[openssh-commits] [openssh] 03/04: upstream: Remove bug compatibility for implementations that don't

git+noreply at mindrot.org git+noreply at mindrot.org
Tue Dec 30 11:37:53 AEDT 2025


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit dd49a87bf4e4a219978bf20f03e2a72041f57b2f
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Tue Dec 30 00:35:37 2025 +0000

    upstream: Remove bug compatibility for implementations that don't
    
    support rekeying. AFAIK this is only an ancient Sun SSH version.
    
    If such an implementation tries to interoperate with OpenSSH, it
    will eventually fail when the transport needs rekeying.
    
    This is probably long enough to use it to download a modern SSH
    implementation that lacks this problem :)
    
    ok markus@ deraadt@
    
    OpenBSD-Commit-ID: 228a502fee808cf8b7caee23169eb6a1ab1c331a
---
 packet.c       | 12 +++---------
 sshconnect.c   |  8 +++++++-
 sshd-session.c |  5 ++++-
 3 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/packet.c b/packet.c
index 2df7a97b7..1c781763c 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.328 2025/12/30 00:22:58 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.329 2025/12/30 00:35:37 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1118,10 +1118,6 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
 	if (ssh_packet_is_rekeying(ssh))
 		return 0;
 
-	/* Peer can't rekey */
-	if (ssh->compat & SSH_BUG_NOREKEY)
-		return 0;
-
 	/*
 	 * Permit one packet in or out per rekey - this allows us to
 	 * make progress when rekey limits are very small.
@@ -1368,8 +1364,7 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
 		logit("outgoing seqnr wraps around");
 	}
 	if (++state->p_send.packets == 0)
-		if (!(ssh->compat & SSH_BUG_NOREKEY))
-			return SSH_ERR_NEED_REKEY;
+		return SSH_ERR_NEED_REKEY;
 	state->p_send.blocks += len / block_size;
 	state->p_send.bytes += len;
 	sshbuf_reset(state->outgoing_packet);
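Review bot: The counter-wrap check `if (++state->p_send.packets == 0) return SSH_ERR_NEED_REKEY;` is now an unconditional stop, but nothing at the site says so or notes that it returns before the `p_send.blocks`/`p_send.bytes` accounting and the `sshbuf_reset(state->outgoing_packet)` on the following lines. With the SSH_BUG_NOREKEY exemption gone, this is the backstop for peers that never complete a rekey, so a short comment would help, e.g. `/* packet counter wrapped under the current keys: refuse to send more rather than continue without a rekey */`. The same applies to the `p_read.packets` check in the ssh_packet_read_poll2 hunk. Whether callers treat SSH_ERR_NEED_REKEY as fatal is not visible here, and both functions continue outside their hunks.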
@@ -1784,8 +1779,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 		logit("incoming seqnr wraps around");
 	}
 	if (++state->p_read.packets == 0)
-		if (!(ssh->compat & SSH_BUG_NOREKEY))
-			return SSH_ERR_NEED_REKEY;
+		return SSH_ERR_NEED_REKEY;
 	state->p_read.blocks += (state->packlen + 4) / block_size;
 	state->p_read.bytes += state->packlen + 4;
 
diff --git a/sshconnect.c b/sshconnect.c
index 4b4a90189..9dd1d02ea 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.377 2025/12/22 01:49:03 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.378 2025/12/30 00:35:37 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -44,6 +44,7 @@
 #include "xmalloc.h"
 #include "hostfile.h"
 #include "ssh.h"
+#include "compat.h"
 #include "sshbuf.h"
 #include "packet.h"
 #include "sshkey.h"
@@ -1609,6 +1610,11 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
 	    options.version_addendum)) != 0)
 		sshpkt_fatal(ssh, r, "banner exchange");
 
+	if ((ssh->compat & SSH_BUG_NOREKEY)) {
+		logit("Warning: this server does not support rekeying.");
+		logit("This session will eventually fail");
+	}
+
 	/* Put the connection into non-blocking mode. */
 	ssh_packet_set_nonblocking(ssh);
 
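Review bot: The warning is split across two `logit()` calls, so it reaches the log as two separate records, and the second one, "This session will eventually fail", carries no context on its own and lacks the full stop the first has. A single record is easier to search and alert on: `logit("Warning: this server does not support rekeying; this session will eventually fail.");`. The doubled parentheses in `if ((ssh->compat & SSH_BUG_NOREKEY))` are unnecessary, since the condition contains no assignment. ssh_login continues outside the hunk.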
diff --git a/sshd-session.c b/sshd-session.c
index 5d384fa2f..5f34f6444 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd-session.c,v 1.18 2025/12/16 08:32:50 dtucker Exp $ */
+/* $OpenBSD: sshd-session.c,v 1.19 2025/12/30 00:35:37 djm Exp $ */
 /*
  * SSH2 implementation:
  * Privilege Separation:
@@ -1252,6 +1252,9 @@ main(int ac, char **av)
 	    options.version_addendum)) != 0)
 		sshpkt_fatal(ssh, r, "banner exchange");
 
+	if ((ssh->compat & SSH_BUG_NOREKEY))
+		debug("client does not support rekeying");
+
 	ssh_packet_set_nonblocking(ssh);
 
 	/* allocate authentication context */
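Review bot: The server records this condition only at `debug()` level, while the client side in sshconnect.c uses `logit()`. At the default log level, an operator who later sees the connection drop with a rekey error has nothing in the log tying it to the peer's missing rekey support. Consider `verbose("client does not support rekeying; session will fail when a rekey is required");`. This check appears to run before authentication (right after banner exchange), so any level above debug lets unauthenticated peers generate the line. The doubled parentheses in the condition are unnecessary. main() continues outside the hunk.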
