Compare commits
23 Commits
Author | SHA1 | Date |
---|---|---|
|
4769e25cb1 | |
|
e3688ed6ab | |
|
9718c78d6b | |
|
e83e64b469 | |
|
6d6c363361 | |
|
284aebf281 | |
|
6b64f7566c | |
|
87ef7b8238 | |
|
11084609c9 | |
|
91cb47ec28 | |
|
2de83b1356 | |
|
2f3cd96ab9 | |
|
b64b2cc975 | |
|
1232a2070b | |
|
c53250668e | |
|
4a92081130 | |
|
3c7aefbbeb | |
|
f9f5754ffc | |
|
2ab5418106 | |
|
a1fe096ff3 | |
|
9f170e3ec1 | |
|
81226fcc51 | |
|
66d55f7a69 |
|
@ -1,14 +1,11 @@
|
|||
diff -up openssh-5.8p1/sshd_config.localdomain openssh-5.8p1/sshd_config
|
||||
--- openssh-5.8p1/sshd_config.localdomain 2011-04-22 11:37:49.273648812 +0200
|
||||
+++ openssh-5.8p1/sshd_config 2011-04-22 11:39:31.758648401 +0200
|
||||
@@ -130,6 +130,10 @@ X11Forwarding yes
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
diff --git a/ssh_config b/ssh_config
|
||||
--- a/ssh_config
|
||||
+++ b/ssh_config
|
||||
@@ -48,3 +48,7 @@
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
+#
|
||||
+# Uncomment this if you want to use .local domain
|
||||
+#Host *.local
|
||||
+# CheckHostIP no
|
||||
+
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
||||
|
|
|
@ -30,7 +30,7 @@ diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
|
|||
+ if (authctxt->krb5_ticket_file[0] == ':')
|
||||
+ authctxt->krb5_ticket_file++;
|
||||
+
|
||||
+ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type);
|
||||
+ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type) + 2;
|
||||
authctxt->krb5_ccname = xmalloc(len);
|
||||
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
|
||||
+
|
||||
|
|
|
@ -1,167 +0,0 @@
|
|||
diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c
|
||||
--- openssh-6.3p1/auth-krb5.c.kuserok 2013-10-11 21:41:42.889087613 +0200
|
||||
+++ openssh-6.3p1/auth-krb5.c 2013-10-11 21:41:42.905087537 +0200
|
||||
@@ -55,6 +55,20 @@
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
+int
|
||||
+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client)
|
||||
+{
|
||||
+ if (options.use_kuserok)
|
||||
+ return krb5_kuserok(krb5_ctx, krb5_user, client);
|
||||
+ else {
|
||||
+ char kuser[65];
|
||||
+
|
||||
+ if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
|
||||
+ return 0;
|
||||
+ return strcmp(kuser, client) == 0;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static int
|
||||
krb5_init(void *context)
|
||||
{
|
||||
@@ -159,7 +173,7 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
|
||||
+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
|
||||
problem = -1;
|
||||
goto out;
|
||||
}
|
||||
diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c
|
||||
--- openssh-6.3p1/gss-serv-krb5.c.kuserok 2013-10-11 21:41:42.901087556 +0200
|
||||
+++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:46:42.898673597 +0200
|
||||
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
|
||||
int);
|
||||
|
||||
static krb5_context krb_context = NULL;
|
||||
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
|
||||
|
||||
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
|
||||
|
||||
@@ -116,7 +117,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
|
||||
/* NOTE: .k5login and .k5users must opened as root, not the user,
|
||||
* because if they are on a krb5-protected filesystem, user credentials
|
||||
* to access these files aren't available yet. */
|
||||
- if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
|
||||
+ if (ssh_krb5_kuserok(krb_context, princ, name) && k5login_exists) {
|
||||
retval = 1;
|
||||
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
||||
name, (char *)client->displayname.value);
|
||||
diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
|
||||
--- openssh-6.3p1/servconf.c.kuserok 2013-10-11 21:41:42.896087580 +0200
|
||||
+++ openssh-6.3p1/servconf.c 2013-10-11 21:48:24.664194016 +0200
|
||||
@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions
|
||||
options->ip_qos_interactive = -1;
|
||||
options->ip_qos_bulk = -1;
|
||||
options->version_addendum = NULL;
|
||||
+ options->use_kuserok = -1;
|
||||
}
|
||||
|
||||
void
|
||||
@@ -310,6 +311,8 @@ fill_default_server_options(ServerOption
|
||||
options->version_addendum = xstrdup("");
|
||||
if (options->show_patchlevel == -1)
|
||||
options->show_patchlevel = 0;
|
||||
+ if (options->use_kuserok == -1)
|
||||
+ options->use_kuserok = 1;
|
||||
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
@@ -336,7 +339,7 @@ typedef enum {
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
- sKerberosGetAFSToken,
|
||||
+ sKerberosGetAFSToken, sKerberosUseKuserok,
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
@@ -409,11 +412,13 @@ static struct {
|
||||
#else
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
|
||||
#else
|
||||
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
|
||||
#endif
|
||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1515,6 +1520,10 @@ process_server_config_line(ServerOptions
|
||||
*activep = value;
|
||||
break;
|
||||
|
||||
+ case sKerberosUseKuserok:
|
||||
+ intptr = &options->use_kuserok;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -1815,6 +1824,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(max_authtries);
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
+ M_CP_INTOPT(use_kuserok);
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
|
||||
@@ -2055,6 +2065,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h
|
||||
--- openssh-6.3p1/servconf.h.kuserok 2013-10-11 21:41:42.896087580 +0200
|
||||
+++ openssh-6.3p1/servconf.h 2013-10-11 21:41:42.907087528 +0200
|
||||
@@ -174,6 +174,7 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
+ int use_kuserok;
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5
|
||||
--- openssh-6.3p1/sshd_config.5.kuserok 2013-10-11 21:41:42.898087571 +0200
|
||||
+++ openssh-6.3p1/sshd_config.5 2013-10-11 21:41:42.907087528 +0200
|
||||
@@ -675,6 +675,10 @@ Specifies whether to automatically destr
|
||||
file on logout.
|
||||
The default is
|
||||
.Dq yes .
|
||||
+.It Cm KerberosUseKuserok
|
||||
+Specifies whether to look at .k5login file for user's aliases.
|
||||
+The default is
|
||||
+.Dq yes .
|
||||
.It Cm KexAlgorithms
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
@@ -833,6 +837,7 @@ Available keywords are
|
||||
.Cm HostbasedUsesNameFromPacketOnly ,
|
||||
.Cm KbdInteractiveAuthentication ,
|
||||
.Cm KerberosAuthentication ,
|
||||
+.Cm KerberosUseKuserok ,
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
.Cm PasswordAuthentication ,
|
||||
diff -up openssh-6.3p1/sshd_config.kuserok openssh-6.3p1/sshd_config
|
||||
--- openssh-6.3p1/sshd_config.kuserok 2013-10-11 21:41:42.898087571 +0200
|
||||
+++ openssh-6.3p1/sshd_config 2013-10-11 21:41:42.907087528 +0200
|
||||
@@ -86,6 +86,7 @@ ChallengeResponseAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
+#KerberosUseKuserok yes
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
|
@ -761,7 +761,7 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
|
|||
+
|
||||
--- openssh-6.4p1/ldapconf.c.ldap 2013-11-26 10:31:03.513794385 +0100
|
||||
+++ openssh-6.4p1/ldapconf.c 2013-11-26 10:38:15.474635149 +0100
|
||||
@@ -0,0 +1,720 @@
|
||||
@@ -0,0 +1,722 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
||||
|
@ -1078,6 +1078,7 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
|
|||
+ else
|
||||
+ fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
|
||||
+ if (*intptr == -1)
|
||||
+ *intptr = value;
|
||||
+ break;
|
||||
+
|
||||
+ case lSSLPath:
|
||||
|
@ -1142,6 +1143,7 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
|
|||
+ else
|
||||
+ fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
|
||||
+ if (*intptr == -1)
|
||||
+ *intptr = value;
|
||||
+ break;
|
||||
+
|
||||
+ case lTLS_CaCertFile:
|
||||
|
|
|
@ -2,9 +2,9 @@ diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config
|
|||
--- openssh-6.3p1/ssh_config.redhat 2013-10-11 14:51:18.345876648 +0200
|
||||
+++ openssh-6.3p1/ssh_config 2013-10-11 15:13:05.429829266 +0200
|
||||
@@ -46,3 +46,14 @@
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
# Uncomment this if you want to use .local domain
|
||||
#Host *.local
|
||||
# CheckHostIP no
|
||||
+Host *
|
||||
+ GSSAPIAuthentication yes
|
||||
+# If this option is set to yes then remote X11 clients will have full access
|
||||
|
|
|
@ -0,0 +1,137 @@
|
|||
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
||||
index 0a4930e..a7c0c5f 100644
|
||||
--- a/gss-serv-krb5.c
|
||||
+++ b/gss-serv-krb5.c
|
||||
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
|
||||
FILE *fp;
|
||||
char file[MAXPATHLEN];
|
||||
char line[BUFSIZ];
|
||||
- char kuser[65]; /* match krb5_kuserok() */
|
||||
struct stat st;
|
||||
struct passwd *pw = the_authctxt->pw;
|
||||
int found_principal = 0;
|
||||
@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
|
||||
|
||||
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
|
||||
/* If both .k5login and .k5users DNE, self-login is ok. */
|
||||
- if (!k5login_exists && (access(file, F_OK) == -1)) {
|
||||
+ if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
|
||||
return ssh_krb5_kuserok(krb_context, principal, luser,
|
||||
k5login_exists);
|
||||
}
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index d482e79..ad5869b 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->ip_qos_bulk = -1;
|
||||
options->version_addendum = NULL;
|
||||
options->use_kuserok = -1;
|
||||
+ options->enable_k5users = -1;
|
||||
}
|
||||
|
||||
void
|
||||
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->show_patchlevel = 0;
|
||||
if (options->use_kuserok == -1)
|
||||
options->use_kuserok = 1;
|
||||
+ if (options->enable_k5users == -1)
|
||||
+ options->enable_k5users = 0;
|
||||
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
@@ -356,7 +359,7 @@ typedef enum {
|
||||
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||
sGssKeyEx, sGssStoreRekey,
|
||||
sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
@@ -430,6 +433,7 @@ static struct {
|
||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||
+ { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
|
||||
#else
|
||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -437,6 +441,7 @@ static struct {
|
||||
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "gssapienablek5users", sUnsupported, SSHCFG_ALL },
|
||||
#endif
|
||||
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1536,6 +1541,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
intptr = &options->use_kuserok;
|
||||
goto parse_flag;
|
||||
|
||||
+ case sGssEnablek5users:
|
||||
+ intptr = &options->enable_k5users;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -1824,6 +1833,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
M_CP_INTOPT(use_kuserok);
|
||||
+ M_CP_INTOPT(enable_k5users);
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
|
||||
@@ -2076,6 +2086,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff --git a/servconf.h b/servconf.h
|
||||
index 5117dfa..d63cb71 100644
|
||||
--- a/servconf.h
|
||||
+++ b/servconf.h
|
||||
@@ -173,7 +173,8 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
- int use_kuserok;
|
||||
+ int use_kuserok;
|
||||
+ int enable_k5users;
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index 43671f6..6ab00ed 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
|
||||
GSSAPICleanupCredentials no
|
||||
#GSSAPIStrictAcceptorCheck yes
|
||||
#GSSAPIKeyExchange no
|
||||
+#GSSAPIEnablek5users no
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index e0e5fff..aa9525d 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -505,6 +505,12 @@ on logout.
|
||||
The default is
|
||||
.Dq yes .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
+.It Cm GSSAPIEnablek5users
|
||||
+Specifies whether to look at .k5users file for GSSAPI authentication
|
||||
+access control. Further details are described in
|
||||
+.Xr ksu 1 .
|
||||
+The default is
|
||||
+.Dq no .
|
||||
.It Cm GSSAPIStrictAcceptorCheck
|
||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||
a client authenticates against. If
|
|
@ -0,0 +1,70 @@
|
|||
diff --git a/ChangeLog b/ChangeLog
|
||||
index 55dee98..7bcd596 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,3 +1,10 @@
|
||||
+20140703
|
||||
+ - OpenBSD CVS Sync
|
||||
+ - djm@cvs.openbsd.org 2014/07/03 03:34:09
|
||||
+ [gss-serv.c session.c ssh-keygen.c]
|
||||
+ standardise on NI_MAXHOST for gethostname() string lengths; about
|
||||
+ 1/2 the cases were using it already. Fixes bz#2239 en passant
|
||||
+
|
||||
20140304
|
||||
- OpenBSD CVS Sync
|
||||
- djm@cvs.openbsd.org 2014/03/03 22:22:30
|
||||
diff --git a/gss-serv.c b/gss-serv.c
|
||||
index e533c3a..7e343db 100644
|
||||
--- a/gss-serv.c
|
||||
+++ b/gss-serv.c
|
||||
@@ -83,14 +83,14 @@ static OM_uint32
|
||||
ssh_gssapi_acquire_cred(Gssctxt *ctx)
|
||||
{
|
||||
OM_uint32 status;
|
||||
- char lname[MAXHOSTNAMELEN];
|
||||
+ char lname[NI_MAXHOST];
|
||||
gss_OID_set oidset;
|
||||
|
||||
if (options.gss_strict_acceptor) {
|
||||
gss_create_empty_oid_set(&status, &oidset);
|
||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
||||
|
||||
- if (gethostname(lname, MAXHOSTNAMELEN)) {
|
||||
+ if (gethostname(lname, sizeof(lname))) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (-1);
|
||||
}
|
||||
diff --git a/session.c b/session.c
|
||||
index f5b6848..86da7cf 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -49,6 +49,7 @@
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <grp.h>
|
||||
+#include <netdb.h>
|
||||
#ifdef HAVE_PATHS_H
|
||||
#include <paths.h>
|
||||
#endif
|
||||
@@ -2697,7 +2698,7 @@ session_setup_x11fwd(Session *s)
|
||||
{
|
||||
struct stat st;
|
||||
char display[512], auth_display[512];
|
||||
- char hostname[MAXHOSTNAMELEN];
|
||||
+ char hostname[NI_MAXHOST];
|
||||
u_int i;
|
||||
|
||||
if (no_x11_forwarding_flag) {
|
||||
diff --git a/ssh-keygen.c b/ssh-keygen.c
|
||||
index 2569016..1bddd72 100644
|
||||
--- a/ssh-keygen.c
|
||||
+++ b/ssh-keygen.c
|
||||
@@ -153,7 +153,7 @@ char *pkcs11provider = NULL;
|
||||
/* argv0 */
|
||||
extern char *__progname;
|
||||
|
||||
-char hostname[MAXHOSTNAMELEN];
|
||||
+char hostname[NI_MAXHOST];
|
||||
|
||||
/* moduli.c */
|
||||
int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
|
|
@ -1,7 +1,8 @@
|
|||
diff -up openssh-6.3p1/Makefile.in.audit openssh-6.3p1/Makefile.in
|
||||
--- openssh-6.3p1/Makefile.in.audit 2013-06-11 03:26:10.000000000 +0200
|
||||
+++ openssh-6.3p1/Makefile.in 2013-10-07 15:53:34.246717277 +0200
|
||||
@@ -73,7 +73,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 92c95a9..d2f41bd 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -73,7 +73,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
||||
|
@ -10,10 +11,11 @@ diff -up openssh-6.3p1/Makefile.in.audit openssh-6.3p1/Makefile.in
|
|||
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
||||
diff -up openssh-6.3p1/audit-bsm.c.audit openssh-6.3p1/audit-bsm.c
|
||||
--- openssh-6.3p1/audit-bsm.c.audit 2012-02-24 00:40:43.000000000 +0100
|
||||
+++ openssh-6.3p1/audit-bsm.c 2013-10-07 15:53:34.246717277 +0200
|
||||
@@ -375,10 +375,23 @@ audit_connection_from(const char *host,
|
||||
diff --git a/audit-bsm.c b/audit-bsm.c
|
||||
index 6135591..5160869 100644
|
||||
--- a/audit-bsm.c
|
||||
+++ b/audit-bsm.c
|
||||
@@ -375,10 +375,23 @@ audit_connection_from(const char *host, int port)
|
||||
#endif
|
||||
}
|
||||
|
||||
|
@ -38,7 +40,7 @@ diff -up openssh-6.3p1/audit-bsm.c.audit openssh-6.3p1/audit-bsm.c
|
|||
}
|
||||
|
||||
void
|
||||
@@ -393,6 +406,12 @@ audit_session_close(struct logininfo *li
|
||||
@@ -393,6 +406,12 @@ audit_session_close(struct logininfo *li)
|
||||
/* not implemented */
|
||||
}
|
||||
|
||||
|
@ -92,9 +94,10 @@ diff -up openssh-6.3p1/audit-bsm.c.audit openssh-6.3p1/audit-bsm.c
|
|||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-6.3p1/audit-linux.c.audit openssh-6.3p1/audit-linux.c
|
||||
--- openssh-6.3p1/audit-linux.c.audit 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-6.3p1/audit-linux.c 2013-10-07 15:53:34.246717277 +0200
|
||||
diff --git a/audit-linux.c b/audit-linux.c
|
||||
index b3ee2f4..946f7fa 100644
|
||||
--- a/audit-linux.c
|
||||
+++ b/audit-linux.c
|
||||
@@ -35,13 +35,24 @@
|
||||
|
||||
#include "log.h"
|
||||
|
@ -107,7 +110,7 @@ diff -up openssh-6.3p1/audit-linux.c.audit openssh-6.3p1/audit-linux.c
|
|||
+#include "packet.h"
|
||||
+#include "cipher.h"
|
||||
|
||||
+#define AUDIT_LOG_SIZE 128
|
||||
+#define AUDIT_LOG_SIZE 256
|
||||
+
|
||||
+extern ServerOptions options;
|
||||
+extern Authctxt *the_authctxt;
|
||||
|
@ -123,7 +126,7 @@ diff -up openssh-6.3p1/audit-linux.c.audit openssh-6.3p1/audit-linux.c
|
|||
{
|
||||
int audit_fd, rc, saved_errno;
|
||||
|
||||
@@ -49,11 +60,11 @@ linux_audit_record_event(int uid, const
|
||||
@@ -49,11 +60,11 @@ linux_audit_record_event(int uid, const char *username,
|
||||
if (audit_fd < 0) {
|
||||
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||||
errno == EAFNOSUPPORT)
|
||||
|
@ -138,7 +141,7 @@ diff -up openssh-6.3p1/audit-linux.c.audit openssh-6.3p1/audit-linux.c
|
|||
NULL, "login", username ? username : "(unknown)",
|
||||
username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
||||
saved_errno = errno;
|
||||
@@ -65,35 +76,150 @@ linux_audit_record_event(int uid, const
|
||||
@@ -65,35 +76,150 @@ linux_audit_record_event(int uid, const char *username,
|
||||
if ((rc == -EPERM) && (geteuid() != 0))
|
||||
rc = 0;
|
||||
errno = saved_errno;
|
||||
|
@ -481,9 +484,10 @@ diff -up openssh-6.3p1/audit-linux.c.audit openssh-6.3p1/audit-linux.c
|
|||
+ error("cannot write into audit");
|
||||
+}
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-6.3p1/audit.c.audit openssh-6.3p1/audit.c
|
||||
--- openssh-6.3p1/audit.c.audit 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-6.3p1/audit.c 2013-10-07 15:53:34.246717277 +0200
|
||||
diff --git a/audit.c b/audit.c
|
||||
index ced57fa..13c6849 100644
|
||||
--- a/audit.c
|
||||
+++ b/audit.c
|
||||
@@ -28,6 +28,7 @@
|
||||
|
||||
#include <stdarg.h>
|
||||
|
@ -502,7 +506,23 @@ diff -up openssh-6.3p1/audit.c.audit openssh-6.3p1/audit.c
|
|||
|
||||
/*
|
||||
* Care must be taken when using this since it WILL NOT be initialized when
|
||||
@@ -111,6 +115,40 @@ audit_event_lookup(ssh_audit_event_t ev)
|
||||
@@ -71,13 +75,10 @@ audit_classify_auth(const char *method)
|
||||
const char *
|
||||
audit_username(void)
|
||||
{
|
||||
- static const char unknownuser[] = "(unknown user)";
|
||||
- static const char invaliduser[] = "(invalid user)";
|
||||
+ static const char unknownuser[] = "(unknown)";
|
||||
|
||||
- if (the_authctxt == NULL || the_authctxt->user == NULL)
|
||||
+ if (the_authctxt == NULL || the_authctxt->user == NULL || !the_authctxt->valid)
|
||||
return (unknownuser);
|
||||
- if (!the_authctxt->valid)
|
||||
- return (invaliduser);
|
||||
return (the_authctxt->user);
|
||||
}
|
||||
|
||||
@@ -111,6 +112,40 @@ audit_event_lookup(ssh_audit_event_t ev)
|
||||
return(event_lookup[i].name);
|
||||
}
|
||||
|
||||
|
@ -543,7 +563,7 @@ diff -up openssh-6.3p1/audit.c.audit openssh-6.3p1/audit.c
|
|||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||
/*
|
||||
* Null implementations of audit functions.
|
||||
@@ -140,6 +178,17 @@ audit_event(ssh_audit_event_t event)
|
||||
@@ -140,6 +175,17 @@ audit_event(ssh_audit_event_t event)
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -561,7 +581,7 @@ diff -up openssh-6.3p1/audit.c.audit openssh-6.3p1/audit.c
|
|||
* Called when a user session is started. Argument is the tty allocated to
|
||||
* the session, or NULL if no tty was allocated.
|
||||
*
|
||||
@@ -174,13 +223,91 @@ audit_session_close(struct logininfo *li
|
||||
@@ -174,13 +220,91 @@ audit_session_close(struct logininfo *li)
|
||||
/*
|
||||
* This will be called when a user runs a non-interactive command. Note that
|
||||
* it may be called multiple times for a single connection since SSH2 allows
|
||||
|
@ -655,9 +675,10 @@ diff -up openssh-6.3p1/audit.c.audit openssh-6.3p1/audit.c
|
|||
}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-6.3p1/audit.h.audit openssh-6.3p1/audit.h
|
||||
--- openssh-6.3p1/audit.h.audit 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-6.3p1/audit.h 2013-10-07 15:53:34.246717277 +0200
|
||||
diff --git a/audit.h b/audit.h
|
||||
index 92ede5b..a2dc3ff 100644
|
||||
--- a/audit.h
|
||||
+++ b/audit.h
|
||||
@@ -28,6 +28,7 @@
|
||||
# define _SSH_AUDIT_H
|
||||
|
||||
|
@ -693,9 +714,11 @@ diff -up openssh-6.3p1/audit.h.audit openssh-6.3p1/audit.h
|
|||
+void audit_generate_ephemeral_server_key(const char *);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-6.3p1/auditstub.c.audit openssh-6.3p1/auditstub.c
|
||||
--- openssh-6.3p1/auditstub.c.audit 2013-10-07 15:53:34.247717272 +0200
|
||||
+++ openssh-6.3p1/auditstub.c 2013-10-07 15:53:34.247717272 +0200
|
||||
diff --git a/auditstub.c b/auditstub.c
|
||||
new file mode 100644
|
||||
index 0000000..45817e0
|
||||
--- /dev/null
|
||||
+++ b/auditstub.c
|
||||
@@ -0,0 +1,50 @@
|
||||
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
||||
+
|
||||
|
@ -747,10 +770,11 @@ diff -up openssh-6.3p1/auditstub.c.audit openssh-6.3p1/auditstub.c
|
|||
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||
+{
|
||||
+}
|
||||
diff -up openssh-6.3p1/auth-rsa.c.audit openssh-6.3p1/auth-rsa.c
|
||||
--- openssh-6.3p1/auth-rsa.c.audit 2013-07-18 08:12:44.000000000 +0200
|
||||
+++ openssh-6.3p1/auth-rsa.c 2013-10-07 15:53:34.247717272 +0200
|
||||
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||
diff --git a/auth-rsa.c b/auth-rsa.c
|
||||
index 545aa49..dee0864 100644
|
||||
--- a/auth-rsa.c
|
||||
+++ b/auth-rsa.c
|
||||
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
|
||||
{
|
||||
u_char buf[32], mdbuf[16];
|
||||
MD5_CTX md;
|
||||
|
@ -762,7 +786,7 @@ diff -up openssh-6.3p1/auth-rsa.c.audit openssh-6.3p1/auth-rsa.c
|
|||
|
||||
/* don't allow short keys */
|
||||
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
|
||||
@@ -113,12 +116,18 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||
@@ -113,12 +116,18 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
|
||||
MD5_Final(mdbuf, &md);
|
||||
|
||||
/* Verify that the response is the original challenge. */
|
||||
|
@ -786,10 +810,25 @@ diff -up openssh-6.3p1/auth-rsa.c.audit openssh-6.3p1/auth-rsa.c
|
|||
}
|
||||
|
||||
/*
|
||||
diff -up openssh-6.3p1/auth.h.audit openssh-6.3p1/auth.h
|
||||
--- openssh-6.3p1/auth.h.audit 2013-07-20 05:21:53.000000000 +0200
|
||||
+++ openssh-6.3p1/auth.h 2013-10-07 16:02:38.629171107 +0200
|
||||
@@ -187,6 +187,7 @@ void abandon_challenge_response(Authctxt
|
||||
diff --git a/auth.c b/auth.c
|
||||
index 420a85b..d613f8c 100644
|
||||
--- a/auth.c
|
||||
+++ b/auth.c
|
||||
@@ -628,9 +628,6 @@ getpwnamallow(const char *user)
|
||||
record_failed_login(user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
#endif
|
||||
-#ifdef SSH_AUDIT_EVENTS
|
||||
- audit_event(SSH_INVALID_USER);
|
||||
-#endif /* SSH_AUDIT_EVENTS */
|
||||
return (NULL);
|
||||
}
|
||||
if (!allowed_user(pw))
|
||||
diff --git a/auth.h b/auth.h
|
||||
index 80f0898..157c738 100644
|
||||
--- a/auth.h
|
||||
+++ b/auth.h
|
||||
@@ -187,6 +187,7 @@ void abandon_challenge_response(Authctxt *);
|
||||
|
||||
char *expand_authorized_keys(const char *, struct passwd *pw);
|
||||
char *authorized_principals_file(struct passwd *);
|
||||
|
@ -805,9 +844,10 @@ diff -up openssh-6.3p1/auth.h.audit openssh-6.3p1/auth.h
|
|||
|
||||
/* debug messages during authentication */
|
||||
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
|
||||
diff -up openssh-6.3p1/auth2-hostbased.c.audit openssh-6.3p1/auth2-hostbased.c
|
||||
--- openssh-6.3p1/auth2-hostbased.c.audit 2013-10-07 15:53:34.223717384 +0200
|
||||
+++ openssh-6.3p1/auth2-hostbased.c 2013-10-07 15:53:34.247717272 +0200
|
||||
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
|
||||
index 572b12d..615e4bd 100644
|
||||
--- a/auth2-hostbased.c
|
||||
+++ b/auth2-hostbased.c
|
||||
@@ -123,7 +123,7 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
/* test for allowed key and correct signature */
|
||||
authenticated = 0;
|
||||
|
@ -836,9 +876,10 @@ diff -up openssh-6.3p1/auth2-hostbased.c.audit openssh-6.3p1/auth2-hostbased.c
|
|||
/* return 1 if given hostkey is allowed */
|
||||
int
|
||||
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
||||
diff -up openssh-6.3p1/auth2-pubkey.c.audit openssh-6.3p1/auth2-pubkey.c
|
||||
--- openssh-6.3p1/auth2-pubkey.c.audit 2013-10-07 15:53:34.224717379 +0200
|
||||
+++ openssh-6.3p1/auth2-pubkey.c 2013-10-08 15:11:42.282436972 +0200
|
||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||
index 2dfba9e..c3771a3 100644
|
||||
--- a/auth2-pubkey.c
|
||||
+++ b/auth2-pubkey.c
|
||||
@@ -152,7 +152,7 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
|
@ -848,7 +889,7 @@ diff -up openssh-6.3p1/auth2-pubkey.c.audit openssh-6.3p1/auth2-pubkey.c
|
|||
buffer_len(&b))) == 1)
|
||||
authenticated = 1;
|
||||
buffer_free(&b);
|
||||
@@ -223,6 +223,18 @@ pubkey_auth_info(Authctxt *authctxt, con
|
||||
@@ -223,6 +223,18 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
|
||||
free(extra);
|
||||
}
|
||||
|
||||
|
@ -867,10 +908,11 @@ diff -up openssh-6.3p1/auth2-pubkey.c.audit openssh-6.3p1/auth2-pubkey.c
|
|||
static int
|
||||
match_principals_option(const char *principal_list, struct KeyCert *cert)
|
||||
{
|
||||
diff -up openssh-6.3p1/auth2.c.audit openssh-6.3p1/auth2.c
|
||||
--- openssh-6.3p1/auth2.c.audit 2013-06-01 23:41:51.000000000 +0200
|
||||
+++ openssh-6.3p1/auth2.c 2013-10-07 15:53:34.248717268 +0200
|
||||
@@ -245,9 +245,6 @@ input_userauth_request(int type, u_int32
|
||||
diff --git a/auth2.c b/auth2.c
|
||||
index f0cab8c..64c03a8 100644
|
||||
--- a/auth2.c
|
||||
+++ b/auth2.c
|
||||
@@ -245,9 +245,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||
} else {
|
||||
logit("input_userauth_request: invalid user %s", user);
|
||||
authctxt->pw = fakepw();
|
||||
|
@ -880,10 +922,11 @@ diff -up openssh-6.3p1/auth2.c.audit openssh-6.3p1/auth2.c
|
|||
}
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
diff -up openssh-6.3p1/cipher.c.audit openssh-6.3p1/cipher.c
|
||||
--- openssh-6.3p1/cipher.c.audit 2013-10-07 15:53:34.248717268 +0200
|
||||
+++ openssh-6.3p1/cipher.c 2013-10-07 16:06:51.117971891 +0200
|
||||
@@ -55,18 +55,6 @@ extern const EVP_CIPHER *evp_ssh1_bf(voi
|
||||
diff --git a/cipher.c b/cipher.c
|
||||
index a2cbe2b..02dceec 100644
|
||||
--- a/cipher.c
|
||||
+++ b/cipher.c
|
||||
@@ -55,18 +55,6 @@ extern const EVP_CIPHER *evp_ssh1_bf(void);
|
||||
extern const EVP_CIPHER *evp_ssh1_3des(void);
|
||||
extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
|
||||
|
||||
|
@ -902,9 +945,10 @@ diff -up openssh-6.3p1/cipher.c.audit openssh-6.3p1/cipher.c
|
|||
static const struct Cipher ciphers[] = {
|
||||
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
|
||||
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
|
||||
diff -up openssh-6.3p1/cipher.h.audit openssh-6.3p1/cipher.h
|
||||
--- openssh-6.3p1/cipher.h.audit 2013-04-23 11:24:32.000000000 +0200
|
||||
+++ openssh-6.3p1/cipher.h 2013-10-07 15:53:34.248717268 +0200
|
||||
diff --git a/cipher.h b/cipher.h
|
||||
index b878d50..d4e801b 100644
|
||||
--- a/cipher.h
|
||||
+++ b/cipher.h
|
||||
@@ -61,7 +61,18 @@
|
||||
typedef struct Cipher Cipher;
|
||||
typedef struct CipherContext CipherContext;
|
||||
|
@ -925,9 +969,10 @@ diff -up openssh-6.3p1/cipher.h.audit openssh-6.3p1/cipher.h
|
|||
struct CipherContext {
|
||||
int plaintext;
|
||||
int encrypt;
|
||||
diff -up openssh-6.3p1/kex.c.audit openssh-6.3p1/kex.c
|
||||
--- openssh-6.3p1/kex.c.audit 2013-06-01 23:31:18.000000000 +0200
|
||||
+++ openssh-6.3p1/kex.c 2013-10-07 15:53:34.249717264 +0200
|
||||
diff --git a/kex.c b/kex.c
|
||||
index 54bd1a4..1c617b9 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -49,6 +49,7 @@
|
||||
#include "dispatch.h"
|
||||
#include "monitor.h"
|
||||
|
@ -990,7 +1035,7 @@ diff -up openssh-6.3p1/kex.c.audit openssh-6.3p1/kex.c
|
|||
}
|
||||
choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
|
||||
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||
@@ -656,3 +672,34 @@ dump_digest(char *msg, u_char *digest, i
|
||||
@@ -656,3 +672,34 @@ dump_digest(char *msg, u_char *digest, int len)
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
#endif
|
||||
|
@ -1025,9 +1070,10 @@ diff -up openssh-6.3p1/kex.c.audit openssh-6.3p1/kex.c
|
|||
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
|
||||
+}
|
||||
+
|
||||
diff -up openssh-6.3p1/kex.h.audit openssh-6.3p1/kex.h
|
||||
--- openssh-6.3p1/kex.h.audit 2013-07-20 05:21:53.000000000 +0200
|
||||
+++ openssh-6.3p1/kex.h 2013-10-07 15:53:34.249717264 +0200
|
||||
diff --git a/kex.h b/kex.h
|
||||
index 9f1e1ad..7d81793 100644
|
||||
--- a/kex.h
|
||||
+++ b/kex.h
|
||||
@@ -162,6 +162,8 @@ void kexgex_server(Kex *);
|
||||
void kexecdh_client(Kex *);
|
||||
void kexecdh_server(Kex *);
|
||||
|
@ -1037,9 +1083,10 @@ diff -up openssh-6.3p1/kex.h.audit openssh-6.3p1/kex.h
|
|||
void
|
||||
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
|
||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
diff -up openssh-6.3p1/key.c.audit openssh-6.3p1/key.c
|
||||
--- openssh-6.3p1/key.c.audit 2013-10-07 15:53:34.224717379 +0200
|
||||
+++ openssh-6.3p1/key.c 2013-10-07 15:53:34.249717264 +0200
|
||||
diff --git a/key.c b/key.c
|
||||
index 4b10ef4..8c0a47d 100644
|
||||
--- a/key.c
|
||||
+++ b/key.c
|
||||
@@ -1773,6 +1773,30 @@ key_demote(const Key *k)
|
||||
}
|
||||
|
||||
|
@ -1071,9 +1118,10 @@ diff -up openssh-6.3p1/key.c.audit openssh-6.3p1/key.c
|
|||
key_is_cert(const Key *k)
|
||||
{
|
||||
if (k == NULL)
|
||||
diff -up openssh-6.3p1/key.h.audit openssh-6.3p1/key.h
|
||||
--- openssh-6.3p1/key.h.audit 2013-10-07 15:53:34.224717379 +0200
|
||||
+++ openssh-6.3p1/key.h 2013-10-07 15:53:34.249717264 +0200
|
||||
diff --git a/key.h b/key.h
|
||||
index 9d0e7a8..7a5b8f5 100644
|
||||
--- a/key.h
|
||||
+++ b/key.h
|
||||
@@ -110,6 +110,7 @@ Key *key_generate(int, u_int);
|
||||
Key *key_from_private(const Key *);
|
||||
int key_type_from_name(char *);
|
||||
|
@ -1082,9 +1130,10 @@ diff -up openssh-6.3p1/key.h.audit openssh-6.3p1/key.h
|
|||
int key_type_plain(int);
|
||||
int key_to_certified(Key *, int);
|
||||
int key_drop_cert(Key *);
|
||||
diff -up openssh-6.3p1/mac.c.audit openssh-6.3p1/mac.c
|
||||
--- openssh-6.3p1/mac.c.audit 2013-06-06 00:12:37.000000000 +0200
|
||||
+++ openssh-6.3p1/mac.c 2013-10-07 15:53:34.250717259 +0200
|
||||
diff --git a/mac.c b/mac.c
|
||||
index c4dfb50..cb53860 100644
|
||||
--- a/mac.c
|
||||
+++ b/mac.c
|
||||
@@ -224,6 +224,20 @@ mac_clear(Mac *mac)
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
|
@ -1106,17 +1155,19 @@ diff -up openssh-6.3p1/mac.c.audit openssh-6.3p1/mac.c
|
|||
/* XXX copied from ciphers_valid */
|
||||
#define MAC_SEP ","
|
||||
int
|
||||
diff -up openssh-6.3p1/mac.h.audit openssh-6.3p1/mac.h
|
||||
--- openssh-6.3p1/mac.h.audit 2013-04-23 11:24:32.000000000 +0200
|
||||
+++ openssh-6.3p1/mac.h 2013-10-07 15:53:34.250717259 +0200
|
||||
diff --git a/mac.h b/mac.h
|
||||
index 260798a..f51508e 100644
|
||||
--- a/mac.h
|
||||
+++ b/mac.h
|
||||
@@ -29,3 +29,4 @@ int mac_setup(Mac *, char *);
|
||||
int mac_init(Mac *);
|
||||
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
||||
void mac_clear(Mac *);
|
||||
+void mac_destroy(Mac *);
|
||||
diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
|
||||
--- openssh-6.3p1/monitor.c.audit 2013-10-07 15:53:34.217717411 +0200
|
||||
+++ openssh-6.3p1/monitor.c 2013-10-08 15:10:38.270726936 +0200
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index b5414ba..e28690e 100644
|
||||
--- a/monitor.c
|
||||
+++ b/monitor.c
|
||||
@@ -98,6 +98,7 @@
|
||||
#include "jpake.h"
|
||||
#include "roaming.h"
|
||||
|
@ -1134,7 +1185,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
|
|||
/* State exported from the child */
|
||||
|
||||
struct {
|
||||
@@ -186,6 +189,11 @@ int mm_answer_gss_checkmic(int, Buffer *
|
||||
@@ -186,6 +189,11 @@ int mm_answer_gss_checkmic(int, Buffer *);
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
int mm_answer_audit_event(int, Buffer *);
|
||||
int mm_answer_audit_command(int, Buffer *);
|
||||
|
@ -1146,7 +1197,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
|
|||
#endif
|
||||
|
||||
static int monitor_read_log(struct monitor *);
|
||||
@@ -237,6 +245,10 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -237,6 +245,10 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
|
@ -1157,7 +1208,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
|
|||
#endif
|
||||
#ifdef BSD_AUTH
|
||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||
@@ -273,6 +285,11 @@ struct mon_table mon_dispatch_postauth20
|
||||
@@ -273,6 +285,11 @@ struct mon_table mon_dispatch_postauth20[] = {
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||
|
@ -1169,7 +1220,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
|
|||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -304,6 +321,10 @@ struct mon_table mon_dispatch_proto15[]
|
||||
@@ -304,6 +321,10 @@ struct mon_table mon_dispatch_proto15[] = {
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
|
@ -1180,7 +1231,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
|
|||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -315,6 +336,11 @@ struct mon_table mon_dispatch_postauth15
|
||||
@@ -315,6 +336,11 @@ struct mon_table mon_dispatch_postauth15[] = {
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
|
||||
|
@ -1254,7 +1305,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
|
|||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||
if (errno != EINTR)
|
||||
exit(1);
|
||||
@@ -1770,11 +1818,43 @@ mm_answer_audit_command(int socket, Buff
|
||||
@@ -1770,11 +1818,43 @@ mm_answer_audit_command(int socket, Buffer *m)
|
||||
{
|
||||
u_int len;
|
||||
char *cmd;
|
||||
|
@ -1299,7 +1350,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
|
|||
free(cmd);
|
||||
return (0);
|
||||
}
|
||||
@@ -1910,11 +1990,13 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
@@ -1910,11 +1990,13 @@ mm_get_keystate(struct monitor *pmonitor)
|
||||
|
||||
blob = buffer_get_string(&m, &bloblen);
|
||||
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
|
||||
|
@ -1313,7 +1364,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
|
|||
free(blob);
|
||||
|
||||
/* Now get sequence numbers for the packets */
|
||||
@@ -1960,6 +2042,21 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
@@ -1960,6 +2042,21 @@ mm_get_keystate(struct monitor *pmonitor)
|
||||
}
|
||||
|
||||
buffer_free(&m);
|
||||
|
@ -1335,7 +1386,7 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
|
|||
}
|
||||
|
||||
|
||||
@@ -2361,3 +2458,86 @@ mm_answer_jpake_check_confirm(int sock,
|
||||
@@ -2361,3 +2458,86 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
|
||||
}
|
||||
|
||||
#endif /* JPAKE */
|
||||
|
@ -1422,9 +1473,10 @@ diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
|
|||
+ return 0;
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-6.3p1/monitor.h.audit openssh-6.3p1/monitor.h
|
||||
--- openssh-6.3p1/monitor.h.audit 2012-12-02 23:53:21.000000000 +0100
|
||||
+++ openssh-6.3p1/monitor.h 2013-10-07 15:53:34.251717254 +0200
|
||||
diff --git a/monitor.h b/monitor.h
|
||||
index 2caa469..1a15066 100644
|
||||
--- a/monitor.h
|
||||
+++ b/monitor.h
|
||||
@@ -68,7 +68,13 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
|
||||
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
|
||||
|
@ -1440,10 +1492,11 @@ diff -up openssh-6.3p1/monitor.h.audit openssh-6.3p1/monitor.h
|
|||
|
||||
};
|
||||
|
||||
diff -up openssh-6.4p1/monitor_wrap.c.audit openssh-6.4p1/monitor_wrap.c
|
||||
--- openssh-6.4p1/monitor_wrap.c.audit 2013-11-08 13:26:47.062595006 +0100
|
||||
+++ openssh-6.4p1/monitor_wrap.c 2013-11-08 13:26:47.089594877 +0100
|
||||
@@ -433,7 +433,7 @@ mm_key_allowed(enum mm_keytype type, cha
|
||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||
index 4940761..75e9cba 100644
|
||||
--- a/monitor_wrap.c
|
||||
+++ b/monitor_wrap.c
|
||||
@@ -433,7 +433,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
|
||||
*/
|
||||
|
||||
int
|
||||
|
@ -1452,7 +1505,7 @@ diff -up openssh-6.4p1/monitor_wrap.c.audit openssh-6.4p1/monitor_wrap.c
|
|||
{
|
||||
Buffer m;
|
||||
u_char *blob;
|
||||
@@ -447,6 +447,7 @@ mm_key_verify(Key *key, u_char *sig, u_i
|
||||
@@ -447,6 +447,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
|
||||
return (0);
|
||||
|
||||
buffer_init(&m);
|
||||
|
@ -1460,7 +1513,7 @@ diff -up openssh-6.4p1/monitor_wrap.c.audit openssh-6.4p1/monitor_wrap.c
|
|||
buffer_put_string(&m, blob, len);
|
||||
buffer_put_string(&m, sig, siglen);
|
||||
buffer_put_string(&m, data, datalen);
|
||||
@@ -464,6 +465,19 @@ mm_key_verify(Key *key, u_char *sig, u_i
|
||||
@@ -464,6 +465,19 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
|
||||
return (verified);
|
||||
}
|
||||
|
||||
|
@ -1480,7 +1533,7 @@ diff -up openssh-6.4p1/monitor_wrap.c.audit openssh-6.4p1/monitor_wrap.c
|
|||
/* Export key state after authentication */
|
||||
Newkeys *
|
||||
mm_newkeys_from_blob(u_char *blob, int blen)
|
||||
@@ -642,12 +656,14 @@ mm_send_keystate(struct monitor *monitor
|
||||
@@ -642,12 +656,14 @@ mm_send_keystate(struct monitor *monitor)
|
||||
fatal("%s: conversion of newkeys failed", __func__);
|
||||
|
||||
buffer_put_string(&m, blob, bloblen);
|
||||
|
@ -1508,7 +1561,7 @@ diff -up openssh-6.4p1/monitor_wrap.c.audit openssh-6.4p1/monitor_wrap.c
|
|||
|
||||
debug3("%s entering command %s", __func__, command);
|
||||
|
||||
@@ -1202,6 +1219,26 @@ mm_audit_run_command(const char *command
|
||||
@@ -1202,6 +1219,26 @@ mm_audit_run_command(const char *command)
|
||||
buffer_put_cstring(&m, command);
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
|
||||
|
@ -1608,10 +1661,11 @@ diff -up openssh-6.4p1/monitor_wrap.c.audit openssh-6.4p1/monitor_wrap.c
|
|||
+ buffer_free(&m);
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-6.3p1/monitor_wrap.h.audit openssh-6.3p1/monitor_wrap.h
|
||||
--- openssh-6.3p1/monitor_wrap.h.audit 2011-06-20 06:42:23.000000000 +0200
|
||||
+++ openssh-6.3p1/monitor_wrap.h 2013-10-07 15:53:34.252717250 +0200
|
||||
@@ -49,7 +49,8 @@ int mm_key_allowed(enum mm_keytype, char
|
||||
diff --git a/monitor_wrap.h b/monitor_wrap.h
|
||||
index 0c7f2e3..f47c7df 100644
|
||||
--- a/monitor_wrap.h
|
||||
+++ b/monitor_wrap.h
|
||||
@@ -49,7 +49,8 @@ int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
|
||||
int mm_user_key_allowed(struct passwd *, Key *);
|
||||
int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
|
||||
int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
|
||||
|
@ -1635,9 +1689,10 @@ diff -up openssh-6.3p1/monitor_wrap.h.audit openssh-6.3p1/monitor_wrap.h
|
|||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-6.3p1/packet.c.audit openssh-6.3p1/packet.c
|
||||
--- openssh-6.3p1/packet.c.audit 2013-10-07 15:53:34.231717347 +0200
|
||||
+++ openssh-6.3p1/packet.c 2013-10-07 16:08:00.764639577 +0200
|
||||
diff --git a/packet.c b/packet.c
|
||||
index 776660e..01eb4d1 100644
|
||||
--- a/packet.c
|
||||
+++ b/packet.c
|
||||
@@ -61,6 +61,7 @@
|
||||
#include <time.h>
|
||||
|
||||
|
@ -1834,18 +1889,20 @@ diff -up openssh-6.3p1/packet.c.audit openssh-6.3p1/packet.c
|
|||
+ backup_state = NULL;
|
||||
}
|
||||
+
|
||||
diff -up openssh-6.3p1/packet.h.audit openssh-6.3p1/packet.h
|
||||
--- openssh-6.3p1/packet.h.audit 2013-07-18 08:12:45.000000000 +0200
|
||||
+++ openssh-6.3p1/packet.h 2013-10-07 15:53:34.252717250 +0200
|
||||
diff --git a/packet.h b/packet.h
|
||||
index f8edf85..c36c812 100644
|
||||
--- a/packet.h
|
||||
+++ b/packet.h
|
||||
@@ -124,4 +124,5 @@ void packet_restore_state(void);
|
||||
void *packet_get_input(void);
|
||||
void *packet_get_output(void);
|
||||
|
||||
+void packet_destroy_all(int, int);
|
||||
#endif /* PACKET_H */
|
||||
diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c
|
||||
--- openssh-6.3p1/session.c.audit 2013-07-20 05:21:53.000000000 +0200
|
||||
+++ openssh-6.3p1/session.c 2013-10-07 16:03:43.975861636 +0200
|
||||
diff --git a/session.c b/session.c
|
||||
index d4b57bd..4279af5 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -137,7 +137,7 @@ extern int log_stderr;
|
||||
extern int debug_flag;
|
||||
extern u_int utmp_len;
|
||||
|
@ -1855,7 +1912,7 @@ diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c
|
|||
extern Buffer loginmsg;
|
||||
|
||||
/* original command from peer. */
|
||||
@@ -745,6 +745,14 @@ do_exec_pty(Session *s, const char *comm
|
||||
@@ -745,6 +745,14 @@ do_exec_pty(Session *s, const char *command)
|
||||
/* Parent. Close the slave side of the pseudo tty. */
|
||||
close(ttyfd);
|
||||
|
||||
|
@ -1892,7 +1949,7 @@ diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c
|
|||
#endif
|
||||
if (s->ttyfd != -1)
|
||||
ret = do_exec_pty(s, command);
|
||||
@@ -1642,7 +1654,10 @@ do_child(Session *s, const char *command
|
||||
@@ -1642,7 +1654,10 @@ do_child(Session *s, const char *command)
|
||||
int r = 0;
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
|
@ -1912,7 +1969,7 @@ diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c
|
|||
sessions[id].next_unused = sessions_first_unused;
|
||||
sessions_first_unused = id;
|
||||
}
|
||||
@@ -1951,6 +1967,19 @@ session_open(Authctxt *authctxt, int cha
|
||||
@@ -1951,6 +1967,19 @@ session_open(Authctxt *authctxt, int chanid)
|
||||
}
|
||||
|
||||
Session *
|
||||
|
@ -1932,7 +1989,7 @@ diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c
|
|||
session_by_tty(char *tty)
|
||||
{
|
||||
int i;
|
||||
@@ -2467,6 +2496,30 @@ session_exit_message(Session *s, int sta
|
||||
@@ -2467,6 +2496,30 @@ session_exit_message(Session *s, int status)
|
||||
chan_write_failed(c);
|
||||
}
|
||||
|
||||
|
@ -1997,9 +2054,10 @@ diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c
|
|||
- session_destroy_all(session_pty_cleanup2);
|
||||
+ session_destroy_all(do_cleanup_one_session);
|
||||
}
|
||||
diff -up openssh-6.3p1/session.h.audit openssh-6.3p1/session.h
|
||||
--- openssh-6.3p1/session.h.audit 2008-05-19 07:34:50.000000000 +0200
|
||||
+++ openssh-6.3p1/session.h 2013-10-07 15:53:34.253717245 +0200
|
||||
diff --git a/session.h b/session.h
|
||||
index cbb8e3a..fc6a7d3 100644
|
||||
--- a/session.h
|
||||
+++ b/session.h
|
||||
@@ -60,6 +60,12 @@ struct Session {
|
||||
char *name;
|
||||
char *val;
|
||||
|
@ -2024,9 +2082,10 @@ diff -up openssh-6.3p1/session.h.audit openssh-6.3p1/session.h
|
|||
Session *session_by_tty(char *);
|
||||
void session_close(Session *);
|
||||
void do_setusercontext(struct passwd *);
|
||||
diff -up openssh-6.3p1/sshd.c.audit openssh-6.3p1/sshd.c
|
||||
--- openssh-6.3p1/sshd.c.audit 2013-10-07 15:53:34.221717393 +0200
|
||||
+++ openssh-6.3p1/sshd.c 2013-10-07 15:53:34.254717240 +0200
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 5b8a432..c792495 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -119,6 +119,7 @@
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
|
@ -2060,7 +2119,7 @@ diff -up openssh-6.3p1/sshd.c.audit openssh-6.3p1/sshd.c
|
|||
static void
|
||||
close_startup_pipes(void)
|
||||
{
|
||||
@@ -550,22 +560,47 @@ sshd_exchange_identification(int sock_in
|
||||
@@ -550,22 +560,47 @@ sshd_exchange_identification(int sock_in, int sock_out)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -2177,7 +2236,7 @@ diff -up openssh-6.3p1/sshd.c.audit openssh-6.3p1/sshd.c
|
|||
monitor_child_postauth(pmonitor);
|
||||
|
||||
/* NEVERREACHED */
|
||||
@@ -1178,6 +1235,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
@@ -1178,6 +1235,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
if (received_sigterm) {
|
||||
logit("Received signal %d; terminating.",
|
||||
(int) received_sigterm);
|
||||
|
|
|
@ -0,0 +1,67 @@
|
|||
diff -up openssh-6.4p1/compat.c.cisco-dh openssh-6.4p1/compat.c
|
||||
--- openssh-6.4p1/compat.c.cisco-dh 2013-06-01 23:31:18.000000000 +0200
|
||||
+++ openssh-6.4p1/compat.c 2014-12-04 13:28:03.717787655 +0100
|
||||
@@ -164,6 +164,7 @@ compat_datafellows(const char *version)
|
||||
SSH_BUG_SCANNER },
|
||||
{ "Probe-*",
|
||||
SSH_BUG_PROBE },
|
||||
+ { "Cisco-*", SSH_BUG_MAX4096DH },
|
||||
{ NULL, 0 }
|
||||
};
|
||||
|
||||
diff -up openssh-6.4p1/compat.h.cisco-dh openssh-6.4p1/compat.h
|
||||
--- openssh-6.4p1/compat.h.cisco-dh 2014-12-04 13:28:03.717787655 +0100
|
||||
+++ openssh-6.4p1/compat.h 2014-12-04 13:28:36.579658095 +0100
|
||||
@@ -59,6 +59,7 @@
|
||||
#define SSH_BUG_RFWD_ADDR 0x02000000
|
||||
#define SSH_NEW_OPENSSH 0x04000000
|
||||
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
|
||||
+#define SSH_BUG_MAX4096DH 0x20000000
|
||||
|
||||
void enable_compat13(void);
|
||||
void enable_compat20(void);
|
||||
diff -up openssh-6.4p1/kexgexc.c.cisco-dh openssh-6.4p1/kexgexc.c
|
||||
--- openssh-6.4p1/kexgexc.c.cisco-dh 2014-12-04 13:28:03.717787655 +0100
|
||||
+++ openssh-6.4p1/kexgexc.c 2014-12-04 13:31:03.270079756 +0100
|
||||
@@ -60,20 +60,36 @@ kexgex_client(Kex *kex)
|
||||
int min, max, nbits;
|
||||
DH *dh;
|
||||
|
||||
+ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
|
||||
+ max = DH_GRP_MAX;
|
||||
+
|
||||
+ /* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
|
||||
+ * We need to also ensure that min < nbits < max */
|
||||
+
|
||||
+ if (datafellows & SSH_BUG_MAX4096DH) {
|
||||
+ /* The largest min for these servers is 4096 */
|
||||
+ min = MIN(min, 4096);
|
||||
+ }
|
||||
+
|
||||
nbits = dh_estimate(kex->we_need * 8);
|
||||
+ nbits = MIN(nbits, max);
|
||||
+ nbits = MAX(nbits, min);
|
||||
+
|
||||
+ if (datafellows & SSH_BUG_MAX4096DH) {
|
||||
+ /* Cannot have a nbits > 4096 for these servers */
|
||||
+ nbits = MIN(nbits, 4096);
|
||||
+ /* nbits has to be powers of two */
|
||||
+ if (nbits == 3072)
|
||||
+ nbits = 4096;
|
||||
+ }
|
||||
|
||||
if (datafellows & SSH_OLD_DHGEX) {
|
||||
/* Old GEX request */
|
||||
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
|
||||
packet_put_int(nbits);
|
||||
- min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
|
||||
- max = DH_GRP_MAX;
|
||||
-
|
||||
debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
|
||||
} else {
|
||||
/* New GEX request */
|
||||
- min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
|
||||
- max = DH_GRP_MAX;
|
||||
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
|
||||
packet_put_int(min);
|
||||
packet_put_int(nbits);
|
|
@ -0,0 +1,28 @@
|
|||
diff --git a/ChangeLog b/ChangeLog
|
||||
index 7bcd596..3a0d993 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,3 +1,9 @@
|
||||
+20140823
|
||||
+ - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
|
||||
+ lastlog writing on platforms with high UIDs; bz#2263
|
||||
+ - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
|
||||
+ monitor, not preauth; bz#2263
|
||||
+
|
||||
20140703
|
||||
- OpenBSD CVS Sync
|
||||
- djm@cvs.openbsd.org 2014/07/03 03:34:09
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index 453bea3..9dadb4d 100644
|
||||
--- a/monitor.c
|
||||
+++ b/monitor.c
|
||||
@@ -524,6 +524,9 @@ monitor_child_postauth(struct monitor *pmonitor)
|
||||
signal(SIGHUP, &monitor_child_handler);
|
||||
signal(SIGTERM, &monitor_child_handler);
|
||||
signal(SIGINT, &monitor_child_handler);
|
||||
+#ifdef SIGXFSZ
|
||||
+ signal(SIGXFSZ, SIG_IGN);
|
||||
+#endif
|
||||
|
||||
if (compat20) {
|
||||
mon_dispatch = mon_dispatch_postauth20;
|
|
@ -0,0 +1,24 @@
|
|||
diff --git a/misc.c b/misc.c
|
||||
index 2f11de4..36402d1 100644
|
||||
--- a/misc.c
|
||||
+++ b/misc.c
|
||||
@@ -396,7 +396,7 @@ hpdelim(char **cp)
|
||||
return NULL;
|
||||
else
|
||||
s++;
|
||||
- } else if ((s = strpbrk(s, ":/")) == NULL)
|
||||
+ } else if ((s = strpbrk(s, ":")) == NULL)
|
||||
s = *cp + strlen(*cp); /* skip to end (see first case below) */
|
||||
|
||||
switch (*s) {
|
||||
@@ -405,7 +405,6 @@ hpdelim(char **cp)
|
||||
break;
|
||||
|
||||
case ':':
|
||||
- case '/':
|
||||
*s = '\0'; /* terminate */
|
||||
*cp = s + 1;
|
||||
break;
|
||||
--
|
||||
2.1.0
|
||||
|
|
@ -0,0 +1,291 @@
|
|||
diff --git a/auth-krb5.c b/auth-krb5.c
|
||||
index 7c83f59..966b4cb 100644
|
||||
--- a/auth-krb5.c
|
||||
+++ b/auth-krb5.c
|
||||
@@ -54,6 +54,21 @@
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
+int
|
||||
+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client,
|
||||
+ int k5login_exists)
|
||||
+{
|
||||
+ if (options.use_kuserok || !k5login_exists)
|
||||
+ return krb5_kuserok(krb5_ctx, krb5_user, client);
|
||||
+ else {
|
||||
+ char kuser[65];
|
||||
+
|
||||
+ if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
|
||||
+ return 0;
|
||||
+ return strcmp(kuser, client) == 0;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static int
|
||||
krb5_init(void *context)
|
||||
{
|
||||
@@ -157,7 +172,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
|
||||
+ /* Use !options.use_kuserok here to make ssh_krb5_kuserok() not
|
||||
+ * depend on the existance of .k5login */
|
||||
+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client, !options.use_kuserok)) {
|
||||
problem = -1;
|
||||
goto out;
|
||||
}
|
||||
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
||||
index b4d479e..a9326a7 100644
|
||||
--- a/gss-serv-krb5.c
|
||||
+++ b/gss-serv-krb5.c
|
||||
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
|
||||
int);
|
||||
|
||||
static krb5_context krb_context = NULL;
|
||||
+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *, int);
|
||||
|
||||
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
|
||||
|
||||
@@ -92,6 +93,103 @@ ssh_gssapi_krb5_init(void)
|
||||
* Returns true if the user is OK to log in, otherwise returns 0
|
||||
*/
|
||||
|
||||
+/* The purpose of the function is to find out if a Kerberos principal is
|
||||
+ * allowed to log in as the given local user. This is a general problem with
|
||||
+ * Kerberized services because by design the Kerberos principals are
|
||||
+ * completely independent from the local user names. This is one of the
|
||||
+ * reasons why Kerberos is working well on different operating systems like
|
||||
+ * Windows and UNIX/Linux. Nevertheless a relationship between a Kerberos
|
||||
+ * principal and a local user name must be established because otherwise every
|
||||
+ * access would be granted for every principal with a valid ticket.
|
||||
+ *
|
||||
+ * Since it is a general issue libkrb5 provides some functions for
|
||||
+ * applications to find out about the relationship between the Kerberos
|
||||
+ * principal and a local user name. They are krb5_kuserok() and
|
||||
+ * krb5_aname_to_localname().
|
||||
+ *
|
||||
+ * krb5_kuserok() can be used to "Determine if a principal is authorized to
|
||||
+ * log in as a local user" (from the MIT Kerberos documentation of this
|
||||
+ * function). Which is exactly what we are looking for and should be the
|
||||
+ * preferred choice. It accepts the Kerberos principal and a local user name
|
||||
+ * and let libkrb5 or its plugins determine if they relate to each other or
|
||||
+ * not.
|
||||
+ *
|
||||
+ * krb5_aname_to_localname() can use used to "Convert a principal name to a
|
||||
+ * local name" (from the MIT Kerberos documentation of this function). It
|
||||
+ * accepts a Kerberos principle and returns a local name and it is up to the
|
||||
+ * application to do any additional checks. There are two issues using
|
||||
+ * krb5_aname_to_localname(). First, since POSIX user names are case
|
||||
+ * sensitive, the calling application in general has no other choice than
|
||||
+ * doing a case-sensitive string comparison between the name returned by
|
||||
+ * krb5_aname_to_localname() and the name used at the login prompt. When the
|
||||
+ * users are provided by a case in-sensitive server, e.g. Active Directory,
|
||||
+ * this might lead to login failures because the user typing the name at the
|
||||
+ * login prompt might not be aware of the right case. Another issue might be
|
||||
+ * caused if there are multiple alias names available for a single user. E.g.
|
||||
+ * the canonical name of a user is user@group.department.example.com but there
|
||||
+ * exists a shorter login name, e.g. user@example.com, to safe typing at the
|
||||
+ * login prompt. Here krb5_aname_to_localname() can only return the canonical
|
||||
+ * name, but if the short alias is used at the login prompt authentication
|
||||
+ * will fail as well. All this can be avoided by using krb5_kuserok() and
|
||||
+ * configuring krb5.conf or using a suitable plugin to meet the needs of the
|
||||
+ * given environment.
|
||||
+ *
|
||||
+ * The Fedora and RHEL version of openssh contain two patches which modify the
|
||||
+ * access control behavior:
|
||||
+ * - openssh-6.6p1-kuserok.patch
|
||||
+ * - openssh-6.6p1-force_krb.patch
|
||||
+ *
|
||||
+ * openssh-6.6p1-kuserok.patch adds a new option KerberosUseKuserok for
|
||||
+ * sshd_config which controls if krb5_kuserok() is used to check if the
|
||||
+ * principle is authorized or if krb5_aname_to_localname() should be used.
|
||||
+ * The reason to add this patch was that krb5_kuserok() by default checks if
|
||||
+ * a .k5login file exits in the users home-directory. With this the user can
|
||||
+ * give access to his account for any given principal which might be
|
||||
+ * in violation with company policies and it would be useful if this can be
|
||||
+ * rejected. Nevertheless the patch ignores the fact that krb5_kuserok() does
|
||||
+ * no only check .k5login but other sources as well and checking .k5login can
|
||||
+ * be disabled for all applications in krb5.conf as well. With this new
|
||||
+ * option KerberosUseKuserok set to 'no' (and this is the default for RHEL7
|
||||
+ * and Fedora 21) openssh can only use krb5_aname_to_localname() with the
|
||||
+ * restrictions mentioned above.
|
||||
+ *
|
||||
+ * openssh-6.6p1-force_krb.patch adds a ksu like behaviour to ssh, i.e. when
|
||||
+ * using GSSAPI authentication only commands configured in the .k5user can be
|
||||
+ * executed. Here the wrong assumption that krb5_kuserok() only checks
|
||||
+ * .k5login is made as well. In contrast ksu checks .k5login directly and
|
||||
+ * does not use krb5_kuserok() which might be more useful for the given
|
||||
+ * purpose. Additionally this patch is not synced with
|
||||
+ * openssh-6.6p1-kuserok.patch.
|
||||
+ *
|
||||
+ * The current patch tries to restore the usage of krb5_kuserok() so that e.g.
|
||||
+ * localauth plugins can be used. It does so by adding a forth parameter to
|
||||
+ * ssh_krb5_kuserok() which indicates whether .k5login exists or not. If it
|
||||
+ * does not exists krb5_kuserok() is called even if KerberosUseKuserok is set
|
||||
+ * to 'no' because the intent of the option is to not check .k5login and if it
|
||||
+ * does not exists krb5_kuserok() returns a result without checking .k5login.
|
||||
+ * If .k5login does exists and KerberosUseKuserok is 'no' we fall back to
|
||||
+ * krb5_aname_to_localname(). This is in my point of view an acceptable
|
||||
+ * limitation and does not break the current behaviour.
|
||||
+ *
|
||||
+ * Additionally with this patch ssh_krb5_kuserok() is called in
|
||||
+ * ssh_gssapi_krb5_cmdok() instead of only krb5_aname_to_localname() is
|
||||
+ * neither .k5login nor .k5users exists to allow plugin evaluation via
|
||||
+ * krb5_kuserok() as well.
|
||||
+ *
|
||||
+ * I tried to keep the patch as minimal as possible, nevertheless I see some
|
||||
+ * areas for improvement which, if they make sense, have to be evaluated
|
||||
+ * carefully because they might change existing behaviour and cause breaks
|
||||
+ * during upgrade:
|
||||
+ * - I wonder if disabling .k5login usage make sense in sshd or if it should
|
||||
+ * be better disabled globally in krb5.conf
|
||||
+ * - if really needed openssh-6.6p1-kuserok.patch should be fixed to really
|
||||
+ * only disable checking .k5login and maybe .k5users
|
||||
+ * - the ksu behaviour should be configurable and maybe check the .k5login and
|
||||
+ * .k5users files directly like ksu itself does
|
||||
+ * - to make krb5_aname_to_localname() more useful an option for sshd to use
|
||||
+ * the canonical name (the one returned by getpwnam()) instead of the name
|
||||
+ * given at the login prompt might be useful */
|
||||
+
|
||||
static int
|
||||
ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
{
|
||||
@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
/* NOTE: .k5login and .k5users must opened as root, not the user,
|
||||
* because if they are on a krb5-protected filesystem, user credentials
|
||||
* to access these files aren't available yet. */
|
||||
- if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
|
||||
+ if (ssh_krb5_kuserok(krb_context, princ, name, k5login_exists)
|
||||
+ && k5login_exists) {
|
||||
retval = 1;
|
||||
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
||||
name, (char *)client->displayname.value);
|
||||
@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
|
||||
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
|
||||
/* If both .k5login and .k5users DNE, self-login is ok. */
|
||||
if (!k5login_exists && (access(file, F_OK) == -1)) {
|
||||
- return (krb5_aname_to_localname(krb_context, principal,
|
||||
- sizeof(kuser), kuser) == 0) &&
|
||||
- (strcmp(kuser, luser) == 0);
|
||||
+ return ssh_krb5_kuserok(krb_context, principal, luser,
|
||||
+ k5login_exists);
|
||||
}
|
||||
if ((fp = fopen(file, "r")) == NULL) {
|
||||
int saved_errno = errno;
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 277b2bd..1e88905 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->ip_qos_interactive = -1;
|
||||
options->ip_qos_bulk = -1;
|
||||
options->version_addendum = NULL;
|
||||
+ options->use_kuserok = -1;
|
||||
}
|
||||
|
||||
void
|
||||
@@ -310,6 +311,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->version_addendum = xstrdup("");
|
||||
if (options->show_patchlevel == -1)
|
||||
options->show_patchlevel = 0;
|
||||
+ if (options->use_kuserok == -1)
|
||||
+ options->use_kuserok = 1;
|
||||
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
@@ -336,7 +339,7 @@ typedef enum {
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
- sKerberosGetAFSToken,
|
||||
+ sKerberosGetAFSToken, sKerberosUseKuserok,
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
@@ -409,11 +412,13 @@ static struct {
|
||||
#else
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
|
||||
#else
|
||||
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
|
||||
#endif
|
||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1515,6 +1520,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
*activep = value;
|
||||
break;
|
||||
|
||||
+ case sKerberosUseKuserok:
|
||||
+ intptr = &options->use_kuserok;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -1815,6 +1824,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
M_CP_INTOPT(max_authtries);
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
+ M_CP_INTOPT(use_kuserok);
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
|
||||
@@ -2055,6 +2065,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff --git a/servconf.h b/servconf.h
|
||||
index 57752cb..615aaba 100644
|
||||
--- a/servconf.h
|
||||
+++ b/servconf.h
|
||||
@@ -174,6 +174,7 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
+ int use_kuserok;
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5
|
||||
--- openssh-6.3p1/sshd_config.5.kuserok 2013-10-11 21:41:42.898087571 +0200
|
||||
+++ openssh-6.3p1/sshd_config.5 2013-10-11 21:41:42.907087528 +0200
|
||||
@@ -675,6 +675,10 @@ Specifies whether to automatically destr
|
||||
file on logout.
|
||||
The default is
|
||||
.Dq yes .
|
||||
+.It Cm KerberosUseKuserok
|
||||
+Specifies whether to look at .k5login file for user's aliases.
|
||||
+The default is
|
||||
+.Dq yes .
|
||||
.It Cm KexAlgorithms
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
@@ -833,6 +837,7 @@ Available keywords are
|
||||
.Cm HostbasedUsesNameFromPacketOnly ,
|
||||
.Cm KbdInteractiveAuthentication ,
|
||||
.Cm KerberosAuthentication ,
|
||||
+.Cm KerberosUseKuserok ,
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
.Cm PasswordAuthentication ,
|
||||
diff -up openssh-6.3p1/sshd_config.kuserok openssh-6.3p1/sshd_config
|
||||
--- openssh-6.3p1/sshd_config.kuserok 2013-10-11 21:41:42.898087571 +0200
|
||||
+++ openssh-6.3p1/sshd_config 2013-10-11 21:41:42.907087528 +0200
|
||||
@@ -86,6 +86,7 @@ ChallengeResponseAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
+#KerberosUseKuserok yes
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
|
@ -0,0 +1,16 @@
|
|||
diff --git a/auth2.c b/auth2.c
|
||||
index 06b672c..8cb9a97 100644
|
||||
--- a/auth2.c
|
||||
+++ b/auth2.c
|
||||
@@ -377,8 +377,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
|
||||
authctxt->success = 1;
|
||||
} else {
|
||||
|
||||
- /* Allow initial try of "none" auth without failure penalty */
|
||||
- if (!authctxt->server_caused_failure &&
|
||||
+ /* Allow initial try of "none" auth without failure penalty
|
||||
+ * Partial succes is not failure */
|
||||
+ if (!authctxt->server_caused_failure && !partial &&
|
||||
(authctxt->attempt > 1 || strcmp(method, "none") != 0))
|
||||
authctxt->failures++;
|
||||
if (authctxt->failures >= options.max_authtries) {
|
|
@ -0,0 +1,14 @@
|
|||
--- a/scp.c
|
||||
+++ a/scp.c
|
||||
@@ -1084,6 +1084,10 @@ sink(int argc, char **argv)
|
||||
free(vect[0]);
|
||||
continue;
|
||||
}
|
||||
+ if (buf[0] == 'C' && ! exists && np[strlen(np)-1] == '/') {
|
||||
+ errno = ENOTDIR;
|
||||
+ goto bad;
|
||||
+ }
|
||||
omode = mode;
|
||||
mode |= S_IWUSR;
|
||||
if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
|
||||
--
|
|
@ -0,0 +1,31 @@
|
|||
diff --git a/servconf.c b/servconf.c
|
||||
index 1e88905..f20504b 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -1562,7 +1562,7 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
break;
|
||||
|
||||
case sForceCommand:
|
||||
- if (cp == NULL)
|
||||
+ if (cp == NULL || *cp == '\0')
|
||||
fatal("%.200s line %d: Missing argument.", filename,
|
||||
linenum);
|
||||
len = strspn(cp, WHITESPACE);
|
||||
@@ -1607,7 +1607,7 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
break;
|
||||
|
||||
case sVersionAddendum:
|
||||
- if (cp == NULL)
|
||||
+ if (cp == NULL || *cp == '\0')
|
||||
fatal("%.200s line %d: Missing argument.", filename,
|
||||
linenum);
|
||||
len = strspn(cp, WHITESPACE);
|
||||
@@ -1642,6 +1642,8 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
break;
|
||||
|
||||
case sAuthenticationMethods:
|
||||
+ if (cp == NULL || *cp == '\0')
|
||||
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
|
||||
if (*activep && options->num_auth_methods == 0) {
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_auth_methods >=
|
|
@ -0,0 +1,87 @@
|
|||
diff --git a/canohost.c b/canohost.c
|
||||
index f5cb854..c53cc39 100644
|
||||
--- a/canohost.c
|
||||
+++ b/canohost.c
|
||||
@@ -343,6 +343,21 @@ clear_cached_addr(void)
|
||||
cached_port = -1;
|
||||
}
|
||||
|
||||
+void set_remote_ipaddr(void) {
|
||||
+ if (canonical_host_ip != NULL)
|
||||
+ free(canonical_host_ip);
|
||||
+
|
||||
+ if (packet_connection_is_on_socket()) {
|
||||
+ canonical_host_ip =
|
||||
+ get_peer_ipaddr(packet_get_connection_in());
|
||||
+ if (canonical_host_ip == NULL)
|
||||
+ cleanup_exit(255);
|
||||
+ } else {
|
||||
+ /* If not on socket, return UNKNOWN. */
|
||||
+ canonical_host_ip = xstrdup("UNKNOWN");
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Returns the IP-address of the remote host as a string. The returned
|
||||
* string must not be freed.
|
||||
@@ -352,17 +367,9 @@ const char *
|
||||
get_remote_ipaddr(void)
|
||||
{
|
||||
/* Check whether we have cached the ipaddr. */
|
||||
- if (canonical_host_ip == NULL) {
|
||||
- if (packet_connection_is_on_socket()) {
|
||||
- canonical_host_ip =
|
||||
- get_peer_ipaddr(packet_get_connection_in());
|
||||
- if (canonical_host_ip == NULL)
|
||||
- cleanup_exit(255);
|
||||
- } else {
|
||||
- /* If not on socket, return UNKNOWN. */
|
||||
- canonical_host_ip = xstrdup("UNKNOWN");
|
||||
- }
|
||||
- }
|
||||
+ if (canonical_host_ip == NULL)
|
||||
+ set_remote_ipaddr();
|
||||
+
|
||||
return canonical_host_ip;
|
||||
}
|
||||
|
||||
diff --git a/canohost.h b/canohost.h
|
||||
index 4c8636f..4079953 100644
|
||||
--- a/canohost.h
|
||||
+++ b/canohost.h
|
||||
@@ -13,6 +13,7 @@
|
||||
*/
|
||||
|
||||
const char *get_canonical_hostname(int);
|
||||
+void set_remote_ipaddr(void);
|
||||
const char *get_remote_ipaddr(void);
|
||||
const char *get_remote_name_or_ip(u_int, int);
|
||||
|
||||
diff --git a/sshconnect.c b/sshconnect.c
|
||||
index 4d8c718..b0b4870 100644
|
||||
--- a/sshconnect.c
|
||||
+++ b/sshconnect.c
|
||||
@@ -61,6 +61,7 @@
|
||||
#include "roaming.h"
|
||||
#include "ssh2.h"
|
||||
#include "version.h"
|
||||
+#include "canohost.h"
|
||||
|
||||
char *client_version_string = NULL;
|
||||
char *server_version_string = NULL;
|
||||
@@ -172,6 +173,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
|
||||
packet_set_connection(pout[0], pin[1]);
|
||||
packet_set_timeout(options.server_alive_interval,
|
||||
options.server_alive_count_max);
|
||||
+ set_remote_ipaddr();
|
||||
|
||||
/* Indicate OK return */
|
||||
return 0;
|
||||
@@ -433,6 +435,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
|
||||
packet_set_connection(sock, sock);
|
||||
packet_set_timeout(options.server_alive_interval,
|
||||
options.server_alive_count_max);
|
||||
+ set_remote_ipaddr();
|
||||
|
||||
return 0;
|
||||
}
|
|
@ -0,0 +1,15 @@
|
|||
diff --git a/sftp.c b/sftp.c
|
||||
index 4e1a026..6f16f7c 100644
|
||||
--- a/sftp.c
|
||||
+++ b/sftp.c
|
||||
@@ -1356,7 +1356,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
|
||||
case I_SYMLINK:
|
||||
sflag = 1;
|
||||
case I_LINK:
|
||||
- path1 = make_absolute(path1, *pwd);
|
||||
+ if (!sflag)
|
||||
+ path1 = make_absolute(path1, *pwd);
|
||||
path2 = make_absolute(path2, *pwd);
|
||||
err = (sflag ? do_symlink : do_hardlink)(conn, path1, path2);
|
||||
break;
|
||||
--
|
|
@ -0,0 +1,994 @@
|
|||
diff --git a/Makefile.in b/Makefile.in
|
||||
index a82bb07..2c0ada8 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -79,7 +79,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
||||
kexgssc.o \
|
||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
||||
- jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o
|
||||
+ jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o utf8_stringprep.o
|
||||
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
||||
diff --git a/misc.h b/misc.h
|
||||
index fceb306..379f7f3 100644
|
||||
--- a/misc.h
|
||||
+++ b/misc.h
|
||||
@@ -104,4 +104,7 @@ char *read_passphrase(const char *, int);
|
||||
int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
|
||||
|
||||
+/* utf8_stringprep.c */
|
||||
+int utf8_stringprep(const char *, char *, size_t);
|
||||
+
|
||||
#endif /* _MISC_H */
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index 3179d82..c74644a 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -33,6 +33,8 @@
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
+#include <langinfo.h>
|
||||
+#include <locale.h>
|
||||
#include <netdb.h>
|
||||
#include <pwd.h>
|
||||
#include <signal.h>
|
||||
@@ -542,21 +544,51 @@ input_userauth_error(int type, u_int32_t seq, void *ctxt)
|
||||
"type %d", type);
|
||||
}
|
||||
|
||||
+/* Check whether we can display UTF-8 safely */
|
||||
+static int
|
||||
+utf8_ok(void)
|
||||
+{
|
||||
+ static int ret = -1;
|
||||
+ char *cp;
|
||||
+
|
||||
+ if (ret == -1) {
|
||||
+ setlocale(LC_CTYPE, "");
|
||||
+ cp = nl_langinfo(CODESET);
|
||||
+ ret = strcmp(cp, "UTF-8") == 0;
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
/* ARGSUSED */
|
||||
void
|
||||
input_userauth_banner(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
char *msg, *raw, *lang;
|
||||
- u_int len;
|
||||
+ u_int done, len;
|
||||
|
||||
debug3("input_userauth_banner");
|
||||
+
|
||||
raw = packet_get_string(&len);
|
||||
lang = packet_get_string(NULL);
|
||||
if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
|
||||
if (len > 65536)
|
||||
len = 65536;
|
||||
msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
|
||||
- strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
|
||||
+ done = 0;
|
||||
+ if (utf8_ok()) {
|
||||
+ if (utf8_stringprep(raw, msg, len * 4 + 1) == 0)
|
||||
+ done = 1;
|
||||
+ else
|
||||
+ debug2("%s: UTF8 stringprep failed", __func__);
|
||||
+ }
|
||||
+ /*
|
||||
+ * Fallback to strnvis if UTF8 display not supported or
|
||||
+ * conversion failed.
|
||||
+ */
|
||||
+ if (!done) {
|
||||
+ strnvis(msg, raw, len * 4 + 1,
|
||||
+ VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
|
||||
+ }
|
||||
fprintf(stderr, "%s", msg);
|
||||
free(msg);
|
||||
}
|
||||
diff --git a/stringprep-tables.c b/stringprep-tables.c
|
||||
new file mode 100644
|
||||
index 0000000..49f4d9d
|
||||
--- /dev/null
|
||||
+++ b/stringprep-tables.c
|
||||
@@ -0,0 +1,661 @@
|
||||
+/* Public domain. */
|
||||
+
|
||||
+/* $OpenBSD$ */
|
||||
+
|
||||
+/*
|
||||
+ * Tables for RFC3454 stringprep algorithm, updated with a table of allocated
|
||||
+ * characters generated from Unicode.6.2's UnicodeData.txt
|
||||
+ *
|
||||
+ * Intended to be included directly from utf8_stringprep.c
|
||||
+ */
|
||||
+
|
||||
+/* Unassigned characters in Unicode 6.2 */
|
||||
+static const struct u32_range unassigned[] = {
|
||||
+ { 0x0378, 0x0379 },
|
||||
+ { 0x037F, 0x0383 },
|
||||
+ { 0x038B, 0x038B },
|
||||
+ { 0x038D, 0x038D },
|
||||
+ { 0x03A2, 0x03A2 },
|
||||
+ { 0x0528, 0x0530 },
|
||||
+ { 0x0557, 0x0558 },
|
||||
+ { 0x0560, 0x0560 },
|
||||
+ { 0x0588, 0x0588 },
|
||||
+ { 0x058B, 0x058E },
|
||||
+ { 0x0590, 0x0590 },
|
||||
+ { 0x05C8, 0x05CF },
|
||||
+ { 0x05EB, 0x05EF },
|
||||
+ { 0x05F5, 0x05FF },
|
||||
+ { 0x0605, 0x0605 },
|
||||
+ { 0x061C, 0x061D },
|
||||
+ { 0x070E, 0x070E },
|
||||
+ { 0x074B, 0x074C },
|
||||
+ { 0x07B2, 0x07BF },
|
||||
+ { 0x07FB, 0x07FF },
|
||||
+ { 0x082E, 0x082F },
|
||||
+ { 0x083F, 0x083F },
|
||||
+ { 0x085C, 0x085D },
|
||||
+ { 0x085F, 0x089F },
|
||||
+ { 0x08A1, 0x08A1 },
|
||||
+ { 0x08AD, 0x08E3 },
|
||||
+ { 0x08FF, 0x08FF },
|
||||
+ { 0x0978, 0x0978 },
|
||||
+ { 0x0980, 0x0980 },
|
||||
+ { 0x0984, 0x0984 },
|
||||
+ { 0x098D, 0x098E },
|
||||
+ { 0x0991, 0x0992 },
|
||||
+ { 0x09A9, 0x09A9 },
|
||||
+ { 0x09B1, 0x09B1 },
|
||||
+ { 0x09B3, 0x09B5 },
|
||||
+ { 0x09BA, 0x09BB },
|
||||
+ { 0x09C5, 0x09C6 },
|
||||
+ { 0x09C9, 0x09CA },
|
||||
+ { 0x09CF, 0x09D6 },
|
||||
+ { 0x09D8, 0x09DB },
|
||||
+ { 0x09DE, 0x09DE },
|
||||
+ { 0x09E4, 0x09E5 },
|
||||
+ { 0x09FC, 0x0A00 },
|
||||
+ { 0x0A04, 0x0A04 },
|
||||
+ { 0x0A0B, 0x0A0E },
|
||||
+ { 0x0A11, 0x0A12 },
|
||||
+ { 0x0A29, 0x0A29 },
|
||||
+ { 0x0A31, 0x0A31 },
|
||||
+ { 0x0A34, 0x0A34 },
|
||||
+ { 0x0A37, 0x0A37 },
|
||||
+ { 0x0A3A, 0x0A3B },
|
||||
+ { 0x0A3D, 0x0A3D },
|
||||
+ { 0x0A43, 0x0A46 },
|
||||
+ { 0x0A49, 0x0A4A },
|
||||
+ { 0x0A4E, 0x0A50 },
|
||||
+ { 0x0A52, 0x0A58 },
|
||||
+ { 0x0A5D, 0x0A5D },
|
||||
+ { 0x0A5F, 0x0A65 },
|
||||
+ { 0x0A76, 0x0A80 },
|
||||
+ { 0x0A84, 0x0A84 },
|
||||
+ { 0x0A8E, 0x0A8E },
|
||||
+ { 0x0A92, 0x0A92 },
|
||||
+ { 0x0AA9, 0x0AA9 },
|
||||
+ { 0x0AB1, 0x0AB1 },
|
||||
+ { 0x0AB4, 0x0AB4 },
|
||||
+ { 0x0ABA, 0x0ABB },
|
||||
+ { 0x0AC6, 0x0AC6 },
|
||||
+ { 0x0ACA, 0x0ACA },
|
||||
+ { 0x0ACE, 0x0ACF },
|
||||
+ { 0x0AD1, 0x0ADF },
|
||||
+ { 0x0AE4, 0x0AE5 },
|
||||
+ { 0x0AF2, 0x0B00 },
|
||||
+ { 0x0B04, 0x0B04 },
|
||||
+ { 0x0B0D, 0x0B0E },
|
||||
+ { 0x0B11, 0x0B12 },
|
||||
+ { 0x0B29, 0x0B29 },
|
||||
+ { 0x0B31, 0x0B31 },
|
||||
+ { 0x0B34, 0x0B34 },
|
||||
+ { 0x0B3A, 0x0B3B },
|
||||
+ { 0x0B45, 0x0B46 },
|
||||
+ { 0x0B49, 0x0B4A },
|
||||
+ { 0x0B4E, 0x0B55 },
|
||||
+ { 0x0B58, 0x0B5B },
|
||||
+ { 0x0B5E, 0x0B5E },
|
||||
+ { 0x0B64, 0x0B65 },
|
||||
+ { 0x0B78, 0x0B81 },
|
||||
+ { 0x0B84, 0x0B84 },
|
||||
+ { 0x0B8B, 0x0B8D },
|
||||
+ { 0x0B91, 0x0B91 },
|
||||
+ { 0x0B96, 0x0B98 },
|
||||
+ { 0x0B9B, 0x0B9B },
|
||||
+ { 0x0B9D, 0x0B9D },
|
||||
+ { 0x0BA0, 0x0BA2 },
|
||||
+ { 0x0BA5, 0x0BA7 },
|
||||
+ { 0x0BAB, 0x0BAD },
|
||||
+ { 0x0BBA, 0x0BBD },
|
||||
+ { 0x0BC3, 0x0BC5 },
|
||||
+ { 0x0BC9, 0x0BC9 },
|
||||
+ { 0x0BCE, 0x0BCF },
|
||||
+ { 0x0BD1, 0x0BD6 },
|
||||
+ { 0x0BD8, 0x0BE5 },
|
||||
+ { 0x0BFB, 0x0C00 },
|
||||
+ { 0x0C04, 0x0C04 },
|
||||
+ { 0x0C0D, 0x0C0D },
|
||||
+ { 0x0C11, 0x0C11 },
|
||||
+ { 0x0C29, 0x0C29 },
|
||||
+ { 0x0C34, 0x0C34 },
|
||||
+ { 0x0C3A, 0x0C3C },
|
||||
+ { 0x0C45, 0x0C45 },
|
||||
+ { 0x0C49, 0x0C49 },
|
||||
+ { 0x0C4E, 0x0C54 },
|
||||
+ { 0x0C57, 0x0C57 },
|
||||
+ { 0x0C5A, 0x0C5F },
|
||||
+ { 0x0C64, 0x0C65 },
|
||||
+ { 0x0C70, 0x0C77 },
|
||||
+ { 0x0C80, 0x0C81 },
|
||||
+ { 0x0C84, 0x0C84 },
|
||||
+ { 0x0C8D, 0x0C8D },
|
||||
+ { 0x0C91, 0x0C91 },
|
||||
+ { 0x0CA9, 0x0CA9 },
|
||||
+ { 0x0CB4, 0x0CB4 },
|
||||
+ { 0x0CBA, 0x0CBB },
|
||||
+ { 0x0CC5, 0x0CC5 },
|
||||
+ { 0x0CC9, 0x0CC9 },
|
||||
+ { 0x0CCE, 0x0CD4 },
|
||||
+ { 0x0CD7, 0x0CDD },
|
||||
+ { 0x0CDF, 0x0CDF },
|
||||
+ { 0x0CE4, 0x0CE5 },
|
||||
+ { 0x0CF0, 0x0CF0 },
|
||||
+ { 0x0CF3, 0x0D01 },
|
||||
+ { 0x0D04, 0x0D04 },
|
||||
+ { 0x0D0D, 0x0D0D },
|
||||
+ { 0x0D11, 0x0D11 },
|
||||
+ { 0x0D3B, 0x0D3C },
|
||||
+ { 0x0D45, 0x0D45 },
|
||||
+ { 0x0D49, 0x0D49 },
|
||||
+ { 0x0D4F, 0x0D56 },
|
||||
+ { 0x0D58, 0x0D5F },
|
||||
+ { 0x0D64, 0x0D65 },
|
||||
+ { 0x0D76, 0x0D78 },
|
||||
+ { 0x0D80, 0x0D81 },
|
||||
+ { 0x0D84, 0x0D84 },
|
||||
+ { 0x0D97, 0x0D99 },
|
||||
+ { 0x0DB2, 0x0DB2 },
|
||||
+ { 0x0DBC, 0x0DBC },
|
||||
+ { 0x0DBE, 0x0DBF },
|
||||
+ { 0x0DC7, 0x0DC9 },
|
||||
+ { 0x0DCB, 0x0DCE },
|
||||
+ { 0x0DD5, 0x0DD5 },
|
||||
+ { 0x0DD7, 0x0DD7 },
|
||||
+ { 0x0DE0, 0x0DF1 },
|
||||
+ { 0x0DF5, 0x0E00 },
|
||||
+ { 0x0E3B, 0x0E3E },
|
||||
+ { 0x0E5C, 0x0E80 },
|
||||
+ { 0x0E83, 0x0E83 },
|
||||
+ { 0x0E85, 0x0E86 },
|
||||
+ { 0x0E89, 0x0E89 },
|
||||
+ { 0x0E8B, 0x0E8C },
|
||||
+ { 0x0E8E, 0x0E93 },
|
||||
+ { 0x0E98, 0x0E98 },
|
||||
+ { 0x0EA0, 0x0EA0 },
|
||||
+ { 0x0EA4, 0x0EA4 },
|
||||
+ { 0x0EA6, 0x0EA6 },
|
||||
+ { 0x0EA8, 0x0EA9 },
|
||||
+ { 0x0EAC, 0x0EAC },
|
||||
+ { 0x0EBA, 0x0EBA },
|
||||
+ { 0x0EBE, 0x0EBF },
|
||||
+ { 0x0EC5, 0x0EC5 },
|
||||
+ { 0x0EC7, 0x0EC7 },
|
||||
+ { 0x0ECE, 0x0ECF },
|
||||
+ { 0x0EDA, 0x0EDB },
|
||||
+ { 0x0EE0, 0x0EFF },
|
||||
+ { 0x0F48, 0x0F48 },
|
||||
+ { 0x0F6D, 0x0F70 },
|
||||
+ { 0x0F98, 0x0F98 },
|
||||
+ { 0x0FBD, 0x0FBD },
|
||||
+ { 0x0FCD, 0x0FCD },
|
||||
+ { 0x0FDB, 0x0FFF },
|
||||
+ { 0x10C6, 0x10C6 },
|
||||
+ { 0x10C8, 0x10CC },
|
||||
+ { 0x10CE, 0x10CF },
|
||||
+ { 0x1249, 0x1249 },
|
||||
+ { 0x124E, 0x124F },
|
||||
+ { 0x1257, 0x1257 },
|
||||
+ { 0x1259, 0x1259 },
|
||||
+ { 0x125E, 0x125F },
|
||||
+ { 0x1289, 0x1289 },
|
||||
+ { 0x128E, 0x128F },
|
||||
+ { 0x12B1, 0x12B1 },
|
||||
+ { 0x12B6, 0x12B7 },
|
||||
+ { 0x12BF, 0x12BF },
|
||||
+ { 0x12C1, 0x12C1 },
|
||||
+ { 0x12C6, 0x12C7 },
|
||||
+ { 0x12D7, 0x12D7 },
|
||||
+ { 0x1311, 0x1311 },
|
||||
+ { 0x1316, 0x1317 },
|
||||
+ { 0x135B, 0x135C },
|
||||
+ { 0x137D, 0x137F },
|
||||
+ { 0x139A, 0x139F },
|
||||
+ { 0x13F5, 0x13FF },
|
||||
+ { 0x169D, 0x169F },
|
||||
+ { 0x16F1, 0x16FF },
|
||||
+ { 0x170D, 0x170D },
|
||||
+ { 0x1715, 0x171F },
|
||||
+ { 0x1737, 0x173F },
|
||||
+ { 0x1754, 0x175F },
|
||||
+ { 0x176D, 0x176D },
|
||||
+ { 0x1771, 0x1771 },
|
||||
+ { 0x1774, 0x177F },
|
||||
+ { 0x17DE, 0x17DF },
|
||||
+ { 0x17EA, 0x17EF },
|
||||
+ { 0x17FA, 0x17FF },
|
||||
+ { 0x180F, 0x180F },
|
||||
+ { 0x181A, 0x181F },
|
||||
+ { 0x1878, 0x187F },
|
||||
+ { 0x18AB, 0x18AF },
|
||||
+ { 0x18F6, 0x18FF },
|
||||
+ { 0x191D, 0x191F },
|
||||
+ { 0x192C, 0x192F },
|
||||
+ { 0x193C, 0x193F },
|
||||
+ { 0x1941, 0x1943 },
|
||||
+ { 0x196E, 0x196F },
|
||||
+ { 0x1975, 0x197F },
|
||||
+ { 0x19AC, 0x19AF },
|
||||
+ { 0x19CA, 0x19CF },
|
||||
+ { 0x19DB, 0x19DD },
|
||||
+ { 0x1A1C, 0x1A1D },
|
||||
+ { 0x1A5F, 0x1A5F },
|
||||
+ { 0x1A7D, 0x1A7E },
|
||||
+ { 0x1A8A, 0x1A8F },
|
||||
+ { 0x1A9A, 0x1A9F },
|
||||
+ { 0x1AAE, 0x1AFF },
|
||||
+ { 0x1B4C, 0x1B4F },
|
||||
+ { 0x1B7D, 0x1B7F },
|
||||
+ { 0x1BF4, 0x1BFB },
|
||||
+ { 0x1C38, 0x1C3A },
|
||||
+ { 0x1C4A, 0x1C4C },
|
||||
+ { 0x1C80, 0x1CBF },
|
||||
+ { 0x1CC8, 0x1CCF },
|
||||
+ { 0x1CF7, 0x1CFF },
|
||||
+ { 0x1DE7, 0x1DFB },
|
||||
+ { 0x1F16, 0x1F17 },
|
||||
+ { 0x1F1E, 0x1F1F },
|
||||
+ { 0x1F46, 0x1F47 },
|
||||
+ { 0x1F4E, 0x1F4F },
|
||||
+ { 0x1F58, 0x1F58 },
|
||||
+ { 0x1F5A, 0x1F5A },
|
||||
+ { 0x1F5C, 0x1F5C },
|
||||
+ { 0x1F5E, 0x1F5E },
|
||||
+ { 0x1F7E, 0x1F7F },
|
||||
+ { 0x1FB5, 0x1FB5 },
|
||||
+ { 0x1FC5, 0x1FC5 },
|
||||
+ { 0x1FD4, 0x1FD5 },
|
||||
+ { 0x1FDC, 0x1FDC },
|
||||
+ { 0x1FF0, 0x1FF1 },
|
||||
+ { 0x1FF5, 0x1FF5 },
|
||||
+ { 0x1FFF, 0x1FFF },
|
||||
+ { 0x2065, 0x2069 },
|
||||
+ { 0x2072, 0x2073 },
|
||||
+ { 0x208F, 0x208F },
|
||||
+ { 0x209D, 0x209F },
|
||||
+ { 0x20BB, 0x20CF },
|
||||
+ { 0x20F1, 0x20FF },
|
||||
+ { 0x218A, 0x218F },
|
||||
+ { 0x23F4, 0x23FF },
|
||||
+ { 0x2427, 0x243F },
|
||||
+ { 0x244B, 0x245F },
|
||||
+ { 0x2700, 0x2700 },
|
||||
+ { 0x2B4D, 0x2B4F },
|
||||
+ { 0x2B5A, 0x2BFF },
|
||||
+ { 0x2C2F, 0x2C2F },
|
||||
+ { 0x2C5F, 0x2C5F },
|
||||
+ { 0x2CF4, 0x2CF8 },
|
||||
+ { 0x2D26, 0x2D26 },
|
||||
+ { 0x2D28, 0x2D2C },
|
||||
+ { 0x2D2E, 0x2D2F },
|
||||
+ { 0x2D68, 0x2D6E },
|
||||
+ { 0x2D71, 0x2D7E },
|
||||
+ { 0x2D97, 0x2D9F },
|
||||
+ { 0x2DA7, 0x2DA7 },
|
||||
+ { 0x2DAF, 0x2DAF },
|
||||
+ { 0x2DB7, 0x2DB7 },
|
||||
+ { 0x2DBF, 0x2DBF },
|
||||
+ { 0x2DC7, 0x2DC7 },
|
||||
+ { 0x2DCF, 0x2DCF },
|
||||
+ { 0x2DD7, 0x2DD7 },
|
||||
+ { 0x2DDF, 0x2DDF },
|
||||
+ { 0x2E3C, 0x2E7F },
|
||||
+ { 0x2E9A, 0x2E9A },
|
||||
+ { 0x2EF4, 0x2EFF },
|
||||
+ { 0x2FD6, 0x2FEF },
|
||||
+ { 0x2FFC, 0x2FFF },
|
||||
+ { 0x3040, 0x3040 },
|
||||
+ { 0x3097, 0x3098 },
|
||||
+ { 0x3100, 0x3104 },
|
||||
+ { 0x312E, 0x3130 },
|
||||
+ { 0x318F, 0x318F },
|
||||
+ { 0x31BB, 0x31BF },
|
||||
+ { 0x31E4, 0x31EF },
|
||||
+ { 0x321F, 0x321F },
|
||||
+ { 0x32FF, 0x32FF },
|
||||
+ { 0x4DB6, 0x4DBF },
|
||||
+ { 0x9FA6, 0x9FCB },
|
||||
+ { 0x9FCD, 0x9FFF },
|
||||
+ { 0xA48D, 0xA48F },
|
||||
+ { 0xA4C7, 0xA4CF },
|
||||
+ { 0xA62C, 0xA63F },
|
||||
+ { 0xA698, 0xA69E },
|
||||
+ { 0xA6F8, 0xA6FF },
|
||||
+ { 0xA78F, 0xA78F },
|
||||
+ { 0xA794, 0xA79F },
|
||||
+ { 0xA7AB, 0xA7F7 },
|
||||
+ { 0xA82C, 0xA82F },
|
||||
+ { 0xA83A, 0xA83F },
|
||||
+ { 0xA878, 0xA87F },
|
||||
+ { 0xA8C5, 0xA8CD },
|
||||
+ { 0xA8DA, 0xA8DF },
|
||||
+ { 0xA8FC, 0xA8FF },
|
||||
+ { 0xA954, 0xA95E },
|
||||
+ { 0xA97D, 0xA97F },
|
||||
+ { 0xA9CE, 0xA9CE },
|
||||
+ { 0xA9DA, 0xA9DD },
|
||||
+ { 0xA9E0, 0xA9FF },
|
||||
+ { 0xAA37, 0xAA3F },
|
||||
+ { 0xAA4E, 0xAA4F },
|
||||
+ { 0xAA5A, 0xAA5B },
|
||||
+ { 0xAA7C, 0xAA7F },
|
||||
+ { 0xAAC3, 0xAADA },
|
||||
+ { 0xAAF7, 0xAB00 },
|
||||
+ { 0xAB07, 0xAB08 },
|
||||
+ { 0xAB0F, 0xAB10 },
|
||||
+ { 0xAB17, 0xAB1F },
|
||||
+ { 0xAB27, 0xAB27 },
|
||||
+ { 0xAB2F, 0xABBF },
|
||||
+ { 0xABEE, 0xABEF },
|
||||
+ { 0xABFA, 0xABFF },
|
||||
+ { 0xD7A4, 0xD7AF },
|
||||
+ { 0xD7C7, 0xD7CA },
|
||||
+ { 0xD7FC, 0xD7FF },
|
||||
+ { 0xFA6E, 0xFA6F },
|
||||
+ { 0xFADA, 0xFAFF },
|
||||
+ { 0xFB07, 0xFB12 },
|
||||
+ { 0xFB18, 0xFB1C },
|
||||
+ { 0xFB37, 0xFB37 },
|
||||
+ { 0xFB3D, 0xFB3D },
|
||||
+ { 0xFB3F, 0xFB3F },
|
||||
+ { 0xFB42, 0xFB42 },
|
||||
+ { 0xFB45, 0xFB45 },
|
||||
+ { 0xFBC2, 0xFBD2 },
|
||||
+ { 0xFD40, 0xFD4F },
|
||||
+ { 0xFD90, 0xFD91 },
|
||||
+ { 0xFDC8, 0xFDCF },
|
||||
+ { 0xFDFE, 0xFDFF },
|
||||
+ { 0xFE1A, 0xFE1F },
|
||||
+ { 0xFE27, 0xFE2F },
|
||||
+ { 0xFE53, 0xFE53 },
|
||||
+ { 0xFE67, 0xFE67 },
|
||||
+ { 0xFE6C, 0xFE6F },
|
||||
+ { 0xFE75, 0xFE75 },
|
||||
+ { 0xFEFD, 0xFEFE },
|
||||
+ { 0xFF00, 0xFF00 },
|
||||
+ { 0xFFBF, 0xFFC1 },
|
||||
+ { 0xFFC8, 0xFFC9 },
|
||||
+ { 0xFFD0, 0xFFD1 },
|
||||
+ { 0xFFD8, 0xFFD9 },
|
||||
+ { 0xFFDD, 0xFFDF },
|
||||
+ { 0xFFE7, 0xFFE7 },
|
||||
+ { 0xFFEF, 0xFFF8 },
|
||||
+ { 0x1000C, 0x1000C },
|
||||
+ { 0x10027, 0x10027 },
|
||||
+ { 0x1003B, 0x1003B },
|
||||
+ { 0x1003E, 0x1003E },
|
||||
+ { 0x1004E, 0x1004F },
|
||||
+ { 0x1005E, 0x1007F },
|
||||
+ { 0x100FB, 0x100FF },
|
||||
+ { 0x10103, 0x10106 },
|
||||
+ { 0x10134, 0x10136 },
|
||||
+ { 0x1018B, 0x1018F },
|
||||
+ { 0x1019C, 0x101CF },
|
||||
+ { 0x101FE, 0x1027F },
|
||||
+ { 0x1029D, 0x1029F },
|
||||
+ { 0x102D1, 0x102FF },
|
||||
+ { 0x1031F, 0x1031F },
|
||||
+ { 0x10324, 0x1032F },
|
||||
+ { 0x1034B, 0x1037F },
|
||||
+ { 0x1039E, 0x1039E },
|
||||
+ { 0x103C4, 0x103C7 },
|
||||
+ { 0x103D6, 0x103FF },
|
||||
+ { 0x1049E, 0x1049F },
|
||||
+ { 0x104AA, 0x107FF },
|
||||
+ { 0x10806, 0x10807 },
|
||||
+ { 0x10809, 0x10809 },
|
||||
+ { 0x10836, 0x10836 },
|
||||
+ { 0x10839, 0x1083B },
|
||||
+ { 0x1083D, 0x1083E },
|
||||
+ { 0x10856, 0x10856 },
|
||||
+ { 0x10860, 0x108FF },
|
||||
+ { 0x1091C, 0x1091E },
|
||||
+ { 0x1093A, 0x1093E },
|
||||
+ { 0x10940, 0x1097F },
|
||||
+ { 0x109B8, 0x109BD },
|
||||
+ { 0x109C0, 0x109FF },
|
||||
+ { 0x10A04, 0x10A04 },
|
||||
+ { 0x10A07, 0x10A0B },
|
||||
+ { 0x10A14, 0x10A14 },
|
||||
+ { 0x10A18, 0x10A18 },
|
||||
+ { 0x10A34, 0x10A37 },
|
||||
+ { 0x10A3B, 0x10A3E },
|
||||
+ { 0x10A48, 0x10A4F },
|
||||
+ { 0x10A59, 0x10A5F },
|
||||
+ { 0x10A80, 0x10AFF },
|
||||
+ { 0x10B36, 0x10B38 },
|
||||
+ { 0x10B56, 0x10B57 },
|
||||
+ { 0x10B73, 0x10B77 },
|
||||
+ { 0x10B80, 0x10BFF },
|
||||
+ { 0x10C49, 0x10E5F },
|
||||
+ { 0x10E7F, 0x10FFF },
|
||||
+ { 0x1104E, 0x11051 },
|
||||
+ { 0x11070, 0x1107F },
|
||||
+ { 0x110C2, 0x110CF },
|
||||
+ { 0x110E9, 0x110EF },
|
||||
+ { 0x110FA, 0x110FF },
|
||||
+ { 0x11135, 0x11135 },
|
||||
+ { 0x11144, 0x1117F },
|
||||
+ { 0x111C9, 0x111CF },
|
||||
+ { 0x111DA, 0x1167F },
|
||||
+ { 0x116B8, 0x116BF },
|
||||
+ { 0x116CA, 0x11FFF },
|
||||
+ { 0x1236F, 0x123FF },
|
||||
+ { 0x12463, 0x1246F },
|
||||
+ { 0x12474, 0x12FFF },
|
||||
+ { 0x1342F, 0x167FF },
|
||||
+ { 0x16A39, 0x16EFF },
|
||||
+ { 0x16F45, 0x16F4F },
|
||||
+ { 0x16F7F, 0x16F8E },
|
||||
+ { 0x16FA0, 0x1AFFF },
|
||||
+ { 0x1B002, 0x1CFFF },
|
||||
+ { 0x1D0F6, 0x1D0FF },
|
||||
+ { 0x1D127, 0x1D128 },
|
||||
+ { 0x1D1DE, 0x1D1FF },
|
||||
+ { 0x1D246, 0x1D2FF },
|
||||
+ { 0x1D357, 0x1D35F },
|
||||
+ { 0x1D372, 0x1D3FF },
|
||||
+ { 0x1D455, 0x1D455 },
|
||||
+ { 0x1D49D, 0x1D49D },
|
||||
+ { 0x1D4A0, 0x1D4A1 },
|
||||
+ { 0x1D4A3, 0x1D4A4 },
|
||||
+ { 0x1D4A7, 0x1D4A8 },
|
||||
+ { 0x1D4AD, 0x1D4AD },
|
||||
+ { 0x1D4BA, 0x1D4BA },
|
||||
+ { 0x1D4BC, 0x1D4BC },
|
||||
+ { 0x1D4C4, 0x1D4C4 },
|
||||
+ { 0x1D506, 0x1D506 },
|
||||
+ { 0x1D50B, 0x1D50C },
|
||||
+ { 0x1D515, 0x1D515 },
|
||||
+ { 0x1D51D, 0x1D51D },
|
||||
+ { 0x1D53A, 0x1D53A },
|
||||
+ { 0x1D53F, 0x1D53F },
|
||||
+ { 0x1D545, 0x1D545 },
|
||||
+ { 0x1D547, 0x1D549 },
|
||||
+ { 0x1D551, 0x1D551 },
|
||||
+ { 0x1D6A6, 0x1D6A7 },
|
||||
+ { 0x1D7CC, 0x1D7CD },
|
||||
+ { 0x1D800, 0x1EDFF },
|
||||
+ { 0x1EE04, 0x1EE04 },
|
||||
+ { 0x1EE20, 0x1EE20 },
|
||||
+ { 0x1EE23, 0x1EE23 },
|
||||
+ { 0x1EE25, 0x1EE26 },
|
||||
+ { 0x1EE28, 0x1EE28 },
|
||||
+ { 0x1EE33, 0x1EE33 },
|
||||
+ { 0x1EE38, 0x1EE38 },
|
||||
+ { 0x1EE3A, 0x1EE3A },
|
||||
+ { 0x1EE3C, 0x1EE41 },
|
||||
+ { 0x1EE43, 0x1EE46 },
|
||||
+ { 0x1EE48, 0x1EE48 },
|
||||
+ { 0x1EE4A, 0x1EE4A },
|
||||
+ { 0x1EE4C, 0x1EE4C },
|
||||
+ { 0x1EE50, 0x1EE50 },
|
||||
+ { 0x1EE53, 0x1EE53 },
|
||||
+ { 0x1EE55, 0x1EE56 },
|
||||
+ { 0x1EE58, 0x1EE58 },
|
||||
+ { 0x1EE5A, 0x1EE5A },
|
||||
+ { 0x1EE5C, 0x1EE5C },
|
||||
+ { 0x1EE5E, 0x1EE5E },
|
||||
+ { 0x1EE60, 0x1EE60 },
|
||||
+ { 0x1EE63, 0x1EE63 },
|
||||
+ { 0x1EE65, 0x1EE66 },
|
||||
+ { 0x1EE6B, 0x1EE6B },
|
||||
+ { 0x1EE73, 0x1EE73 },
|
||||
+ { 0x1EE78, 0x1EE78 },
|
||||
+ { 0x1EE7D, 0x1EE7D },
|
||||
+ { 0x1EE7F, 0x1EE7F },
|
||||
+ { 0x1EE8A, 0x1EE8A },
|
||||
+ { 0x1EE9C, 0x1EEA0 },
|
||||
+ { 0x1EEA4, 0x1EEA4 },
|
||||
+ { 0x1EEAA, 0x1EEAA },
|
||||
+ { 0x1EEBC, 0x1EEEF },
|
||||
+ { 0x1EEF2, 0x1EFFF },
|
||||
+ { 0x1F02C, 0x1F02F },
|
||||
+ { 0x1F094, 0x1F09F },
|
||||
+ { 0x1F0AF, 0x1F0B0 },
|
||||
+ { 0x1F0BF, 0x1F0C0 },
|
||||
+ { 0x1F0D0, 0x1F0D0 },
|
||||
+ { 0x1F0E0, 0x1F0FF },
|
||||
+ { 0x1F10B, 0x1F10F },
|
||||
+ { 0x1F12F, 0x1F12F },
|
||||
+ { 0x1F16C, 0x1F16F },
|
||||
+ { 0x1F19B, 0x1F1E5 },
|
||||
+ { 0x1F203, 0x1F20F },
|
||||
+ { 0x1F23B, 0x1F23F },
|
||||
+ { 0x1F249, 0x1F24F },
|
||||
+ { 0x1F252, 0x1F2FF },
|
||||
+ { 0x1F321, 0x1F32F },
|
||||
+ { 0x1F336, 0x1F336 },
|
||||
+ { 0x1F37D, 0x1F37F },
|
||||
+ { 0x1F394, 0x1F39F },
|
||||
+ { 0x1F3C5, 0x1F3C5 },
|
||||
+ { 0x1F3CB, 0x1F3DF },
|
||||
+ { 0x1F3F1, 0x1F3FF },
|
||||
+ { 0x1F43F, 0x1F43F },
|
||||
+ { 0x1F441, 0x1F441 },
|
||||
+ { 0x1F4F8, 0x1F4F8 },
|
||||
+ { 0x1F4FD, 0x1F4FF },
|
||||
+ { 0x1F53E, 0x1F53F },
|
||||
+ { 0x1F544, 0x1F54F },
|
||||
+ { 0x1F568, 0x1F5FA },
|
||||
+ { 0x1F641, 0x1F644 },
|
||||
+ { 0x1F650, 0x1F67F },
|
||||
+ { 0x1F6C6, 0x1F6FF },
|
||||
+ { 0x1F774, 0x1FFFD },
|
||||
+ { 0x2A6D7, 0x2A6FF },
|
||||
+ { 0x2A701, 0x2B733 },
|
||||
+ { 0x2B735, 0x2B73F },
|
||||
+ { 0x2B741, 0x2B81C },
|
||||
+ { 0x2B81E, 0x2F7FF },
|
||||
+ { 0x2FA1E, 0x2FFFD },
|
||||
+ { 0x30000, 0x3FFFD },
|
||||
+ { 0x40000, 0x4FFFD },
|
||||
+ { 0x50000, 0x5FFFD },
|
||||
+ { 0x60000, 0x6FFFD },
|
||||
+ { 0x70000, 0x7FFFD },
|
||||
+ { 0x80000, 0x8FFFD },
|
||||
+ { 0x90000, 0x9FFFD },
|
||||
+ { 0xA0000, 0xAFFFD },
|
||||
+ { 0xB0000, 0xBFFFD },
|
||||
+ { 0xC0000, 0xCFFFD },
|
||||
+ { 0xD0000, 0xDFFFD },
|
||||
+ { 0xE0000, 0xE0000 },
|
||||
+ { 0xE0002, 0xE001F },
|
||||
+ { 0xE0080, 0xE00FF },
|
||||
+ { 0xE01F0, 0xEFFFD },
|
||||
+};
|
||||
+
|
||||
+/* RFC3454 Table B.1 */
|
||||
+static const struct u32_range map_to_nothing[] = {
|
||||
+ { 0x00AD, 0x00AD },
|
||||
+ { 0x034F, 0x034F },
|
||||
+ { 0x1806, 0x1806 },
|
||||
+ { 0x180B, 0x180D },
|
||||
+ { 0x200B, 0x200D },
|
||||
+ { 0x2060, 0x2060 },
|
||||
+ { 0xFE00, 0xFE0F },
|
||||
+ { 0xFEFF, 0xFEFF },
|
||||
+};
|
||||
+
|
||||
+/* Local: allow tab, CR and LF */
|
||||
+static const struct u32_range whitelist[] = {
|
||||
+ { 0x09, 0x09 },
|
||||
+ { 0x0a, 0x0a },
|
||||
+ { 0x0d, 0x0d },
|
||||
+};
|
||||
+
|
||||
+/* RFC3454 Tables in appendix C */
|
||||
+static const struct u32_range prohibited[] = {
|
||||
+ /* C.2.1 ASCII control characters */
|
||||
+ { 0x0000, 0x001F },
|
||||
+ { 0x007F, 0x007F },
|
||||
+ /* C.2.2 Non-ASCII control characters */
|
||||
+ { 0x0080, 0x009F },
|
||||
+ { 0x06DD, 0x06DD },
|
||||
+ { 0x070F, 0x070F },
|
||||
+ { 0x180E, 0x180E },
|
||||
+ { 0x200C, 0x200C },
|
||||
+ { 0x200D, 0x200D },
|
||||
+ { 0x2028, 0x2028 },
|
||||
+ { 0x2029, 0x2029 },
|
||||
+ { 0x2060, 0x2060 },
|
||||
+ { 0x2061, 0x2061 },
|
||||
+ { 0x2062, 0x2062 },
|
||||
+ { 0x2063, 0x2063 },
|
||||
+ { 0x206A, 0x206F },
|
||||
+ { 0xFEFF, 0xFEFF },
|
||||
+ { 0xFFF9, 0xFFFC },
|
||||
+ { 0x1D173, 0x1D17A },
|
||||
+ /* C.3 Private use */
|
||||
+ { 0xE000, 0xF8FF },
|
||||
+ { 0xF0000, 0xFFFFD },
|
||||
+ { 0x100000, 0x10FFFD },
|
||||
+ /* C.4 Non-character code points */
|
||||
+ { 0xFDD0, 0xFDEF },
|
||||
+ { 0xFFFE, 0xFFFF },
|
||||
+ { 0x1FFFE, 0x1FFFF },
|
||||
+ { 0x2FFFE, 0x2FFFF },
|
||||
+ { 0x3FFFE, 0x3FFFF },
|
||||
+ { 0x4FFFE, 0x4FFFF },
|
||||
+ { 0x5FFFE, 0x5FFFF },
|
||||
+ { 0x6FFFE, 0x6FFFF },
|
||||
+ { 0x7FFFE, 0x7FFFF },
|
||||
+ { 0x8FFFE, 0x8FFFF },
|
||||
+ { 0x9FFFE, 0x9FFFF },
|
||||
+ { 0xAFFFE, 0xAFFFF },
|
||||
+ { 0xBFFFE, 0xBFFFF },
|
||||
+ { 0xCFFFE, 0xCFFFF },
|
||||
+ { 0xDFFFE, 0xDFFFF },
|
||||
+ { 0xEFFFE, 0xEFFFF },
|
||||
+ { 0xFFFFE, 0xFFFFF },
|
||||
+ { 0x10FFFE, 0x10FFFF },
|
||||
+ /* C.5 Surrogate codes */
|
||||
+ { 0xD800, 0xDFFF },
|
||||
+ /* C.6 Inappropriate for plain text */
|
||||
+ { 0xFFF9, 0xFFF9 },
|
||||
+ { 0xFFFA, 0xFFFA },
|
||||
+ { 0xFFFB, 0xFFFB },
|
||||
+ { 0xFFFC, 0xFFFC },
|
||||
+ { 0xFFFD, 0xFFFD },
|
||||
+ /* C.7 Inappropriate for canonical representation */
|
||||
+ { 0x2FF0, 0x2FFB },
|
||||
+ /* C.8 Change display properties or are deprecated */
|
||||
+ { 0x0340, 0x0340 },
|
||||
+ { 0x0341, 0x0341 },
|
||||
+ { 0x200E, 0x200E },
|
||||
+ { 0x200F, 0x200F },
|
||||
+ { 0x202A, 0x202A },
|
||||
+ { 0x202B, 0x202B },
|
||||
+ { 0x202C, 0x202C },
|
||||
+ { 0x202D, 0x202D },
|
||||
+ { 0x202E, 0x202E },
|
||||
+ { 0x206A, 0x206A },
|
||||
+ { 0x206B, 0x206B },
|
||||
+ { 0x206C, 0x206C },
|
||||
+ { 0x206D, 0x206D },
|
||||
+ { 0x206E, 0x206E },
|
||||
+ { 0x206F, 0x206F },
|
||||
+ /* C.9 Tagging characters */
|
||||
+ { 0xE0001, 0xE0001 },
|
||||
+ { 0xE0020, 0xE007F },
|
||||
+};
|
||||
+
|
||||
diff --git a/utf8_stringprep.c b/utf8_stringprep.c
|
||||
new file mode 100644
|
||||
index 0000000..bcafae7
|
||||
--- /dev/null
|
||||
+++ b/utf8_stringprep.c
|
||||
@@ -0,0 +1,229 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * This is a simple RFC3454 stringprep profile to sanitise UTF-8 strings
|
||||
+ * from untrusted sources.
|
||||
+ *
|
||||
+ * It is intended to be used prior to display of untrusted strings only.
|
||||
+ * It should not be used for logging because of bi-di ambiguity. It
|
||||
+ * should also not be used in any case where lack of normalisation may
|
||||
+ * cause problems.
|
||||
+ *
|
||||
+ * This profile uses the prohibition and mapping tables from RFC3454
|
||||
+ * (listed below) but the unassigned character table has been updated to
|
||||
+ * Unicode 6.2. It uses a local whitelist of whitespace characters (\n,
|
||||
+ * \a and \t). Unicode normalisation and bi-di testing are not used.
|
||||
+ *
|
||||
+ * XXX: implement bi-di handling (needed for logs)
|
||||
+ * XXX: implement KC normalisation (needed for passing to libs/syscalls)
|
||||
+ */
|
||||
+
|
||||
+#include <sys/types.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <limits.h>
|
||||
+#include <ctype.h>
|
||||
+
|
||||
+#include "misc.h"
|
||||
+
|
||||
+struct u32_range {
|
||||
+ u_int32_t lo, hi; /* Inclusive */
|
||||
+};
|
||||
+
|
||||
+#include "stringprep-tables.c"
|
||||
+
|
||||
+/* Returns 1 if code 'c' appears in the table or 0 otherwise */
|
||||
+static int
|
||||
+code_in_table(u_int32_t c, const struct u32_range *table, size_t tlen)
|
||||
+{
|
||||
+ const struct u32_range *e, *end = (void *)(tlen + (char *)table);
|
||||
+
|
||||
+ for (e = table; e < end; e++) {
|
||||
+ if (c >= e->lo && c <= e->hi)
|
||||
+ return 1;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Decode the next valid UCS character from a UTF-8 string, skipping past bad
|
||||
+ * codes. Returns the decoded character or 0 for end-of-string and updates
|
||||
+ * nextc to point to the start of the next character (if any).
|
||||
+ * had_error is set if an invalid code was encountered.
|
||||
+ */
|
||||
+static u_int32_t
|
||||
+decode_utf8(const char *in, const char **nextc, int *had_error)
|
||||
+{
|
||||
+ int state = 0;
|
||||
+ size_t i;
|
||||
+ u_int32_t c, e;
|
||||
+
|
||||
+ e = c = 0;
|
||||
+ for (i = 0; in[i] != '\0'; i++) {
|
||||
+ e = (u_char)in[i];
|
||||
+ /* Invalid code point state */
|
||||
+ if (state == -1) {
|
||||
+ /*
|
||||
+ * Continue eating continuation characters until
|
||||
+ * a new start character comes along.
|
||||
+ */
|
||||
+ if ((e & 0xc0) == 0x80)
|
||||
+ continue;
|
||||
+ state = 0;
|
||||
+ }
|
||||
+
|
||||
+ /* New code point state */
|
||||
+ if (state == 0) {
|
||||
+ if ((e & 0x80) == 0) { /* 7 bit code */
|
||||
+ c = e & 0x7f;
|
||||
+ goto have_code;
|
||||
+ } else if ((e & 0xe0) == 0xc0) { /* 11 bit code point */
|
||||
+ state = 1;
|
||||
+ c = (e & 0x1f) << 6;
|
||||
+ } else if ((e & 0xf0) == 0xe0) { /* 16 bit code point */
|
||||
+ state = 2;
|
||||
+ c = (e & 0xf) << 12;
|
||||
+ } else if ((e & 0xf8) == 0xf0) { /* 21 bit code point */
|
||||
+ state = 3;
|
||||
+ c = (e & 0x7) << 18;
|
||||
+ } else {
|
||||
+ /* A five or six byte header, or 0xff */
|
||||
+ goto bad_encoding;
|
||||
+ }
|
||||
+ /*
|
||||
+ * Check that the header byte has some non-zero data
|
||||
+ * after masking off the length marker. If not it is
|
||||
+ * an invalid encoding.
|
||||
+ */
|
||||
+ if (c == 0) {
|
||||
+ bad_encoding:
|
||||
+ c = 0;
|
||||
+ state = -1;
|
||||
+ if (had_error != NULL)
|
||||
+ *had_error = 1;
|
||||
+ }
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ /* Sanity check: should never happen */
|
||||
+ if (state < 1 || state > 5) {
|
||||
+ *nextc = NULL;
|
||||
+ if (had_error != NULL)
|
||||
+ *had_error = 1;
|
||||
+ return 0;
|
||||
+ }
|
||||
+ /* Multibyte code point state */
|
||||
+ state--;
|
||||
+ c |= (e & 0x3f) << (state * 6);
|
||||
+ if (state > 0)
|
||||
+ continue;
|
||||
+
|
||||
+ /* RFC3629 bans codepoints > U+10FFFF */
|
||||
+ if (c > 0x10FFFF) {
|
||||
+ if (had_error != NULL)
|
||||
+ *had_error = 1;
|
||||
+ continue;
|
||||
+ }
|
||||
+ have_code:
|
||||
+ *nextc = in + i + 1;
|
||||
+ return c;
|
||||
+ }
|
||||
+ if (state != 0 && had_error != NULL)
|
||||
+ *had_error = 1;
|
||||
+ *nextc = in + i;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Attempt to encode a UCS character as a UTF-8 sequence. Returns the number
|
||||
+ * of characters used or -1 on error (insufficient space or bad code).
|
||||
+ */
|
||||
+static int
|
||||
+encode_utf8(u_int32_t c, char *s, size_t slen)
|
||||
+{
|
||||
+ size_t i, need;
|
||||
+ u_char h;
|
||||
+
|
||||
+ if (c < 0x80) {
|
||||
+ if (slen >= 1) {
|
||||
+ s[0] = (char)c;
|
||||
+ }
|
||||
+ return 1;
|
||||
+ } else if (c < 0x800) {
|
||||
+ need = 2;
|
||||
+ h = 0xc0;
|
||||
+ } else if (c < 0x10000) {
|
||||
+ need = 3;
|
||||
+ h = 0xe0;
|
||||
+ } else if (c < 0x200000) {
|
||||
+ need = 4;
|
||||
+ h = 0xf0;
|
||||
+ } else {
|
||||
+ /* Invalid code point > U+10FFFF */
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (need > slen)
|
||||
+ return -1;
|
||||
+ for (i = 0; i < need; i++) {
|
||||
+ s[i] = (i == 0 ? h : 0x80);
|
||||
+ s[i] |= (c >> (need - i - 1) * 6) & 0x3f;
|
||||
+ }
|
||||
+ return need;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+/*
|
||||
+ * Normalise a UTF-8 string using the RFC3454 stringprep algorithm.
|
||||
+ * Returns 0 on success or -1 on failure (prohibited code or insufficient
|
||||
+ * length in the output string.
|
||||
+ * Requires an output buffer at most the same length as the input.
|
||||
+ */
|
||||
+int
|
||||
+utf8_stringprep(const char *in, char *out, size_t olen)
|
||||
+{
|
||||
+ int r;
|
||||
+ size_t o;
|
||||
+ u_int32_t c;
|
||||
+
|
||||
+ if (olen < 1)
|
||||
+ return -1;
|
||||
+
|
||||
+ for (o = 0; (c = decode_utf8(in, &in, NULL)) != 0;) {
|
||||
+ /* Mapping */
|
||||
+ if (code_in_table(c, map_to_nothing, sizeof(map_to_nothing)))
|
||||
+ continue;
|
||||
+
|
||||
+ /* Prohibitied output */
|
||||
+ if (code_in_table(c, prohibited, sizeof(prohibited)) &&
|
||||
+ !code_in_table(c, whitelist, sizeof(whitelist)))
|
||||
+ return -1;
|
||||
+
|
||||
+ /* Map unassigned code points to U+FFFD */
|
||||
+ if (code_in_table(c, unassigned, sizeof(unassigned)))
|
||||
+ c = 0xFFFD;
|
||||
+
|
||||
+ /* Encode the character */
|
||||
+ r = encode_utf8(c, out + o, olen - o - 1);
|
||||
+ if (r < 0)
|
||||
+ return -1;
|
||||
+ o += r;
|
||||
+ }
|
||||
+ out[o] = '\0';
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
74
openssh.spec
74
openssh.spec
|
@ -64,7 +64,7 @@
|
|||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 6.4p1
|
||||
%define openssh_rel 4
|
||||
%define openssh_rel 8
|
||||
%define pam_ssh_agent_ver 0.9.3
|
||||
%define pam_ssh_agent_rel 1
|
||||
|
||||
|
@ -175,9 +175,12 @@ Patch713: openssh-6.3p1-ctr-cavstest.patch
|
|||
Patch800: openssh-6.3p1-gsskex.patch
|
||||
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
||||
Patch801: openssh-6.3p1-force_krb.patch
|
||||
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
|
||||
# CVE-2014-9278
|
||||
Patch802: openssh-6.4p1-GSSAPIEnablek5users.patch
|
||||
Patch900: openssh-6.1p1-gssapi-canohost.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
||||
Patch901: openssh-6.3p1-kuserok.patch
|
||||
Patch901: openssh-6.4p1-kuserok.patch
|
||||
# use default_ccache_name from /etc/krb5.conf (#991186)
|
||||
Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
|
||||
# increase the size of the Diffie-Hellman groups (#1010607)
|
||||
|
@ -195,7 +198,32 @@ Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch
|
|||
Patch908: openssh-6.4p1-CVE-2014-2653.patch
|
||||
# ignore environment variables with embedded '=' or '\0' characters (#1077843)
|
||||
Patch909: openssh-6.4p1-ignore-bad-env-var.patch
|
||||
|
||||
# standardise on NI_MAXHOST for gethostname() string lengths (#1051490)
|
||||
Patch910: openssh-6.4p1-NI_MAXHOST.patch
|
||||
# set a client's address right after a connection is set
|
||||
# http://bugzilla.mindrot.org/show_bug.cgi?id=2257
|
||||
Patch911: openssh-6.4p1-set_remote_ipaddr.patch
|
||||
# apply RFC3454 stringprep to banners when possible
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2058
|
||||
# slightly changed patch from comment 10
|
||||
Patch912: openssh-6.4p1-utf8-banner.patch
|
||||
# don't consider a partial success as a failure
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2270
|
||||
Patch913: openssh-6.4p1-partial-success.patch
|
||||
# fix parsing of empty options in sshd_conf
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2281
|
||||
Patch914: openssh-6.4p1-servconf-parser.patch
|
||||
# Ignore SIGXFSZ in postauth monitor
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2263
|
||||
Patch915: openssh-6.4p1-ignore-SIGXFSZ-in-postauth.patch
|
||||
# use different values for DH for Cisco servers (#1026430)
|
||||
Patch916: openssh-6.4p1-cisco-dh-keys.patch
|
||||
# sftp: remote directory always prepended to relative symbolic links (#825538)
|
||||
Patch917: openssh-6.4p1-sftp-symlink-prepend-relative-links.patch
|
||||
# scp file into non-existing directory (#1142223)
|
||||
Patch918: openssh-6.4p1-scp-non-existing-directory.patch
|
||||
# Config parser shouldn't accept ip/port syntax (#1130733)
|
||||
Patch919: openssh-6.4p1-ip-port-config-parser.patch
|
||||
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
|
@ -423,6 +451,18 @@ popd
|
|||
%patch907 -p1 -b .CLOCK_BOOTTIME
|
||||
%patch908 -p1 -b .CVE-2014-2653
|
||||
%patch909 -p1 -b .bad-env-var
|
||||
%patch910 -p1 -b .NI_MAXHOST
|
||||
%patch911 -p1 -b .set_remote_ipaddr
|
||||
%patch912 -p1 -b .utf8-banner
|
||||
%patch913 -p1 -b .partial-success
|
||||
%patch914 -p1 -b .servconf
|
||||
%patch915 -p1 -b .SIGXFSZ
|
||||
%patch916 -p1 -b .cisco-dh
|
||||
%patch917 -p1 -b .sftp
|
||||
%patch918 -p1 -b .scp
|
||||
%patch919 -p1 -b .config
|
||||
%patch802 -p1 -b .GSSAPIEnablek5users
|
||||
|
||||
|
||||
%if 0
|
||||
# Nothing here yet
|
||||
|
@ -477,7 +517,7 @@ fi
|
|||
--with-default-path=/usr/local/bin:/usr/bin \
|
||||
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
|
||||
--with-privsep-path=%{_var}/empty/sshd \
|
||||
--enable-vendor-patchlevel="FC-%{version}-%{release}" \
|
||||
--enable-vendor-patchlevel="FC-%{openssh_ver}-%{openssh_rel}" \
|
||||
--disable-strip \
|
||||
--without-zlib-version-check \
|
||||
--with-ssl-engine \
|
||||
|
@ -737,6 +777,32 @@ getent passwd sshd >/dev/null || \
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Jan 15 2015 Jakub Jelen <jjelen@redhat.com> 6.4p1-8 + 0.9.3-1
|
||||
- error message if scp when directory doesn't exist (#1142223)
|
||||
- parsing configuration file values (#1130733)
|
||||
- documentation in service and socket files for systemd (#1181593)
|
||||
- updated ldap patch (#981058)
|
||||
- fixed vendor-patchlevel
|
||||
- add new option GSSAPIEnablek5users and disable using ~/.k5users by default CVE-2014-9278 (#1170745)
|
||||
- increase size of AUDIT_LOG_SIZE to 256
|
||||
- backport fix for sftp prepending remote directory to relative symlinks (#825538)
|
||||
|
||||
* Thu Dec 04 2014 Petr Lautrbach <plautrba@redhat.com> 6.4p1-7 + 0.9.3-1
|
||||
- use different values for DH for Cisco servers (#1026430)
|
||||
|
||||
* Tue Nov 11 2014 Petr Lautrbach <plautrba@redhat.com> 6.4p1-6 + 0.9.3-1
|
||||
- correct the calculation of bytes for authctxt->krb5_ccname <ams@corefiling.com> (#1161073)
|
||||
- change audit trail for unknown users (mindrot#2245)
|
||||
- fix kuserok patch which checked for the existence of .k5login
|
||||
unconditionally and hence prevented other mechanisms to be used properly
|
||||
- ignore SIGXFSZ in postauth monitor (mindrot#2263)
|
||||
- set a client's address right after a connection is set (mindrot#2257)
|
||||
- apply RFC3454 stringprep to banners when possible (mindrot#2058)
|
||||
- don't consider a partial success as a failure (mindrot#2270)
|
||||
|
||||
* Fri Jul 18 2014 Petr Lautrbach <plautrba@redhat.com> 6.4p1-5 + 0.9.3-1
|
||||
- standardise on NI_MAXHOST for gethostname() string lengths (#1051490)
|
||||
|
||||
* Thu May 15 2014 Petr Lautrbach <plautrba@redhat.com> 6.4p1-4 + 0.9.3-1
|
||||
- use SSH_COPY_ID_LEGACY variable to run ssh-copy-id in the legacy mode
|
||||
- make /etc/ssh/moduli file public (#1043661)
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
[Unit]
|
||||
Description=OpenSSH server daemon
|
||||
Documentation=man:sshd(8) man:sshd_config(5)
|
||||
After=syslog.target network.target auditd.service
|
||||
|
||||
[Service]
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
[Unit]
|
||||
Description=OpenSSH Server Socket
|
||||
Documentation=man:sshd(8) man:sshd_config(5)
|
||||
Conflicts=sshd.service
|
||||
|
||||
[Socket]
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
[Unit]
|
||||
Description=OpenSSH per-connection server daemon
|
||||
Documentation=man:sshd(8) man:sshd_config(5)
|
||||
Wants=sshd-keygen.service
|
||||
After=auditd.service sshd-keygen.service
|
||||
|
||||
|
|
Loading…
Reference in New Issue