mirror of git://anongit.mindrot.org/openssh.git
Three commits in one (since they touch the same heavily-diverged file
repeatedly): - markus@cvs.openbsd.org 2014/03/25 09:40:03 [myproposal.h] trimm default proposals. This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files). ok djm@, reminded by tedu@ & naddy@ and discussed with many - deraadt@cvs.openbsd.org 2014/03/26 17:16:26 [myproposal.h] The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy. - markus@cvs.openbsd.org 2014/03/27 23:01:27 [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] disable weak proposals in sshd, but keep them in ssh; ok djm@
parent
6e1777f592
commit
9235a030ad
19
ChangeLog
19
ChangeLog
|
@ -32,6 +32,25 @@
|
||||||
[scp.1]
|
[scp.1]
|
||||||
there is no need for rcp anymore
|
there is no need for rcp anymore
|
||||||
ok deraadt millert
|
ok deraadt millert
|
||||||
|
- markus@cvs.openbsd.org 2014/03/25 09:40:03
|
||||||
|
[myproposal.h]
|
||||||
|
trimm default proposals.
|
||||||
|
|
||||||
|
This commit removes the weaker pre-SHA2 hashes, the broken ciphers
|
||||||
|
(arcfour), and the broken modes (CBC) from the default configuration
|
||||||
|
(the patch only changes the default, all the modes are still available
|
||||||
|
for the config files).
|
||||||
|
|
||||||
|
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
||||||
|
- deraadt@cvs.openbsd.org 2014/03/26 17:16:26
|
||||||
|
[myproposal.h]
|
||||||
|
The current sharing of myproposal[] between both client and server code
|
||||||
|
makes the previous diff highly unpallatable. We want to go in that
|
||||||
|
direction for the server, but not for the client. Sigh.
|
||||||
|
Brought up by naddy.
|
||||||
|
- markus@cvs.openbsd.org 2014/03/27 23:01:27
|
||||||
|
[myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
|
||||||
|
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
||||||
|
|
||||||
20140401
|
20140401
|
||||||
- (djm) On platforms that support it, use prctl() to prevent sftp-server
|
- (djm) On platforms that support it, use prctl() to prevent sftp-server
|
||||||
|
|
71
myproposal.h
71
myproposal.h
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: myproposal.h,v 1.35 2013/12/06 13:39:49 markus Exp $ */
|
/* $OpenBSD: myproposal.h,v 1.38 2014/03/27 23:01:27 markus Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
|
@ -69,23 +69,22 @@
|
||||||
#ifdef HAVE_EVP_SHA256
|
#ifdef HAVE_EVP_SHA256
|
||||||
# define KEX_SHA256_METHODS \
|
# define KEX_SHA256_METHODS \
|
||||||
"diffie-hellman-group-exchange-sha256,"
|
"diffie-hellman-group-exchange-sha256,"
|
||||||
#define KEX_CURVE25519_METHODS \
|
|
||||||
"curve25519-sha256@libssh.org,"
|
|
||||||
#define SHA2_HMAC_MODES \
|
#define SHA2_HMAC_MODES \
|
||||||
"hmac-sha2-256," \
|
"hmac-sha2-256," \
|
||||||
"hmac-sha2-512,"
|
"hmac-sha2-512,"
|
||||||
#else
|
#else
|
||||||
# define KEX_SHA256_METHODS
|
# define KEX_SHA256_METHODS
|
||||||
# define KEX_CURVE25519_METHODS
|
|
||||||
# define SHA2_HMAC_MODES
|
# define SHA2_HMAC_MODES
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
# define KEX_DEFAULT_KEX \
|
#define KEX_SERVER_KEX \
|
||||||
KEX_CURVE25519_METHODS \
|
"curve25519-sha256@libssh.org," \
|
||||||
KEX_ECDH_METHODS \
|
KEX_ECDH_METHODS \
|
||||||
KEX_SHA256_METHODS \
|
KEX_SHA256_METHODS \
|
||||||
|
"diffie-hellman-group14-sha1"
|
||||||
|
|
||||||
|
#define KEX_CLIENT_KEX KEX_SERVER_KEX "," \
|
||||||
"diffie-hellman-group-exchange-sha1," \
|
"diffie-hellman-group-exchange-sha1," \
|
||||||
"diffie-hellman-group14-sha1," \
|
|
||||||
"diffie-hellman-group1-sha1"
|
"diffie-hellman-group1-sha1"
|
||||||
|
|
||||||
#define KEX_DEFAULT_PK_ALG \
|
#define KEX_DEFAULT_PK_ALG \
|
||||||
|
@ -102,29 +101,34 @@
|
||||||
|
|
||||||
/* the actual algorithms */
|
/* the actual algorithms */
|
||||||
|
|
||||||
#define KEX_DEFAULT_ENCRYPT \
|
#define KEX_SERVER_ENCRYPT \
|
||||||
"aes128-ctr,aes192-ctr,aes256-ctr," \
|
"aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||||
"arcfour256,arcfour128," \
|
|
||||||
AESGCM_CIPHER_MODES \
|
AESGCM_CIPHER_MODES \
|
||||||
"chacha20-poly1305@openssh.com," \
|
"chacha20-poly1305@openssh.com"
|
||||||
|
|
||||||
|
#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
|
||||||
|
"arcfour256,arcfour128," \
|
||||||
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
|
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
|
||||||
"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
|
"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
|
||||||
|
|
||||||
#define KEX_DEFAULT_MAC \
|
#define KEX_SERVER_MAC \
|
||||||
"hmac-md5-etm@openssh.com," \
|
|
||||||
"hmac-sha1-etm@openssh.com," \
|
|
||||||
"umac-64-etm@openssh.com," \
|
"umac-64-etm@openssh.com," \
|
||||||
"umac-128-etm@openssh.com," \
|
"umac-128-etm@openssh.com," \
|
||||||
"hmac-sha2-256-etm@openssh.com," \
|
"hmac-sha2-256-etm@openssh.com," \
|
||||||
"hmac-sha2-512-etm@openssh.com," \
|
"hmac-sha2-512-etm@openssh.com," \
|
||||||
|
"umac-64@openssh.com," \
|
||||||
|
"umac-128@openssh.com," \
|
||||||
|
"hmac-sha2-256," \
|
||||||
|
"hmac-sha2-512"
|
||||||
|
|
||||||
|
#define KEX_CLIENT_MAC KEX_SERVER_MAC "," \
|
||||||
|
"hmac-md5-etm@openssh.com," \
|
||||||
|
"hmac-sha1-etm@openssh.com," \
|
||||||
"hmac-ripemd160-etm@openssh.com," \
|
"hmac-ripemd160-etm@openssh.com," \
|
||||||
"hmac-sha1-96-etm@openssh.com," \
|
"hmac-sha1-96-etm@openssh.com," \
|
||||||
"hmac-md5-96-etm@openssh.com," \
|
"hmac-md5-96-etm@openssh.com," \
|
||||||
"hmac-md5," \
|
"hmac-md5," \
|
||||||
"hmac-sha1," \
|
"hmac-sha1," \
|
||||||
"umac-64@openssh.com," \
|
|
||||||
"umac-128@openssh.com," \
|
|
||||||
SHA2_HMAC_MODES \
|
|
||||||
"hmac-ripemd160," \
|
"hmac-ripemd160," \
|
||||||
"hmac-ripemd160@openssh.com," \
|
"hmac-ripemd160@openssh.com," \
|
||||||
"hmac-sha1-96," \
|
"hmac-sha1-96," \
|
||||||
|
@ -133,16 +137,27 @@
|
||||||
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
|
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
|
||||||
#define KEX_DEFAULT_LANG ""
|
#define KEX_DEFAULT_LANG ""
|
||||||
|
|
||||||
|
#define KEX_CLIENT \
|
||||||
static char *myproposal[PROPOSAL_MAX] = {
|
KEX_CLIENT_KEX, \
|
||||||
KEX_DEFAULT_KEX,
|
KEX_DEFAULT_PK_ALG, \
|
||||||
KEX_DEFAULT_PK_ALG,
|
KEX_CLIENT_ENCRYPT, \
|
||||||
KEX_DEFAULT_ENCRYPT,
|
KEX_CLIENT_ENCRYPT, \
|
||||||
KEX_DEFAULT_ENCRYPT,
|
KEX_CLIENT_MAC, \
|
||||||
KEX_DEFAULT_MAC,
|
KEX_CLIENT_MAC, \
|
||||||
KEX_DEFAULT_MAC,
|
KEX_DEFAULT_COMP, \
|
||||||
KEX_DEFAULT_COMP,
|
KEX_DEFAULT_COMP, \
|
||||||
KEX_DEFAULT_COMP,
|
KEX_DEFAULT_LANG, \
|
||||||
KEX_DEFAULT_LANG,
|
|
||||||
KEX_DEFAULT_LANG
|
KEX_DEFAULT_LANG
|
||||||
};
|
|
||||||
|
#define KEX_SERVER \
|
||||||
|
KEX_SERVER_KEX, \
|
||||||
|
KEX_DEFAULT_PK_ALG, \
|
||||||
|
KEX_SERVER_ENCRYPT, \
|
||||||
|
KEX_SERVER_ENCRYPT, \
|
||||||
|
KEX_SERVER_MAC, \
|
||||||
|
KEX_SERVER_MAC, \
|
||||||
|
KEX_DEFAULT_COMP, \
|
||||||
|
KEX_DEFAULT_COMP, \
|
||||||
|
KEX_DEFAULT_LANG, \
|
||||||
|
KEX_DEFAULT_LANG
|
||||||
|
|
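Review bot: The new `KEX_SERVER_KEX` hard-codes `"curve25519-sha256@libssh.org,"`, while the section removes the `KEX_CURVE25519_METHODS` macro that the old side defined as empty in the `#else` branch of `#ifdef HAVE_EVP_SHA256`. A build without `HAVE_EVP_SHA256` would then presumably advertise a key exchange it cannot perform, in both the server list and the client list derived from it. I would keep both `KEX_CURVE25519_METHODS` definitions inside the `#ifdef` block and start the list with `KEX_CURVE25519_METHODS \` instead of the literal. The same question applies to `KEX_SERVER_MAC`, which now names `"hmac-sha2-256,"` and `"hmac-sha2-512"` directly where the old list used the conditional `SHA2_HMAC_MODES`. That macro is still defined but, as far as this section shows, no longer referenced.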
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: ssh-keyscan.c,v 1.90 2014/03/12 04:44:58 djm Exp $ */
|
/* $OpenBSD: ssh-keyscan.c,v 1.91 2014/03/27 23:01:27 markus Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
||||||
*
|
*
|
||||||
|
@ -242,6 +242,7 @@ ssh2_capable(int remote_major, int remote_minor)
|
||||||
static Key *
|
static Key *
|
||||||
keygrab_ssh2(con *c)
|
keygrab_ssh2(con *c)
|
||||||
{
|
{
|
||||||
|
char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
|
||||||
int j;
|
int j;
|
||||||
|
|
||||||
packet_set_connection(c->c_fd, c->c_fd);
|
packet_set_connection(c->c_fd, c->c_fd);
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: sshconnect2.c,v 1.204 2014/02/02 03:44:32 djm Exp $ */
|
/* $OpenBSD: sshconnect2.c,v 1.205 2014/03/27 23:01:27 markus Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||||
|
@ -156,6 +156,7 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
void
|
void
|
||||||
ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
{
|
{
|
||||||
|
char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
|
||||||
Kex *kex;
|
Kex *kex;
|
||||||
|
|
||||||
xxx_host = host;
|
xxx_host = host;
|
||||||
|
|
3
sshd.c
3
sshd.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: sshd.c,v 1.420 2014/02/26 21:53:37 markus Exp $ */
|
/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@ -2437,6 +2437,7 @@ sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, u_int *slen,
|
||||||
static void
|
static void
|
||||||
do_ssh2_kex(void)
|
do_ssh2_kex(void)
|
||||||
{
|
{
|
||||||
|
char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
|
||||||
Kex *kex;
|
Kex *kex;
|
||||||
|
|
||||||
if (options.ciphers != NULL) {
|
if (options.ciphers != NULL) {
|
||||||
|
|
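Review bot: The added declaration at the top of do_ssh2_kex has no comment recording that `KEX_SERVER` is a deliberately reduced default, so a maintainer must consult myproposal.h to learn why sshd and ssh now diverge. With this default, peers limited to CBC, arcfour or the MD5/SHA-1 MACs will fail negotiation unless the administrator re-enables them. The `if (options.ciphers != NULL)` override that follows shows this is possible for ciphers; the equivalent overrides for MACs and key exchange are presumably further down, outside the hunk. I would add `/* server default: reduced proposal, weak ciphers/MACs/kex only via sshd_config */` above the declaration. The commit touches no manual page, so the default lists documented for sshd_config are worth checking against the new `KEX_SERVER_*` values.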