From 0082fba4efdd492f765ed4c53f0d0fbd3bdbdf7f Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Wed, 28 Sep 2016 16:33:06 +0000
Subject: upstream commit

Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd for >10 years.

Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
---
 monitor.h | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

(limited to 'monitor.h')

diff --git a/monitor.h b/monitor.h
index 93b8b66dd..d68f67458 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.19 2015/01/19 19:52:16 markus Exp $ */
+/* $OpenBSD: monitor.h,v 1.20 2016/09/28 16:33:07 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos
@@ -67,21 +67,17 @@ enum monitor_reqtype {
 };
-struct mm_master;
 struct monitor {
 int m_recvfd;
 int m_sendfd;
 int m_log_recvfd;
 int m_log_sendfd;
- struct mm_master *m_zback;
- struct mm_master *m_zlib;
 struct kex **m_pkex;
 pid_t m_pid;
 };
 struct monitor *monitor_init(void);
 void monitor_reinit(struct monitor *);
-void monitor_sync(struct monitor *);
 struct Authctxt;
 void monitor_child_preauth(struct Authctxt *, struct monitor *);
-- 
cgit v1.2.3