Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 312d2f2861a2598ed08587cb6c45c0e98a85408f^! / . / readconf.c
commit312d2f2861a2598ed08587cb6c45c0e98a85408f[log] [tgz]
authordjm@openbsd.org <djm@openbsd.org>Wed Jul 04 13:49:31 2018 +0000
committerDamien Miller <djm@mindrot.org>Wed Jul 04 23:51:52 2018 +1000
treee3bdc4facef48a89cd76fa793d9e70211b7ff8d2
parent303af5803bd74bf05d375c04e1a83b40c30b2be5 [diff] [blame]
upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA

signature work - returns ability to add/remove/specify algorithms by
wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207

diff --git a/readconf.c b/readconf.c
index 8d20295..2bc2707 100644
--- a/readconf.c
+++ b/readconf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.291 2018/06/10 23:45:41 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.292 2018/07/04 13:49:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1936,6 +1936,8 @@
 void
 fill_default_options(Options * options)
 {
+	char *all_cipher, *all_mac, *all_kex, *all_key;
+
 	if (options->forward_agent == -1)
 		options->forward_agent = 0;
 	if (options->forward_x11 == -1)
@@ -2082,14 +2084,27 @@
 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 	if (options->update_hostkeys == -1)
 		options->update_hostkeys = 0;
-	if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
-	    kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 ||
-	    kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 ||
-	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
-	    &options->hostbased_key_types) != 0 ||
-	    kex_assemble_names(KEX_DEFAULT_PK_ALG,
-	    &options->pubkey_key_types) != 0)
+
+	/* Expand KEX name lists */
+	all_cipher = cipher_alg_list(',', 0);
+	all_mac = mac_alg_list(',');
+	all_kex = kex_alg_list(',');
+	all_key = sshkey_alg_list(0, 0, 1, ',');
+	if (kex_assemble_names(&options->ciphers,
+	    KEX_CLIENT_ENCRYPT, all_cipher) != 0 ||
+	    kex_assemble_names(&options->macs,
+	    KEX_CLIENT_MAC, all_mac) != 0 ||
+	    kex_assemble_names(&options->kex_algorithms,
+	    KEX_CLIENT_KEX, all_kex) != 0 ||
+	    kex_assemble_names(&options->hostbased_key_types,
+	    KEX_DEFAULT_PK_ALG, all_key) != 0 ||
+	    kex_assemble_names(&options->pubkey_key_types,
+	    KEX_DEFAULT_PK_ALG, all_key) != 0)
 		fatal("%s: kex_assemble_names failed", __func__);
+	free(all_cipher);
+	free(all_mac);
+	free(all_kex);
+	free(all_key);
 
 #define CLEAR_ON_NONE(v) \
 	do { \
@@ -2537,11 +2552,14 @@
 dump_client_config(Options *o, const char *host)
 {
 	int i;
-	char buf[8];
+	char buf[8], *all_key;
 
 	/* This is normally prepared in ssh_kex2 */
-	if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0)
+	all_key = sshkey_alg_list(0, 0, 1, ',');
+	if (kex_assemble_names( &o->hostkeyalgorithms,
+	    KEX_DEFAULT_PK_ALG, all_key) != 0)
 		fatal("%s: kex_assemble_names failed", __func__);
+	free(all_key);
 
 	/* Most interesting options first: user, host, port */
 	dump_cfg_string(oUser, o->user);