From 7a3935de2facb227ea1fc2ce2de046b569a2ebc7 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 Jun 2008 22:59:10 +1000 Subject: - (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2008/06/10 03:57:27 [servconf.c match.h sshd_config.5] support CIDR address matching in sshd_config "Match address" blocks, with full support for negation and fall-back to classic wildcard matching. For example: Match address 192.0.2.0/24,3ffe:ffff::/32,!10.* PasswordAuthentication yes addrmatch.c code mostly lifted from flowd's addr.c feedback and ok dtucker@ --- addrmatch.c | 420 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 420 insertions(+) create mode 100644 addrmatch.c (limited to 'addrmatch.c') diff --git a/addrmatch.c b/addrmatch.c new file mode 100644 index 000000000..a0559efa0 --- /dev/null +++ b/addrmatch.c @@ -0,0 +1,420 @@ +/* $OpenBSD: addrmatch.c,v 1.2 2008/06/10 05:22:45 djm Exp $ */ + +/* + * Copyright (c) 2004-2008 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include "match.h" +#include "log.h" + +struct xaddr { + sa_family_t af; + union { + struct in_addr v4; + struct in6_addr v6; + u_int8_t addr8[16]; + u_int32_t addr32[4]; + } xa; /* 128-bit address */ + u_int32_t scope_id; /* iface scope id for v6 */ +#define v4 xa.v4 +#define v6 xa.v6 +#define addr8 xa.addr8 +#define addr32 xa.addr32 +}; + +static int +addr_unicast_masklen(int af) +{ + switch (af) { + case AF_INET: + return 32; + case AF_INET6: + return 128; + default: + return -1; + } +} + +static inline int +masklen_valid(int af, u_int masklen) +{ + switch (af) { + case AF_INET: + return masklen <= 32 ? 0 : -1; + case AF_INET6: + return masklen <= 128 ? 0 : -1; + default: + return -1; + } +} + +/* + * Convert struct sockaddr to struct xaddr + * Returns 0 on success, -1 on failure. + */ +static int +addr_sa_to_xaddr(struct sockaddr *sa, socklen_t slen, struct xaddr *xa) +{ + struct sockaddr_in *in4 = (struct sockaddr_in *)sa; + struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)sa; + + memset(xa, '\0', sizeof(*xa)); + + switch (sa->sa_family) { + case AF_INET: + if (slen < sizeof(*in4)) + return -1; + xa->af = AF_INET; + memcpy(&xa->v4, &in4->sin_addr, sizeof(xa->v4)); + break; + case AF_INET6: + if (slen < sizeof(*in6)) + return -1; + xa->af = AF_INET6; + memcpy(&xa->v6, &in6->sin6_addr, sizeof(xa->v6)); + xa->scope_id = in6->sin6_scope_id; + break; + default: + return -1; + } + + return 0; +} + +/* + * Calculate a netmask of length 'l' for address family 'af' and + * store it in 'n'. + * Returns 0 on success, -1 on failure. + */ +static int +addr_netmask(int af, u_int l, struct xaddr *n) +{ + int i; + + if (masklen_valid(af, l) != 0 || n == NULL) + return -1; + + memset(n, '\0', sizeof(*n)); + switch (af) { + case AF_INET: + n->af = AF_INET; + n->v4.s_addr = htonl((0xffffffff << (32 - l)) & 0xffffffff); + return 0; + case AF_INET6: + n->af = AF_INET6; + for (i = 0; i < 4 && l >= 32; i++, l -= 32) + n->addr32[i] = 0xffffffffU; + if (i < 4 && l != 0) + n->addr32[i] = htonl((0xffffffff << (32 - l)) & + 0xffffffff); + return 0; + default: + return -1; + } +} + +/* + * Perform logical AND of addresses 'a' and 'b', storing result in 'dst'. + * Returns 0 on success, -1 on failure. + */ +static int +addr_and(struct xaddr *dst, const struct xaddr *a, const struct xaddr *b) +{ + int i; + + if (dst == NULL || a == NULL || b == NULL || a->af != b->af) + return -1; + + memcpy(dst, a, sizeof(*dst)); + switch (a->af) { + case AF_INET: + dst->v4.s_addr &= b->v4.s_addr; + return 0; + case AF_INET6: + dst->scope_id = a->scope_id; + for (i = 0; i < 4; i++) + dst->addr32[i] &= b->addr32[i]; + return 0; + default: + return -1; + } +} + +/* + * Compare addresses 'a' and 'b' + * Return 0 if addresses are identical, -1 if (a < b) or 1 if (a > b) + */ +static int +addr_cmp(const struct xaddr *a, const struct xaddr *b) +{ + int i; + + if (a->af != b->af) + return a->af == AF_INET6 ? 1 : -1; + + switch (a->af) { + case AF_INET: + if (a->v4.s_addr == b->v4.s_addr) + return 0; + return ntohl(a->v4.s_addr) > ntohl(b->v4.s_addr) ? 1 : -1; + case AF_INET6: + for (i = 0; i < 16; i++) + if (a->addr8[i] - b->addr8[i] != 0) + return a->addr8[i] > b->addr8[i] ? 1 : -1; + if (a->scope_id == b->scope_id) + return 0; + return a->scope_id > b->scope_id ? 1 : -1; + default: + return -1; + } +} + +/* + * Parse string address 'p' into 'n' + * Returns 0 on success, -1 on failure. + */ +static int +addr_pton(const char *p, struct xaddr *n) +{ + struct addrinfo hints, *ai; + + memset(&hints, '\0', sizeof(hints)); + hints.ai_flags = AI_NUMERICHOST; + + if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0) + return -1; + + if (ai == NULL || ai->ai_addr == NULL) + return -1; + + if (n != NULL && + addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen, n) == -1) { + freeaddrinfo(ai); + return -1; + } + + freeaddrinfo(ai); + return 0; +} + +/* + * Perform bitwise negation of address + * Returns 0 on success, -1 on failure. + */ +static int +addr_invert(struct xaddr *n) +{ + int i; + + if (n == NULL) + return (-1); + + switch (n->af) { + case AF_INET: + n->v4.s_addr = ~n->v4.s_addr; + return (0); + case AF_INET6: + for (i = 0; i < 4; i++) + n->addr32[i] = ~n->addr32[i]; + return (0); + default: + return (-1); + } +} + +/* + * Calculate a netmask of length 'l' for address family 'af' and + * store it in 'n'. + * Returns 0 on success, -1 on failure. + */ +static int +addr_hostmask(int af, u_int l, struct xaddr *n) +{ + if (addr_netmask(af, l, n) == -1 || addr_invert(n) == -1) + return (-1); + return (0); +} + +/* + * Test whether address 'a' is all zeros (i.e. 0.0.0.0 or ::) + * Returns 0 on if address is all-zeros, -1 if not all zeros or on failure. + */ +static int +addr_is_all0s(const struct xaddr *a) +{ + int i; + + switch (a->af) { + case AF_INET: + return (a->v4.s_addr == 0 ? 0 : -1); + case AF_INET6:; + for (i = 0; i < 4; i++) + if (a->addr32[i] != 0) + return (-1); + return (0); + default: + return (-1); + } +} + +/* + * Test whether host portion of address 'a', as determined by 'masklen' + * is all zeros. + * Returns 0 on if host portion of address is all-zeros, + * -1 if not all zeros or on failure. + */ +static int +addr_host_is_all0s(const struct xaddr *a, u_int masklen) +{ + struct xaddr tmp_addr, tmp_mask, tmp_result; + + memcpy(&tmp_addr, a, sizeof(tmp_addr)); + if (addr_hostmask(a->af, masklen, &tmp_mask) == -1) + return (-1); + if (addr_and(&tmp_result, &tmp_addr, &tmp_mask) == -1) + return (-1); + return (addr_is_all0s(&tmp_result)); +} + +/* + * Parse a CIDR address (x.x.x.x/y or xxxx:yyyy::/z). + * Return -1 on parse error, -2 on inconsistency or 0 on success. + */ +static int +addr_pton_cidr(const char *p, struct xaddr *n, u_int *l) +{ + struct xaddr tmp; + long unsigned int masklen = 999; + char addrbuf[64], *mp, *cp; + + /* Don't modify argument */ + if (p == NULL || strlcpy(addrbuf, p, sizeof(addrbuf)) > sizeof(addrbuf)) + return -1; + + if ((mp = strchr(addrbuf, '/')) != NULL) { + *mp = '\0'; + mp++; + masklen = strtoul(mp, &cp, 10); + if (*mp == '\0' || *cp != '\0' || masklen > 128) + return -1; + } + + if (addr_pton(addrbuf, &tmp) == -1) + return -1; + + if (mp == NULL) + masklen = addr_unicast_masklen(tmp.af); + if (masklen_valid(tmp.af, masklen) == -1) + return -2; + if (addr_host_is_all0s(&tmp, masklen) != 0) + return -2; + + if (n != NULL) + memcpy(n, &tmp, sizeof(*n)); + if (l != NULL) + *l = masklen; + + return 0; +} + +static int +addr_netmatch(const struct xaddr *host, const struct xaddr *net, u_int masklen) +{ + struct xaddr tmp_mask, tmp_result; + + if (host->af != net->af) + return -1; + + if (addr_netmask(host->af, masklen, &tmp_mask) == -1) + return -1; + if (addr_and(&tmp_result, host, &tmp_mask) == -1) + return -1; + return addr_cmp(&tmp_result, net); +} + +/* + * Match "addr" against list pattern list "_list", which may contain a + * mix of CIDR addresses and old-school wildcards. + * + * If addr is NULL, then no matching is performed, but _list is parsed + * and checked for well-formedness. + * + * Returns 1 on match found (never returned when addr == NULL). + * Returns 0 on if no match found, or no errors found when addr == NULL. + * Returns -1 on invalid list entry. + */ +int +addr_match_list(const char *addr, const char *_list) +{ + char *list, *cp, *o; + struct xaddr try_addr, match_addr; + u_int masklen, neg; + int ret = 0, r; + + if (addr != NULL && addr_pton(addr, &try_addr) != 0) { + debug2("%s: couldn't parse address %.100s", __func__, addr); + return 0; + } + if ((o = list = strdup(_list)) == NULL) + return -1; + while ((cp = strsep(&list, ",")) != NULL) { + neg = *cp == '!'; + if (neg) + cp++; + if (*cp == '\0') { + ret = -1; + break; + } + /* Prefer CIDR address matching */ + r = addr_pton_cidr(cp, &match_addr, &masklen); + if (r == -2) { + error("Inconsistent mask length for " + "network \"%.100s\"", cp); + ret = -1; + break; + } else if (r == 0) { + if (addr != NULL && addr_netmatch(&try_addr, + &match_addr, masklen) == 0) { + foundit: + if (neg) { + ret = 0; + break; + } + ret = 1; + } + continue; + } else { + /* If CIDR parse failed, try wildcard string match */ + if (addr != NULL && match_pattern(addr, cp) == 1) + goto foundit; + } + } + free(o); + + return ret; +} -- cgit v1.2.3 From 896ad5a4e40c48fa9bea71624830cc9cc3ce4fe0 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 11 Jun 2008 09:34:46 +1000 Subject: - djm@cvs.openbsd.org 2008/06/10 23:06:19 [auth-options.c match.c servconf.c addrmatch.c sshd.8] support CIDR address matching in .ssh/authorized_keys from="..." stanzas ok and extensive testing dtucker@ --- ChangeLog | 6 +++++- addrmatch.c | 11 ++++++----- auth-options.c | 25 +++++++++++++++++-------- match.c | 12 ++++++++---- servconf.c | 5 +++-- sshd.8 | 30 +++++++++++++++++------------- 6 files changed, 56 insertions(+), 33 deletions(-) (limited to 'addrmatch.c') diff --git a/ChangeLog b/ChangeLog index 9701f255a..48b51a4eb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -51,6 +51,10 @@ requests? It could have been attacked with something like SSH'jack: http://www.storm.net.nz/projects/7 feedback & ok markus + - djm@cvs.openbsd.org 2008/06/10 23:06:19 + [auth-options.c match.c servconf.c addrmatch.c sshd.8] + support CIDR address matching in .ssh/authorized_keys from="..." stanzas + ok and extensive testing dtucker@ - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6 since the new CIDR code in addmatch.c references it. - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6 @@ -4143,4 +4147,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4962 2008/06/10 23:34:01 dtucker Exp $ +$Id: ChangeLog,v 1.4963 2008/06/10 23:34:46 dtucker Exp $ diff --git a/addrmatch.c b/addrmatch.c index a0559efa0..2086afe84 100644 --- a/addrmatch.c +++ b/addrmatch.c @@ -1,4 +1,4 @@ -/* $OpenBSD: addrmatch.c,v 1.2 2008/06/10 05:22:45 djm Exp $ */ +/* $OpenBSD: addrmatch.c,v 1.3 2008/06/10 23:06:19 djm Exp $ */ /* * Copyright (c) 2004-2008 Damien Miller @@ -366,7 +366,8 @@ addr_netmatch(const struct xaddr *host, const struct xaddr *net, u_int masklen) * * Returns 1 on match found (never returned when addr == NULL). * Returns 0 on if no match found, or no errors found when addr == NULL. - * Returns -1 on invalid list entry. + * Returns -1 on negated match found (never returned when addr == NULL). + * Returns -2 on invalid list entry. */ int addr_match_list(const char *addr, const char *_list) @@ -387,7 +388,7 @@ addr_match_list(const char *addr, const char *_list) if (neg) cp++; if (*cp == '\0') { - ret = -1; + ret = -2; break; } /* Prefer CIDR address matching */ @@ -395,14 +396,14 @@ addr_match_list(const char *addr, const char *_list) if (r == -2) { error("Inconsistent mask length for " "network \"%.100s\"", cp); - ret = -1; + ret = -2; break; } else if (r == 0) { if (addr != NULL && addr_netmatch(&try_addr, &match_addr, masklen) == 0) { foundit: if (neg) { - ret = 0; + ret = -1; break; } ret = 1; diff --git a/auth-options.c b/auth-options.c index 3a6c3c0f3..25361455e 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.42 2008/05/08 12:02:23 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.43 2008/06/10 23:06:19 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -226,8 +226,19 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) } patterns[i] = '\0'; opts++; - if (match_host_and_ip(remote_host, remote_ip, - patterns) != 1) { + switch (match_host_and_ip(remote_host, remote_ip, + patterns)) { + case 1: + xfree(patterns); + /* Host name matches. */ + goto next_option; + case -1: + debug("%.100s, line %lu: invalid criteria", + file, linenum); + auth_debug_add("%.100s, line %lu: " + "invalid criteria", file, linenum); + /* FALLTHROUGH */ + case 0: xfree(patterns); logit("Authentication tried for %.100s with " "correct key but not from a permitted " @@ -236,12 +247,10 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) auth_debug_add("Your host '%.200s' is not " "permitted to use this key for login.", remote_host); - /* deny access */ - return 0; + break; } - xfree(patterns); - /* Host name matches. */ - goto next_option; + /* deny access */ + return 0; } cp = "permitopen=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { diff --git a/match.c b/match.c index e3c993073..238947778 100644 --- a/match.c +++ b/match.c @@ -1,4 +1,4 @@ -/* $OpenBSD: match.c,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: match.c,v 1.27 2008/06/10 23:06:19 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -183,7 +183,8 @@ match_hostname(const char *host, const char *pattern, u_int len) /* * returns 0 if we get a negative match for the hostname or the ip - * or if we get no match at all. returns 1 otherwise. + * or if we get no match at all. returns -1 on error, or 1 on + * successful match. */ int match_host_and_ip(const char *host, const char *ipaddr, @@ -191,9 +192,12 @@ match_host_and_ip(const char *host, const char *ipaddr, { int mhost, mip; - /* negative ipaddr match */ - if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1) + /* error in ipaddr match */ + if ((mip = addr_match_list(ipaddr, patterns)) == -2) + return -1; + else if (mip == -1) /* negative ip address match */ return 0; + /* negative hostname match */ if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1) return 0; diff --git a/servconf.c b/servconf.c index 63704fb33..8f5ddbd33 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.182 2008/06/10 04:50:25 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.183 2008/06/10 23:06:19 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -621,9 +621,10 @@ match_cfg_line(char **condition, int line, const char *user, const char *host, "%.100s' at line %d", address, arg, line); break; case 0: + case -1: result = 0; break; - case -1: + case -2: return -1; } } else { diff --git a/sshd.8 b/sshd.8 index 1ec135ca9..0ae02ea3e 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.243 2008/06/10 08:17:40 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.244 2008/06/10 23:06:19 djm Exp $ .Dd $Mdocdate: June 10 2008 $ .Dt SSHD 8 .Os @@ -531,23 +531,27 @@ This option is automatically disabled if .Cm UseLogin is enabled. .It Cm from="pattern-list" -Specifies that in addition to public key authentication, the canonical name -of the remote host must be present in the comma-separated list of -patterns. -The purpose -of this option is to optionally increase security: public key authentication -by itself does not trust the network or name servers or anything (but -the key); however, if somebody somehow steals the key, the key -permits an intruder to log in from anywhere in the world. -This additional option makes using a stolen key more difficult (name -servers and/or routers would have to be compromised in addition to -just the key). -.Pp +Specifies that in addition to public key authentication, either the canonical +name of the remote host or its IP address must be present in the +comma-separated list of patterns. See .Sx PATTERNS in .Xr ssh_config 5 for more information on patterns. +.Pp +In addition to the wildcard matching that may be applied to hostnames or +addresses, a +.Cm from +stanza may match IP addressess using CIDR address/masklen notation. +.Pp +The purpose of this option is to optionally increase security: public key +authentication by itself does not trust the network or name servers or +anything (but the key); however, if somebody somehow steals the key, the key +permits an intruder to log in from anywhere in the world. +This additional option makes using a stolen key more difficult (name +servers and/or routers would have to be compromised in addition to +just the key). .It Cm no-agent-forwarding Forbids authentication agent forwarding when this key is used for authentication. -- cgit v1.2.3