Commit 5bf8f82e authored by Niels Möller's avatar Niels Möller

*** empty log message ***

Rev: ChangeLog:1.243
Rev: doc/TODO:1.90
Rev: doc/lsh.texinfo:1.18
Rev: src/spki.c:1.22
parent 3672ad2e
2000-09-15 Niels Mller <nisse@cuckoo.localdomain>
* src/parse.c (parse_next_atom): Updated comment. Return error for
empty atoms.
(parse_atoms): Handle the empty list case better.
(parse_atom_list): Simplified.
* src/keyexchange.c (do_handle_kexinit): Check kex_state.
(do_handle_kexinit): Check length of received kex_algorithms list.
(do_handle_kexinit): Set kex_state to KEX_STATE_IGNORE or
KEX_STATE_IN_PROGRESS as appropriate.
(do_handle_newkeys): Clear kexinits and literal_kexinits when
resetting kex_state (fixes key renegotiation bug reported by jps).
(kexinit_filter): New command.
* src/dh_exchange.c (init_dh_instance): Don't clear
connection->kexinits and connection->literal_kexinits here.
* src/connection_commands.c (handshake_command): Added
make_kexinit argument (and deleted the corresponding field from
handshake_info). Updated all callers.
* src/client_keyexchange.c (do_init_client_dh): Don't touch connection->kex_state.
(do_init_client_srp): Likewise.
* src/server_keyexchange.c: Likewise.
* src/algorithms.c (list_hostkey_algorithms): New function.
(lookup_hostkey_algorithm): New function.
(algorithms_options): New option --hostkey-algorithm.
(filter_algorithms): New function.
(filter_algorithms_l): New function.
* src/lshd.c: Renamed lshd_listen to make_lshd_listen and
lshd_connection_service to make_lshd_connection_service.
(make_lshd_listen): Use kexinit_filter to restrict announced
hostkey algorithms to those that we actually have keys for.
(make_lshd_listen): Use listen_callback, in order to get the right
evaluation order.
2000-09-14 Niels Mller <nisse@cuckoo.localdomain>
* src/algorithms.c (default_crypto_algorithms): Make the default
list more restrictive.
(all_crypto_algorithms): New function, returning a less
conservative algorithm list.
* src/connection.h (ssh_connection): Deleted obsolete newkeys
attribute.
* src/process_atoms (atom2define): Replace @domain suffix with
"_LOCAL".
* src/lsh-writekey.c (make_lsh_writekey_options): Use
all_symmetric_algorithms() and all_symmetric_algorithms().
* src/lsh.c (make_options): Likewise.
* src/lsh_proxy.c (main): Likewise.
* src/lshd.c (make_lshd_options): Likewise.
* src/atoms.in: Added @lysator.liu.se suffix to non-standard
algorithms.
2000-09-14 Niels Mller <nisse@lysator.liu.se> 2000-09-14 Niels Mller <nisse@lysator.liu.se>
* src/keyexchange.c (do_handle_newkeys): Clear * src/keyexchange.c (do_handle_newkeys): Clear
......
...@@ -242,3 +242,5 @@ supported algorithms in the list? ...@@ -242,3 +242,5 @@ supported algorithms in the list?
Use static objects for crypto algorithms with fixed key sizes and Use static objects for crypto algorithms with fixed key sizes and
other parameters. other parameters.
Replace most defines with enums, for improved type checking.
...@@ -948,12 +948,14 @@ algorithm negotiation will fail because the peer doesn't support ...@@ -948,12 +948,14 @@ algorithm negotiation will fail because the peer doesn't support
prefers not to use it. prefers not to use it.
@item @option{-c} @tab Encryption @item @option{-c} @tab Encryption
@tab @code{3dec-cbc}, @code{blowfish-cbc}, @code{cast128-cbc}, @tab @code{3dec-cbc}, @code{blowfish-cbc}, @code{arcfour}
@code{serpent-cbc}, @code{twofish-cbc}, @code{rijndael-cbc},
@code{arcfour} @code{arcfour}
@tab The default encryption algorithm is triple-DES in CBC mode. This @tab The default encryption algorithm is triple-DES in CBC mode. This
seems to be the algorithm of choice among conservative cryptographers. seems to be the algorithm of choice among conservative cryptographers.
The default list includes only quite old and well studied algorithms.
There is a special algorithm name @code{all} to enable all supported
encryption algorithms (except @code{none}).
@item @option{-m} @tab Message Authentication @item @option{-m} @tab Message Authentication
@tab @code{hmac-sha1}, @code{hmac-md5} @tab @code{hmac-sha1}, @code{hmac-md5}
......
...@@ -299,7 +299,7 @@ parse_private_key(struct alist *algorithms, ...@@ -299,7 +299,7 @@ parse_private_key(struct alist *algorithms,
} }
else else
{ {
werror("spki.c: Unknown key type (only dsa is supported)."); werror("spki.c: Unknown key type (only dsa is supported).\n");
SPKI_ERROR(e, "spki.c: Unknown key type (only dsa is supported).", expr); SPKI_ERROR(e, "spki.c: Unknown key type (only dsa is supported).", expr);
} }
} }
...@@ -989,6 +989,10 @@ do_spki_lookup(struct spki_context *s, ...@@ -989,6 +989,10 @@ do_spki_lookup(struct spki_context *s,
return subject; return subject;
} }
case ATOM_SEQUENCE:
werror("do_spki_lookup: spki sequences not yet supported.\n");
return NULL;
case ATOM_NAME: case ATOM_NAME:
werror("do_spki_lookup: names not yet supported.\n"); werror("do_spki_lookup: names not yet supported.\n");
return NULL; return NULL;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment