summaryrefslogtreecommitdiff
path: root/compat.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2014-04-20 13:25:30 +1000
committerDamien Miller <djm@mindrot.org>2014-04-20 13:25:30 +1000
commit9395b28223334826837c15e8c1bb4dfb3b0d2ca5 (patch)
treeeea6ad14b14f5fe4f3eb0b791a76f73b706635dc /compat.c
parent8c492da58f8ceb85cf5f7066f23e26fb813a963d (diff)
- djm@cvs.openbsd.org 2014/04/18 23:52:25
[compat.c compat.h sshconnect2.c sshd.c version.h] OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256@libssh.org KEX exchange method to fail when connecting with something that implements the spec properly. Disable this KEX method when speaking to one of the affected versions. reported by Aris Adamantiadis; ok markus@
Diffstat (limited to 'compat.c')
-rw-r--r--compat.c18
1 files changed, 16 insertions, 2 deletions
diff --git a/compat.c b/compat.c
index 9d9fabef3..64f9790a8 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: compat.c,v 1.82 2013/12/30 23:52:27 djm Exp $ */ 1/* $OpenBSD: compat.c,v 1.83 2014/04/18 23:52:25 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 3 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
4 * 4 *
@@ -95,6 +95,8 @@ compat_datafellows(const char *version)
95 { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, 95 { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
96 { "OpenSSH_4*", 0 }, 96 { "OpenSSH_4*", 0 },
97 { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, 97 { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
98 { "OpenSSH_6.5*,"
99 "OpenSSH_6.6", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
98 { "OpenSSH*", SSH_NEW_OPENSSH }, 100 { "OpenSSH*", SSH_NEW_OPENSSH },
99 { "*MindTerm*", 0 }, 101 { "*MindTerm*", 0 },
100 { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| 102 { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
@@ -251,7 +253,6 @@ compat_cipher_proposal(char *cipher_prop)
251 return cipher_prop; 253 return cipher_prop;
252} 254}
253 255
254
255char * 256char *
256compat_pkalg_proposal(char *pkalg_prop) 257compat_pkalg_proposal(char *pkalg_prop)
257{ 258{
@@ -265,3 +266,16 @@ compat_pkalg_proposal(char *pkalg_prop)
265 return pkalg_prop; 266 return pkalg_prop;
266} 267}
267 268
269char *
270compat_kex_proposal(char *kex_prop)
271{
272 if (!(datafellows & SSH_BUG_CURVE25519PAD))
273 return kex_prop;
274 debug2("%s: original KEX proposal: %s", __func__, kex_prop);
275 kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
276 debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
277 if (*kex_prop == '\0')
278 fatal("No supported key exchange algorithms found");
279 return kex_prop;
280}
281
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-02 09:31:14 +0000