version 1.116, 2020/10/18 11:32:01 |
version 1.117, 2021/01/27 09:26:54 |
|
|
#include "match.h" |
#include "match.h" |
#include "kex.h" |
#include "kex.h" |
|
|
int datafellows = 0; |
/* determine bug flags from SSH protocol banner */ |
|
void |
/* datafellows bug compatibility */ |
compat_banner(struct ssh *ssh, const char *version) |
u_int |
|
compat_datafellows(const char *version) |
|
{ |
{ |
int i; |
int i; |
static struct { |
static struct { |
|
|
}; |
}; |
|
|
/* process table, return first match */ |
/* process table, return first match */ |
|
ssh->compat = 0; |
for (i = 0; check[i].pat; i++) { |
for (i = 0; check[i].pat; i++) { |
if (match_pattern_list(version, check[i].pat, 0) == 1) { |
if (match_pattern_list(version, check[i].pat, 0) == 1) { |
debug("match: %s pat %s compat 0x%08x", |
debug_f("match: %s pat %s compat 0x%08x", |
version, check[i].pat, check[i].bugs); |
version, check[i].pat, check[i].bugs); |
datafellows = check[i].bugs; /* XXX for now */ |
ssh->compat = check[i].bugs; |
return check[i].bugs; |
return; |
} |
} |
} |
} |
debug("no match: %s", version); |
debug_f("no match: %s", version); |
return 0; |
|
} |
} |
|
|
char * |
char * |
compat_cipher_proposal(char *cipher_prop) |
compat_cipher_proposal(struct ssh *ssh, char *cipher_prop) |
{ |
{ |
if (!(datafellows & SSH_BUG_BIGENDIANAES)) |
if (!(ssh->compat & SSH_BUG_BIGENDIANAES)) |
return cipher_prop; |
return cipher_prop; |
debug2_f("original cipher proposal: %s", cipher_prop); |
debug2_f("original cipher proposal: %s", cipher_prop); |
if ((cipher_prop = match_filter_denylist(cipher_prop, "aes*")) == NULL) |
if ((cipher_prop = match_filter_denylist(cipher_prop, "aes*")) == NULL) |
|
|
} |
} |
|
|
char * |
char * |
compat_pkalg_proposal(char *pkalg_prop) |
compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) |
{ |
{ |
if (!(datafellows & SSH_BUG_RSASIGMD5)) |
if (!(ssh->compat & SSH_BUG_RSASIGMD5)) |
return pkalg_prop; |
return pkalg_prop; |
debug2_f("original public key proposal: %s", pkalg_prop); |
debug2_f("original public key proposal: %s", pkalg_prop); |
if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL) |
if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL) |
|
|
} |
} |
|
|
char * |
char * |
compat_kex_proposal(char *p) |
compat_kex_proposal(struct ssh *ssh, char *p) |
{ |
{ |
if ((datafellows & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) |
if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) |
return p; |
return p; |
debug2_f("original KEX proposal: %s", p); |
debug2_f("original KEX proposal: %s", p); |
if ((datafellows & SSH_BUG_CURVE25519PAD) != 0) |
if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) |
if ((p = match_filter_denylist(p, |
if ((p = match_filter_denylist(p, |
"curve25519-sha256@libssh.org")) == NULL) |
"curve25519-sha256@libssh.org")) == NULL) |
fatal("match_filter_denylist failed"); |
fatal("match_filter_denylist failed"); |
if ((datafellows & SSH_OLD_DHGEX) != 0) { |
if ((ssh->compat & SSH_OLD_DHGEX) != 0) { |
if ((p = match_filter_denylist(p, |
if ((p = match_filter_denylist(p, |
"diffie-hellman-group-exchange-sha256," |
"diffie-hellman-group-exchange-sha256," |
"diffie-hellman-group-exchange-sha1")) == NULL) |
"diffie-hellman-group-exchange-sha1")) == NULL) |