- djm@cvs.openbsd.org 2014/01/09 23:26:48 [sshconnect.c sshd.c] ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient, deranged and might make some attacks on KEX easier; ok markus@

commit: 58cd63bc63038acddfb4051ed14e11179d8f4941 [log] [tgz]
author: Damien Miller <djm@mindrot.org> Fri Jan 10 10:59:24 2014 +1100
committer: Damien Miller <djm@mindrot.org> Fri Jan 10 10:59:24 2014 +1100
tree: eb65dbe7f28e207756131ad75ec746310ff5eaa2
parent: b3051d01e505c9c2dc00faab472a0d06fa6b0e65 [diff] [blame]
diff --git a/sshconnect.c b/sshconnect.c
index 791b31c..d21781e 100644
--- a/sshconnect.c
+++ b/sshconnect.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.243 2013/12/30 23:52:27 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.244 2014/01/09 23:26:48 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -662,6 +662,9 @@
 		fatal("Protocol major versions differ: %d vs. %d",
 		    (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
 		    remote_major);
+	if ((datafellows & SSH_BUG_DERIVEKEY) != 0)
+		fatal("Server version \"%.100s\" uses unsafe key agreement; "
+		    "refusing connection", remote_version);
 	if ((datafellows & SSH_BUG_RSASIGMD5) != 0)
 		logit("Server version \"%.100s\" uses unsafe RSA signature "
 		    "scheme; disabling use of RSA keys", remote_version);
commit	58cd63bc63038acddfb4051ed14e11179d8f4941	[log] [tgz]
author	Damien Miller <djm@mindrot.org>	Fri Jan 10 10:59:24 2014 +1100
committer	Damien Miller <djm@mindrot.org>	Fri Jan 10 10:59:24 2014 +1100
tree	eb65dbe7f28e207756131ad75ec746310ff5eaa2
parent	b3051d01e505c9c2dc00faab472a0d06fa6b0e65 [diff] [blame]