2 * Functions for looking up the remote name or addr of a socket.
4 * Copyright (C) 1992-2001 Andrew Tridgell <tridge@samba.org>
5 * Copyright (C) 2001, 2002 Martin Pool <mbp@samba.org>
6 * Copyright (C) 2002-2007 Wayne Davison
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, visit the http://fsf.org website.
23 * This file is now converted to use the new-style getaddrinfo()
24 * interface, which supports IPv6 but is also supported on recent
25 * IPv4-only machines. On systems that don't have that interface, we
26 * emulate it using the KAME implementation.
31 static const char default_name
[] = "UNKNOWN";
36 * Return the IP addr of the client as a string
38 char *client_addr(int fd
)
40 static char addr_buf
[100];
41 static int initialised
;
42 struct sockaddr_storage ss
;
43 socklen_t length
= sizeof ss
;
51 if (am_server
) { /* daemon over --rsh mode */
52 strlcpy(addr_buf
, "0.0.0.0", sizeof addr_buf
);
53 if ((ssh_info
= getenv("SSH_CONNECTION")) != NULL
54 || (ssh_info
= getenv("SSH_CLIENT")) != NULL
55 || (ssh_info
= getenv("SSH2_CLIENT")) != NULL
) {
56 strlcpy(addr_buf
, ssh_info
, sizeof addr_buf
);
57 /* Truncate the value to just the IP address. */
58 if ((p
= strchr(addr_buf
, ' ')) != NULL
)
62 client_sockaddr(fd
, &ss
, &length
);
63 getnameinfo((struct sockaddr
*)&ss
, length
,
64 addr_buf
, sizeof addr_buf
, NULL
, 0, NI_NUMERICHOST
);
71 static int get_sockaddr_family(const struct sockaddr_storage
*ss
)
73 return ((struct sockaddr
*) ss
)->sa_family
;
78 * Return the DNS name of the client.
80 * The name is statically cached so that repeated lookups are quick,
81 * so there is a limit of one lookup per customer.
83 * If anything goes wrong, including the name->addr->name check, then
84 * we just use "UNKNOWN", so you can use that value in hosts allow
87 * After translation from sockaddr to name we do a forward lookup to
88 * make sure nobody is spoofing PTR records.
90 char *client_name(int fd
)
92 static char name_buf
[100];
93 static char port_buf
[100];
94 static int initialised
;
95 struct sockaddr_storage ss
;
101 strlcpy(name_buf
, default_name
, sizeof name_buf
);
104 memset(&ss
, 0, sizeof ss
);
106 if (am_server
) { /* daemon over --rsh mode */
107 char *addr
= client_addr(fd
);
108 struct addrinfo hint
, *answer
;
111 memset(&hint
, 0, sizeof hint
);
113 #ifdef AI_NUMERICHOST
114 hint
.ai_flags
= AI_NUMERICHOST
;
116 hint
.ai_socktype
= SOCK_STREAM
;
118 if ((err
= getaddrinfo(addr
, NULL
, &hint
, &answer
)) != 0) {
119 rprintf(FLOG
, "malformed address %s: %s\n",
120 addr
, gai_strerror(err
));
124 switch (answer
->ai_family
) {
126 ss_len
= sizeof (struct sockaddr_in
);
127 memcpy(&ss
, answer
->ai_addr
, ss_len
);
131 ss_len
= sizeof (struct sockaddr_in6
);
132 memcpy(&ss
, answer
->ai_addr
, ss_len
);
136 exit_cleanup(RERR_SOCKETIO
);
138 freeaddrinfo(answer
);
141 client_sockaddr(fd
, &ss
, &ss_len
);
144 if (lookup_name(fd
, &ss
, ss_len
, name_buf
, sizeof name_buf
,
145 port_buf
, sizeof port_buf
) == 0)
146 check_name(fd
, &ss
, name_buf
, sizeof name_buf
);
154 * Get the sockaddr for the client.
156 * If it comes in as an ipv4 address mapped into IPv6 format then we
157 * convert it back to a regular IPv4.
159 void client_sockaddr(int fd
,
160 struct sockaddr_storage
*ss
,
163 memset(ss
, 0, sizeof *ss
);
165 if (getpeername(fd
, (struct sockaddr
*) ss
, ss_len
)) {
166 /* FIXME: Can we really not continue? */
167 rsyserr(FLOG
, errno
, "getpeername on fd%d failed", fd
);
168 exit_cleanup(RERR_SOCKETIO
);
172 if (get_sockaddr_family(ss
) == AF_INET6
&&
173 IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6
*)ss
)->sin6_addr
)) {
174 /* OK, so ss is in the IPv6 family, but it is really
175 * an IPv4 address: something like
176 * "::ffff:10.130.1.2". If we use it as-is, then the
177 * reverse lookup might fail or perhaps something else
178 * bad might happen. So instead we convert it to an
179 * equivalent address in the IPv4 address family. */
180 struct sockaddr_in6 sin6
;
181 struct sockaddr_in
*sin
;
183 memcpy(&sin6
, ss
, sizeof sin6
);
184 sin
= (struct sockaddr_in
*)ss
;
185 memset(sin
, 0, sizeof *sin
);
186 sin
->sin_family
= AF_INET
;
187 *ss_len
= sizeof (struct sockaddr_in
);
188 #ifdef HAVE_SOCKADDR_IN_LEN
189 sin
->sin_len
= *ss_len
;
191 sin
->sin_port
= sin6
.sin6_port
;
193 /* There is a macro to extract the mapped part
194 * (IN6_V4MAPPED_TO_SINADDR ?), but it does not seem
195 * to be present in the Linux headers. */
196 memcpy(&sin
->sin_addr
, &sin6
.sin6_addr
.s6_addr
[12],
197 sizeof sin
->sin_addr
);
204 * Look up a name from @p ss into @p name_buf.
206 * @param fd file descriptor for client socket.
208 int lookup_name(int fd
, const struct sockaddr_storage
*ss
,
210 char *name_buf
, size_t name_buf_size
,
211 char *port_buf
, size_t port_buf_size
)
216 name_err
= getnameinfo((struct sockaddr
*) ss
, ss_len
,
217 name_buf
, name_buf_size
,
218 port_buf
, port_buf_size
,
219 NI_NAMEREQD
| NI_NUMERICSERV
);
221 strlcpy(name_buf
, default_name
, name_buf_size
);
222 rprintf(FLOG
, "name lookup failed for %s: %s\n",
223 client_addr(fd
), gai_strerror(name_err
));
233 * Compare an addrinfo from the resolver to a sockinfo.
235 * Like strcmp, returns 0 for identical.
237 int compare_addrinfo_sockaddr(const struct addrinfo
*ai
,
238 const struct sockaddr_storage
*ss
)
240 int ss_family
= get_sockaddr_family(ss
);
241 const char fn
[] = "compare_addrinfo_sockaddr";
243 if (ai
->ai_family
!= ss_family
) {
244 rprintf(FLOG
, "%s: response family %d != %d\n",
245 fn
, ai
->ai_family
, ss_family
);
249 /* The comparison method depends on the particular AF. */
250 if (ss_family
== AF_INET
) {
251 const struct sockaddr_in
*sin1
, *sin2
;
253 sin1
= (const struct sockaddr_in
*) ss
;
254 sin2
= (const struct sockaddr_in
*) ai
->ai_addr
;
256 return memcmp(&sin1
->sin_addr
, &sin2
->sin_addr
,
257 sizeof sin1
->sin_addr
);
261 if (ss_family
== AF_INET6
) {
262 const struct sockaddr_in6
*sin1
, *sin2
;
264 sin1
= (const struct sockaddr_in6
*) ss
;
265 sin2
= (const struct sockaddr_in6
*) ai
->ai_addr
;
267 if (ai
->ai_addrlen
< sizeof (struct sockaddr_in6
)) {
268 rprintf(FLOG
, "%s: too short sockaddr_in6; length=%d\n",
273 if (memcmp(&sin1
->sin6_addr
, &sin2
->sin6_addr
,
274 sizeof sin1
->sin6_addr
))
277 #ifdef HAVE_SOCKADDR_IN6_SCOPE_ID
278 if (sin1
->sin6_scope_id
!= sin2
->sin6_scope_id
)
291 * Do a forward lookup on @p name_buf and make sure it corresponds to
292 * @p ss -- otherwise we may be being spoofed. If we suspect we are,
293 * then we don't abort the connection but just emit a warning, and
294 * change @p name_buf to be "UNKNOWN".
296 * We don't do anything with the service when checking the name,
297 * because it doesn't seem that it could be spoofed in any way, and
298 * getaddrinfo on random service names seems to cause problems on AIX.
300 int check_name(int fd
,
301 const struct sockaddr_storage
*ss
,
302 char *name_buf
, size_t name_buf_size
)
304 struct addrinfo hints
, *res
, *res0
;
306 int ss_family
= get_sockaddr_family(ss
);
308 memset(&hints
, 0, sizeof hints
);
309 hints
.ai_family
= ss_family
;
310 hints
.ai_flags
= AI_CANONNAME
;
311 hints
.ai_socktype
= SOCK_STREAM
;
312 error
= getaddrinfo(name_buf
, NULL
, &hints
, &res0
);
314 rprintf(FLOG
, "forward name lookup for %s failed: %s\n",
315 name_buf
, gai_strerror(error
));
316 strlcpy(name_buf
, default_name
, name_buf_size
);
320 /* Given all these results, we expect that one of them will be
321 * the same as ss. The comparison is a bit complicated. */
322 for (res
= res0
; res
; res
= res
->ai_next
) {
323 if (!compare_addrinfo_sockaddr(res
, ss
))
324 break; /* OK, identical */
328 /* We hit the end of the list without finding an
329 * address that was the same as ss. */
330 rprintf(FLOG
, "no known address for \"%s\": "
331 "spoofed address?\n", name_buf
);
332 strlcpy(name_buf
, default_name
, name_buf_size
);
333 } else if (res
== NULL
) {
334 /* We hit the end of the list without finding an
335 * address that was the same as ss. */
336 rprintf(FLOG
, "%s is not a known address for \"%s\": "
337 "spoofed address?\n", client_addr(fd
), name_buf
);
338 strlcpy(name_buf
, default_name
, name_buf_size
);