diff options
Diffstat (limited to 'crypto/openssh/sshconnect2.c')
| -rw-r--r-- | crypto/openssh/sshconnect2.c | 81 |
1 files changed, 21 insertions, 60 deletions
diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c index 58fe98db2200..bc05f02142fd 100644 --- a/crypto/openssh/sshconnect2.c +++ b/crypto/openssh/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.361 2022/09/17 10:33:18 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.366 2023/03/09 07:11:05 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -56,7 +56,6 @@ #include "cipher.h" #include "sshkey.h" #include "kex.h" -#include "myproposal.h" #include "sshconnect.h" #include "authfile.h" #include "dh.h" @@ -221,15 +220,18 @@ void ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, const struct ssh_conn_info *cinfo) { - char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; - char *s, *all_key; - char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL; + char *myproposal[PROPOSAL_MAX]; + char *s, *all_key, *hkalgs = NULL; int r, use_known_hosts_order = 0; xxx_host = host; xxx_hostaddr = hostaddr; xxx_conn_info = cinfo; + if (options.rekey_limit || options.rekey_interval) + ssh_packet_set_rekey_limits(ssh, options.rekey_limit, + options.rekey_interval); + /* * If the user has not specified HostkeyAlgorithms, or has only * appended or removed algorithms from that list then prefer algorithms @@ -249,29 +251,15 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) fatal_f("kex_names_cat"); - myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s); - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc = - compat_cipher_proposal(ssh, options.ciphers); - myproposal[PROPOSAL_COMP_ALGS_CTOS] = - myproposal[PROPOSAL_COMP_ALGS_STOC] = - (char *)compression_alg_list(options.compression); - myproposal[PROPOSAL_MAC_ALGS_CTOS] = - myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; - if (use_known_hosts_order) { - /* Query known_hosts and prefer algorithms that appear there */ - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = - compat_pkalg_proposal(ssh, - order_hostkeyalgs(host, hostaddr, port, cinfo)); - } else { - /* Use specified HostkeyAlgorithms exactly */ - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = - compat_pkalg_proposal(ssh, options.hostkeyalgorithms); - } - if (options.rekey_limit || options.rekey_interval) - ssh_packet_set_rekey_limits(ssh, options.rekey_limit, - options.rekey_interval); + if (use_known_hosts_order) + hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo); + + kex_proposal_populate_entries(ssh, myproposal, s, options.ciphers, + options.macs, compression_alg_list(options.compression), + hkalgs ? hkalgs : options.hostkeyalgorithms); + + free(hkalgs); /* start key exchange */ if ((r = kex_setup(ssh, myproposal)) != 0) @@ -295,6 +283,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done); /* remove ext-info from the KEX proposals for rekeying */ + free(myproposal[PROPOSAL_KEX_ALGS]); myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, options.kex_algorithms); if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) @@ -308,10 +297,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, (r = ssh_packet_write_wait(ssh)) != 0) fatal_fr(r, "send packet"); #endif - /* Free only parts of proposal that were dynamically allocated here. */ - free(prop_kex); - free(prop_enc); - free(prop_hostkey); + kex_proposal_free_entries(myproposal); } /* @@ -506,7 +492,6 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, } } -/* ARGSUSED */ static int input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh) { @@ -538,7 +523,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh) return r; } -/* ARGSUSED */ static int input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh) { @@ -583,7 +567,6 @@ userauth(struct ssh *ssh, char *authlist) } } -/* ARGSUSED */ static int input_userauth_error(int type, u_int32_t seq, struct ssh *ssh) { @@ -591,7 +574,6 @@ input_userauth_error(int type, u_int32_t seq, struct ssh *ssh) return 0; } -/* ARGSUSED */ static int input_userauth_banner(int type, u_int32_t seq, struct ssh *ssh) { @@ -611,7 +593,6 @@ input_userauth_banner(int type, u_int32_t seq, struct ssh *ssh) return r; } -/* ARGSUSED */ static int input_userauth_success(int type, u_int32_t seq, struct ssh *ssh) { @@ -644,7 +625,6 @@ input_userauth_success_unexpected(int type, u_int32_t seq, struct ssh *ssh) } #endif -/* ARGSUSED */ static int input_userauth_failure(int type, u_int32_t seq, struct ssh *ssh) { @@ -705,7 +685,6 @@ format_identity(Identity *id) return ret; } -/* ARGSUSED */ static int input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) { @@ -913,7 +892,6 @@ process_gssapi_token(struct ssh *ssh, gss_buffer_t recv_tok) return status; } -/* ARGSUSED */ static int input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh) { @@ -958,7 +936,6 @@ input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh) return r; } -/* ARGSUSED */ static int input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh) { @@ -991,7 +968,6 @@ input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh) return r; } -/* ARGSUSED */ static int input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh) { @@ -1026,7 +1002,6 @@ input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh) return 0; } -/* ARGSUSED */ static int input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) { @@ -1104,7 +1079,6 @@ userauth_passwd(struct ssh *ssh) /* * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST */ -/* ARGSUSED */ static int input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh) { @@ -1875,20 +1849,6 @@ pubkey_reset(Authctxt *authctxt) } static int -try_identity(struct ssh *ssh, Identity *id) -{ - if (!id->key) - return (0); - if (sshkey_type_plain(id->key->type) == KEY_RSA && - (ssh->compat & SSH_BUG_RSASIGMD5) != 0) { - debug("Skipped %s key %s for RSA/MD5 server", - sshkey_type(id->key), id->filename); - return (0); - } - return 1; -} - -static int userauth_pubkey(struct ssh *ssh) { Authctxt *authctxt = (Authctxt *)ssh->authctxt; @@ -1908,7 +1868,7 @@ userauth_pubkey(struct ssh *ssh) * private key instead */ if (id->key != NULL) { - if (try_identity(ssh, id)) { + if (id->key != NULL) { ident = format_identity(id); debug("Offering public key: %s", ident); free(ident); @@ -1918,7 +1878,7 @@ userauth_pubkey(struct ssh *ssh) debug("Trying private key: %s", id->filename); id->key = load_identity_file(id); if (id->key != NULL) { - if (try_identity(ssh, id)) { + if (id->key != NULL) { id->isprivate = 1; sent = sign_and_send_pubkey(ssh, id); } @@ -2089,7 +2049,8 @@ ssh_keysign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp, if (dup2(sock, STDERR_FILENO + 1) == -1) fatal_f("dup2: %s", strerror(errno)); sock = STDERR_FILENO + 1; - fcntl(sock, F_SETFD, 0); /* keep the socket on exec */ + if (fcntl(sock, F_SETFD, 0) == -1) /* keep the socket on exec */ + debug3_f("fcntl F_SETFD: %s", strerror(errno)); closefrom(sock + 1); debug3_f("[child] pid=%ld, exec %s", |