Commit 0dddc34c authored by Dag-Erling Smørgrav's avatar Dag-Erling Smørgrav
Browse files

Vendor import of OpenSSH 6.3p1

parent caafb97d
This diff is collapsed.
# $Id: Makefile.in,v 1.336 2013/03/07 15:37:13 tim Exp $
# $Id: Makefile.in,v 1.340 2013/06/11 01:26:10 dtucker Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
......@@ -121,6 +121,8 @@ PATHSUBS = \
-e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g'
FIXPATHSCMD = $(SED) $(PATHSUBS)
FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
@UNSUPPORTED_ALGORITHMS@
all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
......@@ -184,9 +186,10 @@ $(MANPAGES): $(MANPAGES_IN)
manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
fi; \
if test "$(MANTYPE)" = "man"; then \
$(FIXPATHSCMD) $${manpage} | $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) | \
$(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
else \
$(FIXPATHSCMD) $${manpage} > $@; \
$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \
fi
$(CONFIGFILES): $(CONFIGFILES_IN)
......@@ -382,15 +385,14 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
$(CC) $(CPPFLAGS) -o $@ $? \
$(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
BUILDDIR=`pwd`; \
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile ; \
TEST_SHELL="@TEST_SHELL@"; \
TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
......
See http://www.openssh.com/txt/release-6.2p2 for the release notes.
See http://www.openssh.com/txt/release-6.3 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
......@@ -62,4 +62,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
$Id: README,v 1.82.2.1 2013/05/10 06:12:54 djm Exp $
$Id: README,v 1.83 2013/07/25 02:34:00 djm Exp $
dnl $Id: aclocal.m4,v 1.8 2011/05/20 01:45:25 djm Exp $
dnl $Id: aclocal.m4,v 1.9 2013/06/02 21:31:27 tim Exp $
dnl
dnl OpenSSH-specific autoconf macros
dnl
......@@ -14,8 +14,15 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
_define_flag="$2"
test "x$_define_flag" = "x" && _define_flag="$1"
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
[ AC_MSG_RESULT([yes])
CFLAGS="$saved_CFLAGS $_define_flag"],
[
if `grep -i "unrecognized option" conftest.err >/dev/null`
then
AC_MSG_RESULT([no])
CFLAGS="$saved_CFLAGS"
else
AC_MSG_RESULT([yes])
CFLAGS="$saved_CFLAGS $_define_flag"
fi],
[ AC_MSG_RESULT([no])
CFLAGS="$saved_CFLAGS" ]
)
......
/* $OpenBSD: addrmatch.c,v 1.6 2012/06/21 00:16:07 dtucker Exp $ */
/* $OpenBSD: addrmatch.c,v 1.7 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
......@@ -420,7 +420,7 @@ addr_match_list(const char *addr, const char *_list)
goto foundit;
}
}
xfree(o);
free(o);
return ret;
}
......@@ -494,7 +494,7 @@ addr_match_cidr_list(const char *addr, const char *_list)
continue;
}
}
xfree(o);
free(o);
return ret;
}
/* $OpenBSD: auth-chall.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */
/* $OpenBSD: auth-chall.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
......@@ -69,11 +69,11 @@ get_challenge(Authctxt *authctxt)
fatal("get_challenge: numprompts < 1");
challenge = xstrdup(prompts[0]);
for (i = 0; i < numprompts; i++)
xfree(prompts[i]);
xfree(prompts);
xfree(name);
xfree(echo_on);
xfree(info);
free(prompts[i]);
free(prompts);
free(name);
free(echo_on);
free(info);
return (challenge);
}
......@@ -102,11 +102,11 @@ verify_response(Authctxt *authctxt, const char *response)
authenticated = 1;
for (i = 0; i < numprompts; i++)
xfree(prompts[i]);
xfree(prompts);
xfree(name);
xfree(echo_on);
xfree(info);
free(prompts[i]);
free(prompts);
free(name);
free(echo_on);
free(info);
break;
}
device->free_ctx(authctxt->kbdintctxt);
......
/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */
/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
/*
* Kerberos v5 authentication and ticket-passing routines.
*
......@@ -79,6 +79,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
krb5_ccache ccache = NULL;
int len;
char *client, *platform_client;
const char *errmsg;
/* get platform-specific kerberos client principal name (if it exists) */
platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
......@@ -96,7 +97,12 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
goto out;
#ifdef HEIMDAL
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
problem = krb5_cc_new_unique(authctxt->krb5_ctx,
krb5_mcc_ops.prefix, NULL, &ccache);
# else
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
# endif
if (problem)
goto out;
......@@ -115,8 +121,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
if (problem)
goto out;
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
problem = krb5_cc_new_unique(authctxt->krb5_ctx,
krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
# else
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
&authctxt->krb5_fwd_ccache);
# endif
if (problem)
goto out;
......@@ -181,17 +192,19 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
out:
restore_uid();
if (platform_client != NULL)
xfree(platform_client);
free(platform_client);
if (problem) {
if (ccache)
krb5_cc_destroy(authctxt->krb5_ctx, ccache);
if (authctxt->krb5_ctx != NULL && problem!=-1)
debug("Kerberos password authentication failed: %s",
krb5_get_err_text(authctxt->krb5_ctx, problem));
else
if (authctxt->krb5_ctx != NULL && problem!=-1) {
errmsg = krb5_get_error_message(authctxt->krb5_ctx,
problem);
debug("Kerberos password authentication failed: %s",
errmsg);
krb5_free_error_message(authctxt->krb5_ctx, errmsg);
} else
debug("Kerberos password authentication failed: %d",
problem);
......
/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */
/* $OpenBSD: auth-options.c,v 1.59 2013/07/12 00:19:58 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -72,15 +72,15 @@ auth_clear_options(void)
while (custom_environment) {
struct envstring *ce = custom_environment;
custom_environment = ce->next;
xfree(ce->s);
xfree(ce);
free(ce->s);
free(ce);
}
if (forced_command) {
xfree(forced_command);
free(forced_command);
forced_command = NULL;
}
if (authorized_principals) {
xfree(authorized_principals);
free(authorized_principals);
authorized_principals = NULL;
}
forced_tun_device = -1;
......@@ -149,7 +149,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
opts += strlen(cp);
if (forced_command != NULL)
xfree(forced_command);
free(forced_command);
forced_command = xmalloc(strlen(opts) + 1);
i = 0;
while (*opts) {
......@@ -167,7 +167,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
file, linenum);
auth_debug_add("%.100s, line %lu: missing end quote",
file, linenum);
xfree(forced_command);
free(forced_command);
forced_command = NULL;
goto bad_option;
}
......@@ -180,7 +180,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
opts += strlen(cp);
if (authorized_principals != NULL)
xfree(authorized_principals);
free(authorized_principals);
authorized_principals = xmalloc(strlen(opts) + 1);
i = 0;
while (*opts) {
......@@ -198,7 +198,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
file, linenum);
auth_debug_add("%.100s, line %lu: missing end quote",
file, linenum);
xfree(authorized_principals);
free(authorized_principals);
authorized_principals = NULL;
goto bad_option;
}
......@@ -232,7 +232,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
file, linenum);
auth_debug_add("%.100s, line %lu: missing end quote",
file, linenum);
xfree(s);
free(s);
goto bad_option;
}
s[i] = '\0';
......@@ -269,7 +269,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
file, linenum);
auth_debug_add("%.100s, line %lu: missing end quote",
file, linenum);
xfree(patterns);
free(patterns);
goto bad_option;
}
patterns[i] = '\0';
......@@ -277,7 +277,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
switch (match_host_and_ip(remote_host, remote_ip,
patterns)) {
case 1:
xfree(patterns);
free(patterns);
/* Host name matches. */
goto next_option;
case -1:
......@@ -287,7 +287,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
"invalid criteria", file, linenum);
/* FALLTHROUGH */
case 0:
xfree(patterns);
free(patterns);
logit("Authentication tried for %.100s with "
"correct key but not from a permitted "
"host (host=%.200s, ip=%.200s).",
......@@ -323,7 +323,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
file, linenum);
auth_debug_add("%.100s, line %lu: missing "
"end quote", file, linenum);
xfree(patterns);
free(patterns);
goto bad_option;
}
patterns[i] = '\0';
......@@ -337,7 +337,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
auth_debug_add("%.100s, line %lu: "
"Bad permitopen specification", file,
linenum);
xfree(patterns);
free(patterns);
goto bad_option;
}
host = cleanhostname(host);
......@@ -346,12 +346,12 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
"<%.100s>", file, linenum, p ? p : "");
auth_debug_add("%.100s, line %lu: "
"Bad permitopen port", file, linenum);
xfree(patterns);
free(patterns);
goto bad_option;
}
if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
channel_add_permitted_opens(host, port);
xfree(patterns);
free(patterns);
goto next_option;
}
cp = "tunnel=\"";
......@@ -370,13 +370,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
file, linenum);
auth_debug_add("%.100s, line %lu: missing end quote",
file, linenum);
xfree(tun);
free(tun);
forced_tun_device = -1;
goto bad_option;
}
tun[i] = '\0';
forced_tun_device = a2tun(tun, NULL);
xfree(tun);
free(tun);
if (forced_tun_device == SSH_TUNID_ERR) {
debug("%.100s, line %lu: invalid tun device",
file, linenum);
......@@ -432,7 +432,8 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
{
char *command, *allowed;
const char *remote_ip;
u_char *name = NULL, *data_blob = NULL;
char *name = NULL;
u_char *data_blob = NULL;
u_int nlen, dlen, clen;
Buffer c, data;
int ret = -1, found;
......@@ -484,7 +485,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
if (*cert_forced_command != NULL) {
error("Certificate has multiple "
"force-command options");
xfree(command);
free(command);
goto out;
}
*cert_forced_command = command;
......@@ -500,7 +501,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
if ((*cert_source_address_done)++) {
error("Certificate has multiple "
"source-address options");
xfree(allowed);
free(allowed);
goto out;
}
remote_ip = get_remote_ipaddr();
......@@ -508,7 +509,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
allowed)) {
case 1:
/* accepted */
xfree(allowed);
free(allowed);
break;
case 0:
/* no match */
......@@ -521,12 +522,12 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
"is not permitted to use this "
"certificate for login.",
remote_ip);
xfree(allowed);
free(allowed);
goto out;
case -1:
error("Certificate source-address "
"contents invalid");
xfree(allowed);
free(allowed);
goto out;
}
found = 1;
......@@ -548,9 +549,10 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
goto out;
}
buffer_clear(&data);
xfree(name);
xfree(data_blob);
name = data_blob = NULL;
free(name);
free(data_blob);
name = NULL;
data_blob = NULL;
}
/* successfully parsed all options */
ret = 0;
......@@ -559,13 +561,13 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
if (ret != 0 &&
cert_forced_command != NULL &&
*cert_forced_command != NULL) {
xfree(*cert_forced_command);
free(*cert_forced_command);
*cert_forced_command = NULL;
}
if (name != NULL)
xfree(name);
free(name);
if (data_blob != NULL)
xfree(data_blob);
free(data_blob);
buffer_free(&data);
buffer_free(&c);
return ret;
......@@ -627,7 +629,7 @@ auth_cert_options(Key *k, struct passwd *pw)
/* CA-specified forced command supersedes key option */
if (cert_forced_command != NULL) {
if (forced_command != NULL)
xfree(forced_command);
free(forced_command);
forced_command = cert_forced_command;
}
return 0;
......
......@@ -412,10 +412,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
fail:
for(i = 0; i < n; i++) {
if (reply[i].resp != NULL)
xfree(reply[i].resp);
free(reply[i].resp);
}
xfree(reply);
free(reply);
buffer_free(&buffer);
return (PAM_CONV_ERR);
}
......@@ -586,10 +585,9 @@ sshpam_store_conv(int n, sshpam_const struct pam_message **msg,
fail:
for(i = 0; i < n; i++) {
if (reply[i].resp != NULL)
xfree(reply[i].resp);
free(reply[i].resp);
}
xfree(reply);
free(reply);
return (PAM_CONV_ERR);
}
......@@ -693,7 +691,7 @@ sshpam_init_ctx(Authctxt *authctxt)
/* Start the authentication thread */
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
error("PAM: failed create sockets: %s", strerror(errno));
xfree(ctxt);
free(ctxt);
return (NULL);
}
ctxt->pam_psock = socks[0];
......@@ -703,7 +701,7 @@ sshpam_init_ctx(Authctxt *authctxt)
strerror(errno));
close(socks[0]);
close(socks[1]);
xfree(ctxt);
free(ctxt);
return (NULL);
}
cleanup_ctxt = ctxt;
......@@ -742,7 +740,7 @@ sshpam_query(void *ctx, char **name, char **info,
strlcpy(**prompts + plen, msg, len - plen);
plen += mlen;
**echo_on = (type == PAM_PROMPT_ECHO_ON);
xfree(msg);
free(msg);
return (0);
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
......@@ -753,7 +751,7 @@ sshpam_query(void *ctx, char **name, char **info,
plen += mlen;
strlcat(**prompts + plen, "\n", len - plen);
plen++;
xfree(msg);
free(msg);
break;
case PAM_ACCT_EXPIRED:
sshpam_account_status = 0;
......@@ -766,7 +764,7 @@ sshpam_query(void *ctx, char **name, char **info,
*num = 0;
**echo_on = 0;
ctxt->pam_done = -1;
xfree(msg);
free(msg);
return 0;
}
/* FALLTHROUGH */
......@@ -776,7 +774,7 @@ sshpam_query(void *ctx, char **name, char **info,
debug("PAM: %s", **prompts);
buffer_append(&loginmsg, **prompts,
strlen(**prompts));
xfree(**prompts);
free(**prompts);
**prompts = NULL;
}
if (type == PAM_SUCCESS) {
......@@ -790,7 +788,7 @@ sshpam_query(void *ctx, char **name, char **info,
*num = 0;
**echo_on = 0;
ctxt->pam_done = 1;
xfree(msg);
free(msg);
return (0);
}
error("PAM: %s for %s%.100s from %.100s", msg,
......@@ -801,7 +799,7 @@ sshpam_query(void *ctx, char **name, char **info,
default:
*num = 0;
**echo_on = 0;
xfree(msg);
free(msg);
ctxt->pam_done = -1;
return (-1);
}
......@@ -852,7 +850,7 @@ sshpam_free_ctx(void *ctxtp)
debug3("PAM: %s entering", __func__);
sshpam_thread_cleanup();
xfree(ctxt);
free(ctxt);
/*
* We don't call sshpam_cleanup() here because we may need the PAM
* handle at a later stage, e.g. when setting up a session. It's
......@@ -1006,10 +1004,9 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
fail:
for(i = 0; i < n; i++) {
if (reply[i].resp != NULL)
xfree(reply[i].resp);
free(reply[i].resp);
}
xfree(reply);
free(reply);
return (PAM_CONV_ERR);
}
......@@ -1081,7 +1078,7 @@ do_pam_putenv(char *name, char *value)
snprintf(compound, len, "%s=%s", name, value);
ret = pam_putenv(sshpam_handle, compound);
xfree(compound);
free(compound);
#endif
return (ret);
......@@ -1108,8 +1105,8 @@ free_pam_environment(char **env)
return;
for (envp = env; *envp; envp++)
xfree(*envp);
xfree(env);
free(*envp);
free(env);
}
/*
......@@ -1165,10 +1162,9 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
fail:
for(i = 0; i < n; i++) {
if (reply[i].resp != NULL)
xfree(reply[i].resp);
free(reply[i].resp);
}
xfree(reply);
free(reply);
return (PAM_CONV_ERR);
}
......
/* $OpenBSD: auth-rsa.c,v 1.81 2012/10/30 21:29:54 djm Exp $ */
/* $OpenBSD: auth-rsa.c,v 1.85 2013/07/12 00:19:58 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -164,9 +164,8 @@ static int
rsa_key_allowed_in_file(struct passwd *pw, char *file,
const BIGNUM *client_n, Key **rkey)
{
char line[SSH_MAX_PUBKEY_BYTES];
int allowed = 0;
u_int bits;
char *fp, line[SSH_MAX_PUBKEY_BYTES];
int allowed = 0, bits;
FILE *f;
u_long linenum = 0;
Key *key;
......@@ -227,11 +226,16 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
/* check the real bits */
keybits = BN_num_bits(key->rsa->n);
if (keybits < 0 || bits != (u_int)keybits)
if (keybits < 0 || bits != keybits)
logit("Warning: %s, line %lu: keysize mismatch: "
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
debug("matching key found: file %s, line %lu %s %s",
file, linenum, key_type(key), fp);
free(fp);
/* Never accept a revoked key */
if (auth_key_is_revoked(key))
break;
......@@ -281,7 +285,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
file = expand_authorized_keys(
options.authorized_keys_files[i], pw);
allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
xfree(file);
free(file);
}
restore_uid();
......@@ -298,7 +302,6 @@ int
auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
{
Key *key;
char *fp;
struct passwd *pw = authctxt->pw;
/* no user given */
......@@ -328,11 +331,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
* options; this will be reset if the options cause the
* authentication to be rejected.