1*74cb32aeSdjm /*	$OpenBSD: addrmatch.c,v 1.17 2021/04/03 06:18:40 djm Exp $ */
24e6f7e3dSdjm 
34e6f7e3dSdjm /*
44e6f7e3dSdjm  * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
54e6f7e3dSdjm  *
64e6f7e3dSdjm  * Permission to use, copy, modify, and distribute this software for any
74e6f7e3dSdjm  * purpose with or without fee is hereby granted, provided that the above
84e6f7e3dSdjm  * copyright notice and this permission notice appear in all copies.
94e6f7e3dSdjm  *
104e6f7e3dSdjm  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
114e6f7e3dSdjm  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
124e6f7e3dSdjm  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
134e6f7e3dSdjm  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
144e6f7e3dSdjm  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
154e6f7e3dSdjm  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
164e6f7e3dSdjm  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
174e6f7e3dSdjm  */
184e6f7e3dSdjm 
194e6f7e3dSdjm #include <sys/types.h>
204e6f7e3dSdjm #include <sys/socket.h>
214e6f7e3dSdjm #include <netinet/in.h>
224e6f7e3dSdjm #include <arpa/inet.h>
234e6f7e3dSdjm 
244e6f7e3dSdjm #include <netdb.h>
254e6f7e3dSdjm #include <string.h>
264e6f7e3dSdjm #include <stdlib.h>
274e6f7e3dSdjm #include <stdio.h>
284e6f7e3dSdjm #include <stdarg.h>
294e6f7e3dSdjm 
304b59ce38Sdtucker #include "addr.h"
314e6f7e3dSdjm #include "match.h"
324e6f7e3dSdjm #include "log.h"
334e6f7e3dSdjm 
/*
 * Match "addr" against the pattern list "_list", which may contain a
 * mix of CIDR addresses and old-school wildcards.
 *
 * If addr is NULL, then no matching is performed, but _list is parsed
 * and checked for well-formedness.
 *
 * Returns 1 on match found (never returned when addr == NULL).
 * Returns 0 if no match found, or no errors found when addr == NULL.
 * Returns -1 on negated match found (never returned when addr == NULL).
 * Returns -2 on invalid list entry.
 */
int
addr_match_list(const char *addr, const char *_list)
{
	struct xaddr try_addr, match_addr;
	char *entries, *entry, *saved;
	u_int masklen, negated;
	int ret = 0, r, matched = 0;

	/* An address that does not parse can never match anything. */
	if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
		debug2_f("couldn't parse address %.100s", addr);
		return 0;
	}
	/*
	 * strsep() advances "entries", so "saved" keeps the head for free().
	 * NB: -1 is also the negated-match return code, so an allocation
	 * failure is reported to callers exactly like an explicit deny.
	 */
	if ((saved = entries = strdup(_list)) == NULL)
		return -1;

	while ((entry = strsep(&entries, ",")) != NULL) {
		negated = (*entry == '!');
		if (negated)
			entry++;
		/* An empty entry (including a bare "!") is malformed. */
		if (*entry == '\0') {
			ret = -2;
			break;
		}
		/* Prefer CIDR address matching */
		r = addr_pton_cidr(entry, &match_addr, &masklen);
		if (r == -2) {
			debug2_f("inconsistent mask length for "
			    "match network \"%.100s\"", entry);
			ret = -2;
			break;
		}
		/*
		 * Validation-only mode (addr == NULL): the CIDR parse above
		 * is the only check applied; a non-CIDR entry is not
		 * inspected further.
		 */
		if (addr == NULL)
			continue;
		if (r == 0) {
			matched = (addr_netmatch(&try_addr, &match_addr,
			    masklen) == 0);
		} else {
			/* If CIDR parse failed, try wildcard string match */
			matched = (match_pattern(addr, entry) == 1);
		}
		if (!matched)
			continue;
		/*
		 * A negated hit decides the result immediately; a positive
		 * hit is remembered but a later "!" entry may still override it.
		 */
		if (negated) {
			ret = -1;
			break;
		}
		ret = 1;
	}
	free(saved);

	return ret;
}
96b94e498eSdjm 
/*
 * Match "addr" against the CIDR list "_list". Lexical wildcards and
 * negation are not supported. If "addr" == NULL, will verify the structure
 * of "_list".
 *
 * Returns 1 on match found (never returned when addr == NULL).
 * Returns 0 if no match found, or no errors found when addr == NULL.
 * Returns -1 on error
 */
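int
addr_match_cidr_list(const char *addr, const char *_list)
{
	char *list, *cp, *o;
	struct xaddr try_addr, match_addr;
	u_int masklen;
	int ret = 0, r;

	/* An unparseable address cannot match; this is not a list error. */
	if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
		debug2_f("couldn't parse address %.100s", addr);
		return 0;
	}
	/* strsep() advances "list"; "o" keeps the head for free(). */
	if ((o = list = strdup(_list)) == NULL)
		return -1;
	while ((cp = strsep(&list, ",")) != NULL) {
		if (*cp == '\0') {
			error_f("empty entry in list \"%.100s\"", o);
			ret = -1;
			break;
		}

		/*
		 * NB. This function is called in pre-auth with untrusted data,
		 * so be extra paranoid about junk reaching getaddrinfo (via
		 * addr_pton_cidr).
		 */

		/* Stop junk from reaching getaddrinfo. +3 is for masklen */
		if (strlen(cp) > INET6_ADDRSTRLEN + 3) {
			error_f("list entry \"%.100s\" too long", cp);
			ret = -1;
			break;
		}
#define VALID_CIDR_CHARS "0123456789abcdefABCDEF.:/"
		if (strspn(cp, VALID_CIDR_CHARS) != strlen(cp)) {
			error_f("list entry \"%.100s\" contains invalid "
			    "characters", cp);
			ret = -1;
			/*
			 * Stop here like the other checks: the rejected entry
			 * must not be handed to addr_pton_cidr() after all, and
			 * a later entry must not be able to overwrite the -1
			 * with a match.
			 */
			break;
		}

		/* Prefer CIDR address matching */
		r = addr_pton_cidr(cp, &match_addr, &masklen);
		if (r == -1) {
			error("Invalid network entry \"%.100s\"", cp);
			ret = -1;
			break;
		} else if (r == -2) {
			error("Inconsistent mask length for "
			    "network \"%.100s\"", cp);
			ret = -1;
			break;
		} else if (r == 0 && addr != NULL) {
			/*
			 * A match is remembered across the remaining entries;
			 * only a later malformed entry (ret = -1) overrides it.
			 */
			if (addr_netmatch(&try_addr, &match_addr,
			    masklen) == 0)
				ret = 1;
			continue;
		}
	}
	free(o);

	return ret;
}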
168