/*++
/* NAME
/* match_ops 3
/* SUMMARY
/* simple string or host pattern matching
/* SYNOPSIS
/* #include <match_list.h>
/*
/* int match_string(list, string, pattern)
/* MATCH_LIST *list;
/* const char *string;
/* const char *pattern;
/*
/* int match_hostname(list, name, pattern)
/* MATCH_LIST *list;
/* const char *name;
/* const char *pattern;
/*
/* int match_hostaddr(list, addr, pattern)
/* MATCH_LIST *list;
/* const char *addr;
/* const char *pattern;
/* DESCRIPTION
/* This module implements simple string and host name or address
/* matching. The matching process is case insensitive. If a pattern
/* has the form type:name, table lookup is used instead of string
/* or address comparison.
/*
/* match_string() matches the string against the pattern, requiring
/* an exact (case-insensitive) match. The flags argument is not used.
/*
/* match_hostname() matches the host name when the hostname matches
/* the pattern exactly, or when the pattern matches a parent domain
/* of the named host. The flags argument specifies the bit-wise OR
/* of zero or more of the following:
/* .IP MATCH_FLAG_PARENT
/* The hostname pattern foo.com matches itself and any name below
/* the domain foo.com. If this flag is cleared, foo.com matches itself
/* only, and .foo.com matches any name below the domain foo.com.
/* .IP MATCH_FLAG_RETURN
/* Log a warning, return "not found", and set list->error to
/* a non-zero dictionary error code, instead of raising a fatal
/* run-time error.
/* .RE
/* Specify MATCH_FLAG_NONE to request none of the above.
/*
/* match_hostaddr() matches a host address when the pattern is
/* identical to the host address, or when the pattern is a net/mask
/* that contains the address. The mask specifies the number of
/* bits in the network part of the pattern. The flags argument is
/* not used.
/* LICENSE
/* .ad
/* .fi
/* The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/* Wietse Venema
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*
/* Wietse Venema
/* Google, Inc.
/* 111 8th Avenue
/* New York, NY 10011, USA
/*--*/
/* System library. */
#include <sys_defs.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdlib.h>
/* Utility library. */
#include <msg.h>
#include <mymalloc.h>
#include <split_at.h>
#include <dict.h>
#include <match_list.h>
#include <stringops.h>
#include <cidr_match.h>
/*
 * A pattern of the form type:name selects table lookup instead of plain
 * string or address comparison. A leading '[' is excluded so that a
 * bracketed address literal (which may itself contain ':' when it is an
 * IPv6 address) is not mistaken for a type:name pair.
 */
#define MATCH_DICTIONARY(pattern) \
((pattern)[0] != '[' && strchr((pattern), ':') != 0)
/* match_error - return or raise fatal error */
/* match_error - report a lookup failure; warn and return 0, or raise a fatal error */

/*
 * list    - the match list being evaluated; list->pname names it in the log
 *           and list->flags decides between warning and fatal error.
 * fmt,... - printf-style description of the failure.
 *
 * Always returns 0 ("not found") when it returns at all. Callers are
 * expected to have set list->error before calling.
 */
static int match_error(MATCH_LIST *list, const char *fmt,...)
{
    va_list args;
    VSTRING *message = vstring_alloc(100);
    int fatal;

    /* Format the caller's text once; both reporting paths use it. */
    va_start(args, fmt);
    vstring_vsprintf(message, fmt, args);
    va_end(args);

    /*
     * MATCH_FLAG_RETURN turns a lookup failure into a logged warning plus a
     * "not found" result (fail closed); without it the failure is a fatal
     * run-time error.
     */
    fatal = ((list->flags & MATCH_FLAG_RETURN) == 0);
    if (fatal)
        msg_fatal("%s: %s", list->pname, vstring_str(message));
    else
        msg_warn("%s: %s", list->pname, vstring_str(message));
    vstring_free(message);
    return (0);
}
/* match_string - match a string literal */
/* match_string - match a string literal, or look it up in a type:name table */

/*
 * list    - match list; list->pname is used for logging, list->error
 *           receives the dictionary error code on a failed lookup.
 * string  - the (already casefolded) string to test.
 * pattern - either a literal to compare against, or a type:name table.
 *
 * Returns 1 on match, 0 otherwise. A table lookup error is reported via
 * match_error(), which honours MATCH_FLAG_RETURN and also yields 0.
 */
int match_string(MATCH_LIST *list, const char *string, const char *pattern)
{
    const char *myname = "match_string";
    DICT *table;
    int found;

    if (msg_verbose)
        msg_info("%s: %s: %s ~? %s", myname, list->pname, string, pattern);

    /*
     * Literal pattern: both sides are already casefolded, so a plain byte
     * comparison decides.
     */
    if (!MATCH_DICTIONARY(pattern))
        return (strcmp(string, pattern) == 0 ? 1 : 0);

    /*
     * type:name pattern: exact-key table lookup.
     */
    if ((table = dict_handle(pattern)) == 0)
        msg_panic("%s: unknown dictionary: %s", myname, pattern);
    found = (dict_get(table, string) != 0);
    if (found)
        return (1);
    list->error = table->error;
    if (list->error != 0)
        return (match_error(list, "%s:%s: table lookup problem",
                            table->type, table->name));
    return (0);
}
/* match_hostname - match a host by name */
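/* match_hostname - match a host by name, or by a parent domain of it */

/*
 * list    - match list; list->flags (MATCH_FLAG_PARENT, MATCH_FLAG_RETURN)
 *           control matching and error reporting, list->error receives the
 *           dictionary error code on a failed lookup.
 * name    - the (already casefolded) host name.
 * pattern - a literal domain, a ".domain" suffix, or a type:name table.
 *
 * Returns 1 on match, 0 otherwise. A table lookup error is reported via
 * match_error(), which honours MATCH_FLAG_RETURN and also yields 0.
 */
int match_hostname(MATCH_LIST *list, const char *name, const char *pattern)
{
    const char *myname = "match_hostname";
    const char *entry;
    const char *next;
    const char *suffix;
    size_t name_len;
    size_t patt_len;
    int match;
    DICT *dict;

    if (msg_verbose)
        msg_info("%s: %s: %s ~? %s", myname, list->pname, name, pattern);

    /*
     * Try dictionary lookup: exact match and parent domains.
     *
     * Don't look up parent domain substrings with regexp maps etc.
     */
    if (MATCH_DICTIONARY(pattern)) {
        if ((dict = dict_handle(pattern)) == 0)
            msg_panic("%s: unknown dictionary: %s", myname, pattern);
        match = 0;
        for (entry = name; *entry != 0; entry = next) {
            /*
             * The full name is always looked up. Parent-domain suffixes are
             * looked up only in fixed-string tables (DICT_FLAG_FIXED), so
             * that pattern-matching tables never see partial names.
             */
            if (entry == name || (dict->flags & DICT_FLAG_FIXED)) {
                match = (dict_get(dict, entry) != 0);
                if (msg_verbose > 1)
                    msg_info("%s: %s: lookup %s:%s %s: %s",
                             myname, list->pname, dict->type, dict->name,
                             entry, match ? "found" : "notfound");
                if (match != 0)
                    break;
                if ((list->error = dict->error) != 0)
                    return (match_error(list, "%s:%s: table lookup problem",
                                        dict->type, dict->name));
            }
            /*
             * Advance to the next label boundary: with MATCH_FLAG_PARENT the
             * next key is "foo.com", otherwise ".foo.com".
             */
            if ((next = strchr(entry + 1, '.')) == 0)
                break;
            if (list->flags & MATCH_FLAG_PARENT)
                next += 1;
        }
        return (match);
    }

    /*
     * Try an exact match with the host name. Note that the name and the
     * pattern are already casefolded.
     */
    if (strcmp(name, pattern) == 0)
        return (1);

    /*
     * See if the pattern is a parent domain of the hostname. Compare the
     * lengths before forming the suffix pointer: "name + strlen(name) -
     * strlen(pattern)" pointed before the start of name whenever the
     * pattern was longer, which is undefined behaviour even though that
     * pointer was only compared, never dereferenced. The suffix must be
     * strictly shorter than the name, as before.
     */
    name_len = strlen(name);
    patt_len = strlen(pattern);
    if (name_len > patt_len) {
        suffix = name + (name_len - patt_len);
        if (list->flags & MATCH_FLAG_PARENT) {
            /* foo.com matches bar.foo.com: suffix must begin a label. */
            if (suffix[-1] == '.' && strcmp(suffix, pattern) == 0)
                return (1);
        } else if (pattern[0] == '.') {
            /* .foo.com matches bar.foo.com; foo.com matches itself only. */
            if (strcmp(suffix, pattern) == 0)
                return (1);
        }
    }
    return (0);
}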
/* match_hostaddr - match host by address */
/* match_hostaddr - match host by address: table, literal, or net/mask */

/*
 * list    - match list; list->pname is used for logging, list->flags
 *           (MATCH_FLAG_RETURN) controls error reporting, list->error
 *           receives an error code on a failed lookup or pattern parse.
 * addr    - textual IPv4 or IPv6 address, already casefolded.
 * pattern - a type:name table, an address literal (optionally in
 *           [brackets]), or a net/mask in CIDR notation.
 *
 * Returns 1 on match, 0 otherwise. Lookup and parse errors are reported
 * via match_error(), which honours MATCH_FLAG_RETURN and also yields 0.
 */
int match_hostaddr(MATCH_LIST *list, const char *addr, const char *pattern)
{
    const char *myname = "match_hostaddr";
    DICT *table;
    CIDR_MATCH net_info;
    VSTRING *parse_err;
    char *pattern_copy;
    int result;

    if (msg_verbose)
        msg_info("%s: %s: %s ~? %s", myname, list->pname, addr, pattern);

    /*
     * Characters that may appear in a textual IPv4 or IPv6 address. An
     * argument containing anything else is not an address and cannot match.
     */
#define V4_ADDR_STRING_CHARS "01234567890."
#define V6_ADDR_STRING_CHARS V4_ADDR_STRING_CHARS "abcdefABCDEF:"

    if (addr[strspn(addr, V6_ADDR_STRING_CHARS)] != 0)
        return (0);

    /*
     * Try dictionary lookup. This can be case insensitive.
     */
    if (MATCH_DICTIONARY(pattern)) {
        if ((table = dict_handle(pattern)) == 0)
            msg_panic("%s: unknown dictionary: %s", myname, pattern);
        if (dict_get(table, addr) != 0)
            return (1);
        list->error = table->error;
        if (list->error != 0)
            return (match_error(list, "%s:%s: table lookup problem",
                                table->type, table->name));
        return (0);
    }

    /*
     * Try an exact textual match with the host address, either bare or in
     * the "[addr]" form. Note that the address and pattern are already
     * casefolded. strncmp() stops at pattern's terminator when pattern is
     * shorter than addr, so the pointer arithmetic that follows stays
     * within pattern.
     */
    if (pattern[0] == '[') {
        size_t addr_len = strlen(addr);
        int same = (strncmp(addr, pattern + 1, addr_len) == 0
                    && strcmp(pattern + 1 + addr_len, "]") == 0);

        if (same)
            return (1);
    } else if (strcmp(addr, pattern) == 0) {
        return (1);
    }

    /*
     * Light-weight tests before we get into expensive operations.
     *
     * - Don't bother matching IPv4 against IPv6. Postfix transforms
     * IPv4-in-IPv6 to native IPv4 form when IPv4 support is enabled in
     * Postfix; if not, then Postfix has no business dealing with IPv4
     * addresses anyway.
     *
     * - Don't bother unless the pattern is either an IPv6 address or net/mask.
     *
     * We can safely skip IPv4 address patterns because their form is
     * unambiguous and they did not match in the strcmp() calls above.
     *
     * XXX We MUST skip (parent) domain names, which may appear in NAMADR_LIST
     * input, to avoid triggering false cidr_match_parse() errors.
     *
     * The last two conditions below are for backwards compatibility with
     * earlier Postfix versions: don't abort with fatal errors on junk that
     * was silently ignored (principle of least astonishment).
     */
    if (!strchr(addr, ':') != !strchr(pattern, ':')
        || pattern[strcspn(pattern, ":/")] == 0
        || pattern[strspn(pattern, V4_ADDR_STRING_CHARS)] == 0
        || pattern[strspn(pattern, V6_ADDR_STRING_CHARS "[]/")] != 0)
        return (0);

    /*
     * No escape from expensive operations: either we have a net/mask
     * pattern, or we have an address that can have multiple valid
     * representations (e.g., 0:0:0:0:0:0:0:1 versus ::1, etc.). The only way
     * to find out if the address matches the pattern is to transform
     * everything into binary form, and to do the comparison there. The
     * pattern is copied because the parser needs writable text.
     */
    pattern_copy = mystrdup(pattern);
    parse_err = cidr_match_parse(&net_info, pattern_copy, CIDR_MATCH_TRUE,
                                 (VSTRING *) 0);
    myfree(pattern_copy);
    if (parse_err == 0)
        return (cidr_match_execute(&net_info, addr) != 0);

    /* Unparseable pattern: report it as a retryable lookup error. */
    list->error = DICT_ERR_RETRY;
    result = match_error(list, "%s", vstring_str(parse_err));
    vstring_free(parse_err);
    return (result);
}