Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 17 |
1 files changed, 14 insertions, 3 deletions
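diff --git a/servconf.c b/servconf.c
index bb43a649c..c5dd617ef 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.340 2018/08/12 20:19:13 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.342 2018/09/20 23:40:16 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -147,6 +147,7 @@ initialize_server_options(ServerOptions *options)
 	options->ciphers = NULL;
 	options->macs = NULL;
 	options->kex_algorithms = NULL;
+	options->ca_sign_algorithms = NULL;
 	options->fwd_opts.gateway_ports = -1;
 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
 	options->fwd_opts.streamlocal_bind_unlink = -1;
@@ -194,13 +195,14 @@ option_clear_or_none(const char *o)
 static void
 assemble_algorithms(ServerOptions *o)
 {
-	char *all_cipher, *all_mac, *all_kex, *all_key;
+	char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
 	int r;
 
 	all_cipher = cipher_alg_list(',', 0);
 	all_mac = mac_alg_list(',');
 	all_kex = kex_alg_list(',');
 	all_key = sshkey_alg_list(0, 0, 1, ',');
+	all_sig = sshkey_alg_list(0, 1, 1, ',');
 #define ASSEMBLE(what, defaults, all) \
 	do { \
 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
@@ -212,11 +214,13 @@ assemble_algorithms(ServerOptions *o)
 	ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
 	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
 	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
+	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
 #undef ASSEMBLE
 	free(all_cipher);
 	free(all_mac);
 	free(all_kex);
 	free(all_key);
+	free(all_sig);
 }
 
 static void
@@ -497,7 +501,7 @@ typedef enum {
 	sHostCertificate,
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
-	sKexAlgorithms, sIPQoS, sVersionAddendum,
+	sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
@@ -660,6 +664,7 @@ static struct {
 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
 	{ "rdomain", sRDomain, SSHCFG_ALL },
+	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
 	{ "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
 	{ NULL, sBadOption, 0 }
 };
@@ -1452,6 +1457,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		charptr = &options->hostkeyalgorithms;
 		goto parse_keytypes;
 
+	case sCASignatureAlgorithms:
+		charptr = &options->ca_sign_algorithms;
+		goto parse_keytypes;
+
 	case sPubkeyAuthentication:
 		intptr = &options->pubkey_authentication;
 		goto parse_flag;
@@ -2637,6 +2646,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
 	dump_cfg_string(sKexAlgorithms,
 	    o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
+	dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms ?
+	    o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
 	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
 	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
 	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?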
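Review bot: The `casignaturealgorithms` keyword is registered with SSHCFG_ALL in the @@ -660 hunk, so it is accepted inside a Match block, yet no hunk in this diff copies `ca_sign_algorithms` into the active options in copy_set_server_options (the diffstat accounts for all 17 changed lines, none of them there); if that function, which is outside this diff, does not carry a copy step for the new field next to the existing ones for `hostbased_key_types` and `pubkey_key_types`, a Match-scoped value is validated and stored but never applied, a silent no-op that is hard to spot from the config alone. Please confirm against the current copy_set_server_options and add `M_CP_STROPT(ca_sign_algorithms);` there if it is missing, or narrow the keyword to SSHCFG_GLOBAL. The new `case sCASignatureAlgorithms` in process_server_config_line relies on the shared `parse_keytypes` path, which lies outside the hunk and was written for host-key type lists; a short comment such as `/* reuses the key-type name validation at parse_keytypes; the list is later merged against the signature-algorithm defaults in assemble_algorithms() */` would make that reuse explicit. In assemble_algorithms the difference between `sshkey_alg_list(0, 1, 1, ',')` and the `(0, 0, 1, ',')` call above it is not self-evident from the argument values; a trailing comment on the `all_sig` line naming what that list contains would help the next reader.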