diff options
author | Damien Miller <djm@mindrot.org> | 2014-05-15 14:24:09 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2014-05-15 14:24:09 +1000 |
commit | 1f0311c7c7d10c94ff7f823de9c5b2ed79368b14 (patch) | |
tree | ae708c2a25f84a04bcb04f2dbf3e8039e0f692bc /sshd.c | |
parent | c5893785564498cea73cb60d2cf199490483e080 (diff) | |
download | openssh-git-1f0311c7c7d10c94ff7f823de9c5b2ed79368b14.tar.gz |
- markus@cvs.openbsd.org 2014/04/29 18:01:49
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
[kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
[roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
[ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm
Diffstat (limited to 'sshd.c')
-rw-r--r-- | sshd.c | 42 |
1 files changed, 38 insertions, 4 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.425 2014/04/19 14:53:48 tedu Exp $ */ +/* $OpenBSD: sshd.c,v 1.426 2014/04/29 18:01:49 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -72,10 +72,12 @@ #include <string.h> #include <unistd.h> +#ifdef WITH_OPENSSL #include <openssl/dh.h> #include <openssl/bn.h> #include <openssl/rand.h> #include "openbsd-compat/openssl-compat.h" +#endif #ifdef HAVE_SECUREWARE #include <sys/security.h> @@ -98,7 +100,6 @@ #include "digest.h" #include "key.h" #include "kex.h" -#include "dh.h" #include "myproposal.h" #include "authfile.h" #include "pathnames.h" @@ -256,7 +257,9 @@ struct passwd *privsep_pw = NULL; void destroy_sensitive_data(void); void demote_sensitive_data(void); +#ifdef WITH_SSH1 static void do_ssh1_kex(void); +#endif static void do_ssh2_kex(void); /* @@ -931,7 +934,13 @@ static void usage(void) { fprintf(stderr, "%s, %s\n", - SSH_RELEASE, SSLeay_version(SSLEAY_VERSION)); + SSH_RELEASE, +#ifdef WITH_OPENSSL + SSLeay_version(SSLEAY_VERSION) +#else + "without OpenSSL" +#endif + ); fprintf(stderr, "usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n" " [-E log_file] [-f config_file] [-g login_grace_time]\n" @@ -964,6 +973,7 @@ send_rexec_state(int fd, Buffer *conf) buffer_init(&m); buffer_put_cstring(&m, buffer_ptr(conf)); +#ifdef WITH_SSH1 if (sensitive_data.server_key != NULL && sensitive_data.server_key->type == KEY_RSA1) { buffer_put_int(&m, 1); @@ -974,6 +984,7 @@ send_rexec_state(int fd, Buffer *conf) buffer_put_bignum(&m, sensitive_data.server_key->rsa->p); buffer_put_bignum(&m, sensitive_data.server_key->rsa->q); } else +#endif buffer_put_int(&m, 0); #ifndef OPENSSL_PRNG_ONLY @@ -1010,6 +1021,7 @@ recv_rexec_state(int fd, Buffer *conf) free(cp); if (buffer_get_int(&m)) { +#ifdef WITH_SSH1 if (sensitive_data.server_key != NULL) key_free(sensitive_data.server_key); sensitive_data.server_key = key_new_private(KEY_RSA1); @@ -1021,6 +1033,9 @@ recv_rexec_state(int fd, Buffer *conf) buffer_get_bignum(&m, sensitive_data.server_key->rsa->q); rsa_generate_additional_parameters( sensitive_data.server_key->rsa); +#else + fatal("ssh1 not supported"); +#endif } #ifndef OPENSSL_PRNG_ONLY @@ -1543,7 +1558,9 @@ main(int ac, char **av) else closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); +#ifdef WITH_OPENSSL OpenSSL_add_all_algorithms(); +#endif /* If requested, redirect the logs to the specified logfile. */ if (logfile != NULL) { @@ -1648,7 +1665,12 @@ main(int ac, char **av) } debug("sshd version %s, %s", SSH_VERSION, - SSLeay_version(SSLEAY_VERSION)); +#ifdef WITH_OPENSSL + SSLeay_version(SSLEAY_VERSION) +#else + "without OpenSSL" +#endif + ); /* Store privilege separation user for later use if required. */ if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { @@ -1770,6 +1792,8 @@ main(int ac, char **av) debug("host certificate: #%d type %d %s", j, key->type, key_type(key)); } + +#ifdef WITH_SSH1 /* Check certain values for sanity. */ if (options.protocol & SSH_PROTO_1) { if (options.server_key_bits < 512 || @@ -1794,6 +1818,7 @@ main(int ac, char **av) options.server_key_bits); } } +#endif if (use_privsep) { struct stat st; @@ -2077,8 +2102,12 @@ main(int ac, char **av) do_ssh2_kex(); do_authentication2(authctxt); } else { +#ifdef WITH_SSH1 do_ssh1_kex(); do_authentication(authctxt); +#else + fatal("ssh1 not supported"); +#endif } /* * If we use privilege separation, the unprivileged child transfers @@ -2162,6 +2191,7 @@ main(int ac, char **av) exit(0); } +#ifdef WITH_SSH1 /* * Decrypt session_key_int using our private server key and private host key * (key with larger modulus first). @@ -2211,6 +2241,7 @@ ssh1_session_key(BIGNUM *session_key_int) } return (rsafail); } + /* * SSH1 key exchange */ @@ -2388,6 +2419,7 @@ do_ssh1_kex(void) packet_send(); packet_write_wait(); } +#endif void sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, u_int *slen, @@ -2450,11 +2482,13 @@ do_ssh2_kex(void) /* start key exchange */ kex = kex_setup(myproposal); +#ifdef WITH_OPENSSL kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server; +#endif kex->kex[KEX_C25519_SHA256] = kexc25519_server; kex->server = 1; kex->client_version_string=client_version_string; |