summaryrefslogtreecommitdiff
path: root/usr.bin/ssh
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@cvs.openbsd.org>2020-01-23 02:46:50 +0000
committerDarren Tucker <dtucker@cvs.openbsd.org>2020-01-23 02:46:50 +0000
commit29d30f156b987a307de2a95232f367d8c43246cb (patch)
tree56f2afec5a6f49e63a254cd3eba132f929cd6a8c /usr.bin/ssh
parentdc5b7cea52e52603b9b2e86befb0cf5cbf974bc5 (diff)
Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case. This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/clientloop.c5
-rw-r--r--usr.bin/ssh/myproposal.h35
-rw-r--r--usr.bin/ssh/readconf.c53
-rw-r--r--usr.bin/ssh/readconf.h3
-rw-r--r--usr.bin/ssh/servconf.c47
-rw-r--r--usr.bin/ssh/sshconnect2.c8
6 files changed, 70 insertions, 81 deletions
diff --git a/usr.bin/ssh/clientloop.c b/usr.bin/ssh/clientloop.c
index 9264eee43f5..6eefb0ee9d6 100644
--- a/usr.bin/ssh/clientloop.c
+++ b/usr.bin/ssh/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.330 2019/12/21 02:19:13 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.331 2020/01/23 02:46:49 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2032,8 +2032,7 @@ static int
key_accepted_by_hostkeyalgs(const struct sshkey *key)
{
const char *ktype = sshkey_ssh_name(key);
- const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
- options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
+ const char *hostkeyalgs = options.hostkeyalgorithms;
if (key == NULL || key->type == KEY_UNSPEC)
return 0;
diff --git a/usr.bin/ssh/myproposal.h b/usr.bin/ssh/myproposal.h
index 86408dbf406..dd2499d661a 100644
--- a/usr.bin/ssh/myproposal.h
+++ b/usr.bin/ssh/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.65 2020/01/22 04:58:23 tedu Exp $ */
+/* $OpenBSD: myproposal.h,v 1.66 2020/01/23 02:46:49 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -24,8 +24,6 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-#ifdef WITH_OPENSSL
-
#define KEX_SERVER_KEX \
"curve25519-sha256," \
"curve25519-sha256@libssh.org," \
@@ -92,37 +90,6 @@
"rsa-sha2-256," \
"ssh-rsa"
-#else /* WITH_OPENSSL */
-
-#define KEX_SERVER_KEX \
- "curve25519-sha256," \
- "curve25519-sha256@libssh.org"
-#define KEX_DEFAULT_PK_ALG \
- "ssh-ed25519-cert-v01@openssh.com," \
- "ssh-ed25519"
-#define KEX_SERVER_ENCRYPT \
- "chacha20-poly1305@openssh.com," \
- "aes128-ctr,aes192-ctr,aes256-ctr"
-#define KEX_SERVER_MAC \
- "umac-64-etm@openssh.com," \
- "umac-128-etm@openssh.com," \
- "hmac-sha2-256-etm@openssh.com," \
- "hmac-sha2-512-etm@openssh.com," \
- "hmac-sha1-etm@openssh.com," \
- "umac-64@openssh.com," \
- "umac-128@openssh.com," \
- "hmac-sha2-256," \
- "hmac-sha2-512," \
- "hmac-sha1"
-
-#define KEX_CLIENT_KEX KEX_SERVER_KEX
-#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
-#define KEX_CLIENT_MAC KEX_SERVER_MAC
-
-#define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519,sk-ssh-ed25519@openssh.com"
-
-#endif /* WITH_OPENSSL */
-
#define KEX_DEFAULT_COMP "none,zlib@openssh.com"
#define KEX_DEFAULT_LANG ""
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 1ed98ec1025..ed550277fec 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.319 2019/12/21 02:19:13 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.320 2020/01/23 02:46:49 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -300,6 +300,16 @@ static struct {
{ NULL, oBadOption }
};
+static char *kex_default_pk_alg_filtered;
+
+const char *
+kex_default_pk_alg(void)
+{
+ if (kex_default_pk_alg_filtered == NULL)
+ fatal("kex_default_pk_alg not initialized.");
+ return kex_default_pk_alg_filtered;
+}
+
/*
* Adds a local TCP/IP port forward to options. Never returns if there is an
* error.
@@ -1989,6 +1999,7 @@ void
fill_default_options(Options * options)
{
char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
+ char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
int r;
if (options->forward_agent == -1)
@@ -2146,24 +2157,35 @@ fill_default_options(Options * options)
all_kex = kex_alg_list(',');
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
+ /* remove unsupported algos from default lists */
+ def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
+ def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
+ def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
+ def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+ def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
#define ASSEMBLE(what, defaults, all) \
do { \
if ((r = kex_assemble_names(&options->what, \
defaults, all)) != 0) \
fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
} while (0)
- ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
- ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
- ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
+ ASSEMBLE(ciphers, def_cipher, all_cipher);
+ ASSEMBLE(macs, def_mac, all_mac);
+ ASSEMBLE(kex_algorithms, def_kex, all_kex);
+ ASSEMBLE(hostbased_key_types, def_key, all_key);
+ ASSEMBLE(pubkey_key_types, def_key, all_key);
+ ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
#undef ASSEMBLE
free(all_cipher);
free(all_mac);
free(all_kex);
free(all_key);
free(all_sig);
+ free(def_cipher);
+ free(def_mac);
+ free(def_kex);
+ kex_default_pk_alg_filtered = def_key; /* save for later use */
+ free(def_sig);
#define CLEAR_ON_NONE(v) \
do { \
@@ -2613,14 +2635,7 @@ void
dump_client_config(Options *o, const char *host)
{
int i;
- char buf[8], *all_key;
-
- /* This is normally prepared in ssh_kex2 */
- all_key = sshkey_alg_list(0, 0, 1, ',');
- if (kex_assemble_names( &o->hostkeyalgorithms,
- KEX_DEFAULT_PK_ALG, all_key) != 0)
- fatal("%s: kex_assemble_names failed", __func__);
- free(all_key);
+ char buf[8];
/* Most interesting options first: user, host, port */
dump_cfg_string(oUser, o->user);
@@ -2677,7 +2692,7 @@ dump_client_config(Options *o, const char *host)
/* String options */
dump_cfg_string(oBindAddress, o->bind_address);
dump_cfg_string(oBindInterface, o->bind_interface);
- dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
+ dump_cfg_string(oCiphers, o->ciphers);
dump_cfg_string(oControlPath, o->control_path);
dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
dump_cfg_string(oHostKeyAlias, o->host_key_alias);
@@ -2685,12 +2700,12 @@ dump_client_config(Options *o, const char *host)
dump_cfg_string(oIdentityAgent, o->identity_agent);
dump_cfg_string(oIgnoreUnknown, o->ignored_unknown);
dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
- dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX);
- dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
+ dump_cfg_string(oKexAlgorithms, o->kex_algorithms);
+ dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms);
dump_cfg_string(oLocalCommand, o->local_command);
dump_cfg_string(oRemoteCommand, o->remote_command);
dump_cfg_string(oLogLevel, log_level_name(o->log_level));
- dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);
+ dump_cfg_string(oMacs, o->macs);
#ifdef ENABLE_PKCS11
dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
#endif
diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index dcecfc54afe..feedb3d202c 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.131 2019/12/21 02:19:13 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.132 2020/01/23 02:46:49 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -199,6 +199,7 @@ typedef struct {
#define SSH_STRICT_HOSTKEY_YES 2
#define SSH_STRICT_HOSTKEY_ASK 3
+const char *kex_default_pk_alg(void);
void initialize_options(Options *);
void fill_default_options(Options *);
void fill_default_options_for_canonicalization(Options *);
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index d6edb42268e..ad5fa8f76be 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.357 2019/12/15 20:59:23 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.358 2020/01/23 02:46:49 dtucker Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -181,6 +181,7 @@ static void
assemble_algorithms(ServerOptions *o)
{
char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
+ char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
int r;
all_cipher = cipher_alg_list(',', 0);
@@ -188,24 +189,35 @@ assemble_algorithms(ServerOptions *o)
all_kex = kex_alg_list(',');
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
+ /* remove unsupported algos from default lists */
+ def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
+ def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
+ def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
+ def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+ def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
#define ASSEMBLE(what, defaults, all) \
do { \
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
} while (0)
- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
+ ASSEMBLE(ciphers, def_cipher, all_cipher);
+ ASSEMBLE(macs, def_mac, all_mac);
+ ASSEMBLE(kex_algorithms, def_kex, all_kex);
+ ASSEMBLE(hostkeyalgorithms, def_key, all_key);
+ ASSEMBLE(hostbased_key_types, def_key, all_key);
+ ASSEMBLE(pubkey_key_types, def_key, all_key);
+ ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
#undef ASSEMBLE
free(all_cipher);
free(all_mac);
free(all_kex);
free(all_key);
free(all_sig);
+ free(def_cipher);
+ free(def_mac);
+ free(def_kex);
+ free(def_key);
+ free(def_sig);
}
static void
@@ -2590,8 +2602,8 @@ dump_config(ServerOptions *o)
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
dump_cfg_string(sXAuthLocation, o->xauth_location);
- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
+ dump_cfg_string(sCiphers, o->ciphers);
+ dump_cfg_string(sMacs, o->macs);
dump_cfg_string(sBanner, o->banner);
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2607,16 +2619,11 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
- dump_cfg_string(sKexAlgorithms,
- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
- dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms ?
- o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
- dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
- o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
- dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
- o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
- dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
- o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms);
+ dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);
+ dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types);
+ dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);
+ dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types);
dump_cfg_string(sRDomain, o->routing_domain);
/* string arguments requiring a lookup */
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 4a690eda58c..13b3c0753ee 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.315 2020/01/21 05:56:27 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.316 2020/01/23 02:46:49 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -114,7 +114,7 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
for (i = 0; i < options.num_system_hostfiles; i++)
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+ oavail = avail = xstrdup(kex_default_pk_alg());
maxlen = strlen(avail) + 1;
first = xmalloc(maxlen);
last = xmalloc(maxlen);
@@ -176,14 +176,14 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
if (options.hostkeyalgorithms != NULL) {
all_key = sshkey_alg_list(0, 0, 1, ',');
if (kex_assemble_names(&options.hostkeyalgorithms,
- KEX_DEFAULT_PK_ALG, all_key) != 0)
+ kex_default_pk_alg(), all_key) != 0)
fatal("%s: kex_assemble_namelist", __func__);
free(all_key);
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(options.hostkeyalgorithms);
} else {
/* Enforce default */
- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
+ options.hostkeyalgorithms = xstrdup(kex_default_pk_alg());
/* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(