authordjm <djm>2014-04-20 03:44:47 +0000
committerdjm <djm>2014-04-20 03:44:47 +0000
commitec35f75247ab05a95ef3da3b53230e5eaab329d7 (patch)
treec60c0f977c603e27d1043c99ba40433ccd726bc6
parent5dc3fd328d685fca7563fb6754d880b226be1665 (diff)
- (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519 key exchange incorrectly, causing connection failures about 0.2% of the time when this method is used against a peer that implements the method properly. Fix the problem and disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1 to enable the compatibility code.
-rw-r--r--ChangeLog11
-rw-r--r--compat.c2
-rw-r--r--compat.h2
-rw-r--r--sshconnect2.c3
-rw-r--r--sshd.c31
-rw-r--r--version.h4
6 files changed, 43 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index 9c59cc43..60f181a6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+20140420
+ - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
+ OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
+ key exchange incorrectly, causing connection failures about 0.2% of
+ the time when this method is used against a peer that implements
+ the method properly.
+
+ Fix the problem and disable the curve25519 KEX when speaking to
+ OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
+ to enable the compatability code.
+
20140313
- (djm) Release OpenSSH 6.6
diff --git a/compat.c b/compat.c
index 4d286e8e..2709dc5c 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.85 2014/04/20 02:49:32 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.82 2013/12/30 23:52:27 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
diff --git a/compat.h b/compat.h
index 2e25d5ba..a6c3f3d7 100644
--- a/compat.h
+++ b/compat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.h,v 1.45 2014/04/18 23:52:25 djm Exp $ */
+/* $OpenBSD: compat.h,v 1.44 2013/12/30 23:52:27 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
diff --git a/sshconnect2.c b/sshconnect2.c
index b1aa69c2..ec3ad6a5 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.206 2014/04/18 23:52:25 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.204 2014/02/02 03:44:32 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -156,7 +156,6 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
void
ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
{
- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
Kex *kex;
xxx_host = host;
diff --git a/sshd.c b/sshd.c
index b955f192..e9084b72 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.425 2014/04/19 14:53:48 tedu Exp $ */
+/* $OpenBSD: sshd.c,v 1.420 2014/02/26 21:53:37 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -122,6 +122,13 @@
#include "ssh-sandbox.h"
#include "version.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif
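Review bot: The `int allow_severity;` and `int deny_severity;` definitions on the new side carry no comment explaining why sshd defines them, and a reader of this hunk cannot tell that they are only assigned later, per connection, in main() before hosts_access() is called. I would add above them `/* Required by libwrap; main() sets both from options.log_facility before hosts_access(). */`. Until that assignment they hold their zero initial value, so any libwrap logging that happened before main() reaches it would use that default — presumably that cannot happen, but it is worth confirming.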
@@ -2027,6 +2034,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (packet_connection_is_on_socket()) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
/* Log the connection. */
verbose("Connection from %s port %d on %s port %d",
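Review bot: A connection refused by hosts_access() is recorded only by the `debug("Connection refused by tcp wrapper");` line, whereas the accepted path reaches the `verbose("Connection from %s port %d on %s port %d", ...)` log below and the audit event above the check (`audit_connection_from(remote_ip, remote_port)`) has already fired for both outcomes. An operator reading sshd's log at the default level therefore sees the audit/connection record but not the refusal, unless libwrap's own syslog line is correlated by hand. I would log the refusal at the same level as the accepted case, with the peer identity already in scope: `verbose("Connection from %s port %d refused by tcp_wrappers", remote_ip, remote_port);` before `refuse(&req);`. main() begins and ends outside this hunk, so I cannot see whether remote_ip is set unconditionally by this point; the audit call two lines up suggests it is.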
@@ -2412,7 +2437,6 @@ sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, u_int *slen,
static void
do_ssh2_kex(void)
{
- char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
Kex *kex;
if (options.ciphers != NULL) {
@@ -2487,8 +2511,7 @@ cleanup_exit(int i)
{
if (the_authctxt) {
do_cleanup(the_authctxt);
- if (use_privsep && privsep_is_preauth &&
- pmonitor != NULL && pmonitor->m_pid > 1) {
+ if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {
debug("Killing privsep child %d", pmonitor->m_pid);
if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
errno != ESRCH)
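Review bot: The new condition `if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {` dereferences pmonitor without the NULL check that the old line carried, so cleanup_exit() would fault if it runs with privsep_is_preauth set before pmonitor has been allocated; whether that ordering is reachable is not visible in this hunk. If cleanup_exit() is entered from error paths, a fault here would also mask the failure that triggered the exit, so unless the dropped guard is known to be redundant I would keep it: `if (use_privsep && privsep_is_preauth && pmonitor != NULL && pmonitor->m_pid > 1) {`. The body of cleanup_exit() continues past the end of the hunk.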
diff --git a/version.h b/version.h
index cc8a079a..a33e77c9 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
-/* $OpenBSD: version.h,v 1.71 2014/04/18 23:52:25 djm Exp $ */
+/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
-#define SSH_VERSION "OpenSSH_6.7"
+#define SSH_VERSION "OpenSSH_6.6.1"
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE