[openssh-commits] [openssh] 01/01: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Wed May 27 13:47:27 AEST 2015



djm pushed a commit to branch master
in repository openssh.

commit b282fec1aa05246ed3482270eb70fc3ec5f39a00
Author: dtucker at openbsd.org <dtucker at openbsd.org>
Date:   Tue May 26 23:23:40 2015 +0000

    upstream commit
    
    Cap DH-GEX group size at 4kbits for Cisco implementations.
     Some of them will choke when asked for preferred sizes >4k instead of
     returning the 4k group that they do have.  bz#2209, ok djm@
    
    Upstream-ID: 54b863a19713446b7431f9d06ad0532b4fcfef8d
---
 compat.c  | 3 ++-
 compat.h  | 3 ++-
 kexgexc.c | 5 ++++-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/compat.c b/compat.c
index 337bbe0..0631024 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.93 2015/05/06 04:07:18 dtucker Exp $ */
+/* $OpenBSD: compat.c,v 1.94 2015/05/26 23:23:40 dtucker Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -152,6 +152,7 @@ compat_datafellows(const char *version)
 		  "1.2.22*",		SSH_BUG_IGNOREMSG },
 		{ "1.3.2*",		/* F-Secure */
 					SSH_BUG_IGNOREMSG },
+		{ "Cisco-1.*",		SSH_BUG_DHGEX_LARGE },
 		{ "*SSH Compatible Server*",			/* Netscreen */
 					SSH_BUG_PASSWORDPAD },
 		{ "*OSU_0*,"
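Review bot: The new `"Cisco-1.*"` entry keys a DH-GEX downgrade off the peer's version banner, which is unauthenticated and peer-chosen, so any server (not only Cisco) can claim this string and have the client lower its preferred group size to 4096 bits; the client's min/max checks still bound the result, but the trade-off deserves a comment at the table entry. I would annotate it as `{ "Cisco-1.*", SSH_BUG_DHGEX_LARGE }, /* bz#2209: fails on DH-GEX requests > 4096 bits */` so the next reader knows why the cap exists and that it only lowers the preferred size, not the enforced minimum. The enclosing compat_datafellows() begins and ends outside this hunk, so I cannot see whether an earlier pattern in the table could match a Cisco banner first; worth confirming since the first match wins in this style of table.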
diff --git a/compat.h b/compat.h
index 83507f0..2be290a 100644
--- a/compat.h
+++ b/compat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.h,v 1.47 2015/04/10 05:16:50 dtucker Exp $ */
+/* $OpenBSD: compat.h,v 1.48 2015/05/26 23:23:40 dtucker Exp $ */
 
 /*
  * Copyright (c) 1999, 2000, 2001 Markus Friedl.  All rights reserved.
@@ -61,6 +61,7 @@
 #define SSH_BUG_DYNAMIC_RPORT	0x08000000
 #define SSH_BUG_CURVE25519PAD	0x10000000
 #define SSH_BUG_HOSTKEYS	0x20000000
+#define SSH_BUG_DHGEX_LARGE	0x40000000
 
 void     enable_compat13(void);
 void     enable_compat20(void);
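Review bot: `SSH_BUG_DHGEX_LARGE` is added without any comment saying what the flag means or where it is consumed, unlike a reader would expect for a compat bit whose effect is a cryptographic downgrade; I would write it as `#define SSH_BUG_DHGEX_LARGE	0x40000000 /* cap DH-GEX group request at 4096 bits */`. Note also that this takes the second-highest bit of a 32-bit mask; if `datafellows` is a plain `int` (its declaration is not in this patch, so I am inferring), the only remaining value, `0x80000000`, would be the sign bit and the next flag would need the mask widened or the type changed, which is worth a short note near the definitions.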
diff --git a/kexgexc.c b/kexgexc.c
index 3f20491..71ff133 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexc.c,v 1.21 2015/04/13 02:04:08 djm Exp $ */
+/* $OpenBSD: kexgexc.c,v 1.22 2015/05/26 23:23:40 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -28,6 +28,7 @@
 
 #ifdef WITH_OPENSSL
 
+#include <sys/param.h>
 #include <sys/types.h>
 
 #include <openssl/dh.h>
@@ -65,6 +66,8 @@ kexgex_client(struct ssh *ssh)
 	kex->min = DH_GRP_MIN;
 	kex->max = DH_GRP_MAX;
 	kex->nbits = nbits;
+	if (datafellows & SSH_BUG_DHGEX_LARGE)
+		kex->nbits = MIN(kex->nbits, 4096);
 	/* New GEX request */
 	if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 ||
 	    (r = sshpkt_put_u32(ssh, kex->min)) != 0 ||
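Review bot: The cap at line `kex->nbits = MIN(kex->nbits, 4096);` silently lowers the preferred group size below whatever estimate was assigned to `nbits` before the hunk (that computation is outside my view), and nothing records that a downgrade happened, so a user debugging a weaker-than-expected exchange has no trace of it. I would add a why-comment referencing bz#2209 and a log line inside the conditional, e.g. `debug("SSH_BUG_DHGEX_LARGE: capping DH-GEX group request at 4096 bits");`, assuming log.h is in scope as in the rest of the kex code. `kex->max` is left at `DH_GRP_MAX`, which is fine since the server may still return a larger group and the later size check against min/max still applies, but a one-line comment stating that only the preferred size is capped would prevent a future "fix" that also lowers `max`. kexgex_client() begins before and continues after this hunk.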
