/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 1999 by Sun Microsystems, Inc.
 * All rights reserved.
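 */

#pragma ident	"%Z%%M% %I% %E% SMI"

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <malloc.h>
#include <syslog.h>
#include <sys/tiuser.h>

/*
 * Network-based access control for the YP daemons, driven by ACCFILE.
 *
 * Each non-comment line of ACCFILE holds two whitespace-separated fields,
 * "<netmask> <network>", either IPv4 dotted quad or IPv6 text.  The
 * netmask may be the literal word "host", meaning an all-ones mask of the
 * network's address family.  A caller is admitted when, for some entry of
 * the same family, (caller & mask) == network.
 *
 * If ACCFILE cannot be opened, or contains no entries at all, 'nofile'
 * is set and every caller is admitted.  Any malformed entry is fatal:
 * the daemon logs the offending line number and exits rather than run
 * with a partially-loaded policy.
 */

#define	ACCFILE		"/var/yp/securenets"
#define	MAXLINE		128

/* One address of either family; 'af' elsewhere says which member is live. */
typedef union {
	struct in_addr in4;
	struct in6_addr in6;
} inaddr_t;

/* One parsed ACCFILE entry; singly linked in file order. */
struct seclist {
	sa_family_t af;		/* family of both 'mask' and 'net' */
	inaddr_t mask;
	inaddr_t net;
	struct seclist *next;
};

static int string2inaddr(char *, sa_family_t *, inaddr_t *);
static int addrequal(sa_family_t af, inaddr_t *laddr, inaddr_t *mask,
    inaddr_t *caddr);

/* Head of the parsed entry list; NULL when empty. */
static struct seclist *slist;
/* Non-zero when there is no policy to enforce (no file or no entries). */
static int nofile = 0;

/*
 * Load ACCFILE into 'slist'.
 *
 * daemon_name: program name used as the syslog message prefix.
 *
 * Lines whose first character is '#' are comments.  Every other line
 * must parse as "<netmask> <network>" with both fields in the same
 * address family and with the network already masked, otherwise the
 * error is logged and the process exits with status 1.  A line without
 * a trailing newline (longer than MAXLINE - 1 bytes, or containing a NUL)
 * is also fatal, so a truncated line can never be half-parsed.
 *
 * NOTE(review): presumably called once at daemon start-up; a second call
 * does not release the list built by the first -- confirm against callers.
 */
void
get_secure_nets(char *daemon_name)
{
	FILE *fp;
	char strung[MAXLINE], nmask[MAXLINE], net[MAXLINE];
	inaddr_t maskin, netin;
	sa_family_t maskaf, netaf;
	struct seclist *node, *tail = NULL;
	int items = 0, line = 0;
	size_t len;

	fp = fopen(ACCFILE, "r");
	if (fp == NULL) {
		/* No file means no restriction; say so once at start-up. */
		syslog(LOG_WARNING|LOG_DAEMON, "%s: no %s file\n",
		    daemon_name, ACCFILE);
		nofile = 1;
		return;
	}

	slist = NULL;
	while (fgets(strung, MAXLINE, fp) != NULL) {
		line++;
		len = strlen(strung);
		/*
		 * fgets() always returns at least one byte, but that byte
		 * may itself be NUL; guard len == 0 before indexing len - 1.
		 */
		if (len == 0 || strung[len - 1] != '\n') {
			syslog(LOG_ERR|LOG_DAEMON,
			    "%s: %s line %d: too long\n",
			    daemon_name, ACCFILE, line);
			exit(1);
		}
		if (strung[0] == '#')
			continue;

		items++;
		/* %46s bounds each token well inside the MAXLINE buffers. */
		if (sscanf(strung, "%46s%46s", nmask, net) < 2) {
			syslog(LOG_ERR|LOG_DAEMON,
			    "%s: %s line %d: missing fields\n",
			    daemon_name, ACCFILE, line);
			exit(1);
		}

		/* The network fixes the family; the mask must agree with it. */
		netaf = AF_UNSPEC;
		if (!string2inaddr(net, &netaf, &netin)) {
			syslog(LOG_ERR|LOG_DAEMON,
			    "%s: %s line %d: error in address\n",
			    daemon_name, ACCFILE, line);
			exit(1);
		}
		maskaf = netaf;
		if (!string2inaddr(nmask, &maskaf, &maskin) ||
		    maskaf != netaf) {
			syslog(LOG_ERR|LOG_DAEMON,
			    "%s: %s line %d: error in netmask\n",
			    daemon_name, ACCFILE, line);
			exit(1);
		}
		/* Reject "net" bits outside the mask: (net & mask) must be net. */
		if (!addrequal(netaf, &netin, &maskin, &netin)) {
			syslog(LOG_ERR|LOG_DAEMON,
			    "%s: %s line %d: netmask does not match network\n",
			    daemon_name, ACCFILE, line);
			exit(1);
		}

		/* Allocate only for a fully validated entry. */
		node = malloc(sizeof (*node));
		if (node == NULL) {
			syslog(LOG_ERR|LOG_DAEMON,
			    "%s: %s line %d: out of memory\n",
			    daemon_name, ACCFILE, line);
			exit(1);
		}
		node->af = netaf;
		node->mask = maskin;
		node->net = netin;
		node->next = NULL;
		if (tail == NULL)
			slist = node;
		else
			tail->next = node;
		tail = node;
	}
	(void) fclose(fp);

	/* A file with no entries is treated like a missing file. */
	if (items == 0)
		nofile = 1;
}

/*
 * Decide whether a TLI caller may use the service.
 *
 * caller: transport address of the client as a netbuf; 'buf' is expected
 *         to hold a sockaddr_in or sockaddr_in6 when the family is
 *         AF_INET / AF_INET6.
 * ypname: service name used as the syslog message prefix.
 *
 * Returns 1 to admit, 0 to deny.  Admits unconditionally when no policy
 * is loaded ('nofile') and for callers of a non-IP family.  Denies, and
 * logs the address, when no entry of the caller's family matches.  A
 * netbuf too short to hold the address it claims is denied as malformed
 * rather than read past 'len'.
 *
 * NOTE(review): an IPv4 client arriving over an IPv6 transport would
 * presumably appear here as a v4-mapped AF_INET6 address and be compared
 * only against AF_INET6 entries -- confirm against the transport.
 */
int
check_secure_net_ti(struct netbuf *caller, char *ypname)
{
	struct seclist *tmp;
	sa_family_t af;
	inaddr_t addr;
	char buf[INET6_ADDRSTRLEN];
	const char *astr;

	if (nofile)
		return (1);

	/* Need at least the family before interpreting anything else. */
	if (caller == NULL || caller->buf == NULL ||
	    caller->len < sizeof (sa_family_t)) {
		syslog(LOG_ERR|LOG_DAEMON,
		    "%s: access denied: malformed caller address\n", ypname);
		return (0);
	}

	af = ((struct sockaddr_storage *)caller->buf)->ss_family;
	if (af == AF_INET) {
		if (caller->len < sizeof (struct sockaddr_in))
			goto malformed;
		addr.in4 = ((struct sockaddr_in *)caller->buf)->sin_addr;
	} else if (af == AF_INET6) {
		if (caller->len < sizeof (struct sockaddr_in6))
			goto malformed;
		addr.in6 = ((struct sockaddr_in6 *)caller->buf)->sin6_addr;
	} else {
		/* Not an IP transport; securenets does not apply. */
		return (1);
	}

	for (tmp = slist; tmp != NULL; tmp = tmp->next) {
		if (af == tmp->af &&
		    addrequal(af, &tmp->net, &tmp->mask, &addr))
			return (1);
	}

	/* inet_ntop() may fail (e.g. EAFNOSUPPORT); never pass NULL to %s. */
	astr = inet_ntop(af,
	    (af == AF_INET6) ? (void *)&addr.in6 : (void *)&addr.in4,
	    buf, sizeof (buf));
	syslog(LOG_ERR|LOG_DAEMON, "%s: access denied for %s\n",
	    ypname, (astr != NULL) ? astr : "<unprintable address>");
	return (0);

malformed:
	syslog(LOG_ERR|LOG_DAEMON,
	    "%s: access denied: caller address too short for family %d\n",
	    ypname, (int)af);
	return (0);
}

/*
 * Parse an address or netmask in text form.
 *
 * string: the text; "host" is accepted as an all-ones mask when *af
 *         already names a family (AF_INET or AF_INET6).
 * af:     in: AF_UNSPEC, or the family "host" should be expanded in;
 *         out: the family the text was parsed as (IPv6 if it contains
 *         a ':', IPv4 otherwise).  Set even when parsing fails.
 * addr:   receives the parsed address in the member selected by *af.
 *
 * Returns 1 on success, 0 on a NULL argument or when inet_pton() rejects
 * the text.
 */
static int
string2inaddr(char *string, sa_family_t *af, inaddr_t *addr)
{
	sa_family_t stringaf;
	const char *text = string;

	if (string == NULL || af == NULL || addr == NULL)
		return (0);

	stringaf = (strchr(string, ':') != NULL) ? AF_INET6 : AF_INET;

	if (*af != AF_UNSPEC && strcmp(string, "host") == 0) {
		if (*af == AF_INET) {
			text = "255.255.255.255";
			stringaf = AF_INET;
		} else if (*af == AF_INET6) {
			text = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff";
			stringaf = AF_INET6;
		}
	}

	*af = stringaf;
	return (inet_pton(*af, text,
	    (*af == AF_INET6) ? (void *)&addr->in6 : (void *)&addr->in4) == 1);
}

/*
 * Test whether 'caddr' lies in the network 'laddr'/'mask'.
 *
 * af:    family of all three addresses.
 * laddr: network address (expected to be already masked).
 * mask:  netmask.
 * caddr: candidate address.
 *
 * Returns 1 when (caddr & mask) == laddr byte-for-byte, 0 otherwise or
 * for a family other than AF_INET / AF_INET6.
 */
static int
addrequal(sa_family_t af, inaddr_t *laddr, inaddr_t *mask, inaddr_t *caddr)
{
	if (af == AF_INET6) {
		size_t i;

		for (i = 0; i < sizeof (laddr->in6.s6_addr); i++) {
			if ((caddr->in6.s6_addr[i] & mask->in6.s6_addr[i]) !=
			    laddr->in6.s6_addr[i])
				return (0);
		}
		return (1);
	}
	if (af == AF_INET) {
		return ((caddr->in4.s_addr & mask->in4.s_addr) ==
		    laddr->in4.s_addr);
	}
	return (0);
}

/*
 * Debugging aid: print "<string> <family> <address>" to stdout.
 * Not referenced elsewhere in this file.
 */
static void
print_inaddr(char *string, sa_family_t af, inaddr_t *addr)
{
	char buf[INET6_ADDRSTRLEN];

	printf("%s %s %s\n",
	    string, (af == AF_INET6) ? "AF_INET6" : "AF_INET",
	    inet_ntop(af, (af == AF_INET6) ? (void *)&addr->in6 :
	    (void *)&addr->in4, buf, sizeof (buf)));
}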