From 86e5737c39153af134158f24d0cab5827cbd5852 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 20 Sep 2018 03:28:06 +0000 Subject: upstream: Add sshd_config CASignatureAlgorithms option to allow control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac --- servconf.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'servconf.c') diff --git a/servconf.c b/servconf.c index c0f6af0be..5411640fc 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.340 2018/08/12 20:19:13 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.341 2018/09/20 03:28:06 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -145,6 +145,7 @@ initialize_server_options(ServerOptions *options) options->ciphers = NULL; options->macs = NULL; options->kex_algorithms = NULL; + options->ca_sign_algorithms = NULL; options->fwd_opts.gateway_ports = -1; options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; options->fwd_opts.streamlocal_bind_unlink = -1; @@ -191,13 +192,14 @@ option_clear_or_none(const char *o) static void assemble_algorithms(ServerOptions *o) { - char *all_cipher, *all_mac, *all_kex, *all_key; + char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; int r; all_cipher = cipher_alg_list(',', 0); all_mac = mac_alg_list(','); all_kex = kex_alg_list(','); all_key = sshkey_alg_list(0, 0, 1, ','); + all_sig = sshkey_alg_list(0, 1, 1, ','); #define ASSEMBLE(what, defaults, all) \ do { \ if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ @@ -209,11 +211,13 @@ assemble_algorithms(ServerOptions *o) ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key); ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); + ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); #undef ASSEMBLE free(all_cipher); free(all_mac); free(all_kex); free(all_key); + free(all_sig); } static void @@ -487,7 +491,7 @@ typedef enum { sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, - sKexAlgorithms, sIPQoS, sVersionAddendum, + sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, sStreamLocalBindMask, sStreamLocalBindUnlink, @@ -1431,6 +1435,10 @@ process_server_config_line(ServerOptions *options, char *line, charptr = &options->hostkeyalgorithms; goto parse_keytypes; + case sCASignatureAlgorithms: + charptr = &options->ca_sign_algorithms; + goto parse_keytypes; + case sPubkeyAuthentication: intptr = &options->pubkey_authentication; goto parse_flag; @@ -2601,6 +2609,8 @@ dump_config(ServerOptions *o) dump_cfg_string(sHostKeyAgent, o->host_key_agent); dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); + dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms ? + o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS); dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? o->hostbased_key_types : KEX_DEFAULT_PK_ALG); dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? -- cgit v1.2.3