Diffstat (limited to 'sshconnect2.c')
-rw-r--r--sshconnect2.c70
1 files changed, 37 insertions, 33 deletions
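--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.224 2015/05/04 06:10:48 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.226 2015/07/30 00:01:34 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -188,18 +188,12 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
  }
 #endif
 
- if (options.ciphers == (char *)-1) {
- logit("No valid ciphers for protocol version 2 given, using defaults.");
- options.ciphers = NULL;
- }
- if (options.ciphers != NULL) {
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
- }
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ options.kex_algorithms);
  myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
+ compat_cipher_proposal(options.ciphers);
  myproposal[PROPOSAL_ENC_ALGS_STOC] =
- compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
+ compat_cipher_proposal(options.ciphers);
  if (options.compression) {
  myproposal[PROPOSAL_COMP_ALGS_CTOS] =
  myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
@@ -207,23 +201,22 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
  myproposal[PROPOSAL_COMP_ALGS_CTOS] =
  myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
  }
- if (options.macs != NULL) {
- myproposal[PROPOSAL_MAC_ALGS_CTOS] =
- myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
- }
- if (options.hostkeyalgorithms != NULL)
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+ if (options.hostkeyalgorithms != NULL) {
+ if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ &options.hostkeyalgorithms) != 0)
+ fatal("%s: kex_assemble_namelist", __func__);
  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
  compat_pkalg_proposal(options.hostkeyalgorithms);
- else {
+ } else {
+ /* Enforce default */
+ options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
  /* Prefer algorithms that we already have keys for */
  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
  compat_pkalg_proposal(
  order_hostkeyalgs(host, hostaddr, port));
  }
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
- myproposal[PROPOSAL_KEX_ALGS]);
 
 #ifdef GSSAPI
  /* If we've got GSSAPI algorithms, then we also support the
@@ -1431,6 +1424,26 @@ pubkey_cleanup(Authctxt *authctxt)
  }
 }
 
+static int
+try_identity(Identity *id)
+{
+ if (!id->key)
+ return (0);
+ if (match_pattern_list(sshkey_ssh_name(id->key),
+ options.pubkey_key_types, 0) != 1) {
+ debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes",
+ sshkey_ssh_name(id->key), id->filename);
+ return (0);
+ }
+ if (key_type_plain(id->key->type) == KEY_RSA &&
+ (datafellows & SSH_BUG_RSASIGMD5) != 0) {
+ debug("Skipped %s key %s for RSA/MD5 server",
+ key_type(id->key), id->filename);
+ return (0);
+ }
+ return (id->key->type != KEY_RSA1);
+}
+
 int
 userauth_pubkey(Authctxt *authctxt)
 {
@@ -1449,11 +1462,7 @@ userauth_pubkey(Authctxt *authctxt)
  * private key instead
  */
  if (id->key != NULL) {
- if (key_type_plain(id->key->type) == KEY_RSA &&
- (datafellows & SSH_BUG_RSASIGMD5) != 0) {
- debug("Skipped %s key %s for RSA/MD5 server",
- key_type(id->key), id->filename);
- } else if (id->key->type != KEY_RSA1) {
+ if (try_identity(id)) {
  debug("Offering %s public key: %s",
  key_type(id->key), id->filename);
  sent = send_pubkey_test(authctxt, id);
@@ -1463,13 +1472,8 @@ userauth_pubkey(Authctxt *authctxt)
  id->key = load_identity_file(id->filename,
  id->userprovided);
  if (id->key != NULL) {
- id->isprivate = 1;
- if (key_type_plain(id->key->type) == KEY_RSA &&
- (datafellows & SSH_BUG_RSASIGMD5) != 0) {
- debug("Skipped %s key %s for RSA/MD5 "
- "server", key_type(id->key),
- id->filename);
- } else {
+ if (try_identity(id)) {
+ id->isprivate = 1;
  sent = sign_and_send_pubkey(
  authctxt, id);
  }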
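Review bot: The fatal() message in the hostkeyalgorithms branch of ssh_kex2 (hunk @@ -207,23 +201,22 @@) names a function that is not the one being called: the call is `kex_assemble_names(KEX_DEFAULT_PK_ALG, &options.hostkeyalgorithms)` but the message reads `fatal("%s: kex_assemble_namelist", __func__);`, which points anyone debugging a failed proposal assembly at the wrong symbol; change it to `fatal("%s: kex_assemble_names", __func__);`. The same section also drops the NULL checks on options.ciphers, options.macs and options.kex_algorithms before handing them to compat_cipher_proposal() and compat_kex_proposal(), so ssh_kex2 now depends on those defaults having been filled in before it runs; that is presumably done in the options code outside this diff, but it is worth confirming, since a NULL would now reach the proposal builders unguarded. In the last hunk (@@ -1463,13 +1472,8 @@) id->isprivate is set only when try_identity() accepts the freshly loaded key, whereas before it was set whenever load_identity_file() succeeded; if isprivate is consulted later to decide how the loaded private key is released, a rejected key would no longer be flagged, so confirm this against the cleanup path. userauth_pubkey starts and ends outside these hunks.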