Revert "[auth.c] On Cygwin, refuse usernames that have differences in case"

This reverts commit acc9b29486dfd649dfda474e5c1a03b317449f1c. Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
author: Corinna Vinschen <vinschen@redhat.com> 2019-02-20 13:41:24 +0100
committer: Darren Tucker <dtucker@dtucker.net> 2019-02-22 15:04:16 +1100
commit: f02afa350afac1b2f2d1413259a27a4ba1e2ca24 (patch)
tree: c568d26fa3747cfe35d86b46df84d5bcc0417245
parent: 4c55b674835478eb80a1a7aeae588aa654e2a433 (diff)
5 files changed, 158 insertions, 13 deletions
diff --git a/auth.c b/auth.c
index 62c58e72..332b6220 100644
--- a/auth.c
+++ b/auth.c
@@ -584,19 +584,6 @@ getpwnamallow(struct ssh *ssh, const char *user)
 #if defined(_AIX) && defined(HAVE_SETAUTHDB)
 	aix_restoreauthdb();
 #endif
-#ifdef HAVE_CYGWIN
-	/*
-	 * Windows usernames are case-insensitive.  To avoid later problems
-	 * when trying to match the username, the user is only allowed to
-	 * login if the username is given in the same case as stored in the
-	 * user database.
-	 */
-	if (pw != NULL && strcmp(user, pw->pw_name) != 0) {
-		logit("Login name %.100s does not match stored username %.100s",
-		    user, pw->pw_name);
-		pw = NULL;
-	}
-#endif
 	if (pw == NULL) {
 		logit("Invalid user %.100s from %.100s port %d",
 		    user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
diff --git a/groupaccess.c b/groupaccess.c
index 9e4d2552..43367990 100644
--- a/groupaccess.c
+++ b/groupaccess.c
@@ -103,7 +103,11 @@ ga_match_pattern_list(const char *group_pattern)
 	int i, found = 0;
 
 	for (i = 0; i < ngroups; i++) {
+#ifndef HAVE_CYGWIN
 		switch (match_pattern_list(groups_byname[i], group_pattern, 0)) {
+#else
+		switch (match_pattern_list(groups_byname[i], group_pattern, 1)) {
+#endif
 		case -1:
 			return 0;	/* Negated match wins */
 		case 0:
diff --git a/match.c b/match.c
index bb3e95f6..b50ae405 100644
--- a/match.c
+++ b/match.c
@@ -111,6 +111,8 @@ match_pattern(const char *s, const char *pattern)
 	/* NOTREACHED */
 }
 
+#ifndef HAVE_CYGWIN /* Cygwin version in openbsd-compat/bsd-cygwin_util.c */
+
 /*
  * Tries to match the string against the
  * comma-separated sequence of subpatterns (each possibly preceded by ! to
@@ -170,6 +172,8 @@ match_pattern_list(const char *string, const char *pattern, int dolower)
 	return got_positive;
 }
 
+#endif
+
 /*
  * Tries to match the host name (which must be in all lowercase) against the
  * comma-separated sequence of subpatterns (each possibly preceded by ! to
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index fb49e30f..f721fca9 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -37,6 +37,8 @@
 #include <string.h>
 #include <unistd.h>
 #include <stdarg.h>
+#include <wchar.h>
+#include <wctype.h>
 
 #include "xmalloc.h"
 
@@ -117,4 +119,148 @@ free_windows_environment(char **p)
 	free(p);
 }
 
+/*
+ * Returns true if the given string matches the pattern (which may contain ?
+ * and * as wildcards), and zero if it does not match.
+ *
+ * The Cygwin version of this function must be case-insensitive and take
+ * Unicode characters into account.
+ */
+
+static int
+__match_pattern (const wchar_t *s, const wchar_t *pattern, int caseinsensitive)
+{
+	for (;;) {
+		/* If at end of pattern, accept if also at end of string. */
+		if (!*pattern)
+			return !*s;
+
+		if (*pattern == '*') {
+			/* Skip the asterisk. */
+			pattern++;
+
+			/* If at end of pattern, accept immediately. */
+			if (!*pattern)
+				return 1;
+
+			/* If next character in pattern is known, optimize. */
+			if (*pattern != '?' && *pattern != '*') {
+				/*
+				 * Look instances of the next character in
+				 * pattern, and try to match starting from
+				 * those.
+				 */
+				for (; *s; s++)
+					if (*s == *pattern &&
+					    __match_pattern(s + 1, pattern + 1,
+							    caseinsensitive))
+						return 1;
+				/* Failed. */
+				return 0;
+			}
+			/*
+			 * Move ahead one character at a time and try to
+			 * match at each position.
+			 */
+			for (; *s; s++)
+				if (__match_pattern(s, pattern, caseinsensitive))
+					return 1;
+			/* Failed. */
+			return 0;
+		}
+		/*
+		 * There must be at least one more character in the string.
+		 * If we are at the end, fail.
+		 */
+		if (!*s)
+			return 0;
+
+		/* Check if the next character of the string is acceptable. */
+		if (*pattern != '?' && (*pattern != *s &&
+		     (!caseinsensitive || towlower(*pattern) != towlower(*s))))
+			return 0;
+
+		/* Move to the next character, both in string and in pattern. */
+		s++;
+		pattern++;
+	}
+	/* NOTREACHED */
+}
+
+static int
+_match_pattern(const char *s, const char *pattern, int caseinsensitive)
+{
+	wchar_t *ws;
+	wchar_t *wpattern;
+	size_t len;
+
+	if ((len = mbstowcs(NULL, s, 0)) < 0)
+		return 0;
+	ws = (wchar_t *) alloca((len + 1) * sizeof (wchar_t));
+	mbstowcs(ws, s, len + 1);
+	if ((len = mbstowcs(NULL, pattern, 0)) < 0)
+		return 0;
+	wpattern = (wchar_t *) alloca((len + 1) * sizeof (wchar_t));
+	mbstowcs(wpattern, pattern, len + 1);
+	return __match_pattern (ws, wpattern, caseinsensitive);
+}
+
+/*
+ * Tries to match the string against the
+ * comma-separated sequence of subpatterns (each possibly preceded by ! to
+ * indicate negation).  Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
+ */
+int
+match_pattern_list(const char *string, const char *pattern, int caseinsensitive)
+{
+	char sub[1024];
+	int negated;
+	int got_positive;
+	u_int i, subi, len = strlen(pattern);
+
+	got_positive = 0;
+	for (i = 0; i < len;) {
+		/* Check if the subpattern is negated. */
+		if (pattern[i] == '!') {
+			negated = 1;
+			i++;
+		} else
+			negated = 0;
+
+		/*
+		 * Extract the subpattern up to a comma or end.  Convert the
+		 * subpattern to lowercase.
+		 */
+		for (subi = 0;
+		    i < len && subi < sizeof(sub) - 1 && pattern[i] != ',';
+		    subi++, i++)
+			sub[subi] = pattern[i];
+		/* If subpattern too long, return failure (no match). */
+		if (subi >= sizeof(sub) - 1)
+			return 0;
+
+		/* If the subpattern was terminated by a comma, then skip it. */
+		if (i < len && pattern[i] == ',')
+			i++;
+
+		/* Null-terminate the subpattern. */
+		sub[subi] = '\0';
+
+		/* Try to match the subpattern against the string. */
+		if (_match_pattern(string, sub, caseinsensitive)) {
+			if (negated)
+				return -1;		/* Negative */
+			else
+				got_positive = 1;	/* Positive */
+		}
+	}
+
+	/*
+	 * Return success if got a positive match.  If there was a negative
+	 * match, we have already returned -1 and never get here.
+	 */
+	return got_positive;
+}
+
 #endif /* HAVE_CYGWIN */
diff --git a/servconf.c b/servconf.c
index d9680aba..4fa896fd 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1049,7 +1049,11 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 			}
 			if (ci->user == NULL)
 				match_test_missing_fatal("User", "user");
+#ifndef HAVE_CYGWIN
 			if (match_pattern_list(ci->user, arg, 0) != 1)
+#else
+			if (match_pattern_list(ci->user, arg, 1) != 1)
+#endif
 				result = 0;
 			else
 				debug("user %.100s matched 'User %.100s' at "
author	Corinna Vinschen <vinschen@redhat.com>	2019-02-20 13:41:24 +0100
committer	Darren Tucker <dtucker@dtucker.net>	2019-02-22 15:04:16 +1100
commit	f02afa350afac1b2f2d1413259a27a4ba1e2ca24 (patch)
tree	c568d26fa3747cfe35d86b46df84d5bcc0417245
parent	4c55b674835478eb80a1a7aeae588aa654e2a433 (diff)