upstream: Remove unsupported algorithms from list of defaults at run

time and remove ifdef and distinct settings for OPENSSL=no case. This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@ OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
author: dtucker@openbsd.org <dtucker@openbsd.org> 2020-01-23 02:46:49 +0000
committer: Darren Tucker <dtucker@dtucker.net> 2020-01-23 14:40:15 +1100
commit: c4b3a128954ee1b7fbcbda167baf8aca1a3d1c84 (patch)
tree: 60dca3a18ff7ec4bc2f6b9d90f8abb867344fcc9 /servconf.c
parent: 56cffcc09f8a2e661d2ba02e61364ae6f998b2b1 (diff)
1 files changed, 27 insertions, 20 deletions
diff --git a/servconf.c b/servconf.c
index 09e9df8bd..1a4c49907 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.357 2019/12/15 20:59:23 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.358 2020/01/23 02:46:49 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -195,6 +195,7 @@ static void
 assemble_algorithms(ServerOptions *o)
 {
        char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
+        char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
        int r;
        all_cipher = cipher_alg_list(',', 0);
@@ -202,24 +203,35 @@ assemble_algorithms(ServerOptions *o)
        all_kex = kex_alg_list(',');
        all_key = sshkey_alg_list(0, 0, 1, ',');
        all_sig = sshkey_alg_list(0, 1, 1, ',');
+        /* remove unsupported algos from default lists */
+        def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
+        def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
+        def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
+        def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+        def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
 #define ASSEMBLE(what, defaults, all) \
        do { \
                if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
                        fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
        } while (0)
-        ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
+        ASSEMBLE(ciphers, def_cipher, all_cipher);
-        ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
+        ASSEMBLE(macs, def_mac, all_mac);
-        ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
+        ASSEMBLE(kex_algorithms, def_kex, all_kex);
-        ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
+        ASSEMBLE(hostkeyalgorithms, def_key, all_key);
-        ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
+        ASSEMBLE(hostbased_key_types, def_key, all_key);
-        ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
+        ASSEMBLE(pubkey_key_types, def_key, all_key);
-        ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
+        ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
 #undef ASSEMBLE
        free(all_cipher);
        free(all_mac);
        free(all_kex);
        free(all_key);
        free(all_sig);
+        free(def_cipher);
+        free(def_mac);
+        free(def_kex);
+        free(def_key);
+        free(def_sig);
 }
 static void
@@ -2660,8 +2672,8 @@ dump_config(ServerOptions *o)
        /* string arguments */
        dump_cfg_string(sPidFile, o->pid_file);
        dump_cfg_string(sXAuthLocation, o->xauth_location);
-        dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
+        dump_cfg_string(sCiphers, o->ciphers);
-        dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
+        dump_cfg_string(sMacs, o->macs);
        dump_cfg_string(sBanner, o->banner);
        dump_cfg_string(sForceCommand, o->adm_forced_command);
        dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2677,16 +2689,11 @@ dump_config(ServerOptions *o)
        dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
        dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
        dump_cfg_string(sHostKeyAgent, o->host_key_agent);
-        dump_cfg_string(sKexAlgorithms,
+        dump_cfg_string(sKexAlgorithms, o->kex_algorithms);
-            o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
+        dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);
-        dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms ?
+        dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types);
-            o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
+        dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);
-        dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
+        dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types);
-            o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
-        dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
-            o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
-        dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
-            o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
        dump_cfg_string(sRDomain, o->routing_domain);
        /* string arguments requiring a lookup */
author	dtucker@openbsd.org <dtucker@openbsd.org>	2020-01-23 02:46:49 +0000
committer	Darren Tucker <dtucker@dtucker.net>	2020-01-23 14:40:15 +1100
commit	c4b3a128954ee1b7fbcbda167baf8aca1a3d1c84 (patch)
tree	60dca3a18ff7ec4bc2f6b9d90f8abb867344fcc9 /servconf.c
parent	56cffcc09f8a2e661d2ba02e61364ae6f998b2b1 (diff)