diff options
| author | Colin Watson <cjwatson@debian.org> | 2015-08-22 10:05:45 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2015-08-22 10:05:45 +0100 |
| commit | 58ddb8ad21f21f5358db0204c4ba9abf94a1ca11 (patch) | |
| tree | c55df1f23e6fa0fb87a96d8ec4c06a68c3a82b45 /sshconnect2.c | |
| parent | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 (diff) | |
| parent | 1dc8d93ce69d6565747eb44446ed117187621b26 (diff) | |
Import openssh_7.0p1.orig.tar.gz
Diffstat (limited to 'sshconnect2.c')
| -rw-r--r-- | sshconnect2.c | 70 |
1 files changed, 37 insertions, 33 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index fcaed6b01..775103185 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect2.c,v 1.224 2015/05/04 06:10:48 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.226 2015/07/30 00:01:34 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
| @@ -163,18 +163,12 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | |||
| 163 | xxx_host = host; | 163 | xxx_host = host; |
| 164 | xxx_hostaddr = hostaddr; | 164 | xxx_hostaddr = hostaddr; |
| 165 | 165 | ||
| 166 | if (options.ciphers == (char *)-1) { | 166 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( |
| 167 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 167 | options.kex_algorithms); |
| 168 | options.ciphers = NULL; | ||
| 169 | } | ||
| 170 | if (options.ciphers != NULL) { | ||
| 171 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | ||
| 172 | myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; | ||
| 173 | } | ||
| 174 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | 168 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = |
| 175 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); | 169 | compat_cipher_proposal(options.ciphers); |
| 176 | myproposal[PROPOSAL_ENC_ALGS_STOC] = | 170 | myproposal[PROPOSAL_ENC_ALGS_STOC] = |
| 177 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); | 171 | compat_cipher_proposal(options.ciphers); |
| 178 | if (options.compression) { | 172 | if (options.compression) { |
| 179 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 173 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
| 180 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none"; | 174 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none"; |
| @@ -182,23 +176,22 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | |||
| 182 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 176 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
| 183 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib"; | 177 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib"; |
| 184 | } | 178 | } |
| 185 | if (options.macs != NULL) { | 179 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = |
| 186 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = | 180 | myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; |
| 187 | myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; | 181 | if (options.hostkeyalgorithms != NULL) { |
| 188 | } | 182 | if (kex_assemble_names(KEX_DEFAULT_PK_ALG, |
| 189 | if (options.hostkeyalgorithms != NULL) | 183 | &options.hostkeyalgorithms) != 0) |
| 184 | fatal("%s: kex_assemble_namelist", __func__); | ||
| 190 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 185 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
| 191 | compat_pkalg_proposal(options.hostkeyalgorithms); | 186 | compat_pkalg_proposal(options.hostkeyalgorithms); |
| 192 | else { | 187 | } else { |
| 188 | /* Enforce default */ | ||
| 189 | options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); | ||
| 193 | /* Prefer algorithms that we already have keys for */ | 190 | /* Prefer algorithms that we already have keys for */ |
| 194 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 191 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
| 195 | compat_pkalg_proposal( | 192 | compat_pkalg_proposal( |
| 196 | order_hostkeyalgs(host, hostaddr, port)); | 193 | order_hostkeyalgs(host, hostaddr, port)); |
| 197 | } | 194 | } |
| 198 | if (options.kex_algorithms != NULL) | ||
| 199 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | ||
| 200 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
| 201 | myproposal[PROPOSAL_KEX_ALGS]); | ||
| 202 | 195 | ||
| 203 | if (options.rekey_limit || options.rekey_interval) | 196 | if (options.rekey_limit || options.rekey_interval) |
| 204 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 197 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
| @@ -1315,6 +1308,26 @@ pubkey_cleanup(Authctxt *authctxt) | |||
| 1315 | } | 1308 | } |
| 1316 | } | 1309 | } |
| 1317 | 1310 | ||
| 1311 | static int | ||
| 1312 | try_identity(Identity *id) | ||
| 1313 | { | ||
| 1314 | if (!id->key) | ||
| 1315 | return (0); | ||
| 1316 | if (match_pattern_list(sshkey_ssh_name(id->key), | ||
| 1317 | options.pubkey_key_types, 0) != 1) { | ||
| 1318 | debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes", | ||
| 1319 | sshkey_ssh_name(id->key), id->filename); | ||
| 1320 | return (0); | ||
| 1321 | } | ||
| 1322 | if (key_type_plain(id->key->type) == KEY_RSA && | ||
| 1323 | (datafellows & SSH_BUG_RSASIGMD5) != 0) { | ||
| 1324 | debug("Skipped %s key %s for RSA/MD5 server", | ||
| 1325 | key_type(id->key), id->filename); | ||
| 1326 | return (0); | ||
| 1327 | } | ||
| 1328 | return (id->key->type != KEY_RSA1); | ||
| 1329 | } | ||
| 1330 | |||
| 1318 | int | 1331 | int |
| 1319 | userauth_pubkey(Authctxt *authctxt) | 1332 | userauth_pubkey(Authctxt *authctxt) |
| 1320 | { | 1333 | { |
| @@ -1333,11 +1346,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 1333 | * private key instead | 1346 | * private key instead |
| 1334 | */ | 1347 | */ |
| 1335 | if (id->key != NULL) { | 1348 | if (id->key != NULL) { |
| 1336 | if (key_type_plain(id->key->type) == KEY_RSA && | 1349 | if (try_identity(id)) { |
| 1337 | (datafellows & SSH_BUG_RSASIGMD5) != 0) { | ||
| 1338 | debug("Skipped %s key %s for RSA/MD5 server", | ||
| 1339 | key_type(id->key), id->filename); | ||
| 1340 | } else if (id->key->type != KEY_RSA1) { | ||
| 1341 | debug("Offering %s public key: %s", | 1350 | debug("Offering %s public key: %s", |
| 1342 | key_type(id->key), id->filename); | 1351 | key_type(id->key), id->filename); |
| 1343 | sent = send_pubkey_test(authctxt, id); | 1352 | sent = send_pubkey_test(authctxt, id); |
| @@ -1347,13 +1356,8 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 1347 | id->key = load_identity_file(id->filename, | 1356 | id->key = load_identity_file(id->filename, |
| 1348 | id->userprovided); | 1357 | id->userprovided); |
| 1349 | if (id->key != NULL) { | 1358 | if (id->key != NULL) { |
| 1350 | id->isprivate = 1; | 1359 | if (try_identity(id)) { |
| 1351 | if (key_type_plain(id->key->type) == KEY_RSA && | 1360 | id->isprivate = 1; |
| 1352 | (datafellows & SSH_BUG_RSASIGMD5) != 0) { | ||
| 1353 | debug("Skipped %s key %s for RSA/MD5 " | ||
| 1354 | "server", key_type(id->key), | ||
| 1355 | id->filename); | ||
| 1356 | } else { | ||
| 1357 | sent = sign_and_send_pubkey( | 1361 | sent = sign_and_send_pubkey( |
| 1358 | authctxt, id); | 1362 | authctxt, id); |
| 1359 | } | 1363 | } |