3 files changed, 37 insertions, 37 deletions
diff --git a/sftp-server.c b/sftp-server.c
index 359204fa7..b1d8c88cb 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-server.c,v 1.117 2019/07/05 04:55:40 djm Exp $ */
+/* $OpenBSD: sftp-server.c,v 1.118 2020/06/22 05:52:05 djm Exp $ */
 /*
 * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
 *
@@ -74,7 +74,7 @@ static int init_done;
 static int readonly;
 /* Requests that are allowed/denied */
-static char *request_whitelist, *request_blacklist;
+static char *request_allowlist, *request_denylist;
 /* portable attributes, etc. */
 typedef struct Stat Stat;
@@ -164,20 +164,20 @@ request_permitted(const struct sftp_handler *h)
                verbose("Refusing %s request in read-only mode", h->name);
                return 0;
        }
-        if (request_blacklist != NULL &&
+        if (request_denylist != NULL &&
-            ((result = match_list(h->name, request_blacklist, NULL))) != NULL) {
+            ((result = match_list(h->name, request_denylist, NULL))) != NULL) {
                free(result);
-                verbose("Refusing blacklisted %s request", h->name);
+                verbose("Refusing denylisted %s request", h->name);
                return 0;
        }
-        if (request_whitelist != NULL &&
+        if (request_allowlist != NULL &&
-            ((result = match_list(h->name, request_whitelist, NULL))) != NULL) {
+            ((result = match_list(h->name, request_allowlist, NULL))) != NULL) {
                free(result);
-                debug2("Permitting whitelisted %s request", h->name);
+                debug2("Permitting allowlisted %s request", h->name);
                return 1;
        }
-        if (request_whitelist != NULL) {
+        if (request_allowlist != NULL) {
-                verbose("Refusing non-whitelisted %s request", h->name);
+                verbose("Refusing non-allowlisted %s request", h->name);
                return 0;
        }
        return 1;
@@ -1556,8 +1556,8 @@ sftp_server_usage(void)
        fprintf(stderr,
            "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
-            "[-l log_level]\n\t[-P blacklisted_requests] "
+            "[-l log_level]\n\t[-P denied_requests] "
-            "[-p whitelisted_requests] [-u umask]\n"
+            "[-p allowed_requests] [-u umask]\n"
            "       %s -Q protocol_feature\n",
            __progname, __progname);
        exit(1);
@@ -1627,14 +1627,14 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
                        free(cp);
                        break;
                case 'p':
-                        if (request_whitelist != NULL)
+                        if (request_allowlist != NULL)
                                fatal("Permitted requests already set");
-                        request_whitelist = xstrdup(optarg);
+                        request_allowlist = xstrdup(optarg);
                        break;
                case 'P':
-                        if (request_blacklist != NULL)
+                        if (request_denylist != NULL)
                                fatal("Refused requests already set");
-                        request_blacklist = xstrdup(optarg);
+                        request_denylist = xstrdup(optarg);
                        break;
                case 'u':
                        errno = 0;
diff --git a/ssh-agent.1 b/ssh-agent.1
index 8e9295e9d..2cf46160b 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.71 2020/06/19 07:21:42 dtucker Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.72 2020/06/22 05:52:05 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 19 2020 $
+.Dd $Mdocdate: June 22 2020 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME
@@ -46,12 +46,12 @@
 .Op Fl \&Dd
 .Op Fl a Ar bind_address
 .Op Fl E Ar fingerprint_hash
-.Op Fl P Ar provider_whitelist
+.Op Fl P Ar allowed_providers
 .Op Fl t Ar life
 .Nm ssh-agent
 .Op Fl a Ar bind_address
 .Op Fl E Ar fingerprint_hash
-.Op Fl P Ar provider_whitelist
+.Op Fl P Ar allowed_providers
 .Op Fl t Ar life
 .Ar command Op Ar arg ...
 .Nm ssh-agent
@@ -102,19 +102,19 @@ The default is
 Kill the current agent (given by the
 .Ev SSH_AGENT_PID
 environment variable).
-.It Fl P Ar provider_whitelist
+.It Fl P Ar allowed_providers
-Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
+Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO
-shared libraries that may be used with the
+authenticator middleware shared libraries that may be used with the
 .Fl S
 or
 .Fl s
 options to
 .Xr ssh-add 1 .
-Libraries that do not match the whitelist will be refused.
+Libraries that do not match the pattern list will be refused.
 See PATTERNS in
 .Xr ssh_config 5
 for a description of pattern-list syntax.
-The default whitelist is
+The default list is
 .Dq /usr/lib/*,/usr/local/lib/* .
 .It Fl s
 Generate Bourne shell commands on
diff --git a/ssh-agent.c b/ssh-agent.c
index 596c39582..d2f00e5ba 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.259 2020/06/19 07:21:42 dtucker Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.260 2020/06/22 05:52:05 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -150,8 +150,8 @@ pid_t cleanup_pid = 0;
 char socket_name[PATH_MAX];
 char socket_dir[PATH_MAX];
-/* PKCS#11/Security key path whitelist */
+/* Pattern-list of allowed PKCS#11/Security key paths */
-static char *provider_whitelist;
+static char *allowed_providers;
 /* locking */
 #define LOCK_SIZE       32
@@ -612,9 +612,9 @@ process_add_identity(SocketEntry *e)
                        free(sk_provider);
                        sk_provider = xstrdup(canonical_provider);
                        if (match_pattern_list(sk_provider,
-                            provider_whitelist, 0) != 1) {
+                            allowed_providers, 0) != 1) {
                                error("Refusing add key: "
-                                    "provider %s not whitelisted", sk_provider);
+                                    "provider %s not allowed", sk_provider);
                                free(sk_provider);
                                goto send;
                        }
@@ -769,9 +769,9 @@ process_add_smartcard_key(SocketEntry *e)
                    provider, strerror(errno));
                goto send;
        }
-        if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) {
+        if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) {
                verbose("refusing PKCS#11 add of \"%.100s\": "
-                    "provider not whitelisted", canonical_provider);
+                    "provider not allowed", canonical_provider);
                goto send;
        }
        debug("%s: add %.100s", __func__, canonical_provider);
@@ -1255,7 +1255,7 @@ usage(void)
        fprintf(stderr,
            "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
            "                 [-P provider_whitelist] [-t life]\n"
-            "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P provider_whitelist]\n"
+            "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
            "                 [-t life] command [arg ...]\n"
            "       ssh-agent [-c | -s] -k\n");
        exit(1);
@@ -1320,9 +1320,9 @@ main(int ac, char **av)
                                fatal("Unknown -O option");
                        break;
                case 'P':
-                        if (provider_whitelist != NULL)
+                        if (allowed_providers != NULL)
                                fatal("-P option already specified");
-                        provider_whitelist = xstrdup(optarg);
+                        allowed_providers = xstrdup(optarg);
                        break;
                case 's':
                        if (c_flag)
@@ -1358,8 +1358,8 @@ main(int ac, char **av)
        if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
                usage();
-        if (provider_whitelist == NULL)
+        if (allowed_providers == NULL)
-                provider_whitelist = xstrdup(DEFAULT_PROVIDER_WHITELIST);
+                allowed_providers = xstrdup(DEFAULT_PROVIDER_WHITELIST);
        if (ac == 0 && !c_flag && !s_flag) {
                shell = getenv("SHELL");

diff --git a/sftp-server.c b/sftp-server.c index 359204fa7..b1d8c88cb 100644 --- a/sftp-server.c +++ b/sftp-server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: sftp-server.c,v 1.117 2019/07/05 04:55:40 djm Exp $ */	1	/* $OpenBSD: sftp-server.c,v 1.118 2020/06/22 05:52:05 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
4	*	4	*
@@ -74,7 +74,7 @@ static int init_done;
74	static int readonly;	74	static int readonly;
75		75
76	/* Requests that are allowed/denied */	76	/* Requests that are allowed/denied */
77	static char request_whitelist, request_blacklist;	77	static char request_allowlist, request_denylist;
78		78
79	/* portable attributes, etc. */	79	/* portable attributes, etc. */
80	typedef struct Stat Stat;	80	typedef struct Stat Stat;
@@ -164,20 +164,20 @@ request_permitted(const struct sftp_handler *h)
164	verbose("Refusing %s request in read-only mode", h->name);	164	verbose("Refusing %s request in read-only mode", h->name);
165	return 0;	165	return 0;
166	}	166	}
167	if (request_blacklist != NULL &&	167	if (request_denylist != NULL &&
168	((result = match_list(h->name, request_blacklist, NULL))) != NULL) {	168	((result = match_list(h->name, request_denylist, NULL))) != NULL) {
169	free(result);	169	free(result);
170	verbose("Refusing blacklisted %s request", h->name);	170	verbose("Refusing denylisted %s request", h->name);
171	return 0;	171	return 0;
172	}	172	}
173	if (request_whitelist != NULL &&	173	if (request_allowlist != NULL &&
174	((result = match_list(h->name, request_whitelist, NULL))) != NULL) {	174	((result = match_list(h->name, request_allowlist, NULL))) != NULL) {
175	free(result);	175	free(result);
176	debug2("Permitting whitelisted %s request", h->name);	176	debug2("Permitting allowlisted %s request", h->name);
177	return 1;	177	return 1;
178	}	178	}
179	if (request_whitelist != NULL) {	179	if (request_allowlist != NULL) {
180	verbose("Refusing non-whitelisted %s request", h->name);	180	verbose("Refusing non-allowlisted %s request", h->name);
181	return 0;	181	return 0;
182	}	182	}
183	return 1;	183	return 1;
@@ -1556,8 +1556,8 @@ sftp_server_usage(void)
1556		1556
1557	fprintf(stderr,	1557	fprintf(stderr,
1558	"usage: %s [-ehR] [-d start_directory] [-f log_facility] "	1558	"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
1559	"[-l log_level]\n\t[-P blacklisted_requests] "	1559	"[-l log_level]\n\t[-P denied_requests] "
1560	"[-p whitelisted_requests] [-u umask]\n"	1560	"[-p allowed_requests] [-u umask]\n"
1561	" %s -Q protocol_feature\n",	1561	" %s -Q protocol_feature\n",
1562	__progname, __progname);	1562	__progname, __progname);
1563	exit(1);	1563	exit(1);
@@ -1627,14 +1627,14 @@ sftp_server_main(int argc, char *argv, struct passwd user_pw)
1627	free(cp);	1627	free(cp);
1628	break;	1628	break;
1629	case 'p':	1629	case 'p':
1630	if (request_whitelist != NULL)	1630	if (request_allowlist != NULL)
1631	fatal("Permitted requests already set");	1631	fatal("Permitted requests already set");
1632	request_whitelist = xstrdup(optarg);	1632	request_allowlist = xstrdup(optarg);
1633	break;	1633	break;
1634	case 'P':	1634	case 'P':
1635	if (request_blacklist != NULL)	1635	if (request_denylist != NULL)
1636	fatal("Refused requests already set");	1636	fatal("Refused requests already set");
1637	request_blacklist = xstrdup(optarg);	1637	request_denylist = xstrdup(optarg);
1638	break;	1638	break;
1639	case 'u':	1639	case 'u':
1640	errno = 0;	1640	errno = 0;


diff --git a/ssh-agent.1 b/ssh-agent.1 index 8e9295e9d..2cf46160b 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-agent.1,v 1.71 2020/06/19 07:21:42 dtucker Exp $	1	.\" $OpenBSD: ssh-agent.1,v 1.72 2020/06/22 05:52:05 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.Dd $Mdocdate: June 19 2020 $	37	.Dd $Mdocdate: June 22 2020 $
38	.Dt SSH-AGENT 1	38	.Dt SSH-AGENT 1
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -46,12 +46,12 @@
46	.Op Fl \&Dd	46	.Op Fl \&Dd
47	.Op Fl a Ar bind_address	47	.Op Fl a Ar bind_address
48	.Op Fl E Ar fingerprint_hash	48	.Op Fl E Ar fingerprint_hash
49	.Op Fl P Ar provider_whitelist	49	.Op Fl P Ar allowed_providers
50	.Op Fl t Ar life	50	.Op Fl t Ar life
51	.Nm ssh-agent	51	.Nm ssh-agent
52	.Op Fl a Ar bind_address	52	.Op Fl a Ar bind_address
53	.Op Fl E Ar fingerprint_hash	53	.Op Fl E Ar fingerprint_hash
54	.Op Fl P Ar provider_whitelist	54	.Op Fl P Ar allowed_providers
55	.Op Fl t Ar life	55	.Op Fl t Ar life
56	.Ar command Op Ar arg ...	56	.Ar command Op Ar arg ...
57	.Nm ssh-agent	57	.Nm ssh-agent
@@ -102,19 +102,19 @@ The default is
102	Kill the current agent (given by the	102	Kill the current agent (given by the
103	.Ev SSH_AGENT_PID	103	.Ev SSH_AGENT_PID
104	environment variable).	104	environment variable).
105	.It Fl P Ar provider_whitelist	105	.It Fl P Ar allowed_providers
106	Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator	106	Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO
107	shared libraries that may be used with the	107	authenticator middleware shared libraries that may be used with the
108	.Fl S	108	.Fl S
109	or	109	or
110	.Fl s	110	.Fl s
111	options to	111	options to
112	.Xr ssh-add 1 .	112	.Xr ssh-add 1 .
113	Libraries that do not match the whitelist will be refused.	113	Libraries that do not match the pattern list will be refused.
114	See PATTERNS in	114	See PATTERNS in
115	.Xr ssh_config 5	115	.Xr ssh_config 5
116	for a description of pattern-list syntax.	116	for a description of pattern-list syntax.
117	The default whitelist is	117	The default list is
118	.Dq /usr/lib/,/usr/local/lib/ .	118	.Dq /usr/lib/,/usr/local/lib/ .
119	.It Fl s	119	.It Fl s
120	Generate Bourne shell commands on	120	Generate Bourne shell commands on


diff --git a/ssh-agent.c b/ssh-agent.c index 596c39582..d2f00e5ba 100644 --- a/ssh-agent.c +++ b/ssh-agent.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssh-agent.c,v 1.259 2020/06/19 07:21:42 dtucker Exp $ */	1	/* $OpenBSD: ssh-agent.c,v 1.260 2020/06/22 05:52:05 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -150,8 +150,8 @@ pid_t cleanup_pid = 0;
150	char socket_name[PATH_MAX];	150	char socket_name[PATH_MAX];
151	char socket_dir[PATH_MAX];	151	char socket_dir[PATH_MAX];
152		152
153	/* PKCS#11/Security key path whitelist */	153	/* Pattern-list of allowed PKCS#11/Security key paths */
154	static char *provider_whitelist;	154	static char *allowed_providers;
155		155
156	/* locking */	156	/* locking */
157	#define LOCK_SIZE 32	157	#define LOCK_SIZE 32
@@ -612,9 +612,9 @@ process_add_identity(SocketEntry *e)
612	free(sk_provider);	612	free(sk_provider);
613	sk_provider = xstrdup(canonical_provider);	613	sk_provider = xstrdup(canonical_provider);
614	if (match_pattern_list(sk_provider,	614	if (match_pattern_list(sk_provider,
615	provider_whitelist, 0) != 1) {	615	allowed_providers, 0) != 1) {
616	error("Refusing add key: "	616	error("Refusing add key: "
617	"provider %s not whitelisted", sk_provider);	617	"provider %s not allowed", sk_provider);
618	free(sk_provider);	618	free(sk_provider);
619	goto send;	619	goto send;
620	}	620	}
@@ -769,9 +769,9 @@ process_add_smartcard_key(SocketEntry *e)
769	provider, strerror(errno));	769	provider, strerror(errno));
770	goto send;	770	goto send;
771	}	771	}
772	if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) {	772	if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) {
773	verbose("refusing PKCS#11 add of \"%.100s\": "	773	verbose("refusing PKCS#11 add of \"%.100s\": "
774	"provider not whitelisted", canonical_provider);	774	"provider not allowed", canonical_provider);
775	goto send;	775	goto send;
776	}	776	}
777	debug("%s: add %.100s", __func__, canonical_provider);	777	debug("%s: add %.100s", __func__, canonical_provider);
@@ -1255,7 +1255,7 @@ usage(void)
1255	fprintf(stderr,	1255	fprintf(stderr,
1256	"usage: ssh-agent [-c \| -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"	1256	"usage: ssh-agent [-c \| -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
1257	" [-P provider_whitelist] [-t life]\n"	1257	" [-P provider_whitelist] [-t life]\n"
1258	" ssh-agent [-a bind_address] [-E fingerprint_hash] [-P provider_whitelist]\n"	1258	" ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
1259	" [-t life] command [arg ...]\n"	1259	" [-t life] command [arg ...]\n"
1260	" ssh-agent [-c \| -s] -k\n");	1260	" ssh-agent [-c \| -s] -k\n");
1261	exit(1);	1261	exit(1);
@@ -1320,9 +1320,9 @@ main(int ac, char **av)
1320	fatal("Unknown -O option");	1320	fatal("Unknown -O option");
1321	break;	1321	break;
1322	case 'P':	1322	case 'P':
1323	if (provider_whitelist != NULL)	1323	if (allowed_providers != NULL)
1324	fatal("-P option already specified");	1324	fatal("-P option already specified");
1325	provider_whitelist = xstrdup(optarg);	1325	allowed_providers = xstrdup(optarg);
1326	break;	1326	break;
1327	case 's':	1327	case 's':
1328	if (c_flag)	1328	if (c_flag)
@@ -1358,8 +1358,8 @@ main(int ac, char **av)
1358	if (ac > 0 && (c_flag \|\| k_flag \|\| s_flag \|\| d_flag \|\| D_flag))	1358	if (ac > 0 && (c_flag \|\| k_flag \|\| s_flag \|\| d_flag \|\| D_flag))
1359	usage();	1359	usage();
1360		1360
1361	if (provider_whitelist == NULL)	1361	if (allowed_providers == NULL)
1362	provider_whitelist = xstrdup(DEFAULT_PROVIDER_WHITELIST);	1362	allowed_providers = xstrdup(DEFAULT_PROVIDER_WHITELIST);
1363		1363
1364	if (ac == 0 && !c_flag && !s_flag) {	1364	if (ac == 0 && !c_flag && !s_flag) {
1365	shell = getenv("SHELL");	1365	shell = getenv("SHELL");