summaryrefslogtreecommitdiff
path: root/servconf.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2018-09-20 03:28:06 +0000
committerDamien Miller <djm@mindrot.org>2018-09-20 14:00:29 +1000
commit86e5737c39153af134158f24d0cab5827cbd5852 (patch)
tree1add30c99e83b544792233280451f70f03053586 /servconf.c
parentf80e68ea7d62e2dfafc12f1a60ab544ae4033a0f (diff)
upstream: Add sshd_config CASignatureAlgorithms option to allow
control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/servconf.c b/servconf.c
index c0f6af0b..5411640f 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.340 2018/08/12 20:19:13 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.341 2018/09/20 03:28:06 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -145,6 +145,7 @@ initialize_server_options(ServerOptions *options)
options->ciphers = NULL;
options->macs = NULL;
options->kex_algorithms = NULL;
+ options->ca_sign_algorithms = NULL;
options->fwd_opts.gateway_ports = -1;
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
options->fwd_opts.streamlocal_bind_unlink = -1;
@@ -191,13 +192,14 @@ option_clear_or_none(const char *o)
static void
assemble_algorithms(ServerOptions *o)
{
- char *all_cipher, *all_mac, *all_kex, *all_key;
+ char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
int r;
all_cipher = cipher_alg_list(',', 0);
all_mac = mac_alg_list(',');
all_kex = kex_alg_list(',');
all_key = sshkey_alg_list(0, 0, 1, ',');
+ all_sig = sshkey_alg_list(0, 1, 1, ',');
#define ASSEMBLE(what, defaults, all) \
do { \
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
@@ -209,11 +211,13 @@ assemble_algorithms(ServerOptions *o)
ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
#undef ASSEMBLE
free(all_cipher);
free(all_mac);
free(all_kex);
free(all_key);
+ free(all_sig);
}
static void
@@ -487,7 +491,7 @@ typedef enum {
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
@@ -1431,6 +1435,10 @@ process_server_config_line(ServerOptions *options, char *line,
charptr = &options->hostkeyalgorithms;
goto parse_keytypes;
+ case sCASignatureAlgorithms:
+ charptr = &options->ca_sign_algorithms;
+ goto parse_keytypes;
+
case sPubkeyAuthentication:
intptr = &options->pubkey_authentication;
goto parse_flag;
@@ -2601,6 +2609,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
dump_cfg_string(sKexAlgorithms,
o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
+ dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms ?
+ o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?