upstream: allow CanonicalizePermittedCNAMEs=none in ssh_config; ok

markus@

OpenBSD-Commit-ID: 668a82ba8e56d731b26ffc5703213bfe071df623
This commit is contained in:
djm@openbsd.org 2021-09-15 06:56:01 +00:00 committed by Damien Miller
parent d0fffc88c8
commit a4bee1934b
4 changed files with 60 additions and 17 deletions

View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.c,v 1.361 2021/07/23 04:04:52 djm Exp $ */ /* $OpenBSD: readconf.c,v 1.362 2021/09/15 06:56:01 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -2011,11 +2011,23 @@ parse_pubkey_algos:
case oCanonicalizePermittedCNAMEs: case oCanonicalizePermittedCNAMEs:
value = options->num_permitted_cnames != 0; value = options->num_permitted_cnames != 0;
i = 0;
while ((arg = argv_next(&ac, &av)) != NULL) { while ((arg = argv_next(&ac, &av)) != NULL) {
/* Either '*' for everything or 'list:list' */ /*
if (strcmp(arg, "*") == 0) * Either 'none' (only in first position), '*' for
* everything or 'list:list'
*/
if (strcasecmp(arg, "none") == 0) {
if (i > 0 || ac > 0) {
error("%s line %d: keyword %s \"none\" "
"argument must appear alone.",
filename, linenum, keyword);
goto out;
}
arg2 = "";
} else if (strcmp(arg, "*") == 0) {
arg2 = arg; arg2 = arg;
else { } else {
lowercase(arg); lowercase(arg);
if ((arg2 = strchr(arg, ':')) == NULL || if ((arg2 = strchr(arg, ':')) == NULL ||
arg2[1] == '\0') { arg2[1] == '\0') {
@ -2027,6 +2039,7 @@ parse_pubkey_algos:
*arg2 = '\0'; *arg2 = '\0';
arg2++; arg2++;
} }
i++;
if (!*activep || value) if (!*activep || value)
continue; continue;
if (options->num_permitted_cnames >= if (options->num_permitted_cnames >=
@ -2280,6 +2293,20 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0; return o == NULL || strcasecmp(o, "none") == 0;
} }
/*
* Returns 1 if CanonicalizePermittedCNAMEs have been specified, 0 otherwise.
* Allowed to be called on non-final configuration.
*/
int
config_has_permitted_cnames(Options *options)
{
if (options->num_permitted_cnames == 1 &&
strcasecmp(options->permitted_cnames[0].source_list, "none") == 0 &&
strcmp(options->permitted_cnames[0].target_list, "") == 0)
return 0;
return options->num_permitted_cnames > 0;
}
/* /*
* Initializes options to special values that indicate that they have not yet * Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options * been set. Read_config_file will only set options with this value. Options
@ -2648,6 +2675,15 @@ fill_default_options(Options * options)
free(options->jump_host); free(options->jump_host);
options->jump_host = NULL; options->jump_host = NULL;
} }
if (options->num_permitted_cnames == 1 &&
!config_has_permitted_cnames(options)) {
/* clean up CanonicalizePermittedCNAMEs=none */
free(options->permitted_cnames[0].source_list);
free(options->permitted_cnames[0].target_list);
memset(options->permitted_cnames, '\0',
sizeof(*options->permitted_cnames));
options->num_permitted_cnames = 0;
}
/* options->identity_agent distinguishes NULL from 'none' */ /* options->identity_agent distinguishes NULL from 'none' */
/* options->user will be set in the main program if appropriate */ /* options->user will be set in the main program if appropriate */
/* options->hostname will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */
@ -3363,14 +3399,14 @@ dump_client_config(Options *o, const char *host)
printf("\n"); printf("\n");
/* oCanonicalizePermittedCNAMEs */ /* oCanonicalizePermittedCNAMEs */
if ( o->num_permitted_cnames > 0) {
printf("canonicalizePermittedcnames"); printf("canonicalizePermittedcnames");
if (o->num_permitted_cnames == 0)
printf("none");
for (i = 0; i < o->num_permitted_cnames; i++) { for (i = 0; i < o->num_permitted_cnames; i++) {
printf(" %s:%s", o->permitted_cnames[i].source_list, printf(" %s:%s", o->permitted_cnames[i].source_list,
o->permitted_cnames[i].target_list); o->permitted_cnames[i].target_list);
} }
printf("\n"); printf("\n");
}
/* oControlPersist */ /* oControlPersist */
if (o->control_persist == 0 || o->control_persist_timeout == 0) if (o->control_persist == 0 || o->control_persist_timeout == 0)

View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.h,v 1.144 2021/07/23 04:04:52 djm Exp $ */ /* $OpenBSD: readconf.h,v 1.145 2021/09/15 06:56:01 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -228,6 +228,7 @@ int parse_jump(const char *, Options *, int);
int parse_ssh_uri(const char *, char **, char **, int *); int parse_ssh_uri(const char *, char **, char **, int *);
int default_ssh_port(void); int default_ssh_port(void);
int option_clear_or_none(const char *); int option_clear_or_none(const char *);
int config_has_permitted_cnames(Options *);
void dump_client_config(Options *o, const char *host); void dump_client_config(Options *o, const char *host);
void add_local_forward(Options *, const struct Forward *); void add_local_forward(Options *, const struct Forward *);

7
ssh.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.567 2021/09/10 10:26:02 dtucker Exp $ */ /* $OpenBSD: ssh.c,v 1.568 2021/09/15 06:56:01 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -259,6 +259,7 @@ resolve_host(const char *name, int port, int logerr, char *cname, size_t clen)
port = default_ssh_port(); port = default_ssh_port();
if (cname != NULL) if (cname != NULL)
*cname = '\0'; *cname = '\0';
debug3_f("lookup %s:%d", name, port);
snprintf(strport, sizeof strport, "%d", port); snprintf(strport, sizeof strport, "%d", port);
memset(&hints, 0, sizeof(hints)); memset(&hints, 0, sizeof(hints));
@ -382,7 +383,7 @@ check_follow_cname(int direct, char **namep, const char *cname)
int i; int i;
struct allowed_cname *rule; struct allowed_cname *rule;
if (*cname == '\0' || options.num_permitted_cnames == 0 || if (*cname == '\0' || !config_has_permitted_cnames(&options) ||
strcmp(*namep, cname) == 0) strcmp(*namep, cname) == 0)
return 0; return 0;
if (options.canonicalize_hostname == SSH_CANONICALISE_NO) if (options.canonicalize_hostname == SSH_CANONICALISE_NO)
@ -1186,7 +1187,7 @@ main(int ac, char **av)
*/ */
direct = option_clear_or_none(options.proxy_command) && direct = option_clear_or_none(options.proxy_command) &&
options.jump_host == NULL; options.jump_host == NULL;
if (addrs == NULL && options.num_permitted_cnames != 0 && (direct || if (addrs == NULL && config_has_permitted_cnames(&options) && (direct ||
options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) { options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) {
if ((addrs = resolve_host(host, options.port, if ((addrs = resolve_host(host, options.port,
direct, cname, sizeof(cname))) == NULL) { direct, cname, sizeof(cname))) == NULL) {

View File

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: ssh_config.5,v 1.364 2021/09/03 07:43:23 dtucker Exp $ .\" $OpenBSD: ssh_config.5,v 1.365 2021/09/15 06:56:01 djm Exp $
.Dd $Mdocdate: September 3 2021 $ .Dd $Mdocdate: September 15 2021 $
.Dt SSH_CONFIG 5 .Dt SSH_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -372,6 +372,11 @@ to be canonicalized to names in the
or or
.Qq *.c.example.com .Qq *.c.example.com
domains. domains.
.Pp
A single argument of
.Qq none
causes no CNAMEs to be considered for canonicalization.
This is the default behaviour.
.It Cm CASignatureAlgorithms .It Cm CASignatureAlgorithms
Specifies which algorithms are allowed for signing of certificates Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs). by certificate authorities (CAs).