Most of the coverity patch applied upstream, context changes for rebase
This commit is contained in:
parent
70c2ac20bd
commit
5878ebb50e
@ -7,6 +7,6 @@ diff -up openssh-6.8p1/packet.c.packet openssh-6.8p1/packet.c
|
||||
|
||||
+ if (!state)
|
||||
+ return 0;
|
||||
/* filedescriptors in and out are the same, so it's a socket */
|
||||
if (state->connection_in == state->connection_out)
|
||||
return 1;
|
||||
if (state->connection_in == -1 || state->connection_out == -1)
|
||||
return 0;
|
||||
|
||||
|
@ -247,8 +247,8 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
|
||||
- log_init(__progname, log_level, log_facility, log_stderr);
|
||||
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
|
||||
|
||||
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
|
||||
/*
|
||||
* On platforms where we can, avoid making /proc/self/{mem,maps}
|
||||
diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h
|
||||
--- openssh-6.8p1/sftp.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/sftp.h 2015-03-18 12:59:29.696022308 +0100
|
||||
|
@ -1,20 +1,19 @@
|
||||
diff --git a/canohost.c b/canohost.c
|
||||
index a61a8c9..97ce58c 100644
|
||||
--- a/canohost.c
|
||||
+++ b/canohost.c
|
||||
@@ -165,12 +165,29 @@ check_ip_options(int sock, char *ipaddr)
|
||||
option_size = sizeof(options);
|
||||
if (getsockopt(sock, ipproto, IP_OPTIONS, options,
|
||||
diff -up openssh/sshd.c.ip-opts openssh/sshd.c
|
||||
--- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200
|
||||
+++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200
|
||||
@@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh)
|
||||
|
||||
if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
|
||||
&option_size) >= 0 && option_size != 0) {
|
||||
- text[0] = '\0';
|
||||
- for (i = 0; i < option_size; i++)
|
||||
- snprintf(text + i*3, sizeof(text) - i*3,
|
||||
- " %2.2x", options[i]);
|
||||
- fatal("Connection from %.100s with IP options:%.800s",
|
||||
- ipaddr, text);
|
||||
- " %2.2x", opts[i]);
|
||||
- fatal("Connection from %.100s port %d with IP opts: %.800s",
|
||||
- ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
|
||||
+ i = 0;
|
||||
+ do {
|
||||
+ switch (options[i]) {
|
||||
+ switch (opts[i]) {
|
||||
+ case 0:
|
||||
+ case 1:
|
||||
+ ++i;
|
||||
@ -22,7 +21,7 @@ index a61a8c9..97ce58c 100644
|
||||
+ case 130:
|
||||
+ case 133:
|
||||
+ case 134:
|
||||
+ i += options[i + 1];
|
||||
+ i += opts[i + 1];
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* Fail, fatally, if we detect either loose or strict
|
||||
@ -30,11 +29,11 @@ index a61a8c9..97ce58c 100644
|
||||
+ text[0] = '\0';
|
||||
+ for (i = 0; i < option_size; i++)
|
||||
+ snprintf(text + i*3, sizeof(text) - i*3,
|
||||
+ " %2.2x", options[i]);
|
||||
+ fatal("Connection from %.100s with IP options:%.800s",
|
||||
+ ipaddr, text);
|
||||
+ " %2.2x", opts[i]);
|
||||
+ fatal("Connection from %.100s port %d with IP options:%.800s",
|
||||
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
|
||||
+ }
|
||||
+ } while (i < option_size);
|
||||
}
|
||||
return;
|
||||
#endif /* IP_OPTIONS */
|
||||
}
|
||||
|
@ -18,7 +18,7 @@ index 843225d..041bbab 100644
|
||||
+++ b/openbsd-compat/Makefile.in
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
|
||||
|
@ -235,7 +235,7 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
|
||||
@@ -2304,6 +2314,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
|
||||
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
|
@ -52,8 +52,8 @@ index c735429..e68ddee 100644
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
#KeyRegenerationInterval 1h
|
||||
@@ -36,6 +40,7 @@
|
||||
|
||||
# Logging
|
||||
# obsoletes QuietMode and FascistLogging
|
||||
#SyslogFacility AUTH
|
||||
+SyslogFacility AUTHPRIV
|
||||
#LogLevel INFO
|
||||
|
@ -1,20 +1,3 @@
|
||||
diff -up openssh-6.8p1/auth-pam.c.coverity openssh-6.8p1/auth-pam.c
|
||||
--- openssh-6.8p1/auth-pam.c.coverity 2015-03-18 17:21:51.792265051 +0100
|
||||
+++ openssh-6.8p1/auth-pam.c 2015-03-18 17:21:51.895264835 +0100
|
||||
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
|
||||
if (sshpam_thread_status != -1)
|
||||
return (sshpam_thread_status);
|
||||
signal(SIGCHLD, sshpam_oldsig);
|
||||
- waitpid(thread, &status, 0);
|
||||
+ while (waitpid(thread, &status, 0) < 0) {
|
||||
+ if (errno == EINTR)
|
||||
+ continue;
|
||||
+ fatal("%s: waitpid: %s", __func__,
|
||||
+ strerror(errno));
|
||||
+ }
|
||||
return (status);
|
||||
}
|
||||
#endif
|
||||
diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
|
||||
--- openssh-6.8p1/channels.c.coverity 2015-03-18 17:21:51.815265002 +0100
|
||||
+++ openssh-6.8p1/channels.c 2015-03-18 17:21:51.896264833 +0100
|
||||
@ -60,27 +43,6 @@ diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c
|
||||
;
|
||||
|
||||
close(pmonitor->m_sendfd);
|
||||
@@ -1303,6 +1303,10 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
break;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ debug3("%s: key %p is %s",
|
||||
+ __func__, key, allowed ? "allowed" : "not allowed");
|
||||
+
|
||||
if (key != NULL)
|
||||
key_free(key);
|
||||
|
||||
@@ -1324,9 +1328,6 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
free(chost);
|
||||
}
|
||||
|
||||
- debug3("%s: key %p is %s",
|
||||
- __func__, key, allowed ? "allowed" : "not allowed");
|
||||
-
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, allowed);
|
||||
buffer_put_int(m, forced_command != NULL);
|
||||
diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
|
||||
--- openssh-6.8p1/monitor_wrap.c.coverity 2015-03-18 17:21:51.888264849 +0100
|
||||
+++ openssh-6.8p1/monitor_wrap.c 2015-03-18 17:21:51.897264831 +0100
|
||||
@ -270,96 +232,6 @@ diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c
|
||||
}
|
||||
|
||||
_exit(1);
|
||||
@@ -335,7 +335,7 @@ local_do_ls(const char *args)
|
||||
|
||||
/* Strip one path (usually the pwd) from the start of another */
|
||||
static char *
|
||||
-path_strip(char *path, char *strip)
|
||||
+path_strip(const char *path, const char *strip)
|
||||
{
|
||||
size_t len;
|
||||
|
||||
@@ -353,7 +353,7 @@ path_strip(char *path, char *strip)
|
||||
}
|
||||
|
||||
static char *
|
||||
-make_absolute(char *p, char *pwd)
|
||||
+make_absolute(char *p, const char *pwd)
|
||||
{
|
||||
char *abs_str;
|
||||
|
||||
@@ -551,7 +551,7 @@ parse_no_flags(const char *cmd, char **a
|
||||
}
|
||||
|
||||
static int
|
||||
-is_dir(char *path)
|
||||
+is_dir(const char *path)
|
||||
{
|
||||
struct stat sb;
|
||||
|
||||
@@ -563,7 +563,7 @@ is_dir(char *path)
|
||||
}
|
||||
|
||||
static int
|
||||
-remote_is_dir(struct sftp_conn *conn, char *path)
|
||||
+remote_is_dir(struct sftp_conn *conn, const char *path)
|
||||
{
|
||||
Attrib *a;
|
||||
|
||||
@@ -577,7 +577,7 @@ remote_is_dir(struct sftp_conn *conn, ch
|
||||
|
||||
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
|
||||
static int
|
||||
-pathname_is_dir(char *pathname)
|
||||
+pathname_is_dir(const char *pathname)
|
||||
{
|
||||
size_t l = strlen(pathname);
|
||||
|
||||
@@ -585,7 +585,7 @@ pathname_is_dir(char *pathname)
|
||||
}
|
||||
|
||||
static int
|
||||
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
|
||||
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
|
||||
int pflag, int rflag, int resume, int fflag)
|
||||
{
|
||||
char *abs_src = NULL;
|
||||
@@ -669,7 +669,7 @@ out:
|
||||
}
|
||||
|
||||
static int
|
||||
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
|
||||
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
|
||||
int pflag, int rflag, int resume, int fflag)
|
||||
{
|
||||
char *tmp_dst = NULL;
|
||||
@@ -779,7 +779,7 @@ sdirent_comp(const void *aa, const void
|
||||
|
||||
/* sftp ls.1 replacement for directories */
|
||||
static int
|
||||
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
|
||||
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
|
||||
{
|
||||
int n;
|
||||
u_int c = 1, colspace = 0, columns = 1;
|
||||
@@ -864,7 +864,7 @@ do_ls_dir(struct sftp_conn *conn, char *
|
||||
|
||||
/* sftp ls.1 replacement which handles path globs */
|
||||
static int
|
||||
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
|
||||
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
|
||||
int lflag)
|
||||
{
|
||||
char *fname, *lname;
|
||||
@@ -949,7 +949,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
|
||||
}
|
||||
|
||||
static int
|
||||
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
|
||||
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
|
||||
{
|
||||
struct sftp_statvfs st;
|
||||
char s_used[FMT_SCALED_STRSIZE];
|
||||
diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
|
||||
--- openssh-6.8p1/ssh-agent.c.coverity 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/ssh-agent.c 2015-03-18 17:21:58.284251454 +0100
|
||||
@ -372,8 +244,8 @@ diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
|
||||
+ (void) setegid(getgid());
|
||||
+ (void) setgid(getgid());
|
||||
|
||||
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
|
||||
/* Disable ptrace on Linux without sgid bit */
|
||||
platform_disable_tracing(0); /* strict=no */
|
||||
|
||||
diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
|
||||
--- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100
|
||||
+++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100
|
||||
@ -398,4 +270,4 @@ diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
|
||||
+ free(fdset);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
|
@ -127,8 +127,8 @@ index 1d03bdf..6af4c62 100644
|
||||
{
|
||||
u_int i;
|
||||
@@ -2259,7 +2274,6 @@ dump_client_config(Options *o, const char *host)
|
||||
dump_cfg_fmtint(oControlMaster, o->control_master);
|
||||
dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
|
||||
dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
|
||||
dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
|
||||
- dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
|
||||
dump_cfg_fmtint(oForwardAgent, o->forward_agent);
|
||||
|
@ -850,7 +850,7 @@ diff -up openssh-7.2p1/auth.c.audit openssh-7.2p1/auth.c
|
||||
+++ openssh-7.2p1/auth.c 2016-02-12 18:24:34.220825178 +0100
|
||||
@@ -646,9 +646,6 @@ getpwnamallow(const char *user)
|
||||
record_failed_login(user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
||||
#endif
|
||||
-#ifdef SSH_AUDIT_EVENTS
|
||||
- audit_event(SSH_INVALID_USER);
|
||||
@ -1084,7 +1084,7 @@ diff -up openssh-7.2p1/kex.h.audit openssh-7.2p1/kex.h
|
||||
|
||||
+void newkeys_destroy(struct newkeys *newkeys);
|
||||
+
|
||||
int kex_dh_hash(const char *, const char *,
|
||||
int kex_dh_hash(int, const char *, const char *,
|
||||
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
|
||||
const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
|
||||
diff -up openssh-7.2p1/key.h.audit openssh-7.2p1/key.h
|
||||
@ -1126,8 +1126,8 @@ diff -up openssh-7.2p1/mac.h.audit openssh-7.2p1/mac.h
|
||||
--- openssh-7.2p1/mac.h.audit 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/mac.h 2016-02-12 18:24:34.222825177 +0100
|
||||
@@ -47,5 +47,6 @@ int mac_init(struct sshmac *);
|
||||
int mac_compute(struct sshmac *, u_int32_t, const u_char *, int,
|
||||
u_char *, size_t);
|
||||
int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
|
||||
const u_char *, size_t);
|
||||
void mac_clear(struct sshmac *);
|
||||
+void mac_destroy(struct sshmac *);
|
||||
|
||||
@ -1139,8 +1139,8 @@ diff -up openssh-7.2p1/Makefile.in.audit openssh-7.2p1/Makefile.in
|
||||
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
||||
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
|
||||
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
|
||||
- platform-pledge.o
|
||||
+ platform-pledge.o auditstub.o
|
||||
- platform-pledge.o platform-tracing.o
|
||||
+ platform-pledge.o platform-tracing.o auditstub.o
|
||||
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o
|
||||
@ -1618,9 +1618,9 @@ diff -up openssh-7.2p1/monitor_wrap.h.audit openssh-7.2p1/monitor_wrap.h
|
||||
--- openssh-7.2p1/monitor_wrap.h.audit 2016-02-12 18:24:34.152825204 +0100
|
||||
+++ openssh-7.2p1/monitor_wrap.h 2016-02-12 18:24:34.224825176 +0100
|
||||
@@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char
|
||||
int mm_user_key_allowed(struct passwd *, Key *, int);
|
||||
int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
|
||||
int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
|
||||
const char *, Key *);
|
||||
int mm_auth_rhosts_rsa_key_allowed(struct passwd *, const char *,
|
||||
const char *, Key *);
|
||||
-int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int);
|
||||
+int mm_hostbased_key_verify(Key *, u_char *, u_int, u_char *, u_int);
|
||||
+int mm_user_key_verify(Key *, u_char *, u_int, u_char *, u_int);
|
||||
@ -1962,13 +1962,15 @@ diff -up openssh-7.2p1/session.c.audit openssh-7.2p1/session.c
|
||||
void
|
||||
do_cleanup(Authctxt *authctxt)
|
||||
{
|
||||
@@ -2793,5 +2861,5 @@ do_cleanup(Authctxt *authctxt)
|
||||
@@ -2793,7 +2861,7 @@ do_cleanup(Authctxt *authctxt)
|
||||
* or if running in monitor.
|
||||
*/
|
||||
if (!use_privsep || mm_is_monitor())
|
||||
- session_destroy_all(session_pty_cleanup2);
|
||||
+ session_destroy_all(do_cleanup_one_session);
|
||||
}
|
||||
|
||||
/* Return a name for the remote host that fits inside utmp_size */
|
||||
diff -up openssh-7.2p1/session.h.audit openssh-7.2p1/session.h
|
||||
--- openssh-7.2p1/session.h.audit 2016-02-26 04:40:04.000000000 +0100
|
||||
+++ openssh-7.2p1/session.h 2016-03-04 14:25:52.641329882 +0100
|
||||
|
@ -114,9 +114,9 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
|
||||
--- openssh-7.2p1/kex.c.fips 2016-02-12 18:53:56.084665234 +0100
|
||||
+++ openssh-7.2p1/kex.c 2016-02-12 18:53:56.091665235 +0100
|
||||
@@ -35,6 +35,7 @@
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/dh.h>
|
||||
+#include <openssl/fips.h>
|
||||
#endif
|
||||
|
||||
@ -281,8 +281,8 @@ diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o utf8_stringprep.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o utf8_stringprep.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
||||
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
@ -433,7 +433,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
|
||||
#ifndef HAVE_SETPROCTITLE
|
||||
/* Prepare for later setproctitle emulation */
|
||||
@@ -608,6 +618,9 @@ main(int ac, char **av)
|
||||
"ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
|
||||
"ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
|
||||
switch (opt) {
|
||||
case '1':
|
||||
+ if (FIPS_mode()) {
|
||||
|
@ -1392,6 +1392,7 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
|
||||
+ u_char *kbuf;
|
||||
+ DH *dh;
|
||||
+ int min = -1, max = -1, nbits = -1;
|
||||
+ int cmin = -1, cmax = -1; /* client proposal */
|
||||
+ BIGNUM *shared_secret = NULL;
|
||||
+ BIGNUM *dh_client_pub = NULL;
|
||||
+ int type = 0;
|
||||
@ -1430,11 +1431,12 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
|
||||
+ case KEX_GSS_GEX_SHA1:
|
||||
+ debug("Doing group exchange");
|
||||
+ packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
|
||||
+ min = packet_get_int();
|
||||
+ /* store client proposal to provide valid signature */
|
||||
+ cmin = packet_get_int();
|
||||
+ nbits = packet_get_int();
|
||||
+ max = packet_get_int();
|
||||
+ min = MAX(DH_GRP_MIN, min);
|
||||
+ max = MIN(DH_GRP_MAX, max);
|
||||
+ cmax = packet_get_int();
|
||||
+ min = MAX(DH_GRP_MIN, cmin);
|
||||
+ max = MIN(DH_GRP_MAX, cmax);
|
||||
+ packet_check_eom();
|
||||
+ if (max < min || nbits < min || max < nbits)
|
||||
+ fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
|
||||
@ -1557,7 +1559,7 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
|
||||
+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
|
||||
+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
|
||||
+ NULL, 0,
|
||||
+ min, nbits, max,
|
||||
+ cmin, nbits, cmax,
|
||||
+ dh->p, dh->g,
|
||||
+ dh_client_pub,
|
||||
+ dh->pub_key,
|
||||
@ -1653,14 +1655,14 @@ diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
|
||||
+int kexgss_server(struct ssh *);
|
||||
+#endif
|
||||
|
||||
int kex_dh_hash(const char *, const char *,
|
||||
int kex_dh_hash(int, const char *, const char *,
|
||||
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
|
||||
diff -up openssh-7.2p1/Makefile.in.gsskex openssh-7.2p1/Makefile.in
|
||||
--- openssh-7.2p1/Makefile.in.gsskex 2016-02-19 10:01:04.864969325 +0100
|
||||
+++ openssh-7.2p1/Makefile.in 2016-02-19 10:01:04.868969323 +0100
|
||||
diff -up openssh/Makefile.in.gsskex openssh/Makefile.in
|
||||
--- openssh/Makefile.in.gsskex 2016-07-25 14:11:42.978324182 +0200
|
||||
+++ openssh/Makefile.in 2016-07-25 14:14:15.560289050 +0200
|
||||
@@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
|
||||
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
|
||||
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
+ kexgssc.o \
|
||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
||||
@ -2064,21 +2066,21 @@ diff -up openssh-7.2p1/readconf.h.gsskex openssh-7.2p1/readconf.h
|
||||
int password_authentication; /* Try password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
diff -up openssh-7.2p1/regress/cert-hostkey.sh.gsskex openssh-7.2p1/regress/cert-hostkey.sh
|
||||
--- openssh-7.2p1/regress/cert-hostkey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/regress/cert-hostkey.sh 2016-02-19 10:01:04.870969322 +0100
|
||||
@@ -46,7 +46,7 @@ touch $OBJ/host_revoked_plain
|
||||
diff -up openssh/regress/cert-hostkey.sh.gsskex openssh/regress/cert-hostkey.sh
|
||||
--- openssh/regress/cert-hostkey.sh.gsskex 2016-07-25 14:11:42.986324181 +0200
|
||||
+++ openssh/regress/cert-hostkey.sh 2016-07-25 14:15:17.784274722 +0200
|
||||
@@ -59,7 +59,7 @@ touch $OBJ/host_revoked_plain
|
||||
touch $OBJ/host_revoked_cert
|
||||
cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
|
||||
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
|
||||
|
||||
-PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
|
||||
+PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
|
||||
|
||||
# Prepare certificate, plain key and CA KRLs
|
||||
${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
|
||||
diff -up openssh-7.2p1/regress/cert-userkey.sh.gsskex openssh-7.2p1/regress/cert-userkey.sh
|
||||
--- openssh-7.2p1/regress/cert-userkey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/regress/cert-userkey.sh 2016-02-19 10:01:04.870969322 +0100
|
||||
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
||||
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
|
||||
diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh
|
||||
--- openssh/regress/cert-userkey.sh.gsskex 2016-07-25 14:11:42.986324181 +0200
|
||||
+++ openssh/regress/cert-userkey.sh 2016-07-25 14:15:36.769270354 +0200
|
||||
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
||||
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
|
||||
@ -2086,11 +2088,11 @@ diff -up openssh-7.2p1/regress/cert-userkey.sh.gsskex openssh-7.2p1/regress/cert
|
||||
-PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
|
||||
+PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
|
||||
|
||||
kname() {
|
||||
n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`
|
||||
diff -up openssh-7.2p1/regress/kextype.sh.gsskex openssh-7.2p1/regress/kextype.sh
|
||||
--- openssh-7.2p1/regress/kextype.sh.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/regress/kextype.sh 2016-02-19 10:01:04.870969322 +0100
|
||||
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
||||
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
|
||||
diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh
|
||||
--- openssh/regress/kextype.sh.gsskex 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/regress/kextype.sh 2016-07-25 14:11:42.987324180 +0200
|
||||
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
|
||||
|
||||
tries="1 2 3 4"
|
||||
@ -2739,41 +2741,3 @@ diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h
|
||||
KEY_UNSPEC
|
||||
};
|
||||
|
||||
diff --git a/kexgsss.c b/kexgsss.c
|
||||
index b2f9658..2d33ff7 100644
|
||||
--- a/kexgsss.c
|
||||
+++ b/kexgsss.c
|
||||
@@ -69,6 +69,7 @@ kexgss_server(struct ssh *ssh)
|
||||
u_char *kbuf;
|
||||
DH *dh;
|
||||
int min = -1, max = -1, nbits = -1;
|
||||
+ int cmin = -1, cmax = -1; /* client proposal */
|
||||
BIGNUM *shared_secret = NULL;
|
||||
BIGNUM *dh_client_pub = NULL;
|
||||
int type = 0;
|
||||
@@ -107,11 +108,12 @@ kexgss_server(struct ssh *ssh)
|
||||
case KEX_GSS_GEX_SHA1:
|
||||
debug("Doing group exchange");
|
||||
packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
|
||||
- min = packet_get_int();
|
||||
+ /* store client proposal to provide valid signature */
|
||||
+ cmin = packet_get_int();
|
||||
nbits = packet_get_int();
|
||||
- max = packet_get_int();
|
||||
- min = MAX(DH_GRP_MIN, min);
|
||||
- max = MIN(DH_GRP_MAX, max);
|
||||
+ cmax = packet_get_int();
|
||||
+ min = MAX(DH_GRP_MIN, cmin);
|
||||
+ max = MIN(DH_GRP_MAX, cmax);
|
||||
packet_check_eom();
|
||||
if (max < min || nbits < min || max < nbits)
|
||||
fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
|
||||
@@ -234,7 +236,7 @@ kexgss_server(struct ssh *ssh)
|
||||
buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
|
||||
buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
|
||||
NULL, 0,
|
||||
- min, nbits, max,
|
||||
+ cmin, nbits, cmax,
|
||||
dh->p, dh->g,
|
||||
dh_client_pub,
|
||||
dh->pub_key,
|
||||
|
@ -331,8 +331,8 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
+ M_CP_INTOPT(expose_auth_methods);
|
||||
|
||||
/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
|
||||
#define M_CP_STROPT(n) do {\
|
||||
/*
|
||||
* The bind_mask is a mode_t that may be unsigned, so we can't use
|
||||
@@ -2181,6 +2198,8 @@ fmt_intarg(ServerOpCodes code, int val)
|
||||
return fmt_multistate_int(val, multistate_tcpfwd);
|
||||
case sFingerprintHash:
|
||||
|
Loading…
Reference in New Issue
Block a user