summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authornaddy@openbsd.org <naddy@openbsd.org>2019-09-06 14:45:34 +0000
committerDamien Miller <djm@mindrot.org>2019-09-08 14:49:04 +1000
commit91a2135f32acdd6378476c5bae475a6e7811a6a2 (patch)
treeda8ddb5e4236cb12f3c70ab939e3abe674aa8ba4
parentc8bdd2db77ac2369d5cdee237656f266c8f41552 (diff)
upstream: Allow prepending a list of algorithms to the default set
by starting the list with the '^' character, e.g. HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com ok djm@ dtucker@ OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
-rw-r--r--kex.c15
-rw-r--r--readconf.c14
-rw-r--r--servconf.c14
-rw-r--r--ssh.c4
-rw-r--r--ssh_config.528
-rw-r--r--sshd_config.524
6 files changed, 80 insertions, 19 deletions
diff --git a/kex.c b/kex.c
index 84f8e2aa..5a8a03aa 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.153 2019/09/06 01:58:50 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.154 2019/09/06 14:45:34 naddy Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@@ -213,8 +213,9 @@ kex_names_cat(const char *a, const char *b)
/*
* Assemble a list of algorithms from a default list and a string from a
* configuration file. The user-provided string may begin with '+' to
- * indicate that it should be appended to the default or '-' that the
- * specified names should be removed.
+ * indicate that it should be appended to the default, '-' that the
+ * specified names should be removed, or '^' that they should be placed
+ * at the head.
*/
int
kex_assemble_names(char **listp, const char *def, const char *all)
@@ -251,6 +252,14 @@ kex_assemble_names(char **listp, const char *def, const char *all)
free(list);
/* filtering has already been done */
return 0;
+ } else if (*list == '^') {
+ /* Place names at head of default list */
+ if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto fail;
+ }
+ free(list);
+ list = tmp;
} else {
/* Explicit list, overrides default - just use "list" as is */
}
diff --git a/readconf.c b/readconf.c
index d1b7871e..f78b4d6f 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.308 2019/08/09 05:05:54 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.309 2019/09/06 14:45:34 naddy Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1199,7 +1199,8 @@ parse_int:
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
+ if (*arg != '-' &&
+ !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && options->ciphers == NULL)
@@ -1210,7 +1211,8 @@ parse_int:
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
+ if (*arg != '-' &&
+ !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
fatal("%.200s line %d: Bad SSH2 MAC spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && options->macs == NULL)
@@ -1223,7 +1225,8 @@ parse_int:
fatal("%.200s line %d: Missing argument.",
filename, linenum);
if (*arg != '-' &&
- !kex_names_valid(*arg == '+' ? arg + 1 : arg))
+ !kex_names_valid(*arg == '+' || *arg == '^' ?
+ arg + 1 : arg))
fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && options->kex_algorithms == NULL)
@@ -1238,7 +1241,8 @@ parse_keytypes:
fatal("%.200s line %d: Missing argument.",
filename, linenum);
if (*arg != '-' &&
- !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+ !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
+ arg + 1 : arg, 1))
fatal("%s line %d: Bad key types '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && *charptr == NULL)
diff --git a/servconf.c b/servconf.c
index 340045b2..e76f9c39 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.351 2019/04/18 18:56:16 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.352 2019/09/06 14:45:34 naddy Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -1444,7 +1444,8 @@ process_server_config_line(ServerOptions *options, char *line,
fatal("%s line %d: Missing argument.",
filename, linenum);
if (*arg != '-' &&
- !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+ !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
+ arg + 1 : arg, 1))
fatal("%s line %d: Bad key types '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (*activep && *charptr == NULL)
@@ -1715,7 +1716,8 @@ process_server_config_line(ServerOptions *options, char *line,
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing argument.", filename, linenum);
- if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
+ if (*arg != '-' &&
+ !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (options->ciphers == NULL)
@@ -1726,7 +1728,8 @@ process_server_config_line(ServerOptions *options, char *line,
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing argument.", filename, linenum);
- if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
+ if (*arg != '-' &&
+ !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
fatal("%s line %d: Bad SSH2 mac spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (options->macs == NULL)
@@ -1739,7 +1742,8 @@ process_server_config_line(ServerOptions *options, char *line,
fatal("%s line %d: Missing argument.",
filename, linenum);
if (*arg != '-' &&
- !kex_names_valid(*arg == '+' ? arg + 1 : arg))
+ !kex_names_valid(*arg == '+' || *arg == '^' ?
+ arg + 1 : arg))
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
filename, linenum, arg ? arg : "<NONE>");
if (options->kex_algorithms == NULL)
diff --git a/ssh.c b/ssh.c
index 65437698..cb321bcf 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.505 2019/06/28 13:35:04 deraadt Exp $ */
+/* $OpenBSD: ssh.c,v 1.506 2019/09/06 14:45:34 naddy Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -877,7 +877,7 @@ main(int ac, char **av)
}
break;
case 'c':
- if (!ciphers_valid(*optarg == '+' ?
+ if (!ciphers_valid(*optarg == '+' || *optarg == '^' ?
optarg + 1 : optarg)) {
fprintf(stderr, "Unknown cipher type '%s'\n",
optarg);
diff --git a/ssh_config.5 b/ssh_config.5
index 14d96bea..e114b1df 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.300 2019/09/04 20:31:15 naddy Exp $
-.Dd $Mdocdate: September 4 2019 $
+.\" $OpenBSD: ssh_config.5,v 1.301 2019/09/06 14:45:34 naddy Exp $
+.Dd $Mdocdate: September 6 2019 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -430,6 +430,10 @@ If the specified list begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
.Pp
The supported ciphers are:
.Bd -literal -offset indent
@@ -794,6 +798,10 @@ If the specified list begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -822,6 +830,10 @@ If the specified list begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -1051,6 +1063,10 @@ If the specified list begins with a
.Sq -
character, then the specified methods (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
The default is:
.Bd -literal -offset indent
curve25519-sha256,curve25519-sha256@libssh.org,
@@ -1132,6 +1148,10 @@ If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
.Pp
The algorithms that contain
.Qq -etm
@@ -1289,6 +1309,10 @@ If the specified list begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01@openssh.com,
diff --git a/sshd_config.5 b/sshd_config.5
index f42d1041..9486f2a1 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.289 2019/09/04 20:31:15 naddy Exp $
-.Dd $Mdocdate: September 4 2019 $
+.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $
+.Dd $Mdocdate: September 6 2019 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -462,6 +462,10 @@ If the specified list begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
.Pp
The supported ciphers are:
.Pp
@@ -676,6 +680,10 @@ If the specified list begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -881,6 +889,10 @@ If the specified list begins with a
.Sq -
character, then the specified methods (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
@@ -998,6 +1010,10 @@ If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
.Pp
The algorithms that contain
.Qq -etm
@@ -1403,6 +1419,10 @@ If the specified list begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
The default for this option is:
.Bd -literal -offset 3n
ecdsa-sha2-nistp256-cert-v01@openssh.com,