	cleanup and remove FIPS code from audit patch
							parent
							
								
									5160c9c8f3
								
							
						
					
					
						commit
						9f526c6f31
					
				| @ -894,25 +894,30 @@ index 0f52b68..472a5b2 100644 | |||||||
|  #ifdef USE_PAM |  #ifdef USE_PAM | ||||||
|  		if (options.use_pam) |  		if (options.use_pam) | ||||||
| diff --git a/cipher.c b/cipher.c
 | diff --git a/cipher.c b/cipher.c
 | ||||||
| index 53d9b4f..87317ab 100644
 | index 53d9b4f..226e56d 100644
 | ||||||
| --- a/cipher.c
 | --- a/cipher.c
 | ||||||
| +++ b/cipher.c
 | +++ b/cipher.c
 | ||||||
| @@ -57,6 +57,7 @@ extern const EVP_CIPHER *evp_ssh1_bf(void);
 | @@ -57,20 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_bf(void);
 | ||||||
|  extern const EVP_CIPHER *evp_ssh1_3des(void); |  extern const EVP_CIPHER *evp_ssh1_3des(void); | ||||||
|  extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); |  extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); | ||||||
|   |   | ||||||
| +#if 0
 | -struct Cipher {
 | ||||||
|  struct Cipher { | -	char	*name;
 | ||||||
|  	char	*name; | -	int	number;		/* for ssh1 only */
 | ||||||
|  	int	number;		/* for ssh1 only */ | -	u_int	block_size;
 | ||||||
| @@ -70,6 +71,7 @@ struct Cipher {
 | -	u_int	key_len;
 | ||||||
|  #define CFLAG_CHACHAPOLY	(1<<1) | -	u_int	iv_len;		/* defaults to block_size */
 | ||||||
|  	const EVP_CIPHER	*(*evptype)(void); | -	u_int	auth_len;
 | ||||||
|  }; | -	u_int	discard_len;
 | ||||||
| +#endif
 | -	u_int	flags;
 | ||||||
|   | -#define CFLAG_CBC		(1<<0)
 | ||||||
|  | -#define CFLAG_CHACHAPOLY	(1<<1)
 | ||||||
|  | -	const EVP_CIPHER	*(*evptype)(void);
 | ||||||
|  | -};
 | ||||||
|  | -
 | ||||||
|  static const struct Cipher ciphers[] = { |  static const struct Cipher ciphers[] = { | ||||||
|  	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, |  	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, | ||||||
|  |  	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, | ||||||
| diff --git a/cipher.h b/cipher.h
 | diff --git a/cipher.h b/cipher.h
 | ||||||
| index 133d2e7..d41758e 100644
 | index 133d2e7..d41758e 100644
 | ||||||
| --- a/cipher.h
 | --- a/cipher.h
 | ||||||
| @ -2038,7 +2043,7 @@ index 6a2f35e..e9b312e 100644 | |||||||
|  void	 session_close(Session *); |  void	 session_close(Session *); | ||||||
|  void	 do_setusercontext(struct passwd *); |  void	 do_setusercontext(struct passwd *); | ||||||
| diff --git a/sshd.c b/sshd.c
 | diff --git a/sshd.c b/sshd.c
 | ||||||
| index 512c7ed..be1171b 100644
 | index 512c7ed..b561ec8 100644
 | ||||||
| --- a/sshd.c
 | --- a/sshd.c
 | ||||||
| +++ b/sshd.c
 | +++ b/sshd.c
 | ||||||
| @@ -119,6 +119,7 @@
 | @@ -119,6 +119,7 @@
 | ||||||
| @ -2074,7 +2079,7 @@ index 512c7ed..be1171b 100644 | |||||||
|  static void |  static void | ||||||
|  close_startup_pipes(void) |  close_startup_pipes(void) | ||||||
|  { |  { | ||||||
| @@ -562,22 +572,47 @@ sshd_exchange_identification(int sock_in, int sock_out)
 | @@ -562,22 +572,45 @@ sshd_exchange_identification(int sock_in, int sock_out)
 | ||||||
|  	} |  	} | ||||||
|  } |  } | ||||||
|   |   | ||||||
| @ -2102,9 +2107,7 @@ index 512c7ed..be1171b 100644 | |||||||
| +			char *fp;
 | +			char *fp;
 | ||||||
| +
 | +
 | ||||||
| +			if (key_is_private(sensitive_data.host_keys[i]))
 | +			if (key_is_private(sensitive_data.host_keys[i]))
 | ||||||
| +				fp = key_fingerprint(sensitive_data.host_keys[i],
 | +				fp = key_selected_fingerprint(sensitive_data.host_keys[i], SSH_FP_HEX);
 | ||||||
| +					FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
 |  | ||||||
| +					SSH_FP_HEX);
 |  | ||||||
| +			else
 | +			else
 | ||||||
| +				fp = NULL;
 | +				fp = NULL;
 | ||||||
|  			key_free(sensitive_data.host_keys[i]); |  			key_free(sensitive_data.host_keys[i]); | ||||||
| @ -2125,7 +2128,7 @@ index 512c7ed..be1171b 100644 | |||||||
|  			key_free(sensitive_data.host_certificates[i]); |  			key_free(sensitive_data.host_certificates[i]); | ||||||
|  			sensitive_data.host_certificates[i] = NULL; |  			sensitive_data.host_certificates[i] = NULL; | ||||||
|  		} |  		} | ||||||
| @@ -591,6 +626,8 @@ void
 | @@ -591,6 +624,8 @@ void
 | ||||||
|  demote_sensitive_data(void) |  demote_sensitive_data(void) | ||||||
|  { |  { | ||||||
|  	Key *tmp; |  	Key *tmp; | ||||||
| @ -2134,7 +2137,7 @@ index 512c7ed..be1171b 100644 | |||||||
|  	int i; |  	int i; | ||||||
|   |   | ||||||
|  	if (sensitive_data.server_key) { |  	if (sensitive_data.server_key) { | ||||||
| @@ -599,13 +636,27 @@ demote_sensitive_data(void)
 | @@ -599,13 +634,25 @@ demote_sensitive_data(void)
 | ||||||
|  		sensitive_data.server_key = tmp; |  		sensitive_data.server_key = tmp; | ||||||
|  	} |  	} | ||||||
|   |   | ||||||
| @ -2145,9 +2148,7 @@ index 512c7ed..be1171b 100644 | |||||||
| +			char *fp;
 | +			char *fp;
 | ||||||
| +
 | +
 | ||||||
| +			if (key_is_private(sensitive_data.host_keys[i]))
 | +			if (key_is_private(sensitive_data.host_keys[i]))
 | ||||||
| +				fp = key_fingerprint(sensitive_data.host_keys[i],
 | +				fp = key_selected_fingerprint(sensitive_data.host_keys[i], SSH_FP_HEX);
 | ||||||
| +					FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
 |  | ||||||
| +					SSH_FP_HEX);
 |  | ||||||
| +			else
 | +			else
 | ||||||
| +				fp = NULL;
 | +				fp = NULL;
 | ||||||
|  			tmp = key_demote(sensitive_data.host_keys[i]); |  			tmp = key_demote(sensitive_data.host_keys[i]); | ||||||
| @ -2162,7 +2163,7 @@ index 512c7ed..be1171b 100644 | |||||||
|  		} |  		} | ||||||
|  		/* Certs do not need demotion */ |  		/* Certs do not need demotion */ | ||||||
|  	} |  	} | ||||||
| @@ -675,7 +726,7 @@ privsep_preauth(Authctxt *authctxt)
 | @@ -675,7 +722,7 @@ privsep_preauth(Authctxt *authctxt)
 | ||||||
|   |   | ||||||
|  	if (use_privsep == PRIVSEP_ON) |  	if (use_privsep == PRIVSEP_ON) | ||||||
|  		box = ssh_sandbox_init(pmonitor); |  		box = ssh_sandbox_init(pmonitor); | ||||||
| @ -2171,7 +2172,7 @@ index 512c7ed..be1171b 100644 | |||||||
|  	if (pid == -1) { |  	if (pid == -1) { | ||||||
|  		fatal("fork of unprivileged child failed"); |  		fatal("fork of unprivileged child failed"); | ||||||
|  	} else if (pid != 0) { |  	} else if (pid != 0) { | ||||||
| @@ -729,6 +780,8 @@ privsep_preauth(Authctxt *authctxt)
 | @@ -729,6 +776,8 @@ privsep_preauth(Authctxt *authctxt)
 | ||||||
|  	} |  	} | ||||||
|  } |  } | ||||||
|   |   | ||||||
| @ -2180,7 +2181,7 @@ index 512c7ed..be1171b 100644 | |||||||
|  static void |  static void | ||||||
|  privsep_postauth(Authctxt *authctxt) |  privsep_postauth(Authctxt *authctxt) | ||||||
|  { |  { | ||||||
| @@ -753,6 +806,10 @@ privsep_postauth(Authctxt *authctxt)
 | @@ -753,6 +802,10 @@ privsep_postauth(Authctxt *authctxt)
 | ||||||
|  	else if (pmonitor->m_pid != 0) { |  	else if (pmonitor->m_pid != 0) { | ||||||
|  		verbose("User child is on pid %ld", (long)pmonitor->m_pid); |  		verbose("User child is on pid %ld", (long)pmonitor->m_pid); | ||||||
|  		buffer_clear(&loginmsg); |  		buffer_clear(&loginmsg); | ||||||
| @ -2191,7 +2192,7 @@ index 512c7ed..be1171b 100644 | |||||||
|  		monitor_child_postauth(pmonitor); |  		monitor_child_postauth(pmonitor); | ||||||
|   |   | ||||||
|  		/* NEVERREACHED */ |  		/* NEVERREACHED */ | ||||||
| @@ -1211,6 +1268,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 | @@ -1211,6 +1264,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 | ||||||
|  		if (received_sigterm) { |  		if (received_sigterm) { | ||||||
|  			logit("Received signal %d; terminating.", |  			logit("Received signal %d; terminating.", | ||||||
|  			    (int) received_sigterm); |  			    (int) received_sigterm); | ||||||
| @ -2199,7 +2200,7 @@ index 512c7ed..be1171b 100644 | |||||||
|  			close_listen_socks(); |  			close_listen_socks(); | ||||||
|  			unlink(options.pid_file); |  			unlink(options.pid_file); | ||||||
|  			exit(received_sigterm == SIGTERM ? 0 : 255); |  			exit(received_sigterm == SIGTERM ? 0 : 255); | ||||||
| @@ -2134,6 +2192,7 @@ main(int ac, char **av)
 | @@ -2134,6 +2188,7 @@ main(int ac, char **av)
 | ||||||
|  	 */ |  	 */ | ||||||
|  	if (use_privsep) { |  	if (use_privsep) { | ||||||
|  		mm_send_keystate(pmonitor); |  		mm_send_keystate(pmonitor); | ||||||
| @ -2207,7 +2208,7 @@ index 512c7ed..be1171b 100644 | |||||||
|  		exit(0); |  		exit(0); | ||||||
|  	} |  	} | ||||||
|   |   | ||||||
| @@ -2179,7 +2238,7 @@ main(int ac, char **av)
 | @@ -2179,7 +2234,7 @@ main(int ac, char **av)
 | ||||||
|  		privsep_postauth(authctxt); |  		privsep_postauth(authctxt); | ||||||
|  		/* the monitor process [priv] will not return */ |  		/* the monitor process [priv] will not return */ | ||||||
|  		if (!compat20) |  		if (!compat20) | ||||||
| @ -2216,7 +2217,7 @@ index 512c7ed..be1171b 100644 | |||||||
|  	} |  	} | ||||||
|   |   | ||||||
|  	packet_set_timeout(options.client_alive_interval, |  	packet_set_timeout(options.client_alive_interval, | ||||||
| @@ -2189,6 +2248,9 @@ main(int ac, char **av)
 | @@ -2189,6 +2244,9 @@ main(int ac, char **av)
 | ||||||
|  	do_authenticated(authctxt); |  	do_authenticated(authctxt); | ||||||
|   |   | ||||||
|  	/* The connection has been terminated. */ |  	/* The connection has been terminated. */ | ||||||
| @ -2226,7 +2227,7 @@ index 512c7ed..be1171b 100644 | |||||||
|  	packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes); |  	packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes); | ||||||
|  	packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes); |  	packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes); | ||||||
|  	verbose("Transferred: sent %llu, received %llu bytes", |  	verbose("Transferred: sent %llu, received %llu bytes", | ||||||
| @@ -2346,6 +2408,10 @@ do_ssh1_kex(void)
 | @@ -2346,6 +2404,10 @@ do_ssh1_kex(void)
 | ||||||
|  		if (cookie[i] != packet_get_char()) |  		if (cookie[i] != packet_get_char()) | ||||||
|  			packet_disconnect("IP Spoofing check bytes do not match."); |  			packet_disconnect("IP Spoofing check bytes do not match."); | ||||||
|   |   | ||||||
| @ -2237,7 +2238,7 @@ index 512c7ed..be1171b 100644 | |||||||
|  	debug("Encryption type: %.200s", cipher_name(cipher_type)); |  	debug("Encryption type: %.200s", cipher_name(cipher_type)); | ||||||
|   |   | ||||||
|  	/* Get the encrypted integer. */ |  	/* Get the encrypted integer. */ | ||||||
| @@ -2418,7 +2484,7 @@ do_ssh1_kex(void)
 | @@ -2418,7 +2480,7 @@ do_ssh1_kex(void)
 | ||||||
|  			session_id[i] = session_key[i] ^ session_key[i + 16]; |  			session_id[i] = session_key[i] ^ session_key[i + 16]; | ||||||
|  	} |  	} | ||||||
|  	/* Destroy the private and public keys. No longer. */ |  	/* Destroy the private and public keys. No longer. */ | ||||||
| @ -2246,7 +2247,7 @@ index 512c7ed..be1171b 100644 | |||||||
|   |   | ||||||
|  	if (use_privsep) |  	if (use_privsep) | ||||||
|  		mm_ssh1_session_id(session_id); |  		mm_ssh1_session_id(session_id); | ||||||
| @@ -2584,6 +2650,16 @@ do_ssh2_kex(void)
 | @@ -2584,6 +2646,16 @@ do_ssh2_kex(void)
 | ||||||
|  void |  void | ||||||
|  cleanup_exit(int i) |  cleanup_exit(int i) | ||||||
|  { |  { | ||||||
| @ -2263,7 +2264,7 @@ index 512c7ed..be1171b 100644 | |||||||
|  	if (the_authctxt) { |  	if (the_authctxt) { | ||||||
|  		do_cleanup(the_authctxt); |  		do_cleanup(the_authctxt); | ||||||
|  		if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) { |  		if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) { | ||||||
| @@ -2594,9 +2670,14 @@ cleanup_exit(int i)
 | @@ -2594,9 +2666,14 @@ cleanup_exit(int i)
 | ||||||
|  				    pmonitor->m_pid, strerror(errno)); |  				    pmonitor->m_pid, strerror(errno)); | ||||||
|  		} |  		} | ||||||
|  	} |  	} | ||||||
|  | |||||||