diff options
Diffstat (limited to 'sshd.c')
-rw-r--r-- | sshd.c | 41 |
1 files changed, 23 insertions, 18 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshd.c,v 1.533 2019/03/01 02:32:39 djm Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.537 2019/06/28 13:35:04 deraadt Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -345,7 +345,7 @@ main_sigchld_handler(int sig) | |||
345 | int status; | 345 | int status; |
346 | 346 | ||
347 | while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || | 347 | while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || |
348 | (pid < 0 && errno == EINTR)) | 348 | (pid == -1 && errno == EINTR)) |
349 | ; | 349 | ; |
350 | errno = save_errno; | 350 | errno = save_errno; |
351 | } | 351 | } |
@@ -468,7 +468,7 @@ privsep_preauth_child(void) | |||
468 | debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid, | 468 | debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid, |
469 | (u_int)privsep_pw->pw_gid); | 469 | (u_int)privsep_pw->pw_gid); |
470 | gidset[0] = privsep_pw->pw_gid; | 470 | gidset[0] = privsep_pw->pw_gid; |
471 | if (setgroups(1, gidset) < 0) | 471 | if (setgroups(1, gidset) == -1) |
472 | fatal("setgroups: %.100s", strerror(errno)); | 472 | fatal("setgroups: %.100s", strerror(errno)); |
473 | permanently_set_uid(privsep_pw); | 473 | permanently_set_uid(privsep_pw); |
474 | } | 474 | } |
@@ -508,7 +508,7 @@ privsep_preauth(struct ssh *ssh) | |||
508 | monitor_child_preauth(ssh, pmonitor); | 508 | monitor_child_preauth(ssh, pmonitor); |
509 | 509 | ||
510 | /* Wait for the child's exit status */ | 510 | /* Wait for the child's exit status */ |
511 | while (waitpid(pid, &status, 0) < 0) { | 511 | while (waitpid(pid, &status, 0) == -1) { |
512 | if (errno == EINTR) | 512 | if (errno == EINTR) |
513 | continue; | 513 | continue; |
514 | pmonitor->m_pid = -1; | 514 | pmonitor->m_pid = -1; |
@@ -967,7 +967,7 @@ listen_on_addrs(struct listenaddr *la) | |||
967 | /* Create socket for listening. */ | 967 | /* Create socket for listening. */ |
968 | listen_sock = socket(ai->ai_family, ai->ai_socktype, | 968 | listen_sock = socket(ai->ai_family, ai->ai_socktype, |
969 | ai->ai_protocol); | 969 | ai->ai_protocol); |
970 | if (listen_sock < 0) { | 970 | if (listen_sock == -1) { |
971 | /* kernel may not support ipv6 */ | 971 | /* kernel may not support ipv6 */ |
972 | verbose("socket: %.100s", strerror(errno)); | 972 | verbose("socket: %.100s", strerror(errno)); |
973 | continue; | 973 | continue; |
@@ -996,7 +996,7 @@ listen_on_addrs(struct listenaddr *la) | |||
996 | debug("Bind to port %s on %s.", strport, ntop); | 996 | debug("Bind to port %s on %s.", strport, ntop); |
997 | 997 | ||
998 | /* Bind the socket to the desired port. */ | 998 | /* Bind the socket to the desired port. */ |
999 | if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { | 999 | if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { |
1000 | error("Bind to port %s on %s failed: %.200s.", | 1000 | error("Bind to port %s on %s failed: %.200s.", |
1001 | strport, ntop, strerror(errno)); | 1001 | strport, ntop, strerror(errno)); |
1002 | close(listen_sock); | 1002 | close(listen_sock); |
@@ -1006,7 +1006,7 @@ listen_on_addrs(struct listenaddr *la) | |||
1006 | num_listen_socks++; | 1006 | num_listen_socks++; |
1007 | 1007 | ||
1008 | /* Start listening on the port. */ | 1008 | /* Start listening on the port. */ |
1009 | if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0) | 1009 | if (listen(listen_sock, SSH_LISTEN_BACKLOG) == -1) |
1010 | fatal("listen on [%s]:%s: %.100s", | 1010 | fatal("listen on [%s]:%s: %.100s", |
1011 | ntop, strport, strerror(errno)); | 1011 | ntop, strport, strerror(errno)); |
1012 | logit("Server listening on %s port %s%s%s.", | 1012 | logit("Server listening on %s port %s%s%s.", |
@@ -1091,7 +1091,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
1091 | 1091 | ||
1092 | /* Wait in select until there is a connection. */ | 1092 | /* Wait in select until there is a connection. */ |
1093 | ret = select(maxfd+1, fdset, NULL, NULL, NULL); | 1093 | ret = select(maxfd+1, fdset, NULL, NULL, NULL); |
1094 | if (ret < 0 && errno != EINTR) | 1094 | if (ret == -1 && errno != EINTR) |
1095 | error("select: %.100s", strerror(errno)); | 1095 | error("select: %.100s", strerror(errno)); |
1096 | if (received_sigterm) { | 1096 | if (received_sigterm) { |
1097 | logit("Received signal %d; terminating.", | 1097 | logit("Received signal %d; terminating.", |
@@ -1101,7 +1101,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
1101 | unlink(options.pid_file); | 1101 | unlink(options.pid_file); |
1102 | exit(received_sigterm == SIGTERM ? 0 : 255); | 1102 | exit(received_sigterm == SIGTERM ? 0 : 255); |
1103 | } | 1103 | } |
1104 | if (ret < 0) | 1104 | if (ret == -1) |
1105 | continue; | 1105 | continue; |
1106 | 1106 | ||
1107 | for (i = 0; i < options.max_startups; i++) { | 1107 | for (i = 0; i < options.max_startups; i++) { |
@@ -1141,7 +1141,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
1141 | fromlen = sizeof(from); | 1141 | fromlen = sizeof(from); |
1142 | *newsock = accept(listen_socks[i], | 1142 | *newsock = accept(listen_socks[i], |
1143 | (struct sockaddr *)&from, &fromlen); | 1143 | (struct sockaddr *)&from, &fromlen); |
1144 | if (*newsock < 0) { | 1144 | if (*newsock == -1) { |
1145 | if (errno != EINTR && errno != EWOULDBLOCK && | 1145 | if (errno != EINTR && errno != EWOULDBLOCK && |
1146 | errno != ECONNABORTED && errno != EAGAIN) | 1146 | errno != ECONNABORTED && errno != EAGAIN) |
1147 | error("accept: %.100s", | 1147 | error("accept: %.100s", |
@@ -1261,7 +1261,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
1261 | 1261 | ||
1262 | /* Parent. Stay in the loop. */ | 1262 | /* Parent. Stay in the loop. */ |
1263 | platform_post_fork_parent(pid); | 1263 | platform_post_fork_parent(pid); |
1264 | if (pid < 0) | 1264 | if (pid == -1) |
1265 | error("fork: %.100s", strerror(errno)); | 1265 | error("fork: %.100s", strerror(errno)); |
1266 | else | 1266 | else |
1267 | debug("Forked child %ld.", (long)pid); | 1267 | debug("Forked child %ld.", (long)pid); |
@@ -1314,7 +1314,7 @@ check_ip_options(struct ssh *ssh) | |||
1314 | 1314 | ||
1315 | memset(&from, 0, sizeof(from)); | 1315 | memset(&from, 0, sizeof(from)); |
1316 | if (getpeername(sock_in, (struct sockaddr *)&from, | 1316 | if (getpeername(sock_in, (struct sockaddr *)&from, |
1317 | &fromlen) < 0) | 1317 | &fromlen) == -1) |
1318 | return; | 1318 | return; |
1319 | if (from.ss_family != AF_INET) | 1319 | if (from.ss_family != AF_INET) |
1320 | return; | 1320 | return; |
@@ -1375,7 +1375,7 @@ set_process_rdomain(struct ssh *ssh, const char *name) | |||
1375 | 1375 | ||
1376 | static void | 1376 | static void |
1377 | accumulate_host_timing_secret(struct sshbuf *server_cfg, | 1377 | accumulate_host_timing_secret(struct sshbuf *server_cfg, |
1378 | const struct sshkey *key) | 1378 | struct sshkey *key) |
1379 | { | 1379 | { |
1380 | static struct ssh_digest_ctx *ctx; | 1380 | static struct ssh_digest_ctx *ctx; |
1381 | u_char *hash; | 1381 | u_char *hash; |
@@ -1433,8 +1433,6 @@ main(int ac, char **av) | |||
1433 | Authctxt *authctxt; | 1433 | Authctxt *authctxt; |
1434 | struct connection_info *connection_info = NULL; | 1434 | struct connection_info *connection_info = NULL; |
1435 | 1435 | ||
1436 | ssh_malloc_init(); /* must be called before any mallocs */ | ||
1437 | |||
1438 | #ifdef HAVE_SECUREWARE | 1436 | #ifdef HAVE_SECUREWARE |
1439 | (void)set_auth_parameters(ac, av); | 1437 | (void)set_auth_parameters(ac, av); |
1440 | #endif | 1438 | #endif |
@@ -1725,6 +1723,12 @@ main(int ac, char **av) | |||
1725 | &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) | 1723 | &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) |
1726 | do_log2(ll, "Unable to load host key \"%s\": %s", | 1724 | do_log2(ll, "Unable to load host key \"%s\": %s", |
1727 | options.host_key_files[i], ssh_err(r)); | 1725 | options.host_key_files[i], ssh_err(r)); |
1726 | if (r == 0 && (r = sshkey_shield_private(key)) != 0) { | ||
1727 | do_log2(ll, "Unable to shield host key \"%s\": %s", | ||
1728 | options.host_key_files[i], ssh_err(r)); | ||
1729 | sshkey_free(key); | ||
1730 | key = NULL; | ||
1731 | } | ||
1728 | if ((r = sshkey_load_public(options.host_key_files[i], | 1732 | if ((r = sshkey_load_public(options.host_key_files[i], |
1729 | &pubkey, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) | 1733 | &pubkey, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) |
1730 | do_log2(ll, "Unable to load host key \"%s\": %s", | 1734 | do_log2(ll, "Unable to load host key \"%s\": %s", |
@@ -1843,6 +1847,7 @@ main(int ac, char **av) | |||
1843 | */ | 1847 | */ |
1844 | if (connection_info == NULL) | 1848 | if (connection_info == NULL) |
1845 | connection_info = get_connection_info(ssh, 0, 0); | 1849 | connection_info = get_connection_info(ssh, 0, 0); |
1850 | connection_info->test = 1; | ||
1846 | parse_server_match_config(&options, connection_info); | 1851 | parse_server_match_config(&options, connection_info); |
1847 | dump_config(&options); | 1852 | dump_config(&options); |
1848 | } | 1853 | } |
@@ -1890,7 +1895,7 @@ main(int ac, char **av) | |||
1890 | already_daemon = daemonized(); | 1895 | already_daemon = daemonized(); |
1891 | if (!(debug_flag || inetd_flag || no_daemon_flag || already_daemon)) { | 1896 | if (!(debug_flag || inetd_flag || no_daemon_flag || already_daemon)) { |
1892 | 1897 | ||
1893 | if (daemon(0, 0) < 0) | 1898 | if (daemon(0, 0) == -1) |
1894 | fatal("daemon() failed: %.200s", strerror(errno)); | 1899 | fatal("daemon() failed: %.200s", strerror(errno)); |
1895 | 1900 | ||
1896 | disconnect_controlling_tty(); | 1901 | disconnect_controlling_tty(); |
@@ -1953,7 +1958,7 @@ main(int ac, char **av) | |||
1953 | * controlling terminal which will result in "could not set | 1958 | * controlling terminal which will result in "could not set |
1954 | * controlling tty" errors. | 1959 | * controlling tty" errors. |
1955 | */ | 1960 | */ |
1956 | if (!debug_flag && !inetd_flag && setsid() < 0) | 1961 | if (!debug_flag && !inetd_flag && setsid() == -1) |
1957 | error("setsid: %.100s", strerror(errno)); | 1962 | error("setsid: %.100s", strerror(errno)); |
1958 | #endif | 1963 | #endif |
1959 | 1964 | ||
@@ -2031,7 +2036,7 @@ main(int ac, char **av) | |||
2031 | 2036 | ||
2032 | /* Set SO_KEEPALIVE if requested. */ | 2037 | /* Set SO_KEEPALIVE if requested. */ |
2033 | if (options.tcp_keep_alive && ssh_packet_connection_is_on_socket(ssh) && | 2038 | if (options.tcp_keep_alive && ssh_packet_connection_is_on_socket(ssh) && |
2034 | setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0) | 2039 | setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) == -1) |
2035 | error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); | 2040 | error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); |
2036 | 2041 | ||
2037 | if ((remote_port = ssh_remote_port(ssh)) < 0) { | 2042 | if ((remote_port = ssh_remote_port(ssh)) < 0) { |