diff -ruN openssh-5.3p1+x509-6.2.1/log.c openssh-5.3p1+x509-6.2.2/log.c --- openssh-5.3p1+x509-6.2.1/log.c 2009-10-02 09:06:01.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/log.c 2010-02-28 09:06:01.000000000 +0200 @@ -394,11 +394,11 @@ } else { #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); - syslog_r(pri, &sdata, "%.500s", fmtbuf); + syslog_r(pri, &sdata, "%.1000s", fmtbuf); closelog_r(&sdata); #else openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility); - syslog(pri, "%.500s", fmtbuf); + syslog(pri, "%.1000s", fmtbuf); closelog(); #endif } diff -ruN openssh-5.3p1+x509-6.2.1/moduli.0 openssh-5.3p1+x509-6.2.2/moduli.0 --- openssh-5.3p1+x509-6.2.1/moduli.0 2009-10-02 09:06:00.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/moduli.0 2010-02-28 09:06:00.000000000 +0200 @@ -69,4 +69,4 @@ Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, 2006. -BSD October 1, 2009 BSD +BSD February 28, 2010 BSD diff -ruN openssh-5.3p1+x509-6.2.1/README.x509v3 openssh-5.3p1+x509-6.2.2/README.x509v3 --- openssh-5.3p1+x509-6.2.1/README.x509v3 2009-08-03 01:26:31.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/README.x509v3 2009-12-26 17:25:29.000000000 +0200 @@ -120,9 +120,9 @@ IMPORTANT NOTE (if a distinguished name contain non-ascii character): - for versions 6.+: ALWAIS use "openssl x509" command option -nameopt ! - The parser don't and willn't support output without -nameopt + The parser don't and won't support output without -nameopt - for versions prior 6.0: - The program could'not parse subject. Use "blob" format (see below). + The program could'not parse non-latin subject. Use "blob" format (see below). - Order of items in is not important and separator can be symbol "/", "," or mixed. All following subjects are equal: @@ -134,7 +134,7 @@ - CertBlob is base64 encoded sequence of bytes in only one line. Shell sample: -- "Distinguished Name" format: +- "Distinguished Name" format (rsa key): $ ( printf 'x509v3-sign-rsa '; openssl x509 -noout -subject \ -in A_OPENSSH_IDENTITY_FILE \ diff -ruN openssh-5.3p1+x509-6.2.1/scp.0 openssh-5.3p1+x509-6.2.2/scp.0 --- openssh-5.3p1+x509-6.2.1/scp.0 2009-10-02 09:06:00.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/scp.0 2010-02-28 09:06:00.000000000 +0200 @@ -95,4 +95,4 @@ Timo Rinne Tatu Ylonen -BSD October 1, 2009 BSD +BSD February 28, 2010 BSD diff -ruN openssh-5.3p1+x509-6.2.1/sftp.0 openssh-5.3p1+x509-6.2.2/sftp.0 --- openssh-5.3p1+x509-6.2.1/sftp.0 2009-10-02 09:06:00.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/sftp.0 2010-02-28 09:06:00.000000000 +0200 @@ -221,4 +221,4 @@ T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- filexfer-00.txt, January 2001, work in progress material. -BSD October 1, 2009 BSD +BSD February 28, 2010 BSD diff -ruN openssh-5.3p1+x509-6.2.1/sftp-server.0 openssh-5.3p1+x509-6.2.2/sftp-server.0 --- openssh-5.3p1+x509-6.2.1/sftp-server.0 2009-10-02 09:06:00.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/sftp-server.0 2010-02-28 09:06:00.000000000 +0200 @@ -47,4 +47,4 @@ AUTHORS Markus Friedl -BSD October 1, 2009 BSD +BSD February 28, 2010 BSD diff -ruN openssh-5.3p1+x509-6.2.1/ssh.0 openssh-5.3p1+x509-6.2.2/ssh.0 --- openssh-5.3p1+x509-6.2.1/ssh.0 2009-10-02 09:06:00.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/ssh.0 2010-02-28 09:06:00.000000000 +0200 @@ -856,4 +856,4 @@ versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- tificates. -BSD October 1, 2009 BSD +BSD February 28, 2010 BSD diff -ruN openssh-5.3p1+x509-6.2.1/ssh-add.0 openssh-5.3p1+x509-6.2.2/ssh-add.0 --- openssh-5.3p1+x509-6.2.1/ssh-add.0 2009-10-02 09:06:00.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/ssh-add.0 2010-02-28 09:06:00.000000000 +0200 @@ -107,4 +107,4 @@ versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- tificates. -BSD October 1, 2009 BSD +BSD February 28, 2010 BSD diff -ruN openssh-5.3p1+x509-6.2.1/ssh-agent.0 openssh-5.3p1+x509-6.2.2/ssh-agent.0 --- openssh-5.3p1+x509-6.2.1/ssh-agent.0 2009-10-02 09:06:00.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/ssh-agent.0 2010-02-28 09:06:00.000000000 +0200 @@ -119,4 +119,4 @@ versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- tificates. -BSD October 1, 2009 BSD +BSD February 28, 2010 BSD diff -ruN openssh-5.3p1+x509-6.2.1/ssh_config.0 openssh-5.3p1+x509-6.2.2/ssh_config.0 --- openssh-5.3p1+x509-6.2.1/ssh_config.0 2009-10-02 09:06:00.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/ssh_config.0 2010-02-28 09:06:00.000000000 +0200 @@ -799,4 +799,4 @@ versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- tificates. -BSD October 1, 2009 BSD +BSD February 28, 2010 BSD diff -ruN openssh-5.3p1+x509-6.2.1/sshd.0 openssh-5.3p1+x509-6.2.2/sshd.0 --- openssh-5.3p1+x509-6.2.1/sshd.0 2009-10-02 09:06:00.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/sshd.0 2010-02-28 09:06:00.000000000 +0200 @@ -609,4 +609,4 @@ System security is not improved unless rshd, rlogind, and rexecd are dis- abled (thus completely disabling rlogin and rsh into the machine). -BSD October 1, 2009 BSD +BSD February 28, 2010 BSD diff -ruN openssh-5.3p1+x509-6.2.1/sshd_config.0 openssh-5.3p1+x509-6.2.2/sshd_config.0 --- openssh-5.3p1+x509-6.2.1/sshd_config.0 2009-10-02 09:06:00.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/sshd_config.0 2010-02-28 09:06:00.000000000 +0200 @@ -774,4 +774,4 @@ for privilege separation. Roumen Petrov contributed support for X.509 certificates. -BSD October 1, 2009 BSD +BSD February 28, 2010 BSD diff -ruN openssh-5.3p1+x509-6.2.1/ssh-keygen.0 openssh-5.3p1+x509-6.2.2/ssh-keygen.0 --- openssh-5.3p1+x509-6.2.1/ssh-keygen.0 2009-10-02 09:06:00.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/ssh-keygen.0 2010-02-28 09:06:00.000000000 +0200 @@ -305,4 +305,4 @@ versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- tificates. -BSD October 1, 2009 BSD +BSD February 28, 2010 BSD diff -ruN openssh-5.3p1+x509-6.2.1/ssh-keyscan.0 openssh-5.3p1+x509-6.2.2/ssh-keyscan.0 --- openssh-5.3p1+x509-6.2.1/ssh-keyscan.0 2009-10-02 09:06:00.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/ssh-keyscan.0 2010-02-28 09:06:00.000000000 +0200 @@ -111,4 +111,4 @@ This is because it opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key. -BSD October 1, 2009 BSD +BSD February 28, 2010 BSD diff -ruN openssh-5.3p1+x509-6.2.1/ssh-keysign.0 openssh-5.3p1+x509-6.2.2/ssh-keysign.0 --- openssh-5.3p1+x509-6.2.1/ssh-keysign.0 2009-10-02 09:06:00.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/ssh-keysign.0 2010-02-28 09:06:00.000000000 +0200 @@ -41,4 +41,4 @@ AUTHORS Markus Friedl -BSD October 1, 2009 BSD +BSD February 28, 2010 BSD diff -ruN openssh-5.3p1+x509-6.2.1/ssh-ocsp.c openssh-5.3p1+x509-6.2.2/ssh-ocsp.c --- openssh-5.3p1+x509-6.2.1/ssh-ocsp.c 2009-08-03 01:37:57.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/ssh-ocsp.c 2009-12-26 12:34:11.000000000 +0200 @@ -45,30 +45,24 @@ #ifdef sk_OPENSSL_STRING_new_null /* - * STACK_OF(OPENSSL_STRING) is defined for openssl version >= 1.1 - * (OPENSSL_VERSION_NUMBER >= 0x10100000L). + * STACK_OF(OPENSSL_STRING) is defined for openssl version >= 1.0 + * (OPENSSL_VERSION_NUMBER >= 0x10000000L). * NOTE: We will test for definition of sk_OPENSSL_STRING_new_null * instead openssl version number ! */ #define ssh_sk_OPENSSL_STRING STACK_OF(OPENSSL_STRING) -#if 0 -/* +static void OPENSSL_STRING_xfree(OPENSSL_STRING p) { +/* xfree warnings for OpenSSL 1+: .../ssh-ocsp.c: In function 'ssh_ocsp_validate2': -.../ssh-ocsp.c:840: warning: pointer type mismatch in conditional expression -.../ssh-ocsp.c:840: warning: ISO C forbids conversion of object pointer to function pointer type +.../ssh-ocsp.c:845: warning: pointer type mismatch in conditional expression +.../ssh-ocsp.c:845: warning: ISO C forbids conversion of object pointer to function pointer type */ -#undef sk_OPENSSL_STRING_pop_free -#define SSH_CHECKED_SK_FREE_FUNC2(type, p) \ - ((void (*)(void *)) ((1 ? (void (*)(type))p : (void (*)(type))0))) - -#define sk_OPENSSL_STRING_pop_free(st, free_func) sk_pop_free(\ - CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), \ - SSH_CHECKED_SK_FREE_FUNC2(OPENSSL_STRING, free_func) \ -) -#endif + xfree(p); +} + +#else /* !def sk_OPENSSL_STRING_new_null */ -#else #ifdef sk_STRING_new_null /*some OpenSSL 1.0 pre and release candidate */ # define ssh_sk_OPENSSL_STRING STACK_OF(STRING) @@ -77,14 +71,24 @@ # define sk_OPENSSL_STRING_num sk_STRING_num # define sk_OPENSSL_STRING_value sk_STRING_value # define sk_OPENSSL_STRING_pop_free sk_STRING_pop_free -#else + +static void OPENSSL_STRING_xfree(STRING p) { + xfree(p); +} + +#else /* !def sk_STRING_new_null */ + # define ssh_sk_OPENSSL_STRING STACK # define sk_OPENSSL_STRING_new_null sk_new_null # define sk_OPENSSL_STRING_push sk_push # define sk_OPENSSL_STRING_num sk_num # define sk_OPENSSL_STRING_value sk_value # define sk_OPENSSL_STRING_pop_free sk_pop_free + +#define OPENSSL_STRING_xfree xfree + #endif + #endif static VAOptions va = { SSHVA_NONE, NULL, NULL }; @@ -849,7 +853,7 @@ exit: if (br != NULL) OCSP_BASICRESP_free(br); if (resp != NULL) OCSP_RESPONSE_free(resp); - if (subjs != NULL) sk_OPENSSL_STRING_pop_free(subjs, xfree); + if (subjs != NULL) sk_OPENSSL_STRING_pop_free(subjs, OPENSSL_STRING_xfree); if (ids != NULL) sk_OCSP_CERTID_free(ids); if (req != NULL) OCSP_REQUEST_free(req); if (vacrts != NULL) sk_X509_pop_free(vacrts, X509_free); diff -ruN openssh-5.3p1+x509-6.2.1/ssh-x509.c openssh-5.3p1+x509-6.2.2/ssh-x509.c --- openssh-5.3p1+x509-6.2.1/ssh-x509.c 2007-10-24 01:09:03.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/ssh-x509.c 2010-02-27 17:44:37.000000000 +0200 @@ -52,6 +52,30 @@ } +static inline int +ssh_EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type) { +#ifdef OPENSSL_EVP_DIGESTUPDATE_VOID + /* OpenSSL < 0.9.7 */ + EVP_VerifyInit(ctx, type); + return(1); +#else + return(EVP_VerifyInit(ctx, type)); +#endif +} + + +static inline int +ssh_EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt) { +#ifdef OPENSSL_EVP_DIGESTUPDATE_VOID + /* OpenSSL < 0.9.7 */ + EVP_VerifyUpdate(ctx, d, cnt); + return(1); +#else + return(EVP_VerifyUpdate(ctx, d, cnt)); +#endif +} + + int ssh_X509_NAME_print(BIO* bio, X509_NAME *xn) { static u_long print_flags = ((XN_FLAG_ONELINE & \ @@ -1084,8 +1108,22 @@ EVP_MD_CTX ctx; debug3("ssh_x509_verify: md=%.30s, loc=%d", xkalg->dgst.name, loc); - EVP_VerifyInit(&ctx, xkalg->dgst.evp); - EVP_VerifyUpdate(&ctx, data, datalen); + ret = ssh_EVP_VerifyInit(&ctx, xkalg->dgst.evp); + if (ret <= 0) { + char ebuf[256]; + error("ssh_x509_verify: EVP_VerifyInit" + " fail with errormsg='%.*s'" + , sizeof(ebuf), openssl_errormsg(ebuf, sizeof(ebuf))); + continue; + } + ret = ssh_EVP_VerifyUpdate(&ctx, data, datalen); + if (ret <= 0) { + char ebuf[256]; + error("ssh_x509_verify: EVP_VerifyUpdate" + " fail with errormsg='%.*s'" + , sizeof(ebuf), openssl_errormsg(ebuf, sizeof(ebuf))); + continue; + } ret = EVP_VerifyFinal(&ctx, sigblob, len, pubkey); if (ret > 0) break; } diff -ruN openssh-5.3p1+x509-6.2.1/ssh-xkalg.c openssh-5.3p1+x509-6.2.2/ssh-xkalg.c --- openssh-5.3p1+x509-6.2.1/ssh-xkalg.c 2009-07-31 19:34:20.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/ssh-xkalg.c 2009-10-15 22:42:37.000000000 +0300 @@ -187,7 +187,7 @@ EVP_PKEY_DSARAW_method, SHA_CBLOCK, sizeof(EVP_MD *)+sizeof(SHA_CTX), -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#if OPENSSL_VERSION_NUMBER >= 0x10000000L NULL /*md_ctrl*/ #endif }; diff -ruN openssh-5.3p1+x509-6.2.1/tests/CA/config openssh-5.3p1+x509-6.2.2/tests/CA/config --- openssh-5.3p1+x509-6.2.1/tests/CA/config 2009-06-16 01:39:20.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/tests/CA/config 2010-02-28 00:49:36.000000000 +0200 @@ -88,12 +88,18 @@ # These are the known patent issues with OpenSSL: # name # expires -# mdc2: 4,908,861 13/03/2007 +# mdc2: 4,908,861 13/03/2007 - enabled in OpenSSL 1.x branches from 2009-08-12 # idea: 5,214,703 25/05/2010 # rc5: 5,724,428 03/03/2015 +# +# Note the MD2 hash algorithm is considered as weak (2009) and +# most vendors disable it in openssl. Also from 2009-07-08 +# OpenSSL team disable md2 by default in 0.9.8 and 1.x branches. +# This is reason md2 to be removed from list starting with +# "X.509 certificate support version 6.3". if test -z "${RSA_DIGEST_LIST}"; then - for DIGEST in md5 sha1 md2 md4 rmd160; do + for DIGEST in md5 sha1 mdc2 md4 rmd160; do if "${OPENSSL}" dgst -${DIGEST} "${OPENSSL}" >/dev/null 2>&1; then RSA_DIGEST_LIST="${RSA_DIGEST_LIST} ${DIGEST}" fi diff -ruN openssh-5.3p1+x509-6.2.1/tests/CA/openssh_tests.sh openssh-5.3p1+x509-6.2.2/tests/CA/openssh_tests.sh --- openssh-5.3p1+x509-6.2.1/tests/CA/openssh_tests.sh 2007-01-29 01:17:54.000000000 +0200 +++ openssh-5.3p1+x509-6.2.2/tests/CA/openssh_tests.sh 2010-02-28 00:38:06.000000000 +0200 @@ -39,7 +39,11 @@ #TEST_SSH_SFTP #TEST_SSH_SFTPSERVER +# prevent user environment influence +unset SSH_AGENT_PID +unset SSH_AUTH_SOCK +# regression test files SSHD_LOG="${CWD}/sshd_x509.log" SSHD_PID="${CWD}/.sshd_x509.pid" SSHD_CFG="${CWD}/sshd_config-certTests" diff -ruN openssh-5.3p1+x509-6.2.1/x509store.c openssh-5.3p1+x509-6.2.2/x509store.c --- openssh-5.3p1+x509-6.2.1/x509store.c 2009-08-03 01:09:06.000000000 +0300 +++ openssh-5.3p1+x509-6.2.2/x509store.c 2009-12-26 12:22:45.000000000 +0200 @@ -59,7 +59,6 @@ #ifndef SSH_X509STORE_DISABLED static X509_STORE *x509store = NULL; - #if OPENSSL_VERSION_NUMBER < 0x00907000L /* void X509_STORE_CTX_init() */ static int ssh_X509_STORE_CTX_init ( @@ -133,35 +132,24 @@ static int ssh_x509store_cb(int ok, X509_STORE_CTX *ctx) { + int ctx_error = X509_STORE_CTX_get_error(ctx); + X509 *ctx_cert = X509_STORE_CTX_get_current_cert(ctx); + if ((!ok) && - (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) + (ctx_error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ) { if (ssh_x509flags.key_allow_selfissued) - ok = ssh_is_selfsigned(ctx->cert); + ok = ssh_is_selfsigned(ctx_cert); } if (!ok) { char *buf; - buf = ssh_X509_NAME_oneline(X509_get_subject_name(ctx->current_cert)); /*fatal on error*/ + buf = ssh_X509_NAME_oneline(X509_get_subject_name(ctx_cert)); /*fatal on error*/ error("ssh_x509store_cb: subject='%s', error %d at %d depth lookup:%.200s", buf, - ctx->error, - ctx->error_depth, - X509_verify_cert_error_string(ctx->error)); + ctx_error, + X509_STORE_CTX_get_error_depth(ctx), + X509_verify_cert_error_string(ctx_error)); xfree(buf); - -#if 0 - if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1; - /* since we are just checking the certificates, it is - * ok if they are self signed. But we should still warn - * the user. - */ - if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; - /* Continue after extension errors too */ - if (ctx->error == X509_V_ERR_INVALID_CA) ok=1; - if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1; - if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1; - if (ctx->error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) ok=1; -#endif } #ifdef SSH_CHECK_REVOKED if (ok) {