1 files changed, 52 insertions, 33 deletions

diff --git a/servconf.c b/servconf.c
index ba0a92c7b..f08e37477 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.363 2020/04/17 03:30:05 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.369 2020/08/28 03:15:52 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -15,6 +15,7 @@
 
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <sys/stat.h>
 #ifdef __OpenBSD__
 #include <sys/sysctl.h>
 #endif
@@ -74,8 +75,8 @@ static void add_listen_addr(ServerOptions *, const char *,
     const char *, int);
 static void add_one_listen_addr(ServerOptions *, const char *,
     const char *, int);
-void parse_server_config_depth(ServerOptions *options, const char *filename,
-    struct sshbuf *conf, struct include_list *includes,
+static void parse_server_config_depth(ServerOptions *options,
+    const char *filename, struct sshbuf *conf, struct include_list *includes,
     struct connection_info *connectinfo, int flags, int *activep, int depth);
 
 /* Use of privilege separation or not */
@@ -140,7 +141,7 @@ initialize_server_options(ServerOptions *options)
         options->challenge_response_authentication = -1;
         options->permit_empty_passwd = -1;
         options->permit_user_env = -1;
-        options->permit_user_env_whitelist = NULL;
+        options->permit_user_env_allowlist = NULL;
         options->compression = -1;
         options->rekey_limit = -1;
         options->rekey_interval = -1;
@@ -212,11 +213,11 @@ assemble_algorithms(ServerOptions *o)
         all_key = sshkey_alg_list(0, 0, 1, ',');
         all_sig = sshkey_alg_list(0, 1, 1, ',');
         /* remove unsupported algos from default lists */
-        def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
-        def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
-        def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
-        def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
-        def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+        def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
+        def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
+        def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
+        def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
+        def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
 #define ASSEMBLE(what, defaults, all) \
         do { \
                 if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
@@ -389,7 +390,7 @@ fill_default_server_options(ServerOptions *options)
                 options->permit_empty_passwd = 0;
         if (options->permit_user_env == -1) {
                 options->permit_user_env = 0;
-                options->permit_user_env_whitelist = NULL;
+                options->permit_user_env_allowlist = NULL;
         }
         if (options->compression == -1)
 #ifdef WITH_ZLIB
@@ -494,15 +495,6 @@ fill_default_server_options(ServerOptions *options)
                 options->auth_methods[0] = NULL;
                 options->num_auth_methods = 0;
         }
-
-#ifndef HAVE_MMAP
-        if (use_privsep && options->compression == 1) {
-                error("This platform does not support both privilege "
-                    "separation and compression");
-                error("Compression disabled");
-                options->compression = 0;
-        }
-#endif
 }
 
 /* Keyword tokens. */
@@ -550,6 +542,7 @@ typedef enum {
 #define SSHCFG_MATCH            0x02    /* allowed inside a Match section */
 #define SSHCFG_ALL              (SSHCFG_GLOBAL|SSHCFG_MATCH)
 #define SSHCFG_NEVERMATCH       0x04  /* Match never matches; internal only */
+#define SSHCFG_MATCH_ONLY       0x08  /* Match only in conditional blocks; internal only */
 
 /* Textual representation of the tokens. */
 static struct {
@@ -1117,6 +1110,9 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
                                     "%.100s' at line %d", ci->host, arg, line);
                 } else if (strcasecmp(attrib, "address") == 0) {
                         if (ci == NULL || (ci->test && ci->address == NULL)) {
+                                if (addr_match_list(NULL, arg) != 0)
+                                        fatal("Invalid Match address argument "
+                                            "'%s' at line %d", arg, line);
                                 result = 0;
                                 continue;
                         }
@@ -1136,6 +1132,10 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
                         }
                 } else if (strcasecmp(attrib, "localaddress") == 0){
                         if (ci == NULL || (ci->test && ci->laddress == NULL)) {
+                                if (addr_match_list(NULL, arg) != 0)
+                                        fatal("Invalid Match localaddress "
+                                            "argument '%s' at line %d", arg,
+                                            line);
                                 result = 0;
                                 continue;
                         }
@@ -1259,7 +1259,7 @@ static const struct multistate multistate_tcpfwd[] = {
 static int
 process_server_config_line_depth(ServerOptions *options, char *line,
     const char *filename, int linenum, int *activep,
-    struct connection_info *connectinfo, int inc_flags, int depth,
+    struct connection_info *connectinfo, int *inc_flags, int depth,
     struct include_list *includes)
 {
         char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
@@ -1525,6 +1525,8 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                                 continue;
                         if (strcasecmp(arg, "touch-required") == 0)
                                 value |= PUBKEYAUTH_TOUCH_REQUIRED;
+                        else if (strcasecmp(arg, "verify-required") == 0)
+                                value |= PUBKEYAUTH_VERIFY_REQUIRED;
                         else {
                                 fatal("%s line %d: unsupported "
                                     "PubkeyAuthOptions option %s",
@@ -1628,7 +1630,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 
         case sPermitUserEnvironment:
                 intptr = &options->permit_user_env;
-                charptr = &options->permit_user_env_whitelist;
+                charptr = &options->permit_user_env_allowlist;
                 arg = strdelim(&cp);
                 if (!arg || *arg == '\0')
                         fatal("%s line %d: missing argument.",
@@ -2002,7 +2004,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                                         parse_server_config_depth(options,
                                             item->filename, item->contents,
                                             includes, connectinfo,
-                                            (oactive ? 0 : SSHCFG_NEVERMATCH),
+                                            (*inc_flags & SSHCFG_MATCH_ONLY
+                                                ? SSHCFG_MATCH_ONLY : (oactive
+                                                    ? 0 : SSHCFG_NEVERMATCH)),
                                             activep, depth + 1);
                                 }
                                 found = 1;
@@ -2050,7 +2054,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                                 parse_server_config_depth(options,
                                     item->filename, item->contents,
                                     includes, connectinfo,
-                                    (oactive ? 0 : SSHCFG_NEVERMATCH),
+                                    (*inc_flags & SSHCFG_MATCH_ONLY
+                                        ? SSHCFG_MATCH_ONLY : (oactive
+                                            ? 0 : SSHCFG_NEVERMATCH)),
                                     activep, depth + 1);
                                 *activep = oactive;
                                 TAILQ_INSERT_TAIL(includes, item, entry);
@@ -2068,11 +2074,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                 if (cmdline)
                         fatal("Match directive not supported as a command-line "
                            "option");
-                value = match_cfg_line(&cp, linenum, connectinfo);
+                value = match_cfg_line(&cp, linenum,
+                    (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
                 if (value < 0)
                         fatal("%s line %d: Bad Match condition", filename,
                             linenum);
-                *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
+                *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
+                /* The MATCH_ONLY is applicable only until the first match block */
+                *inc_flags &= ~SSHCFG_MATCH_ONLY;
                 break;
 
         case sPermitListen:
@@ -2375,8 +2384,10 @@ process_server_config_line(ServerOptions *options, char *line,
     const char *filename, int linenum, int *activep,
     struct connection_info *connectinfo, struct include_list *includes)
 {
+        int inc_flags = 0;
+
         return process_server_config_line_depth(options, line, filename,
-            linenum, activep, connectinfo, 0, 0, includes);
+            linenum, activep, connectinfo, &inc_flags, 0, includes);
 }
 
 
@@ -2385,6 +2396,7 @@ process_server_config_line(ServerOptions *options, char *line,
 void
 load_server_config(const char *filename, struct sshbuf *conf)
 {
+        struct stat st;
         char *line = NULL, *cp;
         size_t linesize = 0;
         FILE *f;
@@ -2396,6 +2408,10 @@ load_server_config(const char *filename, struct sshbuf *conf)
                 exit(1);
         }
         sshbuf_reset(conf);
+        /* grow buffer, so realloc is avoided for large config files */
+        if (fstat(fileno(f), &st) == 0 && st.st_size > 0 &&
+            (r = sshbuf_allocate(conf, st.st_size)) != 0)
+                fatal("%s: allocate failed: %s", __func__, ssh_err(r));
         while (getline(&line, &linesize, f) != -1) {
                 lineno++;
                 /*
@@ -2570,7 +2586,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 #undef M_CP_STRARRAYOPT
 
 #define SERVCONF_MAX_DEPTH      16
-void
+static void
 parse_server_config_depth(ServerOptions *options, const char *filename,
     struct sshbuf *conf, struct include_list *includes,
     struct connection_info *connectinfo, int flags, int *activep, int depth)
@@ -2581,14 +2597,15 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
         if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
                 fatal("Too many recursive configuration includes");
 
-        debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
+        debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
+            (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
 
         if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
                 fatal("%s: sshbuf_dup_string failed", __func__);
         linenum = 1;
         while ((cp = strsep(&cbuf, "\n")) != NULL) {
                 if (process_server_config_line_depth(options, cp,
-                    filename, linenum++, activep, connectinfo, flags,
+                    filename, linenum++, activep, connectinfo, &flags,
                     depth, includes) != 0)
                         bad_options++;
         }
@@ -2596,7 +2613,6 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
         if (bad_options > 0)
                 fatal("%s: terminating, %d bad configuration options",
                     filename, bad_options);
-        process_queued_listen_addrs(options);
 }
 
 void
@@ -2606,7 +2622,8 @@ parse_server_config(ServerOptions *options, const char *filename,
 {
         int active = connectinfo ? 0 : 1;
         parse_server_config_depth(options, filename, conf, includes,
-            connectinfo, 0, &active, 0);
+            connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
+        process_queued_listen_addrs(options);
 }
 
 static const char *
@@ -2908,11 +2925,11 @@ dump_config(ServerOptions *o)
         }
         printf("\n");
 
-        if (o->permit_user_env_whitelist == NULL) {
+        if (o->permit_user_env_allowlist == NULL) {
                 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
         } else {
                 printf("permituserenvironment %s\n",
-                    o->permit_user_env_whitelist);
+                    o->permit_user_env_allowlist);
         }
 
         printf("pubkeyauthoptions");
@@ -2920,5 +2937,7 @@ dump_config(ServerOptions *o)
                 printf(" none");
         if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED)
                 printf(" touch-required");
+        if (o->pubkey_auth_options & PUBKEYAUTH_VERIFY_REQUIRED)
+                printf(" verify-required");
         printf("\n");
 }