CVS commit: [netbsd-5] src/crypto/dist/ssh
Module Name:src Committed By: riz Date: Fri Jan 27 19:31:37 UTC 2012 Modified Files: src/crypto/dist/ssh [netbsd-5]: auth-options.c Log Message: Pull up following revision(s) (requested by drochner in ticket #1717): crypto/dist/ssh/auth-options.c patch Prevent minor information disclosure in ssh. [drochner, ticket #1717] To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.9.8.1 src/crypto/dist/ssh/auth-options.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ssh/auth-options.c diff -u src/crypto/dist/ssh/auth-options.c:1.9 src/crypto/dist/ssh/auth-options.c:1.9.8.1 --- src/crypto/dist/ssh/auth-options.c:1.9 Sun Apr 6 23:38:19 2008 +++ src/crypto/dist/ssh/auth-options.c Fri Jan 27 19:31:37 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: auth-options.c,v 1.9 2008/04/06 23:38:19 christos Exp $ */ +/* $NetBSD: auth-options.c,v 1.9.8.1 2012/01/27 19:31:37 riz Exp $ */ /* $OpenBSD: auth-options.c,v 1.41 2008/03/26 21:28:14 djm Exp $ */ /* * Author: Tatu Ylonen y...@cs.hut.fi @@ -12,7 +12,7 @@ */ #include includes.h -__RCSID($NetBSD: auth-options.c,v 1.9 2008/04/06 23:38:19 christos Exp $); +__RCSID($NetBSD: auth-options.c,v 1.9.8.1 2012/01/27 19:31:37 riz Exp $); #include sys/types.h #include netdb.h @@ -156,7 +156,7 @@ auth_parse_options(struct passwd *pw, ch goto bad_option; } forced_command[i] = '\0'; - auth_debug_add(Forced command: %.900s, forced_command); + auth_debug_add(Forced command.); opts++; goto next_option; }
CVS commit: [netbsd-5] src/crypto/dist/ssh
Module Name:src Committed By: riz Date: Sat Nov 20 18:27:50 UTC 2010 Modified Files: src/crypto/dist/ssh [netbsd-5]: misc.c Log Message: Pull up following revision(s) (requested by jnemeth in ticket #1392): crypto/external/bsd/openssh/dist/misc.c: revision 1.3 Fix tunnelling (ssh -w). The kernel expects a device to be passed to the socked, not a path. To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.22.4.1 src/crypto/dist/ssh/misc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ssh/misc.c diff -u src/crypto/dist/ssh/misc.c:1.22 src/crypto/dist/ssh/misc.c:1.22.4.1 --- src/crypto/dist/ssh/misc.c:1.22 Wed Sep 17 15:45:50 2008 +++ src/crypto/dist/ssh/misc.c Sat Nov 20 18:27:50 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: misc.c,v 1.22 2008/09/17 15:45:50 christos Exp $ */ +/* $NetBSD: misc.c,v 1.22.4.1 2010/11/20 18:27:50 riz Exp $ */ /* $OpenBSD: misc.c,v 1.67 2008/01/01 08:47:04 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -26,7 +26,7 @@ */ #include includes.h -__RCSID($NetBSD: misc.c,v 1.22 2008/09/17 15:45:50 christos Exp $); +__RCSID($NetBSD: misc.c,v 1.22.4.1 2010/11/20 18:27:50 riz Exp $); #include sys/types.h #include sys/ioctl.h #include sys/socket.h @@ -680,6 +680,7 @@ debug(%s: %s mode %d fd %d, __func__, ifr.ifr_name, mode, fd); /* Set the tunnel device operation mode */ + snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), %s%d, tunbase, tun); if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) goto failed;
CVS commit: [netbsd-5] src/crypto/dist/ssh
Module Name:src Committed By: snj Date: Thu May 20 05:25:30 UTC 2010 Modified Files: src/crypto/dist/ssh [netbsd-5]: ssh_config ssh_config.5 sshd_config.5 Log Message: Pull up following revision(s) (requested by drochner in ticket #1384): crypto/external/bsd/openssh/dist/ssh_config.5: revision 1.3 via patch crypto/external/bsd/openssh/dist/sshd_config.5: revision 1.4 via patch crypto/external/bsd/openssh/dist/ssh_config: revision 1.3 via patch Don't mention umac...@openssh.com MAC algorithm which is not enabled in our SSH client and daemon as it causes crashes on architectures which strict aligment requirements (e.g. NetBSD/sparc64). This fixes PR bin/43221 by myself. To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.14.6.1 src/crypto/dist/ssh/ssh_config cvs rdiff -u -r1.16 -r1.16.8.1 src/crypto/dist/ssh/ssh_config.5 cvs rdiff -u -r1.15 -r1.15.8.1 src/crypto/dist/ssh/sshd_config.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ssh/ssh_config diff -u src/crypto/dist/ssh/ssh_config:1.14 src/crypto/dist/ssh/ssh_config:1.14.6.1 --- src/crypto/dist/ssh/ssh_config:1.14 Fri Apr 25 15:01:45 2008 +++ src/crypto/dist/ssh/ssh_config Thu May 20 05:25:30 2010 @@ -1,4 +1,4 @@ -# $NetBSD: ssh_config,v 1.14 2008/04/25 15:01:45 jmmv Exp $ +# $NetBSD: ssh_config,v 1.14.6.1 2010/05/20 05:25:30 snj Exp $ # $OpenBSD: ssh_config,v 1.23 2007/06/08 04:40:40 pvalchev Exp $ # This is the ssh client system-wide configuration file. See @@ -39,7 +39,7 @@ # Protocol 2,1 # Cipher 3des # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc -# MACs hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160 +# MACs hmac-md5,hmac-sha1,hmac-ripemd160 # EscapeChar ~ # Tunnel no # TunnelDevice any:any Index: src/crypto/dist/ssh/ssh_config.5 diff -u src/crypto/dist/ssh/ssh_config.5:1.16 src/crypto/dist/ssh/ssh_config.5:1.16.8.1 --- src/crypto/dist/ssh/ssh_config.5:1.16 Sun Apr 6 23:38:20 2008 +++ src/crypto/dist/ssh/ssh_config.5 Thu May 20 05:25:30 2010 @@ -1,4 +1,4 @@ -.\ $NetBSD: ssh_config.5,v 1.16 2008/04/06 23:38:20 christos Exp $ +.\ $NetBSD: ssh_config.5,v 1.16.8.1 2010/05/20 05:25:30 snj Exp $ .\ -*- nroff -*- .\ .\ Author: Tatu Ylonen y...@cs.hut.fi @@ -651,7 +651,7 @@ Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent -hmac-md5,hmac-sha1,umac...@openssh.com, +hmac-md5,hmac-sha1, hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .Ed .It Cm NoHostAuthenticationForLocalhost Index: src/crypto/dist/ssh/sshd_config.5 diff -u src/crypto/dist/ssh/sshd_config.5:1.15 src/crypto/dist/ssh/sshd_config.5:1.15.8.1 --- src/crypto/dist/ssh/sshd_config.5:1.15 Sun Apr 6 23:38:20 2008 +++ src/crypto/dist/ssh/sshd_config.5 Thu May 20 05:25:30 2010 @@ -1,4 +1,4 @@ -.\ $NetBSD: sshd_config.5,v 1.15 2008/04/06 23:38:20 christos Exp $ +.\ $NetBSD: sshd_config.5,v 1.15.8.1 2010/05/20 05:25:30 snj Exp $ .\ -*- nroff -*- .\ .\ Author: Tatu Ylonen y...@cs.hut.fi @@ -538,7 +538,7 @@ Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent -hmac-md5,hmac-sha1,umac...@openssh.com, +hmac-md5,hmac-sha1, hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .Ed .It Cm Match
CVS commit: [netbsd-5] src/crypto/dist/ssh
Module Name:src Committed By: snj Date: Mon Jun 29 22:58:38 UTC 2009 Modified Files: src/crypto/dist/ssh [netbsd-5]: cipher.c cipher.h packet.c Log Message: Pull up following revision(s) (requested by tonnerre in ticket #843): crypto/dist/ssh/cipher.c: revision 1.22 crypto/dist/ssh/cipher.h: revision 1.3 crypto/dist/ssh/packet.c: revision 1.32 Add special handling for CBC cipher modes to make them appear less favorable than CTR modes. Also, in order to avoid creating oracles unnecessarily, change behavior in various situations from Drop connection to Ignore packets up to 256kB. This affects CBC mode ciphers only. Patch from OpenBSD. To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.21.4.1 src/crypto/dist/ssh/cipher.c cvs rdiff -u -r1.2 -r1.2.24.1 src/crypto/dist/ssh/cipher.h cvs rdiff -u -r1.30 -r1.30.4.1 src/crypto/dist/ssh/packet.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ssh/cipher.c diff -u src/crypto/dist/ssh/cipher.c:1.21 src/crypto/dist/ssh/cipher.c:1.21.4.1 --- src/crypto/dist/ssh/cipher.c:1.21 Mon Jun 23 14:51:31 2008 +++ src/crypto/dist/ssh/cipher.c Mon Jun 29 22:58:38 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: cipher.c,v 1.21 2008/06/23 14:51:31 christos Exp $ */ +/* $NetBSD: cipher.c,v 1.21.4.1 2009/06/29 22:58:38 snj Exp $ */ /* $OpenBSD: cipher.c,v 1.81 2006/08/03 03:34:42 deraadt Exp $ */ /* * Author: Tatu Ylonen y...@cs.hut.fi @@ -37,7 +37,7 @@ */ #include includes.h -__RCSID($NetBSD: cipher.c,v 1.21 2008/06/23 14:51:31 christos Exp $); +__RCSID($NetBSD: cipher.c,v 1.21.4.1 2009/06/29 22:58:38 snj Exp $); #include sys/types.h #include openssl/md5.h @@ -62,38 +62,39 @@ u_int block_size; u_int key_len; u_int discard_len; + u_int cbc_mode; const EVP_CIPHER *(*evptype)(void); } ciphers[] = { - { none, SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null }, - { des, SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc }, - { 3des, SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des }, - { blowfish, SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf }, - - { 3des-cbc, SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc }, - { blowfish-cbc, SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc }, - { cast128-cbc, SSH_CIPHER_SSH2, 8, 16, 0, EVP_cast5_cbc }, - { arcfour, SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 }, - { arcfour128, SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 }, - { arcfour256, SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 }, - { aes128-cbc, SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc }, - { aes192-cbc, SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc }, - { aes256-cbc, SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc }, + { none, SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null }, + { des, SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc }, + { 3des, SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, + { blowfish, SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, evp_ssh1_bf }, + + { 3des-cbc, SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc }, + { blowfish-cbc, SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_bf_cbc }, + { cast128-cbc, SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_cast5_cbc }, + { arcfour, SSH_CIPHER_SSH2, 8, 16, 0, 0, EVP_rc4 }, + { arcfour128, SSH_CIPHER_SSH2, 8, 16, 1536, 0, EVP_rc4 }, + { arcfour256, SSH_CIPHER_SSH2, 8, 32, 1536, 0, EVP_rc4 }, + { aes128-cbc, SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc }, + { aes192-cbc, SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc }, + { aes256-cbc, SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, { rijndael-...@lysator.liu.se, -SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc }, +SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, #ifdef AES_CTR_MT - { aes128-ctr, SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_ctr_mt }, - { aes192-ctr, SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_ctr_mt }, - { aes256-ctr, SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_ctr_mt }, + { aes128-ctr, SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_ctr_mt }, + { aes192-ctr, SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_ctr_mt }, + { aes256-ctr, SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_ctr_mt }, #else - { aes128-ctr, SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr }, - { aes192-ctr, SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_128_ctr }, - { aes256-ctr, SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_128_ctr }, + { aes128-ctr, SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr }, + { aes192-ctr, SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr }, + { aes256-ctr, SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr }, #endif #ifdef ACSS - { a...@openssh.org, SSH_CIPHER_SSH2, 16, 5, 0, EVP_acss }, + { a...@openssh.org, SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss }, #endif - { NULL, SSH_CIPHER_INVALID, 0, 0, 0, NULL } + { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } }; #ifndef ACSS @@ -121,6 +122,12 @@ } u_int +cipher_is_cbc(const Cipher *c) +{ + return (c-cbc_mode); +} + +u_int cipher_mask_ssh1(int client) { u_int mask = 0; Index: src/crypto/dist/ssh/cipher.h diff -u src/crypto/dist/ssh/cipher.h:1.2 src/crypto/dist/ssh/cipher.h:1.2.24.1 ---