Vendor import of OpenSSH 7.1p2.

README

@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-7.1 for the release notes.
+See http://www.openssh.com/txt/release-7.1p2 for the release notes.
 
 Please read http://www.openssh.com/report.html for bug reporting
 instructions and note that we do not use Github for bug reporting or

bitmap.c

@@ -53,7 +53,7 @@ void
 bitmap_free(struct bitmap *b)
 {
 	if (b != NULL && b->d != NULL) {
-		memset(b->d, 0, b->len);
+		explicit_bzero(b->d, b->len);
 		free(b->d);
 	}
 	free(b);

contrib/redhat/openssh.spec

@@ -1,4 +1,4 @@
-%define ver 7.1p1
+%define ver 7.1p2
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID

contrib/suse/openssh.spec

@@ -13,7 +13,7 @@
 
 Summary:	OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:		openssh
-Version:	7.1p1
+Version:	7.1p2
 URL:		http://www.openssh.com/
 Release:	1
 Source0:	openssh-%{version}.tar.gz

kex.c

@@ -270,13 +270,13 @@ kex_buf2prop(struct sshbuf *raw, int *first_kex_follows, char ***propp)
 		debug2("kex_parse_kexinit: %s", proposal[i]);
 	}
 	/* first kex follows / reserved */
-	if ((r = sshbuf_get_u8(b, &v)) != 0 ||
+	if ((r = sshbuf_get_u8(b, &v)) != 0 ||	/* first_kex_follows */
-	    (r = sshbuf_get_u32(b, &i)) != 0)
+	    (r = sshbuf_get_u32(b, &i)) != 0)	/* reserved */
 		goto out;
 	if (first_kex_follows != NULL)
-		*first_kex_follows = i;
+		*first_kex_follows = v;
-	debug2("kex_parse_kexinit: first_kex_follows %d ", v);
+	debug2("first_kex_follows %d ", v);
-	debug2("kex_parse_kexinit: reserved %u ", i);
+	debug2("reserved %u ", i);
 	r = 0;
 	*propp = proposal;
  out:

packet.c

@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 			logit("Bad packet length %u.", state->packlen);
 			if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
 				return r;
+			return SSH_ERR_CONN_CORRUPT;
 		}
 		sshbuf_reset(state->incoming_packet);
 	} else if (state->packlen == 0) {

readconf.c

@@ -1660,7 +1660,7 @@ initialize_options(Options * options)
 	options->tun_remote = -1;
 	options->local_command = NULL;
 	options->permit_local_command = -1;
-	options->use_roaming = -1;
+	options->use_roaming = 0;
 	options->visual_host_key = -1;
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
@@ -1833,8 +1833,7 @@ fill_default_options(Options * options)
 		options->tun_remote = SSH_TUNID_ANY;
 	if (options->permit_local_command == -1)
 		options->permit_local_command = 0;
-	if (options->use_roaming == -1)
+	options->use_roaming = 0;
-		options->use_roaming = 1;
 	if (options->visual_host_key == -1)
 		options->visual_host_key = 0;
 	if (options->ip_qos_interactive == -1)

ssh.c

@@ -1932,9 +1932,6 @@ ssh_session2(void)
 			fork_postauth();
 	}
 
-	if (options.use_roaming)
-		request_roaming();
-
 	return client_loop(tty_flag, tty_flag ?
 	    options.escape_char : SSH_ESCAPECHAR_NONE, id);
 }

sshbuf-getput-crypto.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: sshbuf-getput-crypto.c,v 1.4 2015/01/14 15:02:39 djm Exp $	*/
+/*	$OpenBSD: sshbuf-getput-crypto.c,v 1.5 2016/01/12 23:42:54 djm Exp $	*/
 /*
  * Copyright (c) 2011 Damien Miller
  *
@@ -158,10 +158,10 @@ sshbuf_put_bignum2(struct sshbuf *buf, const BIGNUM *v)
 	if (len > 0 && (d[1] & 0x80) != 0)
 		prepend = 1;
 	if ((r = sshbuf_put_string(buf, d + 1 - prepend, len + prepend)) < 0) {
-		bzero(d, sizeof(d));
+		explicit_bzero(d, sizeof(d));
 		return r;
 	}
-	bzero(d, sizeof(d));
+	explicit_bzero(d, sizeof(d));
 	return 0;
 }
 
@@ -177,13 +177,13 @@ sshbuf_put_bignum1(struct sshbuf *buf, const BIGNUM *v)
 	if (BN_bn2bin(v, d) != (int)len_bytes)
 		return SSH_ERR_INTERNAL_ERROR; /* Shouldn't happen */
 	if ((r = sshbuf_reserve(buf, len_bytes + 2, &dp)) < 0) {
-		bzero(d, sizeof(d));
+		explicit_bzero(d, sizeof(d));
 		return r;
 	}
 	POKE_U16(dp, len_bits);
 	if (len_bytes != 0)
 		memcpy(dp + 2, d, len_bytes);
-	bzero(d, sizeof(d));
+	explicit_bzero(d, sizeof(d));
 	return 0;
 }
 
@@ -210,7 +210,7 @@ sshbuf_put_ec(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g)
 	}
 	BN_CTX_free(bn_ctx);
 	ret = sshbuf_put_string(buf, d, len);
-	bzero(d, len);
+	explicit_bzero(d, len);
 	return ret;
 }
 

sshbuf-misc.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: sshbuf-misc.c,v 1.4 2015/03/24 20:03:44 markus Exp $	*/
+/*	$OpenBSD: sshbuf-misc.c,v 1.5 2015/10/05 17:11:21 djm Exp $	*/
 /*
  * Copyright (c) 2011 Damien Miller
  *
@@ -103,7 +103,7 @@ sshbuf_dtob64(struct sshbuf *buf)
 	if (SIZE_MAX / 2 <= len || (ret = malloc(plen)) == NULL)
 		return NULL;
 	if ((r = b64_ntop(p, len, ret, plen)) == -1) {
-		bzero(ret, plen);
+		explicit_bzero(ret, plen);
 		free(ret);
 		return NULL;
 	}
@@ -122,16 +122,16 @@ sshbuf_b64tod(struct sshbuf *buf, const char *b64)
 	if ((p = malloc(plen)) == NULL)
 		return SSH_ERR_ALLOC_FAIL;
 	if ((nlen = b64_pton(b64, p, plen)) < 0) {
-		bzero(p, plen);
+		explicit_bzero(p, plen);
 		free(p);
 		return SSH_ERR_INVALID_FORMAT;
 	}
 	if ((r = sshbuf_put(buf, p, nlen)) < 0) {
-		bzero(p, plen);
+		explicit_bzero(p, plen);
 		free(p);
 		return r;
 	}
-	bzero(p, plen);
+	explicit_bzero(p, plen);
 	free(p);
 	return 0;
 }

sshbuf.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: sshbuf.c,v 1.3 2015/01/20 23:14:00 deraadt Exp $	*/
+/*	$OpenBSD: sshbuf.c,v 1.4 2015/10/05 17:11:21 djm Exp $	*/
 /*
  * Copyright (c) 2011 Damien Miller
  *
@@ -134,7 +134,7 @@ sshbuf_fromb(struct sshbuf *buf)
 void
 sshbuf_init(struct sshbuf *ret)
 {
-	bzero(ret, sizeof(*ret));
+	explicit_bzero(ret, sizeof(*ret));
 	ret->alloc = SSHBUF_SIZE_INIT;
 	ret->max_size = SSHBUF_SIZE_MAX;
 	ret->readonly = 0;
@@ -177,10 +177,10 @@ sshbuf_free(struct sshbuf *buf)
 		return;
 	dont_free = buf->dont_free;
 	if (!buf->readonly) {
-		bzero(buf->d, buf->alloc);
+		explicit_bzero(buf->d, buf->alloc);
 		free(buf->d);
 	}
-	bzero(buf, sizeof(*buf));
+	explicit_bzero(buf, sizeof(*buf));
 	if (!dont_free)
 		free(buf);
 }
@@ -196,7 +196,7 @@ sshbuf_reset(struct sshbuf *buf)
 		return;
 	}
 	if (sshbuf_check_sanity(buf) == 0)
-		bzero(buf->d, buf->alloc);
+		explicit_bzero(buf->d, buf->alloc);
 	buf->off = buf->size = 0;
 	if (buf->alloc != SSHBUF_SIZE_INIT) {
 		if ((d = realloc(buf->d, SSHBUF_SIZE_INIT)) != NULL) {
@@ -255,7 +255,7 @@ sshbuf_set_max_size(struct sshbuf *buf, size_t max_size)
 			rlen = roundup(buf->size, SSHBUF_SIZE_INC);
 		if (rlen > max_size)
 			rlen = max_size;
-		bzero(buf->d + buf->size, buf->alloc - buf->size);
+		explicit_bzero(buf->d + buf->size, buf->alloc - buf->size);
 		SSHBUF_DBG(("new alloc = %zu", rlen));
 		if ((dp = realloc(buf->d, rlen)) == NULL)
 			return SSH_ERR_ALLOC_FAIL;

sshd.c

@@ -624,6 +624,8 @@ privsep_preauth_child(void)
 	arc4random_buf(rnd, sizeof(rnd));
 #ifdef WITH_OPENSSL
 	RAND_seed(rnd, sizeof(rnd));
+	if ((RAND_bytes((u_char *)rnd, 1)) != 1)
+		fatal("%s: RAND_bytes failed", __func__);
 #endif
 	explicit_bzero(rnd, sizeof(rnd));
 
@@ -767,6 +769,8 @@ privsep_postauth(Authctxt *authctxt)
 	arc4random_buf(rnd, sizeof(rnd));
 #ifdef WITH_OPENSSL
 	RAND_seed(rnd, sizeof(rnd));
+	if ((RAND_bytes((u_char *)rnd, 1)) != 1)
+		fatal("%s: RAND_bytes failed", __func__);
 #endif
 	explicit_bzero(rnd, sizeof(rnd));
 
@@ -1436,6 +1440,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 			arc4random_buf(rnd, sizeof(rnd));
 #ifdef WITH_OPENSSL
 			RAND_seed(rnd, sizeof(rnd));
+			if ((RAND_bytes((u_char *)rnd, 1)) != 1)
+				fatal("%s: RAND_bytes failed", __func__);
 #endif
 			explicit_bzero(rnd, sizeof(rnd));
 		}

version.h

@@ -2,5 +2,5 @@
 
 #define SSH_VERSION	"OpenSSH_7.1"
 
-#define SSH_PORTABLE	"p1"
+#define SSH_PORTABLE	"p2"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE