- markus@cvs.openbsd.org 2001/06/24 05:25:10

     [auth-options.c match.c match.h]
     move ip+hostname check to match.c

4 files changed, 40 insertions, 37 deletions

diff --git a/ChangeLog b/ChangeLog
index a638c64c2..590ac5873 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -92,6 +92,9 @@
      [sshconnect1.c]
      consistent with ssh2: skip key if empty passphrase is entered,
      retry num_of_passwd_prompt times if passphrase is wrong. ok fgsch@
+   - markus@cvs.openbsd.org 2001/06/24 05:25:10
+     [auth-options.c match.c match.h]
+     move ip+hostname check to match.c
 
 20010622
  - (stevesk) handle systems without pw_expire and pw_change.
@@ -5776,4 +5779,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1319 2001/06/25 05:16:02 mouring Exp $
+$Id: ChangeLog,v 1.1320 2001/06/25 05:17:53 mouring Exp $
diff --git a/auth-options.c b/auth-options.c
index 210fbe7ea..83ef02c42 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.18 2001/05/31 10:30:12 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.19 2001/06/24 05:25:09 markus Exp $");
 
 #include "packet.h"
 #include "xmalloc.h"
@@ -167,7 +167,6 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                 }
                 cp = "from=\"";
                 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-                        int mname, mip;
                         const char *remote_ip = get_remote_ipaddr();
                         const char *remote_host = get_canonical_hostname(
                             options.reverse_mapping_check);
@@ -195,18 +194,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                         }
                         patterns[i] = 0;
                         opts++;
-                        /*
-                         * Deny access if we get a negative
-                         * match for the hostname or the ip
-                         * or if we get not match at all
-                         */
-                        mname = match_hostname(remote_host, patterns,
-                            strlen(patterns));
-                        mip = match_hostname(remote_ip, patterns,
-                            strlen(patterns));
-                        xfree(patterns);
-                        if (mname == -1 || mip == -1 ||
-                            (mname != 1 && mip != 1)) {
+                        if (match_host_and_ip(remote_host, remote_ip,
+                            patterns) != 1) {
+                                xfree(patterns);
                                 log("Authentication tried for %.100s with "
                                     "correct key but not from a permitted "
                                     "host (host=%.200s, ip=%.200s).",
@@ -217,6 +207,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                 /* deny access */
                                 return 0;
                         }
+                        xfree(patterns);
                         /* Host name matches. */
                         goto next_option;
                 }
diff --git a/match.c b/match.c
index ebb562ab3..2e2d63092 100644
--- a/match.c
+++ b/match.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: match.c,v 1.12 2001/03/10 17:51:04 markus Exp $");
+RCSID("$OpenBSD: match.c,v 1.13 2001/06/24 05:25:10 markus Exp $");
 
 #include "match.h"
 #include "xmalloc.h"
@@ -162,7 +162,32 @@ match_hostname(const char *host, const char *pattern, u_int len)
         return got_positive;
 }
 
+/*
+ * returns 0 if we get a negative match for the hostname or the ip
+ * or if we get no match at all.  returns 1 otherwise.
+ */
+int
+match_host_and_ip(const char *host, const char *ipaddr,
+    const char *patterns)
+{
+        int mhost, mip;
+
+        /* negative ipaddr match */
+        if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
+                return 0;
+        /* negative hostname match */
+        if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
+                return 0;
+        /* no match at all */
+        if (mhost == 0 && mip == 0)
+                return 0;
+        return 1;
+}
 
+/*
+ * Returns first item from client-list that is also supported by server-list,
+ * caller must xfree() returned string.
+ */
 #define MAX_PROP        20
 #define SEP     ","
 char *
diff --git a/match.h b/match.h
index 09c931168..5faf66819 100644
--- a/match.h
+++ b/match.h
@@ -1,11 +1,9 @@
-/*      $OpenBSD: match.h,v 1.7 2001/03/10 17:51:04 markus Exp $        */
+/*      $OpenBSD: match.h,v 1.8 2001/06/24 05:25:10 markus Exp $        */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
- * This file contains various auxiliary functions related to multiple
- * precision integers.
  *
  * As far as I am concerned, the code I have written for this software
  * can be used freely for any purpose.  Any derived versions of this
@@ -16,24 +14,10 @@
 #ifndef MATCH_H
 #define MATCH_H
 
-/*
- * Returns true if the given string matches the pattern (which may contain ?
- * and * as wildcards), and zero if it does not match.
- */
-int     match_pattern(const char *s, const char *pattern);
-
-/*
- * Tries to match the host name (which must be in all lowercase) against the
- * comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation).  Returns -1 if negation matches, 1 if there is
- * a positive match, 0 if there is no match at all.
- */
-int     match_hostname(const char *host, const char *pattern, u_int len);
-
-/*
- * Returns first item from client-list that is also supported by server-list,
- * caller must xfree() returned string.
- */
+int      match_pattern(const char *s, const char *pattern);
+int      match_hostname(const char *host, const char *pattern, u_int len);
+int      match_host_and_ip(const char *host, const char *ip, const char *p);
+int      match_user(const char *u, const char *h, const char *i, const char *p);
 char    *match_list(const char *client, const char *server, u_int *next);
 
 #endif