diff options
author | Colin Watson <cjwatson@debian.org> | 2014-10-07 12:13:50 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-10-07 12:13:50 +0100 |
commit | 487bdb3a5ef6075887b830ccb8a0b14f6da78e93 (patch) | |
tree | a2cff6fec1e6c4b4153a170a3e172cfe6bfdec46 /openbsd-compat | |
parent | 796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7 (diff) | |
parent | 28453d58058a4d60c3ebe7d7f0c31a510cbf6158 (diff) |
Import openssh_6.7p1.orig.tar.gz
Diffstat (limited to 'openbsd-compat')
-rw-r--r-- | openbsd-compat/Makefile.in | 4 | ||||
-rw-r--r-- | openbsd-compat/arc4random.c | 4 | ||||
-rw-r--r-- | openbsd-compat/bsd-cygwin_util.c | 16 | ||||
-rw-r--r-- | openbsd-compat/bsd-cygwin_util.h | 6 | ||||
-rw-r--r-- | openbsd-compat/bsd-snprintf.c | 4 | ||||
-rw-r--r-- | openbsd-compat/explicit_bzero.c | 26 | ||||
-rw-r--r-- | openbsd-compat/kludge-fd_set.c | 28 | ||||
-rw-r--r-- | openbsd-compat/openbsd-compat.h | 18 | ||||
-rw-r--r-- | openbsd-compat/openssl-compat.c | 166 | ||||
-rw-r--r-- | openbsd-compat/openssl-compat.h | 121 | ||||
-rw-r--r-- | openbsd-compat/port-uw.c | 1 | ||||
-rw-r--r-- | openbsd-compat/regress/Makefile.in | 6 | ||||
-rw-r--r-- | openbsd-compat/regress/opensslvertest.c | 69 |
13 files changed, 216 insertions, 253 deletions
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index 6ecfb93d5..ab1a3e315 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in | |||
@@ -1,4 +1,4 @@ | |||
1 | # $Id: Makefile.in,v 1.55 2014/02/04 00:37:50 djm Exp $ | 1 | # $Id: Makefile.in,v 1.56 2014/09/30 23:43:08 djm Exp $ |
2 | 2 | ||
3 | sysconfdir=@sysconfdir@ | 3 | sysconfdir=@sysconfdir@ |
4 | piddir=@piddir@ | 4 | piddir=@piddir@ |
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@ | |||
18 | 18 | ||
19 | OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o | 19 | OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o |
20 | 20 | ||
21 | COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o | 21 | COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o |
22 | 22 | ||
23 | PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o | 23 | PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o |
24 | 24 | ||
diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c index eac073cc0..09dbfda16 100644 --- a/openbsd-compat/arc4random.c +++ b/openbsd-compat/arc4random.c | |||
@@ -87,7 +87,7 @@ _rs_stir(void) | |||
87 | _rs_init(rnd, sizeof(rnd)); | 87 | _rs_init(rnd, sizeof(rnd)); |
88 | } else | 88 | } else |
89 | _rs_rekey(rnd, sizeof(rnd)); | 89 | _rs_rekey(rnd, sizeof(rnd)); |
90 | memset(rnd, 0, sizeof(rnd)); | 90 | explicit_bzero(rnd, sizeof(rnd)); |
91 | 91 | ||
92 | /* invalidate rs_buf */ | 92 | /* invalidate rs_buf */ |
93 | rs_have = 0; | 93 | rs_have = 0; |
@@ -229,7 +229,7 @@ arc4random_buf(void *_buf, size_t n) | |||
229 | buf[i] = r & 0xff; | 229 | buf[i] = r & 0xff; |
230 | r >>= 8; | 230 | r >>= 8; |
231 | } | 231 | } |
232 | i = r = 0; | 232 | explicit_bzero(&r, sizeof(r)); |
233 | } | 233 | } |
234 | #endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */ | 234 | #endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */ |
235 | 235 | ||
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c index 267e77a11..a2d82126d 100644 --- a/openbsd-compat/bsd-cygwin_util.c +++ b/openbsd-compat/bsd-cygwin_util.c | |||
@@ -57,6 +57,22 @@ check_ntsec(const char *filename) | |||
57 | return (pathconf(filename, _PC_POSIX_PERMISSIONS)); | 57 | return (pathconf(filename, _PC_POSIX_PERMISSIONS)); |
58 | } | 58 | } |
59 | 59 | ||
60 | const char * | ||
61 | cygwin_ssh_privsep_user() | ||
62 | { | ||
63 | static char cyg_privsep_user[DNLEN + UNLEN + 2]; | ||
64 | |||
65 | if (!cyg_privsep_user[0]) | ||
66 | { | ||
67 | #ifdef CW_CYGNAME_FROM_WINNAME | ||
68 | if (cygwin_internal (CW_CYGNAME_FROM_WINNAME, "sshd", cyg_privsep_user, | ||
69 | sizeof cyg_privsep_user) != 0) | ||
70 | #endif | ||
71 | strcpy (cyg_privsep_user, "sshd"); | ||
72 | } | ||
73 | return cyg_privsep_user; | ||
74 | } | ||
75 | |||
60 | #define NL(x) x, (sizeof (x) - 1) | 76 | #define NL(x) x, (sizeof (x) - 1) |
61 | #define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) | 77 | #define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) |
62 | 78 | ||
diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h index 1177366f1..79cb2a197 100644 --- a/openbsd-compat/bsd-cygwin_util.h +++ b/openbsd-compat/bsd-cygwin_util.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: bsd-cygwin_util.h,v 1.17 2014/01/18 10:04:00 dtucker Exp $ */ | 1 | /* $Id: bsd-cygwin_util.h,v 1.18 2014/05/27 04:34:43 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com> | 4 | * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com> |
@@ -39,6 +39,8 @@ | |||
39 | /* Avoid including windows headers. */ | 39 | /* Avoid including windows headers. */ |
40 | typedef void *HANDLE; | 40 | typedef void *HANDLE; |
41 | #define INVALID_HANDLE_VALUE ((HANDLE) -1) | 41 | #define INVALID_HANDLE_VALUE ((HANDLE) -1) |
42 | #define DNLEN 16 | ||
43 | #define UNLEN 256 | ||
42 | 44 | ||
43 | /* Cygwin functions for which declarations are only available when including | 45 | /* Cygwin functions for which declarations are only available when including |
44 | windows headers, so we have to define them here explicitely. */ | 46 | windows headers, so we have to define them here explicitely. */ |
@@ -48,6 +50,8 @@ extern void cygwin_set_impersonation_token (const HANDLE); | |||
48 | #include <sys/cygwin.h> | 50 | #include <sys/cygwin.h> |
49 | #include <io.h> | 51 | #include <io.h> |
50 | 52 | ||
53 | #define CYGWIN_SSH_PRIVSEP_USER (cygwin_ssh_privsep_user()) | ||
54 | const char *cygwin_ssh_privsep_user(); | ||
51 | 55 | ||
52 | int binary_open(const char *, int , ...); | 56 | int binary_open(const char *, int , ...); |
53 | int check_ntsec(const char *); | 57 | int check_ntsec(const char *); |
diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c index 975991e7f..23a635989 100644 --- a/openbsd-compat/bsd-snprintf.c +++ b/openbsd-compat/bsd-snprintf.c | |||
@@ -538,7 +538,7 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen, | |||
538 | } | 538 | } |
539 | while (*value && (cnt < max)) { | 539 | while (*value && (cnt < max)) { |
540 | DOPR_OUTCH(buffer, *currlen, maxlen, *value); | 540 | DOPR_OUTCH(buffer, *currlen, maxlen, *value); |
541 | *value++; | 541 | value++; |
542 | ++cnt; | 542 | ++cnt; |
543 | } | 543 | } |
544 | while ((padlen < 0) && (cnt < max)) { | 544 | while ((padlen < 0) && (cnt < max)) { |
@@ -553,7 +553,7 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen, | |||
553 | 553 | ||
554 | static int | 554 | static int |
555 | fmtint(char *buffer, size_t *currlen, size_t maxlen, | 555 | fmtint(char *buffer, size_t *currlen, size_t maxlen, |
556 | LLONG value, int base, int min, int max, int flags) | 556 | intmax_t value, int base, int min, int max, int flags) |
557 | { | 557 | { |
558 | int signvalue = 0; | 558 | int signvalue = 0; |
559 | unsigned LLONG uvalue; | 559 | unsigned LLONG uvalue; |
diff --git a/openbsd-compat/explicit_bzero.c b/openbsd-compat/explicit_bzero.c index b106741e5..3c85a4843 100644 --- a/openbsd-compat/explicit_bzero.c +++ b/openbsd-compat/explicit_bzero.c | |||
@@ -7,14 +7,34 @@ | |||
7 | 7 | ||
8 | #include "includes.h" | 8 | #include "includes.h" |
9 | 9 | ||
10 | /* | ||
11 | * explicit_bzero - don't let the compiler optimize away bzero | ||
12 | */ | ||
13 | |||
10 | #ifndef HAVE_EXPLICIT_BZERO | 14 | #ifndef HAVE_EXPLICIT_BZERO |
11 | 15 | ||
16 | #ifdef HAVE_MEMSET_S | ||
17 | |||
18 | void | ||
19 | explicit_bzero(void *p, size_t n) | ||
20 | { | ||
21 | (void)memset_s(p, n, 0, n); | ||
22 | } | ||
23 | |||
24 | #else /* HAVE_MEMSET_S */ | ||
25 | |||
12 | /* | 26 | /* |
13 | * explicit_bzero - don't let the compiler optimize away bzero | 27 | * Indirect bzero through a volatile pointer to hopefully avoid |
28 | * dead-store optimisation eliminating the call. | ||
14 | */ | 29 | */ |
30 | static void (* volatile ssh_bzero)(void *, size_t) = bzero; | ||
31 | |||
15 | void | 32 | void |
16 | explicit_bzero(void *p, size_t n) | 33 | explicit_bzero(void *p, size_t n) |
17 | { | 34 | { |
18 | bzero(p, n); | 35 | ssh_bzero(p, n); |
19 | } | 36 | } |
20 | #endif | 37 | |
38 | #endif /* HAVE_MEMSET_S */ | ||
39 | |||
40 | #endif /* HAVE_EXPLICIT_BZERO */ | ||
diff --git a/openbsd-compat/kludge-fd_set.c b/openbsd-compat/kludge-fd_set.c new file mode 100644 index 000000000..6c2ffb64b --- /dev/null +++ b/openbsd-compat/kludge-fd_set.c | |||
@@ -0,0 +1,28 @@ | |||
1 | /* Placed in the public domain. */ | ||
2 | |||
3 | /* | ||
4 | * _FORTIFY_SOURCE includes a misguided check for FD_SET(n)/FD_ISSET(b) | ||
5 | * where n > FD_SETSIZE. This breaks OpenSSH and other programs that | ||
6 | * explicitly allocate fd_sets. To avoid this, we wrap FD_SET in a | ||
7 | * function compiled without _FORTIFY_SOURCE. | ||
8 | */ | ||
9 | |||
10 | #include "config.h" | ||
11 | |||
12 | #if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE) | ||
13 | # include <features.h> | ||
14 | # if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ) | ||
15 | # if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) | ||
16 | # undef _FORTIFY_SOURCE | ||
17 | # undef __USE_FORTIFY_LEVEL | ||
18 | # include <sys/socket.h> | ||
19 | void kludge_FD_SET(int n, fd_set *set) { | ||
20 | FD_SET(n, set); | ||
21 | } | ||
22 | int kludge_FD_ISSET(int n, fd_set *set) { | ||
23 | return FD_ISSET(n, set); | ||
24 | } | ||
25 | # endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */ | ||
26 | # endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */ | ||
27 | #endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */ | ||
28 | |||
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index bc9888e31..ce6abae82 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: openbsd-compat.h,v 1.61 2014/02/04 00:18:23 djm Exp $ */ | 1 | /* $Id: openbsd-compat.h,v 1.62 2014/09/30 23:43:08 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 1999-2003 Damien Miller. All rights reserved. | 4 | * Copyright (c) 1999-2003 Damien Miller. All rights reserved. |
@@ -268,4 +268,20 @@ char *shadow_pw(struct passwd *pw); | |||
268 | #include "port-tun.h" | 268 | #include "port-tun.h" |
269 | #include "port-uw.h" | 269 | #include "port-uw.h" |
270 | 270 | ||
271 | /* _FORTIFY_SOURCE breaks FD_ISSET(n)/FD_SET(n) for n > FD_SETSIZE. Avoid. */ | ||
272 | #if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE) | ||
273 | # include <features.h> | ||
274 | # if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ) | ||
275 | # if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) | ||
276 | # include <sys/socket.h> /* Ensure include guard is defined */ | ||
277 | # undef FD_SET | ||
278 | # undef FD_ISSET | ||
279 | # define FD_SET(n, set) kludge_FD_SET(n, set) | ||
280 | # define FD_ISSET(n, set) kludge_FD_ISSET(n, set) | ||
281 | void kludge_FD_SET(int, fd_set *); | ||
282 | int kludge_FD_ISSET(int, fd_set *); | ||
283 | # endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */ | ||
284 | # endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */ | ||
285 | #endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */ | ||
286 | |||
271 | #endif /* _OPENBSD_COMPAT_H */ | 287 | #endif /* _OPENBSD_COMPAT_H */ |
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index 885c121f2..36570e4ad 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: openssl-compat.c,v 1.17 2014/02/13 05:38:33 dtucker Exp $ */ | 1 | /* $Id: openssl-compat.c,v 1.19 2014/07/02 05:28:07 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> | 4 | * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> |
@@ -16,6 +16,7 @@ | |||
16 | * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 16 | * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
17 | */ | 17 | */ |
18 | 18 | ||
19 | #define SSH_DONT_OVERLOAD_OPENSSL_FUNCS | ||
19 | #include "includes.h" | 20 | #include "includes.h" |
20 | 21 | ||
21 | #include <stdarg.h> | 22 | #include <stdarg.h> |
@@ -26,147 +27,44 @@ | |||
26 | # include <openssl/conf.h> | 27 | # include <openssl/conf.h> |
27 | #endif | 28 | #endif |
28 | 29 | ||
29 | #ifndef HAVE_RSA_GET_DEFAULT_METHOD | ||
30 | # include <openssl/rsa.h> | ||
31 | #endif | ||
32 | |||
33 | #include "log.h" | 30 | #include "log.h" |
34 | 31 | ||
35 | #define SSH_DONT_OVERLOAD_OPENSSL_FUNCS | ||
36 | #include "openssl-compat.h" | 32 | #include "openssl-compat.h" |
37 | 33 | ||
38 | #ifdef SSH_OLD_EVP | 34 | /* |
39 | int | 35 | * OpenSSL version numbers: MNNFFPPS: major minor fix patch status |
40 | ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type, | 36 | * We match major, minor, fix and status (not patch) for <1.0.0. |
41 | unsigned char *key, unsigned char *iv, int enc) | 37 | * After that, we acceptable compatible fix versions (so we |
42 | { | 38 | * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed |
43 | EVP_CipherInit(evp, type, key, iv, enc); | 39 | * within a patch series. |
44 | return 1; | 40 | */ |
45 | } | ||
46 | |||
47 | int | ||
48 | ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len) | ||
49 | { | ||
50 | EVP_Cipher(evp, dst, src, len); | ||
51 | return 1; | ||
52 | } | ||
53 | |||
54 | int | ||
55 | ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp) | ||
56 | { | ||
57 | EVP_CIPHER_CTX_cleanup(evp); | ||
58 | return 1; | ||
59 | } | ||
60 | #endif | ||
61 | |||
62 | #ifndef HAVE_EVP_DIGESTINIT_EX | ||
63 | int | ||
64 | EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine) | ||
65 | { | ||
66 | if (engine != NULL) | ||
67 | fatal("%s: ENGINE is not supported", __func__); | ||
68 | # ifdef OPENSSL_EVP_DIGESTUPDATE_VOID | ||
69 | EVP_DigestInit(ctx, md); | ||
70 | return 1; | ||
71 | # else | ||
72 | return EVP_DigestInit(ctx, md); | ||
73 | # endif | ||
74 | } | ||
75 | #endif | ||
76 | |||
77 | #ifndef HAVE_EVP_DIGESTFINAL_EX | ||
78 | int | ||
79 | EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s) | ||
80 | { | ||
81 | # ifdef OPENSSL_EVP_DIGESTUPDATE_VOID | ||
82 | EVP_DigestFinal(ctx, md, s); | ||
83 | return 1; | ||
84 | # else | ||
85 | return EVP_DigestFinal(ctx, md, s); | ||
86 | # endif | ||
87 | } | ||
88 | #endif | ||
89 | |||
90 | #ifdef OPENSSL_EVP_DIGESTUPDATE_VOID | ||
91 | int | ||
92 | ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt) | ||
93 | { | ||
94 | EVP_DigestUpdate(ctx, d, cnt); | ||
95 | return 1; | ||
96 | } | ||
97 | #endif | ||
98 | |||
99 | #ifndef HAVE_EVP_MD_CTX_COPY_EX | ||
100 | int | ||
101 | EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) | ||
102 | { | ||
103 | return EVP_MD_CTX_copy(out, in); | ||
104 | } | ||
105 | #endif | ||
106 | |||
107 | #ifndef HAVE_BN_IS_PRIME_EX | ||
108 | int | ||
109 | BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, void *cb) | ||
110 | { | ||
111 | if (cb != NULL) | ||
112 | fatal("%s: callback args not supported", __func__); | ||
113 | return BN_is_prime(p, nchecks, NULL, ctx, NULL); | ||
114 | } | ||
115 | #endif | ||
116 | |||
117 | #ifndef HAVE_RSA_GENERATE_KEY_EX | ||
118 | int | ||
119 | RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *bn_e, void *cb) | ||
120 | { | ||
121 | RSA *new_rsa, tmp_rsa; | ||
122 | unsigned long e; | ||
123 | |||
124 | if (cb != NULL) | ||
125 | fatal("%s: callback args not supported", __func__); | ||
126 | e = BN_get_word(bn_e); | ||
127 | if (e == 0xffffffffL) | ||
128 | fatal("%s: value of e too large", __func__); | ||
129 | new_rsa = RSA_generate_key(bits, e, NULL, NULL); | ||
130 | if (new_rsa == NULL) | ||
131 | return 0; | ||
132 | /* swap rsa/new_rsa then free new_rsa */ | ||
133 | tmp_rsa = *rsa; | ||
134 | *rsa = *new_rsa; | ||
135 | *new_rsa = tmp_rsa; | ||
136 | RSA_free(new_rsa); | ||
137 | return 1; | ||
138 | } | ||
139 | #endif | ||
140 | 41 | ||
141 | #ifndef HAVE_DSA_GENERATE_PARAMETERS_EX | ||
142 | int | 42 | int |
143 | DSA_generate_parameters_ex(DSA *dsa, int bits, const unsigned char *seed, | 43 | ssh_compatible_openssl(long headerver, long libver) |
144 | int seed_len, int *counter_ret, unsigned long *h_ret, void *cb) | ||
145 | { | 44 | { |
146 | DSA *new_dsa, tmp_dsa; | 45 | long mask, hfix, lfix; |
147 | 46 | ||
148 | if (cb != NULL) | 47 | /* exact match is always OK */ |
149 | fatal("%s: callback args not supported", __func__); | 48 | if (headerver == libver) |
150 | new_dsa = DSA_generate_parameters(bits, (unsigned char *)seed, seed_len, | 49 | return 1; |
151 | counter_ret, h_ret, NULL, NULL); | 50 | |
152 | if (new_dsa == NULL) | 51 | /* for versions < 1.0.0, major,minor,fix,status must match */ |
153 | return 0; | 52 | if (headerver < 0x1000000f) { |
154 | /* swap dsa/new_dsa then free new_dsa */ | 53 | mask = 0xfffff00fL; /* major,minor,fix,status */ |
155 | tmp_dsa = *dsa; | 54 | return (headerver & mask) == (libver & mask); |
156 | *dsa = *new_dsa; | 55 | } |
157 | *new_dsa = tmp_dsa; | 56 | |
158 | DSA_free(new_dsa); | 57 | /* |
159 | return 1; | 58 | * For versions >= 1.0.0, major,minor,status must match and library |
160 | } | 59 | * fix version must be equal to or newer than the header. |
161 | #endif | 60 | */ |
162 | 61 | mask = 0xfff0000fL; /* major,minor,status */ | |
163 | #ifndef HAVE_RSA_GET_DEFAULT_METHOD | 62 | hfix = (headerver & 0x000ff000) >> 12; |
164 | RSA_METHOD * | 63 | lfix = (libver & 0x000ff000) >> 12; |
165 | RSA_get_default_method(void) | 64 | if ( (headerver & mask) == (libver & mask) && lfix >= hfix) |
166 | { | 65 | return 1; |
167 | return RSA_PKCS1_SSLeay(); | 66 | return 0; |
168 | } | 67 | } |
169 | #endif | ||
170 | 68 | ||
171 | #ifdef USE_OPENSSL_ENGINE | 69 | #ifdef USE_OPENSSL_ENGINE |
172 | void | 70 | void |
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 276b9706d..3695d412b 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: openssl-compat.h,v 1.26 2014/02/13 05:38:33 dtucker Exp $ */ | 1 | /* $Id: openssl-compat.h,v 1.31 2014/08/29 18:18:29 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> | 4 | * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> |
@@ -16,28 +16,19 @@ | |||
16 | * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 16 | * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
17 | */ | 17 | */ |
18 | 18 | ||
19 | #ifndef _OPENSSL_COMPAT_H | ||
20 | #define _OPENSSL_COMPAT_H | ||
21 | |||
19 | #include "includes.h" | 22 | #include "includes.h" |
20 | #include <openssl/opensslv.h> | 23 | #include <openssl/opensslv.h> |
21 | #include <openssl/evp.h> | 24 | #include <openssl/evp.h> |
22 | #include <openssl/rsa.h> | 25 | #include <openssl/rsa.h> |
23 | #include <openssl/dsa.h> | 26 | #include <openssl/dsa.h> |
24 | 27 | ||
25 | /* Only in 0.9.8 */ | 28 | int ssh_compatible_openssl(long, long); |
26 | #ifndef OPENSSL_DSA_MAX_MODULUS_BITS | ||
27 | # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 | ||
28 | #endif | ||
29 | #ifndef OPENSSL_RSA_MAX_MODULUS_BITS | ||
30 | # define OPENSSL_RSA_MAX_MODULUS_BITS 16384 | ||
31 | #endif | ||
32 | |||
33 | /* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */ | ||
34 | #if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f) | ||
35 | # define OPENSSL_free(x) Free(x) | ||
36 | #endif | ||
37 | 29 | ||
38 | #if OPENSSL_VERSION_NUMBER < 0x00906000L | 30 | #if (OPENSSL_VERSION_NUMBER <= 0x0090805fL) |
39 | # define SSH_OLD_EVP | 31 | # error OpenSSL 0.9.8f or greater is required |
40 | # define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) | ||
41 | #endif | 32 | #endif |
42 | 33 | ||
43 | #if OPENSSL_VERSION_NUMBER < 0x10000001L | 34 | #if OPENSSL_VERSION_NUMBER < 0x10000001L |
@@ -46,27 +37,17 @@ | |||
46 | # define LIBCRYPTO_EVP_INL_TYPE size_t | 37 | # define LIBCRYPTO_EVP_INL_TYPE size_t |
47 | #endif | 38 | #endif |
48 | 39 | ||
49 | #if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES) | 40 | #ifndef OPENSSL_RSA_MAX_MODULUS_BITS |
50 | # define USE_BUILTIN_RIJNDAEL | 41 | # define OPENSSL_RSA_MAX_MODULUS_BITS 16384 |
51 | #endif | 42 | #endif |
52 | 43 | #ifndef OPENSSL_DSA_MAX_MODULUS_BITS | |
53 | #ifdef USE_BUILTIN_RIJNDAEL | 44 | # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 |
54 | # include "rijndael.h" | ||
55 | # define AES_KEY rijndael_ctx | ||
56 | # define AES_BLOCK_SIZE 16 | ||
57 | # define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b) | ||
58 | # define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1) | ||
59 | # define EVP_aes_128_cbc evp_rijndael | ||
60 | # define EVP_aes_192_cbc evp_rijndael | ||
61 | # define EVP_aes_256_cbc evp_rijndael | ||
62 | const EVP_CIPHER *evp_rijndael(void); | ||
63 | void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); | ||
64 | #endif | 45 | #endif |
65 | 46 | ||
66 | #ifndef OPENSSL_HAVE_EVPCTR | 47 | #ifndef OPENSSL_HAVE_EVPCTR |
67 | #define EVP_aes_128_ctr evp_aes_128_ctr | 48 | # define EVP_aes_128_ctr evp_aes_128_ctr |
68 | #define EVP_aes_192_ctr evp_aes_128_ctr | 49 | # define EVP_aes_192_ctr evp_aes_128_ctr |
69 | #define EVP_aes_256_ctr evp_aes_128_ctr | 50 | # define EVP_aes_256_ctr evp_aes_128_ctr |
70 | const EVP_CIPHER *evp_aes_128_ctr(void); | 51 | const EVP_CIPHER *evp_aes_128_ctr(void); |
71 | void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); | 52 | void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); |
72 | #endif | 53 | #endif |
@@ -88,26 +69,9 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); | |||
88 | # endif | 69 | # endif |
89 | #endif | 70 | #endif |
90 | 71 | ||
91 | #if OPENSSL_VERSION_NUMBER < 0x00907000L | ||
92 | #define EVP_X_STATE(evp) &(evp).c | ||
93 | #define EVP_X_STATE_LEN(evp) sizeof((evp).c) | ||
94 | #else | ||
95 | #define EVP_X_STATE(evp) (evp).cipher_data | ||
96 | #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size | ||
97 | #endif | ||
98 | |||
99 | /* OpenSSL 0.9.8e returns cipher key len not context key len */ | ||
100 | #if (OPENSSL_VERSION_NUMBER == 0x0090805fL) | ||
101 | # define EVP_CIPHER_CTX_key_length(c) ((c)->key_len) | ||
102 | #endif | ||
103 | |||
104 | #ifndef HAVE_RSA_GET_DEFAULT_METHOD | ||
105 | RSA_METHOD *RSA_get_default_method(void); | ||
106 | #endif | ||
107 | |||
108 | /* | 72 | /* |
109 | * We overload some of the OpenSSL crypto functions with ssh_* equivalents | 73 | * We overload some of the OpenSSL crypto functions with ssh_* equivalents |
110 | * which cater for older and/or less featureful OpenSSL version. | 74 | * to automatically handle OpenSSL engine initialisation. |
111 | * | 75 | * |
112 | * In order for the compat library to call the real functions, it must | 76 | * In order for the compat library to call the real functions, it must |
113 | * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and | 77 | * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and |
@@ -115,19 +79,6 @@ RSA_METHOD *RSA_get_default_method(void); | |||
115 | */ | 79 | */ |
116 | #ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS | 80 | #ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS |
117 | 81 | ||
118 | # ifdef SSH_OLD_EVP | ||
119 | # ifdef EVP_Cipher | ||
120 | # undef EVP_Cipher | ||
121 | # endif | ||
122 | # define EVP_CipherInit(a,b,c,d,e) ssh_EVP_CipherInit((a),(b),(c),(d),(e)) | ||
123 | # define EVP_Cipher(a,b,c,d) ssh_EVP_Cipher((a),(b),(c),(d)) | ||
124 | # define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a)) | ||
125 | # endif /* SSH_OLD_EVP */ | ||
126 | |||
127 | # ifdef OPENSSL_EVP_DIGESTUPDATE_VOID | ||
128 | # define EVP_DigestUpdate(a,b,c) ssh_EVP_DigestUpdate((a),(b),(c)) | ||
129 | # endif | ||
130 | |||
131 | # ifdef USE_OPENSSL_ENGINE | 82 | # ifdef USE_OPENSSL_ENGINE |
132 | # ifdef OpenSSL_add_all_algorithms | 83 | # ifdef OpenSSL_add_all_algorithms |
133 | # undef OpenSSL_add_all_algorithms | 84 | # undef OpenSSL_add_all_algorithms |
@@ -135,48 +86,8 @@ RSA_METHOD *RSA_get_default_method(void); | |||
135 | # define OpenSSL_add_all_algorithms() ssh_OpenSSL_add_all_algorithms() | 86 | # define OpenSSL_add_all_algorithms() ssh_OpenSSL_add_all_algorithms() |
136 | # endif | 87 | # endif |
137 | 88 | ||
138 | # ifndef HAVE_BN_IS_PRIME_EX | ||
139 | int BN_is_prime_ex(const BIGNUM *, int, BN_CTX *, void *); | ||
140 | # endif | ||
141 | |||
142 | # ifndef HAVE_DSA_GENERATE_PARAMETERS_EX | ||
143 | int DSA_generate_parameters_ex(DSA *, int, const unsigned char *, int, int *, | ||
144 | unsigned long *, void *); | ||
145 | # endif | ||
146 | |||
147 | # ifndef HAVE_RSA_GENERATE_KEY_EX | ||
148 | int RSA_generate_key_ex(RSA *, int, BIGNUM *, void *); | ||
149 | # endif | ||
150 | |||
151 | # ifndef HAVE_EVP_DIGESTINIT_EX | ||
152 | int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, void *); | ||
153 | # endif | ||
154 | |||
155 | # ifndef HAVE_EVP_DISESTFINAL_EX | ||
156 | int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *); | ||
157 | # endif | ||
158 | |||
159 | # ifndef EVP_MD_CTX_COPY_EX | ||
160 | int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *); | ||
161 | # endif | ||
162 | |||
163 | int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *, | ||
164 | unsigned char *, int); | ||
165 | int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int); | ||
166 | int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *); | ||
167 | void ssh_OpenSSL_add_all_algorithms(void); | 89 | void ssh_OpenSSL_add_all_algorithms(void); |
168 | 90 | ||
169 | # ifndef HAVE_HMAC_CTX_INIT | ||
170 | # define HMAC_CTX_init(a) | ||
171 | # endif | ||
172 | |||
173 | # ifndef HAVE_EVP_MD_CTX_INIT | ||
174 | # define EVP_MD_CTX_init(a) | ||
175 | # endif | ||
176 | |||
177 | # ifndef HAVE_EVP_MD_CTX_CLEANUP | ||
178 | # define EVP_MD_CTX_cleanup(a) | ||
179 | # endif | ||
180 | |||
181 | #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ | 91 | #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ |
182 | 92 | ||
93 | #endif /* _OPENSSL_COMPAT_H */ | ||
diff --git a/openbsd-compat/port-uw.c b/openbsd-compat/port-uw.c index b1fbfa208..db24dbb94 100644 --- a/openbsd-compat/port-uw.c +++ b/openbsd-compat/port-uw.c | |||
@@ -42,6 +42,7 @@ | |||
42 | #include "key.h" | 42 | #include "key.h" |
43 | #include "auth-options.h" | 43 | #include "auth-options.h" |
44 | #include "log.h" | 44 | #include "log.h" |
45 | #include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ | ||
45 | #include "servconf.h" | 46 | #include "servconf.h" |
46 | #include "hostfile.h" | 47 | #include "hostfile.h" |
47 | #include "auth.h" | 48 | #include "auth.h" |
diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in index bcf214bd0..dabdb0912 100644 --- a/openbsd-compat/regress/Makefile.in +++ b/openbsd-compat/regress/Makefile.in | |||
@@ -1,4 +1,4 @@ | |||
1 | # $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $ | 1 | # $Id: Makefile.in,v 1.5 2014/06/17 13:06:08 dtucker Exp $ |
2 | 2 | ||
3 | sysconfdir=@sysconfdir@ | 3 | sysconfdir=@sysconfdir@ |
4 | piddir=@piddir@ | 4 | piddir=@piddir@ |
@@ -16,11 +16,11 @@ LIBS=@LIBS@ | |||
16 | LDFLAGS=@LDFLAGS@ $(LIBCOMPAT) | 16 | LDFLAGS=@LDFLAGS@ $(LIBCOMPAT) |
17 | 17 | ||
18 | TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \ | 18 | TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \ |
19 | strtonumtest$(EXEEXT) | 19 | strtonumtest$(EXEEXT) opensslvertest$(EXEEXT) |
20 | 20 | ||
21 | all: t-exec ${OTHERTESTS} | 21 | all: t-exec ${OTHERTESTS} |
22 | 22 | ||
23 | %$(EXEEXT): %.c | 23 | %$(EXEEXT): %.c $(LIBCOMPAT) |
24 | $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS) | 24 | $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS) |
25 | 25 | ||
26 | t-exec: $(TESTPROGS) | 26 | t-exec: $(TESTPROGS) |
diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c new file mode 100644 index 000000000..5d019b598 --- /dev/null +++ b/openbsd-compat/regress/opensslvertest.c | |||
@@ -0,0 +1,69 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2014 Darren Tucker | ||
3 | * | ||
4 | * Permission to use, copy, modify, and distribute this software for any | ||
5 | * purpose with or without fee is hereby granted, provided that the above | ||
6 | * copyright notice and this permission notice appear in all copies. | ||
7 | * | ||
8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
15 | */ | ||
16 | |||
17 | #include <stdio.h> | ||
18 | #include <stdlib.h> | ||
19 | |||
20 | int ssh_compatible_openssl(long, long); | ||
21 | |||
22 | struct version_test { | ||
23 | long headerver; | ||
24 | long libver; | ||
25 | int result; | ||
26 | } version_tests[] = { | ||
27 | /* built with 0.9.8b release headers */ | ||
28 | { 0x0090802fL, 0x0090802fL, 1}, /* exact match */ | ||
29 | { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */ | ||
30 | { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */ | ||
31 | { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */ | ||
32 | { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */ | ||
33 | { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */ | ||
34 | { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */ | ||
35 | |||
36 | /* built with 1.0.1b release headers */ | ||
37 | { 0x1000101fL, 0x1000101fL, 1},/* exact match */ | ||
38 | { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */ | ||
39 | { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */ | ||
40 | { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */ | ||
41 | { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */ | ||
42 | { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */ | ||
43 | { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */ | ||
44 | { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */ | ||
45 | }; | ||
46 | |||
47 | void | ||
48 | fail(long hver, long lver, int result) | ||
49 | { | ||
50 | fprintf(stderr, "opensslver: header %lx library %lx != %d \n", hver, lver, result); | ||
51 | exit(1); | ||
52 | } | ||
53 | |||
54 | int | ||
55 | main(void) | ||
56 | { | ||
57 | unsigned int i; | ||
58 | int res; | ||
59 | long hver, lver; | ||
60 | |||
61 | for (i = 0; i < sizeof(version_tests) / sizeof(version_tests[0]); i++) { | ||
62 | hver = version_tests[i].headerver; | ||
63 | lver = version_tests[i].libver; | ||
64 | res = version_tests[i].result; | ||
65 | if (ssh_compatible_openssl(hver, lver) != res) | ||
66 | fail(hver, lver, res); | ||
67 | } | ||
68 | exit(0); | ||
69 | } | ||