From 33392024f46e7aabaeaf947cc3b110d60a9fd9e3 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Wed, 13 May 2026 05:58:58 +0000
Subject: [PATCH] upstream: avoid validating bad cipher or mac lists in config files / commandline arguments as valid. Identified by SUSE and reported by Camila Camargo de Matos ok deraadt@ tb@
OpenBSD-Commit-ID: 45d51154f2418549e08b80fa33df6c6532046054
---
 cipher.c | 8 +++++---
 mac.c | 8 +++++---
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/cipher.c b/cipher.c
index f770e666c..b42baf967 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.126 2026/02/14 00:18:34 jsg Exp $ */
+/* $OpenBSD: cipher.c,v 1.127 2026/05/13 05:58:58 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -206,6 +206,7 @@ ciphers_valid(const char *names)
 const struct sshcipher *c;
 char *cipher_list, *cp;
 char *p;
+ int found = 0;
 
 if (names == NULL || strcmp(names, "") == 0)
 return 0;
@@ -217,10 +218,11 @@ ciphers_valid(const char *names)
 if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
 free(cipher_list);
 return 0;
- }
+ } else
+ found = 1;
 }
 free(cipher_list);
- return 1;
+ return found;
 }
 
 const char *
diff --git a/mac.c b/mac.c
index 17607830c..30496b402 100644
--- a/mac.c
+++ b/mac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mac.c,v 1.38 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: mac.c,v 1.39 2026/05/13 05:58:58 djm Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
 *
@@ -236,6 +236,7 @@ int
 mac_valid(const char *names)
 {
 char *maclist, *cp, *p;
+ int found = 0;
 
 if (names == NULL || strcmp(names, "") == 0)
 return 0;
@@ -246,8 +247,9 @@ mac_valid(const char *names)
 if (mac_setup(NULL, p) < 0) {
 free(maclist);
 return 0;
- }
+ } else
+ found = 1;
 }
 free(maclist);
- return 1;
+ return found;
 }
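Review bot: The `found` flag added to ciphers_valid() in the `@@ -217,10 +218,11 @@` hunk (and identically to mac_valid() in the `@@ -246,8 +247,9 @@` hunk of mac.c) only shows that at least one name passed; it does not show that every token in the list was examined. The loop header sits outside both hunks, so this is inferred. If the loop ends on the first empty token, a list with one valid name, an empty element and then further names would still return 1 without the later names reaching the lookup or `mac_setup(NULL, p)`. Consider treating an empty token as a validation failure inside the loop body rather than as end-of-list, and decide explicitly whether a trailing separator is acceptable. A short comment on the declaration, such as `/* set once a name validates; a list yielding no names must not pass */`, would record why the flag exists; the `else` after a branch that already returns could then become a plain `found = 1;` following the `if` block.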