[openssh-commits] [openssh] 07/07: upstream: remove ext-info-* in the kex.c code, not in callers;
git+noreply at mindrot.org
git+noreply at mindrot.org
Mon Jan 8 13:26:57 AEDT 2024
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit a72833d00788ef91100c643536ac08ada46440e1
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon Jan 8 00:34:33 2024 +0000
upstream: remove ext-info-* in the kex.c code, not in callers;
with/ok markus@
OpenBSD-Commit-ID: c06fe2d3a0605c517ff7d65e38ec7b2d1b0b2799
---
kex.c | 31 +++++++++++++++++++++++++++----
sshconnect2.c | 21 ++++++---------------
sshd.c | 4 ++--
3 files changed, 35 insertions(+), 21 deletions(-)
diff --git a/kex.c b/kex.c
index cbb2af59..8a0f1651 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.184 2023/12/18 14:45:49 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.185 2024/01/08 00:34:33 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@@ -772,10 +772,11 @@ static int
kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
{
struct kex *kex = ssh->kex;
- int r;
+ int r, initial = (kex->flags & KEX_INITIAL) != 0;
+ char *cp, **prop;
debug("SSH2_MSG_NEWKEYS received");
- if (kex->ext_info_c && (kex->flags & KEX_INITIAL) != 0)
+ if (kex->ext_info_c && initial)
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_input_ext_info);
ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
@@ -783,10 +784,32 @@ kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh)
return r;
if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
return r;
+ if (initial) {
+ /* Remove initial KEX signalling from proposal for rekeying */
+ if ((r = kex_buf2prop(kex->my, NULL, &prop)) != 0)
+ return r;
+ if ((cp = match_filter_denylist(prop[PROPOSAL_KEX_ALGS],
+ kex->server ?
+ "ext-info-s,kex-strict-s-v00 at openssh.com" :
+ "ext-info-c,kex-strict-c-v00 at openssh.com")) == NULL) {
+ error_f("match_filter_denylist failed");
+ goto fail;
+ }
+ free(prop[PROPOSAL_KEX_ALGS]);
+ prop[PROPOSAL_KEX_ALGS] = cp;
+ if ((r = kex_prop2buf(ssh->kex->my, prop)) != 0) {
+ error_f("kex_prop2buf failed");
+ fail:
+ kex_proposal_free_entries(prop);
+ free(prop);
+ return SSH_ERR_INTERNAL_ERROR;
+ }
+ kex_proposal_free_entries(prop);
+ free(prop);
+ }
kex->done = 1;
kex->flags &= ~KEX_INITIAL;
sshbuf_reset(kex->peer);
- /* sshbuf_reset(kex->my); */
kex->flags &= ~KEX_INIT_SENT;
free(kex->name);
kex->name = NULL;
diff --git a/sshconnect2.c b/sshconnect2.c
index fab1e36b..745c2a05 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.371 2023/12/18 14:45:49 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.372 2024/01/08 00:34:34 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -221,7 +221,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
const struct ssh_conn_info *cinfo)
{
char *myproposal[PROPOSAL_MAX];
- char *s, *all_key, *hkalgs = NULL;
+ char *all_key, *hkalgs = NULL;
int r, use_known_hosts_order = 0;
xxx_host = host;
@@ -249,14 +249,12 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
fatal_fr(r, "kex_assemble_namelist");
free(all_key);
- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
- fatal_f("kex_names_cat");
-
if (use_known_hosts_order)
hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo);
- kex_proposal_populate_entries(ssh, myproposal, s, options.ciphers,
- options.macs, compression_alg_list(options.compression),
+ kex_proposal_populate_entries(ssh, myproposal,
+ options.kex_algorithms, options.ciphers, options.macs,
+ compression_alg_list(options.compression),
hkalgs ? hkalgs : options.hostkeyalgorithms);
free(hkalgs);
@@ -281,13 +279,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
ssh->kex->verify_host_key=&verify_host_key_callback;
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
-
- /* remove ext-info from the KEX proposals for rekeying */
- free(myproposal[PROPOSAL_KEX_ALGS]);
- myproposal[PROPOSAL_KEX_ALGS] =
- compat_kex_proposal(ssh, options.kex_algorithms);
- if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
- fatal_r(r, "kex_prop2buf");
+ kex_proposal_free_entries(myproposal);
#ifdef DEBUG_KEXDH
/* send 1st encrypted/maced/compressed message */
@@ -297,7 +289,6 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
(r = ssh_packet_write_wait(ssh)) != 0)
fatal_fr(r, "send packet");
#endif
- kex_proposal_free_entries(myproposal);
}
/*
diff --git a/sshd.c b/sshd.c
index 9cbe9229..b4f2b974 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.601 2023/12/18 14:45:49 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.602 2024/01/08 00:34:34 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -2428,6 +2428,7 @@ do_ssh2_kex(struct ssh *ssh)
kex->sign = sshd_hostkey_sign;
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &kex->done);
+ kex_proposal_free_entries(myproposal);
#ifdef DEBUG_KEXDH
/* send 1st encrypted/maced/compressed message */
@@ -2437,7 +2438,6 @@ do_ssh2_kex(struct ssh *ssh)
(r = ssh_packet_write_wait(ssh)) != 0)
fatal_fr(r, "send test");
#endif
- kex_proposal_free_entries(myproposal);
debug("KEX done");
}
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list