diff options
author | djm@openbsd.org <djm@openbsd.org> | 2018-07-04 13:49:31 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-07-04 23:51:52 +1000 |
commit | 312d2f2861a2598ed08587cb6c45c0e98a85408f (patch) | |
tree | e3bdc4facef48a89cd76fa793d9e70211b7ff8d2 /readconf.c | |
parent | 303af5803bd74bf05d375c04e1a83b40c30b2be5 (diff) |
upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - returns ability to add/remove/specify algorithms by
wildcard.
Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
Diffstat (limited to 'readconf.c')
-rw-r--r-- | readconf.c | 38 |
1 files changed, 28 insertions, 10 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.291 2018/06/10 23:45:41 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.292 2018/07/04 13:49:31 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1936,6 +1936,8 @@ fill_default_options_for_canonicalization(Options *options) void fill_default_options(Options * options) { + char *all_cipher, *all_mac, *all_kex, *all_key; + if (options->forward_agent == -1) options->forward_agent = 0; if (options->forward_x11 == -1) @@ -2082,14 +2084,27 @@ fill_default_options(Options * options) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; if (options->update_hostkeys == -1) options->update_hostkeys = 0; - if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 || - kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 || - kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 || - kex_assemble_names(KEX_DEFAULT_PK_ALG, - &options->hostbased_key_types) != 0 || - kex_assemble_names(KEX_DEFAULT_PK_ALG, - &options->pubkey_key_types) != 0) + + /* Expand KEX name lists */ + all_cipher = cipher_alg_list(',', 0); + all_mac = mac_alg_list(','); + all_kex = kex_alg_list(','); + all_key = sshkey_alg_list(0, 0, 1, ','); + if (kex_assemble_names(&options->ciphers, + KEX_CLIENT_ENCRYPT, all_cipher) != 0 || + kex_assemble_names(&options->macs, + KEX_CLIENT_MAC, all_mac) != 0 || + kex_assemble_names(&options->kex_algorithms, + KEX_CLIENT_KEX, all_kex) != 0 || + kex_assemble_names(&options->hostbased_key_types, + KEX_DEFAULT_PK_ALG, all_key) != 0 || + kex_assemble_names(&options->pubkey_key_types, + KEX_DEFAULT_PK_ALG, all_key) != 0) fatal("%s: kex_assemble_names failed", __func__); + free(all_cipher); + free(all_mac); + free(all_kex); + free(all_key); #define CLEAR_ON_NONE(v) \ do { \ @@ -2537,11 +2552,14 @@ void dump_client_config(Options *o, const char *host) { int i; - char buf[8]; + char buf[8], *all_key; /* This is normally prepared in ssh_kex2 */ - if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0) + all_key = sshkey_alg_list(0, 0, 1, ','); + if (kex_assemble_names( &o->hostkeyalgorithms, + KEX_DEFAULT_PK_ALG, all_key) != 0) fatal("%s: kex_assemble_names failed", __func__); + free(all_key); /* Most interesting options first: user, host, port */ dump_cfg_string(oUser, o->user); |