[rsync/rsync.git] / access.c

/*
 * Routines to authenticate access to a daemon (hosts allow/deny).
 *
 * Copyright (C) 1998 Andrew Tridgell
 * Copyright (C) 2004-2009 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, visit the http://fsf.org website.
 */

#include "rsync.h"

static int match_hostname(const char *host, const char *tok)
{
	if (!host || !*host)
		return 0;
	return iwildmatch(tok, host);
}

static int match_binary(const char *b1, const char *b2, const char *mask, int addrlen)
{
	int i;

	for (i = 0; i < addrlen; i++) {
		if ((b1[i] ^ b2[i]) & mask[i])
			return 0;
	}

	return 1;
}

static void make_mask(char *mask, int plen, int addrlen)
{
	int w, b;

	w = plen >> 3;
	b = plen & 0x7;

	if (w)
		memset(mask, 0xff, w);
	if (w < addrlen)
		mask[w] = 0xff & (0xff<<(8-b));
	if (w+1 < addrlen)
		memset(mask+w+1, 0, addrlen-w-1);

	return;
}

static int match_address(const char *addr, const char *tok)
{
	char *p;
	struct addrinfo hints, *resa, *rest;
	int gai;
	int ret = 0;
	int addrlen = 0;
#ifdef HAVE_STRTOL
	long int bits;
#else
	int bits;
#endif
	char mask[16];
	char *a = NULL, *t = NULL;
	unsigned int len;

	if (!addr || !*addr)
		return 0;

	p = strchr(tok,'/');
	if (p) {
		*p = '\0';
		len = p - tok;
	} else
		len = strlen(tok);

	/* Fail quietly if tok is a hostname (not an address) */
	if (strspn(tok, ".0123456789") != len
#ifdef INET6
	    && strchr(tok, ':') == NULL
#endif
	) {
		if (p)
			*p = '/';
		return 0;
	}

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
#ifdef AI_NUMERICHOST
	hints.ai_flags = AI_NUMERICHOST;
#endif

	if (getaddrinfo(addr, NULL, &hints, &resa) != 0) {
		if (p)
			*p = '/';
		return 0;
	}

	gai = getaddrinfo(tok, NULL, &hints, &rest);
	if (p)
		*p++ = '/';
	if (gai != 0) {
		rprintf(FLOG, "error matching address %s: %s\n",
			tok, gai_strerror(gai));
		freeaddrinfo(resa);
		return 0;
	}

	if (rest->ai_family != resa->ai_family) {
		ret = 0;
		goto out;
	}

	switch(resa->ai_family) {
	case PF_INET:
		a = (char *)&((struct sockaddr_in *)resa->ai_addr)->sin_addr;
		t = (char *)&((struct sockaddr_in *)rest->ai_addr)->sin_addr;
		addrlen = 4;

		break;

#ifdef INET6
	case PF_INET6:
	    {
		struct sockaddr_in6 *sin6a, *sin6t;

		sin6a = (struct sockaddr_in6 *)resa->ai_addr;
		sin6t = (struct sockaddr_in6 *)rest->ai_addr;

		a = (char *)&sin6a->sin6_addr;
		t = (char *)&sin6t->sin6_addr;

		addrlen = 16;

#ifdef HAVE_SOCKADDR_IN6_SCOPE_ID
		if (sin6t->sin6_scope_id &&
		    sin6a->sin6_scope_id != sin6t->sin6_scope_id) {
			ret = 0;
			goto out;
		}
#endif

		break;
	    }
#endif
	default:
	    rprintf(FLOG, "unknown family %u\n", rest->ai_family);
	    ret = 0;
	    goto out;
	}

	bits = -1;
	if (p) {
		if (inet_pton(resa->ai_addr->sa_family, p, mask) <= 0) {
#ifdef HAVE_STRTOL
			char *ep = NULL;
#else
			unsigned char *pp;
#endif

#ifdef HAVE_STRTOL
			bits = strtol(p, &ep, 10);
			if (!*p || *ep) {
				rprintf(FLOG, "malformed mask in %s\n", tok);
				ret = 0;
				goto out;
			}
#else
			for (pp = (unsigned char *)p; *pp; pp++) {
				if (!isascii(*pp) || !isdigit(*pp)) {
					rprintf(FLOG, "malformed mask in %s\n", tok);
					ret = 0;
					goto out;
				}
			}
			bits = atoi(p);
#endif
			if (bits == 0) {
				ret = 1;
				goto out;
			}
			if (bits < 0 || bits > (addrlen << 3)) {
				rprintf(FLOG, "malformed mask in %s\n", tok);
				ret = 0;
				goto out;
			}
		}
	} else {
		bits = 128;
	}

	if (bits >= 0)
		make_mask(mask, bits, addrlen);

	ret = match_binary(a, t, mask, addrlen);

  out:
	freeaddrinfo(resa);
	freeaddrinfo(rest);
	return ret;
}

static int access_match(const char *list, const char *addr, const char *host)
{
	char *tok;
	char *list2 = strdup(list);

	if (!list2)
		out_of_memory("access_match");

	strlower(list2);

	for (tok = strtok(list2, " ,\t"); tok; tok = strtok(NULL, " ,\t")) {
		if (match_hostname(host, tok) || match_address(addr, tok)) {
			free(list2);
			return 1;
		}
	}

	free(list2);
	return 0;
}

int allow_access(const char *addr, const char *host,
		 const char *allow_list, const char *deny_list)
{
	if (allow_list && !*allow_list)
		allow_list = NULL;
	if (deny_list && !*deny_list)
		deny_list = NULL;

	/* If we match an allow-list item, we always allow access. */
	if (allow_list) {
		if (access_match(allow_list, addr, host))
			return 1;
		/* For an allow-list w/o a deny-list, disallow non-matches. */
		if (!deny_list)
			return 0;
	}

	/* If we match a deny-list item (and got past any allow-list
	 * items), we always disallow access. */
	if (deny_list && access_match(deny_list, addr, host))
		return 0;

	/* Allow all other access. */
	return 1;
}
Commit	Line	Data
56c473b7	1	/*
0f78b815 WD	2	* Routines to authenticate access to a daemon (hosts allow/deny).
	3	*
	4	* Copyright (C) 1998 Andrew Tridgell
b3bf9b9d	5	* Copyright (C) 2004-2009 Wayne Davison
0f78b815 WD	6	*
0f78b815 WD	7	* This program is free software; you can redistribute it and/or modify
8e41b68e WD	8	* it under the terms of the GNU General Public License as published by
	9	* the Free Software Foundation; either version 3 of the License, or
	10	* (at your option) any later version.
0f78b815 WD	11	*
	12	* This program is distributed in the hope that it will be useful,
	13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	15	* GNU General Public License for more details.
	16	*
e7c67065	17	* You should have received a copy of the GNU General Public License along
4fd842f9	18	* with this program; if not, visit the http://fsf.org website.
0f78b815	19	*/
56c473b7 AT	20
	21	#include "rsync.h"
	22
df694f72	23	static int match_hostname(const char host, const char tok)
56c473b7	24	{
36142821 WD	25	if (!host \|\| !*host)
36142821 WD	26	return 0;
df694f72	27	return iwildmatch(tok, host);
56c473b7 AT	28	}
56c473b7 AT	29
df694f72	30	static int match_binary(const char b1, const char b2, const char *mask, int addrlen)
bc2b4963 DD	31	{
	32	int i;
	33
36142821 WD	34	for (i = 0; i < addrlen; i++) {
36142821 WD	35	if ((b1[i] ^ b2[i]) & mask[i])
bc2b4963	36	return 0;
bc2b4963 DD	37	}
	38
	39	return 1;
	40	}
	41
36142821 WD	42	static void make_mask(char *mask, int plen, int addrlen)
36142821 WD	43	{
bc2b4963 DD	44	int w, b;
	45
	46	w = plen >> 3;
	47	b = plen & 0x7;
	48
	49	if (w)
	50	memset(mask, 0xff, w);
7bc8218d DD	51	if (w < addrlen)
7bc8218d DD	52	mask[w] = 0xff & (0xff<<(8-b));
bc2b4963 DD	53	if (w+1 < addrlen)
	54	memset(mask+w+1, 0, addrlen-w-1);
	55
	56	return;
	57	}
56c473b7	58
df694f72	59	static int match_address(const char addr, const char tok)
56c473b7 AT	60	{
56c473b7 AT	61	char *p;
bc2b4963 DD	62	struct addrinfo hints, resa, rest;
	63	int gai;
	64	int ret = 0;
	65	int addrlen = 0;
4f5b0756	66	#ifdef HAVE_STRTOL
bc2b4963 DD	67	long int bits;
	68	#else
	69	int bits;
	70	#endif
	71	char mask[16];
	72	char a = NULL, t = NULL;
32f60a6e	73	unsigned int len;
56c473b7	74
36142821 WD	75	if (!addr \|\| !*addr)
36142821 WD	76	return 0;
56c473b7	77
56c473b7	78	p = strchr(tok,'/');
32f60a6e WD	79	if (p) {
	80	*p = '\0';
	81	len = p - tok;
36142821	82	} else
32f60a6e	83	len = strlen(tok);
56c473b7	84
32f60a6e	85	/* Fail quietly if tok is a hostname (not an address) */
b49d381d	86	if (strspn(tok, ".0123456789") != len
4f5b0756	87	#ifdef INET6
be7cf822	88	&& strchr(tok, ':') == NULL
32f60a6e	89	#endif
be7cf822 WD	90	) {
	91	if (p)
	92	*p = '/';
	93	return 0;
	94	}
70a6051c	95
bc2b4963 DD	96	memset(&hints, 0, sizeof(hints));
	97	hints.ai_family = PF_UNSPEC;
	98	hints.ai_socktype = SOCK_STREAM;
8d2aad49	99	#ifdef AI_NUMERICHOST
bc2b4963	100	hints.ai_flags = AI_NUMERICHOST;
8d2aad49	101	#endif
56c473b7	102
be7cf822 WD	103	if (getaddrinfo(addr, NULL, &hints, &resa) != 0) {
	104	if (p)
	105	*p = '/';
	106	return 0;
	107	}
56c473b7	108
bc2b4963 DD	109	gai = getaddrinfo(tok, NULL, &hints, &rest);
	110	if (p)
	111	*p++ = '/';
be7cf822 WD	112	if (gai != 0) {
	113	rprintf(FLOG, "error matching address %s: %s\n",
	114	tok, gai_strerror(gai));
bc2b4963	115	freeaddrinfo(resa);
56c473b7 AT	116	return 0;
	117	}
	118
bc2b4963 DD	119	if (rest->ai_family != resa->ai_family) {
	120	ret = 0;
	121	goto out;
	122	}
	123
	124	switch(resa->ai_family) {
	125	case PF_INET:
	126	a = (char )&((struct sockaddr_in )resa->ai_addr)->sin_addr;
	127	t = (char )&((struct sockaddr_in )rest->ai_addr)->sin_addr;
	128	addrlen = 4;
	129
	130	break;
	131
4f5b0756	132	#ifdef INET6
bc2b4963 DD	133	case PF_INET6:
	134	{
	135	struct sockaddr_in6 sin6a, sin6t;
56c473b7	136
bc2b4963 DD	137	sin6a = (struct sockaddr_in6 *)resa->ai_addr;
	138	sin6t = (struct sockaddr_in6 *)rest->ai_addr;
	139
	140	a = (char *)&sin6a->sin6_addr;
	141	t = (char *)&sin6t->sin6_addr;
	142
7bc8218d DD	143	addrlen = 16;
7bc8218d DD	144
4f5b0756	145	#ifdef HAVE_SOCKADDR_IN6_SCOPE_ID
bc2b4963 DD	146	if (sin6t->sin6_scope_id &&
	147	sin6a->sin6_scope_id != sin6t->sin6_scope_id) {
	148	ret = 0;
	149	goto out;
	150	}
	151	#endif
	152
bc2b4963 DD	153	break;
	154	}
	155	#endif
	156	default:
be7cf822	157	rprintf(FLOG, "unknown family %u\n", rest->ai_family);
bc2b4963 DD	158	ret = 0;
	159	goto out;
	160	}
	161
	162	bits = -1;
56c473b7	163	if (p) {
bc2b4963	164	if (inet_pton(resa->ai_addr->sa_family, p, mask) <= 0) {
4f5b0756	165	#ifdef HAVE_STRTOL
bc2b4963 DD	166	char *ep = NULL;
	167	#else
	168	unsigned char *pp;
	169	#endif
	170
4f5b0756	171	#ifdef HAVE_STRTOL
bc2b4963 DD	172	bits = strtol(p, &ep, 10);
bc2b4963 DD	173	if (!p \|\| ep) {
be7cf822	174	rprintf(FLOG, "malformed mask in %s\n", tok);
bc2b4963 DD	175	ret = 0;
	176	goto out;
	177	}
	178	#else
	179	for (pp = (unsigned char )p; pp; pp++) {
	180	if (!isascii(pp) \|\| !isdigit(pp)) {
be7cf822	181	rprintf(FLOG, "malformed mask in %s\n", tok);
bc2b4963 DD	182	ret = 0;
	183	goto out;
	184	}
56c473b7	185	}
bc2b4963 DD	186	bits = atoi(p);
	187	#endif
	188	if (bits == 0) {
	189	ret = 1;
	190	goto out;
	191	}
	192	if (bits < 0 \|\| bits > (addrlen << 3)) {
be7cf822	193	rprintf(FLOG, "malformed mask in %s\n", tok);
bc2b4963 DD	194	ret = 0;
bc2b4963 DD	195	goto out;
56c473b7	196	}
56c473b7	197	}
bc2b4963 DD	198	} else {
bc2b4963 DD	199	bits = 128;
56c473b7 AT	200	}
56c473b7 AT	201
bc2b4963 DD	202	if (bits >= 0)
	203	make_mask(mask, bits, addrlen);
	204
	205	ret = match_binary(a, t, mask, addrlen);
	206
2997e9f7	207	out:
bc2b4963 DD	208	freeaddrinfo(resa);
	209	freeaddrinfo(rest);
	210	return ret;
56c473b7 AT	211	}
56c473b7 AT	212
df694f72	213	static int access_match(const char list, const char addr, const char *host)
56c473b7 AT	214	{
	215	char *tok;
	216	char *list2 = strdup(list);
	217
36142821 WD	218	if (!list2)
36142821 WD	219	out_of_memory("access_match");
56c473b7	220
5a96ee05	221	strlower(list2);
5a96ee05	222
36142821	223	for (tok = strtok(list2, " ,\t"); tok; tok = strtok(NULL, " ,\t")) {
56c473b7 AT	224	if (match_hostname(host, tok) \|\| match_address(addr, tok)) {
	225	free(list2);
	226	return 1;
	227	}
	228	}
	229
	230	free(list2);
	231	return 0;
	232	}
	233
df694f72 WD	234	int allow_access(const char addr, const char host,
df694f72 WD	235	const char allow_list, const char deny_list)
56c473b7	236	{
36142821 WD	237	if (allow_list && !*allow_list)
	238	allow_list = NULL;
	239	if (deny_list && !*deny_list)
	240	deny_list = NULL;
	241
	242	/* If we match an allow-list item, we always allow access. */
	243	if (allow_list) {
	244	if (access_match(allow_list, addr, host))
	245	return 1;
	246	/* For an allow-list w/o a deny-list, disallow non-matches. */
	247	if (!deny_list)
	248	return 0;
	249	}
	250
	251	/* If we match a deny-list item (and got past any allow-list
	252	* items), we always disallow access. */
	253	if (deny_list && access_match(deny_list, addr, host))
56c473b7 AT	254	return 0;
56c473b7 AT	255
36142821	256	/* Allow all other access. */
56c473b7 AT	257	return 1;
56c473b7 AT	258	}