(cherry picked from commit 16c46ecdaf71e4c9dddcd933778f02d78425f6a5)
Conflicts:
sshsh512.c
Cherry-picker's notes: the conflict was because the original commit
also added smemclrs to SHA384_Simple and the ssh_hash structures for
SHA-384 and SHA-512, none of which exists on this branch so those
changes are irrelevant.
Now that we have modes in which the MAC verification happens before
any other crypto operation and hence will be the only thing seen by an
attacker, it seems like about time we got round to doing it in a
cautious way that tries to prevent the attacker from using our memcmp
as a timing oracle.
So, here's an smemeq() function which has the semantics of !memcmp but
attempts to run in time dependent only on the length parameter. All
the MAC implementations now use this in place of !memcmp to verify the
MAC on input data.
(cherry picked from commit 9d5a16402168f82ba1bd695c3e95bb4812ccd0a9)
Cherry-picker's notes: the above commit comment isn't really true on
this branch, since the ETM packet protocol changes haven't been
cherry-picked. But it seemed silly to deliberately leave out even a
small safety measure.
as specified in RFC 6668. This is not so much because I think it's
necessary, but because scrypt uses HMAC-SHA-256 and once we've got it we
may as well use it.
Code very closely derived from the HMAC-SHA-1 code.
Tested against OpenSSH 5.9p1 Debian-5ubuntu1.
[originally from svn r9759]
diffie-hellman-group-exchange-sha256, which the last DHGEX draft defined.
Code lifted from Simon's "crypto" directory, with changes to make it look
more like sshsh512.c.
[originally from svn r6252]
