diff options
Diffstat (limited to 'sshd.c')
| -rw-r--r-- | sshd.c | 41 |
1 files changed, 23 insertions, 18 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshd.c,v 1.533 2019/03/01 02:32:39 djm Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.537 2019/06/28 13:35:04 deraadt Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -360,7 +360,7 @@ main_sigchld_handler(int sig) | |||
| 360 | int status; | 360 | int status; |
| 361 | 361 | ||
| 362 | while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || | 362 | while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || |
| 363 | (pid < 0 && errno == EINTR)) | 363 | (pid == -1 && errno == EINTR)) |
| 364 | ; | 364 | ; |
| 365 | errno = save_errno; | 365 | errno = save_errno; |
| 366 | } | 366 | } |
| @@ -483,7 +483,7 @@ privsep_preauth_child(void) | |||
| 483 | debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid, | 483 | debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid, |
| 484 | (u_int)privsep_pw->pw_gid); | 484 | (u_int)privsep_pw->pw_gid); |
| 485 | gidset[0] = privsep_pw->pw_gid; | 485 | gidset[0] = privsep_pw->pw_gid; |
| 486 | if (setgroups(1, gidset) < 0) | 486 | if (setgroups(1, gidset) == -1) |
| 487 | fatal("setgroups: %.100s", strerror(errno)); | 487 | fatal("setgroups: %.100s", strerror(errno)); |
| 488 | permanently_set_uid(privsep_pw); | 488 | permanently_set_uid(privsep_pw); |
| 489 | } | 489 | } |
| @@ -523,7 +523,7 @@ privsep_preauth(struct ssh *ssh) | |||
| 523 | monitor_child_preauth(ssh, pmonitor); | 523 | monitor_child_preauth(ssh, pmonitor); |
| 524 | 524 | ||
| 525 | /* Wait for the child's exit status */ | 525 | /* Wait for the child's exit status */ |
| 526 | while (waitpid(pid, &status, 0) < 0) { | 526 | while (waitpid(pid, &status, 0) == -1) { |
| 527 | if (errno == EINTR) | 527 | if (errno == EINTR) |
| 528 | continue; | 528 | continue; |
| 529 | pmonitor->m_pid = -1; | 529 | pmonitor->m_pid = -1; |
| @@ -982,7 +982,7 @@ listen_on_addrs(struct listenaddr *la) | |||
| 982 | /* Create socket for listening. */ | 982 | /* Create socket for listening. */ |
| 983 | listen_sock = socket(ai->ai_family, ai->ai_socktype, | 983 | listen_sock = socket(ai->ai_family, ai->ai_socktype, |
| 984 | ai->ai_protocol); | 984 | ai->ai_protocol); |
| 985 | if (listen_sock < 0) { | 985 | if (listen_sock == -1) { |
| 986 | /* kernel may not support ipv6 */ | 986 | /* kernel may not support ipv6 */ |
| 987 | verbose("socket: %.100s", strerror(errno)); | 987 | verbose("socket: %.100s", strerror(errno)); |
| 988 | continue; | 988 | continue; |
| @@ -1011,7 +1011,7 @@ listen_on_addrs(struct listenaddr *la) | |||
| 1011 | debug("Bind to port %s on %s.", strport, ntop); | 1011 | debug("Bind to port %s on %s.", strport, ntop); |
| 1012 | 1012 | ||
| 1013 | /* Bind the socket to the desired port. */ | 1013 | /* Bind the socket to the desired port. */ |
| 1014 | if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { | 1014 | if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { |
| 1015 | error("Bind to port %s on %s failed: %.200s.", | 1015 | error("Bind to port %s on %s failed: %.200s.", |
| 1016 | strport, ntop, strerror(errno)); | 1016 | strport, ntop, strerror(errno)); |
| 1017 | close(listen_sock); | 1017 | close(listen_sock); |
| @@ -1021,7 +1021,7 @@ listen_on_addrs(struct listenaddr *la) | |||
| 1021 | num_listen_socks++; | 1021 | num_listen_socks++; |
| 1022 | 1022 | ||
| 1023 | /* Start listening on the port. */ | 1023 | /* Start listening on the port. */ |
| 1024 | if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0) | 1024 | if (listen(listen_sock, SSH_LISTEN_BACKLOG) == -1) |
| 1025 | fatal("listen on [%s]:%s: %.100s", | 1025 | fatal("listen on [%s]:%s: %.100s", |
| 1026 | ntop, strport, strerror(errno)); | 1026 | ntop, strport, strerror(errno)); |
| 1027 | logit("Server listening on %s port %s%s%s.", | 1027 | logit("Server listening on %s port %s%s%s.", |
| @@ -1106,7 +1106,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
| 1106 | 1106 | ||
| 1107 | /* Wait in select until there is a connection. */ | 1107 | /* Wait in select until there is a connection. */ |
| 1108 | ret = select(maxfd+1, fdset, NULL, NULL, NULL); | 1108 | ret = select(maxfd+1, fdset, NULL, NULL, NULL); |
| 1109 | if (ret < 0 && errno != EINTR) | 1109 | if (ret == -1 && errno != EINTR) |
| 1110 | error("select: %.100s", strerror(errno)); | 1110 | error("select: %.100s", strerror(errno)); |
| 1111 | if (received_sigterm) { | 1111 | if (received_sigterm) { |
| 1112 | logit("Received signal %d; terminating.", | 1112 | logit("Received signal %d; terminating.", |
| @@ -1116,7 +1116,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
| 1116 | unlink(options.pid_file); | 1116 | unlink(options.pid_file); |
| 1117 | exit(received_sigterm == SIGTERM ? 0 : 255); | 1117 | exit(received_sigterm == SIGTERM ? 0 : 255); |
| 1118 | } | 1118 | } |
| 1119 | if (ret < 0) | 1119 | if (ret == -1) |
| 1120 | continue; | 1120 | continue; |
| 1121 | 1121 | ||
| 1122 | for (i = 0; i < options.max_startups; i++) { | 1122 | for (i = 0; i < options.max_startups; i++) { |
| @@ -1156,7 +1156,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
| 1156 | fromlen = sizeof(from); | 1156 | fromlen = sizeof(from); |
| 1157 | *newsock = accept(listen_socks[i], | 1157 | *newsock = accept(listen_socks[i], |
| 1158 | (struct sockaddr *)&from, &fromlen); | 1158 | (struct sockaddr *)&from, &fromlen); |
| 1159 | if (*newsock < 0) { | 1159 | if (*newsock == -1) { |
| 1160 | if (errno != EINTR && errno != EWOULDBLOCK && | 1160 | if (errno != EINTR && errno != EWOULDBLOCK && |
| 1161 | errno != ECONNABORTED && errno != EAGAIN) | 1161 | errno != ECONNABORTED && errno != EAGAIN) |
| 1162 | error("accept: %.100s", | 1162 | error("accept: %.100s", |
| @@ -1276,7 +1276,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
| 1276 | 1276 | ||
| 1277 | /* Parent. Stay in the loop. */ | 1277 | /* Parent. Stay in the loop. */ |
| 1278 | platform_post_fork_parent(pid); | 1278 | platform_post_fork_parent(pid); |
| 1279 | if (pid < 0) | 1279 | if (pid == -1) |
| 1280 | error("fork: %.100s", strerror(errno)); | 1280 | error("fork: %.100s", strerror(errno)); |
| 1281 | else | 1281 | else |
| 1282 | debug("Forked child %ld.", (long)pid); | 1282 | debug("Forked child %ld.", (long)pid); |
| @@ -1329,7 +1329,7 @@ check_ip_options(struct ssh *ssh) | |||
| 1329 | 1329 | ||
| 1330 | memset(&from, 0, sizeof(from)); | 1330 | memset(&from, 0, sizeof(from)); |
| 1331 | if (getpeername(sock_in, (struct sockaddr *)&from, | 1331 | if (getpeername(sock_in, (struct sockaddr *)&from, |
| 1332 | &fromlen) < 0) | 1332 | &fromlen) == -1) |
| 1333 | return; | 1333 | return; |
| 1334 | if (from.ss_family != AF_INET) | 1334 | if (from.ss_family != AF_INET) |
| 1335 | return; | 1335 | return; |
| @@ -1390,7 +1390,7 @@ set_process_rdomain(struct ssh *ssh, const char *name) | |||
| 1390 | 1390 | ||
| 1391 | static void | 1391 | static void |
| 1392 | accumulate_host_timing_secret(struct sshbuf *server_cfg, | 1392 | accumulate_host_timing_secret(struct sshbuf *server_cfg, |
| 1393 | const struct sshkey *key) | 1393 | struct sshkey *key) |
| 1394 | { | 1394 | { |
| 1395 | static struct ssh_digest_ctx *ctx; | 1395 | static struct ssh_digest_ctx *ctx; |
| 1396 | u_char *hash; | 1396 | u_char *hash; |
| @@ -1448,8 +1448,6 @@ main(int ac, char **av) | |||
| 1448 | Authctxt *authctxt; | 1448 | Authctxt *authctxt; |
| 1449 | struct connection_info *connection_info = NULL; | 1449 | struct connection_info *connection_info = NULL; |
| 1450 | 1450 | ||
| 1451 | ssh_malloc_init(); /* must be called before any mallocs */ | ||
| 1452 | |||
| 1453 | #ifdef HAVE_SECUREWARE | 1451 | #ifdef HAVE_SECUREWARE |
| 1454 | (void)set_auth_parameters(ac, av); | 1452 | (void)set_auth_parameters(ac, av); |
| 1455 | #endif | 1453 | #endif |
| @@ -1740,6 +1738,12 @@ main(int ac, char **av) | |||
| 1740 | &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) | 1738 | &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) |
| 1741 | do_log2(ll, "Unable to load host key \"%s\": %s", | 1739 | do_log2(ll, "Unable to load host key \"%s\": %s", |
| 1742 | options.host_key_files[i], ssh_err(r)); | 1740 | options.host_key_files[i], ssh_err(r)); |
| 1741 | if (r == 0 && (r = sshkey_shield_private(key)) != 0) { | ||
| 1742 | do_log2(ll, "Unable to shield host key \"%s\": %s", | ||
| 1743 | options.host_key_files[i], ssh_err(r)); | ||
| 1744 | sshkey_free(key); | ||
| 1745 | key = NULL; | ||
| 1746 | } | ||
| 1743 | if ((r = sshkey_load_public(options.host_key_files[i], | 1747 | if ((r = sshkey_load_public(options.host_key_files[i], |
| 1744 | &pubkey, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) | 1748 | &pubkey, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) |
| 1745 | do_log2(ll, "Unable to load host key \"%s\": %s", | 1749 | do_log2(ll, "Unable to load host key \"%s\": %s", |
| @@ -1859,6 +1863,7 @@ main(int ac, char **av) | |||
| 1859 | */ | 1863 | */ |
| 1860 | if (connection_info == NULL) | 1864 | if (connection_info == NULL) |
| 1861 | connection_info = get_connection_info(ssh, 0, 0); | 1865 | connection_info = get_connection_info(ssh, 0, 0); |
| 1866 | connection_info->test = 1; | ||
| 1862 | parse_server_match_config(&options, connection_info); | 1867 | parse_server_match_config(&options, connection_info); |
| 1863 | dump_config(&options); | 1868 | dump_config(&options); |
| 1864 | } | 1869 | } |
| @@ -1906,7 +1911,7 @@ main(int ac, char **av) | |||
| 1906 | already_daemon = daemonized(); | 1911 | already_daemon = daemonized(); |
| 1907 | if (!(debug_flag || inetd_flag || no_daemon_flag || already_daemon)) { | 1912 | if (!(debug_flag || inetd_flag || no_daemon_flag || already_daemon)) { |
| 1908 | 1913 | ||
| 1909 | if (daemon(0, 0) < 0) | 1914 | if (daemon(0, 0) == -1) |
| 1910 | fatal("daemon() failed: %.200s", strerror(errno)); | 1915 | fatal("daemon() failed: %.200s", strerror(errno)); |
| 1911 | 1916 | ||
| 1912 | disconnect_controlling_tty(); | 1917 | disconnect_controlling_tty(); |
| @@ -1974,7 +1979,7 @@ main(int ac, char **av) | |||
| 1974 | * controlling terminal which will result in "could not set | 1979 | * controlling terminal which will result in "could not set |
| 1975 | * controlling tty" errors. | 1980 | * controlling tty" errors. |
| 1976 | */ | 1981 | */ |
| 1977 | if (!debug_flag && !inetd_flag && setsid() < 0) | 1982 | if (!debug_flag && !inetd_flag && setsid() == -1) |
| 1978 | error("setsid: %.100s", strerror(errno)); | 1983 | error("setsid: %.100s", strerror(errno)); |
| 1979 | #endif | 1984 | #endif |
| 1980 | 1985 | ||
| @@ -2052,7 +2057,7 @@ main(int ac, char **av) | |||
| 2052 | 2057 | ||
| 2053 | /* Set SO_KEEPALIVE if requested. */ | 2058 | /* Set SO_KEEPALIVE if requested. */ |
| 2054 | if (options.tcp_keep_alive && ssh_packet_connection_is_on_socket(ssh) && | 2059 | if (options.tcp_keep_alive && ssh_packet_connection_is_on_socket(ssh) && |
| 2055 | setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0) | 2060 | setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) == -1) |
| 2056 | error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); | 2061 | error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); |
| 2057 | 2062 | ||
| 2058 | if ((remote_port = ssh_remote_port(ssh)) < 0) { | 2063 | if ((remote_port = ssh_remote_port(ssh)) < 0) { |