From ecac7e1f7add6b28874959a11f2238d149dc2c07 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 20 Sep 2018 03:30:44 +0000 Subject: upstream: add CASignatureAlgorithms option for the client, allowing it to specify which signature algorithms may be used by CAs when signing certificates. Useful if you want to ban RSA/SHA1; ok markus@ OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f --- readconf.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'readconf.c') diff --git a/readconf.c b/readconf.c index db5f2d547..057726d0e 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.297 2018/08/12 20:19:13 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.298 2018/09/20 03:30:44 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -172,7 +172,7 @@ typedef enum { oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, - oPubkeyAcceptedKeyTypes, oProxyJump, + oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; @@ -266,6 +266,7 @@ static struct { { "dynamicforward", oDynamicForward }, { "preferredauthentications", oPreferredAuthentications }, { "hostkeyalgorithms", oHostKeyAlgorithms }, + { "casignaturealgorithms", oCASignatureAlgorithms }, { "bindaddress", oBindAddress }, { "bindinterface", oBindInterface }, { "clearallforwardings", oClearAllForwardings }, @@ -1221,6 +1222,10 @@ parse_keytypes: *charptr = xstrdup(arg); break; + case oCASignatureAlgorithms: + charptr = &options->ca_sign_algorithms; + goto parse_keytypes; + case oLogLevel: log_level_ptr = &options->log_level; arg = strdelim(&s); 
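Review bot: The new `case oCASignatureAlgorithms:` jumps to `parse_keytypes`, whose validation lives above this hunk and is not visible here, so a reader has to go and confirm that a key-type name check also admits the signature-only names (rsa-sha2-256, rsa-sha2-512) that this option exists to select or ban. A one-line comment at the case would save that trip, e.g. `/* same name syntax and parse-time validation as the key-type options; the signature-algorithm default is applied in fill_default_options() */`. If that validator reports errors as "bad key types" (as its label suggests), a user who misspells a signature algorithm will get a message about key types, which is worth a second look. The enclosing option-parsing function begins and ends outside this hunk.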
@@ -1836,6 +1841,7 @@ initialize_options(Options * options) options->macs = NULL; options->kex_algorithms = NULL; options->hostkeyalgorithms = NULL; + options->ca_sign_algorithms = NULL; options->num_identity_files = 0; options->num_certificate_files = 0; options->hostname = NULL; @@ -1924,7 +1930,7 @@ fill_default_options_for_canonicalization(Options *options) void fill_default_options(Options * options) { - char *all_cipher, *all_mac, *all_kex, *all_key; + char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; int r; if (options->forward_agent == -1) @@ -2077,6 +2083,7 @@ fill_default_options(Options * options) all_mac = mac_alg_list(','); all_kex = kex_alg_list(','); all_key = sshkey_alg_list(0, 0, 1, ','); + all_sig = sshkey_alg_list(0, 1, 1, ','); #define ASSEMBLE(what, defaults, all) \ do { \ if ((r = kex_assemble_names(&options->what, \ @@ -2088,11 +2095,13 @@ fill_default_options(Options * options) ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex); ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); + ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); #undef ASSEMBLE free(all_cipher); free(all_mac); free(all_kex); free(all_key); + free(all_sig); #define CLEAR_ON_NONE(v) \ do { \ @@ -2614,6 +2623,7 @@ dump_client_config(Options *o, const char *host) dump_cfg_string(oIgnoreUnknown, o->ignored_unknown); dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX); + dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS); dump_cfg_string(oLocalCommand, o->local_command); dump_cfg_string(oRemoteCommand, o->remote_command); dump_cfg_string(oLogLevel, log_level_name(o->log_level)); -- cgit v1.2.3 From 5eff5b858e717e901e6af6596306a114de9f79f2 Mon Sep 17 00:00:00 2001 
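Review bot: `all_sig = sshkey_alg_list(0, 1, 1, ',')` differs from the `all_key = sshkey_alg_list(0, 0, 1, ',')` on the line above only in its second argument, and nothing at the call site says why, so the next reader is likely to "fix" one to match the other. If that argument is the plain-keys-only flag its position suggests, say so: `/* plain key types plus the signature-only names; certificate types are never CA signature algorithms */`. fill_default_options() starts and ends outside this hunk.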
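Review bot: The commit message presents the option as a way to ban RSA/SHA-1, but `ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig)` makes the effective default whatever `SSH_ALLOWED_CA_SIGALGS` expands to, and that macro is outside this diff; if it still lists `ssh-rsa`, the ban is opt-in and silently absent for every user who does not set the option. A short comment at the ASSEMBLE line stating which way the default leans would make that explicit, e.g. `/* default from SSH_ALLOWED_CA_SIGALGS; users who want ssh-rsa excluded must set CASignatureAlgorithms */` (adjust to what the macro actually contains). The `free(all_sig)` pairs with the new list correctly.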
From: "djm@openbsd.org" Date: Wed, 3 Oct 2018 06:38:35 +0000 Subject: upstream: Allow ssh_config IdentityAgent directive to accept environment variable names as well as explicit paths. ok dtucker@ OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b --- auth-options.c | 17 ++++++++++------- misc.c | 21 ++++++++++++++++++++- misc.h | 3 ++- readconf.c | 15 +++++++++++++-- ssh.c | 24 +++++++++++++++++++++--- ssh_config.5 | 8 ++++++-- 6 files changed, 72 insertions(+), 16 deletions(-) (limited to 'readconf.c') diff --git a/auth-options.c b/auth-options.c index 27c0eb05e..b05d6d6f3 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.83 2018/06/19 02:59:41 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.84 2018/10/03 06:38:35 djm Exp $ */ /* * Copyright (c) 2018 Damien Miller * @@ -469,13 +469,16 @@ sshauthopt_parse(const char *opts, const char **errstrp) errstr = "invalid environment string"; goto fail; } - for (cp = opt; cp < tmp; cp++) { - if (!isalnum((u_char)*cp) && *cp != '_') { - free(opt); - errstr = "invalid environment string"; - goto fail; - } + if ((cp = strdup(opt)) == NULL) + goto alloc_fail; + cp[tmp - opt] = '\0'; /* truncate at '=' */ + if (!valid_env_name(cp)) { + free(cp); + free(opt); + errstr = "invalid environment string"; + goto fail; } + free(cp); /* Append it. */ oarray = ret->env; if ((ret->env = recallocarray(ret->env, ret->nenv, diff --git a/misc.c b/misc.c index ae4d29b84..c4ca12560 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.131 2018/07/27 05:13:02 dtucker Exp $ */ +/* $OpenBSD: misc.c,v 1.132 2018/10/03 06:38:35 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. 
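Review bot: The replacement check tightens authorized_keys `environment=` parsing in a way the commit message (which only mentions IdentityAgent) does not record: the old `for (cp = opt; cp < tmp; cp++)` loop ran zero iterations for an empty name (an `=value` string) and therefore accepted it, whereas `valid_env_name()` returns 0 on `name[0] == '\0'`, so that input is now rejected unless a check above the hunk already handles it. That is the safer direction and deserves a line in the log. Separately, the `strdup()` plus `cp[tmp - opt] = '\0'` pair can be a single `if ((cp = strndup(opt, tmp - opt)) == NULL) goto alloc_fail;`, which removes the index write into the copy. sshauthopt_parse() begins before this hunk and continues past it.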
@@ -1948,6 +1948,25 @@ bad: return 0; } +/* + * Verify that a environment variable name (not including initial '$') is + * valid; consisting of one or more alphanumeric or underscore characters only. + * Returns 1 on valid, 0 otherwise. + */ +int +valid_env_name(const char *name) +{ + const char *cp; + + if (name[0] == '\0') + return 0; + for (cp = name; *cp != '\0'; cp++) { + if (!isalnum((u_char)*cp) && *cp != '_') + return 0; + } + return 1; +} + const char * atoi_err(const char *nptr, int *val) { diff --git a/misc.h b/misc.h index 6be289fd2..31b207a8d 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.74 2018/07/27 05:13:02 dtucker Exp $ */ +/* $OpenBSD: misc.h,v 1.75 2018/10/03 06:38:35 djm Exp $ */ /* * Author: Tatu Ylonen @@ -74,6 +74,7 @@ double monotime_double(void); void lowercase(char *s); int unix_listener(const char *, int, int); int valid_domain(char *, int, const char **); +int valid_env_name(const char *); const char *atoi_err(const char *, int *); int parse_absolute_time(const char *, uint64_t *); void format_absolute_time(uint64_t, char *, size_t); diff --git a/readconf.c b/readconf.c index 057726d0e..d39cfa3c5 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.298 2018/09/20 03:30:44 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.299 2018/10/03 06:38:35 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
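Review bot: `isalnum()` in `valid_env_name()` is locale-dependent, so the "alphanumeric or underscore" contract in the header comment only means ASCII when LC_CTYPE is the C locale; in a single-byte locale high-bit bytes can classify as alphanumeric, and if ssh sets LC_CTYPE from the user's environment elsewhere (as I believe it does) the accepted set varies per user. If the intent is the portable identifier set, spell it out: `if (!((*cp >= 'a' && *cp <= 'z') || (*cp >= 'A' && *cp <= 'Z') || (*cp >= '0' && *cp <= '9') || *cp == '_'))`. The comment should also read `an environment variable name` rather than `a environment`, and could note that a leading digit is accepted (not a shell identifier, but fine for getenv()).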
@@ -1700,7 +1700,18 @@ parse_keytypes: case oIdentityAgent: charptr = &options->identity_agent; - goto parse_string; + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", + filename, linenum); + /* Extra validation if the string represents an env var. */ + if (arg[0] == '$' && !valid_env_name(arg + 1)) { + fatal("%.200s line %d: Invalid environment name %s.", + filename, linenum, arg); + } + if (*activep && *charptr == NULL) + *charptr = xstrdup(arg); + break; case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", diff --git a/ssh.c b/ssh.c index 849fae355..0777c31e4 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.493 2018/09/21 03:11:36 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.494 2018/10/03 06:38:35 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1453,9 +1453,27 @@ main(int ac, char **av) "r", options.user, "u", pw->pw_name, (char *)NULL); - setenv(SSH_AUTHSOCKET_ENV_NAME, cp, 1); - free(cp); free(p); + /* + * If identity_agent represents an environment variable + * then recheck that it is valid (since processing with + * percent_expand() may have changed it) and substitute + * its value. + */ + if (cp[0] == '$') { + if (!valid_env_name(cp + 1)) { + fatal("Invalid IdentityAgent " + "environment variable name %s", cp); + } + if ((p = getenv(cp + 1)) == NULL) + unsetenv(SSH_AUTHSOCKET_ENV_NAME); + else + setenv(SSH_AUTHSOCKET_ENV_NAME, p, 1); + } else { + /* identity_agent specifies a path directly */ + setenv(SSH_AUTHSOCKET_ENV_NAME, cp, 1); + } + free(cp); } } diff --git a/ssh_config.5 b/ssh_config.5 index 27136dbd6..4d5b01d3e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
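Review bot: Three lines after `free(p)`, `p` is reused for the `getenv()` result, so the same variable names a freed heap string and then storage owned by the environment that must never be freed; a separate local keeps the ownership obvious, e.g. `const char *val = getenv(cp + 1);` with `val` used in the setenv() call (main() begins outside this hunk, so the declaration goes with its other locals). The new comment's "since processing with percent_expand() may have changed it" also overstates the case: readconf.c now rejects any non-alphanumeric character after a leading `$`, so a value that started with `$` in the config contains no `%` token and, assuming percent_expand() only rewrites `%` sequences, is unchanged by expansion. The recheck matters only when expansion itself produces a leading `$` (for example a user name beginning with `$`), and the comment would be clearer saying exactly that.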
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.285 2018/09/21 12:46:22 djm Exp $ -.Dd $Mdocdate: September 21 2018 $ +.\" $OpenBSD: ssh_config.5,v 1.286 2018/10/03 06:38:35 djm Exp $ +.Dd $Mdocdate: October 3 2018 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -877,6 +877,10 @@ If the string is specified, the location of the socket will be read from the .Ev SSH_AUTH_SOCK environment variable. +Otherwise if the specified value begins with a +.Sq $ +character, then it will be treated as an environment variable containing +the location of the socket. .Pp Arguments to .Cm IdentityAgent -- cgit v1.2.3 From 2581333d564d8697837729b3d07d45738eaf5a54 Mon Sep 17 00:00:00 2001 From: "naddy@openbsd.org" Date: Fri, 5 Oct 2018 14:26:09 +0000 Subject: upstream: Support using service names for port numbers. * Try to resolve a port specification with getservbyname(3) if a numeric conversion fails. * Make the "Port" option in ssh_config handle its argument as a port rather than a plain integer. ok dtucker@ deraadt@ OpenBSD-Commit-ID: e7f03633133205ab3dfbc67f9df7475fabae660d --- misc.c | 12 ++++++++---- readconf.c | 21 +++++++++++++++------ 2 files changed, 23 insertions(+), 10 deletions(-) (limited to 'readconf.c') diff --git a/misc.c b/misc.c index c4ca12560..bdc06fdb3 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.132 2018/10/03 06:38:35 djm Exp $ */ +/* $OpenBSD: misc.c,v 1.133 2018/10/05 14:26:09 naddy Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -50,6 +50,7 @@ #include #include #include +#include #include #include 
@@ -332,13 +333,16 @@ pwcopy(struct passwd *pw) int a2port(const char *s) { + struct servent *se; long long port; const char *errstr; port = strtonum(s, 0, 65535, &errstr); - if (errstr != NULL) - return -1; - return (int)port; + if (errstr == NULL) + return (int)port; + if ((se = getservbyname(s, "tcp")) != NULL) + return ntohs(se->s_port); + return -1; } int diff --git a/readconf.c b/readconf.c index d39cfa3c5..433811521 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.299 2018/10/03 06:38:35 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.300 2018/10/05 14:26:09 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1158,7 +1158,20 @@ parse_command: return 0; case oPort: - intptr = &options->port; + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", + filename, linenum); + value = a2port(arg); + if (value <= 0) + fatal("%.200s line %d: Bad port '%s'.", + filename, linenum, arg); + if (*activep && options->port == -1) + options->port = value; + break; + + case oConnectionAttempts: + intptr = &options->connection_attempts; parse_int: arg = strdelim(&s); if ((errstr = atoi_err(arg, &value)) != NULL) @@ -1168,10 +1181,6 @@ parse_int: *intptr = value; break; - case oConnectionAttempts: - intptr = &options->connection_attempts; - goto parse_int; - case oCiphers: arg = strdelim(&s); if (!arg || *arg == '\0') -- cgit v1.2.3
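Review bot: Falling back to `getservbyname(s, "tcp")` turns every non-numeric port string handed to a2port() — `Port`, `-p`, and whatever else routes through here (the forward-spec parsing, if it still does) — into a service-database lookup, which on glibc goes through NSS and can be a network round-trip (NIS/LDAP) where before it was a pure local parse; the numeric-but-out-of-range case such as `"70000"` also reaches the lookup now. a2port() has no header comment, and the new contract deserves one: `/* Parse a port number, or a TCP service name resolved through the system services database. Returns the port, or -1 on failure. */`. Returning `ntohs(se->s_port)` immediately is fine even though getservbyname() hands back static storage.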
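Review bot: `if (value <= 0) fatal(...)` changes what `Port` accepts beyond the service-name addition: the old `parse_int` path stored whatever `atoi_err()` parsed, so `Port 0` got through the parser, whereas it is now a fatal configuration error — a sensible tightening, but the commit message mentions only the integer-to-port change. Because `a2port(arg)` runs before the `*activep` test, a misspelt `Port` inside a non-matching `Match` block still costs a services lookup and still aborts, which matches how the other options validate but is worth knowing now that the lookup may touch NSS. Moving the `parse_int` label under `oConnectionAttempts` is fine as long as every other `goto parse_int` (outside this hunk) still sets `intptr` first. process_config_line() begins and ends outside this hunk.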