diff options
author | dtucker@openbsd.org <dtucker@openbsd.org> | 2020-01-23 02:46:49 +0000 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2020-01-23 14:40:15 +1100 |
commit | c4b3a128954ee1b7fbcbda167baf8aca1a3d1c84 (patch) | |
tree | 60dca3a18ff7ec4bc2f6b9d90f8abb867344fcc9 /servconf.c | |
parent | 56cffcc09f8a2e661d2ba02e61364ae6f998b2b1 (diff) |
upstream: Remove unsupported algorithms from list of defaults at run
time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@
OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 47 |
1 files changed, 27 insertions, 20 deletions
diff --git a/servconf.c b/servconf.c index 09e9df8bd..1a4c49907 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.357 2019/12/15 20:59:23 djm Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.358 2020/01/23 02:46:49 dtucker Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -195,6 +195,7 @@ static void | |||
195 | assemble_algorithms(ServerOptions *o) | 195 | assemble_algorithms(ServerOptions *o) |
196 | { | 196 | { |
197 | char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; | 197 | char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; |
198 | char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig; | ||
198 | int r; | 199 | int r; |
199 | 200 | ||
200 | all_cipher = cipher_alg_list(',', 0); | 201 | all_cipher = cipher_alg_list(',', 0); |
@@ -202,24 +203,35 @@ assemble_algorithms(ServerOptions *o) | |||
202 | all_kex = kex_alg_list(','); | 203 | all_kex = kex_alg_list(','); |
203 | all_key = sshkey_alg_list(0, 0, 1, ','); | 204 | all_key = sshkey_alg_list(0, 0, 1, ','); |
204 | all_sig = sshkey_alg_list(0, 1, 1, ','); | 205 | all_sig = sshkey_alg_list(0, 1, 1, ','); |
206 | /* remove unsupported algos from default lists */ | ||
207 | def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher); | ||
208 | def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac); | ||
209 | def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex); | ||
210 | def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); | ||
211 | def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); | ||
205 | #define ASSEMBLE(what, defaults, all) \ | 212 | #define ASSEMBLE(what, defaults, all) \ |
206 | do { \ | 213 | do { \ |
207 | if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ | 214 | if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ |
208 | fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ | 215 | fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ |
209 | } while (0) | 216 | } while (0) |
210 | ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher); | 217 | ASSEMBLE(ciphers, def_cipher, all_cipher); |
211 | ASSEMBLE(macs, KEX_SERVER_MAC, all_mac); | 218 | ASSEMBLE(macs, def_mac, all_mac); |
212 | ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex); | 219 | ASSEMBLE(kex_algorithms, def_kex, all_kex); |
213 | ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key); | 220 | ASSEMBLE(hostkeyalgorithms, def_key, all_key); |
214 | ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); | 221 | ASSEMBLE(hostbased_key_types, def_key, all_key); |
215 | ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); | 222 | ASSEMBLE(pubkey_key_types, def_key, all_key); |
216 | ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); | 223 | ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); |
217 | #undef ASSEMBLE | 224 | #undef ASSEMBLE |
218 | free(all_cipher); | 225 | free(all_cipher); |
219 | free(all_mac); | 226 | free(all_mac); |
220 | free(all_kex); | 227 | free(all_kex); |
221 | free(all_key); | 228 | free(all_key); |
222 | free(all_sig); | 229 | free(all_sig); |
230 | free(def_cipher); | ||
231 | free(def_mac); | ||
232 | free(def_kex); | ||
233 | free(def_key); | ||
234 | free(def_sig); | ||
223 | } | 235 | } |
224 | 236 | ||
225 | static void | 237 | static void |
@@ -2660,8 +2672,8 @@ dump_config(ServerOptions *o) | |||
2660 | /* string arguments */ | 2672 | /* string arguments */ |
2661 | dump_cfg_string(sPidFile, o->pid_file); | 2673 | dump_cfg_string(sPidFile, o->pid_file); |
2662 | dump_cfg_string(sXAuthLocation, o->xauth_location); | 2674 | dump_cfg_string(sXAuthLocation, o->xauth_location); |
2663 | dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); | 2675 | dump_cfg_string(sCiphers, o->ciphers); |
2664 | dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); | 2676 | dump_cfg_string(sMacs, o->macs); |
2665 | dump_cfg_string(sBanner, o->banner); | 2677 | dump_cfg_string(sBanner, o->banner); |
2666 | dump_cfg_string(sForceCommand, o->adm_forced_command); | 2678 | dump_cfg_string(sForceCommand, o->adm_forced_command); |
2667 | dump_cfg_string(sChrootDirectory, o->chroot_directory); | 2679 | dump_cfg_string(sChrootDirectory, o->chroot_directory); |
@@ -2677,16 +2689,11 @@ dump_config(ServerOptions *o) | |||
2677 | dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); | 2689 | dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); |
2678 | dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); | 2690 | dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); |
2679 | dump_cfg_string(sHostKeyAgent, o->host_key_agent); | 2691 | dump_cfg_string(sHostKeyAgent, o->host_key_agent); |
2680 | dump_cfg_string(sKexAlgorithms, | 2692 | dump_cfg_string(sKexAlgorithms, o->kex_algorithms); |
2681 | o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); | 2693 | dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms); |
2682 | dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms ? | 2694 | dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types); |
2683 | o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS); | 2695 | dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms); |
2684 | dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? | 2696 | dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types); |
2685 | o->hostbased_key_types : KEX_DEFAULT_PK_ALG); | ||
2686 | dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? | ||
2687 | o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); | ||
2688 | dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? | ||
2689 | o->pubkey_key_types : KEX_DEFAULT_PK_ALG); | ||
2690 | dump_cfg_string(sRDomain, o->routing_domain); | 2697 | dump_cfg_string(sRDomain, o->routing_domain); |
2691 | 2698 | ||
2692 | /* string arguments requiring a lookup */ | 2699 | /* string arguments requiring a lookup */ |