optimized FD_CLOEXEC on accept socket
This commit is contained in:
parent
f974d29a95
commit
61d8caa61f
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.3p1/channels.c.cloexec openssh-5.3p1/channels.c
|
||||
--- openssh-5.3p1/channels.c.cloexec 2010-01-19 09:26:50.000000000 +0100
|
||||
+++ openssh-5.3p1/channels.c 2010-01-19 09:26:51.000000000 +0100
|
||||
--- openssh-5.3p1/channels.c.cloexec 2010-01-25 17:25:58.000000000 +0100
|
||||
+++ openssh-5.3p1/channels.c 2010-01-25 17:26:01.000000000 +0100
|
||||
@@ -60,6 +60,7 @@
|
||||
#include <termios.h>
|
||||
#include <unistd.h>
|
||||
@ -29,8 +29,8 @@ diff -up openssh-5.3p1/channels.c.cloexec openssh-5.3p1/channels.c
|
||||
c->wfd = wfd;
|
||||
c->sock = (rfd == wfd) ? rfd : -1;
|
||||
diff -up openssh-5.3p1/sshconnect2.c.cloexec openssh-5.3p1/sshconnect2.c
|
||||
--- openssh-5.3p1/sshconnect2.c.cloexec 2010-01-19 09:26:50.000000000 +0100
|
||||
+++ openssh-5.3p1/sshconnect2.c 2010-01-19 09:26:51.000000000 +0100
|
||||
--- openssh-5.3p1/sshconnect2.c.cloexec 2010-01-25 17:25:58.000000000 +0100
|
||||
+++ openssh-5.3p1/sshconnect2.c 2010-01-25 17:26:01.000000000 +0100
|
||||
@@ -39,6 +39,7 @@
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
@ -49,7 +49,7 @@ diff -up openssh-5.3p1/sshconnect2.c.cloexec openssh-5.3p1/sshconnect2.c
|
||||
if (dup2(from[1], STDOUT_FILENO) < 0)
|
||||
diff -up openssh-5.3p1/sshconnect.c.cloexec openssh-5.3p1/sshconnect.c
|
||||
--- openssh-5.3p1/sshconnect.c.cloexec 2009-06-21 10:53:53.000000000 +0200
|
||||
+++ openssh-5.3p1/sshconnect.c 2010-01-19 09:26:51.000000000 +0100
|
||||
+++ openssh-5.3p1/sshconnect.c 2010-01-25 17:26:01.000000000 +0100
|
||||
@@ -38,6 +38,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
@ -72,13 +72,16 @@ diff -up openssh-5.3p1/sshconnect.c.cloexec openssh-5.3p1/sshconnect.c
|
||||
/* Bind the socket to an alternative local IP address */
|
||||
if (options.bind_address == NULL)
|
||||
diff -up openssh-5.3p1/sshd.c.cloexec openssh-5.3p1/sshd.c
|
||||
--- openssh-5.3p1/sshd.c.cloexec 2010-01-19 09:43:45.000000000 +0100
|
||||
+++ openssh-5.3p1/sshd.c 2010-01-19 09:47:04.000000000 +0100
|
||||
@@ -1105,6 +1105,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
error("accept: %.100s", strerror(errno));
|
||||
continue;
|
||||
}
|
||||
+ fcntl(*newsock, F_SETFD, FD_CLOEXEC);
|
||||
if (unset_nonblock(*newsock) == -1) {
|
||||
close(*newsock);
|
||||
continue;
|
||||
--- openssh-5.3p1/sshd.c.cloexec 2010-01-25 17:25:55.000000000 +0100
|
||||
+++ openssh-5.3p1/sshd.c 2010-01-25 18:29:23.000000000 +0100
|
||||
@@ -1756,6 +1756,10 @@ main(int ac, char **av)
|
||||
sock_in, sock_out, newsock, startup_pipe, config_s[0]);
|
||||
}
|
||||
|
||||
+ /* set fd cloexec on io/sockets to avoid to forward them to childern */
|
||||
+ fcntl(sock_out, F_SETFD, FD_CLOEXEC);
|
||||
+ fcntl(sock_in, F_SETFD, FD_CLOEXEC);
|
||||
+
|
||||
/*
|
||||
* Disable the key regeneration alarm. We will not regenerate the
|
||||
* key since we are no longer in a position to give it to anyone. We
|
||||
|
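Review bot: Both `fcntl(sock_out, F_SETFD, FD_CLOEXEC)` and `fcntl(sock_in, F_SETFD, FD_CLOEXEC)` in the sshd.c `main` hunk discard the return value, so a failure leaves the client connection inheritable by every process sshd later spawns, which is exactly what the comment above them says the calls are meant to prevent, and nothing is logged. The file already reports such failures through `error()` (see the `accept:` line in the server_accept_loop hunk), so the same form fits here: `if (fcntl(sock_in, F_SETFD, FD_CLOEXEC) == -1) error("fcntl(sock_in, F_SETFD, FD_CLOEXEC): %s", strerror(errno));` and likewise for `sock_out`. The comment should read `/* set FD_CLOEXEC on the connection sockets so they are not forwarded to children */` ("childern" is a typo). The enclosing `main` starts and ends outside the hunk, and the `fcntl(*newsock, ...)` line in the server_accept_loop hunk appears to be the old side of this change, so it is not reviewed here.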
@ -1,110 +1,13 @@
|
||||
diff -up openssh-5.3p1/ssh-add.c.randclean openssh-5.3p1/ssh-add.c
|
||||
--- openssh-5.3p1/ssh-add.c.randclean 2010-01-20 19:13:28.000000000 +0100
|
||||
+++ openssh-5.3p1/ssh-add.c 2010-01-20 19:13:29.000000000 +0100
|
||||
@@ -41,6 +41,7 @@
|
||||
#include <sys/stat.h>
|
||||
#include <sys/param.h>
|
||||
|
||||
+#include <openssl/rand.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/fips.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
@@ -471,6 +472,9 @@ main(int argc, char **argv)
|
||||
int use_nss = 0;
|
||||
#endif
|
||||
diff -up openssh-5.3p1/entropy.c.randclean openssh-5.3p1/entropy.c
|
||||
--- openssh-5.3p1/entropy.c.randclean 2010-01-21 09:26:30.000000000 +0100
|
||||
+++ openssh-5.3p1/entropy.c 2010-01-21 09:26:37.000000000 +0100
|
||||
@@ -159,6 +159,9 @@ init_rng(void)
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
|
||||
+ /* clean the PRNG status when exiting the program */
|
||||
+ atexit(RAND_cleanup);
|
||||
+
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
|
||||
diff -up openssh-5.3p1/ssh.c.randclean openssh-5.3p1/ssh.c
|
||||
--- openssh-5.3p1/ssh.c.randclean 2010-01-20 19:13:29.000000000 +0100
|
||||
+++ openssh-5.3p1/ssh.c 2010-01-20 19:13:29.000000000 +0100
|
||||
@@ -70,6 +70,7 @@
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
|
||||
+#include <openssl/rand.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/fips.h>
|
||||
@@ -220,6 +221,9 @@ main(int ac, char **av)
|
||||
struct servent *sp;
|
||||
Forward fwd;
|
||||
|
||||
+ /* clean the PRNG status when exiting the program */
|
||||
+ atexit(RAND_cleanup);
|
||||
+
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
|
||||
diff -up openssh-5.3p1/sshd.c.randclean openssh-5.3p1/sshd.c
|
||||
--- openssh-5.3p1/sshd.c.randclean 2010-01-20 19:13:29.000000000 +0100
|
||||
+++ openssh-5.3p1/sshd.c 2010-01-20 19:13:29.000000000 +0100
|
||||
@@ -1263,6 +1263,9 @@ main(int ac, char **av)
|
||||
Key *key;
|
||||
Authctxt *authctxt;
|
||||
|
||||
+ /* clean the PRNG status when exiting the program */
|
||||
+ atexit(RAND_cleanup);
|
||||
+
|
||||
#ifdef HAVE_SECUREWARE
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
|
||||
diff -up openssh-5.3p1/ssh-keygen.c.randclean openssh-5.3p1/ssh-keygen.c
|
||||
--- openssh-5.3p1/ssh-keygen.c.randclean 2010-01-20 19:13:29.000000000 +0100
|
||||
+++ openssh-5.3p1/ssh-keygen.c 2010-01-20 19:13:29.000000000 +0100
|
||||
@@ -19,6 +19,7 @@
|
||||
#include <sys/stat.h>
|
||||
#include <sys/param.h>
|
||||
|
||||
+#include <openssl/rand.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/fips.h>
|
||||
@@ -1120,6 +1121,9 @@ main(int argc, char **argv)
|
||||
extern int optind;
|
||||
extern char *optarg;
|
||||
|
||||
+ /* clean the PRNG status when exiting the program */
|
||||
+ atexit(RAND_cleanup);
|
||||
+
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
|
||||
diff -up openssh-5.3p1/ssh-keyscan.c.randclean openssh-5.3p1/ssh-keyscan.c
|
||||
--- openssh-5.3p1/ssh-keyscan.c.randclean 2009-01-28 06:31:23.000000000 +0100
|
||||
+++ openssh-5.3p1/ssh-keyscan.c 2010-01-20 19:21:16.000000000 +0100
|
||||
@@ -18,6 +18,7 @@
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
|
||||
+#include <openssl/rand.h>
|
||||
#include <openssl/bn.h>
|
||||
|
||||
#include <netdb.h>
|
||||
@@ -730,6 +731,9 @@ main(int argc, char **argv)
|
||||
extern int optind;
|
||||
extern char *optarg;
|
||||
|
||||
+ /* clean the PRNG status when exiting the program */
|
||||
+ atexit(RAND_cleanup);
|
||||
+
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
init_rng();
|
||||
seed_rng();
|
||||
diff -up openssh-5.3p1/ssh-keysign.c.randclean openssh-5.3p1/ssh-keysign.c
|
||||
--- openssh-5.3p1/ssh-keysign.c.randclean 2006-09-01 07:38:37.000000000 +0200
|
||||
+++ openssh-5.3p1/ssh-keysign.c 2010-01-20 19:13:29.000000000 +0100
|
||||
@@ -158,6 +158,9 @@ main(int argc, char **argv)
|
||||
u_int slen, dlen;
|
||||
u_int32_t rnd[256];
|
||||
|
||||
+ /* clean the PRNG status when exiting the program */
|
||||
+ atexit(RAND_cleanup);
|
||||
+
|
||||
/* Ensure that stdin and stdout are connected */
|
||||
if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
|
||||
exit(1);
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
original_uid = getuid();
|
||||
original_euid = geteuid();
|
||||
|
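Review bot: `atexit(RAND_cleanup)` in the entropy.c `init_rng` hunk, which appears to be the only part of this patch surviving the change, is registered without checking the return value; `atexit` can fail, and a silent failure means the PRNG state is never wiped at exit. A check in the style this file already uses would be `if (atexit(RAND_cleanup) != 0) fatal("atexit(RAND_cleanup) failed");`, since `fatal` is called two lines above. The comment should also state that this is best effort, because handlers registered with `atexit` run only on `exit()`, e.g. `/* wipe the PRNG state on exit(); _exit() and signal termination bypass this */`. The enclosing `init_rng` continues outside the hunk.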
@ -69,7 +69,7 @@
|
||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
Version: 5.3p1
|
||||
Release: 16%{?dist}%{?rescue_rel}
|
||||
Release: 18%{?dist}%{?rescue_rel}
|
||||
URL: http://www.openssh.com/portable.html
|
||||
#URL1: http://pamsshauth.sourceforge.net
|
||||
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
@ -527,6 +527,12 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Jan 28 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-18
|
||||
- optimized FD_CLOEXEC on accept socket (#541809)
|
||||
|
||||
* Thu Jan 21 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-17
|
||||
- optimized RAND_cleanup patch (#557166)
|
||||
|
||||
* Wed Jan 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-16
|
||||
- add RAND_cleanup at the exit of each program using RAND (#557166)
|
||||
|
||||
|