author | dtucker@openbsd.org <dtucker@openbsd.org> | 2020-01-23 02:46:49 +0000 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2020-01-23 14:40:15 +1100 |
commit | c4b3a128954ee1b7fbcbda167baf8aca1a3d1c84 (patch) | |
tree | 60dca3a18ff7ec4bc2f6b9d90f8abb867344fcc9 /readconf.c | |
parent | 56cffcc09f8a2e661d2ba02e61364ae6f998b2b1 (diff) |
upstream: Remove unsupported algorithms from list of defaults at run
time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@
OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
Diffstat (limited to 'readconf.c')
-rw-r--r-- | readconf.c | 53 |
1 files changed, 34 insertions, 19 deletions
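diff --git a/readconf.c b/readconf.c
index cb3ae6dc7..ff551c856 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.319 2019/12/21 02:19:13 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.320 2020/01/23 02:46:49 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -314,6 +314,16 @@ static struct {
 { NULL, oBadOption }
 };
 
+static char *kex_default_pk_alg_filtered;
+
+const char *
+kex_default_pk_alg(void)
+{
+if (kex_default_pk_alg_filtered == NULL)
+fatal("kex_default_pk_alg not initialized.");
+return kex_default_pk_alg_filtered;
+}
+
 /*
 * Adds a local TCP/IP port forward to options. Never returns if there is an
 * error.
@@ -2003,6 +2013,7 @@ void
 fill_default_options(Options * options)
 {
 char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
+char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
 int r;
 
 if (options->forward_agent == -1)
@@ -2167,24 +2178,35 @@ fill_default_options(Options * options)
 all_kex = kex_alg_list(',');
 all_key = sshkey_alg_list(0, 0, 1, ',');
 all_sig = sshkey_alg_list(0, 1, 1, ',');
+/* remove unsupported algos from default lists */
+def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
+def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
+def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
+def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
 #define ASSEMBLE(what, defaults, all) \
 do { \
 if ((r = kex_assemble_names(&options->what, \
 defaults, all)) != 0) \
 fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
 } while (0)
-ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
-ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
-ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
-ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
-ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
-ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
+ASSEMBLE(ciphers, def_cipher, all_cipher);
+ASSEMBLE(macs, def_mac, all_mac);
+ASSEMBLE(kex_algorithms, def_kex, all_kex);
+ASSEMBLE(hostbased_key_types, def_key, all_key);
+ASSEMBLE(pubkey_key_types, def_key, all_key);
+ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
 #undef ASSEMBLE
 free(all_cipher);
 free(all_mac);
 free(all_kex);
 free(all_key);
 free(all_sig);
+free(def_cipher);
+free(def_mac);
+free(def_kex);
+kex_default_pk_alg_filtered = def_key; /* save for later use */
+free(def_sig);
 
 #define CLEAR_ON_NONE(v) \
 do { \
@@ -2634,14 +2656,7 @@ void
 dump_client_config(Options *o, const char *host)
 {
 int i;
-char buf[8], *all_key;
-
-/* This is normally prepared in ssh_kex2 */
-all_key = sshkey_alg_list(0, 0, 1, ',');
-if (kex_assemble_names( &o->hostkeyalgorithms,
-KEX_DEFAULT_PK_ALG, all_key) != 0)
-fatal("%s: kex_assemble_names failed", __func__);
-free(all_key);
+char buf[8];
 
 /* Most interesting options first: user, host, port */
 dump_cfg_string(oUser, o->user);
@@ -2698,7 +2713,7 @@ dump_client_config(Options *o, const char *host)
 /* String options */
 dump_cfg_string(oBindAddress, o->bind_address);
 dump_cfg_string(oBindInterface, o->bind_interface);
-dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
+dump_cfg_string(oCiphers, o->ciphers);
 dump_cfg_string(oControlPath, o->control_path);
 dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
 dump_cfg_string(oHostKeyAlias, o->host_key_alias);
@@ -2706,12 +2721,12 @@ dump_client_config(Options *o, const char *host)
 dump_cfg_string(oIdentityAgent, o->identity_agent);
 dump_cfg_string(oIgnoreUnknown, o->ignored_unknown);
 dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
-dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX);
-dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
+dump_cfg_string(oKexAlgorithms, o->kex_algorithms);
+dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms);
 dump_cfg_string(oLocalCommand, o->local_command);
 dump_cfg_string(oRemoteCommand, o->remote_command);
 dump_cfg_string(oLogLevel, log_level_name(o->log_level));
-dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);
+dump_cfg_string(oMacs, o->macs);
 #ifdef ENABLE_PKCS11
 dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
 #endif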
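Review bot: The five match_filter_whitelist() results in the fill_default_options hunk are passed to kex_assemble_names without a NULL check; if that helper can fail (for example on allocation failure, which I cannot confirm from this hunk), a NULL def_* value reaches the ASSEMBLE calls and a NULL def_key becomes the stored "initialized" default that kex_default_pk_alg() then fatal()s on later with a misleading message. A single guard after the filtering block, `if (def_cipher == NULL || def_mac == NULL || def_kex == NULL || def_key == NULL || def_sig == NULL) fatal("%s: match_filter_whitelist failed", __func__);`, keeps the failure mode explicit at the point it occurs. The line `kex_default_pk_alg_filtered = def_key; /* save for later use */` also overwrites any value from an earlier call without releasing it, so if fill_default_options can run more than once the previous string leaks; `free(kex_default_pk_alg_filtered);` immediately before the assignment is cheap and harmless on the first call. The new kex_default_pk_alg() in the earlier hunk has no header comment; a line such as `/* Default host-key algorithm list with unsupported algorithms removed; only valid after fill_default_options() has run. */` would document the initialisation-order dependency that the fatal() enforces. fill_default_options begins and ends outside this hunk.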