summaryrefslogtreecommitdiff
path: root/compat.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2014-04-20 13:25:30 +1000
committerDamien Miller <djm@mindrot.org>2014-04-20 13:25:30 +1000
commit9395b28223334826837c15e8c1bb4dfb3b0d2ca5 (patch)
treeeea6ad14b14f5fe4f3eb0b791a76f73b706635dc /compat.c
parent8c492da58f8ceb85cf5f7066f23e26fb813a963d (diff)
- djm@cvs.openbsd.org 2014/04/18 23:52:25
[compat.c compat.h sshconnect2.c sshd.c version.h] OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256@libssh.org KEX exchange method to fail when connecting with something that implements the spec properly. Disable this KEX method when speaking to one of the affected versions. reported by Aris Adamantiadis; ok markus@
Diffstat (limited to 'compat.c')
-rw-r--r--compat.c18
1 files changed, 16 insertions, 2 deletions
diff --git a/compat.c b/compat.c
index 9d9fabef..64f9790a 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.82 2013/12/30 23:52:27 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.83 2014/04/18 23:52:25 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@@ -95,6 +95,8 @@ compat_datafellows(const char *version)
{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
{ "OpenSSH_4*", 0 },
{ "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
+ { "OpenSSH_6.5*,"
+ "OpenSSH_6.6", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
{ "OpenSSH*", SSH_NEW_OPENSSH },
{ "*MindTerm*", 0 },
{ "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
@@ -251,7 +253,6 @@ compat_cipher_proposal(char *cipher_prop)
return cipher_prop;
}
-
char *
compat_pkalg_proposal(char *pkalg_prop)
{
@@ -265,3 +266,16 @@ compat_pkalg_proposal(char *pkalg_prop)
return pkalg_prop;
}
+char *
+compat_kex_proposal(char *kex_prop)
+{
+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
+ return kex_prop;
+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
+ if (*kex_prop == '\0')
+ fatal("No supported key exchange algorithms found");
+ return kex_prop;
+}
+