diff --git a/ChangeLog b/ChangeLog
index a638c64c2..590ac5873 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -92,6 +92,9 @@
 [sshconnect1.c]
 consistent with ssh2: skip key if empty passphrase is entered,
 retry num_of_passwd_prompt times if passphrase is wrong. ok fgsch@
+ - markus@cvs.openbsd.org 2001/06/24 05:25:10
+ [auth-options.c match.c match.h]
+ move ip+hostname check to match.c
 20010622
 - (stevesk) handle systems without pw_expire and pw_change.
@@ -5776,4 +5779,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.1319 2001/06/25 05:16:02 mouring Exp $
+$Id: ChangeLog,v 1.1320 2001/06/25 05:17:53 mouring Exp $
diff --git a/auth-options.c b/auth-options.c
index 210fbe7ea..83ef02c42 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.18 2001/05/31 10:30:12 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.19 2001/06/24 05:25:09 markus Exp $");
 #include "packet.h"
 #include "xmalloc.h"
@@ -167,7 +167,6 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 }
 cp = "from=\"";
 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- int mname, mip;
 const char *remote_ip = get_remote_ipaddr();
 const char *remote_host = get_canonical_hostname(
 options.reverse_mapping_check);
@@ -195,18 +194,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 }
 patterns[i] = 0;
 opts++;
- /*
- * Deny access if we get a negative
- * match for the hostname or the ip
- * or if we get not match at all
- */
- mname = match_hostname(remote_host, patterns,
- strlen(patterns));
- mip = match_hostname(remote_ip, patterns,
- strlen(patterns));
- xfree(patterns);
- if (mname == -1 || mip == -1 ||
- (mname != 1 && mip != 1)) {
+ if (match_host_and_ip(remote_host, remote_ip,
+ patterns) != 1) {
+ xfree(patterns);
 log("Authentication tried for %.100s with "
 "correct key but not from a permitted "
 "host (host=%.200s, ip=%.200s).",
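Review bot: In the `from=` handling, `xfree(patterns)` is now issued separately on the deny path of this hunk and on the accept path of the hunk at @@ -217,6 +207,7 @@, whereas the removed code freed the buffer once before branching; any early return added between the two in future leaks `patterns`. Capturing the result keeps a single free: `int allowed = match_host_and_ip(remote_host, remote_ip, patterns);` / `xfree(patterns);` / `if (allowed != 1) {`, with the new local taking the place of the `int mname, mip;` declaration deleted in the hunk at @@ -167,7 +167,6 @@. The log call that follows uses only remote_host and remote_ip, so freeing before it is safe as far as the visible lines show. auth_parse_options begins and ends outside this hunk.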
@@ -217,6 +207,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 /* deny access */
 return 0;
 }
+ xfree(patterns);
 /* Host name matches. */
 goto next_option;
 }
diff --git a/match.c b/match.c
index ebb562ab3..2e2d63092 100644
--- a/match.c
+++ b/match.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: match.c,v 1.12 2001/03/10 17:51:04 markus Exp $");
+RCSID("$OpenBSD: match.c,v 1.13 2001/06/24 05:25:10 markus Exp $");
 #include "match.h"
 #include "xmalloc.h"
@@ -162,7 +162,32 @@ match_hostname(const char *host, const char *pattern, u_int len)
 return got_positive;
 }
+/*
+ * returns 0 if we get a negative match for the hostname or the ip
+ * or if we get no match at all. returns 1 otherwise.
+ */
+int
+match_host_and_ip(const char *host, const char *ipaddr,
+ const char *patterns)
+{
+ int mhost, mip;
+ /* negative ipaddr match */
+ if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
+ return 0;
+ /* negative hostname match */
+ if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
+ return 0;
+ /* no match at all */
+ if (mhost == 0 && mip == 0)
+ return 0;
+ return 1;
+}
+
+/*
+ * Returns first item from client-list that is also supported by server-list,
+ * caller must xfree() returned string.
+ */
 #define MAX_PROP 20
 #define SEP ","
 char *
diff --git a/match.h b/match.h
index 09c931168..5faf66819 100644
--- a/match.h
+++ b/match.h
@@ -1,11 +1,9 @@
-/* $OpenBSD: match.h,v 1.7 2001/03/10 17:51:04 markus Exp $ */
+/* $OpenBSD: match.h,v 1.8 2001/06/24 05:25:10 markus Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
- * This file contains various auxiliary functions related to multiple
- * precision integers.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose. Any derived versions of this
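Review bot: `match_host_and_ip` inherits the precondition of `match_hostname` that `host` is all lowercase (stated in the comment this commit deletes from match.h), but its own header comment does not say so, and a reader of match.c alone cannot see it; add ` * host must be in all lowercase, as for match_hostname().` to the comment above the function. The two `strlen(patterns)` calls can be hoisted into a single `u_int len = strlen(patterns);` used by both `match_hostname` calls, which also puts the size_t-to-u_int narrowing in one visible place instead of two implicit conversions. The `(mip = ...) == -1` / `(mhost = ...) == -1` form hides the assignments inside the conditions; plain assignment on its own line before each test is easier to audit for an access-control decision.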
@@ -16,24 +14,10 @@
 #ifndef MATCH_H
 #define MATCH_H
-/*
- * Returns true if the given string matches the pattern (which may contain ?
- * and * as wildcards), and zero if it does not match.
- */
-int match_pattern(const char *s, const char *pattern);
-
-/*
- * Tries to match the host name (which must be in all lowercase) against the
- * comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation). Returns -1 if negation matches, 1 if there is
- * a positive match, 0 if there is no match at all.
- */
-int match_hostname(const char *host, const char *pattern, u_int len);
-
-/*
- * Returns first item from client-list that is also supported by server-list,
- * caller must xfree() returned string.
- */
+int match_pattern(const char *s, const char *pattern);
+int match_hostname(const char *host, const char *pattern, u_int len);
+int match_host_and_ip(const char *host, const char *ip, const char *p);
+int match_user(const char *u, const char *h, const char *i, const char *p);
 char *match_list(const char *client, const char *server, u_int *next);
 #endif
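Review bot: The header now declares `match_user`, but no definition of it appears anywhere in this diff; unless match.c already defines it outside the shown hunks, the prototype is dead and any caller would fail at link time, so either drop it or land it with its definition. The hunk also deletes the only written contract for `match_hostname` (-1 on a negation match, 1 on a positive match, 0 on no match, host in lowercase) without re-adding it in match.c, even though the new `match_host_and_ip` depends on exactly those three return values; keep a one-line comment on the prototype, e.g. `/* -1: negation matched, 1: positive match, 0: no match; host must be lowercase */`. The `match_list` comment was moved to match.c, which is fine.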