-rw-r--r-- | kex.c | 15 | ||||
-rw-r--r-- | readconf.c | 14 | ||||
-rw-r--r-- | servconf.c | 14 | ||||
-rw-r--r-- | ssh.c | 4 | ||||
-rw-r--r-- | ssh_config.5 | 28 | ||||
-rw-r--r-- | sshd_config.5 | 24 |
6 files changed, 80 insertions, 19 deletions
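--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.153 2019/09/06 01:58:50 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.154 2019/09/06 14:45:34 naddy Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
  *
@@ -213,8 +213,9 @@ kex_names_cat(const char *a, const char *b)
 /*
  * Assemble a list of algorithms from a default list and a string from a
  * configuration file. The user-provided string may begin with '+' to
- * indicate that it should be appended to the default or '-' that the
- * specified names should be removed.
+ * indicate that it should be appended to the default, '-' that the
+ * specified names should be removed, or '^' that they should be placed
+ * at the head.
  */
 int
 kex_assemble_names(char **listp, const char *def, const char *all)
@@ -251,6 +252,14 @@ kex_assemble_names(char **listp, const char *def, const char *all)
 		free(list);
 		/* filtering has already been done */
 		return 0;
+	} else if (*list == '^') {
+		/* Place names at head of default list */
+		if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto fail;
+		}
+		free(list);
+		list = tmp;
 	} else {
 		/* Explicit list, overrides default - just use "list" as is */
 	}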
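--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.308 2019/08/09 05:05:54 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.309 2019/09/06 14:45:34 naddy Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1199,7 +1199,8 @@ parse_int:
 		arg = strdelim(&s);
 		if (!arg || *arg == '\0')
 			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
+		if (*arg != '-' &&
+		    !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
 			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
 		if (*activep && options->ciphers == NULL)
@@ -1210,7 +1211,8 @@ parse_int:
 		arg = strdelim(&s);
 		if (!arg || *arg == '\0')
 			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
+		if (*arg != '-' &&
+		    !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
 			fatal("%.200s line %d: Bad SSH2 MAC spec '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
 		if (*activep && options->macs == NULL)
@@ -1223,7 +1225,8 @@ parse_int:
 			fatal("%.200s line %d: Missing argument.",
 			    filename, linenum);
 		if (*arg != '-' &&
-		    !kex_names_valid(*arg == '+' ? arg + 1 : arg))
+		    !kex_names_valid(*arg == '+' || *arg == '^' ?
+		    arg + 1 : arg))
 			fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
 		if (*activep && options->kex_algorithms == NULL)
@@ -1238,7 +1241,8 @@ parse_keytypes:
 			fatal("%.200s line %d: Missing argument.",
 			    filename, linenum);
 		if (*arg != '-' &&
-		    !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+		    !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
+		    arg + 1 : arg, 1))
 			fatal("%s line %d: Bad key types '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
 		if (*activep && *charptr == NULL)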
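Review bot: The prefix-stripping expression `*arg == '+' || *arg == '^' ? arg + 1 : arg` is now hand-copied into four sites in this file (and again in servconf.c and ssh.c), so every future prefix means touching every site and missing one silently rejects the new syntax for that keyword; a small helper such as `static const char *skip_list_prefix(const char *s) { return (*s == '+' || *s == '^') ? s + 1 : s; }` would keep them consistent and also drop the reliance on `||` binding tighter than `?:`, which reads as if the `arg + 1 : arg` part belonged only to the `^` test. Separately, the `-` form still bypasses the validity check altogether (pre-existing), so an unknown name in a `-` list is not diagnosed here; whether the later assembly catches it is outside the hunk. The enclosing process_config_line switch begins and ends outside the hunk.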
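--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.351 2019/04/18 18:56:16 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.352 2019/09/06 14:45:34 naddy Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -1444,7 +1444,8 @@ process_server_config_line(ServerOptions *options, char *line,
 			fatal("%s line %d: Missing argument.",
 			    filename, linenum);
 		if (*arg != '-' &&
-		    !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+		    !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
+		    arg + 1 : arg, 1))
 			fatal("%s line %d: Bad key types '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
 		if (*activep && *charptr == NULL)
@@ -1715,7 +1716,8 @@ process_server_config_line(ServerOptions *options, char *line,
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
 			fatal("%s line %d: Missing argument.", filename, linenum);
-		if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
+		if (*arg != '-' &&
+		    !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
 		if (options->ciphers == NULL)
@@ -1726,7 +1728,8 @@ process_server_config_line(ServerOptions *options, char *line,
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
 			fatal("%s line %d: Missing argument.", filename, linenum);
-		if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
+		if (*arg != '-' &&
+		    !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
 		if (options->macs == NULL)
@@ -1739,7 +1742,8 @@ process_server_config_line(ServerOptions *options, char *line,
 			fatal("%s line %d: Missing argument.",
 			    filename, linenum);
 		if (*arg != '-' &&
-		    !kex_names_valid(*arg == '+' ? arg + 1 : arg))
+		    !kex_names_valid(*arg == '+' || *arg == '^' ?
+		    arg + 1 : arg))
 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
 		if (options->kex_algorithms == NULL)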
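Review bot: Accepting `^` for the server-side Ciphers, MACs and KexAlgorithms keywords presents head placement as a preference control, but as I read RFC 4253 §7.1 it is the client's ordering that selects the algorithm from the intersection, so on sshd `^` changes only what is offered and the order in the server's KEXINIT, not which algorithm is negotiated; for the key-type list validated in the first hunk the list acts as an allow-list, where order carries even less meaning. That deserves a sentence in the sshd_config.5 text this commit adds, e.g. `Note that the client's preference order, not the server's, decides which algorithm is negotiated.` The same prefix test is also copied verbatim into four sites here, so a shared helper with readconf.c would stop the next prefix from missing a site. process_server_config_line begins and ends outside the hunk.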
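--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.505 2019/06/28 13:35:04 deraadt Exp $ */
+/* $OpenBSD: ssh.c,v 1.506 2019/09/06 14:45:34 naddy Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -877,7 +877,7 @@ main(int ac, char **av)
 			}
 			break;
 		case 'c':
-			if (!ciphers_valid(*optarg == '+' ?
+			if (!ciphers_valid(*optarg == '+' || *optarg == '^' ?
 			    optarg + 1 : optarg)) {
 				fprintf(stderr, "Unknown cipher type '%s'\n",
 				    optarg);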
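Review bot: The `-c` case strips only `+` and `^` before validation, so unlike the Ciphers keyword in readconf.c, which skips the check for a leading `-`, a `-c -<list>` on the command line is handed to ciphers_valid unchanged and is presumably rejected as an unknown cipher; if the removal form is meant to be usable here it needs `if (*optarg != '-' && !ciphers_valid(...))`, and if not, the man page for -c should say that only `+`/`^` are accepted. The sibling `-m` (MACs) case in the same getopt switch is outside this hunk; if it still validates optarg without stripping any prefix it will reject `+`/`^` lists that the MACs keyword now accepts, which is a surprising inconsistency for per-invocation overrides. Sharing one prefix-stripping helper with readconf.c would settle both. main begins and ends outside the hunk.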
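--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.300 2019/09/04 20:31:15 naddy Exp $
-.Dd $Mdocdate: September 4 2019 $
+.\" $OpenBSD: ssh_config.5,v 1.301 2019/09/06 14:45:34 naddy Exp $
+.Dd $Mdocdate: September 6 2019 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -430,6 +430,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified ciphers (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
 .Pp
 The supported ciphers are:
 .Bd -literal -offset indent
@@ -794,6 +798,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -822,6 +830,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -1051,6 +1063,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified methods (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
 The default is:
 .Bd -literal -offset indent
 curve25519-sha256,curve25519-sha256@libssh.org,
@@ -1132,6 +1148,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
 .Pp
 The algorithms that contain
 .Qq -etm
@@ -1289,6 +1309,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,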
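--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.289 2019/09/04 20:31:15 naddy Exp $
-.Dd $Mdocdate: September 4 2019 $
+.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $
+.Dd $Mdocdate: September 6 2019 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -462,6 +462,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified ciphers (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
 .Pp
 The supported ciphers are:
 .Pp
@@ -676,6 +680,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -881,6 +889,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified methods (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
 The supported algorithms are:
 .Pp
 .Bl -item -compact -offset indent
@@ -998,6 +1010,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
 .Pp
 The algorithms that contain
 .Qq -etm
@@ -1403,6 +1419,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,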