summaryrefslogtreecommitdiffstats
path: root/readconf.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2018-09-20 03:30:44 +0000
committerDamien Miller <djm@mindrot.org>2018-09-20 14:00:29 +1000
commitecac7e1f7add6b28874959a11f2238d149dc2c07 (patch)
tree58cde218f604646101ff838423b7beeafb46b909 /readconf.c
parent86e5737c39153af134158f24d0cab5827cbd5852 (diff)
upstream: add CASignatureAlgorithms option for the client, allowing
it to specify which signature algorithms may be used by CAs when signing certificates. Useful if you want to ban RSA/SHA1; ok markus@ OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/readconf.c b/readconf.c
index db5f2d54..057726d0 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.297 2018/08/12 20:19:13 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.298 2018/09/20 03:30:44 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -172,7 +172,7 @@ typedef enum {
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
- oPubkeyAcceptedKeyTypes, oProxyJump,
+ oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
@@ -266,6 +266,7 @@ static struct {
{ "dynamicforward", oDynamicForward },
{ "preferredauthentications", oPreferredAuthentications },
{ "hostkeyalgorithms", oHostKeyAlgorithms },
+ { "casignaturealgorithms", oCASignatureAlgorithms },
{ "bindaddress", oBindAddress },
{ "bindinterface", oBindInterface },
{ "clearallforwardings", oClearAllForwardings },
@@ -1221,6 +1222,10 @@ parse_keytypes:
*charptr = xstrdup(arg);
break;
+ case oCASignatureAlgorithms:
+ charptr = &options->ca_sign_algorithms;
+ goto parse_keytypes;
+
case oLogLevel:
log_level_ptr = &options->log_level;
arg = strdelim(&s);
@@ -1836,6 +1841,7 @@ initialize_options(Options * options)
options->macs = NULL;
options->kex_algorithms = NULL;
options->hostkeyalgorithms = NULL;
+ options->ca_sign_algorithms = NULL;
options->num_identity_files = 0;
options->num_certificate_files = 0;
options->hostname = NULL;
@@ -1924,7 +1930,7 @@ fill_default_options_for_canonicalization(Options *options)
void
fill_default_options(Options * options)
{
- char *all_cipher, *all_mac, *all_kex, *all_key;
+ char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
int r;
if (options->forward_agent == -1)
@@ -2077,6 +2083,7 @@ fill_default_options(Options * options)
all_mac = mac_alg_list(',');
all_kex = kex_alg_list(',');
all_key = sshkey_alg_list(0, 0, 1, ',');
+ all_sig = sshkey_alg_list(0, 1, 1, ',');
#define ASSEMBLE(what, defaults, all) \
do { \
if ((r = kex_assemble_names(&options->what, \
@@ -2088,11 +2095,13 @@ fill_default_options(Options * options)
ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
#undef ASSEMBLE
free(all_cipher);
free(all_mac);
free(all_kex);
free(all_key);
+ free(all_sig);
#define CLEAR_ON_NONE(v) \
do { \
@@ -2614,6 +2623,7 @@ dump_client_config(Options *o, const char *host)
dump_cfg_string(oIgnoreUnknown, o->ignored_unknown);
dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX);
+ dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
dump_cfg_string(oLocalCommand, o->local_command);
dump_cfg_string(oRemoteCommand, o->remote_command);
dump_cfg_string(oLogLevel, log_level_name(o->log_level));
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-10 23:05:34 +0000