-rw-r--r--algo.h1
-rw-r--r--cli-runopts.c4
-rw-r--r--common-algo.c6
-rw-r--r--common-kex.c22
-rw-r--r--options.h5
-rw-r--r--runopts.h6
-rw-r--r--svr-runopts.c8
7 files changed, 42 insertions, 10 deletions
diff --git a/algo.h b/algo.h
index 955864b..1758c51 100644
--- a/algo.h
+++ b/algo.h
@@ -51,6 +51,7 @@ extern algo_type sshhostkey[];
extern algo_type sshciphers[];
extern algo_type sshhashes[];
extern algo_type ssh_compress[];
+extern algo_type ssh_delaycompress[];
extern algo_type ssh_nocompress[];
extern const struct dropbear_cipher dropbear_nocipher;
diff --git a/cli-runopts.c b/cli-runopts.c
index 11c6890..467776b 100644
--- a/cli-runopts.c
+++ b/cli-runopts.c
@@ -156,7 +156,7 @@ void cli_getopts(int argc, char ** argv) {
cli_opts.proxycmd = NULL;
#endif
#ifndef DISABLE_ZLIB
- opts.enable_compress = 1;
+ opts.compress_mode = DROPBEAR_COMPRESS_ON;
#endif
#ifdef ENABLE_USER_ALGO_LIST
opts.cipher_list = NULL;
@@ -609,7 +609,7 @@ static void parse_multihop_hostname(const char* orighostarg, const char* argv0)
passthrough_args, remainder);
#ifndef DISABLE_ZLIB
/* The stream will be incompressible since it's encrypted. */
- opts.enable_compress = 0;
+ opts.compress_mode = DROPBEAR_COMPRESS_OFF;
#endif
m_free(passthrough_args);
}
diff --git a/common-algo.c b/common-algo.c
index 95c53f4..9abc330 100644
--- a/common-algo.c
+++ b/common-algo.c
@@ -205,6 +205,12 @@ algo_type ssh_compress[] = {
{"none", DROPBEAR_COMP_NONE, NULL, 1, NULL},
{NULL, 0, NULL, 0, NULL}
};
+
+algo_type ssh_delaycompress[] = {
+ {"zlib@openssh.com", DROPBEAR_COMP_ZLIB_DELAY, NULL, 1, NULL},
+ {"none", DROPBEAR_COMP_NONE, NULL, 1, NULL},
+ {NULL, 0, NULL, 0, NULL}
+};
#endif
algo_type ssh_nocompress[] = {
diff --git a/common-kex.c b/common-kex.c
index 65746a2..7d93708 100644
--- a/common-kex.c
+++ b/common-kex.c
@@ -238,14 +238,24 @@ void recv_msg_newkeys() {
void kexfirstinitialise() {
ses.kexstate.donefirstkex = 0;
-#ifndef DISABLE_ZLIB
- if (opts.enable_compress) {
- ses.compress_algos = ssh_compress;
- } else
-#endif
+#ifdef DISABLE_ZLIB
+ ses.compress_algos = ssh_nocompress;
+#else
+ switch (opts.compress_mode)
{
- ses.compress_algos = ssh_nocompress;
+ case DROPBEAR_COMPRESS_DELAYED:
+ ses.compress_algos = ssh_delaycompress;
+ break;
+
+ case DROPBEAR_COMPRESS_ON:
+ ses.compress_algos = ssh_compress;
+ break;
+
+ case DROPBEAR_COMPRESS_OFF:
+ ses.compress_algos = ssh_nocompress;
+ break;
}
+#endif
kexinitialise();
}
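Review bot: The switch on opts.compress_mode at L78 has no default case, so a value outside the three enumerators leaves ses.compress_algos untouched — on a fresh session that is whatever the zeroed or stale struct held, and the old code (L71-L73) always fell through to ssh_nocompress. Nothing here is gated on the server build, so DROPBEAR_COMPRESS_DELAYED (marked "Server only" in runopts.h) is reachable from the client path too if it is ever set there; a fail-closed default keeps the pre-change behaviour, `default: ses.compress_algos = ssh_nocompress; break;`. It is also worth a comment on the DELAYED arm that the security benefit depends on the code that actually turns on zlib (not in this hunk) refusing to do so before userauth succeeds, e.g. `/* zlib@openssh.com: compression must only be started after successful auth */`.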
diff --git a/options.h b/options.h
index 644ec72..6339b0a 100644
--- a/options.h
+++ b/options.h
@@ -174,6 +174,11 @@ much traffic. */
#define DROPBEAR_ZLIB_WINDOW_BITS 15
#endif
+/* Server won't allow zlib compression until after authentication. Prevents
+ flaws in the zlib library being unauthenticated exploitable flaws.
+ Some old ssh clients may not support the alternative zlib@openssh.com method */
+#define DROPBEAR_SERVER_DELAY_ZLIB 1
+
/* Whether to do reverse DNS lookups. */
/*#define DO_HOST_LOOKUP */
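Review bot: `#define DROPBEAR_SERVER_DELAY_ZLIB 1` at L106 is unconditional, unlike the DROPBEAR_ZLIB_WINDOW_BITS setting just above it whose `#endif` at L102 suggests an `#ifndef` override guard, so a build cannot turn delayed compression off from CFLAGS or a local options file without editing this header. Wrapping it as `#ifndef DROPBEAR_SERVER_DELAY_ZLIB` / `#define DROPBEAR_SERVER_DELAY_ZLIB 1` / `#endif` matches the surrounding style, and svr-runopts.c's `#if DROPBEAR_SERVER_DELAY_ZLIB` already handles a 0 override. The comment at L103-L105 could also say what the mechanism is rather than only the goal, e.g. `/* Server only offers zlib@openssh.com, which starts compressing after userauth succeeds, so a zlib bug cannot be reached pre-authentication. Old clients that only know "zlib" will fall back to no compression. */`.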
diff --git a/runopts.h b/runopts.h
index d0b6613..8756716 100644
--- a/runopts.h
+++ b/runopts.h
@@ -44,7 +44,11 @@ typedef struct runopts {
/* TODO: add a commandline flag. Currently this is on by default if compression
* is compiled in, but disabled for a client's non-final multihop stages. (The
* intermediate stages are compressed streams, so are uncompressible. */
- int enable_compress;
+ enum {
+ DROPBEAR_COMPRESS_DELAYED, /* Server only */
+ DROPBEAR_COMPRESS_ON,
+ DROPBEAR_COMPRESS_OFF,
+ } compress_mode;
#endif
#ifdef ENABLE_USER_ALGO_LIST
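Review bot: DROPBEAR_COMPRESS_DELAYED is the enum's zero value (first enumerator at L120), so any runopts that is zero-initialised, or a code path that never assigns compress_mode, silently gets the server-only delayed mode — on the client too. Listing the safe state first, `DROPBEAR_COMPRESS_OFF, DROPBEAR_COMPRESS_ON, DROPBEAR_COMPRESS_DELAYED /* Server only */`, makes the unset case fail closed; the only consumer visible in this diff is the switch in common-kex.c, which does not depend on the numeric values. The TODO comment above at L115-L117 still says compression is "on by default if compression is compiled in", which the server side of this change no longer matches; the struct runopts definition continues outside the hunk.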
diff --git a/svr-runopts.c b/svr-runopts.c
index 1360813..09fc9af 100644
--- a/svr-runopts.c
+++ b/svr-runopts.c
@@ -140,9 +140,15 @@ void svr_getopts(int argc, char ** argv) {
#ifdef ENABLE_SVR_REMOTETCPFWD
svr_opts.noremotetcp = 0;
#endif
+
#ifndef DISABLE_ZLIB
- opts.enable_compress = 1;
+#if DROPBEAR_SERVER_DELAY_ZLIB
+ opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
+#else
+ opts.compress_mode = DROPBEAR_COMPRESS_ON;
#endif
+#endif
+
/* not yet
opts.ipv4 = 1;
opts.ipv6 = 1;