- markus@cvs.openbsd.org 2001/02/12 12:45:06
[sshconnect1.c]
fix xmalloc(0), ok dugsong@
+ - markus@cvs.openbsd.org 2001/02/11 12:59:25
+ [Makefile.in sshd.8 sshconnect2.c readconf.h readconf.c packet.c
+ sshd.c ssh.c ssh.1 servconf.h servconf.c myproposal.h kex.h kex.c]
+ 1) clean up the MAC support for SSH-2
+ 2) allow you to specify the MAC with 'ssh -m'
+ 3) or the 'MACs' keyword in ssh(d)_config
+ 4) add hmac-{md5,sha1}-96
+ ok stevesk@, provos@
20010214
- (djm) Don't try to close PAM session or delete credentials if the
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) $(SFTP_PROGS)
-LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o deattack.o dispatch.o hmac.o hostfile.o key.o kex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o
+LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o deattack.o dispatch.o mac.o hostfile.o key.o kex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o
SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
+++ /dev/null
-/*
- * Copyright (c) 2000 Markus Friedl. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: hmac.c,v 1.7 2001/02/08 19:30:51 itojun Exp $");
-
-#include "xmalloc.h"
-#include "getput.h"
-#include "log.h"
-
-#include <openssl/hmac.h>
-
-#include "hmac.h"
-
-u_char *
-hmac(
- EVP_MD *evp_md,
- u_int seqno,
- u_char *data, int datalen,
- u_char *key, int keylen)
-{
- HMAC_CTX c;
- static u_char m[EVP_MAX_MD_SIZE];
- u_char b[4];
-
- if (key == NULL)
- fatal("hmac: no key");
- HMAC_Init(&c, key, keylen, evp_md);
- PUT_32BIT(b, seqno);
- HMAC_Update(&c, b, sizeof b);
- HMAC_Update(&c, data, datalen);
- HMAC_Final(&c, m, NULL);
- HMAC_cleanup(&c);
- return(m);
-}
*/
#include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.20 2001/02/08 19:30:51 itojun Exp $");
+RCSID("$OpenBSD: kex.c,v 1.21 2001/02/11 12:59:24 markus Exp $");
#include <openssl/crypto.h>
#include <openssl/bio.h>
#include "kex.h"
#include "key.h"
#include "log.h"
+#include "mac.h"
#define KEX_COOKIE_LEN 16
char *name = get_match(client, server);
if (name == NULL)
fatal("no matching mac found: client %s server %s", client, server);
- if (strcmp(name, "hmac-md5") == 0) {
- mac->md = EVP_md5();
- } else if (strcmp(name, "hmac-sha1") == 0) {
- mac->md = EVP_sha1();
- } else if (strcmp(name, "hmac-ripemd160@openssh.com") == 0) {
- mac->md = EVP_ripemd160();
- } else {
+ if (mac_init(mac, name) < 0)
fatal("unsupported mac %s", name);
- }
+ /* truncate the key */
+ if (datafellows & SSH_BUG_HMAC)
+ mac->key_len = 16;
mac->name = name;
- mac->mac_len = mac->md->md_size;
- mac->key_len = (datafellows & SSH_BUG_HMAC) ? 16 : mac->mac_len;
mac->key = NULL;
mac->enabled = 0;
}
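Review bot: The new `/* truncate the key */` comment does not say why the SSH_BUG_HMAC branch has to come after mac_init() — mac_init() has just reset key_len to the full digest size, so reordering these lines would silently drop the workaround — nor what the 16 stands for. I would write it as `/* SSH_BUG_HMAC: peer presumably derives only 16 bytes of integrity key; must follow mac_init(), which sets key_len to the digest size */`. With the new table this truncation now also applies to the hmac-*-96 entries, whose key_len is still the full digest length, which is worth stating since the name suggests otherwise. choose_mac's signature is above the hunk.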
-/* $OpenBSD: kex.h,v 1.13 2001/02/04 15:32:24 stevesk Exp $ */
+/* $OpenBSD: kex.h,v 1.14 2001/02/11 12:59:24 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
#ifndef KEX_H
#define KEX_H
+#include <openssl/evp.h>
+#include "buffer.h"
+
#define KEX_DH1 "diffie-hellman-group1-sha1"
#define KEX_DHGEX "diffie-hellman-group-exchange-sha1"
-#define KEX_DSS "ssh-dss"
enum kex_init_proposals {
PROPOSAL_KEX_ALGS,
--- /dev/null
+/*
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: mac.c,v 1.1 2001/02/11 12:59:24 markus Exp $");
+
+#include <openssl/hmac.h>
+
+#include "xmalloc.h"
+#include "getput.h"
+#include "log.h"
+#include "cipher.h"
+#include "kex.h"
+#include "mac.h"
+
+struct {
+ char *name;
+ EVP_MD * (*mdfunc)(void);
+ int truncatebits; /* truncate digest if != 0 */
+} macs[] = {
+ { "hmac-sha1", EVP_sha1, 0, },
+ { "hmac-sha1-96", EVP_sha1, 96 },
+ { "hmac-md5", EVP_md5, 0 },
+ { "hmac-md5-96", EVP_md5, 96 },
+ { "hmac-ripemd160", EVP_ripemd160, 0 },
+ { "hmac-ripemd160@openssh.com", EVP_ripemd160, 0 },
+ { NULL, NULL, 0 }
+};
+
+int
+mac_init(Mac *mac, char *name)
+{
+ int i;
+ for (i = 0; macs[i].name; i++) {
+ if (strcmp(name, macs[i].name) == 0) {
+ if (mac != NULL) {
+ mac->md = (*macs[i].mdfunc)();
+ mac->key_len = mac->mac_len = mac->md->md_size;
+ if (macs[i].truncatebits != 0)
+ mac->mac_len = macs[i].truncatebits/8;
+ }
+ debug2("mac_init: found %s", name);
+ return (0);
+ }
+ }
+ debug2("mac_init: unknown %s", name);
+ return (-1);
+}
+
+u_char *
+mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
+{
+ HMAC_CTX c;
+ static u_char m[EVP_MAX_MD_SIZE];
+ u_char b[4];
+
+ if (mac->key == NULL)
+ fatal("mac_compute: no key");
+ if (mac->mac_len > sizeof(m))
+ fatal("mac_compute: mac too long");
+ HMAC_Init(&c, mac->key, mac->key_len, mac->md);
+ PUT_32BIT(b, seqno);
+ HMAC_Update(&c, b, sizeof(b));
+ HMAC_Update(&c, data, datalen);
+ HMAC_Final(&c, m, NULL);
+ HMAC_cleanup(&c);
+ return (m);
+}
+
+/* XXX copied from ciphers_valid */
+#define MAC_SEP ","
+int
+mac_valid(const char *names)
+{
+ char *maclist, *cp, *p;
+
+ if (names == NULL || strcmp(names, "") == 0)
+ return (0);
+ maclist = cp = xstrdup(names);
+ for ((p = strsep(&cp, MAC_SEP)); p && *p != '\0';
+ (p = strsep(&cp, MAC_SEP))) {
+ if (mac_init(NULL, p) < 0) {
+ debug("bad mac %s [%s]", p, names);
+ xfree(maclist);
+ return (0);
+ } else {
+ debug3("mac ok: %s [%s]", p, names);
+ }
+ }
+ debug3("macs ok: [%s]", names);
+ xfree(maclist);
+ return (1);
+}
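Review bot: mac_valid() stops checking at the first empty list element, because the loop condition `p && *p != '\0'` exits on it rather than rejecting it, so a spec like `hmac-sha1,,bogus` passes validation with `bogus` never looked at and the trailing `return (1)` reports the whole list as good; the unvalidated name would then presumably go out in the KEXINIT proposal and only surface as the "unsupported mac" fatal in kex.c if the peer picked it. I would loop on `p != NULL` and treat an empty element as bad: `if (*p == '\0' || mac_init(NULL, p) < 0) { debug("bad mac %s [%s]", p, names); xfree(maclist); return (0); }`. The comment says this was copied from ciphers_valid, so that helper likely has the same gap. Separately, mac_compute() hands back a pointer to a static buffer that the next call overwrites; a one-line comment saying so above it would save callers from holding onto the result.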
-/* $OpenBSD: hmac.h,v 1.4 2001/01/29 01:58:15 niklas Exp $ */
-
+/* $OpenBSD: mac.h,v 1.1 2001/02/11 12:59:24 markus Exp $ */
/*
- * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-#ifndef HMAC_H
-#define HMAC_H
-
-u_char *
-hmac(
- EVP_MD *evp_md,
- u_int seqno,
- u_char *data, int datalen,
- u_char *key, int len);
-#endif
+int mac_valid(const char *names);
+int mac_init(Mac *mac, char *name);
+u_char *mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen);
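Review bot: The rewritten header removes the `#ifndef HMAC_H` guard without adding a MAC_H one, and its prototypes use `Mac` and `u_int32_t` while including nothing, so mac.h only compiles when kex.h (and includes.h) are included before it — every caller in this diff happens to do that, but nothing enforces it. I would add `#ifndef MAC_H` / `#define MAC_H` around the declarations with a closing `#endif`, plus `#include "kex.h"` for the Mac type. mac_init could also take `const char *name` to match mac_valid, since it only passes the string to strcmp.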
-/* $OpenBSD: myproposal.h,v 1.10 2001/01/29 01:58:17 niklas Exp $ */
+/* $OpenBSD: myproposal.h,v 1.11 2001/02/11 12:59:24 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
"aes128-cbc,aes192-cbc,aes256-cbc," \
"rijndael128-cbc,rijndael192-cbc,rijndael256-cbc," \
"rijndael-cbc@lysator.liu.se"
-#define KEX_DEFAULT_MAC "hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com"
+#define KEX_DEFAULT_MAC \
+ "hmac-sha1,hmac-md5,hmac-ripemd160," \
+ "hmac-ripemd160@openssh.com," \
+ "hmac-sha1-96,hmac-md5-96"
#define KEX_DEFAULT_COMP "none,zlib"
#define KEX_DEFAULT_LANG ""
*/
#include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.49 2001/02/08 19:30:52 itojun Exp $");
+RCSID("$OpenBSD: packet.c,v 1.50 2001/02/11 12:59:25 markus Exp $");
#include "xmalloc.h"
#include "buffer.h"
#include "ssh1.h"
#include "ssh2.h"
-#include <openssl/bn.h>
-#include <openssl/dh.h>
-#include <openssl/hmac.h>
#include "cipher.h"
#include "kex.h"
-#include "hmac.h"
+#include "mac.h"
#include "log.h"
#include "canohost.h"
void
packet_send2(void)
{
+ static u_int32_t seqnr = 0;
u_char *macbuf = NULL;
char *cp;
u_int packet_length = 0;
u_int i, padlen, len;
u_int32_t rand = 0;
- static u_int seqnr = 0;
int type;
Enc *enc = NULL;
Mac *mac = NULL;
/* compute MAC over seqnr and packet(length fields, payload, padding) */
if (mac && mac->enabled) {
- macbuf = hmac( mac->md, seqnr,
+ macbuf = mac_compute(mac, seqnr,
(u_char *) buffer_ptr(&outgoing_packet),
- buffer_len(&outgoing_packet),
- mac->key, mac->key_len
- );
+ buffer_len(&outgoing_packet));
DBG(debug("done calc MAC out #%d", seqnr));
}
/* encrypt packet and append to output buffer. */
int
packet_read_poll2(int *payload_len_ptr)
{
+ static u_int32_t seqnr = 0;
+ static u_int packet_length = 0;
u_int padlen, need;
u_char buf[8], *macbuf;
u_char *ucp;
char *cp;
- static u_int packet_length = 0;
- static u_int seqnr = 0;
int type;
int maclen, block_size;
Enc *enc = NULL;
* increment sequence number for incoming packet
*/
if (mac && mac->enabled) {
- macbuf = hmac( mac->md, seqnr,
+ macbuf = mac_compute(mac, seqnr,
(u_char *) buffer_ptr(&incoming_packet),
- buffer_len(&incoming_packet),
- mac->key, mac->key_len
- );
+ buffer_len(&incoming_packet));
if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0)
packet_disconnect("Corrupted MAC on input.");
DBG(debug("MAC #%d ok", seqnr));
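Review bot: The received tag is still verified with `memcmp(macbuf, buffer_ptr(&input), mac->mac_len)`, which returns at the first differing byte, so the time to reject a forged MAC computed by the new mac_compute() depends on how many leading bytes were right. A mismatch disconnects, which makes this slow to exploit, but a fixed-time compare costs a few lines and removes the question. The `%d` in the DBG lines should also become `%u` now that seqnr is u_int32_t. packet_read_poll2 begins and ends outside the hunk.
```c
		/* … unchanged: mac_compute call … */
		{
			u_char *in = buffer_ptr(&input);
			u_int i, diff = 0;

			/* compare all mac_len bytes regardless of where they differ */
			for (i = 0; i < mac->mac_len; i++)
				diff |= macbuf[i] ^ in[i];
			if (diff != 0)
				packet_disconnect("Corrupted MAC on input.");
		}
```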
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.61 2001/02/08 14:39:36 deraadt Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.62 2001/02/11 12:59:25 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
#include "readconf.h"
#include "match.h"
#include "misc.h"
+#include "kex.h"
+#include "mac.h"
/* Format of the configuration file:
oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
- oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol,
+ oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias
} OpCodes;
{ "port", oPort },
{ "cipher", oCipher },
{ "ciphers", oCiphers },
+ { "macs", oMacs },
{ "protocol", oProtocol },
{ "remoteforward", oRemoteForward },
{ "localforward", oLocalForward },
options->ciphers = xstrdup(arg);
break;
+ case oMacs:
+ arg = strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
+ if (!mac_valid(arg))
+ fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*activep && options->macs == NULL)
+ options->macs = xstrdup(arg);
+ break;
+
case oProtocol:
intptr = &options->protocol;
arg = strdelim(&s);
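Review bot: In the new oMacs case the `arg ? arg : "<NONE>"` in the second fatal() is dead, since the check just above already fataled on a NULL arg; `fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.", filename, linenum, arg);` says the same thing. This mirrors the oCiphers case, so it is a style point rather than a bug. A short comment on the `options->macs == NULL` test would also help, since it is what lets a value set earlier (presumably `-m` from ssh.c) take precedence over the config file and that is not obvious from this hunk.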
options->number_of_password_prompts = -1;
options->cipher = -1;
options->ciphers = NULL;
+ options->macs = NULL;
options->protocol = SSH_PROTO_UNKNOWN;
options->num_identity_files = 0;
options->hostname = NULL;
if (options->cipher == -1)
options->cipher = SSH_CIPHER_NOT_SET;
/* options->ciphers, default set in myproposals.h */
+ /* options->macs, default set in myproposals.h */
if (options->protocol == SSH_PROTO_UNKNOWN)
options->protocol = SSH_PROTO_1|SSH_PROTO_2|SSH_PROTO_1_PREFERRED;
if (options->num_identity_files == 0) {
* called by a name other than "ssh" or "Secure Shell".
*/
-/* RCSID("$OpenBSD: readconf.h,v 1.25 2001/01/22 23:06:39 markus Exp $"); */
+/* RCSID("$OpenBSD: readconf.h,v 1.26 2001/02/11 12:59:25 markus Exp $"); */
#ifndef READCONF_H
#define READCONF_H
* prompts. */
int cipher; /* Cipher to use. */
char *ciphers; /* SSH2 ciphers in order of preference. */
+ char *macs; /* SSH2 macs in order of preference. */
int protocol; /* Protocol in order of preference. */
char *hostname; /* Real host to connect. */
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.65 2001/02/04 15:32:24 stevesk Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.66 2001/02/11 12:59:25 markus Exp $");
#ifdef KRB4
#include <krb.h>
#include "tildexpand.h"
#include "misc.h"
#include "cipher.h"
+#include "kex.h"
+#include "mac.h"
/* add listen address */
void add_listen_addr(ServerOptions *options, char *addr);
options->num_allow_groups = 0;
options->num_deny_groups = 0;
options->ciphers = NULL;
+ options->macs = NULL;
options->protocol = SSH_PROTO_UNKNOWN;
options->gateway_ports = -1;
options->num_subsystems = 0;
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
sUseLogin, sAllowTcpForwarding,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
- sIgnoreUserKnownHosts, sCiphers, sProtocol, sPidFile,
+ sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
sBanner, sReverseMappingCheck
} ServerOpCodes;
{ "allowgroups", sAllowGroups },
{ "denygroups", sDenyGroups },
{ "ciphers", sCiphers },
+ { "macs", sMacs },
{ "protocol", sProtocol },
{ "gatewayports", sGatewayPorts },
{ "subsystem", sSubsystem },
options->ciphers = xstrdup(arg);
break;
+ case sMacs:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: Missing argument.", filename, linenum);
+ if (!mac_valid(arg))
+ fatal("%s line %d: Bad SSH2 mac spec '%s'.",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (options->macs == NULL)
+ options->macs = xstrdup(arg);
+ break;
+
case sProtocol:
intptr = &options->protocol;
arg = strdelim(&cp);
* called by a name other than "ssh" or "Secure Shell".
*/
-/* RCSID("$OpenBSD: servconf.h,v 1.36 2001/02/03 10:08:37 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.37 2001/02/11 12:59:25 markus Exp $"); */
#ifndef SERVCONF_H
#define SERVCONF_H
char *xauth_location; /* Location of xauth program */
int strict_modes; /* If true, require string home dir modes. */
int keepalives; /* If true, set SO_KEEPALIVE. */
- char *ciphers; /* Ciphers in order of preference. */
- int protocol; /* Protocol in order of preference. */
+ char *ciphers; /* Supported SSH2 ciphers. */
+ char *macs; /* Supported SSH2 macs. */
+ int protocol; /* Supported protocol versions. */
int gateway_ports; /* If true, allow remote connects to forwarded ports. */
SyslogFacility log_facility; /* Facility for system logging. */
LogLevel log_level; /* Level for system logging. */
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.90 2001/02/10 16:03:29 markus Exp $
+.\" $OpenBSD: ssh.1,v 1.91 2001/02/11 12:59:25 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
.Op Fl e Ar escape_char
.Op Fl i Ar identity_file
.Op Fl l Ar login_name
+.Op Fl m Ar mac_spec
.Op Fl o Ar option
.Op Fl p Ar port
.Oo Fl L Xo
.It Fl l Ar login_name
Specifies the user to log in as on the remote machine.
This also may be specified on a per-host basis in the configuration file.
+.It Fl m Ar mac_spec
+Additionally, for protocol version 2 a comma-separated list of MAC
+(message authentication code) algorithms can
+be specified in order of preference.
+See the
+.Cm MACs
+keyword for more information.
.It Fl n
Redirects stdin from
.Pa /dev/null
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.
The default is INFO.
+.It Cm MACs
+Specifies the MAC (message authentication code) algorithms
+in order of preference.
+The MAC algorithm is used in protocol version 2
+for data integrity protection.
+Multiple algorithms must be comma-separated.
+The default is
+.Pp
+.Bd -literal
+ ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,
+ hmac-sha1-96,hmac-md5-96''
+.Ed
.It Cm NumberOfPasswordPrompts
Specifies the number of password prompts before giving up.
The argument to this keyword must be an integer.
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.94 2001/02/10 01:46:28 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.95 2001/02/11 12:59:25 markus Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
#include "tildexpand.h"
#include "dispatch.h"
#include "misc.h"
+#include "kex.h"
+#include "mac.h"
#ifdef HAVE___PROGNAME
extern char *__progname;
opt = av[optind][1];
if (!opt)
usage();
- if (strchr("eilcpLRo", opt)) { /* options with arguments */
+ if (strchr("eilcmpLRo", opt)) { /* options with arguments */
optarg = av[optind] + 2;
if (strcmp(optarg, "") == 0) {
if (optind >= ac - 1)
}
}
break;
+ case 'm':
+ if (mac_valid(optarg))
+ options.macs = xstrdup(optarg);
+ else {
+ fprintf(stderr, "Unknown mac type '%s'\n", optarg);
+ exit(1);
+ }
+ break;
case 'p':
options.port = atoi(optarg);
break;
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.46 2001/02/10 12:09:21 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.47 2001/02/11 12:59:25 markus Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
}
if (options.compression) {
- myproposal[PROPOSAL_COMP_ALGS_CTOS] = "zlib";
+ myproposal[PROPOSAL_COMP_ALGS_CTOS] =
myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib";
} else {
- myproposal[PROPOSAL_COMP_ALGS_CTOS] = "none";
+ myproposal[PROPOSAL_COMP_ALGS_CTOS] =
myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
}
+ if (options.macs != NULL) {
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+ }
/* buffers with raw kexinit messages */
server_kexinit = xmalloc(sizeof(*server_kexinit));
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.92 2001/02/09 23:38:11 deraadt Exp $
+.\" $OpenBSD: sshd.8,v 1.93 2001/02/11 12:59:25 markus Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
The default is INFO.
Logging with level DEBUG violates the privacy of users
and is not recommended.
+.It Cm MACs
+Specifies the available MAC (message authentication code) algorithms.
+The MAC algorithm is used in protocol version 2
+for data integrity protection.
+Multiple algorithms must be comma-separated.
+The default is
+.Pp
+.Bd -literal
+ ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,
+ hmac-sha1-96,hmac-md5-96''
+.Ed
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
.Nm
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.165 2001/02/08 19:30:53 itojun Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.166 2001/02/11 12:59:25 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
}
+ if (options.macs != NULL) {
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+ }
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
server_kexinit = kex_init(myproposal);