diff options
| -rw-r--r-- | ChangeLog | 10 | ||||
| -rw-r--r-- | compat.c | 18 | ||||
| -rw-r--r-- | compat.h | 4 | ||||
| -rw-r--r-- | sshconnect2.c | 4 | ||||
| -rw-r--r-- | sshd.c | 5 | ||||
| -rw-r--r-- | version.h | 4 |
6 files changed, 38 insertions, 7 deletions
| @@ -98,6 +98,16 @@ | |||
| 98 | remove the identity files from this manpage - ssh-agent doesn't deal | 98 | remove the identity files from this manpage - ssh-agent doesn't deal |
| 99 | with them at all and the same information is duplicated in ssh-add.1 | 99 | with them at all and the same information is duplicated in ssh-add.1 |
| 100 | (which does deal with them); prodded by deraadt@ | 100 | (which does deal with them); prodded by deraadt@ |
| 101 | - djm@cvs.openbsd.org 2014/04/18 23:52:25 | ||
| 102 | [compat.c compat.h sshconnect2.c sshd.c version.h] | ||
| 103 | OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections | ||
| 104 | using the curve25519-sha256@libssh.org KEX exchange method to fail | ||
| 105 | when connecting with something that implements the spec properly. | ||
| 106 | |||
| 107 | Disable this KEX method when speaking to one of the affected | ||
| 108 | versions. | ||
| 109 | |||
| 110 | reported by Aris Adamantiadis; ok markus@ | ||
| 101 | 111 | ||
| 102 | 20140401 | 112 | 20140401 |
| 103 | - (djm) On platforms that support it, use prctl() to prevent sftp-server | 113 | - (djm) On platforms that support it, use prctl() to prevent sftp-server |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: compat.c,v 1.82 2013/12/30 23:52:27 djm Exp $ */ | 1 | /* $OpenBSD: compat.c,v 1.83 2014/04/18 23:52:25 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -95,6 +95,8 @@ compat_datafellows(const char *version) | |||
| 95 | { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, | 95 | { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, |
| 96 | { "OpenSSH_4*", 0 }, | 96 | { "OpenSSH_4*", 0 }, |
| 97 | { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, | 97 | { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, |
| 98 | { "OpenSSH_6.5*," | ||
| 99 | "OpenSSH_6.6", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, | ||
| 98 | { "OpenSSH*", SSH_NEW_OPENSSH }, | 100 | { "OpenSSH*", SSH_NEW_OPENSSH }, |
| 99 | { "*MindTerm*", 0 }, | 101 | { "*MindTerm*", 0 }, |
| 100 | { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| | 102 | { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| |
| @@ -251,7 +253,6 @@ compat_cipher_proposal(char *cipher_prop) | |||
| 251 | return cipher_prop; | 253 | return cipher_prop; |
| 252 | } | 254 | } |
| 253 | 255 | ||
| 254 | |||
| 255 | char * | 256 | char * |
| 256 | compat_pkalg_proposal(char *pkalg_prop) | 257 | compat_pkalg_proposal(char *pkalg_prop) |
| 257 | { | 258 | { |
| @@ -265,3 +266,16 @@ compat_pkalg_proposal(char *pkalg_prop) | |||
| 265 | return pkalg_prop; | 266 | return pkalg_prop; |
| 266 | } | 267 | } |
| 267 | 268 | ||
| 269 | char * | ||
| 270 | compat_kex_proposal(char *kex_prop) | ||
| 271 | { | ||
| 272 | if (!(datafellows & SSH_BUG_CURVE25519PAD)) | ||
| 273 | return kex_prop; | ||
| 274 | debug2("%s: original KEX proposal: %s", __func__, kex_prop); | ||
| 275 | kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org"); | ||
| 276 | debug2("%s: compat KEX proposal: %s", __func__, kex_prop); | ||
| 277 | if (*kex_prop == '\0') | ||
| 278 | fatal("No supported key exchange algorithms found"); | ||
| 279 | return kex_prop; | ||
| 280 | } | ||
| 281 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: compat.h,v 1.44 2013/12/30 23:52:27 djm Exp $ */ | 1 | /* $OpenBSD: compat.h,v 1.45 2014/04/18 23:52:25 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. |
| @@ -59,6 +59,7 @@ | |||
| 59 | #define SSH_BUG_RFWD_ADDR 0x02000000 | 59 | #define SSH_BUG_RFWD_ADDR 0x02000000 |
| 60 | #define SSH_NEW_OPENSSH 0x04000000 | 60 | #define SSH_NEW_OPENSSH 0x04000000 |
| 61 | #define SSH_BUG_DYNAMIC_RPORT 0x08000000 | 61 | #define SSH_BUG_DYNAMIC_RPORT 0x08000000 |
| 62 | #define SSH_BUG_CURVE25519PAD 0x10000000 | ||
| 62 | 63 | ||
| 63 | void enable_compat13(void); | 64 | void enable_compat13(void); |
| 64 | void enable_compat20(void); | 65 | void enable_compat20(void); |
| @@ -66,6 +67,7 @@ void compat_datafellows(const char *); | |||
| 66 | int proto_spec(const char *); | 67 | int proto_spec(const char *); |
| 67 | char *compat_cipher_proposal(char *); | 68 | char *compat_cipher_proposal(char *); |
| 68 | char *compat_pkalg_proposal(char *); | 69 | char *compat_pkalg_proposal(char *); |
| 70 | char *compat_kex_proposal(char *); | ||
| 69 | 71 | ||
| 70 | extern int compat13; | 72 | extern int compat13; |
| 71 | extern int compat20; | 73 | extern int compat20; |
diff --git a/sshconnect2.c b/sshconnect2.c index f123194b0..b1aa69c24 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect2.c,v 1.205 2014/03/27 23:01:27 markus Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.206 2014/04/18 23:52:25 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
| @@ -196,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | |||
| 196 | } | 196 | } |
| 197 | if (options.kex_algorithms != NULL) | 197 | if (options.kex_algorithms != NULL) |
| 198 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | 198 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; |
| 199 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
| 200 | myproposal[PROPOSAL_KEX_ALGS]); | ||
| 199 | 201 | ||
| 200 | if (options.rekey_limit || options.rekey_interval) | 202 | if (options.rekey_limit || options.rekey_interval) |
| 201 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 203 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshd.c,v 1.423 2014/04/12 04:55:53 djm Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.424 2014/04/18 23:52:25 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -2438,6 +2438,9 @@ do_ssh2_kex(void) | |||
| 2438 | if (options.kex_algorithms != NULL) | 2438 | if (options.kex_algorithms != NULL) |
| 2439 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | 2439 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; |
| 2440 | 2440 | ||
| 2441 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
| 2442 | myproposal[PROPOSAL_KEX_ALGS]); | ||
| 2443 | |||
| 2441 | if (options.rekey_limit || options.rekey_interval) | 2444 | if (options.rekey_limit || options.rekey_interval) |
| 2442 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2445 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
| 2443 | (time_t)options.rekey_interval); | 2446 | (time_t)options.rekey_interval); |
| @@ -1,6 +1,6 @@ | |||
| 1 | /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ | 1 | /* $OpenBSD: version.h,v 1.71 2014/04/18 23:52:25 djm Exp $ */ |
| 2 | 2 | ||
| 3 | #define SSH_VERSION "OpenSSH_6.6" | 3 | #define SSH_VERSION "OpenSSH_6.7" |
| 4 | 4 | ||
| 5 | #define SSH_PORTABLE "p1" | 5 | #define SSH_PORTABLE "p1" |
| 6 | #define SSH_RELEASE SSH_VERSION SSH_PORTABLE | 6 | #define SSH_RELEASE SSH_VERSION SSH_PORTABLE |