src - FreeBSD source tree

diff options


context:
space:
mode:

author	Dag-Erling Smørgrav <des@FreeBSD.org>	2015-08-26 09:25:17 +0000
committer	Dag-Erling Smørgrav <des@FreeBSD.org>	2015-08-26 09:25:17 +0000
commit	d994eeedda788efc28b630e10a33548453293473 (patch)
tree	17adf9bed3cc39b4f8db3c235622326d1cdcc34f /sshd.c
parent	b5a1b3a82df411cb95b6a850e9d9d90bc3d082f9 (diff)
download	src-d994eeedda788efc28b630e10a33548453293473.tar.gz src-d994eeedda788efc28b630e10a33548453293473.zip

Vendor import of OpenSSH 7.0p1vendor/openssh/7.0p1

Notes

Notes: svn path=/vendor-crypto/openssh/dist/; revision=287156 svn path=/vendor-crypto/openssh/7.0p1/; revision=287157; tag=vendor/openssh/7.0p1

Diffstat (limited to 'sshd.c')

-rw-r--r--

sshd.c

1 files changed, 22 insertions, 29 deletions

diff --git a/sshd.c b/sshd.c
index 6f8c6f2b1089..c7dd8cb7a064 100644
--- a/sshd.c
+++ b/sshd.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: sshd.c,v 1.450 2015/05/24 23:39:16 djm Exp $ */

+/* $OpenBSD: sshd.c,v 1.457 2015/07/30 00:01:34 djm Exp $ */

* Author: Tatu Ylonen <ylo@cs.hut.fi>

@@ -95,6 +95,7 @@

#include "log.h"

#include "buffer.h"

#include "misc.h"

+#include "match.h"

#include "servconf.h"

#include "uidswap.h"

#include "compat.h"

@@ -797,8 +798,15 @@ list_hostkey_types(void)

key = sensitive_data.host_keys[i];

if (key == NULL)

key = sensitive_data.host_pubkeys[i];

- if (key == NULL)

+ if (key == NULL || key->type == KEY_RSA1)

+ continue;

+ /* Check that the key is accepted in HostkeyAlgorithms */

+ if (match_pattern_list(sshkey_ssh_name(key),

+ options.hostkeyalgorithms, 0) != 1) {

+ debug3("%s: %s key not permitted by HostkeyAlgorithms",

+ __func__, sshkey_ssh_name(key));

continue;

+ }

switch (key->type) {

case KEY_RSA:

case KEY_DSA:

@@ -815,8 +823,6 @@ list_hostkey_types(void)

if (key == NULL)

continue;

switch (key->type) {

- case KEY_RSA_CERT_V00:

- case KEY_DSA_CERT_V00:

case KEY_RSA_CERT:

case KEY_DSA_CERT:

case KEY_ECDSA_CERT:

@@ -843,8 +849,6 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)

for (i = 0; i < options.num_host_key_files; i++) {

switch (type) {

- case KEY_RSA_CERT_V00:

- case KEY_DSA_CERT_V00:

case KEY_RSA_CERT:

case KEY_DSA_CERT:

case KEY_ECDSA_CERT:

@@ -1878,8 +1882,8 @@ main(int ac, char **av)

#ifdef WITH_SSH1

/* Check certain values for sanity. */

if (options.protocol & SSH_PROTO_1) {

- if (options.server_key_bits < 512 ||

- options.server_key_bits > 32768) {

+ if (options.server_key_bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||

+ options.server_key_bits > OPENSSL_RSA_MAX_MODULUS_BITS) {

fprintf(stderr, "Bad server key size.\n");

exit(1);

}

@@ -2527,9 +2531,7 @@ sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen,

return 0;

}

-/*

- * SSH2 key exchange: diffie-hellman-group1-sha1

- */

+/* SSH2 key exchange */

static void

do_ssh2_kex(void)

{

@@ -2537,19 +2539,15 @@ do_ssh2_kex(void)

struct kex *kex;

int r;

- if (options.ciphers != NULL) {

- myproposal[PROPOSAL_ENC_ALGS_CTOS] =

- myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;

- }

- myproposal[PROPOSAL_ENC_ALGS_CTOS] =

- compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);

- myproposal[PROPOSAL_ENC_ALGS_STOC] =

- compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);

- if (options.macs != NULL) {

- myproposal[PROPOSAL_MAC_ALGS_CTOS] =

- myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;

- }

+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(

+ options.kex_algorithms);

+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(

+ options.ciphers);

+ myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(

+ options.ciphers);

+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =

+ myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;

if (options.compression == COMP_NONE) {

myproposal[PROPOSAL_COMP_ALGS_CTOS] =

myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";

@@ -2557,11 +2555,6 @@ do_ssh2_kex(void)

myproposal[PROPOSAL_COMP_ALGS_CTOS] =

myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";

}

- if (options.kex_algorithms != NULL)

- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;

- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(

- myproposal[PROPOSAL_KEX_ALGS]);

if (options.rekey_limit || options.rekey_interval)

packet_set_rekey_limits((u_int32_t)options.rekey_limit,