Vendor import of OpenSSH 4.4p1.
parent
30c2033ae7
commit
761efaa70c
@ -25,6 +25,7 @@ Chris, the Young One <cky@pobox.com> - Password auth fixes
|
||||
Christos Zoulas <christos@zoulas.com> - Autoconf fixes
|
||||
Chun-Chung Chen <cjj@u.washington.edu> - RPM fixes
|
||||
Corinna Vinschen <vinschen@redhat.com> - Cygwin support
|
||||
Chad Mynhier <mynhier@interstel.net> - Solaris Process Contract support
|
||||
Dan Brosemer <odin@linuxfreak.com> - Autoconf support, build fixes
|
||||
Darren Hall <dhall@virage.org> - AIX patches
|
||||
Darren Tucker <dtucker@zip.com.au> - AIX BFF package scripts
|
||||
@ -100,5 +101,5 @@ Apologies to anyone I have missed.
|
||||
|
||||
Damien Miller <djm@mindrot.org>
|
||||
|
||||
$Id: CREDITS,v 1.80 2005/08/26 20:15:20 tim Exp $
|
||||
$Id: CREDITS,v 1.81 2006/08/30 17:24:41 djm Exp $
|
||||
|
||||
|
@ -12,6 +12,8 @@ http://www.openssl.org/
|
||||
(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
|
||||
Blowfish) do not work correctly.)
|
||||
|
||||
The remaining items are optional.
|
||||
|
||||
OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
|
||||
supports it. PAM is standard on Redhat and Debian Linux, Solaris and
|
||||
HP-UX 11.
|
||||
@ -57,13 +59,29 @@ installed. No other S/Key library is currently known to be supported.
|
||||
http://www.sparc.spb.su/solaris/skey/
|
||||
|
||||
LibEdit:
|
||||
sftp now supports command-line editing via NetBSD's libedit. If your
|
||||
platform has it available natively you can use that, alternatively
|
||||
you might try these multi-platform ports:
|
||||
|
||||
sftp supports command-line editing via NetBSD's libedit. If your platform
|
||||
has it available natively you can use that, alternatively you might try
|
||||
these multi-platform ports:
|
||||
|
||||
http://www.thrysoee.dk/editline/
|
||||
http://sourceforge.net/projects/libedit/
|
||||
|
||||
Autoconf:
|
||||
|
||||
If you modify configure.ac or configure doesn't exist (eg if you checked
|
||||
the code out of CVS yourself) then you will need autoconf-2.60 to rebuild
|
||||
the automatically generated files by running "autoreconf".
|
||||
|
||||
http://www.gnu.org/software/autoconf/
|
||||
|
||||
Basic Security Module (BSM):
|
||||
|
||||
Native BSM support is know to exist in Solaris from at least 2.5.1,
|
||||
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
|
||||
implementation (http://www.openbsm.org).
|
||||
|
||||
|
||||
2. Building / Installation
|
||||
--------------------------
|
||||
|
||||
@ -113,6 +131,10 @@ name).
|
||||
|
||||
There are a few other options to the configure script:
|
||||
|
||||
--with-audit=[module] enable additional auditing via the specified module.
|
||||
Currently, drivers for "debug" (additional info via syslog) and "bsm"
|
||||
(Sun's Basic Security Module) are supported.
|
||||
|
||||
--with-pam enables PAM support. If PAM support is compiled in, it must
|
||||
also be enabled in sshd_config (refer to the UsePAM directive).
|
||||
|
||||
@ -165,6 +187,8 @@ created.
|
||||
--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
|
||||
are installed.
|
||||
|
||||
--with-ssl-engine enables OpenSSL's (hardware) ENGINE support
|
||||
|
||||
--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
|
||||
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
|
||||
|
||||
@ -208,7 +232,8 @@ for sshd, ssh and ssh-agent.
|
||||
-------------------------
|
||||
|
||||
$ make survey
|
||||
[check the contents and make sure there's no sensitive information]
|
||||
[check the contents of the file "survey" to ensure there's no information
|
||||
that you consider sensitive]
|
||||
$ make send-survey
|
||||
|
||||
This will send configuration information for the currently configured
|
||||
@ -225,4 +250,4 @@ Please refer to the "reporting bugs" section of the webpage at
|
||||
http://www.openssh.com/
|
||||
|
||||
|
||||
$Id: INSTALL,v 1.70 2005/04/24 07:52:23 dtucker Exp $
|
||||
$Id: INSTALL,v 1.76 2006/09/17 12:55:52 dtucker Exp $
|
||||
|
@ -287,6 +287,8 @@ OpenSSH contains no GPL code.
|
||||
|
||||
Internet Software Consortium.
|
||||
Todd C. Miller
|
||||
Reyk Floeter
|
||||
Chad Mynhier
|
||||
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $Id: Makefile.in,v 1.274 2006/01/01 08:47:05 djm Exp $
|
||||
# $Id: Makefile.in,v 1.282 2006/09/12 11:54:10 djm Exp $
|
||||
|
||||
# uncomment if you run a non bourne compatable shell. Ie. csh
|
||||
#SHELL = @SH@
|
||||
@ -43,6 +43,8 @@ LD=@LD@
|
||||
CFLAGS=@CFLAGS@
|
||||
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||
LIBS=@LIBS@
|
||||
LIBSELINUX=@LIBSELINUX@
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
LIBPAM=@LIBPAM@
|
||||
LIBWRAP=@LIBWRAP@
|
||||
@ -62,11 +64,11 @@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
|
||||
|
||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
|
||||
|
||||
LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o buffer.o \
|
||||
LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
|
||||
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
||||
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
|
||||
log.o match.o moduli.o nchan.o packet.o \
|
||||
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
|
||||
readpass.o rsa.o ttymodes.o xmalloc.o \
|
||||
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
|
||||
@ -86,7 +88,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
||||
auth-krb5.o \
|
||||
auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||
audit.o audit-bsm.o
|
||||
audit.o audit-bsm.o platform.o
|
||||
|
||||
MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
|
||||
MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
|
||||
@ -107,7 +109,7 @@ PATHSUBS = \
|
||||
-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
|
||||
-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
|
||||
-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
|
||||
-e 's|/etc/sshrc|$(sysconfdir)/sshrc|g' \
|
||||
-e 's|/etc/ssh/sshrc|$(sysconfdir)/sshrc|g' \
|
||||
-e 's|/usr/X11R6/bin/xauth|$(XAUTH_PATH)|g' \
|
||||
-e 's|/var/empty|$(PRIVSEP_PATH)|g' \
|
||||
-e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g'
|
||||
@ -136,7 +138,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
|
||||
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
@ -201,8 +203,9 @@ clean: regressclean
|
||||
|
||||
distclean: regressclean
|
||||
rm -f *.o *.a $(TARGETS) logintest config.cache config.log
|
||||
rm -f *.out core opensshd.init
|
||||
rm -f Makefile buildpkg.sh config.h config.status ssh_prng_cmds survey.sh *~
|
||||
rm -f *.out core opensshd.init openssh.xml
|
||||
rm -f Makefile buildpkg.sh config.h config.status ssh_prng_cmds
|
||||
rm -f survey.sh openbsd-compat/regress/Makefile *~
|
||||
rm -rf autom4te.cache
|
||||
(cd openbsd-compat && $(MAKE) distclean)
|
||||
(cd scard && $(MAKE) distclean)
|
||||
@ -410,6 +413,9 @@ tests: $(TARGETS)
|
||||
EXEEXT="$(EXEEXT)" \
|
||||
$@
|
||||
|
||||
compat-tests: $(LIBCOMPAT)
|
||||
(cd openbsd-compat/regress && $(MAKE))
|
||||
|
||||
regressclean:
|
||||
if [ -f regress/Makefile ] && [ -r regress/Makefile ]; then \
|
||||
(cd regress && $(MAKE) clean) \
|
||||
|
@ -162,8 +162,7 @@ these programs.
|
||||
- There are several other files in the distribution that contain
|
||||
various auxiliary routines:
|
||||
ssh.h the main header file for ssh (various definitions)
|
||||
getput.h byte-order independent storage of integers
|
||||
includes.h includes most system headers. Lots of #ifdefs.
|
||||
tildexpand.c expand tilde in file names
|
||||
uidswap.c uid-swapping
|
||||
xmalloc.c "safe" malloc routines
|
||||
|
||||
$OpenBSD: OVERVIEW,v 1.11 2006/08/03 03:34:41 deraadt Exp $
|
||||
|
@ -1,4 +1,4 @@
|
||||
See http://www.openssh.com/txt/release-4.3 for the release notes.
|
||||
See http://www.openssh.com/txt/release-4.4 for the release notes.
|
||||
|
||||
- A Japanese translation of this document and of the OpenSSH FAQ is
|
||||
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
|
||||
@ -62,4 +62,4 @@ References -
|
||||
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
|
||||
[7] http://www.openssh.com/faq.html
|
||||
|
||||
$Id: README,v 1.61 2005/12/01 11:21:04 dtucker Exp $
|
||||
$Id: README,v 1.63 2006/09/01 11:32:53 dtucker Exp $
|
||||
|
@ -30,6 +30,18 @@ gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
|
||||
openssl-devel, zlib, minres, minires-devel.
|
||||
|
||||
|
||||
Darwin and MacOS X
|
||||
------------------
|
||||
Darwin does not provide a tun(4) driver required for OpenSSH-based
|
||||
virtual private networks. The BSD manpage still exists, but the driver
|
||||
has been removed in recent releases of Darwin and MacOS X.
|
||||
|
||||
Nevertheless, tunnel support is known to work with Darwin 8 and
|
||||
MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
|
||||
using a third party driver. More information is available at:
|
||||
http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
|
||||
|
||||
|
||||
Solaris
|
||||
-------
|
||||
If you enable BSM auditing on Solaris, you need to update audit_event(4)
|
||||
@ -55,4 +67,4 @@ account stacks which will prevent authentication entirely, but will still
|
||||
return the output from pam_nologin to the client.
|
||||
|
||||
|
||||
$Id: README.platform,v 1.6 2005/11/05 05:28:35 dtucker Exp $
|
||||
$Id: README.platform,v 1.7 2006/06/23 11:05:13 dtucker Exp $
|
||||
|
@ -87,12 +87,12 @@ combination with layer 2 tunneling and Ethernet bridging.
|
||||
| Client |------( Internet )-----| access.somewhere.net |
|
||||
+--------+ ( ) +----------------------+
|
||||
: 192.168.1.78 |
|
||||
:............................. +-------+
|
||||
:............................. +-------+
|
||||
Forwarded ssh connection : | dmzgw |
|
||||
Layer 2 tunnel : +-------+
|
||||
: |
|
||||
: |
|
||||
: +------------+
|
||||
: +------------+
|
||||
:......| sshgateway |
|
||||
| +------------+
|
||||
--- real connection Bridge -> | +----------+
|
||||
@ -104,7 +104,7 @@ combination with layer 2 tunneling and Ethernet bridging.
|
||||
|
||||
Finally connect to the OpenSSH server to establish the tunnel by using
|
||||
the following command:
|
||||
|
||||
|
||||
ssh sshgateway
|
||||
|
||||
It is also possible to tell the client to fork into the background after
|
||||
@ -129,4 +129,4 @@ interconnect corporate networks.
|
||||
|
||||
Reyk Floeter
|
||||
|
||||
$OpenBSD: README.tun,v 1.3 2005/12/08 18:34:10 reyk Exp $
|
||||
$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: acss.c,v 1.3 2005/07/17 07:04:47 djm Exp $ */
|
||||
/* $Id: acss.c,v 1.4 2006/07/24 04:51:01 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2004 The OpenBSD project
|
||||
*
|
||||
@ -16,6 +16,9 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L)
|
||||
|
@ -1,4 +1,6 @@
|
||||
/* $OpenBSD: atomicio.c,v 1.23 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2006 Damien Miller. All rights reserved.
|
||||
* Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
|
||||
* Copyright (c) 1995,1999 Theo de Raadt. All rights reserved.
|
||||
* All rights reserved.
|
||||
@ -25,7 +27,12 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: atomicio.c,v 1.13 2005/05/24 17:32:43 avsm Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/uio.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "atomicio.h"
|
||||
|
||||
@ -33,11 +40,7 @@ RCSID("$OpenBSD: atomicio.c,v 1.13 2005/05/24 17:32:43 avsm Exp $");
|
||||
* ensure all of data on socket comes through. f==read || f==vwrite
|
||||
*/
|
||||
size_t
|
||||
atomicio(f, fd, _s, n)
|
||||
ssize_t (*f) (int, void *, size_t);
|
||||
int fd;
|
||||
void *_s;
|
||||
size_t n;
|
||||
atomicio(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n)
|
||||
{
|
||||
char *s = _s;
|
||||
size_t pos = 0;
|
||||
@ -58,8 +61,60 @@ atomicio(f, fd, _s, n)
|
||||
errno = EPIPE;
|
||||
return pos;
|
||||
default:
|
||||
pos += (u_int)res;
|
||||
pos += (size_t)res;
|
||||
}
|
||||
}
|
||||
return (pos);
|
||||
}
|
||||
|
||||
/*
|
||||
* ensure all of data on socket comes through. f==readv || f==writev
|
||||
*/
|
||||
size_t
|
||||
atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd,
|
||||
const struct iovec *_iov, int iovcnt)
|
||||
{
|
||||
size_t pos = 0, rem;
|
||||
ssize_t res;
|
||||
struct iovec iov_array[IOV_MAX], *iov = iov_array;
|
||||
|
||||
if (iovcnt > IOV_MAX) {
|
||||
errno = EINVAL;
|
||||
return 0;
|
||||
}
|
||||
/* Make a copy of the iov array because we may modify it below */
|
||||
memcpy(iov, _iov, iovcnt * sizeof(*_iov));
|
||||
|
||||
for (; iovcnt > 0 && iov[0].iov_len > 0;) {
|
||||
res = (f) (fd, iov, iovcnt);
|
||||
switch (res) {
|
||||
case -1:
|
||||
if (errno == EINTR || errno == EAGAIN)
|
||||
continue;
|
||||
return 0;
|
||||
case 0:
|
||||
errno = EPIPE;
|
||||
return pos;
|
||||
default:
|
||||
rem = (size_t)res;
|
||||
pos += rem;
|
||||
/* skip completed iov entries */
|
||||
while (iovcnt > 0 && rem >= iov[0].iov_len) {
|
||||
rem -= iov[0].iov_len;
|
||||
iov++;
|
||||
iovcnt--;
|
||||
}
|
||||
/* This shouldn't happen... */
|
||||
if (rem > 0 && (iovcnt <= 0 || rem > iov[0].iov_len)) {
|
||||
errno = EFAULT;
|
||||
return 0;
|
||||
}
|
||||
if (iovcnt == 0)
|
||||
break;
|
||||
/* update pointer in partially complete iov */
|
||||
iov[0].iov_base = ((char *)iov[0].iov_base) + rem;
|
||||
iov[0].iov_len -= rem;
|
||||
}
|
||||
}
|
||||
return pos;
|
||||
}
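Review bot: The `iovcnt > IOV_MAX` guard at the top of the new atomiciov() does not reject a negative iovcnt, so the following `memcpy(iov, _iov, iovcnt * sizeof(*_iov))` converts the negative int to a huge size_t and overruns the on-stack iov_array before the `iovcnt > 0` loop condition ever gets a chance to reject it. Since iovcnt is a caller-supplied signed int, the check should be `if (iovcnt < 0 || iovcnt > IOV_MAX) {`; the later `iovcnt <= 0` test in the EFAULT branch shows the function already contemplates a non-positive count. A smaller point: the loop condition `iovcnt > 0 && iov[0].iov_len > 0` returns 0 without touching fd when the first entry is zero-length even if later entries carry data; if that is intended it deserves a comment such as `/* a leading zero-length iovec ends the transfer */`.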
|
||||
|
@ -1,6 +1,7 @@
|
||||
/* $OpenBSD: atomicio.h,v 1.6 2005/05/24 17:32:43 avsm Exp $ */
|
||||
/* $OpenBSD: atomicio.h,v 1.10 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2006 Damien Miller. All rights reserved.
|
||||
* Copyright (c) 1995,1999 Theo de Raadt. All rights reserved.
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -25,9 +26,20 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef _ATOMICIO_H
|
||||
#define _ATOMICIO_H
|
||||
|
||||
/*
|
||||
* Ensure all of data on socket comes through. f==read || f==vwrite
|
||||
*/
|
||||
size_t atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
|
||||
|
||||
#define vwrite (ssize_t (*)(int, void *, size_t))write
|
||||
|
||||
/*
|
||||
* ensure all of data on socket comes through. f==readv || f==writev
|
||||
*/
|
||||
size_t atomiciov(ssize_t (*)(int, const struct iovec *, int),
|
||||
int, const struct iovec *, int);
|
||||
|
||||
#endif /* _ATOMICIO_H */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: audit-bsm.c,v 1.1 2005/02/20 10:08:00 dtucker Exp $ */
|
||||
/* $Id: audit-bsm.c,v 1.4 2006/09/01 05:38:36 djm Exp $ */
|
||||
|
||||
/*
|
||||
* TODO
|
||||
@ -37,8 +37,15 @@
|
||||
#include "includes.h"
|
||||
#if defined(USE_BSM_AUDIT)
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "ssh.h"
|
||||
#include "log.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: audit.c,v 1.3 2005/07/17 07:26:44 djm Exp $ */
|
||||
/* $Id: audit.c,v 1.5 2006/09/01 05:38:36 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2004, 2005 Darren Tucker. All rights reserved.
|
||||
@ -26,10 +26,15 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
|
||||
#include "audit.h"
|
||||
#include "log.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
|
||||
/*
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $Id: audit.h,v 1.2 2005/02/08 10:52:48 dtucker Exp $ */
|
||||
/* $Id: audit.h,v 1.3 2006/08/05 14:05:10 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2004, 2005 Darren Tucker. All rights reserved.
|
||||
@ -24,8 +24,6 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "auth.h"
|
||||
|
||||
#ifndef _SSH_AUDIT_H
|
||||
# define _SSH_AUDIT_H
|
||||
enum ssh_audit_event_type {
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth-bsdauth.c,v 1.10 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -21,13 +22,23 @@
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-bsdauth.c,v 1.6 2005/01/19 13:11:47 dtucker Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
|
||||
#ifdef BSD_AUTH
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
static void *
|
||||
@ -69,9 +80,8 @@ bsdauth_query(void *ctx, char **name, char **infotxt,
|
||||
*name = xstrdup("");
|
||||
*infotxt = xstrdup("");
|
||||
*numprompts = 1;
|
||||
*prompts = xmalloc(*numprompts * sizeof(char *));
|
||||
*echo_on = xmalloc(*numprompts * sizeof(u_int));
|
||||
(*echo_on)[0] = 0;
|
||||
*prompts = xcalloc(*numprompts, sizeof(char *));
|
||||
*echo_on = xcalloc(*numprompts, sizeof(u_int));
|
||||
(*prompts)[0] = xstrdup(challenge);
|
||||
|
||||
return 0;
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth-chall.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,11 +24,16 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-chall.c,v 1.9 2003/11/03 09:03:37 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
#include "servconf.h"
|
||||
|
||||
/* limited protocol v1 interface to kbd-interactive authentication */
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Kerberos v5 authentication and ticket-passing routines.
|
||||
*
|
||||
@ -28,18 +29,27 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-krb5.c,v 1.16 2005/11/21 09:42:10 dtucker Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <pwd.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
#include "packet.h"
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "servconf.h"
|
||||
#include "uidswap.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
|
||||
#ifdef KRB5
|
||||
#include <errno.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <krb5.h>
|
||||
|
||||
extern ServerOptions options;
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth-options.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -10,18 +11,31 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-options.c,v 1.33 2005/12/08 18:34:11 reyk Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <netdb.h>
|
||||
#include <pwd.h>
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "match.h"
|
||||
#include "log.h"
|
||||
#include "canohost.h"
|
||||
#include "buffer.h"
|
||||
#include "channels.h"
|
||||
#include "auth-options.h"
|
||||
#include "servconf.h"
|
||||
#include "misc.h"
|
||||
#include "monitor_wrap.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
/* Flags set authorized_keys flags */
|
||||
int no_port_forwarding_flag = 0;
|
||||
@ -131,7 +145,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
|
||||
forced_command = NULL;
|
||||
goto bad_option;
|
||||
}
|
||||
forced_command[i] = 0;
|
||||
forced_command[i] = '\0';
|
||||
auth_debug_add("Forced command: %.900s", forced_command);
|
||||
opts++;
|
||||
goto next_option;
|
||||
@ -163,7 +177,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
|
||||
xfree(s);
|
||||
goto bad_option;
|
||||
}
|
||||
s[i] = 0;
|
||||
s[i] = '\0';
|
||||
auth_debug_add("Adding to environment: %.900s", s);
|
||||
debug("Adding to environment: %.900s", s);
|
||||
opts++;
|
||||
@ -200,7 +214,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
|
||||
xfree(patterns);
|
||||
goto bad_option;
|
||||
}
|
||||
patterns[i] = 0;
|
||||
patterns[i] = '\0';
|
||||
opts++;
|
||||
if (match_host_and_ip(remote_host, remote_ip,
|
||||
patterns) != 1) {
|
||||
@ -245,7 +259,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
|
||||
xfree(patterns);
|
||||
goto bad_option;
|
||||
}
|
||||
patterns[i] = 0;
|
||||
patterns[i] = '\0';
|
||||
opts++;
|
||||
p = patterns;
|
||||
host = hpdelim(&p);
|
||||
@ -293,7 +307,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
|
||||
forced_tun_device = -1;
|
||||
goto bad_option;
|
||||
}
|
||||
tun[i] = 0;
|
||||
tun[i] = '\0';
|
||||
forced_tun_device = a2tun(tun, NULL);
|
||||
xfree(tun);
|
||||
if (forced_tun_device == SSH_TUNID_ERR) {
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth-options.h,v 1.13 2005/12/06 22:38:27 reyk Exp $ */
|
||||
/* $OpenBSD: auth-options.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -47,7 +47,16 @@
|
||||
|
||||
/* Based on $FreeBSD$ */
|
||||
#include "includes.h"
|
||||
RCSID("$Id: auth-pam.c,v 1.128 2006/01/29 05:46:13 dtucker Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <signal.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#ifdef USE_PAM
|
||||
#if defined(HAVE_SECURITY_PAM_APPL_H)
|
||||
@ -63,20 +72,31 @@ RCSID("$Id: auth-pam.c,v 1.128 2006/01/29 05:46:13 dtucker Exp $");
|
||||
# define sshpam_const const /* LinuxPAM, OpenPAM */
|
||||
#endif
|
||||
|
||||
/* Ambiguity in spec: is it an array of pointers or a pointer to an array? */
|
||||
#ifdef PAM_SUN_CODEBASE
|
||||
# define PAM_MSG_MEMBER(msg, n, member) ((*(msg))[(n)].member)
|
||||
#else
|
||||
# define PAM_MSG_MEMBER(msg, n, member) ((msg)[(n)]->member)
|
||||
#endif
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "buffer.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "auth-pam.h"
|
||||
#include "buffer.h"
|
||||
#include "bufaux.h"
|
||||
#include "canohost.h"
|
||||
#include "log.h"
|
||||
#include "monitor_wrap.h"
|
||||
#include "msg.h"
|
||||
#include "packet.h"
|
||||
#include "misc.h"
|
||||
#include "servconf.h"
|
||||
#include "ssh2.h"
|
||||
#include "xmalloc.h"
|
||||
#include "auth-options.h"
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
extern ServerOptions options;
|
||||
extern Buffer loginmsg;
|
||||
@ -146,14 +166,16 @@ sshpam_sigchld_handler(int sig)
|
||||
fatal("PAM: authentication thread exited uncleanly");
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
static void
|
||||
pthread_exit(void *value __unused)
|
||||
pthread_exit(void *value)
|
||||
{
|
||||
_exit(0);
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
static int
|
||||
pthread_create(sp_pthread_t *thread, const void *attr __unused,
|
||||
pthread_create(sp_pthread_t *thread, const void *attr,
|
||||
void *(*thread_start)(void *), void *arg)
|
||||
{
|
||||
pid_t pid;
|
||||
@ -185,8 +207,9 @@ pthread_cancel(sp_pthread_t thread)
|
||||
return (kill(thread, SIGTERM));
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
static int
|
||||
pthread_join(sp_pthread_t thread, void **value __unused)
|
||||
pthread_join(sp_pthread_t thread, void **value)
|
||||
{
|
||||
int status;
|
||||
|
||||
@ -284,7 +307,10 @@ import_environments(Buffer *b)
|
||||
|
||||
/* Import environment from subprocess */
|
||||
num_env = buffer_get_int(b);
|
||||
sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env));
|
||||
if (num_env > 1024)
|
||||
fatal("%s: received %u environment variables, expected <= 1024",
|
||||
__func__, num_env);
|
||||
sshpam_env = xcalloc(num_env + 1, sizeof(*sshpam_env));
|
||||
debug3("PAM: num env strings %d", num_env);
|
||||
for(i = 0; i < num_env; i++)
|
||||
sshpam_env[i] = buffer_get_string(b, NULL);
|
||||
@ -331,9 +357,8 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
|
||||
if (n <= 0 || n > PAM_MAX_NUM_MSG)
|
||||
return (PAM_CONV_ERR);
|
||||
|
||||
if ((reply = malloc(n * sizeof(*reply))) == NULL)
|
||||
if ((reply = calloc(n, sizeof(*reply))) == NULL)
|
||||
return (PAM_CONV_ERR);
|
||||
memset(reply, 0, n * sizeof(*reply));
|
||||
|
||||
buffer_init(&buffer);
|
||||
for (i = 0; i < n; ++i) {
|
||||
@ -412,10 +437,16 @@ sshpam_thread(void *ctxtp)
|
||||
u_int i;
|
||||
const char *pam_user;
|
||||
const char **ptr_pam_user = &pam_user;
|
||||
char *tz = getenv("TZ");
|
||||
|
||||
pam_get_item(sshpam_handle, PAM_USER,
|
||||
(sshpam_const void **)ptr_pam_user);
|
||||
|
||||
environ[0] = NULL;
|
||||
if (tz != NULL)
|
||||
if (setenv("TZ", tz, 1) == -1)
|
||||
error("PAM: could not set TZ environment: %s",
|
||||
strerror(errno));
|
||||
|
||||
if (sshpam_authctxt != NULL) {
|
||||
setproctitle("%s [pam]",
|
||||
@ -439,8 +470,10 @@ sshpam_thread(void *ctxtp)
|
||||
goto auth_fail;
|
||||
|
||||
if (compat20) {
|
||||
if (!do_pam_account())
|
||||
if (!do_pam_account()) {
|
||||
sshpam_err = PAM_ACCT_EXPIRED;
|
||||
goto auth_fail;
|
||||
}
|
||||
if (sshpam_authctxt->force_pwchange) {
|
||||
sshpam_err = pam_chauthtok(sshpam_handle,
|
||||
PAM_CHANGE_EXPIRED_AUTHTOK);
|
||||
@ -482,7 +515,10 @@ sshpam_thread(void *ctxtp)
|
||||
buffer_put_cstring(&buffer,
|
||||
pam_strerror(sshpam_handle, sshpam_err));
|
||||
/* XXX - can't do much about an error here */
|
||||
ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
|
||||
if (sshpam_err == PAM_ACCT_EXPIRED)
|
||||
ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
|
||||
else
|
||||
ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
|
||||
buffer_free(&buffer);
|
||||
pthread_exit(NULL);
|
||||
|
||||
@ -529,9 +565,8 @@ sshpam_store_conv(int n, sshpam_const struct pam_message **msg,
|
||||
if (n <= 0 || n > PAM_MAX_NUM_MSG)
|
||||
return (PAM_CONV_ERR);
|
||||
|
||||
if ((reply = malloc(n * sizeof(*reply))) == NULL)
|
||||
if ((reply = calloc(n, sizeof(*reply))) == NULL)
|
||||
return (PAM_CONV_ERR);
|
||||
memset(reply, 0, n * sizeof(*reply));
|
||||
|
||||
for (i = 0; i < n; ++i) {
|
||||
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
|
||||
@ -638,8 +673,11 @@ sshpam_init_ctx(Authctxt *authctxt)
|
||||
int socks[2];
|
||||
|
||||
debug3("PAM: %s entering", __func__);
|
||||
/* Refuse to start if we don't have PAM enabled */
|
||||
if (!options.use_pam)
|
||||
/*
|
||||
* Refuse to start if we don't have PAM enabled or do_pam_account
|
||||
* has previously failed.
|
||||
*/
|
||||
if (!options.use_pam || sshpam_account_status == 0)
|
||||
return NULL;
|
||||
|
||||
/* Initialize PAM */
|
||||
@ -699,7 +737,7 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
case PAM_PROMPT_ECHO_OFF:
|
||||
*num = 1;
|
||||
len = plen + mlen + 1;
|
||||
**prompts = xrealloc(**prompts, len);
|
||||
**prompts = xrealloc(**prompts, 1, len);
|
||||
strlcpy(**prompts + plen, msg, len - plen);
|
||||
plen += mlen;
|
||||
**echo_on = (type == PAM_PROMPT_ECHO_ON);
|
||||
@ -709,21 +747,25 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
case PAM_TEXT_INFO:
|
||||
/* accumulate messages */
|
||||
len = plen + mlen + 2;
|
||||
**prompts = xrealloc(**prompts, len);
|
||||
**prompts = xrealloc(**prompts, 1, len);
|
||||
strlcpy(**prompts + plen, msg, len - plen);
|
||||
plen += mlen;
|
||||
strlcat(**prompts + plen, "\n", len - plen);
|
||||
plen++;
|
||||
xfree(msg);
|
||||
break;
|
||||
case PAM_ACCT_EXPIRED:
|
||||
sshpam_account_status = 0;
|
||||
/* FALLTHROUGH */
|
||||
case PAM_AUTH_ERR:
|
||||
debug3("PAM: PAM_AUTH_ERR");
|
||||
debug3("PAM: %s", pam_strerror(sshpam_handle, type));
|
||||
if (**prompts != NULL && strlen(**prompts) != 0) {
|
||||
*info = **prompts;
|
||||
**prompts = NULL;
|
||||
*num = 0;
|
||||
**echo_on = 0;
|
||||
ctxt->pam_done = -1;
|
||||
xfree(msg);
|
||||
return 0;
|
||||
}
|
||||
/* FALLTHROUGH */
|
||||
@ -930,9 +972,8 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
|
||||
if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO))
|
||||
return (PAM_CONV_ERR);
|
||||
|
||||
if ((reply = malloc(n * sizeof(*reply))) == NULL)
|
||||
if ((reply = calloc(n, sizeof(*reply))) == NULL)
|
||||
return (PAM_CONV_ERR);
|
||||
memset(reply, 0, n * sizeof(*reply));
|
||||
|
||||
for (i = 0; i < n; ++i) {
|
||||
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
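Review bot: In the new bound check in import_environments(), `fatal("%s: received %u environment variables, ...", __func__, num_env)` prints num_env with `%u` while the unchanged `debug3("PAM: num env strings %d", num_env)` two lines below prints the same variable with `%d`, so one of the two is a format/argument mismatch; num_env's declaration is outside the hunk, but it is filled from buffer_get_int(), which presumably returns an unsigned type, so `%d` looks like the wrong one. Suggest `debug3("PAM: num env strings %u", num_env);` so the two agree. The 1024 ceiling is also a bare magic number repeated in both the test and the message; a named constant (e.g. a constructed `#define MAX_PAM_ENV 1024`) used as `if (num_env > MAX_PAM_ENV)` would keep them from drifting apart. The enclosing function starts outside the hunk.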
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth-passwd.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -36,12 +37,20 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-passwd.c,v 1.34 2005/07/19 15:32:26 otto Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "packet.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "auth-options.h"
|
||||
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth-rh-rsa.c,v 1.42 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -13,18 +14,25 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-rh-rsa.c,v 1.38 2005/07/17 07:17:54 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <pwd.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "packet.h"
|
||||
#include "uidswap.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "servconf.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "pathnames.h"
|
||||
#include "auth.h"
|
||||
#include "canohost.h"
|
||||
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
/* import */
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth-rhosts.c,v 1.41 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -14,14 +15,27 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-rhosts.c,v 1.33 2005/07/17 07:17:54 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
#ifdef HAVE_NETGROUP_H
|
||||
# include <netgroup.h>
|
||||
#endif
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "packet.h"
|
||||
#include "buffer.h"
|
||||
#include "uidswap.h"
|
||||
#include "pathnames.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
#include "canohost.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
|
||||
/* import */
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth-rsa.c,v 1.71 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -14,23 +15,35 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-rsa.c,v 1.63 2005/06/17 02:44:32 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/md5.h>
|
||||
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "rsa.h"
|
||||
#include "packet.h"
|
||||
#include "xmalloc.h"
|
||||
#include "ssh1.h"
|
||||
#include "uidswap.h"
|
||||
#include "match.h"
|
||||
#include "buffer.h"
|
||||
#include "auth-options.h"
|
||||
#include "pathnames.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
#include "auth.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#include "ssh.h"
|
||||
#include "misc.h"
|
||||
@ -137,7 +150,7 @@ auth_rsa_challenge_dialog(Key *key)
|
||||
/* Wait for a response. */
|
||||
packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
|
||||
for (i = 0; i < 16; i++)
|
||||
response[i] = packet_get_char();
|
||||
response[i] = (u_char)packet_get_char();
|
||||
packet_check_eom();
|
||||
|
||||
success = PRIVSEP(auth_rsa_verify_response(key, challenge, response));
|
||||
|
@ -23,11 +23,14 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$Id: auth-shadow.c,v 1.7 2005/07/17 07:04:47 djm Exp $");
|
||||
|
||||
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
|
||||
#include <shadow.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
|
@ -25,14 +25,6 @@
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef HAVE_OSF_SIA
|
||||
#include "ssh.h"
|
||||
#include "auth.h"
|
||||
#include "auth-sia.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
#include "canohost.h"
|
||||
#include "uidswap.h"
|
||||
|
||||
#include <sia.h>
|
||||
#include <siad.h>
|
||||
#include <pwd.h>
|
||||
@ -40,8 +32,19 @@
|
||||
#include <setjmp.h>
|
||||
#include <sys/resource.h>
|
||||
#include <unistd.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "ssh.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "auth-sia.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
#include "canohost.h"
|
||||
#include "uidswap.h"
|
||||
|
||||
extern ServerOptions options;
|
||||
extern int saved_argc;
|
||||
extern char **saved_argv;
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth-skey.c,v 1.26 2006/08/05 08:28:24 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -21,15 +22,23 @@
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-skey.c,v 1.20 2002/06/30 21:59:45 deraadt Exp $");
|
||||
|
||||
#ifdef SKEY
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include <skey.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "ssh-gss.h"
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
static void *
|
||||
@ -43,8 +52,7 @@ skey_query(void *ctx, char **name, char **infotxt,
u_int* numprompts, char ***prompts, u_int **echo_on)
{
Authctxt *authctxt = ctx;
char challenge[1024], *p;
int len;
char challenge[1024];
struct skey skey;
if (_compat_skeychallenge(&skey, authctxt->user, challenge,
@ -54,15 +62,10 @@ skey_query(void *ctx, char **name, char **infotxt,
*name = xstrdup("");
*infotxt = xstrdup("");
*numprompts = 1;
*prompts = xmalloc(*numprompts * sizeof(char *));
*echo_on = xmalloc(*numprompts * sizeof(u_int));
(*echo_on)[0] = 0;
*prompts = xcalloc(*numprompts, sizeof(char *));
*echo_on = xcalloc(*numprompts, sizeof(u_int));
len = strlen(challenge) + strlen(SKEY_PROMPT) + 1;
p = xmalloc(len);
strlcpy(p, challenge, len);
strlcat(p, SKEY_PROMPT, len);
(*prompts)[0] = p;
xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
return 0;
}
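Review bot: Dropping `(*echo_on)[0] = 0;` in skey_query leaves the "do not echo the one-time password" setting implicit in xcalloc's zero-fill, which is correct today but easy to lose if the allocation is ever switched back to xmalloc; add `/* xcalloc zero-fills, so (*echo_on)[0] == 0: the OTP response is not echoed */` above the `*echo_on = xcalloc(...)` line. The replacement `xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT)` writes into `(*prompts)[0]`, a slot that only exists because `*numprompts` is 1 two lines earlier, so a short comment tying the two together (`/* exactly one prompt: challenge text followed by SKEY_PROMPT */`) would help the next reader. skey_query's signature and the _compat_skeychallenge error path lie before this hunk.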
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth.c,v 1.75 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,39 +24,56 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth.c,v 1.60 2005/06/17 02:44:32 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
|
||||
#include <errno.h>
|
||||
#ifdef HAVE_PATHS_H
|
||||
# include <paths.h>
|
||||
#endif
|
||||
#include <pwd.h>
|
||||
#ifdef HAVE_LOGIN_H
|
||||
#include <login.h>
|
||||
#endif
|
||||
#ifdef USE_SHADOW
|
||||
#include <shadow.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_LIBGEN_H
|
||||
#include <libgen.h>
|
||||
#endif
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "match.h"
|
||||
#include "groupaccess.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "servconf.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "auth-options.h"
|
||||
#include "canohost.h"
|
||||
#include "buffer.h"
|
||||
#include "bufaux.h"
|
||||
#include "uidswap.h"
|
||||
#include "misc.h"
|
||||
#include "bufaux.h"
|
||||
#include "packet.h"
|
||||
#include "loginrec.h"
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
extern int use_privsep;
|
||||
extern Buffer loginmsg;
|
||||
extern struct passwd *privsep_pw;
|
||||
|
||||
/* Debugging messages */
|
||||
Buffer auth_debug;
|
||||
@ -231,6 +249,9 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
|
||||
void (*authlog) (const char *fmt,...) = verbose;
|
||||
char *authmsg;
|
||||
|
||||
if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
|
||||
return;
|
||||
|
||||
/* Raise logging level */
|
||||
if (authenticated == 1 ||
|
||||
!authctxt->valid ||
|
||||
@ -259,44 +280,15 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
|
||||
strcmp(method, "challenge-response") == 0))
|
||||
record_failed_login(authctxt->user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
# ifdef WITH_AIXAUTHENTICATE
|
||||
if (authenticated)
|
||||
sys_auth_record_login(authctxt->user,
|
||||
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
||||
# endif
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (authenticated == 0 && !authctxt->postponed) {
|
||||
ssh_audit_event_t event;
|
||||
|
||||
debug3("audit failed auth attempt, method %s euid %d",
|
||||
method, (int)geteuid());
|
||||
/*
|
||||
* Because the auth loop is used in both monitor and slave,
|
||||
* we must be careful to send each event only once and with
|
||||
* enough privs to write the event.
|
||||
*/
|
||||
event = audit_classify_auth(method);
|
||||
switch(event) {
|
||||
case SSH_AUTH_FAIL_NONE:
|
||||
case SSH_AUTH_FAIL_PASSWD:
|
||||
case SSH_AUTH_FAIL_KBDINT:
|
||||
if (geteuid() == 0)
|
||||
audit_event(event);
|
||||
break;
|
||||
case SSH_AUTH_FAIL_PUBKEY:
|
||||
case SSH_AUTH_FAIL_HOSTBASED:
|
||||
case SSH_AUTH_FAIL_GSSAPI:
|
||||
/*
|
||||
* This is required to handle the case where privsep
|
||||
* is enabled but it's root logging in, since
|
||||
* use_privsep won't be cleared until after a
|
||||
* successful login.
|
||||
*/
|
||||
if (geteuid() == 0)
|
||||
audit_event(event);
|
||||
else
|
||||
PRIVSEP(audit_event(event));
|
||||
break;
|
||||
default:
|
||||
error("unknown authentication audit event %d", event);
|
||||
}
|
||||
}
|
||||
if (authenticated == 0 && !authctxt->postponed)
|
||||
audit_event(audit_classify_auth(method));
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -309,7 +301,6 @@ auth_root_allowed(char *method)
|
||||
switch (options.permit_root_login) {
|
||||
case PERMIT_YES:
|
||||
return 1;
|
||||
break;
|
||||
case PERMIT_NO_PASSWD:
|
||||
if (strcmp(method, "password") != 0)
|
||||
return 1;
|
||||
@ -336,7 +327,8 @@ auth_root_allowed(char *method)
|
||||
static char *
|
||||
expand_authorized_keys(const char *filename, struct passwd *pw)
|
||||
{
|
||||
char *file, *ret;
|
||||
char *file, ret[MAXPATHLEN];
|
||||
int i;
|
||||
|
||||
file = percent_expand(filename, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, (char *)NULL);
|
||||
@ -348,14 +340,11 @@ expand_authorized_keys(const char *filename, struct passwd *pw)
|
||||
if (*file == '/')
|
||||
return (file);
|
||||
|
||||
ret = xmalloc(MAXPATHLEN);
|
||||
if (strlcpy(ret, pw->pw_dir, MAXPATHLEN) >= MAXPATHLEN ||
|
||||
strlcat(ret, "/", MAXPATHLEN) >= MAXPATHLEN ||
|
||||
strlcat(ret, file, MAXPATHLEN) >= MAXPATHLEN)
|
||||
i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
|
||||
if (i < 0 || (size_t)i >= sizeof(ret))
|
||||
fatal("expand_authorized_keys: path too long");
|
||||
|
||||
xfree(file);
|
||||
return (ret);
|
||||
return (xstrdup(ret));
|
||||
}
|
||||
|
||||
char *
|
||||
@ -492,6 +481,9 @@ getpwnamallow(const char *user)
|
||||
#endif
|
||||
struct passwd *pw;
|
||||
|
||||
parse_server_match_config(&options, user,
|
||||
get_canonical_hostname(options.use_dns), get_remote_ipaddr());
|
||||
|
||||
pw = getpwnam(user);
|
||||
if (pw == NULL) {
|
||||
logit("Invalid user %.100s from %.100s",
|
||||
@ -579,6 +571,8 @@ fakepw(void)
fake.pw_gecos = "NOUSER";
fake.pw_uid = (uid_t)-1;
fake.pw_gid = (gid_t)-1;
fake.pw_uid = privsep_pw->pw_uid;
fake.pw_gid = privsep_pw->pw_gid;
#ifdef HAVE_PW_CLASS_IN_PASSWD
fake.pw_class = "";
#endif
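Review bot: `fake.pw_uid = privsep_pw->pw_uid;` and the matching `pw_gid` line in fakepw() dereference the extern `privsep_pw` with no NULL check, so any call that runs before the privilege-separation user has been resolved (or on a configuration where it never is) crashes instead of returning the placeholder entry; the replaced `(uid_t)-1`/`(gid_t)-1` values had no such dependency. Whether every caller is guaranteed to run after privsep_pw is set is not visible here. Either state that invariant above the assignment, `/* privsep_pw is resolved at startup, before any auth path reaches fakepw() */`, or keep the old sentinels as the fallback: `fake.pw_uid = privsep_pw != NULL ? privsep_pw->pw_uid : (uid_t)-1;` and `fake.pw_gid = privsep_pw != NULL ? privsep_pw->pw_gid : (gid_t)-1;`. fakepw() begins before this hunk.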
@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.51 2005/06/06 11:20:36 djm Exp $ */
/* $OpenBSD: auth.h,v 1.58 2006/08/18 09:15:20 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -28,9 +28,8 @@
#ifndef AUTH_H
#define AUTH_H
#include "key.h"
#include "hostfile.h"
#include "buffer.h"
#include <signal.h>
#include <openssl/rsa.h>
#ifdef HAVE_LOGIN_CAP
@ -48,7 +47,8 @@ typedef struct Authmethod Authmethod;
typedef struct KbdintDevice KbdintDevice;
struct Authctxt {
int success;
sig_atomic_t success;
int authenticated; /* authenticated and alarms cancelled */
int postponed; /* authentication needs another step */
int valid; /* user exists and is allowed to login */
int attempt;
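Review bot: `sig_atomic_t success;` is the one member of struct Authctxt in this hunk without a trailing comment, and nothing records why the type changed from int; the field is the done flag handed to dispatch_run in auth2.c, so presumably it is written from a context where only sig_atomic_t is guaranteed to be stored atomically, but that is inferred rather than shown here. Add the reason beside the field so it is not quietly reverted, e.g. `sig_atomic_t success; /* auth-loop done flag; sig_atomic_t so it can be set asynchronously — confirm */`. The new `#include <signal.h>` above exists only to provide that type and is worth a one-word note too, `#include <signal.h> /* sig_atomic_t */`.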
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth1.c,v 1.70 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
@ -10,7 +11,14 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth1.c,v 1.62 2005/07/16 01:35:24 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <pwd.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "rsa.h"
|
||||
@ -20,10 +28,15 @@ RCSID("$OpenBSD: auth1.c,v 1.62 2005/07/16 01:35:24 djm Exp $");
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
#include "compat.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "channels.h"
|
||||
#include "session.h"
|
||||
#include "uidswap.h"
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#include "buffer.h"
|
||||
|
||||
@ -77,7 +90,7 @@ static const struct AuthMethod1
|
||||
{
|
||||
int i;
|
||||
|
||||
for(i = 0; auth1_methods[i].name != NULL; i++)
|
||||
for (i = 0; auth1_methods[i].name != NULL; i++)
|
||||
if (auth1_methods[i].type == type)
|
||||
return (&(auth1_methods[i]));
|
||||
|
||||
@ -96,6 +109,7 @@ get_authname(int type)
|
||||
return (buf);
|
||||
}
|
||||
|
||||
/*ARGSUSED*/
|
||||
static int
|
||||
auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
|
||||
{
|
||||
@ -120,6 +134,7 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
|
||||
return (authenticated);
|
||||
}
|
||||
|
||||
/*ARGSUSED*/
|
||||
static int
|
||||
auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
|
||||
{
|
||||
@ -137,6 +152,7 @@ auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
|
||||
return (authenticated);
|
||||
}
|
||||
|
||||
/*ARGSUSED*/
|
||||
static int
|
||||
auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
|
||||
{
|
||||
@ -175,6 +191,7 @@ auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
|
||||
return (authenticated);
|
||||
}
|
||||
|
||||
/*ARGSUSED*/
|
||||
static int
|
||||
auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
|
||||
{
|
||||
@ -193,6 +210,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
|
||||
return (-1);
|
||||
}
|
||||
|
||||
/*ARGSUSED*/
|
||||
static int
|
||||
auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
|
||||
{
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth2-chall.c,v 1.31 2006/08/05 08:28:24 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2001 Per Allansson. All rights reserved.
|
||||
@ -22,14 +23,22 @@
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2-chall.c,v 1.24 2005/07/17 07:17:54 djm Exp $");
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh2.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "buffer.h"
|
||||
#include "packet.h"
|
||||
#include "xmalloc.h"
|
||||
#include "dispatch.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
@ -291,7 +300,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
|
||||
if (nresp > 100)
|
||||
fatal("input_userauth_info_response: too many replies");
|
||||
if (nresp > 0) {
|
||||
response = xmalloc(nresp * sizeof(char *));
|
||||
response = xcalloc(nresp, sizeof(char *));
|
||||
for (i = 0; i < nresp; i++)
|
||||
response[i] = packet_get_string(NULL);
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth2-gss.c,v 1.12 2005/10/13 22:24:31 stevesk Exp $ */
|
||||
/* $OpenBSD: auth2-gss.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||
@ -28,16 +28,22 @@
|
||||
|
||||
#ifdef GSSAPI
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "ssh2.h"
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
#include "dispatch.h"
|
||||
#include "buffer.h"
|
||||
#include "servconf.h"
|
||||
#include "packet.h"
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
#include "ssh-gss.h"
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
@ -100,6 +106,8 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
}
|
||||
|
||||
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
|
||||
if (ctxt != NULL)
|
||||
ssh_gssapi_delete_ctx(&ctxt);
|
||||
xfree(doid);
|
||||
return (0);
|
||||
}
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth2-hostbased.c,v 1.11 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,19 +24,27 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2-hostbased.c,v 1.6 2004/01/19 21:25:15 markus Exp $");
|
||||
|
||||
#include "ssh2.h"
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <pwd.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh2.h"
|
||||
#include "packet.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
#include "compat.h"
|
||||
#include "bufaux.h"
|
||||
#include "auth.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "canohost.h"
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#include "pathnames.h"
|
||||
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth2-kbdint.c,v 1.5 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,13 +24,19 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2-kbdint.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "packet.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "servconf.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth2-none.c,v 1.13 2006/08/05 07:52:52 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,16 +24,29 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2-none.c,v 1.7 2004/05/11 19:01:43 deraadt Exp $");
|
||||
|
||||
#include "auth.h"
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/uio.h>
|
||||
|
||||
#include <fcntl.h>
|
||||
#include <stdarg.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "packet.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "servconf.h"
|
||||
#include "atomicio.h"
|
||||
#include "compat.h"
|
||||
#include "ssh2.h"
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
/* import */
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth2-passwd.c,v 1.9 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,12 +24,22 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2-passwd.c,v 1.5 2003/12/31 00:24:50 dtucker Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "packet.h"
|
||||
#include "log.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "buffer.h"
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#include "servconf.h"
|
||||
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth2-pubkey.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,23 +24,32 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2-pubkey.c,v 1.9 2004/12/11 01:48:56 dtucker Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh2.h"
|
||||
#include "xmalloc.h"
|
||||
#include "packet.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
#include "compat.h"
|
||||
#include "bufaux.h"
|
||||
#include "auth.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "pathnames.h"
|
||||
#include "uidswap.h"
|
||||
#include "auth-options.h"
|
||||
#include "canohost.h"
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#include "misc.h"
|
||||
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: auth2.c,v 1.113 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,23 +24,31 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
|
||||
|
||||
#include "ssh2.h"
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <pwd.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh2.h"
|
||||
#include "packet.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "servconf.h"
|
||||
#include "compat.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "dispatch.h"
|
||||
#include "pathnames.h"
|
||||
#include "monitor_wrap.h"
|
||||
#include "buffer.h"
|
||||
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
/* import */
|
||||
extern ServerOptions options;
|
||||
@ -96,6 +105,7 @@ do_authentication2(Authctxt *authctxt)
|
||||
dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
|
||||
}
|
||||
|
||||
/*ARGSUSED*/
|
||||
static void
|
||||
input_service_request(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -129,6 +139,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
|
||||
xfree(service);
|
||||
}
|
||||
|
||||
/*ARGSUSED*/
|
||||
static void
|
||||
input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: authfd.c,v 1.80 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -35,16 +36,25 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: authfd.c,v 1.66 2005/06/17 02:44:32 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/un.h>
|
||||
#include <sys/socket.h>
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
#include <openssl/crypto.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdlib.h>
|
||||
#include <signal.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "rsa.h"
|
||||
#include "buffer.h"
|
||||
#include "bufaux.h"
|
||||
#include "xmalloc.h"
|
||||
#include "getput.h"
|
||||
#include "key.h"
|
||||
#include "authfd.h"
|
||||
#include "cipher.h"
|
||||
@ -52,6 +62,7 @@ RCSID("$OpenBSD: authfd.c,v 1.66 2005/06/17 02:44:32 djm Exp $");
|
||||
#include "compat.h"
|
||||
#include "log.h"
|
||||
#include "atomicio.h"
|
||||
#include "misc.h"
|
||||
|
||||
static int agent_present = 0;
|
||||
|
||||
@ -103,7 +114,7 @@ ssh_get_authentication_socket(void)
|
||||
close(sock);
|
||||
return -1;
|
||||
}
|
||||
if (connect(sock, (struct sockaddr *) &sunaddr, sizeof sunaddr) < 0) {
|
||||
if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
|
||||
close(sock);
|
||||
return -1;
|
||||
}
|
||||
@ -119,7 +130,7 @@ ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply
|
||||
|
||||
/* Get the length of the message, and format it in the buffer. */
|
||||
len = buffer_len(request);
|
||||
PUT_32BIT(buf, len);
|
||||
put_u32(buf, len);
|
||||
|
||||
/* Send the length and then the packet to the agent. */
|
||||
if (atomicio(vwrite, auth->fd, buf, 4) != 4 ||
|
||||
@ -138,7 +149,7 @@ ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply
|
||||
}
|
||||
|
||||
/* Extract the length, and check it for sanity. */
|
||||
len = GET_32BIT(buf);
|
||||
len = get_u32(buf);
|
||||
if (len > 256 * 1024)
|
||||
fatal("Authentication response too long: %u", len);
|
||||
|
||||
@ -335,7 +346,6 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
|
||||
break;
|
||||
default:
|
||||
return NULL;
|
||||
break;
|
||||
}
|
||||
/* Decrement the number of remaining entries. */
|
||||
auth->howmany--;
|
||||
@ -394,7 +404,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
|
||||
* fatal error if the packet is corrupt.
|
||||
*/
|
||||
for (i = 0; i < 16; i++)
|
||||
response[i] = buffer_get_char(&buffer);
|
||||
response[i] = (u_char)buffer_get_char(&buffer);
|
||||
}
|
||||
buffer_free(&buffer);
|
||||
return success;
|
||||
@ -517,7 +527,6 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
|
||||
default:
|
||||
buffer_free(&msg);
|
||||
return 0;
|
||||
break;
|
||||
}
|
||||
if (constrained) {
|
||||
if (life != 0) {
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: authfd.h,v 1.34 2003/11/21 11:57:03 djm Exp $ */
|
||||
/* $OpenBSD: authfd.h,v 1.36 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -16,8 +16,6 @@
|
||||
#ifndef AUTHFD_H
|
||||
#define AUTHFD_H
|
||||
|
||||
#include "buffer.h"
|
||||
|
||||
/* Messages for the authentication agent connection. */
|
||||
#define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1
|
||||
#define SSH_AGENT_RSA_IDENTITIES_ANSWER 2
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: authfile.c,v 1.76 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -36,16 +37,27 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: authfile.c,v 1.61 2005/06/17 02:44:32 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/uio.h>
|
||||
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/pem.h>
|
||||
|
||||
#include "cipher.h"
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "cipher.h"
|
||||
#include "buffer.h"
|
||||
#include "bufaux.h"
|
||||
#include "key.h"
|
||||
#include "ssh.h"
|
||||
#include "log.h"
|
||||
@ -184,7 +196,7 @@ key_save_private_pem(Key *key, const char *filename, const char *_passphrase,
|
||||
return 0;
|
||||
}
|
||||
fp = fdopen(fd, "w");
|
||||
if (fp == NULL ) {
|
||||
if (fp == NULL) {
|
||||
error("fdopen %s failed: %s.", filename, strerror(errno));
|
||||
close(fd);
|
||||
return 0;
|
||||
@ -211,12 +223,10 @@ key_save_private(Key *key, const char *filename, const char *passphrase,
|
||||
case KEY_RSA1:
|
||||
return key_save_private_rsa1(key, filename, passphrase,
|
||||
comment);
|
||||
break;
|
||||
case KEY_DSA:
|
||||
case KEY_RSA:
|
||||
return key_save_private_pem(key, filename, passphrase,
|
||||
comment);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
@ -507,7 +517,7 @@ key_load_private_pem(int fd, int type, const char *passphrase,
return prv;
}
static int
int
key_perm_ok(int fd, const char *filename)
{
struct stat st;
@ -537,7 +547,7 @@ key_perm_ok(int fd, const char *filename)
Key *
key_load_private_type(int type, const char *filename, const char *passphrase,
char **commentp)
char **commentp, int *perm_ok)
{
int fd;
@ -545,22 +555,24 @@ key_load_private_type(int type, const char *filename, const char *passphrase,
if (fd < 0)
return NULL;
if (!key_perm_ok(fd, filename)) {
if (perm_ok != NULL)
*perm_ok = 0;
error("bad permissions: ignore key: %s", filename);
close(fd);
return NULL;
}
if (perm_ok != NULL)
*perm_ok = 1;
switch (type) {
case KEY_RSA1:
return key_load_private_rsa1(fd, filename, passphrase,
commentp);
/* closes fd */
break;
case KEY_DSA:
case KEY_RSA:
case KEY_UNSPEC:
return key_load_private_pem(fd, type, passphrase, commentp);
/* closes fd */
break;
default:
close(fd);
break;
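Review bot: The new `perm_ok` out-parameter of key_load_private_type is only assigned after the file has been opened: the `if (fd < 0) return NULL;` path at the top of the hunk returns without touching it, so a caller that passes an uninitialised int and tests it after a NULL return reads an indeterminate value (how callers use the flag is not visible here). Set it once before the open, `if (perm_ok != NULL) *perm_ok = 1;`, keep the `*perm_ok = 0` in the bad-permissions branch, and drop the now-redundant assignment after that block; with that, "0" unambiguously means "rejected because of permissions" on every exit path. The open call itself precedes this hunk, and the change that exports key_perm_ok (static int → int, earlier in this file) deserves a header comment on the declaration saying it is for callers that want the permission check without loading the key.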
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: authfile.h,v 1.10 2002/05/23 19:24:30 markus Exp $ */
|
||||
/* $OpenBSD: authfile.h,v 1.13 2006/04/25 08:02:27 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -19,7 +19,8 @@ int key_save_private(Key *, const char *, const char *, const char *);
|
||||
Key *key_load_public(const char *, char **);
|
||||
Key *key_load_public_type(int, const char *, char **);
|
||||
Key *key_load_private(const char *, const char *, char **);
|
||||
Key *key_load_private_type(int, const char *, const char *, char **);
|
||||
Key *key_load_private_type(int, const char *, const char *, char **, int *);
|
||||
Key *key_load_private_pem(int, int, const char *, char **);
|
||||
int key_perm_ok(int, const char *);
|
||||
|
||||
#endif
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: bufaux.c,v 1.44 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -37,176 +38,18 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: bufaux.c,v 1.37 2005/11/05 05:01:15 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include "bufaux.h"
|
||||
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "getput.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
|
||||
/*
|
||||
* Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed
|
||||
* by (bits+7)/8 bytes of binary data, msb first.
|
||||
*/
|
||||
int
|
||||
buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
int bits = BN_num_bits(value);
|
||||
int bin_size = (bits + 7) / 8;
|
||||
u_char *buf = xmalloc(bin_size);
|
||||
int oi;
|
||||
char msg[2];
|
||||
|
||||
/* Get the value of in binary */
|
||||
oi = BN_bn2bin(value, buf);
|
||||
if (oi != bin_size) {
|
||||
error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
|
||||
oi, bin_size);
|
||||
xfree(buf);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
/* Store the number of bits in the buffer in two bytes, msb first. */
|
||||
PUT_16BIT(msg, bits);
|
||||
buffer_append(buffer, msg, 2);
|
||||
/* Store the binary data. */
|
||||
buffer_append(buffer, (char *)buf, oi);
|
||||
|
||||
memset(buf, 0, bin_size);
|
||||
xfree(buf);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
if (buffer_put_bignum_ret(buffer, value) == -1)
|
||||
fatal("buffer_put_bignum: buffer error");
|
||||
}
|
||||
|
||||
/*
|
||||
* Retrieves an BIGNUM from the buffer.
|
||||
*/
|
||||
int
|
||||
buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
u_int bits, bytes;
|
||||
u_char buf[2], *bin;
|
||||
|
||||
/* Get the number for bits. */
|
||||
if (buffer_get_ret(buffer, (char *) buf, 2) == -1) {
|
||||
error("buffer_get_bignum_ret: invalid length");
|
||||
return (-1);
|
||||
}
|
||||
bits = GET_16BIT(buf);
|
||||
/* Compute the number of binary bytes that follow. */
|
||||
bytes = (bits + 7) / 8;
|
||||
if (bytes > 8 * 1024) {
|
||||
error("buffer_get_bignum_ret: cannot handle BN of size %d", bytes);
|
||||
return (-1);
|
||||
}
|
||||
if (buffer_len(buffer) < bytes) {
|
||||
error("buffer_get_bignum_ret: input buffer too small");
|
||||
return (-1);
|
||||
}
|
||||
bin = buffer_ptr(buffer);
|
||||
BN_bin2bn(bin, bytes, value);
|
||||
if (buffer_consume_ret(buffer, bytes) == -1) {
|
||||
error("buffer_get_bignum_ret: buffer_consume failed");
|
||||
return (-1);
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
buffer_get_bignum(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
if (buffer_get_bignum_ret(buffer, value) == -1)
|
||||
fatal("buffer_get_bignum: buffer error");
|
||||
}
|
||||
|
||||
/*
|
||||
* Stores an BIGNUM in the buffer in SSH2 format.
|
||||
*/
|
||||
int
|
||||
buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
u_int bytes;
|
||||
u_char *buf;
|
||||
int oi;
|
||||
u_int hasnohigh = 0;
|
||||
|
||||
if (BN_is_zero(value)) {
|
||||
buffer_put_int(buffer, 0);
|
||||
return 0;
|
||||
}
|
||||
if (value->neg) {
|
||||
error("buffer_put_bignum2_ret: negative numbers not supported");
|
||||
return (-1);
|
||||
}
|
||||
bytes = BN_num_bytes(value) + 1; /* extra padding byte */
|
||||
if (bytes < 2) {
|
||||
error("buffer_put_bignum2_ret: BN too small");
|
||||
return (-1);
|
||||
}
|
||||
buf = xmalloc(bytes);
|
||||
buf[0] = 0x00;
|
||||
/* Get the value of in binary */
|
||||
oi = BN_bn2bin(value, buf+1);
|
||||
if (oi < 0 || (u_int)oi != bytes - 1) {
|
||||
error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
|
||||
"oi %d != bin_size %d", oi, bytes);
|
||||
xfree(buf);
|
||||
return (-1);
|
||||
}
|
||||
hasnohigh = (buf[1] & 0x80) ? 0 : 1;
|
||||
buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
|
||||
memset(buf, 0, bytes);
|
||||
xfree(buf);
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
buffer_put_bignum2(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
if (buffer_put_bignum2_ret(buffer, value) == -1)
|
||||
fatal("buffer_put_bignum2: buffer error");
|
||||
}
|
||||
|
||||
int
|
||||
buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
u_int len;
|
||||
u_char *bin;
|
||||
|
||||
if ((bin = buffer_get_string_ret(buffer, &len)) == NULL) {
|
||||
error("buffer_get_bignum2_ret: invalid bignum");
|
||||
return (-1);
|
||||
}
|
||||
|
||||
if (len > 0 && (bin[0] & 0x80)) {
|
||||
error("buffer_get_bignum2_ret: negative numbers not supported");
|
||||
xfree(bin);
|
||||
return (-1);
|
||||
}
|
||||
if (len > 8 * 1024) {
|
||||
error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
|
||||
xfree(bin);
|
||||
return (-1);
|
||||
}
|
||||
BN_bin2bn(bin, len, value);
|
||||
xfree(bin);
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
if (buffer_get_bignum2_ret(buffer, value) == -1)
|
||||
fatal("buffer_get_bignum2: buffer error");
|
||||
}
|
||||
#include "misc.h"
|
||||
|
||||
/*
|
||||
* Returns integers from the buffer (msb first).
|
||||
@ -219,7 +62,7 @@ buffer_get_short_ret(u_short *ret, Buffer *buffer)
|
||||
|
||||
if (buffer_get_ret(buffer, (char *) buf, 2) == -1)
|
||||
return (-1);
|
||||
*ret = GET_16BIT(buf);
|
||||
*ret = get_u16(buf);
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -241,7 +84,7 @@ buffer_get_int_ret(u_int *ret, Buffer *buffer)
|
||||
|
||||
if (buffer_get_ret(buffer, (char *) buf, 4) == -1)
|
||||
return (-1);
|
||||
*ret = GET_32BIT(buf);
|
||||
*ret = get_u32(buf);
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -263,7 +106,7 @@ buffer_get_int64_ret(u_int64_t *ret, Buffer *buffer)
|
||||
|
||||
if (buffer_get_ret(buffer, (char *) buf, 8) == -1)
|
||||
return (-1);
|
||||
*ret = GET_64BIT(buf);
|
||||
*ret = get_u64(buf);
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -286,7 +129,7 @@ buffer_put_short(Buffer *buffer, u_short value)
|
||||
{
|
||||
char buf[2];
|
||||
|
||||
PUT_16BIT(buf, value);
|
||||
put_u16(buf, value);
|
||||
buffer_append(buffer, buf, 2);
|
||||
}
|
||||
|
||||
@ -295,7 +138,7 @@ buffer_put_int(Buffer *buffer, u_int value)
|
||||
{
|
||||
char buf[4];
|
||||
|
||||
PUT_32BIT(buf, value);
|
||||
put_u32(buf, value);
|
||||
buffer_append(buffer, buf, 4);
|
||||
}
|
||||
|
||||
@ -304,7 +147,7 @@ buffer_put_int64(Buffer *buffer, u_int64_t value)
|
||||
{
|
||||
char buf[8];
|
||||
|
||||
PUT_64BIT(buf, value);
|
||||
put_u64(buf, value);
|
||||
buffer_append(buffer, buf, 8);
|
||||
}
|
||||
|
||||
|
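Review bot: `#include <openssl/bn.h>` survives in the rebuilt include block at the top of bufaux.c even though every BIGNUM routine in this file has moved to bufbn.c; if nothing left in bufaux.c (the rest of the file is outside this view) touches BN_* types, the include is dead and can go, and buffer.h in this same commit includes <openssl/bn.h> itself for any caller that still needs the type. The added `#include "misc.h"` also appears to land on its own after the blank line that follows `#include "log.h"`, apart from the other project headers; the rendered view has lost the +/- markers, so if that is where it ends up, moving it up beside "log.h" keeps the project includes together.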
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: bufaux.h,v 1.21 2005/03/10 22:01:05 deraadt Exp $ */
|
||||
/* $OpenBSD: bufaux.h,v 1.22 2006/03/25 22:22:42 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
215
crypto/openssh/bufbn.c
@ -0,0 +1,215 @@
|
||||
/* $OpenBSD: bufbn.c,v 1.3 2006/08/03 03:34:41 deraadt Exp $*/
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
* Auxiliary functions for storing and retrieving various data types to/from
|
||||
* Buffers.
|
||||
*
|
||||
* As far as I am concerned, the code I have written for this software
|
||||
* can be used freely for any purpose. Any derived versions of this
|
||||
* software must be clearly marked as such, and if the derived work is
|
||||
* incompatible with the protocol description in the RFC file, it must be
|
||||
* called by a name other than "ssh" or "Secure Shell".
|
||||
*
|
||||
*
|
||||
* SSH2 packet format added by Markus Friedl
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/bn.h>
|
||||
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
|
||||
/*
|
||||
* Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed
|
||||
* by (bits+7)/8 bytes of binary data, msb first.
|
||||
*/
|
||||
int
|
||||
buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
int bits = BN_num_bits(value);
|
||||
int bin_size = (bits + 7) / 8;
|
||||
u_char *buf = xmalloc(bin_size);
|
||||
int oi;
|
||||
char msg[2];
|
||||
|
||||
/* Get the value of in binary */
|
||||
oi = BN_bn2bin(value, buf);
|
||||
if (oi != bin_size) {
|
||||
error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
|
||||
oi, bin_size);
|
||||
xfree(buf);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
/* Store the number of bits in the buffer in two bytes, msb first. */
|
||||
put_u16(msg, bits);
|
||||
buffer_append(buffer, msg, 2);
|
||||
/* Store the binary data. */
|
||||
buffer_append(buffer, buf, oi);
|
||||
|
||||
memset(buf, 0, bin_size);
|
||||
xfree(buf);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
if (buffer_put_bignum_ret(buffer, value) == -1)
|
||||
fatal("buffer_put_bignum: buffer error");
|
||||
}
|
||||
|
||||
/*
|
||||
* Retrieves an BIGNUM from the buffer.
|
||||
*/
|
||||
int
|
||||
buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
u_int bits, bytes;
|
||||
u_char buf[2], *bin;
|
||||
|
||||
/* Get the number for bits. */
|
||||
if (buffer_get_ret(buffer, (char *) buf, 2) == -1) {
|
||||
error("buffer_get_bignum_ret: invalid length");
|
||||
return (-1);
|
||||
}
|
||||
bits = get_u16(buf);
|
||||
/* Compute the number of binary bytes that follow. */
|
||||
bytes = (bits + 7) / 8;
|
||||
if (bytes > 8 * 1024) {
|
||||
error("buffer_get_bignum_ret: cannot handle BN of size %d", bytes);
|
||||
return (-1);
|
||||
}
|
||||
if (buffer_len(buffer) < bytes) {
|
||||
error("buffer_get_bignum_ret: input buffer too small");
|
||||
return (-1);
|
||||
}
|
||||
bin = buffer_ptr(buffer);
|
||||
BN_bin2bn(bin, bytes, value);
|
||||
if (buffer_consume_ret(buffer, bytes) == -1) {
|
||||
error("buffer_get_bignum_ret: buffer_consume failed");
|
||||
return (-1);
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
buffer_get_bignum(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
if (buffer_get_bignum_ret(buffer, value) == -1)
|
||||
fatal("buffer_get_bignum: buffer error");
|
||||
}
|
||||
|
||||
/*
|
||||
* Stores an BIGNUM in the buffer in SSH2 format.
|
||||
*/
|
||||
int
|
||||
buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
u_int bytes;
|
||||
u_char *buf;
|
||||
int oi;
|
||||
u_int hasnohigh = 0;
|
||||
|
||||
if (BN_is_zero(value)) {
|
||||
buffer_put_int(buffer, 0);
|
||||
return 0;
|
||||
}
|
||||
if (value->neg) {
|
||||
error("buffer_put_bignum2_ret: negative numbers not supported");
|
||||
return (-1);
|
||||
}
|
||||
bytes = BN_num_bytes(value) + 1; /* extra padding byte */
|
||||
if (bytes < 2) {
|
||||
error("buffer_put_bignum2_ret: BN too small");
|
||||
return (-1);
|
||||
}
|
||||
buf = xmalloc(bytes);
|
||||
buf[0] = 0x00;
|
||||
/* Get the value of in binary */
|
||||
oi = BN_bn2bin(value, buf+1);
|
||||
if (oi < 0 || (u_int)oi != bytes - 1) {
|
||||
error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
|
||||
"oi %d != bin_size %d", oi, bytes);
|
||||
xfree(buf);
|
||||
return (-1);
|
||||
}
|
||||
hasnohigh = (buf[1] & 0x80) ? 0 : 1;
|
||||
buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
|
||||
memset(buf, 0, bytes);
|
||||
xfree(buf);
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
buffer_put_bignum2(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
if (buffer_put_bignum2_ret(buffer, value) == -1)
|
||||
fatal("buffer_put_bignum2: buffer error");
|
||||
}
|
||||
|
||||
int
|
||||
buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
u_int len;
|
||||
u_char *bin;
|
||||
|
||||
if ((bin = buffer_get_string_ret(buffer, &len)) == NULL) {
|
||||
error("buffer_get_bignum2_ret: invalid bignum");
|
||||
return (-1);
|
||||
}
|
||||
|
||||
if (len > 0 && (bin[0] & 0x80)) {
|
||||
error("buffer_get_bignum2_ret: negative numbers not supported");
|
||||
xfree(bin);
|
||||
return (-1);
|
||||
}
|
||||
if (len > 8 * 1024) {
|
||||
error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
|
||||
xfree(bin);
|
||||
return (-1);
|
||||
}
|
||||
BN_bin2bn(bin, len, value);
|
||||
xfree(bin);
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
|
||||
{
|
||||
if (buffer_get_bignum2_ret(buffer, value) == -1)
|
||||
fatal("buffer_get_bignum2: buffer error");
|
||||
}
|
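Review bot: The return value of BN_bin2bn() is ignored in both buffer_get_bignum_ret and buffer_get_bignum2_ret, so an OpenSSL allocation failure leaves `value` untouched while the function still returns 0 and, in the first case, still consumes the bytes. I would check it in both places, e.g. in buffer_get_bignum2_ret `if (BN_bin2bn(bin, len, value) == NULL) { error("buffer_get_bignum2_ret: BN_bin2bn failed"); xfree(bin); return (-1); }`, and the same without the xfree in buffer_get_bignum_ret before the buffer_consume_ret call. Two smaller points in the same file: `bytes` and `len` are u_int but are printed with `%d` in the error() calls (`%u` matches), and buffer_put_bignum2_ret reads `value->neg` directly where `BN_is_negative(value)` would keep the code independent of BIGNUM's layout. buffer_put_bignum_ret also calls `xmalloc(bin_size)` with bin_size 0 for a zero-valued BIGNUM; if xmalloc treats a zero size as fatal (its definition is outside this view), that case deserves an explicit early path.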
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: buffer.c,v 1.31 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -12,12 +13,21 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: buffer.c,v 1.23 2005/03/14 11:46:56 markus Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
|
||||
#define BUFFER_MAX_CHUNK 0x100000
|
||||
#define BUFFER_MAX_LEN 0xa00000
|
||||
#define BUFFER_ALLOCSZ 0x008000
|
||||
|
||||
/* Initializes the buffer structure. */
|
||||
|
||||
void
|
||||
@ -66,6 +76,23 @@ buffer_append(Buffer *buffer, const void *data, u_int len)
|
||||
memcpy(p, data, len);
|
||||
}
|
||||
|
||||
static int
|
||||
buffer_compact(Buffer *buffer)
|
||||
{
|
||||
/*
|
||||
* If the buffer is quite empty, but all data is at the end, move the
|
||||
* data to the beginning.
|
||||
*/
|
||||
if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
|
||||
memmove(buffer->buf, buffer->buf + buffer->offset,
|
||||
buffer->end - buffer->offset);
|
||||
buffer->end -= buffer->offset;
|
||||
buffer->offset = 0;
|
||||
return (1);
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
|
||||
/*
|
||||
* Appends space to the buffer, expanding the buffer if necessary. This does
|
||||
* not actually copy the data into the buffer, but instead returns a pointer
|
||||
@ -93,29 +120,43 @@ restart:
|
||||
buffer->end += len;
|
||||
return p;
|
||||
}
|
||||
/*
|
||||
* If the buffer is quite empty, but all data is at the end, move the
|
||||
* data to the beginning and retry.
|
||||
*/
|
||||
if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
|
||||
memmove(buffer->buf, buffer->buf + buffer->offset,
|
||||
buffer->end - buffer->offset);
|
||||
buffer->end -= buffer->offset;
|
||||
buffer->offset = 0;
|
||||
goto restart;
|
||||
}
|
||||
/* Increase the size of the buffer and retry. */
|
||||
|
||||
newlen = buffer->alloc + len + 32768;
|
||||
/* Compact data back to the start of the buffer if necessary */
|
||||
if (buffer_compact(buffer))
|
||||
goto restart;
|
||||
|
||||
/* Increase the size of the buffer and retry. */
|
||||
newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ);
|
||||
if (newlen > BUFFER_MAX_LEN)
|
||||
fatal("buffer_append_space: alloc %u not supported",
|
||||
newlen);
|
||||
buffer->buf = xrealloc(buffer->buf, newlen);
|
||||
buffer->buf = xrealloc(buffer->buf, 1, newlen);
|
||||
buffer->alloc = newlen;
|
||||
goto restart;
|
||||
/* NOTREACHED */
|
||||
}
|
||||
|
||||
/*
|
||||
* Check whether an allocation of 'len' will fit in the buffer
|
||||
* This must follow the same math as buffer_append_space
|
||||
*/
|
||||
int
|
||||
buffer_check_alloc(Buffer *buffer, u_int len)
|
||||
{
|
||||
if (buffer->offset == buffer->end) {
|
||||
buffer->offset = 0;
|
||||
buffer->end = 0;
|
||||
}
|
||||
restart:
|
||||
if (buffer->end + len < buffer->alloc)
|
||||
return (1);
|
||||
if (buffer_compact(buffer))
|
||||
goto restart;
|
||||
if (roundup(buffer->alloc + len, BUFFER_ALLOCSZ) <= BUFFER_MAX_LEN)
|
||||
return (1);
|
||||
return (0);
|
||||
}
|
||||
|
||||
/* Returns the number of bytes of data in the buffer. */
|
||||
|
||||
u_int
|
||||
|
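Review bot: buffer_check_alloc puts no upper bound on `len`, so `buffer->end + len` and `roundup(buffer->alloc + len, BUFFER_ALLOCSZ)` are plain u_int sums that can wrap for a very large request and make the function answer 1 for an allocation buffer_append_space would refuse; if buffer_append_space rejects oversized len before its `restart:` label (that part of the function is outside the hunk), the same guard belongs here as the first statement, e.g. `if (len > BUFFER_MAX_CHUNK) return (0);`. Its header comment should also say the function is not a pure query: it resets offset/end on an empty buffer and may call buffer_compact, which moves the data, so a pointer previously obtained from buffer_ptr() is presumably stale afterwards. buffer_compact carries the same caveat and has no comment of its own; `/* Move pending data to the start of the buffer; returns 1 if anything moved (earlier buffer_ptr() results are then stale). */` would help callers.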
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: buffer.h,v 1.13 2005/03/14 11:46:56 markus Exp $ */
|
||||
/* $OpenBSD: buffer.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -23,9 +23,6 @@ typedef struct {
|
||||
u_int end; /* Offset of last byte containing data. */
|
||||
} Buffer;
|
||||
|
||||
#define BUFFER_MAX_CHUNK 0x100000
|
||||
#define BUFFER_MAX_LEN 0xa00000
|
||||
|
||||
void buffer_init(Buffer *);
|
||||
void buffer_clear(Buffer *);
|
||||
void buffer_free(Buffer *);
|
||||
@ -36,6 +33,8 @@ void *buffer_ptr(Buffer *);
|
||||
void buffer_append(Buffer *, const void *, u_int);
|
||||
void *buffer_append_space(Buffer *, u_int);
|
||||
|
||||
int buffer_check_alloc(Buffer *, u_int);
|
||||
|
||||
void buffer_get(Buffer *, void *, u_int);
|
||||
|
||||
void buffer_consume(Buffer *, u_int);
|
||||
@ -47,4 +46,40 @@ int buffer_get_ret(Buffer *, void *, u_int);
|
||||
int buffer_consume_ret(Buffer *, u_int);
|
||||
int buffer_consume_end_ret(Buffer *, u_int);
|
||||
|
||||
#include <openssl/bn.h>
|
||||
|
||||
void buffer_put_bignum(Buffer *, const BIGNUM *);
|
||||
void buffer_put_bignum2(Buffer *, const BIGNUM *);
|
||||
void buffer_get_bignum(Buffer *, BIGNUM *);
|
||||
void buffer_get_bignum2(Buffer *, BIGNUM *);
|
||||
|
||||
u_short buffer_get_short(Buffer *);
|
||||
void buffer_put_short(Buffer *, u_short);
|
||||
|
||||
u_int buffer_get_int(Buffer *);
|
||||
void buffer_put_int(Buffer *, u_int);
|
||||
|
||||
u_int64_t buffer_get_int64(Buffer *);
|
||||
void buffer_put_int64(Buffer *, u_int64_t);
|
||||
|
||||
int buffer_get_char(Buffer *);
|
||||
void buffer_put_char(Buffer *, int);
|
||||
|
||||
void *buffer_get_string(Buffer *, u_int *);
|
||||
void buffer_put_string(Buffer *, const void *, u_int);
|
||||
void buffer_put_cstring(Buffer *, const char *);
|
||||
|
||||
#define buffer_skip_string(b) \
|
||||
do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while (0)
|
||||
|
||||
int buffer_put_bignum_ret(Buffer *, const BIGNUM *);
|
||||
int buffer_get_bignum_ret(Buffer *, BIGNUM *);
|
||||
int buffer_put_bignum2_ret(Buffer *, const BIGNUM *);
|
||||
int buffer_get_bignum2_ret(Buffer *, BIGNUM *);
|
||||
int buffer_get_short_ret(u_short *, Buffer *);
|
||||
int buffer_get_int_ret(u_int *, Buffer *);
|
||||
int buffer_get_int64_ret(u_int64_t *, Buffer *);
|
||||
void *buffer_get_string_ret(Buffer *, u_int *);
|
||||
int buffer_get_char_ret(char *, Buffer *);
|
||||
|
||||
#endif /* BUFFER_H */
|
||||
|
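Review bot: The buffer_skip_string macro evaluates its argument `b` twice and does not parenthesise it, so an argument with side effects or with an operator binding looser than a postfix expression misbehaves; `do { u_int l = buffer_get_int((b)); buffer_consume((b), l); } while (0)` fixes the precedence half, and a small function would remove the double evaluation as well. Placing `#include <openssl/bn.h>` in the middle of the header, after the consume_ret prototypes that do not need it, is also unusual; moving it to the top with the other includes (outside this hunk) keeps the dependency visible, and it is worth noting in the commit that every includer of buffer.h now pulls in OpenSSL's headers where bufaux.h used to carry that cost.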
@ -35,7 +35,7 @@ SSHDGID=67 # Default privsep gid
|
||||
SYSVINITSTART=S98
|
||||
SYSVINITSTOPT=K30
|
||||
# We will source these if they exist
|
||||
POST_MAKE_INSTALL_FIXES=./pkg_post_make_install_fixes.sh
|
||||
POST_MAKE_INSTALL_FIXES=./pkg-post-make-install-fixes.sh
|
||||
POST_PROTOTYPE_EDITS=./pkg-post-prototype-edit.sh
|
||||
# We'll be one level deeper looking for these
|
||||
PKG_PREINSTALL_LOCAL=../pkg-preinstall.local
|
||||
@ -46,6 +46,8 @@ PKG_REQUEST_LOCAL=../pkg-request.local
|
||||
# end of sourced files
|
||||
#
|
||||
OPENSSHD=opensshd.init
|
||||
OPENSSH_MANIFEST=openssh.xml
|
||||
OPENSSH_FMRI=svc:/site/openssh:default
|
||||
|
||||
PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@
|
||||
PATH_USERADD_PROG=@PATH_USERADD_PROG@
|
||||
@ -60,6 +62,10 @@ SYSTEM_DIR="/etc \
|
||||
/etc/rc1.d \
|
||||
/etc/rc2.d \
|
||||
/etc/opt \
|
||||
/lib \
|
||||
/lib/svc \
|
||||
/lib/svc/method \
|
||||
/lib/svc/method/site \
|
||||
/opt \
|
||||
/opt/bin \
|
||||
/usr \
|
||||
@ -82,6 +88,9 @@ SYSTEM_DIR="/etc \
|
||||
/var \
|
||||
/var/opt \
|
||||
/var/run \
|
||||
/var/svc \
|
||||
/var/svc/manifest \
|
||||
/var/svc/manifest/site \
|
||||
/var/tmp \
|
||||
/tmp"
|
||||
|
||||
@ -119,6 +128,12 @@ do
|
||||
eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
|
||||
done
|
||||
|
||||
## Are we using Solaris' SMF?
|
||||
DO_SMF=0
|
||||
if egrep "^#define USE_SOLARIS_PROCESS_CONTRACTS" config.h > /dev/null 2>&1
|
||||
then
|
||||
DO_SMF=1
|
||||
fi
|
||||
|
||||
## Collect value of privsep user
|
||||
for confvar in SSH_PRIVSEP_USER
|
||||
@ -168,10 +183,25 @@ then
|
||||
fi
|
||||
|
||||
## Setup our run level stuff while we are at it.
|
||||
mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
# For Solaris' SMF, /lib/svc/method/site is the preferred place
|
||||
# for start/stop scripts that aren't supplied with the OS, and
|
||||
# similarly /var/svc/manifest/site for manifests.
|
||||
mkdir -p $FAKE_ROOT${TEST_DIR}/lib/svc/method/site
|
||||
mkdir -p $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site
|
||||
|
||||
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
|
||||
chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
|
||||
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
|
||||
chmod 744 $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
|
||||
|
||||
cp ${OPENSSH_MANIFEST} $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site
|
||||
chmod 644 $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${OPENSSH_MANIFEST}
|
||||
else
|
||||
mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
|
||||
|
||||
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
|
||||
chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
|
||||
fi
|
||||
|
||||
[ "${PERMIT_ROOT_LOGIN}" = no ] && \
|
||||
perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
|
||||
@ -221,15 +251,22 @@ touch depend
|
||||
|
||||
## Build space file
|
||||
echo "Building space file..."
|
||||
cat > space << _EOF
|
||||
# extra space required by start/stop links added by installf in postinstall
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
# XXX Is this necessary? If not, remove space line from mk-proto.awk.
|
||||
touch space
|
||||
else
|
||||
cat > space << _EOF
|
||||
# extra space required by start/stop links added by installf
|
||||
# in postinstall
|
||||
$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1
|
||||
$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME} 0 1
|
||||
_EOF
|
||||
[ "$RC1_D" = no ] || \
|
||||
echo "$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
|
||||
[ "$RCS_D" = yes ] && \
|
||||
echo "$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
|
||||
[ "$RC1_D" = no ] || \
|
||||
echo "$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
|
||||
[ "$RCS_D" = yes ] && \
|
||||
echo "$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
|
||||
fi
|
||||
|
||||
## Build preinstall file
|
||||
echo "Building preinstall file..."
|
||||
@ -243,7 +280,16 @@ _EOF
|
||||
|
||||
cat >> preinstall << _EOF
|
||||
#
|
||||
[ "\${PRE_INS_STOP}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
|
||||
if [ "\${PRE_INS_STOP}" = "yes" ]
|
||||
then
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
svcadm disable $OPENSSH_FMRI
|
||||
else
|
||||
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
|
||||
fi
|
||||
fi
|
||||
|
||||
exit 0
|
||||
_EOF
|
||||
|
||||
@ -265,28 +311,41 @@ cat > postinstall << _EOF
|
||||
}
|
||||
|
||||
# make rc?.d dirs only if we are doing a test install
|
||||
[ -n "${TEST_DIR}" ] && {
|
||||
[ -n "${TEST_DIR}" ] && [ $DO_SMF -ne 1 ] && {
|
||||
[ "$RCS_D" = yes ] && mkdir -p ${TEST_DIR}/etc/rcS.d
|
||||
mkdir -p ${TEST_DIR}/etc/rc0.d
|
||||
[ "$RC1_D" = no ] || mkdir -p ${TEST_DIR}/etc/rc1.d
|
||||
mkdir -p ${TEST_DIR}/etc/rc2.d
|
||||
}
|
||||
|
||||
if [ "\${USE_SYM_LINKS}" = yes ]
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
[ "$RCS_D" = yes ] && \
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||
[ "$RC1_D" = no ] || \
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||
# Delete the existing service, if it exists, then import the
|
||||
# new one.
|
||||
if svcs $OPENSSH_FMRI > /dev/null 2>&1
|
||||
then
|
||||
svccfg delete -f $OPENSSH_FMRI
|
||||
fi
|
||||
# NOTE, if manifest enables sshd by default, this will actually
|
||||
# start the daemon, which may not be what the user wants.
|
||||
svccfg import ${TEST_DIR}/var/svc/manifest/site/$OPENSSH_MANIFEST
|
||||
else
|
||||
[ "$RCS_D" = yes ] && \
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||
[ "$RC1_D" = no ] || \
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||
if [ "\${USE_SYM_LINKS}" = yes ]
|
||||
then
|
||||
[ "$RCS_D" = yes ] && \
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||
[ "$RC1_D" = no ] || \
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||
else
|
||||
[ "$RCS_D" = yes ] && \
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||
[ "$RC1_D" = no ] || \
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||
fi
|
||||
fi
|
||||
|
||||
# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
|
||||
@ -311,14 +370,7 @@ then
|
||||
chroot=echo
|
||||
fi
|
||||
|
||||
if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null
|
||||
then
|
||||
echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user"
|
||||
echo "or group."
|
||||
else
|
||||
echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
|
||||
|
||||
# user required?
|
||||
echo "PrivilegeSeparation user always required."
|
||||
if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
|
||||
then
|
||||
echo "PrivSep user $SSH_PRIVSEP_USER already exists."
|
||||
@ -363,9 +415,18 @@ else
|
||||
\$chroot ${PATH_USERADD_PROG} -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
|
||||
\$chroot ${PATH_PASSWD_PROG} -l $SSH_PRIVSEP_USER
|
||||
}
|
||||
fi
|
||||
|
||||
[ "\${POST_INS_START}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
|
||||
if [ "\${POST_INS_START}" = "yes" ]
|
||||
then
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
# See svccfg import note above. The service may already
|
||||
# be started.
|
||||
svcadm enable $OPENSSH_FMRI
|
||||
else
|
||||
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
|
||||
fi
|
||||
fi
|
||||
exit 0
|
||||
_EOF
|
||||
|
||||
@ -374,7 +435,12 @@ echo "Building preremove file..."
|
||||
cat > preremove << _EOF
|
||||
#! ${SCRIPT_SHELL}
|
||||
#
|
||||
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
svcadm disable $OPENSSH_FMRI
|
||||
else
|
||||
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
|
||||
fi
|
||||
_EOF
|
||||
|
||||
# local preremove changes here
|
||||
@ -389,6 +455,13 @@ echo "Building postremove file..."
|
||||
cat > postremove << _EOF
|
||||
#! ${SCRIPT_SHELL}
|
||||
#
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
if svcs $OPENSSH_FMRI > /dev/null 2>&1
|
||||
then
|
||||
svccfg delete -f $OPENSSH_FMRI
|
||||
fi
|
||||
fi
|
||||
_EOF
|
||||
|
||||
# local postremove changes here
|
||||
@ -454,7 +527,45 @@ done
|
||||
|
||||
_EOF
|
||||
|
||||
cat >> request << _EOF
|
||||
if [ $DO_SMF -eq 1 ]
|
||||
then
|
||||
# This could get hairy, as the running sshd may not be under SMF.
|
||||
# We'll assume an earlier version of OpenSSH started via SMF.
|
||||
cat >> request << _EOF
|
||||
PRE_INS_STOP=no
|
||||
POST_INS_START=no
|
||||
# determine if should restart the daemon
|
||||
if [ -s ${piddir}/sshd.pid ] && \
|
||||
/usr/bin/svcs $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
|
||||
then
|
||||
ans=\`ckyorn -d n \
|
||||
-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
|
||||
case \$ans in
|
||||
[y,Y]*) PRE_INS_STOP=yes
|
||||
POST_INS_START=yes
|
||||
;;
|
||||
esac
|
||||
|
||||
else
|
||||
|
||||
# determine if we should start sshd
|
||||
ans=\`ckyorn -d n \
|
||||
-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
|
||||
case \$ans in
|
||||
[y,Y]*) POST_INS_START=yes ;;
|
||||
esac
|
||||
fi
|
||||
|
||||
# make parameters available to installation service,
|
||||
# and so to any other packaging scripts
|
||||
cat >\$1 <<!
|
||||
PRE_INS_STOP='\$PRE_INS_STOP'
|
||||
POST_INS_START='\$POST_INS_START'
|
||||
!
|
||||
|
||||
_EOF
|
||||
else
|
||||
cat >> request << _EOF
|
||||
USE_SYM_LINKS=no
|
||||
PRE_INS_STOP=no
|
||||
POST_INS_START=no
|
||||
@ -495,6 +606,7 @@ POST_INS_START='\$POST_INS_START'
|
||||
!
|
||||
|
||||
_EOF
|
||||
fi
|
||||
|
||||
# local request changes here
|
||||
[ -s "${PKG_REQUEST_LOCAL}" ] && . ${PKG_REQUEST_LOCAL}
|
||||
|
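Review bot: The SMF decision is keyed on `USE_SOLARIS_PROCESS_CONTRACTS` in config.h, which is a process-contract feature test rather than a statement that the target has SMF or that the packager wants the service managed by it; a comment at the `DO_SMF` block should say the define is being used as a proxy, and honouring a pre-set `DO_SMF` from the environment would give packagers an override. In the generated postinstall, `svccfg delete -f $OPENSSH_FMRI` before `svccfg import` discards any property customisations an administrator made to an existing instance; if that is intended, say so in the NOTE comment next to it, otherwise reconsider the unconditional delete. The generated request script's `egrep "^online"` also depends on `svcs` printing the state column first in its default layout; `svcs -H -o state $OPENSSH_FMRI` makes that check independent of the header and column order.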
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: canohost.c,v 1.61 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -12,10 +13,23 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: canohost.c,v 1.48 2005/12/28 22:46:06 stevesk Exp $");
|
||||
|
||||
#include "packet.h"
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
#include <netdb.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "packet.h"
|
||||
#include "log.h"
|
||||
#include "canohost.h"
|
||||
|
||||
@ -43,6 +57,9 @@ get_remote_hostname(int sock, int use_dns)
|
||||
cleanup_exit(255);
|
||||
}
|
||||
|
||||
if (from.ss_family == AF_INET)
|
||||
check_ip_options(sock, ntop);
|
||||
|
||||
ipv64_normalise_mapped(&from, &fromlen);
|
||||
|
||||
if (from.ss_family == AF_INET6)
|
||||
@ -52,9 +69,6 @@ get_remote_hostname(int sock, int use_dns)
|
||||
NULL, 0, NI_NUMERICHOST) != 0)
|
||||
fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
|
||||
|
||||
if (from.ss_family == AF_INET)
|
||||
check_ip_options(sock, ntop);
|
||||
|
||||
if (!use_dns)
|
||||
return xstrdup(ntop);
|
||||
|
||||
@ -87,7 +101,7 @@ get_remote_hostname(int sock, int use_dns)
|
||||
*/
|
||||
for (i = 0; name[i]; i++)
|
||||
if (isupper(name[i]))
|
||||
name[i] = tolower(name[i]);
|
||||
name[i] = (char)tolower(name[i]);
|
||||
/*
|
||||
* Map it back to an IP address and check that the given
|
||||
* address actually is an address of this host. This is
|
||||
@ -102,7 +116,7 @@ get_remote_hostname(int sock, int use_dns)
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
|
||||
logit("reverse mapping checking getaddrinfo for %.700s "
|
||||
"failed - POSSIBLE BREAK-IN ATTEMPT!", name);
|
||||
"[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
|
||||
return xstrdup(ntop);
|
||||
}
|
||||
/* Look for the address from the list of addresses. */
|
||||
|
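Review bot: The new line `name[i] = (char)tolower(name[i]);` in the `@ -87,7 +101,7` hunk passes a plain `char` to tolower(); on platforms where `char` is signed, a byte above 0x7f in the name yields a negative argument that is not EOF, which is undefined behaviour for the <ctype.h> functions (the removed `isupper(name[i])` guard had the same problem, so the commit does not fix it). Since `name` appears to hold the reverse-lookup result, i.e. data supplied by a remote resolver, it should be treated as arbitrary bytes: `name[i] = (char)tolower((unsigned char)name[i]);`. The enclosing `for` loop and the body of get_remote_hostname continue outside the hunk.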
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: canohost.h,v 1.8 2001/06/26 17:27:23 markus Exp $ */
|
||||
/* $OpenBSD: canohost.h,v 1.9 2006/03/25 22:22:42 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: channels.c,v 1.266 2006/08/29 10:40:18 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -39,22 +40,41 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: channels.c,v 1.232 2006/01/30 12:22:22 reyk Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/un.h>
|
||||
#include <sys/socket.h>
|
||||
#ifdef HAVE_SYS_TIME_H
|
||||
# include <sys/time.h>
|
||||
#endif
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <netdb.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <termios.h>
|
||||
#include <unistd.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
#include "ssh2.h"
|
||||
#include "packet.h"
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "buffer.h"
|
||||
#include "channels.h"
|
||||
#include "compat.h"
|
||||
#include "canohost.h"
|
||||
#include "key.h"
|
||||
#include "authfd.h"
|
||||
#include "pathnames.h"
|
||||
#include "bufaux.h"
|
||||
|
||||
/* -- channel core */
|
||||
|
||||
@ -91,11 +111,18 @@ typedef struct {
|
||||
u_short listen_port; /* Remote side should listen port number. */
|
||||
} ForwardPermission;
|
||||
|
||||
/* List of all permitted host/port pairs to connect. */
|
||||
/* List of all permitted host/port pairs to connect by the user. */
|
||||
static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
|
||||
|
||||
/* Number of permitted host/port pairs in the array. */
|
||||
/* List of all permitted host/port pairs to connect by the admin. */
|
||||
static ForwardPermission permitted_adm_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
|
||||
|
||||
/* Number of permitted host/port pairs in the array permitted by the user. */
|
||||
static int num_permitted_opens = 0;
|
||||
|
||||
/* Number of permitted host/port pair in the array permitted by the admin. */
|
||||
static int num_adm_permitted_opens = 0;
|
||||
|
||||
/*
|
||||
* If this is true, all opens are permitted. This is the case on the server
|
||||
* on which we have to trust the client anyway, and the user could do
|
||||
@ -123,7 +150,7 @@ static u_int x11_saved_data_len = 0;
|
||||
* Fake X11 authentication data. This is what the server will be sending us;
|
||||
* we should replace any occurrences of this by the real data.
|
||||
*/
|
||||
static char *x11_fake_data = NULL;
|
||||
static u_char *x11_fake_data = NULL;
|
||||
static u_int x11_fake_data_len;
|
||||
|
||||
|
||||
@ -168,7 +195,7 @@ channel_lookup(int id)
|
||||
if ((c = channel_by_id(id)) == NULL)
|
||||
return (NULL);
|
||||
|
||||
switch(c->type) {
|
||||
switch (c->type) {
|
||||
case SSH_CHANNEL_X11_OPEN:
|
||||
case SSH_CHANNEL_LARVAL:
|
||||
case SSH_CHANNEL_CONNECTING:
|
||||
@ -178,7 +205,6 @@ channel_lookup(int id)
|
||||
case SSH_CHANNEL_INPUT_DRAINING:
|
||||
case SSH_CHANNEL_OUTPUT_DRAINING:
|
||||
return (c);
|
||||
break;
|
||||
}
|
||||
logit("Non-public channel %d, type %d.", id, c->type);
|
||||
return (NULL);
|
||||
@ -188,7 +214,6 @@ channel_lookup(int id)
|
||||
* Register filedescriptors for a channel, used when allocating a channel or
|
||||
* when the channel consumer/producer is ready, e.g. shell exec'd
|
||||
*/
|
||||
|
||||
static void
|
||||
channel_register_fds(Channel *c, int rfd, int wfd, int efd,
|
||||
int extusage, int nonblock)
|
||||
@ -235,7 +260,6 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
|
||||
* Allocate a new channel object and set its type and socket. This will cause
|
||||
* remote_name to be freed.
|
||||
*/
|
||||
|
||||
Channel *
|
||||
channel_new(char *ctype, int type, int rfd, int wfd, int efd,
|
||||
u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock)
|
||||
@ -247,7 +271,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
|
||||
/* Do initial allocation if this is the first call. */
|
||||
if (channels_alloc == 0) {
|
||||
channels_alloc = 10;
|
||||
channels = xmalloc(channels_alloc * sizeof(Channel *));
|
||||
channels = xcalloc(channels_alloc, sizeof(Channel *));
|
||||
for (i = 0; i < channels_alloc; i++)
|
||||
channels[i] = NULL;
|
||||
}
|
||||
@ -264,16 +288,15 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
|
||||
if (channels_alloc > 10000)
|
||||
fatal("channel_new: internal error: channels_alloc %d "
|
||||
"too big.", channels_alloc);
|
||||
channels = xrealloc(channels,
|
||||
(channels_alloc + 10) * sizeof(Channel *));
|
||||
channels = xrealloc(channels, channels_alloc + 10,
|
||||
sizeof(Channel *));
|
||||
channels_alloc += 10;
|
||||
debug2("channel: expanding %d", channels_alloc);
|
||||
for (i = found; i < channels_alloc; i++)
|
||||
channels[i] = NULL;
|
||||
}
|
||||
/* Initialize and return new channel. */
|
||||
c = channels[found] = xmalloc(sizeof(Channel));
|
||||
memset(c, 0, sizeof(Channel));
|
||||
c = channels[found] = xcalloc(1, sizeof(Channel));
|
||||
buffer_init(&c->input);
|
||||
buffer_init(&c->output);
|
||||
buffer_init(&c->extended);
|
||||
@ -337,7 +360,6 @@ channel_close_fd(int *fdp)
|
||||
}
|
||||
|
||||
/* Close all channel fd/socket. */
|
||||
|
||||
static void
|
||||
channel_close_fds(Channel *c)
|
||||
{
|
||||
@ -352,7 +374,6 @@ channel_close_fds(Channel *c)
|
||||
}
|
||||
|
||||
/* Free the channel and close its fd/socket. */
|
||||
|
||||
void
|
||||
channel_free(Channel *c)
|
||||
{
|
||||
@ -399,7 +420,6 @@ channel_free_all(void)
|
||||
* Closes the sockets/fds of all channels. This is used to close extra file
|
||||
* descriptors after a fork.
|
||||
*/
|
||||
|
||||
void
|
||||
channel_close_all(void)
|
||||
{
|
||||
@ -413,7 +433,6 @@ channel_close_all(void)
|
||||
/*
|
||||
* Stop listening to channels.
|
||||
*/
|
||||
|
||||
void
|
||||
channel_stop_listening(void)
|
||||
{
|
||||
@ -440,7 +459,6 @@ channel_stop_listening(void)
|
||||
* Returns true if no channel has too much buffered data, and false if one or
|
||||
* more channel is overfull.
|
||||
*/
|
||||
|
||||
int
|
||||
channel_not_very_much_buffered_data(void)
|
||||
{
|
||||
@ -470,7 +488,6 @@ channel_not_very_much_buffered_data(void)
|
||||
}
|
||||
|
||||
/* Returns true if any channel is still open. */
|
||||
|
||||
int
|
||||
channel_still_open(void)
|
||||
{
|
||||
@ -513,7 +530,6 @@ channel_still_open(void)
|
||||
}
|
||||
|
||||
/* Returns the id of an open channel suitable for keepaliving */
|
||||
|
||||
int
|
||||
channel_find_open(void)
|
||||
{
|
||||
@ -558,7 +574,6 @@ channel_find_open(void)
|
||||
* suitable for sending to the client. The message contains crlf pairs for
|
||||
* newlines.
|
||||
*/
|
||||
|
||||
char *
|
||||
channel_open_message(void)
|
||||
{
|
||||
@ -643,6 +658,7 @@ channel_request_start(int id, char *service, int wantconfirm)
|
||||
packet_put_cstring(service);
|
||||
packet_put_char(wantconfirm);
|
||||
}
|
||||
|
||||
void
|
||||
channel_register_confirm(int id, channel_callback_fn *fn, void *ctx)
|
||||
{
|
||||
@ -655,6 +671,7 @@ channel_register_confirm(int id, channel_callback_fn *fn, void *ctx)
|
||||
c->confirm = fn;
|
||||
c->confirm_ctx = ctx;
|
||||
}
|
||||
|
||||
void
|
||||
channel_register_cleanup(int id, channel_callback_fn *fn, int do_close)
|
||||
{
|
||||
@ -667,6 +684,7 @@ channel_register_cleanup(int id, channel_callback_fn *fn, int do_close)
|
||||
c->detach_user = fn;
|
||||
c->detach_close = do_close;
|
||||
}
|
||||
|
||||
void
|
||||
channel_cancel_cleanup(int id)
|
||||
{
|
||||
@ -679,6 +697,7 @@ channel_cancel_cleanup(int id)
|
||||
c->detach_user = NULL;
|
||||
c->detach_close = 0;
|
||||
}
|
||||
|
||||
void
|
||||
channel_register_filter(int id, channel_infilter_fn *ifn,
|
||||
channel_outfilter_fn *ofn)
|
||||
@ -718,25 +737,27 @@ channel_set_fds(int id, int rfd, int wfd, int efd,
|
||||
* 'channel_post*': perform any appropriate operations for channels which
|
||||
* have events pending.
|
||||
*/
|
||||
typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
|
||||
typedef void chan_fn(Channel *c, fd_set *readset, fd_set *writeset);
|
||||
chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
|
||||
chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
|
||||
|
||||
/* ARGSUSED */
|
||||
static void
|
||||
channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_pre_listener(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
FD_SET(c->sock, readset);
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
static void
|
||||
channel_pre_connecting(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_pre_connecting(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
debug3("channel %d: waiting for connection", c->self);
|
||||
FD_SET(c->sock, writeset);
|
||||
}
|
||||
|
||||
static void
|
||||
channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
if (buffer_len(&c->input) < packet_get_maxsize())
|
||||
FD_SET(c->sock, readset);
|
||||
@ -745,16 +766,14 @@ channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
}
|
||||
|
||||
static void
|
||||
channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
|
||||
|
||||
/* check buffer limits */
|
||||
limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF));
|
||||
|
||||
if (c->istate == CHAN_INPUT_OPEN &&
|
||||
limit > 0 &&
|
||||
buffer_len(&c->input) < limit)
|
||||
buffer_len(&c->input) < limit &&
|
||||
buffer_check_alloc(&c->input, CHAN_RBUF))
|
||||
FD_SET(c->rfd, readset);
|
||||
if (c->ostate == CHAN_OUTPUT_OPEN ||
|
||||
c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
|
||||
@ -784,8 +803,9 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
FD_SET(c->ctl_fd, readset);
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
static void
|
||||
channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_pre_input_draining(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
if (buffer_len(&c->input) == 0) {
|
||||
packet_start(SSH_MSG_CHANNEL_CLOSE);
|
||||
@ -796,8 +816,9 @@ channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
}
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
static void
|
||||
channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_pre_output_draining(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
if (buffer_len(&c->output) == 0)
|
||||
chan_mark_dead(c);
|
||||
@ -873,7 +894,7 @@ x11_open_helper(Buffer *b)
|
||||
}
|
||||
|
||||
static void
|
||||
channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_pre_x11_open_13(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
int ret = x11_open_helper(&c->output);
|
||||
|
||||
@ -899,7 +920,7 @@ channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
}
|
||||
|
||||
static void
|
||||
channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_pre_x11_open(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
int ret = x11_open_helper(&c->output);
|
||||
|
||||
@ -925,8 +946,9 @@ channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
}
|
||||
|
||||
/* try to decode a socks4 header */
|
||||
/* ARGSUSED */
|
||||
static int
|
||||
channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
char *p, *host;
|
||||
u_int len, have, i, found;
|
||||
@ -990,7 +1012,7 @@ channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
s4_rsp.command = 90; /* cd: req granted */
|
||||
s4_rsp.dest_port = 0; /* ignored */
|
||||
s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */
|
||||
buffer_append(&c->output, (char *)&s4_rsp, sizeof(s4_rsp));
|
||||
buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp));
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -1003,8 +1025,9 @@ channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
#define SSH_SOCKS5_CONNECT 0x01
|
||||
#define SSH_SOCKS5_SUCCESS 0x00
|
||||
|
||||
/* ARGSUSED */
|
||||
static int
|
||||
channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
struct {
|
||||
u_int8_t version;
|
||||
@ -1014,7 +1037,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
} s5_req, s5_rsp;
|
||||
u_int16_t dest_port;
|
||||
u_char *p, dest_addr[255+1];
|
||||
u_int have, i, found, nmethods, addrlen, af;
|
||||
u_int have, need, i, found, nmethods, addrlen, af;
|
||||
|
||||
debug2("channel %d: decode socks5", c->self);
|
||||
p = buffer_ptr(&c->input);
|
||||
@ -1030,7 +1053,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
return 0;
|
||||
/* look for method: "NO AUTHENTICATION REQUIRED" */
|
||||
for (found = 0, i = 2 ; i < nmethods + 2; i++) {
|
||||
if (p[i] == SSH_SOCKS5_NOAUTH ) {
|
||||
if (p[i] == SSH_SOCKS5_NOAUTH) {
|
||||
found = 1;
|
||||
break;
|
||||
}
|
||||
@ -1051,7 +1074,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
debug2("channel %d: socks5 post auth", c->self);
|
||||
if (have < sizeof(s5_req)+1)
|
||||
return 0; /* need more */
|
||||
memcpy((char *)&s5_req, p, sizeof(s5_req));
|
||||
memcpy(&s5_req, p, sizeof(s5_req));
|
||||
if (s5_req.version != 0x05 ||
|
||||
s5_req.command != SSH_SOCKS5_CONNECT ||
|
||||
s5_req.reserved != 0x00) {
|
||||
@ -1075,7 +1098,10 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp);
|
||||
return -1;
|
||||
}
|
||||
if (have < 4 + addrlen + 2)
|
||||
need = sizeof(s5_req) + addrlen + 2;
|
||||
if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
|
||||
need++;
|
||||
if (have < need)
|
||||
return 0;
|
||||
buffer_consume(&c->input, sizeof(s5_req));
|
||||
if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
|
||||
@ -1099,15 +1125,15 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY;
|
||||
dest_port = 0; /* ignored */
|
||||
|
||||
buffer_append(&c->output, (char *)&s5_rsp, sizeof(s5_rsp));
|
||||
buffer_append(&c->output, (char *)&dest_addr, sizeof(struct in_addr));
|
||||
buffer_append(&c->output, (char *)&dest_port, sizeof(dest_port));
|
||||
buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp));
|
||||
buffer_append(&c->output, &dest_addr, sizeof(struct in_addr));
|
||||
buffer_append(&c->output, &dest_port, sizeof(dest_port));
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* dynamic port forwarding */
|
||||
static void
|
||||
channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
u_char *p;
|
||||
u_int have;
|
||||
@ -1150,8 +1176,9 @@ channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
}
|
||||
|
||||
/* This is our fake X11 server socket. */
|
||||
/* ARGSUSED */
|
||||
static void
|
||||
channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
Channel *nc;
|
||||
struct sockaddr addr;
|
||||
@ -1275,8 +1302,9 @@ channel_set_reuseaddr(int fd)
|
||||
/*
|
||||
* This socket is listening for connections to a forwarded TCP/IP port.
|
||||
*/
|
||||
/* ARGSUSED */
|
||||
static void
|
||||
channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
Channel *nc;
|
||||
struct sockaddr addr;
|
||||
@ -1332,8 +1360,9 @@ channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
* This is the authentication agent socket listening for connections from
|
||||
* clients.
|
||||
*/
|
||||
/* ARGSUSED */
|
||||
static void
|
||||
channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
Channel *nc;
|
||||
int newsock;
|
||||
@ -1365,8 +1394,9 @@ channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
}
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
static void
|
||||
channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_post_connecting(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
int err = 0;
|
||||
socklen_t sz = sizeof(err);
|
||||
@ -1411,18 +1441,25 @@ channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
}
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
static int
|
||||
channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
char buf[CHAN_RBUF];
|
||||
int len;
|
||||
|
||||
if (c->rfd != -1 &&
|
||||
FD_ISSET(c->rfd, readset)) {
|
||||
errno = 0;
|
||||
len = read(c->rfd, buf, sizeof(buf));
|
||||
if (len < 0 && (errno == EINTR || errno == EAGAIN))
|
||||
return 1;
|
||||
#ifndef PTY_ZEROREAD
|
||||
if (len <= 0) {
|
||||
#else
|
||||
if ((!c->isatty && len <= 0) ||
|
||||
(c->isatty && (len < 0 || (len == 0 && errno != 0)))) {
|
||||
#endif
|
||||
debug2("channel %d: read<=0 rfd %d len %d",
|
||||
c->self, c->rfd, len);
|
||||
if (c->type != SSH_CHANNEL_OPEN) {
|
||||
@ -1451,8 +1488,10 @@ channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
static int
|
||||
channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
struct termios tio;
|
||||
u_char *data = NULL, *buf;
|
||||
@ -1538,8 +1577,9 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int
|
||||
channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
char buf[CHAN_RBUF];
|
||||
int len;
|
||||
@ -1581,8 +1621,10 @@ channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
static int
|
||||
channel_handle_ctl(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_handle_ctl(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
char buf[16];
|
||||
int len;
|
||||
@ -1608,6 +1650,7 @@ channel_handle_ctl(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int
|
||||
channel_check_window(Channel *c)
|
||||
{
|
||||
@ -1629,7 +1672,7 @@ channel_check_window(Channel *c)
|
||||
}
|
||||
|
||||
static void
|
||||
channel_post_open(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_post_open(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
if (c->delayed)
|
||||
return;
|
||||
@ -1642,8 +1685,9 @@ channel_post_open(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_check_window(c);
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
static void
|
||||
channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
|
||||
channel_post_output_drain_13(Channel *c, fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
int len;
|
||||
|
||||
@ -1760,7 +1804,7 @@ channel_garbage_collect(Channel *c)
|
||||
}
|
||||
|
||||
static void
|
||||
channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
|
||||
channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
static int did_init = 0;
|
||||
u_int i;
|
||||
@ -1788,15 +1832,20 @@ void
|
||||
channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
|
||||
u_int *nallocp, int rekeying)
|
||||
{
|
||||
u_int n, sz;
|
||||
u_int n, sz, nfdset;
|
||||
|
||||
n = MAX(*maxfdp, channel_max_fd);
|
||||
|
||||
sz = howmany(n+1, NFDBITS) * sizeof(fd_mask);
|
||||
nfdset = howmany(n+1, NFDBITS);
|
||||
/* Explicitly test here, because xrealloc isn't always called */
|
||||
if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask))
|
||||
fatal("channel_prepare_select: max_fd (%d) is too large", n);
|
||||
sz = nfdset * sizeof(fd_mask);
|
||||
|
||||
/* perhaps check sz < nalloc/2 and shrink? */
|
||||
if (*readsetp == NULL || sz > *nallocp) {
|
||||
*readsetp = xrealloc(*readsetp, sz);
|
||||
*writesetp = xrealloc(*writesetp, sz);
|
||||
*readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask));
|
||||
*writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask));
|
||||
*nallocp = sz;
|
||||
}
|
||||
*maxfdp = n;
|
||||
@ -1812,14 +1861,13 @@ channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
|
||||
* events pending.
|
||||
*/
|
||||
void
|
||||
channel_after_select(fd_set * readset, fd_set * writeset)
|
||||
channel_after_select(fd_set *readset, fd_set *writeset)
|
||||
{
|
||||
channel_handler(channel_post, readset, writeset);
|
||||
}
|
||||
|
||||
|
||||
/* If there is data to send to the connection, enqueue some of it now. */
|
||||
|
||||
void
|
||||
channel_output_poll(void)
|
||||
{
|
||||
@ -1940,6 +1988,7 @@ channel_output_poll(void)
|
||||
|
||||
/* -- protocol input */
|
||||
|
||||
/* ARGSUSED */
|
||||
void
|
||||
channel_input_data(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -1999,6 +2048,7 @@ channel_input_data(int type, u_int32_t seq, void *ctxt)
|
||||
xfree(data);
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
void
|
||||
channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -2045,6 +2095,7 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
|
||||
xfree(data);
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
void
|
||||
channel_input_ieof(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -2068,6 +2119,7 @@ channel_input_ieof(int type, u_int32_t seq, void *ctxt)
|
||||
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
void
|
||||
channel_input_close(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -2106,6 +2158,7 @@ channel_input_close(int type, u_int32_t seq, void *ctxt)
|
||||
}
|
||||
|
||||
/* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
|
||||
/* ARGSUSED */
|
||||
void
|
||||
channel_input_oclose(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -2118,6 +2171,7 @@ channel_input_oclose(int type, u_int32_t seq, void *ctxt)
|
||||
chan_rcvd_oclose(c);
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
void
|
||||
channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -2134,6 +2188,7 @@ channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt)
|
||||
channel_free(c);
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
void
|
||||
channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -2181,6 +2236,7 @@ reason2txt(int reason)
|
||||
return "unknown reason";
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
void
|
||||
channel_input_open_failure(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -2212,6 +2268,7 @@ channel_input_open_failure(int type, u_int32_t seq, void *ctxt)
|
||||
channel_free(c);
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
void
|
||||
channel_input_window_adjust(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -2236,6 +2293,7 @@ channel_input_window_adjust(int type, u_int32_t seq, void *ctxt)
|
||||
c->remote_window += adjust;
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
void
|
||||
channel_input_port_open(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -2454,7 +2512,7 @@ channel_setup_remote_fwd_listener(const char *listen_address,
|
||||
* the secure channel to host:port from local side.
|
||||
*/
|
||||
|
||||
void
|
||||
int
|
||||
channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
|
||||
const char *host_to_connect, u_short port_to_connect)
|
||||
{
|
||||
@ -2498,7 +2556,6 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
|
||||
success = 1;
|
||||
break;
|
||||
case SSH_SMSG_FAILURE:
|
||||
logit("Warning: Server denied remote port forwarding.");
|
||||
break;
|
||||
default:
|
||||
/* Unknown packet */
|
||||
@ -2512,6 +2569,7 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
|
||||
permitted_opens[num_permitted_opens].listen_port = listen_port;
|
||||
num_permitted_opens++;
|
||||
}
|
||||
return (success ? 0 : -1);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -2551,13 +2609,13 @@ channel_request_rforward_cancel(const char *host, u_short port)
|
||||
/*
|
||||
* This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
|
||||
* listening for the port, and sends back a success reply (or disconnect
|
||||
* message if there was an error). This never returns if there was an error.
|
||||
* message if there was an error).
|
||||
*/
|
||||
|
||||
void
|
||||
int
|
||||
channel_input_port_forward_request(int is_root, int gateway_ports)
|
||||
{
|
||||
u_short port, host_port;
|
||||
int success = 0;
|
||||
char *hostname;
|
||||
|
||||
/* Get arguments from the packet. */
|
||||
@ -2579,11 +2637,13 @@ channel_input_port_forward_request(int is_root, int gateway_ports)
|
||||
#endif
|
||||
|
||||
/* Initiate forwarding */
|
||||
channel_setup_local_fwd_listener(NULL, port, hostname,
|
||||
success = channel_setup_local_fwd_listener(NULL, port, hostname,
|
||||
host_port, gateway_ports);
|
||||
|
||||
/* Free the argument string. */
|
||||
xfree(hostname);
|
||||
|
||||
return (success ? 0 : -1);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -2602,7 +2662,7 @@ void
|
||||
channel_add_permitted_opens(char *host, int port)
|
||||
{
|
||||
if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
|
||||
fatal("channel_request_remote_forwarding: too many forwards");
|
||||
fatal("channel_add_permitted_opens: too many forwards");
|
||||
debug("allow port forwarding to host %s port %d", host, port);
|
||||
|
||||
permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host);
|
||||
@ -2612,6 +2672,19 @@ channel_add_permitted_opens(char *host, int port)
|
||||
all_opens_permitted = 0;
|
||||
}
|
||||
|
||||
int
|
||||
channel_add_adm_permitted_opens(char *host, int port)
|
||||
{
|
||||
if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
|
||||
fatal("channel_add_adm_permitted_opens: too many forwards");
|
||||
debug("config allows port forwarding to host %s port %d", host, port);
|
||||
|
||||
permitted_adm_opens[num_adm_permitted_opens].host_to_connect
|
||||
= xstrdup(host);
|
||||
permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port;
|
||||
return ++num_adm_permitted_opens;
|
||||
}
|
||||
|
||||
void
|
||||
channel_clear_permitted_opens(void)
|
||||
{
|
||||
@ -2621,9 +2694,18 @@ channel_clear_permitted_opens(void)
|
||||
if (permitted_opens[i].host_to_connect != NULL)
|
||||
xfree(permitted_opens[i].host_to_connect);
|
||||
num_permitted_opens = 0;
|
||||
|
||||
}
|
||||
|
||||
void
|
||||
channel_clear_adm_permitted_opens(void)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < num_adm_permitted_opens; i++)
|
||||
if (permitted_adm_opens[i].host_to_connect != NULL)
|
||||
xfree(permitted_adm_opens[i].host_to_connect);
|
||||
num_adm_permitted_opens = 0;
|
||||
}
|
||||
|
||||
/* return socket to remote host, port */
|
||||
static int
|
||||
@ -2701,7 +2783,7 @@ channel_connect_by_listen_address(u_short listen_port)
|
||||
int
|
||||
channel_connect_to(const char *host, u_short port)
|
||||
{
|
||||
int i, permit;
|
||||
int i, permit, permit_adm = 1;
|
||||
|
||||
permit = all_opens_permitted;
|
||||
if (!permit) {
|
||||
@ -2710,9 +2792,19 @@ channel_connect_to(const char *host, u_short port)
|
||||
permitted_opens[i].port_to_connect == port &&
|
||||
strcmp(permitted_opens[i].host_to_connect, host) == 0)
|
||||
permit = 1;
|
||||
|
||||
}
|
||||
if (!permit) {
|
||||
|
||||
if (num_adm_permitted_opens > 0) {
|
||||
permit_adm = 0;
|
||||
for (i = 0; i < num_adm_permitted_opens; i++)
|
||||
if (permitted_adm_opens[i].host_to_connect != NULL &&
|
||||
permitted_adm_opens[i].port_to_connect == port &&
|
||||
strcmp(permitted_adm_opens[i].host_to_connect, host)
|
||||
== 0)
|
||||
permit_adm = 1;
|
||||
}
|
||||
|
||||
if (!permit || !permit_adm) {
|
||||
logit("Received request to connect to host %.100s port %d, "
|
||||
"but the request was denied.", host, port);
|
||||
return -1;
|
||||
@ -2733,10 +2825,10 @@ channel_send_window_changes(void)
|
||||
if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0)
|
||||
continue;
|
||||
channel_request_start(i, "window-change", 0);
|
||||
packet_put_int(ws.ws_col);
|
||||
packet_put_int(ws.ws_row);
|
||||
packet_put_int(ws.ws_xpixel);
|
||||
packet_put_int(ws.ws_ypixel);
|
||||
packet_put_int((u_int)ws.ws_col);
|
||||
packet_put_int((u_int)ws.ws_row);
|
||||
packet_put_int((u_int)ws.ws_xpixel);
|
||||
packet_put_int((u_int)ws.ws_ypixel);
|
||||
packet_send();
|
||||
}
|
||||
}
|
||||
@ -2844,7 +2936,7 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
|
||||
}
|
||||
|
||||
/* Allocate a channel for each socket. */
|
||||
*chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
|
||||
*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
|
||||
for (n = 0; n < num_socks; n++) {
|
||||
sock = socks[n];
|
||||
nc = channel_new("x11 listener",
|
||||
@ -2873,7 +2965,7 @@ connect_local_xsocket(u_int dnr)
|
||||
memset(&addr, 0, sizeof(addr));
|
||||
addr.sun_family = AF_UNIX;
|
||||
snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X, dnr);
|
||||
if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
|
||||
if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
|
||||
return sock;
|
||||
close(sock);
|
||||
error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
|
||||
@ -2883,12 +2975,12 @@ connect_local_xsocket(u_int dnr)
|
||||
int
|
||||
x11_connect_display(void)
|
||||
{
|
||||
int display_number, sock = 0;
|
||||
u_int display_number;
|
||||
const char *display;
|
||||
char buf[1024], *cp;
|
||||
struct addrinfo hints, *ai, *aitop;
|
||||
char strport[NI_MAXSERV];
|
||||
int gaierr;
|
||||
int gaierr, sock = 0;
|
||||
|
||||
/* Try to open a socket for the local X server. */
|
||||
display = getenv("DISPLAY");
|
||||
@ -2908,7 +3000,7 @@ x11_connect_display(void)
|
||||
if (strncmp(display, "unix:", 5) == 0 ||
|
||||
display[0] == ':') {
|
||||
/* Connect to the unix domain socket. */
|
||||
if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
|
||||
if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) {
|
||||
error("Could not parse display number from DISPLAY: %.100s",
|
||||
display);
|
||||
return -1;
|
||||
@ -2933,7 +3025,7 @@ x11_connect_display(void)
|
||||
}
|
||||
*cp = 0;
|
||||
/* buf now contains the host name. But first we parse the display number. */
|
||||
if (sscanf(cp + 1, "%d", &display_number) != 1) {
|
||||
if (sscanf(cp + 1, "%u", &display_number) != 1) {
|
||||
error("Could not parse display number from DISPLAY: %.100s",
|
||||
display);
|
||||
return -1;
|
||||
@ -2943,7 +3035,7 @@ x11_connect_display(void)
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = IPv4or6;
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
snprintf(strport, sizeof strport, "%d", 6000 + display_number);
|
||||
snprintf(strport, sizeof strport, "%u", 6000 + display_number);
|
||||
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
|
||||
error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
|
||||
return -1;
|
||||
@ -2957,7 +3049,7 @@ x11_connect_display(void)
|
||||
}
|
||||
/* Connect it to the display. */
|
||||
if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
|
||||
debug2("connect %.100s port %d: %.100s", buf,
|
||||
debug2("connect %.100s port %u: %.100s", buf,
|
||||
6000 + display_number, strerror(errno));
|
||||
close(sock);
|
||||
continue;
|
||||
@ -2967,7 +3059,7 @@ x11_connect_display(void)
|
||||
}
|
||||
freeaddrinfo(aitop);
|
||||
if (!ai) {
|
||||
error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
|
||||
error("connect %.100s port %u: %.100s", buf, 6000 + display_number,
|
||||
strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
@ -2981,6 +3073,7 @@ x11_connect_display(void)
|
||||
* with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
|
||||
*/
|
||||
|
||||
/* ARGSUSED */
|
||||
void
|
||||
x11_input_open(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -3024,6 +3117,7 @@ x11_input_open(int type, u_int32_t seq, void *ctxt)
|
||||
}
|
||||
|
||||
/* dummy protocol handler that denies SSH-1 requests (agent/x11) */
|
||||
/* ARGSUSED */
|
||||
void
|
||||
deny_input_open(int type, u_int32_t seq, void *ctxt)
|
||||
{
|
||||
@ -3070,13 +3164,11 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
|
||||
return;
|
||||
}
|
||||
|
||||
cp = disp;
|
||||
if (disp)
|
||||
cp = strchr(disp, ':');
|
||||
cp = strchr(disp, ':');
|
||||
if (cp)
|
||||
cp = strchr(cp, '.');
|
||||
if (cp)
|
||||
screen_number = atoi(cp + 1);
|
||||
screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL);
|
||||
else
|
||||
screen_number = 0;
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: channels.h,v 1.83 2005/12/30 15:56:37 reyk Exp $ */
|
||||
/* $OpenBSD: channels.h,v 1.88 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -38,8 +38,6 @@
|
||||
#ifndef CHANNEL_H
|
||||
#define CHANNEL_H
|
||||
|
||||
#include "buffer.h"
|
||||
|
||||
/* Definitions for channel types. */
|
||||
#define SSH_CHANNEL_X11_LISTENER 1 /* Listening for inet X11 conn. */
|
||||
#define SSH_CHANNEL_PORT_LISTENER 2 /* Listening on a port. */
|
||||
@ -207,11 +205,13 @@ int channel_find_open(void);
|
||||
void channel_set_af(int af);
|
||||
void channel_permit_all_opens(void);
|
||||
void channel_add_permitted_opens(char *, int);
|
||||
int channel_add_adm_permitted_opens(char *, int);
|
||||
void channel_clear_permitted_opens(void);
|
||||
void channel_input_port_forward_request(int, int);
|
||||
void channel_clear_adm_permitted_opens(void);
|
||||
int channel_input_port_forward_request(int, int);
|
||||
int channel_connect_to(const char *, u_short);
|
||||
int channel_connect_by_listen_address(u_short);
|
||||
void channel_request_remote_forwarding(const char *, u_short,
|
||||
int channel_request_remote_forwarding(const char *, u_short,
|
||||
const char *, u_short);
|
||||
int channel_setup_local_fwd_listener(const char *, u_short,
|
||||
const char *, u_short, int);
|
||||
|
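Review bot: The prototypes that change from void to int here — `channel_request_remote_forwarding` and `channel_input_port_forward_request` — now carry a failure result, yet the header says nothing about its meaning, nor about what `channel_add_adm_permitted_opens` returns or how the new administrative allow-list relates to the existing `channel_add_permitted_opens`. Every caller written against the old void prototypes silently discards the new value; clientloop.c's process_cmdline is updated in this import, but other callers are outside this view and should be checked for the same `< 0` test. I would add a comment above the adm pair along the lines of `/* Administrator-imposed allow-list for forwarded connections; when it is non-empty a target must match both this list and the per-user permitted list (see channel_connect_to) */`, and a one-line note on the int-returning functions that a negative return means the request was refused and must be checked — confirm the exact convention against the channels.c definitions.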
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: cipher-3des1.c,v 1.6 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2003 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,9 +24,14 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: cipher-3des1.c,v 1.2 2003/12/22 20:29:55 markus Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
|
||||
|
@ -15,9 +15,10 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
RCSID("$Id: cipher-acss.c,v 1.3 2005/07/17 07:04:47 djm Exp $");
|
||||
#include <string.h>
|
||||
|
||||
#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
||||
|
||||
|
@ -28,9 +28,13 @@
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#ifdef USE_BUILTIN_RIJNDAEL
|
||||
RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "rijndael.h"
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: cipher-bf1.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2003 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,9 +24,14 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: cipher-bf1.c,v 1.1 2003/05/15 03:08:29 markus Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: cipher-ctr.c,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
|
||||
*
|
||||
@ -14,12 +15,16 @@
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
|
||||
/* compatibility with old or broken OpenSSL versions */
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: cipher.c,v 1.81 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -35,14 +36,18 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: cipher.c,v 1.77 2005/07/16 01:35:24 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/md5.h>
|
||||
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
#include "cipher.h"
|
||||
|
||||
#include <openssl/md5.h>
|
||||
|
||||
/* compatibility with old or broken OpenSSL versions */
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: cipher.h,v 1.35 2004/07/28 09:40:29 markus Exp $ */
|
||||
/* $OpenBSD: cipher.h,v 1.36 2006/03/25 22:22:42 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: cleanup.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
|
||||
*
|
||||
@ -13,8 +14,13 @@
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: cleanup.c,v 1.1 2003/09/23 20:17:11 markus Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <unistd.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "log.h"
|
||||
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: clientloop.c,v 1.175 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -59,20 +60,43 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: clientloop.c,v 1.149 2005/12/30 15:56:37 reyk Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/param.h>
|
||||
#ifdef HAVE_SYS_STAT_H
|
||||
# include <sys/stat.h>
|
||||
#endif
|
||||
#ifdef HAVE_SYS_TIME_H
|
||||
# include <sys/time.h>
|
||||
#endif
|
||||
#include <sys/socket.h>
|
||||
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
#ifdef HAVE_PATHS_H
|
||||
#include <paths.h>
|
||||
#endif
|
||||
#include <signal.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <termios.h>
|
||||
#include <pwd.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
#include "ssh2.h"
|
||||
#include "xmalloc.h"
|
||||
#include "packet.h"
|
||||
#include "buffer.h"
|
||||
#include "compat.h"
|
||||
#include "channels.h"
|
||||
#include "dispatch.h"
|
||||
#include "buffer.h"
|
||||
#include "bufaux.h"
|
||||
#include "key.h"
|
||||
#include "cipher.h"
|
||||
#include "kex.h"
|
||||
#include "log.h"
|
||||
#include "readconf.h"
|
||||
@ -118,7 +142,7 @@ static volatile sig_atomic_t received_signal = 0;
|
||||
static int in_non_blocking_mode = 0;
|
||||
|
||||
/* Common data for the client loop code. */
|
||||
static int quit_pending; /* Set to non-zero to quit the client loop. */
|
||||
static volatile sig_atomic_t quit_pending; /* Set non-zero to quit the loop. */
|
||||
static int escape_char; /* Escape character. */
|
||||
static int escape_pending; /* Last character was the escape character */
|
||||
static int last_was_cr; /* Last character was a newline. */
|
||||
@ -178,7 +202,7 @@ enter_non_blocking(void)
|
||||
* Signal handler for the window change signal (SIGWINCH). This just sets a
|
||||
* flag indicating that the window has changed.
|
||||
*/
|
||||
|
||||
/*ARGSUSED */
|
||||
static void
|
||||
window_change_handler(int sig)
|
||||
{
|
||||
@ -190,7 +214,7 @@ window_change_handler(int sig)
|
||||
* Signal handler for signals that cause the program to terminate. These
|
||||
* signals must be trapped to restore terminal modes.
|
||||
*/
|
||||
|
||||
/*ARGSUSED */
|
||||
static void
|
||||
signal_handler(int sig)
|
||||
{
|
||||
@ -422,10 +446,10 @@ client_check_window_change(void)
|
||||
if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
|
||||
return;
|
||||
packet_start(SSH_CMSG_WINDOW_SIZE);
|
||||
packet_put_int(ws.ws_row);
|
||||
packet_put_int(ws.ws_col);
|
||||
packet_put_int(ws.ws_xpixel);
|
||||
packet_put_int(ws.ws_ypixel);
|
||||
packet_put_int((u_int)ws.ws_row);
|
||||
packet_put_int((u_int)ws.ws_col);
|
||||
packet_put_int((u_int)ws.ws_xpixel);
|
||||
packet_put_int((u_int)ws.ws_ypixel);
|
||||
packet_send();
|
||||
}
|
||||
}
|
||||
@ -569,7 +593,7 @@ client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr)
|
||||
}
|
||||
|
||||
static void
|
||||
client_process_net_input(fd_set * readset)
|
||||
client_process_net_input(fd_set *readset)
|
||||
{
|
||||
int len;
|
||||
char buf[8192];
|
||||
@ -677,7 +701,7 @@ client_extra_session2_setup(int id, void *arg)
|
||||
}
|
||||
|
||||
static void
|
||||
client_process_control(fd_set * readset)
|
||||
client_process_control(fd_set *readset)
|
||||
{
|
||||
Buffer m;
|
||||
Channel *c;
|
||||
@ -808,8 +832,7 @@ client_process_control(fd_set * readset)
|
||||
return;
|
||||
}
|
||||
|
||||
cctx = xmalloc(sizeof(*cctx));
|
||||
memset(cctx, 0, sizeof(*cctx));
|
||||
cctx = xcalloc(1, sizeof(*cctx));
|
||||
cctx->want_tty = (flags & SSHMUX_FLAG_TTY) != 0;
|
||||
cctx->want_subsys = (flags & SSHMUX_FLAG_SUBSYS) != 0;
|
||||
cctx->want_x_fwd = (flags & SSHMUX_FLAG_X11_FWD) != 0;
|
||||
@ -824,7 +847,7 @@ client_process_control(fd_set * readset)
|
||||
env_len = MIN(env_len, 4096);
|
||||
debug3("%s: receiving %d env vars", __func__, env_len);
|
||||
if (env_len != 0) {
|
||||
cctx->env = xmalloc(sizeof(*cctx->env) * (env_len + 1));
|
||||
cctx->env = xcalloc(env_len + 1, sizeof(*cctx->env));
|
||||
for (i = 0; i < env_len; i++)
|
||||
cctx->env[i] = buffer_get_string(&m, &len);
|
||||
cctx->env[i] = NULL;
|
||||
@ -832,6 +855,7 @@ client_process_control(fd_set * readset)
|
||||
|
||||
debug2("%s: accepted tty %d, subsys %d, cmd %s", __func__,
|
||||
cctx->want_tty, cctx->want_subsys, cmd);
|
||||
xfree(cmd);
|
||||
|
||||
/* Gather fds from client */
|
||||
new_fd[0] = mm_receive_fd(client_fd);
|
||||
@ -912,12 +936,16 @@ process_cmdline(void)
|
||||
|
||||
if (*s == 'h' || *s == 'H' || *s == '?') {
|
||||
logit("Commands:");
|
||||
logit(" -Lport:host:hostport Request local forward");
|
||||
logit(" -Rport:host:hostport Request remote forward");
|
||||
logit(" -KRhostport Cancel remote forward");
|
||||
logit(" -L[bind_address:]port:host:hostport "
|
||||
"Request local forward");
|
||||
logit(" -R[bind_address:]port:host:hostport "
|
||||
"Request remote forward");
|
||||
logit(" -KR[bind_address:]port "
|
||||
"Cancel remote forward");
|
||||
if (!options.permit_local_command)
|
||||
goto out;
|
||||
logit(" !args Execute local command");
|
||||
logit(" !args "
|
||||
"Execute local command");
|
||||
goto out;
|
||||
}
|
||||
|
||||
@ -978,9 +1006,12 @@ process_cmdline(void)
|
||||
goto out;
|
||||
}
|
||||
} else {
|
||||
channel_request_remote_forwarding(fwd.listen_host,
|
||||
if (channel_request_remote_forwarding(fwd.listen_host,
|
||||
fwd.listen_port, fwd.connect_host,
|
||||
fwd.connect_port);
|
||||
fwd.connect_port) < 0) {
|
||||
logit("Port forwarding failed.");
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
logit("Forwarding port.");
|
||||
@ -1172,7 +1203,7 @@ Supported escape sequences:\r\n\
|
||||
}
|
||||
|
||||
static void
|
||||
client_process_input(fd_set * readset)
|
||||
client_process_input(fd_set *readset)
|
||||
{
|
||||
int len;
|
||||
char buf[8192];
|
||||
@ -1225,7 +1256,7 @@ client_process_input(fd_set * readset)
|
||||
}
|
||||
|
||||
static void
|
||||
client_process_output(fd_set * writeset)
|
||||
client_process_output(fd_set *writeset)
|
||||
{
|
||||
int len;
|
||||
char buf[100];
|
||||
@ -1869,10 +1900,10 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
|
||||
|
||||
channel_request_start(id, "pty-req", 0);
|
||||
packet_put_cstring(term != NULL ? term : "");
|
||||
packet_put_int(ws.ws_col);
|
||||
packet_put_int(ws.ws_row);
|
||||
packet_put_int(ws.ws_xpixel);
|
||||
packet_put_int(ws.ws_ypixel);
|
||||
packet_put_int((u_int)ws.ws_col);
|
||||
packet_put_int((u_int)ws.ws_row);
|
||||
packet_put_int((u_int)ws.ws_xpixel);
|
||||
packet_put_int((u_int)ws.ws_ypixel);
|
||||
tio = get_saved_tio();
|
||||
tty_make_modes(-1, tiop != NULL ? tiop : &tio);
|
||||
packet_send();
|
||||
|
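Review bot: In the client_process_control hunk, `debug3("%s: receiving %d env vars", __func__, env_len);` still prints env_len with %d while the rest of this import moves u_int arguments to %u (the display-number logging in channels.c, for instance); if env_len is declared u_int above this hunk, as the `MIN(env_len, 4096)` cap suggests, it should be `%u` here too. That cap also silently drops any entries past 4096 without a log line: the loop reads only the first 4096 strings and the rest presumably stay unread in the mux buffer, so a client that sent more gets a partial environment with no indication. Since this is the same-user multiplex socket rather than the network I would treat it as robustness rather than a security boundary, and add `if (env_len > 4096) logit("%s: too many environment variables, truncating to 4096", __func__);` before the cap. The switch to `xcalloc(env_len + 1, sizeof(*cctx->env))` is the right call, as it gets the overflow-checked multiply for free. client_process_control starts and ends outside this hunk.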
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: clientloop.h,v 1.14 2005/07/04 00:58:43 djm Exp $ */
|
||||
/* $OpenBSD: clientloop.h,v 1.16 2006/03/25 22:22:42 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -35,6 +35,8 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <termios.h>
|
||||
|
||||
/* Client side main loop for the interactive session. */
|
||||
int client_loop(int, int, int);
|
||||
void client_x11_get_proto(const char *, const char *, u_int,
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: compat.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,11 +24,16 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: compat.c,v 1.71 2005/03/01 10:09:52 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "buffer.h"
|
||||
#include "packet.h"
|
||||
#include "xmalloc.h"
|
||||
#include "compat.h"
|
||||
#include "log.h"
|
||||
#include "match.h"
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: compat.h,v 1.39 2005/03/01 10:09:52 djm Exp $ */
|
||||
/* $OpenBSD: compat.h,v 1.40 2006/03/25 22:22:43 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: compress.c,v 1.25 2006/08/06 01:13:32 stevesk Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -12,11 +13,14 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: compress.c,v 1.21 2004/01/13 19:45:15 markus Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <zlib.h>
|
||||
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "zlib.h"
|
||||
#include "compress.h"
|
||||
|
||||
z_stream incoming_stream;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: compress.h,v 1.11 2002/03/04 17:27:39 stevesk Exp $ */
|
||||
/* $OpenBSD: compress.h,v 1.12 2006/03/25 22:22:43 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $Id: configure.ac,v 1.322 2006/01/29 13:22:39 dtucker Exp $
|
||||
# $Id: configure.ac,v 1.367 2006/09/24 19:08:59 tim Exp $
|
||||
#
|
||||
# Copyright (c) 1999-2004 Damien Miller
|
||||
#
|
||||
@ -15,6 +15,7 @@
|
||||
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
|
||||
AC_REVISION($Revision: 1.367 $)
|
||||
AC_CONFIG_SRCDIR([ssh.c])
|
||||
|
||||
AC_CONFIG_HEADER(config.h)
|
||||
@ -27,6 +28,7 @@ AC_PROG_AWK
|
||||
AC_PROG_CPP
|
||||
AC_PROG_RANLIB
|
||||
AC_PROG_INSTALL
|
||||
AC_PROG_EGREP
|
||||
AC_PATH_PROG(AR, ar)
|
||||
AC_PATH_PROG(CAT, cat)
|
||||
AC_PATH_PROG(KILL, kill)
|
||||
@ -125,15 +127,45 @@ AC_ARG_WITH(rpath,
|
||||
]
|
||||
)
|
||||
|
||||
# Messages for features tested for in target-specific section
|
||||
SIA_MSG="no"
|
||||
SPC_MSG="no"
|
||||
|
||||
# Check for some target-specific stuff
|
||||
case "$host" in
|
||||
*-*-aix*)
|
||||
# Some versions of VAC won't allow macro redefinitions at
|
||||
# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
|
||||
# particularly with older versions of vac or xlc.
|
||||
# It also throws errors about null macro argments, but these are
|
||||
# not fatal.
|
||||
AC_MSG_CHECKING(if compiler allows macro redefinitions)
|
||||
AC_COMPILE_IFELSE(
|
||||
[AC_LANG_SOURCE([[
|
||||
#define testmacro foo
|
||||
#define testmacro bar
|
||||
int main(void) { exit(0); }
|
||||
]])],
|
||||
[ AC_MSG_RESULT(yes) ],
|
||||
[ AC_MSG_RESULT(no)
|
||||
CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
|
||||
LD="`echo $LD | sed 's/-qlanglvl\=ansi//g'`"
|
||||
CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
|
||||
CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
|
||||
]
|
||||
)
|
||||
|
||||
AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
|
||||
if (test -z "$blibpath"); then
|
||||
blibpath="/usr/lib:/lib"
|
||||
fi
|
||||
saved_LDFLAGS="$LDFLAGS"
|
||||
for tryflags in -blibpath: -Wl,-blibpath: -Wl,-rpath, ;do
|
||||
if test "$GCC" = "yes"; then
|
||||
flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
|
||||
else
|
||||
flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
|
||||
fi
|
||||
for tryflags in $flags ;do
|
||||
if (test -z "$blibflags"); then
|
||||
LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
|
||||
AC_TRY_LINK([], [], [blibflags=$tryflags])
|
||||
@ -173,6 +205,12 @@ case "$host" in
|
||||
[#include <usersec.h>]
|
||||
)
|
||||
AC_CHECK_FUNCS(setauthdb)
|
||||
AC_CHECK_DECL(F_CLOSEM,
|
||||
AC_DEFINE(HAVE_FCNTL_CLOSEM, 1, [Use F_CLOSEM fcntl for closefrom]),
|
||||
[],
|
||||
[ #include <limits.h>
|
||||
#include <fcntl.h> ]
|
||||
)
|
||||
check_for_aix_broken_getaddrinfo=1
|
||||
AC_DEFINE(BROKEN_REALPATH, 1, [Define if you have a broken realpath.])
|
||||
AC_DEFINE(SETEUID_BREAKS_SETUID, 1,
|
||||
@ -188,6 +226,7 @@ case "$host" in
|
||||
supported by bsd-setproctitle.c])
|
||||
AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1,
|
||||
[AIX 5.2 and 5.3 (and presumably newer) require this])
|
||||
AC_DEFINE(PTY_ZEROREAD, 1, [read(1) can return 0 for a non-closed fd])
|
||||
;;
|
||||
*-*-cygwin*)
|
||||
check_for_libcrypt_later=1
|
||||
@ -229,6 +268,14 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
|
||||
AC_DEFINE(BROKEN_SETREGID)
|
||||
AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1,
|
||||
[Define if your resolver libs need this for getrrsetbyname])
|
||||
AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
|
||||
AC_DEFINE(SSH_TUN_COMPAT_AF, 1,
|
||||
[Use tunnel device compatibility to OpenBSD])
|
||||
AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
|
||||
[Prepend the address family to IP tunnel traffic])
|
||||
;;
|
||||
*-*-dragonfly*)
|
||||
SSHDLIBS="$SSHDLIBS -lcrypt"
|
||||
;;
|
||||
*-*-hpux*)
|
||||
# first we define all of the options common to all HP-UX releases
|
||||
@ -343,7 +390,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
|
||||
fi
|
||||
;;
|
||||
mips-sony-bsd|mips-sony-newsos4)
|
||||
AC_DEFINE(NEED_SETPRGP, 1, [Need setpgrp to acquire controlling tty])
|
||||
AC_DEFINE(NEED_SETPGRP, 1, [Need setpgrp to acquire controlling tty])
|
||||
SONY=1
|
||||
;;
|
||||
*-*-netbsd*)
|
||||
@ -383,6 +430,8 @@ mips-sony-bsd|mips-sony-newsos4)
|
||||
AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel])
|
||||
AC_DEFINE(HAVE_ATTRIBUTE__BOUNDED__, 1, [OpenBSD's gcc has bounded])
|
||||
AC_DEFINE(SSH_TUN_OPENBSD, 1, [Open tunnel devices the OpenBSD way])
|
||||
AC_DEFINE(SYSLOG_R_SAFE_IN_SIGHAND, 1,
|
||||
[syslog_r function is safe to use in in a signal handler])
|
||||
;;
|
||||
*-*-solaris*)
|
||||
if test "x$withval" != "xno" ; then
|
||||
@ -402,6 +451,8 @@ mips-sony-bsd|mips-sony-newsos4)
|
||||
AC_DEFINE(SSHD_ACQUIRES_CTTY, 1,
|
||||
[Define if sshd somehow reacquires a controlling TTY
|
||||
after setsid()])
|
||||
AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd
|
||||
in case the name is longer than 8 chars])
|
||||
external_path_file=/etc/default/login
|
||||
# hardwire lastlog location (can't detect it on some versions)
|
||||
conf_lastlog_location="/var/adm/lastlog"
|
||||
@ -415,6 +466,17 @@ mips-sony-bsd|mips-sony-newsos4)
|
||||
else
|
||||
AC_MSG_RESULT(no)
|
||||
fi
|
||||
AC_ARG_WITH(solaris-contracts,
|
||||
[ --with-solaris-contracts Enable Solaris process contracts (experimental)],
|
||||
[
|
||||
AC_CHECK_LIB(contract, ct_tmpl_activate,
|
||||
[ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1,
|
||||
[Define if you have Solaris process contracts])
|
||||
SSHDLIBS="$SSHDLIBS -lcontract"
|
||||
AC_SUBST(SSHDLIBS)
|
||||
SPC_MSG="yes" ], )
|
||||
],
|
||||
)
|
||||
;;
|
||||
*-*-sunos4*)
|
||||
CPPFLAGS="$CPPFLAGS -DSUNOS4"
|
||||
@ -452,7 +514,6 @@ mips-sony-bsd|mips-sony-newsos4)
|
||||
;;
|
||||
# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
|
||||
*-*-sysv4.2*)
|
||||
CFLAGS="$CFLAGS -Dva_list=_VA_LIST"
|
||||
AC_DEFINE(USE_PIPES)
|
||||
AC_DEFINE(SETEUID_BREAKS_SETUID)
|
||||
AC_DEFINE(BROKEN_SETREUID)
|
||||
@ -474,6 +535,7 @@ mips-sony-bsd|mips-sony-newsos4)
|
||||
TEST_SHELL=/u95/bin/sh
|
||||
AC_DEFINE(BROKEN_LIBIAF, 1,
|
||||
[ia_uinfo routines not supported by OS yet])
|
||||
AC_DEFINE(BROKEN_UPDWTMPX)
|
||||
;;
|
||||
*) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
|
||||
;;
|
||||
@ -563,6 +625,7 @@ mips-sony-bsd|mips-sony-newsos4)
|
||||
system's login() call])
|
||||
AC_DEFINE(DISABLE_FD_PASSING)
|
||||
LIBS="$LIBS -lsecurity -ldb -lm -laud"
|
||||
SIA_MSG="yes"
|
||||
else
|
||||
AC_MSG_RESULT(no)
|
||||
AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin",
|
||||
@ -575,18 +638,21 @@ mips-sony-bsd|mips-sony-newsos4)
|
||||
AC_DEFINE(BROKEN_SETREGID)
|
||||
;;
|
||||
|
||||
*-*-nto-qnx)
|
||||
*-*-nto-qnx*)
|
||||
AC_DEFINE(USE_PIPES)
|
||||
AC_DEFINE(NO_X11_UNIX_SOCKETS)
|
||||
AC_DEFINE(MISSING_NFDBITS, 1, [Define on *nto-qnx systems])
|
||||
AC_DEFINE(MISSING_HOWMANY, 1, [Define on *nto-qnx systems])
|
||||
AC_DEFINE(MISSING_FD_MASK, 1, [Define on *nto-qnx systems])
|
||||
AC_DEFINE(DISABLE_LASTLOG)
|
||||
AC_DEFINE(SSHD_ACQUIRES_CTTY)
|
||||
enable_etc_default_login=no # has incompatible /etc/default/login
|
||||
;;
|
||||
|
||||
*-*-ultrix*)
|
||||
AC_DEFINE(BROKEN_GETGROUPS, 1, [getgroups(0,NULL) will return -1])
|
||||
AC_DEFINE(BROKEN_MMAP, 1, [Ultrix mmap can't map files])
|
||||
AC_DEFINE(NEED_SETPRGP)
|
||||
AC_DEFINE(NEED_SETPGRP)
|
||||
AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix])
|
||||
;;
|
||||
|
||||
@ -664,30 +730,30 @@ dnl Checks for header files.
|
||||
AC_CHECK_HEADERS( \
|
||||
bstring.h \
|
||||
crypt.h \
|
||||
crypto/sha2.h \
|
||||
dirent.h \
|
||||
endian.h \
|
||||
features.h \
|
||||
fcntl.h \
|
||||
floatingpoint.h \
|
||||
getopt.h \
|
||||
glob.h \
|
||||
ia.h \
|
||||
iaf.h \
|
||||
lastlog.h \
|
||||
limits.h \
|
||||
login.h \
|
||||
login_cap.h \
|
||||
maillock.h \
|
||||
ndir.h \
|
||||
net/if.h \
|
||||
net/if_tun.h \
|
||||
netdb.h \
|
||||
netgroup.h \
|
||||
netinet/in_systm.h \
|
||||
pam/pam_appl.h \
|
||||
paths.h \
|
||||
pty.h \
|
||||
readpassphrase.h \
|
||||
rpc/types.h \
|
||||
security/pam_appl.h \
|
||||
sha2.h \
|
||||
shadow.h \
|
||||
stddef.h \
|
||||
stdint.h \
|
||||
@ -723,6 +789,13 @@ AC_CHECK_HEADERS( \
|
||||
vis.h \
|
||||
)
|
||||
|
||||
# lastlog.h requires sys/time.h to be included first on Solaris
|
||||
AC_CHECK_HEADERS(lastlog.h, [], [], [
|
||||
#ifdef HAVE_SYS_TIME_H
|
||||
# include <sys/time.h>
|
||||
#endif
|
||||
])
|
||||
|
||||
# sys/ptms.h requires sys/stream.h to be included first on Solaris
|
||||
AC_CHECK_HEADERS(sys/ptms.h, [], [], [
|
||||
#ifdef HAVE_SYS_STREAM_H
|
||||
@ -730,6 +803,11 @@ AC_CHECK_HEADERS(sys/ptms.h, [], [], [
|
||||
#endif
|
||||
])
|
||||
|
||||
# login_cap.h requires sys/types.h on NetBSD
|
||||
AC_CHECK_HEADERS(login_cap.h, [], [], [
|
||||
#include <sys/types.h>
|
||||
])
|
||||
|
||||
# Checks for libraries.
|
||||
AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
|
||||
AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt))
|
||||
@ -914,11 +992,9 @@ AC_EGREP_CPP(FOUNDIT,
|
||||
|
||||
# Check for g.gl_matchc glob() extension
|
||||
AC_MSG_CHECKING(for gl_matchc field in glob_t)
|
||||
AC_EGREP_CPP(FOUNDIT,
|
||||
[
|
||||
#include <glob.h>
|
||||
int main(void){glob_t g; g.gl_matchc = 1;}
|
||||
],
|
||||
AC_TRY_COMPILE(
|
||||
[ #include <glob.h> ],
|
||||
[glob_t g; g.gl_matchc = 1;],
|
||||
[
|
||||
AC_DEFINE(GLOB_HAS_GL_MATCHC, 1,
|
||||
[Define if your system glob() function has
|
||||
@ -930,6 +1006,8 @@ AC_EGREP_CPP(FOUNDIT,
|
||||
]
|
||||
)
|
||||
|
||||
AC_CHECK_DECLS(GLOB_NOMATCH, , , [#include <glob.h>])
|
||||
|
||||
AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
|
||||
AC_RUN_IFELSE(
|
||||
[AC_LANG_SOURCE([[
|
||||
@ -1111,7 +1189,13 @@ AC_ARG_WITH(audit,
|
||||
AUDIT_MODULE=bsm
|
||||
dnl Checks for headers, libs and functions
|
||||
AC_CHECK_HEADERS(bsm/audit.h, [],
|
||||
[AC_MSG_ERROR(BSM enabled and bsm/audit.h not found)])
|
||||
[AC_MSG_ERROR(BSM enabled and bsm/audit.h not found)],
|
||||
[
|
||||
#ifdef HAVE_TIME_H
|
||||
# include <time.h>
|
||||
#endif
|
||||
]
|
||||
)
|
||||
AC_CHECK_LIB(bsm, getaudit, [],
|
||||
[AC_MSG_ERROR(BSM enabled and required library not found)])
|
||||
AC_CHECK_FUNCS(getaudit, [],
|
||||
@ -1257,6 +1341,29 @@ AC_CHECK_DECL(tcsendbreak,
|
||||
|
||||
AC_CHECK_DECLS(h_errno, , ,[#include <netdb.h>])
|
||||
|
||||
AC_CHECK_DECLS(SHUT_RD, , ,
|
||||
[
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
])
|
||||
|
||||
AC_CHECK_DECLS(O_NONBLOCK, , ,
|
||||
[
|
||||
#include <sys/types.h>
|
||||
#ifdef HAVE_SYS_STAT_H
|
||||
# include <sys/stat.h>
|
||||
#endif
|
||||
#ifdef HAVE_FCNTL_H
|
||||
# include <fcntl.h>
|
||||
#endif
|
||||
])
|
||||
|
||||
AC_CHECK_DECLS(writev, , , [
|
||||
#include <sys/types.h>
|
||||
#include <sys/uio.h>
|
||||
#include <unistd.h>
|
||||
])
|
||||
|
||||
AC_CHECK_FUNCS(setresuid, [
|
||||
dnl Some platorms have setresuid that isn't implemented, test for this
|
||||
AC_MSG_CHECKING(if setresuid seems to work)
|
||||
@ -1601,6 +1708,7 @@ main(void)
|
||||
AC_MSG_RESULT(no)
|
||||
AC_DEFINE(BROKEN_GETADDRINFO)
|
||||
],
|
||||
[
|
||||
AC_MSG_RESULT(cross-compiling, assuming no)
|
||||
]
|
||||
)
|
||||
@ -1626,61 +1734,6 @@ fi
|
||||
|
||||
AC_FUNC_GETPGRP
|
||||
|
||||
# Check for PAM libs
|
||||
PAM_MSG="no"
|
||||
AC_ARG_WITH(pam,
|
||||
[ --with-pam Enable PAM support ],
|
||||
[
|
||||
if test "x$withval" != "xno" ; then
|
||||
if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
|
||||
test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
|
||||
AC_MSG_ERROR([PAM headers not found])
|
||||
fi
|
||||
|
||||
AC_CHECK_LIB(dl, dlopen, , )
|
||||
AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
|
||||
AC_CHECK_FUNCS(pam_getenvlist)
|
||||
AC_CHECK_FUNCS(pam_putenv)
|
||||
|
||||
PAM_MSG="yes"
|
||||
|
||||
AC_DEFINE(USE_PAM, 1,
|
||||
[Define if you want to enable PAM support])
|
||||
if test $ac_cv_lib_dl_dlopen = yes; then
|
||||
LIBPAM="-lpam -ldl"
|
||||
else
|
||||
LIBPAM="-lpam"
|
||||
fi
|
||||
AC_SUBST(LIBPAM)
|
||||
fi
|
||||
]
|
||||
)
|
||||
|
||||
# Check for older PAM
|
||||
if test "x$PAM_MSG" = "xyes" ; then
|
||||
# Check PAM strerror arguments (old PAM)
|
||||
AC_MSG_CHECKING([whether pam_strerror takes only one argument])
|
||||
AC_TRY_COMPILE(
|
||||
[
|
||||
#include <stdlib.h>
|
||||
#if defined(HAVE_SECURITY_PAM_APPL_H)
|
||||
#include <security/pam_appl.h>
|
||||
#elif defined (HAVE_PAM_PAM_APPL_H)
|
||||
#include <pam/pam_appl.h>
|
||||
#endif
|
||||
],
|
||||
[(void)pam_strerror((pam_handle_t *)NULL, -1);],
|
||||
[AC_MSG_RESULT(no)],
|
||||
[
|
||||
AC_DEFINE(HAVE_OLD_PAM, 1,
|
||||
[Define if you have an old version of PAM
|
||||
which takes only one argument to pam_strerror])
|
||||
AC_MSG_RESULT(yes)
|
||||
PAM_MSG="yes (old library)"
|
||||
]
|
||||
)
|
||||
fi
|
||||
|
||||
# Search for OpenSSL
|
||||
saved_CPPFLAGS="$CPPFLAGS"
|
||||
saved_LDFLAGS="$LDFLAGS"
|
||||
@ -1826,13 +1879,61 @@ Also see contrib/findssl.sh for help identifying header/library mismatches.])
|
||||
]
|
||||
)
|
||||
|
||||
AC_MSG_CHECKING([if programs using OpenSSL functions will link])
|
||||
AC_LINK_IFELSE(
|
||||
[AC_LANG_SOURCE([[
|
||||
#include <openssl/evp.h>
|
||||
int main(void) { SSLeay_add_all_algorithms(); }
|
||||
]])],
|
||||
[
|
||||
AC_MSG_RESULT(yes)
|
||||
],
|
||||
[
|
||||
AC_MSG_RESULT(no)
|
||||
saved_LIBS="$LIBS"
|
||||
LIBS="$LIBS -ldl"
|
||||
AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
|
||||
AC_LINK_IFELSE(
|
||||
[AC_LANG_SOURCE([[
|
||||
#include <openssl/evp.h>
|
||||
int main(void) { SSLeay_add_all_algorithms(); }
|
||||
]])],
|
||||
[
|
||||
AC_MSG_RESULT(yes)
|
||||
],
|
||||
[
|
||||
AC_MSG_RESULT(no)
|
||||
LIBS="$saved_LIBS"
|
||||
]
|
||||
)
|
||||
]
|
||||
)
|
||||
|
||||
AC_ARG_WITH(ssl-engine,
|
||||
[ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
|
||||
[ if test "x$withval" != "xno" ; then
|
||||
AC_MSG_CHECKING(for OpenSSL ENGINE support)
|
||||
AC_TRY_COMPILE(
|
||||
[ #include <openssl/engine.h>],
|
||||
[
|
||||
int main(void){ENGINE_load_builtin_engines();ENGINE_register_all_complete();}
|
||||
],
|
||||
[ AC_MSG_RESULT(yes)
|
||||
AC_DEFINE(USE_OPENSSL_ENGINE, 1,
|
||||
[Enable OpenSSL engine support])
|
||||
],
|
||||
[ AC_MSG_ERROR(OpenSSL ENGINE support not found)]
|
||||
)
|
||||
fi ]
|
||||
)
|
||||
|
||||
# Check for OpenSSL without EVP_aes_{192,256}_cbc
|
||||
AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
|
||||
AC_COMPILE_IFELSE(
|
||||
AC_LINK_IFELSE(
|
||||
[AC_LANG_SOURCE([[
|
||||
#include <string.h>
|
||||
#include <openssl/evp.h>
|
||||
int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL)}
|
||||
int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);}
|
||||
]])],
|
||||
[
|
||||
AC_MSG_RESULT(no)
|
||||
@ -1856,6 +1957,9 @@ if test "x$check_for_libcrypt_later" = "x1"; then
|
||||
AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
|
||||
fi
|
||||
|
||||
# Search for SHA256 support in libc and/or OpenSSL
|
||||
AC_CHECK_FUNCS(SHA256_Update EVP_sha256)
|
||||
|
||||
AC_CHECK_LIB(iaf, ia_openinfo)
|
||||
|
||||
### Configure cryptographic random number support
|
||||
@ -1886,6 +1990,69 @@ int main(void) { exit(RAND_status() == 1 ? 0 : 1); }
|
||||
]
|
||||
)
|
||||
|
||||
# Check for PAM libs
|
||||
PAM_MSG="no"
|
||||
AC_ARG_WITH(pam,
|
||||
[ --with-pam Enable PAM support ],
|
||||
[
|
||||
if test "x$withval" != "xno" ; then
|
||||
if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
|
||||
test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
|
||||
AC_MSG_ERROR([PAM headers not found])
|
||||
fi
|
||||
|
||||
saved_LIBS="$LIBS"
|
||||
AC_CHECK_LIB(dl, dlopen, , )
|
||||
AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
|
||||
AC_CHECK_FUNCS(pam_getenvlist)
|
||||
AC_CHECK_FUNCS(pam_putenv)
|
||||
LIBS="$saved_LIBS"
|
||||
|
||||
PAM_MSG="yes"
|
||||
|
||||
LIBPAM="-lpam"
|
||||
AC_DEFINE(USE_PAM, 1,
|
||||
[Define if you want to enable PAM support])
|
||||
|
||||
if test $ac_cv_lib_dl_dlopen = yes; then
|
||||
case "$LIBS" in
|
||||
*-ldl*)
|
||||
# libdl already in LIBS
|
||||
;;
|
||||
*)
|
||||
LIBPAM="$LIBPAM -ldl"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
AC_SUBST(LIBPAM)
|
||||
fi
|
||||
]
|
||||
)
|
||||
|
||||
# Check for older PAM
|
||||
if test "x$PAM_MSG" = "xyes" ; then
|
||||
# Check PAM strerror arguments (old PAM)
|
||||
AC_MSG_CHECKING([whether pam_strerror takes only one argument])
|
||||
AC_TRY_COMPILE(
|
||||
[
|
||||
#include <stdlib.h>
|
||||
#if defined(HAVE_SECURITY_PAM_APPL_H)
|
||||
#include <security/pam_appl.h>
|
||||
#elif defined (HAVE_PAM_PAM_APPL_H)
|
||||
#include <pam/pam_appl.h>
|
||||
#endif
|
||||
],
|
||||
[(void)pam_strerror((pam_handle_t *)NULL, -1);],
|
||||
[AC_MSG_RESULT(no)],
|
||||
[
|
||||
AC_DEFINE(HAVE_OLD_PAM, 1,
|
||||
[Define if you have an old version of PAM
|
||||
which takes only one argument to pam_strerror])
|
||||
AC_MSG_RESULT(yes)
|
||||
PAM_MSG="yes (old library)"
|
||||
]
|
||||
)
|
||||
fi
|
||||
|
||||
# Do we want to force the use of the rand helper?
|
||||
AC_ARG_WITH(rand-helper,
|
||||
@ -2105,6 +2272,34 @@ if test -z "$have_llong_max"; then
|
||||
#define __USE_ISOC99
|
||||
#include <limits.h>
|
||||
#define DATA "conftest.llminmax"
|
||||
#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
|
||||
|
||||
/*
|
||||
* printf in libc on some platforms (eg old Tru64) does not understand %lld so
|
||||
* we do this the hard way.
|
||||
*/
|
||||
static int
|
||||
fprint_ll(FILE *f, long long n)
|
||||
{
|
||||
unsigned int i;
|
||||
int l[sizeof(long long) * 8];
|
||||
|
||||
if (n < 0)
|
||||
if (fprintf(f, "-") < 0)
|
||||
return -1;
|
||||
for (i = 0; n != 0; i++) {
|
||||
l[i] = my_abs(n % 10);
|
||||
n /= 10;
|
||||
}
|
||||
do {
|
||||
if (fprintf(f, "%d", l[--i]) < 0)
|
||||
return -1;
|
||||
} while (i != 0);
|
||||
if (fprintf(f, " ") < 0)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int main(void) {
|
||||
FILE *f;
|
||||
long long i, llmin, llmax = 0;
|
||||
@ -2126,14 +2321,18 @@ int main(void) {
|
||||
|
||||
/* Sanity check */
|
||||
if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
|
||||
|| llmax - 1 > llmax) {
|
||||
|| llmax - 1 > llmax || llmin == llmax || llmin == 0
|
||||
|| llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
|
||||
fprintf(f, "unknown unknown\n");
|
||||
exit(2);
|
||||
}
|
||||
|
||||
if (fprintf(f ,"%lld %lld", llmin, llmax) < 0)
|
||||
if (fprint_ll(f, llmin) < 0)
|
||||
exit(3);
|
||||
|
||||
if (fprint_ll(f, llmax) < 0)
|
||||
exit(4);
|
||||
if (fclose(f) < 0)
|
||||
exit(5);
|
||||
exit(0);
|
||||
}
|
||||
]])],
|
||||
@ -2141,17 +2340,6 @@ int main(void) {
|
||||
llong_min=`$AWK '{print $1}' conftest.llminmax`
|
||||
llong_max=`$AWK '{print $2}' conftest.llminmax`
|
||||
|
||||
# snprintf on some Tru64s doesn't understand "%lld"
|
||||
case "$host" in
|
||||
alpha-dec-osf*)
|
||||
if test "x$ac_cv_sizeof_long_long_int" = "x8" &&
|
||||
test "x$llong_max" = "xld"; then
|
||||
llong_min="-9223372036854775808"
|
||||
llong_max="9223372036854775807"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
AC_MSG_RESULT($llong_max)
|
||||
AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL],
|
||||
[max value of long long calculated by configure])
|
||||
@ -2897,7 +3085,7 @@ AC_ARG_WITH(opensc,
|
||||
LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
|
||||
LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
|
||||
CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
|
||||
LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
|
||||
LIBS="$LIBS $LIBOPENSC_LIBS"
|
||||
AC_DEFINE(SMARTCARD)
|
||||
AC_DEFINE(USE_OPENSC, 1,
|
||||
[Define if you want smartcard support
|
||||
@ -2945,6 +3133,23 @@ int main()
|
||||
[#include <arpa/nameser.h>])
|
||||
])
|
||||
|
||||
# Check whether user wants SELinux support
|
||||
SELINUX_MSG="no"
|
||||
LIBSELINUX=""
|
||||
AC_ARG_WITH(selinux,
|
||||
[ --with-selinux Enable SELinux support],
|
||||
[ if test "x$withval" != "xno" ; then
|
||||
AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
|
||||
SELINUX_MSG="yes"
|
||||
AC_CHECK_HEADER([selinux/selinux.h], ,
|
||||
AC_MSG_ERROR(SELinux support requires selinux.h header))
|
||||
AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
|
||||
AC_MSG_ERROR(SELinux support requires libselinux library))
|
||||
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
|
||||
fi ]
|
||||
)
|
||||
AC_SUBST(LIBSELINUX)
|
||||
|
||||
# Check whether user wants Kerberos 5 support
|
||||
KRB5_MSG="no"
|
||||
AC_ARG_WITH(kerberos5,
|
||||
@ -3707,20 +3912,13 @@ if test ! -z "$blibpath" ; then
|
||||
AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
|
||||
fi
|
||||
|
||||
dnl remove pam and dl because they are in $LIBPAM
|
||||
if test "$PAM_MSG" = yes ; then
|
||||
LIBS=`echo $LIBS | sed 's/-lpam //'`
|
||||
fi
|
||||
if test "$ac_cv_lib_pam_pam_set_item" = yes ; then
|
||||
LIBS=`echo $LIBS | sed 's/-ldl //'`
|
||||
fi
|
||||
|
||||
dnl Adding -Werror to CFLAGS early prevents configure tests from running.
|
||||
dnl Add now.
|
||||
CFLAGS="$CFLAGS $werror_flags"
|
||||
|
||||
AC_EXEEXT
|
||||
AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openbsd-compat/Makefile \
|
||||
AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
|
||||
openbsd-compat/Makefile openbsd-compat/regress/Makefile \
|
||||
scard/Makefile ssh_prng_cmds survey.sh])
|
||||
AC_OUTPUT
|
||||
|
||||
@ -3762,12 +3960,15 @@ echo " sshd superuser user PATH: $J"
|
||||
fi
|
||||
echo " Manpage format: $MANTYPE"
|
||||
echo " PAM support: $PAM_MSG"
|
||||
echo " OSF SIA support: $SIA_MSG"
|
||||
echo " KerberosV support: $KRB5_MSG"
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
||||
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: crc32.c,v 1.9 2003/02/12 21:39:50 markus Exp $ */
|
||||
/* $OpenBSD: crc32.c,v 1.11 2006/04/22 18:29:33 stevesk Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2003 Markus Friedl. All rights reserved.
|
||||
@ -99,7 +99,7 @@ ssh_crc32(const u_char *buf, u_int32_t size)
|
||||
u_int32_t i, crc;
|
||||
|
||||
crc = 0;
|
||||
for (i = 0; i < size; i++)
|
||||
for (i = 0; i < size; i++)
|
||||
crc = crc32tab[(crc ^ buf[i]) & 0xff] ^ (crc >> 8);
|
||||
return crc;
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: crc32.h,v 1.14 2003/02/12 21:39:50 markus Exp $ */
|
||||
/* $OpenBSD: crc32.h,v 1.15 2006/03/25 22:22:43 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2003 Markus Friedl. All rights reserved.
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: deattack.c,v 1.30 2006/09/16 19:53:37 djm Exp $ */
|
||||
/*
|
||||
* Cryptographic attack detector for ssh - source code
|
||||
*
|
||||
@ -18,14 +19,36 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: deattack.c,v 1.19 2003/09/18 08:49:45 markus Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "deattack.h"
|
||||
#include "log.h"
|
||||
#include "crc32.h"
|
||||
#include "getput.h"
|
||||
#include "xmalloc.h"
|
||||
#include "deattack.h"
|
||||
#include "misc.h"
|
||||
|
||||
/*
|
||||
* CRC attack detection has a worst-case behaviour that is O(N^3) over
|
||||
* the number of identical blocks in a packet. This behaviour can be
|
||||
* exploited to create a limited denial of service attack.
|
||||
*
|
||||
* However, because we are dealing with encrypted data, identical
|
||||
* blocks should only occur every 2^35 maximally-sized packets or so.
|
||||
* Consequently, we can detect this DoS by looking for identical blocks
|
||||
* in a packet.
|
||||
*
|
||||
* The parameter below determines how many identical blocks we will
|
||||
* accept in a single packet, trading off between attack detection and
|
||||
* likelihood of terminating a legitimate connection. A value of 32
|
||||
* corresponds to an average of 2^40 messages before an attack is
|
||||
* misdetected
|
||||
*/
|
||||
#define MAX_IDENTICAL 32
|
||||
|
||||
/* SSH Constants */
|
||||
#define SSH_MAXBLOCKS (32 * 1024)
|
||||
@ -43,7 +66,7 @@ RCSID("$OpenBSD: deattack.c,v 1.19 2003/09/18 08:49:45 markus Exp $");
|
||||
|
||||
|
||||
/* Hash function (Input keys are cipher results) */
|
||||
#define HASH(x) GET_32BIT(x)
|
||||
#define HASH(x) get_u32(x)
|
||||
|
||||
#define CMP(a, b) (memcmp(a, b, SSH_BLOCKSIZE))
|
||||
|
||||
@ -51,22 +74,17 @@ static void
|
||||
crc_update(u_int32_t *a, u_int32_t b)
|
||||
{
|
||||
b ^= *a;
|
||||
*a = ssh_crc32((u_char *) &b, sizeof(b));
|
||||
*a = ssh_crc32((u_char *)&b, sizeof(b));
|
||||
}
|
||||
|
||||
/* detect if a block is used in a particular pattern */
|
||||
static int
|
||||
check_crc(u_char *S, u_char *buf, u_int32_t len,
|
||||
u_char *IV)
|
||||
check_crc(u_char *S, u_char *buf, u_int32_t len)
|
||||
{
|
||||
u_int32_t crc;
|
||||
u_char *c;
|
||||
|
||||
crc = 0;
|
||||
if (IV && !CMP(S, IV)) {
|
||||
crc_update(&crc, 1);
|
||||
crc_update(&crc, 0);
|
||||
}
|
||||
for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
|
||||
if (!CMP(S, c)) {
|
||||
crc_update(&crc, 1);
|
||||
@ -82,12 +100,12 @@ check_crc(u_char *S, u_char *buf, u_int32_t len,
|
||||
|
||||
/* Detect a crc32 compensation attack on a packet */
|
||||
int
|
||||
detect_attack(u_char *buf, u_int32_t len, u_char *IV)
|
||||
detect_attack(u_char *buf, u_int32_t len)
|
||||
{
|
||||
static u_int16_t *h = (u_int16_t *) NULL;
|
||||
static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
|
||||
u_int32_t i, j;
|
||||
u_int32_t l;
|
||||
u_int32_t l, same;
|
||||
u_char *c;
|
||||
u_char *d;
|
||||
|
||||
@ -100,26 +118,20 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV)
|
||||
|
||||
if (h == NULL) {
|
||||
debug("Installing crc compensation attack detector.");
|
||||
h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
|
||||
h = (u_int16_t *) xcalloc(l, HASH_ENTRYSIZE);
|
||||
n = l;
|
||||
} else {
|
||||
if (l > n) {
|
||||
h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
|
||||
h = (u_int16_t *)xrealloc(h, l, HASH_ENTRYSIZE);
|
||||
n = l;
|
||||
}
|
||||
}
|
||||
|
||||
if (len <= HASH_MINBLOCKS) {
|
||||
for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
|
||||
if (IV && (!CMP(c, IV))) {
|
||||
if ((check_crc(c, buf, len, IV)))
|
||||
return (DEATTACK_DETECTED);
|
||||
else
|
||||
break;
|
||||
}
|
||||
for (d = buf; d < c; d += SSH_BLOCKSIZE) {
|
||||
if (!CMP(c, d)) {
|
||||
if ((check_crc(c, buf, len, IV)))
|
||||
if ((check_crc(c, buf, len)))
|
||||
return (DEATTACK_DETECTED);
|
||||
else
|
||||
break;
|
||||
@ -130,21 +142,13 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV)
|
||||
}
|
||||
memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
|
||||
|
||||
if (IV)
|
||||
h[HASH(IV) & (n - 1)] = HASH_IV;
|
||||
|
||||
for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
|
||||
for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
|
||||
for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
|
||||
i = (i + 1) & (n - 1)) {
|
||||
if (h[i] == HASH_IV) {
|
||||
if (!CMP(c, IV)) {
|
||||
if (check_crc(c, buf, len, IV))
|
||||
return (DEATTACK_DETECTED);
|
||||
else
|
||||
break;
|
||||
}
|
||||
} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
|
||||
if (check_crc(c, buf, len, IV))
|
||||
if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
|
||||
if (++same > MAX_IDENTICAL)
|
||||
return (DEATTACK_DOS_DETECTED);
|
||||
if (check_crc(c, buf, len))
|
||||
return (DEATTACK_DETECTED);
|
||||
else
|
||||
break;
|
||||
|
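Review bot: The comment above detect_attack() still reads "Detect a crc32 compensation attack on a packet" and says nothing about the new DEATTACK_DOS_DETECTED return, which callers now have to handle as a third outcome; suggest `/* Detect a crc32 compensation attack on a packet. Returns DEATTACK_OK, DEATTACK_DETECTED, or DEATTACK_DOS_DETECTED once more than MAX_IDENTICAL identical blocks have been seen (see the MAX_IDENTICAL comment above). */`, plus a one-line comment on the new define in deattack.h. Note also that the `same` counter only guards the hashed path: the `len <= HASH_MINBLOCKS` branch still calls check_crc() on the first matching block without counting, which is presumably acceptable because HASH_MINBLOCKS bounds that path, but the MAX_IDENTICAL comment should say so explicitly so the asymmetry is not mistaken for an omission. The body of detect_attack continues past the end of the hunk.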
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: deattack.h,v 1.7 2001/06/26 17:27:23 markus Exp $ */
|
||||
/* $OpenBSD: deattack.h,v 1.10 2006/09/16 19:53:37 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Cryptographic attack detector for ssh - Header file
|
||||
@ -25,6 +25,7 @@
|
||||
/* Return codes */
|
||||
#define DEATTACK_OK 0
|
||||
#define DEATTACK_DETECTED 1
|
||||
#define DEATTACK_DOS_DETECTED 2
|
||||
|
||||
int detect_attack(u_char *, u_int32_t, u_char[8]);
|
||||
int detect_attack(u_char *, u_int32_t);
|
||||
#endif
|
||||
|
@ -25,12 +25,12 @@
|
||||
#ifndef _DEFINES_H
|
||||
#define _DEFINES_H
|
||||
|
||||
/* $Id: defines.h,v 1.130 2005/12/17 11:04:09 dtucker Exp $ */
|
||||
/* $Id: defines.h,v 1.138 2006/09/21 13:13:30 dtucker Exp $ */
|
||||
|
||||
|
||||
/* Constants */
|
||||
|
||||
#ifndef SHUT_RDWR
|
||||
#if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
|
||||
enum
|
||||
{
|
||||
SHUT_RD = 0, /* No more receptions. */
|
||||
@ -90,8 +90,8 @@ enum
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifndef O_NONBLOCK /* Non Blocking Open */
|
||||
# define O_NONBLOCK 00004
|
||||
#if defined(HAVE_DECL_O_NONBLOCK) && HAVE_DECL_O_NONBLOCK == 0
|
||||
# define O_NONBLOCK 00004 /* Non Blocking Open */
|
||||
#endif
|
||||
|
||||
#ifndef S_ISDIR
|
||||
@ -143,16 +143,11 @@ including rpc/rpc.h breaks Solaris 6
|
||||
#define INADDR_LOOPBACK ((u_long)0x7f000001)
|
||||
#endif
|
||||
|
||||
#ifndef __unused
|
||||
#define __unused
|
||||
#endif
|
||||
|
||||
/* Types */
|
||||
|
||||
/* If sys/types.h does not supply intXX_t, supply them ourselves */
|
||||
/* (or die trying) */
|
||||
|
||||
|
||||
#ifndef HAVE_U_INT
|
||||
typedef unsigned int u_int;
|
||||
#endif
|
||||
@ -496,6 +491,22 @@ struct winsize {
|
||||
# define offsetof(type, member) ((size_t) &((type *)0)->member)
|
||||
#endif
|
||||
|
||||
/* Set up BSD-style BYTE_ORDER definition if it isn't there already */
|
||||
/* XXX: doesn't try to cope with strange byte orders (PDP_ENDIAN) */
|
||||
#ifndef BYTE_ORDER
|
||||
# ifndef LITTLE_ENDIAN
|
||||
# define LITTLE_ENDIAN 1234
|
||||
# endif /* LITTLE_ENDIAN */
|
||||
# ifndef BIG_ENDIAN
|
||||
# define BIG_ENDIAN 4321
|
||||
# endif /* BIG_ENDIAN */
|
||||
# ifdef WORDS_BIGENDIAN
|
||||
# define BYTE_ORDER BIG_ENDIAN
|
||||
# else /* WORDS_BIGENDIAN */
|
||||
# define BYTE_ORDER LITTLE_ENDIAN
|
||||
# endif /* WORDS_BIGENDIAN */
|
||||
#endif /* BYTE_ORDER */
|
||||
|
||||
/* Function replacement / compatibility hacks */
|
||||
|
||||
#if !defined(HAVE_GETADDRINFO) && (defined(HAVE_OGETADDRINFO) || defined(HAVE_NGETADDRINFO))
|
||||
@ -517,19 +528,6 @@ struct winsize {
|
||||
# define optarg BSDoptarg
|
||||
#endif
|
||||
|
||||
/* In older versions of libpam, pam_strerror takes a single argument */
|
||||
#ifdef HAVE_OLD_PAM
|
||||
# define PAM_STRERROR(a,b) pam_strerror((b))
|
||||
#else
|
||||
# define PAM_STRERROR(a,b) pam_strerror((a),(b))
|
||||
#endif
|
||||
|
||||
#ifdef PAM_SUN_CODEBASE
|
||||
# define PAM_MSG_MEMBER(msg, n, member) ((*(msg))[(n)].member)
|
||||
#else
|
||||
# define PAM_MSG_MEMBER(msg, n, member) ((msg)[(n)]->member)
|
||||
#endif
|
||||
|
||||
#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO)
|
||||
# undef HAVE_GETADDRINFO
|
||||
#endif
|
||||
@ -544,6 +542,11 @@ struct winsize {
|
||||
# undef HAVE_UPDWTMPX
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) && \
|
||||
defined(SYSLOG_R_SAFE_IN_SIGHAND)
|
||||
# define DO_LOG_SAFE_IN_SIGHAND
|
||||
#endif
|
||||
|
||||
#if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY)
|
||||
# define memmove(s1, s2, n) bcopy((s2), (s1), (n))
|
||||
#endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */
|
||||
@ -553,6 +556,7 @@ struct winsize {
|
||||
#endif /* defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX) */
|
||||
|
||||
#ifndef GETPGRP_VOID
|
||||
# include <unistd.h>
|
||||
# define getpgrp() getpgrp(0)
|
||||
#endif
|
||||
|
||||
@ -715,12 +719,14 @@ struct winsize {
|
||||
# undef HAVE_MMAP
|
||||
#endif
|
||||
|
||||
/* some system headers on HP-UX define YES/NO */
|
||||
#ifdef YES
|
||||
# undef YES
|
||||
#endif
|
||||
#ifdef NO
|
||||
# undef NO
|
||||
#ifndef IOV_MAX
|
||||
# if defined(_XOPEN_IOV_MAX)
|
||||
# define IOV_MAX _XOPEN_IOV_MAX
|
||||
# elif defined(DEF_IOV_MAX)
|
||||
# define IOV_MAX DEF_IOV_MAX
|
||||
# else
|
||||
# define IOV_MAX 16
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#endif /* _DEFINES_H */
|
||||
|
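Review bot: The new IOV_MAX fallback `#  define IOV_MAX 16` is an unexplained magic number; 16 is the POSIX-guaranteed minimum for _XOPEN_IOV_MAX, and the define should say so: `#  define IOV_MAX 16 /* POSIX minimum value of _XOPEN_IOV_MAX */`. Likewise `# define getpgrp() getpgrp(0)` under `#ifndef GETPGRP_VOID` deserves a one-line comment that it adapts the one-argument getpgrp(pid) form detected by AC_FUNC_GETPGRP in configure.ac to the POSIX no-argument call, since a function-like macro that expands to a call of the same name is surprising on first read.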
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: dh.c,v 1.42 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
*
|
||||
@ -23,17 +24,17 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: dh.c,v 1.31 2004/08/04 10:37:52 djm Exp $");
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
#include "buffer.h"
|
||||
#include "cipher.h"
|
||||
#include "kex.h"
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "dh.h"
|
||||
#include "pathnames.h"
|
||||
#include "log.h"
|
||||
@ -44,9 +45,11 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
||||
{
|
||||
char *cp, *arg;
|
||||
char *strsize, *gen, *prime;
|
||||
const char *errstr = NULL;
|
||||
|
||||
cp = line;
|
||||
arg = strdelim(&cp);
|
||||
if ((arg = strdelim(&cp)) == NULL)
|
||||
return 0;
|
||||
/* Ignore leading whitespace */
|
||||
if (*arg == '\0')
|
||||
arg = strdelim(&cp);
|
||||
@ -67,7 +70,8 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
||||
goto fail;
|
||||
strsize = strsep(&cp, " "); /* size */
|
||||
if (cp == NULL || *strsize == '\0' ||
|
||||
(dhg->size = atoi(strsize)) == 0)
|
||||
(dhg->size = (u_int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
|
||||
errstr)
|
||||
goto fail;
|
||||
/* The whole group is one bit larger */
|
||||
dhg->size++;
|
||||
@ -178,19 +182,36 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
|
||||
int i;
|
||||
int n = BN_num_bits(dh_pub);
|
||||
int bits_set = 0;
|
||||
BIGNUM *tmp;
|
||||
|
||||
if (dh_pub->neg) {
|
||||
logit("invalid public DH value: negativ");
|
||||
return 0;
|
||||
}
|
||||
if (BN_cmp(dh_pub, BN_value_one()) != 1) { /* pub_exp <= 1 */
|
||||
logit("invalid public DH value: <= 1");
|
||||
return 0;
|
||||
}
|
||||
|
||||
if ((tmp = BN_new()) == NULL)
|
||||
return (-1);
|
||||
if (!BN_sub(tmp, dh->p, BN_value_one()) ||
|
||||
BN_cmp(dh_pub, tmp) != -1) { /* pub_exp > p-2 */
|
||||
BN_clear_free(tmp);
|
||||
logit("invalid public DH value: >= p-1");
|
||||
return 0;
|
||||
}
|
||||
BN_clear_free(tmp);
|
||||
|
||||
for (i = 0; i <= n; i++)
|
||||
if (BN_is_bit_set(dh_pub, i))
|
||||
bits_set++;
|
||||
debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
|
||||
|
||||
/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
|
||||
if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
|
||||
if (bits_set > 1)
|
||||
return 1;
|
||||
|
||||
logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
|
||||
return 0;
|
||||
}
|
||||
|
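Review bot: In dh_pub_is_valid(), the new `if ((tmp = BN_new()) == NULL) return (-1);` is the only non-0/1 return in a function whose other paths return 0 for an invalid value and 1 for a valid one; a caller that tests the result as a boolean, as those returns suggest, would accept the peer's public value on an allocation failure. Safer to fail closed: `if ((tmp = BN_new()) == NULL) { logit("dh_pub_is_valid: BN_new failed"); return 0; }`. The log message `invalid public DH value: negativ` also looks truncated ("negative"). The function's signature and opening are above the start of the hunk.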
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: dh.h,v 1.8 2004/06/13 12:53:24 djm Exp $ */
|
||||
/* $OpenBSD: dh.h,v 1.9 2006/03/25 22:22:43 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: dispatch.c,v 1.21 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -21,8 +22,13 @@
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: dispatch.c,v 1.16 2003/04/08 20:21:28 itojun Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <signal.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "ssh1.h"
|
||||
#include "ssh2.h"
|
||||
@ -76,7 +82,7 @@ dispatch_set(int type, dispatch_fn *fn)
|
||||
dispatch[type] = fn;
|
||||
}
|
||||
void
|
||||
dispatch_run(int mode, int *done, void *ctxt)
|
||||
dispatch_run(int mode, volatile sig_atomic_t *done, void *ctxt)
|
||||
{
|
||||
for (;;) {
|
||||
int type;
|
||||
|
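Review bot: dispatch_run()'s `done` parameter becomes `volatile sig_atomic_t *` (and likewise the prototype in dispatch.h) with no comment on why; presumably the flag is written asynchronously from a signal handler, and that should be stated where the parameter is declared so nobody narrows it back to `int *` later: `/* done: may be set asynchronously (e.g. from a signal handler), hence volatile sig_atomic_t */`. The loop body of dispatch_run continues past the end of the hunk.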
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: dispatch.h,v 1.9 2002/01/11 13:39:36 markus Exp $ */
|
||||
/* $OpenBSD: dispatch.h,v 1.11 2006/04/20 09:27:09 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
@ -23,6 +23,9 @@
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <signal.h>
|
||||
|
||||
enum {
|
||||
DISPATCH_BLOCK,
|
||||
DISPATCH_NONBLOCK
|
||||
@ -33,6 +36,6 @@ typedef void dispatch_fn(int, u_int32_t, void *);
|
||||
void dispatch_init(dispatch_fn *);
|
||||
void dispatch_set(int, dispatch_fn *);
|
||||
void dispatch_range(u_int, u_int, dispatch_fn *);
|
||||
void dispatch_run(int, int *, void *);
|
||||
void dispatch_run(int, volatile sig_atomic_t *, void *);
|
||||
void dispatch_protocol_error(int, u_int32_t, void *);
|
||||
void dispatch_protocol_ignore(int, u_int32_t, void *);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $ */
|
||||
/* $OpenBSD: dns.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
|
||||
@ -26,9 +26,14 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
|
||||
#include <netdb.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
@ -122,7 +127,7 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
|
||||
*digest = (u_char *) xmalloc(*digest_len);
|
||||
memcpy(*digest, rdata + 2, *digest_len);
|
||||
} else {
|
||||
*digest = xstrdup("");
|
||||
*digest = (u_char *)xstrdup("");
|
||||
}
|
||||
|
||||
success = 1;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: dns.h,v 1.6 2005/10/17 14:13:35 stevesk Exp $ */
|
||||
/* $OpenBSD: dns.h,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
|
||||
@ -25,8 +25,6 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifndef DNS_H
|
||||
#define DNS_H
|
||||
|
||||
|
@ -24,6 +24,19 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
#ifdef HAVE_SYS_STAT_H
|
||||
# include <sys/stat.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_FCNTL_H
|
||||
# include <fcntl.h>
|
||||
#endif
|
||||
#include <stdarg.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/err.h>
|
||||
@ -35,7 +48,6 @@
|
||||
#include "pathnames.h"
|
||||
#include "log.h"
|
||||
#include "buffer.h"
|
||||
#include "bufaux.h"
|
||||
|
||||
/*
|
||||
* Portable OpenSSH PRNG seeding:
|
||||
@ -48,8 +60,6 @@
|
||||
* XXX: we should tell the child how many bytes we need.
|
||||
*/
|
||||
|
||||
RCSID("$Id: entropy.c,v 1.52 2005/09/27 22:26:30 dtucker Exp $");
|
||||
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
#define RANDOM_SEED_SIZE 48
|
||||
static uid_t original_uid, original_euid;
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: fatal.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2002 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,7 +24,10 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: fatal.c,v 1.2 2003/09/23 20:17:11 markus Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "log.h"
|
||||
|
||||
@ -33,6 +37,7 @@ void
|
||||
fatal(const char *fmt,...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
va_start(args, fmt);
|
||||
do_log(SYSLOG_LEVEL_FATAL, fmt, args);
|
||||
va_end(args);
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: groupaccess.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Kevin Steves. All rights reserved.
|
||||
*
|
||||
@ -23,10 +24,16 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: groupaccess.c,v 1.6 2003/04/08 20:21:28 itojun Exp $");
|
||||
|
||||
#include "groupaccess.h"
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <grp.h>
|
||||
#include <unistd.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "groupaccess.h"
|
||||
#include "match.h"
|
||||
#include "log.h"
|
||||
|
||||
@ -52,8 +59,8 @@ ga_init(const char *user, gid_t base)
|
||||
ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
|
||||
#endif
|
||||
|
||||
groups_bygid = xmalloc(ngroups * sizeof(*groups_bygid));
|
||||
groups_byname = xmalloc(ngroups * sizeof(*groups_byname));
|
||||
groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
|
||||
groups_byname = xcalloc(ngroups, sizeof(*groups_byname));
|
||||
|
||||
if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
|
||||
logit("getgrouplist: groups list too small");
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: groupaccess.h,v 1.4 2001/06/26 17:27:23 markus Exp $ */
|
||||
/* $OpenBSD: groupaccess.h,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001 Kevin Steves. All rights reserved.
|
||||
@ -27,8 +27,6 @@
|
||||
#ifndef GROUPACCESS_H
|
||||
#define GROUPACCESS_H
|
||||
|
||||
#include <grp.h>
|
||||
|
||||
int ga_init(const char *, gid_t);
|
||||
int ga_match(char * const *, int);
|
||||
void ga_free(void);
|
||||
|
@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-genr.c,v 1.6 2005/10/13 22:24:31 stevesk Exp $ */
|
||||
/* $OpenBSD: gss-genr.c,v 1.17 2006/08/29 12:02:30 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||
* Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -28,8 +28,15 @@
|
||||
|
||||
#ifdef GSSAPI
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "bufaux.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "ssh2.h"
|
||||
|
||||
@ -72,7 +79,11 @@ ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid)
|
||||
void
|
||||
ssh_gssapi_error(Gssctxt *ctxt)
|
||||
{
|
||||
debug("%s", ssh_gssapi_last_error(ctxt, NULL, NULL));
|
||||
char *s;
|
||||
|
||||
s = ssh_gssapi_last_error(ctxt, NULL, NULL);
|
||||
debug("%s", s);
|
||||
xfree(s);
|
||||
}
|
||||
|
||||
char *
|
||||
@ -131,9 +142,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
|
||||
void
|
||||
ssh_gssapi_build_ctx(Gssctxt **ctx)
|
||||
{
|
||||
*ctx = xmalloc(sizeof (Gssctxt));
|
||||
(*ctx)->major = 0;
|
||||
(*ctx)->minor = 0;
|
||||
*ctx = xcalloc(1, sizeof (Gssctxt));
|
||||
(*ctx)->context = GSS_C_NO_CONTEXT;
|
||||
(*ctx)->name = GSS_C_NO_NAME;
|
||||
(*ctx)->oid = GSS_C_NO_OID;
|
||||
@ -203,10 +212,11 @@ OM_uint32
|
||||
ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
|
||||
{
|
||||
gss_buffer_desc gssbuf;
|
||||
char *val;
|
||||
|
||||
gssbuf.length = sizeof("host@") + strlen(host);
|
||||
gssbuf.value = xmalloc(gssbuf.length);
|
||||
snprintf(gssbuf.value, gssbuf.length, "host@%s", host);
|
||||
xasprintf(&val, "host@%s", host);
|
||||
gssbuf.value = val;
|
||||
gssbuf.length = strlen(gssbuf.value);
|
||||
|
||||
if ((ctx->major = gss_import_name(&ctx->minor,
|
||||
&gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
|
||||
@ -231,11 +241,15 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
|
||||
gss_create_empty_oid_set(&status, &oidset);
|
||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
||||
|
||||
if (gethostname(lname, MAXHOSTNAMELEN))
|
||||
if (gethostname(lname, MAXHOSTNAMELEN)) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname)))
|
||||
if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (ctx->major);
|
||||
}
|
||||
|
||||
if ((ctx->major = gss_acquire_cred(&ctx->minor,
|
||||
ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
|
||||
@ -277,4 +291,34 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
|
||||
return (ssh_gssapi_acquire_cred(*ctx));
|
||||
}
|
||||
|
||||
int
|
||||
ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
|
||||
{
|
||||
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
|
||||
OM_uint32 major, minor;
|
||||
gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
|
||||
|
||||
/* RFC 4462 says we MUST NOT do SPNEGO */
|
||||
if (oid->length == spnego_oid.length &&
|
||||
(memcmp(oid->elements, spnego_oid.elements, oid->length) == 0))
|
||||
return 0; /* false */
|
||||
|
||||
ssh_gssapi_build_ctx(ctx);
|
||||
ssh_gssapi_set_oid(*ctx, oid);
|
||||
major = ssh_gssapi_import_name(*ctx, host);
|
||||
if (!GSS_ERROR(major)) {
|
||||
major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
|
||||
NULL);
|
||||
gss_release_buffer(&minor, &token);
|
||||
if ((*ctx)->context != GSS_C_NO_CONTEXT)
|
||||
gss_delete_sec_context(&minor, &(*ctx)->context,
|
||||
GSS_C_NO_BUFFER);
|
||||
}
|
||||
|
||||
if (GSS_ERROR(major))
|
||||
ssh_gssapi_delete_ctx(ctx);
|
||||
|
||||
return (!GSS_ERROR(major));
|
||||
}
|
||||
|
||||
#endif /* GSSAPI */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: gss-serv-krb5.c,v 1.4 2005/10/13 19:08:08 stevesk Exp $ */
|
||||
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||
@ -29,11 +29,19 @@
|
||||
#ifdef GSSAPI
|
||||
#ifdef KRB5
|
||||
|
||||
#include "auth.h"
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
|
||||
#include "buffer.h"
|
||||
#include "ssh-gss.h"
|
||||
|
||||
extern ServerOptions options;
|
||||
@ -41,9 +49,9 @@ extern ServerOptions options;
|
||||
#ifdef HEIMDAL
|
||||
# include <krb5.h>
|
||||
#else
|
||||
# ifdef HAVE_GSSAPI_KRB5
|
||||
# ifdef HAVE_GSSAPI_KRB5_H
|
||||
# include <gssapi_krb5.h>
|
||||
# elif HAVE_GSSAPI_GSSAPI_KRB5
|
||||
# elif HAVE_GSSAPI_GSSAPI_KRB5_H
|
||||
# include <gssapi/gssapi_krb5.h>
|
||||
# endif
|
||||
#endif
|
||||
|
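Review bot: The two branches of the renamed header probe use different preprocessor forms — `# ifdef HAVE_GSSAPI_KRB5_H` for the first test but a bare `# elif HAVE_GSSAPI_GSSAPI_KRB5_H` for the second. A bare macro in `#elif` silently evaluates to 0 when configure never defines it, which works but trips `-Wundef` and reads differently from its sibling; `# elif defined(HAVE_GSSAPI_GSSAPI_KRB5_H)` keeps both branches in the same idiom. Whether the config header leaves the symbol undefined or defines it to 0 is not visible from this section.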
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: gss-serv.c,v 1.13 2005/10/13 22:24:31 stevesk Exp $ */
|
||||
/* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||
@ -28,14 +28,21 @@
|
||||
|
||||
#ifdef GSSAPI
|
||||
|
||||
#include "bufaux.h"
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "buffer.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
#include "log.h"
|
||||
#include "channels.h"
|
||||
#include "session.h"
|
||||
#include "servconf.h"
|
||||
#include "xmalloc.h"
|
||||
#include "getput.h"
|
||||
#include "misc.h"
|
||||
|
||||
#include "ssh-gss.h"
|
||||
|
||||
@ -78,6 +85,8 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
|
||||
&supported_mechs[i]->oid, oidset);
|
||||
i++;
|
||||
}
|
||||
|
||||
gss_release_oid_set(&min_status, &supported);
|
||||
}
|
||||
|
||||
|
||||
@ -151,7 +160,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
|
||||
* second without.
|
||||
*/
|
||||
|
||||
oidl = GET_16BIT(tok+2); /* length including next two bytes */
|
||||
oidl = get_u16(tok+2); /* length including next two bytes */
|
||||
oidl = oidl-2; /* turn it into the _real_ length of the variable OID */
|
||||
|
||||
/*
|
||||
@ -168,14 +177,14 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
|
||||
if (ename->length < offset+4)
|
||||
return GSS_S_FAILURE;
|
||||
|
||||
name->length = GET_32BIT(tok+offset);
|
||||
name->length = get_u32(tok+offset);
|
||||
offset += 4;
|
||||
|
||||
if (ename->length < offset+name->length)
|
||||
return GSS_S_FAILURE;
|
||||
|
||||
name->value = xmalloc(name->length+1);
|
||||
memcpy(name->value, tok+offset,name->length);
|
||||
memcpy(name->value, tok+offset, name->length);
|
||||
((char *)name->value)[name->length] = 0;
|
||||
|
||||
return GSS_S_COMPLETE;
|
||||
@ -234,7 +243,8 @@ ssh_gssapi_cleanup_creds(void)
|
||||
{
|
||||
if (gssapi_client.store.filename != NULL) {
|
||||
/* Unlink probably isn't sufficient */
|
||||
debug("removing gssapi cred file\"%s\"", gssapi_client.store.filename);
|
||||
debug("removing gssapi cred file\"%s\"",
|
||||
gssapi_client.store.filename);
|
||||
unlink(gssapi_client.store.filename);
|
||||
}
|
||||
}
|
||||
|
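Review bot: In ssh_gssapi_parse_ename the bounds test that follows the new `name->length = get_u32(tok+offset);` is written as `if (ename->length < offset+name->length)`, and that sum can wrap on a target where size_t is 32 bits, since name->length is a full 32-bit value taken from the token. The preceding `ename->length < offset+4` test already guarantees `offset <= ename->length` after the `offset += 4`, so the subtraction form cannot underflow: `if (name->length > ename->length - offset) return GSS_S_FAILURE;`. Whether a wrapped value would be caught afterwards depends on how xmalloc treats a zero or tiny size, which is outside this hunk, and the exported name presumably comes from the local GSS library rather than straight off the wire, so this is hardening of the parser rather than a live defect. Separately, the re-wrapped debug call in ssh_gssapi_cleanup_creds still prints `cred file"%s"` with no space before the quote; `"removing gssapi cred file \"%s\""` reads as intended. ssh_gssapi_parse_ename's body starts and ends outside the hunk.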
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: hostfile.c,v 1.45 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -36,18 +37,25 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: hostfile.c,v 1.36 2005/11/22 03:36:03 dtucker Exp $");
|
||||
|
||||
#include <resolv.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/sha.h>
|
||||
|
||||
#include "packet.h"
|
||||
#include <resolv.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "match.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
static int
|
||||
extract_salt(const char *s, u_int l, char *salt, size_t salt_len)
|
||||
@ -254,8 +262,10 @@ check_host_in_hostfile_by_key_or_type(const char *filename,
|
||||
|
||||
if (key == NULL) {
|
||||
/* we found a key of the requested type */
|
||||
if (found->type == keytype)
|
||||
if (found->type == keytype) {
|
||||
fclose(f);
|
||||
return HOST_FOUND;
|
||||
}
|
||||
continue;
|
||||
}
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: hostfile.h,v 1.15 2005/03/01 10:40:26 djm Exp $ */
|
||||
/* $OpenBSD: hostfile.h,v 1.16 2006/03/25 22:22:43 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: includes.h,v 1.22 2006/01/01 08:59:27 stevesk Exp $ */
|
||||
/* $OpenBSD: includes.h,v 1.54 2006/07/22 20:48:23 stevesk Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -16,44 +16,24 @@
|
||||
#ifndef INCLUDES_H
|
||||
#define INCLUDES_H
|
||||
|
||||
#define RCSID(msg) \
|
||||
static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
|
||||
|
||||
#include "config.h"
|
||||
|
||||
#define _GNU_SOURCE /* activate extra prototypes for glibc */
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h> /* For O_NONBLOCK */
|
||||
#include <signal.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
#include <time.h>
|
||||
#include <dirent.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h> /* For CMSG_* */
|
||||
|
||||
#ifdef HAVE_LIMITS_H
|
||||
# include <limits.h> /* For PATH_MAX */
|
||||
#endif
|
||||
#ifdef HAVE_GETOPT_H
|
||||
# include <getopt.h>
|
||||
#endif
|
||||
#ifdef HAVE_BSTRING_H
|
||||
# include <bstring.h>
|
||||
#endif
|
||||
#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \
|
||||
defined(GLOB_HAS_GL_MATCHC)
|
||||
defined(GLOB_HAS_GL_MATCHC) && \
|
||||
defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0
|
||||
# include <glob.h>
|
||||
#endif
|
||||
#ifdef HAVE_NETGROUP_H
|
||||
# include <netgroup.h>
|
||||
#endif
|
||||
#ifdef HAVE_ENDIAN_H
|
||||
# include <endian.h>
|
||||
#endif
|
||||
@ -67,10 +47,11 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
|
||||
# include <maillock.h> /* For _PATH_MAILDIR */
|
||||
#endif
|
||||
#ifdef HAVE_NEXT
|
||||
# include <libc.h>
|
||||
# include <libc.h>
|
||||
#endif
|
||||
#ifdef HAVE_PATHS
|
||||
# include <paths.h>
|
||||
#endif
|
||||
#include <unistd.h> /* For STDIN_FILENO, etc */
|
||||
#include <termios.h> /* Struct winsize */
|
||||
|
||||
/*
|
||||
*-*-nto-qnx needs these headers for strcasecmp and LASTLOG_FILE respectively
|
||||
@ -86,39 +67,22 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
|
||||
# include <utmp.h>
|
||||
#endif
|
||||
#ifdef HAVE_UTMPX_H
|
||||
# ifdef HAVE_TV_IN_UTMPX
|
||||
# include <sys/time.h>
|
||||
# endif
|
||||
# include <utmpx.h>
|
||||
#endif
|
||||
#ifdef HAVE_LASTLOG_H
|
||||
# include <lastlog.h>
|
||||
#endif
|
||||
#ifdef HAVE_PATHS_H
|
||||
# include <paths.h> /* For _PATH_XXX */
|
||||
#endif
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/wait.h>
|
||||
#ifdef HAVE_SYS_TIME_H
|
||||
# include <sys/time.h> /* For timersub */
|
||||
#endif
|
||||
#include <sys/resource.h>
|
||||
#ifdef HAVE_SYS_SELECT_H
|
||||
# include <sys/select.h>
|
||||
#endif
|
||||
#ifdef HAVE_SYS_BSDTTY_H
|
||||
# include <sys/bsdtty.h>
|
||||
#endif
|
||||
#include <sys/param.h> /* For MAXPATHLEN and roundup() */
|
||||
#ifdef HAVE_SYS_UN_H
|
||||
# include <sys/un.h> /* For sockaddr_un */
|
||||
#endif
|
||||
#ifdef HAVE_STDINT_H
|
||||
# include <stdint.h>
|
||||
#endif
|
||||
#include <termios.h>
|
||||
#ifdef HAVE_SYS_BITYPES_H
|
||||
# include <sys/bitypes.h> /* For u_intXX_t */
|
||||
#endif
|
||||
@ -144,14 +108,8 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
|
||||
#include <sys/ptms.h> /* for grantpt() and friends */
|
||||
#endif
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h> /* For typedefs */
|
||||
#include <netinet/in.h> /* For IPv6 macros */
|
||||
#include <netinet/ip.h> /* For IPTOS macros */
|
||||
#include <netinet/tcp.h>
|
||||
#include <arpa/inet.h>
|
||||
#if defined(HAVE_NETDB_H)
|
||||
# include <netdb.h>
|
||||
#endif
|
||||
#ifdef HAVE_RPC_TYPES_H
|
||||
# include <rpc/types.h> /* For INADDR_LOOPBACK */
|
||||
#endif
|
||||
@ -205,7 +163,7 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
|
||||
|
||||
#include "defines.h"
|
||||
|
||||
#include "version.h"
|
||||
#include "platform.h"
|
||||
#include "openbsd-compat/openbsd-compat.h"
|
||||
#include "openbsd-compat/bsd-nextstep.h"
|
||||
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: kex.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,19 +24,25 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: kex.c,v 1.65 2005/11/04 05:15:59 djm Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <signal.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
#include "ssh2.h"
|
||||
#include "xmalloc.h"
|
||||
#include "ssh2.h"
|
||||
#include "buffer.h"
|
||||
#include "bufaux.h"
|
||||
#include "packet.h"
|
||||
#include "compat.h"
|
||||
#include "cipher.h"
|
||||
#include "kex.h"
|
||||
#include "key.h"
|
||||
#include "kex.h"
|
||||
#include "log.h"
|
||||
#include "mac.h"
|
||||
#include "match.h"
|
||||
@ -44,6 +51,14 @@ RCSID("$OpenBSD: kex.c,v 1.65 2005/11/04 05:15:59 djm Exp $");
|
||||
|
||||
#define KEX_COOKIE_LEN 16
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
||||
# if defined(HAVE_EVP_SHA256)
|
||||
# define evp_ssh_sha256 EVP_sha256
|
||||
# else
|
||||
extern const EVP_MD *evp_ssh_sha256(void);
|
||||
# endif
|
||||
#endif
|
||||
|
||||
/* prototype */
|
||||
static void kex_kexinit_finish(Kex *);
|
||||
static void kex_choose_conf(Kex *);
|
||||
@ -75,7 +90,7 @@ kex_buf2prop(Buffer *raw, int *first_kex_follows)
|
||||
int i;
|
||||
char **proposal;
|
||||
|
||||
proposal = xmalloc(PROPOSAL_MAX * sizeof(char *));
|
||||
proposal = xcalloc(PROPOSAL_MAX, sizeof(char *));
|
||||
|
||||
buffer_init(&b);
|
||||
buffer_append(&b, buffer_ptr(raw), buffer_len(raw));
|
||||
@ -210,8 +225,7 @@ kex_setup(char *proposal[PROPOSAL_MAX])
|
||||
{
|
||||
Kex *kex;
|
||||
|
||||
kex = xmalloc(sizeof(*kex));
|
||||
memset(kex, 0, sizeof(*kex));
|
||||
kex = xcalloc(1, sizeof(*kex));
|
||||
buffer_init(&kex->peer);
|
||||
buffer_init(&kex->my);
|
||||
kex_prop2buf(&kex->my, proposal);
|
||||
@ -254,6 +268,7 @@ choose_enc(Enc *enc, char *client, char *server)
|
||||
enc->key_len = cipher_keylen(enc->cipher);
|
||||
enc->block_size = cipher_blocksize(enc->cipher);
|
||||
}
|
||||
|
||||
static void
|
||||
choose_mac(Mac *mac, char *client, char *server)
|
||||
{
|
||||
@ -269,6 +284,7 @@ choose_mac(Mac *mac, char *client, char *server)
|
||||
mac->key = NULL;
|
||||
mac->enabled = 0;
|
||||
}
|
||||
|
||||
static void
|
||||
choose_comp(Comp *comp, char *client, char *server)
|
||||
{
|
||||
@ -286,6 +302,7 @@ choose_comp(Comp *comp, char *client, char *server)
|
||||
}
|
||||
comp->name = name;
|
||||
}
|
||||
|
||||
static void
|
||||
choose_kex(Kex *k, char *client, char *server)
|
||||
{
|
||||
@ -301,6 +318,11 @@ choose_kex(Kex *k, char *client, char *server)
|
||||
} else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
|
||||
k->kex_type = KEX_DH_GEX_SHA1;
|
||||
k->evp_md = EVP_sha1();
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
||||
} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
|
||||
k->kex_type = KEX_DH_GEX_SHA256;
|
||||
k->evp_md = evp_ssh_sha256();
|
||||
#endif
|
||||
} else
|
||||
fatal("bad kex alg %s", k->name);
|
||||
}
|
||||
@ -364,8 +386,7 @@ kex_choose_conf(Kex *kex)
|
||||
|
||||
/* Algorithm Negotiation */
|
||||
for (mode = 0; mode < MODE_MAX; mode++) {
|
||||
newkeys = xmalloc(sizeof(*newkeys));
|
||||
memset(newkeys, 0, sizeof(*newkeys));
|
||||
newkeys = xcalloc(1, sizeof(*newkeys));
|
||||
kex->newkeys[mode] = newkeys;
|
||||
ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN);
|
||||
nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
|
||||
@ -420,7 +441,7 @@ derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen,
|
||||
|
||||
if ((mdsz = EVP_MD_size(kex->evp_md)) <= 0)
|
||||
fatal("bad kex md size %d", mdsz);
|
||||
digest = xmalloc(roundup(need, mdsz));
|
||||
digest = xmalloc(roundup(need, mdsz));
|
||||
|
||||
buffer_init(&b);
|
||||
buffer_put_bignum2(&b, shared_secret);
|
||||
@ -473,7 +494,8 @@ kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret)
|
||||
for (mode = 0; mode < MODE_MAX; mode++) {
|
||||
current_keys[mode] = kex->newkeys[mode];
|
||||
kex->newkeys[mode] = NULL;
|
||||
ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN);
|
||||
ctos = (!kex->server && mode == MODE_OUT) ||
|
||||
(kex->server && mode == MODE_IN);
|
||||
current_keys[mode]->enc.iv = keys[ctos ? 0 : 1];
|
||||
current_keys[mode]->enc.key = keys[ctos ? 2 : 3];
|
||||
current_keys[mode]->mac.key = keys[ctos ? 4 : 5];
|
||||
|
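Review bot: The fallback prototype `extern const EVP_MD *evp_ssh_sha256(void);` is declared locally in kex.c inside the `HAVE_EVP_SHA256` conditional rather than in a shared header, so the compat definition elsewhere and this declaration can drift without the compiler noticing. Moving the declaration, together with the `# define evp_ssh_sha256 EVP_sha256` alias next to it, into a header that every user of the SHA-256 group exchange includes would give them one signature to agree on. The same `#if OPENSSL_VERSION_NUMBER >= 0x00907000L` guard is repeated in choose_kex around the `KEX_DHGEX_SHA256` branch; a one-line comment there such as `/* SHA-256 KEX needs OpenSSL >= 0.9.7 */` would spare a reader from decoding the version constant. Both enclosing definitions extend beyond their hunks.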
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kex.h,v 1.38 2005/11/04 05:15:59 djm Exp $ */
|
||||
/* $OpenBSD: kex.h,v 1.44 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
@ -26,14 +26,13 @@
|
||||
#ifndef KEX_H
|
||||
#define KEX_H
|
||||
|
||||
#include <signal.h>
|
||||
#include <openssl/evp.h>
|
||||
#include "buffer.h"
|
||||
#include "cipher.h"
|
||||
#include "key.h"
|
||||
|
||||
#define KEX_DH1 "diffie-hellman-group1-sha1"
|
||||
#define KEX_DH14 "diffie-hellman-group14-sha1"
|
||||
#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
|
||||
#define KEX_DHGEX_SHA256 "diffie-hellman-group-exchange-sha256"
|
||||
|
||||
#define COMP_NONE 0
|
||||
#define COMP_ZLIB 1
|
||||
@ -63,6 +62,7 @@ enum kex_exchange {
|
||||
KEX_DH_GRP1_SHA1,
|
||||
KEX_DH_GRP14_SHA1,
|
||||
KEX_DH_GEX_SHA1,
|
||||
KEX_DH_GEX_SHA256,
|
||||
KEX_MAX
|
||||
};
|
||||
|
||||
@ -112,7 +112,7 @@ struct Kex {
|
||||
int kex_type;
|
||||
Buffer my;
|
||||
Buffer peer;
|
||||
int done;
|
||||
sig_atomic_t done;
|
||||
int flags;
|
||||
const EVP_MD *evp_md;
|
||||
char *client_version_string;
|
||||
@ -142,7 +142,7 @@ kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
|
||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
void
|
||||
kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
|
||||
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
|
||||
int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
|
||||
BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
|
||||
void
|
||||
|
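Review bot: The field type change `sig_atomic_t done;` in struct Kex is not explained anywhere in the section; sig_atomic_t is only warranted when the flag is read or written from a signal handler, and a reader of the header cannot tell which one. A short comment on the field — for example `sig_atomic_t done; /* sig_atomic_t: inspected from signal context, see [HANDLER] */` with the real handler named in place of the placeholder — would record why a plain int is no longer enough. The accessing code is not visible from this section, so I cannot name the handler myself.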
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: kexdh.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,13 +24,17 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: kexdh.c,v 1.20 2005/11/04 05:15:59 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <signal.h>
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
#include "buffer.h"
|
||||
#include "bufaux.h"
|
||||
#include "ssh2.h"
|
||||
#include "key.h"
|
||||
#include "cipher.h"
|
||||
#include "kex.h"
|
||||
|
||||
void
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: kexdhc.c,v 1.9 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,10 +24,18 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: kexdhc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <signal.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "buffer.h"
|
||||
#include "key.h"
|
||||
#include "cipher.h"
|
||||
#include "kex.h"
|
||||
#include "log.h"
|
||||
#include "packet.h"
|
||||
@ -82,7 +91,7 @@ kexdh_client(Kex *kex)
|
||||
if (kex->verify_host_key(server_host_key) == -1)
|
||||
fatal("server_host_key verification failed");
|
||||
|
||||
/* DH paramter f, server public DH key */
|
||||
/* DH parameter f, server public DH key */
|
||||
if ((dh_server_pub = BN_new()) == NULL)
|
||||
fatal("dh_server_pub == NULL");
|
||||
packet_get_bignum2(dh_server_pub);
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: kexdhs.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -23,15 +24,25 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: kexdhs.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
#include <signal.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "buffer.h"
|
||||
#include "key.h"
|
||||
#include "cipher.h"
|
||||
#include "kex.h"
|
||||
#include "log.h"
|
||||
#include "packet.h"
|
||||
#include "dh.h"
|
||||
#include "ssh2.h"
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
void
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: kexgex.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
@ -24,12 +25,15 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: kexgex.c,v 1.24 2005/11/04 05:15:59 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/evp.h>
|
||||
#include <signal.h>
|
||||
|
||||
#include "buffer.h"
|
||||
#include "bufaux.h"
|
||||
#include "key.h"
|
||||
#include "cipher.h"
|
||||
#include "kex.h"
|
||||
#include "ssh2.h"
|
||||
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: kexgexc.c,v 1.9 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
@ -24,10 +25,18 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: kexgexc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <signal.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "buffer.h"
|
||||
#include "key.h"
|
||||
#include "cipher.h"
|
||||
#include "kex.h"
|
||||
#include "log.h"
|
||||
#include "packet.h"
|
||||
@ -120,7 +129,7 @@ kexgex_client(Kex *kex)
|
||||
if (kex->verify_host_key(server_host_key) == -1)
|
||||
fatal("server_host_key verification failed");
|
||||
|
||||
/* DH paramter f, server public DH key */
|
||||
/* DH parameter f, server public DH key */
|
||||
if ((dh_server_pub = BN_new()) == NULL)
|
||||
fatal("dh_server_pub == NULL");
|
||||
packet_get_bignum2(dh_server_pub);
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: kexgexs.c,v 1.8 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
@ -24,16 +25,27 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: kexgexs.c,v 1.2 2005/11/04 05:15:59 djm Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <signal.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "buffer.h"
|
||||
#include "key.h"
|
||||
#include "cipher.h"
|
||||
#include "kex.h"
|
||||
#include "log.h"
|
||||
#include "packet.h"
|
||||
#include "dh.h"
|
||||
#include "ssh2.h"
|
||||
#include "compat.h"
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
|
||||
void
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: key.c,v 1.67 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
/*
|
||||
* read_bignum():
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -31,17 +32,22 @@
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: key.c,v 1.58 2005/06/17 02:44:32 djm Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
#include "rsa.h"
|
||||
#include "uuencode.h"
|
||||
#include "buffer.h"
|
||||
#include "bufaux.h"
|
||||
#include "log.h"
|
||||
|
||||
Key *
|
||||
@ -50,9 +56,8 @@ key_new(int type)
|
||||
Key *k;
|
||||
RSA *rsa;
|
||||
DSA *dsa;
|
||||
k = xmalloc(sizeof(*k));
|
||||
k = xcalloc(1, sizeof(*k));
|
||||
k->type = type;
|
||||
k->flags = 0;
|
||||
k->dsa = NULL;
|
||||
k->rsa = NULL;
|
||||
switch (k->type) {
|
||||
@ -123,6 +128,8 @@ key_new_private(int type)
|
||||
void
|
||||
key_free(Key *k)
|
||||
{
|
||||
if (k == NULL)
|
||||
fatal("key_free: key is NULL");
|
||||
switch (k->type) {
|
||||
case KEY_RSA1:
|
||||
case KEY_RSA:
|
||||
@ -155,14 +162,12 @@ key_equal(const Key *a, const Key *b)
|
||||
return a->rsa != NULL && b->rsa != NULL &&
|
||||
BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
|
||||
BN_cmp(a->rsa->n, b->rsa->n) == 0;
|
||||
break;
|
||||
case KEY_DSA:
|
||||
return a->dsa != NULL && b->dsa != NULL &&
|
||||
BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
|
||||
BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
|
||||
BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
|
||||
BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
|
||||
break;
|
||||
default:
|
||||
fatal("key_equal: bad key type %d", a->type);
|
||||
break;
|
||||
@ -209,7 +214,6 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
|
||||
break;
|
||||
case KEY_UNSPEC:
|
||||
return retval;
|
||||
break;
|
||||
default:
|
||||
fatal("key_fingerprint_raw: bad key type %d", k->type);
|
||||
break;
|
||||
@ -233,8 +237,7 @@ key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
|
||||
char *retval;
|
||||
u_int i;
|
||||
|
||||
retval = xmalloc(dgst_raw_len * 3 + 1);
|
||||
retval[0] = '\0';
|
||||
retval = xcalloc(1, dgst_raw_len * 3 + 1);
|
||||
for (i = 0; i < dgst_raw_len; i++) {
|
||||
char hex[4];
|
||||
snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
|
||||
@ -256,7 +259,7 @@ key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
|
||||
char *retval;
|
||||
|
||||
rounds = (dgst_raw_len / 2) + 1;
|
||||
retval = xmalloc(sizeof(char) * (rounds*6));
|
||||
retval = xcalloc((rounds * 6), sizeof(char));
|
||||
retval[j++] = 'x';
|
||||
for (i = 0; i < rounds; i++) {
|
||||
u_int idx0, idx1, idx2, idx3, idx4;
|
||||
@ -530,13 +533,10 @@ key_type(const Key *k)
|
||||
switch (k->type) {
|
||||
case KEY_RSA1:
|
||||
return "RSA1";
|
||||
break;
|
||||
case KEY_RSA:
|
||||
return "RSA";
|
||||
break;
|
||||
case KEY_DSA:
|
||||
return "DSA";
|
||||
break;
|
||||
}
|
||||
return "unknown";
|
||||
}
|
||||
@ -547,10 +547,8 @@ key_ssh_name(const Key *k)
|
||||
switch (k->type) {
|
||||
case KEY_RSA:
|
||||
return "ssh-rsa";
|
||||
break;
|
||||
case KEY_DSA:
|
||||
return "ssh-dss";
|
||||
break;
|
||||
}
|
||||
return "ssh-unknown";
|
||||
}
|
||||
@ -562,10 +560,8 @@ key_size(const Key *k)
|
||||
case KEY_RSA1:
|
||||
case KEY_RSA:
|
||||
return BN_num_bits(k->rsa->n);
|
||||
break;
|
||||
case KEY_DSA:
|
||||
return BN_num_bits(k->dsa->p);
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
@ -574,6 +570,7 @@ static RSA *
|
||||
rsa_generate_private_key(u_int bits)
|
||||
{
|
||||
RSA *private;
|
||||
|
||||
private = RSA_generate_key(bits, 35, NULL, NULL);
|
||||
if (private == NULL)
|
||||
fatal("rsa_generate_private_key: key generation failed.");
|
||||
@ -584,6 +581,7 @@ static DSA*
|
||||
dsa_generate_private_key(u_int bits)
|
||||
{
|
||||
DSA *private = DSA_generate_parameters(bits, NULL, 0, NULL, NULL, NULL, NULL);
|
||||
|
||||
if (private == NULL)
|
||||
fatal("dsa_generate_private_key: DSA_generate_parameters failed");
|
||||
if (!DSA_generate_key(private))
|
||||
@ -793,14 +791,11 @@ key_sign(
|
||||
switch (key->type) {
|
||||
case KEY_DSA:
|
||||
return ssh_dss_sign(key, sigp, lenp, data, datalen);
|
||||
break;
|
||||
case KEY_RSA:
|
||||
return ssh_rsa_sign(key, sigp, lenp, data, datalen);
|
||||
break;
|
||||
default:
|
||||
error("key_sign: invalid key type %d", key->type);
|
||||
return -1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
@ -820,14 +815,11 @@ key_verify(
|
||||
switch (key->type) {
|
||||
case KEY_DSA:
|
||||
return ssh_dss_verify(key, signature, signaturelen, data, datalen);
|
||||
break;
|
||||
case KEY_RSA:
|
||||
return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
|
||||
break;
|
||||
default:
|
||||
error("key_verify: invalid key type %d", key->type);
|
||||
return -1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
@ -837,7 +829,7 @@ key_demote(const Key *k)
|
||||
{
|
||||
Key *pk;
|
||||
|
||||
pk = xmalloc(sizeof(*pk));
|
||||
pk = xcalloc(1, sizeof(*pk));
|
||||
pk->type = k->type;
|
||||
pk->flags = k->flags;
|
||||
pk->dsa = NULL;
|
||||
|
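Review bot: key_fingerprint_bubblebabble's new allocation `retval = xcalloc((rounds * 6), sizeof(char));` computes the product before the call, so any overflow check xcalloc performs on nmemb * size cannot see it; `retval = xcalloc(rounds, 6);` requests the same size and lets that check apply. The input is a digest length, so this is about keeping the idiom honest rather than a reachable overflow. Also worth a line: key_new now relies on xcalloc's zeroing to leave `k->flags`, `k->dsa` and `k->rsa` cleared in place of the dropped explicit assignments; a comment such as `/* xcalloc: flags/rsa/dsa start zeroed */` at the allocation would make that dependency visible to whoever adds the next pointer member. Both functions continue outside their hunks.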
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: key.h,v 1.23 2003/11/10 16:23:41 jakob Exp $ */
|
||||
/* $OpenBSD: key.h,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
|
@ -1,3 +1,4 @@
|
||||
/* $OpenBSD: log.c,v 1.39 2006/08/18 09:13:25 deraadt Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -34,16 +35,22 @@
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: log.c,v 1.29 2003/09/23 20:17:11 markus Exp $");
|
||||
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
|
||||
# include <vis.h>
|
||||
#endif
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
|
||||
static LogLevel log_level = SYSLOG_LEVEL_INFO;
|
||||
static int log_on_stderr = 1;
|
||||
static int log_facility = LOG_AUTH;
|
||||
@ -130,6 +137,20 @@ error(const char *fmt,...)
|
||||
va_end(args);
|
||||
}
|
||||
|
||||
void
|
||||
sigdie(const char *fmt,...)
|
||||
{
|
||||
#ifdef DO_LOG_SAFE_IN_SIGHAND
|
||||
va_list args;
|
||||
|
||||
va_start(args, fmt);
|
||||
do_log(SYSLOG_LEVEL_FATAL, fmt, args);
|
||||
va_end(args);
|
||||
#endif
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
|
||||
/* Log this message (information that usually should go to the log). */
|
||||
|
||||
void
|
||||
|
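Review bot: The new sigdie() carries no comment stating its contract, and its shape — logging only under `DO_LOG_SAFE_IN_SIGHAND`, then `_exit(1)` — is exactly what a reader needs explained. A header comment along the lines of `/* Fatal exit for use from signal handlers: the message is only logged on platforms where DO_LOG_SAFE_IN_SIGHAND says do_log() may be called there, and _exit() bypasses atexit handlers and stdio flushing. */` would say why it exists alongside fatal(); the guard's name suggests do_log() is otherwise not async-signal-safe, which I cannot confirm from this section. A matching one-line note beside the prototype in log.h would help callers choose between the two, but that declaration is outside this section.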