[openssh-commits] [openssh] 01/04: upstream commit
git+noreply at mindrot.org
git+noreply at mindrot.org
Sat Feb 4 10:10:18 AEDT 2017
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 68bc8cfa7642d3ccbf2cd64281c16b8b9205be59
Author: djm at openbsd.org <djm at openbsd.org>
Date: Fri Feb 3 23:01:19 2017 +0000
upstream commit
support =- for removing methods from algorithms lists,
e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
it" markus@
Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
---
compat.c | 48 +++++++++++++-----------------------------------
kex.c | 21 +++++++++++++--------
match.c | 31 ++++++++++++++++++++++++++++++-
match.h | 3 ++-
readconf.c | 12 +++++++-----
servconf.c | 12 +++++++-----
ssh_config.5 | 28 ++++++++++++++++++++++++++--
sshd_config.5 | 24 ++++++++++++++++++++++--
8 files changed, 120 insertions(+), 59 deletions(-)
diff --git a/compat.c b/compat.c
index 69a104f..1e80cfa 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.99 2016/05/24 02:31:57 dtucker Exp $ */
+/* $OpenBSD: compat.c,v 1.100 2017/02/03 23:01:19 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@@ -37,6 +37,7 @@
#include "compat.h"
#include "log.h"
#include "match.h"
+#include "kex.h"
int compat13 = 0;
int compat20 = 0;
@@ -250,42 +251,14 @@ proto_spec(const char *spec)
return ret;
}
-/*
- * Filters a proposal string, excluding any algorithm matching the 'filter'
- * pattern list.
- */
-static char *
-filter_proposal(char *proposal, const char *filter)
-{
- Buffer b;
- char *orig_prop, *fix_prop;
- char *cp, *tmp;
-
- buffer_init(&b);
- tmp = orig_prop = xstrdup(proposal);
- while ((cp = strsep(&tmp, ",")) != NULL) {
- if (match_pattern_list(cp, filter, 0) != 1) {
- if (buffer_len(&b) > 0)
- buffer_append(&b, ",", 1);
- buffer_append(&b, cp, strlen(cp));
- } else
- debug2("Compat: skipping algorithm \"%s\"", cp);
- }
- buffer_append(&b, "\0", 1);
- fix_prop = xstrdup((char *)buffer_ptr(&b));
- buffer_free(&b);
- free(orig_prop);
-
- return fix_prop;
-}
-
char *
compat_cipher_proposal(char *cipher_prop)
{
if (!(datafellows & SSH_BUG_BIGENDIANAES))
return cipher_prop;
debug2("%s: original cipher proposal: %s", __func__, cipher_prop);
- cipher_prop = filter_proposal(cipher_prop, "aes*");
+ if ((cipher_prop = match_filter_list(cipher_prop, "aes*")) == NULL)
+ fatal("match_filter_list failed");
debug2("%s: compat cipher proposal: %s", __func__, cipher_prop);
if (*cipher_prop == '\0')
fatal("No supported ciphers found");
@@ -298,7 +271,8 @@ compat_pkalg_proposal(char *pkalg_prop)
if (!(datafellows & SSH_BUG_RSASIGMD5))
return pkalg_prop;
debug2("%s: original public key proposal: %s", __func__, pkalg_prop);
- pkalg_prop = filter_proposal(pkalg_prop, "ssh-rsa");
+ if ((pkalg_prop = match_filter_list(pkalg_prop, "ssh-rsa")) == NULL)
+ fatal("match_filter_list failed");
debug2("%s: compat public key proposal: %s", __func__, pkalg_prop);
if (*pkalg_prop == '\0')
fatal("No supported PK algorithms found");
@@ -312,10 +286,14 @@ compat_kex_proposal(char *p)
return p;
debug2("%s: original KEX proposal: %s", __func__, p);
if ((datafellows & SSH_BUG_CURVE25519PAD) != 0)
- p = filter_proposal(p, "curve25519-sha256 at libssh.org");
+ if ((p = match_filter_list(p,
+ "curve25519-sha256 at libssh.org")) == NULL)
+ fatal("match_filter_list failed");
if ((datafellows & SSH_OLD_DHGEX) != 0) {
- p = filter_proposal(p, "diffie-hellman-group-exchange-sha256");
- p = filter_proposal(p, "diffie-hellman-group-exchange-sha1");
+ if ((p = match_filter_list(p,
+ "diffie-hellman-group-exchange-sha256,"
+ "diffie-hellman-group-exchange-sha1")) == NULL)
+ fatal("match_filter_list failed");
}
debug2("%s: compat KEX proposal: %s", __func__, p);
if (*p == '\0')
diff --git a/kex.c b/kex.c
index 6a94bc5..a30dabe 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */
+/* $OpenBSD: kex.c,v 1.128 2017/02/03 23:01:19 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@@ -211,7 +211,8 @@ kex_names_cat(const char *a, const char *b)
/*
* Assemble a list of algorithms from a default list and a string from a
* configuration file. The user-provided string may begin with '+' to
- * indicate that it should be appended to the default.
+ * indicate that it should be appended to the default or '-' that the
+ * specified names should be removed.
*/
int
kex_assemble_names(const char *def, char **list)
@@ -222,14 +223,18 @@ kex_assemble_names(const char *def, char **list)
*list = strdup(def);
return 0;
}
- if (**list != '+') {
- return 0;
+ if (**list == '+') {
+ if ((ret = kex_names_cat(def, *list + 1)) == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+ free(*list);
+ *list = ret;
+ } else if (**list == '-') {
+ if ((ret = match_filter_list(def, *list + 1)) == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+ free(*list);
+ *list = ret;
}
- if ((ret = kex_names_cat(def, *list + 1)) == NULL)
- return SSH_ERR_ALLOC_FAIL;
- free(*list);
- *list = ret;
return 0;
}
diff --git a/match.c b/match.c
index c15dcd1..aeba4bb 100644
--- a/match.c
+++ b/match.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.c,v 1.33 2016/11/06 05:46:37 djm Exp $ */
+/* $OpenBSD: match.c,v 1.34 2017/02/03 23:01:19 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -284,3 +284,32 @@ match_list(const char *client, const char *server, u_int *next)
free(s);
return NULL;
}
+
+/*
+ * Filters a comma-separated list of strings, excluding any entry matching
+ * the 'filter' pattern list. Caller must free returned string.
+ */
+char *
+match_filter_list(const char *proposal, const char *filter)
+{
+ size_t len = strlen(proposal) + 1;
+ char *fix_prop = malloc(len);
+ char *orig_prop = strdup(proposal);
+ char *cp, *tmp;
+
+ if (fix_prop == NULL || orig_prop == NULL)
+ return NULL;
+
+ tmp = orig_prop;
+ *fix_prop = '\0';
+ while ((cp = strsep(&tmp, ",")) != NULL) {
+ if (match_pattern_list(cp, filter, 0) != 1) {
+ if (*fix_prop != '\0')
+ strlcat(fix_prop, ",", len);
+ strlcat(fix_prop, cp, len);
+ }
+ }
+ free(orig_prop);
+ return fix_prop;
+}
+
diff --git a/match.h b/match.h
index db97ca8..937ba04 100644
--- a/match.h
+++ b/match.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.h,v 1.16 2015/05/04 06:10:48 djm Exp $ */
+/* $OpenBSD: match.h,v 1.17 2017/02/03 23:01:19 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -20,6 +20,7 @@ int match_hostname(const char *, const char *);
int match_host_and_ip(const char *, const char *, const char *);
int match_user(const char *, const char *, const char *, const char *);
char *match_list(const char *, const char *, u_int *);
+char *match_filter_list(const char *, const char *);
/* addrmatch.c */
int addr_match_list(const char *, const char *);
diff --git a/readconf.c b/readconf.c
index 6c93440..e51481b 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.267 2017/02/03 05:05:56 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.268 2017/02/03 23:01:19 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1194,7 +1194,7 @@ parse_int:
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
+ if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && options->ciphers == NULL)
@@ -1205,7 +1205,7 @@ parse_int:
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (!mac_valid(*arg == '+' ? arg + 1 : arg))
+ if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && options->macs == NULL)
@@ -1217,7 +1217,8 @@ parse_int:
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.",
filename, linenum);
- if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
+ if (*arg != '-' &&
+ !kex_names_valid(*arg == '+' ? arg + 1 : arg))
fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && options->kex_algorithms == NULL)
@@ -1231,7 +1232,8 @@ parse_keytypes:
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.",
filename, linenum);
- if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+ if (*arg != '-' &&
+ !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
fatal("%s line %d: Bad key types '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && *charptr == NULL)
diff --git a/servconf.c b/servconf.c
index 1880b8c..2f8e29d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.303 2017/02/03 05:05:56 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.304 2017/02/03 23:01:19 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -1177,7 +1177,8 @@ process_server_config_line(ServerOptions *options, char *line,
if (!arg || *arg == '\0')
fatal("%s line %d: Missing argument.",
filename, linenum);
- if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+ if (*arg != '-' &&
+ !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
fatal("%s line %d: Bad key types '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && *charptr == NULL)
@@ -1436,7 +1437,7 @@ process_server_config_line(ServerOptions *options, char *line,
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing argument.", filename, linenum);
- if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
+ if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (options->ciphers == NULL)
@@ -1447,7 +1448,7 @@ process_server_config_line(ServerOptions *options, char *line,
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing argument.", filename, linenum);
- if (!mac_valid(*arg == '+' ? arg + 1 : arg))
+ if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
fatal("%s line %d: Bad SSH2 mac spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (options->macs == NULL)
@@ -1459,7 +1460,8 @@ process_server_config_line(ServerOptions *options, char *line,
if (!arg || *arg == '\0')
fatal("%s line %d: Missing argument.",
filename, linenum);
- if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
+ if (*arg != '-' &&
+ !kex_names_valid(*arg == '+' ? arg + 1 : arg))
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (options->kex_algorithms == NULL)
diff --git a/ssh_config.5 b/ssh_config.5
index 591365f..016adbc 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.240 2016/10/15 19:56:25 jmc Exp $
-.Dd $Mdocdate: October 15 2016 $
+.\" $OpenBSD: ssh_config.5,v 1.241 2017/02/03 23:01:19 djm Exp $
+.Dd $Mdocdate: February 3 2017 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -415,6 +415,10 @@ If the specified value begins with a
.Sq +
character, then the specified ciphers will be appended to the default set
instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified ciphers (including wildcards) will be removed
+from the default set instead of replacing them.
.Pp
The supported ciphers are:
.Bd -literal -offset indent
@@ -784,6 +788,10 @@ Alternately if the specified value begins with a
.Sq +
character, then the specified key types will be appended to the default set
instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified key types (including wildcards) will be removed
+from the default set instead of replacing them.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01 at openssh.com,
@@ -807,6 +815,10 @@ Alternately if the specified value begins with a
.Sq +
character, then the specified key types will be appended to the default set
instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified key types (including wildcards) will be removed
+from the default set instead of replacing them.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01 at openssh.com,
@@ -1027,6 +1039,10 @@ Alternately if the specified value begins with a
.Sq +
character, then the specified methods will be appended to the default set
instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified methods (including wildcards) will be removed
+from the default set instead of replacing them.
The default is:
.Bd -literal -offset indent
curve25519-sha256,curve25519-sha256 at libssh.org,
@@ -1102,6 +1118,10 @@ If the specified value begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified algorithms (including wildcards) will be removed
+from the default set instead of replacing them.
.Pp
The algorithms that contain
.Qq -etm
@@ -1264,6 +1284,10 @@ Alternately if the specified value begins with a
.Sq +
character, then the key types after it will be appended to the default
instead of replacing it.
+If the specified value begins with a
+.Sq -
+character, then the specified key types (including wildcards) will be removed
+from the default set instead of replacing them.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01 at openssh.com,
diff --git a/sshd_config.5 b/sshd_config.5
index 935fda4..454e46e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.241 2017/01/06 16:28:12 jmc Exp $
-.Dd $Mdocdate: January 6 2017 $
+.\" $OpenBSD: sshd_config.5,v 1.242 2017/02/03 23:01:19 djm Exp $
+.Dd $Mdocdate: February 3 2017 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -437,6 +437,10 @@ If the specified value begins with a
.Sq +
character, then the specified ciphers will be appended to the default set
instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified ciphers (including wildcards) will be removed
+from the default set instead of replacing them.
.Pp
The supported ciphers are:
.Pp
@@ -649,6 +653,10 @@ Alternately if the specified value begins with a
.Sq +
character, then the specified key types will be appended to the default set
instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified key types (including wildcards) will be removed
+from the default set instead of replacing them.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01 at openssh.com,
@@ -843,6 +851,10 @@ Alternately if the specified value begins with a
.Sq +
character, then the specified methods will be appended to the default set
instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified methods (including wildcards) will be removed
+from the default set instead of replacing them.
The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
@@ -933,6 +945,10 @@ If the specified value begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified algorithms (including wildcards) will be removed
+from the default set instead of replacing them.
.Pp
The algorithms that contain
.Qq -etm
@@ -1280,6 +1296,10 @@ Alternately if the specified value begins with a
.Sq +
character, then the specified key types will be appended to the default set
instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified key types (including wildcards) will be removed
+from the default set instead of replacing them.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01 at openssh.com,
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list