summaryrefslogtreecommitdiff
path: root/openbsd-compat
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2011-09-06 14:56:29 +0100
committerColin Watson <cjwatson@debian.org>2011-09-06 14:56:29 +0100
commit978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch)
tree89400a44e42d84937deba7864e4964d6c7734da5 /openbsd-compat
parent87c685b8c6a49814fd782288097b3093f975aa72 (diff)
parent3a7e89697ca363de0f64e0d5704c57219294e41c (diff)
* New upstream release (http://www.openssh.org/txt/release-5.9).
- Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. - Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt. - The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot (closes: #75043, #429243, #599240). - ssh(1) now warns when a server refuses X11 forwarding (closes: #504757). - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace (closes: #76312). The authorized_keys2 fallback is deprecated but documented (closes: #560156). - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4 ToS/DSCP (closes: #498297). - ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key" (closes: #229124). - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691). - Say "required" rather than "recommended" in unprotected-private-key warning (LP: #663455).
Diffstat (limited to 'openbsd-compat')
-rw-r--r--openbsd-compat/bsd-cygwin_util.c17
-rw-r--r--openbsd-compat/bsd-cygwin_util.h6
-rw-r--r--openbsd-compat/openssl-compat.c6
-rw-r--r--openbsd-compat/openssl-compat.h10
-rw-r--r--openbsd-compat/port-linux.c24
-rw-r--r--openbsd-compat/port-linux.h2
-rw-r--r--openbsd-compat/regress/closefromtest.c2
7 files changed, 33 insertions, 34 deletions
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index e9fa3a0e2..9eedc88d2 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -1,5 +1,5 @@
1/* 1/*
2 * Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com> 2 * Copyright (c) 2000, 2001, 2011 Corinna Vinschen <vinschen@redhat.com>
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
@@ -34,9 +34,6 @@
34#if defined(open) && open == binary_open 34#if defined(open) && open == binary_open
35# undef open 35# undef open
36#endif 36#endif
37#if defined(pipe) && open == binary_pipe
38# undef pipe
39#endif
40 37
41#include <sys/types.h> 38#include <sys/types.h>
42 39
@@ -59,18 +56,6 @@ binary_open(const char *filename, int flags, ...)
59 return (open(filename, flags | O_BINARY, mode)); 56 return (open(filename, flags | O_BINARY, mode));
60} 57}
61 58
62int
63binary_pipe(int fd[2])
64{
65 int ret = pipe(fd);
66
67 if (!ret) {
68 setmode(fd[0], O_BINARY);
69 setmode(fd[1], O_BINARY);
70 }
71 return (ret);
72}
73
74int 59int
75check_ntsec(const char *filename) 60check_ntsec(const char *filename)
76{ 61{
diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h
index 39b8eb788..48f64b740 100644
--- a/openbsd-compat/bsd-cygwin_util.h
+++ b/openbsd-compat/bsd-cygwin_util.h
@@ -1,7 +1,7 @@
1/* $Id: bsd-cygwin_util.h,v 1.12 2009/03/08 00:40:28 dtucker Exp $ */ 1/* $Id: bsd-cygwin_util.h,v 1.13 2011/08/17 01:31:09 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com> 4 * Copyright (c) 2000, 2001, 2011 Corinna Vinschen <vinschen@redhat.com>
5 * 5 *
6 * Redistribution and use in source and binary forms, with or without 6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions 7 * modification, are permitted provided that the following conditions
@@ -41,13 +41,11 @@
41#include <io.h> 41#include <io.h>
42 42
43int binary_open(const char *, int , ...); 43int binary_open(const char *, int , ...);
44int binary_pipe(int fd[2]);
45int check_ntsec(const char *); 44int check_ntsec(const char *);
46char **fetch_windows_environment(void); 45char **fetch_windows_environment(void);
47void free_windows_environment(char **); 46void free_windows_environment(char **);
48 47
49#define open binary_open 48#define open binary_open
50#define pipe binary_pipe
51 49
52#endif /* HAVE_CYGWIN */ 50#endif /* HAVE_CYGWIN */
53 51
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index b617fdf19..5189cab61 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -1,4 +1,4 @@
1/* $Id: openssl-compat.c,v 1.13 2011/01/21 22:37:06 dtucker Exp $ */ 1/* $Id: openssl-compat.c,v 1.14 2011/05/10 01:13:38 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> 4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -134,9 +134,9 @@ RSA_get_default_method(void)
134 134
135#ifdef USE_OPENSSL_ENGINE 135#ifdef USE_OPENSSL_ENGINE
136void 136void
137ssh_SSLeay_add_all_algorithms(void) 137ssh_OpenSSL_add_all_algorithms(void)
138{ 138{
139 SSLeay_add_all_algorithms(); 139 OpenSSL_add_all_algorithms();
140 140
141 /* Enable use of crypto hardware */ 141 /* Enable use of crypto hardware */
142 ENGINE_load_builtin_engines(); 142 ENGINE_load_builtin_engines();
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 6d4f3f215..c5fc24eb4 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
1/* $Id: openssl-compat.h,v 1.18 2011/01/21 22:37:06 dtucker Exp $ */ 1/* $Id: openssl-compat.h,v 1.19 2011/05/10 01:13:38 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> 4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -106,10 +106,10 @@ RSA_METHOD *RSA_get_default_method(void);
106# endif 106# endif
107 107
108# ifdef USE_OPENSSL_ENGINE 108# ifdef USE_OPENSSL_ENGINE
109# ifdef SSLeay_add_all_algorithms 109# ifdef OpenSSL_add_all_algorithms
110# undef SSLeay_add_all_algorithms 110# undef OpenSSL_add_all_algorithms
111# endif 111# endif
112# define SSLeay_add_all_algorithms() ssh_SSLeay_add_all_algorithms() 112# define OpenSSL_add_all_algorithms() ssh_OpenSSL_add_all_algorithms()
113# endif 113# endif
114 114
115# ifndef HAVE_BN_IS_PRIME_EX 115# ifndef HAVE_BN_IS_PRIME_EX
@@ -129,6 +129,6 @@ int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
129 unsigned char *, int); 129 unsigned char *, int);
130int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int); 130int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
131int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *); 131int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
132void ssh_SSLeay_add_all_algorithms(void); 132void ssh_OpenSSL_add_all_algorithms(void);
133#endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ 133#endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
134 134
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index dc8b1fa55..ef91e4446 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -1,4 +1,4 @@
1/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */ 1/* $Id: port-linux.c,v 1.16 2011/08/29 06:09:57 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> 4 * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@@ -44,6 +44,10 @@
44#include <selinux/flask.h> 44#include <selinux/flask.h>
45#include <selinux/get_context_list.h> 45#include <selinux/get_context_list.h>
46 46
47#ifndef SSH_SELINUX_UNCONFINED_TYPE
48# define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
49#endif
50
47/* Wrapper around is_selinux_enabled() to log its return value once only */ 51/* Wrapper around is_selinux_enabled() to log its return value once only */
48int 52int
49ssh_selinux_enabled(void) 53ssh_selinux_enabled(void)
@@ -190,12 +194,13 @@ ssh_selinux_change_context(const char *newname)
190{ 194{
191 int len, newlen; 195 int len, newlen;
192 char *oldctx, *newctx, *cx; 196 char *oldctx, *newctx, *cx;
197 void (*switchlog) (const char *fmt,...) = logit;
193 198
194 if (!ssh_selinux_enabled()) 199 if (!ssh_selinux_enabled())
195 return; 200 return;
196 201
197 if (getcon((security_context_t *)&oldctx) < 0) { 202 if (getcon((security_context_t *)&oldctx) < 0) {
198 logit("%s: getcon failed with %s", __func__, strerror (errno)); 203 logit("%s: getcon failed with %s", __func__, strerror(errno));
199 return; 204 return;
200 } 205 }
201 if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) == 206 if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) ==
@@ -204,6 +209,14 @@ ssh_selinux_change_context(const char *newname)
204 return; 209 return;
205 } 210 }
206 211
212 /*
213 * Check whether we are attempting to switch away from an unconfined
214 * security context.
215 */
216 if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE,
217 sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0)
218 switchlog = debug3;
219
207 newlen = strlen(oldctx) + strlen(newname) + 1; 220 newlen = strlen(oldctx) + strlen(newname) + 1;
208 newctx = xmalloc(newlen); 221 newctx = xmalloc(newlen);
209 len = cx - oldctx + 1; 222 len = cx - oldctx + 1;
@@ -211,10 +224,11 @@ ssh_selinux_change_context(const char *newname)
211 strlcpy(newctx + len, newname, newlen - len); 224 strlcpy(newctx + len, newname, newlen - len);
212 if ((cx = index(cx + 1, ':'))) 225 if ((cx = index(cx + 1, ':')))
213 strlcat(newctx, cx, newlen); 226 strlcat(newctx, cx, newlen);
214 debug3("%s: setting context from '%s' to '%s'", __func__, oldctx, 227 debug3("%s: setting context from '%s' to '%s'", __func__,
215 newctx); 228 oldctx, newctx);
216 if (setcon(newctx) < 0) 229 if (setcon(newctx) < 0)
217 logit("%s: setcon failed with %s", __func__, strerror (errno)); 230 switchlog("%s: setcon %s from %s failed with %s", __func__,
231 newctx, oldctx, strerror(errno));
218 xfree(oldctx); 232 xfree(oldctx);
219 xfree(newctx); 233 xfree(newctx);
220} 234}
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index 3804fa2d1..80ce13ad9 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -1,4 +1,4 @@
1/* $Id: port-linux.h,v 1.4.10.1 2011/02/04 00:42:21 djm Exp $ */ 1/* $Id: port-linux.h,v 1.5 2011/01/25 01:16:18 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2006 Damien Miller <djm@openbsd.org> 4 * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
diff --git a/openbsd-compat/regress/closefromtest.c b/openbsd-compat/regress/closefromtest.c
index 145b09d7b..82ffeb9a7 100644
--- a/openbsd-compat/regress/closefromtest.c
+++ b/openbsd-compat/regress/closefromtest.c
@@ -24,6 +24,8 @@
24 24
25#define NUM_OPENS 10 25#define NUM_OPENS 10
26 26
27int closefrom(int);
28
27void 29void
28fail(char *msg) 30fail(char *msg)
29{ 31{