xref: /freebsd/crypto/openssh/addrmatch.c (revision 124981e1) 
1 /*	$OpenBSD: addrmatch.c,v 1.17 2021/04/03 06:18:40 djm Exp $ */
2 
3 /*
4  * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include "includes.h"
20 
21 #include <sys/types.h>
22 #include <sys/socket.h>
23 #include <netinet/in.h>
24 #include <arpa/inet.h>
25 
26 #include <netdb.h>
27 #include <string.h>
28 #include <stdlib.h>
29 #include <stdio.h>
30 #include <stdarg.h>
31 
32 #include "addr.h"
33 #include "match.h"
34 #include "log.h"
35 
36 /*
37  * Match "addr" against list pattern list "_list", which may contain a
38  * mix of CIDR addresses and old-school wildcards.
39  *
40  * If addr is NULL, then no matching is performed, but _list is parsed
41  * and checked for well-formedness.
42  *
43  * Returns 1 on match found (never returned when addr == NULL).
44  * Returns 0 on if no match found, or no errors found when addr == NULL.
45  * Returns -1 on negated match found (never returned when addr == NULL).
46  * Returns -2 on invalid list entry.
47  */
48 int
addr_match_list(const char * addr,const char * _list)49 addr_match_list(const char *addr, const char *_list)
50 {
51 	char *list, *cp, *o;
52 	struct xaddr try_addr, match_addr;
53 	u_int masklen, neg;
54 	int ret = 0, r;
55 
56 	if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
57 		debug2_f("couldn't parse address %.100s", addr);
58 		return 0;
59 	}
60 	if ((o = list = strdup(_list)) == NULL)
61 		return -1;
62 	while ((cp = strsep(&list, ",")) != NULL) {
63 		neg = *cp == '!';
64 		if (neg)
65 			cp++;
66 		if (*cp == '\0') {
67 			ret = -2;
68 			break;
69 		}
70 		/* Prefer CIDR address matching */
71 		r = addr_pton_cidr(cp, &match_addr, &masklen);
72 		if (r == -2) {
73 			debug2_f("inconsistent mask length for "
74 			    "match network \"%.100s\"", cp);
75 			ret = -2;
76 			break;
77 		} else if (r == 0) {
78 			if (addr != NULL && addr_netmatch(&try_addr,
79 			    &match_addr, masklen) == 0) {
80  foundit:
81 				if (neg) {
82 					ret = -1;
83 					break;
84 				}
85 				ret = 1;
86 			}
87 			continue;
88 		} else {
89 			/* If CIDR parse failed, try wildcard string match */
90 			if (addr != NULL && match_pattern(addr, cp) == 1)
91 				goto foundit;
92 		}
93 	}
94 	free(o);
95 
96 	return ret;
97 }
98 
99 /*
100  * Match "addr" against list CIDR list "_list". Lexical wildcards and
101  * negation are not supported. If "addr" == NULL, will verify structure
102  * of "_list".
103  *
104  * Returns 1 on match found (never returned when addr == NULL).
105  * Returns 0 on if no match found, or no errors found when addr == NULL.
106  * Returns -1 on error
107  */
108 int
addr_match_cidr_list(const char * addr,const char * _list)109 addr_match_cidr_list(const char *addr, const char *_list)
110 {
111 	char *list, *cp, *o;
112 	struct xaddr try_addr, match_addr;
113 	u_int masklen;
114 	int ret = 0, r;
115 
116 	if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
117 		debug2_f("couldn't parse address %.100s", addr);
118 		return 0;
119 	}
120 	if ((o = list = strdup(_list)) == NULL)
121 		return -1;
122 	while ((cp = strsep(&list, ",")) != NULL) {
123 		if (*cp == '\0') {
124 			error_f("empty entry in list \"%.100s\"", o);
125 			ret = -1;
126 			break;
127 		}
128 
129 		/*
130 		 * NB. This function is called in pre-auth with untrusted data,
131 		 * so be extra paranoid about junk reaching getaddrino (via
132 		 * addr_pton_cidr).
133 		 */
134 
135 		/* Stop junk from reaching getaddrinfo. +3 is for masklen */
136 		if (strlen(cp) > INET6_ADDRSTRLEN + 3) {
137 			error_f("list entry \"%.100s\" too long", cp);
138 			ret = -1;
139 			break;
140 		}
141 #define VALID_CIDR_CHARS "0123456789abcdefABCDEF.:/"
142 		if (strspn(cp, VALID_CIDR_CHARS) != strlen(cp)) {
143 			error_f("list entry \"%.100s\" contains invalid "
144 			    "characters", cp);
145 			ret = -1;
146 		}
147 
148 		/* Prefer CIDR address matching */
149 		r = addr_pton_cidr(cp, &match_addr, &masklen);
150 		if (r == -1) {
151 			error("Invalid network entry \"%.100s\"", cp);
152 			ret = -1;
153 			break;
154 		} else if (r == -2) {
155 			error("Inconsistent mask length for "
156 			    "network \"%.100s\"", cp);
157 			ret = -1;
158 			break;
159 		} else if (r == 0 && addr != NULL) {
160 			if (addr_netmatch(&try_addr, &match_addr,
161 			    masklen) == 0)
162 				ret = 1;
163 			continue;
164 		}
165 	}
166 	free(o);
167 
168 	return ret;
169 }
170