Merge "Build only sftp-server"
diff --git a/Android.bp b/Android.bp
index 0d8d6e9..ec35047 100644
--- a/Android.bp
+++ b/Android.bp
@@ -51,7 +51,6 @@
cc_defaults {
name: "ssh_defaults",
- vendor: true,
cflags: [
"-Wno-incompatible-pointer-types",
"-Wno-pointer-sign",
@@ -62,10 +61,7 @@
"external/openssh/prebuilt-intermediates",
],
shared_libs: [
- "libdl",
"libcrypto",
- "libssl",
- "libz",
],
}
@@ -91,6 +87,7 @@
"cleanup.c",
"compat.c",
"dh.c",
+ "digest-libc.c",
"digest-openssl.c",
"dispatch.c",
"dns.c",
@@ -138,6 +135,7 @@
"openbsd-compat/getopt_long.c",
"openbsd-compat/glob.c",
"openbsd-compat/libressl-api-compat.c",
+ "openbsd-compat/md5.c",
"openbsd-compat/openssl-compat.c",
"openbsd-compat/port-linux.c",
"openbsd-compat/port-net.c",
@@ -147,6 +145,8 @@
"openbsd-compat/recallocarray.c",
"openbsd-compat/rresvport.c",
"openbsd-compat/setproctitle.c",
+ "openbsd-compat/sha1.c",
+ "openbsd-compat/sha2.c",
"openbsd-compat/strcasestr.c",
"openbsd-compat/strmode.c",
"openbsd-compat/strtonum.c",
@@ -186,117 +186,16 @@
}
cc_binary {
- name: "ssh",
+ name: "sftp-server",
defaults: ["ssh_defaults"],
srcs: [
- "clientloop.c",
- "mux.c",
- "readconf.c",
- "ssh.c",
- "sshconnect.c",
- "sshconnect2.c",
- "sshtty.c",
- ],
- shared_libs: ["libssh"],
-}
-
-cc_binary {
- name: "sftp",
- defaults: ["ssh_defaults"],
- srcs: [
- "sftp.c",
- "sftp-client.c",
- "sftp-common.c",
- "sftp-glob.c",
- "progressmeter.c",
- ],
- shared_libs: ["libssh"],
-}
-
-cc_binary {
- name: "scp",
- defaults: ["ssh_defaults"],
- srcs: [
- "scp.c",
- "sftp-client.c",
- "sftp-common.c",
- "sftp-glob.c",
- "progressmeter.c",
- ],
- shared_libs: ["libssh"],
-}
-
-cc_binary {
- name: "sshd",
- defaults: ["ssh_defaults"],
- srcs: [
- "audit-bsm.c",
- "audit-linux.c",
- "audit.c",
- "auth-bsdauth.c",
- "auth-krb5.c",
- "auth-options.c",
- "auth-pam.c",
- "auth-rhosts.c",
- "auth-shadow.c",
- "auth-sia.c",
- "auth.c",
- "auth2-chall.c",
- "auth2-gss.c",
- "auth2-hostbased.c",
- "auth2-kbdint.c",
- "auth2-none.c",
- "auth2-passwd.c",
- "auth2-pubkey.c",
- "auth2.c",
- "groupaccess.c",
- "gss-serv-krb5.c",
- "gss-serv.c",
- "kexgexs.c",
- "loginrec.c",
- "monitor.c",
- "monitor_wrap.c",
- "platform.c",
"platform-tracing.c",
- "sandbox-null.c",
- "sandbox-rlimit.c",
- "sandbox-systrace.c",
- "servconf.c",
- "serverloop.c",
- "session.c",
"sftp-common.c",
"sftp-realpath.c",
"sftp-server.c",
- "srclimit.c",
- "sshd.c",
- "sshlogin.c",
- "sshpty.c",
+ "sftp-server-main.c",
],
shared_libs: [
- "libcutils",
"libssh",
],
}
-
-cc_binary {
- name: "ssh-keygen",
- defaults: ["ssh_defaults"],
- srcs: [
- "ssh-keygen.c",
- "sshsig.c",
- ],
- shared_libs: ["libssh"],
-}
-
-prebuilt_etc {
- name: "sshd_config",
- vendor: true,
- src: "sshd_config.android",
- relative_install_path: "ssh",
-}
-
-sh_binary {
- name: "start-ssh",
- vendor: true,
- src: "start-ssh",
-}
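Review bot: Nothing in the new module list records that `sshd` was dropped on purpose, yet the same commit strips the Android-specific restrictions from the server sources: the forced `shell` login in auth.c, the "no password authentication in Android" guards in auth2-none.c, auth2-passwd.c and monitor.c, and `sshd_config.android` with its `PasswordAuthentication no`. As far as the visible modules show, those files are simply no longer compiled, so the absence of an `sshd` module is now the only thing keeping that behaviour off the device. I would add a comment above the remaining `cc_binary`, for example `// Only sftp-server is built; the sshd sources carry no Android auth restrictions, review auth*.c and monitor.c before adding an sshd module.` The hunk begins in the middle of the preceding module, so the full list of what `libssh` still compiles is not visible here.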
diff --git a/auth.c b/auth.c
index f2ea845..58754c0 100644
--- a/auth.c
+++ b/auth.c
@@ -542,14 +542,6 @@
aix_setauthdb(user);
#endif
-#if defined(ANDROID)
- // Android has a fixed set of users. Any incoming user that we can't
- // identify should be authenticated as the shell user.
- if (strcmp(user, "root") && strcmp(user, "shell")) {
- logit("Login name %.100s forced to shell", user);
- user = "shell";
- }
-#endif
pw = getpwnam(user);
#if defined(_AIX) && defined(HAVE_SETAUTHDB)
diff --git a/auth2-none.c b/auth2-none.c
index 41cb515..d9f9722 100644
--- a/auth2-none.c
+++ b/auth2-none.c
@@ -66,12 +66,8 @@
none_enabled = 0;
if ((r = sshpkt_get_end(ssh)) != 0)
fatal_fr(r, "parse packet");
-
- /* no password authentication in Android. */
-#if !defined(ANDROID)
if (options.permit_empty_passwd && options.password_authentication)
return (PRIVSEP(auth_password(ssh, "")));
-#endif
return (0);
}
diff --git a/auth2-passwd.c b/auth2-passwd.c
index cb142c2..f8a6dbc 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -64,11 +64,8 @@
if (change)
logit("password change not supported");
-#if !defined(ANDROID)
- /* no password authentication in Android */
else if (PRIVSEP(auth_password(ssh, password)) == 1)
authenticated = 1;
-#endif
freezero(password, len);
return authenticated;
}
diff --git a/dns.c b/dns.c
index 331089f..8ae2fde 100644
--- a/dns.c
+++ b/dns.c
@@ -224,10 +224,9 @@
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
DNS_RDATATYPE_SSHFP, 0, &fingerprints);
#else
- /* unsupported in Android. */
- result = -1;
+ /* unsupported in Android. */
+ result = -1;
#endif
-
if (result) {
verbose("DNS lookup error: %s", dns_result_totext(result));
return -1;
diff --git a/misc.c b/misc.c
index 4514053..85d2236 100644
--- a/misc.c
+++ b/misc.c
@@ -2180,9 +2180,7 @@
char buf[PATH_MAX], homedir[PATH_MAX];
char *cp;
int comparehome = 0;
-#if !defined(ANDROID)
struct stat st;
-#endif
if (realpath(name, buf) == NULL) {
snprintf(err, errlen, "realpath %s failed: %s", name,
@@ -2211,8 +2209,6 @@
}
strlcpy(buf, cp, sizeof(buf));
-#if !defined(ANDROID)
- /* /data is owned by system user, which causes this check to fail */
if (stat(buf, &st) == -1 ||
(!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
(st.st_mode & 022) != 0) {
@@ -2220,7 +2216,6 @@
"bad ownership or modes for directory %s", buf);
return -1;
}
-#endif
/* If are past the homedir then we can stop */
if (comparehome && strcmp(homedir, buf) == 0)
diff --git a/monitor.c b/monitor.c
index 4f16f9d..20b9f67 100644
--- a/monitor.c
+++ b/monitor.c
@@ -876,25 +876,18 @@
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
{
static int call_count;
-#if !defined(ANDROID)
char *passwd;
-#endif
int r, authenticated;
- size_t plen = 0;
+ size_t plen;
if (!options.password_authentication)
fatal_f("password authentication not enabled");
-#if !defined(ANDROID)
if ((r = sshbuf_get_cstring(m, &passwd, &plen)) != 0)
fatal_fr(r, "parse");
/* Only authenticate if the context is valid */
authenticated = options.password_authentication &&
auth_password(ssh, passwd);
freezero(passwd, plen);
-#else
- /* no password authentication in Android. */
- authenticated = 0;
-#endif
sshbuf_reset(m);
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
diff --git a/openbsd-compat/bsd-openpty.c b/openbsd-compat/bsd-openpty.c
index 4afac42..bc2c568 100644
--- a/openbsd-compat/bsd-openpty.c
+++ b/openbsd-compat/bsd-openpty.c
@@ -106,7 +106,6 @@
return (-1);
}
-#if !defined(ANDROID)
# if defined(I_FIND) && defined(__SVR4)
/*
* If the streams modules have already been pushed then there
@@ -125,7 +124,6 @@
# ifndef __hpux
ioctl(*aslave, I_PUSH, "ttcompat");
# endif /* __hpux */
-#endif
return (0);
}
diff --git a/openbsd-compat/bsd-statvfs.c b/openbsd-compat/bsd-statvfs.c
index cddc20e..18ca726 100644
--- a/openbsd-compat/bsd-statvfs.c
+++ b/openbsd-compat/bsd-statvfs.c
@@ -22,11 +22,6 @@
# include <sys/mount.h>
#endif
-#if defined(ANDROID)
-#include <sys/param.h>
-#define MNAMELEN PATH_MAX
-#endif
-
#include <errno.h>
#ifndef MNAMELEN
diff --git a/openbsd-compat/explicit_bzero.c b/openbsd-compat/explicit_bzero.c
index 4ffc655..88027ea 100644
--- a/openbsd-compat/explicit_bzero.c
+++ b/openbsd-compat/explicit_bzero.c
@@ -39,11 +39,7 @@
* Indirect bzero through a volatile pointer to hopefully avoid
* dead-store optimisation eliminating the call.
*/
-#if defined(ANDROID)
static void (* volatile ssh_bzero)(void *, size_t) = __bionic_bzero;
-#else
-static void (* volatile ssh_bzero)(void *, size_t) = bzero;
-#endif
void
explicit_bzero(void *p, size_t n)
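Review bot: The initializer for `ssh_bzero` now names `__bionic_bzero` unconditionally, so this fallback only compiles against bionic headers and ties the secret-wiping path to a double-underscore, libc-internal name. Since the rest of the commit removes Android-only code, the line that survived looks like the wrong one of the pair. I would keep the portable form `static void (* volatile ssh_bzero)(void *, size_t) = bzero;`, or retain the removed `#if defined(ANDROID)` / `#else` / `#endif` around both. Whether this branch of the file is compiled at all depends on preprocessor conditions outside the hunk.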
diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c
index 4d30322..801a2e8 100644
--- a/openbsd-compat/libressl-api-compat.c
+++ b/openbsd-compat/libressl-api-compat.c
@@ -519,9 +519,7 @@
if (length < 0 || length > INT_MAX)
return 0;
-#if !defined(OPENSSL_IS_BORINGSSL)
dh->length = length;
-#endif
return 1;
}
#endif /* HAVE_DH_SET_LENGTH */
diff --git a/prebuilt-intermediates/config.h b/prebuilt-intermediates/config.h
index e8df2f7..59312e0 100644
--- a/prebuilt-intermediates/config.h
+++ b/prebuilt-intermediates/config.h
@@ -327,7 +327,7 @@
#define HAVE_DECL__GETSHORT 0
/* Define if you have /dev/ptmx */
-#define HAVE_DEV_PTMX 1
+/* #define HAVE_DEV_PTMX 1 */
/* Define if you have /dev/ptc */
/* #undef HAVE_DEV_PTS_AND_PTC */
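Review bot: `/* #define HAVE_DEV_PTMX 1 */` departs from the form this header uses for a disabled feature, `/* #undef HAVE_DEV_PTS_AND_PTC */` two lines below, so the hand edit is hard to tell apart from configure output. The same applies to `OPENSSL_HAS_ECC`, `WITH_OPENSSL` and `HAVE_DH_SET_LENGTH` in the later hunks, and the `HAVE_EVP_SHA384` / `HAVE_EVP_SHA512` lines are added with a leading space and no describing comment of their own. The directory name suggests this file is generated, in which case a regeneration would silently undo these edits. I would write `/* #undef HAVE_DEV_PTMX */` and put a short marker such as `/* Android: disabled by hand */` beside each manual change.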
@@ -384,6 +384,8 @@
/* Define to 1 if you have the `EVP_sha256' function. */
#define HAVE_EVP_SHA256 1
+ #define HAVE_EVP_SHA384 1
+ #define HAVE_EVP_SHA512 1
/* Define if you have ut_exit in utmp.h */
#define HAVE_EXIT_IN_UTMP 1
@@ -1373,7 +1375,7 @@
/* #undef OPENSSL_EVP_DIGESTUPDATE_VOID */
/* libcrypto includes complete ECC support */
-#define OPENSSL_HAS_ECC 1
+/* #define OPENSSL_HAS_ECC 1 */
/* libcrypto has NID_X9_62_prime256v1 */
#define OPENSSL_HAS_NISTP256 1
@@ -1571,7 +1573,7 @@
/* #undef WITH_IRIX_PROJECT */
/* use libcrypto for cryptography */
-#define WITH_OPENSSL 1
+/* #define WITH_OPENSSL 1 */
/* Define if you want SELinux support. */
/* #undef WITH_SELINUX */
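Review bot: Commenting out `WITH_OPENSSL` switches every file built from this header away from libcrypto-backed crypto, but other parts of the commit still assume libcrypto. Android.bp keeps `libcrypto` in `shared_libs` and `digest-openssl.c` in the source list next to the new `digest-libc.c`, the `@@ -384` hunk adds `HAVE_EVP_SHA384` / `HAVE_EVP_SHA512`, and `OPENSSL_HAS_NISTP256` stays defined directly after `OPENSSL_HAS_ECC` is disabled. Either drop those leftovers or state the intent here, for example `/* sftp-server is built without libcrypto; digests come from digest-libc.c */`, so a later change does not re-enable only half of the configuration. The commit also removes the `OPENSSL_IS_BORINGSSL` guards in libressl-api-compat.c and ssh-rsa.c, which presumably stays buildable only while this macro is off.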
@@ -1631,7 +1633,7 @@
#define HAVE_DH_GET0_PQG 1
#define HAVE_DH_SET0_KEY 1
#define HAVE_DH_SET0_PQG 1
-#define HAVE_DH_SET_LENGTH 1
+/* #define HAVE_DH_SET_LENGTH 1 */
#define HAVE_DSA_GET0_KEY 1
#define HAVE_DSA_GET0_PQG 1
#define HAVE_DSA_SET0_KEY 1
@@ -1658,3 +1660,4 @@
#define HAVE_RSA_SET0_CRT_PARAMS 1
#define HAVE_RSA_SET0_FACTORS 1
#define HAVE_RSA_SET0_KEY 1
+#define HAVE_STRUCT_POLLFD_FD 1
diff --git a/servconf.c b/servconf.c
index 4b12396..9d9681f 100644
--- a/servconf.c
+++ b/servconf.c
@@ -71,10 +71,6 @@
#include "myproposal.h"
#include "digest.h"
-#if defined(ANDROID)
-#include <cutils/properties.h>
-#endif
-
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
static void add_one_listen_addr(ServerOptions *, const char *,
@@ -2521,20 +2517,10 @@
struct include_list *includes, struct connection_info *connectinfo)
{
ServerOptions mo;
-#if defined(ANDROID)
- char value[PROPERTY_VALUE_MAX];
-#endif
initialize_server_options(&mo);
parse_server_config(&mo, "reprocess config", cfg, includes,
connectinfo, 0);
-#if defined(ANDROID)
- /* Allow root login if ro.debuggable is set. */
- property_get("ro.debuggable", value, "");
- if (strcmp(value, "1") == 0) {
- mo.permit_root_login = PERMIT_YES;
- }
-#endif
copy_set_server_options(options, &mo, 0);
}
diff --git a/session.c b/session.c
index 7a2814f..e67d24d 100644
--- a/session.c
+++ b/session.c
@@ -1051,13 +1051,11 @@
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
-#if !defined(ANDROID)
if (!options.use_pam) {
snprintf(buf, sizeof buf, "%.200s/%.50s",
_PATH_MAILDIR, pw->pw_name);
child_set_env(&env, &envsize, "MAIL", buf);
}
-#endif
/* Normal systems set SHELL by default. */
child_set_env(&env, &envsize, "SHELL", shell);
diff --git a/ssh-rsa.c b/ssh-rsa.c
index d8c3d95..9b14f9a 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -132,10 +132,8 @@
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
-#if !defined(OPENSSL_IS_BORINGSSL)
BN_set_flags(aux, BN_FLG_CONSTTIME);
BN_set_flags(d_consttime, BN_FLG_CONSTTIME);
-#endif
if ((BN_sub(aux, rsa_q, BN_value_one()) == 0) ||
(BN_mod(rsa_dmq1, d_consttime, aux, ctx) == 0) ||
diff --git a/sshd.c b/sshd.c
index a2fe301..0ee65b5 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1807,9 +1807,7 @@
freezero(privsep_pw->pw_passwd, strlen(privsep_pw->pw_passwd));
privsep_pw->pw_passwd = xstrdup("*");
}
-#if !defined(ANDROID)
endpwent();
-#endif
/* load host keys */
sensitive_data.host_keys = xcalloc(options.num_host_key_files,
diff --git a/sshd_config.android b/sshd_config.android
deleted file mode 100644
index 211ac52..0000000
--- a/sshd_config.android
+++ /dev/null
@@ -1,5 +0,0 @@
-Protocol 2
-HostKey /data/ssh/ssh_host_rsa_key
-HostKey /data/ssh/ssh_host_dsa_key
-AuthorizedKeysFile /data/ssh/authorized_keys
-PasswordAuthentication no
diff --git a/sshkey.c b/sshkey.c
index a9e8348..f1e9200 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -4537,9 +4537,7 @@
case ERR_LIB_PEM:
switch (pem_reason) {
case PEM_R_BAD_PASSWORD_READ:
-#ifdef PEM_R_PROBLEMS_GETTING_PASSWORD
case PEM_R_PROBLEMS_GETTING_PASSWORD:
-#endif
case PEM_R_BAD_DECRYPT:
return SSH_ERR_KEY_WRONG_PASSPHRASE;
default:
@@ -4547,10 +4545,8 @@
}
case ERR_LIB_EVP:
switch (pem_reason) {
-#ifdef EVP_R_BAD_DECRYPT
case EVP_R_BAD_DECRYPT:
return SSH_ERR_KEY_WRONG_PASSPHRASE;
-#endif
#ifdef EVP_R_BN_DECODE_ERROR
case EVP_R_BN_DECODE_ERROR:
#endif
diff --git a/start-ssh b/start-ssh
deleted file mode 100644
index 9a668fa..0000000
--- a/start-ssh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/system/bin/sh
-
-umask 077
-
-# DEBUG=1
-
-DSA_KEY=/data/ssh/ssh_host_dsa_key
-DSA_PUB_KEY=/data/ssh/ssh_host_dsa_key.pub
-RSA_KEY=/data/ssh/ssh_host_rsa_key
-RSA_PUB_KEY=/data/ssh/ssh_host_rsa_key.pub
-AUTHORIZED_KEYS=/data/ssh/authorized_keys
-DEFAULT_AUTHORIZED_KEYS=/vendor/etc/security/authorized_keys.default
-
-if [ ! -f $DSA_KEY ]; then
- /system/bin/ssh-keygen -t dsa -f $DSA_KEY -N ""
- chmod 600 /$DSA_KEY
- chmod 644 $DSA_PUB_KEY
-fi
-
-if [ ! -f $RSA_KEY ]; then
- /system/bin/ssh-keygen -t rsa -f $RSA_KEY -N ""
- chmod 600 /$RSA_KEY
- chmod 644 $RSA_PUB_KEY
-fi
-
-if [[ ! -f $AUTHORIZED_KEYS && -f $DEFAULT_AUTHORIZED_KEYS ]]; then
- cat $DEFAULT_AUTHORIZED_KEYS > $AUTHORIZED_KEYS
-fi
-
-
-if [ "1" == "$DEBUG" ] ; then
- # run sshd in debug mode and capture output to logcat
- /system/bin/logwrapper /system/bin/sshd -f /vendor/etc/ssh/sshd_config -D -d
-else
- # don't daemonize - otherwise we can't stop the sshd service
- /system/bin/sshd -f /vendor/etc/ssh/sshd_config -D
-fi
diff --git a/uidswap.c b/uidswap.c
index d373859..6ed3024 100644
--- a/uidswap.c
+++ b/uidswap.c
@@ -28,21 +28,6 @@
#include "uidswap.h"
#include "xmalloc.h"
-#if defined(ANDROID)
-#define AID_GRAPHICS 1003
-#define AID_INPUT 1004
-#define AID_LOG 1007
-#define AID_MOUNT 1009
-#define AID_SDCARD_RW 1015
-#define AID_SHELL 2000
-#define AID_NET_BT_ADMIN 3001
-#define AID_NET_BT 3002
-#define AID_INET 3003
-#define AID_NET_BW_STATS 3006
-#include <sys/capability.h>
-#include <sys/prctl.h>
-#endif
-
/*
* Note: all these functions must work in all of the following cases:
* 1. euid=0, ruid=0
@@ -199,10 +184,6 @@
uid_t old_uid = getuid();
gid_t old_gid = getgid();
#endif
-#if defined(ANDROID)
- struct __user_cap_header_struct header;
- struct __user_cap_data_struct cap;
-#endif
if (pw == NULL)
fatal("permanently_set_uid: no user given");
@@ -211,26 +192,6 @@
debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
(u_int)pw->pw_gid);
-#if defined(ANDROID)
- if (pw->pw_uid == AID_SHELL) {
- prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
-
- /* add extra groups needed for shell user:
- * - AID_LOG to read system logs (adb logcat)
- * - AID_INPUT to diagnose input issues (getevent)
- * - AID_INET to diagnose network issues (netcfg, ping)
- * - AID_GRAPHICS to access the frame buffer
- * - AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump)
- * - AID_SDCARD_RW to allow writing to the SD card
- * - AID_MOUNT to allow unmounting the SD card before rebooting
- * - AID_NET_BW_STATS to read out qtaguid statistics. */
- gid_t groups[] = {AID_LOG, AID_INPUT, AID_INET,
- AID_GRAPHICS, AID_NET_BT, AID_NET_BT_ADMIN,
- AID_SDCARD_RW, AID_MOUNT, AID_NET_BW_STATS};
- setgroups(sizeof(groups)/sizeof(groups[0]), groups);
- }
-#endif
-
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1)
fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
@@ -274,16 +235,4 @@
__func__, (u_int)getuid(), (u_int)geteuid(),
(u_int)pw->pw_uid);
}
-
-#if defined(ANDROID)
- if (pw->pw_uid == AID_SHELL) {
- /* set CAP_SYS_BOOT capability, so "adb reboot" will succeed */
- header.version = _LINUX_CAPABILITY_VERSION;
- header.pid = 0;
- cap.effective = cap.permitted = (1 << CAP_SYS_BOOT);
- cap.inheritable = 0;
- capset(&header, &cap);
- }
-#endif
-
}