Rebase to latest release of pam_ssh_agent_auth while preserving current functionality

* Rebase to latest upstream version
 * Clean up older patches for pam_ssh_agent_auth
 * Remove prefixes from upstream release so we can build it against current
   openssh library
 * Remove copied files and headers so we make sure we build against current openssh
Jakub Jelen 2016-01-22 17:22:39 +01:00
parent 7bc64374b0
commit 87ab5fc4af
9 changed files with 809 additions and 644 deletions


@ -147,26 +147,6 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux.h.coverity openssh-6.8p1/openbs
+void linux_seed(void); +void linux_seed(void);
+ +
#endif /* ! _PORT_LINUX_H */ #endif /* ! _PORT_LINUX_H */
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity 2015-03-18 17:21:51.788265059 +0100
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c 2015-03-18 17:21:51.898264829 +0100
@@ -87,7 +87,7 @@ pam_user_key_allowed2(struct passwd *pw,
found = key_new(key->type);
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
- char *cp, *key_options = NULL;
+ char *cp = NULL;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -99,7 +99,6 @@ pam_user_key_allowed2(struct passwd *pw,
/* no key? check if there are options for this key */
int quoted = 0;
verbose("user_key_allowed: check options: '%s'", cp);
- key_options = cp;
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */
diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
--- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100 --- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100
+++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100 +++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100


@ -67,8 +67,8 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 7.1p2 %global openssh_ver 7.1p2
%global openssh_rel 1 %global openssh_rel 1
%global pam_ssh_agent_ver 0.9.3 %global pam_ssh_agent_ver 0.10.2
%global pam_ssh_agent_rel 9 %global pam_ssh_agent_rel 1
Summary: An open source implementation of SSH protocol versions 1 and 2 Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
@ -114,12 +114,10 @@ Patch300: pam_ssh_agent_auth-0.9.3-build.patch
Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
# explicitly make pam callbacks visible # explicitly make pam callbacks visible
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
# don't use xfree (#1024965)
Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch
# use SSH_DIGEST_* for fingerprint hashes
Patch304: pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch
# update to current version of agent structure # update to current version of agent structure
Patch305: pam_ssh_agent_auth-0.9.3-agent_structure.patch Patch305: pam_ssh_agent_auth-0.9.3-agent_structure.patch
# remove prefixes to be able to build against current openssh library
Patch306: pam_ssh_agent_auth-0.10.2-compat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
Patch400: openssh-6.6p1-role-mls.patch Patch400: openssh-6.6p1-role-mls.patch
@ -131,7 +129,7 @@ Patch501: openssh-6.7p1-ldap.patch
#? #?
Patch502: openssh-6.6p1-keycat.patch Patch502: openssh-6.6p1-keycat.patch
#http6://bugzilla.mindrot.org/show_bug.cgi?id=1644 #https://bugzilla.mindrot.org/show_bug.cgi?id=1644
Patch601: openssh-6.6p1-allow-ip-opts.patch Patch601: openssh-6.6p1-allow-ip-opts.patch
#http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h #http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
Patch603: openssh-5.8p1-glob.patch Patch603: openssh-5.8p1-glob.patch
@ -407,13 +405,12 @@ The module is most useful for su and sudo service stacks.
%if %{pam_ssh_agent} %if %{pam_ssh_agent}
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
%patch300 -p1 -b .psaa-build %patch300 -p2 -b .psaa-build
%patch301 -p1 -b .psaa-seteuid %patch301 -p1 -b .psaa-seteuid
%patch302 -p1 -b .psaa-visibility %patch302 -p2 -b .psaa-visibility
%patch303 -p1 -b .psaa-xfree %patch306 -p2 -b .psaa-compat
%patch304 -p2 -b .psaa-fingerprint
%patch305 -p2 -b .psaa-agent %patch305 -p2 -b .psaa-agent
# Remove duplicate headers # Remove duplicate headers and library files
rm -f $(cat %{SOURCE5}) rm -f $(cat %{SOURCE5})
popd popd
%endif %endif


@ -1,20 +1,37 @@
authfd.c
authfd.h authfd.h
atomicio.c
atomicio.h atomicio.h
bufaux.c
bufbn.c
buffer.h buffer.h
buffer.c
cleanup.c
cipher.h cipher.h
compat.h compat.h
defines.h defines.h
entropy.c
entropy.h entropy.h
fatal.c
includes.h includes.h
kex.h kex.h
key.c
key.h key.h
log.c
log.h log.h
match.h match.h
misc.c
misc.h misc.h
pathnames.h pathnames.h
platform.h platform.h
rsa.h rsa.h
ssh-dss.c
ssh-rsa.c
ssh.h ssh.h
ssh2.h ssh2.h
uidswap.c
uidswap.h
uuencode.c
uuencode.h uuencode.h
xmalloc.c
xmalloc.h xmalloc.h


@ -0,0 +1,688 @@
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.old openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.old 2016-01-22 16:27:56.867903172 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c 2016-01-22 16:56:48.114868014 +0100
@@ -59,6 +59,8 @@
#include "get_command_line.h"
extern char **environ;
+#define PAM_SSH_AGENT_AUTH_REQUESTv1 101
+
/*
* Added by Jamie Beverly, ensure socket fd points to a socket owned by the user
* A cursory check is done, but to avoid race conditions, it is necessary
@@ -77,7 +77,7 @@ log_action(char ** action, size_t count)
if (count == 0)
return NULL;
- buf = pamsshagentauth_xcalloc((count * MAX_LEN_PER_CMDLINE_ARG) + (count * 3), sizeof(*buf));
+ buf = xcalloc((count * MAX_LEN_PER_CMDLINE_ARG) + (count * 3), sizeof(*buf));
for (i = 0; i < count; i++) {
strcat(buf, (i > 0) ? " '" : "'");
strncat(buf, action[i], MAX_LEN_PER_CMDLINE_ARG);
@@ -71,12 +90,12 @@ void
agent_action(Buffer *buf, char ** action, size_t count)
{
size_t i;
- pamsshagentauth_buffer_init(buf);
+ buffer_init(buf);
- pamsshagentauth_buffer_put_int(buf, count);
+ buffer_put_int(buf, count);
for (i = 0; i < count; i++) {
- pamsshagentauth_buffer_put_cstring(buf, action[i]);
+ buffer_put_cstring(buf, action[i]);
}
}
@@ -100,7 +119,7 @@ pamsshagentauth_session_id2_gen(Buffer *
char * retc;
int32_t reti;
- rnd = pamsshagentauth_arc4random();
+ rnd = arc4random();
cookie_len = ((uint8_t) rnd);
while (cookie_len < 16) {
cookie_len += 16; /* Add 16 bytes to the size to ensure that while the length is random, the length is always reasonable; ticket #18 */
@@ -126,7 +128,7 @@ pamsshagentauth_session_id2_gen(Buffer *
cookie_len += 16; /* Add 16 bytes to the size to ensure that while the length is random, the length is always reasonable; ticket #18 */
}
- cookie = pamsshagentauth_xcalloc(1,cookie_len);
+ cookie = xcalloc(1,cookie_len);
for (i = 0; i < cookie_len; i++) {
if (i % 4 == 0) {
@@ -110,7 +129,7 @@ pamsshagentauth_session_id2_gen(Buffer *
for (i = 0; i < cookie_len; i++) {
if (i % 4 == 0) {
- rnd = pamsshagentauth_arc4random();
+ rnd = arc4random();
}
cookie[i] = (u_char) rnd;
rnd >>= 8;
@@ -125,7 +144,7 @@ pamsshagentauth_session_id2_gen(Buffer *
}
else {
action_logbuf = "unknown on this platform";
- pamsshagentauth_buffer_init(&action_agentbuf); /* stays empty, means unavailable */
+ buffer_init(&action_agentbuf); /* stays empty, means unavailable */
}
/*
@@ -142,35 +161,35 @@ pamsshagentauth_session_id2_gen(Buffer *
retc = getcwd(pwd, sizeof(pwd) - 1);
time(&ts);
- pamsshagentauth_buffer_init(session_id2);
+ buffer_init(session_id2);
- pamsshagentauth_buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1);
- /* pamsshagentauth_debug3("cookie: %s", pamsshagentauth_tohex(cookie, cookie_len)); */
- pamsshagentauth_buffer_put_string(session_id2, cookie, cookie_len);
- /* pamsshagentauth_debug3("user: %s", user); */
- pamsshagentauth_buffer_put_cstring(session_id2, user);
- /* pamsshagentauth_debug3("ruser: %s", ruser); */
- pamsshagentauth_buffer_put_cstring(session_id2, ruser);
- /* pamsshagentauth_debug3("servicename: %s", servicename); */
- pamsshagentauth_buffer_put_cstring(session_id2, servicename);
- /* pamsshagentauth_debug3("pwd: %s", pwd); */
+ buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1);
+ /* debug3("cookie: %s", tohex(cookie, cookie_len)); */
+ buffer_put_string(session_id2, cookie, cookie_len);
+ /* debug3("user: %s", user); */
+ buffer_put_cstring(session_id2, user);
+ /* debug3("ruser: %s", ruser); */
+ buffer_put_cstring(session_id2, ruser);
+ /* debug3("servicename: %s", servicename); */
+ buffer_put_cstring(session_id2, servicename);
+ /* debug3("pwd: %s", pwd); */
if(retc)
- pamsshagentauth_buffer_put_cstring(session_id2, pwd);
+ buffer_put_cstring(session_id2, pwd);
else
- pamsshagentauth_buffer_put_cstring(session_id2, "");
- /* pamsshagentauth_debug3("action: %s", action_logbuf); */
- pamsshagentauth_buffer_put_string(session_id2, action_agentbuf.buf + action_agentbuf.offset, action_agentbuf.end - action_agentbuf.offset);
+ buffer_put_cstring(session_id2, "");
+ /* debug3("action: %s", action_logbuf); */
+ buffer_put_string(session_id2, sshbuf_ptr(&action_agentbuf), sshbuf_len(&action_agentbuf));
if (free_logbuf) {
- pamsshagentauth_xfree(action_logbuf);
- pamsshagentauth_buffer_free(&action_agentbuf);
+ free(action_logbuf);
+ buffer_free(&action_agentbuf);
}
- /* pamsshagentauth_debug3("hostname: %s", hostname); */
+ /* debug3("hostname: %s", hostname); */
if(reti >= 0)
- pamsshagentauth_buffer_put_cstring(session_id2, hostname);
+ buffer_put_cstring(session_id2, hostname);
else
- pamsshagentauth_buffer_put_cstring(session_id2, "");
- /* pamsshagentauth_debug3("ts: %ld", ts); */
- pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts);
+ buffer_put_cstring(session_id2, "");
+ /* debug3("ts: %ld", ts); */
+ buffer_put_int64(session_id2, (uint64_t) ts);
free(cookie);
return;
@@ -190,11 +289,11 @@ pamsshagentauth_find_authorized_keys(con
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
- pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
+ verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
{
if(key != NULL) {
- id = pamsshagentauth_xcalloc(1, sizeof(*id));
+ id = xcalloc(1, sizeof(*id));
id->key = key;
id->filename = comment;
id->ac = ac;
@@ -203,18 +302,18 @@ pamsshagentauth_find_authorized_keys(con
if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
retval = 1;
}
- pamsshagentauth_xfree(id->filename);
- pamsshagentauth_key_free(id->key);
- pamsshagentauth_xfree(id);
+ free(id->filename);
+ key_free(id->key);
+ free(id);
if(retval == 1)
break;
}
}
- pamsshagentauth_buffer_free(&session_id2);
+ buffer_free(&session_id2);
ssh_close_authentication_connection(ac);
}
else {
- pamsshagentauth_verbose("No ssh-agent could be contacted");
+ verbose("No ssh-agent could be contacted");
}
/* pamsshagentauth_xfree(session_id2); */
EVP_cleanup();
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.old openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.old 2016-01-22 17:03:42.746602825 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c 2016-01-22 17:06:07.841485483 +0100
@@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
* a patch 8-)
*/
#if ! HAVE___PROGNAME || HAVE_BUNDLE
- __progname = pamsshagentauth_xstrdup(servicename);
+ __progname = xstrdup(servicename);
#endif
for(i = argc, argv_ptr = (char **) argv; i > 0; ++argv_ptr, i--) {
@@ -130,11 +130,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
#endif
}
- pamsshagentauth_log_init(__progname, log_lvl, facility, 0);
+ log_init(__progname, log_lvl, facility, 0);
pam_get_item(pamh, PAM_USER, (void *) &user);
pam_get_item(pamh, PAM_RUSER, (void *) &ruser_ptr);
- pamsshagentauth_verbose("Beginning pam_ssh_agent_auth for user %s", user);
+ verbose("Beginning pam_ssh_agent_auth for user %s", user);
if(ruser_ptr) {
strncpy(ruser, ruser_ptr, sizeof(ruser) - 1);
@@ -149,12 +149,12 @@ pam_sm_authenticate(pam_handle_t * pamh,
#ifdef ENABLE_SUDO_HACK
if( (strlen(sudo_service_name) > 0) && strncasecmp(servicename, sudo_service_name, sizeof(sudo_service_name) - 1) == 0 && getenv("SUDO_USER") ) {
strncpy(ruser, getenv("SUDO_USER"), sizeof(ruser) - 1 );
- pamsshagentauth_verbose( "Using environment variable SUDO_USER (%s)", ruser );
+ verbose( "Using environment variable SUDO_USER (%s)", ruser );
} else
#endif
{
if( ! getpwuid(getuid()) ) {
- pamsshagentauth_verbose("Unable to getpwuid(getuid())");
+ verbose("Unable to getpwuid(getuid())");
goto cleanexit;
}
strncpy(ruser, getpwuid(getuid())->pw_name, sizeof(ruser) - 1);
@@ -163,11 +163,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
/* Might as well explicitely confirm the user exists here */
if(! getpwnam(ruser) ) {
- pamsshagentauth_verbose("getpwnam(%s) failed, bailing out", ruser);
+ verbose("getpwnam(%s) failed, bailing out", ruser);
goto cleanexit;
}
if( ! getpwnam(user) ) {
- pamsshagentauth_verbose("getpwnam(%s) failed, bailing out", user);
+ verbose("getpwnam(%s) failed, bailing out", user);
goto cleanexit;
}
@@ -177,8 +177,8 @@ pam_sm_authenticate(pam_handle_t * pamh,
*/
parse_authorized_key_file(user, authorized_keys_file_input);
} else {
- pamsshagentauth_verbose("Using default file=/etc/security/authorized_keys");
- authorized_keys_file = pamsshagentauth_xstrdup("/etc/security/authorized_keys");
+ verbose("Using default file=/etc/security/authorized_keys");
+ authorized_keys_file = xstrdup("/etc/security/authorized_keys");
}
/*
@@ -187,19 +187,19 @@ pam_sm_authenticate(pam_handle_t * pamh,
*/
if(user && strlen(ruser) > 0) {
- pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+ verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
/*
* this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
*/
if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
- pamsshagentauth_logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+ logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
retval = PAM_SUCCESS;
} else {
- pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+ logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
}
} else {
- pamsshagentauth_logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" );
+ logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" );
}
cleanexit:
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.old openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.old 2016-01-22 16:57:15.210850825 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c 2016-01-22 17:03:13.913623276 +0100
@@ -48,6 +48,8 @@
#include "identity.h"
#include "pam_user_authorized_keys.h"
+#define SSH2_MSG_USERAUTH_TRUST_REQUEST 54
+
/* extern u_char *session_id2;
extern uint8_t session_id_len;
*/
@@ -67,35 +67,35 @@ userauth_pubkey_from_id(const char *ruse
if(! pam_user_key_allowed(ruser, id->key))
goto user_auth_clean_exit;
- if(pamsshagentauth_key_to_blob(id->key, &pkblob, &blen) == 0)
+ if(key_to_blob(id->key, &pkblob, &blen) == 0)
goto user_auth_clean_exit;
/* construct packet to sign and test */
- pamsshagentauth_buffer_init(&b);
+ buffer_init(&b);
- pamsshagentauth_buffer_put_string(&b, session_id2->buf + session_id2->offset, session_id2->end - session_id2->offset);
- pamsshagentauth_buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST);
- pamsshagentauth_buffer_put_cstring(&b, ruser);
- pamsshagentauth_buffer_put_cstring(&b, "pam_ssh_agent_auth");
- pamsshagentauth_buffer_put_cstring(&b, "publickey");
- pamsshagentauth_buffer_put_char(&b, 1);
- pamsshagentauth_buffer_put_cstring(&b, pkalg);
- pamsshagentauth_buffer_put_string(&b, pkblob, blen);
+ buffer_put_string(&b, sshbuf_ptr(session_id2), sshbuf_len(session_id2));
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST);
+ buffer_put_cstring(&b, ruser);
+ buffer_put_cstring(&b, "pam_ssh_agent_auth");
+ buffer_put_cstring(&b, "publickey");
+ buffer_put_char(&b, 1);
+ buffer_put_cstring(&b, pkalg);
+ buffer_put_string(&b, pkblob, blen);
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) != 0)
+ if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
goto user_auth_clean_exit;
/* test for correct signature */
- if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1)
+ if(key_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
authenticated = 1;
user_auth_clean_exit:
/* if(&b != NULL) */
- pamsshagentauth_buffer_free(&b);
+ buffer_free(&b);
if(sig != NULL)
- pamsshagentauth_xfree(sig);
+ free(sig);
if(pkblob != NULL)
- pamsshagentauth_xfree(pkblob);
+ free(pkblob);
CRYPTO_cleanup_all_ex_data();
return authenticated;
}
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/secure_filename.c.old openssh-7.1p2/pam_ssh_agent_auth-0.10.2/secure_filename.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/secure_filename.c.old 2016-01-22 17:12:03.026198234 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/secure_filename.c 2016-01-22 17:12:31.817174950 +0100
@@ -80,7 +80,7 @@ pamsshagentauth_auth_secure_path(const c
int comparehome = 0;
struct stat st;
- pamsshagentauth_verbose("auth_secure_filename: checking for uid: %u", uid);
+ verbose("auth_secure_filename: checking for uid: %u", uid);
if (realpath(name, buf) == NULL) {
snprintf(err, errlen, "realpath %s failed: %s", name,
@@ -115,9 +115,9 @@ pamsshagentauth_auth_secure_path(const c
snprintf(err, errlen, "dirname() failed");
return -1;
}
- pamsshagentauth_strlcpy(buf, cp, sizeof(buf));
+ strlcpy(buf, cp, sizeof(buf));
- pamsshagentauth_verbose("secure_filename: checking '%s'", buf);
+ verbose("secure_filename: checking '%s'", buf);
if (stat(buf, &st) < 0 ||
(st.st_uid != 0 && st.st_uid != uid) ||
(st.st_mode & 022) != 0) {
@@ -128,7 +128,7 @@ pamsshagentauth_auth_secure_path(const c
/* If are passed the homedir then we can stop */
if (comparehome && strcmp(homedir, buf) == 0) {
- pamsshagentauth_verbose("secure_filename: terminating check at '%s'",
+ verbose("secure_filename: terminating check at '%s'",
buf);
break;
}
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/get_command_line.c.old openssh-7.1p2/pam_ssh_agent_auth-0.10.2/get_command_line.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/get_command_line.c.old 2016-01-22 17:13:18.226137418 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/get_command_line.c 2016-01-22 17:14:27.753081189 +0100
@@ -65,8 +65,8 @@ proc_pid_cmdline(char *** inargv)
case EOF:
case '\0':
if (len > 0) {
- argv = pamsshagentauth_xrealloc(argv, count + 1, sizeof(*argv));
- argv[count] = pamsshagentauth_xcalloc(len + 1, sizeof(*argv[count]));
+ argv = xreallocarray(argv, count + 1, sizeof(*argv));
+ argv[count] = xcalloc(len + 1, sizeof(*argv[count]));
strncpy(argv[count++], argbuf, len);
memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1);
len = 0;
@@ -105,9 +105,9 @@ pamsshagentauth_free_command_line(char *
{
size_t i;
for (i = 0; i < n_args; i++)
- pamsshagentauth_xfree(argv[i]);
+ free(argv[i]);
- pamsshagentauth_xfree(argv);
+ free(argv);
return;
}
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c.old openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c.old 2016-01-22 17:15:57.547008570 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c 2016-01-22 17:16:18.297991788 +0100
@@ -48,6 +48,7 @@
#include "buffer.h"
#include "log.h"
#include "compat.h"
+#include "digest.h"
#include "key.h"
#include "pathnames.h"
#include "misc.h"
@@ -54,6 +54,7 @@
#include "misc.h"
#include "secure_filename.h"
#include "uidswap.h"
+#include <unistd.h>
#include "identity.h"
@@ -68,7 +68,7 @@ pamsshagentauth_check_authkeys_file(FILE
char *fp;
found_key = 0;
- found = pamsshagentauth_key_new(key->type);
+ found = key_new(key->type);
while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp = NULL; /* *key_options = NULL; */
@@ -78,11 +78,11 @@ pamsshagentauth_check_authkeys_file(FILE
if(!*cp || *cp == '\n' || *cp == '#')
continue;
- if(pamsshagentauth_key_read(found, &cp) != 1) {
+ if(key_read(found, &cp) != 1) {
/* no key? check if there are options for this key */
int quoted = 0;
- pamsshagentauth_verbose("user_key_allowed: check options: '%s'", cp);
+ verbose("user_key_allowed: check options: '%s'", cp);
/* key_options = cp; */
for(; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if(*cp == '\\' && cp[1] == '"')
@@ -92,26 +92,26 @@ pamsshagentauth_check_authkeys_file(FILE
}
/* Skip remaining whitespace. */
for(; *cp == ' ' || *cp == '\t'; cp++);
- if(pamsshagentauth_key_read(found, &cp) != 1) {
- pamsshagentauth_verbose("user_key_allowed: advance: '%s'", cp);
+ if(key_read(found, &cp) != 1) {
+ verbose("user_key_allowed: advance: '%s'", cp);
/* still no key? advance to next line */
continue;
}
}
- if(pamsshagentauth_key_equal(found, key)) {
+ if(key_equal(found, key)) {
found_key = 1;
- pamsshagentauth_logit("matching key found: file/command %s, line %lu", file,
+ logit("matching key found: file/command %s, line %lu", file,
linenum);
- fp = pamsshagentauth_key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
- pamsshagentauth_logit("Found matching %s key: %s",
- pamsshagentauth_key_type(found), fp);
- pamsshagentauth_xfree(fp);
+ fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
+ logit("Found matching %s key: %s",
+ key_type(found), fp);
+ free(fp);
break;
}
}
- pamsshagentauth_key_free(found);
+ key_free(found);
if(!found_key)
- pamsshagentauth_verbose("key not found");
+ verbose("key not found");
return found_key;
}
@@ -128,11 +128,11 @@ pamsshagentauth_user_key_allowed2(struct
char buf[SSH_MAX_PUBKEY_BYTES];
/* Temporarily use the user's uid. */
- pamsshagentauth_verbose("trying public key file %s", file);
+ verbose("trying public key file %s", file);
/* Fail not so quietly if file does not exist */
if(stat(file, &st) < 0) {
- pamsshagentauth_verbose("File not found: %s", file);
+ verbose("File not found: %s", file);
return 0;
}
@@ -144,7 +144,7 @@ pamsshagentauth_user_key_allowed2(struct
if(pamsshagentauth_secure_filename(f, file, pw, buf, sizeof(buf)) != 0) {
fclose(f);
- pamsshagentauth_logit("Authentication refused: %s", buf);
+ logit("Authentication refused: %s", buf);
return 0;
}
@@ -187,44 +187,44 @@ pamsshagentauth_user_key_command_allowed
else {
pw = getpwnam(authorized_keys_command_user);
if(pw == NULL) {
- pamsshagentauth_logerror("authorized_keys_command_user \"%s\" not found: %s",
+ error("authorized_keys_command_user \"%s\" not found: %s",
authorized_keys_command_user, strerror(errno));
return 0;
}
}
- pamsshagentauth_temporarily_use_uid(pw);
+ temporarily_use_uid(pw);
if(stat(authorized_keys_command, &st) < 0) {
- pamsshagentauth_logerror
+ error
("Could not stat AuthorizedKeysCommand \"%s\": %s",
authorized_keys_command, strerror(errno));
goto out;
}
if(pamsshagentauth_auth_secure_path
(authorized_keys_command, &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) {
- pamsshagentauth_logerror("Unsafe AuthorizedKeysCommand: %s", errmsg);
+ error("Unsafe AuthorizedKeysCommand: %s", errmsg);
goto out;
}
/* open the pipe and read the keys */
if(pipe(p) != 0) {
- pamsshagentauth_logerror("%s: pipe: %s", __func__, strerror(errno));
+ error("%s: pipe: %s", __func__, strerror(errno));
goto out;
}
- pamsshagentauth_debug("Running AuthorizedKeysCommand: \"%s\" as \"%s\" with argument: \"%s\"",
+ debug("Running AuthorizedKeysCommand: \"%s\" as \"%s\" with argument: \"%s\"",
authorized_keys_command, pw->pw_name, username);
/*
* Don't want to call this in the child, where it can fatal() and
* run cleanup_exit() code.
*/
- pamsshagentauth_restore_uid();
+ restore_uid();
switch ((pid = fork())) {
case -1: /* error */
- pamsshagentauth_logerror("%s: fork: %s", __func__, strerror(errno));
+ error("%s: fork: %s", __func__, strerror(errno));
close(p[0]);
close(p[1]);
return 0;
@@ -234,13 +234,13 @@ pamsshagentauth_user_key_command_allowed
/* do this before the setresuid so thta they can be logged */
if((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
- pamsshagentauth_logerror("%s: open %s: %s", __func__, _PATH_DEVNULL,
+ error("%s: open %s: %s", __func__, _PATH_DEVNULL,
strerror(errno));
_exit(1);
}
if(dup2(devnull, STDIN_FILENO) == -1 || dup2(p[1], STDOUT_FILENO) == -1
|| dup2(devnull, STDERR_FILENO) == -1) {
- pamsshagentauth_logerror("%s: dup2: %s", __func__, strerror(errno));
+ error("%s: dup2: %s", __func__, strerror(errno));
_exit(1);
}
#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
@@ -248,7 +248,7 @@ pamsshagentauth_user_key_command_allowed
#else
if (setgid(pw->pw_gid) != 0 || setegid(pw->pw_gid) != 0) {
#endif
- pamsshagentauth_logerror("setresgid %u: %s", (u_int) pw->pw_gid,
+ error("setresgid %u: %s", (u_int) pw->pw_gid,
strerror(errno));
_exit(1);
}
@@ -258,7 +258,7 @@ pamsshagentauth_user_key_command_allowed
#else
if (setuid(pw->pw_uid) != 0 || seteuid(pw->pw_uid) != 0) {
#endif
- pamsshagentauth_logerror("setresuid %u: %s", (u_int) pw->pw_uid,
+ error("setresuid %u: %s", (u_int) pw->pw_uid,
strerror(errno));
_exit(1);
}
@@ -270,18 +270,18 @@ pamsshagentauth_user_key_command_allowed
/* pretty sure this will barf because we are now suid, but since we
should't reach this anyway, I'll leave it here */
- pamsshagentauth_logerror("AuthorizedKeysCommand %s exec failed: %s",
+ error("AuthorizedKeysCommand %s exec failed: %s",
authorized_keys_command, strerror(errno));
_exit(127);
default: /* parent */
break;
}
- pamsshagentauth_temporarily_use_uid(pw);
+ temporarily_use_uid(pw);
close(p[1]);
if((f = fdopen(p[0], "r")) == NULL) {
- pamsshagentauth_logerror("%s: fdopen: %s", __func__, strerror(errno));
+ error("%s: fdopen: %s", __func__, strerror(errno));
close(p[0]);
/* Don't leave zombie child */
while(waitpid(pid, NULL, 0) == -1 && errno == EINTR);
@@ -292,22 +292,22 @@ pamsshagentauth_user_key_command_allowed
while(waitpid(pid, &status, 0) == -1) {
if(errno != EINTR) {
- pamsshagentauth_logerror("%s: waitpid: %s", __func__,
+ error("%s: waitpid: %s", __func__,
strerror(errno));
goto out;
}
}
if(WIFSIGNALED(status)) {
- pamsshagentauth_logerror("AuthorizedKeysCommand %s exited on signal %d",
+ error("AuthorizedKeysCommand %s exited on signal %d",
authorized_keys_command, WTERMSIG(status));
goto out;
} else if(WEXITSTATUS(status) != 0) {
- pamsshagentauth_logerror("AuthorizedKeysCommand %s returned status %d",
+ error("AuthorizedKeysCommand %s returned status %d",
authorized_keys_command, WEXITSTATUS(status));
goto out;
}
found_key = ok;
out:
- pamsshagentauth_restore_uid();
+ restore_uid();
return found_key;
}
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c.psaa-xfree openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c.psaa-xfree 2016-01-22 15:30:26.300302721 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c 2016-01-22 15:33:57.567226875 +0100
@@ -117,12 +117,12 @@ parse_authorized_key_file(const char *us
} else {
slash_ptr = strchr(auth_keys_file_buf, '/');
if(!slash_ptr)
- pamsshagentauth_fatal
+ fatal
("cannot expand tilde in path without a `/'");
owner_uname_len = slash_ptr - auth_keys_file_buf - 1;
if(owner_uname_len > (sizeof(owner_uname) - 1))
- pamsshagentauth_fatal("Username too long");
+ fatal("Username too long");
strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len);
if(!authorized_keys_file_allowed_owner_uid)
@@ -130,11 +130,11 @@ parse_authorized_key_file(const char *us
getpwnam(owner_uname)->pw_uid;
}
authorized_keys_file =
- pamsshagentauth_tilde_expand_filename(auth_keys_file_buf,
+ tilde_expand_filename(auth_keys_file_buf,
authorized_keys_file_allowed_owner_uid);
strncpy(auth_keys_file_buf, authorized_keys_file,
sizeof(auth_keys_file_buf) - 1);
- pamsshagentauth_xfree(authorized_keys_file) /* when we
+ free(authorized_keys_file) /* when we
percent_expand
later, we'd step
on this, so free
@@ -150,7 +150,7 @@ parse_authorized_key_file(const char *us
strncat(hostname, fqdn, strcspn(fqdn, "."));
#endif
authorized_keys_file =
- pamsshagentauth_percent_expand(auth_keys_file_buf, "h",
+ percent_expand(auth_keys_file_buf, "h",
getpwnam(user)->pw_dir, "H", hostname,
"f", fqdn, "u", user, NULL);
}
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/uuencode.c.psaa-xfree openssh-7.1p2/pam_ssh_agent_auth-0.10.2/uuencode.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/uuencode.c.psaa-xfree 2014-03-23 23:52:21.000000000 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/uuencode.c 2016-01-22 15:39:26.210104334 +0100
@@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
/* and remove trailing whitespace because __b64_pton needs this */
*p = '\0';
len = pamsshagentauth___b64_pton(encoded, target, targsize);
- pamsshagentauth_xfree(encoded);
+ xfree(encoded);
return len;
}
@@ -70,7 +70,7 @@ pamsshagentauth_dump_base64(FILE *fp, u_
fprintf(fp, "dump_base64: len > 65536\n");
return;
}
- buf = pamsshagentauth_xmalloc(2*len);
+ buf = malloc(2*len);
n = pamsshagentauth_uuencode(data, len, buf, 2*len);
for (i = 0; i < n; i++) {
fprintf(fp, "%c", buf[i]);
@@ -79,5 +79,5 @@ pamsshagentauth_dump_base64(FILE *fp, u_
}
if (i % 70 != 69)
fprintf(fp, "\n");
- pamsshagentauth_xfree(buf);
+ free(buf);
}
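Review bot: The result of `sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX)` in the pam_user_key_allowed2.c hunk (the `key_equal` branch of pamsshagentauth_check_authkeys_file) goes straight into `logit` with no NULL check. As far as I know, sshkey_fingerprint returns NULL when the digest cannot be computed, which seems plausible for MD5 on hosts where that hash is disabled by policy; the "Found matching ... key" audit line would then lose the fingerprint of the key that just authenticated. I would guard it, for example `if ((fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX)) != NULL)` around the `logit`, and log the match without a fingerprint otherwise. Separately, an MD5 hex fingerprint does not match the SHA256 form that current ssh tooling prints by default, so a comment stating why MD5 is kept here would help whoever correlates these logs. The function starts outside the hunk, so its earlier handling of `found` is not visible here.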


@ -1,7 +1,7 @@
diff -up pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c.visibility pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.psaa-visibility openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c
--- pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c.visibility 2009-12-21 20:57:34.000000000 +0100 --- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.psaa-visibility 2014-03-31 19:35:17.000000000 +0200
+++ pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c 2012-06-21 20:01:31.356259429 +0200 +++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c 2016-01-22 15:22:40.984469774 +0100
@@ -68,7 +68,7 @@ char *__progname; @@ -72,7 +72,7 @@ char *__progname;
extern char *__progname; extern char *__progname;
#endif #endif
@ -10,7 +10,7 @@ diff -up pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c.visibility pam_ssh_agent_
pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv) pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
{ {
char **argv_ptr; char **argv_ptr;
@@ -184,7 +184,7 @@ pam_sm_authenticate(pam_handle_t * pamh, @@ -214,7 +214,7 @@ cleanexit:
} }
@ -18,4 +18,4 @@ diff -up pam_ssh_agent_auth-0.9.2/pam_ssh_agent_auth.c.visibility pam_ssh_agent_
+PAM_EXTERN int __attribute__ ((visibility ("default"))) +PAM_EXTERN int __attribute__ ((visibility ("default")))
pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv) pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
{ {
return PAM_SUCCESS; UNUSED(pamh);


@ -1,30 +1,47 @@
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-agent 2015-06-02 16:43:09.231902255 +0200 --- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent 2014-03-31 19:35:16.000000000 +0200
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c 2015-06-02 16:43:09.235902253 +0200 +++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h 2016-01-22 15:47:15.999919059 +0100
@@ -37,6 +37,7 @@ @@ -38,6 +38,12 @@
typedef struct identity Identity;
typedef struct idlist Idlist;
+typedef struct {
+ int fd;
+ Buffer identities;
+ int howmany;
+} AuthenticationConnection;
+
struct identity {
TAILQ_ENTRY(identity) next;
AuthenticationConnection *ac; /* set if agent supports key */
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-agent 2016-01-22 15:47:15.998919060 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c 2016-01-22 15:53:38.427768239 +0100
@@ -39,6 +39,7 @@
#include "buffer.h" #include "buffer.h"
#include "key.h" #include "key.h"
#include "authfd.h" #include "authfd.h"
+#include "ssherr.h" +#include "ssherr.h"
#include "ssh.h"
#include <stdio.h> #include <stdio.h>
#include <sys/types.h> #include <openssl/evp.h>
@@ -177,34 +178,41 @@ int #include "ssh2.h"
find_authorized_keys(uid_t uid) @@ -285,36 +286,43 @@ pamsshagentauth_find_authorized_keys(con
{ {
Buffer session_id2 = { 0 };
Identity *id; Identity *id;
- Key *key; - Key *key;
AuthenticationConnection *ac; AuthenticationConnection *ac;
- char *comment; - char *comment;
uint8_t retval = 0; uint8_t retval = 0;
uid_t uid = getpwnam(ruser)->pw_uid;
+ struct ssh_identitylist *idlist; + struct ssh_identitylist *idlist;
+ int r, i; + int r, i;
OpenSSL_add_all_digests(); OpenSSL_add_all_digests();
session_id2 = session_id2_gen(); pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
if ((ac = ssh_get_authentication_connection_for_uid(uid))) { if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid); verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2)) - for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
+ if ((r = ssh_fetch_identitylist(ac->fd, 2, + if ((r = ssh_fetch_identitylist(ac->fd, 2,
+ &idlist)) != 0) { + &idlist)) != 0) {
@ -42,7 +59,7 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-ag
+ id->key = idlist->keys[i]; + id->key = idlist->keys[i];
+ id->filename = idlist->comments[i]; + id->filename = idlist->comments[i];
id->ac = ac; id->ac = ac;
if(userauth_pubkey_from_id(id)) { if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
retval = 1; retval = 1;
} }
- free(id->filename); - free(id->filename);
@ -52,6 +69,7 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-ag
break; break;
} }
} }
buffer_free(&session_id2);
- ssh_close_authentication_connection(ac); - ssh_close_authentication_connection(ac);
+ ssh_free_identitylist(idlist); + ssh_free_identitylist(idlist);
+ ssh_close_authentication_socket(ac->fd); + ssh_close_authentication_socket(ac->fd);
@ -60,28 +78,12 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-ag
} }
else { else {
verbose("No ssh-agent could be contacted"); verbose("No ssh-agent could be contacted");
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h.psaa-agent 2009-08-09 02:54:21.000000000 +0200 --- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-agent 2016-01-22 15:47:15.995919061 +0100
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h 2015-06-02 16:43:09.235902253 +0200 +++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c 2016-01-22 16:06:20.611464261 +0100
@@ -14,6 +14,12 @@ @@ -55,10 +55,11 @@ extern uint8_t session_id_len;
typedef struct identity Identity;
typedef struct idlist Idlist;
+typedef struct {
+ int fd;
+ Buffer identities;
+ int howmany;
+} AuthenticationConnection;
+
struct identity {
TAILQ_ENTRY(identity) next;
AuthenticationConnection *ac; /* set if agent supports key */
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-agent 2015-06-02 16:43:09.232902254 +0200
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c 2015-06-02 16:45:07.699822094 +0200
@@ -54,10 +54,11 @@ extern uint8_t session_id_len;
int int
userauth_pubkey_from_id(Identity * id) userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
{ {
- Buffer b = { 0 }; - Buffer b = { 0 };
+ Buffer b; + Buffer b;
@ -93,20 +95,7 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-a
int authenticated = 0; int authenticated = 0;
pkalg = (char *) key_ssh_name(id->key); pkalg = (char *) key_ssh_name(id->key);
@@ -65,10 +65,10 @@ userauth_pubkey_from_id(Identity * id) @@ -82,7 +83,7 @@ userauth_pubkey_from_id(const char *ruse
/* first test if this key is even allowed */
if(! pam_user_key_allowed(id->key))
- goto user_auth_clean_exit;
+ goto user_auth_clean_exit_without_buffer;
if(key_to_blob(id->key, &pkblob, &blen) == 0)
- goto user_auth_clean_exit;
+ goto user_auth_clean_exit_without_buffer;
/* construct packet to sign and test */
buffer_init(&b);
@@ -70,7 +70,7 @@ userauth_pubkey_from_id(Identity * id)
buffer_put_cstring(&b, pkalg); buffer_put_cstring(&b, pkalg);
buffer_put_string(&b, pkblob, blen); buffer_put_string(&b, pkblob, blen);
@ -115,11 +104,3 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-a
goto user_auth_clean_exit; goto user_auth_clean_exit;
/* test for correct signature */ /* test for correct signature */
@@ -92,6 +92,7 @@ userauth_pubkey_from_id(Identity * id)
user_auth_clean_exit:
if(&b != NULL)
buffer_free(&b);
+ user_auth_clean_exit_without_buffer:
if(sig != NULL)
free(sig);
if(pkblob != NULL)
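Review bot: In the userauth_pubkey_from_id.c part of this patch, the rebased version still changes `Buffer b = { 0 };` to `Buffer b;`, but it appears to drop the hunks that routed the two failure paths before `buffer_init(&b)` to a separate `user_auth_clean_exit_without_buffer` label. If 0.10.2 still does `goto user_auth_clean_exit` when `pam_user_key_allowed()` or `key_to_blob()` fails, the cleanup would call `buffer_free(&b)` on an uninitialized struct. That would happen on the ordinary path where an offered key is not authorized, inside a PAM authentication module. Moving `buffer_init(&b);` ahead of the first `goto` would give every exit an initialized buffer. The function body continues outside the visible hunks, so this needs confirming against the 0.10.2 source.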


@ -1,12 +1,11 @@
diff -up pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-build openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c
--- pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build 2010-01-13 03:17:01.000000000 +0100 --- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-build 2016-01-22 14:59:18.943919791 +0100
+++ pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c 2012-06-21 20:14:56.432527764 +0200 +++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c 2016-01-22 15:16:12.534599318 +0100
@@ -37,7 +37,16 @@ @@ -43,12 +43,31 @@
#include "buffer.h" #include <openssl/evp.h>
#include "key.h" #include "ssh2.h"
#include "authfd.h" #include "misc.h"
+#include "ssh.h" +#include "ssh.h"
#include <stdio.h>
+#include <sys/types.h> +#include <sys/types.h>
+#include <sys/stat.h> +#include <sys/stat.h>
+#include <sys/socket.h> +#include <sys/socket.h>
@ -15,12 +14,11 @@ diff -up pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build pam_ssh_ag
+#include <stdlib.h> +#include <stdlib.h>
+#include <errno.h> +#include <errno.h>
+#include <fcntl.h> +#include <fcntl.h>
#include <openssl/evp.h>
#include "userauth_pubkey_from_id.h" #include "userauth_pubkey_from_id.h"
@@ -69,6 +78,96 @@ session_id2_gen() #include "identity.h"
return cookie; #include "get_command_line.h"
} extern char **environ;
+/* +/*
+ * Added by Jamie Beverly, ensure socket fd points to a socket owned by the user + * Added by Jamie Beverly, ensure socket fd points to a socket owned by the user
@ -32,7 +30,31 @@ diff -up pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build pam_ssh_ag
+ * race condition; so a more "direct" log message is generated. + * race condition; so a more "direct" log message is generated.
+ */ + */
+ +
+int static char *
log_action(char ** action, size_t count)
{
@@ -85,7 +104,7 @@ void
pamsshagentauth_session_id2_gen(Buffer * session_id2, const char * user,
const char * ruser, const char * servicename)
{
- char *cookie = NULL;
+ u_char *cookie = NULL;
uint8_t i = 0;
uint32_t rnd = 0;
uint8_t cookie_len;
@@ -110,7 +129,7 @@ pamsshagentauth_session_id2_gen(Buffer *
if (i % 4 == 0) {
rnd = pamsshagentauth_arc4random();
}
- cookie[i] = (char) rnd;
+ cookie[i] = (u_char) rnd;
rnd >>= 8;
}
@@ -142,6 +161,86 @@ pamsshagentauth_session_id2_gen(Buffer *
}
int
+ssh_get_authentication_socket_for_uid(uid_t uid) +ssh_get_authentication_socket_for_uid(uid_t uid)
+{ +{
+ const char *authsocket; + const char *authsocket;
@ -112,27 +134,23 @@ diff -up pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build pam_ssh_ag
+ return auth; + return auth;
+} +}
+ +
int +int
find_authorized_keys(uid_t uid) pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename)
{ {
@@ -81,7 +180,7 @@ find_authorized_keys(uid_t uid) Buffer session_id2 = { 0 };
@@ -190,7 +289,7 @@ pamsshagentauth_find_authorized_keys(con
OpenSSL_add_all_digests(); OpenSSL_add_all_digests();
session_id2 = session_id2_gen(); pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
- if ((ac = ssh_get_authentication_connection(uid))) { - if ((ac = ssh_get_authentication_connection(uid))) {
+ if ((ac = ssh_get_authentication_connection_for_uid(uid))) { + if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid); pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2)) for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
{ {
@@ -109,3 +208,4 @@ find_authorized_keys(uid_t uid) diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in.psaa-build openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in
EVP_cleanup(); --- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in.psaa-build 2014-03-31 19:35:17.000000000 +0200
return retval; +++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in 2016-01-22 15:20:16.479521651 +0100
} @@ -52,7 +52,7 @@ PATHS=
+
diff -up pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build pam_ssh_agent_auth-0.9.3/Makefile.in
--- pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build 2009-10-27 21:19:41.000000000 +0100
+++ pam_ssh_agent_auth-0.9.3/Makefile.in 2012-06-21 20:14:56.432527764 +0200
@@ -28,7 +28,7 @@ PATHS=
CC=@CC@ CC=@CC@
LD=@LD@ LD=@LD@
CFLAGS=@CFLAGS@ CFLAGS=@CFLAGS@
@ -141,7 +159,7 @@ diff -up pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build pam_ssh_agent_auth-0.9.
LIBS=@LIBS@ LIBS=@LIBS@
AR=@AR@ AR=@AR@
AWK=@AWK@ AWK=@AWK@
@@ -37,7 +37,7 @@ INSTALL=@INSTALL@ @@ -61,7 +61,7 @@ INSTALL=@INSTALL@
PERL=@PERL@ PERL=@PERL@
SED=@SED@ SED=@SED@
ENT=@ENT@ ENT=@ENT@
@ -150,16 +168,16 @@ diff -up pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build pam_ssh_agent_auth-0.9.
LDFLAGS_SHARED = @LDFLAGS_SHARED@ LDFLAGS_SHARED = @LDFLAGS_SHARED@
EXEEXT=@EXEEXT@ EXEEXT=@EXEEXT@
@@ -48,7 +48,7 @@ PAM_MODULES=pam_ssh_agent_auth.so @@ -72,7 +72,7 @@ PAM_MODULES=pam_ssh_agent_auth.so
SSHOBJS=xmalloc.o atomicio.o authfd.o bufaux.o bufbn.o buffer.o cleanup.o entropy.o fatal.o key.o log.o misc.o secure_filename.o ssh-dss.o ssh-rsa.o uuencode.o compat.o SSHOBJS=xmalloc.o atomicio.o authfd.o bufaux.o bufbn.o buffer.o cleanup.o entropy.o fatal.o key.o log.o misc.o secure_filename.o ssh-dss.o ssh-rsa.o uuencode.o compat.o uidswap.o
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o -PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o secure_filename.o +PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o secure_filename.o
MANPAGES_IN = pam_ssh_agent_auth.pod MANPAGES_IN = pam_ssh_agent_auth.pod
@@ -67,13 +67,13 @@ $(PAM_MODULES): Makefile.in config.h @@ -91,13 +91,13 @@ $(PAM_MODULES): Makefile.in config.h
.c.o: .c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
@ -170,31 +188,9 @@ diff -up pam_ssh_agent_auth-0.9.3/Makefile.in.psaa-build pam_ssh_agent_auth-0.9.
always: always:
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o -pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat $(LIBS) -lpam pam_ssh_agent_auth.o - $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o +pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -lpam -lnss3 pam_ssh_agent_auth.o + $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam -lnss3
$(MANPAGES): $(MANPAGES_IN) $(MANPAGES): $(MANPAGES_IN)
pod2man --section=8 --release=v0.8 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8 pod2man --section=8 --release=v0.10.2 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
diff --git pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
index e2c5777..9b8b863 100644
--- pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-build
+++ pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
@@ -58,7 +58,7 @@ uint8_t session_id_len = 0;
u_char *
session_id2_gen()
{
- char *cookie = NULL;
+ u_char *cookie = NULL;
uint8_t i = 0;
uint32_t rnd = 0;
@@ -71,7 +71,7 @@ session_id2_gen()
if (i % 4 == 0) {
rnd = arc4random();
}
- cookie[i] = (char) rnd;
+ cookie[i] = (u_char) rnd;
rnd >>= 8;
}


@ -1,64 +0,0 @@
diff --git a/pam_ssh_agent_auth-0.9.3/key.c b/pam_ssh_agent_auth-0.9.3/key.c
index 9555e7e..c17aae6 100644
--- a/pam_ssh_agent_auth-0.9.3/key.c
+++ b/pam_ssh_agent_auth-0.9.3/key.c
@@ -55,6 +55,7 @@
#include "uuencode.h"
#include "buffer.h"
#include "log.h"
+#include "digest.h"
Key *
key_new(int type)
@@ -181,7 +182,7 @@ key_equal(const Key *a, const Key *b)
}
u_char*
-key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+sshkey_fingerprint_raw(const Key *k, int dgst_type,
u_int *dgst_raw_length)
{
const EVP_MD *md = NULL;
@@ -194,10 +195,10 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
*dgst_raw_length = 0;
switch (dgst_type) {
- case SSH_FP_MD5:
+ case SSH_DIGEST_MD5:
md = EVP_md5();
break;
- case SSH_FP_SHA1:
+ case SSH_DIGEST_SHA1:
md = EVP_sha1();
break;
default:
@@ -302,7 +303,7 @@ key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
}
char *
-key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
+sshkey_fingerprint(const Key *k, int dgst_type, enum fp_rep dgst_rep)
{
char *retval = NULL;
u_char *dgst_raw;
diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
index dddcba9..8ba6d87 100644
--- a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
+++ b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
@@ -43,6 +43,7 @@
#include "buffer.h"
#include "log.h"
#include "compat.h"
+#include "digest.h"
#include "key.h"
#include "pathnames.h"
#include "misc.h"
@@ -118,7 +119,7 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file)
found_key = 1;
logit("matching key found: file %s, line %lu",
file, linenum);
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+ fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
logit("Found matching %s key: %s",
key_type(found), fp);
free(fp);


@ -1,430 +0,0 @@
--- pam_ssh_agent_auth-0.9.3.orig/authfd.c 2013-10-30 17:14:26.013615342 +0100
+++ pam_ssh_agent_auth-0.9.3.orig/authfd.c 2013-10-30 17:15:07.353327799 +0100
@@ -260,7 +260,7 @@
{
buffer_free(&auth->identities);
close(auth->fd);
- xfree(auth);
+ free(auth);
}
/* Lock/unlock agent */
@@ -379,7 +379,7 @@
blob = buffer_get_string(&auth->identities, &blen);
*comment = buffer_get_string(&auth->identities, NULL);
key = key_from_blob(blob, blen);
- xfree(blob);
+ free(blob);
break;
default:
return NULL;
@@ -472,7 +472,7 @@
buffer_put_string(&msg, blob, blen);
buffer_put_string(&msg, data, datalen);
buffer_put_int(&msg, flags);
- xfree(blob);
+ free(blob);
if (ssh_request_reply(auth, &msg, &msg) == 0) {
buffer_free(&msg);
@@ -612,7 +612,7 @@
key_to_blob(key, &blob, &blen);
buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY);
buffer_put_string(&msg, blob, blen);
- xfree(blob);
+ free(blob);
} else {
buffer_free(&msg);
return 0;
--- pam_ssh_agent_auth-0.9.3.orig/bufaux.c 2013-10-30 17:14:26.014615310 +0100
+++ pam_ssh_agent_auth-0.9.3.orig/bufaux.c 2013-10-30 17:15:07.354327768 +0100
@@ -176,7 +176,7 @@
/* Get the string. */
if (buffer_get_ret(buffer, value, len) == -1) {
logerror("buffer_get_string_ret: buffer_get failed");
- xfree(value);
+ free(value);
return (NULL);
}
/* Append a null character to make processing easier. */
--- pam_ssh_agent_auth-0.9.3.orig/bufbn.c 2013-10-30 17:14:26.014615310 +0100
+++ pam_ssh_agent_auth-0.9.3.orig/bufbn.c 2013-10-30 17:15:07.354327768 +0100
@@ -69,7 +69,7 @@
if (oi != bin_size) {
logerror("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
oi, bin_size);
- xfree(buf);
+ free(buf);
return (-1);
}
@@ -80,7 +80,7 @@
buffer_append(buffer, buf, oi);
memset(buf, 0, bin_size);
- xfree(buf);
+ free(buf);
return (0);
}
@@ -167,13 +167,13 @@
if (oi < 0 || (u_int)oi != bytes - 1) {
logerror("buffer_put_bignum2_ret: BN_bn2bin() failed: "
"oi %d != bin_size %d", oi, bytes);
- xfree(buf);
+ free(buf);
return (-1);
}
hasnohigh = (buf[1] & 0x80) ? 0 : 1;
buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
memset(buf, 0, bytes);
- xfree(buf);
+ free(buf);
return (0);
}
@@ -197,21 +197,21 @@
if (len > 0 && (bin[0] & 0x80)) {
logerror("buffer_get_bignum2_ret: negative numbers not supported");
- xfree(bin);
+ free(bin);
return (-1);
}
if (len > 8 * 1024) {
logerror("buffer_get_bignum2_ret: cannot handle BN of size %d",
len);
- xfree(bin);
+ free(bin);
return (-1);
}
if (BN_bin2bn(bin, len, value) == NULL) {
logerror("buffer_get_bignum2_ret: BN_bin2bn failed");
- xfree(bin);
+ free(bin);
return (-1);
}
- xfree(bin);
+ free(bin);
return (0);
}
--- pam_ssh_agent_auth-0.9.3.orig/buffer.c 2013-10-30 17:14:26.014615310 +0100
+++ pam_ssh_agent_auth-0.9.3.orig/buffer.c 2013-10-30 17:15:07.355327737 +0100
@@ -50,7 +50,7 @@
if (buffer->alloc > 0) {
memset(buffer->buf, 0, buffer->alloc);
buffer->alloc = 0;
- xfree(buffer->buf);
+ free(buffer->buf);
}
}
--- pam_ssh_agent_auth-0.9.3.orig/iterate_ssh_agent_keys.c 2013-10-30 17:14:26.031614782 +0100
+++ pam_ssh_agent_auth-0.9.3.orig/iterate_ssh_agent_keys.c 2013-10-30 17:15:07.357327674 +0100
@@ -197,9 +197,9 @@
if(userauth_pubkey_from_id(id)) {
retval = 1;
}
- xfree(id->filename);
+ free(id->filename);
key_free(id->key);
- xfree(id);
+ free(id);
if(retval == 1)
break;
}
@@ -209,7 +209,7 @@
else {
verbose("No ssh-agent could be contacted");
}
- xfree(session_id2);
+ free(session_id2);
EVP_cleanup();
return retval;
}
--- pam_ssh_agent_auth-0.9.3.orig/key.c 2013-10-30 17:14:26.017615218 +0100
+++ pam_ssh_agent_auth-0.9.3.orig/key.c 2013-10-30 17:15:07.358327643 +0100
@@ -154,7 +154,7 @@
fatal("key_free: bad key type %d", k->type);
break;
}
- xfree(k);
+ free(k);
}
int
@@ -229,7 +229,7 @@
EVP_DigestUpdate(&ctx, blob, len);
EVP_DigestFinal(&ctx, retval, dgst_raw_length);
memset(blob, 0, len);
- xfree(blob);
+ free(blob);
} else {
fatal("key_fingerprint_raw: blob is null");
}
@@ -324,7 +324,7 @@
break;
}
memset(dgst_raw, 0, dgst_raw_len);
- xfree(dgst_raw);
+ free(dgst_raw);
return retval;
}
@@ -447,11 +447,11 @@
n = uudecode(cp, blob, len);
if (n < 0) {
logerror("key_read: uudecode %s failed", cp);
- xfree(blob);
+ free(blob);
return -1;
}
k = key_from_blob(blob, (u_int)n);
- xfree(blob);
+ free(blob);
if (k == NULL) {
logerror("key_read: key_from_blob %s failed", cp);
return -1;
@@ -526,8 +526,8 @@
fprintf(f, "%s %s", key_ssh_name(key), uu);
success = 1;
}
- xfree(blob);
- xfree(uu);
+ free(blob);
+ free(uu);
}
return success;
}
@@ -673,12 +673,12 @@
switch (key_type_from_name(p)) {
case KEY_RSA1:
case KEY_UNSPEC:
- xfree(s);
+ free(s);
return 0;
}
}
verbose("key names ok: [%s]", names);
- xfree(s);
+ free(s);
return 1;
}
@@ -743,7 +743,7 @@
logerror("key_from_blob: remaining bytes in key blob %d", rlen);
out:
if (ktype != NULL)
- xfree(ktype);
+ free(ktype);
buffer_free(&b);
return key;
}
--- pam_ssh_agent_auth-0.9.3.orig/misc.c 2013-10-30 17:14:26.017615218 +0100
+++ pam_ssh_agent_auth-0.9.3.orig/misc.c 2013-10-30 17:15:07.360327581 +0100
@@ -251,13 +251,13 @@
*remote = SSH_TUNID_ANY;
sp = xstrdup(s);
if ((ep = strchr(sp, ':')) == NULL) {
- xfree(sp);
+ free(sp);
return (a2tun(s, NULL));
}
ep[0] = '\0'; ep++;
*remote = a2tun(ep, NULL);
tun = a2tun(sp, NULL);
- xfree(sp);
+ free(sp);
return (*remote == SSH_TUNID_ERR ? *remote : tun);
}
@@ -490,7 +490,7 @@
if (which >= args->num)
fatal("replacearg: tried to replace invalid arg %d >= %d",
which, args->num);
- xfree(args->list[which]);
+ free(args->list[which]);
args->list[which] = cp;
}
@@ -501,8 +501,8 @@
if (args->list != NULL) {
for (i = 0; i < args->num; i++)
- xfree(args->list[i]);
- xfree(args->list);
+ free(args->list[i]);
+ free(args->list);
args->nalloc = args->num = 0;
args->list = NULL;
}
--- pam_ssh_agent_auth-0.9.3.orig/pam_user_authorized_keys.c 2013-10-30 17:14:26.017615218 +0100
+++ pam_ssh_agent_auth-0.9.3.orig/pam_user_authorized_keys.c 2013-10-30 17:15:07.361327550 +0100
@@ -121,7 +121,7 @@
}
authorized_keys_file = tilde_expand_filename(auth_keys_file_buf, authorized_keys_file_allowed_owner_uid);
strncpy(auth_keys_file_buf, authorized_keys_file, sizeof(auth_keys_file_buf) - 1 );
- xfree(authorized_keys_file) /* when we percent_expand later, we'd step on this, so free it immediately */;
+ free(authorized_keys_file) /* when we percent_expand later, we'd step on this, so free it immediately */;
}
if(strstr(auth_keys_file_buf, "%h")) {
--- pam_ssh_agent_auth-0.9.3.orig/pam_user_key_allowed2.c 2013-10-30 17:14:26.018615187 +0100
+++ pam_ssh_agent_auth-0.9.3.orig/pam_user_key_allowed2.c 2013-10-30 17:15:07.361327550 +0100
@@ -121,7 +121,7 @@
fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
logit("Found matching %s key: %s",
key_type(found), fp);
- xfree(fp);
+ free(fp);
break;
}
}
--- pam_ssh_agent_auth-0.9.3.orig/ssh-dss.c 2013-10-30 17:14:26.014615310 +0100
+++ pam_ssh_agent_auth-0.9.3.orig/ssh-dss.c 2013-10-30 17:15:07.361327550 +0100
@@ -135,17 +135,17 @@
if (strcmp("ssh-dss", ktype) != 0) {
logerror("ssh_dss_verify: cannot handle type %s", ktype);
buffer_free(&b);
- xfree(ktype);
+ free(ktype);
return -1;
}
- xfree(ktype);
+ free(ktype);
sigblob = buffer_get_string(&b, &len);
rlen = buffer_len(&b);
buffer_free(&b);
if (rlen != 0) {
logerror("ssh_dss_verify: "
"remaining bytes in signature %d", rlen);
- xfree(sigblob);
+ free(sigblob);
return -1;
}
}
@@ -167,7 +167,7 @@
/* clean up */
memset(sigblob, 0, len);
- xfree(sigblob);
+ free(sigblob);
/* sha1 the data */
EVP_DigestInit(&md, evp_md);
--- pam_ssh_agent_auth-0.9.3.orig/ssh-rsa.c 2013-10-30 17:14:26.015615278 +0100
+++ pam_ssh_agent_auth-0.9.3.orig/ssh-rsa.c 2013-10-30 17:15:07.362327518 +0100
@@ -70,7 +70,7 @@
logerror("ssh_rsa_sign: RSA_sign failed: %s",
ERR_error_string(ecode, NULL));
- xfree(sig);
+ free(sig);
return -1;
}
if (len < slen) {
@@ -80,7 +80,7 @@
memset(sig, 0, diff);
} else if (len > slen) {
logerror("ssh_rsa_sign: slen %u slen2 %u", slen, len);
- xfree(sig);
+ free(sig);
return -1;
}
/* encode signature */
@@ -96,7 +96,7 @@
}
buffer_free(&b);
memset(sig, 's', slen);
- xfree(sig);
+ free(sig);
return 0;
}
@@ -128,23 +128,23 @@
if (strcmp("ssh-rsa", ktype) != 0) {
logerror("ssh_rsa_verify: cannot handle type %s", ktype);
buffer_free(&b);
- xfree(ktype);
+ free(ktype);
return -1;
}
- xfree(ktype);
+ free(ktype);
sigblob = buffer_get_string(&b, &len);
rlen = buffer_len(&b);
buffer_free(&b);
if (rlen != 0) {
logerror("ssh_rsa_verify: remaining bytes in signature %d", rlen);
- xfree(sigblob);
+ free(sigblob);
return -1;
}
/* RSA_verify expects a signature of RSA_size */
modlen = RSA_size(key->rsa);
if (len > modlen) {
logerror("ssh_rsa_verify: len %u > modlen %u", len, modlen);
- xfree(sigblob);
+ free(sigblob);
return -1;
} else if (len < modlen) {
u_int diff = modlen - len;
@@ -158,7 +158,7 @@
nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
logerror("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid);
- xfree(sigblob);
+ free(sigblob);
return -1;
}
EVP_DigestInit(&md, evp_md);
@@ -168,7 +168,7 @@
ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
memset(digest, 'd', sizeof(digest));
memset(sigblob, 's', len);
- xfree(sigblob);
+ free(sigblob);
verbose("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : "");
return ret;
}
@@ -258,6 +258,6 @@
ret = 1;
done:
if (decrypted)
- xfree(decrypted);
+ free(decrypted);
return ret;
}
--- pam_ssh_agent_auth-0.9.3.orig/userauth_pubkey_from_id.c 2013-10-30 17:14:26.014615310 +0100
+++ pam_ssh_agent_auth-0.9.3.orig/userauth_pubkey_from_id.c 2013-10-30 17:15:07.362327518 +0100
@@ -92,9 +92,9 @@
if(&b != NULL)
buffer_free(&b);
if(sig != NULL)
- xfree(sig);
+ free(sig);
if(pkblob != NULL)
- xfree(pkblob);
+ free(pkblob);
CRYPTO_cleanup_all_ex_data();
return authenticated;
}
--- pam_ssh_agent_auth-0.9.3.orig/uuencode.c 2013-10-30 17:14:26.015615278 +0100
+++ pam_ssh_agent_auth-0.9.3.orig/uuencode.c 2013-10-30 17:15:07.362327518 +0100
@@ -56,7 +56,7 @@
/* and remove trailing whitespace because __b64_pton needs this */
*p = '\0';
len = __b64_pton(encoded, target, targsize);
- xfree(encoded);
+ free(encoded);
return len;
}
@@ -79,5 +79,5 @@
}
if (i % 70 != 69)
fprintf(fp, "\n");
- xfree(buf);
+ free(buf);
}