summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c51
1 files changed, 22 insertions, 29 deletions
diff --git a/sshd.c b/sshd.c
index cc8ecaff4..b345c9f9a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshd.c,v 1.450 2015/05/24 23:39:16 djm Exp $ */ 1/* $OpenBSD: sshd.c,v 1.457 2015/07/30 00:01:34 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -95,6 +95,7 @@
95#include "log.h" 95#include "log.h"
96#include "buffer.h" 96#include "buffer.h"
97#include "misc.h" 97#include "misc.h"
98#include "match.h"
98#include "servconf.h" 99#include "servconf.h"
99#include "uidswap.h" 100#include "uidswap.h"
100#include "compat.h" 101#include "compat.h"
@@ -809,8 +810,15 @@ list_hostkey_types(void)
809 key = sensitive_data.host_keys[i]; 810 key = sensitive_data.host_keys[i];
810 if (key == NULL) 811 if (key == NULL)
811 key = sensitive_data.host_pubkeys[i]; 812 key = sensitive_data.host_pubkeys[i];
812 if (key == NULL) 813 if (key == NULL || key->type == KEY_RSA1)
814 continue;
815 /* Check that the key is accepted in HostkeyAlgorithms */
816 if (match_pattern_list(sshkey_ssh_name(key),
817 options.hostkeyalgorithms, 0) != 1) {
818 debug3("%s: %s key not permitted by HostkeyAlgorithms",
819 __func__, sshkey_ssh_name(key));
813 continue; 820 continue;
821 }
814 switch (key->type) { 822 switch (key->type) {
815 case KEY_RSA: 823 case KEY_RSA:
816 case KEY_DSA: 824 case KEY_DSA:
@@ -827,8 +835,6 @@ list_hostkey_types(void)
827 if (key == NULL) 835 if (key == NULL)
828 continue; 836 continue;
829 switch (key->type) { 837 switch (key->type) {
830 case KEY_RSA_CERT_V00:
831 case KEY_DSA_CERT_V00:
832 case KEY_RSA_CERT: 838 case KEY_RSA_CERT:
833 case KEY_DSA_CERT: 839 case KEY_DSA_CERT:
834 case KEY_ECDSA_CERT: 840 case KEY_ECDSA_CERT:
@@ -855,8 +861,6 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
855 861
856 for (i = 0; i < options.num_host_key_files; i++) { 862 for (i = 0; i < options.num_host_key_files; i++) {
857 switch (type) { 863 switch (type) {
858 case KEY_RSA_CERT_V00:
859 case KEY_DSA_CERT_V00:
860 case KEY_RSA_CERT: 864 case KEY_RSA_CERT:
861 case KEY_DSA_CERT: 865 case KEY_DSA_CERT:
862 case KEY_ECDSA_CERT: 866 case KEY_ECDSA_CERT:
@@ -1893,8 +1897,8 @@ main(int ac, char **av)
1893#ifdef WITH_SSH1 1897#ifdef WITH_SSH1
1894 /* Check certain values for sanity. */ 1898 /* Check certain values for sanity. */
1895 if (options.protocol & SSH_PROTO_1) { 1899 if (options.protocol & SSH_PROTO_1) {
1896 if (options.server_key_bits < 512 || 1900 if (options.server_key_bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
1897 options.server_key_bits > 32768) { 1901 options.server_key_bits > OPENSSL_RSA_MAX_MODULUS_BITS) {
1898 fprintf(stderr, "Bad server key size.\n"); 1902 fprintf(stderr, "Bad server key size.\n");
1899 exit(1); 1903 exit(1);
1900 } 1904 }
@@ -2624,9 +2628,7 @@ sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen,
2624 return 0; 2628 return 0;
2625} 2629}
2626 2630
2627/* 2631/* SSH2 key exchange */
2628 * SSH2 key exchange: diffie-hellman-group1-sha1
2629 */
2630static void 2632static void
2631do_ssh2_kex(void) 2633do_ssh2_kex(void)
2632{ 2634{
@@ -2634,19 +2636,15 @@ do_ssh2_kex(void)
2634 struct kex *kex; 2636 struct kex *kex;
2635 int r; 2637 int r;
2636 2638
2637 if (options.ciphers != NULL) { 2639 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
2638 myproposal[PROPOSAL_ENC_ALGS_CTOS] = 2640 options.kex_algorithms);
2639 myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; 2641 myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
2640 } 2642 options.ciphers);
2641 myproposal[PROPOSAL_ENC_ALGS_CTOS] = 2643 myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(
2642 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); 2644 options.ciphers);
2643 myproposal[PROPOSAL_ENC_ALGS_STOC] = 2645 myproposal[PROPOSAL_MAC_ALGS_CTOS] =
2644 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); 2646 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
2645 2647
2646 if (options.macs != NULL) {
2647 myproposal[PROPOSAL_MAC_ALGS_CTOS] =
2648 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
2649 }
2650 if (options.compression == COMP_NONE) { 2648 if (options.compression == COMP_NONE) {
2651 myproposal[PROPOSAL_COMP_ALGS_CTOS] = 2649 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
2652 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; 2650 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
@@ -2654,11 +2652,6 @@ do_ssh2_kex(void)
2654 myproposal[PROPOSAL_COMP_ALGS_CTOS] = 2652 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
2655 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com"; 2653 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
2656 } 2654 }
2657 if (options.kex_algorithms != NULL)
2658 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
2659
2660 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
2661 myproposal[PROPOSAL_KEX_ALGS]);
2662 2655
2663 if (options.rekey_limit || options.rekey_interval) 2656 if (options.rekey_limit || options.rekey_interval)
2664 packet_set_rekey_limits((u_int32_t)options.rekey_limit, 2657 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-29 04:03:54 +0000