components/network/hpn-ssh/patches/0028-Compatibility-for-SunSSH_1.5-should-include-old-DH-K.patch

   1 We use the kex compat mechanism here to recognise old SunSSH
   2 versions and present a kex proposal that always includes the
   3 dh-group14 and -group1 algorithms.
   4
   5 Without this, an old SunSSH client cannot connect to our
   6 new daemon.
   7
   8 --- hpn-ssh-hpn-18.4.2/compat.c.orig
   9 +++ hpn-ssh-hpn-18.4.2/compat.c
  10 @@ -36,6 +36,7 @@
  11  #include "compat.h"
  12  #include "log.h"
  13  #include "match.h"
  14 +#include "sshbuf.h"
  15
  16  /* determine bug flags from SSH protocol banner */
  17  void
  18 @@ -51,8 +52,12 @@
  19                   "OpenSSH_3.1*",       SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR|
  20                                         SSH_BUG_SIGTYPE},
  21                 { "OpenSSH_3.*",        SSH_OLD_FORWARD_ADDR|SSH_BUG_SIGTYPE },
  22 -               { "Sun_SSH_1.0*",       SSH_BUG_NOREKEY|SSH_BUG_EXTEOF|
  23 -                                       SSH_BUG_SIGTYPE},
  24 +               { "Sun_SSH_1.2*,"
  25 +                 "Sun_SSH_1.3*,"
  26 +                 "Sun_SSH_1.4*,"
  27 +                 "Sun_SSH_1.5*",       SSH_OLD_DHGEX},
  28 +               { "Sun_SSH_1.*",        SSH_BUG_NOREKEY|SSH_BUG_EXTEOF|
  29 +                                       SSH_BUG_SIGTYPE|SSH_OLD_DHGEX},
  30                 { "OpenSSH_2*,"
  31                   "OpenSSH_3*,"
  32                   "OpenSSH_4*",         SSH_BUG_SIGTYPE },
  33 @@ -167,6 +172,31 @@
  34         debug_f("no match: %s", version);
  35  }
  36
  37 +/*
  38 + * Adds an algorithm to the end of a proposal list, only if the algorithm is
  39 + * not already present.
  40 + */
  41 +static char *
  42 +append_proposal(char *proposal, const char *append)
  43 +{
  44 +       struct sshbuf *b;
  45 +       char *fix_prop;
  46 +
  47 +       if (strstr(proposal, append) != NULL)
  48 +               return proposal;
  49 +       if ((b = sshbuf_new()) == NULL)
  50 +               fatal("sshbuf_new()");
  51 +       sshbuf_put(b, proposal, strlen(proposal));
  52 +       if (sshbuf_len(b) > 0)
  53 +               sshbuf_put(b, ",", 1);
  54 +       sshbuf_put(b, append, strlen(append));
  55 +       sshbuf_put(b, "\0", 1);
  56 +       fix_prop = sshbuf_dup_string(b);
  57 +       sshbuf_free(b);
  58 +
  59 +       return fix_prop;
  60 +}
  61 +
  62  /* Always returns pointer to allocated memory, caller must free. */
  63  char *
  64  compat_kex_proposal(struct ssh *ssh, const char *p)
  65 @@ -185,6 +215,8 @@
  66                     "diffie-hellman-group-exchange-sha256,"
  67                     "diffie-hellman-group-exchange-sha1")) == NULL)
  68                         fatal("match_filter_denylist failed");
  69 +               p = append_proposal(p, "diffie-hellman-group14-sha1");
  70 +               p = append_proposal(p, "diffie-hellman-group1-sha1");
  71                 free(cp);
  72                 cp = cp2;
  73         }