From 75ac444324fa49de669b88be7fbec17d4ae48eaa Mon Sep 17 00:00:00 2001 From: Jacob Nevins Date: Sat, 22 Oct 2022 01:16:00 +0100 Subject: [PATCH] Document subdomain matching of cert expr wildcards. In the manual, in comments, and in a new test. --- doc/config.but | 12 ++++++++---- utils/cert-expr.c | 5 ++++- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/doc/config.but b/doc/config.but index 21ff0bb5..f258a356 100644 --- a/doc/config.but +++ b/doc/config.but @@ -2724,10 +2724,14 @@ hosts} The simplest thing you can enter in the \q{Valid hosts this key is trusted to certify} edit box is just a hostname wildcard such as -\cq{*.example.com}. But you can also enter multiple host name -wildcards, and port number ranges, and make complicated Boolean -expressions out of them using the operators \cq{&&} for \q{and}, -\cq{||} for \q{or}, \cq{!} for \q{not}, and parentheses. +\cq{*.example.com}. This matches any host in any subdomain, so +both \cq{ssh.example.com} and \cq{login.dept.example.com} would +match, but \cq{prod.example.net} would not. + +But you can also enter multiple host name wildcards, and port number +ranges, and make complicated Boolean expressions out of them using the +operators \cq{&&} for \q{and}, \cq{||} for \q{or}, \cq{!} for \q{not}, +and parentheses. For example, here are some other things you could enter. diff --git a/utils/cert-expr.c b/utils/cert-expr.c index 880239e4..b22b380c 100644 --- a/utils/cert-expr.c +++ b/utils/cert-expr.c 
@@ -41,7 +41,9 @@ Syntax layer: all of those types of atom are interpreted as predicates applied to the (hostname, port) data configured for the SSH connection for which the certificate is being validated. -Wildcards are handled using the syntax in wildcard.c. +Wildcards are handled using the syntax in wildcard.c. The dot- +separated structure of hostnames is thus not special; the '*' in +"*.example.com" will match any number of subdomains under example.com. More complex boolean expressions can be made by combining those predicates using the boolean operators and parentheses, in the obvious @@ -778,6 +780,7 @@ static const struct EvalTest { T("*.example.com", "hostname.example.com", 22, true), T("*.example.com", "hostname.example.org", 22, false), + T("*.example.com", "hostname.dept.example.com", 22, true), T("*.example.com && port:22", "hostname.example.com", 21, false), T("*.example.com && port:22", "hostname.example.com", 22, true), T("*.example.com && port:22", "hostname.example.com", 23, false),
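Review bot: In the doc/config.but hunk, the new sentence describes subdomain matching but leaves the apex case undocumented: a reader writing a trust expression will also want to know whether \cq{*.example.com} matches the bare host \cq{example.com} itself. Suggest adding that case to the example list alongside \cq{ssh.example.com} and \cq{login.dept.example.com}, with the correct answer, so the manual states the full boundary of the wildcard rather than only the positive subdomain cases and one unrelated-domain negative.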
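Review bot: In the first utils/cert-expr.c hunk (the comment at line 41), "the dot-separated structure of hostnames is thus not special" states the consequence but not the rule; it would be clearer to say directly that '*' matches '.' like any other character, which is what makes "*.example.com" cover any number of labels. Since this is the place a maintainer will look when deciding how narrow a trust expression can be, the comment could also say explicitly whether any single-label wildcard form exists, or that there is none, rather than leaving that to be inferred from wildcard.c.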
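Review bot: In the second utils/cert-expr.c hunk (EvalTest at line 778), the added case only pins down the positive direction of the new documented behaviour; the boundaries of the wildcard deserve tests too. Suggest adding the apex case `T("*.example.com", "example.com", 22, ...)` with whatever result the wildcard semantics actually give, and a suffix look-alike such as `T("*.example.com", "hostname.example.com.example.org", 22, false)`, which should be false if the match is anchored at the end of the string as the existing `hostname.example.org` negative case suggests. Together these document that a broad-looking wildcard still cannot be satisfied by a hostname that merely contains the trusted domain.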