diff options
| author | dtucker@openbsd.org <dtucker@openbsd.org> | 2020-01-23 02:46:49 +0000 |
|---|---|---|
| committer | Darren Tucker <dtucker@dtucker.net> | 2020-01-23 14:40:15 +1100 |
| commit | c4b3a128954ee1b7fbcbda167baf8aca1a3d1c84 (patch) | |
| tree | 60dca3a18ff7ec4bc2f6b9d90f8abb867344fcc9 /readconf.c | |
| parent | 56cffcc09f8a2e661d2ba02e61364ae6f998b2b1 (diff) | |
upstream: Remove unsupported algorithms from list of defaults at run
time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@
OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
Diffstat (limited to 'readconf.c')
| -rw-r--r-- | readconf.c | 53 |
1 files changed, 34 insertions, 19 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.319 2019/12/21 02:19:13 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.320 2020/01/23 02:46:49 dtucker Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -314,6 +314,16 @@ static struct { { NULL, oBadOption } }; +static char *kex_default_pk_alg_filtered; + +const char * +kex_default_pk_alg(void) +{ + if (kex_default_pk_alg_filtered == NULL) + fatal("kex_default_pk_alg not initialized."); + return kex_default_pk_alg_filtered; +} + /* * Adds a local TCP/IP port forward to options. Never returns if there is an * error. @@ -2003,6 +2013,7 @@ void fill_default_options(Options * options) { char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; + char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig; int r; if (options->forward_agent == -1) @@ -2167,24 +2178,35 @@ fill_default_options(Options * options) all_kex = kex_alg_list(','); all_key = sshkey_alg_list(0, 0, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ','); + /* remove unsupported algos from default lists */ + def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher); + def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac); + def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex); + def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); + def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); #define ASSEMBLE(what, defaults, all) \ do { \ if ((r = kex_assemble_names(&options->what, \ defaults, all)) != 0) \ fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ } while (0) - ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher); - ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac); - ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex); - ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); - ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); - ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); + ASSEMBLE(ciphers, def_cipher, all_cipher); + ASSEMBLE(macs, def_mac, all_mac); + ASSEMBLE(kex_algorithms, def_kex, all_kex); + ASSEMBLE(hostbased_key_types, def_key, all_key); + ASSEMBLE(pubkey_key_types, def_key, all_key); + ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); #undef ASSEMBLE free(all_cipher); free(all_mac); free(all_kex); free(all_key); free(all_sig); + free(def_cipher); + free(def_mac); + free(def_kex); + kex_default_pk_alg_filtered = def_key; /* save for later use */ + free(def_sig); #define CLEAR_ON_NONE(v) \ do { \ @@ -2634,14 +2656,7 @@ void dump_client_config(Options *o, const char *host) { int i; - char buf[8], *all_key; - - /* This is normally prepared in ssh_kex2 */ - all_key = sshkey_alg_list(0, 0, 1, ','); - if (kex_assemble_names( &o->hostkeyalgorithms, - KEX_DEFAULT_PK_ALG, all_key) != 0) - fatal("%s: kex_assemble_names failed", __func__); - free(all_key); + char buf[8]; /* Most interesting options first: user, host, port */ dump_cfg_string(oUser, o->user); @@ -2698,7 +2713,7 @@ dump_client_config(Options *o, const char *host) /* String options */ dump_cfg_string(oBindAddress, o->bind_address); dump_cfg_string(oBindInterface, o->bind_interface); - dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT); + dump_cfg_string(oCiphers, o->ciphers); dump_cfg_string(oControlPath, o->control_path); dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms); dump_cfg_string(oHostKeyAlias, o->host_key_alias); @@ -2706,12 +2721,12 @@ dump_client_config(Options *o, const char *host) dump_cfg_string(oIdentityAgent, o->identity_agent); dump_cfg_string(oIgnoreUnknown, o->ignored_unknown); dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); - dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX); - dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS); + dump_cfg_string(oKexAlgorithms, o->kex_algorithms); + dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms); dump_cfg_string(oLocalCommand, o->local_command); dump_cfg_string(oRemoteCommand, o->remote_command); dump_cfg_string(oLogLevel, log_level_name(o->log_level)); - dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC); + dump_cfg_string(oMacs, o->macs); #ifdef ENABLE_PKCS11 dump_cfg_string(oPKCS11Provider, o->pkcs11_provider); #endif |