- djm@cvs.openbsd.org 2014/01/09 23:26:48
[sshconnect.c sshd.c] ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient, deranged and might make some attacks on KEX easier; ok markus@
parent
b3051d01e5
commit
58cd63bc63
|
@ -18,6 +18,10 @@
|
|||
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
|
||||
to build a reduced-feature OpenSSH without OpenSSL in future;
|
||||
feedback, ok markus@
|
||||
- djm@cvs.openbsd.org 2014/01/09 23:26:48
|
||||
[sshconnect.c sshd.c]
|
||||
ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
|
||||
deranged and might make some attacks on KEX easier; ok markus@
|
||||
|
||||
20140108
|
||||
- (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshconnect.c,v 1.243 2013/12/30 23:52:27 djm Exp $ */
|
||||
/* $OpenBSD: sshconnect.c,v 1.244 2014/01/09 23:26:48 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -662,6 +662,9 @@ ssh_exchange_identification(int timeout_ms)
|
|||
fatal("Protocol major versions differ: %d vs. %d",
|
||||
(options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
|
||||
remote_major);
|
||||
if ((datafellows & SSH_BUG_DERIVEKEY) != 0)
|
||||
fatal("Server version \"%.100s\" uses unsafe key agreement; "
|
||||
"refusing connection", remote_version);
|
||||
if ((datafellows & SSH_BUG_RSASIGMD5) != 0)
|
||||
logit("Server version \"%.100s\" uses unsafe RSA signature "
|
||||
"scheme; disabling use of RSA keys", remote_version);
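Review bot: The new fatal() at the SSH_BUG_DERIVEKEY check writes remote_version, a string received from the peer, into the client's log; unless the identification string is stripped of non-printable bytes before this point (that code is not in the hunk), a hostile server can push control characters or fake log lines through it, exactly as the existing RSASIGMD5 logit already can. The `%.100s` bounds the length but not the content. Either confirm the sanitisation happens earlier or add `/* remote_version is peer-supplied: length-bounded by %.100s, not sanitised here */` above the check so the next maintainer knows the trust boundary. Note also that this file leaves the one-statement if bodies unbraced while the matching sshd.c change in this commit braces them; ssh_exchange_identification starts and ends outside the hunk.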
|
||||
|
|
9
sshd.c
9
sshd.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshd.c,v 1.413 2013/12/30 23:52:28 djm Exp $ */
|
||||
/* $OpenBSD: sshd.c,v 1.414 2014/01/09 23:26:48 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -502,9 +502,14 @@ sshd_exchange_identification(int sock_in, int sock_out)
|
|||
get_remote_ipaddr(), client_version_string);
|
||||
cleanup_exit(255);
|
||||
}
|
||||
if ((datafellows & SSH_BUG_RSASIGMD5) != 0)
|
||||
if ((datafellows & SSH_BUG_RSASIGMD5) != 0) {
|
||||
logit("Client version \"%.100s\" uses unsafe RSA signature "
|
||||
"scheme; disabling use of RSA keys", remote_version);
|
||||
}
|
||||
if ((datafellows & SSH_BUG_DERIVEKEY) != 0) {
|
||||
fatal("Client version \"%.100s\" uses unsafe key agreement; "
|
||||
"refusing connection", remote_version);
|
||||
}
|
||||
|
||||
mismatch = 0;
|
||||
switch (remote_major) {
|
||||
|
|