external/openssh: update to 6.8p1.

In preparation for some updates to external/openssh to make it work with
BoringSSL, this change updates the code to a recent version. The current
version (5.9p1) is coming up on four years old now.

  * Confirmed that f5c67b478bef9992de9e9ec91ce10af4f6205e0d matches
    OpenSSH 5.9p1 exactly (save for the removal of the scard
    subdirectory).

  * Downloaded openssh-6.8p1.tar.gz (SHA256:
    3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e)
    and verified with PGP signature. (I've verified Damien's key in
    person previously.)

  * Applied changes between f5c67b478bef9992de9e9ec91ce10af4f6205e0d and
    OpenSSH 5.9p1 to 6.8p1 and updated the build as best I can. The
    ugliest change is probably the duplication of umac.c to umac128.c
    because Android conditionally compiles that file twice. See the
    comment in those files.

Change-Id: I63cb07a8118afb5a377f116087a0882914cea486
diff --git a/auth2-chall.c b/auth2-chall.c
index e6dbffe..ddabe1a 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-chall.c,v 1.34 2008/12/09 04:32:22 djm Exp $ */
+/* $OpenBSD: auth2-chall.c,v 1.42 2015/01/19 20:07:45 markus Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2001 Per Allansson.  All rights reserved.
@@ -41,6 +41,7 @@
 #include "packet.h"
 #include "dispatch.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 
 /* import */
@@ -48,7 +49,7 @@
 
 static int auth2_challenge_start(Authctxt *);
 static int send_userauth_info_request(Authctxt *);
-static void input_userauth_info_response(int, u_int32_t, void *);
+static int input_userauth_info_response(int, u_int32_t, void *);
 
 #ifdef BSD_AUTH
 extern KbdintDevice bsdauth_device;
@@ -111,7 +112,7 @@
 		remove_kbdint_device("pam");
 #endif
 
-	kbdintctxt = xmalloc(sizeof(KbdintAuthctxt));
+	kbdintctxt = xcalloc(1, sizeof(KbdintAuthctxt));
 	if (strcmp(devs, "") == 0) {
 		buffer_init(&b);
 		for (i = 0; devices[i]; i++) {
@@ -147,15 +148,13 @@
 {
 	if (kbdintctxt->device)
 		kbdint_reset_device(kbdintctxt);
-	if (kbdintctxt->devices) {
-		xfree(kbdintctxt->devices);
-		kbdintctxt->devices = NULL;
-	}
-	xfree(kbdintctxt);
+	free(kbdintctxt->devices);
+	explicit_bzero(kbdintctxt, sizeof(*kbdintctxt));
+	free(kbdintctxt);
 }
 /* get next device */
 static int
-kbdint_next_device(KbdintAuthctxt *kbdintctxt)
+kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
 {
 	size_t len;
 	char *t;
@@ -169,12 +168,16 @@
 
 		if (len == 0)
 			break;
-		for (i = 0; devices[i]; i++)
+		for (i = 0; devices[i]; i++) {
+			if (!auth2_method_allowed(authctxt,
+			    "keyboard-interactive", devices[i]->name))
+				continue;
 			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
 				kbdintctxt->device = devices[i];
+		}
 		t = kbdintctxt->devices;
 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
-		xfree(t);
+		free(t);
 		debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
 		    kbdintctxt->devices : "<empty>");
 	} while (kbdintctxt->devices && !kbdintctxt->device);
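Review bot: Nothing in this loop records which devices have already been tried, so a `devices` list that names the same device more than once will select it again on a later call to `kbdint_next_device`, even with the new `auth2_method_allowed` filter in place. Where that list comes from is outside this hunk; if the peer can influence it, the number of challenge rounds against one device would appear to be bounded by the list length rather than by the server's attempt limits, which is worth confirming. A per-context bitmask checked next to the new filter and set when a device is chosen would close this. It needs one new unsigned field in `KbdintAuthctxt`, shown below under the placeholder name `devices_done`, and the `xcalloc` introduced earlier in this diff would start it at zero. The function body starts and ends outside the hunk, and since this file tracks upstream OpenSSH, check whether a later upstream release already carries an equivalent change before patching locally.

```c
/* … unchanged: token length computed, empty token ends the loop … */
		for (i = 0; devices[i]; i++) {
			/* skip devices already used in this context (proposed field) */
			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
			    !auth2_method_allowed(authctxt,
			    "keyboard-interactive", devices[i]->name))
				continue;
			if (strncmp(kbdintctxt->devices, devices[i]->name,
			    len) == 0) {
				kbdintctxt->device = devices[i];
				kbdintctxt->devices_done |= 1 << i;
			}
		}
/* … unchanged: advance kbdintctxt->devices past the token, debug2 … */
```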
@@ -221,7 +224,7 @@
 	debug2("auth2_challenge_start: devices %s",
 	    kbdintctxt->devices ?  kbdintctxt->devices : "<empty>");
 
-	if (kbdint_next_device(kbdintctxt) == 0) {
+	if (kbdint_next_device(authctxt, kbdintctxt) == 0) {
 		auth2_challenge_stop(authctxt);
 		return 0;
 	}
@@ -268,22 +271,23 @@
 	packet_write_wait();
 
 	for (i = 0; i < kbdintctxt->nreq; i++)
-		xfree(prompts[i]);
-	xfree(prompts);
-	xfree(echo_on);
-	xfree(name);
-	xfree(instr);
+		free(prompts[i]);
+	free(prompts);
+	free(echo_on);
+	free(name);
+	free(instr);
 	return 1;
 }
 
-static void
+static int
 input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 {
 	Authctxt *authctxt = ctxt;
 	KbdintAuthctxt *kbdintctxt;
 	int authenticated = 0, res;
 	u_int i, nresp;
-	char **response = NULL, *method;
+	const char *devicename = NULL;
+	char **response = NULL;
 
 	if (authctxt == NULL)
 		fatal("input_userauth_info_response: no authctxt");
@@ -309,11 +313,10 @@
 	res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
 
 	for (i = 0; i < nresp; i++) {
-		memset(response[i], 'r', strlen(response[i]));
-		xfree(response[i]);
+		explicit_bzero(response[i], strlen(response[i]));
+		free(response[i]);
 	}
-	if (response)
-		xfree(response);
+	free(response);
 
 	switch (res) {
 	case 0:
@@ -329,9 +332,7 @@
 		/* Failure! */
 		break;
 	}
-
-	xasprintf(&method, "keyboard-interactive/%s", kbdintctxt->device->name);
-
+	devicename = kbdintctxt->device->name;
 	if (!authctxt->postponed) {
 		if (authenticated) {
 			auth2_challenge_stop(authctxt);
@@ -341,8 +342,9 @@
 			auth2_challenge_start(authctxt);
 		}
 	}
-	userauth_finish(authctxt, authenticated, method);
-	xfree(method);
+	userauth_finish(authctxt, authenticated, "keyboard-interactive",
+	    devicename);
+	return 0;
 }
 
 void