- djm@cvs.openbsd.org 2010/09/22 05:01:30

[kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h] [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5] add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference. ok markus@
author: Damien Miller <djm@mindrot.org> 2010-09-24 22:11:14 +1000
committer: Damien Miller <djm@mindrot.org> 2010-09-24 22:11:14 +1000
commit: d5f62bf280b0798d7009d4424594a648a4e887fb (patch)
tree: 5f18078ea61f6c5503dc4addfb2f17d13844692c /kex.c
parent: 603134e077e667b4819effb0e121803842df621f (diff)
1 files changed, 29 insertions, 1 deletions
diff --git a/kex.c b/kex.c
index 7c8763191..c65e28f94 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.85 2010/09/09 10:45:45 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.86 2010/09/22 05:01:29 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
 *
@@ -62,6 +62,34 @@ extern const EVP_MD *evp_ssh_sha256(void);
 static void kex_kexinit_finish(Kex *);
 static void kex_choose_conf(Kex *);
+/* Validate KEX method name list */
+int
+kex_names_valid(const char *names)
+{
+        char *s, *cp, *p;
+        if (names == NULL || strcmp(names, "") == 0)
+                return 0;
+        s = cp = xstrdup(names);
+        for ((p = strsep(&cp, ",")); p && *p != '\0';
+            (p = strsep(&cp, ","))) {
+                if (strcmp(p, KEX_DHGEX_SHA256) != 0 &&
+                    strcmp(p, KEX_DHGEX_SHA1) != 0 &&
+                    strcmp(p, KEX_DH14) != 0 &&
+                    strcmp(p, KEX_DH1) != 0 &&
+                    (strncmp(p, KEX_ECDH_SHA2_STEM,
+                    sizeof(KEX_ECDH_SHA2_STEM) - 1) != 0 ||
+                    kex_ecdh_name_to_nid(p) == -1)) {
+                        error("Unsupported KEX algorithm \"%.100s\"", p);
+                        xfree(s);
+                        return 0;
+                }
+        }
+        debug3("kex names ok: [%s]", names);
+        xfree(s);
+        return 1;
+}
 /* put algorithm proposal into buffer */
 static void
 kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
author	Damien Miller <djm@mindrot.org>	2010-09-24 22:11:14 +1000
committer	Damien Miller <djm@mindrot.org>	2010-09-24 22:11:14 +1000
commit	d5f62bf280b0798d7009d4424594a648a4e887fb (patch)
tree	5f18078ea61f6c5503dc4addfb2f17d13844692c /kex.c
parent	603134e077e667b4819effb0e121803842df621f (diff)

diff --git a/kex.c b/kex.c index 7c8763191..c65e28f94 100644 --- a/kex.c +++ b/kex.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: kex.c,v 1.85 2010/09/09 10:45:45 djm Exp $ */	1	/* $OpenBSD: kex.c,v 1.86 2010/09/22 05:01:29 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4	*	4	*
@@ -62,6 +62,34 @@ extern const EVP_MD *evp_ssh_sha256(void);
62	static void kex_kexinit_finish(Kex *);	62	static void kex_kexinit_finish(Kex *);
63	static void kex_choose_conf(Kex *);	63	static void kex_choose_conf(Kex *);
64		64
		65	/* Validate KEX method name list */
		66	int
		67	kex_names_valid(const char *names)
		68	{
		69	char s, cp, *p;
		70
		71	if (names == NULL \|\| strcmp(names, "") == 0)
		72	return 0;
		73	s = cp = xstrdup(names);
		74	for ((p = strsep(&cp, ",")); p && *p != '\0';
		75	(p = strsep(&cp, ","))) {
		76	if (strcmp(p, KEX_DHGEX_SHA256) != 0 &&
		77	strcmp(p, KEX_DHGEX_SHA1) != 0 &&
		78	strcmp(p, KEX_DH14) != 0 &&
		79	strcmp(p, KEX_DH1) != 0 &&
		80	(strncmp(p, KEX_ECDH_SHA2_STEM,
		81	sizeof(KEX_ECDH_SHA2_STEM) - 1) != 0 \|\|
		82	kex_ecdh_name_to_nid(p) == -1)) {
		83	error("Unsupported KEX algorithm \"%.100s\"", p);
		84	xfree(s);
		85	return 0;
		86	}
		87	}
		88	debug3("kex names ok: [%s]", names);
		89	xfree(s);
		90	return 1;
		91	}
		92
65	/* put algorithm proposal into buffer */	93	/* put algorithm proposal into buffer */
66	static void	94	static void
67	kex_prop2buf(Buffer b, char proposal[PROPOSAL_MAX])	95	kex_prop2buf(Buffer b, char proposal[PROPOSAL_MAX])