From owner-freebsd-ports Sat May 26 7:41: 4 2001 Delivered-To: freebsd-ports@hub.freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 2936437B423 for ; Sat, 26 May 2001 07:40:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f4QEe2B33115; Sat, 26 May 2001 07:40:02 -0700 (PDT) (envelope-from gnats) Received: from net2.dinoex.sub.org (net2.dinoex.de [212.184.201.182]) by hub.freebsd.org (Postfix) with ESMTP id 075B337B423 for ; Sat, 26 May 2001 07:32:17 -0700 (PDT) (envelope-from dm@home.dinoex.sub.org) Received: from home.dinoex.sub.org (home [217.6.200.196]) by net2.dinoex.sub.org (8.11.3/8.11.3) with ESMTP id f4QEVoc17470 for ; Sat, 26 May 2001 16:31:51 +0200 (CEST) (envelope-from dm@home.dinoex.sub.org) Received: (from dm@localhost) by home.dinoex.sub.org (8.11.3/8.11.3) id f4QEVlE33306; Sat, 26 May 2001 16:31:47 +0200 (CEST) (envelope-from dm) Message-Id: <200105261431.f4QEVlE33306@home.dinoex.sub.org> Date: Sat, 26 May 2001 16:31:47 +0200 (CEST) From: dirk.meyer@dinoex.sub.org Reply-To: dirk.meyer@dinoex.sub.org To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.2 Subject: ports/27662: ports/security/openssh Update Sender: owner-freebsd-ports@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 27662 >Category: ports >Synopsis: ports/security/openssh Update >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Sat May 26 07:40:01 PDT 2001 >Closed-Date: >Last-Modified: >Originator: Dirk Meyer >Release: FreeBSD 4.3-STABLE i386 >Organization: privat >Environment: FreeBSD 4.3-STABLE i386 >Description: Study to upgrade OpenSSH 2.2.0 to OpenSSH 2.9 Features: - Possible use of sftp/sftp-server with older FreeBSD releases. - Use a newer version independently from the Base system. - Easier to test and fix possible security bugs. Bugs: - pam_ssm.so won't be supported any more, if teh port gets updated. >How-To-Repeat: Try to compile the new Version. Most patches don't apply anymore, lots of changes in OpenSSH >Fix: Problem: Please review the patches, I am not sure if this updated should be commited at all. To update: apply the patch: removed files: pam_ssh.c pam_ssh_Makefile patch-aw patch-ay patch-az patch-bleichenbacher added files: patch-misc.c patch-sftp-Makefile patch-sftp-server-Makefile patch-ssh-keyscan-Makefile diff openssh/Makefile openssh/Makefile --- openssh/Makefile Tue Apr 3 21:05:22 2001 +++ openssh/Makefile Sat May 26 16:03:18 2001 @@ -6,8 +6,7 @@ # PORTNAME= OpenSSH -PORTVERSION= 2.2.0 -PORTREVISION= 2 +PORTVERSION= 2.9 CATEGORIES= security MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ \ ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/ \ @@ -62,23 +61,11 @@ @${CP} ${FILESDIR}/getnameinfo.c ${WRKSRC}/lib/ @${CP} ${FILESDIR}/netdb.h ${WRKSRC}/ .endif - @${MKDIR} ${WRKSRC}/pam_ssh - @${CP} ${FILESDIR}/pam_ssh_Makefile ${WRKSRC}/pam_ssh/Makefile - @${CP} ${FILESDIR}/pam_ssh.c ${WRKSRC}/pam_ssh/ post-patch: @${PERL} -pi -e 's:__PREFIX__:${PREFIX}:g' ${WRKSRC}/ssh.h \ - ${WRKSRC}/sshd_config ${WRKSRC}/pam_ssh/pam_ssh.c \ - ${WRKSRC}/sshd.sh - -.if ${PAM} == yes -PLIST= ${WRKDIR}/PLIST - -do-configure: - @${CP} ${PKGDIR}/pkg-plist ${PLIST} - @${ECHO} "@cwd /usr" >> ${PLIST} - @${ECHO} "lib/pam_ssh.so" >> ${PLIST} -.endif + ${WRKSRC}/sshd_config ${WRKSRC}/sshd.sh \ + ${WRKSRC}/pathnames.h post-install: .if !exists(${PREFIX}/etc/ssh_host_key) diff openssh/distinfo openssh/distinfo --- openssh/distinfo Sun Nov 5 00:04:20 2000 +++ openssh/distinfo Sat May 26 14:27:03 2001 @@ -1 +1 @@ -MD5 (openssh-2.2.0.tgz) = 8ecfebc800f1c0646cbe09231a012764 +MD5 (openssh-2.9.tgz) = 80b842f8bae8786b2a8b81ba8a09772a diff openssh/files/pam_ssh.c openssh/files/pam_ssh.c --- openssh/files/pam_ssh.c Sun Nov 5 00:04:25 2000 +++ openssh/files/pam_ssh.c Thu Jan 1 01:00:00 1970 @@ -1,496 +0,0 @@ -/*- - * Copyright (c) 1999 Andrew J. Korty - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * $FreeBSD: ports/security/openssh/files/pam_ssh.c,v 1.4 2000/11/04 23:04:25 green Exp $ - * - */ - - -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -#define PAM_SM_AUTH -#define PAM_SM_SESSION -#include -#include - -#include - -#include "includes.h" -#include "rsa.h" -#include "key.h" -#include "ssh.h" -#include "authfd.h" -#include "authfile.h" - -#define MODULE_NAME "pam_ssh" -#define NEED_PASSPHRASE "Need passphrase for %s (%s).\nEnter passphrase: " -#define PATH_SSH_AGENT "__PREFIX__/bin/ssh-agent" - - -void -rsa_cleanup(pam_handle_t *pamh, void *data, int error_status) -{ - if (data) - RSA_free(data); -} - - -void -ssh_cleanup(pam_handle_t *pamh, void *data, int error_status) -{ - if (data) - free(data); -} - - -/* - * The following set of functions allow the module to manipulate the - * environment without calling the putenv() or setenv() stdlib functions. - * At least one version of these functions, on the first call, copies - * the environment into dynamically-allocated memory and then augments - * it. On subsequent calls, the realloc() call is used to grow the - * previously allocated buffer. Problems arise when the "environ" - * variable is changed to point to static memory after putenv()/setenv() - * have been called. - * - * We don't use putenv() or setenv() in case the application subsequently - * manipulates environ, (e.g., to clear the environment by pointing - * environ at an array of one element equal to NULL). - */ - -SLIST_HEAD(env_head, env_entry); - -struct env_entry { - char *ee_env; - SLIST_ENTRY(env_entry) ee_entries; -}; - -typedef struct env { - char **e_environ_orig; - char **e_environ_new; - int e_count; - struct env_head e_head; - int e_committed; -} ENV; - -extern char **environ; - - -static ENV * -env_new(void) -{ - ENV *self; - - if (!(self = malloc(sizeof (ENV)))) { - syslog(LOG_CRIT, "%m"); - return NULL; - } - SLIST_INIT(&self->e_head); - self->e_count = 0; - self->e_committed = 0; - return self; -} - - -static int -env_put(ENV *self, char *s) -{ - struct env_entry *env; - - if (!(env = malloc(sizeof (struct env_entry))) || - !(env->ee_env = strdup(s))) { - syslog(LOG_CRIT, "%m"); - return PAM_SERVICE_ERR; - } - SLIST_INSERT_HEAD(&self->e_head, env, ee_entries); - ++self->e_count; - return PAM_SUCCESS; -} - - -static void -env_swap(ENV *self, int which) -{ - environ = which ? self->e_environ_new : self->e_environ_orig; -} - - -static int -env_commit(ENV *self) -{ - int n; - struct env_entry *p; - char **v; - - for (v = environ, n = 0; v && *v; v++, n++) - ; - if (!(v = malloc((n + self->e_count + 1) * sizeof (char *)))) { - syslog(LOG_CRIT, "%m"); - return PAM_SERVICE_ERR; - } - self->e_committed = 1; - (void)memcpy(v, environ, n * sizeof (char *)); - SLIST_FOREACH(p, &self->e_head, ee_entries) - v[n++] = p->ee_env; - v[n] = NULL; - self->e_environ_orig = environ; - self->e_environ_new = v; - env_swap(self, 1); - return PAM_SUCCESS; -} - - -static void -env_destroy(ENV *self) -{ - struct env_entry *p; - - env_swap(self, 0); - SLIST_FOREACH(p, &self->e_head, ee_entries) { - free(p->ee_env); - free(p); - } - if (self->e_committed) - free(self->e_environ_new); - free(self); -} - - -void -env_cleanup(pam_handle_t *pamh, void *data, int error_status) -{ - if (data) - env_destroy(data); -} - - -typedef struct passwd PASSWD; - -PAM_EXTERN int -pam_sm_authenticate( - pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - char *comment_priv; /* on private key */ - char *comment_pub; /* on public key */ - char *identity; /* user's identity file */ - Key key; /* user's private key */ - int options; /* module options */ - const char *pass; /* passphrase */ - char *prompt; /* passphrase prompt */ - Key public_key; /* user's public key */ - const PASSWD *pwent; /* user's passwd entry */ - PASSWD *pwent_keep; /* our own copy */ - int retval; /* from calls */ - uid_t saved_uid; /* caller's uid */ - const char *user; /* username */ - - options = 0; - while (argc--) - pam_std_option(&options, *argv++); - if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) - return retval; - if (!((pwent = getpwnam(user)) && pwent->pw_dir)) { - /* delay? */ - return PAM_AUTH_ERR; - } - /* locate the user's private key file */ - if (!asprintf(&identity, "%s/%s", pwent->pw_dir, - SSH_CLIENT_IDENTITY)) { - syslog(LOG_CRIT, "%s: %m", MODULE_NAME); - return PAM_SERVICE_ERR; - } - /* - * Fail unless we can load the public key. Change to the - * owner's UID to appease load_public_key(). - */ - key.type = KEY_RSA; - key.rsa = RSA_new(); - public_key.type = KEY_RSA; - public_key.rsa = RSA_new(); - saved_uid = getuid(); - (void)setreuid(pwent->pw_uid, saved_uid); - retval = load_public_key(identity, &public_key, &comment_pub); - (void)setuid(saved_uid); - if (!retval) { - free(identity); - return PAM_AUTH_ERR; - } - RSA_free(public_key.rsa); - /* build the passphrase prompt */ - retval = asprintf(&prompt, NEED_PASSPHRASE, identity, comment_pub); - free(comment_pub); - if (!retval) { - syslog(LOG_CRIT, "%s: %m", MODULE_NAME); - free(identity); - return PAM_SERVICE_ERR; - } - /* pass prompt message to application and receive passphrase */ - retval = pam_get_pass(pamh, &pass, prompt, options); - free(prompt); - if (retval != PAM_SUCCESS) { - free(identity); - return retval; - } - /* - * Try to decrypt the private key with the passphrase provided. - * If success, the user is authenticated. - */ - (void)setreuid(pwent->pw_uid, saved_uid); - retval = load_private_key(identity, pass, &key, &comment_priv); - free(identity); - (void)setuid(saved_uid); - if (!retval) - return PAM_AUTH_ERR; - /* - * Save the key and comment to pass to ssh-agent in the session - * phase. - */ - if ((retval = pam_set_data(pamh, "ssh_private_key", key.rsa, - rsa_cleanup)) != PAM_SUCCESS) { - RSA_free(key.rsa); - free(comment_priv); - return retval; - } - if ((retval = pam_set_data(pamh, "ssh_key_comment", comment_priv, - ssh_cleanup)) != PAM_SUCCESS) { - free(comment_priv); - return retval; - } - /* - * Copy the passwd entry (in case successive calls are made) - * and save it for the session phase. - */ - if (!(pwent_keep = malloc(sizeof *pwent))) { - syslog(LOG_CRIT, "%m"); - return PAM_SERVICE_ERR; - } - (void)memcpy(pwent_keep, pwent, sizeof *pwent_keep); - if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep, - ssh_cleanup)) != PAM_SUCCESS) { - free(pwent_keep); - return retval; - } - return PAM_SUCCESS; -} - - -PAM_EXTERN int -pam_sm_setcred( - pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - return PAM_SUCCESS; -} - - -typedef AuthenticationConnection AC; - -PAM_EXTERN int -pam_sm_open_session( - pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - AC *ac; /* to ssh-agent */ - char *comment; /* on private key */ - char *env_end; /* end of env */ - char *env_file; /* to store env */ - FILE *env_fp; /* env_file handle */ - Key key; /* user's private key */ - FILE *pipe; /* ssh-agent handle */ - const PASSWD *pwent; /* user's passwd entry */ - int retval; /* from calls */ - uid_t saved_uid; /* caller's uid */ - ENV *ssh_env; /* env handle */ - const char *tty; /* tty or display name */ - char hname[MAXHOSTNAMELEN]; /* local hostname */ - char parse[BUFSIZ]; /* commands output */ - - /* dump output of ssh-agent in ~/.ssh */ - if ((retval = pam_get_data(pamh, "ssh_passwd_entry", - (const void **)&pwent)) != PAM_SUCCESS) - return retval; - /* use the tty or X display name in the filename */ - if ((retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty)) - != PAM_SUCCESS) - return retval; - if (*tty == ':' && gethostname(hname, sizeof hname) == 0) { - if (asprintf(&env_file, "%s/.ssh/agent-%s%s", - pwent->pw_dir, hname, tty) == -1) { - syslog(LOG_CRIT, "%s: %m", MODULE_NAME); - return PAM_SERVICE_ERR; - } - } else if (asprintf(&env_file, "%s/.ssh/agent-%s", pwent->pw_dir, - tty) == -1) { - syslog(LOG_CRIT, "%s: %m", MODULE_NAME); - return PAM_SERVICE_ERR; - } - /* save the filename so we can delete the file on session close */ - if ((retval = pam_set_data(pamh, "ssh_agent_env", env_file, - ssh_cleanup)) != PAM_SUCCESS) { - free(env_file); - return retval; - } - /* start the agent as the user */ - saved_uid = geteuid(); - (void)seteuid(pwent->pw_uid); - env_fp = fopen(env_file, "w"); - pipe = popen(PATH_SSH_AGENT, "r"); - (void)seteuid(saved_uid); - if (!pipe) { - syslog(LOG_ERR, "%s: %s: %m", MODULE_NAME, PATH_SSH_AGENT); - if (env_fp) - (void)fclose(env_fp); - return PAM_SESSION_ERR; - } - if (!(ssh_env = env_new())) - return PAM_SESSION_ERR; - if ((retval = pam_set_data(pamh, "ssh_env_handle", ssh_env, - env_cleanup)) != PAM_SUCCESS) - return retval; - while (fgets(parse, sizeof parse, pipe)) { - if (env_fp) - (void)fputs(parse, env_fp); - /* - * Save environment for application with pam_putenv() - * but also with env_* functions for our own call to - * ssh_get_authentication_connection(). - */ - if (strchr(parse, '=') && (env_end = strchr(parse, ';'))) { - *env_end = '\0'; - /* pass to the application ... */ - if (!((retval = pam_putenv(pamh, parse)) == - PAM_SUCCESS)) { - (void)pclose(pipe); - if (env_fp) - (void)fclose(env_fp); - env_destroy(ssh_env); - return PAM_SERVICE_ERR; - } - env_put(ssh_env, parse); - } - } - if (env_fp) - (void)fclose(env_fp); - switch (retval = pclose(pipe)) { - case -1: - syslog(LOG_ERR, "%s: %s: %m", MODULE_NAME, PATH_SSH_AGENT); - env_destroy(ssh_env); - return PAM_SESSION_ERR; - case 0: - break; - case 127: - syslog(LOG_ERR, "%s: cannot execute %s", MODULE_NAME, - PATH_SSH_AGENT); - env_destroy(ssh_env); - return PAM_SESSION_ERR; - default: - syslog(LOG_ERR, "%s: %s exited with status %d", - MODULE_NAME, PATH_SSH_AGENT, WEXITSTATUS(retval)); - env_destroy(ssh_env); - return PAM_SESSION_ERR; - } - key.type = KEY_RSA; - /* connect to the agent and hand off the private key */ - if ((retval = pam_get_data(pamh, "ssh_private_key", - (const void **)&key.rsa)) != PAM_SUCCESS || - (retval = pam_get_data(pamh, "ssh_key_comment", - (const void **)&comment)) != PAM_SUCCESS || - (retval = env_commit(ssh_env)) != PAM_SUCCESS) { - env_destroy(ssh_env); - return retval; - } - if (!(ac = ssh_get_authentication_connection())) { - syslog(LOG_ERR, "%s: could not connect to agent", - MODULE_NAME); - env_destroy(ssh_env); - return PAM_SESSION_ERR; - } - retval = ssh_add_identity(ac, &key, comment); - ssh_close_authentication_connection(ac); - env_swap(ssh_env, 0); - return retval ? PAM_SUCCESS : PAM_SESSION_ERR; -} - - -PAM_EXTERN int -pam_sm_close_session( - pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - const char *env_file; /* ssh-agent environment */ - int retval; /* from calls */ - ENV *ssh_env; /* env handle */ - - if ((retval = pam_get_data(pamh, "ssh_env_handle", - (const void **)&ssh_env)) != PAM_SUCCESS) - return retval; - env_swap(ssh_env, 1); - /* kill the agent */ - retval = system(PATH_SSH_AGENT " -k"); - env_destroy(ssh_env); - switch (retval) { - case -1: - syslog(LOG_ERR, "%s: %s -k: %m", MODULE_NAME, - PATH_SSH_AGENT); - return PAM_SESSION_ERR; - case 0: - break; - case 127: - syslog(LOG_ERR, "%s: cannot execute %s -k", MODULE_NAME, - PATH_SSH_AGENT); - return PAM_SESSION_ERR; - default: - syslog(LOG_ERR, "%s: %s -k exited with status %d", - MODULE_NAME, PATH_SSH_AGENT, WEXITSTATUS(retval)); - return PAM_SESSION_ERR; - } - /* retrieve environment filename, then remove the file */ - if ((retval = pam_get_data(pamh, "ssh_agent_env", - (const void **)&env_file)) != PAM_SUCCESS) - return retval; - (void)unlink(env_file); - return PAM_SUCCESS; -} - - -PAM_MODULE_ENTRY(MODULE_NAME); diff openssh/files/pam_ssh_Makefile openssh/files/pam_ssh_Makefile --- openssh/files/pam_ssh_Makefile Mon Nov 29 08:09:44 1999 +++ openssh/files/pam_ssh_Makefile Thu Jan 1 01:00:00 1970 @@ -1,15 +0,0 @@ -# PAM module for SSH -# $FreeBSD: ports/security/openssh/files/pam_ssh_Makefile,v 1.1 1999/11/29 07:09:44 green Exp $ -.PATH: ${.CURDIR}/.. - -LIB= pam_ssh -DESTDIR= -SHLIB_NAME= pam_ssh.so -SRCS= log-client.c pam_ssh.c -CFLAGS+= -Wall -DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} ${LIBGCC_PIC} -LDADD+= ${CRYPTOLIBS} -lutil -lz -lgcc_pic -INTERNALLIB= yes -INTERNALSTATICLIB=yes - -.include diff openssh/files/patch-aa openssh/files/patch-aa --- openssh/files/patch-aa Wed Feb 23 12:30:04 2000 +++ openssh/files/patch-aa Sat May 26 16:04:02 2001 @@ -1,15 +1,13 @@ ---- Makefile.orig Wed Feb 23 06:18:58 2000 -+++ Makefile Wed Feb 23 06:22:22 2000 -@@ -1,13 +1,17 @@ - # $OpenBSD: Makefile,v 1.5 1999/10/25 20:27:26 markus Exp $ +--- Makefile.orig Sun Feb 4 12:11:53 2001 ++++ Makefile Sat May 26 16:03:54 2001 +@@ -1,14 +1,15 @@ + # $OpenBSD: Makefile,v 1.8 2001/02/04 11:11:53 djm Exp $ .include +.include "Makefile.inc" - SUBDIR= lib ssh sshd ssh-add ssh-keygen ssh-agent scp -+.if ${PAM} == yes -+SUBDIR+= pam_ssh -+.endif + SUBDIR= lib ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server \ + ssh-keyscan sftp distribution: - install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \ diff openssh/files/patch-ad openssh/files/patch-ad --- openssh/files/patch-ad Sun Nov 5 00:04:25 2000 +++ openssh/files/patch-ad Sat May 26 14:40:01 2001 @@ -1,11 +1,11 @@ ---- lib/Makefile.orig Sat Aug 19 17:34:44 2000 -+++ lib/Makefile Sat Nov 4 16:41:11 2000 -@@ -5,7 +5,12 @@ - cipher.c compat.c compress.c crc32.c deattack.c \ +--- lib/Makefile.orig Tue Apr 3 21:53:30 2001 ++++ lib/Makefile Sat May 26 14:39:03 2001 +@@ -8,7 +8,12 @@ hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \ rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \ -- key.c dispatch.c dsa.c kex.c hmac.c uuencode.c util.c -+ key.c dispatch.c dsa.c kex.c hmac.c uuencode.c util.c \ + key.c dispatch.c kex.c mac.c uuencode.c misc.c \ +- cli.c rijndael.c ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c ++ cli.c rijndael.c ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \ + strlcpy.c strlcat.c + +.if defined(COMPAT_GETADDRINFO) @@ -14,11 +14,11 @@ NOPROFILE= yes NOPIC= yes -@@ -14,6 +19,7 @@ +@@ -17,6 +22,7 @@ @echo -n .include +.include "../Makefile.inc" - .if (${KERBEROS} == "yes") + .if (${KERBEROS:L} == "yes") CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV diff openssh/files/patch-ae openssh/files/patch-ae --- openssh/files/patch-ae Wed Nov 24 04:36:20 1999 +++ openssh/files/patch-ae Sat May 26 14:42:38 2001 @@ -1,8 +1,8 @@ ---- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/login.c Tue Nov 23 18:55:14 1999 -+++ ./login.c Tue Nov 23 19:35:08 1999 -@@ -20,7 +20,11 @@ +--- sshlogin.c.orig Sat Mar 24 17:43:27 2001 ++++ sshlogin.c Sat May 26 14:42:30 2001 +@@ -41,7 +41,11 @@ #include "includes.h" - RCSID("$Id: login.c,v 1.8 1999/11/23 22:25:54 markus Exp $"); + RCSID("$OpenBSD: sshlogin.c,v 1.2 2001/03/24 16:43:27 stevesk Exp $"); +#ifdef __FreeBSD__ +#include @@ -10,5 +10,5 @@ #include +#endif /* __FreeBSD__ */ #include - #include "ssh.h" - + #include "sshlogin.h" + #include "log.h" diff openssh/files/patch-ag openssh/files/patch-ag --- openssh/files/patch-ag Sun Nov 5 00:04:25 2000 +++ openssh/files/patch-ag Sat May 26 16:10:11 2001 @@ -1,6 +1,6 @@ ---- ssh/Makefile.orig Thu Jun 29 14:35:47 2000 -+++ ssh/Makefile Sat Nov 4 16:58:41 2000 -@@ -5,8 +5,8 @@ +--- ssh/Makefile.orig Sat Apr 14 18:33:20 2001 ++++ ssh/Makefile Sat May 26 14:54:24 2001 +@@ -7,8 +7,8 @@ BINMODE?=4555 @@ -11,26 +11,26 @@ LINKS= ${BINDIR}/ssh ${BINDIR}/slogin MLINKS= ssh.1 slogin.1 -@@ -14,10 +14,11 @@ +@@ -16,10 +16,11 @@ sshconnect.c sshconnect1.c sshconnect2.c .include # for AFS +.include "../Makefile.inc" - .if (${KERBEROS} == "yes") + .if (${KERBEROS:L} == "yes") -CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV -LDADD+= -lkrb +CFLAGS+= -DKRB4 -I/usr/include/kerberosIV +LDADD+= -lkrb -lcom_err DPADD+= ${LIBKRB} - .if (${AFS} == "yes") + .if (${AFS:L} == "yes") CFLAGS+= -DAFS -@@ -27,6 +28,7 @@ +@@ -29,6 +30,7 @@ .endif # KERBEROS .include +.include "../Makefile.inc" --LDADD+= -lutil -lz -lcrypto -+LDADD+= -lutil -lz ${CRYPTOLIBS} - DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} +-LDADD+= -lcrypto -lz ++LDADD+= ${CRYPTOLIBS} -lz + DPADD+= ${LIBCRYPTO} ${LIBZ} diff openssh/files/patch-ah openssh/files/patch-ah --- openssh/files/patch-ah Sun Nov 5 00:04:25 2000 +++ openssh/files/patch-ah Sat May 26 16:10:24 2001 @@ -1,6 +1,6 @@ ---- ssh-add/Makefile.orig Thu Jun 29 14:35:47 2000 -+++ ssh-add/Makefile Sat Nov 4 17:01:50 2000 -@@ -5,12 +5,12 @@ +--- ssh-add/Makefile.orig Sun Mar 4 01:51:25 2001 ++++ ssh-add/Makefile Sat May 26 14:56:29 2001 +@@ -7,12 +7,12 @@ BINMODE?=555 @@ -9,10 +9,10 @@ +BINDIR= /bin +MAN1= ssh-add.1 - SRCS= ssh-add.c log-client.c + SRCS= ssh-add.c .include --LDADD+= -lcrypto -lutil -lz -+LDADD+= ${CRYPTOLIBS} -lutil -lz - DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} +-LDADD+= -lcrypto ++LDADD+= ${CRYPTOLIBS} + DPADD+= ${LIBCRYPTO} diff openssh/files/patch-ai openssh/files/patch-ai --- openssh/files/patch-ai Sun Nov 5 00:04:25 2000 +++ openssh/files/patch-ai Sat May 26 16:10:41 2001 @@ -1,6 +1,6 @@ ---- ssh-agent/Makefile.orig Thu Jun 29 14:35:48 2000 -+++ ssh-agent/Makefile Sat Nov 4 17:06:34 2000 -@@ -5,12 +5,12 @@ +--- ssh-agent/Makefile.orig Sun Mar 4 01:51:25 2001 ++++ ssh-agent/Makefile Sat May 26 14:58:48 2001 +@@ -7,12 +7,12 @@ BINMODE?=555 @@ -9,10 +9,10 @@ +BINDIR= /bin +MAN1= ssh-agent.1 - SRCS= ssh-agent.c log-client.c + SRCS= ssh-agent.c .include --LDADD+= -lcrypto -lutil -lz -+LDADD+= ${CRYPTOLIBS} -lutil -lz - DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} +-LDADD+= -lcrypto ++LDADD+= ${CRYPTOLIBS} + DPADD+= ${LIBCRYPTO} diff openssh/files/patch-aj openssh/files/patch-aj --- openssh/files/patch-aj Sun Nov 5 00:04:25 2000 +++ openssh/files/patch-aj Sat May 26 16:10:52 2001 @@ -1,6 +1,6 @@ ---- ssh-keygen/Makefile.orig Thu Jun 29 14:35:48 2000 -+++ ssh-keygen/Makefile Sat Nov 4 17:06:49 2000 -@@ -5,12 +5,12 @@ +--- ssh-keygen/Makefile.orig Sun Mar 4 01:51:26 2001 ++++ ssh-keygen/Makefile Sat May 26 15:02:25 2001 +@@ -7,12 +7,12 @@ BINMODE?=555 @@ -9,10 +9,10 @@ +BINDIR= /bin +MAN1= ssh-keygen.1 - SRCS= ssh-keygen.c log-client.c + SRCS= ssh-keygen.c .include --LDADD+= -lcrypto -lutil -lz -+LDADD+= ${CRYPTOLIBS} -lutil -lz - DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} +-LDADD+= -lcrypto ++LDADD+= ${CRYPTOLIBS} + DPADD+= ${LIBCRYPTO} diff openssh/files/patch-ak openssh/files/patch-ak --- openssh/files/patch-ak Tue Jun 27 23:30:39 2000 +++ openssh/files/patch-ak Sat May 26 15:08:27 2001 @@ -1,6 +1,6 @@ ---- ssh.c.orig Tue May 30 23:36:40 2000 -+++ ssh.c Tue Jun 20 16:15:29 2000 -@@ -156,6 +156,9 @@ +--- ssh.c.orig Tue Apr 17 14:55:04 2001 ++++ ssh.c Sat May 26 15:05:28 2001 +@@ -199,6 +199,9 @@ log("Using rsh. WARNING: Connection will not be encrypted."); /* Build argument list for rsh. */ i = 0; @@ -10,15 +10,3 @@ args[i++] = _PATH_RSH; /* host may have to come after user on some systems */ args[i++] = host; -@@ -482,6 +485,11 @@ - pwcopy.pw_gid = pw->pw_gid; - pwcopy.pw_dir = xstrdup(pw->pw_dir); - pwcopy.pw_shell = xstrdup(pw->pw_shell); -+#ifdef __FreeBSD__ -+ pwcopy.pw_class = xstrdup(pw->pw_class); -+ pwcopy.pw_expire = pw->pw_expire; -+ pwcopy.pw_change = pw->pw_change; -+#endif /* __FreeBSD__ */ - pw = &pwcopy; - - /* Initialize "log" output. Since we are the client all output diff openssh/files/patch-al openssh/files/patch-al --- openssh/files/patch-al Sun Nov 28 23:40:28 1999 +++ openssh/files/patch-al Sat May 26 15:11:33 2001 @@ -1,20 +1,20 @@ ---- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/ssh.h Sun Nov 28 16:47:46 1999 -+++ ssh.h Sun Nov 28 17:00:07 1999 -@@ -61,7 +61,7 @@ +--- pathnames.h.orig Thu Apr 12 21:15:24 2001 ++++ pathnames.h Sat May 26 15:11:30 2001 +@@ -12,7 +12,7 @@ + * called by a name other than "ssh" or "Secure Shell". */ - #define SSH_SERVICE_NAME "ssh" --#define ETCDIR "/etc" -+#define ETCDIR "__PREFIX__/etc" - #define PIDDIR "/var/run" +-#define ETCDIR "/etc" ++#define ETCDIR "__PREFIX__/etc" + #define _PATH_SSH_PIDDIR "/var/run" /* -@@ -78,7 +78,7 @@ - #define SERVER_CONFIG_FILE ETCDIR "/sshd_config" - #define HOST_CONFIG_FILE ETCDIR "/ssh_config" +@@ -33,7 +33,7 @@ + #define _PATH_HOST_RSA_KEY_FILE ETCDIR "/ssh_host_rsa_key" + #define _PATH_DH_PRIMES ETCDIR "/primes" --#define SSH_PROGRAM "/usr/bin/ssh" -+#define SSH_PROGRAM "__PREFIX__/bin/ssh" +-#define _PATH_SSH_PROGRAM "/usr/bin/ssh" ++#define _PATH_SSH_PROGRAM "__PREFIX__/bin/ssh" /* * The process id of the daemon listening for connections is saved here to diff openssh/files/patch-ao openssh/files/patch-ao --- openssh/files/patch-ao Sun Nov 5 00:04:25 2000 +++ openssh/files/patch-ao Sat May 26 15:15:18 2001 @@ -1,29 +1,35 @@ ---- sshd_config.orig Fri Aug 4 16:30:35 2000 -+++ sshd_config Sat Nov 4 17:32:28 2000 -@@ -4,12 +4,11 @@ +--- sshd_config.orig Sat May 26 14:48:18 2001 ++++ sshd_config Sat May 26 15:15:11 2001 +@@ -7,13 +7,13 @@ #Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress :: -HostKey /etc/ssh_host_key +-HostKey /etc/ssh_host_rsa_key +-HostKey /etc/ssh_host_dsa_key +HostKey /usr/local/etc/ssh_host_key ++HostKey /usr/local/etc/ssh_host_rsa_key ++HostKey /usr/local/etc/ssh_host_dsa_key ServerKeyBits 768 -LoginGraceTime 600 +LoginGraceTime 120 KeyRegenerationInterval 3600 -PermitRootLogin yes --# +PermitRootLogin no + # # Don't read ~/.rhosts and ~/.shosts files IgnoreRhosts yes - # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -@@ -48,7 +47,7 @@ +@@ -57,10 +57,10 @@ #KerberosTgtPassing yes #CheckMail yes -#UseLogin no +UseLogin no --#Subsystem sftp /usr/local/sbin/sftpd -#MaxStartups 10:30:60 -+Subsystem sftp /usr/local/sbin/sftpd +MaxStartups 10:30:60 + #Banner /etc/issue.net + #ReverseMappingCheck yes + +-Subsystem sftp /usr/libexec/sftp-server ++Subsystem sftp /usr/local/libexec/sftp-server diff openssh/files/patch-ap openssh/files/patch-ap --- openssh/files/patch-ap Tue Nov 14 05:51:10 2000 +++ openssh/files/patch-ap Sat May 26 15:18:53 2001 @@ -1,50 +1,11 @@ -Index: clientloop.c -=================================================================== -RCS file: /usr2/ncvs/src/crypto/openssh/clientloop.c,v -retrieving revision 1.1.1.3 -diff -u -r1.1.1.3 clientloop.c ---- clientloop.c 2000/09/10 08:29:25 1.1.1.3 -+++ clientloop.c 2000/11/14 03:15:02 -@@ -75,6 +75,8 @@ - #include "buffer.h" - #include "bufaux.h" +--- clientloop.c.orig Fri Apr 20 09:17:51 2001 ++++ clientloop.c Sat May 26 15:18:51 2001 +@@ -1131,7 +1131,7 @@ -+extern Options options; -+ - /* Flag indicating that stdin should be redirected from /dev/null. */ - extern int stdin_null_flag; - -@@ -793,7 +795,6 @@ - int - client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) - { -- extern Options options; - double start_time, total_time; - int len; - char buf[100]; -@@ -1036,7 +1037,7 @@ - debug("client_input_channel_open: ctype %s rchan %d win %d max %d", - ctype, rchan, rwindow, rmaxpack); - -- if (strcmp(ctype, "x11") == 0) { -+ if (strcmp(ctype, "x11") == 0 && options.forward_x11) { - int sock; - char *originator; - int originator_port; -@@ -1108,11 +1109,14 @@ - dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); - dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); - dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open); -- dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request); - dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status); - dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data); - dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data); -- dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open); -+ -+ dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ? -+ &auth_input_open_request : NULL); -+ dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ? -+ &x11_input_open : NULL); - } - void - client_init_dispatch_15() + if (strcmp(ctype, "forwarded-tcpip") == 0) { + c = client_request_forwarded_tcpip(ctype, rchan); +- } else if (strcmp(ctype, "x11") == 0) { ++ } else if (strcmp(ctype, "x11") == 0 && options.forward_x11) { + c = client_request_x11(ctype, rchan); + } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) { + c = client_request_agent(ctype, rchan); diff openssh/files/patch-as openssh/files/patch-as --- openssh/files/patch-as Thu Dec 23 07:37:30 1999 +++ openssh/files/patch-as Sat May 26 15:21:42 2001 @@ -1,14 +1,14 @@ ---- pty.c.orig Thu Dec 23 01:13:10 1999 -+++ pty.c Thu Dec 23 01:14:05 1999 -@@ -16,7 +16,11 @@ +--- sshpty.c.orig Sun Mar 4 02:46:30 2001 ++++ sshpty.c Sat May 26 15:21:34 2001 +@@ -14,7 +14,11 @@ #include "includes.h" - RCSID("$Id: pty.c,v 1.11 1999/12/11 09:35:46 markus Exp $"); + RCSID("$OpenBSD: sshpty.c,v 1.1 2001/03/04 01:46:30 djm Exp $"); +#ifdef __FreeBSD__ +#include +#else #include +#endif - #include "pty.h" - #include "ssh.h" + #include "sshpty.h" + #include "log.h" diff openssh/files/patch-au openssh/files/patch-au --- openssh/files/patch-au Sun Feb 18 18:48:35 2001 +++ openssh/files/patch-au Sat May 26 15:46:25 2001 @@ -1,8 +1,8 @@ ---- /home/bright/ssh/ssh/session.c Sun Aug 27 20:50:54 2000 -+++ session.c Fri Feb 9 11:19:14 2001 -@@ -28,6 +28,12 @@ - #include "auth.h" - #include "auth-options.h" +--- session.c.orig Tue Apr 17 21:34:25 2001 ++++ session.c Sat May 26 15:45:15 2001 +@@ -58,6 +58,12 @@ + #include "canohost.h" + #include "session.h" +#ifdef __FreeBSD__ +#include @@ -10,10 +10,10 @@ +#include +#endif /* __FreeBSD__ */ + - #ifdef HAVE_LOGIN_CAP - #include - #endif -@@ -413,6 +419,13 @@ + /* types */ + + #define TTYSZ 64 +@@ -461,6 +467,13 @@ log_init(__progname, options.log_level, options.log_facility, log_stderr); /* @@ -22,12 +22,12 @@ + */ + if (command != NULL) + options.use_login = 0; -+ ++ + /* * Create a new session and process group since the 4.4BSD * setlogin() affects the entire process group. */ -@@ -516,6 +529,13 @@ +@@ -566,6 +579,13 @@ /* Child. Reinitialize the log because the pid has changed. */ log_init(__progname, options.log_level, options.log_facility, log_stderr); @@ -37,22 +37,26 @@ + */ + if (command != NULL) + options.use_login = 0; -+ ++ /* Close the master side of the pseudo tty. */ close(ptyfd); -@@ -602,6 +622,7 @@ +@@ -639,6 +659,11 @@ time_t last_login_time; struct passwd * pw = s->pw; pid_t pid = getpid(); ++#ifdef HAVE_LOGIN_CAP ++ FILE *f; ++ char buf[256]; + char *fname; ++#endif /* HAVE_LOGIN_CAP */ /* * Get IP address of client. If the connection is not a socket, let -@@ -644,6 +665,20 @@ - else - printf("Last login: %s from %s\r\n", time_string, buf); +@@ -679,6 +704,21 @@ + printf("Last login: %s from %s\r\n", time_string, hostname); } + +#ifdef HAVE_LOGIN_CAP + if (!options.use_login) { + fname = login_getcapstr(lc, "copyright", NULL, NULL); @@ -67,10 +71,11 @@ + "All rights reserved."); + } +#endif /* HAVE_LOGIN_CAP */ - if (options.print_motd) { - #ifdef HAVE_LOGIN_CAP - f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", -@@ -949,7 +984,7 @@ ++ + do_motd(); + } + +@@ -1027,7 +1067,7 @@ * initgroups, because at least on Solaris 2.3 it leaves file * descriptors open. */ @@ -79,11 +84,10 @@ close(i); /* Change current directory to the user\'s home directory. */ -@@ -973,7 +1008,27 @@ +@@ -1051,6 +1091,26 @@ * in this order). */ if (!options.use_login) { -- if (stat(SSH_USER_RC, &st) >= 0) { +#ifdef __FreeBSD__ + /* + * If the password change time is set and has passed, give the @@ -104,7 +108,6 @@ + } + } +#endif /* __FreeBSD__ */ -+ if (stat(SSH_USER_RC, &st) >= 0) { + /* ignore _PATH_SSH_USER_RC for subsystems */ + if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) { if (debug_flag) - fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC); - diff openssh/files/patch-aw openssh/files/patch-aw --- openssh/files/patch-aw Sat May 13 21:25:57 2000 +++ openssh/files/patch-aw Thu Jan 1 01:00:00 1970 @@ -1,14 +0,0 @@ ---- auth1.c.orig Thu Apr 20 17:21:58 2000 -+++ auth1.c Thu Apr 20 17:50:06 2000 -@@ -523,6 +532,11 @@ - pwcopy.pw_gid = pw->pw_gid; - pwcopy.pw_dir = xstrdup(pw->pw_dir); - pwcopy.pw_shell = xstrdup(pw->pw_shell); -+#ifdef __FreeBSD__ -+ pwcopy.pw_class = xstrdup(pw->pw_class); -+ pwcopy.pw_expire = pw->pw_expire; -+ pwcopy.pw_change = pw->pw_change; -+#endif /* __FreeBSD__ */ - pw = &pwcopy; - - /* diff openssh/files/patch-ay openssh/files/patch-ay --- openssh/files/patch-ay Tue Jun 27 23:30:39 2000 +++ openssh/files/patch-ay Thu Jan 1 01:00:00 1970 @@ -1,14 +0,0 @@ ---- auth2.c.orig Tue Jun 27 14:20:06 2000 -+++ auth2.c Tue Jun 27 14:21:20 2000 -@@ -357,6 +357,11 @@ - copy->pw_gid = pw->pw_gid; - copy->pw_dir = xstrdup(pw->pw_dir); - copy->pw_shell = xstrdup(pw->pw_shell); -+#ifdef __FreeBSD__ -+ copy->pw_class = xstrdup(pw->pw_class); -+ copy->pw_expire = pw->pw_expire; -+ copy->pw_change = pw->pw_change; -+#endif /* __FreeBSD__ */ - authctxt->valid = 1; - } else { - if (strcmp(u, authctxt->user) != 0 || diff openssh/files/patch-az openssh/files/patch-az --- openssh/files/patch-az Fri Feb 9 23:37:50 2001 +++ openssh/files/patch-az Thu Jan 1 01:00:00 1970 @@ -1,11 +0,0 @@ ---- /home/bright/ssh/ssh/deattack.c Fri Aug 18 19:17:12 2000 -+++ deattack.c Fri Feb 9 10:58:54 2001 -@@ -84,7 +84,7 @@ - detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV) - { - static u_int16_t *h = (u_int16_t *) NULL; -- static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE; -+ static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; - register u_int32_t i, j; - u_int32_t l; - register unsigned char *c; diff openssh/files/patch-bleichenbacher openssh/files/patch-bleichenbacher --- openssh/files/patch-bleichenbacher Mon Feb 12 09:06:56 2001 +++ openssh/files/patch-bleichenbacher Thu Jan 1 01:00:00 1970 @@ -1,189 +0,0 @@ -Index: rsa.h -=================================================================== -RCS file: /usr2/ncvs/src/crypto/openssh/rsa.h,v -retrieving revision 1.2.2.2 -diff -u -r1.2.2.2 rsa.h ---- rsa.h 2000/10/28 23:00:49 1.2.2.2 -+++ rsa.h 2001/02/12 04:03:40 -@@ -32,6 +32,6 @@ - int rsa_alive __P((void)); - - void rsa_public_encrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv)); --void rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv)); -+int rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv)); - - #endif /* RSA_H */ -Index: ssh-agent.c -=================================================================== -RCS file: /usr2/ncvs/src/crypto/openssh/ssh-agent.c,v -retrieving revision 1.2.2.5 -diff -u -r1.2.2.5 ssh-agent.c ---- ssh-agent.c 2001/02/04 20:24:33 1.2.2.5 -+++ ssh-agent.c 2001/02/12 04:03:40 -@@ -194,7 +194,8 @@ - private = lookup_private_key(key, NULL, 1); - if (private != NULL) { - /* Decrypt the challenge using the private key. */ -- rsa_private_decrypt(challenge, challenge, private->rsa); -+ if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0) -+ goto failure; - - /* The response is MD5 of decrypted challenge plus session id. */ - len = BN_num_bytes(challenge); -Index: sshconnect1.c -=================================================================== -RCS file: /usr2/ncvs/src/crypto/openssh/sshconnect1.c,v -retrieving revision 1.2.2.3 -diff -u -r1.2.2.3 sshconnect1.c ---- sshconnect1.c 2001/01/12 04:25:58 1.2.2.3 -+++ sshconnect1.c 2001/02/12 04:03:40 -@@ -152,14 +152,17 @@ - int i, len; - - /* Decrypt the challenge using the private key. */ -- rsa_private_decrypt(challenge, challenge, prv); -+ /* XXX think about Bleichenbacher, too */ -+ if (rsa_private_decrypt(challenge, challenge, prv) <= 0) -+ packet_disconnect( -+ "respond_to_rsa_challenge: rsa_private_decrypt failed"); - - /* Compute the response. */ - /* The response is MD5 of decrypted challenge plus session id. */ - len = BN_num_bytes(challenge); - if (len <= 0 || len > sizeof(buf)) -- packet_disconnect("respond_to_rsa_challenge: bad challenge length %d", -- len); -+ packet_disconnect( -+ "respond_to_rsa_challenge: bad challenge length %d", len); - - memset(buf, 0, sizeof(buf)); - BN_bn2bin(challenge, buf + sizeof(buf) - len); -Index: sshd.c -=================================================================== -RCS file: /usr2/ncvs/src/crypto/openssh/sshd.c,v -retrieving revision 1.6.2.5 -diff -u -r1.6.2.5 sshd.c ---- sshd.c 2001/01/18 22:36:53 1.6.2.5 -+++ sshd.c 2001/02/12 04:09:43 -@@ -1108,6 +1108,7 @@ - { - int i, len; - int plen, slen; -+ int rsafail = 0; - BIGNUM *session_key_int; - unsigned char session_key[SSH_SESSION_KEY_LENGTH]; - unsigned char cookie[8]; -@@ -1229,7 +1230,7 @@ - * with larger modulus first). - */ - if (BN_cmp(sensitive_data.private_key->n, sensitive_data.host_key->n) > 0) { -- /* Private key has bigger modulus. */ -+ /* Server key has bigger modulus. */ - if (BN_num_bits(sensitive_data.private_key->n) < - BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) { - fatal("do_connection: %s: private_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d", -@@ -1238,10 +1239,12 @@ - BN_num_bits(sensitive_data.host_key->n), - SSH_KEY_BITS_RESERVED); - } -- rsa_private_decrypt(session_key_int, session_key_int, -- sensitive_data.private_key); -- rsa_private_decrypt(session_key_int, session_key_int, -- sensitive_data.host_key); -+ if (rsa_private_decrypt(session_key_int, session_key_int, -+ sensitive_data.private_key) <= 0) -+ rsafail++; -+ if (rsa_private_decrypt(session_key_int, session_key_int, -+ sensitive_data.host_key) <= 0) -+ rsafail++; - } else { - /* Host key has bigger modulus (or they are equal). */ - if (BN_num_bits(sensitive_data.host_key->n) < -@@ -1252,10 +1255,12 @@ - BN_num_bits(sensitive_data.private_key->n), - SSH_KEY_BITS_RESERVED); - } -- rsa_private_decrypt(session_key_int, session_key_int, -- sensitive_data.host_key); -- rsa_private_decrypt(session_key_int, session_key_int, -- sensitive_data.private_key); -+ if (rsa_private_decrypt(session_key_int, session_key_int, -+ sensitive_data.host_key) < 0) -+ rsafail++; -+ if (rsa_private_decrypt(session_key_int, session_key_int, -+ sensitive_data.private_key) < 0) -+ rsafail++; - } - - compute_session_id(session_id, cookie, -@@ -1270,14 +1275,29 @@ - * least significant 256 bits of the integer; the first byte of the - * key is in the highest bits. - */ -- BN_mask_bits(session_key_int, sizeof(session_key) * 8); -- len = BN_num_bytes(session_key_int); -- if (len < 0 || len > sizeof(session_key)) -- fatal("do_connection: bad len from %s: session_key_int %d > sizeof(session_key) %d", -- get_remote_ipaddr(), -- len, sizeof(session_key)); -- memset(session_key, 0, sizeof(session_key)); -- BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len); -+ if (!rsafail) { -+ BN_mask_bits(session_key_int, sizeof(session_key) * 8); -+ len = BN_num_bytes(session_key_int); -+ if (len < 0 || len > sizeof(session_key)) { -+ error("do_connection: bad session key len from %s: " -+ "session_key_int %d > sizeof(session_key) %d", -+ get_remote_ipaddr(), len, sizeof(session_key)); -+ rsafail++; -+ } else { -+ memset(session_key, 0, sizeof(session_key)); -+ BN_bn2bin(session_key_int, -+ session_key + sizeof(session_key) - len); -+ } -+ } -+ if (rsafail) { -+ log("do_connection: generating a fake encryption key"); -+ for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) { -+ if (i % 4 == 0) -+ rand = arc4random(); -+ session_key[i] = rand & 0xff; -+ rand >>= 8; -+ } -+ } - - /* Destroy the decrypted integer. It is no longer needed. */ - BN_clear_free(session_key_int); ---- rsa.c.orig Mon Jun 19 18:39:44 2000 -+++ rsa.c Mon Feb 12 00:04:02 2001 -@@ -135,7 +135,7 @@ - xfree(inbuf); - } - --void -+int - rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key) - { - unsigned char *inbuf, *outbuf; -@@ -149,15 +149,16 @@ - BN_bn2bin(in, inbuf); - - if ((len = RSA_private_decrypt(ilen, inbuf, outbuf, key, -- RSA_PKCS1_PADDING)) <= 0) -- fatal("rsa_private_decrypt() failed"); -- -- BN_bin2bn(outbuf, len, out); -- -+ RSA_PKCS1_PADDING)) <= 0) { -+ error("rsa_private_decrypt() failed"); -+ } else { -+ BN_bin2bn(outbuf, len, out); -+ } - memset(outbuf, 0, olen); - memset(inbuf, 0, ilen); - xfree(outbuf); - xfree(inbuf); -+ return len; - } - - /* Set whether to output verbose messages during key generation. */ diff openssh/files/patch-misc.c openssh/files/patch-misc.c --- openssh/files/patch-misc.c Thu Jan 1 01:00:00 1970 +++ openssh/files/patch-misc.c Sat May 26 15:39:30 2001 @@ -0,0 +1,13 @@ +--- misc.c.orig Thu Apr 12 22:09:37 2001 ++++ misc.c Sat May 26 15:39:25 2001 +@@ -111,6 +111,10 @@ + copy->pw_class = xstrdup(pw->pw_class); + copy->pw_dir = xstrdup(pw->pw_dir); + copy->pw_shell = xstrdup(pw->pw_shell); ++#ifdef __FreeBSD__ ++ copy->pw_expire = pw->pw_expire; ++ copy->pw_change = pw->pw_change; ++#endif /* __FreeBSD__ */ + return copy; + } + diff openssh/files/patch-sftp-Makefile openssh/files/patch-sftp-Makefile --- openssh/files/patch-sftp-Makefile Thu Jan 1 01:00:00 1970 +++ openssh/files/patch-sftp-Makefile Sat May 26 16:11:25 2001 @@ -0,0 +1,13 @@ +--- sftp/Makefile.orig Mon Apr 16 04:31:52 2001 ++++ sftp/Makefile Sat May 26 15:49:42 2001 +@@ -7,8 +7,8 @@ + + BINMODE?=555 + +-BINDIR= /usr/bin +-MAN= sftp.1 ++BINDIR= /bin ++MAN1= sftp.1 + + SRCS= sftp.c sftp-client.c sftp-int.c sftp-common.c sftp-glob.c scp-common.c + diff openssh/files/patch-sftp-server-Makefile openssh/files/patch-sftp-server-Makefile --- openssh/files/patch-sftp-server-Makefile Thu Jan 1 01:00:00 1970 +++ openssh/files/patch-sftp-server-Makefile Sat May 26 16:11:33 2001 @@ -0,0 +1,13 @@ +--- sftp-server/Makefile.orig Sun Mar 4 00:59:36 2001 ++++ sftp-server/Makefile Sat May 26 15:47:57 2001 +@@ -7,8 +7,8 @@ + + BINMODE?=555 + +-BINDIR= /usr/libexec +-MAN= sftp-server.8 ++BINDIR= /libexec ++MAN8= sftp-server.8 + + SRCS= sftp-server.c sftp-common.c + diff openssh/files/patch-ssh-keyscan-Makefile openssh/files/patch-ssh-keyscan-Makefile --- openssh/files/patch-ssh-keyscan-Makefile Thu Jan 1 01:00:00 1970 +++ openssh/files/patch-ssh-keyscan-Makefile Sat May 26 16:14:09 2001 @@ -0,0 +1,13 @@ +--- ssh-keyscan/Makefile.orig Sun Mar 4 00:59:39 2001 ++++ ssh-keyscan/Makefile Sat May 26 16:14:05 2001 +@@ -7,8 +7,8 @@ + + BINMODE?=555 + +-BINDIR= /usr/bin +-MAN= ssh-keyscan.1 ++BINDIR= /bin ++MAN1= ssh-keyscan.1 + + SRCS= ssh-keyscan.c + diff openssh/pkg-plist openssh/pkg-plist --- openssh/pkg-plist Tue Apr 3 21:05:22 2001 +++ openssh/pkg-plist Sat May 26 16:16:47 2001 @@ -1,13 +1,16 @@ bin/scp +bin/sftp bin/slogin bin/ssh bin/ssh-add bin/ssh-agent bin/ssh-keygen +bin/ssh-keyscan etc/rc.d/sshd.sh etc/ssh_config etc/sshd_config sbin/sshd +libexec/sftp-server @exec if [ ! -f %D/etc/ssh_host_key ]; then echo ">> Generating a secret RSA host key."; %D/bin/ssh-keygen -N "" -f %D/etc/ssh_host_key; fi @exec if [ ! -f %D/etc/ssh_host_dsa_key ]; then echo ">> Generating a secret DSA host key."; %D/bin/ssh-keygen -d -N "" -f %D/etc/ssh_host_dsa_key; fi @exec if [ ! -x %D/etc/rc.d/sshd.sh ]; then echo "#!/bin/sh" > %D/etc/rc.d/sshd.sh && exec echo "[ -x %D/sbin/sshd ] && %D/sbin/sshd && echo -n ' sshd'" >> %D/etc/rc.d/sshd.sh && exec chmod 0555 %D/etc/rc.d/sshd.sh; fi >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message