added patch to allow tcp wrappers to be used for connection authentiction

diff --git a/src/spong-server.pl b/src/spong-server.pl
index 4a15fc0eeaae9825abc2e180711d187590099bfe..944c58d38c366fe8f220d5d75da58dc8cd792883 100755 (executable)
--- a/src/spong-server.pl
+++ b/src/spong-server.pl
@@ -6,7 +6,7 @@
 # There are one or more update processes that listen for status updates 
 # from client programs.
 
-# $Id: spong-server.pl,v 1.45 2001/08/16 13:08:29 sljohnson Exp $
+# $Id: spong-server.pl,v 1.46 2001/11/14 17:02:20 sljohnson Exp $
 
 use lib "@@LIBDIR@@";
 
@@ -30,6 +30,13 @@ use Time::Local;
 use Getopt::Long;
 use POSIX qw(:sys_wait_h);
 
+# Check to see if we have the TCP Wrappers library installed
+eval { 
+  require Authen::Libwrap;
+  import Authen::Libwrap qw(hosts_ctl STRING_UNKNOWN);
+};
+if (! $@) { $wrappers = 1;} else { $wrappers = 0; } 
+
 my $numchild;
 $MAX_CHILDREN = 10;
 
@@ -185,9 +192,7 @@ sub listen_for_clients {
    while( 1 ) {
       next unless ( $client = $sock->accept() );
 
-      $paddr = $client->peerhost();
-
-      # &validate_connection( $paddr );  - need to do something here...
+      &validate_connection("spong-client", $client) or next;
 
       # Read all from the client, and disconnect, we process the message next.
 
@@ -243,7 +248,7 @@ sub listen_for_updates {
       &debug("Connection from $paddr",6);
       $0 = "spong-server (spong-update) connection from $paddr";
 
-      # &validate_connection( $paddr );  - need to do something here...
+      &validate_connection("spong-update", $client) or next;
 
       # Now fork and allow the kid to process the message
       my $pid = fork();
@@ -337,7 +342,7 @@ sub listen_for_bb_updates {
       &debug("Connection from $paddr",6);
       $0 = "spong-server (spong-bb-update) connection from $paddr";
 
-      # &validate_connection( $paddr );  - need to do something here...
+      &validate_connection("spong-bb-update", $client) or next;
 
 
       # Now fork and allow the kid to process the message
@@ -437,7 +442,7 @@ sub listen_for_queries {
               }
             }
           }
-          $next_update += $localTimeOut * 60;
+          $next_update = $localTimeOut * 60;
        } else {
           &debug(time() . " < $next_update");
       }
@@ -449,7 +454,7 @@ sub listen_for_queries {
       &debug("[$$] update: Connection from $paddr",6);
       $0 = "spong-server (query) connection from $paddr";
 
-      # &validate_connection( $paddr );  - need to do something here...
+      &validate_connection("spong-query", $client) or next;
 
 
       # Now fork and allow the kid to process the message
@@ -1485,4 +1490,39 @@ sub load_data_funcs {
 
 }
 
+# ---------------------------------------------------------------------------
+# Validate an incoming connection
+# ---------------------------------------------------------------------------
 
+sub validate_connection {
+    my ($type, $client) = @_;
+
+    # If TCP Wrappers not found, every connection is valid
+    if ( ! $wrappers ) { return 1; }
+
+    my $client_ip = $client->peerhost();
+    my $client_addr = $client->peeraddr();
+
+    my $client_name = gethostbyaddr($client_addr, AF_INET);
+    unless ($client_name) {
+       &error("gethostbyaddr for $client_ip failed - denying access\n");
+       return 0;
+    }
+
+# Do we need to do this lookup, or will hosts_ctl() take care of it
+# for us?
+#    my @addr = gethostbyname($client_name)
+#      or &error("gethostbyname for $client_name failed\n");
+#    unless (grep { $client_addr == $_ } @addr[4..$#addr]) {
+#      &error("Host name does not match IP address: denying access\n");
+#      return 0;
+#    }
+
+    unless (hosts_ctl($type, $client_name, $client_ip, STRING_UNKNOWN)) {
+       &error("Denying $type access to $client_name [$client_ip]\n");
+       return 0;
+    }
+
+    &debug("Allowing $type access to $client_name [$client_ip]\n");
+    return 1;
+}