From e936694229354244eed3addad14a07f76614e67e Mon Sep 17 00:00:00 2001 From: Waldemar Brodkorb Date: Wed, 23 Sep 2009 18:58:04 +0200 Subject: convert bzero to memset, allow root login --- package/openssh/files/sshd_config | 2 +- package/openssh/patches/patch-auth2-jpake_c | 79 ++++++++++++++++++++++ package/openssh/patches/patch-channels_c | 29 ++++++++ package/openssh/patches/patch-clientloop_c | 20 ++++++ package/openssh/patches/patch-jpake_c | 38 +++++++++++ package/openssh/patches/patch-monitor_c | 62 +++++++++++++++++ .../patches/patch-openbsd-compat_port-tun_c | 13 +++- package/openssh/patches/patch-schnorr_c | 11 +++ package/openssh/patches/patch-session_c | 11 +++ package/openssh/patches/patch-sftp-client_c | 11 +++ package/openssh/patches/patch-ssh_c | 13 ++++ package/openssh/patches/patch-sshconnect2_c | 71 +++++++++++++++++++ 12 files changed, 357 insertions(+), 3 deletions(-) create mode 100644 package/openssh/patches/patch-auth2-jpake_c create mode 100644 package/openssh/patches/patch-channels_c create mode 100644 package/openssh/patches/patch-clientloop_c create mode 100644 package/openssh/patches/patch-jpake_c create mode 100644 package/openssh/patches/patch-monitor_c create mode 100644 package/openssh/patches/patch-schnorr_c create mode 100644 package/openssh/patches/patch-session_c create mode 100644 package/openssh/patches/patch-sftp-client_c create mode 100644 package/openssh/patches/patch-ssh_c create mode 100644 package/openssh/patches/patch-sshconnect2_c (limited to 'package') diff --git a/package/openssh/files/sshd_config b/package/openssh/files/sshd_config index 19b87bd17..1ef114940 100644 --- a/package/openssh/files/sshd_config +++ b/package/openssh/files/sshd_config @@ -38,7 +38,7 @@ HostKey /etc/ssh/ssh_host_rsa_key # Authentication: #LoginGraceTime 2m -PermitRootLogin without-password +PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 diff --git a/package/openssh/patches/patch-auth2-jpake_c b/package/openssh/patches/patch-auth2-jpake_c new file mode 100644 index 000000000..3ea529fce --- /dev/null +++ b/package/openssh/patches/patch-auth2-jpake_c @@ -0,0 +1,79 @@ +--- openssh-5.2p1.orig/auth2-jpake.c 2008-11-11 06:33:03.000000000 +0100 ++++ openssh-5.2p1/auth2-jpake.c 2009-09-18 12:28:10.000000000 +0200 +@@ -172,7 +172,7 @@ derive_rawsalt(const char *username, u_c + fatal("%s: not enough bytes for rawsalt (want %u have %u)", + __func__, len, digest_len); + memcpy(rawsalt, digest, len); +- bzero(digest, digest_len); ++ memset(digest, 0, digest_len); + xfree(digest); + } + +@@ -197,10 +197,10 @@ makesalt(u_int want, const char *user) + fatal("%s: want %u", __func__, want); + + derive_rawsalt(user, rawsalt, sizeof(rawsalt)); +- bzero(ret, sizeof(ret)); ++ memset(ret, 0, sizeof(ret)); + for (i = 0; i < want; i++) + ret[i] = pw_encode64(rawsalt[i]); +- bzero(rawsalt, sizeof(rawsalt)); ++ memset(rawsalt, 0, sizeof(rawsalt)); + + return ret; + } +@@ -354,7 +354,7 @@ auth2_jpake_get_pwdata(Authctxt *authctx + debug3("%s: scheme = %s", __func__, *hash_scheme); + JPAKE_DEBUG_BN((*s, "%s: s = ", __func__)); + #endif +- bzero(secret, secret_len); ++ memset(secret, 0, secret_len); + xfree(secret); + } + +@@ -395,12 +395,12 @@ auth2_jpake_start(Authctxt *authctxt) + packet_send(); + packet_write_wait(); + +- bzero(hash_scheme, strlen(hash_scheme)); +- bzero(salt, strlen(salt)); ++ memset(hash_scheme, 0, strlen(hash_scheme)); ++ memset(salt, 0, strlen(salt)); + xfree(hash_scheme); + xfree(salt); +- bzero(x3_proof, x3_proof_len); +- bzero(x4_proof, x4_proof_len); ++ memset(x3_proof, 0, x3_proof_len); ++ memset(x4_proof, 0, x4_proof_len); + xfree(x3_proof); + xfree(x4_proof); + +@@ -447,8 +447,8 @@ input_userauth_jpake_client_step1(int ty + &pctx->b, + &x4_s_proof, &x4_s_proof_len)); + +- bzero(x1_proof, x1_proof_len); +- bzero(x2_proof, x2_proof_len); ++ memset(x1_proof, 0, x1_proof_len); ++ memset(x2_proof, 0, x2_proof_len); + xfree(x1_proof); + xfree(x2_proof); + +@@ -462,7 +462,7 @@ input_userauth_jpake_client_step1(int ty + packet_send(); + packet_write_wait(); + +- bzero(x4_s_proof, x4_s_proof_len); ++ memset(x4_s_proof, 0, x4_s_proof_len); + xfree(x4_s_proof); + + /* Expect step 2 packet from peer */ +@@ -503,7 +503,7 @@ input_userauth_jpake_client_step2(int ty + &pctx->k, + &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len)); + +- bzero(x2_s_proof, x2_s_proof_len); ++ memset(x2_s_proof, 0, x2_s_proof_len); + xfree(x2_s_proof); + + if (!use_privsep) diff --git a/package/openssh/patches/patch-channels_c b/package/openssh/patches/patch-channels_c new file mode 100644 index 000000000..3712809e4 --- /dev/null +++ b/package/openssh/patches/patch-channels_c @@ -0,0 +1,29 @@ +--- openssh-5.2p1.orig/channels.c 2009-02-14 06:28:21.000000000 +0100 ++++ openssh-5.2p1/channels.c 2009-09-18 12:29:28.000000000 +0200 +@@ -411,7 +411,7 @@ channel_free(Channel *c) + if (cc->abandon_cb != NULL) + cc->abandon_cb(c, cc->ctx); + TAILQ_REMOVE(&c->status_confirms, cc, entry); +- bzero(cc, sizeof(*cc)); ++ memset(cc, 0, sizeof(*cc)); + xfree(cc); + } + if (c->filter_cleanup != NULL && c->filter_ctx != NULL) +@@ -2447,7 +2447,7 @@ channel_input_status_confirm(int type, u + return; + cc->cb(type, c, cc->ctx); + TAILQ_REMOVE(&c->status_confirms, cc, entry); +- bzero(cc, sizeof(*cc)); ++ memset(cc, 0, sizeof(*cc)); + xfree(cc); + } + +@@ -2941,7 +2941,7 @@ channel_connect_ctx_free(struct channel_ + xfree(cctx->host); + if (cctx->aitop) + freeaddrinfo(cctx->aitop); +- bzero(cctx, sizeof(*cctx)); ++ memset(cctx, 0, sizeof(*cctx)); + cctx->host = NULL; + cctx->ai = cctx->aitop = NULL; + } diff --git a/package/openssh/patches/patch-clientloop_c b/package/openssh/patches/patch-clientloop_c new file mode 100644 index 000000000..1da1d31c9 --- /dev/null +++ b/package/openssh/patches/patch-clientloop_c @@ -0,0 +1,20 @@ +--- openssh-5.2p1.orig/clientloop.c 2009-02-14 06:28:21.000000000 +0100 ++++ openssh-5.2p1/clientloop.c 2009-09-18 12:28:59.000000000 +0200 +@@ -487,7 +487,7 @@ client_global_request_reply(int type, u_ + gc->cb(type, seq, gc->ctx); + if (--gc->ref_count <= 0) { + TAILQ_REMOVE(&global_confirms, gc, entry); +- bzero(gc, sizeof(*gc)); ++ memset(gc, 0, sizeof(*gc)); + xfree(gc); + } + +@@ -768,7 +768,7 @@ process_cmdline(void) + int cancel_port; + Forward fwd; + +- bzero(&fwd, sizeof(fwd)); ++ memset(&fwd, 0, sizeof(fwd)); + fwd.listen_host = fwd.connect_host = NULL; + + leave_raw_mode(); diff --git a/package/openssh/patches/patch-jpake_c b/package/openssh/patches/patch-jpake_c new file mode 100644 index 000000000..37b69ee45 --- /dev/null +++ b/package/openssh/patches/patch-jpake_c @@ -0,0 +1,38 @@ +--- openssh-5.2p1.orig/jpake.c 2008-11-05 06:20:46.000000000 +0100 ++++ openssh-5.2p1/jpake.c 2009-09-18 12:26:24.000000000 +0200 +@@ -160,7 +160,7 @@ hash_buffer(const u_char *buf, u_int len + success = 0; + out: + EVP_MD_CTX_cleanup(&evp_md_ctx); +- bzero(digest, sizeof(digest)); ++ memset(digest, 0, sizeof(digest)); + digest_len = 0; + return success; + } +@@ -259,7 +259,7 @@ jpake_free(struct jpake_ctx *pctx) + #define JPAKE_BUF_CLEAR_FREE(v, l) \ + do { \ + if ((v) != NULL) { \ +- bzero((v), (l)); \ ++ memset((v), 0, (l)); \ + xfree(v); \ + (v) = NULL; \ + (l) = 0; \ +@@ -287,7 +287,7 @@ jpake_free(struct jpake_ctx *pctx) + #undef JPAKE_BN_CLEAR_FREE + #undef JPAKE_BUF_CLEAR_FREE + +- bzero(pctx, sizeof(pctx)); ++ memset(pctx, 0, sizeof(pctx)); + xfree(pctx); + } + +@@ -592,7 +592,7 @@ jpake_check_confirm(const BIGNUM *k, + else if (memcmp(peer_confirm_hash, expected_confirm_hash, + expected_confirm_hash_len) == 0) + success = 1; +- bzero(expected_confirm_hash, expected_confirm_hash_len); ++ memset(expected_confirm_hash, 0, expected_confirm_hash_len); + xfree(expected_confirm_hash); + debug3("%s: success = %d", __func__, success); + return success; diff --git a/package/openssh/patches/patch-monitor_c b/package/openssh/patches/patch-monitor_c new file mode 100644 index 000000000..8992b3e6e --- /dev/null +++ b/package/openssh/patches/patch-monitor_c @@ -0,0 +1,62 @@ +--- openssh-5.2p1.orig/monitor.c 2009-02-14 06:33:31.000000000 +0100 ++++ openssh-5.2p1/monitor.c 2009-09-18 12:31:53.000000000 +0200 +@@ -2029,8 +2029,8 @@ mm_answer_jpake_step1(int sock, Buffer * + debug3("%s: sending step1", __func__); + mm_request_send(sock, MONITOR_ANS_JPAKE_STEP1, m); + +- bzero(x3_proof, x3_proof_len); +- bzero(x4_proof, x4_proof_len); ++ memset(x3_proof, 0, x3_proof_len); ++ memset(x4_proof, 0, x4_proof_len); + xfree(x3_proof); + xfree(x4_proof); + +@@ -2059,8 +2059,8 @@ mm_answer_jpake_get_pwdata(int sock, Buf + debug3("%s: sending pwdata", __func__); + mm_request_send(sock, MONITOR_ANS_JPAKE_GET_PWDATA, m); + +- bzero(hash_scheme, strlen(hash_scheme)); +- bzero(salt, strlen(salt)); ++ memset(hash_scheme, 0, strlen(hash_scheme)); ++ memset(salt, 0, strlen(salt)); + xfree(hash_scheme); + xfree(salt); + +@@ -2099,8 +2099,8 @@ mm_answer_jpake_step2(int sock, Buffer * + + JPAKE_DEBUG_CTX((pctx, "step2 done in %s", __func__)); + +- bzero(x1_proof, x1_proof_len); +- bzero(x2_proof, x2_proof_len); ++ memset(x1_proof, 0, x1_proof_len); ++ memset(x2_proof, 0, x2_proof_len); + xfree(x1_proof); + xfree(x2_proof); + +@@ -2112,7 +2112,7 @@ mm_answer_jpake_step2(int sock, Buffer * + debug3("%s: sending step2", __func__); + mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m); + +- bzero(x4_s_proof, x4_s_proof_len); ++ memset(x4_s_proof, 0, x4_s_proof_len); + xfree(x4_s_proof); + + monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1); +@@ -2146,7 +2146,7 @@ mm_answer_jpake_key_confirm(int sock, Bu + + JPAKE_DEBUG_CTX((pctx, "key_confirm done in %s", __func__)); + +- bzero(x2_s_proof, x2_s_proof_len); ++ memset(x2_s_proof, 0, x2_s_proof_len); + buffer_clear(m); + + /* pctx->k is sensitive, not sent */ +@@ -2180,7 +2180,7 @@ mm_answer_jpake_check_confirm(int sock, + + JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__)); + +- bzero(peer_confirm_hash, peer_confirm_hash_len); ++ memset(peer_confirm_hash, 0, peer_confirm_hash_len); + xfree(peer_confirm_hash); + + buffer_clear(m); diff --git a/package/openssh/patches/patch-openbsd-compat_port-tun_c b/package/openssh/patches/patch-openbsd-compat_port-tun_c index bc6e0b1b3..c4eb11c4c 100644 --- a/package/openssh/patches/patch-openbsd-compat_port-tun_c +++ b/package/openssh/patches/patch-openbsd-compat_port-tun_c @@ -1,6 +1,15 @@ $Id: update-patches 24 2008-08-31 14:56:13Z wbx $ ---- openssh-5.1p1.orig/openbsd-compat/port-tun.c 2008-05-19 07:28:36.000000000 +0200 -+++ openssh-5.1p1/openbsd-compat/port-tun.c 2008-10-14 10:20:42.000000000 +0200 +--- openssh-5.2p1.orig/openbsd-compat/port-tun.c 2008-05-19 07:28:36.000000000 +0200 ++++ openssh-5.2p1/openbsd-compat/port-tun.c 2009-09-18 12:25:49.000000000 +0200 +@@ -67,7 +67,7 @@ sys_tun_open(int tun, int mode) + return (-1); + } + +- bzero(&ifr, sizeof(ifr)); ++ memset(&ifr, 0, sizeof(ifr)); + + if (mode == SSH_TUNMODE_ETHERNET) { + ifr.ifr_flags = IFF_TAP; @@ -213,7 +213,7 @@ sys_tun_infilter(struct Channel *c, char if (len <= 0 || len > (int)(sizeof(rbuf) - sizeof(*af))) return (-1); diff --git a/package/openssh/patches/patch-schnorr_c b/package/openssh/patches/patch-schnorr_c new file mode 100644 index 000000000..aff2497ba --- /dev/null +++ b/package/openssh/patches/patch-schnorr_c @@ -0,0 +1,11 @@ +--- openssh-5.2p1.orig/schnorr.c 2009-02-21 02:45:18.000000000 +0100 ++++ openssh-5.2p1/schnorr.c 2009-09-18 12:28:29.000000000 +0200 +@@ -105,7 +105,7 @@ schnorr_hash(const BIGNUM *p, const BIGN + out: + buffer_free(&b); + EVP_MD_CTX_cleanup(&evp_md_ctx); +- bzero(digest, digest_len); ++ memset(digest, 0, digest_len); + xfree(digest); + digest_len = 0; + if (success == 0) diff --git a/package/openssh/patches/patch-session_c b/package/openssh/patches/patch-session_c new file mode 100644 index 000000000..ea9508cfd --- /dev/null +++ b/package/openssh/patches/patch-session_c @@ -0,0 +1,11 @@ +--- openssh-5.2p1.orig/session.c 2009-01-28 06:29:49.000000000 +0100 ++++ openssh-5.2p1/session.c 2009-09-18 12:25:29.000000000 +0200 +@@ -1865,7 +1865,7 @@ session_unused(int id) + fatal("%s: insane session id %d (max %d nalloc %d)", + __func__, id, options.max_sessions, sessions_nalloc); + } +- bzero(&sessions[id], sizeof(*sessions)); ++ memset(&sessions[id], 0, sizeof(*sessions)); + sessions[id].self = id; + sessions[id].used = 0; + sessions[id].chanid = -1; diff --git a/package/openssh/patches/patch-sftp-client_c b/package/openssh/patches/patch-sftp-client_c new file mode 100644 index 000000000..21363fee7 --- /dev/null +++ b/package/openssh/patches/patch-sftp-client_c @@ -0,0 +1,11 @@ +--- openssh-5.2p1.orig/sftp-client.c 2008-07-04 15:10:49.000000000 +0200 ++++ openssh-5.2p1/sftp-client.c 2009-09-18 12:30:56.000000000 +0200 +@@ -273,7 +273,7 @@ get_decode_statvfs(int fd, struct sftp_s + SSH2_FXP_EXTENDED_REPLY, type); + } + +- bzero(st, sizeof(*st)); ++ memset(st, 0, sizeof(*st)); + st->f_bsize = buffer_get_int64(&msg); + st->f_frsize = buffer_get_int64(&msg); + st->f_blocks = buffer_get_int64(&msg); diff --git a/package/openssh/patches/patch-ssh_c b/package/openssh/patches/patch-ssh_c new file mode 100644 index 000000000..486429320 --- /dev/null +++ b/package/openssh/patches/patch-ssh_c @@ -0,0 +1,13 @@ +--- openssh-5.2p1.orig/ssh.c 2009-02-14 06:28:21.000000000 +0100 ++++ openssh-5.2p1/ssh.c 2009-09-18 12:26:46.000000000 +0200 +@@ -1277,8 +1277,8 @@ load_public_identity_files(void) + options.identity_files[i] = filename; + options.identity_keys[i] = public; + } +- bzero(pwname, strlen(pwname)); ++ memset(pwname, 0, strlen(pwname)); + xfree(pwname); +- bzero(pwdir, strlen(pwdir)); ++ memset(pwdir, 0, strlen(pwdir)); + xfree(pwdir); + } diff --git a/package/openssh/patches/patch-sshconnect2_c b/package/openssh/patches/patch-sshconnect2_c new file mode 100644 index 000000000..405989001 --- /dev/null +++ b/package/openssh/patches/patch-sshconnect2_c @@ -0,0 +1,71 @@ +--- openssh-5.2p1.orig/sshconnect2.c 2008-11-05 06:20:47.000000000 +0100 ++++ openssh-5.2p1/sshconnect2.c 2009-09-18 12:30:37.000000000 +0200 +@@ -921,14 +921,14 @@ jpake_password_to_secret(Authctxt *authc + &secret, &secret_len) != 0) + fatal("%s: hash_buffer", __func__); + +- bzero(password, strlen(password)); +- bzero(crypted, strlen(crypted)); ++ memset(password, 0, strlen(password)); ++ memset(crypted, 0, strlen(crypted)); + xfree(password); + xfree(crypted); + + if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL) + fatal("%s: BN_bin2bn (secret)", __func__); +- bzero(secret, secret_len); ++ memset(secret, 0, secret_len); + xfree(secret); + + return ret; +@@ -965,8 +965,8 @@ input_userauth_jpake_server_step1(int ty + + /* Obtain password and derive secret */ + pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt); +- bzero(crypt_scheme, strlen(crypt_scheme)); +- bzero(salt, strlen(salt)); ++ memset(crypt_scheme, 0, strlen(crypt_scheme)); ++ memset(salt, 0, strlen(salt)); + xfree(crypt_scheme); + xfree(salt); + JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__)); +@@ -981,8 +981,8 @@ input_userauth_jpake_server_step1(int ty + &pctx->a, + &x2_s_proof, &x2_s_proof_len); + +- bzero(x3_proof, x3_proof_len); +- bzero(x4_proof, x4_proof_len); ++ memset(x3_proof, 0, x3_proof_len); ++ memset(x4_proof, 0, x4_proof_len); + xfree(x3_proof); + xfree(x4_proof); + +@@ -994,7 +994,7 @@ input_userauth_jpake_server_step1(int ty + packet_put_string(x2_s_proof, x2_s_proof_len); + packet_send(); + +- bzero(x2_s_proof, x2_s_proof_len); ++ memset(x2_s_proof, 0, x2_s_proof_len); + xfree(x2_s_proof); + + /* Expect step 2 packet from peer */ +@@ -1034,7 +1034,7 @@ input_userauth_jpake_server_step2(int ty + &pctx->k, + &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len); + +- bzero(x4_s_proof, x4_s_proof_len); ++ memset(x4_s_proof, 0, x4_s_proof_len); + xfree(x4_s_proof); + + JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__)); +@@ -1700,8 +1700,8 @@ userauth_jpake(Authctxt *authctxt) + packet_put_string(x2_proof, x2_proof_len); + packet_send(); + +- bzero(x1_proof, x1_proof_len); +- bzero(x2_proof, x2_proof_len); ++ memset(x1_proof, 0, x1_proof_len); ++ memset(x2_proof, 0, x2_proof_len); + xfree(x1_proof); + xfree(x2_proof); + -- cgit v1.2.3