Merge branch 'master' of https://github.com/openssh/openssh-portable into latestw
This commit is contained in:
Manoj Ampalam
commit
e91d1f7ef1
|
|
@ -80,7 +80,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
|||
canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
|
||||
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
||||
compat.o crc32.o deattack.o fatal.o hostfile.o \
|
||||
log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \
|
||||
log.o match.o moduli.o nchan.o packet.o opacket.o \
|
||||
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
|
||||
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
|
|
|
|||
|
|
@ -106,7 +106,6 @@ extern char *__progname;
|
|||
|
||||
extern ServerOptions options;
|
||||
extern Buffer loginmsg;
|
||||
extern int compat20;
|
||||
extern u_int utmp_len;
|
||||
|
||||
/* so we don't silently change behaviour */
|
||||
|
|
@ -468,7 +467,6 @@ sshpam_thread(void *ctxtp)
|
|||
if (sshpam_err != PAM_SUCCESS)
|
||||
goto auth_fail;
|
||||
|
||||
if (compat20) {
|
||||
if (!do_pam_account()) {
|
||||
sshpam_err = PAM_ACCT_EXPIRED;
|
||||
goto auth_fail;
|
||||
|
|
@ -480,7 +478,6 @@ sshpam_thread(void *ctxtp)
|
|||
goto auth_fail;
|
||||
sshpam_password_change_required(0);
|
||||
}
|
||||
}
|
||||
|
||||
buffer_put_cstring(&buffer, "OK");
|
||||
|
||||
|
|
|
|||
10
configure.ac
10
configure.ac
|
|
@ -179,6 +179,7 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
|
|||
CFLAGS="$saved_CFLAGS"
|
||||
|
||||
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
|
||||
OSSH_CHECK_CFLAG_COMPILE([-pipe])
|
||||
OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
|
||||
OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
|
||||
OSSH_CHECK_CFLAG_COMPILE([-Wall])
|
||||
|
|
@ -2769,9 +2770,6 @@ if test "x$openssl" = "xyes" ; then
|
|||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/opensslv.h>
|
||||
#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
|
||||
# error "OpenSSL < 0.9.8g has unreliable ECC code"
|
||||
#endif
|
||||
]], [[
|
||||
EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
||||
const EVP_MD *m = EVP_sha256(); /* We need this too */
|
||||
|
|
@ -2790,9 +2788,6 @@ if test "x$openssl" = "xyes" ; then
|
|||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/opensslv.h>
|
||||
#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
|
||||
# error "OpenSSL < 0.9.8g has unreliable ECC code"
|
||||
#endif
|
||||
]], [[
|
||||
EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
|
||||
const EVP_MD *m = EVP_sha384(); /* We need this too */
|
||||
|
|
@ -2811,9 +2806,6 @@ if test "x$openssl" = "xyes" ; then
|
|||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/opensslv.h>
|
||||
#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
|
||||
# error "OpenSSL < 0.9.8g has unreliable ECC code"
|
||||
#endif
|
||||
]], [[
|
||||
EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
|
||||
const EVP_MD *m = EVP_sha512(); /* We need this too */
|
||||
|
|
|
|||
8
kex.c
8
kex.c
|
|
@ -54,14 +54,6 @@
|
|||
#include "sshbuf.h"
|
||||
#include "digest.h"
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
||||
# if defined(HAVE_EVP_SHA256)
|
||||
# define evp_ssh_sha256 EVP_sha256
|
||||
# else
|
||||
extern const EVP_MD *evp_ssh_sha256(void);
|
||||
# endif
|
||||
#endif
|
||||
|
||||
/* prototype */
|
||||
static int kex_choose_conf(struct ssh *);
|
||||
static int kex_input_newkeys(int, u_int32_t, void *);
|
||||
|
|
|
|||
86
md-sha256.c
86
md-sha256.c
|
|
@ -1,86 +0,0 @@
|
|||
/* $OpenBSD: md-sha256.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2005 Damien Miller <djm@openbsd.org>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* EVP wrapper for SHA256 */
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <openssl/opensslv.h>
|
||||
|
||||
#if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
||||
|
||||
#include <string.h>
|
||||
#include <openssl/evp.h>
|
||||
#ifdef HAVE_SHA256_UPDATE
|
||||
# ifdef HAVE_SHA2_H
|
||||
# include <sha2.h>
|
||||
# elif defined(HAVE_CRYPTO_SHA2_H)
|
||||
# include <crypto/sha2.h>
|
||||
# endif
|
||||
#endif
|
||||
|
||||
const EVP_MD *evp_ssh_sha256(void);
|
||||
|
||||
static int
|
||||
ssh_sha256_init(EVP_MD_CTX *ctxt)
|
||||
{
|
||||
SHA256_Init(ctxt->md_data);
|
||||
return (1);
|
||||
}
|
||||
|
||||
static int
|
||||
ssh_sha256_update(EVP_MD_CTX *ctxt, const void *data, unsigned long len)
|
||||
{
|
||||
SHA256_Update(ctxt->md_data, data, len);
|
||||
return (1);
|
||||
}
|
||||
|
||||
static int
|
||||
ssh_sha256_final(EVP_MD_CTX *ctxt, unsigned char *digest)
|
||||
{
|
||||
SHA256_Final(digest, ctxt->md_data);
|
||||
return (1);
|
||||
}
|
||||
|
||||
static int
|
||||
ssh_sha256_cleanup(EVP_MD_CTX *ctxt)
|
||||
{
|
||||
memset(ctxt->md_data, 0, sizeof(SHA256_CTX));
|
||||
return (1);
|
||||
}
|
||||
|
||||
const EVP_MD *
|
||||
evp_ssh_sha256(void)
|
||||
{
|
||||
static EVP_MD ssh_sha256;
|
||||
|
||||
memset(&ssh_sha256, 0, sizeof(ssh_sha256));
|
||||
ssh_sha256.type = NID_undef;
|
||||
ssh_sha256.md_size = SHA256_DIGEST_LENGTH;
|
||||
ssh_sha256.init = ssh_sha256_init;
|
||||
ssh_sha256.update = ssh_sha256_update;
|
||||
ssh_sha256.final = ssh_sha256_final;
|
||||
ssh_sha256.cleanup = ssh_sha256_cleanup;
|
||||
ssh_sha256.block_size = SHA256_BLOCK_LENGTH;
|
||||
ssh_sha256.ctx_size = sizeof(SHA256_CTX);
|
||||
|
||||
return (&ssh_sha256);
|
||||
}
|
||||
|
||||
#endif /* !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: fmt_scaled.c,v 1.13 2017/03/11 23:37:23 djm Exp $ */
|
||||
/* $OpenBSD: fmt_scaled.c,v 1.16 2017/03/16 02:40:46 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001, 2002, 2003 Ian F. Darwin. All rights reserved.
|
||||
|
|
@ -125,22 +125,30 @@ scan_scaled(char *scaled, long long *result)
|
|||
/* ignore extra fractional digits */
|
||||
continue;
|
||||
fract_digits++; /* for later scaling */
|
||||
if (fpart >= LLONG_MAX / 10) {
|
||||
if (fpart > LLONG_MAX / 10) {
|
||||
errno = ERANGE;
|
||||
return -1;
|
||||
}
|
||||
fpart *= 10;
|
||||
if (i > LLONG_MAX - fpart) {
|
||||
errno = ERANGE;
|
||||
return -1;
|
||||
}
|
||||
fpart += i;
|
||||
} else { /* normal digit */
|
||||
if (++ndigits >= MAX_DIGITS) {
|
||||
errno = ERANGE;
|
||||
return -1;
|
||||
}
|
||||
if (whole >= LLONG_MAX / 10) {
|
||||
if (whole > LLONG_MAX / 10) {
|
||||
errno = ERANGE;
|
||||
return -1;
|
||||
}
|
||||
whole *= 10;
|
||||
if (i > LLONG_MAX - whole) {
|
||||
errno = ERANGE;
|
||||
return -1;
|
||||
}
|
||||
whole += i;
|
||||
}
|
||||
}
|
||||
|
|
@ -170,7 +178,9 @@ scan_scaled(char *scaled, long long *result)
|
|||
}
|
||||
scale_fact = scale_factors[i];
|
||||
|
||||
if (whole >= LLONG_MAX / scale_fact) {
|
||||
/* check for overflow and underflow after scaling */
|
||||
if (whole > LLONG_MAX / scale_fact ||
|
||||
whole < LLONG_MIN / scale_fact) {
|
||||
errno = ERANGE;
|
||||
return -1;
|
||||
}
|
||||
|
|
|
|||
8
sshd.c
8
sshd.c
|
|
@ -233,6 +233,7 @@ int use_privsep = -1;
|
|||
#endif
|
||||
struct monitor *pmonitor = NULL;
|
||||
int privsep_is_preauth = 1;
|
||||
static int privsep_chroot = 1;
|
||||
|
||||
/* global authentication context */
|
||||
Authctxt *the_authctxt = NULL;
|
||||
|
|
@ -577,7 +578,7 @@ privsep_preauth_child(void)
|
|||
demote_sensitive_data();
|
||||
|
||||
/* Demote the child */
|
||||
if (getuid() == 0 || geteuid() == 0) {
|
||||
if (privsep_chroot) {
|
||||
/* Change our root directory */
|
||||
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
|
||||
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
|
||||
|
|
@ -1717,8 +1718,9 @@ main(int ac, char **av)
|
|||
|
||||
#ifndef WINDOWS /* not applicable in Windows */
|
||||
/* Store privilege separation user for later use if required. */
|
||||
privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);
|
||||
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
|
||||
if (use_privsep || options.kerberos_authentication)
|
||||
if (privsep_chroot || options.kerberos_authentication)
|
||||
fatal("Privilege separation user %s does not exist",
|
||||
SSH_PRIVSEP_USER);
|
||||
} else {
|
||||
|
|
@ -1847,7 +1849,7 @@ main(int ac, char **av)
|
|||
key_type(key));
|
||||
}
|
||||
|
||||
if (use_privsep) {
|
||||
if (privsep_chroot) {
|
||||
struct stat st;
|
||||
|
||||
if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
|
||||
|
|
|
|||
4
sshkey.c
4
sshkey.c
|
|
@ -3513,11 +3513,7 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
|
|||
int success, r;
|
||||
int blen, len = strlen(_passphrase);
|
||||
u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL;
|
||||
#if (OPENSSL_VERSION_NUMBER < 0x00907000L)
|
||||
const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL;
|
||||
#else
|
||||
const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
|
||||
#endif
|
||||
const u_char *bptr;
|
||||
BIO *bio = NULL;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue