
(-)a/regress/servcfginclude.sh (-3 / +35 lines)
Lines 146-154 Include Link Here
146
_EOF
146
_EOF
147
147
148
trace "disallow invalid with no argument"
148
trace "disallow invalid with no argument"
149
${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \
149
${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x -T \
150
    -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
150
    -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
151
	fail "sshd allowed Include with no argument"
151
	fail "sshd allowed Include with no argument"
152
152
153
# Ensure the Include before any Match block works as expected (bug #3122)
154
cat > $OBJ/sshd_config.i << _EOF
155
Banner /xx
156
HostKey $OBJ/host.ssh-ed25519
157
Include $OBJ/sshd_config.i.2
158
Match host a
159
	Banner /aaaa
160
_EOF
161
cat > $OBJ/sshd_config.i.2 << _EOF
162
Match host a
163
	Banner /aa
164
_EOF
165
166
trace "Include before match blocks"
167
trial a /aa "included file before match blocks is properly evaluated"
168
169
# Port in included file is correctly interpretted (bug #3169)
170
cat > $OBJ/sshd_config.i << _EOF
171
Include $OBJ/sshd_config.i.2
172
Port 7722
173
_EOF
174
cat > $OBJ/sshd_config.i.2 << _EOF
175
HostKey $OBJ/host.ssh-ed25519
176
_EOF
177
178
trace "Port after included files"
179
${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \
180
    -C "host=x,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out || \
181
	fail "failed to parse Port after included files"
182
_port=`grep -i '^port ' $OBJ/sshd_config.out | awk '{print $2}'`
183
if test "x7722" != "x$_port" ; then
184
	fail "The Port in included file was intertepretted wrongly. Expected 7722, got $_port"
185
fi
186
153
# cleanup
187
# cleanup
154
rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
188
rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
155
- 
156
included file
189
included file
157
--
158
servconf.c | 6 +++---
190
servconf.c | 6 +++---
159
1 file changed, 3 insertions(+), 3 deletions(-)
191
1 file changed, 3 insertions(+), 3 deletions(-)
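Review bot: The new "Include before match blocks" case asserts only the matching host (`trial a /aa ...`), so a regression that applies a Match block from an included file to every connection would still pass. Add a non-matching case next to it, for example `trial x /xx "included Match block does not apply to other hosts"`. This assumes `trial`, which is defined outside this section, takes host, expected Banner and description, as its use here suggests. The Port check's failure message also misspells a word; it should read `fail "The Port in included file was interpreted wrongly. Expected 7722, got $_port"`.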
(-)a/servconf.c (-5 / +3 lines)
Lines 74-80 static void add_listen_addr(ServerOptions *, const char *, Link Here
74
    const char *, int);
74
    const char *, int);
75
static void add_one_listen_addr(ServerOptions *, const char *,
75
static void add_one_listen_addr(ServerOptions *, const char *,
76
    const char *, int);
76
    const char *, int);
77
void parse_server_config_depth(ServerOptions *options, const char *filename,
77
static void parse_server_config_depth(ServerOptions *options, const char *filename,
78
    struct sshbuf *conf, struct include_list *includes,
78
    struct sshbuf *conf, struct include_list *includes,
79
    struct connection_info *connectinfo, int flags, int *activep, int depth);
79
    struct connection_info *connectinfo, int flags, int *activep, int depth);
80
80
Lines 2580-2586 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) Link Here
2580
#undef M_CP_STRARRAYOPT
2580
#undef M_CP_STRARRAYOPT
2581
2581
2582
#define SERVCONF_MAX_DEPTH	16
2582
#define SERVCONF_MAX_DEPTH	16
2583
void
2583
static void
2584
parse_server_config_depth(ServerOptions *options, const char *filename,
2584
parse_server_config_depth(ServerOptions *options, const char *filename,
2585
    struct sshbuf *conf, struct include_list *includes,
2585
    struct sshbuf *conf, struct include_list *includes,
2586
    struct connection_info *connectinfo, int flags, int *activep, int depth)
2586
    struct connection_info *connectinfo, int flags, int *activep, int depth)
Lines 2606-2612 parse_server_config_depth(ServerOptions *options, const char *filename, Link Here
2606
	if (bad_options > 0)
2606
	if (bad_options > 0)
2607
		fatal("%s: terminating, %d bad configuration options",
2607
		fatal("%s: terminating, %d bad configuration options",
2608
		    filename, bad_options);
2608
		    filename, bad_options);
2609
	process_queued_listen_addrs(options);
2610
}
2609
}
2611
2610
2612
void
2611
void
Lines 2617-2622 parse_server_config(ServerOptions *options, const char *filename, Link Here
2617
	int active = connectinfo ? 0 : 1;
2616
	int active = connectinfo ? 0 : 1;
2618
	parse_server_config_depth(options, filename, conf, includes,
2617
	parse_server_config_depth(options, filename, conf, includes,
2619
	    connectinfo, 0, &active, 0);
2618
	    connectinfo, 0, &active, 0);
2619
	process_queued_listen_addrs(options);
2620
}
2620
}
2621
2621
2622
static const char *
2622
static const char *
2623
- 
2624
(#3122)
2623
(#3122)
2625
--
2626
servconf.c | 28 +++++++++++++++++++---------
2624
servconf.c | 28 +++++++++++++++++++---------
2627
1 file changed, 19 insertions(+), 9 deletions(-)
2625
1 file changed, 19 insertions(+), 9 deletions(-)
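Review bot: The relocated `process_queued_listen_addrs(options);` call in parse_server_config() has no comment explaining why it must run once, after the whole include tree has been parsed, rather than at the end of every parse_server_config_depth() call. Judging by the function name and the accompanying Port regression test, the ordering is what lets a `Port` line that follows an `Include` take effect. I would add `/* Process queued listen addresses only after all included files are parsed, so a later Port still applies. */` above the call. The forward declaration that gains `static` now runs past 80 columns; breaking after `static void`, as the definition does, would keep the two consistent. Both function bodies start outside the visible hunks.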
(-)a/servconf.c (-10 / +19 lines)
Lines 554-559 typedef enum { Link Here
554
#define SSHCFG_MATCH		0x02	/* allowed inside a Match section */
554
#define SSHCFG_MATCH		0x02	/* allowed inside a Match section */
555
#define SSHCFG_ALL		(SSHCFG_GLOBAL|SSHCFG_MATCH)
555
#define SSHCFG_ALL		(SSHCFG_GLOBAL|SSHCFG_MATCH)
556
#define SSHCFG_NEVERMATCH	0x04  /* Match never matches; internal only */
556
#define SSHCFG_NEVERMATCH	0x04  /* Match never matches; internal only */
557
#define SSHCFG_MATCH_ONLY	0x08  /* Match only in conditional blocks; internal only */
557
558
558
/* Textual representation of the tokens. */
559
/* Textual representation of the tokens. */
559
static struct {
560
static struct {
Lines 1265-1271 static const struct multistate multistate_tcpfwd[] = { Link Here
1265
static int
1266
static int
1266
process_server_config_line_depth(ServerOptions *options, char *line,
1267
process_server_config_line_depth(ServerOptions *options, char *line,
1267
    const char *filename, int linenum, int *activep,
1268
    const char *filename, int linenum, int *activep,
1268
    struct connection_info *connectinfo, int inc_flags, int depth,
1269
    struct connection_info *connectinfo, int *inc_flags, int depth,
1269
    struct include_list *includes)
1270
    struct include_list *includes)
1270
{
1271
{
1271
	char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
1272
	char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
Lines 2012-2018 process_server_config_line_depth(ServerOptions *options, char *line, Link Here
2012
					parse_server_config_depth(options,
2013
					parse_server_config_depth(options,
2013
					    item->filename, item->contents,
2014
					    item->filename, item->contents,
2014
					    includes, connectinfo,
2015
					    includes, connectinfo,
2015
					    (oactive ? 0 : SSHCFG_NEVERMATCH),
2016
					    (*inc_flags & SSHCFG_MATCH_ONLY
2017
					        ? SSHCFG_MATCH_ONLY : (oactive
2018
					            ? 0 : SSHCFG_NEVERMATCH)),
2016
					    activep, depth + 1);
2019
					    activep, depth + 1);
2017
				}
2020
				}
2018
				found = 1;
2021
				found = 1;
Lines 2060-2066 process_server_config_line_depth(ServerOptions *options, char *line, Link Here
2060
				parse_server_config_depth(options,
2063
				parse_server_config_depth(options,
2061
				    item->filename, item->contents,
2064
				    item->filename, item->contents,
2062
				    includes, connectinfo,
2065
				    includes, connectinfo,
2063
				    (oactive ? 0 : SSHCFG_NEVERMATCH),
2066
				    (*inc_flags & SSHCFG_MATCH_ONLY
2067
				        ? SSHCFG_MATCH_ONLY : (oactive
2068
				            ? 0 : SSHCFG_NEVERMATCH)),
2064
				    activep, depth + 1);
2069
				    activep, depth + 1);
2065
				*activep = oactive;
2070
				*activep = oactive;
2066
				TAILQ_INSERT_TAIL(includes, item, entry);
2071
				TAILQ_INSERT_TAIL(includes, item, entry);
Lines 2078-2088 process_server_config_line_depth(ServerOptions *options, char *line, Link Here
2078
		if (cmdline)
2083
		if (cmdline)
2079
			fatal("Match directive not supported as a command-line "
2084
			fatal("Match directive not supported as a command-line "
2080
			   "option");
2085
			   "option");
2081
		value = match_cfg_line(&cp, linenum, connectinfo);
2086
		value = match_cfg_line(&cp, linenum,
2087
		    (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
2082
		if (value < 0)
2088
		if (value < 0)
2083
			fatal("%s line %d: Bad Match condition", filename,
2089
			fatal("%s line %d: Bad Match condition", filename,
2084
			    linenum);
2090
			    linenum);
2085
		*activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
2091
		*activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
2092
		/* The MATCH_ONLY is applicable only until the first match block */
2093
		*inc_flags &= ~SSHCFG_MATCH_ONLY;
2086
		break;
2094
		break;
2087
2095
2088
	case sPermitListen:
2096
	case sPermitListen:
Lines 2385-2392 process_server_config_line(ServerOptions *options, char *line, Link Here
2385
    const char *filename, int linenum, int *activep,
2393
    const char *filename, int linenum, int *activep,
2386
    struct connection_info *connectinfo, struct include_list *includes)
2394
    struct connection_info *connectinfo, struct include_list *includes)
2387
{
2395
{
2396
	int inc_flags = 0;
2388
	return process_server_config_line_depth(options, line, filename,
2397
	return process_server_config_line_depth(options, line, filename,
2389
	    linenum, activep, connectinfo, 0, 0, includes);
2398
	    linenum, activep, connectinfo, &inc_flags, 0, includes);
2390
}
2399
}
2391
2400
2392
2401
Lines 2591-2604 parse_server_config_depth(ServerOptions *options, const char *filename, Link Here
2591
	if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
2600
	if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
2592
		fatal("Too many recursive configuration includes");
2601
		fatal("Too many recursive configuration includes");
2593
2602
2594
	debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
2603
	debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
2604
	    (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
2595
2605
2596
	if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2606
	if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2597
		fatal("%s: sshbuf_dup_string failed", __func__);
2607
		fatal("%s: sshbuf_dup_string failed", __func__);
2598
	linenum = 1;
2608
	linenum = 1;
2599
	while ((cp = strsep(&cbuf, "\n")) != NULL) {
2609
	while ((cp = strsep(&cbuf, "\n")) != NULL) {
2600
		if (process_server_config_line_depth(options, cp,
2610
		if (process_server_config_line_depth(options, cp,
2601
		    filename, linenum++, activep, connectinfo, flags,
2611
		    filename, linenum++, activep, connectinfo, &flags,
2602
		    depth, includes) != 0)
2612
		    depth, includes) != 0)
2603
			bad_options++;
2613
			bad_options++;
2604
	}
2614
	}
Lines 2615-2621 parse_server_config(ServerOptions *options, const char *filename, Link Here
2615
{
2625
{
2616
	int active = connectinfo ? 0 : 1;
2626
	int active = connectinfo ? 0 : 1;
2617
	parse_server_config_depth(options, filename, conf, includes,
2627
	parse_server_config_depth(options, filename, conf, includes,
2618
	    connectinfo, 0, &active, 0);
2628
	    connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
2619
	process_queued_listen_addrs(options);
2629
	process_queued_listen_addrs(options);
2620
}
2630
}
2621
2631
2622
- 
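Review bot: With SSHCFG_MATCH_ONLY, an Include reached while `oactive` is 0 is no longer parsed under SSHCFG_NEVERMATCH, so a Match block inside the included file can now leave `*activep` set to 1 on return. The uncached include path visibly restores it with `*activep = oactive;`, but the hunk for the cached-include loop ends at `found = 1;`, so please confirm the same restore follows there. Otherwise global lines after the Include in the parent file would be applied under the included file's match. It would also help to extend the comment at the clearing site to `/* MATCH_ONLY applies only until the first Match block of this file; flags is a per-file copy, so the parent's value is unchanged */`, since parse_server_config_depth() passes `&flags` of its by-value parameter. The flag-selection ternary is duplicated in both include paths and reads more safely with the test parenthesized, `((*inc_flags & SSHCFG_MATCH_ONLY) ? SSHCFG_MATCH_ONLY : ...)`.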
