Adding upstream version 3.2.7.upstream/3.2.7

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 292 insertions, 0 deletions

diff --git a/access.c b/access.c
new file mode 100644
index 0000000..b6afce3
--- /dev/null
+++ b/access.c
@@ -0,0 +1,292 @@
+/*
+ * Routines to authenticate access to a daemon (hosts allow/deny).
+ *
+ * Copyright (C) 1998 Andrew Tridgell
+ * Copyright (C) 2004-2022 Wayne Davison
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, visit the http://fsf.org website.
+ */
+
+#include "rsync.h"
+#include "ifuncs.h"
+#ifdef HAVE_NETGROUP_H
+#include <netgroup.h>
+#endif
+
+static int allow_forward_dns;
+
+extern const char undetermined_hostname[];
+
+static int match_hostname(const char **host_ptr, const char *addr, const char *tok)
+{
+	struct hostent *hp;
+	unsigned int i;
+	const char *host = *host_ptr;
+
+	if (!host || !*host)
+		return 0;
+
+#ifdef HAVE_INNETGR
+	if (*tok == '@' && tok[1])
+		return innetgr(tok + 1, host, NULL, NULL);
+#endif
+
+	/* First check if the reverse-DNS-determined hostname matches. */
+	if (iwildmatch(tok, host))
+		return 1;
+
+	if (!allow_forward_dns)
+		return 0;
+
+	/* Fail quietly if tok is an address or wildcarded entry, not a simple hostname. */
+	if (!tok[strspn(tok, ".0123456789")] || tok[strcspn(tok, ":/*?[")])
+		return 0;
+
+	/* Now try forward-DNS on the token (config-specified hostname) and see if the IP matches. */
+	if (!(hp = gethostbyname(tok)))
+		return 0;
+
+	for (i = 0; hp->h_addr_list[i] != NULL; i++) {
+		if (strcmp(addr, inet_ntoa(*(struct in_addr*)(hp->h_addr_list[i]))) == 0) {
+			/* If reverse lookups are off, we'll use the conf-specified
+			 * hostname in preference to UNDETERMINED. */
+			if (host == undetermined_hostname)
+				*host_ptr = strdup(tok);
+			return 1;
+		}
+	}
+
+	return 0;
+}
+
+static int match_binary(const char *b1, const char *b2, const char *mask, int addrlen)
+{
+	int i;
+
+	for (i = 0; i < addrlen; i++) {
+		if ((b1[i] ^ b2[i]) & mask[i])
+			return 0;
+	}
+
+	return 1;
+}
+
+static void make_mask(char *mask, int plen, int addrlen)
+{
+	int w, b;
+
+	w = plen >> 3;
+	b = plen & 0x7;
+
+	if (w)
+		memset(mask, 0xff, w);
+	if (w < addrlen)
+		mask[w] = 0xff & (0xff<<(8-b));
+	if (w+1 < addrlen)
+		memset(mask+w+1, 0, addrlen-w-1);
+
+	return;
+}
+
+static int match_address(const char *addr, const char *tok)
+{
+	char *p;
+	struct addrinfo hints, *resa, *rest;
+	int gai;
+	int ret = 0;
+	int addrlen = 0;
+#ifdef HAVE_STRTOL
+	long int bits;
+#else
+	int bits;
+#endif
+	char mask[16];
+	char *a = NULL, *t = NULL;
+
+	if (!addr || !*addr)
+		return 0;
+
+	p = strchr(tok,'/');
+	if (p)
+		*p = '\0';
+
+	/* Fail quietly if tok is a hostname, not an address. */
+	if (tok[strspn(tok, ".0123456789")] && strchr(tok, ':') == NULL) {
+		if (p)
+			*p = '/';
+		return 0;
+	}
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_socktype = SOCK_STREAM;
+#ifdef AI_NUMERICHOST
+	hints.ai_flags = AI_NUMERICHOST;
+#endif
+
+	if (getaddrinfo(addr, NULL, &hints, &resa) != 0) {
+		if (p)
+			*p = '/';
+		return 0;
+	}
+
+	gai = getaddrinfo(tok, NULL, &hints, &rest);
+	if (p)
+		*p++ = '/';
+	if (gai != 0) {
+		rprintf(FLOG, "error matching address %s: %s\n",
+			tok, gai_strerror(gai));
+		freeaddrinfo(resa);
+		return 0;
+	}
+
+	if (rest->ai_family != resa->ai_family) {
+		ret = 0;
+		goto out;
+	}
+
+	switch(resa->ai_family) {
+	case PF_INET:
+		a = (char *)&((struct sockaddr_in *)resa->ai_addr)->sin_addr;
+		t = (char *)&((struct sockaddr_in *)rest->ai_addr)->sin_addr;
+		addrlen = 4;
+
+		break;
+
+#ifdef INET6
+	case PF_INET6: {
+		struct sockaddr_in6 *sin6a, *sin6t;
+
+		sin6a = (struct sockaddr_in6 *)resa->ai_addr;
+		sin6t = (struct sockaddr_in6 *)rest->ai_addr;
+
+		a = (char *)&sin6a->sin6_addr;
+		t = (char *)&sin6t->sin6_addr;
+
+		addrlen = 16;
+
+#ifdef HAVE_SOCKADDR_IN6_SCOPE_ID
+		if (sin6t->sin6_scope_id && sin6a->sin6_scope_id != sin6t->sin6_scope_id) {
+			ret = 0;
+			goto out;
+		}
+#endif
+
+		break;
+	}
+#endif
+	default:
+		rprintf(FLOG, "unknown family %u\n", rest->ai_family);
+		ret = 0;
+		goto out;
+	}
+
+	bits = -1;
+	if (p) {
+		if (inet_pton(resa->ai_addr->sa_family, p, mask) <= 0) {
+#ifdef HAVE_STRTOL
+			char *ep = NULL;
+#else
+			unsigned char *pp;
+#endif
+
+#ifdef HAVE_STRTOL
+			bits = strtol(p, &ep, 10);
+			if (!*p || *ep) {
+				rprintf(FLOG, "malformed mask in %s\n", tok);
+				ret = 0;
+				goto out;
+			}
+#else
+			for (pp = (unsigned char *)p; *pp; pp++) {
+				if (!isascii(*pp) || !isdigit(*pp)) {
+					rprintf(FLOG, "malformed mask in %s\n", tok);
+					ret = 0;
+					goto out;
+				}
+			}
+			bits = atoi(p);
+#endif
+			if (bits == 0) {
+				ret = 1;
+				goto out;
+			}
+			if (bits < 0 || bits > (addrlen << 3)) {
+				rprintf(FLOG, "malformed mask in %s\n", tok);
+				ret = 0;
+				goto out;
+			}
+		}
+	} else {
+		bits = 128;
+	}
+
+	if (bits >= 0)
+		make_mask(mask, bits, addrlen);
+
+	ret = match_binary(a, t, mask, addrlen);
+
+  out:
+	freeaddrinfo(resa);
+	freeaddrinfo(rest);
+	return ret;
+}
+
+static int access_match(const char *list, const char *addr, const char **host_ptr)
+{
+	char *tok;
+	char *list2 = strdup(list);
+
+	strlower(list2);
+
+	for (tok = strtok(list2, " ,\t"); tok; tok = strtok(NULL, " ,\t")) {
+		if (match_hostname(host_ptr, addr, tok) || match_address(addr, tok)) {
+			free(list2);
+			return 1;
+		}
+	}
+
+	free(list2);
+	return 0;
+}
+
+int allow_access(const char *addr, const char **host_ptr, int i)
+{
+	const char *allow_list = lp_hosts_allow(i);
+	const char *deny_list = lp_hosts_deny(i);
+
+	if (allow_list && !*allow_list)
+		allow_list = NULL;
+	if (deny_list && !*deny_list)
+		deny_list = NULL;
+
+	allow_forward_dns = lp_forward_lookup(i);
+
+	/* If we match an allow-list item, we always allow access. */
+	if (allow_list) {
+		if (access_match(allow_list, addr, host_ptr))
+			return 1;
+		/* For an allow-list w/o a deny-list, disallow non-matches. */
+		if (!deny_list)
+			return 0;
+	}
+
+	/* If we match a deny-list item (and got past any allow-list
+	 * items), we always disallow access. */
+	if (deny_list && access_match(deny_list, addr, host_ptr))
+		return 0;
+
+	/* Allow all other access. */
+	return 1;
+}