- (djm) Fix SSH1 challenge kludge

 - (djm) Bug #671: Fix builds on OpenBSD
 - (djm) Bug #676: Fix PAM stack corruption
 - (djm) Fix bad free() in PAM code
 - (djm) Don't call pam_end before pam_init
 - (djm) Enable build with old OpenSSL again
 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu

13 files changed, 95 insertions, 51 deletions

diff --git a/ChangeLog b/ChangeLog
index b49a8536..9b34d4a6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,14 @@
    - markus@cvs.openbsd.org 2003/09/19 09:02:02
      [packet.c]
      buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
+ - (djm) Fix SSH1 challenge kludge
+ - (djm) Bug #671: Fix builds on OpenBSD
+ - (djm) Bug #676: Fix PAM stack corruption
+ - (djm) Fix bad free() in PAM code
+ - (djm) Don't call pam_end before pam_init
+ - (djm) Enable build with old OpenSSL again
+ - (djm) Trim deprecated options from INSTALL. Mention UsePAM
+ - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
 20030922
  - (dtucker) [Makefile.in] Bug #644: Fix "make clean" for out-of-tree
@@ -1178,4 +1186,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2994.2.31 2003/09/23 09:00:41 dtucker Exp $
+$Id: ChangeLog,v 1.2994.2.32 2003/09/23 09:24:21 djm Exp $
diff --git a/INSTALL b/INSTALL
index 7b6f71d5..0df6fba1 100644
--- a/INSTALL
+++ b/INSTALL
@@ -101,11 +101,8 @@ name).
 
 There are a few other options to the configure script:
 
---with-pam enables PAM support.
-
---enable-gnome-askpass will build the GNOME passphrase dialog. You
-need a working installation of GNOME, including the development
-headers, for this to work.
+--with-pam enables PAM support. If PAM support is compiled in, it must
+also be enabled in sshd_config (refer to the UsePAM directive).
 
 --with-prngd-socket=/some/file allows you to enable EGD or PRNGD 
 support and to specify a PRNGd socket. Use this if your Unix lacks 
@@ -126,16 +123,6 @@ it if lastlog is installed in a different place.
 --with-osfsia, --without-osfsia will enable or disable OSF1's Security 
 Integration Architecture.  The default for OSF1 machines is enable.
 
---with-kerberos4=PATH will enable Kerberos IV support. You will need
-to have the Kerberos libraries and header files installed for this
-to work. Use the optional PATH argument to specify the root of your
-Kerberos installation.
-
---with-afs=PATH will enable AFS support. You will need to have the
-Kerberos IV and the AFS libraries and header files installed for this
-to work.  Use the optional PATH argument to specify the root of your
-AFS installation. AFS requires Kerberos support to be enabled.
-
 --with-skey=PATH will enable S/Key one time password support. You will 
 need the S/Key libraries and header files installed for this to work.
 
@@ -211,4 +198,4 @@ Please refer to the "reporting bugs" section of the webpage at
 http://www.openssh.com/
 
 
-$Id: INSTALL,v 1.56.2.3 2003/09/22 03:29:00 dtucker Exp $
+$Id: INSTALL,v 1.56.2.4 2003/09/23 09:24:21 djm Exp $
diff --git a/auth-chall.c b/auth-chall.c
index 6b7c8bd1..00d6e0ec 100644
--- a/auth-chall.c
+++ b/auth-chall.c
@@ -92,7 +92,7 @@ verify_response(Authctxt *authctxt, const char *response)
 			xfree(info);
 		}
 		/* if we received more prompts, we're screwed */
-		res = (numprompts != 0);
+		res = (res == 0 && numprompts == 0) ? 0 : -1;
 	}
 	device->free_ctx(authctxt->kbdintctxt);
 	authctxt->kbdintctxt = NULL;
diff --git a/auth-pam.c b/auth-pam.c
index 754cbf6d..2c8feb65 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.72.2.1 2003/09/16 06:00:52 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.72.2.2 2003/09/23 09:24:21 djm Exp $");
 
 #ifdef USE_PAM
 #include <security/pam_appl.h>
@@ -111,12 +111,12 @@ pthread_join(sp_pthread_t thread, void **value __unused)
 #endif
 
 
-static pam_handle_t *sshpam_handle;
-static int sshpam_err;
-static int sshpam_authenticated;
-static int sshpam_new_authtok_reqd;
-static int sshpam_session_open;
-static int sshpam_cred_established;
+static pam_handle_t *sshpam_handle = NULL;
+static int sshpam_err = 0;
+static int sshpam_authenticated = 0;
+static int sshpam_new_authtok_reqd = 0;
+static int sshpam_session_open = 0;
+static int sshpam_cred_established = 0;
 
 struct pam_ctxt {
 	sp_pthread_t	 pam_thread;
@@ -136,42 +136,51 @@ sshpam_thread_conv(int n, const struct pam_message **msg,
 {
 	Buffer buffer;
 	struct pam_ctxt *ctxt;
+	struct pam_response *reply;
 	int i;
 
+	*resp = NULL;
+
 	ctxt = data;
 	if (n <= 0 || n > PAM_MAX_NUM_MSG)
 		return (PAM_CONV_ERR);
-	*resp = xmalloc(n * sizeof **resp);
+
+	if ((reply = malloc(n * sizeof(*reply))) == NULL)
+		return (PAM_CONV_ERR);
+	memset(reply, 0, n * sizeof(*reply));
+
 	buffer_init(&buffer);
 	for (i = 0; i < n; ++i) {
-		resp[i]->resp_retcode = 0;
-		resp[i]->resp = NULL;
 		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
 		case PAM_PROMPT_ECHO_OFF:
-			buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg));
+			buffer_put_cstring(&buffer, 
+			    PAM_MSG_MEMBER(msg, i, msg));
 			ssh_msg_send(ctxt->pam_csock, 
 			    PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
 			ssh_msg_recv(ctxt->pam_csock, &buffer);
 			if (buffer_get_char(&buffer) != PAM_AUTHTOK)
 				goto fail;
-			resp[i]->resp = buffer_get_string(&buffer, NULL);
+			reply[i].resp = buffer_get_string(&buffer, NULL);
 			break;
 		case PAM_PROMPT_ECHO_ON:
-			buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg));
+			buffer_put_cstring(&buffer, 
+			    PAM_MSG_MEMBER(msg, i, msg));
 			ssh_msg_send(ctxt->pam_csock, 
 			    PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
 			ssh_msg_recv(ctxt->pam_csock, &buffer);
 			if (buffer_get_char(&buffer) != PAM_AUTHTOK)
 				goto fail;
-			resp[i]->resp = buffer_get_string(&buffer, NULL);
+			reply[i].resp = buffer_get_string(&buffer, NULL);
 			break;
 		case PAM_ERROR_MSG:
-			buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg));
+			buffer_put_cstring(&buffer, 
+			    PAM_MSG_MEMBER(msg, i, msg));
 			ssh_msg_send(ctxt->pam_csock, 
 			    PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
 			break;
 		case PAM_TEXT_INFO:
-			buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg));
+			buffer_put_cstring(&buffer, 
+			    PAM_MSG_MEMBER(msg, i, msg));
 			ssh_msg_send(ctxt->pam_csock, 
 			    PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
 			break;
@@ -181,12 +190,15 @@ sshpam_thread_conv(int n, const struct pam_message **msg,
 		buffer_clear(&buffer);
 	}
 	buffer_free(&buffer);
+	*resp = reply;
 	return (PAM_SUCCESS);
+
  fail:
-	while (i)
-		xfree(resp[--i]);
-	xfree(*resp);
-	*resp = NULL;
+	for(i = 0; i < n; i++) {
+		if (reply[i].resp != NULL)
+			xfree(reply[i].resp);
+	}
+	xfree(reply);
 	buffer_free(&buffer);
 	return (PAM_CONV_ERR);
 }
@@ -258,6 +270,8 @@ sshpam_cleanup(void *arg)
 {
 	(void)arg;
 	debug("PAM: cleanup");
+	if (sshpam_handle == NULL)
+		return;
 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
 	if (sshpam_cred_established) {
 		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
@@ -600,40 +614,50 @@ pam_chauthtok_conv(int n, const struct pam_message **msg,
     struct pam_response **resp, void *data)
 {
 	char input[PAM_MAX_MSG_SIZE];
+	struct pam_response *reply;
 	int i;
 
+	*resp = NULL;
+
 	if (n <= 0 || n > PAM_MAX_NUM_MSG)
 		return (PAM_CONV_ERR);
-	*resp = xmalloc(n * sizeof **resp);
+
+	if ((reply = malloc(n * sizeof(*reply))) == NULL)
+		return (PAM_CONV_ERR);
+	memset(reply, 0, n * sizeof(*reply));
+
 	for (i = 0; i < n; ++i) {
 		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
 		case PAM_PROMPT_ECHO_OFF:
-			resp[i]->resp =
+			reply[i].resp =
 			    read_passphrase(PAM_MSG_MEMBER(msg, i, msg), 
 			    RP_ALLOW_STDIN);
-			resp[i]->resp_retcode = PAM_SUCCESS;
+			reply[i].resp_retcode = PAM_SUCCESS;
 			break;
 		case PAM_PROMPT_ECHO_ON:
 			fputs(PAM_MSG_MEMBER(msg, i, msg), stderr);
 			fgets(input, sizeof input, stdin);
-			resp[i]->resp = xstrdup(input);
-			resp[i]->resp_retcode = PAM_SUCCESS;
+			reply[i].resp = xstrdup(input);
+			reply[i].resp_retcode = PAM_SUCCESS;
 			break;
 		case PAM_ERROR_MSG:
 		case PAM_TEXT_INFO:
 			fputs(PAM_MSG_MEMBER(msg, i, msg), stderr);
-			resp[i]->resp_retcode = PAM_SUCCESS;
+			reply[i].resp_retcode = PAM_SUCCESS;
 			break;
 		default:
 			goto fail;
 		}
 	}
+	*resp = reply;
 	return (PAM_SUCCESS);
+
  fail:
-	while (i)
-		xfree(resp[--i]);
-	xfree(*resp);
-	*resp = NULL;
+	for(i = 0; i < n; i++) {
+		if (reply[i].resp != NULL)
+			xfree(reply[i].resp);
+	}
+	xfree(reply);
 	return (PAM_CONV_ERR);
 }
 
diff --git a/cipher-3des1.c b/cipher-3des1.c
index f9a35239..6f9f5dd6 100644
--- a/cipher-3des1.c
+++ b/cipher-3des1.c
@@ -29,6 +29,10 @@ RCSID("$OpenBSD: cipher-3des1.c,v 1.1 2003/05/15 03:08:29 markus Exp $");
 #include "xmalloc.h"
 #include "log.h"
 
+#if OPENSSL_VERSION_NUMBER < 0x00906000L
+#define SSH_OLD_EVP
+#endif
+
 /*
  * This is used by SSH1:
  *
diff --git a/cipher-aes.c b/cipher-aes.c
index c41def60..7ba95019 100644
--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -31,6 +31,10 @@ RCSID("$OpenBSD: cipher-aes.c,v 1.1 2003/05/15 03:08:29 markus Exp $");
 #include "xmalloc.h"
 #include "log.h"
 
+#if OPENSSL_VERSION_NUMBER < 0x00906000L
+#define SSH_OLD_EVP
+#endif
+
 #define RIJNDAEL_BLOCKSIZE 16
 struct ssh_rijndael_ctx
 {
diff --git a/cipher-bf1.c b/cipher-bf1.c
index 64578bae..5af695c1 100644
--- a/cipher-bf1.c
+++ b/cipher-bf1.c
@@ -28,6 +28,11 @@ RCSID("$OpenBSD: cipher-bf1.c,v 1.1 2003/05/15 03:08:29 markus Exp $");
 #include <openssl/evp.h>
 #include "xmalloc.h"
 #include "log.h"
+
+#if OPENSSL_VERSION_NUMBER < 0x00906000L
+#define SSH_OLD_EVP
+#endif
+
 /*
  * SSH1 uses a variation on Blowfish, all bytes must be swapped before
  * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
diff --git a/cipher-ctr.c b/cipher-ctr.c
index a2bab5c1..4f0814b2 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -21,6 +21,10 @@ RCSID("$OpenBSD: cipher-ctr.c,v 1.2 2003/06/17 18:14:23 markus Exp $");
 #include "log.h"
 #include "xmalloc.h"
 
+#if OPENSSL_VERSION_NUMBER < 0x00906000L
+#define SSH_OLD_EVP
+#endif
+
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
 #include "rijndael.h"
 #define AES_KEY rijndael_ctx
@@ -135,7 +139,9 @@ evp_aes_128_ctr(void)
 	aes_ctr.init = ssh_aes_ctr_init;
 	aes_ctr.cleanup = ssh_aes_ctr_cleanup;
 	aes_ctr.do_cipher = ssh_aes_ctr;
+#ifndef SSH_OLD_EVP
 	aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
 	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+#endif
 	return (&aes_ctr);
 }
diff --git a/cipher.c b/cipher.c
index e7c3c541..ce533670 100644
--- a/cipher.c
+++ b/cipher.c
@@ -87,9 +87,11 @@ struct Cipher {
 	{ "rijndael-cbc@lysator.liu.se",
 				SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
 #endif
+#if OPENSSL_VERSION_NUMBER >= 0x00906000L
 	{ "aes128-ctr", 	SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr },
 	{ "aes192-ctr", 	SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr },
 	{ "aes256-ctr", 	SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr },
+#endif
 
 	{ NULL,			SSH_CIPHER_ILLEGAL, 0, 0, NULL }
 };
diff --git a/configure.ac b/configure.ac
index 71643108..916dc107 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.154.2.10 2003/09/23 02:51:37 tim Exp $
+# $Id: configure.ac,v 1.154.2.11 2003/09/23 09:24:21 djm Exp $
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -480,7 +480,7 @@ AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \
 	sys/cdefs.h sys/mman.h sys/pstat.h sys/select.h sys/stat.h \
 	sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \
 	sys/un.h time.h tmpdir.h ttyent.h usersec.h \
-	util.h utime.h utmp.h utmpx.h)
+	util.h utime.h utmp.h utmpx.h vis.h)
 
 # Checks for libraries.
 AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
diff --git a/log.c b/log.c
index 58ce8e5d..9bce2555 100644
--- a/log.c
+++ b/log.c
@@ -40,6 +40,9 @@ RCSID("$OpenBSD: log.c,v 1.28 2003/05/24 09:02:22 djm Exp $");
 #include "xmalloc.h"
 
 #include <syslog.h>
+#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
+# include <vis.h>
+#endif
 
 static LogLevel log_level = SYSLOG_LEVEL_INFO;
 static int log_on_stderr = 1;
diff --git a/servconf.c b/servconf.c
index 71e28b3c..58f49a2f 100644
--- a/servconf.c
+++ b/servconf.c
@@ -110,7 +110,7 @@ fill_default_server_options(ServerOptions *options)
 {
 	/* Portable-specific options */
 	if (options->use_pam == -1)
-		options->use_pam = 1;
+		options->use_pam = 0;
 
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
diff --git a/sftp-int.c b/sftp-int.c
index 94299aa4..c93eaabf 100644
--- a/sftp-int.c
+++ b/sftp-int.c
@@ -351,6 +351,7 @@ get_pathname(const char **cpp, char **path)
 		for (i = j = 0; i <= strlen(cp); i++) {
 			if (cp[i] == quot) {	/* Found quote */
 				(*path)[j] = '\0';
+				i++;
 				break;
 			}
 			if (cp[i] == '\0') {	/* End of string */