compression support (which is requested as the name "zlib"). Compression
starts very early in the session. Relatively early in OpenSSH's lifetime, privsep
was added to sshd, and this required a shared-memory hack so the two
processes could see what was going on in the dataflow. This shared-memory
hack was soon recognized as a tremendous complexity risk, because it put libz
(which very much trusts its memory) in a dangerous place, and a new option
("zlib@openssh.com") was added that begins compression after authentication (aka
delayed-compression). That change also permitted removal of the
shared-memory hack. Despite removal from the server, the old "zlib" support
remained in the client, to allow negotiation with non-OpenSSH daemons which
lack the delayed-compression option. This commit deletes support for the
older "zlib" option in the client. It reduces our featureset in a small way,
and encourages other servers to move to a better design. The SSH protocol is
different enough that compressed-key-material attacks like BEAST are
unlikely, but who wants to take the chance? We encourage other ssh servers
who care about optional compression support to add delayed-zlib support.
(Some already do "zlib@openssh.com".) ok djm markus
OpenBSD-Commit-ID:
6df986f38e4ab389f795a6e39e7c6857a763ba72
-/* $OpenBSD: cipher.c,v 1.122 2024/08/14 15:42:18 tobias Exp $ */
+/* $OpenBSD: cipher.c,v 1.123 2024/08/23 04:51:00 deraadt Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
compression_alg_list(int compression)
{
#ifdef WITH_ZLIB
- return compression ? "zlib@openssh.com,zlib,none" :
- "none,zlib@openssh.com,zlib";
+ return compression ? "zlib@openssh.com,none" :
+ "none,zlib@openssh.com";
#else
return "none";
#endif
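Review bot: this is a user-visible compatibility change that deserves a line in the release notes: with "zlib" dropped from both proposal orderings, a client with Compression=yes will now fail to negotiate compression (and fall back to "none") against any server that only offers "zlib", which is exactly the behaviour the commit message intends.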
-/* $OpenBSD: kex.c,v 1.186 2024/05/17 00:30:23 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.187 2024/08/23 04:51:00 deraadt Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
#ifdef WITH_ZLIB
if (strcmp(name, "zlib@openssh.com") == 0) {
comp->type = COMP_DELAYED;
- } else if (strcmp(name, "zlib") == 0) {
- comp->type = COMP_ZLIB;
} else
#endif /* WITH_ZLIB */
if (strcmp(name, "none") == 0) {
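Review bot: the `} else` left dangling before `#endif /* WITH_ZLIB */` and the following `if (strcmp(name, "none") == 0)` is a preexisting pattern, but with the "zlib" branch removed it is worth confirming that a peer name of "zlib" now reaches the same error path as any other unknown method, since the client no longer advertises it and kex selection cannot legitimately produce it.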
-/* $OpenBSD: kex.h,v 1.124 2024/08/22 23:11:30 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.125 2024/08/23 04:51:00 deraadt Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
#define KEX_SNTRUP761X25519_SHA512_OLD "sntrup761x25519-sha512@openssh.com"
#define COMP_NONE 0
-/* pre-auth compression (COMP_ZLIB) is only supported in the client */
-#define COMP_ZLIB 1
#define COMP_DELAYED 2
#define CURVE25519_SIZE 32
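Review bot: removing `COMP_ZLIB` leaves `COMP_NONE 0` and `COMP_DELAYED 2` with an unused value 1; either renumber `COMP_DELAYED` to 1 or add a short comment saying the gap is deliberate so a later reader does not reintroduce a value there. Also, deleting the macro means any remaining `COMP_ZLIB` reference in a file outside this diff will fail to compile, so a tree-wide grep before committing is warranted.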
-/* $OpenBSD: packet.c,v 1.316 2024/08/15 00:51:51 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.317 2024/08/23 04:51:00 deraadt Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
/* explicit_bzero(enc->iv, enc->block_size);
explicit_bzero(enc->key, enc->key_len);
explicit_bzero(mac->key, mac->key_len); */
- if ((comp->type == COMP_ZLIB ||
- (comp->type == COMP_DELAYED &&
- state->after_authentication)) && comp->enabled == 0) {
+ if (((comp->type == COMP_DELAYED && state->after_authentication)) &&
+ comp->enabled == 0) {
if ((r = ssh_packet_init_compression(ssh)) < 0)
return r;
if (mode == MODE_OUT) {
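Review bot: the new condition carries redundant double parentheses, `(((comp->type == COMP_DELAYED && state->after_authentication)) &&`; with the COMP_ZLIB alternative gone there is nothing left to group, so the whole test reads more clearly as a single flat conjunction, e.g. `if (comp->type == COMP_DELAYED && state->after_authentication && comp->enabled == 0) {`.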
-/* $OpenBSD: readconf.c,v 1.387 2024/05/17 02:39:11 jsg Exp $ */
+/* $OpenBSD: readconf.c,v 1.388 2024/08/23 04:51:00 deraadt Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
};
static const struct multistate multistate_compression[] = {
#ifdef WITH_ZLIB
- { "yes", COMP_ZLIB },
+ { "yes", COMP_DELAYED },
#endif
{ "no", COMP_NONE },
{ NULL, -1 }
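Review bot: mapping "yes" to `COMP_DELAYED` changes what the Compression option negotiates, so the ssh_config(5) description of Compression should be updated in the same commit if it still describes or implies the pre-authentication "zlib" method; the diff touches only the parser table and not the manual page.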