Disable non-delayed zlib for server

2025-03-03 10:41:39 +00:00 · 2015-01-28 21:38:27 +08:00 · 2015-01-28 21:38:27 +08:00 · a7a79d569a
commit a7a79d569a
parent 6165f53fcd
7 changed files with 42 additions and 10 deletions
--- a/algo.h
+++ b/algo.h
@ -51,6 +51,7 @@ extern algo_type sshhostkey[];
 extern algo_type sshciphers[];
 extern algo_type sshhashes[];
 extern algo_type ssh_compress[];
+extern algo_type ssh_delaycompress[];
 extern algo_type ssh_nocompress[];

 extern const struct dropbear_cipher dropbear_nocipher;
--- a/cli-runopts.c
+++ b/cli-runopts.c
@ -156,7 +156,7 @@ void cli_getopts(int argc, char ** argv) {
 	cli_opts.proxycmd = NULL;
 #endif
 #ifndef DISABLE_ZLIB
-	opts.enable_compress = 1;
+	opts.compress_mode = DROPBEAR_COMPRESS_ON;
 #endif
 #ifdef ENABLE_USER_ALGO_LIST
 	opts.cipher_list = NULL;
@ -609,7 +609,7 @@ static void parse_multihop_hostname(const char* orighostarg, const char* argv0)
 				passthrough_args, remainder);
 #ifndef DISABLE_ZLIB
 		/* The stream will be incompressible since it's encrypted. */
-		opts.enable_compress = 0;
+		opts.compress_mode = DROPBEAR_COMPRESS_OFF;
 #endif
 		m_free(passthrough_args);
 	}
--- a/common-algo.c
+++ b/common-algo.c
@ -205,6 +205,12 @@ algo_type ssh_compress[] = {
 	{"none", DROPBEAR_COMP_NONE, NULL, 1, NULL},
 	{NULL, 0, NULL, 0, NULL}
 };
+
+algo_type ssh_delaycompress[] = {
+	{"zlib@openssh.com", DROPBEAR_COMP_ZLIB_DELAY, NULL, 1, NULL},
+	{"none", DROPBEAR_COMP_NONE, NULL, 1, NULL},
+	{NULL, 0, NULL, 0, NULL}
+};
 #endif

 algo_type ssh_nocompress[] = {
--- a/common-kex.c
+++ b/common-kex.c
@ -238,14 +238,24 @@ void recv_msg_newkeys() {
 void kexfirstinitialise() {
 	ses.kexstate.donefirstkex = 0;

-#ifndef DISABLE_ZLIB
-	if (opts.enable_compress) {
-		ses.compress_algos = ssh_compress;
-	} else
-#endif
-	{
+#ifdef DISABLE_ZLIB
 	ses.compress_algos = ssh_nocompress;
+#else
+	switch (opts.compress_mode)
+	{
+		case DROPBEAR_COMPRESS_DELAYED:
+			ses.compress_algos = ssh_delaycompress;
+			break;
+
+		case DROPBEAR_COMPRESS_ON:
+			ses.compress_algos = ssh_compress;
+			break;
+
+		case DROPBEAR_COMPRESS_OFF:
+			ses.compress_algos = ssh_nocompress;
+			break;
 	}
+#endif
 	kexinitialise();
 }

--- a/options.h
+++ b/options.h
@ -174,6 +174,11 @@ much traffic. */
 #define DROPBEAR_ZLIB_WINDOW_BITS 15 
 #endif

+/* Server won't allow zlib compression until after authentication. Prevents
+   flaws in the zlib library being unauthenticated exploitable flaws.
+   Some old ssh clients may not support the alternative zlib@openssh.com method */
+#define DROPBEAR_SERVER_DELAY_ZLIB 1
+
 /* Whether to do reverse DNS lookups. */
 /*#define DO_HOST_LOOKUP */

--- a/runopts.h
+++ b/runopts.h
@ -44,7 +44,11 @@ typedef struct runopts {
 	/* TODO: add a commandline flag. Currently this is on by default if compression
 	 * is compiled in, but disabled for a client's non-final multihop stages. (The
 	 * intermediate stages are compressed streams, so are uncompressible. */
-	int enable_compress;
+	enum {
+		DROPBEAR_COMPRESS_DELAYED, /* Server only */
+		DROPBEAR_COMPRESS_ON,
+		DROPBEAR_COMPRESS_OFF,
+	} compress_mode;
 #endif

 #ifdef ENABLE_USER_ALGO_LIST
--- a/svr-runopts.c
+++ b/svr-runopts.c
@ -140,9 +140,15 @@ void svr_getopts(int argc, char ** argv) {
 #ifdef ENABLE_SVR_REMOTETCPFWD
 	svr_opts.noremotetcp = 0;
 #endif
+
 #ifndef DISABLE_ZLIB
-	opts.enable_compress = 1;
+#if DROPBEAR_SERVER_DELAY_ZLIB
+	opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
+#else
+	opts.compress_mode = DROPBEAR_COMPRESS_ON;
 #endif
+#endif 
+
 	/* not yet
 	opts.ipv4 = 1;
 	opts.ipv6 = 1;