; - our_query_sin.sin_port = htons(ANY_PORT); - rmt_query_sin = *rmt_sin; -@@ -121,6 +174,7 @@ - sizeof(our_query_sin)) >= 0 && - connect(fileno(fp), (struct sockaddr *) & rmt_query_sin, - sizeof(rmt_query_sin)) >= 0) { -+#endif - - /* - * Send query to server. Neglect the risk that a 13-byte -@@ -129,8 +183,13 @@ - */ - - fprintf(fp, "%u,%u\r\n", -+#ifdef INET6 -+ ntohs(((struct sockaddr_in *)rmt_sin)->sin_port), -+ ntohs(((struct sockaddr_in *)our_sin)->sin_port)); -+#else - ntohs(rmt_sin->sin_port), - ntohs(our_sin->sin_port)); -+#endif - fflush(fp); - - /* -@@ -144,8 +203,13 @@ - && ferror(fp) == 0 && feof(fp) == 0 - && sscanf(buffer, "%u , %u : USERID :%*[^:]:%255s", - &rmt_port, &our_port, user) == 3 -+#ifdef INET6 -+ && ntohs(((struct sockaddr_in *)rmt_sin)->sin_port) == rmt_port -+ && ntohs(((struct sockaddr_in *)our_sin)->sin_port) == our_port) { -+#else - && ntohs(rmt_sin->sin_port) == rmt_port - && ntohs(our_sin->sin_port) == our_port) { -+#endif - - /* - * Strip trailing carriage return. It is part of the -diff -ruN tcp_wrappers_7.6.orig/scaffold.c tcp_wrappers_7.6/scaffold.c ---- tcp_wrappers_7.6.orig/scaffold.c 1997-03-21 19:27:24.000000000 +0100 -+++ tcp_wrappers_7.6/scaffold.c 2004-04-10 19:07:43.000000000 +0200 -@@ -25,7 +25,9 @@ - #define INADDR_NONE (-1) /* XXX should be 0xffffffff */ - #endif - -+#ifndef INET6 - extern char *malloc(); -+#endif - - /* Application-specific. */ - -@@ -39,6 +41,7 @@ - int deny_severity = LOG_WARNING; - int rfc931_timeout = RFC931_TIMEOUT; - -+#ifndef INET6 - /* dup_hostent - create hostent in one memory block */ - - static struct hostent *dup_hostent(hp) -@@ -73,9 +76,46 @@ - } - return (&hb->host); - } -+#endif - - /* find_inet_addr - find all addresses for this host, result to free() */ - -+#ifdef INET6 -+struct addrinfo *find_inet_addr(host) -+char *host; -+{ -+ struct addrinfo hints, *res; -+ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = PF_UNSPEC; -+ hints.ai_socktype = SOCK_STREAM; -+ hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; -+ if (getaddrinfo(host, NULL, &hints, &res) == 0) -+ return (res); -+ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = PF_UNSPEC; -+ hints.ai_socktype = SOCK_STREAM; -+ hints.ai_flags = AI_PASSIVE | AI_CANONNAME; -+ if (getaddrinfo(host, NULL, &hints, &res) != 0) { -+ tcpd_warn("%s: host not found", host); -+ return (0); -+ } -+ if (res->ai_family != AF_INET6 && res->ai_family != AF_INET) { -+ tcpd_warn("%d: not an internet host", res->ai_family); -+ freeaddrinfo(res); -+ return (0); -+ } -+ if (!res->ai_canonname) { -+ tcpd_warn("%s: hostname alias", host); -+ tcpd_warn("(cannot obtain official name)", res->ai_canonname); -+ } else if (STR_NE(host, res->ai_canonname)) { -+ tcpd_warn("%s: hostname alias", host); -+ tcpd_warn("(official name: %.*s)", STRING_LENGTH, res->ai_canonname); -+ } -+ return (res); -+} -+#else - struct hostent *find_inet_addr(host) - char *host; - { -@@ -118,6 +158,7 @@ - } - return (dup_hostent(hp)); - } -+#endif - - /* check_dns - give each address thorough workout, return address count */ - -@@ -125,8 +166,13 @@ - char *host; - { - struct request_info request; -+#ifdef INET6 -+ struct sockaddr_storage sin; -+ struct addrinfo *hp, *res; -+#else - struct sockaddr_in sin; - struct hostent *hp; -+#endif - int count; - char *addr; - -@@ -134,11 +180,18 @@ - return (0); - request_init(&request, RQ_CLIENT_SIN, &sin, 0); - sock_methods(&request); -+#ifndef INET6 - memset((char *) &sin, 0, sizeof(sin)); - sin.sin_family = AF_INET; -+#endif - -+#ifdef INET6 -+ for (res = hp, count = 0; res; res = res->ai_next, count++) { -+ memcpy(&sin, res->ai_addr, res->ai_addrlen); -+#else - for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) { - memcpy((char *) &sin.sin_addr, addr, sizeof(sin.sin_addr)); -+#endif - - /* - * Force host name and address conversions. Use the request structure -@@ -151,7 +204,11 @@ - tcpd_warn("host address %s->name lookup failed", - eval_hostaddr(request.client)); - } -+#ifdef INET6 -+ freeaddrinfo(hp); -+#else - free((char *) hp); -+#endif - return (count); - } - -diff -ruN tcp_wrappers_7.6.orig/scaffold.h tcp_wrappers_7.6/scaffold.h ---- tcp_wrappers_7.6.orig/scaffold.h 1994-12-31 18:19:20.000000000 +0100 -+++ tcp_wrappers_7.6/scaffold.h 2004-04-10 19:07:43.000000000 +0200 -@@ -4,6 +4,10 @@ - * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. - */ - -+#ifdef INET6 -+extern struct addrinfo *find_inet_addr(); -+#else - extern struct hostent *find_inet_addr(); -+#endif - extern int check_dns(); - extern int check_path(); -diff -ruN tcp_wrappers_7.6.orig/socket.c tcp_wrappers_7.6/socket.c ---- tcp_wrappers_7.6.orig/socket.c 2004-04-10 19:22:58.000000000 +0200 -+++ tcp_wrappers_7.6/socket.c 2004-04-10 19:07:43.000000000 +0200 -@@ -24,13 +24,22 @@ - #include - #include - #include -+#ifdef INT32_T -+typedef uint32_t u_int32_t; -+#endif - #include - #include - #include - #include - #include - -+#ifdef INET6 -+#ifndef NI_WITHSCOPEID -+#define NI_WITHSCOPEID 0 -+#endif -+#else - extern char *inet_ntoa(); -+#endif - - /* Local stuff. */ - -@@ -79,8 +88,13 @@ - void sock_host(request) - struct request_info *request; - { -+#ifdef INET6 -+ static struct sockaddr_storage client; -+ static struct sockaddr_storage server; -+#else - static struct sockaddr_in client; - static struct sockaddr_in server; -+#endif - int len; - char buf[BUFSIZ]; - int fd = request->fd; -@@ -109,7 +123,11 @@ - memset(buf, 0 sizeof(buf)); - #endif - } -+#ifdef INET6 -+ request->client->sin = (struct sockaddr *)&client; -+#else - request->client->sin = &client; -+#endif - - /* - * Determine the server binding. This is used for client username -@@ -122,7 +140,11 @@ - tcpd_warn("getsockname: %m"); - return; - } -+#ifdef INET6 -+ request->server->sin = (struct sockaddr *)&server; -+#else - request->server->sin = &server; -+#endif - } - - /* sock_hostaddr - map endpoint address to printable form */ -@@ -130,10 +152,26 @@ - void sock_hostaddr(host) - struct host_info *host; - { -+#ifdef INET6 -+ struct sockaddr *sin = host->sin; -+ int salen; -+ -+ if (!sin) -+ return; -+#ifdef SIN6_LEN -+ salen = sin->sa_len; -+#else -+ salen = (sin->sa_family == AF_INET) ? sizeof(struct sockaddr_in) -+ : sizeof(struct sockaddr_in6); -+#endif -+ getnameinfo(sin, salen, host->addr, sizeof(host->addr), -+ NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); -+#else - struct sockaddr_in *sin = host->sin; - - if (sin != 0) - STRN_CPY(host->addr, inet_ntoa(sin->sin_addr), sizeof(host->addr)); -+#endif - } - - /* sock_hostname - map endpoint address to host name */ -@@ -141,6 +179,160 @@ - void sock_hostname(host) - struct host_info *host; - { -+#ifdef INET6 -+ struct sockaddr *sin = host->sin; -+ struct sockaddr_in sin4; -+ struct addrinfo hints, *res, *res0 = NULL; -+ int salen, alen, err = 1; -+ char *ap = NULL, *rap, hname[NI_MAXHOST]; -+ -+ if (sin != NULL) { -+ if (sin->sa_family == AF_INET6) { -+ struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sin; -+ -+ if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { -+ memset(&sin4, 0, sizeof(sin4)); -+#ifdef SIN6_LEN -+ sin4.sin_len = sizeof(sin4); -+#endif -+ sin4.sin_family = AF_INET; -+ sin4.sin_port = sin6->sin6_port; -+ sin4.sin_addr.s_addr = *(u_int32_t *)&sin6->sin6_addr.s6_addr[12]; -+ sin = (struct sockaddr *)&sin4; -+ } -+ } -+ switch (sin->sa_family) { -+ case AF_INET: -+ ap = (char *)&((struct sockaddr_in *)sin)->sin_addr; -+ alen = sizeof(struct in_addr); -+ salen = sizeof(struct sockaddr_in); -+ break; -+ case AF_INET6: -+ ap = (char *)&((struct sockaddr_in6 *)sin)->sin6_addr; -+ alen = sizeof(struct in6_addr); -+ salen = sizeof(struct sockaddr_in6); -+ break; -+ default: -+ break; -+ } -+ if (ap) -+ err = getnameinfo(sin, salen, hname, sizeof(hname), -+ NULL, 0, NI_WITHSCOPEID | NI_NAMEREQD); -+ } -+ if (!err) { -+ -+ STRN_CPY(host->name, hname, sizeof(host->name)); -+ -+ /* reject numeric addresses */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = sin->sa_family; -+ hints.ai_socktype = SOCK_STREAM; -+ hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST; -+ if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) { -+ freeaddrinfo(res0); -+ res0 = NULL; -+ tcpd_warn("host name/name mismatch: " -+ "reverse lookup results in non-FQDN %s", -+ host->name); -+ strcpy(host->name, paranoid); /* name is bad, clobber it */ -+ } -+ err = !err; -+ } -+ if (!err) { -+ /* we are now sure that this is non-numeric */ -+ -+ /* -+ * Verify that the address is a member of the address list returned -+ * by gethostbyname(hostname). -+ * -+ * Verify also that gethostbyaddr() and gethostbyname() return the same -+ * hostname, or rshd and rlogind may still end up being spoofed. -+ * -+ * On some sites, gethostbyname("localhost") returns "localhost.domain". -+ * This is a DNS artefact. We treat it as a special case. When we -+ * can't believe the address list from gethostbyname("localhost") -+ * we're in big trouble anyway. -+ */ -+ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = sin->sa_family; -+ hints.ai_socktype = SOCK_STREAM; -+ hints.ai_flags = AI_PASSIVE | AI_CANONNAME; -+ if (getaddrinfo(host->name, NULL, &hints, &res0) != 0) { -+ -+ /* -+ * Unable to verify that the host name matches the address. This -+ * may be a transient problem or a botched name server setup. -+ */ -+ -+ tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed", -+ host->name, -+ (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6"); -+ -+ } else if ((res0->ai_canonname == NULL -+ || STR_NE(host->name, res0->ai_canonname)) -+ && STR_NE(host->name, "localhost")) { -+ -+ /* -+ * The gethostbyaddr() and gethostbyname() calls did not return -+ * the same hostname. This could be a nameserver configuration -+ * problem. It could also be that someone is trying to spoof us. -+ */ -+ -+ tcpd_warn("host name/name mismatch: %s != %.*s", -+ host->name, STRING_LENGTH, -+ (res0->ai_canonname == NULL) ? "" : res0->ai_canonname); -+ -+ } else { -+ -+ /* -+ * The address should be a member of the address list returned by -+ * gethostbyname(). We should first verify that the h_addrtype -+ * field is AF_INET, but this program has already caused too much -+ * grief on systems with broken library code. -+ */ -+ -+ for (res = res0; res; res = res->ai_next) { -+ if (res->ai_family != sin->sa_family) -+ continue; -+ switch (res->ai_family) { -+ case AF_INET: -+ rap = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr; -+ break; -+ case AF_INET6: -+ /* need to check scope_id */ -+ if (((struct sockaddr_in6 *)sin)->sin6_scope_id != -+ ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) { -+ continue; -+ } -+ rap = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; -+ break; -+ default: -+ continue; -+ } -+ if (memcmp(rap, ap, alen) == 0) { -+ freeaddrinfo(res0); -+ return; /* name is good, keep it */ -+ } -+ } -+ -+ /* -+