Diffstat (limited to 'sshconnect2.c')
-rw-r--r-- | sshconnect2.c | 36 |
1 files changed, 26 insertions, 10 deletions
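diff --git a/sshconnect2.c b/sshconnect2.c
index 70e3cd8c9..8acffc5c3 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.198 2013/06/05 12:52:38 dtucker Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.201 2014/01/09 23:20:00 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -188,11 +188,12 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 }
 if (options.hostkeyalgorithms != NULL)
 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
-options.hostkeyalgorithms;
+compat_pkalg_proposal(options.hostkeyalgorithms);
 else {
 /* Prefer algorithms that we already have keys for */
 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
-order_hostkeyalgs(host, hostaddr, port);
+compat_pkalg_proposal(
+order_hostkeyalgs(host, hostaddr, port));
 }
 if (options.kex_algorithms != NULL)
 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@@ -208,6 +209,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+kex->kex[KEX_C25519_SHA256] = kexc25519_client;
 kex->client_version_string=client_version_string;
 kex->server_version_string=server_version_string;
 kex->verify_host_key=&verify_host_key_callback;
@@ -1004,7 +1006,7 @@ jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme,
 debug3("%s: crypted = %s", __func__, crypted);
 #endif
 
-if (hash_buffer(crypted, strlen(crypted), EVP_sha256(),
+if (hash_buffer(crypted, strlen(crypted), SSH_DIGEST_SHA1,
 &secret, &secret_len) != 0)
 fatal("%s: hash_buffer", __func__);
 
@@ -1488,17 +1490,31 @@ userauth_pubkey(Authctxt *authctxt)
 * encrypted keys we cannot do this and have to load the
 * private key instead
 */
-if (id->key && id->key->type != KEY_RSA1) {
-debug("Offering %s public key: %s", key_type(id->key),
-id->filename);
-sent = send_pubkey_test(authctxt, id);
-} else if (id->key == NULL) {
+if (id->key != NULL) {
+if (key_type_plain(id->key->type) == KEY_RSA &&
+(datafellows & SSH_BUG_RSASIGMD5) != 0) {
+debug("Skipped %s key %s for RSA/MD5 server",
+key_type(id->key), id->filename);
+} else if (id->key->type != KEY_RSA1) {
+debug("Offering %s public key: %s",
+key_type(id->key), id->filename);
+sent = send_pubkey_test(authctxt, id);
+}
+} else {
 debug("Trying private key: %s", id->filename);
 id->key = load_identity_file(id->filename,
 id->userprovided);
 if (id->key != NULL) {
 id->isprivate = 1;
-sent = sign_and_send_pubkey(authctxt, id);
+if (key_type_plain(id->key->type) == KEY_RSA &&
+(datafellows & SSH_BUG_RSASIGMD5) != 0) {
+debug("Skipped %s key %s for RSA/MD5 "
+"server", key_type(id->key),
+id->filename);
+} else {
+sent = sign_and_send_pubkey(
+authctxt, id);
+}
 key_free(id->key);
 id->key = NULL;
 }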
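Review bot: The J-PAKE password secret is now derived with SSH_DIGEST_SHA1 where the old code passed EVP_sha256() (new line 1009), and nothing in the hunk records why the digest itself changed rather than just being ported to the new digest API. Both peers must derive the same secret, so if the server-side derivation still uses SHA-256 this silently breaks the exchange, and even if it is deliberate SHA-1 is the weaker choice; a one-line comment such as `/* NOTE: SHA-1 here (was SHA-256) — must match the server-side derivation */` would stop the next reader from "fixing" it back. jpake_password_to_secret begins and ends outside the hunk. Separately, the RSA/MD5 skip test at new lines 1494-1495 and 1509-1510 is copied verbatim into both the public-key and private-key paths; a small `static int` predicate taking the key would keep the two from drifting apart.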