Commit db903103 authored by Ed Maste's avatar Ed Maste
Browse files

Vendor import of OpenSSH 8.3p1

parent 82e5fdc5
This diff is collapsed.
......@@ -16,6 +16,9 @@ db6375fc302e3bdf07d96430c63c991b2c2bd3ff moduli update
14806a59353152f843eb349e618abbf6f4dd3ada Makefile.inc
8ea4455a2d9364a0a04f9e4a2cbfa4c9fcefe77e Makefile.inc
d9b910e412d139141b072a905e66714870c38ac0 Makefile.inc
7b7b619c1452a459310b0cf4391c5757c6bdbc0f moduli update
5010ff08f7ad92082e87dde098b20f5c24921a8f moduli regen script update
3bcae7a754db3fc5ad3cab63dd46774edb35b8ae moduli regen script update
Old upstream tree:
......
This diff is collapsed.
......@@ -19,7 +19,7 @@ Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/
libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto
is supported but severely restricts the avilable ciphers and algorithms.
is supported but severely restricts the available ciphers and algorithms.
- LibreSSL (https://www.libressl.org/)
- OpenSSL (https://www.openssl.org) with any of the following versions:
- 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
......@@ -51,7 +51,7 @@ http://prngd.sourceforge.net/
EGD:
The Entropy Gathering Daemon (EGD) suppports the same interface as prngd.
The Entropy Gathering Daemon (EGD) supports the same interface as prngd.
It also supported only if libcrypto is configured to support it.
http://egd.sourceforge.net/
......@@ -277,6 +277,6 @@ summary data may be published.
5. Problems?
------------
If you experience problems compiling, installing or running OpenSSH.
Please refer to the "reporting bugs" section of the webpage at
If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
https://www.openssh.com/
......@@ -103,7 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
ssh-ed25519-sk.o ssh-rsa.o dh.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o smult_curve25519_ref.o \
poly1305.o chacha.o cipher-chachapoly.o \
poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \
ssh-ed25519.o digest-openssl.o digest-libc.o \
hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
......@@ -350,11 +350,15 @@ depend: depend-rebuild
rm -f .depend.bak
depend-rebuild:
rm -f config.h
touch config.h
mv .depend .depend.old
rm -f config.h .depend
touch config.h .depend
makedepend -w1000 -Y. -f .depend *.c 2>/dev/null
(head -2 .depend; tail +3 .depend | sort) >.depend.tmp
(echo '# Automatically generated by makedepend.'; \
echo '# Run "make depend" to rebuild.'; sort .depend ) >.depend.tmp
mv .depend.tmp .depend
rm -f .depend.bak
mv .depend.old .depend.bak
rm -f config.h
depend-check: depend-rebuild
......@@ -631,6 +635,8 @@ SK_DUMMY_OBJS=\
regress/misc/sk-dummy/fatal.lo \
ed25519.lo hash.lo ge25519.lo fe25519.lo sc25519.lo verify.lo
SK_DUMMY_LIBRARY=@SK_DUMMY_LIBRARY@
.c.lo: Makefile.in config.h
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $< -o $@
......@@ -644,7 +650,7 @@ regress-binaries: regress-prep $(LIBCOMPAT) \
regress/netcat$(EXEEXT) \
regress/check-perm$(EXEEXT) \
regress/mkdtemp$(EXEEXT) \
regress/misc/sk-dummy/sk-dummy.so
$(SK_DUMMY_LIBRARY)
regress-unit-binaries: regress-prep $(REGRESSLIBS) \
regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
......@@ -670,27 +676,8 @@ unit: regress-unit-binaries
interop-tests t-exec file-tests: regress-prep regress-binaries $(TARGETS)
BUILDDIR=`pwd`; \
TEST_SSH_SCP="$${BUILDDIR}/scp"; \
TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \
TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add"; \
TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen"; \
TEST_SSH_SSHPKCS11HELPER="$${BUILDDIR}/ssh-pkcs11-helper"; \
TEST_SSH_SSHSKHELPER="$${BUILDDIR}/ssh-sk-helper"; \
TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan"; \
TEST_SSH_SFTP="$${BUILDDIR}/sftp"; \
TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server"; \
TEST_SSH_PKCS11_HELPER="$${BUILDDIR}/ssh-pkcs11-helper"; \
TEST_SSH_SK_HELPER="$${BUILDDIR}/ssh-sk-helper"; \
TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server"; \
TEST_SSH_PLINK="plink"; \
TEST_SSH_PUTTYGEN="puttygen"; \
TEST_SSH_CONCH="conch"; \
TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \
TEST_SSH_UTF8="@TEST_SSH_UTF8@" ; \
TEST_SSH_ECC="@TEST_SSH_ECC@" ; \
cd $(srcdir)/regress || exit $$?; \
EGREP='@EGREP@' \
$(MAKE) \
.OBJDIR="$${BUILDDIR}/regress" \
.CURDIR="`pwd`" \
......@@ -699,24 +686,24 @@ interop-tests t-exec file-tests: regress-prep regress-binaries $(TARGETS)
PATH="$${BUILDDIR}:$${PATH}" \
TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
TEST_MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
TEST_SSH_SCP="$${TEST_SSH_SCP}" \
TEST_SSH_SSH="$${TEST_SSH_SSH}" \
TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \
TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \
TEST_SSH_SSHADD="$${TEST_SSH_SSHADD}" \
TEST_SSH_SSHKEYGEN="$${TEST_SSH_SSHKEYGEN}" \
TEST_SSH_SSHPKCS11HELPER="$${TEST_SSH_SSHPKCS11HELPER}" \
TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
TEST_SSH_PKCS11_HELPER="$${TEST_SSH_PKCS11_HELPER}" \
TEST_SSH_SK_HELPER="$${TEST_SSH_SK_HELPER}" \
TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \
TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \
TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \
TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
TEST_SSH_UTF8="$${TEST_SSH_UTF8}" \
TEST_SSH_ECC="$${TEST_SSH_ECC}" \
TEST_SSH_SCP="$${BUILDDIR}/scp" \
TEST_SSH_SSH="$${BUILDDIR}/ssh" \
TEST_SSH_SSHD="$${BUILDDIR}/sshd" \
TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent" \
TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add" \
TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen" \
TEST_SSH_SSHPKCS11HELPER="$${BUILDDIR}/ssh-pkcs11-helper" \
TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan" \
TEST_SSH_SFTP="$${BUILDDIR}/sftp" \
TEST_SSH_PKCS11_HELPER="$${BUILDDIR}/ssh-pkcs11-helper" \
TEST_SSH_SK_HELPER="$${BUILDDIR}/ssh-sk-helper" \
TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server" \
TEST_SSH_PLINK="plink" \
TEST_SSH_PUTTYGEN="puttygen" \
TEST_SSH_CONCH="conch" \
TEST_SSH_IPV6="@TEST_SSH_IPV6@" \
TEST_SSH_UTF8="@TEST_SSH_UTF8@" \
TEST_SSH_ECC="@TEST_SSH_ECC@" \
TEST_SHELL="${TEST_SHELL}" \
EXEEXT="$(EXEEXT)" \
$@ && echo all $@ passed
......
......@@ -194,7 +194,7 @@ layer 2 frames or layer 3 packets. It may take one of the following values:
SSH_TUNMODE_ETHERNET 2 /* layer 2 frames */
The "tunnel unit number" specifies the remote interface number, or may
be 0x7fffffff to allow the server to automatically chose an interface. A
be 0x7fffffff to allow the server to automatically choose an interface. A
server that is not willing to open a client-specified unit should refuse
the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful
open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS.
......@@ -298,7 +298,7 @@ Upon receiving this message, a client should check which of the
supplied host keys are present in known_hosts.
Note that the server may send key types that the client does not
support. The client should disgregard such keys if they are received.
support. The client should disregard such keys if they are received.
If the client identifies any keys that are not present for the host,
it should send a "hostkeys-prove@openssh.com" message to request the
......@@ -496,4 +496,4 @@ OpenSSH's connection multiplexing uses messages as described in
PROTOCOL.mux over a Unix domain socket for communications between a
master instance and later clients.
$OpenBSD: PROTOCOL,v 1.36 2018/10/02 12:51:58 djm Exp $
$OpenBSD: PROTOCOL,v 1.37 2020/02/21 00:04:43 dtucker Exp $
......@@ -34,7 +34,7 @@ Detailed Construction
The chacha20-poly1305@openssh.com cipher requires 512 bits of key
material as output from the SSH key exchange. This forms two 256 bit
keys (K_1 and K_2), used by two separate instances of chacha20.
The first 256 bits consitute K_2 and the second 256 bits become
The first 256 bits constitute K_2 and the second 256 bits become
K_1.
The instance keyed by K_1 is a stream cipher that is used only
......@@ -103,5 +103,5 @@ References
[3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
$OpenBSD: PROTOCOL.chacha20poly1305,v 1.4 2018/04/10 00:10:49 djm Exp $
$OpenBSD: PROTOCOL.chacha20poly1305,v 1.5 2020/02/21 00:04:43 dtucker Exp $
......@@ -39,7 +39,7 @@ messages between the client and server. The client therefore must
speak a significant subset of the SSH protocol, but in return is able
to access basically the full suite of connection protocol features.
Moreover, as no file descriptor passing is required, the connection
supporting a proxy client may iteself be forwarded or relayed to another
supporting a proxy client may itself be forwarded or relayed to another
host if necessary.
1. Connection setup
......@@ -295,4 +295,4 @@ XXX session inspection via master
XXX signals via mux request
XXX list active connections via mux
$OpenBSD: PROTOCOL.mux,v 1.11 2018/09/26 07:30:05 djm Exp $
$OpenBSD: PROTOCOL.mux,v 1.12 2020/03/13 03:17:07 djm Exp $
......@@ -142,7 +142,7 @@ choose not to include this information in the public key or save it by
default.
Attestation information is useful for out-of-band key and certificate
registration worksflows, e.g. proving to a CA that a key is backed
registration workflows, e.g. proving to a CA that a key is backed
by trusted hardware before it will issue a certificate. To support this
case, OpenSSH optionally allows retaining the attestation information
at the time of key generation. It will take the following format:
......@@ -169,7 +169,7 @@ is signed over a blob that consists of:
byte[] extensions
byte[32] SHA256(message)
No extensons are yet defined for SSH use. If any are defined in the future,
No extensions are yet defined for SSH use. If any are defined in the future,
it will be possible to infer their presence from the contents of the "flags"
value.
......@@ -236,7 +236,7 @@ support for the common case of USB HID security keys internally.
The middleware library need only expose a handful of functions:
#define SSH_SK_VERSION_MAJOR 0x00040000 /* API version */
#define SSH_SK_VERSION_MAJOR 0x00050000 /* API version */
#define SSH_SK_VERSION_MAJOR_MASK 0xffff0000
/* Flags */
......
See https://www.openssh.com/releasenotes.html#8.2p1 for the release notes.
See https://www.openssh.com/releasenotes.html#8.3p1 for the release notes.
Please read https://www.openssh.com/report.html for bug reporting
instructions and note that we do not use Github for bug reporting or
......@@ -29,10 +29,10 @@ all logins, not just when using password authentication.
There is now several mailing lists for this port of OpenSSH. Please
refer to https://www.openssh.com/list.html for details on how to join.
Please send bug reports and patches to the mailing list
openssh-unix-dev@mindrot.org. The list is open to posting by unsubscribed
users. Code contribution are welcomed, but please follow the OpenBSD
style guidelines[1].
Please send bug reports and patches to https://bugzilla.mindrot.org or
the mailing list openssh-unix-dev@mindrot.org. To mitigate spam, the
list only allows posting from subscribed addresses. Code contribution
are welcomed, but please follow the OpenBSD style guidelines[1].
Please refer to the INSTALL document for information on dependencies and
how to install OpenSSH on your system.
......
/* $OpenBSD: auth-options.c,v 1.90 2019/11/25 00:54:23 djm Exp $ */
/* $OpenBSD: auth-options.c,v 1.92 2020/03/06 18:15:38 markus Exp $ */
/*
* Copyright (c) 2018 Damien Miller <djm@mindrot.org>
*
......@@ -222,8 +222,7 @@ sshauthopt_free(struct sshauthopt *opts)
free(opts->permitlisten[i]);
free(opts->permitlisten);
explicit_bzero(opts, sizeof(*opts));
free(opts);
freezero(opts, sizeof(*opts));
}
struct sshauthopt *
......@@ -735,9 +734,11 @@ deserialise_array(struct sshbuf *m, char ***ap, size_t *np)
*np = n;
n = 0;
out:
for (i = 0; i < n; i++)
free(a[i]);
free(a);
if (a != NULL) {
for (i = 0; i < n; i++)
free(a[i]);
free(a);
}
sshbuf_free(b);
return r;
}
......
/* $OpenBSD: auth-rhosts.c,v 1.51 2019/10/02 00:42:30 djm Exp $ */
/* $OpenBSD: auth-rhosts.c,v 1.52 2020/04/17 03:30:05 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -298,7 +298,9 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
* Check if we have been configured to ignore .rhosts
* and .shosts files.
*/
if (options.ignore_rhosts) {
if (options.ignore_rhosts == IGNORE_RHOSTS_YES ||
(options.ignore_rhosts == IGNORE_RHOSTS_SHOSTS &&
strcmp(rhosts_files[rhosts_file_index], ".shosts") != 0)) {
auth_debug_add("Server has been configured to "
"ignore %.100s.", rhosts_files[rhosts_file_index]);
continue;
......
/* $OpenBSD: auth2-chall.c,v 1.52 2019/11/13 04:47:52 deraadt Exp $ */
/* $OpenBSD: auth2-chall.c,v 1.53 2020/02/26 13:40:09 jsg Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2001 Per Allansson. All rights reserved.
......@@ -147,8 +147,7 @@ kbdint_free(KbdintAuthctxt *kbdintctxt)
if (kbdintctxt->device)
kbdint_reset_device(kbdintctxt);
free(kbdintctxt->devices);
explicit_bzero(kbdintctxt, sizeof(*kbdintctxt));
free(kbdintctxt);
freezero(kbdintctxt, sizeof(*kbdintctxt));
}
/* get next device */
static int
......
/* $OpenBSD: auth2-passwd.c,v 1.17 2019/09/06 04:53:27 djm Exp $ */
/* $OpenBSD: auth2-passwd.c,v 1.18 2020/02/26 13:40:09 jsg Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -66,8 +66,7 @@ userauth_passwd(struct ssh *ssh)
logit("password change not supported");
else if (PRIVSEP(auth_password(ssh, password)) == 1)
authenticated = 1;
explicit_bzero(password, len);
free(password);
freezero(password, len);
return authenticated;
}
......
/* $OpenBSD: auth2.c,v 1.157 2019/09/06 04:53:27 djm Exp $ */
/* $OpenBSD: auth2.c,v 1.158 2020/03/06 18:16:21 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -217,7 +217,7 @@ input_service_request(int type, u_int32_t seq, struct ssh *ssh)
r = 0;
out:
free(service);
return 0;
return r;
}
#define MIN_FAIL_DELAY_SECONDS 0.005
......
/* $OpenBSD: authfd.c,v 1.121 2019/12/21 02:19:13 djm Exp $ */
/* $OpenBSD: authfd.c,v 1.123 2020/03/06 18:24:39 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -342,7 +342,7 @@ ssh_agent_has_key(int sock, struct sshkey *key)
size_t i;
struct ssh_identitylist *idlist = NULL;
if ((r = ssh_fetch_identitylist(sock, &idlist)) < 0) {
if ((r = ssh_fetch_identitylist(sock, &idlist)) != 0) {
return r;
}
......@@ -561,10 +561,8 @@ ssh_remove_identity(int sock, struct sshkey *key)
goto out;
r = decode_reply(type);
out:
if (blob != NULL) {
explicit_bzero(blob, blen);
free(blob);
}
if (blob != NULL)
freezero(blob, blen);
sshbuf_free(msg);
return r;
}
......
/* $OpenBSD: authfile.c,v 1.137 2020/01/25 23:02:13 djm Exp $ */
/* $OpenBSD: authfile.c,v 1.140 2020/04/17 07:15:11 djm Exp $ */
/*
* Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
*
......@@ -140,6 +140,14 @@ sshkey_load_private_type(int type, const char *filename, const char *passphrase,
return r;
}
int
sshkey_load_private(const char *filename, const char *passphrase,
struct sshkey **keyp, char **commentp)
{
return sshkey_load_private_type(KEY_UNSPEC, filename, passphrase,
keyp, commentp);
}
int
sshkey_load_private_type_fd(int fd, int type, const char *passphrase,
struct sshkey **keyp, char **commentp)
......@@ -161,51 +169,57 @@ sshkey_load_private_type_fd(int fd, int type, const char *passphrase,
return r;
}
/* XXX this is almost identical to sshkey_load_private_type() */
int
sshkey_load_private(const char *filename, const char *passphrase,
struct sshkey **keyp, char **commentp)
/* Load a pubkey from the unencrypted envelope of a new-format private key */
static int
sshkey_load_pubkey_from_private(const char *filename, struct sshkey **pubkeyp)
{
struct sshbuf *buffer = NULL;
struct sshkey *pubkey = NULL;
int r, fd;
if (keyp != NULL)
*keyp = NULL;
if (commentp != NULL)
*commentp = NULL;
if (pubkeyp != NULL)
*pubkeyp = NULL;
if ((fd = open(filename, O_RDONLY)) == -1)
return SSH_ERR_SYSTEM_ERROR;
if (sshkey_perm_ok(fd, filename) != 0) {
r = SSH_ERR_KEY_BAD_PERMISSIONS;
goto out;
}
if ((r = sshbuf_load_fd(fd, &buffer)) != 0 ||
(r = sshkey_parse_private_fileblob(buffer, passphrase, keyp,
commentp)) != 0)
(r = sshkey_parse_pubkey_from_private_fileblob_type(buffer,
KEY_UNSPEC, &pubkey)) != 0)
goto out;
if (keyp && *keyp &&
(r = sshkey_set_filename(*keyp, filename)) != 0)
if ((r = sshkey_set_filename(pubkey, filename)) != 0)
goto out;
/* success */
if (pubkeyp != NULL) {
*pubkeyp = pubkey;
pubkey = NULL;
}
r = 0;
out:
close(fd);
sshbuf_free(buffer);
sshkey_free(pubkey);
return r;
}
static int
sshkey_try_load_public(struct sshkey *k, const char *filename, char **commentp)
sshkey_try_load_public(struct sshkey **kp, const char *filename,
char **commentp)
{
FILE *f;
char *line = NULL, *cp;
size_t linesize = 0;
int r;
struct sshkey *k = NULL;
*kp = NULL;
if (commentp != NULL)
*commentp = NULL;
if ((f = fopen(filename, "r")) == NULL)
return SSH_ERR_SYSTEM_ERROR;
if ((k = sshkey_new(KEY_UNSPEC)) == NULL) {
fclose(f);
return SSH_ERR_ALLOC_FAIL;
}
while (getline(&line, &linesize, f) != -1) {
cp = line;
switch (*cp) {
......@@ -230,12 +244,15 @@ sshkey_try_load_public(struct sshkey *k, const char *filename, char **commentp)
if (*commentp == NULL)
r = SSH_ERR_ALLOC_FAIL;
}
/* success */
*kp = k;
free(line);
fclose(f);
return r;
}
}
}
free(k);
free(line);
fclose(f);
return SSH_ERR_INVALID_FORMAT;
......@@ -245,8 +262,7 @@ sshkey_try_load_public(struct sshkey *k, const char *filename, char **commentp)
int
sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp)
{
struct sshkey *pub = NULL;
char *file = NULL;
char *pubfile = NULL;
int r;
if (keyp != NULL)
......@@ -254,35 +270,21 @@ sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp)
if (commentp != NULL)
*commentp = NULL;
if ((pub = sshkey_new(KEY_UNSPEC)) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshkey_try_load_public(pub, filename, commentp)) == 0) {
if (keyp != NULL) {
*keyp = pub;
pub = NULL;
}
r = 0;
if ((r = sshkey_try_load_public(keyp, filename, commentp)) == 0)
goto out;
}
sshkey_free(pub);
/* try .pub suffix */
if (asprintf(&file, "%s.pub", filename) == -1)
if (asprintf(&pubfile, "%s.pub", filename) == -1)
return SSH_ERR_ALLOC_FAIL;
if ((pub = sshkey_new(KEY_UNSPEC)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
if ((r = sshkey_try_load_public(keyp, pubfile, commentp)) == 0)
goto out;
}
if ((r = sshkey_try_load_public(pub, file, commentp)) == 0) {
if (keyp != NULL) {
*keyp = pub;
pub = NULL;
}
r = 0;
}
/* finally, try to extract public key from private key file */
if ((r = sshkey_load_pubkey_from_private(filename, keyp)) == 0)
goto out;
out:
free(file);
sshkey_free(pub);
free(pubfile);
return r;
}
......@@ -300,18 +302,7 @@ sshkey_load_cert(const char *filename, struct sshkey **keyp)
if (asprintf(&file, "%s-cert.pub", filename) == -1)
return SSH_ERR_ALLOC_FAIL;
if ((pub = sshkey_new(KEY_UNSPEC)) == NULL) {
goto out;
}
if ((r = sshkey_try_load_public(pub, file, NULL)) != 0)
goto out;
/* success */
if (keyp != NULL) {
*keyp = pub;
pub = NULL;
}
r = 0;
out:
r = sshkey_try_load_public(keyp, file, NULL);
free(file);
sshkey_free(pub);
return r;
......
/* $OpenBSD: channels.c,v 1.395 2020/01/25 06:40:20 djm Exp $ */
/* $OpenBSD: channels.c,v 1.398 2020/04/25 06:59:36 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -454,7 +454,7 @@ fwd_perm_clear(struct permission *perm)
free(perm->host_to_connect);
free(perm->listen_host);
free(perm->listen_path);
bzero(perm, sizeof(*perm));
memset(perm, 0, sizeof(*perm));
}
/* Returns an printable name for the specified forwarding permission list */
......@@ -625,14 +625,12 @@ channel_free(struct ssh *ssh, Channel *c)
if (cc->abandon_cb != NULL)
cc->abandon_cb(ssh, c, cc->ctx);
TAILQ_REMOVE(&c->status_confirms, cc, entry);
explicit_bzero(cc, sizeof(*cc));
free(cc);
freezero(cc, sizeof(*cc));
}
if (c->filter_cleanup != NULL && c->filter_ctx != NULL)
c->filter_cleanup(ssh, c->self, c->filter_ctx);
sc->channels[c->self] = NULL;
explicit_bzero(c, sizeof(*c));
free(c);
freezero(c, sizeof(*c));
}
void
......@@ -3295,8 +3293,7 @@ channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh)
return 0;
cc->cb(ssh, type, c, cc->ctx);
TAILQ_REMOVE(&c->status_confirms, cc, entry);
explicit_bzero(cc, sizeof(*cc));
free(cc);
freezero(cc, sizeof(*cc));
return 0;
}
......@@ -4004,7 +4001,7 @@ channel_request_rforward_cancel_tcpip(struct ssh *ssh,
struct permission_set *pset = &sc->local_perms;
int r;
u_int i;
struct permission *perm;
struct permission *perm = NULL;
for (i = 0; i < pset->num_permitted_user; i++) {
perm = &pset->permitted_user[i];
......@@ -4040,7 +4037,7 @@ channel_request_rforward_cancel_streamlocal(struct ssh *ssh, const char *path)
struct permission_set *pset = &sc->local_perms;
int r;
u_int i;
struct permission *perm;
struct permission *perm = NULL;
for (i = 0; i < pset->num_permitted_user; i++) {
perm = &pset->permitted_user[i];
......
/*
* Copyright (c) 2013 Damien Miller <djm@mindrot.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above