diff options
| author | des <des@FreeBSD.org> | 2006-11-10 16:52:41 +0000 |
|---|---|---|
| committer | des <des@FreeBSD.org> | 2006-11-10 16:52:41 +0000 |
| commit | f486315183c122f23f1b35b42ac8dd3c2b635caa (patch) | |
| tree | 538ffcf6acb6ece62b0734e0707ef5a1e8efbd7a | |
| parent | 11e3a8c8c1e6142fc51e7fc357907b54bd433aa7 (diff) | |
| download | FreeBSD-src-f486315183c122f23f1b35b42ac8dd3c2b635caa.zip FreeBSD-src-f486315183c122f23f1b35b42ac8dd3c2b635caa.tar.gz | |
Resolve conflicts.
| -rw-r--r-- | crypto/openssh/audit-bsm.c | 2 | ||||
| -rw-r--r-- | crypto/openssh/auth-rsa.c | 10 | ||||
| -rw-r--r-- | crypto/openssh/auth.c | 2 | ||||
| -rw-r--r-- | crypto/openssh/bufaux.h | 55 | ||||
| -rw-r--r-- | crypto/openssh/configure.ac | 7 | ||||
| -rw-r--r-- | crypto/openssh/key.c | 16 | ||||
| -rw-r--r-- | crypto/openssh/monitor.c | 8 | ||||
| -rw-r--r-- | crypto/openssh/rsa.c | 18 | ||||
| -rw-r--r-- | crypto/openssh/serverloop.c | 8 | ||||
| -rw-r--r-- | crypto/openssh/session.c | 2 | ||||
| -rw-r--r-- | crypto/openssh/ssh-agent.c | 2 | ||||
| -rw-r--r-- | crypto/openssh/ssh-keyscan.c | 2 | ||||
| -rw-r--r-- | crypto/openssh/ssh.1 | 22 | ||||
| -rw-r--r-- | crypto/openssh/ssh.c | 2 | ||||
| -rw-r--r-- | crypto/openssh/ssh_config | 2 | ||||
| -rw-r--r-- | crypto/openssh/ssh_config.5 | 2 | ||||
| -rw-r--r-- | crypto/openssh/sshconnect.c | 11 | ||||
| -rw-r--r-- | crypto/openssh/sshconnect1.c | 22 | ||||
| -rw-r--r-- | crypto/openssh/sshd.c | 24 | ||||
| -rw-r--r-- | crypto/openssh/sshd_config | 2 | ||||
| -rw-r--r-- | crypto/openssh/sshd_config.5 | 2 | ||||
| -rw-r--r-- | crypto/openssh/version.h | 6 |
22 files changed, 100 insertions, 127 deletions
diff --git a/crypto/openssh/audit-bsm.c b/crypto/openssh/audit-bsm.c index 16a223f..224296a 100644 --- a/crypto/openssh/audit-bsm.c +++ b/crypto/openssh/audit-bsm.c @@ -1,4 +1,4 @@ -/* $Id: audit-bsm.c,v 1.4 2006/09/01 05:38:36 djm Exp $ */ +/* $Id: audit-bsm.c,v 1.5 2006/09/30 22:09:50 dtucker Exp $ */ /* * TODO diff --git a/crypto/openssh/auth-rsa.c b/crypto/openssh/auth-rsa.c index 8c43458..69f9a58 100644 --- a/crypto/openssh/auth-rsa.c +++ b/crypto/openssh/auth-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.71 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.72 2006/11/06 21:25:27 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -76,10 +76,12 @@ auth_rsa_generate_challenge(Key *key) if ((challenge = BN_new()) == NULL) fatal("auth_rsa_generate_challenge: BN_new() failed"); /* Generate a random challenge. */ - BN_rand(challenge, 256, 0, 0); + if (BN_rand(challenge, 256, 0, 0) == 0) + fatal("auth_rsa_generate_challenge: BN_rand failed"); if ((ctx = BN_CTX_new()) == NULL) - fatal("auth_rsa_generate_challenge: BN_CTX_new() failed"); - BN_mod(challenge, challenge, key->rsa->n, ctx); + fatal("auth_rsa_generate_challenge: BN_CTX_new failed"); + if (BN_mod(challenge, challenge, key->rsa->n, ctx) == 0) + fatal("auth_rsa_generate_challenge: BN_mod failed"); BN_CTX_free(ctx); return challenge; diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c index 5d1f218..2b6e09a 100644 --- a/crypto/openssh/auth.c +++ b/crypto/openssh/auth.c @@ -570,8 +570,6 @@ fakepw(void) fake.pw_passwd = "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; fake.pw_gecos = "NOUSER"; - fake.pw_uid = (uid_t)-1; - fake.pw_gid = (gid_t)-1; fake.pw_uid = privsep_pw->pw_uid; fake.pw_gid = privsep_pw->pw_gid; #ifdef HAVE_PW_CLASS_IN_PASSWD diff --git a/crypto/openssh/bufaux.h b/crypto/openssh/bufaux.h deleted file mode 100644 index 8a53598..0000000 --- a/crypto/openssh/bufaux.h +++ /dev/null @@ -1,55 +0,0 @@ -/* $OpenBSD: bufaux.h,v 1.22 2006/03/25 22:22:42 djm Exp $ */ - -/* - * Author: Tatu Ylonen <ylo@cs.hut.fi> - * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland - * All rights reserved - * - * As far as I am concerned, the code I have written for this software - * can be used freely for any purpose. Any derived versions of this - * software must be clearly marked as such, and if the derived work is - * incompatible with the protocol description in the RFC file, it must be - * called by a name other than "ssh" or "Secure Shell". - */ - -#ifndef BUFAUX_H -#define BUFAUX_H - -#include "buffer.h" -#include <openssl/bn.h> - -void buffer_put_bignum(Buffer *, const BIGNUM *); -void buffer_put_bignum2(Buffer *, const BIGNUM *); -void buffer_get_bignum(Buffer *, BIGNUM *); -void buffer_get_bignum2(Buffer *, BIGNUM *); - -u_short buffer_get_short(Buffer *); -void buffer_put_short(Buffer *, u_short); - -u_int buffer_get_int(Buffer *); -void buffer_put_int(Buffer *, u_int); - -u_int64_t buffer_get_int64(Buffer *); -void buffer_put_int64(Buffer *, u_int64_t); - -int buffer_get_char(Buffer *); -void buffer_put_char(Buffer *, int); - -void *buffer_get_string(Buffer *, u_int *); -void buffer_put_string(Buffer *, const void *, u_int); -void buffer_put_cstring(Buffer *, const char *); - -#define buffer_skip_string(b) \ - do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while (0) - -int buffer_put_bignum_ret(Buffer *, const BIGNUM *); -int buffer_get_bignum_ret(Buffer *, BIGNUM *); -int buffer_put_bignum2_ret(Buffer *, const BIGNUM *); -int buffer_get_bignum2_ret(Buffer *, BIGNUM *); -int buffer_get_short_ret(u_short *, Buffer *); -int buffer_get_int_ret(u_int *, Buffer *); -int buffer_get_int64_ret(u_int64_t *, Buffer *); -void *buffer_get_string_ret(Buffer *, u_int *); -int buffer_get_char_ret(char *, Buffer *); - -#endif /* BUFAUX_H */ diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac index 00196b0..485bfbd 100644 --- a/crypto/openssh/configure.ac +++ b/crypto/openssh/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.369 2006/10/03 16:34:35 tim Exp $ +# $Id: configure.ac,v 1.370 2006/10/06 23:07:21 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.369 $) +AC_REVISION($Revision: 1.370 $) AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_HEADER(config.h) @@ -3184,7 +3184,10 @@ AC_ARG_WITH(selinux, AC_MSG_ERROR(SELinux support requires selinux.h header)) AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], AC_MSG_ERROR(SELinux support requires libselinux library)) + save_LIBS="$LIBS" + LIBS="$LIBS $LIBSELINUX" AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) + LIBS="$save_LIBS" fi ] ) AC_SUBST(LIBSELINUX) diff --git a/crypto/openssh/key.c b/crypto/openssh/key.c index f3b3d6b..93b2d41 100644 --- a/crypto/openssh/key.c +++ b/crypto/openssh/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.67 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: key.c,v 1.68 2006/11/06 21:25:28 markus Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -617,16 +617,18 @@ key_from_private(const Key *k) switch (k->type) { case KEY_DSA: n = key_new(k->type); - BN_copy(n->dsa->p, k->dsa->p); - BN_copy(n->dsa->q, k->dsa->q); - BN_copy(n->dsa->g, k->dsa->g); - BN_copy(n->dsa->pub_key, k->dsa->pub_key); + if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || + (BN_copy(n->dsa->q, k->dsa->q) == NULL) || + (BN_copy(n->dsa->g, k->dsa->g) == NULL) || + (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) + fatal("key_from_private: BN_copy failed"); break; case KEY_RSA: case KEY_RSA1: n = key_new(k->type); - BN_copy(n->rsa->n, k->rsa->n); - BN_copy(n->rsa->e, k->rsa->e); + if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || + (BN_copy(n->rsa->e, k->rsa->e) == NULL)) + fatal("key_from_private: BN_copy failed"); break; default: fatal("key_from_private: unknown type %d", k->type); diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c index 0bc172f..8702a91 100644 --- a/crypto/openssh/monitor.c +++ b/crypto/openssh/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.88 2006/08/12 20:46:46 miod Exp $ */ +/* $OpenBSD: monitor.c,v 1.89 2006/11/07 10:31:31 markus Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Markus Friedl <markus@openbsd.org> @@ -359,7 +359,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) /* The first few requests do not require asynchronous access */ while (!authenticated) { auth_method = "unknown"; - authenticated = monitor_read(pmonitor, mon_dispatch, &ent); + authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); if (authenticated) { if (!(ent->flags & MON_AUTHDECIDE)) fatal("%s: unexpected authentication from %d", @@ -1226,7 +1226,7 @@ mm_answer_keyverify(int sock, Buffer *m) verified = key_verify(key, signature, signaturelen, data, datalen); debug3("%s: key %p signature %s", - __func__, key, verified ? "verified" : "unverified"); + __func__, key, (verified == 1) ? "verified" : "unverified"); key_free(key); xfree(blob); @@ -1241,7 +1241,7 @@ mm_answer_keyverify(int sock, Buffer *m) buffer_put_int(m, verified); mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m); - return (verified); + return (verified == 1); } static void diff --git a/crypto/openssh/rsa.c b/crypto/openssh/rsa.c index 08cc820..bec1d19 100644 --- a/crypto/openssh/rsa.c +++ b/crypto/openssh/rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.c,v 1.28 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: rsa.c,v 1.29 2006/11/06 21:25:28 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -91,7 +91,8 @@ rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key) RSA_PKCS1_PADDING)) <= 0) fatal("rsa_public_encrypt() failed"); - BN_bin2bn(outbuf, len, out); + if (BN_bin2bn(outbuf, len, out) == NULL) + fatal("rsa_public_encrypt: BN_bin2bn failed"); memset(outbuf, 0, olen); memset(inbuf, 0, ilen); @@ -116,7 +117,8 @@ rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key) RSA_PKCS1_PADDING)) <= 0) { error("rsa_private_decrypt() failed"); } else { - BN_bin2bn(outbuf, len, out); + if (BN_bin2bn(outbuf, len, out) == NULL) + fatal("rsa_private_decrypt: BN_bin2bn failed"); } memset(outbuf, 0, olen); memset(inbuf, 0, ilen); @@ -137,11 +139,11 @@ rsa_generate_additional_parameters(RSA *rsa) if ((ctx = BN_CTX_new()) == NULL) fatal("rsa_generate_additional_parameters: BN_CTX_new failed"); - BN_sub(aux, rsa->q, BN_value_one()); - BN_mod(rsa->dmq1, rsa->d, aux, ctx); - - BN_sub(aux, rsa->p, BN_value_one()); - BN_mod(rsa->dmp1, rsa->d, aux, ctx); + if ((BN_sub(aux, rsa->q, BN_value_one()) == 0) || + (BN_mod(rsa->dmq1, rsa->d, aux, ctx) == 0) || + (BN_sub(aux, rsa->p, BN_value_one()) == 0) || + (BN_mod(rsa->dmp1, rsa->d, aux, ctx) == 0)) + fatal("rsa_generate_additional_parameters: BN_sub/mod failed"); BN_clear_free(aux); BN_CTX_free(ctx); diff --git a/crypto/openssh/serverloop.c b/crypto/openssh/serverloop.c index 6e5fdc2..69304b5 100644 --- a/crypto/openssh/serverloop.c +++ b/crypto/openssh/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.144 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: serverloop.c,v 1.145 2006/10/11 12:38:03 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -248,8 +248,10 @@ client_alive_check(void) int channel_id; /* timeout, check to see how many we have had */ - if (++client_alive_timeouts > options.client_alive_count_max) - packet_disconnect("Timeout, your session not responding."); + if (++client_alive_timeouts > options.client_alive_count_max) { + logit("Timeout, client not responding."); + cleanup_exit(255); + } /* * send a bogus global/channel request with "wantreply", diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c index fb33d49..a752e72 100644 --- a/crypto/openssh/session.c +++ b/crypto/openssh/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.219 2006/08/29 10:40:19 djm Exp $ */ +/* $OpenBSD: session.c,v 1.220 2006/10/09 23:36:11 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c index df9024a..29a4e5a 100644 --- a/crypto/openssh/ssh-agent.c +++ b/crypto/openssh/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.152 2006/08/04 20:46:05 stevesk Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.153 2006/10/06 02:29:19 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c index 416d3f5..b198640 100644 --- a/crypto/openssh/ssh-keyscan.c +++ b/crypto/openssh/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.73 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.74 2006/10/06 02:29:19 djm Exp $ */ /* * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. * diff --git a/crypto/openssh/ssh.1 b/crypto/openssh/ssh.1 index a26d771..b04616a 100644 --- a/crypto/openssh/ssh.1 +++ b/crypto/openssh/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.263 2006/07/11 18:50:48 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.265 2006/10/28 18:08:10 otto Exp $ .\" $FreeBSD$ .Dd September 25, 1999 .Dt SSH 1 @@ -1079,12 +1079,22 @@ controls whether the server supports this, and at what level (layer 2 or 3 traffic). .Pp The following example would connect client network 10.0.50.0/24 -with remote network 10.0.99.0/24, provided that the SSH server -running on the gateway to the remote network, -at 192.168.1.15, allows it: +with remote network 10.0.99.0/24 using a point-to-point connection +from 10.1.1.1 to 10.1.1.2, +provided that the SSH server running on the gateway to the remote network, +at 192.168.1.15, allows it. +.Pp +On the client: .Bd -literal -offset indent # ssh -f -w 0:1 192.168.1.15 true -# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252 +# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252 +# route add 10.0.99.0/24 10.1.1.2 +.Ed +.Pp +On the server: +.Bd -literal -offset indent +# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252 +# route add 10.0.50.0/24 10.1.1.1 .Ed .Pp Client access may be more finely tuned via the @@ -1107,7 +1117,7 @@ tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john .Ed .Pp -Since a SSH-based setup entails a fair amount of overhead, +Since an SSH-based setup entails a fair amount of overhead, it may be more suited to temporary setups, such as for wireless VPNs. More permanent VPNs are better provided by tools such as diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c index bb3c810..67844a9 100644 --- a/crypto/openssh/ssh.c +++ b/crypto/openssh/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.293 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: ssh.c,v 1.294 2006/10/06 02:29:19 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config index 4cda5ad..07e4086 100644 --- a/crypto/openssh/ssh_config +++ b/crypto/openssh/ssh_config @@ -43,4 +43,4 @@ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no -# VersionAddendum FreeBSD-20060930 +# VersionAddendum FreeBSD-20061110 diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5 index 6a66cd7..c648cdf 100644 --- a/crypto/openssh/ssh_config.5 +++ b/crypto/openssh/ssh_config.5 @@ -1040,7 +1040,7 @@ in Specifies a string to append to the regular version string to identify OS- or site-specific modifications. The default is -.Dq FreeBSD-20060930 . +.Dq FreeBSD-20061110 . .It Cm XAuthLocation Specifies the full pathname of the .Xr xauth 1 diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c index a7a4e8a..a222233 100644 --- a/crypto/openssh/sshconnect.c +++ b/crypto/openssh/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.199 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.200 2006/10/10 10:12:45 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -324,9 +324,11 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, gai_strerror(gaierr)); for (attempt = 0; attempt < connection_attempts; attempt++) { - if (attempt > 0) + if (attempt > 0) { + /* Sleep a moment before retrying. */ + sleep(1); debug("Trying again..."); - + } /* * Loop through addresses for this host, and try each one in * sequence until the connection succeeds. @@ -363,9 +365,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, } if (sock != -1) break; /* Successful connection. */ - - /* Sleep a moment before retrying. */ - sleep(1); } freeaddrinfo(aitop); diff --git a/crypto/openssh/sshconnect1.c b/crypto/openssh/sshconnect1.c index 90fcb34..fd07bbf 100644 --- a/crypto/openssh/sshconnect1.c +++ b/crypto/openssh/sshconnect1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect1.c,v 1.69 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: sshconnect1.c,v 1.70 2006/11/06 21:25:28 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -563,14 +563,20 @@ ssh_kex(char *host, struct sockaddr *hostaddr) * the first 16 bytes of the session id. */ if ((key = BN_new()) == NULL) - fatal("respond_to_rsa_challenge: BN_new failed"); - BN_set_word(key, 0); + fatal("ssh_kex: BN_new failed"); + if (BN_set_word(key, 0) == 0) + fatal("ssh_kex: BN_set_word failed"); for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) { - BN_lshift(key, key, 8); - if (i < 16) - BN_add_word(key, session_key[i] ^ session_id[i]); - else - BN_add_word(key, session_key[i]); + if (BN_lshift(key, key, 8) == 0) + fatal("ssh_kex: BN_lshift failed"); + if (i < 16) { + if (BN_add_word(key, session_key[i] ^ session_id[i]) + == 0) + fatal("ssh_kex: BN_add_word failed"); + } else { + if (BN_add_word(key, session_key[i]) == 0) + fatal("ssh_kex: BN_add_word failed"); + } } /* diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c index 151aa04..5832526 100644 --- a/crypto/openssh/sshd.c +++ b/crypto/openssh/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.347 2006/08/18 09:15:20 markus Exp $ */ +/* $OpenBSD: sshd.c,v 1.348 2006/11/06 21:25:28 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1441,13 +1441,17 @@ main(int ac, char **av) debug("sshd version %.100s", SSH_RELEASE); - /* Store privilege separation user for later use */ - if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) - fatal("Privilege separation user %s does not exist", - SSH_PRIVSEP_USER); - memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd)); - privsep_pw->pw_passwd = "*"; - privsep_pw = pwcopy(privsep_pw); + /* Store privilege separation user for later use if required. */ + if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { + if (use_privsep || options.kerberos_authentication) + fatal("Privilege separation user %s does not exist", + SSH_PRIVSEP_USER); + } else { + memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd)); + privsep_pw = pwcopy(privsep_pw); + xfree(privsep_pw->pw_passwd); + privsep_pw->pw_passwd = xstrdup("*"); + } endpwent(); /* load private host keys */ @@ -2042,10 +2046,10 @@ do_ssh1_kex(void) * key is in the highest bits. */ if (!rsafail) { - BN_mask_bits(session_key_int, sizeof(session_key) * 8); + (void) BN_mask_bits(session_key_int, sizeof(session_key) * 8); len = BN_num_bytes(session_key_int); if (len < 0 || (u_int)len > sizeof(session_key)) { - error("do_connection: bad session key len from %s: " + error("do_ssh1_kex: bad session key len from %s: " "session_key_int %d > sizeof(session_key) %lu", get_remote_ipaddr(), len, (u_long)sizeof(session_key)); rsafail++; diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config index 237f72b..e01d240 100644 --- a/crypto/openssh/sshd_config +++ b/crypto/openssh/sshd_config @@ -14,7 +14,7 @@ # Note that some of FreeBSD's defaults differ from OpenBSD's, and # FreeBSD has a few additional options. -#VersionAddendum FreeBSD-20060930 +#VersionAddendum FreeBSD-20061110 #Port 22 #Protocol 2 diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5 index 0975114..7741dca 100644 --- a/crypto/openssh/sshd_config.5 +++ b/crypto/openssh/sshd_config.5 @@ -860,7 +860,7 @@ The default is Specifies a string to append to the regular version string to identify OS- or site-specific modifications. The default is -.Dq FreeBSD-20060930 . +.Dq FreeBSD-20061110 . .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h index 628f93f..3976bd1 100644 --- a/crypto/openssh/version.h +++ b/crypto/openssh/version.h @@ -1,12 +1,12 @@ -/* $OpenBSD: version.h,v 1.47 2006/08/30 00:14:37 djm Exp $ */ +/* $OpenBSD: version.h,v 1.48 2006/11/07 10:31:31 markus Exp $ */ /* $FreeBSD$ */ #ifndef SSH_VERSION #define SSH_VERSION (ssh_version_get()) #define SSH_RELEASE (ssh_version_get()) -#define SSH_VERSION_BASE "OpenSSH_4.4p1" -#define SSH_VERSION_ADDENDUM "FreeBSD-20060930" +#define SSH_VERSION_BASE "OpenSSH_4.5p1" +#define SSH_VERSION_ADDENDUM "FreeBSD-20061110" const char *ssh_version_get(void); void ssh_version_set_addendum(const char *add); |
