xref: /illumos-gate/usr/src/lib/libwrap/tcpd.h (revision e7cbe64f7a72dae5cb44f100db60ca88f3313c65)
1 /*
2  * Copyright 2001 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 #pragma ident	"%Z%%M%	%I%	%E% SMI"
6 
7  /*
8   * @(#) tcpd.h 1.5 96/03/19 16:22:24
9   *
10   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
11   */
12 
13 /*
14  * HAVE_IPV6 is traditionally configured at tcp_wrappers build time but for
15  * Solaris it must always be defined to keep the library interface binary
16  * compatible.
17  */
18 #define	HAVE_IPV6
19 
20 /* Structure to describe one communications endpoint. */
21 
22 #define STRING_LENGTH	128		/* hosts, users, processes */
23 
24 #include <sys/socket.h>
25 #include <netinet/in.h>
26 
27 typedef struct sockaddr_gen {
28     union {
29 	struct sockaddr	_sg_sa;
30 	struct sockaddr_in	_sg_sin;
31 #ifdef HAVE_IPV6
32 	struct sockaddr_in6	_sg_sin6;
33 #endif
34     } sg_addr;
35 } sockaddr_gen;
36 
37 typedef union gen_addr {
38     struct in_addr	ga_in;
39 #ifdef HAVE_IPV6
40     struct in6_addr	ga_in6;
41 #endif
42 } gen_addr;
43 
44 extern void sockgen_simplify();
45 
46 #define sg_sa		sg_addr._sg_sa
47 #define sg_sin		sg_addr._sg_sin
48 #define sg_sin6		sg_addr._sg_sin6
49 #define sg_family	sg_sa.sa_family
50 #ifdef HAVE_IPV6
51 #define SGADDRSZ(sag)		((sag)->sg_family == AF_INET6 ? \
52 				    sizeof (struct in6_addr) : \
53 				    sizeof (struct in_addr))
54 #define SGSOCKADDRSZ(sag)	((sag)->sg_family == AF_INET6 ? \
55 				    sizeof (struct sockaddr_in6) : \
56 				    sizeof (struct sockaddr_in))
57 #define SGPORT(sag)		(*((sag)->sg_family == AF_INET6 ? \
58 				    &(sag)->sg_sin6.sin6_port : \
59 				    &(sag)->sg_sin.sin_port))
60 #define SGADDRP(sag)		(((sag)->sg_family == AF_INET6 ? \
61 				    (char *) &(sag)->sg_sin6.sin6_addr : \
62 				    (char *) &(sag)->sg_sin.sin_addr))
63 #define SGFAM(sag)		((sag)->sg_family == AF_INET6 ? \
64 				    AF_INET6 : AF_INET)
65 
66 #define SG_IS_UNSPECIFIED(sag) \
67 		((sag)->sg_family == AF_INET6 ? \
68 			IN6_IS_ADDR_UNSPECIFIED(&(sag)->sg_sin6.sin6_addr) : \
69 			(sag)->sg_sin.sin_addr.s_addr == 0)
70 
71 #define VALID_ADDRTYPE(t)	((t) == AF_INET || (t) == AF_INET6)
72 
73 #ifndef IPV6_ABITS
74 #define IPV6_ABITS 128			/* Size of IPV6 address in bits */
75 #endif
76 
77 #else /* HAVE_IPV6 */
78 
79 #define SGADDRSZ(sag)		sizeof(struct in_addr)
80 #define SGSOCKADDRSZ(sag)	sizeof(struct sockaddr_in)
81 #define SGPORT(sag)		((sag)->sg_sin.sin_port)
82 #define SGADDRP(sag)		((char*) &(sag)->sg_sin.sin_addr)
83 #define SGFAM(sag)		AF_INET
84 #define SG_IS_UNSPECIFIED(sag)  ((sag)->sg_sin.sin_addr.s_addr == 0)
85 
86 #define VALID_ADDRTYPE(t)	((t) == AF_INET)
87 
88 #endif /* HAVE_IPV6 */
89 
90 struct host_info {
91     char    name[STRING_LENGTH];	/* access via eval_hostname(host) */
92     char    addr[STRING_LENGTH];	/* access via eval_hostaddr(host) */
93     struct sockaddr_gen *sin;		/* socket address or 0 */
94     struct t_unitdata *unit;		/* TLI transport address or 0 */
95     struct request_info *request;	/* for shared information */
96 };
97 
98 /* Structure to describe what we know about a service request. */
99 
100 struct request_info {
101     int     fd;				/* socket handle */
102     char    user[STRING_LENGTH];	/* access via eval_user(request) */
103     char    daemon[STRING_LENGTH];	/* access via eval_daemon(request) */
104     char    pid[10];			/* access via eval_pid(request) */
105     struct host_info client[1];		/* client endpoint info */
106     struct host_info server[1];		/* server endpoint info */
107     void  (*sink) ();			/* datagram sink function or 0 */
108     void  (*hostname) ();		/* address to printable hostname */
109     void  (*hostaddr) ();		/* address to printable address */
110     void  (*cleanup) ();		/* cleanup function or 0 */
111     struct netconfig *config;		/* netdir handle */
112 };
113 
114 /* Common string operations. Less clutter should be more readable. */
115 
116 #define STRN_CPY(d,s,l)	{ strncpy((d),(s),(l)); (d)[(l)-1] = 0; }
117 
118 #define STRN_EQ(x,y,l)	(strncasecmp((x),(y),(l)) == 0)
119 #define STRN_NE(x,y,l)	(strncasecmp((x),(y),(l)) != 0)
120 #define STR_EQ(x,y)	(strcasecmp((x),(y)) == 0)
121 #define STR_NE(x,y)	(strcasecmp((x),(y)) != 0)
122 
123  /*
124   * Initially, all above strings have the empty value. Information that
125   * cannot be determined at runtime is set to "unknown", so that we can
126   * distinguish between `unavailable' and `not yet looked up'. A hostname
127   * that we do not believe in is set to "paranoid".
128   */
129 
130 #define STRING_UNKNOWN	"unknown"	/* lookup failed */
131 #define STRING_PARANOID	"paranoid"	/* hostname conflict */
132 
133 extern char unknown[];
134 extern char paranoid[];
135 
136 #define HOSTNAME_KNOWN(s) (STR_NE((s),unknown) && STR_NE((s),paranoid))
137 
138 #ifdef HAVE_IPV6
139 #define NOT_INADDR(s) (strchr(s,':') == 0 && s[strspn(s,"0123456789./")] != 0)
140 #else
141 #define NOT_INADDR(s) (s[strspn(s,"0123456789./")] != 0)
142 #endif
143 
144 /* Global functions. */
145 
146 #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
147 extern void fromhost();			/* get/validate client host info */
148 #else
149 #define fromhost sock_host		/* no TLI support needed */
150 #endif
151 
152 extern int hosts_access();		/* access control */
153 extern void shell_cmd();		/* execute shell command */
154 extern char *percent_x();		/* do %<char> expansion */
155 extern void rfc931();			/* client name from RFC 931 daemon */
156 extern void clean_exit();		/* clean up and exit */
157 extern void refuse();			/* clean up and exit */
158 extern char *xgets();			/* fgets() on steroids */
159 extern char *split_at();		/* strchr() and split */
160 extern unsigned long dot_quad_addr();	/* restricted inet_addr() */
161 extern int numeric_addr();		/* IP4/IP6 inet_addr (restricted) */
162 extern struct hostent *tcpd_gethostbyname();
163 					/* IP4/IP6 gethostbyname */
164 #ifdef HAVE_IPV6
165 extern char *skip_ipv6_addrs();		/* skip over colons in IPv6 addrs */
166 #else
167 #define skip_ipv6_addrs(x)	x
168 #endif
169 
170 /* Global variables. */
171 
172 extern int allow_severity;		/* for connection logging */
173 extern int deny_severity;		/* for connection logging */
174 extern char *hosts_allow_table;		/* for verification mode redirection */
175 extern char *hosts_deny_table;		/* for verification mode redirection */
176 extern int hosts_access_verbose;	/* for verbose matching mode */
177 extern int rfc931_timeout;		/* user lookup timeout */
178 extern int resident;			/* > 0 if resident process */
179 
180  /*
181   * Routines for controlled initialization and update of request structure
182   * attributes. Each attribute has its own key.
183   */
184 
185 #ifdef __STDC__
186 extern struct request_info *request_init(struct request_info *,...);
187 extern struct request_info *request_set(struct request_info *,...);
188 #else
189 extern struct request_info *request_init();	/* initialize request */
190 extern struct request_info *request_set();	/* update request structure */
191 #endif
192 
193 #define RQ_FILE		1		/* file descriptor */
194 #define RQ_DAEMON	2		/* server process (argv[0]) */
195 #define RQ_USER		3		/* client user name */
196 #define RQ_CLIENT_NAME	4		/* client host name */
197 #define RQ_CLIENT_ADDR	5		/* client host address */
198 #define RQ_CLIENT_SIN	6		/* client endpoint (internal) */
199 #define RQ_SERVER_NAME	7		/* server host name */
200 #define RQ_SERVER_ADDR	8		/* server host address */
201 #define RQ_SERVER_SIN	9		/* server endpoint (internal) */
202 
203  /*
204   * Routines for delayed evaluation of request attributes. Each attribute
205   * type has its own access method. The trivial ones are implemented by
206   * macros. The other ones are wrappers around the transport-specific host
207   * name, address, and client user lookup methods. The request_info and
208   * host_info structures serve as caches for the lookup results.
209   */
210 
211 extern char *eval_user();		/* client user */
212 extern char *eval_hostname();		/* printable hostname */
213 extern char *eval_hostaddr();		/* printable host address */
214 extern char *eval_hostinfo();		/* host name or address */
215 extern char *eval_client();		/* whatever is available */
216 extern char *eval_server();		/* whatever is available */
217 #define eval_daemon(r)	((r)->daemon)	/* daemon process name */
218 #define eval_pid(r)	((r)->pid)	/* process id */
219 
220 /* Socket-specific methods, including DNS hostname lookups. */
221 
222 extern void sock_host();		/* look up endpoint addresses */
223 extern void sock_hostname();		/* translate address to hostname */
224 extern void sock_hostaddr();		/* address to printable address */
225 #define sock_methods(r) \
226 	{ (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
227 
228 /* The System V Transport-Level Interface (TLI) interface. */
229 
230 #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
231 extern void tli_host();			/* look up endpoint addresses etc. */
232 #endif
233 
234  /*
235   * Problem reporting interface. Additional file/line context is reported
236   * when available. The jump buffer (tcpd_buf) is not declared here, or
237   * everyone would have to include <setjmp.h>.
238   */
239 
240 #ifdef __STDC__
241 extern void tcpd_warn(char *, ...);	/* report problem and proceed */
242 extern void tcpd_jump(char *, ...);	/* report problem and jump */
243 #else
244 extern void tcpd_warn();
245 extern void tcpd_jump();
246 #endif
247 
248 struct tcpd_context {
249     char   *file;			/* current file */
250     int     line;			/* current line */
251 };
252 extern struct tcpd_context tcpd_context;
253 
254  /*
255   * While processing access control rules, error conditions are handled by
256   * jumping back into the hosts_access() routine. This is cleaner than
257   * checking the return value of each and every silly little function. The
258   * (-1) returns are here because zero is already taken by longjmp().
259   */
260 
261 #define AC_PERMIT	1		/* permit access */
262 #define AC_DENY		(-1)		/* deny_access */
263 #define AC_ERROR	AC_DENY		/* XXX */
264 
265  /*
266   * In verification mode an option function should just say what it would do,
267   * instead of really doing it. An option function that would not return
268   * should clear the dry_run flag to inform the caller of this unusual
269   * behavior.
270   */
271 
272 extern void process_options();		/* execute options */
273 extern int dry_run;			/* verification flag */
274 
275 /* Bug workarounds. */
276 
277 #ifdef INET_ADDR_BUG			/* inet_addr() returns struct */
278 #define inet_addr fix_inet_addr
279 extern long fix_inet_addr();
280 #endif
281 
282 #ifdef BROKEN_FGETS			/* partial reads from sockets */
283 #define fgets fix_fgets
284 extern char *fix_fgets();
285 #endif
286 
287 #ifdef RECVFROM_BUG			/* no address family info */
288 #define recvfrom fix_recvfrom
289 extern int fix_recvfrom();
290 #endif
291 
292 #ifdef GETPEERNAME_BUG			/* claims success with UDP */
293 #define getpeername fix_getpeername
294 extern int fix_getpeername();
295 #endif
296 
297 #ifdef SOLARIS_24_GETHOSTBYNAME_BUG	/* lists addresses as aliases */
298 #define gethostbyname fix_gethostbyname
299 extern struct hostent *fix_gethostbyname();
300 #endif
301 
302 #ifdef USE_STRSEP			/* libc calls strtok() */
303 #define strtok	fix_strtok
304 extern char *fix_strtok();
305 #endif
306 
307 #ifdef LIBC_CALLS_STRTOK		/* libc calls strtok() */
308 #define strtok	my_strtok
309 extern char *my_strtok();
310 #endif
311