summaryrefslogtreecommitdiff
path: root/readconf.c
diff options
context:
space:
mode:
authordtucker@openbsd.org <dtucker@openbsd.org>2020-01-23 02:46:49 +0000
committerDarren Tucker <dtucker@dtucker.net>2020-01-23 14:40:15 +1100
commitc4b3a128954ee1b7fbcbda167baf8aca1a3d1c84 (patch)
tree60dca3a18ff7ec4bc2f6b9d90f8abb867344fcc9 /readconf.c
parent56cffcc09f8a2e661d2ba02e61364ae6f998b2b1 (diff)
upstream: Remove unsupported algorithms from list of defaults at run
time and remove ifdef and distinct settings for OPENSSL=no case. This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@ OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c53
1 files changed, 34 insertions, 19 deletions
diff --git a/readconf.c b/readconf.c
index cb3ae6dc..ff551c85 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.319 2019/12/21 02:19:13 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.320 2020/01/23 02:46:49 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -314,6 +314,16 @@ static struct {
{ NULL, oBadOption }
};
+static char *kex_default_pk_alg_filtered;
+
+const char *
+kex_default_pk_alg(void)
+{
+ if (kex_default_pk_alg_filtered == NULL)
+ fatal("kex_default_pk_alg not initialized.");
+ return kex_default_pk_alg_filtered;
+}
+
/*
* Adds a local TCP/IP port forward to options. Never returns if there is an
* error.
@@ -2003,6 +2013,7 @@ void
fill_default_options(Options * options)
{
char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
+ char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
int r;
if (options->forward_agent == -1)
@@ -2167,24 +2178,35 @@ fill_default_options(Options * options)
all_kex = kex_alg_list(',');
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
+ /* remove unsupported algos from default lists */
+ def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
+ def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
+ def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
+ def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+ def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
#define ASSEMBLE(what, defaults, all) \
do { \
if ((r = kex_assemble_names(&options->what, \
defaults, all)) != 0) \
fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
} while (0)
- ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
- ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
- ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
+ ASSEMBLE(ciphers, def_cipher, all_cipher);
+ ASSEMBLE(macs, def_mac, all_mac);
+ ASSEMBLE(kex_algorithms, def_kex, all_kex);
+ ASSEMBLE(hostbased_key_types, def_key, all_key);
+ ASSEMBLE(pubkey_key_types, def_key, all_key);
+ ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
#undef ASSEMBLE
free(all_cipher);
free(all_mac);
free(all_kex);
free(all_key);
free(all_sig);
+ free(def_cipher);
+ free(def_mac);
+ free(def_kex);
+ kex_default_pk_alg_filtered = def_key; /* save for later use */
+ free(def_sig);
#define CLEAR_ON_NONE(v) \
do { \
@@ -2634,14 +2656,7 @@ void
dump_client_config(Options *o, const char *host)
{
int i;
- char buf[8], *all_key;
-
- /* This is normally prepared in ssh_kex2 */
- all_key = sshkey_alg_list(0, 0, 1, ',');
- if (kex_assemble_names( &o->hostkeyalgorithms,
- KEX_DEFAULT_PK_ALG, all_key) != 0)
- fatal("%s: kex_assemble_names failed", __func__);
- free(all_key);
+ char buf[8];
/* Most interesting options first: user, host, port */
dump_cfg_string(oUser, o->user);
@@ -2698,7 +2713,7 @@ dump_client_config(Options *o, const char *host)
/* String options */
dump_cfg_string(oBindAddress, o->bind_address);
dump_cfg_string(oBindInterface, o->bind_interface);
- dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
+ dump_cfg_string(oCiphers, o->ciphers);
dump_cfg_string(oControlPath, o->control_path);
dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
dump_cfg_string(oHostKeyAlias, o->host_key_alias);
@@ -2706,12 +2721,12 @@ dump_client_config(Options *o, const char *host)
dump_cfg_string(oIdentityAgent, o->identity_agent);
dump_cfg_string(oIgnoreUnknown, o->ignored_unknown);
dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
- dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX);
- dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
+ dump_cfg_string(oKexAlgorithms, o->kex_algorithms);
+ dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms);
dump_cfg_string(oLocalCommand, o->local_command);
dump_cfg_string(oRemoteCommand, o->remote_command);
dump_cfg_string(oLogLevel, log_level_name(o->log_level));
- dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);
+ dump_cfg_string(oMacs, o->macs);
#ifdef ENABLE_PKCS11
dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
#endif