d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Vendor import of OpenSSH 4.2p1.

Browse Source
This commit is contained in:
Dag-Erling Smørgrav 2005-09-03 06:59:33 +00:00
parent 4518870c72
commit 043840df5b
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/vendor-crypto/openssh/dist/; revision=149749
117 changed files with 3848 additions and 1686 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
crypto/openssh/CREDITS
View File

@ -3,6 +3,7 @@ Tatu Ylonen <ylo@cs.hut.fi> - Creator of SSH
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
Theo de Raadt, and Dug Song - Creators of OpenSSH
Ahsan Rashid <arms@sco.com> - UnixWare long passwords
Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix
Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes
Andre Lucas <andre@ae-35.com> - new login code, many fixes
@ -32,6 +33,7 @@ David Del Piero <David.DelPiero@qed.qld.gov.au> - bug fixes
David Hesprich <darkgrue@gue-tech.org> - Configure fixes
David Rankin <drankin@bohemians.lexington.ky.us> - libwrap, AIX, NetBSD fixes
Dag-Erling Smørgrav <des at freebsd.org> - Challenge-Response PAM code.
Dhiraj Gulati <dgulati@sco.com> - UnixWare long passwords
Ed Eden <ede370@stl.rural.usda.gov> - configure fixes
Garrick James <garrick@james.net> - configure fixes
Gary E. Miller <gem@rellim.com> - SCO support
@ -98,5 +100,5 @@ Apologies to anyone I have missed.
Damien Miller <djm@mindrot.org>
$Id: CREDITS,v 1.79 2004/05/26 23:59:31 dtucker Exp $
$Id: CREDITS,v 1.80 2005/08/26 20:15:20 tim Exp $

497
crypto/openssh/ChangeLog
View File

@ -1,3 +1,496 @@
20050901
- (djm) Update RPM spec file versions
20050831
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2005/08/30 22:08:05
[gss-serv.c sshconnect2.c]
destroy credentials if krb5_kuserok() call fails. Stops credentials being
delegated to users who are not authorised for GSSAPIAuthentication when
GSSAPIDeletegateCredentials=yes and another authentication mechanism
succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by
simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@
- markus@cvs.openbsd.org 2005/08/31 09:28:42
[version.h]
4.2
- (dtucker) [README] Update release note URL to 4.2
- (tim) [configure.ac auth.c defines.h session.c openbsd-compat/port-uw.c
openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] libiaf cleanup. Disable
libiaf bits for OpenServer6. Free memory allocated by ia_get_logpwd().
Feedback and OK dtucker@
20050830
- (tim) [configure.ac] Back out last change. It needs to be done differently.
20050829
- (tim) [configure.ac] ia_openinfo() seems broken on OSR6. Limit UW long
password support to 7.x for now.
20050826
- (tim) [CREDITS LICENCE auth.c configure.ac defines.h includes.h session.c
openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h
openbsd-compat/xcrypt.c] New files [openssh/openbsd-compat/port-uw.c
openssh/openbsd-compat/port-uw.h] Support long passwords (> 8-char)
on UnixWare 7 from Dhiraj Gulati and Ahsan Rashid. Cleanup and testing
by tim@. Feedback and OK dtucker@
20050823
- (dtucker) [regress/test-exec.sh] Do not prepend an extra "/" to a fully-
qualified sshd pathname since some systems (eg Cygwin) may consider "/foo"
and "//foo" to be different. Spotted by vinschen at redhat.com.
- (tim) [configure.ac] Not all gcc's support -Wsign-compare. Enhancements
and OK dtucker@
- (tim) [defines.h] PATH_MAX bits for OpenServer OK dtucker@
20050821
- (dtucker) [configure.ac defines.h includes.h sftp.c] Add support for
LynxOS, patch from Olli Savia (ops at iki.fi). ok djm@
20050816
- (djm) [ttymodes.c] bugzilla #1025: Fix encoding of _POSIX_VDISABLE,
from Jacob Nevins; ok dtucker@
20050815
- (tim) [sftp.c] wrap el_end() in #ifdef USE_LIBEDIT
- (tim) [configure.ac] corrections to libedit tests. Report and patches
by skeleten AT shillest.net
20050812
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2005/07/28 17:36:22
[packet.c]
missing packet_init_compression(); from solar
- djm@cvs.openbsd.org 2005/07/30 01:26:16
[ssh.c]
fix -D listen_host initialisation, so it picks up gateway_ports setting
correctly
- djm@cvs.openbsd.org 2005/07/30 02:03:47
[readconf.c]
listen_hosts initialisation here too; spotted greg AT y2005.nest.cx
- dtucker@cvs.openbsd.org 2005/08/06 10:03:12
[servconf.c]
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@
- jaredy@cvs.openbsd.org 2005/08/08 13:22:48
[sftp.c]
sftp prompt enhancements:
- in non-interactive mode, do not print an empty prompt at the end
before finishing
- print newline after EOF in editline mode
- call el_end() in editline mode
ok dtucker djm
20050810
- (dtucker) [configure.ac] Test libedit library and headers for compatibility.
Report from skeleten AT shillest.net, ok djm@
- (dtucker) [LICENCE configure.ac defines.h openbsd-compat/realpath.c]
Sync current (thread-safe) version of realpath.c from OpenBSD (which is
in turn based on FreeBSD's). ok djm@
20050809
- (tim) [configure.ac] Allow --with-audit=no. OK dtucker@
Report by skeleten AT shillest.net
20050803
- (dtucker) [openbsd-compat/fake-rfc2553.h] Check for EAI_* defines
individually and use a value less likely to collide with real values from
netdb.h. Fixes compile warnings on FreeBSD 5.3. ok djm@
- (dtucker) [openbsd-compat/fake-rfc2553.h] MAX_INT -> INT_MAX since the
latter is specified in the standard.
20050802
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2005/07/27 10:39:03
[scp.c hostfile.c sftp-client.c]
Silence bogus -Wuninitialized warnings; ok djm@
- (dtucker) [configure.ac] Enable -Wuninitialized by default when compiling
with gcc. ok djm@
- (dtucker) [configure.ac] Add a --with-Werror option to configure for
adding -Werror to CFLAGS when all of the configure tests are done. ok djm@
20050726
- (dtucker) [configure.ac] Update zlib warning message too, pointed out by
tim@.
- (djm) OpenBSD CVS Sync
- otto@cvs.openbsd.org 2005/07/19 15:32:26
[auth-passwd.c]
auth_usercheck(3) can return NULL, so check for that. Report from
mpech@. ok markus@
- markus@cvs.openbsd.org 2005/07/25 11:59:40
[kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
[sshconnect2.c sshd.c sshd_config sshd_config.5]
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.
this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@
20050725
- (dtucker) [configure.ac] Update zlib version check for CAN-2005-2096.
20050717
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2005/07/16 01:35:24
[auth1.c channels.c cipher.c clientloop.c kex.c session.c ssh.c]
[sshconnect.c]
spacing
- (djm) [acss.c auth-pam.c auth-shadow.c auth-skey.c auth1.c canohost.c]
[cipher-acss.c loginrec.c ssh-rand-helper.c sshd.c] Fix whitespace at EOL
in portable too ("perl -p -i -e 's/\s+$/\n/' *.[ch]")
- (djm) [auth-pam.c sftp.c] spaces vs. tabs at start of line
- djm@cvs.openbsd.org 2005/07/17 06:49:04
[channels.c channels.h session.c session.h]
Fix a number of X11 forwarding channel leaks:
1. Refuse multiple X11 forwarding requests on the same session
2. Clean up all listeners after a single_connection X11 forward, not just
the one that made the single connection
3. Destroy X11 listeners when the session owning them goes away
testing and ok dtucker@
- djm@cvs.openbsd.org 2005/07/17 07:17:55
[auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c]
[cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c]
[serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c]
[sshconnect.c sshconnect2.c]
knf says that a 2nd level indent is four (not three or five) spaces
-(djm) [audit.c auth1.c auth2.c entropy.c loginrec.c serverloop.c]
[ssh-rand-helper.c] fix portable 2nd level indents at 4 spaces too
- (djm) [monitor.c monitor_wrap.c] -Wsign-compare for PAM monitor calls
20050716
- (dtucker) [auth-pam.c] Ensure that only one side of the authentication
socketpair stays open on in both the monitor and PAM process. Patch from
Joerg Sonnenberger.
20050714
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2005/07/06 09:33:05
[ssh.1]
clarify meaning of ssh -b ; with & ok jmc@
- dtucker@cvs.openbsd.org 2005/07/08 09:26:18
[misc.c]
Make comment match code; ok djm@
- markus@cvs.openbsd.org 2005/07/08 09:41:33
[channels.h]
race when efd gets closed while there is still buffered data:
change CHANNEL_EFD_OUTPUT_ACTIVE()
1) c->efd must always be valid AND
2a) no EOF has been seen OR
2b) there is buffered data
report, initial fix and testing Chuck Cranor
- dtucker@cvs.openbsd.org 2005/07/08 10:20:41
[ssh_config.5]
change BindAddress to match recent ssh -b change; prompted by markus@
- jmc@cvs.openbsd.org 2005/07/08 12:53:10
[ssh_config.5]
new sentence, new line;
- dtucker@cvs.openbsd.org 2005/07/14 04:00:43
[misc.h]
use __sentinel__ attribute; ok deraadt@ djm@ markus@
- (dtucker) [configure.ac defines.h] Define __sentinel__ to nothing if the
compiler doesn't understand it to prevent warnings. If any mainstream
compiler versions acquire it we can test for those versions. Based on
discussion with djm@.
20050707
- dtucker [auth-krb5.c auth.h gss-serv-krb5.c] Move KRB5CCNAME generation for
the MIT Kerberos code path into a common function and expand mkstemp
template to be consistent with the rest of OpenSSH. From sxw at
inf.ed.ac.uk, ok djm@
- (dtucker) [auth-krb5.c] There's no guarantee that snprintf will set errno
in the case where the buffer is insufficient, so always return ENOMEM.
Also pointed out by sxw at inf.ed.ac.uk.
- (dtucker) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Remove
calls to krb5_init_ets, which has not been required since krb-1.1.x and
most Kerberos versions no longer export in their public API. From sxw
at inf.ed.ac.uk, ok djm@
20050706
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2005/07/01 13:19:47
[channels.c]
don't free() if getaddrinfo() fails; report mpech@
- djm@cvs.openbsd.org 2005/07/04 00:58:43
[channels.c clientloop.c clientloop.h misc.c misc.h ssh.c ssh_config.5]
implement support for X11 and agent forwarding over multiplex slave
connections. Because of protocol limitations, the slave connections inherit
the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
their own.
ok dtucker@ "put it in" deraadt@
- jmc@cvs.openbsd.org 2005/07/04 11:29:51
[ssh_config.5]
fix Xr and a little grammar;
- markus@cvs.openbsd.org 2005/07/04 14:04:11
[channels.c]
don't forget to set x11_saved_display
20050626
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2005/06/17 22:53:47
[ssh.c sshconnect.c]
Fix ControlPath's %p expanding to "0" for a default port,
spotted dwmw2 AT infradead.org; ok markus@
- djm@cvs.openbsd.org 2005/06/18 04:30:36
[ssh.c ssh_config.5]
allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@
- djm@cvs.openbsd.org 2005/06/25 22:47:49
[ssh.c]
do the default port filling code a few lines earlier, so it really
does fix %p
20050618
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2005/05/20 12:57:01;
[auth1.c] split protocol 1 auth methods into separate functions, makes
authloop much more readable; fixes and ok markus@ (portable ok &
polish dtucker@)
- djm@cvs.openbsd.org 2005/06/17 02:44:33
[auth1.c] make this -Wsign-compare clean; ok avsm@ markus@
- (djm) [loginrec.c ssh-rand-helper.c] Fix -Wsign-compare for portable,
tested and fixes tim@
20050617
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2005/06/16 03:38:36
[channels.c channels.h clientloop.c clientloop.h ssh.c]
move x11_get_proto from ssh.c to clientloop.c, to make muliplexed xfwd
easier later; ok deraadt@
- markus@cvs.openbsd.org 2005/06/16 08:00:00
[canohost.c channels.c sshd.c]
don't exit if getpeername fails for forwarded ports; bugzilla #1054;
ok djm
- djm@cvs.openbsd.org 2005/06/17 02:44:33
[auth-rsa.c auth.c auth1.c auth2-chall.c auth2-gss.c authfd.c authfile.c]
[bufaux.c canohost.c channels.c cipher.c clientloop.c dns.c gss-serv.c]
[kex.c kex.h key.c mac.c match.c misc.c packet.c packet.h scp.c]
[servconf.c session.c session.h sftp-client.c sftp-server.c sftp.c]
[ssh-keyscan.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
make this -Wsign-compare clean; ok avsm@ markus@
NB. auth1.c changes not committed yet (conflicts with uncommitted sync)
NB2. more work may be needed to make portable Wsign-compare clean
- (dtucker) [cipher.c openbsd-compat/openbsd-compat.h
openbsd-compat/openssl-compat.c] only include openssl compat stuff where
it's needed as it can cause conflicts elsewhere (eg xcrypt.c). Found by
and ok tim@
20050616
- (djm) OpenBSD CVS Sync
- jaredy@cvs.openbsd.org 2005/06/07 13:25:23
[progressmeter.c]
catch SIGWINCH and resize progress meter accordingly; ok markus dtucker
- djm@cvs.openbsd.org 2005/06/06 11:20:36
[auth.c auth.h misc.c misc.h ssh.c ssh_config.5 sshconnect.c]
introduce a generic %foo expansion function. replace existing % expansion
and add expansion to ControlPath; ok markus@
- djm@cvs.openbsd.org 2005/06/08 03:50:00
[ssh-keygen.1 ssh-keygen.c sshd.8]
increase default rsa/dsa key length from 1024 to 2048 bits;
ok markus@ deraadt@
- djm@cvs.openbsd.org 2005/06/08 11:25:09
[clientloop.c readconf.c readconf.h ssh.c ssh_config.5]
add ControlMaster=auto/autoask options to support opportunistic
multiplexing; tested avsm@ and jakob@, ok markus@
- dtucker@cvs.openbsd.org 2005/06/09 13:43:49
[cipher.c]
Correctly initialize end of array sentinel; ok djm@
(Id sync only, change already in portable)
20050609
- (dtucker) [cipher.c openbsd-compat/Makefile.in
openbsd-compat/openbsd-compat.h openbsd-compat/openssl-compat.{c,h}]
Move compatibility code for supporting older OpenSSL versions to the
compat layer. Suggested by and "no objection" djm@
20050607
- (dtucker) [configure.ac] Continue the hunt for LLONG_MIN and LLONG_MAX:
in today's episode we attempt to coax it from limits.h where it may be
hiding, failing that we take the DIY approach. Tested by tim@
20050603
- (dtucker) [configure.ac] Only try gcc -std=gnu99 if LLONG_MAX isn't
defined, and check that it helps before keeping it in CFLAGS. Some old
gcc's don't set an error code when encountering an unknown value in -std.
Found and tested by tim@.
- (dtucker) [configure.ac] Point configure's reporting address at the
openssh-unix-dev list. ok tim@ djm@
20050602
- (tim) [configure.ac] Some platforms need sys/types.h for arpa/nameser.h.
Take AC_CHECK_HEADERS test out of ultrix section. It caused other platforms
to skip builtin standard includes tests. (first AC_CHECK_HEADERS test
must be run on all platforms) Add missing ;; to case statement. OK dtucker@
20050601
- (dtucker) [configure.ac] Look for _getshort and _getlong in
arpa/nameser.h.
- (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoll.c]
Add strtoll to the compat library, from OpenBSD.
- (dtucker) OpenBSD CVS Sync
- avsm@cvs.openbsd.org 2005/05/26 02:08:05
[scp.c]
If copying multiple files to a target file (which normally fails, as it
must be a target directory), kill the spawned ssh child before exiting.
This stops it trying to authenticate and spewing lots of output.
deraadt@ ok
- dtucker@cvs.openbsd.org 2005/05/26 09:08:12
[ssh-keygen.c]
uint32_t -> u_int32_t for consistency; ok djm@
- djm@cvs.openbsd.org 2005/05/27 08:30:37
[ssh.c]
fix -O for cases where no ControlPath has been specified or socket at
ControlPath is not contactable; spotted by and ok avsm@
- (tim) [config.guess config.sub] Update to '2005-05-27' version.
- (tim) [configure.ac] set TEST_SHELL for OpenServer 6
20050531
- (dtucker) [contrib/aix/pam.conf] Correct comments. From davidl at
vintela.com.
- (dtucker) [mdoc2man.awk] Teach it to understand .Ox.
20050530
- (dtucker) [README] Link to new release notes. Beter late than never...
20050529
- (dtucker) [openbsd-compat/port-aix.c] Bug #1046: AIX 5.3 expects the
argument to passwdexpired to be initialized to NULL. Suggested by tim@
While at it, initialize the other arguments to auth functions in case they
ever acquire this behaviour.
- (dtucker) [openbsd-compat/port-aix.c] Whitespace cleanups while there.
- (dtucker) [openbsd-compat/port-aix.c] Minor correction to debug message,
spotted by tim@.
20050528
- (dtucker) [configure.ac] For AC_CHECK_HEADERS() and AC_CHECK_FUNCS() have
one entry per line to make it easier to merge changes. ok djm@
- (dtucker) [configure.ac] strsep() may be defined in string.h, so check
for its presence and include it in the strsep check.
- (dtucker) [configure.ac] getpgrp may be defined in unistd.h, so check for
its presence before doing AC_FUNC_GETPGRP.
- (dtucker) [configure.ac] Merge HP-UX blocks into a common block with minor
version-specific variations as required.
- (dtucker) [openbsd-compat/port-aix.h] Use the HAVE_DECL_* definitions as
per the autoconf man page. Configure should always define them but it
doesn't hurt to check.
20050527
- (djm) [defines.h] Use our realpath if we have to define PATH_MAX, spotted by
David Leach; ok dtucker@
- (dtucker) [acconfig.h configure.ac defines.h includes.h sshpty.c
openbsd-compat/bsd-misc.c] Add support for Ultrix. No, that's not a typo.
Required changes from Bernhard Simon, integrated by me. ok djm@
20050525
- (djm) [mpaux.c mpaux.h Makefile.in] Remove old mpaux.[ch] code, it has not
been used for a while
- (djm) OpenBSD CVS Sync
- otto@cvs.openbsd.org 2005/04/05 13:45:31
[ssh-keygen.c]
- djm@cvs.openbsd.org 2005/04/06 09:43:59
[sshd.c]
avoid harmless logspam by not performing setsockopt() on non-socket;
ok markus@
- dtucker@cvs.openbsd.org 2005/04/06 12:26:06
[ssh.c]
Fix debug call for port forwards; patch from pete at seebeyond.com,
ok djm@ (ID sync only - change already in portable)
- djm@cvs.openbsd.org 2005/04/09 04:32:54
[misc.c misc.h tildexpand.c Makefile.in]
replace tilde_expand_filename with a simpler implementation, ahead of
more whacking; ok deraadt@
- jmc@cvs.openbsd.org 2005/04/14 12:30:30
[ssh.1]
arg to -b is an address, not if_name;
ok markus@
- jakob@cvs.openbsd.org 2005/04/20 10:05:45
[dns.c]
do not try to look up SSHFP for numerical hostname. ok djm@
- djm@cvs.openbsd.org 2005/04/21 06:17:50
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8]
[sshd_config.5] OpenSSH doesn't ever look at the $HOME environment
variable, so don't say that we do (bz #623); ok deraadt@
- djm@cvs.openbsd.org 2005/04/21 11:47:19
[ssh.c]
don't allocate a pty when -n flag (/dev/null stdin) is set, patch from
ignasi.roca AT fujitsu-siemens.com (bz #829); ok dtucker@
- dtucker@cvs.openbsd.org 2005/04/23 23:43:47
[readpass.c]
Add debug message if read_passphrase can't open /dev/tty; bz #471;
ok djm@
- jmc@cvs.openbsd.org 2005/04/26 12:59:02
[sftp-client.h]
spelling correction in comment from wiz@netbsd;
- jakob@cvs.openbsd.org 2005/04/26 13:08:37
[ssh.c ssh_config.5]
fallback gracefully if client cannot connect to ControlPath. ok djm@
- moritz@cvs.openbsd.org 2005/04/28 10:17:56
[progressmeter.c ssh-keyscan.c]
add snprintf checks. ok djm@ markus@
- markus@cvs.openbsd.org 2005/05/02 21:13:22
[readpass.c]
missing {}
- djm@cvs.openbsd.org 2005/05/10 10:28:11
[ssh.c]
print nice error message for EADDRINUSE as well (ID sync only)
- djm@cvs.openbsd.org 2005/05/10 10:30:43
[ssh.c]
report real errors on fallback from ControlMaster=no to normal connect
- markus@cvs.openbsd.org 2005/05/16 15:30:51
[readconf.c servconf.c]
check return value from strdelim() for NULL (AddressFamily); mpech
- djm@cvs.openbsd.org 2005/05/19 02:39:55
[sshd_config.5]
sort config options, from grunk AT pestilenz.org; ok jmc@
- djm@cvs.openbsd.org 2005/05/19 02:40:52
[sshd_config]
whitespace nit, from grunk AT pestilenz.org
- djm@cvs.openbsd.org 2005/05/19 02:42:26
[includes.h]
fix cast, from grunk AT pestilenz.org
- djm@cvs.openbsd.org 2005/05/20 10:50:55
[ssh_config.5]
give a ProxyCommand example using nc(1), with and ok jmc@
- jmc@cvs.openbsd.org 2005/05/20 11:23:32
[ssh_config.5]
oops - article and spacing;
- avsm@cvs.openbsd.org 2005/05/23 22:44:01
[moduli.c ssh-keygen.c]
- removes signed/unsigned comparisons in moduli generation
- use strtonum instead of atoi where its easier
- check some strlcpy overflow and fatal instead of truncate
- djm@cvs.openbsd.org 2005/05/23 23:32:46
[cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5]
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
ok markus@
- avsm@cvs.openbsd.org 2005/05/24 02:05:09
[ssh-keygen.c]
some style nits from dmiller@, and use a fatal() instead of a printf()/exit
- avsm@cvs.openbsd.org 2005/05/24 17:32:44
[atomicio.c atomicio.h authfd.c monitor_wrap.c msg.c scp.c sftp-client.c]
[ssh-keyscan.c sshconnect.c]
Switch atomicio to use a simpler interface; it now returns a size_t
(containing number of bytes read/written), and indicates error by
returning 0. EOF is signalled by errno==EPIPE.
Typical use now becomes:
if (atomicio(read, ..., len) != len)
err(1,"read");
ok deraadt@, cloder@, djm@
- (dtucker) [regress/reexec.sh] Add ${EXEEXT} so this test also works on
Cygwin.
- (dtucker) [auth-pam.c] Bug #1033: Fix warnings building with PAM on Linux:
warning: dereferencing type-punned pointer will break strict-aliasing rules
warning: passing arg 3 of `pam_get_item' from incompatible pointer type
The type-punned pointer fix is based on a patch from SuSE's rpm. ok djm@
- (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1033: Provide
templates for _getshort and _getlong if missing to prevent compiler warnings
on Linux.
- (djm) [configure.ac openbsd-compat/Makefile.in]
[openbsd-compat/openbsd-compat.h openbsd-compat/strtonum.c]
Add strtonum(3) from OpenBSD libc, new code needs it.
Unfortunately Linux forces us to do a bizarre dance with compiler
options to get LLONG_MIN/MAX; Spotted by and ok dtucker@
20050524
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Update spec file versions to 4.1p1
@ -9,7 +502,7 @@
- (dtucker) [openbsd-compat/bsd-cygwin_util.c] Ensure sufficient memory
allocation when retrieving core Windows environment. Add CYGWIN variable
to propagated variables. Patch from vinschen at redhat.com, ok djm@
- (djm) Release 4.1p1
- Release 4.1p1
20050524
- (djm) [openbsd-compat/readpassphrase.c] bz #950: Retry tcsetattr to ensure
@ -2496,4 +2989,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.3758.2.2 2005/05/25 12:24:56 djm Exp $
$Id: ChangeLog,v 1.3887 2005/09/01 09:10:48 djm Exp $

2
crypto/openssh/LICENCE
View File

@ -204,6 +204,7 @@ OpenSSH contains no GPL code.
William Jones
Darren Tucker
Sun Microsystems
The SCO Group
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -255,6 +256,7 @@ OpenSSH contains no GPL code.
Damien Miller
Eric P. Allman
The Regents of the University of California
Constantin S. Svintsoff
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions

8
crypto/openssh/Makefile.in
View File

@ -1,4 +1,4 @@
# $Id: Makefile.in,v 1.270 2005/02/25 23:12:38 dtucker Exp $
# $Id: Makefile.in,v 1.273 2005/05/29 07:22:29 dtucker Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@
@ -66,8 +66,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o buffer.o \
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
log.o match.o moduli.o mpaux.o nchan.o packet.o \
readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o \
log.o match.o moduli.o nchan.o packet.o \
readpass.o rsa.o ttymodes.o xmalloc.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
@ -190,7 +190,7 @@ ssh_prng_cmds.out: ssh_prng_cmds
$(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \
fi
# fake rule to stop make trying to compile moduli.o into a binary "modulo"
# fake rule to stop make trying to compile moduli.o into a binary "moduli.o"
moduli:
echo

9
crypto/openssh/README
View File

@ -1,4 +1,4 @@
See http://www.openssh.com/txt/release-4.0 for the release notes.
See http://www.openssh.com/txt/release-4.2 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@ -56,9 +56,10 @@ References -
[2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
[3] http://www.gzip.org/zlib/
[4] http://www.openssl.org/
[5] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris
and HP-UX 11)
[5] http://www.openpam.org
http://www.kernel.org/pub/linux/libs/pam/
(PAM also is standard on Solaris and HP-UX 11)
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
$Id: README,v 1.57 2005/03/09 03:32:28 dtucker Exp $
$Id: README,v 1.60 2005/08/31 14:05:57 dtucker Exp $

6
crypto/openssh/README.privsep
View File

@ -38,8 +38,8 @@ privsep user and chroot directory:
Privsep requires operating system support for file descriptor passing.
Compression will be disabled on systems without a working mmap MAP_ANON.
PAM-enabled OpenSSH is known to function with privsep on AIX, HP-UX
(including Trusted Mode), Linux and Solaris.
PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
part of privsep is supported. Post-authentication privsep is disabled
@ -60,4 +60,4 @@ process 1005 is the sshd process listening for new connections.
process 6917 is the privileged monitor process, 6919 is the user owned
sshd process and 6921 is the shell process.
$Id: README.privsep,v 1.15 2004/10/06 10:09:32 dtucker Exp $
$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $

4
crypto/openssh/WARNING.RNG
View File

@ -57,7 +57,7 @@ disproportionate time to execute.
Tuning the random helper can be done by running ./ssh-random-helper in
very verbose mode ("-vvv") and identifying the commands that are taking
accessive amounts of time or hanging altogher. Any problem commands can
excessive amounts of time or hanging altogher. Any problem commands can
be modified or removed from ssh_prng_cmds.
The default entropy collector will timeout programs which take too long
@ -92,4 +92,4 @@ If you are forced to use ssh-rand-helper consider still downloading
prngd/egd and configure OpenSSH using --with-prngd-port=xx or
--with-prngd-socket=xx (refer to INSTALL for more information).
$Id: WARNING.RNG,v 1.7 2004/12/06 11:40:11 dtucker Exp $
$Id: WARNING.RNG,v 1.8 2005/05/26 01:47:54 djm Exp $

8
crypto/openssh/acconfig.h
View File

@ -1,4 +1,4 @@
/* $Id: acconfig.h,v 1.181 2005/02/25 23:07:38 dtucker Exp $ */
/* $Id: acconfig.h,v 1.183 2005/07/07 10:33:36 dtucker Exp $ */
/*
* Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@ -119,9 +119,6 @@
/* Define if you are on NeXT */
#undef HAVE_NEXT
/* Define if you are on NEWS-OS */
#undef HAVE_NEWS4
/* Define if you want to enable PAM support */
#undef USE_PAM
@ -205,9 +202,6 @@
/* Define if you don't want to use lastlog in session.c */
#undef NO_SSH_LASTLOG
/* Define if have krb5_init_ets */
#undef KRB5_INIT_ETS
/* Define if you don't want to use utmp */
#undef DISABLE_UTMP

128
crypto/openssh/acss.c
View File

@ -1,4 +1,4 @@
/* $Id: acss.c,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */
/* $Id: acss.c,v 1.3 2005/07/17 07:04:47 djm Exp $ */
/*
* Copyright (c) 2004 The OpenBSD project
*
@ -24,37 +24,37 @@
/* decryption sbox */
static unsigned char sboxdec[] = {
0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76,
0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b,
0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96,
0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b,
0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12,
0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f,
0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90,
0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91,
0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74,
0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75,
0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94,
0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95,
0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10,
0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11,
0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92,
0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f,
0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16,
0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b,
0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6,
0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb,
0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72,
0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f,
0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0,
0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1,
0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14,
0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15,
0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4,
0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5,
0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70,
0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71,
0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2,
0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76,
0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b,
0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96,
0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b,
0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12,
0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f,
0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90,
0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91,
0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74,
0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75,
0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94,
0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95,
0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10,
0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11,
0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92,
0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f,
0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16,
0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b,
0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6,
0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb,
0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72,
0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f,
0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0,
0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1,
0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14,
0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15,
0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4,
0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5,
0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70,
0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71,
0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2,
0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff
};
@ -95,38 +95,38 @@ static unsigned char sboxenc[] = {
};
static unsigned char reverse[] = {
0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
};
/*

14
crypto/openssh/atomicio.c
View File

@ -1,4 +1,5 @@
/*
* Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
* Copyright (c) 1995,1999 Theo de Raadt. All rights reserved.
* All rights reserved.
*
@ -24,14 +25,14 @@
*/
#include "includes.h"
RCSID("$OpenBSD: atomicio.c,v 1.12 2003/07/31 15:50:16 avsm Exp $");
RCSID("$OpenBSD: atomicio.c,v 1.13 2005/05/24 17:32:43 avsm Exp $");
#include "atomicio.h"
/*
* ensure all of data on socket comes through. f==read || f==vwrite
*/
ssize_t
size_t
atomicio(f, fd, _s, n)
ssize_t (*f) (int, void *, size_t);
int fd;
@ -39,7 +40,8 @@ atomicio(f, fd, _s, n)
size_t n;
{
char *s = _s;
ssize_t res, pos = 0;
size_t pos = 0;
ssize_t res;
while (n > pos) {
res = (f) (fd, s + pos, n - pos);
@ -51,10 +53,12 @@ atomicio(f, fd, _s, n)
if (errno == EINTR || errno == EAGAIN)
#endif
continue;
return 0;
case 0:
return (res);
errno = EPIPE;
return pos;
default:
pos += res;
pos += (u_int)res;
}
}
return (pos);

4
crypto/openssh/atomicio.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: atomicio.h,v 1.5 2003/06/28 16:23:06 deraadt Exp $ */
/* $OpenBSD: atomicio.h,v 1.6 2005/05/24 17:32:43 avsm Exp $ */
/*
* Copyright (c) 1995,1999 Theo de Raadt. All rights reserved.
@ -28,6 +28,6 @@
/*
* Ensure all of data on socket comes through. f==read || f==vwrite
*/
ssize_t atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
size_t atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
#define vwrite (ssize_t (*)(int, void *, size_t))write

8
crypto/openssh/audit.c
View File

@ -1,4 +1,4 @@
/* $Id: audit.c,v 1.2 2005/02/08 10:52:48 dtucker Exp $ */
/* $Id: audit.c,v 1.3 2005/07/17 07:26:44 djm Exp $ */
/*
* Copyright (c) 2004, 2005 Darren Tucker. All rights reserved.
@ -120,7 +120,7 @@ void
audit_connection_from(const char *host, int port)
{
debug("audit connection from %s port %d euid %d", host, port,
(int)geteuid());
(int)geteuid());
}
/*
@ -147,7 +147,7 @@ audit_session_open(const char *ttyn)
const char *t = ttyn ? ttyn : "(no tty)";
debug("audit session open euid %d user %s tty name %s", geteuid(),
audit_username(), t);
audit_username(), t);
}
/*
@ -163,7 +163,7 @@ audit_session_close(const char *ttyn)
const char *t = ttyn ? ttyn : "(no tty)";
debug("audit session close euid %d user %s tty name %s", geteuid(),
audit_username(), t);
audit_username(), t);
}
/*

57
crypto/openssh/auth-krb5.c
View File

@ -54,9 +54,6 @@ krb5_init(void *context)
problem = krb5_init_context(&authctxt->krb5_ctx);
if (problem)
return (problem);
#ifdef KRB5_INIT_ETS
krb5_init_ets(authctxt->krb5_ctx);
#endif
}
return (0);
}
@ -67,9 +64,6 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
#ifndef HEIMDAL
krb5_creds creds;
krb5_principal server;
char ccname[40];
int tmpfd;
mode_t old_umask;
#endif
krb5_error_code problem;
krb5_ccache ccache = NULL;
@ -146,26 +140,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
goto out;
}
snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
umask(old_umask);
if (tmpfd == -1) {
logit("mkstemp(): %.100s", strerror(errno));
problem = errno;
goto out;
}
if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
logit("fchmod(): %.100s", strerror(errno));
close(tmpfd);
problem = errno;
goto out;
}
close(tmpfd);
problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
if (problem)
goto out;
@ -234,4 +209,34 @@ krb5_cleanup_proc(Authctxt *authctxt)
}
}
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
int tmpfd, ret;
char ccname[40];
mode_t old_umask;
ret = snprintf(ccname, sizeof(ccname),
"FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
if (ret == -1 || ret >= sizeof(ccname))
return ENOMEM;
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
umask(old_umask);
if (tmpfd == -1) {
logit("mkstemp(): %.100s", strerror(errno));
return errno;
}
if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
logit("fchmod(): %.100s", strerror(errno));
close(tmpfd);
return errno;
}
close(tmpfd);
return (krb5_cc_resolve(ctx, ccname, ccache));
}
#endif /* !HEIMDAL */
#endif /* KRB5 */

45
crypto/openssh/auth-pam.c
View File

@ -47,7 +47,7 @@
/* Based on $FreeBSD$ */
#include "includes.h"
RCSID("$Id: auth-pam.c,v 1.122 2005/05/25 06:18:10 dtucker Exp $");
RCSID("$Id: auth-pam.c,v 1.126 2005/07/17 07:18:50 djm Exp $");
#ifdef USE_PAM
#if defined(HAVE_SECURITY_PAM_APPL_H)
@ -56,6 +56,13 @@ RCSID("$Id: auth-pam.c,v 1.122 2005/05/25 06:18:10 dtucker Exp $");
#include <pam/pam_appl.h>
#endif
/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
#ifdef PAM_SUN_CODEBASE
# define sshpam_const /* Solaris, HP-UX, AIX */
#else
# define sshpam_const const /* LinuxPAM, OpenPAM */
#endif
#include "auth.h"
#include "auth-pam.h"
#include "buffer.h"
@ -116,14 +123,14 @@ static struct pam_ctxt *cleanup_ctxt;
static int sshpam_thread_status = -1;
static mysig_t sshpam_oldsig;
static void
static void
sshpam_sigchld_handler(int sig)
{
signal(SIGCHLD, SIG_DFL);
if (cleanup_ctxt == NULL)
return; /* handler called after PAM cleanup, shouldn't happen */
if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, WNOHANG)
<= 0) {
<= 0) {
/* PAM thread has not exitted, privsep slave must have */
kill(cleanup_ctxt->pam_thread, SIGTERM);
if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0)
@ -150,6 +157,7 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused,
void *(*thread_start)(void *), void *arg)
{
pid_t pid;
struct pam_ctxt *ctx = arg;
sshpam_thread_status = -1;
switch ((pid = fork())) {
@ -157,10 +165,14 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused,
error("fork(): %s", strerror(errno));
return (-1);
case 0:
close(ctx->pam_psock);
ctx->pam_psock = -1;
thread_start(arg);
_exit(1);
default:
*thread = pid;
close(ctx->pam_csock);
ctx->pam_csock = -1;
sshpam_oldsig = signal(SIGCHLD, sshpam_sigchld_handler);
return (0);
}
@ -300,7 +312,7 @@ import_environments(Buffer *b)
* Conversation function for authentication thread.
*/
static int
sshpam_thread_conv(int n, struct pam_message **msg,
sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
Buffer buffer;
@ -399,8 +411,10 @@ sshpam_thread(void *ctxtp)
char **env_from_pam;
u_int i;
const char *pam_user;
const char **ptr_pam_user = &pam_user;
pam_get_item(sshpam_handle, PAM_USER, (void **)&pam_user);
pam_get_item(sshpam_handle, PAM_USER,
(sshpam_const void **)ptr_pam_user);
environ[0] = NULL;
if (sshpam_authctxt != NULL) {
@ -492,7 +506,7 @@ sshpam_thread_cleanup(void)
}
static int
sshpam_null_conv(int n, struct pam_message **msg,
sshpam_null_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
debug3("PAM: %s entering, %d messages", __func__, n);
@ -502,7 +516,7 @@ sshpam_null_conv(int n, struct pam_message **msg,
static struct pam_conv null_conv = { sshpam_null_conv, NULL };
static int
sshpam_store_conv(int n, struct pam_message **msg,
sshpam_store_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
struct pam_response *reply;
@ -571,11 +585,12 @@ sshpam_init(Authctxt *authctxt)
{
extern char *__progname;
const char *pam_rhost, *pam_user, *user = authctxt->user;
const char **ptr_pam_user = &pam_user;
if (sshpam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
sshpam_err = pam_get_item(sshpam_handle,
PAM_USER, (void **)&pam_user);
PAM_USER, (sshpam_const void **)ptr_pam_user);
if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
return (0);
pam_end(sshpam_handle, sshpam_err);
@ -765,7 +780,7 @@ sshpam_respond(void *ctx, u_int num, char **resp)
buffer_init(&buffer);
if (sshpam_authctxt->valid &&
(sshpam_authctxt->pw->pw_uid != 0 ||
options.permit_root_login == PERMIT_YES))
options.permit_root_login == PERMIT_YES))
buffer_put_cstring(&buffer, *resp);
else
buffer_put_cstring(&buffer, badpw);
@ -838,7 +853,7 @@ do_pam_account(void)
sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
pam_strerror(sshpam_handle, sshpam_err));
if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
sshpam_account_status = 0;
return (sshpam_account_status);
@ -891,7 +906,7 @@ do_pam_setcred(int init)
}
static int
sshpam_tty_conv(int n, struct pam_message **msg,
sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
char input[PAM_MAX_MSG_SIZE];
@ -1050,7 +1065,7 @@ free_pam_environment(char **env)
* display.
*/
static int
sshpam_passwd_conv(int n, struct pam_message **msg,
sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
{
struct pam_response *reply;
@ -1096,7 +1111,7 @@ sshpam_passwd_conv(int n, struct pam_message **msg,
*resp = reply;
return (PAM_SUCCESS);
fail:
fail:
for(i = 0; i < n; i++) {
if (reply[i].resp != NULL)
xfree(reply[i].resp);
@ -1129,7 +1144,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
* information via timing (eg if the PAM config has a delay on fail).
*/
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
options.permit_root_login != PERMIT_YES))
options.permit_root_login != PERMIT_YES))
sshpam_password = badpw;
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
@ -1143,7 +1158,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug("PAM: password authentication accepted for %.100s",
authctxt->user);
return 1;
return 1;
} else {
debug("PAM: password authentication failed for %.100s: %s",
authctxt->valid ? authctxt->user : "an illegal user",

4
crypto/openssh/auth-passwd.c
View File

@ -36,7 +36,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-passwd.c,v 1.33 2005/01/24 11:47:13 dtucker Exp $");
RCSID("$OpenBSD: auth-passwd.c,v 1.34 2005/07/19 15:32:26 otto Exp $");
#include "packet.h"
#include "buffer.h"
@ -163,6 +163,8 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
(char *)password);
if (as == NULL)
return (0);
if (auth_getstate(as) & AUTH_PWEXPIRED) {
auth_close(as);
disable_forwarding();

4
crypto/openssh/auth-rh-rsa.c
View File

@ -13,7 +13,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-rh-rsa.c,v 1.37 2003/11/04 08:54:09 djm Exp $");
RCSID("$OpenBSD: auth-rh-rsa.c,v 1.38 2005/07/17 07:17:54 djm Exp $");
#include "packet.h"
#include "uidswap.h"
@ -86,7 +86,7 @@ auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
*/
verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
pw->pw_name, cuser, chost);
pw->pw_name, cuser, chost);
packet_send_debug("Rhosts with RSA host authentication accepted.");
return 1;
}

4
crypto/openssh/auth-rhosts.c
View File

@ -14,7 +14,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-rhosts.c,v 1.32 2003/11/04 08:54:09 djm Exp $");
RCSID("$OpenBSD: auth-rhosts.c,v 1.33 2005/07/17 07:17:54 djm Exp $");
#include "packet.h"
#include "uidswap.h"
@ -133,7 +133,7 @@ check_rhosts_file(const char *filename, const char *hostname,
/* If the entry was negated, deny access. */
if (negated) {
auth_debug_add("Matched negative entry in %.100s.",
filename);
filename);
return 0;
}
/* Accept authentication. */

6
crypto/openssh/auth-rsa.c
View File

@ -14,7 +14,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth-rsa.c,v 1.62 2004/12/11 01:48:56 dtucker Exp $");
RCSID("$OpenBSD: auth-rsa.c,v 1.63 2005/06/17 02:44:32 djm Exp $");
#include <openssl/rsa.h>
#include <openssl/md5.h>
@ -205,6 +205,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp;
char *key_options;
int keybits;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@ -243,7 +244,8 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
continue;
/* check the real bits */
if (bits != BN_num_bits(key->rsa->n))
keybits = BN_num_bits(key->rsa->n);
if (keybits < 0 || bits != (u_int)keybits)
logit("Warning: %s, line %lu: keysize mismatch: "
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);

4
crypto/openssh/auth-shadow.c
View File

@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$Id: auth-shadow.c,v 1.6 2005/02/16 03:20:06 dtucker Exp $");
RCSID("$Id: auth-shadow.c,v 1.7 2005/07/17 07:04:47 djm Exp $");
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
#include <shadow.h>
@ -101,7 +101,7 @@ auth_shadow_pwexpired(Authctxt *ctxt)
#if defined(__hpux) && !defined(HAVE_SECUREWARE)
if (iscomsec()) {
struct pr_passwd *pr;
pr = getprpwnam((char *)user);
/* Test for Trusted Mode expiry disabled */

2
crypto/openssh/auth-skey.c
View File

@ -47,7 +47,7 @@ skey_query(void *ctx, char **name, char **infotxt,
int len;
struct skey skey;
if (_compat_skeychallenge(&skey, authctxt->user, challenge,
if (_compat_skeychallenge(&skey, authctxt->user, challenge,
sizeof(challenge)) == -1)
return -1;

68
crypto/openssh/auth.c
View File

@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth.c,v 1.58 2005/03/14 11:44:42 dtucker Exp $");
RCSID("$OpenBSD: auth.c,v 1.60 2005/06/17 02:44:32 djm Exp $");
#ifdef HAVE_LOGIN_H
#include <login.h>
@ -76,7 +76,7 @@ allowed_user(struct passwd * pw)
struct stat st;
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
char *shell;
int i;
u_int i;
#ifdef USE_SHADOW
struct spwd *spw = NULL;
#endif
@ -97,7 +97,11 @@ allowed_user(struct passwd * pw)
/* grab passwd field for locked account check */
#ifdef USE_SHADOW
if (spw != NULL)
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
passwd = get_iaf_password(pw);
#else
passwd = spw->sp_pwdp;
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
#else
passwd = pw->pw_passwd;
#endif
@ -119,6 +123,9 @@ allowed_user(struct passwd * pw)
if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
locked = 1;
#endif
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
free(passwd);
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
if (locked) {
logit("User %.100s not allowed because account is locked",
pw->pw_name);
@ -326,64 +333,41 @@ auth_root_allowed(char *method)
*
* This returns a buffer allocated by xmalloc.
*/
char *
expand_filename(const char *filename, struct passwd *pw)
static char *
expand_authorized_keys(const char *filename, struct passwd *pw)
{
Buffer buffer;
char *file;
const char *cp;
char *file, *ret;
/*
* Build the filename string in the buffer by making the appropriate
* substitutions to the given file name.
*/
buffer_init(&buffer);
for (cp = filename; *cp; cp++) {
if (cp[0] == '%' && cp[1] == '%') {
buffer_append(&buffer, "%", 1);
cp++;
continue;
}
if (cp[0] == '%' && cp[1] == 'h') {
buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir));
cp++;
continue;
}
if (cp[0] == '%' && cp[1] == 'u') {
buffer_append(&buffer, pw->pw_name,
strlen(pw->pw_name));
cp++;
continue;
}
buffer_append(&buffer, cp, 1);
}
buffer_append(&buffer, "\0", 1);
file = percent_expand(filename, "h", pw->pw_dir,
"u", pw->pw_name, (char *)NULL);
/*
* Ensure that filename starts anchored. If not, be backward
* compatible and prepend the '%h/'
*/
file = xmalloc(MAXPATHLEN);
cp = buffer_ptr(&buffer);
if (*cp != '/')
snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp);
else
strlcpy(file, cp, MAXPATHLEN);
if (*file == '/')
return (file);
buffer_free(&buffer);
return file;
ret = xmalloc(MAXPATHLEN);
if (strlcpy(ret, pw->pw_dir, MAXPATHLEN) >= MAXPATHLEN ||
strlcat(ret, "/", MAXPATHLEN) >= MAXPATHLEN ||
strlcat(ret, file, MAXPATHLEN) >= MAXPATHLEN)
fatal("expand_authorized_keys: path too long");
xfree(file);
return (ret);
}
char *
authorized_keys_file(struct passwd *pw)
{
return expand_filename(options.authorized_keys_file, pw);
return expand_authorized_keys(options.authorized_keys_file, pw);
}
char *
authorized_keys_file2(struct passwd *pw)
{
return expand_filename(options.authorized_keys_file2, pw);
return expand_authorized_keys(options.authorized_keys_file2, pw);
}
/* return ok if key exists in sysfile or userfile */

8
crypto/openssh/auth.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */
/* $OpenBSD: auth.h,v 1.51 2005/06/06 11:20:36 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -163,7 +163,6 @@ char *get_challenge(Authctxt *);
int verify_response(Authctxt *, const char *);
void abandon_challenge_response(Authctxt *);
char *expand_filename(const char *, struct passwd *);
char *authorized_keys_file(struct passwd *);
char *authorized_keys_file2(struct passwd *);
@ -192,4 +191,9 @@ int sys_auth_passwd(Authctxt *, const char *);
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
#define SKEY_PROMPT "\nS/Key Password: "
#if defined(KRB5) && !defined(HEIMDAL)
#include <krb5.h>
krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
#endif
#endif

328
crypto/openssh/auth1.c
View File

@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
RCSID("$OpenBSD: auth1.c,v 1.62 2005/07/16 01:35:24 djm Exp $");
#include "xmalloc.h"
#include "rsa.h"
@ -31,28 +31,182 @@ RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
extern ServerOptions options;
extern Buffer loginmsg;
/*
* convert ssh auth msg type into description
*/
static int auth1_process_password(Authctxt *, char *, size_t);
static int auth1_process_rsa(Authctxt *, char *, size_t);
static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t);
static int auth1_process_tis_challenge(Authctxt *, char *, size_t);
static int auth1_process_tis_response(Authctxt *, char *, size_t);
static char *client_user = NULL; /* Used to fill in remote user for PAM */
struct AuthMethod1 {
int type;
char *name;
int *enabled;
int (*method)(Authctxt *, char *, size_t);
};
const struct AuthMethod1 auth1_methods[] = {
{
SSH_CMSG_AUTH_PASSWORD, "password",
&options.password_authentication, auth1_process_password
},
{
SSH_CMSG_AUTH_RSA, "rsa",
&options.rsa_authentication, auth1_process_rsa
},
{
SSH_CMSG_AUTH_RHOSTS_RSA, "rhosts-rsa",
&options.rhosts_rsa_authentication, auth1_process_rhosts_rsa
},
{
SSH_CMSG_AUTH_TIS, "challenge-response",
&options.challenge_response_authentication,
auth1_process_tis_challenge
},
{
SSH_CMSG_AUTH_TIS_RESPONSE, "challenge-response",
&options.challenge_response_authentication,
auth1_process_tis_response
},
{ -1, NULL, NULL, NULL}
};
static const struct AuthMethod1
*lookup_authmethod1(int type)
{
int i;
for(i = 0; auth1_methods[i].name != NULL; i++)
if (auth1_methods[i].type == type)
return (&(auth1_methods[i]));
return (NULL);
}
static char *
get_authname(int type)
{
static char buf[1024];
switch (type) {
case SSH_CMSG_AUTH_PASSWORD:
return "password";
case SSH_CMSG_AUTH_RSA:
return "rsa";
case SSH_CMSG_AUTH_RHOSTS_RSA:
return "rhosts-rsa";
case SSH_CMSG_AUTH_RHOSTS:
return "rhosts";
case SSH_CMSG_AUTH_TIS:
case SSH_CMSG_AUTH_TIS_RESPONSE:
return "challenge-response";
const struct AuthMethod1 *a;
static char buf[64];
if ((a = lookup_authmethod1(type)) != NULL)
return (a->name);
snprintf(buf, sizeof(buf), "bad-auth-msg-%d", type);
return (buf);
}
static int
auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
{
int authenticated = 0;
char *password;
u_int dlen;
/*
* Read user password. It is in plain text, but was
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
password = packet_get_string(&dlen);
packet_check_eom();
/* Try authentication with the password. */
authenticated = PRIVSEP(auth_password(authctxt, password));
memset(password, 0, dlen);
xfree(password);
return (authenticated);
}
static int
auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
{
int authenticated = 0;
BIGNUM *n;
/* RSA authentication requested. */
if ((n = BN_new()) == NULL)
fatal("do_authloop: BN_new failed");
packet_get_bignum(n);
packet_check_eom();
authenticated = auth_rsa(authctxt, n);
BN_clear_free(n);
return (authenticated);
}
static int
auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
{
int keybits, authenticated = 0;
u_int bits;
Key *client_host_key;
u_int ulen;
/*
* Get client user name. Note that we just have to
* trust the client; root on the client machine can
* claim to be any user.
*/
client_user = packet_get_string(&ulen);
/* Get the client host key. */
client_host_key = key_new(KEY_RSA1);
bits = packet_get_int();
packet_get_bignum(client_host_key->rsa->e);
packet_get_bignum(client_host_key->rsa->n);
keybits = BN_num_bits(client_host_key->rsa->n);
if (keybits < 0 || bits != (u_int)keybits) {
verbose("Warning: keysize mismatch for client_host_key: "
"actual %d, announced %d",
BN_num_bits(client_host_key->rsa->n), bits);
}
snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
return buf;
packet_check_eom();
authenticated = auth_rhosts_rsa(authctxt, client_user,
client_host_key);
key_free(client_host_key);
snprintf(info, infolen, " ruser %.100s", client_user);
return (authenticated);
}
static int
auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
{
char *challenge;
if ((challenge = get_challenge(authctxt)) == NULL)
return (0);
debug("sending challenge '%s'", challenge);
packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
packet_put_cstring(challenge);
xfree(challenge);
packet_send();
packet_write_wait();
return (-1);
}
static int
auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
{
int authenticated = 0;
char *response;
u_int dlen;
response = packet_get_string(&dlen);
packet_check_eom();
authenticated = verify_response(authctxt, response);
memset(response, 'r', dlen);
xfree(response);
return (authenticated);
}
/*
@ -63,14 +217,9 @@ static void
do_authloop(Authctxt *authctxt)
{
int authenticated = 0;
u_int bits;
Key *client_host_key;
BIGNUM *n;
char *client_user, *password;
char info[1024];
u_int dlen;
u_int ulen;
int prev, type = 0;
int prev = 0, type = 0;
const struct AuthMethod1 *meth;
debug("Attempting authentication for %s%.100s.",
authctxt->valid ? "" : "invalid user ", authctxt->user);
@ -95,8 +244,6 @@ do_authloop(Authctxt *authctxt)
packet_send();
packet_write_wait();
client_user = NULL;
for (;;) {
/* default to fail */
authenticated = 0;
@ -118,107 +265,21 @@ do_authloop(Authctxt *authctxt)
type != SSH_CMSG_AUTH_TIS_RESPONSE)
abandon_challenge_response(authctxt);
/* Process the packet. */
switch (type) {
case SSH_CMSG_AUTH_RHOSTS_RSA:
if (!options.rhosts_rsa_authentication) {
verbose("Rhosts with RSA authentication disabled.");
break;
}
/*
* Get client user name. Note that we just have to
* trust the client; root on the client machine can
* claim to be any user.
*/
client_user = packet_get_string(&ulen);
/* Get the client host key. */
client_host_key = key_new(KEY_RSA1);
bits = packet_get_int();
packet_get_bignum(client_host_key->rsa->e);
packet_get_bignum(client_host_key->rsa->n);
if (bits != BN_num_bits(client_host_key->rsa->n))
verbose("Warning: keysize mismatch for client_host_key: "
"actual %d, announced %d",
BN_num_bits(client_host_key->rsa->n), bits);
packet_check_eom();
authenticated = auth_rhosts_rsa(authctxt, client_user,
client_host_key);
key_free(client_host_key);
snprintf(info, sizeof info, " ruser %.100s", client_user);
break;
case SSH_CMSG_AUTH_RSA:
if (!options.rsa_authentication) {
verbose("RSA authentication disabled.");
break;
}
/* RSA authentication requested. */
if ((n = BN_new()) == NULL)
fatal("do_authloop: BN_new failed");
packet_get_bignum(n);
packet_check_eom();
authenticated = auth_rsa(authctxt, n);
BN_clear_free(n);
break;
case SSH_CMSG_AUTH_PASSWORD:
if (!options.password_authentication) {
verbose("Password authentication disabled.");
break;
}
/*
* Read user password. It is in plain text, but was
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
password = packet_get_string(&dlen);
packet_check_eom();
/* Try authentication with the password. */
authenticated = PRIVSEP(auth_password(authctxt, password));
memset(password, 0, strlen(password));
xfree(password);
break;
case SSH_CMSG_AUTH_TIS:
debug("rcvd SSH_CMSG_AUTH_TIS");
if (options.challenge_response_authentication == 1) {
char *challenge = get_challenge(authctxt);
if (challenge != NULL) {
debug("sending challenge '%s'", challenge);
packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
packet_put_cstring(challenge);
xfree(challenge);
packet_send();
packet_write_wait();
continue;
}
}
break;
case SSH_CMSG_AUTH_TIS_RESPONSE:
debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
if (options.challenge_response_authentication == 1) {
char *response = packet_get_string(&dlen);
packet_check_eom();
authenticated = verify_response(authctxt, response);
memset(response, 'r', dlen);
xfree(response);
}
break;
default:
/*
* Any unknown messages will be ignored (and failure
* returned) during authentication.
*/
logit("Unknown message during authentication: type %d", type);
break;
if ((meth = lookup_authmethod1(type)) == NULL) {
logit("Unknown message during authentication: "
"type %d", type);
goto skip;
}
if (!*(meth->enabled)) {
verbose("%s authentication disabled.", meth->name);
goto skip;
}
authenticated = meth->method(authctxt, info, sizeof(info));
if (authenticated == -1)
continue; /* "postponed" */
#ifdef BSD_AUTH
if (authctxt->as) {
auth_close(authctxt->as);
@ -238,7 +299,7 @@ do_authloop(Authctxt *authctxt)
#ifdef HAVE_CYGWIN
if (authenticated &&
!check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
!check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
authctxt->pw)) {
packet_disconnect("Authentication rejected for uid %d.",
authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
@ -247,8 +308,8 @@ do_authloop(Authctxt *authctxt)
#else
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(get_authname(type))) {
authenticated = 0;
!auth_root_allowed(meth->name)) {
authenticated = 0;
# ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
# endif
@ -262,7 +323,7 @@ do_authloop(Authctxt *authctxt)
size_t len;
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
"configuration", authctxt->user);
len = buffer_len(&loginmsg);
buffer_append(&loginmsg, "\0", 1);
msg = buffer_ptr(&loginmsg);
@ -276,6 +337,7 @@ do_authloop(Authctxt *authctxt)
}
#endif
skip:
/* Log before sending the reply */
auth_log(authctxt, authenticated, get_authname(type), info);
@ -341,7 +403,7 @@ do_authentication(Authctxt *authctxt)
/*
* If we are not running as root, the user must have the same uid as
* the server. (Unless you are running Windows)
* the server.
*/
#ifndef HAVE_CYGWIN
if (!use_privsep && getuid() != 0 && authctxt->pw &&

11
crypto/openssh/auth2-chall.c
View File

@ -23,7 +23,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$OpenBSD: auth2-chall.c,v 1.22 2005/01/19 13:11:47 dtucker Exp $");
RCSID("$OpenBSD: auth2-chall.c,v 1.24 2005/07/17 07:17:54 djm Exp $");
#include "ssh2.h"
#include "auth.h"
@ -167,7 +167,7 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt)
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
xfree(t);
debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
kbdintctxt->devices : "<empty>");
kbdintctxt->devices : "<empty>");
} while (kbdintctxt->devices && !kbdintctxt->device);
return kbdintctxt->device ? 1 : 0;
@ -239,8 +239,7 @@ send_userauth_info_request(Authctxt *authctxt)
{
KbdintAuthctxt *kbdintctxt;
char *name, *instr, **prompts;
int i;
u_int *echo_on;
u_int i, *echo_on;
kbdintctxt = authctxt->kbdintctxt;
if (kbdintctxt->device->query(kbdintctxt->ctxt,
@ -273,8 +272,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
{
Authctxt *authctxt = ctxt;
KbdintAuthctxt *kbdintctxt;
int i, authenticated = 0, res, len;
u_int nresp;
int authenticated = 0, res, len;
u_int i, nresp;
char **response = NULL, *method;
if (authctxt == NULL)

9
crypto/openssh/auth2-gss.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-gss.c,v 1.8 2004/06/21 17:36:31 avsm Exp $ */
/* $OpenBSD: auth2-gss.c,v 1.10 2005/07/17 07:17:54 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -61,7 +61,7 @@ userauth_gssapi(Authctxt *authctxt)
int present;
OM_uint32 ms;
u_int len;
char *doid = NULL;
u_char *doid = NULL;
if (!authctxt->valid || authctxt->user == NULL)
return (0);
@ -82,9 +82,8 @@ userauth_gssapi(Authctxt *authctxt)
present = 0;
doid = packet_get_string(&len);
if (len > 2 &&
doid[0] == SSH_GSS_OIDTYPE &&
doid[1] == len - 2) {
if (len > 2 && doid[0] == SSH_GSS_OIDTYPE &&
doid[1] == len - 2) {
goid.elements = doid + 2;
goid.length = len - 2;
gss_test_oid_set_member(&ms, &goid, supported,

2
crypto/openssh/auth2.c
View File

@ -234,7 +234,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
packet_write_wait();
}
fatal("Access denied for user %s by PAM account "
"configuration", authctxt->user);
"configuration", authctxt->user);
}
}
#endif

12
crypto/openssh/authfd.c
View File

@ -35,7 +35,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: authfd.c,v 1.64 2004/08/11 21:44:31 avsm Exp $");
RCSID("$OpenBSD: authfd.c,v 1.66 2005/06/17 02:44:32 djm Exp $");
#include <openssl/evp.h>
@ -114,8 +114,7 @@ ssh_get_authentication_socket(void)
static int
ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply)
{
int l;
u_int len;
u_int l, len;
char buf[1024];
/* Get the length of the message, and format it in the buffer. */
@ -149,8 +148,7 @@ ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply
l = len;
if (l > sizeof(buf))
l = sizeof(buf);
l = atomicio(read, auth->fd, buf, l);
if (l <= 0) {
if (atomicio(read, auth->fd, buf, l) != l) {
error("Error reading response from authentication socket.");
return 0;
}
@ -303,6 +301,7 @@ ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int versi
Key *
ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int version)
{
int keybits;
u_int bits;
u_char *blob;
u_int blen;
@ -323,7 +322,8 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
buffer_get_bignum(&auth->identities, key->rsa->e);
buffer_get_bignum(&auth->identities, key->rsa->n);
*comment = buffer_get_string(&auth->identities, NULL);
if (bits != BN_num_bits(key->rsa->n))
keybits = BN_num_bits(key->rsa->n);
if (keybits < 0 || bits != (u_int)keybits)
logit("Warning: identity keysize mismatch: actual %d, announced %u",
BN_num_bits(key->rsa->n), bits);
break;

16
crypto/openssh/authfile.c
View File

@ -36,7 +36,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: authfile.c,v 1.60 2004/12/11 01:48:56 dtucker Exp $");
RCSID("$OpenBSD: authfile.c,v 1.61 2005/06/17 02:44:32 djm Exp $");
#include <openssl/err.h>
#include <openssl/evp.h>
@ -52,6 +52,7 @@ RCSID("$OpenBSD: authfile.c,v 1.60 2004/12/11 01:48:56 dtucker Exp $");
#include "authfile.h"
#include "rsa.h"
#include "misc.h"
#include "atomicio.h"
/* Version identification string for SSH v1 identity files. */
static const char authfile_id_string[] =
@ -147,8 +148,8 @@ key_save_private_rsa1(Key *key, const char *filename, const char *passphrase,
buffer_free(&encrypted);
return 0;
}
if (write(fd, buffer_ptr(&encrypted), buffer_len(&encrypted)) !=
buffer_len(&encrypted)) {
if (atomicio(vwrite, fd, buffer_ptr(&encrypted),
buffer_len(&encrypted)) != buffer_len(&encrypted)) {
error("write to key file %s failed: %s", filename,
strerror(errno));
buffer_free(&encrypted);
@ -236,7 +237,7 @@ key_load_public_rsa1(int fd, const char *filename, char **commentp)
Key *pub;
struct stat st;
char *cp;
int i;
u_int i;
size_t len;
if (fstat(fd, &st) < 0) {
@ -253,7 +254,7 @@ key_load_public_rsa1(int fd, const char *filename, char **commentp)
buffer_init(&buffer);
cp = buffer_append_space(&buffer, len);
if (read(fd, cp, (size_t) len) != (size_t) len) {
if (atomicio(read, fd, cp, len) != len) {
debug("Read from key file %.200s failed: %.100s", filename,
strerror(errno));
buffer_free(&buffer);
@ -322,7 +323,8 @@ static Key *
key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
char **commentp)
{
int i, check1, check2, cipher_type;
u_int i;
int check1, check2, cipher_type;
size_t len;
Buffer buffer, decrypted;
u_char *cp;
@ -347,7 +349,7 @@ key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
buffer_init(&buffer);
cp = buffer_append_space(&buffer, len);
if (read(fd, cp, (size_t) len) != (size_t) len) {
if (atomicio(read, fd, cp, len) != len) {
debug("Read from key file %.200s failed: %.100s", filename,
strerror(errno));
buffer_free(&buffer);

4
crypto/openssh/bufaux.c
View File

@ -37,7 +37,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: bufaux.c,v 1.35 2005/03/10 22:01:05 deraadt Exp $");
RCSID("$OpenBSD: bufaux.c,v 1.36 2005/06/17 02:44:32 djm Exp $");
#include <openssl/bn.h>
#include "bufaux.h"
@ -154,7 +154,7 @@ buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
buf[0] = 0x00;
/* Get the value of in binary */
oi = BN_bn2bin(value, buf+1);
if (oi != bytes-1) {
if (oi < 0 || (u_int)oi != bytes - 1) {
error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
"oi %d != bin_size %d", oi, bytes);
xfree(buf);

9
crypto/openssh/canohost.c
View File

@ -12,7 +12,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: canohost.c,v 1.42 2005/02/18 03:05:53 djm Exp $");
RCSID("$OpenBSD: canohost.c,v 1.44 2005/06/17 02:44:32 djm Exp $");
#include "packet.h"
#include "xmalloc.h"
@ -143,7 +143,8 @@ check_ip_options(int sock, char *ipaddr)
u_char options[200];
char text[sizeof(options) * 3 + 1];
socklen_t option_size;
int i, ipproto;
u_int i;
int ipproto;
struct protoent *ip;
if ((ip = getprotobyname("ip")) != NULL)
@ -173,7 +174,7 @@ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
struct in_addr inaddr;
u_int16_t port;
if (addr->ss_family != AF_INET6 ||
if (addr->ss_family != AF_INET6 ||
!IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr))
return;
@ -346,7 +347,7 @@ get_sock_port(int sock, int local)
} else {
if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
debug("getpeername failed: %.100s", strerror(errno));
cleanup_exit(255);
return -1;
}
}

106
crypto/openssh/channels.c
View File

@ -39,7 +39,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: channels.c,v 1.214 2005/03/14 11:46:56 markus Exp $");
RCSID("$OpenBSD: channels.c,v 1.223 2005/07/17 07:17:54 djm Exp $");
#include "ssh.h"
#include "ssh1.h"
@ -111,6 +111,9 @@ static int all_opens_permitted = 0;
/* Maximum number of fake X11 displays to try. */
#define MAX_DISPLAYS 1000
/* Saved X11 local (client) display. */
static char *x11_saved_display = NULL;
/* Saved X11 authentication protocol name. */
static char *x11_saved_proto = NULL;
@ -727,8 +730,8 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
FD_SET(c->wfd, writeset);
} else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
debug2("channel %d: obuf_empty delayed efd %d/(%d)",
c->self, c->efd, buffer_len(&c->extended));
debug2("channel %d: obuf_empty delayed efd %d/(%d)",
c->self, c->efd, buffer_len(&c->extended));
else
chan_obuf_empty(c);
}
@ -894,7 +897,7 @@ static int
channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
{
char *p, *host;
int len, have, i, found;
u_int len, have, i, found;
char username[256];
struct {
u_int8_t version;
@ -979,7 +982,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
} s5_req, s5_rsp;
u_int16_t dest_port;
u_char *p, dest_addr[255+1];
int i, have, found, nmethods, addrlen, af;
u_int have, i, found, nmethods, addrlen, af;
debug2("channel %d: decode socks5", c->self);
p = buffer_ptr(&c->input);
@ -1075,7 +1078,8 @@ static void
channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
{
u_char *p;
int have, ret;
u_int have;
int ret;
have = buffer_len(&c->input);
c->delayed = 0;
@ -1178,7 +1182,7 @@ port_open_helper(Channel *c, char *rtype)
int direct;
char buf[1024];
char *remote_ipaddr = get_peer_ipaddr(c->sock);
u_short remote_port = get_peer_port(c->sock);
int remote_port = get_peer_port(c->sock);
direct = (strcmp(rtype, "direct-tcpip") == 0);
@ -1208,7 +1212,7 @@ port_open_helper(Channel *c, char *rtype)
}
/* originator host and port */
packet_put_cstring(remote_ipaddr);
packet_put_int(remote_port);
packet_put_int((u_int)remote_port);
packet_send();
} else {
packet_start(SSH_MSG_PORT_OPEN);
@ -1809,8 +1813,8 @@ channel_output_poll(void)
* hack for extended data: delay EOF if EFD still in use.
*/
if (CHANNEL_EFD_INPUT_ACTIVE(c))
debug2("channel %d: ibuf_empty delayed efd %d/(%d)",
c->self, c->efd, buffer_len(&c->extended));
debug2("channel %d: ibuf_empty delayed efd %d/(%d)",
c->self, c->efd, buffer_len(&c->extended));
else
chan_ibuf_empty(c);
}
@ -2195,11 +2199,11 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
if (host == NULL) {
error("No forward host name.");
return success;
return 0;
}
if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) {
error("Forward host name too long.");
return success;
return 0;
}
/*
@ -2250,12 +2254,10 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
packet_disconnect("getaddrinfo: fatal error: %s",
gai_strerror(r));
} else {
verbose("channel_setup_fwd_listener: "
"getaddrinfo(%.64s): %s", addr, gai_strerror(r));
packet_send_debug("channel_setup_fwd_listener: "
error("channel_setup_fwd_listener: "
"getaddrinfo(%.64s): %s", addr, gai_strerror(r));
}
aitop = NULL;
return 0;
}
for (ai = aitop; ai; ai = ai->ai_next) {
@ -2657,7 +2659,7 @@ channel_send_window_changes(void)
*/
int
x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
int single_connection, u_int *display_numberp)
int single_connection, u_int *display_numberp, int **chanids)
{
Channel *nc = NULL;
int display_number, sock;
@ -2747,6 +2749,8 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
}
/* Allocate a channel for each socket. */
if (chanids != NULL)
*chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
for (n = 0; n < num_socks; n++) {
sock = socks[n];
nc = channel_new("x11 listener",
@ -2754,7 +2758,11 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
0, "X11 inet listener", 1);
nc->single_connection = single_connection;
if (*chanids != NULL)
(*chanids)[n] = nc->self;
}
if (*chanids != NULL)
(*chanids)[n] = -1;
/* Return the display number for the DISPLAY environment variable. */
*display_numberp = display_number;
@ -2952,19 +2960,27 @@ deny_input_open(int type, u_int32_t seq, void *ctxt)
* This should be called in the client only.
*/
void
x11_request_forwarding_with_spoofing(int client_session_id,
x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
const char *proto, const char *data)
{
u_int data_len = (u_int) strlen(data) / 2;
u_int i, value, len;
u_int i, value;
char *new_data;
int screen_number;
const char *cp;
u_int32_t rnd = 0;
cp = getenv("DISPLAY");
if (cp)
cp = strchr(cp, ':');
if (x11_saved_display == NULL)
x11_saved_display = xstrdup(disp);
else if (strcmp(disp, x11_saved_display) != 0) {
error("x11_request_forwarding_with_spoofing: different "
"$DISPLAY already forwarded");
return;
}
cp = disp;
if (disp)
cp = strchr(disp, ':');
if (cp)
cp = strchr(cp, '.');
if (cp)
@ -2972,33 +2988,31 @@ x11_request_forwarding_with_spoofing(int client_session_id,
else
screen_number = 0;
/* Save protocol name. */
x11_saved_proto = xstrdup(proto);
/*
* Extract real authentication data and generate fake data of the
* same length.
*/
x11_saved_data = xmalloc(data_len);
x11_fake_data = xmalloc(data_len);
for (i = 0; i < data_len; i++) {
if (sscanf(data + 2 * i, "%2x", &value) != 1)
fatal("x11_request_forwarding: bad authentication data: %.100s", data);
if (i % 4 == 0)
rnd = arc4random();
x11_saved_data[i] = value;
x11_fake_data[i] = rnd & 0xff;
rnd >>= 8;
if (x11_saved_proto == NULL) {
/* Save protocol name. */
x11_saved_proto = xstrdup(proto);
/*
* Extract real authentication data and generate fake data
* of the same length.
*/
x11_saved_data = xmalloc(data_len);
x11_fake_data = xmalloc(data_len);
for (i = 0; i < data_len; i++) {
if (sscanf(data + 2 * i, "%2x", &value) != 1)
fatal("x11_request_forwarding: bad "
"authentication data: %.100s", data);
if (i % 4 == 0)
rnd = arc4random();
x11_saved_data[i] = value;
x11_fake_data[i] = rnd & 0xff;
rnd >>= 8;
}
x11_saved_data_len = data_len;
x11_fake_data_len = data_len;
}
x11_saved_data_len = data_len;
x11_fake_data_len = data_len;
/* Convert the fake data into hex. */
len = 2 * data_len + 1;
new_data = xmalloc(len);
for (i = 0; i < data_len; i++)
snprintf(new_data + 2 * i, len - 2 * i,
"%02x", (u_char) x11_fake_data[i]);
new_data = tohex(x11_fake_data, data_len);
/* Send the request packet. */
if (compat20) {

9
crypto/openssh/channels.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: channels.h,v 1.76 2005/03/01 10:09:52 djm Exp $ */
/* $OpenBSD: channels.h,v 1.79 2005/07/17 06:49:04 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -149,7 +149,7 @@ struct Channel {
buffer_len(&c->extended) > 0))
#define CHANNEL_EFD_OUTPUT_ACTIVE(c) \
(compat20 && c->extended_usage == CHAN_EXTENDED_WRITE && \
((c->efd != -1 && !(c->flags & (CHAN_EOF_RCVD|CHAN_CLOSE_RCVD))) || \
c->efd != -1 && (!(c->flags & (CHAN_EOF_RCVD|CHAN_CLOSE_RCVD)) || \
buffer_len(&c->extended) > 0))
/* channel management */
@ -214,9 +214,10 @@ int channel_cancel_rport_listener(const char *, u_short);
/* x11 forwarding */
int x11_connect_display(void);
int x11_create_display_inet(int, int, int, u_int *);
int x11_create_display_inet(int, int, int, u_int *, int **);
void x11_input_open(int, u_int32_t, void *);
void x11_request_forwarding_with_spoofing(int, const char *, const char *);
void x11_request_forwarding_with_spoofing(int, const char *, const char *,
const char *);
void deny_input_open(int, u_int32_t, void *);
/* agent forwarding */

6
crypto/openssh/cipher-acss.c
View File

@ -17,7 +17,7 @@
#include "includes.h"
#include <openssl/evp.h>
RCSID("$Id: cipher-acss.c,v 1.2 2004/02/06 04:26:11 dtucker Exp $");
RCSID("$Id: cipher-acss.c,v 1.3 2005/07/17 07:04:47 djm Exp $");
#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
@ -33,7 +33,7 @@ typedef struct {
#define EVP_CTRL_SET_ACSS_SUBKEY 0xff07
static int
acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA);
@ -41,7 +41,7 @@ acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
}
static int
acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
unsigned int inl)
{
acss(&data(ctx)->ks,inl,in,out);

4
crypto/openssh/cipher-ctr.c
View File

@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
RCSID("$OpenBSD: cipher-ctr.c,v 1.5 2004/12/22 02:13:19 djm Exp $");
RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $");
#include <openssl/evp.h>
@ -95,7 +95,7 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
}
if (key != NULL)
AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
&c->aes_ctx);
&c->aes_ctx);
if (iv != NULL)
memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
return (1);

100
crypto/openssh/cipher.c
View File

@ -35,7 +35,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: cipher.c,v 1.73 2005/01/23 10:18:12 djm Exp $");
RCSID("$OpenBSD: cipher.c,v 1.77 2005/07/16 01:35:24 djm Exp $");
#include "xmalloc.h"
#include "log.h"
@ -43,25 +43,8 @@ RCSID("$OpenBSD: cipher.c,v 1.73 2005/01/23 10:18:12 djm Exp $");
#include <openssl/md5.h>
#if OPENSSL_VERSION_NUMBER < 0x00906000L
#define SSH_OLD_EVP
#define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
#endif
#if OPENSSL_VERSION_NUMBER < 0x00907000L
extern const EVP_CIPHER *evp_rijndael(void);
extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
#endif
#if !defined(EVP_CTRL_SET_ACSS_MODE)
# if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
extern const EVP_CIPHER *evp_acss(void);
# define EVP_acss evp_acss
# define EVP_CTRL_SET_ACSS_MODE xxx /* used below */
# else
# define EVP_acss NULL /* Don't try to support ACSS on older OpenSSL */
# endif /* (OPENSSL_VERSION_NUMBER >= 0x00906000L) */
#endif /* !defined(EVP_CTRL_SET_ACSS_MODE) */
/* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h"
extern const EVP_CIPHER *evp_ssh1_bf(void);
extern const EVP_CIPHER *evp_ssh1_3des(void);
@ -74,39 +57,32 @@ struct Cipher {
int number; /* for ssh1 only */
u_int block_size;
u_int key_len;
u_int discard_len;
const EVP_CIPHER *(*evptype)(void);
} ciphers[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf },
{ "none", SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc },
{ "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc },
{ "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc },
{ "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 },
#if OPENSSL_VERSION_NUMBER < 0x00907000L
{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael },
{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael },
{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc },
{ "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc },
{ "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_cast5_cbc },
{ "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 },
{ "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 },
{ "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 },
{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc },
{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc },
{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
{ "rijndael-cbc@lysator.liu.se",
SSH_CIPHER_SSH2, 16, 32, evp_rijndael },
#else
{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc },
{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc },
{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
{ "rijndael-cbc@lysator.liu.se",
SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
{ "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr },
{ "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_128_ctr },
{ "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_128_ctr },
#ifdef USE_CIPHER_ACSS
{ "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, EVP_acss },
#endif
#if OPENSSL_VERSION_NUMBER >= 0x00905000L
{ "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr },
{ "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr },
{ "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr },
#endif
#if defined(EVP_CTRL_SET_ACSS_MODE)
{ "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss },
#endif
{ NULL, SSH_CIPHER_INVALID, 0, 0, NULL }
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, NULL }
};
/*--*/
@ -222,8 +198,9 @@ cipher_init(CipherContext *cc, Cipher *cipher,
EVP_CIPHER *type;
#else
const EVP_CIPHER *type;
#endif
int klen;
#endif
u_char *junk, *discard;
if (cipher->number == SSH_CIPHER_DES) {
if (dowarn) {
@ -261,7 +238,7 @@ cipher_init(CipherContext *cc, Cipher *cipher,
fatal("cipher_init: EVP_CipherInit failed for %s",
cipher->name);
klen = EVP_CIPHER_CTX_key_length(&cc->evp);
if (klen > 0 && keylen != klen) {
if (klen > 0 && keylen != (u_int)klen) {
debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
fatal("cipher_init: set keylen failed (%d -> %d)",
@ -271,6 +248,17 @@ cipher_init(CipherContext *cc, Cipher *cipher,
fatal("cipher_init: EVP_CipherInit: set key failed for %s",
cipher->name);
#endif
if (cipher->discard_len > 0) {
junk = xmalloc(cipher->discard_len);
discard = xmalloc(cipher->discard_len);
if (EVP_Cipher(&cc->evp, discard, junk,
cipher->discard_len) == 0)
fatal("evp_crypt: EVP_Cipher failed during discard");
memset(discard, 0, cipher->discard_len);
xfree(junk);
xfree(discard);
}
}
void
@ -278,23 +266,15 @@ cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
{
if (len % cc->cipher->block_size)
fatal("cipher_encrypt: bad plaintext length %d", len);
#ifdef SSH_OLD_EVP
EVP_Cipher(&cc->evp, dest, (u_char *)src, len);
#else
if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
fatal("evp_crypt: EVP_Cipher failed");
#endif
}
void
cipher_cleanup(CipherContext *cc)
{
#ifdef SSH_OLD_EVP
EVP_CIPHER_CTX_cleanup(&cc->evp);
#else
if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
#endif
}
/*
@ -349,9 +329,9 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
case SSH_CIPHER_DES:
case SSH_CIPHER_BLOWFISH:
evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
if (evplen == 0)
if (evplen <= 0)
return;
if (evplen != len)
if ((u_int)evplen != len)
fatal("%s: wrong iv length %d != %d", __func__,
evplen, len);
#if OPENSSL_VERSION_NUMBER < 0x00907000L

153
crypto/openssh/clientloop.c
View File

@ -59,7 +59,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: clientloop.c,v 1.136 2005/03/10 22:01:05 deraadt Exp $");
RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $");
#include "ssh.h"
#include "ssh1.h"
@ -140,6 +140,8 @@ int session_ident = -1;
struct confirm_ctx {
int want_tty;
int want_subsys;
int want_x_fwd;
int want_agent_fwd;
Buffer cmd;
char *term;
struct termios tio;
@ -208,6 +210,109 @@ get_current_time(void)
return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
}
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
void
client_x11_get_proto(const char *display, const char *xauth_path,
u_int trusted, char **_proto, char **_data)
{
char cmd[1024];
char line[512];
char xdisplay[512];
static char proto[512], data[512];
FILE *f;
int got_data = 0, generated = 0, do_unlink = 0, i;
char *xauthdir, *xauthfile;
struct stat st;
xauthdir = xauthfile = NULL;
*_proto = proto;
*_data = data;
proto[0] = data[0] = '\0';
if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
debug("No xauth program.");
} else {
if (display == NULL) {
debug("x11_get_proto: DISPLAY not set");
return;
}
/*
* Handle FamilyLocal case where $DISPLAY does
* not match an authorization entry. For this we
* just try "xauth list unix:displaynum.screennum".
* XXX: "localhost" match to determine FamilyLocal
* is not perfect.
*/
if (strncmp(display, "localhost:", 10) == 0) {
snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
display + 10);
display = xdisplay;
}
if (trusted == 0) {
xauthdir = xmalloc(MAXPATHLEN);
xauthfile = xmalloc(MAXPATHLEN);
strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);
if (mkdtemp(xauthdir) != NULL) {
do_unlink = 1;
snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
xauthdir);
snprintf(cmd, sizeof(cmd),
"%s -f %s generate %s " SSH_X11_PROTO
" untrusted timeout 1200 2>" _PATH_DEVNULL,
xauth_path, xauthfile, display);
debug2("x11_get_proto: %s", cmd);
if (system(cmd) == 0)
generated = 1;
}
}
snprintf(cmd, sizeof(cmd),
"%s %s%s list %s . 2>" _PATH_DEVNULL,
xauth_path,
generated ? "-f " : "" ,
generated ? xauthfile : "",
display);
debug2("x11_get_proto: %s", cmd);
f = popen(cmd, "r");
if (f && fgets(line, sizeof(line), f) &&
sscanf(line, "%*s %511s %511s", proto, data) == 2)
got_data = 1;
if (f)
pclose(f);
}
if (do_unlink) {
unlink(xauthfile);
rmdir(xauthdir);
}
if (xauthdir)
xfree(xauthdir);
if (xauthfile)
xfree(xauthfile);
/*
* If we didn't get authentication data, just make up some
* data. The forwarding code will check the validity of the
* response anyway, and substitute this data. The X11
* server, however, will ignore this fake data and use
* whatever authentication mechanisms it was using otherwise
* for the local connection.
*/
if (!got_data) {
u_int32_t rnd = 0;
logit("Warning: No xauth data; "
"using fake authentication data for X11 forwarding.");
strlcpy(proto, SSH_X11_PROTO, sizeof proto);
for (i = 0; i < 16; i++) {
if (i % 4 == 0)
rnd = arc4random();
snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
rnd & 0xff);
rnd >>= 8;
}
}
}
/*
* This is called when the interactive is entered. This checks if there is
* an EOF coming on stdin. We must check this explicitly, as select() does
@ -528,6 +633,7 @@ static void
client_extra_session2_setup(int id, void *arg)
{
struct confirm_ctx *cctx = arg;
const char *display;
Channel *c;
int i;
@ -536,6 +642,24 @@ client_extra_session2_setup(int id, void *arg)
if ((c = channel_lookup(id)) == NULL)
fatal("%s: no channel for id %d", __func__, id);
display = getenv("DISPLAY");
if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
char *proto, *data;
/* Get reasonable local authentication information. */
client_x11_get_proto(display, options.xauth_location,
options.forward_x11_trusted, &proto, &data);
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication spoofing.");
x11_request_forwarding_with_spoofing(id, display, proto, data);
/* XXX wait for reply */
}
if (cctx->want_agent_fwd && options.forward_agent) {
debug("Requesting authentication agent forwarding.");
channel_request_start(id, "auth-agent-req@openssh.com", 0);
packet_send();
}
client_session2_setup(id, cctx->want_tty, cctx->want_subsys,
cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env,
client_subsystem_reply);
@ -556,12 +680,12 @@ client_process_control(fd_set * readset)
{
Buffer m;
Channel *c;
int client_fd, new_fd[3], ver, i, allowed;
int client_fd, new_fd[3], ver, allowed;
socklen_t addrlen;
struct sockaddr_storage addr;
struct confirm_ctx *cctx;
char *cmd;
u_int len, env_len, command, flags;
u_int i, len, env_len, command, flags;
uid_t euid;
gid_t egid;
@ -601,7 +725,7 @@ client_process_control(fd_set * readset)
buffer_free(&m);
return;
}
if ((ver = buffer_get_char(&m)) != 1) {
if ((ver = buffer_get_char(&m)) != SSHMUX_VER) {
error("%s: wrong client version %d", __func__, ver);
buffer_free(&m);
close(client_fd);
@ -616,13 +740,15 @@ client_process_control(fd_set * readset)
switch (command) {
case SSHMUX_COMMAND_OPEN:
if (options.control_master == 2)
if (options.control_master == SSHCTL_MASTER_ASK ||
options.control_master == SSHCTL_MASTER_AUTO_ASK)
allowed = ask_permission("Allow shared connection "
"to %s? ", host);
/* continue below */
break;
case SSHMUX_COMMAND_TERMINATE:
if (options.control_master == 2)
if (options.control_master == SSHCTL_MASTER_ASK ||
options.control_master == SSHCTL_MASTER_AUTO_ASK)
allowed = ask_permission("Terminate shared connection "
"to %s? ", host);
if (allowed)
@ -633,7 +759,7 @@ client_process_control(fd_set * readset)
buffer_clear(&m);
buffer_put_int(&m, allowed);
buffer_put_int(&m, getpid());
if (ssh_msg_send(client_fd, /* version */1, &m) == -1) {
if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) {
error("%s: client msg_send failed", __func__);
close(client_fd);
buffer_free(&m);
@ -653,7 +779,7 @@ client_process_control(fd_set * readset)
buffer_clear(&m);
buffer_put_int(&m, allowed);
buffer_put_int(&m, getpid());
if (ssh_msg_send(client_fd, /* version */1, &m) == -1) {
if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) {
error("%s: client msg_send failed", __func__);
close(client_fd);
buffer_free(&m);
@ -674,7 +800,7 @@ client_process_control(fd_set * readset)
buffer_free(&m);
return;
}
if ((ver = buffer_get_char(&m)) != 1) {
if ((ver = buffer_get_char(&m)) != SSHMUX_VER) {
error("%s: wrong client version %d", __func__, ver);
buffer_free(&m);
close(client_fd);
@ -685,6 +811,8 @@ client_process_control(fd_set * readset)
memset(cctx, 0, sizeof(*cctx));
cctx->want_tty = (flags & SSHMUX_FLAG_TTY) != 0;
cctx->want_subsys = (flags & SSHMUX_FLAG_SUBSYS) != 0;
cctx->want_x_fwd = (flags & SSHMUX_FLAG_X11_FWD) != 0;
cctx->want_agent_fwd = (flags & SSHMUX_FLAG_AGENT_FWD) != 0;
cctx->term = buffer_get_string(&m, &len);
cmd = buffer_get_string(&m, &len);
@ -718,7 +846,7 @@ client_process_control(fd_set * readset)
/* This roundtrip is just for synchronisation of ttymodes */
buffer_clear(&m);
if (ssh_msg_send(client_fd, /* version */1, &m) == -1) {
if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) {
error("%s: client msg_send failed", __func__);
close(client_fd);
close(new_fd[0]);
@ -866,7 +994,10 @@ process_escapes(Buffer *bin, Buffer *bout, Buffer *berr, char *buf, int len)
u_char ch;
char *s;
for (i = 0; i < len; i++) {
if (len <= 0)
return (0);
for (i = 0; i < (u_int)len; i++) {
/* Get one character at a time. */
ch = buf[i];

9
crypto/openssh/clientloop.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.h,v 1.12 2004/11/07 00:01:46 djm Exp $ */
/* $OpenBSD: clientloop.h,v 1.14 2005/07/04 00:58:43 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -37,10 +37,15 @@
/* Client side main loop for the interactive session. */
int client_loop(int, int, int);
void client_x11_get_proto(const char *, const char *, u_int,
char **, char **);
void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(int, int, int, const char *, struct termios *,
int, Buffer *, char **, dispatch_fn *);
/* Multiplexing protocol version */
#define SSHMUX_VER 1
/* Multiplexing control protocol flags */
#define SSHMUX_COMMAND_OPEN 1 /* Open new connection */
#define SSHMUX_COMMAND_ALIVE_CHECK 2 /* Check master is alive */
@ -48,3 +53,5 @@ void client_session2_setup(int, int, int, const char *, struct termios *,
#define SSHMUX_FLAG_TTY (1) /* Request tty on open */
#define SSHMUX_FLAG_SUBSYS (1<<1) /* Subsystem request on open */
#define SSHMUX_FLAG_X11_FWD (1<<2) /* Request X11 forwarding */
#define SSHMUX_FLAG_AGENT_FWD (1<<3) /* Request agent forwarding */

590
crypto/openssh/config.guess vendored
View File

File diff suppressed because it is too large Load Diff

136
crypto/openssh/config.sub vendored
View File

@ -1,9 +1,9 @@
#! /bin/sh
# Configuration validation subroutine script.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
# 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
# 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
timestamp='2003-08-18'
timestamp='2005-05-12'
# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
@ -21,14 +21,15 @@ timestamp='2003-08-18'
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
# 02110-1301, USA.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# Please send patches to <config-patches@gnu.org>. Submit a context
# diff and a properly formatted ChangeLog entry.
#
@ -70,7 +71,7 @@ Report bugs and patches to <config-patches@gnu.org>."
version="\
GNU config.sub ($timestamp)
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
@ -83,11 +84,11 @@ Try \`$me --help' for more information."
while test $# -gt 0 ; do
case $1 in
--time-stamp | --time* | -t )
echo "$timestamp" ; exit 0 ;;
echo "$timestamp" ; exit ;;
--version | -v )
echo "$version" ; exit 0 ;;
echo "$version" ; exit ;;
--help | --h* | -h )
echo "$usage"; exit 0 ;;
echo "$usage"; exit ;;
-- ) # Stop option processing
shift; break ;;
- ) # Use stdin as input.
@ -99,7 +100,7 @@ while test $# -gt 0 ; do
*local*)
# First pass through any local machine types.
echo $1
exit 0;;
exit ;;
* )
break ;;
@ -118,7 +119,8 @@ esac
# Here we must recognize all the valid KERNEL-OS combinations.
maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
case $maybe_os in
nto-qnx* | linux-gnu* | linux-dietlibc | kfreebsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \
kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
os=-$maybe_os
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
;;
@ -144,7 +146,7 @@ case $os in
-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-apple | -axis)
-apple | -axis | -knuth | -cray)
os=
basic_machine=$1
;;
@ -230,13 +232,14 @@ case $basic_machine in
| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
| am33_2.0 \
| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
| bfin \
| c4x | clipper \
| d10v | d30v | dlx | dsp16xx \
| fr30 | frv \
| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
| i370 | i860 | i960 | ia64 \
| ip2k | iq2000 \
| m32r | m68000 | m68k | m88k | mcore \
| m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \
| mips | mipsbe | mipseb | mipsel | mipsle \
| mips16 \
| mips64 | mips64el \
@ -261,12 +264,13 @@ case $basic_machine in
| pyramid \
| sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
| sh64 | sh64le \
| sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \
| sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \
| sparcv8 | sparcv9 | sparcv9b \
| strongarm \
| tahoe | thumb | tic4x | tic80 | tron \
| v850 | v850e \
| we32k \
| x86 | xscale | xstormy16 | xtensa \
| x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
| z8k)
basic_machine=$basic_machine-unknown
;;
@ -297,9 +301,9 @@ case $basic_machine in
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
| arm-* | armbe-* | armle-* | armeb-* | armv*-* \
| avr-* \
| bs2000-* \
| bfin-* | bs2000-* \
| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
| clipper-* | cydra-* \
| clipper-* | craynv-* | cydra-* \
| d10v-* | d30v-* | dlx-* \
| elxsi-* \
| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
@ -307,9 +311,9 @@ case $basic_machine in
| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
| i*86-* | i860-* | i960-* | ia64-* \
| ip2k-* | iq2000-* \
| m32r-* \
| m32r-* | m32rle-* \
| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
| m88110-* | m88k-* | mcore-* \
| m88110-* | m88k-* | maxq-* | mcore-* \
| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
| mips16-* \
| mips64-* | mips64el-* \
@ -325,8 +329,9 @@ case $basic_machine in
| mipsisa64sb1-* | mipsisa64sb1el-* \
| mipsisa64sr71k-* | mipsisa64sr71kel-* \
| mipstx39-* | mipstx39el-* \
| mmix-* \
| msp430-* \
| none-* | np1-* | nv1-* | ns16k-* | ns32k-* \
| none-* | np1-* | ns16k-* | ns32k-* \
| orion-* \
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
@ -334,15 +339,16 @@ case $basic_machine in
| romp-* | rs6000-* \
| sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
| sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
| sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
| sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \
| sparclite-* \
| sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
| tahoe-* | thumb-* \
| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
| tron-* \
| v850-* | v850e-* | vax-* \
| we32k-* \
| x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \
| xtensa-* \
| x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
| xstormy16-* | xtensa-* \
| ymp-* \
| z8k-*)
;;
@ -362,6 +368,9 @@ case $basic_machine in
basic_machine=a29k-amd
os=-udi
;;
abacus)
basic_machine=abacus-unknown
;;
adobe68k)
basic_machine=m68010-adobe
os=-scout
@ -379,6 +388,9 @@ case $basic_machine in
amd64)
basic_machine=x86_64-pc
;;
amd64-*)
basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
amdahl)
basic_machine=580-amdahl
os=-sysv
@ -438,12 +450,27 @@ case $basic_machine in
basic_machine=j90-cray
os=-unicos
;;
craynv)
basic_machine=craynv-cray
os=-unicosmp
;;
cr16c)
basic_machine=cr16c-unknown
os=-elf
;;
crds | unos)
basic_machine=m68k-crds
;;
crisv32 | crisv32-* | etraxfs*)
basic_machine=crisv32-axis
;;
cris | cris-* | etrax*)
basic_machine=cris-axis
;;
crx)
basic_machine=crx-unknown
os=-elf
;;
da30 | da30-*)
basic_machine=m68k-da30
;;
@ -466,6 +493,10 @@ case $basic_machine in
basic_machine=m88k-motorola
os=-sysv3
;;
djgpp)
basic_machine=i586-pc
os=-msdosdjgpp
;;
dpx20 | dpx20-*)
basic_machine=rs6000-bull
os=-bosx
@ -644,10 +675,6 @@ case $basic_machine in
mips3*)
basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
;;
mmix*)
basic_machine=mmix-knuth
os=-mmixware
;;
monitor)
basic_machine=m68k-rom68k
os=-coff
@ -728,10 +755,6 @@ case $basic_machine in
np1)
basic_machine=np1-gould
;;
nv1)
basic_machine=nv1-cray
os=-unicosmp
;;
nsr-tandem)
basic_machine=nsr-tandem
;;
@ -743,6 +766,10 @@ case $basic_machine in
basic_machine=or32-unknown
os=-coff
;;
os400)
basic_machine=powerpc-ibm
os=-os400
;;
OSE68000 | ose68000)
basic_machine=m68000-ericsson
os=-ose
@ -963,6 +990,10 @@ case $basic_machine in
tower | tower-32)
basic_machine=m68k-ncr
;;
tpf)
basic_machine=s390x-ibm
os=-tpf
;;
udi29k)
basic_machine=a29k-amd
os=-udi
@ -1006,6 +1037,10 @@ case $basic_machine in
basic_machine=hppa1.1-winbond
os=-proelf
;;
xbox)
basic_machine=i686-pc
os=-mingw32
;;
xps | xps100)
basic_machine=xps100-honeywell
;;
@ -1036,6 +1071,9 @@ case $basic_machine in
romp)
basic_machine=romp-ibm
;;
mmix)
basic_machine=mmix-knuth
;;
rs6000)
basic_machine=rs6000-ibm
;;
@ -1058,7 +1096,7 @@ case $basic_machine in
sh64)
basic_machine=sh64-unknown
;;
sparc | sparcv9 | sparcv9b)
sparc | sparcv8 | sparcv9 | sparcv9b)
basic_machine=sparc-sun
;;
cydra)
@ -1131,19 +1169,20 @@ case $os in
| -aos* \
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
| -hiux* | -386bsd* | -netbsd* | -openbsd* | -kfreebsd* | -freebsd* | -riscix* \
| -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \
| -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
| -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
| -chorusos* | -chorusrdb* \
| -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
| -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \
| -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
| -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei*)
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* | -skyos*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
@ -1182,6 +1221,9 @@ case $os in
-opened*)
os=-openedition
;;
-os400*)
os=-os400
;;
-wince*)
os=-wince
;;
@ -1203,6 +1245,9 @@ case $os in
-atheos*)
os=-atheos
;;
-syllable*)
os=-syllable
;;
-386bsd)
os=-bsd
;;
@ -1225,6 +1270,9 @@ case $os in
-sinix*)
os=-sysv4
;;
-tpf*)
os=-tpf
;;
-triton*)
os=-sysv3
;;
@ -1261,6 +1309,9 @@ case $os in
-kaos*)
os=-kaos
;;
-zvmoe)
os=-zvmoe
;;
-none)
;;
*)
@ -1341,6 +1392,9 @@ case $basic_machine in
*-ibm)
os=-aix
;;
*-knuth)
os=-mmixware
;;
*-wec)
os=-proelf
;;
@ -1473,9 +1527,15 @@ case $basic_machine in
-mvs* | -opened*)
vendor=ibm
;;
-os400*)
vendor=ibm
;;
-ptx*)
vendor=sequent
;;
-tpf*)
vendor=ibm
;;
-vxsim* | -vxworks* | -windiss*)
vendor=wrs
;;
@ -1500,7 +1560,7 @@ case $basic_machine in
esac
echo $basic_machine$os
exit 0
exit
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)

403
crypto/openssh/configure.ac
View File

@ -1,4 +1,4 @@
# $Id: configure.ac,v 1.260 2005/04/24 07:52:23 dtucker Exp $
# $Id: configure.ac,v 1.292 2005/08/31 16:59:49 tim Exp $
#
# Copyright (c) 1999-2004 Damien Miller
#
@ -14,7 +14,7 @@
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT(OpenSSH, Portable)
AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
AC_CONFIG_SRCDIR([ssh.c])
AC_CONFIG_HEADER(config.h)
@ -77,8 +77,94 @@ fi
AC_SUBST(LD)
AC_C_INLINE
AC_CHECK_DECL(LLONG_MAX, have_llong_max=1, , [#include <limits.h>])
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wno-uninitialized"
CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
GCC_VER=`$CC --version`
case $GCC_VER in
1.*) ;;
2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
2.*) ;;
*) CFLAGS="$CFLAGS -Wsign-compare" ;;
esac
if test -z "$have_llong_max"; then
# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
unset ac_cv_have_decl_LLONG_MAX
saved_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -std=gnu99"
AC_CHECK_DECL(LLONG_MAX,
[have_llong_max=1],
[CFLAGS="$saved_CFLAGS"],
[#include <limits.h>]
)
fi
fi
if test -z "$have_llong_max"; then
AC_MSG_CHECKING([for max value of long long])
AC_RUN_IFELSE(
[AC_LANG_SOURCE([[
#include <stdio.h>
/* Why is this so damn hard? */
#ifdef __GNUC__
# undef __GNUC__
#endif
#define __USE_ISOC99
#include <limits.h>
#define DATA "conftest.llminmax"
int main(void) {
FILE *f;
long long i, llmin, llmax = 0;
if((f = fopen(DATA,"w")) == NULL)
exit(1);
#if defined(LLONG_MIN) && defined(LLONG_MAX)
fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
llmin = LLONG_MIN;
llmax = LLONG_MAX;
#else
fprintf(stderr, "Calculating LLONG_MIN and LLONG_MAX\n");
/* This will work on one's complement and two's complement */
for (i = 1; i > llmax; i <<= 1, i++)
llmax = i;
llmin = llmax + 1LL; /* wrap */
#endif
/* Sanity check */
if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
|| llmax - 1 > llmax) {
fprintf(f, "unknown unknown\n");
exit(2);
}
if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
exit(3);
exit(0);
}
]])],
[
llong_min=`$AWK '{print $1}' conftest.llminmax`
llong_max=`$AWK '{print $2}' conftest.llminmax`
AC_MSG_RESULT($llong_max)
AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL],
[max value of long long calculated by configure])
AC_MSG_CHECKING([for min value of long long])
AC_MSG_RESULT($llong_min)
AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL],
[min value of long long calculated by configure])
],
[
AC_MSG_RESULT(not found)
],
[
AC_MSG_WARN([cross compiling: not checking])
]
)
fi
AC_ARG_WITH(rpath,
@ -181,26 +267,8 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE(BROKEN_SETREGID)
AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1)
;;
*-*-hpux10.26)
if test -z "$GCC"; then
CFLAGS="$CFLAGS -Ae"
fi
CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
IPADDR_IN_DISPLAY=yes
AC_DEFINE(HAVE_SECUREWARE)
AC_DEFINE(USE_PIPES)
AC_DEFINE(LOGIN_NO_ENDOPT)
AC_DEFINE(LOGIN_NEEDS_UTMPX)
AC_DEFINE(LOCKED_PASSWD_STRING, "*")
AC_DEFINE(SPT_TYPE,SPT_PSTAT)
LIBS="$LIBS -lsec -lsecpw"
AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
disable_ptmx_check=yes
;;
*-*-hpux10*)
if test -z "$GCC"; then
CFLAGS="$CFLAGS -Ae"
fi
*-*-hpux*)
# first we define all of the options common to all HP-UX releases
CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
IPADDR_IN_DISPLAY=yes
AC_DEFINE(USE_PIPES)
@ -209,23 +277,33 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
AC_DEFINE(LOCKED_PASSWD_STRING, "*")
AC_DEFINE(SPT_TYPE,SPT_PSTAT)
LIBS="$LIBS -lsec"
AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
;;
*-*-hpux11*)
CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
IPADDR_IN_DISPLAY=yes
AC_DEFINE(PAM_SUN_CODEBASE)
AC_DEFINE(USE_PIPES)
AC_DEFINE(LOGIN_NO_ENDOPT)
AC_DEFINE(LOGIN_NEEDS_UTMPX)
AC_DEFINE(DISABLE_UTMP)
AC_DEFINE(LOCKED_PASSWD_STRING, "*")
AC_DEFINE(SPT_TYPE,SPT_PSTAT)
AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
check_for_hpux_broken_getaddrinfo=1
check_for_conflicting_getspnam=1
LIBS="$LIBS -lsec"
AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
AC_CHECK_LIB(xnet, t_error, ,
AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
# next, we define all of the options specific to major releases
case "$host" in
*-*-hpux10*)
if test -z "$GCC"; then
CFLAGS="$CFLAGS -Ae"
fi
;;
*-*-hpux11*)
AC_DEFINE(PAM_SUN_CODEBASE)
AC_DEFINE(DISABLE_UTMP)
AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
check_for_hpux_broken_getaddrinfo=1
check_for_conflicting_getspnam=1
;;
esac
# lastly, we define options specific to minor releases
case "$host" in
*-*-hpux10.26)
AC_DEFINE(HAVE_SECUREWARE)
disable_ptmx_check=yes
LIBS="$LIBS -lsecpw"
;;
esac
;;
*-*-irix5*)
PATH="$PATH:/usr/etc"
@ -269,7 +347,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
esac
;;
mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE(HAVE_NEWS4)
AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty])
SONY=1
;;
*-*-netbsd*)
@ -296,6 +374,9 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE(USE_PIPES)
AC_DEFINE(BROKEN_SAVED_UIDS)
;;
*-*-openbsd*)
AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel])
;;
*-*-solaris*)
if test "x$withval" != "xno" ; then
need_dash_r=1
@ -365,11 +446,19 @@ mips-sony-bsd|mips-sony-newsos4)
;;
# UnixWare 7.x, OpenUNIX 8
*-*-sysv5*)
check_for_libcrypt_later=1
AC_DEFINE(UNIXWARE_LONG_PASSWORDS, 1, [Support passwords > 8 chars])
AC_DEFINE(USE_PIPES)
AC_DEFINE(SETEUID_BREAKS_SETUID)
AC_DEFINE(BROKEN_SETREUID)
AC_DEFINE(BROKEN_SETREGID)
AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd])
case "$host" in
*-*-sysv5SCO_SV*) # SCO OpenServer 6.x
TEST_SHELL=/u95/bin/sh
AC_DEFINE(BROKEN_LIBIAF, 1, [ia_uinfo routines not supported by OS yet])
;;
esac
;;
*-*-sysv*)
;;
@ -468,6 +557,19 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE(MISSING_HOWMANY)
AC_DEFINE(MISSING_FD_MASK)
;;
*-*-ultrix*)
AC_DEFINE(BROKEN_GETGROUPS, [], [getgroups(0,NULL) will return -1])
AC_DEFINE(BROKEN_MMAP, [], [Ultrix mmap can't map files])
AC_DEFINE(NEED_SETPRGP, [], [Need setpgrp to acquire controlling tty])
AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix])
;;
*-*-lynxos)
CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
AC_DEFINE(MISSING_HOWMANY)
AC_DEFINE(BROKEN_SETVBUF, 1, [LynxOS has broken setvbuf() implementation])
;;
esac
# Allow user to specify flags
@ -507,6 +609,17 @@ AC_ARG_WITH(libs,
fi
]
)
AC_ARG_WITH(Werror,
[ --with-Werror Build main code with -Werror],
[
if test -n "$withval" && test "x$withval" != "xno"; then
werror_flags="-Werror"
if "x${withval}" != "xyes"; then
werror_flags="$withval"
fi
fi
]
)
AC_MSG_CHECKING(compiler and flags for sanity)
AC_RUN_IFELSE(
@ -522,17 +635,67 @@ int main(){exit(0);}
[ AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
)
# Checks for header files.
AC_CHECK_HEADERS(bstring.h crypt.h dirent.h endian.h features.h \
floatingpoint.h getopt.h glob.h ia.h lastlog.h limits.h login.h \
login_cap.h maillock.h ndir.h netdb.h netgroup.h \
netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \
rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
strings.h sys/dir.h sys/strtio.h sys/audit.h sys/bitypes.h \
sys/bsdtty.h sys/cdefs.h sys/mman.h sys/ndir.h sys/prctl.h \
sys/pstat.h sys/select.h sys/stat.h sys/stream.h \
sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h sys/un.h \
time.h tmpdir.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h)
dnl Checks for header files.
AC_CHECK_HEADERS( \
bstring.h \
crypt.h \
dirent.h \
endian.h \
features.h \
floatingpoint.h \
getopt.h \
glob.h \
ia.h \
iaf.h \
lastlog.h \
limits.h \
login.h \
login_cap.h \
maillock.h \
ndir.h \
netdb.h \
netgroup.h \
netinet/in_systm.h \
pam/pam_appl.h \
paths.h \
pty.h \
readpassphrase.h \
rpc/types.h \
security/pam_appl.h \
shadow.h \
stddef.h \
stdint.h \
string.h \
strings.h \
sys/audit.h \
sys/bitypes.h \
sys/bsdtty.h \
sys/cdefs.h \
sys/dir.h \
sys/mman.h \
sys/ndir.h \
sys/prctl.h \
sys/pstat.h \
sys/select.h \
sys/stat.h \
sys/stream.h \
sys/stropts.h \
sys/strtio.h \
sys/sysmacros.h \
sys/time.h \
sys/timers.h \
sys/un.h \
time.h \
tmpdir.h \
ttyent.h \
unistd.h \
usersec.h \
util.h \
utime.h \
utmp.h \
utmpx.h \
vis.h \
)
# sys/ptms.h requires sys/stream.h to be included first on Solaris
AC_CHECK_HEADERS(sys/ptms.h, [], [], [
@ -660,8 +823,8 @@ int main()
if (a == 1 && b == 1 && c >= 4)
exit(0);
/* 1.2.1.2 and up are OK */
if (v >= 1020102)
/* 1.2.3 and up are OK */
if (v >= 1020300)
exit(0);
exit(2);
@ -675,7 +838,7 @@ Your reported zlib version has known security problems. It's possible your
vendor has fixed these problems without changing the version number. If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.1.2 or greater.
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.])
else
AC_MSG_WARN([zlib version may have security problems])
@ -876,6 +1039,21 @@ AC_ARG_WITH(libedit,
[ AC_MSG_ERROR(libedit not found) ],
[ -lcurses ]
)
AC_MSG_CHECKING(if libedit version is compatible)
AC_COMPILE_IFELSE(
[AC_LANG_SOURCE([[
#include <histedit.h>
int main(void)
{
int i = H_SETSIZE;
el_init("", NULL, NULL, NULL);
exit(0);
}
]])],
[ AC_MSG_RESULT(yes) ],
[ AC_MSG_RESULT(no)
AC_MSG_ERROR(libedit version is not compatible) ]
)
fi ]
)
@ -904,6 +1082,9 @@ AC_ARG_WITH(audit,
AC_MSG_RESULT(debug)
AC_DEFINE(SSH_AUDIT_EVENTS, [], Use audit debugging module)
;;
no)
AC_MSG_RESULT(no)
;;
*)
AC_MSG_ERROR([Unknown audit module $withval])
;;
@ -911,19 +1092,87 @@ AC_ARG_WITH(audit,
)
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS(\
arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \
bindresvport_sa clock closefrom dirfd fchdir fchmod fchown \
freeaddrinfo futimes getaddrinfo getcwd getgrouplist getnameinfo \
getopt getpeereid _getpty getrlimit getttyent glob inet_aton \
inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \
pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \
setdtablesize setegid setenv seteuid setgroups setlogin setpcred \
setproctitle setregid setreuid setrlimit \
setsid setvbuf sigaction sigvec snprintf socketpair strerror \
strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \
truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \
AC_CHECK_FUNCS( \
arc4random \
b64_ntop \
__b64_ntop \
b64_pton \
__b64_pton \
bcopy \
bindresvport_sa \
clock \
closefrom \
dirfd \
fchmod \
fchown \
freeaddrinfo \
futimes \
getaddrinfo \
getcwd \
getgrouplist \
getnameinfo \
getopt \
getpeereid \
_getpty \
getrlimit \
getttyent \
glob \
inet_aton \
inet_ntoa \
inet_ntop \
innetgr \
login_getcapbool \
md5_crypt \
memmove \
mkdtemp \
mmap \
ngetaddrinfo \
nsleep \
ogetaddrinfo \
openlog_r \
openpty \
prctl \
pstat \
readpassphrase \
realpath \
recvmsg \
rresvport_af \
sendmsg \
setdtablesize \
setegid \
setenv \
seteuid \
setgroups \
setlogin \
setpcred \
setproctitle \
setregid \
setreuid \
setrlimit \
setsid \
setvbuf \
sigaction \
sigvec \
snprintf \
socketpair \
strdup \
strerror \
strlcat \
strlcpy \
strmode \
strnvis \
strtonum \
strtoll \
strtoul \
sysconf \
tcgetpgrp \
truncate \
unsetenv \
updwtmpx \
utimes \
vhangup \
vsnprintf \
waitpid \
)
# IRIX has a const char return value for gai_strerror()
@ -944,8 +1193,15 @@ str = gai_strerror(0);],[
AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP))
dnl Make sure prototypes are defined for these before using them.
AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)])
AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)])
AC_CHECK_DECL(strsep,
[AC_CHECK_FUNCS(strsep)],
[],
[
#ifdef HAVE_STRING_H
# include <string.h>
#endif
])
dnl tcsendbreak might be a macro
AC_CHECK_DECL(tcsendbreak,
@ -1469,6 +1725,7 @@ if test "x$check_for_libcrypt_later" = "x1"; then
AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
fi
AC_CHECK_LIB(iaf, ia_openinfo)
### Configure cryptographic random number support
@ -2402,6 +2659,9 @@ int main()
AC_MSG_RESULT(no)])
])
AC_CHECK_FUNCS(_getshort _getlong)
AC_CHECK_DECLS([_getshort, _getlong], , ,
[#include <sys/types.h>
#include <arpa/nameser.h>])
AC_CHECK_MEMBER(HEADER.ad,
[AC_DEFINE(HAVE_HEADER_AD)],,
[#include <arpa/nameser.h>])
@ -2505,7 +2765,6 @@ AC_ARG_WITH(kerberos5,
LIBS="$LIBS $K5LIBS"
AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS))
AC_SEARCH_LIBS(krb5_init_ets, $K5LIBS, AC_DEFINE(KRB5_INIT_ETS))
]
)
@ -3144,6 +3403,10 @@ if test "$ac_cv_lib_pam_pam_set_item" = yes ; then
LIBS=`echo $LIBS | sed 's/-ldl //'`
fi
dnl Adding -Werror to CFLAGS early prevents configure tests from running.
dnl Add now.
CFLAGS="$CFLAGS $werror_flags"
AC_EXEEXT
AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openbsd-compat/Makefile \
scard/Makefile ssh_prng_cmds survey.sh])

51
crypto/openssh/defines.h
View File

@ -25,7 +25,7 @@
#ifndef _DEFINES_H
#define _DEFINES_H
/* $Id: defines.h,v 1.119 2005/02/20 10:01:49 dtucker Exp $ */
/* $Id: defines.h,v 1.127 2005/08/31 16:59:49 tim Exp $ */
/* Constants */
@ -54,10 +54,24 @@ enum
# ifdef PATH_MAX
# define MAXPATHLEN PATH_MAX
# else /* PATH_MAX */
# define MAXPATHLEN 64 /* Should be safe */
# define MAXPATHLEN 64
/* realpath uses a fixed buffer of size MAXPATHLEN, so force use of ours */
# ifndef BROKEN_REALPATH
# define BROKEN_REALPATH 1
# endif /* BROKEN_REALPATH */
# endif /* PATH_MAX */
#endif /* MAXPATHLEN */
#ifndef PATH_MAX
# ifdef _POSIX_PATH_MAX
# define PATH_MAX _POSIX_PATH_MAX
# endif
#endif
#ifndef MAXSYMLINKS
# define MAXSYMLINKS 5
#endif
#ifndef STDIN_FILENO
# define STDIN_FILENO 0
#endif
@ -432,6 +446,10 @@ struct winsize {
# define __dead __attribute__((noreturn))
#endif
#if !defined(HAVE_ATTRIBUTE__SENTINEL__) && !defined(__sentinel__)
# define __sentinel__
#endif
/* *-*-nto-qnx doesn't define this macro in the system headers */
#ifdef MISSING_HOWMANY
# define howmany(x,y) (((x)+((y)-1))/(y))
@ -567,6 +585,23 @@ struct winsize {
# define SSH_SYSFDMAX 10000
#endif
#if defined(__Lynx__)
/*
* LynxOS defines these in param.h which we do not want to include since
* it will also pull in a bunch of kernel definitions.
*/
# define ALIGNBYTES (sizeof(int) - 1)
# define ALIGN(p) (((unsigned)p + ALIGNBYTES) & ~ALIGNBYTES)
/* Missing prototypes on LynxOS */
int snprintf (char *, size_t, const char *, ...);
int mkstemp (char *);
char *crypt (const char *, const char *);
int seteuid (uid_t);
int setegid (gid_t);
char *mkdtemp (char *);
int rresvport_af (int *, sa_family_t);
int innetgr (const char *, const char *, const char *, const char *);
#endif
/*
* Define this to use pipes instead of socketpairs for communicating with the
@ -653,6 +688,10 @@ struct winsize {
# define CUSTOM_SYS_AUTH_PASSWD 1
#endif
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
# define CUSTOM_SYS_AUTH_PASSWD 1
#endif
/* HP-UX 11.11 */
#ifdef BTMP_FILE
# define _PATH_BTMP BTMP_FILE
@ -664,4 +703,12 @@ struct winsize {
/** end of login recorder definitions */
#ifdef BROKEN_GETGROUPS
# define getgroups(a,b) ((a)==0 && (b)==NULL ? NGROUPS_MAX : getgroups((a),(b)))
#endif
#if defined(HAVE_MMAP) && defined(BROKEN_MMAP)
# undef HAVE_MMAP
#endif
#endif /* _DEFINES_H */

33
crypto/openssh/dns.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dns.c,v 1.10 2004/06/21 17:36:31 avsm Exp $ */
/* $OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@ -43,7 +43,7 @@
#include "uuencode.h"
extern char *__progname;
RCSID("$OpenBSD: dns.c,v 1.10 2004/06/21 17:36:31 avsm Exp $");
RCSID("$OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $");
#ifndef LWRES
static const char *errset_text[] = {
@ -142,6 +142,26 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
return success;
}
/*
* Check if hostname is numerical.
* Returns -1 if hostname is numeric, 0 otherwise
*/
static int
is_numeric_hostname(const char *hostname)
{
struct addrinfo hints, *ai;
memset(&hints, 0, sizeof(hints));
hints.ai_socktype = SOCK_DGRAM;
hints.ai_flags = AI_NUMERICHOST;
if (getaddrinfo(hostname, "0", &hints, &ai) == 0) {
freeaddrinfo(ai);
return -1;
}
return 0;
}
/*
* Verify the given hostname, address and host key using DNS.
@ -151,7 +171,7 @@ int
verify_host_key_dns(const char *hostname, struct sockaddr *address,
const Key *hostkey, int *flags)
{
int counter;
u_int counter;
int result;
struct rrsetinfo *fingerprints = NULL;
@ -171,6 +191,11 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
if (hostkey == NULL)
fatal("No key to look up!");
if (is_numeric_hostname(hostname)) {
debug("skipped DNS lookup for numerical hostname");
return -1;
}
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
DNS_RDATATYPE_SSHFP, 0, &fingerprints);
if (result) {
@ -249,7 +274,7 @@ export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic)
u_char *rdata_digest;
u_int rdata_digest_len;
int i;
u_int i;
int success = 0;
if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,

6
crypto/openssh/entropy.c
View File

@ -45,7 +45,7 @@
* XXX: we should tell the child how many bytes we need.
*/
RCSID("$Id: entropy.c,v 1.48 2003/11/21 12:56:47 djm Exp $");
RCSID("$Id: entropy.c,v 1.49 2005/07/17 07:26:44 djm Exp $");
#ifndef OPENSSL_PRNG_ONLY
#define RANDOM_SEED_SIZE 48
@ -114,8 +114,8 @@ seed_rng(void)
close(p[0]);
if (waitpid(pid, &ret, 0) == -1)
fatal("Couldn't wait for ssh-rand-helper completion: %s",
strerror(errno));
fatal("Couldn't wait for ssh-rand-helper completion: %s",
strerror(errno));
signal(SIGCHLD, old_sigchld);
/* We don't mind if the child exits upon a SIGPIPE */

6
crypto/openssh/gss-genr.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: gss-genr.c,v 1.3 2003/11/21 11:57:03 djm Exp $ */
/* $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -78,8 +78,8 @@ ssh_gssapi_error(Gssctxt *ctxt)
}
char *
ssh_gssapi_last_error(Gssctxt *ctxt,
OM_uint32 *major_status, OM_uint32 *minor_status)
ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
OM_uint32 *minor_status)
{
OM_uint32 lmin;
gss_buffer_desc msg = GSS_C_EMPTY_BUFFER;

35
crypto/openssh/gss-serv-krb5.c
View File

@ -65,9 +65,6 @@ ssh_gssapi_krb5_init(void)
logit("Cannot initialize krb5 context");
return 0;
}
#ifdef KRB5_INIT_ETS
krb5_init_ets(krb_context);
#endif
return 1;
}
@ -131,34 +128,10 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
return;
}
#else
{
int tmpfd;
char ccname[40];
mode_t old_umask;
snprintf(ccname, sizeof(ccname),
"FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
umask(old_umask);
if (tmpfd == -1) {
logit("mkstemp(): %.100s", strerror(errno));
problem = errno;
return;
}
if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
logit("fchmod(): %.100s", strerror(errno));
close(tmpfd);
problem = errno;
return;
}
close(tmpfd);
if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
logit("krb5_cc_resolve(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
logit("ssh_krb5_cc_gen(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
#endif /* #ifdef HEIMDAL */

21
crypto/openssh/gss-serv.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: gss-serv.c,v 1.5 2003/11/17 11:06:07 markus Exp $ */
/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -134,7 +134,7 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
static OM_uint32
ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
{
char *tok;
u_char *tok;
OM_uint32 offset;
OM_uint32 oidl;
@ -164,7 +164,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
*/
if (tok[4] != 0x06 || tok[5] != oidl ||
ename->length < oidl+6 ||
!ssh_gssapi_check_oid(ctx,tok+6,oidl))
!ssh_gssapi_check_oid(ctx,tok+6,oidl))
return GSS_S_FAILURE;
offset = oidl+6;
@ -267,7 +267,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
debug("Setting %s to %s", gssapi_client.store.envvar,
gssapi_client.store.envval);
child_set_env(envp, envsizep, gssapi_client.store.envvar,
gssapi_client.store.envval);
gssapi_client.store.envval);
}
}
@ -275,13 +275,24 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
int
ssh_gssapi_userok(char *user)
{
OM_uint32 lmin;
if (gssapi_client.exportedname.length == 0 ||
gssapi_client.exportedname.value == NULL) {
debug("No suitable client data");
return 0;
}
if (gssapi_client.mech && gssapi_client.mech->userok)
return ((*gssapi_client.mech->userok)(&gssapi_client, user));
if ((*gssapi_client.mech->userok)(&gssapi_client, user))
return 1;
else {
/* Destroy delegated credentials if userok fails */
gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname);
gss_release_cred(&lmin, &gssapi_client.creds);
memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
return 0;
}
else
debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
return (0);

4
crypto/openssh/hostfile.c
View File

@ -36,7 +36,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: hostfile.c,v 1.34 2005/03/10 22:01:05 deraadt Exp $");
RCSID("$OpenBSD: hostfile.c,v 1.35 2005/07/27 10:39:03 dtucker Exp $");
#include <resolv.h>
#include <openssl/hmac.h>
@ -315,7 +315,7 @@ add_host_to_hostfile(const char *filename, const char *host, const Key *key,
{
FILE *f;
int success = 0;
char *hashed_host;
char *hashed_host = NULL;
if (key == NULL)
return 1; /* XXX ? */

13
crypto/openssh/includes.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: includes.h,v 1.18 2004/06/13 15:03:02 djm Exp $ */
/* $OpenBSD: includes.h,v 1.19 2005/05/19 02:42:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -17,10 +17,11 @@
#define INCLUDES_H
#define RCSID(msg) \
static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
#include "config.h"
#include <stdarg.h>
#include <stdio.h>
#include <ctype.h>
#include <errno.h>
@ -168,6 +169,10 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
# include <ia.h>
#endif
#ifdef HAVE_IAF_H
# include <iaf.h>
#endif
#ifdef HAVE_TMPDIR_H
# include <tmpdir.h>
#endif
@ -181,6 +186,10 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
# include <kafs.h>
#endif
#if defined(HAVE_SYS_SYSLOG_H)
# include <sys/syslog.h>
#endif
/*
* On HP-UX 11.11, shadow.h and prot.h provide conflicting declarations
* of getspnam when _INCLUDE__STDC__ is defined, so we unset it here.

43
crypto/openssh/kex.c
View File

@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: kex.c,v 1.60 2004/06/21 17:36:31 avsm Exp $");
RCSID("$OpenBSD: kex.c,v 1.64 2005/07/25 11:59:39 markus Exp $");
#include <openssl/crypto.h>
@ -52,7 +52,7 @@ static void kex_choose_conf(Kex *);
static void
kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
{
int i;
u_int i;
buffer_clear(b);
/*
@ -101,7 +101,7 @@ kex_buf2prop(Buffer *raw, int *first_kex_follows)
static void
kex_prop_free(char **proposal)
{
int i;
u_int i;
for (i = 0; i < PROPOSAL_MAX; i++)
xfree(proposal[i]);
@ -150,7 +150,7 @@ kex_send_kexinit(Kex *kex)
{
u_int32_t rnd = 0;
u_char *cookie;
int i;
u_int i;
if (kex == NULL) {
error("kex_send_kexinit: no kex, cannot rekey");
@ -183,8 +183,7 @@ void
kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
{
char *ptr;
int dlen;
int i;
u_int i, dlen;
Kex *kex = (Kex *)ctxt;
debug("SSH2_MSG_KEXINIT received");
@ -276,10 +275,12 @@ choose_comp(Comp *comp, char *client, char *server)
char *name = match_list(client, server, NULL);
if (name == NULL)
fatal("no matching comp found: client %s server %s", client, server);
if (strcmp(name, "zlib") == 0) {
comp->type = 1;
if (strcmp(name, "zlib@openssh.com") == 0) {
comp->type = COMP_DELAYED;
} else if (strcmp(name, "zlib") == 0) {
comp->type = COMP_ZLIB;
} else if (strcmp(name, "none") == 0) {
comp->type = 0;
comp->type = COMP_NONE;
} else {
fatal("unsupported comp %s", name);
}
@ -343,9 +344,7 @@ kex_choose_conf(Kex *kex)
char **my, **peer;
char **cprop, **sprop;
int nenc, nmac, ncomp;
int mode;
int ctos; /* direction: if true client-to-server */
int need;
u_int mode, ctos, need;
int first_kex_follows, type;
my = kex_buf2prop(&kex->my, NULL);
@ -395,7 +394,7 @@ kex_choose_conf(Kex *kex)
/* ignore the next message if the proposals do not match */
if (first_kex_follows && !proposals_match(my, peer) &&
!(datafellows & SSH_BUG_FIRSTKEX)) {
!(datafellows & SSH_BUG_FIRSTKEX)) {
type = packet_read();
debug2("skipping next packet (type %u)", type);
}
@ -405,15 +404,19 @@ kex_choose_conf(Kex *kex)
}
static u_char *
derive_key(Kex *kex, int id, int need, u_char *hash, BIGNUM *shared_secret)
derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret)
{
Buffer b;
const EVP_MD *evp_md = EVP_sha1();
EVP_MD_CTX md;
char c = id;
int have;
u_int have;
int mdsz = EVP_MD_size(evp_md);
u_char *digest = xmalloc(roundup(need, mdsz));
u_char *digest;
if (mdsz < 0)
fatal("derive_key: mdsz < 0");
digest = xmalloc(roundup(need, mdsz));
buffer_init(&b);
buffer_put_bignum2(&b, shared_secret);
@ -455,7 +458,7 @@ void
kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret)
{
u_char *keys[NKEYS];
int i, mode, ctos;
u_int i, mode, ctos;
for (i = 0; i < NKEYS; i++)
keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret);
@ -493,13 +496,13 @@ derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
EVP_DigestInit(&md, evp_md);
len = BN_num_bytes(host_modulus);
if (len < (512 / 8) || len > sizeof(nbuf))
if (len < (512 / 8) || (u_int)len > sizeof(nbuf))
fatal("%s: bad host modulus (len %d)", __func__, len);
BN_bn2bin(host_modulus, nbuf);
EVP_DigestUpdate(&md, nbuf, len);
len = BN_num_bytes(server_modulus);
if (len < (512 / 8) || len > sizeof(nbuf))
if (len < (512 / 8) || (u_int)len > sizeof(nbuf))
fatal("%s: bad server modulus (len %d)", __func__, len);
BN_bn2bin(server_modulus, nbuf);
EVP_DigestUpdate(&md, nbuf, len);
@ -518,7 +521,7 @@ derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
void
dump_digest(char *msg, u_char *digest, int len)
{
int i;
u_int i;
fprintf(stderr, "%s\n", msg);
for (i = 0; i< len; i++) {

12
crypto/openssh/kex.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kex.h,v 1.35 2004/06/13 12:53:24 djm Exp $ */
/* $OpenBSD: kex.h,v 1.37 2005/07/25 11:59:39 markus Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -35,6 +35,10 @@
#define KEX_DH14 "diffie-hellman-group14-sha1"
#define KEX_DHGEX "diffie-hellman-group-exchange-sha1"
#define COMP_NONE 0
#define COMP_ZLIB 1
#define COMP_DELAYED 2
enum kex_init_proposals {
PROPOSAL_KEX_ALGS,
PROPOSAL_SERVER_HOST_KEY_ALGS,
@ -83,9 +87,9 @@ struct Mac {
char *name;
int enabled;
const EVP_MD *md;
int mac_len;
u_int mac_len;
u_char *key;
int key_len;
u_int key_len;
};
struct Comp {
int type;
@ -101,7 +105,7 @@ struct Kex {
u_char *session_id;
u_int session_id_len;
Newkeys *newkeys[MODE_MAX];
int we_need;
u_int we_need;
int server;
char *name;
int hostkey_type;

4
crypto/openssh/key.c
View File

@ -32,7 +32,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$OpenBSD: key.c,v 1.57 2004/10/29 23:57:05 djm Exp $");
RCSID("$OpenBSD: key.c,v 1.58 2005/06/17 02:44:32 djm Exp $");
#include <openssl/evp.h>
@ -231,7 +231,7 @@ static char *
key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
{
char *retval;
int i;
u_int i;
retval = xmalloc(dgst_raw_len * 3 + 1);
retval[0] = '\0';

39
crypto/openssh/loginrec.c
View File

@ -165,7 +165,7 @@
# include <libutil.h>
#endif
RCSID("$Id: loginrec.c,v 1.67 2005/02/15 11:19:28 dtucker Exp $");
RCSID("$Id: loginrec.c,v 1.70 2005/07/17 07:26:44 djm Exp $");
/**
** prototypes for helper functions in this file
@ -362,7 +362,7 @@ login_init_entry(struct logininfo *li, int pid, const char *username,
strlcpy(li->username, username, sizeof(li->username));
pw = getpwnam(li->username);
if (pw == NULL) {
fatal("%s: Cannot find user \"%s\"", __func__,
fatal("%s: Cannot find user \"%s\"", __func__,
li->username);
}
li->uid = pw->pw_uid;
@ -374,7 +374,7 @@ login_init_entry(struct logininfo *li, int pid, const char *username,
return (1);
}
/*
/*
* login_set_current_time(struct logininfo *) - set the current time
*
* Set the current time in a logininfo structure. This function is
@ -443,8 +443,9 @@ login_write(struct logininfo *li)
wtmpx_write_entry(li);
#endif
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
if (li->type == LTYPE_LOGIN &&
!sys_auth_record_login(li->username,li->hostname,li->line, &loginmsg))
if (li->type == LTYPE_LOGIN &&
!sys_auth_record_login(li->username,li->hostname,li->line,
&loginmsg))
logit("Writing login record failed for %s", li->username);
#endif
#ifdef SSH_AUDIT_EVENTS
@ -534,7 +535,7 @@ getlast_entry(struct logininfo *li)
* sure dst has enough space, if not just copy src (ugh)
*/
char *
line_fullname(char *dst, const char *src, int dstsize)
line_fullname(char *dst, const char *src, u_int dstsize)
{
memset(dst, '\0', dstsize);
if ((strncmp(src, "/dev/", 5) == 0) || (dstsize < (strlen(src) + 5)))
@ -558,7 +559,7 @@ line_stripname(char *dst, const char *src, int dstsize)
return (dst);
}
/*
/*
* line_abbrevname(): Return the abbreviated (usually four-character)
* form of the line (Just use the last <dstsize> characters of the
* full name.)
@ -808,7 +809,7 @@ utmp_write_library(struct logininfo *li, struct utmp *ut)
}
# else /* UTMP_USE_LIBRARY */
/*
/*
* Write a utmp entry direct to the file
* This is a slightly modification of code in OpenBSD's login.c
*/
@ -852,7 +853,7 @@ utmp_write_direct(struct logininfo *li, struct utmp *ut)
return (0);
}
if (ret != pos) {
logit("%s: Couldn't seek to tty %d slot in %s",
logit("%s: Couldn't seek to tty %d slot in %s",
__func__, tty, UTMP_FILE);
return (0);
}
@ -1052,7 +1053,7 @@ utmpx_write_entry(struct logininfo *li)
#ifdef USE_WTMP
/*
/*
* Write a wtmp entry direct to the end of the file
* This is a slight modification of code in OpenBSD's logwtmp.c
*/
@ -1113,7 +1114,7 @@ wtmp_write_entry(struct logininfo *li)
}
/*
/*
* Notes on fetching login data from wtmp/wtmpx
*
* Logouts are usually recorded with (amongst other things) a blank
@ -1157,12 +1158,12 @@ wtmp_get_entry(struct logininfo *li)
li->tv_sec = li->tv_usec = 0;
if ((fd = open(WTMP_FILE, O_RDONLY)) < 0) {
logit("%s: problem opening %s: %s", __func__,
logit("%s: problem opening %s: %s", __func__,
WTMP_FILE, strerror(errno));
return (0);
}
if (fstat(fd, &st) != 0) {
logit("%s: couldn't stat %s: %s", __func__,
logit("%s: couldn't stat %s: %s", __func__,
WTMP_FILE, strerror(errno));
close(fd);
return (0);
@ -1177,7 +1178,7 @@ wtmp_get_entry(struct logininfo *li)
while (!found) {
if (atomicio(read, fd, &ut, sizeof(ut)) != sizeof(ut)) {
logit("%s: read of %s failed: %s", __func__,
logit("%s: read of %s failed: %s", __func__,
WTMP_FILE, strerror(errno));
close (fd);
return (0);
@ -1235,7 +1236,7 @@ wtmpx_write(struct logininfo *li, struct utmpx *utx)
int fd, ret = 1;
if ((fd = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0)) < 0) {
logit("%s: problem opening %s: %s", __func__,
logit("%s: problem opening %s: %s", __func__,
WTMPX_FILE, strerror(errno));
return (0);
}
@ -1322,12 +1323,12 @@ wtmpx_get_entry(struct logininfo *li)
li->tv_sec = li->tv_usec = 0;
if ((fd = open(WTMPX_FILE, O_RDONLY)) < 0) {
logit("%s: problem opening %s: %s", __func__,
logit("%s: problem opening %s: %s", __func__,
WTMPX_FILE, strerror(errno));
return (0);
}
if (fstat(fd, &st) != 0) {
logit("%s: couldn't stat %s: %s", __func__,
logit("%s: couldn't stat %s: %s", __func__,
WTMPX_FILE, strerror(errno));
close(fd);
return (0);
@ -1342,13 +1343,13 @@ wtmpx_get_entry(struct logininfo *li)
while (!found) {
if (atomicio(read, fd, &utx, sizeof(utx)) != sizeof(utx)) {
logit("%s: read of %s failed: %s", __func__,
logit("%s: read of %s failed: %s", __func__,
WTMPX_FILE, strerror(errno));
close (fd);
return (0);
}
/*
* Logouts are recorded as a blank username on a particular
* Logouts are recorded as a blank username on a particular
* line. So, we just need to find the username in struct utmpx
*/
if (wtmpx_islogin(li, &utx)) {

4
crypto/openssh/loginrec.h
View File

@ -35,7 +35,7 @@
#include <netinet/in.h>
#include <sys/socket.h>
/* RCSID("$Id: loginrec.h,v 1.9 2005/02/02 06:10:11 dtucker Exp $"); */
/* RCSID("$Id: loginrec.h,v 1.10 2005/06/19 00:19:44 djm Exp $"); */
/**
** you should use the login_* calls to work around platform dependencies
@ -128,7 +128,7 @@ struct logininfo *login_get_lastlog(struct logininfo *li, const int uid);
unsigned int login_get_lastlog_time(const int uid);
/* produce various forms of the line filename */
char *line_fullname(char *dst, const char *src, int dstsize);
char *line_fullname(char *dst, const char *src, u_int dstsize);
char *line_stripname(char *dst, const char *src, int dstsize);
char *line_abbrevname(char *dst, const char *src, int dstsize);

11
crypto/openssh/mac.c
View File

@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: mac.c,v 1.6 2003/09/18 13:02:21 miod Exp $");
RCSID("$OpenBSD: mac.c,v 1.7 2005/06/17 02:44:32 djm Exp $");
#include <openssl/hmac.h>
@ -51,12 +51,15 @@ struct {
int
mac_init(Mac *mac, char *name)
{
int i;
int i, evp_len;
for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) {
if (mac != NULL) {
mac->md = (*macs[i].mdfunc)();
mac->key_len = mac->mac_len = EVP_MD_size(mac->md);
if ((evp_len = EVP_MD_size(mac->md)) <= 0)
fatal("mac %s len %d", name, evp_len);
mac->key_len = mac->mac_len = (u_int)evp_len;
if (macs[i].truncatebits != 0)
mac->mac_len = macs[i].truncatebits/8;
}
@ -77,7 +80,7 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
if (mac->key == NULL)
fatal("mac_compute: no key");
if ((u_int)mac->mac_len > sizeof(m))
if (mac->mac_len > sizeof(m))
fatal("mac_compute: mac too long");
HMAC_Init(&c, mac->key, mac->key_len, mac->md);
PUT_32BIT(b, seqno);

4
crypto/openssh/match.c
View File

@ -35,7 +35,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: match.c,v 1.19 2002/03/01 13:12:10 markus Exp $");
RCSID("$OpenBSD: match.c,v 1.20 2005/06/17 02:44:32 djm Exp $");
#include "match.h"
#include "xmalloc.h"
@ -254,7 +254,7 @@ match_list(const char *client, const char *server, u_int *next)
ret = xstrdup(p);
if (next != NULL)
*next = (cp == NULL) ?
strlen(c) : cp - c;
strlen(c) : (u_int)(cp - c);
xfree(c);
xfree(s);
return ret;

3
crypto/openssh/mdoc2man.awk
View File

@ -140,6 +140,9 @@ function add(str) {
} else if(match(words[w],"^Dt$")) {
id=wtail()
next
} else if(match(words[w],"^Ox$")) {
add("OpenBSD")
skip=1
} else if(match(words[w],"^Os$")) {
add(".TH " id " \"" date "\" \"" wtail() "\"")
} else if(match(words[w],"^Sh$")) {

128
crypto/openssh/misc.c
View File

@ -1,5 +1,6 @@
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -23,7 +24,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: misc.c,v 1.29 2005/03/10 22:01:05 deraadt Exp $");
RCSID("$OpenBSD: misc.c,v 1.34 2005/07/08 09:26:18 dtucker Exp $");
#include "misc.h"
#include "log.h"
@ -375,6 +376,114 @@ addargs(arglist *args, char *fmt, ...)
args->list[args->num] = NULL;
}
/*
* Expands tildes in the file name. Returns data allocated by xmalloc.
* Warning: this calls getpw*.
*/
char *
tilde_expand_filename(const char *filename, uid_t uid)
{
const char *path;
char user[128], ret[MAXPATHLEN];
struct passwd *pw;
u_int len, slash;
if (*filename != '~')
return (xstrdup(filename));
filename++;
path = strchr(filename, '/');
if (path != NULL && path > filename) { /* ~user/path */
slash = path - filename;
if (slash > sizeof(user) - 1)
fatal("tilde_expand_filename: ~username too long");
memcpy(user, filename, slash);
user[slash] = '\0';
if ((pw = getpwnam(user)) == NULL)
fatal("tilde_expand_filename: No such user %s", user);
} else if ((pw = getpwuid(uid)) == NULL) /* ~/path */
fatal("tilde_expand_filename: No such uid %d", uid);
if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
fatal("tilde_expand_filename: Path too long");
/* Make sure directory has a trailing '/' */
len = strlen(pw->pw_dir);
if ((len == 0 || pw->pw_dir[len - 1] != '/') &&
strlcat(ret, "/", sizeof(ret)) >= sizeof(ret))
fatal("tilde_expand_filename: Path too long");
/* Skip leading '/' from specified path */
if (path != NULL)
filename = path + 1;
if (strlcat(ret, filename, sizeof(ret)) >= sizeof(ret))
fatal("tilde_expand_filename: Path too long");
return (xstrdup(ret));
}
/*
* Expand a string with a set of %[char] escapes. A number of escapes may be
* specified as (char *escape_chars, char *replacement) pairs. The list must
* be terminated by a NULL escape_char. Returns replaced string in memory
* allocated by xmalloc.
*/
char *
percent_expand(const char *string, ...)
{
#define EXPAND_MAX_KEYS 16
struct {
const char *key;
const char *repl;
} keys[EXPAND_MAX_KEYS];
u_int num_keys, i, j;
char buf[4096];
va_list ap;
/* Gather keys */
va_start(ap, string);
for (num_keys = 0; num_keys < EXPAND_MAX_KEYS; num_keys++) {
keys[num_keys].key = va_arg(ap, char *);
if (keys[num_keys].key == NULL)
break;
keys[num_keys].repl = va_arg(ap, char *);
if (keys[num_keys].repl == NULL)
fatal("percent_expand: NULL replacement");
}
va_end(ap);
if (num_keys >= EXPAND_MAX_KEYS)
fatal("percent_expand: too many keys");
/* Expand string */
*buf = '\0';
for (i = 0; *string != '\0'; string++) {
if (*string != '%') {
append:
buf[i++] = *string;
if (i >= sizeof(buf))
fatal("percent_expand: string too long");
buf[i] = '\0';
continue;
}
string++;
if (*string == '%')
goto append;
for (j = 0; j < num_keys; j++) {
if (strchr(keys[j].key, *string) != NULL) {
i = strlcat(buf, keys[j].repl, sizeof(buf));
if (i >= sizeof(buf))
fatal("percent_expand: string too long");
break;
}
}
if (j >= num_keys)
fatal("percent_expand: unknown key %%%c", *string);
}
return (xstrdup(buf));
#undef EXPAND_MAX_KEYS
}
/*
* Read an entire line from a public key file into a static buffer, discarding
* lines that exceed the buffer size. Returns 0 on success, -1 on failure.
@ -397,3 +506,20 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
}
return -1;
}
char *
tohex(const u_char *d, u_int l)
{
char b[3], *r;
u_int i, hl;
hl = l * 2 + 1;
r = xmalloc(hl);
*r = '\0';
for (i = 0; i < l; i++) {
snprintf(b, sizeof(b), "%02x", d[i]);
strlcat(r, b, hl);
}
return (r);
}

9
crypto/openssh/misc.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: misc.h,v 1.21 2005/03/01 10:09:52 djm Exp $ */
/* $OpenBSD: misc.h,v 1.25 2005/07/14 04:00:43 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -24,6 +24,9 @@ char *hpdelim(char **);
char *cleanhostname(char *);
char *colon(char *);
long convtime(const char *);
char *tilde_expand_filename(const char *, uid_t);
char *percent_expand(const char *, ...) __attribute__((__sentinel__));
char *tohex(const u_char *, u_int);
struct passwd *pwcopy(struct passwd *);
@ -35,10 +38,6 @@ struct arglist {
};
void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3)));
/* tildexpand.c */
char *tilde_expand_filename(const char *, uid_t);
/* readpass.c */
#define RP_ECHO 0x0001

33
crypto/openssh/moduli.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: moduli.c,v 1.10 2005/01/17 03:25:46 dtucker Exp $ */
/* $OpenBSD: moduli.c,v 1.12 2005/07/17 07:17:55 djm Exp $ */
/*
* Copyright 1994 Phil Karn <karn@qualcomm.com>
* Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
@ -112,22 +112,22 @@
#define TINY_NUMBER (1UL<<16)
/* Ensure enough bit space for testing 2*q. */
#define TEST_MAXIMUM (1UL<<16)
#define TEST_MINIMUM (QSIZE_MINIMUM + 1)
/* real TEST_MINIMUM (1UL << (SHIFT_WORD - TEST_POWER)) */
#define TEST_POWER (3) /* 2**n, n < SHIFT_WORD */
#define TEST_MAXIMUM (1UL<<16)
#define TEST_MINIMUM (QSIZE_MINIMUM + 1)
/* real TEST_MINIMUM (1UL << (SHIFT_WORD - TEST_POWER)) */
#define TEST_POWER (3) /* 2**n, n < SHIFT_WORD */
/* bit operations on 32-bit words */
#define BIT_CLEAR(a,n) ((a)[(n)>>SHIFT_WORD] &= ~(1L << ((n) & 31)))
#define BIT_SET(a,n) ((a)[(n)>>SHIFT_WORD] |= (1L << ((n) & 31)))
#define BIT_TEST(a,n) ((a)[(n)>>SHIFT_WORD] & (1L << ((n) & 31)))
#define BIT_CLEAR(a,n) ((a)[(n)>>SHIFT_WORD] &= ~(1L << ((n) & 31)))
#define BIT_SET(a,n) ((a)[(n)>>SHIFT_WORD] |= (1L << ((n) & 31)))
#define BIT_TEST(a,n) ((a)[(n)>>SHIFT_WORD] & (1L << ((n) & 31)))
/*
* Prime testing defines
*/
/* Minimum number of primality tests to perform */
#define TRIAL_MINIMUM (4)
#define TRIAL_MINIMUM (4)
/*
* Sieving data (XXX - move to struct)
@ -144,7 +144,7 @@ static u_int32_t *LargeSieve, largewords, largetries, largenumbers;
static u_int32_t largebits, largememory; /* megabytes */
static BIGNUM *largebase;
int gen_candidates(FILE *, int, int, BIGNUM *);
int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
/*
@ -241,19 +241,20 @@ sieve_large(u_int32_t s)
* The list is checked against small known primes (less than 2**30).
*/
int
gen_candidates(FILE *out, int memory, int power, BIGNUM *start)
gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
{
BIGNUM *q;
u_int32_t j, r, s, t;
u_int32_t smallwords = TINY_NUMBER >> 6;
u_int32_t tinywords = TINY_NUMBER >> 6;
time_t time_start, time_stop;
int i, ret = 0;
u_int32_t i;
int ret = 0;
largememory = memory;
if (memory != 0 &&
(memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) {
(memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) {
error("Invalid memory amount (min %ld, max %ld)",
LARGE_MINIMUM, LARGE_MAXIMUM);
return (-1);
@ -371,8 +372,8 @@ gen_candidates(FILE *out, int memory, int power, BIGNUM *start)
* fencepost errors, the last pass is skipped.
*/
for (smallbase = TINY_NUMBER + 3;
smallbase < (SMALL_MAXIMUM - TINY_NUMBER);
smallbase += TINY_NUMBER) {
smallbase < (SMALL_MAXIMUM - TINY_NUMBER);
smallbase += TINY_NUMBER) {
for (i = 0; i < tinybits; i++) {
if (BIT_TEST(TinySieve, i))
continue; /* 2*i+3 is composite */
@ -548,7 +549,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
* due to earlier inconsistencies in interpretation, check
* the proposed bit size.
*/
if (BN_num_bits(p) != (in_size + 1)) {
if ((u_int32_t)BN_num_bits(p) != (in_size + 1)) {
debug2("%10u: bit size %u mismatch", count_in, in_size);
continue;
}

8
crypto/openssh/monitor.c
View File

@ -869,8 +869,8 @@ int
mm_answer_pam_query(int sock, Buffer *m)
{
char *name, *info, **prompts;
u_int num, *echo_on;
int i, ret;
u_int i, num, *echo_on;
int ret;
debug3("%s", __func__);
sshpam_authok = NULL;
@ -903,8 +903,8 @@ int
mm_answer_pam_respond(int sock, Buffer *m)
{
char **resp;
u_int num;
int i, ret;
u_int i, num;
int ret;
debug3("%s", __func__);
sshpam_authok = NULL;

25
crypto/openssh/monitor_wrap.c
View File

@ -25,7 +25,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: monitor_wrap.c,v 1.39 2004/07/17 05:31:41 dtucker Exp $");
RCSID("$OpenBSD: monitor_wrap.c,v 1.40 2005/05/24 17:32:43 avsm Exp $");
#include <openssl/bn.h>
#include <openssl/dh.h>
@ -95,9 +95,9 @@ mm_request_send(int sock, enum monitor_reqtype type, Buffer *m)
PUT_32BIT(buf, mlen + 1);
buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */
if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf))
fatal("%s: write", __func__);
fatal("%s: write: %s", __func__, strerror(errno));
if (atomicio(vwrite, sock, buffer_ptr(m), mlen) != mlen)
fatal("%s: write", __func__);
fatal("%s: write: %s", __func__, strerror(errno));
}
void
@ -105,24 +105,21 @@ mm_request_receive(int sock, Buffer *m)
{
u_char buf[4];
u_int msg_len;
ssize_t res;
debug3("%s entering", __func__);
res = atomicio(read, sock, buf, sizeof(buf));
if (res != sizeof(buf)) {
if (res == 0)
if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
if (errno == EPIPE)
cleanup_exit(255);
fatal("%s: read: %ld", __func__, (long)res);
fatal("%s: read: %s", __func__, strerror(errno));
}
msg_len = GET_32BIT(buf);
if (msg_len > 256 * 1024)
fatal("%s: read: bad msg_len %d", __func__, msg_len);
buffer_clear(m);
buffer_append_space(m, msg_len);
res = atomicio(read, sock, buffer_ptr(m), msg_len);
if (res != msg_len)
fatal("%s: read: %ld != msg_len", __func__, (long)res);
if (atomicio(read, sock, buffer_ptr(m), msg_len) != msg_len)
fatal("%s: read: %s", __func__, strerror(errno));
}
void
@ -767,7 +764,8 @@ mm_sshpam_query(void *ctx, char **name, char **info,
u_int *num, char ***prompts, u_int **echo_on)
{
Buffer m;
int i, ret;
u_int i;
int ret;
debug3("%s", __func__);
buffer_init(&m);
@ -793,7 +791,8 @@ int
mm_sshpam_respond(void *ctx, u_int num, char **resp)
{
Buffer m;
int i, ret;
u_int i;
int ret;
debug3("%s", __func__);
buffer_init(&m);

15
crypto/openssh/msg.c
View File

@ -22,7 +22,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$OpenBSD: msg.c,v 1.7 2003/11/17 09:45:39 djm Exp $");
RCSID("$OpenBSD: msg.c,v 1.8 2005/05/24 17:32:43 avsm Exp $");
#include "buffer.h"
#include "getput.h"
@ -55,15 +55,13 @@ int
ssh_msg_recv(int fd, Buffer *m)
{
u_char buf[4];
ssize_t res;
u_int msg_len;
debug3("ssh_msg_recv entering");
res = atomicio(read, fd, buf, sizeof(buf));
if (res != sizeof(buf)) {
if (res != 0)
error("ssh_msg_recv: read: header %ld", (long)res);
if (atomicio(read, fd, buf, sizeof(buf)) != sizeof(buf)) {
if (errno != EPIPE)
error("ssh_msg_recv: read: header");
return (-1);
}
msg_len = GET_32BIT(buf);
@ -73,9 +71,8 @@ ssh_msg_recv(int fd, Buffer *m)
}
buffer_clear(m);
buffer_append_space(m, msg_len);
res = atomicio(read, fd, buffer_ptr(m), msg_len);
if (res != msg_len) {
error("ssh_msg_recv: read: %ld != msg_len", (long)res);
if (atomicio(read, fd, buffer_ptr(m), msg_len) != msg_len) {
error("ssh_msg_recv: read: %s", strerror(errno));
return (-1);
}
return (0);

7
crypto/openssh/myproposal.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: myproposal.h,v 1.16 2004/06/13 12:53:24 djm Exp $ */
/* $OpenBSD: myproposal.h,v 1.18 2005/07/25 11:59:39 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -28,14 +28,15 @@
"diffie-hellman-group1-sha1"
#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"
#define KEX_DEFAULT_ENCRYPT \
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
"arcfour128,arcfour256,arcfour," \
"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
"aes128-ctr,aes192-ctr,aes256-ctr"
#define KEX_DEFAULT_MAC \
"hmac-md5,hmac-sha1,hmac-ripemd160," \
"hmac-ripemd160@openssh.com," \
"hmac-sha1-96,hmac-md5-96"
#define KEX_DEFAULT_COMP "none,zlib"
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
#define KEX_DEFAULT_LANG ""

8
crypto/openssh/openbsd-compat/Makefile.in
View File

@ -1,4 +1,4 @@
# $Id: Makefile.in,v 1.31 2004/08/15 08:41:00 djm Exp $
# $Id: Makefile.in,v 1.35 2005/08/26 20:15:20 tim Exp $
sysconfdir=@sysconfdir@
piddir=@piddir@
@ -16,11 +16,11 @@ RANLIB=@RANLIB@
INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtoul.o vis.o
OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o xmmap.o xcrypt.o
COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
PORTS=port-irix.o port-aix.o
PORTS=port-irix.o port-aix.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<

2
crypto/openssh/openbsd-compat/bsd-cygwin_util.c
View File

@ -29,7 +29,7 @@
#include "includes.h"
RCSID("$Id: bsd-cygwin_util.c,v 1.13.4.1 2005/05/25 09:42:40 dtucker Exp $");
RCSID("$Id: bsd-cygwin_util.c,v 1.14 2005/05/25 09:42:11 dtucker Exp $");
#ifdef HAVE_CYGWIN

20
crypto/openssh/openbsd-compat/bsd-misc.c
View File

@ -18,7 +18,7 @@
#include "includes.h"
#include "xmalloc.h"
RCSID("$Id: bsd-misc.c,v 1.26 2005/02/25 23:07:38 dtucker Exp $");
RCSID("$Id: bsd-misc.c,v 1.27 2005/05/27 11:13:41 dtucker Exp $");
#ifndef HAVE___PROGNAME
char *__progname;
@ -212,3 +212,21 @@ mysignal(int sig, mysig_t act)
return (signal(sig, act));
#endif
}
#ifndef HAVE_STRDUP
char *
strdup(const char *str)
{
size_t len;
char *cp;
len = strlen(str) + 1;
cp = malloc(len);
if (cp != NULL)
if (strlcpy(cp, str, len) != len) {
free(cp);
return NULL;
}
return cp;
}
#endif

16
crypto/openssh/openbsd-compat/fake-rfc2553.h
View File

@ -1,4 +1,4 @@
/* $Id: fake-rfc2553.h,v 1.10 2005/02/11 07:32:13 dtucker Exp $ */
/* $Id: fake-rfc2553.h,v 1.12 2005/08/03 05:36:21 dtucker Exp $ */
/*
* Copyright (C) 2000-2003 Damien Miller. All rights reserved.
@ -114,10 +114,16 @@ struct sockaddr_in6 {
#endif /* !NI_MAXHOST */
#ifndef EAI_NODATA
# define EAI_NODATA 1
# define EAI_MEMORY 2
# define EAI_NONAME 3
# define EAI_SYSTEM 4
# define EAI_NODATA (INT_MAX - 1)
#endif
#ifndef EAI_MEMORY
# define EAI_MEMORY (INT_MAX - 2)
#endif
#ifndef EAI_NONAME
# define EAI_NONAME (INT_MAX - 3)
#endif
#ifndef EAI_SYSTEM
# define EAI_SYSTEM (INT_MAX - 4)
#endif
#ifndef HAVE_STRUCT_ADDRINFO

4
crypto/openssh/openbsd-compat/getrrsetbyname.c
View File

@ -144,6 +144,8 @@ _getshort(msgp)
GETSHORT(u, msgp);
return (u);
}
#elif defined(HAVE_DECL__GETSHORT) && (HAVE_DECL__GETSHORT == 0)
u_int16_t _getshort(register const u_char *);
#endif
#ifndef HAVE__GETLONG
@ -156,6 +158,8 @@ _getlong(msgp)
GETLONG(u, msgp);
return (u);
}
#elif defined(HAVE_DECL__GETLONG) && (HAVE_DECL__GETLONG == 0)
u_int32_t _getlong(register const u_char *);
#endif
int

7
crypto/openssh/openbsd-compat/openbsd-compat.h
View File

@ -1,4 +1,4 @@
/* $Id: openbsd-compat.h,v 1.26 2004/08/15 08:41:00 djm Exp $ */
/* $Id: openbsd-compat.h,v 1.30 2005/08/26 20:15:20 tim Exp $ */
/*
* Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@ -152,6 +152,10 @@ int openpty(int *, int *, char *, struct termios *, struct winsize *);
int snprintf(char *, size_t, const char *, ...);
#endif
#ifndef HAVE_STRTONUM
long long strtonum(const char *, long long, long long, const char **);
#endif
#ifndef HAVE_VSNPRINTF
int vsnprintf(char *, size_t, const char *, va_list);
#endif
@ -169,5 +173,6 @@ char *shadow_pw(struct passwd *pw);
#include "bsd-cygwin_util.h"
#include "port-irix.h"
#include "port-aix.h"
#include "port-uw.h"
#endif /* _OPENBSD_COMPAT_H */

46
crypto/openssh/openbsd-compat/openssl-compat.c Normal file
View File

@ -0,0 +1,46 @@
/* $Id: openssl-compat.c,v 1.2 2005/06/17 11:15:21 dtucker Exp $ */
/*
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
* IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#define SSH_DONT_REDEF_EVP
#include "openssl-compat.h"
#ifdef SSH_OLD_EVP
int
ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type,
unsigned char *key, unsigned char *iv, int enc)
{
EVP_CipherInit(evp, type, key, iv, enc);
return 1;
}
int
ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len)
{
EVP_Cipher(evp, dst, src, len);
return 1;
}
int
ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
{
EVP_CIPHER_CTX_cleanup(evp);
return 1;
}
#endif

65
crypto/openssh/openbsd-compat/openssl-compat.h Normal file
View File

@ -0,0 +1,65 @@
/* $Id: openssl-compat.h,v 1.1 2005/06/09 11:45:11 dtucker Exp $ */
/*
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
* IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#include <openssl/evp.h>
#if OPENSSL_VERSION_NUMBER < 0x00906000L
# define SSH_OLD_EVP
# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
#endif
#if OPENSSL_VERSION_NUMBER < 0x00907000L
# define EVP_aes_128_cbc evp_rijndael
# define EVP_aes_192_cbc evp_rijndael
# define EVP_aes_256_cbc evp_rijndael
extern const EVP_CIPHER *evp_rijndael(void);
extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
#endif
#if !defined(EVP_CTRL_SET_ACSS_MODE)
# if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
# define USE_CIPHER_ACSS 1
extern const EVP_CIPHER *evp_acss(void);
# define EVP_acss evp_acss
# else
# define EVP_acss NULL
# endif
#endif
/*
* insert comment here
*/
#ifdef SSH_OLD_EVP
# ifndef SSH_DONT_REDEF_EVP
# ifdef EVP_Cipher
# undef EVP_Cipher
# endif
# define EVP_CipherInit(a,b,c,d,e) ssh_EVP_CipherInit((a),(b),(c),(d),(e))
# define EVP_Cipher(a,b,c,d) ssh_EVP_Cipher((a),(b),(c),(d))
# define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a))
# endif
int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
unsigned char *, int);
int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
#endif

16
crypto/openssh/openbsd-compat/port-aix.c
View File

@ -1,7 +1,7 @@
/*
*
* Copyright (c) 2001 Gert Doering. All rights reserved.
* Copyright (c) 2003,2004 Darren Tucker. All rights reserved.
* Copyright (c) 2003,2004,2005 Darren Tucker. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -42,14 +42,12 @@ static char old_registry[REGISTRY_SIZE] = "";
# endif
/*
* AIX has a "usrinfo" area where logname and other stuff is stored -
* AIX has a "usrinfo" area where logname and other stuff is stored -
* a few applications actually use this and die if it's not set
*
* NOTE: TTY= should be set, but since no one uses it and it's hard to
* acquire due to privsep code. We will just drop support.
*/
void
aix_usrinfo(struct passwd *pw)
{
@ -60,7 +58,7 @@ aix_usrinfo(struct passwd *pw)
len = sizeof("LOGNAME= NAME= ") + (2 * strlen(pw->pw_name));
cp = xmalloc(len);
i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0',
i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0',
pw->pw_name, '\0');
if (usrinfo(SETUINFO, cp, i) == -1)
fatal("Couldn't set usrinfo: %s", strerror(errno));
@ -153,14 +151,14 @@ aix_valid_authentications(const char *user)
int
sys_auth_passwd(Authctxt *ctxt, const char *password)
{
char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name;
char *authmsg = NULL, *msg = NULL, *name = ctxt->pw->pw_name;
int authsuccess = 0, expired, reenter, result;
do {
result = authenticate((char *)name, (char *)password, &reenter,
&authmsg);
aix_remove_embedded_newlines(authmsg);
debug3("AIX/authenticate result %d, msg %.100s", result,
debug3("AIX/authenticate result %d, authmsg %.100s", result,
authmsg);
} while (reenter);
@ -170,7 +168,7 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
if (result == 0) {
authsuccess = 1;
/*
/*
* Record successful login. We don't have a pty yet, so just
* label the line as "ssh"
*/
@ -257,7 +255,7 @@ int
sys_auth_record_login(const char *user, const char *host, const char *ttynm,
Buffer *loginmsg)
{
char *msg;
char *msg = NULL;
int success = 0;
aix_setauthdb(user);

15
crypto/openssh/openbsd-compat/port-aix.h
View File

@ -1,8 +1,9 @@
/* $Id: port-aix.h,v 1.25 2005/03/21 11:46:34 dtucker Exp $ */
/* $Id: port-aix.h,v 1.26 2005/05/28 10:28:40 dtucker Exp $ */
/*
*
* Copyright (c) 2001 Gert Doering. All rights reserved.
* Copyright (c) 2004, 2005 Darren Tucker. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -47,23 +48,23 @@
/* These should be in the system headers but are not. */
int usrinfo(int, char *, int);
#if (HAVE_DECL_SETAUTHDB == 0)
#if defined(HAVE_DECL_SETAUTHDB) && (HAVE_DECL_SETAUTHDB == 0)
int setauthdb(const char *, char *);
#endif
/* these may or may not be in the headers depending on the version */
#if (HAVE_DECL_AUTHENTICATE == 0)
#if defined(HAVE_DECL_AUTHENTICATE) && (HAVE_DECL_AUTHENTICATE == 0)
int authenticate(char *, char *, int *, char **);
#endif
#if (HAVE_DECL_LOGINFAILED == 0)
#if defined(HAVE_DECL_LOGINFAILED) && (HAVE_DECL_LOGINFAILED == 0)
int loginfailed(char *, char *, char *);
#endif
#if (HAVE_DECL_LOGINRESTRICTIONS == 0)
#if defined(HAVE_DECL_LOGINRESTRICTIONS) && (HAVE_DECL_LOGINRESTRICTIONS == 0)
int loginrestrictions(char *, int, char *, char **);
#endif
#if (HAVE_DECL_LOGINSUCCESS == 0)
#if defined(HAVE_DECL_LOGINSUCCESS) && (HAVE_DECL_LOGINSUCCESS == 0)
int loginsuccess(char *, char *, char *, char **);
#endif
#if (HAVE_DECL_PASSWDEXPIRED == 0)
#if defined(HAVE_DECL_PASSWDEXPIRED) && (HAVE_DECL_PASSWDEXPIRED == 0)
int passwdexpired(char *, char **);
#endif

134
crypto/openssh/openbsd-compat/port-uw.c Normal file
View File

@ -0,0 +1,134 @@
/*
* Copyright (c) 2005 The SCO Group. All rights reserved.
* Copyright (c) 2005 Tim Rice. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
#ifdef HAVE_CRYPT_H
#include <crypt.h>
#endif
#include "packet.h"
#include "buffer.h"
#include "log.h"
#include "servconf.h"
#include "auth.h"
#include "auth-options.h"
int nischeck(char *);
int
sys_auth_passwd(Authctxt *authctxt, const char *password)
{
struct passwd *pw = authctxt->pw;
char *encrypted_password;
char *salt;
int result;
/* Just use the supplied fake password if authctxt is invalid */
char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
/* Check for users with no password. */
if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
return (1);
/* Encrypt the candidate password using the proper salt. */
salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx";
#ifdef UNIXWARE_LONG_PASSWORDS
if (!nischeck(pw->pw_name))
encrypted_password = bigcrypt(password, salt);
else
#endif /* UNIXWARE_LONG_PASSWORDS */
encrypted_password = xcrypt(password, salt);
/*
* Authentication is accepted if the encrypted passwords
* are identical.
*/
result = (strcmp(encrypted_password, pw_password) == 0);
if (authctxt->valid)
free(pw_password);
return(result);
}
#ifdef UNIXWARE_LONG_PASSWORDS
int
nischeck(char *namep)
{
char password_file[] = "/etc/passwd";
FILE *fd;
struct passwd *ent = NULL;
if ((fd = fopen (password_file, "r")) == NULL) {
/*
* If the passwd file has dissapeared we are in a bad state.
* However, returning 0 will send us back through the
* authentication scheme that has checked the ia database for
* passwords earlier.
*/
return(0);
}
/*
* fgetpwent() only reads from password file, so we know for certain
* that the user is local.
*/
while (ent = fgetpwent(fd)) {
if (strcmp (ent->pw_name, namep) == 0) {
/* Local user */
fclose (fd);
return(0);
}
}
fclose (fd);
return (1);
}
#endif /* UNIXWARE_LONG_PASSWORDS */
/*
NOTE: ia_get_logpwd() allocates memory for arg 2
functions that call shadow_pw() will need to free
*/
char *
get_iaf_password(struct passwd *pw)
{
char *pw_password = NULL;
uinfo_t uinfo;
if (!ia_openinfo(pw->pw_name,&uinfo)) {
ia_get_logpwd(uinfo, &pw_password);
if (pw_password == NULL)
fatal("ia_get_logpwd: Unable to get the shadow passwd");
ia_closeinfo(uinfo);
return pw_password;
}
else
fatal("ia_openinfo: Unable to open the shadow passwd file");
}
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */

30
crypto/openssh/openbsd-compat/port-uw.h Normal file
View File

@ -0,0 +1,30 @@
/*
* Copyright (c) 2005 Tim Rice. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
char * get_iaf_password(struct passwd *pw);
#endif

268
crypto/openssh/openbsd-compat/realpath.c
View File

@ -1,11 +1,7 @@
/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */
/*
* Copyright (c) 1994
* The Regents of the University of California. All rights reserved.
*
* This code is derived from software contributed to Berkeley by
* Jan-Simon Pendry.
* Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -15,14 +11,14 @@
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
* 3. The names of the authors may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@ -36,169 +32,165 @@
#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
#if defined(LIBC_SCCS) && !defined(lint)
static char *rcsid = "$OpenBSD: realpath.c,v 1.11 2004/11/30 15:12:59 millert Exp $";
#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/*
* MAXSYMLINKS
*/
#ifndef MAXSYMLINKS
#define MAXSYMLINKS 5
#endif
/*
* char *realpath(const char *path, char resolved_path[MAXPATHLEN]);
* char *realpath(const char *path, char resolved[PATH_MAX]);
*
* Find the real name of path, by removing all ".", ".." and symlink
* components. Returns (resolved) on success, or (NULL) on failure,
* in which case the path which caused trouble is left in (resolved).
*/
char *
realpath(const char *path, char *resolved)
realpath(const char *path, char resolved[PATH_MAX])
{
struct stat sb;
int fd, n, needslash, serrno;
char *p, *q, wbuf[MAXPATHLEN];
int symlinks = 0;
char *p, *q, *s;
size_t left_len, resolved_len;
unsigned symlinks;
int serrno, slen;
char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
/* Save the starting point. */
#ifndef HAVE_FCHDIR
char start[MAXPATHLEN];
/* this is potentially racy but without fchdir we have no option */
if (getcwd(start, sizeof(start)) == NULL) {
resolved[0] = '.';
serrno = errno;
symlinks = 0;
if (path[0] == '/') {
resolved[0] = '/';
resolved[1] = '\0';
return (NULL);
}
#endif
if ((fd = open(".", O_RDONLY)) < 0) {
resolved[0] = '.';
resolved[1] = '\0';
return (NULL);
}
/* Convert "." -> "" to optimize away a needless lstat() and chdir() */
if (path[0] == '.' && path[1] == '\0')
path = "";
/*
* Find the dirname and basename from the path to be resolved.
* Change directory to the dirname component.
* lstat the basename part.
* if it is a symlink, read in the value and loop.
* if it is a directory, then change to that directory.
* get the current directory name and append the basename.
*/
if (strlcpy(resolved, path, MAXPATHLEN) >= MAXPATHLEN) {
serrno = ENAMETOOLONG;
goto err2;
}
loop:
q = strrchr(resolved, '/');
if (q != NULL) {
p = q + 1;
if (q == resolved)
q = "/";
else {
do {
--q;
} while (q > resolved && *q == '/');
q[1] = '\0';
q = resolved;
}
if (chdir(q) < 0)
goto err1;
} else
p = resolved;
/* Deal with the last component. */
if (*p != '\0' && lstat(p, &sb) == 0) {
if (S_ISLNK(sb.st_mode)) {
if (++symlinks > MAXSYMLINKS) {
errno = ELOOP;
goto err1;
}
if ((n = readlink(p, resolved, MAXPATHLEN-1)) < 0)
goto err1;
resolved[n] = '\0';
goto loop;
}
if (S_ISDIR(sb.st_mode)) {
if (chdir(p) < 0)
goto err1;
p = "";
if (path[1] == '\0')
return (resolved);
resolved_len = 1;
left_len = strlcpy(left, path + 1, sizeof(left));
} else {
if (getcwd(resolved, PATH_MAX) == NULL) {
strlcpy(resolved, ".", PATH_MAX);
return (NULL);
}
resolved_len = strlen(resolved);
left_len = strlcpy(left, path, sizeof(left));
}
/*
* Save the last component name and get the full pathname of
* the current directory.
*/
if (strlcpy(wbuf, p, sizeof(wbuf)) >= sizeof(wbuf)) {
if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
errno = ENAMETOOLONG;
goto err1;
return (NULL);
}
if (getcwd(resolved, MAXPATHLEN) == NULL)
goto err1;
/*
* Join the two strings together, ensuring that the right thing
* happens if the last component is empty, or the dirname is root.
* Iterate over path components in `left'.
*/
if (resolved[0] == '/' && resolved[1] == '\0')
needslash = 0;
else
needslash = 1;
if (*wbuf) {
if (strlen(resolved) + strlen(wbuf) + needslash >= MAXPATHLEN) {
while (left_len != 0) {
/*
* Extract the next path component and adjust `left'
* and its length.
*/
p = strchr(left, '/');
s = p ? p : left + left_len;
if (s - left >= sizeof(next_token)) {
errno = ENAMETOOLONG;
goto err1;
return (NULL);
}
if (needslash) {
if (strlcat(resolved, "/", MAXPATHLEN) >= MAXPATHLEN) {
memcpy(next_token, left, s - left);
next_token[s - left] = '\0';
left_len -= s - left;
if (p != NULL)
memmove(left, s + 1, left_len + 1);
if (resolved[resolved_len - 1] != '/') {
if (resolved_len + 1 >= PATH_MAX) {
errno = ENAMETOOLONG;
goto err1;
return (NULL);
}
resolved[resolved_len++] = '/';
resolved[resolved_len] = '\0';
}
if (strlcat(resolved, wbuf, MAXPATHLEN) >= MAXPATHLEN) {
if (next_token[0] == '\0')
continue;
else if (strcmp(next_token, ".") == 0)
continue;
else if (strcmp(next_token, "..") == 0) {
/*
* Strip the last path component except when we have
* single "/"
*/
if (resolved_len > 1) {
resolved[resolved_len - 1] = '\0';
q = strrchr(resolved, '/') + 1;
*q = '\0';
resolved_len = q - resolved;
}
continue;
}
/*
* Append the next path component and lstat() it. If
* lstat() fails we still can return successfully if
* there are no more path components left.
*/
resolved_len = strlcat(resolved, next_token, PATH_MAX);
if (resolved_len >= PATH_MAX) {
errno = ENAMETOOLONG;
goto err1;
return (NULL);
}
if (lstat(resolved, &sb) != 0) {
if (errno == ENOENT && p == NULL) {
errno = serrno;
return (resolved);
}
return (NULL);
}
if (S_ISLNK(sb.st_mode)) {
if (symlinks++ > MAXSYMLINKS) {
errno = ELOOP;
return (NULL);
}
slen = readlink(resolved, symlink, sizeof(symlink) - 1);
if (slen < 0)
return (NULL);
symlink[slen] = '\0';
if (symlink[0] == '/') {
resolved[1] = 0;
resolved_len = 1;
} else if (resolved_len > 1) {
/* Strip the last path component. */
resolved[resolved_len - 1] = '\0';
q = strrchr(resolved, '/') + 1;
*q = '\0';
resolved_len = q - resolved;
}
/*
* If there are any path components left, then
* append them to symlink. The result is placed
* in `left'.
*/
if (p != NULL) {
if (symlink[slen - 1] != '/') {
if (slen + 1 >= sizeof(symlink)) {
errno = ENAMETOOLONG;
return (NULL);
}
symlink[slen] = '/';
symlink[slen + 1] = 0;
}
left_len = strlcat(symlink, left, sizeof(left));
if (left_len >= sizeof(left)) {
errno = ENAMETOOLONG;
return (NULL);
}
}
left_len = strlcpy(left, symlink, sizeof(left));
}
}
/* Go back to where we came from. */
#ifdef HAVE_FCHDIR
if (fchdir(fd) < 0) {
#else
if (chdir(start) < 0) {
#endif
serrno = errno;
goto err2;
}
/* It's okay if the close fails, what's an fd more or less? */
(void)close(fd);
/*
* Remove trailing slash except when the resolved pathname
* is a single "/".
*/
if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
resolved[resolved_len - 1] = '\0';
return (resolved);
err1: serrno = errno;
#ifdef HAVE_FCHDIR
(void)fchdir(fd);
#else
chdir(start);
#endif
err2: (void)close(fd);
errno = serrno;
return (NULL);
}
#endif /* !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) */

151
crypto/openssh/openbsd-compat/strtoll.c Normal file
View File

@ -0,0 +1,151 @@
/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */
/*-
* Copyright (c) 1992 The Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "includes.h"
#ifndef HAVE_STRTOLL
#if defined(LIBC_SCCS) && !defined(lint)
static const char rcsid[] = "$OpenBSD: strtoll.c,v 1.4 2005/03/30 18:51:49 pat Exp $";
#endif /* LIBC_SCCS and not lint */
#include <sys/types.h>
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
/*
* Convert a string to a long long.
*
* Ignores `locale' stuff. Assumes that the upper and lower case
* alphabets and digits are each contiguous.
*/
long long
strtoll(const char *nptr, char **endptr, int base)
{
const char *s;
long long acc, cutoff;
int c;
int neg, any, cutlim;
/*
* Skip white space and pick up leading +/- sign if any.
* If base is 0, allow 0x for hex and 0 for octal, else
* assume decimal; if base is already 16, allow 0x.
*/
s = nptr;
do {
c = (unsigned char) *s++;
} while (isspace(c));
if (c == '-') {
neg = 1;
c = *s++;
} else {
neg = 0;
if (c == '+')
c = *s++;
}
if ((base == 0 || base == 16) &&
c == '0' && (*s == 'x' || *s == 'X')) {
c = s[1];
s += 2;
base = 16;
}
if (base == 0)
base = c == '0' ? 8 : 10;
/*
* Compute the cutoff value between legal numbers and illegal
* numbers. That is the largest legal value, divided by the
* base. An input number that is greater than this value, if
* followed by a legal input character, is too big. One that
* is equal to this value may be valid or not; the limit
* between valid and invalid numbers is then based on the last
* digit. For instance, if the range for long longs is
* [-9223372036854775808..9223372036854775807] and the input base
* is 10, cutoff will be set to 922337203685477580 and cutlim to
* either 7 (neg==0) or 8 (neg==1), meaning that if we have
* accumulated a value > 922337203685477580, or equal but the
* next digit is > 7 (or 8), the number is too big, and we will
* return a range error.
*
* Set any if any `digits' consumed; make it negative to indicate
* overflow.
*/
cutoff = neg ? LLONG_MIN : LLONG_MAX;
cutlim = cutoff % base;
cutoff /= base;
if (neg) {
if (cutlim > 0) {
cutlim -= base;
cutoff += 1;
}
cutlim = -cutlim;
}
for (acc = 0, any = 0;; c = (unsigned char) *s++) {
if (isdigit(c))
c -= '0';
else if (isalpha(c))
c -= isupper(c) ? 'A' - 10 : 'a' - 10;
else
break;
if (c >= base)
break;
if (any < 0)
continue;
if (neg) {
if (acc < cutoff || (acc == cutoff && c > cutlim)) {
any = -1;
acc = LLONG_MIN;
errno = ERANGE;
} else {
any = 1;
acc *= base;
acc -= c;
}
} else {
if (acc > cutoff || (acc == cutoff && c > cutlim)) {
any = -1;
acc = LLONG_MAX;
errno = ERANGE;
} else {
any = 1;
acc *= base;
acc += c;
}
}
}
if (endptr != 0)
*endptr = (char *) (any ? s - 1 : nptr);
return (acc);
}
#endif /* HAVE_STRTOLL */

69
crypto/openssh/openbsd-compat/strtonum.c Normal file
View File

@ -0,0 +1,69 @@
/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
/* $OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $ */
/*
* Copyright (c) 2004 Ted Unangst and Todd Miller
* All rights reserved.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#ifndef HAVE_STRTONUM
#include <limits.h>
#define INVALID 1
#define TOOSMALL 2
#define TOOLARGE 3
long long
strtonum(const char *numstr, long long minval, long long maxval,
const char **errstrp)
{
long long ll = 0;
char *ep;
int error = 0;
struct errval {
const char *errstr;
int err;
} ev[4] = {
{ NULL, 0 },
{ "invalid", EINVAL },
{ "too small", ERANGE },
{ "too large", ERANGE },
};
ev[0].err = errno;
errno = 0;
if (minval > maxval)
error = INVALID;
else {
ll = strtoll(numstr, &ep, 10);
if (numstr == ep || *ep != '\0')
error = INVALID;
else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
error = TOOSMALL;
else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
error = TOOLARGE;
}
if (errstrp != NULL)
*errstrp = ev[error].errstr;
errno = ev[error].err;
if (error)
ll = 0;
return (ll);
}
#endif /* HAVE_STRTONUM */

5
crypto/openssh/openbsd-compat/xcrypt.c
View File

@ -93,6 +93,11 @@ shadow_pw(struct passwd *pw)
if (spw != NULL)
pw_password = spw->sp_pwdp;
# endif
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
return(get_iaf_password(pw));
#endif
# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
struct passwd_adjunct *spw;
if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)

63
crypto/openssh/packet.c
View File

@ -37,7 +37,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: packet.c,v 1.116 2004/10/20 11:48:53 markus Exp $");
RCSID("$OpenBSD: packet.c,v 1.119 2005/07/28 17:36:22 markus Exp $");
#include "openbsd-compat/sys-queue.h"
@ -116,6 +116,12 @@ static int initialized = 0;
/* Set to true if the connection is interactive. */
static int interactive_mode = 0;
/* Set to true if we are the server side. */
static int server_side = 0;
/* Set to true if we are authenticated. */
static int after_authentication = 0;
/* Session key information for Encryption and MAC */
Newkeys *newkeys[MODE_MAX];
static struct packet_state {
@ -624,7 +630,9 @@ set_newkeys(int mode)
/* Deleting the keys does not gain extra security */
/* memset(enc->iv, 0, enc->block_size);
memset(enc->key, 0, enc->key_len); */
if (comp->type != 0 && comp->enabled == 0) {
if ((comp->type == COMP_ZLIB ||
(comp->type == COMP_DELAYED && after_authentication)) &&
comp->enabled == 0) {
packet_init_compression();
if (mode == MODE_OUT)
buffer_compress_init_send(6);
@ -644,6 +652,35 @@ set_newkeys(int mode)
*max_blocks = MIN(*max_blocks, rekey_limit / enc->block_size);
}
/*
* Delayed compression for SSH2 is enabled after authentication:
* This happans on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
* and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received.
*/
static void
packet_enable_delayed_compress(void)
{
Comp *comp = NULL;
int mode;
/*
* Remember that we are past the authentication step, so rekeying
* with COMP_DELAYED will turn on compression immediately.
*/
after_authentication = 1;
for (mode = 0; mode < MODE_MAX; mode++) {
comp = &newkeys[mode]->comp;
if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
packet_init_compression();
if (mode == MODE_OUT)
buffer_compress_init_send(6);
else
buffer_compress_init_recv();
comp->enabled = 1;
}
}
}
/*
* Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
*/
@ -757,6 +794,8 @@ packet_send2_wrapped(void)
if (type == SSH2_MSG_NEWKEYS)
set_newkeys(MODE_OUT);
else if (type == SSH2_MSG_USERAUTH_SUCCESS && server_side)
packet_enable_delayed_compress();
}
static void
@ -992,7 +1031,7 @@ packet_read_poll2(u_int32_t *seqnr_p)
static u_int packet_length = 0;
u_int padlen, need;
u_char *macbuf, *cp, type;
int maclen, block_size;
u_int maclen, block_size;
Enc *enc = NULL;
Mac *mac = NULL;
Comp *comp = NULL;
@ -1099,6 +1138,8 @@ packet_read_poll2(u_int32_t *seqnr_p)
packet_disconnect("Invalid ssh2 packet type: %d", type);
if (type == SSH2_MSG_NEWKEYS)
set_newkeys(MODE_IN);
else if (type == SSH2_MSG_USERAUTH_SUCCESS && !server_side)
packet_enable_delayed_compress();
#ifdef PACKET_DEBUG
fprintf(stderr, "read/plain[%d]:\r\n", type);
buffer_dump(&incoming_packet);
@ -1229,9 +1270,9 @@ packet_get_bignum2(BIGNUM * value)
}
void *
packet_get_raw(int *length_ptr)
packet_get_raw(u_int *length_ptr)
{
int bytes = buffer_len(&incoming_packet);
u_int bytes = buffer_len(&incoming_packet);
if (length_ptr != NULL)
*length_ptr = bytes;
@ -1524,3 +1565,15 @@ packet_set_rekey_limit(u_int32_t bytes)
{
rekey_limit = bytes;
}
void
packet_set_server(void)
{
server_side = 1;
}
void
packet_set_authenticated(void)
{
after_authentication = 1;
}

6
crypto/openssh/packet.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: packet.h,v 1.41 2004/05/11 19:01:43 deraadt Exp $ */
/* $OpenBSD: packet.h,v 1.43 2005/07/25 11:59:40 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -30,6 +30,8 @@ u_int packet_get_protocol_flags(void);
void packet_start_compression(int);
void packet_set_interactive(int);
int packet_is_interactive(void);
void packet_set_server(void);
void packet_set_authenticated(void);
void packet_start(u_char);
void packet_put_char(int ch);
@ -52,7 +54,7 @@ u_int packet_get_char(void);
u_int packet_get_int(void);
void packet_get_bignum(BIGNUM * value);
void packet_get_bignum2(BIGNUM * value);
void *packet_get_raw(int *length_ptr);
void *packet_get_raw(u_int *length_ptr);
void *packet_get_string(u_int *length_ptr);
void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));

49
crypto/openssh/progressmeter.c
View File

@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: progressmeter.c,v 1.22 2004/07/11 17:48:47 deraadt Exp $");
RCSID("$OpenBSD: progressmeter.c,v 1.24 2005/06/07 13:25:23 jaredy Exp $");
#include "progressmeter.h"
#include "atomicio.h"
@ -42,6 +42,10 @@ static int can_output(void);
static void format_size(char *, int, off_t);
static void format_rate(char *, int, off_t);
/* window resizing */
static void sig_winch(int);
static void setscreensize(void);
/* updates the progressmeter to reflect the current state of the transfer */
void refresh_progress_meter(void);
@ -57,6 +61,7 @@ static volatile off_t *counter; /* progress counter */
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
static int win_size; /* terminal window size */
static volatile sig_atomic_t win_resized; /* for window resizing */
/* units for format_size */
static const char unit[] = " KMGT";
@ -147,6 +152,8 @@ refresh_progress_meter(void)
len = snprintf(buf, file_len + 1, "\r%s", file);
if (len < 0)
len = 0;
if (len >= file_len + 1)
len = file_len;
for (i = len; i < file_len; i++ )
buf[i] = ' ';
buf[file_len] = '\0';
@ -215,6 +222,10 @@ update_progress_meter(int ignore)
save_errno = errno;
if (win_resized) {
setscreensize();
win_resized = 0;
}
if (can_output())
refresh_progress_meter();
@ -226,8 +237,6 @@ update_progress_meter(int ignore)
void
start_progress_meter(char *f, off_t filesize, off_t *ctr)
{
struct winsize winsize;
start = last_update = time(NULL);
file = f;
end_pos = filesize;
@ -236,20 +245,12 @@ start_progress_meter(char *f, off_t filesize, off_t *ctr)
stalled = 0;
bytes_per_second = 0;
if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &winsize) != -1 &&
winsize.ws_col != 0) {
if (winsize.ws_col > MAX_WINSIZE)
win_size = MAX_WINSIZE;
else
win_size = winsize.ws_col;
} else
win_size = DEFAULT_WINSIZE;
win_size += 1; /* trailing \0 */
setscreensize();
if (can_output())
refresh_progress_meter();
signal(SIGALRM, update_progress_meter);
signal(SIGWINCH, sig_winch);
alarm(UPDATE_INTERVAL);
}
@ -267,3 +268,25 @@ stop_progress_meter(void)
atomicio(vwrite, STDOUT_FILENO, "\n", 1);
}
static void
sig_winch(int sig)
{
win_resized = 1;
}
static void
setscreensize(void)
{
struct winsize winsize;
if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &winsize) != -1 &&
winsize.ws_col != 0) {
if (winsize.ws_col > MAX_WINSIZE)
win_size = MAX_WINSIZE;
else
win_size = winsize.ws_col;
} else
win_size = DEFAULT_WINSIZE;
win_size += 1; /* trailing \0 */
}

31
crypto/openssh/readconf.c
View File

@ -12,7 +12,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: readconf.c,v 1.139 2005/03/10 22:01:05 deraadt Exp $");
RCSID("$OpenBSD: readconf.c,v 1.143 2005/07/30 02:03:47 djm Exp $");
#include "ssh.h"
#include "xmalloc.h"
@ -695,7 +695,7 @@ process_config_line(Options *options, const char *host,
fwd.listen_host = cleanhostname(fwd.listen_host);
} else {
fwd.listen_port = a2port(fwd.listen_host);
fwd.listen_host = "";
fwd.listen_host = NULL;
}
if (fwd.listen_port == 0)
fatal("%.200s line %d: Badly formatted port number.",
@ -743,6 +743,9 @@ process_config_line(Options *options, const char *host,
case oAddressFamily:
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%s line %d: missing address family.",
filename, linenum);
intptr = &options->address_family;
if (strcasecmp(arg, "inet") == 0)
value = AF_INET;
@ -793,7 +796,27 @@ process_config_line(Options *options, const char *host,
case oControlMaster:
intptr = &options->control_master;
goto parse_yesnoask;
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing ControlMaster argument.",
filename, linenum);
value = 0; /* To avoid compiler warning... */
if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
value = SSHCTL_MASTER_YES;
else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
value = SSHCTL_MASTER_NO;
else if (strcmp(arg, "auto") == 0)
value = SSHCTL_MASTER_AUTO;
else if (strcmp(arg, "ask") == 0)
value = SSHCTL_MASTER_ASK;
else if (strcmp(arg, "autoask") == 0)
value = SSHCTL_MASTER_AUTO_ASK;
else
fatal("%.200s line %d: Bad ControlMaster argument.",
filename, linenum);
if (*activep && *intptr == -1)
*intptr = value;
break;
case oHashKnownHosts:
intptr = &options->hash_known_hosts;
@ -816,7 +839,7 @@ process_config_line(Options *options, const char *host,
/* Check that there is no garbage at end of line. */
if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
filename, linenum, arg);
filename, linenum, arg);
}
return 0;
}

7
crypto/openssh/readconf.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.h,v 1.66 2005/03/01 10:40:27 djm Exp $ */
/* $OpenBSD: readconf.h,v 1.67 2005/06/08 11:25:09 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -116,6 +116,11 @@ typedef struct {
int hash_known_hosts;
} Options;
#define SSHCTL_MASTER_NO 0
#define SSHCTL_MASTER_YES 1
#define SSHCTL_MASTER_AUTO 2
#define SSHCTL_MASTER_ASK 3
#define SSHCTL_MASTER_AUTO_ASK 4
void initialize_options(Options *);
void fill_default_options(Options *);

11
crypto/openssh/readpass.c
View File

@ -23,7 +23,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: readpass.c,v 1.31 2004/10/29 22:53:56 djm Exp $");
RCSID("$OpenBSD: readpass.c,v 1.33 2005/05/02 21:13:22 markus Exp $");
#include "xmalloc.h"
#include "misc.h"
@ -106,15 +106,20 @@ read_passphrase(const char *prompt, int flags)
if (flags & RP_USE_ASKPASS)
use_askpass = 1;
else if (flags & RP_ALLOW_STDIN) {
if (!isatty(STDIN_FILENO))
if (!isatty(STDIN_FILENO)) {
debug("read_passphrase: stdin is not a tty");
use_askpass = 1;
}
} else {
rppflags |= RPP_REQUIRE_TTY;
ttyfd = open(_PATH_TTY, O_RDWR);
if (ttyfd >= 0)
close(ttyfd);
else
else {
debug("read_passphrase: can't open %s: %s", _PATH_TTY,
strerror(errno));
use_askpass = 1;
}
}
if ((flags & RP_USE_ASKPASS) && getenv("DISPLAY") == NULL)

6
crypto/openssh/regress/reexec.sh
View File

@ -3,10 +3,10 @@
tid="reexec tests"
DATA=/bin/ls
DATA=/bin/ls${EXEEXT}
COPY=${OBJ}/copy
SSHD_ORIG=$SSHD
SSHD_COPY=$OBJ/sshd
SSHD_ORIG=$SSHD${EXEEXT}
SSHD_COPY=$OBJ/sshd${EXEEXT}
# Start a sshd and then delete it
start_sshd_copy ()

7
crypto/openssh/regress/test-exec.sh
View File

@ -96,9 +96,10 @@ if [ "x$TEST_SSH_SCP" != "x" ]; then
fi
# Path to sshd must be absolute for rexec
if [ ! -x /$SSHD ]; then
SSHD=`which sshd`
fi
case "$SSHD" in
/*) ;;
*) SSHD=`which sshd` ;;
esac
if [ "x$TEST_SSH_LOGFILE" = "x" ]; then
TEST_SSH_LOGFILE=/dev/null

42
crypto/openssh/scp.c
View File

@ -71,7 +71,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: scp.c,v 1.121 2005/04/02 12:41:16 djm Exp $");
RCSID("$OpenBSD: scp.c,v 1.125 2005/07/27 10:39:03 dtucker Exp $");
#include "xmalloc.h"
#include "atomicio.h"
@ -109,11 +109,13 @@ static void
killchild(int signo)
{
if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo);
kill(do_cmd_pid, signo ? signo : SIGTERM);
waitpid(do_cmd_pid, NULL, 0);
}
_exit(1);
if (signo)
_exit(1);
exit(1);
}
/*
@ -184,7 +186,7 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
}
typedef struct {
int cnt;
size_t cnt;
char *buf;
} BUF;
@ -502,8 +504,9 @@ source(int argc, char **argv)
struct stat stb;
static BUF buffer;
BUF *bp;
off_t i, amt, result, statbytes;
int fd, haderr, indx;
off_t i, amt, statbytes;
size_t result;
int fd = -1, haderr, indx;
char *last, *name, buf[2048];
int len;
@ -578,14 +581,14 @@ next: (void) close(fd);
if (!haderr) {
result = atomicio(read, fd, bp->buf, amt);
if (result != amt)
haderr = result >= 0 ? EIO : errno;
haderr = errno;
}
if (haderr)
(void) atomicio(vwrite, remout, bp->buf, amt);
else {
result = atomicio(vwrite, remout, bp->buf, amt);
if (result != amt)
haderr = result >= 0 ? EIO : errno;
haderr = errno;
statbytes += result;
}
if (limit_rate)
@ -720,8 +723,9 @@ sink(int argc, char **argv)
YES, NO, DISPLAYED
} wrerr;
BUF *bp;
off_t i, j;
int amt, count, exists, first, mask, mode, ofd, omode;
off_t i;
size_t j, count;
int amt, exists, first, mask, mode, ofd, omode;
off_t size, statbytes;
int setimes, targisdir, wrerrno = 0;
char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
@ -748,7 +752,7 @@ sink(int argc, char **argv)
targisdir = 1;
for (first = 1;; first = 0) {
cp = buf;
if (atomicio(read, remin, cp, 1) <= 0)
if (atomicio(read, remin, cp, 1) != 1)
return;
if (*cp++ == '\n')
SCREWUP("unexpected <newline>");
@ -829,7 +833,7 @@ sink(int argc, char **argv)
}
if (targisdir) {
static char *namebuf;
static int cursize;
static size_t cursize;
size_t need;
need = strlen(targ) + strlen(cp) + 250;
@ -902,7 +906,7 @@ bad: run_err("%s: %s", np, strerror(errno));
count += amt;
do {
j = atomicio(read, remin, cp, amt);
if (j <= 0) {
if (j == 0) {
run_err("%s", j ? strerror(errno) :
"dropped connection");
exit(1);
@ -918,10 +922,10 @@ bad: run_err("%s: %s", np, strerror(errno));
if (count == bp->cnt) {
/* Keep reading so we stay sync'd up. */
if (wrerr == NO) {
j = atomicio(vwrite, ofd, bp->buf, count);
if (j != count) {
if (atomicio(vwrite, ofd, bp->buf,
count) != count) {
wrerr = YES;
wrerrno = j >= 0 ? EIO : errno;
wrerrno = errno;
}
}
count = 0;
@ -931,9 +935,9 @@ bad: run_err("%s: %s", np, strerror(errno));
if (showprogress)
stop_progress_meter();
if (count != 0 && wrerr == NO &&
(j = atomicio(vwrite, ofd, bp->buf, count)) != count) {
atomicio(vwrite, ofd, bp->buf, count) != count) {
wrerr = YES;
wrerrno = j >= 0 ? EIO : errno;
wrerrno = errno;
}
if (wrerr == NO && ftruncate(ofd, size) != 0) {
run_err("%s: truncate: %s", np, strerror(errno));
@ -1070,7 +1074,7 @@ verifydir(char *cp)
errno = ENOTDIR;
}
run_err("%s: %s", cp, strerror(errno));
exit(1);
killchild(0);
}
int

36
crypto/openssh/servconf.c
View File

@ -10,7 +10,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.140 2005/03/10 22:01:05 deraadt Exp $");
RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $");
#include "ssh.h"
#include "log.h"
@ -201,7 +201,7 @@ fill_default_server_options(ServerOptions *options)
if (options->use_login == -1)
options->use_login = 0;
if (options->compression == -1)
options->compression = 1;
options->compression = COMP_DELAYED;
if (options->allow_tcp_forwarding == -1)
options->allow_tcp_forwarding = 1;
if (options->gateway_ports == -1)
@ -398,7 +398,7 @@ parse_token(const char *cp, const char *filename,
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
int i;
u_int i;
if (options->num_ports == 0)
options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
@ -438,9 +438,10 @@ process_server_config_line(ServerOptions *options, char *line,
const char *filename, int linenum)
{
char *cp, **charptr, *arg, *p;
int *intptr, value, i, n;
int *intptr, value, n;
ServerOpCodes opcode;
u_short port;
u_int i;
cp = line;
arg = strdelim(&cp);
@ -516,6 +517,12 @@ process_server_config_line(ServerOptions *options, char *line,
if (arg == NULL || *arg == '\0')
fatal("%s line %d: missing address",
filename, linenum);
/* check for bare IPv6 address: no "[]" and 2 or more ":" */
if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
&& strchr(p+1, ':') != NULL) {
add_listen_addr(options, arg, 0);
break;
}
p = hpdelim(&arg);
if (p == NULL)
fatal("%s line %d: bad address:port usage",
@ -532,6 +539,9 @@ process_server_config_line(ServerOptions *options, char *line,
case sAddressFamily:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: missing address family.",
filename, linenum);
intptr = &options->address_family;
if (options->listen_addrs != NULL)
fatal("%s line %d: address family must be specified before "
@ -721,7 +731,23 @@ process_server_config_line(ServerOptions *options, char *line,
case sCompression:
intptr = &options->compression;
goto parse_flag;
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: missing yes/no/delayed "
"argument.", filename, linenum);
value = 0; /* silence compiler */
if (strcmp(arg, "delayed") == 0)
value = COMP_DELAYED;
else if (strcmp(arg, "yes") == 0)
value = COMP_ZLIB;
else if (strcmp(arg, "no") == 0)
value = COMP_NONE;
else
fatal("%s line %d: Bad yes/no/delayed "
"argument: %s", filename, linenum, arg);
if (*intptr == -1)
*intptr = value;
break;
case sGatewayPorts:
intptr = &options->gateway_ports;

6
crypto/openssh/serverloop.c
View File

@ -35,7 +35,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: serverloop.c,v 1.117 2004/08/11 21:43:05 avsm Exp $");
RCSID("$OpenBSD: serverloop.c,v 1.118 2005/07/17 07:17:55 djm Exp $");
#include "xmalloc.h"
#include "packet.h"
@ -865,7 +865,7 @@ server_request_direct_tcpip(void)
packet_check_eom();
debug("server_request_direct_tcpip: originator %s port %d, target %s port %d",
originator, originator_port, target, target_port);
originator, originator_port, target, target_port);
/* XXX check permission */
sock = channel_connect_to(target, target_port);
@ -983,7 +983,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
#ifndef NO_IPPORT_RESERVED_CONCEPT
|| (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)
#endif
) {
) {
success = 0;
packet_send_debug("Server has disabled port forwarding.");
} else {

133
crypto/openssh/session.c
View File

@ -33,7 +33,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: session.c,v 1.181 2004/12/23 17:35:48 markus Exp $");
RCSID("$OpenBSD: session.c,v 1.186 2005/07/25 11:59:40 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@ -56,6 +56,7 @@ RCSID("$OpenBSD: session.c,v 1.181 2004/12/23 17:35:48 markus Exp $");
#include "serverloop.h"
#include "canohost.h"
#include "session.h"
#include "kex.h"
#include "monitor_wrap.h"
#if defined(KRB5) && defined(USE_AFS)
@ -196,11 +197,11 @@ auth_input_request_forwarding(struct passwd * pw)
static void
display_loginmsg(void)
{
if (buffer_len(&loginmsg) > 0) {
buffer_append(&loginmsg, "\0", 1);
printf("%s", (char *)buffer_ptr(&loginmsg));
buffer_clear(&loginmsg);
}
if (buffer_len(&loginmsg) > 0) {
buffer_append(&loginmsg, "\0", 1);
printf("%s", (char *)buffer_ptr(&loginmsg));
buffer_clear(&loginmsg);
}
}
void
@ -272,7 +273,7 @@ do_authenticated1(Authctxt *authctxt)
compression_level);
break;
}
if (!options.compression) {
if (options.compression == COMP_NONE) {
debug2("compression disabled");
break;
}
@ -946,7 +947,8 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
}
#endif /* HAVE_ETC_DEFAULT_LOGIN */
void copy_environment(char **source, char ***env, u_int *envsize)
void
copy_environment(char **source, char ***env, u_int *envsize)
{
char *var_name, *var_val;
int i;
@ -1332,6 +1334,11 @@ do_setusercontext(struct passwd *pw)
# ifdef _AIX
aix_usrinfo(pw);
# endif /* _AIX */
#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
if (set_id(pw->pw_name) != 0) {
exit(1);
}
#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
@ -1529,7 +1536,7 @@ do_child(Session *s, const char *command)
*/
if (options.kerberos_get_afs_token && k_hasafs() &&
(s->authctxt->krb5_ctx != NULL)) {
(s->authctxt->krb5_ctx != NULL)) {
char cell[64];
debug("Getting AFS token");
@ -1633,6 +1640,7 @@ session_new(void)
s->ttyfd = -1;
s->used = 1;
s->self = i;
s->x11_chanids = NULL;
debug("session_new: session %d", i);
return s;
}
@ -1705,6 +1713,29 @@ session_by_channel(int id)
return NULL;
}
static Session *
session_by_x11_channel(int id)
{
int i, j;
for (i = 0; i < MAX_SESSIONS; i++) {
Session *s = &sessions[i];
if (s->x11_chanids == NULL || !s->used)
continue;
for (j = 0; s->x11_chanids[j] != -1; j++) {
if (s->x11_chanids[j] == id) {
debug("session_by_x11_channel: session %d "
"channel %d", s->self, id);
return s;
}
}
}
debug("session_by_x11_channel: unknown channel %d", id);
session_dump();
return NULL;
}
static Session *
session_by_pid(pid_t pid)
{
@ -1800,7 +1831,7 @@ session_subsystem_req(Session *s)
u_int len;
int success = 0;
char *cmd, *subsys = packet_get_string(&len);
int i;
u_int i;
packet_check_eom();
logit("subsystem request for %.100s", subsys);
@ -1834,6 +1865,11 @@ session_x11_req(Session *s)
{
int success;
if (s->auth_proto != NULL || s->auth_data != NULL) {
error("session_x11_req: session %d: "
"x11 fowarding already active", s->self);
return 0;
}
s->single_connection = packet_get_char();
s->auth_proto = packet_get_string(NULL);
s->auth_data = packet_get_string(NULL);
@ -2058,10 +2094,67 @@ sig2name(int sig)
return "SIG@openssh.com";
}
static void
session_close_x11(int id)
{
Channel *c;
if ((c = channel_lookup(id)) == NULL) {
debug("session_close_x11: x11 channel %d missing", id);
} else {
/* Detach X11 listener */
debug("session_close_x11: detach x11 channel %d", id);
channel_cancel_cleanup(id);
if (c->ostate != CHAN_OUTPUT_CLOSED)
chan_mark_dead(c);
}
}
static void
session_close_single_x11(int id, void *arg)
{
Session *s;
u_int i;
debug3("session_close_single_x11: channel %d", id);
channel_cancel_cleanup(id);
if ((s = session_by_x11_channel(id)) == NULL)
fatal("session_close_single_x11: no x11 channel %d", id);
for (i = 0; s->x11_chanids[i] != -1; i++) {
debug("session_close_single_x11: session %d: "
"closing channel %d", s->self, s->x11_chanids[i]);
/*
* The channel "id" is already closing, but make sure we
* close all of its siblings.
*/
if (s->x11_chanids[i] != id)
session_close_x11(s->x11_chanids[i]);
}
xfree(s->x11_chanids);
s->x11_chanids = NULL;
if (s->display) {
xfree(s->display);
s->display = NULL;
}
if (s->auth_proto) {
xfree(s->auth_proto);
s->auth_proto = NULL;
}
if (s->auth_data) {
xfree(s->auth_data);
s->auth_data = NULL;
}
if (s->auth_display) {
xfree(s->auth_display);
s->auth_display = NULL;
}
}
static void
session_exit_message(Session *s, int status)
{
Channel *c;
u_int i;
if ((c = channel_lookup(s->chanid)) == NULL)
fatal("session_exit_message: session %d: no channel %d",
@ -2101,12 +2194,20 @@ session_exit_message(Session *s, int status)
if (c->ostate != CHAN_OUTPUT_CLOSED)
chan_write_failed(c);
s->chanid = -1;
/* Close any X11 listeners associated with this session */
if (s->x11_chanids != NULL) {
for (i = 0; s->x11_chanids[i] != -1; i++) {
session_close_x11(s->x11_chanids[i]);
s->x11_chanids[i] = -1;
}
}
}
void
session_close(Session *s)
{
int i;
u_int i;
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
if (s->ttyfd != -1)
@ -2115,6 +2216,8 @@ session_close(Session *s)
xfree(s->term);
if (s->display)
xfree(s->display);
if (s->x11_chanids)
xfree(s->x11_chanids);
if (s->auth_display)
xfree(s->auth_display);
if (s->auth_data)
@ -2153,6 +2256,7 @@ void
session_close_by_channel(int id, void *arg)
{
Session *s = session_by_channel(id);
if (s == NULL) {
debug("session_close_by_channel: no session for id %d", id);
return;
@ -2233,6 +2337,7 @@ session_setup_x11fwd(Session *s)
struct stat st;
char display[512], auth_display[512];
char hostname[MAXHOSTNAMELEN];
u_int i;
if (no_x11_forwarding_flag) {
packet_send_debug("X11 forwarding disabled in user configuration file.");
@ -2258,10 +2363,14 @@ session_setup_x11fwd(Session *s)
}
if (x11_create_display_inet(options.x11_display_offset,
options.x11_use_localhost, s->single_connection,
&s->display_number) == -1) {
&s->display_number, &s->x11_chanids) == -1) {
debug("x11_create_display_inet failed.");
return 0;
}
for (i = 0; s->x11_chanids[i] != -1; i++) {
channel_register_cleanup(s->x11_chanids[i],
session_close_single_x11);
}
/* Set up a suitable value for the DISPLAY variable. */
if (gethostname(hostname, sizeof(hostname)) < 0)

5
crypto/openssh/session.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: session.h,v 1.23 2004/07/17 05:31:41 dtucker Exp $ */
/* $OpenBSD: session.h,v 1.25 2005/07/17 06:49:04 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -49,8 +49,9 @@ struct Session {
int single_connection;
/* proto 2 */
int chanid;
int *x11_chanids;
int is_subsystem;
int num_env;
u_int num_env;
struct {
char *name;
char *val;

39
crypto/openssh/sftp-client.c
View File

@ -20,7 +20,7 @@
/* XXX: copy between two remote sites */
#include "includes.h"
RCSID("$OpenBSD: sftp-client.c,v 1.53 2005/03/10 22:01:05 deraadt Exp $");
RCSID("$OpenBSD: sftp-client.c,v 1.57 2005/07/27 10:39:03 dtucker Exp $");
#include "openbsd-compat/sys-queue.h"
@ -64,10 +64,10 @@ send_msg(int fd, Buffer *m)
/* Send length first */
PUT_32BIT(mlen, buffer_len(m));
if (atomicio(vwrite, fd, mlen, sizeof(mlen)) <= 0)
if (atomicio(vwrite, fd, mlen, sizeof(mlen)) != sizeof(mlen))
fatal("Couldn't send packet: %s", strerror(errno));
if (atomicio(vwrite, fd, buffer_ptr(m), buffer_len(m)) <= 0)
if (atomicio(vwrite, fd, buffer_ptr(m), buffer_len(m)) != buffer_len(m))
fatal("Couldn't send packet: %s", strerror(errno));
buffer_clear(m);
@ -76,26 +76,27 @@ send_msg(int fd, Buffer *m)
static void
get_msg(int fd, Buffer *m)
{
ssize_t len;
u_int msg_len;
buffer_append_space(m, 4);
len = atomicio(read, fd, buffer_ptr(m), 4);
if (len == 0)
fatal("Connection closed");
else if (len == -1)
fatal("Couldn't read packet: %s", strerror(errno));
if (atomicio(read, fd, buffer_ptr(m), 4) != 4) {
if (errno == EPIPE)
fatal("Connection closed");
else
fatal("Couldn't read packet: %s", strerror(errno));
}
msg_len = buffer_get_int(m);
if (msg_len > MAX_MSG_LENGTH)
fatal("Received message too long %u", msg_len);
buffer_append_space(m, msg_len);
len = atomicio(read, fd, buffer_ptr(m), msg_len);
if (len == 0)
fatal("Connection closed");
else if (len == -1)
fatal("Read packet: %s", strerror(errno));
if (atomicio(read, fd, buffer_ptr(m), msg_len) != msg_len) {
if (errno == EPIPE)
fatal("Connection closed");
else
fatal("Read packet: %s", strerror(errno));
}
}
static void
@ -310,7 +311,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
SFTP_DIRENT ***dir)
{
Buffer msg;
u_int type, id, handle_len, i, expected_id, ents = 0;
u_int count, type, id, handle_len, i, expected_id, ents = 0;
char *handle;
id = conn->msg_id++;
@ -334,8 +335,6 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
}
for (; !interrupted;) {
int count;
id = expected_id = conn->msg_id++;
debug3("Sending SSH2_FXP_READDIR I:%u", id);
@ -743,10 +742,10 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
Attrib junk, *a;
Buffer msg;
char *handle;
int local_fd, status, num_req, max_req, write_error;
int local_fd, status = 0, write_error;
int read_error, write_errno;
u_int64_t offset, size;
u_int handle_len, mode, type, id, buflen;
u_int handle_len, mode, type, id, buflen, num_req, max_req;
off_t progress_counter;
struct request {
u_int id;
@ -1127,7 +1126,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
goto done;
}
debug3("In write loop, ack for %u %u bytes at %llu",
ack->id, ack->len, (unsigned long long)ack->offset);
ack->id, ack->len, (unsigned long long)ack->offset);
++ackid;
xfree(ack);
}

4
crypto/openssh/sftp-client.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp-client.h,v 1.13 2004/11/29 07:41:24 djm Exp $ */
/* $OpenBSD: sftp-client.h,v 1.14 2005/04/26 12:59:02 jmc Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
@ -30,7 +30,7 @@ struct SFTP_DIRENT {
};
/*
* Initialiase a SSH filexfer connection. Returns NULL on error or
* Initialise a SSH filexfer connection. Returns NULL on error or
* a pointer to a initialized sftp_conn struct on success.
*/
struct sftp_conn *do_init(int, int, u_int, u_int);

12
crypto/openssh/sftp-server.c
View File

@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
RCSID("$OpenBSD: sftp-server.c,v 1.47 2004/06/25 05:38:48 dtucker Exp $");
RCSID("$OpenBSD: sftp-server.c,v 1.48 2005/06/17 02:44:33 djm Exp $");
#include "buffer.h"
#include "bufaux.h"
@ -130,7 +130,7 @@ Handle handles[100];
static void
handle_init(void)
{
int i;
u_int i;
for (i = 0; i < sizeof(handles)/sizeof(Handle); i++)
handles[i].use = HANDLE_UNUSED;
@ -139,7 +139,7 @@ handle_init(void)
static int
handle_new(int use, const char *name, int fd, DIR *dirp)
{
int i;
u_int i;
for (i = 0; i < sizeof(handles)/sizeof(Handle); i++) {
if (handles[i].use == HANDLE_UNUSED) {
@ -156,7 +156,7 @@ handle_new(int use, const char *name, int fd, DIR *dirp)
static int
handle_is_ok(int i, int type)
{
return i >= 0 && i < sizeof(handles)/sizeof(Handle) &&
return i >= 0 && (u_int)i < sizeof(handles)/sizeof(Handle) &&
handles[i].use == type;
}
@ -477,10 +477,10 @@ process_write(void)
} else {
/* XXX ATOMICIO ? */
ret = write(fd, data, len);
if (ret == -1) {
if (ret < 0) {
error("process_write: write failed");
status = errno_to_portable(errno);
} else if (ret == len) {
} else if ((size_t)ret == len) {
status = SSH2_FX_OK;
} else {
logit("nothing at all written");

53
crypto/openssh/sftp.c
View File

@ -16,7 +16,7 @@
#include "includes.h"
RCSID("$OpenBSD: sftp.c,v 1.63 2005/03/10 22:01:05 deraadt Exp $");
RCSID("$OpenBSD: sftp.c,v 1.66 2005/08/08 13:22:48 jaredy Exp $");
#ifdef USE_LIBEDIT
#include <histedit.h>
@ -404,7 +404,7 @@ get_pathname(const char **cpp, char **path)
{
const char *cp = *cpp, *end;
char quot;
int i, j;
u_int i, j;
cp += strspn(cp, WHITESPACE);
if (!*cp) {
@ -664,14 +664,15 @@ sdirent_comp(const void *aa, const void *bb)
static int
do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
{
int n, c = 1, colspace = 0, columns = 1;
int n;
u_int c = 1, colspace = 0, columns = 1;
SFTP_DIRENT **d;
if ((n = do_readdir(conn, path, &d)) != 0)
return (n);
if (!(lflag & LS_SHORT_VIEW)) {
int m = 0, width = 80;
u_int m = 0, width = 80;
struct winsize ws;
char *tmp;
@ -747,7 +748,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
int lflag)
{
glob_t g;
int i, c = 1, colspace = 0, columns = 1;
u_int i, c = 1, colspace = 0, columns = 1;
Attrib *a = NULL;
memset(&g, 0, sizeof(g));
@ -783,7 +784,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
}
if (!(lflag & LS_SHORT_VIEW)) {
int m = 0, width = 80;
u_int m = 0, width = 80;
struct winsize ws;
/* Count entries for sort and find longest filename */
@ -1236,7 +1237,7 @@ interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
char *dir = NULL;
char cmd[2048];
struct sftp_conn *conn;
int err;
int err, interactive;
EditLine *el = NULL;
#ifdef USE_LIBEDIT
History *hl = NULL;
@ -1294,14 +1295,15 @@ interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
xfree(dir);
}
#if HAVE_SETVBUF
#if defined(HAVE_SETVBUF) && !defined(BROKEN_SETVBUF)
setvbuf(stdout, NULL, _IOLBF, 0);
setvbuf(infile, NULL, _IOLBF, 0);
#else
setlinebuf(stdout);
setlinebuf(infile);
setlinebuf(stdout);
setlinebuf(infile);
#endif
interactive = !batchmode && isatty(STDIN_FILENO);
err = 0;
for (;;) {
char *cp;
@ -1309,20 +1311,28 @@ interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
signal(SIGINT, SIG_IGN);
if (el == NULL) {
printf("sftp> ");
if (interactive)
printf("sftp> ");
if (fgets(cmd, sizeof(cmd), infile) == NULL) {
printf("\n");
if (interactive)
printf("\n");
break;
}
if (batchmode) /* Echo command */
printf("%s", cmd);
if (!interactive) { /* Echo command */
printf("sftp> %s", cmd);
if (strlen(cmd) > 0 &&
cmd[strlen(cmd) - 1] != '\n')
printf("\n");
}
} else {
#ifdef USE_LIBEDIT
const char *line;
int count = 0;
if ((line = el_gets(el, &count)) == NULL || count <= 0)
break;
if ((line = el_gets(el, &count)) == NULL || count <= 0) {
printf("\n");
break;
}
history(hl, &hev, H_ENTER, line);
if (strlcpy(cmd, line, sizeof(cmd)) >= sizeof(cmd)) {
fprintf(stderr, "Error: input line too long\n");
@ -1345,6 +1355,11 @@ interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
}
xfree(pwd);
#ifdef USE_LIBEDIT
if (el != NULL)
el_end(el);
#endif /* USE_LIBEDIT */
/* err == 1 signifies normal "quit" exit */
return (err >= 0 ? 0 : -1);
}
@ -1475,7 +1490,7 @@ main(int argc, char **argv)
/* Allow "-" as stdin */
if (strcmp(optarg, "-") != 0 &&
(infile = fopen(optarg, "r")) == NULL)
(infile = fopen(optarg, "r")) == NULL)
fatal("%s (%s).", strerror(errno), optarg);
showprogress = 0;
batchmode = 1;
@ -1561,8 +1576,8 @@ main(int argc, char **argv)
err = interactive_loop(in, out, file1, file2);
#if !defined(USE_PIPES)
shutdown(in, SHUT_RDWR);
shutdown(out, SHUT_RDWR);
shutdown(in, SHUT_RDWR);
shutdown(out, SHUT_RDWR);
#endif
close(in);

14
crypto/openssh/ssh-add.1
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-add.1,v 1.42 2005/03/01 17:32:19 jmc Exp $
.\" $OpenBSD: ssh-add.1,v 1.43 2005/04/21 06:17:50 djm Exp $
.\"
.\" -*- nroff -*-
.\"
@ -57,10 +57,10 @@
adds RSA or DSA identities to the authentication agent,
.Xr ssh-agent 1 .
When run without arguments, it adds the files
.Pa $HOME/.ssh/id_rsa ,
.Pa $HOME/.ssh/id_dsa
.Pa ~/.ssh/id_rsa ,
.Pa ~/.ssh/id_dsa
and
.Pa $HOME/.ssh/identity .
.Pa ~/.ssh/identity .
Alternative file names can be given on the command line.
If any file requires a passphrase,
.Nm
@ -142,11 +142,11 @@ agent.
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/identity
.It Pa ~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of the user.
.It Pa $HOME/.ssh/id_dsa
.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
.It Pa $HOME/.ssh/id_rsa
.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
.El
.Pp

4
crypto/openssh/ssh-add.c
View File

@ -35,7 +35,7 @@
*/
#include "includes.h"
RCSID("$OpenBSD: ssh-add.c,v 1.71 2005/03/10 22:01:06 deraadt Exp $");
RCSID("$OpenBSD: ssh-add.c,v 1.72 2005/07/17 07:17:55 djm Exp $");
#include <openssl/evp.h>
@ -145,7 +145,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
/* clear passphrase since it did not work */
clear_pass();
snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ",
comment);
comment);
for (;;) {
pass = read_passphrase(msg, RP_ALLOW_STDIN);
if (strcmp(pass, "") == 0) {

14
crypto/openssh/ssh-agent.1
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-agent.1,v 1.41 2004/07/11 17:48:47 deraadt Exp $
.\" $OpenBSD: ssh-agent.1,v 1.42 2005/04/21 06:17:50 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -111,10 +111,10 @@ Keys are added using
When executed without arguments,
.Xr ssh-add 1
adds the files
.Pa $HOME/.ssh/id_rsa ,
.Pa $HOME/.ssh/id_dsa
.Pa ~/.ssh/id_rsa ,
.Pa ~/.ssh/id_dsa
and
.Pa $HOME/.ssh/identity .
.Pa ~/.ssh/identity .
If the identity has a passphrase,
.Xr ssh-add 1
asks for the passphrase (using a small X11 application if running
@ -179,11 +179,11 @@ The agent exits automatically when the command given on the command
line terminates.
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/identity
.It Pa ~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of the user.
.It Pa $HOME/.ssh/id_dsa
.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
.It Pa $HOME/.ssh/id_rsa
.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
.It Pa /tmp/ssh-XXXXXXXX/agent.<ppid>
Unix-domain sockets used to contain the connection to the

30
crypto/openssh/ssh-keygen.1
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.67 2005/03/14 10:09:03 dtucker Exp $
.\" $OpenBSD: ssh-keygen.1,v 1.69 2005/06/08 03:50:00 djm Exp $
.\"
.\" -*- nroff -*-
.\"
@ -129,10 +129,10 @@ section for details.
Normally each user wishing to use SSH
with RSA or DSA authentication runs this once to create the authentication
key in
.Pa $HOME/.ssh/identity ,
.Pa $HOME/.ssh/id_dsa
.Pa ~/.ssh/identity ,
.Pa ~/.ssh/id_dsa
or
.Pa $HOME/.ssh/id_rsa .
.Pa ~/.ssh/id_rsa .
Additionally, the system administrator may use this to generate host keys,
as seen in
.Pa /etc/rc .
@ -188,8 +188,8 @@ Show the bubblebabble digest of specified private or public key file.
.It Fl b Ar bits
Specifies the number of bits in the key to create.
Minimum is 512 bits.
Generally, 1024 bits is considered sufficient.
The default is 1024 bits.
Generally, 2048 bits is considered sufficient.
The default is 2048 bits.
.It Fl C Ar comment
Provides a new comment.
.It Fl c
@ -381,7 +381,7 @@ It is important that this file contains moduli of a range of bit lengths and
that both ends of a connection share common moduli.
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/identity
.It Pa ~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
@ -392,14 +392,14 @@ This file is not automatically accessed by
but it is offered as the default file for the private key.
.Xr ssh 1
will read this file when a login attempt is made.
.It Pa $HOME/.ssh/identity.pub
.It Pa ~/.ssh/identity.pub
Contains the protocol version 1 RSA public key for authentication.
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys
.Pa ~/.ssh/authorized_keys
on all machines
where the user wishes to log in using RSA authentication.
There is no need to keep the contents of this file secret.
.It Pa $HOME/.ssh/id_dsa
.It Pa ~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
@ -410,14 +410,14 @@ This file is not automatically accessed by
but it is offered as the default file for the private key.
.Xr ssh 1
will read this file when a login attempt is made.
.It Pa $HOME/.ssh/id_dsa.pub
.It Pa ~/.ssh/id_dsa.pub
Contains the protocol version 2 DSA public key for authentication.
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys
.Pa ~/.ssh/authorized_keys
on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.It Pa $HOME/.ssh/id_rsa
.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
@ -428,10 +428,10 @@ This file is not automatically accessed by
but it is offered as the default file for the private key.
.Xr ssh 1
will read this file when a login attempt is made.
.It Pa $HOME/.ssh/id_rsa.pub
.It Pa ~/.ssh/id_rsa.pub
Contains the protocol version 2 RSA public key for authentication.
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys
.Pa ~/.ssh/authorized_keys
on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.

Some files were not shown because too many files have changed in this diff Show More