Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: addrmatch.c,v 1.17 2021/04/03 06:18:40 djm Exp $ */ |
2 | | |
3 | | /* |
4 | | * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org> |
5 | | * |
6 | | * Permission to use, copy, modify, and distribute this software for any |
7 | | * purpose with or without fee is hereby granted, provided that the above |
8 | | * copyright notice and this permission notice appear in all copies. |
9 | | * |
10 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
11 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
12 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
13 | | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
14 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
15 | | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
16 | | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
17 | | */ |
18 | | |
19 | | #include "includes.h" |
20 | | |
21 | | #include <sys/types.h> |
22 | | #include <sys/socket.h> |
23 | | #include <netinet/in.h> |
24 | | #include <arpa/inet.h> |
25 | | |
26 | | #include <netdb.h> |
27 | | #include <string.h> |
28 | | #include <stdlib.h> |
29 | | #include <stdio.h> |
30 | | #include <stdarg.h> |
31 | | |
32 | | #include "addr.h" |
33 | | #include "match.h" |
34 | | #include "log.h" |
35 | | |
36 | | /* |
37 | | * Match "addr" against list pattern list "_list", which may contain a |
38 | | * mix of CIDR addresses and old-school wildcards. |
39 | | * |
40 | | * If addr is NULL, then no matching is performed, but _list is parsed |
41 | | * and checked for well-formedness. |
42 | | * |
43 | | * Returns 1 on match found (never returned when addr == NULL). |
44 | | * Returns 0 on if no match found, or no errors found when addr == NULL. |
45 | | * Returns -1 on negated match found (never returned when addr == NULL). |
46 | | * Returns -2 on invalid list entry. |
47 | | */ |
48 | | int |
49 | | addr_match_list(const char *addr, const char *_list) |
50 | 0 | { |
51 | 0 | char *list, *cp, *o; |
52 | 0 | struct xaddr try_addr, match_addr; |
53 | 0 | u_int masklen, neg; |
54 | 0 | int ret = 0, r; |
55 | |
|
56 | 0 | if (addr != NULL && addr_pton(addr, &try_addr) != 0) { |
57 | 0 | debug2_f("couldn't parse address %.100s", addr); |
58 | 0 | return 0; |
59 | 0 | } |
60 | 0 | if ((o = list = strdup(_list)) == NULL) |
61 | 0 | return -1; |
62 | 0 | while ((cp = strsep(&list, ",")) != NULL) { |
63 | 0 | neg = *cp == '!'; |
64 | 0 | if (neg) |
65 | 0 | cp++; |
66 | 0 | if (*cp == '\0') { |
67 | 0 | ret = -2; |
68 | 0 | break; |
69 | 0 | } |
70 | | /* Prefer CIDR address matching */ |
71 | 0 | r = addr_pton_cidr(cp, &match_addr, &masklen); |
72 | 0 | if (r == -2) { |
73 | 0 | debug2_f("inconsistent mask length for " |
74 | 0 | "match network \"%.100s\"", cp); |
75 | 0 | ret = -2; |
76 | 0 | break; |
77 | 0 | } else if (r == 0) { |
78 | 0 | if (addr != NULL && addr_netmatch(&try_addr, |
79 | 0 | &match_addr, masklen) == 0) { |
80 | 0 | foundit: |
81 | 0 | if (neg) { |
82 | 0 | ret = -1; |
83 | 0 | break; |
84 | 0 | } |
85 | 0 | ret = 1; |
86 | 0 | } |
87 | 0 | continue; |
88 | 0 | } else { |
89 | | /* If CIDR parse failed, try wildcard string match */ |
90 | 0 | if (addr != NULL && match_pattern(addr, cp) == 1) |
91 | 0 | goto foundit; |
92 | 0 | } |
93 | 0 | } |
94 | 0 | free(o); |
95 | |
|
96 | 0 | return ret; |
97 | 0 | } |
98 | | |
99 | | /* |
100 | | * Match "addr" against list CIDR list "_list". Lexical wildcards and |
101 | | * negation are not supported. If "addr" == NULL, will verify structure |
102 | | * of "_list". |
103 | | * |
104 | | * Returns 1 on match found (never returned when addr == NULL). |
105 | | * Returns 0 on if no match found, or no errors found when addr == NULL. |
106 | | * Returns -1 on error |
107 | | */ |
108 | | int |
109 | | addr_match_cidr_list(const char *addr, const char *_list) |
110 | 0 | { |
111 | 0 | char *list, *cp, *o; |
112 | 0 | struct xaddr try_addr, match_addr; |
113 | 0 | u_int masklen; |
114 | 0 | int ret = 0, r; |
115 | |
|
116 | 0 | if (addr != NULL && addr_pton(addr, &try_addr) != 0) { |
117 | 0 | debug2_f("couldn't parse address %.100s", addr); |
118 | 0 | return 0; |
119 | 0 | } |
120 | 0 | if ((o = list = strdup(_list)) == NULL) |
121 | 0 | return -1; |
122 | 0 | while ((cp = strsep(&list, ",")) != NULL) { |
123 | 0 | if (*cp == '\0') { |
124 | 0 | error_f("empty entry in list \"%.100s\"", o); |
125 | 0 | ret = -1; |
126 | 0 | break; |
127 | 0 | } |
128 | | |
129 | | /* |
130 | | * NB. This function is called in pre-auth with untrusted data, |
131 | | * so be extra paranoid about junk reaching getaddrino (via |
132 | | * addr_pton_cidr). |
133 | | */ |
134 | | |
135 | | /* Stop junk from reaching getaddrinfo. +3 is for masklen */ |
136 | 0 | if (strlen(cp) > INET6_ADDRSTRLEN + 3) { |
137 | 0 | error_f("list entry \"%.100s\" too long", cp); |
138 | 0 | ret = -1; |
139 | 0 | break; |
140 | 0 | } |
141 | 0 | #define VALID_CIDR_CHARS "0123456789abcdefABCDEF.:/" |
142 | 0 | if (strspn(cp, VALID_CIDR_CHARS) != strlen(cp)) { |
143 | 0 | error_f("list entry \"%.100s\" contains invalid " |
144 | 0 | "characters", cp); |
145 | 0 | ret = -1; |
146 | 0 | } |
147 | | |
148 | | /* Prefer CIDR address matching */ |
149 | 0 | r = addr_pton_cidr(cp, &match_addr, &masklen); |
150 | 0 | if (r == -1) { |
151 | 0 | error("Invalid network entry \"%.100s\"", cp); |
152 | 0 | ret = -1; |
153 | 0 | break; |
154 | 0 | } else if (r == -2) { |
155 | 0 | error("Inconsistent mask length for " |
156 | 0 | "network \"%.100s\"", cp); |
157 | 0 | ret = -1; |
158 | 0 | break; |
159 | 0 | } else if (r == 0 && addr != NULL) { |
160 | 0 | if (addr_netmatch(&try_addr, &match_addr, |
161 | 0 | masklen) == 0) |
162 | 0 | ret = 1; |
163 | 0 | continue; |
164 | 0 | } |
165 | 0 | } |
166 | 0 | free(o); |
167 | |
|
168 | 0 | return ret; |
169 | 0 | } |