diff options
author | Colin Watson <cjwatson@debian.org> | 2015-08-22 10:05:45 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2015-08-22 10:05:45 +0100 |
commit | 58ddb8ad21f21f5358db0204c4ba9abf94a1ca11 (patch) | |
tree | c55df1f23e6fa0fb87a96d8ec4c06a68c3a82b45 /sshconnect2.c | |
parent | 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 (diff) | |
parent | 1dc8d93ce69d6565747eb44446ed117187621b26 (diff) |
Import openssh_7.0p1.orig.tar.gz
Diffstat (limited to 'sshconnect2.c')
-rw-r--r-- | sshconnect2.c | 70 |
1 files changed, 37 insertions, 33 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index fcaed6b01..775103185 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshconnect2.c,v 1.224 2015/05/04 06:10:48 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.226 2015/07/30 00:01:34 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
@@ -163,18 +163,12 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | |||
163 | xxx_host = host; | 163 | xxx_host = host; |
164 | xxx_hostaddr = hostaddr; | 164 | xxx_hostaddr = hostaddr; |
165 | 165 | ||
166 | if (options.ciphers == (char *)-1) { | 166 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( |
167 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 167 | options.kex_algorithms); |
168 | options.ciphers = NULL; | ||
169 | } | ||
170 | if (options.ciphers != NULL) { | ||
171 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | ||
172 | myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; | ||
173 | } | ||
174 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = | 168 | myproposal[PROPOSAL_ENC_ALGS_CTOS] = |
175 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); | 169 | compat_cipher_proposal(options.ciphers); |
176 | myproposal[PROPOSAL_ENC_ALGS_STOC] = | 170 | myproposal[PROPOSAL_ENC_ALGS_STOC] = |
177 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); | 171 | compat_cipher_proposal(options.ciphers); |
178 | if (options.compression) { | 172 | if (options.compression) { |
179 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 173 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
180 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none"; | 174 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none"; |
@@ -182,23 +176,22 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | |||
182 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 176 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
183 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib"; | 177 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib"; |
184 | } | 178 | } |
185 | if (options.macs != NULL) { | 179 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = |
186 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = | 180 | myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; |
187 | myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; | 181 | if (options.hostkeyalgorithms != NULL) { |
188 | } | 182 | if (kex_assemble_names(KEX_DEFAULT_PK_ALG, |
189 | if (options.hostkeyalgorithms != NULL) | 183 | &options.hostkeyalgorithms) != 0) |
184 | fatal("%s: kex_assemble_namelist", __func__); | ||
190 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 185 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
191 | compat_pkalg_proposal(options.hostkeyalgorithms); | 186 | compat_pkalg_proposal(options.hostkeyalgorithms); |
192 | else { | 187 | } else { |
188 | /* Enforce default */ | ||
189 | options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); | ||
193 | /* Prefer algorithms that we already have keys for */ | 190 | /* Prefer algorithms that we already have keys for */ |
194 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 191 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
195 | compat_pkalg_proposal( | 192 | compat_pkalg_proposal( |
196 | order_hostkeyalgs(host, hostaddr, port)); | 193 | order_hostkeyalgs(host, hostaddr, port)); |
197 | } | 194 | } |
198 | if (options.kex_algorithms != NULL) | ||
199 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | ||
200 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
201 | myproposal[PROPOSAL_KEX_ALGS]); | ||
202 | 195 | ||
203 | if (options.rekey_limit || options.rekey_interval) | 196 | if (options.rekey_limit || options.rekey_interval) |
204 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 197 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
@@ -1315,6 +1308,26 @@ pubkey_cleanup(Authctxt *authctxt) | |||
1315 | } | 1308 | } |
1316 | } | 1309 | } |
1317 | 1310 | ||
1311 | static int | ||
1312 | try_identity(Identity *id) | ||
1313 | { | ||
1314 | if (!id->key) | ||
1315 | return (0); | ||
1316 | if (match_pattern_list(sshkey_ssh_name(id->key), | ||
1317 | options.pubkey_key_types, 0) != 1) { | ||
1318 | debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes", | ||
1319 | sshkey_ssh_name(id->key), id->filename); | ||
1320 | return (0); | ||
1321 | } | ||
1322 | if (key_type_plain(id->key->type) == KEY_RSA && | ||
1323 | (datafellows & SSH_BUG_RSASIGMD5) != 0) { | ||
1324 | debug("Skipped %s key %s for RSA/MD5 server", | ||
1325 | key_type(id->key), id->filename); | ||
1326 | return (0); | ||
1327 | } | ||
1328 | return (id->key->type != KEY_RSA1); | ||
1329 | } | ||
1330 | |||
1318 | int | 1331 | int |
1319 | userauth_pubkey(Authctxt *authctxt) | 1332 | userauth_pubkey(Authctxt *authctxt) |
1320 | { | 1333 | { |
@@ -1333,11 +1346,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
1333 | * private key instead | 1346 | * private key instead |
1334 | */ | 1347 | */ |
1335 | if (id->key != NULL) { | 1348 | if (id->key != NULL) { |
1336 | if (key_type_plain(id->key->type) == KEY_RSA && | 1349 | if (try_identity(id)) { |
1337 | (datafellows & SSH_BUG_RSASIGMD5) != 0) { | ||
1338 | debug("Skipped %s key %s for RSA/MD5 server", | ||
1339 | key_type(id->key), id->filename); | ||
1340 | } else if (id->key->type != KEY_RSA1) { | ||
1341 | debug("Offering %s public key: %s", | 1350 | debug("Offering %s public key: %s", |
1342 | key_type(id->key), id->filename); | 1351 | key_type(id->key), id->filename); |
1343 | sent = send_pubkey_test(authctxt, id); | 1352 | sent = send_pubkey_test(authctxt, id); |
@@ -1347,13 +1356,8 @@ userauth_pubkey(Authctxt *authctxt) | |||
1347 | id->key = load_identity_file(id->filename, | 1356 | id->key = load_identity_file(id->filename, |
1348 | id->userprovided); | 1357 | id->userprovided); |
1349 | if (id->key != NULL) { | 1358 | if (id->key != NULL) { |
1350 | id->isprivate = 1; | 1359 | if (try_identity(id)) { |
1351 | if (key_type_plain(id->key->type) == KEY_RSA && | 1360 | id->isprivate = 1; |
1352 | (datafellows & SSH_BUG_RSASIGMD5) != 0) { | ||
1353 | debug("Skipped %s key %s for RSA/MD5 " | ||
1354 | "server", key_type(id->key), | ||
1355 | id->filename); | ||
1356 | } else { | ||
1357 | sent = sign_and_send_pubkey( | 1361 | sent = sign_and_send_pubkey( |
1358 | authctxt, id); | 1362 | authctxt, id); |
1359 | } | 1363 | } |