author | Ben Lindstrom <mouring@eviladmin.org> | 2001-03-24 04:53:32 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-03-24 04:53:32 +0000 |
commit | 09573fcc7ca8a516a8ed404f00889469e0264309 (patch) | |
tree | e76dfe41af975f81662df4a7f45c772c4bb1023d | |
parent | af2ce50f8b158ebe22228a540c9504b9f0ee9185 (diff) |
- djm@cvs.openbsd.org 2001/03/23 11:04:07
[compat.c compat.h sshconnect2.c sshd.c]
Compat for OpenSSH with broken Rijndael/AES. ok markus@
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | compat.c | 36 | ||||
-rw-r--r-- | compat.h | 4 | ||||
-rw-r--r-- | sshconnect2.c | 5 | ||||
-rw-r--r-- | sshd.c | 5 |
5 files changed, 49 insertions, 6 deletions
@@ -7,6 +7,9 @@
 - deraadt@cvs.openbsd.org 2001/03/22 20:22:55 [sshd.c] do not place linefeeds in buffer
+ - djm@cvs.openbsd.org 2001/03/23 11:04:07
+ [compat.c compat.h sshconnect2.c sshd.c]
+ Compat for OpenSSH with broken Rijndael/AES. ok markus@
 20010322 - (djm) Better AIX no tty fix, spotted by Gert Doering <gert@greenie.muc.de>
@@ -4670,4 +4673,4 @@
 - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1
-$Id: ChangeLog,v 1.991.2.9 2001/03/24 04:51:43 mouring Exp $
+$Id: ChangeLog,v 1.991.2.10 2001/03/24 04:53:32 mouring Exp $
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.39 2001/03/18 23:30:55 deraadt Exp $");
+RCSID("$OpenBSD: compat.c,v 1.40 2001/03/23 11:04:06 djm Exp $");
 #ifdef HAVE_LIBPCRE
 # include <pcreposix.h>
@@ -69,7 +69,9 @@ compat_datafellows(const char *version)
 } check[] = {
 { "^OpenSSH[-_]2\\.[012]", SSH_OLD_SESSIONID|SSH_BUG_BANNER },
- { "^OpenSSH_2\\.3\\.0", SSH_BUG_BANNER },
+ { "^OpenSSH_2\\.3\\.0", SSH_BUG_BANNER|SSH_BUG_BIGENDIANAES },
+ { "^OpenSSH_2\\.5\\.[01]p1",
+ SSH_BUG_BIGENDIANAES },
 { "^OpenSSH", 0 },
 { "MindTerm", 0 },
 { "^2\\.1\\.0", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
@@ -149,3 +151,33 @@ proto_spec(const char *spec)
 xfree(s);
 return ret;
 }
+
+char *
+compat_cipher_proposal(char *cipher_prop)
+{
+ char *orig_prop, *fix_ciphers;
+ char *cp, *tmp;
+ size_t len;
+
+ if (!(datafellows & SSH_BUG_BIGENDIANAES))
+ return(cipher_prop);
+
+ len = strlen(cipher_prop) + 1;
+ fix_ciphers = xmalloc(len);
+ *fix_ciphers = '\0';
+ tmp = orig_prop = xstrdup(cipher_prop);
+ while((cp = strsep(&tmp, ",")) != NULL) {
+ if (strncmp(cp, "aes", 3) && strncmp(cp, "rijndael", 8)) {
+ if (*fix_ciphers)
+ strlcat(fix_ciphers, ",", len);
+ strlcat(fix_ciphers, cp, len);
+ }
+ }
+ xfree(orig_prop);
+ debug2("Original cipher proposal: %s", cipher_prop);
+ debug2("Compat cipher proposal: %s", fix_ciphers);
+ if (!*fix_ciphers)
+ fatal("No available ciphers found.");
+
+ return(fix_ciphers);
+}
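Review bot: compat_cipher_proposal hands back its own argument when SSH_BUG_BIGENDIANAES is clear but a fresh xmalloc'd buffer when it is set, so a caller cannot know whether it owns the result; both call sites in this commit simply overwrite the myproposal slot and never free either string. A header comment on the function would settle the contract, e.g. `/* Returns cipher_prop itself, or a new xmalloc'd copy with aes/rijndael removed; callers keep the result for the life of the kex and do not free it. */`, or the function could always return a copy so ownership is uniform. Two smaller points on the new loop: the strncmp prefix tests drop every name starting with "aes" or "rijndael", which is presumably intended, and an empty token produced by a doubled comma passes the test and is appended as-is, which is harmless only if cipher_prop was already validated when the option was parsed. Since datafellows is derived from the peer's version banner, any peer claiming one of the matched versions makes this side drop AES from its offer, so the remaining ciphers in the default list have to be acceptable on their own.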
@@ -21,7 +21,7 @@
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-/* RCSID("$OpenBSD: compat.h,v 1.18 2001/03/18 23:30:55 deraadt Exp $"); */
+/* RCSID("$OpenBSD: compat.h,v 1.19 2001/03/23 11:04:06 djm Exp $"); */
 #ifndef COMPAT_H
 #define COMPAT_H
@@ -43,11 +43,13 @@
 #define SSH_BUG_PKOK 0x0200
 #define SSH_BUG_PASSWORDPAD 0x0400
 #define SSH_BUG_SCANNER 0x0800
+#define SSH_BUG_BIGENDIANAES 0x1000
 void enable_compat13(void);
 void enable_compat20(void);
 void compat_datafellows(const char *s);
 int proto_spec(const char *spec);
+char *compat_cipher_proposal(char *cipher_prop);
 extern int compat13;
 extern int compat20;
 extern int datafellows;
diff --git a/sshconnect2.c b/sshconnect2.c
index 046d746a..86f3bb9b 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.54 2001/03/12 22:02:02 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.55 2001/03/23 11:04:07 djm Exp $");
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -96,6 +96,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
 }
+ myproposal[PROPOSAL_ENC_ALGS_STOC] =
+ compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
+
 /* buffers with raw kexinit messages */
 server_kexinit = xmalloc(sizeof(*server_kexinit));
 buffer_init(server_kexinit);
@@ -40,7 +40,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.176 2001/03/22 20:22:55 deraadt Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.177 2001/03/23 11:04:07 djm Exp $");
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1450,6 +1450,9 @@ do_ssh2_kex(void)
 }
 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
+ myproposal[PROPOSAL_ENC_ALGS_STOC] =
+ compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
+
 server_kexinit = kex_init(myproposal);
 client_kexinit = xmalloc(sizeof(*client_kexinit));
 buffer_init(client_kexinit); |
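Review bot: Only the server-to-client slot PROPOSAL_ENC_ALGS_STOC is run through compat_cipher_proposal in the ssh_kex2 hunk and again in the sshd.c do_ssh2_kex hunk, so PROPOSAL_ENC_ALGS_CTOS still advertises aes/rijndael and the client-to-server direction can still negotiate the cipher the flagged peers are known to get wrong. Unless the breakage is known to affect one direction only, the same filter should be applied to the other slot beside the new lines: `myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);`. A short comment on the call, such as `/* drop aes/rijndael when the peer's version string marks its AES as broken */`, would also tell a reader why the proposal is rewritten after the option values have been copied in. ssh_kex2 and do_ssh2_kex both begin and end outside their hunks.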