1 files changed, 62 insertions, 22 deletions

diff --git a/readconf.c b/readconf.c
index 6d046f063..2ba312441 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.300 2018/10/05 14:26:09 naddy Exp $ */
+/* $OpenBSD: readconf.c,v 1.304 2019/03/01 02:08:50 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -67,6 +67,7 @@
 #include "uidswap.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "ssh-gss.h"
 
 /* Format of the configuration file:
 
@@ -133,10 +134,11 @@
 
 static int read_config_file_depth(const char *filename, struct passwd *pw,
     const char *host, const char *original_host, Options *options,
-    int flags, int *activep, int depth);
+    int flags, int *activep, int *want_final_pass, int depth);
 static int process_config_line_depth(Options *options, struct passwd *pw,
     const char *host, const char *original_host, char *line,
-    const char *filename, int linenum, int *activep, int flags, int depth);
+    const char *filename, int linenum, int *activep, int flags,
+    int *want_final_pass, int depth);
 
 /* Keyword tokens. */
 
@@ -162,7 +164,7 @@ typedef enum {
         oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
         oAddressFamily, oGssAuthentication, oGssDelegateCreds,
         oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
-        oGssServerIdentity, 
+        oGssServerIdentity, oGssKexAlgorithms,
         oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
         oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
         oHashKnownHosts,
@@ -211,6 +213,7 @@ static struct {
         { "gssapiclientidentity", oGssClientIdentity },
         { "gssapiserveridentity", oGssServerIdentity },
         { "gssapirenewalforcesrekey", oGssRenewalRekey },
+        { "gssapikexalgorithms", oGssKexAlgorithms },
 # else
         { "gssapiauthentication", oUnsupported },
         { "gssapikeyexchange", oUnsupported },
@@ -219,10 +222,11 @@ static struct {
         { "gssapiclientidentity", oUnsupported },
         { "gssapiserveridentity", oUnsupported },
         { "gssapirenewalforcesrekey", oUnsupported },
+        { "gssapikexalgorithms", oUnsupported },
 #endif
 #ifdef ENABLE_PKCS11
-        { "smartcarddevice", oPKCS11Provider },
         { "pkcs11provider", oPKCS11Provider },
+        { "smartcarddevice", oPKCS11Provider },
 # else
         { "smartcarddevice", oUnsupported },
         { "pkcs11provider", oUnsupported },
@@ -555,8 +559,8 @@ execute_in_shell(const char *cmd)
  */
 static int
 match_cfg_line(Options *options, char **condition, struct passwd *pw,
-    const char *host_arg, const char *original_host, int post_canon,
-    const char *filename, int linenum)
+    const char *host_arg, const char *original_host, int final_pass,
+    int *want_final_pass, const char *filename, int linenum)
 {
         char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
         const char *ruser;
@@ -570,7 +574,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
          */
         port = options->port <= 0 ? default_ssh_port() : options->port;
         ruser = options->user == NULL ? pw->pw_name : options->user;
-        if (post_canon) {
+        if (final_pass) {
                 host = xstrdup(options->hostname);
         } else if (options->hostname != NULL) {
                 /* NB. Please keep in sync with ssh.c:main() */
@@ -602,8 +606,16 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
                         goto out;
                 }
                 attributes++;
-                if (strcasecmp(attrib, "canonical") == 0) {
-                        r = !!post_canon;  /* force bitmask member to boolean */
+                if (strcasecmp(attrib, "canonical") == 0 ||
+                    strcasecmp(attrib, "final") == 0) {
+                        /*
+                         * If the config requests "Match final" then remember
+                         * this so we can perform a second pass later.
+                         */
+                        if (strcasecmp(attrib, "final") == 0 &&
+                            want_final_pass != NULL)
+                                *want_final_pass = 1;
+                        r = !!final_pass;  /* force bitmask member to boolean */
                         if (r == (negate ? 1 : 0))
                                 this_result = result = 0;
                         debug3("%.200s line %d: %smatched '%s'",
@@ -840,14 +852,14 @@ process_config_line(Options *options, struct passwd *pw, const char *host,
     int linenum, int *activep, int flags)
 {
         return process_config_line_depth(options, pw, host, original_host,
-            line, filename, linenum, activep, flags, 0);
+            line, filename, linenum, activep, flags, NULL, 0);
 }
 
 #define WHITESPACE " \t\r\n"
 static int
 process_config_line_depth(Options *options, struct passwd *pw, const char *host,
     const char *original_host, char *line, const char *filename,
-    int linenum, int *activep, int flags, int depth)
+    int linenum, int *activep, int flags, int *want_final_pass, int depth)
 {
         char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
         char **cpptr, fwdarg[256];
@@ -1014,6 +1026,18 @@ parse_time:
                 intptr = &options->gss_renewal_rekey;
                 goto parse_flag;
 
+        case oGssKexAlgorithms:
+                arg = strdelim(&s);
+                if (!arg || *arg == '\0')
+                        fatal("%.200s line %d: Missing argument.",
+                            filename, linenum);
+                if (!kex_gss_names_valid(arg))
+                        fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+                            filename, linenum, arg ? arg : "<NONE>");
+                if (*activep && options->gss_kex_algorithms == NULL)
+                        options->gss_kex_algorithms = xstrdup(arg);
+                break;
+
         case oBatchMode:
                 intptr = &options->batch_mode;
                 goto parse_flag;
@@ -1375,7 +1399,8 @@ parse_keytypes:
                         fatal("Host directive not supported as a command-line "
                             "option");
                 value = match_cfg_line(options, &s, pw, host, original_host,
-                    flags & SSHCONF_POSTCANON, filename, linenum);
+                    flags & SSHCONF_FINAL, want_final_pass,
+                    filename, linenum);
                 if (value < 0)
                         fatal("%.200s line %d: Bad Match condition", filename,
                             linenum);
@@ -1559,7 +1584,7 @@ parse_keytypes:
                         if (*arg == '~' && (flags & SSHCONF_USERCONF) == 0)
                                 fatal("%.200s line %d: bad include path %s.",
                                     filename, linenum, arg);
-                        if (*arg != '/' && *arg != '~') {
+                        if (!path_absolute(arg) && *arg != '~') {
                                 xasprintf(&arg2, "%s/%s",
                                     (flags & SSHCONF_USERCONF) ?
                                     "~/" _PATH_SSH_USER_DIR : SSHDIR, arg);
@@ -1586,7 +1611,7 @@ parse_keytypes:
                                     pw, host, original_host, options,
                                     flags | SSHCONF_CHECKPERM |
                                     (oactive ? 0 : SSHCONF_NEVERMATCH),
-                                    activep, depth + 1);
+                                    activep, want_final_pass, depth + 1);
                                 if (r != 1 && errno != ENOENT) {
                                         fatal("Can't open user config file "
                                             "%.100s: %.100s", gl.gl_pathv[i],
@@ -1789,19 +1814,20 @@ parse_keytypes:
  */
 int
 read_config_file(const char *filename, struct passwd *pw, const char *host,
-    const char *original_host, Options *options, int flags)
+    const char *original_host, Options *options, int flags,
+    int *want_final_pass)
 {
         int active = 1;
 
         return read_config_file_depth(filename, pw, host, original_host,
-            options, flags, &active, 0);
+            options, flags, &active, want_final_pass, 0);
 }
 
 #define READCONF_MAX_DEPTH      16
 static int
 read_config_file_depth(const char *filename, struct passwd *pw,
     const char *host, const char *original_host, Options *options,
-    int flags, int *activep, int depth)
+    int flags, int *activep, int *want_final_pass, int depth)
 {
         FILE *f;
         char *line = NULL;
@@ -1835,7 +1861,8 @@ read_config_file_depth(const char *filename, struct passwd *pw,
                 /* Update line number counter. */
                 linenum++;
                 if (process_config_line_depth(options, pw, host, original_host,
-                    line, filename, linenum, activep, flags, depth) != 0)
+                    line, filename, linenum, activep, flags, want_final_pass,
+                    depth) != 0)
                         bad_options++;
         }
         free(line);
@@ -1885,6 +1912,7 @@ initialize_options(Options * options)
         options->gss_renewal_rekey = -1;
         options->gss_client_identity = NULL;
         options->gss_server_identity = NULL;
+        options->gss_kex_algorithms = NULL;
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->kbd_interactive_devices = NULL;
@@ -2038,6 +2066,10 @@ fill_default_options(Options * options)
                 options->gss_trust_dns = 0;
         if (options->gss_renewal_rekey == -1)
                 options->gss_renewal_rekey = 0;
+#ifdef GSSAPI
+        if (options->gss_kex_algorithms == NULL)
+                options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
         if (options->password_authentication == -1)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
@@ -2163,9 +2195,9 @@ fill_default_options(Options * options)
                     defaults, all)) != 0) \
                         fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
         } while (0)
-        ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
-        ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
-        ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
+        ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
+        ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
+        ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
         ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
         ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
         ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
@@ -2188,6 +2220,7 @@ fill_default_options(Options * options)
         CLEAR_ON_NONE(options->proxy_command);
         CLEAR_ON_NONE(options->control_path);
         CLEAR_ON_NONE(options->revoked_host_keys);
+        CLEAR_ON_NONE(options->pkcs11_provider);
         if (options->jump_host != NULL &&
             strcmp(options->jump_host, "none") == 0 &&
             options->jump_port == 0 && options->jump_user == NULL) {
@@ -2656,7 +2689,14 @@ dump_client_config(Options *o, const char *host)
         dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
 #ifdef GSSAPI
         dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
+        dump_cfg_fmtint(oGssKeyEx, o->gss_keyex);
         dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
+        dump_cfg_fmtint(oGssTrustDns, o->gss_trust_dns);
+        dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
+        dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
+        dump_cfg_string(oGssServerIdentity, o->gss_server_identity);
+        dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms ?
+            o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
 #endif /* GSSAPI */
         dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
         dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);