mirror of git://anongit.mindrot.org/openssh.git
upstream commit
Cap DH-GEX group size at 4kbits for Cisco implementations. Some of them will choke when asked for preferred sizes >4k instead of returning the 4k group that they do have. bz#2209, ok djm@ Upstream-ID: 54b863a19713446b7431f9d06ad0532b4fcfef8d
This commit is contained in:
parent
3e91b4e8b0
commit
b282fec1aa
3
compat.c
3
compat.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: compat.c,v 1.93 2015/05/06 04:07:18 dtucker Exp $ */
|
/* $OpenBSD: compat.c,v 1.94 2015/05/26 23:23:40 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
|
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
|
||||||
*
|
*
|
||||||
|
@ -152,6 +152,7 @@ compat_datafellows(const char *version)
|
||||||
"1.2.22*", SSH_BUG_IGNOREMSG },
|
"1.2.22*", SSH_BUG_IGNOREMSG },
|
||||||
{ "1.3.2*", /* F-Secure */
|
{ "1.3.2*", /* F-Secure */
|
||||||
SSH_BUG_IGNOREMSG },
|
SSH_BUG_IGNOREMSG },
|
||||||
|
{ "Cisco-1.*", SSH_BUG_DHGEX_LARGE },
|
||||||
{ "*SSH Compatible Server*", /* Netscreen */
|
{ "*SSH Compatible Server*", /* Netscreen */
|
||||||
SSH_BUG_PASSWORDPAD },
|
SSH_BUG_PASSWORDPAD },
|
||||||
{ "*OSU_0*,"
|
{ "*OSU_0*,"
|
||||||
|
|
3
compat.h
3
compat.h
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: compat.h,v 1.47 2015/04/10 05:16:50 dtucker Exp $ */
|
/* $OpenBSD: compat.h,v 1.48 2015/05/26 23:23:40 dtucker Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
|
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
|
||||||
|
@ -61,6 +61,7 @@
|
||||||
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
|
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
|
||||||
#define SSH_BUG_CURVE25519PAD 0x10000000
|
#define SSH_BUG_CURVE25519PAD 0x10000000
|
||||||
#define SSH_BUG_HOSTKEYS 0x20000000
|
#define SSH_BUG_HOSTKEYS 0x20000000
|
||||||
|
#define SSH_BUG_DHGEX_LARGE 0x40000000
|
||||||
|
|
||||||
void enable_compat13(void);
|
void enable_compat13(void);
|
||||||
void enable_compat20(void);
|
void enable_compat20(void);
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: kexgexc.c,v 1.21 2015/04/13 02:04:08 djm Exp $ */
|
/* $OpenBSD: kexgexc.c,v 1.22 2015/05/26 23:23:40 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||||
|
@ -28,6 +28,7 @@
|
||||||
|
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
|
|
||||||
|
#include <sys/param.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include <openssl/dh.h>
|
#include <openssl/dh.h>
|
||||||
|
@ -65,6 +66,8 @@ kexgex_client(struct ssh *ssh)
|
||||||
kex->min = DH_GRP_MIN;
|
kex->min = DH_GRP_MIN;
|
||||||
kex->max = DH_GRP_MAX;
|
kex->max = DH_GRP_MAX;
|
||||||
kex->nbits = nbits;
|
kex->nbits = nbits;
|
||||||
|
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||||
|
kex->nbits = MIN(kex->nbits, 4096);
|
||||||
/* New GEX request */
|
/* New GEX request */
|
||||||
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 ||
|
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 ||
|
||||||
(r = sshpkt_put_u32(ssh, kex->min)) != 0 ||
|
(r = sshpkt_put_u32(ssh, kex->min)) != 0 ||
|
||||||
|
|
Loading…
Reference in New Issue