-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | sshconnect.c | 5 | ||||
-rw-r--r-- | sshd.c | 9 |
3 files changed, 15 insertions, 3 deletions
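--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,10 @@
 rather than calling OpenSSL EVP_Digest* directly. Will make it easier
 to build a reduced-feature OpenSSH without OpenSSL in future;
 feedback, ok markus@
+- djm@cvs.openbsd.org 2014/01/09 23:26:48
+[sshconnect.c sshd.c]
+ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
+deranged and might make some attacks on KEX easier; ok markus@
 
 20140108
 - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@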
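--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.243 2013/12/30 23:52:27 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.244 2014/01/09 23:26:48 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -662,6 +662,9 @@ ssh_exchange_identification(int timeout_ms)
 fatal("Protocol major versions differ: %d vs. %d",
 (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
 remote_major);
+if ((datafellows & SSH_BUG_DERIVEKEY) != 0)
+fatal("Server version \"%.100s\" uses unsafe key agreement; "
+"refusing connection", remote_version);
 if ((datafellows & SSH_BUG_RSASIGMD5) != 0)
 logit("Server version \"%.100s\" uses unsafe RSA signature "
 "scheme; disabling use of RSA keys", remote_version);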
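Review bot: The new `SSH_BUG_DERIVEKEY` check in ssh_exchange_identification is an unbraced `if` whose body spans two source lines, while the matching sshd.c change in this same commit braces both of its checks; bracing it here as well (`if ((datafellows & SSH_BUG_DERIVEKEY) != 0) {` … `}`) keeps the two files parallel and prevents a later second statement from silently falling outside the condition. The check also has no comment explaining why this flag aborts the connection while the `SSH_BUG_RSASIGMD5` check directly below it only logs; I would add `/* No safe fallback: such peers might make attacks on KEX easier, so refuse outright. */` above it, which restates the rationale given in the ChangeLog entry. The function body starts and ends outside the hunk.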
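--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.413 2013/12/30 23:52:28 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.414 2014/01/09 23:26:48 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -502,9 +502,14 @@ sshd_exchange_identification(int sock_in, int sock_out)
 get_remote_ipaddr(), client_version_string);
 cleanup_exit(255);
 }
-if ((datafellows & SSH_BUG_RSASIGMD5) != 0)
+if ((datafellows & SSH_BUG_RSASIGMD5) != 0) {
 logit("Client version \"%.100s\" uses unsafe RSA signature "
 "scheme; disabling use of RSA keys", remote_version);
+}
+if ((datafellows & SSH_BUG_DERIVEKEY) != 0) {
+fatal("Client version \"%.100s\" uses unsafe key agreement; "
+"refusing connection", remote_version);
+}
 
 mismatch = 0;
 switch (remote_major) {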
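Review bot: The new `fatal()` for `SSH_BUG_DERIVEKEY` in sshd_exchange_identification records the client version string but not the peer address, whereas the call ending just above it passes `get_remote_ipaddr()` before `cleanup_exit(255)`; as far as the hunk shows, a refused connection therefore leaves a log line that cannot be tied to a source host during triage. I would write it as `fatal("Client version \"%.100s\" from %s uses unsafe key agreement; refusing connection", remote_version, get_remote_ipaddr());`. Placing this check ahead of the `SSH_BUG_RSASIGMD5` one would also avoid logging "disabling use of RSA keys" for a client that is refused on the very next statement. The function body starts and ends outside the hunk.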