tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/openssh/openssh-portable into latestw

This commit is contained in:
Manoj Ampalam 2017-04-10 15:11:19 -07:00
parent 3965d200c7 d9048861be
commit e91d1f7ef1
8 changed files with 31 additions and 128 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile.in
View File

@ -80,7 +80,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \ canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o crc32.o deattack.o fatal.o hostfile.o \ compat.o crc32.o deattack.o fatal.o hostfile.o \
log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \ log.o match.o moduli.o nchan.o packet.o opacket.o \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \ atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \

21
auth-pam.c
View File

@ -106,7 +106,6 @@ extern char *__progname;
extern ServerOptions options; extern ServerOptions options;
extern Buffer loginmsg; extern Buffer loginmsg;
extern int compat20;
extern u_int utmp_len; extern u_int utmp_len;
/* so we don't silently change behaviour */ /* so we don't silently change behaviour */
@ -468,18 +467,16 @@ sshpam_thread(void *ctxtp)
if (sshpam_err != PAM_SUCCESS) if (sshpam_err != PAM_SUCCESS)
goto auth_fail; goto auth_fail;
if (compat20) { if (!do_pam_account()) {
if (!do_pam_account()) { sshpam_err = PAM_ACCT_EXPIRED;
sshpam_err = PAM_ACCT_EXPIRED; goto auth_fail;
}
if (sshpam_authctxt->force_pwchange) {
sshpam_err = pam_chauthtok(sshpam_handle,
PAM_CHANGE_EXPIRED_AUTHTOK);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail; goto auth_fail;
} sshpam_password_change_required(0);
if (sshpam_authctxt->force_pwchange) {
sshpam_err = pam_chauthtok(sshpam_handle,
PAM_CHANGE_EXPIRED_AUTHTOK);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
sshpam_password_change_required(0);
}
} }
buffer_put_cstring(&buffer, "OK"); buffer_put_cstring(&buffer, "OK");

10
configure.ac
View File

@ -179,6 +179,7 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
CFLAGS="$saved_CFLAGS" CFLAGS="$saved_CFLAGS"
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
OSSH_CHECK_CFLAG_COMPILE([-pipe])
OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments]) OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option]) OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
OSSH_CHECK_CFLAG_COMPILE([-Wall]) OSSH_CHECK_CFLAG_COMPILE([-Wall])
@ -2769,9 +2770,6 @@ if test "x$openssl" = "xyes" ; then
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/objects.h> #include <openssl/objects.h>
#include <openssl/opensslv.h> #include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
# error "OpenSSL < 0.9.8g has unreliable ECC code"
#endif
]], [[ ]], [[
EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
const EVP_MD *m = EVP_sha256(); /* We need this too */ const EVP_MD *m = EVP_sha256(); /* We need this too */
@ -2790,9 +2788,6 @@ if test "x$openssl" = "xyes" ; then
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/objects.h> #include <openssl/objects.h>
#include <openssl/opensslv.h> #include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
# error "OpenSSL < 0.9.8g has unreliable ECC code"
#endif
]], [[ ]], [[
EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
const EVP_MD *m = EVP_sha384(); /* We need this too */ const EVP_MD *m = EVP_sha384(); /* We need this too */
@ -2811,9 +2806,6 @@ if test "x$openssl" = "xyes" ; then
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/objects.h> #include <openssl/objects.h>
#include <openssl/opensslv.h> #include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
# error "OpenSSL < 0.9.8g has unreliable ECC code"
#endif
]], [[ ]], [[
EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
const EVP_MD *m = EVP_sha512(); /* We need this too */ const EVP_MD *m = EVP_sha512(); /* We need this too */

8
kex.c
View File

@ -54,14 +54,6 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "digest.h" #include "digest.h"
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256
# else
extern const EVP_MD *evp_ssh_sha256(void);
# endif
#endif
/* prototype */ /* prototype */
static int kex_choose_conf(struct ssh *); static int kex_choose_conf(struct ssh *);
static int kex_input_newkeys(int, u_int32_t, void *); static int kex_input_newkeys(int, u_int32_t, void *);

86
md-sha256.c
View File

@ -1,86 +0,0 @@
/* $OpenBSD: md-sha256.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */
/*
* Copyright (c) 2005 Damien Miller <djm@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* EVP wrapper for SHA256 */
#include "includes.h"
#include <sys/types.h>
#include <openssl/opensslv.h>
#if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
#include <string.h>
#include <openssl/evp.h>
#ifdef HAVE_SHA256_UPDATE
# ifdef HAVE_SHA2_H
# include <sha2.h>
# elif defined(HAVE_CRYPTO_SHA2_H)
# include <crypto/sha2.h>
# endif
#endif
const EVP_MD *evp_ssh_sha256(void);
static int
ssh_sha256_init(EVP_MD_CTX *ctxt)
{
SHA256_Init(ctxt->md_data);
return (1);
}
static int
ssh_sha256_update(EVP_MD_CTX *ctxt, const void *data, unsigned long len)
{
SHA256_Update(ctxt->md_data, data, len);
return (1);
}
static int
ssh_sha256_final(EVP_MD_CTX *ctxt, unsigned char *digest)
{
SHA256_Final(digest, ctxt->md_data);
return (1);
}
static int
ssh_sha256_cleanup(EVP_MD_CTX *ctxt)
{
memset(ctxt->md_data, 0, sizeof(SHA256_CTX));
return (1);
}
const EVP_MD *
evp_ssh_sha256(void)
{
static EVP_MD ssh_sha256;
memset(&ssh_sha256, 0, sizeof(ssh_sha256));
ssh_sha256.type = NID_undef;
ssh_sha256.md_size = SHA256_DIGEST_LENGTH;
ssh_sha256.init = ssh_sha256_init;
ssh_sha256.update = ssh_sha256_update;
ssh_sha256.final = ssh_sha256_final;
ssh_sha256.cleanup = ssh_sha256_cleanup;
ssh_sha256.block_size = SHA256_BLOCK_LENGTH;
ssh_sha256.ctx_size = sizeof(SHA256_CTX);
return (&ssh_sha256);
}
#endif /* !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) */

18
openbsd-compat/fmt_scaled.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: fmt_scaled.c,v 1.13 2017/03/11 23:37:23 djm Exp $ */ /* $OpenBSD: fmt_scaled.c,v 1.16 2017/03/16 02:40:46 dtucker Exp $ */
/* /*
* Copyright (c) 2001, 2002, 2003 Ian F. Darwin. All rights reserved. * Copyright (c) 2001, 2002, 2003 Ian F. Darwin. All rights reserved.
@ -125,22 +125,30 @@ scan_scaled(char *scaled, long long *result)
/* ignore extra fractional digits */ /* ignore extra fractional digits */
continue; continue;
fract_digits++; /* for later scaling */ fract_digits++; /* for later scaling */
if (fpart >= LLONG_MAX / 10) { if (fpart > LLONG_MAX / 10) {
errno = ERANGE; errno = ERANGE;
return -1; return -1;
} }
fpart *= 10; fpart *= 10;
if (i > LLONG_MAX - fpart) {
errno = ERANGE;
return -1;
}
fpart += i; fpart += i;
} else { /* normal digit */ } else { /* normal digit */
if (++ndigits >= MAX_DIGITS) { if (++ndigits >= MAX_DIGITS) {
errno = ERANGE; errno = ERANGE;
return -1; return -1;
} }
if (whole >= LLONG_MAX / 10) { if (whole > LLONG_MAX / 10) {
errno = ERANGE; errno = ERANGE;
return -1; return -1;
} }
whole *= 10; whole *= 10;
if (i > LLONG_MAX - whole) {
errno = ERANGE;
return -1;
}
whole += i; whole += i;
} }
} }
@ -170,7 +178,9 @@ scan_scaled(char *scaled, long long *result)
} }
scale_fact = scale_factors[i]; scale_fact = scale_factors[i];
if (whole >= LLONG_MAX / scale_fact) { /* check for overflow and underflow after scaling */
if (whole > LLONG_MAX / scale_fact ||
whole < LLONG_MIN / scale_fact) {
errno = ERANGE; errno = ERANGE;
return -1; return -1;
} }

8
sshd.c
View File

@ -233,6 +233,7 @@ int use_privsep = -1;
#endif #endif
struct monitor *pmonitor = NULL; struct monitor *pmonitor = NULL;
int privsep_is_preauth = 1; int privsep_is_preauth = 1;
static int privsep_chroot = 1;
/* global authentication context */ /* global authentication context */
Authctxt *the_authctxt = NULL; Authctxt *the_authctxt = NULL;
@ -577,7 +578,7 @@ privsep_preauth_child(void)
demote_sensitive_data(); demote_sensitive_data();
/* Demote the child */ /* Demote the child */
if (getuid() == 0 || geteuid() == 0) { if (privsep_chroot) {
/* Change our root directory */ /* Change our root directory */
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
@ -1717,8 +1718,9 @@ main(int ac, char **av)
#ifndef WINDOWS /* not applicable in Windows */ #ifndef WINDOWS /* not applicable in Windows */
/* Store privilege separation user for later use if required. */ /* Store privilege separation user for later use if required. */
privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
if (use_privsep || options.kerberos_authentication) if (privsep_chroot || options.kerberos_authentication)
fatal("Privilege separation user %s does not exist", fatal("Privilege separation user %s does not exist",
SSH_PRIVSEP_USER); SSH_PRIVSEP_USER);
} else { } else {
@ -1847,7 +1849,7 @@ main(int ac, char **av)
key_type(key)); key_type(key));
} }
if (use_privsep) { if (privsep_chroot) {
struct stat st; struct stat st;
if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) || if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||

6
sshkey.c
View File

@ -3513,11 +3513,7 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
int success, r; int success, r;
int blen, len = strlen(_passphrase); int blen, len = strlen(_passphrase);
u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL;
#if (OPENSSL_VERSION_NUMBER < 0x00907000L) const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL;
#else
const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
#endif
const u_char *bptr; const u_char *bptr;
BIO *bio = NULL; BIO *bio = NULL;