Import openssh_7.5p1.orig.tar.gz

author: Colin Watson <cjwatson@debian.org> 2017-03-29 01:35:00 +0100
committer: Colin Watson <cjwatson@debian.org> 2017-03-29 01:35:00 +0100
commit: 6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 (patch)
tree: b4377d09196e24e2c6f2c2128f66f92cf7891105 /readconf.c
parent: 971a7653746a6972b907dfe0ce139c06e4a6f482 (diff)
parent: d38f05dbdd291212bc95ea80648b72b7177e9f4e (diff)
1 files changed, 66 insertions, 38 deletions
diff --git a/readconf.c b/readconf.c
index fa3fab8f0..9d59493f0 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.262 2016/10/25 04:08:13 jsg Exp $ */
+/* $OpenBSD: readconf.c,v 1.270 2017/03/10 04:27:32 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -93,7 +93,7 @@
   Host books.com
     RemoteForward 9999 shadows.cs.hut.fi:9999
-     Cipher 3des
+     Ciphers 3des-cbc
   Host fascist.blob.com
     Port 23123
@@ -108,7 +108,7 @@
     PublicKeyAuthentication no
   Host *.su
-     Cipher none
+     Ciphers aes128-ctr
     PasswordAuthentication no
   Host vpn.fake.com
@@ -180,6 +180,44 @@ static struct {
        const char *name;
        OpCodes opcode;
 } keywords[] = {
+        /* Deprecated options */
+        { "fallbacktorsh", oDeprecated },
+        { "globalknownhostsfile2", oDeprecated },
+        { "rhostsauthentication", oDeprecated },
+        { "userknownhostsfile2", oDeprecated },
+        { "useroaming", oDeprecated },
+        { "usersh", oDeprecated },
+        /* Unsupported options */
+        { "afstokenpassing", oUnsupported },
+        { "kerberosauthentication", oUnsupported },
+        { "kerberostgtpassing", oUnsupported },
+        /* Sometimes-unsupported options */
+#if defined(GSSAPI)
+        { "gssapiauthentication", oGssAuthentication },
+        { "gssapidelegatecredentials", oGssDelegateCreds },
+# else
+        { "gssapiauthentication", oUnsupported },
+        { "gssapidelegatecredentials", oUnsupported },
+#endif
+#ifdef ENABLE_PKCS11
+        { "smartcarddevice", oPKCS11Provider },
+        { "pkcs11provider", oPKCS11Provider },
+# else
+        { "smartcarddevice", oUnsupported },
+        { "pkcs11provider", oUnsupported },
+#endif
+#ifdef WITH_SSH1
+        { "rsaauthentication", oRSAAuthentication },
+        { "rhostsrsaauthentication", oRhostsRSAAuthentication },
+        { "compressionlevel", oCompressionLevel },
+# else
+        { "rsaauthentication", oUnsupported },
+        { "rhostsrsaauthentication", oUnsupported },
+        { "compressionlevel", oUnsupported },
+#endif
        { "forwardagent", oForwardAgent },
        { "forwardx11", oForwardX11 },
        { "forwardx11trusted", oForwardX11Trusted },
@@ -188,30 +226,15 @@ static struct {
        { "xauthlocation", oXAuthLocation },
        { "gatewayports", oGatewayPorts },
        { "useprivilegedport", oUsePrivilegedPort },
-        { "rhostsauthentication", oDeprecated },
        { "passwordauthentication", oPasswordAuthentication },
        { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
        { "kbdinteractivedevices", oKbdInteractiveDevices },
-        { "rsaauthentication", oRSAAuthentication },
        { "pubkeyauthentication", oPubkeyAuthentication },
        { "dsaauthentication", oPubkeyAuthentication },             /* alias */
-        { "rhostsrsaauthentication", oRhostsRSAAuthentication },
        { "hostbasedauthentication", oHostbasedAuthentication },
        { "challengeresponseauthentication", oChallengeResponseAuthentication },
        { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
        { "tisauthentication", oChallengeResponseAuthentication },  /* alias */
-        { "kerberosauthentication", oUnsupported },
-        { "kerberostgtpassing", oUnsupported },
-        { "afstokenpassing", oUnsupported },
-#if defined(GSSAPI)
-        { "gssapiauthentication", oGssAuthentication },
-        { "gssapidelegatecredentials", oGssDelegateCreds },
-#else
-        { "gssapiauthentication", oUnsupported },
-        { "gssapidelegatecredentials", oUnsupported },
-#endif
-        { "fallbacktorsh", oDeprecated },
-        { "usersh", oDeprecated },
        { "identityfile", oIdentityFile },
        { "identityfile2", oIdentityFile },                     /* obsolete */
        { "identitiesonly", oIdentitiesOnly },
@@ -233,15 +256,12 @@ static struct {
        { "match", oMatch },
        { "escapechar", oEscapeChar },
        { "globalknownhostsfile", oGlobalKnownHostsFile },
-        { "globalknownhostsfile2", oDeprecated },
        { "userknownhostsfile", oUserKnownHostsFile },
-        { "userknownhostsfile2", oDeprecated },
        { "connectionattempts", oConnectionAttempts },
        { "batchmode", oBatchMode },
        { "checkhostip", oCheckHostIP },
        { "stricthostkeychecking", oStrictHostKeyChecking },
        { "compression", oCompression },
-        { "compressionlevel", oCompressionLevel },
        { "tcpkeepalive", oTCPKeepAlive },
        { "keepalive", oTCPKeepAlive },                         /* obsolete */
        { "numberofpasswordprompts", oNumberOfPasswordPrompts },
@@ -250,13 +270,6 @@ static struct {
        { "preferredauthentications", oPreferredAuthentications },
        { "hostkeyalgorithms", oHostKeyAlgorithms },
        { "bindaddress", oBindAddress },
-#ifdef ENABLE_PKCS11
-        { "smartcarddevice", oPKCS11Provider },
-        { "pkcs11provider", oPKCS11Provider },
-#else
-        { "smartcarddevice", oUnsupported },
-        { "pkcs11provider", oUnsupported },
-#endif
        { "clearallforwardings", oClearAllForwardings },
        { "enablesshkeysign", oEnableSSHKeysign },
        { "verifyhostkeydns", oVerifyHostKeyDNS },
@@ -277,7 +290,6 @@ static struct {
        { "localcommand", oLocalCommand },
        { "permitlocalcommand", oPermitLocalCommand },
        { "visualhostkey", oVisualHostKey },
-        { "useroaming", oDeprecated },
        { "kexalgorithms", oKexAlgorithms },
        { "ipqos", oIPQoS },
        { "requesttty", oRequestTTY },
@@ -830,11 +842,11 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
                activep = &cmdline;
        }
-        /* Strip trailing whitespace */
+        /* Strip trailing whitespace. Allow \f (form feed) at EOL only */
        if ((len = strlen(line)) == 0)
                return 0;
        for (len--; len > 0; len--) {
-                if (strchr(WHITESPACE, line[len]) == NULL)
+                if (strchr(WHITESPACE "\f", line[len]) == NULL)
                        break;
                line[len] = '\0';
        }
@@ -1182,7 +1194,7 @@ parse_int:
                arg = strdelim(&s);
                if (!arg || *arg == '\0')
                        fatal("%.200s line %d: Missing argument.", filename, linenum);
-                if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
+                if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
                        fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (*activep && options->ciphers == NULL)
@@ -1193,7 +1205,7 @@ parse_int:
                arg = strdelim(&s);
                if (!arg || *arg == '\0')
                        fatal("%.200s line %d: Missing argument.", filename, linenum);
-                if (!mac_valid(*arg == '+' ? arg + 1 : arg))
+                if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
                        fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (*activep && options->macs == NULL)
@@ -1205,7 +1217,8 @@ parse_int:
                if (!arg || *arg == '\0')
                        fatal("%.200s line %d: Missing argument.",
                            filename, linenum);
-                if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
+                if (*arg != '-' &&
+                    !kex_names_valid(*arg == '+' ? arg + 1 : arg))
                        fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (*activep && options->kex_algorithms == NULL)
@@ -1219,7 +1232,8 @@ parse_keytypes:
                if (!arg || *arg == '\0')
                        fatal("%.200s line %d: Missing argument.",
                            filename, linenum);
-                if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+                if (*arg != '-' &&
+                    !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
                        fatal("%s line %d: Bad key types '%s'.",
                                filename, linenum, arg ? arg : "<NONE>");
                if (*activep && *charptr == NULL)
@@ -1486,6 +1500,7 @@ parse_keytypes:
                        if (r == GLOB_NOMATCH) {
                                debug("%.200s line %d: include %s matched no "
                                    "files",filename, linenum, arg2);
+                                free(arg2);
                                continue;
                        } else if (r != 0 || gl.gl_pathc < 0)
                                fatal("%.200s line %d: glob failed for %s.",
@@ -1502,6 +1517,11 @@ parse_keytypes:
                                    flags | SSHCONF_CHECKPERM |
                                    (oactive ? 0 : SSHCONF_NEVERMATCH),
                                    activep, depth + 1);
+                                if (r != 1 && errno != ENOENT) {
+                                        fatal("Can't open user config file "
+                                            "%.100s: %.100s", gl.gl_pathv[i],
+                                            strerror(errno));
+                                }
                                /*
                                 * don't let Match in includes clobber the
                                 * containing file's Match state.
@@ -1700,7 +1720,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
    int flags, int *activep, int depth)
 {
        FILE *f;
-        char line[1024];
+        char line[4096];
        int linenum;
        int bad_options = 0;
@@ -1730,6 +1750,8 @@ read_config_file_depth(const char *filename, struct passwd *pw,
        while (fgets(line, sizeof(line), f)) {
                /* Update line number counter. */
                linenum++;
+                if (strlen(line) == sizeof(line) - 1)
+                        fatal("%s line %d too long", filename, linenum);
                if (process_config_line_depth(options, pw, host, original_host,
                    line, filename, linenum, activep, flags, depth) != 0)
                        bad_options++;
@@ -2446,10 +2468,10 @@ dump_cfg_forwards(OpCodes code, u_int count, const struct Forward *fwds)
        /* oDynamicForward */
        for (i = 0; i < count; i++) {
                fwd = &fwds[i];
-                if (code == oDynamicForward &&
+                if (code == oDynamicForward && fwd->connect_host != NULL &&
                    strcmp(fwd->connect_host, "socks") != 0)
                        continue;
-                if (code == oLocalForward &&
+                if (code == oLocalForward && fwd->connect_host != NULL &&
                    strcmp(fwd->connect_host, "socks") == 0)
                        continue;
                printf("%s", lookup_opcode_name(code));
@@ -2522,8 +2544,10 @@ dump_client_config(Options *o, const char *host)
        dump_cfg_fmtint(oProxyUseFdpass, o->proxy_use_fdpass);
        dump_cfg_fmtint(oPubkeyAuthentication, o->pubkey_authentication);
        dump_cfg_fmtint(oRequestTTY, o->request_tty);
+#ifdef WITH_RSA1
        dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication);
        dump_cfg_fmtint(oRSAAuthentication, o->rsa_authentication);
+#endif
        dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
        dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);
        dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive);
@@ -2535,7 +2559,9 @@ dump_client_config(Options *o, const char *host)
        /* Integer options */
        dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots);
+#ifdef WITH_SSH1
        dump_cfg_int(oCompressionLevel, o->compression_level);
+#endif
        dump_cfg_int(oConnectionAttempts, o->connection_attempts);
        dump_cfg_int(oForwardX11Timeout, o->forward_x11_timeout);
        dump_cfg_int(oNumberOfPasswordPrompts, o->number_of_password_prompts);
@@ -2555,7 +2581,9 @@ dump_client_config(Options *o, const char *host)
        dump_cfg_string(oLocalCommand, o->local_command);
        dump_cfg_string(oLogLevel, log_level_name(o->log_level));
        dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);
+#ifdef ENABLE_PKCS11
        dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
+#endif
        dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);
        dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
        dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
author	Colin Watson <cjwatson@debian.org>	2017-03-29 01:35:00 +0100
committer	Colin Watson <cjwatson@debian.org>	2017-03-29 01:35:00 +0100
commit	6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 (patch)
tree	b4377d09196e24e2c6f2c2128f66f92cf7891105 /readconf.c
parent	971a7653746a6972b907dfe0ce139c06e4a6f482 (diff)
parent	d38f05dbdd291212bc95ea80648b72b7177e9f4e (diff)