[openssh-commits] [openssh] 01/04: upstream: avoid validating bad cipher or mac lists in config files

git+noreply at mindrot.org git+noreply at mindrot.org
Thu May 21 14:06:48 AEST 2026


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 33392024f46e7aabaeaf947cc3b110d60a9fd9e3
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Wed May 13 05:58:58 2026 +0000

    upstream: avoid validating bad cipher or mac lists in config files
    
    / commandline arguments as valid.
    
    Identified by SUSE and reported by Camila Camargo de Matos
    
    ok deraadt@ tb@
    
    OpenBSD-Commit-ID: 45d51154f2418549e08b80fa33df6c6532046054
---
 cipher.c | 8 +++++---
 mac.c    | 8 +++++---
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/cipher.c b/cipher.c
index f770e666c..b42baf967 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.126 2026/02/14 00:18:34 jsg Exp $ */
+/* $OpenBSD: cipher.c,v 1.127 2026/05/13 05:58:58 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -206,6 +206,7 @@ ciphers_valid(const char *names)
 	const struct sshcipher *c;
 	char *cipher_list, *cp;
 	char *p;
+	int found = 0;
 
 	if (names == NULL || strcmp(names, "") == 0)
 		return 0;
@@ -217,10 +218,11 @@ ciphers_valid(const char *names)
 		if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
 			free(cipher_list);
 			return 0;
-		}
+		} else
+			found = 1;
 	}
 	free(cipher_list);
-	return 1;
+	return found;
 }
 
 const char *
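Review bot: `found = 1` is set by the first name that passes, so `return found;` shows that at least one name was accepted, not that every entry in `names` was examined. The loop header lies outside this hunk; if it ends on the first empty token (which would explain how a list with no names used to return 1), then a list holding a valid name, an empty entry and then an unknown name would presumably still be reported valid with the tail unchecked. If the loop is written that way, a check after it such as `if (p != NULL) found = 0;` would reject lists that stopped early; this needs confirming against the full function. The same pattern is in the last `mac_valid()` hunk in mac.c.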
diff --git a/mac.c b/mac.c
index 17607830c..30496b402 100644
--- a/mac.c
+++ b/mac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mac.c,v 1.38 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: mac.c,v 1.39 2026/05/13 05:58:58 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -236,6 +236,7 @@ int
 mac_valid(const char *names)
 {
 	char *maclist, *cp, *p;
+	int found = 0;
 
 	if (names == NULL || strcmp(names, "") == 0)
 		return 0;
@@ -246,8 +247,9 @@ mac_valid(const char *names)
 		if (mac_setup(NULL, p) < 0) {
 			free(maclist);
 			return 0;
-		}
+		} else
+			found = 1;
 	}
 	free(maclist);
-	return 1;
+	return found;
 }
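Review bot: The reason for `return found;` is not documented at the point of use in `mac_valid()`: every failing name already returns 0 inside the loop, so a reader cannot tell which input leaves `found` at 0. A comment above the return would help, for example `/* found is still 0 if the loop accepted no name at all; treat that as invalid */`. The `else` is also redundant because the `if` body returns, so a plain `found = 1;` after the closing brace is equivalent and avoids the mixed braced/unbraced form. The function and its loop begin outside this hunk, and `ciphers_valid()` in cipher.c would take the same comment.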
