Attachment #1280 for bug #1314

View | Details | Raw Unified | Return to bug 1314
Collapse All | Expand All

Lines 162-167 Key *get_hostkey_by_index(int); Link Here

(-)auth.h (+1 lines)
162	Key *get_hostkey_by_type(int);	162	Key *get_hostkey_by_type(int);
163	int get_hostkey_index(Key *);	163	int get_hostkey_index(Key *);
164	int ssh1_session_key(BIGNUM *);	164	int ssh1_session_key(BIGNUM *);
		165	Key *get_ssh2_rsakex_key(void);
165		166
166	/* debug messages during authentication */	167	/* debug messages during authentication */
167	void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));	168	void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));




static void kex_kexinit_finish(Kex *);
static void kex_choose_conf(Kex *);

/* Validate KEX method name list */
int
kexmeth_names_valid(const char *names)
{
	char *s, *cp, *p;

	if (names == NULL || strcmp(names, "") == 0)
		return 0;
	s = cp = xstrdup(names);
	for ((p = strsep(&cp, ",")); p && *p != '\0';
	    (p = strsep(&cp, ","))) {
	    	if (strcmp(p, KEX_DHGEX_SHA256) != 0 &&
		    strcmp(p, KEX_DHGEX_SHA1) != 0 &&
		    strcmp(p, KEX_DH14) != 0 &&
		    strcmp(p, KEX_DH1) != 0 &&
		    strcmp(p, KEX_RSA) != 0) {
			xfree(s);
			return 0;
		}
	}
	debug3("kex names ok: [%s]", names);
	xfree(s);
	return 1;
}


/* put algorithm proposal into buffer */
static void
kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])

	} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
		k->kex_type = KEX_DH_GEX_SHA256;
		k->evp_md = evp_ssh_sha256();
	} else if (strcmp(k->name, KEX_RSA) == 0) {
		k->kex_type = KEX_RSA_SHA1;
		k->evp_md = EVP_sha1();
	} else
		fatal("bad kex alg %s", k->name);
}

Lines 32-37 Link Here

(-)kex.h (-3 / +13 lines)
32	#define KEX_DH14 "diffie-hellman-group14-sha1"	32	#define KEX_DH14 "diffie-hellman-group14-sha1"
33	#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"	33	#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
34	#define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256"	34	#define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256"
		35	#define KEX_RSA "rsa1024-sha1"
35		36
36	#define COMP_NONE 0	37	#define COMP_NONE 0
37	#define COMP_ZLIB 1	38	#define COMP_ZLIB 1
Lines 62-67 enum kex_exchange { Link Here
62	KEX_DH_GRP14_SHA1,	63	KEX_DH_GRP14_SHA1,
63	KEX_DH_GEX_SHA1,	64	KEX_DH_GEX_SHA1,
64	KEX_DH_GEX_SHA256,	65	KEX_DH_GEX_SHA256,
		66	KEX_RSA_SHA1,
65	KEX_MAX	67	KEX_MAX
66	};	68	};
67		69
Lines 122-127 struct Kex { Link Here
122	void (kex[KEX_MAX])(Kex );	124	void (kex[KEX_MAX])(Kex );
123	};	125	};
124		126
		127	int kexmeth_names_valid(const char *);
		128
125	Kex kex_setup(char [PROPOSAL_MAX]);	129	Kex kex_setup(char [PROPOSAL_MAX]);
126	void kex_finish(Kex *);	130	void kex_finish(Kex *);
127		131
Lines 135-148 void kexdh_client(Kex *); Link Here
135	void kexdh_server(Kex *);	139	void kexdh_server(Kex *);
136	void kexgex_client(Kex *);	140	void kexgex_client(Kex *);
137	void kexgex_server(Kex *);	141	void kexgex_server(Kex *);
		142	void kexrsa_client(Kex *);
		143	void kexrsa_server(Kex *);
		144	int kexrsa_decrypt(u_char *, u_int , u_char *, u_int);
138		145
139	void	146	void
140	kex_dh_hash(char , char , char , int, char , int, u_char *, int,	147	kex_dh_hash(char , char , char , u_int, char , u_int, u_char *, u_int,
141	BIGNUM , BIGNUM , BIGNUM , u_char , u_int );	148	BIGNUM , BIGNUM , BIGNUM , u_char , u_int );
142	void	149	void
143	kexgex_hash(const EVP_MD , char , char , char , int, char *,	150	kexgex_hash(const EVP_MD , char , char , char , u_int, char *,
144	int, u_char , int, int, int, int, BIGNUM , BIGNUM , BIGNUM ,	151	u_int, u_char , u_int, int, int, int, BIGNUM , BIGNUM , BIGNUM ,
145	BIGNUM , BIGNUM , u_char *, u_int );	152	BIGNUM , BIGNUM , u_char *, u_int );
		153	void
		154	kexrsa_hash(char , char , char , u_int, char , u_int, u_char *, u_int,
		155	u_char , u_int, u_char , u_int, BIGNUM , u_char , u_int );
146		156
147	void	157	void
148	derive_ssh1_session_id(BIGNUM , BIGNUM , u_int8_t[8], u_int8_t[16]);	158	derive_ssh1_session_id(BIGNUM , BIGNUM , u_int8_t[8], u_int8_t[16]);

Lines 39-47 void Link Here

(-)kexdh.c (-3 / +3 lines)
39	kex_dh_hash(	39	kex_dh_hash(
40	char *client_version_string,	40	char *client_version_string,
41	char *server_version_string,	41	char *server_version_string,
42	char *ckexinit, int ckexinitlen,	42	char *ckexinit, u_int ckexinitlen,
43	char *skexinit, int skexinitlen,	43	char *skexinit, u_int skexinitlen,
44	u_char *serverhostkeyblob, int sbloblen,	44	u_char *serverhostkeyblob, u_int sbloblen,
45	BIGNUM *client_dh_pub,	45	BIGNUM *client_dh_pub,
46	BIGNUM *server_dh_pub,	46	BIGNUM *server_dh_pub,
47	BIGNUM *shared_secret,	47	BIGNUM *shared_secret,

Lines 40-48 kexgex_hash( Link Here

(-)kexgex.c (-3 / +3 lines)
40	const EVP_MD *evp_md,	40	const EVP_MD *evp_md,
41	char *client_version_string,	41	char *client_version_string,
42	char *server_version_string,	42	char *server_version_string,
43	char *ckexinit, int ckexinitlen,	43	char *ckexinit, u_int ckexinitlen,
44	char *skexinit, int skexinitlen,	44	char *skexinit, u_int skexinitlen,
45	u_char *serverhostkeyblob, int sbloblen,	45	u_char *serverhostkeyblob, u_int sbloblen,
46	int min, int wantbits, int max, BIGNUM prime, BIGNUM gen,	46	int min, int wantbits, int max, BIGNUM prime, BIGNUM gen,
47	BIGNUM *client_dh_pub,	47	BIGNUM *client_dh_pub,
48	BIGNUM *server_dh_pub,	48	BIGNUM *server_dh_pub,




/*
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/types.h>

#include <openssl/evp.h>
#include <signal.h>

#include "buffer.h"
#include "key.h"
#include "cipher.h"
#include "kex.h"
#include "ssh2.h"

void
kexrsa_hash(
    char *client_version_string,
    char *server_version_string,
    char *ckexinit, u_int ckexinitlen,
    char *skexinit, u_int skexinitlen,
    u_char *serverhostkeyblob, u_int sbloblen,
    u_char *servertranskeyblob, u_int tbloblen,
    u_char *encsecret, u_int encseclen,
    BIGNUM *shared_secret,
    u_char **hash, u_int *hashlen)
{
	Buffer b;
	static u_char digest[EVP_MAX_MD_SIZE];
	const EVP_MD *evp_md = EVP_sha1();
	EVP_MD_CTX md;

	buffer_init(&b);
	buffer_put_cstring(&b, client_version_string);
	buffer_put_cstring(&b, server_version_string);

	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
	buffer_put_int(&b, ckexinitlen+1);
	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	buffer_append(&b, ckexinit, ckexinitlen);
	buffer_put_int(&b, skexinitlen+1);
	buffer_put_char(&b, SSH2_MSG_KEXINIT);
	buffer_append(&b, skexinit, skexinitlen);

	buffer_put_string(&b, serverhostkeyblob, sbloblen);
	buffer_put_string(&b, servertranskeyblob, tbloblen);
	buffer_put_string(&b, encsecret, encseclen);
	buffer_put_bignum2(&b, shared_secret);

#ifdef DEBUG_KEX
	buffer_dump(&b);
#endif
	EVP_DigestInit(&md, evp_md);
	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
	EVP_DigestFinal(&md, digest, NULL);

	buffer_free(&b);

#ifdef DEBUG_KEX
	dump_digest("hash", digest, EVP_MD_size(evp_md));
#endif
	*hash = digest;
	*hashlen = EVP_MD_size(evp_md);
}




/*
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/types.h>

#include <stdio.h>
#include <string.h>
#include <signal.h>

#include <openssl/evp.h>
#include <openssl/err.h>

#include "xmalloc.h"
#include "buffer.h"
#include "key.h"
#include "cipher.h"
#include "kex.h"
#include "log.h"
#include "packet.h"
#include "dh.h"
#include "ssh2.h"
#include "compat.h"

void
kexrsa_client(Kex *kex)
{
	BIGNUM *shared_secret = NULL;
	Key *server_host_key, *server_transient_key;
	u_char *server_transient_key_blob = NULL;
	u_char *server_host_key_blob = NULL, *signature = NULL;
	u_char *seccbuf, *hash;
	u_int slen, sbloblen, tbloblen, hashlen, secclen;
	int rc, secret_bits;
	Buffer secbuffer;

	debug("expecting SSH2_MSG_KEXRSA_PUBKEY");
	packet_read_expect(SSH2_MSG_KEXRSA_PUBKEY);

	/* server public host key and certificates (K_S) */
	server_host_key_blob = packet_get_string(&sbloblen);
	server_host_key = key_from_blob(server_host_key_blob, sbloblen);
	if (server_host_key == NULL)
		fatal("cannot decode server_host_key_blob");
	if (server_host_key->type != kex->hostkey_type)
		fatal("type mismatch for decoded server_host_key_blob");
	if (kex->verify_host_key == NULL)
		fatal("cannot verify server_host_key");
	if (kex->verify_host_key(server_host_key) == -1)
		fatal("server_host_key verification failed");

	/* K_T, transient RSA key */
	server_transient_key_blob = packet_get_string(&tbloblen);
	server_transient_key = key_from_blob(server_transient_key_blob,
	    tbloblen);

	if (server_transient_key->type != KEY_RSA)
		fatal("kexrsa_client: non-RSA transient key");
	if (key_size(server_transient_key) < 1024)
		fatal("kexrsa_client: transient key too small");

	packet_check_eom();

	secret_bits = key_size(server_transient_key) - 49 - 
	    EVP_MD_size(kex->evp_md) * 8 * 2;
	if ((shared_secret = BN_new()) == NULL)
		fatal("kexrsa_client: BN_new failed");
	if (!BN_rand(shared_secret, secret_bits, -1, 0))
		fatal("kexrsa_client: BN_rand failed");

	seccbuf = xmalloc(RSA_size(server_transient_key->rsa));
	buffer_init(&secbuffer);
	buffer_put_bignum2(&secbuffer, shared_secret);
	if ((rc = RSA_public_encrypt(buffer_len(&secbuffer),
	    buffer_ptr(&secbuffer), seccbuf, server_transient_key->rsa,
	    RSA_PKCS1_OAEP_PADDING)) < 0) {
		fatal("kexrsa_client: encryption failed: %s",
			ERR_error_string(ERR_get_error(), NULL));
	}
	secclen = rc;
	buffer_free(&secbuffer);
	key_free(server_transient_key);
	packet_start(SSH2_MSG_KEXRSA_SECRET);
	packet_put_string(seccbuf, secclen);
	packet_send();
	debug("sending SSH2_MSG_KEXRSA_SECRET");

	debug("expecting SSH2_MSG_KEXRSA_DONE");
	packet_read_expect(SSH2_MSG_KEXRSA_DONE);

	/* signed H */
	signature = packet_get_string(&slen);
	packet_check_eom();

	/* calc and verify H */
	kexrsa_hash(
	    kex->client_version_string,
	    kex->server_version_string,
	    buffer_ptr(&kex->my), buffer_len(&kex->my),
	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
	    server_host_key_blob, sbloblen,
	    server_transient_key_blob, tbloblen,
	    seccbuf, secclen,
	    shared_secret,
	    &hash, &hashlen
	);
	xfree(server_host_key_blob);
	xfree(server_transient_key_blob);
	xfree(seccbuf);

	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
		fatal("key_verify failed for server_host_key");
	key_free(server_host_key);
	xfree(signature);

	/* save session id */
	if (kex->session_id == NULL) {
		kex->session_id_len = 20;
		kex->session_id = xmalloc(kex->session_id_len);
		memcpy(kex->session_id, hash, kex->session_id_len);
	}

	kex_derive_keys(kex, hash, hashlen, shared_secret);
	BN_clear_free(shared_secret);
	kex_finish(kex);
}




/*
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/param.h>

#include <stdio.h>
#include <string.h>
#include <signal.h>

#include "xmalloc.h"
#include "buffer.h"
#include "key.h"
#include "cipher.h"
#include "kex.h"
#include "log.h"
#include "packet.h"
#include "dh.h"
#include "ssh2.h"
#include "compat.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "misc.h"
#include "hostfile.h"
#include "auth.h"
#include "monitor_wrap.h"

#define KEXRSA_KEYLEN 1024

void
kexrsa_server(Kex *kex)
{
	BIGNUM *shared_secret = NULL;
	Key *server_host_key, *server_transient_key;
	u_char *secc, *secp, *hash, *signature = NULL;
	u_char *server_host_key_blob = NULL;
	u_char *server_transient_key_blob = NULL;
	u_int sbloblen, tbloblen, secclen, slen, hashlen, secplen;

	/* generate transient RSA key pair */
	server_transient_key = get_ssh2_rsakex_key();
	key_to_blob(server_transient_key, &server_transient_key_blob,
	    &tbloblen);

	if (kex->load_host_key == NULL)
		fatal("Cannot load hostkey");
	server_host_key = kex->load_host_key(kex->hostkey_type);
	if (server_host_key == NULL)
		fatal("Unsupported hostkey type %d", kex->hostkey_type);

	key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);

	packet_start(SSH2_MSG_KEXRSA_PUBKEY);
	packet_put_string(server_host_key_blob, sbloblen);
	packet_put_string(server_transient_key_blob, tbloblen);
	packet_send();

	debug("expecting SSH2_MSG_KEXRSA_SECRET");
	packet_read_expect(SSH2_MSG_KEXRSA_SECRET);
	debug("got it");

	secc = packet_get_string(&secclen);
	if (PRIVSEP(kexrsa_decrypt(&secp, &secplen, secc, secclen)))
		fatal("kexrsa: decryption error");
	if (secplen < 4 || get_u32(secp) > secplen - 4)
		fatal("kexrsa_server: bad shared secret");
	if ((shared_secret = BN_new()) == NULL)
		fatal("kexrsa_server: BN_new failed");
	BN_bin2bn(secp + 4, get_u32(secp), shared_secret);
	bzero(secp, secplen);
	xfree(secp);

	/* calc H */
	kexrsa_hash(
	    kex->client_version_string,
	    kex->server_version_string,
	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
	    buffer_ptr(&kex->my), buffer_len(&kex->my),
	    server_host_key_blob, sbloblen,
	    server_transient_key_blob, tbloblen,
	    secc, secclen,
	    shared_secret,
	    &hash, &hashlen
	);
	xfree(server_host_key_blob);
	xfree(server_transient_key_blob);
	xfree(secc);

	/* save session id := H */
	if (kex->session_id == NULL) {
		kex->session_id_len = hashlen;
		kex->session_id = xmalloc(kex->session_id_len);
		memcpy(kex->session_id, hash, kex->session_id_len);
	}

	/* sign H */
	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));

	/* destroy_sensitive_data(); */

	/* send server hostkey and singed H */
	packet_start(SSH2_MSG_KEXRSA_DONE);
	packet_put_string(signature, slen);
	packet_send();

	xfree(signature);

	kex_derive_keys(kex, hash, hashlen, shared_secret);
	BN_clear_free(shared_secret);
	kex_finish(kex);
}

int
kexrsa_decrypt(u_char **secpp, u_int *secplenp, u_char *secc, u_int secclen)
{
	Key *server_transient_key;
	int rc;

	server_transient_key = get_ssh2_rsakex_key();
	*secpp = xmalloc(KEXRSA_KEYLEN / 8);
	if ((rc = RSA_private_decrypt(secclen, secc, *secpp,
	    server_transient_key->rsa, RSA_PKCS1_OAEP_PADDING)) < 0)
		return 1;
	*secplenp = rc;
	return 0;
}





int mm_answer_moduli(int, Buffer *);
int mm_answer_sign(int, Buffer *);
int mm_answer_kexrsa_decrypt(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);

struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
    {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
    {MONITOR_REQ_KEXRSA_DECRYPT, MON_ONCE, mm_answer_kexrsa_decrypt},
    {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
    {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
    {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},

struct mon_table mon_dispatch_postauth20[] = {
    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
    {MONITOR_REQ_SIGN, 0, mm_answer_sign},
    {MONITOR_REQ_KEXRSA_DECRYPT, 0, mm_answer_kexrsa_decrypt},
    {MONITOR_REQ_PTY, 0, mm_answer_pty},
    {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
    {MONITOR_REQ_TERM, 0, mm_answer_term},

		/* Permit requests for moduli and signatures */
		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		monitor_permit(mon_dispatch, MONITOR_REQ_KEXRSA_DECRYPT, 1);
	} else {
		mon_dispatch = mon_dispatch_proto15;


		/* Permit requests for moduli and signatures */
		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		monitor_permit(mon_dispatch, MONITOR_REQ_KEXRSA_DECRYPT, 1);
		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
	} else {
		mon_dispatch = mon_dispatch_postauth15;

	return (0);
}

int
mm_answer_kexrsa_decrypt(int sock, Buffer *m)
{
	u_char *secc;
	u_char *secp;
	u_int secplen, secclen;
	int rsafail;

	debug3("%s", __func__);

	secc = buffer_get_string(m, &secclen);
	rsafail = kexrsa_decrypt(&secp, &secplen, secc, secclen);

	buffer_clear(m);
	buffer_put_int(m, rsafail);
	if (!rsafail)
		buffer_put_string(m, secp, secplen);

	xfree(secc);
	xfree(secp);

	mm_request_send(sock, MONITOR_ANS_KEXRSA_DECRYPT, m);

	return (0);
}

/* Retrieves the password entry and also checks if the user is permitted */

int

	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
	kex->kex[KEX_RSA_SHA1] = kexrsa_server;
	kex->server = 1;
	kex->hostkey_type = buffer_get_int(m);
	kex->kex_type = buffer_get_int(m);

Lines 32-37 enum monitor_reqtype { Link Here

(-)monitor.h (+1 lines)
32	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,	32	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
33	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,	33	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
34	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,	34	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
		35	MONITOR_REQ_KEXRSA_DECRYPT, MONITOR_ANS_KEXRSA_DECRYPT,
35	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,	36	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
36	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,	37	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
37	MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,	38	MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,




	return (rsafail);
}

int
mm_kexrsa_decrypt(u_char **secpp, u_int *secplenp,
    u_char *secc, u_int secclen)
{
	int rsafail;
	Buffer m;

	buffer_init(&m);
	buffer_put_string(&m, secc, secclen);

	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEXRSA_DECRYPT, &m);
	mm_request_receive_expect(pmonitor->m_recvfd,
	    MONITOR_ANS_KEXRSA_DECRYPT, &m);
	rsafail = buffer_get_int(&m);
	if (!rsafail)*secpp  = buffer_get_string(&m, secplenp);
	buffer_free(&m);

	return (rsafail);
}

static void
mm_chall_setup(char **name, char **infotxt, u_int *numprompts,
    char ***prompts, u_int **echo_on)

Lines 40-45 struct Authctxt; Link Here

(-)monitor_wrap.h (+1 lines)
40	int mm_is_monitor(void);	40	int mm_is_monitor(void);
41	DH *mm_choose_dh(int, int, int);	41	DH *mm_choose_dh(int, int, int);
42	int mm_key_sign(Key , u_char , u_int , u_char *, u_int);	42	int mm_key_sign(Key , u_char , u_int , u_char *, u_int);
		43	int mm_kexrsa_decrypt(u_char *, u_int , u_char *, u_int);
43	void mm_inform_authserv(char , char );	44	void mm_inform_authserv(char , char );
44	struct passwd mm_getpwnamallow(const char );	45	struct passwd mm_getpwnamallow(const char );
45	char *mm_auth2_read_banner(void);	46	char *mm_auth2_read_banner(void);




	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
	oKexMethods,
	oDeprecated, oUnsupported
} OpCodes;


	{ "tunneldevice", oTunnelDevice },
	{ "localcommand", oLocalCommand },
	{ "permitlocalcommand", oPermitLocalCommand },
	{ "kexmethods", oKexMethods },
	{ NULL, oBadOption }
};


			options->macs = xstrdup(arg);
		break;

	case oKexMethods:
		arg = strdelim(&s);
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (!kexmeth_names_valid(arg))
			fatal("%.200s line %d: Bad SSH2 KexMethods spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->kexmethods == NULL)
			options->kexmethods = xstrdup(arg);
		break;

	case oHostKeyAlgorithms:
		arg = strdelim(&s);
		if (!arg || *arg == '\0')

	options->cipher = -1;
	options->ciphers = NULL;
	options->macs = NULL;
	options->kexmethods = NULL;
	options->hostkeyalgorithms = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->num_identity_files = 0;

		options->cipher = SSH_CIPHER_NOT_SET;
	/* options->ciphers, default set in myproposals.h */
	/* options->macs, default set in myproposals.h */
	/* options->kexmethods, default set in myproposals.h */
	/* options->hostkeyalgorithms, default set in myproposals.h */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;

Lines 70-75 typedef struct { Link Here

(-)readconf.h (+1 lines)
70	char ciphers; / SSH2 ciphers in order of preference. */	70	char ciphers; / SSH2 ciphers in order of preference. */
71	char macs; / SSH2 macs in order of preference. */	71	char macs; / SSH2 macs in order of preference. */
72	char hostkeyalgorithms; / SSH2 server key types in order of preference. */	72	char hostkeyalgorithms; / SSH2 server key types in order of preference. */
		73	char kexmethods; / SSH2 kex methods in order of preference. */
73	int protocol; /* Protocol in order of preference. */	74	int protocol; /* Protocol in order of preference. */
74	char hostname; / Real host to connect. */	75	char hostname; / Real host to connect. */
75	char host_key_alias; / hostname alias for .ssh/known_hosts */	76	char host_key_alias; / hostname alias for .ssh/known_hosts */




	options->num_deny_groups = 0;
	options->ciphers = NULL;
	options->macs = NULL;
	options->kexmethods = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->gateway_ports = -1;
	options->num_subsystems = 0;

	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
	sMatch, sPermitOpen, sForceCommand, sKexMethods,
	sUsePrivilegeSeparation,
	sDeprecated, sUnsupported
} ServerOpCodes;

	{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
	{ "macs", sMacs, SSHCFG_GLOBAL },
	{ "kexmethods", sKexMethods, SSHCFG_GLOBAL },
	{ "protocol", sProtocol, SSHCFG_GLOBAL },
	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },

			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sKexMethods:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!kexmeth_names_valid(arg))
			fatal("%s line %d: Bad SSH2 KexMethods spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->kexmethods == NULL)
			options->kexmethods = xstrdup(arg);
		break;

	case sProtocol:

Lines 65-70 typedef struct { Link Here

(-)servconf.h (+1 lines)
65	int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */	65	int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
66	char ciphers; / Supported SSH2 ciphers. */	66	char ciphers; / Supported SSH2 ciphers. */
67	char macs; / Supported SSH2 macs. */	67	char macs; / Supported SSH2 macs. */
		68	char kexmethods; / SSH2 kex methods in order of preference. */
68	int protocol; /* Supported protocol versions. */	69	int protocol; /* Supported protocol versions. */
69	int gateway_ports; /* If true, allow remote connects to forwarded ports. */	70	int gateway_ports; /* If true, allow remote connects to forwarded ports. */
70	SyslogFacility log_facility; /* Facility for system logging. */	71	SyslogFacility log_facility; /* Facility for system logging. */

Lines 352-357 keygrab_ssh2(con *c) Link Here

(-)ssh-keyscan.c (+1 lines)
352	c->c_kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;	352	c->c_kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
353	c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;	353	c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
354	c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;	354	c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
		355	c->c_kex->kex[KEX_RSA_SHA1] = kexrsa_client;
355	c->c_kex->verify_host_key = hostjump;	356	c->c_kex->verify_host_key = hostjump;
356		357
357	if (!(j = setjmp(kexjmp))) {	358	if (!(j = setjmp(kexjmp))) {

Lines 466-471 For full details of the options listed b Link Here

(-)ssh.1 (+1 lines)
466	.It IdentityFile	466	.It IdentityFile
467	.It IdentitiesOnly	467	.It IdentitiesOnly
468	.It KbdInteractiveDevices	468	.It KbdInteractiveDevices
		469	.It KexMethods
469	.It LocalCommand	470	.It LocalCommand
470	.It LocalForward	471	.It LocalForward
471	.It LogLevel	472	.It LogLevel

Lines 98-103 Link Here

(-)ssh2.h (+5 lines)
98	#define SSH2_MSG_KEX_DH_GEX_REPLY 33	98	#define SSH2_MSG_KEX_DH_GEX_REPLY 33
99	#define SSH2_MSG_KEX_DH_GEX_REQUEST 34	99	#define SSH2_MSG_KEX_DH_GEX_REQUEST 34
100		100
		101	/* rsa key exchange */
		102	#define SSH2_MSG_KEXRSA_PUBKEY 30
		103	#define SSH2_MSG_KEXRSA_SECRET 31
		104	#define SSH2_MSG_KEXRSA_DONE 32
		105
101	/* user authentication: generic */	106	/* user authentication: generic */
102		107
103	#define SSH2_MSG_USERAUTH_REQUEST 50	108	#define SSH2_MSG_USERAUTH_REQUEST 50




.Dq pam ,
and
.Dq skey .
.It Cm KexMethods
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
Available methods are
.Dq diffie-hellman-group-exchange-sha256 , 
.Dq diffie-hellman-group-exchange-sha1 ,
.Dq diffie-hellman-group14-sha1 ,
.Dq diffie-hellman-group1-sha1 ,
and
.Dq rsa1024-sha1 .
The default is:
.Bd -literal -offset 3n
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diffie-hellman-group1-sha1
.Ed
.It Cm LocalCommand
Specifies a command to execute on the local machine after successfully
connecting to the server.

Lines 123-128 ssh_kex2(char host, struct sockaddr ho Link Here

(-)sshconnect2.c (+3 lines)
123	if (options.hostkeyalgorithms != NULL)	123	if (options.hostkeyalgorithms != NULL)
124	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =	124	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
125	options.hostkeyalgorithms;	125	options.hostkeyalgorithms;
		126	if (options.kexmethods != NULL)
		127	myproposal[PROPOSAL_KEX_ALGS] = options.kexmethods;
126		128
127	if (options.rekey_limit)	129	if (options.rekey_limit)
128	packet_set_rekey_limit(options.rekey_limit);	130	packet_set_rekey_limit(options.rekey_limit);
Lines 133-138 ssh_kex2(char host, struct sockaddr ho Link Here
133	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;	135	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
134	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;	136	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
135	kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;	137	kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
		138	kex->kex[KEX_RSA_SHA1] = kexrsa_client;
136	kex->client_version_string=client_version_string;	139	kex->client_version_string=client_version_string;
137	kex->server_version_string=server_version_string;	140	kex->server_version_string=server_version_string;
138	kex->verify_host_key=&verify_host_key_callback;	141	kex->verify_host_key=&verify_host_key_callback;





#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/md5.h>
#include <openssl/rand.h>


 */
struct {
	Key	*server_key;		/* ephemeral server key */
	Key	*ssh2_rsakex_key;	/* ssh2 RSA KEX key */
	Key	*ssh1_host_key;		/* ssh1 host key */
	Key	**host_keys;		/* all private host keys */
	int	have_ssh1_key;

	u_int32_t rnd = 0;
	int i;

	if (options.protocol & SSH_PROTO_1) {
		verbose("Generating %s%d bit RSA key.",
		    sensitive_data.server_key ? "new " : "",
		    options.server_key_bits);
		if (sensitive_data.server_key != NULL)
			key_free(sensitive_data.server_key);
		sensitive_data.server_key = key_generate(KEY_RSA1,
		    options.server_key_bits);
		verbose("RSA key generation complete.");

		for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
			if (i % 4 == 0)
				rnd = arc4random();
			sensitive_data.ssh1_cookie[i] = rnd & 0xff;
			rnd >>= 8;
		}
		arc4random_stir();
	}

	if (options.protocol & SSH_PROTO_2) {
		verbose("Generating %s1024 bit RSA key for SSH-2.",
		    sensitive_data.ssh2_rsakex_key ? "new " : "");
		if (sensitive_data.ssh2_rsakex_key != NULL)
			key_free(sensitive_data.ssh2_rsakex_key);
		sensitive_data.ssh2_rsakex_key = key_generate(KEY_RSA, 1024);
		verbose("RSA key generation complete.");
	}
	arc4random_stir();
}

/*ARGSUSED*/

		key_free(sensitive_data.server_key);
		sensitive_data.server_key = NULL;
	}
	if (sensitive_data.ssh2_rsakex_key) {
		key_free(sensitive_data.ssh2_rsakex_key);
		sensitive_data.ssh2_rsakex_key = NULL;
	}
	for (i = 0; i < options.num_host_key_files; i++) {
		if (sensitive_data.host_keys[i]) {
			key_free(sensitive_data.host_keys[i]);

		sensitive_data.server_key = tmp;
	}

	if (sensitive_data.ssh2_rsakex_key) {
		tmp = key_demote(sensitive_data.ssh2_rsakex_key);
		key_free(sensitive_data.ssh2_rsakex_key);
		sensitive_data.ssh2_rsakex_key = tmp;
	}

	for (i = 0; i < options.num_host_key_files; i++) {
		if (sensitive_data.host_keys[i]) {
			tmp = key_demote(sensitive_data.host_keys[i]);

	return (-1);
}

Key *
get_ssh2_rsakex_key(void)
{

	return (sensitive_data.ssh2_rsakex_key);
}

/*
 * returns 1 if connection should be dropped, 0 otherwise.
 * dropping starts at connection #max_startups_begin with a probability

	 *	bignum	iqmp			"
	 *	bignum	p			"
	 *	bignum	q			"
	 *	u_int	ephemeral_ssh2_key_follows
	 *	bignum	e	     (only if ephemeral_ssh2_key_follows == 1)
	 *	bignum	n			"
	 *	bignum	d			"
	 *	bignum	iqmp			"
	 *	bignum	p			"
	 *	bignum	q			"
	 */
	buffer_init(&m);
	buffer_put_cstring(&m, buffer_ptr(conf));

	} else
		buffer_put_int(&m, 0);

	if (sensitive_data.ssh2_rsakex_key != NULL &&
	    sensitive_data.ssh2_rsakex_key->type == KEY_RSA) {
		buffer_put_int(&m, 1);
		buffer_put_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->e);
		buffer_put_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->n);
		buffer_put_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->d);
		buffer_put_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->iqmp);
		buffer_put_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->p);
		buffer_put_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->q);
	} else
		buffer_put_int(&m, 0);

	if (ssh_msg_send(fd, 0, &m) == -1)
		fatal("%s: ssh_msg_send failed", __func__);


		rsa_generate_additional_parameters(
		    sensitive_data.server_key->rsa);
	}
	if (buffer_get_int(&m)) {
		if (sensitive_data.ssh2_rsakex_key != NULL)
			key_free(sensitive_data.ssh2_rsakex_key);
		sensitive_data.ssh2_rsakex_key = key_new_private(KEY_RSA);
		buffer_get_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->e);
		buffer_get_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->n);
		buffer_get_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->d);
		buffer_get_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->iqmp);
		buffer_get_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->p);
		buffer_get_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->q);
		rsa_generate_additional_parameters(
		    sensitive_data.ssh2_rsakex_key->rsa);
	}
	buffer_free(&m);

	debug3("%s: done", __func__);

			 * Mark that the key has been used (it
			 * was "given" to the child).
			 */
			if (key_used == 0) {
			    key_used == 0) {
				/* Schedule server key regeneration alarm. */
				signal(SIGALRM, key_regeneration_alarm);
				alarm(options.key_regeneration_time);

		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);

	SSLeay_add_all_algorithms();
	ERR_load_crypto_strings();

	/*
	 * Force logging to stderr until we have loaded the private host

	    log_stderr || !inetd_flag);

	sensitive_data.server_key = NULL;
	sensitive_data.ssh2_rsakex_key = NULL;
	sensitive_data.ssh1_host_key = NULL;
	sensitive_data.have_ssh1_key = 0;
	sensitive_data.have_ssh2_key = 0;

	if (inetd_flag) {
		server_accept_inetd(&sock_in, &sock_out);

		if (((options.protocol & SSH_PROTO_1) &&
		    sensitive_data.server_key == NULL) ||
		    ((options.protocol & SSH_PROTO_2) &&
		    sensitive_data.ssh2_rsakex_key == NULL))
 			generate_ephemeral_server_key();
	} else {
		server_listen();

		generate_ephemeral_server_key();
			generate_ephemeral_server_key();

		signal(SIGHUP, sighup_handler);
		signal(SIGCHLD, main_sigchld_handler);

		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
	}
	if (options.kexmethods != NULL)
		myproposal[PROPOSAL_KEX_ALGS] = options.kexmethods;

	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();


	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
	kex->kex[KEX_RSA_SHA1] = kexrsa_server;
	kex->server = 1;
	kex->client_version_string=client_version_string;
	kex->server_version_string=server_version_string;




file on logout.
The default is
.Dq yes .
.It Cm KexMethods
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
Available methods are
.Dq diffie-hellman-group-exchange-sha256 , 
.Dq diffie-hellman-group-exchange-sha1 ,
.Dq diffie-hellman-group14-sha1 ,
.Dq diffie-hellman-group1-sha1 ,
and
.Dq rsa1024-sha1 .
The default is:
.Bd -literal -offset 3n
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diffie-hellman-group1-sha1
.Ed
.It Cm KeyRegenerationInterval
In protocol version 1, the ephemeral server key is automatically regenerated
after this many seconds (if it has been used).

Lines 10-17 SRCS= authfd.c authfile.c bufaux.c bufbn Link Here

(-)lib/Makefile (-2 / +2 lines)
10	hostfile.c log.c match.c nchan.c packet.c readpass.c \	10	hostfile.c log.c match.c nchan.c packet.c readpass.c \
11	rsa.c ttymodes.c xmalloc.c atomicio.c \	11	rsa.c ttymodes.c xmalloc.c atomicio.c \
12	key.c dispatch.c kex.c mac.c uidswap.c uuencode.c misc.c \	12	key.c dispatch.c kex.c mac.c uidswap.c uuencode.c misc.c \
13	ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \	13	ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c kexrsa.c \
14	kexdhc.c kexgexc.c scard.c msg.c progressmeter.c dns.c \	14	kexdhc.c kexgexc.c kexrsac.c scard.c msg.c progressmeter.c dns.c \
15	monitor_fdpass.c md-sha256.c	15	monitor_fdpass.c md-sha256.c
16		16
17	DEBUGLIBS= no	17	DEBUGLIBS= no

Lines 16-22 SRCS= sshd.c auth-rhosts.c auth-passwd.c Link Here

(-)sshd/Makefile (-1 / +1 lines)
16	auth-skey.c auth-bsdauth.c auth2-hostbased.c auth2-kbdint.c \	16	auth-skey.c auth-bsdauth.c auth2-hostbased.c auth2-kbdint.c \
17	auth2-none.c auth2-passwd.c auth2-pubkey.c \	17	auth2-none.c auth2-passwd.c auth2-pubkey.c \
18	monitor_mm.c monitor.c monitor_wrap.c \	18	monitor_mm.c monitor.c monitor_wrap.c \
19	kexdhs.c kexgexs.c	19	kexdhs.c kexgexs.c kexrsas.c
20		20
21	.include <bsd.own.mk> # for KERBEROS and AFS	21	.include <bsd.own.mk> # for KERBEROS and AFS
22		22

Return to bug 1314

Lines 118-123 struct { Link Here

(-)monitor.c (+32 lines)
118		118
119	int mm_answer_moduli(int, Buffer *);	119	int mm_answer_moduli(int, Buffer *);
120	int mm_answer_sign(int, Buffer *);	120	int mm_answer_sign(int, Buffer *);
		121	int mm_answer_kexrsa_decrypt(int, Buffer *);
121	int mm_answer_pwnamallow(int, Buffer *);	122	int mm_answer_pwnamallow(int, Buffer *);
122	int mm_answer_auth2_read_banner(int, Buffer *);	123	int mm_answer_auth2_read_banner(int, Buffer *);
123	int mm_answer_authserv(int, Buffer *);	124	int mm_answer_authserv(int, Buffer *);
Lines 176-181 struct mon_table { Link Here
176	struct mon_table mon_dispatch_proto20[] = {	177	struct mon_table mon_dispatch_proto20[] = {
177	{MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},	178	{MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
178	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},	179	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
		180	{MONITOR_REQ_KEXRSA_DECRYPT, MON_ONCE, mm_answer_kexrsa_decrypt},
179	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},	181	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
180	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},	182	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
181	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},	183	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
Lines 202-207 struct mon_table mon_dispatch_proto20[] Link Here
202	struct mon_table mon_dispatch_postauth20[] = {	204	struct mon_table mon_dispatch_postauth20[] = {
203	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},	205	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
204	{MONITOR_REQ_SIGN, 0, mm_answer_sign},	206	{MONITOR_REQ_SIGN, 0, mm_answer_sign},
		207	{MONITOR_REQ_KEXRSA_DECRYPT, 0, mm_answer_kexrsa_decrypt},
205	{MONITOR_REQ_PTY, 0, mm_answer_pty},	208	{MONITOR_REQ_PTY, 0, mm_answer_pty},
206	{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},	209	{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
207	{MONITOR_REQ_TERM, 0, mm_answer_term},	210	{MONITOR_REQ_TERM, 0, mm_answer_term},
Lines 283-288 monitor_child_preauth(Authctxt *_authctx Link Here
283	/* Permit requests for moduli and signatures */	286	/* Permit requests for moduli and signatures */
284	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	287	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
285	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	288	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		289	monitor_permit(mon_dispatch, MONITOR_REQ_KEXRSA_DECRYPT, 1);
286	} else {	290	} else {
287	mon_dispatch = mon_dispatch_proto15;	291	mon_dispatch = mon_dispatch_proto15;
288		292
Lines 346-351 monitor_child_postauth(struct monitor *p Link Here
346	/* Permit requests for moduli and signatures */	350	/* Permit requests for moduli and signatures */
347	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	351	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
348	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	352	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		353	monitor_permit(mon_dispatch, MONITOR_REQ_KEXRSA_DECRYPT, 1);
349	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	354	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
350	} else {	355	} else {
351	mon_dispatch = mon_dispatch_postauth15;	356	mon_dispatch = mon_dispatch_postauth15;
Lines 528-533 mm_answer_sign(int sock, Buffer *m) Link Here
528	return (0);	533	return (0);
529	}	534	}
530		535
		536	int
		537	mm_answer_kexrsa_decrypt(int sock, Buffer *m)
		538	{
		539	u_char *secc;
		540	u_char *secp;
		541	u_int secplen, secclen;
		542	int rsafail;
		543
		544	debug3("%s", __func__);
		545
		546	secc = buffer_get_string(m, &secclen);
		547	rsafail = kexrsa_decrypt(&secp, &secplen, secc, secclen);
		548
		549	buffer_clear(m);
		550	buffer_put_int(m, rsafail);
		551	if (!rsafail)
		552	buffer_put_string(m, secp, secplen);
		553
		554	xfree(secc);
		555	xfree(secp);
		556
		557	mm_request_send(sock, MONITOR_ANS_KEXRSA_DECRYPT, m);
		558
		559	return (0);
		560	}
		561
531	/* Retrieves the password entry and also checks if the user is permitted */	562	/* Retrieves the password entry and also checks if the user is permitted */
532		563
533	int	564	int
Lines 1412-1417 mm_get_kex(Buffer *m) Link Here
1412	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;	1443	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
1413	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	1444	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
1414	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;	1445	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
		1446	kex->kex[KEX_RSA_SHA1] = kexrsa_server;
1415	kex->server = 1;	1447	kex->server = 1;
1416	kex->hostkey_type = buffer_get_int(m);	1448	kex->hostkey_type = buffer_get_int(m);
1417	kex->kex_type = buffer_get_int(m);	1449	kex->kex_type = buffer_get_int(m);

Lines 735-740 mm_ssh1_session_key(BIGNUM *num) Link Here

(-)monitor_wrap.c (+20 lines)
735	return (rsafail);	735	return (rsafail);
736	}	736	}
737		737
		738	int
		739	mm_kexrsa_decrypt(u_char *secpp, u_int secplenp,
		740	u_char *secc, u_int secclen)
		741	{
		742	int rsafail;
		743	Buffer m;
		744
		745	buffer_init(&m);
		746	buffer_put_string(&m, secc, secclen);
		747
		748	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEXRSA_DECRYPT, &m);
		749	mm_request_receive_expect(pmonitor->m_recvfd,
		750	MONITOR_ANS_KEXRSA_DECRYPT, &m);
		751	rsafail = buffer_get_int(&m);
		752	if (!rsafail)*secpp = buffer_get_string(&m, secplenp);
		753	buffer_free(&m);
		754
		755	return (rsafail);
		756	}
		757
738	static void	758	static void
739	mm_chall_setup(char name, char infotxt, u_int *numprompts,	759	mm_chall_setup(char name, char infotxt, u_int *numprompts,
740	char *prompts, u_int echo_on)	760	char *prompts, u_int echo_on)

Lines 587-592 it may be zero or more of: Link Here

(-)ssh_config.5 (+17 lines)
587	.Dq pam ,	587	.Dq pam ,
588	and	588	and
589	.Dq skey .	589	.Dq skey .
		590	.It Cm KexMethods
		591	Specifies the available KEX (Key Exchange) algorithms.
		592	Multiple algorithms must be comma-separated.
		593	Available methods are
		594	.Dq diffie-hellman-group-exchange-sha256 ,
		595	.Dq diffie-hellman-group-exchange-sha1 ,
		596	.Dq diffie-hellman-group14-sha1 ,
		597	.Dq diffie-hellman-group1-sha1 ,
		598	and
		599	.Dq rsa1024-sha1 .
		600	The default is:
		601	.Bd -literal -offset 3n
		602	diffie-hellman-group-exchange-sha256,
		603	diffie-hellman-group-exchange-sha1,
		604	diffie-hellman-group14-sha1,
		605	diffie-hellman-group1-sha1
		606	.Ed
590	.It Cm LocalCommand	607	.It Cm LocalCommand
591	Specifies a command to execute on the local machine after successfully	608	Specifies a command to execute on the local machine after successfully
592	connecting to the server.	609	connecting to the server.

Lines 422-427 Specifies whether to automatically destr Link Here

(-)sshd_config.5 (+17 lines)
422	file on logout.	422	file on logout.
423	The default is	423	The default is
424	.Dq yes .	424	.Dq yes .
		425	.It Cm KexMethods
		426	Specifies the available KEX (Key Exchange) algorithms.
		427	Multiple algorithms must be comma-separated.
		428	Available methods are
		429	.Dq diffie-hellman-group-exchange-sha256 ,
		430	.Dq diffie-hellman-group-exchange-sha1 ,
		431	.Dq diffie-hellman-group14-sha1 ,
		432	.Dq diffie-hellman-group1-sha1 ,
		433	and
		434	.Dq rsa1024-sha1 .
		435	The default is:
		436	.Bd -literal -offset 3n
		437	diffie-hellman-group-exchange-sha256,
		438	diffie-hellman-group-exchange-sha1,
		439	diffie-hellman-group14-sha1,
		440	diffie-hellman-group1-sha1
		441	.Ed
425	.It Cm KeyRegenerationInterval	442	.It Cm KeyRegenerationInterval
426	In protocol version 1, the ephemeral server key is automatically regenerated	443	In protocol version 1, the ephemeral server key is automatically regenerated
427	after this many seconds (if it has been used).	444	after this many seconds (if it has been used).

Lines 54-59 extern const EVP_MD *evp_ssh_sha256(void Link Here

(-)kex.c (+29 lines)
54	static void kex_kexinit_finish(Kex *);	54	static void kex_kexinit_finish(Kex *);
55	static void kex_choose_conf(Kex *);	55	static void kex_choose_conf(Kex *);
56		56
		57	/* Validate KEX method name list */
		58	int
		59	kexmeth_names_valid(const char *names)
		60	{
		61	char s, cp, *p;
		62
		63	if (names == NULL \|\| strcmp(names, "") == 0)
		64	return 0;
		65	s = cp = xstrdup(names);
		66	for ((p = strsep(&cp, ",")); p && *p != '\0';
		67	(p = strsep(&cp, ","))) {
		68	if (strcmp(p, KEX_DHGEX_SHA256) != 0 &&
		69	strcmp(p, KEX_DHGEX_SHA1) != 0 &&
		70	strcmp(p, KEX_DH14) != 0 &&
		71	strcmp(p, KEX_DH1) != 0 &&
		72	strcmp(p, KEX_RSA) != 0) {
		73	xfree(s);
		74	return 0;
		75	}
		76	}
		77	debug3("kex names ok: [%s]", names);
		78	xfree(s);
		79	return 1;
		80	}
		81
		82
57	/* put algorithm proposal into buffer */	83	/* put algorithm proposal into buffer */
58	static void	84	static void
59	kex_prop2buf(Buffer b, char proposal[PROPOSAL_MAX])	85	kex_prop2buf(Buffer b, char proposal[PROPOSAL_MAX])
Lines 312-317 choose_kex(Kex k, char client, char *s Link Here
312	} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {	342	} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
313	k->kex_type = KEX_DH_GEX_SHA256;	343	k->kex_type = KEX_DH_GEX_SHA256;
314	k->evp_md = evp_ssh_sha256();	344	k->evp_md = evp_ssh_sha256();
		345	} else if (strcmp(k->name, KEX_RSA) == 0) {
		346	k->kex_type = KEX_RSA_SHA1;
		347	k->evp_md = EVP_sha1();
315	} else	348	} else
316	fatal("bad kex alg %s", k->name);	349	fatal("bad kex alg %s", k->name);
317	}	350	}

Added Link Here

(-)kexrsa.c (+84 lines)
1	/*
2	* Copyright (c) 2001 Markus Friedl. All rights reserved.
3	*
4	* Redistribution and use in source and binary forms, with or without
5	* modification, are permitted provided that the following conditions
6	* are met:
7	* 1. Redistributions of source code must retain the above copyright
8	* notice, this list of conditions and the following disclaimer.
9	* 2. Redistributions in binary form must reproduce the above copyright
10	* notice, this list of conditions and the following disclaimer in the
11	* documentation and/or other materials provided with the distribution.
12	*
13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23	*/
24
25	#include <sys/types.h>
26
27	#include <openssl/evp.h>
28	#include <signal.h>
29
30	#include "buffer.h"
31	#include "key.h"
32	#include "cipher.h"
33	#include "kex.h"
34	#include "ssh2.h"
35
36	void
37	kexrsa_hash(
38	char *client_version_string,
39	char *server_version_string,
40	char *ckexinit, u_int ckexinitlen,
41	char *skexinit, u_int skexinitlen,
42	u_char *serverhostkeyblob, u_int sbloblen,
43	u_char *servertranskeyblob, u_int tbloblen,
44	u_char *encsecret, u_int encseclen,
45	BIGNUM *shared_secret,
46	u_char *hash, u_int hashlen)
47	{
48	Buffer b;
49	static u_char digest[EVP_MAX_MD_SIZE];
50	const EVP_MD *evp_md = EVP_sha1();
51	EVP_MD_CTX md;
52
53	buffer_init(&b);
54	buffer_put_cstring(&b, client_version_string);
55	buffer_put_cstring(&b, server_version_string);
56
57	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
58	buffer_put_int(&b, ckexinitlen+1);
59	buffer_put_char(&b, SSH2_MSG_KEXINIT);
60	buffer_append(&b, ckexinit, ckexinitlen);
61	buffer_put_int(&b, skexinitlen+1);
62	buffer_put_char(&b, SSH2_MSG_KEXINIT);
63	buffer_append(&b, skexinit, skexinitlen);
64
65	buffer_put_string(&b, serverhostkeyblob, sbloblen);
66	buffer_put_string(&b, servertranskeyblob, tbloblen);
67	buffer_put_string(&b, encsecret, encseclen);
68	buffer_put_bignum2(&b, shared_secret);
69
70	#ifdef DEBUG_KEX
71	buffer_dump(&b);
72	#endif
73	EVP_DigestInit(&md, evp_md);
74	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
75	EVP_DigestFinal(&md, digest, NULL);
76
77	buffer_free(&b);
78
79	#ifdef DEBUG_KEX
80	dump_digest("hash", digest, EVP_MD_size(evp_md));
81	#endif
82	*hash = digest;
83	*hashlen = EVP_MD_size(evp_md);
84	}

Added Link Here

(-)kexrsac.c (+146 lines)
1	/*
2	* Copyright (c) 2001 Markus Friedl. All rights reserved.
3	*
4	* Redistribution and use in source and binary forms, with or without
5	* modification, are permitted provided that the following conditions
6	* are met:
7	* 1. Redistributions of source code must retain the above copyright
8	* notice, this list of conditions and the following disclaimer.
9	* 2. Redistributions in binary form must reproduce the above copyright
10	* notice, this list of conditions and the following disclaimer in the
11	* documentation and/or other materials provided with the distribution.
12	*
13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23	*/
24
25	#include <sys/types.h>
26
27	#include <stdio.h>
28	#include <string.h>
29	#include <signal.h>
30
31	#include <openssl/evp.h>
32	#include <openssl/err.h>
33
34	#include "xmalloc.h"
35	#include "buffer.h"
36	#include "key.h"
37	#include "cipher.h"
38	#include "kex.h"
39	#include "log.h"
40	#include "packet.h"
41	#include "dh.h"
42	#include "ssh2.h"
43	#include "compat.h"
44
45	void
46	kexrsa_client(Kex *kex)
47	{
48	BIGNUM *shared_secret = NULL;
49	Key server_host_key, server_transient_key;
50	u_char *server_transient_key_blob = NULL;
51	u_char server_host_key_blob = NULL, signature = NULL;
52	u_char seccbuf, hash;
53	u_int slen, sbloblen, tbloblen, hashlen, secclen;
54	int rc, secret_bits;
55	Buffer secbuffer;
56
57	debug("expecting SSH2_MSG_KEXRSA_PUBKEY");
58	packet_read_expect(SSH2_MSG_KEXRSA_PUBKEY);
59
60	/* server public host key and certificates (K_S) */
61	server_host_key_blob = packet_get_string(&sbloblen);
62	server_host_key = key_from_blob(server_host_key_blob, sbloblen);
63	if (server_host_key == NULL)
64	fatal("cannot decode server_host_key_blob");
65	if (server_host_key->type != kex->hostkey_type)
66	fatal("type mismatch for decoded server_host_key_blob");
67	if (kex->verify_host_key == NULL)
68	fatal("cannot verify server_host_key");
69	if (kex->verify_host_key(server_host_key) == -1)
70	fatal("server_host_key verification failed");
71
72	/* K_T, transient RSA key */
73	server_transient_key_blob = packet_get_string(&tbloblen);
74	server_transient_key = key_from_blob(server_transient_key_blob,
75	tbloblen);
76
77	if (server_transient_key->type != KEY_RSA)
78	fatal("kexrsa_client: non-RSA transient key");
79	if (key_size(server_transient_key) < 1024)
80	fatal("kexrsa_client: transient key too small");
81
82	packet_check_eom();
83
84	secret_bits = key_size(server_transient_key) - 49 -
85	EVP_MD_size(kex->evp_md) * 8 * 2;
86	if ((shared_secret = BN_new()) == NULL)
87	fatal("kexrsa_client: BN_new failed");
88	if (!BN_rand(shared_secret, secret_bits, -1, 0))
89	fatal("kexrsa_client: BN_rand failed");
90
91	seccbuf = xmalloc(RSA_size(server_transient_key->rsa));
92	buffer_init(&secbuffer);
93	buffer_put_bignum2(&secbuffer, shared_secret);
94	if ((rc = RSA_public_encrypt(buffer_len(&secbuffer),
95	buffer_ptr(&secbuffer), seccbuf, server_transient_key->rsa,
96	RSA_PKCS1_OAEP_PADDING)) < 0) {
97	fatal("kexrsa_client: encryption failed: %s",
98	ERR_error_string(ERR_get_error(), NULL));
99	}
100	secclen = rc;
101	buffer_free(&secbuffer);
102	key_free(server_transient_key);
103	packet_start(SSH2_MSG_KEXRSA_SECRET);
104	packet_put_string(seccbuf, secclen);
105	packet_send();
106	debug("sending SSH2_MSG_KEXRSA_SECRET");
107
108	debug("expecting SSH2_MSG_KEXRSA_DONE");
109	packet_read_expect(SSH2_MSG_KEXRSA_DONE);
110
111	/* signed H */
112	signature = packet_get_string(&slen);
113	packet_check_eom();
114
115	/* calc and verify H */
116	kexrsa_hash(
117	kex->client_version_string,
118	kex->server_version_string,
119	buffer_ptr(&kex->my), buffer_len(&kex->my),
120	buffer_ptr(&kex->peer), buffer_len(&kex->peer),
121	server_host_key_blob, sbloblen,
122	server_transient_key_blob, tbloblen,
123	seccbuf, secclen,
124	shared_secret,
125	&hash, &hashlen
126	);
127	xfree(server_host_key_blob);
128	xfree(server_transient_key_blob);
129	xfree(seccbuf);
130
131	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
132	fatal("key_verify failed for server_host_key");
133	key_free(server_host_key);
134	xfree(signature);
135
136	/* save session id */
137	if (kex->session_id == NULL) {
138	kex->session_id_len = 20;
139	kex->session_id = xmalloc(kex->session_id_len);
140	memcpy(kex->session_id, hash, kex->session_id_len);
141	}
142
143	kex_derive_keys(kex, hash, hashlen, shared_secret);
144	BN_clear_free(shared_secret);
145	kex_finish(kex);
146	}

Added Link Here

(-)kexrsas.c (+147 lines)
1	/*
2	* Copyright (c) 2001 Markus Friedl. All rights reserved.
3	*
4	* Redistribution and use in source and binary forms, with or without
5	* modification, are permitted provided that the following conditions
6	* are met:
7	* 1. Redistributions of source code must retain the above copyright
8	* notice, this list of conditions and the following disclaimer.
9	* 2. Redistributions in binary form must reproduce the above copyright
10	* notice, this list of conditions and the following disclaimer in the
11	* documentation and/or other materials provided with the distribution.
12	*
13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23	*/
24
25	#include <sys/param.h>
26
27	#include <stdio.h>
28	#include <string.h>
29	#include <signal.h>
30
31	#include "xmalloc.h"
32	#include "buffer.h"
33	#include "key.h"
34	#include "cipher.h"
35	#include "kex.h"
36	#include "log.h"
37	#include "packet.h"
38	#include "dh.h"
39	#include "ssh2.h"
40	#include "compat.h"
41	#ifdef GSSAPI
42	#include "ssh-gss.h"
43	#endif
44	#include "misc.h"
45	#include "hostfile.h"
46	#include "auth.h"
47	#include "monitor_wrap.h"
48
49	#define KEXRSA_KEYLEN 1024
50
51	void
52	kexrsa_server(Kex *kex)
53	{
54	BIGNUM *shared_secret = NULL;
55	Key server_host_key, server_transient_key;
56	u_char secc, secp, hash, signature = NULL;
57	u_char *server_host_key_blob = NULL;
58	u_char *server_transient_key_blob = NULL;
59	u_int sbloblen, tbloblen, secclen, slen, hashlen, secplen;
60
61	/* generate transient RSA key pair */
62	server_transient_key = get_ssh2_rsakex_key();
63	key_to_blob(server_transient_key, &server_transient_key_blob,
64	&tbloblen);
65
66	if (kex->load_host_key == NULL)
67	fatal("Cannot load hostkey");
68	server_host_key = kex->load_host_key(kex->hostkey_type);
69	if (server_host_key == NULL)
70	fatal("Unsupported hostkey type %d", kex->hostkey_type);
71
72	key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
73
74	packet_start(SSH2_MSG_KEXRSA_PUBKEY);
75	packet_put_string(server_host_key_blob, sbloblen);
76	packet_put_string(server_transient_key_blob, tbloblen);
77	packet_send();
78
79	debug("expecting SSH2_MSG_KEXRSA_SECRET");
80	packet_read_expect(SSH2_MSG_KEXRSA_SECRET);
81	debug("got it");
82
83	secc = packet_get_string(&secclen);
84	if (PRIVSEP(kexrsa_decrypt(&secp, &secplen, secc, secclen)))
85	fatal("kexrsa: decryption error");
86	if (secplen < 4 \|\| get_u32(secp) > secplen - 4)
87	fatal("kexrsa_server: bad shared secret");
88	if ((shared_secret = BN_new()) == NULL)
89	fatal("kexrsa_server: BN_new failed");
90	BN_bin2bn(secp + 4, get_u32(secp), shared_secret);
91	bzero(secp, secplen);
92	xfree(secp);
93
94	/* calc H */
95	kexrsa_hash(
96	kex->client_version_string,
97	kex->server_version_string,
98	buffer_ptr(&kex->peer), buffer_len(&kex->peer),
99	buffer_ptr(&kex->my), buffer_len(&kex->my),
100	server_host_key_blob, sbloblen,
101	server_transient_key_blob, tbloblen,
102	secc, secclen,
103	shared_secret,
104	&hash, &hashlen
105	);
106	xfree(server_host_key_blob);
107	xfree(server_transient_key_blob);
108	xfree(secc);
109
110	/* save session id := H */
111	if (kex->session_id == NULL) {
112	kex->session_id_len = hashlen;
113	kex->session_id = xmalloc(kex->session_id_len);
114	memcpy(kex->session_id, hash, kex->session_id_len);
115	}
116
117	/* sign H */
118	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
119
120	/* destroy_sensitive_data(); */
121
122	/* send server hostkey and singed H */
123	packet_start(SSH2_MSG_KEXRSA_DONE);
124	packet_put_string(signature, slen);
125	packet_send();
126
127	xfree(signature);
128
129	kex_derive_keys(kex, hash, hashlen, shared_secret);
130	BN_clear_free(shared_secret);
131	kex_finish(kex);
132	}
133
134	int
135	kexrsa_decrypt(u_char *secpp, u_int secplenp, u_char *secc, u_int secclen)
136	{
137	Key *server_transient_key;
138	int rc;
139
140	server_transient_key = get_ssh2_rsakex_key();
141	*secpp = xmalloc(KEXRSA_KEYLEN / 8);
142	if ((rc = RSA_private_decrypt(secclen, secc, *secpp,
143	server_transient_key->rsa, RSA_PKCS1_OAEP_PADDING)) < 0)
144	return 1;
145	*secplenp = rc;
146	return 0;
147	}

Lines 127-132 typedef enum { Link Here

(-)readconf.c (+15 lines)
127	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,	127	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
128	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,	128	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
129	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,	129	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
		130	oKexMethods,
130	oDeprecated, oUnsupported	131	oDeprecated, oUnsupported
131	} OpCodes;	132	} OpCodes;
132		133
Lines 223-228 static struct { Link Here
223	{ "tunneldevice", oTunnelDevice },	224	{ "tunneldevice", oTunnelDevice },
224	{ "localcommand", oLocalCommand },	225	{ "localcommand", oLocalCommand },
225	{ "permitlocalcommand", oPermitLocalCommand },	226	{ "permitlocalcommand", oPermitLocalCommand },
		227	{ "kexmethods", oKexMethods },
226	{ NULL, oBadOption }	228	{ NULL, oBadOption }
227	};	229	};
228		230
Lines 662-667 parse_int: Link Here
662	options->macs = xstrdup(arg);	664	options->macs = xstrdup(arg);
663	break;	665	break;
664		666
		667	case oKexMethods:
		668	arg = strdelim(&s);
		669	if (!arg \|\| *arg == '\0')
		670	fatal("%.200s line %d: Missing argument.", filename, linenum);
		671	if (!kexmeth_names_valid(arg))
		672	fatal("%.200s line %d: Bad SSH2 KexMethods spec '%s'.",
		673	filename, linenum, arg ? arg : "<NONE>");
		674	if (*activep && options->kexmethods == NULL)
		675	options->kexmethods = xstrdup(arg);
		676	break;
		677
665	case oHostKeyAlgorithms:	678	case oHostKeyAlgorithms:
666	arg = strdelim(&s);	679	arg = strdelim(&s);
667	if (!arg \|\| *arg == '\0')	680	if (!arg \|\| *arg == '\0')
Lines 1025-1030 initialize_options(Options * options) Link Here
1025	options->cipher = -1;	1038	options->cipher = -1;
1026	options->ciphers = NULL;	1039	options->ciphers = NULL;
1027	options->macs = NULL;	1040	options->macs = NULL;
		1041	options->kexmethods = NULL;
1028	options->hostkeyalgorithms = NULL;	1042	options->hostkeyalgorithms = NULL;
1029	options->protocol = SSH_PROTO_UNKNOWN;	1043	options->protocol = SSH_PROTO_UNKNOWN;
1030	options->num_identity_files = 0;	1044	options->num_identity_files = 0;
Lines 1129-1134 fill_default_options(Options * options) Link Here
1129	options->cipher = SSH_CIPHER_NOT_SET;	1143	options->cipher = SSH_CIPHER_NOT_SET;
1130	/* options->ciphers, default set in myproposals.h */	1144	/* options->ciphers, default set in myproposals.h */
1131	/* options->macs, default set in myproposals.h */	1145	/* options->macs, default set in myproposals.h */
		1146	/* options->kexmethods, default set in myproposals.h */
1132	/* options->hostkeyalgorithms, default set in myproposals.h */	1147	/* options->hostkeyalgorithms, default set in myproposals.h */
1133	if (options->protocol == SSH_PROTO_UNKNOWN)	1148	if (options->protocol == SSH_PROTO_UNKNOWN)
1134	options->protocol = SSH_PROTO_1\|SSH_PROTO_2;	1149	options->protocol = SSH_PROTO_1\|SSH_PROTO_2;

Lines 98-103 initialize_server_options(ServerOptions Link Here

(-)servconf.c (-1 / +14 lines)
98	options->num_deny_groups = 0;	98	options->num_deny_groups = 0;
99	options->ciphers = NULL;	99	options->ciphers = NULL;
100	options->macs = NULL;	100	options->macs = NULL;
		101	options->kexmethods = NULL;
101	options->protocol = SSH_PROTO_UNKNOWN;	102	options->protocol = SSH_PROTO_UNKNOWN;
102	options->gateway_ports = -1;	103	options->gateway_ports = -1;
103	options->num_subsystems = 0;	104	options->num_subsystems = 0;
Lines 266-272 typedef enum { Link Here
266	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,	267	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
267	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,	268	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
268	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,	269	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
269	sMatch, sPermitOpen, sForceCommand,	270	sMatch, sPermitOpen, sForceCommand, sKexMethods,
270	sUsePrivilegeSeparation,	271	sUsePrivilegeSeparation,
271	sDeprecated, sUnsupported	272	sDeprecated, sUnsupported
272	} ServerOpCodes;	273	} ServerOpCodes;
Lines 347-352 static struct { Link Here
347	{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },	348	{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
348	{ "ciphers", sCiphers, SSHCFG_GLOBAL },	349	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
349	{ "macs", sMacs, SSHCFG_GLOBAL },	350	{ "macs", sMacs, SSHCFG_GLOBAL },
		351	{ "kexmethods", sKexMethods, SSHCFG_GLOBAL },
350	{ "protocol", sProtocol, SSHCFG_GLOBAL },	352	{ "protocol", sProtocol, SSHCFG_GLOBAL },
351	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },	353	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
352	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },	354	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
Lines 1021-1026 parse_flag: Link Here
1021	filename, linenum, arg ? arg : "<NONE>");	1023	filename, linenum, arg ? arg : "<NONE>");
1022	if (options->macs == NULL)	1024	if (options->macs == NULL)
1023	options->macs = xstrdup(arg);	1025	options->macs = xstrdup(arg);
		1026	break;
		1027
		1028	case sKexMethods:
		1029	arg = strdelim(&cp);
		1030	if (!arg \|\| *arg == '\0')
		1031	fatal("%s line %d: Missing argument.", filename, linenum);
		1032	if (!kexmeth_names_valid(arg))
		1033	fatal("%s line %d: Bad SSH2 KexMethods spec '%s'.",
		1034	filename, linenum, arg ? arg : "<NONE>");
		1035	if (options->kexmethods == NULL)
		1036	options->kexmethods = xstrdup(arg);
1024	break;	1037	break;
1025		1038
1026	case sProtocol:	1039	case sProtocol:

Lines 64-69 Link Here

(-)sshd.c (-21 / +89 lines)
64		64
65	#include <openssl/dh.h>	65	#include <openssl/dh.h>
66	#include <openssl/bn.h>	66	#include <openssl/bn.h>
		67	#include <openssl/err.h>
67	#include <openssl/md5.h>	68	#include <openssl/md5.h>
68	#include <openssl/rand.h>	69	#include <openssl/rand.h>
69		70
Lines 186-191 Kex *xxx_kex; Link Here
186	*/	187	*/
187	struct {	188	struct {
188	Key server_key; / ephemeral server key */	189	Key server_key; / ephemeral server key */
		190	Key ssh2_rsakex_key; / ssh2 RSA KEX key */
189	Key ssh1_host_key; / ssh1 host key */	191	Key ssh1_host_key; / ssh1 host key */
190	Key *host_keys; / all private host keys */	192	Key *host_keys; / all private host keys */
191	int have_ssh1_key;	193	int have_ssh1_key;
Lines 352-372 generate_ephemeral_server_key(void) Link Here
352	u_int32_t rnd = 0;	354	u_int32_t rnd = 0;
353	int i;	355	int i;
354		356
355	verbose("Generating %s%d bit RSA key.",	357	if (options.protocol & SSH_PROTO_1) {
356	sensitive_data.server_key ? "new " : "", options.server_key_bits);	358	verbose("Generating %s%d bit RSA key.",
357	if (sensitive_data.server_key != NULL)	359	sensitive_data.server_key ? "new " : "",
358	key_free(sensitive_data.server_key);	360	options.server_key_bits);
359	sensitive_data.server_key = key_generate(KEY_RSA1,	361	if (sensitive_data.server_key != NULL)
360	options.server_key_bits);	362	key_free(sensitive_data.server_key);
361	verbose("RSA key generation complete.");	363	sensitive_data.server_key = key_generate(KEY_RSA1,
362		364	options.server_key_bits);
363	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {	365	verbose("RSA key generation complete.");
364	if (i % 4 == 0)	366
365	rnd = arc4random();	367	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
366	sensitive_data.ssh1_cookie[i] = rnd & 0xff;	368	if (i % 4 == 0)
367	rnd >>= 8;	369	rnd = arc4random();
		370	sensitive_data.ssh1_cookie[i] = rnd & 0xff;
		371	rnd >>= 8;
		372	}
		373	arc4random_stir();
		374	}
		375
		376	if (options.protocol & SSH_PROTO_2) {
		377	verbose("Generating %s1024 bit RSA key for SSH-2.",
		378	sensitive_data.ssh2_rsakex_key ? "new " : "");
		379	if (sensitive_data.ssh2_rsakex_key != NULL)
		380	key_free(sensitive_data.ssh2_rsakex_key);
		381	sensitive_data.ssh2_rsakex_key = key_generate(KEY_RSA, 1024);
		382	verbose("RSA key generation complete.");
368	}	383	}
369	arc4random_stir();
370	}	384	}
371		385
372	/ARGSUSED/	386	/ARGSUSED/
Lines 525-530 destroy_sensitive_data(void) Link Here
525	key_free(sensitive_data.server_key);	539	key_free(sensitive_data.server_key);
526	sensitive_data.server_key = NULL;	540	sensitive_data.server_key = NULL;
527	}	541	}
		542	if (sensitive_data.ssh2_rsakex_key) {
		543	key_free(sensitive_data.ssh2_rsakex_key);
		544	sensitive_data.ssh2_rsakex_key = NULL;
		545	}
528	for (i = 0; i < options.num_host_key_files; i++) {	546	for (i = 0; i < options.num_host_key_files; i++) {
529	if (sensitive_data.host_keys[i]) {	547	if (sensitive_data.host_keys[i]) {
530	key_free(sensitive_data.host_keys[i]);	548	key_free(sensitive_data.host_keys[i]);
Lines 548-553 demote_sensitive_data(void) Link Here
548	sensitive_data.server_key = tmp;	566	sensitive_data.server_key = tmp;
549	}	567	}
550		568
		569	if (sensitive_data.ssh2_rsakex_key) {
		570	tmp = key_demote(sensitive_data.ssh2_rsakex_key);
		571	key_free(sensitive_data.ssh2_rsakex_key);
		572	sensitive_data.ssh2_rsakex_key = tmp;
		573	}
		574
551	for (i = 0; i < options.num_host_key_files; i++) {	575	for (i = 0; i < options.num_host_key_files; i++) {
552	if (sensitive_data.host_keys[i]) {	576	if (sensitive_data.host_keys[i]) {
553	tmp = key_demote(sensitive_data.host_keys[i]);	577	tmp = key_demote(sensitive_data.host_keys[i]);
Lines 756-761 get_hostkey_index(Key *key) Link Here
756	return (-1);	780	return (-1);
757	}	781	}
758		782
		783	Key *
		784	get_ssh2_rsakex_key(void)
		785	{
		786
		787	return (sensitive_data.ssh2_rsakex_key);
		788	}
		789
759	/*	790	/*
760	* returns 1 if connection should be dropped, 0 otherwise.	791	* returns 1 if connection should be dropped, 0 otherwise.
761	* dropping starts at connection #max_startups_begin with a probability	792	* dropping starts at connection #max_startups_begin with a probability
Lines 814-819 send_rexec_state(int fd, Buffer *conf) Link Here
814	* bignum iqmp "	845	* bignum iqmp "
815	* bignum p "	846	* bignum p "
816	* bignum q "	847	* bignum q "
		848	* u_int ephemeral_ssh2_key_follows
		849	* bignum e (only if ephemeral_ssh2_key_follows == 1)
		850	* bignum n "
		851	* bignum d "
		852	* bignum iqmp "
		853	* bignum p "
		854	* bignum q "
817	*/	855	*/
818	buffer_init(&m);	856	buffer_init(&m);
819	buffer_put_cstring(&m, buffer_ptr(conf));	857	buffer_put_cstring(&m, buffer_ptr(conf));
Lines 830-835 send_rexec_state(int fd, Buffer *conf) Link Here
830	} else	868	} else
831	buffer_put_int(&m, 0);	869	buffer_put_int(&m, 0);
832		870
		871	if (sensitive_data.ssh2_rsakex_key != NULL &&
		872	sensitive_data.ssh2_rsakex_key->type == KEY_RSA) {
		873	buffer_put_int(&m, 1);
		874	buffer_put_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->e);
		875	buffer_put_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->n);
		876	buffer_put_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->d);
		877	buffer_put_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->iqmp);
		878	buffer_put_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->p);
		879	buffer_put_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->q);
		880	} else
		881	buffer_put_int(&m, 0);
		882
833	if (ssh_msg_send(fd, 0, &m) == -1)	883	if (ssh_msg_send(fd, 0, &m) == -1)
834	fatal("%s: ssh_msg_send failed", __func__);	884	fatal("%s: ssh_msg_send failed", __func__);
835		885
Lines 872-877 recv_rexec_state(int fd, Buffer *conf) Link Here
872	rsa_generate_additional_parameters(	922	rsa_generate_additional_parameters(
873	sensitive_data.server_key->rsa);	923	sensitive_data.server_key->rsa);
874	}	924	}
		925	if (buffer_get_int(&m)) {
		926	if (sensitive_data.ssh2_rsakex_key != NULL)
		927	key_free(sensitive_data.ssh2_rsakex_key);
		928	sensitive_data.ssh2_rsakex_key = key_new_private(KEY_RSA);
		929	buffer_get_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->e);
		930	buffer_get_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->n);
		931	buffer_get_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->d);
		932	buffer_get_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->iqmp);
		933	buffer_get_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->p);
		934	buffer_get_bignum(&m, sensitive_data.ssh2_rsakex_key->rsa->q);
		935	rsa_generate_additional_parameters(
		936	sensitive_data.ssh2_rsakex_key->rsa);
		937	}
875	buffer_free(&m);	938	buffer_free(&m);
876		939
877	debug3("%s: done", __func__);	940	debug3("%s: done", __func__);
Lines 1169-1176 server_accept_loop(int sock_in, int so Link Here
1169	* Mark that the key has been used (it	1232	* Mark that the key has been used (it
1170	* was "given" to the child).	1233	* was "given" to the child).
1171	*/	1234	*/
1172	if ((options.protocol & SSH_PROTO_1) &&	1235	if (key_used == 0) {
1173	key_used == 0) {
1174	/* Schedule server key regeneration alarm. */	1236	/* Schedule server key regeneration alarm. */
1175	signal(SIGALRM, key_regeneration_alarm);	1237	signal(SIGALRM, key_regeneration_alarm);
1176	alarm(options.key_regeneration_time);	1238	alarm(options.key_regeneration_time);
Lines 1329-1334 main(int ac, char **av) Link Here
1329	closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);	1391	closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
1330		1392
1331	SSLeay_add_all_algorithms();	1393	SSLeay_add_all_algorithms();
		1394	ERR_load_crypto_strings();
1332		1395
1333	/*	1396	/*
1334	* Force logging to stderr until we have loaded the private host	1397	* Force logging to stderr until we have loaded the private host
Lines 1342-1347 main(int ac, char **av) Link Here
1342	log_stderr \|\| !inetd_flag);	1405	log_stderr \|\| !inetd_flag);
1343		1406
1344	sensitive_data.server_key = NULL;	1407	sensitive_data.server_key = NULL;
		1408	sensitive_data.ssh2_rsakex_key = NULL;
1345	sensitive_data.ssh1_host_key = NULL;	1409	sensitive_data.ssh1_host_key = NULL;
1346	sensitive_data.have_ssh1_key = 0;	1410	sensitive_data.have_ssh1_key = 0;
1347	sensitive_data.have_ssh2_key = 0;	1411	sensitive_data.have_ssh2_key = 0;
Lines 1509-1522 main(int ac, char **av) Link Here
1509	if (inetd_flag) {	1573	if (inetd_flag) {
1510	server_accept_inetd(&sock_in, &sock_out);	1574	server_accept_inetd(&sock_in, &sock_out);
1511		1575
1512	if ((options.protocol & SSH_PROTO_1) &&	1576	if (((options.protocol & SSH_PROTO_1) &&
1513	sensitive_data.server_key == NULL)	1577	sensitive_data.server_key == NULL) \|\|
1514	generate_ephemeral_server_key();	1578	((options.protocol & SSH_PROTO_2) &&
		1579	sensitive_data.ssh2_rsakex_key == NULL))
		1580	generate_ephemeral_server_key();
1515	} else {	1581	} else {
1516	server_listen();	1582	server_listen();
1517		1583
1518	if (options.protocol & SSH_PROTO_1)	1584	generate_ephemeral_server_key();
1519	generate_ephemeral_server_key();
1520		1585
1521	signal(SIGHUP, sighup_handler);	1586	signal(SIGHUP, sighup_handler);
1522	signal(SIGCHLD, main_sigchld_handler);	1587	signal(SIGCHLD, main_sigchld_handler);
Lines 1995-2000 do_ssh2_kex(void) Link Here
1995	myproposal[PROPOSAL_COMP_ALGS_CTOS] =	2060	myproposal[PROPOSAL_COMP_ALGS_CTOS] =
1996	myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";	2061	myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
1997	}	2062	}
		2063	if (options.kexmethods != NULL)
		2064	myproposal[PROPOSAL_KEX_ALGS] = options.kexmethods;
1998		2065
1999	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();	2066	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2000		2067
Lines 2004-2009 do_ssh2_kex(void) Link Here
2004	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;	2071	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
2005	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	2072	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2006	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;	2073	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
		2074	kex->kex[KEX_RSA_SHA1] = kexrsa_server;
2007	kex->server = 1;	2075	kex->server = 1;
2008	kex->client_version_string=client_version_string;	2076	kex->client_version_string=client_version_string;
2009	kex->server_version_string=server_version_string;	2077	kex->server_version_string=server_version_string;