From: djm@openbsd.org
Date: Tue, 30 Dec 2025 00:35:37 +0000 (+0000)
Subject: upstream: Remove bug compatibility for implementations that don't
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd49a87bf4e4a219978bf20f03e2a72041f57b2f;p=thirdparty%2Fopenssh-portable.git
upstream: Remove bug compatibility for implementations that don't support rekeying. AFAIK this is only an ancient Sun SSH version. If such an implementation tries to interoperate with OpenSSH, it will eventually fail when the transport needs rekeying. This is probably long enough to use it to download a modern SSH implementation that lacks this problem :)
ok markus@ deraadt@
OpenBSD-Commit-ID: 228a502fee808cf8b7caee23169eb6a1ab1c331a
---
diff --git a/packet.c b/packet.c
index 2df7a97b7..1c781763c 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.328 2025/12/30 00:22:58 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.329 2025/12/30 00:35:37 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -1118,10 +1118,6 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
 if (ssh_packet_is_rekeying(ssh))
 return 0;
- /* Peer can't rekey */
- if (ssh->compat & SSH_BUG_NOREKEY)
- return 0;
-
 /*
 * Permit one packet in or out per rekey - this allows us to
 * make progress when rekey limits are very small.
@@ -1368,8 +1364,7 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
 logit("outgoing seqnr wraps around");
 }
 if (++state->p_send.packets == 0)
- if (!(ssh->compat & SSH_BUG_NOREKEY))
- return SSH_ERR_NEED_REKEY;
+ return SSH_ERR_NEED_REKEY;
 state->p_send.blocks += len / block_size;
 state->p_send.bytes += len;
 sshbuf_reset(state->outgoing_packet);
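Review bot: In the `ssh_packet_need_rekeying()` hunk of packet.c, nothing marks the spot where the `SSH_BUG_NOREKEY` early return used to be, so a reader comparing against an older tree cannot tell that the exemption was dropped on purpose and may reintroduce it. A one-line comment in its place would keep the intent visible, for example `/* No exemption for SSH_BUG_NOREKEY peers: rekey limits apply to every connection. */`. The function body starts and ends outside the hunk, so how a rekey attempt against such a peer is reported cannot be judged from here; presumably it surfaces as a generic key-exchange failure, and it is worth checking that the resulting error lets an operator tie it back to the peer's missing rekey support.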
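Review bot: In `ssh_packet_send2_wrapped()` the rewritten `if (++state->p_send.packets == 0)` followed by `return SSH_ERR_NEED_REKEY;` carries no comment, and the same applies to the `p_read.packets` check in the `ssh_packet_read_poll2()` hunk. After this commit the return is an unconditional stop once the packet counter wraps, which is the security-relevant property of the change, so it deserves a line such as `/* packet counter wrapped under the current keys: refuse to continue without a rekey */`. The return is taken before the `blocks`/`bytes` accounting and, on the send side, before `sshbuf_reset(state->outgoing_packet)`; that ordering is not changed here, but it presumably relies on callers treating `SSH_ERR_NEED_REKEY` as fatal, which is worth stating in the same comment once confirmed. Both functions continue outside their hunks.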
@@ -1784,8 +1779,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 logit("incoming seqnr wraps around");
 }
 if (++state->p_read.packets == 0)
- if (!(ssh->compat & SSH_BUG_NOREKEY))
- return SSH_ERR_NEED_REKEY;
+ return SSH_ERR_NEED_REKEY;
 state->p_read.blocks += (state->packlen + 4) / block_size;
 state->p_read.bytes += state->packlen + 4;
diff --git a/sshconnect.c b/sshconnect.c
index 4b4a90189..9dd1d02ea 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.377 2025/12/22 01:49:03 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.378 2025/12/30 00:35:37 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -44,6 +44,7 @@
 #include "xmalloc.h"
 #include "hostfile.h"
 #include "ssh.h"
+#include "compat.h"
 #include "sshbuf.h"
 #include "packet.h"
 #include "sshkey.h"
@@ -1609,6 +1610,11 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
 options.version_addendum)) != 0)
 sshpkt_fatal(ssh, r, "banner exchange");
+ if ((ssh->compat & SSH_BUG_NOREKEY)) {
+ logit("Warning: this server does not support rekeying.");
+ logit("This session will eventually fail");
+ }
+
 /* Put the connection into non-blocking mode. */
 ssh_packet_set_nonblocking(ssh);
diff --git a/sshd-session.c b/sshd-session.c
index 5d384fa2f..5f34f6444 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd-session.c,v 1.18 2025/12/16 08:32:50 dtucker Exp $ */
+/* $OpenBSD: sshd-session.c,v 1.19 2025/12/30 00:35:37 djm Exp $ */
 /*
 * SSH2 implementation:
 * Privilege Separation:
@@ -1252,6 +1252,9 @@ main(int ac, char **av)
 options.version_addendum)) != 0)
 sshpkt_fatal(ssh, r, "banner exchange");
+ if ((ssh->compat & SSH_BUG_NOREKEY))
+ debug("client does not support rekeying");
+
 ssh_packet_set_nonblocking(ssh);
 /* allocate authentication context */
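Review bot: The warning added to `ssh_login()` in sshconnect.c is split across two `logit()` calls, so it becomes two separate log records, and the second, `This session will eventually fail`, says nothing about the cause when it is read alone in a log file or by a collector. A single record would be easier to search and alert on, for example `logit("Warning: server does not support rekeying; this session will fail once a rekey is required");`. The flag is tested directly after the banner exchange, so it presumably derives from the peer's version string before the host key has been verified; a short comment saying the message is advisory would make that explicit. The doubled parentheses in `if ((ssh->compat & SSH_BUG_NOREKEY))` are redundant, and `ssh_login()` continues outside the hunk.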
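Review bot: On the server side in sshd-session.c the same condition is reported only through `debug("client does not support rekeying")`, whereas the client change uses `logit()`, so at a default log level an operator investigating a long-lived session that later aborts at rekey time will probably find no record of why. Raising the level and stating the consequence would help, for example `verbose("client does not support rekeying; session will fail when a rekey is required");`. If the low level is deliberate because the flag comes from a pre-authentication banner that any client can send, a comment saying so would settle the question. The doubled parentheses in the condition are redundant here as well, and `main()` continues outside the hunk.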