diff options
Diffstat (limited to 'crypto/openssh/sshd.c')
| -rw-r--r-- | crypto/openssh/sshd.c | 76 |
1 files changed, 39 insertions, 37 deletions
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c index 3db3551..dd7fcdd 100644 --- a/crypto/openssh/sshd.c +++ b/crypto/openssh/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.458 2015/08/20 22:32:42 deraadt Exp $ */ +/* $OpenBSD: sshd.c,v 1.465 2016/02/15 09:47:49 dtucker Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -132,7 +132,6 @@ __RCSID("$FreeBSD$"); #include "ssh-gss.h" #endif #include "monitor_wrap.h" -#include "roaming.h" #include "ssh-sandbox.h" #include "version.h" #include "ssherr.h" @@ -455,7 +454,7 @@ sshd_exchange_identification(int sock_in, int sock_out) options.version_addendum, newline); /* Send our protocol version identification. */ - if (roaming_atomicio(vwrite, sock_out, server_version_string, + if (atomicio(vwrite, sock_out, server_version_string, strlen(server_version_string)) != strlen(server_version_string)) { logit("Could not write ident string to %s", get_remote_ipaddr()); @@ -465,7 +464,7 @@ sshd_exchange_identification(int sock_in, int sock_out) /* Read other sides version identification. */ memset(buf, 0, sizeof(buf)); for (i = 0; i < sizeof(buf) - 1; i++) { - if (roaming_atomicio(read, sock_in, &buf[i], 1) != 1) { + if (atomicio(read, sock_in, &buf[i], 1) != 1) { logit("Did not receive identification string from %s", get_remote_ipaddr()); cleanup_exit(255); @@ -650,25 +649,23 @@ privsep_preauth_child(void) /* Demote the private keys to public keys. */ demote_sensitive_data(); - /* Change our root directory */ - if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) - fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, - strerror(errno)); - if (chdir("/") == -1) - fatal("chdir(\"/\"): %s", strerror(errno)); - - /* Drop our privileges */ - debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid, - (u_int)privsep_pw->pw_gid); -#if 0 - /* XXX not ready, too heavy after chroot */ - do_setusercontext(privsep_pw); -#else - gidset[0] = privsep_pw->pw_gid; - if (setgroups(1, gidset) < 0) - fatal("setgroups: %.100s", strerror(errno)); - permanently_set_uid(privsep_pw); -#endif + /* Demote the child */ + if (getuid() == 0 || geteuid() == 0) { + /* Change our root directory */ + if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) + fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, + strerror(errno)); + if (chdir("/") == -1) + fatal("chdir(\"/\"): %s", strerror(errno)); + + /* Drop our privileges */ + debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid, + (u_int)privsep_pw->pw_gid); + gidset[0] = privsep_pw->pw_gid; + if (setgroups(1, gidset) < 0) + fatal("setgroups: %.100s", strerror(errno)); + permanently_set_uid(privsep_pw); + } } static int @@ -734,9 +731,7 @@ privsep_preauth(Authctxt *authctxt) /* Arrange for logging to be sent to the monitor */ set_log_handler(mm_log_handler, pmonitor); - /* Demote the child */ - if (getuid() == 0 || geteuid() == 0) - privsep_preauth_child(); + privsep_preauth_child(); setproctitle("%s", "[net]"); if (box != NULL) ssh_sandbox_child(box); @@ -838,6 +833,12 @@ list_hostkey_types(void) buffer_append(&b, ",", 1); p = key_ssh_name(key); buffer_append(&b, p, strlen(p)); + + /* for RSA we also support SHA2 signatures */ + if (key->type == KEY_RSA) { + p = ",rsa-sha2-512,rsa-sha2-256"; + buffer_append(&b, p, strlen(p)); + } break; } /* If the private key has a cert peer, then list that too */ @@ -1278,8 +1279,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) for (;;) { if (received_sighup) sighup_restart(); - if (fdset != NULL) - free(fdset); + free(fdset); fdset = xcalloc(howmany(maxfd + 1, NFDBITS), sizeof(fd_mask)); @@ -1499,6 +1499,8 @@ main(int ac, char **av) Authctxt *authctxt; struct connection_info *connection_info = get_connection_info(0, 0); + ssh_malloc_init(); /* must be called before any mallocs */ + #ifdef HAVE_SECUREWARE (void)set_auth_parameters(ac, av); #endif @@ -1559,7 +1561,7 @@ main(int ac, char **av) no_daemon_flag = 1; break; case 'E': - logfile = xstrdup(optarg); + logfile = optarg; /* FALLTHROUGH */ case 'e': log_stderr = 1; @@ -1661,10 +1663,8 @@ main(int ac, char **av) #endif /* If requested, redirect the logs to the specified logfile. */ - if (logfile != NULL) { + if (logfile != NULL) log_redirect_stderr_to(logfile); - free(logfile); - } /* * Force logging to stderr until we have loaded the private host * key (unless started from inetd) @@ -2581,24 +2581,26 @@ do_ssh1_kex(void) int sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen, - const u_char *data, size_t dlen, u_int flag) + const u_char *data, size_t dlen, const char *alg, u_int flag) { int r; u_int xxx_slen, xxx_dlen = dlen; if (privkey) { - if (PRIVSEP(key_sign(privkey, signature, &xxx_slen, data, xxx_dlen) < 0)) + if (PRIVSEP(key_sign(privkey, signature, &xxx_slen, data, xxx_dlen, + alg) < 0)) fatal("%s: key_sign failed", __func__); if (slen) *slen = xxx_slen; } else if (use_privsep) { - if (mm_key_sign(pubkey, signature, &xxx_slen, data, xxx_dlen) < 0) + if (mm_key_sign(pubkey, signature, &xxx_slen, data, xxx_dlen, + alg) < 0) fatal("%s: pubkey_sign failed", __func__); if (slen) *slen = xxx_slen; } else { if ((r = ssh_agent_sign(auth_sock, pubkey, signature, slen, - data, dlen, datafellows)) != 0) + data, dlen, alg, datafellows)) != 0) fatal("%s: ssh_agent_sign failed: %s", __func__, ssh_err(r)); } @@ -2631,7 +2633,7 @@ do_ssh2_kex(void) } if (options.rekey_limit || options.rekey_interval) - packet_set_rekey_limits((u_int32_t)options.rekey_limit, + packet_set_rekey_limits(options.rekey_limit, (time_t)options.rekey_interval); myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
