mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-07 00:50:50 +00:00
535af610a4
Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567 Full release notes at https://www.openssh.com/txt/release-9.4 Relnotes: Yes Sponsored by: The FreeBSD Foundation
87 lines
2.4 KiB
C
87 lines
2.4 KiB
C
/*
|
|
* Copyright (c) 2018 Damien Miller <djm@mindrot.org>
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
|
|
#ifdef WITH_OPENSSL
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
#include <openssl/evp.h>
|
|
|
|
#ifndef HAVE_EVP_CIPHER_CTX_GET_IV
|
|
int
|
|
EVP_CIPHER_CTX_get_iv(const EVP_CIPHER_CTX *ctx, unsigned char *iv, size_t len)
|
|
{
|
|
if (ctx == NULL)
|
|
return 0;
|
|
if (EVP_CIPHER_CTX_iv_length(ctx) < 0)
|
|
return 0;
|
|
if (len != (size_t)EVP_CIPHER_CTX_iv_length(ctx))
|
|
return 0;
|
|
if (len > EVP_MAX_IV_LENGTH)
|
|
return 0; /* sanity check; shouldn't happen */
|
|
/*
|
|
* Skip the memcpy entirely when the requested IV length is zero,
|
|
* since the iv pointer may be NULL or invalid.
|
|
*/
|
|
if (len != 0) {
|
|
if (iv == NULL)
|
|
return 0;
|
|
# ifdef HAVE_EVP_CIPHER_CTX_IV
|
|
memcpy(iv, EVP_CIPHER_CTX_iv(ctx), len);
|
|
# else
|
|
memcpy(iv, ctx->iv, len);
|
|
# endif /* HAVE_EVP_CIPHER_CTX_IV */
|
|
}
|
|
return 1;
|
|
}
|
|
#endif /* HAVE_EVP_CIPHER_CTX_GET_IV */
|
|
|
|
#ifndef HAVE_EVP_CIPHER_CTX_SET_IV
|
|
int
|
|
EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len)
|
|
{
|
|
if (ctx == NULL)
|
|
return 0;
|
|
if (EVP_CIPHER_CTX_iv_length(ctx) < 0)
|
|
return 0;
|
|
if (len != (size_t)EVP_CIPHER_CTX_iv_length(ctx))
|
|
return 0;
|
|
if (len > EVP_MAX_IV_LENGTH)
|
|
return 0; /* sanity check; shouldn't happen */
|
|
/*
|
|
* Skip the memcpy entirely when the requested IV length is zero,
|
|
* since the iv pointer may be NULL or invalid.
|
|
*/
|
|
if (len != 0) {
|
|
if (iv == NULL)
|
|
return 0;
|
|
# ifdef HAVE_EVP_CIPHER_CTX_IV_NOCONST
|
|
memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, len);
|
|
# else
|
|
memcpy(ctx->iv, iv, len);
|
|
# endif /* HAVE_EVP_CIPHER_CTX_IV_NOCONST */
|
|
}
|
|
return 1;
|
|
}
|
|
#endif /* HAVE_EVP_CIPHER_CTX_SET_IV */
|
|
|
|
#endif /* WITH_OPENSSL */
|