Vendor import of OpenSSH 6.8p1.

c1e08615 · Dag-Erling Smørgrav · c0bbca73 · c1e08615 · c1e08615 · c1e08615
Commit c1e08615 authored Jul 02, 2015 by Dag-Erling Smørgrav
--- a/.cvsignore
+++ b/.cvsignore
+*.0
+*.out
+Makefile
+autom4te.cache
+buildit.sh
+buildpkg.sh
+config.cache
+config.h
+config.h.in
+config.log
+config.status
+configure
+openssh.xml
+opensshd.init
+scp
+sftp
+sftp-server
+ssh
+ssh-add
+ssh-agent
+ssh-keygen
+ssh-keyscan
+ssh-keysign
+ssh-pkcs11-helper
+sshd
+stamp-h.in
+survey
+survey.sh
--- a/ChangeLog
+++ b/ChangeLog
--- a/Makefile.in
+++ b/Makefile.in
@@ -65,28 +65,33 @@ MANFMT=@MANFMT@
 TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)

 LIBOPENSSH_OBJS=\
+	ssh_api.o \
 	ssherr.o \
 	sshbuf.o \
 	sshkey.o \
 	sshbuf-getput-basic.o \
 	sshbuf-misc.o \
-	sshbuf-getput-crypto.o
+	sshbuf-getput-crypto.o \
+	krl.o \
+	bitmap.o

 LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
-	authfd.o authfile.o bufaux.o bufbn.o buffer.o \
-	canohost.o channels.o cipher.o cipher-aes.o \
+	authfd.o authfile.o bufaux.o bufbn.o bufec.o buffer.o \
+	canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
 	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
-	compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
-	log.o match.o md-sha256.o moduli.o nchan.o packet.o \
+	compat.o crc32.o deattack.o fatal.o hostfile.o \
+	log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \
 	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
-	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
+	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
-	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
-	ssh-pkcs11.o krl.o smult_curve25519_ref.o \
-	kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
-	ssh-ed25519.o digest-openssl.o hmac.o \
-	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
+	ssh-pkcs11.o smult_curve25519_ref.o \
+	poly1305.o chacha.o cipher-chachapoly.o \
+	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
+	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
+	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
+	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
+	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o

 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
@@ -99,8 +104,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	auth-chall.o auth2-chall.o groupaccess.o \
 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
 	auth2-none.o auth2-passwd.o auth2-pubkey.o \
-	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
-	kexc25519s.o auth-krb5.o \
+	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	sftp-server.o sftp-common.o \
@@ -230,6 +234,12 @@ clean:	regressclean
 	rm -f regress/unittests/sshbuf/test_sshbuf
 	rm -f regress/unittests/sshkey/*.o
 	rm -f regress/unittests/sshkey/test_sshkey
+	rm -f regress/unittests/bitmap/*.o
+	rm -f regress/unittests/bitmap/test_bitmap
+	rm -f regress/unittests/hostkeys/*.o
+	rm -f regress/unittests/hostkeys/test_hostkeys
+	rm -f regress/unittests/kex/*.o
+	rm -f regress/unittests/kex/test_kex
 	(cd openbsd-compat && $(MAKE) clean)

 distclean:	regressclean
@@ -244,6 +254,12 @@ distclean:	regressclean
 	rm -f regress/unittests/sshbuf/test_sshbuf
 	rm -f regress/unittests/sshkey/*.o
 	rm -f regress/unittests/sshkey/test_sshkey
+	rm -f regress/unittests/bitmap/*.o
+	rm -f regress/unittests/bitmap/test_bitmap
+	rm -f regress/unittests/hostkeys/*.o
+	rm -f regress/unittests/hostkeys/test_hostkeys
+	rm -f regress/unittests/kex/*.o
+	rm -f regress/unittests/kex/test_kex
 	(cd openbsd-compat && $(MAKE) distclean)
 	if test -d pkg ; then \
 		rm -fr pkg ; \
@@ -417,15 +433,21 @@ uninstall:
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1

 regress-prep:
-	[ -d `pwd`/regress ]  ||  mkdir -p `pwd`/regress
-	[ -d `pwd`/regress/unittests ]  ||  mkdir -p `pwd`/regress/unittests
-	[ -d `pwd`/regress/unittests/test_helper ]  || \
+	[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
+	[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
+	[ -d `pwd`/regress/unittests/test_helper ] || \
 		mkdir -p `pwd`/regress/unittests/test_helper
-	[ -d `pwd`/regress/unittests/sshbuf ]  || \
+	[ -d `pwd`/regress/unittests/sshbuf ] || \
 		mkdir -p `pwd`/regress/unittests/sshbuf
-	[ -d `pwd`/regress/unittests/sshkey ]  || \
+	[ -d `pwd`/regress/unittests/sshkey ] || \
 		mkdir -p `pwd`/regress/unittests/sshkey
-	[ -f `pwd`/regress/Makefile ]  || \
+	[ -d `pwd`/regress/unittests/bitmap ] || \
+		mkdir -p `pwd`/regress/unittests/bitmap
+	[ -d `pwd`/regress/unittests/hostkeys ] || \
+		mkdir -p `pwd`/regress/unittests/hostkeys
+	[ -d `pwd`/regress/unittests/kex ] || \
+		mkdir -p `pwd`/regress/unittests/kex
+	[ -f `pwd`/regress/Makefile ] || \
 	    ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile

 regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
@@ -436,6 +458,10 @@ regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c
 	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
 	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

+regress/netcat$(EXEEXT): $(srcdir)/regress/netcat.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
+	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
 UNITTESTS_TEST_HELPER_OBJS=\
 	regress/unittests/test_helper/test_helper.o \
 	regress/unittests/test_helper/fuzz.o
@@ -473,11 +499,46 @@ regress/unittests/sshkey/test_sshkey$(EXEEXT): ${UNITTESTS_TEST_SSHKEY_OBJS} \
 	    regress/unittests/test_helper/libtest_helper.a \
 	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

+UNITTESTS_TEST_BITMAP_OBJS=\
+	regress/unittests/bitmap/tests.o
+
+regress/unittests/bitmap/test_bitmap$(EXEEXT): ${UNITTESTS_TEST_BITMAP_OBJS} \
+    regress/unittests/test_helper/libtest_helper.a libssh.a
+	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_BITMAP_OBJS) \
+	    regress/unittests/test_helper/libtest_helper.a \
+	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+UNITTESTS_TEST_KEX_OBJS=\
+	regress/unittests/kex/tests.o \
+	regress/unittests/kex/test_kex.o \
+	roaming_dummy.o
+
+regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \
+    regress/unittests/test_helper/libtest_helper.a libssh.a
+	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_KEX_OBJS) \
+	    regress/unittests/test_helper/libtest_helper.a \
+	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+UNITTESTS_TEST_HOSTKEYS_OBJS=\
+	regress/unittests/hostkeys/tests.o \
+	regress/unittests/hostkeys/test_iterate.o
+
+regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
+    ${UNITTESTS_TEST_HOSTKEYS_OBJS} \
+    regress/unittests/test_helper/libtest_helper.a libssh.a
+	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_HOSTKEYS_OBJS) \
+	    regress/unittests/test_helper/libtest_helper.a \
+	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
 REGRESS_BINARIES=\
 	regress/modpipe$(EXEEXT) \
 	regress/setuid-allowed$(EXEEXT) \
+	regress/netcat$(EXEEXT) \
 	regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
-	regress/unittests/sshkey/test_sshkey$(EXEEXT)
+	regress/unittests/sshkey/test_sshkey$(EXEEXT) \
+	regress/unittests/bitmap/test_bitmap$(EXEEXT) \
+	regress/unittests/hostkeys/test_hostkeys$(EXEEXT) \
+	regress/unittests/kex/test_kex$(EXEEXT)

 tests interop-tests t-exec: regress-prep $(TARGETS) $(REGRESS_BINARIES)
 	BUILDDIR=`pwd`; \

--- a/PROTOCOL
+++ b/PROTOCOL
@@ -40,8 +40,8 @@ http://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
     "ecdsa-sha2-nistp521-cert-v01@openssh.com"

 OpenSSH introduces new public key algorithms to support certificate
-authentication for users and hostkeys. These methods are documented in
-the file PROTOCOL.certkeys
+authentication for users and host keys. These methods are documented
+in the file PROTOCOL.certkeys

 1.4. transport: Elliptic Curve cryptography

@@ -282,6 +282,53 @@ by the client cancel the forwarding of a Unix domain socket.
 	boolean		FALSE
 	string		socket path

+2.5. connection: hostkey update and rotation "hostkeys-00@openssh.com"
+and "hostkeys-prove-00@openssh.com"
+
+OpenSSH supports a protocol extension allowing a server to inform
+a client of all its protocol v.2 host keys after user-authentication
+has completed.
+
+	byte		SSH_MSG_GLOBAL_REQUEST
+	string		"hostkeys-00@openssh.com"
+	string[]	hostkeys
+
+Upon receiving this message, a client should check which of the
+supplied host keys are present in known_hosts. For keys that are
+not present, it should send a "hostkeys-prove@openssh.com" message
+to request the server prove ownership of the private half of the
+key.
+
+	byte		SSH_MSG_GLOBAL_REQUEST
+	string		"hostkeys-prove-00@openssh.com"
+	char		1 /* want-reply */
+	string[]	hostkeys
+
+When a server receives this message, it should generate a signature
+using each requested key over the following:
+
+	string		"hostkeys-prove-00@openssh.com"
+	string		session identifier
+	string		hostkey
+
+These signatures should be included in the reply, in the order matching
+the hostkeys in the request:
+
+	byte		SSH_MSG_REQUEST_SUCCESS
+	string[]	signatures
+
+When the client receives this reply (and not a failure), it should
+validate the signatures and may update its known_hosts file, adding keys
+that it has not seen before and deleting keys for the server host that
+are no longer offered.
+
+These extensions let a client learn key types that it had not previously
+encountered, thereby allowing it to potentially upgrade from weaker
+key algorithms to better ones. It also supports graceful key rotation:
+a server may offer multiple keys of the same type for a period (to
+give clients an opportunity to learn them using this extension) before
+removing the deprecated key from those offered.
+
 3. SFTP protocol changes

 3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
@@ -406,4 +453,4 @@ respond with a SSH_FXP_STATUS message.
 This extension is advertised in the SSH_FXP_VERSION hello with version
 "1".

-$OpenBSD: PROTOCOL,v 1.24 2014/07/15 15:54:14 millert Exp $
+$OpenBSD: PROTOCOL,v 1.27 2015/02/20 22:17:21 djm Exp $
--- a/PROTOCOL.krl
+++ b/PROTOCOL.krl
@@ -37,7 +37,7 @@ The available section types are:
 #define KRL_SECTION_FINGERPRINT_SHA1		3
 #define KRL_SECTION_SIGNATURE			4

-3. Certificate serial section
+2. Certificate section

 These sections use type KRL_SECTION_CERTIFICATES to revoke certificates by
 serial number or key ID. The consist of the CA key that issued the
@@ -47,6 +47,11 @@ ignored.
 	string ca_key
 	string reserved

+Where "ca_key" is the standard SSH wire serialisation of the CA's
+public key. Alternately, "ca_key" may be an empty string to indicate
+the certificate section applies to all CAs (this is most useful when
+revoking key IDs).
+
 Followed by one or more sections:

 	byte	cert_section_type
@@ -161,4 +166,4 @@ Implementations that retrieve KRLs over untrusted channels must verify
 signatures. Signature sections are optional for KRLs distributed by
 trusted means.

-$OpenBSD: PROTOCOL.krl,v 1.2 2013/01/18 00:24:58 djm Exp $
+$OpenBSD: PROTOCOL.krl,v 1.3 2015/01/30 01:10:33 djm Exp $
--- a/README
+++ b/README
-See http://www.openssh.com/txt/release-6.7 for the release notes.
+See http://www.openssh.com/txt/release-6.8 for the release notes.

 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html

--- a/atomicio.c
+++ b/atomicio.c
-/* $OpenBSD: atomicio.c,v 1.26 2010/09/22 22:58:51 djm Exp $ */
+/* $OpenBSD: atomicio.c,v 1.27 2015/01/16 06:40:12 deraadt Exp $ */
 /*
 * Copyright (c) 2006 Damien Miller. All rights reserved.
 * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@@ -41,6 +41,7 @@
 #endif
 #include <string.h>
 #include <unistd.h>
+#include <limits.h>

 #include "atomicio.h"


--- a/auth-options.c
+++ b/auth-options.c
-/* $OpenBSD: auth-options.c,v 1.64 2014/07/15 15:54:14 millert Exp $ */
+/* $OpenBSD: auth-options.c,v 1.65 2015/01/14 10:30:34 markus Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -21,15 +21,19 @@
 #include <stdarg.h>

 #include "openbsd-compat/sys-queue.h"
+
+#include "key.h"	/* XXX for typedef */
+#include "buffer.h"	/* XXX for typedef */
 #include "xmalloc.h"
 #include "match.h"
+#include "ssherr.h"
 #include "log.h"
 #include "canohost.h"
-#include "buffer.h"
+#include "sshbuf.h"
 #include "misc.h"
 #include "channels.h"
 #include "servconf.h"
-#include "key.h"
+#include "sshkey.h"
 #include "auth-options.h"
 #include "hostfile.h"
 #include "auth.h"
@@ -417,7 +421,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 #define OPTIONS_CRITICAL	1
 #define OPTIONS_EXTENSIONS	2
 static int
-parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
+parse_option_list(struct sshbuf *oblob, struct passwd *pw,
    u_int which, int crit,
    int *cert_no_port_forwarding_flag,
    int *cert_no_agent_forwarding_flag,
@@ -430,26 +434,25 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 	char *command, *allowed;
 	const char *remote_ip;
 	char *name = NULL;
-	u_char *data_blob = NULL;
-	u_int nlen, dlen, clen;
-	Buffer c, data;
-	int ret = -1, result, found;
-
-	buffer_init(&data);
+	struct sshbuf *c = NULL, *data = NULL;
+	int r, ret = -1, result, found;

-	/* Make copy to avoid altering original */
-	buffer_init(&c);
-	buffer_append(&c, optblob, optblob_len);
+	if ((c = sshbuf_fromb(oblob)) == NULL) {
+		error("%s: sshbuf_fromb failed", __func__);
+		goto out;
+	}

-	while (buffer_len(&c) > 0) {
-		if ((name = buffer_get_cstring_ret(&c, &nlen)) == NULL ||
-		    (data_blob = buffer_get_string_ret(&c, &dlen)) == NULL) {
-			error("Certificate options corrupt");
+	while (sshbuf_len(c) > 0) {
+		sshbuf_free(data);
+		data = NULL;
+		if ((r = sshbuf_get_cstring(c, &name, NULL)) != 0 ||
+		    (r = sshbuf_froms(c, &data)) != 0) {
+			error("Unable to parse certificate options: %s",
+			    ssh_err(r));
 			goto out;
 		}
-		buffer_append(&data, data_blob, dlen);
-		debug3("found certificate option \"%.100s\" len %u",
-		    name, dlen);
+		debug3("found certificate option \"%.100s\" len %zu",
+		    name, sshbuf_len(data));
 		found = 0;
 		if ((which & OPTIONS_EXTENSIONS) != 0) {
 			if (strcmp(name, "permit-X11-forwarding") == 0) {
@@ -473,10 +476,10 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 		}
 		if (!found && (which & OPTIONS_CRITICAL) != 0) {
 			if (strcmp(name, "force-command") == 0) {
-				if ((command = buffer_get_cstring_ret(&data,
-				    &clen)) == NULL) {
-					error("Certificate constraint \"%s\" "
-					    "corrupt", name);
+				if ((r = sshbuf_get_cstring(data, &command,
+				    NULL)) != 0) {
+					error("Unable to parse \"%s\" "
+					    "section: %s", name, ssh_err(r));
 					goto out;
 				}
 				if (*cert_forced_command != NULL) {
@@ -489,10 +492,10 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 				found = 1;
 			}
 			if (strcmp(name, "source-address") == 0) {
-				if ((allowed = buffer_get_cstring_ret(&data,
-				    &clen)) == NULL) {
-					error("Certificate constraint "
-					    "\"%s\" corrupt", name);
+				if ((r = sshbuf_get_cstring(data, &allowed,
+				    NULL)) != 0) {
+					error("Unable to parse \"%s\" "
+					    "section: %s", name, ssh_err(r));
 					goto out;
 				}
 				if ((*cert_source_address_done)++) {
@@ -540,16 +543,13 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 				logit("Certificate extension \"%s\" "
 				    "is not supported", name);
 			}
-		} else if (buffer_len(&data) != 0) {
+		} else if (sshbuf_len(data) != 0) {
 			error("Certificate option \"%s\" corrupt "
 			    "(extra data)", name);
 			goto out;
 		}
-		buffer_clear(&data);
 		free(name);
-		free(data_blob);
 		name = NULL;
-		data_blob = NULL;
 	}
 	/* successfully parsed all options */
 	ret = 0;
@@ -563,10 +563,8 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 	}
 	if (name != NULL)
 		free(name);
-	if (data_blob != NULL)
-		free(data_blob);
-	buffer_free(&data);
-	buffer_free(&c);
+	sshbuf_free(data);
+	sshbuf_free(c);
 	return ret;
 }

@@ -575,7 +573,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 * options so this must be called after auth_parse_options().
 */
 int
-auth_cert_options(Key *k, struct passwd *pw)
+auth_cert_options(struct sshkey *k, struct passwd *pw)
 {
 	int cert_no_port_forwarding_flag = 1;
 	int cert_no_agent_forwarding_flag = 1;
@@ -585,10 +583,9 @@ auth_cert_options(Key *k, struct passwd *pw)
 	char *cert_forced_command = NULL;
 	int cert_source_address_done = 0;

-	if (key_cert_is_legacy(k)) {
+	if (sshkey_cert_is_legacy(k)) {
 		/* All options are in the one field for v00 certs */
-		if (parse_option_list(buffer_ptr(k->cert->critical),
-		    buffer_len(k->cert->critical), pw,
+		if (parse_option_list(k->cert->critical, pw,
 		    OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1,
 		    &cert_no_port_forwarding_flag,
 		    &cert_no_agent_forwarding_flag,
@@ -600,14 +597,12 @@ auth_cert_options(Key *k, struct passwd *pw)
 			return -1;
 	} else {
 		/* Separate options and extensions for v01 certs */
-		if (parse_option_list(buffer_ptr(k->cert->critical),
-		    buffer_len(k->cert->critical), pw,
+		if (parse_option_list(k->cert->critical, pw,
 		    OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
 		    &cert_forced_command,
 		    &cert_source_address_done) == -1)
 			return -1;
-		if (parse_option_list(buffer_ptr(k->cert->extensions),
-		    buffer_len(k->cert->extensions), pw,
+		if (parse_option_list(k->cert->extensions, pw,
 		    OPTIONS_EXTENSIONS, 1,
 		    &cert_no_port_forwarding_flag,
 		    &cert_no_agent_forwarding_flag,

--- a/auth-options.h
+++ b/auth-options.h
-/* $OpenBSD: auth-options.h,v 1.20 2010/05/07 11:30:29 djm Exp $ */
+/* $OpenBSD: auth-options.h,v 1.21 2015/01/14 10:30:34 markus Exp $ */

 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -35,6 +35,6 @@ extern char *authorized_principals;

 int	auth_parse_options(struct passwd *, char *, char *, u_long);
 void	auth_clear_options(void);
-int	auth_cert_options(Key *, struct passwd *);
+int	auth_cert_options(struct sshkey *, struct passwd *);

 #endif
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -15,6 +15,8 @@

 #include "includes.h"

+#ifdef WITH_SSH1
+
 #include <sys/types.h>

 #include <pwd.h>
@@ -102,3 +104,5 @@ auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
 	packet_send_debug("Rhosts with RSA host authentication accepted.");
 	return 1;
 }
+
+#endif /* WITH_SSH1 */
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
-/* $OpenBSD: auth-rhosts.c,v 1.45 2014/07/15 15:54:14 millert Exp $ */
+/* $OpenBSD: auth-rhosts.c,v 1.46 2014/12/23 22:42:48 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -57,7 +57,8 @@ check_rhosts_file(const char *filename, const char *hostname,
 		  const char *server_user)
 {
 	FILE *f;
-	char buf[1024];	/* Must not be larger than host, user, dummy below. */
+#define RBUFLN 1024
+	char buf[RBUFLN];/* Must not be larger than host, user, dummy below. */
 	int fd;
 	struct stat st;

@@ -80,8 +81,9 @@ check_rhosts_file(const char *filename, const char *hostname,
 		return 0;
 	}
 	while (fgets(buf, sizeof(buf), f)) {
-		/* All three must be at least as big as buf to avoid overflows. */
-		char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp;
+		/* All three must have length >= buf to avoid overflows. */
+		char hostbuf[RBUFLN], userbuf[RBUFLN], dummy[RBUFLN];
+		char *host, *user, *cp;
 		int negated;

 		for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
@@ -140,8 +142,8 @@ check_rhosts_file(const char *filename, const char *hostname,
 		/* Check for empty host/user names (particularly '+'). */
 		if (!host[0] || !user[0]) {
 			/* We come here if either was '+' or '-'. */
-			auth_debug_add("Ignoring wild host/user names in %.100s.",
-			    filename);
+			auth_debug_add("Ignoring wild host/user names "
+			    "in %.100s.", filename);
 			continue;
 		}
 		/* Verify that host name matches. */
@@ -149,7 +151,8 @@ check_rhosts_file(const char *filename, const char *hostname,
 			if (!innetgr(host + 1, hostname, NULL, NULL) &&
 			    !innetgr(host + 1, ipaddr, NULL, NULL))
 				continue;
-		} else if (strcasecmp(host, hostname) && strcmp(host, ipaddr) != 0)
+		} else if (strcasecmp(host, hostname) &&
+		    strcmp(host, ipaddr) != 0)
 			continue;	/* Different hostname. */

 		/* Verify that user name matches. */
@@ -208,7 +211,8 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
 	/* Switch to the user's uid. */
 	temporarily_use_uid(pw);
 	/*
-	 * Quick check: if the user has no .shosts or .rhosts files, return
+	 * Quick check: if the user has no .shosts or .rhosts files and
+	 * no system hosts.equiv/shosts.equiv files exist then return
 	 * failure immediately without doing costly lookups from name
 	 * servers.
 	 */
@@ -223,27 +227,38 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
 	/* Switch back to privileged uid. */
 	restore_uid();

-	/* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */
+	/*
+	 * Deny if The user has no .shosts or .rhosts file and there
+	 * are no system-wide files.
+	 */
 	if (!rhosts_files[rhosts_file_index] &&
 	    stat(_PATH_RHOSTS_EQUIV, &st) < 0 &&
-	    stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0)
+	    stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0) {
+		debug3("%s: no hosts access files exist", __func__);
 		return 0;
+	}

-	/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
-	if (pw->pw_uid != 0) {
+	/*
+	 * If not logging in as superuser, try /etc/hosts.equiv and
+	 * shosts.equiv.
+	 */
+	if (pw->pw_uid == 0)
+		debug3("%s: root user, ignoring system hosts files", __func__);
+	else {
 		if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
 		    client_user, pw->pw_name)) {
-			auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
-			    hostname, ipaddr);
+			auth_debug_add("Accepted for %.100s [%.100s] by "
+			    "/etc/hosts.equiv.", hostname, ipaddr);
 			return 1;
 		}
 		if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
 		    client_user, pw->pw_name)) {
-			auth_debug_add("Accepted for %.100s [%.100s] by %.100s.",
-			    hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
+			auth_debug_add("Accepted for %.100s [%.100s] by "
+			    "%.100s.", hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
 			return 1;
 		}
 	}
+
 	/*
 	 * Check that the home directory is owned by root or the user, and is
 	 * not group or world writable.
@@ -290,20 +305,25 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
 			auth_debug_add("Bad file modes for %.200s", buf);
 			continue;
 		}
-		/* Check if we have been configured to ignore .rhosts and .shosts files. */
+		/*
+		 * Check if we have been configured to ignore .rhosts
+		 * and .shosts files.
+		 */
 		if (options.ignore_rhosts) {
-			auth_debug_add("Server has been configured to ignore %.100s.",
-			    rhosts_files[rhosts_file_index]);
+			auth_debug_add("Server has been configured to "
+			    "ignore %.100s.", rhosts_files[rhosts_file_index]);
 			continue;