authorColin Watson <cjwatson@debian.org>2015-08-22 10:05:45 +0100
committerColin Watson <cjwatson@debian.org>2015-08-22 10:05:45 +0100
commit58ddb8ad21f21f5358db0204c4ba9abf94a1ca11 (patch)
treec55df1f23e6fa0fb87a96d8ec4c06a68c3a82b45 /sshconnect2.c
parent544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 (diff)
parent1dc8d93ce69d6565747eb44446ed117187621b26 (diff)
Import openssh_7.0p1.orig.tar.gz
Diffstat (limited to 'sshconnect2.c')
-rw-r--r--sshconnect2.c70
1 files changed, 37 insertions, 33 deletions
diff --git a/sshconnect2.c b/sshconnect2.c
index fcaed6b01..775103185 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect2.c,v 1.224 2015/05/04 06:10:48 djm Exp $ */ 1/* $OpenBSD: sshconnect2.c,v 1.226 2015/07/30 00:01:34 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Damien Miller. All rights reserved. 4 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -163,18 +163,12 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
163 xxx_host = host; 163 xxx_host = host;
164 xxx_hostaddr = hostaddr; 164 xxx_hostaddr = hostaddr;
165 165
166 if (options.ciphers == (char *)-1) { 166 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
167 logit("No valid ciphers for protocol version 2 given, using defaults."); 167 options.kex_algorithms);
168 options.ciphers = NULL;
169 }
170 if (options.ciphers != NULL) {
171 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
172 myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
173 }
174 myproposal[PROPOSAL_ENC_ALGS_CTOS] = 168 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
175 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); 169 compat_cipher_proposal(options.ciphers);
176 myproposal[PROPOSAL_ENC_ALGS_STOC] = 170 myproposal[PROPOSAL_ENC_ALGS_STOC] =
177 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); 171 compat_cipher_proposal(options.ciphers);
178 if (options.compression) { 172 if (options.compression) {
179 myproposal[PROPOSAL_COMP_ALGS_CTOS] = 173 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
180 myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none"; 174 myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
@@ -182,23 +176,22 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
182 myproposal[PROPOSAL_COMP_ALGS_CTOS] = 176 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
183 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib"; 177 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
184 } 178 }
185 if (options.macs != NULL) { 179 myproposal[PROPOSAL_MAC_ALGS_CTOS] =
186 myproposal[PROPOSAL_MAC_ALGS_CTOS] = 180 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
187 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; 181 if (options.hostkeyalgorithms != NULL) {
188 } 182 if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
189 if (options.hostkeyalgorithms != NULL) 183 &options.hostkeyalgorithms) != 0)
184 fatal("%s: kex_assemble_namelist", __func__);
190 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = 185 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
191 compat_pkalg_proposal(options.hostkeyalgorithms); 186 compat_pkalg_proposal(options.hostkeyalgorithms);
192 else { 187 } else {
188 /* Enforce default */
189 options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
193 /* Prefer algorithms that we already have keys for */ 190 /* Prefer algorithms that we already have keys for */
194 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = 191 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
195 compat_pkalg_proposal( 192 compat_pkalg_proposal(
196 order_hostkeyalgs(host, hostaddr, port)); 193 order_hostkeyalgs(host, hostaddr, port));
197 } 194 }
198 if (options.kex_algorithms != NULL)
199 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
200 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
201 myproposal[PROPOSAL_KEX_ALGS]);
202 195
203 if (options.rekey_limit || options.rekey_interval) 196 if (options.rekey_limit || options.rekey_interval)
204 packet_set_rekey_limits((u_int32_t)options.rekey_limit, 197 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
@@ -1315,6 +1308,26 @@ pubkey_cleanup(Authctxt *authctxt)
1315 } 1308 }
1316} 1309}
1317 1310
1311static int
1312try_identity(Identity *id)
1313{
1314 if (!id->key)
1315 return (0);
1316 if (match_pattern_list(sshkey_ssh_name(id->key),
1317 options.pubkey_key_types, 0) != 1) {
1318 debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes",
1319 sshkey_ssh_name(id->key), id->filename);
1320 return (0);
1321 }
1322 if (key_type_plain(id->key->type) == KEY_RSA &&
1323 (datafellows & SSH_BUG_RSASIGMD5) != 0) {
1324 debug("Skipped %s key %s for RSA/MD5 server",
1325 key_type(id->key), id->filename);
1326 return (0);
1327 }
1328 return (id->key->type != KEY_RSA1);
1329}
1330
1318int 1331int
1319userauth_pubkey(Authctxt *authctxt) 1332userauth_pubkey(Authctxt *authctxt)
1320{ 1333{
@@ -1333,11 +1346,7 @@ userauth_pubkey(Authctxt *authctxt)
1333 * private key instead 1346 * private key instead
1334 */ 1347 */
1335 if (id->key != NULL) { 1348 if (id->key != NULL) {
1336 if (key_type_plain(id->key->type) == KEY_RSA && 1349 if (try_identity(id)) {
1337 (datafellows & SSH_BUG_RSASIGMD5) != 0) {
1338 debug("Skipped %s key %s for RSA/MD5 server",
1339 key_type(id->key), id->filename);
1340 } else if (id->key->type != KEY_RSA1) {
1341 debug("Offering %s public key: %s", 1350 debug("Offering %s public key: %s",
1342 key_type(id->key), id->filename); 1351 key_type(id->key), id->filename);
1343 sent = send_pubkey_test(authctxt, id); 1352 sent = send_pubkey_test(authctxt, id);
@@ -1347,13 +1356,8 @@ userauth_pubkey(Authctxt *authctxt)
1347 id->key = load_identity_file(id->filename, 1356 id->key = load_identity_file(id->filename,
1348 id->userprovided); 1357 id->userprovided);
1349 if (id->key != NULL) { 1358 if (id->key != NULL) {
1350 id->isprivate = 1; 1359 if (try_identity(id)) {
1351 if (key_type_plain(id->key->type) == KEY_RSA && 1360 id->isprivate = 1;
1352 (datafellows & SSH_BUG_RSASIGMD5) != 0) {
1353 debug("Skipped %s key %s for RSA/MD5 "
1354 "server", key_type(id->key),
1355 id->filename);
1356 } else {
1357 sent = sign_and_send_pubkey( 1361 sent = sign_and_send_pubkey(
1358 authctxt, id); 1362 authctxt, id);
1359 } 1363 }
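Review bot: In ssh_kex2 (hunk at new line 176) the assignment `myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;` now runs without the removed `options.macs != NULL` guard, so a NULL value would overwrite the compiled-in MAC proposal instead of leaving it in place. The cipher and KEX lines in the preceding hunk likewise pass `options.ciphers` and `options.kex_algorithms` straight through. Presumably the defaults are now filled in before ssh_kex2 is called, but that code is not in this file section; once confirmed, I would record the invariant above these assignments with a comment such as `/* options.ciphers, .macs and .kex_algorithms are never NULL here: defaults are filled in when the options are loaded */`. In the same hunk, `fatal("%s: kex_assemble_namelist", __func__);` names a function other than the one called (`kex_assemble_names`) and discards its return value, which makes a failure harder to trace from the log. The body of ssh_kex2 starts and ends outside these hunks.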