Bugzilla – Attachment 2939 Details for
Bug 2671
make possible to remove default ciphers/kexalgorithms/mac algorithms
[patch]
Support =- syntax for algorithms
bz2671.diff (text/plain), 13.52 KB, created by
Damien Miller
on 2017-02-03 18:00:30 AEDT
Description:
Support =- syntax for algorithms
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2017-02-03 18:00:30 AEDT
Size:
13.52 KB
patch
obsolete
>diff --git a/compat.c b/compat.c
>index 97d040a..b94f8f6 100644
>--- a/compat.c
>+++ b/compat.c
>@@ -35,6 +35,7 @@
> #include "compat.h"
> #include "log.h"
> #include "match.h"
>+#include "kex.h"
>
> int compat13 = 0;
> int compat20 = 0;
>@@ -248,42 +249,14 @@ proto_spec(const char *spec)
> return ret;
> }
>
>-/*
>- * Filters a proposal string, excluding any algorithm matching the 'filter'
>- * pattern list.
>- */
>-static char *
>-filter_proposal(char *proposal, const char *filter)
>-{
>- Buffer b;
>- char *orig_prop, *fix_prop;
>- char *cp, *tmp;
>-
>- buffer_init(&b);
>- tmp = orig_prop = xstrdup(proposal);
>- while ((cp = strsep(&tmp, ",")) != NULL) {
>- if (match_pattern_list(cp, filter, 0) != 1) {
>- if (buffer_len(&b) > 0)
>- buffer_append(&b, ",", 1);
>- buffer_append(&b, cp, strlen(cp));
>- } else
>- debug2("Compat: skipping algorithm \"%s\"", cp);
>- }
>- buffer_append(&b, "\0", 1);
>- fix_prop = xstrdup((char *)buffer_ptr(&b));
>- buffer_free(&b);
>- free(orig_prop);
>-
>- return fix_prop;
>-}
>-
> char *
> compat_cipher_proposal(char *cipher_prop)
> {
> if (!(datafellows & SSH_BUG_BIGENDIANAES))
> return cipher_prop;
> debug2("%s: original cipher proposal: %s", __func__, cipher_prop);
>- cipher_prop = filter_proposal(cipher_prop, "aes*");
>+ if ((cipher_prop = match_filter_list(cipher_prop, "aes*")) == NULL)
>+ fatal("match_filter_list failed");
> debug2("%s: compat cipher proposal: %s", __func__, cipher_prop);
> if (*cipher_prop == '\0')
> fatal("No supported ciphers found");
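Review bot: The new `fatal("match_filter_list failed")` in compat_cipher_proposal drops the `__func__` prefix that the surrounding `debug2()` calls use, so the fatal line will not say which proposal filter failed; `fatal("%s: match_filter_list failed", __func__);` keeps the file's convention. The same message is used in the compat_pkalg_proposal and compat_kex_proposal hunks on the next line. After the assignment, cipher_prop is either the caller's own pointer (when SSH_BUG_BIGENDIANAES is clear) or a fresh heap buffer from match_filter_list, and a caller cannot tell which it got; a short header comment such as `/* Returns cipher_prop itself or a newly allocated filtered copy */` would make the ownership explicit — whether callers ever free the result is not visible here. The body of compat_cipher_proposal continues past the end of the hunk.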
>@@ -296,7 +269,8 @@ compat_pkalg_proposal(char *pkalg_prop)
> if (!(datafellows & SSH_BUG_RSASIGMD5))
> return pkalg_prop;
> debug2("%s: original public key proposal: %s", __func__, pkalg_prop);
>- pkalg_prop = filter_proposal(pkalg_prop, "ssh-rsa");
>+ if ((pkalg_prop = match_filter_list(pkalg_prop, "ssh-rsa")) == NULL)
>+ fatal("match_filter_list failed");
> debug2("%s: compat public key proposal: %s", __func__, pkalg_prop);
> if (*pkalg_prop == '\0')
> fatal("No supported PK algorithms found");
>@@ -310,10 +284,14 @@ compat_kex_proposal(char *p)
> return p;
> debug2("%s: original KEX proposal: %s", __func__, p);
> if ((datafellows & SSH_BUG_CURVE25519PAD) != 0)
>- p = filter_proposal(p, "curve25519-sha256@libssh.org");
>+ if ((p = match_filter_list(p,
>+ "curve25519-sha256@libssh.org")) == NULL)
>+ fatal("match_filter_list failed");
> if ((datafellows & SSH_OLD_DHGEX) != 0) {
>- p = filter_proposal(p, "diffie-hellman-group-exchange-sha256");
>- p = filter_proposal(p, "diffie-hellman-group-exchange-sha1");
>+ if ((p = match_filter_list(p,
>+ "diffie-hellman-group-exchange-sha256,"
>+ "diffie-hellman-group-exchange-sha1")) == NULL)
>+ fatal("match_filter_list failed");
> }
> debug2("%s: compat KEX proposal: %s", __func__, p);
> if (*p == '\0')
>diff --git a/kex.c b/kex.c
>index 4147b23..5d0016d 100644
>--- a/kex.c
>+++ b/kex.c
>@@ -191,7 +191,8 @@ kex_names_cat(const char *a, const char *b)
> /*
> * Assemble a list of algorithms from a default list and a string from a
> * configuration file. The user-provided string may begin with '+' to
>- * indicate that it should be appended to the default.
>+ * indicate that it should be appended to the default or '-' that the
>+ * specified names should be removed.
> */
> int
> kex_assemble_names(const char *def, char **list)
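Review bot: In the compat_kex_proposal hunk the outer `if ((datafellows & SSH_BUG_CURVE25519PAD) != 0)` now carries a three-line unbraced nested `if ... fatal(...)` as its body, which reads as a dangling-if and is easy to break the first time someone adds an `else`; brace the outer body the way the SSH_OLD_DHGEX branch below already does. When both flags are set, the buffer returned by the first match_filter_list call is overwritten by the second and never freed — the old double filter_proposal call had the same shape, but the new helper returns a fresh malloc'd string, so freeing the intermediate when it is not the caller's original `p` would close the leak, provided callers do not depend on getting the same pointer back (not visible here). The tail of compat_kex_proposal, including its return, lies outside the hunk.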
>@@ -202,14 +203,18 @@ kex_assemble_names(const char *def, char **list)
> *list = strdup(def);
> return 0;
> }
>- if (**list != '+') {
>- return 0;
>+ if (**list == '+') {
>+ if ((ret = kex_names_cat(def, *list + 1)) == NULL)
>+ return SSH_ERR_ALLOC_FAIL;
>+ free(*list);
>+ *list = ret;
>+ } else if (**list == '-') {
>+ if ((ret = match_filter_list(def, *list + 1)) == NULL)
>+ return SSH_ERR_ALLOC_FAIL;
>+ free(*list);
>+ *list = ret;
> }
>
>- if ((ret = kex_names_cat(def, *list + 1)) == NULL)
>- return SSH_ERR_ALLOC_FAIL;
>- free(*list);
>- *list = ret;
> return 0;
> }
>
>diff --git a/match.c b/match.c
>index 8fd1c9b..73d9342 100644
>--- a/match.c
>+++ b/match.c
>@@ -282,3 +282,32 @@ match_list(const char *client, const char *server, u_int *next)
> free(s);
> return NULL;
> }
>+
>+/*
>+ * Filters a comma-separated list of strings, excluding any entry matching
>+ * the 'filter' pattern list. Caller must free returned string.
>+ */
>+char *
>+match_filter_list(const char *proposal, const char *filter)
>+{
>+ size_t len = strlen(proposal) + 1;
>+ char *fix_prop = malloc(len);
>+ char *orig_prop = strdup(proposal);
>+ char *cp, *tmp;
>+
>+ if (fix_prop == NULL || orig_prop == NULL)
>+ return NULL;
>+
>+ tmp = orig_prop;
>+ *fix_prop = '\0';
>+ while ((cp = strsep(&tmp, ",")) != NULL) {
>+ if (match_pattern_list(cp, filter, 0) != 1) {
>+ if (*fix_prop != '\0')
>+ strlcat(fix_prop, ",", len);
>+ strlcat(fix_prop, cp, len);
>+ }
>+ }
>+ free(orig_prop);
>+ return fix_prop;
>+}
>+
>diff --git a/match.h b/match.h
>index db97ca8..34f21f0 100644
>--- a/match.h
>+++ b/match.h
>@@ -20,6 +20,7 @@ int match_hostname(const char *, const char *);
> int match_host_and_ip(const char *, const char *, const char *);
> int match_user(const char *, const char *, const char *, const char *);
> char *match_list(const char *, const char *, u_int *);
>+char *match_filter_list(const char *, const char *);
>
> /* addrmatch.c */
> int addr_match_list(const char *, const char *);
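Review bot: The new `-` branch of kex_assemble_names accepts whatever match_filter_list returns, including an empty string when the pattern strips every default (a `-*` value does this), and returns 0 with `*list` pointing at ""; since readconf.c and servconf.c in this patch no longer validate a `-` argument, nothing visible here rejects the empty list before it is used in key exchange. Adding `if (**list == '\0') return SSH_ERR_INVALID_ARGUMENT;` after `*list = ret;` in that branch would fail configuration loading with a clear error instead. Neither the `+` nor the `-` branch checks the names after the prefix, so a misspelt entry after `-` silently removes nothing; that is worth stating in the function's header comment. The opening of kex_assemble_names, where `ret` is declared, lies above the hunk.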
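Review bot: match_filter_list leaks on partial allocation failure: when `malloc(len)` succeeds but `strdup(proposal)` fails (or the reverse), the combined `return NULL` drops the buffer that was allocated. Because `free(NULL)` is a no-op the check can simply become `if (fix_prop == NULL || orig_prop == NULL) { free(fix_prop); free(orig_prop); return NULL; }`. The `len` sizing is sound only because the filtered output is always a subsequence of `proposal`, which is what makes the unchecked `strlcat` calls safe; record that on the `malloc(len)` line, e.g. `/* output never exceeds the input, so strlen(proposal) + 1 suffices */`.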
>diff --git a/readconf.c b/readconf.c
>index bccd0f3..298988f 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -1179,7 +1179,7 @@ parse_int:
> arg = strdelim(&s);
> if (!arg || *arg == '\0')
> fatal("%.200s line %d: Missing argument.", filename, linenum);
>- if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
>+ if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
> fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (*activep && options->ciphers == NULL)
>@@ -1190,7 +1190,7 @@ parse_int:
> arg = strdelim(&s);
> if (!arg || *arg == '\0')
> fatal("%.200s line %d: Missing argument.", filename, linenum);
>- if (!mac_valid(*arg == '+' ? arg + 1 : arg))
>+ if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
> fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (*activep && options->macs == NULL)
>@@ -1202,7 +1202,8 @@ parse_int:
> if (!arg || *arg == '\0')
> fatal("%.200s line %d: Missing argument.",
> filename, linenum);
>- if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
>+ if (*arg != '-' &&
>+ !kex_names_valid(*arg == '+' ? arg + 1 : arg))
> fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (*activep && options->kex_algorithms == NULL)
>@@ -1216,7 +1217,8 @@ parse_keytypes:
> if (!arg || *arg == '\0')
> fatal("%.200s line %d: Missing argument.",
> filename, linenum);
>- if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
>+ if (*arg != '-' &&
>+ !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
> fatal("%s line %d: Bad key types '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (*activep && *charptr == NULL)
>diff --git a/servconf.c b/servconf.c
>index 6412de7..d68700c 100644
>--- a/servconf.c
>+++ b/servconf.c
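Review bot: The `*arg != '-' &&` guard makes the removal form bypass ciphers_valid, mac_valid, kex_names_valid and sshkey_names_valid2 entirely in all four readconf.c hunks, and the servconf.c hunks on the following line do the same, so a misspelt name after `-` is accepted at parse time and silently removes nothing, while a pattern such as `-*` passes even though it leaves the list empty. The `+` form still has its names checked, and the asymmetry is not explained anywhere in the hunk; a comment such as `/* '-' takes match patterns rather than names, so it cannot be validated here */` would at least tell the next reader it is deliberate. If the assembled list is meant to be checked later, that check is not part of this patch, so the parse-time gap should be closed either here or in kex_assemble_names. These hunks sit inside a larger option-parsing switch whose boundaries are outside the diff.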
>@@ -1116,7 +1116,8 @@ process_server_config_line(ServerOptions *options, char *line,
> if (!arg || *arg == '\0')
> fatal("%s line %d: Missing argument.",
> filename, linenum);
>- if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
>+ if (*arg != '-' &&
>+ !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
> fatal("%s line %d: Bad key types '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (*activep && *charptr == NULL)
>@@ -1375,7 +1376,7 @@ process_server_config_line(ServerOptions *options, char *line,
> arg = strdelim(&cp);
> if (!arg || *arg == '\0')
> fatal("%s line %d: Missing argument.", filename, linenum);
>- if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
>+ if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
> fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (options->ciphers == NULL)
>@@ -1386,7 +1387,7 @@ process_server_config_line(ServerOptions *options, char *line,
> arg = strdelim(&cp);
> if (!arg || *arg == '\0')
> fatal("%s line %d: Missing argument.", filename, linenum);
>- if (!mac_valid(*arg == '+' ? arg + 1 : arg))
>+ if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
> fatal("%s line %d: Bad SSH2 mac spec '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (options->macs == NULL)
>@@ -1398,7 +1399,8 @@ process_server_config_line(ServerOptions *options, char *line,
> if (!arg || *arg == '\0')
> fatal("%s line %d: Missing argument.",
> filename, linenum);
>- if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
>+ if (*arg != '-' &&
>+ !kex_names_valid(*arg == '+' ? arg + 1 : arg))
> fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
> filename, linenum, arg ? arg : "<NONE>");
> if (options->kex_algorithms == NULL)
>diff --git a/ssh_config.5 b/ssh_config.5
>index 591365f..57f6003 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
>@@ -415,6 +415,10 @@ If the specified value begins with a
> .Sq +
> character, then the specified ciphers will be appended to the default set
> instead of replacing them.
>+If the specified value begins with a
>+.Sq -
>+character, then the specified ciphers (including wildcards) will be removed
>+from the default set instead of replacing them.
> .Pp
> The supported ciphers are:
> .Bd -literal -offset indent
>@@ -784,6 +788,10 @@ Alternately if the specified value begins with a
> .Sq +
> character, then the specified key types will be appended to the default set
> instead of replacing them.
>+If the specified value begins with a
>+.Sq -
>+character, then the specified key types (including wildcards) will be removed
>+from the default set instead of replacing them.
> The default for this option is:
> .Bd -literal -offset 3n
> ecdsa-sha2-nistp256-cert-v01@openssh.com,
>@@ -807,6 +815,10 @@ Alternately if the specified value begins with a
> .Sq +
> character, then the specified key types will be appended to the default set
> instead of replacing them.
>+If the specified value begins with a
>+.Sq -
>+character, then the specified key types (including wildcards) will be removed
>+from the default set instead of replacing them.
> The default for this option is:
> .Bd -literal -offset 3n
> ecdsa-sha2-nistp256-cert-v01@openssh.com,
>@@ -1027,6 +1039,10 @@ Alternately if the specified value begins with a
> .Sq +
> character, then the specified methods will be appended to the default set
> instead of replacing them.
>+If the specified value begins with a
>+.Sq -
>+character, then the specified methods (including wildcards) will be removed
>+from the default set instead of replacing them.
> The default is:
> .Bd -literal -offset indent
> curve25519-sha256,curve25519-sha256@libssh.org,
>@@ -1102,6 +1118,10 @@ If the specified value begins with a
> .Sq +
> character, then the specified algorithms will be appended to the default set
> instead of replacing them.
>+If the specified value begins with a
>+.Sq -
>+character, then the specified algorithms (including wildcards) will be removed
>+from the default set instead of replacing them.
> .Pp
> The algorithms that contain
> .Qq -etm
>@@ -1264,6 +1284,10 @@ Alternately if the specified value begins with a
> .Sq +
> character, then the key types after it will be appended to the default
> instead of replacing it.
>+If the specified value begins with a
>+.Sq -
>+character, then the specified key types (including wildcards) will be removed
>+from the default set instead of replacing them.
> The default for this option is:
> .Bd -literal -offset 3n
> ecdsa-sha2-nistp256-cert-v01@openssh.com,
>diff --git a/sshd_config.5 b/sshd_config.5
>index 620dfd0..39b8044 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -438,6 +438,10 @@ If the specified value begins with a
> .Sq +
> character, then the specified ciphers will be appended to the default set
> instead of replacing them.
>+If the specified value begins with a
>+.Sq -
>+character, then the specified ciphers (including wildcards) will be removed
>+from the default set instead of replacing them.
> .Pp
> The supported ciphers are:
> .Pp
>@@ -650,6 +654,10 @@ Alternately if the specified value begins with a
> .Sq +
> character, then the specified key types will be appended to the default set
> instead of replacing them.
>+If the specified value begins with a
>+.Sq -
>+character, then the specified key types (including wildcards) will be removed
>+from the default set instead of replacing them.
> The default for this option is:
> .Bd -literal -offset 3n
> ecdsa-sha2-nistp256-cert-v01@openssh.com,
>@@ -844,6 +852,10 @@ Alternately if the specified value begins with a
> .Sq +
> character, then the specified methods will be appended to the default set
> instead of replacing them.
>+If the specified value begins with a
>+.Sq -
>+character, then the specified methods (including wildcards) will be removed
>+from the default set instead of replacing them.
> The supported algorithms are:
> .Pp
> .Bl -item -compact -offset indent
>@@ -934,6 +946,10 @@ If the specified value begins with a
> .Sq +
> character, then the specified algorithms will be appended to the default set
> instead of replacing them.
>+If the specified value begins with a
>+.Sq -
>+character, then the specified algorithms (including wildcards) will be removed
>+from the default set instead of replacing them.
> .Pp
> The algorithms that contain
> .Qq -etm
>@@ -1281,6 +1297,10 @@ Alternately if the specified value begins with a
> .Sq +
> character, then the specified key types will be appended to the default set
> instead of replacing them.
>+If the specified value begins with a
>+.Sq -
>+character, then the specified key types (including wildcards) will be removed
>+from the default set instead of replacing them.
> The default for this option is:
> .Bd -literal -offset 3n
> ecdsa-sha2-nistp256-cert-v01@openssh.com,