1*19261079SEd Maste /*	$OpenBSD: addrmatch.c,v 1.17 2021/04/03 06:18:40 djm Exp $ */
2d4af9e69SDag-Erling Smørgrav 
3d4af9e69SDag-Erling Smørgrav /*
4d4af9e69SDag-Erling Smørgrav  * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
5d4af9e69SDag-Erling Smørgrav  *
6d4af9e69SDag-Erling Smørgrav  * Permission to use, copy, modify, and distribute this software for any
7d4af9e69SDag-Erling Smørgrav  * purpose with or without fee is hereby granted, provided that the above
8d4af9e69SDag-Erling Smørgrav  * copyright notice and this permission notice appear in all copies.
9d4af9e69SDag-Erling Smørgrav  *
10d4af9e69SDag-Erling Smørgrav  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11d4af9e69SDag-Erling Smørgrav  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12d4af9e69SDag-Erling Smørgrav  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13d4af9e69SDag-Erling Smørgrav  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14d4af9e69SDag-Erling Smørgrav  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15d4af9e69SDag-Erling Smørgrav  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16d4af9e69SDag-Erling Smørgrav  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17d4af9e69SDag-Erling Smørgrav  */
18d4af9e69SDag-Erling Smørgrav 
19d4af9e69SDag-Erling Smørgrav #include "includes.h"
20d4af9e69SDag-Erling Smørgrav 
21d4af9e69SDag-Erling Smørgrav #include <sys/types.h>
22d4af9e69SDag-Erling Smørgrav #include <sys/socket.h>
23d4af9e69SDag-Erling Smørgrav #include <netinet/in.h>
24d4af9e69SDag-Erling Smørgrav #include <arpa/inet.h>
25d4af9e69SDag-Erling Smørgrav 
26d4af9e69SDag-Erling Smørgrav #include <netdb.h>
27d4af9e69SDag-Erling Smørgrav #include <string.h>
28d4af9e69SDag-Erling Smørgrav #include <stdlib.h>
29d4af9e69SDag-Erling Smørgrav #include <stdio.h>
30d4af9e69SDag-Erling Smørgrav #include <stdarg.h>
31d4af9e69SDag-Erling Smørgrav 
32*19261079SEd Maste #include "addr.h"
33d4af9e69SDag-Erling Smørgrav #include "match.h"
34d4af9e69SDag-Erling Smørgrav #include "log.h"
35d4af9e69SDag-Erling Smørgrav 
/*
 * Match "addr" against the pattern list "_list": a comma-separated mix of
 * CIDR networks (handled by addr_pton_cidr()/addr_netmatch()) and
 * old-school wildcard patterns (handled by match_pattern()). An entry
 * prefixed with '!' is negated.
 *
 * If addr is NULL, no matching is performed; _list is only parsed and
 * checked for well-formedness. Note that in that mode only the CIDR
 * entries are validated - wildcard entries are not inspected.
 *
 * Returns 1 on match found (never returned when addr == NULL).
 * Returns 0 if no match found, or no errors found when addr == NULL.
 * Returns -1 on negated match found (never returned when addr == NULL).
 * Returns -2 on invalid list entry (empty entry or inconsistent mask
 * length).
 *
 * A negated match ends the scan and overrides any earlier positive
 * match. -1 is also returned if the list cannot be duplicated
 * (allocation failure), so callers that treat any negative result as
 * "deny" fail closed.
 */
int
addr_match_list(const char *addr, const char *_list)
{
	struct xaddr try_addr, match_addr;
	char *work, *cursor, *entry;
	u_int masklen;
	int ret = 0;

	/* An address that does not parse can never match anything. */
	if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
		debug2_f("couldn't parse address %.100s", addr);
		return 0;
	}
	/* strsep() writes into the string, so work on a private copy. */
	if ((work = strdup(_list)) == NULL)
		return -1;
	cursor = work;
	while ((entry = strsep(&cursor, ",")) != NULL) {
		int negated = 0, matched = 0, r;

		if (*entry == '!') {
			negated = 1;
			entry++;
		}
		if (*entry == '\0') {
			ret = -2;
			break;
		}
		/* CIDR form takes precedence over wildcard matching. */
		r = addr_pton_cidr(entry, &match_addr, &masklen);
		if (r == -2) {
			debug2_f("inconsistent mask length for "
			    "match network \"%.100s\"", entry);
			ret = -2;
			break;
		}
		if (addr != NULL) {
			if (r == 0) {
				matched = addr_netmatch(&try_addr,
				    &match_addr, masklen) == 0;
			} else {
				/* Not CIDR: fall back to a lexical wildcard match. */
				matched = match_pattern(addr, entry) == 1;
			}
		}
		if (!matched)
			continue;
		if (negated) {
			ret = -1;
			break;
		}
		ret = 1;
	}
	free(work);

	return ret;
}
98b15c8340SDag-Erling Smørgrav 
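/*
 * Match "addr" against the CIDR list "_list", a comma-separated list of
 * networks. Lexical wildcards and negation are not supported. If
 * "addr" == NULL, only the structure of "_list" is verified.
 *
 * NB. This function is called in pre-auth with untrusted data, so every
 * entry is screened (length and character set) before it is allowed to
 * reach getaddrinfo() via addr_pton_cidr(), and the first bad entry
 * aborts the scan with an error regardless of any earlier match.
 *
 * Returns 1 on match found (never returned when addr == NULL).
 * Returns 0 if no match found, or no errors found when addr == NULL.
 * Returns -1 on error (empty, overlong, malformed or inconsistent entry,
 * or allocation failure).
 */
int
addr_match_cidr_list(const char *addr, const char *_list)
{
	char *list, *cp, *o;
	struct xaddr try_addr, match_addr;
	u_int masklen;
	int ret = 0, r;

	/* An address that does not parse can never match anything. */
	if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
		debug2_f("couldn't parse address %.100s", addr);
		return 0;
	}
	/* strsep() writes into the string, so work on a private copy. */
	if ((o = list = strdup(_list)) == NULL)
		return -1;
	while ((cp = strsep(&list, ",")) != NULL) {
		if (*cp == '\0') {
			error_f("empty entry in list \"%.100s\"", o);
			ret = -1;
			break;
		}

		/*
		 * Stop junk from reaching getaddrinfo. +3 is for the mask
		 * length suffix (INET6_ADDRSTRLEN already counts the
		 * terminating NUL, which covers the '/').
		 */
		if (strlen(cp) > INET6_ADDRSTRLEN + 3) {
			error_f("list entry \"%.100s\" too long", cp);
			ret = -1;
			break;
		}
#define VALID_CIDR_CHARS "0123456789abcdefABCDEF.:/"
		if (strspn(cp, VALID_CIDR_CHARS) != strlen(cp)) {
			error_f("list entry \"%.100s\" contains invalid "
			    "characters", cp);
			ret = -1;
			/*
			 * Abort like the other pre-checks do. Without this
			 * break the rejected entry was still handed to
			 * addr_pton_cidr(), and a subsequent successful
			 * match could overwrite the -1 with 1.
			 */
			break;
		}

		r = addr_pton_cidr(cp, &match_addr, &masklen);
		if (r == -1) {
			error("Invalid network entry \"%.100s\"", cp);
			ret = -1;
			break;
		} else if (r == -2) {
			error("Inconsistent mask length for "
			    "network \"%.100s\"", cp);
			ret = -1;
			break;
		} else if (r == 0 && addr != NULL) {
			/*
			 * Keep scanning after a match so that every entry
			 * in the list is still validated.
			 */
			if (addr_netmatch(&try_addr, &match_addr,
			    masklen) == 0)
				ret = 1;
		}
	}
	free(o);

	return ret;
}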