- (dtucker) OpenBSD CVS Sync

   - djm@cvs.openbsd.org 2008/06/10 03:57:27
     [servconf.c match.h sshd_config.5]
     support CIDR address matching in sshd_config "Match address" blocks, with
     full support for negation and fall-back to classic wildcard matching.
     For example:
     Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
         PasswordAuthentication yes
     addrmatch.c code mostly lifted from flowd's addr.c
     feedback and ok dtucker@

6 files changed, 473 insertions, 14 deletions

diff --git a/ChangeLog b/ChangeLog
index d60967404..65f97df7f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+20080610
+ - (dtucker) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2008/06/10 03:57:27
+     [servconf.c match.h sshd_config.5]
+     support CIDR address matching in sshd_config "Match address" blocks, with
+     full support for negation and fall-back to classic wildcard matching.
+     For example:
+     Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
+         PasswordAuthentication yes
+     addrmatch.c code mostly lifted from flowd's addr.c
+     feedback and ok dtucker@
+
 20080609
  - (dtucker) OpenBSD CVS Sync
    - dtucker@cvs.openbsd.org 2008/06/08 17:04:41
@@ -4083,4 +4095,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4948 2008/06/09 13:52:22 dtucker Exp $
+$Id: ChangeLog,v 1.4949 2008/06/10 12:59:10 dtucker Exp $
diff --git a/Makefile.in b/Makefile.in
index b57b9b72d..5debe2533 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.290 2008/05/19 06:00:08 djm Exp $
+# $Id: Makefile.in,v 1.291 2008/06/10 12:59:10 dtucker Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -83,7 +83,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
         auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
         auth2-none.o auth2-passwd.o auth2-pubkey.o \
         monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
-        auth-krb5.o \
+        auth-krb5.o addrmatch.o \
         auth2-gss.o gss-serv.o gss-serv-krb5.o \
         loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
         audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o
diff --git a/addrmatch.c b/addrmatch.c
new file mode 100644
index 000000000..a0559efa0
--- /dev/null
+++ b/addrmatch.c
@@ -0,0 +1,420 @@
+/*      $OpenBSD: addrmatch.c,v 1.2 2008/06/10 05:22:45 djm Exp $ */
+
+/*
+ * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdarg.h>
+
+#include "match.h"
+#include "log.h"
+
+struct xaddr {
+        sa_family_t     af;
+        union {
+                struct in_addr          v4;
+                struct in6_addr         v6;
+                u_int8_t                addr8[16];
+                u_int32_t               addr32[4];
+        } xa;               /* 128-bit address */
+        u_int32_t       scope_id;       /* iface scope id for v6 */
+#define v4      xa.v4
+#define v6      xa.v6
+#define addr8   xa.addr8
+#define addr32  xa.addr32
+};
+
+static int
+addr_unicast_masklen(int af)
+{
+        switch (af) {
+        case AF_INET:
+                return 32;
+        case AF_INET6:
+                return 128;
+        default:
+                return -1;
+        }
+}
+
+static inline int
+masklen_valid(int af, u_int masklen)
+{
+        switch (af) {
+        case AF_INET:
+                return masklen <= 32 ? 0 : -1;
+        case AF_INET6:
+                return masklen <= 128 ? 0 : -1;
+        default:
+                return -1;
+        }
+}
+
+/*
+ * Convert struct sockaddr to struct xaddr
+ * Returns 0 on success, -1 on failure.
+ */
+static int
+addr_sa_to_xaddr(struct sockaddr *sa, socklen_t slen, struct xaddr *xa)
+{
+        struct sockaddr_in *in4 = (struct sockaddr_in *)sa;
+        struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)sa;
+
+        memset(xa, '\0', sizeof(*xa));
+
+        switch (sa->sa_family) {
+        case AF_INET:
+                if (slen < sizeof(*in4))
+                        return -1;
+                xa->af = AF_INET;
+                memcpy(&xa->v4, &in4->sin_addr, sizeof(xa->v4));
+                break;
+        case AF_INET6:
+                if (slen < sizeof(*in6))
+                        return -1;
+                xa->af = AF_INET6;
+                memcpy(&xa->v6, &in6->sin6_addr, sizeof(xa->v6));
+                xa->scope_id = in6->sin6_scope_id;
+                break;
+        default:
+                return -1;
+        }
+
+        return 0;
+}
+
+/*
+ * Calculate a netmask of length 'l' for address family 'af' and
+ * store it in 'n'.
+ * Returns 0 on success, -1 on failure.
+ */
+static int
+addr_netmask(int af, u_int l, struct xaddr *n)
+{
+        int i;
+
+        if (masklen_valid(af, l) != 0 || n == NULL)
+                return -1;
+
+        memset(n, '\0', sizeof(*n));
+        switch (af) {
+        case AF_INET:
+                n->af = AF_INET;
+                n->v4.s_addr = htonl((0xffffffff << (32 - l)) & 0xffffffff);
+                return 0;
+        case AF_INET6:
+                n->af = AF_INET6;
+                for (i = 0; i < 4 && l >= 32; i++, l -= 32)
+                        n->addr32[i] = 0xffffffffU;
+                if (i < 4 && l != 0)
+                        n->addr32[i] = htonl((0xffffffff << (32 - l)) &
+                            0xffffffff);
+                return 0;
+        default:
+                return -1;
+        }
+}
+
+/*
+ * Perform logical AND of addresses 'a' and 'b', storing result in 'dst'.
+ * Returns 0 on success, -1 on failure.
+ */
+static int
+addr_and(struct xaddr *dst, const struct xaddr *a, const struct xaddr *b)
+{
+        int i;
+
+        if (dst == NULL || a == NULL || b == NULL || a->af != b->af)
+                return -1;
+
+        memcpy(dst, a, sizeof(*dst));
+        switch (a->af) {
+        case AF_INET:
+                dst->v4.s_addr &= b->v4.s_addr;
+                return 0;
+        case AF_INET6:
+                dst->scope_id = a->scope_id;
+                for (i = 0; i < 4; i++)
+                        dst->addr32[i] &= b->addr32[i];
+                return 0;
+        default:
+                return -1;
+        }
+}
+
+/*
+ * Compare addresses 'a' and 'b'
+ * Return 0 if addresses are identical, -1 if (a < b) or 1 if (a > b)
+ */
+static int
+addr_cmp(const struct xaddr *a, const struct xaddr *b)
+{
+        int i;
+
+        if (a->af != b->af)
+                return a->af == AF_INET6 ? 1 : -1;
+
+        switch (a->af) {
+        case AF_INET:
+                if (a->v4.s_addr == b->v4.s_addr)
+                        return 0;
+                return ntohl(a->v4.s_addr) > ntohl(b->v4.s_addr) ? 1 : -1;
+        case AF_INET6:
+                for (i = 0; i < 16; i++)
+                        if (a->addr8[i] - b->addr8[i] != 0)
+                                return a->addr8[i] > b->addr8[i] ? 1 : -1;
+                if (a->scope_id == b->scope_id)
+                        return 0;
+                return a->scope_id > b->scope_id ? 1 : -1;
+        default:
+                return -1;
+        }
+}
+
+/*
+ * Parse string address 'p' into 'n'
+ * Returns 0 on success, -1 on failure.
+ */
+static int
+addr_pton(const char *p, struct xaddr *n)
+{
+        struct addrinfo hints, *ai;
+
+        memset(&hints, '\0', sizeof(hints));
+        hints.ai_flags = AI_NUMERICHOST;
+
+        if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0)
+                return -1;
+
+        if (ai == NULL || ai->ai_addr == NULL)
+                return -1;
+
+        if (n != NULL &&
+            addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen, n) == -1) {
+                freeaddrinfo(ai);
+                return -1;
+        }
+
+        freeaddrinfo(ai);
+        return 0;
+}
+
+/*
+ * Perform bitwise negation of address
+ * Returns 0 on success, -1 on failure.
+ */
+static int
+addr_invert(struct xaddr *n)
+{
+        int i;
+
+        if (n == NULL)
+                return (-1);
+
+        switch (n->af) {
+        case AF_INET:
+                n->v4.s_addr = ~n->v4.s_addr;
+                return (0);
+        case AF_INET6:
+                for (i = 0; i < 4; i++)
+                        n->addr32[i] = ~n->addr32[i];
+                return (0);
+        default:
+                return (-1);
+        }
+}
+
+/*
+ * Calculate a netmask of length 'l' for address family 'af' and
+ * store it in 'n'.
+ * Returns 0 on success, -1 on failure.
+ */
+static int
+addr_hostmask(int af, u_int l, struct xaddr *n)
+{
+        if (addr_netmask(af, l, n) == -1 || addr_invert(n) == -1)
+                return (-1);
+        return (0);
+}
+
+/*
+ * Test whether address 'a' is all zeros (i.e. 0.0.0.0 or ::)
+ * Returns 0 on if address is all-zeros, -1 if not all zeros or on failure.
+ */
+static int
+addr_is_all0s(const struct xaddr *a)
+{
+        int i;
+
+        switch (a->af) {
+        case AF_INET:
+                return (a->v4.s_addr == 0 ? 0 : -1);
+        case AF_INET6:;
+                for (i = 0; i < 4; i++)
+                        if (a->addr32[i] != 0)
+                                return (-1);
+                return (0);
+        default:
+                return (-1);
+        }
+}
+
+/*
+ * Test whether host portion of address 'a', as determined by 'masklen'
+ * is all zeros.
+ * Returns 0 on if host portion of address is all-zeros,
+ * -1 if not all zeros or on failure.
+ */
+static int
+addr_host_is_all0s(const struct xaddr *a, u_int masklen)
+{
+        struct xaddr tmp_addr, tmp_mask, tmp_result;
+
+        memcpy(&tmp_addr, a, sizeof(tmp_addr));
+        if (addr_hostmask(a->af, masklen, &tmp_mask) == -1)
+                return (-1);
+        if (addr_and(&tmp_result, &tmp_addr, &tmp_mask) == -1)
+                return (-1);
+        return (addr_is_all0s(&tmp_result));
+}
+
+/*
+ * Parse a CIDR address (x.x.x.x/y or xxxx:yyyy::/z).
+ * Return -1 on parse error, -2 on inconsistency or 0 on success.
+ */
+static int
+addr_pton_cidr(const char *p, struct xaddr *n, u_int *l)
+{
+        struct xaddr tmp;
+        long unsigned int masklen = 999;
+        char addrbuf[64], *mp, *cp;
+
+        /* Don't modify argument */
+        if (p == NULL || strlcpy(addrbuf, p, sizeof(addrbuf)) > sizeof(addrbuf))
+                return -1;
+
+        if ((mp = strchr(addrbuf, '/')) != NULL) {
+                *mp = '\0';
+                mp++;
+                masklen = strtoul(mp, &cp, 10);
+                if (*mp == '\0' || *cp != '\0' || masklen > 128)
+                        return -1;
+        }
+
+        if (addr_pton(addrbuf, &tmp) == -1)
+                return -1;
+
+        if (mp == NULL)
+                masklen = addr_unicast_masklen(tmp.af);
+        if (masklen_valid(tmp.af, masklen) == -1)
+                return -2;
+        if (addr_host_is_all0s(&tmp, masklen) != 0)
+                return -2;
+
+        if (n != NULL)
+                memcpy(n, &tmp, sizeof(*n));
+        if (l != NULL)
+                *l = masklen;
+
+        return 0;
+}
+
+static int
+addr_netmatch(const struct xaddr *host, const struct xaddr *net, u_int masklen)
+{
+        struct xaddr tmp_mask, tmp_result;
+
+        if (host->af != net->af)
+                return -1;
+
+        if (addr_netmask(host->af, masklen, &tmp_mask) == -1)
+                return -1;
+        if (addr_and(&tmp_result, host, &tmp_mask) == -1)
+                return -1;
+        return addr_cmp(&tmp_result, net);
+}
+
+/*
+ * Match "addr" against list pattern list "_list", which may contain a
+ * mix of CIDR addresses and old-school wildcards.
+ *
+ * If addr is NULL, then no matching is performed, but _list is parsed
+ * and checked for well-formedness.
+ *
+ * Returns 1 on match found (never returned when addr == NULL).
+ * Returns 0 on if no match found, or no errors found when addr == NULL.
+ * Returns -1 on invalid list entry.
+ */
+int
+addr_match_list(const char *addr, const char *_list)
+{
+        char *list, *cp, *o;
+        struct xaddr try_addr, match_addr;
+        u_int masklen, neg;
+        int ret = 0, r;
+
+        if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
+                debug2("%s: couldn't parse address %.100s", __func__, addr);
+                return 0;
+        }
+        if ((o = list = strdup(_list)) == NULL)
+                return -1;
+        while ((cp = strsep(&list, ",")) != NULL) {
+                neg = *cp == '!';
+                if (neg)
+                        cp++;
+                if (*cp == '\0') {
+                        ret = -1;
+                        break;
+                }
+                /* Prefer CIDR address matching */
+                r = addr_pton_cidr(cp, &match_addr, &masklen);
+                if (r == -2) {
+                        error("Inconsistent mask length for "
+                            "network \"%.100s\"", cp);
+                        ret = -1;
+                        break;
+                } else if (r == 0) {
+                        if (addr != NULL && addr_netmatch(&try_addr,
+                           &match_addr, masklen) == 0) {
+ foundit:
+                                if (neg) {
+                                        ret = 0;
+                                        break;
+                                }
+                                ret = 1;
+                        }
+                        continue;
+                } else {
+                        /* If CIDR parse failed, try wildcard string match */
+                        if (addr != NULL && match_pattern(addr, cp) == 1)
+                                goto foundit;
+                }
+        }
+        free(o);
+
+        return ret;
+}
diff --git a/match.h b/match.h
index d1d538654..18f683070 100644
--- a/match.h
+++ b/match.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.h,v 1.13 2006/03/25 22:22:43 djm Exp $ */
+/* $OpenBSD: match.h,v 1.14 2008/06/10 03:57:27 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -21,4 +21,7 @@ int	 match_host_and_ip(const char *, const char *, const char *);
 int      match_user(const char *, const char *, const char *, const char *);
 char    *match_list(const char *, const char *, u_int *);
 
+/* addrmatch.c */
+int      addr_match_list(const char *, const char *);
+
 #endif
diff --git a/servconf.c b/servconf.c
index 94dff1fd6..07a201034 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.180 2008/05/08 12:21:16 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.181 2008/06/10 03:57:27 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -603,15 +603,17 @@ match_cfg_line(char **condition, int line, const char *user, const char *host,
                                 debug("connection from %.100s matched 'Host "
                                     "%.100s' at line %d", host, arg, line);
                 } else if (strcasecmp(attrib, "address") == 0) {
-                        if (!address) {
-                                result = 0;
-                                continue;
-                        }
-                        if (match_hostname(address, arg, len) != 1)
-                                result = 0;
-                        else
+                        switch (addr_match_list(address, arg)) {
+                        case 1:
                                 debug("connection from %.100s matched 'Address "
                                     "%.100s' at line %d", address, arg, line);
+                                break;
+                        case 0:
+                                result = 0;
+                                break;
+                        case -1:
+                                return -1;
+                        }
                 } else {
                         error("Unsupported Match attribute %s", attrib);
                         return -1;
diff --git a/sshd_config.5 b/sshd_config.5
index 0d8c140bf..dc42959e2 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.90 2008/05/08 12:21:16 djm Exp $
-.Dd $Mdocdate: May 8 2008 $
+.\" $OpenBSD: sshd_config.5,v 1.91 2008/06/10 03:57:27 djm Exp $
+.Dd $Mdocdate: June 10 2008 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -557,6 +557,7 @@ line are satisfied, the keywords on the following lines override those
 set in the global section of the config file, until either another
 .Cm Match
 line or the end of the file.
+.Pp
 The arguments to
 .Cm Match
 are one or more criteria-pattern pairs.
@@ -566,6 +567,27 @@ The available criteria are
 .Cm Host ,
 and
 .Cm Address .
+The match patterns may consist of single entries or comma-separated
+lists and may use the wildcard and negation operators described in the
+.Sx SSH_KNOWN_HOSTS FILE FORMAT
+section of
+.Xr sshd 8 .
+.Pp
+The patterns in an
+.Cm Address
+criteria may additionally contain addresses to match in CIDR
+address/masklen format, e.g.
+.Dq 192.0.2.0/24
+or
+.Dq 3ffe:ffff::/32 .
+Note that the mask length provided must be consistent with the address -
+it is an error to specify a mask length that is too long for the address
+or one with bits set in this host portion of the address. For example,
+.Dq 192.0.2.0/33
+and
+.Dq 192.0.2.0/8 
+respectively.
+.Pp
 Only a subset of keywords may be used on the lines following a
 .Cm Match
 keyword.