Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c54
1 files changed, 29 insertions, 25 deletions
diff --git a/readconf.c b/readconf.c
index db7d0bbbf..1d03bdf72 100644
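--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.237 2015/06/26 05:13:20 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.239 2015/07/30 00:01:34 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -157,6 +157,7 @@ typedef enum {
  oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
  oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
  oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
+ oPubkeyAcceptedKeyTypes,
  oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -275,6 +276,7 @@ static struct {
  { "fingerprinthash", oFingerprintHash },
  { "updatehostkeys", oUpdateHostkeys },
  { "hostbasedkeytypes", oHostbasedKeyTypes },
+ { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
  { "ignoreunknown", oIgnoreUnknown },
 
  { NULL, oBadOption }
@@ -1084,7 +1086,7 @@ parse_int:
  arg = strdelim(&s);
  if (!arg || *arg == '\0')
  fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (!ciphers_valid(arg))
+ if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
  fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
  filename, linenum, arg ? arg : "<NONE>");
  if (*activep && options->ciphers == NULL)
@@ -1095,7 +1097,7 @@ parse_int:
  arg = strdelim(&s);
  if (!arg || *arg == '\0')
  fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (!mac_valid(arg))
+ if (!mac_valid(*arg == '+' ? arg + 1 : arg))
  fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
  filename, linenum, arg ? arg : "<NONE>");
  if (*activep && options->macs == NULL)
@@ -1107,7 +1109,7 @@ parse_int:
  if (!arg || *arg == '\0')
  fatal("%.200s line %d: Missing argument.",
  filename, linenum);
- if (!kex_names_valid(arg))
+ if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
  fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
  filename, linenum, arg ? arg : "<NONE>");
  if (*activep && options->kex_algorithms == NULL)
@@ -1115,14 +1117,17 @@ parse_int:
  break;
 
  case oHostKeyAlgorithms:
+ charptr = &options->hostkeyalgorithms;
+parse_keytypes:
  arg = strdelim(&s);
  if (!arg || *arg == '\0')
- fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (!sshkey_names_valid2(arg, 1))
- fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
- if (*activep && options->hostkeyalgorithms == NULL)
- options->hostkeyalgorithms = xstrdup(arg);
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+ fatal("%s line %d: Bad key types '%s'.",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*activep && *charptr == NULL)
+ *charptr = xstrdup(arg);
  break;
 
  case oProtocol:
@@ -1485,16 +1490,11 @@ parse_int:
 
  case oHostbasedKeyTypes:
  charptr = &options->hostbased_key_types;
- arg = strdelim(&s);
- if (!arg || *arg == '\0')
- fatal("%.200s line %d: Missing argument.",
- filename, linenum);
- if (!sshkey_names_valid2(arg, 1))
- fatal("%s line %d: Bad key types '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
- if (*activep && *charptr == NULL)
- *charptr = xstrdup(arg);
- break;
+ goto parse_keytypes;
+
+ case oPubkeyAcceptedKeyTypes:
+ charptr = &options->pubkey_key_types;
+ goto parse_keytypes;
 
  case oDeprecated:
  debug("%s line %d: Deprecated option \"%s\"",
@@ -1676,6 +1676,7 @@ initialize_options(Options * options)
  options->fingerprint_hash = -1;
  options->update_hostkeys = -1;
  options->hostbased_key_types = NULL;
+ options->pubkey_key_types = NULL;
 }
 
 /*
@@ -1761,9 +1762,6 @@ fill_default_options(Options * options)
  /* Selected in ssh_login(). */
  if (options->cipher == -1)
  options->cipher = SSH_CIPHER_NOT_SET;
- /* options->ciphers, default set in myproposals.h */
- /* options->macs, default set in myproposals.h */
- /* options->kex_algorithms, default set in myproposals.h */
  /* options->hostkeyalgorithms, default set in myproposals.h */
  if (options->protocol == SSH_PROTO_UNKNOWN)
  options->protocol = SSH_PROTO_2;
@@ -1857,8 +1855,14 @@ fill_default_options(Options * options)
  options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
  if (options->update_hostkeys == -1)
  options->update_hostkeys = 0;
- if (options->hostbased_key_types == NULL)
- options->hostbased_key_types = xstrdup("*");
+ if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
+ kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 ||
+ kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 ||
+ kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ &options->hostbased_key_types) != 0 ||
+ kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ &options->pubkey_key_types) != 0)
+ fatal("%s: kex_assemble_names failed", __func__);
 
 #define CLEAR_ON_NONE(v) \
  do { \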
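Review bot: HostKeyAlgorithms now falls into the shared `parse_keytypes` label, so a value with a leading `+` passes `sshkey_names_valid2()` and is stored verbatim, yet the `kex_assemble_names()` chain added to `fill_default_options()` expands only ciphers, macs, kex_algorithms, hostbased_key_types and pubkey_key_types. Unless the prefix is expanded where the list is consumed (not visible on this page), `options->hostkeyalgorithms` would reach negotiation as a literal `+name` string, so the user's host-key algorithm policy would not be applied as written. Either expand it alongside the other lists or keep strict validation for this one option, and until then make the retained comment say so, e.g. `/* options->hostkeyalgorithms: '+' prefix is accepted by the parser but not expanded here */`. The shared label also replaces the option-specific error with the generic `Bad key types` and drops the `%.200s` bound on `filename` that the neighbouring fatal() calls keep. Both the option parser and `fill_default_options()` begin and end outside the hunks shown.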