From 0ea332497b2b2fc3995f72f6bafe9d664c0195b3 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 5 Sep 2019 09:25:13 +0000 Subject: upstream: only send ext_info for KEX_INITIAL; bz#2929 ok dtucker OpenBSD-Commit-ID: 00f5c6062f6863769f5447c6346f78c05d2e4a63 --- kex.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'kex.c') diff --git a/kex.c b/kex.c index 34808b5c3..ff88dd7e3 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.150 2019/01/21 12:08:13 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.151 2019/09/05 09:25:13 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -409,6 +409,7 @@ kex_send_ext_info(struct ssh *ssh) int r; char *algs; + debug("Sending SSH2_MSG_EXT_INFO"); if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL) return SSH_ERR_ALLOC_FAIL; /* XXX filter algs list by allowed pubkey/hostbased types */ @@ -435,11 +436,11 @@ kex_send_newkeys(struct ssh *ssh) (r = sshpkt_send(ssh)) != 0) return r; debug("SSH2_MSG_NEWKEYS sent"); - debug("expecting SSH2_MSG_NEWKEYS"); ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys); - if (ssh->kex->ext_info_c) + if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0) if ((r = kex_send_ext_info(ssh)) != 0) return r; + debug("expecting SSH2_MSG_NEWKEYS"); return 0; } -- cgit v1.2.3 From 76f09bd95917862101b740afb19f4db5ccc752bf Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 5 Sep 2019 09:35:19 +0000 Subject: upstream: sprinkle in some explicit errors here, otherwise the percolate all the way up to dispatch_run_fatal() and lose all meaninful context to help with bz#3063; ok dtucker@ OpenBSD-Commit-ID: 5b2da83bb1c4a3471444b7910b2120ae36438a0a --- kex.c | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 60 insertions(+), 20 deletions(-) (limited to 'kex.c') diff --git a/kex.c b/kex.c index ff88dd7e3..1eb27264a 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.151 2019/09/05 09:25:13 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.152 2019/09/05 09:35:19 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -345,18 +345,25 @@ kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp) r = SSH_ERR_ALLOC_FAIL; goto out; } - if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) /* skip cookie */ + if ((r = sshbuf_consume(b, KEX_COOKIE_LEN)) != 0) { /* skip cookie */ + error("%s: consume cookie: %s", __func__, ssh_err(r)); goto out; + } /* extract kex init proposal strings */ for (i = 0; i < PROPOSAL_MAX; i++) { - if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) + if ((r = sshbuf_get_cstring(b, &(proposal[i]), NULL)) != 0) { + error("%s: parse proposal %u: %s", __func__, + i, ssh_err(r)); goto out; + } debug2("%s: %s", proposal_names[i], proposal[i]); } /* first kex follows / reserved */ if ((r = sshbuf_get_u8(b, &v)) != 0 || /* first_kex_follows */ - (r = sshbuf_get_u32(b, &i)) != 0) /* reserved */ + (r = sshbuf_get_u32(b, &i)) != 0) { /* reserved */ + error("%s: parse: %s", __func__, ssh_err(r)); goto out; + } if (first_kex_follows != NULL) *first_kex_follows = v; debug2("first_kex_follows %d ", v); @@ -417,8 +424,10 @@ kex_send_ext_info(struct ssh *ssh) (r = sshpkt_put_u32(ssh, 1)) != 0 || (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 || (r = sshpkt_put_cstring(ssh, algs)) != 0 || - (r = sshpkt_send(ssh)) != 0) + (r = sshpkt_send(ssh)) != 0) { + error("%s: compose: %s", __func__, ssh_err(r)); goto out; + } /* success */ r = 0; out: @@ -512,23 +521,32 @@ kex_send_kexinit(struct ssh *ssh) struct kex *kex = ssh->kex; int r; - if (kex == NULL) + if (kex == NULL) { + error("%s: no hex", __func__); return SSH_ERR_INTERNAL_ERROR; + } if (kex->flags & KEX_INIT_SENT) return 0; kex->done = 0; /* generate a random cookie */ - if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) + if (sshbuf_len(kex->my) < KEX_COOKIE_LEN) { + error("%s: bad kex length: %zu < %d", __func__, + sshbuf_len(kex->my), KEX_COOKIE_LEN); return SSH_ERR_INVALID_FORMAT; - if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) + } + if ((cookie = sshbuf_mutable_ptr(kex->my)) == NULL) { + error("%s: buffer error", __func__); return SSH_ERR_INTERNAL_ERROR; + } arc4random_buf(cookie, KEX_COOKIE_LEN); if ((r = sshpkt_start(ssh, SSH2_MSG_KEXINIT)) != 0 || (r = sshpkt_putb(ssh, kex->my)) != 0 || - (r = sshpkt_send(ssh)) != 0) + (r = sshpkt_send(ssh)) != 0) { + error("%s: compose reply: %s", __func__, ssh_err(r)); return r; + } debug("SSH2_MSG_KEXINIT sent"); kex->flags |= KEX_INIT_SENT; return 0; @@ -545,21 +563,28 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) int r; debug("SSH2_MSG_KEXINIT received"); - if (kex == NULL) - return SSH_ERR_INVALID_ARGUMENT; - + if (kex == NULL) { + error("%s: no hex", __func__); + return SSH_ERR_INTERNAL_ERROR; + } ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); ptr = sshpkt_ptr(ssh, &dlen); if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) return r; /* discard packet */ - for (i = 0; i < KEX_COOKIE_LEN; i++) - if ((r = sshpkt_get_u8(ssh, NULL)) != 0) + for (i = 0; i < KEX_COOKIE_LEN; i++) { + if ((r = sshpkt_get_u8(ssh, NULL)) != 0) { + error("%s: discard cookie: %s", __func__, ssh_err(r)); return r; - for (i = 0; i < PROPOSAL_MAX; i++) - if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) + } + } + for (i = 0; i < PROPOSAL_MAX; i++) { + if ((r = sshpkt_get_string(ssh, NULL, NULL)) != 0) { + error("%s: discard proposal: %s", __func__, ssh_err(r)); return r; + } + } /* * XXX RFC4253 sec 7: "each side MAY guess" - currently no supported * KEX method has the server move first, but a server might be using @@ -584,6 +609,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) return (kex->kex[kex->kex_type])(ssh); + error("%s: unknown kex type %u", __func__, kex->kex_type); return SSH_ERR_INTERNAL_ERROR; } @@ -719,6 +745,7 @@ choose_enc(struct sshenc *enc, char *client, char *server) if (name == NULL) return SSH_ERR_NO_CIPHER_ALG_MATCH; if ((enc->cipher = cipher_by_name(name)) == NULL) { + error("%s: unsupported cipher %s", __func__, name); free(name); return SSH_ERR_INTERNAL_ERROR; } @@ -740,6 +767,7 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server) if (name == NULL) return SSH_ERR_NO_MAC_ALG_MATCH; if (mac_setup(mac, name) < 0) { + error("%s: unsupported MAC %s", __func__, name); free(name); return SSH_ERR_INTERNAL_ERROR; } @@ -763,6 +791,7 @@ choose_comp(struct sshcomp *comp, char *client, char *server) } else if (strcmp(name, "none") == 0) { comp->type = COMP_NONE; } else { + error("%s: unsupported compression scheme %s", __func__, name); free(name); return SSH_ERR_INTERNAL_ERROR; } @@ -780,8 +809,10 @@ choose_kex(struct kex *k, char *client, char *server) debug("kex: algorithm: %s", k->name ? k->name : "(no match)"); if (k->name == NULL) return SSH_ERR_NO_KEX_ALG_MATCH; - if ((kexalg = kex_alg_by_name(k->name)) == NULL) + if ((kexalg = kex_alg_by_name(k->name)) == NULL) { + error("%s: unsupported KEX method %s", __func__, k->name); return SSH_ERR_INTERNAL_ERROR; + } k->kex_type = kexalg->type; k->hash_alg = kexalg->hash_alg; k->ec_nid = kexalg->ec_nid; @@ -798,8 +829,11 @@ choose_hostkeyalg(struct kex *k, char *client, char *server) if (k->hostkey_alg == NULL) return SSH_ERR_NO_HOSTKEY_ALG_MATCH; k->hostkey_type = sshkey_type_from_name(k->hostkey_alg); - if (k->hostkey_type == KEY_UNSPEC) + if (k->hostkey_type == KEY_UNSPEC) { + error("%s: unsupported hostkey algorithm %s", __func__, + k->hostkey_alg); return SSH_ERR_INTERNAL_ERROR; + } k->hostkey_nid = sshkey_ecdsa_nid_from_name(k->hostkey_alg); return 0; } @@ -968,6 +1002,7 @@ derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, kex->session_id_len) != 0 || ssh_digest_final(hashctx, digest, mdsz) != 0) { r = SSH_ERR_LIBCRYPTO_ERROR; + error("%s: KEX hash failed", __func__); goto out; } ssh_digest_free(hashctx); @@ -984,6 +1019,7 @@ derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, ssh_digest_update(hashctx, hash, hashlen) != 0 || ssh_digest_update(hashctx, digest, have) != 0 || ssh_digest_final(hashctx, digest + have, mdsz) != 0) { + error("%s: KDF failed", __func__); r = SSH_ERR_LIBCRYPTO_ERROR; goto out; } @@ -1047,8 +1083,10 @@ kex_load_hostkey(struct ssh *ssh, struct sshkey **prvp, struct sshkey **pubp) *pubp = NULL; *prvp = NULL; if (kex->load_host_public_key == NULL || - kex->load_host_private_key == NULL) + kex->load_host_private_key == NULL) { + error("%s: missing hostkey loader", __func__); return SSH_ERR_INVALID_ARGUMENT; + } *pubp = kex->load_host_public_key(kex->hostkey_type, kex->hostkey_nid, ssh); *prvp = kex->load_host_private_key(kex->hostkey_type, @@ -1063,8 +1101,10 @@ kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key) { struct kex *kex = ssh->kex; - if (kex->verify_host_key == NULL) + if (kex->verify_host_key == NULL) { + error("%s: missing hostkey verifier", __func__); return SSH_ERR_INVALID_ARGUMENT; + } if (server_host_key->type != kex->hostkey_type || (kex->hostkey_type == KEY_ECDSA && server_host_key->ecdsa_nid != kex->hostkey_nid)) -- cgit v1.2.3 From 00865c29690003b4523cc09a0e104724b9f911a4 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 6 Sep 2019 01:58:50 +0000 Subject: upstream: better error code for bad arguments; inspired by OpenBSD-Commit-ID: dfc263b6041de7f0ed921a1de0b81ddebfab1e0a --- kex.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'kex.c') diff --git a/kex.c b/kex.c index 1eb27264a..84f8e2aa9 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.152 2019/09/05 09:35:19 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.153 2019/09/06 01:58:50 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -223,7 +223,10 @@ kex_assemble_names(char **listp, const char *def, const char *all) char *list = NULL, *ret = NULL, *matching = NULL, *opatterns = NULL; int r = SSH_ERR_INTERNAL_ERROR; - if (listp == NULL || *listp == NULL || **listp == '\0') { + if (listp == NULL || def == NULL || all == NULL) + return SSH_ERR_INVALID_ARGUMENT; + + if (*listp == NULL || **listp == '\0') { if ((*listp = strdup(def)) == NULL) return SSH_ERR_ALLOC_FAIL; return 0; -- cgit v1.2.3 From 91a2135f32acdd6378476c5bae475a6e7811a6a2 Mon Sep 17 00:00:00 2001 From: "naddy@openbsd.org" Date: Fri, 6 Sep 2019 14:45:34 +0000 Subject: upstream: Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g. HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com ok djm@ dtucker@ OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97 --- kex.c | 15 ++++++++++++--- readconf.c | 14 +++++++++----- servconf.c | 14 +++++++++----- ssh.c | 4 ++-- ssh_config.5 | 28 ++++++++++++++++++++++++++-- sshd_config.5 | 24 ++++++++++++++++++++++-- 6 files changed, 80 insertions(+), 19 deletions(-) (limited to 'kex.c') diff --git a/kex.c b/kex.c index 84f8e2aa9..5a8a03aad 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.153 2019/09/06 01:58:50 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.154 2019/09/06 14:45:34 naddy Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -213,8 +213,9 @@ kex_names_cat(const char *a, const char *b) /* * Assemble a list of algorithms from a default list and a string from a * configuration file. The user-provided string may begin with '+' to - * indicate that it should be appended to the default or '-' that the - * specified names should be removed. + * indicate that it should be appended to the default, '-' that the + * specified names should be removed, or '^' that they should be placed + * at the head. */ int kex_assemble_names(char **listp, const char *def, const char *all) @@ -251,6 +252,14 @@ kex_assemble_names(char **listp, const char *def, const char *all) free(list); /* filtering has already been done */ return 0; + } else if (*list == '^') { + /* Place names at head of default list */ + if ((tmp = kex_names_cat(list + 1, def)) == NULL) { + r = SSH_ERR_ALLOC_FAIL; + goto fail; + } + free(list); + list = tmp; } else { /* Explicit list, overrides default - just use "list" as is */ } diff --git a/readconf.c b/readconf.c index d1b7871ec..f78b4d6fe 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.308 2019/08/09 05:05:54 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.309 2019/09/06 14:45:34 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1199,7 +1199,8 @@ parse_int: arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum); - if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg)) + if (*arg != '-' && + !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.", filename, linenum, arg ? arg : ""); if (*activep && options->ciphers == NULL) @@ -1210,7 +1211,8 @@ parse_int: arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum); - if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg)) + if (*arg != '-' && + !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) fatal("%.200s line %d: Bad SSH2 MAC spec '%s'.", filename, linenum, arg ? arg : ""); if (*activep && options->macs == NULL) @@ -1223,7 +1225,8 @@ parse_int: fatal("%.200s line %d: Missing argument.", filename, linenum); if (*arg != '-' && - !kex_names_valid(*arg == '+' ? arg + 1 : arg)) + !kex_names_valid(*arg == '+' || *arg == '^' ? + arg + 1 : arg)) fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", filename, linenum, arg ? arg : ""); if (*activep && options->kex_algorithms == NULL) @@ -1238,7 +1241,8 @@ parse_keytypes: fatal("%.200s line %d: Missing argument.", filename, linenum); if (*arg != '-' && - !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) + !sshkey_names_valid2(*arg == '+' || *arg == '^' ? + arg + 1 : arg, 1)) fatal("%s line %d: Bad key types '%s'.", filename, linenum, arg ? arg : ""); if (*activep && *charptr == NULL) diff --git a/servconf.c b/servconf.c index 340045b28..e76f9c39e 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.351 2019/04/18 18:56:16 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.352 2019/09/06 14:45:34 naddy Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1444,7 +1444,8 @@ process_server_config_line(ServerOptions *options, char *line, fatal("%s line %d: Missing argument.", filename, linenum); if (*arg != '-' && - !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) + !sshkey_names_valid2(*arg == '+' || *arg == '^' ? + arg + 1 : arg, 1)) fatal("%s line %d: Bad key types '%s'.", filename, linenum, arg ? arg : ""); if (*activep && *charptr == NULL) @@ -1715,7 +1716,8 @@ process_server_config_line(ServerOptions *options, char *line, arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: Missing argument.", filename, linenum); - if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg)) + if (*arg != '-' && + !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) fatal("%s line %d: Bad SSH2 cipher spec '%s'.", filename, linenum, arg ? arg : ""); if (options->ciphers == NULL) @@ -1726,7 +1728,8 @@ process_server_config_line(ServerOptions *options, char *line, arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: Missing argument.", filename, linenum); - if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg)) + if (*arg != '-' && + !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) fatal("%s line %d: Bad SSH2 mac spec '%s'.", filename, linenum, arg ? arg : ""); if (options->macs == NULL) @@ -1739,7 +1742,8 @@ process_server_config_line(ServerOptions *options, char *line, fatal("%s line %d: Missing argument.", filename, linenum); if (*arg != '-' && - !kex_names_valid(*arg == '+' ? arg + 1 : arg)) + !kex_names_valid(*arg == '+' || *arg == '^' ? + arg + 1 : arg)) fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", filename, linenum, arg ? arg : ""); if (options->kex_algorithms == NULL) diff --git a/ssh.c b/ssh.c index 654376981..cb321bcf3 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.505 2019/06/28 13:35:04 deraadt Exp $ */ +/* $OpenBSD: ssh.c,v 1.506 2019/09/06 14:45:34 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -877,7 +877,7 @@ main(int ac, char **av) } break; case 'c': - if (!ciphers_valid(*optarg == '+' ? + if (!ciphers_valid(*optarg == '+' || *optarg == '^' ? optarg + 1 : optarg)) { fprintf(stderr, "Unknown cipher type '%s'\n", optarg); diff --git a/ssh_config.5 b/ssh_config.5 index 14d96beaf..e114b1dfe 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.300 2019/09/04 20:31:15 naddy Exp $ -.Dd $Mdocdate: September 4 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.301 2019/09/06 14:45:34 naddy Exp $ +.Dd $Mdocdate: September 6 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -430,6 +430,10 @@ If the specified list begins with a .Sq - character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified ciphers will be placed at the head of the +default set. .Pp The supported ciphers are: .Bd -literal -offset indent @@ -794,6 +798,10 @@ If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified key types will be placed at the head of the +default set. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, @@ -822,6 +830,10 @@ If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified key types will be placed at the head of the +default set. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, @@ -1051,6 +1063,10 @@ If the specified list begins with a .Sq - character, then the specified methods (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified methods will be placed at the head of the +default set. The default is: .Bd -literal -offset indent curve25519-sha256,curve25519-sha256@libssh.org, @@ -1132,6 +1148,10 @@ If the specified list begins with a .Sq - character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. .Pp The algorithms that contain .Qq -etm @@ -1289,6 +1309,10 @@ If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified key types will be placed at the head of the +default set. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, diff --git a/sshd_config.5 b/sshd_config.5 index f42d10417..9486f2a1c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.289 2019/09/04 20:31:15 naddy Exp $ -.Dd $Mdocdate: September 4 2019 $ +.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $ +.Dd $Mdocdate: September 6 2019 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -462,6 +462,10 @@ If the specified list begins with a .Sq - character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified ciphers will be placed at the head of the +default set. .Pp The supported ciphers are: .Pp @@ -676,6 +680,10 @@ If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified key types will be placed at the head of the +default set. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, @@ -881,6 +889,10 @@ If the specified list begins with a .Sq - character, then the specified methods (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified methods will be placed at the head of the +default set. The supported algorithms are: .Pp .Bl -item -compact -offset indent @@ -998,6 +1010,10 @@ If the specified list begins with a .Sq - character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. .Pp The algorithms that contain .Qq -etm @@ -1403,6 +1419,10 @@ If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified key types will be placed at the head of the +default set. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, -- cgit v1.2.3 From c2cc25480ba36ab48c1a577bebb12493865aad87 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Tue, 8 Oct 2019 22:40:39 +0000 Subject: upstream: Correct type for end-of-list sentinel; fixes initializer warnings on some platforms. ok deraadt. OpenBSD-Commit-ID: a990dbc2dac25bdfa07e79321349c73fd991efa2 --- kex.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'kex.c') diff --git a/kex.c b/kex.c index 5a8a03aad..49d701568 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.154 2019/09/06 14:45:34 naddy Exp $ */ +/* $OpenBSD: kex.c,v 1.155 2019/10/08 22:40:39 dtucker Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -111,7 +111,7 @@ static const struct kexalg kexalgs[] = { { KEX_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP4591761X25519_SHA512, 0, SSH_DIGEST_SHA512 }, #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ - { NULL, -1, -1, -1}, + { NULL, 0, -1, -1}, }; char * -- cgit v1.2.3