-rw-r--r--ChangeLog5
-rw-r--r--auth-options.c19
-rw-r--r--match.c27
-rw-r--r--match.h26
4 files changed, 40 insertions, 37 deletions
diff --git a/ChangeLog b/ChangeLog
index a638c64c..590ac587 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -92,6 +92,9 @@
[sshconnect1.c]
consistent with ssh2: skip key if empty passphrase is entered,
retry num_of_passwd_prompt times if passphrase is wrong. ok fgsch@
+ - markus@cvs.openbsd.org 2001/06/24 05:25:10
+ [auth-options.c match.c match.h]
+ move ip+hostname check to match.c
20010622
- (stevesk) handle systems without pw_expire and pw_change.
@@ -5776,4 +5779,4 @@
- Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1
-$Id: ChangeLog,v 1.1319 2001/06/25 05:16:02 mouring Exp $
+$Id: ChangeLog,v 1.1320 2001/06/25 05:17:53 mouring Exp $
diff --git a/auth-options.c b/auth-options.c
index 210fbe7e..83ef02c4 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.18 2001/05/31 10:30:12 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.19 2001/06/24 05:25:09 markus Exp $");
#include "packet.h"
#include "xmalloc.h"
@@ -167,7 +167,6 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
}
cp = "from=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- int mname, mip;
const char *remote_ip = get_remote_ipaddr();
const char *remote_host = get_canonical_hostname(
options.reverse_mapping_check);
@@ -195,18 +194,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
}
patterns[i] = 0;
opts++;
- /*
- * Deny access if we get a negative
- * match for the hostname or the ip
- * or if we get not match at all
- */
- mname = match_hostname(remote_host, patterns,
- strlen(patterns));
- mip = match_hostname(remote_ip, patterns,
- strlen(patterns));
- xfree(patterns);
- if (mname == -1 || mip == -1 ||
- (mname != 1 && mip != 1)) {
+ if (match_host_and_ip(remote_host, remote_ip,
+ patterns) != 1) {
+ xfree(patterns);
log("Authentication tried for %.100s with "
"correct key but not from a permitted "
"host (host=%.200s, ip=%.200s).",
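Review bot: The rewritten deny path now frees `patterns` in two places (here, and again after the if in the following hunk), where the original code had a single xfree before the test; two release paths for one allocation are easy to desynchronise in later edits. Capturing the result first keeps one free and the same behaviour: `int allowed = match_host_and_ip(remote_host, remote_ip, patterns);` `xfree(patterns);` `if (allowed != 1) {`. The log call's argument list continues past the end of this hunk, and auth_parse_options itself starts and ends outside it.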
@@ -217,6 +207,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
/* deny access */
return 0;
}
+ xfree(patterns);
/* Host name matches. */
goto next_option;
}
diff --git a/match.c b/match.c
index ebb562ab..2e2d6309 100644
--- a/match.c
+++ b/match.c
@@ -35,7 +35,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: match.c,v 1.12 2001/03/10 17:51:04 markus Exp $");
+RCSID("$OpenBSD: match.c,v 1.13 2001/06/24 05:25:10 markus Exp $");
#include "match.h"
#include "xmalloc.h"
@@ -162,7 +162,32 @@ match_hostname(const char *host, const char *pattern, u_int len)
return got_positive;
}
+/*
+ * returns 0 if we get a negative match for the hostname or the ip
+ * or if we get no match at all. returns 1 otherwise.
+ */
+int
+match_host_and_ip(const char *host, const char *ipaddr,
+ const char *patterns)
+{
+ int mhost, mip;
+
+ /* negative ipaddr match */
+ if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
+ return 0;
+ /* negative hostname match */
+ if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
+ return 0;
+ /* no match at all */
+ if (mhost == 0 && mip == 0)
+ return 0;
+ return 1;
+}
+/*
+ * Returns first item from client-list that is also supported by server-list,
+ * caller must xfree() returned string.
+ */
#define MAX_PROP 20
#define SEP ","
char *
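Review bot: match_host_and_ip evaluates `strlen(patterns)` twice for the same string, once per match_hostname call; compute it once, `u_int len = strlen(patterns);`, and pass `len` to both calls, keeping match_hostname's existing `u_int` parameter type. The header comment would also benefit from carrying the contract that the prototype comment in match.h used to state: the list is comma-separated, `!` negates a subpattern, and a negative hit on either the ip or the hostname yields 0 even when the other side matches positively. Whether `host` or `ipaddr` may ever be NULL here depends on callers outside this hunk and is not checked.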
diff --git a/match.h b/match.h
index 09c93116..5faf6681 100644
--- a/match.h
+++ b/match.h
@@ -1,11 +1,9 @@
-/* $OpenBSD: match.h,v 1.7 2001/03/10 17:51:04 markus Exp $ */
+/* $OpenBSD: match.h,v 1.8 2001/06/24 05:25:10 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
- * This file contains various auxiliary functions related to multiple
- * precision integers.
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
@@ -16,24 +14,10 @@
#ifndef MATCH_H
#define MATCH_H
-/*
- * Returns true if the given string matches the pattern (which may contain ?
- * and * as wildcards), and zero if it does not match.
- */
-int match_pattern(const char *s, const char *pattern);
-
-/*
- * Tries to match the host name (which must be in all lowercase) against the
- * comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation). Returns -1 if negation matches, 1 if there is
- * a positive match, 0 if there is no match at all.
- */
-int match_hostname(const char *host, const char *pattern, u_int len);
-
-/*
- * Returns first item from client-list that is also supported by server-list,
- * caller must xfree() returned string.
- */
+int match_pattern(const char *s, const char *pattern);
+int match_hostname(const char *host, const char *pattern, u_int len);
+int match_host_and_ip(const char *host, const char *ip, const char *p);
+int match_user(const char *u, const char *h, const char *i, const char *p);
char *match_list(const char *client, const char *server, u_int *next);
#endif
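Review bot: match.h now declares `match_user`, but no definition of it appears in this diff's match.c hunk, so unless it already exists elsewhere in match.c the prototype is dangling. The new prototypes also reduce the parameters to single letters (`u`, `h`, `i`, `p`) and drop the comments that documented match_hostname's -1/0/1 return values and its all-lowercase host requirement; either keep those comments at the definitions in match.c or restore descriptive names in the header, e.g. `int match_host_and_ip(const char *host, const char *ipaddr, const char *patterns);` and `int match_user(const char *user, const char *host, const char *ipaddr, const char *patterns);`.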