comparison svr-runopts.c @ 1603:0dc3103a5900

Only advertise a single server ecdsa key when -R (generate as required) is specified. Fixes -R now that the default ecdsa key size has changed.
author Matt Johnston <matt@ucc.asn.au>
date Thu, 08 Mar 2018 22:25:33 +0800
parents 61a793b6e471
children 76189c9ffea2
1602:0f149d63068d 1603:0dc3103a5900
524 } 524 }
525 525
526 526
527 void load_all_hostkeys() { 527 void load_all_hostkeys() {
528 int i; 528 int i;
529 int disable_unset_keys = 1;
530 int any_keys = 0; 529 int any_keys = 0;
530 #ifdef DROPBEAR_ECDSA
531 int loaded_any_ecdsa = 0;
532 #endif
531 533
532 svr_opts.hostkey = new_sign_key(); 534 svr_opts.hostkey = new_sign_key();
533 535
534 for (i = 0; i < svr_opts.num_hostkey_files; i++) { 536 for (i = 0; i < svr_opts.num_hostkey_files; i++) {
535 char *hostkey_file = svr_opts.hostkey_files[i]; 537 char *hostkey_file = svr_opts.hostkey_files[i];
550 #if DROPBEAR_ECDSA 552 #if DROPBEAR_ECDSA
551 loadhostkey(ECDSA_PRIV_FILENAME, 0); 553 loadhostkey(ECDSA_PRIV_FILENAME, 0);
552 #endif 554 #endif
553 } 555 }
554 556
555 #if DROPBEAR_DELAY_HOSTKEY
556 if (svr_opts.delay_hostkey) {
557 disable_unset_keys = 0;
558 }
559 #endif
560
561 #if DROPBEAR_RSA 557 #if DROPBEAR_RSA
562 if (disable_unset_keys && !svr_opts.hostkey->rsakey) { 558 if (!svr_opts.delay_hostkey && !svr_opts.hostkey->rsakey) {
563 disablekey(DROPBEAR_SIGNKEY_RSA); 559 disablekey(DROPBEAR_SIGNKEY_RSA);
564 } else { 560 } else {
565 any_keys = 1; 561 any_keys = 1;
566 } 562 }
567 #endif 563 #endif
568 564
569 #if DROPBEAR_DSS 565 #if DROPBEAR_DSS
570 if (disable_unset_keys && !svr_opts.hostkey->dsskey) { 566 if (!svr_opts.delay_hostkey && !svr_opts.hostkey->dsskey) {
571 disablekey(DROPBEAR_SIGNKEY_DSS); 567 disablekey(DROPBEAR_SIGNKEY_DSS);
572 } else { 568 } else {
573 any_keys = 1; 569 any_keys = 1;
574 } 570 }
575 #endif 571 #endif
576 572
577
578 #if DROPBEAR_ECDSA 573 #if DROPBEAR_ECDSA
574 /* We want to advertise a single ecdsa algorithm size.
575 - If there is a ecdsa hostkey at startup we choose that that size.
576 - If we generate at runtime we choose the default ecdsa size.
577 - Otherwise no ecdsa keys will be advertised */
578
579 /* check if any keys were loaded at startup */
580 loaded_any_ecdsa =
581 0
579 #if DROPBEAR_ECC_256 582 #if DROPBEAR_ECC_256
580 if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 256) 583 || svr_opts.hostkey->ecckey256
581 && !svr_opts.hostkey->ecckey256) { 584 #endif
585 #if DROPBEAR_ECC_384
586 || svr_opts.hostkey->ecckey384
587 #endif
588 #if DROPBEAR_ECC_521
589 || svr_opts.hostkey->ecckey521
590 #endif
591 ;
592 any_keys |= loaded_any_ecdsa;
593
594 /* Or an ecdsa key could be generated at runtime */
595 any_keys |= svr_opts.delay_hostkey;
596
597 /* At most one ecdsa key size will be left enabled */
598 #if DROPBEAR_ECC_256
599 if (!svr_opts.hostkey->ecckey256
600 && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 256 )) {
582 disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256); 601 disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256);
583 } else { 602 }
584 any_keys = 1; 603 #endif
585 }
586 #endif
587
588 #if DROPBEAR_ECC_384 604 #if DROPBEAR_ECC_384
589 if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 384) 605 if (!svr_opts.hostkey->ecckey384
590 && !svr_opts.hostkey->ecckey384) { 606 && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 384 )) {
591 disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384); 607 disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384);
592 } else { 608 }
593 any_keys = 1; 609 #endif
594 }
595 #endif
596
597 #if DROPBEAR_ECC_521 610 #if DROPBEAR_ECC_521
598 if ((disable_unset_keys || ECDSA_DEFAULT_SIZE != 521) 611 if (!svr_opts.hostkey->ecckey521
599 && !svr_opts.hostkey->ecckey521) { 612 && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 521 )) {
600 disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521); 613 disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521);
601 } else {
602 any_keys = 1;
603 } 614 }
604 #endif 615 #endif
605 #endif /* DROPBEAR_ECDSA */ 616 #endif /* DROPBEAR_ECDSA */
606 617
607 if (!any_keys) { 618 if (!any_keys) {