- djm@cvs.openbsd.org 2004/12/22 02:13:19
     [cipher-ctr.c cipher.c]
     remove fallback AES support for old OpenSSL, as OpenBSD has had it for
     many years now; ok deraadt@
     (Id sync only: Portable will continue to support older OpenSSLs)
diff --git a/ChangeLog b/ChangeLog
index 19101ef..9eab2b4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,11 @@
      behaviour for bsdauth is maintained by checking authctxt->valid in the
      bsdauth driver.  Note that any third-party kbdint drivers will now need
      to be able to handle responses for invalid logins.  ok markus@
+   - djm@cvs.openbsd.org 2004/12/22 02:13:19
+     [cipher-ctr.c cipher.c]
+     remove fallback AES support for old OpenSSL, as OpenBSD has had it for
+     many years now; ok deraadt@
+     (Id sync only: Portable will continue to support older OpenSSLs)
  - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
    existence via keyboard-interactive/pam, in conjunction with previous
    auth2-chall.c change; with Colin Watson and djm.
@@ -2005,4 +2010,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3617 2005/01/20 01:43:38 dtucker Exp $
+$Id: ChangeLog,v 1.3618 2005/01/20 02:27:56 dtucker Exp $
diff --git a/auth-pam.c b/auth-pam.c
index 996964f..5bffe33 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.119 2005/01/20 01:43:39 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.120 2005/01/20 02:27:56 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -245,6 +245,17 @@
 	}
 }
 
+/* Check ssh internal flags in addition to PAM */
+
+static int
+sshpam_login_allowed(Authctxt *ctxt)
+{
+	if (ctxt->valid && (ctxt->pw->pw_uid != 0 ||
+	    options.permit_root_login == PERMIT_YES))
+		return 1;
+	return 0;
+}
+
 /* Import regular and PAM environment from subprocess */
 static void
 import_environments(Buffer *b)
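Review bot: The comment above `sshpam_login_allowed()` does not state the contract that the four call sites in this file now depend on. Its result decides whether the real password or `badpw` is handed to PAM, so I would spell it out, e.g. `/* Returns 1 only if the user is valid and, for uid 0, PermitRootLogin is "yes"; any other PermitRootLogin value denies root on the PAM paths. */`. The helper also dereferences `ctxt->pw` whenever `ctxt->valid` is set. Valid users presumably always have a passwd entry, but that invariant is not visible in this hunk and deserves a mention in the comment.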
@@ -702,9 +713,7 @@
 				**prompts = NULL;
 			}
 			if (type == PAM_SUCCESS) {
-				if (!sshpam_authctxt->valid ||
-				    (sshpam_authctxt->pw->pw_uid == 0 &&
-				    options.permit_root_login != PERMIT_YES))
+				if (!sshpam_login_allowed(sshpam_authctxt))
 					fatal("Internal error: PAM auth "
 					    "succeeded when it should have "
 					    "failed");
@@ -753,9 +762,7 @@
 		return (-1);
 	}
 	buffer_init(&buffer);
-	if (sshpam_authctxt->valid &&
-	    (sshpam_authctxt->pw->pw_uid != 0 ||
-	     options.permit_root_login == PERMIT_YES))
+	if (sshpam_login_allowed(sshpam_authctxt))
 		buffer_put_cstring(&buffer, *resp);
 	else
 		buffer_put_cstring(&buffer, badpw);
@@ -1118,8 +1125,7 @@
 	 * by PermitRootLogin, use an invalid password to prevent leaking
 	 * information via timing (eg if the PAM config has a delay on fail).
 	 */
-	if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
-	     options.permit_root_login != PERMIT_YES))
+	if (!sshpam_login_allowed(authctxt))
 		sshpam_password = badpw;
 
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
@@ -1130,7 +1136,7 @@
 
 	sshpam_err = pam_authenticate(sshpam_handle, flags);
 	sshpam_password = NULL;
-	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
+	if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) {
 		debug("PAM: password authentication accepted for %.100s",
 		    authctxt->user);
                return 1;
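Review bot: The success test in this hunk now applies the PermitRootLogin check as well as `authctxt->valid`, but a `PAM_SUCCESS` for a disallowed login is handled more quietly here than on the keyboard-interactive path. The hunk at -702 calls `fatal()` in the same situation. The branch taken when the condition is false lies outside the hunk, so the event may already be logged there. If it is not, a distinct message such as `error("PAM: password authentication succeeded for disallowed user %.100s", authctxt->user);` would let operators see a PAM stack that accepts `badpw`, instead of it looking like an ordinary failed password.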
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 395dabe..43f1ede 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: cipher-ctr.c,v 1.4 2004/02/06 23:41:13 dtucker Exp $");
+RCSID("$OpenBSD: cipher-ctr.c,v 1.5 2004/12/22 02:13:19 djm Exp $");
 
 #include <openssl/evp.h>
 
diff --git a/cipher.c b/cipher.c
index 075a4c5..64be057 100644
--- a/cipher.c
+++ b/cipher.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.71 2004/07/28 09:40:29 markus Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.72 2004/12/22 02:13:19 djm Exp $");
 
 #include "xmalloc.h"
 #include "log.h"