Import openssh_8.2p1.orig.tar.gz

1 files changed, 122 insertions, 38 deletions

diff --git a/readconf.c b/readconf.c
index f78b4d6fe..f3cac6b3a 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.309 2019/09/06 14:45:34 naddy Exp $ */
+/* $OpenBSD: readconf.c,v 1.326 2020/02/06 22:46:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,9 +35,9 @@
 #endif
 #include <pwd.h>
 #include <signal.h>
-#include <stdarg.h>
 #include <stdio.h>
 #include <string.h>
+#include <stdarg.h>
 #include <unistd.h>
 #ifdef USE_SYSTEM_GLOB
 # include <glob.h>
@@ -121,8 +121,6 @@
      ForwardAgent no
      ForwardX11 no
      PasswordAuthentication yes
-     RSAAuthentication yes
-     RhostsRSAAuthentication yes
      StrictHostKeyChecking yes
      TcpKeepAlive no
      IdentityFile ~/.ssh/identity
@@ -146,15 +144,15 @@ typedef enum {
         oHost, oMatch, oInclude,
         oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
         oGatewayPorts, oExitOnForwardFailure,
-        oPasswordAuthentication, oRSAAuthentication,
+        oPasswordAuthentication,
         oChallengeResponseAuthentication, oXAuthLocation,
-        oIdentityFile, oHostname, oPort, oCipher, oRemoteForward, oLocalForward,
+        oIdentityFile, oHostname, oPort, oRemoteForward, oLocalForward,
         oCertificateFile, oAddKeysToAgent, oIdentityAgent,
-        oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
+        oUser, oEscapeChar, oProxyCommand,
         oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
         oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
-        oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
-        oUsePrivilegedPort, oLogFacility, oLogLevel, oCiphers, oMacs,
+        oTCPKeepAlive, oNumberOfPasswordPrompts,
+        oLogFacility, oLogLevel, oCiphers, oMacs,
         oPubkeyAuthentication,
         oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
         oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
@@ -174,6 +172,7 @@ typedef enum {
         oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
         oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
         oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
+        oSecurityKeyProvider,
         oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -198,6 +197,9 @@ static struct {
         { "afstokenpassing", oUnsupported },
         { "kerberosauthentication", oUnsupported },
         { "kerberostgtpassing", oUnsupported },
+        { "rsaauthentication", oUnsupported },
+        { "rhostsrsaauthentication", oUnsupported },
+        { "compressionlevel", oUnsupported },
 
         /* Sometimes-unsupported options */
 #if defined(GSSAPI)
@@ -214,9 +216,6 @@ static struct {
         { "smartcarddevice", oUnsupported },
         { "pkcs11provider", oUnsupported },
 #endif
-        { "rsaauthentication", oUnsupported },
-        { "rhostsrsaauthentication", oUnsupported },
-        { "compressionlevel", oUnsupported },
 
         { "forwardagent", oForwardAgent },
         { "forwardx11", oForwardX11 },
@@ -310,10 +309,21 @@ static struct {
         { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
         { "ignoreunknown", oIgnoreUnknown },
         { "proxyjump", oProxyJump },
+        { "securitykeyprovider", oSecurityKeyProvider },
 
         { NULL, oBadOption }
 };
 
+static char *kex_default_pk_alg_filtered;
+
+const char *
+kex_default_pk_alg(void)
+{
+        if (kex_default_pk_alg_filtered == NULL)
+                fatal("kex_default_pk_alg not initialized.");
+        return kex_default_pk_alg_filtered;
+}
+
 /*
  * Adds a local TCP/IP port forward to options.  Never returns if there is an
  * error.
@@ -518,7 +528,7 @@ execute_in_shell(const char *cmd)
                 execv(argv[0], argv);
                 error("Unable to execute '%.100s': %s", cmd, strerror(errno));
                 /* Die with signal to make this error apparent to parent. */
-                signal(SIGTERM, SIG_DFL);
+                ssh_signal(SIGTERM, SIG_DFL);
                 kill(getpid(), SIGTERM);
                 _exit(1);
         }
@@ -827,6 +837,13 @@ static const struct multistate multistate_canonicalizehostname[] = {
         { "always",                     SSH_CANONICALISE_ALWAYS },
         { NULL, -1 }
 };
+static const struct multistate multistate_compression[] = {
+#ifdef WITH_ZLIB
+        { "yes",                        COMP_ZLIB },
+#endif
+        { "no",                         COMP_NONE },
+        { NULL, -1 }
+};
 
 /*
  * Processes a single option line as used in the configuration files. This
@@ -919,6 +936,34 @@ parse_time:
 
         case oForwardAgent:
                 intptr = &options->forward_agent;
+
+                arg = strdelim(&s);
+                if (!arg || *arg == '\0')
+                        fatal("%s line %d: missing argument.",
+                            filename, linenum);
+
+                value = -1;
+                multistate_ptr = multistate_flag;
+                for (i = 0; multistate_ptr[i].key != NULL; i++) {
+                        if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
+                                value = multistate_ptr[i].value;
+                                break;
+                        }
+                }
+                if (value != -1) {
+                        if (*activep && *intptr == -1)
+                                *intptr = value;
+                        break;
+                }
+                /* ForwardAgent wasn't 'yes' or 'no', assume a path */
+                if (*activep && *intptr == -1)
+                        *intptr = 1;
+
+                charptr = &options->forward_agent_sock_path;
+                goto parse_agent_path;
+
+        case oForwardX11:
+                intptr = &options->forward_x11;
  parse_flag:
                 multistate_ptr = multistate_flag;
  parse_multistate:
@@ -940,10 +985,6 @@ parse_time:
                         *intptr = value;
                 break;
 
-        case oForwardX11:
-                intptr = &options->forward_x11;
-                goto parse_flag;
-
         case oForwardX11Trusted:
                 intptr = &options->forward_x11_trusted;
                 goto parse_flag;
@@ -1012,7 +1053,8 @@ parse_time:
 
         case oCompression:
                 intptr = &options->compression;
-                goto parse_flag;
+                multistate_ptr = multistate_compression;
+                goto parse_multistate;
 
         case oTCPKeepAlive:
                 intptr = &options->tcp_keep_alive;
@@ -1146,6 +1188,10 @@ parse_char_array:
                 charptr = &options->pkcs11_provider;
                 goto parse_string;
 
+        case oSecurityKeyProvider:
+                charptr = &options->sk_provider;
+                goto parse_string;
+
         case oProxyCommand:
                 charptr = &options->proxy_command;
                 /* Ignore ProxyCommand if ProxyJump already specified */
@@ -1553,12 +1599,12 @@ parse_keytypes:
                                     "files",filename, linenum, arg2);
                                 free(arg2);
                                 continue;
-                        } else if (r != 0 || gl.gl_pathc < 0)
+                        } else if (r != 0)
                                 fatal("%.200s line %d: glob failed for %s.",
                                     filename, linenum, arg2);
                         free(arg2);
                         oactive = *activep;
-                        for (i = 0; i < (u_int)gl.gl_pathc; i++) {
+                        for (i = 0; i < gl.gl_pathc; i++) {
                                 debug3("%.200s line %d: Including file %s "
                                     "depth %d%s", filename, linenum,
                                     gl.gl_pathv[i], depth,
@@ -1732,6 +1778,7 @@ parse_keytypes:
                 if (!arg || *arg == '\0')
                         fatal("%.200s line %d: Missing argument.",
                             filename, linenum);
+  parse_agent_path:
                 /* Extra validation if the string represents an env var. */
                 if (arg[0] == '$' && !valid_env_name(arg + 1)) {
                         fatal("%.200s line %d: Invalid environment name %s.",
@@ -1849,6 +1896,7 @@ initialize_options(Options * options)
 {
         memset(options, 'X', sizeof(*options));
         options->forward_agent = -1;
+        options->forward_agent_sock_path = NULL;
         options->forward_x11 = -1;
         options->forward_x11_trusted = -1;
         options->forward_x11_timeout = -1;
@@ -1906,6 +1954,7 @@ initialize_options(Options * options)
         options->bind_address = NULL;
         options->bind_interface = NULL;
         options->pkcs11_provider = NULL;
+        options->sk_provider = NULL;
         options->enable_ssh_keysign = - 1;
         options->no_host_authentication_for_localhost = - 1;
         options->identities_only = - 1;
@@ -1972,6 +2021,7 @@ void
 fill_default_options(Options * options)
 {
         char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
+        char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
         int r;
 
         if (options->forward_agent == -1)
@@ -2043,9 +2093,13 @@ fill_default_options(Options * options)
                 add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
 #ifdef OPENSSL_HAS_ECC
                 add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0);
+                add_identity_file(options, "~/",
+                    _PATH_SSH_CLIENT_ID_ECDSA_SK, 0);
 #endif
                 add_identity_file(options, "~/",
                     _PATH_SSH_CLIENT_ID_ED25519, 0);
+                add_identity_file(options, "~/",
+                    _PATH_SSH_CLIENT_ID_ED25519_SK, 0);
                 add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_XMSS, 0);
         }
         if (options->escape_char == -1)
@@ -2056,6 +2110,8 @@ fill_default_options(Options * options)
                 options->system_hostfiles[options->num_system_hostfiles++] =
                     xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2);
         }
+        if (options->update_hostkeys == -1)
+                        options->update_hostkeys = SSH_UPDATE_HOSTKEYS_NO;
         if (options->num_user_hostfiles == 0) {
                 options->user_hostfiles[options->num_user_hostfiles++] =
                     xstrdup(_PATH_SSH_USER_HOSTFILE);
@@ -2116,8 +2172,13 @@ fill_default_options(Options * options)
                 options->canonicalize_hostname = SSH_CANONICALISE_NO;
         if (options->fingerprint_hash == -1)
                 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
-        if (options->update_hostkeys == -1)
-                options->update_hostkeys = 0;
+#ifdef ENABLE_SK_INTERNAL
+        if (options->sk_provider == NULL)
+                options->sk_provider = xstrdup("internal");
+#else
+        if (options->sk_provider == NULL)
+                options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
+#endif
 
         /* Expand KEX name lists */
         all_cipher = cipher_alg_list(',', 0);
@@ -2125,24 +2186,35 @@ fill_default_options(Options * options)
         all_kex = kex_alg_list(',');
         all_key = sshkey_alg_list(0, 0, 1, ',');
         all_sig = sshkey_alg_list(0, 1, 1, ',');
+        /* remove unsupported algos from default lists */
+        def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
+        def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
+        def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
+        def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+        def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
 #define ASSEMBLE(what, defaults, all) \
         do { \
                 if ((r = kex_assemble_names(&options->what, \
                     defaults, all)) != 0) \
                         fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
         } while (0)
-        ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
-        ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
-        ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
-        ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
-        ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
-        ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
+        ASSEMBLE(ciphers, def_cipher, all_cipher);
+        ASSEMBLE(macs, def_mac, all_mac);
+        ASSEMBLE(kex_algorithms, def_kex, all_kex);
+        ASSEMBLE(hostbased_key_types, def_key, all_key);
+        ASSEMBLE(pubkey_key_types, def_key, all_key);
+        ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
 #undef ASSEMBLE
         free(all_cipher);
         free(all_mac);
         free(all_kex);
         free(all_key);
         free(all_sig);
+        free(def_cipher);
+        free(def_mac);
+        free(def_kex);
+        kex_default_pk_alg_filtered = def_key; /* save for later use */
+        free(def_sig);
 
 #define CLEAR_ON_NONE(v) \
         do { \
@@ -2157,6 +2229,7 @@ fill_default_options(Options * options)
         CLEAR_ON_NONE(options->control_path);
         CLEAR_ON_NONE(options->revoked_host_keys);
         CLEAR_ON_NONE(options->pkcs11_provider);
+        CLEAR_ON_NONE(options->sk_provider);
         if (options->jump_host != NULL &&
             strcmp(options->jump_host, "none") == 0 &&
             options->jump_port == 0 && options->jump_user == NULL) {
@@ -2590,14 +2663,19 @@ dump_cfg_forwards(OpCodes code, u_int count, const struct Forward *fwds)
 void
 dump_client_config(Options *o, const char *host)
 {
-        int i;
+        int i, r;
         char buf[8], *all_key;
 
-        /* This is normally prepared in ssh_kex2 */
+        /*
+         * Expand HostKeyAlgorithms name lists. This isn't handled in
+         * fill_default_options() like the other algorithm lists because
+         * the host key algorithms are by default dynamically chosen based
+         * on the host's keys found in known_hosts.
+         */
         all_key = sshkey_alg_list(0, 0, 1, ',');
-        if (kex_assemble_names( &o->hostkeyalgorithms,
-            KEX_DEFAULT_PK_ALG, all_key) != 0)
-                fatal("%s: kex_assemble_names failed", __func__);
+        if ((r = kex_assemble_names(&o->hostkeyalgorithms, kex_default_pk_alg(),
+            all_key)) != 0)
+                fatal("%s: expand HostKeyAlgorithms: %s", __func__, ssh_err(r));
         free(all_key);
 
         /* Most interesting options first: user, host, port */
@@ -2619,7 +2697,6 @@ dump_client_config(Options *o, const char *host)
         dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
         dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
         dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
-        dump_cfg_fmtint(oForwardAgent, o->forward_agent);
         dump_cfg_fmtint(oForwardX11, o->forward_x11);
         dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
         dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
@@ -2656,7 +2733,7 @@ dump_client_config(Options *o, const char *host)
         /* String options */
         dump_cfg_string(oBindAddress, o->bind_address);
         dump_cfg_string(oBindInterface, o->bind_interface);
-        dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
+        dump_cfg_string(oCiphers, o->ciphers);
         dump_cfg_string(oControlPath, o->control_path);
         dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
         dump_cfg_string(oHostKeyAlias, o->host_key_alias);
@@ -2664,15 +2741,16 @@ dump_client_config(Options *o, const char *host)
         dump_cfg_string(oIdentityAgent, o->identity_agent);
         dump_cfg_string(oIgnoreUnknown, o->ignored_unknown);
         dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
-        dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX);
-        dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
+        dump_cfg_string(oKexAlgorithms, o->kex_algorithms);
+        dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms);
         dump_cfg_string(oLocalCommand, o->local_command);
         dump_cfg_string(oRemoteCommand, o->remote_command);
         dump_cfg_string(oLogLevel, log_level_name(o->log_level));
-        dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);
+        dump_cfg_string(oMacs, o->macs);
 #ifdef ENABLE_PKCS11
         dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
 #endif
+        dump_cfg_string(oSecurityKeyProvider, o->sk_provider);
         dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);
         dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
         dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
@@ -2694,6 +2772,12 @@ dump_client_config(Options *o, const char *host)
 
         /* Special cases */
 
+        /* oForwardAgent */
+        if (o->forward_agent_sock_path == NULL)
+                dump_cfg_fmtint(oForwardAgent, o->forward_agent);
+        else
+                dump_cfg_string(oForwardAgent, o->forward_agent_sock_path);
+
         /* oConnectTimeout */
         if (o->connection_timeout == -1)
                 printf("connecttimeout none\n");