From 3d6d09f2e90f4ad650ebda6520bf2da446f37f14 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sun, 30 Apr 2017 23:23:54 +0000 Subject: [PATCH] upstream commit remove SSHv1 support from packet and buffer APIs ok markus@ Upstream-ID: bfc290053d40b806ecac46317d300677d80e1dc9 --- bufbn.c | 42 +--------------- buffer.h | 6 +-- packet.c | 149 +------------------------------------------------------ packet.h | 5 +- 4 files changed, 4 insertions(+), 198 deletions(-) diff --git a/bufbn.c b/bufbn.c index 33ae7f73f..98f9466bc 100644 --- a/bufbn.c +++ b/bufbn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bufbn.c,v 1.12 2014/04/30 05:29:56 djm Exp $ */ +/* $OpenBSD: bufbn.c,v 1.13 2017/04/30 23:23:54 djm Exp $ */ /* * Copyright (c) 2012 Damien Miller @@ -28,46 +28,6 @@ #include "log.h" #include "ssherr.h" -#ifdef WITH_SSH1 -int -buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value) -{ - int ret; - - if ((ret = sshbuf_put_bignum1(buffer, value)) != 0) { - error("%s: %s", __func__, ssh_err(ret)); - return -1; - } - return 0; -} - -void -buffer_put_bignum(Buffer *buffer, const BIGNUM *value) -{ - if (buffer_put_bignum_ret(buffer, value) == -1) - fatal("%s: buffer error", __func__); -} - -int -buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value) -{ - int ret; - - if ((ret = sshbuf_get_bignum1(buffer, value)) != 0) { - error("%s: %s", __func__, ssh_err(ret)); - return -1; - } - return 0; -} - -void -buffer_get_bignum(Buffer *buffer, BIGNUM *value) -{ - if (buffer_get_bignum_ret(buffer, value) == -1) - fatal("%s: buffer error", __func__); -} -#endif /* WITH_SSH1 */ - int buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value) { diff --git a/buffer.h b/buffer.h index df1aebc02..56174394c 100644 --- a/buffer.h +++ b/buffer.h @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.h,v 1.25 2014/04/30 05:29:56 djm Exp $ */ +/* $OpenBSD: buffer.h,v 1.26 2017/04/30 23:23:54 djm Exp $ */ /* * Copyright (c) 2012 Damien Miller @@ -49,9 +49,7 @@ int buffer_consume_end_ret(Buffer *, u_int); #include #include -void buffer_put_bignum(Buffer *, const BIGNUM *); void buffer_put_bignum2(Buffer *, const BIGNUM *); -void buffer_get_bignum(Buffer *, BIGNUM *); void buffer_get_bignum2(Buffer *, BIGNUM *); void buffer_put_bignum2_from_string(Buffer *, const u_char *, u_int); @@ -75,8 +73,6 @@ void buffer_put_cstring(Buffer *, const char *); #define buffer_skip_string(b) (void)buffer_get_string_ptr(b, NULL); -int buffer_put_bignum_ret(Buffer *, const BIGNUM *); -int buffer_get_bignum_ret(Buffer *, BIGNUM *); int buffer_put_bignum2_ret(Buffer *, const BIGNUM *); int buffer_get_bignum2_ret(Buffer *, BIGNUM *); int buffer_get_short_ret(u_short *, Buffer *); diff --git a/packet.c b/packet.c index 31499c827..6cec93372 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.249 2017/04/30 23:13:25 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.250 2017/04/30 23:23:54 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1397,153 +1397,6 @@ ssh_packet_read_expect(struct ssh *ssh, u_int expected_type) return 0; } -/* Checks if a full packet is available in the data received so far via - * packet_process_incoming. If so, reads the packet; otherwise returns - * SSH_MSG_NONE. This does not wait for data from the connection. - * - * SSH_MSG_DISCONNECT is handled specially here. Also, - * SSH_MSG_IGNORE messages are skipped by this function and are never returned - * to higher levels. - */ - -int -ssh_packet_read_poll1(struct ssh *ssh, u_char *typep) -{ - struct session_state *state = ssh->state; - u_int len, padded_len; - const char *emsg; - const u_char *cp; - u_char *p; - u_int checksum, stored_checksum; - int r; - - *typep = SSH_MSG_NONE; - - /* Check if input size is less than minimum packet size. */ - if (sshbuf_len(state->input) < 4 + 8) - return 0; - /* Get length of incoming packet. */ - len = PEEK_U32(sshbuf_ptr(state->input)); - if (len < 1 + 2 + 2 || len > 256 * 1024) { - if ((r = sshpkt_disconnect(ssh, "Bad packet length %u", - len)) != 0) - return r; - return SSH_ERR_CONN_CORRUPT; - } - padded_len = (len + 8) & ~7; - - /* Check if the packet has been entirely received. */ - if (sshbuf_len(state->input) < 4 + padded_len) - return 0; - - /* The entire packet is in buffer. */ - - /* Consume packet length. */ - if ((r = sshbuf_consume(state->input, 4)) != 0) - goto out; - - /* - * Cryptographic attack detector for ssh - * (C)1998 CORE-SDI, Buenos Aires Argentina - * Ariel Futoransky(futo@core-sdi.com) - */ - if (!cipher_ctx_is_plaintext(state->receive_context)) { - emsg = NULL; - switch (detect_attack(&state->deattack, - sshbuf_ptr(state->input), padded_len)) { - case DEATTACK_OK: - break; - case DEATTACK_DETECTED: - emsg = "crc32 compensation attack detected"; - break; - case DEATTACK_DOS_DETECTED: - emsg = "deattack denial of service detected"; - break; - default: - emsg = "deattack error"; - break; - } - if (emsg != NULL) { - error("%s", emsg); - if ((r = sshpkt_disconnect(ssh, "%s", emsg)) != 0 || - (r = ssh_packet_write_wait(ssh)) != 0) - return r; - return SSH_ERR_CONN_CORRUPT; - } - } - - /* Decrypt data to incoming_packet. */ - sshbuf_reset(state->incoming_packet); - if ((r = sshbuf_reserve(state->incoming_packet, padded_len, &p)) != 0) - goto out; - if ((r = cipher_crypt(state->receive_context, 0, p, - sshbuf_ptr(state->input), padded_len, 0, 0)) != 0) - goto out; - - if ((r = sshbuf_consume(state->input, padded_len)) != 0) - goto out; - -#ifdef PACKET_DEBUG - fprintf(stderr, "read_poll plain: "); - sshbuf_dump(state->incoming_packet, stderr); -#endif - - /* Compute packet checksum. */ - checksum = ssh_crc32(sshbuf_ptr(state->incoming_packet), - sshbuf_len(state->incoming_packet) - 4); - - /* Skip padding. */ - if ((r = sshbuf_consume(state->incoming_packet, 8 - len % 8)) != 0) - goto out; - - /* Test check bytes. */ - if (len != sshbuf_len(state->incoming_packet)) { - error("%s: len %d != sshbuf_len %zd", __func__, - len, sshbuf_len(state->incoming_packet)); - if ((r = sshpkt_disconnect(ssh, "invalid packet length")) != 0 || - (r = ssh_packet_write_wait(ssh)) != 0) - return r; - return SSH_ERR_CONN_CORRUPT; - } - - cp = sshbuf_ptr(state->incoming_packet) + len - 4; - stored_checksum = PEEK_U32(cp); - if (checksum != stored_checksum) { - error("Corrupted check bytes on input"); - if ((r = sshpkt_disconnect(ssh, "connection corrupted")) != 0 || - (r = ssh_packet_write_wait(ssh)) != 0) - return r; - return SSH_ERR_CONN_CORRUPT; - } - if ((r = sshbuf_consume_end(state->incoming_packet, 4)) < 0) - goto out; - - if (state->packet_compression) { - sshbuf_reset(state->compression_buffer); - if ((r = uncompress_buffer(ssh, state->incoming_packet, - state->compression_buffer)) != 0) - goto out; - sshbuf_reset(state->incoming_packet); - if ((r = sshbuf_putb(state->incoming_packet, - state->compression_buffer)) != 0) - goto out; - } - state->p_read.packets++; - state->p_read.bytes += padded_len + 4; - if ((r = sshbuf_get_u8(state->incoming_packet, typep)) != 0) - goto out; - if (*typep < SSH_MSG_MIN || *typep > SSH_MSG_MAX) { - error("Invalid ssh1 packet type: %d", *typep); - if ((r = sshpkt_disconnect(ssh, "invalid packet type")) != 0 || - (r = ssh_packet_write_wait(ssh)) != 0) - return r; - return SSH_ERR_PROTOCOL_ERROR; - } - r = 0; - out: - return r; -} - static int ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) { diff --git a/packet.h b/packet.h index a1a1990b0..b169f4ea1 100644 --- a/packet.h +++ b/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.77 2017/04/30 23:13:25 djm Exp $ */ +/* $OpenBSD: packet.h,v 1.78 2017/04/30 23:23:54 djm Exp $ */ /* * Author: Tatu Ylonen @@ -118,7 +118,6 @@ int ssh_packet_send2(struct ssh *); int ssh_packet_read(struct ssh *); int ssh_packet_read_expect(struct ssh *, u_int type); int ssh_packet_read_poll(struct ssh *); -int ssh_packet_read_poll1(struct ssh *, u_char *); int ssh_packet_read_poll2(struct ssh *, u_char *, u_int32_t *seqnr_p); int ssh_packet_process_incoming(struct ssh *, const char *buf, u_int len); int ssh_packet_read_seqnr(struct ssh *, u_char *, u_int32_t *seqnr_p); @@ -181,7 +180,6 @@ int sshpkt_put_string(struct ssh *ssh, const void *v, size_t len); int sshpkt_put_cstring(struct ssh *ssh, const void *v); int sshpkt_put_stringb(struct ssh *ssh, const struct sshbuf *v); int sshpkt_put_ec(struct ssh *ssh, const EC_POINT *v, const EC_GROUP *g); -int sshpkt_put_bignum1(struct ssh *ssh, const BIGNUM *v); int sshpkt_put_bignum2(struct ssh *ssh, const BIGNUM *v); int sshpkt_get(struct ssh *ssh, void *valp, size_t len); @@ -192,7 +190,6 @@ int sshpkt_get_string(struct ssh *ssh, u_char **valp, size_t *lenp); int sshpkt_get_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp); int sshpkt_get_cstring(struct ssh *ssh, char **valp, size_t *lenp); int sshpkt_get_ec(struct ssh *ssh, EC_POINT *v, const EC_GROUP *g); -int sshpkt_get_bignum1(struct ssh *ssh, BIGNUM *v); int sshpkt_get_bignum2(struct ssh *ssh, BIGNUM *v); int sshpkt_get_end(struct ssh *ssh); const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);