xref: /illumos-gate/usr/src/lib/libwrap/tcpd.h (revision 9adfa60d484ce2435f5af77cc99dcd4e692b6660)
1 /*
2  * Copyright 2014 Sachidananda Urs <sacchi@gmail.com>
3  * Copyright 2001 Sun Microsystems, Inc.  All rights reserved.
4  * Use is subject to license terms.
5  */
6 
7 /*
8  * @(#) tcpd.h 1.5 96/03/19 16:22:24
9  *
10  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
11  */
12 
13 #ifndef	_TCPD_H
14 #define	_TCPD_H
15 
16 /*
17  * HAVE_IPV6 is traditionally configured at tcp_wrappers build time but for
18  * Solaris it must always be defined to keep the library interface binary
19  * compatible.
20  */
21 #define	HAVE_IPV6
22 
23 /* Structure to describe one communications endpoint. */
24 
25 #define	STRING_LENGTH	128		/* hosts, users, processes */
26 
27 #include <sys/socket.h>
28 #include <netinet/in.h>
29 
30 typedef struct sockaddr_gen {
31     union {
32 	struct sockaddr	_sg_sa;
33 	struct sockaddr_in	_sg_sin;
34 #ifdef HAVE_IPV6
35 	struct sockaddr_in6	_sg_sin6;
36 #endif
37 	} sg_addr;
38 } sockaddr_gen;
39 
40 typedef union gen_addr {
41     struct in_addr	ga_in;
42 #ifdef HAVE_IPV6
43     struct in6_addr	ga_in6;
44 #endif
45 } gen_addr;
46 
47 extern void sockgen_simplify();
48 
49 #define	sg_sa		sg_addr._sg_sa
50 #define	sg_sin		sg_addr._sg_sin
51 #define	sg_sin6		sg_addr._sg_sin6
52 #define	sg_family	sg_sa.sa_family
53 #ifdef HAVE_IPV6
54 #define	SGADDRSZ(sag)		((sag)->sg_family == AF_INET6 ? \
55 				    sizeof (struct in6_addr) : \
56 				    sizeof (struct in_addr))
57 #define	SGSOCKADDRSZ(sag)	((sag)->sg_family == AF_INET6 ? \
58 				    sizeof (struct sockaddr_in6) : \
59 				    sizeof (struct sockaddr_in))
60 #define	SGPORT(sag)		(*((sag)->sg_family == AF_INET6 ? \
61 				    &(sag)->sg_sin6.sin6_port : \
62 				    &(sag)->sg_sin.sin_port))
63 #define	SGADDRP(sag)		(((sag)->sg_family == AF_INET6 ? \
64 				    (char *)&(sag)->sg_sin6.sin6_addr : \
65 				    (char *)&(sag)->sg_sin.sin_addr))
66 #define	SGFAM(sag)		((sag)->sg_family == AF_INET6 ? \
67 				    AF_INET6 : AF_INET)
68 
69 #define	SG_IS_UNSPECIFIED(sag) \
70 		((sag)->sg_family == AF_INET6 ? \
71 			IN6_IS_ADDR_UNSPECIFIED(&(sag)->sg_sin6.sin6_addr) : \
72 			(sag)->sg_sin.sin_addr.s_addr == 0)
73 
74 #define	VALID_ADDRTYPE(t)	((t) == AF_INET || (t) == AF_INET6)
75 
76 #ifndef IPV6_ABITS
77 #define	IPV6_ABITS 128			/* Size of IPV6 address in bits */
78 #endif
79 
80 #else /* HAVE_IPV6 */
81 
82 #define	SGADDRSZ(sag)		sizeof (struct in_addr)
83 #define	SGSOCKADDRSZ(sag)	sizeof (struct sockaddr_in)
84 #define	SGPORT(sag)		((sag)->sg_sin.sin_port)
85 #define	SGADDRP(sag)		((char *)&(sag)->sg_sin.sin_addr)
86 #define	SGFAM(sag)		AF_INET
87 #define	SG_IS_UNSPECIFIED(sag)  ((sag)->sg_sin.sin_addr.s_addr == 0)
88 
89 #define	VALID_ADDRTYPE(t)	((t) == AF_INET)
90 
91 #endif /* HAVE_IPV6 */
92 
93 struct host_info {
94     char    name[STRING_LENGTH];	/* access via eval_hostname(host) */
95     char    addr[STRING_LENGTH];	/* access via eval_hostaddr(host) */
96     struct sockaddr_gen *sin;		/* socket address or 0 */
97     struct t_unitdata *unit;		/* TLI transport address or 0 */
98     struct request_info *request;	/* for shared information */
99 };
100 
101 /* Structure to describe what we know about a service request. */
102 
103 struct request_info {
104     int	    fd;				/* socket handle */
105     char    user[STRING_LENGTH];	/* access via eval_user(request) */
106     char    daemon[STRING_LENGTH];	/* access via eval_daemon(request) */
107     char    pid[10];			/* access via eval_pid(request) */
108     struct host_info client[1];		/* client endpoint info */
109     struct host_info server[1];		/* server endpoint info */
110     void  (*sink) ();			/* datagram sink function or 0 */
111     void  (*hostname) ();		/* address to printable hostname */
112     void  (*hostaddr) ();		/* address to printable address */
113     void  (*cleanup) ();		/* cleanup function or 0 */
114     struct netconfig *config;		/* netdir handle */
115 };
116 
117 /* Common string operations. Less clutter should be more readable. */
118 
119 #define	STRN_CPY(d, s, l)	{ strncpy((d), (s), (l)); (d)[(l)-1] = 0; }
120 
121 #define	STRN_EQ(x, y, l)	(strncasecmp((x), (y), (l)) == 0)
122 #define	STRN_NE(x, y, l)	(strncasecmp((x), (y), (l)) != 0)
123 #define	STR_EQ(x, y)		(strcasecmp((x), (y)) == 0)
124 #define	STR_NE(x, y)		(strcasecmp((x), (y)) != 0)
125 
126 /*
127  * Initially, all above strings have the empty value. Information that
128  * cannot be determined at runtime is set to "unknown", so that we can
129  * distinguish between `unavailable' and `not yet looked up'. A hostname
130  * that we do not believe in is set to "paranoid".
131  */
132 
133 #define	STRING_UNKNOWN	"unknown"	/* lookup failed */
134 #define	STRING_PARANOID	"paranoid"	/* hostname conflict */
135 
136 extern char unknown[];
137 extern char paranoid[];
138 
139 #define	HOSTNAME_KNOWN(s) (STR_NE((s), unknown) && STR_NE((s), paranoid))
140 
141 #ifdef HAVE_IPV6
142 #define	NOT_INADDR(s) (strchr(s, ':') == 0 && s[strspn(s, "0123456789./")] != 0)
143 #else
144 #define	NOT_INADDR(s) (s[strspn(s, "0123456789./")] != 0)
145 #endif
146 
147 /* Global functions. */
148 
149 #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
150 extern void fromhost();			/* get/validate client host info */
151 #else
152 #define	fromhost sock_host		/* no TLI support needed */
153 #endif
154 
155 extern int hosts_ctl();			/* wrapper around request_init() */
156 extern int hosts_access();		/* access control */
157 extern void shell_cmd();		/* execute shell command */
158 extern char *percent_x();		/* do %<char> expansion */
159 extern void rfc931();			/* client name from RFC 931 daemon */
160 extern void clean_exit();		/* clean up and exit */
161 extern void refuse();			/* clean up and exit */
162 extern char *xgets();			/* fgets() on steroids */
163 extern char *split_at();		/* strchr() and split */
164 extern unsigned long dot_quad_addr();	/* restricted inet_addr() */
165 extern int numeric_addr();		/* IP4/IP6 inet_addr (restricted) */
166 extern struct hostent *tcpd_gethostbyname();
167 					/* IP4/IP6 gethostbyname */
168 #ifdef HAVE_IPV6
169 extern char *skip_ipv6_addrs();		/* skip over colons in IPv6 addrs */
170 #else
171 #define	skip_ipv6_addrs(x)	x
172 #endif
173 
174 /* Global variables. */
175 
176 extern int allow_severity;		/* for connection logging */
177 extern int deny_severity;		/* for connection logging */
178 extern char *hosts_allow_table;		/* for verification mode redirection */
179 extern char *hosts_deny_table;		/* for verification mode redirection */
180 extern int hosts_access_verbose;	/* for verbose matching mode */
181 extern int rfc931_timeout;		/* user lookup timeout */
182 extern int resident;			/* > 0 if resident process */
183 
184 /*
185  * Routines for controlled initialization and update of request structure
186  * attributes. Each attribute has its own key.
187  */
188 
189 #ifdef __STDC__
190 extern struct request_info *request_init(struct request_info *, ...);
191 extern struct request_info *request_set(struct request_info *, ...);
192 #else
193 extern struct request_info *request_init();	/* initialize request */
194 extern struct request_info *request_set();	/* update request structure */
195 #endif
196 
197 #define	RQ_FILE		1		/* file descriptor */
198 #define	RQ_DAEMON	2		/* server process (argv[0]) */
199 #define	RQ_USER		3		/* client user name */
200 #define	RQ_CLIENT_NAME	4		/* client host name */
201 #define	RQ_CLIENT_ADDR	5		/* client host address */
202 #define	RQ_CLIENT_SIN	6		/* client endpoint (internal) */
203 #define	RQ_SERVER_NAME	7		/* server host name */
204 #define	RQ_SERVER_ADDR	8		/* server host address */
205 #define	RQ_SERVER_SIN	9		/* server endpoint (internal) */
206 
207 /*
208  * Routines for delayed evaluation of request attributes. Each attribute
209  * type has its own access method. The trivial ones are implemented by
210  * macros. The other ones are wrappers around the transport-specific host
211  * name, address, and client user lookup methods. The request_info and
212  * host_info structures serve as caches for the lookup results.
213  */
214 
215 extern char *eval_user();		/* client user */
216 extern char *eval_hostname();		/* printable hostname */
217 extern char *eval_hostaddr();		/* printable host address */
218 extern char *eval_hostinfo();		/* host name or address */
219 extern char *eval_client();		/* whatever is available */
220 extern char *eval_server();		/* whatever is available */
221 #define	eval_daemon(r)	((r)->daemon)	/* daemon process name */
222 #define	eval_pid(r)	((r)->pid)	/* process id */
223 
224 /* Socket-specific methods, including DNS hostname lookups. */
225 
226 extern void sock_host();		/* look up endpoint addresses */
227 extern void sock_hostname();		/* translate address to hostname */
228 extern void sock_hostaddr();		/* address to printable address */
229 #define	sock_methods(r) \
230 	{ (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
231 
232 /* The System V Transport-Level Interface (TLI) interface. */
233 
234 #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
235 extern void tli_host();			/* look up endpoint addresses etc. */
236 #endif
237 
238 /*
239  * Problem reporting interface. Additional file/line context is reported
240  * when available. The jump buffer (tcpd_buf) is not declared here, or
241  * everyone would have to include <setjmp.h>.
242  */
243 
244 #ifdef __STDC__
245 extern void tcpd_warn(char *, ...);	/* report problem and proceed */
246 extern void tcpd_jump(char *, ...);	/* report problem and jump */
247 #else
248 extern void tcpd_warn();
249 extern void tcpd_jump();
250 #endif
251 
252 struct tcpd_context {
253     char   *file;			/* current file */
254     int	    line;			/* current line */
255 };
256 extern struct tcpd_context tcpd_context;
257 
258 /*
259  * While processing access control rules, error conditions are handled by
260  * jumping back into the hosts_access() routine. This is cleaner than
261  * checking the return value of each and every silly little function. The
262  * (-1) returns are here because zero is already taken by longjmp().
263  */
264 
265 #define	AC_PERMIT	1		/* permit access */
266 #define	AC_DENY		(-1)		/* deny_access */
267 #define	AC_ERROR	AC_DENY		/* XXX */
268 
269 /*
270  * In verification mode an option function should just say what it would do,
271  * instead of really doing it. An option function that would not return
272  * should clear the dry_run flag to inform the caller of this unusual
273  * behavior.
274  */
275 
276 extern void process_options();		/* execute options */
277 extern int dry_run;			/* verification flag */
278 
279 /* Bug workarounds. */
280 
281 #ifdef INET_ADDR_BUG			/* inet_addr() returns struct */
282 #define	inet_addr fix_inet_addr
283 extern long fix_inet_addr();
284 #endif
285 
286 #ifdef BROKEN_FGETS			/* partial reads from sockets */
287 #define	fgets fix_fgets
288 extern char *fix_fgets();
289 #endif
290 
291 #ifdef RECVFROM_BUG			/* no address family info */
292 #define	recvfrom fix_recvfrom
293 extern int fix_recvfrom();
294 #endif
295 
296 #ifdef GETPEERNAME_BUG			/* claims success with UDP */
297 #define	getpeername fix_getpeername
298 extern int fix_getpeername();
299 #endif
300 
301 #ifdef SOLARIS_24_GETHOSTBYNAME_BUG	/* lists addresses as aliases */
302 #define	gethostbyname fix_gethostbyname
303 extern struct hostent *fix_gethostbyname();
304 #endif
305 
306 #ifdef USE_STRSEP			/* libc calls strtok() */
307 #define	strtok	fix_strtok
308 extern char *fix_strtok();
309 #endif
310 
311 #ifdef LIBC_CALLS_STRTOK		/* libc calls strtok() */
312 #define	strtok	my_strtok
313 extern char *my_strtok();
314 #endif
315 
316 #endif /* _TCPD_H */
317