diff options
author | des <des@FreeBSD.org> | 2016-01-20 22:57:10 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2016-01-20 22:57:10 +0000 |
commit | 9b2207f86007504b58fbb42ce7f30946bbd50cea (patch) | |
tree | c90d6531b4082060e49583793ca124b381f7ffd6 /crypto/openssh/sshd.c | |
parent | e86fa364ca07e2714edcfb3790ae4ea2b1d460c9 (diff) | |
download | FreeBSD-src-9b2207f86007504b58fbb42ce7f30946bbd50cea.zip FreeBSD-src-9b2207f86007504b58fbb42ce7f30946bbd50cea.tar.gz |
Upgrade to OpenSSH 7.0p1.
Diffstat (limited to 'crypto/openssh/sshd.c')
-rw-r--r-- | crypto/openssh/sshd.c | 51 |
1 files changed, 22 insertions, 29 deletions
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c index faeb7a6..8cc5562 100644 --- a/crypto/openssh/sshd.c +++ b/crypto/openssh/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.450 2015/05/24 23:39:16 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.457 2015/07/30 00:01:34 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -106,6 +106,7 @@ __RCSID("$FreeBSD$"); #include "log.h" #include "buffer.h" #include "misc.h" +#include "match.h" #include "servconf.h" #include "uidswap.h" #include "compat.h" @@ -815,8 +816,15 @@ list_hostkey_types(void) key = sensitive_data.host_keys[i]; if (key == NULL) key = sensitive_data.host_pubkeys[i]; - if (key == NULL) + if (key == NULL || key->type == KEY_RSA1) + continue; + /* Check that the key is accepted in HostkeyAlgorithms */ + if (match_pattern_list(sshkey_ssh_name(key), + options.hostkeyalgorithms, 0) != 1) { + debug3("%s: %s key not permitted by HostkeyAlgorithms", + __func__, sshkey_ssh_name(key)); continue; + } switch (key->type) { case KEY_RSA: case KEY_DSA: @@ -833,8 +841,6 @@ list_hostkey_types(void) if (key == NULL) continue; switch (key->type) { - case KEY_RSA_CERT_V00: - case KEY_DSA_CERT_V00: case KEY_RSA_CERT: case KEY_DSA_CERT: case KEY_ECDSA_CERT: @@ -861,8 +867,6 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh) for (i = 0; i < options.num_host_key_files; i++) { switch (type) { - case KEY_RSA_CERT_V00: - case KEY_DSA_CERT_V00: case KEY_RSA_CERT: case KEY_DSA_CERT: case KEY_ECDSA_CERT: @@ -1901,8 +1905,8 @@ main(int ac, char **av) #ifdef WITH_SSH1 /* Check certain values for sanity. */ if (options.protocol & SSH_PROTO_1) { - if (options.server_key_bits < 512 || - options.server_key_bits > 32768) { + if (options.server_key_bits < SSH_RSA_MINIMUM_MODULUS_SIZE || + options.server_key_bits > OPENSSL_RSA_MAX_MODULUS_BITS) { fprintf(stderr, "Bad server key size.\n"); exit(1); } @@ -2595,9 +2599,7 @@ sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen, return 0; } -/* - * SSH2 key exchange: diffie-hellman-group1-sha1 - */ +/* SSH2 key exchange */ static void do_ssh2_kex(void) { @@ -2605,19 +2607,15 @@ do_ssh2_kex(void) struct kex *kex; int r; - if (options.ciphers != NULL) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; - } - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); - myproposal[PROPOSAL_ENC_ALGS_STOC] = - compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); - - if (options.macs != NULL) { - myproposal[PROPOSAL_MAC_ALGS_CTOS] = - myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; - } + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( + options.kex_algorithms); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal( + options.ciphers); + myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal( + options.ciphers); + myproposal[PROPOSAL_MAC_ALGS_CTOS] = + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; + if (options.compression == COMP_NONE) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; @@ -2625,11 +2623,6 @@ do_ssh2_kex(void) myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com"; } - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; - - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( - myproposal[PROPOSAL_KEX_ALGS]); if (options.rekey_limit || options.rekey_interval) packet_set_rekey_limits((u_int32_t)options.rekey_limit, |