
Source code changes of the file "contrib/mod_sftp/keys.c" between
proftpd-1.3.6b.tar.gz and proftpd-1.3.6c.tar.gz

About: ProFTPD is a highly configurable FTP server software (with FTPS and SFTP support).

keys.c  (proftpd-1.3.6b):keys.c  (proftpd-1.3.6c)
skipping to change at line 108 skipping to change at line 108
* http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/key-size.htm * http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/key-size.htm
* *
* Note that the RSA size refers to the size of the modulus. The DSA size * Note that the RSA size refers to the size of the modulus. The DSA size
* refers to the size of the modulus. The EC size refers to the minimum * refers to the size of the modulus. The EC size refers to the minimum
* order of the base point on the elliptic curve. * order of the base point on the elliptic curve.
*/ */
static int keys_rsa_min_nbits = 768; static int keys_rsa_min_nbits = 768;
static int keys_dsa_min_nbits = 384; static int keys_dsa_min_nbits = 384;
static int keys_ec_min_nbits = 160; static int keys_ec_min_nbits = 160;
/* OpenSSH's homegrown private key file format.
*
* See the PROTOCOL.key file in the OpenSSH source distribution for details
* on their homegrown private key format. See also the implementations in
* sskey.c#sshkey_private_to_blob2 (for writing private keys) and
* sshkey.c#sshkey_parse_private2 (for reading private keys). The values
* for different encryption ciphers are in the `ciphers[]` table in cipher.c.
*/
#define SFTP_OPENSSH_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
#define SFTP_OPENSSH_END "-----END OPENSSH PRIVATE KEY-----\n"
#define SFTP_OPENSSH_BEGIN_LEN (sizeof(SFTP_OPENSSH_BEGIN) - 1)
#define SFTP_OPENSSH_END_LEN (sizeof(SFTP_OPENSSH_END) - 1)
static const char *trace_channel = "ssh2"; static const char *trace_channel = "ssh2";
static void prepare_provider_fds(int stdout_fd, int stderr_fd) { static void prepare_provider_fds(int stdout_fd, int stderr_fd) {
long nfiles = 0; long nfiles = 0;
register unsigned int i = 0; register unsigned int i = 0;
struct rlimit rlim; struct rlimit rlim;
if (stdout_fd != STDOUT_FILENO) { if (stdout_fd != STDOUT_FILENO) {
if (dup2(stdout_fd, STDOUT_FILENO) < 0) { if (dup2(stdout_fd, STDOUT_FILENO) < 0) {
pr_log_debug(DEBUG0, MOD_SFTP_VERSION pr_log_debug(DEBUG0, MOD_SFTP_VERSION
skipping to change at line 529 skipping to change at line 543
exit(1); exit(1);
} }
*ptr = d; *ptr = d;
p = ((long) d + (pagesz-1)) &~ (pagesz-1); p = ((long) d + (pagesz-1)) &~ (pagesz-1);
return ((char *) p); return ((char *) p);
} }
static int is_openssh_private_key(int fd) {
struct stat st;
char begin_buf[SFTP_OPENSSH_BEGIN_LEN], end_buf[SFTP_OPENSSH_END_LEN];
ssize_t len;
off_t minsz;
if (fstat(fd, &st) < 0) {
return -1;
}
minsz = SFTP_OPENSSH_BEGIN_LEN + SFTP_OPENSSH_END_LEN;
if (st.st_size < minsz) {
return FALSE;
}
len = pread(fd, begin_buf, sizeof(begin_buf), 0);
if (len != sizeof(begin_buf)) {
return FALSE;
}
if (memcmp(begin_buf, SFTP_OPENSSH_BEGIN, SFTP_OPENSSH_BEGIN_LEN) != 0) {
return FALSE;
}
len = pread(fd, end_buf, sizeof(end_buf), st.st_size - SFTP_OPENSSH_END_LEN);
if (len != sizeof(end_buf)) {
return FALSE;
}
if (memcmp(end_buf, SFTP_OPENSSH_END, SFTP_OPENSSH_END_LEN) != 0) {
return FALSE;
}
return TRUE;
}
static int get_passphrase_cb(char *buf, int buflen, int rwflag, void *d) { static int get_passphrase_cb(char *buf, int buflen, int rwflag, void *d) {
static int need_banner = TRUE; static int need_banner = TRUE;
struct sftp_pkey_data *pdata = d; struct sftp_pkey_data *pdata = d;
if (passphrase_provider == NULL) { if (passphrase_provider == NULL) {
register unsigned int attempt; register unsigned int attempt;
size_t pwlen = 0; size_t pwlen = 0;
pr_log_debug(DEBUG0, MOD_SFTP_VERSION ": requesting passphrase from admin"); pr_log_debug(DEBUG0, MOD_SFTP_VERSION ": requesting passphrase from admin");
skipping to change at line 610 skipping to change at line 660
#else #else
PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD); PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD);
#endif #endif
pr_memscrub(buf, buflen); pr_memscrub(buf, buflen);
return -1; return -1;
} }
static int get_passphrase(struct sftp_pkey *k, const char *path) { static int get_passphrase(struct sftp_pkey *k, const char *path) {
char prompt[256]; char prompt[256];
FILE *fp; FILE *fp = NULL;
EVP_PKEY *pkey = NULL; EVP_PKEY *pkey = NULL;
int fd, prompt_fd = -1, res, xerrno; int fd, prompt_fd = -1, res, xerrno, openssh_format = FALSE;
struct sftp_pkey_data pdata; struct sftp_pkey_data pdata;
register unsigned int attempt; register unsigned int attempt;
memset(prompt, '\0', sizeof(prompt)); memset(prompt, '\0', sizeof(prompt));
res = snprintf(prompt, sizeof(prompt)-1, res = snprintf(prompt, sizeof(prompt)-1,
"Host key for the %s#%d (%s) server: ", "Host key for the %s#%d (%s) server: ",
pr_netaddr_get_ipstr(k->server->addr), k->server->ServerPort, pr_netaddr_get_ipstr(k->server->addr), k->server->ServerPort,
k->server->ServerName); k->server->ServerName);
prompt[res] = '\0'; prompt[res] = '\0';
prompt[sizeof(prompt)-1] = '\0'; prompt[sizeof(prompt)-1] = '\0';
skipping to change at line 639 skipping to change at line 689
if (fd < 0) { if (fd < 0) {
SYSerr(SYS_F_FOPEN, xerrno); SYSerr(SYS_F_FOPEN, xerrno);
errno = xerrno; errno = xerrno;
return -1; return -1;
} }
/* Make sure the fd isn't one of the big three. */ /* Make sure the fd isn't one of the big three. */
if (fd <= STDERR_FILENO) { if (fd <= STDERR_FILENO) {
res = pr_fs_get_usable_fd(fd); res = pr_fs_get_usable_fd(fd);
if (res >= 0) { if (res >= 0) {
close(fd); (void) close(fd);
fd = res; fd = res;
} }
} }
fp = fdopen(fd, "r"); openssh_format = is_openssh_private_key(fd);
if (fp == NULL) { if (openssh_format != TRUE) {
xerrno = errno; fp = fdopen(fd, "r");
if (fp == NULL) {
xerrno = errno;
(void) close(fd); (void) close(fd);
SYSerr(SYS_F_FOPEN, xerrno); SYSerr(SYS_F_FOPEN, xerrno);
errno = xerrno; errno = xerrno;
return -1;
}
/* As the file contains sensitive data, we do not want it lingering
* around in stdio buffers.
*/
(void) setvbuf(fp, NULL, _IONBF, 0);
} else {
pr_log_pri(PR_LOG_NOTICE, MOD_SFTP_VERSION
": detected OpenSSH-encoded private SFTPHostKey '%s'; use `ssh-keygen -e -
m PEM -f %s` to convert to supported PEM-encoded key", path, path);
(void) close(fd);
return -1; return -1;
} }
/* As the file contains sensitive data, we do not want it lingering
* around in stdio buffers.
*/
(void) setvbuf(fp, NULL, _IONBF, 0);
k->host_pkey = get_page(PEM_BUFSIZE, &k->host_pkey_ptr); k->host_pkey = get_page(PEM_BUFSIZE, &k->host_pkey_ptr);
if (k->host_pkey == NULL) { if (k->host_pkey == NULL) {
pr_log_pri(PR_LOG_ALERT, MOD_SFTP_VERSION ": Out of memory!"); pr_log_pri(PR_LOG_ALERT, MOD_SFTP_VERSION ": Out of memory!");
exit(1); exit(1);
} }
pdata.s = k->server; pdata.s = k->server;
pdata.buf = k->host_pkey; pdata.buf = k->host_pkey;
pdata.buflen = 0; pdata.buflen = 0;
pdata.bufsz = k->pkeysz; pdata.bufsz = k->pkeysz;
skipping to change at line 3402 skipping to change at line 3461
DSA_free(dsa); DSA_free(dsa);
errno = EINVAL; errno = EINVAL;
return -1; return -1;
} }
} }
dsa_sig = DSA_SIG_new(); dsa_sig = DSA_SIG_new();
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
!defined(HAVE_LIBRESSL) !defined(HAVE_LIBRESSL)
DSA_SIG_get0(sig, &sig_r, &sig_s); DSA_SIG_get0(dsa_sig, &sig_r, &sig_s);
#else #else
sig_r = dsa_sig->r; sig_r = dsa_sig->r;
sig_s = dsa_sig->s; sig_s = dsa_sig->s;
#endif /* prior to OpenSSL-1.1.0 */ #endif /* prior to OpenSSL-1.1.0 */
sig_r = BN_bin2bn(sig, 20, sig_r); sig_r = BN_bin2bn(sig, 20, sig_r);
if (sig_r == NULL) { if (sig_r == NULL) {
(void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION, (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
"error obtaining 'r' DSA signature component: %s", "error obtaining 'r' DSA signature component: %s",
sftp_crypto_get_errors()); sftp_crypto_get_errors());
 End of changes. 10 change blocks. 
15 lines changed or deleted 75 lines changed or added
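Review bot: `dsa_sig = DSA_SIG_new();` is still unchecked before the corrected `DSA_SIG_get0(dsa_sig, &sig_r, &sig_s)` call (and before `dsa_sig->r` in the pre-1.1.0 branch), so an allocation failure dereferences NULL while parsing a signature instead of returning an error the way the surrounding code does for other failures. I would add a guard matching the error paths already in this function, e.g. `if (dsa_sig == NULL) { DSA_free(dsa); errno = ENOMEM; return -1; }`, logging through `pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION, ...)` with `sftp_crypto_get_errors()` as the `BN_bin2bn` failure just below does. The commit's change of the first argument is correct (the old code passed the raw `sig` byte buffer where a `DSA_SIG *` is expected); this note concerns only the missing allocation check. The enclosing function starts before and continues past the hunk, so I cannot see whether `dsa_sig` is released on the later error paths or whether the 20-byte component length is validated earlier.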
