Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed
upstream) and a number of security fixes which we had already backported. MFC after: 1 week
This commit is contained in:
commit
a0ee8cc636
@ -1,3 +1,934 @@
|
||||
20131006
|
||||
- (djm) Release OpenSSH-6.7
|
||||
|
||||
20141003
|
||||
- (djm) [sshd_config.5] typo; from Iain Morgan
|
||||
|
||||
20141001
|
||||
- (djm) [openbsd-compat/Makefile.in openbsd-compat/kludge-fd_set.c]
|
||||
[openbsd-compat/openbsd-compat.h] Kludge around bad glibc
|
||||
_FORTIFY_SOURCE check that doesn't grok heap-allocated fd_sets;
|
||||
ok dtucker@
|
||||
|
||||
20140910
|
||||
- (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc;
|
||||
patch from Felix von Leitner; ok dtucker
|
||||
|
||||
20140908
|
||||
- (dtucker) [INSTALL] Update info about egd. ok djm@
|
||||
|
||||
20140904
|
||||
- (djm) [openbsd-compat/arc4random.c] Zero seed after keying PRNG
|
||||
|
||||
20140903
|
||||
- (djm) [defines.h sshbuf.c] Move __predict_true|false to defines.h and
|
||||
conditionalise to avoid duplicate definition.
|
||||
- (djm) [contrib/cygwin/ssh-host-config] Fix old code leading to
|
||||
permissions/ACLs; from Corinna Vinschen
|
||||
|
||||
20140830
|
||||
- (djm) [openbsd-compat/openssl-compat.h] add
|
||||
OPENSSL_[RD]SA_MAX_MODULUS_BITS defines for OpenSSL that lacks them
|
||||
- (djm) [misc.c] Missing newline between functions
|
||||
- (djm) [openbsd-compat/openssl-compat.h] add include guard
|
||||
- (djm) [Makefile.in] Make TEST_SHELL a variable; "good idea" tim@
|
||||
|
||||
20140827
|
||||
- (djm) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
|
||||
[regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
|
||||
[regress/unittests/sshkey/common.c]
|
||||
[regress/unittests/sshkey/test_file.c]
|
||||
[regress/unittests/sshkey/test_fuzz.c]
|
||||
[regress/unittests/sshkey/test_sshkey.c] Don't include openssl/ec.h
|
||||
on !ECC OpenSSL systems
|
||||
- (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
|
||||
monitor, not preauth; bz#2263
|
||||
- (djm) [openbsd-compat/explicit_bzero.c] implement explicit_bzero()
|
||||
using memset_s() where possible; improve fallback to indirect bzero
|
||||
via a volatile pointer to give it more of a chance to avoid being
|
||||
optimised away.
|
||||
|
||||
20140825
|
||||
- (djm) [bufec.c] Skip this file on !ECC OpenSSL
|
||||
- (djm) [INSTALL] Recommend libcrypto be built -fPIC, mention LibreSSL,
|
||||
update OpenSSL version requirement.
|
||||
|
||||
20140824
|
||||
- (djm) [sftp-server.c] Some systems (e.g. Irix) have prctl() but not
|
||||
PR_SET_DUMPABLE, so adjust ifdef; reported by Tom Christensen
|
||||
|
||||
20140823
|
||||
- (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
|
||||
lastlog writing on platforms with high UIDs; bz#2263
|
||||
- (djm) [configure.ac] We now require a working vsnprintf everywhere (not
|
||||
just for systems that lack asprintf); check for it always and extend
|
||||
test to catch more brokenness. Fixes builds on Solaris <= 9
|
||||
|
||||
20140822
|
||||
- (djm) [configure.ac] include leading zero characters in OpenSSL version
|
||||
number; fixes test for unsupported versions
|
||||
- (djm) [sshbuf-getput-crypto.c] Fix compilation when OpenSSL lacks ECC
|
||||
- (djm) [openbsd-compat/bsd-snprintf.c] Fix compilation failure (prototype/
|
||||
definition mismatch) and warning for broken/missing snprintf case.
|
||||
- (djm) [configure.ac] double braces to appease autoconf
|
||||
|
||||
20140821
|
||||
- (djm) [Makefile.in] fix reference to libtest_helper.a in sshkey test too.
|
||||
- (djm) [key.h] Fix ifdefs for no-ECC OpenSSL
|
||||
- (djm) [regress/unittests/test_helper/test_helper.c] Fix for systems that
|
||||
don't set __progname. Diagnosed by Tom Christensen.
|
||||
|
||||
20140820
|
||||
- (djm) [configure.ac] Check OpenSSL version is supported at configure time;
|
||||
suggested by Kevin Brott
|
||||
- (djm) [Makefile.in] refer to libtest_helper.a by explicit path rather than
|
||||
-L/-l; fixes linking problems on some platforms
|
||||
- (djm) [sshkey.h] Fix compilation when OpenSSL lacks ECC
|
||||
- (djm) [contrib/cygwin/README] Correct build instructions; from Corinna
|
||||
|
||||
20140819
|
||||
- (djm) [serverloop.c] Fix syntax error on Cygwin; from Corinna Vinschen
|
||||
- (djm) [sshbuf.h] Fix compilation on systems without OPENSSL_HAS_ECC.
|
||||
- (djm) [ssh-dss.c] Include openssl/dsa.h for DSA_SIG
|
||||
- (djm) [INSTALL contrib/caldera/openssh.spec contrib/cygwin/README]
|
||||
[contrib/redhat/openssh.spec contrib/suse/openssh.spec] Remove mentions
|
||||
of TCP wrappers.
|
||||
|
||||
20140811
|
||||
- (djm) [myproposal.h] Make curve25519 KEX dependent on
|
||||
HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC.
|
||||
|
||||
20140810
|
||||
- (djm) [README contrib/caldera/openssh.spec]
|
||||
[contrib/redhat/openssh.spec contrib/suse/openssh.spec] Update versions
|
||||
|
||||
20140801
|
||||
- (djm) [regress/multiplex.sh] Skip test for non-OpenBSD netcat. We need
|
||||
a better solution, but this will have to do for now.
|
||||
- (djm) [regress/multiplex.sh] Instruct nc not to quit as soon as stdin
|
||||
is closed; avoid regress failures when stdin is /dev/null
|
||||
- (djm) [regress/multiplex.sh] Use -d (detach stdin) flag to disassociate
|
||||
nc from stdin, it's more portable
|
||||
|
||||
20140730
|
||||
- OpenBSD CVS Sync
|
||||
- millert@cvs.openbsd.org 2014/07/24 22:57:10
|
||||
[ssh.1]
|
||||
Mention UNIX-domain socket forwarding too. OK jmc@ deraadt@
|
||||
- dtucker@cvs.openbsd.org 2014/07/25 21:22:03
|
||||
[ssh-agent.c]
|
||||
Clear buffer used for handling messages. This prevents keys being
|
||||
left in memory after they have been expired or deleted in some cases
|
||||
(but note that ssh-agent is setgid so you would still need root to
|
||||
access them). Pointed out by Kevin Burns, ok deraadt
|
||||
- schwarze@cvs.openbsd.org 2014/07/28 15:40:08
|
||||
[sftp-server.8 sshd_config.5]
|
||||
some systems no longer need /dev/log;
|
||||
issue noticed by jirib;
|
||||
ok deraadt
|
||||
|
||||
20140725
|
||||
- (djm) [regress/multiplex.sh] restore incorrectly deleted line;
|
||||
pointed out by Christian Hesse
|
||||
|
||||
20140722
|
||||
- (djm) [regress/multiplex.sh] ssh mux master lost -N somehow;
|
||||
put it back
|
||||
- (djm) [regress/multiplex.sh] change the test for still-open Unix
|
||||
domain sockets to be robust against nc implementations that produce
|
||||
error messages.
|
||||
- (dtucker) [regress/unittests/sshkey/test_{file,fuzz,sshkey}.c] Wrap ecdsa-
|
||||
specific tests inside OPENSSL_HAS_ECC.
|
||||
- (dtucker) OpenBSD CVS Sync
|
||||
- dtucker@cvs.openbsd.org 2014/07/22 01:18:50
|
||||
[key.c]
|
||||
Prevent spam from key_load_private_pem during hostbased auth. ok djm@
|
||||
- guenther@cvs.openbsd.org 2014/07/22 07:13:42
|
||||
[umac.c]
|
||||
Convert from <sys/endian.h> to the shiney new <endian.h>
|
||||
ok dtucker@, who also confirmed that -portable handles this already
|
||||
(ID sync only, includes.h pulls in endian.h if available.)
|
||||
- djm@cvs.openbsd.org 2014/07/22 01:32:12
|
||||
[regress/multiplex.sh]
|
||||
change the test for still-open Unix domain sockets to be robust against
|
||||
nc implementations that produce error messages. from -portable
|
||||
(Id sync only)
|
||||
- dtucker@cvs.openbsd.org 2014/07/22 23:23:22
|
||||
[regress/unittests/sshkey/mktestdata.sh]
|
||||
Sign test certs with ed25519 instead of ecdsa so that they'll work in
|
||||
-portable on platforms that don't have ECDSA in their OpenSSL. ok djm
|
||||
- dtucker@cvs.openbsd.org 2014/07/22 23:57:40
|
||||
[regress/unittests/sshkey/mktestdata.sh]
|
||||
Add $OpenBSD tag to make syncs easier
|
||||
- dtucker@cvs.openbsd.org 2014/07/22 23:35:38
|
||||
[regress/unittests/sshkey/testdata/*]
|
||||
Regenerate test keys with certs signed with ed25519 instead of ecdsa.
|
||||
These can be used in -portable on platforms that don't support ECDSA.
|
||||
|
||||
20140721
|
||||
- OpenBSD CVS Sync
|
||||
- millert@cvs.openbsd.org 2014/07/15 15:54:15
|
||||
[forwarding.sh multiplex.sh]
|
||||
Add support for Unix domain socket forwarding. A remote TCP port
|
||||
may be forwarded to a local Unix domain socket and vice versa or
|
||||
both ends may be a Unix domain socket. This is a reimplementation
|
||||
of the streamlocal patches by William Ahern from:
|
||||
http://www.25thandclement.com/~william/projects/streamlocal.html
|
||||
OK djm@ markus@
|
||||
- (djm) [regress/multiplex.sh] Not all netcat accept the -N option.
|
||||
- (dtucker) [sshkey.c] ifdef out unused variable when compiling without
|
||||
OPENSSL_HAS_ECC.
|
||||
|
||||
20140721
|
||||
- (dtucker) [cipher.c openbsd-compat/openssl-compat.h] Restore the bits
|
||||
needed to build AES CTR mode against OpenSSL 0.9.8f and above. ok djm
|
||||
- (dtucker) [regress/unittests/sshkey/
|
||||
{common,test_file,test_fuzz,test_sshkey}.c] Wrap stdint.h includes in
|
||||
ifdefs.
|
||||
|
||||
20140719
|
||||
- (tim) [openbsd-compat/port-uw.c] Include misc.h for fwd_opts, used
|
||||
in servconf.h.
|
||||
|
||||
20140718
|
||||
- OpenBSD CVS Sync
|
||||
- millert@cvs.openbsd.org 2014/07/15 15:54:14
|
||||
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
|
||||
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
|
||||
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
|
||||
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
|
||||
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
|
||||
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
|
||||
[sshd_config.5 sshlogin.c]
|
||||
Add support for Unix domain socket forwarding. A remote TCP port
|
||||
may be forwarded to a local Unix domain socket and vice versa or
|
||||
both ends may be a Unix domain socket. This is a reimplementation
|
||||
of the streamlocal patches by William Ahern from:
|
||||
http://www.25thandclement.com/~william/projects/streamlocal.html
|
||||
OK djm@ markus@
|
||||
- jmc@cvs.openbsd.org 2014/07/16 14:48:57
|
||||
[ssh.1]
|
||||
add the streamlocal* options to ssh's -o list; millert says they're
|
||||
irrelevant for scp/sftp;
|
||||
ok markus millert
|
||||
- djm@cvs.openbsd.org 2014/07/17 00:10:56
|
||||
[sandbox-systrace.c]
|
||||
ifdef SYS_sendsyslog so this will compile without patching on -stable
|
||||
- djm@cvs.openbsd.org 2014/07/17 00:10:18
|
||||
[mux.c]
|
||||
preserve errno across syscall
|
||||
- djm@cvs.openbsd.org 2014/07/17 00:12:03
|
||||
[key.c]
|
||||
silence "incorrect passphrase" error spam; reported and ok dtucker@
|
||||
- djm@cvs.openbsd.org 2014/07/17 07:22:19
|
||||
[mux.c ssh.c]
|
||||
reflect stdio-forward ("ssh -W host:port ...") failures in exit status.
|
||||
previously we were always returning 0. bz#2255 reported by Brendan
|
||||
Germain; ok dtucker
|
||||
- djm@cvs.openbsd.org 2014/07/18 02:46:01
|
||||
[ssh-agent.c]
|
||||
restore umask around listener socket creation (dropped in streamlocal patch
|
||||
merge)
|
||||
- (dtucker) [auth2-gss.c gss-serv-krb5.c] Include misc.h for fwd_opts, used
|
||||
in servconf.h.
|
||||
- (dtucker) [Makefile.in] Add a t-exec target to run just the executable
|
||||
tests.
|
||||
- (dtucker) [key.c sshkey.c] Put new ecdsa bits inside ifdef OPENSSL_HAS_ECC.
|
||||
|
||||
20140717
|
||||
- (djm) [digest-openssl.c] Preserve array order when disabling digests.
|
||||
Reported by Petr Lautrbach.
|
||||
- OpenBSD CVS Sync
|
||||
- deraadt@cvs.openbsd.org 2014/07/11 08:09:54
|
||||
[sandbox-systrace.c]
|
||||
Permit use of SYS_sendsyslog from inside the sandbox. Clock is ticking,
|
||||
update your kernels and sshd soon.. libc will start using sendsyslog()
|
||||
in about 4 days.
|
||||
- tedu@cvs.openbsd.org 2014/07/11 13:54:34
|
||||
[myproposal.h]
|
||||
by popular demand, add back hamc-sha1 to server proposal for better compat
|
||||
with many clients still in use. ok deraadt
|
||||
|
||||
20140715
|
||||
- (djm) [configure.ac] Delay checks for arc4random* until after libcrypto
|
||||
has been located; fixes builds agains libressl-portable
|
||||
|
||||
20140711
|
||||
- OpenBSD CVS Sync
|
||||
- benno@cvs.openbsd.org 2014/07/09 14:15:56
|
||||
[ssh-add.c]
|
||||
fix ssh-add crash while loading more than one key
|
||||
ok markus@
|
||||
|
||||
20140709
|
||||
- OpenBSD CVS Sync
|
||||
- djm@cvs.openbsd.org 2014/07/07 08:19:12
|
||||
[ssh_config.5]
|
||||
mention that ProxyCommand is executed using shell "exec" to avoid
|
||||
a lingering process; bz#1977
|
||||
- djm@cvs.openbsd.org 2014/07/09 01:45:10
|
||||
[sftp.c]
|
||||
more useful error message when GLOB_NOSPACE occurs;
|
||||
bz#2254, patch from Orion Poplawski
|
||||
- djm@cvs.openbsd.org 2014/07/09 03:02:15
|
||||
[key.c]
|
||||
downgrade more error() to debug() to better match what old authfile.c
|
||||
did; suppresses spurious errors with hostbased authentication enabled
|
||||
- djm@cvs.openbsd.org 2014/07/06 07:42:03
|
||||
[multiplex.sh test-exec.sh]
|
||||
add a hook to the cleanup() function to kill $SSH_PID if it is set
|
||||
|
||||
use it to kill the mux master started in multiplex.sh (it was being left
|
||||
around on fatal failures)
|
||||
- djm@cvs.openbsd.org 2014/07/07 08:15:26
|
||||
[multiplex.sh]
|
||||
remove forced-fatal that I stuck in there to test the new cleanup
|
||||
logic and forgot to remove...
|
||||
|
||||
20140706
|
||||
- OpenBSD CVS Sync
|
||||
- djm@cvs.openbsd.org 2014/07/03 23:18:35
|
||||
[authfile.h]
|
||||
remove leakmalloc droppings
|
||||
- djm@cvs.openbsd.org 2014/07/05 23:11:48
|
||||
[channels.c]
|
||||
fix remote-forward cancel regression; ok markus@
|
||||
|
||||
20140704
|
||||
- OpenBSD CVS Sync
|
||||
- jsing@cvs.openbsd.org 2014/07/03 12:42:16
|
||||
[cipher-chachapoly.c]
|
||||
Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this
|
||||
makes it easier to verify that chacha_encrypt_bytes() is only called once
|
||||
per chacha_ivsetup() call.
|
||||
ok djm@
|
||||
- djm@cvs.openbsd.org 2014/07/03 22:23:46
|
||||
[sshconnect.c]
|
||||
when rekeying, skip file/DNS lookup if it is the same as the key sent
|
||||
during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@
|
||||
- djm@cvs.openbsd.org 2014/07/03 22:33:41
|
||||
[channels.c]
|
||||
allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
|
||||
GatewayPorts=no; allows client to choose address family;
|
||||
bz#2222 ok markus@
|
||||
- djm@cvs.openbsd.org 2014/07/03 22:40:43
|
||||
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
|
||||
Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
|
||||
executed, mirroring the no-user-rc authorized_keys option;
|
||||
bz#2160; ok markus@
|
||||
|
||||
20140703
|
||||
- (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto
|
||||
doesn't support it.
|
||||
- (djm) [monitor_fdpass.c] Use sys/poll.h if poll.h doesn't exist;
|
||||
bz#2237
|
||||
- OpenBSD CVS Sync
|
||||
- djm@cvs.openbsd.org 2014/07/03 01:45:38
|
||||
[sshkey.c]
|
||||
make Ed25519 keys' title fit properly in the randomart border; bz#2247
|
||||
based on patch from Christian Hesse
|
||||
- djm@cvs.openbsd.org 2014/07/03 03:11:03
|
||||
[ssh-agent.c]
|
||||
Only cleanup agent socket in the main agent process and not in any
|
||||
subprocesses it may have started (e.g. forked askpass). Fixes
|
||||
agent sockets being zapped when askpass processes fatal();
|
||||
bz#2236 patch from Dmitry V. Levin
|
||||
- djm@cvs.openbsd.org 2014/07/03 03:15:01
|
||||
[ssh-add.c]
|
||||
make stdout line-buffered; saves partial output getting lost when
|
||||
ssh-add fatal()s part-way through (e.g. when listing keys from an
|
||||
agent that supports key types that ssh-add doesn't);
|
||||
bz#2234, reported by Phil Pennock
|
||||
- djm@cvs.openbsd.org 2014/07/03 03:26:43
|
||||
[digest-openssl.c]
|
||||
use EVP_Digest() for one-shot hash instead of creating, updating,
|
||||
finalising and destroying a context.
|
||||
bz#2231, based on patch from Timo Teras
|
||||
- djm@cvs.openbsd.org 2014/07/03 03:34:09
|
||||
[gss-serv.c session.c ssh-keygen.c]
|
||||
standardise on NI_MAXHOST for gethostname() string lengths; about
|
||||
1/2 the cases were using it already. Fixes bz#2239 en passant
|
||||
- djm@cvs.openbsd.org 2014/07/03 03:47:27
|
||||
[ssh-keygen.c]
|
||||
When hashing or removing hosts using ssh-keygen, don't choke on
|
||||
@revoked markers and don't remove @cert-authority markers;
|
||||
bz#2241, reported by mlindgren AT runelind.net
|
||||
- djm@cvs.openbsd.org 2014/07/03 04:36:45
|
||||
[digest.h]
|
||||
forward-declare struct sshbuf so consumers don't need to include sshbuf.h
|
||||
- djm@cvs.openbsd.org 2014/07/03 05:32:36
|
||||
[ssh_config.5]
|
||||
mention '%%' escape sequence in HostName directives and how it may
|
||||
be used to specify IPv6 link-local addresses
|
||||
- djm@cvs.openbsd.org 2014/07/03 05:38:17
|
||||
[ssh.1]
|
||||
document that -g will only work in the multiplexed case if applied to
|
||||
the mux master
|
||||
- djm@cvs.openbsd.org 2014/07/03 06:39:19
|
||||
[ssh.c ssh_config.5]
|
||||
Add a %C escape sequence for LocalCommand and ControlPath that expands
|
||||
to a unique identifer based on a has of the tuple of (local host,
|
||||
remote user, hostname, port).
|
||||
|
||||
Helps avoid exceeding sockaddr_un's miserly pathname limits for mux
|
||||
control paths.
|
||||
|
||||
bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
|
||||
- jmc@cvs.openbsd.org 2014/07/03 07:45:27
|
||||
[ssh_config.5]
|
||||
escape %C since groff thinks it part of an Rs/Re block;
|
||||
- djm@cvs.openbsd.org 2014/07/03 11:16:55
|
||||
[auth.c auth.h auth1.c auth2.c]
|
||||
make the "Too many authentication failures" message include the
|
||||
user, source address, port and protocol in a format similar to the
|
||||
authentication success / failure messages; bz#2199, ok dtucker
|
||||
|
||||
20140702
|
||||
- OpenBSD CVS Sync
|
||||
- deraadt@cvs.openbsd.org 2014/06/13 08:26:29
|
||||
[sandbox-systrace.c]
|
||||
permit SYS_getentropy
|
||||
from matthew
|
||||
- matthew@cvs.openbsd.org 2014/06/18 02:59:13
|
||||
[sandbox-systrace.c]
|
||||
Now that we have a dedicated getentropy(2) system call for
|
||||
arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace
|
||||
sandbox.
|
||||
|
||||
ok djm
|
||||
- naddy@cvs.openbsd.org 2014/06/18 15:42:09
|
||||
[sshbuf-getput-crypto.c]
|
||||
The ssh_get_bignum functions must accept the same range of bignums
|
||||
the corresponding ssh_put_bignum functions create. This fixes the
|
||||
use of 16384-bit RSA keys (bug reported by Eivind Evensen).
|
||||
ok djm@
|
||||
- djm@cvs.openbsd.org 2014/06/24 00:52:02
|
||||
[krl.c]
|
||||
fix bug in KRL generation: multiple consecutive revoked certificate
|
||||
serial number ranges could be serialised to an invalid format.
|
||||
|
||||
Readers of a broken KRL caused by this bug will fail closed, so no
|
||||
should-have-been-revoked key will be accepted.
|
||||
- djm@cvs.openbsd.org 2014/06/24 01:13:21
|
||||
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
|
||||
[auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
|
||||
[cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
|
||||
[digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
|
||||
[hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
|
||||
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
|
||||
[ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
|
||||
[ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
|
||||
[sshconnect2.c sshd.c sshkey.c sshkey.h
|
||||
[openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
|
||||
New key API: refactor key-related functions to be more library-like,
|
||||
existing API is offered as a set of wrappers.
|
||||
|
||||
with and ok markus@
|
||||
|
||||
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
|
||||
Dempsky and Ron Bowes for a detailed review a few months ago.
|
||||
NB. This commit also removes portable OpenSSH support for OpenSSL
|
||||
<0.9.8e.
|
||||
- djm@cvs.openbsd.org 2014/06/24 02:19:48
|
||||
[ssh.c]
|
||||
don't fatal() when hostname canonicalisation fails with a
|
||||
ProxyCommand in use; continue and allow the ProxyCommand to
|
||||
connect anyway (e.g. to a host with a name outside the DNS
|
||||
behind a bastion)
|
||||
- djm@cvs.openbsd.org 2014/06/24 02:21:01
|
||||
[scp.c]
|
||||
when copying local->remote fails during read, don't send uninitialised
|
||||
heap to the remote end. Reported by Jann Horn
|
||||
- deraadt@cvs.openbsd.org 2014/06/25 14:16:09
|
||||
[sshbuf.c]
|
||||
unblock SIGSEGV before raising it
|
||||
ok djm
|
||||
- markus@cvs.openbsd.org 2014/06/27 16:41:56
|
||||
[channels.c channels.h clientloop.c ssh.c]
|
||||
fix remote fwding with same listen port but different listen address
|
||||
with gerhard@, ok djm@
|
||||
- markus@cvs.openbsd.org 2014/06/27 18:50:39
|
||||
[ssh-add.c]
|
||||
fix loading of private keys
|
||||
- djm@cvs.openbsd.org 2014/06/30 12:54:39
|
||||
[key.c]
|
||||
suppress spurious error message when loading key with a passphrase;
|
||||
reported by kettenis@ ok markus@
|
||||
- djm@cvs.openbsd.org 2014/07/02 04:59:06
|
||||
[cipher-3des1.c]
|
||||
fix ssh protocol 1 on the server that regressed with the sshkey change
|
||||
(sometimes fatal() after auth completed), make file return useful status
|
||||
codes.
|
||||
NB. Id sync only for these two. They were bundled into the sshkey merge
|
||||
above, since it was easier to sync the entire file and then apply
|
||||
portable-specific changed atop it.
|
||||
- djm@cvs.openbsd.org 2014/04/30 05:32:00
|
||||
[regress/Makefile]
|
||||
unit tests for new buffer API; including basic fuzz testing
|
||||
NB. Id sync only.
|
||||
- djm@cvs.openbsd.org 2014/05/21 07:04:21
|
||||
[regress/integrity.sh]
|
||||
when failing because of unexpected output, show the offending output
|
||||
- djm@cvs.openbsd.org 2014/06/24 01:04:43
|
||||
[regress/krl.sh]
|
||||
regress test for broken consecutive revoked serial number ranges
|
||||
- djm@cvs.openbsd.org 2014/06/24 01:14:17
|
||||
[Makefile.in regress/Makefile regress/unittests/Makefile]
|
||||
[regress/unittests/sshkey/Makefile]
|
||||
[regress/unittests/sshkey/common.c]
|
||||
[regress/unittests/sshkey/common.h]
|
||||
[regress/unittests/sshkey/mktestdata.sh]
|
||||
[regress/unittests/sshkey/test_file.c]
|
||||
[regress/unittests/sshkey/test_fuzz.c]
|
||||
[regress/unittests/sshkey/test_sshkey.c]
|
||||
[regress/unittests/sshkey/tests.c]
|
||||
[regress/unittests/sshkey/testdata/dsa_1]
|
||||
[regress/unittests/sshkey/testdata/dsa_1-cert.fp]
|
||||
[regress/unittests/sshkey/testdata/dsa_1-cert.pub]
|
||||
[regress/unittests/sshkey/testdata/dsa_1.fp]
|
||||
[regress/unittests/sshkey/testdata/dsa_1.fp.bb]
|
||||
[regress/unittests/sshkey/testdata/dsa_1.param.g]
|
||||
[regress/unittests/sshkey/testdata/dsa_1.param.priv]
|
||||
[regress/unittests/sshkey/testdata/dsa_1.param.pub]
|
||||
[regress/unittests/sshkey/testdata/dsa_1.pub]
|
||||
[regress/unittests/sshkey/testdata/dsa_1_pw]
|
||||
[regress/unittests/sshkey/testdata/dsa_2]
|
||||
[regress/unittests/sshkey/testdata/dsa_2.fp]
|
||||
[regress/unittests/sshkey/testdata/dsa_2.fp.bb]
|
||||
[regress/unittests/sshkey/testdata/dsa_2.pub]
|
||||
[regress/unittests/sshkey/testdata/dsa_n]
|
||||
[regress/unittests/sshkey/testdata/dsa_n_pw]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_1]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_1-cert.fp]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_1-cert.pub]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_1.fp]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_1.fp.bb]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_1.param.curve]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_1.param.priv]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_1.param.pub]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_1.pub]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_1_pw]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_2]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_2.fp]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_2.fp.bb]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_2.param.curve]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_2.param.priv]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_2.param.pub]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_2.pub]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_n]
|
||||
[regress/unittests/sshkey/testdata/ecdsa_n_pw]
|
||||
[regress/unittests/sshkey/testdata/ed25519_1]
|
||||
[regress/unittests/sshkey/testdata/ed25519_1-cert.fp]
|
||||
[regress/unittests/sshkey/testdata/ed25519_1-cert.pub]
|
||||
[regress/unittests/sshkey/testdata/ed25519_1.fp]
|
||||
[regress/unittests/sshkey/testdata/ed25519_1.fp.bb]
|
||||
[regress/unittests/sshkey/testdata/ed25519_1.pub]
|
||||
[regress/unittests/sshkey/testdata/ed25519_1_pw]
|
||||
[regress/unittests/sshkey/testdata/ed25519_2]
|
||||
[regress/unittests/sshkey/testdata/ed25519_2.fp]
|
||||
[regress/unittests/sshkey/testdata/ed25519_2.fp.bb]
|
||||
[regress/unittests/sshkey/testdata/ed25519_2.pub]
|
||||
[regress/unittests/sshkey/testdata/pw]
|
||||
[regress/unittests/sshkey/testdata/rsa1_1]
|
||||
[regress/unittests/sshkey/testdata/rsa1_1.fp]
|
||||
[regress/unittests/sshkey/testdata/rsa1_1.fp.bb]
|
||||
[regress/unittests/sshkey/testdata/rsa1_1.param.n]
|
||||
[regress/unittests/sshkey/testdata/rsa1_1.pub]
|
||||
[regress/unittests/sshkey/testdata/rsa1_1_pw]
|
||||
[regress/unittests/sshkey/testdata/rsa1_2]
|
||||
[regress/unittests/sshkey/testdata/rsa1_2.fp]
|
||||
[regress/unittests/sshkey/testdata/rsa1_2.fp.bb]
|
||||
[regress/unittests/sshkey/testdata/rsa1_2.param.n]
|
||||
[regress/unittests/sshkey/testdata/rsa1_2.pub]
|
||||
[regress/unittests/sshkey/testdata/rsa_1]
|
||||
[regress/unittests/sshkey/testdata/rsa_1-cert.fp]
|
||||
[regress/unittests/sshkey/testdata/rsa_1-cert.pub]
|
||||
[regress/unittests/sshkey/testdata/rsa_1.fp]
|
||||
[regress/unittests/sshkey/testdata/rsa_1.fp.bb]
|
||||
[regress/unittests/sshkey/testdata/rsa_1.param.n]
|
||||
[regress/unittests/sshkey/testdata/rsa_1.param.p]
|
||||
[regress/unittests/sshkey/testdata/rsa_1.param.q]
|
||||
[regress/unittests/sshkey/testdata/rsa_1.pub]
|
||||
[regress/unittests/sshkey/testdata/rsa_1_pw]
|
||||
[regress/unittests/sshkey/testdata/rsa_2]
|
||||
[regress/unittests/sshkey/testdata/rsa_2.fp]
|
||||
[regress/unittests/sshkey/testdata/rsa_2.fp.bb]
|
||||
[regress/unittests/sshkey/testdata/rsa_2.param.n]
|
||||
[regress/unittests/sshkey/testdata/rsa_2.param.p]
|
||||
[regress/unittests/sshkey/testdata/rsa_2.param.q]
|
||||
[regress/unittests/sshkey/testdata/rsa_2.pub]
|
||||
[regress/unittests/sshkey/testdata/rsa_n]
|
||||
[regress/unittests/sshkey/testdata/rsa_n_pw]
|
||||
unit and fuzz tests for new key API
|
||||
- (djm) [sshkey.c] Conditionalise inclusion of util.h
|
||||
- (djm) [regress/Makefile] fix execution of sshkey unit/fuzz test
|
||||
|
||||
20140618
|
||||
- (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare
|
||||
|
||||
20140617
|
||||
- (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h}
|
||||
openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}]
|
||||
Move the OpenSSL header/library version test into its own function and add
|
||||
tests for it. Fix it to allow fix version upgrades (but not downgrades).
|
||||
Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150).
|
||||
ok djm@ chl@
|
||||
|
||||
20140616
|
||||
- (dtucker) [defines.h] Fix undef of _PATH_MAILDIR. From rak at debian via
|
||||
OpenSMTPD and chl@
|
||||
|
||||
20140612
|
||||
- (dtucker) [configure.ac] Remove tcpwrappers support, support has already
|
||||
been removed from sshd.c.
|
||||
|
||||
20140611
|
||||
- (dtucker) [defines.h] Add va_copy if we don't already have it, taken from
|
||||
openbsd-compat/bsd-asprintf.c.
|
||||
- (dtucker) [regress/unittests/sshbuf/*.c regress/unittests/test_helper/*]
|
||||
Wrap stdlib.h include an ifdef for platforms that don't have it.
|
||||
- (tim) [regress/unittests/test_helper/test_helper.h] Add includes.h for
|
||||
u_intXX_t types.
|
||||
|
||||
20140610
|
||||
- (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
|
||||
regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] Only do NISTP256
|
||||
curve tests if OpenSSL has them.
|
||||
- (dtucker) [myprosal.h] Don't include curve25519-sha256@libssh.org in
|
||||
the proposal if the version of OpenSSL we're using doesn't support ECC.
|
||||
- (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] ifdef
|
||||
ECC variable too.
|
||||
- (dtucker) OpenBSD CVS Sync
|
||||
- djm@cvs.openbsd.org 2014/06/05 22:17:50
|
||||
[sshconnect2.c]
|
||||
fix inverted test that caused PKCS#11 keys that were explicitly listed
|
||||
not to be preferred. Reported by Dirk-Willem van Gulik
|
||||
- dtucker@cvs.openbsd.org 2014/06/10 21:46:11
|
||||
[sshbuf.h]
|
||||
Group ECC functions together to make things a little easier in -portable.
|
||||
"doesn't bother me" deraadt@
|
||||
- (dtucker) [sshbuf.h] Only declare ECC functions if building without
|
||||
OpenSSL or if OpenSSL has ECC.
|
||||
- (dtucker) [openbsd-compat/arc4random.c] Use explicit_bzero instead of an
|
||||
assigment that might get optimized out. ok djm@
|
||||
- (dtucker) [bufaux.c bufbn.c bufec.c buffer.c] Pull in includes.h for
|
||||
compat stuff, specifically whether or not OpenSSL has ECC.
|
||||
|
||||
20140527
|
||||
- (djm) [cipher.c] Fix merge botch.
|
||||
- (djm) [contrib/cygwin/ssh-host-config] Updated Cygwin ssh-host-config
|
||||
from Corinna Vinschen, fixing a number of bugs and preparing for
|
||||
Cygwin 1.7.30.
|
||||
- (djm) [configure.ac openbsd-compat/bsd-cygwin_util.c]
|
||||
[openbsd-compat/bsd-cygwin_util.h] On Cygwin, determine privilege
|
||||
separation user at runtime, since it may need to be a domain account.
|
||||
Patch from Corinna Vinschen.
|
||||
|
||||
20140522
|
||||
- (djm) [Makefile.in] typo in path
|
||||
|
||||
20140521
|
||||
- (djm) [commit configure.ac defines.h sshpty.c] don't attempt to use
|
||||
vhangup on Linux. It doens't work for non-root users, and for them
|
||||
it just messes up the tty settings.
|
||||
- (djm) [misc.c] Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC
|
||||
when it is available. It takes into account time spent suspended,
|
||||
thereby ensuring timeouts (e.g. for expiring agent keys) fire
|
||||
correctly. bz#2228 reported by John Haxby
|
||||
|
||||
20140519
|
||||
- (djm) [rijndael.c rijndael.h] Sync with newly-ressurected versions ine
|
||||
OpenBSD
|
||||
- OpenBSD CVS Sync
|
||||
- logan@cvs.openbsd.org 2014/04/20 09:24:26
|
||||
[dns.c dns.h ssh-keygen.c]
|
||||
Add support for SSHFP DNS records for ED25519 key types.
|
||||
OK from djm@
|
||||
- logan@cvs.openbsd.org 2014/04/21 14:36:16
|
||||
[sftp-client.c sftp-client.h sftp.c]
|
||||
Implement sftp upload resume support.
|
||||
OK from djm@, with input from guenther@, mlarkin@ and
|
||||
okan@
|
||||
- logan@cvs.openbsd.org 2014/04/22 10:07:12
|
||||
[sftp.c]
|
||||
Sort the sftp command list.
|
||||
OK from djm@
|
||||
- logan@cvs.openbsd.org 2014/04/22 12:42:04
|
||||
[sftp.1]
|
||||
Document sftp upload resume.
|
||||
OK from djm@, with feedback from okan@.
|
||||
- jmc@cvs.openbsd.org 2014/04/22 14:16:30
|
||||
[sftp.1]
|
||||
zap eol whitespace;
|
||||
- djm@cvs.openbsd.org 2014/04/23 12:42:34
|
||||
[readconf.c]
|
||||
don't record duplicate IdentityFiles
|
||||
- djm@cvs.openbsd.org 2014/04/28 03:09:18
|
||||
[authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h]
|
||||
[ssh-keygen.c]
|
||||
buffer_get_string_ptr's return should be const to remind
|
||||
callers that futzing with it will futz with the actual buffer
|
||||
contents
|
||||
- djm@cvs.openbsd.org 2014/04/29 13:10:30
|
||||
[clientloop.c serverloop.c]
|
||||
bz#1818 - don't send channel success/failre replies on channels that
|
||||
have sent a close already; analysis and patch from Simon Tatham;
|
||||
ok markus@
|
||||
- markus@cvs.openbsd.org 2014/04/29 18:01:49
|
||||
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
|
||||
[kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
|
||||
[roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
|
||||
[ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
|
||||
make compiling against OpenSSL optional (make OPENSSL=no);
|
||||
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
|
||||
allows us to explore further options; with and ok djm
|
||||
- dtucker@cvs.openbsd.org 2014/04/29 19:58:50
|
||||
[sftp.c]
|
||||
Move nulling of variable next to where it's freed. ok markus@
|
||||
- dtucker@cvs.openbsd.org 2014/04/29 20:36:51
|
||||
[sftp.c]
|
||||
Don't attempt to append a nul quote char to the filename. Should prevent
|
||||
fatal'ing with "el_insertstr failed" when there's a single quote char
|
||||
somewhere in the string. bz#2238, ok markus@
|
||||
- djm@cvs.openbsd.org 2014/04/30 05:29:56
|
||||
[bufaux.c bufbn.c bufec.c buffer.c buffer.h sshbuf-getput-basic.c]
|
||||
[sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c sshbuf.h ssherr.c]
|
||||
[ssherr.h]
|
||||
New buffer API; the first installment of the conversion/replacement
|
||||
of OpenSSH's internals to make them usable as a standalone library.
|
||||
|
||||
This includes a set of wrappers to make it compatible with the
|
||||
existing buffer API so replacement can occur incrementally.
|
||||
|
||||
With and ok markus@
|
||||
|
||||
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
|
||||
Dempsky and Ron Bowes for a detailed review.
|
||||
- naddy@cvs.openbsd.org 2014/04/30 19:07:48
|
||||
[mac.c myproposal.h umac.c]
|
||||
UMAC can use our local fallback implementation of AES when OpenSSL isn't
|
||||
available. Glue code straight from Ted Krovetz's original umac.c.
|
||||
ok markus@
|
||||
- djm@cvs.openbsd.org 2014/05/02 03:27:54
|
||||
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c]
|
||||
[misc.h poly1305.h ssh-pkcs11.c defines.h]
|
||||
revert __bounded change; it causes way more problems for portable than
|
||||
it solves; pointed out by dtucker@
|
||||
- markus@cvs.openbsd.org 2014/05/03 17:20:34
|
||||
[monitor.c packet.c packet.h]
|
||||
unbreak compression, by re-init-ing the compression code in the
|
||||
post-auth child. the new buffer code is more strict, and requires
|
||||
buffer_init() while the old code was happy after a bzero();
|
||||
originally from djm@
|
||||
- logan@cvs.openbsd.org 2014/05/05 07:02:30
|
||||
[sftp.c]
|
||||
Zap extra whitespace.
|
||||
|
||||
OK from djm@ and dtucker@
|
||||
- (djm) [configure.ac] Unconditionally define WITH_OPENSSL until we write
|
||||
portability glue to support building without libcrypto
|
||||
- (djm) [Makefile.in configure.ac sshbuf-getput-basic.c]
|
||||
[sshbuf-getput-crypto.c sshbuf.c] compilation and portability fixes
|
||||
- OpenBSD CVS Sync
|
||||
- djm@cvs.openbsd.org 2014/03/13 20:44:49
|
||||
[login-timeout.sh]
|
||||
this test is a sorry mess of race conditions; add another sleep
|
||||
to avoid a failure on slow machines (at least until I find a
|
||||
better way)
|
||||
- djm@cvs.openbsd.org 2014/04/21 22:15:37
|
||||
[dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh]
|
||||
repair regress tests broken by server-side default cipher/kex/mac changes
|
||||
by ensuring that the option under test is included in the server's
|
||||
algorithm list
|
||||
- dtucker@cvs.openbsd.org 2014/05/03 18:46:14
|
||||
[proxy-connect.sh]
|
||||
Add tests for with and without compression, with and without privsep.
|
||||
- logan@cvs.openbsd.org 2014/05/04 10:40:59
|
||||
[connect-privsep.sh]
|
||||
Remove the Z flag from the list of malloc options as it
|
||||
was removed from malloc.c 10 days ago.
|
||||
|
||||
OK from miod@
|
||||
- (djm) [regress/unittests/Makefile]
|
||||
[regress/unittests/Makefile.inc]
|
||||
[regress/unittests/sshbuf/Makefile]
|
||||
[regress/unittests/sshbuf/test_sshbuf.c]
|
||||
[regress/unittests/sshbuf/test_sshbuf_fixed.c]
|
||||
[regress/unittests/sshbuf/test_sshbuf_fuzz.c]
|
||||
[regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
|
||||
[regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
|
||||
[regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
|
||||
[regress/unittests/sshbuf/test_sshbuf_misc.c]
|
||||
[regress/unittests/sshbuf/tests.c]
|
||||
[regress/unittests/test_helper/Makefile]
|
||||
[regress/unittests/test_helper/fuzz.c]
|
||||
[regress/unittests/test_helper/test_helper.c]
|
||||
[regress/unittests/test_helper/test_helper.h]
|
||||
Import new unit tests from OpenBSD; not yet hooked up to build.
|
||||
- (djm) [regress/Makefile Makefile.in]
|
||||
[regress/unittests/sshbuf/test_sshbuf.c
|
||||
[regress/unittests/sshbuf/test_sshbuf_fixed.c]
|
||||
[regress/unittests/sshbuf/test_sshbuf_fuzz.c]
|
||||
[regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
|
||||
[regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
|
||||
[regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
|
||||
[regress/unittests/sshbuf/test_sshbuf_misc.c]
|
||||
[regress/unittests/sshbuf/tests.c]
|
||||
[regress/unittests/test_helper/fuzz.c]
|
||||
[regress/unittests/test_helper/test_helper.c]
|
||||
Hook new unit tests into the build and "make tests"
|
||||
- (djm) [sshbuf.c] need __predict_false
|
||||
|
||||
20140430
|
||||
- (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already
|
||||
have it. Only attempt to use __attribute__(__bounded__) for gcc.
|
||||
|
||||
20140420
|
||||
- OpenBSD CVS Sync
|
||||
- djm@cvs.openbsd.org 2014/03/03 22:22:30
|
||||
[session.c]
|
||||
ignore enviornment variables with embedded '=' or '\0' characters;
|
||||
spotted by Jann Horn; ok deraadt@
|
||||
Id sync only - portable already has this.
|
||||
- djm@cvs.openbsd.org 2014/03/12 04:44:58
|
||||
[ssh-keyscan.c]
|
||||
scan for Ed25519 keys by default too
|
||||
- djm@cvs.openbsd.org 2014/03/12 04:50:32
|
||||
[auth-bsdauth.c ssh-keygen.c]
|
||||
don't count on things that accept arguments by reference to clear
|
||||
things for us on error; most things do, but it's unsafe form.
|
||||
- djm@cvs.openbsd.org 2014/03/12 04:51:12
|
||||
[authfile.c]
|
||||
correct test that kdf name is not "none" or "bcrypt"
|
||||
- naddy@cvs.openbsd.org 2014/03/12 13:06:59
|
||||
[ssh-keyscan.1]
|
||||
scan for Ed25519 keys by default too
|
||||
- deraadt@cvs.openbsd.org 2014/03/15 17:28:26
|
||||
[ssh-agent.c ssh-keygen.1 ssh-keygen.c]
|
||||
Improve usage() and documentation towards the standard form.
|
||||
In particular, this line saves a lot of man page reading time.
|
||||
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
|
||||
[-N new_passphrase] [-C comment] [-f output_keyfile]
|
||||
ok schwarze jmc
|
||||
- tedu@cvs.openbsd.org 2014/03/17 19:44:10
|
||||
[ssh.1]
|
||||
old descriptions of des and blowfish are old. maybe ok deraadt
|
||||
- tedu@cvs.openbsd.org 2014/03/19 14:42:44
|
||||
[scp.1]
|
||||
there is no need for rcp anymore
|
||||
ok deraadt millert
|
||||
- markus@cvs.openbsd.org 2014/03/25 09:40:03
|
||||
[myproposal.h]
|
||||
trimm default proposals.
|
||||
|
||||
This commit removes the weaker pre-SHA2 hashes, the broken ciphers
|
||||
(arcfour), and the broken modes (CBC) from the default configuration
|
||||
(the patch only changes the default, all the modes are still available
|
||||
for the config files).
|
||||
|
||||
ok djm@, reminded by tedu@ & naddy@ and discussed with many
|
||||
- deraadt@cvs.openbsd.org 2014/03/26 17:16:26
|
||||
[myproposal.h]
|
||||
The current sharing of myproposal[] between both client and server code
|
||||
makes the previous diff highly unpallatable. We want to go in that
|
||||
direction for the server, but not for the client. Sigh.
|
||||
Brought up by naddy.
|
||||
- markus@cvs.openbsd.org 2014/03/27 23:01:27
|
||||
[myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
|
||||
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
||||
- djm@cvs.openbsd.org 2014/03/26 04:55:35
|
||||
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
|
||||
[misc.h poly1305.h ssh-pkcs11.c]
|
||||
use __bounded(...) attribute recently added to sys/cdefs.h instead of
|
||||
longform __attribute__(__bounded(...));
|
||||
|
||||
for brevity and a warning free compilation with llvm/clang
|
||||
- tedu@cvs.openbsd.org 2014/03/26 19:58:37
|
||||
[sshd.8 sshd.c]
|
||||
remove libwrap support. ok deraadt djm mfriedl
|
||||
- naddy@cvs.openbsd.org 2014/03/28 05:17:11
|
||||
[ssh_config.5 sshd_config.5]
|
||||
sync available and default algorithms, improve algorithm list formatting
|
||||
help from jmc@ and schwarze@, ok deraadt@
|
||||
- jmc@cvs.openbsd.org 2014/03/31 13:39:34
|
||||
[ssh-keygen.1]
|
||||
the text for the -K option was inserted in the wrong place in -r1.108;
|
||||
fix From: Matthew Clarke
|
||||
- djm@cvs.openbsd.org 2014/04/01 02:05:27
|
||||
[ssh-keysign.c]
|
||||
include fingerprint of key not found
|
||||
use arc4random_buf() instead of loop+arc4random()
|
||||
- djm@cvs.openbsd.org 2014/04/01 03:34:10
|
||||
[sshconnect.c]
|
||||
When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
|
||||
certificate keys to plain keys and attempt SSHFP resolution.
|
||||
|
||||
Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
|
||||
dialog by offering only certificate keys.
|
||||
|
||||
Reported by mcv21 AT cam.ac.uk
|
||||
- djm@cvs.openbsd.org 2014/04/01 05:32:57
|
||||
[packet.c]
|
||||
demote a debug3 to PACKET_DEBUG; ok markus@
|
||||
- djm@cvs.openbsd.org 2014/04/12 04:55:53
|
||||
[sshd.c]
|
||||
avoid crash at exit: check that pmonitor!=NULL before dereferencing;
|
||||
bz#2225, patch from kavi AT juniper.net
|
||||
- djm@cvs.openbsd.org 2014/04/16 23:22:45
|
||||
[bufaux.c]
|
||||
skip leading zero bytes in buffer_put_bignum2_from_string();
|
||||
reported by jan AT mojzis.com; ok markus@
|
||||
- djm@cvs.openbsd.org 2014/04/16 23:28:12
|
||||
[ssh-agent.1]
|
||||
remove the identity files from this manpage - ssh-agent doesn't deal
|
||||
with them at all and the same information is duplicated in ssh-add.1
|
||||
(which does deal with them); prodded by deraadt@
|
||||
- djm@cvs.openbsd.org 2014/04/18 23:52:25
|
||||
[compat.c compat.h sshconnect2.c sshd.c version.h]
|
||||
OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
|
||||
using the curve25519-sha256@libssh.org KEX exchange method to fail
|
||||
when connecting with something that implements the spec properly.
|
||||
|
||||
Disable this KEX method when speaking to one of the affected
|
||||
versions.
|
||||
|
||||
reported by Aris Adamantiadis; ok markus@
|
||||
- djm@cvs.openbsd.org 2014/04/19 05:54:59
|
||||
[compat.c]
|
||||
missing wildcard; pointed out by naddy@
|
||||
- tedu@cvs.openbsd.org 2014/04/19 14:53:48
|
||||
[ssh-keysign.c sshd.c]
|
||||
Delete futile calls to RAND_seed. ok djm
|
||||
NB. Id sync only. This only applies to OpenBSD's libcrypto slashathon
|
||||
- tedu@cvs.openbsd.org 2014/04/19 18:15:16
|
||||
[sshd.8]
|
||||
remove some really old rsh references
|
||||
- tedu@cvs.openbsd.org 2014/04/19 18:42:19
|
||||
[ssh.1]
|
||||
delete .xr to hosts.equiv. there's still an unfortunate amount of
|
||||
documentation referring to rhosts equivalency in here.
|
||||
- djm@cvs.openbsd.org 2014/04/20 02:30:25
|
||||
[misc.c misc.h umac.c]
|
||||
use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on
|
||||
strict-alignment architectures; reported by and ok stsp@
|
||||
- djm@cvs.openbsd.org 2014/04/20 02:49:32
|
||||
[compat.c]
|
||||
add a canonical 6.6 + curve25519 bignum fix fake version that I can
|
||||
recommend people use ahead of the openssh-6.7 release
|
||||
|
||||
20140401
|
||||
- (djm) On platforms that support it, use prctl() to prevent sftp-server
|
||||
from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
|
||||
- (djm) Use full release (e.g. 6.5p1) in debug output rather than just
|
||||
version. From des@des.no
|
||||
|
||||
20140317
|
||||
- (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
|
||||
remind myself to add sandbox violation logging via the log socket.
|
||||
|
||||
20140314
|
||||
- (tim) [opensshd.init.in] Add support for ed25519
|
||||
|
||||
20140313
|
||||
- (djm) Release OpenSSH 6.6
|
||||
|
||||
@ -2884,4 +3815,3 @@
|
||||
[contrib/suse/openssh.spec] Update for release 6.0
|
||||
- (djm) [README] Update URL to release notes.
|
||||
- (djm) Release openssh-6.0
|
||||
|
||||
|
@ -1,22 +1,26 @@
|
||||
1. Prerequisites
|
||||
----------------
|
||||
|
||||
You will need working installations of Zlib and OpenSSL.
|
||||
You will need working installations of Zlib and libcrypto (LibreSSL /
|
||||
OpenSSL)
|
||||
|
||||
Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
|
||||
http://www.gzip.org/zlib/
|
||||
|
||||
OpenSSL 0.9.6 or greater:
|
||||
http://www.openssl.org/
|
||||
libcrypto (LibreSSL or OpenSSL >= 0.9.8f)
|
||||
LibreSSL http://www.libressl.org/ ; or
|
||||
OpenSSL http://www.openssl.org/
|
||||
|
||||
(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
|
||||
Blowfish) do not work correctly.)
|
||||
LibreSSL/OpenSSL should be compiled as a position-independent library
|
||||
(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
|
||||
If you must use a non-position-independent libcrypto, then you may need
|
||||
to configure OpenSSH --without-pie.
|
||||
|
||||
The remaining items are optional.
|
||||
|
||||
NB. If you operating system supports /dev/random, you should configure
|
||||
OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
|
||||
/dev/random, or failing that, either prngd or egd
|
||||
libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
|
||||
direct support of /dev/random, or failing that, either prngd or egd
|
||||
|
||||
PRNGD:
|
||||
|
||||
@ -27,10 +31,10 @@ http://prngd.sourceforge.net/
|
||||
|
||||
EGD:
|
||||
|
||||
The Entropy Gathering Daemon (EGD) is supported if you have a system which
|
||||
lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
|
||||
If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
|
||||
supported only if libcrypto supports it.
|
||||
|
||||
http://www.lothar.com/tech/crypto/
|
||||
http://egd.sourceforge.net/
|
||||
|
||||
PAM:
|
||||
|
||||
@ -204,10 +208,11 @@ created.
|
||||
|
||||
--with-xauth=PATH specifies the location of the xauth binary
|
||||
|
||||
--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
|
||||
--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
|
||||
libraries
|
||||
are installed.
|
||||
|
||||
--with-ssl-engine enables OpenSSL's (hardware) ENGINE support
|
||||
--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
|
||||
|
||||
--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
|
||||
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
|
||||
@ -266,4 +271,4 @@ Please refer to the "reporting bugs" section of the webpage at
|
||||
http://www.openssh.com/
|
||||
|
||||
|
||||
$Id: INSTALL,v 1.88 2013/03/07 01:33:35 dtucker Exp $
|
||||
$Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $Id: Makefile.in,v 1.356 2014/02/04 00:12:56 djm Exp $
|
||||
# $Id: Makefile.in,v 1.365 2014/08/30 06:23:07 djm Exp $
|
||||
|
||||
# uncomment if you run a non bourne compatable shell. Ie. csh
|
||||
#SHELL = @SH@
|
||||
@ -29,6 +29,7 @@ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
STRIP_OPT=@STRIP_OPT@
|
||||
TEST_SHELL=@TEST_SHELL@
|
||||
|
||||
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
||||
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
|
||||
@ -63,7 +64,16 @@ MANFMT=@MANFMT@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
||||
|
||||
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssherr.o \
|
||||
sshbuf.o \
|
||||
sshkey.o \
|
||||
sshbuf-getput-basic.o \
|
||||
sshbuf-misc.o \
|
||||
sshbuf-getput-crypto.o
|
||||
|
||||
LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-aes.o \
|
||||
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
||||
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
|
||||
@ -135,7 +145,7 @@ $(SSHOBJS): Makefile.in config.h
|
||||
$(SSHDOBJS): Makefile.in config.h
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
|
||||
|
||||
LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
|
||||
$(LIBCOMPAT): always
|
||||
@ -214,6 +224,12 @@ umac128.o: umac.c
|
||||
clean: regressclean
|
||||
rm -f *.o *.a $(TARGETS) logintest config.cache config.log
|
||||
rm -f *.out core survey
|
||||
rm -f regress/unittests/test_helper/*.a
|
||||
rm -f regress/unittests/test_helper/*.o
|
||||
rm -f regress/unittests/sshbuf/*.o
|
||||
rm -f regress/unittests/sshbuf/test_sshbuf
|
||||
rm -f regress/unittests/sshkey/*.o
|
||||
rm -f regress/unittests/sshkey/test_sshkey
|
||||
(cd openbsd-compat && $(MAKE) clean)
|
||||
|
||||
distclean: regressclean
|
||||
@ -222,6 +238,12 @@ distclean: regressclean
|
||||
rm -f Makefile buildpkg.sh config.h config.status
|
||||
rm -f survey.sh openbsd-compat/regress/Makefile *~
|
||||
rm -rf autom4te.cache
|
||||
rm -f regress/unittests/test_helper/*.a
|
||||
rm -f regress/unittests/test_helper/*.o
|
||||
rm -f regress/unittests/sshbuf/*.o
|
||||
rm -f regress/unittests/sshbuf/test_sshbuf
|
||||
rm -f regress/unittests/sshkey/*.o
|
||||
rm -f regress/unittests/sshkey/test_sshkey
|
||||
(cd openbsd-compat && $(MAKE) distclean)
|
||||
if test -d pkg ; then \
|
||||
rm -fr pkg ; \
|
||||
@ -394,23 +416,71 @@ uninstall:
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
|
||||
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
|
||||
regress-prep:
|
||||
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
|
||||
[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
|
||||
[ -d `pwd`/regress/unittests/test_helper ] || \
|
||||
mkdir -p `pwd`/regress/unittests/test_helper
|
||||
[ -d `pwd`/regress/unittests/sshbuf ] || \
|
||||
mkdir -p `pwd`/regress/unittests/sshbuf
|
||||
[ -d `pwd`/regress/unittests/sshkey ] || \
|
||||
mkdir -p `pwd`/regress/unittests/sshkey
|
||||
[ -f `pwd`/regress/Makefile ] || \
|
||||
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
|
||||
|
||||
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
|
||||
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c
|
||||
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
|
||||
[ -f `pwd`/regress/Makefile ] || \
|
||||
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
|
||||
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$(EXEEXT)
|
||||
UNITTESTS_TEST_HELPER_OBJS=\
|
||||
regress/unittests/test_helper/test_helper.o \
|
||||
regress/unittests/test_helper/fuzz.o
|
||||
|
||||
regress/unittests/test_helper/libtest_helper.a: ${UNITTESTS_TEST_HELPER_OBJS}
|
||||
$(AR) rv $@ $(UNITTESTS_TEST_HELPER_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
UNITTESTS_TEST_SSHBUF_OBJS=\
|
||||
regress/unittests/sshbuf/tests.o \
|
||||
regress/unittests/sshbuf/test_sshbuf.o \
|
||||
regress/unittests/sshbuf/test_sshbuf_getput_basic.o \
|
||||
regress/unittests/sshbuf/test_sshbuf_getput_crypto.o \
|
||||
regress/unittests/sshbuf/test_sshbuf_misc.o \
|
||||
regress/unittests/sshbuf/test_sshbuf_fuzz.o \
|
||||
regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o \
|
||||
regress/unittests/sshbuf/test_sshbuf_fixed.o
|
||||
|
||||
regress/unittests/sshbuf/test_sshbuf$(EXEEXT): ${UNITTESTS_TEST_SSHBUF_OBJS} \
|
||||
regress/unittests/test_helper/libtest_helper.a libssh.a
|
||||
$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \
|
||||
regress/unittests/test_helper/libtest_helper.a \
|
||||
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
UNITTESTS_TEST_SSHKEY_OBJS=\
|
||||
regress/unittests/sshkey/test_fuzz.o \
|
||||
regress/unittests/sshkey/tests.o \
|
||||
regress/unittests/sshkey/common.o \
|
||||
regress/unittests/sshkey/test_file.o \
|
||||
regress/unittests/sshkey/test_sshkey.o
|
||||
|
||||
regress/unittests/sshkey/test_sshkey$(EXEEXT): ${UNITTESTS_TEST_SSHKEY_OBJS} \
|
||||
regress/unittests/test_helper/libtest_helper.a libssh.a
|
||||
$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHKEY_OBJS) \
|
||||
regress/unittests/test_helper/libtest_helper.a \
|
||||
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
REGRESS_BINARIES=\
|
||||
regress/modpipe$(EXEEXT) \
|
||||
regress/setuid-allowed$(EXEEXT) \
|
||||
regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
|
||||
regress/unittests/sshkey/test_sshkey$(EXEEXT)
|
||||
|
||||
tests interop-tests t-exec: regress-prep $(TARGETS) $(REGRESS_BINARIES)
|
||||
BUILDDIR=`pwd`; \
|
||||
TEST_SHELL="@TEST_SHELL@"; \
|
||||
TEST_SSH_SCP="$${BUILDDIR}/scp"; \
|
||||
TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
|
||||
TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
|
||||
@ -434,7 +504,6 @@ tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$
|
||||
OBJ="$${BUILDDIR}/regress/" \
|
||||
PATH="$${BUILDDIR}:$${PATH}" \
|
||||
TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
|
||||
TEST_SHELL="$${TEST_SHELL}" \
|
||||
TEST_SSH_SCP="$${TEST_SSH_SCP}" \
|
||||
TEST_SSH_SSH="$${TEST_SSH_SSH}" \
|
||||
TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \
|
||||
@ -450,6 +519,7 @@ tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$
|
||||
TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \
|
||||
TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
|
||||
TEST_SSH_ECC="$${TEST_SSH_ECC}" \
|
||||
TEST_SHELL="${TEST_SHELL}" \
|
||||
EXEEXT="$(EXEEXT)" \
|
||||
$@ && echo all tests passed
|
||||
|
||||
|
@ -232,6 +232,56 @@ The contents of the "data" field for layer 2 packets is:
|
||||
The "frame" field contains an IEEE 802.3 Ethernet frame, including
|
||||
header.
|
||||
|
||||
2.4. connection: Unix domain socket forwarding
|
||||
|
||||
OpenSSH supports local and remote Unix domain socket forwarding
|
||||
using the "streamlocal" extension. Forwarding is initiated as per
|
||||
TCP sockets but with a single path instead of a host and port.
|
||||
|
||||
Similar to direct-tcpip, direct-streamlocal is sent by the client
|
||||
to request that the server make a connection to a Unix domain socket.
|
||||
|
||||
byte SSH_MSG_CHANNEL_OPEN
|
||||
string "direct-streamlocal@openssh.com"
|
||||
uint32 sender channel
|
||||
uint32 initial window size
|
||||
uint32 maximum packet size
|
||||
string socket path
|
||||
string reserved for future use
|
||||
|
||||
Similar to forwarded-tcpip, forwarded-streamlocal is sent by the
|
||||
server when the client has previously send the server a streamlocal-forward
|
||||
GLOBAL_REQUEST.
|
||||
|
||||
byte SSH_MSG_CHANNEL_OPEN
|
||||
string "forwarded-streamlocal@openssh.com"
|
||||
uint32 sender channel
|
||||
uint32 initial window size
|
||||
uint32 maximum packet size
|
||||
string socket path
|
||||
string reserved for future use
|
||||
|
||||
The reserved field is not currently defined and is ignored on the
|
||||
remote end. It is intended to be used in the future to pass
|
||||
information about the socket file, such as ownership and mode.
|
||||
The client currently sends the empty string for this field.
|
||||
|
||||
Similar to tcpip-forward, streamlocal-forward is sent by the client
|
||||
to request remote forwarding of a Unix domain socket.
|
||||
|
||||
byte SSH2_MSG_GLOBAL_REQUEST
|
||||
string "streamlocal-forward@openssh.com"
|
||||
boolean TRUE
|
||||
string socket path
|
||||
|
||||
Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent
|
||||
by the client cancel the forwarding of a Unix domain socket.
|
||||
|
||||
byte SSH2_MSG_GLOBAL_REQUEST
|
||||
string "cancel-streamlocal-forward@openssh.com"
|
||||
boolean FALSE
|
||||
string socket path
|
||||
|
||||
3. SFTP protocol changes
|
||||
|
||||
3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
|
||||
@ -356,4 +406,4 @@ respond with a SSH_FXP_STATUS message.
|
||||
This extension is advertised in the SSH_FXP_VERSION hello with version
|
||||
"1".
|
||||
|
||||
$OpenBSD: PROTOCOL,v 1.23 2013/12/01 23:19:05 djm Exp $
|
||||
$OpenBSD: PROTOCOL,v 1.24 2014/07/15 15:54:14 millert Exp $
|
||||
|
@ -1,4 +1,4 @@
|
||||
See http://www.openssh.com/txt/release-6.6 for the release notes.
|
||||
See http://www.openssh.com/txt/release-6.7 for the release notes.
|
||||
|
||||
- A Japanese translation of this document and of the OpenSSH FAQ is
|
||||
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
|
||||
@ -62,4 +62,4 @@ References -
|
||||
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
|
||||
[7] http://www.openssh.com/faq.html
|
||||
|
||||
$Id: README,v 1.86 2014/02/27 23:03:53 djm Exp $
|
||||
$Id: README,v 1.87 2014/08/10 01:35:06 djm Exp $
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth-bsdauth.c,v 1.11 2007/09/21 08:15:29 djm Exp $ */
|
||||
/* $OpenBSD: auth-bsdauth.c,v 1.13 2014/06/24 01:13:21 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -26,6 +26,8 @@
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
|
||||
@ -54,6 +56,11 @@ bsdauth_query(void *ctx, char **name, char **infotxt,
|
||||
Authctxt *authctxt = ctx;
|
||||
char *challenge = NULL;
|
||||
|
||||
*infotxt = NULL;
|
||||
*numprompts = 0;
|
||||
*prompts = NULL;
|
||||
*echo_on = NULL;
|
||||
|
||||
if (authctxt->as != NULL) {
|
||||
debug2("bsdauth_query: try reuse session");
|
||||
challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth-chall.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
|
||||
/* $OpenBSD: auth-chall.c,v 1.14 2014/06/24 01:13:21 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -26,6 +26,9 @@
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
|
||||
@ -34,6 +37,7 @@
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
|
||||
/* limited protocol v1 interface to kbd-interactive authentication */
|
||||
|
@ -40,6 +40,7 @@
|
||||
#include "packet.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "uidswap.h"
|
||||
#include "key.h"
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth-options.c,v 1.62 2013/12/19 00:27:57 djm Exp $ */
|
||||
/* $OpenBSD: auth-options.c,v 1.64 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -26,9 +26,9 @@
|
||||
#include "log.h"
|
||||
#include "canohost.h"
|
||||
#include "buffer.h"
|
||||
#include "misc.h"
|
||||
#include "channels.h"
|
||||
#include "servconf.h"
|
||||
#include "misc.h"
|
||||
#include "key.h"
|
||||
#include "auth-options.h"
|
||||
#include "hostfile.h"
|
||||
@ -325,6 +325,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
|
||||
patterns[i] = '\0';
|
||||
opts++;
|
||||
p = patterns;
|
||||
/* XXX - add streamlocal support */
|
||||
host = hpdelim(&p);
|
||||
if (host == NULL || strlen(host) >= NI_MAXHOST) {
|
||||
debug("%.100s, line %lu: Bad permitopen "
|
||||
@ -586,8 +587,8 @@ auth_cert_options(Key *k, struct passwd *pw)
|
||||
|
||||
if (key_cert_is_legacy(k)) {
|
||||
/* All options are in the one field for v00 certs */
|
||||
if (parse_option_list(buffer_ptr(&k->cert->critical),
|
||||
buffer_len(&k->cert->critical), pw,
|
||||
if (parse_option_list(buffer_ptr(k->cert->critical),
|
||||
buffer_len(k->cert->critical), pw,
|
||||
OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1,
|
||||
&cert_no_port_forwarding_flag,
|
||||
&cert_no_agent_forwarding_flag,
|
||||
@ -599,14 +600,14 @@ auth_cert_options(Key *k, struct passwd *pw)
|
||||
return -1;
|
||||
} else {
|
||||
/* Separate options and extensions for v01 certs */
|
||||
if (parse_option_list(buffer_ptr(&k->cert->critical),
|
||||
buffer_len(&k->cert->critical), pw,
|
||||
if (parse_option_list(buffer_ptr(k->cert->critical),
|
||||
buffer_len(k->cert->critical), pw,
|
||||
OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
|
||||
&cert_forced_command,
|
||||
&cert_source_address_done) == -1)
|
||||
return -1;
|
||||
if (parse_option_list(buffer_ptr(&k->cert->extensions),
|
||||
buffer_len(&k->cert->extensions), pw,
|
||||
if (parse_option_list(buffer_ptr(k->cert->extensions),
|
||||
buffer_len(k->cert->extensions), pw,
|
||||
OPTIONS_EXTENSIONS, 1,
|
||||
&cert_no_port_forwarding_flag,
|
||||
&cert_no_agent_forwarding_flag,
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth-passwd.c,v 1.43 2007/09/21 08:15:29 djm Exp $ */
|
||||
/* $OpenBSD: auth-passwd.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -48,6 +48,7 @@
|
||||
#include "packet.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth-rh-rsa.c,v 1.43 2010/03/04 10:36:03 djm Exp $ */
|
||||
/* $OpenBSD: auth-rh-rsa.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -24,6 +24,7 @@
|
||||
#include "uidswap.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth-rhosts.c,v 1.44 2010/03/07 11:57:13 dtucker Exp $ */
|
||||
/* $OpenBSD: auth-rhosts.c,v 1.45 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -34,12 +34,12 @@
|
||||
#include "uidswap.h"
|
||||
#include "pathnames.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "canohost.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "misc.h"
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth-rsa.c,v 1.86 2014/01/27 19:18:54 markus Exp $ */
|
||||
/* $OpenBSD: auth-rsa.c,v 1.88 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -35,6 +35,7 @@
|
||||
#include "buffer.h"
|
||||
#include "pathnames.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "key.h"
|
||||
#include "auth-options.h"
|
||||
@ -45,7 +46,6 @@
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#include "ssh.h"
|
||||
#include "misc.h"
|
||||
|
||||
#include "digest.h"
|
||||
|
||||
@ -144,7 +144,8 @@ auth_rsa_challenge_dialog(Key *key)
|
||||
challenge = PRIVSEP(auth_rsa_generate_challenge(key));
|
||||
|
||||
/* Encrypt the challenge with the public key. */
|
||||
rsa_public_encrypt(encrypted_challenge, challenge, key->rsa);
|
||||
if (rsa_public_encrypt(encrypted_challenge, challenge, key->rsa) != 0)
|
||||
fatal("%s: rsa_public_encrypt failed", __func__);
|
||||
|
||||
/* Send the encrypted challenge to the client. */
|
||||
packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */
|
||||
/* $OpenBSD: auth.c,v 1.106 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -57,6 +57,7 @@ __RCSID("$FreeBSD$");
|
||||
#include "groupaccess.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
@ -64,7 +65,6 @@ __RCSID("$FreeBSD$");
|
||||
#include "auth-options.h"
|
||||
#include "canohost.h"
|
||||
#include "uidswap.h"
|
||||
#include "misc.h"
|
||||
#include "packet.h"
|
||||
#include "loginrec.h"
|
||||
#ifdef GSSAPI
|
||||
@ -327,6 +327,20 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
void
|
||||
auth_maxtries_exceeded(Authctxt *authctxt)
|
||||
{
|
||||
packet_disconnect("Too many authentication failures for "
|
||||
"%s%.100s from %.200s port %d %s",
|
||||
authctxt->valid ? "" : "invalid user ",
|
||||
authctxt->user,
|
||||
get_remote_ipaddr(),
|
||||
get_remote_port(),
|
||||
compat20 ? "ssh2" : "ssh1");
|
||||
/* NOTREACHED */
|
||||
}
|
||||
|
||||
/*
|
||||
* Check whether root logins are disallowed.
|
||||
*/
|
||||
@ -660,6 +674,7 @@ getpwnamallow(const char *user)
|
||||
int
|
||||
auth_key_is_revoked(Key *key)
|
||||
{
|
||||
#ifdef WITH_OPENSSL
|
||||
char *key_fp;
|
||||
|
||||
if (options.revoked_keys_file == NULL)
|
||||
@ -672,6 +687,7 @@ auth_key_is_revoked(Key *key)
|
||||
default:
|
||||
goto revoked;
|
||||
}
|
||||
#endif
|
||||
debug3("%s: treating %s as a key list", __func__,
|
||||
options.revoked_keys_file);
|
||||
switch (key_in_file(key, options.revoked_keys_file, 0)) {
|
||||
@ -683,6 +699,7 @@ auth_key_is_revoked(Key *key)
|
||||
error("Revoked keys file is unreadable: refusing public key "
|
||||
"authentication");
|
||||
return 1;
|
||||
#ifdef WITH_OPENSSL
|
||||
case 1:
|
||||
revoked:
|
||||
/* Key revoked */
|
||||
@ -691,6 +708,7 @@ auth_key_is_revoked(Key *key)
|
||||
"%s key %s ", key_type(key), key_fp);
|
||||
free(key_fp);
|
||||
return 1;
|
||||
#endif
|
||||
}
|
||||
fatal("key_in_file returned junk");
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth.h,v 1.77 2014/01/29 06:18:35 djm Exp $ */
|
||||
/* $OpenBSD: auth.h,v 1.78 2014/07/03 11:16:55 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
@ -154,6 +154,7 @@ void auth_info(Authctxt *authctxt, const char *, ...)
|
||||
__attribute__((__format__ (printf, 2, 3)))
|
||||
__attribute__((__nonnull__ (2)));
|
||||
void auth_log(Authctxt *, int, int, const char *, const char *);
|
||||
void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
|
||||
void userauth_finish(Authctxt *, int, const char *, const char *);
|
||||
int auth_root_allowed(const char *);
|
||||
|
||||
@ -210,8 +211,6 @@ struct passwd *fakepw(void);
|
||||
|
||||
int sys_auth_passwd(Authctxt *, const char *);
|
||||
|
||||
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
|
||||
|
||||
#define SKEY_PROMPT "\nS/Key Password: "
|
||||
|
||||
#if defined(KRB5) && !defined(HEIMDAL)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth1.c,v 1.80 2014/02/02 03:44:31 djm Exp $ */
|
||||
/* $OpenBSD: auth1.c,v 1.82 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
@ -27,6 +27,7 @@
|
||||
#include "packet.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "compat.h"
|
||||
#include "key.h"
|
||||
@ -363,7 +364,7 @@ do_authloop(Authctxt *authctxt)
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
|
||||
#endif
|
||||
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
|
||||
auth_maxtries_exceeded(authctxt);
|
||||
}
|
||||
|
||||
packet_start(SSH_SMSG_FAILURE);
|
||||
|
@ -41,6 +41,7 @@
|
||||
#include "packet.h"
|
||||
#include "dispatch.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
|
||||
/* import */
|
||||
|
@ -40,6 +40,7 @@
|
||||
#include "log.h"
|
||||
#include "dispatch.h"
|
||||
#include "buffer.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "packet.h"
|
||||
#include "ssh-gss.h"
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth2-hostbased.c,v 1.17 2013/12/30 23:52:27 djm Exp $ */
|
||||
/* $OpenBSD: auth2-hostbased.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -36,6 +36,7 @@
|
||||
#include "packet.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "compat.h"
|
||||
#include "key.h"
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth2-kbdint.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */
|
||||
/* $OpenBSD: auth2-kbdint.c,v 1.7 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -36,6 +36,7 @@
|
||||
#include "auth.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
|
||||
/* import */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth2-none.c,v 1.16 2010/06/25 08:46:17 djm Exp $ */
|
||||
/* $OpenBSD: auth2-none.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -30,9 +30,10 @@
|
||||
#include <sys/uio.h>
|
||||
|
||||
#include <fcntl.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "atomicio.h"
|
||||
#include "xmalloc.h"
|
||||
@ -42,6 +43,7 @@
|
||||
#include "packet.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "compat.h"
|
||||
#include "ssh2.h"
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth2-passwd.c,v 1.11 2014/02/02 03:44:31 djm Exp $ */
|
||||
/* $OpenBSD: auth2-passwd.c,v 1.12 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -41,6 +41,7 @@
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
|
||||
/* import */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth2-pubkey.c,v 1.39 2013/12/30 23:52:27 djm Exp $ */
|
||||
/* $OpenBSD: auth2-pubkey.c,v 1.41 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -48,6 +48,7 @@
|
||||
#include "packet.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "compat.h"
|
||||
#include "key.h"
|
||||
@ -61,7 +62,6 @@
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#include "misc.h"
|
||||
#include "authfile.h"
|
||||
#include "match.h"
|
||||
|
||||
@ -230,7 +230,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
|
||||
}
|
||||
|
||||
static int
|
||||
match_principals_option(const char *principal_list, struct KeyCert *cert)
|
||||
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
|
||||
{
|
||||
char *result;
|
||||
u_int i;
|
||||
@ -250,7 +250,7 @@ match_principals_option(const char *principal_list, struct KeyCert *cert)
|
||||
}
|
||||
|
||||
static int
|
||||
match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
|
||||
match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert)
|
||||
{
|
||||
FILE *f;
|
||||
char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth2.c,v 1.130 2014/01/29 06:18:35 djm Exp $ */
|
||||
/* $OpenBSD: auth2.c,v 1.132 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -42,6 +42,7 @@ __RCSID("$FreeBSD$");
|
||||
#include "packet.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "compat.h"
|
||||
#include "key.h"
|
||||
@ -392,7 +393,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
|
||||
#endif
|
||||
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
|
||||
auth_maxtries_exceeded(authctxt);
|
||||
}
|
||||
methods = authmethods_get(authctxt);
|
||||
debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: authfd.c,v 1.92 2014/01/31 16:39:19 tedu Exp $ */
|
||||
/* $OpenBSD: authfd.c,v 1.93 2014/04/29 18:01:49 markus Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -41,9 +41,6 @@
|
||||
#include <sys/un.h>
|
||||
#include <sys/socket.h>
|
||||
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
#include <fcntl.h>
|
||||
#include <stdlib.h>
|
||||
#include <signal.h>
|
||||
@ -313,8 +310,10 @@ ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int versi
|
||||
Key *
|
||||
ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int version)
|
||||
{
|
||||
#ifdef WITH_SSH1
|
||||
int keybits;
|
||||
u_int bits;
|
||||
#endif
|
||||
u_char *blob;
|
||||
u_int blen;
|
||||
Key *key = NULL;
|
||||
@ -328,6 +327,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
|
||||
* error if the packet is too short or contains corrupt data.
|
||||
*/
|
||||
switch (version) {
|
||||
#ifdef WITH_SSH1
|
||||
case 1:
|
||||
key = key_new(KEY_RSA1);
|
||||
bits = buffer_get_int(&auth->identities);
|
||||
@ -339,6 +339,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
|
||||
logit("Warning: identity keysize mismatch: actual %d, announced %u",
|
||||
BN_num_bits(key->rsa->n), bits);
|
||||
break;
|
||||
#endif
|
||||
case 2:
|
||||
blob = buffer_get_string(&auth->identities, &blen);
|
||||
*comment = buffer_get_string(&auth->identities, NULL);
|
||||
@ -361,6 +362,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
|
||||
* supported) and 1 corresponding to protocol version 1.1.
|
||||
*/
|
||||
|
||||
#ifdef WITH_SSH1
|
||||
int
|
||||
ssh_decrypt_challenge(AuthenticationConnection *auth,
|
||||
Key* key, BIGNUM *challenge,
|
||||
@ -410,6 +412,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
|
||||
buffer_free(&buffer);
|
||||
return success;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* ask agent to sign data, returns -1 on error, 0 on success */
|
||||
int
|
||||
@ -457,6 +460,7 @@ ssh_agent_sign(AuthenticationConnection *auth,
|
||||
|
||||
/* Encode key for a message to the agent. */
|
||||
|
||||
#ifdef WITH_SSH1
|
||||
static void
|
||||
ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
|
||||
{
|
||||
@ -470,6 +474,7 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
|
||||
buffer_put_bignum(b, key->p); /* ssh key->q, SSL key->p */
|
||||
buffer_put_cstring(b, comment);
|
||||
}
|
||||
#endif
|
||||
|
||||
static void
|
||||
ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
|
||||
@ -493,6 +498,7 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
|
||||
buffer_init(&msg);
|
||||
|
||||
switch (key->type) {
|
||||
#ifdef WITH_SSH1
|
||||
case KEY_RSA1:
|
||||
type = constrained ?
|
||||
SSH_AGENTC_ADD_RSA_ID_CONSTRAINED :
|
||||
@ -500,6 +506,8 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
|
||||
buffer_put_char(&msg, type);
|
||||
ssh_encode_identity_rsa1(&msg, key->rsa, comment);
|
||||
break;
|
||||
#endif
|
||||
#ifdef WITH_OPENSSL
|
||||
case KEY_RSA:
|
||||
case KEY_RSA_CERT:
|
||||
case KEY_RSA_CERT_V00:
|
||||
@ -508,6 +516,7 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
|
||||
case KEY_DSA_CERT_V00:
|
||||
case KEY_ECDSA:
|
||||
case KEY_ECDSA_CERT:
|
||||
#endif
|
||||
case KEY_ED25519:
|
||||
case KEY_ED25519_CERT:
|
||||
type = constrained ?
|
||||
@ -552,12 +561,15 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
|
||||
|
||||
buffer_init(&msg);
|
||||
|
||||
#ifdef WITH_SSH1
|
||||
if (key->type == KEY_RSA1) {
|
||||
buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY);
|
||||
buffer_put_int(&msg, BN_num_bits(key->rsa->n));
|
||||
buffer_put_bignum(&msg, key->rsa->e);
|
||||
buffer_put_bignum(&msg, key->rsa->n);
|
||||
} else if (key->type != KEY_UNSPEC) {
|
||||
} else
|
||||
#endif
|
||||
if (key->type != KEY_UNSPEC) {
|
||||
key_to_blob(key, &blob, &blen);
|
||||
buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY);
|
||||
buffer_put_string(&msg, blob, blen);
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,32 +1,47 @@
|
||||
/* $OpenBSD: authfile.h,v 1.17 2013/12/06 13:34:54 markus Exp $ */
|
||||
/* $OpenBSD: authfile.h,v 1.19 2014/07/03 23:18:35 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
* Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
|
||||
*
|
||||
* As far as I am concerned, the code I have written for this software
|
||||
* can be used freely for any purpose. Any derived versions of this
|
||||
* software must be clearly marked as such, and if the derived work is
|
||||
* incompatible with the protocol description in the RFC file, it must be
|
||||
* called by a name other than "ssh" or "Secure Shell".
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef AUTHFILE_H
|
||||
#define AUTHFILE_H
|
||||
|
||||
int key_save_private(Key *, const char *, const char *, const char *,
|
||||
int, const char *, int);
|
||||
int key_load_file(int, const char *, Buffer *);
|
||||
Key *key_load_cert(const char *);
|
||||
Key *key_load_public(const char *, char **);
|
||||
Key *key_load_public_type(int, const char *, char **);
|
||||
Key *key_parse_private(Buffer *, const char *, const char *, char **);
|
||||
Key *key_load_private(const char *, const char *, char **);
|
||||
Key *key_load_private_cert(int, const char *, const char *, int *);
|
||||
Key *key_load_private_type(int, const char *, const char *, char **, int *);
|
||||
Key *key_load_private_pem(int, int, const char *, char **);
|
||||
int key_perm_ok(int, const char *);
|
||||
int key_in_file(Key *, const char *, int);
|
||||
struct sshbuf;
|
||||
struct sshkey;
|
||||
|
||||
int sshkey_save_private(struct sshkey *, const char *,
|
||||
const char *, const char *, int, const char *, int);
|
||||
int sshkey_load_file(int, const char *, struct sshbuf *);
|
||||
int sshkey_load_cert(const char *, struct sshkey **);
|
||||
int sshkey_load_public(const char *, struct sshkey **, char **);
|
||||
int sshkey_load_private(const char *, const char *, struct sshkey **, char **);
|
||||
int sshkey_load_private_cert(int, const char *, const char *,
|
||||
struct sshkey **, int *);
|
||||
int sshkey_load_private_type(int, const char *, const char *,
|
||||
struct sshkey **, char **, int *);
|
||||
int sshkey_load_private_pem(int, int, const char *, struct sshkey **, char **);
|
||||
int sshkey_perm_ok(int, const char *);
|
||||
int sshkey_in_file(struct sshkey *, const char *, int);
|
||||
|
||||
#endif
|
||||
|
@ -1,70 +1,40 @@
|
||||
/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
|
||||
/* $OpenBSD: bufaux.c,v 1.60 2014/04/30 05:29:56 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
* Auxiliary functions for storing and retrieving various data types to/from
|
||||
* Buffers.
|
||||
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
|
||||
*
|
||||
* As far as I am concerned, the code I have written for this software
|
||||
* can be used freely for any purpose. Any derived versions of this
|
||||
* software must be clearly marked as such, and if the derived work is
|
||||
* incompatible with the protocol description in the RFC file, it must be
|
||||
* called by a name other than "ssh" or "Secure Shell".
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
*
|
||||
* SSH2 packet format added by Markus Friedl
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/bn.h>
|
||||
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
|
||||
/*
|
||||
* Returns integers from the buffer (msb first).
|
||||
*/
|
||||
#include "ssherr.h"
|
||||
|
||||
int
|
||||
buffer_get_short_ret(u_short *ret, Buffer *buffer)
|
||||
buffer_get_short_ret(u_short *v, Buffer *buffer)
|
||||
{
|
||||
u_char buf[2];
|
||||
int ret;
|
||||
|
||||
if (buffer_get_ret(buffer, (char *) buf, 2) == -1)
|
||||
return (-1);
|
||||
*ret = get_u16(buf);
|
||||
return (0);
|
||||
if ((ret = sshbuf_get_u16(buffer, v)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
u_short
|
||||
@ -73,21 +43,21 @@ buffer_get_short(Buffer *buffer)
|
||||
u_short ret;
|
||||
|
||||
if (buffer_get_short_ret(&ret, buffer) == -1)
|
||||
fatal("buffer_get_short: buffer error");
|
||||
fatal("%s: buffer error", __func__);
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
int
|
||||
buffer_get_int_ret(u_int *ret, Buffer *buffer)
|
||||
buffer_get_int_ret(u_int *v, Buffer *buffer)
|
||||
{
|
||||
u_char buf[4];
|
||||
int ret;
|
||||
|
||||
if (buffer_get_ret(buffer, (char *) buf, 4) == -1)
|
||||
return (-1);
|
||||
if (ret != NULL)
|
||||
*ret = get_u32(buf);
|
||||
return (0);
|
||||
if ((ret = sshbuf_get_u32(buffer, v)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
u_int
|
||||
@ -96,21 +66,21 @@ buffer_get_int(Buffer *buffer)
|
||||
u_int ret;
|
||||
|
||||
if (buffer_get_int_ret(&ret, buffer) == -1)
|
||||
fatal("buffer_get_int: buffer error");
|
||||
fatal("%s: buffer error", __func__);
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
int
|
||||
buffer_get_int64_ret(u_int64_t *ret, Buffer *buffer)
|
||||
buffer_get_int64_ret(u_int64_t *v, Buffer *buffer)
|
||||
{
|
||||
u_char buf[8];
|
||||
int ret;
|
||||
|
||||
if (buffer_get_ret(buffer, (char *) buf, 8) == -1)
|
||||
return (-1);
|
||||
if (ret != NULL)
|
||||
*ret = get_u64(buf);
|
||||
return (0);
|
||||
if ((ret = sshbuf_get_u64(buffer, v)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
u_int64_t
|
||||
@ -119,78 +89,52 @@ buffer_get_int64(Buffer *buffer)
|
||||
u_int64_t ret;
|
||||
|
||||
if (buffer_get_int64_ret(&ret, buffer) == -1)
|
||||
fatal("buffer_get_int: buffer error");
|
||||
fatal("%s: buffer error", __func__);
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
/*
|
||||
* Stores integers in the buffer, msb first.
|
||||
*/
|
||||
void
|
||||
buffer_put_short(Buffer *buffer, u_short value)
|
||||
{
|
||||
char buf[2];
|
||||
int ret;
|
||||
|
||||
put_u16(buf, value);
|
||||
buffer_append(buffer, buf, 2);
|
||||
if ((ret = sshbuf_put_u16(buffer, value)) != 0)
|
||||
fatal("%s: %s", __func__, ssh_err(ret));
|
||||
}
|
||||
|
||||
void
|
||||
buffer_put_int(Buffer *buffer, u_int value)
|
||||
{
|
||||
char buf[4];
|
||||
int ret;
|
||||
|
||||
put_u32(buf, value);
|
||||
buffer_append(buffer, buf, 4);
|
||||
if ((ret = sshbuf_put_u32(buffer, value)) != 0)
|
||||
fatal("%s: %s", __func__, ssh_err(ret));
|
||||
}
|
||||
|
||||
void
|
||||
buffer_put_int64(Buffer *buffer, u_int64_t value)
|
||||
{
|
||||
char buf[8];
|
||||
int ret;
|
||||
|
||||
put_u64(buf, value);
|
||||
buffer_append(buffer, buf, 8);
|
||||
if ((ret = sshbuf_put_u64(buffer, value)) != 0)
|
||||
fatal("%s: %s", __func__, ssh_err(ret));
|
||||
}
|
||||
|
||||
/*
|
||||
* Returns an arbitrary binary string from the buffer. The string cannot
|
||||
* be longer than 256k. The returned value points to memory allocated
|
||||
* with xmalloc; it is the responsibility of the calling function to free
|
||||
* the data. If length_ptr is non-NULL, the length of the returned data
|
||||
* will be stored there. A null character will be automatically appended
|
||||
* to the returned string, and is not counted in length.
|
||||
*/
|
||||
void *
|
||||
buffer_get_string_ret(Buffer *buffer, u_int *length_ptr)
|
||||
{
|
||||
size_t len;
|
||||
int ret;
|
||||
u_char *value;
|
||||
u_int len;
|
||||
|
||||
/* Get the length. */
|
||||
if (buffer_get_int_ret(&len, buffer) != 0) {
|
||||
error("buffer_get_string_ret: cannot extract length");
|
||||
return (NULL);
|
||||
if ((ret = sshbuf_get_string(buffer, &value, &len)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return NULL;
|
||||
}
|
||||
if (len > 256 * 1024) {
|
||||
error("buffer_get_string_ret: bad string length %u", len);
|
||||
return (NULL);
|
||||
}
|
||||
/* Allocate space for the string. Add one byte for a null character. */
|
||||
value = xmalloc(len + 1);
|
||||
/* Get the string. */
|
||||
if (buffer_get_ret(buffer, value, len) == -1) {
|
||||
error("buffer_get_string_ret: buffer_get failed");
|
||||
free(value);
|
||||
return (NULL);
|
||||
}
|
||||
/* Append a null character to make processing easier. */
|
||||
value[len] = '\0';
|
||||
/* Optionally return the length of the string. */
|
||||
if (length_ptr)
|
||||
*length_ptr = len;
|
||||
return (value);
|
||||
if (length_ptr != NULL)
|
||||
*length_ptr = len; /* Safe: sshbuf never stores len > 2^31 */
|
||||
return value;
|
||||
}
|
||||
|
||||
void *
|
||||
@ -199,31 +143,24 @@ buffer_get_string(Buffer *buffer, u_int *length_ptr)
|
||||
void *ret;
|
||||
|
||||
if ((ret = buffer_get_string_ret(buffer, length_ptr)) == NULL)
|
||||
fatal("buffer_get_string: buffer error");
|
||||
fatal("%s: buffer error", __func__);
|
||||
return (ret);
|
||||
}
|
||||
|
||||
char *
|
||||
buffer_get_cstring_ret(Buffer *buffer, u_int *length_ptr)
|
||||
{
|
||||
u_int length;
|
||||
char *cp, *ret = buffer_get_string_ret(buffer, &length);
|
||||
size_t len;
|
||||
int ret;
|
||||
char *value;
|
||||
|
||||
if (ret == NULL)
|
||||
if ((ret = sshbuf_get_cstring(buffer, &value, &len)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return NULL;
|
||||
if ((cp = memchr(ret, '\0', length)) != NULL) {
|
||||
/* XXX allow \0 at end-of-string for a while, remove later */
|
||||
if (cp == ret + length - 1)
|
||||
error("buffer_get_cstring_ret: string contains \\0");
|
||||
else {
|
||||
explicit_bzero(ret, length);
|
||||
free(ret);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
if (length_ptr != NULL)
|
||||
*length_ptr = length;
|
||||
return ret;
|
||||
*length_ptr = len; /* Safe: sshbuf never stores len > 2^31 */
|
||||
return value;
|
||||
}
|
||||
|
||||
char *
|
||||
@ -232,162 +169,91 @@ buffer_get_cstring(Buffer *buffer, u_int *length_ptr)
|
||||
char *ret;
|
||||
|
||||
if ((ret = buffer_get_cstring_ret(buffer, length_ptr)) == NULL)
|
||||
fatal("buffer_get_cstring: buffer error");
|
||||
fatal("%s: buffer error", __func__);
|
||||
return ret;
|
||||
}
|
||||
|
||||
void *
|
||||
const void *
|
||||
buffer_get_string_ptr_ret(Buffer *buffer, u_int *length_ptr)
|
||||
{
|
||||
void *ptr;
|
||||
u_int len;
|
||||
size_t len;
|
||||
int ret;
|
||||
const u_char *value;
|
||||
|
||||
if (buffer_get_int_ret(&len, buffer) != 0)
|
||||
return NULL;
|
||||
if (len > 256 * 1024) {
|
||||
error("buffer_get_string_ptr: bad string length %u", len);
|
||||
if ((ret = sshbuf_get_string_direct(buffer, &value, &len)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return NULL;
|
||||
}
|
||||
ptr = buffer_ptr(buffer);
|
||||
buffer_consume(buffer, len);
|
||||
if (length_ptr)
|
||||
*length_ptr = len;
|
||||
return (ptr);
|
||||
if (length_ptr != NULL)
|
||||
*length_ptr = len; /* Safe: sshbuf never stores len > 2^31 */
|
||||
return value;
|
||||
}
|
||||
|
||||
void *
|
||||
const void *
|
||||
buffer_get_string_ptr(Buffer *buffer, u_int *length_ptr)
|
||||
{
|
||||
void *ret;
|
||||
const void *ret;
|
||||
|
||||
if ((ret = buffer_get_string_ptr_ret(buffer, length_ptr)) == NULL)
|
||||
fatal("buffer_get_string_ptr: buffer error");
|
||||
fatal("%s: buffer error", __func__);
|
||||
return (ret);
|
||||
}
|
||||
|
||||
/*
|
||||
* Stores and arbitrary binary string in the buffer.
|
||||
*/
|
||||
void
|
||||
buffer_put_string(Buffer *buffer, const void *buf, u_int len)
|
||||
{
|
||||
buffer_put_int(buffer, len);
|
||||
buffer_append(buffer, buf, len);
|
||||
int ret;
|
||||
|
||||
if ((ret = sshbuf_put_string(buffer, buf, len)) != 0)
|
||||
fatal("%s: %s", __func__, ssh_err(ret));
|
||||
}
|
||||
|
||||
void
|
||||
buffer_put_cstring(Buffer *buffer, const char *s)
|
||||
{
|
||||
if (s == NULL)
|
||||
fatal("buffer_put_cstring: s == NULL");
|
||||
buffer_put_string(buffer, s, strlen(s));
|
||||
int ret;
|
||||
|
||||
if ((ret = sshbuf_put_cstring(buffer, s)) != 0)
|
||||
fatal("%s: %s", __func__, ssh_err(ret));
|
||||
}
|
||||
|
||||
/*
|
||||
* Returns a character from the buffer (0 - 255).
|
||||
*/
|
||||
int
|
||||
buffer_get_char_ret(u_char *ret, Buffer *buffer)
|
||||
buffer_get_char_ret(char *v, Buffer *buffer)
|
||||
{
|
||||
if (buffer_get_ret(buffer, ret, 1) == -1) {
|
||||
error("buffer_get_char_ret: buffer_get_ret failed");
|
||||
return (-1);
|
||||
int ret;
|
||||
|
||||
if ((ret = sshbuf_get_u8(buffer, (u_char *)v)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return -1;
|
||||
}
|
||||
return (0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
buffer_get_char(Buffer *buffer)
|
||||
{
|
||||
u_char ch;
|
||||
char ch;
|
||||
|
||||
if (buffer_get_char_ret(&ch, buffer) == -1)
|
||||
fatal("buffer_get_char: buffer error");
|
||||
return ch;
|
||||
fatal("%s: buffer error", __func__);
|
||||
return (u_char) ch;
|
||||
}
|
||||
|
||||
/*
|
||||
* Stores a character in the buffer.
|
||||
*/
|
||||
void
|
||||
buffer_put_char(Buffer *buffer, int value)
|
||||
{
|
||||
char ch = value;
|
||||
int ret;
|
||||
|
||||
buffer_append(buffer, &ch, 1);
|
||||
if ((ret = sshbuf_put_u8(buffer, value)) != 0)
|
||||
fatal("%s: %s", __func__, ssh_err(ret));
|
||||
}
|
||||
|
||||
/* Pseudo bignum functions */
|
||||
|
||||
void *
|
||||
buffer_get_bignum2_as_string_ret(Buffer *buffer, u_int *length_ptr)
|
||||
{
|
||||
u_int len;
|
||||
u_char *bin, *p, *ret;
|
||||
|
||||
if ((p = bin = buffer_get_string_ret(buffer, &len)) == NULL) {
|
||||
error("%s: invalid bignum", __func__);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (len > 0 && (bin[0] & 0x80)) {
|
||||
error("%s: negative numbers not supported", __func__);
|
||||
free(bin);
|
||||
return NULL;
|
||||
}
|
||||
if (len > 8 * 1024) {
|
||||
error("%s: cannot handle BN of size %d", __func__, len);
|
||||
free(bin);
|
||||
return NULL;
|
||||
}
|
||||
/* Skip zero prefix on numbers with the MSB set */
|
||||
if (len > 1 && bin[0] == 0x00 && (bin[1] & 0x80) != 0) {
|
||||
p++;
|
||||
len--;
|
||||
}
|
||||
ret = xmalloc(len);
|
||||
memcpy(ret, p, len);
|
||||
explicit_bzero(p, len);
|
||||
free(bin);
|
||||
return ret;
|
||||
}
|
||||
|
||||
void *
|
||||
buffer_get_bignum2_as_string(Buffer *buffer, u_int *l)
|
||||
{
|
||||
void *ret = buffer_get_bignum2_as_string_ret(buffer, l);
|
||||
|
||||
if (ret == NULL)
|
||||
fatal("%s: buffer error", __func__);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* Stores a string using the bignum encoding rules (\0 pad if MSB set).
|
||||
*/
|
||||
void
|
||||
buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
|
||||
{
|
||||
u_char *buf, *p;
|
||||
int pad = 0;
|
||||
int ret;
|
||||
|
||||
if (l > 8 * 1024)
|
||||
fatal("%s: length %u too long", __func__, l);
|
||||
/* Skip leading zero bytes */
|
||||
for (; l > 0 && *s == 0; l--, s++)
|
||||
;
|
||||
p = buf = xmalloc(l + 1);
|
||||
/*
|
||||
* If most significant bit is set then prepend a zero byte to
|
||||
* avoid interpretation as a negative number.
|
||||
*/
|
||||
if (l > 0 && (s[0] & 0x80) != 0) {
|
||||
*p++ = '\0';
|
||||
pad = 1;
|
||||
}
|
||||
memcpy(p, s, l);
|
||||
buffer_put_string(buffer, buf, l + pad);
|
||||
explicit_bzero(buf, l + pad);
|
||||
free(buf);
|
||||
if ((ret = sshbuf_put_bignum2_bytes(buffer, s, l)) != 0)
|
||||
fatal("%s: %s", __func__, ssh_err(ret));
|
||||
}
|
||||
|
||||
|
||||
|
@ -1,229 +1,103 @@
|
||||
/* $OpenBSD: bufbn.c,v 1.11 2014/02/27 08:25:09 djm Exp $*/
|
||||
/* $OpenBSD: bufbn.c,v 1.12 2014/04/30 05:29:56 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
* Auxiliary functions for storing and retrieving various data types to/from
|
||||
* Buffers.
|
||||
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
|
||||
*
|
||||
* As far as I am concerned, the code I have written for this software
|
||||
* can be used freely for any purpose. Any derived versions of this
|
||||
* software must be clearly marked as such, and if the derived work is
|
||||
* incompatible with the protocol description in the RFC file, it must be
|
||||
* called by a name other than "ssh" or "Secure Shell".
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
*
|
||||
* SSH2 packet format added by Markus Friedl
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/bn.h>
|
||||
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
/*
|
||||
* Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed
|
||||
* by (bits+7)/8 bytes of binary data, msb first.
|
||||
*/
|
||||
int
|
||||
buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
int bits = BN_num_bits(value);
|
||||
int bin_size = (bits + 7) / 8;
|
||||
u_char *buf = xmalloc(bin_size);
|
||||
int oi;
|
||||
char msg[2];
|
||||
int ret;
|
||||
|
||||
/* Get the value of in binary */
|
||||
oi = BN_bn2bin(value, buf);
|
||||
if (oi != bin_size) {
|
||||
error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
|
||||
oi, bin_size);
|
||||
free(buf);
|
||||
return (-1);
|
||||
if ((ret = sshbuf_put_bignum1(buffer, value)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Store the number of bits in the buffer in two bytes, msb first. */
|
||||
put_u16(msg, bits);
|
||||
buffer_append(buffer, msg, 2);
|
||||
/* Store the binary data. */
|
||||
buffer_append(buffer, buf, oi);
|
||||
|
||||
explicit_bzero(buf, bin_size);
|
||||
free(buf);
|
||||
|
||||
return (0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
if (buffer_put_bignum_ret(buffer, value) == -1)
|
||||
fatal("buffer_put_bignum: buffer error");
|
||||
fatal("%s: buffer error", __func__);
|
||||
}
|
||||
|
||||
/*
|
||||
* Retrieves a BIGNUM from the buffer.
|
||||
*/
|
||||
int
|
||||
buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
u_int bits, bytes;
|
||||
u_char buf[2], *bin;
|
||||
int ret;
|
||||
|
||||
/* Get the number of bits. */
|
||||
if (buffer_get_ret(buffer, (char *) buf, 2) == -1) {
|
||||
error("buffer_get_bignum_ret: invalid length");
|
||||
return (-1);
|
||||
if ((ret = sshbuf_get_bignum1(buffer, value)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return -1;
|
||||
}
|
||||
bits = get_u16(buf);
|
||||
if (bits > 65535-7) {
|
||||
error("buffer_get_bignum_ret: cannot handle BN of size %d",
|
||||
bits);
|
||||
return (-1);
|
||||
}
|
||||
/* Compute the number of binary bytes that follow. */
|
||||
bytes = (bits + 7) / 8;
|
||||
if (bytes > 8 * 1024) {
|
||||
error("buffer_get_bignum_ret: cannot handle BN of size %d", bytes);
|
||||
return (-1);
|
||||
}
|
||||
if (buffer_len(buffer) < bytes) {
|
||||
error("buffer_get_bignum_ret: input buffer too small");
|
||||
return (-1);
|
||||
}
|
||||
bin = buffer_ptr(buffer);
|
||||
if (BN_bin2bn(bin, bytes, value) == NULL) {
|
||||
error("buffer_get_bignum_ret: BN_bin2bn failed");
|
||||
return (-1);
|
||||
}
|
||||
if (buffer_consume_ret(buffer, bytes) == -1) {
|
||||
error("buffer_get_bignum_ret: buffer_consume failed");
|
||||
return (-1);
|
||||
}
|
||||
return (0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
buffer_get_bignum(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
if (buffer_get_bignum_ret(buffer, value) == -1)
|
||||
fatal("buffer_get_bignum: buffer error");
|
||||
fatal("%s: buffer error", __func__);
|
||||
}
|
||||
|
||||
/*
|
||||
* Stores a BIGNUM in the buffer in SSH2 format.
|
||||
*/
|
||||
int
|
||||
buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
u_int bytes;
|
||||
u_char *buf;
|
||||
int oi;
|
||||
u_int hasnohigh = 0;
|
||||
int ret;
|
||||
|
||||
if (BN_is_zero(value)) {
|
||||
buffer_put_int(buffer, 0);
|
||||
return 0;
|
||||
if ((ret = sshbuf_put_bignum2(buffer, value)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return -1;
|
||||
}
|
||||
if (value->neg) {
|
||||
error("buffer_put_bignum2_ret: negative numbers not supported");
|
||||
return (-1);
|
||||
}
|
||||
bytes = BN_num_bytes(value) + 1; /* extra padding byte */
|
||||
if (bytes < 2) {
|
||||
error("buffer_put_bignum2_ret: BN too small");
|
||||
return (-1);
|
||||
}
|
||||
buf = xmalloc(bytes);
|
||||
buf[0] = 0x00;
|
||||
/* Get the value of in binary */
|
||||
oi = BN_bn2bin(value, buf+1);
|
||||
if (oi < 0 || (u_int)oi != bytes - 1) {
|
||||
error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
|
||||
"oi %d != bin_size %d", oi, bytes);
|
||||
free(buf);
|
||||
return (-1);
|
||||
}
|
||||
hasnohigh = (buf[1] & 0x80) ? 0 : 1;
|
||||
buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
|
||||
explicit_bzero(buf, bytes);
|
||||
free(buf);
|
||||
return (0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
buffer_put_bignum2(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
if (buffer_put_bignum2_ret(buffer, value) == -1)
|
||||
fatal("buffer_put_bignum2: buffer error");
|
||||
fatal("%s: buffer error", __func__);
|
||||
}
|
||||
|
||||
int
|
||||
buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
u_int len;
|
||||
u_char *bin;
|
||||
int ret;
|
||||
|
||||
if ((bin = buffer_get_string_ret(buffer, &len)) == NULL) {
|
||||
error("buffer_get_bignum2_ret: invalid bignum");
|
||||
return (-1);
|
||||
if ((ret = sshbuf_get_bignum2(buffer, value)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (len > 0 && (bin[0] & 0x80)) {
|
||||
error("buffer_get_bignum2_ret: negative numbers not supported");
|
||||
free(bin);
|
||||
return (-1);
|
||||
}
|
||||
if (len > 8 * 1024) {
|
||||
error("buffer_get_bignum2_ret: cannot handle BN of size %d",
|
||||
len);
|
||||
free(bin);
|
||||
return (-1);
|
||||
}
|
||||
if (BN_bin2bn(bin, len, value) == NULL) {
|
||||
error("buffer_get_bignum2_ret: BN_bin2bn failed");
|
||||
free(bin);
|
||||
return (-1);
|
||||
}
|
||||
free(bin);
|
||||
return (0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
if (buffer_get_bignum2_ret(buffer, value) == -1)
|
||||
fatal("buffer_get_bignum2: buffer error");
|
||||
fatal("%s: buffer error", __func__);
|
||||
}
|
||||
|
@ -1,6 +1,7 @@
|
||||
/* $OpenBSD: bufec.c,v 1.3 2014/01/31 16:39:19 tedu Exp $ */
|
||||
/* $OpenBSD: bufec.c,v 1.4 2014/04/30 05:29:56 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2010 Damien Miller <djm@mindrot.org>
|
||||
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
@ -15,73 +16,29 @@
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
|
||||
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/ec.h>
|
||||
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
/*
|
||||
* Maximum supported EC GFp field length is 528 bits. SEC1 uncompressed
|
||||
* encoding represents this as two bitstring points that should each
|
||||
* be no longer than the field length, SEC1 specifies a 1 byte
|
||||
* point type header.
|
||||
* Being paranoid here may insulate us to parsing problems in
|
||||
* EC_POINT_oct2point.
|
||||
*/
|
||||
#define BUFFER_MAX_ECPOINT_LEN ((528*2 / 8) + 1)
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
|
||||
/*
|
||||
* Append an EC_POINT to the buffer as a string containing a SEC1 encoded
|
||||
* uncompressed point. Fortunately OpenSSL handles the gory details for us.
|
||||
*/
|
||||
int
|
||||
buffer_put_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
|
||||
const EC_POINT *point)
|
||||
{
|
||||
u_char *buf = NULL;
|
||||
size_t len;
|
||||
BN_CTX *bnctx;
|
||||
int ret = -1;
|
||||
int ret;
|
||||
|
||||
/* Determine length */
|
||||
if ((bnctx = BN_CTX_new()) == NULL)
|
||||
fatal("%s: BN_CTX_new failed", __func__);
|
||||
len = EC_POINT_point2oct(curve, point, POINT_CONVERSION_UNCOMPRESSED,
|
||||
NULL, 0, bnctx);
|
||||
if (len > BUFFER_MAX_ECPOINT_LEN) {
|
||||
error("%s: giant EC point: len = %lu (max %u)",
|
||||
__func__, (u_long)len, BUFFER_MAX_ECPOINT_LEN);
|
||||
goto out;
|
||||
if ((ret = sshbuf_put_ec(buffer, point, curve)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return -1;
|
||||
}
|
||||
/* Convert */
|
||||
buf = xmalloc(len);
|
||||
if (EC_POINT_point2oct(curve, point, POINT_CONVERSION_UNCOMPRESSED,
|
||||
buf, len, bnctx) != len) {
|
||||
error("%s: EC_POINT_point2oct length mismatch", __func__);
|
||||
goto out;
|
||||
}
|
||||
/* Append */
|
||||
buffer_put_string(buffer, buf, len);
|
||||
ret = 0;
|
||||
out:
|
||||
if (buf != NULL) {
|
||||
explicit_bzero(buf, len);
|
||||
free(buf);
|
||||
}
|
||||
BN_CTX_free(bnctx);
|
||||
return ret;
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
@ -96,43 +53,13 @@ int
|
||||
buffer_get_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
|
||||
EC_POINT *point)
|
||||
{
|
||||
u_char *buf;
|
||||
u_int len;
|
||||
BN_CTX *bnctx;
|
||||
int ret = -1;
|
||||
int ret;
|
||||
|
||||
if ((buf = buffer_get_string_ret(buffer, &len)) == NULL) {
|
||||
error("%s: invalid point", __func__);
|
||||
if ((ret = sshbuf_get_ec(buffer, point, curve)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return -1;
|
||||
}
|
||||
if ((bnctx = BN_CTX_new()) == NULL)
|
||||
fatal("%s: BN_CTX_new failed", __func__);
|
||||
if (len > BUFFER_MAX_ECPOINT_LEN) {
|
||||
error("%s: EC_POINT too long: %u > max %u", __func__,
|
||||
len, BUFFER_MAX_ECPOINT_LEN);
|
||||
goto out;
|
||||
}
|
||||
if (len == 0) {
|
||||
error("%s: EC_POINT buffer is empty", __func__);
|
||||
goto out;
|
||||
}
|
||||
if (buf[0] != POINT_CONVERSION_UNCOMPRESSED) {
|
||||
error("%s: EC_POINT is in an incorrect form: "
|
||||
"0x%02x (want 0x%02x)", __func__, buf[0],
|
||||
POINT_CONVERSION_UNCOMPRESSED);
|
||||
goto out;
|
||||
}
|
||||
if (EC_POINT_oct2point(curve, point, buf, len, bnctx) != 1) {
|
||||
error("buffer_get_bignum2_ret: BN_bin2bn failed");
|
||||
goto out;
|
||||
}
|
||||
/* EC_POINT_oct2point verifies that the point is on the curve for us */
|
||||
ret = 0;
|
||||
out:
|
||||
BN_CTX_free(bnctx);
|
||||
explicit_bzero(buf, len);
|
||||
free(buf);
|
||||
return ret;
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
@ -144,3 +71,4 @@ buffer_get_ecpoint(Buffer *buffer, const EC_GROUP *curve,
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_HAS_ECC */
|
||||
|
||||
|
@ -1,254 +1,119 @@
|
||||
/* $OpenBSD: buffer.c,v 1.35 2014/02/02 03:44:31 djm Exp $ */
|
||||
/* $OpenBSD: buffer.c,v 1.36 2014/04/30 05:29:56 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
* Functions for manipulating fifo buffers (that can grow if needed).
|
||||
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
|
||||
*
|
||||
* As far as I am concerned, the code I have written for this software
|
||||
* can be used freely for any purpose. Any derived versions of this
|
||||
* software must be clearly marked as such, and if the derived work is
|
||||
* incompatible with the protocol description in the RFC file, it must be
|
||||
* called by a name other than "ssh" or "Secure Shell".
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
|
||||
|
||||
#include "includes.h"
|
||||
__RCSID("$FreeBSD$");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
|
||||
#define BUFFER_MAX_CHUNK 0x100000
|
||||
#define BUFFER_MAX_LEN 0xa00000
|
||||
#define BUFFER_ALLOCSZ 0x008000
|
||||
|
||||
/* Initializes the buffer structure. */
|
||||
|
||||
void
|
||||
buffer_init(Buffer *buffer)
|
||||
{
|
||||
const u_int len = 4096;
|
||||
|
||||
buffer->alloc = 0;
|
||||
buffer->buf = xmalloc(len);
|
||||
buffer->alloc = len;
|
||||
buffer->offset = 0;
|
||||
buffer->end = 0;
|
||||
}
|
||||
|
||||
/* Frees any memory used for the buffer. */
|
||||
|
||||
void
|
||||
buffer_free(Buffer *buffer)
|
||||
{
|
||||
if (buffer->alloc > 0) {
|
||||
explicit_bzero(buffer->buf, buffer->alloc);
|
||||
buffer->alloc = 0;
|
||||
free(buffer->buf);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Clears any data from the buffer, making it empty. This does not actually
|
||||
* zero the memory.
|
||||
*/
|
||||
|
||||
void
|
||||
buffer_clear(Buffer *buffer)
|
||||
{
|
||||
buffer->offset = 0;
|
||||
buffer->end = 0;
|
||||
}
|
||||
|
||||
/* Appends data to the buffer, expanding it if necessary. */
|
||||
#include "ssherr.h"
|
||||
|
||||
void
|
||||
buffer_append(Buffer *buffer, const void *data, u_int len)
|
||||
{
|
||||
void *p;
|
||||
p = buffer_append_space(buffer, len);
|
||||
memcpy(p, data, len);
|
||||
}
|
||||
int ret;
|
||||
|
||||
static int
|
||||
buffer_compact(Buffer *buffer)
|
||||
{
|
||||
/*
|
||||
* If the buffer is quite empty, but all data is at the end, move the
|
||||
* data to the beginning.
|
||||
*/
|
||||
if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
|
||||
memmove(buffer->buf, buffer->buf + buffer->offset,
|
||||
buffer->end - buffer->offset);
|
||||
buffer->end -= buffer->offset;
|
||||
buffer->offset = 0;
|
||||
return (1);
|
||||
}
|
||||
return (0);
|
||||
if ((ret = sshbuf_put(buffer, data, len)) != 0)
|
||||
fatal("%s: %s", __func__, ssh_err(ret));
|
||||
}
|
||||
|
||||
/*
|
||||
* Appends space to the buffer, expanding the buffer if necessary. This does
|
||||
* not actually copy the data into the buffer, but instead returns a pointer
|
||||
* to the allocated region.
|
||||
*/
|
||||
|
||||
void *
|
||||
buffer_append_space(Buffer *buffer, u_int len)
|
||||
{
|
||||
u_int newlen;
|
||||
void *p;
|
||||
int ret;
|
||||
u_char *p;
|
||||
|
||||
if (len > BUFFER_MAX_CHUNK)
|
||||
fatal("buffer_append_space: len %u not supported", len);
|
||||
|
||||
/* If the buffer is empty, start using it from the beginning. */
|
||||
if (buffer->offset == buffer->end) {
|
||||
buffer->offset = 0;
|
||||
buffer->end = 0;
|
||||
}
|
||||
restart:
|
||||
/* If there is enough space to store all data, store it now. */
|
||||
if (buffer->end + len < buffer->alloc) {
|
||||
p = buffer->buf + buffer->end;
|
||||
buffer->end += len;
|
||||
return p;
|
||||
}
|
||||
|
||||
/* Compact data back to the start of the buffer if necessary */
|
||||
if (buffer_compact(buffer))
|
||||
goto restart;
|
||||
|
||||
/* Increase the size of the buffer and retry. */
|
||||
newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ);
|
||||
if (newlen > BUFFER_MAX_LEN)
|
||||
fatal("buffer_append_space: alloc %u not supported",
|
||||
newlen);
|
||||
buffer->buf = xrealloc(buffer->buf, 1, newlen);
|
||||
buffer->alloc = newlen;
|
||||
goto restart;
|
||||
/* NOTREACHED */
|
||||
if ((ret = sshbuf_reserve(buffer, len, &p)) != 0)
|
||||
fatal("%s: %s", __func__, ssh_err(ret));
|
||||
return p;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check whether an allocation of 'len' will fit in the buffer
|
||||
* This must follow the same math as buffer_append_space
|
||||
*/
|
||||
int
|
||||
buffer_check_alloc(Buffer *buffer, u_int len)
|
||||
{
|
||||
if (buffer->offset == buffer->end) {
|
||||
buffer->offset = 0;
|
||||
buffer->end = 0;
|
||||
}
|
||||
restart:
|
||||
if (buffer->end + len < buffer->alloc)
|
||||
return (1);
|
||||
if (buffer_compact(buffer))
|
||||
goto restart;
|
||||
if (roundup(buffer->alloc + len, BUFFER_ALLOCSZ) <= BUFFER_MAX_LEN)
|
||||
return (1);
|
||||
return (0);
|
||||
int ret = sshbuf_check_reserve(buffer, len);
|
||||
|
||||
if (ret == 0)
|
||||
return 1;
|
||||
if (ret == SSH_ERR_NO_BUFFER_SPACE)
|
||||
return 0;
|
||||
fatal("%s: %s", __func__, ssh_err(ret));
|
||||
}
|
||||
|
||||
/* Returns the number of bytes of data in the buffer. */
|
||||
|
||||
u_int
|
||||
buffer_len(const Buffer *buffer)
|
||||
{
|
||||
return buffer->end - buffer->offset;
|
||||
}
|
||||
|
||||
/* Gets data from the beginning of the buffer. */
|
||||
|
||||
int
|
||||
buffer_get_ret(Buffer *buffer, void *buf, u_int len)
|
||||
{
|
||||
if (len > buffer->end - buffer->offset) {
|
||||
error("buffer_get_ret: trying to get more bytes %d than in buffer %d",
|
||||
len, buffer->end - buffer->offset);
|
||||
return (-1);
|
||||
int ret;
|
||||
|
||||
if ((ret = sshbuf_get(buffer, buf, len)) != 0) {
|
||||
error("%s: %s", __func__, ssh_err(ret));
|
||||
return -1;
|
||||
}
|
||||
memcpy(buf, buffer->buf + buffer->offset, len);
|
||||
buffer->offset += len;
|
||||
return (0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
buffer_get(Buffer *buffer, void *buf, u_int len)
|
||||
{
|
||||
if (buffer_get_ret(buffer, buf, len) == -1)
|
||||
fatal("buffer_get: buffer error");
|
||||
fatal("%s: buffer error", __func__);
|
||||
}
|
||||
|
||||
/* Consumes the given number of bytes from the beginning of the buffer. */
|
||||
|
||||
int
|
||||
buffer_consume_ret(Buffer *buffer, u_int bytes)
|
||||
{
|
||||
if (bytes > buffer->end - buffer->offset) {
|
||||
error("buffer_consume_ret: trying to get more bytes than in buffer");
|
||||
return (-1);
|
||||
}
|
||||
buffer->offset += bytes;
|
||||
return (0);
|
||||
int ret = sshbuf_consume(buffer, bytes);
|
||||
|
||||
if (ret == 0)
|
||||
return 0;
|
||||
if (ret == SSH_ERR_MESSAGE_INCOMPLETE)
|
||||
return -1;
|
||||
fatal("%s: %s", __func__, ssh_err(ret));
|
||||
}
|
||||
|
||||
void
|
||||
buffer_consume(Buffer *buffer, u_int bytes)
|
||||
{
|
||||
if (buffer_consume_ret(buffer, bytes) == -1)
|
||||
fatal("buffer_consume: buffer error");
|
||||
fatal("%s: buffer error", __func__);
|
||||
}
|
||||
|
||||
/* Consumes the given number of bytes from the end of the buffer. */
|
||||
|
||||
int
|
||||
buffer_consume_end_ret(Buffer *buffer, u_int bytes)
|
||||
{
|
||||
if (bytes > buffer->end - buffer->offset)
|
||||
return (-1);
|
||||
buffer->end -= bytes;
|
||||
return (0);
|
||||
int ret = sshbuf_consume_end(buffer, bytes);
|
||||
|
||||
if (ret == 0)
|
||||
return 0;
|
||||
if (ret == SSH_ERR_MESSAGE_INCOMPLETE)
|
||||
return -1;
|
||||
fatal("%s: %s", __func__, ssh_err(ret));
|
||||
}
|
||||
|
||||
void
|
||||
buffer_consume_end(Buffer *buffer, u_int bytes)
|
||||
{
|
||||
if (buffer_consume_end_ret(buffer, bytes) == -1)
|
||||
fatal("buffer_consume_end: trying to get more bytes than in buffer");
|
||||
fatal("%s: buffer error", __func__);
|
||||
}
|
||||
|
||||
/* Returns a pointer to the first used byte in the buffer. */
|
||||
|
||||
void *
|
||||
buffer_ptr(const Buffer *buffer)
|
||||
{
|
||||
return buffer->buf + buffer->offset;
|
||||
}
|
||||
|
||||
/* Dumps the contents of the buffer to stderr. */
|
||||
|
||||
void
|
||||
buffer_dump(const Buffer *buffer)
|
||||
{
|
||||
u_int i;
|
||||
u_char *ucp = buffer->buf;
|
||||
|
||||
for (i = buffer->offset; i < buffer->end; i++) {
|
||||
fprintf(stderr, "%02x", ucp[i]);
|
||||
if ((i-buffer->offset)%16==15)
|
||||
fprintf(stderr, "\r\n");
|
||||
else if ((i-buffer->offset)%2==1)
|
||||
fprintf(stderr, " ");
|
||||
}
|
||||
fprintf(stderr, "\r\n");
|
||||
}
|
||||
|
@ -1,58 +1,59 @@
|
||||
/* $OpenBSD: buffer.h,v 1.23 2014/01/12 08:13:13 djm Exp $ */
|
||||
/* $OpenBSD: buffer.h,v 1.25 2014/04/30 05:29:56 djm Exp $ */
|
||||
/* $FreeBSD$ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
* Code for manipulating FIFO buffers.
|
||||
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
|
||||
*
|
||||
* As far as I am concerned, the code I have written for this software
|
||||
* can be used freely for any purpose. Any derived versions of this
|
||||
* software must be clearly marked as such, and if the derived work is
|
||||
* incompatible with the protocol description in the RFC file, it must be
|
||||
* called by a name other than "ssh" or "Secure Shell".
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
|
||||
|
||||
#ifndef BUFFER_H
|
||||
#define BUFFER_H
|
||||
|
||||
typedef struct {
|
||||
u_char *buf; /* Buffer for data. */
|
||||
u_int alloc; /* Number of bytes allocated for data. */
|
||||
u_int offset; /* Offset of first byte containing data. */
|
||||
u_int end; /* Offset of last byte containing data. */
|
||||
} Buffer;
|
||||
#include "sshbuf.h"
|
||||
|
||||
void buffer_init(Buffer *);
|
||||
void buffer_clear(Buffer *);
|
||||
void buffer_free(Buffer *);
|
||||
typedef struct sshbuf Buffer;
|
||||
|
||||
u_int buffer_len(const Buffer *);
|
||||
void *buffer_ptr(const Buffer *);
|
||||
#define buffer_init(b) sshbuf_init(b)
|
||||
#define buffer_clear(b) sshbuf_reset(b)
|
||||
#define buffer_free(b) sshbuf_free(b)
|
||||
#define buffer_dump(b) sshbuf_dump(b, stderr)
|
||||
|
||||
/* XXX cast is safe: sshbuf never stores more than len 2^31 */
|
||||
#define buffer_len(b) ((u_int) sshbuf_len(b))
|
||||
#define buffer_ptr(b) sshbuf_mutable_ptr(b)
|
||||
|
||||
void buffer_append(Buffer *, const void *, u_int);
|
||||
void *buffer_append_space(Buffer *, u_int);
|
||||
|
||||
int buffer_check_alloc(Buffer *, u_int);
|
||||
|
||||
void buffer_get(Buffer *, void *, u_int);
|
||||
|
||||
void buffer_consume(Buffer *, u_int);
|
||||
void buffer_consume_end(Buffer *, u_int);
|
||||
|
||||
void buffer_dump(const Buffer *);
|
||||
|
||||
int buffer_get_ret(Buffer *, void *, u_int);
|
||||
int buffer_consume_ret(Buffer *, u_int);
|
||||
int buffer_consume_end_ret(Buffer *, u_int);
|
||||
|
||||
#include <openssl/bn.h>
|
||||
|
||||
void buffer_put_bignum(Buffer *, const BIGNUM *);
|
||||
void buffer_put_bignum2(Buffer *, const BIGNUM *);
|
||||
void buffer_get_bignum(Buffer *, BIGNUM *);
|
||||
void buffer_get_bignum2(Buffer *, BIGNUM *);
|
||||
void buffer_put_bignum2_from_string(Buffer *, const u_char *, u_int);
|
||||
|
||||
u_short buffer_get_short(Buffer *);
|
||||
void buffer_put_short(Buffer *, u_short);
|
||||
@ -67,13 +68,12 @@ int buffer_get_char(Buffer *);
|
||||
void buffer_put_char(Buffer *, int);
|
||||
|
||||
void *buffer_get_string(Buffer *, u_int *);
|
||||
void *buffer_get_string_ptr(Buffer *, u_int *);
|
||||
const void *buffer_get_string_ptr(Buffer *, u_int *);
|
||||
void buffer_put_string(Buffer *, const void *, u_int);
|
||||
char *buffer_get_cstring(Buffer *, u_int *);
|
||||
void buffer_put_cstring(Buffer *, const char *);
|
||||
|
||||
#define buffer_skip_string(b) \
|
||||
do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while (0)
|
||||
#define buffer_skip_string(b) (void)buffer_get_string_ptr(b, NULL);
|
||||
|
||||
int buffer_put_bignum_ret(Buffer *, const BIGNUM *);
|
||||
int buffer_get_bignum_ret(Buffer *, BIGNUM *);
|
||||
@ -84,20 +84,16 @@ int buffer_get_int_ret(u_int *, Buffer *);
|
||||
int buffer_get_int64_ret(u_int64_t *, Buffer *);
|
||||
void *buffer_get_string_ret(Buffer *, u_int *);
|
||||
char *buffer_get_cstring_ret(Buffer *, u_int *);
|
||||
void *buffer_get_string_ptr_ret(Buffer *, u_int *);
|
||||
int buffer_get_char_ret(u_char *, Buffer *);
|
||||
|
||||
void *buffer_get_bignum2_as_string_ret(Buffer *, u_int *);
|
||||
void *buffer_get_bignum2_as_string(Buffer *, u_int *);
|
||||
void buffer_put_bignum2_from_string(Buffer *, const u_char *, u_int);
|
||||
const void *buffer_get_string_ptr_ret(Buffer *, u_int *);
|
||||
int buffer_get_char_ret(char *, Buffer *);
|
||||
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
#include <openssl/ec.h>
|
||||
|
||||
int buffer_put_ecpoint_ret(Buffer *, const EC_GROUP *, const EC_POINT *);
|
||||
void buffer_put_ecpoint(Buffer *, const EC_GROUP *, const EC_POINT *);
|
||||
int buffer_get_ecpoint_ret(Buffer *, const EC_GROUP *, EC_POINT *);
|
||||
void buffer_get_ecpoint(Buffer *, const EC_GROUP *, EC_POINT *);
|
||||
#endif
|
||||
|
||||
#endif /* BUFFER_H */
|
||||
#endif /* BUFFER_H */
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: canohost.c,v 1.70 2014/01/19 04:17:29 dtucker Exp $ */
|
||||
/* $OpenBSD: canohost.c,v 1.71 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -16,6 +16,7 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/un.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
@ -262,6 +263,11 @@ get_socket_address(int sock, int remote, int flags)
|
||||
if (addr.ss_family == AF_INET6)
|
||||
addrlen = sizeof(struct sockaddr_in6);
|
||||
|
||||
if (addr.ss_family == AF_UNIX) {
|
||||
/* Get the Unix domain socket path. */
|
||||
return xstrdup(((struct sockaddr_un *)&addr)->sun_path);
|
||||
}
|
||||
|
||||
ipv64_normalise_mapped(&addr, &addrlen);
|
||||
|
||||
/* Get the address in ascii. */
|
||||
@ -384,6 +390,10 @@ get_sock_port(int sock, int local)
|
||||
if (from.ss_family == AF_INET6)
|
||||
fromlen = sizeof(struct sockaddr_in6);
|
||||
|
||||
/* Unix domain sockets don't have a port number. */
|
||||
if (from.ss_family == AF_UNIX)
|
||||
return 0;
|
||||
|
||||
/* Return port number. */
|
||||
if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0,
|
||||
strport, sizeof(strport), NI_NUMERICSERV)) != 0)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: chacha.h,v 1.1 2013/11/21 00:45:44 djm Exp $ */
|
||||
/* $OpenBSD: chacha.h,v 1.3 2014/05/02 03:27:54 djm Exp $ */
|
||||
|
||||
/*
|
||||
chacha-merged.c version 20080118
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: channels.h,v 1.113 2013/06/07 15:37:52 dtucker Exp $ */
|
||||
/* $OpenBSD: channels.h,v 1.115 2014/07/15 15:54:14 millert Exp $ */
|
||||
/* $FreeBSD$ */
|
||||
|
||||
/*
|
||||
@ -57,7 +57,9 @@
|
||||
#define SSH_CHANNEL_MUX_LISTENER 15 /* Listener for mux conn. */
|
||||
#define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */
|
||||
#define SSH_CHANNEL_ABANDONED 17 /* Abandoned session, eg mux */
|
||||
#define SSH_CHANNEL_MAX_TYPE 18
|
||||
#define SSH_CHANNEL_UNIX_LISTENER 18 /* Listening on a domain socket. */
|
||||
#define SSH_CHANNEL_RUNIX_LISTENER 19 /* Listening to a R-style domain socket. */
|
||||
#define SSH_CHANNEL_MAX_TYPE 20
|
||||
|
||||
#define CHANNEL_CANCEL_PORT_STATIC -1
|
||||
|
||||
@ -255,6 +257,8 @@ char *channel_open_message(void);
|
||||
int channel_find_open(void);
|
||||
|
||||
/* tcp forwarding */
|
||||
struct Forward;
|
||||
struct ForwardOptions;
|
||||
void channel_set_af(int af);
|
||||
void channel_permit_all_opens(void);
|
||||
void channel_add_permitted_opens(char *, int);
|
||||
@ -264,18 +268,19 @@ void channel_update_permitted_opens(int, int);
|
||||
void channel_clear_permitted_opens(void);
|
||||
void channel_clear_adm_permitted_opens(void);
|
||||
void channel_print_adm_permitted_opens(void);
|
||||
int channel_input_port_forward_request(int, int);
|
||||
Channel *channel_connect_to(const char *, u_short, char *, char *);
|
||||
int channel_input_port_forward_request(int, struct ForwardOptions *);
|
||||
Channel *channel_connect_to_port(const char *, u_short, char *, char *);
|
||||
Channel *channel_connect_to_path(const char *, char *, char *);
|
||||
Channel *channel_connect_stdio_fwd(const char*, u_short, int, int);
|
||||
Channel *channel_connect_by_listen_address(u_short, char *, char *);
|
||||
int channel_request_remote_forwarding(const char *, u_short,
|
||||
const char *, u_short);
|
||||
int channel_setup_local_fwd_listener(const char *, u_short,
|
||||
const char *, u_short, int);
|
||||
int channel_request_rforward_cancel(const char *host, u_short port);
|
||||
int channel_setup_remote_fwd_listener(const char *, u_short, int *, int);
|
||||
int channel_cancel_rport_listener(const char *, u_short);
|
||||
int channel_cancel_lport_listener(const char *, u_short, int, int);
|
||||
Channel *channel_connect_by_listen_address(const char *, u_short,
|
||||
char *, char *);
|
||||
Channel *channel_connect_by_listen_path(const char *, char *, char *);
|
||||
int channel_request_remote_forwarding(struct Forward *);
|
||||
int channel_setup_local_fwd_listener(struct Forward *, struct ForwardOptions *);
|
||||
int channel_request_rforward_cancel(struct Forward *);
|
||||
int channel_setup_remote_fwd_listener(struct Forward *, int *, struct ForwardOptions *);
|
||||
int channel_cancel_rport_listener(struct Forward *);
|
||||
int channel_cancel_lport_listener(struct Forward *, int, struct ForwardOptions *);
|
||||
int permitopen_port(const char *);
|
||||
|
||||
/* x11 forwarding */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: cipher-3des1.c,v 1.10 2014/02/02 03:44:31 djm Exp $ */
|
||||
/* $OpenBSD: cipher-3des1.c,v 1.11 2014/07/02 04:59:06 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2003 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -29,13 +29,11 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
/*
|
||||
* This is used by SSH1:
|
||||
@ -57,7 +55,7 @@ struct ssh1_3des_ctx
|
||||
};
|
||||
|
||||
const EVP_CIPHER * evp_ssh1_3des(void);
|
||||
void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
|
||||
int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
|
||||
|
||||
static int
|
||||
ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
|
||||
@ -67,11 +65,12 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
|
||||
u_char *k1, *k2, *k3;
|
||||
|
||||
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
|
||||
c = xcalloc(1, sizeof(*c));
|
||||
if ((c = calloc(1, sizeof(*c))) == NULL)
|
||||
return 0;
|
||||
EVP_CIPHER_CTX_set_app_data(ctx, c);
|
||||
}
|
||||
if (key == NULL)
|
||||
return (1);
|
||||
return 1;
|
||||
if (enc == -1)
|
||||
enc = ctx->encrypt;
|
||||
k1 = k2 = k3 = (u_char *) key;
|
||||
@ -85,44 +84,29 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
|
||||
EVP_CIPHER_CTX_init(&c->k1);
|
||||
EVP_CIPHER_CTX_init(&c->k2);
|
||||
EVP_CIPHER_CTX_init(&c->k3);
|
||||
#ifdef SSH_OLD_EVP
|
||||
EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc);
|
||||
EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc);
|
||||
EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc);
|
||||
#else
|
||||
if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
|
||||
EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
|
||||
EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
|
||||
explicit_bzero(c, sizeof(*c));
|
||||
free(c);
|
||||
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
|
||||
return (0);
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
return (1);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int
|
||||
ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
|
||||
LIBCRYPTO_EVP_INL_TYPE len)
|
||||
ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, size_t len)
|
||||
{
|
||||
struct ssh1_3des_ctx *c;
|
||||
|
||||
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
|
||||
error("ssh1_3des_cbc: no context");
|
||||
return (0);
|
||||
}
|
||||
#ifdef SSH_OLD_EVP
|
||||
EVP_Cipher(&c->k1, dest, (u_char *)src, len);
|
||||
EVP_Cipher(&c->k2, dest, dest, len);
|
||||
EVP_Cipher(&c->k3, dest, dest, len);
|
||||
#else
|
||||
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
|
||||
return 0;
|
||||
if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
|
||||
EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
|
||||
EVP_Cipher(&c->k3, dest, dest, len) == 0)
|
||||
return (0);
|
||||
#endif
|
||||
return (1);
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int
|
||||
@ -138,29 +122,28 @@ ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
|
||||
free(c);
|
||||
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
|
||||
}
|
||||
return (1);
|
||||
return 1;
|
||||
}
|
||||
|
||||
void
|
||||
int
|
||||
ssh1_3des_iv(EVP_CIPHER_CTX *evp, int doset, u_char *iv, int len)
|
||||
{
|
||||
struct ssh1_3des_ctx *c;
|
||||
|
||||
if (len != 24)
|
||||
fatal("%s: bad 3des iv length: %d", __func__, len);
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
|
||||
fatal("%s: no 3des context", __func__);
|
||||
return SSH_ERR_INTERNAL_ERROR;
|
||||
if (doset) {
|
||||
debug3("%s: Installed 3DES IV", __func__);
|
||||
memcpy(c->k1.iv, iv, 8);
|
||||
memcpy(c->k2.iv, iv + 8, 8);
|
||||
memcpy(c->k3.iv, iv + 16, 8);
|
||||
} else {
|
||||
debug3("%s: Copying 3DES IV", __func__);
|
||||
memcpy(iv, c->k1.iv, 8);
|
||||
memcpy(iv + 8, c->k2.iv, 8);
|
||||
memcpy(iv + 16, c->k3.iv, 8);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
const EVP_CIPHER *
|
||||
@ -176,8 +159,6 @@ evp_ssh1_3des(void)
|
||||
ssh1_3des.init = ssh1_3des_init;
|
||||
ssh1_3des.cleanup = ssh1_3des_cleanup;
|
||||
ssh1_3des.do_cipher = ssh1_3des_cbc;
|
||||
#ifndef SSH_OLD_EVP
|
||||
ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH;
|
||||
#endif
|
||||
return (&ssh1_3des);
|
||||
return &ssh1_3des;
|
||||
}
|
||||
|
78
crypto/openssh/cipher-aesctr.c
Normal file
78
crypto/openssh/cipher-aesctr.c
Normal file
@ -0,0 +1,78 @@
|
||||
/* $OpenBSD: cipher-aesctr.c,v 1.1 2014/04/29 15:39:33 markus Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "cipher-aesctr.h"
|
||||
|
||||
/*
|
||||
* increment counter 'ctr',
|
||||
* the counter is of size 'len' bytes and stored in network-byte-order.
|
||||
* (LSB at ctr[len-1], MSB at ctr[0])
|
||||
*/
|
||||
static __inline__ void
|
||||
aesctr_inc(u8 *ctr, u32 len)
|
||||
{
|
||||
ssize_t i;
|
||||
|
||||
#ifndef CONSTANT_TIME_INCREMENT
|
||||
for (i = len - 1; i >= 0; i--)
|
||||
if (++ctr[i]) /* continue on overflow */
|
||||
return;
|
||||
#else
|
||||
u8 x, add = 1;
|
||||
|
||||
for (i = len - 1; i >= 0; i--) {
|
||||
ctr[i] += add;
|
||||
/* constant time for: x = ctr[i] ? 1 : 0 */
|
||||
x = ctr[i];
|
||||
x = (x | (x >> 4)) & 0xf;
|
||||
x = (x | (x >> 2)) & 0x3;
|
||||
x = (x | (x >> 1)) & 0x1;
|
||||
add *= (x^1);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
aesctr_keysetup(aesctr_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
|
||||
{
|
||||
x->rounds = rijndaelKeySetupEnc(x->ek, k, kbits);
|
||||
}
|
||||
|
||||
void
|
||||
aesctr_ivsetup(aesctr_ctx *x,const u8 *iv)
|
||||
{
|
||||
memcpy(x->ctr, iv, AES_BLOCK_SIZE);
|
||||
}
|
||||
|
||||
void
|
||||
aesctr_encrypt_bytes(aesctr_ctx *x,const u8 *m,u8 *c,u32 bytes)
|
||||
{
|
||||
u32 n = 0;
|
||||
u8 buf[AES_BLOCK_SIZE];
|
||||
|
||||
while ((bytes--) > 0) {
|
||||
if (n == 0) {
|
||||
rijndaelEncrypt(x->ek, x->rounds, x->ctr, buf);
|
||||
aesctr_inc(x->ctr, AES_BLOCK_SIZE);
|
||||
}
|
||||
*(c++) = *(m++) ^ buf[n];
|
||||
n = (n + 1) % AES_BLOCK_SIZE;
|
||||
}
|
||||
}
|
35
crypto/openssh/cipher-aesctr.h
Normal file
35
crypto/openssh/cipher-aesctr.h
Normal file
@ -0,0 +1,35 @@
|
||||
/* $OpenBSD: cipher-aesctr.h,v 1.1 2014/04/29 15:39:33 markus Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2014 Markus Friedl
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#ifndef OPENSSH_AESCTR_H
|
||||
#define OPENSSH_AESCTR_H
|
||||
|
||||
#include "rijndael.h"
|
||||
|
||||
#define AES_BLOCK_SIZE 16
|
||||
|
||||
typedef struct aesctr_ctx {
|
||||
int rounds; /* keylen-dependent #rounds */
|
||||
u32 ek[4*(AES_MAXROUNDS + 1)]; /* encrypt key schedule */
|
||||
u8 ctr[AES_BLOCK_SIZE]; /* counter */
|
||||
} aesctr_ctx;
|
||||
|
||||
void aesctr_keysetup(aesctr_ctx *x,const u8 *k,u32 kbits,u32 ivbits);
|
||||
void aesctr_ivsetup(aesctr_ctx *x,const u8 *iv);
|
||||
void aesctr_encrypt_bytes(aesctr_ctx *x,const u8 *m,u8 *c,u32 bytes);
|
||||
|
||||
#endif
|
@ -14,7 +14,7 @@
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $OpenBSD: cipher-chachapoly.c,v 1.4 2014/01/31 16:39:19 tedu Exp $ */
|
||||
/* $OpenBSD: cipher-chachapoly.c,v 1.6 2014/07/03 12:42:16 jsing Exp $ */
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
@ -24,16 +24,18 @@
|
||||
#include <stdio.h> /* needed for misc.h */
|
||||
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "sshbuf.h"
|
||||
#include "ssherr.h"
|
||||
#include "cipher-chachapoly.h"
|
||||
|
||||
void chachapoly_init(struct chachapoly_ctx *ctx,
|
||||
int chachapoly_init(struct chachapoly_ctx *ctx,
|
||||
const u_char *key, u_int keylen)
|
||||
{
|
||||
if (keylen != (32 + 32)) /* 2 x 256 bit keys */
|
||||
fatal("%s: invalid keylen %u", __func__, keylen);
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
chacha_keysetup(&ctx->main_ctx, key, 256);
|
||||
chacha_keysetup(&ctx->header_ctx, key + 32, 256);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -52,33 +54,37 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
|
||||
u_char seqbuf[8];
|
||||
const u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB little-endian */
|
||||
u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
|
||||
int r = -1;
|
||||
int r = SSH_ERR_INTERNAL_ERROR;
|
||||
|
||||
/*
|
||||
* Run ChaCha20 once to generate the Poly1305 key. The IV is the
|
||||
* packet sequence number.
|
||||
*/
|
||||
memset(poly_key, 0, sizeof(poly_key));
|
||||
put_u64(seqbuf, seqnr);
|
||||
POKE_U64(seqbuf, seqnr);
|
||||
chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
|
||||
chacha_encrypt_bytes(&ctx->main_ctx,
|
||||
poly_key, poly_key, sizeof(poly_key));
|
||||
/* Set Chacha's block counter to 1 */
|
||||
chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
|
||||
|
||||
/* If decrypting, check tag before anything else */
|
||||
if (!do_encrypt) {
|
||||
const u_char *tag = src + aadlen + len;
|
||||
|
||||
poly1305_auth(expected_tag, src, aadlen + len, poly_key);
|
||||
if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0)
|
||||
if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) {
|
||||
r = SSH_ERR_MAC_INVALID;
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
/* Crypt additional data */
|
||||
if (aadlen) {
|
||||
chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
|
||||
chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen);
|
||||
}
|
||||
|
||||
/* Set Chacha's block counter to 1 */
|
||||
chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
|
||||
chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen,
|
||||
dest + aadlen, len);
|
||||
|
||||
@ -88,7 +94,6 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
|
||||
poly_key);
|
||||
}
|
||||
r = 0;
|
||||
|
||||
out:
|
||||
explicit_bzero(expected_tag, sizeof(expected_tag));
|
||||
explicit_bzero(seqbuf, sizeof(seqbuf));
|
||||
@ -104,11 +109,11 @@ chachapoly_get_length(struct chachapoly_ctx *ctx,
|
||||
u_char buf[4], seqbuf[8];
|
||||
|
||||
if (len < 4)
|
||||
return -1; /* Insufficient length */
|
||||
put_u64(seqbuf, seqnr);
|
||||
return SSH_ERR_MESSAGE_INCOMPLETE;
|
||||
POKE_U64(seqbuf, seqnr);
|
||||
chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
|
||||
chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4);
|
||||
*plenp = get_u32(buf);
|
||||
*plenp = PEEK_U32(buf);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: cipher-chachapoly.h,v 1.1 2013/11/21 00:45:44 djm Exp $ */
|
||||
/* $OpenBSD: cipher-chachapoly.h,v 1.4 2014/06/24 01:13:21 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) Damien Miller 2013 <djm@mindrot.org>
|
||||
@ -28,7 +28,7 @@ struct chachapoly_ctx {
|
||||
struct chacha_ctx main_ctx, header_ctx;
|
||||
};
|
||||
|
||||
void chachapoly_init(struct chachapoly_ctx *cpctx,
|
||||
int chachapoly_init(struct chachapoly_ctx *cpctx,
|
||||
const u_char *key, u_int keylen)
|
||||
__attribute__((__bounded__(__buffer__, 2, 3)));
|
||||
int chachapoly_crypt(struct chachapoly_ctx *cpctx, u_int seqnr,
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: cipher.c,v 1.97 2014/02/07 06:55:54 djm Exp $ */
|
||||
/* $OpenBSD: cipher.c,v 1.99 2014/06/24 01:13:21 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -43,21 +43,21 @@
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "cipher.h"
|
||||
#include "buffer.h"
|
||||
#include "misc.h"
|
||||
#include "sshbuf.h"
|
||||
#include "ssherr.h"
|
||||
#include "digest.h"
|
||||
|
||||
/* compatibility with old or broken OpenSSL versions */
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#ifdef WITH_SSH1
|
||||
extern const EVP_CIPHER *evp_ssh1_bf(void);
|
||||
extern const EVP_CIPHER *evp_ssh1_3des(void);
|
||||
extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
|
||||
extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
|
||||
#endif
|
||||
|
||||
struct Cipher {
|
||||
struct sshcipher {
|
||||
char *name;
|
||||
int number; /* for ssh1 only */
|
||||
u_int block_size;
|
||||
@ -68,15 +68,23 @@ struct Cipher {
|
||||
u_int flags;
|
||||
#define CFLAG_CBC (1<<0)
|
||||
#define CFLAG_CHACHAPOLY (1<<1)
|
||||
#define CFLAG_AESCTR (1<<2)
|
||||
#define CFLAG_NONE (1<<3)
|
||||
#ifdef WITH_OPENSSL
|
||||
const EVP_CIPHER *(*evptype)(void);
|
||||
#else
|
||||
void *ignored;
|
||||
#endif
|
||||
};
|
||||
|
||||
static const struct Cipher ciphers[] = {
|
||||
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
|
||||
static const struct sshcipher ciphers[] = {
|
||||
#ifdef WITH_SSH1
|
||||
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
|
||||
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
|
||||
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
|
||||
|
||||
#endif /* WITH_SSH1 */
|
||||
#ifdef WITH_OPENSSL
|
||||
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
|
||||
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
|
||||
{ "blowfish-cbc",
|
||||
SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
|
||||
@ -93,26 +101,33 @@ static const struct Cipher ciphers[] = {
|
||||
{ "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
|
||||
{ "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
|
||||
{ "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
|
||||
#ifdef OPENSSL_HAVE_EVPGCM
|
||||
# ifdef OPENSSL_HAVE_EVPGCM
|
||||
{ "aes128-gcm@openssh.com",
|
||||
SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
|
||||
{ "aes256-gcm@openssh.com",
|
||||
SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
|
||||
#endif
|
||||
# endif /* OPENSSL_HAVE_EVPGCM */
|
||||
#else /* WITH_OPENSSL */
|
||||
{ "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, CFLAG_AESCTR, NULL },
|
||||
{ "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, CFLAG_AESCTR, NULL },
|
||||
{ "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, CFLAG_AESCTR, NULL },
|
||||
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, CFLAG_NONE, NULL },
|
||||
#endif /* WITH_OPENSSL */
|
||||
{ "chacha20-poly1305@openssh.com",
|
||||
SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL },
|
||||
|
||||
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
||||
};
|
||||
|
||||
/*--*/
|
||||
|
||||
/* Returns a list of supported ciphers separated by the specified char. */
|
||||
/* Returns a comma-separated list of supported ciphers. */
|
||||
char *
|
||||
cipher_alg_list(char sep, int auth_only)
|
||||
{
|
||||
char *ret = NULL;
|
||||
char *tmp, *ret = NULL;
|
||||
size_t nlen, rlen = 0;
|
||||
const Cipher *c;
|
||||
const struct sshcipher *c;
|
||||
|
||||
for (c = ciphers; c->name != NULL; c++) {
|
||||
if (c->number != SSH_CIPHER_SSH2)
|
||||
@ -122,7 +137,11 @@ cipher_alg_list(char sep, int auth_only)
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(c->name);
|
||||
ret = xrealloc(ret, 1, rlen + nlen + 2);
|
||||
if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
|
||||
free(ret);
|
||||
return NULL;
|
||||
}
|
||||
ret = tmp;
|
||||
memcpy(ret + rlen, c->name, nlen + 1);
|
||||
rlen += nlen;
|
||||
}
|
||||
@ -130,19 +149,19 @@ cipher_alg_list(char sep, int auth_only)
|
||||
}
|
||||
|
||||
u_int
|
||||
cipher_blocksize(const Cipher *c)
|
||||
cipher_blocksize(const struct sshcipher *c)
|
||||
{
|
||||
return (c->block_size);
|
||||
}
|
||||
|
||||
u_int
|
||||
cipher_keylen(const Cipher *c)
|
||||
cipher_keylen(const struct sshcipher *c)
|
||||
{
|
||||
return (c->key_len);
|
||||
}
|
||||
|
||||
u_int
|
||||
cipher_seclen(const Cipher *c)
|
||||
cipher_seclen(const struct sshcipher *c)
|
||||
{
|
||||
if (strcmp("3des-cbc", c->name) == 0)
|
||||
return 14;
|
||||
@ -150,13 +169,13 @@ cipher_seclen(const Cipher *c)
|
||||
}
|
||||
|
||||
u_int
|
||||
cipher_authlen(const Cipher *c)
|
||||
cipher_authlen(const struct sshcipher *c)
|
||||
{
|
||||
return (c->auth_len);
|
||||
}
|
||||
|
||||
u_int
|
||||
cipher_ivlen(const Cipher *c)
|
||||
cipher_ivlen(const struct sshcipher *c)
|
||||
{
|
||||
/*
|
||||
* Default is cipher block size, except for chacha20+poly1305 that
|
||||
@ -167,13 +186,13 @@ cipher_ivlen(const Cipher *c)
|
||||
}
|
||||
|
||||
u_int
|
||||
cipher_get_number(const Cipher *c)
|
||||
cipher_get_number(const struct sshcipher *c)
|
||||
{
|
||||
return (c->number);
|
||||
}
|
||||
|
||||
u_int
|
||||
cipher_is_cbc(const Cipher *c)
|
||||
cipher_is_cbc(const struct sshcipher *c)
|
||||
{
|
||||
return (c->flags & CFLAG_CBC) != 0;
|
||||
}
|
||||
@ -190,20 +209,20 @@ cipher_mask_ssh1(int client)
|
||||
return mask;
|
||||
}
|
||||
|
||||
const Cipher *
|
||||
const struct sshcipher *
|
||||
cipher_by_name(const char *name)
|
||||
{
|
||||
const Cipher *c;
|
||||
const struct sshcipher *c;
|
||||
for (c = ciphers; c->name != NULL; c++)
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
const Cipher *
|
||||
const struct sshcipher *
|
||||
cipher_by_number(int id)
|
||||
{
|
||||
const Cipher *c;
|
||||
const struct sshcipher *c;
|
||||
for (c = ciphers; c->name != NULL; c++)
|
||||
if (c->number == id)
|
||||
return c;
|
||||
@ -214,23 +233,22 @@ cipher_by_number(int id)
|
||||
int
|
||||
ciphers_valid(const char *names)
|
||||
{
|
||||
const Cipher *c;
|
||||
const struct sshcipher *c;
|
||||
char *cipher_list, *cp;
|
||||
char *p;
|
||||
|
||||
if (names == NULL || strcmp(names, "") == 0)
|
||||
return 0;
|
||||
cipher_list = cp = xstrdup(names);
|
||||
if ((cipher_list = cp = strdup(names)) == NULL)
|
||||
return 0;
|
||||
for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
|
||||
(p = strsep(&cp, CIPHER_SEP))) {
|
||||
c = cipher_by_name(p);
|
||||
if (c == NULL || c->number != SSH_CIPHER_SSH2) {
|
||||
debug("bad cipher %s [%s]", p, names);
|
||||
free(cipher_list);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
debug3("ciphers ok: [%s]", names);
|
||||
free(cipher_list);
|
||||
return 1;
|
||||
}
|
||||
@ -243,7 +261,7 @@ ciphers_valid(const char *names)
|
||||
int
|
||||
cipher_number(const char *name)
|
||||
{
|
||||
const Cipher *c;
|
||||
const struct sshcipher *c;
|
||||
if (name == NULL)
|
||||
return -1;
|
||||
for (c = ciphers; c->name != NULL; c++)
|
||||
@ -255,90 +273,104 @@ cipher_number(const char *name)
|
||||
char *
|
||||
cipher_name(int id)
|
||||
{
|
||||
const Cipher *c = cipher_by_number(id);
|
||||
const struct sshcipher *c = cipher_by_number(id);
|
||||
return (c==NULL) ? "<unknown>" : c->name;
|
||||
}
|
||||
|
||||
void
|
||||
cipher_init(CipherContext *cc, const Cipher *cipher,
|
||||
const char *
|
||||
cipher_warning_message(const struct sshcipher_ctx *cc)
|
||||
{
|
||||
if (cc == NULL || cc->cipher == NULL)
|
||||
return NULL;
|
||||
if (cc->cipher->number == SSH_CIPHER_DES)
|
||||
return "use of DES is strongly discouraged due to "
|
||||
"cryptographic weaknesses";
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int
|
||||
cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
|
||||
const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
|
||||
int do_encrypt)
|
||||
{
|
||||
static int dowarn = 1;
|
||||
#ifdef SSH_OLD_EVP
|
||||
EVP_CIPHER *type;
|
||||
#else
|
||||
#ifdef WITH_OPENSSL
|
||||
int ret = SSH_ERR_INTERNAL_ERROR;
|
||||
const EVP_CIPHER *type;
|
||||
int klen;
|
||||
#endif
|
||||
u_char *junk, *discard;
|
||||
|
||||
if (cipher->number == SSH_CIPHER_DES) {
|
||||
if (dowarn) {
|
||||
error("Warning: use of DES is strongly discouraged "
|
||||
"due to cryptographic weaknesses");
|
||||
dowarn = 0;
|
||||
}
|
||||
if (keylen > 8)
|
||||
keylen = 8;
|
||||
}
|
||||
#endif
|
||||
cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
|
||||
cc->encrypt = do_encrypt;
|
||||
|
||||
if (keylen < cipher->key_len)
|
||||
fatal("cipher_init: key length %d is insufficient for %s.",
|
||||
keylen, cipher->name);
|
||||
if (iv != NULL && ivlen < cipher_ivlen(cipher))
|
||||
fatal("cipher_init: iv length %d is insufficient for %s.",
|
||||
ivlen, cipher->name);
|
||||
cc->cipher = cipher;
|
||||
if (keylen < cipher->key_len ||
|
||||
(iv != NULL && ivlen < cipher_ivlen(cipher)))
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
|
||||
cc->cipher = cipher;
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
|
||||
chachapoly_init(&cc->cp_ctx, key, keylen);
|
||||
return;
|
||||
return chachapoly_init(&cc->cp_ctx, key, keylen);
|
||||
}
|
||||
#ifndef WITH_OPENSSL
|
||||
if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
|
||||
aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
|
||||
aesctr_ivsetup(&cc->ac_ctx, iv);
|
||||
return 0;
|
||||
}
|
||||
if ((cc->cipher->flags & CFLAG_NONE) != 0)
|
||||
return 0;
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
#else
|
||||
type = (*cipher->evptype)();
|
||||
EVP_CIPHER_CTX_init(&cc->evp);
|
||||
#ifdef SSH_OLD_EVP
|
||||
if (type->key_len > 0 && type->key_len != keylen) {
|
||||
debug("cipher_init: set keylen (%d -> %d)",
|
||||
type->key_len, keylen);
|
||||
type->key_len = keylen;
|
||||
}
|
||||
EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv,
|
||||
(do_encrypt == CIPHER_ENCRYPT));
|
||||
#else
|
||||
if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
|
||||
(do_encrypt == CIPHER_ENCRYPT)) == 0)
|
||||
fatal("cipher_init: EVP_CipherInit failed for %s",
|
||||
cipher->name);
|
||||
(do_encrypt == CIPHER_ENCRYPT)) == 0) {
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto bad;
|
||||
}
|
||||
if (cipher_authlen(cipher) &&
|
||||
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
|
||||
-1, (u_char *)iv))
|
||||
fatal("cipher_init: EVP_CTRL_GCM_SET_IV_FIXED failed for %s",
|
||||
cipher->name);
|
||||
-1, (u_char *)iv)) {
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto bad;
|
||||
}
|
||||
klen = EVP_CIPHER_CTX_key_length(&cc->evp);
|
||||
if (klen > 0 && keylen != (u_int)klen) {
|
||||
debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
|
||||
if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
|
||||
fatal("cipher_init: set keylen failed (%d -> %d)",
|
||||
klen, keylen);
|
||||
if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) {
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto bad;
|
||||
}
|
||||
}
|
||||
if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto bad;
|
||||
}
|
||||
if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0)
|
||||
fatal("cipher_init: EVP_CipherInit: set key failed for %s",
|
||||
cipher->name);
|
||||
#endif
|
||||
|
||||
if (cipher->discard_len > 0) {
|
||||
junk = xmalloc(cipher->discard_len);
|
||||
discard = xmalloc(cipher->discard_len);
|
||||
if (EVP_Cipher(&cc->evp, discard, junk,
|
||||
cipher->discard_len) == 0)
|
||||
fatal("evp_crypt: EVP_Cipher failed during discard");
|
||||
if ((junk = malloc(cipher->discard_len)) == NULL ||
|
||||
(discard = malloc(cipher->discard_len)) == NULL) {
|
||||
if (junk != NULL)
|
||||
free(junk);
|
||||
ret = SSH_ERR_ALLOC_FAIL;
|
||||
goto bad;
|
||||
}
|
||||
ret = EVP_Cipher(&cc->evp, discard, junk, cipher->discard_len);
|
||||
explicit_bzero(discard, cipher->discard_len);
|
||||
free(junk);
|
||||
free(discard);
|
||||
if (ret != 1) {
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
bad:
|
||||
EVP_CIPHER_CTX_cleanup(&cc->evp);
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -350,204 +382,244 @@ cipher_init(CipherContext *cc, const Cipher *cipher,
|
||||
* Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
|
||||
* This tag is written on encryption and verified on decryption.
|
||||
* Both 'aadlen' and 'authlen' can be set to 0.
|
||||
* cipher_crypt() returns 0 on success and -1 if the decryption integrity
|
||||
* check fails.
|
||||
*/
|
||||
int
|
||||
cipher_crypt(CipherContext *cc, u_int seqnr, u_char *dest, const u_char *src,
|
||||
u_int len, u_int aadlen, u_int authlen)
|
||||
cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
|
||||
const u_char *src, u_int len, u_int aadlen, u_int authlen)
|
||||
{
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
|
||||
return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src, len,
|
||||
aadlen, authlen, cc->encrypt);
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
|
||||
return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src,
|
||||
len, aadlen, authlen, cc->encrypt);
|
||||
}
|
||||
#ifndef WITH_OPENSSL
|
||||
if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
|
||||
if (aadlen)
|
||||
memcpy(dest, src, aadlen);
|
||||
aesctr_encrypt_bytes(&cc->ac_ctx, src + aadlen,
|
||||
dest + aadlen, len);
|
||||
return 0;
|
||||
}
|
||||
if ((cc->cipher->flags & CFLAG_NONE) != 0) {
|
||||
memcpy(dest, src, aadlen + len);
|
||||
return 0;
|
||||
}
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
#else
|
||||
if (authlen) {
|
||||
u_char lastiv[1];
|
||||
|
||||
if (authlen != cipher_authlen(cc->cipher))
|
||||
fatal("%s: authlen mismatch %d", __func__, authlen);
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
/* increment IV */
|
||||
if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
|
||||
1, lastiv))
|
||||
fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__);
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
/* set tag on decyption */
|
||||
if (!cc->encrypt &&
|
||||
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
|
||||
authlen, (u_char *)src + aadlen + len))
|
||||
fatal("%s: EVP_CTRL_GCM_SET_TAG", __func__);
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
}
|
||||
if (aadlen) {
|
||||
if (authlen &&
|
||||
EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)
|
||||
fatal("%s: EVP_Cipher(aad) failed", __func__);
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
memcpy(dest, src, aadlen);
|
||||
}
|
||||
if (len % cc->cipher->block_size)
|
||||
fatal("%s: bad plaintext length %d", __func__, len);
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
|
||||
len) < 0)
|
||||
fatal("%s: EVP_Cipher failed", __func__);
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
if (authlen) {
|
||||
/* compute tag (on encrypt) or verify tag (on decrypt) */
|
||||
if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) {
|
||||
if (cc->encrypt)
|
||||
fatal("%s: EVP_Cipher(final) failed", __func__);
|
||||
else
|
||||
return -1;
|
||||
}
|
||||
if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0)
|
||||
return cc->encrypt ?
|
||||
SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;
|
||||
if (cc->encrypt &&
|
||||
!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
|
||||
authlen, dest + aadlen + len))
|
||||
fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__);
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
}
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* Extract the packet length, including any decryption necessary beforehand */
|
||||
int
|
||||
cipher_get_length(CipherContext *cc, u_int *plenp, u_int seqnr,
|
||||
cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
|
||||
const u_char *cp, u_int len)
|
||||
{
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
|
||||
return chachapoly_get_length(&cc->cp_ctx, plenp, seqnr,
|
||||
cp, len);
|
||||
if (len < 4)
|
||||
return -1;
|
||||
return SSH_ERR_MESSAGE_INCOMPLETE;
|
||||
*plenp = get_u32(cp);
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
cipher_cleanup(CipherContext *cc)
|
||||
int
|
||||
cipher_cleanup(struct sshcipher_ctx *cc)
|
||||
{
|
||||
if (cc == NULL || cc->cipher == NULL)
|
||||
return 0;
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
|
||||
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
|
||||
else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
|
||||
explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx));
|
||||
#ifdef WITH_OPENSSL
|
||||
else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
|
||||
error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Selects the cipher, and keys if by computing the MD5 checksum of the
|
||||
* passphrase and using the resulting 16 bytes as the key.
|
||||
*/
|
||||
|
||||
void
|
||||
cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
|
||||
int
|
||||
cipher_set_key_string(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
|
||||
const char *passphrase, int do_encrypt)
|
||||
{
|
||||
u_char digest[16];
|
||||
int r = SSH_ERR_INTERNAL_ERROR;
|
||||
|
||||
if (ssh_digest_memory(SSH_DIGEST_MD5, passphrase, strlen(passphrase),
|
||||
digest, sizeof(digest)) < 0)
|
||||
fatal("%s: md5 failed", __func__);
|
||||
|
||||
cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);
|
||||
if ((r = ssh_digest_memory(SSH_DIGEST_MD5,
|
||||
passphrase, strlen(passphrase),
|
||||
digest, sizeof(digest))) != 0)
|
||||
goto out;
|
||||
|
||||
r = cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);
|
||||
out:
|
||||
explicit_bzero(digest, sizeof(digest));
|
||||
return r;
|
||||
}
|
||||
|
||||
/*
|
||||
* Exports an IV from the CipherContext required to export the key
|
||||
* Exports an IV from the sshcipher_ctx required to export the key
|
||||
* state back from the unprivileged child to the privileged parent
|
||||
* process.
|
||||
*/
|
||||
|
||||
int
|
||||
cipher_get_keyiv_len(const CipherContext *cc)
|
||||
cipher_get_keyiv_len(const struct sshcipher_ctx *cc)
|
||||
{
|
||||
const Cipher *c = cc->cipher;
|
||||
int ivlen;
|
||||
const struct sshcipher *c = cc->cipher;
|
||||
int ivlen = 0;
|
||||
|
||||
if (c->number == SSH_CIPHER_3DES)
|
||||
ivlen = 24;
|
||||
else if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
|
||||
ivlen = 0;
|
||||
#ifdef WITH_OPENSSL
|
||||
else
|
||||
ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
|
||||
#endif /* WITH_OPENSSL */
|
||||
return (ivlen);
|
||||
}
|
||||
|
||||
void
|
||||
cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
|
||||
int
|
||||
cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
|
||||
{
|
||||
const Cipher *c = cc->cipher;
|
||||
int evplen;
|
||||
const struct sshcipher *c = cc->cipher;
|
||||
#ifdef WITH_OPENSSL
|
||||
int evplen;
|
||||
#endif
|
||||
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
|
||||
if (len != 0)
|
||||
fatal("%s: wrong iv length %d != %d", __func__, len, 0);
|
||||
return;
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
return 0;
|
||||
}
|
||||
if ((cc->cipher->flags & CFLAG_NONE) != 0)
|
||||
return 0;
|
||||
|
||||
switch (c->number) {
|
||||
case SSH_CIPHER_SSH2:
|
||||
case SSH_CIPHER_DES:
|
||||
case SSH_CIPHER_BLOWFISH:
|
||||
evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
|
||||
if (evplen <= 0)
|
||||
return;
|
||||
if ((u_int)evplen != len)
|
||||
fatal("%s: wrong iv length %d != %d", __func__,
|
||||
evplen, len);
|
||||
#ifdef USE_BUILTIN_RIJNDAEL
|
||||
if (c->evptype == evp_rijndael)
|
||||
ssh_rijndael_iv(&cc->evp, 0, iv, len);
|
||||
else
|
||||
#endif
|
||||
#ifndef OPENSSL_HAVE_EVPCTR
|
||||
if (c->evptype == evp_aes_128_ctr)
|
||||
ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
|
||||
else
|
||||
#endif
|
||||
memcpy(iv, cc->evp.iv, len);
|
||||
break;
|
||||
case SSH_CIPHER_3DES:
|
||||
ssh1_3des_iv(&cc->evp, 0, iv, 24);
|
||||
break;
|
||||
default:
|
||||
fatal("%s: bad cipher %d", __func__, c->number);
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
cipher_set_keyiv(CipherContext *cc, u_char *iv)
|
||||
{
|
||||
const Cipher *c = cc->cipher;
|
||||
int evplen = 0;
|
||||
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
|
||||
return;
|
||||
|
||||
switch (c->number) {
|
||||
#ifdef WITH_OPENSSL
|
||||
case SSH_CIPHER_SSH2:
|
||||
case SSH_CIPHER_DES:
|
||||
case SSH_CIPHER_BLOWFISH:
|
||||
evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
|
||||
if (evplen == 0)
|
||||
return;
|
||||
#ifdef USE_BUILTIN_RIJNDAEL
|
||||
if (c->evptype == evp_rijndael)
|
||||
ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
|
||||
else
|
||||
#endif
|
||||
return 0;
|
||||
else if (evplen < 0)
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
if ((u_int)evplen != len)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
#ifndef OPENSSL_HAVE_EVPCTR
|
||||
if (c->evptype == evp_aes_128_ctr)
|
||||
ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen);
|
||||
ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
|
||||
else
|
||||
#endif
|
||||
memcpy(cc->evp.iv, iv, evplen);
|
||||
if (cipher_authlen(c)) {
|
||||
if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
|
||||
len, iv))
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
} else
|
||||
memcpy(iv, cc->evp.iv, len);
|
||||
break;
|
||||
#endif
|
||||
#ifdef WITH_SSH1
|
||||
case SSH_CIPHER_3DES:
|
||||
ssh1_3des_iv(&cc->evp, 1, iv, 24);
|
||||
break;
|
||||
return ssh1_3des_iv(&cc->evp, 0, iv, 24);
|
||||
#endif
|
||||
default:
|
||||
fatal("%s: bad cipher %d", __func__, c->number);
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
cipher_get_keycontext(const CipherContext *cc, u_char *dat)
|
||||
cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
|
||||
{
|
||||
const Cipher *c = cc->cipher;
|
||||
const struct sshcipher *c = cc->cipher;
|
||||
#ifdef WITH_OPENSSL
|
||||
int evplen = 0;
|
||||
#endif
|
||||
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
|
||||
return 0;
|
||||
if ((cc->cipher->flags & CFLAG_NONE) != 0)
|
||||
return 0;
|
||||
|
||||
switch (c->number) {
|
||||
#ifdef WITH_OPENSSL
|
||||
case SSH_CIPHER_SSH2:
|
||||
case SSH_CIPHER_DES:
|
||||
case SSH_CIPHER_BLOWFISH:
|
||||
evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
|
||||
if (evplen <= 0)
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
if (cipher_authlen(c)) {
|
||||
/* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */
|
||||
if (!EVP_CIPHER_CTX_ctrl(&cc->evp,
|
||||
EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
} else
|
||||
memcpy(cc->evp.iv, iv, evplen);
|
||||
break;
|
||||
#endif
|
||||
#ifdef WITH_SSH1
|
||||
case SSH_CIPHER_3DES:
|
||||
return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24);
|
||||
#endif
|
||||
default:
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
#define EVP_X_STATE(evp) (evp).cipher_data
|
||||
#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
|
||||
#endif
|
||||
|
||||
int
|
||||
cipher_get_keycontext(const struct sshcipher_ctx *cc, u_char *dat)
|
||||
{
|
||||
#ifdef WITH_OPENSSL
|
||||
const struct sshcipher *c = cc->cipher;
|
||||
int plen = 0;
|
||||
|
||||
if (c->evptype == EVP_rc4) {
|
||||
@ -557,16 +629,21 @@ cipher_get_keycontext(const CipherContext *cc, u_char *dat)
|
||||
memcpy(dat, EVP_X_STATE(cc->evp), plen);
|
||||
}
|
||||
return (plen);
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
cipher_set_keycontext(CipherContext *cc, u_char *dat)
|
||||
cipher_set_keycontext(struct sshcipher_ctx *cc, const u_char *dat)
|
||||
{
|
||||
const Cipher *c = cc->cipher;
|
||||
#ifdef WITH_OPENSSL
|
||||
const struct sshcipher *c = cc->cipher;
|
||||
int plen;
|
||||
|
||||
if (c->evptype == EVP_rc4) {
|
||||
plen = EVP_X_STATE_LEN(cc->evp);
|
||||
memcpy(EVP_X_STATE(cc->evp), dat, plen);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: cipher.h,v 1.44 2014/01/25 10:12:50 dtucker Exp $ */
|
||||
/* $OpenBSD: cipher.h,v 1.46 2014/06/24 01:13:21 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -37,8 +37,10 @@
|
||||
#ifndef CIPHER_H
|
||||
#define CIPHER_H
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <openssl/evp.h>
|
||||
#include "cipher-chachapoly.h"
|
||||
#include "cipher-aesctr.h"
|
||||
|
||||
/*
|
||||
* Cipher types for SSH-1. New types can be added, but old types should not
|
||||
@ -60,44 +62,47 @@
|
||||
#define CIPHER_ENCRYPT 1
|
||||
#define CIPHER_DECRYPT 0
|
||||
|
||||
typedef struct Cipher Cipher;
|
||||
typedef struct CipherContext CipherContext;
|
||||
|
||||
struct Cipher;
|
||||
struct CipherContext {
|
||||
struct sshcipher;
|
||||
struct sshcipher_ctx {
|
||||
int plaintext;
|
||||
int encrypt;
|
||||
EVP_CIPHER_CTX evp;
|
||||
struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
|
||||
const Cipher *cipher;
|
||||
struct aesctr_ctx ac_ctx; /* XXX union with evp? */
|
||||
const struct sshcipher *cipher;
|
||||
};
|
||||
|
||||
typedef struct sshcipher Cipher ;
|
||||
typedef struct sshcipher_ctx CipherContext ;
|
||||
|
||||
u_int cipher_mask_ssh1(int);
|
||||
const Cipher *cipher_by_name(const char *);
|
||||
const Cipher *cipher_by_number(int);
|
||||
const struct sshcipher *cipher_by_name(const char *);
|
||||
const struct sshcipher *cipher_by_number(int);
|
||||
int cipher_number(const char *);
|
||||
char *cipher_name(int);
|
||||
int ciphers_valid(const char *);
|
||||
char *cipher_alg_list(char, int);
|
||||
void cipher_init(CipherContext *, const Cipher *, const u_char *, u_int,
|
||||
const u_char *, u_int, int);
|
||||
int cipher_crypt(CipherContext *, u_int, u_char *, const u_char *,
|
||||
int cipher_init(struct sshcipher_ctx *, const struct sshcipher *,
|
||||
const u_char *, u_int, const u_char *, u_int, int);
|
||||
const char* cipher_warning_message(const struct sshcipher_ctx *);
|
||||
int cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,
|
||||
u_int, u_int, u_int);
|
||||
int cipher_get_length(CipherContext *, u_int *, u_int,
|
||||
int cipher_get_length(struct sshcipher_ctx *, u_int *, u_int,
|
||||
const u_char *, u_int);
|
||||
void cipher_cleanup(CipherContext *);
|
||||
void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
|
||||
u_int cipher_blocksize(const Cipher *);
|
||||
u_int cipher_keylen(const Cipher *);
|
||||
u_int cipher_seclen(const Cipher *);
|
||||
u_int cipher_authlen(const Cipher *);
|
||||
u_int cipher_ivlen(const Cipher *);
|
||||
u_int cipher_is_cbc(const Cipher *);
|
||||
int cipher_cleanup(struct sshcipher_ctx *);
|
||||
int cipher_set_key_string(struct sshcipher_ctx *, const struct sshcipher *,
|
||||
const char *, int);
|
||||
u_int cipher_blocksize(const struct sshcipher *);
|
||||
u_int cipher_keylen(const struct sshcipher *);
|
||||
u_int cipher_seclen(const struct sshcipher *);
|
||||
u_int cipher_authlen(const struct sshcipher *);
|
||||
u_int cipher_ivlen(const struct sshcipher *);
|
||||
u_int cipher_is_cbc(const struct sshcipher *);
|
||||
|
||||
u_int cipher_get_number(const Cipher *);
|
||||
void cipher_get_keyiv(CipherContext *, u_char *, u_int);
|
||||
void cipher_set_keyiv(CipherContext *, u_char *);
|
||||
int cipher_get_keyiv_len(const CipherContext *);
|
||||
int cipher_get_keycontext(const CipherContext *, u_char *);
|
||||
void cipher_set_keycontext(CipherContext *, u_char *);
|
||||
u_int cipher_get_number(const struct sshcipher *);
|
||||
int cipher_get_keyiv(struct sshcipher_ctx *, u_char *, u_int);
|
||||
int cipher_set_keyiv(struct sshcipher_ctx *, const u_char *);
|
||||
int cipher_get_keyiv_len(const struct sshcipher_ctx *);
|
||||
int cipher_get_keycontext(const struct sshcipher_ctx *, u_char *);
|
||||
void cipher_set_keycontext(struct sshcipher_ctx *, const u_char *);
|
||||
#endif /* CIPHER_H */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: clientloop.c,v 1.258 2014/02/02 03:44:31 djm Exp $ */
|
||||
/* $OpenBSD: clientloop.c,v 1.261 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -101,13 +101,13 @@ __RCSID("$FreeBSD$");
|
||||
#include "cipher.h"
|
||||
#include "kex.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "readconf.h"
|
||||
#include "clientloop.h"
|
||||
#include "sshconnect.h"
|
||||
#include "authfd.h"
|
||||
#include "atomicio.h"
|
||||
#include "sshpty.h"
|
||||
#include "misc.h"
|
||||
#include "match.h"
|
||||
#include "msg.h"
|
||||
#include "roaming.h"
|
||||
@ -872,13 +872,11 @@ static void
|
||||
process_cmdline(void)
|
||||
{
|
||||
void (*handler)(int);
|
||||
char *s, *cmd, *cancel_host;
|
||||
int delete = 0, local = 0, remote = 0, dynamic = 0;
|
||||
int cancel_port, ok;
|
||||
Forward fwd;
|
||||
char *s, *cmd;
|
||||
int ok, delete = 0, local = 0, remote = 0, dynamic = 0;
|
||||
struct Forward fwd;
|
||||
|
||||
memset(&fwd, 0, sizeof(fwd));
|
||||
fwd.listen_host = fwd.connect_host = NULL;
|
||||
|
||||
leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
|
||||
handler = signal(SIGINT, SIG_IGN);
|
||||
@ -944,29 +942,20 @@ process_cmdline(void)
|
||||
|
||||
/* XXX update list of forwards in options */
|
||||
if (delete) {
|
||||
cancel_port = 0;
|
||||
cancel_host = hpdelim(&s); /* may be NULL */
|
||||
if (s != NULL) {
|
||||
cancel_port = a2port(s);
|
||||
cancel_host = cleanhostname(cancel_host);
|
||||
} else {
|
||||
cancel_port = a2port(cancel_host);
|
||||
cancel_host = NULL;
|
||||
}
|
||||
if (cancel_port <= 0) {
|
||||
logit("Bad forwarding close port");
|
||||
/* We pass 1 for dynamicfwd to restrict to 1 or 2 fields. */
|
||||
if (!parse_forward(&fwd, s, 1, 0)) {
|
||||
logit("Bad forwarding close specification.");
|
||||
goto out;
|
||||
}
|
||||
if (remote)
|
||||
ok = channel_request_rforward_cancel(cancel_host,
|
||||
cancel_port) == 0;
|
||||
ok = channel_request_rforward_cancel(&fwd) == 0;
|
||||
else if (dynamic)
|
||||
ok = channel_cancel_lport_listener(cancel_host,
|
||||
cancel_port, 0, options.gateway_ports) > 0;
|
||||
ok = channel_cancel_lport_listener(&fwd,
|
||||
0, &options.fwd_opts) > 0;
|
||||
else
|
||||
ok = channel_cancel_lport_listener(cancel_host,
|
||||
cancel_port, CHANNEL_CANCEL_PORT_STATIC,
|
||||
options.gateway_ports) > 0;
|
||||
ok = channel_cancel_lport_listener(&fwd,
|
||||
CHANNEL_CANCEL_PORT_STATIC,
|
||||
&options.fwd_opts) > 0;
|
||||
if (!ok) {
|
||||
logit("Unkown port forwarding.");
|
||||
goto out;
|
||||
@ -978,16 +967,13 @@ process_cmdline(void)
|
||||
goto out;
|
||||
}
|
||||
if (local || dynamic) {
|
||||
if (!channel_setup_local_fwd_listener(fwd.listen_host,
|
||||
fwd.listen_port, fwd.connect_host,
|
||||
fwd.connect_port, options.gateway_ports)) {
|
||||
if (!channel_setup_local_fwd_listener(&fwd,
|
||||
&options.fwd_opts)) {
|
||||
logit("Port forwarding failed.");
|
||||
goto out;
|
||||
}
|
||||
} else {
|
||||
if (channel_request_remote_forwarding(fwd.listen_host,
|
||||
fwd.listen_port, fwd.connect_host,
|
||||
fwd.connect_port) < 0) {
|
||||
if (channel_request_remote_forwarding(&fwd) < 0) {
|
||||
logit("Port forwarding failed.");
|
||||
goto out;
|
||||
}
|
||||
@ -1000,7 +986,9 @@ process_cmdline(void)
|
||||
enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
|
||||
free(cmd);
|
||||
free(fwd.listen_host);
|
||||
free(fwd.listen_path);
|
||||
free(fwd.connect_host);
|
||||
free(fwd.connect_path);
|
||||
}
|
||||
|
||||
/* reasons to suppress output of an escape command in help output */
|
||||
@ -1846,11 +1834,10 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
|
||||
originator_port = packet_get_int();
|
||||
packet_check_eom();
|
||||
|
||||
debug("client_request_forwarded_tcpip: listen %s port %d, "
|
||||
"originator %s port %d", listen_address, listen_port,
|
||||
originator_address, originator_port);
|
||||
debug("%s: listen %s port %d, originator %s port %d", __func__,
|
||||
listen_address, listen_port, originator_address, originator_port);
|
||||
|
||||
c = channel_connect_by_listen_address(listen_port,
|
||||
c = channel_connect_by_listen_address(listen_address, listen_port,
|
||||
"forwarded-tcpip", originator_address);
|
||||
|
||||
free(originator_address);
|
||||
@ -1858,6 +1845,27 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
|
||||
return c;
|
||||
}
|
||||
|
||||
static Channel *
|
||||
client_request_forwarded_streamlocal(const char *request_type, int rchan)
|
||||
{
|
||||
Channel *c = NULL;
|
||||
char *listen_path;
|
||||
|
||||
/* Get the remote path. */
|
||||
listen_path = packet_get_string(NULL);
|
||||
/* XXX: Skip reserved field for now. */
|
||||
if (packet_get_string_ptr(NULL) == NULL)
|
||||
fatal("%s: packet_get_string_ptr failed", __func__);
|
||||
packet_check_eom();
|
||||
|
||||
debug("%s: %s", __func__, listen_path);
|
||||
|
||||
c = channel_connect_by_listen_path(listen_path,
|
||||
"forwarded-streamlocal@openssh.com", "forwarded-streamlocal");
|
||||
free(listen_path);
|
||||
return c;
|
||||
}
|
||||
|
||||
static Channel *
|
||||
client_request_x11(const char *request_type, int rchan)
|
||||
{
|
||||
@ -1985,6 +1993,8 @@ client_input_channel_open(int type, u_int32_t seq, void *ctxt)
|
||||
|
||||
if (strcmp(ctype, "forwarded-tcpip") == 0) {
|
||||
c = client_request_forwarded_tcpip(ctype, rchan);
|
||||
} else if (strcmp(ctype, "forwarded-streamlocal@openssh.com") == 0) {
|
||||
c = client_request_forwarded_streamlocal(ctype, rchan);
|
||||
} else if (strcmp(ctype, "x11") == 0) {
|
||||
c = client_request_x11(ctype, rchan);
|
||||
} else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
|
||||
@ -2055,7 +2065,7 @@ client_input_channel_req(int type, u_int32_t seq, void *ctxt)
|
||||
}
|
||||
packet_check_eom();
|
||||
}
|
||||
if (reply && c != NULL) {
|
||||
if (reply && c != NULL && !(c->flags & CHAN_CLOSE_SENT)) {
|
||||
packet_start(success ?
|
||||
SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
|
||||
packet_put_int(c->remote_id);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: compat.c,v 1.82 2013/12/30 23:52:27 djm Exp $ */
|
||||
/* $OpenBSD: compat.c,v 1.85 2014/04/20 02:49:32 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: compat.h,v 1.44 2013/12/30 23:52:27 djm Exp $ */
|
||||
/* $OpenBSD: compat.h,v 1.45 2014/04/18 23:52:25 djm Exp $ */
|
||||
/* $FreeBSD$ */
|
||||
|
||||
/*
|
||||
|
@ -421,6 +421,9 @@
|
||||
/* Define to 1 if you have the `EVP_MD_CTX_init' function. */
|
||||
#define HAVE_EVP_MD_CTX_INIT 1
|
||||
|
||||
/* Define to 1 if you have the `EVP_ripemd160' function. */
|
||||
#define HAVE_EVP_RIPEMD160 1
|
||||
|
||||
/* Define to 1 if you have the `EVP_sha256' function. */
|
||||
#define HAVE_EVP_SHA256 1
|
||||
|
||||
@ -428,7 +431,7 @@
|
||||
/* #undef HAVE_EXIT_IN_UTMP */
|
||||
|
||||
/* Define to 1 if you have the `explicit_bzero' function. */
|
||||
/* #undef HAVE_EXPLICIT_BZERO */
|
||||
#define HAVE_EXPLICIT_BZERO 1
|
||||
|
||||
/* Define to 1 if you have the `fchmod' function. */
|
||||
#define HAVE_FCHMOD 1
|
||||
@ -769,6 +772,9 @@
|
||||
/* Define to 1 if you have the <memory.h> header file. */
|
||||
#define HAVE_MEMORY_H 1
|
||||
|
||||
/* Define to 1 if you have the `memset_s' function. */
|
||||
/* #undef HAVE_MEMSET_S */
|
||||
|
||||
/* Define to 1 if you have the `mkdtemp' function. */
|
||||
#define HAVE_MKDTEMP 1
|
||||
|
||||
@ -1140,7 +1146,7 @@
|
||||
/* #undef HAVE_SYS_BSDTTY_H */
|
||||
|
||||
/* Define to 1 if you have the <sys/capability.h> header file. */
|
||||
#define HAVE_SYS_CAPABILITY_H 1
|
||||
/* #undef HAVE_SYS_CAPABILITY_H */
|
||||
|
||||
/* Define to 1 if you have the <sys/cdefs.h> header file. */
|
||||
#define HAVE_SYS_CDEFS_H 1
|
||||
@ -1325,9 +1331,6 @@
|
||||
/* Define if va_copy exists */
|
||||
#define HAVE_VA_COPY 1
|
||||
|
||||
/* Define to 1 if you have the `vhangup' function. */
|
||||
/* #undef HAVE_VHANGUP */
|
||||
|
||||
/* Define to 1 if you have the <vis.h> header file. */
|
||||
#define HAVE_VIS_H 1
|
||||
|
||||
@ -1663,9 +1666,15 @@
|
||||
/* Define if you want IRIX project management */
|
||||
/* #undef WITH_IRIX_PROJECT */
|
||||
|
||||
/* use libcrypto for cryptography */
|
||||
#define WITH_OPENSSL 1
|
||||
|
||||
/* Define if you want SELinux support. */
|
||||
/* #undef WITH_SELINUX */
|
||||
|
||||
/* include SSH protocol version 1 support */
|
||||
#define WITH_SSH1 1
|
||||
|
||||
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
|
||||
significant byte first (like Motorola and SPARC, unlike Intel). */
|
||||
#if defined AC_APPLE_UNIVERSAL_BUILD
|
||||
|
@ -420,6 +420,9 @@
|
||||
/* Define to 1 if you have the `EVP_MD_CTX_init' function. */
|
||||
#undef HAVE_EVP_MD_CTX_INIT
|
||||
|
||||
/* Define to 1 if you have the `EVP_ripemd160' function. */
|
||||
#undef HAVE_EVP_RIPEMD160
|
||||
|
||||
/* Define to 1 if you have the `EVP_sha256' function. */
|
||||
#undef HAVE_EVP_SHA256
|
||||
|
||||
@ -768,6 +771,9 @@
|
||||
/* Define to 1 if you have the <memory.h> header file. */
|
||||
#undef HAVE_MEMORY_H
|
||||
|
||||
/* Define to 1 if you have the `memset_s' function. */
|
||||
#undef HAVE_MEMSET_S
|
||||
|
||||
/* Define to 1 if you have the `mkdtemp' function. */
|
||||
#undef HAVE_MKDTEMP
|
||||
|
||||
@ -1324,9 +1330,6 @@
|
||||
/* Define if va_copy exists */
|
||||
#undef HAVE_VA_COPY
|
||||
|
||||
/* Define to 1 if you have the `vhangup' function. */
|
||||
#undef HAVE_VHANGUP
|
||||
|
||||
/* Define to 1 if you have the <vis.h> header file. */
|
||||
#undef HAVE_VIS_H
|
||||
|
||||
@ -1662,9 +1665,15 @@
|
||||
/* Define if you want IRIX project management */
|
||||
#undef WITH_IRIX_PROJECT
|
||||
|
||||
/* use libcrypto for cryptography */
|
||||
#undef WITH_OPENSSL
|
||||
|
||||
/* Define if you want SELinux support. */
|
||||
#undef WITH_SELINUX
|
||||
|
||||
/* include SSH protocol version 1 support */
|
||||
#undef WITH_SSH1
|
||||
|
||||
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
|
||||
significant byte first (like Motorola and SPARC, unlike Intel). */
|
||||
#if defined AC_APPLE_UNIVERSAL_BUILD
|
||||
|
138
crypto/openssh/configure
vendored
138
crypto/openssh/configure
vendored
@ -1,5 +1,5 @@
|
||||
#! /bin/sh
|
||||
# From configure.ac Revision: 1.571 .
|
||||
# From configure.ac Revision: 1.583 .
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.68 for OpenSSH Portable.
|
||||
#
|
||||
@ -6604,7 +6604,6 @@ for ac_header in \
|
||||
sys/audit.h \
|
||||
sys/bitypes.h \
|
||||
sys/bsdtty.h \
|
||||
sys/capability.h \
|
||||
sys/cdefs.h \
|
||||
sys/dir.h \
|
||||
sys/mman.h \
|
||||
@ -6646,6 +6645,25 @@ fi
|
||||
done
|
||||
|
||||
|
||||
# sys/capsicum.h requires sys/types.h
|
||||
for ac_header in sys/capsicum.h
|
||||
do :
|
||||
ac_fn_c_check_header_compile "$LINENO" "sys/capsicum.h" "ac_cv_header_sys_capsicum_h" "
|
||||
#ifdef HAVE_SYS_TYPES_H
|
||||
# include <sys/types.h>
|
||||
#endif
|
||||
|
||||
"
|
||||
if test "x$ac_cv_header_sys_capsicum_h" = xyes; then :
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_SYS_CAPSICUM_H 1
|
||||
_ACEOF
|
||||
|
||||
fi
|
||||
|
||||
done
|
||||
|
||||
|
||||
# lastlog.h requires sys/time.h to be included first on Solaris
|
||||
for ac_header in lastlog.h
|
||||
do :
|
||||
@ -10348,10 +10366,6 @@ for ac_func in \
|
||||
Blowfish_expandstate \
|
||||
Blowfish_expand0state \
|
||||
Blowfish_stream2word \
|
||||
arc4random \
|
||||
arc4random_buf \
|
||||
arc4random_stir \
|
||||
arc4random_uniform \
|
||||
asprintf \
|
||||
b64_ntop \
|
||||
__b64_ntop \
|
||||
@ -10395,6 +10409,7 @@ for ac_func in \
|
||||
mblen \
|
||||
md5_crypt \
|
||||
memmove \
|
||||
memset_s \
|
||||
mkdtemp \
|
||||
mmap \
|
||||
ngetaddrinfo \
|
||||
@ -10453,7 +10468,6 @@ for ac_func in \
|
||||
user_from_uid \
|
||||
usleep \
|
||||
vasprintf \
|
||||
vhangup \
|
||||
vsnprintf \
|
||||
waitpid \
|
||||
|
||||
@ -11269,11 +11283,9 @@ fi
|
||||
|
||||
fi
|
||||
|
||||
# If we don't have a working asprintf, then we strongly depend on vsnprintf
|
||||
# returning the right thing on overflow: the number of characters it tried to
|
||||
# create (as per SUSv3)
|
||||
if test "x$ac_cv_func_asprintf" != "xyes" && \
|
||||
test "x$ac_cv_func_vsnprintf" = "xyes" ; then
|
||||
# We depend on vsnprintf returning the right thing on overflow: the
|
||||
# number of characters it tried to create (as per SUSv3)
|
||||
if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether vsnprintf returns correct values on overflow" >&5
|
||||
$as_echo_n "checking whether vsnprintf returns correct values on overflow... " >&6; }
|
||||
if test "$cross_compiling" = yes; then :
|
||||
@ -11288,10 +11300,14 @@ else
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
int x_snprintf(char *str,size_t count,const char *fmt,...)
|
||||
int x_snprintf(char *str, size_t count, const char *fmt, ...)
|
||||
{
|
||||
size_t ret; va_list ap;
|
||||
va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap);
|
||||
size_t ret;
|
||||
va_list ap;
|
||||
|
||||
va_start(ap, fmt);
|
||||
ret = vsnprintf(str, count, fmt, ap);
|
||||
va_end(ap);
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -11299,8 +11315,12 @@ int
|
||||
main ()
|
||||
{
|
||||
|
||||
char x[1];
|
||||
exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
|
||||
char x[1];
|
||||
if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
|
||||
return 1;
|
||||
if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
|
||||
return 1;
|
||||
return 0;
|
||||
|
||||
;
|
||||
return 0;
|
||||
@ -11897,7 +11917,7 @@ main ()
|
||||
if(fd == NULL)
|
||||
exit(1);
|
||||
|
||||
if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
|
||||
if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
|
||||
exit(1);
|
||||
|
||||
exit(0);
|
||||
@ -11954,7 +11974,8 @@ main ()
|
||||
if(fd == NULL)
|
||||
exit(1);
|
||||
|
||||
if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
|
||||
if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
|
||||
SSLeay_version(SSLEAY_VERSION))) <0)
|
||||
exit(1);
|
||||
|
||||
exit(0);
|
||||
@ -11966,6 +11987,13 @@ _ACEOF
|
||||
if ac_fn_c_try_run "$LINENO"; then :
|
||||
|
||||
ssl_library_ver=`cat conftest.ssllibver`
|
||||
# Check version is supported.
|
||||
case "$ssl_library_ver" in
|
||||
0090[0-7]*|009080[0-5]*)
|
||||
as_fn_error $? "OpenSSL >= 0.9.8f required" "$LINENO" 5
|
||||
;;
|
||||
*) ;;
|
||||
esac
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ssl_library_ver" >&5
|
||||
$as_echo "$ssl_library_ver" >&6; }
|
||||
|
||||
@ -11981,6 +12009,18 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
|
||||
fi
|
||||
|
||||
|
||||
# XXX make --without-openssl work
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define WITH_OPENSSL 1
|
||||
_ACEOF
|
||||
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define WITH_SSH1 1
|
||||
_ACEOF
|
||||
|
||||
|
||||
|
||||
# Check whether --with-openssl-header-check was given.
|
||||
if test "${with_openssl_header_check+set}" = set; then :
|
||||
@ -12511,6 +12551,25 @@ else
|
||||
hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
|
||||
|
||||
|
||||
fi
|
||||
done
|
||||
|
||||
# Search for RIPE-MD support in OpenSSL
|
||||
for ac_func in EVP_ripemd160
|
||||
do :
|
||||
ac_fn_c_check_func "$LINENO" "EVP_ripemd160" "ac_cv_func_EVP_ripemd160"
|
||||
if test "x$ac_cv_func_EVP_ripemd160" = xyes; then :
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_EVP_RIPEMD160 1
|
||||
_ACEOF
|
||||
|
||||
else
|
||||
unsupported_algorithms="$unsupported_algorithms \
|
||||
hmac-ripemd160
|
||||
hmac-ripemd160@openssh.com
|
||||
hmac-ripemd160-etm@openssh.com"
|
||||
|
||||
|
||||
fi
|
||||
done
|
||||
|
||||
@ -12714,6 +12773,24 @@ fi
|
||||
|
||||
|
||||
|
||||
for ac_func in \
|
||||
arc4random \
|
||||
arc4random_buf \
|
||||
arc4random_stir \
|
||||
arc4random_uniform \
|
||||
|
||||
do :
|
||||
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
||||
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
|
||||
if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
|
||||
_ACEOF
|
||||
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
saved_LIBS="$LIBS"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ia_openinfo in -liaf" >&5
|
||||
$as_echo_n "checking for ia_openinfo in -liaf... " >&6; }
|
||||
@ -13123,7 +13200,14 @@ fi
|
||||
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
|
||||
fi
|
||||
|
||||
SSH_PRIVSEP_USER=sshd
|
||||
case "$host" in
|
||||
*-*-cygwin*)
|
||||
SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
|
||||
;;
|
||||
*)
|
||||
SSH_PRIVSEP_USER=sshd
|
||||
;;
|
||||
esac
|
||||
|
||||
# Check whether --with-privsep-user was given.
|
||||
if test "${with_privsep_user+set}" = set; then :
|
||||
@ -13136,11 +13220,19 @@ if test "${with_privsep_user+set}" = set; then :
|
||||
|
||||
fi
|
||||
|
||||
if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define SSH_PRIVSEP_USER CYGWIN_SSH_PRIVSEP_USER
|
||||
_ACEOF
|
||||
|
||||
else
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define SSH_PRIVSEP_USER "$SSH_PRIVSEP_USER"
|
||||
_ACEOF
|
||||
|
||||
fi
|
||||
|
||||
|
||||
if test "x$have_linux_no_new_privs" = "x1" ; then
|
||||
@ -13404,10 +13496,10 @@ $as_echo "#define SANDBOX_SECCOMP_FILTER 1" >>confdefs.h
|
||||
|
||||
elif test "x$sandbox_arg" = "xcapsicum" || \
|
||||
( test -z "$sandbox_arg" && \
|
||||
test "x$ac_cv_header_sys_capability_h" = "xyes" && \
|
||||
test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
|
||||
test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
|
||||
test "x$ac_cv_header_sys_capability_h" != "xyes" && \
|
||||
as_fn_error $? "capsicum sandbox requires sys/capability.h header" "$LINENO" 5
|
||||
test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
|
||||
as_fn_error $? "capsicum sandbox requires sys/capsicum.h header" "$LINENO" 5
|
||||
test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
|
||||
as_fn_error $? "capsicum sandbox requires cap_rights_limit function" "$LINENO" 5
|
||||
SANDBOX_STYLE="capsicum"
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $Id: configure.ac,v 1.571 2014/02/21 17:09:34 tim Exp $
|
||||
# $Id: configure.ac,v 1.583 2014/08/26 20:32:01 djm Exp $
|
||||
#
|
||||
# Copyright (c) 1999-2004 Damien Miller
|
||||
#
|
||||
@ -15,7 +15,7 @@
|
||||
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
|
||||
AC_REVISION($Revision: 1.571 $)
|
||||
AC_REVISION($Revision: 1.583 $)
|
||||
AC_CONFIG_SRCDIR([ssh.c])
|
||||
AC_LANG([C])
|
||||
|
||||
@ -364,7 +364,6 @@ AC_CHECK_HEADERS([ \
|
||||
sys/audit.h \
|
||||
sys/bitypes.h \
|
||||
sys/bsdtty.h \
|
||||
sys/capability.h \
|
||||
sys/cdefs.h \
|
||||
sys/dir.h \
|
||||
sys/mman.h \
|
||||
@ -394,6 +393,13 @@ AC_CHECK_HEADERS([ \
|
||||
vis.h \
|
||||
])
|
||||
|
||||
# sys/capsicum.h requires sys/types.h
|
||||
AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
|
||||
#ifdef HAVE_SYS_TYPES_H
|
||||
# include <sys/types.h>
|
||||
#endif
|
||||
])
|
||||
|
||||
# lastlog.h requires sys/time.h to be included first on Solaris
|
||||
AC_CHECK_HEADERS([lastlog.h], [], [], [
|
||||
#ifdef HAVE_SYS_TIME_H
|
||||
@ -1631,10 +1637,6 @@ AC_CHECK_FUNCS([ \
|
||||
Blowfish_expandstate \
|
||||
Blowfish_expand0state \
|
||||
Blowfish_stream2word \
|
||||
arc4random \
|
||||
arc4random_buf \
|
||||
arc4random_stir \
|
||||
arc4random_uniform \
|
||||
asprintf \
|
||||
b64_ntop \
|
||||
__b64_ntop \
|
||||
@ -1678,6 +1680,7 @@ AC_CHECK_FUNCS([ \
|
||||
mblen \
|
||||
md5_crypt \
|
||||
memmove \
|
||||
memset_s \
|
||||
mkdtemp \
|
||||
mmap \
|
||||
ngetaddrinfo \
|
||||
@ -1736,7 +1739,6 @@ AC_CHECK_FUNCS([ \
|
||||
user_from_uid \
|
||||
usleep \
|
||||
vasprintf \
|
||||
vhangup \
|
||||
vsnprintf \
|
||||
waitpid \
|
||||
])
|
||||
@ -1948,11 +1950,9 @@ if test "x$ac_cv_func_snprintf" = "xyes" ; then
|
||||
)
|
||||
fi
|
||||
|
||||
# If we don't have a working asprintf, then we strongly depend on vsnprintf
|
||||
# returning the right thing on overflow: the number of characters it tried to
|
||||
# create (as per SUSv3)
|
||||
if test "x$ac_cv_func_asprintf" != "xyes" && \
|
||||
test "x$ac_cv_func_vsnprintf" = "xyes" ; then
|
||||
# We depend on vsnprintf returning the right thing on overflow: the
|
||||
# number of characters it tried to create (as per SUSv3)
|
||||
if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
|
||||
AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
|
||||
AC_RUN_IFELSE(
|
||||
[AC_LANG_PROGRAM([[
|
||||
@ -1960,15 +1960,23 @@ if test "x$ac_cv_func_asprintf" != "xyes" && \
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
int x_snprintf(char *str,size_t count,const char *fmt,...)
|
||||
int x_snprintf(char *str, size_t count, const char *fmt, ...)
|
||||
{
|
||||
size_t ret; va_list ap;
|
||||
va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap);
|
||||
size_t ret;
|
||||
va_list ap;
|
||||
|
||||
va_start(ap, fmt);
|
||||
ret = vsnprintf(str, count, fmt, ap);
|
||||
va_end(ap);
|
||||
return ret;
|
||||
}
|
||||
]], [[
|
||||
char x[1];
|
||||
exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
|
||||
char x[1];
|
||||
if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
|
||||
return 1;
|
||||
if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
|
||||
return 1;
|
||||
return 0;
|
||||
]])],
|
||||
[AC_MSG_RESULT([yes])],
|
||||
[
|
||||
@ -2304,7 +2312,7 @@ AC_RUN_IFELSE(
|
||||
if(fd == NULL)
|
||||
exit(1);
|
||||
|
||||
if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
|
||||
if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
|
||||
exit(1);
|
||||
|
||||
exit(0);
|
||||
@ -2339,13 +2347,21 @@ AC_RUN_IFELSE(
|
||||
if(fd == NULL)
|
||||
exit(1);
|
||||
|
||||
if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
|
||||
if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
|
||||
SSLeay_version(SSLEAY_VERSION))) <0)
|
||||
exit(1);
|
||||
|
||||
exit(0);
|
||||
]])],
|
||||
[
|
||||
ssl_library_ver=`cat conftest.ssllibver`
|
||||
# Check version is supported.
|
||||
case "$ssl_library_ver" in
|
||||
0090[[0-7]]*|009080[[0-5]]*)
|
||||
AC_MSG_ERROR([OpenSSL >= 0.9.8f required])
|
||||
;;
|
||||
*) ;;
|
||||
esac
|
||||
AC_MSG_RESULT([$ssl_library_ver])
|
||||
],
|
||||
[
|
||||
@ -2357,6 +2373,10 @@ AC_RUN_IFELSE(
|
||||
]
|
||||
)
|
||||
|
||||
# XXX make --without-openssl work
|
||||
AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
|
||||
AC_DEFINE_UNQUOTED([WITH_SSH1], [1], [include SSH protocol version 1 support])
|
||||
|
||||
AC_ARG_WITH([openssl-header-check],
|
||||
[ --without-openssl-header-check Disable OpenSSL version consistency check],
|
||||
[ if test "x$withval" = "xno" ; then
|
||||
@ -2565,6 +2585,14 @@ AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
|
||||
hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
|
||||
]
|
||||
)
|
||||
# Search for RIPE-MD support in OpenSSL
|
||||
AC_CHECK_FUNCS([EVP_ripemd160], ,
|
||||
[unsupported_algorithms="$unsupported_algorithms \
|
||||
hmac-ripemd160
|
||||
hmac-ripemd160@openssh.com
|
||||
hmac-ripemd160-etm@openssh.com"
|
||||
]
|
||||
)
|
||||
|
||||
# Check complete ECC support in OpenSSL
|
||||
AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
|
||||
@ -2685,6 +2713,13 @@ fi
|
||||
AC_SUBST([TEST_SSH_ECC])
|
||||
AC_SUBST([COMMENT_OUT_ECC])
|
||||
|
||||
AC_CHECK_FUNCS([ \
|
||||
arc4random \
|
||||
arc4random_buf \
|
||||
arc4random_stir \
|
||||
arc4random_uniform \
|
||||
])
|
||||
|
||||
saved_LIBS="$LIBS"
|
||||
AC_CHECK_LIB([iaf], [ia_openinfo], [
|
||||
LIBS="$LIBS -liaf"
|
||||
@ -2868,7 +2903,14 @@ if test "x$PAM_MSG" = "xyes" ; then
|
||||
])
|
||||
fi
|
||||
|
||||
SSH_PRIVSEP_USER=sshd
|
||||
case "$host" in
|
||||
*-*-cygwin*)
|
||||
SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
|
||||
;;
|
||||
*)
|
||||
SSH_PRIVSEP_USER=sshd
|
||||
;;
|
||||
esac
|
||||
AC_ARG_WITH([privsep-user],
|
||||
[ --with-privsep-user=user Specify non-privileged user for privilege separation],
|
||||
[
|
||||
@ -2878,8 +2920,13 @@ AC_ARG_WITH([privsep-user],
|
||||
fi
|
||||
]
|
||||
)
|
||||
AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
|
||||
[non-privileged user for privilege separation])
|
||||
if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
|
||||
AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
|
||||
[Cygwin function to fetch non-privileged user for privilege separation])
|
||||
else
|
||||
AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
|
||||
[non-privileged user for privilege separation])
|
||||
fi
|
||||
AC_SUBST([SSH_PRIVSEP_USER])
|
||||
|
||||
if test "x$have_linux_no_new_privs" = "x1" ; then
|
||||
@ -3044,10 +3091,10 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \
|
||||
AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
|
||||
elif test "x$sandbox_arg" = "xcapsicum" || \
|
||||
( test -z "$sandbox_arg" && \
|
||||
test "x$ac_cv_header_sys_capability_h" = "xyes" && \
|
||||
test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
|
||||
test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
|
||||
test "x$ac_cv_header_sys_capability_h" != "xyes" && \
|
||||
AC_MSG_ERROR([capsicum sandbox requires sys/capability.h header])
|
||||
test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
|
||||
AC_MSG_ERROR([capsicum sandbox requires sys/capsicum.h header])
|
||||
test "x$ac_cv_func_cap_rights_limit" != "xyes" && \
|
||||
AC_MSG_ERROR([capsicum sandbox requires cap_rights_limit function])
|
||||
SANDBOX_STYLE="capsicum"
|
||||
|
@ -16,7 +16,7 @@
|
||||
|
||||
#old cvs stuff. please update before use. may be deprecated.
|
||||
%define use_stable 1
|
||||
%define version 6.6p1
|
||||
%define version 6.7p1
|
||||
%if %{use_stable}
|
||||
%define cvs %{nil}
|
||||
%define release 1
|
||||
@ -178,7 +178,6 @@ by Jim Knoble <jmknoble@pobox.com>.
|
||||
CFLAGS="$RPM_OPT_FLAGS" \
|
||||
%configure \
|
||||
--with-pam \
|
||||
--with-tcp-wrappers \
|
||||
--with-privsep-path=%{_var}/empty/sshd \
|
||||
#leave this line for easy edits.
|
||||
|
||||
@ -363,4 +362,4 @@ fi
|
||||
* Mon Jan 01 1998 ...
|
||||
Template Version: 1.31
|
||||
|
||||
$Id: openssh.spec,v 1.83 2014/02/27 23:03:55 djm Exp $
|
||||
$Id: openssh.spec,v 1.85 2014/08/19 01:36:08 djm Exp $
|
||||
|
@ -69,7 +69,7 @@ Building OpenSSH
|
||||
Building from source is easy. Just unpack the source archive, cd to that
|
||||
directory, and call cygport:
|
||||
|
||||
cygport openssh.cygport almostall
|
||||
cygport openssh.cygport all
|
||||
|
||||
You must have installed the following packages to be able to build OpenSSH
|
||||
with the aforementioned cygport script:
|
||||
@ -77,7 +77,6 @@ with the aforementioned cygport script:
|
||||
zlib
|
||||
crypt
|
||||
openssl-devel
|
||||
libwrap-devel
|
||||
libedit-devel
|
||||
libkrb5-devel
|
||||
|
||||
|
@ -34,9 +34,9 @@ declare -a csih_required_commands=(
|
||||
/usr/bin/mv coreutils
|
||||
/usr/bin/rm coreutils
|
||||
/usr/bin/cygpath cygwin
|
||||
/usr/bin/mkpasswd cygwin
|
||||
/usr/bin/mount cygwin
|
||||
/usr/bin/ps cygwin
|
||||
/usr/bin/setfacl cygwin
|
||||
/usr/bin/umount cygwin
|
||||
/usr/bin/cmp diffutils
|
||||
/usr/bin/grep grep
|
||||
@ -59,8 +59,9 @@ PREFIX=/usr
|
||||
SYSCONFDIR=/etc
|
||||
LOCALSTATEDIR=/var
|
||||
|
||||
sshd_config_configured=no
|
||||
port_number=22
|
||||
privsep_configured=no
|
||||
strictmodes=yes
|
||||
privsep_used=yes
|
||||
cygwin_value=""
|
||||
user_account=
|
||||
@ -89,28 +90,8 @@ update_services_file() {
|
||||
# Depends on the above mount
|
||||
_wservices=`cygpath -w "${_services}"`
|
||||
|
||||
# Remove sshd 22/port from services
|
||||
if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
|
||||
then
|
||||
/usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
|
||||
if [ -f "${_serv_tmp}" ]
|
||||
then
|
||||
if /usr/bin/mv "${_serv_tmp}" "${_services}"
|
||||
then
|
||||
csih_inform "Removing sshd from ${_wservices}"
|
||||
else
|
||||
csih_warning "Removing sshd from ${_wservices} failed!"
|
||||
let ++ret
|
||||
fi
|
||||
/usr/bin/rm -f "${_serv_tmp}"
|
||||
else
|
||||
csih_warning "Removing sshd from ${_wservices} failed!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
|
||||
# Add ssh 22/tcp and ssh 22/udp to services
|
||||
if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
|
||||
if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
|
||||
then
|
||||
if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
|
||||
then
|
||||
@ -131,18 +112,46 @@ update_services_file() {
|
||||
return $ret
|
||||
} # --- End of update_services_file --- #
|
||||
|
||||
# ======================================================================
|
||||
# Routine: sshd_strictmodes
|
||||
# MODIFIES: strictmodes
|
||||
# ======================================================================
|
||||
sshd_strictmodes() {
|
||||
if [ "${sshd_config_configured}" != "yes" ]
|
||||
then
|
||||
echo
|
||||
csih_inform "StrictModes is set to 'yes' by default."
|
||||
csih_inform "This is the recommended setting, but it requires that the POSIX"
|
||||
csih_inform "permissions of the user's home directory, the user's .ssh"
|
||||
csih_inform "directory, and the user's ssh key files are tight so that"
|
||||
csih_inform "only the user has write permissions."
|
||||
csih_inform "On the other hand, StrictModes don't work well with default"
|
||||
csih_inform "Windows permissions of a home directory mounted with the"
|
||||
csih_inform "'noacl' option, and they don't work at all if the home"
|
||||
csih_inform "directory is on a FAT or FAT32 partition."
|
||||
if ! csih_request "Should StrictModes be used?"
|
||||
then
|
||||
strictmodes=no
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
# ======================================================================
|
||||
# Routine: sshd_privsep
|
||||
# MODIFIES: privsep_configured privsep_used
|
||||
# MODIFIES: privsep_used
|
||||
# ======================================================================
|
||||
sshd_privsep() {
|
||||
local sshdconfig_tmp
|
||||
local ret=0
|
||||
|
||||
if [ "${privsep_configured}" != "yes" ]
|
||||
if [ "${sshd_config_configured}" != "yes" ]
|
||||
then
|
||||
csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
|
||||
csih_inform "However, this requires a non-privileged account called 'sshd'."
|
||||
echo
|
||||
csih_inform "Privilege separation is set to 'sandbox' by default since"
|
||||
csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set"
|
||||
csih_inform "to 'yes' or 'no'."
|
||||
csih_inform "However, using privilege separation requires a non-privileged account"
|
||||
csih_inform "called 'sshd'."
|
||||
csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
|
||||
if csih_request "Should privilege separation be used?"
|
||||
then
|
||||
@ -159,36 +168,53 @@ sshd_privsep() {
|
||||
privsep_used=no
|
||||
fi
|
||||
fi
|
||||
return $ret
|
||||
} # --- End of sshd_privsep --- #
|
||||
|
||||
# Create default sshd_config from skeleton files in /etc/defaults/etc or
|
||||
# modify to add the missing privsep configuration option
|
||||
if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
|
||||
# ======================================================================
|
||||
# Routine: sshd_config_tweak
|
||||
# ======================================================================
|
||||
sshd_config_tweak() {
|
||||
local ret=0
|
||||
|
||||
# Modify sshd_config
|
||||
csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
|
||||
if [ "${port_number}" -ne 22 ]
|
||||
then
|
||||
csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
|
||||
sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
|
||||
/usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
|
||||
s/^#Port 22/Port ${port_number}/
|
||||
s/^#StrictModes yes/StrictModes no/" \
|
||||
< ${SYSCONFDIR}/sshd_config \
|
||||
> "${sshdconfig_tmp}"
|
||||
if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
|
||||
/usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
|
||||
${SYSCONFDIR}/sshd_config
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
csih_warning "Setting privilege separation to 'yes' failed!"
|
||||
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
|
||||
let ++ret
|
||||
csih_warning "Setting listening port to ${port_number} failed!"
|
||||
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
|
||||
let ++ret
|
||||
fi
|
||||
elif [ "${privsep_configured}" != "yes" ]
|
||||
fi
|
||||
if [ "${strictmodes}" = "no" ]
|
||||
then
|
||||
echo >> ${SYSCONFDIR}/sshd_config
|
||||
if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
|
||||
/usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
|
||||
${SYSCONFDIR}/sshd_config
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
csih_warning "Setting privilege separation to 'yes' failed!"
|
||||
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
|
||||
let ++ret
|
||||
csih_warning "Setting StrictModes to 'no' failed!"
|
||||
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
if [ "${sshd_config_configured}" != "yes" ]
|
||||
then
|
||||
/usr/bin/sed -i -e "
|
||||
s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
|
||||
${SYSCONFDIR}/sshd_config
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
csih_warning "Setting privilege separation failed!"
|
||||
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
|
||||
let ++ret
|
||||
fi
|
||||
fi
|
||||
return $ret
|
||||
} # --- End of sshd_privsep --- #
|
||||
} # --- End of sshd_config_tweak --- #
|
||||
|
||||
# ======================================================================
|
||||
# Routine: update_inetd_conf
|
||||
@ -207,11 +233,11 @@ update_inetd_conf() {
|
||||
# we have inetutils-1.5 inetd.d support
|
||||
if [ -f "${_inetcnf}" ]
|
||||
then
|
||||
/usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
|
||||
/usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
|
||||
|
||||
# check for sshd OR ssh in top-level inetd.conf file, and remove
|
||||
# will be replaced by a file in inetd.d/
|
||||
if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
|
||||
if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
|
||||
then
|
||||
/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
|
||||
if [ -f "${_inetcnf_tmp}" ]
|
||||
@ -236,9 +262,9 @@ update_inetd_conf() {
|
||||
then
|
||||
if [ "${_with_comment}" -eq 0 ]
|
||||
then
|
||||
/usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
|
||||
/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
|
||||
else
|
||||
/usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
|
||||
/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
|
||||
fi
|
||||
if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
|
||||
then
|
||||
@ -251,13 +277,13 @@ update_inetd_conf() {
|
||||
|
||||
elif [ -f "${_inetcnf}" ]
|
||||
then
|
||||
/usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
|
||||
/usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
|
||||
|
||||
# check for sshd in top-level inetd.conf file, and remove
|
||||
# will be replaced by a file in inetd.d/
|
||||
if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
|
||||
if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
|
||||
then
|
||||
/usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
|
||||
/usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
|
||||
if [ -f "${_inetcnf_tmp}" ]
|
||||
then
|
||||
if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
|
||||
@ -305,17 +331,26 @@ check_service_files_ownership() {
|
||||
|
||||
if [ -z "${run_service_as}" ]
|
||||
then
|
||||
accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
|
||||
accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
|
||||
/usr/bin/sed -ne 's/^Account *: *//gp')
|
||||
if [ "${accnt_name}" = "LocalSystem" ]
|
||||
then
|
||||
# Convert "LocalSystem" to "SYSTEM" as is the correct account name
|
||||
accnt_name="SYSTEM:"
|
||||
elif [[ "${accnt_name}" =~ ^\.\\ ]]
|
||||
then
|
||||
# Convert "." domain to local machine name
|
||||
accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
|
||||
run_service_as="SYSTEM"
|
||||
else
|
||||
dom="${accnt_name%%\\*}"
|
||||
accnt_name="${accnt_name#*\\}"
|
||||
if [ "${dom}" = '.' ]
|
||||
then
|
||||
# Check local account
|
||||
run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
|
||||
/usr/bin/awk -F: '{print $1;}')
|
||||
else
|
||||
# Check domain
|
||||
run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
|
||||
/usr/bin/awk -F: '{print $1;}')
|
||||
fi
|
||||
fi
|
||||
run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
|
||||
if [ -z "${run_service_as}" ]
|
||||
then
|
||||
csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
|
||||
@ -615,32 +650,6 @@ echo
|
||||
|
||||
warning_cnt=0
|
||||
|
||||
# Check for ${SYSCONFDIR} directory
|
||||
csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
|
||||
if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Can't set permissions on ${SYSCONFDIR}!"
|
||||
let ++warning_cnt
|
||||
fi
|
||||
if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
|
||||
let ++warning_cnt
|
||||
fi
|
||||
|
||||
# Check for /var/log directory
|
||||
csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
|
||||
if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
|
||||
let ++warning_cnt
|
||||
fi
|
||||
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
|
||||
let ++warning_cnt
|
||||
fi
|
||||
|
||||
# Create /var/log/lastlog if not already exists
|
||||
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
|
||||
then
|
||||
@ -665,13 +674,9 @@ then
|
||||
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
|
||||
let ++warning_cnt
|
||||
fi
|
||||
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
|
||||
then
|
||||
csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
|
||||
let ++warning_cnt
|
||||
fi
|
||||
|
||||
# generate missing host keys
|
||||
csih_inform "Generating missing SSH host keys"
|
||||
/usr/bin/ssh-keygen -A || let warning_cnt+=$?
|
||||
|
||||
# handle ssh_config
|
||||
@ -690,10 +695,11 @@ fi
|
||||
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
|
||||
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
|
||||
then
|
||||
/usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
|
||||
sshd_config_configured=yes
|
||||
fi
|
||||
sshd_strictmodes || let warning_cnt+=$?
|
||||
sshd_privsep || let warning_cnt+=$?
|
||||
|
||||
sshd_config_tweak || let warning_cnt+=$?
|
||||
update_services_file || let warning_cnt+=$?
|
||||
update_inetd_conf || let warning_cnt+=$?
|
||||
install_service || let warning_cnt+=$?
|
||||
|
@ -1,4 +1,4 @@
|
||||
%define ver 6.6p1
|
||||
%define ver 6.7p1
|
||||
%define rel 1
|
||||
|
||||
# OpenSSH privilege separation requires a user & group ID
|
||||
@ -86,7 +86,7 @@ PreReq: initscripts >= 5.00
|
||||
%else
|
||||
Requires: initscripts >= 5.20
|
||||
%endif
|
||||
BuildRequires: perl, openssl-devel, tcp_wrappers
|
||||
BuildRequires: perl, openssl-devel
|
||||
BuildRequires: /bin/login
|
||||
%if ! %{build6x}
|
||||
BuildPreReq: glibc-devel, pam
|
||||
@ -192,7 +192,6 @@ echo K5DIR=$K5DIR
|
||||
--sysconfdir=%{_sysconfdir}/ssh \
|
||||
--libexecdir=%{_libexecdir}/openssh \
|
||||
--datadir=%{_datadir}/openssh \
|
||||
--with-tcp-wrappers \
|
||||
--with-rsh=%{_bindir}/rsh \
|
||||
--with-default-path=/usr/local/bin:/bin:/usr/bin \
|
||||
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
|
||||
|
@ -13,7 +13,7 @@
|
||||
|
||||
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
|
||||
Name: openssh
|
||||
Version: 6.6p1
|
||||
Version: 6.7p1
|
||||
URL: http://www.openssh.com/
|
||||
Release: 1
|
||||
Source0: openssh-%{version}.tar.gz
|
||||
@ -28,11 +28,9 @@ Provides: ssh
|
||||
# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
|
||||
# building prerequisites -- stuff for
|
||||
# OpenSSL (openssl-devel),
|
||||
# TCP Wrappers (tcpd-devel),
|
||||
# and Gnome (glibdev, gtkdev, and gnlibsd)
|
||||
#
|
||||
BuildPrereq: openssl
|
||||
BuildPrereq: tcpd-devel
|
||||
BuildPrereq: zlib-devel
|
||||
#BuildPrereq: glibdev
|
||||
#BuildPrereq: gtkdev
|
||||
@ -140,7 +138,6 @@ CFLAGS="$RPM_OPT_FLAGS" \
|
||||
--mandir=%{_mandir} \
|
||||
--with-privsep-path=/var/lib/empty \
|
||||
--with-pam \
|
||||
--with-tcp-wrappers \
|
||||
--libexecdir=%{_libdir}/ssh
|
||||
make
|
||||
|
||||
|
@ -25,7 +25,7 @@
|
||||
#ifndef _DEFINES_H
|
||||
#define _DEFINES_H
|
||||
|
||||
/* $Id: defines.h,v 1.176 2014/01/17 13:12:38 dtucker Exp $ */
|
||||
/* $Id: defines.h,v 1.183 2014/09/02 19:33:26 djm Exp $ */
|
||||
|
||||
|
||||
/* Constants */
|
||||
@ -405,7 +405,7 @@ struct winsize {
|
||||
|
||||
/* user may have set a different path */
|
||||
#if defined(_PATH_MAILDIR) && defined(MAIL_DIRECTORY)
|
||||
# undef _PATH_MAILDIR MAILDIR
|
||||
# undef _PATH_MAILDIR
|
||||
#endif /* defined(_PATH_MAILDIR) && defined(MAIL_DIRECTORY) */
|
||||
|
||||
#ifdef MAIL_DIRECTORY
|
||||
@ -603,10 +603,6 @@ struct winsize {
|
||||
# define memmove(s1, s2, n) bcopy((s2), (s1), (n))
|
||||
#endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */
|
||||
|
||||
#if defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX)
|
||||
# define USE_VHANGUP
|
||||
#endif /* defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX) */
|
||||
|
||||
#ifndef GETPGRP_VOID
|
||||
# include <unistd.h>
|
||||
# define getpgrp() getpgrp(0)
|
||||
@ -826,4 +822,23 @@ struct winsize {
|
||||
# define arc4random_stir()
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_VA_COPY
|
||||
# ifdef HAVE___VA_COPY
|
||||
# define va_copy(dest, src) __va_copy(dest, src)
|
||||
# else
|
||||
# define va_copy(dest, src) (dest) = (src)
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#ifndef __predict_true
|
||||
# if defined(__GNUC__) && \
|
||||
((__GNUC__ > (2)) || (__GNUC__ == (2) && __GNUC_MINOR__ >= (96)))
|
||||
# define __predict_true(exp) __builtin_expect(((exp) != 0), 1)
|
||||
# define __predict_false(exp) __builtin_expect(((exp) != 0), 0)
|
||||
# else
|
||||
# define __predict_true(exp) ((exp) != 0)
|
||||
# define __predict_false(exp) ((exp) != 0)
|
||||
# endif /* gcc version */
|
||||
#endif /* __predict_true */
|
||||
|
||||
#endif /* _DEFINES_H */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: digest-libc.c,v 1.2 2014/02/02 03:44:31 djm Exp $ */
|
||||
/* $OpenBSD: digest-libc.c,v 1.3 2014/06/24 01:13:21 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2013 Damien Miller <djm@mindrot.org>
|
||||
* Copyright (c) 2014 Markus Friedl. All rights reserved.
|
||||
@ -28,7 +28,8 @@
|
||||
#include <sha1.h>
|
||||
#include <sha2.h>
|
||||
|
||||
#include "buffer.h"
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
#include "digest.h"
|
||||
|
||||
typedef void md_init_fn(void *mdctx);
|
||||
@ -164,7 +165,7 @@ ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to)
|
||||
const struct ssh_digest *digest = ssh_digest_by_alg(from->alg);
|
||||
|
||||
if (digest == NULL || from->alg != to->alg)
|
||||
return -1;
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
memcpy(to->mdctx, from->mdctx, digest->ctx_len);
|
||||
return 0;
|
||||
}
|
||||
@ -175,15 +176,15 @@ ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
|
||||
const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg);
|
||||
|
||||
if (digest == NULL)
|
||||
return -1;
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
digest->md_update(ctx->mdctx, m, mlen);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b)
|
||||
ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const struct sshbuf *b)
|
||||
{
|
||||
return ssh_digest_update(ctx, buffer_ptr(b), buffer_len(b));
|
||||
return ssh_digest_update(ctx, sshbuf_ptr(b), sshbuf_len(b));
|
||||
}
|
||||
|
||||
int
|
||||
@ -192,11 +193,11 @@ ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
|
||||
const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg);
|
||||
|
||||
if (digest == NULL)
|
||||
return -1;
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if (dlen > UINT_MAX)
|
||||
return -1;
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if (dlen < digest->digest_len) /* No truncation allowed */
|
||||
return -1;
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
digest->md_final(d, ctx->mdctx);
|
||||
return 0;
|
||||
}
|
||||
@ -223,16 +224,16 @@ ssh_digest_memory(int alg, const void *m, size_t mlen, u_char *d, size_t dlen)
|
||||
struct ssh_digest_ctx *ctx = ssh_digest_start(alg);
|
||||
|
||||
if (ctx == NULL)
|
||||
return -1;
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if (ssh_digest_update(ctx, m, mlen) != 0 ||
|
||||
ssh_digest_final(ctx, d, dlen) != 0)
|
||||
return -1;
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
ssh_digest_free(ctx);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen)
|
||||
ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
|
||||
{
|
||||
return ssh_digest_memory(alg, buffer_ptr(b), buffer_len(b), d, dlen);
|
||||
return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: digest-openssl.c,v 1.2 2014/02/02 03:44:31 djm Exp $ */
|
||||
/* $OpenBSD: digest-openssl.c,v 1.4 2014/07/03 03:26:43 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2013 Damien Miller <djm@mindrot.org>
|
||||
*
|
||||
@ -26,8 +26,18 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#include "buffer.h"
|
||||
#include "sshbuf.h"
|
||||
#include "digest.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
#ifndef HAVE_EVP_RIPEMD160
|
||||
# define EVP_ripemd160 NULL
|
||||
#endif /* HAVE_EVP_RIPEMD160 */
|
||||
#ifndef HAVE_EVP_SHA256
|
||||
# define EVP_sha256 NULL
|
||||
# define EVP_sha384 NULL
|
||||
# define EVP_sha512 NULL
|
||||
#endif /* HAVE_EVP_SHA256 */
|
||||
|
||||
struct ssh_digest_ctx {
|
||||
int alg;
|
||||
@ -46,11 +56,9 @@ const struct ssh_digest digests[] = {
|
||||
{ SSH_DIGEST_MD5, "MD5", 16, EVP_md5 },
|
||||
{ SSH_DIGEST_RIPEMD160, "RIPEMD160", 20, EVP_ripemd160 },
|
||||
{ SSH_DIGEST_SHA1, "SHA1", 20, EVP_sha1 },
|
||||
#ifdef HAVE_EVP_SHA256 /* XXX replace with local if missing */
|
||||
{ SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
|
||||
{ SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 },
|
||||
{ SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
|
||||
#endif
|
||||
{ -1, NULL, 0, NULL },
|
||||
};
|
||||
|
||||
@ -61,6 +69,8 @@ ssh_digest_by_alg(int alg)
|
||||
return NULL;
|
||||
if (digests[alg].id != alg) /* sanity */
|
||||
return NULL;
|
||||
if (digests[alg].mdfunc == NULL)
|
||||
return NULL;
|
||||
return &(digests[alg]);
|
||||
}
|
||||
|
||||
@ -98,9 +108,11 @@ ssh_digest_start(int alg)
|
||||
int
|
||||
ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to)
|
||||
{
|
||||
if (from->alg != to->alg)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
/* we have bcopy-style order while openssl has memcpy-style */
|
||||
if (!EVP_MD_CTX_copy_ex(&to->mdctx, &from->mdctx))
|
||||
return -1;
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -108,14 +120,14 @@ int
|
||||
ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
|
||||
{
|
||||
if (EVP_DigestUpdate(&ctx->mdctx, m, mlen) != 1)
|
||||
return -1;
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b)
|
||||
ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const struct sshbuf *b)
|
||||
{
|
||||
return ssh_digest_update(ctx, buffer_ptr(b), buffer_len(b));
|
||||
return ssh_digest_update(ctx, sshbuf_ptr(b), sshbuf_len(b));
|
||||
}
|
||||
|
||||
int
|
||||
@ -125,13 +137,13 @@ ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
|
||||
u_int l = dlen;
|
||||
|
||||
if (dlen > UINT_MAX)
|
||||
return -1;
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if (dlen < digest->digest_len) /* No truncation allowed */
|
||||
return -1;
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if (EVP_DigestFinal_ex(&ctx->mdctx, d, &l) != 1)
|
||||
return -1;
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
if (l != digest->digest_len) /* sanity */
|
||||
return -1;
|
||||
return SSH_ERR_INTERNAL_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -148,19 +160,23 @@ ssh_digest_free(struct ssh_digest_ctx *ctx)
|
||||
int
|
||||
ssh_digest_memory(int alg, const void *m, size_t mlen, u_char *d, size_t dlen)
|
||||
{
|
||||
struct ssh_digest_ctx *ctx = ssh_digest_start(alg);
|
||||
const struct ssh_digest *digest = ssh_digest_by_alg(alg);
|
||||
u_int mdlen;
|
||||
|
||||
if (ctx == NULL)
|
||||
return -1;
|
||||
if (ssh_digest_update(ctx, m, mlen) != 0 ||
|
||||
ssh_digest_final(ctx, d, dlen) != 0)
|
||||
return -1;
|
||||
ssh_digest_free(ctx);
|
||||
if (digest == NULL)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if (dlen > UINT_MAX)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if (dlen < digest->digest_len)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
mdlen = dlen;
|
||||
if (!EVP_Digest(m, mlen, d, &mdlen, digest->mdfunc(), NULL))
|
||||
return SSH_ERR_LIBCRYPTO_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen)
|
||||
ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
|
||||
{
|
||||
return ssh_digest_memory(alg, buffer_ptr(b), buffer_len(b), d, dlen);
|
||||
return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: digest.h,v 1.2 2014/01/27 18:58:14 markus Exp $ */
|
||||
/* $OpenBSD: digest.h,v 1.6 2014/07/03 04:36:45 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2013 Damien Miller <djm@mindrot.org>
|
||||
*
|
||||
@ -30,6 +30,7 @@
|
||||
#define SSH_DIGEST_SHA512 5
|
||||
#define SSH_DIGEST_MAX 6
|
||||
|
||||
struct sshbuf;
|
||||
struct ssh_digest_ctx;
|
||||
|
||||
/* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */
|
||||
@ -47,14 +48,15 @@ int ssh_digest_memory(int alg, const void *m, size_t mlen,
|
||||
u_char *d, size_t dlen)
|
||||
__attribute__((__bounded__(__buffer__, 2, 3)))
|
||||
__attribute__((__bounded__(__buffer__, 4, 5)));
|
||||
int ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen)
|
||||
int ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
|
||||
__attribute__((__bounded__(__buffer__, 3, 4)));
|
||||
|
||||
/* Update API */
|
||||
struct ssh_digest_ctx *ssh_digest_start(int alg);
|
||||
int ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
|
||||
__attribute__((__bounded__(__buffer__, 2, 3)));
|
||||
int ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b);
|
||||
int ssh_digest_update_buffer(struct ssh_digest_ctx *ctx,
|
||||
const struct sshbuf *b);
|
||||
int ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
|
||||
__attribute__((__bounded__(__buffer__, 2, 3)));
|
||||
void ssh_digest_free(struct ssh_digest_ctx *ctx);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: dns.c,v 1.29 2013/05/17 00:13:13 djm Exp $ */
|
||||
/* $OpenBSD: dns.c,v 1.31 2014/06/24 01:13:21 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
|
||||
@ -34,6 +34,8 @@
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
@ -96,6 +98,11 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
|
||||
if (!*digest_type)
|
||||
*digest_type = SSHFP_HASH_SHA256;
|
||||
break;
|
||||
case KEY_ED25519:
|
||||
*algorithm = SSHFP_KEY_ED25519;
|
||||
if (!*digest_type)
|
||||
*digest_type = SSHFP_HASH_SHA256;
|
||||
break;
|
||||
default:
|
||||
*algorithm = SSHFP_KEY_RESERVED; /* 0 */
|
||||
*digest_type = SSHFP_HASH_RESERVED; /* 0 */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: dns.h,v 1.12 2012/05/23 03:28:28 djm Exp $ */
|
||||
/* $OpenBSD: dns.h,v 1.13 2014/04/20 09:24:26 logan Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
|
||||
@ -32,7 +32,8 @@ enum sshfp_types {
|
||||
SSHFP_KEY_RESERVED = 0,
|
||||
SSHFP_KEY_RSA = 1,
|
||||
SSHFP_KEY_DSA = 2,
|
||||
SSHFP_KEY_ECDSA = 3
|
||||
SSHFP_KEY_ECDSA = 3,
|
||||
SSHFP_KEY_ED25519 = 4
|
||||
};
|
||||
|
||||
enum sshfp_hashes {
|
||||
|
@ -43,6 +43,8 @@
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/err.h>
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#include "ssh.h"
|
||||
#include "misc.h"
|
||||
#include "xmalloc.h"
|
||||
@ -209,16 +211,7 @@ seed_rng(void)
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
unsigned char buf[RANDOM_SEED_SIZE];
|
||||
#endif
|
||||
/*
|
||||
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
|
||||
* We match major, minor, fix and status (not patch) for <1.0.0.
|
||||
* After that, we acceptable compatible fix versions (so we
|
||||
* allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
|
||||
* within a patch series.
|
||||
*/
|
||||
u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
|
||||
if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
|
||||
(SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
|
||||
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
|
||||
|
@ -15,6 +15,10 @@ configure_args="
|
||||
|
||||
set -e
|
||||
|
||||
# make sure configure uses the correct compiler
|
||||
export CC=$(echo ".include <bsd.lib.mk>" | make -f /dev/stdin -VCC)
|
||||
export CPP=$(echo ".include <bsd.lib.mk>" | make -f /dev/stdin -VCPP)
|
||||
|
||||
# generate config.h with krb5 and stash it
|
||||
sh configure $configure_args --with-kerberos5
|
||||
mv config.log config.log.orig
|
||||
|
@ -39,6 +39,7 @@
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
|
||||
#include "buffer.h"
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
|
||||
/* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||
@ -97,13 +97,13 @@ static OM_uint32
|
||||
ssh_gssapi_acquire_cred(Gssctxt *ctx)
|
||||
{
|
||||
OM_uint32 status;
|
||||
char lname[MAXHOSTNAMELEN];
|
||||
char lname[NI_MAXHOST];
|
||||
gss_OID_set oidset;
|
||||
|
||||
gss_create_empty_oid_set(&status, &oidset);
|
||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
||||
|
||||
if (gethostname(lname, MAXHOSTNAMELEN)) {
|
||||
if (gethostname(lname, sizeof(lname))) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (-1);
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: hmac.h,v 1.6 2014/01/27 18:58:14 markus Exp $ */
|
||||
/* $OpenBSD: hmac.h,v 1.9 2014/06/24 01:13:21 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2014 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -21,6 +21,7 @@
|
||||
/* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */
|
||||
size_t ssh_hmac_bytes(int alg);
|
||||
|
||||
struct sshbuf;
|
||||
struct ssh_hmac_ctx;
|
||||
struct ssh_hmac_ctx *ssh_hmac_start(int alg);
|
||||
|
||||
@ -29,7 +30,7 @@ int ssh_hmac_init(struct ssh_hmac_ctx *ctx, const void *key, size_t klen)
|
||||
__attribute__((__bounded__(__buffer__, 2, 3)));
|
||||
int ssh_hmac_update(struct ssh_hmac_ctx *ctx, const void *m, size_t mlen)
|
||||
__attribute__((__bounded__(__buffer__, 2, 3)));
|
||||
int ssh_hmac_update_buffer(struct ssh_hmac_ctx *ctx, const Buffer *b);
|
||||
int ssh_hmac_update_buffer(struct ssh_hmac_ctx *ctx, const struct sshbuf *b);
|
||||
int ssh_hmac_final(struct ssh_hmac_ctx *ctx, u_char *d, size_t dlen)
|
||||
__attribute__((__bounded__(__buffer__, 2, 3)));
|
||||
void ssh_hmac_free(struct ssh_hmac_ctx *ctx);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: hostfile.c,v 1.55 2014/01/31 16:39:19 tedu Exp $ */
|
||||
/* $OpenBSD: hostfile.c,v 1.57 2014/06/24 01:13:21 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -47,6 +47,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "match.h"
|
||||
@ -182,6 +183,7 @@ static int
|
||||
hostfile_check_key(int bits, const Key *key, const char *host,
|
||||
const char *filename, u_long linenum)
|
||||
{
|
||||
#ifdef WITH_SSH1
|
||||
if (key == NULL || key->type != KEY_RSA1 || key->rsa == NULL)
|
||||
return 1;
|
||||
if (bits != BN_num_bits(key->rsa->n)) {
|
||||
@ -191,6 +193,7 @@ hostfile_check_key(int bits, const Key *key, const char *host,
|
||||
logit("Warning: replace %d with %d in %s, line %lu.",
|
||||
bits, BN_num_bits(key->rsa->n), filename, linenum);
|
||||
}
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -296,11 +299,15 @@ load_hostkeys(struct hostkeys *hostkeys, const char *host, const char *path)
|
||||
key = key_new(KEY_UNSPEC);
|
||||
if (!hostfile_read_key(&cp, &kbits, key)) {
|
||||
key_free(key);
|
||||
#ifdef WITH_SSH1
|
||||
key = key_new(KEY_RSA1);
|
||||
if (!hostfile_read_key(&cp, &kbits, key)) {
|
||||
key_free(key);
|
||||
continue;
|
||||
}
|
||||
#else
|
||||
continue;
|
||||
#endif
|
||||
}
|
||||
if (!hostfile_check_key(kbits, key, host, path, linenum))
|
||||
continue;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kex.c,v 1.98 2014/02/02 03:44:31 djm Exp $ */
|
||||
/* $OpenBSD: kex.c,v 1.99 2014/04/29 18:01:49 markus Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -33,7 +33,9 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/crypto.h>
|
||||
#endif
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh2.h"
|
||||
@ -70,12 +72,13 @@ struct kexalg {
|
||||
int hash_alg;
|
||||
};
|
||||
static const struct kexalg kexalgs[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
{ KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
#ifdef HAVE_EVP_SHA256
|
||||
{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
#endif
|
||||
#endif /* HAVE_EVP_SHA256 */
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
|
||||
NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
|
||||
@ -84,12 +87,13 @@ static const struct kexalg kexalgs[] = {
|
||||
# ifdef OPENSSL_HAS_NISTP521
|
||||
{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
|
||||
SSH_DIGEST_SHA512 },
|
||||
# endif
|
||||
#endif
|
||||
# endif /* OPENSSL_HAS_NISTP521 */
|
||||
#endif /* OPENSSL_HAS_ECC */
|
||||
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
#endif /* WITH_OPENSSL */
|
||||
#ifdef HAVE_EVP_SHA256
|
||||
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
#endif
|
||||
#endif /* HAVE_EVP_SHA256 */
|
||||
{ NULL, -1, -1, -1},
|
||||
};
|
||||
|
||||
@ -615,6 +619,7 @@ kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen,
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
void
|
||||
kex_derive_keys_bn(Kex *kex, u_char *hash, u_int hashlen, const BIGNUM *secret)
|
||||
{
|
||||
@ -626,6 +631,7 @@ kex_derive_keys_bn(Kex *kex, u_char *hash, u_int hashlen, const BIGNUM *secret)
|
||||
buffer_ptr(&shared_secret), buffer_len(&shared_secret));
|
||||
buffer_free(&shared_secret);
|
||||
}
|
||||
#endif
|
||||
|
||||
Newkeys *
|
||||
kex_get_newkeys(int mode)
|
||||
@ -637,6 +643,7 @@ kex_get_newkeys(int mode)
|
||||
return ret;
|
||||
}
|
||||
|
||||
#ifdef WITH_SSH1
|
||||
void
|
||||
derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
|
||||
u_int8_t cookie[8], u_int8_t id[16])
|
||||
@ -669,6 +676,7 @@ derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
|
||||
explicit_bzero(nbuf, sizeof(nbuf));
|
||||
explicit_bzero(obuf, sizeof(obuf));
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
|
||||
void
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kex.h,v 1.62 2014/01/27 18:58:14 markus Exp $ */
|
||||
/* $OpenBSD: kex.h,v 1.64 2014/05/02 03:27:54 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kexc25519.c,v 1.5 2014/01/31 16:39:19 tedu Exp $ */
|
||||
/* $OpenBSD: kexc25519.c,v 1.7 2014/05/02 03:27:54 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001, 2013 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2010 Damien Miller. All rights reserved.
|
||||
|
2864
crypto/openssh/key.c
2864
crypto/openssh/key.c
File diff suppressed because it is too large
Load Diff
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: key.h,v 1.41 2014/01/09 23:20:00 djm Exp $ */
|
||||
/* $OpenBSD: key.h,v 1.42 2014/06/24 01:13:21 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
@ -26,141 +26,86 @@
|
||||
#ifndef KEY_H
|
||||
#define KEY_H
|
||||
|
||||
#include "buffer.h"
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/dsa.h>
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
#include <openssl/ec.h>
|
||||
#include "sshkey.h"
|
||||
|
||||
typedef struct sshkey Key;
|
||||
|
||||
#define types sshkey_types
|
||||
#define fp_type sshkey_fp_type
|
||||
#define fp_rep sshkey_fp_rep
|
||||
|
||||
#ifndef SSH_KEY_NO_DEFINE
|
||||
#define key_new sshkey_new
|
||||
#define key_free sshkey_free
|
||||
#define key_equal_public sshkey_equal_public
|
||||
#define key_equal sshkey_equal
|
||||
#define key_fingerprint sshkey_fingerprint
|
||||
#define key_type sshkey_type
|
||||
#define key_cert_type sshkey_cert_type
|
||||
#define key_ssh_name sshkey_ssh_name
|
||||
#define key_ssh_name_plain sshkey_ssh_name_plain
|
||||
#define key_type_from_name sshkey_type_from_name
|
||||
#define key_ecdsa_nid_from_name sshkey_ecdsa_nid_from_name
|
||||
#define key_type_is_cert sshkey_type_is_cert
|
||||
#define key_size sshkey_size
|
||||
#define key_ecdsa_bits_to_nid sshkey_ecdsa_bits_to_nid
|
||||
#define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid
|
||||
#define key_names_valid2 sshkey_names_valid2
|
||||
#define key_is_cert sshkey_is_cert
|
||||
#define key_type_plain sshkey_type_plain
|
||||
#define key_cert_is_legacy sshkey_cert_is_legacy
|
||||
#define key_curve_name_to_nid sshkey_curve_name_to_nid
|
||||
#define key_curve_nid_to_bits sshkey_curve_nid_to_bits
|
||||
#define key_curve_nid_to_name sshkey_curve_nid_to_name
|
||||
#define key_ec_nid_to_hash_alg sshkey_ec_nid_to_hash_alg
|
||||
#define key_dump_ec_point sshkey_dump_ec_point
|
||||
#define key_dump_ec_key sshkey_dump_ec_key
|
||||
#define key_fingerprint sshkey_fingerprint
|
||||
#endif
|
||||
|
||||
typedef struct Key Key;
|
||||
enum types {
|
||||
KEY_RSA1,
|
||||
KEY_RSA,
|
||||
KEY_DSA,
|
||||
KEY_ECDSA,
|
||||
KEY_ED25519,
|
||||
KEY_RSA_CERT,
|
||||
KEY_DSA_CERT,
|
||||
KEY_ECDSA_CERT,
|
||||
KEY_ED25519_CERT,
|
||||
KEY_RSA_CERT_V00,
|
||||
KEY_DSA_CERT_V00,
|
||||
KEY_UNSPEC
|
||||
};
|
||||
enum fp_type {
|
||||
SSH_FP_SHA1,
|
||||
SSH_FP_MD5,
|
||||
SSH_FP_SHA256
|
||||
};
|
||||
enum fp_rep {
|
||||
SSH_FP_HEX,
|
||||
SSH_FP_BUBBLEBABBLE,
|
||||
SSH_FP_RANDOMART
|
||||
};
|
||||
|
||||
/* key is stored in external hardware */
|
||||
#define KEY_FLAG_EXT 0x0001
|
||||
|
||||
#define CERT_MAX_PRINCIPALS 256
|
||||
struct KeyCert {
|
||||
Buffer certblob; /* Kept around for use on wire */
|
||||
u_int type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */
|
||||
u_int64_t serial;
|
||||
char *key_id;
|
||||
u_int nprincipals;
|
||||
char **principals;
|
||||
u_int64_t valid_after, valid_before;
|
||||
Buffer critical;
|
||||
Buffer extensions;
|
||||
Key *signature_key;
|
||||
};
|
||||
|
||||
struct Key {
|
||||
int type;
|
||||
int flags;
|
||||
RSA *rsa;
|
||||
DSA *dsa;
|
||||
int ecdsa_nid; /* NID of curve */
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
EC_KEY *ecdsa;
|
||||
#else
|
||||
void *ecdsa;
|
||||
#endif
|
||||
struct KeyCert *cert;
|
||||
u_char *ed25519_sk;
|
||||
u_char *ed25519_pk;
|
||||
};
|
||||
|
||||
#define ED25519_SK_SZ crypto_sign_ed25519_SECRETKEYBYTES
|
||||
#define ED25519_PK_SZ crypto_sign_ed25519_PUBLICKEYBYTES
|
||||
|
||||
Key *key_new(int);
|
||||
void key_add_private(Key *);
|
||||
Key *key_new_private(int);
|
||||
void key_free(Key *);
|
||||
Key *key_demote(const Key *);
|
||||
int key_equal_public(const Key *, const Key *);
|
||||
int key_equal(const Key *, const Key *);
|
||||
char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
|
||||
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
|
||||
const char *key_type(const Key *);
|
||||
const char *key_cert_type(const Key *);
|
||||
int key_write(const Key *, FILE *);
|
||||
int key_read(Key *, char **);
|
||||
u_int key_size(const Key *);
|
||||
void key_add_private(Key *);
|
||||
Key *key_new_private(int);
|
||||
void key_free(Key *);
|
||||
Key *key_demote(const Key *);
|
||||
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
|
||||
int key_write(const Key *, FILE *);
|
||||
int key_read(Key *, char **);
|
||||
|
||||
Key *key_generate(int, u_int);
|
||||
Key *key_from_private(const Key *);
|
||||
int key_type_from_name(char *);
|
||||
int key_is_cert(const Key *);
|
||||
int key_type_is_cert(int);
|
||||
int key_type_plain(int);
|
||||
int key_to_certified(Key *, int);
|
||||
int key_drop_cert(Key *);
|
||||
int key_certify(Key *, Key *);
|
||||
void key_cert_copy(const Key *, struct Key *);
|
||||
void key_cert_copy(const Key *, Key *);
|
||||
int key_cert_check_authority(const Key *, int, int, const char *,
|
||||
const char **);
|
||||
int key_cert_is_legacy(const Key *);
|
||||
char *key_alg_list(int, int);
|
||||
|
||||
int key_ecdsa_nid_from_name(const char *);
|
||||
int key_curve_name_to_nid(const char *);
|
||||
const char *key_curve_nid_to_name(int);
|
||||
u_int key_curve_nid_to_bits(int);
|
||||
int key_ecdsa_bits_to_nid(int);
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
int key_ecdsa_key_to_nid(EC_KEY *);
|
||||
int key_ec_nid_to_hash_alg(int nid);
|
||||
int key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
|
||||
int key_ec_validate_private(const EC_KEY *);
|
||||
#endif
|
||||
char *key_alg_list(int, int);
|
||||
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
|
||||
int key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
|
||||
int key_ec_validate_private(const EC_KEY *);
|
||||
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
|
||||
|
||||
Key *key_from_blob(const u_char *, u_int);
|
||||
int key_to_blob(const Key *, u_char **, u_int *);
|
||||
const char *key_ssh_name(const Key *);
|
||||
const char *key_ssh_name_plain(const Key *);
|
||||
int key_names_valid2(const char *);
|
||||
Key *key_from_blob(const u_char *, u_int);
|
||||
int key_to_blob(const Key *, u_char **, u_int *);
|
||||
|
||||
int key_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
|
||||
int key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
|
||||
|
||||
int ssh_dss_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
|
||||
int ssh_dss_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
|
||||
int ssh_ecdsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
|
||||
int ssh_ecdsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
|
||||
int ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
|
||||
int ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
|
||||
int ssh_ed25519_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
|
||||
int ssh_ed25519_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
|
||||
void key_private_serialize(const Key *, struct sshbuf *);
|
||||
Key *key_private_deserialize(struct sshbuf *);
|
||||
|
||||
#if defined(OPENSSL_HAS_ECC) && (defined(DEBUG_KEXECDH) || defined(DEBUG_PK))
|
||||
void key_dump_ec_point(const EC_GROUP *, const EC_POINT *);
|
||||
void key_dump_ec_key(const EC_KEY *);
|
||||
#endif
|
||||
|
||||
void key_private_serialize(const Key *, Buffer *);
|
||||
Key *key_private_deserialize(Buffer *);
|
||||
/* authfile.c */
|
||||
int key_save_private(Key *, const char *, const char *, const char *,
|
||||
int, const char *, int);
|
||||
int key_load_file(int, const char *, struct sshbuf *);
|
||||
Key *key_load_cert(const char *);
|
||||
Key *key_load_public(const char *, char **);
|
||||
Key *key_load_private(const char *, const char *, char **);
|
||||
Key *key_load_private_cert(int, const char *, const char *, int *);
|
||||
Key *key_load_private_type(int, const char *, const char *, char **, int *);
|
||||
Key *key_load_private_pem(int, int, const char *, char **);
|
||||
int key_perm_ok(int, const char *);
|
||||
int key_in_file(Key *, const char *, int);
|
||||
|
||||
#endif
|
||||
|
@ -14,7 +14,7 @@
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $OpenBSD: krl.c,v 1.14 2014/01/31 16:39:19 tedu Exp $ */
|
||||
/* $OpenBSD: krl.c,v 1.17 2014/06/24 01:13:21 djm Exp $ */
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
@ -366,7 +366,7 @@ plain_key_blob(const Key *key, u_char **blob, u_int *blen)
|
||||
}
|
||||
r = key_to_blob(kcopy, blob, blen);
|
||||
free(kcopy);
|
||||
return r == 0 ? -1 : 0;
|
||||
return r;
|
||||
}
|
||||
|
||||
/* Revoke a key blob. Ownership of blob is transferred to the tree */
|
||||
@ -394,7 +394,7 @@ ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key)
|
||||
u_int len;
|
||||
|
||||
debug3("%s: revoke type %s", __func__, key_type(key));
|
||||
if (plain_key_blob(key, &blob, &len) != 0)
|
||||
if (plain_key_blob(key, &blob, &len) < 0)
|
||||
return -1;
|
||||
return revoke_blob(&krl->revoked_keys, blob, len);
|
||||
}
|
||||
@ -575,6 +575,7 @@ revoked_certs_generate(struct revoked_certs *rc, Buffer *buf)
|
||||
buffer_put_char(buf, state);
|
||||
buffer_put_string(buf,
|
||||
buffer_ptr(§), buffer_len(§));
|
||||
buffer_clear(§);
|
||||
}
|
||||
|
||||
/* If we are starting a new section then prepare it now */
|
||||
@ -753,7 +754,8 @@ static int
|
||||
parse_revoked_certs(Buffer *buf, struct ssh_krl *krl)
|
||||
{
|
||||
int ret = -1, nbits;
|
||||
u_char type, *blob;
|
||||
u_char type;
|
||||
const u_char *blob;
|
||||
u_int blen;
|
||||
Buffer subsect;
|
||||
u_int64_t serial, serial_lo, serial_hi;
|
||||
@ -887,7 +889,8 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
|
||||
char timestamp[64];
|
||||
int ret = -1, r, sig_seen;
|
||||
Key *key = NULL, **ca_used = NULL;
|
||||
u_char type, *blob, *rdata = NULL;
|
||||
u_char type, *rdata = NULL;
|
||||
const u_char *blob;
|
||||
u_int i, j, sig_off, sects_off, rlen, blen, format_version, nca_used;
|
||||
|
||||
nca_used = 0;
|
||||
@ -1127,7 +1130,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key)
|
||||
|
||||
/* Next, explicit keys */
|
||||
memset(&rb, 0, sizeof(rb));
|
||||
if (plain_key_blob(key, &rb.blob, &rb.len) != 0)
|
||||
if (plain_key_blob(key, &rb.blob, &rb.len) < 0)
|
||||
return -1;
|
||||
erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
|
||||
free(rb.blob);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: mac.c,v 1.28 2014/02/07 06:55:54 djm Exp $ */
|
||||
/* $OpenBSD: mac.c,v 1.30 2014/04/30 19:07:48 naddy Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -175,7 +175,8 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
|
||||
u_char m[EVP_MAX_MD_SIZE];
|
||||
u_int64_t for_align;
|
||||
} u;
|
||||
u_char b[4], nonce[8];
|
||||
u_char b[4];
|
||||
u_char nonce[8];
|
||||
|
||||
if (mac->mac_len > sizeof(u))
|
||||
fatal("mac_compute: mac too long %u %zu",
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: misc.c,v 1.92 2013/10/14 23:28:23 djm Exp $ */
|
||||
/* $OpenBSD: misc.c,v 1.94 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
|
||||
@ -30,6 +30,7 @@ __RCSID("$FreeBSD$");
|
||||
#include <sys/types.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/un.h>
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
@ -789,6 +790,20 @@ get_u32(const void *vp)
|
||||
return (v);
|
||||
}
|
||||
|
||||
u_int32_t
|
||||
get_u32_le(const void *vp)
|
||||
{
|
||||
const u_char *p = (const u_char *)vp;
|
||||
u_int32_t v;
|
||||
|
||||
v = (u_int32_t)p[0];
|
||||
v |= (u_int32_t)p[1] << 8;
|
||||
v |= (u_int32_t)p[2] << 16;
|
||||
v |= (u_int32_t)p[3] << 24;
|
||||
|
||||
return (v);
|
||||
}
|
||||
|
||||
u_int16_t
|
||||
get_u16(const void *vp)
|
||||
{
|
||||
@ -827,6 +842,16 @@ put_u32(void *vp, u_int32_t v)
|
||||
p[3] = (u_char)v & 0xff;
|
||||
}
|
||||
|
||||
void
|
||||
put_u32_le(void *vp, u_int32_t v)
|
||||
{
|
||||
u_char *p = (u_char *)vp;
|
||||
|
||||
p[0] = (u_char)v & 0xff;
|
||||
p[1] = (u_char)(v >> 8) & 0xff;
|
||||
p[2] = (u_char)(v >> 16) & 0xff;
|
||||
p[3] = (u_char)(v >> 24) & 0xff;
|
||||
}
|
||||
|
||||
void
|
||||
put_u16(void *vp, u_int16_t v)
|
||||
@ -859,17 +884,24 @@ ms_to_timeval(struct timeval *tv, int ms)
|
||||
time_t
|
||||
monotime(void)
|
||||
{
|
||||
#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC)
|
||||
#if defined(HAVE_CLOCK_GETTIME) && \
|
||||
(defined(CLOCK_MONOTONIC) || defined(CLOCK_BOOTTIME))
|
||||
struct timespec ts;
|
||||
static int gettime_failed = 0;
|
||||
|
||||
if (!gettime_failed) {
|
||||
#if defined(CLOCK_BOOTTIME)
|
||||
if (clock_gettime(CLOCK_BOOTTIME, &ts) == 0)
|
||||
return (ts.tv_sec);
|
||||
#endif
|
||||
#if defined(CLOCK_MONOTONIC)
|
||||
if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
|
||||
return (ts.tv_sec);
|
||||
#endif
|
||||
debug3("clock_gettime: %s", strerror(errno));
|
||||
gettime_failed = 1;
|
||||
}
|
||||
#endif
|
||||
#endif /* HAVE_CLOCK_GETTIME && (CLOCK_MONOTONIC || CLOCK_BOOTTIME */
|
||||
|
||||
return time(NULL);
|
||||
}
|
||||
@ -1026,6 +1058,53 @@ lowercase(char *s)
|
||||
for (; *s; s++)
|
||||
*s = tolower((u_char)*s);
|
||||
}
|
||||
|
||||
int
|
||||
unix_listener(const char *path, int backlog, int unlink_first)
|
||||
{
|
||||
struct sockaddr_un sunaddr;
|
||||
int saved_errno, sock;
|
||||
|
||||
memset(&sunaddr, 0, sizeof(sunaddr));
|
||||
sunaddr.sun_family = AF_UNIX;
|
||||
if (strlcpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path)) >= sizeof(sunaddr.sun_path)) {
|
||||
error("%s: \"%s\" too long for Unix domain socket", __func__,
|
||||
path);
|
||||
errno = ENAMETOOLONG;
|
||||
return -1;
|
||||
}
|
||||
|
||||
sock = socket(PF_UNIX, SOCK_STREAM, 0);
|
||||
if (sock < 0) {
|
||||
saved_errno = errno;
|
||||
error("socket: %.100s", strerror(errno));
|
||||
errno = saved_errno;
|
||||
return -1;
|
||||
}
|
||||
if (unlink_first == 1) {
|
||||
if (unlink(path) != 0 && errno != ENOENT)
|
||||
error("unlink(%s): %.100s", path, strerror(errno));
|
||||
}
|
||||
if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
|
||||
saved_errno = errno;
|
||||
error("bind: %.100s", strerror(errno));
|
||||
close(sock);
|
||||
error("%s: cannot bind to path: %s", __func__, path);
|
||||
errno = saved_errno;
|
||||
return -1;
|
||||
}
|
||||
if (listen(sock, backlog) < 0) {
|
||||
saved_errno = errno;
|
||||
error("listen: %.100s", strerror(errno));
|
||||
close(sock);
|
||||
unlink(path);
|
||||
error("%s: cannot listen on path: %s", __func__, path);
|
||||
errno = saved_errno;
|
||||
return -1;
|
||||
}
|
||||
return sock;
|
||||
}
|
||||
|
||||
void
|
||||
sock_set_v6only(int s)
|
||||
{
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: misc.h,v 1.50 2013/10/14 23:28:23 djm Exp $ */
|
||||
/* $OpenBSD: misc.h,v 1.54 2014/07/15 15:54:14 millert Exp $ */
|
||||
/* $FreeBSD$ */
|
||||
|
||||
/*
|
||||
@ -16,6 +16,25 @@
|
||||
#ifndef _MISC_H
|
||||
#define _MISC_H
|
||||
|
||||
/* Data structure for representing a forwarding request. */
|
||||
struct Forward {
|
||||
char *listen_host; /* Host (address) to listen on. */
|
||||
int listen_port; /* Port to forward. */
|
||||
char *listen_path; /* Path to bind domain socket. */
|
||||
char *connect_host; /* Host to connect. */
|
||||
int connect_port; /* Port to connect on connect_host. */
|
||||
char *connect_path; /* Path to connect domain socket. */
|
||||
int allocated_port; /* Dynamically allocated listen port */
|
||||
int handle; /* Handle for dynamic listen ports */
|
||||
};
|
||||
|
||||
/* Common server and client forwarding options. */
|
||||
struct ForwardOptions {
|
||||
int gateway_ports; /* Allow remote connects to forwarded ports. */
|
||||
mode_t streamlocal_bind_mask; /* umask for streamlocal binds */
|
||||
int streamlocal_bind_unlink; /* unlink socket before bind */
|
||||
};
|
||||
|
||||
/* misc.c */
|
||||
|
||||
char *chop(char *);
|
||||
@ -38,6 +57,7 @@ void ms_subtract_diff(struct timeval *, int *);
|
||||
void ms_to_timeval(struct timeval *, int);
|
||||
time_t monotime(void);
|
||||
void lowercase(char *s);
|
||||
int unix_listener(const char *, int, int);
|
||||
|
||||
void sock_set_v6only(int);
|
||||
|
||||
@ -69,6 +89,9 @@ int tun_open(int, int);
|
||||
#define SSH_TUNID_ERR (SSH_TUNID_ANY - 1)
|
||||
#define SSH_TUNID_MAX (SSH_TUNID_ANY - 2)
|
||||
|
||||
/* Fake port to indicate that host field is really a path. */
|
||||
#define PORT_STREAMLOCAL -2
|
||||
|
||||
/* Functions to extract or store big-endian words of various sizes */
|
||||
u_int64_t get_u64(const void *)
|
||||
__attribute__((__bounded__( __minbytes__, 1, 8)));
|
||||
@ -83,6 +106,12 @@ void put_u32(void *, u_int32_t)
|
||||
void put_u16(void *, u_int16_t)
|
||||
__attribute__((__bounded__( __minbytes__, 1, 2)));
|
||||
|
||||
/* Little-endian store/load, used by umac.c */
|
||||
u_int32_t get_u32_le(const void *)
|
||||
__attribute__((__bounded__(__minbytes__, 1, 4)));
|
||||
void put_u32_le(void *, u_int32_t)
|
||||
__attribute__((__bounded__(__minbytes__, 1, 4)));
|
||||
|
||||
struct bwlimit {
|
||||
size_t buflen;
|
||||
u_int64_t rate, thresh, lamt;
|
||||
|
@ -1,4 +1,4 @@
|
||||
MODULI(5) OpenBSD Programmer's Manual MODULI(5)
|
||||
MODULI(5) File Formats Manual MODULI(5)
|
||||
|
||||
NAME
|
||||
moduli - Diffie-Hellman moduli
|
||||
@ -71,4 +71,4 @@ STANDARDS
|
||||
the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006,
|
||||
2006.
|
||||
|
||||
OpenBSD 5.5 September 26, 2012 OpenBSD 5.5
|
||||
OpenBSD 5.6 September 26, 2012 OpenBSD 5.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: monitor.c,v 1.131 2014/02/02 03:44:31 djm Exp $ */
|
||||
/* $OpenBSD: monitor.c,v 1.135 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
@ -40,9 +40,10 @@
|
||||
#endif
|
||||
#include <pwd.h>
|
||||
#include <signal.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
#ifdef HAVE_POLL_H
|
||||
#include <poll.h>
|
||||
@ -56,7 +57,9 @@
|
||||
#include <skey.h>
|
||||
#endif
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/dh.h>
|
||||
#endif
|
||||
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
#include "atomicio.h"
|
||||
@ -84,6 +87,7 @@
|
||||
#include "sshlogin.h"
|
||||
#include "canohost.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "monitor.h"
|
||||
#include "monitor_mm.h"
|
||||
@ -92,7 +96,6 @@
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#include "monitor_fdpass.h"
|
||||
#include "misc.h"
|
||||
#include "compat.h"
|
||||
#include "ssh2.h"
|
||||
#include "roaming.h"
|
||||
@ -185,7 +188,10 @@ int mm_answer_audit_command(int, Buffer *);
|
||||
static int monitor_read_log(struct monitor *);
|
||||
|
||||
static Authctxt *authctxt;
|
||||
|
||||
#ifdef WITH_SSH1
|
||||
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
|
||||
#endif
|
||||
|
||||
/* local state for key verify */
|
||||
static u_char *key_blob = NULL;
|
||||
@ -215,7 +221,9 @@ struct mon_table {
|
||||
#define MON_PERMIT 0x1000 /* Request is permitted */
|
||||
|
||||
struct mon_table mon_dispatch_proto20[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
{MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
|
||||
#endif
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
@ -252,7 +260,9 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
};
|
||||
|
||||
struct mon_table mon_dispatch_postauth20[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
|
||||
#endif
|
||||
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
|
||||
{MONITOR_REQ_PTY, 0, mm_answer_pty},
|
||||
{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
|
||||
@ -265,6 +275,7 @@ struct mon_table mon_dispatch_postauth20[] = {
|
||||
};
|
||||
|
||||
struct mon_table mon_dispatch_proto15[] = {
|
||||
#ifdef WITH_SSH1
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
|
||||
{MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
|
||||
@ -292,10 +303,12 @@ struct mon_table mon_dispatch_proto15[] = {
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
#endif
|
||||
#endif /* WITH_SSH1 */
|
||||
{0, 0, NULL}
|
||||
};
|
||||
|
||||
struct mon_table mon_dispatch_postauth15[] = {
|
||||
#ifdef WITH_SSH1
|
||||
{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
|
||||
{MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
|
||||
{MONITOR_REQ_TERM, 0, mm_answer_term},
|
||||
@ -303,6 +316,7 @@ struct mon_table mon_dispatch_postauth15[] = {
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
|
||||
#endif
|
||||
#endif /* WITH_SSH1 */
|
||||
{0, 0, NULL}
|
||||
};
|
||||
|
||||
@ -457,6 +471,9 @@ monitor_child_postauth(struct monitor *pmonitor)
|
||||
signal(SIGHUP, &monitor_child_handler);
|
||||
signal(SIGTERM, &monitor_child_handler);
|
||||
signal(SIGINT, &monitor_child_handler);
|
||||
#ifdef SIGXFSZ
|
||||
signal(SIGXFSZ, SIG_IGN);
|
||||
#endif
|
||||
|
||||
if (compat20) {
|
||||
mon_dispatch = mon_dispatch_postauth20;
|
||||
@ -630,6 +647,7 @@ monitor_reset_key_state(void)
|
||||
hostbased_chost = NULL;
|
||||
}
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
int
|
||||
mm_answer_moduli(int sock, Buffer *m)
|
||||
{
|
||||
@ -664,6 +682,7 @@ mm_answer_moduli(int sock, Buffer *m)
|
||||
mm_request_send(sock, MONITOR_ANS_MODULI, m);
|
||||
return (0);
|
||||
}
|
||||
#endif
|
||||
|
||||
extern AuthenticationConnection *auth_conn;
|
||||
|
||||
@ -1166,6 +1185,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
|
||||
cuser, chost);
|
||||
auth_method = "hostbased";
|
||||
break;
|
||||
#ifdef WITH_SSH1
|
||||
case MM_RSAHOSTKEY:
|
||||
key->type = KEY_RSA1; /* XXX */
|
||||
allowed = options.rhosts_rsa_authentication &&
|
||||
@ -1175,6 +1195,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
|
||||
auth_clear_options();
|
||||
auth_method = "rsa";
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
fatal("%s: unknown key type %d", __func__, type);
|
||||
break;
|
||||
@ -1511,6 +1532,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m)
|
||||
return (0);
|
||||
}
|
||||
|
||||
#ifdef WITH_SSH1
|
||||
int
|
||||
mm_answer_sesskey(int sock, Buffer *m)
|
||||
{
|
||||
@ -1688,6 +1710,7 @@ mm_answer_rsa_response(int sock, Buffer *m)
|
||||
|
||||
return (success);
|
||||
}
|
||||
#endif
|
||||
|
||||
int
|
||||
mm_answer_term(int sock, Buffer *req)
|
||||
@ -1792,6 +1815,8 @@ monitor_apply_keystate(struct monitor *pmonitor)
|
||||
if (options.compression)
|
||||
mm_init_compression(pmonitor->m_zlib);
|
||||
|
||||
packet_set_postauth();
|
||||
|
||||
if (options.rekey_limit || options.rekey_interval)
|
||||
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
|
||||
(time_t)options.rekey_interval);
|
||||
@ -1828,11 +1853,13 @@ mm_get_kex(Buffer *m)
|
||||
timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0)
|
||||
fatal("mm_get_get: internal error: bad session id");
|
||||
kex->we_need = buffer_get_int(m);
|
||||
#ifdef WITH_OPENSSL
|
||||
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
|
||||
kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
|
||||
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
|
||||
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
||||
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
||||
#endif
|
||||
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
|
||||
kex->server = 1;
|
||||
kex->hostkey_type = buffer_get_int(m);
|
||||
|
@ -34,12 +34,17 @@
|
||||
#endif
|
||||
|
||||
#include <errno.h>
|
||||
#ifdef HAVE_POLL_H
|
||||
#include <poll.h>
|
||||
#endif
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#ifdef HAVE_POLL_H
|
||||
# include <poll.h>
|
||||
#else
|
||||
# ifdef HAVE_SYS_POLL_H
|
||||
# include <sys/poll.h>
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#include "log.h"
|
||||
#include "monitor_fdpass.h"
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: monitor_wrap.c,v 1.79 2014/02/02 03:44:31 djm Exp $ */
|
||||
/* $OpenBSD: monitor_wrap.c,v 1.80 2014/04/29 18:01:49 markus Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
@ -38,14 +38,18 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/evp.h>
|
||||
#endif
|
||||
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#ifdef WITH_OPENSSL
|
||||
#include "dh.h"
|
||||
#endif
|
||||
#include "buffer.h"
|
||||
#include "key.h"
|
||||
#include "cipher.h"
|
||||
@ -174,6 +178,7 @@ mm_request_receive_expect(int sock, enum monitor_reqtype type, Buffer *m)
|
||||
rtype, type);
|
||||
}
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
DH *
|
||||
mm_choose_dh(int min, int nbits, int max)
|
||||
{
|
||||
@ -207,6 +212,7 @@ mm_choose_dh(int min, int nbits, int max)
|
||||
|
||||
return (dh_new_group(g, p));
|
||||
}
|
||||
#endif
|
||||
|
||||
int
|
||||
mm_key_sign(Key *key, u_char **sigp, u_int *lenp, u_char *data, u_int datalen)
|
||||
@ -911,6 +917,7 @@ mm_terminate(void)
|
||||
buffer_free(&m);
|
||||
}
|
||||
|
||||
#ifdef WITH_SSH1
|
||||
int
|
||||
mm_ssh1_session_key(BIGNUM *num)
|
||||
{
|
||||
@ -930,6 +937,7 @@ mm_ssh1_session_key(BIGNUM *num)
|
||||
|
||||
return (rsafail);
|
||||
}
|
||||
#endif
|
||||
|
||||
static void
|
||||
mm_chall_setup(char **name, char **infotxt, u_int *numprompts,
|
||||
@ -1077,6 +1085,7 @@ mm_ssh1_session_id(u_char session_id[16])
|
||||
buffer_free(&m);
|
||||
}
|
||||
|
||||
#ifdef WITH_SSH1
|
||||
int
|
||||
mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
|
||||
{
|
||||
@ -1172,6 +1181,7 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
|
||||
|
||||
return (success);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
void
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: mux.c,v 1.44 2013/07/12 00:19:58 djm Exp $ */
|
||||
/* $OpenBSD: mux.c,v 1.48 2014/07/17 07:22:19 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
|
||||
*
|
||||
@ -106,6 +106,11 @@ struct mux_session_confirm_ctx {
|
||||
u_int rid;
|
||||
};
|
||||
|
||||
/* Context for stdio fwd open confirmation callback */
|
||||
struct mux_stdio_confirm_ctx {
|
||||
u_int rid;
|
||||
};
|
||||
|
||||
/* Context for global channel callback */
|
||||
struct mux_channel_confirm_ctx {
|
||||
u_int cid; /* channel id */
|
||||
@ -158,6 +163,7 @@ struct mux_master_state {
|
||||
#define MUX_FWD_DYNAMIC 3
|
||||
|
||||
static void mux_session_confirm(int, int, void *);
|
||||
static void mux_stdio_confirm(int, int, void *);
|
||||
|
||||
static int process_mux_master_hello(u_int, Channel *, Buffer *, Buffer *);
|
||||
static int process_mux_new_session(u_int, Channel *, Buffer *, Buffer *);
|
||||
@ -510,29 +516,33 @@ process_mux_terminate(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
}
|
||||
|
||||
static char *
|
||||
format_forward(u_int ftype, Forward *fwd)
|
||||
format_forward(u_int ftype, struct Forward *fwd)
|
||||
{
|
||||
char *ret;
|
||||
|
||||
switch (ftype) {
|
||||
case MUX_FWD_LOCAL:
|
||||
xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d",
|
||||
(fwd->listen_path != NULL) ? fwd->listen_path :
|
||||
(fwd->listen_host == NULL) ?
|
||||
(options.gateway_ports ? "*" : "LOCALHOST") :
|
||||
(options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
|
||||
fwd->listen_host, fwd->listen_port,
|
||||
(fwd->connect_path != NULL) ? fwd->connect_path :
|
||||
fwd->connect_host, fwd->connect_port);
|
||||
break;
|
||||
case MUX_FWD_DYNAMIC:
|
||||
xasprintf(&ret, "dynamic forward %.200s:%d -> *",
|
||||
(fwd->listen_host == NULL) ?
|
||||
(options.gateway_ports ? "*" : "LOCALHOST") :
|
||||
(options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
|
||||
fwd->listen_host, fwd->listen_port);
|
||||
break;
|
||||
case MUX_FWD_REMOTE:
|
||||
xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d",
|
||||
(fwd->listen_path != NULL) ? fwd->listen_path :
|
||||
(fwd->listen_host == NULL) ?
|
||||
"LOCALHOST" : fwd->listen_host,
|
||||
fwd->listen_port,
|
||||
(fwd->connect_path != NULL) ? fwd->connect_path :
|
||||
fwd->connect_host, fwd->connect_port);
|
||||
break;
|
||||
default:
|
||||
@ -552,14 +562,18 @@ compare_host(const char *a, const char *b)
|
||||
}
|
||||
|
||||
static int
|
||||
compare_forward(Forward *a, Forward *b)
|
||||
compare_forward(struct Forward *a, struct Forward *b)
|
||||
{
|
||||
if (!compare_host(a->listen_host, b->listen_host))
|
||||
return 0;
|
||||
if (!compare_host(a->listen_path, b->listen_path))
|
||||
return 0;
|
||||
if (a->listen_port != b->listen_port)
|
||||
return 0;
|
||||
if (!compare_host(a->connect_host, b->connect_host))
|
||||
return 0;
|
||||
if (!compare_host(a->connect_path, b->connect_path))
|
||||
return 0;
|
||||
if (a->connect_port != b->connect_port)
|
||||
return 0;
|
||||
|
||||
@ -571,7 +585,7 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
struct mux_channel_confirm_ctx *fctx = ctxt;
|
||||
char *failmsg = NULL;
|
||||
Forward *rfwd;
|
||||
struct Forward *rfwd;
|
||||
Channel *c;
|
||||
Buffer out;
|
||||
|
||||
@ -588,7 +602,8 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
|
||||
rfwd = &options.remote_forwards[fctx->fid];
|
||||
debug("%s: %s for: listen %d, connect %s:%d", __func__,
|
||||
type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
|
||||
rfwd->listen_port, rfwd->connect_host, rfwd->connect_port);
|
||||
rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path :
|
||||
rfwd->connect_host, rfwd->connect_port);
|
||||
if (type == SSH2_MSG_REQUEST_SUCCESS) {
|
||||
if (rfwd->listen_port == 0) {
|
||||
rfwd->allocated_port = packet_get_int();
|
||||
@ -608,8 +623,12 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
|
||||
} else {
|
||||
if (rfwd->listen_port == 0)
|
||||
channel_update_permitted_opens(rfwd->handle, -1);
|
||||
xasprintf(&failmsg, "remote port forwarding failed for "
|
||||
"listen port %d", rfwd->listen_port);
|
||||
if (rfwd->listen_path != NULL)
|
||||
xasprintf(&failmsg, "remote port forwarding failed for "
|
||||
"listen path %s", rfwd->listen_path);
|
||||
else
|
||||
xasprintf(&failmsg, "remote port forwarding failed for "
|
||||
"listen port %d", rfwd->listen_port);
|
||||
}
|
||||
fail:
|
||||
error("%s: %s", __func__, failmsg);
|
||||
@ -628,34 +647,45 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
|
||||
static int
|
||||
process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
{
|
||||
Forward fwd;
|
||||
struct Forward fwd;
|
||||
char *fwd_desc = NULL;
|
||||
char *listen_addr, *connect_addr;
|
||||
u_int ftype;
|
||||
u_int lport, cport;
|
||||
int i, ret = 0, freefwd = 1;
|
||||
|
||||
memset(&fwd, 0, sizeof(fwd));
|
||||
|
||||
/* XXX - lport/cport check redundant */
|
||||
if (buffer_get_int_ret(&ftype, m) != 0 ||
|
||||
(fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
|
||||
(listen_addr = buffer_get_string_ret(m, NULL)) == NULL ||
|
||||
buffer_get_int_ret(&lport, m) != 0 ||
|
||||
(fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL ||
|
||||
(connect_addr = buffer_get_string_ret(m, NULL)) == NULL ||
|
||||
buffer_get_int_ret(&cport, m) != 0 ||
|
||||
lport > 65535 || cport > 65535) {
|
||||
(lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
|
||||
(cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
|
||||
error("%s: malformed message", __func__);
|
||||
ret = -1;
|
||||
goto out;
|
||||
}
|
||||
if (*listen_addr == '\0') {
|
||||
free(listen_addr);
|
||||
listen_addr = NULL;
|
||||
}
|
||||
if (*connect_addr == '\0') {
|
||||
free(connect_addr);
|
||||
connect_addr = NULL;
|
||||
}
|
||||
|
||||
memset(&fwd, 0, sizeof(fwd));
|
||||
fwd.listen_port = lport;
|
||||
if (fwd.listen_port == PORT_STREAMLOCAL)
|
||||
fwd.listen_path = listen_addr;
|
||||
else
|
||||
fwd.listen_host = listen_addr;
|
||||
fwd.connect_port = cport;
|
||||
if (*fwd.listen_host == '\0') {
|
||||
free(fwd.listen_host);
|
||||
fwd.listen_host = NULL;
|
||||
}
|
||||
if (*fwd.connect_host == '\0') {
|
||||
free(fwd.connect_host);
|
||||
fwd.connect_host = NULL;
|
||||
}
|
||||
if (fwd.connect_port == PORT_STREAMLOCAL)
|
||||
fwd.connect_path = connect_addr;
|
||||
else
|
||||
fwd.connect_host = connect_addr;
|
||||
|
||||
debug2("%s: channel %d: request %s", __func__, c->self,
|
||||
(fwd_desc = format_forward(ftype, &fwd)));
|
||||
@ -664,25 +694,30 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
ftype != MUX_FWD_DYNAMIC) {
|
||||
logit("%s: invalid forwarding type %u", __func__, ftype);
|
||||
invalid:
|
||||
free(fwd.listen_host);
|
||||
free(fwd.connect_host);
|
||||
free(listen_addr);
|
||||
free(connect_addr);
|
||||
buffer_put_int(r, MUX_S_FAILURE);
|
||||
buffer_put_int(r, rid);
|
||||
buffer_put_cstring(r, "Invalid forwarding request");
|
||||
return 0;
|
||||
}
|
||||
if (fwd.listen_port >= 65536) {
|
||||
if (ftype == MUX_FWD_DYNAMIC && fwd.listen_path) {
|
||||
logit("%s: streamlocal and dynamic forwards "
|
||||
"are mutually exclusive", __func__);
|
||||
goto invalid;
|
||||
}
|
||||
if (fwd.listen_port != PORT_STREAMLOCAL && fwd.listen_port >= 65536) {
|
||||
logit("%s: invalid listen port %u", __func__,
|
||||
fwd.listen_port);
|
||||
goto invalid;
|
||||
}
|
||||
if (fwd.connect_port >= 65536 || (ftype != MUX_FWD_DYNAMIC &&
|
||||
ftype != MUX_FWD_REMOTE && fwd.connect_port == 0)) {
|
||||
if ((fwd.connect_port != PORT_STREAMLOCAL && fwd.connect_port >= 65536)
|
||||
|| (ftype != MUX_FWD_DYNAMIC && ftype != MUX_FWD_REMOTE && fwd.connect_port == 0)) {
|
||||
logit("%s: invalid connect port %u", __func__,
|
||||
fwd.connect_port);
|
||||
goto invalid;
|
||||
}
|
||||
if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL) {
|
||||
if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL && fwd.connect_path == NULL) {
|
||||
logit("%s: missing connect host", __func__);
|
||||
goto invalid;
|
||||
}
|
||||
@ -733,9 +768,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
}
|
||||
|
||||
if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) {
|
||||
if (!channel_setup_local_fwd_listener(fwd.listen_host,
|
||||
fwd.listen_port, fwd.connect_host, fwd.connect_port,
|
||||
options.gateway_ports)) {
|
||||
if (!channel_setup_local_fwd_listener(&fwd,
|
||||
&options.fwd_opts)) {
|
||||
fail:
|
||||
logit("slave-requested %s failed", fwd_desc);
|
||||
buffer_put_int(r, MUX_S_FAILURE);
|
||||
@ -748,8 +782,7 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
} else {
|
||||
struct mux_channel_confirm_ctx *fctx;
|
||||
|
||||
fwd.handle = channel_request_remote_forwarding(fwd.listen_host,
|
||||
fwd.listen_port, fwd.connect_host, fwd.connect_port);
|
||||
fwd.handle = channel_request_remote_forwarding(&fwd);
|
||||
if (fwd.handle < 0)
|
||||
goto fail;
|
||||
add_remote_forward(&options, &fwd);
|
||||
@ -770,7 +803,9 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
free(fwd_desc);
|
||||
if (freefwd) {
|
||||
free(fwd.listen_host);
|
||||
free(fwd.listen_path);
|
||||
free(fwd.connect_host);
|
||||
free(fwd.connect_path);
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
@ -778,37 +813,47 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
static int
|
||||
process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
{
|
||||
Forward fwd, *found_fwd;
|
||||
struct Forward fwd, *found_fwd;
|
||||
char *fwd_desc = NULL;
|
||||
const char *error_reason = NULL;
|
||||
char *listen_addr = NULL, *connect_addr = NULL;
|
||||
u_int ftype;
|
||||
int i, listen_port, ret = 0;
|
||||
int i, ret = 0;
|
||||
u_int lport, cport;
|
||||
|
||||
memset(&fwd, 0, sizeof(fwd));
|
||||
|
||||
if (buffer_get_int_ret(&ftype, m) != 0 ||
|
||||
(fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
|
||||
(listen_addr = buffer_get_string_ret(m, NULL)) == NULL ||
|
||||
buffer_get_int_ret(&lport, m) != 0 ||
|
||||
(fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL ||
|
||||
(connect_addr = buffer_get_string_ret(m, NULL)) == NULL ||
|
||||
buffer_get_int_ret(&cport, m) != 0 ||
|
||||
lport > 65535 || cport > 65535) {
|
||||
(lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
|
||||
(cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
|
||||
error("%s: malformed message", __func__);
|
||||
ret = -1;
|
||||
goto out;
|
||||
}
|
||||
fwd.listen_port = lport;
|
||||
fwd.connect_port = cport;
|
||||
|
||||
if (*fwd.listen_host == '\0') {
|
||||
free(fwd.listen_host);
|
||||
fwd.listen_host = NULL;
|
||||
if (*listen_addr == '\0') {
|
||||
free(listen_addr);
|
||||
listen_addr = NULL;
|
||||
}
|
||||
if (*fwd.connect_host == '\0') {
|
||||
free(fwd.connect_host);
|
||||
fwd.connect_host = NULL;
|
||||
if (*connect_addr == '\0') {
|
||||
free(connect_addr);
|
||||
connect_addr = NULL;
|
||||
}
|
||||
|
||||
memset(&fwd, 0, sizeof(fwd));
|
||||
fwd.listen_port = lport;
|
||||
if (fwd.listen_port == PORT_STREAMLOCAL)
|
||||
fwd.listen_path = listen_addr;
|
||||
else
|
||||
fwd.listen_host = listen_addr;
|
||||
fwd.connect_port = cport;
|
||||
if (fwd.connect_port == PORT_STREAMLOCAL)
|
||||
fwd.connect_path = connect_addr;
|
||||
else
|
||||
fwd.connect_host = connect_addr;
|
||||
|
||||
debug2("%s: channel %d: request cancel %s", __func__, c->self,
|
||||
(fwd_desc = format_forward(ftype, &fwd)));
|
||||
|
||||
@ -843,18 +888,14 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
* This shouldn't fail unless we confused the host/port
|
||||
* between options.remote_forwards and permitted_opens.
|
||||
* However, for dynamic allocated listen ports we need
|
||||
* to lookup the actual listen port.
|
||||
* to use the actual listen port.
|
||||
*/
|
||||
listen_port = (fwd.listen_port == 0) ?
|
||||
found_fwd->allocated_port : fwd.listen_port;
|
||||
if (channel_request_rforward_cancel(fwd.listen_host,
|
||||
listen_port) == -1)
|
||||
if (channel_request_rforward_cancel(found_fwd) == -1)
|
||||
error_reason = "port not in permitted opens";
|
||||
} else { /* local and dynamic forwards */
|
||||
/* Ditto */
|
||||
if (channel_cancel_lport_listener(fwd.listen_host,
|
||||
fwd.listen_port, fwd.connect_port,
|
||||
options.gateway_ports) == -1)
|
||||
if (channel_cancel_lport_listener(&fwd, fwd.connect_port,
|
||||
&options.fwd_opts) == -1)
|
||||
error_reason = "port not found";
|
||||
}
|
||||
|
||||
@ -863,8 +904,11 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
buffer_put_int(r, rid);
|
||||
|
||||
free(found_fwd->listen_host);
|
||||
free(found_fwd->listen_path);
|
||||
free(found_fwd->connect_host);
|
||||
free(found_fwd->connect_path);
|
||||
found_fwd->listen_host = found_fwd->connect_host = NULL;
|
||||
found_fwd->listen_path = found_fwd->connect_path = NULL;
|
||||
found_fwd->listen_port = found_fwd->connect_port = 0;
|
||||
} else {
|
||||
buffer_put_int(r, MUX_S_FAILURE);
|
||||
@ -873,8 +917,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
}
|
||||
out:
|
||||
free(fwd_desc);
|
||||
free(fwd.listen_host);
|
||||
free(fwd.connect_host);
|
||||
free(listen_addr);
|
||||
free(connect_addr);
|
||||
|
||||
return ret;
|
||||
}
|
||||
@ -886,6 +930,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
char *reserved, *chost;
|
||||
u_int cport, i, j;
|
||||
int new_fd[2];
|
||||
struct mux_stdio_confirm_ctx *cctx;
|
||||
|
||||
chost = reserved = NULL;
|
||||
if ((reserved = buffer_get_string_ret(m, NULL)) == NULL ||
|
||||
@ -965,15 +1010,60 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
|
||||
channel_register_cleanup(nc->self, mux_master_session_cleanup_cb, 1);
|
||||
|
||||
/* prepare reply */
|
||||
/* XXX defer until channel confirmed */
|
||||
buffer_put_int(r, MUX_S_SESSION_OPENED);
|
||||
buffer_put_int(r, rid);
|
||||
buffer_put_int(r, nc->self);
|
||||
cctx = xcalloc(1, sizeof(*cctx));
|
||||
cctx->rid = rid;
|
||||
channel_register_open_confirm(nc->self, mux_stdio_confirm, cctx);
|
||||
c->mux_pause = 1; /* stop handling messages until open_confirm done */
|
||||
|
||||
/* reply is deferred, sent by mux_session_confirm */
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Callback on open confirmation in mux master for a mux stdio fwd session. */
|
||||
static void
|
||||
mux_stdio_confirm(int id, int success, void *arg)
|
||||
{
|
||||
struct mux_stdio_confirm_ctx *cctx = arg;
|
||||
Channel *c, *cc;
|
||||
Buffer reply;
|
||||
|
||||
if (cctx == NULL)
|
||||
fatal("%s: cctx == NULL", __func__);
|
||||
if ((c = channel_by_id(id)) == NULL)
|
||||
fatal("%s: no channel for id %d", __func__, id);
|
||||
if ((cc = channel_by_id(c->ctl_chan)) == NULL)
|
||||
fatal("%s: channel %d lacks control channel %d", __func__,
|
||||
id, c->ctl_chan);
|
||||
|
||||
if (!success) {
|
||||
debug3("%s: sending failure reply", __func__);
|
||||
/* prepare reply */
|
||||
buffer_init(&reply);
|
||||
buffer_put_int(&reply, MUX_S_FAILURE);
|
||||
buffer_put_int(&reply, cctx->rid);
|
||||
buffer_put_cstring(&reply, "Session open refused by peer");
|
||||
goto done;
|
||||
}
|
||||
|
||||
debug3("%s: sending success reply", __func__);
|
||||
/* prepare reply */
|
||||
buffer_init(&reply);
|
||||
buffer_put_int(&reply, MUX_S_SESSION_OPENED);
|
||||
buffer_put_int(&reply, cctx->rid);
|
||||
buffer_put_int(&reply, c->self);
|
||||
|
||||
done:
|
||||
/* Send reply */
|
||||
buffer_put_string(&cc->output, buffer_ptr(&reply), buffer_len(&reply));
|
||||
buffer_free(&reply);
|
||||
|
||||
if (cc->mux_pause <= 0)
|
||||
fatal("%s: mux_pause %d", __func__, cc->mux_pause);
|
||||
cc->mux_pause = 0; /* start processing messages again */
|
||||
c->open_confirm_ctx = NULL;
|
||||
free(cctx);
|
||||
}
|
||||
|
||||
static int
|
||||
process_mux_stop_listening(u_int rid, Channel *c, Buffer *m, Buffer *r)
|
||||
{
|
||||
@ -1013,7 +1103,7 @@ mux_master_read_cb(Channel *c)
|
||||
{
|
||||
struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
|
||||
Buffer in, out;
|
||||
void *ptr;
|
||||
const u_char *ptr;
|
||||
u_int type, rid, have, i;
|
||||
int ret = -1;
|
||||
|
||||
@ -1136,12 +1226,11 @@ mux_tty_alloc_failed(Channel *c)
|
||||
void
|
||||
muxserver_listen(void)
|
||||
{
|
||||
struct sockaddr_un addr;
|
||||
socklen_t sun_len;
|
||||
mode_t old_umask;
|
||||
char *orig_control_path = options.control_path;
|
||||
char rbuf[16+1];
|
||||
u_int i, r;
|
||||
int oerrno;
|
||||
|
||||
if (options.control_path == NULL ||
|
||||
options.control_master == SSHCTL_MASTER_NO)
|
||||
@ -1166,24 +1255,12 @@ muxserver_listen(void)
|
||||
xasprintf(&options.control_path, "%s.%s", orig_control_path, rbuf);
|
||||
debug3("%s: temporary control path %s", __func__, options.control_path);
|
||||
|
||||
memset(&addr, '\0', sizeof(addr));
|
||||
addr.sun_family = AF_UNIX;
|
||||
sun_len = offsetof(struct sockaddr_un, sun_path) +
|
||||
strlen(options.control_path) + 1;
|
||||
|
||||
if (strlcpy(addr.sun_path, options.control_path,
|
||||
sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
|
||||
error("ControlPath \"%s\" too long for Unix domain socket",
|
||||
options.control_path);
|
||||
goto disable_mux_master;
|
||||
}
|
||||
|
||||
if ((muxserver_sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
|
||||
fatal("%s socket(): %s", __func__, strerror(errno));
|
||||
|
||||
old_umask = umask(0177);
|
||||
if (bind(muxserver_sock, (struct sockaddr *)&addr, sun_len) == -1) {
|
||||
if (errno == EINVAL || errno == EADDRINUSE) {
|
||||
muxserver_sock = unix_listener(options.control_path, 64, 0);
|
||||
oerrno = errno;
|
||||
umask(old_umask);
|
||||
if (muxserver_sock < 0) {
|
||||
if (oerrno == EINVAL || oerrno == EADDRINUSE) {
|
||||
error("ControlSocket %s already exists, "
|
||||
"disabling multiplexing", options.control_path);
|
||||
disable_mux_master:
|
||||
@ -1196,13 +1273,11 @@ muxserver_listen(void)
|
||||
options.control_path = NULL;
|
||||
options.control_master = SSHCTL_MASTER_NO;
|
||||
return;
|
||||
} else
|
||||
fatal("%s bind(): %s", __func__, strerror(errno));
|
||||
} else {
|
||||
/* unix_listener() logs the error */
|
||||
cleanup_exit(255);
|
||||
}
|
||||
}
|
||||
umask(old_umask);
|
||||
|
||||
if (listen(muxserver_sock, 64) == -1)
|
||||
fatal("%s listen(): %s", __func__, strerror(errno));
|
||||
|
||||
/* Now atomically "move" the mux socket into position */
|
||||
if (link(options.control_path, orig_control_path) != 0) {
|
||||
@ -1432,7 +1507,7 @@ mux_client_read_packet(int fd, Buffer *m)
|
||||
{
|
||||
Buffer queue;
|
||||
u_int need, have;
|
||||
void *ptr;
|
||||
const u_char *ptr;
|
||||
int oerrno;
|
||||
|
||||
buffer_init(&queue);
|
||||
@ -1596,7 +1671,7 @@ mux_client_request_terminate(int fd)
|
||||
}
|
||||
|
||||
static int
|
||||
mux_client_forward(int fd, int cancel_flag, u_int ftype, Forward *fwd)
|
||||
mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd)
|
||||
{
|
||||
Buffer m;
|
||||
char *e, *fwd_desc;
|
||||
@ -1611,11 +1686,19 @@ mux_client_forward(int fd, int cancel_flag, u_int ftype, Forward *fwd)
|
||||
buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD);
|
||||
buffer_put_int(&m, muxclient_request_id);
|
||||
buffer_put_int(&m, ftype);
|
||||
buffer_put_cstring(&m,
|
||||
fwd->listen_host == NULL ? "" : fwd->listen_host);
|
||||
if (fwd->listen_path != NULL) {
|
||||
buffer_put_cstring(&m, fwd->listen_path);
|
||||
} else {
|
||||
buffer_put_cstring(&m,
|
||||
fwd->listen_host == NULL ? "" : fwd->listen_host);
|
||||
}
|
||||
buffer_put_int(&m, fwd->listen_port);
|
||||
buffer_put_cstring(&m,
|
||||
fwd->connect_host == NULL ? "" : fwd->connect_host);
|
||||
if (fwd->connect_path != NULL) {
|
||||
buffer_put_cstring(&m, fwd->connect_path);
|
||||
} else {
|
||||
buffer_put_cstring(&m,
|
||||
fwd->connect_host == NULL ? "" : fwd->connect_host);
|
||||
}
|
||||
buffer_put_int(&m, fwd->connect_port);
|
||||
|
||||
if (mux_client_write_packet(fd, &m) != 0)
|
||||
@ -1925,7 +2008,7 @@ mux_client_request_stdio_fwd(int fd)
|
||||
case MUX_S_FAILURE:
|
||||
e = buffer_get_string(&m, NULL);
|
||||
buffer_free(&m);
|
||||
fatal("%s: stdio forwarding request failed: %s", __func__, e);
|
||||
fatal("Stdio forwarding request failed: %s", e);
|
||||
default:
|
||||
buffer_free(&m);
|
||||
error("%s: unexpected response from master 0x%08x",
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: myproposal.h,v 1.35 2013/12/06 13:39:49 markus Exp $ */
|
||||
/* $OpenBSD: myproposal.h,v 1.41 2014/07/11 13:54:34 tedu Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
@ -69,23 +69,28 @@
|
||||
#ifdef HAVE_EVP_SHA256
|
||||
# define KEX_SHA256_METHODS \
|
||||
"diffie-hellman-group-exchange-sha256,"
|
||||
#define KEX_CURVE25519_METHODS \
|
||||
"curve25519-sha256@libssh.org,"
|
||||
#define SHA2_HMAC_MODES \
|
||||
"hmac-sha2-256," \
|
||||
"hmac-sha2-512,"
|
||||
#else
|
||||
# define KEX_SHA256_METHODS
|
||||
# define KEX_CURVE25519_METHODS
|
||||
# define SHA2_HMAC_MODES
|
||||
#endif
|
||||
|
||||
# define KEX_DEFAULT_KEX \
|
||||
#ifdef WITH_OPENSSL
|
||||
# ifdef HAVE_EVP_SHA256
|
||||
# define KEX_CURVE25519_METHODS "curve25519-sha256@libssh.org,"
|
||||
# else
|
||||
# define KEX_CURVE25519_METHODS ""
|
||||
# endif
|
||||
#define KEX_SERVER_KEX \
|
||||
KEX_CURVE25519_METHODS \
|
||||
KEX_ECDH_METHODS \
|
||||
KEX_SHA256_METHODS \
|
||||
"diffie-hellman-group14-sha1"
|
||||
|
||||
#define KEX_CLIENT_KEX KEX_SERVER_KEX "," \
|
||||
"diffie-hellman-group-exchange-sha1," \
|
||||
"diffie-hellman-group14-sha1," \
|
||||
"diffie-hellman-group1-sha1"
|
||||
|
||||
#define KEX_DEFAULT_PK_ALG \
|
||||
@ -102,47 +107,91 @@
|
||||
|
||||
/* the actual algorithms */
|
||||
|
||||
#define KEX_DEFAULT_ENCRYPT \
|
||||
#define KEX_SERVER_ENCRYPT \
|
||||
"aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||
"arcfour256,arcfour128," \
|
||||
AESGCM_CIPHER_MODES \
|
||||
"chacha20-poly1305@openssh.com," \
|
||||
"chacha20-poly1305@openssh.com"
|
||||
|
||||
#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
|
||||
"arcfour256,arcfour128," \
|
||||
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
|
||||
"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
|
||||
|
||||
#define KEX_DEFAULT_MAC \
|
||||
"hmac-md5-etm@openssh.com," \
|
||||
"hmac-sha1-etm@openssh.com," \
|
||||
#define KEX_SERVER_MAC \
|
||||
"umac-64-etm@openssh.com," \
|
||||
"umac-128-etm@openssh.com," \
|
||||
"hmac-sha2-256-etm@openssh.com," \
|
||||
"hmac-sha2-512-etm@openssh.com," \
|
||||
"hmac-sha1-etm@openssh.com," \
|
||||
"umac-64@openssh.com," \
|
||||
"umac-128@openssh.com," \
|
||||
"hmac-sha2-256," \
|
||||
"hmac-sha2-512," \
|
||||
"hmac-sha1"
|
||||
|
||||
#define KEX_CLIENT_MAC KEX_SERVER_MAC "," \
|
||||
"hmac-md5-etm@openssh.com," \
|
||||
"hmac-ripemd160-etm@openssh.com," \
|
||||
"hmac-sha1-96-etm@openssh.com," \
|
||||
"hmac-md5-96-etm@openssh.com," \
|
||||
"hmac-md5," \
|
||||
"hmac-sha1," \
|
||||
"umac-64@openssh.com," \
|
||||
"umac-128@openssh.com," \
|
||||
SHA2_HMAC_MODES \
|
||||
"hmac-ripemd160," \
|
||||
"hmac-ripemd160@openssh.com," \
|
||||
"hmac-sha1-96," \
|
||||
"hmac-md5-96"
|
||||
|
||||
#else
|
||||
|
||||
#define KEX_SERVER_KEX \
|
||||
"curve25519-sha256@libssh.org"
|
||||
#define KEX_DEFAULT_PK_ALG \
|
||||
"ssh-ed25519-cert-v01@openssh.com," \
|
||||
"ssh-ed25519"
|
||||
#define KEX_SERVER_ENCRYPT \
|
||||
"aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||
"chacha20-poly1305@openssh.com"
|
||||
#define KEX_SERVER_MAC \
|
||||
"umac-64-etm@openssh.com," \
|
||||
"umac-128-etm@openssh.com," \
|
||||
"hmac-sha2-256-etm@openssh.com," \
|
||||
"hmac-sha2-512-etm@openssh.com," \
|
||||
"hmac-sha1-etm@openssh.com," \
|
||||
"umac-64@openssh.com," \
|
||||
"umac-128@openssh.com," \
|
||||
"hmac-sha2-256," \
|
||||
"hmac-sha2-512," \
|
||||
"hmac-sha1"
|
||||
|
||||
#define KEX_CLIENT_KEX KEX_SERVER_KEX
|
||||
#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
|
||||
#define KEX_CLIENT_MAC KEX_SERVER_MAC
|
||||
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
||||
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
|
||||
#define KEX_DEFAULT_LANG ""
|
||||
|
||||
|
||||
static char *myproposal[PROPOSAL_MAX] = {
|
||||
KEX_DEFAULT_KEX,
|
||||
KEX_DEFAULT_PK_ALG,
|
||||
KEX_DEFAULT_ENCRYPT,
|
||||
KEX_DEFAULT_ENCRYPT,
|
||||
KEX_DEFAULT_MAC,
|
||||
KEX_DEFAULT_MAC,
|
||||
KEX_DEFAULT_COMP,
|
||||
KEX_DEFAULT_COMP,
|
||||
KEX_DEFAULT_LANG,
|
||||
#define KEX_CLIENT \
|
||||
KEX_CLIENT_KEX, \
|
||||
KEX_DEFAULT_PK_ALG, \
|
||||
KEX_CLIENT_ENCRYPT, \
|
||||
KEX_CLIENT_ENCRYPT, \
|
||||
KEX_CLIENT_MAC, \
|
||||
KEX_CLIENT_MAC, \
|
||||
KEX_DEFAULT_COMP, \
|
||||
KEX_DEFAULT_COMP, \
|
||||
KEX_DEFAULT_LANG, \
|
||||
KEX_DEFAULT_LANG
|
||||
};
|
||||
|
||||
#define KEX_SERVER \
|
||||
KEX_SERVER_KEX, \
|
||||
KEX_DEFAULT_PK_ALG, \
|
||||
KEX_SERVER_ENCRYPT, \
|
||||
KEX_SERVER_ENCRYPT, \
|
||||
KEX_SERVER_MAC, \
|
||||
KEX_SERVER_MAC, \
|
||||
KEX_DEFAULT_COMP, \
|
||||
KEX_DEFAULT_COMP, \
|
||||
KEX_DEFAULT_LANG, \
|
||||
KEX_DEFAULT_LANG
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $Id: Makefile.in,v 1.55 2014/02/04 00:37:50 djm Exp $
|
||||
# $Id: Makefile.in,v 1.56 2014/09/30 23:43:08 djm Exp $
|
||||
|
||||
sysconfdir=@sysconfdir@
|
||||
piddir=@piddir@
|
||||
@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
|
||||
|
||||
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
|
||||
|
||||
|
@ -87,7 +87,7 @@ _rs_stir(void)
|
||||
_rs_init(rnd, sizeof(rnd));
|
||||
} else
|
||||
_rs_rekey(rnd, sizeof(rnd));
|
||||
memset(rnd, 0, sizeof(rnd));
|
||||
explicit_bzero(rnd, sizeof(rnd));
|
||||
|
||||
/* invalidate rs_buf */
|
||||
rs_have = 0;
|
||||
@ -229,7 +229,7 @@ arc4random_buf(void *_buf, size_t n)
|
||||
buf[i] = r & 0xff;
|
||||
r >>= 8;
|
||||
}
|
||||
i = r = 0;
|
||||
explicit_bzero(&r, sizeof(r));
|
||||
}
|
||||
#endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */
|
||||
|
||||
|
@ -57,6 +57,22 @@ check_ntsec(const char *filename)
|
||||
return (pathconf(filename, _PC_POSIX_PERMISSIONS));
|
||||
}
|
||||
|
||||
const char *
|
||||
cygwin_ssh_privsep_user()
|
||||
{
|
||||
static char cyg_privsep_user[DNLEN + UNLEN + 2];
|
||||
|
||||
if (!cyg_privsep_user[0])
|
||||
{
|
||||
#ifdef CW_CYGNAME_FROM_WINNAME
|
||||
if (cygwin_internal (CW_CYGNAME_FROM_WINNAME, "sshd", cyg_privsep_user,
|
||||
sizeof cyg_privsep_user) != 0)
|
||||
#endif
|
||||
strcpy (cyg_privsep_user, "sshd");
|
||||
}
|
||||
return cyg_privsep_user;
|
||||
}
|
||||
|
||||
#define NL(x) x, (sizeof (x) - 1)
|
||||
#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0]))
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: bsd-cygwin_util.h,v 1.17 2014/01/18 10:04:00 dtucker Exp $ */
|
||||
/* $Id: bsd-cygwin_util.h,v 1.18 2014/05/27 04:34:43 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com>
|
||||
@ -39,6 +39,8 @@
|
||||
/* Avoid including windows headers. */
|
||||
typedef void *HANDLE;
|
||||
#define INVALID_HANDLE_VALUE ((HANDLE) -1)
|
||||
#define DNLEN 16
|
||||
#define UNLEN 256
|
||||
|
||||
/* Cygwin functions for which declarations are only available when including
|
||||
windows headers, so we have to define them here explicitely. */
|
||||
@ -48,6 +50,8 @@ extern void cygwin_set_impersonation_token (const HANDLE);
|
||||
#include <sys/cygwin.h>
|
||||
#include <io.h>
|
||||
|
||||
#define CYGWIN_SSH_PRIVSEP_USER (cygwin_ssh_privsep_user())
|
||||
const char *cygwin_ssh_privsep_user();
|
||||
|
||||
int binary_open(const char *, int , ...);
|
||||
int check_ntsec(const char *);
|
||||
|
@ -538,7 +538,7 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
|
||||
}
|
||||
while (*value && (cnt < max)) {
|
||||
DOPR_OUTCH(buffer, *currlen, maxlen, *value);
|
||||
*value++;
|
||||
value++;
|
||||
++cnt;
|
||||
}
|
||||
while ((padlen < 0) && (cnt < max)) {
|
||||
@ -553,7 +553,7 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
|
||||
|
||||
static int
|
||||
fmtint(char *buffer, size_t *currlen, size_t maxlen,
|
||||
LLONG value, int base, int min, int max, int flags)
|
||||
intmax_t value, int base, int min, int max, int flags)
|
||||
{
|
||||
int signvalue = 0;
|
||||
unsigned LLONG uvalue;
|
||||
|
@ -7,14 +7,34 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifndef HAVE_EXPLICIT_BZERO
|
||||
|
||||
/*
|
||||
* explicit_bzero - don't let the compiler optimize away bzero
|
||||
*/
|
||||
|
||||
#ifndef HAVE_EXPLICIT_BZERO
|
||||
|
||||
#ifdef HAVE_MEMSET_S
|
||||
|
||||
void
|
||||
explicit_bzero(void *p, size_t n)
|
||||
{
|
||||
bzero(p, n);
|
||||
(void)memset_s(p, n, 0, n);
|
||||
}
|
||||
#endif
|
||||
|
||||
#else /* HAVE_MEMSET_S */
|
||||
|
||||
/*
|
||||
* Indirect bzero through a volatile pointer to hopefully avoid
|
||||
* dead-store optimisation eliminating the call.
|
||||
*/
|
||||
static void (* volatile ssh_bzero)(void *, size_t) = bzero;
|
||||
|
||||
void
|
||||
explicit_bzero(void *p, size_t n)
|
||||
{
|
||||
ssh_bzero(p, n);
|
||||
}
|
||||
|
||||
#endif /* HAVE_MEMSET_S */
|
||||
|
||||
#endif /* HAVE_EXPLICIT_BZERO */
|
||||
|
28
crypto/openssh/openbsd-compat/kludge-fd_set.c
Normal file
28
crypto/openssh/openbsd-compat/kludge-fd_set.c
Normal file
@ -0,0 +1,28 @@
|
||||
/* Placed in the public domain. */
|
||||
|
||||
/*
|
||||
* _FORTIFY_SOURCE includes a misguided check for FD_SET(n)/FD_ISSET(b)
|
||||
* where n > FD_SETSIZE. This breaks OpenSSH and other programs that
|
||||
* explicitly allocate fd_sets. To avoid this, we wrap FD_SET in a
|
||||
* function compiled without _FORTIFY_SOURCE.
|
||||
*/
|
||||
|
||||
#include "config.h"
|
||||
|
||||
#if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE)
|
||||
# include <features.h>
|
||||
# if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ)
|
||||
# if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0)
|
||||
# undef _FORTIFY_SOURCE
|
||||
# undef __USE_FORTIFY_LEVEL
|
||||
# include <sys/socket.h>
|
||||
void kludge_FD_SET(int n, fd_set *set) {
|
||||
FD_SET(n, set);
|
||||
}
|
||||
int kludge_FD_ISSET(int n, fd_set *set) {
|
||||
return FD_ISSET(n, set);
|
||||
}
|
||||
# endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */
|
||||
# endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */
|
||||
#endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: openbsd-compat.h,v 1.61 2014/02/04 00:18:23 djm Exp $ */
|
||||
/* $Id: openbsd-compat.h,v 1.62 2014/09/30 23:43:08 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1999-2003 Damien Miller. All rights reserved.
|
||||
@ -268,4 +268,20 @@ char *shadow_pw(struct passwd *pw);
|
||||
#include "port-tun.h"
|
||||
#include "port-uw.h"
|
||||
|
||||
/* _FORTIFY_SOURCE breaks FD_ISSET(n)/FD_SET(n) for n > FD_SETSIZE. Avoid. */
|
||||
#if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE)
|
||||
# include <features.h>
|
||||
# if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ)
|
||||
# if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0)
|
||||
# include <sys/socket.h> /* Ensure include guard is defined */
|
||||
# undef FD_SET
|
||||
# undef FD_ISSET
|
||||
# define FD_SET(n, set) kludge_FD_SET(n, set)
|
||||
# define FD_ISSET(n, set) kludge_FD_ISSET(n, set)
|
||||
void kludge_FD_SET(int, fd_set *);
|
||||
int kludge_FD_ISSET(int, fd_set *);
|
||||
# endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */
|
||||
# endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */
|
||||
#endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */
|
||||
|
||||
#endif /* _OPENBSD_COMPAT_H */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: openssl-compat.c,v 1.17 2014/02/13 05:38:33 dtucker Exp $ */
|
||||
/* $Id: openssl-compat.c,v 1.19 2014/07/02 05:28:07 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
|
||||
@ -16,6 +16,7 @@
|
||||
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
|
||||
#include "includes.h"
|
||||
|
||||
#include <stdarg.h>
|
||||
@ -26,148 +27,45 @@
|
||||
# include <openssl/conf.h>
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_RSA_GET_DEFAULT_METHOD
|
||||
# include <openssl/rsa.h>
|
||||
#endif
|
||||
|
||||
#include "log.h"
|
||||
|
||||
#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
|
||||
#include "openssl-compat.h"
|
||||
|
||||
#ifdef SSH_OLD_EVP
|
||||
int
|
||||
ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type,
|
||||
unsigned char *key, unsigned char *iv, int enc)
|
||||
{
|
||||
EVP_CipherInit(evp, type, key, iv, enc);
|
||||
return 1;
|
||||
}
|
||||
/*
|
||||
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
|
||||
* We match major, minor, fix and status (not patch) for <1.0.0.
|
||||
* After that, we acceptable compatible fix versions (so we
|
||||
* allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
|
||||
* within a patch series.
|
||||
*/
|
||||
|
||||
int
|
||||
ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len)
|
||||
ssh_compatible_openssl(long headerver, long libver)
|
||||
{
|
||||
EVP_Cipher(evp, dst, src, len);
|
||||
return 1;
|
||||
long mask, hfix, lfix;
|
||||
|
||||
/* exact match is always OK */
|
||||
if (headerver == libver)
|
||||
return 1;
|
||||
|
||||
/* for versions < 1.0.0, major,minor,fix,status must match */
|
||||
if (headerver < 0x1000000f) {
|
||||
mask = 0xfffff00fL; /* major,minor,fix,status */
|
||||
return (headerver & mask) == (libver & mask);
|
||||
}
|
||||
|
||||
/*
|
||||
* For versions >= 1.0.0, major,minor,status must match and library
|
||||
* fix version must be equal to or newer than the header.
|
||||
*/
|
||||
mask = 0xfff0000fL; /* major,minor,status */
|
||||
hfix = (headerver & 0x000ff000) >> 12;
|
||||
lfix = (libver & 0x000ff000) >> 12;
|
||||
if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
|
||||
{
|
||||
EVP_CIPHER_CTX_cleanup(evp);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_EVP_DIGESTINIT_EX
|
||||
int
|
||||
EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine)
|
||||
{
|
||||
if (engine != NULL)
|
||||
fatal("%s: ENGINE is not supported", __func__);
|
||||
# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
|
||||
EVP_DigestInit(ctx, md);
|
||||
return 1;
|
||||
# else
|
||||
return EVP_DigestInit(ctx, md);
|
||||
# endif
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_EVP_DIGESTFINAL_EX
|
||||
int
|
||||
EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s)
|
||||
{
|
||||
# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
|
||||
EVP_DigestFinal(ctx, md, s);
|
||||
return 1;
|
||||
# else
|
||||
return EVP_DigestFinal(ctx, md, s);
|
||||
# endif
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
|
||||
int
|
||||
ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt)
|
||||
{
|
||||
EVP_DigestUpdate(ctx, d, cnt);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_EVP_MD_CTX_COPY_EX
|
||||
int
|
||||
EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
|
||||
{
|
||||
return EVP_MD_CTX_copy(out, in);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_BN_IS_PRIME_EX
|
||||
int
|
||||
BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, void *cb)
|
||||
{
|
||||
if (cb != NULL)
|
||||
fatal("%s: callback args not supported", __func__);
|
||||
return BN_is_prime(p, nchecks, NULL, ctx, NULL);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_RSA_GENERATE_KEY_EX
|
||||
int
|
||||
RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *bn_e, void *cb)
|
||||
{
|
||||
RSA *new_rsa, tmp_rsa;
|
||||
unsigned long e;
|
||||
|
||||
if (cb != NULL)
|
||||
fatal("%s: callback args not supported", __func__);
|
||||
e = BN_get_word(bn_e);
|
||||
if (e == 0xffffffffL)
|
||||
fatal("%s: value of e too large", __func__);
|
||||
new_rsa = RSA_generate_key(bits, e, NULL, NULL);
|
||||
if (new_rsa == NULL)
|
||||
return 0;
|
||||
/* swap rsa/new_rsa then free new_rsa */
|
||||
tmp_rsa = *rsa;
|
||||
*rsa = *new_rsa;
|
||||
*new_rsa = tmp_rsa;
|
||||
RSA_free(new_rsa);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_DSA_GENERATE_PARAMETERS_EX
|
||||
int
|
||||
DSA_generate_parameters_ex(DSA *dsa, int bits, const unsigned char *seed,
|
||||
int seed_len, int *counter_ret, unsigned long *h_ret, void *cb)
|
||||
{
|
||||
DSA *new_dsa, tmp_dsa;
|
||||
|
||||
if (cb != NULL)
|
||||
fatal("%s: callback args not supported", __func__);
|
||||
new_dsa = DSA_generate_parameters(bits, (unsigned char *)seed, seed_len,
|
||||
counter_ret, h_ret, NULL, NULL);
|
||||
if (new_dsa == NULL)
|
||||
return 0;
|
||||
/* swap dsa/new_dsa then free new_dsa */
|
||||
tmp_dsa = *dsa;
|
||||
*dsa = *new_dsa;
|
||||
*new_dsa = tmp_dsa;
|
||||
DSA_free(new_dsa);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_RSA_GET_DEFAULT_METHOD
|
||||
RSA_METHOD *
|
||||
RSA_get_default_method(void)
|
||||
{
|
||||
return RSA_PKCS1_SSLeay();
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef USE_OPENSSL_ENGINE
|
||||
void
|
||||
ssh_OpenSSL_add_all_algorithms(void)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: openssl-compat.h,v 1.26 2014/02/13 05:38:33 dtucker Exp $ */
|
||||
/* $Id: openssl-compat.h,v 1.31 2014/08/29 18:18:29 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
|
||||
@ -16,28 +16,19 @@
|
||||
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#ifndef _OPENSSL_COMPAT_H
|
||||
#define _OPENSSL_COMPAT_H
|
||||
|
||||
#include "includes.h"
|
||||
#include <openssl/opensslv.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/dsa.h>
|
||||
|
||||
/* Only in 0.9.8 */
|
||||
#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
|
||||
# define OPENSSL_DSA_MAX_MODULUS_BITS 10000
|
||||
#endif
|
||||
#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
|
||||
# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
|
||||
#endif
|
||||
int ssh_compatible_openssl(long, long);
|
||||
|
||||
/* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */
|
||||
#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f)
|
||||
# define OPENSSL_free(x) Free(x)
|
||||
#endif
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x00906000L
|
||||
# define SSH_OLD_EVP
|
||||
# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
|
||||
#if (OPENSSL_VERSION_NUMBER <= 0x0090805fL)
|
||||
# error OpenSSL 0.9.8f or greater is required
|
||||
#endif
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10000001L
|
||||
@ -46,27 +37,17 @@
|
||||
# define LIBCRYPTO_EVP_INL_TYPE size_t
|
||||
#endif
|
||||
|
||||
#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES)
|
||||
# define USE_BUILTIN_RIJNDAEL
|
||||
#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
|
||||
# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
|
||||
#endif
|
||||
|
||||
#ifdef USE_BUILTIN_RIJNDAEL
|
||||
# include "rijndael.h"
|
||||
# define AES_KEY rijndael_ctx
|
||||
# define AES_BLOCK_SIZE 16
|
||||
# define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b)
|
||||
# define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1)
|
||||
# define EVP_aes_128_cbc evp_rijndael
|
||||
# define EVP_aes_192_cbc evp_rijndael
|
||||
# define EVP_aes_256_cbc evp_rijndael
|
||||
const EVP_CIPHER *evp_rijndael(void);
|
||||
void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
|
||||
#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
|
||||
# define OPENSSL_DSA_MAX_MODULUS_BITS 10000
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_HAVE_EVPCTR
|
||||
#define EVP_aes_128_ctr evp_aes_128_ctr
|
||||
#define EVP_aes_192_ctr evp_aes_128_ctr
|
||||
#define EVP_aes_256_ctr evp_aes_128_ctr
|
||||
# define EVP_aes_128_ctr evp_aes_128_ctr
|
||||
# define EVP_aes_192_ctr evp_aes_128_ctr
|
||||
# define EVP_aes_256_ctr evp_aes_128_ctr
|
||||
const EVP_CIPHER *evp_aes_128_ctr(void);
|
||||
void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
|
||||
#endif
|
||||
@ -88,26 +69,9 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x00907000L
|
||||
#define EVP_X_STATE(evp) &(evp).c
|
||||
#define EVP_X_STATE_LEN(evp) sizeof((evp).c)
|
||||
#else
|
||||
#define EVP_X_STATE(evp) (evp).cipher_data
|
||||
#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
|
||||
#endif
|
||||
|
||||
/* OpenSSL 0.9.8e returns cipher key len not context key len */
|
||||
#if (OPENSSL_VERSION_NUMBER == 0x0090805fL)
|
||||
# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_RSA_GET_DEFAULT_METHOD
|
||||
RSA_METHOD *RSA_get_default_method(void);
|
||||
#endif
|
||||
|
||||
/*
|
||||
* We overload some of the OpenSSL crypto functions with ssh_* equivalents
|
||||
* which cater for older and/or less featureful OpenSSL version.
|
||||
* to automatically handle OpenSSL engine initialisation.
|
||||
*
|
||||
* In order for the compat library to call the real functions, it must
|
||||
* define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
|
||||
@ -115,19 +79,6 @@ RSA_METHOD *RSA_get_default_method(void);
|
||||
*/
|
||||
#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
|
||||
|
||||
# ifdef SSH_OLD_EVP
|
||||
# ifdef EVP_Cipher
|
||||
# undef EVP_Cipher
|
||||
# endif
|
||||
# define EVP_CipherInit(a,b,c,d,e) ssh_EVP_CipherInit((a),(b),(c),(d),(e))
|
||||
# define EVP_Cipher(a,b,c,d) ssh_EVP_Cipher((a),(b),(c),(d))
|
||||
# define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a))
|
||||
# endif /* SSH_OLD_EVP */
|
||||
|
||||
# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
|
||||
# define EVP_DigestUpdate(a,b,c) ssh_EVP_DigestUpdate((a),(b),(c))
|
||||
# endif
|
||||
|
||||
# ifdef USE_OPENSSL_ENGINE
|
||||
# ifdef OpenSSL_add_all_algorithms
|
||||
# undef OpenSSL_add_all_algorithms
|
||||
@ -135,48 +86,8 @@ RSA_METHOD *RSA_get_default_method(void);
|
||||
# define OpenSSL_add_all_algorithms() ssh_OpenSSL_add_all_algorithms()
|
||||
# endif
|
||||
|
||||
# ifndef HAVE_BN_IS_PRIME_EX
|
||||
int BN_is_prime_ex(const BIGNUM *, int, BN_CTX *, void *);
|
||||
# endif
|
||||
|
||||
# ifndef HAVE_DSA_GENERATE_PARAMETERS_EX
|
||||
int DSA_generate_parameters_ex(DSA *, int, const unsigned char *, int, int *,
|
||||
unsigned long *, void *);
|
||||
# endif
|
||||
|
||||
# ifndef HAVE_RSA_GENERATE_KEY_EX
|
||||
int RSA_generate_key_ex(RSA *, int, BIGNUM *, void *);
|
||||
# endif
|
||||
|
||||
# ifndef HAVE_EVP_DIGESTINIT_EX
|
||||
int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, void *);
|
||||
# endif
|
||||
|
||||
# ifndef HAVE_EVP_DISESTFINAL_EX
|
||||
int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *);
|
||||
# endif
|
||||
|
||||
# ifndef EVP_MD_CTX_COPY_EX
|
||||
int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *);
|
||||
# endif
|
||||
|
||||
int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
|
||||
unsigned char *, int);
|
||||
int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
|
||||
int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
|
||||
void ssh_OpenSSL_add_all_algorithms(void);
|
||||
|
||||
# ifndef HAVE_HMAC_CTX_INIT
|
||||
# define HMAC_CTX_init(a)
|
||||
# endif
|
||||
|
||||
# ifndef HAVE_EVP_MD_CTX_INIT
|
||||
# define EVP_MD_CTX_init(a)
|
||||
# endif
|
||||
|
||||
# ifndef HAVE_EVP_MD_CTX_CLEANUP
|
||||
# define EVP_MD_CTX_cleanup(a)
|
||||
# endif
|
||||
|
||||
#endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
|
||||
|
||||
#endif /* _OPENSSL_COMPAT_H */
|
||||
|
@ -42,6 +42,7 @@
|
||||
#include "key.h"
|
||||
#include "auth-options.h"
|
||||
#include "log.h"
|
||||
#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
#include "servconf.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $
|
||||
# $Id: Makefile.in,v 1.5 2014/06/17 13:06:08 dtucker Exp $
|
||||
|
||||
sysconfdir=@sysconfdir@
|
||||
piddir=@piddir@
|
||||
@ -16,11 +16,11 @@ LIBS=@LIBS@
|
||||
LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
|
||||
|
||||
TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
|
||||
strtonumtest$(EXEEXT)
|
||||
strtonumtest$(EXEEXT) opensslvertest$(EXEEXT)
|
||||
|
||||
all: t-exec ${OTHERTESTS}
|
||||
|
||||
%$(EXEEXT): %.c
|
||||
%$(EXEEXT): %.c $(LIBCOMPAT)
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS)
|
||||
|
||||
t-exec: $(TESTPROGS)
|
||||
|
69
crypto/openssh/openbsd-compat/regress/opensslvertest.c
Normal file
69
crypto/openssh/openbsd-compat/regress/opensslvertest.c
Normal file
@ -0,0 +1,69 @@
|
||||
/*
|
||||
* Copyright (c) 2014 Darren Tucker
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
int ssh_compatible_openssl(long, long);
|
||||
|
||||
struct version_test {
|
||||
long headerver;
|
||||
long libver;
|
||||
int result;
|
||||
} version_tests[] = {
|
||||
/* built with 0.9.8b release headers */
|
||||
{ 0x0090802fL, 0x0090802fL, 1}, /* exact match */
|
||||
{ 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */
|
||||
{ 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */
|
||||
{ 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */
|
||||
{ 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */
|
||||
{ 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */
|
||||
{ 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */
|
||||
|
||||
/* built with 1.0.1b release headers */
|
||||
{ 0x1000101fL, 0x1000101fL, 1},/* exact match */
|
||||
{ 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */
|
||||
{ 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
|
||||
{ 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
|
||||
{ 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */
|
||||
{ 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */
|
||||
{ 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */
|
||||
{ 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */
|
||||
};
|
||||
|
||||
void
|
||||
fail(long hver, long lver, int result)
|
||||
{
|
||||
fprintf(stderr, "opensslver: header %lx library %lx != %d \n", hver, lver, result);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int
|
||||
main(void)
|
||||
{
|
||||
unsigned int i;
|
||||
int res;
|
||||
long hver, lver;
|
||||
|
||||
for (i = 0; i < sizeof(version_tests) / sizeof(version_tests[0]); i++) {
|
||||
hver = version_tests[i].headerver;
|
||||
lver = version_tests[i].libver;
|
||||
res = version_tests[i].result;
|
||||
if (ssh_compatible_openssl(hver, lver) != res)
|
||||
fail(hver, lver, res);
|
||||
}
|
||||
exit(0);
|
||||
}
|
@ -21,6 +21,7 @@ HOST_KEY_RSA1=$sysconfdir/ssh_host_key
|
||||
HOST_KEY_DSA=$sysconfdir/ssh_host_dsa_key
|
||||
HOST_KEY_RSA=$sysconfdir/ssh_host_rsa_key
|
||||
@COMMENT_OUT_ECC@HOST_KEY_ECDSA=$sysconfdir/ssh_host_ecdsa_key
|
||||
HOST_KEY_ED25519=$sysconfdir/ssh_host_ed25519_key
|
||||
|
||||
|
||||
checkkeys() {
|
||||
@ -36,6 +37,9 @@ checkkeys() {
|
||||
@COMMENT_OUT_ECC@ if [ ! -f $HOST_KEY_ECDSA ]; then
|
||||
@COMMENT_OUT_ECC@ ${SSH_KEYGEN} -t ecdsa -f ${HOST_KEY_ECDSA} -N ""
|
||||
@COMMENT_OUT_ECC@ fi
|
||||
if [ ! -f $HOST_KEY_ED25519 ]; then
|
||||
${SSH_KEYGEN} -t ed25519 -f ${HOST_KEY_ED25519} -N ""
|
||||
fi
|
||||
}
|
||||
|
||||
stop_service() {
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: packet.c,v 1.192 2014/02/02 03:44:31 djm Exp $ */
|
||||
/* $OpenBSD: packet.c,v 1.198 2014/07/15 15:54:14 millert Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -67,7 +67,6 @@ __RCSID("$FreeBSD$");
|
||||
#include "crc32.h"
|
||||
#include "compress.h"
|
||||
#include "deattack.h"
|
||||
#include "channels.h"
|
||||
#include "compat.h"
|
||||
#include "ssh1.h"
|
||||
#include "ssh2.h"
|
||||
@ -78,7 +77,9 @@ __RCSID("$FreeBSD$");
|
||||
#include "log.h"
|
||||
#include "canohost.h"
|
||||
#include "misc.h"
|
||||
#include "channels.h"
|
||||
#include "ssh.h"
|
||||
#include "ssherr.h"
|
||||
#include "roaming.h"
|
||||
|
||||
#ifdef PACKET_DEBUG
|
||||
@ -223,6 +224,7 @@ void
|
||||
packet_set_connection(int fd_in, int fd_out)
|
||||
{
|
||||
const Cipher *none = cipher_by_name("none");
|
||||
int r;
|
||||
|
||||
if (none == NULL)
|
||||
fatal("packet_set_connection: cannot load cipher 'none'");
|
||||
@ -230,10 +232,11 @@ packet_set_connection(int fd_in, int fd_out)
|
||||
active_state = alloc_session_state();
|
||||
active_state->connection_in = fd_in;
|
||||
active_state->connection_out = fd_out;
|
||||
cipher_init(&active_state->send_context, none, (const u_char *)"",
|
||||
0, NULL, 0, CIPHER_ENCRYPT);
|
||||
cipher_init(&active_state->receive_context, none, (const u_char *)"",
|
||||
0, NULL, 0, CIPHER_DECRYPT);
|
||||
if ((r = cipher_init(&active_state->send_context, none,
|
||||
(const u_char *)"", 0, NULL, 0, CIPHER_ENCRYPT)) != 0 ||
|
||||
(r = cipher_init(&active_state->receive_context, none,
|
||||
(const u_char *)"", 0, NULL, 0, CIPHER_DECRYPT)) != 0)
|
||||
fatal("%s: cipher_init: %s", __func__, ssh_err(r));
|
||||
active_state->newkeys[MODE_IN] = active_state->newkeys[MODE_OUT] = NULL;
|
||||
if (!active_state->initialized) {
|
||||
active_state->initialized = 1;
|
||||
@ -330,13 +333,15 @@ void
|
||||
packet_get_keyiv(int mode, u_char *iv, u_int len)
|
||||
{
|
||||
CipherContext *cc;
|
||||
int r;
|
||||
|
||||
if (mode == MODE_OUT)
|
||||
cc = &active_state->send_context;
|
||||
else
|
||||
cc = &active_state->receive_context;
|
||||
|
||||
cipher_get_keyiv(cc, iv, len);
|
||||
if ((r = cipher_get_keyiv(cc, iv, len)) != 0)
|
||||
fatal("%s: cipher_get_keyiv: %s", __func__, ssh_err(r));
|
||||
}
|
||||
|
||||
int
|
||||
@ -382,13 +387,15 @@ void
|
||||
packet_set_iv(int mode, u_char *dat)
|
||||
{
|
||||
CipherContext *cc;
|
||||
int r;
|
||||
|
||||
if (mode == MODE_OUT)
|
||||
cc = &active_state->send_context;
|
||||
else
|
||||
cc = &active_state->receive_context;
|
||||
|
||||
cipher_set_keyiv(cc, dat);
|
||||
if ((r = cipher_set_keyiv(cc, dat)) != 0)
|
||||
fatal("%s: cipher_set_keyiv: %s", __func__, ssh_err(r));
|
||||
}
|
||||
|
||||
int
|
||||
@ -553,6 +560,7 @@ void
|
||||
packet_set_encryption_key(const u_char *key, u_int keylen, int number)
|
||||
{
|
||||
const Cipher *cipher = cipher_by_number(number);
|
||||
int r;
|
||||
|
||||
if (cipher == NULL)
|
||||
fatal("packet_set_encryption_key: unknown cipher number %d", number);
|
||||
@ -562,10 +570,11 @@ packet_set_encryption_key(const u_char *key, u_int keylen, int number)
|
||||
fatal("packet_set_encryption_key: keylen too big: %d", keylen);
|
||||
memcpy(active_state->ssh1_key, key, keylen);
|
||||
active_state->ssh1_keylen = keylen;
|
||||
cipher_init(&active_state->send_context, cipher, key, keylen, NULL,
|
||||
0, CIPHER_ENCRYPT);
|
||||
cipher_init(&active_state->receive_context, cipher, key, keylen, NULL,
|
||||
0, CIPHER_DECRYPT);
|
||||
if ((r = cipher_init(&active_state->send_context, cipher,
|
||||
key, keylen, NULL, 0, CIPHER_ENCRYPT)) != 0 ||
|
||||
(r = cipher_init(&active_state->receive_context, cipher,
|
||||
key, keylen, NULL, 0, CIPHER_DECRYPT)) != 0)
|
||||
fatal("%s: cipher_init: %s", __func__, ssh_err(r));
|
||||
}
|
||||
|
||||
u_int
|
||||
@ -631,6 +640,7 @@ packet_put_raw(const void *buf, u_int len)
|
||||
buffer_append(&active_state->outgoing_packet, buf, len);
|
||||
}
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
void
|
||||
packet_put_bignum(BIGNUM * value)
|
||||
{
|
||||
@ -642,6 +652,7 @@ packet_put_bignum2(BIGNUM * value)
|
||||
{
|
||||
buffer_put_bignum2(&active_state->outgoing_packet, value);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
void
|
||||
@ -743,7 +754,7 @@ set_newkeys(int mode)
|
||||
Comp *comp;
|
||||
CipherContext *cc;
|
||||
u_int64_t *max_blocks;
|
||||
int crypt_type;
|
||||
int r, crypt_type;
|
||||
|
||||
debug2("set_newkeys: mode %d", mode);
|
||||
|
||||
@ -785,8 +796,9 @@ set_newkeys(int mode)
|
||||
if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0)
|
||||
mac->enabled = 1;
|
||||
DBG(debug("cipher_init_context: %d", mode));
|
||||
cipher_init(cc, enc->cipher, enc->key, enc->key_len,
|
||||
enc->iv, enc->iv_len, crypt_type);
|
||||
if ((r = cipher_init(cc, enc->cipher, enc->key, enc->key_len,
|
||||
enc->iv, enc->iv_len, crypt_type)) != 0)
|
||||
fatal("%s: cipher_init: %s", __func__, ssh_err(r));
|
||||
/* Deleting the keys does not gain extra security */
|
||||
/* explicit_bzero(enc->iv, enc->block_size);
|
||||
explicit_bzero(enc->key, enc->key_len);
|
||||
@ -913,8 +925,8 @@ packet_send2_wrapped(void)
|
||||
roundup(active_state->extra_pad, block_size);
|
||||
pad = active_state->extra_pad -
|
||||
((len + padlen) % active_state->extra_pad);
|
||||
debug3("packet_send2: adding %d (len %d padlen %d extra_pad %d)",
|
||||
pad, len, padlen, active_state->extra_pad);
|
||||
DBG(debug3("%s: adding %d (len %d padlen %d extra_pad %d)",
|
||||
__func__, pad, len, padlen, active_state->extra_pad));
|
||||
padlen += pad;
|
||||
active_state->extra_pad = 0;
|
||||
}
|
||||
@ -1570,6 +1582,7 @@ packet_get_int64(void)
|
||||
* must have been initialized before this call.
|
||||
*/
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
void
|
||||
packet_get_bignum(BIGNUM * value)
|
||||
{
|
||||
@ -1599,6 +1612,7 @@ packet_get_raw(u_int *length_ptr)
|
||||
*length_ptr = bytes;
|
||||
return buffer_ptr(&active_state->incoming_packet);
|
||||
}
|
||||
#endif
|
||||
|
||||
int
|
||||
packet_remaining(void)
|
||||
@ -1619,7 +1633,7 @@ packet_get_string(u_int *length_ptr)
|
||||
return buffer_get_string(&active_state->incoming_packet, length_ptr);
|
||||
}
|
||||
|
||||
void *
|
||||
const void *
|
||||
packet_get_string_ptr(u_int *length_ptr)
|
||||
{
|
||||
return buffer_get_string_ptr(&active_state->incoming_packet, length_ptr);
|
||||
@ -2056,3 +2070,23 @@ packet_restore_state(void)
|
||||
add_recv_bytes(len);
|
||||
}
|
||||
}
|
||||
|
||||
/* Reset after_authentication and reset compression in post-auth privsep */
|
||||
void
|
||||
packet_set_postauth(void)
|
||||
{
|
||||
Comp *comp;
|
||||
int mode;
|
||||
|
||||
debug("%s: called", __func__);
|
||||
/* This was set in net child, but is not visible in user child */
|
||||
active_state->after_authentication = 1;
|
||||
active_state->rekeying = 0;
|
||||
for (mode = 0; mode < MODE_MAX; mode++) {
|
||||
if (active_state->newkeys[mode] == NULL)
|
||||
continue;
|
||||
comp = &active_state->newkeys[mode]->comp;
|
||||
if (comp && comp->enabled)
|
||||
packet_init_compression();
|
||||
}
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: packet.h,v 1.59 2013/07/12 00:19:59 djm Exp $ */
|
||||
/* $OpenBSD: packet.h,v 1.61 2014/05/03 17:20:34 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -70,7 +70,7 @@ void packet_get_ecpoint(const EC_GROUP *, EC_POINT *);
|
||||
void *packet_get_raw(u_int *length_ptr);
|
||||
void *packet_get_string(u_int *length_ptr);
|
||||
char *packet_get_cstring(u_int *length_ptr);
|
||||
void *packet_get_string_ptr(u_int *length_ptr);
|
||||
const void *packet_get_string_ptr(u_int *length_ptr);
|
||||
void packet_disconnect(const char *fmt,...) __attribute__((noreturn)) __attribute__((format(printf, 1, 2)));
|
||||
void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
|
||||
|
||||
@ -120,6 +120,7 @@ time_t packet_get_rekey_timeout(void);
|
||||
|
||||
void packet_backup_state(void);
|
||||
void packet_restore_state(void);
|
||||
void packet_set_postauth(void);
|
||||
|
||||
void *packet_get_input(void);
|
||||
void *packet_get_output(void);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: platform.c,v 1.21 2014/01/21 01:59:29 tim Exp $ */
|
||||
/* $Id: platform.c,v 1.22 2014/07/18 04:11:26 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2006 Darren Tucker. All rights reserved.
|
||||
@ -25,6 +25,7 @@
|
||||
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: poly1305.h,v 1.2 2013/12/19 22:57:13 djm Exp $ */
|
||||
/* $OpenBSD: poly1305.h,v 1.4 2014/05/02 03:27:54 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Public Domain poly1305 from Andrew Moon
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user