Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c54
1 files changed, 29 insertions, 25 deletions
diff --git a/readconf.c b/readconf.c
index f0769b574..e4e1cbae3 100644
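--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.237 2015/06/26 05:13:20 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.239 2015/07/30 00:01:34 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -161,6 +161,7 @@ typedef enum {
  oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
  oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
  oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
+ oPubkeyAcceptedKeyTypes,
  oProtocolKeepAlives, oSetupTimeOut,
  oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
@@ -290,6 +291,7 @@ static struct {
  { "fingerprinthash", oFingerprintHash },
  { "updatehostkeys", oUpdateHostkeys },
  { "hostbasedkeytypes", oHostbasedKeyTypes },
+ { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
  { "ignoreunknown", oIgnoreUnknown },
  { "protocolkeepalives", oProtocolKeepAlives },
  { "setuptimeout", oSetupTimeOut },
@@ -1121,7 +1123,7 @@ parse_int:
  arg = strdelim(&s);
  if (!arg || *arg == '\0')
  fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (!ciphers_valid(arg))
+ if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
  fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
  filename, linenum, arg ? arg : "<NONE>");
  if (*activep && options->ciphers == NULL)
@@ -1132,7 +1134,7 @@ parse_int:
  arg = strdelim(&s);
  if (!arg || *arg == '\0')
  fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (!mac_valid(arg))
+ if (!mac_valid(*arg == '+' ? arg + 1 : arg))
  fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
  filename, linenum, arg ? arg : "<NONE>");
  if (*activep && options->macs == NULL)
@@ -1144,7 +1146,7 @@ parse_int:
  if (!arg || *arg == '\0')
  fatal("%.200s line %d: Missing argument.",
  filename, linenum);
- if (!kex_names_valid(arg))
+ if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
  fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
  filename, linenum, arg ? arg : "<NONE>");
  if (*activep && options->kex_algorithms == NULL)
@@ -1152,14 +1154,17 @@ parse_int:
  break;
 
  case oHostKeyAlgorithms:
+ charptr = &options->hostkeyalgorithms;
+parse_keytypes:
  arg = strdelim(&s);
  if (!arg || *arg == '\0')
- fatal("%.200s line %d: Missing argument.", filename, linenum);
- if (!sshkey_names_valid2(arg, 1))
- fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
- if (*activep && options->hostkeyalgorithms == NULL)
- options->hostkeyalgorithms = xstrdup(arg);
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+ fatal("%s line %d: Bad key types '%s'.",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*activep && *charptr == NULL)
+ *charptr = xstrdup(arg);
  break;
 
  case oProtocol:
@@ -1524,16 +1529,11 @@ parse_int:
 
  case oHostbasedKeyTypes:
  charptr = &options->hostbased_key_types;
- arg = strdelim(&s);
- if (!arg || *arg == '\0')
- fatal("%.200s line %d: Missing argument.",
- filename, linenum);
- if (!sshkey_names_valid2(arg, 1))
- fatal("%s line %d: Bad key types '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
- if (*activep && *charptr == NULL)
- *charptr = xstrdup(arg);
- break;
+ goto parse_keytypes;
+
+ case oPubkeyAcceptedKeyTypes:
+ charptr = &options->pubkey_key_types;
+ goto parse_keytypes;
 
  case oDeprecated:
  debug("%s line %d: Deprecated option \"%s\"",
@@ -1719,6 +1719,7 @@ initialize_options(Options * options)
  options->fingerprint_hash = -1;
  options->update_hostkeys = -1;
  options->hostbased_key_types = NULL;
+ options->pubkey_key_types = NULL;
 }
 
 /*
@@ -1810,9 +1811,6 @@ fill_default_options(Options * options)
  /* Selected in ssh_login(). */
  if (options->cipher == -1)
  options->cipher = SSH_CIPHER_NOT_SET;
- /* options->ciphers, default set in myproposals.h */
- /* options->macs, default set in myproposals.h */
- /* options->kex_algorithms, default set in myproposals.h */
  /* options->hostkeyalgorithms, default set in myproposals.h */
  if (options->protocol == SSH_PROTO_UNKNOWN)
  options->protocol = SSH_PROTO_2;
@@ -1911,8 +1909,14 @@ fill_default_options(Options * options)
  options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
  if (options->update_hostkeys == -1)
  options->update_hostkeys = 0;
- if (options->hostbased_key_types == NULL)
- options->hostbased_key_types = xstrdup("*");
+ if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
+ kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 ||
+ kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 ||
+ kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ &options->hostbased_key_types) != 0 ||
+ kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ &options->pubkey_key_types) != 0)
+ fatal("%s: kex_assemble_names failed", __func__);
 
 #define CLEAR_ON_NONE(v) \
  do { \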
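Review bot: `HostKeyAlgorithms` now goes through `parse_keytypes` (new lines 1157-1167), so a value with a leading `+` passes `sshkey_names_valid2()` and is stored verbatim in `options->hostkeyalgorithms`, yet the `kex_assemble_names()` chain added to `fill_default_options()` (new lines 1912-1919) expands only `ciphers`, `macs`, `kex_algorithms`, `hostbased_key_types` and `pubkey_key_types`. Unless the prefix is resolved where the host key proposal is built, which this file's diff does not show, the literal `+list` string would reach negotiation instead of extending the defaults, and the user's host key algorithm policy would silently differ from what the config says. If the unset case has to stay `NULL`, a guarded expansion such as `if (options->hostkeyalgorithms != NULL && kex_assemble_names(KEX_DEFAULT_PK_ALG, &options->hostkeyalgorithms) != 0) fatal("%s: kex_assemble_names failed", __func__);` would cover it, assuming `kex_assemble_names()` treats the prefix as it evidently does for the other lists; otherwise `+` should be rejected for this option at parse time. The shared label also drops the `%.200s` bound and the option-specific wording from the old HostKeyAlgorithms error, so the message no longer says which of the three directives was malformed. Both the option switch and `fill_default_options()` continue outside the hunks shown.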