From 0082fba4efdd492f765ed4c53f0d0fbd3bdbdf7f Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 28 Sep 2016 16:33:06 +0000 Subject: upstream commit Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger. Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@ NB. pre-auth authentication has been disabled by default in sshd for >10 years. Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf --- packet.h | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'packet.h') diff --git a/packet.h b/packet.h index 464d83b1..690f2ec7 100644 --- a/packet.h +++ b/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.71 2016/03/07 19:02:43 djm Exp $ */ +/* $OpenBSD: packet.h,v 1.72 2016/09/28 16:33:07 djm Exp $ */ /* * Author: Tatu Ylonen @@ -120,11 +120,6 @@ void ssh_packet_send_debug(struct ssh *, const char *fmt, ...) __attribute__ int ssh_set_newkeys(struct ssh *, int mode); void ssh_packet_get_bytes(struct ssh *, u_int64_t *, u_int64_t *); -typedef void *(ssh_packet_comp_alloc_func)(void *, u_int, u_int); -typedef void (ssh_packet_comp_free_func)(void *, void *); -void ssh_packet_set_compress_hooks(struct ssh *, void *, - ssh_packet_comp_alloc_func *, ssh_packet_comp_free_func *); - int ssh_packet_write_poll(struct ssh *); int ssh_packet_write_wait(struct ssh *); int ssh_packet_have_data_to_write(struct ssh *); -- cgit v1.2.1