- markus@cvs.openbsd.org 2001/06/24 05:25:10
[auth-options.c match.c match.h]
move ip+hostname check to match.c
diff --git a/ChangeLog b/ChangeLog
index a638c64..590ac58 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -92,6 +92,9 @@
[sshconnect1.c]
consistent with ssh2: skip key if empty passphrase is entered,
retry num_of_passwd_prompt times if passphrase is wrong. ok fgsch@
+ - markus@cvs.openbsd.org 2001/06/24 05:25:10
+ [auth-options.c match.c match.h]
+ move ip+hostname check to match.c
20010622
- (stevesk) handle systems without pw_expire and pw_change.
@@ -5776,4 +5779,4 @@
- Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1
-$Id: ChangeLog,v 1.1319 2001/06/25 05:16:02 mouring Exp $
+$Id: ChangeLog,v 1.1320 2001/06/25 05:17:53 mouring Exp $
diff --git a/auth-options.c b/auth-options.c
index 210fbe7..83ef02c 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.18 2001/05/31 10:30:12 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.19 2001/06/24 05:25:09 markus Exp $");
#include "packet.h"
#include "xmalloc.h"
@@ -167,7 +167,6 @@
}
cp = "from=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- int mname, mip;
const char *remote_ip = get_remote_ipaddr();
const char *remote_host = get_canonical_hostname(
options.reverse_mapping_check);
@@ -195,18 +194,9 @@
}
patterns[i] = 0;
opts++;
- /*
- * Deny access if we get a negative
- * match for the hostname or the ip
- * or if we get not match at all
- */
- mname = match_hostname(remote_host, patterns,
- strlen(patterns));
- mip = match_hostname(remote_ip, patterns,
- strlen(patterns));
- xfree(patterns);
- if (mname == -1 || mip == -1 ||
- (mname != 1 && mip != 1)) {
+ if (match_host_and_ip(remote_host, remote_ip,
+ patterns) != 1) {
+ xfree(patterns);
log("Authentication tried for %.100s with "
"correct key but not from a permitted "
"host (host=%.200s, ip=%.200s).",
@@ -217,6 +207,7 @@
/* deny access */
return 0;
}
+ xfree(patterns);
/* Host name matches. */
goto next_option;
}
diff --git a/match.c b/match.c
index ebb562a..2e2d630 100644
--- a/match.c
+++ b/match.c
@@ -35,7 +35,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: match.c,v 1.12 2001/03/10 17:51:04 markus Exp $");
+RCSID("$OpenBSD: match.c,v 1.13 2001/06/24 05:25:10 markus Exp $");
#include "match.h"
#include "xmalloc.h"
@@ -162,7 +162,32 @@
return got_positive;
}
+/*
+ * returns 0 if we get a negative match for the hostname or the ip
+ * or if we get no match at all. returns 1 otherwise.
+ */
+int
+match_host_and_ip(const char *host, const char *ipaddr,
+ const char *patterns)
+{
+ int mhost, mip;
+ /* negative ipaddr match */
+ if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
+ return 0;
+ /* negative hostname match */
+ if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
+ return 0;
+ /* no match at all */
+ if (mhost == 0 && mip == 0)
+ return 0;
+ return 1;
+}
+
+/*
+ * Returns first item from client-list that is also supported by server-list,
+ * caller must xfree() returned string.
+ */
#define MAX_PROP 20
#define SEP ","
char *
diff --git a/match.h b/match.h
index 09c9311..5faf668 100644
--- a/match.h
+++ b/match.h
@@ -1,11 +1,9 @@
-/* $OpenBSD: match.h,v 1.7 2001/03/10 17:51:04 markus Exp $ */
+/* $OpenBSD: match.h,v 1.8 2001/06/24 05:25:10 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
- * This file contains various auxiliary functions related to multiple
- * precision integers.
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
@@ -16,24 +14,10 @@
#ifndef MATCH_H
#define MATCH_H
-/*
- * Returns true if the given string matches the pattern (which may contain ?
- * and * as wildcards), and zero if it does not match.
- */
-int match_pattern(const char *s, const char *pattern);
-
-/*
- * Tries to match the host name (which must be in all lowercase) against the
- * comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation). Returns -1 if negation matches, 1 if there is
- * a positive match, 0 if there is no match at all.
- */
-int match_hostname(const char *host, const char *pattern, u_int len);
-
-/*
- * Returns first item from client-list that is also supported by server-list,
- * caller must xfree() returned string.
- */
+int match_pattern(const char *s, const char *pattern);
+int match_hostname(const char *host, const char *pattern, u_int len);
+int match_host_and_ip(const char *host, const char *ip, const char *p);
+int match_user(const char *u, const char *h, const char *i, const char *p);
char *match_list(const char *client, const char *server, u_int *next);
#endif