upstream: allow CanonicalizePermittedCNAMEs=none in ssh_config; ok
markus@ OpenBSD-Commit-ID: 668a82ba8e56d731b26ffc5703213bfe071df623
parent
d0fffc88c8
commit
a4bee1934b
58
readconf.c
58
readconf.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: readconf.c,v 1.361 2021/07/23 04:04:52 djm Exp $ */
|
/* $OpenBSD: readconf.c,v 1.362 2021/09/15 06:56:01 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@ -2011,11 +2011,23 @@ parse_pubkey_algos:
|
||||||
|
|
||||||
case oCanonicalizePermittedCNAMEs:
|
case oCanonicalizePermittedCNAMEs:
|
||||||
value = options->num_permitted_cnames != 0;
|
value = options->num_permitted_cnames != 0;
|
||||||
|
i = 0;
|
||||||
while ((arg = argv_next(&ac, &av)) != NULL) {
|
while ((arg = argv_next(&ac, &av)) != NULL) {
|
||||||
/* Either '*' for everything or 'list:list' */
|
/*
|
||||||
if (strcmp(arg, "*") == 0)
|
* Either 'none' (only in first position), '*' for
|
||||||
|
* everything or 'list:list'
|
||||||
|
*/
|
||||||
|
if (strcasecmp(arg, "none") == 0) {
|
||||||
|
if (i > 0 || ac > 0) {
|
||||||
|
error("%s line %d: keyword %s \"none\" "
|
||||||
|
"argument must appear alone.",
|
||||||
|
filename, linenum, keyword);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
arg2 = "";
|
||||||
|
} else if (strcmp(arg, "*") == 0) {
|
||||||
arg2 = arg;
|
arg2 = arg;
|
||||||
else {
|
} else {
|
||||||
lowercase(arg);
|
lowercase(arg);
|
||||||
if ((arg2 = strchr(arg, ':')) == NULL ||
|
if ((arg2 = strchr(arg, ':')) == NULL ||
|
||||||
arg2[1] == '\0') {
|
arg2[1] == '\0') {
|
||||||
|
@ -2027,6 +2039,7 @@ parse_pubkey_algos:
|
||||||
*arg2 = '\0';
|
*arg2 = '\0';
|
||||||
arg2++;
|
arg2++;
|
||||||
}
|
}
|
||||||
|
i++;
|
||||||
if (!*activep || value)
|
if (!*activep || value)
|
||||||
continue;
|
continue;
|
||||||
if (options->num_permitted_cnames >=
|
if (options->num_permitted_cnames >=
|
||||||
|
@ -2280,6 +2293,20 @@ option_clear_or_none(const char *o)
|
||||||
return o == NULL || strcasecmp(o, "none") == 0;
|
return o == NULL || strcasecmp(o, "none") == 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Returns 1 if CanonicalizePermittedCNAMEs have been specified, 0 otherwise.
|
||||||
|
* Allowed to be called on non-final configuration.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
config_has_permitted_cnames(Options *options)
|
||||||
|
{
|
||||||
|
if (options->num_permitted_cnames == 1 &&
|
||||||
|
strcasecmp(options->permitted_cnames[0].source_list, "none") == 0 &&
|
||||||
|
strcmp(options->permitted_cnames[0].target_list, "") == 0)
|
||||||
|
return 0;
|
||||||
|
return options->num_permitted_cnames > 0;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Initializes options to special values that indicate that they have not yet
|
* Initializes options to special values that indicate that they have not yet
|
||||||
* been set. Read_config_file will only set options with this value. Options
|
* been set. Read_config_file will only set options with this value. Options
|
||||||
|
@ -2648,6 +2675,15 @@ fill_default_options(Options * options)
|
||||||
free(options->jump_host);
|
free(options->jump_host);
|
||||||
options->jump_host = NULL;
|
options->jump_host = NULL;
|
||||||
}
|
}
|
||||||
|
if (options->num_permitted_cnames == 1 &&
|
||||||
|
!config_has_permitted_cnames(options)) {
|
||||||
|
/* clean up CanonicalizePermittedCNAMEs=none */
|
||||||
|
free(options->permitted_cnames[0].source_list);
|
||||||
|
free(options->permitted_cnames[0].target_list);
|
||||||
|
memset(options->permitted_cnames, '\0',
|
||||||
|
sizeof(*options->permitted_cnames));
|
||||||
|
options->num_permitted_cnames = 0;
|
||||||
|
}
|
||||||
/* options->identity_agent distinguishes NULL from 'none' */
|
/* options->identity_agent distinguishes NULL from 'none' */
|
||||||
/* options->user will be set in the main program if appropriate */
|
/* options->user will be set in the main program if appropriate */
|
||||||
/* options->hostname will be set in the main program if appropriate */
|
/* options->hostname will be set in the main program if appropriate */
|
||||||
|
@ -3363,14 +3399,14 @@ dump_client_config(Options *o, const char *host)
|
||||||
printf("\n");
|
printf("\n");
|
||||||
|
|
||||||
/* oCanonicalizePermittedCNAMEs */
|
/* oCanonicalizePermittedCNAMEs */
|
||||||
if ( o->num_permitted_cnames > 0) {
|
printf("canonicalizePermittedcnames");
|
||||||
printf("canonicalizePermittedcnames");
|
if (o->num_permitted_cnames == 0)
|
||||||
for (i = 0; i < o->num_permitted_cnames; i++) {
|
printf("none");
|
||||||
printf(" %s:%s", o->permitted_cnames[i].source_list,
|
for (i = 0; i < o->num_permitted_cnames; i++) {
|
||||||
o->permitted_cnames[i].target_list);
|
printf(" %s:%s", o->permitted_cnames[i].source_list,
|
||||||
}
|
o->permitted_cnames[i].target_list);
|
||||||
printf("\n");
|
|
||||||
}
|
}
|
||||||
|
printf("\n");
|
||||||
|
|
||||||
/* oControlPersist */
|
/* oControlPersist */
|
||||||
if (o->control_persist == 0 || o->control_persist_timeout == 0)
|
if (o->control_persist == 0 || o->control_persist_timeout == 0)
|
||||||
|
|
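Review bot: In the dump_client_config hunk the new `printf("none");` directly follows `printf("canonicalizePermittedcnames");`, so `ssh -G` will print `canonicalizePermittedcnamesnone` as one token; the list entries get their separator from the `" %s:%s"` format, but the `none` branch has none. The line should read `printf(" none");` so that the output stays a keyword followed by a space-separated value, which is what anything parsing or re-feeding `ssh -G` output into a config presumably relies on. The rest of the change looks consistent: fill_default_options collapses the `none` sentinel to zero entries before the dump runs, so `none` is printed for both the unset and the explicit-none case and the sentinel pair itself never reaches the output. dump_client_config begins and ends outside the hunk.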
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: readconf.h,v 1.144 2021/07/23 04:04:52 djm Exp $ */
|
/* $OpenBSD: readconf.h,v 1.145 2021/09/15 06:56:01 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
|
@ -228,6 +228,7 @@ int parse_jump(const char *, Options *, int);
|
||||||
int parse_ssh_uri(const char *, char **, char **, int *);
|
int parse_ssh_uri(const char *, char **, char **, int *);
|
||||||
int default_ssh_port(void);
|
int default_ssh_port(void);
|
||||||
int option_clear_or_none(const char *);
|
int option_clear_or_none(const char *);
|
||||||
|
int config_has_permitted_cnames(Options *);
|
||||||
void dump_client_config(Options *o, const char *host);
|
void dump_client_config(Options *o, const char *host);
|
||||||
|
|
||||||
void add_local_forward(Options *, const struct Forward *);
|
void add_local_forward(Options *, const struct Forward *);
|
||||||
|
|
7
ssh.c
7
ssh.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: ssh.c,v 1.567 2021/09/10 10:26:02 dtucker Exp $ */
|
/* $OpenBSD: ssh.c,v 1.568 2021/09/15 06:56:01 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@ -259,6 +259,7 @@ resolve_host(const char *name, int port, int logerr, char *cname, size_t clen)
|
||||||
port = default_ssh_port();
|
port = default_ssh_port();
|
||||||
if (cname != NULL)
|
if (cname != NULL)
|
||||||
*cname = '\0';
|
*cname = '\0';
|
||||||
|
debug3_f("lookup %s:%d", name, port);
|
||||||
|
|
||||||
snprintf(strport, sizeof strport, "%d", port);
|
snprintf(strport, sizeof strport, "%d", port);
|
||||||
memset(&hints, 0, sizeof(hints));
|
memset(&hints, 0, sizeof(hints));
|
||||||
|
@ -382,7 +383,7 @@ check_follow_cname(int direct, char **namep, const char *cname)
|
||||||
int i;
|
int i;
|
||||||
struct allowed_cname *rule;
|
struct allowed_cname *rule;
|
||||||
|
|
||||||
if (*cname == '\0' || options.num_permitted_cnames == 0 ||
|
if (*cname == '\0' || !config_has_permitted_cnames(&options) ||
|
||||||
strcmp(*namep, cname) == 0)
|
strcmp(*namep, cname) == 0)
|
||||||
return 0;
|
return 0;
|
||||||
if (options.canonicalize_hostname == SSH_CANONICALISE_NO)
|
if (options.canonicalize_hostname == SSH_CANONICALISE_NO)
|
||||||
|
@ -1186,7 +1187,7 @@ main(int ac, char **av)
|
||||||
*/
|
*/
|
||||||
direct = option_clear_or_none(options.proxy_command) &&
|
direct = option_clear_or_none(options.proxy_command) &&
|
||||||
options.jump_host == NULL;
|
options.jump_host == NULL;
|
||||||
if (addrs == NULL && options.num_permitted_cnames != 0 && (direct ||
|
if (addrs == NULL && config_has_permitted_cnames(&options) && (direct ||
|
||||||
options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) {
|
options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) {
|
||||||
if ((addrs = resolve_host(host, options.port,
|
if ((addrs = resolve_host(host, options.port,
|
||||||
direct, cname, sizeof(cname))) == NULL) {
|
direct, cname, sizeof(cname))) == NULL) {
|
||||||
|
|
|
@ -33,8 +33,8 @@
|
||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: ssh_config.5,v 1.364 2021/09/03 07:43:23 dtucker Exp $
|
.\" $OpenBSD: ssh_config.5,v 1.365 2021/09/15 06:56:01 djm Exp $
|
||||||
.Dd $Mdocdate: September 3 2021 $
|
.Dd $Mdocdate: September 15 2021 $
|
||||||
.Dt SSH_CONFIG 5
|
.Dt SSH_CONFIG 5
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
|
@ -372,6 +372,11 @@ to be canonicalized to names in the
|
||||||
or
|
or
|
||||||
.Qq *.c.example.com
|
.Qq *.c.example.com
|
||||||
domains.
|
domains.
|
||||||
|
.Pp
|
||||||
|
A single argument of
|
||||||
|
.Qq none
|
||||||
|
causes no CNAMEs to be considered for canonicalization.
|
||||||
|
This is the default behaviour.
|
||||||
.It Cm CASignatureAlgorithms
|
.It Cm CASignatureAlgorithms
|
||||||
Specifies which algorithms are allowed for signing of certificates
|
Specifies which algorithms are allowed for signing of certificates
|
||||||
by certificate authorities (CAs).
|
by certificate authorities (CAs).
|
||||||
|
|