search for: arc4random_buf

Displaying 18 results from an estimated 18 matches for "arc4random_buf".

2015 Sep 12
6
[Bug 2465] New: openssh portable does not check if arc4random_buf is declared in the system headers?
https://bugzilla.mindrot.org/show_bug.cgi?id=2465 Bug ID: 2465 Summary: openssh portable does not check if arc4random_buf is declared in the system headers? Product: Portable OpenSSH Version: 7.1p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: Build system Assignee: un...
2019 Mar 16
0
[ANNOUNCE] libXdmcp 1.1.3
libXdmcp is the X Display Manager Control Protocol library, used by both X servers and display managers to handle both ends of the XDMCP connection. This release provides a fix for CVE-2017-2625 for platforms which don't have arc4random_buf() in their default libraries but do have getentropy(), such as Linux platforms with a kernel version of 3.17 or newer and a glibc version of 2.25 or newer. (libXdmcp 1.1.2 already ensured that arc4random_buf() is used on platforms that have it to provide sufficient entropy in XDMCP key generation...
2019 Jul 14
0
[ANNOUNCE] libICE 1.0.10
libICE provides the API for the Inter-Client Exchange protocol. This release provides a fix for CVE-2017-2626 for platforms which don't have arc4random_buf() in their default libraries but do have getentropy(), such as Linux platforms with a kernel version of 3.17 or newer and a glibc version of 2.25 or newer. (libICE 1.0.9 already ensured that arc4random_buf() is used on platforms that have it to provide sufficient entropy in ICE key generation, bu...
2011 Feb 04
0
OpenSSH security advisory: legacy certificate signing in 5.6/5.7
...====== RCS file: /cvs/src/usr.bin/ssh/key.c,v retrieving revision 1.95 diff -u -r1.95 key.c --- key.c 10 Nov 2010 01:33:07 -0000 1.95 +++ key.c 3 Feb 2011 06:52:33 -0000 @@ -1823,8 +1823,8 @@ buffer_put_cstring(&k->cert->certblob, key_ssh_name(k)); /* -v01 certs put nonce first */ + arc4random_buf(&nonce, sizeof(nonce)); if (!key_cert_is_legacy(k)) { - arc4random_buf(&nonce, sizeof(nonce)); buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); }
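Review bot: the comment `/* -v01 certs put nonce first */` now sits directly above the unconditional `arc4random_buf(&nonce, sizeof(nonce));` call instead of above the `if (!key_cert_is_legacy(k))` branch it describes. Move the comment onto the branch and add a one-line comment at the call stating that the nonce is filled for both certificate formats, so that a later cleanup does not fold the call back into the branch and leave `nonce` unfilled on the legacy path again.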
2014 Jul 12
1
openssh portable and libressl portable cause recursion between arc4random and RAND_bytes
Hi, Yesterday I tried to replace the system openssl in a gentoo system with libressl. With openssh an interesting issue popped up: * RAND_bytes in libressl calls arc4random * arc4random is a compat function both in openssh and libressl * arc4random from openssh uses RAND_bytes So what's happening is a recursion. arc4random wants to use RAND_bytes and RAND_bytes wants to use arc4random. The
2018 Nov 19
2
[PATCH] openssl-compat: Test for OpenSSL_add_all_algorithms before using.
OpenSSL 1.1.0 has deprecated this function. --- configure.ac | 1 + openbsd-compat/openssl-compat.c | 2 ++ openbsd-compat/openssl-compat.h | 4 ++++ 3 files changed, 7 insertions(+) diff --git a/configure.ac b/configure.ac index 3f7fe2cd..db2aade8 100644 --- a/configure.ac +++ b/configure.ac @@ -2710,6 +2710,7 @@ if test "x$openssl" = "xyes" ; then ])
2017 Mar 02
1
[ANNOUNCE] xorg-server 1.19.2
...y Chris Wilson (3):       xfree86: Take the input lock for xf86RecolorCursor       xfree86: Take input lock for xf86TransparentCursor       xfree86: Take input_lock() for xf86ScreenCheckHWCursor Matthieu Herrb (4):       Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES CVE-2017-2624       Use arc4random_buf(3) if available to generate cookies.       auth: remove AuthToIDFunc and associated functions. Not used anymore.       Brown bag commit to fix 957e8d (arc4random_buf() support) Michel Dänzer (3):       prime: Sync shared pixmap from root window instead of screen pixmap       present: Allow flippin...
2011 Apr 07
6
new option ssh-add -v to verify if key is loaded into the agent
Dear openssh developers In a shell script I need to verify if a key belonging to a given public key file is already loaded into the agent. To achieve this, I added a new option -v to ssh-add which does this verification. The patch is based on openssh v5.8p1. The regression test agent.sh was extended to test this new feature. Is there any chance for inclusion of the attached patch? Cheers Konrad --
2015 Mar 03
2
configure and have crypt or DES_crypt
Hello, With current portable master source tree HAVE_CRYPT and HAVE_DES_CRYPT are not defined. It seems to me this is a regression introduced with implementation of configure options --with-openssl. Impacted code is in xcrypt.c: ... # if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) # include <openssl/des.h> # define crypt DES_crypt # endif ...
2013 Mar 13
2
Time zone for chrooted internal-sftp?
Hi, A question regarding chroot, internal-sftp, and time zones: Is it possible to get the time stamps presented by the chrooted internal-sftp to always be aligned with the system global time zone setting? What is the reason this is not done by default, that is, couldn't the chrooted internal-sftp inherit the time zone information from the SSH daemon? /John -- John Olsson Ericsson AB
2013 Nov 01
1
[PATCH] curve25519-sha256@libssh.org key exchange proposal
...... > +void > +kexc25519_client(Kex *kex) > +{ > ... > + /* generate private key */ > + for (i = 0; i < sizeof(client_key); i++) { > + if (i % 4 == 0) > + rnd = arc4random(); > + client_key[i] = rnd; > + rnd >>= 8; > + } > > easier to use arc4random_buf() here. If we use the -donna implementation > then we need to do the > > client_key[0] &= 248; > client_key[31] &= 127; > client_key[31] |= 64; > > ourselves. It might be better to have put a kex_c25519_genkey() in > kexc25519.c that does it all and use it in both...
2023 Oct 31
1
9.3p1 Daemon Rejects Client Connections on armv7l-dey-linux-gnueabihf w/ GCC 10/11/12
...ences were checking: if ${CC} supports compile flag -fzero-call-used-regs=all if ${CC} supports compile flag -ftrivial-auto-var-init=zero for sys/sysctl.h for library containing login for closefrom for close_range for library containing dlopen for arc4random for arc4random_buf for arc4random_uniform if libc defines sys_errlist if libc defines sys_nerr for library containing res_query for library containing dn_expand if res_query will link for _getshort for _getlong While most of these configuration differences seem trivial and innocuous, t...
2018 Feb 28
0
[ANNOUNCE] xserver 1.20 RC1
...ng: re-set the crtc's mode when link-status goes BAD Martin Wilck (1): xfree86: add default modes for 16:9 and 16:10 Matt Turner (1): xkb: Correct type of XkbDfltAccessXOptions. Matthieu Herrb (4): Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES CVE-2017-2624 Use arc4random_buf(3) if available to generate cookies. auth: remove AuthToIDFunc and associated functions. Not used anymore. Brown bag commit to fix 957e8d (arc4random_buf() support) Michael Thayer (3): xfree86: Immediately handle failure to set HW cursor, v5 modesetting: Immediately handle...
2017 Sep 21
19
Call for testing: OpenSSH 7.6
Hi, OpenSSH 7.6p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at
2013 Sep 24
9
[PATCH] curve25519-sha256@libssh.org key exchange proposal
Dear OpenSSH developers, I've worked this week on an alternative key exchange mechanism, in reaction to the whole NSA leaks and claims over cryptographic backdoors and/or cracking advances. The key exchange is in my opinion the most critical defense against passive eavesdropping attacks. I believe Curve25519 from DJB can give users a secure alternative to classical Diffie-Hellman (with fixed
2011 Sep 02
1
problems building openssh-5.8p1 on qnx
...T extensions for glob... no checking whether GLOB_NOMATCH is declared... yes checking whether struct dirent allocates space for d_name... configure: WARNING: cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME checking for /proc/pid/fd directory... yes checking for arc4random... no checking for arc4random_buf... no checking for arc4random_uniform... no checking for asprintf... no checking for b64_ntop... no checking for __b64_ntop... yes checking for b64_pton... no checking for __b64_pton... yes checking for bcopy... yes checking for bindresvport_sa... yes checking for clock... yes checking for closefro...
2020 Jul 21
11
[RFC PATCH 0/4] PAM module for ssh-agent user authentication
Hi, The main (and probably the only) use case of this PAM module is to let sudo authenticate users via their ssh-agent, therefore without having to type any password and without being tempted to use the NOPASSWD sudo option for such convenience. The principle is originally implemented by an existing module [0][1] and many pages that explain how to use it for such purpose can be found online.