From 5e39a49930d885aac9c76af3129332b6e772cd75 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 4 Dec 2014 02:24:32 +0000 Subject: upstream commit add RevokedHostKeys option for the client Allow textfile or KRL-based revocation of hostkeys. --- authfile.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 48 insertions(+), 10 deletions(-) (limited to 'authfile.c') diff --git a/authfile.c b/authfile.c index e93d86738..95877e159 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.107 2014/06/24 01:13:21 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.108 2014/12/04 02:24:32 djm Exp $ */ /* * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. * @@ -48,6 +48,7 @@ #include "atomicio.h" #include "sshbuf.h" #include "ssherr.h" +#include "krl.h" #define MAX_KEY_FILE_SIZE (1024 * 1024) @@ -494,11 +495,14 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase, /* * Returns success if the specified "key" is listed in the file "filename", * SSH_ERR_KEY_NOT_FOUND: if the key is not listed or another error. - * If strict_type is set then the key type must match exactly, + * If "strict_type" is set then the key type must match exactly, * otherwise a comparison that ignores certficiate data is performed. + * If "check_ca" is set and "key" is a certificate, then its CA key is + * also checked and sshkey_in_file() will return success if either is found. */ int -sshkey_in_file(struct sshkey *key, const char *filename, int strict_type) +sshkey_in_file(struct sshkey *key, const char *filename, int strict_type, + int check_ca) { FILE *f; char line[SSH_MAX_PUBKEY_BYTES]; @@ -509,12 +513,8 @@ sshkey_in_file(struct sshkey *key, const char *filename, int strict_type) int (*sshkey_compare)(const struct sshkey *, const struct sshkey *) = strict_type ? sshkey_equal : sshkey_equal_public; - if ((f = fopen(filename, "r")) == NULL) { - if (errno == ENOENT) - return SSH_ERR_KEY_NOT_FOUND; - else - return SSH_ERR_SYSTEM_ERROR; - } + if ((f = fopen(filename, "r")) == NULL) + return SSH_ERR_SYSTEM_ERROR; while (read_keyfile_line(f, filename, line, sizeof(line), &linenum) != -1) { @@ -538,7 +538,9 @@ sshkey_in_file(struct sshkey *key, const char *filename, int strict_type) } if ((r = sshkey_read(pub, &cp)) != 0) goto out; - if (sshkey_compare(key, pub)) { + if (sshkey_compare(key, pub) || + (check_ca && sshkey_is_cert(key) && + sshkey_compare(key->cert->signature_key, pub))) { r = 0; goto out; } @@ -553,3 +555,39 @@ sshkey_in_file(struct sshkey *key, const char *filename, int strict_type) return r; } +/* + * Checks whether the specified key is revoked, returning 0 if not, + * SSH_ERR_KEY_REVOKED if it is or another error code if something + * unexpected happened. + * This will check both the key and, if it is a certificate, its CA key too. + * "revoked_keys_file" may be a KRL or a one-per-line list of public keys. + */ +int +sshkey_check_revoked(struct sshkey *key, const char *revoked_keys_file) +{ + int r; + +#ifdef WITH_OPENSSL + r = ssh_krl_file_contains_key(revoked_keys_file, key); + /* If this was not a KRL to begin with then continue below */ + if (r != SSH_ERR_KRL_BAD_MAGIC) + return r; +#endif + + /* + * If the file is not a KRL or we can't handle KRLs then attempt to + * parse the file as a flat list of keys. + */ + switch ((r = sshkey_in_file(key, revoked_keys_file, 0, 1))) { + case 0: + /* Key found => revoked */ + return SSH_ERR_KEY_REVOKED; + case SSH_ERR_KEY_NOT_FOUND: + /* Key not found => not revoked */ + return 0; + default: + /* Some other error occurred */ + return r; + } +} + -- cgit v1.2.3 From 1195f4cb07ef4b0405c839293c38600b3e9bdb46 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 8 Jan 2015 10:14:08 +0000 Subject: upstream commit deprecate key_load_private_pem() and sshkey_load_private_pem() interfaces. Refactor the generic key loading API to not require pathnames to be specified (they weren't really used). Fixes a few other things en passant: Makes ed25519 keys work for hostbased authentication (ssh-keysign previously used the PEM-only routines). Fixes key comment regression bz#2306: key pathnames were being lost as comment fields. ok markus@ --- auth2-hostbased.c | 3 ++- authfile.c | 64 +++++++++++++++++++++---------------------------------- authfile.h | 10 ++++++--- key.c | 25 ++-------------------- key.h | 3 +-- krl.c | 4 ++-- ssh-keysign.c | 21 +++++++++++------- sshconnect2.c | 4 +++- sshkey.c | 26 ++++++---------------- sshkey.h | 4 +--- 10 files changed, 62 insertions(+), 102 deletions(-) (limited to 'authfile.c') diff --git a/auth2-hostbased.c b/auth2-hostbased.c index eb6bee50b..2db3d2524 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.20 2014/12/23 22:42:48 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.21 2015/01/08 10:14:08 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -84,6 +84,7 @@ userauth_hostbased(Authctxt *authctxt) buffer_dump(&b); buffer_free(&b); #endif + /* XXX provide some way to allow admin to specify key types accepted */ pktype = key_type_from_name(pkalg); if (pktype == KEY_UNSPEC) { /* this is perfectly legal */ diff --git a/authfile.c b/authfile.c index 95877e159..de9708607 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.108 2014/12/04 02:24:32 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.109 2015/01/08 10:14:08 djm Exp $ */ /* * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. * @@ -95,7 +95,7 @@ sshkey_save_private(struct sshkey *key, const char *filename, /* Load a key from a fd into a buffer */ int -sshkey_load_file(int fd, const char *filename, struct sshbuf *blob) +sshkey_load_file(int fd, struct sshbuf *blob) { u_char buf[1024]; size_t len; @@ -142,8 +142,7 @@ sshkey_load_file(int fd, const char *filename, struct sshbuf *blob) * otherwise. */ static int -sshkey_load_public_rsa1(int fd, const char *filename, - struct sshkey **keyp, char **commentp) +sshkey_load_public_rsa1(int fd, struct sshkey **keyp, char **commentp) { struct sshbuf *b = NULL; int r; @@ -154,7 +153,7 @@ sshkey_load_public_rsa1(int fd, const char *filename, if ((b = sshbuf_new()) == NULL) return SSH_ERR_ALLOC_FAIL; - if ((r = sshkey_load_file(fd, filename, b)) != 0) + if ((r = sshkey_load_file(fd, b)) != 0) goto out; if ((r = sshkey_parse_public_rsa1_fileblob(b, keyp, commentp)) != 0) goto out; @@ -165,33 +164,6 @@ sshkey_load_public_rsa1(int fd, const char *filename, } #endif /* WITH_SSH1 */ -#ifdef WITH_OPENSSL -/* XXX Deprecate? */ -int -sshkey_load_private_pem(int fd, int type, const char *passphrase, - struct sshkey **keyp, char **commentp) -{ - struct sshbuf *buffer = NULL; - int r; - - *keyp = NULL; - if (commentp != NULL) - *commentp = NULL; - - if ((buffer = sshbuf_new()) == NULL) - return SSH_ERR_ALLOC_FAIL; - if ((r = sshkey_load_file(fd, NULL, buffer)) != 0) - goto out; - if ((r = sshkey_parse_private_pem_fileblob(buffer, type, passphrase, - keyp, commentp)) != 0) - goto out; - r = 0; - out: - sshbuf_free(buffer); - return r; -} -#endif /* WITH_OPENSSL */ - /* XXX remove error() calls from here? */ int sshkey_perm_ok(int fd, const char *filename) @@ -227,7 +199,6 @@ sshkey_load_private_type(int type, const char *filename, const char *passphrase, struct sshkey **keyp, char **commentp, int *perm_ok) { int fd, r; - struct sshbuf *buffer = NULL; *keyp = NULL; if (commentp != NULL) @@ -247,18 +218,31 @@ sshkey_load_private_type(int type, const char *filename, const char *passphrase, if (perm_ok != NULL) *perm_ok = 1; + r = sshkey_load_private_type_fd(fd, type, passphrase, keyp, commentp); + out: + close(fd); + return r; +} + +int +sshkey_load_private_type_fd(int fd, int type, const char *passphrase, + struct sshkey **keyp, char **commentp) +{ + struct sshbuf *buffer = NULL; + int r; + if ((buffer = sshbuf_new()) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } - if ((r = sshkey_load_file(fd, filename, buffer)) != 0) - goto out; - if ((r = sshkey_parse_private_fileblob_type(buffer, type, passphrase, - keyp, commentp)) != 0) + if ((r = sshkey_load_file(fd, buffer)) != 0 || + (r = sshkey_parse_private_fileblob_type(buffer, type, + passphrase, keyp, commentp)) != 0) goto out; + + /* success */ r = 0; out: - close(fd); if (buffer != NULL) sshbuf_free(buffer); return r; @@ -287,7 +271,7 @@ sshkey_load_private(const char *filename, const char *passphrase, r = SSH_ERR_ALLOC_FAIL; goto out; } - if ((r = sshkey_load_file(fd, filename, buffer)) != 0 || + if ((r = sshkey_load_file(fd, buffer)) != 0 || (r = sshkey_parse_private_fileblob(buffer, passphrase, filename, keyp, commentp)) != 0) goto out; @@ -363,7 +347,7 @@ sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp) goto skip; #ifdef WITH_SSH1 /* try rsa1 private key */ - r = sshkey_load_public_rsa1(fd, filename, keyp, commentp); + r = sshkey_load_public_rsa1(fd, keyp, commentp); close(fd); switch (r) { case SSH_ERR_INTERNAL_ERROR: diff --git a/authfile.h b/authfile.h index 645404e61..624d269f1 100644 --- a/authfile.h +++ b/authfile.h @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.h,v 1.20 2014/12/04 02:24:32 djm Exp $ */ +/* $OpenBSD: authfile.h,v 1.21 2015/01/08 10:14:08 djm Exp $ */ /* * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. @@ -30,9 +30,12 @@ struct sshbuf; struct sshkey; +/* XXX document these */ +/* XXX some of these could probably be merged/retired */ + int sshkey_save_private(struct sshkey *, const char *, const char *, const char *, int, const char *, int); -int sshkey_load_file(int, const char *, struct sshbuf *); +int sshkey_load_file(int, struct sshbuf *); int sshkey_load_cert(const char *, struct sshkey **); int sshkey_load_public(const char *, struct sshkey **, char **); int sshkey_load_private(const char *, const char *, struct sshkey **, char **); @@ -40,7 +43,8 @@ int sshkey_load_private_cert(int, const char *, const char *, struct sshkey **, int *); int sshkey_load_private_type(int, const char *, const char *, struct sshkey **, char **, int *); -int sshkey_load_private_pem(int, int, const char *, struct sshkey **, char **); +int sshkey_load_private_type_fd(int fd, int type, const char *passphrase, + struct sshkey **keyp, char **commentp); int sshkey_perm_ok(int, const char *); int sshkey_in_file(struct sshkey *, const char *, int, int); int sshkey_check_revoked(struct sshkey *key, const char *revoked_keys_file); diff --git a/key.c b/key.c index b821d9e1d..37eb67634 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.124 2014/12/21 22:27:56 djm Exp $ */ +/* $OpenBSD: key.c,v 1.125 2015/01/08 10:14:08 djm Exp $ */ /* * placed in the public domain */ @@ -328,7 +328,7 @@ key_load_file(int fd, const char *filename, struct sshbuf *blob) { int r; - if ((r = sshkey_load_file(fd, filename, blob)) != 0) { + if ((r = sshkey_load_file(fd, blob)) != 0) { fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR); error("%s: %s", __func__, ssh_err(r)); return 0; @@ -435,27 +435,6 @@ key_load_private_type(int type, const char *filename, const char *passphrase, return ret; } -#ifdef WITH_OPENSSL -Key * -key_load_private_pem(int fd, int type, const char *passphrase, - char **commentp) -{ - int r; - Key *ret = NULL; - - if ((r = sshkey_load_private_pem(fd, type, passphrase, - &ret, commentp)) != 0) { - fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR); - if (r == SSH_ERR_KEY_WRONG_PASSPHRASE) - debug("%s: %s", __func__, ssh_err(r)); - else - error("%s: %s", __func__, ssh_err(r)); - return NULL; - } - return ret; -} -#endif /* WITH_OPENSSL */ - int key_perm_ok(int fd, const char *filename) { diff --git a/key.h b/key.h index de7865733..7190b842d 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.44 2014/12/21 22:27:56 djm Exp $ */ +/* $OpenBSD: key.h,v 1.45 2015/01/08 10:14:08 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -104,7 +104,6 @@ Key *key_load_public(const char *, char **); Key *key_load_private(const char *, const char *, char **); Key *key_load_private_cert(int, const char *, const char *, int *); Key *key_load_private_type(int, const char *, const char *, char **, int *); -Key *key_load_private_pem(int, int, const char *, char **); int key_perm_ok(int, const char *); #endif diff --git a/krl.c b/krl.c index 3439e9c29..711d370fe 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.21 2014/12/21 22:27:56 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.22 2015/01/08 10:14:08 djm Exp $ */ #include "includes.h" @@ -1248,7 +1248,7 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key) oerrno = errno; goto out; } - if ((r = sshkey_load_file(fd, path, krlbuf)) != 0) { + if ((r = sshkey_load_file(fd, krlbuf)) != 0) { oerrno = errno; goto out; } diff --git a/ssh-keysign.c b/ssh-keysign.c index b86e18d8c..d59f115fc 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keysign.c,v 1.44 2014/12/21 22:27:56 djm Exp $ */ +/* $OpenBSD: ssh-keysign.c,v 1.45 2015/01/08 10:14:08 djm Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * @@ -52,6 +52,8 @@ #include "pathnames.h" #include "readconf.h" #include "uidswap.h" +#include "sshkey.h" +#include "ssherr.h" /* XXX readconf.c needs these */ uid_t original_real_uid; @@ -69,6 +71,8 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, char *pkalg, *p; int pktype, fail; + if (ret != NULL) + *ret = NULL; fail = 0; buffer_init(&b); @@ -153,7 +157,7 @@ main(int argc, char **argv) #define NUM_KEYTYPES 4 Key *keys[NUM_KEYTYPES], *key = NULL; struct passwd *pw; - int key_fd[NUM_KEYTYPES], i, found, version = 2, fd; + int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd; u_char *signature, *data; char *host, *fp; u_int slen, dlen; @@ -209,14 +213,15 @@ main(int argc, char **argv) keys[i] = NULL; if (key_fd[i] == -1) continue; -#ifdef WITH_OPENSSL -/* XXX wrong api */ - keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC, - NULL, NULL); -#endif + r = sshkey_load_private_type_fd(key_fd[i], KEY_UNSPEC, + NULL, &key, NULL); close(key_fd[i]); - if (keys[i] != NULL) + if (r != 0) + debug("parse key %d: %s", i, ssh_err(r)); + else if (key != NULL) { + keys[i] = key; found = 1; + } } if (!found) fatal("no hostkey found"); diff --git a/sshconnect2.c b/sshconnect2.c index ad20fae6a..6a7b69938 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.212 2014/12/21 22:27:56 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.213 2015/01/08 10:14:08 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1489,6 +1489,8 @@ userauth_hostbased(Authctxt *authctxt) u_int blen, slen; int ok, i, found = 0; + /* XXX provide some way to allow user to specify key types attempted */ + /* check for a useful key */ for (i = 0; i < sensitive->nkeys; i++) { private = sensitive->keys[i]; diff --git a/sshkey.c b/sshkey.c index 9b37c9aed..3a90217dd 100644 --- a/sshkey.c +++ b/sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.7 2014/12/21 22:27:55 djm Exp $ */ +/* $OpenBSD: sshkey.c,v 1.8 2015/01/08 10:14:08 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -3719,20 +3719,16 @@ sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase, #endif /* WITH_SSH1 */ #ifdef WITH_OPENSSL -/* XXX make private once ssh-keysign.c fixed */ -int +static int sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, - const char *passphrase, struct sshkey **keyp, char **commentp) + const char *passphrase, struct sshkey **keyp) { EVP_PKEY *pk = NULL; struct sshkey *prv = NULL; - char *name = ""; BIO *bio = NULL; int r; *keyp = NULL; - if (commentp != NULL) - *commentp = NULL; if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) return SSH_ERR_ALLOC_FAIL; @@ -3755,7 +3751,6 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, } prv->rsa = EVP_PKEY_get1_RSA(pk); prv->type = KEY_RSA; - name = "rsa w/o comment"; #ifdef DEBUG_PK RSA_print_fp(stderr, prv->rsa, 8); #endif @@ -3771,7 +3766,6 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, } prv->dsa = EVP_PKEY_get1_DSA(pk); prv->type = KEY_DSA; - name = "dsa w/o comment"; #ifdef DEBUG_PK DSA_print_fp(stderr, prv->dsa, 8); #endif @@ -3793,7 +3787,6 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, r = SSH_ERR_INVALID_FORMAT; goto out; } - name = "ecdsa w/o comment"; # ifdef DEBUG_PK if (prv != NULL && prv->ecdsa != NULL) sshkey_dump_ec_key(prv->ecdsa); @@ -3803,11 +3796,6 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, r = SSH_ERR_INVALID_FORMAT; goto out; } - if (commentp != NULL && - (*commentp = strdup(name)) == NULL) { - r = SSH_ERR_ALLOC_FAIL; - goto out; - } r = 0; *keyp = prv; prv = NULL; @@ -3839,8 +3827,8 @@ sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, case KEY_DSA: case KEY_ECDSA: case KEY_RSA: - return sshkey_parse_private_pem_fileblob(blob, type, passphrase, - keyp, commentp); + return sshkey_parse_private_pem_fileblob(blob, type, + passphrase, keyp); #endif /* WITH_OPENSSL */ case KEY_ED25519: return sshkey_parse_private2(blob, type, passphrase, @@ -3850,8 +3838,8 @@ sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, commentp)) == 0) return 0; #ifdef WITH_OPENSSL - return sshkey_parse_private_pem_fileblob(blob, type, passphrase, - keyp, commentp); + return sshkey_parse_private_pem_fileblob(blob, type, + passphrase, keyp); #else return SSH_ERR_INVALID_FORMAT; #endif /* WITH_OPENSSL */ diff --git a/sshkey.h b/sshkey.h index 4554b09b5..65194d6e4 100644 --- a/sshkey.h +++ b/sshkey.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.h,v 1.2 2014/12/21 22:27:55 djm Exp $ */ +/* $OpenBSD: sshkey.h,v 1.3 2015/01/08 10:14:08 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -184,8 +184,6 @@ int sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, int force_new_format, const char *new_format_cipher, int new_format_rounds); int sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob, struct sshkey **keyp, char **commentp); -int sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, - const char *passphrase, struct sshkey **keyp, char **commentp); int sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, const char *filename, struct sshkey **keyp, char **commentp); -- cgit v1.2.3 From b03ebe2c22b8166e4f64c37737f4278676e3488d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 15 Jan 2015 03:08:58 +1100 Subject: more --without-openssl fix some regressions caused by upstream merges enable KRLs now that they no longer require BIGNUMs --- authfile.c | 2 -- krl.c | 3 --- ssh-agent.c | 2 ++ ssh-keygen.c | 10 ---------- sshbuf.h | 4 ++-- 5 files changed, 4 insertions(+), 17 deletions(-) (limited to 'authfile.c') diff --git a/authfile.c b/authfile.c index de9708607..d47e0058f 100644 --- a/authfile.c +++ b/authfile.c @@ -551,12 +551,10 @@ sshkey_check_revoked(struct sshkey *key, const char *revoked_keys_file) { int r; -#ifdef WITH_OPENSSL r = ssh_krl_file_contains_key(revoked_keys_file, key); /* If this was not a KRL to begin with then continue below */ if (r != SSH_ERR_KRL_BAD_MAGIC) return r; -#endif /* * If the file is not a KRL or we can't handle KRLs then attempt to diff --git a/krl.c b/krl.c index b19def79f..3917338f9 100644 --- a/krl.c +++ b/krl.c @@ -18,8 +18,6 @@ #include "includes.h" -#ifdef WITH_OPENSSL /* XXX just fix bignums and this is good */ - #include #include #include @@ -1284,4 +1282,3 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key) errno = oerrno; return r; } -#endif /* WITH_OPENSSL */ diff --git a/ssh-agent.c b/ssh-agent.c index 4925d47a3..43000a429 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -524,6 +524,7 @@ reaper(void) return (deadline - now); } +#ifdef WITH_SSH1 /* * XXX this and the corresponding serialisation function probably belongs * in key.c @@ -565,6 +566,7 @@ agent_decode_rsa1(struct sshbuf *m, struct sshkey **kp) sshkey_free(k); return r; } +#endif static void process_add_identity(SocketEntry *e, int version) diff --git a/ssh-keygen.c b/ssh-keygen.c index 75f8e2e09..7f775ff16 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1964,7 +1964,6 @@ do_show_cert(struct passwd *pw) exit(0); } -#ifdef WITH_OPENSSL static void load_krl(const char *path, struct ssh_krl **krlp) { @@ -2106,12 +2105,10 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, fclose(krl_spec); free(path); } -#endif /* WITH_OPENSSL */ static void do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) { -#ifdef WITH_OPENSSL struct ssh_krl *krl; struct stat sb; Key *ca = NULL; @@ -2161,15 +2158,11 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) ssh_krl_free(krl); if (ca != NULL) key_free(ca); -#else /* WITH_OPENSSL */ - fatal("KRLs not supported without OpenSSL"); -#endif /* WITH_OPENSSL */ } static void do_check_krl(struct passwd *pw, int argc, char **argv) { -#ifdef WITH_OPENSSL int i, r, ret = 0; char *comment; struct ssh_krl *krl; @@ -2192,9 +2185,6 @@ do_check_krl(struct passwd *pw, int argc, char **argv) } ssh_krl_free(krl); exit(ret); -#else /* WITH_OPENSSL */ - fatal("KRLs not supported without OpenSSL"); -#endif /* WITH_OPENSSL */ } static void diff --git a/sshbuf.h b/sshbuf.h index ac0191936..eb0d92e10 100644 --- a/sshbuf.h +++ b/sshbuf.h @@ -209,11 +209,11 @@ int sshbuf_peek_string_direct(const struct sshbuf *buf, const u_char **valp, * curve points. */ int sshbuf_put_bignum2_bytes(struct sshbuf *buf, const void *v, size_t len); +int sshbuf_get_bignum2_bytes_direct(struct sshbuf *buf, + const u_char **valp, size_t *lenp); #ifdef WITH_OPENSSL int sshbuf_get_bignum2(struct sshbuf *buf, BIGNUM *v); int sshbuf_get_bignum1(struct sshbuf *buf, BIGNUM *v); -int sshbuf_get_bignum2_bytes_direct(struct sshbuf *buf, - const u_char **valp, size_t *lenp); int sshbuf_put_bignum2(struct sshbuf *buf, const BIGNUM *v); int sshbuf_put_bignum1(struct sshbuf *buf, const BIGNUM *v); # ifdef OPENSSL_HAS_ECC -- cgit v1.2.3 From 087266ec33c76fc8d54ac5a19efacf2f4a4ca076 Mon Sep 17 00:00:00 2001 From: "deraadt@openbsd.org" Date: Tue, 20 Jan 2015 23:14:00 +0000 Subject: upstream commit Reduce use of and transition to throughout. ok djm markus --- auth.c | 8 ++++---- authfile.c | 6 +++--- channels.c | 5 +++-- clientloop.c | 13 +++++++------ deattack.c | 3 +-- dh.c | 5 +++-- groupaccess.c | 4 ++-- gss-genr.c | 3 ++- gss-serv.c | 3 +-- kex.c | 4 ++-- kexgexs.c | 4 ++-- key.c | 4 ++-- krl.c | 4 ++-- moduli.c | 9 +++++---- monitor.c | 4 ++-- monitor_mm.c | 4 ++-- mux.c | 3 +-- packet.c | 5 +++-- sandbox-systrace.c | 4 ++-- serverloop.c | 4 ++-- sftp-client.c | 4 ++-- sftp-common.c | 4 ++-- sftp-server.c | 10 +++++----- sftp.c | 6 ++++-- ssh-keyscan.c | 3 +-- ssh-pkcs11-helper.c | 3 +-- ssh.c | 8 ++++---- sshbuf.c | 4 ++-- sshconnect.c | 4 ++-- sshd.c | 10 +++++----- sshlogin.c | 6 +++--- 31 files changed, 82 insertions(+), 79 deletions(-) (limited to 'authfile.c') diff --git a/auth.c b/auth.c index b259c6ef1..facc962b2 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.108 2014/12/21 22:27:56 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.109 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -27,7 +27,6 @@ #include #include -#include #include @@ -50,6 +49,7 @@ #include #include #include +#include #include "xmalloc.h" #include "match.h" @@ -376,7 +376,7 @@ auth_root_allowed(const char *method) char * expand_authorized_keys(const char *filename, struct passwd *pw) { - char *file, ret[MAXPATHLEN]; + char *file, ret[PATH_MAX]; int i; file = percent_expand(filename, "h", pw->pw_dir, @@ -468,7 +468,7 @@ int auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, uid_t uid, char *err, size_t errlen) { - char buf[MAXPATHLEN], homedir[MAXPATHLEN]; + char buf[PATH_MAX], homedir[PATH_MAX]; char *cp; int comparehome = 0; struct stat st; diff --git a/authfile.c b/authfile.c index d47e0058f..7d7f45ead 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.109 2015/01/08 10:14:08 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.110 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. * @@ -27,7 +27,6 @@ #include #include -#include #include #include @@ -37,6 +36,7 @@ #include #include #include +#include #include "cipher.h" #include "key.h" @@ -335,7 +335,7 @@ int sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp) { struct sshkey *pub = NULL; - char file[MAXPATHLEN]; + char file[PATH_MAX]; int r, fd; if (keyp != NULL) diff --git a/channels.c b/channels.c index 29a62f70a..2fedaf89d 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.339 2015/01/19 20:07:45 markus Exp $ */ +/* $OpenBSD: channels.c,v 1.340 2015/01/20 23:14:00 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -42,7 +42,7 @@ #include "includes.h" #include -#include +#include /* MIN MAX */ #include #include #include @@ -62,6 +62,7 @@ #include #include #include +#include #include #include "openbsd-compat/sys-queue.h" diff --git a/clientloop.c b/clientloop.c index 5a018ac79..4522a6332 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.265 2015/01/19 20:16:15 markus Exp $ */ +/* $OpenBSD: clientloop.c,v 1.266 2015/01/20 23:14:00 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -61,9 +61,9 @@ #include "includes.h" +#include /* MIN MAX */ #include #include -#include #ifdef HAVE_SYS_STAT_H # include #endif @@ -85,6 +85,7 @@ #include #include #include +#include #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" @@ -339,12 +340,12 @@ client_x11_get_proto(const char *display, const char *xauth_path, display = xdisplay; } if (trusted == 0) { - xauthdir = xmalloc(MAXPATHLEN); - xauthfile = xmalloc(MAXPATHLEN); - mktemp_proto(xauthdir, MAXPATHLEN); + xauthdir = xmalloc(PATH_MAX); + xauthfile = xmalloc(PATH_MAX); + mktemp_proto(xauthdir, PATH_MAX); if (mkdtemp(xauthdir) != NULL) { do_unlink = 1; - snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile", + snprintf(xauthfile, PATH_MAX, "%s/xauthfile", xauthdir); snprintf(cmd, sizeof(cmd), "%s -f %s generate %s " SSH_X11_PROTO diff --git a/deattack.c b/deattack.c index b102401e7..e76481a6d 100644 --- a/deattack.c +++ b/deattack.c @@ -1,4 +1,4 @@ -/* $OpenBSD: deattack.c,v 1.31 2015/01/19 19:52:16 markus Exp $ */ +/* $OpenBSD: deattack.c,v 1.32 2015/01/20 23:14:00 deraadt Exp $ */ /* * Cryptographic attack detector for ssh - source code * @@ -20,7 +20,6 @@ #include "includes.h" -#include #include #include #include diff --git a/dh.c b/dh.c index 38ad615c5..a260240fd 100644 --- a/dh.c +++ b/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.54 2015/01/19 20:16:15 markus Exp $ */ +/* $OpenBSD: dh.c,v 1.55 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * @@ -25,7 +25,7 @@ #include "includes.h" -#include +#include /* MIN */ #include #include @@ -34,6 +34,7 @@ #include #include #include +#include #include "dh.h" #include "pathnames.h" diff --git a/groupaccess.c b/groupaccess.c index 1eab10b19..4fca04471 100644 --- a/groupaccess.c +++ b/groupaccess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: groupaccess.c,v 1.14 2013/05/17 00:13:13 djm Exp $ */ +/* $OpenBSD: groupaccess.c,v 1.15 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2001 Kevin Steves. All rights reserved. * @@ -26,13 +26,13 @@ #include "includes.h" #include -#include #include #include #include #include #include +#include #include "xmalloc.h" #include "groupaccess.h" diff --git a/gss-genr.c b/gss-genr.c index b39281bc1..60ac65f8d 100644 --- a/gss-genr.c +++ b/gss-genr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */ +/* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. @@ -31,6 +31,7 @@ #include #include +#include #include #include #include diff --git a/gss-serv.c b/gss-serv.c index 5c599247b..e7b8c5223 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -29,7 +29,6 @@ #ifdef GSSAPI #include -#include #include #include diff --git a/kex.c b/kex.c index 9280dd3f4..5b7b1e86a 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.102 2015/01/19 20:16:15 markus Exp $ */ +/* $OpenBSD: kex.c,v 1.103 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -25,7 +25,7 @@ #include "includes.h" -#include +#include /* MAX roundup */ #include #include diff --git a/kexgexs.c b/kexgexs.c index d45682063..ca5ee13e9 100644 --- a/kexgexs.c +++ b/kexgexs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexs.c,v 1.22 2015/01/20 07:55:33 djm Exp $ */ +/* $OpenBSD: kexgexs.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -28,7 +28,7 @@ #ifdef WITH_OPENSSL -#include +#include /* MIN MAX */ #include #include diff --git a/key.c b/key.c index 37eb67634..c2b696af9 100644 --- a/key.c +++ b/key.c @@ -1,15 +1,15 @@ -/* $OpenBSD: key.c,v 1.125 2015/01/08 10:14:08 djm Exp $ */ +/* $OpenBSD: key.c,v 1.126 2015/01/20 23:14:00 deraadt Exp $ */ /* * placed in the public domain */ #include "includes.h" -#include #include #include #include #include +#include #define SSH_KEY_NO_DEFINE #include "key.h" diff --git a/krl.c b/krl.c index acfb22732..363bf122f 100644 --- a/krl.c +++ b/krl.c @@ -14,12 +14,12 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.28 2015/01/19 17:35:48 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.29 2015/01/20 23:14:00 deraadt Exp $ */ #include "includes.h" +#include /* MIN */ #include -#include #include #include diff --git a/moduli.c b/moduli.c index 729d55c10..ed1bdc946 100644 --- a/moduli.c +++ b/moduli.c @@ -1,4 +1,4 @@ -/* $OpenBSD: moduli.c,v 1.29 2014/08/21 01:08:52 doug Exp $ */ +/* $OpenBSD: moduli.c,v 1.30 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson @@ -41,7 +41,7 @@ #ifdef WITH_OPENSSL -#include +#include /* MAX */ #include #include @@ -54,6 +54,7 @@ #include #include #include +#include #include "xmalloc.h" #include "dh.h" @@ -449,11 +450,11 @@ static void write_checkpoint(char *cpfile, u_int32_t lineno) { FILE *fp; - char tmp[MAXPATHLEN]; + char tmp[PATH_MAX]; int r; r = snprintf(tmp, sizeof(tmp), "%s.XXXXXXXXXX", cpfile); - if (r == -1 || r >= MAXPATHLEN) { + if (r == -1 || r >= PATH_MAX) { logit("write_checkpoint: temp pathname too long"); return; } diff --git a/monitor.c b/monitor.c index 40fff097d..90db9800b 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.140 2015/01/19 20:16:15 markus Exp $ */ +/* $OpenBSD: monitor.c,v 1.141 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -28,7 +28,6 @@ #include "includes.h" #include -#include #include #include "openbsd-compat/sys-tree.h" #include @@ -42,6 +41,7 @@ #include #include #include +#include #include #include #include diff --git a/monitor_mm.c b/monitor_mm.c index 0ba0658a1..f224fb67e 100644 --- a/monitor_mm.c +++ b/monitor_mm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_mm.c,v 1.19 2014/01/04 17:50:55 tedu Exp $ */ +/* $OpenBSD: monitor_mm.c,v 1.20 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright 2002 Niels Provos * All rights reserved. @@ -30,7 +30,6 @@ #ifdef HAVE_SYS_MMAN_H #include #endif -#include #include "openbsd-compat/sys-tree.h" #include @@ -38,6 +37,7 @@ #include #include #include +#include #include "xmalloc.h" #include "ssh.h" diff --git a/mux.c b/mux.c index 52d478c2b..f3faaeec9 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.49 2014/12/22 07:24:11 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.50 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -33,7 +33,6 @@ #include "includes.h" #include -#include #include #include #include diff --git a/packet.c b/packet.c index cf9d3648b..2c8d8aa9b 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.202 2015/01/19 20:30:23 markus Exp $ */ +/* $OpenBSD: packet.c,v 1.203 2015/01/20 23:14:00 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -39,9 +39,9 @@ #include "includes.h" +#include /* MIN roundup */ #include #include "openbsd-compat/sys-queue.h" -#include #include #ifdef HAVE_SYS_TIME_H # include @@ -57,6 +57,7 @@ #include #include #include +#include #include #include diff --git a/sandbox-systrace.c b/sandbox-systrace.c index aaa3d8f0a..f30e70575 100644 --- a/sandbox-systrace.c +++ b/sandbox-systrace.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sandbox-systrace.c,v 1.13 2014/07/17 00:10:56 djm Exp $ */ +/* $OpenBSD: sandbox-systrace.c,v 1.14 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -20,7 +20,6 @@ #ifdef SANDBOX_SYSTRACE #include -#include #include #include #include @@ -37,6 +36,7 @@ #include #include #include +#include #include "atomicio.h" #include "log.h" diff --git a/serverloop.c b/serverloop.c index 83a1e010d..48bb3f631 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.175 2015/01/19 20:16:15 markus Exp $ */ +/* $OpenBSD: serverloop.c,v 1.176 2015/01/20 23:14:00 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -37,8 +37,8 @@ #include "includes.h" +#include /* MIN MAX */ #include -#include #include #include #ifdef HAVE_SYS_TIME_H diff --git a/sftp-client.c b/sftp-client.c index 574da833a..80f4805cb 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.116 2015/01/14 13:54:13 djm Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.117 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -22,8 +22,8 @@ #include "includes.h" +#include /* MIN MAX */ #include -#include #ifdef HAVE_SYS_STATVFS_H #include #endif diff --git a/sftp-common.c b/sftp-common.c index 9c54d5c6b..9dc1f9831 100644 --- a/sftp-common.c +++ b/sftp-common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-common.c,v 1.27 2015/01/14 13:54:13 djm Exp $ */ +/* $OpenBSD: sftp-common.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Damien Miller. All rights reserved. @@ -26,9 +26,9 @@ #include "includes.h" +#include /* MAX */ #include #include -#include #include #include diff --git a/sftp-server.c b/sftp-server.c index 7d09504d9..4f735cd93 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.104 2015/01/14 13:54:13 djm Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.105 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -17,8 +17,8 @@ #include "includes.h" +#include /* MIN */ #include -#include #include #ifdef HAVE_SYS_TIME_H # include @@ -1055,7 +1055,7 @@ process_readdir(u_int32_t id) send_status(id, SSH2_FX_FAILURE); } else { struct stat st; - char pathname[MAXPATHLEN]; + char pathname[PATH_MAX]; Stat *stats; int nstats = 10, count = 0, i; @@ -1150,7 +1150,7 @@ process_rmdir(u_int32_t id) static void process_realpath(u_int32_t id) { - char resolvedname[MAXPATHLEN]; + char resolvedname[PATH_MAX]; char *path; int r; @@ -1238,7 +1238,7 @@ static void process_readlink(u_int32_t id) { int r, len; - char buf[MAXPATHLEN]; + char buf[PATH_MAX]; char *path; if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0) diff --git a/sftp.c b/sftp.c index eee472d08..cb9b967ed 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.169 2015/01/14 13:54:13 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.170 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -17,6 +17,7 @@ #include "includes.h" +#include /* MIN MAX */ #include #include #ifdef HAVE_SYS_STAT_H @@ -46,6 +47,7 @@ #else typedef void EditLine; #endif +#include #include #include #include @@ -1401,7 +1403,7 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, int cmdnum, i; unsigned long n_arg = 0; Attrib a, *aa; - char path_buf[MAXPATHLEN]; + char path_buf[PATH_MAX]; int err = 0; glob_t g; diff --git a/ssh-keyscan.c b/ssh-keyscan.c index e02a3bbb1..62dbd62fa 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.95 2015/01/19 20:32:39 markus Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.96 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -10,7 +10,6 @@ #include "includes.h" #include -#include #include "openbsd-compat/sys-queue.h" #include #ifdef HAVE_SYS_TIME_H diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index d487f023b..ceabc8ba7 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-helper.c,v 1.9 2014/12/11 08:20:09 djm Exp $ */ +/* $OpenBSD: ssh-pkcs11-helper.c,v 1.10 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -18,7 +18,6 @@ #include "includes.h" #include -#include #ifdef HAVE_SYS_TIME_H # include #endif diff --git a/ssh.c b/ssh.c index 5190f1f9b..430773c74 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.413 2015/01/16 07:19:48 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.414 2015/01/20 23:14:00 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -48,7 +48,6 @@ #endif #include #include -#include #include #include @@ -67,6 +66,7 @@ #include #include #include +#include #include #include @@ -454,7 +454,7 @@ resolve_canonicalize(char **hostp, int port) static void process_config_files(const char *host_arg, struct passwd *pw, int post_canon) { - char buf[MAXPATHLEN]; + char buf[PATH_MAX]; int r; if (config != NULL) { @@ -505,7 +505,7 @@ int main(int ac, char **av) { int i, r, opt, exit_status, use_syslog, config_test = 0; - char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg, *logfile; + char *p, *cp, *line, *argv0, buf[PATH_MAX], *host_arg, *logfile; char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; char cname[NI_MAXHOST]; struct stat st; diff --git a/sshbuf.c b/sshbuf.c index 78f5340a1..dbe0c9192 100644 --- a/sshbuf.c +++ b/sshbuf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshbuf.c,v 1.2 2014/06/25 14:16:09 deraadt Exp $ */ +/* $OpenBSD: sshbuf.c,v 1.3 2015/01/20 23:14:00 deraadt Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -18,8 +18,8 @@ #define SSHBUF_INTERNAL #include "includes.h" +#include /* roundup */ #include -#include #include #include #include diff --git a/sshconnect.c b/sshconnect.c index 1a633211a..6fc3fa520 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.255 2015/01/19 20:20:20 markus Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.256 2015/01/20 23:14:00 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -15,8 +15,8 @@ #include "includes.h" +#include /* roundup */ #include -#include #include #include #include diff --git a/sshd.c b/sshd.c index 6e40ba42e..ef63bd1e8 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.437 2015/01/20 20:16:21 markus Exp $ */ +/* $OpenBSD: sshd.c,v 1.438 2015/01/20 23:14:00 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -45,7 +45,6 @@ #include "includes.h" #include -#include #include #include #ifdef HAVE_SYS_STAT_H @@ -72,6 +71,7 @@ #include #include #include +#include #ifdef WITH_OPENSSL #include @@ -229,7 +229,7 @@ u_char *session_id2 = NULL; u_int session_id2_len = 0; /* record remote hostname or ip */ -u_int utmp_len = MAXHOSTNAMELEN; +u_int utmp_len = HOST_NAME_MAX+1; /* options.max_startup sized array of fd ints */ int *startup_pipes = NULL; @@ -1544,8 +1544,8 @@ main(int ac, char **av) exit(1); break; case 'u': - utmp_len = (u_int)strtonum(optarg, 0, MAXHOSTNAMELEN+1, NULL); - if (utmp_len > MAXHOSTNAMELEN) { + utmp_len = (u_int)strtonum(optarg, 0, HOST_NAME_MAX+1+1, NULL); + if (utmp_len > HOST_NAME_MAX+1) { fprintf(stderr, "Invalid utmp length.\n"); exit(1); } diff --git a/sshlogin.c b/sshlogin.c index 3313ac998..818312ff1 100644 --- a/sshlogin.c +++ b/sshlogin.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshlogin.c,v 1.30 2015/01/16 06:40:12 deraadt Exp $ */ +/* $OpenBSD: sshlogin.c,v 1.31 2015/01/20 23:14:00 deraadt Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -42,7 +42,6 @@ #include "includes.h" #include -#include /* MAXHOSTNAMELEN */ #include #include @@ -54,6 +53,7 @@ #include #include #include +#include #include "loginrec.h" #include "log.h" @@ -88,7 +88,7 @@ static void store_lastlog_message(const char *user, uid_t uid) { #ifndef NO_SSH_LASTLOG - char *time_string, hostname[MAXHOSTNAMELEN] = "", buf[512]; + char *time_string, hostname[HOST_NAME_MAX+1] = "", buf[512]; time_t last_login_time; if (!options.print_lastlog) -- cgit v1.2.3 From 5248429b5ec524d0a65507cff0cdd6e0cb99effd Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 23 Feb 2015 16:55:51 +0000 Subject: upstream commit add an XXX to remind me to improve sshkey_load_public --- authfile.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'authfile.c') diff --git a/authfile.c b/authfile.c index 7d7f45ead..3a81786c7 100644 --- a/authfile.c +++ b/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.110 2015/01/20 23:14:00 deraadt Exp $ */ +/* $OpenBSD: authfile.c,v 1.111 2015/02/23 16:55:51 djm Exp $ */ /* * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. * @@ -343,6 +343,8 @@ sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp) if (commentp != NULL) *commentp = NULL; + /* XXX should load file once and attempt to parse each format */ + if ((fd = open(filename, O_RDONLY)) < 0) goto skip; #ifdef WITH_SSH1 @@ -394,6 +396,7 @@ sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp) return 0; } sshkey_free(pub); + return r; } -- cgit v1.2.3