1 /* $OpenBSD: match.c,v 1.38 2018/07/04 13:49:31 djm Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * Simple pattern matching, with '*' and '?' as wildcards. 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this 10 * software must be clearly marked as such, and if the derived work is 11 * incompatible with the protocol description in the RFC file, it must be 12 * called by a name other than "ssh" or "Secure Shell". 13 */ 14 /* 15 * Copyright (c) 2000 Markus Friedl. All rights reserved. 16 * 17 * Redistribution and use in source and binary forms, with or without 18 * modification, are permitted provided that the following conditions 19 * are met: 20 * 1. Redistributions of source code must retain the above copyright 21 * notice, this list of conditions and the following disclaimer. 22 * 2. Redistributions in binary form must reproduce the above copyright 23 * notice, this list of conditions and the following disclaimer in the 24 * documentation and/or other materials provided with the distribution. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 #include "includes.h" 39 40 #include <sys/types.h> 41 42 #include <ctype.h> 43 #include <stdlib.h> 44 #include <string.h> 45 #include <stdio.h> 46 47 #include "xmalloc.h" 48 #include "match.h" 49 #include "misc.h" 50 51 /* 52 * Returns true if the given string matches the pattern (which may contain ? 53 * and * as wildcards), and zero if it does not match. 54 */ 55 56 int 57 match_pattern(const char *s, const char *pattern) 58 { 59 for (;;) { 60 /* If at end of pattern, accept if also at end of string. */ 61 if (!*pattern) 62 return !*s; 63 64 if (*pattern == '*') { 65 /* Skip the asterisk. */ 66 pattern++; 67 68 /* If at end of pattern, accept immediately. */ 69 if (!*pattern) 70 return 1; 71 72 /* If next character in pattern is known, optimize. */ 73 if (*pattern != '?' && *pattern != '*') { 74 /* 75 * Look instances of the next character in 76 * pattern, and try to match starting from 77 * those. 78 */ 79 for (; *s; s++) 80 if (*s == *pattern && 81 match_pattern(s + 1, pattern + 1)) 82 return 1; 83 /* Failed. */ 84 return 0; 85 } 86 /* 87 * Move ahead one character at a time and try to 88 * match at each position. 89 */ 90 for (; *s; s++) 91 if (match_pattern(s, pattern)) 92 return 1; 93 /* Failed. */ 94 return 0; 95 } 96 /* 97 * There must be at least one more character in the string. 98 * If we are at the end, fail. 99 */ 100 if (!*s) 101 return 0; 102 103 /* Check if the next character of the string is acceptable. */ 104 if (*pattern != '?' && *pattern != *s) 105 return 0; 106 107 /* Move to the next character, both in string and in pattern. */ 108 s++; 109 pattern++; 110 } 111 /* NOTREACHED */ 112 } 113 114 /* 115 * Tries to match the string against the 116 * comma-separated sequence of subpatterns (each possibly preceded by ! to 117 * indicate negation). Returns -1 if negation matches, 1 if there is 118 * a positive match, 0 if there is no match at all. 119 */ 120 int 121 match_pattern_list(const char *string, const char *pattern, int dolower) 122 { 123 char sub[1024]; 124 int negated; 125 int got_positive; 126 u_int i, subi, len = strlen(pattern); 127 128 got_positive = 0; 129 for (i = 0; i < len;) { 130 /* Check if the subpattern is negated. */ 131 if (pattern[i] == '!') { 132 negated = 1; 133 i++; 134 } else 135 negated = 0; 136 137 /* 138 * Extract the subpattern up to a comma or end. Convert the 139 * subpattern to lowercase. 140 */ 141 for (subi = 0; 142 i < len && subi < sizeof(sub) - 1 && pattern[i] != ','; 143 subi++, i++) 144 sub[subi] = dolower && isupper((u_char)pattern[i]) ? 145 tolower((u_char)pattern[i]) : pattern[i]; 146 /* If subpattern too long, return failure (no match). */ 147 if (subi >= sizeof(sub) - 1) 148 return 0; 149 150 /* If the subpattern was terminated by a comma, then skip it. */ 151 if (i < len && pattern[i] == ',') 152 i++; 153 154 /* Null-terminate the subpattern. */ 155 sub[subi] = '\0'; 156 157 /* Try to match the subpattern against the string. */ 158 if (match_pattern(string, sub)) { 159 if (negated) 160 return -1; /* Negative */ 161 else 162 got_positive = 1; /* Positive */ 163 } 164 } 165 166 /* 167 * Return success if got a positive match. If there was a negative 168 * match, we have already returned -1 and never get here. 169 */ 170 return got_positive; 171 } 172 173 /* 174 * Tries to match the host name (which must be in all lowercase) against the 175 * comma-separated sequence of subpatterns (each possibly preceded by ! to 176 * indicate negation). Returns -1 if negation matches, 1 if there is 177 * a positive match, 0 if there is no match at all. 178 */ 179 int 180 match_hostname(const char *host, const char *pattern) 181 { 182 char *hostcopy = xstrdup(host); 183 int r; 184 185 lowercase(hostcopy); 186 r = match_pattern_list(hostcopy, pattern, 1); 187 free(hostcopy); 188 return r; 189 } 190 191 /* 192 * returns 0 if we get a negative match for the hostname or the ip 193 * or if we get no match at all. returns -1 on error, or 1 on 194 * successful match. 195 */ 196 int 197 match_host_and_ip(const char *host, const char *ipaddr, 198 const char *patterns) 199 { 200 int mhost, mip; 201 202 if ((mip = addr_match_list(ipaddr, patterns)) == -2) 203 return -1; /* error in ipaddr match */ 204 else if (host == NULL || ipaddr == NULL || mip == -1) 205 return 0; /* negative ip address match, or testing pattern */ 206 207 /* negative hostname match */ 208 if ((mhost = match_hostname(host, patterns)) == -1) 209 return 0; 210 /* no match at all */ 211 if (mhost == 0 && mip == 0) 212 return 0; 213 return 1; 214 } 215 216 /* 217 * Match user, user@host_or_ip, user@host_or_ip_list against pattern. 218 * If user, host and ipaddr are all NULL then validate pattern/ 219 * Returns -1 on invalid pattern, 0 on no match, 1 on match. 220 */ 221 int 222 match_user(const char *user, const char *host, const char *ipaddr, 223 const char *pattern) 224 { 225 char *p, *pat; 226 int ret; 227 228 /* test mode */ 229 if (user == NULL && host == NULL && ipaddr == NULL) { 230 if ((p = strchr(pattern, '@')) != NULL && 231 match_host_and_ip(NULL, NULL, p + 1) < 0) 232 return -1; 233 return 0; 234 } 235 236 if ((p = strchr(pattern,'@')) == NULL) 237 return match_pattern(user, pattern); 238 239 pat = xstrdup(pattern); 240 p = strchr(pat, '@'); 241 *p++ = '\0'; 242 243 if ((ret = match_pattern(user, pat)) == 1) 244 ret = match_host_and_ip(host, ipaddr, p); 245 free(pat); 246 247 return ret; 248 } 249 250 /* 251 * Returns first item from client-list that is also supported by server-list, 252 * caller must free the returned string. 253 */ 254 #define MAX_PROP 40 255 #define SEP "," 256 char * 257 match_list(const char *client, const char *server, u_int *next) 258 { 259 char *sproposals[MAX_PROP]; 260 char *c, *s, *p, *ret, *cp, *sp; 261 int i, j, nproposals; 262 263 c = cp = xstrdup(client); 264 s = sp = xstrdup(server); 265 266 for ((p = strsep(&sp, SEP)), i=0; p && *p != '\0'; 267 (p = strsep(&sp, SEP)), i++) { 268 if (i < MAX_PROP) 269 sproposals[i] = p; 270 else 271 break; 272 } 273 nproposals = i; 274 275 for ((p = strsep(&cp, SEP)), i=0; p && *p != '\0'; 276 (p = strsep(&cp, SEP)), i++) { 277 for (j = 0; j < nproposals; j++) { 278 if (strcmp(p, sproposals[j]) == 0) { 279 ret = xstrdup(p); 280 if (next != NULL) 281 *next = (cp == NULL) ? 282 strlen(c) : (u_int)(cp - c); 283 free(c); 284 free(s); 285 return ret; 286 } 287 } 288 } 289 if (next != NULL) 290 *next = strlen(c); 291 free(c); 292 free(s); 293 return NULL; 294 } 295 296 /* 297 * Filter proposal using pattern-list filter. 298 * "blacklist" determines sense of filter: 299 * non-zero indicates that items matching filter should be excluded. 300 * zero indicates that only items matching filter should be included. 301 * returns NULL on allocation error, otherwise caller must free result. 302 */ 303 static char * 304 filter_list(const char *proposal, const char *filter, int blacklist) 305 { 306 size_t len = strlen(proposal) + 1; 307 char *fix_prop = malloc(len); 308 char *orig_prop = strdup(proposal); 309 char *cp, *tmp; 310 int r; 311 312 if (fix_prop == NULL || orig_prop == NULL) { 313 free(orig_prop); 314 free(fix_prop); 315 return NULL; 316 } 317 318 tmp = orig_prop; 319 *fix_prop = '\0'; 320 while ((cp = strsep(&tmp, ",")) != NULL) { 321 r = match_pattern_list(cp, filter, 0); 322 if ((blacklist && r != 1) || (!blacklist && r == 1)) { 323 if (*fix_prop != '\0') 324 strlcat(fix_prop, ",", len); 325 strlcat(fix_prop, cp, len); 326 } 327 } 328 free(orig_prop); 329 return fix_prop; 330 } 331 332 /* 333 * Filters a comma-separated list of strings, excluding any entry matching 334 * the 'filter' pattern list. Caller must free returned string. 335 */ 336 char * 337 match_filter_blacklist(const char *proposal, const char *filter) 338 { 339 return filter_list(proposal, filter, 1); 340 } 341 342 /* 343 * Filters a comma-separated list of strings, including only entries matching 344 * the 'filter' pattern list. Caller must free returned string. 345 */ 346 char * 347 match_filter_whitelist(const char *proposal, const char *filter) 348 { 349 return filter_list(proposal, filter, 0); 350 } 351