dropbear: svr-runopts.c comparison

comparison svr-runopts.c @ 1603:0dc3103a5900

Only advertise a single server ecdsa key when -R (generate as required) is specified. Fixes -R now that default ecdsa key size has changed.

author	Matt Johnston <matt@ucc.asn.au>
date	Thu, 08 Mar 2018 22:25:33 +0800
parents	61a793b6e471
children	76189c9ffea2

comparison

equal deleted inserted replaced

-:0f149d63068d
+:0dc3103a5900
 }
 void load_all_hostkeys() {
 	int i;
-	int disable_unset_keys = 1;
 	int any_keys = 0;
+#ifdef DROPBEAR_ECDSA
+	int loaded_any_ecdsa = 0;
+#endif
 	svr_opts.hostkey = new_sign_key();
 	for (i = 0; i < svr_opts.num_hostkey_files; i++) {
 		char *hostkey_file = svr_opts.hostkey_files[i];
 #if DROPBEAR_ECDSA
 		loadhostkey(ECDSA_PRIV_FILENAME, 0);
 #endif
 	}
-#if DROPBEAR_DELAY_HOSTKEY
-	if (svr_opts.delay_hostkey) {
-		disable_unset_keys = 0;
-	}
-#endif
 #if DROPBEAR_RSA
-	if (disable_unset_keys && !svr_opts.hostkey->rsakey) {
+	if (!svr_opts.delay_hostkey && !svr_opts.hostkey->rsakey) {
 		disablekey(DROPBEAR_SIGNKEY_RSA);
 	} else {
 		any_keys = 1;
 	}
 #endif
 #if DROPBEAR_DSS
-	if (disable_unset_keys && !svr_opts.hostkey->dsskey) {
+	if (!svr_opts.delay_hostkey && !svr_opts.hostkey->dsskey) {
 		disablekey(DROPBEAR_SIGNKEY_DSS);
 	} else {
 		any_keys = 1;
 	}
 #endif
 #if DROPBEAR_ECDSA
+	/* We want to advertise a single ecdsa algorithm size.
+	- If there is a ecdsa hostkey at startup we choose that that size.
+	- If we generate at runtime we choose the default ecdsa size.
+	- Otherwise no ecdsa keys will be advertised */
+	/* check if any keys were loaded at startup */
+	loaded_any_ecdsa =
+		0
 #if DROPBEAR_ECC_256
-	if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 256)
+		|| svr_opts.hostkey->ecckey256
-		&& !svr_opts.hostkey->ecckey256) {
+#endif
+#if DROPBEAR_ECC_384
+		|| svr_opts.hostkey->ecckey384
+#endif
+#if DROPBEAR_ECC_521
+		|| svr_opts.hostkey->ecckey521
+#endif
+		;
+	any_keys |= loaded_any_ecdsa;
+	/* Or an ecdsa key could be generated at runtime */
+	any_keys |= svr_opts.delay_hostkey;
+	/* At most one ecdsa key size will be left enabled */
+#if DROPBEAR_ECC_256
+	if (!svr_opts.hostkey->ecckey256
+		&& (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 256 )) {
 		disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256);
-	} else {
+	}
-		any_keys = 1;
+#endif
-	}
-#endif
 #if DROPBEAR_ECC_384
-	if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 384)
+	if (!svr_opts.hostkey->ecckey384
-		&& !svr_opts.hostkey->ecckey384) {
+		&& (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 384 )) {
 		disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384);
-	} else {
+	}
-		any_keys = 1;
+#endif
-	}
-#endif
 #if DROPBEAR_ECC_521
-	if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 521)
+	if (!svr_opts.hostkey->ecckey521
-		&& !svr_opts.hostkey->ecckey521) {
+		&& (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 521 )) {
 		disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521);
-	} else {
-		any_keys = 1;
 	}
 #endif
 #endif /* DROPBEAR_ECDSA */
 	if (!any_keys) {

Mercurial > dropbear

comparison svr-runopts.c @ 1603:0dc3103a5900