author | djm <djm> | 2014-04-20 03:44:47 +0000 |
---|---|---|
committer | djm <djm> | 2014-04-20 03:44:47 +0000 |
commit | ec35f75247ab05a95ef3da3b53230e5eaab329d7 (patch) | |
tree | c60c0f977c603e27d1043c99ba40433ccd726bc6 | |
parent | 5dc3fd328d685fca7563fb6754d880b226be1665 (diff) | |
download | openssh-ec35f75247ab05a95ef3da3b53230e5eaab329d7.tar.gz |
- (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
key exchange incorrectly, causing connection failures about 0.2% of
the time when this method is used against a peer that implements
the method properly.
Fix the problem and disable the curve25519 KEX when speaking to
OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
to enable the compatibility code.
-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | compat.c | 2 | ||||
-rw-r--r-- | compat.h | 2 | ||||
-rw-r--r-- | sshconnect2.c | 3 | ||||
-rw-r--r-- | sshd.c | 31 | ||||
-rw-r--r-- | version.h | 4 |
6 files changed, 43 insertions, 10 deletions
@@ -1,3 +1,14 @@
+20140420
+ - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
+ OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
+ key exchange incorrectly, causing connection failures about 0.2% of
+ the time when this method is used against a peer that implements
+ the method properly.
+
+ Fix the problem and disable the curve25519 KEX when speaking to
+ OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
+ to enable the compatability code.
+
 20140313
 - (djm) Release OpenSSH 6.6
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.85 2014/04/20 02:49:32 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.82 2013/12/30 23:52:27 djm Exp $ */
 /*
 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
 *
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.h,v 1.45 2014/04/18 23:52:25 djm Exp $ */
+/* $OpenBSD: compat.h,v 1.44 2013/12/30 23:52:27 djm Exp $ */
 /*
 * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
diff --git a/sshconnect2.c b/sshconnect2.c
index b1aa69c2..ec3ad6a5 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.206 2014/04/18 23:52:25 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.204 2014/02/02 03:44:32 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -156,7 +156,6 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
 void
 ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 {
- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
 Kex *kex;
 xxx_host = host;
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.425 2014/04/19 14:53:48 tedu Exp $ */
+/* $OpenBSD: sshd.c,v 1.420 2014/02/26 21:53:37 markus Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -122,6 +122,13 @@
 #include "ssh-sandbox.h"
 #include "version.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY 0
 #endif
@@ -2027,6 +2034,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
 audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (packet_connection_is_on_socket()) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
 /* Log the connection. */
 verbose("Connection from %s port %d on %s port %d",
@@ -2412,7 +2437,6 @@ sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, u_int *slen,
 static void
 do_ssh2_kex(void)
 {
- char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
 Kex *kex;
 if (options.ciphers != NULL) {
@@ -2487,8 +2511,7 @@ cleanup_exit(int i)
 {
 if (the_authctxt) {
 do_cleanup(the_authctxt);
- if (use_privsep && privsep_is_preauth &&
- pmonitor != NULL && pmonitor->m_pid > 1) {
+ if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {
 debug("Killing privsep child %d", pmonitor->m_pid);
 if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
 errno != ESRCH)
@@ -1,6 +1,6 @@
-/* $OpenBSD: version.h,v 1.71 2014/04/18 23:52:25 djm Exp $ */
+/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
-#define SSH_VERSION "OpenSSH_6.7"
+#define SSH_VERSION "OpenSSH_6.6.1"
 #define SSH_PORTABLE "p1"
 #define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
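Review bot: The non-static globals `int allow_severity;` and `int deny_severity;` added under LIBWRAP carry no comment saying why they are defined here with external linkage rather than as statics; add `/* syslog priorities consulted by libwrap; assigned per connection from options.log_facility in main() */` above them (that assignment is visible in the later hunk of this file). They are presumably declared extern by tcpd.h and resolved by the library at link time — confirm against the installed header, since a static definition would otherwise be the usual choice. The surrounding include block starts before this hunk.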
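Review bot: A host refused by hosts_access() in the new LIBWRAP block is recorded by sshd only at debug level (`debug("Connection refused by tcp wrapper");`) before refuse() exits, and the `verbose("Connection from %s port %d on %s port %d", ...)` line that follows the block is never reached for it, so at the default LogLevel sshd's own log shows nothing for a wrappers denial and operators have to rely on libwrap's deny_severity entry. Since remote_ip and remote_port are already in scope here (they are passed to audit_connection_from just above), log the refusal at the same level as accepted connections: `verbose("Connection from %s port %d refused by tcp wrapper", remote_ip, remote_port);`. Note also that this check runs in the per-connection process before any privilege separation and fromhost() performs a reverse lookup of the peer, which is worth a short comment at the top of the block for anyone auditing what runs with full privilege. main() begins before this hunk and continues after it.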
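Review bot: The new-side condition in cleanup_exit, `if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {`, dereferences pmonitor without the `pmonitor != NULL` test the removed lines had, so a fatal() that reaches cleanup_exit with the_authctxt set but the monitor not yet allocated would crash in the cleanup path instead of exiting cleanly. Whether that ordering is reachable depends on where the_authctxt and pmonitor are assigned, which is outside this hunk; if it is, restore the guard as `if (use_privsep && privsep_is_preauth && pmonitor != NULL && pmonitor->m_pid > 1) {`. The RCS ids in this diff run backwards (sshd.c 1.425 to 1.420, version.h 6.7 to 6.6.1), so this may be a release-branch tree diffed against a newer master rather than a deliberate removal, but either way the branch build lacks the check. cleanup_exit continues past the end of the hunk.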