Context Navigation

source: trunk/third/openssh/compat.c @ 16804

Visit:

Revision 16804, 6.1 KB checked in by ghudson, 23 years ago (diff)
From jhawk: Add server-side compatibility with SSH.COM's V1 krb5 implementation: Factor out TGT passing handling from do_authenticate1() into do_auth1_kerberos_tgt_pass(). Also call do_auth1_kerberos_tgt_pass() from do_authloop(). Adjust auth_krb5_tgt() so that it will handle being called before auth_krb5() -- i.e. initialize contexts, etc.

Line
1	/*
2	* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
3	*
4	* Redistribution and use in source and binary forms, with or without
5	* modification, are permitted provided that the following conditions
6	* are met:
7	* 1. Redistributions of source code must retain the above copyright
8	* notice, this list of conditions and the following disclaimer.
9	* 2. Redistributions in binary form must reproduce the above copyright
10	* notice, this list of conditions and the following disclaimer in the
11	* documentation and/or other materials provided with the distribution.
12	*
13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23	*/
24
25	#include "includes.h"
26	RCSID("$OpenBSD: compat.c,v 1.53 2001/09/20 13:50:40 markus Exp $");
27
28	#ifdef HAVE_LIBPCRE
29	# include <pcreposix.h>
30	#else /* Use native regex libraries */
31	# ifdef HAVE_REGEX_H
32	# include <regex.h>
33	# else
34	# include "openbsd-compat/fake-regex.h"
35	# endif
36	#endif /* HAVE_LIBPCRE */
37
38	#include "packet.h"
39	#include "xmalloc.h"
40	#include "compat.h"
41	#include "log.h"
42
43	int compat13 = 0;
44	int compat20 = 0;
45	int datafellows = 0;
46
47	void
48	enable_compat20(void)
49	{
50	verbose("Enabling compatibility mode for protocol 2.0");
51	compat20 = 1;
52	}
53	void
54	enable_compat13(void)
55	{
56	verbose("Enabling compatibility mode for protocol 1.3");
57	compat13 = 1;
58	}
59	/* datafellows bug compatibility */
60	void
61	compat_datafellows(const char *version)
62	{
63	int i, ret;
64	char ebuf[1024];
65	regex_t reg;
66	static struct {
67	char *pat;
68	int bugs;
69	} check[] = {
70	{ "^OpenSSH[-_]2\\.[012]",
71	SSH_OLD_SESSIONID\|SSH_BUG_BANNER\|
72	SSH_OLD_DHGEX\|SSH_BUG_NOREKEY },
73	{ "^OpenSSH_2\\.3\\.0", SSH_BUG_BANNER\|SSH_BUG_BIGENDIANAES\|
74	SSH_OLD_DHGEX\|SSH_BUG_NOREKEY},
75	{ "^OpenSSH_2\\.3\\.", SSH_BUG_BIGENDIANAES\|SSH_OLD_DHGEX\|
76	SSH_BUG_NOREKEY},
77	{ "^OpenSSH_2\\.5\\.[01]p1",
78	SSH_BUG_BIGENDIANAES\|SSH_OLD_DHGEX\|
79	SSH_BUG_NOREKEY },
80	{ "^OpenSSH_2\\.5\\.[012]",
81	SSH_OLD_DHGEX\|SSH_BUG_NOREKEY },
82	{ "^OpenSSH_2\\.5\\.3",
83	SSH_BUG_NOREKEY },
84	{ "^OpenSSH", 0 },
85	{ "MindTerm", 0 },
86	{ "^2\\.1\\.0", SSH_BUG_SIGBLOB\|SSH_BUG_HMAC\|
87	SSH_OLD_SESSIONID\|SSH_BUG_DEBUG\|
88	SSH_BUG_RSASIGMD5\|SSH_BUG_HBSERVICE },
89	{ "^2\\.1 ", SSH_BUG_SIGBLOB\|SSH_BUG_HMAC\|
90	SSH_OLD_SESSIONID\|SSH_BUG_DEBUG\|
91	SSH_BUG_RSASIGMD5\|SSH_BUG_HBSERVICE },
92	{ "^2\\.0\\.1[3-9]", SSH_BUG_SIGBLOB\|SSH_BUG_HMAC\|
93	SSH_OLD_SESSIONID\|SSH_BUG_DEBUG\|
94	SSH_BUG_PKSERVICE\|SSH_BUG_X11FWD\|
95	SSH_BUG_PKOK\|SSH_BUG_RSASIGMD5\|
96	SSH_BUG_HBSERVICE\|SSH_BUG_OPENFAILURE\|
97	SSH_BUG_DUMMYCHAN },
98	{ "^2\\.0\\.1[1-2]", SSH_BUG_SIGBLOB\|SSH_BUG_HMAC\|
99	SSH_OLD_SESSIONID\|SSH_BUG_DEBUG\|
100	SSH_BUG_PKSERVICE\|SSH_BUG_X11FWD\|
101	SSH_BUG_PKAUTH\|SSH_BUG_PKOK\|
102	SSH_BUG_RSASIGMD5\|SSH_BUG_OPENFAILURE\|
103	SSH_BUG_DUMMYCHAN },
104	{ "^2\\.0\\.", SSH_BUG_SIGBLOB\|SSH_BUG_HMAC\|
105	SSH_OLD_SESSIONID\|SSH_BUG_DEBUG\|
106	SSH_BUG_PKSERVICE\|SSH_BUG_X11FWD\|
107	SSH_BUG_PKAUTH\|SSH_BUG_PKOK\|
108	SSH_BUG_RSASIGMD5\|SSH_BUG_OPENFAILURE\|
109	SSH_BUG_DERIVEKEY\|SSH_BUG_DUMMYCHAN },
110	{ "^2\\.[23]\\.0", SSH_BUG_HMAC\|SSH_BUG_DEBUG\|
111	SSH_BUG_RSASIGMD5 },
112	{ "^2\\.3\\.", SSH_BUG_DEBUG\|SSH_BUG_RSASIGMD5 },
113	{ "^2\\.[2-9]\\.", SSH_BUG_DEBUG },
114	{ "^3\\.0\\.", SSH_BUG_DEBUG },
115	{ "^2\\.4$", SSH_OLD_SESSIONID }, /* Van Dyke */
116	{ "^3\\.0 SecureCRT", SSH_OLD_SESSIONID },
117	{ "^1\\.7 SecureFX", SSH_OLD_SESSIONID },
118	{ "^1\\.2\\.1[89]", SSH_BUG_IGNOREMSG\|SSH_OLD_KRB5 },
119	{ "^1\\.2\\.2[012]", SSH_BUG_IGNOREMSG\|SSH_OLD_KRB5 },
120	{ "^1\\.3\\.2", SSH_BUG_IGNOREMSG\|SSH_OLD_KRB5 },
121	/* f-secure */
122	{ "^1\\.", SSH_OLD_KRB5 },
123	{ "^SSH Compatible Server", /* Netscreen */
124	SSH_BUG_PASSWORDPAD },
125	{ "^OSU_0", SSH_BUG_PASSWORDPAD },
126	{ "^OSU_1\\.[0-4]", SSH_BUG_PASSWORDPAD },
127	{ "^OSU_1\\.5alpha[1-3]",
128	SSH_BUG_PASSWORDPAD },
129	{ "^SSH_Version_Mapper",
130	SSH_BUG_SCANNER },
131	{ NULL, 0 }
132	};
133	/* process table, return first match */
134	for (i = 0; check[i].pat; i++) {
135	ret = regcomp(&reg, check[i].pat, REG_EXTENDED\|REG_NOSUB);
136	if (ret != 0) {
137	regerror(ret, &reg, ebuf, sizeof(ebuf));
138	ebuf[sizeof(ebuf)-1] = '\0';
139	error("regerror: %s", ebuf);
140	continue;
141	}
142	ret = regexec(&reg, version, 0, NULL, 0);
143	regfree(&reg);
144	if (ret == 0) {
145	debug("match: %s pat %s", version, check[i].pat);
146	datafellows = check[i].bugs;
147	return;
148	}
149	}
150	debug("no match: %s", version);
151	}
152
153	#define SEP ","
154	int
155	proto_spec(const char *spec)
156	{
157	char s, p, *q;
158	int ret = SSH_PROTO_UNKNOWN;
159
160	if (spec == NULL)
161	return ret;
162	q = s = xstrdup(spec);
163	for ((p = strsep(&q, SEP)); p && *p != '\0'; (p = strsep(&q, SEP))) {
164	switch(atoi(p)) {
165	case 1:
166	if (ret == SSH_PROTO_UNKNOWN)
167	ret \|= SSH_PROTO_1_PREFERRED;
168	ret \|= SSH_PROTO_1;
169	break;
170	case 2:
171	ret \|= SSH_PROTO_2;
172	break;
173	default:
174	log("ignoring bad proto spec: '%s'.", p);
175	break;
176	}
177	}
178	xfree(s);
179	return ret;
180	}
181
182	char *
183	compat_cipher_proposal(char *cipher_prop)
184	{
185	char orig_prop, fix_ciphers;
186	char cp, tmp;
187	size_t len;
188
189	if (!(datafellows & SSH_BUG_BIGENDIANAES))
190	return(cipher_prop);
191
192	len = strlen(cipher_prop) + 1;
193	fix_ciphers = xmalloc(len);
194	*fix_ciphers = '\0';
195	tmp = orig_prop = xstrdup(cipher_prop);
196	while((cp = strsep(&tmp, ",")) != NULL) {
197	if (strncmp(cp, "aes", 3) && strncmp(cp, "rijndael", 8)) {
198	if (*fix_ciphers)
199	strlcat(fix_ciphers, ",", len);
200	strlcat(fix_ciphers, cp, len);
201	}
202	}
203	xfree(orig_prop);
204	debug2("Original cipher proposal: %s", cipher_prop);
205	debug2("Compat cipher proposal: %s", fix_ciphers);
206	if (!*fix_ciphers)
207	fatal("No available ciphers found.");
208
209	return(fix_ciphers);
210	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: