src - OpenBSD base system

diff options


context:
space:
mode:

author	Darren Tucker <dtucker@cvs.openbsd.org>	2020-01-23 02:46:50 +0000
committer	Darren Tucker <dtucker@cvs.openbsd.org>	2020-01-23 02:46:50 +0000
commit	29d30f156b987a307de2a95232f367d8c43246cb (patch)
tree	56f2afec5a6f49e63a254cd3eba132f929cd6a8c
parent	dc5b7cea52e52603b9b2e86befb0cf5cbf974bc5 (diff)

Remove unsupported algorithms from list of defaults at run time and

remove ifdef and distinct settings for OPENSSL=no case. This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@

Diffstat

-rw-r--r--

usr.bin/ssh/clientloop.c

-rw-r--r--

usr.bin/ssh/myproposal.h

-rw-r--r--

usr.bin/ssh/readconf.c

-rw-r--r--

usr.bin/ssh/readconf.h

-rw-r--r--

usr.bin/ssh/servconf.c

-rw-r--r--

usr.bin/ssh/sshconnect2.c

6 files changed, 70 insertions, 81 deletions

diff --git a/usr.bin/ssh/clientloop.c b/usr.bin/ssh/clientloop.c
index 9264eee43f5..6eefb0ee9d6 100644
--- a/usr.bin/ssh/clientloop.c
+++ b/usr.bin/ssh/clientloop.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: clientloop.c,v 1.330 2019/12/21 02:19:13 djm Exp $ */

+/* $OpenBSD: clientloop.c,v 1.331 2020/01/23 02:46:49 dtucker Exp $ */

* Author: Tatu Ylonen <ylo@cs.hut.fi>

@@ -2032,8 +2032,7 @@ static int

key_accepted_by_hostkeyalgs(const struct sshkey *key)

{

const char *ktype = sshkey_ssh_name(key);

- const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?

- options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;

+ const char *hostkeyalgs = options.hostkeyalgorithms;

if (key == NULL || key->type == KEY_UNSPEC)

return 0;

diff --git a/usr.bin/ssh/myproposal.h b/usr.bin/ssh/myproposal.h
index 86408dbf406..dd2499d661a 100644
--- a/usr.bin/ssh/myproposal.h
+++ b/usr.bin/ssh/myproposal.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: myproposal.h,v 1.65 2020/01/22 04:58:23 tedu Exp $ */

+/* $OpenBSD: myproposal.h,v 1.66 2020/01/23 02:46:49 dtucker Exp $ */

@@ -24,8 +24,6 @@

* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-#ifdef WITH_OPENSSL

#define KEX_SERVER_KEX \

"curve25519-sha256," \

"curve25519-sha256@libssh.org," \

@@ -92,37 +90,6 @@

"rsa-sha2-256," \

"ssh-rsa"

-#else /* WITH_OPENSSL */

-#define KEX_SERVER_KEX \

- "curve25519-sha256," \

- "curve25519-sha256@libssh.org"

-#define KEX_DEFAULT_PK_ALG \

- "ssh-ed25519-cert-v01@openssh.com," \

- "ssh-ed25519"

-#define KEX_SERVER_ENCRYPT \

- "chacha20-poly1305@openssh.com," \

- "aes128-ctr,aes192-ctr,aes256-ctr"

-#define KEX_SERVER_MAC \

- "umac-64-etm@openssh.com," \

- "umac-128-etm@openssh.com," \

- "hmac-sha2-256-etm@openssh.com," \

- "hmac-sha2-512-etm@openssh.com," \

- "hmac-sha1-etm@openssh.com," \

- "umac-64@openssh.com," \

- "umac-128@openssh.com," \

- "hmac-sha2-256," \

- "hmac-sha2-512," \

- "hmac-sha1"

-#define KEX_CLIENT_KEX KEX_SERVER_KEX

-#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT

-#define KEX_CLIENT_MAC KEX_SERVER_MAC

-#define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519,sk-ssh-ed25519@openssh.com"

-#endif /* WITH_OPENSSL */

#define KEX_DEFAULT_COMP "none,zlib@openssh.com"

#define KEX_DEFAULT_LANG ""

diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 1ed98ec1025..ed550277fec 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: readconf.c,v 1.319 2019/12/21 02:19:13 djm Exp $ */

+/* $OpenBSD: readconf.c,v 1.320 2020/01/23 02:46:49 dtucker Exp $ */

* Author: Tatu Ylonen <ylo@cs.hut.fi>

@@ -300,6 +300,16 @@ static struct {

{ NULL, oBadOption }

};

+static char *kex_default_pk_alg_filtered;

+const char *

+kex_default_pk_alg(void)

+ if (kex_default_pk_alg_filtered == NULL)

+ fatal("kex_default_pk_alg not initialized.");

+ return kex_default_pk_alg_filtered;

* Adds a local TCP/IP port forward to options. Never returns if there is an

* error.

@@ -1989,6 +1999,7 @@ void

fill_default_options(Options * options)

{

char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;

+ char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;

int r;

if (options->forward_agent == -1)

@@ -2146,24 +2157,35 @@ fill_default_options(Options * options)

all_kex = kex_alg_list(',');

all_key = sshkey_alg_list(0, 0, 1, ',');

all_sig = sshkey_alg_list(0, 1, 1, ',');

+ /* remove unsupported algos from default lists */

+ def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);

+ def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);

+ def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);

+ def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);

+ def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);

#define ASSEMBLE(what, defaults, all) \

do { \

if ((r = kex_assemble_names(&options->what, \

defaults, all)) != 0) \

fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \

} while (0)

- ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);

- ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);

- ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);

- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);

- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);

- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);

+ ASSEMBLE(ciphers, def_cipher, all_cipher);

+ ASSEMBLE(macs, def_mac, all_mac);

+ ASSEMBLE(kex_algorithms, def_kex, all_kex);

+ ASSEMBLE(hostbased_key_types, def_key, all_key);

+ ASSEMBLE(pubkey_key_types, def_key, all_key);

+ ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);

#undef ASSEMBLE

free(all_cipher);

free(all_mac);

free(all_kex);

free(all_key);

free(all_sig);

+ free(def_cipher);

+ free(def_mac);

+ free(def_kex);

+ kex_default_pk_alg_filtered = def_key; /* save for later use */

+ free(def_sig);

#define CLEAR_ON_NONE(v) \

do { \

@@ -2613,14 +2635,7 @@ void

dump_client_config(Options *o, const char *host)

{

int i;

- char buf[8], *all_key;

- /* This is normally prepared in ssh_kex2 */

- all_key = sshkey_alg_list(0, 0, 1, ',');

- if (kex_assemble_names( &o->hostkeyalgorithms,

- KEX_DEFAULT_PK_ALG, all_key) != 0)

- fatal("%s: kex_assemble_names failed", __func__);

- free(all_key);

+ char buf[8];

/* Most interesting options first: user, host, port */

dump_cfg_string(oUser, o->user);

@@ -2677,7 +2692,7 @@ dump_client_config(Options *o, const char *host)

/* String options */

dump_cfg_string(oBindAddress, o->bind_address);

dump_cfg_string(oBindInterface, o->bind_interface);

- dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);

+ dump_cfg_string(oCiphers, o->ciphers);

dump_cfg_string(oControlPath, o->control_path);

dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);

dump_cfg_string(oHostKeyAlias, o->host_key_alias);

@@ -2685,12 +2700,12 @@ dump_client_config(Options *o, const char *host)

dump_cfg_string(oIdentityAgent, o->identity_agent);

dump_cfg_string(oIgnoreUnknown, o->ignored_unknown);

dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);

- dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX);

- dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);

+ dump_cfg_string(oKexAlgorithms, o->kex_algorithms);

+ dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms);

dump_cfg_string(oLocalCommand, o->local_command);

dump_cfg_string(oRemoteCommand, o->remote_command);

dump_cfg_string(oLogLevel, log_level_name(o->log_level));

- dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);

+ dump_cfg_string(oMacs, o->macs);

#ifdef ENABLE_PKCS11

dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);

#endif

diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index dcecfc54afe..feedb3d202c 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: readconf.h,v 1.131 2019/12/21 02:19:13 djm Exp $ */

+/* $OpenBSD: readconf.h,v 1.132 2020/01/23 02:46:49 dtucker Exp $ */

* Author: Tatu Ylonen <ylo@cs.hut.fi>

@@ -199,6 +199,7 @@ typedef struct {

#define SSH_STRICT_HOSTKEY_YES 2

#define SSH_STRICT_HOSTKEY_ASK 3

+const char *kex_default_pk_alg(void);

void initialize_options(Options *);

void fill_default_options(Options *);

void fill_default_options_for_canonicalization(Options *);

diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index d6edb42268e..ad5fa8f76be 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c

@@ -1,5 +1,5 @@

-/* $OpenBSD: servconf.c,v 1.357 2019/12/15 20:59:23 djm Exp $ */

+/* $OpenBSD: servconf.c,v 1.358 2020/01/23 02:46:49 dtucker Exp $ */

@@ -181,6 +181,7 @@ static void

assemble_algorithms(ServerOptions *o)

{

char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;

+ char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;

int r;

all_cipher = cipher_alg_list(',', 0);

@@ -188,24 +189,35 @@ assemble_algorithms(ServerOptions *o)

all_kex = kex_alg_list(',');

all_key = sshkey_alg_list(0, 0, 1, ',');

all_sig = sshkey_alg_list(0, 1, 1, ',');

+ /* remove unsupported algos from default lists */

+ def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);

+ def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);

+ def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);

+ def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);

+ def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);

#define ASSEMBLE(what, defaults, all) \

do { \

if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \

fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \

} while (0)

- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);

- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);

- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);

- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);

- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);

- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);

- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);

+ ASSEMBLE(ciphers, def_cipher, all_cipher);

+ ASSEMBLE(macs, def_mac, all_mac);

+ ASSEMBLE(kex_algorithms, def_kex, all_kex);

+ ASSEMBLE(hostkeyalgorithms, def_key, all_key);

+ ASSEMBLE(hostbased_key_types, def_key, all_key);

+ ASSEMBLE(pubkey_key_types, def_key, all_key);

+ ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);

#undef ASSEMBLE

free(all_cipher);

free(all_mac);

free(all_kex);

free(all_key);

free(all_sig);

+ free(def_cipher);

+ free(def_mac);

+ free(def_kex);

+ free(def_key);

+ free(def_sig);

}

static void

@@ -2590,8 +2602,8 @@ dump_config(ServerOptions *o)

/* string arguments */

dump_cfg_string(sPidFile, o->pid_file);

dump_cfg_string(sXAuthLocation, o->xauth_location);

- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);

- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);

+ dump_cfg_string(sCiphers, o->ciphers);

+ dump_cfg_string(sMacs, o->macs);

dump_cfg_string(sBanner, o->banner);

dump_cfg_string(sForceCommand, o->adm_forced_command);

dump_cfg_string(sChrootDirectory, o->chroot_directory);

@@ -2607,16 +2619,11 @@ dump_config(ServerOptions *o)

dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);

dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);

dump_cfg_string(sHostKeyAgent, o->host_key_agent);

- dump_cfg_string(sKexAlgorithms,

- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);

- dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms ?

- o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);

- dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?

- o->hostbased_key_types : KEX_DEFAULT_PK_ALG);

- dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?

- o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);

- dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?

- o->pubkey_key_types : KEX_DEFAULT_PK_ALG);

+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms);

+ dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);

+ dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types);

+ dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);

+ dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types);

dump_cfg_string(sRDomain, o->routing_domain);

/* string arguments requiring a lookup */

diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 4a690eda58c..13b3c0753ee 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: sshconnect2.c,v 1.315 2020/01/21 05:56:27 djm Exp $ */

+/* $OpenBSD: sshconnect2.c,v 1.316 2020/01/23 02:46:49 dtucker Exp $ */

@@ -114,7 +114,7 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)

for (i = 0; i < options.num_system_hostfiles; i++)

load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);

- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);

+ oavail = avail = xstrdup(kex_default_pk_alg());

maxlen = strlen(avail) + 1;

first = xmalloc(maxlen);

last = xmalloc(maxlen);

@@ -176,14 +176,14 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)

if (options.hostkeyalgorithms != NULL) {

all_key = sshkey_alg_list(0, 0, 1, ',');

if (kex_assemble_names(&options.hostkeyalgorithms,

- KEX_DEFAULT_PK_ALG, all_key) != 0)

+ kex_default_pk_alg(), all_key) != 0)

fatal("%s: kex_assemble_namelist", __func__);

free(all_key);

myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =

compat_pkalg_proposal(options.hostkeyalgorithms);

} else {

/* Enforce default */

- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);

+ options.hostkeyalgorithms = xstrdup(kex_default_pk_alg());

/* Prefer algorithms that we already have keys for */

myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =

compat_pkalg_proposal(