[openssh-commits] [openssh] 03/04: upstream commit
git+noreply at mindrot.org
git+noreply at mindrot.org
Wed Jul 29 19:36:15 AEST 2015
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit f319912b0d0e1675b8bb051ed8213792c788bcb2
Author: djm at openbsd.org <djm at openbsd.org>
Date: Wed Jul 29 04:43:06 2015 +0000
upstream commit
include the peer's offer when logging a failure to
negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
---
kex.c | 31 ++++++++++++++++++++++++-------
kex.h | 3 ++-
packet.c | 13 ++++++++++++-
3 files changed, 38 insertions(+), 9 deletions(-)
diff --git a/kex.c b/kex.c
index dbc55ef..5e8b513 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.106 2015/04/17 13:25:52 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.107 2015/07/29 04:43:06 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@@ -448,6 +448,7 @@ kex_free(struct kex *kex)
free(kex->session_id);
free(kex->client_version_string);
free(kex->server_version_string);
+ free(kex->failed_choice);
free(kex);
}
@@ -626,17 +627,26 @@ kex_choose_conf(struct ssh *ssh)
nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
if ((r = choose_enc(&newkeys->enc, cprop[nenc],
- sprop[nenc])) != 0)
+ sprop[nenc])) != 0) {
+ kex->failed_choice = peer[nenc];
+ peer[nenc] = NULL;
goto out;
+ }
authlen = cipher_authlen(newkeys->enc.cipher);
/* ignore mac for authenticated encryption */
if (authlen == 0 &&
(r = choose_mac(ssh, &newkeys->mac, cprop[nmac],
- sprop[nmac])) != 0)
+ sprop[nmac])) != 0) {
+ kex->failed_choice = peer[nmac];
+ peer[nmac] = NULL;
goto out;
+ }
if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
- sprop[ncomp])) != 0)
+ sprop[ncomp])) != 0) {
+ kex->failed_choice = peer[ncomp];
+ peer[ncomp] = NULL;
goto out;
+ }
debug("kex: %s %s %s %s",
ctos ? "client->server" : "server->client",
newkeys->enc.name,
@@ -644,10 +654,17 @@ kex_choose_conf(struct ssh *ssh)
newkeys->comp.name);
}
if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
- sprop[PROPOSAL_KEX_ALGS])) != 0 ||
- (r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
- sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0)
+ sprop[PROPOSAL_KEX_ALGS])) != 0) {
+ kex->failed_choice = peer[PROPOSAL_KEX_ALGS];
+ peer[PROPOSAL_KEX_ALGS] = NULL;
goto out;
+ }
+ if ((r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
+ sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0) {
+ kex->failed_choice = cprop[PROPOSAL_SERVER_HOST_KEY_ALGS];
+ cprop[PROPOSAL_SERVER_HOST_KEY_ALGS] = NULL;
+ goto out;
+ }
need = dh_need = 0;
for (mode = 0; mode < MODE_MAX; mode++) {
newkeys = kex->newkeys[mode];
diff --git a/kex.h b/kex.h
index f70b81f..fea5a75 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.71 2015/02/16 22:13:32 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.72 2015/07/29 04:43:06 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -141,6 +141,7 @@ struct kex {
int ec_nid;
char *client_version_string;
char *server_version_string;
+ char *failed_choice;
int (*verify_host_key)(struct sshkey *, struct ssh *);
struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
struct sshkey *(*load_host_private_key)(int, int, struct ssh *);
diff --git a/packet.c b/packet.c
index a7727ef..6008c2d 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.212 2015/05/01 07:10:01 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.213 2015/07/29 04:43:06 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1933,6 +1933,17 @@ sshpkt_fatal(struct ssh *ssh, const char *tag, int r)
cleanup_exit(255);
}
/* FALLTHROUGH */
+ case SSH_ERR_NO_CIPHER_ALG_MATCH:
+ case SSH_ERR_NO_MAC_ALG_MATCH:
+ case SSH_ERR_NO_COMPRESS_ALG_MATCH:
+ case SSH_ERR_NO_KEX_ALG_MATCH:
+ case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
+ if (ssh && ssh->kex && ssh->kex->failed_choice) {
+ fatal("Unable to negotiate with %.200s: %s. "
+ "Their offer: %s", ssh_remote_ipaddr(ssh),
+ ssh_err(r), ssh->kex->failed_choice);
+ }
+ /* FALLTHROUGH */
default:
fatal("%s%sConnection to %.200s: %s",
tag != NULL ? tag : "", tag != NULL ? ": " : "",
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list