History log of /openssh-portable/addrmatch.c (Results 1 - 25 of 28)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
# 816036f1 18-Oct-2020 djm@openbsd.org

upstream: use the new variant log macros instead of prepending

__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8


Revision tags: V_8_4_P1, V_8_3_P1, V_8_2_P1, V_8_1_P1, V_8_0_P1, V_7_9_P1, V_7_8_P1
# 1a66079c 30-Jul-2018 djm@openbsd.org

upstream: fix some memory leaks spotted by Coverity via Jakub Jelen

in bz#2366 feedback and ok dtucker@

OpenBSD-Commit-ID: 8402bbae67d578bedbadb0ce68ff7c5a136ef563


Revision tags: V_7_7_P1, V_7_6_P1, V_7_5_P1, V_7_4_P1
# a5ad3a9d 21-Sep-2016 djm@openbsd.org

upstream commit

Revert two recent changes to negated address matching. The
new behaviour offers unintuitive surprises. We'll find a better way to deal
with single negated matches.

upstream commit

Revert two recent changes to negated address matching. The
new behaviour offers unintuitive surprises. We'll find a better way to deal
with single negated matches.

match.c 1.31:
> fix matching for pattern lists that contain a single negated match,
> e.g. "Host !example"
>
> report and patch from Robin Becker. bz#1918 ok dtucker@

addrmatch.c 1.11:
> fix negated address matching where the address list consists of a
> single negated match, e.g. "Match addr !192.20.0.1"
>
> Report and patch from Jakub Jelen. bz#2397 ok dtucker@

Upstream-ID: ec96c770f0f5b9a54e5e72fda25387545e9c80c6

show more ...


# 23555eb1 23-Aug-2016 djm@openbsd.org

upstream commit

downgrade an error() to a debug2() to match similar cases
in addr_match_list()

Upstream-ID: 07c3d53e357214153d9d08f234411e0d1a3d6f5c


# cc182d01 22-Aug-2016 djm@openbsd.org

upstream commit

fix negated address matching where the address list
consists of a single negated match, e.g. "Match addr !192.20.0.1"

Report and patch from Jakub Jelen. bz#2397

upstream commit

fix negated address matching where the address list
consists of a single negated match, e.g. "Match addr !192.20.0.1"

Report and patch from Jakub Jelen. bz#2397 ok dtucker@

Upstream-ID: 01dcac3f3e6ca47518cf293e31c73597a4bb40d8

show more ...


Revision tags: V_7_3_P1, V_7_2_P2, V_7_2_P1, V_7_1_P2, V_7_1_P1, V_7_0_P1
# a635bd06 08-Jul-2015 markus@openbsd.org

upstream commit

xmalloc.h is unused

Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58


Revision tags: V_6_9_P1, V_6_8_P1, V_6_7_P1, V_6_6_P1, V_6_5_P1
# 7eee358d 19-Jan-2014 Darren Tucker

- dtucker@cvs.openbsd.org 2014/01/19 11:21:51
[addrmatch.c]
Cast the sizeof to socklen_t so it'll work even if the supplied len is
negative. Suggested by and ok djm, ok de

- dtucker@cvs.openbsd.org 2014/01/19 11:21:51
[addrmatch.c]
Cast the sizeof to socklen_t so it'll work even if the supplied len is
negative. Suggested by and ok djm, ok deraadt.

show more ...


# 7b1ded04 18-Jan-2014 Darren Tucker

- dtucker@cvs.openbsd.org 2014/01/19 04:17:29
[canohost.c addrmatch.c]
Cast socklen_t when comparing to size_t and use socklen_t to iterate over
the ip options, both to pre

- dtucker@cvs.openbsd.org 2014/01/19 04:17:29
[canohost.c addrmatch.c]
Cast socklen_t when comparing to size_t and use socklen_t to iterate over
the ip options, both to prevent signed/unsigned comparison warnings.
Patch from vinschen at redhat via portable openssh, begrudging ok deraadt.

show more ...


Revision tags: V_6_4_P1, V_6_3_P1
# a627d42e 01-Jun-2013 Darren Tucker

- djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c

- djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
dns.c packet.c readpass.c authfd.c moduli.c]
bye, bye xfree(); ok markus@

show more ...


Revision tags: V_6_2_P2, V_6_2_P1, V_6_1_P1
# 97f43bbf 29-Jun-2012 Damien Miller

- dtucker@cvs.openbsd.org 2012/06/21 00:16:07
[addrmatch.c]
fix strlcpy truncation check. from carsten at debian org, ok markus


Revision tags: V_6_0_P1, V_5_9_P1, V_5_8_P2, V_5_8_P1, V_5_7_P1, V_5_6_P1, V_5_5_P1, V_5_4_P1
# 0a80ca19 26-Feb-2010 Damien Miller

- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
[auth-options.h auth.h auth2-pubkey.c auth

- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
[auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
[hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
[myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
[sshconnect2.c sshd.8 sshd.c sshd_config.5]
Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as sh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@

show more ...


Revision tags: V_5_3_P1, V_5_2_P1
# 7375fe2c 28-Jan-2009 Damien Miller

- stevesk@cvs.openbsd.org 2008/12/10 03:55:20
[addrmatch.c]
o cannot be NULL here but use xfree() to be consistent; ok djm@


# 0f4d2c02 19-Nov-2008 Tim Rice

- (tim) [addrmatch.c configure.ac] Some platforms do not have sin6_scope_id
member of sockaddr_in6. Also reported in Bug 1491 by David Leonard. OK and
feedback by djm@


Revision tags: V_5_1_P1
# 896ad5a4 10-Jun-2008 Darren Tucker

- djm@cvs.openbsd.org 2008/06/10 23:06:19
[auth-options.c match.c servconf.c addrmatch.c sshd.8]
support CIDR address matching in .ssh/authorized_keys from="..." stanzas
ok

- djm@cvs.openbsd.org 2008/06/10 23:06:19
[auth-options.c match.c servconf.c addrmatch.c sshd.8]
support CIDR address matching in .ssh/authorized_keys from="..." stanzas
ok and extensive testing dtucker@

show more ...


# 7a3935de 10-Jun-2008 Darren Tucker

- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/06/10 03:57:27
[servconf.c match.h sshd_config.5]
support CIDR address matching in sshd_config "Match address" blocks,

- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/06/10 03:57:27
[servconf.c match.h sshd_config.5]
support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:
Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes
addrmatch.c code mostly lifted from flowd's addr.c
feedback and ok dtucker@

show more ...


# a5ad3a9d 21-Sep-2016 djm@openbsd.org

upstream commit

Revert two recent changes to negated address matching. The
new behaviour offers unintuitive surprises. We'll find a better way to deal
with single negated matches.

upstream commit

Revert two recent changes to negated address matching. The
new behaviour offers unintuitive surprises. We'll find a better way to deal
with single negated matches.

match.c 1.31:
> fix matching for pattern lists that contain a single negated match,
> e.g. "Host !example"
>
> report and patch from Robin Becker. bz#1918 ok dtucker@

addrmatch.c 1.11:
> fix negated address matching where the address list consists of a
> single negated match, e.g. "Match addr !192.20.0.1"
>
> Report and patch from Jakub Jelen. bz#2397 ok dtucker@

Upstream-ID: ec96c770f0f5b9a54e5e72fda25387545e9c80c6

show more ...


# 23555eb1 23-Aug-2016 djm@openbsd.org

upstream commit

downgrade an error() to a debug2() to match similar cases
in addr_match_list()

Upstream-ID: 07c3d53e357214153d9d08f234411e0d1a3d6f5c


# cc182d01 22-Aug-2016 djm@openbsd.org

upstream commit

fix negated address matching where the address list
consists of a single negated match, e.g. "Match addr !192.20.0.1"

Report and patch from Jakub Jelen. bz#2397

upstream commit

fix negated address matching where the address list
consists of a single negated match, e.g. "Match addr !192.20.0.1"

Report and patch from Jakub Jelen. bz#2397 ok dtucker@

Upstream-ID: 01dcac3f3e6ca47518cf293e31c73597a4bb40d8

show more ...


# a635bd06 08-Jul-2015 markus@openbsd.org

upstream commit

xmalloc.h is unused

Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58


# 7eee358d 19-Jan-2014 Darren Tucker

- dtucker@cvs.openbsd.org 2014/01/19 11:21:51
[addrmatch.c]
Cast the sizeof to socklen_t so it'll work even if the supplied len is
negative. Suggested by and ok djm, ok de

- dtucker@cvs.openbsd.org 2014/01/19 11:21:51
[addrmatch.c]
Cast the sizeof to socklen_t so it'll work even if the supplied len is
negative. Suggested by and ok djm, ok deraadt.

show more ...


# 7b1ded04 18-Jan-2014 Darren Tucker

- dtucker@cvs.openbsd.org 2014/01/19 04:17:29
[canohost.c addrmatch.c]
Cast socklen_t when comparing to size_t and use socklen_t to iterate over
the ip options, both to pre

- dtucker@cvs.openbsd.org 2014/01/19 04:17:29
[canohost.c addrmatch.c]
Cast socklen_t when comparing to size_t and use socklen_t to iterate over
the ip options, both to prevent signed/unsigned comparison warnings.
Patch from vinschen at redhat via portable openssh, begrudging ok deraadt.

show more ...


# a627d42e 01-Jun-2013 Darren Tucker

- djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c

- djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
dns.c packet.c readpass.c authfd.c moduli.c]
bye, bye xfree(); ok markus@

show more ...


# 97f43bbf 29-Jun-2012 Damien Miller

- dtucker@cvs.openbsd.org 2012/06/21 00:16:07
[addrmatch.c]
fix strlcpy truncation check. from carsten at debian org, ok markus


# 0a80ca19 26-Feb-2010 Damien Miller

- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
[auth-options.h auth.h auth2-pubkey.c auth

- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
[auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
[hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
[myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
[sshconnect2.c sshd.8 sshd.c sshd_config.5]
Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as sh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@

show more ...


# 7375fe2c 28-Jan-2009 Damien Miller

- stevesk@cvs.openbsd.org 2008/12/10 03:55:20
[addrmatch.c]
o cannot be NULL here but use xfree() to be consistent; ok djm@


12