CVS commit: [netbsd-5-0] src/crypto/dist/ssh

2012-01-27 Thread Jeff Rizzo 
Module Name:src
Committed By:   riz
Date:   Fri Jan 27 19:32:10 UTC 2012

Modified Files:
src/crypto/dist/ssh [netbsd-5-0]: auth-options.c

Log Message:
Pull up following revision(s) (requested by drochner in ticket #1717):
crypto/dist/ssh/auth-options.c  patch

Prevent minor information disclosure in ssh.
[drochner, ticket #1717]


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.9.12.1 src/crypto/dist/ssh/auth-options.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ssh/auth-options.c
diff -u src/crypto/dist/ssh/auth-options.c:1.9 src/crypto/dist/ssh/auth-options.c:1.9.12.1
--- src/crypto/dist/ssh/auth-options.c:1.9	Sun Apr  6 23:38:19 2008
+++ src/crypto/dist/ssh/auth-options.c	Fri Jan 27 19:32:10 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: auth-options.c,v 1.9 2008/04/06 23:38:19 christos Exp $	*/
+/*	$NetBSD: auth-options.c,v 1.9.12.1 2012/01/27 19:32:10 riz Exp $	*/
 /* $OpenBSD: auth-options.c,v 1.41 2008/03/26 21:28:14 djm Exp $ */
 /*
  * Author: Tatu Ylonen y...@cs.hut.fi
@@ -12,7 +12,7 @@
  */
 
 #include includes.h
-__RCSID($NetBSD: auth-options.c,v 1.9 2008/04/06 23:38:19 christos Exp $);
+__RCSID($NetBSD: auth-options.c,v 1.9.12.1 2012/01/27 19:32:10 riz Exp $);
 #include sys/types.h
 
 #include netdb.h
@@ -156,7 +156,7 @@ auth_parse_options(struct passwd *pw, ch
 goto bad_option;
 			}
 			forced_command[i] = '\0';
-			auth_debug_add(Forced command: %.900s, forced_command);
+			auth_debug_add(Forced command.);
 			opts++;
 			goto next_option;
 		}

CVS commit: [netbsd-5-0] src/crypto/dist/ssh

2009-06-29 Thread Soren Jacobsen 
Module Name:src
Committed By:   snj
Date:   Mon Jun 29 23:01:24 UTC 2009

Modified Files:
src/crypto/dist/ssh [netbsd-5-0]: cipher.c cipher.h packet.c

Log Message:
Pull up following revision(s) (requested by tonnerre in ticket #843):
crypto/dist/ssh/cipher.c: revision 1.22
crypto/dist/ssh/cipher.h: revision 1.3
crypto/dist/ssh/packet.c: revision 1.32
Add special handling for CBC cipher modes to make them appear less favorable
than CTR modes. Also, in order to avoid creating oracles unnecessarily,
change behavior in various situations from Drop connection to Ignore
packets up to 256kB. This affects CBC mode ciphers only.
Patch from OpenBSD.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.8.1 src/crypto/dist/ssh/cipher.c
cvs rdiff -u -r1.2 -r1.2.28.1 src/crypto/dist/ssh/cipher.h
cvs rdiff -u -r1.30 -r1.30.8.1 src/crypto/dist/ssh/packet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ssh/cipher.c
diff -u src/crypto/dist/ssh/cipher.c:1.21 src/crypto/dist/ssh/cipher.c:1.21.8.1
--- src/crypto/dist/ssh/cipher.c:1.21	Mon Jun 23 14:51:31 2008
+++ src/crypto/dist/ssh/cipher.c	Mon Jun 29 23:01:24 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: cipher.c,v 1.21 2008/06/23 14:51:31 christos Exp $	*/
+/*	$NetBSD: cipher.c,v 1.21.8.1 2009/06/29 23:01:24 snj Exp $	*/
 /* $OpenBSD: cipher.c,v 1.81 2006/08/03 03:34:42 deraadt Exp $ */
 /*
  * Author: Tatu Ylonen y...@cs.hut.fi
@@ -37,7 +37,7 @@
  */
 
 #include includes.h
-__RCSID($NetBSD: cipher.c,v 1.21 2008/06/23 14:51:31 christos Exp $);
+__RCSID($NetBSD: cipher.c,v 1.21.8.1 2009/06/29 23:01:24 snj Exp $);
 #include sys/types.h
 
 #include openssl/md5.h
@@ -62,38 +62,39 @@
 	u_int	block_size;
 	u_int	key_len;
 	u_int	discard_len;
+	u_int	cbc_mode;
 	const EVP_CIPHER	*(*evptype)(void);
 } ciphers[] = {
-	{ none,		SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null },
-	{ des,		SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc },
-	{ 3des,		SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des },
-	{ blowfish,		SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf },
-
-	{ 3des-cbc,		SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc },
-	{ blowfish-cbc,	SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc },
-	{ cast128-cbc,	SSH_CIPHER_SSH2, 8, 16, 0, EVP_cast5_cbc },
-	{ arcfour,		SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 },
-	{ arcfour128,		SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 },
-	{ arcfour256,		SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 },
-	{ aes128-cbc,		SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc },
-	{ aes192-cbc,		SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc },
-	{ aes256-cbc,		SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
+	{ none,		SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
+	{ des,		SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
+	{ 3des,		SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
+	{ blowfish,		SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, evp_ssh1_bf },
+
+	{ 3des-cbc,		SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc },
+	{ blowfish-cbc,	SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_bf_cbc },
+	{ cast128-cbc,	SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_cast5_cbc },
+	{ arcfour,		SSH_CIPHER_SSH2, 8, 16, 0, 0, EVP_rc4 },
+	{ arcfour128,		SSH_CIPHER_SSH2, 8, 16, 1536, 0, EVP_rc4 },
+	{ arcfour256,		SSH_CIPHER_SSH2, 8, 32, 1536, 0, EVP_rc4 },
+	{ aes128-cbc,		SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc },
+	{ aes192-cbc,		SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc },
+	{ aes256-cbc,		SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
 	{ rijndael-...@lysator.liu.se,
-SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
+SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
 #ifdef AES_CTR_MT
-	{ aes128-ctr,		SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_ctr_mt },
-	{ aes192-ctr,		SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_ctr_mt },
-	{ aes256-ctr,		SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_ctr_mt },
+	{ aes128-ctr,		SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_ctr_mt },
+	{ aes192-ctr,		SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_ctr_mt },
+	{ aes256-ctr,		SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_ctr_mt },
 #else
-	{ aes128-ctr,		SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr },
-	{ aes192-ctr,		SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_128_ctr },
-	{ aes256-ctr,		SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_128_ctr },
+	{ aes128-ctr,		SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr },
+	{ aes192-ctr,		SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr },
+	{ aes256-ctr,		SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr },
 #endif
 #ifdef ACSS
-	{ a...@openssh.org,	SSH_CIPHER_SSH2, 16, 5, 0, EVP_acss },
+	{ a...@openssh.org,	SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss },
 #endif
 
-	{ NULL,			SSH_CIPHER_INVALID, 0, 0, 0, NULL }
+	{ NULL,			SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }
 };
 
 #ifndef ACSS
@@ -121,6 +122,12 @@
 }
 
 u_int
+cipher_is_cbc(const Cipher *c)
+{
+	return (c-cbc_mode);
+}
+
+u_int
 cipher_mask_ssh1(int client)
 {
 	u_int mask = 0;

Index: src/crypto/dist/ssh/cipher.h
diff -u src/crypto/dist/ssh/cipher.h:1.2 src/crypto/dist/ssh/cipher.h:1.2.28.1
---