? openbsd43_5.1.patch Index: auth2-jpake.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth2-jpake.c,v retrieving revision 1.2 diff -u -p -u -p -r1.2 auth2-jpake.c --- auth2-jpake.c 7 Nov 2008 23:34:48 -0000 1.2 +++ auth2-jpake.c 23 Feb 2009 01:21:09 -0000 @@ -57,6 +57,8 @@ #include "jpake.h" +extern const EVP_MD *evp_ssh_sha256(void); + /* * XXX options->permit_empty_passwd (at the moment, they will be refused * anyway because they will mismatch on fake salt. @@ -164,7 +166,7 @@ derive_rawsalt(const char *username, u_c default: fatal("%s: unknown key type %d", __func__, k->type); } - if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(), + if (hash_buffer(buffer_ptr(&b), buffer_len(&b), evp_ssh_sha256(), &digest, &digest_len) != 0) fatal("%s: hash_buffer", __func__); buffer_free(&b); @@ -343,7 +345,7 @@ auth2_jpake_get_pwdata(Authctxt *authctx fake_salt_and_scheme(authctxt, salt, hash_scheme); if (hash_buffer(authctxt->pw->pw_passwd, - strlen(authctxt->pw->pw_passwd), EVP_sha256(), + strlen(authctxt->pw->pw_passwd), evp_ssh_sha256(), &secret, &secret_len) != 0) fatal("%s: hash_buffer", __func__); if ((*s = BN_bin2bn(secret, secret_len, NULL)) == NULL) Index: jpake.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/jpake.c,v retrieving revision 1.1 diff -u -p -u -p -r1.1 jpake.c --- jpake.c 4 Nov 2008 08:22:12 -0000 1.1 +++ jpake.c 23 Feb 2009 01:21:09 -0000 @@ -43,11 +43,14 @@ #include "packet.h" #include "dispatch.h" #include "log.h" +#include "misc.h" #include "jpake.h" #ifdef JPAKE +extern const EVP_MD *evp_ssh_sha256(void); + /* RFC3526 group 5, 1536 bits */ #define JPAKE_GROUP_G "2" #define JPAKE_GROUP_P \ 
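Review bot: The `extern const EVP_MD *evp_ssh_sha256(void);` prototype added in the first auth2-jpake.c hunk is repeated verbatim in jpake.c (this page), kex.c, schnorr.c and sshconnect2.c by the same patch, so a signature change later has five separate places to drift from the definition in md-sha256.c. Since the jpake.c hunk already adds `#include "misc.h"` and misc.h is being extended anyway, a single `const EVP_MD *evp_ssh_sha256(void);` declaration there (next to the arc4random prototypes) would replace all five per-file externs. The JPAKE salt derivation and password hashing that call `hash_buffer(..., evp_ssh_sha256(), ...)` depend on the wrapper producing standard SHA-256 output, so a one-line comment at the declaration saying it is a drop-in for `EVP_sha256()` on a libcrypto that lacks it would document why the substitution is safe.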
@@ -486,7 +489,7 @@ jpake_confirm_hash(const BIGNUM *k, buffer_put_bignum2(&b, k); buffer_put_string(&b, endpoint_id, endpoint_id_len); buffer_put_string(&b, sess_id, sess_id_len); - if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(), + if (hash_buffer(buffer_ptr(&b), buffer_len(&b), evp_ssh_sha256(), confirm_hash, confirm_hash_len) != 0) fatal("%s: hash_buffer", __func__); buffer_free(&b); Index: kex.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/kex.c,v retrieving revision 1.80 diff -u -p -u -p -r1.80 kex.c --- kex.c 6 Sep 2008 12:24:13 -0000 1.80 +++ kex.c 23 Feb 2009 01:21:09 -0000 @@ -52,6 +52,8 @@ static void kex_kexinit_finish(Kex *); static void kex_choose_conf(Kex *); +extern const EVP_MD *evp_ssh_sha256(void); + /* put algorithm proposal into buffer */ static void kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX]) @@ -313,7 +315,7 @@ choose_kex(Kex *k, char *client, char *s k->evp_md = EVP_sha1(); } else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) { k->kex_type = KEX_DH_GEX_SHA256; - k->evp_md = EVP_sha256(); + k->evp_md = evp_ssh_sha256(); } else fatal("bad kex alg %s", k->name); } Index: md-sha256.c =================================================================== RCS file: md-sha256.c diff -N md-sha256.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ md-sha256.c 23 Feb 2009 01:21:09 -0000 
@@ -0,0 +1,73 @@
+/* $OpenBSD: md-sha256.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */
+/*
+ * Copyright (c) 2005 Damien Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* EVP wrapper for SHA256 */
+
+#include
+
+#include
+
+#include
+#include
+
+const EVP_MD *evp_ssh_sha256(void);
+
+static int
+ssh_sha256_init(EVP_MD_CTX *ctxt)
+{
+ SHA256_Init(ctxt->md_data);
+ return (1);
+}
+
+static int
+ssh_sha256_update(EVP_MD_CTX *ctxt, const void *data, unsigned long len)
+{
+ SHA256_Update(ctxt->md_data, data, len);
+ return (1);
+}
+
+static int
+ssh_sha256_final(EVP_MD_CTX *ctxt, unsigned char *digest)
+{
+ SHA256_Final(digest, ctxt->md_data);
+ return (1);
+}
+
+static int
+ssh_sha256_cleanup(EVP_MD_CTX *ctxt)
+{
+ memset(ctxt->md_data, 0, sizeof(SHA256_CTX));
+ return (1);
+}
+
+const EVP_MD *
+evp_ssh_sha256(void)
+{
+ static EVP_MD ssh_sha256;
+
+ memset(&ssh_sha256, 0, sizeof(ssh_sha256));
+ ssh_sha256.type = NID_undef;
+ ssh_sha256.md_size = SHA256_DIGEST_LENGTH;
+ ssh_sha256.init = ssh_sha256_init;
+ ssh_sha256.update = ssh_sha256_update;
+ ssh_sha256.final = ssh_sha256_final;
+ ssh_sha256.cleanup = ssh_sha256_cleanup;
+ ssh_sha256.block_size = SHA256_BLOCK_LENGTH;
+ ssh_sha256.ctx_size = sizeof(SHA256_CTX);
+
+ return (&ssh_sha256);
+}
Index: misc.c
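Review bot: The four `#include` lines near the top of this new file carry no header names in this copy, so as shown the file cannot build; the identifiers it uses need at least `<string.h>` (memset), `<openssl/evp.h>` (EVP_MD, EVP_MD_CTX, NID_undef) and `<openssl/sha.h>` (SHA256_CTX, SHA256_Init/Update/Final, SHA256_DIGEST_LENGTH) — presumably the angle-bracket targets were stripped when the patch was rendered, so confirm against the original before applying. `evp_ssh_sha256()` also re-runs memset and refills the static `ssh_sha256` on every call even though callers keep the returned pointer inside an EVP_MD_CTX; a one-time guard is cleaner: `static int initialized; if (initialized) return (&ssh_sha256); ... initialized = 1;`. `type = NID_undef` means any code that compares `EVP_MD_type()` against NID_sha256 will not recognise this digest, which is fine for the hash_buffer()/kex uses in this patch but deserves a comment such as `/* NID_undef: usable only via EVP_Digest{Init,Update,Final}, not by NID lookup */`. The `ssh_sha256_update` callback is declared with `unsigned long len`, which must match the EVP_MD.update member of the libcrypto this is built against (later releases use size_t); the widths coincide on OpenBSD but the function-pointer types differ, so expect a warning if the header ever changes.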
===================================================================
RCS file: /cvs/src/usr.bin/ssh/misc.c,v
retrieving revision 1.71
diff -u -p -u -p -r1.71 misc.c
--- misc.c 21 Feb 2009 19:32:04 -0000 1.71
+++ misc.c 23 Feb 2009 01:21:09 -0000
@@ -829,3 +829,64 @@ ms_to_timeval(struct timeval *tv, int ms
 tv->tv_usec = (ms % 1000) * 1000;
 }
 
+/*
+ * Calculate a uniformly distributed random number less than upper_bound
+ * avoiding "modulo bias".
+ *
+ * Uniformity is achieved by generating new random numbers until the one
+ * returned is outside the range [0, 2**32 % upper_bound). This
+ * guarantees the selected random number will be inside
+ * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
+ * after reduction modulo upper_bound.
+ */
+u_int32_t
+arc4random_uniform(u_int32_t upper_bound)
+{
+ u_int32_t r, min;
+
+ if (upper_bound < 2)
+ return 0;
+
+#if (ULONG_MAX > 0xffffffffUL)
+ min = 0x100000000UL % upper_bound;
+#else
+ /* Calculate (2**32 % upper_bound) avoiding 64-bit math */
+ if (upper_bound > 0x80000000)
+ min = 1 + ~upper_bound; /* 2**32 - upper_bound */
+ else {
+ /* (2**32 - (x * 2)) % x == 2**32 % x when x <= 2**31 */
+ min = ((0xffffffff - (upper_bound * 2)) + 1) % upper_bound;
+ }
+#endif
+
+ /*
+ * This could theoretically loop forever but each retry has
+ * p > 0.5 (worst case, usually far better) of selecting a
+ * number inside the range we need, so it should rarely need
+ * to re-roll.
+ */
+ for (;;) {
+ r = arc4random();
+ if (r >= min)
+ break;
+ }
+
+ return r % upper_bound;
+}
+
+void
+arc4random_buf(void *_buf, size_t n)
+{
+ u_char *buf = (u_char *)_buf;
+ size_t i;
+ u_int32_t r;
+
+ for (i = 0; i < n; i++) {
+ if (i % 4 == 0)
+ r = arc4random();
+ buf[i] = r & 0xff;
+ r >>= 8;
+ }
+ r = 0;
+}
+
Index: misc.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/misc.h,v
retrieving revision 1.38
diff -u -p -u -p -r1.38 misc.h
--- misc.h 12 Jun 2008 20:38:28 -0000 1.38
+++ misc.h 23 Feb 2009 01:21:09 -0000
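Review bot: `arc4random_uniform` and `arc4random_buf` are added to misc.c unconditionally (and their prototypes to misc.h), so on any libc that already exports these names this will collide with the system declarations or symbols at link time; since the backport targets OpenBSD 4.3 specifically, a comment above `arc4random_uniform` such as `/* OpenBSD 4.3 libc lacks these; drop when building against a libc that provides them */` would save the next person a confusing failure. `arc4random_uniform` tests `ULONG_MAX`, which needs `<limits.h>` in scope in misc.c — the include block is outside this hunk, so confirm it is there. In `arc4random_buf` the trailing `r = 0;` is a dead store that an optimiser is free to drop, so it does not reliably scrub the leftover random bytes from the stack; if that is the intent, mark it `r = 0; /* best-effort scrub; may be optimised away */`, otherwise remove it. The rejection bound itself checks out: `1 + ~upper_bound` is 2**32 - upper_bound for upper_bound > 2**31, and the `(2**32 - 2x) % x` form equals 2**32 % x for x <= 2**31, matching the header comment.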
@@ -78,6 +78,8 @@ void put_u32(void *, u_int32_t) void put_u16(void *, u_int16_t) __attribute__((__bounded__( __minbytes__, 1, 2))); +u_int32_t arc4random_uniform(u_int32_t); +void arc4random_buf(void *, size_t); /* readpass.c */ Index: monitor_fdpass.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/monitor_fdpass.c,v retrieving revision 1.18 diff -u -p -u -p -r1.18 monitor_fdpass.c --- monitor_fdpass.c 30 Nov 2008 11:59:26 -0000 1.18 +++ monitor_fdpass.c 23 Feb 2009 01:21:09 -0000 @@ -50,7 +50,7 @@ mm_send_fd(int sock, int fd) memset(&msg, 0, sizeof(msg)); msg.msg_control = (caddr_t)&cmsgbuf.buf; - msg.msg_controllen = sizeof(cmsgbuf.buf); + msg.msg_controllen = CMSG_LEN(sizeof(int)); cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_len = CMSG_LEN(sizeof(int)); cmsg->cmsg_level = SOL_SOCKET; @@ -99,7 +99,7 @@ mm_receive_fd(int sock) msg.msg_iov = &vec; msg.msg_iovlen = 1; msg.msg_control = &cmsgbuf.buf; - msg.msg_controllen = sizeof(cmsgbuf.buf); + msg.msg_controllen = CMSG_LEN(sizeof(int)); while ((n = recvmsg(sock, &msg, 0)) == -1 && (errno == EAGAIN || errno == EINTR)) Index: schnorr.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/schnorr.c,v retrieving revision 1.2 diff -u -p -u -p -r1.2 schnorr.c --- schnorr.c 18 Feb 2009 04:31:21 -0000 1.2 +++ schnorr.c 23 Feb 2009 01:21:09 -0000 @@ -55,6 +55,8 @@ # define SCHNORR_DEBUG_BUF(a) jpake_debug3_buf a #endif /* SCHNORR_DEBUG */ +extern const EVP_MD *evp_ssh_sha256(void); + /* * Calculate hash component of Schnorr signature H(g || g^v || g^x || id) * using SHA1. Returns signature as bignum or NULL on error. 
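Review bot: In `mm_receive_fd`, advertising `msg_controllen = CMSG_LEN(sizeof(int))` rather than the full `cmsgbuf.buf` declares the receive buffer smaller than a kernel that pads SCM_RIGHTS to CMSG_SPACE may expect; if the kernel truncates, recvmsg reports MSG_CTRUNC and on some systems the descriptor has by then already been installed in the receiving process, so it leaks into the privsep child without the caller ever learning its number. The remainder of mm_receive_fd is outside this hunk, so I cannot see whether it already tests for this; if it does not, add `if (msg.msg_flags & MSG_CTRUNC) fatal("%s: control message truncated", __func__);` immediately after the recvmsg loop, before CMSG_FIRSTHDR is dereferenced. The send side makes the same CMSG_LEN change, presumably because the 4.3 kernel insists on the exact unpadded length; a one-line comment there saying why `sizeof(cmsgbuf.buf)` was replaced would stop a later upstream merge from silently reverting it.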
@@ -89,7 +91,7 @@ schnorr_hash(const BIGNUM *p, const BIGN SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b), "%s: hashblob", __func__)); - if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(), + if (hash_buffer(buffer_ptr(&b), buffer_len(&b), evp_ssh_sha256(), &digest, &digest_len) != 0) { error("%s: hash_buffer", __func__); goto out; Index: sftp-client.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sftp-client.c,v retrieving revision 1.86 diff -u -p -u -p -r1.86 sftp-client.c --- sftp-client.c 26 Jun 2008 06:10:09 -0000 1.86 +++ sftp-client.c 23 Feb 2009 01:21:09 -0000 @@ -25,7 +25,6 @@ #include #include #include -#include #include #include @@ -278,8 +277,10 @@ get_decode_statvfs(int fd, struct sftp_s flag = buffer_get_int64(&msg); st->f_namemax = buffer_get_int64(&msg); +#if 0 st->f_flag = (flag & SSH2_FXE_STATVFS_ST_RDONLY) ? ST_RDONLY : 0; st->f_flag |= (flag & SSH2_FXE_STATVFS_ST_NOSUID) ? ST_NOSUID : 0; +#endif buffer_free(&msg); Index: sftp-server.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sftp-server.c,v retrieving revision 1.84 diff -u -p -u -p -r1.84 sftp-server.c --- sftp-server.c 26 Jun 2008 06:10:09 -0000 1.84 +++ sftp-server.c 23 Feb 2009 01:21:10 -0000 @@ -20,7 +20,9 @@ #include #include #include +#if 0 #include +#endif #include #include @@ -475,6 +477,7 @@ send_attrib(u_int32_t id, const Attrib * buffer_free(&msg); } +#if 0 static void send_statvfs(u_int32_t id, struct statvfs *st) { @@ -501,6 +504,7 @@ send_statvfs(u_int32_t id, struct statvf send_msg(&msg); buffer_free(&msg); } +#endif /* parse incoming */ 
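Review bot: The line changed here hashes with `evp_ssh_sha256()`, i.e. SHA-256, yet the function's header comment (visible as context in the preceding schnorr.c hunk) still says the Schnorr hash component is computed "using SHA1"; this hash binds the proof to g, g^v, g^x and id, so a wrong statement of the digest is exactly the kind of comment that misleads an auditor. Update it to `* Calculate hash component of Schnorr signature H(g || g^v || g^x || id)` / `* using SHA256. Returns signature as bignum or NULL on error.` The `hash_buffer` failure path (error + goto out) is unchanged and correct; schnorr_hash's body begins before this hunk.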
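Review bot: Wrapping the two `st->f_flag` assignments in `#if 0` leaves `f_flag` untouched in `get_decode_statvfs`, so the caller's `struct sftp_statvfs` keeps whatever that field held beforehand (stack garbage unless the caller zeroes it), while `flag` is still decoded from the message and is now never read, which may draw an unused-variable warning depending on the compiler. Rather than `#if 0`, set the field and explain the gap: `st->f_flag = 0; /* ST_RDONLY/ST_NOSUID not available on this platform; raw bits are in flag */`, so downstream code never observes an uninitialised flag. get_decode_statvfs begins before this hunk.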
@@ -517,12 +521,14 @@ process_init(void) /* POSIX rename extension */ buffer_put_cstring(&msg, "posix-rename@openssh.com"); buffer_put_cstring(&msg, "1"); /* version */ +#if 0 /* statvfs extension */ buffer_put_cstring(&msg, "statvfs@openssh.com"); buffer_put_cstring(&msg, "2"); /* version */ /* fstatvfs extension */ buffer_put_cstring(&msg, "fstatvfs@openssh.com"); buffer_put_cstring(&msg, "2"); /* version */ +#endif send_msg(&msg); buffer_free(&msg); } @@ -1116,6 +1122,7 @@ process_extended_posix_rename(u_int32_t xfree(newpath); } +#if 0 static void process_extended_statvfs(u_int32_t id) { @@ -1151,6 +1158,7 @@ process_extended_fstatvfs(u_int32_t id) else send_statvfs(id, &st); } +#endif static void process_extended(void) @@ -1162,10 +1170,12 @@ process_extended(void) request = get_string(NULL); if (strcmp(request, "posix-rename@openssh.com") == 0) process_extended_posix_rename(id); +#if 0 else if (strcmp(request, "statvfs@openssh.com") == 0) process_extended_statvfs(id); else if (strcmp(request, "fstatvfs@openssh.com") == 0) process_extended_fstatvfs(id); +#endif else send_status(id, SSH2_FX_OP_UNSUPPORTED); /* MUST */ xfree(request); Index: sftp.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sftp.c,v retrieving revision 1.107 diff -u -p -u -p -r1.107 sftp.c --- sftp.c 2 Feb 2009 11:15:14 -0000 1.107 +++ sftp.c 23 Feb 2009 01:21:10 -0000 @@ -21,7 +21,6 @@ #include #include #include -#include #include #include Index: sshconnect2.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sshconnect2.c,v retrieving revision 1.170 diff -u -p -u -p -r1.170 sshconnect2.c --- sshconnect2.c 4 Nov 2008 08:22:13 -0000 1.170 +++ sshconnect2.c 23 Feb 2009 01:21:10 -0000 @@ -72,6 +72,7 @@ extern char *client_version_string; extern char *server_version_string; extern Options options; +extern const EVP_MD *evp_ssh_sha256(void); /* * SSH2 key exchange 
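Review bot: The statvfs/fstatvfs extension is removed with bare `#if 0` regions here and in the process_extended dispatch below, which is behaviourally sound (requests fall through to `send_status(id, SSH2_FX_OP_UNSUPPORTED)` and are no longer advertised in process_init, so a client is never promised an extension that then fails), but five unlabelled `#if 0` blocks across the file give no hint why they exist or when they can come back. A named guard such as `#ifdef HAVE_STATVFS`, with a one-line comment at the first one — `/* OpenBSD 4.3 has no statvfs(2); extension disabled for this backport */` — keeps the disabled code explained and greppable.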
@@ -911,7 +912,7 @@ jpake_password_to_secret(Authctxt *authc debug3("%s: crypted = %s", __func__, crypted); #endif - if (hash_buffer(crypted, strlen(crypted), EVP_sha256(), + if (hash_buffer(crypted, strlen(crypted), evp_ssh_sha256(), &secret, &secret_len) != 0) fatal("%s: hash_buffer", __func__); Index: lib/Makefile =================================================================== RCS file: /cvs/src/usr.bin/ssh/lib/Makefile,v retrieving revision 1.58 diff -u -p -u -p -r1.58 Makefile --- lib/Makefile 4 Nov 2008 08:22:13 -0000 1.58 +++ lib/Makefile 23 Feb 2009 01:21:10 -0000 @@ -12,7 +12,7 @@ SRCS= authfd.c authfile.c bufaux.c bufbn key.c dispatch.c kex.c mac.c uidswap.c uuencode.c misc.c \ ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \ kexdhc.c kexgexc.c scard.c msg.c progressmeter.c dns.c \ - monitor_fdpass.c umac.c addrmatch.c schnorr.c jpake.c + monitor_fdpass.c umac.c addrmatch.c schnorr.c jpake.c md-sha256.c DEBUGLIBS= no NOPROFILE= yes