Skip to content
GitLab
Commit 0c79dacc authored by Dag-Erling Smørgrav's avatar Dag-Erling Smørgrav
Browse files

Vendor import of OpenSSH 6.6p1.

parent 02d4c2ac
Hide whitespace changes
Inline Side-by-side
ChangeLog
View file @ 0c79dacc
20140313
- (djm) Release OpenSSH 6.6
20140304
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2014/03/03 22:22:30
[session.c]
ignore enviornment variables with embedded '=' or '\0' characters;
spotted by Jann Horn; ok deraadt@
20140301
- (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
no moduli file exists at the expected location.
20140228
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2014/02/27 00:41:49
[bufbn.c]
fix unsigned overflow that could lead to reading a short ssh protocol
1 bignum value; found by Ben Hawkes; ok deraadt@
- djm@cvs.openbsd.org 2014/02/27 08:25:09
[bufbn.c]
off by one in range check
- djm@cvs.openbsd.org 2014/02/27 22:47:07
[sshd_config.5]
bz#2184 clarify behaviour of a keyword that appears in multiple
matching Match blocks; ok dtucker@
- djm@cvs.openbsd.org 2014/02/27 22:57:40
[version.h]
openssh-6.6
- dtucker@cvs.openbsd.org 2014/01/19 23:43:02
[regress/sftp-chroot.sh]
Don't use -q on sftp as it suppresses logging, instead redirect the
output to the regress logfile.
- dtucker@cvs.openbsd.org 2014/01/20 00:00:30
[sregress/ftp-chroot.sh]
append to rather than truncating the log file
- dtucker@cvs.openbsd.org 2014/01/25 04:35:32
[regress/Makefile regress/dhgex.sh]
Add a test for DH GEX sizes
- djm@cvs.openbsd.org 2014/01/26 10:22:10
[regress/cert-hostkey.sh]
automatically generate revoked keys from listed keys rather than
manually specifying each type; from portable
(Id sync only)
- djm@cvs.openbsd.org 2014/01/26 10:49:17
[scp-ssh-wrapper.sh scp.sh]
make sure $SCP is tested on the remote end rather than whichever one
happens to be in $PATH; from portable
(Id sync only)
- djm@cvs.openbsd.org 2014/02/27 20:04:16
[login-timeout.sh]
remove any existing LoginGraceTime from sshd_config before adding
a specific one for the test back in
- djm@cvs.openbsd.org 2014/02/27 21:21:25
[agent-ptrace.sh agent.sh]
keep return values that are printed in error messages;
from portable
(Id sync only)
- (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Crank version numbers
- (djm) [regress/host-expand.sh] Add RCS Id
20140227
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2014/02/26 20:18:37
[ssh.c]
bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
ok dtucker@ markus@
- djm@cvs.openbsd.org 2014/02/26 20:28:44
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
sandboxing, as running this code in the sandbox can cause violations;
ok markus@
- djm@cvs.openbsd.org 2014/02/26 20:29:29
[channels.c]
don't assume that the socks4 username is \0 terminated;
spotted by Ben Hawkes; ok markus@
- markus@cvs.openbsd.org 2014/02/26 21:53:37
[sshd.c]
ssh_gssapi_prepare_supported_oids needs GSSAPI
20140224
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2014/02/07 06:55:54
[cipher.c mac.c]
remove some logging that makes ssh debugging output very verbose;
ok markus
- djm@cvs.openbsd.org 2014/02/15 23:05:36
[channels.c]
avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
bz#2200, debian#738692 via Colin Watson; ok dtucker@
- djm@cvs.openbsd.org 2014/02/22 01:32:19
[readconf.c]
when processing Match blocks, skip 'exec' clauses if previous predicates
failed to match; ok markus@
- djm@cvs.openbsd.org 2014/02/23 20:03:42
[ssh-ed25519.c]
check for unsigned overflow; not reachable in OpenSSH but others might
copy our code...
- djm@cvs.openbsd.org 2014/02/23 20:11:36
[readconf.c readconf.h ssh.c ssh_config.5]
reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
the hostname. This allows users to write configurations that always
refer to canonical hostnames, e.g.
CanonicalizeHostname yes
CanonicalDomains int.example.org example.org
CanonicalizeFallbackLocal no
Host *.int.example.org
Compression off
Host *.example.org
User djm
ok markus@
20140213
- (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add compat
code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
20140207
- OpenBSD CVS Sync
- naddy@cvs.openbsd.org 2014/02/05 20:13:25
[ssh-keygen.1 ssh-keygen.c]
tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
while here, fix ordering in usage(); requested by jmc@
- djm@cvs.openbsd.org 2014/02/06 22:21:01
[sshconnect.c]
in ssh_create_socket(), only do the getaddrinfo for BindAddress when
BindAddress is actually specified. Fixes regression in 6.5 for
UsePrivilegedPort=yes; patch from Corinna Vinschen
20140206
- (dtucker) [openbsd-compat/bsd-poll.c] Don't bother checking for non-NULL
before freeing since free(NULL) is a no-op. ok djm.
- (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define
__NR_shutdown; some go via the socketcall(2) multiplexer.
20140205
- (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
headers/libc but not supported by the kernel. Patch from Loganaden
Velvindron @ AfriNIC
20140204
- OpenBSD CVS Sync
- markus@cvs.openbsd.org 2014/01/27 18:58:14
[Makefile.in digest.c digest.h hostfile.c kex.h mac.c hmac.c hmac.h]
replace openssl HMAC with an implementation based on our ssh_digest_*
ok and feedback djm@
- markus@cvs.openbsd.org 2014/01/27 19:18:54
[auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c]
replace openssl MD5 with our ssh_digest_*; ok djm@
- markus@cvs.openbsd.org 2014/01/27 20:13:46
[digest.c digest-openssl.c digest-libc.c Makefile.in]
rename digest.c to digest-openssl.c and add libc variant; ok djm@
- jmc@cvs.openbsd.org 2014/01/28 14:13:39
[ssh-keyscan.1]
kill some bad Pa;
From: Jan Stary
- djm@cvs.openbsd.org 2014/01/29 00:19:26
[sshd.c]
use kill(0, ...) instead of killpg(0, ...); on most operating systems
they are equivalent, but SUSv2 describes the latter as having undefined
behaviour; from portable; ok dtucker
(Id sync only; change is already in portable)
- djm@cvs.openbsd.org 2014/01/29 06:18:35
[Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c]
[monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h]
[schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c]
remove experimental, never-enabled JPAKE code; ok markus@
- jmc@cvs.openbsd.org 2014/01/29 14:04:51
[sshd_config.5]
document kbdinteractiveauthentication;
requested From: Ross L Richardson
dtucker/markus helped explain its workings;
- djm@cvs.openbsd.org 2014/01/30 22:26:14
[sandbox-systrace.c]
allow shutdown(2) syscall in sandbox - it may be called by packet_close()
from portable
(Id sync only; change is already in portable)
- tedu@cvs.openbsd.org 2014/01/31 16:39:19
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
[channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
[kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
[sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
[openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
replace most bzero with explicit_bzero, except a few that cna be memset
ok djm dtucker
- djm@cvs.openbsd.org 2014/02/02 03:44:32
[auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
[buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
[kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
[monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
[ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
[sshd.c]
convert memset of potentially-private data to explicit_bzero()
- djm@cvs.openbsd.org 2014/02/03 23:28:00
[ssh-ecdsa.c]
fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike
DSA_SIG_new. Reported by Batz Spear; ok markus@
- djm@cvs.openbsd.org 2014/02/02 03:44:31
[digest-libc.c digest-openssl.c]
convert memset of potentially-private data to explicit_bzero()
- djm@cvs.openbsd.org 2014/02/04 00:24:29
[ssh.c]
delay lowercasing of hostname until right before hostname
canonicalisation to unbreak case-sensitive matching of ssh_config;
reported by Ike Devolder; ok markus@
- (djm) [openbsd-compat/Makefile.in] Add missing explicit_bzero.o
- (djm) [regress/setuid-allowed.c] Missing string.h for strerror()
20140131
- (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
syscall from sandboxes; it may be called by packet_close.
- (dtucker) [readconf.c] Include <arpa/inet.h> for the hton macros. Fixes
build with HP-UX's compiler. Patch from Kevin Brott.
- (tim) [Makefile.in] build regress/setuid-allow.
20140130
- (djm) [configure.ac] Only check for width-specified integer types
in headers that actually exist. patch from Tom G. Christensen;
......@@ -2663,3 +2884,4 @@
[contrib/suse/openssh.spec] Update for release 6.0
- (djm) [README] Update URL to release notes.
- (djm) Release openssh-6.0
Makefile.in
View file @ 0c79dacc
# $Id: Makefile.in,v 1.352 2014/01/27 06:35:04 dtucker Exp $
# $Id: Makefile.in,v 1.356 2014/02/04 00:12:56 djm Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
......@@ -73,9 +73,9 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest.o \
ssh-ed25519.o digest-openssl.o hmac.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
......@@ -88,7 +88,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
auth.o auth1.o auth2.o auth-options.o session.o \
auth-chall.o auth2-chall.o groupaccess.o \
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
kexc25519s.o auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
......@@ -408,7 +408,7 @@ regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$(EXEEXT)
BUILDDIR=`pwd`; \
TEST_SHELL="@TEST_SHELL@"; \
TEST_SSH_SCP="$${BUILDDIR}/scp"; \
......
README
View file @ 0c79dacc
See http://www.openssh.com/txt/release-6.5 for the release notes.
See http://www.openssh.com/txt/release-6.6 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
......@@ -62,4 +62,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
$Id: README,v 1.85 2014/01/16 07:51:45 djm Exp $
$Id: README,v 1.86 2014/02/27 23:03:53 djm Exp $
auth-rsa.c
View file @ 0c79dacc
/* $OpenBSD: auth-rsa.c,v 1.85 2013/07/12 00:19:58 djm Exp $ */
/* $OpenBSD: auth-rsa.c,v 1.86 2014/01/27 19:18:54 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -20,7 +20,6 @@
#include <sys/stat.h>
#include <openssl/rsa.h>
#include <openssl/md5.h>
#include <pwd.h>
#include <stdio.h>
......@@ -48,6 +47,8 @@
#include "ssh.h"
#include "misc.h"
#include "digest.h"
/* import */
extern ServerOptions options;
......@@ -91,12 +92,13 @@ int
auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
{
u_char buf[32], mdbuf[16];
MD5_CTX md;
struct ssh_digest_ctx *md;
int len;
/* don't allow short keys */
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits",
error("%s: RSA modulus too small: %d < minimum %d bits",
__func__,
BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
return (0);
}
......@@ -104,13 +106,15 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
/* The response is MD5 of decrypted challenge plus session id. */
len = BN_num_bytes(challenge);
if (len <= 0 || len > 32)
fatal("auth_rsa_verify_response: bad challenge length %d", len);
fatal("%s: bad challenge length %d", __func__, len);
memset(buf, 0, 32);
BN_bn2bin(challenge, buf + 32 - len);
MD5_Init(&md);
MD5_Update(&md, buf, 32);
MD5_Update(&md, session_id, 16);
MD5_Final(mdbuf, &md);
if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
ssh_digest_update(md, buf, 32) < 0 ||
ssh_digest_update(md, session_id, 16) < 0 ||
ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)
fatal("%s: md5 failed", __func__);
ssh_digest_free(md);
/* Verify that the response is the original challenge. */
if (timingsafe_bcmp(response, mdbuf, 16) != 0) {
......
auth.h
View file @ 0c79dacc
/* $OpenBSD: auth.h,v 1.76 2013/07/19 07:37:48 markus Exp $ */
/* $OpenBSD: auth.h,v 1.77 2014/01/29 06:18:35 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
......@@ -61,7 +61,6 @@ struct Authctxt {
char *style;
void *kbdintctxt;
char *info; /* Extra info for next auth_log */
void *jpake_ctx;
#ifdef BSD_AUTH
auth_session_t *as;
#endif
......@@ -175,9 +174,6 @@ int bsdauth_respond(void *, u_int, char **);
int skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int skey_respond(void *, u_int, char **);
void auth2_jpake_get_pwdata(Authctxt *, BIGNUM **, char **, char **);
void auth2_jpake_stop(Authctxt *);
int allowed_user(struct passwd *);
struct passwd * getpwnamallow(const char *user);
......
auth1.c
View file @ 0c79dacc
/* $OpenBSD: auth1.c,v 1.79 2013/05/19 02:42:42 djm Exp $ */
/* $OpenBSD: auth1.c,v 1.80 2014/02/02 03:44:31 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
......@@ -129,7 +129,7 @@ auth1_process_password(Authctxt *authctxt)
/* Try authentication with the password. */
authenticated = PRIVSEP(auth_password(authctxt, password));
memset(password, 0, dlen);
explicit_bzero(password, dlen);
free(password);
return (authenticated);
......@@ -222,7 +222,7 @@ auth1_process_tis_response(Authctxt *authctxt)
response = packet_get_string(&dlen);
packet_check_eom();
authenticated = verify_response(authctxt, response);
memset(response, 'r', dlen);
explicit_bzero(response, dlen);
free(response);
return (authenticated);
......
auth2-chall.c
View file @ 0c79dacc
/* $OpenBSD: auth2-chall.c,v 1.39 2013/11/08 00:39:14 djm Exp $ */
/* $OpenBSD: auth2-chall.c,v 1.41 2014/02/02 03:44:31 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2001 Per Allansson. All rights reserved.
......@@ -148,7 +148,7 @@ kbdint_free(KbdintAuthctxt *kbdintctxt)
if (kbdintctxt->device)
kbdint_reset_device(kbdintctxt);
free(kbdintctxt->devices);
bzero(kbdintctxt, sizeof(*kbdintctxt));
explicit_bzero(kbdintctxt, sizeof(*kbdintctxt));
free(kbdintctxt);
}
/* get next device */
......@@ -312,7 +312,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
for (i = 0; i < nresp; i++) {
memset(response[i], 'r', strlen(response[i]));
explicit_bzero(response[i], strlen(response[i]));
free(response[i]);
}
free(response);
......
auth2-gss.c
View file @ 0c79dacc
/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
/* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
......@@ -62,7 +62,6 @@ userauth_gssapi(Authctxt *authctxt)
gss_OID_desc goid = {0, NULL};
Gssctxt *ctxt = NULL;
int mechs;
gss_OID_set supported;
int present;
OM_uint32 ms;
u_int len;
......@@ -77,7 +76,6 @@ userauth_gssapi(Authctxt *authctxt)
return (0);
}
ssh_gssapi_supported_oids(&supported);
do {
mechs--;
......@@ -90,15 +88,12 @@ userauth_gssapi(Authctxt *authctxt)
doid[1] == len - 2) {
goid.elements = doid + 2;
goid.length = len - 2;
gss_test_oid_set_member(&ms, &goid, supported,
&present);
ssh_gssapi_test_oid_supported(&ms, &goid, &present);
} else {
logit("Badly formed OID received");
}
} while (mechs > 0 && !present);
gss_release_oid_set(&ms, &supported);
if (!present) {
free(doid);
authctxt->server_caused_failure = 1;
......
auth2-jpake.c deleted 100644 → 0
View file @ 02d4c2ac
/* $OpenBSD: auth2-jpake.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2008 Damien Miller. All rights reserved.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* Server side of zero-knowledge password auth using J-PAKE protocol
* as described in:
*
* F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
* 16th Workshop on Security Protocols, Cambridge, April 2008
*
* http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
*/
#ifdef JPAKE
#include <sys/types.h>
#include <sys/param.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <login_cap.h>
#include <openssl/bn.h>
#include <openssl/evp.h>
#include "xmalloc.h"
#include "ssh2.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
#include "buffer.h"
#include "packet.h"
#include "dispatch.h"
#include "log.h"
#include "servconf.h"
#include "auth-options.h"
#include "canohost.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "schnorr.h"
#include "jpake.h"
/*
* XXX options->permit_empty_passwd (at the moment, they will be refused
* anyway because they will mismatch on fake salt.
*/
/* Dispatch handlers */
static void input_userauth_jpake_client_step1(int, u_int32_t, void *);
static void input_userauth_jpake_client_step2(int, u_int32_t, void *);
static void input_userauth_jpake_client_confirm(int, u_int32_t, void *);
static int auth2_jpake_start(Authctxt *);
/* import */
extern ServerOptions options;
extern u_char *session_id2;
extern u_int session_id2_len;
/*
* Attempt J-PAKE authentication.
*/
static int
userauth_jpake(Authctxt *authctxt)
{
int authenticated = 0;
packet_check_eom();
debug("jpake-01@openssh.com requested");
if (authctxt->user != NULL) {
if (authctxt->jpake_ctx == NULL)
authctxt->jpake_ctx = jpake_new();
if (options.zero_knowledge_password_authentication)
authenticated = auth2_jpake_start(authctxt);
}
return authenticated;
}
Authmethod method_jpake = {
"jpake-01@openssh.com",
userauth_jpake,
&options.zero_knowledge_password_authentication
};
/* Clear context and callbacks */
void
auth2_jpake_stop(Authctxt *authctxt)
{
/* unregister callbacks */
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, NULL);
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, NULL);
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM, NULL);
if (authctxt->jpake_ctx != NULL) {
jpake_free(authctxt->jpake_ctx);
authctxt->jpake_ctx = NULL;
}
}
/* Returns 1 if 'c' is a valid crypt(3) salt character, 0 otherwise */
static int
valid_crypt_salt(int c)
{
if (c >= 'A' && c <= 'Z')
return 1;
if (c >= 'a' && c <= 'z')
return 1;
if (c >= '.' && c <= '9')
return 1;
return 0;
}
/*
* Derive fake salt as H(username || first_private_host_key)
* This provides relatively stable fake salts for non-existent
* users and avoids the jpake method becoming an account validity
* oracle.
*/
static void
derive_rawsalt(const char *username, u_char *rawsalt, u_int len)
{
u_char *digest;
u_int digest_len;
Buffer b;
Key *k;
buffer_init(&b);
buffer_put_cstring(&b, username);
if ((k = get_hostkey_by_index(0)) == NULL ||
(k->flags & KEY_FLAG_EXT))
fatal("%s: no hostkeys", __func__);
switch (k->type) {
case KEY_RSA1:
case KEY_RSA:
if (k->rsa->p == NULL || k->rsa->q == NULL)
fatal("%s: RSA key missing p and/or q", __func__);
buffer_put_bignum2(&b, k->rsa->p);
buffer_put_bignum2(&b, k->rsa->q);
break;
case KEY_DSA:
if (k->dsa->priv_key == NULL)
fatal("%s: DSA key missing priv_key", __func__);
buffer_put_bignum2(&b, k->dsa->priv_key);
break;
case KEY_ECDSA:
if (EC_KEY_get0_private_key(k->ecdsa) == NULL)
fatal("%s: ECDSA key missing priv_key", __func__);
buffer_put_bignum2(&b, EC_KEY_get0_private_key(k->ecdsa));
break;
default:
fatal("%s: unknown key type %d", __func__, k->type);
}
if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(),
&digest, &digest_len) != 0)
fatal("%s: hash_buffer", __func__);
buffer_free(&b);
if (len > digest_len)
fatal("%s: not enough bytes for rawsalt (want %u have %u)",
__func__, len, digest_len);
memcpy(rawsalt, digest, len);
bzero(digest, digest_len);
free(digest);
}
/* ASCII an integer [0, 64) for inclusion in a password/salt */
static char
pw_encode64(u_int i64)
{
const u_char e64[] =
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
return e64[i64 % 64];
}
/* Generate ASCII salt bytes for user */
static char *
makesalt(u_int want, const char *user)
{
u_char rawsalt[32];
static char ret[33];
u_int i;