- djm@cvs.openbsd.org 2014/01/09 23:26:48

[sshconnect.c sshd.c]
     ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
     deranged and might make some attacks on KEX easier; ok markus@
Damien Miller 2014-01-10 10:59:24 +11:00
parent b3051d01e5
commit 58cd63bc63
3 changed files with 15 additions and 3 deletions


@ -18,6 +18,10 @@
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@
- djm@cvs.openbsd.org 2014/01/09 23:26:48
[sshconnect.c sshd.c]
ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
deranged and might make some attacks on KEX easier; ok markus@
20140108
- (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@


@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.c,v 1.243 2013/12/30 23:52:27 djm Exp $ */
/* $OpenBSD: sshconnect.c,v 1.244 2014/01/09 23:26:48 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -662,6 +662,9 @@ ssh_exchange_identification(int timeout_ms)
fatal("Protocol major versions differ: %d vs. %d",
(options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
remote_major);
if ((datafellows & SSH_BUG_DERIVEKEY) != 0)
fatal("Server version \"%.100s\" uses unsafe key agreement; "
"refusing connection", remote_version);
if ((datafellows & SSH_BUG_RSASIGMD5) != 0)
logit("Server version \"%.100s\" uses unsafe RSA signature "
"scheme; disabling use of RSA keys", remote_version);
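Review bot: The new SSH_BUG_DERIVEKEY check in sshconnect.c leaves its fatal() body unbraced, while the sshd.c half of the same commit braces the identical check and even retrofits braces onto the neighbouring SSH_BUG_RSASIGMD5 logit; the two sides of one change should follow one convention, e.g. `if ((datafellows & SSH_BUG_DERIVEKEY) != 0) {` … `}` here as well. The client also orders the checks differently from the server: here the refusal precedes the RSASIGMD5 logit, so a peer carrying both flags never produces the RSA-signature warning before the connection is dropped (harmless, but sshd.c logs first and refuses second). A one-line comment stating why the peer is refused rather than accommodated would help, since the rationale lives only in the commit message: `/* SSH_BUG_DERIVEKEY peers are too old to interoperate with safely; refuse outright */`. ssh_exchange_identification begins and ends outside this hunk.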

sshd.c

@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.413 2013/12/30 23:52:28 djm Exp $ */
/* $OpenBSD: sshd.c,v 1.414 2014/01/09 23:26:48 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -502,9 +502,14 @@ sshd_exchange_identification(int sock_in, int sock_out)
get_remote_ipaddr(), client_version_string);
cleanup_exit(255);
}
if ((datafellows & SSH_BUG_RSASIGMD5) != 0)
if ((datafellows & SSH_BUG_RSASIGMD5) != 0) {
logit("Client version \"%.100s\" uses unsafe RSA signature "
"scheme; disabling use of RSA keys", remote_version);
}
if ((datafellows & SSH_BUG_DERIVEKEY) != 0) {
fatal("Client version \"%.100s\" uses unsafe key agreement; "
"refusing connection", remote_version);
}
mismatch = 0;
switch (remote_major) {
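Review bot: The new refusal in sshd.c identifies the rejected client only by its version string, whereas the adjacent branch just above (the one ending in `cleanup_exit(255);`) appears to include `get_remote_ipaddr()` in its log line; an operator correlating these refusals in the server log would want the peer address here too. Something like `fatal("Client version \"%.100s\" from %s uses unsafe key agreement; " "refusing connection", remote_version, get_remote_ipaddr());` keeps the message bounded with `%.100s` and matches the sibling branch. The same consideration does not apply to the client-side check in sshconnect.c, where the user already knows which host was contacted. sshd_exchange_identification begins and ends outside this hunk.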