authorDamien Miller <djm@mindrot.org>2013-12-31 12:25:40 +1100
committerDamien Miller <djm@mindrot.org>2013-12-31 12:25:40 +1100
commit324541e5264e1489ca0babfaf2b39612eb80dfb3 (patch)
tree3adbfd162c3704e6aeb36f30ca09e4c04fbd25e2 /compat.c
parent9f4c8e797ea002a883307ca906f1f1f815010e78 (diff)
- djm@cvs.openbsd.org 2013/12/30 23:52:28
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c] [sshconnect.c sshconnect2.c sshd.c] refuse RSA keys from old proprietary clients/servers that use the obsolete RSA+MD5 signature scheme. it will still be possible to connect with these clients/servers but only DSA keys will be accepted, and we'll deprecate them entirely in a future release. ok markus@
Diffstat (limited to 'compat.c')
-rw-r--r--compat.c61
1 files changed, 44 insertions, 17 deletions
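diff --git a/compat.c b/compat.c
index ac353a706..9d9fabef3 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.81 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.82 2013/12/30 23:52:27 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
  *
@@ -171,8 +171,9 @@ compat_datafellows(const char *version)
  for (i = 0; check[i].pat; i++) {
  if (match_pattern_list(version, check[i].pat,
  strlen(check[i].pat), 0) == 1) {
- debug("match: %s pat %s", version, check[i].pat);
  datafellows = check[i].bugs;
+ debug("match: %s pat %s compat 0x%08x",
+ version, check[i].pat, datafellows);
  return;
  }
  }
@@ -208,33 +209,59 @@ proto_spec(const char *spec)
  return ret;
 }
 
-char *
-compat_cipher_proposal(char *cipher_prop)
+/*
+ * Filters a proposal string, excluding any algorithm matching the 'filter'
+ * pattern list.
+ */
+static char *
+filter_proposal(char *proposal, const char *filter)
 {
  Buffer b;
- char *orig_prop, *fix_ciphers;
+ char *orig_prop, *fix_prop;
  char *cp, *tmp;
 
- if (!(datafellows & SSH_BUG_BIGENDIANAES))
- return(cipher_prop);
-
  buffer_init(&b);
- tmp = orig_prop = xstrdup(cipher_prop);
+ tmp = orig_prop = xstrdup(proposal);
  while ((cp = strsep(&tmp, ",")) != NULL) {
- if (strncmp(cp, "aes", 3) != 0) {
+ if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) {
  if (buffer_len(&b) > 0)
  buffer_append(&b, ",", 1);
  buffer_append(&b, cp, strlen(cp));
- }
+ } else
+ debug2("Compat: skipping algorithm \"%s\"", cp);
  }
  buffer_append(&b, "\0", 1);
- fix_ciphers = xstrdup(buffer_ptr(&b));
+ fix_prop = xstrdup(buffer_ptr(&b));
  buffer_free(&b);
  free(orig_prop);
- debug2("Original cipher proposal: %s", cipher_prop);
- debug2("Compat cipher proposal: %s", fix_ciphers);
- if (!*fix_ciphers)
- fatal("No available ciphers found.");
 
- return(fix_ciphers);
+ return fix_prop;
 }
+
+char *
+compat_cipher_proposal(char *cipher_prop)
+{
+ if (!(datafellows & SSH_BUG_BIGENDIANAES))
+ return cipher_prop;
+ debug2("%s: original cipher proposal: %s", __func__, cipher_prop);
+ cipher_prop = filter_proposal(cipher_prop, "aes*");
+ debug2("%s: compat cipher proposal: %s", __func__, cipher_prop);
+ if (*cipher_prop == '\0')
+ fatal("No supported ciphers found");
+ return cipher_prop;
+}
+
+
+char *
+compat_pkalg_proposal(char *pkalg_prop)
+{
+ if (!(datafellows & SSH_BUG_RSASIGMD5))
+ return pkalg_prop;
+ debug2("%s: original public key proposal: %s", __func__, pkalg_prop);
+ pkalg_prop = filter_proposal(pkalg_prop, "ssh-rsa");
+ debug2("%s: compat public key proposal: %s", __func__, pkalg_prop);
+ if (*pkalg_prop == '\0')
+ fatal("No supported PK algorithms found");
+ return pkalg_prop;
+}
+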
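Review bot: In the new filter_proposal(), `match_pattern_list(cp, filter, strlen(cp), 0)` passes the length of the candidate algorithm name, whereas the call in compat_datafellows() in this same file passes the length of the pattern (`strlen(check[i].pat)`). If the third argument is the pattern-list length, as that other call suggests, a name longer than the filter would let the matcher read past the end of the `"aes*"` or `"ssh-rsa"` literal, and a shorter name would truncate the pattern. Either way the filter meant to withhold `ssh-rsa` from RSA+MD5 peers could decide wrongly. The line should read `if (match_pattern_list(cp, filter, strlen(filter), 0) != 1) {`. The comment above filter_proposal() could also say that the returned string is a fresh allocation, since compat_cipher_proposal() and compat_pkalg_proposal() hand back either the caller's own pointer or this copy and the caller cannot tell which.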