author Damien Miller <djm@mindrot.org> 2010-09-10 11:23:34 +1000
committer Damien Miller <djm@mindrot.org> 2010-09-10 11:23:34 +1000
commit 041ab7c1e7d6514ed84a539a767f79ffb356e807
tree c6528487bfc1cfa824655e48ef884b2c268c8588 /ChangeLog
parent 3796ab47d3f68f69512c360f178b77bf0fb12b4f
- djm@cvs.openbsd.org 2010/09/09 10:45:45
[kex.c kex.h kexecdh.c key.c key.h monitor.c ssh-ecdsa.c] ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases. This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client. ok naddy@
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 13
1 files changed, 13 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 32f82369d..87fee3bf0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -49,6 +49,19 @@
49 gcc, at least in earlier versions, but this does not forgive your current 49 gcc, at least in earlier versions, but this does not forgive your current
50 transgressions) seen between zlib and openssl 50 transgressions) seen between zlib and openssl
51 ok djm 51 ok djm
52 - djm@cvs.openbsd.org 2010/09/09 10:45:45
53 [kex.c kex.h kexecdh.c key.c key.h monitor.c ssh-ecdsa.c]
54 ECDH/ECDSA compliance fix: these methods vary the hash function they use
55 (SHA256/384/512) depending on the length of the curve in use. The previous
56 code incorrectly used SHA256 in all cases.
57
58 This fix will cause authentication failure when using 384 or 521-bit curve
59 keys if one peer hasn't been upgraded and the other has. (256-bit curve
60 keys work ok). In particular you may need to specify HostkeyAlgorithms
61 when connecting to a server that has not been upgraded from an upgraded
62 client.
63
64 ok naddy@
52 65
5320100831 6620100831
54 - OpenBSD CVS Sync 67 - OpenBSD CVS Sync
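Review bot: the interoperability warning in the added entry (new lines 58-62) says users "may need to specify HostkeyAlgorithms" but does not say what to set it to. The entry already states that 256-bit curve keys work, so it could name that as the selection that avoids the failure against a peer that has not been upgraded. The first paragraph (new lines 54-56) also lists SHA256/384/512 without pairing each hash with a curve length; spelling out that mapping would help anyone diagnosing a mismatch between an upgraded and a non-upgraded peer.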