version 1.344, 2021/01/26 05:32:22 |
version 1.345, 2021/01/27 09:26:54 |
|
|
|
|
if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) |
if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) |
fatal_f("kex_names_cat"); |
fatal_f("kex_names_cat"); |
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s); |
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s); |
myproposal[PROPOSAL_ENC_ALGS_CTOS] = |
myproposal[PROPOSAL_ENC_ALGS_CTOS] = |
compat_cipher_proposal(options.ciphers); |
compat_cipher_proposal(ssh, options.ciphers); |
myproposal[PROPOSAL_ENC_ALGS_STOC] = |
myproposal[PROPOSAL_ENC_ALGS_STOC] = |
compat_cipher_proposal(options.ciphers); |
compat_cipher_proposal(ssh, options.ciphers); |
myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
myproposal[PROPOSAL_COMP_ALGS_STOC] = |
myproposal[PROPOSAL_COMP_ALGS_STOC] = |
(char *)compression_alg_list(options.compression); |
(char *)compression_alg_list(options.compression); |
|
|
if (use_known_hosts_order) { |
if (use_known_hosts_order) { |
/* Query known_hosts and prefer algorithms that appear there */ |
/* Query known_hosts and prefer algorithms that appear there */ |
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
compat_pkalg_proposal( |
compat_pkalg_proposal(ssh, |
order_hostkeyalgs(host, hostaddr, port, cinfo)); |
order_hostkeyalgs(host, hostaddr, port, cinfo)); |
} else { |
} else { |
/* Use specified HostkeyAlgorithms exactly */ |
/* Use specified HostkeyAlgorithms exactly */ |
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = |
compat_pkalg_proposal(options.hostkeyalgorithms); |
compat_pkalg_proposal(ssh, options.hostkeyalgorithms); |
} |
} |
|
|
if (options.rekey_limit || options.rekey_interval) |
if (options.rekey_limit || options.rekey_interval) |
|
|
|
|
/* remove ext-info from the KEX proposals for rekeying */ |
/* remove ext-info from the KEX proposals for rekeying */ |
myproposal[PROPOSAL_KEX_ALGS] = |
myproposal[PROPOSAL_KEX_ALGS] = |
compat_kex_proposal(options.kex_algorithms); |
compat_kex_proposal(ssh, options.kex_algorithms); |
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) |
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) |
fatal_r(r, "kex_prop2buf"); |
fatal_r(r, "kex_prop2buf"); |
|
|
|
|
*/ |
*/ |
if (ssh == NULL || ssh->kex->server_sig_algs == NULL || |
if (ssh == NULL || ssh->kex->server_sig_algs == NULL || |
(key->type != KEY_RSA && key->type != KEY_RSA_CERT) || |
(key->type != KEY_RSA && key->type != KEY_RSA_CERT) || |
(key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { |
(key->type == KEY_RSA_CERT && (ssh->compat & SSH_BUG_SIGTYPE))) { |
/* Filter base key signature alg against our configuration */ |
/* Filter base key signature alg against our configuration */ |
return match_list(sshkey_ssh_name(key), |
return match_list(sshkey_ssh_name(key), |
options.pubkey_accepted_algos, NULL); |
options.pubkey_accepted_algos, NULL); |
|
|
sshbuf_free(b); |
sshbuf_free(b); |
if ((b = sshbuf_new()) == NULL) |
if ((b = sshbuf_new()) == NULL) |
fatal_f("sshbuf_new failed"); |
fatal_f("sshbuf_new failed"); |
if (datafellows & SSH_OLD_SESSIONID) { |
if (ssh->compat & SSH_OLD_SESSIONID) { |
if ((r = sshbuf_put(b, session_id2, |
if ((r = sshbuf_put(b, session_id2, |
session_id2_len)) != 0) |
session_id2_len)) != 0) |
fatal_fr(r, "sshbuf_put"); |
fatal_fr(r, "sshbuf_put"); |
|
|
|
|
/* generate signature */ |
/* generate signature */ |
r = identity_sign(sign_id, &signature, &slen, |
r = identity_sign(sign_id, &signature, &slen, |
sshbuf_ptr(b), sshbuf_len(b), datafellows, alg); |
sshbuf_ptr(b), sshbuf_len(b), ssh->compat, alg); |
if (r == 0) |
if (r == 0) |
break; |
break; |
else if (r == SSH_ERR_KEY_NOT_FOUND) |
else if (r == SSH_ERR_KEY_NOT_FOUND) |
|
|
} |
} |
|
|
static int |
static int |
try_identity(Identity *id) |
try_identity(struct ssh *ssh, Identity *id) |
{ |
{ |
if (!id->key) |
if (!id->key) |
return (0); |
return (0); |
if (sshkey_type_plain(id->key->type) == KEY_RSA && |
if (sshkey_type_plain(id->key->type) == KEY_RSA && |
(datafellows & SSH_BUG_RSASIGMD5) != 0) { |
(ssh->compat & SSH_BUG_RSASIGMD5) != 0) { |
debug("Skipped %s key %s for RSA/MD5 server", |
debug("Skipped %s key %s for RSA/MD5 server", |
sshkey_type(id->key), id->filename); |
sshkey_type(id->key), id->filename); |
return (0); |
return (0); |
|
|
* private key instead |
* private key instead |
*/ |
*/ |
if (id->key != NULL) { |
if (id->key != NULL) { |
if (try_identity(id)) { |
if (try_identity(ssh, id)) { |
ident = format_identity(id); |
ident = format_identity(id); |
debug("Offering public key: %s", ident); |
debug("Offering public key: %s", ident); |
free(ident); |
free(ident); |
|
|
debug("Trying private key: %s", id->filename); |
debug("Trying private key: %s", id->filename); |
id->key = load_identity_file(id); |
id->key = load_identity_file(id); |
if (id->key != NULL) { |
if (id->key != NULL) { |
if (try_identity(id)) { |
if (try_identity(ssh, id)) { |
id->isprivate = 1; |
id->isprivate = 1; |
sent = sign_and_send_pubkey(ssh, id); |
sent = sign_and_send_pubkey(ssh, id); |
} |
} |