1
/* $OpenBSD: addrmatch.c,v 1.3 2008/06/10 23:06:19 djm Exp $ */
4
* Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
6
* Permission to use, copy, modify, and distribute this software for any
7
* purpose with or without fee is hereby granted, provided that the above
8
* copyright notice and this permission notice appear in all copies.
10
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21
#include <sys/types.h>
22
#include <sys/socket.h>
23
#include <netinet/in.h>
24
#include <arpa/inet.h>
42
} xa; /* 128-bit address */
43
u_int32_t scope_id; /* iface scope id for v6 */
46
#define addr8 xa.addr8
47
#define addr32 xa.addr32
51
addr_unicast_masklen(int af)
64
masklen_valid(int af, u_int masklen)
68
return masklen <= 32 ? 0 : -1;
70
return masklen <= 128 ? 0 : -1;
77
* Convert struct sockaddr to struct xaddr
78
* Returns 0 on success, -1 on failure.
81
addr_sa_to_xaddr(struct sockaddr *sa, socklen_t slen, struct xaddr *xa)
83
struct sockaddr_in *in4 = (struct sockaddr_in *)sa;
84
struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)sa;
86
memset(xa, '\0', sizeof(*xa));
88
switch (sa->sa_family) {
90
if (slen < sizeof(*in4))
93
memcpy(&xa->v4, &in4->sin_addr, sizeof(xa->v4));
96
if (slen < sizeof(*in6))
99
memcpy(&xa->v6, &in6->sin6_addr, sizeof(xa->v6));
100
xa->scope_id = in6->sin6_scope_id;
110
* Calculate a netmask of length 'l' for address family 'af' and
112
* Returns 0 on success, -1 on failure.
115
addr_netmask(int af, u_int l, struct xaddr *n)
119
if (masklen_valid(af, l) != 0 || n == NULL)
122
memset(n, '\0', sizeof(*n));
126
n->v4.s_addr = htonl((0xffffffff << (32 - l)) & 0xffffffff);
130
for (i = 0; i < 4 && l >= 32; i++, l -= 32)
131
n->addr32[i] = 0xffffffffU;
133
n->addr32[i] = htonl((0xffffffff << (32 - l)) &
142
* Perform logical AND of addresses 'a' and 'b', storing result in 'dst'.
143
* Returns 0 on success, -1 on failure.
146
addr_and(struct xaddr *dst, const struct xaddr *a, const struct xaddr *b)
150
if (dst == NULL || a == NULL || b == NULL || a->af != b->af)
153
memcpy(dst, a, sizeof(*dst));
156
dst->v4.s_addr &= b->v4.s_addr;
159
dst->scope_id = a->scope_id;
160
for (i = 0; i < 4; i++)
161
dst->addr32[i] &= b->addr32[i];
169
* Compare addresses 'a' and 'b'
170
* Return 0 if addresses are identical, -1 if (a < b) or 1 if (a > b)
173
addr_cmp(const struct xaddr *a, const struct xaddr *b)
178
return a->af == AF_INET6 ? 1 : -1;
182
if (a->v4.s_addr == b->v4.s_addr)
184
return ntohl(a->v4.s_addr) > ntohl(b->v4.s_addr) ? 1 : -1;
186
for (i = 0; i < 16; i++)
187
if (a->addr8[i] - b->addr8[i] != 0)
188
return a->addr8[i] > b->addr8[i] ? 1 : -1;
189
if (a->scope_id == b->scope_id)
191
return a->scope_id > b->scope_id ? 1 : -1;
198
* Parse string address 'p' into 'n'
199
* Returns 0 on success, -1 on failure.
202
addr_pton(const char *p, struct xaddr *n)
204
struct addrinfo hints, *ai;
206
memset(&hints, '\0', sizeof(hints));
207
hints.ai_flags = AI_NUMERICHOST;
209
if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0)
212
if (ai == NULL || ai->ai_addr == NULL)
216
addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen, n) == -1) {
226
* Perform bitwise negation of address
227
* Returns 0 on success, -1 on failure.
230
addr_invert(struct xaddr *n)
239
n->v4.s_addr = ~n->v4.s_addr;
242
for (i = 0; i < 4; i++)
243
n->addr32[i] = ~n->addr32[i];
251
* Calculate a netmask of length 'l' for address family 'af' and
253
* Returns 0 on success, -1 on failure.
256
addr_hostmask(int af, u_int l, struct xaddr *n)
258
if (addr_netmask(af, l, n) == -1 || addr_invert(n) == -1)
264
* Test whether address 'a' is all zeros (i.e. 0.0.0.0 or ::)
265
* Returns 0 on if address is all-zeros, -1 if not all zeros or on failure.
268
addr_is_all0s(const struct xaddr *a)
274
return (a->v4.s_addr == 0 ? 0 : -1);
276
for (i = 0; i < 4; i++)
277
if (a->addr32[i] != 0)
286
* Test whether host portion of address 'a', as determined by 'masklen'
288
* Returns 0 on if host portion of address is all-zeros,
289
* -1 if not all zeros or on failure.
292
addr_host_is_all0s(const struct xaddr *a, u_int masklen)
294
struct xaddr tmp_addr, tmp_mask, tmp_result;
296
memcpy(&tmp_addr, a, sizeof(tmp_addr));
297
if (addr_hostmask(a->af, masklen, &tmp_mask) == -1)
299
if (addr_and(&tmp_result, &tmp_addr, &tmp_mask) == -1)
301
return (addr_is_all0s(&tmp_result));
305
* Parse a CIDR address (x.x.x.x/y or xxxx:yyyy::/z).
306
* Return -1 on parse error, -2 on inconsistency or 0 on success.
309
addr_pton_cidr(const char *p, struct xaddr *n, u_int *l)
312
long unsigned int masklen = 999;
313
char addrbuf[64], *mp, *cp;
315
/* Don't modify argument */
316
if (p == NULL || strlcpy(addrbuf, p, sizeof(addrbuf)) > sizeof(addrbuf))
319
if ((mp = strchr(addrbuf, '/')) != NULL) {
322
masklen = strtoul(mp, &cp, 10);
323
if (*mp == '\0' || *cp != '\0' || masklen > 128)
327
if (addr_pton(addrbuf, &tmp) == -1)
331
masklen = addr_unicast_masklen(tmp.af);
332
if (masklen_valid(tmp.af, masklen) == -1)
334
if (addr_host_is_all0s(&tmp, masklen) != 0)
338
memcpy(n, &tmp, sizeof(*n));
346
addr_netmatch(const struct xaddr *host, const struct xaddr *net, u_int masklen)
348
struct xaddr tmp_mask, tmp_result;
350
if (host->af != net->af)
353
if (addr_netmask(host->af, masklen, &tmp_mask) == -1)
355
if (addr_and(&tmp_result, host, &tmp_mask) == -1)
357
return addr_cmp(&tmp_result, net);
361
* Match "addr" against list pattern list "_list", which may contain a
362
* mix of CIDR addresses and old-school wildcards.
364
* If addr is NULL, then no matching is performed, but _list is parsed
365
* and checked for well-formedness.
367
* Returns 1 on match found (never returned when addr == NULL).
368
* Returns 0 on if no match found, or no errors found when addr == NULL.
369
* Returns -1 on negated match found (never returned when addr == NULL).
370
* Returns -2 on invalid list entry.
373
addr_match_list(const char *addr, const char *_list)
376
struct xaddr try_addr, match_addr;
380
if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
381
debug2("%s: couldn't parse address %.100s", __func__, addr);
384
if ((o = list = strdup(_list)) == NULL)
386
while ((cp = strsep(&list, ",")) != NULL) {
394
/* Prefer CIDR address matching */
395
r = addr_pton_cidr(cp, &match_addr, &masklen);
397
error("Inconsistent mask length for "
398
"network \"%.100s\"", cp);
402
if (addr != NULL && addr_netmatch(&try_addr,
403
&match_addr, masklen) == 0) {
413
/* If CIDR parse failed, try wildcard string match */
414
if (addr != NULL && match_pattern(addr, cp) == 1)