[openssh-commits] [openssh] branch master updated: upstream: As defined in the RFC, the SSH protocol has negotiable

git+noreply at mindrot.org git+noreply at mindrot.org
Tue Aug 27 09:05:50 AEST 2024 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

The following commit(s) were added to refs/heads/master by this push:
     new 10ccf611 upstream: As defined in the RFC, the SSH protocol has negotiable
10ccf611 is described below

commit 10ccf611ab8ecba9ce6b0548c5ccd8c1220baf92
Author: deraadt at openbsd.org <deraadt at openbsd.org>
AuthorDate: Fri Aug 23 04:51:00 2024 +0000

    upstream: As defined in the RFC, the SSH protocol has negotiable
    
    compression support (which is requested as the name "zlib"). Compression
    starts very early in the session. Relative early in OpenSSH lifetime, privsep
    was added to sshd, and this required a shared-memory hack so the two
    processes could see what was going on in the dataflow.  This shared-memory
    hack was soon recognized as a tremendous complexity risk, because it put libz
    (which very much trusts it's memory) in a dangerous place, and a new option
    ("zlib at openssh.com") was added begins compression after authentication (aka
    delayed-compression).  That change also permitted removal of the
    shared-memory hack. Despite removal from the server, the old "zlib" support
    remained in the client, to allow negotiation with non-OpenSSH daemons which
    lack the delayed-compression option. This commit deletes support for the
    older "zlib" option in the client. It reduces our featureset in a small way,
    and encourages other servers to move to a better design. The SSH protocol is
    different enough that compressed-key-material attacks like BEAST are
    unlikely, but who wants to take the chance? We encourage other ssh servers
    who care about optional compression support to add delayed-zlib support.
    (Some already do "zlib at openssh.com") ok djm markus
    
    OpenBSD-Commit-ID: 6df986f38e4ab389f795a6e39e7c6857a763ba72
---
 cipher.c   | 6 +++---
 kex.c      | 4 +---
 kex.h      | 4 +---
 packet.c   | 7 +++----
 readconf.c | 4 ++--
 5 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/cipher.c b/cipher.c
index 9c2fbd6c..7d6e7d8c 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.122 2024/08/14 15:42:18 tobias Exp $ */
+/* $OpenBSD: cipher.c,v 1.123 2024/08/23 04:51:00 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -143,8 +143,8 @@ const char *
 compression_alg_list(int compression)
 {
 #ifdef WITH_ZLIB
-	return compression ? "zlib at openssh.com,zlib,none" :
-	    "none,zlib at openssh.com,zlib";
+	return compression ? "zlib at openssh.com,none" :
+	    "none,zlib at openssh.com";
 #else
 	return "none";
 #endif
diff --git a/kex.c b/kex.c
index 63aae5d7..6b957e5e 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.186 2024/05/17 00:30:23 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.187 2024/08/23 04:51:00 deraadt Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -842,8 +842,6 @@ choose_comp(struct sshcomp *comp, char *client, char *server)
 #ifdef WITH_ZLIB
 	if (strcmp(name, "zlib at openssh.com") == 0) {
 		comp->type = COMP_DELAYED;
-	} else if (strcmp(name, "zlib") == 0) {
-		comp->type = COMP_ZLIB;
 	} else
 #endif	/* WITH_ZLIB */
 	if (strcmp(name, "none") == 0) {
diff --git a/kex.h b/kex.h
index 4b3ece66..67003021 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.124 2024/08/22 23:11:30 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.125 2024/08/23 04:51:00 deraadt Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -66,8 +66,6 @@
 #define	KEX_SNTRUP761X25519_SHA512_OLD	"sntrup761x25519-sha512 at openssh.com"
 
 #define COMP_NONE	0
-/* pre-auth compression (COMP_ZLIB) is only supported in the client */
-#define COMP_ZLIB	1
 #define COMP_DELAYED	2
 
 #define CURVE25519_SIZE 32
diff --git a/packet.c b/packet.c
index e6ae2013..486f8515 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.316 2024/08/15 00:51:51 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.317 2024/08/23 04:51:00 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1015,9 +1015,8 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
 	/* explicit_bzero(enc->iv,  enc->block_size);
 	   explicit_bzero(enc->key, enc->key_len);
 	   explicit_bzero(mac->key, mac->key_len); */
-	if ((comp->type == COMP_ZLIB ||
-	    (comp->type == COMP_DELAYED &&
-	    state->after_authentication)) && comp->enabled == 0) {
+	if (((comp->type == COMP_DELAYED && state->after_authentication)) &&
+	    comp->enabled == 0) {
 		if ((r = ssh_packet_init_compression(ssh)) < 0)
 			return r;
 		if (mode == MODE_OUT) {
diff --git a/readconf.c b/readconf.c
index 4e3791cb..1d0ba0e7 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.387 2024/05/17 02:39:11 jsg Exp $ */
+/* $OpenBSD: readconf.c,v 1.388 2024/08/23 04:51:00 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1002,7 +1002,7 @@ static const struct multistate multistate_pubkey_auth[] = {
 };
 static const struct multistate multistate_compression[] = {
 #ifdef WITH_ZLIB
-	{ "yes",			COMP_ZLIB },
+	{ "yes",			COMP_DELAYED },
 #endif
 	{ "no",				COMP_NONE },
 	{ NULL, -1 }

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list