author | Darren Tucker <dtucker@zip.com.au> | 2011-10-02 18:57:35 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2011-10-02 18:57:35 +1100 |
commit | 1338b9e067055259033a05e14db0bc2ad5536482 (patch) | |
tree | 1aa3cda3c8b3136f8aabb0e329006fc6da3f49a7 /channels.c | |
parent | b0b29cc0c5befffd9902a8e6e634c4473c8687a1 (diff) |
- dtucker@cvs.openbsd.org 2011/09/23 00:22:04
[channels.c auth-options.c servconf.c channels.h sshd.8]
Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.
Diffstat (limited to 'channels.c')
-rw-r--r-- | channels.c | 33 |
1 files changed, 29 insertions, 4 deletions
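--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.313 2011/09/10 22:26:34 markus Exp $ */
+/* $OpenBSD: channels.c,v 1.314 2011/09/23 00:22:04 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -125,6 +125,9 @@ static int num_permitted_opens = 0;
 /* Number of permitted host/port pair in the array permitted by the admin. */
 static int num_adm_permitted_opens = 0;
 
+/* special-case port number meaning allow any port */
+#define FWD_PERMIT_ANY_PORT 0
+
 /*
  * If this is true, all opens are permitted. This is the case on the server
  * on which we have to trust the client anyway, and the user could do
@@ -3135,6 +3138,28 @@ channel_print_adm_permitted_opens(void)
 	printf("\n");
 }
 
+/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
+int
+permitopen_port(const char *p)
+{
+	int port;
+
+	if (strcmp(p, "*") == 0)
+		return FWD_PERMIT_ANY_PORT;
+	if ((port = a2port(p)) > 0)
+		return port;
+	return -1;
+}
+
+static int
+port_match(u_short allowedport, u_short requestedport)
+{
+	if (allowedport == FWD_PERMIT_ANY_PORT ||
+	    allowedport == requestedport)
+		return 1;
+	return 0;
+}
+
 /* Try to start non-blocking connect to next host in cctx list */
 static int
 connect_next(struct channel_connect *cctx)
@@ -3237,7 +3262,7 @@ channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname)
 
 	for (i = 0; i < num_permitted_opens; i++) {
 		if (permitted_opens[i].host_to_connect != NULL &&
-		    permitted_opens[i].listen_port == listen_port) {
+		    port_match(permitted_opens[i].listen_port, listen_port)) {
 			return connect_to(
 			    permitted_opens[i].host_to_connect,
 			    permitted_opens[i].port_to_connect, ctype, rname);
@@ -3258,7 +3283,7 @@ channel_connect_to(const char *host, u_short port, char *ctype, char *rname)
 	if (!permit) {
 		for (i = 0; i < num_permitted_opens; i++)
 			if (permitted_opens[i].host_to_connect != NULL &&
-			    permitted_opens[i].port_to_connect == port &&
+			    port_match(permitted_opens[i].port_to_connect, port) &&
 			    strcmp(permitted_opens[i].host_to_connect, host) == 0)
 				permit = 1;
 	}
@@ -3267,7 +3292,7 @@ channel_connect_to(const char *host, u_short port, char *ctype, char *rname)
 		permit_adm = 0;
 		for (i = 0; i < num_adm_permitted_opens; i++)
 			if (permitted_adm_opens[i].host_to_connect != NULL &&
-			    permitted_adm_opens[i].port_to_connect == port &&
+			    port_match(permitted_adm_opens[i].port_to_connect, port) &&
 			    strcmp(permitted_adm_opens[i].host_to_connect, host)
 			    == 0)
 				permit_adm = 1;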
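Review bot: The comment on `permitopen_port` in the `channel_print_adm_permitted_opens` hunk says it returns the port, FWD_PERMIT_ANY_PORT or -1, but it does not state the property that matters for an allow-list parser: only the literal "*" yields FWD_PERMIT_ANY_PORT, and because of the `> 0` test any string that a2port() maps to 0 or below (including a numeric "0") comes back as -1, so the wildcard can never be produced by accident from a port string. That is the right behaviour and worth making explicit, e.g. `/* Parse a PermitOpen port: "*" -> FWD_PERMIT_ANY_PORT, 1..65535 -> port, anything else (including "0") -> -1 */`. The int result ends up in u_short fields (listen_port, port_to_connect), so the callers in servconf.c/auth-options.c are presumably responsible for rejecting -1 before the assignment; that code is outside this diff and should be checked. Note also that the same port_match() is now applied to listen_port in channel_connect_by_listen_address(), so an entry whose listen_port is 0 would match every requested listen port; that is fine only if 0 can reach that field solely via the wildcard path, which the code filling permitted_opens[] (not shown here) has to guarantee.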