Date: Sun, 18 Mar 2001 02:49:57 +0900 (JST) From: Hajimu UMEMOTO <ume@FreeBSD.org> To: audit@FreeBSD.org, net@FreeBSD.org Subject: Re: [CFR] IPv6 support for skeyaccess(3) Message-ID: <20010318.024957.70172896.ume@FreeBSD.org> In-Reply-To: <20010317.233758.21880242.ume@FreeBSD.org> References: <20010317.233758.21880242.ume@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
>>>>> On Sat, 17 Mar 2001 23:37:58 +0900 (JST) >>>>> Hajimu UMEMOTO <ume@FreeBSD.org> said: ume> I wish to support IPv6 for skeyaccess(3). With this patch, you can ume> specify IPv6 address using `internet' keyword into /etc/skey.access. ume> Please review it. Oops, previous patch touched the memory already freed. This is corrected version. Sorry for my inconvenience. Index: lib/libskey/skeyaccess.c diff -u lib/libskey/skeyaccess.c.orig lib/libskey/skeyaccess.c --- lib/libskey/skeyaccess.c.orig Mon Oct 26 20:54:36 1998 +++ lib/libskey/skeyaccess.c Sun Mar 18 01:29:48 2001 @@ -63,8 +63,8 @@ static int match_group __P((struct login_info *)); static int match_token __P((char *)); static int is_internet_addr __P((char *)); -static struct in_addr *convert_internet_addr __P((char *)); -static struct in_addr *lookup_internet_addr __P((char *)); +static struct addrinfo *convert_internet_addr __P((char *)); +static struct addrinfo *lookup_internet_addr __P((char *)); #define MAX_ADDR 32 #define PERMIT 1 @@ -79,7 +79,7 @@ struct login_info { char *host_name; /* host name */ - struct in_addr *internet_addr; /* null terminated list */ + struct addrinfo *internet_addr; /* addrinfo chain */ char *user; /* user name */ char *port; /* login port */ }; @@ -120,22 +120,22 @@ login_info.user = user; login_info.port = port; - if (host != 0 && !is_internet_addr(host)) { + if (host != NULL && !is_internet_addr(host)) { login_info.host_name = host; } else { - login_info.host_name = 0; + login_info.host_name = NULL; } - if (addr != 0 && is_internet_addr(addr)) { + if (addr != NULL && is_internet_addr(addr)) { login_info.internet_addr = convert_internet_addr(addr); - } else if (host != 0) { + } else if (host != NULL) { if (is_internet_addr(host)) { login_info.internet_addr = convert_internet_addr(host); } else { login_info.internet_addr = lookup_internet_addr(host); } } else { - login_info.internet_addr = 0; + login_info.internet_addr = NULL; } /* @@ -146,19 +146,23 @@ printf("user: %s\n", login_info.user); printf("host: %s\n", login_info.host_name ? login_info.host_name : "none"); printf("addr: "); - if (login_info.internet_addr == 0) { + if (login_info.internet_addr == NULL) { printf("none\n"); } else { - int i; + struct addrinfo *res; + char haddr[NI_MAXHOST]; - for (i = 0; login_info.internet_addr[i].s_addr; i++) - printf("%s%s", login_info.internet_addr[i].s_addr == -1 ? - "(see error log)" : inet_ntoa(login_info.internet_addr[i]), - login_info.internet_addr[i + 1].s_addr ? " " : "\n"); + for (res = login_info.internet_addr; res; res = res->ai_next) { + getnameinfo(res->ai_addr, res->ai_addrlen, haddr, sizeof(haddr), + NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); + printf("%s%s", haddr, res->ai_next ? " " : "\n"); + } } #endif result = _skeyaccess(fp, &login_info); fclose(fp); + if (login_info.internet_addr) + freeaddrinfo(login_info.internet_addr); return (result); } @@ -226,33 +230,99 @@ return (match ? permission : DENY); } +/* translate IPv4 mapped IPv6 address to IPv4 address */ + +static void +ai_unmapped(struct addrinfo *ai) +{ + struct sockaddr_in6 *sin6; + struct sockaddr_in *sin4; + u_int32_t addr; + int port; + + if (ai->ai_family != AF_INET6) + return; + sin6 = (struct sockaddr_in6 *)ai->ai_addr; + if (!IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) + return; + sin4 = (struct sockaddr_in *)ai->ai_addr; + addr = *(u_int32_t *)&sin6->sin6_addr.s6_addr[12]; + port = sin6->sin6_port; + memset(sin4, 0, sizeof(struct sockaddr_in)); + sin4->sin_addr.s_addr = addr; + sin4->sin_port = port; + sin4->sin_family = AF_INET; + sin4->sin_len = sizeof(struct sockaddr_in); + ai->ai_family = AF_INET; + ai->ai_addrlen = sizeof(struct sockaddr_in); +} + /* match_internet_addr - match internet network address */ static int match_internet_addr(login_info) struct login_info *login_info; { - char * tok; - u_int32_t pattern; - u_int32_t mask; - struct in_addr *addrp; + char *tok; + struct addrinfo *res; + struct sockaddr_storage pattern, mask; + struct sockaddr_in *addr4, *pattern4, *mask4; + struct sockaddr_in6 *addr6, *pattern6, *mask6; + int i, match; - if (login_info->internet_addr == 0) + if (login_info->internet_addr == NULL) return (0); if ((tok = need_internet_addr()) == 0) return (0); - pattern = inet_addr(tok); + if ((res = convert_internet_addr(tok)) == NULL) + return (0); + memcpy(&pattern, res->ai_addr, res->ai_addrlen); + freeaddrinfo(res); if ((tok = need_internet_addr()) == 0) return (0); - mask = inet_addr(tok); + if ((res = convert_internet_addr(tok)) == NULL) + return (0); + memcpy(&mask, res->ai_addr, res->ai_addrlen); + freeaddrinfo(res); + if (pattern.ss_family != mask.ss_family) + return (0); + mask4 = (struct sockaddr_in *)&mask; + pattern4 = (struct sockaddr_in *)&pattern; + mask6 = (struct sockaddr_in6 *)&mask; + pattern6 = (struct sockaddr_in6 *)&pattern; /* * See if any of the addresses matches a pattern in the control file. We * have already tried to drop addresses that belong to someone else. */ - for (addrp = login_info->internet_addr; addrp->s_addr; addrp++) - if (addrp->s_addr != INADDR_NONE && (addrp->s_addr & mask) == pattern) - return (1); + for (res = login_info->internet_addr; res; res = res->ai_next) { + ai_unmapped(res); + if (res->ai_family != pattern.ss_family) + continue; + switch (res->ai_family) { + case AF_INET: + addr4 = (struct sockaddr_in *)res->ai_addr; + if (addr4->sin_addr.s_addr != INADDR_NONE && + (addr4->sin_addr.s_addr & mask4->sin_addr.s_addr) == pattern4->sin_addr.s_addr) + return (1); + break; + case AF_INET6: + addr6 = (struct sockaddr_in6 *)res->ai_addr; + if (pattern6->sin6_scope_id != 0 && + addr6->sin6_scope_id != pattern6->sin6_scope_id) + break; + match = 1; + for (i = 0; i < 16; ++i) { + if ((addr6->sin6_addr.s6_addr[i] & mask6->sin6_addr.s6_addr[i]) != pattern6->sin6_addr.s6_addr[i]) { + match = 0; + break; + } + } + if (match) + return (1); + break; + } + } return (0); } @@ -369,53 +439,50 @@ static int is_internet_addr(str) char *str; { - int in_run = 0; - int runs = 0; + struct addrinfo *res; - /* Count the number of runs of characters between the dots. */ - - while (*str) { - if (*str == '.') { - in_run = 0; - } else { - if (!isdigit(*str)) - return (0); - if (in_run == 0) { - in_run = 1; - runs++; - } - } - str++; + if ((res = convert_internet_addr(str)) != NULL) + freeaddrinfo(res); + return (res != NULL); +} + +/* + * Nuke addrinfo entry from list. + * XXX: Depending on the implementation of KAME's getaddrinfo(3). + */ +static struct addrinfo *nuke_ai(rp, res) +struct addrinfo **rp, *res; +{ + *rp = res->ai_next; + if (res->ai_canonname) { + if (res->ai_next && !res->ai_next->ai_canonname) + res->ai_next->ai_canonname = res->ai_canonname; + else + free(res->ai_canonname); } - return (runs == 4); + free(res); + return (*rp); } /* lookup_internet_addr - look up internet addresses with extreme prejudice */ -static struct in_addr *lookup_internet_addr(host) +static struct addrinfo *lookup_internet_addr(host) char *host; { - struct hostent *hp; - static struct in_addr list[MAX_ADDR + 1]; - char buf[MAXHOSTNAMELEN + 1]; - int length; - int i; - - if ((hp = gethostbyname(host)) == 0 || hp->h_addrtype != AF_INET) - return (0); - - /* - * Save a copy of the results before gethostbyaddr() clobbers them. - */ - - for (i = 0; i < MAX_ADDR && hp->h_addr_list[i]; i++) - memcpy((char *) &list[i], - hp->h_addr_list[i], (size_t)hp->h_length); - list[i].s_addr = 0; - - strncpy(buf, hp->h_name, MAXHOSTNAMELEN); - buf[MAXHOSTNAMELEN] = 0; - length = hp->h_length; + struct addrinfo hints, *res0, *res, **rp; + char hname[NI_MAXHOST], haddr[NI_MAXHOST]; + int error; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_CANONNAME; + if (getaddrinfo(host, NULL, &hints, &res0) != 0) + return (NULL); + if (res0->ai_canonname == NULL) { + freeaddrinfo(res0); + return (NULL); + } /* * Wipe addresses that appear to belong to someone else. We will get @@ -425,31 +492,53 @@ #define NEQ(x,y) (strcasecmp((x),(y)) != 0) #define NEQ3(x,y,n) (strncasecmp((x),(y), (n)) != 0) - while (--i >= 0) { - if ((hp = gethostbyaddr((char *) &list[i], length, AF_INET)) == 0) { + res = res0; + rp = &res0; + while (res) { + if (res->ai_family != AF_INET && res->ai_family != AF_INET6) { + res = nuke_ai(rp, res); + continue; + } + error = getnameinfo(res->ai_addr, res->ai_addrlen, + hname, sizeof(hname), + NULL, 0, NI_NAMEREQD | NI_WITHSCOPEID); + if (error) { + getnameinfo(res->ai_addr, res->ai_addrlen, haddr, sizeof(haddr), + NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); syslog(LOG_ERR, "address %s not registered for host %s", - inet_ntoa(list[i]), buf); - list[i].s_addr = (u_int32_t) -1; + haddr, res0->ai_canonname); + res = nuke_ai(rp, res); + continue; } - if (NEQ(buf, hp->h_name) && NEQ3(buf, "localhost.", 10)) { + if (NEQ(res0->ai_canonname, hname) && + NEQ3(res0->ai_canonname, "localhost.", 10)) { + getnameinfo(res->ai_addr, res->ai_addrlen, haddr, sizeof(haddr), + NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); syslog(LOG_ERR, "address %s registered for host %s and %s", - inet_ntoa(list[i]), hp->h_name, buf); - list[i].s_addr = (u_int32_t) -1; + haddr, hname, res0->ai_canonname); + res = nuke_ai(rp, res); + continue; } + res = res->ai_next; + rp = &res->ai_next; } - return (list); + return (res0); } /* convert_internet_addr - convert string to internet address */ -static struct in_addr *convert_internet_addr(string) +static struct addrinfo *convert_internet_addr(string) char *string; { - static struct in_addr list[2]; + struct addrinfo hints, *res; - list[0].s_addr = inet_addr(string); - list[1].s_addr = 0; - return (list); + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; + if (getaddrinfo(string, NULL, &hints, &res) != 0) + return (NULL); + return (res); } #ifdef TEST @@ -458,7 +547,7 @@ int argc; char **argv; { - struct hostent *hp; + struct addrinfo hints, *res; char host[MAXHOSTNAMELEN + 1]; int verdict; char *user; @@ -475,8 +564,18 @@ user = argv[1]; port = argv[2]; if (argv[3]) { - strncpy(host, (hp = gethostbyname(argv[3])) ? - hp->h_name : argv[3], MAXHOSTNAMELEN); + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_CANONNAME; + if (getaddrinfo(argv[3], NULL, &hints, &res) == 0) { + if (res->ai_canonname == NULL) + strncpy(host, argv[3], MAXHOSTNAMELEN); + else + strncpy(host, res->ai_canonname, MAXHOSTNAMELEN); + freeaddrinfo(res); + } else + strncpy(host, argv[3], MAXHOSTNAMELEN); host[MAXHOSTNAMELEN] = 0; } verdict = skeyaccess(user, port, argv[3] ? host : (char *) 0, (char *) 0); -- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume@mahoroba.org ume@bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org http://www.imasy.org/~ume/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010318.024957.70172896.ume>