upstream commit
deprecate ancient, pre-RFC4419 and undocumented SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message; ok markus@ deraadt@ "seems reasonable" dtucker@
This commit is contained in:
parent
d8f391caef
commit
318be28cda
24
compat.c
24
compat.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: compat.c,v 1.89 2015/04/10 05:16:50 dtucker Exp $ */
|
||||
/* $OpenBSD: compat.c,v 1.90 2015/04/13 02:04:08 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -165,6 +165,7 @@ compat_datafellows(const char *version)
|
|||
"OSU_1.5alpha3*", SSH_BUG_PASSWORDPAD },
|
||||
{ "*SSH_Version_Mapper*",
|
||||
SSH_BUG_SCANNER },
|
||||
{ "PuTTY*", SSH_OLD_DHGEX },
|
||||
{ "Probe-*",
|
||||
SSH_BUG_PROBE },
|
||||
{ "TeraTerm SSH*,"
|
||||
|
@ -284,15 +285,20 @@ compat_pkalg_proposal(char *pkalg_prop)
|
|||
}
|
||||
|
||||
char *
|
||||
compat_kex_proposal(char *kex_prop)
|
||||
compat_kex_proposal(char *p)
|
||||
{
|
||||
if (!(datafellows & SSH_BUG_CURVE25519PAD))
|
||||
return kex_prop;
|
||||
debug2("%s: original KEX proposal: %s", __func__, kex_prop);
|
||||
kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
|
||||
debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
|
||||
if (*kex_prop == '\0')
|
||||
if ((datafellows & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
|
||||
return p;
|
||||
debug2("%s: original KEX proposal: %s", __func__, p);
|
||||
if ((datafellows & SSH_BUG_CURVE25519PAD) != 0)
|
||||
p = filter_proposal(p, "curve25519-sha256@libssh.org");
|
||||
if ((datafellows & SSH_OLD_DHGEX) != 0) {
|
||||
p = filter_proposal(p, "diffie-hellman-group-exchange-sha256");
|
||||
p = filter_proposal(p, "diffie-hellman-group-exchange-sha1");
|
||||
}
|
||||
debug2("%s: compat KEX proposal: %s", __func__, p);
|
||||
if (*p == '\0')
|
||||
fatal("No supported key exchange algorithms found");
|
||||
return kex_prop;
|
||||
return p;
|
||||
}
|
||||
|
||||
|
|
12
kexgexc.c
12
kexgexc.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: kexgexc.c,v 1.20 2015/01/26 06:10:03 djm Exp $ */
|
||||
/* $OpenBSD: kexgexc.c,v 1.21 2015/04/13 02:04:08 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
|
@ -65,15 +65,6 @@ kexgex_client(struct ssh *ssh)
|
|||
kex->min = DH_GRP_MIN;
|
||||
kex->max = DH_GRP_MAX;
|
||||
kex->nbits = nbits;
|
||||
if (ssh->compat & SSH_OLD_DHGEX) {
|
||||
/* Old GEX request */
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD))
|
||||
!= 0 ||
|
||||
(r = sshpkt_put_u32(ssh, kex->nbits)) != 0 ||
|
||||
(r = sshpkt_send(ssh)) != 0)
|
||||
goto out;
|
||||
debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", kex->nbits);
|
||||
} else {
|
||||
/* New GEX request */
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 ||
|
||||
(r = sshpkt_put_u32(ssh, kex->min)) != 0 ||
|
||||
|
@ -83,7 +74,6 @@ kexgex_client(struct ssh *ssh)
|
|||
goto out;
|
||||
debug("SSH2_MSG_KEX_DH_GEX_REQUEST(%u<%u<%u) sent",
|
||||
kex->min, kex->nbits, kex->max);
|
||||
}
|
||||
#ifdef DEBUG_KEXDH
|
||||
fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n",
|
||||
kex->min, kex->nbits, kex->max);
|
||||
|
|
25
kexgexs.c
25
kexgexs.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: kexgexs.c,v 1.24 2015/01/26 06:10:03 djm Exp $ */
|
||||
/* $OpenBSD: kexgexs.c,v 1.25 2015/04/13 02:04:08 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
|
@ -60,8 +60,6 @@ static int input_kex_dh_gex_init(int, u_int32_t, void *);
|
|||
int
|
||||
kexgex_server(struct ssh *ssh)
|
||||
{
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD,
|
||||
&input_kex_dh_gex_request);
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
|
||||
&input_kex_dh_gex_request);
|
||||
debug("expecting SSH2_MSG_KEX_DH_GEX_REQUEST");
|
||||
|
@ -76,8 +74,6 @@ input_kex_dh_gex_request(int type, u_int32_t seq, void *ctxt)
|
|||
int r;
|
||||
u_int min = 0, max = 0, nbits = 0;
|
||||
|
||||
switch (type) {
|
||||
case SSH2_MSG_KEX_DH_GEX_REQUEST:
|
||||
debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
|
||||
if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
|
||||
(r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
|
||||
|
@ -91,21 +87,6 @@ input_kex_dh_gex_request(int type, u_int32_t seq, void *ctxt)
|
|||
max = MIN(DH_GRP_MAX, max);
|
||||
nbits = MAX(DH_GRP_MIN, nbits);
|
||||
nbits = MIN(DH_GRP_MAX, nbits);
|
||||
break;
|
||||
case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
|
||||
debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received");
|
||||
if ((r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
|
||||
(r = sshpkt_get_end(ssh)) != 0)
|
||||
goto out;
|
||||
kex->nbits = nbits;
|
||||
/* unused for old GEX */
|
||||
kex->min = min = DH_GRP_MIN;
|
||||
kex->max = max = DH_GRP_MAX;
|
||||
break;
|
||||
default:
|
||||
r = SSH_ERR_INVALID_ARGUMENT;
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||
kex->max < kex->nbits) {
|
||||
|
@ -131,10 +112,6 @@ input_kex_dh_gex_request(int type, u_int32_t seq, void *ctxt)
|
|||
if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
|
||||
goto out;
|
||||
|
||||
/* old KEX does not use min/max in kexgex_hash() */
|
||||
if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
|
||||
kex->min = kex->max = -1;
|
||||
|
||||
debug("expecting SSH2_MSG_KEX_DH_GEX_INIT");
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_INIT, &input_kex_dh_gex_init);
|
||||
r = 0;
|
||||
|
|
Loading…
Reference in New Issue