123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172 |
- /* $OpenBSD: addrmatch.c,v 1.14 2018/07/31 03:07:24 djm Exp $ */
- /*
- * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
- #include "includes.h"
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>
- #include <netdb.h>
- #include <string.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <stdarg.h>
- #include "addr.h"
- #include "match.h"
- #include "log.h"
- /*
- * Match "addr" against list pattern list "_list", which may contain a
- * mix of CIDR addresses and old-school wildcards.
- *
- * If addr is NULL, then no matching is performed, but _list is parsed
- * and checked for well-formedness.
- *
- * Returns 1 on match found (never returned when addr == NULL).
- * Returns 0 on if no match found, or no errors found when addr == NULL.
- * Returns -1 on negated match found (never returned when addr == NULL).
- * Returns -2 on invalid list entry.
- */
- int
- addr_match_list(const char *addr, const char *_list)
- {
- char *list, *cp, *o;
- struct xaddr try_addr, match_addr;
- u_int masklen, neg;
- int ret = 0, r;
- if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
- debug2("%s: couldn't parse address %.100s", __func__, addr);
- return 0;
- }
- if ((o = list = strdup(_list)) == NULL)
- return -1;
- while ((cp = strsep(&list, ",")) != NULL) {
- neg = *cp == '!';
- if (neg)
- cp++;
- if (*cp == '\0') {
- ret = -2;
- break;
- }
- /* Prefer CIDR address matching */
- r = addr_pton_cidr(cp, &match_addr, &masklen);
- if (r == -2) {
- debug2("%s: inconsistent mask length for "
- "match network \"%.100s\"", __func__, cp);
- ret = -2;
- break;
- } else if (r == 0) {
- if (addr != NULL && addr_netmatch(&try_addr,
- &match_addr, masklen) == 0) {
- foundit:
- if (neg) {
- ret = -1;
- break;
- }
- ret = 1;
- }
- continue;
- } else {
- /* If CIDR parse failed, try wildcard string match */
- if (addr != NULL && match_pattern(addr, cp) == 1)
- goto foundit;
- }
- }
- free(o);
- return ret;
- }
- /*
- * Match "addr" against list CIDR list "_list". Lexical wildcards and
- * negation are not supported. If "addr" == NULL, will verify structure
- * of "_list".
- *
- * Returns 1 on match found (never returned when addr == NULL).
- * Returns 0 on if no match found, or no errors found when addr == NULL.
- * Returns -1 on error
- */
- int
- addr_match_cidr_list(const char *addr, const char *_list)
- {
- char *list, *cp, *o;
- struct xaddr try_addr, match_addr;
- u_int masklen;
- int ret = 0, r;
- if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
- debug2("%s: couldn't parse address %.100s", __func__, addr);
- return 0;
- }
- if ((o = list = strdup(_list)) == NULL)
- return -1;
- while ((cp = strsep(&list, ",")) != NULL) {
- if (*cp == '\0') {
- error("%s: empty entry in list \"%.100s\"",
- __func__, o);
- ret = -1;
- break;
- }
- /*
- * NB. This function is called in pre-auth with untrusted data,
- * so be extra paranoid about junk reaching getaddrino (via
- * addr_pton_cidr).
- */
- /* Stop junk from reaching getaddrinfo. +3 is for masklen */
- if (strlen(cp) > INET6_ADDRSTRLEN + 3) {
- error("%s: list entry \"%.100s\" too long",
- __func__, cp);
- ret = -1;
- break;
- }
- #define VALID_CIDR_CHARS "0123456789abcdefABCDEF.:/"
- if (strspn(cp, VALID_CIDR_CHARS) != strlen(cp)) {
- error("%s: list entry \"%.100s\" contains invalid "
- "characters", __func__, cp);
- ret = -1;
- }
- /* Prefer CIDR address matching */
- r = addr_pton_cidr(cp, &match_addr, &masklen);
- if (r == -1) {
- error("Invalid network entry \"%.100s\"", cp);
- ret = -1;
- break;
- } else if (r == -2) {
- error("Inconsistent mask length for "
- "network \"%.100s\"", cp);
- ret = -1;
- break;
- } else if (r == 0 && addr != NULL) {
- if (addr_netmatch(&try_addr, &match_addr,
- masklen) == 0)
- ret = 1;
- continue;
- }
- }
- free(o);
- return ret;
- }
|