Commit Graph

670 Commits

Author SHA1 Message Date
Darren Tucker
282cad2240 Import fmt_scaled.c rev 1.16 from OpenBSD.
Fix overly-conservative overflow checks on mulitplications and add checks
on additions.  This allows scan_scaled to work up to +/-LLONG_MAX (LLONG_MIN
will still be flagged as a range error).  ok millert@
2017-03-29 16:34:44 +11:00
Darren Tucker
c73a229e4e Import fmt_scaled.c rev 1.15 from OpenBSD.
Collapse underflow and overflow checks into a single block.
ok djm@ millert@
2017-03-29 16:34:02 +11:00
Darren Tucker
d427b73bf5 Import fmt_scaled.c rev 1.14 from OpenBSD.
Catch integer underflow in scan_scaled reported by Nicolas Iooss.
ok deraadt@ djm@
2017-03-29 16:32:57 +11:00
Darren Tucker
d38f05dbdd Add llabs() implementation. 2017-03-20 13:39:27 +11:00
Damien Miller
d94c1dfef2 sync fmt_scaled.c with OpenBSD
revision 1.13
date: 2017/03/11 23:37:23;  author: djm;  state: Exp;  lines: +14 -1;  commitid: jnFKyHkB3CEiEZ2R;
fix signed integer overflow in scan_scaled. Found by Nicolas Iooss
using AFL against ssh_config. ok deraadt@ millert@
----------------------------
revision 1.12
date: 2013/11/29 19:00:51;  author: deraadt;  state: Exp;  lines: +6 -5;
fairly simple unsigned char casts for ctype
ok krw
----------------------------
revision 1.11
date: 2012/11/12 14:07:20;  author: halex;  state: Exp;  lines: +4 -2;
make scan_scaled set errno to EINVAL rather than ERANGE if it encounters
an invalid multiplier, like the man page says it should

"looks sensible" deraadt@, ok ian@
----------------------------
revision 1.10
date: 2009/06/20 15:00:04;  author: martynas;  state: Exp;  lines: +4 -4;
use llabs instead of the home-grown version;  and some comment changes
ok ian@, millert@
----------------------------
2017-03-12 10:48:14 +11:00
Darren Tucker
b9b8ba3f9e Remove commented-out includes.
These commented-out includes have "Still needed?" comments.  Since
they've been commented out for ~13 years I assert that they're not.
2016-12-13 12:56:40 +11:00
Darren Tucker
25275f1c9d Add prototype for strcasestr in compat library. 2016-12-13 12:54:23 +11:00
Darren Tucker
afec07732a Add strcasestr to compat library.
Fixes build on (at least) Solaris 10.
2016-12-13 10:23:03 +11:00
Darren Tucker
a9ff3950b8 Move OPENSSL_NO_RIPEMD160 to compat.
Move OPENSSL_NO_RIPEMD160 to compat and add ifdefs to mac.c around the
ripemd160 MACs.
2016-10-28 14:26:58 +11:00
Darren Tucker
b4e96b4c9b Use !=NULL instead of >0 for getdefaultproj.
getdefaultproj() returns a pointer so test it for NULL inequality
instead of >0.  Fixes compiler warning and is more correct.  Patch from
David Binderman.
2016-10-26 08:43:25 +11:00
Darren Tucker
8f866d8a57 Import readpassphrase.c rev 1.26.
Author: miller@openbsd.org:
Avoid generate SIGTTOU when restoring the terminal mode.  If we get
SIGTTOU it means the process is not in the foreground process group
which, in most cases, means that the shell has taken control of the tty.
Requiring the user the fg the process in this case doesn't make sense
and can result in both SIGTSTP and SIGTTOU being sent which can lead to
the process being suspended again immediately after being brought into
the foreground.
2016-10-19 03:26:09 +11:00
Darren Tucker
f901440cc8 Import readpassphrase.c rev 1.25.
Wrap <readpassphrase.h> so internal calls go direct and
readpassphrase is weak.

(DEF_WEAK is a no-op in portable.)
2016-10-19 03:23:16 +11:00
Darren Tucker
032147b695 Move DEF_WEAK into defines.h.
As well pull in more recent changes from OpenBSD these will start to
arrive so put it where the definition is shared.
2016-10-15 05:51:12 +11:00
Darren Tucker
29d4031939 Import rev 1.24 from OpenBSD.
revision 1.24
date: 2013/11/24 23:51:29;  author: deraadt;  state: Exp;  lines: +4 -4;
most obvious unsigned char casts for ctype
ok jca krw ingo
2016-10-13 04:07:20 +11:00
Darren Tucker
12069e5622 Import rev 1.23 from OpenBSD. Fixes bz#2619.
revision 1.23
date: 2010/05/14 13:30:34;  author: millert;  state: Exp;  lines: +41 -39;
Defer installing signal handlers until echo is disabled so that we
get suspended normally when not the foreground process.  Fix potential
infinite loop when restoring terminal settings if process is in the
background when restore occurs.  OK miod@
2016-10-13 04:04:44 +11:00
Darren Tucker
7508d83eff If we don't have TCSASOFT, define it to zero.
This makes it a no-op when we use it below, which allows us to re-sync
those lines with the upstream and make future updates easier.
2016-10-13 03:53:51 +11:00
Damien Miller
1cfd5c06ef Remove portability support for mmap
We no longer need to wrap/replace mmap for portability now that
pre-auth compression has been removed from OpenSSH.
2016-09-29 03:19:23 +10:00
Darren Tucker
1e8013a17f Remove obsolete CVS $Id from source files.
Since -portable switched to git the CVS $Id tags are no longer being
updated and are becoming increasingly misleading.  Remove them.
2016-08-17 14:08:42 +10:00
Damien Miller
74433a19bb fix false positives when compiled with msan
Our explicit_bzero successfully confused clang -fsanitize-memory
in to thinking that memset is never called to initialise memory.
Ensure that it is called in a way that the compiler recognises.
2016-08-16 13:37:26 +10:00
Darren Tucker
dd1031b78b Replace spaces with tabs.
Mechanically replace spaces with tabs in compat files not synced with
OpenBSD.
2016-08-02 10:01:52 +10:00
Darren Tucker
c20dccb561 Strip trailing whitespace.
Mechanically strip trailing whitespace on files not synced with OpenBSD
(or in the case of bsd-snprint.c, rsync).
2016-08-02 09:44:25 +10:00
Darren Tucker
30f9bd1c09 Repair $OpenBSD markers. 2016-08-02 09:06:27 +10:00
Darren Tucker
9715d4ad4b Repair $OpenBSD marker. 2016-08-02 09:02:42 +10:00
Darren Tucker
dbf788b4d9 Search users for one with a valid salt.
If the root account is locked (eg password "!!" or "*LK*") keep looking
until we find a user with a valid salt to use for crypting passwords of
invalid users.  ok djm@
2016-07-21 14:17:31 +10:00
Damien Miller
4a984fd342 cast to avoid type warning in error message 2016-07-15 20:02:27 +10:00
Darren Tucker
5abfb15ced Move VA_COPY macro into compat header.
Some AIX compilers unconditionally undefine va_copy but don't set it back
to an internal function, causing link errors.  In some compat code we
already use VA_COPY instead so move the two existing instances into the
shared header and use for sshbuf-getput-basic.c too.  Should fix building
with at lease some versions of AIX's compiler.  bz#2589, ok djm@
2016-07-15 14:54:16 +10:00
Darren Tucker
9286875a73 Determine appropriate salt for invalid users.
When sshd is processing a non-PAM login for a non-existent user it uses
the string from the fakepw structure as the salt for crypt(3)ing the
password supplied by the client.  That string has a Blowfish prefix, so on
systems that don't understand that crypt will fail fast due to an invalid
salt, and even on those that do it may have significantly different timing
from the hash methods used for real accounts (eg sha512).  This allows
user enumeration by, eg, sending large password strings.  This was noted
by EddieEzra.Harari at verint.com (CVE-2016-6210).

To mitigate, use the same hash algorithm that root uses for hashing
passwords for users that do not exist on the system.  ok djm@
2016-07-15 13:45:42 +10:00
Darren Tucker
a233358417 Add compat code for missing wcwidth.
If we don't have wcwidth force fallback implementations of nl_langinfo
and mbtowc.  Based on advice from Ingo Schwarze.
2016-07-14 10:59:09 +10:00
Darren Tucker
6310ef27a2 Move err.h replacements into compat lib.
Move implementations of err.h replacement functions into their own file
in the libopenbsd-compat so we can use them in kexfuzz.c too.  ok djm@
2016-07-13 14:42:35 +10:00
Darren Tucker
9f919d1a32 Remove now-defunct .cvsignore files. ok djm 2016-06-14 13:51:01 +10:00
Darren Tucker
ae9c0d4d5c Update vis.h and vis.c from OpenBSD.
This will be needed for the upcoming utf8 changes.
2016-06-03 16:03:44 +10:00
Damien Miller
604a037d84 whitespace at EOL 2016-05-31 16:45:28 +10:00
Damien Miller
332ff3d770 initialise salen in binresvport_sa
avoids failures with UsePrivilegedPort=yes

patch from Juan Gallego
2016-05-10 09:51:06 +10:00
Darren Tucker
627824480c Include priv.h for priv_set_t.
From alex at cooperi.net.
2016-03-11 14:47:41 +11:00
Darren Tucker
907091acb1 Make Solaris privs code build on older systems.
Not all systems with Solaris privs have priv_basicset so factor that
out and provide backward compatibility code.  Similarly, not all have
PRIV_NET_ACCESS so wrap that in #ifdef.  Based on code from
alex at cooperi.net and djm@ with help from carson at taltos.org and
wieland at purdue.edu.
2016-02-19 09:05:39 +11:00
Darren Tucker
60d860e54b Rollback addition of va_start.
va_start was added in 0f754e29dd, however
it has the wrong number of args and it's not usable in non-variadic
functions anyway so it breaks things (for example Solaris 2.6 as
reported by Tom G. Christensen).i  ok djm@
2016-02-17 13:37:09 +11:00
Damien Miller
4626cbaf78 Support Illumos/Solaris fine-grained privileges
Includes a pre-auth privsep sandbox and several pledge()
emulations. bz#2511, patch by Alex Wilson.

ok dtucker@
2016-01-08 14:29:12 +11:00
Damien Miller
f0191d7c8e Revert "stub for pledge(2) for systems that lack it"
This reverts commit 14c887c839.

dtucker beat me to it :/
2015-11-30 10:53:25 +11:00
Damien Miller
14c887c839 stub for pledge(2) for systems that lack it 2015-11-30 09:45:54 +11:00
Darren Tucker
3ddd15e1b6 Add a null implementation of pledge.
Fixes builds on almost everything.
2015-11-30 07:23:53 +11:00
Darren Tucker
8db134e7f4 Prevent name collisions with system glob (bz#2463)
Move glob.h from includes.h to the only caller (sftp) and override the
names for the symbols.  This prevents name collisions with the system glob
in the case where something other than ssh uses it (eg kerberos).  With
jjelen at redhat.com, ok djm@
2015-10-29 10:48:23 +11:00
Damien Miller
0f754e29dd need va_copy before va_start
reported by Nicholas Lemonias
2015-10-16 10:53:38 +11:00
Damien Miller
eb6c50d82a fix compilation on systems without SYMLOOP_MAX 2015-10-15 15:48:28 -07:00
Damien Miller
8f22911027 upstream commit
revision 1.20
date: 2015/10/13 20:55:37;  author: millert;  state: Exp;  lines: +2 -2;  commitid: X39sl5ay1czgFIgp;
In rev 1.15 the sizeof argument was fixed in a strlcat() call but
the truncation check immediately following it was not updated to
match.  Not an issue in practice since the buffers are the same
size.  OK deraadt@
2015-10-14 08:28:19 +11:00
Damien Miller
23fa695bb7 upstream commit
revision 1.19
date: 2015/01/16 16:48:51;  author: deraadt;  state: Exp;  lines: +3 -3;  commitid: 0DYulI8hhujBHMcR;
Move to the <limits.h> universe.
review by millert, binary checking process with doug, concept with guenther
2015-10-14 08:27:51 +11:00
Damien Miller
c71be375a6 upstream commit
revision 1.18
date: 2014/10/19 03:56:28;  author: doug;  state: Exp;  lines: +9 -9;  commitid: U6QxmtbXrGoc02S5;
Revert last commit due to changed semantics found by make release.
2015-10-14 08:27:08 +11:00
Damien Miller
c39ad23b06 upstream commit
revision 1.17
date: 2014/10/18 20:43:52;  author: doug;  state: Exp;  lines: +10 -10;  commitid: I74hI1tVZtsspKEt;
Better POSIX compliance in realpath(3).

millert@ made changes to realpath.c based on FreeBSD's version.  I merged
Todd's changes into dl_realpath.c.

ok millert@, guenther@
2015-10-14 08:26:24 +11:00
Damien Miller
e929a43f95 upstream commit
revision 1.16
date: 2013/04/05 12:59:54;  author: kurt;  state: Exp;  lines: +3 -1;
- Add comments regarding copies of these files also in libexec/ld.so
okay guenther@
2015-10-14 08:25:55 +11:00
Damien Miller
5225db68e5 upstream commit
revision 1.15
date: 2012/09/13 15:39:05;  author: deraadt;  state: Exp;  lines: +2 -2;
specify the bounds of the dst to strlcat (both values were static and
equal, but it is more correct)
from Michal Mazurek
2015-10-14 08:25:32 +11:00
Damien Miller
7365fe5b48 upstream commit
revision 1.14
date: 2011/07/24 21:03:00;  author: miod;  state: Exp;  lines: +35 -13;
Recent Single Unix will malloc memory if the second argument of realpath()
is NULL, and third-party software is starting to rely upon this.
Adapted from FreeBSD via Jona Joachim (jaj ; hcl-club , .lu), with minor
tweaks from nicm@ and yours truly.
2015-10-14 08:25:09 +11:00