[openssh-commits] [openssh] 01/04: upstream: Remove unsupported algorithms from list of defaults at run

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Jan 23 15:49:22 AEDT 2020


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit c4b3a128954ee1b7fbcbda167baf8aca1a3d1c84
Author: dtucker at openbsd.org <dtucker at openbsd.org>
Date:   Thu Jan 23 02:46:49 2020 +0000

    upstream: Remove unsupported algorithms from list of defaults at run
    
    time and remove ifdef and distinct settings for OPENSSL=no case.
    
    This will make things much simpler for -portable where the exact set
    of algos depends on the configuration of both OpenSSH and the libcrypto
    it's linked against (if any).  ok djm@
    
    OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
---
 clientloop.c  |   5 +--
 myproposal.h  | 138 ++++++++++------------------------------------------------
 readconf.c    |  53 ++++++++++++++--------
 readconf.h    |   3 +-
 servconf.c    |  47 +++++++++++---------
 sshconnect2.c |   8 ++--
 6 files changed, 92 insertions(+), 162 deletions(-)

diff --git a/clientloop.c b/clientloop.c
index 8f0332df..4acf2806 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.330 2019/12/21 02:19:13 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.331 2020/01/23 02:46:49 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -2046,8 +2046,7 @@ static int
 key_accepted_by_hostkeyalgs(const struct sshkey *key)
 {
 	const char *ktype = sshkey_ssh_name(key);
-	const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
-	    options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
+	const char *hostkeyalgs = options.hostkeyalgorithms;
 
 	if (key == NULL || key->type == KEY_UNSPEC)
 		return 0;
diff --git a/myproposal.h b/myproposal.h
index 145704f4..dd2499d6 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.65 2020/01/22 04:58:23 tedu Exp $ */
+/* $OpenBSD: myproposal.h,v 1.66 2020/01/23 02:46:49 dtucker Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -24,110 +24,47 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#ifdef WITH_OPENSSL
-#include <openssl/opensslv.h>
-#endif
-
-/* conditional algorithm support */
-
-#ifdef OPENSSL_HAS_ECC
-# ifdef OPENSSL_HAS_NISTP521
-#  define KEX_ECDH_METHODS \
+#define KEX_SERVER_KEX	\
+	"curve25519-sha256," \
+	"curve25519-sha256 at libssh.org," \
 	"ecdh-sha2-nistp256," \
 	"ecdh-sha2-nistp384," \
-	"ecdh-sha2-nistp521,"
-#  define HOSTKEY_ECDSA_CERT_METHODS \
-	"ecdsa-sha2-nistp256-cert-v01 at openssh.com," \
-	"ecdsa-sha2-nistp384-cert-v01 at openssh.com," \
-	"ecdsa-sha2-nistp521-cert-v01 at openssh.com," \
-	"sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,"
-#  define HOSTKEY_ECDSA_METHODS \
-	"ecdsa-sha2-nistp256," \
-	"ecdsa-sha2-nistp384," \
-	"ecdsa-sha2-nistp521," \
-	"sk-ecdsa-sha2-nistp256 at openssh.com,"
-# else /* OPENSSL_HAS_NISTP521 */
-#  define KEX_ECDH_METHODS \
-	"ecdh-sha2-nistp256," \
-	"ecdh-sha2-nistp384,"
-#  define HOSTKEY_ECDSA_CERT_METHODS \
-	"ecdsa-sha2-nistp256-cert-v01 at openssh.com," \
-	"ecdsa-sha2-nistp384-cert-v01 at openssh.com," \
-	"sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,"
-#  define HOSTKEY_ECDSA_METHODS \
-	"ecdsa-sha2-nistp256," \
-	"ecdsa-sha2-nistp384," \
-	"sk-ecdsa-sha2-nistp256 at openssh.com,"
-# endif /* OPENSSL_HAS_NISTP521 */
-#else /* OPENSSL_HAS_ECC */
-# define KEX_ECDH_METHODS
-# define HOSTKEY_ECDSA_CERT_METHODS
-# define HOSTKEY_ECDSA_METHODS
-#endif /* OPENSSL_HAS_ECC */
-
-#ifdef OPENSSL_HAVE_EVPGCM
-# define AESGCM_CIPHER_MODES \
-	",aes128-gcm at openssh.com,aes256-gcm at openssh.com"
-#else
-# define AESGCM_CIPHER_MODES
-#endif
-
-#ifdef HAVE_EVP_SHA256
-# define KEX_SHA2_METHODS \
+	"ecdh-sha2-nistp521," \
 	"diffie-hellman-group-exchange-sha256," \
 	"diffie-hellman-group16-sha512," \
-	"diffie-hellman-group18-sha512,"
-# define KEX_SHA2_GROUP14 \
-	"diffie-hellman-group14-sha256,"
-#define	SHA2_HMAC_MODES \
-	"hmac-sha2-256," \
-	"hmac-sha2-512,"
-#else
-# define KEX_SHA2_METHODS
-# define KEX_SHA2_GROUP14
-# define SHA2_HMAC_MODES
-#endif
-
-#ifdef WITH_OPENSSL
-# ifdef HAVE_EVP_SHA256
-#  define KEX_CURVE25519_METHODS \
-	"curve25519-sha256," \
-	"curve25519-sha256 at libssh.org,"
-# else
-#  define KEX_CURVE25519_METHODS ""
-# endif
-#define KEX_SERVER_KEX \
-	KEX_CURVE25519_METHODS \
-	KEX_ECDH_METHODS \
-	KEX_SHA2_METHODS \
-	KEX_SHA2_GROUP14
+	"diffie-hellman-group18-sha512," \
+	"diffie-hellman-group14-sha256"
 
 #define KEX_CLIENT_KEX KEX_SERVER_KEX
 
 #define	KEX_DEFAULT_PK_ALG	\
-	HOSTKEY_ECDSA_CERT_METHODS \
+	"ecdsa-sha2-nistp256-cert-v01 at openssh.com," \
+	"ecdsa-sha2-nistp384-cert-v01 at openssh.com," \
+	"ecdsa-sha2-nistp521-cert-v01 at openssh.com," \
+	"sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com," \
 	"ssh-ed25519-cert-v01 at openssh.com," \
 	"sk-ssh-ed25519-cert-v01 at openssh.com," \
 	"rsa-sha2-512-cert-v01 at openssh.com," \
 	"rsa-sha2-256-cert-v01 at openssh.com," \
 	"ssh-rsa-cert-v01 at openssh.com," \
-	HOSTKEY_ECDSA_METHODS \
+	"ecdsa-sha2-nistp256," \
+	"ecdsa-sha2-nistp384," \
+	"ecdsa-sha2-nistp521," \
+	"sk-ecdsa-sha2-nistp256 at openssh.com," \
 	"ssh-ed25519," \
 	"sk-ssh-ed25519 at openssh.com," \
 	"rsa-sha2-512," \
 	"rsa-sha2-256," \
 	"ssh-rsa"
 
-/* the actual algorithms */
-
-#define KEX_SERVER_ENCRYPT \
+#define	KEX_SERVER_ENCRYPT \
 	"chacha20-poly1305 at openssh.com," \
-	"aes128-ctr,aes192-ctr,aes256-ctr" \
-	AESGCM_CIPHER_MODES
+	"aes128-ctr,aes192-ctr,aes256-ctr," \
+	"aes128-gcm at openssh.com,aes256-gcm at openssh.com"
 
 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
 
-#define KEX_SERVER_MAC \
+#define	KEX_SERVER_MAC \
 	"umac-64-etm at openssh.com," \
 	"umac-128-etm at openssh.com," \
 	"hmac-sha2-256-etm at openssh.com," \
@@ -143,44 +80,16 @@
 
 /* Not a KEX value, but here so all the algorithm defaults are together */
 #define	SSH_ALLOWED_CA_SIGALGS	\
-	HOSTKEY_ECDSA_METHODS \
+	"ecdsa-sha2-nistp256," \
+	"ecdsa-sha2-nistp384," \
+	"ecdsa-sha2-nistp521," \
+	"sk-ecdsa-sha2-nistp256 at openssh.com," \
 	"ssh-ed25519," \
 	"sk-ssh-ed25519 at openssh.com," \
 	"rsa-sha2-512," \
 	"rsa-sha2-256," \
 	"ssh-rsa"
 
-#else /* WITH_OPENSSL */
-
-#define KEX_SERVER_KEX		\
-	"curve25519-sha256," \
-	"curve25519-sha256 at libssh.org"
-#define	KEX_DEFAULT_PK_ALG	\
-	"ssh-ed25519-cert-v01 at openssh.com," \
-	"ssh-ed25519"
-#define	KEX_SERVER_ENCRYPT \
-	"chacha20-poly1305 at openssh.com," \
-	"aes128-ctr,aes192-ctr,aes256-ctr"
-#define	KEX_SERVER_MAC \
-	"umac-64-etm at openssh.com," \
-	"umac-128-etm at openssh.com," \
-	"hmac-sha2-256-etm at openssh.com," \
-	"hmac-sha2-512-etm at openssh.com," \
-	"hmac-sha1-etm at openssh.com," \
-	"umac-64 at openssh.com," \
-	"umac-128 at openssh.com," \
-	"hmac-sha2-256," \
-	"hmac-sha2-512," \
-	"hmac-sha1"
-
-#define KEX_CLIENT_KEX KEX_SERVER_KEX
-#define	KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
-#define KEX_CLIENT_MAC KEX_SERVER_MAC
-
-#define	SSH_ALLOWED_CA_SIGALGS	"ssh-ed25519,sk-ssh-ed25519 at openssh.com"
-
-#endif /* WITH_OPENSSL */
-
 #define	KEX_DEFAULT_COMP	"none,zlib at openssh.com"
 #define	KEX_DEFAULT_LANG	""
 
@@ -207,4 +116,3 @@
 	KEX_DEFAULT_COMP, \
 	KEX_DEFAULT_LANG, \
 	KEX_DEFAULT_LANG
-
diff --git a/readconf.c b/readconf.c
index cb3ae6dc..ff551c85 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.319 2019/12/21 02:19:13 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.320 2020/01/23 02:46:49 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -314,6 +314,16 @@ static struct {
 	{ NULL, oBadOption }
 };
 
+static char *kex_default_pk_alg_filtered;
+
+const char *
+kex_default_pk_alg(void)
+{
+	if (kex_default_pk_alg_filtered == NULL)
+		fatal("kex_default_pk_alg not initialized.");
+	return kex_default_pk_alg_filtered;
+}
+
 /*
  * Adds a local TCP/IP port forward to options.  Never returns if there is an
  * error.
@@ -2003,6 +2013,7 @@ void
 fill_default_options(Options * options)
 {
 	char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
+	char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
 	int r;
 
 	if (options->forward_agent == -1)
@@ -2167,24 +2178,35 @@ fill_default_options(Options * options)
 	all_kex = kex_alg_list(',');
 	all_key = sshkey_alg_list(0, 0, 1, ',');
 	all_sig = sshkey_alg_list(0, 1, 1, ',');
+	/* remove unsupported algos from default lists */
+	def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
+	def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
+	def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
+	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
 #define ASSEMBLE(what, defaults, all) \
 	do { \
 		if ((r = kex_assemble_names(&options->what, \
 		    defaults, all)) != 0) \
 			fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
 	} while (0)
-	ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
-	ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
-	ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
-	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
-	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
-	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
+	ASSEMBLE(ciphers, def_cipher, all_cipher);
+	ASSEMBLE(macs, def_mac, all_mac);
+	ASSEMBLE(kex_algorithms, def_kex, all_kex);
+	ASSEMBLE(hostbased_key_types, def_key, all_key);
+	ASSEMBLE(pubkey_key_types, def_key, all_key);
+	ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
 #undef ASSEMBLE
 	free(all_cipher);
 	free(all_mac);
 	free(all_kex);
 	free(all_key);
 	free(all_sig);
+	free(def_cipher);
+	free(def_mac);
+	free(def_kex);
+	kex_default_pk_alg_filtered = def_key; /* save for later use */
+	free(def_sig);
 
 #define CLEAR_ON_NONE(v) \
 	do { \
@@ -2634,14 +2656,7 @@ void
 dump_client_config(Options *o, const char *host)
 {
 	int i;
-	char buf[8], *all_key;
-
-	/* This is normally prepared in ssh_kex2 */
-	all_key = sshkey_alg_list(0, 0, 1, ',');
-	if (kex_assemble_names( &o->hostkeyalgorithms,
-	    KEX_DEFAULT_PK_ALG, all_key) != 0)
-		fatal("%s: kex_assemble_names failed", __func__);
-	free(all_key);
+	char buf[8];
 
 	/* Most interesting options first: user, host, port */
 	dump_cfg_string(oUser, o->user);
@@ -2698,7 +2713,7 @@ dump_client_config(Options *o, const char *host)
 	/* String options */
 	dump_cfg_string(oBindAddress, o->bind_address);
 	dump_cfg_string(oBindInterface, o->bind_interface);
-	dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
+	dump_cfg_string(oCiphers, o->ciphers);
 	dump_cfg_string(oControlPath, o->control_path);
 	dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
 	dump_cfg_string(oHostKeyAlias, o->host_key_alias);
@@ -2706,12 +2721,12 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_string(oIdentityAgent, o->identity_agent);
 	dump_cfg_string(oIgnoreUnknown, o->ignored_unknown);
 	dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
-	dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX);
-	dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
+	dump_cfg_string(oKexAlgorithms, o->kex_algorithms);
+	dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms);
 	dump_cfg_string(oLocalCommand, o->local_command);
 	dump_cfg_string(oRemoteCommand, o->remote_command);
 	dump_cfg_string(oLogLevel, log_level_name(o->log_level));
-	dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);
+	dump_cfg_string(oMacs, o->macs);
 #ifdef ENABLE_PKCS11
 	dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
 #endif
diff --git a/readconf.h b/readconf.h
index dcecfc54..feedb3d2 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.131 2019/12/21 02:19:13 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.132 2020/01/23 02:46:49 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -199,6 +199,7 @@ typedef struct {
 #define SSH_STRICT_HOSTKEY_YES	2
 #define SSH_STRICT_HOSTKEY_ASK	3
 
+const char *kex_default_pk_alg(void);
 void     initialize_options(Options *);
 void     fill_default_options(Options *);
 void	 fill_default_options_for_canonicalization(Options *);
diff --git a/servconf.c b/servconf.c
index 09e9df8b..1a4c4990 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.357 2019/12/15 20:59:23 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.358 2020/01/23 02:46:49 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -195,6 +195,7 @@ static void
 assemble_algorithms(ServerOptions *o)
 {
 	char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
+	char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
 	int r;
 
 	all_cipher = cipher_alg_list(',', 0);
@@ -202,24 +203,35 @@ assemble_algorithms(ServerOptions *o)
 	all_kex = kex_alg_list(',');
 	all_key = sshkey_alg_list(0, 0, 1, ',');
 	all_sig = sshkey_alg_list(0, 1, 1, ',');
+	/* remove unsupported algos from default lists */
+	def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
+	def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
+	def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
+	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
 #define ASSEMBLE(what, defaults, all) \
 	do { \
 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
 			fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
 	} while (0)
-	ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
-	ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
-	ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
-	ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
-	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
-	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
-	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
+	ASSEMBLE(ciphers, def_cipher, all_cipher);
+	ASSEMBLE(macs, def_mac, all_mac);
+	ASSEMBLE(kex_algorithms, def_kex, all_kex);
+	ASSEMBLE(hostkeyalgorithms, def_key, all_key);
+	ASSEMBLE(hostbased_key_types, def_key, all_key);
+	ASSEMBLE(pubkey_key_types, def_key, all_key);
+	ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
 #undef ASSEMBLE
 	free(all_cipher);
 	free(all_mac);
 	free(all_kex);
 	free(all_key);
 	free(all_sig);
+	free(def_cipher);
+	free(def_mac);
+	free(def_kex);
+	free(def_key);
+	free(def_sig);
 }
 
 static void
@@ -2660,8 +2672,8 @@ dump_config(ServerOptions *o)
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
 	dump_cfg_string(sXAuthLocation, o->xauth_location);
-	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
-	dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
+	dump_cfg_string(sCiphers, o->ciphers);
+	dump_cfg_string(sMacs, o->macs);
 	dump_cfg_string(sBanner, o->banner);
 	dump_cfg_string(sForceCommand, o->adm_forced_command);
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2677,16 +2689,11 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
 	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
-	dump_cfg_string(sKexAlgorithms,
-	    o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
-	dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms ?
-	    o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS);
-	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
-	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
-	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
-	    o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
-	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
-	    o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
+	dump_cfg_string(sKexAlgorithms, o->kex_algorithms);
+	dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);
+	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types);
+	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);
+	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types);
 	dump_cfg_string(sRDomain, o->routing_domain);
 
 	/* string arguments requiring a lookup */
diff --git a/sshconnect2.c b/sshconnect2.c
index 6f9ee42c..7f52cc55 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.315 2020/01/21 05:56:27 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.316 2020/01/23 02:46:49 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -119,7 +119,7 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
 	for (i = 0; i < options.num_system_hostfiles; i++)
 		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
 
-	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+	oavail = avail = xstrdup(kex_default_pk_alg());
 	maxlen = strlen(avail) + 1;
 	first = xmalloc(maxlen);
 	last = xmalloc(maxlen);
@@ -181,14 +181,14 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
 	if (options.hostkeyalgorithms != NULL) {
 		all_key = sshkey_alg_list(0, 0, 1, ',');
 		if (kex_assemble_names(&options.hostkeyalgorithms,
-		    KEX_DEFAULT_PK_ALG, all_key) != 0)
+		    kex_default_pk_alg(), all_key) != 0)
 			fatal("%s: kex_assemble_namelist", __func__);
 		free(all_key);
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    compat_pkalg_proposal(options.hostkeyalgorithms);
 	} else {
 		/* Enforce default */
-		options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
+		options.hostkeyalgorithms = xstrdup(kex_default_pk_alg());
 		/* Prefer algorithms that we already have keys for */
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    compat_pkalg_proposal(

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list