From 2a35862e664afde774d4a72497d394fe7306ccb5 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 16 Nov 2018 03:26:01 +0000 Subject: upstream: use path_absolute() for pathname checks; from Manoj Ampalam OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925 --- servconf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'servconf.c') diff --git a/servconf.c b/servconf.c index 932d363bb..a8727c0fa 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.342 2018/09/20 23:40:16 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.343 2018/11/16 03:26:01 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -702,7 +702,7 @@ derelativise_path(const char *path) if (strcasecmp(path, "none") == 0) return xstrdup("none"); expanded = tilde_expand_filename(path, getuid()); - if (*expanded == '/') + if (path_absolute(expanded)) return expanded; if (getcwd(cwd, sizeof(cwd)) == NULL) fatal("%s: getcwd: %s", __func__, strerror(errno)); -- cgit v1.2.3 From 928f1231f65f88cd4c73e6e0edd63d2cf6295d77 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 19 Nov 2018 04:12:32 +0000 Subject: upstream: silence (to log level debug2) failure messages when MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit loading the default hostkeys. Hostkeys explicitly specified in the configuration or on the command-line are still reported as errors, and failure to load at least one host key remains a fatal error. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on patch from Dag-Erling Smørgrav via https://github.com/openssh/openssh-portable/pull/103 ok markus@ OpenBSD-Commit-ID: ffc2e35a75d1008effaf05a5e27425041c27b684 --- servconf.c | 40 ++++++++++++++++++++++++++++------------ servconf.h | 5 +++-- sshd.c | 13 ++++++++----- 3 files changed, 39 insertions(+), 19 deletions(-) (limited to 'servconf.c') diff --git a/servconf.c b/servconf.c index a8727c0fa..52d9be429 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.343 2018/11/16 03:26:01 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.344 2018/11/19 04:12:32 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -221,26 +221,40 @@ assemble_algorithms(ServerOptions *o) } static void -array_append(const char *file, const int line, const char *directive, - char ***array, u_int *lp, const char *s) +array_append2(const char *file, const int line, const char *directive, + char ***array, int **iarray, u_int *lp, const char *s, int i) { if (*lp >= INT_MAX) fatal("%s line %d: Too many %s entries", file, line, directive); + if (iarray != NULL) { + *iarray = xrecallocarray(*iarray, *lp, *lp + 1, + sizeof(**iarray)); + (*iarray)[*lp] = i; + } + *array = xrecallocarray(*array, *lp, *lp + 1, sizeof(**array)); (*array)[*lp] = xstrdup(s); (*lp)++; } +static void +array_append(const char *file, const int line, const char *directive, + char ***array, u_int *lp, const char *s) +{ + array_append2(file, line, directive, array, NULL, lp, s, 0); +} + void servconf_add_hostkey(const char *file, const int line, - ServerOptions *options, const char *path) + ServerOptions *options, const char *path, int userprovided) { char *apath = derelativise_path(path); - array_append(file, line, "HostKey", - &options->host_key_files, &options->num_host_key_files, apath); + array_append2(file, line, "HostKey", + &options->host_key_files, &options->host_key_file_userprovided, + &options->num_host_key_files, apath, userprovided); free(apath); } @@ -268,16 +282,16 @@ fill_default_server_options(ServerOptions *options) if (options->num_host_key_files == 0) { /* fill default hostkeys for protocols */ servconf_add_hostkey("[default]", 0, options, - _PATH_HOST_RSA_KEY_FILE); + _PATH_HOST_RSA_KEY_FILE, 0); #ifdef OPENSSL_HAS_ECC servconf_add_hostkey("[default]", 0, options, - _PATH_HOST_ECDSA_KEY_FILE); + _PATH_HOST_ECDSA_KEY_FILE, 0); #endif servconf_add_hostkey("[default]", 0, options, - _PATH_HOST_ED25519_KEY_FILE); + _PATH_HOST_ED25519_KEY_FILE, 0); #ifdef WITH_XMSS servconf_add_hostkey("[default]", 0, options, - _PATH_HOST_XMSS_KEY_FILE); + _PATH_HOST_XMSS_KEY_FILE, 0); #endif /* WITH_XMSS */ } /* No certificates by default */ @@ -1355,8 +1369,10 @@ process_server_config_line(ServerOptions *options, char *line, if (!arg || *arg == '\0') fatal("%s line %d: missing file name.", filename, linenum); - if (*activep) - servconf_add_hostkey(filename, linenum, options, arg); + if (*activep) { + servconf_add_hostkey(filename, linenum, + options, arg, 1); + } break; case sHostKeyAgent: diff --git a/servconf.h b/servconf.h index 0175e00e8..548ad5a0c 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.137 2018/09/20 03:28:06 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.138 2018/11/19 04:12:32 djm Exp $ */ /* * Author: Tatu Ylonen @@ -75,6 +75,7 @@ typedef struct { char *routing_domain; /* Bind session to routing domain */ char **host_key_files; /* Files containing host keys. */ + int *host_key_file_userprovided; /* Key was specified by user. */ u_int num_host_key_files; /* Number of files for host keys. */ char **host_cert_files; /* Files containing host certs. */ u_int num_host_cert_files; /* Number of files for host certs. */ @@ -273,7 +274,7 @@ void copy_set_server_options(ServerOptions *, ServerOptions *, int); void dump_config(ServerOptions *); char *derelativise_path(const char *); void servconf_add_hostkey(const char *, const int, - ServerOptions *, const char *path); + ServerOptions *, const char *path, int); void servconf_add_hostcert(const char *, const int, ServerOptions *, const char *path); diff --git a/sshd.c b/sshd.c index 362736977..afd959329 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.518 2018/11/16 03:26:01 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.519 2018/11/19 04:12:32 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1588,7 +1588,7 @@ main(int ac, char **av) break; case 'h': servconf_add_hostkey("[command-line]", 0, - &options, optarg); + &options, optarg, 1); break; case 't': test_flag = 1; @@ -1760,15 +1760,18 @@ main(int ac, char **av) } for (i = 0; i < options.num_host_key_files; i++) { + int ll = options.host_key_file_userprovided[i] ? + SYSLOG_LEVEL_ERROR : SYSLOG_LEVEL_DEBUG1; + if (options.host_key_files[i] == NULL) continue; if ((r = sshkey_load_private(options.host_key_files[i], "", &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) - error("Error loading host key \"%s\": %s", + do_log2(ll, "Unable to load host key \"%s\": %s", options.host_key_files[i], ssh_err(r)); if ((r = sshkey_load_public(options.host_key_files[i], &pubkey, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) - error("Error loading host key \"%s\": %s", + do_log2(ll, "Unable to load host key \"%s\": %s", options.host_key_files[i], ssh_err(r)); if (pubkey == NULL && key != NULL) if ((r = sshkey_from_private(key, &pubkey)) != 0) @@ -1785,7 +1788,7 @@ main(int ac, char **av) keytype = key->type; accumulate_host_timing_secret(cfg, key); } else { - error("Could not load host key: %s", + do_log2(ll, "Unable to load host key: %s", options.host_key_files[i]); sensitive_data.host_keys[i] = NULL; sensitive_data.host_pubkeys[i] = NULL; -- cgit v1.2.3 From 0fa174ebe129f3d0aeaf4e2d1dd8de745870d0ff Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sat, 19 Jan 2019 21:31:32 +0000 Subject: upstream: begin landing remaining refactoring of packet parsing API, started almost exactly six years ago. This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps. with & ok markus@ OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4 --- auth.c | 5 ++++- auth2-hostbased.c | 4 +++- auth2.c | 5 ++++- channels.c | 5 ++++- clientloop.c | 5 ++++- monitor.c | 5 ++++- monitor_wrap.c | 5 ++++- mux.c | 5 ++++- opacket.c | 3 ++- packet.h | 6 +----- servconf.c | 5 ++++- serverloop.c | 5 ++++- session.c | 5 ++++- ssh.c | 5 ++++- sshconnect.c | 5 ++++- sshconnect2.c | 5 ++++- sshd.c | 5 ++++- 17 files changed, 62 insertions(+), 21 deletions(-) (limited to 'servconf.c') diff --git a/auth.c b/auth.c index 7d48d07a8..94f43a6c2 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.135 2019/01/17 04:20:53 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.136 2019/01/19 21:31:32 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -77,6 +77,9 @@ #include "compat.h" #include "channels.h" +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX */ + /* import */ extern ServerOptions options; extern int use_privsep; diff --git a/auth2-hostbased.c b/auth2-hostbased.c index 764ceff74..e28a48fb3 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.38 2018/09/20 03:28:06 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.39 2019/01/19 21:31:32 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -51,6 +51,8 @@ #include "ssherr.h" #include "match.h" +extern struct ssh *active_state; /* XXX */ + /* import */ extern ServerOptions options; extern u_char *session_id2; diff --git a/auth2.c b/auth2.c index 4415c11ec..3df2acf78 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.151 2019/01/17 04:20:53 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.152 2019/01/19 21:31:32 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -61,6 +61,9 @@ #include "ssherr.h" #include "digest.h" +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX */ + /* import */ extern ServerOptions options; extern u_char *session_id2; diff --git a/channels.c b/channels.c index 6d2e1c6a6..dcda44b07 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.387 2018/12/07 02:31:20 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.388 2019/01/19 21:31:32 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -84,6 +84,9 @@ #include "pathnames.h" #include "match.h" +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX */ + /* -- agent forwarding */ #define NUM_SOCKS 10 diff --git a/clientloop.c b/clientloop.c index 8d312cdaa..d29ec00bc 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.318 2018/09/21 12:46:22 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.319 2019/01/19 21:31:32 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -112,6 +112,9 @@ #include "ssherr.h" #include "hostfile.h" +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX */ + /* import options */ extern Options options; diff --git a/monitor.c b/monitor.c index 09d3a27fd..e15a5225d 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.189 2019/01/19 21:31:32 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -96,6 +96,9 @@ #include "match.h" #include "ssherr.h" +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX */ + #ifdef GSSAPI static Gssctxt *gsscontext = NULL; #endif diff --git a/monitor_wrap.c b/monitor_wrap.c index 732fb3476..6ceaa3716 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.107 2018/07/20 03:46:34 djm Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.108 2019/01/19 21:31:32 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -76,6 +76,9 @@ #include "ssherr.h" +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX */ + /* Imports */ extern struct monitor *pmonitor; extern struct sshbuf *loginmsg; diff --git a/mux.c b/mux.c index 8e4b60827..abc1e05ab 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.77 2018/09/26 07:32:44 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.78 2019/01/19 21:31:32 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -68,6 +68,9 @@ #include "clientloop.h" #include "ssherr.h" +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX */ + /* from ssh.c */ extern int tty_flag; extern Options options; diff --git a/opacket.c b/opacket.c index e637d7a71..56a76939e 100644 --- a/opacket.c +++ b/opacket.c @@ -2,11 +2,12 @@ /* Written by Markus Friedl. Placed in the public domain. */ #include "includes.h" - +/* $OpenBSD: opacket.c,v 1.8 2019/01/19 21:31:32 djm Exp $ */ #include #include "ssherr.h" #include "packet.h" +#include "opacket.h" /* XXX */ #include "log.h" struct ssh *active_state, *backup_state; diff --git a/packet.h b/packet.h index 170203cab..c58b52d39 100644 --- a/packet.h +++ b/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.86 2018/07/09 21:20:26 markus Exp $ */ +/* $OpenBSD: packet.h,v 1.87 2019/01/19 21:31:32 djm Exp $ */ /* * Author: Tatu Ylonen @@ -204,10 +204,6 @@ int sshpkt_get_end(struct ssh *ssh); void sshpkt_fmt_connection_id(struct ssh *ssh, char *s, size_t l); const u_char *sshpkt_ptr(struct ssh *, size_t *lenp); -/* OLD API */ -extern struct ssh *active_state; -#include "opacket.h" - #if !defined(WITH_OPENSSL) # undef BIGNUM # undef EC_KEY diff --git a/servconf.c b/servconf.c index 52d9be429..0ec095bd0 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.344 2018/11/19 04:12:32 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.345 2019/01/19 21:31:32 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -65,6 +65,9 @@ #include "myproposal.h" #include "digest.h" +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX */ + static void add_listen_addr(ServerOptions *, const char *, const char *, int); static void add_one_listen_addr(ServerOptions *, const char *, diff --git a/serverloop.c b/serverloop.c index 7be83e2d3..e0c26bbbc 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.209 2018/07/27 05:13:02 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.210 2019/01/19 21:31:32 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -78,6 +78,9 @@ #include "serverloop.h" #include "ssherr.h" +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX */ + extern ServerOptions options; /* XXX */ diff --git a/session.c b/session.c index 0452f507a..f0dabe111 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.309 2019/01/17 04:45:09 djm Exp $ */ +/* $OpenBSD: session.c,v 1.310 2019/01/19 21:31:32 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -105,6 +105,9 @@ #include #endif +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX */ + #define IS_INTERNAL_SFTP(c) \ (!strncmp(c, INTERNAL_SFTP_NAME, sizeof(INTERNAL_SFTP_NAME) - 1) && \ (c[sizeof(INTERNAL_SFTP_NAME) - 1] == '\0' || \ diff --git a/ssh.c b/ssh.c index 16536a97a..a206a5fca 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.497 2018/12/27 03:25:25 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.498 2019/01/19 21:31:32 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -113,6 +113,9 @@ #include "ssh-pkcs11.h" #endif +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX move here */ + extern char *__progname; /* Saves a copy of argv for setproctitle emulation */ diff --git a/sshconnect.c b/sshconnect.c index 884e33628..346f979d1 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.309 2018/12/27 03:25:25 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.310 2019/01/19 21:31:32 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -70,6 +70,9 @@ #include "authfd.h" #include "kex.h" +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX */ + struct sshkey *previous_host_key = NULL; static int matching_host_key_dns = 0; diff --git a/sshconnect2.c b/sshconnect2.c index 0e8f323d6..73ffe77a9 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.292 2019/01/04 03:27:50 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.293 2019/01/19 21:31:32 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -77,6 +77,9 @@ #include "ssh-gss.h" #endif +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX */ + /* import */ extern char *client_version_string; extern char *server_version_string; diff --git a/sshd.c b/sshd.c index 1d25c88f3..ad8c152a5 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.521 2019/01/17 01:50:24 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.522 2019/01/19 21:31:32 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -123,6 +123,9 @@ #include "version.h" #include "ssherr.h" +#include "opacket.h" /* XXX */ +extern struct ssh *active_state; /* XXX move decl to this file */ + /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -- cgit v1.2.3 From 172a592a53ebe8649c4ac0d7946e6c08eb151af6 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sat, 19 Jan 2019 21:37:48 +0000 Subject: upstream: convert servconf.c to new packet API with & ok markus@ OpenBSD-Commit-ID: 126553aecca302c9e02fd77e333b9cb217e623b4 --- auth.c | 5 +++-- servconf.c | 10 +++------- servconf.h | 4 ++-- sshd.c | 6 +++--- 4 files changed, 11 insertions(+), 14 deletions(-) (limited to 'servconf.c') diff --git a/auth.c b/auth.c index 94f43a6c2..d82b40683 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.136 2019/01/19 21:31:32 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.137 2019/01/19 21:37:48 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -572,8 +572,9 @@ getpwnamallow(const char *user) #endif #endif struct passwd *pw; - struct connection_info *ci = get_connection_info(1, options.use_dns); + struct connection_info *ci; + ci = get_connection_info(ssh, 1, options.use_dns); ci->user = user; parse_server_match_config(&options, ci); log_change_level(options.log_level); diff --git a/servconf.c b/servconf.c index 0ec095bd0..86c631bb0 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.345 2019/01/19 21:31:32 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.346 2019/01/19 21:37:48 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -65,9 +65,6 @@ #include "myproposal.h" #include "digest.h" -#include "opacket.h" /* XXX */ -extern struct ssh *active_state; /* XXX */ - static void add_listen_addr(ServerOptions *, const char *, const char *, int); static void add_one_listen_addr(ServerOptions *, const char *, @@ -926,12 +923,11 @@ process_permitopen(struct ssh *ssh, ServerOptions *options) } struct connection_info * -get_connection_info(int populate, int use_dns) +get_connection_info(struct ssh *ssh, int populate, int use_dns) { - struct ssh *ssh = active_state; /* XXX */ static struct connection_info ci; - if (!populate) + if (ssh == NULL || !populate) return &ci; ci.host = auth_get_canonical_hostname(ssh, use_dns); ci.address = ssh_remote_ipaddr(ssh); diff --git a/servconf.h b/servconf.h index 548ad5a0c..54e0a8d8d 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.138 2018/11/19 04:12:32 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.139 2019/01/19 21:37:48 djm Exp $ */ /* * Author: Tatu Ylonen @@ -258,7 +258,7 @@ struct connection_info { M_CP_STRARRAYOPT(permitted_listens, num_permitted_listens); \ } while (0) -struct connection_info *get_connection_info(int, int); +struct connection_info *get_connection_info(struct ssh *, int, int); void initialize_server_options(ServerOptions *); void fill_default_server_options(ServerOptions *); int process_server_config_line(ServerOptions *, char *, const char *, int, diff --git a/sshd.c b/sshd.c index ad8c152a5..64f27a7bb 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.522 2019/01/19 21:31:32 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.523 2019/01/19 21:37:48 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1493,7 +1493,7 @@ main(int ac, char **av) test_flag = 2; break; case 'C': - connection_info = get_connection_info(0, 0); + connection_info = get_connection_info(ssh, 0, 0); if (parse_server_match_testspec(connection_info, optarg) == -1) exit(1); @@ -1776,7 +1776,7 @@ main(int ac, char **av) * use a blank one that will cause no predicate to match. */ if (connection_info == NULL) - connection_info = get_connection_info(0, 0); + connection_info = get_connection_info(ssh, 0, 0); parse_server_match_config(&options, connection_info); dump_config(&options); } -- cgit v1.2.3 From d05ea255678d9402beda4416cd0360f3e5dfe938 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Wed, 23 Jan 2019 21:50:56 +0000 Subject: upstream: Remove support for obsolete host/port syntax. host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH now supports for some things. Remove the slash notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen at redhat.com, ok markus@ OpenBSD-Commit-ID: fae5f4e23c51a368d6b2d98376069ac2b10ad4b7 --- misc.c | 4 ++-- misc.h | 3 ++- servconf.c | 20 ++++++++++++-------- 3 files changed, 16 insertions(+), 11 deletions(-) (limited to 'servconf.c') diff --git a/misc.c b/misc.c index bfd786ef8..009e02bc5 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.136 2018/12/27 03:25:25 djm Exp $ */ +/* $OpenBSD: misc.c,v 1.137 2019/01/23 21:50:56 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -564,7 +564,7 @@ put_host_port(const char *host, u_short port) * The delimiter char, if present, is stored in delim. * If this is the last field, *cp is set to NULL. */ -static char * +char * hpdelim2(char **cp, char *delim) { char *s, *old; diff --git a/misc.h b/misc.h index 47177d838..5b4325aba 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.78 2018/12/27 03:25:25 djm Exp $ */ +/* $OpenBSD: misc.h,v 1.79 2019/01/23 21:50:56 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -57,6 +57,7 @@ int timeout_connect(int, const struct sockaddr *, socklen_t, int *); int a2port(const char *); int a2tun(const char *, int *); char *put_host_port(const char *, u_short); +char *hpdelim2(char **, char *); char *hpdelim(char **); char *cleanhostname(char *); char *colon(char *); diff --git a/servconf.c b/servconf.c index 86c631bb0..1562bd875 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.346 2019/01/19 21:37:48 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.347 2019/01/23 21:50:56 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -878,7 +878,7 @@ process_permitopen_list(struct ssh *ssh, ServerOpCodes opcode, { u_int i; int port; - char *host, *arg, *oarg; + char *host, *arg, *oarg, ch; int where = opcode == sPermitOpen ? FORWARD_LOCAL : FORWARD_REMOTE; const char *what = lookup_opcode_name(opcode); @@ -896,8 +896,8 @@ process_permitopen_list(struct ssh *ssh, ServerOpCodes opcode, /* Otherwise treat it as a list of permitted host:port */ for (i = 0; i < num_opens; i++) { oarg = arg = xstrdup(opens[i]); - host = hpdelim(&arg); - if (host == NULL) + host = hpdelim2(&arg, &ch); + if (host == NULL || ch == '/') fatal("%s: missing host in %s", __func__, what); host = cleanhostname(host); if (arg == NULL || ((port = permitopen_port(arg)) < 0)) @@ -1314,8 +1314,10 @@ process_server_config_line(ServerOptions *options, char *line, port = 0; p = arg; } else { - p = hpdelim(&arg); - if (p == NULL) + char ch; + arg2 = NULL; + p = hpdelim2(&arg, &ch); + if (p == NULL || ch == '/') fatal("%s line %d: bad address:port usage", filename, linenum); p = cleanhostname(p); @@ -1942,9 +1944,11 @@ process_server_config_line(ServerOptions *options, char *line, */ xasprintf(&arg2, "*:%s", arg); } else { + char ch; + arg2 = xstrdup(arg); - p = hpdelim(&arg); - if (p == NULL) { + p = hpdelim2(&arg, &ch); + if (p == NULL || ch == '/') { fatal("%s line %d: missing host in %s", filename, linenum, lookup_opcode_name(opcode)); -- cgit v1.2.3 From 281ce042579b834cdc1e74314f1fb2eeb75d2612 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Thu, 24 Jan 2019 02:34:52 +0000 Subject: upstream: Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF* there's a delimiter. If there's not (the common case) it checked uninitialized memory, which usually passed, but if not would cause spurious failures when the uninitialized memory happens to contain "/". ok deraadt. OpenBSD-Commit-ID: 4291611eaf2a53d4c92f4a57c7f267c9f944e0d3 --- servconf.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'servconf.c') diff --git a/servconf.c b/servconf.c index 1562bd875..d9680aba1 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.347 2019/01/23 21:50:56 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.348 2019/01/24 02:34:52 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -896,6 +896,7 @@ process_permitopen_list(struct ssh *ssh, ServerOpCodes opcode, /* Otherwise treat it as a list of permitted host:port */ for (i = 0; i < num_opens; i++) { oarg = arg = xstrdup(opens[i]); + ch = '\0'; host = hpdelim2(&arg, &ch); if (host == NULL || ch == '/') fatal("%s: missing host in %s", __func__, what); @@ -1214,7 +1215,7 @@ process_server_config_line(ServerOptions *options, char *line, const char *filename, int linenum, int *activep, struct connection_info *connectinfo) { - char *cp, ***chararrayptr, **charptr, *arg, *arg2, *p; + char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p; int cmdline = 0, *intptr, value, value2, n, port; SyslogFacility *log_facility_ptr; LogLevel *log_level_ptr; @@ -1314,8 +1315,8 @@ process_server_config_line(ServerOptions *options, char *line, port = 0; p = arg; } else { - char ch; arg2 = NULL; + ch = '\0'; p = hpdelim2(&arg, &ch); if (p == NULL || ch == '/') fatal("%s line %d: bad address:port usage", @@ -1944,9 +1945,8 @@ process_server_config_line(ServerOptions *options, char *line, */ xasprintf(&arg2, "*:%s", arg); } else { - char ch; - arg2 = xstrdup(arg); + ch = '\0'; p = hpdelim2(&arg, &ch); if (p == NULL || ch == '/') { fatal("%s line %d: missing host in %s", -- cgit v1.2.3 From f02afa350afac1b2f2d1413259a27a4ba1e2ca24 Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Wed, 20 Feb 2019 13:41:24 +0100 Subject: Revert "[auth.c] On Cygwin, refuse usernames that have differences in case" This reverts commit acc9b29486dfd649dfda474e5c1a03b317449f1c. Signed-off-by: Corinna Vinschen --- auth.c | 13 ---- groupaccess.c | 4 ++ match.c | 4 ++ openbsd-compat/bsd-cygwin_util.c | 146 +++++++++++++++++++++++++++++++++++++++ servconf.c | 4 ++ 5 files changed, 158 insertions(+), 13 deletions(-) (limited to 'servconf.c') diff --git a/auth.c b/auth.c index 62c58e72f..332b6220c 100644 --- a/auth.c +++ b/auth.c @@ -583,19 +583,6 @@ getpwnamallow(struct ssh *ssh, const char *user) #if defined(_AIX) && defined(HAVE_SETAUTHDB) aix_restoreauthdb(); -#endif -#ifdef HAVE_CYGWIN - /* - * Windows usernames are case-insensitive. To avoid later problems - * when trying to match the username, the user is only allowed to - * login if the username is given in the same case as stored in the - * user database. - */ - if (pw != NULL && strcmp(user, pw->pw_name) != 0) { - logit("Login name %.100s does not match stored username %.100s", - user, pw->pw_name); - pw = NULL; - } #endif if (pw == NULL) { logit("Invalid user %.100s from %.100s port %d", diff --git a/groupaccess.c b/groupaccess.c index 9e4d25521..43367990d 100644 --- a/groupaccess.c +++ b/groupaccess.c @@ -103,7 +103,11 @@ ga_match_pattern_list(const char *group_pattern) int i, found = 0; for (i = 0; i < ngroups; i++) { +#ifndef HAVE_CYGWIN switch (match_pattern_list(groups_byname[i], group_pattern, 0)) { +#else + switch (match_pattern_list(groups_byname[i], group_pattern, 1)) { +#endif case -1: return 0; /* Negated match wins */ case 0: diff --git a/match.c b/match.c index bb3e95f67..b50ae4057 100644 --- a/match.c +++ b/match.c @@ -111,6 +111,8 @@ match_pattern(const char *s, const char *pattern) /* NOTREACHED */ } +#ifndef HAVE_CYGWIN /* Cygwin version in openbsd-compat/bsd-cygwin_util.c */ + /* * Tries to match the string against the * comma-separated sequence of subpatterns (each possibly preceded by ! to @@ -170,6 +172,8 @@ match_pattern_list(const char *string, const char *pattern, int dolower) return got_positive; } +#endif + /* * Tries to match the host name (which must be in all lowercase) against the * comma-separated sequence of subpatterns (each possibly preceded by ! to diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c index fb49e30f5..f721fca9d 100644 --- a/openbsd-compat/bsd-cygwin_util.c +++ b/openbsd-compat/bsd-cygwin_util.c @@ -37,6 +37,8 @@ #include #include #include +#include +#include #include "xmalloc.h" @@ -117,4 +119,148 @@ free_windows_environment(char **p) free(p); } +/* + * Returns true if the given string matches the pattern (which may contain ? + * and * as wildcards), and zero if it does not match. + * + * The Cygwin version of this function must be case-insensitive and take + * Unicode characters into account. + */ + +static int +__match_pattern (const wchar_t *s, const wchar_t *pattern, int caseinsensitive) +{ + for (;;) { + /* If at end of pattern, accept if also at end of string. */ + if (!*pattern) + return !*s; + + if (*pattern == '*') { + /* Skip the asterisk. */ + pattern++; + + /* If at end of pattern, accept immediately. */ + if (!*pattern) + return 1; + + /* If next character in pattern is known, optimize. */ + if (*pattern != '?' && *pattern != '*') { + /* + * Look instances of the next character in + * pattern, and try to match starting from + * those. + */ + for (; *s; s++) + if (*s == *pattern && + __match_pattern(s + 1, pattern + 1, + caseinsensitive)) + return 1; + /* Failed. */ + return 0; + } + /* + * Move ahead one character at a time and try to + * match at each position. + */ + for (; *s; s++) + if (__match_pattern(s, pattern, caseinsensitive)) + return 1; + /* Failed. */ + return 0; + } + /* + * There must be at least one more character in the string. + * If we are at the end, fail. + */ + if (!*s) + return 0; + + /* Check if the next character of the string is acceptable. */ + if (*pattern != '?' && (*pattern != *s && + (!caseinsensitive || towlower(*pattern) != towlower(*s)))) + return 0; + + /* Move to the next character, both in string and in pattern. */ + s++; + pattern++; + } + /* NOTREACHED */ +} + +static int +_match_pattern(const char *s, const char *pattern, int caseinsensitive) +{ + wchar_t *ws; + wchar_t *wpattern; + size_t len; + + if ((len = mbstowcs(NULL, s, 0)) < 0) + return 0; + ws = (wchar_t *) alloca((len + 1) * sizeof (wchar_t)); + mbstowcs(ws, s, len + 1); + if ((len = mbstowcs(NULL, pattern, 0)) < 0) + return 0; + wpattern = (wchar_t *) alloca((len + 1) * sizeof (wchar_t)); + mbstowcs(wpattern, pattern, len + 1); + return __match_pattern (ws, wpattern, caseinsensitive); +} + +/* + * Tries to match the string against the + * comma-separated sequence of subpatterns (each possibly preceded by ! to + * indicate negation). Returns -1 if negation matches, 1 if there is + * a positive match, 0 if there is no match at all. + */ +int +match_pattern_list(const char *string, const char *pattern, int caseinsensitive) +{ + char sub[1024]; + int negated; + int got_positive; + u_int i, subi, len = strlen(pattern); + + got_positive = 0; + for (i = 0; i < len;) { + /* Check if the subpattern is negated. */ + if (pattern[i] == '!') { + negated = 1; + i++; + } else + negated = 0; + + /* + * Extract the subpattern up to a comma or end. Convert the + * subpattern to lowercase. + */ + for (subi = 0; + i < len && subi < sizeof(sub) - 1 && pattern[i] != ','; + subi++, i++) + sub[subi] = pattern[i]; + /* If subpattern too long, return failure (no match). */ + if (subi >= sizeof(sub) - 1) + return 0; + + /* If the subpattern was terminated by a comma, then skip it. */ + if (i < len && pattern[i] == ',') + i++; + + /* Null-terminate the subpattern. */ + sub[subi] = '\0'; + + /* Try to match the subpattern against the string. */ + if (_match_pattern(string, sub, caseinsensitive)) { + if (negated) + return -1; /* Negative */ + else + got_positive = 1; /* Positive */ + } + } + + /* + * Return success if got a positive match. If there was a negative + * match, we have already returned -1 and never get here. + */ + return got_positive; +} + #endif /* HAVE_CYGWIN */ diff --git a/servconf.c b/servconf.c index d9680aba1..4fa896fd4 100644 --- a/servconf.c +++ b/servconf.c @@ -1049,7 +1049,11 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) } if (ci->user == NULL) match_test_missing_fatal("User", "user"); +#ifndef HAVE_CYGWIN if (match_pattern_list(ci->user, arg, 0) != 1) +#else + if (match_pattern_list(ci->user, arg, 1) != 1) +#endif result = 0; else debug("user %.100s matched 'User %.100s' at " -- cgit v1.2.3 From bed1d43698807a07bb4ddb93a46b0bd84b9970b3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 22 Feb 2019 15:21:21 +1100 Subject: Revert unintended parts of previous commit. --- groupaccess.c | 4 -- match.c | 4 -- openbsd-compat/bsd-cygwin_util.c | 146 --------------------------------------- servconf.c | 4 -- 4 files changed, 158 deletions(-) (limited to 'servconf.c') diff --git a/groupaccess.c b/groupaccess.c index 43367990d..9e4d25521 100644 --- a/groupaccess.c +++ b/groupaccess.c @@ -103,11 +103,7 @@ ga_match_pattern_list(const char *group_pattern) int i, found = 0; for (i = 0; i < ngroups; i++) { -#ifndef HAVE_CYGWIN switch (match_pattern_list(groups_byname[i], group_pattern, 0)) { -#else - switch (match_pattern_list(groups_byname[i], group_pattern, 1)) { -#endif case -1: return 0; /* Negated match wins */ case 0: diff --git a/match.c b/match.c index b50ae4057..bb3e95f67 100644 --- a/match.c +++ b/match.c @@ -111,8 +111,6 @@ match_pattern(const char *s, const char *pattern) /* NOTREACHED */ } -#ifndef HAVE_CYGWIN /* Cygwin version in openbsd-compat/bsd-cygwin_util.c */ - /* * Tries to match the string against the * comma-separated sequence of subpatterns (each possibly preceded by ! to @@ -172,8 +170,6 @@ match_pattern_list(const char *string, const char *pattern, int dolower) return got_positive; } -#endif - /* * Tries to match the host name (which must be in all lowercase) against the * comma-separated sequence of subpatterns (each possibly preceded by ! to diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c index f721fca9d..fb49e30f5 100644 --- a/openbsd-compat/bsd-cygwin_util.c +++ b/openbsd-compat/bsd-cygwin_util.c @@ -37,8 +37,6 @@ #include #include #include -#include -#include #include "xmalloc.h" @@ -119,148 +117,4 @@ free_windows_environment(char **p) free(p); } -/* - * Returns true if the given string matches the pattern (which may contain ? - * and * as wildcards), and zero if it does not match. - * - * The Cygwin version of this function must be case-insensitive and take - * Unicode characters into account. - */ - -static int -__match_pattern (const wchar_t *s, const wchar_t *pattern, int caseinsensitive) -{ - for (;;) { - /* If at end of pattern, accept if also at end of string. */ - if (!*pattern) - return !*s; - - if (*pattern == '*') { - /* Skip the asterisk. */ - pattern++; - - /* If at end of pattern, accept immediately. */ - if (!*pattern) - return 1; - - /* If next character in pattern is known, optimize. */ - if (*pattern != '?' && *pattern != '*') { - /* - * Look instances of the next character in - * pattern, and try to match starting from - * those. - */ - for (; *s; s++) - if (*s == *pattern && - __match_pattern(s + 1, pattern + 1, - caseinsensitive)) - return 1; - /* Failed. */ - return 0; - } - /* - * Move ahead one character at a time and try to - * match at each position. - */ - for (; *s; s++) - if (__match_pattern(s, pattern, caseinsensitive)) - return 1; - /* Failed. */ - return 0; - } - /* - * There must be at least one more character in the string. - * If we are at the end, fail. - */ - if (!*s) - return 0; - - /* Check if the next character of the string is acceptable. */ - if (*pattern != '?' && (*pattern != *s && - (!caseinsensitive || towlower(*pattern) != towlower(*s)))) - return 0; - - /* Move to the next character, both in string and in pattern. */ - s++; - pattern++; - } - /* NOTREACHED */ -} - -static int -_match_pattern(const char *s, const char *pattern, int caseinsensitive) -{ - wchar_t *ws; - wchar_t *wpattern; - size_t len; - - if ((len = mbstowcs(NULL, s, 0)) < 0) - return 0; - ws = (wchar_t *) alloca((len + 1) * sizeof (wchar_t)); - mbstowcs(ws, s, len + 1); - if ((len = mbstowcs(NULL, pattern, 0)) < 0) - return 0; - wpattern = (wchar_t *) alloca((len + 1) * sizeof (wchar_t)); - mbstowcs(wpattern, pattern, len + 1); - return __match_pattern (ws, wpattern, caseinsensitive); -} - -/* - * Tries to match the string against the - * comma-separated sequence of subpatterns (each possibly preceded by ! to - * indicate negation). Returns -1 if negation matches, 1 if there is - * a positive match, 0 if there is no match at all. - */ -int -match_pattern_list(const char *string, const char *pattern, int caseinsensitive) -{ - char sub[1024]; - int negated; - int got_positive; - u_int i, subi, len = strlen(pattern); - - got_positive = 0; - for (i = 0; i < len;) { - /* Check if the subpattern is negated. */ - if (pattern[i] == '!') { - negated = 1; - i++; - } else - negated = 0; - - /* - * Extract the subpattern up to a comma or end. Convert the - * subpattern to lowercase. - */ - for (subi = 0; - i < len && subi < sizeof(sub) - 1 && pattern[i] != ','; - subi++, i++) - sub[subi] = pattern[i]; - /* If subpattern too long, return failure (no match). */ - if (subi >= sizeof(sub) - 1) - return 0; - - /* If the subpattern was terminated by a comma, then skip it. */ - if (i < len && pattern[i] == ',') - i++; - - /* Null-terminate the subpattern. */ - sub[subi] = '\0'; - - /* Try to match the subpattern against the string. */ - if (_match_pattern(string, sub, caseinsensitive)) { - if (negated) - return -1; /* Negative */ - else - got_positive = 1; /* Positive */ - } - } - - /* - * Return success if got a positive match. If there was a negative - * match, we have already returned -1 and never get here. - */ - return got_positive; -} - #endif /* HAVE_CYGWIN */ diff --git a/servconf.c b/servconf.c index 4fa896fd4..d9680aba1 100644 --- a/servconf.c +++ b/servconf.c @@ -1049,11 +1049,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) } if (ci->user == NULL) match_test_missing_fatal("User", "user"); -#ifndef HAVE_CYGWIN if (match_pattern_list(ci->user, arg, 0) != 1) -#else - if (match_pattern_list(ci->user, arg, 1) != 1) -#endif result = 0; else debug("user %.100s matched 'User %.100s' at " -- cgit v1.2.3 From 37638c752041d591371900df820f070037878a2d Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Wed, 20 Feb 2019 13:41:25 +0100 Subject: Cygwin: implement case-insensitive Unicode user and group name matching The previous revert enabled case-insensitive user names again. This patch implements the case-insensitive user and group name matching. To allow Unicode chars, implement the matcher using wchar_t chars in Cygwin-specific code. Keep the generic code changes as small as possible. Cygwin: implement case-insensitive Unicode user and group name matching Signed-off-by: Corinna Vinschen --- groupaccess.c | 4 ++ match.c | 4 ++ openbsd-compat/bsd-cygwin_util.c | 146 +++++++++++++++++++++++++++++++++++++++ servconf.c | 4 ++ 4 files changed, 158 insertions(+) (limited to 'servconf.c') diff --git a/groupaccess.c b/groupaccess.c index 9e4d25521..43367990d 100644 --- a/groupaccess.c +++ b/groupaccess.c @@ -103,7 +103,11 @@ ga_match_pattern_list(const char *group_pattern) int i, found = 0; for (i = 0; i < ngroups; i++) { +#ifndef HAVE_CYGWIN switch (match_pattern_list(groups_byname[i], group_pattern, 0)) { +#else + switch (match_pattern_list(groups_byname[i], group_pattern, 1)) { +#endif case -1: return 0; /* Negated match wins */ case 0: diff --git a/match.c b/match.c index bb3e95f67..b50ae4057 100644 --- a/match.c +++ b/match.c @@ -111,6 +111,8 @@ match_pattern(const char *s, const char *pattern) /* NOTREACHED */ } +#ifndef HAVE_CYGWIN /* Cygwin version in openbsd-compat/bsd-cygwin_util.c */ + /* * Tries to match the string against the * comma-separated sequence of subpatterns (each possibly preceded by ! to @@ -170,6 +172,8 @@ match_pattern_list(const char *string, const char *pattern, int dolower) return got_positive; } +#endif + /* * Tries to match the host name (which must be in all lowercase) against the * comma-separated sequence of subpatterns (each possibly preceded by ! to diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c index fb49e30f5..f721fca9d 100644 --- a/openbsd-compat/bsd-cygwin_util.c +++ b/openbsd-compat/bsd-cygwin_util.c @@ -37,6 +37,8 @@ #include #include #include +#include +#include #include "xmalloc.h" @@ -117,4 +119,148 @@ free_windows_environment(char **p) free(p); } +/* + * Returns true if the given string matches the pattern (which may contain ? + * and * as wildcards), and zero if it does not match. + * + * The Cygwin version of this function must be case-insensitive and take + * Unicode characters into account. + */ + +static int +__match_pattern (const wchar_t *s, const wchar_t *pattern, int caseinsensitive) +{ + for (;;) { + /* If at end of pattern, accept if also at end of string. */ + if (!*pattern) + return !*s; + + if (*pattern == '*') { + /* Skip the asterisk. */ + pattern++; + + /* If at end of pattern, accept immediately. */ + if (!*pattern) + return 1; + + /* If next character in pattern is known, optimize. */ + if (*pattern != '?' && *pattern != '*') { + /* + * Look instances of the next character in + * pattern, and try to match starting from + * those. + */ + for (; *s; s++) + if (*s == *pattern && + __match_pattern(s + 1, pattern + 1, + caseinsensitive)) + return 1; + /* Failed. */ + return 0; + } + /* + * Move ahead one character at a time and try to + * match at each position. + */ + for (; *s; s++) + if (__match_pattern(s, pattern, caseinsensitive)) + return 1; + /* Failed. */ + return 0; + } + /* + * There must be at least one more character in the string. + * If we are at the end, fail. + */ + if (!*s) + return 0; + + /* Check if the next character of the string is acceptable. */ + if (*pattern != '?' && (*pattern != *s && + (!caseinsensitive || towlower(*pattern) != towlower(*s)))) + return 0; + + /* Move to the next character, both in string and in pattern. */ + s++; + pattern++; + } + /* NOTREACHED */ +} + +static int +_match_pattern(const char *s, const char *pattern, int caseinsensitive) +{ + wchar_t *ws; + wchar_t *wpattern; + size_t len; + + if ((len = mbstowcs(NULL, s, 0)) < 0) + return 0; + ws = (wchar_t *) alloca((len + 1) * sizeof (wchar_t)); + mbstowcs(ws, s, len + 1); + if ((len = mbstowcs(NULL, pattern, 0)) < 0) + return 0; + wpattern = (wchar_t *) alloca((len + 1) * sizeof (wchar_t)); + mbstowcs(wpattern, pattern, len + 1); + return __match_pattern (ws, wpattern, caseinsensitive); +} + +/* + * Tries to match the string against the + * comma-separated sequence of subpatterns (each possibly preceded by ! to + * indicate negation). Returns -1 if negation matches, 1 if there is + * a positive match, 0 if there is no match at all. + */ +int +match_pattern_list(const char *string, const char *pattern, int caseinsensitive) +{ + char sub[1024]; + int negated; + int got_positive; + u_int i, subi, len = strlen(pattern); + + got_positive = 0; + for (i = 0; i < len;) { + /* Check if the subpattern is negated. */ + if (pattern[i] == '!') { + negated = 1; + i++; + } else + negated = 0; + + /* + * Extract the subpattern up to a comma or end. Convert the + * subpattern to lowercase. + */ + for (subi = 0; + i < len && subi < sizeof(sub) - 1 && pattern[i] != ','; + subi++, i++) + sub[subi] = pattern[i]; + /* If subpattern too long, return failure (no match). */ + if (subi >= sizeof(sub) - 1) + return 0; + + /* If the subpattern was terminated by a comma, then skip it. */ + if (i < len && pattern[i] == ',') + i++; + + /* Null-terminate the subpattern. */ + sub[subi] = '\0'; + + /* Try to match the subpattern against the string. */ + if (_match_pattern(string, sub, caseinsensitive)) { + if (negated) + return -1; /* Negative */ + else + got_positive = 1; /* Positive */ + } + } + + /* + * Return success if got a positive match. If there was a negative + * match, we have already returned -1 and never get here. + */ + return got_positive; +} + #endif /* HAVE_CYGWIN */ diff --git a/servconf.c b/servconf.c index d9680aba1..4fa896fd4 100644 --- a/servconf.c +++ b/servconf.c @@ -1049,7 +1049,11 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) } if (ci->user == NULL) match_test_missing_fatal("User", "user"); +#ifndef HAVE_CYGWIN if (match_pattern_list(ci->user, arg, 0) != 1) +#else + if (match_pattern_list(ci->user, arg, 1) != 1) +#endif result = 0; else debug("user %.100s matched 'User %.100s' at " -- cgit v1.2.3 From fd10cf027b56f9aaa80c9e3844626a05066589a4 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Wed, 6 Mar 2019 22:14:23 +0000 Subject: upstream: Move checks for lists of users or groups into their own function. This is a no-op on OpenBSD but will make things easier in -portable, eg on systems where these checks should be case-insensitive. ok djm@ OpenBSD-Commit-ID: 8bc9c8d98670e23f8eaaaefe29c1f98e7ba0487e --- groupaccess.c | 9 +++------ match.c | 15 ++++++++++++++- match.h | 3 ++- servconf.c | 8 ++------ 4 files changed, 21 insertions(+), 14 deletions(-) (limited to 'servconf.c') diff --git a/groupaccess.c b/groupaccess.c index 43367990d..80d301915 100644 --- a/groupaccess.c +++ b/groupaccess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: groupaccess.c,v 1.16 2015/05/04 06:10:48 djm Exp $ */ +/* $OpenBSD: groupaccess.c,v 1.17 2019/03/06 22:14:23 dtucker Exp $ */ /* * Copyright (c) 2001 Kevin Steves. All rights reserved. * @@ -103,11 +103,8 @@ ga_match_pattern_list(const char *group_pattern) int i, found = 0; for (i = 0; i < ngroups; i++) { -#ifndef HAVE_CYGWIN - switch (match_pattern_list(groups_byname[i], group_pattern, 0)) { -#else - switch (match_pattern_list(groups_byname[i], group_pattern, 1)) { -#endif + switch (match_usergroup_pattern_list(groups_byname[i], + group_pattern)) { case -1: return 0; /* Negated match wins */ case 0: diff --git a/match.c b/match.c index b50ae4057..ff0815ef9 100644 --- a/match.c +++ b/match.c @@ -1,4 +1,4 @@ -/* $OpenBSD: match.c,v 1.38 2018/07/04 13:49:31 djm Exp $ */ +/* $OpenBSD: match.c,v 1.39 2019/03/06 22:14:23 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -174,6 +174,19 @@ match_pattern_list(const char *string, const char *pattern, int dolower) #endif +/* Match a list representing users or groups. */ +int +match_usergroup_pattern_list(const char *string, const char *pattern) +{ +#ifndef HAVE_CYGWIN + /* Case sensitive match */ + return match_pattern_list(string, pattern, 0); +#else + /* Case insensitive match */ + return match_pattern_list(string, pattern, 1); +#endif +} + /* * Tries to match the host name (which must be in all lowercase) against the * comma-separated sequence of subpatterns (each possibly preceded by ! to diff --git a/match.h b/match.h index 852b1a5cb..3a8a6ecdc 100644 --- a/match.h +++ b/match.h @@ -1,4 +1,4 @@ -/* $OpenBSD: match.h,v 1.18 2018/07/04 13:49:31 djm Exp $ */ +/* $OpenBSD: match.h,v 1.19 2019/03/06 22:14:23 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -16,6 +16,7 @@ int match_pattern(const char *, const char *); int match_pattern_list(const char *, const char *, int); +int match_usergroup_pattern_list(const char *, const char *); int match_hostname(const char *, const char *); int match_host_and_ip(const char *, const char *, const char *); int match_user(const char *, const char *, const char *, const char *); diff --git a/servconf.c b/servconf.c index 4fa896fd4..a7bfba827 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.348 2019/01/24 02:34:52 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.349 2019/03/06 22:14:23 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1049,11 +1049,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) } if (ci->user == NULL) match_test_missing_fatal("User", "user"); -#ifndef HAVE_CYGWIN - if (match_pattern_list(ci->user, arg, 0) != 1) -#else - if (match_pattern_list(ci->user, arg, 1) != 1) -#endif + if (match_usergroup_pattern_list(ci->user, arg) != 1) result = 0; else debug("user %.100s matched 'User %.100s' at " -- cgit v1.2.3 From d6e5def308610f194c0ec3ef97a34a3e9630e190 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 25 Mar 2019 22:33:44 +0000 Subject: upstream: whitespace OpenBSD-Commit-ID: 106e853ae8a477e8385bc53824d3884a8159db07 --- servconf.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'servconf.c') diff --git a/servconf.c b/servconf.c index a7bfba827..ffac5d2c7 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.349 2019/03/06 22:14:23 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.350 2019/03/25 22:33:44 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -470,7 +470,6 @@ fill_default_server_options(ServerOptions *options) options->compression = 0; } #endif - } /* Keyword tokens. */ -- cgit v1.2.3