Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c17
1 files changed, 14 insertions, 3 deletions
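--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.340 2018/08/12 20:19:13 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.342 2018/09/20 23:40:16 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -147,6 +147,7 @@ initialize_server_options(ServerOptions *options)
 	options->ciphers = NULL;
 	options->macs = NULL;
 	options->kex_algorithms = NULL;
+	options->ca_sign_algorithms = NULL;
 	options->fwd_opts.gateway_ports = -1;
 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
 	options->fwd_opts.streamlocal_bind_unlink = -1;
@@ -194,13 +195,14 @@ option_clear_or_none(const char *o)
 static void
 assemble_algorithms(ServerOptions *o)
 {
-	char *all_cipher, *all_mac, *all_kex, *all_key;
+	char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
 	int r;
 
 	all_cipher = cipher_alg_list(',', 0);
 	all_mac = mac_alg_list(',');
 	all_kex = kex_alg_list(',');
 	all_key = sshkey_alg_list(0, 0, 1, ',');
+	all_sig = sshkey_alg_list(0, 1, 1, ',');
 #define ASSEMBLE(what, defaults, all) \
 	do { \
 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
@@ -212,11 +214,13 @@ assemble_algorithms(ServerOptions *o)
 	ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
 	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
 	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
+	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
 #undef ASSEMBLE
 	free(all_cipher);
 	free(all_mac);
 	free(all_kex);
 	free(all_key);
+	free(all_sig);
 }
 
 static void
@@ -497,7 +501,7 @@ typedef enum {
 	sHostCertificate,
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
-	sKexAlgorithms, sIPQoS, sVersionAddendum,
+	sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
@@ -660,6 +664,7 @@ static struct {
 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
 	{ "rdomain", sRDomain, SSHCFG_ALL },
+	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
 	{ "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
 	{ NULL, sBadOption, 0 }
 };
@@ -1452,6 +1457,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		charptr = &options->hostkeyalgorithms;
 		goto parse_keytypes;
 
+	case sCASignatureAlgorithms:
+		charptr = &options->ca_sign_algorithms;
+		goto parse_keytypes;
+
 	case sPubkeyAuthentication:
 		intptr = &options->pubkey_authentication;
 		goto parse_flag;
@@ -2637,6 +2646,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
 	dump_cfg_string(sKexAlgorithms,
 	    o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
+	dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms ?
+	    o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
 	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
 	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
 	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?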