summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@zip.com.au>2008-06-10 22:59:10 +1000
committerDarren Tucker <dtucker@zip.com.au>2008-06-10 22:59:10 +1000
commit7a3935de2facb227ea1fc2ce2de046b569a2ebc7 (patch)
treed0545c3c568f1de7f3edd0a3254ab3b5547a6059
parent588fe0efa4e7cb74fc071c5271348d13ea06528b (diff)
downloadopenssh-git-7a3935de2facb227ea1fc2ce2de046b569a2ebc7.tar.gz
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/06/10 03:57:27 [servconf.c match.h sshd_config.5] support CIDR address matching in sshd_config "Match address" blocks, with full support for negation and fall-back to classic wildcard matching. For example: Match address 192.0.2.0/24,3ffe:ffff::/32,!10.* PasswordAuthentication yes addrmatch.c code mostly lifted from flowd's addr.c feedback and ok dtucker@
-rw-r--r--ChangeLog14
-rw-r--r--Makefile.in4
-rw-r--r--addrmatch.c420
-rw-r--r--match.h5
-rw-r--r--servconf.c18
-rw-r--r--sshd_config.526
6 files changed, 473 insertions, 14 deletions
diff --git a/ChangeLog b/ChangeLog
index d6096740..65f97df7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+20080610
+ - (dtucker) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2008/06/10 03:57:27
+ [servconf.c match.h sshd_config.5]
+ support CIDR address matching in sshd_config "Match address" blocks, with
+ full support for negation and fall-back to classic wildcard matching.
+ For example:
+ Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
+ PasswordAuthentication yes
+ addrmatch.c code mostly lifted from flowd's addr.c
+ feedback and ok dtucker@
+
20080609
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2008/06/08 17:04:41
@@ -4083,4 +4095,4 @@
OpenServer 6 and add osr5bigcrypt support so when someone migrates
passwords between UnixWare and OpenServer they will still work. OK dtucker@
-$Id: ChangeLog,v 1.4948 2008/06/09 13:52:22 dtucker Exp $
+$Id: ChangeLog,v 1.4949 2008/06/10 12:59:10 dtucker Exp $
diff --git a/Makefile.in b/Makefile.in
index b57b9b72..5debe253 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.290 2008/05/19 06:00:08 djm Exp $
+# $Id: Makefile.in,v 1.291 2008/06/10 12:59:10 dtucker Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
@@ -83,7 +83,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
- auth-krb5.o \
+ auth-krb5.o addrmatch.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o
diff --git a/addrmatch.c b/addrmatch.c
new file mode 100644
index 00000000..a0559efa
--- /dev/null
+++ b/addrmatch.c
@@ -0,0 +1,420 @@
+/* $OpenBSD: addrmatch.c,v 1.2 2008/06/10 05:22:45 djm Exp $ */
+
+/*
+ * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdarg.h>
+
+#include "match.h"
+#include "log.h"
+
+struct xaddr {
+ sa_family_t af;
+ union {
+ struct in_addr v4;
+ struct in6_addr v6;
+ u_int8_t addr8[16];
+ u_int32_t addr32[4];
+ } xa; /* 128-bit address */
+ u_int32_t scope_id; /* iface scope id for v6 */
+#define v4 xa.v4
+#define v6 xa.v6
+#define addr8 xa.addr8
+#define addr32 xa.addr32
+};
+
+static int
+addr_unicast_masklen(int af)
+{
+ switch (af) {
+ case AF_INET:
+ return 32;
+ case AF_INET6:
+ return 128;
+ default:
+ return -1;
+ }
+}
+
+static inline int
+masklen_valid(int af, u_int masklen)
+{
+ switch (af) {
+ case AF_INET:
+ return masklen <= 32 ? 0 : -1;
+ case AF_INET6:
+ return masklen <= 128 ? 0 : -1;
+ default:
+ return -1;
+ }
+}
+
+/*
+ * Convert struct sockaddr to struct xaddr
+ * Returns 0 on success, -1 on failure.
+ */
+static int
+addr_sa_to_xaddr(struct sockaddr *sa, socklen_t slen, struct xaddr *xa)
+{
+ struct sockaddr_in *in4 = (struct sockaddr_in *)sa;
+ struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)sa;
+
+ memset(xa, '\0', sizeof(*xa));
+
+ switch (sa->sa_family) {
+ case AF_INET:
+ if (slen < sizeof(*in4))
+ return -1;
+ xa->af = AF_INET;
+ memcpy(&xa->v4, &in4->sin_addr, sizeof(xa->v4));
+ break;
+ case AF_INET6:
+ if (slen < sizeof(*in6))
+ return -1;
+ xa->af = AF_INET6;
+ memcpy(&xa->v6, &in6->sin6_addr, sizeof(xa->v6));
+ xa->scope_id = in6->sin6_scope_id;
+ break;
+ default:
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * Calculate a netmask of length 'l' for address family 'af' and
+ * store it in 'n'.
+ * Returns 0 on success, -1 on failure.
+ */
+static int
+addr_netmask(int af, u_int l, struct xaddr *n)
+{
+ int i;
+
+ if (masklen_valid(af, l) != 0 || n == NULL)
+ return -1;
+
+ memset(n, '\0', sizeof(*n));
+ switch (af) {
+ case AF_INET:
+ n->af = AF_INET;
+ n->v4.s_addr = htonl((0xffffffff << (32 - l)) & 0xffffffff);
+ return 0;
+ case AF_INET6:
+ n->af = AF_INET6;
+ for (i = 0; i < 4 && l >= 32; i++, l -= 32)
+ n->addr32[i] = 0xffffffffU;
+ if (i < 4 && l != 0)
+ n->addr32[i] = htonl((0xffffffff << (32 - l)) &
+ 0xffffffff);
+ return 0;
+ default:
+ return -1;
+ }
+}
+
+/*
+ * Perform logical AND of addresses 'a' and 'b', storing result in 'dst'.
+ * Returns 0 on success, -1 on failure.
+ */
+static int
+addr_and(struct xaddr *dst, const struct xaddr *a, const struct xaddr *b)
+{
+ int i;
+
+ if (dst == NULL || a == NULL || b == NULL || a->af != b->af)
+ return -1;
+
+ memcpy(dst, a, sizeof(*dst));
+ switch (a->af) {
+ case AF_INET:
+ dst->v4.s_addr &= b->v4.s_addr;
+ return 0;
+ case AF_INET6:
+ dst->scope_id = a->scope_id;
+ for (i = 0; i < 4; i++)
+ dst->addr32[i] &= b->addr32[i];
+ return 0;
+ default:
+ return -1;
+ }
+}
+
+/*
+ * Compare addresses 'a' and 'b'
+ * Return 0 if addresses are identical, -1 if (a < b) or 1 if (a > b)
+ */
+static int
+addr_cmp(const struct xaddr *a, const struct xaddr *b)
+{
+ int i;
+
+ if (a->af != b->af)
+ return a->af == AF_INET6 ? 1 : -1;
+
+ switch (a->af) {
+ case AF_INET:
+ if (a->v4.s_addr == b->v4.s_addr)
+ return 0;
+ return ntohl(a->v4.s_addr) > ntohl(b->v4.s_addr) ? 1 : -1;
+ case AF_INET6:
+ for (i = 0; i < 16; i++)
+ if (a->addr8[i] - b->addr8[i] != 0)
+ return a->addr8[i] > b->addr8[i] ? 1 : -1;
+ if (a->scope_id == b->scope_id)
+ return 0;
+ return a->scope_id > b->scope_id ? 1 : -1;
+ default:
+ return -1;
+ }
+}
+
+/*
+ * Parse string address 'p' into 'n'
+ * Returns 0 on success, -1 on failure.
+ */
+static int
+addr_pton(const char *p, struct xaddr *n)
+{
+ struct addrinfo hints, *ai;
+
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_flags = AI_NUMERICHOST;
+
+ if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0)
+ return -1;
+
+ if (ai == NULL || ai->ai_addr == NULL)
+ return -1;
+
+ if (n != NULL &&
+ addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen, n) == -1) {
+ freeaddrinfo(ai);
+ return -1;
+ }
+
+ freeaddrinfo(ai);
+ return 0;
+}
+
+/*
+ * Perform bitwise negation of address
+ * Returns 0 on success, -1 on failure.
+ */
+static int
+addr_invert(struct xaddr *n)
+{
+ int i;
+
+ if (n == NULL)
+ return (-1);
+
+ switch (n->af) {
+ case AF_INET:
+ n->v4.s_addr = ~n->v4.s_addr;
+ return (0);
+ case AF_INET6:
+ for (i = 0; i < 4; i++)
+ n->addr32[i] = ~n->addr32[i];
+ return (0);
+ default:
+ return (-1);
+ }
+}
+
+/*
+ * Calculate a netmask of length 'l' for address family 'af' and
+ * store it in 'n'.
+ * Returns 0 on success, -1 on failure.
+ */
+static int
+addr_hostmask(int af, u_int l, struct xaddr *n)
+{
+ if (addr_netmask(af, l, n) == -1 || addr_invert(n) == -1)
+ return (-1);
+ return (0);
+}
+
+/*
+ * Test whether address 'a' is all zeros (i.e. 0.0.0.0 or ::)
+ * Returns 0 on if address is all-zeros, -1 if not all zeros or on failure.
+ */
+static int
+addr_is_all0s(const struct xaddr *a)
+{
+ int i;
+
+ switch (a->af) {
+ case AF_INET:
+ return (a->v4.s_addr == 0 ? 0 : -1);
+ case AF_INET6:;
+ for (i = 0; i < 4; i++)
+ if (a->addr32[i] != 0)
+ return (-1);
+ return (0);
+ default:
+ return (-1);
+ }
+}
+
+/*
+ * Test whether host portion of address 'a', as determined by 'masklen'
+ * is all zeros.
+ * Returns 0 on if host portion of address is all-zeros,
+ * -1 if not all zeros or on failure.
+ */
+static int
+addr_host_is_all0s(const struct xaddr *a, u_int masklen)
+{
+ struct xaddr tmp_addr, tmp_mask, tmp_result;
+
+ memcpy(&tmp_addr, a, sizeof(tmp_addr));
+ if (addr_hostmask(a->af, masklen, &tmp_mask) == -1)
+ return (-1);
+ if (addr_and(&tmp_result, &tmp_addr, &tmp_mask) == -1)
+ return (-1);
+ return (addr_is_all0s(&tmp_result));
+}
+
+/*
+ * Parse a CIDR address (x.x.x.x/y or xxxx:yyyy::/z).
+ * Return -1 on parse error, -2 on inconsistency or 0 on success.
+ */
+static int
+addr_pton_cidr(const char *p, struct xaddr *n, u_int *l)
+{
+ struct xaddr tmp;
+ long unsigned int masklen = 999;
+ char addrbuf[64], *mp, *cp;
+
+ /* Don't modify argument */
+ if (p == NULL || strlcpy(addrbuf, p, sizeof(addrbuf)) > sizeof(addrbuf))
+ return -1;
+
+ if ((mp = strchr(addrbuf, '/')) != NULL) {
+ *mp = '\0';
+ mp++;
+ masklen = strtoul(mp, &cp, 10);
+ if (*mp == '\0' || *cp != '\0' || masklen > 128)
+ return -1;
+ }
+
+ if (addr_pton(addrbuf, &tmp) == -1)
+ return -1;
+
+ if (mp == NULL)
+ masklen = addr_unicast_masklen(tmp.af);
+ if (masklen_valid(tmp.af, masklen) == -1)
+ return -2;
+ if (addr_host_is_all0s(&tmp, masklen) != 0)
+ return -2;
+
+ if (n != NULL)
+ memcpy(n, &tmp, sizeof(*n));
+ if (l != NULL)
+ *l = masklen;
+
+ return 0;
+}
+
+static int
+addr_netmatch(const struct xaddr *host, const struct xaddr *net, u_int masklen)
+{
+ struct xaddr tmp_mask, tmp_result;
+
+ if (host->af != net->af)
+ return -1;
+
+ if (addr_netmask(host->af, masklen, &tmp_mask) == -1)
+ return -1;
+ if (addr_and(&tmp_result, host, &tmp_mask) == -1)
+ return -1;
+ return addr_cmp(&tmp_result, net);
+}
+
+/*
+ * Match "addr" against list pattern list "_list", which may contain a
+ * mix of CIDR addresses and old-school wildcards.
+ *
+ * If addr is NULL, then no matching is performed, but _list is parsed
+ * and checked for well-formedness.
+ *
+ * Returns 1 on match found (never returned when addr == NULL).
+ * Returns 0 on if no match found, or no errors found when addr == NULL.
+ * Returns -1 on invalid list entry.
+ */
+int
+addr_match_list(const char *addr, const char *_list)
+{
+ char *list, *cp, *o;
+ struct xaddr try_addr, match_addr;
+ u_int masklen, neg;
+ int ret = 0, r;
+
+ if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
+ debug2("%s: couldn't parse address %.100s", __func__, addr);
+ return 0;
+ }
+ if ((o = list = strdup(_list)) == NULL)
+ return -1;
+ while ((cp = strsep(&list, ",")) != NULL) {
+ neg = *cp == '!';
+ if (neg)
+ cp++;
+ if (*cp == '\0') {
+ ret = -1;
+ break;
+ }
+ /* Prefer CIDR address matching */
+ r = addr_pton_cidr(cp, &match_addr, &masklen);
+ if (r == -2) {
+ error("Inconsistent mask length for "
+ "network \"%.100s\"", cp);
+ ret = -1;
+ break;
+ } else if (r == 0) {
+ if (addr != NULL && addr_netmatch(&try_addr,
+ &match_addr, masklen) == 0) {
+ foundit:
+ if (neg) {
+ ret = 0;
+ break;
+ }
+ ret = 1;
+ }
+ continue;
+ } else {
+ /* If CIDR parse failed, try wildcard string match */
+ if (addr != NULL && match_pattern(addr, cp) == 1)
+ goto foundit;
+ }
+ }
+ free(o);
+
+ return ret;
+}
diff --git a/match.h b/match.h
index d1d53865..18f68307 100644
--- a/match.h
+++ b/match.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.h,v 1.13 2006/03/25 22:22:43 djm Exp $ */
+/* $OpenBSD: match.h,v 1.14 2008/06/10 03:57:27 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -21,4 +21,7 @@ int match_host_and_ip(const char *, const char *, const char *);
int match_user(const char *, const char *, const char *, const char *);
char *match_list(const char *, const char *, u_int *);
+/* addrmatch.c */
+int addr_match_list(const char *, const char *);
+
#endif
diff --git a/servconf.c b/servconf.c
index 94dff1fd..07a20103 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.180 2008/05/08 12:21:16 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.181 2008/06/10 03:57:27 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -603,15 +603,17 @@ match_cfg_line(char **condition, int line, const char *user, const char *host,
debug("connection from %.100s matched 'Host "
"%.100s' at line %d", host, arg, line);
} else if (strcasecmp(attrib, "address") == 0) {
- if (!address) {
- result = 0;
- continue;
- }
- if (match_hostname(address, arg, len) != 1)
- result = 0;
- else
+ switch (addr_match_list(address, arg)) {
+ case 1:
debug("connection from %.100s matched 'Address "
"%.100s' at line %d", address, arg, line);
+ break;
+ case 0:
+ result = 0;
+ break;
+ case -1:
+ return -1;
+ }
} else {
error("Unsupported Match attribute %s", attrib);
return -1;
diff --git a/sshd_config.5 b/sshd_config.5
index 0d8c140b..dc42959e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.90 2008/05/08 12:21:16 djm Exp $
-.Dd $Mdocdate: May 8 2008 $
+.\" $OpenBSD: sshd_config.5,v 1.91 2008/06/10 03:57:27 djm Exp $
+.Dd $Mdocdate: June 10 2008 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -557,6 +557,7 @@ line are satisfied, the keywords on the following lines override those
set in the global section of the config file, until either another
.Cm Match
line or the end of the file.
+.Pp
The arguments to
.Cm Match
are one or more criteria-pattern pairs.
@@ -566,6 +567,27 @@ The available criteria are
.Cm Host ,
and
.Cm Address .
+The match patterns may consist of single entries or comma-separated
+lists and may use the wildcard and negation operators described in the
+.Sx SSH_KNOWN_HOSTS FILE FORMAT
+section of
+.Xr sshd 8 .
+.Pp
+The patterns in an
+.Cm Address
+criteria may additionally contain addresses to match in CIDR
+address/masklen format, e.g.
+.Dq 192.0.2.0/24
+or
+.Dq 3ffe:ffff::/32 .
+Note that the mask length provided must be consistent with the address -
+it is an error to specify a mask length that is too long for the address
+or one with bits set in this host portion of the address. For example,
+.Dq 192.0.2.0/33
+and
+.Dq 192.0.2.0/8
+respectively.
+.Pp
Only a subset of keywords may be used on the lines following a
.Cm Match
keyword.