diff options
author | dtucker@openbsd.org <dtucker@openbsd.org> | 2020-01-23 02:46:49 +0000 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2020-01-23 14:40:15 +1100 |
commit | c4b3a128954ee1b7fbcbda167baf8aca1a3d1c84 (patch) | |
tree | 60dca3a18ff7ec4bc2f6b9d90f8abb867344fcc9 | |
parent | 56cffcc09f8a2e661d2ba02e61364ae6f998b2b1 (diff) |
upstream: Remove unsupported algorithms from list of defaults at run
time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@
OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
-rw-r--r-- | clientloop.c | 5 | ||||
-rw-r--r-- | myproposal.h | 138 | ||||
-rw-r--r-- | readconf.c | 53 | ||||
-rw-r--r-- | readconf.h | 3 | ||||
-rw-r--r-- | servconf.c | 47 | ||||
-rw-r--r-- | sshconnect2.c | 8 |
6 files changed, 92 insertions, 162 deletions
diff --git a/clientloop.c b/clientloop.c index 8f0332df4..4acf2806d 100644 --- a/clientloop.c +++ b/clientloop.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: clientloop.c,v 1.330 2019/12/21 02:19:13 djm Exp $ */ | 1 | /* $OpenBSD: clientloop.c,v 1.331 2020/01/23 02:46:49 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -2046,8 +2046,7 @@ static int | |||
2046 | key_accepted_by_hostkeyalgs(const struct sshkey *key) | 2046 | key_accepted_by_hostkeyalgs(const struct sshkey *key) |
2047 | { | 2047 | { |
2048 | const char *ktype = sshkey_ssh_name(key); | 2048 | const char *ktype = sshkey_ssh_name(key); |
2049 | const char *hostkeyalgs = options.hostkeyalgorithms != NULL ? | 2049 | const char *hostkeyalgs = options.hostkeyalgorithms; |
2050 | options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG; | ||
2051 | 2050 | ||
2052 | if (key == NULL || key->type == KEY_UNSPEC) | 2051 | if (key == NULL || key->type == KEY_UNSPEC) |
2053 | return 0; | 2052 | return 0; |
diff --git a/myproposal.h b/myproposal.h index 145704f49..dd2499d66 100644 --- a/myproposal.h +++ b/myproposal.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: myproposal.h,v 1.65 2020/01/22 04:58:23 tedu Exp $ */ | 1 | /* $OpenBSD: myproposal.h,v 1.66 2020/01/23 02:46:49 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
@@ -24,110 +24,47 @@ | |||
24 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 24 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
25 | */ | 25 | */ |
26 | 26 | ||
27 | #ifdef WITH_OPENSSL | 27 | #define KEX_SERVER_KEX \ |
28 | #include <openssl/opensslv.h> | 28 | "curve25519-sha256," \ |
29 | #endif | 29 | "curve25519-sha256@libssh.org," \ |
30 | |||
31 | /* conditional algorithm support */ | ||
32 | |||
33 | #ifdef OPENSSL_HAS_ECC | ||
34 | # ifdef OPENSSL_HAS_NISTP521 | ||
35 | # define KEX_ECDH_METHODS \ | ||
36 | "ecdh-sha2-nistp256," \ | 30 | "ecdh-sha2-nistp256," \ |
37 | "ecdh-sha2-nistp384," \ | 31 | "ecdh-sha2-nistp384," \ |
38 | "ecdh-sha2-nistp521," | 32 | "ecdh-sha2-nistp521," \ |
39 | # define HOSTKEY_ECDSA_CERT_METHODS \ | ||
40 | "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ | ||
41 | "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ | ||
42 | "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ | ||
43 | "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," | ||
44 | # define HOSTKEY_ECDSA_METHODS \ | ||
45 | "ecdsa-sha2-nistp256," \ | ||
46 | "ecdsa-sha2-nistp384," \ | ||
47 | "ecdsa-sha2-nistp521," \ | ||
48 | "sk-ecdsa-sha2-nistp256@openssh.com," | ||
49 | # else /* OPENSSL_HAS_NISTP521 */ | ||
50 | # define KEX_ECDH_METHODS \ | ||
51 | "ecdh-sha2-nistp256," \ | ||
52 | "ecdh-sha2-nistp384," | ||
53 | # define HOSTKEY_ECDSA_CERT_METHODS \ | ||
54 | "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ | ||
55 | "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ | ||
56 | "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," | ||
57 | # define HOSTKEY_ECDSA_METHODS \ | ||
58 | "ecdsa-sha2-nistp256," \ | ||
59 | "ecdsa-sha2-nistp384," \ | ||
60 | "sk-ecdsa-sha2-nistp256@openssh.com," | ||
61 | # endif /* OPENSSL_HAS_NISTP521 */ | ||
62 | #else /* OPENSSL_HAS_ECC */ | ||
63 | # define KEX_ECDH_METHODS | ||
64 | # define HOSTKEY_ECDSA_CERT_METHODS | ||
65 | # define HOSTKEY_ECDSA_METHODS | ||
66 | #endif /* OPENSSL_HAS_ECC */ | ||
67 | |||
68 | #ifdef OPENSSL_HAVE_EVPGCM | ||
69 | # define AESGCM_CIPHER_MODES \ | ||
70 | ",aes128-gcm@openssh.com,aes256-gcm@openssh.com" | ||
71 | #else | ||
72 | # define AESGCM_CIPHER_MODES | ||
73 | #endif | ||
74 | |||
75 | #ifdef HAVE_EVP_SHA256 | ||
76 | # define KEX_SHA2_METHODS \ | ||
77 | "diffie-hellman-group-exchange-sha256," \ | 33 | "diffie-hellman-group-exchange-sha256," \ |
78 | "diffie-hellman-group16-sha512," \ | 34 | "diffie-hellman-group16-sha512," \ |
79 | "diffie-hellman-group18-sha512," | 35 | "diffie-hellman-group18-sha512," \ |
80 | # define KEX_SHA2_GROUP14 \ | 36 | "diffie-hellman-group14-sha256" |
81 | "diffie-hellman-group14-sha256," | ||
82 | #define SHA2_HMAC_MODES \ | ||
83 | "hmac-sha2-256," \ | ||
84 | "hmac-sha2-512," | ||
85 | #else | ||
86 | # define KEX_SHA2_METHODS | ||
87 | # define KEX_SHA2_GROUP14 | ||
88 | # define SHA2_HMAC_MODES | ||
89 | #endif | ||
90 | |||
91 | #ifdef WITH_OPENSSL | ||
92 | # ifdef HAVE_EVP_SHA256 | ||
93 | # define KEX_CURVE25519_METHODS \ | ||
94 | "curve25519-sha256," \ | ||
95 | "curve25519-sha256@libssh.org," | ||
96 | # else | ||
97 | # define KEX_CURVE25519_METHODS "" | ||
98 | # endif | ||
99 | #define KEX_SERVER_KEX \ | ||
100 | KEX_CURVE25519_METHODS \ | ||
101 | KEX_ECDH_METHODS \ | ||
102 | KEX_SHA2_METHODS \ | ||
103 | KEX_SHA2_GROUP14 | ||
104 | 37 | ||
105 | #define KEX_CLIENT_KEX KEX_SERVER_KEX | 38 | #define KEX_CLIENT_KEX KEX_SERVER_KEX |
106 | 39 | ||
107 | #define KEX_DEFAULT_PK_ALG \ | 40 | #define KEX_DEFAULT_PK_ALG \ |
108 | HOSTKEY_ECDSA_CERT_METHODS \ | 41 | "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ |
42 | "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ | ||
43 | "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ | ||
44 | "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \ | ||
109 | "ssh-ed25519-cert-v01@openssh.com," \ | 45 | "ssh-ed25519-cert-v01@openssh.com," \ |
110 | "sk-ssh-ed25519-cert-v01@openssh.com," \ | 46 | "sk-ssh-ed25519-cert-v01@openssh.com," \ |
111 | "rsa-sha2-512-cert-v01@openssh.com," \ | 47 | "rsa-sha2-512-cert-v01@openssh.com," \ |
112 | "rsa-sha2-256-cert-v01@openssh.com," \ | 48 | "rsa-sha2-256-cert-v01@openssh.com," \ |
113 | "ssh-rsa-cert-v01@openssh.com," \ | 49 | "ssh-rsa-cert-v01@openssh.com," \ |
114 | HOSTKEY_ECDSA_METHODS \ | 50 | "ecdsa-sha2-nistp256," \ |
51 | "ecdsa-sha2-nistp384," \ | ||
52 | "ecdsa-sha2-nistp521," \ | ||
53 | "sk-ecdsa-sha2-nistp256@openssh.com," \ | ||
115 | "ssh-ed25519," \ | 54 | "ssh-ed25519," \ |
116 | "sk-ssh-ed25519@openssh.com," \ | 55 | "sk-ssh-ed25519@openssh.com," \ |
117 | "rsa-sha2-512," \ | 56 | "rsa-sha2-512," \ |
118 | "rsa-sha2-256," \ | 57 | "rsa-sha2-256," \ |
119 | "ssh-rsa" | 58 | "ssh-rsa" |
120 | 59 | ||
121 | /* the actual algorithms */ | 60 | #define KEX_SERVER_ENCRYPT \ |
122 | |||
123 | #define KEX_SERVER_ENCRYPT \ | ||
124 | "chacha20-poly1305@openssh.com," \ | 61 | "chacha20-poly1305@openssh.com," \ |
125 | "aes128-ctr,aes192-ctr,aes256-ctr" \ | 62 | "aes128-ctr,aes192-ctr,aes256-ctr," \ |
126 | AESGCM_CIPHER_MODES | 63 | "aes128-gcm@openssh.com,aes256-gcm@openssh.com" |
127 | 64 | ||
128 | #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT | 65 | #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT |
129 | 66 | ||
130 | #define KEX_SERVER_MAC \ | 67 | #define KEX_SERVER_MAC \ |
131 | "umac-64-etm@openssh.com," \ | 68 | "umac-64-etm@openssh.com," \ |
132 | "umac-128-etm@openssh.com," \ | 69 | "umac-128-etm@openssh.com," \ |
133 | "hmac-sha2-256-etm@openssh.com," \ | 70 | "hmac-sha2-256-etm@openssh.com," \ |
@@ -143,44 +80,16 @@ | |||
143 | 80 | ||
144 | /* Not a KEX value, but here so all the algorithm defaults are together */ | 81 | /* Not a KEX value, but here so all the algorithm defaults are together */ |
145 | #define SSH_ALLOWED_CA_SIGALGS \ | 82 | #define SSH_ALLOWED_CA_SIGALGS \ |
146 | HOSTKEY_ECDSA_METHODS \ | 83 | "ecdsa-sha2-nistp256," \ |
84 | "ecdsa-sha2-nistp384," \ | ||
85 | "ecdsa-sha2-nistp521," \ | ||
86 | "sk-ecdsa-sha2-nistp256@openssh.com," \ | ||
147 | "ssh-ed25519," \ | 87 | "ssh-ed25519," \ |
148 | "sk-ssh-ed25519@openssh.com," \ | 88 | "sk-ssh-ed25519@openssh.com," \ |
149 | "rsa-sha2-512," \ | 89 | "rsa-sha2-512," \ |
150 | "rsa-sha2-256," \ | 90 | "rsa-sha2-256," \ |
151 | "ssh-rsa" | 91 | "ssh-rsa" |
152 | 92 | ||
153 | #else /* WITH_OPENSSL */ | ||
154 | |||
155 | #define KEX_SERVER_KEX \ | ||
156 | "curve25519-sha256," \ | ||
157 | "curve25519-sha256@libssh.org" | ||
158 | #define KEX_DEFAULT_PK_ALG \ | ||
159 | "ssh-ed25519-cert-v01@openssh.com," \ | ||
160 | "ssh-ed25519" | ||
161 | #define KEX_SERVER_ENCRYPT \ | ||
162 | "chacha20-poly1305@openssh.com," \ | ||
163 | "aes128-ctr,aes192-ctr,aes256-ctr" | ||
164 | #define KEX_SERVER_MAC \ | ||
165 | "umac-64-etm@openssh.com," \ | ||
166 | "umac-128-etm@openssh.com," \ | ||
167 | "hmac-sha2-256-etm@openssh.com," \ | ||
168 | "hmac-sha2-512-etm@openssh.com," \ | ||
169 | "hmac-sha1-etm@openssh.com," \ | ||
170 | "umac-64@openssh.com," \ | ||
171 | "umac-128@openssh.com," \ | ||
172 | "hmac-sha2-256," \ | ||
173 | "hmac-sha2-512," \ | ||
174 | "hmac-sha1" | ||
175 | |||
176 | #define KEX_CLIENT_KEX KEX_SERVER_KEX | ||
177 | #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT | ||
178 | #define KEX_CLIENT_MAC KEX_SERVER_MAC | ||
179 | |||
180 | #define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519,sk-ssh-ed25519@openssh.com" | ||
181 | |||
182 | #endif /* WITH_OPENSSL */ | ||
183 | |||
184 | #define KEX_DEFAULT_COMP "none,zlib@openssh.com" | 93 | #define KEX_DEFAULT_COMP "none,zlib@openssh.com" |
185 | #define KEX_DEFAULT_LANG "" | 94 | #define KEX_DEFAULT_LANG "" |
186 | 95 | ||
@@ -207,4 +116,3 @@ | |||
207 | KEX_DEFAULT_COMP, \ | 116 | KEX_DEFAULT_COMP, \ |
208 | KEX_DEFAULT_LANG, \ | 117 | KEX_DEFAULT_LANG, \ |
209 | KEX_DEFAULT_LANG | 118 | KEX_DEFAULT_LANG |
210 | |||
diff --git a/readconf.c b/readconf.c index cb3ae6dc7..ff551c856 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: readconf.c,v 1.319 2019/12/21 02:19:13 djm Exp $ */ | 1 | /* $OpenBSD: readconf.c,v 1.320 2020/01/23 02:46:49 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -314,6 +314,16 @@ static struct { | |||
314 | { NULL, oBadOption } | 314 | { NULL, oBadOption } |
315 | }; | 315 | }; |
316 | 316 | ||
317 | static char *kex_default_pk_alg_filtered; | ||
318 | |||
319 | const char * | ||
320 | kex_default_pk_alg(void) | ||
321 | { | ||
322 | if (kex_default_pk_alg_filtered == NULL) | ||
323 | fatal("kex_default_pk_alg not initialized."); | ||
324 | return kex_default_pk_alg_filtered; | ||
325 | } | ||
326 | |||
317 | /* | 327 | /* |
318 | * Adds a local TCP/IP port forward to options. Never returns if there is an | 328 | * Adds a local TCP/IP port forward to options. Never returns if there is an |
319 | * error. | 329 | * error. |
@@ -2003,6 +2013,7 @@ void | |||
2003 | fill_default_options(Options * options) | 2013 | fill_default_options(Options * options) |
2004 | { | 2014 | { |
2005 | char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; | 2015 | char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; |
2016 | char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig; | ||
2006 | int r; | 2017 | int r; |
2007 | 2018 | ||
2008 | if (options->forward_agent == -1) | 2019 | if (options->forward_agent == -1) |
@@ -2167,24 +2178,35 @@ fill_default_options(Options * options) | |||
2167 | all_kex = kex_alg_list(','); | 2178 | all_kex = kex_alg_list(','); |
2168 | all_key = sshkey_alg_list(0, 0, 1, ','); | 2179 | all_key = sshkey_alg_list(0, 0, 1, ','); |
2169 | all_sig = sshkey_alg_list(0, 1, 1, ','); | 2180 | all_sig = sshkey_alg_list(0, 1, 1, ','); |
2181 | /* remove unsupported algos from default lists */ | ||
2182 | def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher); | ||
2183 | def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac); | ||
2184 | def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex); | ||
2185 | def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); | ||
2186 | def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); | ||
2170 | #define ASSEMBLE(what, defaults, all) \ | 2187 | #define ASSEMBLE(what, defaults, all) \ |
2171 | do { \ | 2188 | do { \ |
2172 | if ((r = kex_assemble_names(&options->what, \ | 2189 | if ((r = kex_assemble_names(&options->what, \ |
2173 | defaults, all)) != 0) \ | 2190 | defaults, all)) != 0) \ |
2174 | fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ | 2191 | fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ |
2175 | } while (0) | 2192 | } while (0) |
2176 | ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher); | 2193 | ASSEMBLE(ciphers, def_cipher, all_cipher); |
2177 | ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac); | 2194 | ASSEMBLE(macs, def_mac, all_mac); |
2178 | ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex); | 2195 | ASSEMBLE(kex_algorithms, def_kex, all_kex); |
2179 | ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); | 2196 | ASSEMBLE(hostbased_key_types, def_key, all_key); |
2180 | ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); | 2197 | ASSEMBLE(pubkey_key_types, def_key, all_key); |
2181 | ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); | 2198 | ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); |
2182 | #undef ASSEMBLE | 2199 | #undef ASSEMBLE |
2183 | free(all_cipher); | 2200 | free(all_cipher); |
2184 | free(all_mac); | 2201 | free(all_mac); |
2185 | free(all_kex); | 2202 | free(all_kex); |
2186 | free(all_key); | 2203 | free(all_key); |
2187 | free(all_sig); | 2204 | free(all_sig); |
2205 | free(def_cipher); | ||
2206 | free(def_mac); | ||
2207 | free(def_kex); | ||
2208 | kex_default_pk_alg_filtered = def_key; /* save for later use */ | ||
2209 | free(def_sig); | ||
2188 | 2210 | ||
2189 | #define CLEAR_ON_NONE(v) \ | 2211 | #define CLEAR_ON_NONE(v) \ |
2190 | do { \ | 2212 | do { \ |
@@ -2634,14 +2656,7 @@ void | |||
2634 | dump_client_config(Options *o, const char *host) | 2656 | dump_client_config(Options *o, const char *host) |
2635 | { | 2657 | { |
2636 | int i; | 2658 | int i; |
2637 | char buf[8], *all_key; | 2659 | char buf[8]; |
2638 | |||
2639 | /* This is normally prepared in ssh_kex2 */ | ||
2640 | all_key = sshkey_alg_list(0, 0, 1, ','); | ||
2641 | if (kex_assemble_names( &o->hostkeyalgorithms, | ||
2642 | KEX_DEFAULT_PK_ALG, all_key) != 0) | ||
2643 | fatal("%s: kex_assemble_names failed", __func__); | ||
2644 | free(all_key); | ||
2645 | 2660 | ||
2646 | /* Most interesting options first: user, host, port */ | 2661 | /* Most interesting options first: user, host, port */ |
2647 | dump_cfg_string(oUser, o->user); | 2662 | dump_cfg_string(oUser, o->user); |
@@ -2698,7 +2713,7 @@ dump_client_config(Options *o, const char *host) | |||
2698 | /* String options */ | 2713 | /* String options */ |
2699 | dump_cfg_string(oBindAddress, o->bind_address); | 2714 | dump_cfg_string(oBindAddress, o->bind_address); |
2700 | dump_cfg_string(oBindInterface, o->bind_interface); | 2715 | dump_cfg_string(oBindInterface, o->bind_interface); |
2701 | dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT); | 2716 | dump_cfg_string(oCiphers, o->ciphers); |
2702 | dump_cfg_string(oControlPath, o->control_path); | 2717 | dump_cfg_string(oControlPath, o->control_path); |
2703 | dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms); | 2718 | dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms); |
2704 | dump_cfg_string(oHostKeyAlias, o->host_key_alias); | 2719 | dump_cfg_string(oHostKeyAlias, o->host_key_alias); |
@@ -2706,12 +2721,12 @@ dump_client_config(Options *o, const char *host) | |||
2706 | dump_cfg_string(oIdentityAgent, o->identity_agent); | 2721 | dump_cfg_string(oIdentityAgent, o->identity_agent); |
2707 | dump_cfg_string(oIgnoreUnknown, o->ignored_unknown); | 2722 | dump_cfg_string(oIgnoreUnknown, o->ignored_unknown); |
2708 | dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); | 2723 | dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); |
2709 | dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX); | 2724 | dump_cfg_string(oKexAlgorithms, o->kex_algorithms); |
2710 | dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS); | 2725 | dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms); |
2711 | dump_cfg_string(oLocalCommand, o->local_command); | 2726 | dump_cfg_string(oLocalCommand, o->local_command); |
2712 | dump_cfg_string(oRemoteCommand, o->remote_command); | 2727 | dump_cfg_string(oRemoteCommand, o->remote_command); |
2713 | dump_cfg_string(oLogLevel, log_level_name(o->log_level)); | 2728 | dump_cfg_string(oLogLevel, log_level_name(o->log_level)); |
2714 | dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC); | 2729 | dump_cfg_string(oMacs, o->macs); |
2715 | #ifdef ENABLE_PKCS11 | 2730 | #ifdef ENABLE_PKCS11 |
2716 | dump_cfg_string(oPKCS11Provider, o->pkcs11_provider); | 2731 | dump_cfg_string(oPKCS11Provider, o->pkcs11_provider); |
2717 | #endif | 2732 | #endif |
diff --git a/readconf.h b/readconf.h index dcecfc54a..feedb3d20 100644 --- a/readconf.h +++ b/readconf.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: readconf.h,v 1.131 2019/12/21 02:19:13 djm Exp $ */ | 1 | /* $OpenBSD: readconf.h,v 1.132 2020/01/23 02:46:49 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -199,6 +199,7 @@ typedef struct { | |||
199 | #define SSH_STRICT_HOSTKEY_YES 2 | 199 | #define SSH_STRICT_HOSTKEY_YES 2 |
200 | #define SSH_STRICT_HOSTKEY_ASK 3 | 200 | #define SSH_STRICT_HOSTKEY_ASK 3 |
201 | 201 | ||
202 | const char *kex_default_pk_alg(void); | ||
202 | void initialize_options(Options *); | 203 | void initialize_options(Options *); |
203 | void fill_default_options(Options *); | 204 | void fill_default_options(Options *); |
204 | void fill_default_options_for_canonicalization(Options *); | 205 | void fill_default_options_for_canonicalization(Options *); |
diff --git a/servconf.c b/servconf.c index 09e9df8bd..1a4c49907 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.357 2019/12/15 20:59:23 djm Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.358 2020/01/23 02:46:49 dtucker Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -195,6 +195,7 @@ static void | |||
195 | assemble_algorithms(ServerOptions *o) | 195 | assemble_algorithms(ServerOptions *o) |
196 | { | 196 | { |
197 | char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; | 197 | char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; |
198 | char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig; | ||
198 | int r; | 199 | int r; |
199 | 200 | ||
200 | all_cipher = cipher_alg_list(',', 0); | 201 | all_cipher = cipher_alg_list(',', 0); |
@@ -202,24 +203,35 @@ assemble_algorithms(ServerOptions *o) | |||
202 | all_kex = kex_alg_list(','); | 203 | all_kex = kex_alg_list(','); |
203 | all_key = sshkey_alg_list(0, 0, 1, ','); | 204 | all_key = sshkey_alg_list(0, 0, 1, ','); |
204 | all_sig = sshkey_alg_list(0, 1, 1, ','); | 205 | all_sig = sshkey_alg_list(0, 1, 1, ','); |
206 | /* remove unsupported algos from default lists */ | ||
207 | def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher); | ||
208 | def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac); | ||
209 | def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex); | ||
210 | def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); | ||
211 | def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); | ||
205 | #define ASSEMBLE(what, defaults, all) \ | 212 | #define ASSEMBLE(what, defaults, all) \ |
206 | do { \ | 213 | do { \ |
207 | if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ | 214 | if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ |
208 | fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ | 215 | fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ |
209 | } while (0) | 216 | } while (0) |
210 | ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher); | 217 | ASSEMBLE(ciphers, def_cipher, all_cipher); |
211 | ASSEMBLE(macs, KEX_SERVER_MAC, all_mac); | 218 | ASSEMBLE(macs, def_mac, all_mac); |
212 | ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex); | 219 | ASSEMBLE(kex_algorithms, def_kex, all_kex); |
213 | ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key); | 220 | ASSEMBLE(hostkeyalgorithms, def_key, all_key); |
214 | ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); | 221 | ASSEMBLE(hostbased_key_types, def_key, all_key); |
215 | ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); | 222 | ASSEMBLE(pubkey_key_types, def_key, all_key); |
216 | ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); | 223 | ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); |
217 | #undef ASSEMBLE | 224 | #undef ASSEMBLE |
218 | free(all_cipher); | 225 | free(all_cipher); |
219 | free(all_mac); | 226 | free(all_mac); |
220 | free(all_kex); | 227 | free(all_kex); |
221 | free(all_key); | 228 | free(all_key); |
222 | free(all_sig); | 229 | free(all_sig); |
230 | free(def_cipher); | ||
231 | free(def_mac); | ||
232 | free(def_kex); | ||
233 | free(def_key); | ||
234 | free(def_sig); | ||
223 | } | 235 | } |
224 | 236 | ||
225 | static void | 237 | static void |
@@ -2660,8 +2672,8 @@ dump_config(ServerOptions *o) | |||
2660 | /* string arguments */ | 2672 | /* string arguments */ |
2661 | dump_cfg_string(sPidFile, o->pid_file); | 2673 | dump_cfg_string(sPidFile, o->pid_file); |
2662 | dump_cfg_string(sXAuthLocation, o->xauth_location); | 2674 | dump_cfg_string(sXAuthLocation, o->xauth_location); |
2663 | dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); | 2675 | dump_cfg_string(sCiphers, o->ciphers); |
2664 | dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); | 2676 | dump_cfg_string(sMacs, o->macs); |
2665 | dump_cfg_string(sBanner, o->banner); | 2677 | dump_cfg_string(sBanner, o->banner); |
2666 | dump_cfg_string(sForceCommand, o->adm_forced_command); | 2678 | dump_cfg_string(sForceCommand, o->adm_forced_command); |
2667 | dump_cfg_string(sChrootDirectory, o->chroot_directory); | 2679 | dump_cfg_string(sChrootDirectory, o->chroot_directory); |
@@ -2677,16 +2689,11 @@ dump_config(ServerOptions *o) | |||
2677 | dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); | 2689 | dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); |
2678 | dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); | 2690 | dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); |
2679 | dump_cfg_string(sHostKeyAgent, o->host_key_agent); | 2691 | dump_cfg_string(sHostKeyAgent, o->host_key_agent); |
2680 | dump_cfg_string(sKexAlgorithms, | 2692 | dump_cfg_string(sKexAlgorithms, o->kex_algorithms); |
2681 | o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); | 2693 | dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms); |
2682 | dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms ? | 2694 | dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types); |
2683 | o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS); | 2695 | dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms); |
2684 | dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? | 2696 | dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types); |
2685 | o->hostbased_key_types : KEX_DEFAULT_PK_ALG); | ||
2686 | dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? | ||
2687 | o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); | ||
2688 | dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? | ||
2689 | o->pubkey_key_types : KEX_DEFAULT_PK_ALG); | ||
2690 | dump_cfg_string(sRDomain, o->routing_domain); | 2697 | dump_cfg_string(sRDomain, o->routing_domain); |
2691 | 2698 | ||
2692 | /* string arguments requiring a lookup */ | 2699 | /* string arguments requiring a lookup */ |
diff --git a/sshconnect2.c b/sshconnect2.c index 6f9ee42cd..7f52cc55e 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshconnect2.c,v 1.315 2020/01/21 05:56:27 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.316 2020/01/23 02:46:49 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
@@ -119,7 +119,7 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) | |||
119 | for (i = 0; i < options.num_system_hostfiles; i++) | 119 | for (i = 0; i < options.num_system_hostfiles; i++) |
120 | load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); | 120 | load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); |
121 | 121 | ||
122 | oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG); | 122 | oavail = avail = xstrdup(kex_default_pk_alg()); |
123 | maxlen = strlen(avail) + 1; | 123 | maxlen = strlen(avail) + 1; |
124 | first = xmalloc(maxlen); | 124 | first = xmalloc(maxlen); |
125 | last = xmalloc(maxlen); | 125 | last = xmalloc(maxlen); |
@@ -181,14 +181,14 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) | |||
181 | if (options.hostkeyalgorithms != NULL) { | 181 | if (options.hostkeyalgorithms != NULL) { |
182 | all_key = sshkey_alg_list(0, 0, 1, ','); | 182 | all_key = sshkey_alg_list(0, 0, 1, ','); |
183 | if (kex_assemble_names(&options.hostkeyalgorithms, | 183 | if (kex_assemble_names(&options.hostkeyalgorithms, |
184 | KEX_DEFAULT_PK_ALG, all_key) != 0) | 184 | kex_default_pk_alg(), all_key) != 0) |
185 | fatal("%s: kex_assemble_namelist", __func__); | 185 | fatal("%s: kex_assemble_namelist", __func__); |
186 | free(all_key); | 186 | free(all_key); |
187 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 187 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
188 | compat_pkalg_proposal(options.hostkeyalgorithms); | 188 | compat_pkalg_proposal(options.hostkeyalgorithms); |
189 | } else { | 189 | } else { |
190 | /* Enforce default */ | 190 | /* Enforce default */ |
191 | options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); | 191 | options.hostkeyalgorithms = xstrdup(kex_default_pk_alg()); |
192 | /* Prefer algorithms that we already have keys for */ | 192 | /* Prefer algorithms that we already have keys for */ |
193 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 193 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
194 | compat_pkalg_proposal( | 194 | compat_pkalg_proposal( |