d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Upgrade to 6.3p1.

Browse Source 
Approved by:	re (gjb)
This commit is contained in:
Dag-Erling Smørgrav 2013-09-21 21:36:09 +00:00
commit e4a9863fb7
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=255767
154 changed files with 4263 additions and 2392 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

629
crypto/openssh/ChangeLog
View File

@ -1,11 +1,628 @@
20130913
- (djm) [channels.c] Fix unaligned access on sparc machines in SOCKS5 code;
ok dtucker@
- (djm) [channels.c] sigh, typo s/buffet_/buffer_/
- (djm) Release 6.3p1
20130808
- (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt
since some platforms (eg really old FreeBSD) don't have it. Instead,
run "make clean" before a complete regress run. ok djm.
- (dtucker) [misc.c] Fall back to time(2) at runtime if clock_gettime(
CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the
CLOCK_MONOTONIC define but don't actually support it. Found and tested
by Kevin Brott, ok djm.
- (dtucker) [misc.c] Remove define added for fallback testing that was
mistakenly included in the previous commit.
- (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt
removal. The "make clean" removes modpipe which is built by the top-level
directory before running the tests. Spotted by tim@
20130804
- (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support
for building with older Heimdal versions. ok djm.
20130801
- (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non-
blocking connecting socket will clear any stored errno that might
otherwise have been retrievable via getsockopt(). A hack to limit writes
to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap
it in an #ifdef. Diagnosis and patch from Ivo Raisr.
- (djm) [sshlogin.h] Fix prototype merge botch from 2006; bz#2134
20130725
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/07/20 22:20:42
[krl.c]
fix verification error in (as-yet usused) KRL signature checking path
- djm@cvs.openbsd.org 2013/07/22 05:00:17
[umac.c]
make MAC key, data to be hashed and nonce for final hash const;
checked with -Wcast-qual
- djm@cvs.openbsd.org 2013/07/22 12:20:02
[umac.h]
oops, forgot to commit corresponding header change;
spotted by jsg and jasper
- djm@cvs.openbsd.org 2013/07/25 00:29:10
[ssh.c]
daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure
it is fully detached from its controlling terminal. based on debugging
- djm@cvs.openbsd.org 2013/07/25 00:56:52
[sftp-client.c sftp-client.h sftp.1 sftp.c]
sftp support for resuming partial downloads; patch mostly by Loganaden
Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@
"Just be careful" deraadt@
- djm@cvs.openbsd.org 2013/07/25 00:57:37
[version.h]
openssh-6.3 for release
- dtucker@cvs.openbsd.org 2013/05/30 20:12:32
[regress/test-exec.sh]
use ssh and sshd as testdata since it needs to be >256k for the rekey test
- dtucker@cvs.openbsd.org 2013/06/10 21:56:43
[regress/forwarding.sh]
Add test for forward config parsing
- djm@cvs.openbsd.org 2013/06/21 02:26:26
[regress/sftp-cmds.sh regress/test-exec.sh]
unbreak sftp-cmds for renamed test data (s/ls/data/)
- (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on
Solaris and UnixWare. Feedback and OK djm@
- (tim) [regress/forwarding.sh] Fix for building outside source tree.
20130720
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2013/07/19 07:37:48
[auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c]
[servconf.h session.c sshd.c sshd_config.5]
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@
- djm@cvs.openbsd.org 2013/07/20 01:43:46
[umac.c]
use a union to ensure correct alignment; ok deraadt
- djm@cvs.openbsd.org 2013/07/20 01:44:37
[ssh-keygen.c ssh.c]
More useful error message on missing current user in /etc/passwd
- djm@cvs.openbsd.org 2013/07/20 01:50:20
[ssh-agent.c]
call cleanup_handler on SIGINT when in debug mode to ensure sockets
are cleaned up on manual exit; bz#2120
- djm@cvs.openbsd.org 2013/07/20 01:55:13
[auth-krb5.c gss-serv-krb5.c gss-serv.c]
fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@
20130718
- (djm) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2013/06/10 19:19:44
[readconf.c]
revert 1.203 while we investigate crashes reported by okan@
- guenther@cvs.openbsd.org 2013/06/17 04:48:42
[scp.c]
Handle time_t values as long long's when formatting them and when
parsing them from remote servers.
Improve error checking in parsing of 'T' lines.
ok dtucker@ deraadt@
- markus@cvs.openbsd.org 2013/06/20 19:15:06
[krl.c]
don't leak the rdata blob on errors; ok djm@
- djm@cvs.openbsd.org 2013/06/21 00:34:49
[auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c]
for hostbased authentication, print the client host and user on
the auth success/failure line; bz#2064, ok dtucker@
- djm@cvs.openbsd.org 2013/06/21 00:37:49
[ssh_config.5]
explicitly mention that IdentitiesOnly can be used with IdentityFile
to control which keys are offered from an agent.
- djm@cvs.openbsd.org 2013/06/21 05:42:32
[dh.c]
sprinkle in some error() to explain moduli(5) parse failures
- djm@cvs.openbsd.org 2013/06/21 05:43:10
[scp.c]
make this -Wsign-compare clean after time_t conversion
- djm@cvs.openbsd.org 2013/06/22 06:31:57
[scp.c]
improved time_t overflow check suggested by guenther@
- jmc@cvs.openbsd.org 2013/06/27 14:05:37
[ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
do not use Sx for sections outwith the man page - ingo informs me that
stuff like html will render with broken links;
issue reported by Eric S. Raymond, via djm
- markus@cvs.openbsd.org 2013/07/02 12:31:43
[dh.c]
remove extra whitespace
- djm@cvs.openbsd.org 2013/07/12 00:19:59
[auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c]
[hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c]
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
- djm@cvs.openbsd.org 2013/07/12 00:20:00
[sftp.c ssh-keygen.c ssh-pkcs11.c]
fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
- djm@cvs.openbsd.org 2013/07/12 00:43:50
[misc.c]
in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when
errno == 0. Avoids confusing error message in some broken resolver
cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker
- djm@cvs.openbsd.org 2013/07/12 05:42:03
[ssh-keygen.c]
do_print_resource_record() can never be called with a NULL filename, so
don't attempt (and bungle) asking for one if it has not been specified
bz#2127 ok dtucker@
- djm@cvs.openbsd.org 2013/07/12 05:48:55
[ssh.c]
set TCP nodelay for connections started with -N; bz#2124 ok dtucker@
- schwarze@cvs.openbsd.org 2013/07/16 00:07:52
[scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8]
use .Mt for email addresses; from Jan Stary <hans at stare dot cz>; ok jmc@
- djm@cvs.openbsd.org 2013/07/18 01:12:26
[ssh.1]
be more exact wrt perms for ~/.ssh/config; bz#2078
20130702
- (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config
contrib/cygwin/ssh-user-config] Modernizes and improve readability of
the Cygwin README file (which hasn't been updated for ages), drop
unsupported OSes from the ssh-host-config help text, and drop an
unneeded option from ssh-user-config. Patch from vinschen at redhat com.
20130610
- (djm) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2013/06/07 15:37:52
[channels.c channels.h clientloop.c]
Add an "ABANDONED" channel state and use for mux sessions that are
disconnected via the ~. escape sequence. Channels in this state will
be able to close if the server responds, but do not count as active channels.
This means that if you ~. all of the mux clients when using ControlPersist
on a broken network, the backgrounded mux master will exit when the
Control Persist time expires rather than hanging around indefinitely.
bz#1917, also reported and tested by tedu@. ok djm@ markus@.
- (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported
algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages.
- (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have
the required OpenSSL support. Patch from naddy at freebsd.
- (dtucker) [myproposal.h] Make the conditional algorithm support consistent
and add some comments so it's clear what goes where.
20130605
- (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of
the necessary functions, not from the openssl version.
- (dtucker) [contrib/ssh-copy-id] bz#2117: Use portable operator in test.
Patch from cjwatson at debian.
- (dtucker) [regress/forwarding.sh] For (as yet unknown) reason, the
forwarding test is extremely slow copying data on some machines so switch
back to copying the much smaller ls binary until we can figure out why
this is.
- (dtucker) [Makefile.in] append $CFLAGS to compiler options when building
modpipe in case there's anything in there we need.
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2013/06/02 21:01:51
[channels.h]
typo in comment
- dtucker@cvs.openbsd.org 2013/06/02 23:36:29
[clientloop.h clientloop.c mux.c]
No need for the mux cleanup callback to be visible so restore it to static
and call it through the detach_user function pointer. ok djm@
- dtucker@cvs.openbsd.org 2013/06/03 00:03:18
[mac.c]
force the MAC output to be 64-bit aligned so umac won't see unaligned
accesses on strict-alignment architectures. bz#2101, patch from
tomas.kuthan at oracle.com, ok djm@
- dtucker@cvs.openbsd.org 2013/06/04 19:12:23
[scp.c]
use MAXPATHLEN for buffer size instead of fixed value. ok markus
- dtucker@cvs.openbsd.org 2013/06/04 20:42:36
[sftp.c]
Make sftp's libedit interface marginally multibyte aware by building up
the quoted string by character instead of by byte. Prevents failures
when linked against a libedit built with wide character support (bz#1990).
"looks ok" djm
- dtucker@cvs.openbsd.org 2013/06/05 02:07:29
[mux.c]
fix leaks in mux error paths, from Zhenbo Xu, found by Melton. bz#1967,
ok djm
- dtucker@cvs.openbsd.org 2013/06/05 02:27:50
[sshd.c]
When running sshd -D, close stderr unless we have explicitly requesting
logging to stderr. From james.hunt at ubuntu.com via bz#1976, djm's patch
so, err, ok dtucker.
- dtucker@cvs.openbsd.org 2013/06/05 12:52:38
[sshconnect2.c]
Fix memory leaks found by Zhenbo Xu and the Melton tool. bz#1967, ok djm
- dtucker@cvs.openbsd.org 2013/06/05 22:00:28
[readconf.c]
plug another memleak. bz#1967, from Zhenbo Xu, detected by Melton, ok djm
- (dtucker) [configure.ac sftp.c openbsd-compat/openbsd-compat.h] Cater for
platforms that don't have multibyte character support (specifically,
mblen).
20130602
- (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy
linking regress/modpipe.
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2013/06/02 13:33:05
[progressmeter.c]
Add misc.h for monotime prototype. (ID sync only).
- dtucker@cvs.openbsd.org 2013/06/02 13:35:58
[ssh-agent.c]
Make parent_alive_interval time_t to avoid signed/unsigned comparison
- (dtucker) [configure.ac] sys/un.h needs sys/socket.h on some platforms
to prevent noise from configure. Patch from Nathan Osman. (bz#2114).
- (dtucker) [configure.ac] bz#2111: don't try to use lastlog on Android.
Patch from Nathan Osman.
- (tim) [configure.ac regress/Makefile] With rev 1.47 of test-exec.sh we
need a shell that can handle "[ file1 -nt file2 ]". Rather than keep
dealing with shell portability issues in regression tests, we let
configure find us a capable shell on those platforms with an old /bin/sh.
- (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr.
feedback and ok dtucker
- (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker
- (dtucker) [configure.ac] Some platforms need sys/types.h before sys/un.h.
- (dtucker) [configure.ac] Some other platforms need sys/types.h before
sys/socket.h.
20130601
- (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to
using openssl's DES_crypt function on platorms that don't have a native
one, eg Android. Based on a patch from Nathan Osman.
- (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS
rather than trying to enumerate the plaforms that don't have them.
Based on a patch from Nathan Osman, with help from tim@.
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
dns.c packet.c readpass.c authfd.c moduli.c]
bye, bye xfree(); ok markus@
- djm@cvs.openbsd.org 2013/05/19 02:38:28
[auth2-pubkey.c]
fix failure to recognise cert-authority keys if a key of a different type
appeared in authorized_keys before it; ok markus@
- djm@cvs.openbsd.org 2013/05/19 02:42:42
[auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h]
Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.
Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@
- dtucker@cvs.openbsd.org 2013/05/31 12:28:10
[ssh-agent.c]
Use time_t where appropriate. ok djm
- dtucker@cvs.openbsd.org 2013/06/01 13:15:52
[ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c
channels.c sandbox-systrace.c]
Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
keepalives and rekeying will work properly over clock steps. Suggested by
markus@, "looks good" djm@.
- dtucker@cvs.openbsd.org 2013/06/01 20:59:25
[scp.c sftp-client.c]
Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch
from Nathan Osman via bz#2085. ok deraadt.
- dtucker@cvs.openbsd.org 2013/06/01 22:34:50
[sftp-client.c]
Update progressmeter when data is acked, not when it's sent. bz#2108, from
Debian via Colin Watson, ok djm@
- (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c
groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c
sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c
openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c
openbsd-compat/port-linux.c] Replace portable-specific instances of xfree
with the equivalent calls to free.
- (dtucker) [configure.ac misc.c] Look for clock_gettime in librt and fall
back to time(NULL) if we can't find it anywhere.
- (dtucker) [sandbox-seccomp-filter.c] Allow clock_gettimeofday.
20130529
- (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null
implementation of endgrent for platforms that don't have it (eg Android).
Loosely based on a patch from Nathan Osman, ok djm
20130517
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2013/03/07 00:20:34
[regress/proxy-connect.sh]
repeat test with a style appended to the username
- dtucker@cvs.openbsd.org 2013/03/23 11:09:43
[regress/test-exec.sh]
Only regenerate host keys if they don't exist or if ssh-keygen has changed
since they were. Reduces test runtime by 5-30% depending on machine
speed.
- dtucker@cvs.openbsd.org 2013/04/06 06:00:22
[regress/rekey.sh regress/test-exec.sh regress/integrity.sh
regress/multiplex.sh Makefile regress/cfgmatch.sh]
Split the regress log into 3 parts: the debug output from ssh, the debug
log from sshd and the output from the client command (ssh, scp or sftp).
Somewhat functional now, will become more useful when ssh/sshd -E is added.
- dtucker@cvs.openbsd.org 2013/04/07 02:16:03
[regress/Makefile regress/rekey.sh regress/integrity.sh
regress/sshd-log-wrapper.sh regress/forwarding.sh regress/test-exec.sh]
use -E option for ssh and sshd to write debuging logs to ssh{,d}.log and
save the output from any failing tests. If a test fails the debug output
from ssh and sshd for the failing tests (and only the failing tests) should
be available in failed-ssh{,d}.log.
- djm@cvs.openbsd.org 2013/04/18 02:46:12
[regress/Makefile regress/sftp-chroot.sh]
test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@
- dtucker@cvs.openbsd.org 2013/04/22 07:23:08
[regress/multiplex.sh]
Write mux master logs to regress.log instead of ssh.log to keep separate
- djm@cvs.openbsd.org 2013/05/10 03:46:14
[regress/modpipe.c]
sync some portability changes from portable OpenSSH (id sync only)
- dtucker@cvs.openbsd.org 2013/05/16 02:10:35
[regress/rekey.sh]
Add test for time-based rekeying
- dtucker@cvs.openbsd.org 2013/05/16 03:33:30
[regress/rekey.sh]
test rekeying when there's no data being transferred
- dtucker@cvs.openbsd.org 2013/05/16 04:26:10
[regress/rekey.sh]
add server-side rekey test
- dtucker@cvs.openbsd.org 2013/05/16 05:48:31
[regress/rekey.sh]
add tests for RekeyLimit parsing
- dtucker@cvs.openbsd.org 2013/05/17 00:37:40
[regress/agent.sh regress/keytype.sh regress/cfgmatch.sh
regress/forcecommand.sh regress/proto-version.sh regress/test-exec.sh
regress/cipher-speed.sh regress/cert-hostkey.sh regress/cert-userkey.sh
regress/ssh-com.sh]
replace 'echo -n' with 'printf' since it's more portable
also remove "echon" hack.
- dtucker@cvs.openbsd.org 2013/05/17 01:16:09
[regress/agent-timeout.sh]
Pull back some portability changes from -portable:
- TIMEOUT is a read-only variable in some shells
- not all greps have -q so redirect to /dev/null instead.
(ID sync only)
- dtucker@cvs.openbsd.org 2013/05/17 01:32:11
[regress/integrity.sh]
don't print output from ssh before getting it (it's available in ssh.log)
- dtucker@cvs.openbsd.org 2013/05/17 04:29:14
[regress/sftp.sh regress/putty-ciphers.sh regress/cipher-speed.sh
regress/test-exec.sh regress/sftp-batch.sh regress/dynamic-forward.sh
regress/putty-transfer.sh regress/conch-ciphers.sh regress/sftp-cmds.sh
regress/scp.sh regress/ssh-com-sftp.sh regress/rekey.sh
regress/putty-kex.sh regress/stderr-data.sh regress/stderr-after-eof.sh
regress/sftp-badcmds.sh regress/reexec.sh regress/ssh-com-client.sh
regress/sftp-chroot.sh regress/forwarding.sh regress/transfer.sh
regress/multiplex.sh]
Move the setting of DATA and COPY into test-exec.sh
- dtucker@cvs.openbsd.org 2013/05/17 10:16:26
[regress/try-ciphers.sh]
use expr for math to keep diffs vs portable down
(id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:23:52
[regress/login-timeout.sh regress/reexec.sh regress/test-exec.sh]
Use SUDO when cat'ing pid files and running the sshd log wrapper so that
it works with a restrictive umask and the pid files are not world readable.
Changes from -portable. (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:24:48
[regress/localcommand.sh]
use backticks for portability. (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:26:26
[regress/sftp-badcmds.sh]
remove unused BATCH variable. (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:28:11
[regress/sftp.sh]
only compare copied data if sftp succeeds. from portable (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:30:07
[regress/test-exec.sh]
wait a bit longer for startup and use case for absolute path.
from portable (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:33:09
[regress/agent-getpeereid.sh]
don't redirect stdout from sudo. from portable (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:34:30
[regress/portnum.sh]
use a more portable negated if structure. from portable (id sync only)
- dtucker@cvs.openbsd.org 2013/05/17 10:35:43
[regress/scp.sh]
use a file extention that's not special on some platforms. from portable
(id sync only)
- (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it
in portable and it's long gone in openbsd.
- (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange
methods. When the openssl version doesn't support ECDH then next one on
the list is DH group exchange, but that causes a bit more traffic which can
mean that the tests flip bits in the initial exchange rather than the MACed
traffic and we get different errors to what the tests look for.
- (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits.
- (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd.
- (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd.
- (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh]
Move the jot helper function to portable-specific part of test-exec.sh.
- (dtucker) [regress/test-exec.sh] Move the portable-specific functions
together and add a couple of missing lines from openbsd.
- (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5
helper function to the portable part of test-exec.sh.
- (dtucker) [regress/runtests.sh] Remove obsolete test driver script.
- (dtucker) [regress/cfgmatch.sh] Remove unneeded sleep renderd obsolete by
rev 1.6 which calls wait.
20130516
- (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
executed if mktemp failed; bz#2105 ok dtucker@
- (dtucker) OpenBSD CVS Sync
- tedu@cvs.openbsd.org 2013/04/23 17:49:45
[misc.c]
use xasprintf instead of a series of strlcats and strdup. ok djm
- tedu@cvs.openbsd.org 2013/04/24 16:01:46
[misc.c]
remove extra parens noticed by nicm
- dtucker@cvs.openbsd.org 2013/05/06 07:35:12
[sftp-server.8]
Reference the version of the sftp draft we actually implement. ok djm@
- djm@cvs.openbsd.org 2013/05/10 03:40:07
[sshconnect2.c]
fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from
Colin Watson
- djm@cvs.openbsd.org 2013/05/10 04:08:01
[key.c]
memleak in cert_free(), wasn't actually freeing the struct;
bz#2096 from shm AT digitalsun.pl
- dtucker@cvs.openbsd.org 2013/05/10 10:13:50
[ssh-pkcs11-helper.c]
remove unused extern optarg. ok markus@
- dtucker@cvs.openbsd.org 2013/05/16 02:00:34
[ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c
ssh_config.5 packet.h]
Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm
- dtucker@cvs.openbsd.org 2013/05/16 04:09:14
[sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config
sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing
rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man
page.
- djm@cvs.openbsd.org 2013/05/16 04:27:50
[ssh_config.5 readconf.h readconf.c]
add the ability to ignore specific unrecognised ssh_config options;
bz#866; ok markus@
- jmc@cvs.openbsd.org 2013/05/16 06:28:45
[ssh_config.5]
put IgnoreUnknown in the right place;
- jmc@cvs.openbsd.org 2013/05/16 06:30:06
[sshd_config.5]
oops! avoid Xr to self;
- dtucker@cvs.openbsd.org 2013/05/16 09:08:41
[log.c scp.c sshd.c serverloop.c schnorr.c sftp.c]
Fix some "unused result" warnings found via clang and -portable.
ok markus@
- dtucker@cvs.openbsd.org 2013/05/16 09:12:31
[readconf.c servconf.c]
switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@
- dtucker@cvs.openbsd.org 2013/05/16 10:43:34
[servconf.c readconf.c]
remove now-unused variables
- dtucker@cvs.openbsd.org 2013/05/16 10:44:06
[servconf.c]
remove another now-unused variable
- (dtucker) [configure.ac readconf.c servconf.c
openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled.
20130510
- (djm) OpenBSD CVS Cherrypick
- (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler
supports it. Mentioned by Colin Watson in bz#2100, ok djm.
- (dtucker) [openbsd-compat/getopt.c] Factor out portibility changes to
getopt.c. Preprocessed source is identical other than line numbers.
- (dtucker) [openbsd-compat/getopt_long.c] Import from OpenBSD. No
portability changes yet.
- (dtucker) [openbsd-compat/Makefile.in openbsd-compat/getopt.c
openbsd-compat/getopt_long.c regress/modpipe.c] Remove getopt.c, add
portability code to getopt_long.c and switch over Makefile and the ugly
hack in modpipe.c. Fixes bz#1448.
- (dtucker) [openbsd-compat/getopt.h openbsd-compat/getopt_long.c
openbsd-compat/openbsd-compat.h] pull in getopt.h from openbsd and plumb
in to use it when we're using our own getopt.
- (dtucker) [kex.c] Only include sha256 and ECC key exchange methods when the
underlying libraries support them.
- (dtucker) [configure.ac] Add -Werror to the -Qunused-arguments test so
we don't get a warning on compilers that *don't* support it. Add
-Wno-unknown-warning-option. Move both to the start of the list for
maximum noise suppression. Tested with gcc 4.6.3, gcc 2.95.4 and clang 2.9.
20130423
- (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support
platforms, such as Android, that lack struct passwd.pw_gecos. Report
and initial patch from Nathan Osman bz#2086; feedback tim@ ok dtucker@
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2013/03/05 20:16:09
[sshconnect2.c]
reset pubkey order on partial success; ok djm@
- djm@cvs.openbsd.org 2013/03/06 23:35:23
[session.c]
fatal() when ChrootDirectory specified by running without root privileges;
ok markus@
- djm@cvs.openbsd.org 2013/03/06 23:36:53
[readconf.c]
g/c unused variable (-Wunused)
- djm@cvs.openbsd.org 2013/03/07 00:19:59
[auth2-pubkey.c monitor.c]
reconstruct the original username that was sent by the client, which may
have included a style (e.g. "root:skey") when checking public key
signatures. Fixes public key and hostbased auth when the client specified
a style; ok markus@
- markus@cvs.openbsd.org 2013/03/07 19:27:25
[auth.h auth2-chall.c auth2.c monitor.c sshd_config.5]
add submethod support to AuthenticationMethods; ok and freedback djm@
- djm@cvs.openbsd.org 2013/03/08 06:32:58
[ssh.c]
allow "ssh -f none ..." ok markus@
- djm@cvs.openbsd.org 2013/04/05 00:14:00
[auth2-gss.c krl.c sshconnect2.c]
hush some {unused, printf type} warnings
- djm@cvs.openbsd.org 2013/04/05 00:31:49
[pathnames.h]
use the existing _PATH_SSH_USER_RC define to construct the other
pathnames; bz#2077, ok dtucker@ (no binary change)
- djm@cvs.openbsd.org 2013/04/05 00:58:51
[mux.c]
cleanup mux-created channels that are in SSH_CHANNEL_OPENING state too
(in addition to ones already in OPEN); bz#2079, ok dtucker@
- markus@cvs.openbsd.org 2013/04/06 16:07:00
[channels.c sshd.c]
handle ECONNABORTED for accept(); ok deraadt some time ago...
- dtucker@cvs.openbsd.org 2013/04/07 02:10:33
[log.c log.h ssh.1 ssh.c sshd.8 sshd.c]
Add -E option to ssh and sshd to append debugging logs to a specified file
instead of stderr or syslog. ok markus@, man page help jmc@
- dtucker@cvs.openbsd.org 2013/04/07 09:40:27
[sshd.8]
clarify -e text. suggested by & ok jmc@
- djm@cvs.openbsd.org 2013/04/11 02:27:50
[packet.c]
quiet disconnect notifications on the server from error() back to logit()
if it is a normal client closure; bz#2057 ok+feedback dtucker@
- (djm) [version.h contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Crank version numbers for release.
- dtucker@cvs.openbsd.org 2013/04/17 09:04:09
[session.c]
revert rev 1.262; it fails because uid is already set here. ok djm@
- djm@cvs.openbsd.org 2013/04/18 02:16:07
[sftp.c]
make "sftp -q" do what it says on the sticker: hush everything but errors;
ok dtucker@
- djm@cvs.openbsd.org 2013/04/19 01:00:10
[sshd_config.5]
document the requirment that the AuthorizedKeysCommand be owned by root;
ok dtucker@ markus@
- djm@cvs.openbsd.org 2013/04/19 01:01:00
[ssh-keygen.c]
fix some memory leaks; bz#2088 ok dtucker@
- djm@cvs.openbsd.org 2013/04/19 01:03:01
[session.c]
reintroduce 1.262 without the connection-killing bug:
fatal() when ChrootDirectory specified by running without root privileges;
ok markus@
- djm@cvs.openbsd.org 2013/04/19 01:06:50
[authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c]
[key.c key.h mac.c mac.h packet.c ssh.1 ssh.c]
add the ability to query supported ciphers, MACs, key type and KEX
algorithms to ssh. Includes some refactoring of KEX and key type handling
to be table-driven; ok markus@
- djm@cvs.openbsd.org 2013/04/19 11:10:18
[ssh.c]
add -Q to usage; reminded by jmc@
- djm@cvs.openbsd.org 2013/04/19 12:07:08
[kex.c]
remove duplicated list entry pointed out by naddy@
- dtucker@cvs.openbsd.org 2013/04/22 01:17:18
[mux.c]
typo in debug output: evitval->exitval
20130418
- (djm) [config.guess config.sub] Update to last versions before they switch
to GPL3. ok dtucker@
- (dtucker) [configure.ac] Use -Qunused-arguments to suppress warnings from
unused argument warnings (in particular, -fno-builtin-memset) from clang.
20130404
- (dtucker) OpenBSD CVS Sync
@ -34,10 +651,16 @@
to avoid conflicting definitions of __int64, adding the required bits.
Patch from Corinna Vinschen.
20120323
- (tim) [Makefile.in] remove some duplication introduced in 20130220 commit.
20120322
- (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil
Hands' greatly revised version.
- (djm) Release 6.2p1
- (dtucker) [configure.ac] Add stdlib.h to zlib check for exit() prototype.
- (dtucker) [includes.h] Check if _GNU_SOURCE is already defined before
defining it again. Prevents warnings if someone, eg, sets it in CFLAGS.
20120318
- (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c]

4
crypto/openssh/README
View File

@ -1,4 +1,4 @@
See http://www.openssh.com/txt/release-6.2p2 for the release notes.
See http://www.openssh.com/txt/release-6.3 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@ -62,4 +62,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
$Id: README,v 1.82.2.1 2013/05/10 06:12:54 djm Exp $
$Id: README,v 1.83 2013/07/25 02:34:00 djm Exp $

13
crypto/openssh/aclocal.m4 vendored
View File

@ -1,4 +1,4 @@
dnl $Id: aclocal.m4,v 1.8 2011/05/20 01:45:25 djm Exp $
dnl $Id: aclocal.m4,v 1.9 2013/06/02 21:31:27 tim Exp $
dnl
dnl OpenSSH-specific autoconf macros
dnl
@ -14,8 +14,15 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
_define_flag="$2"
test "x$_define_flag" = "x" && _define_flag="$1"
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
[ AC_MSG_RESULT([yes])
CFLAGS="$saved_CFLAGS $_define_flag"],
[
if `grep -i "unrecognized option" conftest.err >/dev/null`
then
AC_MSG_RESULT([no])
CFLAGS="$saved_CFLAGS"
else
AC_MSG_RESULT([yes])
CFLAGS="$saved_CFLAGS $_define_flag"
fi],
[ AC_MSG_RESULT([no])
CFLAGS="$saved_CFLAGS" ]
)

6
crypto/openssh/addrmatch.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: addrmatch.c,v 1.6 2012/06/21 00:16:07 dtucker Exp $ */
/* $OpenBSD: addrmatch.c,v 1.7 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
@ -420,7 +420,7 @@ addr_match_list(const char *addr, const char *_list)
goto foundit;
}
}
xfree(o);
free(o);
return ret;
}
@ -494,7 +494,7 @@ addr_match_cidr_list(const char *addr, const char *_list)
continue;
}
}
xfree(o);
free(o);
return ret;
}

22
crypto/openssh/auth-chall.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-chall.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */
/* $OpenBSD: auth-chall.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -69,11 +69,11 @@ get_challenge(Authctxt *authctxt)
fatal("get_challenge: numprompts < 1");
challenge = xstrdup(prompts[0]);
for (i = 0; i < numprompts; i++)
xfree(prompts[i]);
xfree(prompts);
xfree(name);
xfree(echo_on);
xfree(info);
free(prompts[i]);
free(prompts);
free(name);
free(echo_on);
free(info);
return (challenge);
}
@ -102,11 +102,11 @@ verify_response(Authctxt *authctxt, const char *response)
authenticated = 1;
for (i = 0; i < numprompts; i++)
xfree(prompts[i]);
xfree(prompts);
xfree(name);
xfree(echo_on);
xfree(info);
free(prompts[i]);
free(prompts);
free(name);
free(echo_on);
free(info);
break;
}
device->free_ctx(authctxt->kbdintctxt);

27
crypto/openssh/auth-krb5.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */
/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
/*
* Kerberos v5 authentication and ticket-passing routines.
*
@ -79,6 +79,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
krb5_ccache ccache = NULL;
int len;
char *client, *platform_client;
const char *errmsg;
/* get platform-specific kerberos client principal name (if it exists) */
platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
@ -96,7 +97,12 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
goto out;
#ifdef HEIMDAL
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
problem = krb5_cc_new_unique(authctxt->krb5_ctx,
krb5_mcc_ops.prefix, NULL, &ccache);
# else
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
# endif
if (problem)
goto out;
@ -115,8 +121,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
if (problem)
goto out;
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
problem = krb5_cc_new_unique(authctxt->krb5_ctx,
krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
# else
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
&authctxt->krb5_fwd_ccache);
# endif
if (problem)
goto out;
@ -181,17 +192,19 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
out:
restore_uid();
if (platform_client != NULL)
xfree(platform_client);
free(platform_client);
if (problem) {
if (ccache)
krb5_cc_destroy(authctxt->krb5_ctx, ccache);
if (authctxt->krb5_ctx != NULL && problem!=-1)
debug("Kerberos password authentication failed: %s",
krb5_get_err_text(authctxt->krb5_ctx, problem));
else
if (authctxt->krb5_ctx != NULL && problem!=-1) {
errmsg = krb5_get_error_message(authctxt->krb5_ctx,
problem);
debug("Kerberos password authentication failed: %s",
errmsg);
krb5_free_error_message(authctxt->krb5_ctx, errmsg);
} else
debug("Kerberos password authentication failed: %d",
problem);

66
crypto/openssh/auth-options.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */
/* $OpenBSD: auth-options.c,v 1.59 2013/07/12 00:19:58 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -72,15 +72,15 @@ auth_clear_options(void)
while (custom_environment) {
struct envstring *ce = custom_environment;
custom_environment = ce->next;
xfree(ce->s);
xfree(ce);
free(ce->s);
free(ce);
}
if (forced_command) {
xfree(forced_command);
free(forced_command);
forced_command = NULL;
}
if (authorized_principals) {
xfree(authorized_principals);
free(authorized_principals);
authorized_principals = NULL;
}
forced_tun_device = -1;
@ -149,7 +149,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
opts += strlen(cp);
if (forced_command != NULL)
xfree(forced_command);
free(forced_command);
forced_command = xmalloc(strlen(opts) + 1);
i = 0;
while (*opts) {
@ -167,7 +167,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
file, linenum);
auth_debug_add("%.100s, line %lu: missing end quote",
file, linenum);
xfree(forced_command);
free(forced_command);
forced_command = NULL;
goto bad_option;
}
@ -180,7 +180,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
opts += strlen(cp);
if (authorized_principals != NULL)
xfree(authorized_principals);
free(authorized_principals);
authorized_principals = xmalloc(strlen(opts) + 1);
i = 0;
while (*opts) {
@ -198,7 +198,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
file, linenum);
auth_debug_add("%.100s, line %lu: missing end quote",
file, linenum);
xfree(authorized_principals);
free(authorized_principals);
authorized_principals = NULL;
goto bad_option;
}
@ -232,7 +232,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
file, linenum);
auth_debug_add("%.100s, line %lu: missing end quote",
file, linenum);
xfree(s);
free(s);
goto bad_option;
}
s[i] = '\0';
@ -269,7 +269,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
file, linenum);
auth_debug_add("%.100s, line %lu: missing end quote",
file, linenum);
xfree(patterns);
free(patterns);
goto bad_option;
}
patterns[i] = '\0';
@ -277,7 +277,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
switch (match_host_and_ip(remote_host, remote_ip,
patterns)) {
case 1:
xfree(patterns);
free(patterns);
/* Host name matches. */
goto next_option;
case -1:
@ -287,7 +287,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
"invalid criteria", file, linenum);
/* FALLTHROUGH */
case 0:
xfree(patterns);
free(patterns);
logit("Authentication tried for %.100s with "
"correct key but not from a permitted "
"host (host=%.200s, ip=%.200s).",
@ -323,7 +323,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
file, linenum);
auth_debug_add("%.100s, line %lu: missing "
"end quote", file, linenum);
xfree(patterns);
free(patterns);
goto bad_option;
}
patterns[i] = '\0';
@ -337,7 +337,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
auth_debug_add("%.100s, line %lu: "
"Bad permitopen specification", file,
linenum);
xfree(patterns);
free(patterns);
goto bad_option;
}
host = cleanhostname(host);
@ -346,12 +346,12 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
"<%.100s>", file, linenum, p ? p : "");
auth_debug_add("%.100s, line %lu: "
"Bad permitopen port", file, linenum);
xfree(patterns);
free(patterns);
goto bad_option;
}
if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
channel_add_permitted_opens(host, port);
xfree(patterns);
free(patterns);
goto next_option;
}
cp = "tunnel=\"";
@ -370,13 +370,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
file, linenum);
auth_debug_add("%.100s, line %lu: missing end quote",
file, linenum);
xfree(tun);
free(tun);
forced_tun_device = -1;
goto bad_option;
}
tun[i] = '\0';
forced_tun_device = a2tun(tun, NULL);
xfree(tun);
free(tun);
if (forced_tun_device == SSH_TUNID_ERR) {
debug("%.100s, line %lu: invalid tun device",
file, linenum);
@ -432,7 +432,8 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
{
char *command, *allowed;
const char *remote_ip;
u_char *name = NULL, *data_blob = NULL;
char *name = NULL;
u_char *data_blob = NULL;
u_int nlen, dlen, clen;
Buffer c, data;
int ret = -1, found;
@ -484,7 +485,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
if (*cert_forced_command != NULL) {
error("Certificate has multiple "
"force-command options");
xfree(command);
free(command);
goto out;
}
*cert_forced_command = command;
@ -500,7 +501,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
if ((*cert_source_address_done)++) {
error("Certificate has multiple "
"source-address options");
xfree(allowed);
free(allowed);
goto out;
}
remote_ip = get_remote_ipaddr();
@ -508,7 +509,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
allowed)) {
case 1:
/* accepted */
xfree(allowed);
free(allowed);
break;
case 0:
/* no match */
@ -521,12 +522,12 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
"is not permitted to use this "
"certificate for login.",
remote_ip);
xfree(allowed);
free(allowed);
goto out;
case -1:
error("Certificate source-address "
"contents invalid");
xfree(allowed);
free(allowed);
goto out;
}
found = 1;
@ -548,9 +549,10 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
goto out;
}
buffer_clear(&data);
xfree(name);
xfree(data_blob);
name = data_blob = NULL;
free(name);
free(data_blob);
name = NULL;
data_blob = NULL;
}
/* successfully parsed all options */
ret = 0;
@ -559,13 +561,13 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
if (ret != 0 &&
cert_forced_command != NULL &&
*cert_forced_command != NULL) {
xfree(*cert_forced_command);
free(*cert_forced_command);
*cert_forced_command = NULL;
}
if (name != NULL)
xfree(name);
free(name);
if (data_blob != NULL)
xfree(data_blob);
free(data_blob);
buffer_free(&data);
buffer_free(&c);
return ret;
@ -627,7 +629,7 @@ auth_cert_options(Key *k, struct passwd *pw)
/* CA-specified forced command supersedes key option */
if (cert_forced_command != NULL) {
if (forced_command != NULL)
xfree(forced_command);
free(forced_command);
forced_command = cert_forced_command;
}
return 0;

44
crypto/openssh/auth-pam.c
View File

@ -412,10 +412,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
fail:
for(i = 0; i < n; i++) {
if (reply[i].resp != NULL)
xfree(reply[i].resp);
free(reply[i].resp);
}
xfree(reply);
free(reply);
buffer_free(&buffer);
return (PAM_CONV_ERR);
}
@ -586,10 +585,9 @@ sshpam_store_conv(int n, sshpam_const struct pam_message **msg,
fail:
for(i = 0; i < n; i++) {
if (reply[i].resp != NULL)
xfree(reply[i].resp);
free(reply[i].resp);
}
xfree(reply);
free(reply);
return (PAM_CONV_ERR);
}
@ -693,7 +691,7 @@ sshpam_init_ctx(Authctxt *authctxt)
/* Start the authentication thread */
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
error("PAM: failed create sockets: %s", strerror(errno));
xfree(ctxt);
free(ctxt);
return (NULL);
}
ctxt->pam_psock = socks[0];
@ -703,7 +701,7 @@ sshpam_init_ctx(Authctxt *authctxt)
strerror(errno));
close(socks[0]);
close(socks[1]);
xfree(ctxt);
free(ctxt);
return (NULL);
}
cleanup_ctxt = ctxt;
@ -742,7 +740,7 @@ sshpam_query(void *ctx, char **name, char **info,
strlcpy(**prompts + plen, msg, len - plen);
plen += mlen;
**echo_on = (type == PAM_PROMPT_ECHO_ON);
xfree(msg);
free(msg);
return (0);
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
@ -753,7 +751,7 @@ sshpam_query(void *ctx, char **name, char **info,
plen += mlen;
strlcat(**prompts + plen, "\n", len - plen);
plen++;
xfree(msg);
free(msg);
break;
case PAM_ACCT_EXPIRED:
sshpam_account_status = 0;
@ -766,7 +764,7 @@ sshpam_query(void *ctx, char **name, char **info,
*num = 0;
**echo_on = 0;
ctxt->pam_done = -1;
xfree(msg);
free(msg);
return 0;
}
/* FALLTHROUGH */
@ -776,7 +774,7 @@ sshpam_query(void *ctx, char **name, char **info,
debug("PAM: %s", **prompts);
buffer_append(&loginmsg, **prompts,
strlen(**prompts));
xfree(**prompts);
free(**prompts);
**prompts = NULL;
}
if (type == PAM_SUCCESS) {
@ -790,7 +788,7 @@ sshpam_query(void *ctx, char **name, char **info,
*num = 0;
**echo_on = 0;
ctxt->pam_done = 1;
xfree(msg);
free(msg);
return (0);
}
error("PAM: %s for %s%.100s from %.100s", msg,
@ -801,7 +799,7 @@ sshpam_query(void *ctx, char **name, char **info,
default:
*num = 0;
**echo_on = 0;
xfree(msg);
free(msg);
ctxt->pam_done = -1;
return (-1);
}
@ -852,7 +850,7 @@ sshpam_free_ctx(void *ctxtp)
debug3("PAM: %s entering", __func__);
sshpam_thread_cleanup();
xfree(ctxt);
free(ctxt);
/*
* We don't call sshpam_cleanup() here because we may need the PAM
* handle at a later stage, e.g. when setting up a session. It's
@ -1006,10 +1004,9 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
fail:
for(i = 0; i < n; i++) {
if (reply[i].resp != NULL)
xfree(reply[i].resp);
free(reply[i].resp);
}
xfree(reply);
free(reply);
return (PAM_CONV_ERR);
}
@ -1081,7 +1078,7 @@ do_pam_putenv(char *name, char *value)
snprintf(compound, len, "%s=%s", name, value);
ret = pam_putenv(sshpam_handle, compound);
xfree(compound);
free(compound);
#endif
return (ret);
@ -1108,8 +1105,8 @@ free_pam_environment(char **env)
return;
for (envp = env; *envp; envp++)
xfree(*envp);
xfree(env);
free(*envp);
free(env);
}
/*
@ -1165,10 +1162,9 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
fail:
for(i = 0; i < n; i++) {
if (reply[i].resp != NULL)
xfree(reply[i].resp);
free(reply[i].resp);
}
xfree(reply);
free(reply);
return (PAM_CONV_ERR);
}

23
crypto/openssh/auth-rsa.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-rsa.c,v 1.81 2012/10/30 21:29:54 djm Exp $ */
/* $OpenBSD: auth-rsa.c,v 1.85 2013/07/12 00:19:58 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -164,9 +164,8 @@ static int
rsa_key_allowed_in_file(struct passwd *pw, char *file,
const BIGNUM *client_n, Key **rkey)
{
char line[SSH_MAX_PUBKEY_BYTES];
int allowed = 0;
u_int bits;
char *fp, line[SSH_MAX_PUBKEY_BYTES];
int allowed = 0, bits;
FILE *f;
u_long linenum = 0;
Key *key;
@ -227,11 +226,16 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
/* check the real bits */
keybits = BN_num_bits(key->rsa->n);
if (keybits < 0 || bits != (u_int)keybits)
if (keybits < 0 || bits != keybits)
logit("Warning: %s, line %lu: keysize mismatch: "
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
debug("matching key found: file %s, line %lu %s %s",
file, linenum, key_type(key), fp);
free(fp);
/* Never accept a revoked key */
if (auth_key_is_revoked(key))
break;
@ -281,7 +285,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
file = expand_authorized_keys(
options.authorized_keys_files[i], pw);
allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
xfree(file);
free(file);
}
restore_uid();
@ -298,7 +302,6 @@ int
auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
{
Key *key;
char *fp;
struct passwd *pw = authctxt->pw;
/* no user given */
@ -328,11 +331,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
* options; this will be reset if the options cause the
* authentication to be rejected.
*/
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
verbose("Found matching %s key: %s",
key_type(key), fp);
xfree(fp);
key_free(key);
pubkey_auth_info(authctxt, key, NULL);
packet_send_debug("RSA authentication accepted.");
return (1);

48
crypto/openssh/auth.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */
/* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -73,6 +73,7 @@ __RCSID("$FreeBSD$");
#include "authfile.h"
#include "monitor_wrap.h"
#include "krl.h"
#include "compat.h"
/* import */
extern ServerOptions options;
@ -166,17 +167,17 @@ allowed_user(struct passwd * pw)
if (stat(shell, &st) != 0) {
logit("User %.100s not allowed because shell %.100s "
"does not exist", pw->pw_name, shell);
xfree(shell);
free(shell);
return 0;
}
if (S_ISREG(st.st_mode) == 0 ||
(st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
logit("User %.100s not allowed because shell %.100s "
"is not executable", pw->pw_name, shell);
xfree(shell);
free(shell);
return 0;
}
xfree(shell);
free(shell);
}
if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
@ -252,9 +253,26 @@ allowed_user(struct passwd * pw)
return 1;
}
void
auth_info(Authctxt *authctxt, const char *fmt, ...)
{
va_list ap;
int i;
free(authctxt->info);
authctxt->info = NULL;
va_start(ap, fmt);
i = vasprintf(&authctxt->info, fmt, ap);
va_end(ap);
if (i < 0 || authctxt->info == NULL)
fatal("vasprintf failed");
}
void
auth_log(Authctxt *authctxt, int authenticated, int partial,
const char *method, const char *submethod, const char *info)
const char *method, const char *submethod)
{
void (*authlog) (const char *fmt,...) = verbose;
char *authmsg;
@ -276,7 +294,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
else
authmsg = authenticated ? "Accepted" : "Failed";
authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
authmsg,
method,
submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
@ -284,7 +302,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
authctxt->user,
get_remote_ipaddr(),
get_remote_port(),
info);
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
free(authctxt->info);
authctxt->info = NULL;
#ifdef CUSTOM_FAILED_LOGIN
if (authenticated == 0 && !authctxt->postponed &&
@ -356,7 +378,7 @@ expand_authorized_keys(const char *filename, struct passwd *pw)
i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
if (i < 0 || (size_t)i >= sizeof(ret))
fatal("expand_authorized_keys: path too long");
xfree(file);
free(file);
return (xstrdup(ret));
}
@ -398,7 +420,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
load_hostkeys(hostkeys, host, user_hostfile);
restore_uid();
}
xfree(user_hostfile);
free(user_hostfile);
}
host_status = check_key_in_hostkeys(hostkeys, key, &found);
if (host_status == HOST_REVOKED)
@ -667,7 +689,7 @@ auth_key_is_revoked(Key *key)
key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
error("WARNING: authentication attempt with a revoked "
"%s key %s ", key_type(key), key_fp);
xfree(key_fp);
free(key_fp);
return 1;
}
fatal("key_in_file returned junk");
@ -698,7 +720,7 @@ auth_debug_send(void)
while (buffer_len(&auth_debug)) {
msg = buffer_get_string(&auth_debug, NULL);
packet_send_debug("%s", msg);
xfree(msg);
free(msg);
}
}
@ -722,10 +744,12 @@ fakepw(void)
fake.pw_name = "NOUSER";
fake.pw_passwd =
"$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
fake.pw_gecos = "NOUSER";
#endif
fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
#ifdef HAVE_PW_CLASS_IN_PASSWD
#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
fake.pw_class = "";
#endif
fake.pw_dir = "/nonexist";

16
crypto/openssh/auth.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.72 2012/12/02 20:34:09 djm Exp $ */
/* $OpenBSD: auth.h,v 1.76 2013/07/19 07:37:48 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -60,6 +60,7 @@ struct Authctxt {
struct passwd *pw; /* set if 'valid' */
char *style;
void *kbdintctxt;
char *info; /* Extra info for next auth_log */
void *jpake_ctx;
#ifdef BSD_AUTH
auth_session_t *as;
@ -121,6 +122,8 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
int user_key_allowed(struct passwd *, Key *);
void pubkey_auth_info(Authctxt *, const Key *, const char *, ...)
__attribute__((__format__ (printf, 3, 4)));
struct stat;
int auth_secure_path(const char *, struct stat *, const char *, uid_t,
@ -148,8 +151,10 @@ void disable_forwarding(void);
void do_authentication(Authctxt *);
void do_authentication2(Authctxt *);
void auth_log(Authctxt *, int, int, const char *, const char *,
const char *);
void auth_info(Authctxt *authctxt, const char *, ...)
__attribute__((__format__ (printf, 2, 3)))
__attribute__((__nonnull__ (2)));
void auth_log(Authctxt *, int, int, const char *, const char *);
void userauth_finish(Authctxt *, int, const char *, const char *);
int auth_root_allowed(const char *);
@ -157,8 +162,9 @@ void userauth_send_banner(const char *);
char *auth2_read_banner(void);
int auth2_methods_valid(const char *, int);
int auth2_update_methods_lists(Authctxt *, const char *);
int auth2_update_methods_lists(Authctxt *, const char *, const char *);
int auth2_setup_methods_lists(Authctxt *);
int auth2_method_allowed(Authctxt *, const char *, const char *);
void privsep_challenge_enable(void);
@ -192,10 +198,12 @@ check_key_in_hostfiles(struct passwd *, Key *, const char *,
/* hostkey handling */
Key *get_hostkey_by_index(int);
Key *get_hostkey_public_by_index(int);
Key *get_hostkey_public_by_type(int);
Key *get_hostkey_private_by_type(int);
int get_hostkey_index(Key *);
int ssh1_session_key(BIGNUM *);
void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int);
/* debug messages during authentication */
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));

47
crypto/openssh/auth1.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth1.c,v 1.77 2012/12/02 20:34:09 djm Exp $ */
/* $OpenBSD: auth1.c,v 1.79 2013/05/19 02:42:42 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -45,11 +45,11 @@
extern ServerOptions options;
extern Buffer loginmsg;
static int auth1_process_password(Authctxt *, char *, size_t);
static int auth1_process_rsa(Authctxt *, char *, size_t);
static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t);
static int auth1_process_tis_challenge(Authctxt *, char *, size_t);
static int auth1_process_tis_response(Authctxt *, char *, size_t);
static int auth1_process_password(Authctxt *);
static int auth1_process_rsa(Authctxt *);
static int auth1_process_rhosts_rsa(Authctxt *);
static int auth1_process_tis_challenge(Authctxt *);
static int auth1_process_tis_response(Authctxt *);
static char *client_user = NULL; /* Used to fill in remote user for PAM */
@ -57,7 +57,7 @@ struct AuthMethod1 {
int type;
char *name;
int *enabled;
int (*method)(Authctxt *, char *, size_t);
int (*method)(Authctxt *);
};
const struct AuthMethod1 auth1_methods[] = {
@ -112,7 +112,7 @@ get_authname(int type)
/*ARGSUSED*/
static int
auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
auth1_process_password(Authctxt *authctxt)
{
int authenticated = 0;
char *password;
@ -130,14 +130,14 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
authenticated = PRIVSEP(auth_password(authctxt, password));
memset(password, 0, dlen);
xfree(password);
free(password);
return (authenticated);
}
/*ARGSUSED*/
static int
auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
auth1_process_rsa(Authctxt *authctxt)
{
int authenticated = 0;
BIGNUM *n;
@ -155,7 +155,7 @@ auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
/*ARGSUSED*/
static int
auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
auth1_process_rhosts_rsa(Authctxt *authctxt)
{
int keybits, authenticated = 0;
u_int bits;
@ -187,14 +187,14 @@ auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
client_host_key);
key_free(client_host_key);
snprintf(info, infolen, " ruser %.100s", client_user);
auth_info(authctxt, "ruser %.100s", client_user);
return (authenticated);
}
/*ARGSUSED*/
static int
auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
auth1_process_tis_challenge(Authctxt *authctxt)
{
char *challenge;
@ -204,7 +204,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
debug("sending challenge '%s'", challenge);
packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
packet_put_cstring(challenge);
xfree(challenge);
free(challenge);
packet_send();
packet_write_wait();
@ -213,7 +213,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
/*ARGSUSED*/
static int
auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
auth1_process_tis_response(Authctxt *authctxt)
{
int authenticated = 0;
char *response;
@ -223,7 +223,7 @@ auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
packet_check_eom();
authenticated = verify_response(authctxt, response);
memset(response, 'r', dlen);
xfree(response);
free(response);
return (authenticated);
}
@ -236,7 +236,6 @@ static void
do_authloop(Authctxt *authctxt)
{
int authenticated = 0;
char info[1024];
int prev = 0, type = 0;
const struct AuthMethod1 *meth;
@ -254,7 +253,7 @@ do_authloop(Authctxt *authctxt)
#endif
{
auth_log(authctxt, 1, 0, "without authentication",
NULL, "");
NULL);
return;
}
}
@ -268,7 +267,6 @@ do_authloop(Authctxt *authctxt)
/* default to fail */
authenticated = 0;
info[0] = '\0';
/* Get a packet from the client. */
prev = type;
@ -298,7 +296,7 @@ do_authloop(Authctxt *authctxt)
goto skip;
}
authenticated = meth->method(authctxt, info, sizeof(info));
authenticated = meth->method(authctxt);
if (authenticated == -1)
continue; /* "postponed" */
@ -353,13 +351,10 @@ do_authloop(Authctxt *authctxt)
skip:
/* Log before sending the reply */
auth_log(authctxt, authenticated, 0, get_authname(type),
NULL, info);
auth_log(authctxt, authenticated, 0, get_authname(type), NULL);
if (client_user != NULL) {
xfree(client_user);
client_user = NULL;
}
free(client_user);
client_user = NULL;
if (authenticated)
return;

37
crypto/openssh/auth2-chall.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-chall.c,v 1.36 2012/12/03 00:14:06 djm Exp $ */
/* $OpenBSD: auth2-chall.c,v 1.38 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2001 Per Allansson. All rights reserved.
@ -147,15 +147,13 @@ kbdint_free(KbdintAuthctxt *kbdintctxt)
{
if (kbdintctxt->device)
kbdint_reset_device(kbdintctxt);
if (kbdintctxt->devices) {
xfree(kbdintctxt->devices);
kbdintctxt->devices = NULL;
}
xfree(kbdintctxt);
free(kbdintctxt->devices);
bzero(kbdintctxt, sizeof(*kbdintctxt));
free(kbdintctxt);
}
/* get next device */
static int
kbdint_next_device(KbdintAuthctxt *kbdintctxt)
kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
{
size_t len;
char *t;
@ -169,12 +167,16 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt)
if (len == 0)
break;
for (i = 0; devices[i]; i++)
for (i = 0; devices[i]; i++) {
if (!auth2_method_allowed(authctxt,
"keyboard-interactive", devices[i]->name))
continue;
if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
kbdintctxt->device = devices[i];
}
t = kbdintctxt->devices;
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
xfree(t);
free(t);
debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
kbdintctxt->devices : "<empty>");
} while (kbdintctxt->devices && !kbdintctxt->device);
@ -221,7 +223,7 @@ auth2_challenge_start(Authctxt *authctxt)
debug2("auth2_challenge_start: devices %s",
kbdintctxt->devices ? kbdintctxt->devices : "<empty>");
if (kbdint_next_device(kbdintctxt) == 0) {
if (kbdint_next_device(authctxt, kbdintctxt) == 0) {
auth2_challenge_stop(authctxt);
return 0;
}
@ -268,11 +270,11 @@ send_userauth_info_request(Authctxt *authctxt)
packet_write_wait();
for (i = 0; i < kbdintctxt->nreq; i++)
xfree(prompts[i]);
xfree(prompts);
xfree(echo_on);
xfree(name);
xfree(instr);
free(prompts[i]);
free(prompts);
free(echo_on);
free(name);
free(instr);
return 1;
}
@ -311,10 +313,9 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
for (i = 0; i < nresp; i++) {
memset(response[i], 'r', strlen(response[i]));
xfree(response[i]);
free(response[i]);
}
if (response)
xfree(response);
free(response);
switch (res) {
case 0:

20
crypto/openssh/auth2-gss.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -81,8 +81,7 @@ userauth_gssapi(Authctxt *authctxt)
do {
mechs--;
if (doid)
xfree(doid);
free(doid);
present = 0;
doid = packet_get_string(&len);
@ -101,7 +100,7 @@ userauth_gssapi(Authctxt *authctxt)
gss_release_oid_set(&ms, &supported);
if (!present) {
xfree(doid);
free(doid);
authctxt->server_caused_failure = 1;
return (0);
}
@ -109,7 +108,7 @@ userauth_gssapi(Authctxt *authctxt)
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
if (ctxt != NULL)
ssh_gssapi_delete_ctx(&ctxt);
xfree(doid);
free(doid);
authctxt->server_caused_failure = 1;
return (0);
}
@ -122,7 +121,7 @@ userauth_gssapi(Authctxt *authctxt)
packet_put_string(doid, len);
packet_send();
xfree(doid);
free(doid);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
@ -153,7 +152,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
&send_tok, &flags));
xfree(recv_tok.value);
free(recv_tok.value);
if (GSS_ERROR(maj_status)) {
if (send_tok.length != 0) {
@ -208,7 +207,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
&send_tok, NULL));
xfree(recv_tok.value);
free(recv_tok.value);
/* We can't return anything to the client, even if we wanted to */
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@ -229,14 +228,11 @@ static void
input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated;
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
fatal("No authentication or GSSAPI context");
gssctxt = authctxt->methoddata;
/*
* We don't need to check the status, because we're only enabled in
* the dispatcher once the exchange is complete
@ -284,7 +280,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
logit("GSSAPI MIC check failed");
buffer_free(&b);
xfree(mic.value);
free(mic.value);
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);

18
crypto/openssh/auth2-hostbased.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-hostbased.c,v 1.14 2010/08/04 05:42:47 djm Exp $ */
/* $OpenBSD: auth2-hostbased.c,v 1.16 2013/06/21 00:34:49 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -116,6 +116,10 @@ userauth_hostbased(Authctxt *authctxt)
#ifdef DEBUG_PK
buffer_dump(&b);
#endif
pubkey_auth_info(authctxt, key,
"client user \"%.100s\", client host \"%.100s\"", cuser, chost);
/* test for allowed key and correct signature */
authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
@ -128,11 +132,11 @@ userauth_hostbased(Authctxt *authctxt)
debug2("userauth_hostbased: authenticated %d", authenticated);
if (key != NULL)
key_free(key);
xfree(pkalg);
xfree(pkblob);
xfree(cuser);
xfree(chost);
xfree(sig);
free(pkalg);
free(pkblob);
free(cuser);
free(chost);
free(sig);
return authenticated;
}
@ -207,7 +211,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
verbose("Accepted %s public key %s from %s@%s",
key_type(key), fp, cuser, lookup);
}
xfree(fp);
free(fp);
}
return (host_status == HOST_OK);

24
crypto/openssh/auth2-jpake.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-jpake.c,v 1.5 2012/12/02 20:34:09 djm Exp $ */
/* $OpenBSD: auth2-jpake.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2008 Damien Miller. All rights reserved.
*
@ -179,7 +179,7 @@ derive_rawsalt(const char *username, u_char *rawsalt, u_int len)
__func__, len, digest_len);
memcpy(rawsalt, digest, len);
bzero(digest, digest_len);
xfree(digest);
free(digest);
}
/* ASCII an integer [0, 64) for inclusion in a password/salt */
@ -258,7 +258,7 @@ fake_salt_and_scheme(Authctxt *authctxt, char **salt, char **scheme)
makesalt(22, authctxt->user));
*scheme = xstrdup("bcrypt");
}
xfree(style);
free(style);
debug3("%s: fake %s salt for user %s: %s",
__func__, *scheme, authctxt->user, *salt);
}
@ -361,7 +361,7 @@ auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
JPAKE_DEBUG_BN((*s, "%s: s = ", __func__));
#endif
bzero(secret, secret_len);
xfree(secret);
free(secret);
}
/*
@ -403,12 +403,12 @@ auth2_jpake_start(Authctxt *authctxt)
bzero(hash_scheme, strlen(hash_scheme));
bzero(salt, strlen(salt));
xfree(hash_scheme);
xfree(salt);
free(hash_scheme);
free(salt);
bzero(x3_proof, x3_proof_len);
bzero(x4_proof, x4_proof_len);
xfree(x3_proof);
xfree(x4_proof);
free(x3_proof);
free(x4_proof);
/* Expect step 1 packet from peer */
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1,
@ -455,8 +455,8 @@ input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt)
bzero(x1_proof, x1_proof_len);
bzero(x2_proof, x2_proof_len);
xfree(x1_proof);
xfree(x2_proof);
free(x1_proof);
free(x2_proof);
if (!use_privsep)
JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
@ -469,7 +469,7 @@ input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt)
packet_write_wait();
bzero(x4_s_proof, x4_s_proof_len);
xfree(x4_s_proof);
free(x4_s_proof);
/* Expect step 2 packet from peer */
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2,
@ -510,7 +510,7 @@ input_userauth_jpake_client_step2(int type, u_int32_t seq, void *ctxt)
&pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len));
bzero(x2_s_proof, x2_s_proof_len);
xfree(x2_s_proof);
free(x2_s_proof);
if (!use_privsep)
JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));

6
crypto/openssh/auth2-kbdint.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-kbdint.c,v 1.5 2006/08/03 03:34:41 deraadt Exp $ */
/* $OpenBSD: auth2-kbdint.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -56,8 +56,8 @@ userauth_kbdint(Authctxt *authctxt)
if (options.challenge_response_authentication)
authenticated = auth2_challenge(authctxt, devs);
xfree(devs);
xfree(lang);
free(devs);
free(lang);
return authenticated;
}

6
crypto/openssh/auth2-passwd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-passwd.c,v 1.9 2006/08/03 03:34:41 deraadt Exp $ */
/* $OpenBSD: auth2-passwd.c,v 1.10 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -60,7 +60,7 @@ userauth_passwd(Authctxt *authctxt)
/* discard new password from packet */
newpass = packet_get_string(&newlen);
memset(newpass, 0, newlen);
xfree(newpass);
free(newpass);
}
packet_check_eom();
@ -69,7 +69,7 @@ userauth_passwd(Authctxt *authctxt)
else if (PRIVSEP(auth_password(authctxt, password)) == 1)
authenticated = 1;
memset(password, 0, len);
xfree(password);
free(password);
return authenticated;
}

85
crypto/openssh/auth2-pubkey.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-pubkey.c,v 1.34 2013/02/14 21:35:59 djm Exp $ */
/* $OpenBSD: auth2-pubkey.c,v 1.38 2013/06/21 00:34:49 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -75,7 +75,7 @@ userauth_pubkey(Authctxt *authctxt)
{
Buffer b;
Key *key = NULL;
char *pkalg;
char *pkalg, *userstyle;
u_char *pkblob, *sig;
u_int alen, blen, slen;
int have_sig, pktype;
@ -127,7 +127,11 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
buffer_put_cstring(&b, authctxt->user);
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
buffer_put_cstring(&b, userstyle);
free(userstyle);
buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
@ -143,6 +147,8 @@ userauth_pubkey(Authctxt *authctxt)
#ifdef DEBUG_PK
buffer_dump(&b);
#endif
pubkey_auth_info(authctxt, key, NULL);
/* test for correct signature */
authenticated = 0;
if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
@ -150,7 +156,7 @@ userauth_pubkey(Authctxt *authctxt)
buffer_len(&b))) == 1)
authenticated = 1;
buffer_free(&b);
xfree(sig);
free(sig);
} else {
debug("test whether pkalg/pkblob are acceptable");
packet_check_eom();
@ -178,11 +184,45 @@ userauth_pubkey(Authctxt *authctxt)
debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
if (key != NULL)
key_free(key);
xfree(pkalg);
xfree(pkblob);
free(pkalg);
free(pkblob);
return authenticated;
}
void
pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
{
char *fp, *extra;
va_list ap;
int i;
extra = NULL;
if (fmt != NULL) {
va_start(ap, fmt);
i = vasprintf(&extra, fmt, ap);
va_end(ap);
if (i < 0 || extra == NULL)
fatal("%s: vasprintf failed", __func__);
}
if (key_is_cert(key)) {
fp = key_fingerprint(key->cert->signature_key,
SSH_FP_MD5, SSH_FP_HEX);
auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
key_type(key), key->cert->key_id,
(unsigned long long)key->cert->serial,
key_type(key->cert->signature_key), fp,
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
free(fp);
} else {
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
free(fp);
}
free(extra);
}
static int
match_principals_option(const char *principal_list, struct KeyCert *cert)
{
@ -196,7 +236,7 @@ match_principals_option(const char *principal_list, struct KeyCert *cert)
principal_list, NULL)) != NULL) {
debug3("matched principal from key options \"%.100s\"",
result);
xfree(result);
free(result);
return 1;
}
}
@ -276,11 +316,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
char *fp;
found_key = 0;
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
found = NULL;
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp, *key_options = NULL;
if (found != NULL)
key_free(found);
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
auth_clear_options();
/* Skip leading whitespace, empty and comment lines. */
@ -332,7 +374,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
reason = "Certificate does not contain an "
"authorized principal";
fail_reason:
xfree(fp);
free(fp);
error("%s", reason);
auth_debug_add("%s", reason);
continue;
@ -342,13 +384,13 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
&reason) != 0)
goto fail_reason;
if (auth_cert_options(key, pw) != 0) {
xfree(fp);
free(fp);
continue;
}
verbose("Accepted certificate ID \"%s\" "
"signed by %s CA %s via %s", key->cert->key_id,
key_type(found), fp, file);
xfree(fp);
free(fp);
found_key = 1;
break;
} else if (key_equal(found, key)) {
@ -358,16 +400,15 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
if (key_is_cert_authority)
continue;
found_key = 1;
debug("matching key found: file %s, line %lu",
file, linenum);
fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
verbose("Found matching %s key: %s",
key_type(found), fp);
xfree(fp);
debug("matching key found: file %s, line %lu %s %s",
file, linenum, key_type(found), fp);
free(fp);
break;
}
}
key_free(found);
if (found != NULL)
key_free(found);
if (!found_key)
debug2("key not found");
return found_key;
@ -421,10 +462,8 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
ret = 1;
out:
if (principals_file != NULL)
xfree(principals_file);
if (ca_fp != NULL)
xfree(ca_fp);
free(principals_file);
free(ca_fp);
return ret;
}
@ -629,7 +668,7 @@ user_key_allowed(struct passwd *pw, Key *key)
options.authorized_keys_files[i], pw);
success = user_key_allowed2(pw, key, file);
xfree(file);
free(file);
}
return success;

93
crypto/openssh/auth2.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */
/* $OpenBSD: auth2.c,v 1.129 2013/05/19 02:42:42 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -100,8 +100,12 @@ static void input_userauth_request(int, u_int32_t, void *);
/* helper */
static Authmethod *authmethod_lookup(Authctxt *, const char *);
static char *authmethods_get(Authctxt *authctxt);
static int method_allowed(Authctxt *, const char *);
static int list_starts_with(const char *, const char *);
#define MATCH_NONE 0 /* method or submethod mismatch */
#define MATCH_METHOD 1 /* method matches (no submethod specified) */
#define MATCH_BOTH 2 /* method and submethod match */
#define MATCH_PARTIAL 3 /* method matches, submethod can't be checked */
static int list_starts_with(const char *, const char *, const char *);
char *
auth2_read_banner(void)
@ -128,7 +132,7 @@ auth2_read_banner(void)
close(fd);
if (n != len) {
xfree(banner);
free(banner);
return (NULL);
}
banner[n] = '\0';
@ -164,8 +168,7 @@ userauth_banner(void)
userauth_send_banner(banner);
done:
if (banner)
xfree(banner);
free(banner);
}
/*
@ -210,7 +213,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
debug("bad service request %s", service);
packet_disconnect("bad service request %s", service);
}
xfree(service);
free(service);
}
/*ARGSUSED*/
@ -318,9 +321,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
}
userauth_finish(authctxt, authenticated, method, NULL);
xfree(service);
xfree(user);
xfree(method);
free(service);
free(user);
free(method);
}
void
@ -346,14 +349,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
}
if (authenticated && options.num_auth_methods != 0) {
if (!auth2_update_methods_lists(authctxt, method)) {
if (!auth2_update_methods_lists(authctxt, method, submethod)) {
authenticated = 0;
partial = 1;
}
}
/* Log before sending the reply */
auth_log(authctxt, authenticated, partial, method, submethod, " ssh2");
auth_log(authctxt, authenticated, partial, method, submethod);
if (authctxt->postponed)
return;
@ -408,7 +411,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
packet_put_char(partial);
packet_send();
packet_write_wait();
xfree(methods);
free(methods);
}
}
@ -417,8 +420,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
* methods list. Returns 1 if allowed, or no methods lists configured.
* 0 otherwise.
*/
static int
method_allowed(Authctxt *authctxt, const char *method)
int
auth2_method_allowed(Authctxt *authctxt, const char *method,
const char *submethod)
{
u_int i;
@ -429,7 +433,8 @@ method_allowed(Authctxt *authctxt, const char *method)
if (options.num_auth_methods == 0)
return 1;
for (i = 0; i < authctxt->num_auth_methods; i++) {
if (list_starts_with(authctxt->auth_methods[i], method))
if (list_starts_with(authctxt->auth_methods[i], method,
submethod) != MATCH_NONE)
return 1;
}
return 0;
@ -449,7 +454,8 @@ authmethods_get(Authctxt *authctxt)
if (authmethods[i]->enabled == NULL ||
*(authmethods[i]->enabled) == 0)
continue;
if (!method_allowed(authctxt, authmethods[i]->name))
if (!auth2_method_allowed(authctxt, authmethods[i]->name,
NULL))
continue;
if (buffer_len(&b) > 0)
buffer_append(&b, ",", 1);
@ -472,7 +478,8 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
if (authmethods[i]->enabled != NULL &&
*(authmethods[i]->enabled) != 0 &&
strcmp(name, authmethods[i]->name) == 0 &&
method_allowed(authctxt, authmethods[i]->name))
auth2_method_allowed(authctxt,
authmethods[i]->name, NULL))
return authmethods[i];
debug2("Unrecognized authentication method name: %s",
name ? name : "NULL");
@ -487,7 +494,7 @@ authmethod_lookup(Authctxt *authctxt, const char *name)
int
auth2_methods_valid(const char *_methods, int need_enable)
{
char *methods, *omethods, *method;
char *methods, *omethods, *method, *p;
u_int i, found;
int ret = -1;
@ -498,6 +505,8 @@ auth2_methods_valid(const char *_methods, int need_enable)
omethods = methods = xstrdup(_methods);
while ((method = strsep(&methods, ",")) != NULL) {
for (found = i = 0; !found && authmethods[i] != NULL; i++) {
if ((p = strchr(method, ':')) != NULL)
*p = '\0';
if (strcmp(method, authmethods[i]->name) != 0)
continue;
if (need_enable) {
@ -563,15 +572,30 @@ auth2_setup_methods_lists(Authctxt *authctxt)
}
static int
list_starts_with(const char *methods, const char *method)
list_starts_with(const char *methods, const char *method,
const char *submethod)
{
size_t l = strlen(method);
int match;
const char *p;
if (strncmp(methods, method, l) != 0)
return 0;
if (methods[l] != ',' && methods[l] != '\0')
return 0;
return 1;
return MATCH_NONE;
p = methods + l;
match = MATCH_METHOD;
if (*p == ':') {
if (!submethod)
return MATCH_PARTIAL;
l = strlen(submethod);
p += 1;
if (strncmp(submethod, p, l))
return MATCH_NONE;
p += l;
match = MATCH_BOTH;
}
if (*p != ',' && *p != '\0')
return MATCH_NONE;
return match;
}
/*
@ -580,14 +604,21 @@ list_starts_with(const char *methods, const char *method)
* if it did.
*/
static int
remove_method(char **methods, const char *method)
remove_method(char **methods, const char *method, const char *submethod)
{
char *omethods = *methods;
char *omethods = *methods, *p;
size_t l = strlen(method);
int match;
if (!list_starts_with(omethods, method))
match = list_starts_with(omethods, method, submethod);
if (match != MATCH_METHOD && match != MATCH_BOTH)
return 0;
*methods = xstrdup(omethods + l + (omethods[l] == ',' ? 1 : 0));
p = omethods + l;
if (submethod && match == MATCH_BOTH)
p += 1 + strlen(submethod); /* include colon */
if (*p == ',')
p++;
*methods = xstrdup(p);
free(omethods);
return 1;
}
@ -599,13 +630,15 @@ remove_method(char **methods, const char *method)
* Returns 1 if the method completed any authentication list or 0 otherwise.
*/
int
auth2_update_methods_lists(Authctxt *authctxt, const char *method)
auth2_update_methods_lists(Authctxt *authctxt, const char *method,
const char *submethod)
{
u_int i, found = 0;
debug3("%s: updating methods list after \"%s\"", __func__, method);
for (i = 0; i < authctxt->num_auth_methods; i++) {
if (!remove_method(&(authctxt->auth_methods[i]), method))
if (!remove_method(&(authctxt->auth_methods[i]), method,
submethod))
continue;
found = 1;
if (*authctxt->auth_methods[i] == '\0') {

10
crypto/openssh/authfd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: authfd.c,v 1.86 2011/07/06 18:09:21 tedu Exp $ */
/* $OpenBSD: authfd.c,v 1.87 2013/05/17 00:13:13 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -224,7 +224,7 @@ ssh_close_authentication_connection(AuthenticationConnection *auth)
{
buffer_free(&auth->identities);
close(auth->fd);
xfree(auth);
free(auth);
}
/* Lock/unlock agent */
@ -343,7 +343,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
blob = buffer_get_string(&auth->identities, &blen);
*comment = buffer_get_string(&auth->identities, NULL);
key = key_from_blob(blob, blen);
xfree(blob);
free(blob);
break;
default:
return NULL;
@ -436,7 +436,7 @@ ssh_agent_sign(AuthenticationConnection *auth,
buffer_put_string(&msg, blob, blen);
buffer_put_string(&msg, data, datalen);
buffer_put_int(&msg, flags);
xfree(blob);
free(blob);
if (ssh_request_reply(auth, &msg, &msg) == 0) {
buffer_free(&msg);
@ -612,7 +612,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
key_to_blob(key, &blob, &blen);
buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY);
buffer_put_string(&msg, blob, blen);
xfree(blob);
free(blob);
} else {
buffer_free(&msg);
return 0;

14
crypto/openssh/authfile.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: authfile.c,v 1.95 2013/01/08 18:49:04 markus Exp $ */
/* $OpenBSD: authfile.c,v 1.97 2013/05/17 00:13:13 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -89,7 +89,7 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase,
u_char buf[100], *cp;
int i, cipher_num;
CipherContext ciphercontext;
Cipher *cipher;
const Cipher *cipher;
u_int32_t rnd;
/*
@ -421,7 +421,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
Buffer decrypted;
u_char *cp;
CipherContext ciphercontext;
Cipher *cipher;
const Cipher *cipher;
Key *prv = NULL;
Buffer copy;
@ -509,8 +509,8 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
return prv;
fail:
if (commentp)
xfree(*commentp);
if (commentp != NULL)
free(*commentp);
key_free(prv);
return NULL;
}
@ -832,10 +832,10 @@ key_load_cert(const char *filename)
pub = key_new(KEY_UNSPEC);
xasprintf(&file, "%s-cert.pub", filename);
if (key_try_load_public(pub, file, NULL) == 1) {
xfree(file);
free(file);
return pub;
}
xfree(file);
free(file);
key_free(pub);
return NULL;
}

12
crypto/openssh/bufaux.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: bufaux.c,v 1.50 2010/08/31 09:58:37 djm Exp $ */
/* $OpenBSD: bufaux.c,v 1.52 2013/07/12 00:19:58 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -181,7 +181,7 @@ buffer_get_string_ret(Buffer *buffer, u_int *length_ptr)
/* Get the string. */
if (buffer_get_ret(buffer, value, len) == -1) {
error("buffer_get_string_ret: buffer_get failed");
xfree(value);
free(value);
return (NULL);
}
/* Append a null character to make processing easier. */
@ -216,7 +216,7 @@ buffer_get_cstring_ret(Buffer *buffer, u_int *length_ptr)
error("buffer_get_cstring_ret: string contains \\0");
else {
bzero(ret, length);
xfree(ret);
free(ret);
return NULL;
}
}
@ -285,7 +285,7 @@ buffer_put_cstring(Buffer *buffer, const char *s)
* Returns a character from the buffer (0 - 255).
*/
int
buffer_get_char_ret(char *ret, Buffer *buffer)
buffer_get_char_ret(u_char *ret, Buffer *buffer)
{
if (buffer_get_ret(buffer, ret, 1) == -1) {
error("buffer_get_char_ret: buffer_get_ret failed");
@ -297,11 +297,11 @@ buffer_get_char_ret(char *ret, Buffer *buffer)
int
buffer_get_char(Buffer *buffer)
{
char ch;
u_char ch;
if (buffer_get_char_ret(&ch, buffer) == -1)
fatal("buffer_get_char: buffer error");
return (u_char) ch;
return ch;
}
/*

18
crypto/openssh/bufbn.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: bufbn.c,v 1.6 2007/06/02 09:04:58 djm Exp $*/
/* $OpenBSD: bufbn.c,v 1.7 2013/05/17 00:13:13 djm Exp $*/
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -69,7 +69,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
if (oi != bin_size) {
error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
oi, bin_size);
xfree(buf);
free(buf);
return (-1);
}
@ -80,7 +80,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
buffer_append(buffer, buf, oi);
memset(buf, 0, bin_size);
xfree(buf);
free(buf);
return (0);
}
@ -167,13 +167,13 @@ buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
if (oi < 0 || (u_int)oi != bytes - 1) {
error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
"oi %d != bin_size %d", oi, bytes);
xfree(buf);
free(buf);
return (-1);
}
hasnohigh = (buf[1] & 0x80) ? 0 : 1;
buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
memset(buf, 0, bytes);
xfree(buf);
free(buf);
return (0);
}
@ -197,21 +197,21 @@ buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
if (len > 0 && (bin[0] & 0x80)) {
error("buffer_get_bignum2_ret: negative numbers not supported");
xfree(bin);
free(bin);
return (-1);
}
if (len > 8 * 1024) {
error("buffer_get_bignum2_ret: cannot handle BN of size %d",
len);
xfree(bin);
free(bin);
return (-1);
}
if (BN_bin2bn(bin, len, value) == NULL) {
error("buffer_get_bignum2_ret: BN_bin2bn failed");
xfree(bin);
free(bin);
return (-1);
}
xfree(bin);
free(bin);
return (0);
}

6
crypto/openssh/bufec.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: bufec.c,v 1.1 2010/08/31 11:54:45 djm Exp $ */
/* $OpenBSD: bufec.c,v 1.2 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2010 Damien Miller <djm@mindrot.org>
*
@ -78,7 +78,7 @@ buffer_put_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
out:
if (buf != NULL) {
bzero(buf, len);
xfree(buf);
free(buf);
}
BN_CTX_free(bnctx);
return ret;
@ -131,7 +131,7 @@ buffer_get_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
out:
BN_CTX_free(bnctx);
bzero(buf, len);
xfree(buf);
free(buf);
return ret;
}

4
crypto/openssh/buffer.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: buffer.c,v 1.32 2010/02/09 03:56:28 djm Exp $ */
/* $OpenBSD: buffer.c,v 1.33 2013/05/17 00:13:13 djm Exp $ */
/* $FreeBSD$ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -51,7 +51,7 @@ buffer_free(Buffer *buffer)
if (buffer->alloc > 0) {
memset(buffer->buf, 0, buffer->alloc);
buffer->alloc = 0;
xfree(buffer->buf);
free(buffer->buf);
}
}

4
crypto/openssh/buffer.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: buffer.h,v 1.21 2010/08/31 11:54:45 djm Exp $ */
/* $OpenBSD: buffer.h,v 1.22 2013/07/12 00:19:58 djm Exp $ */
/* $FreeBSD$ */
/*
@ -87,7 +87,7 @@ int buffer_get_int64_ret(u_int64_t *, Buffer *);
void *buffer_get_string_ret(Buffer *, u_int *);
char *buffer_get_cstring_ret(Buffer *, u_int *);
void *buffer_get_string_ptr_ret(Buffer *, u_int *);
int buffer_get_char_ret(char *, Buffer *);
int buffer_get_char_ret(u_char *, Buffer *);
#ifdef OPENSSL_HAS_ECC
#include <openssl/ec.h>

10
crypto/openssh/canohost.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: canohost.c,v 1.66 2010/01/13 01:20:20 dtucker Exp $ */
/* $OpenBSD: canohost.c,v 1.67 2013/05/17 00:13:13 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -41,7 +41,7 @@ static int cached_port = -1;
/*
* Return the canonical name of the host at the other end of the socket. The
* caller should free the returned string with xfree.
* caller should free the returned string.
*/
static char *
@ -323,10 +323,8 @@ get_local_name(int fd)
void
clear_cached_addr(void)
{
if (canonical_host_ip != NULL) {
xfree(canonical_host_ip);
canonical_host_ip = NULL;
}
free(canonical_host_ip);
canonical_host_ip = NULL;
cached_port = -1;
}

137
crypto/openssh/channels.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */
/* $OpenBSD: channels.c,v 1.324 2013/07/12 00:19:58 djm Exp $ */
/* $FreeBSD$ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -219,6 +219,7 @@ channel_lookup(int id)
case SSH_CHANNEL_OPEN:
case SSH_CHANNEL_INPUT_DRAINING:
case SSH_CHANNEL_OUTPUT_DRAINING:
case SSH_CHANNEL_ABANDONED:
return (c);
}
logit("Non-public channel %d, type %d.", id, c->type);
@ -253,7 +254,10 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
if ((c->isatty = is_tty) != 0)
debug2("channel %d: rfd %d isatty", c->self, c->rfd);
#ifdef _AIX
/* XXX: Later AIX versions can't push as much data to tty */
c->wfd_isatty = is_tty || isatty(c->wfd);
#endif
/* enable nonblocking mode */
if (nonblock) {
@ -408,7 +412,7 @@ channel_free(Channel *c)
s = channel_open_message();
debug3("channel %d: status: %s", c->self, s);
xfree(s);
free(s);
if (c->sock != -1)
shutdown(c->sock, SHUT_RDWR);
@ -416,29 +420,23 @@ channel_free(Channel *c)
buffer_free(&c->input);
buffer_free(&c->output);
buffer_free(&c->extended);
if (c->remote_name) {
xfree(c->remote_name);
c->remote_name = NULL;
}
if (c->path) {
xfree(c->path);
c->path = NULL;
}
if (c->listening_addr) {
xfree(c->listening_addr);
c->listening_addr = NULL;
}
free(c->remote_name);
c->remote_name = NULL;
free(c->path);
c->path = NULL;
free(c->listening_addr);
c->listening_addr = NULL;
while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
if (cc->abandon_cb != NULL)
cc->abandon_cb(c, cc->ctx);
TAILQ_REMOVE(&c->status_confirms, cc, entry);
bzero(cc, sizeof(*cc));
xfree(cc);
free(cc);
}
if (c->filter_cleanup != NULL && c->filter_ctx != NULL)
c->filter_cleanup(c->self, c->filter_ctx);
channels[c->self] = NULL;
xfree(c);
free(c);
}
void
@ -543,6 +541,7 @@ channel_still_open(void)
case SSH_CHANNEL_DYNAMIC:
case SSH_CHANNEL_CONNECTING:
case SSH_CHANNEL_ZOMBIE:
case SSH_CHANNEL_ABANDONED:
continue;
case SSH_CHANNEL_LARVAL:
if (!compat20)
@ -588,6 +587,7 @@ channel_find_open(void)
case SSH_CHANNEL_OPENING:
case SSH_CHANNEL_CONNECTING:
case SSH_CHANNEL_ZOMBIE:
case SSH_CHANNEL_ABANDONED:
continue;
case SSH_CHANNEL_LARVAL:
case SSH_CHANNEL_AUTH_SOCKET:
@ -635,6 +635,7 @@ channel_open_message(void)
case SSH_CHANNEL_CLOSED:
case SSH_CHANNEL_AUTH_SOCKET:
case SSH_CHANNEL_ZOMBIE:
case SSH_CHANNEL_ABANDONED:
case SSH_CHANNEL_MUX_CLIENT:
case SSH_CHANNEL_MUX_LISTENER:
continue;
@ -1122,10 +1123,8 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset)
strlcpy(username, p, sizeof(username));
buffer_consume(&c->input, len);
if (c->path != NULL) {
xfree(c->path);
c->path = NULL;
}
free(c->path);
c->path = NULL;
if (need == 1) { /* SOCKS4: one string */
host = inet_ntoa(s4_req.dest_addr);
c->path = xstrdup(host);
@ -1185,7 +1184,8 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
u_int8_t atyp;
} s5_req, s5_rsp;
u_int16_t dest_port;
u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN];
char dest_addr[255+1], ntop[INET6_ADDRSTRLEN];
u_char *p;
u_int have, need, i, found, nmethods, addrlen, af;
debug2("channel %d: decode socks5", c->self);
@ -1255,13 +1255,11 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
buffer_consume(&c->input, sizeof(s5_req));
if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
buffer_consume(&c->input, 1); /* host string length */
buffer_get(&c->input, (char *)&dest_addr, addrlen);
buffer_get(&c->input, &dest_addr, addrlen);
buffer_get(&c->input, (char *)&dest_port, 2);
dest_addr[addrlen] = '\0';
if (c->path != NULL) {
xfree(c->path);
c->path = NULL;
}
free(c->path);
c->path = NULL;
if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
if (addrlen >= NI_MAXHOST) {
error("channel %d: dynamic request: socks5 hostname "
@ -1283,11 +1281,10 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
s5_rsp.command = SSH_SOCKS5_SUCCESS;
s5_rsp.reserved = 0; /* ignored */
s5_rsp.atyp = SSH_SOCKS5_IPV4;
((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY;
dest_port = 0; /* ignored */
buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp));
buffer_append(&c->output, &dest_addr, sizeof(struct in_addr));
buffer_put_int(&c->output, ntohl(INADDR_ANY)); /* bind address */
buffer_append(&c->output, &dest_port, sizeof(dest_port));
return 1;
}
@ -1366,7 +1363,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
{
Channel *nc;
struct sockaddr_storage addr;
int newsock;
int newsock, oerrno;
socklen_t addrlen;
char buf[16384], *remote_ipaddr;
int remote_port;
@ -1376,14 +1373,18 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
addrlen = sizeof(addr);
newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
if (c->single_connection) {
oerrno = errno;
debug2("single_connection: closing X11 listener.");
channel_close_fd(&c->sock);
chan_mark_dead(c);
errno = oerrno;
}
if (newsock < 0) {
error("accept: %.100s", strerror(errno));
if (errno != EINTR && errno != EWOULDBLOCK &&
errno != ECONNABORTED)
error("accept: %.100s", strerror(errno));
if (errno == EMFILE || errno == ENFILE)
c->notbefore = time(NULL) + 1;
c->notbefore = monotime() + 1;
return;
}
set_nodelay(newsock);
@ -1417,7 +1418,7 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
packet_put_cstring(buf);
packet_send();
}
xfree(remote_ipaddr);
free(remote_ipaddr);
}
}
@ -1431,7 +1432,7 @@ port_open_helper(Channel *c, char *rtype)
if (remote_port == -1) {
/* Fake addr/port to appease peers that validate it (Tectia) */
xfree(remote_ipaddr);
free(remote_ipaddr);
remote_ipaddr = xstrdup("127.0.0.1");
remote_port = 65535;
}
@ -1444,7 +1445,7 @@ port_open_helper(Channel *c, char *rtype)
rtype, c->listening_port, c->path, c->host_port,
remote_ipaddr, remote_port);
xfree(c->remote_name);
free(c->remote_name);
c->remote_name = xstrdup(buf);
if (compat20) {
@ -1476,7 +1477,7 @@ port_open_helper(Channel *c, char *rtype)
packet_put_cstring(c->remote_name);
packet_send();
}
xfree(remote_ipaddr);
free(remote_ipaddr);
}
static void
@ -1526,9 +1527,11 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset)
addrlen = sizeof(addr);
newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
if (newsock < 0) {
error("accept: %.100s", strerror(errno));
if (errno != EINTR && errno != EWOULDBLOCK &&
errno != ECONNABORTED)
error("accept: %.100s", strerror(errno));
if (errno == EMFILE || errno == ENFILE)
c->notbefore = time(NULL) + 1;
c->notbefore = monotime() + 1;
return;
}
set_nodelay(newsock);
@ -1564,7 +1567,7 @@ channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset)
error("accept from auth socket: %.100s",
strerror(errno));
if (errno == EMFILE || errno == ENFILE)
c->notbefore = time(NULL) + 1;
c->notbefore = monotime() + 1;
return;
}
nc = channel_new("accepted auth socket",
@ -1727,7 +1730,7 @@ channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset)
if (c->datagram) {
/* ignore truncated writes, datagrams might get lost */
len = write(c->wfd, buf, dlen);
xfree(data);
free(data);
if (len < 0 && (errno == EINTR || errno == EAGAIN ||
errno == EWOULDBLOCK))
return 1;
@ -1979,7 +1982,7 @@ channel_post_mux_listener(Channel *c, fd_set *readset, fd_set *writeset)
&addrlen)) == -1) {
error("%s accept: %s", __func__, strerror(errno));
if (errno == EMFILE || errno == ENFILE)
c->notbefore = time(NULL) + 1;
c->notbefore = monotime() + 1;
return;
}
@ -2142,7 +2145,7 @@ channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset,
channel_handler_init();
did_init = 1;
}
now = time(NULL);
now = monotime();
if (unpause_secs != NULL)
*unpause_secs = 0;
for (i = 0, oalloc = channels_alloc; i < oalloc; i++) {
@ -2272,7 +2275,7 @@ channel_output_poll(void)
debug("channel %d: datagram "
"too big for channel",
c->self);
xfree(data);
free(data);
continue;
}
packet_start(SSH2_MSG_CHANNEL_DATA);
@ -2280,7 +2283,7 @@ channel_output_poll(void)
packet_put_string(data, dlen);
packet_send();
c->remote_window -= dlen + 4;
xfree(data);
free(data);
}
continue;
}
@ -2452,13 +2455,13 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
if (data_len > c->local_window) {
logit("channel %d: rcvd too much extended_data %d, win %d",
c->self, data_len, c->local_window);
xfree(data);
free(data);
return;
}
debug2("channel %d: rcvd ext data %d", c->self, data_len);
c->local_window -= data_len;
buffer_append(&c->extended, data, data_len);
xfree(data);
free(data);
}
/* ARGSUSED */
@ -2548,7 +2551,7 @@ channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt)
if (c == NULL)
packet_disconnect("Received close confirmation for "
"out-of-range channel %d.", id);
if (c->type != SSH_CHANNEL_CLOSED)
if (c->type != SSH_CHANNEL_CLOSED && c->type != SSH_CHANNEL_ABANDONED)
packet_disconnect("Received close confirmation for "
"non-closed channel %d (type %d).", id, c->type);
channel_free(c);
@ -2624,10 +2627,8 @@ channel_input_open_failure(int type, u_int32_t seq, void *ctxt)
}
logit("channel %d: open failed: %s%s%s", id,
reason2txt(reason), msg ? ": ": "", msg ? msg : "");
if (msg != NULL)
xfree(msg);
if (lang != NULL)
xfree(lang);
free(msg);
free(lang);
if (c->open_confirm) {
debug2("callback start");
c->open_confirm(c->self, 0, c->open_confirm_ctx);
@ -2685,8 +2686,8 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt)
packet_check_eom();
c = channel_connect_to(host, host_port,
"connected socket", originator_string);
xfree(originator_string);
xfree(host);
free(originator_string);
free(host);
if (c == NULL) {
packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
packet_put_int(remote_id);
@ -2721,7 +2722,7 @@ channel_input_status_confirm(int type, u_int32_t seq, void *ctxt)
cc->cb(type, c, cc->ctx);
TAILQ_REMOVE(&c->status_confirms, cc, entry);
bzero(cc, sizeof(*cc));
xfree(cc);
free(cc);
}
/* -- tcp forwarding */
@ -3117,7 +3118,7 @@ channel_request_rforward_cancel(const char *host, u_short port)
permitted_opens[i].listen_port = 0;
permitted_opens[i].port_to_connect = 0;
xfree(permitted_opens[i].host_to_connect);
free(permitted_opens[i].host_to_connect);
permitted_opens[i].host_to_connect = NULL;
return 0;
@ -3158,7 +3159,7 @@ channel_input_port_forward_request(int is_root, int gateway_ports)
host_port, gateway_ports);
/* Free the argument string. */
xfree(hostname);
free(hostname);
return (success ? 0 : -1);
}
@ -3213,7 +3214,7 @@ channel_update_permitted_opens(int idx, int newport)
} else {
permitted_opens[idx].listen_port = 0;
permitted_opens[idx].port_to_connect = 0;
xfree(permitted_opens[idx].host_to_connect);
free(permitted_opens[idx].host_to_connect);
permitted_opens[idx].host_to_connect = NULL;
}
}
@ -3246,12 +3247,9 @@ channel_clear_permitted_opens(void)
int i;
for (i = 0; i < num_permitted_opens; i++)
if (permitted_opens[i].host_to_connect != NULL)
xfree(permitted_opens[i].host_to_connect);
if (num_permitted_opens > 0) {
xfree(permitted_opens);
permitted_opens = NULL;
}
free(permitted_opens[i].host_to_connect);
free(permitted_opens);
permitted_opens = NULL;
num_permitted_opens = 0;
}
@ -3261,12 +3259,9 @@ channel_clear_adm_permitted_opens(void)
int i;
for (i = 0; i < num_adm_permitted_opens; i++)
if (permitted_adm_opens[i].host_to_connect != NULL)
xfree(permitted_adm_opens[i].host_to_connect);
if (num_adm_permitted_opens > 0) {
xfree(permitted_adm_opens);
permitted_adm_opens = NULL;
}
free(permitted_adm_opens[i].host_to_connect);
free(permitted_adm_opens);
permitted_adm_opens = NULL;
num_adm_permitted_opens = 0;
}
@ -3360,7 +3355,7 @@ connect_next(struct channel_connect *cctx)
static void
channel_connect_ctx_free(struct channel_connect *cctx)
{
xfree(cctx->host);
free(cctx->host);
if (cctx->aitop)
freeaddrinfo(cctx->aitop);
bzero(cctx, sizeof(*cctx));
@ -3761,7 +3756,7 @@ x11_input_open(int type, u_int32_t seq, void *ctxt)
c->remote_id = remote_id;
c->force_drain = 1;
}
xfree(remote_host);
free(remote_host);
if (c == NULL) {
/* Send refusal to the remote host. */
packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
@ -3869,7 +3864,7 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
packet_put_int(screen_number);
packet_send();
packet_write_wait();
xfree(new_data);
free(new_data);
}

9
crypto/openssh/channels.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: channels.h,v 1.111 2012/04/11 13:16:19 djm Exp $ */
/* $OpenBSD: channels.h,v 1.113 2013/06/07 15:37:52 dtucker Exp $ */
/* $FreeBSD$ */
/*
@ -56,7 +56,8 @@
#define SSH_CHANNEL_ZOMBIE 14 /* Almost dead. */
#define SSH_CHANNEL_MUX_LISTENER 15 /* Listener for mux conn. */
#define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */
#define SSH_CHANNEL_MAX_TYPE 17
#define SSH_CHANNEL_ABANDONED 17 /* Abandoned session, eg mux */
#define SSH_CHANNEL_MAX_TYPE 18
#define CHANNEL_CANCEL_PORT_STATIC -1
@ -103,7 +104,9 @@ struct Channel {
int sock; /* sock fd */
int ctl_chan; /* control channel (multiplexed connections) */
int isatty; /* rfd is a tty */
#ifdef _AIX
int wfd_isatty; /* wfd is a tty */
#endif
int client_tty; /* (client) TTY has been requested */
int force_drain; /* force close on iEOF */
time_t notbefore; /* Pause IO until deadline (time_t) */
@ -111,7 +114,7 @@ struct Channel {
* channels are delayed until the first call
* to a matching pre-select handler.
* this way post-select handlers are not
* accidenly called if a FD gets reused */
* accidentally called if a FD gets reused */
Buffer input; /* data read from socket, to be sent over
* encrypted connection */
Buffer output; /* data received over encrypted connection for

6
crypto/openssh/cipher-3des1.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: cipher-3des1.c,v 1.7 2010/10/01 23:05:32 djm Exp $ */
/* $OpenBSD: cipher-3des1.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
*
@ -94,7 +94,7 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
memset(c, 0, sizeof(*c));
xfree(c);
free(c);
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
return (0);
}
@ -135,7 +135,7 @@ ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
EVP_CIPHER_CTX_cleanup(&c->k2);
EVP_CIPHER_CTX_cleanup(&c->k3);
memset(c, 0, sizeof(*c));
xfree(c);
free(c);
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
}
return (1);

2
crypto/openssh/cipher-aes.c
View File

@ -120,7 +120,7 @@ ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
memset(c, 0, sizeof(*c));
xfree(c);
free(c);
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
}
return (1);

2
crypto/openssh/cipher-ctr.c
View File

@ -104,7 +104,7 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
memset(c, 0, sizeof(*c));
xfree(c);
free(c);
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
}
return (1);

63
crypto/openssh/cipher.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: cipher.c,v 1.87 2013/01/26 06:11:05 djm Exp $ */
/* $OpenBSD: cipher.c,v 1.89 2013/05/17 00:13:13 djm Exp $ */
/* $FreeBSD$ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -66,7 +66,9 @@ struct Cipher {
u_int discard_len;
u_int cbc_mode;
const EVP_CIPHER *(*evptype)(void);
} ciphers[] = {
};
static const struct Cipher ciphers[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
@ -99,6 +101,27 @@ struct Cipher {
/*--*/
/* Returns a comma-separated list of supported ciphers. */
char *
cipher_alg_list(void)
{
char *ret = NULL;
size_t nlen, rlen = 0;
const Cipher *c;
for (c = ciphers; c->name != NULL; c++) {
if (c->number != SSH_CIPHER_SSH2)
continue;
if (ret != NULL)
ret[rlen++] = '\n';
nlen = strlen(c->name);
ret = xrealloc(ret, 1, rlen + nlen + 2);
memcpy(ret + rlen, c->name, nlen + 1);
rlen += nlen;
}
return ret;
}
u_int
cipher_blocksize(const Cipher *c)
{
@ -147,20 +170,20 @@ cipher_mask_ssh1(int client)
return mask;
}
Cipher *
const Cipher *
cipher_by_name(const char *name)
{
Cipher *c;
const Cipher *c;
for (c = ciphers; c->name != NULL; c++)
if (strcmp(c->name, name) == 0)
return c;
return NULL;
}
Cipher *
const Cipher *
cipher_by_number(int id)
{
Cipher *c;
const Cipher *c;
for (c = ciphers; c->name != NULL; c++)
if (c->number == id)
return c;
@ -171,7 +194,7 @@ cipher_by_number(int id)
int
ciphers_valid(const char *names)
{
Cipher *c;
const Cipher *c;
char *cipher_list, *cp;
char *p;
@ -188,14 +211,14 @@ ciphers_valid(const char *names)
if (c == NULL || (c->number != SSH_CIPHER_SSH2)) {
#endif
debug("bad cipher %s [%s]", p, names);
xfree(cipher_list);
free(cipher_list);
return 0;
} else {
debug3("cipher ok: %s [%s]", p, names);
}
}
debug3("ciphers ok: [%s]", names);
xfree(cipher_list);
free(cipher_list);
return 1;
}
@ -207,7 +230,7 @@ ciphers_valid(const char *names)
int
cipher_number(const char *name)
{
Cipher *c;
const Cipher *c;
if (name == NULL)
return -1;
for (c = ciphers; c->name != NULL; c++)
@ -219,12 +242,12 @@ cipher_number(const char *name)
char *
cipher_name(int id)
{
Cipher *c = cipher_by_number(id);
const Cipher *c = cipher_by_number(id);
return (c==NULL) ? "<unknown>" : c->name;
}
void
cipher_init(CipherContext *cc, Cipher *cipher,
cipher_init(CipherContext *cc, const Cipher *cipher,
const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
int do_encrypt)
{
@ -297,8 +320,8 @@ cipher_init(CipherContext *cc, Cipher *cipher,
cipher->discard_len) == 0)
fatal("evp_crypt: EVP_Cipher failed during discard");
memset(discard, 0, cipher->discard_len);
xfree(junk);
xfree(discard);
free(junk);
free(discard);
}
}
@ -370,7 +393,7 @@ cipher_cleanup(CipherContext *cc)
*/
void
cipher_set_key_string(CipherContext *cc, Cipher *cipher,
cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
const char *passphrase, int do_encrypt)
{
MD5_CTX md;
@ -395,7 +418,7 @@ cipher_set_key_string(CipherContext *cc, Cipher *cipher,
int
cipher_get_keyiv_len(const CipherContext *cc)
{
Cipher *c = cc->cipher;
const Cipher *c = cc->cipher;
int ivlen;
if (c->number == SSH_CIPHER_3DES)
@ -408,7 +431,7 @@ cipher_get_keyiv_len(const CipherContext *cc)
void
cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
{
Cipher *c = cc->cipher;
const Cipher *c = cc->cipher;
int evplen;
switch (c->number) {
@ -447,7 +470,7 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
void
cipher_set_keyiv(CipherContext *cc, u_char *iv)
{
Cipher *c = cc->cipher;
const Cipher *c = cc->cipher;
int evplen = 0;
switch (c->number) {
@ -483,7 +506,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
int
cipher_get_keycontext(const CipherContext *cc, u_char *dat)
{
Cipher *c = cc->cipher;
const Cipher *c = cc->cipher;
int plen = 0;
if (c->evptype == EVP_rc4) {
@ -498,7 +521,7 @@ cipher_get_keycontext(const CipherContext *cc, u_char *dat)
void
cipher_set_keycontext(CipherContext *cc, u_char *dat)
{
Cipher *c = cc->cipher;
const Cipher *c = cc->cipher;
int plen;
if (c->evptype == EVP_rc4) {

13
crypto/openssh/cipher.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: cipher.h,v 1.39 2013/01/08 18:49:04 markus Exp $ */
/* $OpenBSD: cipher.h,v 1.40 2013/04/19 01:06:50 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -66,21 +66,22 @@ struct CipherContext {
int plaintext;
int encrypt;
EVP_CIPHER_CTX evp;
Cipher *cipher;
const Cipher *cipher;
};
u_int cipher_mask_ssh1(int);
Cipher *cipher_by_name(const char *);
Cipher *cipher_by_number(int);
const Cipher *cipher_by_name(const char *);
const Cipher *cipher_by_number(int);
int cipher_number(const char *);
char *cipher_name(int);
int ciphers_valid(const char *);
void cipher_init(CipherContext *, Cipher *, const u_char *, u_int,
char *cipher_alg_list(void);
void cipher_init(CipherContext *, const Cipher *, const u_char *, u_int,
const u_char *, u_int, int);
void cipher_crypt(CipherContext *, u_char *, const u_char *,
u_int, u_int, u_int);
void cipher_cleanup(CipherContext *);
void cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
u_int cipher_blocksize(const Cipher *);
u_int cipher_keylen(const Cipher *);
u_int cipher_authlen(const Cipher *);

91
crypto/openssh/clientloop.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.248 2013/01/02 00:32:07 djm Exp $ */
/* $OpenBSD: clientloop.c,v 1.253 2013/06/07 15:37:52 dtucker Exp $ */
/* $FreeBSD$ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -274,7 +274,7 @@ set_control_persist_exit_time(void)
control_persist_exit_time = 0;
} else if (control_persist_exit_time <= 0) {
/* a client connection has recently closed */
control_persist_exit_time = time(NULL) +
control_persist_exit_time = monotime() +
(time_t)options.control_persist_timeout;
debug2("%s: schedule exit in %d seconds", __func__,
options.control_persist_timeout);
@ -357,7 +357,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
if (system(cmd) == 0)
generated = 1;
if (x11_refuse_time == 0) {
now = time(NULL) + 1;
now = monotime() + 1;
if (UINT_MAX - timeout < now)
x11_refuse_time = UINT_MAX;
else
@ -394,10 +394,8 @@ client_x11_get_proto(const char *display, const char *xauth_path,
unlink(xauthfile);
rmdir(xauthdir);
}
if (xauthdir)
xfree(xauthdir);
if (xauthfile)
xfree(xauthfile);
free(xauthdir);
free(xauthfile);
/*
* If we didn't get authentication data, just make up some
@ -553,7 +551,7 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
if (--gc->ref_count <= 0) {
TAILQ_REMOVE(&global_confirms, gc, entry);
bzero(gc, sizeof(*gc));
xfree(gc);
free(gc);
}
packet_set_alive_timeouts(0);
@ -584,7 +582,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
{
struct timeval tv, *tvp;
int timeout_secs;
time_t minwait_secs = 0;
time_t minwait_secs = 0, server_alive_time = 0, now = monotime();
int ret;
/* Add any selections by the channel mechanism. */
@ -633,12 +631,16 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
*/
timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
if (options.server_alive_interval > 0 && compat20)
if (options.server_alive_interval > 0 && compat20) {
timeout_secs = options.server_alive_interval;
server_alive_time = now + options.server_alive_interval;
}
if (options.rekey_interval > 0 && compat20 && !rekeying)
timeout_secs = MIN(timeout_secs, packet_get_rekey_timeout());
set_control_persist_exit_time();
if (control_persist_exit_time > 0) {
timeout_secs = MIN(timeout_secs,
control_persist_exit_time - time(NULL));
control_persist_exit_time - now);
if (timeout_secs < 0)
timeout_secs = 0;
}
@ -670,8 +672,15 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno));
buffer_append(&stderr_buffer, buf, strlen(buf));
quit_pending = 1;
} else if (ret == 0)
server_alive_check();
} else if (ret == 0) {
/*
* Timeout. Could have been either keepalive or rekeying.
* Keepalive we check here, rekeying is checked in clientloop.
*/
if (server_alive_time != 0 && server_alive_time <= monotime())
server_alive_check();
}
}
static void
@ -816,13 +825,13 @@ client_status_confirm(int type, Channel *c, void *ctx)
chan_write_failed(c);
}
}
xfree(cr);
free(cr);
}
static void
client_abandon_status_confirm(Channel *c, void *ctx)
{
xfree(ctx);
free(ctx);
}
void
@ -989,12 +998,9 @@ process_cmdline(void)
out:
signal(SIGINT, handler);
enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
if (cmd)
xfree(cmd);
if (fwd.listen_host != NULL)
xfree(fwd.listen_host);
if (fwd.connect_host != NULL)
xfree(fwd.connect_host);
free(cmd);
free(fwd.listen_host);
free(fwd.connect_host);
}
/* reasons to suppress output of an escape command in help output */
@ -1104,8 +1110,11 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
if (c && c->ctl_chan != -1) {
chan_read_failed(c);
chan_write_failed(c);
mux_master_session_cleanup_cb(c->self,
NULL);
if (c->detach_user)
c->detach_user(c->self, NULL);
c->type = SSH_CHANNEL_ABANDONED;
buffer_clear(&c->input);
chan_ibuf_empty(c);
return 0;
} else
quit_pending = 1;
@ -1251,7 +1260,7 @@ process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr,
buffer_append(berr, string, strlen(string));
s = channel_open_message();
buffer_append(berr, s, strlen(s));
xfree(s);
free(s);
continue;
case 'C':
@ -1440,7 +1449,7 @@ client_new_escape_filter_ctx(int escape_char)
void
client_filter_cleanup(int cid, void *ctx)
{
xfree(ctx);
free(ctx);
}
int
@ -1645,16 +1654,14 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
* connections, then quit.
*/
if (control_persist_exit_time > 0) {
if (time(NULL) >= control_persist_exit_time) {
if (monotime() >= control_persist_exit_time) {
debug("ControlPersist timeout expired");
break;
}
}
}
if (readset)
xfree(readset);
if (writeset)
xfree(writeset);
free(readset);
free(writeset);
/* Terminate the session. */
@ -1756,7 +1763,7 @@ client_input_stdout_data(int type, u_int32_t seq, void *ctxt)
packet_check_eom();
buffer_append(&stdout_buffer, data, data_len);
memset(data, 0, data_len);
xfree(data);
free(data);
}
static void
client_input_stderr_data(int type, u_int32_t seq, void *ctxt)
@ -1766,7 +1773,7 @@ client_input_stderr_data(int type, u_int32_t seq, void *ctxt)
packet_check_eom();
buffer_append(&stderr_buffer, data, data_len);
memset(data, 0, data_len);
xfree(data);
free(data);
}
static void
client_input_exit_status(int type, u_int32_t seq, void *ctxt)
@ -1846,8 +1853,8 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
c = channel_connect_by_listen_address(listen_port,
"forwarded-tcpip", originator_address);
xfree(originator_address);
xfree(listen_address);
free(originator_address);
free(listen_address);
return c;
}
@ -1865,7 +1872,7 @@ client_request_x11(const char *request_type, int rchan)
"malicious server.");
return NULL;
}
if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time) {
if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) {
verbose("Rejected X11 connection after ForwardX11Timeout "
"expired");
return NULL;
@ -1881,7 +1888,7 @@ client_request_x11(const char *request_type, int rchan)
/* XXX check permission */
debug("client_request_x11: request from %s %d", originator,
originator_port);
xfree(originator);
free(originator);
sock = x11_connect_display();
if (sock < 0)
return NULL;
@ -2025,7 +2032,7 @@ client_input_channel_open(int type, u_int32_t seq, void *ctxt)
}
packet_send();
}
xfree(ctype);
free(ctype);
}
static void
client_input_channel_req(int type, u_int32_t seq, void *ctxt)
@ -2071,7 +2078,7 @@ client_input_channel_req(int type, u_int32_t seq, void *ctxt)
packet_put_int(c->remote_id);
packet_send();
}
xfree(rtype);
free(rtype);
}
static void
client_input_global_request(int type, u_int32_t seq, void *ctxt)
@ -2090,7 +2097,7 @@ client_input_global_request(int type, u_int32_t seq, void *ctxt)
packet_send();
packet_write_wait();
}
xfree(rtype);
free(rtype);
}
void
@ -2140,7 +2147,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
/* Split */
name = xstrdup(env[i]);
if ((val = strchr(name, '=')) == NULL) {
xfree(name);
free(name);
continue;
}
*val++ = '\0';
@ -2154,7 +2161,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
}
if (!matched) {
debug3("Ignored env %s", name);
xfree(name);
free(name);
continue;
}
@ -2163,7 +2170,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
packet_put_cstring(name);
packet_put_cstring(val);
packet_send();
xfree(name);
free(name);
}
}

3
crypto/openssh/clientloop.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.h,v 1.30 2012/08/17 00:45:45 dtucker Exp $ */
/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -76,5 +76,4 @@ void muxserver_listen(void);
void muxclient(const char *);
void mux_exit_message(Channel *, int);
void mux_tty_alloc_failed(Channel *);
void mux_master_session_cleanup_cb(int, void *);

6
crypto/openssh/compat.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: compat.c,v 1.80 2012/08/17 01:30:00 djm Exp $ */
/* $OpenBSD: compat.c,v 1.81 2013/05/17 00:13:13 djm Exp $ */
/* $FreeBSD$ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
@ -215,7 +215,7 @@ proto_spec(const char *spec)
break;
}
}
xfree(s);
free(s);
return ret;
}
@ -241,7 +241,7 @@ compat_cipher_proposal(char *cipher_prop)
buffer_append(&b, "\0", 1);
fix_ciphers = xstrdup(buffer_ptr(&b));
buffer_free(&b);
xfree(orig_prop);
free(orig_prop);
debug2("Original cipher proposal: %s", cipher_prop);
debug2("Compat cipher proposal: %s", fix_ciphers);
if (!*fix_ciphers)

262
crypto/openssh/config.guess vendored
View File

@ -2,9 +2,9 @@
# Attempt to guess a canonical system name.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
# 2011 Free Software Foundation, Inc.
# 2011, 2012, 2013 Free Software Foundation, Inc.
timestamp='2011-01-23'
timestamp='2012-12-23'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@ -17,9 +17,7 @@ timestamp='2011-01-23'
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@ -57,8 +55,8 @@ GNU config.guess ($timestamp)
Originally written by Per Bothner.
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
Software Foundation, Inc.
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011,
2012, 2013 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -145,7 +143,7 @@ UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
*:NetBSD:*:*)
# NetBSD (nbsd) targets should (where applicable) match one or
# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
# *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
# switched to ELF, *-*-netbsd* would select the old
# object file format. This provides both forward
@ -181,7 +179,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
fi
;;
*)
os=netbsd
os=netbsd
;;
esac
# The OS release
@ -202,6 +200,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
echo "${machine}-${os}${release}"
exit ;;
*:Bitrig:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
exit ;;
*:OpenBSD:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
@ -224,7 +226,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
;;
*5.*)
UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
;;
esac
# According to Compaq, /usr/sbin/psrinfo has been available on
@ -299,12 +301,12 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
echo s390-ibm-zvmoe
exit ;;
*:OS400:*:*)
echo powerpc-ibm-os400
echo powerpc-ibm-os400
exit ;;
arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
echo arm-acorn-riscix${UNAME_RELEASE}
exit ;;
arm:riscos:*:*|arm:RISCOS:*:*)
arm*:riscos:*:*|arm*:RISCOS:*:*)
echo arm-unknown-riscos
exit ;;
SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
@ -398,23 +400,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
# MiNT. But MiNT is downward compatible to TOS, so this should
# be no problem.
atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
echo m68k-atari-mint${UNAME_RELEASE}
echo m68k-atari-mint${UNAME_RELEASE}
exit ;;
atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
echo m68k-atari-mint${UNAME_RELEASE}
exit ;;
exit ;;
*falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
echo m68k-atari-mint${UNAME_RELEASE}
echo m68k-atari-mint${UNAME_RELEASE}
exit ;;
milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
echo m68k-milan-mint${UNAME_RELEASE}
exit ;;
echo m68k-milan-mint${UNAME_RELEASE}
exit ;;
hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
echo m68k-hades-mint${UNAME_RELEASE}
exit ;;
echo m68k-hades-mint${UNAME_RELEASE}
exit ;;
*:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
echo m68k-unknown-mint${UNAME_RELEASE}
exit ;;
echo m68k-unknown-mint${UNAME_RELEASE}
exit ;;
m68k:machten:*:*)
echo m68k-apple-machten${UNAME_RELEASE}
exit ;;
@ -484,8 +486,8 @@ EOF
echo m88k-motorola-sysv3
exit ;;
AViiON:dgux:*:*)
# DG/UX returns AViiON for all architectures
UNAME_PROCESSOR=`/usr/bin/uname -p`
# DG/UX returns AViiON for all architectures
UNAME_PROCESSOR=`/usr/bin/uname -p`
if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
then
if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
@ -498,7 +500,7 @@ EOF
else
echo i586-dg-dgux${UNAME_RELEASE}
fi
exit ;;
exit ;;
M88*:DolphinOS:*:*) # DolphinOS (SVR3)
echo m88k-dolphin-sysv3
exit ;;
@ -598,52 +600,52 @@ EOF
9000/[678][0-9][0-9])
if [ -x /usr/bin/getconf ]; then
sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
case "${sc_cpu_version}" in
523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
532) # CPU_PA_RISC2_0
case "${sc_kernel_bits}" in
32) HP_ARCH="hppa2.0n" ;;
64) HP_ARCH="hppa2.0w" ;;
sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
case "${sc_cpu_version}" in
523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
532) # CPU_PA_RISC2_0
case "${sc_kernel_bits}" in
32) HP_ARCH="hppa2.0n" ;;
64) HP_ARCH="hppa2.0w" ;;
'') HP_ARCH="hppa2.0" ;; # HP-UX 10.20
esac ;;
esac
esac ;;
esac
fi
if [ "${HP_ARCH}" = "" ]; then
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
sed 's/^ //' << EOF >$dummy.c
#define _HPUX_SOURCE
#include <stdlib.h>
#include <unistd.h>
#define _HPUX_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main ()
{
#if defined(_SC_KERNEL_BITS)
long bits = sysconf(_SC_KERNEL_BITS);
#endif
long cpu = sysconf (_SC_CPU_VERSION);
int main ()
{
#if defined(_SC_KERNEL_BITS)
long bits = sysconf(_SC_KERNEL_BITS);
#endif
long cpu = sysconf (_SC_CPU_VERSION);
switch (cpu)
{
case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
case CPU_PA_RISC2_0:
#if defined(_SC_KERNEL_BITS)
switch (bits)
{
case 64: puts ("hppa2.0w"); break;
case 32: puts ("hppa2.0n"); break;
default: puts ("hppa2.0"); break;
} break;
#else /* !defined(_SC_KERNEL_BITS) */
puts ("hppa2.0"); break;
#endif
default: puts ("hppa1.0"); break;
}
exit (0);
}
switch (cpu)
{
case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
case CPU_PA_RISC2_0:
#if defined(_SC_KERNEL_BITS)
switch (bits)
{
case 64: puts ("hppa2.0w"); break;
case 32: puts ("hppa2.0n"); break;
default: puts ("hppa2.0"); break;
} break;
#else /* !defined(_SC_KERNEL_BITS) */
puts ("hppa2.0"); break;
#endif
default: puts ("hppa1.0"); break;
}
exit (0);
}
EOF
(CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
test -z "$HP_ARCH" && HP_ARCH=hppa
@ -734,22 +736,22 @@ EOF
exit ;;
C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
echo c1-convex-bsd
exit ;;
exit ;;
C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
if getsysinfo -f scalar_acc
then echo c32-convex-bsd
else echo c2-convex-bsd
fi
exit ;;
exit ;;
C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
echo c34-convex-bsd
exit ;;
exit ;;
C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
echo c38-convex-bsd
exit ;;
exit ;;
C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
echo c4-convex-bsd
exit ;;
exit ;;
CRAY*Y-MP:*:*:*)
echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
exit ;;
@ -773,14 +775,14 @@ EOF
exit ;;
F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
5000:UNIX_System_V:4.*:*)
FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
@ -792,30 +794,35 @@ EOF
echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
exit ;;
*:FreeBSD:*:*)
case ${UNAME_MACHINE} in
pc98)
echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
UNAME_PROCESSOR=`/usr/bin/uname -p`
case ${UNAME_PROCESSOR} in
amd64)
echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
*)
echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
esac
exit ;;
i*:CYGWIN*:*)
echo ${UNAME_MACHINE}-pc-cygwin
exit ;;
*:MINGW64*:*)
echo ${UNAME_MACHINE}-pc-mingw64
exit ;;
*:MINGW*:*)
echo ${UNAME_MACHINE}-pc-mingw32
exit ;;
i*:MSYS*:*)
echo ${UNAME_MACHINE}-pc-msys
exit ;;
i*:windows32*:*)
# uname -m includes "-pc" on this system.
echo ${UNAME_MACHINE}-mingw32
# uname -m includes "-pc" on this system.
echo ${UNAME_MACHINE}-mingw32
exit ;;
i*:PW*:*)
echo ${UNAME_MACHINE}-pc-pw32
exit ;;
*:Interix*:*)
case ${UNAME_MACHINE} in
case ${UNAME_MACHINE} in
x86)
echo i586-pc-interix${UNAME_RELEASE}
exit ;;
@ -861,6 +868,13 @@ EOF
i*86:Minix:*:*)
echo ${UNAME_MACHINE}-pc-minix
exit ;;
aarch64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
aarch64_be:Linux:*:*)
UNAME_MACHINE=aarch64_be
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
alpha:Linux:*:*)
case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
EV5) UNAME_MACHINE=alphaev5 ;;
@ -870,7 +884,7 @@ EOF
EV6) UNAME_MACHINE=alphaev6 ;;
EV67) UNAME_MACHINE=alphaev67 ;;
EV68*) UNAME_MACHINE=alphaev68 ;;
esac
esac
objdump --private-headers /bin/sh | grep -q ld.so.1
if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
@ -882,20 +896,29 @@ EOF
then
echo ${UNAME_MACHINE}-unknown-linux-gnu
else
echo ${UNAME_MACHINE}-unknown-linux-gnueabi
if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ARM_PCS_VFP
then
echo ${UNAME_MACHINE}-unknown-linux-gnueabi
else
echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
fi
fi
exit ;;
avr32*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
cris:Linux:*:*)
echo cris-axis-linux-gnu
echo ${UNAME_MACHINE}-axis-linux-gnu
exit ;;
crisv32:Linux:*:*)
echo crisv32-axis-linux-gnu
echo ${UNAME_MACHINE}-axis-linux-gnu
exit ;;
frv:Linux:*:*)
echo frv-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
hexagon:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
i*86:Linux:*:*)
LIBC=gnu
@ -937,7 +960,7 @@ EOF
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
;;
or32:Linux:*:*)
echo or32-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
padre:Linux:*:*)
echo sparc-unknown-linux-gnu
@ -963,7 +986,7 @@ EOF
echo ${UNAME_MACHINE}-ibm-linux
exit ;;
sh64*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
sh*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
@ -972,16 +995,16 @@ EOF
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
tile*:Linux:*:*)
echo ${UNAME_MACHINE}-tilera-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
vax:Linux:*:*)
echo ${UNAME_MACHINE}-dec-linux-gnu
exit ;;
x86_64:Linux:*:*)
echo x86_64-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
xtensa*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-gnu
exit ;;
i*86:DYNIX/ptx:4*:*)
# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
@ -990,11 +1013,11 @@ EOF
echo i386-sequent-sysv4
exit ;;
i*86:UNIX_SV:4.2MP:2.*)
# Unixware is an offshoot of SVR4, but it has its own version
# number series starting with 2...
# I am not positive that other SVR4 systems won't match this,
# Unixware is an offshoot of SVR4, but it has its own version
# number series starting with 2...
# I am not positive that other SVR4 systems won't match this,
# I just have to hope. -- rms.
# Use sysv4.2uw... so that sysv4* matches it.
# Use sysv4.2uw... so that sysv4* matches it.
echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
exit ;;
i*86:OS/2:*:*)
@ -1026,7 +1049,7 @@ EOF
fi
exit ;;
i*86:*:5:[678]*)
# UnixWare 7.x, OpenUNIX and OpenServer 6.
# UnixWare 7.x, OpenUNIX and OpenServer 6.
case `/bin/uname -X | grep "^Machine"` in
*486*) UNAME_MACHINE=i486 ;;
*Pentium) UNAME_MACHINE=i586 ;;
@ -1054,13 +1077,13 @@ EOF
exit ;;
pc:*:*:*)
# Left here for compatibility:
# uname -m prints for DJGPP always 'pc', but it prints nothing about
# the processor, so we play safe by assuming i586.
# uname -m prints for DJGPP always 'pc', but it prints nothing about
# the processor, so we play safe by assuming i586.
# Note: whatever this is, it MUST be the same as what config.sub
# prints for the "djgpp" host, or else GDB configury will decide that
# this is a cross-build.
echo i586-pc-msdosdjgpp
exit ;;
exit ;;
Intel:Mach:3*:*)
echo i386-pc-mach3
exit ;;
@ -1095,8 +1118,8 @@ EOF
/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
&& { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
&& { echo i486-ncr-sysv4; exit; } ;;
/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
&& { echo i486-ncr-sysv4; exit; } ;;
NCR*:*:4.2:* | MPRAS*:*:4.2:*)
OS_REL='.3'
test -r /etc/.relid \
@ -1139,10 +1162,10 @@ EOF
echo ns32k-sni-sysv
fi
exit ;;
PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
# says <Richard.M.Bartel@ccMail.Census.GOV>
echo i586-unisys-sysv4
exit ;;
PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
# says <Richard.M.Bartel@ccMail.Census.GOV>
echo i586-unisys-sysv4
exit ;;
*:UNIX_System_V:4*:FTX*)
# From Gerald Hewes <hewes@openmarket.com>.
# How about differentiating between stratus architectures? -djm
@ -1168,11 +1191,11 @@ EOF
exit ;;
R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
if [ -d /usr/nec ]; then
echo mips-nec-sysv${UNAME_RELEASE}
echo mips-nec-sysv${UNAME_RELEASE}
else
echo mips-unknown-sysv${UNAME_RELEASE}
echo mips-unknown-sysv${UNAME_RELEASE}
fi
exit ;;
exit ;;
BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
echo powerpc-be-beos
exit ;;
@ -1185,6 +1208,9 @@ EOF
BePC:Haiku:*:*) # Haiku running on Intel PC compatible.
echo i586-pc-haiku
exit ;;
x86_64:Haiku:*:*)
echo x86_64-unknown-haiku
exit ;;
SX-4:SUPER-UX:*:*)
echo sx4-nec-superux${UNAME_RELEASE}
exit ;;
@ -1240,7 +1266,7 @@ EOF
NEO-?:NONSTOP_KERNEL:*:*)
echo neo-tandem-nsk${UNAME_RELEASE}
exit ;;
NSE-?:NONSTOP_KERNEL:*:*)
NSE-*:NONSTOP_KERNEL:*:*)
echo nse-tandem-nsk${UNAME_RELEASE}
exit ;;
NSR-?:NONSTOP_KERNEL:*:*)
@ -1285,13 +1311,13 @@ EOF
echo pdp10-unknown-its
exit ;;
SEI:*:*:SEIUX)
echo mips-sei-seiux${UNAME_RELEASE}
echo mips-sei-seiux${UNAME_RELEASE}
exit ;;
*:DragonFly:*:*)
echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
exit ;;
*:*VMS:*:*)
UNAME_MACHINE=`(uname -p) 2>/dev/null`
UNAME_MACHINE=`(uname -p) 2>/dev/null`
case "${UNAME_MACHINE}" in
A*) echo alpha-dec-vms ; exit ;;
I*) echo ia64-dec-vms ; exit ;;
@ -1309,11 +1335,11 @@ EOF
i*86:AROS:*:*)
echo ${UNAME_MACHINE}-pc-aros
exit ;;
x86_64:VMkernel:*:*)
echo ${UNAME_MACHINE}-unknown-esx
exit ;;
esac
#echo '(No uname command or uname output not recognized.)' 1>&2
#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
eval $set_cc_for_build
cat >$dummy.c <<EOF
#ifdef _SEQUENT_
@ -1331,11 +1357,11 @@ main ()
#include <sys/param.h>
printf ("m68k-sony-newsos%s\n",
#ifdef NEWSOS4
"4"
"4"
#else
""
""
#endif
); exit (0);
); exit (0);
#endif
#endif

90
crypto/openssh/config.h
View File

@ -157,7 +157,7 @@
/* #undef GLOB_HAS_GL_STATV */
/* Define this if you want GSSAPI support in the version 2 protocol */
/* #undef GSSAPI */
#define GSSAPI 1
/* Define if you want to use shadow password expire field */
/* #undef HAS_SHADOW_EXPIRE */
@ -231,6 +231,9 @@
/* Define to 1 if you have the `clock' function. */
#define HAVE_CLOCK 1
/* Have clock_gettime */
#define HAVE_CLOCK_GETTIME 1
/* define if you have clock_t data type */
#define HAVE_CLOCK_T 1
@ -243,6 +246,9 @@
/* Define if your system uses ancillary data style file descriptor passing */
#define HAVE_CONTROL_IN_MSGHDR 1
/* Define to 1 if you have the `crypt' function. */
#define HAVE_CRYPT 1
/* Define to 1 if you have the <crypto/sha2.h> header file. */
/* #undef HAVE_CRYPTO_SHA2_H */
@ -265,7 +271,11 @@
/* Define to 1 if you have the declaration of `GSS_C_NT_HOSTBASED_SERVICE',
and to 0 if you don't. */
/* #undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE */
#define HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE 1
/* Define to 1 if you have the declaration of `howmany', and to 0 if you
don't. */
#define HAVE_DECL_HOWMANY 1
/* Define to 1 if you have the declaration of `h_errno', and to 0 if you
don't. */
@ -287,6 +297,10 @@
don't. */
#define HAVE_DECL_MAXSYMLINKS 1
/* Define to 1 if you have the declaration of `NFDBITS', and to 0 if you
don't. */
#define HAVE_DECL_NFDBITS 1
/* Define to 1 if you have the declaration of `offsetof', and to 0 if you
don't. */
#define HAVE_DECL_OFFSETOF 1
@ -319,6 +333,9 @@
don't. */
#define HAVE_DECL__GETSHORT 0
/* Define to 1 if you have the `DES_crypt' function. */
#define HAVE_DES_CRYPT 1
/* Define if you have /dev/ptmx */
/* #undef HAVE_DEV_PTMX */
@ -340,6 +357,9 @@
/* Define to 1 if you have the <elf.h> header file. */
#define HAVE_ELF_H 1
/* Define to 1 if you have the `endgrent' function. */
#define HAVE_ENDGRENT 1
/* Define to 1 if you have the <endian.h> header file. */
/* #undef HAVE_ENDIAN_H */
@ -373,6 +393,9 @@
/* Define to 1 if you have the <fcntl.h> header file. */
#define HAVE_FCNTL_H 1
/* Define to 1 if the system has the type `fd_mask'. */
#define HAVE_FD_MASK 1
/* Define to 1 if you have the <features.h> header file. */
/* #undef HAVE_FEATURES_H */
@ -512,10 +535,10 @@
/* #undef HAVE_GSSAPI_GSSAPI_GENERIC_H */
/* Define to 1 if you have the <gssapi/gssapi.h> header file. */
/* #undef HAVE_GSSAPI_GSSAPI_H */
#define HAVE_GSSAPI_GSSAPI_H 1
/* Define to 1 if you have the <gssapi/gssapi_krb5.h> header file. */
/* #undef HAVE_GSSAPI_GSSAPI_KRB5_H */
#define HAVE_GSSAPI_GSSAPI_KRB5_H 1
/* Define to 1 if you have the <gssapi.h> header file. */
/* #undef HAVE_GSSAPI_H */
@ -577,6 +600,15 @@
/* Define if you have isblank(3C). */
#define HAVE_ISBLANK 1
/* Define to 1 if you have the `krb5_cc_new_unique' function. */
#define HAVE_KRB5_CC_NEW_UNIQUE 1
/* Define to 1 if you have the `krb5_free_error_message' function. */
#define HAVE_KRB5_FREE_ERROR_MESSAGE 1
/* Define to 1 if you have the `krb5_get_error_message' function. */
#define HAVE_KRB5_GET_ERROR_MESSAGE 1
/* Define to 1 if you have the <lastlog.h> header file. */
/* #undef HAVE_LASTLOG_H */
@ -637,6 +669,9 @@
/* Define to 1 if you have the <linux/seccomp.h> header file. */
/* #undef HAVE_LINUX_SECCOMP_H */
/* Define to 1 if you have the <locale.h> header file. */
#define HAVE_LOCALE_H 1
/* Define to 1 if you have the `login' function. */
/* #undef HAVE_LOGIN */
@ -664,6 +699,9 @@
/* Define to 1 if you have the <maillock.h> header file. */
/* #undef HAVE_MAILLOCK_H */
/* Define to 1 if you have the `mblen' function. */
#define HAVE_MBLEN 1
/* Define to 1 if you have the `md5_crypt' function. */
/* #undef HAVE_MD5_CRYPT */
@ -770,15 +808,6 @@
/* Define to 1 if you have the `pututxline' function. */
#define HAVE_PUTUTXLINE 1
/* Define if your password has a pw_change field */
#define HAVE_PW_CHANGE_IN_PASSWD 1
/* Define if your password has a pw_class field */
#define HAVE_PW_CLASS_IN_PASSWD 1
/* Define if your password has a pw_expire field */
#define HAVE_PW_EXPIRE_IN_PASSWD 1
/* Define to 1 if you have the `readpassphrase' function. */
#define HAVE_READPASSPHRASE 1
@ -815,6 +844,9 @@
/* define if you have sa_family_t data type */
#define HAVE_SA_FAMILY_T 1
/* Define to 1 if you have the `scan_scaled' function. */
/* #undef HAVE_SCAN_SCALED */
/* Define if you have SecureWare-based protected password database */
/* #undef HAVE_SECUREWARE */
@ -1004,6 +1036,18 @@
/* define if you have struct in6_addr data type */
#define HAVE_STRUCT_IN6_ADDR 1
/* Define to 1 if `pw_change' is a member of `struct passwd'. */
#define HAVE_STRUCT_PASSWD_PW_CHANGE 1
/* Define to 1 if `pw_class' is a member of `struct passwd'. */
#define HAVE_STRUCT_PASSWD_PW_CLASS 1
/* Define to 1 if `pw_expire' is a member of `struct passwd'. */
#define HAVE_STRUCT_PASSWD_PW_EXPIRE 1
/* Define to 1 if `pw_gecos' is a member of `struct passwd'. */
#define HAVE_STRUCT_PASSWD_PW_GECOS 1
/* define if you have struct sockaddr_in6 data type */
#define HAVE_STRUCT_SOCKADDR_IN6 1
@ -1266,7 +1310,7 @@
#define HAVE___func__ 1
/* Define this if you are using the Heimdal version of Kerberos V5 */
/* #undef HEIMDAL */
#define HEIMDAL 1
/* Define if you need to use IP address instead of hostname in $DISPLAY */
/* #undef IPADDR_IN_DISPLAY */
@ -1278,7 +1322,7 @@
/* #undef IP_TOS_IS_BROKEN */
/* Define if you want Kerberos 5 support */
/* #undef KRB5 */
#define KRB5 1
/* Define if pututxline updates lastlog too */
/* #undef LASTLOG_WRITE_PUTUTXLINE */
@ -1324,15 +1368,6 @@
/* Set this to your mail directory if you do not have _PATH_MAILDIR */
/* #undef MAIL_DIRECTORY */
/* Define on *nto-qnx systems */
/* #undef MISSING_FD_MASK */
/* Define on *nto-qnx systems */
/* #undef MISSING_HOWMANY */
/* Define on *nto-qnx systems */
/* #undef MISSING_NFDBITS */
/* Need setpgrp to acquire controlling tty */
/* #undef NEED_SETPGRP */
@ -1434,7 +1469,7 @@
#define SIZEOF_INT 4
/* The size of `long int', as computed by sizeof. */
#define SIZEOF_LONG_INT 4
#define SIZEOF_LONG_INT 8
/* The size of `long long int', as computed by sizeof. */
#define SIZEOF_LONG_LONG_INT 8
@ -1570,11 +1605,6 @@
/* Define if xauth is found in your path */
/* #undef XAUTH_PATH */
/* Enable large inode numbers on Mac OS X 10.5. */
#ifndef _DARWIN_USE_64_BIT_INODE
# define _DARWIN_USE_64_BIT_INODE 1
#endif
/* Number of bits in a file offset, on hosts where this is settable. */
/* #undef _FILE_OFFSET_BITS */

71
crypto/openssh/config.h.in
View File

@ -230,6 +230,9 @@
/* Define to 1 if you have the `clock' function. */
#undef HAVE_CLOCK
/* Have clock_gettime */
#undef HAVE_CLOCK_GETTIME
/* define if you have clock_t data type */
#undef HAVE_CLOCK_T
@ -242,6 +245,9 @@
/* Define if your system uses ancillary data style file descriptor passing */
#undef HAVE_CONTROL_IN_MSGHDR
/* Define to 1 if you have the `crypt' function. */
#undef HAVE_CRYPT
/* Define to 1 if you have the <crypto/sha2.h> header file. */
#undef HAVE_CRYPTO_SHA2_H
@ -266,6 +272,10 @@
and to 0 if you don't. */
#undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE
/* Define to 1 if you have the declaration of `howmany', and to 0 if you
don't. */
#undef HAVE_DECL_HOWMANY
/* Define to 1 if you have the declaration of `h_errno', and to 0 if you
don't. */
#undef HAVE_DECL_H_ERRNO
@ -286,6 +296,10 @@
don't. */
#undef HAVE_DECL_MAXSYMLINKS
/* Define to 1 if you have the declaration of `NFDBITS', and to 0 if you
don't. */
#undef HAVE_DECL_NFDBITS
/* Define to 1 if you have the declaration of `offsetof', and to 0 if you
don't. */
#undef HAVE_DECL_OFFSETOF
@ -318,6 +332,9 @@
don't. */
#undef HAVE_DECL__GETSHORT
/* Define to 1 if you have the `DES_crypt' function. */
#undef HAVE_DES_CRYPT
/* Define if you have /dev/ptmx */
#undef HAVE_DEV_PTMX
@ -339,6 +356,9 @@
/* Define to 1 if you have the <elf.h> header file. */
#undef HAVE_ELF_H
/* Define to 1 if you have the `endgrent' function. */
#undef HAVE_ENDGRENT
/* Define to 1 if you have the <endian.h> header file. */
#undef HAVE_ENDIAN_H
@ -372,6 +392,9 @@
/* Define to 1 if you have the <fcntl.h> header file. */
#undef HAVE_FCNTL_H
/* Define to 1 if the system has the type `fd_mask'. */
#undef HAVE_FD_MASK
/* Define to 1 if you have the <features.h> header file. */
#undef HAVE_FEATURES_H
@ -576,6 +599,15 @@
/* Define if you have isblank(3C). */
#undef HAVE_ISBLANK
/* Define to 1 if you have the `krb5_cc_new_unique' function. */
#undef HAVE_KRB5_CC_NEW_UNIQUE
/* Define to 1 if you have the `krb5_free_error_message' function. */
#undef HAVE_KRB5_FREE_ERROR_MESSAGE
/* Define to 1 if you have the `krb5_get_error_message' function. */
#undef HAVE_KRB5_GET_ERROR_MESSAGE
/* Define to 1 if you have the <lastlog.h> header file. */
#undef HAVE_LASTLOG_H
@ -636,6 +668,9 @@
/* Define to 1 if you have the <linux/seccomp.h> header file. */
#undef HAVE_LINUX_SECCOMP_H
/* Define to 1 if you have the <locale.h> header file. */
#undef HAVE_LOCALE_H
/* Define to 1 if you have the `login' function. */
#undef HAVE_LOGIN
@ -663,6 +698,9 @@
/* Define to 1 if you have the <maillock.h> header file. */
#undef HAVE_MAILLOCK_H
/* Define to 1 if you have the `mblen' function. */
#undef HAVE_MBLEN
/* Define to 1 if you have the `md5_crypt' function. */
#undef HAVE_MD5_CRYPT
@ -769,15 +807,6 @@
/* Define to 1 if you have the `pututxline' function. */
#undef HAVE_PUTUTXLINE
/* Define if your password has a pw_change field */
#undef HAVE_PW_CHANGE_IN_PASSWD
/* Define if your password has a pw_class field */
#undef HAVE_PW_CLASS_IN_PASSWD
/* Define if your password has a pw_expire field */
#undef HAVE_PW_EXPIRE_IN_PASSWD
/* Define to 1 if you have the `readpassphrase' function. */
#undef HAVE_READPASSPHRASE
@ -814,6 +843,9 @@
/* define if you have sa_family_t data type */
#undef HAVE_SA_FAMILY_T
/* Define to 1 if you have the `scan_scaled' function. */
#undef HAVE_SCAN_SCALED
/* Define if you have SecureWare-based protected password database */
#undef HAVE_SECUREWARE
@ -1003,6 +1035,18 @@
/* define if you have struct in6_addr data type */
#undef HAVE_STRUCT_IN6_ADDR
/* Define to 1 if `pw_change' is a member of `struct passwd'. */
#undef HAVE_STRUCT_PASSWD_PW_CHANGE
/* Define to 1 if `pw_class' is a member of `struct passwd'. */
#undef HAVE_STRUCT_PASSWD_PW_CLASS
/* Define to 1 if `pw_expire' is a member of `struct passwd'. */
#undef HAVE_STRUCT_PASSWD_PW_EXPIRE
/* Define to 1 if `pw_gecos' is a member of `struct passwd'. */
#undef HAVE_STRUCT_PASSWD_PW_GECOS
/* define if you have struct sockaddr_in6 data type */
#undef HAVE_STRUCT_SOCKADDR_IN6
@ -1323,15 +1367,6 @@
/* Set this to your mail directory if you do not have _PATH_MAILDIR */
#undef MAIL_DIRECTORY
/* Define on *nto-qnx systems */
#undef MISSING_FD_MASK
/* Define on *nto-qnx systems */
#undef MISSING_HOWMANY
/* Define on *nto-qnx systems */
#undef MISSING_NFDBITS
/* Need setpgrp to acquire controlling tty */
#undef NEED_SETPGRP

24
crypto/openssh/defines.h
View File

@ -25,7 +25,7 @@
#ifndef _DEFINES_H
#define _DEFINES_H
/* $Id: defines.h,v 1.171 2013/03/07 09:06:13 dtucker Exp $ */
/* $Id: defines.h,v 1.172 2013/06/01 21:18:48 dtucker Exp $ */
/* Constants */
@ -171,11 +171,6 @@ enum
# define MAP_FAILED ((void *)-1)
#endif
/* *-*-nto-qnx doesn't define this constant in the system headers */
#ifdef MISSING_NFDBITS
# define NFDBITS (8 * sizeof(unsigned long))
#endif
/*
SCO Open Server 3 has INADDR_LOOPBACK defined in rpc/rpc.h but
including rpc/rpc.h breaks Solaris 6
@ -355,11 +350,19 @@ struct winsize {
};
#endif
/* *-*-nto-qnx does not define this type in the system headers */
#ifdef MISSING_FD_MASK
/* bits needed for select that may not be in the system headers */
#ifndef HAVE_FD_MASK
typedef unsigned long int fd_mask;
#endif
#if defined(HAVE_DECL_NFDBITS) && HAVE_DECL_NFDBITS == 0
# define NFDBITS (8 * sizeof(unsigned long))
#endif
#if defined(HAVE_DECL_HOWMANY) && HAVE_DECL_HOWMANY == 0
# define howmany(x,y) (((x)+((y)-1))/(y))
#endif
/* Paths */
#ifndef _PATH_BSHELL
@ -484,11 +487,6 @@ struct winsize {
# define __nonnull__(x)
#endif
/* *-*-nto-qnx doesn't define this macro in the system headers */
#ifdef MISSING_HOWMANY
# define howmany(x,y) (((x)+((y)-1))/(y))
#endif
#ifndef OSSH_ALIGNBYTES
#define OSSH_ALIGNBYTES (sizeof(int) - 1)
#endif

74
crypto/openssh/dh.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dh.c,v 1.49 2011/12/07 05:44:38 djm Exp $ */
/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
*
@ -48,6 +48,7 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
const char *errstr = NULL;
long long n;
dhg->p = dhg->g = NULL;
cp = line;
if ((arg = strdelim(&cp)) == NULL)
return 0;
@ -59,66 +60,85 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
/* time */
if (cp == NULL || *arg == '\0')
goto fail;
goto truncated;
arg = strsep(&cp, " "); /* type */
if (cp == NULL || *arg == '\0')
goto fail;
goto truncated;
/* Ensure this is a safe prime */
n = strtonum(arg, 0, 5, &errstr);
if (errstr != NULL || n != MODULI_TYPE_SAFE)
if (errstr != NULL || n != MODULI_TYPE_SAFE) {
error("moduli:%d: type is not %d", linenum, MODULI_TYPE_SAFE);
goto fail;
}
arg = strsep(&cp, " "); /* tests */
if (cp == NULL || *arg == '\0')
goto fail;
goto truncated;
/* Ensure prime has been tested and is not composite */
n = strtonum(arg, 0, 0x1f, &errstr);
if (errstr != NULL ||
(n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE))
(n & MODULI_TESTS_COMPOSITE) || !(n & ~MODULI_TESTS_COMPOSITE)) {
error("moduli:%d: invalid moduli tests flag", linenum);
goto fail;
}
arg = strsep(&cp, " "); /* tries */
if (cp == NULL || *arg == '\0')
goto fail;
goto truncated;
n = strtonum(arg, 0, 1<<30, &errstr);
if (errstr != NULL || n == 0)
if (errstr != NULL || n == 0) {
error("moduli:%d: invalid primality trial count", linenum);
goto fail;
}
strsize = strsep(&cp, " "); /* size */
if (cp == NULL || *strsize == '\0' ||
(dhg->size = (int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
errstr)
errstr) {
error("moduli:%d: invalid prime length", linenum);
goto fail;
}
/* The whole group is one bit larger */
dhg->size++;
gen = strsep(&cp, " "); /* gen */
if (cp == NULL || *gen == '\0')
goto fail;
goto truncated;
prime = strsep(&cp, " "); /* prime */
if (cp != NULL || *prime == '\0')
if (cp != NULL || *prime == '\0') {
truncated:
error("moduli:%d: truncated", linenum);
goto fail;
}
if ((dhg->g = BN_new()) == NULL)
fatal("parse_prime: BN_new failed");
if ((dhg->p = BN_new()) == NULL)
fatal("parse_prime: BN_new failed");
if (BN_hex2bn(&dhg->g, gen) == 0)
goto failclean;
if (BN_hex2bn(&dhg->g, gen) == 0) {
error("moduli:%d: could not parse generator value", linenum);
goto fail;
}
if (BN_hex2bn(&dhg->p, prime) == 0) {
error("moduli:%d: could not parse prime value", linenum);
goto fail;
}
if (BN_num_bits(dhg->p) != dhg->size) {
error("moduli:%d: prime has wrong size: actual %d listed %d",
linenum, BN_num_bits(dhg->p), dhg->size - 1);
goto fail;
}
if (BN_cmp(dhg->g, BN_value_one()) <= 0) {
error("moduli:%d: generator is invalid", linenum);
goto fail;
}
if (BN_hex2bn(&dhg->p, prime) == 0)
goto failclean;
return 1;
if (BN_num_bits(dhg->p) != dhg->size)
goto failclean;
if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
goto failclean;
return (1);
failclean:
BN_clear_free(dhg->g);
BN_clear_free(dhg->p);
fail:
if (dhg->g != NULL)
BN_clear_free(dhg->g);
if (dhg->p != NULL)
BN_clear_free(dhg->p);
dhg->g = dhg->p = NULL;
error("Bad prime description in line %d", linenum);
return (0);
return 0;
}
DH *

10
crypto/openssh/dns.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dns.c,v 1.28 2012/05/23 03:28:28 djm Exp $ */
/* $OpenBSD: dns.c,v 1.29 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@ -261,7 +261,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
if (hostkey_digest_type != dnskey_digest_type) {
hostkey_digest_type = dnskey_digest_type;
xfree(hostkey_digest);
free(hostkey_digest);
/* Initialize host key parameters */
if (!dns_read_key(&hostkey_algorithm,
@ -281,10 +281,10 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
hostkey_digest_len) == 0)
*flags |= DNS_VERIFY_MATCH;
}
xfree(dnskey_digest);
free(dnskey_digest);
}
xfree(hostkey_digest); /* from key_fingerprint_raw() */
free(hostkey_digest); /* from key_fingerprint_raw() */
freerrset(fingerprints);
if (*flags & DNS_VERIFY_FOUND)
@ -327,7 +327,7 @@ export_dns_rr(const char *hostname, Key *key, FILE *f, int generic)
for (i = 0; i < rdata_digest_len; i++)
fprintf(f, "%02x", rdata_digest[i]);
fprintf(f, "\n");
xfree(rdata_digest); /* from key_fingerprint_raw() */
free(rdata_digest); /* from key_fingerprint_raw() */
success = 1;
}
}

26
crypto/openssh/fixalgorithms Executable file
View File

@ -0,0 +1,26 @@
#!/bin/sh
#
# fixciphers - remove unsupported ciphers from man pages.
# Usage: fixpaths /path/to/sed cipher1 [cipher2] <infile >outfile
#
# Author: Darren Tucker (dtucker at zip com.au). Placed in the public domain.
die() {
echo $*
exit -1
}
SED=$1
shift
for c in $*; do
subs="$subs -e /.Dq.$c.*$/d"
subs="$subs -e s/$c,//g"
done
# now remove any entirely empty lines
subs="$subs -e /^$/d"
${SED} $subs
exit 0

9
crypto/openssh/groupaccess.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: groupaccess.c,v 1.13 2008/07/04 03:44:59 djm Exp $ */
/* $OpenBSD: groupaccess.c,v 1.14 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2001 Kevin Steves. All rights reserved.
*
@ -31,6 +31,7 @@
#include <grp.h>
#include <unistd.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include "xmalloc.h"
@ -68,7 +69,7 @@ ga_init(const char *user, gid_t base)
for (i = 0, j = 0; i < ngroups; i++)
if ((gr = getgrgid(groups_bygid[i])) != NULL)
groups_byname[j++] = xstrdup(gr->gr_name);
xfree(groups_bygid);
free(groups_bygid);
return (ngroups = j);
}
@ -122,8 +123,8 @@ ga_free(void)
if (ngroups > 0) {
for (i = 0; i < ngroups; i++)
xfree(groups_byname[i]);
free(groups_byname[i]);
ngroups = 0;
xfree(groups_byname);
free(groups_byname);
}
}

16
crypto/openssh/gss-genr.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
/* $OpenBSD: gss-genr.c,v 1.21 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@ -59,8 +59,8 @@ void
ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len)
{
if (ctx->oid != GSS_C_NO_OID) {
xfree(ctx->oid->elements);
xfree(ctx->oid);
free(ctx->oid->elements);
free(ctx->oid);
}
ctx->oid = xmalloc(sizeof(gss_OID_desc));
ctx->oid->length = len;
@ -83,7 +83,7 @@ ssh_gssapi_error(Gssctxt *ctxt)
s = ssh_gssapi_last_error(ctxt, NULL, NULL);
debug("%s", s);
xfree(s);
free(s);
}
char *
@ -164,8 +164,8 @@ ssh_gssapi_delete_ctx(Gssctxt **ctx)
if ((*ctx)->name != GSS_C_NO_NAME)
gss_release_name(&ms, &(*ctx)->name);
if ((*ctx)->oid != GSS_C_NO_OID) {
xfree((*ctx)->oid->elements);
xfree((*ctx)->oid);
free((*ctx)->oid->elements);
free((*ctx)->oid);
(*ctx)->oid = GSS_C_NO_OID;
}
if ((*ctx)->creds != GSS_C_NO_CREDENTIAL)
@ -175,7 +175,7 @@ ssh_gssapi_delete_ctx(Gssctxt **ctx)
if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL)
gss_release_cred(&ms, &(*ctx)->client_creds);
xfree(*ctx);
free(*ctx);
*ctx = NULL;
}
@ -222,7 +222,7 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
&gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
ssh_gssapi_error(ctx);
xfree(gssbuf.value);
free(gssbuf.value);
return (ctx->major);
}

44
crypto/openssh/gss-serv-krb5.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -48,12 +48,11 @@ extern ServerOptions options;
#ifdef HEIMDAL
# include <krb5.h>
#else
# ifdef HAVE_GSSAPI_KRB5_H
# include <gssapi_krb5.h>
# elif HAVE_GSSAPI_GSSAPI_KRB5_H
# include <gssapi/gssapi_krb5.h>
# endif
#endif
#ifdef HAVE_GSSAPI_KRB5_H
# include <gssapi_krb5.h>
#elif HAVE_GSSAPI_GSSAPI_KRB5_H
# include <gssapi/gssapi_krb5.h>
#endif
static krb5_context krb_context = NULL;
@ -87,14 +86,16 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
{
krb5_principal princ;
int retval;
const char *errmsg;
if (ssh_gssapi_krb5_init() == 0)
return 0;
if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
&princ))) {
logit("krb5_parse_name(): %.100s",
krb5_get_err_text(krb_context, retval));
errmsg = krb5_get_error_message(krb_context, retval);
logit("krb5_parse_name(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return 0;
}
if (krb5_kuserok(krb_context, princ, name)) {
@ -120,6 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
krb5_principal princ;
OM_uint32 maj_status, min_status;
int len;
const char *errmsg;
if (client->creds == NULL) {
debug("No credentials stored");
@ -130,30 +132,34 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
return;
#ifdef HEIMDAL
if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
logit("krb5_cc_gen_new(): %.100s",
krb5_get_err_text(krb_context, problem));
if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
NULL, &ccache)) != 0) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_new_unique(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return;
}
#else
if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
logit("ssh_krb5_cc_gen(): %.100s",
krb5_get_err_text(krb_context, problem));
errmsg = krb5_get_error_message(krb_context, problem);
logit("ssh_krb5_cc_gen(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return;
}
#endif /* #ifdef HEIMDAL */
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
logit("krb5_parse_name(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_cc_destroy(krb_context, ccache);
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_parse_name(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
logit("krb5_cc_initialize(): %.100s",
krb5_get_err_text(krb_context, problem));
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_initialize(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
return;

4
crypto/openssh/gss-serv.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -50,7 +50,7 @@
static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
ssh_gssapi_mech gssapi_null_mech =
{ NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};

31
crypto/openssh/hostfile.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: hostfile.c,v 1.50 2010/12/04 13:31:37 djm Exp $ */
/* $OpenBSD: hostfile.c,v 1.52 2013/07/12 00:19:58 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -64,7 +64,7 @@ struct hostkeys {
};
static int
extract_salt(const char *s, u_int l, char *salt, size_t salt_len)
extract_salt(const char *s, u_int l, u_char *salt, size_t salt_len)
{
char *p, *b64salt;
u_int b64len;
@ -96,7 +96,7 @@ extract_salt(const char *s, u_int l, char *salt, size_t salt_len)
b64salt[b64len] = '\0';
ret = __b64_pton(b64salt, salt, salt_len);
xfree(b64salt);
free(b64salt);
if (ret == -1) {
debug2("extract_salt: salt decode error");
return (-1);
@ -115,7 +115,8 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
{
const EVP_MD *md = EVP_sha1();
HMAC_CTX mac_ctx;
char salt[256], result[256], uu_salt[512], uu_result[512];
u_char salt[256], result[256];
char uu_salt[512], uu_result[512];
static char encoded[1024];
u_int i, len;
@ -133,7 +134,7 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
}
HMAC_Init(&mac_ctx, salt, len, md);
HMAC_Update(&mac_ctx, host, strlen(host));
HMAC_Update(&mac_ctx, (u_char *)host, strlen(host));
HMAC_Final(&mac_ctx, result, NULL);
HMAC_cleanup(&mac_ctx);
@ -153,7 +154,7 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
*/
int
hostfile_read_key(char **cpp, u_int *bitsp, Key *ret)
hostfile_read_key(char **cpp, int *bitsp, Key *ret)
{
char *cp;
@ -170,8 +171,10 @@ hostfile_read_key(char **cpp, u_int *bitsp, Key *ret)
/* Return results. */
*cpp = cp;
if (bitsp != NULL)
*bitsp = key_size(ret);
if (bitsp != NULL) {
if ((*bitsp = key_size(ret)) <= 0)
return 0;
}
return 1;
}
@ -327,16 +330,14 @@ free_hostkeys(struct hostkeys *hostkeys)
u_int i;
for (i = 0; i < hostkeys->num_entries; i++) {
xfree(hostkeys->entries[i].host);
xfree(hostkeys->entries[i].file);
free(hostkeys->entries[i].host);
free(hostkeys->entries[i].file);
key_free(hostkeys->entries[i].key);
bzero(hostkeys->entries + i, sizeof(*hostkeys->entries));
}
if (hostkeys->entries != NULL)
xfree(hostkeys->entries);
hostkeys->entries = NULL;
hostkeys->num_entries = 0;
xfree(hostkeys);
free(hostkeys->entries);
bzero(hostkeys, sizeof(*hostkeys));
free(hostkeys);
}
static int

4
crypto/openssh/hostfile.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: hostfile.h,v 1.19 2010/11/29 23:45:51 djm Exp $ */
/* $OpenBSD: hostfile.h,v 1.20 2013/07/12 00:19:58 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -40,7 +40,7 @@ HostStatus check_key_in_hostkeys(struct hostkeys *, Key *,
int lookup_key_in_hostkeys_by_type(struct hostkeys *, int,
const struct hostkey_entry **);
int hostfile_read_key(char **, u_int *, Key *);
int hostfile_read_key(char **, int *, Key *);
int add_host_to_hostfile(const char *, const char *, const Key *, int);
#define HASH_MAGIC "|1|"

2
crypto/openssh/includes.h
View File

@ -18,7 +18,9 @@
#include "config.h"
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* activate extra prototypes for glibc */
#endif
#include <sys/types.h>
#include <sys/socket.h> /* For CMSG_* */

8
crypto/openssh/jpake.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: jpake.c,v 1.7 2012/06/18 11:43:53 dtucker Exp $ */
/* $OpenBSD: jpake.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2008 Damien Miller. All rights reserved.
*
@ -106,7 +106,7 @@ jpake_free(struct jpake_ctx *pctx)
do { \
if ((v) != NULL) { \
bzero((v), (l)); \
xfree(v); \
free(v); \
(v) = NULL; \
(l) = 0; \
} \
@ -134,7 +134,7 @@ jpake_free(struct jpake_ctx *pctx)
#undef JPAKE_BUF_CLEAR_FREE
bzero(pctx, sizeof(*pctx));
xfree(pctx);
free(pctx);
}
/* dump entire jpake_ctx. NB. includes private values! */
@ -445,7 +445,7 @@ jpake_check_confirm(const BIGNUM *k,
expected_confirm_hash_len) == 0)
success = 1;
bzero(expected_confirm_hash, expected_confirm_hash_len);
xfree(expected_confirm_hash);
free(expected_confirm_hash);
debug3("%s: success = %d", __func__, success);
return success;
}

104
crypto/openssh/kex.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kex.c,v 1.88 2013/01/08 18:49:04 markus Exp $ */
/* $OpenBSD: kex.c,v 1.91 2013/05/17 00:13:13 djm Exp $ */
/* $FreeBSD$ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -63,6 +63,57 @@ extern const EVP_MD *evp_ssh_sha256(void);
static void kex_kexinit_finish(Kex *);
static void kex_choose_conf(Kex *);
struct kexalg {
char *name;
int type;
int ec_nid;
const EVP_MD *(*mdfunc)(void);
};
static const struct kexalg kexalgs[] = {
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, EVP_sha1 },
{ KEX_DH14, KEX_DH_GRP14_SHA1, 0, EVP_sha1 },
{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, EVP_sha1 },
#ifdef HAVE_EVP_SHA256
{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, EVP_sha256 },
#endif
#ifdef OPENSSL_HAS_ECC
{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, NID_X9_62_prime256v1, EVP_sha256 },
{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 },
{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 },
#endif
{ NULL, -1, -1, NULL},
};
char *
kex_alg_list(void)
{
char *ret = NULL;
size_t nlen, rlen = 0;
const struct kexalg *k;
for (k = kexalgs; k->name != NULL; k++) {
if (ret != NULL)
ret[rlen++] = '\n';
nlen = strlen(k->name);
ret = xrealloc(ret, 1, rlen + nlen + 2);
memcpy(ret + rlen, k->name, nlen + 1);
rlen += nlen;
}
return ret;
}
static const struct kexalg *
kex_alg_by_name(const char *name)
{
const struct kexalg *k;
for (k = kexalgs; k->name != NULL; k++) {
if (strcmp(k->name, name) == 0)
return k;
}
return NULL;
}
/* Validate KEX method name list */
int
kex_names_valid(const char *names)
@ -74,20 +125,14 @@ kex_names_valid(const char *names)
s = cp = xstrdup(names);
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (strcmp(p, KEX_DHGEX_SHA256) != 0 &&
strcmp(p, KEX_DHGEX_SHA1) != 0 &&
strcmp(p, KEX_DH14) != 0 &&
strcmp(p, KEX_DH1) != 0 &&
(strncmp(p, KEX_ECDH_SHA2_STEM,
sizeof(KEX_ECDH_SHA2_STEM) - 1) != 0 ||
kex_ecdh_name_to_nid(p) == -1)) {
if (kex_alg_by_name(p) == NULL) {
error("Unsupported KEX algorithm \"%.100s\"", p);
xfree(s);
free(s);
return 0;
}
}
debug3("kex names ok: [%s]", names);
xfree(s);
free(s);
return 1;
}
@ -152,8 +197,8 @@ kex_prop_free(char **proposal)
u_int i;
for (i = 0; i < PROPOSAL_MAX; i++)
xfree(proposal[i]);
xfree(proposal);
free(proposal[i]);
free(proposal);
}
/* ARGSUSED */
@ -190,7 +235,7 @@ kex_finish(Kex *kex)
buffer_clear(&kex->peer);
/* buffer_clear(&kex->my); */
kex->flags &= ~KEX_INIT_SENT;
xfree(kex->name);
free(kex->name);
kex->name = NULL;
}
@ -247,7 +292,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
for (i = 0; i < KEX_COOKIE_LEN; i++)
packet_get_char();
for (i = 0; i < PROPOSAL_MAX; i++)
xfree(packet_get_string(NULL));
free(packet_get_string(NULL));
/*
* XXX RFC4253 sec 7: "each side MAY guess" - currently no supported
* KEX method has the server move first, but a server might be using
@ -354,29 +399,16 @@ choose_comp(Comp *comp, char *client, char *server)
static void
choose_kex(Kex *k, char *client, char *server)
{
const struct kexalg *kexalg;
k->name = match_list(client, server, NULL);
if (k->name == NULL)
fatal("Unable to negotiate a key exchange method");
if (strcmp(k->name, KEX_DH1) == 0) {
k->kex_type = KEX_DH_GRP1_SHA1;
k->evp_md = EVP_sha1();
} else if (strcmp(k->name, KEX_DH14) == 0) {
k->kex_type = KEX_DH_GRP14_SHA1;
k->evp_md = EVP_sha1();
} else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
k->kex_type = KEX_DH_GEX_SHA1;
k->evp_md = EVP_sha1();
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
k->kex_type = KEX_DH_GEX_SHA256;
k->evp_md = evp_ssh_sha256();
} else if (strncmp(k->name, KEX_ECDH_SHA2_STEM,
sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) {
k->kex_type = KEX_ECDH_SHA2;
k->evp_md = kex_ecdh_name_to_evpmd(k->name);
#endif
} else
fatal("bad kex alg %s", k->name);
if ((kexalg = kex_alg_by_name(k->name)) == NULL)
fatal("unsupported kex alg %s", k->name);
k->kex_type = kexalg->type;
k->evp_md = kexalg->mdfunc();
k->ec_nid = kexalg->ec_nid;
}
static void
@ -388,7 +420,7 @@ choose_hostkeyalg(Kex *k, char *client, char *server)
k->hostkey_type = key_type_from_name(hostkeyalg);
if (k->hostkey_type == KEY_UNSPEC)
fatal("bad hostkey alg '%s'", hostkeyalg);
xfree(hostkeyalg);
free(hostkeyalg);
}
static int
@ -445,7 +477,7 @@ kex_choose_conf(Kex *kex)
roaming = match_list(KEX_RESUME, peer[PROPOSAL_KEX_ALGS], NULL);
if (roaming) {
kex->roaming = 1;
xfree(roaming);
free(roaming);
}
}

17
crypto/openssh/kex.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kex.h,v 1.54 2013/01/08 18:49:04 markus Exp $ */
/* $OpenBSD: kex.h,v 1.56 2013/07/19 07:37:48 markus Exp $ */
/* $FreeBSD$ */
/*
@ -41,8 +41,9 @@
#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
#define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256"
#define KEX_RESUME "resume@appgate.com"
/* The following represents the family of ECDH methods */
#define KEX_ECDH_SHA2_STEM "ecdh-sha2-"
#define KEX_ECDH_SHA2_NISTP256 "ecdh-sha2-nistp256"
#define KEX_ECDH_SHA2_NISTP384 "ecdh-sha2-nistp384"
#define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521"
#define COMP_NONE 0
#define COMP_ZLIB 1
@ -87,7 +88,7 @@ typedef struct Newkeys Newkeys;
struct Enc {
char *name;
Cipher *cipher;
const Cipher *cipher;
int enabled;
u_int key_len;
u_int iv_len;
@ -132,16 +133,19 @@ struct Kex {
sig_atomic_t done;
int flags;
const EVP_MD *evp_md;
int ec_nid;
char *client_version_string;
char *server_version_string;
int (*verify_host_key)(Key *);
Key *(*load_host_public_key)(int);
Key *(*load_host_private_key)(int);
int (*host_key_index)(Key *);
void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int);
void (*kex[KEX_MAX])(Kex *);
};
int kex_names_valid(const char *);
char *kex_alg_list(void);
#ifdef NONE_CIPHER_ENABLED
void kex_prop2buf(Buffer *, char *[PROPOSAL_MAX]);
@ -175,11 +179,6 @@ void
kex_ecdh_hash(const EVP_MD *, const EC_GROUP *, char *, char *, char *, int,
char *, int, u_char *, int, const EC_POINT *, const EC_POINT *,
const BIGNUM *, u_char **, u_int *);
int kex_ecdh_name_to_nid(const char *);
const EVP_MD *kex_ecdh_name_to_evpmd(const char *);
#else
# define kex_ecdh_name_to_nid(x) (-1)
# define kex_ecdh_name_to_evpmd(x) (NULL)
#endif
void

8
crypto/openssh/kexdhc.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kexdhc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */
/* $OpenBSD: kexdhc.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -125,7 +125,7 @@ kexdh_client(Kex *kex)
if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
fatal("kexdh_client: BN_bin2bn failed");
memset(kbuf, 0, klen);
xfree(kbuf);
free(kbuf);
/* calc and verify H */
kex_dh_hash(
@ -139,14 +139,14 @@ kexdh_client(Kex *kex)
shared_secret,
&hash, &hashlen
);
xfree(server_host_key_blob);
free(server_host_key_blob);
BN_clear_free(dh_server_pub);
DH_free(dh);
if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
fatal("key_verify failed for server_host_key");
key_free(server_host_key);
xfree(signature);
free(signature);
/* save session id */
if (kex->session_id == NULL) {

16
crypto/openssh/kexdhs.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kexdhs.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */
/* $OpenBSD: kexdhs.c,v 1.14 2013/07/19 07:37:48 markus Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -80,9 +80,6 @@ kexdh_server(Kex *kex)
if (server_host_public == NULL)
fatal("Unsupported hostkey type %d", kex->hostkey_type);
server_host_private = kex->load_host_private_key(kex->hostkey_type);
if (server_host_private == NULL)
fatal("Missing private key for hostkey type %d",
kex->hostkey_type);
/* key, cert */
if ((dh_client_pub = BN_new()) == NULL)
@ -118,7 +115,7 @@ kexdh_server(Kex *kex)
if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
fatal("kexdh_server: BN_bin2bn failed");
memset(kbuf, 0, klen);
xfree(kbuf);
free(kbuf);
key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
@ -144,9 +141,8 @@ kexdh_server(Kex *kex)
}
/* sign H */
if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash,
hashlen)) < 0)
fatal("kexdh_server: key_sign failed");
kex->sign(server_host_private, server_host_public, &signature, &slen,
hash, hashlen);
/* destroy_sensitive_data(); */
@ -157,8 +153,8 @@ kexdh_server(Kex *kex)
packet_put_string(signature, slen);
packet_send();
xfree(signature);
xfree(server_host_key_blob);
free(signature);
free(server_host_key_blob);
/* have keys, free DH */
DH_free(dh);

20
crypto/openssh/kexecdh.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kexecdh.c,v 1.3 2010/09/22 05:01:29 djm Exp $ */
/* $OpenBSD: kexecdh.c,v 1.4 2013/04/19 01:06:50 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@ -45,24 +45,6 @@
#include "kex.h"
#include "log.h"
int
kex_ecdh_name_to_nid(const char *kexname)
{
if (strlen(kexname) < sizeof(KEX_ECDH_SHA2_STEM) - 1)
fatal("%s: kexname too short \"%s\"", __func__, kexname);
return key_curve_name_to_nid(kexname + sizeof(KEX_ECDH_SHA2_STEM) - 1);
}
const EVP_MD *
kex_ecdh_name_to_evpmd(const char *kexname)
{
int nid = kex_ecdh_name_to_nid(kexname);
if (nid == -1)
fatal("%s: unsupported ECDH curve \"%s\"", __func__, kexname);
return key_ec_nid_to_evpmd(nid);
}
void
kex_ecdh_hash(
const EVP_MD *evp_md,

13
crypto/openssh/kexecdhc.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kexecdhc.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */
/* $OpenBSD: kexecdhc.c,v 1.4 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@ -57,11 +57,8 @@ kexecdh_client(Kex *kex)
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf, *hash;
u_int klen, slen, sbloblen, hashlen;
int curve_nid;
if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1)
fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name);
if ((client_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL)
if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL)
fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
if (EC_KEY_generate_key(client_key) != 1)
fatal("%s: EC_KEY_generate_key failed", __func__);
@ -123,7 +120,7 @@ kexecdh_client(Kex *kex)
if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
fatal("%s: BN_bin2bn failed", __func__);
memset(kbuf, 0, klen);
xfree(kbuf);
free(kbuf);
/* calc and verify H */
kex_ecdh_hash(
@ -139,14 +136,14 @@ kexecdh_client(Kex *kex)
shared_secret,
&hash, &hashlen
);
xfree(server_host_key_blob);
free(server_host_key_blob);
EC_POINT_clear_free(server_public);
EC_KEY_free(client_key);
if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
fatal("key_verify failed for server_host_key");
key_free(server_host_key);
xfree(signature);
free(signature);
/* save session id */
if (kex->session_id == NULL) {

21
crypto/openssh/kexecdhs.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kexecdhs.c,v 1.2 2010/09/22 05:01:29 djm Exp $ */
/* $OpenBSD: kexecdhs.c,v 1.5 2013/07/19 07:37:48 markus Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@ -59,11 +59,8 @@ kexecdh_server(Kex *kex)
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf, *hash;
u_int klen, slen, sbloblen, hashlen;
int curve_nid;
if ((curve_nid = kex_ecdh_name_to_nid(kex->name)) == -1)
fatal("%s: unsupported ECDH curve \"%s\"", __func__, kex->name);
if ((server_key = EC_KEY_new_by_curve_name(curve_nid)) == NULL)
if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL)
fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
if (EC_KEY_generate_key(server_key) != 1)
fatal("%s: EC_KEY_generate_key failed", __func__);
@ -81,9 +78,6 @@ kexecdh_server(Kex *kex)
if (server_host_public == NULL)
fatal("Unsupported hostkey type %d", kex->hostkey_type);
server_host_private = kex->load_host_private_key(kex->hostkey_type);
if (server_host_private == NULL)
fatal("Missing private key for hostkey type %d",
kex->hostkey_type);
debug("expecting SSH2_MSG_KEX_ECDH_INIT");
packet_read_expect(SSH2_MSG_KEX_ECDH_INIT);
@ -115,7 +109,7 @@ kexecdh_server(Kex *kex)
if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
fatal("%s: BN_bin2bn failed", __func__);
memset(kbuf, 0, klen);
xfree(kbuf);
free(kbuf);
/* calc H */
key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
@ -142,9 +136,8 @@ kexecdh_server(Kex *kex)
}
/* sign H */
if (PRIVSEP(key_sign(server_host_private, &signature, &slen,
hash, hashlen)) < 0)
fatal("kexdh_server: key_sign failed");
kex->sign(server_host_private, server_host_public, &signature, &slen,
hash, hashlen);
/* destroy_sensitive_data(); */
@ -155,8 +148,8 @@ kexecdh_server(Kex *kex)
packet_put_string(signature, slen);
packet_send();
xfree(signature);
xfree(server_host_key_blob);
free(signature);
free(server_host_key_blob);
/* have keys, free server key */
EC_KEY_free(server_key);

8
crypto/openssh/kexgexc.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kexgexc.c,v 1.12 2010/11/10 01:33:07 djm Exp $ */
/* $OpenBSD: kexgexc.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@ -163,7 +163,7 @@ kexgex_client(Kex *kex)
if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
fatal("kexgex_client: BN_bin2bn failed");
memset(kbuf, 0, klen);
xfree(kbuf);
free(kbuf);
if (datafellows & SSH_OLD_DHGEX)
min = max = -1;
@ -186,13 +186,13 @@ kexgex_client(Kex *kex)
/* have keys, free DH */
DH_free(dh);
xfree(server_host_key_blob);
free(server_host_key_blob);
BN_clear_free(dh_server_pub);
if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
fatal("key_verify failed for server_host_key");
key_free(server_host_key);
xfree(signature);
free(signature);
/* save session id */
if (kex->session_id == NULL) {

17
crypto/openssh/kexgexs.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kexgexs.c,v 1.14 2010/11/10 01:33:07 djm Exp $ */
/* $OpenBSD: kexgexs.c,v 1.16 2013/07/19 07:37:48 markus Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@ -68,10 +68,6 @@ kexgex_server(Kex *kex)
if (server_host_public == NULL)
fatal("Unsupported hostkey type %d", kex->hostkey_type);
server_host_private = kex->load_host_private_key(kex->hostkey_type);
if (server_host_private == NULL)
fatal("Missing private key for hostkey type %d",
kex->hostkey_type);
type = packet_read();
switch (type) {
@ -155,7 +151,7 @@ kexgex_server(Kex *kex)
if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
fatal("kexgex_server: BN_bin2bn failed");
memset(kbuf, 0, klen);
xfree(kbuf);
free(kbuf);
key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
@ -187,9 +183,8 @@ kexgex_server(Kex *kex)
}
/* sign H */
if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash,
hashlen)) < 0)
fatal("kexgex_server: key_sign failed");
kex->sign(server_host_private, server_host_public, &signature, &slen,
hash, hashlen);
/* destroy_sensitive_data(); */
@ -201,8 +196,8 @@ kexgex_server(Kex *kex)
packet_put_string(signature, slen);
packet_send();
xfree(signature);
xfree(server_host_key_blob);
free(signature);
free(server_host_key_blob);
/* have keys, free DH */
DH_free(dh);

286
crypto/openssh/key.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: key.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */
/* $OpenBSD: key.c,v 1.104 2013/05/19 02:42:42 djm Exp $ */
/*
* read_bignum():
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -187,14 +187,13 @@ cert_free(struct KeyCert *cert)
buffer_free(&cert->certblob);
buffer_free(&cert->critical);
buffer_free(&cert->extensions);
if (cert->key_id != NULL)
xfree(cert->key_id);
free(cert->key_id);
for (i = 0; i < cert->nprincipals; i++)
xfree(cert->principals[i]);
if (cert->principals != NULL)
xfree(cert->principals);
free(cert->principals[i]);
free(cert->principals);
if (cert->signature_key != NULL)
key_free(cert->signature_key);
free(cert);
}
void
@ -238,7 +237,7 @@ key_free(Key *k)
k->cert = NULL;
}
xfree(k);
free(k);
}
static int
@ -388,7 +387,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
EVP_DigestUpdate(&ctx, blob, len);
EVP_DigestFinal(&ctx, retval, dgst_raw_length);
memset(blob, 0, len);
xfree(blob);
free(blob);
} else {
fatal("key_fingerprint_raw: blob is null");
}
@ -570,7 +569,7 @@ key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k)
}
char *
key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
{
char *retval = NULL;
u_char *dgst_raw;
@ -595,7 +594,7 @@ key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
break;
}
memset(dgst_raw, 0, dgst_raw_len);
xfree(dgst_raw);
free(dgst_raw);
return retval;
}
@ -740,11 +739,11 @@ key_read(Key *ret, char **cpp)
n = uudecode(cp, blob, len);
if (n < 0) {
error("key_read: uudecode %s failed", cp);
xfree(blob);
free(blob);
return -1;
}
k = key_from_blob(blob, (u_int)n);
xfree(blob);
free(blob);
if (k == NULL) {
error("key_read: key_from_blob %s failed", cp);
return -1;
@ -885,42 +884,12 @@ key_write(const Key *key, FILE *f)
fprintf(f, "%s %s", key_ssh_name(key), uu);
success = 1;
}
xfree(blob);
xfree(uu);
free(blob);
free(uu);
return success;
}
const char *
key_type(const Key *k)
{
switch (k->type) {
case KEY_RSA1:
return "RSA1";
case KEY_RSA:
return "RSA";
case KEY_DSA:
return "DSA";
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
return "ECDSA";
#endif
case KEY_RSA_CERT_V00:
return "RSA-CERT-V00";
case KEY_DSA_CERT_V00:
return "DSA-CERT-V00";
case KEY_RSA_CERT:
return "RSA-CERT";
case KEY_DSA_CERT:
return "DSA-CERT";
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA_CERT:
return "ECDSA-CERT";
#endif
}
return "unknown";
}
const char *
key_cert_type(const Key *k)
{
@ -934,48 +903,59 @@ key_cert_type(const Key *k)
}
}
struct keytype {
char *name;
char *shortname;
int type;
int nid;
int cert;
};
static const struct keytype keytypes[] = {
{ NULL, "RSA1", KEY_RSA1, 0, 0 },
{ "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
{ "ssh-dss", "DSA", KEY_DSA, 0, 0 },
#ifdef OPENSSL_HAS_ECC
{ "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
{ "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
{ "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 },
#endif /* OPENSSL_HAS_ECC */
{ "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 },
{ "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 },
#ifdef OPENSSL_HAS_ECC
{ "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
{ "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
KEY_ECDSA_CERT, NID_secp384r1, 1 },
{ "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
KEY_ECDSA_CERT, NID_secp521r1, 1 },
#endif /* OPENSSL_HAS_ECC */
{ "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
KEY_RSA_CERT_V00, 0, 1 },
{ "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
KEY_DSA_CERT_V00, 0, 1 },
{ NULL, NULL, -1, -1, 0 }
};
const char *
key_type(const Key *k)
{
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
if (kt->type == k->type)
return kt->shortname;
}
return "unknown";
}
static const char *
key_ssh_name_from_type_nid(int type, int nid)
{
switch (type) {
case KEY_RSA:
return "ssh-rsa";
case KEY_DSA:
return "ssh-dss";
case KEY_RSA_CERT_V00:
return "ssh-rsa-cert-v00@openssh.com";
case KEY_DSA_CERT_V00:
return "ssh-dss-cert-v00@openssh.com";
case KEY_RSA_CERT:
return "ssh-rsa-cert-v01@openssh.com";
case KEY_DSA_CERT:
return "ssh-dss-cert-v01@openssh.com";
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
switch (nid) {
case NID_X9_62_prime256v1:
return "ecdsa-sha2-nistp256";
case NID_secp384r1:
return "ecdsa-sha2-nistp384";
case NID_secp521r1:
return "ecdsa-sha2-nistp521";
default:
break;
}
break;
case KEY_ECDSA_CERT:
switch (nid) {
case NID_X9_62_prime256v1:
return "ecdsa-sha2-nistp256-cert-v01@openssh.com";
case NID_secp384r1:
return "ecdsa-sha2-nistp384-cert-v01@openssh.com";
case NID_secp521r1:
return "ecdsa-sha2-nistp521-cert-v01@openssh.com";
default:
break;
}
break;
#endif /* OPENSSL_HAS_ECC */
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
return kt->name;
}
return "ssh-unknown";
}
@ -993,6 +973,56 @@ key_ssh_name_plain(const Key *k)
k->ecdsa_nid);
}
int
key_type_from_name(char *name)
{
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
/* Only allow shortname matches for plain key types */
if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
(!kt->cert && strcasecmp(kt->shortname, name) == 0))
return kt->type;
}
debug2("key_type_from_name: unknown key type '%s'", name);
return KEY_UNSPEC;
}
int
key_ecdsa_nid_from_name(const char *name)
{
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
continue;
if (kt->name != NULL && strcmp(name, kt->name) == 0)
return kt->nid;
}
debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name);
return -1;
}
char *
key_alg_list(void)
{
char *ret = NULL;
size_t nlen, rlen = 0;
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
if (kt->name == NULL)
continue;
if (ret != NULL)
ret[rlen++] = '\n';
nlen = strlen(kt->name);
ret = xrealloc(ret, 1, rlen + nlen + 2);
memcpy(ret + rlen, kt->name, nlen + 1);
rlen += nlen;
}
return ret;
}
u_int
key_size(const Key *k)
{
@ -1247,65 +1277,6 @@ key_from_private(const Key *k)
return n;
}
int
key_type_from_name(char *name)
{
if (strcmp(name, "rsa1") == 0) {
return KEY_RSA1;
} else if (strcmp(name, "rsa") == 0) {
return KEY_RSA;
} else if (strcmp(name, "dsa") == 0) {
return KEY_DSA;
} else if (strcmp(name, "ssh-rsa") == 0) {
return KEY_RSA;
} else if (strcmp(name, "ssh-dss") == 0) {
return KEY_DSA;
#ifdef OPENSSL_HAS_ECC
} else if (strcmp(name, "ecdsa") == 0 ||
strcmp(name, "ecdsa-sha2-nistp256") == 0 ||
strcmp(name, "ecdsa-sha2-nistp384") == 0 ||
strcmp(name, "ecdsa-sha2-nistp521") == 0) {
return KEY_ECDSA;
#endif
} else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) {
return KEY_RSA_CERT_V00;
} else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
return KEY_DSA_CERT_V00;
} else if (strcmp(name, "ssh-rsa-cert-v01@openssh.com") == 0) {
return KEY_RSA_CERT;
} else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
return KEY_DSA_CERT;
#ifdef OPENSSL_HAS_ECC
} else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 ||
strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 ||
strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
return KEY_ECDSA_CERT;
#endif
}
debug2("key_type_from_name: unknown key type '%s'", name);
return KEY_UNSPEC;
}
int
key_ecdsa_nid_from_name(const char *name)
{
#ifdef OPENSSL_HAS_ECC
if (strcmp(name, "ecdsa-sha2-nistp256") == 0 ||
strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0)
return NID_X9_62_prime256v1;
if (strcmp(name, "ecdsa-sha2-nistp384") == 0 ||
strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0)
return NID_secp384r1;
if (strcmp(name, "ecdsa-sha2-nistp521") == 0 ||
strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0)
return NID_secp521r1;
#endif /* OPENSSL_HAS_ECC */
debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name);
return -1;
}
int
key_names_valid2(const char *names)
{
@ -1319,12 +1290,12 @@ key_names_valid2(const char *names)
switch (key_type_from_name(p)) {
case KEY_RSA1:
case KEY_UNSPEC:
xfree(s);
free(s);
return 0;
}
}
debug3("key names ok: [%s]", names);
xfree(s);
free(s);
return 1;
}
@ -1446,16 +1417,11 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
out:
buffer_free(&tmp);
if (principals != NULL)
xfree(principals);
if (critical != NULL)
xfree(critical);
if (exts != NULL)
xfree(exts);
if (sig_key != NULL)
xfree(sig_key);
if (sig != NULL)
xfree(sig);
free(principals);
free(critical);
free(exts);
free(sig_key);
free(sig);
return ret;
}
@ -1575,10 +1541,8 @@ key_from_blob(const u_char *blob, u_int blen)
if (key != NULL && rlen != 0)
error("key_from_blob: remaining bytes in key blob %d", rlen);
out:
if (ktype != NULL)
xfree(ktype);
if (curve != NULL)
xfree(curve);
free(ktype);
free(curve);
#ifdef OPENSSL_HAS_ECC
if (q != NULL)
EC_POINT_free(q);
@ -1928,7 +1892,7 @@ key_certify(Key *k, Key *ca)
default:
error("%s: key has incorrect type %s", __func__, key_type(k));
buffer_clear(&k->cert->certblob);
xfree(ca_blob);
free(ca_blob);
return -1;
}
@ -1964,7 +1928,7 @@ key_certify(Key *k, Key *ca)
buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */
buffer_put_string(&k->cert->certblob, ca_blob, ca_len);
xfree(ca_blob);
free(ca_blob);
/* Sign the whole mess */
if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob),
@ -1975,7 +1939,7 @@ key_certify(Key *k, Key *ca)
}
/* Append signature and we are done */
buffer_put_string(&k->cert->certblob, sig_blob, sig_len);
xfree(sig_blob);
free(sig_blob);
return 0;
}

9
crypto/openssh/key.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: key.h,v 1.35 2013/01/17 23:00:01 djm Exp $ */
/* $OpenBSD: key.h,v 1.37 2013/05/19 02:42:42 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -95,7 +95,7 @@ void key_free(Key *);
Key *key_demote(const Key *);
int key_equal_public(const Key *, const Key *);
int key_equal(const Key *, const Key *);
char *key_fingerprint(Key *, enum fp_type, enum fp_rep);
char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
const char *key_type(const Key *);
const char *key_cert_type(const Key *);
@ -118,15 +118,16 @@ int key_cert_is_legacy(const Key *);
int key_ecdsa_nid_from_name(const char *);
int key_curve_name_to_nid(const char *);
const char * key_curve_nid_to_name(int);
const char *key_curve_nid_to_name(int);
u_int key_curve_nid_to_bits(int);
int key_ecdsa_bits_to_nid(int);
#ifdef OPENSSL_HAS_ECC
int key_ecdsa_key_to_nid(EC_KEY *);
const EVP_MD * key_ec_nid_to_evpmd(int nid);
const EVP_MD *key_ec_nid_to_evpmd(int nid);
int key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
int key_ec_validate_private(const EC_KEY *);
#endif
char *key_alg_list(void);
Key *key_from_blob(const u_char *, u_int);
int key_to_blob(const Key *, u_char **, u_int *);

35
crypto/openssh/krl.c
View File

@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $OpenBSD: krl.c,v 1.10 2013/02/19 02:12:47 dtucker Exp $ */
/* $OpenBSD: krl.c,v 1.13 2013/07/20 22:20:42 djm Exp $ */
#include "includes.h"
@ -502,11 +502,11 @@ choose_next_state(int current_state, u_int64_t contig, int final,
}
debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:"
"list %llu range %llu bitmap %llu new bitmap %llu, "
"selected 0x%02x%s", __func__, (unsigned long long)contig,
(unsigned long long)last_gap, (unsigned long long)next_gap, final,
(unsigned long long)cost_list, (unsigned long long)cost_range,
(unsigned long long)cost_bitmap,
(unsigned long long)cost_bitmap_restart, new_state,
"selected 0x%02x%s", __func__, (long long unsigned)contig,
(long long unsigned)last_gap, (long long unsigned)next_gap, final,
(long long unsigned)cost_list, (long long unsigned)cost_range,
(long long unsigned)cost_bitmap,
(long long unsigned)cost_bitmap_restart, new_state,
*force_new_section ? " restart" : "");
return new_state;
}
@ -542,7 +542,7 @@ revoked_certs_generate(struct revoked_certs *rc, Buffer *buf)
rs != NULL;
rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) {
debug3("%s: serial %llu:%llu state 0x%02x", __func__,
(unsigned long long)rs->lo, (unsigned long long)rs->hi,
(long long unsigned)rs->lo, (long long unsigned)rs->hi,
state);
/* Check contiguous length and gap to next section (if any) */
@ -887,9 +887,10 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
char timestamp[64];
int ret = -1, r, sig_seen;
Key *key = NULL, **ca_used = NULL;
u_char type, *blob;
u_int i, j, sig_off, sects_off, blen, format_version, nca_used = 0;
u_char type, *blob, *rdata = NULL;
u_int i, j, sig_off, sects_off, rlen, blen, format_version, nca_used;
nca_used = 0;
*krlp = NULL;
if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 ||
memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) {
@ -933,7 +934,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
debug("KRL version %llu generated at %s%s%s",
(unsigned long long)krl->krl_version, timestamp,
(long long unsigned)krl->krl_version, timestamp,
*krl->comment ? ": " : "", krl->comment);
/*
@ -972,7 +973,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
}
/* Check signature over entire KRL up to this point */
if (key_verify(key, blob, blen,
buffer_ptr(buf), buffer_len(buf) - sig_off) == -1) {
buffer_ptr(buf), buffer_len(buf) - sig_off) != 1) {
error("bad signaure on KRL");
goto out;
}
@ -1015,21 +1016,22 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
case KRL_SECTION_EXPLICIT_KEY:
case KRL_SECTION_FINGERPRINT_SHA1:
while (buffer_len(&sect) > 0) {
if ((blob = buffer_get_string_ret(&sect,
&blen)) == NULL) {
if ((rdata = buffer_get_string_ret(&sect,
&rlen)) == NULL) {
error("%s: buffer error", __func__);
goto out;
}
if (type == KRL_SECTION_FINGERPRINT_SHA1 &&
blen != 20) {
rlen != 20) {
error("%s: bad SHA1 length", __func__);
goto out;
}
if (revoke_blob(
type == KRL_SECTION_EXPLICIT_KEY ?
&krl->revoked_keys : &krl->revoked_sha1s,
blob, blen) != 0)
goto out; /* revoke_blob frees blob */
rdata, rlen) != 0)
goto out;
rdata = NULL; /* revoke_blob frees blob */
}
break;
case KRL_SECTION_SIGNATURE:
@ -1095,6 +1097,7 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
key_free(ca_used[i]);
}
free(ca_used);
free(rdata);
if (key != NULL)
key_free(key);
buffer_free(&copy);

20
crypto/openssh/log.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: log.c,v 1.43 2012/09/06 04:37:39 dtucker Exp $ */
/* $OpenBSD: log.c,v 1.45 2013/05/16 09:08:41 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -38,6 +38,7 @@
#include <sys/types.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
@ -54,6 +55,7 @@
static LogLevel log_level = SYSLOG_LEVEL_INFO;
static int log_on_stderr = 1;
static int log_stderr_fd = STDERR_FILENO;
static int log_facility = LOG_AUTH;
static char *argv0;
static log_handler_fn *log_handler;
@ -344,6 +346,20 @@ log_is_on_stderr(void)
return log_on_stderr;
}
/* redirect what would usually get written to stderr to specified file */
void
log_redirect_stderr_to(const char *logfile)
{
int fd;
if ((fd = open(logfile, O_WRONLY|O_CREAT|O_APPEND, 0600)) == -1) {
fprintf(stderr, "Couldn't open logfile %s: %s\n", logfile,
strerror(errno));
exit(1);
}
log_stderr_fd = fd;
}
#define MSGBUFSIZ 1024
void
@ -429,7 +445,7 @@ do_log(LogLevel level, const char *fmt, va_list args)
log_handler = tmp_handler;
} else if (log_on_stderr) {
snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
write(STDERR_FILENO, msgbuf, strlen(msgbuf));
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
} else {
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);

3
crypto/openssh/log.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: log.h,v 1.19 2012/09/06 04:37:39 dtucker Exp $ */
/* $OpenBSD: log.h,v 1.20 2013/04/07 02:10:33 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -51,6 +51,7 @@ typedef void (log_handler_fn)(LogLevel, const char *, void *);
void log_init(char *, LogLevel, SyslogFacility, int);
void log_change_level(LogLevel);
int log_is_on_stderr(void);
void log_redirect_stderr_to(const char *);
SyslogFacility log_facility_number(char *);
const char * log_facility_name(SyslogFacility);

2
crypto/openssh/loginrec.c
View File

@ -347,7 +347,7 @@ logininfo *login_alloc_entry(pid_t pid, const char *username,
void
login_free_entry(struct logininfo *li)
{
xfree(li);
free(li);
}

81
crypto/openssh/mac.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: mac.c,v 1.21 2012/12/11 22:51:45 sthen Exp $ */
/* $OpenBSD: mac.c,v 1.24 2013/06/03 00:03:18 dtucker Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -50,7 +50,7 @@
#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
#define SSH_UMAC128 3
struct {
struct macalg {
char *name;
int type;
const EVP_MD * (*mdfunc)(void);
@ -58,7 +58,9 @@ struct {
int key_len; /* just for UMAC */
int len; /* just for UMAC */
int etm; /* Encrypt-then-MAC */
} macs[] = {
};
static const struct macalg macs[] = {
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
{ "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
{ "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
@ -89,38 +91,58 @@ struct {
{ NULL, 0, NULL, 0, 0, 0, 0 }
};
/* Returns a comma-separated list of supported MACs. */
char *
mac_alg_list(void)
{
char *ret = NULL;
size_t nlen, rlen = 0;
const struct macalg *m;
for (m = macs; m->name != NULL; m++) {
if (ret != NULL)
ret[rlen++] = '\n';
nlen = strlen(m->name);
ret = xrealloc(ret, 1, rlen + nlen + 2);
memcpy(ret + rlen, m->name, nlen + 1);
rlen += nlen;
}
return ret;
}
static void
mac_setup_by_id(Mac *mac, int which)
mac_setup_by_alg(Mac *mac, const struct macalg *macalg)
{
int evp_len;
mac->type = macs[which].type;
mac->type = macalg->type;
if (mac->type == SSH_EVP) {
mac->evp_md = (*macs[which].mdfunc)();
mac->evp_md = macalg->mdfunc();
if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0)
fatal("mac %s len %d", mac->name, evp_len);
mac->key_len = mac->mac_len = (u_int)evp_len;
} else {
mac->mac_len = macs[which].len / 8;
mac->key_len = macs[which].key_len / 8;
mac->mac_len = macalg->len / 8;
mac->key_len = macalg->key_len / 8;
mac->umac_ctx = NULL;
}
if (macs[which].truncatebits != 0)
mac->mac_len = macs[which].truncatebits / 8;
mac->etm = macs[which].etm;
if (macalg->truncatebits != 0)
mac->mac_len = macalg->truncatebits / 8;
mac->etm = macalg->etm;
}
int
mac_setup(Mac *mac, char *name)
{
int i;
const struct macalg *m;
for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) {
if (mac != NULL)
mac_setup_by_id(mac, i);
debug2("mac_setup: found %s", name);
return (0);
}
for (m = macs; m->name != NULL; m++) {
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
mac_setup_by_alg(mac, m);
debug2("mac_setup: found %s", name);
return (0);
}
debug2("mac_setup: unknown %s", name);
return (-1);
@ -152,12 +174,15 @@ mac_init(Mac *mac)
u_char *
mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
{
static u_char m[EVP_MAX_MD_SIZE];
static union {
u_char m[EVP_MAX_MD_SIZE];
u_int64_t for_align;
} u;
u_char b[4], nonce[8];
if (mac->mac_len > sizeof(m))
if (mac->mac_len > sizeof(u))
fatal("mac_compute: mac too long %u %lu",
mac->mac_len, (u_long)sizeof(m));
mac->mac_len, (u_long)sizeof(u));
switch (mac->type) {
case SSH_EVP:
@ -166,22 +191,22 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
HMAC_Update(&mac->evp_ctx, b, sizeof(b));
HMAC_Update(&mac->evp_ctx, data, datalen);
HMAC_Final(&mac->evp_ctx, m, NULL);
HMAC_Final(&mac->evp_ctx, u.m, NULL);
break;
case SSH_UMAC:
put_u64(nonce, seqno);
umac_update(mac->umac_ctx, data, datalen);
umac_final(mac->umac_ctx, m, nonce);
umac_final(mac->umac_ctx, u.m, nonce);
break;
case SSH_UMAC128:
put_u64(nonce, seqno);
umac128_update(mac->umac_ctx, data, datalen);
umac128_final(mac->umac_ctx, m, nonce);
umac128_final(mac->umac_ctx, u.m, nonce);
break;
default:
fatal("mac_compute: unknown MAC type");
}
return (m);
return (u.m);
}
void
@ -213,13 +238,13 @@ mac_valid(const char *names)
(p = strsep(&cp, MAC_SEP))) {
if (mac_setup(NULL, p) < 0) {
debug("bad mac %s [%s]", p, names);
xfree(maclist);
free(maclist);
return (0);
} else {
debug3("mac ok: %s [%s]", p, names);
}
}
debug3("macs ok: [%s]", names);
xfree(maclist);
free(maclist);
return (1);
}

3
crypto/openssh/mac.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: mac.h,v 1.6 2007/06/07 19:37:34 pvalchev Exp $ */
/* $OpenBSD: mac.h,v 1.7 2013/04/19 01:06:50 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -24,6 +24,7 @@
*/
int mac_valid(const char *);
char *mac_alg_list(void);
int mac_setup(Mac *, char *);
int mac_init(Mac *);
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);

15
crypto/openssh/match.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: match.c,v 1.27 2008/06/10 23:06:19 djm Exp $ */
/* $OpenBSD: match.c,v 1.28 2013/05/17 00:13:13 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -40,6 +40,7 @@
#include <sys/types.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include "xmalloc.h"
@ -226,14 +227,14 @@ match_user(const char *user, const char *host, const char *ipaddr,
if ((ret = match_pattern(user, pat)) == 1)
ret = match_host_and_ip(host, ipaddr, p);
xfree(pat);
free(pat);
return ret;
}
/*
* Returns first item from client-list that is also supported by server-list,
* caller must xfree() returned string.
* caller must free the returned string.
*/
#define MAX_PROP 40
#define SEP ","
@ -264,15 +265,15 @@ match_list(const char *client, const char *server, u_int *next)
if (next != NULL)
*next = (cp == NULL) ?
strlen(c) : (u_int)(cp - c);
xfree(c);
xfree(s);
free(c);
free(s);
return ret;
}
}
}
if (next != NULL)
*next = strlen(c);
xfree(c);
xfree(s);
free(c);
free(s);
return NULL;
}

59
crypto/openssh/misc.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: misc.c,v 1.86 2011/09/05 05:59:08 djm Exp $ */
/* $OpenBSD: misc.c,v 1.91 2013/07/12 00:43:50 djm Exp $ */
/* $FreeBSD$ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -128,7 +128,7 @@ unset_nonblock(int fd)
const char *
ssh_gai_strerror(int gaierr)
{
if (gaierr == EAI_SYSTEM)
if (gaierr == EAI_SYSTEM && errno != 0)
return strerror(errno);
return gai_strerror(gaierr);
}
@ -207,16 +207,18 @@ pwcopy(struct passwd *pw)
copy->pw_name = xstrdup(pw->pw_name);
copy->pw_passwd = xstrdup(pw->pw_passwd);
#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
copy->pw_gecos = xstrdup(pw->pw_gecos);
#endif
copy->pw_uid = pw->pw_uid;
copy->pw_gid = pw->pw_gid;
#ifdef HAVE_PW_EXPIRE_IN_PASSWD
#ifdef HAVE_STRUCT_PASSWD_PW_EXPIRE
copy->pw_expire = pw->pw_expire;
#endif
#ifdef HAVE_PW_CHANGE_IN_PASSWD
#ifdef HAVE_STRUCT_PASSWD_PW_CHANGE
copy->pw_change = pw->pw_change;
#endif
#ifdef HAVE_PW_CLASS_IN_PASSWD
#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
copy->pw_class = xstrdup(pw->pw_class);
#endif
copy->pw_dir = xstrdup(pw->pw_dir);
@ -252,13 +254,13 @@ a2tun(const char *s, int *remote)
*remote = SSH_TUNID_ANY;
sp = xstrdup(s);
if ((ep = strchr(sp, ':')) == NULL) {
xfree(sp);
free(sp);
return (a2tun(s, NULL));
}
ep[0] = '\0'; ep++;
*remote = a2tun(ep, NULL);
tun = a2tun(sp, NULL);
xfree(sp);
free(sp);
return (*remote == SSH_TUNID_ERR ? *remote : tun);
}
@ -491,7 +493,7 @@ replacearg(arglist *args, u_int which, char *fmt, ...)
if (which >= args->num)
fatal("replacearg: tried to replace invalid arg %d >= %d",
which, args->num);
xfree(args->list[which]);
free(args->list[which]);
args->list[which] = cp;
}
@ -502,8 +504,8 @@ freeargs(arglist *args)
if (args->list != NULL) {
for (i = 0; i < args->num; i++)
xfree(args->list[i]);
xfree(args->list);
free(args->list[i]);
free(args->list);
args->nalloc = args->num = 0;
args->list = NULL;
}
@ -516,8 +518,8 @@ freeargs(arglist *args)
char *
tilde_expand_filename(const char *filename, uid_t uid)
{
const char *path;
char user[128], ret[MAXPATHLEN];
const char *path, *sep;
char user[128], *ret;
struct passwd *pw;
u_int len, slash;
@ -537,22 +539,21 @@ tilde_expand_filename(const char *filename, uid_t uid)
} else if ((pw = getpwuid(uid)) == NULL) /* ~/path */
fatal("tilde_expand_filename: No such uid %ld", (long)uid);
if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
fatal("tilde_expand_filename: Path too long");
/* Make sure directory has a trailing '/' */
len = strlen(pw->pw_dir);
if ((len == 0 || pw->pw_dir[len - 1] != '/') &&
strlcat(ret, "/", sizeof(ret)) >= sizeof(ret))
fatal("tilde_expand_filename: Path too long");
if (len == 0 || pw->pw_dir[len - 1] != '/')
sep = "/";
else
sep = "";
/* Skip leading '/' from specified path */
if (path != NULL)
filename = path + 1;
if (strlcat(ret, filename, sizeof(ret)) >= sizeof(ret))
if (xasprintf(&ret, "%s%s%s", pw->pw_dir, sep, filename) >= MAXPATHLEN)
fatal("tilde_expand_filename: Path too long");
return (xstrdup(ret));
return (ret);
}
/*
@ -854,6 +855,24 @@ ms_to_timeval(struct timeval *tv, int ms)
tv->tv_usec = (ms % 1000) * 1000;
}
time_t
monotime(void)
{
#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC)
struct timespec ts;
static int gettime_failed = 0;
if (!gettime_failed) {
if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
return (ts.tv_sec);
debug3("clock_gettime: %s", strerror(errno));
gettime_failed = 1;
}
#endif
return time(NULL);
}
void
bandwidth_limit_init(struct bwlimit *bw, u_int64_t kbps, size_t buflen)
{

3
crypto/openssh/misc.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: misc.h,v 1.48 2011/03/29 18:54:17 stevesk Exp $ */
/* $OpenBSD: misc.h,v 1.49 2013/06/01 13:15:52 dtucker Exp $ */
/* $FreeBSD$ */
/*
@ -36,6 +36,7 @@ char *tohex(const void *, size_t);
void sanitise_stdfd(void);
void ms_subtract_diff(struct timeval *, int *);
void ms_to_timeval(struct timeval *, int);
time_t monotime(void);
void sock_set_v6only(int);
void sock_get_rcvbuf(int *, int);

10
crypto/openssh/moduli.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: moduli.c,v 1.26 2012/07/06 00:41:59 dtucker Exp $ */
/* $OpenBSD: moduli.c,v 1.27 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright 1994 Phil Karn <karn@qualcomm.com>
* Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
@ -433,9 +433,9 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
time(&time_stop);
xfree(LargeSieve);
xfree(SmallSieve);
xfree(TinySieve);
free(LargeSieve);
free(SmallSieve);
free(TinySieve);
logit("%.24s Found %u candidates", ctime(&time_stop), r);
@ -709,7 +709,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted,
}
time(&time_stop);
xfree(lp);
free(lp);
BN_free(p);
BN_free(q);
BN_CTX_free(ctx);

214
crypto/openssh/monitor.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */
/* $OpenBSD: monitor.c,v 1.127 2013/07/19 07:37:48 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -97,6 +97,7 @@
#include "ssh2.h"
#include "jpake.h"
#include "roaming.h"
#include "authfd.h"
#ifdef GSSAPI
static Gssctxt *gsscontext = NULL;
@ -392,7 +393,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
"with SSH protocol 1");
if (authenticated &&
!auth2_update_methods_lists(authctxt,
auth_method)) {
auth_method, auth_submethod)) {
debug3("%s: method %s: partial", __func__,
auth_method);
authenticated = 0;
@ -422,8 +423,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
}
if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
auth_log(authctxt, authenticated, partial,
auth_method, auth_submethod,
compat20 ? " ssh2" : "");
auth_method, auth_submethod);
if (!authenticated)
authctxt->failures++;
}
@ -551,7 +551,7 @@ monitor_read_log(struct monitor *pmonitor)
do_log2(level, "%s [preauth]", msg);
buffer_free(&logmsg);
xfree(msg);
free(msg);
return 0;
}
@ -642,12 +642,9 @@ static void
monitor_reset_key_state(void)
{
/* reset state */
if (key_blob != NULL)
xfree(key_blob);
if (hostbased_cuser != NULL)
xfree(hostbased_cuser);
if (hostbased_chost != NULL)
xfree(hostbased_chost);
free(key_blob);
free(hostbased_cuser);
free(hostbased_chost);
key_blob = NULL;
key_bloblen = 0;
key_blobtype = MM_NOKEY;
@ -690,6 +687,8 @@ mm_answer_moduli(int sock, Buffer *m)
return (0);
}
extern AuthenticationConnection *auth_conn;
int
mm_answer_sign(int sock, Buffer *m)
{
@ -718,18 +717,24 @@ mm_answer_sign(int sock, Buffer *m)
memcpy(session_id2, p, session_id2_len);
}
if ((key = get_hostkey_by_index(keyid)) == NULL)
if ((key = get_hostkey_by_index(keyid)) != NULL) {
if (key_sign(key, &signature, &siglen, p, datlen) < 0)
fatal("%s: key_sign failed", __func__);
} else if ((key = get_hostkey_public_by_index(keyid)) != NULL &&
auth_conn != NULL) {
if (ssh_agent_sign(auth_conn, key, &signature, &siglen, p,
datlen) < 0)
fatal("%s: ssh_agent_sign failed", __func__);
} else
fatal("%s: no hostkey from index %d", __func__, keyid);
if (key_sign(key, &signature, &siglen, p, datlen) < 0)
fatal("%s: key_sign failed", __func__);
debug3("%s: signature %p(%u)", __func__, signature, siglen);
buffer_clear(m);
buffer_put_string(m, signature, siglen);
xfree(p);
xfree(signature);
free(p);
free(signature);
mm_request_send(sock, MONITOR_ANS_SIGN, m);
@ -760,7 +765,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
authctxt->user = xstrdup(username);
setproctitle("%s [priv]", pwent ? username : "unknown");
xfree(username);
free(username);
buffer_clear(m);
@ -778,8 +783,10 @@ mm_answer_pwnamallow(int sock, Buffer *m)
buffer_put_string(m, pwent, sizeof(struct passwd));
buffer_put_cstring(m, pwent->pw_name);
buffer_put_cstring(m, "*");
#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
buffer_put_cstring(m, pwent->pw_gecos);
#ifdef HAVE_PW_CLASS_IN_PASSWD
#endif
#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
buffer_put_cstring(m, pwent->pw_class);
#endif
buffer_put_cstring(m, pwent->pw_dir);
@ -838,9 +845,7 @@ int mm_answer_auth2_read_banner(int sock, Buffer *m)
banner = auth2_read_banner();
buffer_put_cstring(m, banner != NULL ? banner : "");
mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m);
if (banner != NULL)
xfree(banner);
free(banner);
return (0);
}
@ -856,7 +861,7 @@ mm_answer_authserv(int sock, Buffer *m)
__func__, authctxt->service, authctxt->style);
if (strlen(authctxt->style) == 0) {
xfree(authctxt->style);
free(authctxt->style);
authctxt->style = NULL;
}
@ -876,7 +881,7 @@ mm_answer_authpassword(int sock, Buffer *m)
authenticated = options.password_authentication &&
auth_password(authctxt, passwd);
memset(passwd, 0, strlen(passwd));
xfree(passwd);
free(passwd);
buffer_clear(m);
buffer_put_int(m, authenticated);
@ -916,10 +921,10 @@ mm_answer_bsdauthquery(int sock, Buffer *m)
mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m);
if (success) {
xfree(name);
xfree(infotxt);
xfree(prompts);
xfree(echo_on);
free(name);
free(infotxt);
free(prompts);
free(echo_on);
}
return (0);
@ -939,7 +944,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
auth_userresponse(authctxt->as, response, 0);
authctxt->as = NULL;
debug3("%s: <%s> = <%d>", __func__, response, authok);
xfree(response);
free(response);
buffer_clear(m);
buffer_put_int(m, authok);
@ -947,9 +952,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
debug3("%s: sending authenticated: %d", __func__, authok);
mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
if (compat20)
auth_method = "keyboard-interactive"; /* XXX auth_submethod */
else
if (compat20) {
auth_method = "keyboard-interactive";
auth_submethod = "bsdauth";
} else
auth_method = "bsdauth";
return (authok != 0);
@ -991,7 +997,7 @@ mm_answer_skeyrespond(int sock, Buffer *m)
skey_haskey(authctxt->pw->pw_name) == 0 &&
skey_passcheck(authctxt->pw->pw_name, response) != -1);
xfree(response);
free(response);
buffer_clear(m);
buffer_put_int(m, authok);
@ -1076,19 +1082,17 @@ mm_answer_pam_query(int sock, Buffer *m)
buffer_clear(m);
buffer_put_int(m, ret);
buffer_put_cstring(m, name);
xfree(name);
free(name);
buffer_put_cstring(m, info);
xfree(info);
free(info);
buffer_put_int(m, num);
for (i = 0; i < num; ++i) {
buffer_put_cstring(m, prompts[i]);
xfree(prompts[i]);
free(prompts[i]);
buffer_put_int(m, echo_on[i]);
}
if (prompts != NULL)
xfree(prompts);
if (echo_on != NULL)
xfree(echo_on);
free(prompts);
free(echo_on);
auth_method = "keyboard-interactive";
auth_submethod = "pam";
mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
@ -1111,8 +1115,8 @@ mm_answer_pam_respond(int sock, Buffer *m)
resp[i] = buffer_get_string(m, NULL);
ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
for (i = 0; i < num; ++i)
xfree(resp[i]);
xfree(resp);
free(resp[i]);
free(resp);
} else {
ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
}
@ -1170,6 +1174,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
case MM_USERKEY:
allowed = options.pubkey_authentication &&
user_key_allowed(authctxt->pw, key);
pubkey_auth_info(authctxt, key, NULL);
auth_method = "publickey";
if (options.pubkey_authentication && allowed != 1)
auth_clear_options();
@ -1178,6 +1183,9 @@ mm_answer_keyallowed(int sock, Buffer *m)
allowed = options.hostbased_authentication &&
hostbased_key_allowed(authctxt->pw,
cuser, chost, key);
pubkey_auth_info(authctxt, key,
"client user \"%.100s\", client host \"%.100s\"",
cuser, chost);
auth_method = "hostbased";
break;
case MM_RSAHOSTKEY:
@ -1209,11 +1217,10 @@ mm_answer_keyallowed(int sock, Buffer *m)
hostbased_chost = chost;
} else {
/* Log failed attempt */
auth_log(authctxt, 0, 0, auth_method, NULL,
compat20 ? " ssh2" : "");
xfree(blob);
xfree(cuser);
xfree(chost);
auth_log(authctxt, 0, 0, auth_method, NULL);
free(blob);
free(cuser);
free(chost);
}
debug3("%s: key %p is %s",
@ -1235,7 +1242,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
char *p;
char *p, *userstyle;
u_int len;
int fail = 0;
@ -1256,26 +1263,30 @@ monitor_valid_userblob(u_char *data, u_int datalen)
(len != session_id2_len) ||
(timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
fail++;
xfree(p);
free(p);
}
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
if (strcmp(authctxt->user, p) != 0) {
p = buffer_get_cstring(&b, NULL);
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
if (strcmp(userstyle, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
userstyle, p);
fail++;
}
xfree(p);
free(userstyle);
free(p);
buffer_skip_string(&b);
if (datafellows & SSH_BUG_PKAUTH) {
if (!buffer_get_char(&b))
fail++;
} else {
p = buffer_get_string(&b, NULL);
p = buffer_get_cstring(&b, NULL);
if (strcmp("publickey", p) != 0)
fail++;
xfree(p);
free(p);
if (!buffer_get_char(&b))
fail++;
buffer_skip_string(&b);
@ -1292,7 +1303,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
char *chost)
{
Buffer b;
char *p;
char *p, *userstyle;
u_int len;
int fail = 0;
@ -1304,22 +1315,26 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
(len != session_id2_len) ||
(timingsafe_bcmp(p, session_id2, session_id2_len) != 0))
fail++;
xfree(p);
free(p);
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
if (strcmp(authctxt->user, p) != 0) {
p = buffer_get_cstring(&b, NULL);
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
if (strcmp(userstyle, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
userstyle, p);
fail++;
}
xfree(p);
free(userstyle);
free(p);
buffer_skip_string(&b); /* service */
p = buffer_get_string(&b, NULL);
p = buffer_get_cstring(&b, NULL);
if (strcmp(p, "hostbased") != 0)
fail++;
xfree(p);
free(p);
buffer_skip_string(&b); /* pkalg */
buffer_skip_string(&b); /* pkblob */
@ -1329,13 +1344,13 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
p[len - 1] = '\0';
if (strcmp(p, chost) != 0)
fail++;
xfree(p);
free(p);
/* verify client user */
p = buffer_get_string(&b, NULL);
if (strcmp(p, cuser) != 0)
fail++;
xfree(p);
free(p);
if (buffer_len(&b) != 0)
fail++;
@ -1384,9 +1399,9 @@ mm_answer_keyverify(int sock, Buffer *m)
__func__, key, (verified == 1) ? "verified" : "unverified");
key_free(key);
xfree(blob);
xfree(signature);
xfree(data);
free(blob);
free(signature);
free(data);
auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
@ -1514,7 +1529,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m)
if ((s = session_by_tty(tty)) != NULL)
mm_session_close(s);
buffer_clear(m);
xfree(tty);
free(tty);
return (0);
}
@ -1646,7 +1661,7 @@ mm_answer_rsa_challenge(int sock, Buffer *m)
monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
xfree(blob);
free(blob);
key_free(key);
return (0);
}
@ -1678,9 +1693,9 @@ mm_answer_rsa_response(int sock, Buffer *m)
fatal("%s: received bad response to challenge", __func__);
success = auth_rsa_verify_response(key, ssh1_challenge, response);
xfree(blob);
free(blob);
key_free(key);
xfree(response);
free(response);
auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
@ -1759,7 +1774,7 @@ mm_answer_audit_command(int socket, Buffer *m)
cmd = buffer_get_string(m, &len);
/* sanity check command, if so how? */
audit_run_command(cmd);
xfree(cmd);
free(cmd);
return (0);
}
#endif /* SSH_AUDIT_EVENTS */
@ -1774,20 +1789,20 @@ monitor_apply_keystate(struct monitor *pmonitor)
packet_set_protocol_flags(child_state.ssh1protoflags);
packet_set_encryption_key(child_state.ssh1key,
child_state.ssh1keylen, child_state.ssh1cipher);
xfree(child_state.ssh1key);
free(child_state.ssh1key);
}
/* for rc4 and other stateful ciphers */
packet_set_keycontext(MODE_OUT, child_state.keyout);
xfree(child_state.keyout);
free(child_state.keyout);
packet_set_keycontext(MODE_IN, child_state.keyin);
xfree(child_state.keyin);
free(child_state.keyin);
if (!compat20) {
packet_set_iv(MODE_OUT, child_state.ivout);
xfree(child_state.ivout);
free(child_state.ivout);
packet_set_iv(MODE_IN, child_state.ivin);
xfree(child_state.ivin);
free(child_state.ivin);
}
memcpy(&incoming_stream, &child_state.incoming,
@ -1799,18 +1814,22 @@ monitor_apply_keystate(struct monitor *pmonitor)
if (options.compression)
mm_init_compression(pmonitor->m_zlib);
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
(time_t)options.rekey_interval);
/* Network I/O buffers */
/* XXX inefficient for large buffers, need: buffer_init_from_string */
buffer_clear(packet_get_input());
buffer_append(packet_get_input(), child_state.input, child_state.ilen);
memset(child_state.input, 0, child_state.ilen);
xfree(child_state.input);
free(child_state.input);
buffer_clear(packet_get_output());
buffer_append(packet_get_output(), child_state.output,
child_state.olen);
memset(child_state.output, 0, child_state.olen);
xfree(child_state.output);
free(child_state.output);
/* Roaming */
if (compat20)
@ -1842,11 +1861,11 @@ mm_get_kex(Buffer *m)
blob = buffer_get_string(m, &bloblen);
buffer_init(&kex->my);
buffer_append(&kex->my, blob, bloblen);
xfree(blob);
free(blob);
blob = buffer_get_string(m, &bloblen);
buffer_init(&kex->peer);
buffer_append(&kex->peer, blob, bloblen);
xfree(blob);
free(blob);
kex->done = 1;
kex->flags = buffer_get_int(m);
kex->client_version_string = buffer_get_string(m, NULL);
@ -1854,6 +1873,7 @@ mm_get_kex(Buffer *m)
kex->load_host_public_key=&get_hostkey_public_by_type;
kex->load_host_private_key=&get_hostkey_private_by_type;
kex->host_key_index=&get_hostkey_index;
kex->sign = sshd_hostkey_sign;
return (kex);
}
@ -1889,12 +1909,12 @@ mm_get_keystate(struct monitor *pmonitor)
blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
xfree(blob);
free(blob);
debug3("%s: Waiting for second key", __func__);
blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen);
xfree(blob);
free(blob);
/* Now get sequence numbers for the packets */
seqnr = buffer_get_int(&m);
@ -1919,13 +1939,13 @@ mm_get_keystate(struct monitor *pmonitor)
if (plen != sizeof(child_state.outgoing))
fatal("%s: bad request size", __func__);
memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing));
xfree(p);
free(p);
p = buffer_get_string(&m, &plen);
if (plen != sizeof(child_state.incoming))
fatal("%s: bad request size", __func__);
memcpy(&child_state.incoming, p, sizeof(child_state.incoming));
xfree(p);
free(p);
/* Network I/O buffers */
debug3("%s: Getting Network I/O buffers", __func__);
@ -2047,7 +2067,7 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
major = ssh_gssapi_server_ctx(&gsscontext, &goid);
xfree(goid.elements);
free(goid.elements);
buffer_clear(m);
buffer_put_int(m, major);
@ -2072,7 +2092,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
xfree(in.value);
free(in.value);
buffer_clear(m);
buffer_put_int(m, major);
@ -2104,8 +2124,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
xfree(gssbuf.value);
xfree(mic.value);
free(gssbuf.value);
free(mic.value);
buffer_clear(m);
buffer_put_int(m, ret);
@ -2175,8 +2195,8 @@ mm_answer_jpake_step1(int sock, Buffer *m)
bzero(x3_proof, x3_proof_len);
bzero(x4_proof, x4_proof_len);
xfree(x3_proof);
xfree(x4_proof);
free(x3_proof);
free(x4_proof);
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0);
@ -2205,8 +2225,8 @@ mm_answer_jpake_get_pwdata(int sock, Buffer *m)
bzero(hash_scheme, strlen(hash_scheme));
bzero(salt, strlen(salt));
xfree(hash_scheme);
xfree(salt);
free(hash_scheme);
free(salt);
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1);
@ -2245,8 +2265,8 @@ mm_answer_jpake_step2(int sock, Buffer *m)
bzero(x1_proof, x1_proof_len);
bzero(x2_proof, x2_proof_len);
xfree(x1_proof);
xfree(x2_proof);
free(x1_proof);
free(x2_proof);
buffer_clear(m);
@ -2257,7 +2277,7 @@ mm_answer_jpake_step2(int sock, Buffer *m)
mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m);
bzero(x4_s_proof, x4_s_proof_len);
xfree(x4_s_proof);
free(x4_s_proof);
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1);
@ -2325,7 +2345,7 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__));
bzero(peer_confirm_hash, peer_confirm_hash_len);
xfree(peer_confirm_hash);
free(peer_confirm_hash);
buffer_clear(m);
buffer_put_int(m, authenticated);

13
crypto/openssh/monitor_mm.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor_mm.c,v 1.16 2009/06/22 05:39:28 dtucker Exp $ */
/* $OpenBSD: monitor_mm.c,v 1.17 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@ -35,6 +35,7 @@
#include <errno.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include "xmalloc.h"
@ -124,7 +125,7 @@ mm_freelist(struct mm_master *mmalloc, struct mmtree *head)
next = RB_NEXT(mmtree, head, mms);
RB_REMOVE(mmtree, head, mms);
if (mmalloc == NULL)
xfree(mms);
free(mms);
else
mm_free(mmalloc, mms);
}
@ -147,7 +148,7 @@ mm_destroy(struct mm_master *mm)
__func__);
#endif
if (mm->mmalloc == NULL)
xfree(mm);
free(mm);
else
mm_free(mm->mmalloc, mm);
}
@ -198,7 +199,7 @@ mm_malloc(struct mm_master *mm, size_t size)
if (mms->size == 0) {
RB_REMOVE(mmtree, &mm->rb_free, mms);
if (mm->mmalloc == NULL)
xfree(mms);
free(mms);
else
mm_free(mm->mmalloc, mms);
}
@ -254,7 +255,7 @@ mm_free(struct mm_master *mm, void *address)
prev->size += mms->size;
RB_REMOVE(mmtree, &mm->rb_free, mms);
if (mm->mmalloc == NULL)
xfree(mms);
free(mms);
else
mm_free(mm->mmalloc, mms);
} else
@ -278,7 +279,7 @@ mm_free(struct mm_master *mm, void *address)
RB_REMOVE(mmtree, &mm->rb_free, mms);
if (mm->mmalloc == NULL)
xfree(mms);
free(mms);
else
mm_free(mm->mmalloc, mms);
}

38
crypto/openssh/monitor_wrap.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor_wrap.c,v 1.75 2013/01/08 18:49:04 markus Exp $ */
/* $OpenBSD: monitor_wrap.c,v 1.76 2013/05/17 00:13:13 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -259,8 +259,10 @@ mm_getpwnamallow(const char *username)
fatal("%s: struct passwd size mismatch", __func__);
pw->pw_name = buffer_get_string(&m, NULL);
pw->pw_passwd = buffer_get_string(&m, NULL);
#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
pw->pw_gecos = buffer_get_string(&m, NULL);
#ifdef HAVE_PW_CLASS_IN_PASSWD
#endif
#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
pw->pw_class = buffer_get_string(&m, NULL);
#endif
pw->pw_dir = buffer_get_string(&m, NULL);
@ -286,7 +288,7 @@ mm_getpwnamallow(const char *username)
#undef M_CP_STRARRAYOPT
copy_set_server_options(&options, newopts, 1);
xfree(newopts);
free(newopts);
buffer_free(&m);
@ -312,7 +314,7 @@ mm_auth2_read_banner(void)
/* treat empty banner as missing banner */
if (strlen(banner) == 0) {
xfree(banner);
free(banner);
banner = NULL;
}
return (banner);
@ -405,7 +407,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
buffer_put_cstring(&m, user ? user : "");
buffer_put_cstring(&m, host ? host : "");
buffer_put_string(&m, blob, len);
xfree(blob);
free(blob);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);
@ -448,7 +450,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
buffer_put_string(&m, blob, len);
buffer_put_string(&m, sig, siglen);
buffer_put_string(&m, data, datalen);
xfree(blob);
free(blob);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);
@ -617,7 +619,7 @@ mm_send_keystate(struct monitor *monitor)
keylen = packet_get_encryption_key(key);
buffer_put_string(&m, key, keylen);
memset(key, 0, keylen);
xfree(key);
free(key);
ivlen = packet_get_keyiv_len(MODE_OUT);
packet_get_keyiv(MODE_OUT, iv, ivlen);
@ -640,13 +642,13 @@ mm_send_keystate(struct monitor *monitor)
fatal("%s: conversion of newkeys failed", __func__);
buffer_put_string(&m, blob, bloblen);
xfree(blob);
free(blob);
if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen))
fatal("%s: conversion of newkeys failed", __func__);
buffer_put_string(&m, blob, bloblen);
xfree(blob);
free(blob);
packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes);
buffer_put_int(&m, seqnr);
@ -666,13 +668,13 @@ mm_send_keystate(struct monitor *monitor)
p = xmalloc(plen+1);
packet_get_keycontext(MODE_OUT, p);
buffer_put_string(&m, p, plen);
xfree(p);
free(p);
plen = packet_get_keycontext(MODE_IN, NULL);
p = xmalloc(plen+1);
packet_get_keycontext(MODE_IN, p);
buffer_put_string(&m, p, plen);
xfree(p);
free(p);
/* Compression state */
debug3("%s: Sending compression state", __func__);
@ -734,10 +736,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
buffer_free(&m);
strlcpy(namebuf, p, namebuflen); /* Possible truncation */
xfree(p);
free(p);
buffer_append(&loginmsg, msg, strlen(msg));
xfree(msg);
free(msg);
if ((*ptyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1 ||
(*ttyfd = mm_receive_fd(pmonitor->m_recvfd)) == -1)
@ -803,7 +805,7 @@ mm_do_pam_account(void)
ret = buffer_get_int(&m);
msg = buffer_get_string(&m, NULL);
buffer_append(&loginmsg, msg, strlen(msg));
xfree(msg);
free(msg);
buffer_free(&m);
@ -1033,7 +1035,7 @@ mm_skey_query(void *ctx, char **name, char **infotxt,
mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
xfree(challenge);
free(challenge);
return (0);
}
@ -1107,7 +1109,7 @@ mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
if ((key = key_from_blob(blob, blen)) == NULL)
fatal("%s: key_from_blob failed", __func__);
*rkey = key;
xfree(blob);
free(blob);
}
buffer_free(&m);
@ -1134,7 +1136,7 @@ mm_auth_rsa_generate_challenge(Key *key)
buffer_init(&m);
buffer_put_string(&m, blob, blen);
xfree(blob);
free(blob);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m);
@ -1163,7 +1165,7 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
buffer_init(&m);
buffer_put_string(&m, blob, blen);
buffer_put_string(&m, response, 16);
xfree(blob);
free(blob);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m);

154
crypto/openssh/mux.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: mux.c,v 1.38 2013/01/02 00:32:07 djm Exp $ */
/* $OpenBSD: mux.c,v 1.44 2013/07/12 00:19:58 djm Exp $ */
/*
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
*
@ -184,7 +184,7 @@ static const struct {
/* Cleanup callback fired on closure of mux slave _session_ channel */
/* ARGSUSED */
void
static void
mux_master_session_cleanup_cb(int cid, void *unused)
{
Channel *cc, *c = channel_by_id(cid);
@ -219,7 +219,8 @@ mux_master_control_cleanup_cb(int cid, void *unused)
__func__, c->self, c->remote_id);
c->remote_id = -1;
sc->ctl_chan = -1;
if (sc->type != SSH_CHANNEL_OPEN) {
if (sc->type != SSH_CHANNEL_OPEN &&
sc->type != SSH_CHANNEL_OPENING) {
debug2("%s: channel %d: not open", __func__, sc->self);
chan_mark_dead(sc);
} else {
@ -286,13 +287,13 @@ process_mux_master_hello(u_int rid, Channel *c, Buffer *m, Buffer *r)
char *value = buffer_get_string_ret(m, NULL);
if (name == NULL || value == NULL) {
if (name != NULL)
xfree(name);
free(name);
free(value);
goto malf;
}
debug2("Unrecognised slave extension \"%s\"", name);
xfree(name);
xfree(value);
free(name);
free(value);
}
state->hello_rcvd = 1;
return 0;
@ -323,21 +324,17 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
(cctx->term = buffer_get_string_ret(m, &len)) == NULL ||
(cmd = buffer_get_string_ret(m, &len)) == NULL) {
malf:
if (cmd != NULL)
xfree(cmd);
if (reserved != NULL)
xfree(reserved);
free(cmd);
free(reserved);
for (j = 0; j < env_len; j++)
xfree(cctx->env[j]);
if (env_len > 0)
xfree(cctx->env);
if (cctx->term != NULL)
xfree(cctx->term);
xfree(cctx);
free(cctx->env[j]);
free(cctx->env);
free(cctx->term);
free(cctx);
error("%s: malformed message", __func__);
return -1;
}
xfree(reserved);
free(reserved);
reserved = NULL;
while (buffer_len(m) > 0) {
@ -345,7 +342,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
if ((cp = buffer_get_string_ret(m, &len)) == NULL)
goto malf;
if (!env_permitted(cp)) {
xfree(cp);
free(cp);
continue;
}
cctx->env = xrealloc(cctx->env, env_len + 2,
@ -366,7 +363,7 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
buffer_init(&cctx->cmd);
buffer_append(&cctx->cmd, cmd, strlen(cmd));
xfree(cmd);
free(cmd);
cmd = NULL;
/* Gather fds from client */
@ -377,12 +374,11 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
for (j = 0; j < i; j++)
close(new_fd[j]);
for (j = 0; j < env_len; j++)
xfree(cctx->env[j]);
if (env_len > 0)
xfree(cctx->env);
xfree(cctx->term);
free(cctx->env[j]);
free(cctx->env);
free(cctx->term);
buffer_free(&cctx->cmd);
xfree(cctx);
free(cctx);
/* prepare reply */
buffer_put_int(r, MUX_S_FAILURE);
@ -407,14 +403,14 @@ process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
close(new_fd[0]);
close(new_fd[1]);
close(new_fd[2]);
xfree(cctx->term);
free(cctx->term);
if (env_len != 0) {
for (i = 0; i < env_len; i++)
xfree(cctx->env[i]);
xfree(cctx->env);
free(cctx->env[i]);
free(cctx->env);
}
buffer_free(&cctx->cmd);
xfree(cctx);
free(cctx);
return 0;
}
@ -619,7 +615,7 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
buffer_put_int(&out, MUX_S_FAILURE);
buffer_put_int(&out, fctx->rid);
buffer_put_cstring(&out, failmsg);
xfree(failmsg);
free(failmsg);
out:
buffer_put_string(&c->output, buffer_ptr(&out), buffer_len(&out));
buffer_free(&out);
@ -634,25 +630,28 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
Forward fwd;
char *fwd_desc = NULL;
u_int ftype;
u_int lport, cport;
int i, ret = 0, freefwd = 1;
fwd.listen_host = fwd.connect_host = NULL;
if (buffer_get_int_ret(&ftype, m) != 0 ||
(fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
buffer_get_int_ret(&fwd.listen_port, m) != 0 ||
buffer_get_int_ret(&lport, m) != 0 ||
(fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL ||
buffer_get_int_ret(&fwd.connect_port, m) != 0) {
buffer_get_int_ret(&cport, m) != 0 ||
lport > 65535 || cport > 65535) {
error("%s: malformed message", __func__);
ret = -1;
goto out;
}
fwd.listen_port = lport;
fwd.connect_port = cport;
if (*fwd.listen_host == '\0') {
xfree(fwd.listen_host);
free(fwd.listen_host);
fwd.listen_host = NULL;
}
if (*fwd.connect_host == '\0') {
xfree(fwd.connect_host);
free(fwd.connect_host);
fwd.connect_host = NULL;
}
@ -663,10 +662,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
ftype != MUX_FWD_DYNAMIC) {
logit("%s: invalid forwarding type %u", __func__, ftype);
invalid:
if (fwd.listen_host)
xfree(fwd.listen_host);
if (fwd.connect_host)
xfree(fwd.connect_host);
free(fwd.listen_host);
free(fwd.connect_host);
buffer_put_int(r, MUX_S_FAILURE);
buffer_put_int(r, rid);
buffer_put_cstring(r, "Invalid forwarding request");
@ -768,13 +765,10 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
buffer_put_int(r, MUX_S_OK);
buffer_put_int(r, rid);
out:
if (fwd_desc != NULL)
xfree(fwd_desc);
free(fwd_desc);
if (freefwd) {
if (fwd.listen_host != NULL)
xfree(fwd.listen_host);
if (fwd.connect_host != NULL)
xfree(fwd.connect_host);
free(fwd.listen_host);
free(fwd.connect_host);
}
return ret;
}
@ -787,24 +781,28 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
const char *error_reason = NULL;
u_int ftype;
int i, listen_port, ret = 0;
u_int lport, cport;
fwd.listen_host = fwd.connect_host = NULL;
if (buffer_get_int_ret(&ftype, m) != 0 ||
(fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
buffer_get_int_ret(&fwd.listen_port, m) != 0 ||
buffer_get_int_ret(&lport, m) != 0 ||
(fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL ||
buffer_get_int_ret(&fwd.connect_port, m) != 0) {
buffer_get_int_ret(&cport, m) != 0 ||
lport > 65535 || cport > 65535) {
error("%s: malformed message", __func__);
ret = -1;
goto out;
}
fwd.listen_port = lport;
fwd.connect_port = cport;
if (*fwd.listen_host == '\0') {
xfree(fwd.listen_host);
free(fwd.listen_host);
fwd.listen_host = NULL;
}
if (*fwd.connect_host == '\0') {
xfree(fwd.connect_host);
free(fwd.connect_host);
fwd.connect_host = NULL;
}
@ -861,10 +859,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
buffer_put_int(r, MUX_S_OK);
buffer_put_int(r, rid);
if (found_fwd->listen_host != NULL)
xfree(found_fwd->listen_host);
if (found_fwd->connect_host != NULL)
xfree(found_fwd->connect_host);
free(found_fwd->listen_host);
free(found_fwd->connect_host);
found_fwd->listen_host = found_fwd->connect_host = NULL;
found_fwd->listen_port = found_fwd->connect_port = 0;
} else {
@ -873,12 +869,9 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
buffer_put_cstring(r, error_reason);
}
out:
if (fwd_desc != NULL)
xfree(fwd_desc);
if (fwd.listen_host != NULL)
xfree(fwd.listen_host);
if (fwd.connect_host != NULL)
xfree(fwd.connect_host);
free(fwd_desc);
free(fwd.listen_host);
free(fwd.connect_host);
return ret;
}
@ -895,14 +888,12 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
if ((reserved = buffer_get_string_ret(m, NULL)) == NULL ||
(chost = buffer_get_string_ret(m, NULL)) == NULL ||
buffer_get_int_ret(&cport, m) != 0) {
if (reserved != NULL)
xfree(reserved);
if (chost != NULL)
xfree(chost);
free(reserved);
free(chost);
error("%s: malformed message", __func__);
return -1;
}
xfree(reserved);
free(reserved);
debug2("%s: channel %d: request stdio fwd to %s:%u",
__func__, c->self, chost, cport);
@ -914,7 +905,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
__func__, i);
for (j = 0; j < i; j++)
close(new_fd[j]);
xfree(chost);
free(chost);
/* prepare reply */
buffer_put_int(r, MUX_S_FAILURE);
@ -938,7 +929,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
cleanup:
close(new_fd[0]);
close(new_fd[1]);
xfree(chost);
free(chost);
return 0;
}
@ -1000,7 +991,7 @@ process_mux_stop_listening(u_int rid, Channel *c, Buffer *m, Buffer *r)
if (mux_listener_channel != NULL) {
channel_free(mux_listener_channel);
client_stop_mux();
xfree(options.control_path);
free(options.control_path);
options.control_path = NULL;
mux_listener_channel = NULL;
muxserver_sock = -1;
@ -1100,7 +1091,7 @@ mux_exit_message(Channel *c, int exitval)
Buffer m;
Channel *mux_chan;
debug3("%s: channel %d: exit message, evitval %d", __func__, c->self,
debug3("%s: channel %d: exit message, exitval %d", __func__, c->self,
exitval);
if ((mux_chan = channel_by_id(c->ctl_chan)) == NULL)
@ -1197,8 +1188,8 @@ muxserver_listen(void)
close(muxserver_sock);
muxserver_sock = -1;
}
xfree(orig_control_path);
xfree(options.control_path);
free(orig_control_path);
free(options.control_path);
options.control_path = NULL;
options.control_master = SSHCTL_MASTER_NO;
return;
@ -1223,7 +1214,7 @@ muxserver_listen(void)
goto disable_mux_master;
}
unlink(options.control_path);
xfree(options.control_path);
free(options.control_path);
options.control_path = orig_control_path;
set_nonblock(muxserver_sock);
@ -1308,13 +1299,13 @@ mux_session_confirm(int id, int success, void *arg)
cc->mux_pause = 0; /* start processing messages again */
c->open_confirm_ctx = NULL;
buffer_free(&cctx->cmd);
xfree(cctx->term);
free(cctx->term);
if (cctx->env != NULL) {
for (i = 0; cctx->env[i] != NULL; i++)
xfree(cctx->env[i]);
xfree(cctx->env);
free(cctx->env[i]);
free(cctx->env);
}
xfree(cctx);
free(cctx);
}
/* ** Multiplexing client support */
@ -1444,7 +1435,9 @@ mux_client_read_packet(int fd, Buffer *m)
buffer_init(&queue);
if (mux_client_read(fd, &queue, 4) != 0) {
if ((oerrno = errno) == EPIPE)
debug3("%s: read header failed: %s", __func__, strerror(errno));
debug3("%s: read header failed: %s", __func__,
strerror(errno));
buffer_free(&queue);
errno = oerrno;
return -1;
}
@ -1452,6 +1445,7 @@ mux_client_read_packet(int fd, Buffer *m)
if (mux_client_read(fd, &queue, need) != 0) {
oerrno = errno;
debug3("%s: read body failed: %s", __func__, strerror(errno));
buffer_free(&queue);
errno = oerrno;
return -1;
}
@ -1498,8 +1492,8 @@ mux_client_hello_exchange(int fd)
char *value = buffer_get_string(&m, NULL);
debug2("Unrecognised master extension \"%s\"", name);
xfree(name);
xfree(value);
free(name);
free(value);
}
buffer_free(&m);
return 0;
@ -1608,7 +1602,7 @@ mux_client_forward(int fd, int cancel_flag, u_int ftype, Forward *fwd)
fwd_desc = format_forward(ftype, fwd);
debug("Requesting %s %s",
cancel_flag ? "cancellation of" : "forwarding of", fwd_desc);
xfree(fwd_desc);
free(fwd_desc);
buffer_init(&m);
buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD);
@ -1845,7 +1839,7 @@ mux_client_request_session(int fd)
leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
if (muxclient_terminate) {
debug2("Exiting on signal %d", muxclient_terminate);
debug2("Exiting on signal %ld", (long)muxclient_terminate);
exitval = 255;
} else if (!exitval_seen) {
debug2("Control master terminated unexpectedly");

28
crypto/openssh/myproposal.h
View File

@ -27,6 +27,8 @@
#include <openssl/opensslv.h>
/* conditional algorithm support */
#ifdef OPENSSL_HAS_ECC
# define KEX_ECDH_METHODS \
"ecdh-sha2-nistp256," \
@ -46,12 +48,22 @@
# define HOSTKEY_ECDSA_METHODS
#endif
/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
#ifdef OPENSSL_HAVE_EVPGCM
# define AESGCM_CIPHER_MODES \
"aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
#else
# define AESGCM_CIPHER_MODES
#endif
#ifdef HAVE_EVP_SHA256
# define KEX_SHA256_METHODS \
"diffie-hellman-group-exchange-sha256,"
#define SHA2_HMAC_MODES \
"hmac-sha2-256," \
"hmac-sha2-512,"
#else
# define KEX_SHA256_METHODS
# define SHA2_HMAC_MODES
#endif
# define KEX_DEFAULT_KEX \
@ -71,23 +83,19 @@
"ssh-rsa," \
"ssh-dss"
/* the actual algorithms */
#define KEX_DEFAULT_ENCRYPT \
"aes128-ctr,aes192-ctr,aes256-ctr," \
"arcfour256,arcfour128," \
"aes128-gcm@openssh.com,aes256-gcm@openssh.com," \
AESGCM_CIPHER_MODES \
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
#ifdef NONE_CIPHER_ENABLED
#define KEX_ENCRYPT_INCLUDE_NONE KEX_DEFAULT_ENCRYPT \
",none"
#endif
#ifdef HAVE_EVP_SHA256
#define SHA2_HMAC_MODES \
"hmac-sha2-256," \
"hmac-sha2-512,"
#else
# define SHA2_HMAC_MODES
#endif
#define KEX_DEFAULT_MAC \
"hmac-md5-etm@openssh.com," \
"hmac-sha1-etm@openssh.com," \

2
crypto/openssh/openbsd-compat/bsd-cygwin_util.c
View File

@ -97,7 +97,7 @@ fetch_windows_environment(void)
void
free_windows_environment(char **p)
{
xfree(p);
free(p);
}
#endif /* HAVE_CYGWIN */

2
crypto/openssh/openbsd-compat/bsd-cygwin_util.h
View File

@ -1,4 +1,4 @@
/* $Id: bsd-cygwin_util.h,v 1.15.4.1 2013/04/04 23:53:31 dtucker Exp $ */
/* $Id: bsd-cygwin_util.h,v 1.16 2013/04/01 01:40:49 dtucker Exp $ */
/*
* Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com>

14
crypto/openssh/openbsd-compat/bsd-misc.h
View File

@ -1,4 +1,4 @@
/* $Id: bsd-misc.h,v 1.23 2013/03/14 23:34:27 djm Exp $ */
/* $Id: bsd-misc.h,v 1.25 2013/08/04 11:48:41 dtucker Exp $ */
/*
* Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
@ -110,4 +110,16 @@ int isblank(int);
pid_t getpgid(pid_t);
#endif
#ifndef HAVE_ENDGRENT
# define endgrent() do { } while (0)
#endif
#ifndef HAVE_KRB5_GET_ERROR_MESSAGE
# define krb5_get_error_message krb5_get_err_text
#endif
#ifndef HAVE_KRB5_FREE_ERROR_MESSAGE
# define krb5_free_error_message(a,b) do { } while(0)
#endif
#endif /* _BSD_MISC_H */

123
crypto/openssh/openbsd-compat/getopt.c
View File

@ -1,123 +0,0 @@
/*
* Copyright (c) 1987, 1993, 1994
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */
#include "includes.h"
#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
#if defined(LIBC_SCCS) && !defined(lint)
static char *rcsid = "$OpenBSD: getopt.c,v 1.5 2003/06/02 20:18:37 millert Exp $";
#endif /* LIBC_SCCS and not lint */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int BSDopterr = 1, /* if error message should be printed */
BSDoptind = 1, /* index into parent argv vector */
BSDoptopt, /* character checked for validity */
BSDoptreset; /* reset getopt */
char *BSDoptarg; /* argument associated with option */
#define BADCH (int)'?'
#define BADARG (int)':'
#define EMSG ""
/*
* getopt --
* Parse argc/argv argument vector.
*/
int
BSDgetopt(nargc, nargv, ostr)
int nargc;
char * const *nargv;
const char *ostr;
{
extern char *__progname;
static char *place = EMSG; /* option letter processing */
char *oli; /* option letter list index */
if (ostr == NULL)
return (-1);
if (BSDoptreset || !*place) { /* update scanning pointer */
BSDoptreset = 0;
if (BSDoptind >= nargc || *(place = nargv[BSDoptind]) != '-') {
place = EMSG;
return (-1);
}
if (place[1] && *++place == '-') { /* found "--" */
++BSDoptind;
place = EMSG;
return (-1);
}
} /* option letter okay? */
if ((BSDoptopt = (int)*place++) == (int)':' ||
!(oli = strchr(ostr, BSDoptopt))) {
/*
* if the user didn't specify '-' as an option,
* assume it means -1.
*/
if (BSDoptopt == (int)'-')
return (-1);
if (!*place)
++BSDoptind;
if (BSDopterr && *ostr != ':')
(void)fprintf(stderr,
"%s: illegal option -- %c\n", __progname, BSDoptopt);
return (BADCH);
}
if (*++oli != ':') { /* don't need argument */
BSDoptarg = NULL;
if (!*place)
++BSDoptind;
}
else { /* need an argument */
if (*place) /* no white space */
BSDoptarg = place;
else if (nargc <= ++BSDoptind) { /* no arg */
place = EMSG;
if (*ostr == ':')
return (BADARG);
if (BSDopterr)
(void)fprintf(stderr,
"%s: option requires an argument -- %c\n",
__progname, BSDoptopt);
return (BADCH);
}
else /* white space */
BSDoptarg = nargv[BSDoptind];
place = EMSG;
++BSDoptind;
}
return (BSDoptopt); /* dump back option letter */
}
#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */

74
crypto/openssh/openbsd-compat/getopt.h Normal file
View File

@ -0,0 +1,74 @@
/* $OpenBSD: getopt.h,v 1.2 2008/06/26 05:42:04 ray Exp $ */
/* $NetBSD: getopt.h,v 1.4 2000/07/07 10:43:54 ad Exp $ */
/*-
* Copyright (c) 2000 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Dieter Baron and Thomas Klausner.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _GETOPT_H_
#define _GETOPT_H_
/*
* GNU-like getopt_long() and 4.4BSD getsubopt()/optreset extensions
*/
#define no_argument 0
#define required_argument 1
#define optional_argument 2
struct option {
/* name of long option */
const char *name;
/*
* one of no_argument, required_argument, and optional_argument:
* whether option takes an argument
*/
int has_arg;
/* if not NULL, set *flag to val when option found */
int *flag;
/* if flag not NULL, value to set *flag to; else return value */
int val;
};
int getopt_long(int, char * const *, const char *,
const struct option *, int *);
int getopt_long_only(int, char * const *, const char *,
const struct option *, int *);
#ifndef _GETOPT_DEFINED_
#define _GETOPT_DEFINED_
int getopt(int, char * const *, const char *);
int getsubopt(char **, char * const *, char **);
extern char *optarg; /* getopt(3) external variables */
extern int opterr;
extern int optind;
extern int optopt;
extern int optreset;
extern char *suboptarg; /* getsubopt(3) external variable */
#endif
#endif /* !_GETOPT_H_ */

532
crypto/openssh/openbsd-compat/getopt_long.c Normal file
View File

@ -0,0 +1,532 @@
/* $OpenBSD: getopt_long.c,v 1.25 2011/03/05 22:10:11 guenther Exp $ */
/* $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $ */
/*
* Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*
* Sponsored in part by the Defense Advanced Research Projects
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
/*-
* Copyright (c) 2000 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
* by Dieter Baron and Thomas Klausner.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt_long.c */
#include "includes.h"
#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
/*
* Some defines to make it easier to keep the code in sync with upstream.
* getopt opterr optind optopt optreset optarg are all in defines.h which is
* pulled in by includes.h.
*/
#define warnx logit
#if 0
#include <err.h>
#include <getopt.h>
#endif
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include "log.h"
int opterr = 1; /* if error message should be printed */
int optind = 1; /* index into parent argv vector */
int optopt = '?'; /* character checked for validity */
int optreset; /* reset getopt */
char *optarg; /* argument associated with option */
#define PRINT_ERROR ((opterr) && (*options != ':'))
#define FLAG_PERMUTE 0x01 /* permute non-options to the end of argv */
#define FLAG_ALLARGS 0x02 /* treat non-options as args to option "-1" */
#define FLAG_LONGONLY 0x04 /* operate as getopt_long_only */
/* return values */
#define BADCH (int)'?'
#define BADARG ((*options == ':') ? (int)':' : (int)'?')
#define INORDER (int)1
#define EMSG ""
static int getopt_internal(int, char * const *, const char *,
const struct option *, int *, int);
static int parse_long_options(char * const *, const char *,
const struct option *, int *, int);
static int gcd(int, int);
static void permute_args(int, int, int, char * const *);
static char *place = EMSG; /* option letter processing */
/* XXX: set optreset to 1 rather than these two */
static int nonopt_start = -1; /* first non option argument (for permute) */
static int nonopt_end = -1; /* first option after non options (for permute) */
/* Error messages */
static const char recargchar[] = "option requires an argument -- %c";
static const char recargstring[] = "option requires an argument -- %s";
static const char ambig[] = "ambiguous option -- %.*s";
static const char noarg[] = "option doesn't take an argument -- %.*s";
static const char illoptchar[] = "unknown option -- %c";
static const char illoptstring[] = "unknown option -- %s";
/*
* Compute the greatest common divisor of a and b.
*/
static int
gcd(int a, int b)
{
int c;
c = a % b;
while (c != 0) {
a = b;
b = c;
c = a % b;
}
return (b);
}
/*
* Exchange the block from nonopt_start to nonopt_end with the block
* from nonopt_end to opt_end (keeping the same order of arguments
* in each block).
*/
static void
permute_args(int panonopt_start, int panonopt_end, int opt_end,
char * const *nargv)
{
int cstart, cyclelen, i, j, ncycle, nnonopts, nopts, pos;
char *swap;
/*
* compute lengths of blocks and number and size of cycles
*/
nnonopts = panonopt_end - panonopt_start;
nopts = opt_end - panonopt_end;
ncycle = gcd(nnonopts, nopts);
cyclelen = (opt_end - panonopt_start) / ncycle;
for (i = 0; i < ncycle; i++) {
cstart = panonopt_end+i;
pos = cstart;
for (j = 0; j < cyclelen; j++) {
if (pos >= panonopt_end)
pos -= nnonopts;
else
pos += nopts;
swap = nargv[pos];
/* LINTED const cast */
((char **) nargv)[pos] = nargv[cstart];
/* LINTED const cast */
((char **)nargv)[cstart] = swap;
}
}
}
/*
* parse_long_options --
* Parse long options in argc/argv argument vector.
* Returns -1 if short_too is set and the option does not match long_options.
*/
static int
parse_long_options(char * const *nargv, const char *options,
const struct option *long_options, int *idx, int short_too)
{
char *current_argv, *has_equal;
size_t current_argv_len;
int i, match;
current_argv = place;
match = -1;
optind++;
if ((has_equal = strchr(current_argv, '=')) != NULL) {
/* argument found (--option=arg) */
current_argv_len = has_equal - current_argv;
has_equal++;
} else
current_argv_len = strlen(current_argv);
for (i = 0; long_options[i].name; i++) {
/* find matching long option */
if (strncmp(current_argv, long_options[i].name,
current_argv_len))
continue;
if (strlen(long_options[i].name) == current_argv_len) {
/* exact match */
match = i;
break;
}
/*
* If this is a known short option, don't allow
* a partial match of a single character.
*/
if (short_too && current_argv_len == 1)
continue;
if (match == -1) /* partial match */
match = i;
else {
/* ambiguous abbreviation */
if (PRINT_ERROR)
warnx(ambig, (int)current_argv_len,
current_argv);
optopt = 0;
return (BADCH);
}
}
if (match != -1) { /* option found */
if (long_options[match].has_arg == no_argument
&& has_equal) {
if (PRINT_ERROR)
warnx(noarg, (int)current_argv_len,
current_argv);
/*
* XXX: GNU sets optopt to val regardless of flag
*/
if (long_options[match].flag == NULL)
optopt = long_options[match].val;
else
optopt = 0;
return (BADARG);
}
if (long_options[match].has_arg == required_argument ||
long_options[match].has_arg == optional_argument) {
if (has_equal)
optarg = has_equal;
else if (long_options[match].has_arg ==
required_argument) {
/*
* optional argument doesn't use next nargv
*/
optarg = nargv[optind++];
}
}
if ((long_options[match].has_arg == required_argument)
&& (optarg == NULL)) {
/*
* Missing argument; leading ':' indicates no error
* should be generated.
*/
if (PRINT_ERROR)
warnx(recargstring,
current_argv);
/*
* XXX: GNU sets optopt to val regardless of flag
*/
if (long_options[match].flag == NULL)
optopt = long_options[match].val;
else
optopt = 0;
--optind;
return (BADARG);
}
} else { /* unknown option */
if (short_too) {
--optind;
return (-1);
}
if (PRINT_ERROR)
warnx(illoptstring, current_argv);
optopt = 0;
return (BADCH);
}
if (idx)
*idx = match;
if (long_options[match].flag) {
*long_options[match].flag = long_options[match].val;
return (0);
} else
return (long_options[match].val);
}
/*
* getopt_internal --
* Parse argc/argv argument vector. Called by user level routines.
*/
static int
getopt_internal(int nargc, char * const *nargv, const char *options,
const struct option *long_options, int *idx, int flags)
{
char *oli; /* option letter list index */
int optchar, short_too;
static int posixly_correct = -1;
if (options == NULL)
return (-1);
/*
* XXX Some GNU programs (like cvs) set optind to 0 instead of
* XXX using optreset. Work around this braindamage.
*/
if (optind == 0)
optind = optreset = 1;
/*
* Disable GNU extensions if POSIXLY_CORRECT is set or options
* string begins with a '+'.
*/
if (posixly_correct == -1 || optreset)
posixly_correct = (getenv("POSIXLY_CORRECT") != NULL);
if (*options == '-')
flags |= FLAG_ALLARGS;
else if (posixly_correct || *options == '+')
flags &= ~FLAG_PERMUTE;
if (*options == '+' || *options == '-')
options++;
optarg = NULL;
if (optreset)
nonopt_start = nonopt_end = -1;
start:
if (optreset || !*place) { /* update scanning pointer */
optreset = 0;
if (optind >= nargc) { /* end of argument vector */
place = EMSG;
if (nonopt_end != -1) {
/* do permutation, if we have to */
permute_args(nonopt_start, nonopt_end,
optind, nargv);
optind -= nonopt_end - nonopt_start;
}
else if (nonopt_start != -1) {
/*
* If we skipped non-options, set optind
* to the first of them.
*/
optind = nonopt_start;
}
nonopt_start = nonopt_end = -1;
return (-1);
}
if (*(place = nargv[optind]) != '-' ||
(place[1] == '\0' && strchr(options, '-') == NULL)) {
place = EMSG; /* found non-option */
if (flags & FLAG_ALLARGS) {
/*
* GNU extension:
* return non-option as argument to option 1
*/
optarg = nargv[optind++];
return (INORDER);
}
if (!(flags & FLAG_PERMUTE)) {
/*
* If no permutation wanted, stop parsing
* at first non-option.
*/
return (-1);
}
/* do permutation */
if (nonopt_start == -1)
nonopt_start = optind;
else if (nonopt_end != -1) {
permute_args(nonopt_start, nonopt_end,
optind, nargv);
nonopt_start = optind -
(nonopt_end - nonopt_start);
nonopt_end = -1;
}
optind++;
/* process next argument */
goto start;
}
if (nonopt_start != -1 && nonopt_end == -1)
nonopt_end = optind;
/*
* If we have "-" do nothing, if "--" we are done.
*/
if (place[1] != '\0' && *++place == '-' && place[1] == '\0') {
optind++;
place = EMSG;
/*
* We found an option (--), so if we skipped
* non-options, we have to permute.
*/
if (nonopt_end != -1) {
permute_args(nonopt_start, nonopt_end,
optind, nargv);
optind -= nonopt_end - nonopt_start;
}
nonopt_start = nonopt_end = -1;
return (-1);
}
}
/*
* Check long options if:
* 1) we were passed some
* 2) the arg is not just "-"
* 3) either the arg starts with -- we are getopt_long_only()
*/
if (long_options != NULL && place != nargv[optind] &&
(*place == '-' || (flags & FLAG_LONGONLY))) {
short_too = 0;
if (*place == '-')
place++; /* --foo long option */
else if (*place != ':' && strchr(options, *place) != NULL)
short_too = 1; /* could be short option too */
optchar = parse_long_options(nargv, options, long_options,
idx, short_too);
if (optchar != -1) {
place = EMSG;
return (optchar);
}
}
if ((optchar = (int)*place++) == (int)':' ||
(optchar == (int)'-' && *place != '\0') ||
(oli = strchr(options, optchar)) == NULL) {
/*
* If the user specified "-" and '-' isn't listed in
* options, return -1 (non-option) as per POSIX.
* Otherwise, it is an unknown option character (or ':').
*/
if (optchar == (int)'-' && *place == '\0')
return (-1);
if (!*place)
++optind;
if (PRINT_ERROR)
warnx(illoptchar, optchar);
optopt = optchar;
return (BADCH);
}
if (long_options != NULL && optchar == 'W' && oli[1] == ';') {
/* -W long-option */
if (*place) /* no space */
/* NOTHING */;
else if (++optind >= nargc) { /* no arg */
place = EMSG;
if (PRINT_ERROR)
warnx(recargchar, optchar);
optopt = optchar;
return (BADARG);
} else /* white space */
place = nargv[optind];
optchar = parse_long_options(nargv, options, long_options,
idx, 0);
place = EMSG;
return (optchar);
}
if (*++oli != ':') { /* doesn't take argument */
if (!*place)
++optind;
} else { /* takes (optional) argument */
optarg = NULL;
if (*place) /* no white space */
optarg = place;
else if (oli[1] != ':') { /* arg not optional */
if (++optind >= nargc) { /* no arg */
place = EMSG;
if (PRINT_ERROR)
warnx(recargchar, optchar);
optopt = optchar;
return (BADARG);
} else
optarg = nargv[optind];
}
place = EMSG;
++optind;
}
/* dump back option letter */
return (optchar);
}
/*
* getopt --
* Parse argc/argv argument vector.
*
* [eventually this will replace the BSD getopt]
*/
int
getopt(int nargc, char * const *nargv, const char *options)
{
/*
* We don't pass FLAG_PERMUTE to getopt_internal() since
* the BSD getopt(3) (unlike GNU) has never done this.
*
* Furthermore, since many privileged programs call getopt()
* before dropping privileges it makes sense to keep things
* as simple (and bug-free) as possible.
*/
return (getopt_internal(nargc, nargv, options, NULL, NULL, 0));
}
#if 0
/*
* getopt_long --
* Parse argc/argv argument vector.
*/
int
getopt_long(int nargc, char * const *nargv, const char *options,
const struct option *long_options, int *idx)
{
return (getopt_internal(nargc, nargv, options, long_options, idx,
FLAG_PERMUTE));
}
/*
* getopt_long_only --
* Parse argc/argv argument vector.
*/
int
getopt_long_only(int nargc, char * const *nargv, const char *options,
const struct option *long_options, int *idx)
{
return (getopt_internal(nargc, nargv, options, long_options, idx,
FLAG_PERMUTE|FLAG_LONGONLY));
}
#endif
#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */

1
crypto/openssh/openbsd-compat/getrrsetbyname-ldns.c
View File

@ -58,7 +58,6 @@
#define malloc(x) (xmalloc(x))
#define calloc(x, y) (xcalloc((x),(y)))
#define free(x) (xfree(x))
int
getrrsetbyname(const char *hostname, unsigned int rdclass,

12
crypto/openssh/openbsd-compat/openbsd-compat.h
View File

@ -1,4 +1,4 @@
/* $Id: openbsd-compat.h,v 1.55 2013/02/15 01:20:42 dtucker Exp $ */
/* $Id: openbsd-compat.h,v 1.58 2013/06/05 22:30:21 dtucker Exp $ */
/*
* Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@ -111,6 +111,10 @@ char *dirname(const char *path);
int fmt_scaled(long long number, char *result);
#endif
#ifndef HAVE_SCAN_SCALED
int scan_scaled(char *, long long *);
#endif
#if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA)
char *inet_ntoa(struct in_addr in);
#endif
@ -139,6 +143,7 @@ int getgrouplist(const char *, gid_t, gid_t *, int *);
#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
int BSDgetopt(int argc, char * const *argv, const char *opts);
#include "openbsd-compat/getopt.h"
#endif
#if defined(HAVE_DECL_WRITEV) && HAVE_DECL_WRITEV == 0
@ -202,6 +207,11 @@ unsigned long long strtoull(const char *, char **, int);
long long strtonum(const char *, long long, long long, const char **);
#endif
/* multibyte character support */
#ifndef HAVE_MBLEN
# define mblen(x, y) 1
#endif
#if !defined(HAVE_VASPRINTF) || !defined(HAVE_VSNPRINTF)
# include <stdarg.h>
#endif

10
crypto/openssh/openbsd-compat/port-aix.c
View File

@ -86,7 +86,7 @@ aix_usrinfo(struct passwd *pw)
fatal("Couldn't set usrinfo: %s", strerror(errno));
debug3("AIX/UsrInfo: set len %d", i);
xfree(cp);
free(cp);
}
# ifdef WITH_AIXAUTHENTICATE
@ -215,16 +215,14 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
default: /* user can't change(2) or other error (-1) */
logit("Password can't be changed for user %s: %.100s",
name, msg);
if (msg)
xfree(msg);
free(msg);
authsuccess = 0;
}
aix_restoreauthdb();
}
if (authmsg != NULL)
xfree(authmsg);
free(authmsg);
return authsuccess;
}
@ -269,7 +267,7 @@ sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg)
if (!permitted)
logit("Login restricted for %s: %.100s", pw->pw_name, msg);
xfree(msg);
free(msg);
return permitted;
}

12
crypto/openssh/openbsd-compat/port-linux.c
View File

@ -1,4 +1,4 @@
/* $Id: port-linux.c,v 1.17 2012/03/08 23:25:18 djm Exp $ */
/* $Id: port-linux.c,v 1.18 2013/06/01 22:07:32 dtucker Exp $ */
/*
* Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@ -96,10 +96,8 @@ ssh_selinux_getctxbyname(char *pwname)
}
#ifdef HAVE_GETSEUSERBYNAME
if (sename != NULL)
xfree(sename);
if (lvl != NULL)
xfree(lvl);
free(sename);
free(lvl);
#endif
return sc;
@ -217,8 +215,8 @@ ssh_selinux_change_context(const char *newname)
if (setcon(newctx) < 0)
switchlog("%s: setcon %s from %s failed with %s", __func__,
newctx, oldctx, strerror(errno));
xfree(oldctx);
xfree(newctx);
free(oldctx);
free(newctx);
}
void

7
crypto/openssh/openbsd-compat/xcrypt.c
View File

@ -55,7 +55,12 @@
# if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
# include "md5crypt.h"
# endif
# endif
# if !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
# include <openssl/des.h>
# define crypt DES_crypt
# endif
char *
xcrypt(const char *password, const char *salt)

75
crypto/openssh/packet.c
View File

@ -1,5 +1,4 @@
/* $OpenBSD: packet.c,v 1.181 2013/02/10 23:35:24 djm Exp $ */
/* $OpenBSD: packet.c,v 1.182 2013/04/11 02:27:50 djm Exp $ */
/* $OpenBSD: packet.c,v 1.188 2013/07/12 00:19:58 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -59,6 +58,7 @@
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <time.h>
#include "xmalloc.h"
#include "buffer.h"
@ -166,9 +166,14 @@ struct session_state {
Newkeys *newkeys[MODE_MAX];
struct packet_state p_read, p_send;
/* Volume-based rekeying */
u_int64_t max_blocks_in, max_blocks_out;
u_int32_t rekey_limit;
/* Time-based rekeying */
time_t rekey_interval; /* how often in seconds */
time_t rekey_time; /* time of last rekeying */
/* Session key for protocol v1 */
u_char ssh1_key[SSH_SESSION_KEY_LENGTH];
u_int ssh1_keylen;
@ -219,7 +224,7 @@ alloc_session_state(void)
void
packet_set_connection(int fd_in, int fd_out)
{
Cipher *none = cipher_by_name("none");
const Cipher *none = cipher_by_name("none");
if (none == NULL)
fatal("packet_set_connection: cannot load cipher 'none'");
@ -549,7 +554,7 @@ packet_start_compression(int level)
void
packet_set_encryption_key(const u_char *key, u_int keylen, int number)
{
Cipher *cipher = cipher_by_number(number);
const Cipher *cipher = cipher_by_number(number);
if (cipher == NULL)
fatal("packet_set_encryption_key: unknown cipher number %d", number);
@ -764,13 +769,13 @@ set_newkeys(int mode)
memset(enc->iv, 0, enc->iv_len);
memset(enc->key, 0, enc->key_len);
memset(mac->key, 0, mac->key_len);
xfree(enc->name);
xfree(enc->iv);
xfree(enc->key);
xfree(mac->name);
xfree(mac->key);
xfree(comp->name);
xfree(active_state->newkeys[mode]);
free(enc->name);
free(enc->iv);
free(enc->key);
free(mac->name);
free(mac->key);
free(comp->name);
free(active_state->newkeys[mode]);
}
active_state->newkeys[mode] = kex_get_newkeys(mode);
if (active_state->newkeys[mode] == NULL)
@ -1013,6 +1018,7 @@ packet_send2(void)
/* after a NEWKEYS message we can send the complete queue */
if (type == SSH2_MSG_NEWKEYS) {
active_state->rekeying = 0;
active_state->rekey_time = monotime();
while ((p = TAILQ_FIRST(&active_state->outgoing))) {
type = p->type;
debug("dequeue packet: %u", type);
@ -1020,7 +1026,7 @@ packet_send2(void)
memcpy(&active_state->outgoing_packet, &p->payload,
sizeof(Buffer));
TAILQ_REMOVE(&active_state->outgoing, p, next);
xfree(p);
free(p);
packet_send2_wrapped();
}
}
@ -1045,7 +1051,7 @@ packet_send(void)
int
packet_read_seqnr(u_int32_t *seqnr_p)
{
int type, len, ret, ms_remain, cont;
int type, len, ret, cont, ms_remain = 0;
fd_set *setp;
char buf[8192];
struct timeval timeout, start, *timeoutp = NULL;
@ -1070,7 +1076,7 @@ packet_read_seqnr(u_int32_t *seqnr_p)
packet_check_eom();
/* If we got a packet, return it. */
if (type != SSH_MSG_NONE) {
xfree(setp);
free(setp);
return type;
}
/*
@ -1458,9 +1464,9 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
packet_get_char();
msg = packet_get_string(NULL);
debug("Remote: %.900s", msg);
xfree(msg);
free(msg);
msg = packet_get_string(NULL);
xfree(msg);
free(msg);
break;
case SSH2_MSG_DISCONNECT:
reason = packet_get_int();
@ -1471,7 +1477,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
"Received disconnect from %s: %u: %.400s",
get_remote_ipaddr(), reason, msg);
xfree(msg);
free(msg);
cleanup_exit(255);
break;
case SSH2_MSG_UNIMPLEMENTED:
@ -1485,12 +1491,14 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
} else {
type = packet_read_poll1();
switch (type) {
case SSH_MSG_NONE:
return SSH_MSG_NONE;
case SSH_MSG_IGNORE:
break;
case SSH_MSG_DEBUG:
msg = packet_get_string(NULL);
debug("Remote: %.900s", msg);
xfree(msg);
free(msg);
break;
case SSH_MSG_DISCONNECT:
msg = packet_get_string(NULL);
@ -1499,8 +1507,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
cleanup_exit(255);
break;
default:
if (type)
DBG(debug("received packet type %d", type));
DBG(debug("received packet type %d", type));
return type;
}
}
@ -1737,7 +1744,7 @@ void
packet_write_wait(void)
{
fd_set *setp;
int ret, ms_remain;
int ret, ms_remain = 0;
struct timeval start, timeout, *timeoutp = NULL;
setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
@ -1778,7 +1785,7 @@ packet_write_wait(void)
}
packet_write_poll();
}
xfree(setp);
free(setp);
}
/* Returns true if there is buffered data to write to the connection. */
@ -1952,13 +1959,33 @@ packet_need_rekeying(void)
(active_state->max_blocks_out &&
(active_state->p_send.blocks > active_state->max_blocks_out)) ||
(active_state->max_blocks_in &&
(active_state->p_read.blocks > active_state->max_blocks_in));
(active_state->p_read.blocks > active_state->max_blocks_in)) ||
(active_state->rekey_interval != 0 && active_state->rekey_time +
active_state->rekey_interval <= monotime());
}
void
packet_set_rekey_limit(u_int32_t bytes)
packet_set_rekey_limits(u_int32_t bytes, time_t seconds)
{
debug3("rekey after %lld bytes, %d seconds", (long long)bytes,
(int)seconds);
active_state->rekey_limit = bytes;
active_state->rekey_interval = seconds;
/*
* We set the time here so that in post-auth privsep slave we count
* from the completion of the authentication.
*/
active_state->rekey_time = monotime();
}
time_t
packet_get_rekey_timeout(void)
{
time_t seconds;
seconds = active_state->rekey_time + active_state->rekey_interval -
monotime();
return (seconds <= 0 ? 1 : seconds);
}
void

7
crypto/openssh/packet.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: packet.h,v 1.57 2012/01/25 19:40:09 markus Exp $ */
/* $OpenBSD: packet.h,v 1.59 2013/07/12 00:19:59 djm Exp $ */
/* $FreeBSD$ */
/*
@ -75,7 +75,7 @@ void *packet_get_raw(u_int *length_ptr);
void *packet_get_string(u_int *length_ptr);
char *packet_get_cstring(u_int *length_ptr);
void *packet_get_string_ptr(u_int *length_ptr);
void packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void packet_disconnect(const char *fmt,...) __attribute__((noreturn)) __attribute__((format(printf, 1, 2)));
void packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void set_newkeys(int mode);
@ -122,7 +122,8 @@ int packet_need_rekeying(void);
#ifdef NONE_CIPHER_ENABLED
void packet_request_rekeying(void);
#endif
void packet_set_rekey_limit(u_int32_t);
void packet_set_rekey_limits(u_int32_t, time_t);
time_t packet_get_rekey_timeout(void);
void packet_backup_state(void);
void packet_restore_state(void);

22
crypto/openssh/pathnames.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: pathnames.h,v 1.22 2011/05/23 03:30:07 djm Exp $ */
/* $OpenBSD: pathnames.h,v 1.23 2013/04/05 00:31:49 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -65,18 +65,18 @@
* readable by anyone except the user him/herself, though this does not
* contain anything particularly secret.
*/
#define _PATH_SSH_USER_HOSTFILE "~/.ssh/known_hosts"
#define _PATH_SSH_USER_HOSTFILE "~/" _PATH_SSH_USER_DIR "/known_hosts"
/* backward compat for protocol 2 */
#define _PATH_SSH_USER_HOSTFILE2 "~/.ssh/known_hosts2"
#define _PATH_SSH_USER_HOSTFILE2 "~/" _PATH_SSH_USER_DIR "/known_hosts2"
/*
* Name of the default file containing client-side authentication key. This
* file should only be readable by the user him/herself.
*/
#define _PATH_SSH_CLIENT_IDENTITY ".ssh/identity"
#define _PATH_SSH_CLIENT_ID_DSA ".ssh/id_dsa"
#define _PATH_SSH_CLIENT_ID_ECDSA ".ssh/id_ecdsa"
#define _PATH_SSH_CLIENT_ID_RSA ".ssh/id_rsa"
#define _PATH_SSH_CLIENT_IDENTITY _PATH_SSH_USER_DIR "/identity"
#define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa"
#define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa"
#define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa"
/*
* Configuration file in user's home directory. This file need not be
@ -84,7 +84,7 @@
* particularly secret. If the user's home directory resides on an NFS
* volume where root is mapped to nobody, this may need to be world-readable.
*/
#define _PATH_SSH_USER_CONFFILE ".ssh/config"
#define _PATH_SSH_USER_CONFFILE _PATH_SSH_USER_DIR "/config"
/*
* File containing a list of those rsa keys that permit logging in as this
@ -94,10 +94,10 @@
* may need to be world-readable. (This file is read by the daemon which is
* running as root.)
*/
#define _PATH_SSH_USER_PERMITTED_KEYS ".ssh/authorized_keys"
#define _PATH_SSH_USER_PERMITTED_KEYS _PATH_SSH_USER_DIR "/authorized_keys"
/* backward compat for protocol v2 */
#define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2"
#define _PATH_SSH_USER_PERMITTED_KEYS2 _PATH_SSH_USER_DIR "/authorized_keys2"
/*
* Per-user and system-wide ssh "rc" files. These files are executed with
@ -105,7 +105,7 @@
* passed "proto cookie" as arguments if X11 forwarding with spoofing is in
* use. xauth will be run if neither of these exists.
*/
#define _PATH_SSH_USER_RC ".ssh/rc"
#define _PATH_SSH_USER_RC _PATH_SSH_USER_DIR "/rc"
#define _PATH_SSH_SYSTEM_RC SSHDIR "/sshrc"
/*

6
crypto/openssh/progressmeter.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: progressmeter.c,v 1.37 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: progressmeter.c,v 1.39 2013/06/02 13:33:05 dtucker Exp $ */
/*
* Copyright (c) 2003 Nils Nordman. All rights reserved.
*
@ -131,7 +131,7 @@ refresh_progress_meter(void)
transferred = *counter - cur_pos;
cur_pos = *counter;
now = time(NULL);
now = monotime();
bytes_left = end_pos - cur_pos;
if (bytes_left > 0)
@ -249,7 +249,7 @@ update_progress_meter(int ignore)
void
start_progress_meter(char *f, off_t filesize, off_t *ctr)
{
start = last_update = time(NULL);
start = last_update = monotime();
file = f;
end_pos = filesize;
cur_pos = 0;

130
crypto/openssh/readconf.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.c,v 1.196 2013/02/22 04:45:08 dtucker Exp $ */
/* $OpenBSD: readconf.c,v 1.204 2013/06/10 19:19:44 dtucker Exp $ */
/* $FreeBSD$ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -33,6 +33,9 @@ __RCSID("$FreeBSD$");
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef HAVE_UTIL_H
#include <util.h>
#endif
#include "xmalloc.h"
#include "ssh.h"
@ -138,13 +141,13 @@ typedef enum {
oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
oKexAlgorithms, oIPQoS, oRequestTTY,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
oIgnoredUnknownOption,
oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
#ifdef NONE_CIPHER_ENABLED
oNoneEnabled, oNoneSwitch,
#endif
oVersionAddendum,
oDeprecated, oUnsupported
oVersionAddendum, oDeprecated, oUnsupported
} OpCodes;
/* Textual representations of the tokens. */
@ -255,6 +258,7 @@ static struct {
{ "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
{ "requesttty", oRequestTTY },
{ "ignoreunknown", oIgnoreUnknown },
{ "hpndisabled", oHPNDisabled },
{ "hpnbuffersize", oHPNBufferSize },
{ "tcprcvbufpoll", oTcpRcvBufPoll },
@ -334,22 +338,20 @@ clear_forwardings(Options *options)
int i;
for (i = 0; i < options->num_local_forwards; i++) {
if (options->local_forwards[i].listen_host != NULL)
xfree(options->local_forwards[i].listen_host);
xfree(options->local_forwards[i].connect_host);
free(options->local_forwards[i].listen_host);
free(options->local_forwards[i].connect_host);
}
if (options->num_local_forwards > 0) {
xfree(options->local_forwards);
free(options->local_forwards);
options->local_forwards = NULL;
}
options->num_local_forwards = 0;
for (i = 0; i < options->num_remote_forwards; i++) {
if (options->remote_forwards[i].listen_host != NULL)
xfree(options->remote_forwards[i].listen_host);
xfree(options->remote_forwards[i].connect_host);
free(options->remote_forwards[i].listen_host);
free(options->remote_forwards[i].connect_host);
}
if (options->num_remote_forwards > 0) {
xfree(options->remote_forwards);
free(options->remote_forwards);
options->remote_forwards = NULL;
}
options->num_remote_forwards = 0;
@ -381,14 +383,17 @@ add_identity_file(Options *options, const char *dir, const char *filename,
*/
static OpCodes
parse_token(const char *cp, const char *filename, int linenum)
parse_token(const char *cp, const char *filename, int linenum,
const char *ignored_unknown)
{
u_int i;
int i;
for (i = 0; keywords[i].name; i++)
if (strcasecmp(cp, keywords[i].name) == 0)
if (strcmp(cp, keywords[i].name) == 0)
return keywords[i].opcode;
if (ignored_unknown != NULL && match_pattern_list(cp, ignored_unknown,
strlen(ignored_unknown), 1) == 1)
return oIgnoredUnknownOption;
error("%s: line %d: Bad configuration option: %s",
filename, linenum, cp);
return oBadOption;
@ -407,10 +412,10 @@ process_config_line(Options *options, const char *host,
{
char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
char **cpptr, fwdarg[256];
u_int *uintptr, max_entries = 0;
int negated, opcode, *intptr, value, value2, scale;
u_int i, *uintptr, max_entries = 0;
int negated, opcode, *intptr, value, value2;
LogLevel *log_level_ptr;
long long orig, val64;
long long val64;
size_t len;
Forward fwd;
@ -430,14 +435,22 @@ process_config_line(Options *options, const char *host,
keyword = strdelim(&s);
if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
return 0;
/* Match lowercase keyword */
for (i = 0; i < strlen(keyword); i++)
keyword[i] = tolower(keyword[i]);
opcode = parse_token(keyword, filename, linenum);
opcode = parse_token(keyword, filename, linenum,
options->ignored_unknown);
switch (opcode) {
case oBadOption:
/* don't panic, but count bad options */
return -1;
/* NOTREACHED */
case oIgnoredUnknownOption:
debug("%s line %d: Ignored unknown option \"%s\"",
filename, linenum, keyword);
return 0;
case oConnectTimeout:
intptr = &options->connection_timeout;
parse_time:
@ -592,39 +605,32 @@ process_config_line(Options *options, const char *host,
case oRekeyLimit:
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.", filename, linenum);
if (arg[0] < '0' || arg[0] > '9')
fatal("%.200s line %d: Bad number.", filename, linenum);
orig = val64 = strtoll(arg, &endofnumber, 10);
if (arg == endofnumber)
fatal("%.200s line %d: Bad number.", filename, linenum);
switch (toupper(*endofnumber)) {
case '\0':
scale = 1;
break;
case 'K':
scale = 1<<10;
break;
case 'M':
scale = 1<<20;
break;
case 'G':
scale = 1<<30;
break;
default:
fatal("%.200s line %d: Invalid RekeyLimit suffix",
filename, linenum);
fatal("%.200s line %d: Missing argument.", filename,
linenum);
if (strcmp(arg, "default") == 0) {
val64 = 0;
} else {
if (scan_scaled(arg, &val64) == -1)
fatal("%.200s line %d: Bad number '%s': %s",
filename, linenum, arg, strerror(errno));
/* check for too-large or too-small limits */
if (val64 > UINT_MAX)
fatal("%.200s line %d: RekeyLimit too large",
filename, linenum);
if (val64 != 0 && val64 < 16)
fatal("%.200s line %d: RekeyLimit too small",
filename, linenum);
}
val64 *= scale;
/* detect integer wrap and too-large limits */
if ((val64 / scale) != orig || val64 > UINT_MAX)
fatal("%.200s line %d: RekeyLimit too large",
filename, linenum);
if (val64 < 16)
fatal("%.200s line %d: RekeyLimit too small",
filename, linenum);
if (*activep && options->rekey_limit == -1)
options->rekey_limit = (u_int32_t)val64;
if (s != NULL) { /* optional rekey interval present */
if (strcmp(s, "none") == 0) {
(void)strdelim(&s); /* discard */
break;
}
intptr = &options->rekey_interval;
goto parse_time;
}
break;
case oIdentityFile:
@ -1149,6 +1155,10 @@ process_config_line(Options *options, const char *host,
}
return 0;
case oIgnoreUnknown:
charptr = &options->ignored_unknown;
goto parse_string;
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
@ -1289,6 +1299,7 @@ initialize_options(Options * options)
options->no_host_authentication_for_localhost = - 1;
options->identities_only = - 1;
options->rekey_limit = - 1;
options->rekey_interval = -1;
options->verify_host_key_dns = -1;
options->server_alive_interval = -1;
options->server_alive_count_max = -1;
@ -1310,6 +1321,7 @@ initialize_options(Options * options)
options->ip_qos_bulk = -1;
options->request_tty = -1;
options->version_addendum = NULL;
options->ignored_unknown = NULL;
options->hpn_disabled = -1;
options->hpn_buffer_size = -1;
options->tcp_rcv_buf_poll = -1;
@ -1328,8 +1340,6 @@ initialize_options(Options * options)
void
fill_default_options(Options * options)
{
int len;
if (options->forward_agent == -1)
options->forward_agent = 0;
if (options->forward_x11 == -1)
@ -1435,6 +1445,8 @@ fill_default_options(Options * options)
options->enable_ssh_keysign = 0;
if (options->rekey_limit == -1)
options->rekey_limit = 0;
if (options->rekey_interval == -1)
options->rekey_interval = 0;
#if HAVE_LDNS
if (options->verify_host_key_dns == -1)
/* automatically trust a verified SSHFP record */
@ -1576,7 +1588,7 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
i = 0; /* failure */
}
xfree(p);
free(p);
if (dynamicfwd) {
if (!(i == 1 || i == 2))
@ -1602,13 +1614,9 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
return (i);
fail_free:
if (fwd->connect_host != NULL) {
xfree(fwd->connect_host);
fwd->connect_host = NULL;
}
if (fwd->listen_host != NULL) {
xfree(fwd->listen_host);
fwd->listen_host = NULL;
}
free(fwd->connect_host);
fwd->connect_host = NULL;
free(fwd->listen_host);
fwd->listen_host = NULL;
return (0);
}

6
crypto/openssh/readconf.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.h,v 1.93 2013/02/22 04:45:09 dtucker Exp $ */
/* $OpenBSD: readconf.h,v 1.95 2013/05/16 04:27:50 djm Exp $ */
/* $FreeBSD$ */
/*
@ -111,6 +111,7 @@ typedef struct {
int enable_ssh_keysign;
int64_t rekey_limit;
int rekey_interval;
int no_host_authentication_for_localhost;
int identities_only;
int server_alive_interval;
@ -137,6 +138,9 @@ typedef struct {
int use_roaming;
int request_tty;
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
char *version_addendum; /* Appended to SSH banner */
int hpn_disabled; /* Switch to disable HPN buffer management. */

4
crypto/openssh/readpass.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: readpass.c,v 1.48 2010/12/15 00:49:27 djm Exp $ */
/* $OpenBSD: readpass.c,v 1.49 2013/05/17 00:13:14 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -186,7 +186,7 @@ ask_permission(const char *fmt, ...)
if (*p == '\0' || *p == '\n' ||
strcasecmp(p, "yes") == 0)
allowed = 1;
xfree(p);
free(p);
}
return (allowed);

9
crypto/openssh/roaming_client.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: roaming_client.c,v 1.4 2011/12/07 05:44:38 djm Exp $ */
/* $OpenBSD: roaming_client.c,v 1.5 2013/05/17 00:13:14 djm Exp $ */
/*
* Copyright (c) 2004-2009 AppGate Network Security AB
*
@ -187,10 +187,10 @@ roaming_resume(void)
debug("server doesn't allow resume");
goto fail;
}
xfree(str);
free(str);
for (i = 1; i < PROPOSAL_MAX; i++) {
/* kex algorithm taken care of so start with i=1 and not 0 */
xfree(packet_get_string(&len));
free(packet_get_string(&len));
}
i = packet_get_char(); /* first_kex_packet_follows */
if (i && (c = strchr(kexlist, ',')))
@ -226,8 +226,7 @@ roaming_resume(void)
return 0;
fail:
if (kexlist)
xfree(kexlist);
free(kexlist);
if (packet_get_connection_in() == packet_get_connection_out())
close(packet_get_connection_in());
else {

4
crypto/openssh/roaming_common.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: roaming_common.c,v 1.9 2011/12/07 05:44:38 djm Exp $ */
/* $OpenBSD: roaming_common.c,v 1.10 2013/07/12 00:19:59 djm Exp $ */
/*
* Copyright (c) 2004-2009 AppGate Network Security AB
*
@ -227,7 +227,7 @@ calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge)
{
const EVP_MD *md = EVP_sha1();
EVP_MD_CTX ctx;
char hash[EVP_MAX_MD_SIZE];
u_char hash[EVP_MAX_MD_SIZE];
Buffer b;
buffer_init(&b);

10
crypto/openssh/rsa.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: rsa.c,v 1.29 2006/11/06 21:25:28 markus Exp $ */
/* $OpenBSD: rsa.c,v 1.30 2013/05/17 00:13:14 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -96,8 +96,8 @@ rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
memset(outbuf, 0, olen);
memset(inbuf, 0, ilen);
xfree(outbuf);
xfree(inbuf);
free(outbuf);
free(inbuf);
}
int
@ -122,8 +122,8 @@ rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
}
memset(outbuf, 0, olen);
memset(inbuf, 0, ilen);
xfree(outbuf);
xfree(inbuf);
free(outbuf);
free(inbuf);
return len;
}

Some files were not shown because too many files have changed in this diff Show More