[openssh-commits] [openssh] 03/04: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Jul 29 19:36:15 AEST 2015


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit f319912b0d0e1675b8bb051ed8213792c788bcb2
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Jul 29 04:43:06 2015 +0000

    upstream commit
    
    include the peer's offer when logging a failure to
     negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
    
    Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
---
 kex.c    | 31 ++++++++++++++++++++++++-------
 kex.h    |  3 ++-
 packet.c | 13 ++++++++++++-
 3 files changed, 38 insertions(+), 9 deletions(-)

diff --git a/kex.c b/kex.c
index dbc55ef..5e8b513 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.106 2015/04/17 13:25:52 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.107 2015/07/29 04:43:06 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -448,6 +448,7 @@ kex_free(struct kex *kex)
 	free(kex->session_id);
 	free(kex->client_version_string);
 	free(kex->server_version_string);
+	free(kex->failed_choice);
 	free(kex);
 }
 
@@ -626,17 +627,26 @@ kex_choose_conf(struct ssh *ssh)
 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
 		if ((r = choose_enc(&newkeys->enc, cprop[nenc],
-		    sprop[nenc])) != 0)
+		    sprop[nenc])) != 0) {
+			kex->failed_choice = peer[nenc];
+			peer[nenc] = NULL;
 			goto out;
+		}
 		authlen = cipher_authlen(newkeys->enc.cipher);
 		/* ignore mac for authenticated encryption */
 		if (authlen == 0 &&
 		    (r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
-		    sprop[nmac])) != 0)
+		    sprop[nmac])) != 0) {
+			kex->failed_choice = peer[nmac];
+			peer[nmac] = NULL;
 			goto out;
+		}
 		if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
-		    sprop[ncomp])) != 0)
+		    sprop[ncomp])) != 0) {
+			kex->failed_choice = peer[ncomp];
+			peer[ncomp] = NULL;
 			goto out;
+		}
 		debug("kex: %s %s %s %s",
 		    ctos ? "client->server" : "server->client",
 		    newkeys->enc.name,
@@ -644,10 +654,17 @@ kex_choose_conf(struct ssh *ssh)
 		    newkeys->comp.name);
 	}
 	if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
-	    sprop[PROPOSAL_KEX_ALGS])) != 0 ||
-	    (r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
-	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0)
+	    sprop[PROPOSAL_KEX_ALGS])) != 0) {
+		kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
+		peer[PROPOSAL_KEX_ALGS] = NULL;
 		goto out;
+	}
+	if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
+	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
+		kex->failed_choice = cprop[PROPOSAL_SERVER_HOST_KEY_ALGS];
+		cprop[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
+		goto out;
+	}
 	need = dh_need = 0;
 	for (mode = 0; mode < MODE_MAX; mode++) {
 		newkeys = kex->newkeys[mode];
diff --git a/kex.h b/kex.h
index f70b81f..fea5a75 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.71 2015/02/16 22:13:32 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.72 2015/07/29 04:43:06 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -141,6 +141,7 @@ struct kex {
 	int	ec_nid;
 	char	*client_version_string;
 	char	*server_version_string;
+	char	*failed_choice;
 	int	(*verify_host_key)(struct sshkey *, struct ssh *);
 	struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
 	struct sshkey *(*load_host_private_key)(int, int, struct ssh *);
diff --git a/packet.c b/packet.c
index a7727ef..6008c2d 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.212 2015/05/01 07:10:01 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.213 2015/07/29 04:43:06 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1933,6 +1933,17 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
 			cleanup_exit(255);
 		}
 		/* FALLTHROUGH */
+	case SSH_ERR_NO_CIPHER_ALG_MATCH:
+	case SSH_ERR_NO_MAC_ALG_MATCH:
+	case SSH_ERR_NO_COMPRESS_ALG_MATCH:
+	case SSH_ERR_NO_KEX_ALG_MATCH:
+	case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
+		if (ssh && ssh->kex && ssh->kex->failed_choice) {
+			fatal("Unable to negotiate with %.200s: %s. "
+			    "Their offer: %s", ssh_remote_ipaddr(ssh),
+			    ssh_err(r), ssh->kex->failed_choice);
+		}
+		/* FALLTHROUGH */
 	default:
 		fatal("%s%sConnection to %.200s: %s",
 		    tag != NULL ? tag : "", tag != NULL ? ": " : "",

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list