authordjm@openbsd.org <djm@openbsd.org>2016-05-02 08:49:03 +0000
committerDamien Miller <djm@mindrot.org>2016-05-02 20:35:04 +1000
commit1a31d02b2411c4718de58ce796dbb7b5e14db93e (patch)
treec6e06a9890e71bc97cd3cdc6ce74919e504c8fd8
parentd2d6bf864e52af8491a60dd507f85b74361f5da3 (diff)
upstream commit
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@ Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820
-rw-r--r--auth2-chall.c6
-rw-r--r--auth2.c6
-rw-r--r--kex.h7
-rw-r--r--kexc25519.c6
-rw-r--r--monitor.c27
-rw-r--r--servconf.c5
-rw-r--r--sftp-client.c5
-rw-r--r--ssh-agent.c15
-rw-r--r--ssh-keygen.c8
-rw-r--r--sshbuf-misc.c25
-rw-r--r--sshbuf.h9
-rw-r--r--sshconnect2.c6
-rw-r--r--sshd.c51
13 files changed, 112 insertions, 64 deletions
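diff --git a/auth2-chall.c b/auth2-chall.c
index 4aff09d80..ead480318 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */
+/* $OpenBSD: auth2-chall.c,v 1.44 2016/05/02 08:49:03 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2001 Per Allansson. All rights reserved.
@@ -122,8 +122,8 @@ kbdint_alloc(const char *devs)
  buffer_append(&b, devices[i]->name,
  strlen(devices[i]->name));
  }
- buffer_append(&b, "\0", 1);
- kbdintctxt->devices = xstrdup(buffer_ptr(&b));
+ if ((kbdintctxt->devices = sshbuf_dup_string(&b)) == NULL)
+ fatal("%s: sshbuf_dup_string failed", __func__);
  buffer_free(&b);
  } else {
  kbdintctxt->devices = xstrdup(devs);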
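Review bot: Nothing at the call site in kbdint_alloc says where the string terminator now comes from, since the explicit `buffer_append(&b, "\0", 1)` is gone and the copy is made inside sshbuf_dup_string(). A one-line comment above the new `if`, such as `/* sshbuf_dup_string() adds the terminating NUL and fails on an embedded one */`, would save the next reader a trip to sshbuf-misc.c. The same comment fits the identical replacements in auth2.c (authmethods_get), sshconnect2.c (authmethods_get) and sshd.c (list_hostkey_types). kbdint_alloc starts and ends outside the hunk.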
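diff --git a/auth2.c b/auth2.c
index 717796228..9108b8612 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.135 2015/01/19 20:07:45 markus Exp $ */
+/* $OpenBSD: auth2.c,v 1.136 2016/05/02 08:49:03 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -424,8 +424,8 @@ authmethods_get(Authctxt *authctxt)
  buffer_append(&b, authmethods[i]->name,
  strlen(authmethods[i]->name));
  }
- buffer_append(&b, "\0", 1);
- list = xstrdup(buffer_ptr(&b));
+ if ((list = sshbuf_dup_string(&b)) == NULL)
+ fatal("%s: sshbuf_dup_string failed", __func__);
  buffer_free(&b);
  return list;
 }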
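diff --git a/kex.h b/kex.h
index 1c5896605..131b8d93d 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.76 2016/02/08 10:57:07 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.77 2016/05/02 08:49:03 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -205,8 +205,9 @@ int kex_ecdh_hash(int, const EC_GROUP *, const char *, const char *,
  const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
  const EC_POINT *, const EC_POINT *, const BIGNUM *, u_char *, size_t *);
 
-int kex_c25519_hash(int, const char *, const char *, const char *, size_t,
- const char *, size_t, const u_char *, size_t, const u_char *, const u_char *,
+int kex_c25519_hash(int, const char *, const char *,
+ const u_char *, size_t, const u_char *, size_t,
+ const u_char *, size_t, const u_char *, const u_char *,
  const u_char *, size_t, u_char *, size_t *);
 
 void kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])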
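Review bot: The kex_c25519_hash prototype still lists its parameters by type only, and after this change it carries three consecutive `const u_char *, size_t` pairs, so a caller that swaps two of the buffers compiles without a diagnostic and the declaration gives no hint of the expected order. Carrying over the names the definition in kexc25519.c already uses would document it, e.g. `const u_char *ckexinit, size_t ckexinitlen, const u_char *skexinit, size_t skexinitlen,`. The neighbouring kex_ecdh_hash declaration uses the same unnamed style, so this is a style suggestion for the header rather than a defect in the change.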
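diff --git a/kexc25519.c b/kexc25519.c
index 8d8cd4a2b..0897b8c51 100644
--- a/kexc25519.c
+++ b/kexc25519.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexc25519.c,v 1.9 2015/03/26 07:00:04 djm Exp $ */
+/* $OpenBSD: kexc25519.c,v 1.10 2016/05/02 08:49:03 djm Exp $ */
 /*
  * Copyright (c) 2001, 2013 Markus Friedl. All rights reserved.
  * Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -86,8 +86,8 @@ kex_c25519_hash(
  int hash_alg,
  const char *client_version_string,
  const char *server_version_string,
- const char *ckexinit, size_t ckexinitlen,
- const char *skexinit, size_t skexinitlen,
+ const u_char *ckexinit, size_t ckexinitlen,
+ const u_char *skexinit, size_t skexinitlen,
  const u_char *serverhostkeyblob, size_t sbloblen,
  const u_char client_dh_pub[CURVE25519_SIZE],
  const u_char server_dh_pub[CURVE25519_SIZE],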
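diff --git a/monitor.c b/monitor.c
index 6b780e480..dce920c23 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.158 2016/03/07 19:02:43 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.159 2016/05/02 08:49:03 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -34,6 +34,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
 #ifdef HAVE_PATHS_H
 #include <paths.h>
 #endif
@@ -688,7 +689,8 @@ mm_answer_sign(int sock, Buffer *m)
  u_char *p = NULL, *signature = NULL;
  char *alg = NULL;
  size_t datlen, siglen, alglen;
- int r, keyid, is_proof = 0;
+ int r, is_proof = 0;
+ u_int keyid;
  const char proof_req[] = "hostkeys-prove-00@openssh.com";
 
  debug3("%s", __func__);
@@ -697,6 +699,8 @@ mm_answer_sign(int sock, Buffer *m)
  (r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
  (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
  fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ if (keyid > INT_MAX)
+ fatal("%s: invalid key ID", __func__);
 
  /*
  * Supported KEX types use SHA1 (20 bytes), SHA256 (32 bytes),
@@ -1289,7 +1293,8 @@ static int
 monitor_valid_userblob(u_char *data, u_int datalen)
 {
  Buffer b;
- char *p, *userstyle;
+ u_char *p;
+ char *userstyle, *cp;
  u_int len;
  int fail = 0;
 
@@ -1314,26 +1319,26 @@ monitor_valid_userblob(u_char *data, u_int datalen)
  }
  if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
  fail++;
- p = buffer_get_cstring(&b, NULL);
+ cp = buffer_get_cstring(&b, NULL);
  xasprintf(&userstyle, "%s%s%s", authctxt->user,
  authctxt->style ? ":" : "",
  authctxt->style ? authctxt->style : "");
- if (strcmp(userstyle, p) != 0) {
- logit("wrong user name passed to monitor: expected %s != %.100s",
- userstyle, p);
+ if (strcmp(userstyle, cp) != 0) {
+ logit("wrong user name passed to monitor: "
+ "expected %s != %.100s", userstyle, cp);
  fail++;
  }
  free(userstyle);
- free(p);
+ free(cp);
  buffer_skip_string(&b);
  if (datafellows & SSH_BUG_PKAUTH) {
  if (!buffer_get_char(&b))
  fail++;
  } else {
- p = buffer_get_cstring(&b, NULL);
- if (strcmp("publickey", p) != 0)
+ cp = buffer_get_cstring(&b, NULL);
+ if (strcmp("publickey", cp) != 0)
  fail++;
- free(p);
+ free(cp);
  if (!buffer_get_char(&b))
  fail++;
  buffer_skip_string(&b);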
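Review bot: The new `if (keyid > INT_MAX)` check in mm_answer_sign carries no comment saying what it protects, and both the read of keyid and its later use lie outside the visible hunks. The value is parsed from the request buffer `m`, so presumably it is later handed to a lookup that takes an `int`, where a larger value would turn negative. Once that is confirmed against the lookup call, a comment such as `/* keyid comes from the request; reject values that do not fit the int used for host key lookup */` would record the reason. The check only bounds the type, so the range check against the number of loaded host keys has to live in that lookup.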
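diff --git a/servconf.c b/servconf.c
index ba39dce1d..6111c5a94 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.286 2016/03/07 19:02:43 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.287 2016/05/02 08:49:03 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -2059,7 +2059,8 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
 
  debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
 
- obuf = cbuf = xstrdup(buffer_ptr(conf));
+ if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
+ fatal("%s: sshbuf_dup_string failed", __func__);
  active = connectinfo ? 0 : 1;
  linenum = 1;
  while ((cp = strsep(&cbuf, "\n")) != NULL) {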
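Review bot: The fatal() added in parse_server_config reports only `sshbuf_dup_string failed`, although per sshbuf-misc.c in this commit the helper returns NULL both on allocation failure and when the buffer holds a NUL anywhere but its last byte. A configuration containing a stray NUL therefore now stops with a message that names neither the file nor the cause, where the old `xstrdup(buffer_ptr(conf))` would have silently parsed only the text before the NUL. Failing is the safer outcome, but the message should say which input was rejected, e.g. `fatal("%s: sshbuf_dup_string failed for %s", __func__, filename);`. The function body continues outside the hunk.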
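diff --git a/sftp-client.c b/sftp-client.c
index cd990579e..faf14684c 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.122 2016/04/08 08:19:17 djm Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.123 2016/05/02 08:49:03 djm Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -515,8 +515,7 @@ do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag,
  struct sshbuf *msg;
  u_int count, id, i, expected_id, ents = 0;
  size_t handle_len;
- u_char type;
- char *handle;
+ u_char type, *handle;
  int status = SSH2_FX_FAILURE;
  int r;
 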
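Review bot: `u_char type, *handle;` in do_lsreaddir puts a scalar and a pointer in one declarator list, which is easy to misread as two bytes; two declarations, `u_char type;` and `u_char *handle;`, read more clearly. The uses of handle are outside the hunk, so whether every call that receives it now expects `u_char *` cannot be checked from the lines shown.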
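diff --git a/ssh-agent.c b/ssh-agent.c
index c38906d94..8aa25b30d 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.212 2016/02/15 09:47:49 dtucker Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.213 2016/05/02 08:49:03 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -144,8 +144,8 @@ char socket_dir[PATH_MAX];
 #define LOCK_SALT_SIZE 16
 #define LOCK_ROUNDS 1
 int locked = 0;
-char lock_passwd[LOCK_SIZE];
-char lock_salt[LOCK_SALT_SIZE];
+u_char lock_pwhash[LOCK_SIZE];
+u_char lock_salt[LOCK_SALT_SIZE];
 
 extern char *__progname;
 
@@ -677,7 +677,8 @@ static void
 process_lock_agent(SocketEntry *e, int lock)
 {
  int r, success = 0, delay;
- char *passwd, passwdhash[LOCK_SIZE];
+ char *passwd;
+ u_char passwdhash[LOCK_SIZE];
  static u_int fail_count = 0;
  size_t pwlen;
 
@@ -689,11 +690,11 @@ process_lock_agent(SocketEntry *e, int lock)
  if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt),
  passwdhash, sizeof(passwdhash), LOCK_ROUNDS) < 0)
  fatal("bcrypt_pbkdf");
- if (timingsafe_bcmp(passwdhash, lock_passwd, LOCK_SIZE) == 0) {
+ if (timingsafe_bcmp(passwdhash, lock_pwhash, LOCK_SIZE) == 0) {
  debug("agent unlocked");
  locked = 0;
  fail_count = 0;
- explicit_bzero(lock_passwd, sizeof(lock_passwd));
+ explicit_bzero(lock_pwhash, sizeof(lock_pwhash));
  success = 1;
  } else {
  /* delay in 0.1s increments up to 10s */
@@ -710,7 +711,7 @@ process_lock_agent(SocketEntry *e, int lock)
  locked = 1;
  arc4random_buf(lock_salt, sizeof(lock_salt));
  if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt),
- lock_passwd, sizeof(lock_passwd), LOCK_ROUNDS) < 0)
+ lock_pwhash, sizeof(lock_pwhash), LOCK_ROUNDS) < 0)
  fatal("bcrypt_pbkdf");
  success = 1;
  }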
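diff --git a/ssh-keygen.c b/ssh-keygen.c
index 478520123..079f10321 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.288 2016/02/15 09:47:49 dtucker Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.289 2016/05/02 08:49:03 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -883,7 +883,7 @@ do_fingerprint(struct passwd *pw)
  char *comment = NULL, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES];
  int i, invalid = 1;
  const char *path;
- long int lnum = 0;
+ u_long lnum = 0;
 
  if (!have_identity)
  ask_filename(pw, "Enter file in which the key is");
@@ -946,7 +946,7 @@ do_fingerprint(struct passwd *pw)
  }
  /* Retry after parsing leading hostname/key options */
  if (public == NULL && (public = try_read_key(&cp)) == NULL) {
- debug("%s:%ld: not a public key", path, lnum);
+ debug("%s:%lu: not a public key", path, lnum);
  continue;
  }
 
@@ -1920,7 +1920,7 @@ do_show_cert(struct passwd *pw)
  FILE *f;
  char *cp, line[SSH_MAX_PUBKEY_BYTES];
  const char *path;
- long int lnum = 0;
+ u_long lnum = 0;
 
  if (!have_identity)
  ask_filename(pw, "Enter file in which the key is");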
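Review bot: In do_show_cert the type of lnum changes to `u_long`, but no format string in that function is part of the hunk, unlike do_fingerprint where `%ld` became `%lu` alongside the type change. If do_show_cert prints lnum with `%ld` anywhere outside the visible lines, the signed/unsigned mismatch this commit is removing reappears there, so every use should read `%lu`. Both function bodies extend beyond the hunks shown, so this needs a check against the full file.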
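diff --git a/sshbuf-misc.c b/sshbuf-misc.c
index 3da4b80e7..15dcfbc79 100644
--- a/sshbuf-misc.c
+++ b/sshbuf-misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshbuf-misc.c,v 1.5 2015/10/05 17:11:21 djm Exp $ */
+/* $OpenBSD: sshbuf-misc.c,v 1.6 2016/05/02 08:49:03 djm Exp $ */
 /*
  * Copyright (c) 2011 Damien Miller
  *
@@ -136,3 +136,26 @@ sshbuf_b64tod(struct sshbuf *buf, const char *b64)
  return 0;
 }
 
+char *
+sshbuf_dup_string(struct sshbuf *buf)
+{
+ const u_char *p = NULL, *s = sshbuf_ptr(buf);
+ size_t l = sshbuf_len(buf);
+ char *r;
+
+ if (s == NULL || l > SIZE_MAX)
+ return NULL;
+ /* accept a nul only as the last character in the buffer */
+ if (l > 0 && (p = memchr(s, '\0', l)) != NULL) {
+ if (p != s + l - 1)
+ return NULL;
+ l--; /* the nul is put back below */
+ }
+ if ((r = malloc(l + 1)) == NULL)
+ return NULL;
+ if (l > 0)
+ memcpy(r, s, l);
+ r[l] = '\0';
+ return r;
+}
+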
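Review bot: The guard `l > SIZE_MAX` in sshbuf_dup_string can never be true because `l` is a `size_t`, so it does not protect the `malloc(l + 1)` further down; the one length for which `l + 1` wraps to zero is `l == SIZE_MAX`. Writing the test as `if (s == NULL || l == SIZE_MAX)` makes the overflow check effective and removes a comparison that compilers may flag as tautological. The buffer's own size limit probably keeps this unreachable in practice, but the limit is not visible here and a helper introduced for "better safety checking" should not depend on it.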
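diff --git a/sshbuf.h b/sshbuf.h
index 63495fbb0..52ff017cc 100644
--- a/sshbuf.h
+++ b/sshbuf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshbuf.h,v 1.6 2015/12/10 07:01:35 mmcc Exp $ */
+/* $OpenBSD: sshbuf.h,v 1.7 2016/05/02 08:49:03 djm Exp $ */
 /*
  * Copyright (c) 2011 Damien Miller
  *
@@ -239,6 +239,13 @@ char *sshbuf_dtob64(struct sshbuf *buf);
 /* Decode base64 data and append it to the buffer */
 int sshbuf_b64tod(struct sshbuf *buf, const char *b64);
 
+/*
+ * Duplicate the contents of a buffer to a string (caller to free).
+ * Returns NULL on buffer error, or if the buffer contains a premature
+ * nul character.
+ */
+char *sshbuf_dup_string(struct sshbuf *buf);
+
 /* Macros for decoding/encoding integers */
 #define PEEK_U64(p) \
  (((u_int64_t)(((const u_char *)(p))[0]) << 56) | \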
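Review bot: The comment on sshbuf_dup_string leaves out two things the implementation in sshbuf-misc.c does: a single NUL in the last byte of the buffer is accepted and not duplicated in the result, and NULL is also returned when malloc fails. Every caller in this commit treats NULL as fatal, so the header should list each cause a caller may hit. I would extend the comment to say that one trailing NUL is tolerated and that NULL is returned on allocation failure as well as on a buffer error or an embedded NUL.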
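diff --git a/sshconnect2.c b/sshconnect2.c
index f7d0644e8..1dddf75aa 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.241 2016/04/28 14:30:21 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.242 2016/05/02 08:49:03 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1922,8 +1922,8 @@ authmethods_get(void)
  buffer_append(&b, method->name, strlen(method->name));
  }
  }
- buffer_append(&b, "\0", 1);
- list = xstrdup(buffer_ptr(&b));
+ if ((list = sshbuf_dup_string(&b)) == NULL)
+ fatal("%s: sshbuf_dup_string failed", __func__);
  buffer_free(&b);
  return list;
 }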
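diff --git a/sshd.c b/sshd.c
index d21aed515..8b8af2494 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.466 2016/03/07 19:02:43 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.467 2016/05/02 08:49:03 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -845,8 +845,8 @@ list_hostkey_types(void)
  break;
  }
  }
- buffer_append(&b, "\0", 1);
- ret = xstrdup(buffer_ptr(&b));
+ if ((ret = sshbuf_dup_string(&b)) == NULL)
+ fatal("%s: sshbuf_dup_string failed", __func__);
  buffer_free(&b);
  debug("list_hostkey_types: %s", ret);
  return ret;
@@ -1027,12 +1027,13 @@ usage(void)
 }
 
 static void
-send_rexec_state(int fd, Buffer *conf)
+send_rexec_state(int fd, struct sshbuf *conf)
 {
- Buffer m;
+ struct sshbuf *m;
+ int r;
 
- debug3("%s: entering fd = %d config len %d", __func__, fd,
- buffer_len(conf));
+ debug3("%s: entering fd = %d config len %zu", __func__, fd,
+ sshbuf_len(conf));
 
  /*
  * Protocol from reexec master to child:
@@ -1046,31 +1047,41 @@ send_rexec_state(int fd, Buffer *conf)
  * bignum q "
  * string rngseed (only if OpenSSL is not self-seeded)
  */
- buffer_init(&m);
- buffer_put_cstring(&m, buffer_ptr(conf));
+ if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshbuf_put_stringb(m, conf)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
 
 #ifdef WITH_SSH1
  if (sensitive_data.server_key != NULL &&
  sensitive_data.server_key->type == KEY_RSA1) {
- buffer_put_int(&m, 1);
- buffer_put_bignum(&m, sensitive_data.server_key->rsa->e);
- buffer_put_bignum(&m, sensitive_data.server_key->rsa->n);
- buffer_put_bignum(&m, sensitive_data.server_key->rsa->d);
- buffer_put_bignum(&m, sensitive_data.server_key->rsa->iqmp);
- buffer_put_bignum(&m, sensitive_data.server_key->rsa->p);
- buffer_put_bignum(&m, sensitive_data.server_key->rsa->q);
+ if ((r = sshbuf_put_u32(m, 1)) != 0 ||
+ (r = sshbuf_put_bignum1(m,
+ sensitive_data.server_key->rsa->e)) != 0 ||
+ (r = sshbuf_put_bignum1(m,
+ sensitive_data.server_key->rsa->n)) != 0 ||
+ (r = sshbuf_put_bignum1(m,
+ sensitive_data.server_key->rsa->d)) != 0 ||
+ (r = sshbuf_put_bignum1(m,
+ sensitive_data.server_key->rsa->iqmp)) != 0 ||
+ (r = sshbuf_put_bignum1(m,
+ sensitive_data.server_key->rsa->p)) != 0 ||
+ (r = sshbuf_put_bignum1(m,
+ sensitive_data.server_key->rsa->q)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
  } else
 #endif
- buffer_put_int(&m, 0);
+ if ((r = sshbuf_put_u32(m, 1)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
 
 #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
- rexec_send_rng_seed(&m);
+ rexec_send_rng_seed(m);
 #endif
 
- if (ssh_msg_send(fd, 0, &m) == -1)
+ if (ssh_msg_send(fd, 0, m) == -1)
  fatal("%s: ssh_msg_send failed", __func__);
 
- buffer_free(&m);
+ sshbuf_free(m);
 
  debug3("%s: done", __func__);
 }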
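Review bot: In send_rexec_state the branch taken when no SSH1 server key is sent now writes `sshbuf_put_u32(m, 1)`, where the line it replaces wrote `buffer_put_int(&m, 0)`; the key-present branch above also writes 1, so the two cases are no longer distinguishable in the message. The receiving code is not on this page, but if it still treats a non-zero value as "key follows" it will try to parse bignums that were never sent. The line should read `if ((r = sshbuf_put_u32(m, 0)) != 0)`. Separately, `sshbuf_put_stringb(m, conf)` sends the whole buffer including any trailing NUL, whereas `buffer_put_cstring(&m, buffer_ptr(conf))` stopped at the first NUL, so the reader's handling of the config string should be checked against that too.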