diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c 2017-02-07 14:41:20.483509205 +0100 @@ -65,8 +65,8 @@ proc_pid_cmdline(char *** inargv) case EOF: case '\0': if (len > 0) { - argv = pamsshagentauth_xrealloc(argv, count + 1, sizeof(*argv)); - argv[count] = pamsshagentauth_xcalloc(len + 1, sizeof(*argv[count])); + argv = xreallocarray(argv, count + 1, sizeof(*argv)); + argv[count] = xcalloc(len + 1, sizeof(*argv[count])); strncpy(argv[count++], argbuf, len); memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1); len = 0; @@ -105,9 +105,9 @@ pamsshagentauth_free_command_line(char * { size_t i; for (i = 0; i < n_args; i++) - pamsshagentauth_xfree(argv[i]); + free(argv[i]); - pamsshagentauth_xfree(argv); + free(argv); return; } diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat 2017-02-07 14:41:20.479509208 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 14:41:20.481509206 +0100 @@ -58,6 +58,8 @@ #include "get_command_line.h" extern char **environ; +#define PAM_SSH_AGENT_AUTH_REQUESTv1 101 + /* * Added by Jamie Beverly, ensure socket fd points to a socket owned by the user * A cursory check is done, but to avoid race conditions, it is necessary @@ -77,7 +79,7 @@ log_action(char ** action, size_t count) if (count == 0) return NULL; - buf = pamsshagentauth_xcalloc((count * MAX_LEN_PER_CMDLINE_ARG) + (count * 3), sizeof(*buf)); + buf = xcalloc((count * MAX_LEN_PER_CMDLINE_ARG) + (count * 3), sizeof(*buf)); for (i = 0; i < count; i++) { strcat(buf, (i > 0) ? " '" : "'"); strncat(buf, action[i], MAX_LEN_PER_CMDLINE_ARG); @@ -90,12 +92,12 @@ void agent_action(Buffer *buf, char ** action, size_t count) { size_t i; - pamsshagentauth_buffer_init(buf); + buffer_init(buf); - pamsshagentauth_buffer_put_int(buf, count); + buffer_put_int(buf, count); for (i = 0; i < count; i++) { - pamsshagentauth_buffer_put_cstring(buf, action[i]); + buffer_put_cstring(buf, action[i]); } } @@ -119,17 +121,17 @@ pamsshagentauth_session_id2_gen(Buffer * char * retc; int32_t reti; - rnd = pamsshagentauth_arc4random(); + rnd = arc4random(); cookie_len = ((uint8_t) rnd); while (cookie_len < 16) { cookie_len += 16; /* Add 16 bytes to the size to ensure that while the length is random, the length is always reasonable; ticket #18 */ } - cookie = pamsshagentauth_xcalloc(1,cookie_len); + cookie = xcalloc(1,cookie_len); for (i = 0; i < cookie_len; i++) { if (i % 4 == 0) { - rnd = pamsshagentauth_arc4random(); + rnd = arc4random(); } cookie[i] = (u_char) rnd; rnd >>= 8; @@ -144,7 +146,7 @@ pamsshagentauth_session_id2_gen(Buffer * } else { action_logbuf = "unknown on this platform"; - pamsshagentauth_buffer_init(&action_agentbuf); /* stays empty, means unavailable */ + buffer_init(&action_agentbuf); /* stays empty, means unavailable */ } /* @@ -161,35 +163,35 @@ pamsshagentauth_session_id2_gen(Buffer * retc = getcwd(pwd, sizeof(pwd) - 1); time(&ts); - pamsshagentauth_buffer_init(session_id2); + buffer_init(session_id2); - pamsshagentauth_buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1); - /* pamsshagentauth_debug3("cookie: %s", pamsshagentauth_tohex(cookie, cookie_len)); */ - pamsshagentauth_buffer_put_string(session_id2, cookie, cookie_len); - /* pamsshagentauth_debug3("user: %s", user); */ - pamsshagentauth_buffer_put_cstring(session_id2, user); - /* pamsshagentauth_debug3("ruser: %s", ruser); */ - pamsshagentauth_buffer_put_cstring(session_id2, ruser); - /* pamsshagentauth_debug3("servicename: %s", servicename); */ - pamsshagentauth_buffer_put_cstring(session_id2, servicename); - /* pamsshagentauth_debug3("pwd: %s", pwd); */ + buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1); + /* debug3("cookie: %s", tohex(cookie, cookie_len)); */ + buffer_put_string(session_id2, cookie, cookie_len); + /* debug3("user: %s", user); */ + buffer_put_cstring(session_id2, user); + /* debug3("ruser: %s", ruser); */ + buffer_put_cstring(session_id2, ruser); + /* debug3("servicename: %s", servicename); */ + buffer_put_cstring(session_id2, servicename); + /* debug3("pwd: %s", pwd); */ if(retc) - pamsshagentauth_buffer_put_cstring(session_id2, pwd); + buffer_put_cstring(session_id2, pwd); else - pamsshagentauth_buffer_put_cstring(session_id2, ""); - /* pamsshagentauth_debug3("action: %s", action_logbuf); */ - pamsshagentauth_buffer_put_string(session_id2, action_agentbuf.buf + action_agentbuf.offset, action_agentbuf.end - action_agentbuf.offset); + buffer_put_cstring(session_id2, ""); + /* debug3("action: %s", action_logbuf); */ + buffer_put_string(session_id2, sshbuf_ptr(&action_agentbuf), sshbuf_len(&action_agentbuf)); if (free_logbuf) { - pamsshagentauth_xfree(action_logbuf); - pamsshagentauth_buffer_free(&action_agentbuf); + free(action_logbuf); + buffer_free(&action_agentbuf); } - /* pamsshagentauth_debug3("hostname: %s", hostname); */ + /* debug3("hostname: %s", hostname); */ if(reti >= 0) - pamsshagentauth_buffer_put_cstring(session_id2, hostname); + buffer_put_cstring(session_id2, hostname); else - pamsshagentauth_buffer_put_cstring(session_id2, ""); - /* pamsshagentauth_debug3("ts: %ld", ts); */ - pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts); + buffer_put_cstring(session_id2, ""); + /* debug3("ts: %ld", ts); */ + buffer_put_int64(session_id2, (uint64_t) ts); free(cookie); return; @@ -295,29 +297,29 @@ pamsshagentauth_find_authorized_keys(con pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename); if ((ac = ssh_get_authentication_connection_for_uid(uid))) { - pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid); + verbose("Contacted ssh-agent of user %s (%u)", ruser, uid); for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2)) { if(key != NULL) { - id = pamsshagentauth_xcalloc(1, sizeof(*id)); + id = xcalloc(1, sizeof(*id)); id->key = key; id->filename = comment; id->ac = ac; if(userauth_pubkey_from_id(ruser, id, &session_id2)) { retval = 1; } - pamsshagentauth_xfree(id->filename); - pamsshagentauth_key_free(id->key); - pamsshagentauth_xfree(id); + free(id->filename); + key_free(id->key); + free(id); if(retval == 1) break; } } - pamsshagentauth_buffer_free(&session_id2); + buffer_free(&session_id2); ssh_close_authentication_connection(ac); } else { - pamsshagentauth_verbose("No ssh-agent could be contacted"); + verbose("No ssh-agent could be contacted"); } /* pamsshagentauth_xfree(session_id2); */ EVP_cleanup(); diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat 2017-02-07 14:41:20.480509207 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2017-02-07 14:44:20.549369019 +0100 @@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh, * a patch 8-) */ #if ! HAVE___PROGNAME || HAVE_BUNDLE - __progname = pamsshagentauth_xstrdup(servicename); + __progname = xstrdup(servicename); #endif for(i = argc, argv_ptr = (char **) argv; i > 0; ++argv_ptr, i--) { @@ -130,11 +130,11 @@ pam_sm_authenticate(pam_handle_t * pamh, #endif } - pamsshagentauth_log_init(__progname, log_lvl, facility, getenv("PAM_SSH_AGENT_AUTH_DEBUG") ? 1 : 0); + log_init(__progname, log_lvl, facility, getenv("PAM_SSH_AGENT_AUTH_DEBUG") ? 1 : 0); pam_get_item(pamh, PAM_USER, (void *) &user); pam_get_item(pamh, PAM_RUSER, (void *) &ruser_ptr); - pamsshagentauth_verbose("Beginning pam_ssh_agent_auth for user %s", user); + verbose("Beginning pam_ssh_agent_auth for user %s", user); if(ruser_ptr) { strncpy(ruser, ruser_ptr, sizeof(ruser) - 1); @@ -149,12 +149,12 @@ pam_sm_authenticate(pam_handle_t * pamh, #ifdef ENABLE_SUDO_HACK if( (strlen(sudo_service_name) > 0) && strncasecmp(servicename, sudo_service_name, sizeof(sudo_service_name) - 1) == 0 && getenv("SUDO_USER") ) { strncpy(ruser, getenv("SUDO_USER"), sizeof(ruser) - 1 ); - pamsshagentauth_verbose( "Using environment variable SUDO_USER (%s)", ruser ); + verbose( "Using environment variable SUDO_USER (%s)", ruser ); } else #endif { if( ! getpwuid(getuid()) ) { - pamsshagentauth_verbose("Unable to getpwuid(getuid())"); + verbose("Unable to getpwuid(getuid())"); goto cleanexit; } strncpy(ruser, getpwuid(getuid())->pw_name, sizeof(ruser) - 1); @@ -163,11 +163,11 @@ pam_sm_authenticate(pam_handle_t * pamh, /* Might as well explicitely confirm the user exists here */ if(! getpwnam(ruser) ) { - pamsshagentauth_verbose("getpwnam(%s) failed, bailing out", ruser); + verbose("getpwnam(%s) failed, bailing out", ruser); goto cleanexit; } if( ! getpwnam(user) ) { - pamsshagentauth_verbose("getpwnam(%s) failed, bailing out", user); + verbose("getpwnam(%s) failed, bailing out", user); goto cleanexit; } @@ -177,8 +177,8 @@ pam_sm_authenticate(pam_handle_t * pamh, */ parse_authorized_key_file(user, authorized_keys_file_input); } else { - pamsshagentauth_verbose("Using default file=/etc/security/authorized_keys"); - authorized_keys_file = pamsshagentauth_xstrdup("/etc/security/authorized_keys"); + verbose("Using default file=/etc/security/authorized_keys"); + authorized_keys_file = xstrdup("/etc/security/authorized_keys"); } /* @@ -187,19 +187,19 @@ pam_sm_authenticate(pam_handle_t * pamh, */ if(user && strlen(ruser) > 0) { - pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file); + verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file); /* * this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user */ if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */ - pamsshagentauth_logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file); + logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file); retval = PAM_SUCCESS; } else { - pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file); + logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file); } } else { - pamsshagentauth_logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" ); + logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" ); } cleanexit: diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2017-02-07 14:41:20.484509204 +0100 @@ -117,12 +117,12 @@ parse_authorized_key_file(const char *us } else { slash_ptr = strchr(auth_keys_file_buf, '/'); if(!slash_ptr) - pamsshagentauth_fatal + fatal ("cannot expand tilde in path without a `/'"); owner_uname_len = slash_ptr - auth_keys_file_buf - 1; if(owner_uname_len > (sizeof(owner_uname) - 1)) - pamsshagentauth_fatal("Username too long"); + fatal("Username too long"); strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len); if(!authorized_keys_file_allowed_owner_uid) @@ -130,11 +130,11 @@ parse_authorized_key_file(const char *us getpwnam(owner_uname)->pw_uid; } authorized_keys_file = - pamsshagentauth_tilde_expand_filename(auth_keys_file_buf, + tilde_expand_filename(auth_keys_file_buf, authorized_keys_file_allowed_owner_uid); strncpy(auth_keys_file_buf, authorized_keys_file, sizeof(auth_keys_file_buf) - 1); - pamsshagentauth_xfree(authorized_keys_file) /* when we + free(authorized_keys_file) /* when we percent_expand later, we'd step on this, so free @@ -150,7 +150,7 @@ parse_authorized_key_file(const char *us strncat(hostname, fqdn, strcspn(fqdn, ".")); #endif authorized_keys_file = - pamsshagentauth_percent_expand(auth_keys_file_buf, "h", + percent_expand(auth_keys_file_buf, "h", getpwnam(user)->pw_dir, "H", hostname, "f", fqdn, "u", user, NULL); } diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2017-02-07 14:41:20.484509204 +0100 @@ -48,11 +48,13 @@ #include "buffer.h" #include "log.h" #include "compat.h" +#include "digest.h" #include "key.h" #include "pathnames.h" #include "misc.h" #include "secure_filename.h" #include "uidswap.h" +#include #include "identity.h" @@ -68,7 +70,7 @@ pamsshagentauth_check_authkeys_file(FILE char *fp; found_key = 0; - found = pamsshagentauth_key_new(key->type); + found = key_new(key->type); while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { char *cp = NULL; /* *key_options = NULL; */ @@ -78,11 +80,11 @@ pamsshagentauth_check_authkeys_file(FILE if(!*cp || *cp == '\n' || *cp == '#') continue; - if(pamsshagentauth_key_read(found, &cp) != 1) { + if(key_read(found, &cp) != 1) { /* no key? check if there are options for this key */ int quoted = 0; - pamsshagentauth_verbose("user_key_allowed: check options: '%s'", cp); + verbose("user_key_allowed: check options: '%s'", cp); /* key_options = cp; */ for(; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { if(*cp == '\\' && cp[1] == '"') @@ -92,26 +94,26 @@ pamsshagentauth_check_authkeys_file(FILE } /* Skip remaining whitespace. */ for(; *cp == ' ' || *cp == '\t'; cp++); - if(pamsshagentauth_key_read(found, &cp) != 1) { - pamsshagentauth_verbose("user_key_allowed: advance: '%s'", cp); + if(key_read(found, &cp) != 1) { + verbose("user_key_allowed: advance: '%s'", cp); /* still no key? advance to next line */ continue; } } - if(pamsshagentauth_key_equal(found, key)) { + if(key_equal(found, key)) { found_key = 1; - pamsshagentauth_logit("matching key found: file/command %s, line %lu", file, + logit("matching key found: file/command %s, line %lu", file, linenum); - fp = pamsshagentauth_key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); - pamsshagentauth_logit("Found matching %s key: %s", - pamsshagentauth_key_type(found), fp); - pamsshagentauth_xfree(fp); + fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX); + logit("Found matching %s key: %s", + key_type(found), fp); + free(fp); break; } } - pamsshagentauth_key_free(found); + key_free(found); if(!found_key) - pamsshagentauth_verbose("key not found"); + verbose("key not found"); return found_key; } @@ -128,11 +130,11 @@ pamsshagentauth_user_key_allowed2(struct char buf[SSH_MAX_PUBKEY_BYTES]; /* Temporarily use the user's uid. */ - pamsshagentauth_verbose("trying public key file %s", file); + verbose("trying public key file %s", file); /* Fail not so quietly if file does not exist */ if(stat(file, &st) < 0) { - pamsshagentauth_verbose("File not found: %s", file); + verbose("File not found: %s", file); return 0; } @@ -144,7 +146,7 @@ pamsshagentauth_user_key_allowed2(struct if(pamsshagentauth_secure_filename(f, file, pw, buf, sizeof(buf)) != 0) { fclose(f); - pamsshagentauth_logit("Authentication refused: %s", buf); + logit("Authentication refused: %s", buf); return 0; } @@ -187,44 +189,44 @@ pamsshagentauth_user_key_command_allowed else { pw = getpwnam(authorized_keys_command_user); if(pw == NULL) { - pamsshagentauth_logerror("authorized_keys_command_user \"%s\" not found: %s", + error("authorized_keys_command_user \"%s\" not found: %s", authorized_keys_command_user, strerror(errno)); return 0; } } - pamsshagentauth_temporarily_use_uid(pw); + temporarily_use_uid(pw); if(stat(authorized_keys_command, &st) < 0) { - pamsshagentauth_logerror + error ("Could not stat AuthorizedKeysCommand \"%s\": %s", authorized_keys_command, strerror(errno)); goto out; } if(pamsshagentauth_auth_secure_path (authorized_keys_command, &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) { - pamsshagentauth_logerror("Unsafe AuthorizedKeysCommand: %s", errmsg); + error("Unsafe AuthorizedKeysCommand: %s", errmsg); goto out; } /* open the pipe and read the keys */ if(pipe(p) != 0) { - pamsshagentauth_logerror("%s: pipe: %s", __func__, strerror(errno)); + error("%s: pipe: %s", __func__, strerror(errno)); goto out; } - pamsshagentauth_debug("Running AuthorizedKeysCommand: \"%s\" as \"%s\" with argument: \"%s\"", + debug("Running AuthorizedKeysCommand: \"%s\" as \"%s\" with argument: \"%s\"", authorized_keys_command, pw->pw_name, username); /* * Don't want to call this in the child, where it can fatal() and * run cleanup_exit() code. */ - pamsshagentauth_restore_uid(); + restore_uid(); switch ((pid = fork())) { case -1: /* error */ - pamsshagentauth_logerror("%s: fork: %s", __func__, strerror(errno)); + error("%s: fork: %s", __func__, strerror(errno)); close(p[0]); close(p[1]); return 0; @@ -234,13 +236,13 @@ pamsshagentauth_user_key_command_allowed /* do this before the setresuid so thta they can be logged */ if((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { - pamsshagentauth_logerror("%s: open %s: %s", __func__, _PATH_DEVNULL, + error("%s: open %s: %s", __func__, _PATH_DEVNULL, strerror(errno)); _exit(1); } if(dup2(devnull, STDIN_FILENO) == -1 || dup2(p[1], STDOUT_FILENO) == -1 || dup2(devnull, STDERR_FILENO) == -1) { - pamsshagentauth_logerror("%s: dup2: %s", __func__, strerror(errno)); + error("%s: dup2: %s", __func__, strerror(errno)); _exit(1); } #if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID) @@ -248,7 +250,7 @@ pamsshagentauth_user_key_command_allowed #else if (setgid(pw->pw_gid) != 0 || setegid(pw->pw_gid) != 0) { #endif - pamsshagentauth_logerror("setresgid %u: %s", (u_int) pw->pw_gid, + error("setresgid %u: %s", (u_int) pw->pw_gid, strerror(errno)); _exit(1); } @@ -258,7 +260,7 @@ pamsshagentauth_user_key_command_allowed #else if (setuid(pw->pw_uid) != 0 || seteuid(pw->pw_uid) != 0) { #endif - pamsshagentauth_logerror("setresuid %u: %s", (u_int) pw->pw_uid, + error("setresuid %u: %s", (u_int) pw->pw_uid, strerror(errno)); _exit(1); } @@ -270,18 +272,18 @@ pamsshagentauth_user_key_command_allowed /* pretty sure this will barf because we are now suid, but since we should't reach this anyway, I'll leave it here */ - pamsshagentauth_logerror("AuthorizedKeysCommand %s exec failed: %s", + error("AuthorizedKeysCommand %s exec failed: %s", authorized_keys_command, strerror(errno)); _exit(127); default: /* parent */ break; } - pamsshagentauth_temporarily_use_uid(pw); + temporarily_use_uid(pw); close(p[1]); if((f = fdopen(p[0], "r")) == NULL) { - pamsshagentauth_logerror("%s: fdopen: %s", __func__, strerror(errno)); + error("%s: fdopen: %s", __func__, strerror(errno)); close(p[0]); /* Don't leave zombie child */ while(waitpid(pid, NULL, 0) == -1 && errno == EINTR); @@ -292,22 +294,22 @@ pamsshagentauth_user_key_command_allowed while(waitpid(pid, &status, 0) == -1) { if(errno != EINTR) { - pamsshagentauth_logerror("%s: waitpid: %s", __func__, + error("%s: waitpid: %s", __func__, strerror(errno)); goto out; } } if(WIFSIGNALED(status)) { - pamsshagentauth_logerror("AuthorizedKeysCommand %s exited on signal %d", + error("AuthorizedKeysCommand %s exited on signal %d", authorized_keys_command, WTERMSIG(status)); goto out; } else if(WEXITSTATUS(status) != 0) { - pamsshagentauth_logerror("AuthorizedKeysCommand %s returned status %d", + error("AuthorizedKeysCommand %s returned status %d", authorized_keys_command, WEXITSTATUS(status)); goto out; } found_key = ok; out: - pamsshagentauth_restore_uid(); + restore_uid(); return found_key; } diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c 2017-02-07 14:41:20.481509206 +0100 @@ -80,7 +80,7 @@ pamsshagentauth_auth_secure_path(const c int comparehome = 0; struct stat st; - pamsshagentauth_verbose("auth_secure_filename: checking for uid: %u", uid); + verbose("auth_secure_filename: checking for uid: %u", uid); if (realpath(name, buf) == NULL) { snprintf(err, errlen, "realpath %s failed: %s", name, @@ -115,9 +115,9 @@ pamsshagentauth_auth_secure_path(const c snprintf(err, errlen, "dirname() failed"); return -1; } - pamsshagentauth_strlcpy(buf, cp, sizeof(buf)); + strlcpy(buf, cp, sizeof(buf)); - pamsshagentauth_verbose("secure_filename: checking '%s'", buf); + verbose("secure_filename: checking '%s'", buf); if (stat(buf, &st) < 0 || (st.st_uid != 0 && st.st_uid != uid) || (st.st_mode & 022) != 0) { @@ -128,7 +128,7 @@ pamsshagentauth_auth_secure_path(const c /* If are passed the homedir then we can stop */ if (comparehome && strcmp(homedir, buf) == 0) { - pamsshagentauth_verbose("secure_filename: terminating check at '%s'", + verbose("secure_filename: terminating check at '%s'", buf); break; } diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-02-07 14:41:20.484509204 +0100 @@ -48,6 +48,8 @@ #include "identity.h" #include "pam_user_authorized_keys.h" +#define SSH2_MSG_USERAUTH_TRUST_REQUEST 54 + /* extern u_char *session_id2; extern uint8_t session_id_len; */ @@ -65,37 +67,38 @@ userauth_pubkey_from_id(const char *ruse /* first test if this key is even allowed */ if(! pam_user_key_allowed(ruser, id->key)) - goto user_auth_clean_exit; + goto user_auth_clean_exit_without_buffer; - if(pamsshagentauth_key_to_blob(id->key, &pkblob, &blen) == 0) - goto user_auth_clean_exit; + if(key_to_blob(id->key, &pkblob, &blen) == 0) + goto user_auth_clean_exit_without_buffer; /* construct packet to sign and test */ - pamsshagentauth_buffer_init(&b); + buffer_init(&b); - pamsshagentauth_buffer_put_string(&b, session_id2->buf + session_id2->offset, session_id2->end - session_id2->offset); - pamsshagentauth_buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST); - pamsshagentauth_buffer_put_cstring(&b, ruser); - pamsshagentauth_buffer_put_cstring(&b, "pam_ssh_agent_auth"); - pamsshagentauth_buffer_put_cstring(&b, "publickey"); - pamsshagentauth_buffer_put_char(&b, 1); - pamsshagentauth_buffer_put_cstring(&b, pkalg); - pamsshagentauth_buffer_put_string(&b, pkblob, blen); + buffer_put_string(&b, sshbuf_ptr(session_id2), sshbuf_len(session_id2)); + buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST); + buffer_put_cstring(&b, ruser); + buffer_put_cstring(&b, "pam_ssh_agent_auth"); + buffer_put_cstring(&b, "publickey"); + buffer_put_char(&b, 1); + buffer_put_cstring(&b, pkalg); + buffer_put_string(&b, pkblob, blen); - if(ssh_agent_sign(id->ac, id->key, &sig, &slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) != 0) + if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0) goto user_auth_clean_exit; /* test for correct signature */ - if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1) + if(key_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) authenticated = 1; user_auth_clean_exit: /* if(&b != NULL) */ - pamsshagentauth_buffer_free(&b); + buffer_free(&b); + user_auth_clean_exit_without_buffer: if(sig != NULL) - pamsshagentauth_xfree(sig); + free(sig); if(pkblob != NULL) - pamsshagentauth_xfree(pkblob); + free(pkblob); CRYPTO_cleanup_all_ex_data(); return authenticated; } diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/uuencode.c --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/uuencode.c 2017-02-07 14:41:20.484509204 +0100 @@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src /* and remove trailing whitespace because __b64_pton needs this */ *p = '\0'; len = pamsshagentauth___b64_pton(encoded, target, targsize); - pamsshagentauth_xfree(encoded); + xfree(encoded); return len; } @@ -70,7 +70,7 @@ pamsshagentauth_dump_base64(FILE *fp, co fprintf(fp, "dump_base64: len > 65536\n"); return; } - buf = pamsshagentauth_xmalloc(2*len); + buf = malloc(2*len); n = pamsshagentauth_uuencode(data, len, buf, 2*len); for (i = 0; i < n; i++) { fprintf(fp, "%c", buf[i]); @@ -79,5 +79,5 @@ pamsshagentauth_dump_base64(FILE *fp, co } if (i % 70 != 69) fprintf(fp, "\n"); - pamsshagentauth_xfree(buf); + free(buf); }