diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-07-04 13:49:31 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-07-04 23:51:52 +1000 |
| commit | 312d2f2861a2598ed08587cb6c45c0e98a85408f (patch) | |
| tree | e3bdc4facef48a89cd76fa793d9e70211b7ff8d2 /servconf.c | |
| parent | 303af5803bd74bf05d375c04e1a83b40c30b2be5 (diff) | |
upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - returns ability to add/remove/specify algorithms by
wildcard.
Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
Diffstat (limited to 'servconf.c')
| -rw-r--r-- | servconf.c | 32 |
1 files changed, 23 insertions, 9 deletions
diff --git a/servconf.c b/servconf.c index a41fdc26a..a54219f01 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ||
| 2 | /* $OpenBSD: servconf.c,v 1.334 2018/07/03 10:59:35 djm Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.335 2018/07/04 13:49:31 djm Exp $ */ |
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved | 5 | * All rights reserved |
| @@ -190,15 +190,29 @@ option_clear_or_none(const char *o) | |||
| 190 | static void | 190 | static void |
| 191 | assemble_algorithms(ServerOptions *o) | 191 | assemble_algorithms(ServerOptions *o) |
| 192 | { | 192 | { |
| 193 | if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 || | 193 | char *all_cipher, *all_mac, *all_kex, *all_key; |
| 194 | kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 || | 194 | |
| 195 | kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 || | 195 | all_cipher = cipher_alg_list(',', 0); |
| 196 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | 196 | all_mac = mac_alg_list(','); |
| 197 | &o->hostkeyalgorithms) != 0 || | 197 | all_kex = kex_alg_list(','); |
| 198 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | 198 | all_key = sshkey_alg_list(0, 0, 1, ','); |
| 199 | &o->hostbased_key_types) != 0 || | 199 | if (kex_assemble_names(&o->ciphers, |
| 200 | kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0) | 200 | KEX_SERVER_ENCRYPT, all_cipher) != 0 || |
| 201 | kex_assemble_names(&o->macs, | ||
| 202 | KEX_SERVER_MAC, all_mac) != 0 || | ||
| 203 | kex_assemble_names(&o->kex_algorithms, | ||
| 204 | KEX_SERVER_KEX, all_kex) != 0 || | ||
| 205 | kex_assemble_names(&o->hostkeyalgorithms, | ||
| 206 | KEX_DEFAULT_PK_ALG, all_key) != 0 || | ||
| 207 | kex_assemble_names(&o->hostbased_key_types, | ||
| 208 | KEX_DEFAULT_PK_ALG, all_key) != 0 || | ||
| 209 | kex_assemble_names(&o->pubkey_key_types, | ||
| 210 | KEX_DEFAULT_PK_ALG, all_key) != 0) | ||
| 201 | fatal("kex_assemble_names failed"); | 211 | fatal("kex_assemble_names failed"); |
| 212 | free(all_cipher); | ||
| 213 | free(all_mac); | ||
| 214 | free(all_kex); | ||
| 215 | free(all_key); | ||
| 202 | } | 216 | } |
| 203 | 217 | ||
| 204 | static void | 218 | static void |