2 * Routines to authenticate access to a daemon (hosts allow/deny).
4 * Copyright (C) 1998 Andrew Tridgell
5 * Copyright (C) 2004-2009 Wayne Davison
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, visit the http://fsf.org website.
23 static int allow_forward_dns
;
25 extern const char undetermined_hostname
[];
27 static int match_hostname(const char **host_ptr
, const char *addr
, const char *tok
)
31 const char *host
= *host_ptr
;
36 /* First check if the reverse-DNS-determined hostname matches. */
37 if (iwildmatch(tok
, host
))
40 if (!allow_forward_dns
)
43 /* Fail quietly if tok is an address or wildcarded entry, not a simple hostname. */
44 if (!tok
[strspn(tok
, ".0123456789")] || tok
[strcspn(tok
, ":/*?[")])
47 /* Now try forward-DNS on the token (config-specified hostname) and see if the IP matches. */
48 if (!(hp
= gethostbyname(tok
)))
51 for (i
= 0; hp
->h_addr_list
[i
] != NULL
; i
++) {
52 if (strcmp(addr
, inet_ntoa(*(struct in_addr
*)(hp
->h_addr_list
[i
]))) == 0) {
53 /* If reverse lookups are off, we'll use the conf-specified
54 * hostname in preference to UNDETERMINED. */
55 if (host
== undetermined_hostname
) {
56 if (!(*host_ptr
= strdup(tok
)))
57 *host_ptr
= undetermined_hostname
;
66 static int match_binary(const char *b1
, const char *b2
, const char *mask
, int addrlen
)
70 for (i
= 0; i
< addrlen
; i
++) {
71 if ((b1
[i
] ^ b2
[i
]) & mask
[i
])
78 static void make_mask(char *mask
, int plen
, int addrlen
)
86 memset(mask
, 0xff, w
);
88 mask
[w
] = 0xff & (0xff<<(8-b
));
90 memset(mask
+w
+1, 0, addrlen
-w
-1);
95 static int match_address(const char *addr
, const char *tok
)
98 struct addrinfo hints
, *resa
, *rest
;
108 char *a
= NULL
, *t
= NULL
;
117 /* Fail quietly if tok is a hostname, not an address. */
118 if (tok
[strspn(tok
, ".0123456789")] && strchr(tok
, ':') == NULL
) {
124 memset(&hints
, 0, sizeof(hints
));
125 hints
.ai_family
= PF_UNSPEC
;
126 hints
.ai_socktype
= SOCK_STREAM
;
127 #ifdef AI_NUMERICHOST
128 hints
.ai_flags
= AI_NUMERICHOST
;
131 if (getaddrinfo(addr
, NULL
, &hints
, &resa
) != 0) {
137 gai
= getaddrinfo(tok
, NULL
, &hints
, &rest
);
141 rprintf(FLOG
, "error matching address %s: %s\n",
142 tok
, gai_strerror(gai
));
147 if (rest
->ai_family
!= resa
->ai_family
) {
152 switch(resa
->ai_family
) {
154 a
= (char *)&((struct sockaddr_in
*)resa
->ai_addr
)->sin_addr
;
155 t
= (char *)&((struct sockaddr_in
*)rest
->ai_addr
)->sin_addr
;
163 struct sockaddr_in6
*sin6a
, *sin6t
;
165 sin6a
= (struct sockaddr_in6
*)resa
->ai_addr
;
166 sin6t
= (struct sockaddr_in6
*)rest
->ai_addr
;
168 a
= (char *)&sin6a
->sin6_addr
;
169 t
= (char *)&sin6t
->sin6_addr
;
173 #ifdef HAVE_SOCKADDR_IN6_SCOPE_ID
174 if (sin6t
->sin6_scope_id
&&
175 sin6a
->sin6_scope_id
!= sin6t
->sin6_scope_id
) {
185 rprintf(FLOG
, "unknown family %u\n", rest
->ai_family
);
192 if (inet_pton(resa
->ai_addr
->sa_family
, p
, mask
) <= 0) {
200 bits
= strtol(p
, &ep
, 10);
202 rprintf(FLOG
, "malformed mask in %s\n", tok
);
207 for (pp
= (unsigned char *)p
; *pp
; pp
++) {
208 if (!isascii(*pp
) || !isdigit(*pp
)) {
209 rprintf(FLOG
, "malformed mask in %s\n", tok
);
220 if (bits
< 0 || bits
> (addrlen
<< 3)) {
221 rprintf(FLOG
, "malformed mask in %s\n", tok
);
231 make_mask(mask
, bits
, addrlen
);
233 ret
= match_binary(a
, t
, mask
, addrlen
);
241 static int access_match(const char *list
, const char *addr
, const char **host_ptr
)
244 char *list2
= strdup(list
);
247 out_of_memory("access_match");
251 for (tok
= strtok(list2
, " ,\t"); tok
; tok
= strtok(NULL
, " ,\t")) {
252 if (match_hostname(host_ptr
, addr
, tok
) || match_address(addr
, tok
)) {
262 int allow_access(const char *addr
, const char **host_ptr
, int i
)
264 const char *allow_list
= lp_hosts_allow(i
);
265 const char *deny_list
= lp_hosts_deny(i
);
267 if (allow_list
&& !*allow_list
)
269 if (deny_list
&& !*deny_list
)
272 allow_forward_dns
= lp_forward_lookup(i
);
274 /* If we match an allow-list item, we always allow access. */
276 if (access_match(allow_list
, addr
, host_ptr
))
278 /* For an allow-list w/o a deny-list, disallow non-matches. */
283 /* If we match a deny-list item (and got past any allow-list
284 * items), we always disallow access. */
285 if (deny_list
&& access_match(deny_list
, addr
, host_ptr
))
288 /* Allow all other access. */