diff options
author | Damien Miller <djm@mindrot.org> | 2013-12-31 12:25:40 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2013-12-31 12:25:40 +1100 |
commit | 324541e5264e1489ca0babfaf2b39612eb80dfb3 (patch) | |
tree | 3adbfd162c3704e6aeb36f30ca09e4c04fbd25e2 /compat.c | |
parent | 9f4c8e797ea002a883307ca906f1f1f815010e78 (diff) |
- djm@cvs.openbsd.org 2013/12/30 23:52:28
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
refuse RSA keys from old proprietary clients/servers that use the
obsolete RSA+MD5 signature scheme. it will still be possible to connect
with these clients/servers but only DSA keys will be accepted, and we'll
deprecate them entirely in a future release. ok markus@
Diffstat (limited to 'compat.c')
-rw-r--r-- | compat.c | 61 |
1 files changed, 44 insertions, 17 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: compat.c,v 1.81 2013/05/17 00:13:13 djm Exp $ */ | 1 | /* $OpenBSD: compat.c,v 1.82 2013/12/30 23:52:27 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -171,8 +171,9 @@ compat_datafellows(const char *version) | |||
171 | for (i = 0; check[i].pat; i++) { | 171 | for (i = 0; check[i].pat; i++) { |
172 | if (match_pattern_list(version, check[i].pat, | 172 | if (match_pattern_list(version, check[i].pat, |
173 | strlen(check[i].pat), 0) == 1) { | 173 | strlen(check[i].pat), 0) == 1) { |
174 | debug("match: %s pat %s", version, check[i].pat); | ||
175 | datafellows = check[i].bugs; | 174 | datafellows = check[i].bugs; |
175 | debug("match: %s pat %s compat 0x%08x", | ||
176 | version, check[i].pat, datafellows); | ||
176 | return; | 177 | return; |
177 | } | 178 | } |
178 | } | 179 | } |
@@ -208,33 +209,59 @@ proto_spec(const char *spec) | |||
208 | return ret; | 209 | return ret; |
209 | } | 210 | } |
210 | 211 | ||
211 | char * | 212 | /* |
212 | compat_cipher_proposal(char *cipher_prop) | 213 | * Filters a proposal string, excluding any algorithm matching the 'filter' |
214 | * pattern list. | ||
215 | */ | ||
216 | static char * | ||
217 | filter_proposal(char *proposal, const char *filter) | ||
213 | { | 218 | { |
214 | Buffer b; | 219 | Buffer b; |
215 | char *orig_prop, *fix_ciphers; | 220 | char *orig_prop, *fix_prop; |
216 | char *cp, *tmp; | 221 | char *cp, *tmp; |
217 | 222 | ||
218 | if (!(datafellows & SSH_BUG_BIGENDIANAES)) | ||
219 | return(cipher_prop); | ||
220 | |||
221 | buffer_init(&b); | 223 | buffer_init(&b); |
222 | tmp = orig_prop = xstrdup(cipher_prop); | 224 | tmp = orig_prop = xstrdup(proposal); |
223 | while ((cp = strsep(&tmp, ",")) != NULL) { | 225 | while ((cp = strsep(&tmp, ",")) != NULL) { |
224 | if (strncmp(cp, "aes", 3) != 0) { | 226 | if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) { |
225 | if (buffer_len(&b) > 0) | 227 | if (buffer_len(&b) > 0) |
226 | buffer_append(&b, ",", 1); | 228 | buffer_append(&b, ",", 1); |
227 | buffer_append(&b, cp, strlen(cp)); | 229 | buffer_append(&b, cp, strlen(cp)); |
228 | } | 230 | } else |
231 | debug2("Compat: skipping algorithm \"%s\"", cp); | ||
229 | } | 232 | } |
230 | buffer_append(&b, "\0", 1); | 233 | buffer_append(&b, "\0", 1); |
231 | fix_ciphers = xstrdup(buffer_ptr(&b)); | 234 | fix_prop = xstrdup(buffer_ptr(&b)); |
232 | buffer_free(&b); | 235 | buffer_free(&b); |
233 | free(orig_prop); | 236 | free(orig_prop); |
234 | debug2("Original cipher proposal: %s", cipher_prop); | ||
235 | debug2("Compat cipher proposal: %s", fix_ciphers); | ||
236 | if (!*fix_ciphers) | ||
237 | fatal("No available ciphers found."); | ||
238 | 237 | ||
239 | return(fix_ciphers); | 238 | return fix_prop; |
240 | } | 239 | } |
240 | |||
241 | char * | ||
242 | compat_cipher_proposal(char *cipher_prop) | ||
243 | { | ||
244 | if (!(datafellows & SSH_BUG_BIGENDIANAES)) | ||
245 | return cipher_prop; | ||
246 | debug2("%s: original cipher proposal: %s", __func__, cipher_prop); | ||
247 | cipher_prop = filter_proposal(cipher_prop, "aes*"); | ||
248 | debug2("%s: compat cipher proposal: %s", __func__, cipher_prop); | ||
249 | if (*cipher_prop == '\0') | ||
250 | fatal("No supported ciphers found"); | ||
251 | return cipher_prop; | ||
252 | } | ||
253 | |||
254 | |||
255 | char * | ||
256 | compat_pkalg_proposal(char *pkalg_prop) | ||
257 | { | ||
258 | if (!(datafellows & SSH_BUG_RSASIGMD5)) | ||
259 | return pkalg_prop; | ||
260 | debug2("%s: original public key proposal: %s", __func__, pkalg_prop); | ||
261 | pkalg_prop = filter_proposal(pkalg_prop, "ssh-rsa"); | ||
262 | debug2("%s: compat public key proposal: %s", __func__, pkalg_prop); | ||
263 | if (*pkalg_prop == '\0') | ||
264 | fatal("No supported PK algorithms found"); | ||
265 | return pkalg_prop; | ||
266 | } | ||
267 | |||