diff options
| author | Matt Johnston <matt@ucc.asn.au> | 2018-03-08 22:25:33 +0800 |
|---|---|---|
| committer | Matt Johnston <matt@ucc.asn.au> | 2018-03-08 22:25:33 +0800 |
| commit | 56855744b8309f6ca672e224ce8f287b5b6ba774 (patch) | |
| tree | 09925d28900c8af2eee0526c60035915457a3d5d | |
| parent | b4b11c8155b09e4d56925d2d4336c10d802adf11 (diff) | |
Only advertise a single server ecdsa key when -R (generate as required) is
specified. Fixes -R now that default ecdsa key size has changed.
| -rw-r--r-- | svr-runopts.c | 59 |
1 files changed, 35 insertions, 24 deletions
diff --git a/svr-runopts.c b/svr-runopts.c index 2c65009..d6c78df 100644 --- a/svr-runopts.c +++ b/svr-runopts.c @@ -526,8 +526,10 @@ static void addhostkey(const char *keyfile) { void load_all_hostkeys() { int i; - int disable_unset_keys = 1; int any_keys = 0; +#ifdef DROPBEAR_ECDSA + int loaded_any_ecdsa = 0; +#endif svr_opts.hostkey = new_sign_key(); @@ -552,14 +554,8 @@ void load_all_hostkeys() { #endif } -#if DROPBEAR_DELAY_HOSTKEY - if (svr_opts.delay_hostkey) { - disable_unset_keys = 0; - } -#endif - #if DROPBEAR_RSA - if (disable_unset_keys && !svr_opts.hostkey->rsakey) { + if (!svr_opts.delay_hostkey && !svr_opts.hostkey->rsakey) { disablekey(DROPBEAR_SIGNKEY_RSA); } else { any_keys = 1; @@ -567,39 +563,54 @@ void load_all_hostkeys() { #endif #if DROPBEAR_DSS - if (disable_unset_keys && !svr_opts.hostkey->dsskey) { + if (!svr_opts.delay_hostkey && !svr_opts.hostkey->dsskey) { disablekey(DROPBEAR_SIGNKEY_DSS); } else { any_keys = 1; } #endif - #if DROPBEAR_ECDSA + /* We want to advertise a single ecdsa algorithm size. + - If there is a ecdsa hostkey at startup we choose that that size. + - If we generate at runtime we choose the default ecdsa size. + - Otherwise no ecdsa keys will be advertised */ + + /* check if any keys were loaded at startup */ + loaded_any_ecdsa = + 0 +#if DROPBEAR_ECC_256 + || svr_opts.hostkey->ecckey256 +#endif +#if DROPBEAR_ECC_384 + || svr_opts.hostkey->ecckey384 +#endif +#if DROPBEAR_ECC_521 + || svr_opts.hostkey->ecckey521 +#endif + ; + any_keys |= loaded_any_ecdsa; + + /* Or an ecdsa key could be generated at runtime */ + any_keys |= svr_opts.delay_hostkey; + + /* At most one ecdsa key size will be left enabled */ #if DROPBEAR_ECC_256 - if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 256) - && !svr_opts.hostkey->ecckey256) { + if (!svr_opts.hostkey->ecckey256 + && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 256 )) { disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256); - } else { - any_keys = 1; } #endif - #if DROPBEAR_ECC_384 - if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 384) - && !svr_opts.hostkey->ecckey384) { + if (!svr_opts.hostkey->ecckey384 + && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 384 )) { disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384); - } else { - any_keys = 1; } #endif - #if DROPBEAR_ECC_521 - if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 521) - && !svr_opts.hostkey->ecckey521) { + if (!svr_opts.hostkey->ecckey521 + && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 521 )) { disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521); - } else { - any_keys = 1; } #endif #endif /* DROPBEAR_ECDSA */ |