diff options
| author |   djm <djm@openbsd.org> | 2018-07-04 13:49:31 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2018-07-04 13:49:31 +0000 |
| commit | 16f6611564a06dfb208b20f7a3ac3e982251911e (patch) | |
| tree | 40298893e96865a87cec1ef07f55c42b7e9d6677 /usr.bin/ssh/readconf.c | |
| parent | Cleanup some whitespace. (diff) | |
| download | wireguard-openbsd-16f6611564a06dfb208b20f7a3ac3e982251911e.tar.xz wireguard-openbsd-16f6611564a06dfb208b20f7a3ac3e982251911e.zip | |
repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.
Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
Diffstat (limited to 'usr.bin/ssh/readconf.c')
| -rw-r--r-- | usr.bin/ssh/readconf.c | 38 |
1 files changed, 28 insertions, 10 deletions
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c index 6f1adbeccc0..53f56c6968f 100644 --- a/usr.bin/ssh/readconf.c +++ b/usr.bin/ssh/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.291 2018/06/10 23:45:41 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.292 2018/07/04 13:49:31 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1921,6 +1921,8 @@ fill_default_options_for_canonicalization(Options *options) void fill_default_options(Options * options) { + char *all_cipher, *all_mac, *all_kex, *all_key; + if (options->forward_agent == -1) options->forward_agent = 0; if (options->forward_x11 == -1) @@ -2065,14 +2067,27 @@ fill_default_options(Options * options) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; if (options->update_hostkeys == -1) options->update_hostkeys = 0; - if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 || - kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 || - kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 || - kex_assemble_names(KEX_DEFAULT_PK_ALG, - &options->hostbased_key_types) != 0 || - kex_assemble_names(KEX_DEFAULT_PK_ALG, - &options->pubkey_key_types) != 0) + + /* Expand KEX name lists */ + all_cipher = cipher_alg_list(',', 0); + all_mac = mac_alg_list(','); + all_kex = kex_alg_list(','); + all_key = sshkey_alg_list(0, 0, 1, ','); + if (kex_assemble_names(&options->ciphers, + KEX_CLIENT_ENCRYPT, all_cipher) != 0 || + kex_assemble_names(&options->macs, + KEX_CLIENT_MAC, all_mac) != 0 || + kex_assemble_names(&options->kex_algorithms, + KEX_CLIENT_KEX, all_kex) != 0 || + kex_assemble_names(&options->hostbased_key_types, + KEX_DEFAULT_PK_ALG, all_key) != 0 || + kex_assemble_names(&options->pubkey_key_types, + KEX_DEFAULT_PK_ALG, all_key) != 0) fatal("%s: kex_assemble_names failed", __func__); + free(all_cipher); + free(all_mac); + free(all_kex); + free(all_key); #define CLEAR_ON_NONE(v) \ do { \ @@ -2520,11 +2535,14 @@ void dump_client_config(Options *o, const char *host) { int i; - char buf[8]; + char buf[8], *all_key; /* This is normally prepared in ssh_kex2 */ - if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0) + all_key = sshkey_alg_list(0, 0, 1, ','); + if (kex_assemble_names( &o->hostkeyalgorithms, + KEX_DEFAULT_PK_ALG, all_key) != 0) fatal("%s: kex_assemble_names failed", __func__); + free(all_key); /* Most interesting options first: user, host, port */ dump_cfg_string(oUser, o->user); |