Commit Graph

16 Commits

Author SHA1 Message Date
dtucker@openbsd.org d9a2bc7169 upstream: Move address handling functions out into their own file
in order to reuse them for per-source maxstartups limiting.  Supplement with
some additional functions from djm's flowtools that we'll also need.  ok djm@
(as part of a larger diff).

OpenBSD-Commit-ID: e3e7d9ccc6c9b82e25cfef0ec83598e8e2327cbf
2021-01-11 15:04:12 +11:00
djm@openbsd.org 816036f142 upstream: use the new variant log macros instead of prepending
__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
2020-10-18 23:46:29 +11:00
djm@openbsd.org 1a66079c06 upstream: fix some memory leaks spotted by Coverity via Jakub Jelen
in bz#2366 feedback and ok dtucker@

OpenBSD-Commit-ID: 8402bbae67d578bedbadb0ce68ff7c5a136ef563
2018-07-31 13:13:26 +10:00
djm@openbsd.org a5ad3a9db5 upstream commit
Revert two recent changes to negated address matching. The
new behaviour offers unintuitive surprises. We'll find a better way to deal
with single negated matches.

match.c 1.31:
> fix matching for pattern lists that contain a single negated match,
> e.g. "Host !example"
>
> report and patch from Robin Becker. bz#1918 ok dtucker@

addrmatch.c 1.11:
> fix negated address matching where the address list consists of a
> single negated match, e.g. "Match addr !192.20.0.1"
>
> Report and patch from Jakub Jelen. bz#2397 ok dtucker@

Upstream-ID: ec96c770f0f5b9a54e5e72fda25387545e9c80c6
2016-09-22 03:14:59 +10:00
djm@openbsd.org 23555eb13a upstream commit
downgrade an error() to a debug2() to match similar cases
in addr_match_list()

Upstream-ID: 07c3d53e357214153d9d08f234411e0d1a3d6f5c
2016-08-29 11:17:08 +10:00
djm@openbsd.org cc182d01ce upstream commit
fix negated address matching where the address list
consists of a single negated match, e.g. "Match addr !192.20.0.1"

Report and patch from Jakub Jelen. bz#2397 ok dtucker@

Upstream-ID: 01dcac3f3e6ca47518cf293e31c73597a4bb40d8
2016-08-23 14:29:08 +10:00
markus@openbsd.org a635bd06b5 upstream commit
xmalloc.h is unused

Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58
2015-07-15 15:36:54 +10:00
Darren Tucker 7eee358d7a - dtucker@cvs.openbsd.org 2014/01/19 11:21:51
[addrmatch.c]
     Cast the sizeof to socklen_t so it'll work even if the supplied len is
     negative.  Suggested by and ok djm, ok deraadt.
2014-01-19 22:37:02 +11:00
Darren Tucker 7b1ded04ad - dtucker@cvs.openbsd.org 2014/01/19 04:17:29
[canohost.c addrmatch.c]
     Cast socklen_t when comparing to size_t and use socklen_t to iterate over
     the ip options, both to prevent signed/unsigned comparison warnings.
     Patch from vinschen at redhat via portable openssh, begrudging ok deraadt.
2014-01-19 15:30:02 +11:00
Darren Tucker a627d42e51 - djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
     ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
     gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
     auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
     servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
     auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
     sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
     kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
     kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
     monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
     ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
     sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
     ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
     dns.c packet.c readpass.c authfd.c moduli.c]
     bye, bye xfree(); ok markus@
2013-06-02 07:31:17 +10:00
Damien Miller 97f43bbfc9 - dtucker@cvs.openbsd.org 2012/06/21 00:16:07
[addrmatch.c]
     fix strlcpy truncation check.  from carsten at debian org, ok markus
2012-06-30 08:32:29 +10:00
Damien Miller 0a80ca190a - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
     Add support for certificate key types for users and hosts.

     OpenSSH certificate key types are not X.509 certificates, but a much
     simpler format that encodes a public key, identity information and
     some validity constraints and signs it with a CA key. CA keys are
     regular SSH keys. This certificate style avoids the attack surface
     of X.509 certificates and is very easy to deploy.

     Certified host keys allow automatic acceptance of new host keys
     when a CA certificate is marked as sh/known_hosts.
     see VERIFYING HOST KEYS in ssh(1) for details.

     Certified user keys allow authentication of users when the signing
     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
     FILE FORMAT" in sshd(8) for details.

     Certificates are minted using ssh-keygen(1), documentation is in
     the "CERTIFICATES" section of that manpage.

     Documentation on the format of certificates is in the file
     PROTOCOL.certkeys

     feedback and ok markus@
2010-02-27 07:55:05 +11:00
Damien Miller 7375fe2c6d - stevesk@cvs.openbsd.org 2008/12/10 03:55:20
[addrmatch.c]
     o cannot be NULL here but use xfree() to be consistent; ok djm@
2009-01-28 16:16:00 +11:00
Tim Rice 0f4d2c02f2 - (tim) [addrmatch.c configure.ac] Some platforms do not have sin6_scope_id
member of sockaddr_in6. Also reported in Bug 1491 by David Leonard. OK and
   feedback by djm@
2008-11-18 21:26:41 -08:00
Darren Tucker 896ad5a4e4 - djm@cvs.openbsd.org 2008/06/10 23:06:19
[auth-options.c match.c servconf.c addrmatch.c sshd.8]
     support CIDR address matching in .ssh/authorized_keys from="..." stanzas
     ok and extensive testing dtucker@
2008-06-11 09:34:46 +10:00
Darren Tucker 7a3935de2f - (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/06/10 03:57:27
     [servconf.c match.h sshd_config.5]
     support CIDR address matching in sshd_config "Match address" blocks, with
     full support for negation and fall-back to classic wildcard matching.
     For example:
     Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
         PasswordAuthentication yes
     addrmatch.c code mostly lifted from flowd's addr.c
     feedback and ok dtucker@
2008-06-10 22:59:10 +10:00