[src/trunk]: src/crypto/external/bsd/openssh/dist patch for OpenSSL-1.1
details: https://anonhg.NetBSD.org/src/rev/500df916eb58
branches: trunk
changeset: 359218:500df916eb58
user: christos <christos%NetBSD.org@localhost>
date: Mon Feb 05 00:13:50 2018 +0000
description:
patch for OpenSSL-1.1
diffstat:
crypto/external/bsd/openssh/dist/auth-pam.c | 7 +-
crypto/external/bsd/openssh/dist/cipher.c | 12 +-
crypto/external/bsd/openssh/dist/cipher.h | 13 +-
crypto/external/bsd/openssh/dist/dh.c | 65 +-
crypto/external/bsd/openssh/dist/dh.h | 4 +-
crypto/external/bsd/openssh/dist/digest-openssl.c | 21 +-
crypto/external/bsd/openssh/dist/kexdhc.c | 24 +-
crypto/external/bsd/openssh/dist/kexdhs.c | 26 +-
crypto/external/bsd/openssh/dist/kexgexc.c | 36 +-
crypto/external/bsd/openssh/dist/kexgexs.c | 40 +-
crypto/external/bsd/openssh/dist/monitor.c | 10 +-
crypto/external/bsd/openssh/dist/ssh-dss.c | 31 +-
crypto/external/bsd/openssh/dist/ssh-ecdsa.c | 33 +-
crypto/external/bsd/openssh/dist/ssh-keygen.c | 88 ++-
crypto/external/bsd/openssh/dist/ssh-pkcs11-client.c | 15 +-
crypto/external/bsd/openssh/dist/ssh-pkcs11.c | 51 +-
crypto/external/bsd/openssh/dist/ssh-rsa.c | 30 +-
crypto/external/bsd/openssh/dist/sshkey.c | 584 +++++++++++++++---
18 files changed, 846 insertions(+), 244 deletions(-)
diffs (truncated from 2061 to 300 lines):
diff -r d392360b5106 -r 500df916eb58 crypto/external/bsd/openssh/dist/auth-pam.c
--- a/crypto/external/bsd/openssh/dist/auth-pam.c Mon Feb 05 00:11:33 2018 +0000
+++ b/crypto/external/bsd/openssh/dist/auth-pam.c Mon Feb 05 00:13:50 2018 +0000
@@ -50,7 +50,7 @@
/*
* NetBSD local changes
*/
-__RCSID("$NetBSD: auth-pam.c,v 1.12 2017/10/07 19:39:19 christos Exp $");
+__RCSID("$NetBSD: auth-pam.c,v 1.13 2018/02/05 00:13:50 christos Exp $");
#undef USE_POSIX_THREADS /* Not yet */
#define HAVE_SECURITY_PAM_APPL_H
#define HAVE_PAM_GETENVLIST
@@ -142,6 +142,11 @@
typedef pthread_t sp_pthread_t;
#else
typedef pid_t sp_pthread_t;
+# undef pthread_exit
+# define pthread_create(a, b, c, d) _ssh_compat_pthread_create(a, b, c, d)
+# define pthread_exit(a) _ssh_compat_pthread_exit(a)
+# define pthread_cancel(a) _ssh_compat_pthread_cancel(a)
+# define pthread_join(a, b) _ssh_compat_pthread_join(a, b)
#endif
struct pam_ctxt {
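Review bot: The added `# undef pthread_exit` has no comment saying which header defines `pthread_exit` as a macro, and the other three names (`pthread_create`, `pthread_cancel`, `pthread_join`) are redefined without a matching `#undef`. If any of those is also a macro on this platform, the build would at least emit redefinition diagnostics. I would either `#undef` all four for symmetry or add a comment such as `/* pthread_exit is a macro here; the others are plain functions */`, once that is confirmed against the system header.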
diff -r d392360b5106 -r 500df916eb58 crypto/external/bsd/openssh/dist/cipher.c
--- a/crypto/external/bsd/openssh/dist/cipher.c Mon Feb 05 00:11:33 2018 +0000
+++ b/crypto/external/bsd/openssh/dist/cipher.c Mon Feb 05 00:13:50 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cipher.c,v 1.11 2017/10/07 19:39:19 christos Exp $ */
+/* $NetBSD: cipher.c,v 1.12 2018/02/05 00:13:50 christos Exp $ */
/* $OpenBSD: cipher.c,v 1.107 2017/05/07 23:12:57 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
@@ -37,7 +37,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: cipher.c,v 1.11 2017/10/07 19:39:19 christos Exp $");
+__RCSID("$NetBSD: cipher.c,v 1.12 2018/02/05 00:13:50 christos Exp $");
#include <sys/types.h>
#include <string.h>
@@ -294,7 +294,9 @@
goto out;
}
}
- if (EVP_CipherInit(cc->evp, NULL, __UNCONST(key), NULL, -1) == 0) {
+ /* in OpenSSL 1.1.0, EVP_CipherInit clears all previous setups;
+ use EVP_CipherInit_ex for augmenting */
+ if (EVP_CipherInit_ex(cc->evp, NULL, NULL, __UNCONST(key), NULL, -1) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
@@ -478,7 +480,7 @@
len, iv))
return SSH_ERR_LIBCRYPTO_ERROR;
} else
- memcpy(iv, cc->evp->iv, len);
+ memcpy(iv, EVP_CIPHER_CTX_iv(cc->evp), len);
#endif
return 0;
}
@@ -506,7 +508,7 @@
EVP_CTRL_GCM_SET_IV_FIXED, -1, __UNCONST(iv)))
return SSH_ERR_LIBCRYPTO_ERROR;
} else
- memcpy(cc->evp->iv, iv, evplen);
+ memcpy(EVP_CIPHER_CTX_iv_noconst(cc->evp), iv, evplen);
#endif
return 0;
}
diff -r d392360b5106 -r 500df916eb58 crypto/external/bsd/openssh/dist/cipher.h
--- a/crypto/external/bsd/openssh/dist/cipher.h Mon Feb 05 00:11:33 2018 +0000
+++ b/crypto/external/bsd/openssh/dist/cipher.h Mon Feb 05 00:13:50 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cipher.h,v 1.11 2017/10/07 19:39:19 christos Exp $ */
+/* $NetBSD: cipher.h,v 1.12 2018/02/05 00:13:50 christos Exp $ */
/* $OpenBSD: cipher.h,v 1.52 2017/05/07 23:12:57 djm Exp $ */
/*
@@ -47,7 +47,18 @@
#define CIPHER_DECRYPT 0
struct sshcipher;
+#if 0
+struct sshcipher_ctx {
+ int plaintext;
+ int encrypt;
+ EVP_CIPHER_CTX *evp;
+ struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
+ struct aesctr_ctx ac_ctx; /* XXX union with evp? */
+ const struct sshcipher *cipher;
+};
+#else
struct sshcipher_ctx;
+#endif
const struct sshcipher *cipher_by_name(const char *);
const char *cipher_warning_message(const struct sshcipher_ctx *);
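Review bot: The `struct sshcipher_ctx { ... }` body added under `#if 0` is never compiled, so the header carries a dead copy of a layout that is presumably defined in cipher.c. A stale copy like this drifts from the real definition and invites callers to reach into fields such as `evp` directly, which is what the opaque forward declaration prevents. I would drop the `#if 0 ... #else ... #endif` wrapper and keep only `struct sshcipher_ctx;`.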
diff -r d392360b5106 -r 500df916eb58 crypto/external/bsd/openssh/dist/dh.c
--- a/crypto/external/bsd/openssh/dist/dh.c Mon Feb 05 00:11:33 2018 +0000
+++ b/crypto/external/bsd/openssh/dist/dh.c Mon Feb 05 00:13:50 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: dh.c,v 1.12 2017/04/18 18:41:46 christos Exp $ */
+/* $NetBSD: dh.c,v 1.13 2018/02/05 00:13:50 christos Exp $ */
/* $OpenBSD: dh.c,v 1.62 2016/12/15 21:20:41 dtucker Exp $ */
/*
@@ -26,7 +26,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: dh.c,v 1.12 2017/04/18 18:41:46 christos Exp $");
+__RCSID("$NetBSD: dh.c,v 1.13 2018/02/05 00:13:50 christos Exp $");
#include <sys/param.h> /* MIN */
#include <openssl/bn.h>
@@ -216,14 +216,15 @@
/* diffie-hellman-groupN-sha1 */
int
-dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
+dh_pub_is_valid(const DH *dh, const BIGNUM *dh_pub)
{
int i;
int n = BN_num_bits(dh_pub);
int bits_set = 0;
BIGNUM *tmp;
+ const BIGNUM *p;
- if (dh_pub->neg) {
+ if (BN_is_negative(dh_pub)) {
logit("invalid public DH value: negative");
return 0;
}
@@ -236,7 +237,8 @@
error("%s: BN_new failed", __func__);
return 0;
}
- if (!BN_sub(tmp, dh->p, BN_value_one()) ||
+ DH_get0_pqg(dh, &p, NULL, NULL);
+ if (!BN_sub(tmp, p, BN_value_one()) ||
BN_cmp(dh_pub, tmp) != -1) { /* pub_exp > p-2 */
BN_clear_free(tmp);
logit("invalid public DH value: >= p-1");
@@ -247,14 +249,14 @@
for (i = 0; i <= n; i++)
if (BN_is_bit_set(dh_pub, i))
bits_set++;
- debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
+ debug2("bits set: %d/%d", bits_set, BN_num_bits(p));
/*
* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial
*/
if (bits_set < 4) {
logit("invalid public DH value (%d/%d)",
- bits_set, BN_num_bits(dh->p));
+ bits_set, BN_num_bits(p));
return 0;
}
return 1;
@@ -264,9 +266,12 @@
dh_gen_key(DH *dh, int need)
{
int pbits;
+ const BIGNUM *p, *pub_key, *priv_key;
- if (need < 0 || dh->p == NULL ||
- (pbits = BN_num_bits(dh->p)) <= 0 ||
+ DH_get0_pqg(dh, &p, NULL, NULL);
+
+ if (need < 0 || p == NULL ||
+ (pbits = BN_num_bits(p)) <= 0 ||
need > INT_MAX / 2 || 2 * need > pbits)
return SSH_ERR_INVALID_ARGUMENT;
if (need < 256)
@@ -275,10 +280,15 @@
* Pollard Rho, Big step/Little Step attacks are O(sqrt(n)),
* so double requested need here.
*/
- dh->length = MINIMUM(need * 2, pbits - 1);
- if (DH_generate_key(dh) == 0 ||
- !dh_pub_is_valid(dh, dh->pub_key)) {
- BN_clear_free(dh->priv_key);
+ DH_set_length(dh, MIN(need * 2, pbits - 1));
+ if (DH_generate_key(dh) == 0) {
+ return SSH_ERR_LIBCRYPTO_ERROR;
+ }
+ DH_get0_key(dh, &pub_key, &priv_key);
+ if (!dh_pub_is_valid(dh, pub_key)) {
+#if 0
+ BN_clear(priv_key);
+#endif
return SSH_ERR_LIBCRYPTO_ERROR;
}
return 0;
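Review bot: On the `!dh_pub_is_valid(dh, pub_key)` failure path the private exponent is no longer scrubbed: the old `BN_clear_free(dh->priv_key)` is replaced by a `BN_clear(priv_key)` that sits under `#if 0`, so the value stays inside `dh` until the caller frees it. If the intent is to rely on the caller's `DH_free()` for cleanup, remove the dead block, pass `NULL` for the private key in `DH_get0_key()`, and say so with a comment such as `/* private key is released by the caller's DH_free() */`. The return value of `DH_set_length()` is also ignored in this hunk; `if (DH_set_length(dh, MIN(need * 2, pbits - 1)) != 1) return SSH_ERR_LIBCRYPTO_ERROR;` would surface a failure. The signature of dh_gen_key is in the preceding hunk.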
@@ -287,16 +297,27 @@
DH *
dh_new_group_asc(const char *gen, const char *modulus)
{
- DH *dh;
+ DH *dh = NULL;
+ BIGNUM *p=NULL, *g=NULL;
- if ((dh = DH_new()) == NULL)
- return NULL;
- if (BN_hex2bn(&dh->p, modulus) == 0 ||
- BN_hex2bn(&dh->g, gen) == 0) {
- DH_free(dh);
- return NULL;
+ if ((dh = DH_new()) == NULL ||
+ (p = BN_new()) == NULL ||
+ (g = BN_new()) == NULL)
+ goto null;
+ if (BN_hex2bn(&p, modulus) == 0 ||
+ BN_hex2bn(&g, gen) == 0) {
+ goto null;
}
+ if (DH_set0_pqg(dh, p, NULL, g) == 0) {
+ goto null;
+ }
+ p = g = NULL;
return (dh);
+null:
+ BN_free(p);
+ BN_free(g);
+ DH_free(dh);
+ return NULL;
}
/*
@@ -311,8 +332,8 @@
if ((dh = DH_new()) == NULL)
return NULL;
- dh->p = modulus;
- dh->g = gen;
+ if (DH_set0_pqg(dh, modulus, NULL, gen) == 0)
+ return NULL;
return (dh);
}
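Review bot: The new `return NULL;` after a failed `DH_set0_pqg()` leaks the `DH` allocated by `DH_new()` just above it; the branch should read `if (DH_set0_pqg(dh, modulus, NULL, gen) == 0) { DH_free(dh); return NULL; }`. On that path `modulus` and `gen` stay owned by the caller, while on success ownership moves into `dh`, and a short comment on the function should state this so callers know when to free them. The function's signature is outside the hunk.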
diff -r d392360b5106 -r 500df916eb58 crypto/external/bsd/openssh/dist/dh.h
--- a/crypto/external/bsd/openssh/dist/dh.h Mon Feb 05 00:11:33 2018 +0000
+++ b/crypto/external/bsd/openssh/dist/dh.h Mon Feb 05 00:13:50 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: dh.h,v 1.9 2017/04/18 18:41:46 christos Exp $ */
+/* $NetBSD: dh.h,v 1.10 2018/02/05 00:13:50 christos Exp $ */
/* $OpenBSD: dh.h,v 1.15 2016/05/02 10:26:04 djm Exp $ */
/*
@@ -43,7 +43,7 @@
DH *dh_new_group_fallback(int);
int dh_gen_key(DH *, int);
-int dh_pub_is_valid(DH *, BIGNUM *);
+int dh_pub_is_valid(const DH *, const BIGNUM *);
u_int dh_estimate(int);
diff -r d392360b5106 -r 500df916eb58 crypto/external/bsd/openssh/dist/digest-openssl.c
--- a/crypto/external/bsd/openssh/dist/digest-openssl.c Mon Feb 05 00:11:33 2018 +0000
+++ b/crypto/external/bsd/openssh/dist/digest-openssl.c Mon Feb 05 00:13:50 2018 +0000
@@ -15,7 +15,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
-__RCSID("$NetBSD: digest-openssl.c,v 1.6 2017/10/07 19:39:19 christos Exp $");
+__RCSID("$NetBSD: digest-openssl.c,v 1.7 2018/02/05 00:13:50 christos Exp $");
#include <sys/types.h>
#include <limits.h>
@@ -30,7 +30,7 @@
struct ssh_digest_ctx {
int alg;
- EVP_MD_CTX mdctx;
+ EVP_MD_CTX *mdctx;
};
struct ssh_digest {
@@ -91,20 +91,21 @@
size_t
ssh_digest_blocksize(struct ssh_digest_ctx *ctx)
{
- return EVP_MD_CTX_block_size(&ctx->mdctx);
+ return EVP_MD_CTX_block_size(ctx->mdctx);
}
struct ssh_digest_ctx *
ssh_digest_start(int alg)
{
const struct ssh_digest *digest = ssh_digest_by_alg(alg);
- struct ssh_digest_ctx *ret;
+ struct ssh_digest_ctx *ret = NULL;
if (digest == NULL || ((ret = calloc(1, sizeof(*ret))) == NULL))
return NULL;
ret->alg = alg;