

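--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -879,6 +879,26 @@ match_test_missing_fatal(const char *cri
 }
 
 /*
+ * Return a connection_info structure that can never match, which is used
+ * for sshd -T test mode.  We can't use NULL since that's already used
+ * for "not provided".
+ */
+static const char *param_nevermatch = "this can never match";
+struct connection_info *
+nevermatch_connection_info(void)
+{
+	struct connection_info *ci = get_connection_info(0,0);
+
+	ci->user = param_nevermatch;
+	ci->host = param_nevermatch;
+	ci->address = param_nevermatch;
+	ci->laddress = param_nevermatch;
+	ci->rdomain = param_nevermatch;
+	ci->lport = -1;
+	return ci;
+}
+
+/*
  * All of the attributes on a single Match line are ANDed together, so we need
  * to check every attribute and set the result to zero if any attribute does
  * not match.
@@ -915,7 +935,7 @@ match_cfg_line(char **condition, int lin
 			return -1;
 		}
 		if (strcasecmp(attrib, "user") == 0) {
-			if (ci == NULL) {
+			if (ci == NULL || ci->user == param_nevermatch) {
 				result = 0;
 				continue;
 			}
@@ -927,7 +947,7 @@ match_cfg_line(char **condition, int lin
 				debug("user %.100s matched 'User %.100s' at "
 				    "line %d", ci->user, arg, line);
 		} else if (strcasecmp(attrib, "group") == 0) {
-			if (ci == NULL) {
+			if (ci == NULL || ci->user == param_nevermatch) {
 				result = 0;
 				continue;
 			}
@@ -940,7 +960,7 @@ match_cfg_line(char **condition, int lin
 				result = 0;
 			}
 		} else if (strcasecmp(attrib, "host") == 0) {
-			if (ci == NULL) {
+			if (ci == NULL || ci->host == param_nevermatch) {
 				result = 0;
 				continue;
 			}
@@ -952,7 +972,7 @@ match_cfg_line(char **condition, int lin
 				debug("connection from %.100s matched 'Host "
 				    "%.100s' at line %d", ci->host, arg, line);
 		} else if (strcasecmp(attrib, "address") == 0) {
-			if (ci == NULL) {
+			if (ci == NULL || ci->address == param_nevermatch) {
 				result = 0;
 				continue;
 			}
@@ -971,7 +991,7 @@ match_cfg_line(char **condition, int lin
 				return -1;
 			}
 		} else if (strcasecmp(attrib, "localaddress") == 0){
-			if (ci == NULL) {
+			if (ci == NULL || ci->laddress == param_nevermatch) {
 				result = 0;
 				continue;
 			}
@@ -997,7 +1017,7 @@ match_cfg_line(char **condition, int lin
 				    arg);
 				return -1;
 			}
-			if (ci == NULL) {
+			if (ci == NULL || ci->lport == -1) {
 				result = 0;
 				continue;
 			}
@@ -1011,10 +1031,12 @@ match_cfg_line(char **condition, int lin
 			else
 				result = 0;
 		} else if (strcasecmp(attrib, "rdomain") == 0) {
-			if (ci == NULL || ci->rdomain == NULL) {
+			if (ci == NULL || ci->rdomain == param_nevermatch) {
 				result = 0;
 				continue;
 			}
+			if (ci->rdomain == NULL)
+				match_test_missing_fatal("RDomain", "rdomain");
 			if (match_pattern_list(ci->rdomain, arg, 0) != 1)
 				result = 0;
 			else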
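Review bot: A live connection whose ci->rdomain is NULL is now a fatal() rather than a non-match: the last hunk replaces the guard `if (ci == NULL || ci->rdomain == NULL)` with a sentinel-only check and adds `if (ci->rdomain == NULL) match_test_missing_fatal("RDomain", "rdomain");`, which runs for any real ci that gets past the guard. Whether sshd can hand match_cfg_line() a populated ci with rdomain unset cannot be seen from these hunks; if it can (for instance on a platform with no routing-domain support), a single `Match RDomain` line would then abort the connection handler for every client instead of simply not matching, which is a behaviour change worth stating in the commit message and in a comment above the new check, e.g. `/* A real connection with no known rdomain is a configuration error, not a non-match. */`. Separately, param_nevermatch is compared by address in every branch, so declare it `static const char *const param_nevermatch = "this can never match";` so the pointer itself cannot be reassigned, and the call `get_connection_info(0,0)` in nevermatch_connection_info() wants the file's usual `(0, 0)` spacing. match_cfg_line() begins and ends outside these hunks.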
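--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -271,5 +271,6 @@ void servconf_add_hostkey(const char *,
 	    ServerOptions *, const char *path);
 void	 servconf_add_hostcert(const char *, const int,
 	    ServerOptions *, const char *path);
+struct	 connection_info * nevermatch_connection_info(void);
 
 #endif				/* SERVCONF_H */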
(-)usr.bin/ssh/sshd.c (-1 / +1 lines)
Lines 1731-1737 main(int ac, char **av) Link Here
1731
		 * use a blank one that will cause no predicate to match.
1731
		 * use a blank one that will cause no predicate to match.
1732
		 */
1732
		 */
1733
		if (connection_info == NULL)
1733
		if (connection_info == NULL)
1734
			connection_info = get_connection_info(0, 0);
1734
			connection_info = nevermatch_connection_info();
1735
		parse_server_match_config(&options, connection_info);
1735
		parse_server_match_config(&options, connection_info);
1736
		dump_config(&options);
1736
		dump_config(&options);
1737
	}
1737
	}
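Review bot: The comment above the call, which still reads `use a blank one that will cause no predicate to match`, no longer describes the code: the line that appears to be the new side asks for nevermatch_connection_info(), whose fields are sentinel values rather than blanks (its prototype is the line added to servconf.h in this same patch). Update it to `use a sentinel one that no Match predicate can match` so the next reader does not go looking for an all-NULL struct. The first line of that comment and the rest of main() are outside the hunk.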
(-)regress/usr.bin/ssh/cfgmatch.sh (-2 / +46 lines)
Lines 51-59 echo "AuthorizedKeysFile /dev/null $OBJ/ Link Here
51
echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
51
echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
52
echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
52
echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
53
53
54
start_sshd
54
${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
55
    fail "config w/match fails config test"
55
56
56
#set -x
57
start_sshd
57
58
58
# Test Match + PermitOpen in sshd_config.  This should be permitted
59
# Test Match + PermitOpen in sshd_config.  This should be permitted
59
trace "match permitopen localhost"
60
trace "match permitopen localhost"
Lines 113-115 start_client -F $OBJ/ssh_proxy Link Here
113
${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
114
${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
114
    fail "nomatch override permitopen"
115
    fail "nomatch override permitopen"
115
stop_client
116
stop_client
117
118
# Test parsing of available Match criteria (with the exception of Group which
119
# requires knowing actual group memberships.
120
params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \
121
    localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1"
122
cp $OBJ/sshd_proxy_bak $OBJ/sshd_config
123
echo 'Banner /nomatch' >>$OBJ/sshd_config
124
for i in $params; do
125
	config=`echo $i | cut -f1 -d:`
126
	criteria=`echo $i | cut -f2 -d:`
127
	value=`echo $i | cut -f3 -d:`
128
	cat >>$OBJ/sshd_config <<EOD
129
	    Match $config $value
130
	      Banner /$value
131
EOD
132
done
133
134
${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
135
    fail "validate config for w/out spec"
136
137
# Test matching each criteria.
138
for i in $params; do
139
	testcriteria=`echo $i | cut -f2 -d:`
140
	expected=/`echo $i | cut -f3 -d:`
141
	spec=""
142
	for j in $params; do
143
		config=`echo $j | cut -f1 -d:`
144
		criteria=`echo $j | cut -f2 -d:`
145
		value=`echo $j | cut -f3 -d:`
146
		if [ "$criteria" = "$testcriteria" ]; then
147
			spec="$criteria=$value,$spec"
148
		else
149
			spec="$criteria=1$value,$spec"
150
		fi
151
	done
152
	trace "test spec $spec"
153
	result=`${SSHD} -f $OBJ/sshd_config -T -C "$spec" | \
154
	    awk '$1=="banner"{print $2}'`
155
	if [ "$result" != "$expected" ]; then
156
		fail "match $config expected $expected got $result"
157
	fi
158
done
159
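Review bot: The failure message in the matching loop names the wrong criterion: `config` is reassigned by the inner `for j in $params` loop, so `fail "match $config expected $expected got $result"` always reports the last entry (rdomain) rather than the criterion under test; use `fail "match $testcriteria expected $expected got $result"`. The exit status of `${SSHD} -f $OBJ/sshd_config -T -C "$spec"` is also lost behind the pipe into awk, so a spec that sshd rejects outright surfaces as a banner mismatch rather than as a parse failure; a preceding `${SSHD} -f $OBJ/sshd_config -T -C "$spec" >/dev/null || fail "config test failed for $spec"` would make the cause clear. The comment above the params list is missing its closing parenthesis, and `criteria` is assigned but unused in the first loop.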
