upstream commit

Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the 1990s,
but today it's clearly a bad idea in terms of both cryptography (cf. multiple
compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth compression has been disabled by default in sshd
for >10 years.

Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
13 files changed
tree: b0271896ec4d6c0e716821954212677438824a05