* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out

for a while, but there's no GSSAPI patch available for it yet. - Change the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". - Add countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack (closes: #506115, LP: #379329). - ForceCommand directive now accepts commandline arguments for the internal-sftp server (closes: #524423, LP: #362511). - Add AllowAgentForwarding to available Match keywords list (closes: #540623). - Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. - Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1; closes: #496017). * Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch, including cascading credentials support (LP: #416958).
author: Colin Watson <cjwatson@debian.org> 2010-01-01 23:53:30 +0000
committer: Colin Watson <cjwatson@debian.org> 2010-01-01 23:53:30 +0000
commit: df03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch)
tree: 1aab079441dff9615274769b19f2d734ddf508dd /monitor_wrap.c
parent: 6ad6994c288662fca6949f42bf91fec2aff00bca (diff)
parent: 99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff)
1 files changed, 188 insertions, 3 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 125f879c5..92e04901d 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.63 2008/07/10 18:08:11 markus Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.64 2008/11/04 08:22:13 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -40,6 +40,7 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
+#include <openssl/evp.h>
 #include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
@@ -70,7 +71,7 @@
 #include "atomicio.h"
 #include "monitor_fdpass.h"
 #include "misc.h"
-#include "servconf.h"
+#include "jpake.h"
 #include "channels.h"
 #include "session.h"
@@ -1256,7 +1257,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 }
 int
-mm_ssh_gssapi_userok(char *user)
+mm_ssh_gssapi_userok(char *user, struct passwd *pw)
 {
        Buffer m;
        int authenticated = 0;
@@ -1296,4 +1297,188 @@ mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
        return(major);
 }
+int
+mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+{
+        Buffer m;
+        int ok;
+        buffer_init(&m);
+        buffer_put_cstring(&m, store->filename ? store->filename : "");
+        buffer_put_cstring(&m, store->envvar ? store->envvar : "");
+        buffer_put_cstring(&m, store->envval ? store->envval : "");
+        
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
+        ok = buffer_get_int(&m);
+        buffer_free(&m);
+        
+        return (ok);
+}
 #endif /* GSSAPI */
+#ifdef JPAKE
+void
+mm_auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
+    char **hash_scheme, char **salt)
+{
+        Buffer m;
+        debug3("%s entering", __func__);
+        buffer_init(&m);
+        mm_request_send(pmonitor->m_recvfd,
+            MONITOR_REQ_JPAKE_GET_PWDATA, &m);
+        debug3("%s: waiting for MONITOR_ANS_JPAKE_GET_PWDATA", __func__);
+        mm_request_receive_expect(pmonitor->m_recvfd,
+            MONITOR_ANS_JPAKE_GET_PWDATA, &m);
+        *hash_scheme = buffer_get_string(&m, NULL);
+        *salt = buffer_get_string(&m, NULL);
+        buffer_free(&m);
+}
+void
+mm_jpake_step1(struct jpake_group *grp,
+    u_char **id, u_int *id_len,
+    BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
+    u_char **priv1_proof, u_int *priv1_proof_len,
+    u_char **priv2_proof, u_int *priv2_proof_len)
+{
+        Buffer m;
+        debug3("%s entering", __func__);
+        buffer_init(&m);
+        mm_request_send(pmonitor->m_recvfd,
+            MONITOR_REQ_JPAKE_STEP1, &m);
+        debug3("%s: waiting for MONITOR_ANS_JPAKE_STEP1", __func__);
+        mm_request_receive_expect(pmonitor->m_recvfd,
+            MONITOR_ANS_JPAKE_STEP1, &m);
+        if ((*priv1 = BN_new()) == NULL ||
+            (*priv2 = BN_new()) == NULL ||
+            (*g_priv1 = BN_new()) == NULL ||
+            (*g_priv2 = BN_new()) == NULL)
+                fatal("%s: BN_new", __func__);
+        *id = buffer_get_string(&m, id_len);
+        /* priv1 and priv2 are, well, private */
+        buffer_get_bignum2(&m, *g_priv1);
+        buffer_get_bignum2(&m, *g_priv2);
+        *priv1_proof = buffer_get_string(&m, priv1_proof_len);
+        *priv2_proof = buffer_get_string(&m, priv2_proof_len);
+        buffer_free(&m);
+}
+void
+mm_jpake_step2(struct jpake_group *grp, BIGNUM *s,
+    BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
+    const u_char *theirid, u_int theirid_len,
+    const u_char *myid, u_int myid_len,
+    const u_char *theirpub1_proof, u_int theirpub1_proof_len,
+    const u_char *theirpub2_proof, u_int theirpub2_proof_len,
+    BIGNUM **newpub,
+    u_char **newpub_exponent_proof, u_int *newpub_exponent_proof_len)
+{
+        Buffer m;
+        debug3("%s entering", __func__);
+        buffer_init(&m);
+        /* monitor already has all bignums except theirpub1, theirpub2 */
+        buffer_put_bignum2(&m, theirpub1);
+        buffer_put_bignum2(&m, theirpub2);
+        /* monitor already knows our id */
+        buffer_put_string(&m, theirid, theirid_len);
+        buffer_put_string(&m, theirpub1_proof, theirpub1_proof_len);
+        buffer_put_string(&m, theirpub2_proof, theirpub2_proof_len);
+        mm_request_send(pmonitor->m_recvfd,
+            MONITOR_REQ_JPAKE_STEP2, &m);
+        debug3("%s: waiting for MONITOR_ANS_JPAKE_STEP2", __func__);
+        mm_request_receive_expect(pmonitor->m_recvfd,
+            MONITOR_ANS_JPAKE_STEP2, &m);
+        if ((*newpub = BN_new()) == NULL)
+                fatal("%s: BN_new", __func__);
+        buffer_get_bignum2(&m, *newpub);
+        *newpub_exponent_proof = buffer_get_string(&m,
+            newpub_exponent_proof_len);
+        buffer_free(&m);
+}
+void
+mm_jpake_key_confirm(struct jpake_group *grp, BIGNUM *s, BIGNUM *step2_val,
+    BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
+    BIGNUM *theirpub1, BIGNUM *theirpub2,
+    const u_char *my_id, u_int my_id_len,
+    const u_char *their_id, u_int their_id_len,
+    const u_char *sess_id, u_int sess_id_len,
+    const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len,
+    BIGNUM **k,
+    u_char **confirm_hash, u_int *confirm_hash_len)
+{
+        Buffer m;
+        debug3("%s entering", __func__);
+        buffer_init(&m);
+        /* monitor already has all bignums except step2_val */
+        buffer_put_bignum2(&m, step2_val);
+        /* monitor already knows all the ids */
+        buffer_put_string(&m, theirpriv2_s_proof, theirpriv2_s_proof_len);
+        mm_request_send(pmonitor->m_recvfd,
+            MONITOR_REQ_JPAKE_KEY_CONFIRM, &m);
+        debug3("%s: waiting for MONITOR_ANS_JPAKE_KEY_CONFIRM", __func__);
+        mm_request_receive_expect(pmonitor->m_recvfd,
+            MONITOR_ANS_JPAKE_KEY_CONFIRM, &m);
+        /* 'k' is sensitive and stays in the monitor */
+        *confirm_hash = buffer_get_string(&m, confirm_hash_len);
+        buffer_free(&m);
+}
+int
+mm_jpake_check_confirm(const BIGNUM *k,
+    const u_char *peer_id, u_int peer_id_len,
+    const u_char *sess_id, u_int sess_id_len,
+    const u_char *peer_confirm_hash, u_int peer_confirm_hash_len)
+{
+        Buffer m;
+        int success = 0;
+        debug3("%s entering", __func__);
+        buffer_init(&m);
+        /* k is dummy in slave, ignored */
+        /* monitor knows all the ids */
+        buffer_put_string(&m, peer_confirm_hash, peer_confirm_hash_len);
+        mm_request_send(pmonitor->m_recvfd,
+            MONITOR_REQ_JPAKE_CHECK_CONFIRM, &m);
+        debug3("%s: waiting for MONITOR_ANS_JPAKE_CHECK_CONFIRM", __func__);
+        mm_request_receive_expect(pmonitor->m_recvfd,
+            MONITOR_ANS_JPAKE_CHECK_CONFIRM, &m);
+        success = buffer_get_int(&m);
+        buffer_free(&m);
+        debug3("%s: success = %d", __func__, success);
+        return success;
+}
+#endif /* JPAKE */
author	Colin Watson <cjwatson@debian.org>	2010-01-01 23:53:30 +0000
committer	Colin Watson <cjwatson@debian.org>	2010-01-01 23:53:30 +0000
commit	df03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch)
tree	1aab079441dff9615274769b19f2d734ddf508dd /monitor_wrap.c
parent	6ad6994c288662fca6949f42bf91fec2aff00bca (diff)
parent	99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff)

diff --git a/monitor_wrap.c b/monitor_wrap.c index 125f879c5..92e04901d 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: monitor_wrap.c,v 1.63 2008/07/10 18:08:11 markus Exp $ */	1	/* $OpenBSD: monitor_wrap.c,v 1.64 2008/11/04 08:22:13 djm Exp $ */
2	/*	2	/*
3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>	3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>
4	* Copyright 2002 Markus Friedl <markus@openbsd.org>	4	* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -40,6 +40,7 @@
40		40
41	#include <openssl/bn.h>	41	#include <openssl/bn.h>
42	#include <openssl/dh.h>	42	#include <openssl/dh.h>
		43	#include <openssl/evp.h>
43		44
44	#include "openbsd-compat/sys-queue.h"	45	#include "openbsd-compat/sys-queue.h"
45	#include "xmalloc.h"	46	#include "xmalloc.h"
@@ -70,7 +71,7 @@
70	#include "atomicio.h"	71	#include "atomicio.h"
71	#include "monitor_fdpass.h"	72	#include "monitor_fdpass.h"
72	#include "misc.h"	73	#include "misc.h"
73	#include "servconf.h"	74	#include "jpake.h"
74		75
75	#include "channels.h"	76	#include "channels.h"
76	#include "session.h"	77	#include "session.h"
@@ -1256,7 +1257,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
1256	}	1257	}
1257		1258
1258	int	1259	int
1259	mm_ssh_gssapi_userok(char *user)	1260	mm_ssh_gssapi_userok(char user, struct passwd pw)
1260	{	1261	{
1261	Buffer m;	1262	Buffer m;
1262	int authenticated = 0;	1263	int authenticated = 0;
@@ -1296,4 +1297,188 @@ mm_ssh_gssapi_sign(Gssctxt ctx, gss_buffer_desc data, gss_buffer_desc *hash)
1296	return(major);	1297	return(major);
1297	}	1298	}
1298		1299
		1300	int
		1301	mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
		1302	{
		1303	Buffer m;
		1304	int ok;
		1305
		1306	buffer_init(&m);
		1307
		1308	buffer_put_cstring(&m, store->filename ? store->filename : "");
		1309	buffer_put_cstring(&m, store->envvar ? store->envvar : "");
		1310	buffer_put_cstring(&m, store->envval ? store->envval : "");
		1311
		1312	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
		1313	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
		1314
		1315	ok = buffer_get_int(&m);
		1316
		1317	buffer_free(&m);
		1318
		1319	return (ok);
		1320	}
		1321
1299	#endif /* GSSAPI */	1322	#endif /* GSSAPI */
		1323
		1324	#ifdef JPAKE
		1325	void
		1326	mm_auth2_jpake_get_pwdata(Authctxt authctxt, BIGNUM *s,
		1327	char hash_scheme, char salt)
		1328	{
		1329	Buffer m;
		1330
		1331	debug3("%s entering", __func__);
		1332
		1333	buffer_init(&m);
		1334	mm_request_send(pmonitor->m_recvfd,
		1335	MONITOR_REQ_JPAKE_GET_PWDATA, &m);
		1336
		1337	debug3("%s: waiting for MONITOR_ANS_JPAKE_GET_PWDATA", __func__);
		1338	mm_request_receive_expect(pmonitor->m_recvfd,
		1339	MONITOR_ANS_JPAKE_GET_PWDATA, &m);
		1340
		1341	*hash_scheme = buffer_get_string(&m, NULL);
		1342	*salt = buffer_get_string(&m, NULL);
		1343
		1344	buffer_free(&m);
		1345	}
		1346
		1347	void
		1348	mm_jpake_step1(struct jpake_group *grp,
		1349	u_char *id, u_int id_len,
		1350	BIGNUM priv1, BIGNUM priv2, BIGNUM g_priv1, BIGNUM g_priv2,
		1351	u_char *priv1_proof, u_int priv1_proof_len,
		1352	u_char *priv2_proof, u_int priv2_proof_len)
		1353	{
		1354	Buffer m;
		1355
		1356	debug3("%s entering", __func__);
		1357
		1358	buffer_init(&m);
		1359	mm_request_send(pmonitor->m_recvfd,
		1360	MONITOR_REQ_JPAKE_STEP1, &m);
		1361
		1362	debug3("%s: waiting for MONITOR_ANS_JPAKE_STEP1", __func__);
		1363	mm_request_receive_expect(pmonitor->m_recvfd,
		1364	MONITOR_ANS_JPAKE_STEP1, &m);
		1365
		1366	if ((*priv1 = BN_new()) == NULL \|\|
		1367	(*priv2 = BN_new()) == NULL \|\|
		1368	(*g_priv1 = BN_new()) == NULL \|\|
		1369	(*g_priv2 = BN_new()) == NULL)
		1370	fatal("%s: BN_new", __func__);
		1371
		1372	*id = buffer_get_string(&m, id_len);
		1373	/* priv1 and priv2 are, well, private */
		1374	buffer_get_bignum2(&m, *g_priv1);
		1375	buffer_get_bignum2(&m, *g_priv2);
		1376	*priv1_proof = buffer_get_string(&m, priv1_proof_len);
		1377	*priv2_proof = buffer_get_string(&m, priv2_proof_len);
		1378
		1379	buffer_free(&m);
		1380	}
		1381
		1382	void
		1383	mm_jpake_step2(struct jpake_group grp, BIGNUM s,
		1384	BIGNUM mypub1, BIGNUM theirpub1, BIGNUM theirpub2, BIGNUM mypriv2,
		1385	const u_char *theirid, u_int theirid_len,
		1386	const u_char *myid, u_int myid_len,
		1387	const u_char *theirpub1_proof, u_int theirpub1_proof_len,
		1388	const u_char *theirpub2_proof, u_int theirpub2_proof_len,
		1389	BIGNUM **newpub,
		1390	u_char *newpub_exponent_proof, u_int newpub_exponent_proof_len)
		1391	{
		1392	Buffer m;
		1393
		1394	debug3("%s entering", __func__);
		1395
		1396	buffer_init(&m);
		1397	/* monitor already has all bignums except theirpub1, theirpub2 */
		1398	buffer_put_bignum2(&m, theirpub1);
		1399	buffer_put_bignum2(&m, theirpub2);
		1400	/* monitor already knows our id */
		1401	buffer_put_string(&m, theirid, theirid_len);
		1402	buffer_put_string(&m, theirpub1_proof, theirpub1_proof_len);
		1403	buffer_put_string(&m, theirpub2_proof, theirpub2_proof_len);
		1404
		1405	mm_request_send(pmonitor->m_recvfd,
		1406	MONITOR_REQ_JPAKE_STEP2, &m);
		1407
		1408	debug3("%s: waiting for MONITOR_ANS_JPAKE_STEP2", __func__);
		1409	mm_request_receive_expect(pmonitor->m_recvfd,
		1410	MONITOR_ANS_JPAKE_STEP2, &m);
		1411
		1412	if ((*newpub = BN_new()) == NULL)
		1413	fatal("%s: BN_new", __func__);
		1414
		1415	buffer_get_bignum2(&m, *newpub);
		1416	*newpub_exponent_proof = buffer_get_string(&m,
		1417	newpub_exponent_proof_len);
		1418
		1419	buffer_free(&m);
		1420	}
		1421
		1422	void
		1423	mm_jpake_key_confirm(struct jpake_group grp, BIGNUM s, BIGNUM *step2_val,
		1424	BIGNUM mypriv2, BIGNUM mypub1, BIGNUM *mypub2,
		1425	BIGNUM theirpub1, BIGNUM theirpub2,
		1426	const u_char *my_id, u_int my_id_len,
		1427	const u_char *their_id, u_int their_id_len,
		1428	const u_char *sess_id, u_int sess_id_len,
		1429	const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len,
		1430	BIGNUM **k,
		1431	u_char *confirm_hash, u_int confirm_hash_len)
		1432	{
		1433	Buffer m;
		1434
		1435	debug3("%s entering", __func__);
		1436
		1437	buffer_init(&m);
		1438	/* monitor already has all bignums except step2_val */
		1439	buffer_put_bignum2(&m, step2_val);
		1440	/* monitor already knows all the ids */
		1441	buffer_put_string(&m, theirpriv2_s_proof, theirpriv2_s_proof_len);
		1442
		1443	mm_request_send(pmonitor->m_recvfd,
		1444	MONITOR_REQ_JPAKE_KEY_CONFIRM, &m);
		1445
		1446	debug3("%s: waiting for MONITOR_ANS_JPAKE_KEY_CONFIRM", __func__);
		1447	mm_request_receive_expect(pmonitor->m_recvfd,
		1448	MONITOR_ANS_JPAKE_KEY_CONFIRM, &m);
		1449
		1450	/* 'k' is sensitive and stays in the monitor */
		1451	*confirm_hash = buffer_get_string(&m, confirm_hash_len);
		1452
		1453	buffer_free(&m);
		1454	}
		1455
		1456	int
		1457	mm_jpake_check_confirm(const BIGNUM *k,
		1458	const u_char *peer_id, u_int peer_id_len,
		1459	const u_char *sess_id, u_int sess_id_len,
		1460	const u_char *peer_confirm_hash, u_int peer_confirm_hash_len)
		1461	{
		1462	Buffer m;
		1463	int success = 0;
		1464
		1465	debug3("%s entering", __func__);
		1466
		1467	buffer_init(&m);
		1468	/* k is dummy in slave, ignored */
		1469	/* monitor knows all the ids */
		1470	buffer_put_string(&m, peer_confirm_hash, peer_confirm_hash_len);
		1471	mm_request_send(pmonitor->m_recvfd,
		1472	MONITOR_REQ_JPAKE_CHECK_CONFIRM, &m);
		1473
		1474	debug3("%s: waiting for MONITOR_ANS_JPAKE_CHECK_CONFIRM", __func__);
		1475	mm_request_receive_expect(pmonitor->m_recvfd,
		1476	MONITOR_ANS_JPAKE_CHECK_CONFIRM, &m);
		1477
		1478	success = buffer_get_int(&m);
		1479	buffer_free(&m);
		1480
		1481	debug3("%s: success = %d", __func__, success);
		1482	return success;
		1483	}
		1484	#endif /* JPAKE */