From d231186fd0acb8fee480faf61c4e9e4cc6186faf Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Thu, 20 Jan 2005 13:27:56 +1100
Subject:    - djm@cvs.openbsd.org 2004/12/22 02:13:19      [cipher-ctr.c
 cipher.c]      remove fallback AES support for old OpenSSL, as OpenBSD has
 had it for      many years now; ok deraadt@      (Id sync only: Portable will
 continue to support older OpenSSLs)

---
 ChangeLog    |  7 ++++++-
 auth-pam.c   | 26 ++++++++++++++++----------
 cipher-ctr.c |  2 +-
 cipher.c     |  2 +-
 4 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 19101efd6..9eab2b462 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,11 @@
      behaviour for bsdauth is maintained by checking authctxt->valid in the
      bsdauth driver.  Note that any third-party kbdint drivers will now need
      to be able to handle responses for invalid logins.  ok markus@
+   - djm@cvs.openbsd.org 2004/12/22 02:13:19
+     [cipher-ctr.c cipher.c]
+     remove fallback AES support for old OpenSSL, as OpenBSD has had it for
+     many years now; ok deraadt@
+     (Id sync only: Portable will continue to support older OpenSSLs)
  - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
    existence via keyboard-interactive/pam, in conjunction with previous
    auth2-chall.c change; with Colin Watson and djm.
@@ -2005,4 +2010,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3617 2005/01/20 01:43:38 dtucker Exp $
+$Id: ChangeLog,v 1.3618 2005/01/20 02:27:56 dtucker Exp $
diff --git a/auth-pam.c b/auth-pam.c
index 996964fcd..5bffe338f 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.120 2005/01/20 02:27:56 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -245,6 +245,17 @@ sshpam_password_change_required(int reqd)
 	}
 }
 
+/* Check ssh internal flags in addition to PAM */
+
+static int
+sshpam_login_allowed(Authctxt *ctxt)
+{
+	if (ctxt->valid && (ctxt->pw->pw_uid != 0 ||
+	    options.permit_root_login == PERMIT_YES))
+		return 1;
+	return 0;
+}
+
 /* Import regular and PAM environment from subprocess */
 static void
 import_environments(Buffer *b)
@@ -702,9 +713,7 @@ sshpam_query(void *ctx, char **name, char **info,
 				**prompts = NULL;
 			}
 			if (type == PAM_SUCCESS) {
-				if (!sshpam_authctxt->valid ||
-				    (sshpam_authctxt->pw->pw_uid == 0 &&
-				    options.permit_root_login != PERMIT_YES))
+				if (!sshpam_login_allowed(sshpam_authctxt))
 					fatal("Internal error: PAM auth "
 					    "succeeded when it should have "
 					    "failed");
@@ -753,9 +762,7 @@ sshpam_respond(void *ctx, u_int num, char **resp)
 		return (-1);
 	}
 	buffer_init(&buffer);
-	if (sshpam_authctxt->valid &&
-	    (sshpam_authctxt->pw->pw_uid != 0 ||
-	     options.permit_root_login == PERMIT_YES))
+	if (sshpam_login_allowed(sshpam_authctxt))
 		buffer_put_cstring(&buffer, *resp);
 	else
 		buffer_put_cstring(&buffer, badpw);
@@ -1118,8 +1125,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 	 * by PermitRootLogin, use an invalid password to prevent leaking
 	 * information via timing (eg if the PAM config has a delay on fail).
 	 */
-	if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
-	     options.permit_root_login != PERMIT_YES))
+	if (!sshpam_login_allowed(authctxt))
 		sshpam_password = badpw;
 
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
@@ -1130,7 +1136,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 
 	sshpam_err = pam_authenticate(sshpam_handle, flags);
 	sshpam_password = NULL;
-	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
+	if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) {
 		debug("PAM: password authentication accepted for %.100s",
 		    authctxt->user);
                return 1;
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 395dabedd..43f1ede57 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: cipher-ctr.c,v 1.4 2004/02/06 23:41:13 dtucker Exp $");
+RCSID("$OpenBSD: cipher-ctr.c,v 1.5 2004/12/22 02:13:19 djm Exp $");
 
 #include <openssl/evp.h>
 
diff --git a/cipher.c b/cipher.c
index 075a4c5fc..64be0571f 100644
--- a/cipher.c
+++ b/cipher.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.71 2004/07/28 09:40:29 markus Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.72 2004/12/22 02:13:19 djm Exp $");
 
 #include "xmalloc.h"
 #include "log.h"
-- 
cgit v1.2.3