diff options
author | des <des@FreeBSD.org> | 2017-09-02 14:25:20 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2017-09-02 14:25:20 +0000 |
commit | ce0d6faba2a9fd27ff0fc0942a4e51f5203bb88f (patch) | |
tree | e29bf4f30ea560420ac21b41c62cc53b42547a0b /crypto/openssh/sshconnect2.c | |
parent | fa127d1375fbc969c65e8d8a5f9f2f8efe4e36fc (diff) | |
download | FreeBSD-src-ce0d6faba2a9fd27ff0fc0942a4e51f5203bb88f.zip FreeBSD-src-ce0d6faba2a9fd27ff0fc0942a4e51f5203bb88f.tar.gz |
MFH (r314527,r314576,r314601,r317998): Upgrade OpenSSH to 7.3p1.
Diffstat (limited to 'crypto/openssh/sshconnect2.c')
-rw-r--r-- | crypto/openssh/sshconnect2.c | 96 |
1 files changed, 43 insertions, 53 deletions
diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c index f79c96b..fae8b0f 100644 --- a/crypto/openssh/sshconnect2.c +++ b/crypto/openssh/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.239 2016/02/23 01:34:14 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.247 2016/07/22 05:46:11 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -71,6 +71,7 @@ #include "uidswap.h" #include "hostfile.h" #include "ssherr.h" +#include "utf8.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -171,13 +172,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) compat_cipher_proposal(options.ciphers); myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(options.ciphers); - if (options.compression) { - myproposal[PROPOSAL_COMP_ALGS_CTOS] = - myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none"; - } else { - myproposal[PROPOSAL_COMP_ALGS_CTOS] = - myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib"; - } + myproposal[PROPOSAL_COMP_ALGS_CTOS] = + myproposal[PROPOSAL_COMP_ALGS_STOC] = options.compression ? + "zlib@openssh.com,zlib,none" : "none,zlib@openssh.com,zlib"; myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; if (options.hostkeyalgorithms != NULL) { @@ -206,6 +203,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) #ifdef WITH_OPENSSL kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client; kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; + kex->kex[KEX_DH_GRP14_SHA256] = kexdh_client; + kex->kex[KEX_DH_GRP16_SHA512] = kexdh_client; + kex->kex[KEX_DH_GRP18_SHA512] = kexdh_client; kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; # ifdef OPENSSL_HAS_ECC @@ -496,21 +496,15 @@ input_userauth_error(int type, u_int32_t seq, void *ctxt) int input_userauth_banner(int type, u_int32_t seq, void *ctxt) { - char *msg, *raw, *lang; + char *msg, *lang; u_int len; - debug3("input_userauth_banner"); - raw = packet_get_string(&len); + debug3("%s", __func__); + msg = packet_get_string(&len); lang = packet_get_string(NULL); - if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) { - if (len > 65536) - len = 65536; - msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */ - strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH); - fprintf(stderr, "%s", msg); - free(msg); - } - free(raw); + if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) + fmprintf(stderr, "%s", msg); + free(msg); free(lang); return 0; } @@ -562,7 +556,7 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt) packet_check_eom(); if (partial != 0) { - logit("Authenticated with partial success."); + verbose("Authenticated with partial success."); /* reset state */ pubkey_cleanup(authctxt); pubkey_prepare(authctxt); @@ -1094,8 +1088,8 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) /* * If the key is an certificate, try to find a matching private key * and use it to complete the signature. - * If no such private key exists, return failure and continue with - * other methods of authentication. + * If no such private key exists, fall back to trying the certificate + * key itself in case it has a private half already loaded. */ if (key_is_cert(id->key)) { matched = 0; @@ -1112,12 +1106,8 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) "certificate", __func__, id->filename, id->agent_fd != -1 ? " from agent" : ""); } else { - /* XXX maybe verbose/error? */ - debug("%s: no private key for certificate " + debug("%s: no separate private key for certificate " "\"%s\"", __func__, id->filename); - free(blob); - buffer_free(&b); - return 0; } } @@ -1300,29 +1290,6 @@ pubkey_prepare(Authctxt *authctxt) id->userprovided = options.identity_file_userprovided[i]; TAILQ_INSERT_TAIL(&files, id, next); } - /* Prefer PKCS11 keys that are explicitly listed */ - TAILQ_FOREACH_SAFE(id, &files, next, tmp) { - if (id->key == NULL || (id->key->flags & SSHKEY_FLAG_EXT) == 0) - continue; - found = 0; - TAILQ_FOREACH(id2, &files, next) { - if (id2->key == NULL || - (id2->key->flags & SSHKEY_FLAG_EXT) == 0) - continue; - if (sshkey_equal(id->key, id2->key)) { - TAILQ_REMOVE(&files, id, next); - TAILQ_INSERT_TAIL(preferred, id, next); - found = 1; - break; - } - } - /* If IdentitiesOnly set and key not found then don't use it */ - if (!found && options.identities_only) { - TAILQ_REMOVE(&files, id, next); - explicit_bzero(id, sizeof(*id)); - free(id); - } - } /* list of certificates specified by user */ for (i = 0; i < options.num_certificate_files; i++) { key = options.certificates[i]; @@ -1381,6 +1348,29 @@ pubkey_prepare(Authctxt *authctxt) } authctxt->agent_fd = agent_fd; } + /* Prefer PKCS11 keys that are explicitly listed */ + TAILQ_FOREACH_SAFE(id, &files, next, tmp) { + if (id->key == NULL || (id->key->flags & SSHKEY_FLAG_EXT) == 0) + continue; + found = 0; + TAILQ_FOREACH(id2, &files, next) { + if (id2->key == NULL || + (id2->key->flags & SSHKEY_FLAG_EXT) == 0) + continue; + if (sshkey_equal(id->key, id2->key)) { + TAILQ_REMOVE(&files, id, next); + TAILQ_INSERT_TAIL(preferred, id, next); + found = 1; + break; + } + } + /* If IdentitiesOnly set and key not found then don't use it */ + if (!found && options.identities_only) { + TAILQ_REMOVE(&files, id, next); + explicit_bzero(id, sizeof(*id)); + free(id); + } + } /* append remaining keys from the config file */ for (id = TAILQ_FIRST(&files); id; id = TAILQ_FIRST(&files)) { TAILQ_REMOVE(&files, id, next); @@ -1926,8 +1916,8 @@ authmethods_get(void) buffer_append(&b, method->name, strlen(method->name)); } } - buffer_append(&b, "\0", 1); - list = xstrdup(buffer_ptr(&b)); + if ((list = sshbuf_dup_string(&b)) == NULL) + fatal("%s: sshbuf_dup_string failed", __func__); buffer_free(&b); return list; } |