diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 9573f8672846..b55b7692c125 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,3 +1,832 @@ +20060201 + - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to + determine the user's login name - needed for regress tests on Solaris + 10 and OpenSolaris + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2006/02/01 09:06:50 + [sshd.8] + - merge sections on protocols 1 and 2 into a single section + - remove configuration file section + ok markus + - jmc@cvs.openbsd.org 2006/02/01 09:11:41 + [sshd.8] + small tweak; + - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Update versions ahead of release + - markus@cvs.openbsd.org 2006/02/01 11:27:22 + [version.h] + openssh 4.3 + - (djm) Release OpenSSH 4.3p1 + +20060131 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2006/01/20 11:21:45 + [ssh_config.5] + - word change, agreed w/ markus + - consistency fixes + - jmc@cvs.openbsd.org 2006/01/25 09:04:34 + [sshd.8] + move the options description up the page, and a few additional tweaks + whilst in here; + ok markus + - jmc@cvs.openbsd.org 2006/01/25 09:07:22 + [sshd.8] + move subsections to full sections; + - jmc@cvs.openbsd.org 2006/01/26 08:47:56 + [ssh.1] + add a section on verifying host keys in dns; + written with a lot of help from jakob; + feedback dtucker/markus; + ok markus + - reyk@cvs.openbsd.org 2006/01/30 12:22:22 + [channels.c] + mark channel as write failed or dead instead of read failed on error + of the channel output filter. 
+ ok markus@ + - jmc@cvs.openbsd.org 2006/01/30 13:37:49 + [ssh.1] + remove an incorrect sentence; + reported by roumen petrov; + ok djm markus + - djm@cvs.openbsd.org 2006/01/31 10:19:02 + [misc.c misc.h scp.c sftp.c] + fix local arbitrary command execution vulnerability on local/local and + remote/remote copies (CVE-2006-0225, bz #1094), patch by + t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@ + - djm@cvs.openbsd.org 2006/01/31 10:35:43 + [scp.c] + "scp a b c" shouldn't clobber "c" when it is not a directory, report and + fix from biorn@; ok markus@ + - (djm) Sync regress tests to OpenBSD: + - dtucker@cvs.openbsd.org 2005/03/10 10:20:39 + [regress/forwarding.sh] + Regress test for ClearAllForwardings (bz #994); ok markus@ + - dtucker@cvs.openbsd.org 2005/04/25 09:54:09 + [regress/multiplex.sh] + Don't call cleanup in multiplex as test-exec will cleanup anyway + found by tim@, ok djm@ + NB. ID sync only, we already had this + - djm@cvs.openbsd.org 2005/05/20 23:14:15 + [regress/test-exec.sh] + force addressfamily=inet for tests, unbreaking dynamic-forward regress for + recently committed nc SOCKS5 changes + - djm@cvs.openbsd.org 2005/05/24 04:10:54 + [regress/try-ciphers.sh] + oops, new arcfour modes here too + - markus@cvs.openbsd.org 2005/06/30 11:02:37 + [regress/scp.sh] + allow SUDO=sudo; from Alexander Bluhm + - grunk@cvs.openbsd.org 2005/11/14 21:25:56 + [regress/agent-getpeereid.sh] + all other scripts in this dir use $SUDO, not 'sudo', so pull this even + ok markus@ + - dtucker@cvs.openbsd.org 2005/12/14 04:36:39 + [regress/scp-ssh-wrapper.sh] + Fix assumption about how many args scp will pass; ok djm@ + NB. 
ID sync only, we already had this + - djm@cvs.openbsd.org 2006/01/27 06:49:21 + [scp.sh] + regress test for local to local scp copies; ok dtucker@ + - djm@cvs.openbsd.org 2006/01/31 10:23:23 + [scp.sh] + regression test for CVE-2006-0225 written by dtucker@ + - djm@cvs.openbsd.org 2006/01/31 10:36:33 + [scp.sh] + regress test for "scp a b c" where "c" is not a directory + +20060129 + - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the + opensshd.init script interpretter if /sbin/sh does not exist. ok tim@ + +20060120 + - (dtucker) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2006/01/15 17:37:05 + [ssh.1] + correction from deraadt + - jmc@cvs.openbsd.org 2006/01/18 10:53:29 + [ssh.1] + add a section on ssh-based vpn, based on reyk's README.tun; + - dtucker@cvs.openbsd.org 2006/01/20 00:14:55 + [scp.1 ssh.1 ssh_config.5 sftp.1] + Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot + #1056 with feedback from jmc, djm and markus; ok jmc@ djm@ + +20060114 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2006/01/06 13:27:32 + [ssh.1] + weed out some duplicate info in the known_hosts FILES entries; + ok djm + - jmc@cvs.openbsd.org 2006/01/06 13:29:10 + [ssh.1] + final round of whacking FILES for duplicate info, and some consistency + fixes; + ok djm + - jmc@cvs.openbsd.org 2006/01/12 14:44:12 + [ssh.1] + split sections on tcp and x11 forwarding into two sections. 
+ add an example in the tcp section, based on sth i wrote for ssh faq; + help + ok: djm markus dtucker + - jmc@cvs.openbsd.org 2006/01/12 18:48:48 + [ssh.1] + refer to `TCP' rather than `TCP/IP' in the context of connection + forwarding; + ok markus + - jmc@cvs.openbsd.org 2006/01/12 22:20:00 + [sshd.8] + refer to TCP forwarding, rather than TCP/IP forwarding; + - jmc@cvs.openbsd.org 2006/01/12 22:26:02 + [ssh_config.5] + refer to TCP forwarding, rather than TCP/IP forwarding; + - jmc@cvs.openbsd.org 2006/01/12 22:34:12 + [ssh.1] + back out a sentence - AUTHENTICATION already documents this; + +20060109 + - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on + tcpip service so it's always started after IP is up. Patch from + vinschen at redhat.com. + +20060106 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2006/01/03 16:31:10 + [ssh.1] + move FILES to a -compact list, and make each files an item in that list. + this avoids nastly line wrap when we have long pathnames, and treats + each file as a separate item; + remove the .Pa too, since it is useless. + - jmc@cvs.openbsd.org 2006/01/03 16:35:30 + [ssh.1] + use a larger width for the ENVIRONMENT list; + - jmc@cvs.openbsd.org 2006/01/03 16:52:36 + [ssh.1] + put FILES in some sort of order: sort by pathname + - jmc@cvs.openbsd.org 2006/01/03 16:55:18 + [ssh.1] + tweak the description of ~/.ssh/environment + - jmc@cvs.openbsd.org 2006/01/04 18:42:46 + [ssh.1] + chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES + entries; + ok markus + - jmc@cvs.openbsd.org 2006/01/04 18:45:01 + [ssh.1] + remove .Xr's to rsh(1) and telnet(1): they are hardly needed; + - jmc@cvs.openbsd.org 2006/01/04 19:40:24 + [ssh.1] + +.Xr ssh-keyscan 1 , + - jmc@cvs.openbsd.org 2006/01/04 19:50:09 + [ssh.1] + -.Xr gzip 1 , + - djm@cvs.openbsd.org 2006/01/05 23:43:53 + [misc.c] + check that stdio file descriptors are actually closed before clobbering + them in sanitise_stdfd(). 
problems occurred when a lower numbered fd was + closed, but higher ones weren't. spotted by, and patch tested by + Frédéric Olivié + +20060103 + - (djm) [channels.c] clean up harmless merge error, from reyk@ + +20060103 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2006/01/02 17:09:49 + [ssh_config.5 sshd_config.5] + some corrections from michael knudsen; + +20060102 + - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2005/12/31 10:46:17 + [ssh.1] + merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER + AUTHENTICATION" sections into "AUTHENTICATION"; + some rewording done to make the text read better, plus some + improvements from djm; + ok djm + - jmc@cvs.openbsd.org 2005/12/31 13:44:04 + [ssh.1] + clean up ENVIRONMENT a little; + - jmc@cvs.openbsd.org 2005/12/31 13:45:19 + [ssh.1] + .Nm does not require an argument; + - stevesk@cvs.openbsd.org 2006/01/01 08:59:27 + [includes.h misc.c] + move ; ok djm@ + - stevesk@cvs.openbsd.org 2006/01/01 10:08:48 + [misc.c] + no trailing "\n" for debug() + - djm@cvs.openbsd.org 2006/01/02 01:20:31 + [sftp-client.c sftp-common.h sftp-server.c] + use a common max. packet length, no binary change + - reyk@cvs.openbsd.org 2006/01/02 07:53:44 + [misc.c] + clarify tun(4) opening - set the mode and bring the interface up. also + (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces. + suggested and ok by djm@ + - jmc@cvs.openbsd.org 2006/01/02 12:31:06 + [ssh.1] + start to cut some duplicate info from FILES; + help/ok djm + +20060101 + - (djm) [Makefile.in configure.ac includes.h misc.c] + [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support + for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is + limited to IPv4 tunnels only, and most versions don't support the + tap(4) device at all. 
+ - (djm) [configure.ac] Fix linux/if_tun.h test + - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too + +20051229 + - (djm) OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2005/12/28 22:46:06 + [canohost.c channels.c clientloop.c] + use 'break-in' for consistency; ok deraadt@ ok and input jmc@ + - reyk@cvs.openbsd.org 2005/12/30 15:56:37 + [channels.c channels.h clientloop.c] + add channel output filter interface. + ok djm@, suggested by markus@ + - jmc@cvs.openbsd.org 2005/12/30 16:59:00 + [sftp.1] + do not suggest that interactive authentication will work + with the -b flag; + based on a diff from john l. scarfone; + ok djm + - stevesk@cvs.openbsd.org 2005/12/31 01:38:45 + [ssh.1] + document -MM; ok djm@ + - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac] + [serverloop.c ssh.c openbsd-compat/Makefile.in] + [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding + compatability support for Linux, diff from reyk@ + - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does + not exist + - (djm) [configure.ac] oops, make that linux/if_tun.h + +20051229 + - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd + +20051224 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2005/12/20 21:59:43 + [ssh.1] + merge the sections on protocols 1 and 2 into one section on + authentication; + feedback djm dtucker + ok deraadt markus dtucker + - jmc@cvs.openbsd.org 2005/12/20 22:02:50 + [ssh.1] + .Ss -> .Sh: subsections have not made this page more readable + - jmc@cvs.openbsd.org 2005/12/20 22:09:41 + [ssh.1] + move info on ssh return values and config files up into the main + description; + - jmc@cvs.openbsd.org 2005/12/21 11:48:16 + [ssh.1] + -L and -R descriptions are now above, not below, ~C description; + - jmc@cvs.openbsd.org 2005/12/21 11:57:25 + [ssh.1] + options now described `above', rather than `later'; + - jmc@cvs.openbsd.org 2005/12/21 12:53:31 + [ssh.1] + -Y does X11 forwarding too; + 
ok markus + - stevesk@cvs.openbsd.org 2005/12/21 22:44:26 + [sshd.8] + clarify precedence of -p, Port, ListenAddress; ok and help jmc@ + - jmc@cvs.openbsd.org 2005/12/22 10:31:40 + [ssh_config.5] + put the description of "UsePrivilegedPort" in the correct place; + - jmc@cvs.openbsd.org 2005/12/22 11:23:42 + [ssh.1] + expand the description of -w somewhat; + help/ok reyk + - jmc@cvs.openbsd.org 2005/12/23 14:55:53 + [ssh.1] + - sync the description of -e w/ synopsis + - simplify the description of -I + - note that -I is only available if support compiled in, and that it + isn't by default + feedback/ok djm@ + - jmc@cvs.openbsd.org 2005/12/23 23:46:23 + [ssh.1] + less mark up for -c; + - djm@cvs.openbsd.org 2005/12/24 02:27:41 + [session.c sshd.c] + eliminate some code duplicated in privsep and non-privsep paths, and + explicitly clear SIGALRM handler; "groovy" deraadt@ + +20051220 + - (dtucker) OpenBSD CVS Sync + - reyk@cvs.openbsd.org 2005/12/13 15:03:02 + [serverloop.c] + if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY + - jmc@cvs.openbsd.org 2005/12/16 18:07:08 + [ssh.1] + move the option descriptions up the page: start of a restructure; + ok markus deraadt + - jmc@cvs.openbsd.org 2005/12/16 18:08:53 + [ssh.1] + simplify a sentence; + - jmc@cvs.openbsd.org 2005/12/16 18:12:22 + [ssh.1] + make the description of -c a little nicer; + - jmc@cvs.openbsd.org 2005/12/16 18:14:40 + [ssh.1] + signpost the protocol sections; + - stevesk@cvs.openbsd.org 2005/12/17 21:13:05 + [ssh_config.5 session.c] + spelling: fowarding, fowarded + - stevesk@cvs.openbsd.org 2005/12/17 21:36:42 + [ssh_config.5] + spelling: intented -> intended + - dtucker@cvs.openbsd.org 2005/12/20 04:41:07 + [ssh.c] + exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@ + +20051219 + - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac + openbsd-compat/openssl-compat.h] Check for and work around broken AES + ciphers >128bit on (some) Solaris 10 systems. 
ok djm@ + +20051217 + - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which + scp.c also uses, so undef them here. + - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our + snprintf replacement can have a conflicting declaration in HP-UX's system + headers (const vs. no const) so we now check for and work around it. Patch + from the dynamic duo of David Leonard and Ted Percival. + +20051214 + - (dtucker) OpenBSD CVS Sync (regress/) + - dtucker@cvs.openbsd.org 2005/12/30 04:36:39 + [regress/scp-ssh-wrapper.sh] + Fix assumption about how many args scp will pass; ok djm@ + +20051213 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2005/11/30 11:18:27 + [ssh.1] + timezone -> time zone + - jmc@cvs.openbsd.org 2005/11/30 11:45:20 + [ssh.1] + avoid ambiguities in describing TZ; + ok djm@ + - reyk@cvs.openbsd.org 2005/12/06 22:38:28 + [auth-options.c auth-options.h channels.c channels.h clientloop.c] + [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] + [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] + [sshconnect.h sshd.8 sshd_config sshd_config.5] + Add support for tun(4) forwarding over OpenSSH, based on an idea and + initial channel code bits by markus@. This is a simple and easy way to + use OpenSSH for ad hoc virtual private network connections, e.g. + administrative tunnels or secure wireless access. It's based on a new + ssh channel and works similar to the existing TCP forwarding support, + except that it depends on the tun(4) network interface on both ends of + the connection for layer 2 or layer 3 tunneling. This diff also adds + support for LocalCommand in the ssh(1) client. 
+ ok djm@, markus@, jmc@ (manpages), tested and discussed with others + - djm@cvs.openbsd.org 2005/12/07 03:52:22 + [clientloop.c] + reyk forgot to compile with -Werror (missing header) + - jmc@cvs.openbsd.org 2005/12/07 10:52:13 + [ssh.1] + - avoid line split in SYNOPSIS + - add args to -w + - kill trailing whitespace + - jmc@cvs.openbsd.org 2005/12/08 14:59:44 + [ssh.1 ssh_config.5] + make `!command' a little clearer; + ok reyk + - jmc@cvs.openbsd.org 2005/12/08 15:06:29 + [ssh_config.5] + keep options in order; + - reyk@cvs.openbsd.org 2005/12/08 18:34:11 + [auth-options.c includes.h misc.c misc.h readconf.c servconf.c] + [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac] + two changes to the new ssh tunnel support. this breaks compatibility + with the initial commit but is required for a portable approach. + - make the tunnel id u_int and platform friendly, use predefined types. + - support configuration of layer 2 (ethernet) or layer 3 + (point-to-point, default) modes. configuration is done using the + Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and + restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option + in sshd_config(5). + ok djm@, man page bits by jmc@ + - jmc@cvs.openbsd.org 2005/12/08 21:37:50 + [ssh_config.5] + new sentence, new line; + - markus@cvs.openbsd.org 2005/12/12 13:46:18 + [channels.c channels.h session.c] + make sure protocol messages for internal channels are ignored. + allow adjust messages for non-open channels; with and ok djm@ + - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable + again by providing a sys_tun_open() function for your platform and + setting the CUSTOM_SYS_TUN_OPEN define. 
More work is required to match + OpenBSD's tunnel protocol, which prepends the address family to the + packet + +20051201 + - (djm) [envpass.sh] Remove regress script that was accidentally committed + in top level directory and not noticed for over a year :) + +20051129 + - (tim) [ssh-keygen.c] Move DSA length test after setting default when + bits == 0. + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2005/11/29 02:04:55 + [ssh-keygen.c] + Populate default key sizes before checking them; from & ok tim@ + - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string) + for UnixWare. + +20051128 + - (dtucker) [regress/yes-head.sh] Work around breakage caused by some + versions of GNU head. Based on patch from zappaman at buraphalinux.org + - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use + _GNU_SOURCE instead. Patch from t8m at centrum.cz. + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2005/11/28 05:16:53 + [ssh-keygen.1 ssh-keygen.c] + Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2, + increase minumum RSA key size to 768 bits and update man page to reflect + these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com), + ok djm@, grudging ok deraadt@. + - dtucker@cvs.openbsd.org 2005/11/28 06:02:56 + [ssh-agent.1] + Update agent socket path templates to reflect reality, correct xref for + time formats. bz#1121, patch from openssh at roumenpetrov.info, ok djm@ + +20051126 + - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer, + when they're available) need the real UID set otherwise pam_chauthtok will + set ADMCHG after changing the password, forcing the user to change it + again immediately. + +20051125 + - (dtucker) [configure.ac] Apply tim's fix for older systems where the + resolver state in resolv.h is "state" not "__res_state". With slight + modification by me to also work on old AIXes. 
ok djm@ + - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for + snprintf formats, fixes warnings on some 64 bit platforms. Patch from + shaw at vranix.com, ok djm@ + +20051124 + - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c + openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an + asprintf() implementation, after syncing our {v,}snprintf() implementation + with some extra fixes from Samba's version. With help and debugging from + dtucker and tim; ok dtucker@ + - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument + order in Reliant Unix block. Patch from johane at lysator.liu.se. + - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so + many and use them only once. Speeds up testing on older/slower hardware. + +20051122 + - (dtucker) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2005/11/12 18:37:59 + [ssh-add.c] + space + - deraadt@cvs.openbsd.org 2005/11/12 18:38:15 + [scp.c] + avoid close(-1), as in rcp; ok cloder + - millert@cvs.openbsd.org 2005/11/15 11:59:54 + [includes.h] + Include sys/queue.h explicitly instead of assuming some other header + will pull it in. At the moment it gets pulled in by sys/select.h + (which ssh has no business including) via event.h. OK markus@ + (ID sync only in -portable) + - dtucker@cvs.openbsd.org 2005/11/21 09:42:10 + [auth-krb5.c] + Perform Kerberos calls even for invalid users to prevent leaking + information about account validity. bz #975, patch originally from + Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@, + ok markus@ + - dtucker@cvs.openbsd.org 2005/11/22 03:36:03 + [hostfile.c] + Correct format/arguments to debug call; spotted by shaw at vranix.com + ok djm@ + - (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch + from shaw at vranix.com. + +20051120 + - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what + is going on. 
+ +20051112 + - (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific + ifdef lost during sync. Spotted by tim@. + - (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag. + - (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test. + - (dtucker) [configure.ac] Remove duplicate utimes() check. ok djm@ + - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure + test: if sshd takes too long to reconfigure the subsequent connection will + fail. Zap pidfile before HUPing sshd which will rewrite it when it's ready. + +20051110 + - (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from + OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of + "register"). + - (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove + unnecessary prototype. + - (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c + revs 1.7 - 1.9. + - (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path. + Patch from djm@. + - (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+ + since they're not useful right now. Patch from djm@. + - (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI + prototypes, removal of "register"). + - (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal + of "register"). + - (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to + after the copyright notices. Having them at the top next to the CVSIDs + guarantees a conflict for each and every sync. + - (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10. + - (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker. + - (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7. + Removal of rcsid, "whiteout" inode type. + - (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14. + Removal of rcsid, will no longer strlcpy parts of the string. 
+ - (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5. + - (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7. + - (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18. + - (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5. + - (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25. + - (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9. + - (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14. + - (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up + with OpenBSD code since we don't support platforms without fstat any more. + - (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9. + - (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6. + - (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7. + - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6. + - (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6. + - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13. + - (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19. + - (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8. + - (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker. + - (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17. + - (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4. + Id and copyright sync only, there were no substantial changes we need. + - (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c] + -Wsign-compare fixes from djm. + - (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3. + Id and copyright sync only, there were no substantial changes we need. + - (dtucker) [configure.ac] Try to get the gcc version number in a way that + doesn't change between versions, and use a safer default. 
+ +20051105 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2005/10/07 11:13:57 + [ssh-keygen.c] + change DSA default back to 1024, as it's defined for 1024 bits only + and this causes interop problems with other clients. moreover, + in order to improve the security of DSA you need to change more + components of DSA key generation (e.g. the internal SHA1 hash); + ok deraadt + - djm@cvs.openbsd.org 2005/10/10 10:23:08 + [channels.c channels.h clientloop.c serverloop.c session.c] + fix regression I introduced in 4.2: X11 forwardings initiated after + a session has exited (e.g. "(sleep 5; xterm) &") would not start. + bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@ + - djm@cvs.openbsd.org 2005/10/11 23:37:37 + [channels.c] + bz #1076 set SO_REUSEADDR on X11 forwarding listner sockets, preventing + bind() failure when a previous connection's listeners are in TIME_WAIT, + reported by plattner AT inf.ethz.ch; ok dtucker@ + - stevesk@cvs.openbsd.org 2005/10/13 14:03:01 + [auth2-gss.c gss-genr.c gss-serv.c] + remove unneeded #includes; ok markus@ + - stevesk@cvs.openbsd.org 2005/10/13 14:20:37 + [gss-serv.c] + spelling in comments + - stevesk@cvs.openbsd.org 2005/10/13 19:08:08 + [gss-serv-krb5.c gss-serv.c] + unused declarations; ok deraadt@ + (id sync only for gss-serv-krb5.c) + - stevesk@cvs.openbsd.org 2005/10/13 19:13:41 + [dns.c] + unneeded #include, unused declaration, little knf; ok deraadt@ + - stevesk@cvs.openbsd.org 2005/10/13 22:24:31 + [auth2-gss.c gss-genr.c gss-serv.c monitor.c] + KNF; ok djm@ + - stevesk@cvs.openbsd.org 2005/10/14 02:17:59 + [ssh-keygen.c ssh.c sshconnect2.c] + no trailing "\n" for log functions; ok djm@ + - stevesk@cvs.openbsd.org 2005/10/14 02:29:37 + [channels.c clientloop.c] + free()->xfree(); ok djm@ + - stevesk@cvs.openbsd.org 2005/10/15 15:28:12 + [sshconnect.c] + make external definition static; ok deraadt@ + - stevesk@cvs.openbsd.org 2005/10/17 13:45:05 + [dns.c] + fix memory leaks from 2 sources: + 1) 
key_fingerprint_raw() + 2) malloc in dns_read_rdata() + ok jakob@ + - stevesk@cvs.openbsd.org 2005/10/17 14:01:28 + [dns.c] + remove #ifdef LWRES; ok jakob@ + - stevesk@cvs.openbsd.org 2005/10/17 14:13:35 + [dns.c dns.h] + more cleanups; ok jakob@ + - djm@cvs.openbsd.org 2005/10/30 01:23:19 + [ssh_config.5] + mention control socket fallback behaviour, reported by + tryponraj AT gmail.com + - djm@cvs.openbsd.org 2005/10/30 04:01:03 + [ssh-keyscan.c] + make ssh-keygen discard junk from server before SSH- ident, spotted by + dave AT cirt.net; ok dtucker@ + - djm@cvs.openbsd.org 2005/10/30 04:03:24 + [ssh.c] + fix misleading debug message; ok dtucker@ + - dtucker@cvs.openbsd.org 2005/10/30 08:29:29 + [canohost.c sshd.c] + Check for connections with IP options earlier and drop silently. ok djm@ + - jmc@cvs.openbsd.org 2005/10/30 08:43:47 + [ssh_config.5] + remove trailing whitespace; + - djm@cvs.openbsd.org 2005/10/30 08:52:18 + [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c] + [ssh.c sshconnect.c sshconnect1.c sshd.c] + no need to escape single quotes in comments, no binary change + - dtucker@cvs.openbsd.org 2005/10/31 06:15:04 + [sftp.c] + Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@ + - djm@cvs.openbsd.org 2005/10/31 11:12:49 + [ssh-keygen.1 ssh-keygen.c] + generate a protocol 2 RSA key by default + - djm@cvs.openbsd.org 2005/10/31 11:48:29 + [serverloop.c] + make sure we clean up wtmp, etc. file when we receive a SIGTERM, + SIGINT or SIGQUIT when running without privilege separation (the + normal privsep case is already OK). 
Patch mainly by dtucker@ and + senthilkumar_sen AT hotpop.com; ok dtucker@ + - jmc@cvs.openbsd.org 2005/10/31 19:55:25 + [ssh-keygen.1] + grammar; + - dtucker@cvs.openbsd.org 2005/11/03 13:38:29 + [canohost.c] + Cache reverse lookups with and without DNS separately; ok markus@ + - djm@cvs.openbsd.org 2005/11/04 05:15:59 + [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c] + remove hardcoded hash lengths in key exchange code, allowing + implementation of KEX methods with different hashes (e.g. SHA-256); + ok markus@ dtucker@ stevesk@ + - djm@cvs.openbsd.org 2005/11/05 05:01:15 + [bufaux.c] + Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT + cs.stanford.edu; ok dtucker@ + - (dtucker) [README.platform] Add PAM section. + - (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version, + resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu; + ok dtucker@ + +20051102 + - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup(). + Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net + via FreeBSD. + +20051030 + - (djm) [contrib/suse/openssh.spec contrib/suse/rc. + sshd contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init + files from imorgan AT nas.nasa.gov + - (dtucker) [session.c] Bug #1045do not check /etc/nologin when PAM is + enabled, instead allow PAM to handle it. Note that on platforms using PAM, + the pam_nologin module should be added to sshd's session stack in order to + maintain exising behaviour. Based on patch and discussion from t8m at + centrum.cz, ok djm@ + +20051025 + - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the + sizeof(long long) checks, to make fixing bug #1104 easier (no changes + yet). + - (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't + understand "%lld", even though the compiler has "long long", so handle + it as a special case. Patch tested by mcaskill.scott at epa.gov. 
+ - (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no + prompt. Patch from vinschen at redhat.com. + +20051017 + - (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling. + /etc/default/login report and testing from aabaker at iee.org, corrections + from tim@. + +20051009 + - (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current + versions from OpenBSD. ok djm@ + +20051008 + - (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from + brian.smith at agilent com. + - (djm) [configure.ac] missing 'test' call for -with-Werror test + +20051005 + - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended + "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and + senthilkumar_sen at hotpop.com. + +20051003 + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2005/09/07 08:53:53 + [channels.c] + enforce chanid != NULL; ok djm + - markus@cvs.openbsd.org 2005/09/09 19:18:05 + [clientloop.c] + typo; from mark at mcs.vuw.ac.nz, bug #1082 + - djm@cvs.openbsd.org 2005/09/13 23:40:07 + [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c + scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c] + ensure that stdio fds are attached; ok deraadt@ + - djm@cvs.openbsd.org 2005/09/19 11:37:34 + [ssh_config.5 ssh.1] + mention ability to specify bind_address for DynamicForward and -D options; + bz#1077 spotted by Haruyama Seigo + - djm@cvs.openbsd.org 2005/09/19 11:47:09 + [sshd.c] + stop connection abort on rekey with delayed compression enabled when + post-auth privsep is disabled (e.g. 
when root is logged in); ok dtucker@ + - djm@cvs.openbsd.org 2005/09/19 11:48:10 + [gss-serv.c] + typo + - jmc@cvs.openbsd.org 2005/09/19 15:38:27 + [ssh.1] + some more .Bk/.Ek to avoid ugly line split; + - jmc@cvs.openbsd.org 2005/09/19 15:42:44 + [ssh.c] + update -D usage here too; + - djm@cvs.openbsd.org 2005/09/19 23:31:31 + [ssh.1] + spelling nit from stevesk@ + - djm@cvs.openbsd.org 2005/09/21 23:36:54 + [sshd_config.5] + aquire -> acquire, from stevesk@ + - djm@cvs.openbsd.org 2005/09/21 23:37:11 + [sshd.c] + change label at markus@'s request + - jaredy@cvs.openbsd.org 2005/09/30 20:34:26 + [ssh-keyscan.1] + deploy .An -nosplit; ok jmc + - dtucker@cvs.openbsd.org 2005/10/03 07:44:42 + [canohost.c] + Relocate check_ip_options call to prevent logging of garbage for + connections with IP options set. bz#1092 from David Leonard, + "looks good" deraadt@ + - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp + is required in the system path for the multiplex test to work. + +20050930 + - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype + for strtoll. Patch from o.flebbe at science-computing.de. + - (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep + child during PAM account check without clearing it. This restores the + post-login warnings such as LDAP password expiry. Patch from Tomas Mraz + with help from several others. + +20050929 + - (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg + introduced during sync. + +20050928 + - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency. + - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from + PAM via keyboard-interactive. Patch tested by the folks at Vintela. + +20050927 + - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid + calls, since they can't possibly fail. 
ok djm@ + - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed + process when sshd relies on ssh-random-helper. Should result in faster + logins on systems without a real random device or prngd. ok djm@ + +20050924 + - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove + duplicate call. ok djm@ + +20050922 + - (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from + skeleten at shillest.net. + - (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at + shillest.net. + +20050919 + - (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to + AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages. + ok dtucker@ + +20050912 + - (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by + Mike Frysinger. + +20050908 + - (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to + OpenServer 6 and add osr5bigcrypt support so when someone migrates + passwords between UnixWare and OpenServer they will still work. OK dtucker@ + 20050901 - (djm) Update RPM spec file versions @@ -2989,4 +3818,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3887 2005/09/01 09:10:48 djm Exp $ +$Id: ChangeLog,v 1.4117.2.1 2006/02/01 11:33:14 djm Exp $ diff --git a/crypto/openssh/Makefile.in b/crypto/openssh/Makefile.in index fcbc522f20f7..af881c521209 100644 --- a/crypto/openssh/Makefile.in +++ b/crypto/openssh/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.273 2005/05/29 07:22:29 dtucker Exp $ +# $Id: Makefile.in,v 1.274 2006/01/01 08:47:05 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -139,7 +139,7 @@ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o - $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff --git a/crypto/openssh/README b/crypto/openssh/README index 51f0ca4fb1b0..924293b663cd 100644 --- a/crypto/openssh/README +++ b/crypto/openssh/README @@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-4.2 for the release notes. +See http://www.openssh.com/txt/release-4.3 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html @@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.60 2005/08/31 14:05:57 dtucker Exp $ +$Id: README,v 1.61 2005/12/01 11:21:04 dtucker Exp $ diff --git a/crypto/openssh/README.platform b/crypto/openssh/README.platform index af551de481e5..4c18a3278a60 100644 --- a/crypto/openssh/README.platform +++ b/crypto/openssh/README.platform 
@@ -45,4 +45,14 @@ number is already in use on your system, you may change it at build time by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. -$Id: README.platform,v 1.5 2005/02/20 10:01:49 dtucker Exp $ +Platforms using PAM +------------------- +As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when +PAM is enabled. To maintain existing behaviour, pam_nologin should be +added to sshd's session stack which will prevent users from starting shell +sessions. Alternatively, pam_nologin can be added to either the auth or +account stacks which will prevent authentication entirely, but will still +return the output from pam_nologin to the client. + + +$Id: README.platform,v 1.6 2005/11/05 05:28:35 dtucker Exp $ diff --git a/crypto/openssh/README.tun b/crypto/openssh/README.tun new file mode 100644 index 000000000000..d814f396d5b9 --- /dev/null +++ b/crypto/openssh/README.tun 
@@ -0,0 +1,132 @@ +How to use OpenSSH-based virtual private networks +------------------------------------------------- + +OpenSSH contains support for VPN tunneling using the tun(4) network +tunnel pseudo-device which is available on most platforms, either for +layer 2 or 3 traffic. + +The following brief instructions on how to use this feature use +a network configuration specific to the OpenBSD operating system. + +(1) Server: Enable support for SSH tunneling + +To enable the ssh server to accept tunnel requests from the client, you +have to add the following option to the ssh server configuration file +(/etc/ssh/sshd_config): + + PermitTunnel yes + +Restart the server or send the hangup signal (SIGHUP) to let the server +reread it's configuration. + +(2) Server: Restrict client access and assign the tunnel + +The OpenSSH server simply uses the file /root/.ssh/authorized_keys to +restrict the client to connect to a specified tunnel and to +automatically start the related interface configuration command. These +settings are optional but recommended: + + tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org + +(3) Client: Configure the local network tunnel interface + +Use the hostname.if(5) interface-specific configuration file to set up +the network tunnel configuration with OpenBSD. 
For example, use the +following configuration in /etc/hostname.tun0 to set up the layer 3 +tunnel on the client: + + inet 192.168.5.1 255.255.255.252 192.168.5.2 + +OpenBSD also supports layer 2 tunneling over the tun device by adding +the link0 flag: + + inet 192.168.1.78 255.255.255.0 192.168.1.255 link0 + +Layer 2 tunnels can be used in combination with an Ethernet bridge(4) +interface, like the following example for /etc/bridgename.bridge0: + + add tun0 + add sis0 + up + +(4) Client: Configure the OpenSSH client + +To establish tunnel forwarding for connections to a specified +remote host by default, use the following ssh client configuration for +the privileged user (in /root/.ssh/config): + + Host sshgateway + Tunnel yes + TunnelDevice 0:any + PermitLocalCommand yes + LocalCommand sh /etc/netstart tun0 + +A more complicated configuration is possible to establish a tunnel to +a remote host which is not directly accessible by the client. +The following example describes a client configuration to connect to +the remote host over two ssh hops in between. It uses the OpenSSH +ProxyCommand in combination with the nc(1) program to forward the final +ssh tunnel destination over multiple ssh sessions. + + Host access.somewhere.net + User puffy + Host dmzgw + User puffy + ProxyCommand ssh access.somewhere.net nc dmzgw 22 + Host sshgateway + Tunnel Ethernet + TunnelDevice 0:any + PermitLocalCommand yes + LocalCommand sh /etc/netstart tun0 + ProxyCommand ssh dmzgw nc sshgateway 22 + +The following network plan illustrates the previous configuration in +combination with layer 2 tunneling and Ethernet bridging. + ++--------+ ( ) +----------------------+ +| Client |------( Internet )-----| access.somewhere.net | ++--------+ ( ) +----------------------+ + : 192.168.1.78 | + :............................. 
+-------+ + Forwarded ssh connection : | dmzgw | + Layer 2 tunnel : +-------+ + : | + : | + : +------------+ + :......| sshgateway | + | +------------+ +--- real connection Bridge -> | +----------+ +... "virtual connection" [ X ]--------| somehost | +[X] switch +----------+ + 192.168.1.25 + +(5) Client: Connect to the server and establish the tunnel + +Finally connect to the OpenSSH server to establish the tunnel by using +the following command: + + ssh sshgateway + +It is also possible to tell the client to fork into the background after +the connection has been successfully established: + + ssh -f sshgateway true + +Without the ssh configuration done in step (4), it is also possible +to use the following command lines: + + ssh -fw 0:1 sshgateway true + ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252 + +Using OpenSSH tunnel forwarding is a simple way to establish secure +and ad hoc virtual private networks. Possible fields of application +could be wireless networks or administrative VPN tunnels. + +Nevertheless, ssh tunneling requires some packet header overhead and +runs on top of TCP. It is still suggested to use the IP Security +Protocol (IPSec) for robust and permanent VPN connections and to +interconnect corporate networks. + + Reyk Floeter + +$OpenBSD: README.tun,v 1.3 2005/12/08 18:34:10 reyk Exp $ diff --git a/crypto/openssh/aclocal.m4 b/crypto/openssh/aclocal.m4 index 2705a9b23f7e..b68a47080ffc 100644 --- a/crypto/openssh/aclocal.m4 +++ b/crypto/openssh/aclocal.m4 @@ -1,4 +1,4 @@ -dnl $Id: aclocal.m4,v 1.5 2001/10/22 00:53:59 tim Exp $ +dnl $Id: aclocal.m4,v 1.6 2005/09/19 16:33:39 tim Exp $ dnl dnl OpenSSH-specific autoconf macros dnl @@ -26,7 +26,7 @@ AC_DEFUN(OSSH_CHECK_HEADER_FOR_FIELD, [ if test -n "`echo $ossh_varname`"; then AC_MSG_RESULT($ossh_result) if test "x$ossh_result" = "xyes"; then - AC_DEFINE($3) + AC_DEFINE($3, 1, [Define if you have $1 in $2]) fi else AC_MSG_RESULT(no) 
diff --git a/crypto/openssh/auth-options.c b/crypto/openssh/auth-options.c index a85e408359ee..ad97e612939d 100644 --- a/crypto/openssh/auth-options.c +++ b/crypto/openssh/auth-options.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-options.c,v 1.31 2005/03/10 22:40:38 deraadt Exp $"); +RCSID("$OpenBSD: auth-options.c,v 1.33 2005/12/08 18:34:11 reyk Exp $"); #include "xmalloc.h" #include "match.h" @@ -35,6 +35,9 @@ char *forced_command = NULL; /* "environment=" options. */ struct envstring *custom_environment = NULL; +/* "tunnel=" option. */ +int forced_tun_device = -1; + extern ServerOptions options; void @@ -54,6 +57,7 @@ auth_clear_options(void) xfree(forced_command); forced_command = NULL; } + forced_tun_device = -1; channel_clear_permitted_opens(); auth_debug_reset(); } @@ -269,6 +273,41 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) xfree(patterns); goto next_option; } + cp = "tunnel=\""; + if (strncasecmp(opts, cp, strlen(cp)) == 0) { + char *tun = NULL; + opts += strlen(cp); + tun = xmalloc(strlen(opts) + 1); + i = 0; + while (*opts) { + if (*opts == '"') + break; + tun[i++] = *opts++; + } + if (!*opts) { + debug("%.100s, line %lu: missing end quote", + file, linenum); + auth_debug_add("%.100s, line %lu: missing end quote", + file, linenum); + xfree(tun); + forced_tun_device = -1; + goto bad_option; + } + tun[i] = 0; + forced_tun_device = a2tun(tun, NULL); + xfree(tun); + if (forced_tun_device == SSH_TUNID_ERR) { + debug("%.100s, line %lu: invalid tun device", + file, linenum); + auth_debug_add("%.100s, line %lu: invalid tun device", + file, linenum); + forced_tun_device = -1; + goto bad_option; + } + auth_debug_add("Forced tun device: %d", forced_tun_device); + opts++; + goto next_option; + } next_option: /* * Skip the comma, and move to the next option diff --git a/crypto/openssh/auth-options.h b/crypto/openssh/auth-options.h index 15fb21255e53..3cd02a71ff0d 100644 --- a/crypto/openssh/auth-options.h 
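Review bot: The new `tunnel=` branch in auth_parse_options introduces a -1 sentinel for forced_tun_device, but the earlier hunk in this file documents the variable only as `/* "tunnel=" option. */`, so nothing says what -1 means to the readers of auth-options.h who only see the `extern`. I'd extend that comment to `/* "tunnel=" option: tun(4) device number forced for this key, or -1 for none. */`. Both error paths in the new branch assign `forced_tun_device = -1;` before `goto bad_option`; whether that is redundant depends on what bad_option does (outside the hunk), so a one-line comment on why the reset is done locally would help. auth_parse_options begins and ends outside this hunk.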
+++ b/crypto/openssh/auth-options.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.h,v 1.12 2002/07/21 18:34:43 stevesk Exp $ */ +/* $OpenBSD: auth-options.h,v 1.13 2005/12/06 22:38:27 reyk Exp $ */ /* * Author: Tatu Ylonen @@ -28,6 +28,7 @@ extern int no_x11_forwarding_flag; extern int no_pty_flag; extern char *forced_command; extern struct envstring *custom_environment; +extern int forced_tun_device; int auth_parse_options(struct passwd *, char *, char *, u_long); void auth_clear_options(void); diff --git a/crypto/openssh/auth2-gss.c b/crypto/openssh/auth2-gss.c index 4d468a0e8b79..95844a05e5ba 100644 --- a/crypto/openssh/auth2-gss.c +++ b/crypto/openssh/auth2-gss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.10 2005/07/17 07:17:54 djm Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.12 2005/10/13 22:24:31 stevesk Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -34,7 +34,6 @@ #include "log.h" #include "dispatch.h" #include "servconf.h" -#include "compat.h" #include "packet.h" #include "monitor_wrap.h" @@ -49,7 +48,7 @@ static void input_gssapi_errtok(int, u_int32_t, void *); /* * We only support those mechanisms that we know about (ie ones that we know - * how to check local user kuserok and the like + * how to check local user kuserok and the like) */ static int userauth_gssapi(Authctxt *authctxt) @@ -105,7 +104,7 @@ userauth_gssapi(Authctxt *authctxt) return (0); } - authctxt->methoddata=(void *)ctxt; + authctxt->methoddata = (void *)ctxt; packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE); diff --git a/crypto/openssh/buildpkg.sh.in b/crypto/openssh/buildpkg.sh.in index f90ae6e8113e..cb9eb3048712 100644 --- a/crypto/openssh/buildpkg.sh.in +++ b/crypto/openssh/buildpkg.sh.in 
@@ -353,7 +353,7 @@ else # Create user if required [ "\$DO_PASSWD" = yes ] && { # Use uid of 67 if possible - if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null then : else diff --git a/crypto/openssh/cipher-aes.c b/crypto/openssh/cipher-aes.c index 22d500d4290a..228ddb104417 100644 --- a/crypto/openssh/cipher-aes.c +++ b/crypto/openssh/cipher-aes.c @@ -23,7 +23,11 @@ */ #include "includes.h" -#if OPENSSL_VERSION_NUMBER < 0x00907000L + +/* compatibility with old or broken OpenSSL versions */ +#include "openbsd-compat/openssl-compat.h" + +#ifdef USE_BUILTIN_RIJNDAEL RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $"); #include @@ -31,10 +35,6 @@ RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $"); #include "xmalloc.h" #include "log.h" -#if OPENSSL_VERSION_NUMBER < 0x00906000L -#define SSH_OLD_EVP -#endif - #define RIJNDAEL_BLOCKSIZE 16 struct ssh_rijndael_ctx { @@ -157,4 +157,4 @@ evp_rijndael(void) #endif return (&rijndal_cbc); } -#endif /* OPENSSL_VERSION_NUMBER */ +#endif /* USE_BUILTIN_RIJNDAEL */ diff --git a/crypto/openssh/cipher-ctr.c b/crypto/openssh/cipher-ctr.c index 856177349d17..8a98f3c42559 100644 --- a/crypto/openssh/cipher-ctr.c +++ b/crypto/openssh/cipher-ctr.c @@ -21,11 +21,10 @@ RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $"); #include "log.h" #include "xmalloc.h" -#if OPENSSL_VERSION_NUMBER < 0x00906000L -#define SSH_OLD_EVP -#endif +/* compatibility with old or broken OpenSSL versions */ +#include "openbsd-compat/openssl-compat.h" -#if OPENSSL_VERSION_NUMBER < 0x00907000L +#ifdef USE_BUILTIN_RIJNDAEL #include "rijndael.h" #define AES_KEY rijndael_ctx #define AES_BLOCK_SIZE 16 diff --git a/crypto/openssh/clientloop.c b/crypto/openssh/clientloop.c index 47f3c7ecd9bf..b76f7cfe0536 100644 --- a/crypto/openssh/clientloop.c +++ b/crypto/openssh/clientloop.c 
@@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.149 2005/12/30 15:56:37 reyk Exp $"); #include "ssh.h" #include "ssh1.h" @@ -77,6 +77,7 @@ RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $"); #include "log.h" #include "readconf.h" #include "clientloop.h" +#include "sshconnect.h" #include "authfd.h" #include "atomicio.h" #include "sshpty.h" @@ -113,7 +114,7 @@ extern char *host; static volatile sig_atomic_t received_window_change_signal = 0; static volatile sig_atomic_t received_signal = 0; -/* Flag indicating whether the user\'s terminal is in non-blocking mode. */ +/* Flag indicating whether the user's terminal is in non-blocking mode. */ static int in_non_blocking_mode = 0; /* Common data for the client loop code. */ @@ -266,7 +267,7 @@ client_x11_get_proto(const char *display, const char *xauth_path, } } snprintf(cmd, sizeof(cmd), - "%s %s%s list %s . 2>" _PATH_DEVNULL, + "%s %s%s list %s 2>" _PATH_DEVNULL, xauth_path, generated ? "-f " : "" , generated ? xauthfile : "", @@ -914,6 +915,15 @@ process_cmdline(void) logit(" -Lport:host:hostport Request local forward"); logit(" -Rport:host:hostport Request remote forward"); logit(" -KRhostport Cancel remote forward"); + if (!options.permit_local_command) + goto out; + logit(" !args Execute local command"); + goto out; + } + + if (*s == '!' && options.permit_local_command) { + s++; + ssh_local_cmd(s); goto out; } @@ -1376,10 +1386,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) session_ident = ssh2_chan_id; if (escape_char != SSH_ESCAPECHAR_NONE) channel_register_filter(session_ident, - simple_escape_filter); + simple_escape_filter, NULL); if (session_ident != -1) channel_register_cleanup(session_ident, - client_channel_closed); + client_channel_closed, 0); } else { /* Check if we should immediately send eof on stdin. */ client_check_initial_eof_on_stdin(); 
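Review bot: The new `!` branch in process_cmdline hands the rest of the escape command line to ssh_local_cmd() with no comment tying it to the permission check, and a reader has to cross-reference the config parser to see that `options.permit_local_command` is presumably the `PermitLocalCommand` setting that README.tun in this same commit describes. I'd add `/* "!cmd": run cmd locally; allowed only under PermitLocalCommand, the same gate as LocalCommand */` above `if (*s == '!' && options.permit_local_command)`. Note also that `s++` skips only the `!`, so any whitespace after it is passed to ssh_local_cmd() as part of the command string; if that is intended, a word in the comment saves the next reader a question. process_cmdline begins outside this hunk.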
@@ -1678,7 +1688,7 @@ client_request_x11(const char *request_type, int rchan) if (!options.forward_x11) { error("Warning: ssh server tried X11 forwarding."); - error("Warning: this is probably a break in attempt by a malicious server."); + error("Warning: this is probably a break-in attempt by a malicious server."); return NULL; } originator = packet_get_string(NULL); @@ -1711,7 +1721,7 @@ client_request_agent(const char *request_type, int rchan) if (!options.forward_agent) { error("Warning: ssh server tried agent forwarding."); - error("Warning: this is probably a break in attempt by a malicious server."); + error("Warning: this is probably a break-in attempt by a malicious server."); return NULL; } sock = ssh_get_authentication_socket(); @@ -1880,7 +1890,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem, /* Split */ name = xstrdup(env[i]); if ((val = strchr(name, '=')) == NULL) { - free(name); + xfree(name); continue; } *val++ = '\0'; @@ -1894,7 +1904,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem, } if (!matched) { debug3("Ignored env %s", name); - free(name); + xfree(name); continue; } @@ -1903,7 +1913,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem, packet_put_cstring(name); packet_put_cstring(val); packet_send(); - free(name); + xfree(name); } } diff --git a/crypto/openssh/defines.h b/crypto/openssh/defines.h index 408b988b5a97..f25934176440 100644 --- a/crypto/openssh/defines.h +++ b/crypto/openssh/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.127 2005/08/31 16:59:49 tim Exp $ */ +/* $Id: defines.h,v 1.130 2005/12/17 11:04:09 dtucker Exp $ */ /* Constants */ @@ -450,6 +450,10 @@ struct winsize { # define __sentinel__ #endif +#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__) +# define __bounded__(x, y, z) +#endif + /* *-*-nto-qnx doesn't define this macro in the system headers */ #ifdef MISSING_HOWMANY # define howmany(x,y) (((x)+((y)-1))/(y)) 
@@ -688,7 +692,7 @@ struct winsize { # define CUSTOM_SYS_AUTH_PASSWD 1 #endif -#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF) +#ifdef HAVE_LIBIAF # define CUSTOM_SYS_AUTH_PASSWD 1 #endif @@ -711,4 +715,12 @@ struct winsize { # undef HAVE_MMAP #endif +/* some system headers on HP-UX define YES/NO */ +#ifdef YES +# undef YES +#endif +#ifdef NO +# undef NO +#endif + #endif /* _DEFINES_H */ diff --git a/crypto/openssh/dns.c b/crypto/openssh/dns.c index 4487c1abaf23..a71dd9bff120 100644 --- a/crypto/openssh/dns.c +++ b/crypto/openssh/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $ */ +/* $OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -25,27 +25,16 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - #include "includes.h" +RCSID("$OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $"); -#include -#ifdef LWRES -#include -#include -#else /* LWRES */ #include -#endif /* LWRES */ #include "xmalloc.h" #include "key.h" #include "dns.h" #include "log.h" -#include "uuencode.h" -extern char *__progname; -RCSID("$OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $"); - -#ifndef LWRES static const char *errset_text[] = { "success", /* 0 ERRSET_SUCCESS */ "out of memory", /* 1 ERRSET_NOMEMORY */ @@ -75,8 +64,6 @@ dns_result_totext(unsigned int res) return "unknown error"; } } -#endif /* LWRES */ - /* * Read SSHFP parameters from key buffer. @@ -95,12 +82,14 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type, *algorithm = SSHFP_KEY_DSA; break; default: - *algorithm = SSHFP_KEY_RESERVED; + *algorithm = SSHFP_KEY_RESERVED; /* 0 */ } if (*algorithm) { *digest_type = SSHFP_HASH_SHA1; *digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len); + if (*digest == NULL) + fatal("dns_read_key: null from key_fingerprint_raw()"); success = 1; } else { *digest_type = SSHFP_HASH_RESERVED; 
@@ -133,7 +122,7 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type, *digest = (u_char *) xmalloc(*digest_len); memcpy(*digest, rdata + 2, *digest_len); } else { - *digest = NULL; + *digest = xstrdup(""); } success = 1; @@ -187,7 +176,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, *flags = 0; - debug3("verify_hostkey_dns"); + debug3("verify_host_key_dns"); if (hostkey == NULL) fatal("No key to look up!"); @@ -223,7 +212,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, if (fingerprints->rri_nrdatas) *flags |= DNS_VERIFY_FOUND; - for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++) { + for (counter = 0; counter < fingerprints->rri_nrdatas; counter++) { /* * Extract the key from the answer. Ignore any badly * formatted fingerprints. @@ -247,8 +236,10 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, *flags |= DNS_VERIFY_MATCH; } } + xfree(dnskey_digest); } + xfree(hostkey_digest); /* from key_fingerprint_raw() */ freerrset(fingerprints); if (*flags & DNS_VERIFY_FOUND) @@ -262,7 +253,6 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, return 0; } - /* * Export the fingerprint of a key as a DNS resource record */ @@ -278,7 +268,7 @@ export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic) int success = 0; if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type, - &rdata_digest, &rdata_digest_len, key)) { + &rdata_digest, &rdata_digest_len, key)) { if (generic) fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname, @@ -291,9 +281,10 @@ export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic) for (i = 0; i < rdata_digest_len; i++) fprintf(f, "%02x", rdata_digest[i]); fprintf(f, "\n"); + xfree(rdata_digest); /* from key_fingerprint_raw() */ success = 1; } else { - error("dns_export_rr: unsupported algorithm"); + error("export_dns_rr: unsupported algorithm"); } return success; 
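Review bot: `*digest = xstrdup("");` in dns_read_rdata replaces a NULL with a freeable one-byte allocation, evidently so that verify_host_key_dns can `xfree(dnskey_digest)` unconditionally at the bottom of its loop, but the reason is not stated; I'd annotate it as `*digest = xstrdup(""); /* always allocated so callers can xfree() unconditionally */`. The per-iteration `xfree(dnskey_digest)` is correct only if every path through the loop body assigns dnskey_digest before reaching it; if the failed-dns_read_rdata path (outside the hunk) falls through instead of using `continue`, the free operates on an uninitialized or stale pointer, so that path is worth checking. The bodies of dns_read_rdata and verify_host_key_dns start outside their hunks.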
diff --git a/crypto/openssh/dns.h b/crypto/openssh/dns.h index c5da22ef61a4..0aa1c28f2845 100644 --- a/crypto/openssh/dns.h +++ b/crypto/openssh/dns.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.h,v 1.5 2003/11/12 16:39:58 jakob Exp $ */ +/* $OpenBSD: dns.h,v 1.6 2005/10/17 14:13:35 stevesk Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -25,7 +25,6 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - #include "includes.h" #ifndef DNS_H @@ -49,7 +48,6 @@ enum sshfp_hashes { #define DNS_VERIFY_MATCH 0x00000002 #define DNS_VERIFY_SECURE 0x00000004 - int verify_host_key_dns(const char *, struct sockaddr *, const Key *, int *); int export_dns_rr(const char *, const Key *, FILE *, int); diff --git a/crypto/openssh/entropy.c b/crypto/openssh/entropy.c index 410bbb927500..e5b45b0b614f 100644 --- a/crypto/openssh/entropy.c +++ b/crypto/openssh/entropy.c @@ -26,6 +26,7 @@ #include #include +#include #include "ssh.h" #include "misc.h" @@ -33,6 +34,8 @@ #include "atomicio.h" #include "pathnames.h" #include "log.h" +#include "buffer.h" +#include "bufaux.h" /* * Portable OpenSSH PRNG seeding: @@ -45,7 +48,7 @@ * XXX: we should tell the child how many bytes we need. */ -RCSID("$Id: entropy.c,v 1.49 2005/07/17 07:26:44 djm Exp $"); +RCSID("$Id: entropy.c,v 1.52 2005/09/27 22:26:30 dtucker Exp $"); #ifndef OPENSSL_PRNG_ONLY #define RANDOM_SEED_SIZE 48 
@@ -145,10 +148,35 @@ init_rng(void) "have %lx", OPENSSL_VERSION_NUMBER, SSLeay()); #ifndef OPENSSL_PRNG_ONLY - if ((original_uid = getuid()) == -1) - fatal("getuid: %s", strerror(errno)); - if ((original_euid = geteuid()) == -1) - fatal("geteuid: %s", strerror(errno)); + original_uid = getuid(); + original_euid = geteuid(); #endif } +#ifndef OPENSSL_PRNG_ONLY +void +rexec_send_rng_seed(Buffer *m) +{ + u_char buf[RANDOM_SEED_SIZE]; + + if (RAND_bytes(buf, sizeof(buf)) <= 0) { + error("Couldn't obtain random bytes (error %ld)", + ERR_get_error()); + buffer_put_string(m, "", 0); + } else + buffer_put_string(m, buf, sizeof(buf)); +} + +void +rexec_recv_rng_seed(Buffer *m) +{ + u_char *buf; + u_int len; + + buf = buffer_get_string_ret(m, &len); + if (buf != NULL) { + debug3("rexec_recv_rng_seed: seeding rng with %u bytes", len); + RAND_add(buf, len, len); + } +} +#endif diff --git a/crypto/openssh/entropy.h b/crypto/openssh/entropy.h index 5f63c1f1fc4d..ec1ebcc57600 100644 --- a/crypto/openssh/entropy.h +++ b/crypto/openssh/entropy.h @@ -22,12 +22,17 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: entropy.h,v 1.4 2001/02/09 01:55:36 djm Exp $ */ +/* $Id: entropy.h,v 1.5 2005/09/27 12:46:32 dtucker Exp $ */ #ifndef _RANDOMS_H #define _RANDOMS_H +#include "buffer.h" + void seed_rng(void); void init_rng(void); +void rexec_send_rng_seed(Buffer *); +void rexec_recv_rng_seed(Buffer *); + #endif /* _RANDOMS_H */ diff --git a/crypto/openssh/gss-genr.c b/crypto/openssh/gss-genr.c index 9bc31aa2a2a1..c2b4f2dd84bb 100644 --- a/crypto/openssh/gss-genr.c +++ b/crypto/openssh/gss-genr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $ */ +/* $OpenBSD: gss-genr.c,v 1.6 2005/10/13 22:24:31 stevesk Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 
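Review bot: In rexec_recv_rng_seed the string returned by buffer_get_string_ret() is never released, and neither side clears the seed material after use: the `buf` array in rexec_send_rng_seed still holds the RAND_bytes() output when the function returns, and the received copy stays in the heap until the allocation is reused. After `RAND_add(buf, len, len);` I'd add `memset(buf, 0, len); xfree(buf);`, and in the sender `memset(buf, 0, sizeof(buf));` after the buffer_put_string() calls (best effort, since a plain memset before free may be optimized away); xmalloc.h is not among the includes visible in this diff, so check it is available before using xfree(). The third argument of `RAND_add(buf, len, len)` credits one full byte of entropy per byte received, which presumes the sending process's PRNG was itself properly seeded; a comment stating that assumption would help.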
@@ -30,9 +30,7 @@ #include "xmalloc.h" #include "bufaux.h" -#include "compat.h" #include "log.h" -#include "monitor_wrap.h" #include "ssh2.h" #include "ssh-gss.h" @@ -270,7 +268,8 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, } OM_uint32 -ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) { +ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) +{ if (*ctx) ssh_gssapi_delete_ctx(ctx); ssh_gssapi_build_ctx(ctx); diff --git a/crypto/openssh/gss-serv-krb5.c b/crypto/openssh/gss-serv-krb5.c index 4f02621ddda2..5c5837ffb996 100644 --- a/crypto/openssh/gss-serv-krb5.c +++ b/crypto/openssh/gss-serv-krb5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv-krb5.c,v 1.3 2004/07/21 10:36:23 djm Exp $ */ +/* $OpenBSD: gss-serv-krb5.c,v 1.4 2005/10/13 19:08:08 stevesk Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. diff --git a/crypto/openssh/gss-serv.c b/crypto/openssh/gss-serv.c index 11713045919e..26eec25bdc81 100644 --- a/crypto/openssh/gss-serv.c +++ b/crypto/openssh/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.13 2005/10/13 22:24:31 stevesk Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -29,20 +29,16 @@ #ifdef GSSAPI #include "bufaux.h" -#include "compat.h" #include "auth.h" #include "log.h" #include "channels.h" #include "session.h" #include "servconf.h" -#include "monitor_wrap.h" #include "xmalloc.h" #include "getput.h" #include "ssh-gss.h" -extern ServerOptions options; - static ssh_gssapi_client gssapi_client = { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; @@ -61,7 +57,7 @@ ssh_gssapi_mech* supported_mechs[]= { &gssapi_null_mech, }; -/* Unpriviledged */ +/* Unprivileged */ void ssh_gssapi_supported_oids(gss_OID_set *oidset) { 
@@ -90,7 +86,7 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) * oid * credentials (from ssh_gssapi_acquire_cred) */ -/* Priviledged */ +/* Privileged */ OM_uint32 ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok, gss_buffer_desc *send_tok, OM_uint32 *flags) @@ -138,14 +134,14 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name) OM_uint32 offset; OM_uint32 oidl; - tok=ename->value; + tok = ename->value; /* * Check that ename is long enough for all of the fixed length * header, and that the initial ID bytes are correct */ - if (ename->length<6 || memcmp(tok,"\x04\x01", 2)!=0) + if (ename->length < 6 || memcmp(tok, "\x04\x01", 2) != 0) return GSS_S_FAILURE; /* @@ -164,7 +160,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name) */ if (tok[4] != 0x06 || tok[5] != oidl || ename->length < oidl+6 || - !ssh_gssapi_check_oid(ctx,tok+6,oidl)) + !ssh_gssapi_check_oid(ctx, tok+6, oidl)) return GSS_S_FAILURE; offset = oidl+6; @@ -179,7 +175,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name) return GSS_S_FAILURE; name->value = xmalloc(name->length+1); - memcpy(name->value,tok+offset,name->length); + memcpy(name->value, tok+offset,name->length); ((char *)name->value)[name->length] = 0; return GSS_S_COMPLETE; @@ -188,7 +184,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name) /* Extract the client details from a given context. This can only reliably * be called once for a context */ -/* Priviledged (called from accept_secure_ctx) */ +/* Privileged (called from accept_secure_ctx) */ OM_uint32 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) { 
@@ -263,15 +259,14 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) if (gssapi_client.store.envvar != NULL && gssapi_client.store.envval != NULL) { - debug("Setting %s to %s", gssapi_client.store.envvar, - gssapi_client.store.envval); + gssapi_client.store.envval); child_set_env(envp, envsizep, gssapi_client.store.envvar, gssapi_client.store.envval); } } -/* Priviledged */ +/* Privileged */ int ssh_gssapi_userok(char *user) { @@ -298,7 +293,7 @@ ssh_gssapi_userok(char *user) return (0); } -/* Priviledged */ +/* Privileged */ OM_uint32 ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) { diff --git a/crypto/openssh/kex.c b/crypto/openssh/kex.c index 5dce335fe5f1..cd71be9ca778 100644 --- a/crypto/openssh/kex.c +++ b/crypto/openssh/kex.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.64 2005/07/25 11:59:39 markus Exp $"); +RCSID("$OpenBSD: kex.c,v 1.65 2005/11/04 05:15:59 djm Exp $"); #include @@ -294,13 +294,17 @@ choose_kex(Kex *k, char *client, char *server) fatal("no kex alg"); if (strcmp(k->name, KEX_DH1) == 0) { k->kex_type = KEX_DH_GRP1_SHA1; + k->evp_md = EVP_sha1(); } else if (strcmp(k->name, KEX_DH14) == 0) { k->kex_type = KEX_DH_GRP14_SHA1; - } else if (strcmp(k->name, KEX_DHGEX) == 0) { + k->evp_md = EVP_sha1(); + } else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) { k->kex_type = KEX_DH_GEX_SHA1; + k->evp_md = EVP_sha1(); } else fatal("bad kex alg %s", k->name); } + static void choose_hostkeyalg(Kex *k, char *client, char *server) { 
@@ -404,28 +408,28 @@ kex_choose_conf(Kex *kex) } static u_char * -derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret) +derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen, + BIGNUM *shared_secret) { Buffer b; - const EVP_MD *evp_md = EVP_sha1(); EVP_MD_CTX md; char c = id; u_int have; - int mdsz = EVP_MD_size(evp_md); + int mdsz; u_char *digest; - if (mdsz < 0) - fatal("derive_key: mdsz < 0"); - digest = xmalloc(roundup(need, mdsz)); + if ((mdsz = EVP_MD_size(kex->evp_md)) <= 0) + fatal("bad kex md size %d", mdsz); + digest = xmalloc(roundup(need, mdsz)); buffer_init(&b); buffer_put_bignum2(&b, shared_secret); /* K1 = HASH(K || H || "A" || session_id) */ - EVP_DigestInit(&md, evp_md); + EVP_DigestInit(&md, kex->evp_md); if (!(datafellows & SSH_BUG_DERIVEKEY)) EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestUpdate(&md, hash, mdsz); + EVP_DigestUpdate(&md, hash, hashlen); EVP_DigestUpdate(&md, &c, 1); EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len); EVP_DigestFinal(&md, digest, NULL); @@ -436,10 +440,10 @@ derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret) * Key = K1 || K2 || ... || Kn */ for (have = mdsz; need > have; have += mdsz) { - EVP_DigestInit(&md, evp_md); + EVP_DigestInit(&md, kex->evp_md); if (!(datafellows & SSH_BUG_DERIVEKEY)) EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); - EVP_DigestUpdate(&md, hash, mdsz); + EVP_DigestUpdate(&md, hash, hashlen); EVP_DigestUpdate(&md, digest, have); EVP_DigestFinal(&md, digest + have, NULL); } 
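Review bot: derive_key now takes `hashlen` and hashes with `kex->evp_md`, but nothing documents that `hash`/`hashlen` must be the exchange hash H computed with that same digest, nor that `kex->evp_md` must have been set by choose_kex() first; `EVP_MD_size(kex->evp_md)` with a NULL digest would fault before the `<= 0` check catches anything. I'd add a header comment describing the chain K1 = HASH(K || H || X || session_id), Kn = HASH(K || H || K1 || ... || Kn-1), the precondition on evp_md and hashlen, and that the result is `roundup(need, mdsz)` bytes the caller must free. `int mdsz` is still mixed with the `u_int` `need` and `have` in `roundup()` and the loop condition; the `<= 0` check makes the conversion safe, but an explicit cast would make that visible. The tail of derive_key after the loop is outside the hunk.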
@@ -455,13 +459,15 @@ Newkeys *current_keys[MODE_MAX]; #define NKEYS 6 void -kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret) +kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret) { u_char *keys[NKEYS]; u_int i, mode, ctos; - for (i = 0; i < NKEYS; i++) - keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret); + for (i = 0; i < NKEYS; i++) { + keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, hashlen, + shared_secret); + } debug2("kex_derive_keys"); for (mode = 0; mode < MODE_MAX; mode++) { diff --git a/crypto/openssh/kex.h b/crypto/openssh/kex.h index 3024a27172ea..bbd931e049df 100644 --- a/crypto/openssh/kex.h +++ b/crypto/openssh/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.37 2005/07/25 11:59:39 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.38 2005/11/04 05:15:59 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -31,9 +31,9 @@ #include "cipher.h" #include "key.h" -#define KEX_DH1 "diffie-hellman-group1-sha1" -#define KEX_DH14 "diffie-hellman-group14-sha1" -#define KEX_DHGEX "diffie-hellman-group-exchange-sha1" +#define KEX_DH1 "diffie-hellman-group1-sha1" +#define KEX_DH14 "diffie-hellman-group14-sha1" +#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1" #define COMP_NONE 0 #define COMP_ZLIB 1 @@ -114,6 +114,7 @@ struct Kex { Buffer peer; int done; int flags; + const EVP_MD *evp_md; char *client_version_string; char *server_version_string; int (*verify_host_key)(Key *); @@ -127,7 +128,7 @@ void kex_finish(Kex *); void kex_send_kexinit(Kex *); void kex_input_kexinit(int, u_int32_t, void *); -void kex_derive_keys(Kex *, u_char *, BIGNUM *); +void kex_derive_keys(Kex *, u_char *, u_int, BIGNUM *); Newkeys *kex_get_newkeys(int); 
@@ -136,12 +137,13 @@ void kexdh_server(Kex *); void kexgex_client(Kex *); void kexgex_server(Kex *); -u_char * +void kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, - BIGNUM *, BIGNUM *, BIGNUM *); -u_char * -kexgex_hash(char *, char *, char *, int, char *, int, u_char *, int, - int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *); + BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); +void +kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *, + int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, + BIGNUM *, BIGNUM *, u_char **, u_int *); void derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]); diff --git a/crypto/openssh/kexdh.c b/crypto/openssh/kexdh.c index 4bbb7d1dba98..f79d8781d267 100644 --- a/crypto/openssh/kexdh.c +++ b/crypto/openssh/kexdh.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/16 17:09:57 markus Exp $"); +RCSID("$OpenBSD: kexdh.c,v 1.20 2005/11/04 05:15:59 djm Exp $"); #include @@ -32,7 +32,7 @@ RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/16 17:09:57 markus Exp $"); #include "ssh2.h" #include "kex.h" -u_char * +void kex_dh_hash( char *client_version_string, char *server_version_string, @@ -41,7 +41,8 @@ kex_dh_hash( u_char *serverhostkeyblob, int sbloblen, BIGNUM *client_dh_pub, BIGNUM *server_dh_pub, - BIGNUM *shared_secret) + BIGNUM *shared_secret, + u_char **hash, u_int *hashlen) { Buffer b; static u_char digest[EVP_MAX_MD_SIZE]; @@ -77,5 +78,6 @@ kex_dh_hash( #ifdef DEBUG_KEX dump_digest("hash", digest, EVP_MD_size(evp_md)); #endif - return digest; + *hash = digest; + *hashlen = EVP_MD_size(evp_md); } diff --git a/crypto/openssh/kexdhc.c b/crypto/openssh/kexdhc.c index f48bd46785b4..d8a2fa3b7d8b 100644 --- a/crypto/openssh/kexdhc.c +++ b/crypto/openssh/kexdhc.c 
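Review bot: `*hashlen = EVP_MD_size(evp_md);` in the `@@ -77,5 +78,6 @@` hunk of kexdh.c stores an `int` that is negative on error into a `u_int`, and the callers in kexdhc.c, kexdhs.c, kexgexc.c and kexgexs.c later in this diff pass that value straight to `xmalloc()`/`memcpy()` for the session id and to `key_sign()`/`key_verify()`. A guard such as `if ((r = EVP_MD_size(evp_md)) <= 0) fatal("kex_dh_hash: bad md size %d", r); *hashlen = r;` (with `int r` declared at the top of the function, whose body starts outside this hunk) closes that gap; `kexgex_hash()` in kexgex.c has the identical assignment and needs the same treatment. The prototypes in this hunk also show that `kexgex_hash()` now takes the digest from the caller while `kex_dh_hash()` appears to fix it internally (its `evp_md` declaration is outside the hunk), so a comment on the `kex_dh_hash` declaration stating which digest it uses would keep the two exchange-hash interfaces from being confused.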
@@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kexdhc.c,v 1.2 2004/06/13 12:53:24 djm Exp $"); +RCSID("$OpenBSD: kexdhc.c,v 1.3 2005/11/04 05:15:59 djm Exp $"); #include "xmalloc.h" #include "key.h" @@ -41,7 +41,7 @@ kexdh_client(Kex *kex) Key *server_host_key; u_char *server_host_key_blob = NULL, *signature = NULL; u_char *kbuf, *hash; - u_int klen, kout, slen, sbloblen; + u_int klen, kout, slen, sbloblen, hashlen; /* generate and send 'e', client DH public key */ switch (kex->kex_type) { @@ -114,7 +114,7 @@ kexdh_client(Kex *kex) xfree(kbuf); /* calc and verify H */ - hash = kex_dh_hash( + kex_dh_hash( kex->client_version_string, kex->server_version_string, buffer_ptr(&kex->my), buffer_len(&kex->my), @@ -122,25 +122,26 @@ kexdh_client(Kex *kex) server_host_key_blob, sbloblen, dh->pub_key, dh_server_pub, - shared_secret + shared_secret, + &hash, &hashlen ); xfree(server_host_key_blob); BN_clear_free(dh_server_pub); DH_free(dh); - if (key_verify(server_host_key, signature, slen, hash, 20) != 1) + if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) fatal("key_verify failed for server_host_key"); key_free(server_host_key); xfree(signature); /* save session id */ if (kex->session_id == NULL) { - kex->session_id_len = 20; + kex->session_id_len = hashlen; kex->session_id = xmalloc(kex->session_id_len); memcpy(kex->session_id, hash, kex->session_id_len); } - kex_derive_keys(kex, hash, shared_secret); + kex_derive_keys(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); } diff --git a/crypto/openssh/kexdhs.c b/crypto/openssh/kexdhs.c index 225e655926ca..26c8cdfd6950 100644 --- a/crypto/openssh/kexdhs.c +++ b/crypto/openssh/kexdhs.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kexdhs.c,v 1.2 2004/06/13 12:53:24 djm Exp $"); +RCSID("$OpenBSD: kexdhs.c,v 1.3 2005/11/04 05:15:59 djm Exp $"); #include "xmalloc.h" #include "key.h" 
@@ -41,7 +41,7 @@ kexdh_server(Kex *kex) DH *dh; Key *server_host_key; u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; - u_int sbloblen, klen, kout; + u_int sbloblen, klen, kout, hashlen; u_int slen; /* generate server DH public key */ @@ -103,7 +103,7 @@ kexdh_server(Kex *kex) key_to_blob(server_host_key, &server_host_key_blob, &sbloblen); /* calc H */ - hash = kex_dh_hash( + kex_dh_hash( kex->client_version_string, kex->server_version_string, buffer_ptr(&kex->peer), buffer_len(&kex->peer), @@ -111,21 +111,20 @@ kexdh_server(Kex *kex) server_host_key_blob, sbloblen, dh_client_pub, dh->pub_key, - shared_secret + shared_secret, + &hash, &hashlen ); BN_clear_free(dh_client_pub); /* save session id := H */ - /* XXX hashlen depends on KEX */ if (kex->session_id == NULL) { - kex->session_id_len = 20; + kex->session_id_len = hashlen; kex->session_id = xmalloc(kex->session_id_len); memcpy(kex->session_id, hash, kex->session_id_len); } /* sign H */ - /* XXX hashlen depends on KEX */ - PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20)); + PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen)); /* destroy_sensitive_data(); */ @@ -141,7 +140,7 @@ kexdh_server(Kex *kex) /* have keys, free DH */ DH_free(dh); - kex_derive_keys(kex, hash, shared_secret); + kex_derive_keys(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); } diff --git a/crypto/openssh/kexgex.c b/crypto/openssh/kexgex.c index b0c39c8cbcd5..705484a4755d 100644 --- a/crypto/openssh/kexgex.c +++ b/crypto/openssh/kexgex.c @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $"); +RCSID("$OpenBSD: kexgex.c,v 1.24 2005/11/04 05:15:59 djm Exp $"); #include 
@@ -33,8 +33,9 @@ RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $"); #include "kex.h" #include "ssh2.h" -u_char * +void kexgex_hash( + const EVP_MD *evp_md, char *client_version_string, char *server_version_string, char *ckexinit, int ckexinitlen, @@ -43,11 +44,11 @@ kexgex_hash( int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen, BIGNUM *client_dh_pub, BIGNUM *server_dh_pub, - BIGNUM *shared_secret) + BIGNUM *shared_secret, + u_char **hash, u_int *hashlen) { Buffer b; static u_char digest[EVP_MAX_MD_SIZE]; - const EVP_MD *evp_md = EVP_sha1(); EVP_MD_CTX md; buffer_init(&b); @@ -79,14 +80,15 @@ kexgex_hash( #ifdef DEBUG_KEXDH buffer_dump(&b); #endif + EVP_DigestInit(&md, evp_md); EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b)); EVP_DigestFinal(&md, digest, NULL); buffer_free(&b); - + *hash = digest; + *hashlen = EVP_MD_size(evp_md); #ifdef DEBUG_KEXDH - dump_digest("hash", digest, EVP_MD_size(evp_md)); + dump_digest("hash", digest, *hashlen); #endif - return digest; } diff --git a/crypto/openssh/kexgexc.c b/crypto/openssh/kexgexc.c index 0193183b954a..a6ff8757d653 100644 --- a/crypto/openssh/kexgexc.c +++ b/crypto/openssh/kexgexc.c @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kexgexc.c,v 1.2 2003/12/08 11:00:47 markus Exp $"); +RCSID("$OpenBSD: kexgexc.c,v 1.3 2005/11/04 05:15:59 djm Exp $"); #include "xmalloc.h" #include "key.h" @@ -42,7 +42,7 @@ kexgex_client(Kex *kex) BIGNUM *p = NULL, *g = NULL; Key *server_host_key; u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; - u_int klen, kout, slen, sbloblen; + u_int klen, kout, slen, sbloblen, hashlen; int min, max, nbits; DH *dh; @@ -155,7 +155,8 @@ kexgex_client(Kex *kex) min = max = -1; /* calc and verify H */ - hash = kexgex_hash( + kexgex_hash( + kex->evp_md, kex->client_version_string, kex->server_version_string, buffer_ptr(&kex->my), buffer_len(&kex->my), 
@@ -165,25 +166,27 @@ kexgex_client(Kex *kex) dh->p, dh->g, dh->pub_key, dh_server_pub, - shared_secret + shared_secret, + &hash, &hashlen ); + /* have keys, free DH */ DH_free(dh); xfree(server_host_key_blob); BN_clear_free(dh_server_pub); - if (key_verify(server_host_key, signature, slen, hash, 20) != 1) + if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1) fatal("key_verify failed for server_host_key"); key_free(server_host_key); xfree(signature); /* save session id */ if (kex->session_id == NULL) { - kex->session_id_len = 20; + kex->session_id_len = hashlen; kex->session_id = xmalloc(kex->session_id_len); memcpy(kex->session_id, hash, kex->session_id_len); } - kex_derive_keys(kex, hash, shared_secret); + kex_derive_keys(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); diff --git a/crypto/openssh/kexgexs.c b/crypto/openssh/kexgexs.c index baebfcfb0fa8..c48b27af9dee 100644 --- a/crypto/openssh/kexgexs.c +++ b/crypto/openssh/kexgexs.c @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kexgexs.c,v 1.1 2003/02/16 17:09:57 markus Exp $"); +RCSID("$OpenBSD: kexgexs.c,v 1.2 2005/11/04 05:15:59 djm Exp $"); #include "xmalloc.h" #include "key.h" @@ -43,7 +43,7 @@ kexgex_server(Kex *kex) Key *server_host_key; DH *dh; u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL; - u_int sbloblen, klen, kout, slen; + u_int sbloblen, klen, kout, slen, hashlen; int min = -1, max = -1, nbits = -1, type; if (kex->load_host_key == NULL) @@ -137,8 +137,9 @@ kexgex_server(Kex *kex) if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD) min = max = -1; - /* calc H */ /* XXX depends on 'kex' */ - hash = kexgex_hash( + /* calc H */ + kexgex_hash( + kex->evp_md, kex->client_version_string, kex->server_version_string, buffer_ptr(&kex->peer), buffer_len(&kex->peer), 
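Review bot: The added `/* have keys, free DH */` comment in the `@@ -165,25 +166,27 @@` hunk of kexgexc.c precedes both `key_verify()` and `kex_derive_keys()`, so no session keys exist yet at that point; what has been extracted from `dh` is the shared secret and H. `/* have shared secret and H, free DH */` describes the state accurately, and the identical pre-existing comment in the kexgexs.c hunk that follows would benefit from the same wording.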
@@ -148,21 +149,20 @@ kexgex_server(Kex *kex) dh->p, dh->g, dh_client_pub, dh->pub_key, - shared_secret + shared_secret, + &hash, &hashlen ); BN_clear_free(dh_client_pub); /* save session id := H */ - /* XXX hashlen depends on KEX */ if (kex->session_id == NULL) { - kex->session_id_len = 20; + kex->session_id_len = hashlen; kex->session_id = xmalloc(kex->session_id_len); memcpy(kex->session_id, hash, kex->session_id_len); } /* sign H */ - /* XXX hashlen depends on KEX */ - PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20)); + PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen)); /* destroy_sensitive_data(); */ @@ -179,7 +179,7 @@ kexgex_server(Kex *kex) /* have keys, free DH */ DH_free(dh); - kex_derive_keys(kex, hash, shared_secret); + kex_derive_keys(kex, hash, hashlen, shared_secret); BN_clear_free(shared_secret); kex_finish(kex); diff --git a/crypto/openssh/misc.c b/crypto/openssh/misc.c index 2dd8ae6e36ff..29e92888642e 100644 --- a/crypto/openssh/misc.c +++ b/crypto/openssh/misc.c @@ -24,7 +24,11 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.34 2005/07/08 09:26:18 dtucker Exp $"); +RCSID("$OpenBSD: misc.c,v 1.42 2006/01/31 10:19:02 djm Exp $"); + +#ifdef SSH_TUN_OPENBSD +#include +#endif #include "misc.h" #include "log.h" 
@@ -194,6 +198,37 @@ a2port(const char *s) return port; } +int +a2tun(const char *s, int *remote) +{ + const char *errstr = NULL; + char *sp, *ep; + int tun; + + if (remote != NULL) { + *remote = SSH_TUNID_ANY; + sp = xstrdup(s); + if ((ep = strchr(sp, ':')) == NULL) { + xfree(sp); + return (a2tun(s, NULL)); + } + ep[0] = '\0'; ep++; + *remote = a2tun(ep, NULL); + tun = a2tun(sp, NULL); + xfree(sp); + return (*remote == SSH_TUNID_ERR ? *remote : tun); + } + + if (strcasecmp(s, "any") == 0) + return (SSH_TUNID_ANY); + + tun = strtonum(s, 0, SSH_TUNID_MAX, &errstr); + if (errstr != NULL) + return (SSH_TUNID_ERR); + + return (tun); +} + #define SECONDS 1 #define MINUTES (SECONDS * 60) #define HOURS (MINUTES * 60) @@ -356,12 +391,15 @@ void addargs(arglist *args, char *fmt, ...) { va_list ap; - char buf[1024]; + char *cp; u_int nalloc; + int r; va_start(ap, fmt); - vsnprintf(buf, sizeof(buf), fmt, ap); + r = vasprintf(&cp, fmt, ap); va_end(ap); + if (r == -1) + fatal("addargs: argument too long"); nalloc = args->nalloc; if (args->list == NULL) { 
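Review bot: `a2tun()` in the `@@ -194,6 +198,37 @@` hunk encodes a non-trivial contract (three sentinel values, an optional out-parameter, recursion on the `local:remote` split) with no header comment. Suggested comment above the definition: `/* Parse a tunnel spec "id" or "local:remote", where id is 0..SSH_TUNID_MAX or "any". Returns the local id, SSH_TUNID_ANY for "any", or SSH_TUNID_ERR on bad input; if remote is non-NULL it receives the remote id (SSH_TUNID_ANY when none is given). */` The comment should also say that `*remote` is only meaningful when the return value is not `SSH_TUNID_ERR`, since the final `return` reports an error in either half without clearing the other.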
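Review bot: `fatal("addargs: argument too long")` in the `@@ -356,12 +391,15 @@` hunk misdescribes the failure: `vasprintf()` returns -1 on allocation failure as well (the compat implementation added to bsd-asprintf.c in this diff sets `errno = ENOMEM` on that path), and there is no length limit any more now that the fixed 1024-byte buffer is gone. `fatal("addargs: vasprintf: %s", strerror(errno))` reports the actual cause; the same "argument too long" string appears in `replacearg()` in the next hunk and should change with it.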
@@ -372,10 +410,44 @@ addargs(arglist *args, char *fmt, ...) args->list = xrealloc(args->list, nalloc * sizeof(char *)); args->nalloc = nalloc; - args->list[args->num++] = xstrdup(buf); + args->list[args->num++] = cp; args->list[args->num] = NULL; } +void +replacearg(arglist *args, u_int which, char *fmt, ...) +{ + va_list ap; + char *cp; + int r; + + va_start(ap, fmt); + r = vasprintf(&cp, fmt, ap); + va_end(ap); + if (r == -1) + fatal("replacearg: argument too long"); + + if (which >= args->num) + fatal("replacearg: tried to replace invalid arg %d >= %d", + which, args->num); + xfree(args->list[which]); + args->list[which] = cp; +} + +void +freeargs(arglist *args) +{ + u_int i; + + if (args->list != NULL) { + for (i = 0; i < args->num; i++) + xfree(args->list[i]); + xfree(args->list); + args->nalloc = args->num = 0; + args->list = NULL; + } +} + /* * Expands tildes in the file name. Returns data allocated by xmalloc. * Warning: this calls getpw*. 
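Review bot: The `fatal("replacearg: tried to replace invalid arg %d >= %d", which, args->num)` line in the `@@ -372,10 +410,44 @@` hunk formats two `u_int` values with `%d`; `%u` matches the declared types (`u_int which` here, `u_int num` in the misc.h hunk of this diff). The bounds check also runs only after `vasprintf()` has already allocated the replacement, so moving the `which >= args->num` test above `va_start()` keeps the failure path allocation-free and puts the precondition where a reader looks for it first.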
@@ -507,6 +579,99 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, return -1; } +int +tun_open(int tun, int mode) +{ +#if defined(CUSTOM_SYS_TUN_OPEN) + return (sys_tun_open(tun, mode)); +#elif defined(SSH_TUN_OPENBSD) + struct ifreq ifr; + char name[100]; + int fd = -1, sock; + + /* Open the tunnel device */ + if (tun <= SSH_TUNID_MAX) { + snprintf(name, sizeof(name), "/dev/tun%d", tun); + fd = open(name, O_RDWR); + } else if (tun == SSH_TUNID_ANY) { + for (tun = 100; tun >= 0; tun--) { + snprintf(name, sizeof(name), "/dev/tun%d", tun); + if ((fd = open(name, O_RDWR)) >= 0) + break; + } + } else { + debug("%s: invalid tunnel %u", __func__, tun); + return (-1); + } + + if (fd < 0) { + debug("%s: %s open failed: %s", __func__, name, strerror(errno)); + return (-1); + } + + debug("%s: %s mode %d fd %d", __func__, name, mode, fd); + + /* Set the tunnel device operation mode */ + snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "tun%d", tun); + if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) + goto failed; + + if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) + goto failed; + + /* Set interface mode */ + ifr.ifr_flags &= ~IFF_UP; + if (mode == SSH_TUNMODE_ETHERNET) + ifr.ifr_flags |= IFF_LINK0; + else + ifr.ifr_flags &= ~IFF_LINK0; + if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) + goto failed; + + /* Bring interface up */ + ifr.ifr_flags |= IFF_UP; + if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) + goto failed; + + close(sock); + return (fd); + + failed: + if (fd >= 0) + close(fd); + if (sock >= 0) + close(sock); + debug("%s: failed to set %s mode %d: %s", __func__, name, + mode, strerror(errno)); + return (-1); +#else + error("Tunnel interfaces are not supported on this platform"); + return (-1); +#endif +} + +void +sanitise_stdfd(void) +{ + int nullfd, dupfd; + + if ((nullfd = dupfd = open(_PATH_DEVNULL, O_RDWR)) == -1) { + fprintf(stderr, "Couldn't open /dev/null: %s", strerror(errno)); + exit(1); + } + while (++dupfd <= 2) { + /* Only clobber closed 
fds */ + if (fcntl(dupfd, F_GETFL, 0) >= 0) + continue; + if (dup2(nullfd, dupfd) == -1) { + fprintf(stderr, "dup2: %s", strerror(errno)); + exit(1); + } + } + if (nullfd > 2) + close(nullfd); +} + char * tohex(const u_char *d, u_int l) { diff --git a/crypto/openssh/misc.h b/crypto/openssh/misc.h index 2d630feb5f87..0a1a09a68baa 100644 --- a/crypto/openssh/misc.h +++ b/crypto/openssh/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.25 2005/07/14 04:00:43 dtucker Exp $ */ +/* $OpenBSD: misc.h,v 1.29 2006/01/31 10:19:02 djm Exp $ */ /* * Author: Tatu Ylonen @@ -20,6 +20,7 @@ int set_nonblock(int); int unset_nonblock(int); void set_nodelay(int); int a2port(const char *); +int a2tun(const char *, int *); char *hpdelim(char **); char *cleanhostname(char *); char *colon(char *); @@ -27,6 +28,7 @@ long convtime(const char *); char *tilde_expand_filename(const char *, uid_t); char *percent_expand(const char *, ...) __attribute__((__sentinel__)); char *tohex(const u_char *, u_int); +void sanitise_stdfd(void); struct passwd *pwcopy(struct passwd *); @@ -36,7 +38,11 @@ struct arglist { u_int num; u_int nalloc; }; -void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); +void addargs(arglist *, char *, ...) + __attribute__((format(printf, 2, 3))); +void replacearg(arglist *, u_int, char *, ...) + __attribute__((format(printf, 3, 4))); +void freeargs(arglist *); /* readpass.c */ 
@@ -48,3 +54,16 @@ void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); char *read_passphrase(const char *, int); int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); + +int tun_open(int, int); + +/* Common definitions for ssh tunnel device forwarding */ +#define SSH_TUNMODE_NO 0x00 +#define SSH_TUNMODE_POINTOPOINT 0x01 +#define SSH_TUNMODE_ETHERNET 0x02 +#define SSH_TUNMODE_DEFAULT SSH_TUNMODE_POINTOPOINT +#define SSH_TUNMODE_YES (SSH_TUNMODE_POINTOPOINT|SSH_TUNMODE_ETHERNET) + +#define SSH_TUNID_ANY 0x7fffffff +#define SSH_TUNID_ERR (SSH_TUNID_ANY - 1) +#define SSH_TUNID_MAX (SSH_TUNID_ANY - 2) diff --git a/crypto/openssh/openbsd-compat/Makefile.in b/crypto/openssh/openbsd-compat/Makefile.in index 6f5ee2845134..3a8703bc1a2a 100644 --- a/crypto/openssh/openbsd-compat/Makefile.in +++ b/crypto/openssh/openbsd-compat/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.35 2005/08/26 20:15:20 tim Exp $ +# $Id: Makefile.in,v 1.37 2005/12/31 05:33:37 djm Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ 
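Review bot: The `SSH_TUNID_*` block in the `@@ -48,3 +54,16 @@` hunk relies on the top of the `int` range for its sentinels (`SSH_TUNID_ANY` is 0x7fffffff and `_ERR`/`_MAX` are derived from it) but nothing says so; a reader of `a2tun()` or `tun_open()` has to reconstruct that real ids are `0..SSH_TUNID_MAX` and that `_ANY`/`_ERR` cannot collide with them. Suggested comment above the three defines: `/* Tunnel ids: 0..SSH_TUNID_MAX are device numbers; SSH_TUNID_ANY and SSH_TUNID_ERR are out-of-range sentinels. */`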
@@ -18,9 +18,9 @@ LDFLAGS=-L. @LDFLAGS@ OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o -COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o +COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o -PORTS=port-irix.o port-aix.o port-uw.o +PORTS=port-irix.o port-aix.o port-uw.o port-tun.o .c.o: $(CC) $(CFLAGS) $(CPPFLAGS) -c $< diff --git a/crypto/openssh/openbsd-compat/base64.c b/crypto/openssh/openbsd-compat/base64.c index dcaa03e5d701..9a60f583b7e7 100644 --- a/crypto/openssh/openbsd-compat/base64.c +++ b/crypto/openssh/openbsd-compat/base64.c @@ -1,5 +1,3 @@ -/* OPENBSD ORIGINAL: lib/libc/net/base64.c */ - /* $OpenBSD: base64.c,v 1.4 2002/01/02 23:00:10 deraadt Exp $ */ /* @@ -44,6 +42,8 @@ * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. */ +/* OPENBSD ORIGINAL: lib/libc/net/base64.c */ + #include "includes.h" #if (!defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)) || (!defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON)) @@ -139,7 +139,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) size_t datalength = 0; u_char input[3]; u_char output[4]; - int i; + u_int i; while (2 < srclength) { input[0] = *src++; @@ -206,7 +206,8 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) int b64_pton(char const *src, u_char *target, size_t targsize) { - int tarindex, state, ch; + u_int tarindex, state; + int ch; char *pos; state = 0; 
diff --git a/crypto/openssh/openbsd-compat/basename.c b/crypto/openssh/openbsd-compat/basename.c index 552dc1e1cde7..ad040e139205 100644 --- a/crypto/openssh/openbsd-compat/basename.c +++ b/crypto/openssh/openbsd-compat/basename.c @@ -1,9 +1,7 @@ -/* OPENBSD ORIGINAL: lib/libc/gen/basename.c */ - -/* $OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $ */ +/* $OpenBSD: basename.c,v 1.14 2005/08/08 08:05:33 espie Exp $ */ /* - * Copyright (c) 1997 Todd C. Miller + * Copyright (c) 1997, 2004 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -18,34 +16,35 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +/* OPENBSD ORIGINAL: lib/libc/gen/basename.c */ + #include "includes.h" #ifndef HAVE_BASENAME -#ifndef lint -static char rcsid[] = "$OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $"; -#endif /* not lint */ - char * basename(const char *path) { static char bname[MAXPATHLEN]; - register const char *endp, *startp; + size_t len; + const char *endp, *startp; /* Empty or NULL string gets treated as "." */ if (path == NULL || *path == '\0') { - (void)strlcpy(bname, ".", sizeof bname); - return(bname); + bname[0] = '.'; + bname[1] = '\0'; + return (bname); } - /* Strip trailing slashes */ + /* Strip any trailing slashes */ endp = path + strlen(path) - 1; while (endp > path && *endp == '/') endp--; - /* All slashes become "/" */ + /* All slashes becomes "/" */ if (endp == path && *endp == '/') { - (void)strlcpy(bname, "/", sizeof bname); - return(bname); + bname[0] = '/'; + bname[1] = '\0'; + return (bname); } /* Find the start of the base */ 
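Review bot: The comment edit in the `@@ -18,34 +16,35 @@` hunk turns the grammatical `/* All slashes become "/" */` into `/* All slashes becomes "/" */`; keep the original wording. The `static char bname[MAXPATHLEN]` result buffer (context here, not changed) means each call overwrites the previous return value, which is the usual basename(3) contract but worth a one-line note on the function for callers of the compat layer.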
@@ -53,12 +52,14 @@ basename(const char *path) while (startp > path && *(startp - 1) != '/') startp--; - if (endp - startp + 2 > sizeof(bname)) { + len = endp - startp + 1; + if (len >= sizeof(bname)) { errno = ENAMETOOLONG; - return(NULL); + return (NULL); } - strlcpy(bname, startp, endp - startp + 2); - return(bname); + memcpy(bname, startp, len); + bname[len] = '\0'; + return (bname); } #endif /* !defined(HAVE_BASENAME) */ diff --git a/crypto/openssh/openbsd-compat/bindresvport.c b/crypto/openssh/openbsd-compat/bindresvport.c index 8a273f9b5e81..7f48fd03a251 100644 --- a/crypto/openssh/openbsd-compat/bindresvport.c +++ b/crypto/openssh/openbsd-compat/bindresvport.c @@ -1,6 +1,6 @@ /* This file has be substantially modified from the original OpenBSD source */ -/* $OpenBSD: bindresvport.c,v 1.15 2003/05/20 22:42:35 deraadt Exp $ */ +/* $OpenBSD: bindresvport.c,v 1.16 2005/04/01 07:44:03 otto Exp $ */ /* * Copyright 1996, Jason Downs. All rights reserved. @@ -28,6 +28,8 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/rpc/bindresvport.c */ + #include "includes.h" #ifndef HAVE_BINDRESVPORT_SA @@ -42,9 +44,7 @@ * Bind a socket to a privileged IP port */ int -bindresvport_sa(sd, sa) - int sd; - struct sockaddr *sa; +bindresvport_sa(int sd, struct sockaddr *sa) { int error, af; struct sockaddr_storage myaddr; diff --git a/crypto/openssh/openbsd-compat/bsd-asprintf.c b/crypto/openssh/openbsd-compat/bsd-asprintf.c new file mode 100644 index 000000000000..5ca01f80f3d9 --- /dev/null +++ b/crypto/openssh/openbsd-compat/bsd-asprintf.c 
@@ -0,0 +1,95 @@ +/* + * Copyright (c) 2004 Darren Tucker. + * + * Based originally on asprintf.c from OpenBSD: + * Copyright (c) 1997 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifndef HAVE_VASPRINTF + +#ifndef VA_COPY +# ifdef HAVE_VA_COPY +# define VA_COPY(dest, src) va_copy(dest, src) +# else +# ifdef HAVE___VA_COPY +# define VA_COPY(dest, src) __va_copy(dest, src) +# else +# define VA_COPY(dest, src) (dest) = (src) +# endif +# endif +#endif + +#define INIT_SZ 128 + +int vasprintf(char **str, const char *fmt, va_list ap) +{ + int ret = -1; + va_list ap2; + char *string, *newstr; + size_t len; + + VA_COPY(ap2, ap); + if ((string = malloc(INIT_SZ)) == NULL) + goto fail; + + ret = vsnprintf(string, INIT_SZ, fmt, ap2); + if (ret >= 0 && ret < INIT_SZ) { /* succeeded with initial alloc */ + *str = string; + } else if (ret == INT_MAX) { /* shouldn't happen */ + goto fail; + } else { /* bigger than initial, realloc allowing for nul */ + len = (size_t)ret + 1; + if ((newstr = realloc(string, len)) == NULL) { + free(string); + goto fail; + } else { + va_end(ap2); + VA_COPY(ap2, ap); + ret = vsnprintf(newstr, len, fmt, ap2); + if (ret >= 0 && (size_t)ret < len) { + *str = newstr; + } else { /* failed with realloc'ed string, give up */ + 
free(newstr); + goto fail; + } + } + } + va_end(ap2); + return (ret); + +fail: + *str = NULL; + errno = ENOMEM; + va_end(ap2); + return (-1); +} +#endif + +#ifndef HAVE_ASPRINTF +int asprintf(char **str, const char *fmt, ...) +{ + va_list ap; + int ret; + + *str = NULL; + va_start(ap, fmt); + ret = vasprintf(str, fmt, ap); + va_end(ap); + + return ret; +} +#endif diff --git a/crypto/openssh/openbsd-compat/bsd-closefrom.c b/crypto/openssh/openbsd-compat/bsd-closefrom.c index 61a9fa3916b2..5b7b94ae4aca 100644 --- a/crypto/openssh/openbsd-compat/bsd-closefrom.c +++ b/crypto/openssh/openbsd-compat/bsd-closefrom.c @@ -46,7 +46,7 @@ # define OPEN_MAX 256 #endif -RCSID("$Id: bsd-closefrom.c,v 1.1 2004/08/15 08:41:00 djm Exp $"); +RCSID("$Id: bsd-closefrom.c,v 1.2 2005/11/10 08:29:13 dtucker Exp $"); #ifndef lint static const char sudorcsid[] = "$Sudo: closefrom.c,v 1.6 2004/06/01 20:51:56 millert Exp $"; @@ -67,7 +67,7 @@ closefrom(int lowfd) /* Check for a /proc/$$/fd directory. */ len = snprintf(fdpath, sizeof(fdpath), "/proc/%ld/fd", (long)getpid()); - if (len != -1 && len <= sizeof(fdpath) && (dirp = opendir(fdpath))) { + if (len >= 0 && (u_int)len <= sizeof(fdpath) && (dirp = opendir(fdpath))) { while ((dent = readdir(dirp)) != NULL) { fd = strtol(dent->d_name, &endp, 10); if (dent->d_name != endp && *endp == '\0' && diff --git a/crypto/openssh/openbsd-compat/bsd-misc.c b/crypto/openssh/openbsd-compat/bsd-misc.c index 6ba9bd9865d3..d32b054d7227 100644 --- a/crypto/openssh/openbsd-compat/bsd-misc.c +++ b/crypto/openssh/openbsd-compat/bsd-misc.c @@ -18,7 +18,7 @@ #include "includes.h" #include "xmalloc.h" -RCSID("$Id: bsd-misc.c,v 1.27 2005/05/27 11:13:41 dtucker Exp $"); +RCSID("$Id: bsd-misc.c,v 1.28 2005/11/01 22:07:31 dtucker Exp $"); #ifndef HAVE___PROGNAME char *__progname; 
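Review bot: In `vasprintf()` (hunk `@@ -0,0 +1,95 @@`, which starts on the previous line) a negative return from the first `vsnprintf()` (an encoding error, for example) is not handled: `ret >= 0 && ret < INIT_SZ` and `ret == INT_MAX` are both false, so `len = (size_t)ret + 1` wraps to 0 and `realloc(string, 0)` is called, which on implementations that free the block and return NULL makes the following `free(string)` a double free. Change the second branch to `} else if (ret < 0 || ret == INT_MAX) { free(string); goto fail; }`; this also fixes the leak of `string` on the existing `INT_MAX` path, since `fail:` does not free it.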
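Review bot: The corrected condition `(u_int)len <= sizeof(fdpath)` in the `@@ -67,7 +67,7 @@` hunk of bsd-closefrom.c is still off by one: `snprintf()` returns the length excluding the terminating NUL, so `len == sizeof(fdpath)` means the path was truncated, and the check should read `(size_t)len < sizeof(fdpath)`. With `/proc/%ld/fd` the limit is never reached in practice, but a truncation check should be exact.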
@@ -223,10 +223,7 @@ strdup(const char *str) len = strlen(str) + 1; cp = malloc(len); if (cp != NULL) - if (strlcpy(cp, str, len) != len) { - free(cp); - return NULL; - } - return cp; + return(memcpy(cp, str, len)); + return NULL; } #endif diff --git a/crypto/openssh/openbsd-compat/bsd-snprintf.c b/crypto/openssh/openbsd-compat/bsd-snprintf.c index b5a7ef7a02ab..e4ba154fdb14 100644 --- a/crypto/openssh/openbsd-compat/bsd-snprintf.c +++ b/crypto/openssh/openbsd-compat/bsd-snprintf.c 
@@ -45,45 +45,82 @@ * missing. Some systems only have snprintf() but not vsnprintf(), so * the code is now broken down under HAVE_SNPRINTF and HAVE_VSNPRINTF. * - * Ben Lindstrom 09/27/00 for OpenSSH - * Welcome to the world of %lld and %qd support. With other - * long long support. This is needed for sftp-server to work - * right. + * Andrew Tridgell (tridge@samba.org) Oct 1998 + * fixed handling of %.0f + * added test for HAVE_LONG_DOUBLE * - * Ben Lindstrom 02/12/01 for OpenSSH - * Removed all hint of VARARGS stuff and banished it to the void, - * and did a bit of KNF style work to make things a bit more - * acceptable. Consider stealing from mutt or enlightenment. + * tridge@samba.org, idra@samba.org, April 2001 + * got rid of fcvt code (twas buggy and made testing harder) + * added C99 semantics + * + * date: 2002/12/19 19:56:31; author: herb; state: Exp; lines: +2 -0 + * actually print args for %g and %e + * + * date: 2002/06/03 13:37:52; author: jmcd; state: Exp; lines: +8 -0 + * Since includes.h isn't included here, VA_COPY has to be defined here. I don't + * see any include file that is guaranteed to be here, so I'm defining it + * locally. Fixes AIX and Solaris builds. + * + * date: 2002/06/03 03:07:24; author: tridge; state: Exp; lines: +5 -13 + * put the ifdef for HAVE_VA_COPY in one place rather than in lots of + * functions + * + * date: 2002/05/17 14:51:22; author: jmcd; state: Exp; lines: +21 -4 + * Fix usage of va_list passed as an arg. Use __va_copy before using it + * when it exists. + * + * date: 2002/04/16 22:38:04; author: idra; state: Exp; lines: +20 -14 + * Fix incorrect zpadlen handling in fmtfp. + * Thanks to Ollie Oldham for spotting it. + * few mods to make it easier to compile the tests. + * addedd the "Ollie" test to the floating point ones. + * + * Martin Pool (mbp@samba.org) April 2003 + * Remove NO_CONFIG_H so that the test case can be built within a source + * tree with less trouble. + * Remove unnecessary SAFE_FREE() definition. 
+ * + * Martin Pool (mbp@samba.org) May 2003 + * Put in a prototype for dummy_snprintf() to quiet compiler warnings. + * + * Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even + * if the C library has some snprintf functions already. **************************************************************/ #include "includes.h" -RCSID("$Id: bsd-snprintf.c,v 1.9 2004/09/23 11:35:09 dtucker Exp $"); +RCSID("$Id: bsd-snprintf.c,v 1.11 2005/12/17 11:32:04 dtucker Exp $"); #if defined(BROKEN_SNPRINTF) /* For those with broken snprintf() */ # undef HAVE_SNPRINTF # undef HAVE_VSNPRINTF #endif +#ifndef VA_COPY +# ifdef HAVE_VA_COPY +# define VA_COPY(dest, src) va_copy(dest, src) +# else +# ifdef HAVE___VA_COPY +# define VA_COPY(dest, src) __va_copy(dest, src) +# else +# define VA_COPY(dest, src) (dest) = (src) +# endif +# endif +#endif + #if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) -static void -dopr(char *buffer, size_t maxlen, const char *format, va_list args); +#ifdef HAVE_LONG_DOUBLE +# define LDOUBLE long double +#else +# define LDOUBLE double +#endif -static void -fmtstr(char *buffer, size_t *currlen, size_t maxlen, char *value, int flags, - int min, int max); - -static void -fmtint(char *buffer, size_t *currlen, size_t maxlen, long value, int base, - int min, int max, int flags); - -static void -fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue, - int min, int max, int flags); - -static void -dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c); +#ifdef HAVE_LONG_LONG +# define LLONG long long +#else +# define LLONG long +#endif /* * dopr(): poor man's version of doprintf 
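Review bot: The `VA_COPY` fallback block in the `@@ -45,45 +45,82 @@` hunk (which starts on the previous line) is byte-for-byte the one added to bsd-asprintf.c earlier in this diff; two copies of a configure-dependent macro drift easily, so it belongs in a shared compat header. The last fallback, `(dest) = (src)`, silently aliases the two `va_list`s on platforms without `va_copy`, which breaks any caller that reuses the original after the copy has been consumed (`vasprintf()` in this diff does exactly that on its realloc path); a comment on that line such as `/* only correct where va_list is a plain value type */` would save the next porter a debugging session.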
@@ -109,28 +146,49 @@ dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c); #define DP_F_UNSIGNED (1 << 6) /* Conversion Flags */ -#define DP_C_SHORT 1 -#define DP_C_LONG 2 -#define DP_C_LDOUBLE 3 -#define DP_C_LONG_LONG 4 +#define DP_C_SHORT 1 +#define DP_C_LONG 2 +#define DP_C_LDOUBLE 3 +#define DP_C_LLONG 4 -#define char_to_int(p) (p - '0') -#define abs_val(p) (p < 0 ? -p : p) +#define char_to_int(p) ((p)- '0') +#ifndef MAX +# define MAX(p,q) (((p) >= (q)) ? (p) : (q)) +#endif +static size_t dopr(char *buffer, size_t maxlen, const char *format, + va_list args_in); +static void fmtstr(char *buffer, size_t *currlen, size_t maxlen, + char *value, int flags, int min, int max); +static void fmtint(char *buffer, size_t *currlen, size_t maxlen, + long value, int base, int min, int max, int flags); +static void fmtfp(char *buffer, size_t *currlen, size_t maxlen, + LDOUBLE fvalue, int min, int max, int flags); +static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c); -static void -dopr(char *buffer, size_t maxlen, const char *format, va_list args) +static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) { - char *strvalue, ch; - long value; - long double fvalue; - int min = 0, max = -1, state = DP_S_DEFAULT, flags = 0, cflags = 0; - size_t currlen = 0; - - ch = *format++; + char ch; + LLONG value; + LDOUBLE fvalue; + char *strvalue; + int min; + int max; + int state; + int flags; + int cflags; + size_t currlen; + va_list args; + VA_COPY(args, args_in); + + state = DP_S_DEFAULT; + currlen = flags = cflags = min = 0; + max = -1; + ch = *format++; + while (state != DP_S_DONE) { - if ((ch == '\0') || (currlen >= maxlen)) + if (ch == '\0') state = DP_S_DONE; switch(state) { 
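Review bot: `dopr()` in the `@@ -109,28 +146,49 @@` hunk now does `VA_COPY(args, args_in)` at entry, which requires a matching `va_end(args)` before every return; the rest of the function body is outside this hunk, so confirm it is there. The new `MAX(p,q)` macro evaluates its arguments twice, a trap for any future `MAX(i++, ...)` use; a comment `/* arguments are evaluated twice */` next to the define, or a `static inline` helper, would flag it. Dropping the `currlen >= maxlen` loop exit is the intended C99 behaviour (keep scanning so the required length can be reported), and deserves a one-line comment on the `while` since the old code relied on it to stop early.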
@@ -138,7 +196,7 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args) if (ch == '%') state = DP_S_FLAGS; else - dopr_outch(buffer, &currlen, maxlen, ch); + dopr_outch (buffer, &currlen, maxlen, ch); ch = *format++; break; case DP_S_FLAGS: @@ -170,34 +228,37 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args) break; case DP_S_MIN: if (isdigit((unsigned char)ch)) { - min = 10 * min + char_to_int (ch); + min = 10*min + char_to_int (ch); ch = *format++; } else if (ch == '*') { min = va_arg (args, int); ch = *format++; state = DP_S_DOT; - } else + } else { state = DP_S_DOT; + } break; case DP_S_DOT: if (ch == '.') { state = DP_S_MAX; ch = *format++; - } else + } else { state = DP_S_MOD; + } break; case DP_S_MAX: if (isdigit((unsigned char)ch)) { if (max < 0) max = 0; - max = 10 * max + char_to_int(ch); + max = 10*max + char_to_int (ch); ch = *format++; } else if (ch == '*') { max = va_arg (args, int); ch = *format++; state = DP_S_MOD; - } else + } else { state = DP_S_MOD; + } break; case DP_S_MOD: switch (ch) { @@ -208,15 +269,11 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args) case 'l': cflags = DP_C_LONG; ch = *format++; - if (ch == 'l') { - cflags = DP_C_LONG_LONG; + if (ch == 'l') { /* It's a long long */ + cflags = DP_C_LLONG; ch = *format++; } break; - case 'q': - cflags = DP_C_LONG_LONG; - ch = *format++; - break; case 'L': cflags = DP_C_LDOUBLE; ch = *format++; 
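Review bot: Dropping `case 'q':` from the DP_S_MOD switch (third hunk on this line) turns any surviving `%qd`/`%qu` format into a silent argument-slot mismatch: the `q` now falls to the DP_S_CONV `default: /* Unknown, skip */` branch, the va_arg for that conversion is never consumed, and every later argument is read one slot off. Because this file is only compiled when the platform snprintf is missing or broken, the damage would appear only on those targets, which makes it easy to miss in testing. If `%q` is still used anywhere in the tree, keep a compatibility alias `case 'q': cflags = DP_C_LLONG; ch = *format++; break;`. dopr's body starts and ends outside these hunks.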
@@ -231,37 +288,37 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args) case 'd': case 'i': if (cflags == DP_C_SHORT) - value = va_arg(args, int); + value = va_arg (args, int); else if (cflags == DP_C_LONG) - value = va_arg(args, long int); - else if (cflags == DP_C_LONG_LONG) - value = va_arg (args, long long); + value = va_arg (args, long int); + else if (cflags == DP_C_LLONG) + value = va_arg (args, LLONG); else value = va_arg (args, int); - fmtint(buffer, &currlen, maxlen, value, 10, min, max, flags); + fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags); break; case 'o': flags |= DP_F_UNSIGNED; if (cflags == DP_C_SHORT) - value = va_arg(args, unsigned int); + value = va_arg (args, unsigned int); else if (cflags == DP_C_LONG) - value = va_arg(args, unsigned long int); - else if (cflags == DP_C_LONG_LONG) - value = va_arg(args, unsigned long long); + value = (long)va_arg (args, unsigned long int); + else if (cflags == DP_C_LLONG) + value = (long)va_arg (args, unsigned LLONG); else - value = va_arg(args, unsigned int); - fmtint(buffer, &currlen, maxlen, value, 8, min, max, flags); + value = (long)va_arg (args, unsigned int); + fmtint (buffer, &currlen, maxlen, value, 8, min, max, flags); break; case 'u': flags |= DP_F_UNSIGNED; if (cflags == DP_C_SHORT) - value = va_arg(args, unsigned int); + value = va_arg (args, unsigned int); else if (cflags == DP_C_LONG) - value = va_arg(args, unsigned long int); - else if (cflags == DP_C_LONG_LONG) - value = va_arg(args, unsigned long long); + value = (long)va_arg (args, unsigned long int); + else if (cflags == DP_C_LLONG) + value = (LLONG)va_arg (args, unsigned LLONG); else - value = va_arg(args, unsigned int); + value = (long)va_arg (args, unsigned int); fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags); break; case 'X': 
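Review bot: `value` is now `LLONG`, yet every `fmtint (buffer, &currlen, maxlen, value, ...)` call in this hunk passes it through fmtint's `long value` parameter (prototype in an earlier hunk), so on ILP32 targets where `long` is 32 bits a `%lld`, `%llu` or `%llx` argument above 2^32 is truncated before it is formatted; the explicit `(long)` casts on the `unsigned LLONG` branches make that loss explicit rather than avoiding it. Widening fmtint to `LLONG value` with an `unsigned LLONG uvalue` inside it (its definition is in a later hunk) would make the long long branches correct everywhere. On LP64 the problem is masked because `long` and `long long` share a width, which is probably why it went unnoticed. dopr's body starts and ends outside this hunk.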
@@ -269,79 +326,86 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args) case 'x': flags |= DP_F_UNSIGNED; if (cflags == DP_C_SHORT) - value = va_arg(args, unsigned int); + value = va_arg (args, unsigned int); else if (cflags == DP_C_LONG) - value = va_arg(args, unsigned long int); - else if (cflags == DP_C_LONG_LONG) - value = va_arg(args, unsigned long long); + value = (long)va_arg (args, unsigned long int); + else if (cflags == DP_C_LLONG) + value = (LLONG)va_arg (args, unsigned LLONG); else - value = va_arg(args, unsigned int); - fmtint(buffer, &currlen, maxlen, value, 16, min, max, flags); + value = (long)va_arg (args, unsigned int); + fmtint (buffer, &currlen, maxlen, value, 16, min, max, flags); break; case 'f': if (cflags == DP_C_LDOUBLE) - fvalue = va_arg(args, long double); + fvalue = va_arg (args, LDOUBLE); else - fvalue = va_arg(args, double); + fvalue = va_arg (args, double); /* um, floating point? */ - fmtfp(buffer, &currlen, maxlen, fvalue, min, max, flags); + fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags); break; case 'E': flags |= DP_F_UP; case 'e': if (cflags == DP_C_LDOUBLE) - fvalue = va_arg(args, long double); + fvalue = va_arg (args, LDOUBLE); else - fvalue = va_arg(args, double); + fvalue = va_arg (args, double); + fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags); break; case 'G': flags |= DP_F_UP; case 'g': if (cflags == DP_C_LDOUBLE) - fvalue = va_arg(args, long double); + fvalue = va_arg (args, LDOUBLE); else - fvalue = va_arg(args, double); + fvalue = va_arg (args, double); + fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags); break; case 'c': - dopr_outch(buffer, &currlen, maxlen, va_arg(args, int)); + dopr_outch (buffer, &currlen, maxlen, va_arg (args, int)); break; case 's': - strvalue = va_arg(args, char *); - if (max < 0) - max = maxlen; /* ie, no max */ - fmtstr(buffer, &currlen, maxlen, strvalue, flags, min, max); + strvalue = va_arg (args, char *); + if (!strvalue) strvalue = "(NULL)"; + 
if (max == -1) { + max = strlen(strvalue); + } + if (min > 0 && max >= 0 && min > max) max = min; + fmtstr (buffer, &currlen, maxlen, strvalue, flags, min, max); break; case 'p': - strvalue = va_arg(args, void *); - fmtint(buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags); + strvalue = va_arg (args, void *); + fmtint (buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags); break; case 'n': if (cflags == DP_C_SHORT) { short int *num; - num = va_arg(args, short int *); + num = va_arg (args, short int *); *num = currlen; } else if (cflags == DP_C_LONG) { long int *num; - num = va_arg(args, long int *); - *num = currlen; - } else if (cflags == DP_C_LONG_LONG) { - long long *num; - num = va_arg(args, long long *); - *num = currlen; + num = va_arg (args, long int *); + *num = (long int)currlen; + } else if (cflags == DP_C_LLONG) { + LLONG *num; + num = va_arg (args, LLONG *); + *num = (LLONG)currlen; } else { int *num; - num = va_arg(args, int *); + num = va_arg (args, int *); *num = currlen; } break; case '%': - dopr_outch(buffer, &currlen, maxlen, ch); + dopr_outch (buffer, &currlen, maxlen, ch); break; - case 'w': /* not supported yet, treat as next char */ + case 'w': + /* not supported yet, treat as next char */ ch = *format++; break; - default: /* Unknown, skip */ - break; + default: + /* Unknown, skip */ + break; } ch = *format++; state = DP_S_DEFAULT; 
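Review bot: The new `if (max == -1)` in the `%s` case only repairs the default precision; a precision supplied as `*` (read with `max = va_arg (args, int)` in an earlier hunk) can be any negative value, and those now reach fmtstr with `max < 0`, where every `cnt < max` loop runs zero times and the string is silently dropped. The code this replaces used `max < 0`, and C99 treats a negative `*` precision as if it had been omitted, so `if (max < 0) { max = strlen(strvalue); }` preserves both behaviours. dopr's body starts and ends outside this hunk.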
@@ -350,24 +414,33 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args) break; case DP_S_DONE: break; - default: /* hmm? */ + default: + /* hmm? */ break; /* some picky compilers need this */ } } - if (currlen < maxlen - 1) - buffer[currlen] = '\0'; - else - buffer[maxlen - 1] = '\0'; + if (maxlen != 0) { + if (currlen < maxlen - 1) + buffer[currlen] = '\0'; + else if (maxlen > 0) + buffer[maxlen - 1] = '\0'; + } + + return currlen; } -static void -fmtstr(char *buffer, size_t *currlen, size_t maxlen, - char *value, int flags, int min, int max) +static void fmtstr(char *buffer, size_t *currlen, size_t maxlen, + char *value, int flags, int min, int max) { - int cnt = 0, padlen, strln; /* amount to pad */ - - if (value == 0) + int padlen, strln; /* amount to pad */ + int cnt = 0; + +#ifdef DEBUG_SNPRINTF + printf("fmtstr min=%d max=%d s=[%s]\n", min, max, value); +#endif + if (value == 0) { value = ""; + } for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */ padlen = min - strln; @@ -375,18 +448,18 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen, padlen = 0; if (flags & DP_F_MINUS) padlen = -padlen; /* Left Justify */ - + while ((padlen > 0) && (cnt < max)) { - dopr_outch(buffer, currlen, maxlen, ' '); + dopr_outch (buffer, currlen, maxlen, ' '); --padlen; ++cnt; } while (*value && (cnt < max)) { - dopr_outch(buffer, currlen, maxlen, *value++); + dopr_outch (buffer, currlen, maxlen, *value++); ++cnt; } while ((padlen < 0) && (cnt < max)) { - dopr_outch(buffer, currlen, maxlen, ' '); + dopr_outch (buffer, currlen, maxlen, ' '); ++padlen; ++cnt; } 
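Review bot: dopr now ends with `return currlen;` without calling `va_end` on the `args` copy that `VA_COPY(args, args_in)` makes at the top of the function (in an earlier hunk); C99 requires a matching `va_end` for every `va_copy`, and on ABIs where a va_list carries allocated or register-save state the omission is a leak or undefined behaviour. Add `va_end(args);` immediately before `return currlen;`. The `else if (maxlen > 0)` branch is also redundant under the enclosing `if (maxlen != 0)` and can be a plain `else`. dopr's body starts outside this hunk.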
@@ -394,49 +467,49 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen, /* Have to handle DP_F_NUM (ie 0x and 0 alternates) */ -static void -fmtint(char *buffer, size_t *currlen, size_t maxlen, - long value, int base, int min, int max, int flags) +static void fmtint(char *buffer, size_t *currlen, size_t maxlen, + long value, int base, int min, int max, int flags) { + int signvalue = 0; unsigned long uvalue; char convert[20]; - int signvalue = 0, place = 0, caps = 0; + int place = 0; int spadlen = 0; /* amount to space pad */ int zpadlen = 0; /* amount to zero pad */ - + int caps = 0; + if (max < 0) max = 0; - + uvalue = value; - - if (!(flags & DP_F_UNSIGNED)) { - if (value < 0) { + + if(!(flags & DP_F_UNSIGNED)) { + if( value < 0 ) { signvalue = '-'; uvalue = -value; - } else if (flags & DP_F_PLUS) /* Do a sign (+/i) */ - signvalue = '+'; - else if (flags & DP_F_SPACE) - signvalue = ' '; + } else { + if (flags & DP_F_PLUS) /* Do a sign (+/i) */ + signvalue = '+'; + else if (flags & DP_F_SPACE) + signvalue = ' '; + } } - if (flags & DP_F_UP) - caps = 1; /* Should characters be upper case? */ + if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */ + do { convert[place++] = - (caps ? "0123456789ABCDEF" : "0123456789abcdef") - [uvalue % (unsigned)base]; + (caps? "0123456789ABCDEF":"0123456789abcdef") + [uvalue % (unsigned)base ]; uvalue = (uvalue / (unsigned)base ); - } while (uvalue && (place < 20)); - if (place == 20) - place--; + } while(uvalue && (place < 20)); + if (place == 20) place--; convert[place] = 0; zpadlen = max - place; spadlen = min - MAX (max, place) - (signvalue ? 1 : 0); - if (zpadlen < 0) - zpadlen = 0; - if (spadlen < 0) - spadlen = 0; + if (zpadlen < 0) zpadlen = 0; + if (spadlen < 0) spadlen = 0; if (flags & DP_F_ZERO) { zpadlen = MAX(zpadlen, spadlen); spadlen = 0; 
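Review bot: In fmtint, `uvalue = -value;` negates a `long` before the conversion to `unsigned long`, which is signed overflow (undefined behaviour) when `value == LONG_MIN`; `uvalue = 0UL - (unsigned long)value;` yields the intended magnitude without UB. Separately, `convert[20]` with the `place < 20` bound and the `if (place == 20) place--;` fix-up silently discards the most significant digit of any 20-digit result (e.g. `%lu` of ULONG_MAX on LP64) and cannot hold the 22 octal digits a 64-bit value needs; size the buffer for the widest case (`char convert[24];`) and bound the loop with `sizeof(convert) - 1` instead of the literal 20. fmtint's body continues outside this hunk.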
@@ -444,27 +517,32 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen, if (flags & DP_F_MINUS) spadlen = -spadlen; /* Left Justifty */ +#ifdef DEBUG_SNPRINTF + printf("zpad: %d, spad: %d, min: %d, max: %d, place: %d\n", + zpadlen, spadlen, min, max, place); +#endif + /* Spaces */ while (spadlen > 0) { - dopr_outch(buffer, currlen, maxlen, ' '); + dopr_outch (buffer, currlen, maxlen, ' '); --spadlen; } /* Sign */ if (signvalue) - dopr_outch(buffer, currlen, maxlen, signvalue); + dopr_outch (buffer, currlen, maxlen, signvalue); /* Zeros */ if (zpadlen > 0) { while (zpadlen > 0) { - dopr_outch(buffer, currlen, maxlen, '0'); + dopr_outch (buffer, currlen, maxlen, '0'); --zpadlen; } } /* Digits */ while (place > 0) - dopr_outch(buffer, currlen, maxlen, convert[--place]); + dopr_outch (buffer, currlen, maxlen, convert[--place]); /* Left Justified spaces */ while (spadlen < 0) { @@ -473,11 +551,20 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen, } } -static long double -pow10(int exp) +static LDOUBLE abs_val(LDOUBLE value) { - long double result = 1; + LDOUBLE result = value; + if (value < 0) + result = -value; + + return result; +} + +static LDOUBLE POW10(int exp) +{ + LDOUBLE result = 1; + while (exp) { result *= 10; exp--; 
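Review bot: `POW10` loops `while (exp)` and decrements, so a negative `exp` never reaches zero and the loop only ends after `int` wraparound, which is undefined behaviour. The only visible caller passes `max`, which fmtfp clamps to 0..16 in a later hunk, so this is latent rather than reachable today, but `while (exp > 0)` makes the helper safe regardless of caller and costs nothing. POW10's body continues outside this hunk.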
@@ -486,28 +573,69 @@ pow10(int exp) return result; } -static long -round(long double value) +static LLONG ROUND(LDOUBLE value) { - long intpart = value; - - value -= intpart; - if (value >= 0.5) - intpart++; + LLONG intpart; + intpart = (LLONG)value; + value = value - intpart; + if (value >= 0.5) intpart++; + return intpart; } -static void -fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue, - int min, int max, int flags) +/* a replacement for modf that doesn't need the math library. Should + be portable, but slow */ +static double my_modf(double x0, double *iptr) { - char iconvert[20], fconvert[20]; - int signvalue = 0, iplace = 0, fplace = 0; + int i; + long l; + double x = x0; + double f = 1.0; + + for (i=0;i<100;i++) { + l = (long)x; + if (l <= (x+1) && l >= (x-1)) break; + x *= 0.1; + f *= 10.0; + } + + if (i == 100) { + /* yikes! the number is beyond what we can handle. What do we do? */ + (*iptr) = 0; + return 0; + } + + if (i != 0) { + double i2; + double ret; + + ret = my_modf(x0-l*f, &i2); + (*iptr) = l*f + i2; + return ret; + } + + (*iptr) = l; + return x - (*iptr); +} + + +static void fmtfp (char *buffer, size_t *currlen, size_t maxlen, + LDOUBLE fvalue, int min, int max, int flags) +{ + int signvalue = 0; + double ufvalue; + char iconvert[311]; + char fconvert[311]; + int iplace = 0; + int fplace = 0; int padlen = 0; /* amount to pad */ - int zpadlen = 0, caps = 0; - long intpart, fracpart; - long double ufvalue; + int zpadlen = 0; + int caps = 0; + int idx; + double intpart; + double fracpart; + double temp; /* * AIX manpage says the default is 0, but Solaris says the default 
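Review bot: In my_modf the loop performs `l = (long)x;` before checking whether `l` is close to `x`, so for `|x| >= 2^63` (or 2^31 on ILP32) the double-to-long conversion is undefined behaviour on the very first iteration; the loop was evidently written to scale such values down by 0.1 first, but the cast runs before the scaling. Test the range before casting (with `<limits.h>` in scope) so the scaling path is taken for out-of-range values, as below. `ROUND` has the same unguarded `(LLONG)value` cast, though its visible caller passes a fraction scaled by at most 10^16. The `i == 100` fallback also returns 0 silently for a value that is merely huge; a comment stating that the caller will then print `0` would help the next reader.
```c
for (i=0;i<100;i++) {
    if (x < (double)LONG_MAX && x > (double)LONG_MIN) {
        l = (long)x;
        if (l <= (x+1) && l >= (x-1)) break;
    }
    x *= 0.1;
    f *= 10.0;
}
/* … unchanged: i == 100 bail-out and recursive remainder … */
```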
@@ -516,137 +644,159 @@ fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue, if (max < 0) max = 6; - ufvalue = abs_val(fvalue); + ufvalue = abs_val (fvalue); - if (fvalue < 0) + if (fvalue < 0) { signvalue = '-'; - else if (flags & DP_F_PLUS) /* Do a sign (+/i) */ - signvalue = '+'; - else if (flags & DP_F_SPACE) - signvalue = ' '; + } else { + if (flags & DP_F_PLUS) { /* Do a sign (+/i) */ + signvalue = '+'; + } else { + if (flags & DP_F_SPACE) + signvalue = ' '; + } + } - intpart = ufvalue; +#if 0 + if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */ +#endif + +#if 0 + if (max == 0) ufvalue += 0.5; /* if max = 0 we must round */ +#endif /* - * Sorry, we only support 9 digits past the decimal because of our + * Sorry, we only support 16 digits past the decimal because of our * conversion method */ - if (max > 9) - max = 9; + if (max > 16) + max = 16; /* We "cheat" by converting the fractional part to integer by * multiplying by a factor of 10 */ - fracpart = round((pow10 (max)) * (ufvalue - intpart)); - if (fracpart >= pow10 (max)) { + temp = ufvalue; + my_modf(temp, &intpart); + + fracpart = ROUND((POW10(max)) * (ufvalue - intpart)); + + if (fracpart >= POW10(max)) { intpart++; - fracpart -= pow10 (max); + fracpart -= POW10(max); } /* Convert integer part */ do { + temp = intpart*0.1; + my_modf(temp, &intpart); + idx = (int) ((temp -intpart +0.05)* 10.0); + /* idx = (int) (((double)(temp*0.1) -intpart +0.05) *10.0); */ + /* printf ("%llf, %f, %x\n", temp, intpart, idx); */ iconvert[iplace++] = - (caps ? "0123456789ABCDEF" : "0123456789abcdef") - [intpart % 10]; - intpart = (intpart / 10); - } while(intpart && (iplace < 20)); - if (iplace == 20) - iplace--; + (caps? "0123456789ABCDEF":"0123456789abcdef")[idx]; + } while (intpart && (iplace < 311)); + if (iplace == 311) iplace--; iconvert[iplace] = 0; /* Convert fractional part */ - do { - fconvert[fplace++] = - (caps ? 
"0123456789ABCDEF" : "0123456789abcdef") - [fracpart % 10]; - fracpart = (fracpart / 10); - } while(fracpart && (fplace < 20)); - if (fplace == 20) - fplace--; + if (fracpart) + { + do { + temp = fracpart*0.1; + my_modf(temp, &fracpart); + idx = (int) ((temp -fracpart +0.05)* 10.0); + /* idx = (int) ((((temp/10) -fracpart) +0.05) *10); */ + /* printf ("%lf, %lf, %ld\n", temp, fracpart, idx ); */ + fconvert[fplace++] = + (caps? "0123456789ABCDEF":"0123456789abcdef")[idx]; + } while(fracpart && (fplace < 311)); + if (fplace == 311) fplace--; + } fconvert[fplace] = 0; - + /* -1 for decimal point, another -1 if we are printing a sign */ padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0); zpadlen = max - fplace; - if (zpadlen < 0) - zpadlen = 0; + if (zpadlen < 0) zpadlen = 0; if (padlen < 0) padlen = 0; if (flags & DP_F_MINUS) padlen = -padlen; /* Left Justifty */ - + if ((flags & DP_F_ZERO) && (padlen > 0)) { if (signvalue) { - dopr_outch(buffer, currlen, maxlen, signvalue); + dopr_outch (buffer, currlen, maxlen, signvalue); --padlen; signvalue = 0; } while (padlen > 0) { - dopr_outch(buffer, currlen, maxlen, '0'); + dopr_outch (buffer, currlen, maxlen, '0'); --padlen; } } while (padlen > 0) { - dopr_outch(buffer, currlen, maxlen, ' '); + dopr_outch (buffer, currlen, maxlen, ' '); --padlen; } if (signvalue) - dopr_outch(buffer, currlen, maxlen, signvalue); - + dopr_outch (buffer, currlen, maxlen, signvalue); + while (iplace > 0) - dopr_outch(buffer, currlen, maxlen, iconvert[--iplace]); + dopr_outch (buffer, currlen, maxlen, iconvert[--iplace]); + +#ifdef DEBUG_SNPRINTF + printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen); +#endif /* - * Decimal point. This should probably use locale to find the - * correct char to print out. + * Decimal point. This should probably use locale to find the correct + * char to print out. 
*/ - dopr_outch(buffer, currlen, maxlen, '.'); + if (max > 0) { + dopr_outch (buffer, currlen, maxlen, '.'); + + while (zpadlen > 0) { + dopr_outch (buffer, currlen, maxlen, '0'); + --zpadlen; + } - while (fplace > 0) - dopr_outch(buffer, currlen, maxlen, fconvert[--fplace]); - - while (zpadlen > 0) { - dopr_outch(buffer, currlen, maxlen, '0'); - --zpadlen; + while (fplace > 0) + dopr_outch (buffer, currlen, maxlen, fconvert[--fplace]); } while (padlen < 0) { - dopr_outch(buffer, currlen, maxlen, ' '); + dopr_outch (buffer, currlen, maxlen, ' '); ++padlen; } } -static void -dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c) +static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c) { - if (*currlen < maxlen) - buffer[(*currlen)++] = c; + if (*currlen < maxlen) { + buffer[(*currlen)] = c; + } + (*currlen)++; } #endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */ -#ifndef HAVE_VSNPRINTF -int -vsnprintf(char *str, size_t count, const char *fmt, va_list args) +#if !defined(HAVE_VSNPRINTF) +int vsnprintf (char *str, size_t count, const char *fmt, va_list args) { - str[0] = 0; - dopr(str, count, fmt, args); - - return(strlen(str)); + return dopr(str, count, fmt, args); } -#endif /* !HAVE_VSNPRINTF */ +#endif -#ifndef HAVE_SNPRINTF -int -snprintf(char *str,size_t count,const char *fmt,...) +#if !defined(HAVE_SNPRINTF) +int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...) { + size_t ret; va_list ap; va_start(ap, fmt); - (void) vsnprintf(str, count, fmt, ap); + ret = vsnprintf(str, count, fmt, ap); va_end(ap); - - return(strlen(str)); + return ret; } +#endif -#endif /* !HAVE_SNPRINTF */ diff --git a/crypto/openssh/openbsd-compat/daemon.c b/crypto/openssh/openbsd-compat/daemon.c index c0be5fff9d8c..f8a0680bf844 100644 --- a/crypto/openssh/openbsd-compat/daemon.c +++ b/crypto/openssh/openbsd-compat/daemon.c 
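Review bot: The new `if (max > 0)` guard stops printing the decimal point for `%.0f`, but `padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0);` earlier in the hunk still reserves one column for it, so a width such as `%5.0f` now comes out one space short. Use `padlen = min - iplace - max - (max > 0 ? 1 : 0) - ((signvalue) ? 1 : 0);`. Also, `caps` can no longer become non-zero because the `DP_F_UP` assignment is under `#if 0`, so the `caps ?` selectors in both digit loops are dead code; either drop them or restore the flag check so `%E`/`%G` at least honour the requested case. fmtfp starts outside this hunk.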
@@ -1,5 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/gen/daemon.c */ - +/* $OpenBSD: daemon.c,v 1.6 2005/08/08 08:05:33 espie Exp $ */ /*- * Copyright (c) 1990, 1993 * The Regents of the University of California. All rights reserved. @@ -29,14 +28,12 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/gen/daemon.c */ + #include "includes.h" #ifndef HAVE_DAEMON -#if defined(LIBC_SCCS) && !defined(lint) -static char rcsid[] = "$OpenBSD: daemon.c,v 1.5 2003/07/15 17:32:41 deraadt Exp $"; -#endif /* LIBC_SCCS and not lint */ - int daemon(int nochdir, int noclose) { diff --git a/crypto/openssh/openbsd-compat/dirname.c b/crypto/openssh/openbsd-compat/dirname.c index 25ab34dd683f..30fcb496856d 100644 --- a/crypto/openssh/openbsd-compat/dirname.c +++ b/crypto/openssh/openbsd-compat/dirname.c @@ -1,9 +1,7 @@ -/* OPENBSD ORIGINAL: lib/libc/gen/dirname.c */ - -/* $OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $ */ +/* $OpenBSD: dirname.c,v 1.13 2005/08/08 08:05:33 espie Exp $ */ /* - * Copyright (c) 1997 Todd C. Miller + * Copyright (c) 1997, 2004 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -18,13 +16,11 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +/* OPENBSD ORIGINAL: lib/libc/gen/dirname.c */ + #include "includes.h" #ifndef HAVE_DIRNAME -#ifndef lint -static char rcsid[] = "$OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $"; -#endif /* not lint */ - #include #include #include 
@@ -32,16 +28,18 @@ static char rcsid[] = "$OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Ex char * dirname(const char *path) { - static char bname[MAXPATHLEN]; - register const char *endp; + static char dname[MAXPATHLEN]; + size_t len; + const char *endp; /* Empty or NULL string gets treated as "." */ if (path == NULL || *path == '\0') { - (void)strlcpy(bname, ".", sizeof bname); - return(bname); + dname[0] = '.'; + dname[1] = '\0'; + return (dname); } - /* Strip trailing slashes */ + /* Strip any trailing slashes */ endp = path + strlen(path) - 1; while (endp > path && *endp == '/') endp--; @@ -52,19 +50,23 @@ dirname(const char *path) /* Either the dir is "/" or there are no slashes */ if (endp == path) { - (void)strlcpy(bname, *endp == '/' ? "/" : ".", sizeof bname); - return(bname); + dname[0] = *endp == '/' ? '/' : '.'; + dname[1] = '\0'; + return (dname); } else { + /* Move forward past the separating slashes */ do { endp--; } while (endp > path && *endp == '/'); } - if (endp - path + 2 > sizeof(bname)) { + len = endp - path + 1; + if (len >= sizeof(dname)) { errno = ENAMETOOLONG; - return(NULL); + return (NULL); } - strlcpy(bname, path, endp - path + 2); - return(bname); + memcpy(dname, path, len); + dname[len] = '\0'; + return (dname); } #endif diff --git a/crypto/openssh/openbsd-compat/getcwd.c b/crypto/openssh/openbsd-compat/getcwd.c index 19be59172ea2..711cb9cd5d47 100644 --- a/crypto/openssh/openbsd-compat/getcwd.c +++ b/crypto/openssh/openbsd-compat/getcwd.c @@ -1,5 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/gen/getcwd.c */ - +/* $OpenBSD: getcwd.c,v 1.14 2005/08/08 08:05:34 espie Exp $ */ /* * Copyright (c) 1989, 1991, 1993 * The Regents of the University of California. All rights reserved. 
@@ -29,14 +28,12 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/gen/getcwd.c */ + #include "includes.h" #if !defined(HAVE_GETCWD) -#if defined(LIBC_SCCS) && !defined(lint) -static char rcsid[] = "$OpenBSD: getcwd.c,v 1.9 2003/06/11 21:03:10 deraadt Exp $"; -#endif /* LIBC_SCCS and not lint */ - #include #include #include @@ -54,12 +51,12 @@ static char rcsid[] = "$OpenBSD: getcwd.c,v 1.9 2003/06/11 21:03:10 deraadt Exp char * getcwd(char *pt, size_t size) { - register struct dirent *dp; - register DIR *dir = NULL; - register dev_t dev; - register ino_t ino; - register int first; - register char *bpt, *bup; + struct dirent *dp; + DIR *dir = NULL; + dev_t dev; + ino_t ino; + int first; + char *bpt, *bup; struct stat s; dev_t root_dev; ino_t root_ino; @@ -80,7 +77,7 @@ getcwd(char *pt, size_t size) } ept = pt + size; } else { - if ((pt = malloc(ptsize = 1024 - 4)) == NULL) + if ((pt = malloc(ptsize = MAXPATHLEN)) == NULL) return (NULL); ept = pt + ptsize; } @@ -88,13 +85,13 @@ getcwd(char *pt, size_t size) *bpt = '\0'; /* - * Allocate bytes (1024 - malloc space) for the string of "../"'s. + * Allocate bytes for the string of "../"'s. * Should always be enough (it's 340 levels). If it's not, allocate * as necessary. Special * case the first stat, it's ".", not "..". */ - if ((up = malloc(upsize = 1024 - 4)) == NULL) + if ((up = malloc(upsize = MAXPATHLEN)) == NULL) goto err; - eup = up + MAXPATHLEN; + eup = up + upsize; bup = up; up[0] = '.'; up[1] = '\0'; @@ -139,18 +136,16 @@ getcwd(char *pt, size_t size) if ((nup = realloc(up, upsize *= 2)) == NULL) goto err; + bup = nup + (bup - up); up = nup; - bup = up; eup = up + upsize; } *bup++ = '.'; *bup++ = '.'; *bup = '\0'; - /* Open and stat parent directory. - * RACE?? - replaced fstat(dirfd(dir), &s) w/ lstat(up,&s) - */ - if (!(dir = opendir(up)) || lstat(up,&s)) + /* Open and stat parent directory. */ + if (!(dir = opendir(up)) || fstat(dirfd(dir), &s)) goto err; /* Add trailing slash for next directory. */ 
@@ -175,7 +170,7 @@ getcwd(char *pt, size_t size) goto notfound; if (ISDOT(dp)) continue; - memmove(bup, dp->d_name, dp->d_namlen + 1); + memcpy(bup, dp->d_name, dp->d_namlen + 1); /* Save the first error for later. */ if (lstat(up, &s)) { @@ -193,19 +188,18 @@ getcwd(char *pt, size_t size) * leading slash. */ if (bpt - pt < dp->d_namlen + (first ? 1 : 2)) { - size_t len, off; + size_t len; char *npt; if (!ptsize) { errno = ERANGE; goto err; } - off = bpt - pt; len = ept - bpt; if ((npt = realloc(pt, ptsize *= 2)) == NULL) goto err; + bpt = npt + (bpt - pt); pt = npt; - bpt = pt + off; ept = pt + ptsize; memmove(ept - len, bpt, len); bpt = ept - len; @@ -213,7 +207,7 @@ getcwd(char *pt, size_t size) if (!first) *--bpt = '/'; bpt -= dp->d_namlen; - memmove(bpt, dp->d_name, dp->d_namlen); + memcpy(bpt, dp->d_name, dp->d_namlen); (void)closedir(dir); /* Truncate any file name. */ @@ -230,12 +224,16 @@ getcwd(char *pt, size_t size) errno = save_errno ? save_errno : ENOENT; /* FALLTHROUGH */ err: + save_errno = errno; + if (ptsize) free(pt); - if (up) - free(up); + free(up); if (dir) (void)closedir(dir); + + errno = save_errno; + return (NULL); } diff --git a/crypto/openssh/openbsd-compat/getgrouplist.c b/crypto/openssh/openbsd-compat/getgrouplist.c index 59c164f4455d..a57d7d388626 100644 --- a/crypto/openssh/openbsd-compat/getgrouplist.c +++ b/crypto/openssh/openbsd-compat/getgrouplist.c @@ -1,5 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/gen/getgrouplist.c */ - +/* $OpenBSD: getgrouplist.c,v 1.12 2005/08/08 08:05:34 espie Exp $ */ /* * Copyright (c) 1991, 1993 * The Regents of the University of California. All rights reserved. @@ -29,14 +28,12 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/gen/getgrouplist.c */ + #include "includes.h" #ifndef HAVE_GETGROUPLIST -#if defined(LIBC_SCCS) && !defined(lint) -static char rcsid[] = "$OpenBSD: getgrouplist.c,v 1.9 2003/06/25 21:16:47 deraadt Exp $"; -#endif /* LIBC_SCCS and not lint */ - /* * get credential */ 
@@ -46,14 +43,10 @@ static char rcsid[] = "$OpenBSD: getgrouplist.c,v 1.9 2003/06/25 21:16:47 deraad #include int -getgrouplist(uname, agroup, groups, grpcnt) - const char *uname; - gid_t agroup; - register gid_t *groups; - int *grpcnt; +getgrouplist(const char *uname, gid_t agroup, gid_t *groups, int *grpcnt) { - register struct group *grp; - register int i, ngroups; + struct group *grp; + int i, ngroups; int ret, maxgroups; int bail; diff --git a/crypto/openssh/openbsd-compat/getopt.c b/crypto/openssh/openbsd-compat/getopt.c index f5ee6778da41..5450e43d957b 100644 --- a/crypto/openssh/openbsd-compat/getopt.c +++ b/crypto/openssh/openbsd-compat/getopt.c @@ -1,5 +1,3 @@ -/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */ - /* * Copyright (c) 1987, 1993, 1994 * The Regents of the University of California. All rights reserved. @@ -29,6 +27,8 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */ + #include "includes.h" #if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET) diff --git a/crypto/openssh/openbsd-compat/getrrsetbyname.c b/crypto/openssh/openbsd-compat/getrrsetbyname.c index 2016ffe312f3..bea6aea3b5bd 100644 --- a/crypto/openssh/openbsd-compat/getrrsetbyname.c +++ b/crypto/openssh/openbsd-compat/getrrsetbyname.c @@ -1,6 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */ - -/* $OpenBSD: getrrsetbyname.c,v 1.7 2003/03/07 07:34:14 itojun Exp $ */ +/* $OpenBSD: getrrsetbyname.c,v 1.10 2005/03/30 02:58:28 tedu Exp $ */ /* * Copyright (c) 2001 Jakob Schlyter. All rights reserved. 
@@ -45,54 +43,26 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +/* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */ + #include "includes.h" #ifndef HAVE_GETRRSETBYNAME #include "getrrsetbyname.h" -#define ANSWER_BUFFER_SIZE 1024*64 - #if defined(HAVE_DECL_H_ERRNO) && !HAVE_DECL_H_ERRNO extern int h_errno; #endif -struct dns_query { - char *name; - u_int16_t type; - u_int16_t class; - struct dns_query *next; -}; +/* We don't need multithread support here */ +#ifdef _THREAD_PRIVATE +# undef _THREAD_PRIVATE +#endif +#define _THREAD_PRIVATE(a,b,c) (c) +struct __res_state _res; -struct dns_rr { - char *name; - u_int16_t type; - u_int16_t class; - u_int16_t ttl; - u_int16_t size; - void *rdata; - struct dns_rr *next; -}; - -struct dns_response { - HEADER header; - struct dns_query *query; - struct dns_rr *answer; - struct dns_rr *authority; - struct dns_rr *additional; -}; - -static struct dns_response *parse_dns_response(const u_char *, int); -static struct dns_query *parse_dns_qsection(const u_char *, int, - const u_char **, int); -static struct dns_rr *parse_dns_rrsection(const u_char *, int, const u_char **, - int); - -static void free_dns_query(struct dns_query *); -static void free_dns_rr(struct dns_rr *); -static void free_dns_response(struct dns_response *); - -static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t); +/* Necessary functions and macros */ /* * Inline versions of get/put short/long. Pointer is advanced. 
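Review bot: `struct __res_state _res;` together with the overriding `#define _THREAD_PRIVATE(a,b,c) (c)` defines a resolver state object inside this compat file, but `_res` is a reserved identifier that libresolv implementations commonly export themselves (some as a macro over thread-local state); on such a C library this may either fail to link or produce a second `_res` that `res_init()`/`res_query()` never touch, in which case the `RES_INIT` test in a later hunk would be examining the wrong object. If the intent is only to cover resolvers that lack `_THREAD_PRIVATE`, guard the definition with a configure-time check and add a comment such as `/* Only for resolvers that do not provide _res themselves; see configure.ac */`. getrrsetbyname itself begins in a later hunk.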
@@ -162,14 +132,56 @@ _getlong(msgp) u_int32_t _getlong(register const u_char *); #endif +/* ************** */ + +#define ANSWER_BUFFER_SIZE 1024*64 + +struct dns_query { + char *name; + u_int16_t type; + u_int16_t class; + struct dns_query *next; +}; + +struct dns_rr { + char *name; + u_int16_t type; + u_int16_t class; + u_int16_t ttl; + u_int16_t size; + void *rdata; + struct dns_rr *next; +}; + +struct dns_response { + HEADER header; + struct dns_query *query; + struct dns_rr *answer; + struct dns_rr *authority; + struct dns_rr *additional; +}; + +static struct dns_response *parse_dns_response(const u_char *, int); +static struct dns_query *parse_dns_qsection(const u_char *, int, + const u_char **, int); +static struct dns_rr *parse_dns_rrsection(const u_char *, int, const u_char **, + int); + +static void free_dns_query(struct dns_query *); +static void free_dns_rr(struct dns_rr *); +static void free_dns_response(struct dns_response *); + +static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t); + int getrrsetbyname(const char *hostname, unsigned int rdclass, unsigned int rdtype, unsigned int flags, struct rrsetinfo **res) { + struct __res_state *_resp = _THREAD_PRIVATE(_res, _res, &_res); int result; struct rrsetinfo *rrset = NULL; - struct dns_response *response; + struct dns_response *response = NULL; struct dns_rr *rr; struct rdatainfo *rdata; int length; 
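Review bot: `struct dns_rr` as re-added here declares `u_int16_t ttl;`, but a DNS resource record TTL is a 32-bit field (RFC 1035 section 3.2.1), so any TTL the parser stores into it is truncated modulo 65536; the parse code is not visible in this hunk, so whether the value is consumed downstream cannot be confirmed, but `u_int32_t ttl;` costs nothing and matches the wire format. `#define ANSWER_BUFFER_SIZE 1024*64` should also be parenthesised as `#define ANSWER_BUFFER_SIZE (1024*64)` so that a use like `x / ANSWER_BUFFER_SIZE` does not silently become `x / 1024 * 64`. getrrsetbyname's body continues outside this hunk.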
@@ -195,19 +207,19 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, } /* initialize resolver */ - if ((_res.options & RES_INIT) == 0 && res_init() == -1) { + if ((_resp->options & RES_INIT) == 0 && res_init() == -1) { result = ERRSET_FAIL; goto fail; } #ifdef DEBUG - _res.options |= RES_DEBUG; + _resp->options |= RES_DEBUG; #endif /* DEBUG */ #ifdef RES_USE_DNSSEC /* turn on DNSSEC if EDNS0 is configured */ - if (_res.options & RES_USE_EDNS0) - _res.options |= RES_USE_DNSSEC; + if (_resp->options & RES_USE_EDNS0) + _resp->options |= RES_USE_DNSSEC; #endif /* RES_USE_DNSEC */ /* make query */ @@ -257,13 +269,11 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, #endif /* copy name from answer section */ - length = strlen(response->answer->name); - rrset->rri_name = malloc(length + 1); + rrset->rri_name = strdup(response->answer->name); if (rrset->rri_name == NULL) { result = ERRSET_NOMEMORY; goto fail; } - strlcpy(rrset->rri_name, response->answer->name, length + 1); /* count answers */ rrset->rri_nrdatas = count_dns_rr(response->answer, rrset->rri_rdclass, @@ -281,7 +291,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, /* allocate memory for signatures */ rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo)); - if (rrset->rri_nsigs > 0 && rrset->rri_sigs == NULL) { + if (rrset->rri_sigs == NULL) { result = ERRSET_NOMEMORY; goto fail; } @@ -311,6 +321,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, memcpy(rdata->rdi_data, rr->rdata, rr->size); } } + free_dns_response(response); *res = rrset; return (ERRSET_SUCCESS); @@ -318,6 +329,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, fail: if (rrset != NULL) freerrset(rrset); + if (response != NULL) + free_dns_response(response); return (result); } 
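Review bot: Changing the signature-array check to `if (rrset->rri_sigs == NULL)` reintroduces a false failure: when `rri_nsigs` is 0, `calloc(0, sizeof(struct rdatainfo))` may legitimately return NULL (the C standard permits it), and the lookup then fails with ERRSET_NOMEMORY for every unsigned answer, which is likely the common case on such platforms. Keep the guard the old code had, `if (rrset->rri_nsigs > 0 && rrset->rri_sigs == NULL)`, or allocate `MAX(1, rri_nsigs)` entries. Whether the sibling `rri_rdatas` allocation outside this hunk follows the same pattern cannot be seen here. getrrsetbyname's body starts outside this hunk.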
@@ -467,7 +480,8 @@ parse_dns_qsection(const u_char *answer, int size, const u_char **cp, int count) } static struct dns_rr * -parse_dns_rrsection(const u_char *answer, int size, const u_char **cp, int count) +parse_dns_rrsection(const u_char *answer, int size, const u_char **cp, + int count) { struct dns_rr *head, *curr, *prev; int i, length; diff --git a/crypto/openssh/openbsd-compat/glob.c b/crypto/openssh/openbsd-compat/glob.c index 7fafc8c40287..f6a04ea3f4fe 100644 --- a/crypto/openssh/openbsd-compat/glob.c +++ b/crypto/openssh/openbsd-compat/glob.c @@ -1,5 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/gen/glob.c */ - +/* $OpenBSD: glob.c,v 1.25 2005/08/08 08:05:34 espie Exp $ */ /* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. @@ -32,6 +31,8 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/gen/glob.c */ + #include "includes.h" #include @@ -50,14 +51,6 @@ get_arg_max(void) #if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \ !defined(GLOB_HAS_GL_MATCHC) -#if defined(LIBC_SCCS) && !defined(lint) -#if 0 -static char sccsid[] = "@(#)glob.c 8.3 (Berkeley) 10/13/93"; -#else -static char rcsid[] = "$OpenBSD: glob.c,v 1.22 2003/06/25 21:16:47 deraadt Exp $"; -#endif -#endif /* LIBC_SCCS and not lint */ - /* * glob(3) -- a superset of the one defined in POSIX 1003.2. * @@ -158,10 +151,8 @@ static void qprintf(const char *, Char *); #endif int -glob(pattern, flags, errfunc, pglob) - const char *pattern; - int flags, (*errfunc)(const char *, int); - glob_t *pglob; +glob(const char *pattern, int flags, int (*errfunc)(const char *, int), + glob_t *pglob) { const u_char *patnext; int c; @@ -209,9 +200,7 @@ glob(pattern, flags, errfunc, pglob) * characters */ static int -globexp1(pattern, pglob) - const Char *pattern; - glob_t *pglob; +globexp1(const Char *pattern, glob_t *pglob) { const Char* ptr = pattern; int rv; 
@@ -234,10 +223,7 @@ globexp1(pattern, pglob) * If it fails then it tries to glob the rest of the pattern and returns. */ static int -globexp2(ptr, pattern, pglob, rv) - const Char *ptr, *pattern; - glob_t *pglob; - int *rv; +globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv) { int i; Char *lm, *ls; @@ -342,11 +328,7 @@ globexp2(ptr, pattern, pglob, rv) * expand tilde from the passwd file. */ static const Char * -globtilde(pattern, patbuf, patbuf_len, pglob) - const Char *pattern; - Char *patbuf; - size_t patbuf_len; - glob_t *pglob; +globtilde(const Char *pattern, Char *patbuf, size_t patbuf_len, glob_t *pglob) { struct passwd *pwd; char *h; @@ -414,9 +396,7 @@ globtilde(pattern, patbuf, patbuf_len, pglob) * to find no matches. */ static int -glob0(pattern, pglob) - const Char *pattern; - glob_t *pglob; +glob0(const Char *pattern, glob_t *pglob) { const Char *qpatnext; int c, err, oldpathc; @@ -503,17 +483,13 @@ glob0(pattern, pglob) } static int -compare(p, q) - const void *p, *q; +compare(const void *p, const void *q) { return(strcmp(*(char **)p, *(char **)q)); } static int -glob1(pattern, pattern_last, pglob, limitp) - Char *pattern, *pattern_last; - glob_t *pglob; - size_t *limitp; +glob1(Char *pattern, Char *pattern_last, glob_t *pglob, size_t *limitp) { Char pathbuf[MAXPATHLEN]; @@ -531,12 +507,8 @@ glob1(pattern, pattern_last, pglob, limitp) * meta characters. */ static int -glob2(pathbuf, pathbuf_last, pathend, pathend_last, pattern, - pattern_last, pglob, limitp) - Char *pathbuf, *pathbuf_last, *pathend, *pathend_last; - Char *pattern, *pattern_last; - glob_t *pglob; - size_t *limitp; +glob2(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last, + Char *pattern, Char *pattern_last, glob_t *pglob, size_t *limitp) { struct stat sb; Char *p, *q; 
@@ -595,14 +567,11 @@ glob2(pathbuf, pathbuf_last, pathend, pathend_last, pattern, } static int -glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last, - restpattern, restpattern_last, pglob, limitp) - Char *pathbuf, *pathbuf_last, *pathend, *pathend_last; - Char *pattern, *pattern_last, *restpattern, *restpattern_last; - glob_t *pglob; - size_t *limitp; +glob3(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last, + Char *pattern, Char *pattern_last, Char *restpattern, + Char *restpattern_last, glob_t *pglob, size_t *limitp) { - register struct dirent *dp; + struct dirent *dp; DIR *dirp; int err; char buf[MAXPATHLEN]; @@ -640,8 +609,8 @@ glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last, else readdirfunc = (struct dirent *(*)(void *))readdir; while ((dp = (*readdirfunc)(dirp))) { - register u_char *sc; - register Char *dc; + u_char *sc; + Char *dc; /* Initial DOT must be matched literally. */ if (dp->d_name[0] == DOT && *pattern != DOT) @@ -689,13 +658,10 @@ glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last, * gl_pathv points to (gl_offs + gl_pathc + 1) items. */ static int -globextend(path, pglob, limitp) - const Char *path; - glob_t *pglob; - size_t *limitp; +globextend(const Char *path, glob_t *pglob, size_t *limitp) { - register char **pathv; - register int i; + char **pathv; + int i; u_int newsize, len; char *copy; const Char *p; @@ -747,8 +713,7 @@ globextend(path, pglob, limitp) * pattern causes a recursion level. */ static int -match(name, pat, patend) - register Char *name, *pat, *patend; +match(Char *name, Char *pat, Char *patend) { int ok, negate_range; Char c, k; @@ -759,11 +724,10 @@ match(name, pat, patend) case M_ALL: if (pat == patend) return(1); - do + do { if (match(name, pat, patend)) return(1); - while (*name++ != EOS) - ; + } while (*name++ != EOS); return(0); case M_ONE: if (*name++ == EOS) 
@@ -796,11 +760,10 @@ match(name, pat, patend) /* Free allocated data belonging to a glob_t structure. */ void -globfree(pglob) - glob_t *pglob; +globfree(glob_t *pglob) { - register int i; - register char **pp; + int i; + char **pp; if (pglob->gl_pathv != NULL) { pp = pglob->gl_pathv + pglob->gl_offs; @@ -813,9 +776,7 @@ globfree(pglob) } static DIR * -g_opendir(str, pglob) - register Char *str; - glob_t *pglob; +g_opendir(Char *str, glob_t *pglob) { char buf[MAXPATHLEN]; @@ -833,10 +794,7 @@ g_opendir(str, pglob) } static int -g_lstat(fn, sb, pglob) - register Char *fn; - struct stat *sb; - glob_t *pglob; +g_lstat(Char *fn, struct stat *sb, glob_t *pglob) { char buf[MAXPATHLEN]; @@ -848,10 +806,7 @@ g_lstat(fn, sb, pglob) } static int -g_stat(fn, sb, pglob) - register Char *fn; - struct stat *sb; - glob_t *pglob; +g_stat(Char *fn, struct stat *sb, glob_t *pglob) { char buf[MAXPATHLEN]; @@ -863,9 +818,7 @@ g_stat(fn, sb, pglob) } static Char * -g_strchr(str, ch) - Char *str; - int ch; +g_strchr(Char *str, int ch) { do { if (*str == ch) @@ -875,10 +828,7 @@ g_strchr(str, ch) } static int -g_Ctoc(str, buf, len) - register const Char *str; - char *buf; - u_int len; +g_Ctoc(const Char *str, char *buf, u_int len) { while (len--) { @@ -890,11 +840,9 @@ g_Ctoc(str, buf, len) #ifdef DEBUG static void -qprintf(str, s) - const char *str; - register Char *s; +qprintf(const char *str, Char *s) { - register Char *p; + Char *p; (void)printf("%s:\n", str); for (p = s; *p; p++) diff --git a/crypto/openssh/openbsd-compat/glob.h b/crypto/openssh/openbsd-compat/glob.h index 3428b201352e..4fdbfc1eabd8 100644 --- a/crypto/openssh/openbsd-compat/glob.h +++ b/crypto/openssh/openbsd-compat/glob.h @@ -1,6 +1,4 @@ -/* OPENBSD ORIGINAL: include/glob.h */ - -/* $OpenBSD: glob.h,v 1.8 2003/06/02 19:34:12 millert Exp $ */ +/* $OpenBSD: glob.h,v 1.9 2004/10/07 16:56:11 millert Exp $ */ /* $NetBSD: glob.h,v 1.5 1994/10/26 00:55:56 cgd Exp $ */ /* 
@@ -37,6 +35,8 @@ * @(#)glob.h 8.1 (Berkeley) 6/2/93 */ +/* OPENBSD ORIGINAL: include/glob.h */ + #if !defined(HAVE_GLOB_H) || !defined(GLOB_HAS_ALTDIRFUNC) || \ !defined(GLOB_HAS_GL_MATCHC) @@ -72,6 +72,7 @@ typedef struct { #define GLOB_MARK 0x0008 /* Append / to matching directories. */ #define GLOB_NOCHECK 0x0010 /* Return pattern itself if nothing matches. */ #define GLOB_NOSORT 0x0020 /* Don't sort. */ +#define GLOB_NOESCAPE 0x1000 /* Disable backslash escaping. */ #define GLOB_ALTDIRFUNC 0x0040 /* Use alternately specified directory funcs. */ #define GLOB_BRACE 0x0080 /* Expand braces ala csh. */ @@ -79,7 +80,6 @@ typedef struct { #define GLOB_NOMAGIC 0x0200 /* GLOB_NOCHECK without magic chars (csh). */ #define GLOB_QUOTE 0x0400 /* Quote special chars with \. */ #define GLOB_TILDE 0x0800 /* Expand tilde names from the passwd file. */ -#define GLOB_NOESCAPE 0x1000 /* Disable backslash escaping. */ #define GLOB_LIMIT 0x2000 /* Limit pattern match output to ARG_MAX */ /* Error values returned by glob(3) */ diff --git a/crypto/openssh/openbsd-compat/inet_aton.c b/crypto/openssh/openbsd-compat/inet_aton.c index c141bcc68a4a..130597e147c7 100644 --- a/crypto/openssh/openbsd-compat/inet_aton.c +++ b/crypto/openssh/openbsd-compat/inet_aton.c @@ -1,6 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/net/inet_addr.c */ - -/* $OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $ */ +/* $OpenBSD: inet_addr.c,v 1.9 2005/08/06 20:30:03 espie Exp $ */ /* * Copyright (c) 1983, 1990, 1993 
@@ -51,19 +49,12 @@ * --Copyright-- */ +/* OPENBSD ORIGINAL: lib/libc/net/inet_addr.c */ + #include "includes.h" #if !defined(HAVE_INET_ATON) -#if defined(LIBC_SCCS) && !defined(lint) -#if 0 -static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93"; -static char rcsid[] = "$From: inet_addr.c,v 8.5 1996/08/05 08:31:35 vixie Exp $"; -#else -static char rcsid[] = "$OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $"; -#endif -#endif /* LIBC_SCCS and not lint */ - #include #include #include @@ -76,8 +67,7 @@ static char rcsid[] = "$OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert E * The value returned is in network order. */ in_addr_t -inet_addr(cp) - register const char *cp; +inet_addr(const char *cp) { struct in_addr val; @@ -97,11 +87,11 @@ inet_addr(cp) int inet_aton(const char *cp, struct in_addr *addr) { - register u_int32_t val; - register int base, n; - register char c; - unsigned int parts[4]; - register unsigned int *pp = parts; + u_int32_t val; + int base, n; + char c; + u_int parts[4]; + u_int *pp = parts; c = *cp; for (;;) { diff --git a/crypto/openssh/openbsd-compat/inet_ntoa.c b/crypto/openssh/openbsd-compat/inet_ntoa.c index dc010dc53f8a..0eb7b3bd76c4 100644 --- a/crypto/openssh/openbsd-compat/inet_ntoa.c +++ b/crypto/openssh/openbsd-compat/inet_ntoa.c @@ -1,5 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/net/inet_ntoa.c */ - +/* $OpenBSD: inet_ntoa.c,v 1.6 2005/08/06 20:30:03 espie Exp $ */ /* * Copyright (c) 1983, 1993 * The Regents of the University of California. All rights reserved. @@ -29,14 +28,12 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/net/inet_ntoa.c */ + #include "includes.h" #if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA) -#if defined(LIBC_SCCS) && !defined(lint) -static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ - /* * Convert network-format internet address * to base 256 d.d.d.d representation. 
@@ -46,10 +43,11 @@ static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert E #include #include -char *inet_ntoa(struct in_addr in) +char * +inet_ntoa(struct in_addr in) { static char b[18]; - register char *p; + char *p; p = (char *)∈ #define UC(b) (((int)b)&0xff) diff --git a/crypto/openssh/openbsd-compat/inet_ntop.c b/crypto/openssh/openbsd-compat/inet_ntop.c index 47796c37032d..e7ca4b7f8beb 100644 --- a/crypto/openssh/openbsd-compat/inet_ntop.c +++ b/crypto/openssh/openbsd-compat/inet_ntop.c @@ -1,6 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/net/inet_ntop.c */ - -/* $OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $ */ +/* $OpenBSD: inet_ntop.c,v 1.7 2005/08/06 20:30:03 espie Exp $ */ /* Copyright (c) 1996 by Internet Software Consortium. * @@ -18,18 +16,12 @@ * SOFTWARE. */ +/* OPENBSD ORIGINAL: lib/libc/net/inet_ntop.c */ + #include "includes.h" #ifndef HAVE_INET_NTOP -#if defined(LIBC_SCCS) && !defined(lint) -#if 0 -static char rcsid[] = "$From: inet_ntop.c,v 8.7 1996/08/05 08:41:18 vixie Exp $"; -#else -static char rcsid[] = "$OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $"; -#endif -#endif /* LIBC_SCCS and not lint */ - #include #include #include @@ -65,11 +57,7 @@ static const char *inet_ntop6(const u_char *src, char *dst, size_t size); * Paul Vixie, 1996. */ const char * -inet_ntop(af, src, dst, size) - int af; - const void *src; - char *dst; - size_t size; +inet_ntop(int af, const void *src, char *dst, size_t size) { switch (af) { case AF_INET: @@ -95,10 +83,7 @@ inet_ntop(af, src, dst, size) * Paul Vixie, 1996. */ static const char * -inet_ntop4(src, dst, size) - const u_char *src; - char *dst; - size_t size; +inet_ntop4(const u_char *src, char *dst, size_t size) { static const char fmt[] = "%u.%u.%u.%u"; char tmp[sizeof "255.255.255.255"]; 
@@ -120,10 +105,7 @@ inet_ntop4(src, dst, size) * Paul Vixie, 1996. */ static const char * -inet_ntop6(src, dst, size) - const u_char *src; - char *dst; - size_t size; +inet_ntop6(const u_char *src, char *dst, size_t size) { /* * Note that int32_t and int16_t need only be "at least" large enough diff --git a/crypto/openssh/openbsd-compat/mktemp.c b/crypto/openssh/openbsd-compat/mktemp.c index 969f69580641..88e04c5200bc 100644 --- a/crypto/openssh/openbsd-compat/mktemp.c +++ b/crypto/openssh/openbsd-compat/mktemp.c @@ -1,8 +1,7 @@ -/* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */ - /* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */ /* Changes: Removed mktemp */ +/* $OpenBSD: mktemp.c,v 1.19 2005/08/08 08:05:36 espie Exp $ */ /* * Copyright (c) 1987, 1993 * The Regents of the University of California. All rights reserved. @@ -32,20 +31,16 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */ + #include "includes.h" #if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP) -#if defined(LIBC_SCCS) && !defined(lint) -static char rcsid[] = "$OpenBSD: mktemp.c,v 1.17 2003/06/02 20:18:37 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ - static int _gettemp(char *, int *, int, int); int -mkstemps(path, slen) - char *path; - int slen; +mkstemps(char *path, int slen) { int fd; @@ -53,8 +48,7 @@ mkstemps(path, slen) } int -mkstemp(path) - char *path; +mkstemp(char *path) { int fd; @@ -62,8 +56,7 @@ mkstemp(path) } char * -mkdtemp(path) - char *path; +mkdtemp(char *path) { return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL); } diff --git a/crypto/openssh/openbsd-compat/openbsd-compat.h b/crypto/openssh/openbsd-compat/openbsd-compat.h index ba68bc27e764..1a3027353959 100644 --- a/crypto/openssh/openbsd-compat/openbsd-compat.h +++ b/crypto/openssh/openbsd-compat/openbsd-compat.h 
@@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.30 2005/08/26 20:15:20 tim Exp $ */ +/* $Id: openbsd-compat.h,v 1.33 2005/12/31 05:33:37 djm Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -142,6 +142,10 @@ unsigned int arc4random(void); void arc4random_stir(void); #endif /* !HAVE_ARC4RANDOM */ +#ifndef HAVE_ASPRINTF +int asprintf(char **, const char *, ...); +#endif + #ifndef HAVE_OPENPTY int openpty(int *, int *, char *, struct termios *, struct winsize *); #endif /* HAVE_OPENPTY */ @@ -152,10 +156,18 @@ int openpty(int *, int *, char *, struct termios *, struct winsize *); int snprintf(char *, size_t, const char *, ...); #endif +#ifndef HAVE_STRTOLL +long long strtoll(const char *, char **, int); +#endif + #ifndef HAVE_STRTONUM long long strtonum(const char *, long long, long long, const char **); #endif +#ifndef HAVE_VASPRINTF +int vasprintf(char **, const char *, va_list); +#endif + #ifndef HAVE_VSNPRINTF int vsnprintf(char *, size_t, const char *, va_list); #endif @@ -174,5 +186,6 @@ char *shadow_pw(struct passwd *pw); #include "port-irix.h" #include "port-aix.h" #include "port-uw.h" +#include "port-tun.h" #endif /* _OPENBSD_COMPAT_H */ diff --git a/crypto/openssh/openbsd-compat/openssl-compat.h b/crypto/openssh/openbsd-compat/openssl-compat.h index d9b2fa55ff8d..8a015ec438bb 100644 --- a/crypto/openssh/openbsd-compat/openssl-compat.h +++ b/crypto/openssh/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.1 2005/06/09 11:45:11 dtucker Exp $ */ +/* $Id: openssl-compat.h,v 1.3 2005/12/19 06:40:40 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker 
@@ -24,7 +24,11 @@ # define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) #endif -#if OPENSSL_VERSION_NUMBER < 0x00907000L +#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES) +# define USE_BUILTIN_RIJNDAEL +#endif + +#ifdef USE_BUILTIN_RIJNDAEL # define EVP_aes_128_cbc evp_rijndael # define EVP_aes_192_cbc evp_rijndael # define EVP_aes_256_cbc evp_rijndael @@ -43,7 +47,12 @@ extern const EVP_CIPHER *evp_acss(void); #endif /* - * insert comment here + * We overload some of the OpenSSL crypto functions with ssh_* equivalents + * which cater for older and/or less featureful OpenSSL version. + * + * In order for the compat library to call the real functions, it must + * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and + * implement the ssh_* equivalents. */ #ifdef SSH_OLD_EVP diff --git a/crypto/openssh/openbsd-compat/port-tun.c b/crypto/openssh/openbsd-compat/port-tun.c new file mode 100644 index 000000000000..31921615fac0 --- /dev/null +++ b/crypto/openssh/openbsd-compat/port-tun.c 
@@ -0,0 +1,252 @@ +/* + * Copyright (c) 2005 Reyk Floeter + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#include "log.h" +#include "misc.h" +#include "bufaux.h" + +/* + * This is the portable version of the SSH tunnel forwarding, it + * uses some preprocessor definitions for various platform-specific + * settings. 
+ * + * SSH_TUN_LINUX Use the (newer) Linux tun/tap device + * SSH_TUN_COMPAT_AF Translate the OpenBSD address family + * SSH_TUN_PREPEND_AF Prepend/remove the address family + */ + +/* + * System-specific tunnel open function + */ + +#if defined(SSH_TUN_LINUX) +#include +#include + +int +sys_tun_open(int tun, int mode) +{ + struct ifreq ifr; + int fd = -1; + const char *name = NULL; + + if ((fd = open("/dev/net/tun", O_RDWR)) == -1) { + debug("%s: failed to open tunnel control interface: %s", + __func__, strerror(errno)); + return (-1); + } + + bzero(&ifr, sizeof(ifr)); + + if (mode == SSH_TUNMODE_ETHERNET) { + ifr.ifr_flags = IFF_TAP; + name = "tap%d"; + } else { + ifr.ifr_flags = IFF_TUN; + name = "tun%d"; + } + ifr.ifr_flags |= IFF_NO_PI; + + if (tun != SSH_TUNID_ANY) { + if (tun > SSH_TUNID_MAX) { + debug("%s: invalid tunnel id %x: %s", __func__, + tun, strerror(errno)); + goto failed; + } + snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), name, tun); + } + + if (ioctl(fd, TUNSETIFF, &ifr) == -1) { + debug("%s: failed to configure tunnel (mode %d): %s", __func__, + mode, strerror(errno)); + goto failed; + } + + if (tun == SSH_TUNID_ANY) + debug("%s: tunnel mode %d fd %d", __func__, mode, fd); + else + debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd); + + return (fd); + + failed: + close(fd); + return (-1); +} +#endif /* SSH_TUN_LINUX */ + +#ifdef SSH_TUN_FREEBSD +#include +#include +#include + +int +sys_tun_open(int tun, int mode) +{ + struct ifreq ifr; + char name[100]; + int fd = -1, sock, flag; + const char *tunbase = "tun"; + + if (mode == SSH_TUNMODE_ETHERNET) { +#ifdef SSH_TUN_NO_L2 + debug("%s: no layer 2 tunnelling support", __func__); + return (-1); +#else + tunbase = "tap"; +#endif + } + + /* Open the tunnel device */ + if (tun <= SSH_TUNID_MAX) { + snprintf(name, sizeof(name), "/dev/%s%d", tunbase, tun); + fd = open(name, O_RDWR); + } else if (tun == SSH_TUNID_ANY) { + for (tun = 100; tun >= 0; tun--) { + snprintf(name, sizeof(name), 
"/dev/%s%d", + tunbase, tun); + if ((fd = open(name, O_RDWR)) >= 0) + break; + } + } else { + debug("%s: invalid tunnel %u\n", __func__, tun); + return (-1); + } + + if (fd < 0) { + debug("%s: %s open failed: %s", __func__, name, + strerror(errno)); + return (-1); + } + + /* Turn on tunnel headers */ + flag = 1; +#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF) + if (mode != SSH_TUNMODE_ETHERNET && + ioctl(fd, TUNSIFHEAD, &flag) == -1) { + debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd, + strerror(errno)); + close(fd); + } +#endif + + debug("%s: %s mode %d fd %d", __func__, name, mode, fd); + + /* Set the tunnel device operation mode */ + snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d", tunbase, tun); + if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) + goto failed; + + if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) + goto failed; + ifr.ifr_flags |= IFF_UP; + if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) + goto failed; + + close(sock); + return (fd); + + failed: + if (fd >= 0) + close(fd); + if (sock >= 0) + close(sock); + debug("%s: failed to set %s mode %d: %s", __func__, name, + mode, strerror(errno)); + return (-1); +} +#endif /* SSH_TUN_FREEBSD */ + +/* + * System-specific channel filters + */ + +#if defined(SSH_TUN_FILTER) +#define OPENBSD_AF_INET 2 +#define OPENBSD_AF_INET6 24 + +int +sys_tun_infilter(struct Channel *c, char *buf, int len) +{ +#if defined(SSH_TUN_PREPEND_AF) + char rbuf[CHAN_RBUF]; + struct ip *iph; +#endif + u_int32_t *af; + char *ptr = buf; + +#if defined(SSH_TUN_PREPEND_AF) + if (len <= 0 || len > (int)(sizeof(rbuf) - sizeof(*af))) + return (-1); + ptr = (char *)&rbuf[0]; + bcopy(buf, ptr + sizeof(u_int32_t), len); + len += sizeof(u_int32_t); + af = (u_int32_t *)ptr; + + iph = (struct ip *)(ptr + sizeof(u_int32_t)); + switch (iph->ip_v) { + case 6: + *af = AF_INET6; + break; + case 4: + default: + *af = AF_INET; + break; + } +#endif + +#if defined(SSH_TUN_COMPAT_AF) + if (len < (int)sizeof(u_int32_t)) + return (-1); + + af 
= (u_int32_t *)ptr; + if (*af == htonl(AF_INET6)) + *af = htonl(OPENBSD_AF_INET6); + else + *af = htonl(OPENBSD_AF_INET); +#endif + + buffer_put_string(&c->input, ptr, len); + return (0); +} + +u_char * +sys_tun_outfilter(struct Channel *c, u_char **data, u_int *dlen) +{ + u_char *buf; + u_int32_t *af; + + *data = buffer_get_string(&c->output, dlen); + if (*dlen < sizeof(*af)) + return (NULL); + buf = *data; + +#if defined(SSH_TUN_PREPEND_AF) + *dlen -= sizeof(u_int32_t); + buf = *data + sizeof(u_int32_t); +#elif defined(SSH_TUN_COMPAT_AF) + af = ntohl(*(u_int32_t *)buf); + if (*af == OPENBSD_AF_INET6) + *af = htonl(AF_INET6); + else + *af = htonl(AF_INET); +#endif + + return (buf); +} +#endif /* SSH_TUN_FILTER */ diff --git a/crypto/openssh/openbsd-compat/port-tun.h b/crypto/openssh/openbsd-compat/port-tun.h new file mode 100644 index 000000000000..86d9272b4e7f --- /dev/null +++ b/crypto/openssh/openbsd-compat/port-tun.h 
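Review bot: In sys_tun_outfilter the SSH_TUN_COMPAT_AF branch assigns an integer to a pointer: `af = ntohl(*(u_int32_t *)buf);` stores the host-order address family into `af`, which is declared `u_int32_t *`, and the following `*af == OPENBSD_AF_INET6` / `*af = htonl(...)` then dereference that value as an address, so this branch cannot work on any platform that defines SSH_TUN_COMPAT_AF. It should read `af = (u_int32_t *)buf;` followed by `if (*af == htonl(OPENBSD_AF_INET6))`, mirroring the network-order comparison sys_tun_infilter already uses. In the FreeBSD sys_tun_open, the TUNSIFHEAD failure path calls `close(fd)` but then falls through to the SIOCGIFFLAGS/SIOCSIFFLAGS ioctls and returns the closed descriptor; it needs a `return (-1);` after the close. Both id checks, `tun > SSH_TUNID_MAX` on Linux and `tun <= SSH_TUNID_MAX` on FreeBSD, let a negative `tun` through (the parameter is a signed int) unless the caller rejects it first, so a `tun < 0` check before formatting the device name would be prudent.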
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2005 Reyk Floeter
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _PORT_TUN_H
+#define _PORT_TUN_H
+
+#include "channels.h"
+
+#if defined(SSH_TUN_LINUX) || defined(SSH_TUN_FREEBSD)
+# define CUSTOM_SYS_TUN_OPEN
+int sys_tun_open(int, int);
+#endif
+
+#if defined(SSH_TUN_COMPAT_AF) || defined(SSH_TUN_PREPEND_AF)
+# define SSH_TUN_FILTER
+int sys_tun_infilter(struct Channel *, char *, int);
+u_char *sys_tun_outfilter(struct Channel *, u_char **, u_int *);
+#endif
+
+#endif
diff --git a/crypto/openssh/openbsd-compat/port-uw.c b/crypto/openssh/openbsd-compat/port-uw.c
index d881ff028ddd..c644271218a8 100644
--- a/crypto/openssh/openbsd-compat/port-uw.c
+++ b/crypto/openssh/openbsd-compat/port-uw.c
@@ -25,7 +25,7 @@
 #include "includes.h"
-#if defined(HAVE_LIBIAF) && !defined(BROKEN_LIBIAF)
+#ifdef HAVE_LIBIAF
 #ifdef HAVE_CRYPT_H
 #include 
 #endif
@@ -42,7 +42,6 @@ int
 sys_auth_passwd(Authctxt *authctxt, const char *password)
 {
 	struct passwd *pw = authctxt->pw;
-	char *encrypted_password;
 	char *salt;
 	int result;
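Review bot: `#include "channels.h"` in port-tun.h is needed only so the two filter prototypes can name `struct Channel *`; a forward declaration, `struct Channel;`, would do the same job without pulling channels.h and everything it includes into every translation unit that reaches this header through openbsd-compat.h. port-tun.c would then presumably need to include channels.h itself for the SSH_TUNMODE_*/SSH_TUNID_* constants and CHAN_RBUF it uses, which is the more honest dependency.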
@@ -55,21 +54,24 @@ sys_auth_passwd(Authctxt *authctxt, const char *password) /* Encrypt the candidate password using the proper salt. */ salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx"; -#ifdef UNIXWARE_LONG_PASSWORDS - if (!nischeck(pw->pw_name)) - encrypted_password = bigcrypt(password, salt); - else -#endif /* UNIXWARE_LONG_PASSWORDS */ - encrypted_password = xcrypt(password, salt); /* * Authentication is accepted if the encrypted passwords * are identical. */ - result = (strcmp(encrypted_password, pw_password) == 0); +#ifdef UNIXWARE_LONG_PASSWORDS + if (!nischeck(pw->pw_name)) { + result = ((strcmp(bigcrypt(password, salt), pw_password) == 0) + || (strcmp(osr5bigcrypt(password, salt), pw_password) == 0)); + } + else +#endif /* UNIXWARE_LONG_PASSWORDS */ + result = (strcmp(xcrypt(password, salt), pw_password) == 0); +#if !defined(BROKEN_LIBIAF) if (authctxt->valid) free(pw_password); +#endif return(result); } @@ -114,6 +116,7 @@ nischeck(char *namep) functions that call shadow_pw() will need to free */ +#if !defined(BROKEN_LIBIAF) char * get_iaf_password(struct passwd *pw) { @@ -130,5 +133,6 @@ get_iaf_password(struct passwd *pw) else fatal("ia_openinfo: Unable to open the shadow passwd file"); } -#endif /* HAVE_LIBIAF && !BROKEN_LIBIAF */ +#endif /* !BROKEN_LIBIAF */ +#endif /* HAVE_LIBIAF */ diff --git a/crypto/openssh/openbsd-compat/readpassphrase.c b/crypto/openssh/openbsd-compat/readpassphrase.c index eb060bdbfbc0..919c0174a906 100644 --- a/crypto/openssh/openbsd-compat/readpassphrase.c +++ b/crypto/openssh/openbsd-compat/readpassphrase.c @@ -1,6 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */ - -/* $OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $ */ +/* $OpenBSD: readpassphrase.c,v 1.18 2005/08/08 08:05:34 espie Exp $ */ /* * Copyright (c) 2000-2002 Todd C. Miller 
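Review bot: The rewritten comparisons, `result = (strcmp(xcrypt(password, salt), pw_password) == 0);` and the `bigcrypt`/`osr5bigcrypt` pair above it, pass the crypt result straight to strcmp; if any of these can return NULL, as crypt(3) does on some libcs for a rejected salt, this dereferences NULL in the middle of password authentication. Store each result in a local, test it for NULL, and treat NULL as a failed authentication before comparing. sys_auth_passwd starts outside this hunk.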
@@ -22,9 +20,7 @@ * Materiel Command, USAF, under agreement number F39502-99-1-0512. */ -#if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ +/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */ #include "includes.h" diff --git a/crypto/openssh/openbsd-compat/readpassphrase.h b/crypto/openssh/openbsd-compat/readpassphrase.h index 178edf346194..5fd7c5d77aba 100644 --- a/crypto/openssh/openbsd-compat/readpassphrase.h +++ b/crypto/openssh/openbsd-compat/readpassphrase.h 
@@ -1,34 +1,27 @@ -/* OPENBSD ORIGINAL: include/readpassphrase.h */ - -/* $OpenBSD: readpassphrase.h,v 1.3 2002/06/28 12:32:22 millert Exp $ */ +/* $OpenBSD: readpassphrase.h,v 1.5 2003/06/17 21:56:23 millert Exp $ */ /* - * Copyright (c) 2000 Todd C. Miller - * All rights reserved. + * Copyright (c) 2000, 2002 Todd C. Miller * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL - * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; - * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Sponsored in part by the Defense Advanced Research Projects + * Agency (DARPA) and Air Force Research Laboratory, Air Force + * Materiel Command, USAF, under agreement number F39502-99-1-0512. */ +/* OPENBSD ORIGINAL: include/readpassphrase.h */ + #ifndef _READPASSPHRASE_H_ #define _READPASSPHRASE_H_ diff --git a/crypto/openssh/openbsd-compat/realpath.c b/crypto/openssh/openbsd-compat/realpath.c index 8430bec24d8f..b6120d034d5d 100644 --- a/crypto/openssh/openbsd-compat/realpath.c +++ b/crypto/openssh/openbsd-compat/realpath.c @@ -1,5 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */ - +/* $OpenBSD: realpath.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */ /* * Copyright (c) 2003 Constantin S. Svintsoff * @@ -28,6 +27,8 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */ + #include "includes.h" #if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) diff --git a/crypto/openssh/openbsd-compat/rresvport.c b/crypto/openssh/openbsd-compat/rresvport.c index 75167065ca5f..71cf6e6eb4cc 100644 --- a/crypto/openssh/openbsd-compat/rresvport.c +++ b/crypto/openssh/openbsd-compat/rresvport.c @@ -1,5 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/net/rresvport.c */ - +/* $OpenBSD: rresvport.c,v 1.9 2005/11/10 10:00:17 espie Exp $ */ /* * Copyright (c) 1995, 1996, 1998 Theo de Raadt. All rights reserved. * Copyright (c) 1983, 1993, 1994 
@@ -30,26 +29,21 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/net/rresvport.c */ + #include "includes.h" #ifndef HAVE_RRESVPORT_AF -#if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: rresvport.c,v 1.6 2003/06/03 02:11:35 deraadt Exp $"; -#endif /* LIBC_SCCS and not lint */ - -#include "includes.h" - #if 0 int -rresvport(alport) - int *alport; +rresvport(int *alport) { return rresvport_af(alport, AF_INET); } #endif -int +int rresvport_af(int *alport, sa_family_t af) { struct sockaddr_storage ss; diff --git a/crypto/openssh/openbsd-compat/setenv.c b/crypto/openssh/openbsd-compat/setenv.c index c3a86c651cbc..b52a99c2ccd2 100644 --- a/crypto/openssh/openbsd-compat/setenv.c +++ b/crypto/openssh/openbsd-compat/setenv.c @@ -1,5 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */ - +/* $OpenBSD: setenv.c,v 1.9 2005/08/08 08:05:37 espie Exp $ */ /* * Copyright (c) 1987 Regents of the University of California. * All rights reserved. 
@@ -29,36 +28,31 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */ + #include "includes.h" #if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV) -#if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: setenv.c,v 1.6 2003/06/02 20:18:38 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ - #include #include -char *__findenv(const char *name, int *offset); +extern char **environ; +/* OpenSSH Portable: __findenv is from getenv.c rev 1.8, made static */ /* * __findenv -- * Returns pointer to value associated with name, if any, else NULL. * Sets offset to be the offset of the name/value combination in the * environmental array, for use by setenv(3) and unsetenv(3). * Explicitly removes '=' in argument name. - * - * This routine *should* be a static; don't use it. */ -char * -__findenv(name, offset) - register const char *name; - int *offset; +static char * +__findenv(const char *name, int *offset) { extern char **environ; - register int len, i; - register const char *np; - register char **p, *cp; + int len, i; + const char *np; + char **p, *cp; if (name == NULL || environ == NULL) return (NULL); @@ -84,14 +78,10 @@ __findenv(name, offset) * "value". If rewrite is set, replace any current value. */ int -setenv(name, value, rewrite) - register const char *name; - register const char *value; - int rewrite; +setenv(const char *name, const char *value, int rewrite) { - extern char **environ; - static int alloced; /* if allocated space before */ - register char *C; + static char **lastenv; /* last value of environ */ + char *C; int l_value, offset; if (*value == '=') /* no `=' in value */ 
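Review bot: The `extern char **environ;` that remains as the first statement of `__findenv`'s body is now redundant with the file-scope `extern char **environ;` this hunk introduces, and the same file-scope declaration is what the later `setenv` and `unsetenv` hunks rely on after their local externs are removed; drop the inner one so there is a single declaration. The new `static char **lastenv; /* last value of environ */` would benefit from a sentence on ownership, e.g. `/* array we allocated via realloc; reused only while environ still points at it */`, because the realloc in the following hunk frees whatever `lastenv` held. `__findenv`'s body continues outside the hunk.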
@@ -106,30 +96,23 @@ setenv(name, value, rewrite) return (0); } } else { /* create new slot */ - register int cnt; - register char **P; + size_t cnt; + char **P; - for (P = environ, cnt = 0; *P; ++P, ++cnt); - if (alloced) { /* just increase size */ - P = (char **)realloc((void *)environ, - (size_t)(sizeof(char *) * (cnt + 2))); - if (!P) - return (-1); - environ = P; - } - else { /* get new space */ - alloced = 1; /* copy old entries into it */ - P = (char **)malloc((size_t)(sizeof(char *) * - (cnt + 2))); - if (!P) - return (-1); - memmove(P, environ, cnt * sizeof(char *)); - environ = P; - } - environ[cnt + 1] = NULL; + for (P = environ; *P != NULL; P++) + ; + cnt = P - environ; + P = (char **)realloc(lastenv, sizeof(char *) * (cnt + 2)); + if (!P) + return (-1); + if (lastenv != environ) + memcpy(P, environ, cnt * sizeof(char *)); + lastenv = environ = P; offset = cnt; + environ[cnt + 1] = NULL; } - for (C = (char *)name; *C && *C != '='; ++C); /* no `=' in name */ + for (C = (char *)name; *C && *C != '='; ++C) + ; /* no `=' in name */ if (!(environ[offset] = /* name + `=' + value */ malloc((size_t)((int)(C - name) + l_value + 2)))) return (-1); @@ -147,15 +130,12 @@ setenv(name, value, rewrite) * Delete environmental variable "name". */ void -unsetenv(name) - const char *name; +unsetenv(const char *name) { - extern char **environ; - register char **P; + char **P; int offset; - char *__findenv(); - while (__findenv(name, &offset)) /* if set multiple times */ + while (__findenv(name, &offset)) /* if set multiple times */ for (P = &environ[offset];; ++P) if (!(*P = *(P + 1))) break; diff --git a/crypto/openssh/openbsd-compat/sigact.c b/crypto/openssh/openbsd-compat/sigact.c index 2772ac574aae..8b8e4dd2c461 100644 --- a/crypto/openssh/openbsd-compat/sigact.c +++ b/crypto/openssh/openbsd-compat/sigact.c 
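Review bot: `P = (char **)realloc(lastenv, ...)` casts an allocation result and `for (C = (char *)name; ...)` casts `const` off `name`; neither cast is needed in C and the second hides the fact that `C` is a write cursor elsewhere in `setenv` (the rest of the function is outside the hunk). Scanning with a separate const pointer, `const char *np; for (np = name; *np && *np != '='; ++np) ;` and then `malloc((size_t)(np - name) + l_value + 2)`, also removes the `(int)` narrowing of the pointer difference in the `malloc` size. Note that `realloc(lastenv, ...)` releases the previously allocated array even when the program has since pointed `environ` somewhere else; that is presumably intended (the block is ours), but a one-line comment at the `realloc` saying so would stop a future reader from treating it as a use-after-free hazard.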
@@ -1,9 +1,7 @@ -/* OPENBSD ORIGINAL: lib/libcurses/base/sigaction.c */ - -/* $OpenBSD: sigaction.c,v 1.3 1999/06/27 08:14:21 millert Exp $ */ +/* $OpenBSD: sigaction.c,v 1.4 2001/01/22 18:01:48 millert Exp $ */ /**************************************************************************** - * Copyright (c) 1998 Free Software Foundation, Inc. * + * Copyright (c) 1998,2000 Free Software Foundation, Inc. * * * * Permission is hereby granted, free of charge, to any person obtaining a * * copy of this software and associated documentation files (the * @@ -35,6 +33,8 @@ * and: Eric S. Raymond * ****************************************************************************/ +/* OPENBSD ORIGINAL: lib/libcurses/base/sigaction.c */ + #include "includes.h" #include #include "sigact.h" diff --git a/crypto/openssh/openbsd-compat/sigact.h b/crypto/openssh/openbsd-compat/sigact.h index b37c1f84a8f1..db96d0a5c58b 100644 --- a/crypto/openssh/openbsd-compat/sigact.h +++ b/crypto/openssh/openbsd-compat/sigact.h @@ -1,7 +1,7 @@ -/* $OpenBSD: SigAction.h,v 1.2 1999/06/27 08:15:19 millert Exp $ */ +/* $OpenBSD: SigAction.h,v 1.3 2001/01/22 18:01:32 millert Exp $ */ /**************************************************************************** - * Copyright (c) 1998 Free Software Foundation, Inc. * + * Copyright (c) 1998,2000 Free Software Foundation, Inc. * * * * Permission is hereby granted, free of charge, to any person obtaining a * * copy of this software and associated documentation files (the * @@ -34,12 +34,14 @@ ****************************************************************************/ /* - * $From: SigAction.h,v 1.5 1999/06/19 23:00:54 tom Exp $ + * $From: SigAction.h,v 1.6 2000/12/10 02:36:10 tom Exp $ * * This file exists to handle non-POSIX systems which don't have , * and usually no sigaction() nor */ +/* OPENBSD ORIGINAL: lib/libcurses/SigAction.h */ + #ifndef _SIGACTION_H #define _SIGACTION_H 
diff --git a/crypto/openssh/openbsd-compat/strlcat.c b/crypto/openssh/openbsd-compat/strlcat.c index 70f01cb2a6a7..bcc1b61ad885 100644 --- a/crypto/openssh/openbsd-compat/strlcat.c +++ b/crypto/openssh/openbsd-compat/strlcat.c @@ -1,6 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */ - -/* $OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $ */ +/* $OpenBSD: strlcat.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */ /* * Copyright (c) 1998 Todd C. Miller @@ -18,13 +16,11 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */ + #include "includes.h" #ifndef HAVE_STRLCAT -#if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ - #include #include @@ -38,9 +34,9 @@ static char *rcsid = "$OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp size_t strlcat(char *dst, const char *src, size_t siz) { - register char *d = dst; - register const char *s = src; - register size_t n = siz; + char *d = dst; + const char *s = src; + size_t n = siz; size_t dlen; /* Find the end of dst and adjust bytes left but don't go past end */ diff --git a/crypto/openssh/openbsd-compat/strlcpy.c b/crypto/openssh/openbsd-compat/strlcpy.c index ccfa12a0a5e0..679a5b291f58 100644 --- a/crypto/openssh/openbsd-compat/strlcpy.c +++ b/crypto/openssh/openbsd-compat/strlcpy.c @@ -1,6 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */ - -/* $OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $ */ +/* $OpenBSD: strlcpy.c,v 1.10 2005/08/08 08:05:37 espie Exp $ */ /* * Copyright (c) 1998 Todd C. Miller 
@@ -18,13 +16,11 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */ + #include "includes.h" #ifndef HAVE_STRLCPY -#if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ - #include #include @@ -36,9 +32,9 @@ static char *rcsid = "$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp size_t strlcpy(char *dst, const char *src, size_t siz) { - register char *d = dst; - register const char *s = src; - register size_t n = siz; + char *d = dst; + const char *s = src; + size_t n = siz; /* Copy as many bytes as will fit */ if (n != 0 && --n != 0) { diff --git a/crypto/openssh/openbsd-compat/strmode.c b/crypto/openssh/openbsd-compat/strmode.c index ea8d515e3874..4a816142264a 100644 --- a/crypto/openssh/openbsd-compat/strmode.c +++ b/crypto/openssh/openbsd-compat/strmode.c @@ -1,5 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/string/strmode.c */ - +/* $OpenBSD: strmode.c,v 1.7 2005/08/08 08:05:37 espie Exp $ */ /*- * Copyright (c) 1990 The Regents of the University of California. * All rights reserved. @@ -29,13 +28,11 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/string/strmode.c */ + #include "includes.h" #ifndef HAVE_STRMODE -#if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: strmode.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $"; -#endif /* LIBC_SCCS and not lint */ - #include #include #include @@ -71,11 +68,6 @@ strmode(int mode, char *p) case S_IFIFO: /* fifo */ *p++ = 'p'; break; -#endif -#ifdef S_IFWHT - case S_IFWHT: /* whiteout */ - *p++ = 'w'; - break; #endif default: /* unknown */ *p++ = '?'; diff --git a/crypto/openssh/openbsd-compat/strsep.c b/crypto/openssh/openbsd-compat/strsep.c index 330d84ce151b..b36eb8fdad70 100644 --- a/crypto/openssh/openbsd-compat/strsep.c +++ b/crypto/openssh/openbsd-compat/strsep.c 
@@ -1,6 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/string/strsep.c */ - -/* $OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $ */ +/* $OpenBSD: strsep.c,v 1.6 2005/08/08 08:05:37 espie Exp $ */ /*- * Copyright (c) 1990, 1993 @@ -31,6 +29,8 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/string/strsep.c */ + #include "includes.h" #if !defined(HAVE_STRSEP) @@ -38,14 +38,6 @@ #include #include -#if defined(LIBC_SCCS) && !defined(lint) -#if 0 -static char sccsid[] = "@(#)strsep.c 8.1 (Berkeley) 6/4/93"; -#else -static char *rcsid = "$OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $"; -#endif -#endif /* LIBC_SCCS and not lint */ - /* * Get next token from string *stringp, where tokens are possibly-empty * strings separated by characters from delim. diff --git a/crypto/openssh/openbsd-compat/strtoll.c b/crypto/openssh/openbsd-compat/strtoll.c index 60c276f8a95b..f62930388598 100644 --- a/crypto/openssh/openbsd-compat/strtoll.c +++ b/crypto/openssh/openbsd-compat/strtoll.c @@ -1,5 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */ - +/* $OpenBSD: strtoll.c,v 1.6 2005/11/10 10:00:17 espie Exp $ */ /*- * Copyright (c) 1992 The Regents of the University of California. * All rights reserved. @@ -29,13 +28,11 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */ + #include "includes.h" #ifndef HAVE_STRTOLL -#if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$OpenBSD: strtoll.c,v 1.4 2005/03/30 18:51:49 pat Exp $"; -#endif /* LIBC_SCCS and not lint */ - #include #include diff --git a/crypto/openssh/openbsd-compat/strtonum.c b/crypto/openssh/openbsd-compat/strtonum.c index b681ed83ba72..8ad0d0058bbf 100644 --- a/crypto/openssh/openbsd-compat/strtonum.c +++ b/crypto/openssh/openbsd-compat/strtonum.c @@ -1,5 +1,3 @@ -/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */ - /* $OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $ */ /* 
@@ -19,6 +17,8 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */ + #include "includes.h" #ifndef HAVE_STRTONUM #include diff --git a/crypto/openssh/openbsd-compat/strtoul.c b/crypto/openssh/openbsd-compat/strtoul.c index 24d0e253dd29..8219c8391b31 100644 --- a/crypto/openssh/openbsd-compat/strtoul.c +++ b/crypto/openssh/openbsd-compat/strtoul.c @@ -1,5 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoul.c */ - +/* $OpenBSD: strtoul.c,v 1.7 2005/08/08 08:05:37 espie Exp $ */ /* * Copyright (c) 1990 Regents of the University of California. * All rights reserved. @@ -29,13 +28,11 @@ * SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoul.c */ + #include "includes.h" #ifndef HAVE_STRTOUL -#if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: strtoul.c,v 1.5 2003/06/02 20:18:38 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ - #include #include #include @@ -48,15 +45,12 @@ static char *rcsid = "$OpenBSD: strtoul.c,v 1.5 2003/06/02 20:18:38 millert Exp * alphabets and digits are each contiguous. */ unsigned long -strtoul(nptr, endptr, base) - const char *nptr; - char **endptr; - register int base; +strtoul(const char *nptr, char **endptr, int base) { - register const char *s; - register unsigned long acc, cutoff; - register int c; - register int neg, any, cutlim; + const char *s; + unsigned long acc, cutoff; + int c; + int neg, any, cutlim; /* * See strtol for comments as to the logic used. diff --git a/crypto/openssh/openbsd-compat/sys-queue.h b/crypto/openssh/openbsd-compat/sys-queue.h index c49a9465099b..402343324f97 100644 --- a/crypto/openssh/openbsd-compat/sys-queue.h +++ b/crypto/openssh/openbsd-compat/sys-queue.h @@ -1,5 +1,3 @@ -/* OPENBSD ORIGINAL: sys/sys/queue.h */ - /* $OpenBSD: queue.h,v 1.25 2004/04/08 16:08:21 henning Exp $ */ /* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ 
@@ -34,6 +32,8 @@ * @(#)queue.h 8.5 (Berkeley) 8/20/94 */ +/* OPENBSD ORIGINAL: sys/sys/queue.h */ + #ifndef _FAKE_QUEUE_H_ #define _FAKE_QUEUE_H_ diff --git a/crypto/openssh/openbsd-compat/sys-tree.h b/crypto/openssh/openbsd-compat/sys-tree.h index 73cfbe72a661..c80b90b21e42 100644 --- a/crypto/openssh/openbsd-compat/sys-tree.h +++ b/crypto/openssh/openbsd-compat/sys-tree.h @@ -1,5 +1,3 @@ -/* OPENBSD ORIGINAL: sys/sys/tree.h */ - /* $OpenBSD: tree.h,v 1.7 2002/10/17 21:51:54 art Exp $ */ /* * Copyright 2002 Niels Provos @@ -26,6 +24,8 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +/* OPENBSD ORIGINAL: sys/sys/tree.h */ + #ifndef _SYS_TREE_H_ #define _SYS_TREE_H_ diff --git a/crypto/openssh/openbsd-compat/vis.c b/crypto/openssh/openbsd-compat/vis.c index 1fb7a01e3a95..3a087b341987 100644 --- a/crypto/openssh/openbsd-compat/vis.c +++ b/crypto/openssh/openbsd-compat/vis.c @@ -1,5 +1,4 @@ -/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */ - +/* $OpenBSD: vis.c,v 1.19 2005/09/01 17:15:49 millert Exp $ */ /*- * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. 
@@ -28,36 +27,34 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ + +/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */ + #include "includes.h" #if !defined(HAVE_STRNVIS) -#if defined(LIBC_SCCS) && !defined(lint) -static char rcsid[] = "$OpenBSD: vis.c,v 1.12 2003/06/02 20:18:35 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ - #include #include #include "vis.h" #define isoctal(c) (((u_char)(c)) >= '0' && ((u_char)(c)) <= '7') -#define isvisible(c) (((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) && \ - isgraph((u_char)(c))) || \ - ((flag & VIS_SP) == 0 && (c) == ' ') || \ - ((flag & VIS_TAB) == 0 && (c) == '\t') || \ - ((flag & VIS_NL) == 0 && (c) == '\n') || \ - ((flag & VIS_SAFE) && ((c) == '\b' || \ - (c) == '\007' || (c) == '\r' || \ - isgraph((u_char)(c))))) +#define isvisible(c) \ + (((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) && \ + (((c) != '*' && (c) != '?' && (c) != '[' && (c) != '#') || \ + (flag & VIS_GLOB) == 0) && isgraph((u_char)(c))) || \ + ((flag & VIS_SP) == 0 && (c) == ' ') || \ + ((flag & VIS_TAB) == 0 && (c) == '\t') || \ + ((flag & VIS_NL) == 0 && (c) == '\n') || \ + ((flag & VIS_SAFE) && ((c) == '\b' || \ + (c) == '\007' || (c) == '\r' || \ + isgraph((u_char)(c))))) /* * vis - visually encode characters */ char * -vis(dst, c, flag, nextc) - register char *dst; - int c, nextc; - register int flag; +vis(char *dst, int c, int flag, int nextc) { if (isvisible(c)) { *dst++ = c; @@ -111,7 +108,8 @@ vis(dst, c, flag, nextc) goto done; } } - if (((c & 0177) == ' ') || (flag & VIS_OCTAL)) { + if (((c & 0177) == ' ') || (flag & VIS_OCTAL) || + ((flag & VIS_GLOB) && (c == '*' || c == '?' || c == '[' || c == '#'))) { *dst++ = '\\'; *dst++ = ((u_char)c >> 6 & 07) + '0'; *dst++ = ((u_char)c >> 3 & 07) + '0'; @@ -124,7 +122,7 @@ vis(dst, c, flag, nextc) c &= 0177; *dst++ = 'M'; } - if (iscntrl(c)) { + if (iscntrl((u_char)c)) { *dst++ = '^'; if (c == 0177) *dst++ = '?'; 
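Review bot: The rewritten `isvisible(c)` macro still depends on a local named `flag` being in scope at the expansion site, and the rewrite extends that hidden dependency to `VIS_GLOB`; nothing in the macro text says so. A comment above it, `/* NOTE: expands using the caller's local 'flag'; only valid inside vis() */`, makes the coupling explicit. The glob character set `'*' '?' '[' '#'` is spelled out here and again in the `VIS_OCTAL` condition of the next hunk; a shared helper such as `#define isglob(c) ((c) == '*' || (c) == '?' || (c) == '[' || (c) == '#')` keeps the two lists from drifting apart.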
@@ -153,12 +151,9 @@ vis(dst, c, flag, nextc) * This is useful for encoding a block of data. */ int -strvis(dst, src, flag) - register char *dst; - register const char *src; - int flag; +strvis(char *dst, const char *src, int flag) { - register char c; + char c; char *start; for (start = dst; (c = *src);) @@ -168,16 +163,11 @@ strvis(dst, src, flag) } int -strnvis(dst, src, siz, flag) - char *dst; - const char *src; - size_t siz; - int flag; +strnvis(char *dst, const char *src, size_t siz, int flag) { - char c; char *start, *end; char tbuf[5]; - int i; + int c, i; i = 0; for (start = dst, end = start + siz - 1; (c = *src) && dst < end; ) { @@ -217,13 +207,9 @@ strnvis(dst, src, siz, flag) } int -strvisx(dst, src, len, flag) - register char *dst; - register const char *src; - register size_t len; - int flag; +strvisx(char *dst, const char *src, size_t len, int flag) { - register char c; + char c; char *start; for (start = dst; len > 1; len--) { diff --git a/crypto/openssh/openbsd-compat/vis.h b/crypto/openssh/openbsd-compat/vis.h index 663355a240f0..3898a9e70ba4 100644 --- a/crypto/openssh/openbsd-compat/vis.h +++ b/crypto/openssh/openbsd-compat/vis.h @@ -1,6 +1,4 @@ -/* OPENBSD ORIGINAL: include/vis.h */ - -/* $OpenBSD: vis.h,v 1.6 2003/06/02 19:34:12 millert Exp $ */ +/* $OpenBSD: vis.h,v 1.11 2005/08/09 19:38:31 millert Exp $ */ /* $NetBSD: vis.h,v 1.4 1994/10/26 00:56:41 cgd Exp $ */ /*- @@ -34,6 +32,8 @@ * @(#)vis.h 5.9 (Berkeley) 4/3/91 */ +/* OPENBSD ORIGINAL: include/vis.h */ + #include "includes.h" #if !defined(HAVE_STRNVIS) @@ -63,6 +63,7 @@ * other */ #define VIS_NOSLASH 0x40 /* inhibit printing '\' */ +#define VIS_GLOB 0x100 /* encode glob(3) magics and '#' */ /* * unvis return codes 
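Review bot: `strnvis` now reads bytes into `int c` while `strvis` and `strvisx` in the same hunk keep `char c`, so the three wrappers declare the same loop variable differently for no stated reason. The value reaching `vis()` is the same promoted `int` either way (sign-extended on platforms with a signed `char`), so this is a consistency issue rather than a behaviour change, but it is worth picking one form; `int c;` in all three matches `vis()`'s own `int c` parameter and the `(u_char)` casts that the `iscntrl` fix in the earlier hunk relies on. The enclosing functions are otherwise outside the hunk.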
@@ -80,10 +81,14 @@ char *vis(char *, int, int, int); int strvis(char *, const char *, int); -int strnvis(char *, const char *, size_t, int); -int strvisx(char *, const char *, size_t, int); +int strnvis(char *, const char *, size_t, int) + __attribute__ ((__bounded__(__string__,1,3))); +int strvisx(char *, const char *, size_t, int) + __attribute__ ((__bounded__(__string__,1,3))); int strunvis(char *, const char *); int unvis(char *, char, int *, int); +ssize_t strnunvis(char *, const char *, size_t) + __attribute__ ((__bounded__(__string__,1,3))); #endif /* !_VIS_H_ */ diff --git a/crypto/openssh/opensshd.init.in b/crypto/openssh/opensshd.init.in index ffa7cdac21ff..c36c5c88aed5 100755 --- a/crypto/openssh/opensshd.init.in +++ b/crypto/openssh/opensshd.init.in @@ -1,4 +1,4 @@ -#!/sbin/sh +#!@STARTUP_SCRIPT_SHELL@ # Donated code that was put under PD license. # # Stripped PRNGd out of it for the time being. diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c index 70e0110cbaf8..db2aa24119d1 100644 --- a/crypto/openssh/packet.c +++ b/crypto/openssh/packet.c @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: packet.c,v 1.119 2005/07/28 17:36:22 markus Exp $"); +RCSID("$OpenBSD: packet.c,v 1.120 2005/10/30 08:52:17 djm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -572,7 +572,7 @@ packet_send1(void) buffer_clear(&outgoing_packet); /* - * Note that the packet is now only buffered in output. It won\'t be + * Note that the packet is now only buffered in output. It won't be * actually sent until packet_write_wait or packet_write_poll is * called. */ diff --git a/crypto/openssh/progressmeter.c b/crypto/openssh/progressmeter.c index 3cda090616f1..13c51d87ef70 100644 --- a/crypto/openssh/progressmeter.c +++ b/crypto/openssh/progressmeter.c 
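Review bot: `__attribute__ ((__bounded__(__string__,1,3)))` is an OpenBSD gcc extension, so this header compiles on other toolchains only if `includes.h` or `defines.h` already defines `__bounded__` away; that definition is not visible in this diff and should be confirmed for the portable build. The new `strnunvis` prototype has no matching definition in any of the `vis.c` hunks shown, so either it is implemented outside the visible hunks or the header now declares a function the compat library does not provide; if the latter, either add the implementation or mark it `/* strnunvis: declared for OpenBSD parity, not implemented in openbsd-compat */` so callers do not rely on it.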
@@ -85,8 +85,8 @@ format_rate(char *buf, int size, off_t bytes) bytes = (bytes + 512) / 1024; } snprintf(buf, size, "%3lld.%1lld%c%s", - (int64_t) (bytes + 5) / 100, - (int64_t) (bytes + 5) / 10 % 10, + (long long) (bytes + 5) / 100, + (long long) (bytes + 5) / 10 % 10, unit[i], i ? "B" : " "); } @@ -99,7 +99,7 @@ format_size(char *buf, int size, off_t bytes) for (i = 0; bytes >= 10000 && unit[i] != 'T'; i++) bytes = (bytes + 512) / 1024; snprintf(buf, size, "%4lld%c%s", - (int64_t) bytes, + (long long) bytes, unit[i], i ? "B" : " "); } diff --git a/crypto/openssh/regress/README.regress b/crypto/openssh/regress/README.regress index 0c07c9cf1ba5..5aaf734bde92 100644 --- a/crypto/openssh/regress/README.regress +++ b/crypto/openssh/regress/README.regress @@ -97,8 +97,12 @@ Known Issues. unless ssh-rand-helper is in pre-installed (the path to ssh-rand-helper is hard coded). +- Similarly, if you do not have "scp" in your system's $PATH then the + multiplex scp tests will fail (since the system's shell startup scripts + will determine where the shell started by sshd will look for scp). + - Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head test to fail. The old behaviour can be restored by setting (and exporting) _POSIX2_VERSION=199209 before running the tests. -$Id: README.regress,v 1.9 2004/08/17 12:31:33 dtucker Exp $ +$Id: README.regress,v 1.10 2005/10/03 10:14:18 dtucker Exp $ diff --git a/crypto/openssh/regress/agent-getpeereid.sh b/crypto/openssh/regress/agent-getpeereid.sh index 46d20dc2b587..6186a8d489e9 100644 --- a/crypto/openssh/regress/agent-getpeereid.sh +++ b/crypto/openssh/regress/agent-getpeereid.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-getpeereid.sh,v 1.1 2002/12/09 16:05:02 markus Exp $ +# $OpenBSD: agent-getpeereid.sh,v 1.2 2005/11/14 21:25:56 grunk Exp $ # Placed in the Public Domain. tid="disallow agent attach from other uid" 
@@ -27,7 +27,7 @@ else fail "ssh-add failed with $r != 1" fi - < /dev/null sudo -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1 + < /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1 r=$? if [ $r -lt 2 ]; then fail "ssh-add did not fail for ${UNPRIV}: $r < 2" diff --git a/crypto/openssh/regress/forwarding.sh b/crypto/openssh/regress/forwarding.sh index dfe065dd65f1..3b171144fb03 100644 --- a/crypto/openssh/regress/forwarding.sh +++ b/crypto/openssh/regress/forwarding.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forwarding.sh,v 1.4 2002/03/15 13:08:56 markus Exp $ +# $OpenBSD: forwarding.sh,v 1.5 2005/03/10 10:20:39 dtucker Exp $ # Placed in the Public Domain. tid="local and remote forwarding" @@ -32,3 +32,34 @@ for p in 1 2; do sleep 10 done + +for p in 1 2; do + trace "simple clear forwarding proto $p" + ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true + + trace "clear local forward proto $p" + ${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \ + -oClearAllForwardings=yes somehost sleep 10 + if [ $? != 0 ]; then + fail "connection failed with cleared local forwarding" + else + # this one should fail + ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ + 2>${TEST_SSH_LOGFILE} && \ + fail "local forwarding not cleared" + fi + sleep 10 + + trace "clear remote forward proto $p" + ${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \ + -oClearAllForwardings=yes somehost sleep 10 + if [ $? != 0 ]; then + fail "connection failed with cleared remote forwarding" + else + # this one should fail + ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ + 2>${TEST_SSH_LOGFILE} && \ + fail "remote forwarding not cleared" + fi + sleep 10 +done diff --git a/crypto/openssh/regress/multiplex.sh b/crypto/openssh/regress/multiplex.sh index a172e579052d..4fba7b5accd0 100644 --- a/crypto/openssh/regress/multiplex.sh +++ b/crypto/openssh/regress/multiplex.sh 
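Review bot: `< /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l` silently passes when `SUDO` is unset: the command line collapses to `-S -u ...`, the shell fails with status 127, and since `127 -lt 2` is false the `fail` branch is skipped, so the test reports success without ever running `ssh-add` as another uid. Guard it up front, e.g. `if [ -z "$SUDO" ]; then echo "skipped: SUDO not set"; exit 0; fi` (or whatever the harness uses for a skip), so that the switch from the literal `sudo` to `${SUDO}` cannot turn a missing prerequisite into a green result.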
@@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.10 2005/02/27 11:33:30 dtucker Exp $ +# $OpenBSD: multiplex.sh,v 1.11 2005/04/25 09:54:09 dtucker Exp $ # Placed in the Public Domain. CTL=/tmp/openssh.regress.ctl-sock.$$ diff --git a/crypto/openssh/regress/reconfigure.sh b/crypto/openssh/regress/reconfigure.sh index ba6dbc6f5079..1daf29f9a6e8 100644 --- a/crypto/openssh/regress/reconfigure.sh +++ b/crypto/openssh/regress/reconfigure.sh @@ -15,8 +15,9 @@ esac start_sshd -$SUDO kill -HUP `cat $PIDFILE` -sleep 1 +PID=`cat $PIDFILE` +rm -f $PIDFILE +$SUDO kill -HUP $PID trace "wait for sshd to restart" i=0; diff --git a/crypto/openssh/regress/scp-ssh-wrapper.sh b/crypto/openssh/regress/scp-ssh-wrapper.sh index 8e4314773119..d1005a995a17 100644 --- a/crypto/openssh/regress/scp-ssh-wrapper.sh +++ b/crypto/openssh/regress/scp-ssh-wrapper.sh @@ -1,5 +1,5 @@ #!/bin/sh -# $OpenBSD: scp-ssh-wrapper.sh,v 1.1 2004/06/13 13:51:02 dtucker Exp $ +# $OpenBSD: scp-ssh-wrapper.sh,v 1.2 2005/12/14 04:36:39 dtucker Exp $ # Placed in the Public Domain. printname () { @@ -16,8 +16,11 @@ printname () { done } -# discard first 5 args -shift; shift; shift; shift; shift +# Discard all but last argument. We use arg later. +while test "$1" != ""; do + arg="$1" + shift +done BAD="../../../../../../../../../../../../../${DIR}/dotpathdir" @@ -49,6 +52,6 @@ badserver_4) echo "X" ;; *) - exec $1 + exec $arg ;; esac diff --git a/crypto/openssh/regress/scp.sh b/crypto/openssh/regress/scp.sh index c3034b6e7dd5..c5d412dd9516 100644 --- a/crypto/openssh/regress/scp.sh +++ b/crypto/openssh/regress/scp.sh @@ -1,4 +1,4 @@ -# $OpenBSD: scp.sh,v 1.3 2004/07/08 12:59:35 dtucker Exp $ +# $OpenBSD: scp.sh,v 1.7 2006/01/31 10:36:33 djm Exp $ # Placed in the Public Domain. tid="scp" 
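Review bot: `PID=\`cat $PIDFILE\`` in reconfigure.sh is used without checking it is non-empty; if the pidfile is absent, `rm -f $PIDFILE` still succeeds and `$SUDO kill -HUP $PID` runs with no pid, so the "wait for sshd to restart" loop that follows will time out for an unrelated reason. A guard such as `[ -n "$PID" ] || fatal "no sshd pid in $PIDFILE"` makes the failure mode explicit. Removing the pidfile before signalling is presumably so the wait loop can detect the restarted sshd writing a fresh one; a comment `# remove pidfile so we can tell when the restarted sshd has written a new one` would record that.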
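Review bot: `while test "$1" != ""` in scp-ssh-wrapper.sh stops at the first empty argument rather than the last argument, so an empty word anywhere in the list leaves `$arg` pointing at the wrong thing; `while [ $# -gt 0 ]; do arg="$1"; shift; done` walks the whole list. `exec $arg` is unquoted, so a value containing spaces or glob characters is re-split before execution; `exec "$arg"` preserves it as one word. The comment "We use arg later" could say what it holds, presumably the remote command scp asked ssh to run, e.g. `# Keep only the last argument: the remote command scp wants executed.`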
@@ -28,6 +28,11 @@ scpclean() { mkdir ${DIR} ${DIR2} } +verbose "$tid: simple copy local file to local file" +scpclean +$SCP $scpopts ${DATA} ${COPY} || fail "copy failed" +cmp ${DATA} ${COPY} || fail "corrupted copy" + verbose "$tid: simple copy local file to remote file" scpclean $SCP $scpopts ${DATA} somehost:${COPY} || fail "copy failed" @@ -44,6 +49,12 @@ cp ${DATA} ${COPY} $SCP $scpopts ${COPY} somehost:${DIR} || fail "copy failed" cmp ${COPY} ${DIR}/copy || fail "corrupted copy" +verbose "$tid: simple copy local file to local dir" +scpclean +cp ${DATA} ${COPY} +$SCP $scpopts ${COPY} ${DIR} || fail "copy failed" +cmp ${COPY} ${DIR}/copy || fail "corrupted copy" + verbose "$tid: simple copy remote file to local dir" scpclean cp ${DATA} ${COPY} @@ -57,6 +68,13 @@ cp ${DATA} ${DIR}/copy $SCP $scpopts -r ${DIR} somehost:${DIR2} || fail "copy failed" diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" +verbose "$tid: recursive local dir to local dir" +scpclean +rm -rf ${DIR2} +cp ${DATA} ${DIR}/copy +$SCP $scpopts -r ${DIR} ${DIR2} || fail "copy failed" +diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" + verbose "$tid: recursive remote dir to local dir" scpclean rm -rf ${DIR2} @@ -64,6 +82,13 @@ cp ${DATA} ${DIR}/copy $SCP $scpopts -r somehost:${DIR} ${DIR2} || fail "copy failed" diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" +verbose "$tid: shell metacharacters" +scpclean +(cd ${DIR} && \ +touch '`touch metachartest`' && \ +$SCP $scpopts *metachar* ${DIR2} 2>/dev/null; \ +[ ! -f metachartest ] ) || fail "shell metacharacters" + if [ ! -z "$SUDO" ]; then verbose "$tid: skipped file after scp -p with failed chown+utimes" scpclean @@ -73,7 +98,7 @@ if [ ! -z "$SUDO" ]; then chmod 660 ${DIR2}/copy $SUDO chown root ${DIR2}/copy $SCP -p $scpopts somehost:${DIR}/\* ${DIR2} >/dev/null 2>&1 - diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" + $SUDO diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy" $SUDO rm ${DIR2}/copy fi 
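Review bot: In the "shell metacharacters" test the `;` before `[ ! -f metachartest ]` means the check runs even when `cd ${DIR}` or the `touch` failed, and after a failed `cd` it looks in the wrong directory, so a broken setup reads as a pass. Split setup from check: run the `cd`/`touch` pair as its own `(...) || fail "metachar setup"`, then the scp, then `[ ! -f ${DIR}/metachartest ] || fail "shell metacharacters"` with an absolute path. Ignoring scp's own exit status here is presumably deliberate, since the test only cares that the backquoted filename was not executed; a short comment saying so would stop someone "fixing" it.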
@@ -91,5 +116,12 @@ for i in 0 1 2 3 4; do [ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir" done +verbose "$tid: detect non-directory target" +scpclean +echo a > ${COPY} +echo b > ${COPY2} +$SCP $scpopts ${DATA} ${COPY} ${COPY2} +cmp ${COPY} ${COPY2} >/dev/null && fail "corrupt target" + scpclean rm -f ${OBJ}/scp-ssh-wrapper.scp diff --git a/crypto/openssh/regress/test-exec.sh b/crypto/openssh/regress/test-exec.sh index 4b3a70eb3c3a..59ae33c0848a 100644 --- a/crypto/openssh/regress/test-exec.sh +++ b/crypto/openssh/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.27 2005/02/27 11:33:30 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.28 2005/05/20 23:14:15 djm Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -24,6 +24,8 @@ if [ -x /usr/ucb/whoami ]; then USER=`/usr/ucb/whoami` elif whoami >/dev/null 2>&1; then USER=`whoami` +elif logname >/dev/null 2>&1; then + USER=`logname` else USER=`id -un` fi @@ -194,6 +196,7 @@ trap fatal 3 2 cat << EOF > $OBJ/sshd_config StrictModes no Port $PORT + AddressFamily inet ListenAddress 127.0.0.1 #ListenAddress ::1 PidFile $PIDFILE @@ -244,7 +247,7 @@ trace "generate keys" for t in rsa rsa1; do # generate user key rm -f $OBJ/$t - ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ + ${SSHKEYGEN} -b 1024 -q -N '' -t $t -f $OBJ/$t ||\ fail "ssh-keygen for $t failed" # known hosts file for client diff --git a/crypto/openssh/regress/try-ciphers.sh b/crypto/openssh/regress/try-ciphers.sh index c6e1b9152865..379fe353a7bc 100644 --- a/crypto/openssh/regress/try-ciphers.sh +++ b/crypto/openssh/regress/try-ciphers.sh 
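Review bot: The "detect non-directory target" test checks only that `${COPY2}` still differs from `${COPY}`, ignoring scp's exit status, so an scp that silently skipped the copy passes alongside one that correctly refused; if the intended behaviour is an error, assert it with `$SCP $scpopts ${DATA} ${COPY} ${COPY2} 2>/dev/null && fail "scp accepted non-directory target"`. The `cmp` also passes if `${COPY2}` was overwritten with content other than `${COPY}`'s, so pinning the known value, `echo b | cmp - ${COPY2} || fail "corrupt target"`, is a stronger check.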
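Review bot: `-b 1024` is added to the regress key generation in test-exec.sh without a comment; since these are throwaway keys, a note such as `# 1024-bit keys: fast to generate, regress use only` records that the size is a speed choice and not a recommendation. The new `logname` branch mirrors the `whoami` one, and the three-way fallback would read better documented once above the chain, `# login name: /usr/ucb/whoami, whoami, logname, then id -un`. Both changes are otherwise fine.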
@@ -1,9 +1,10 @@ -# $OpenBSD: try-ciphers.sh,v 1.9 2004/02/28 13:44:45 dtucker Exp $ +# $OpenBSD: try-ciphers.sh,v 1.10 2005/05/24 04:10:54 djm Exp $ # Placed in the Public Domain. tid="try ciphers" -ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour +ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc + arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr" macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96" diff --git a/crypto/openssh/regress/yes-head.sh b/crypto/openssh/regress/yes-head.sh index 17a4d0dd4685..a8e6bc80019b 100644 --- a/crypto/openssh/regress/yes-head.sh +++ b/crypto/openssh/regress/yes-head.sh @@ -4,7 +4,7 @@ tid="yes pipe head" for p in 1 2; do - lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | head -2000"' | (sleep 3 ; wc -l)` + lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` if [ $? -ne 0 ]; then fail "yes|head test failed" lines = 0; diff --git a/crypto/openssh/scp.1 b/crypto/openssh/scp.1 index b5191e318129..d9b1f8e8fa58 100644 --- a/crypto/openssh/scp.1 +++ b/crypto/openssh/scp.1 @@ -9,7 +9,7 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.38 2005/03/01 17:19:35 jmc Exp $ +.\" $OpenBSD: scp.1,v 1.39 2006/01/20 00:14:55 dtucker Exp $ .\" .Dd September 25, 1999 .Dt SCP 1 @@ -152,6 +152,7 @@ For full details of the options listed below, and their possible values, see .It Protocol .It ProxyCommand .It PubkeyAuthentication +.It RekeyLimit .It RhostsRSAAuthentication .It RSAAuthentication .It SendEnv diff --git a/crypto/openssh/sftp-client.c b/crypto/openssh/sftp-client.c index afbd1e6f3784..05bce3368ea8 100644 --- a/crypto/openssh/sftp-client.c +++ b/crypto/openssh/sftp-client.c 
@@ -20,7 +20,7 @@ /* XXX: copy between two remote sites */ #include "includes.h" -RCSID("$OpenBSD: sftp-client.c,v 1.57 2005/07/27 10:39:03 dtucker Exp $"); +RCSID("$OpenBSD: sftp-client.c,v 1.58 2006/01/02 01:20:31 djm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -42,9 +42,6 @@ extern int showprogress; /* Minimum amount of data to read at at time */ #define MIN_READ_SIZE 512 -/* Maximum packet size */ -#define MAX_MSG_LENGTH (256 * 1024) - struct sftp_conn { int fd_in; int fd_out; @@ -59,7 +56,7 @@ send_msg(int fd, Buffer *m) { u_char mlen[4]; - if (buffer_len(m) > MAX_MSG_LENGTH) + if (buffer_len(m) > SFTP_MAX_MSG_LENGTH) fatal("Outbound message too long %u", buffer_len(m)); /* Send length first */ @@ -87,7 +84,7 @@ get_msg(int fd, Buffer *m) } msg_len = buffer_get_int(m); - if (msg_len > MAX_MSG_LENGTH) + if (msg_len > SFTP_MAX_MSG_LENGTH) fatal("Received message too long %u", msg_len); buffer_append_space(m, msg_len); diff --git a/crypto/openssh/sftp-common.h b/crypto/openssh/sftp-common.h index b42ba91409f8..2b1995a2de7e 100644 --- a/crypto/openssh/sftp-common.h +++ b/crypto/openssh/sftp-common.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-common.h,v 1.5 2003/11/10 16:23:41 jakob Exp $ */ +/* $OpenBSD: sftp-common.h,v 1.6 2006/01/02 01:20:31 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -25,6 +25,9 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +/* Maximum packet that we are willing to send/accept */ +#define SFTP_MAX_MSG_LENGTH (256 * 1024) + typedef struct Attrib Attrib; /* File attributes */ diff --git a/crypto/openssh/sftp-server.c b/crypto/openssh/sftp-server.c index 6870e7732039..7060c44ad083 100644 --- a/crypto/openssh/sftp-server.c +++ b/crypto/openssh/sftp-server.c 
@@ -14,13 +14,14 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "includes.h" -RCSID("$OpenBSD: sftp-server.c,v 1.48 2005/06/17 02:44:33 djm Exp $"); +RCSID("$OpenBSD: sftp-server.c,v 1.50 2006/01/02 01:20:31 djm Exp $"); #include "buffer.h" #include "bufaux.h" #include "getput.h" #include "log.h" #include "xmalloc.h" +#include "misc.h" #include "sftp.h" #include "sftp-common.h" @@ -427,7 +428,7 @@ process_read(void) len = get_int(); TRACE("read id %u handle %d off %llu len %d", id, handle, - (u_int64_t)off, len); + (unsigned long long)off, len); if (len > sizeof buf) { len = sizeof buf; logit("read change len %d", len); @@ -468,7 +469,7 @@ process_write(void) data = get_string(&len); TRACE("write id %u handle %d off %llu len %d", id, handle, - (u_int64_t)off, len); + (unsigned long long)off, len); fd = handle_to_fd(handle); if (fd >= 0) { if (lseek(fd, off, SEEK_SET) < 0) { @@ -945,7 +946,7 @@ process(void) return; /* Incomplete message. */ cp = buffer_ptr(&iqueue); msg_len = GET_32BIT(cp); - if (msg_len > 256 * 1024) { + if (msg_len > SFTP_MAX_MSG_LENGTH) { error("bad message "); exit(11); } @@ -1036,6 +1037,9 @@ main(int ac, char **av) int in, out, max; ssize_t len, olen, set_size; + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ + sanitise_stdfd(); + /* XXX should use getopt */ __progname = ssh_get_progname(av[0]); diff --git a/crypto/openssh/sftp.1 b/crypto/openssh/sftp.1 index c89ffc30fc77..47aafa89e61b 100644 --- a/crypto/openssh/sftp.1 +++ b/crypto/openssh/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.61 2005/03/01 17:19:35 jmc Exp $ +.\" $OpenBSD: sftp.1,v 1.63 2006/01/20 00:14:55 dtucker Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" 
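Review bot: The oversize-message path in process() now compares against the shared SFTP_MAX_MSG_LENGTH, but the rejection it leads to still logs only `error("bad message ")` before `exit(11)`, with no length, so a peer that trips the bound is indistinguishable in the logs from a framing error. Since this is the server's only guard on inbound packet size, logging the offending value makes the event diagnosable, e.g. `error("bad message length %u (max %u)", msg_len, SFTP_MAX_MSG_LENGTH);` — the error() line itself is unchanged context here. The `%u` assumes msg_len is unsigned, as GET_32BIT suggests; its declaration and the rest of process() are outside the hunk.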
@@ -78,7 +78,7 @@ to start in a remote directory. The final usage format allows for automated sessions using the .Fl b option. -In such cases, it is usually necessary to configure public key authentication +In such cases, it is necessary to configure non-interactive authentication to obviate the need to enter a password at connection time (see .Xr sshd 8 and @@ -180,6 +180,7 @@ For full details of the options listed below, and their possible values, see .It Protocol .It ProxyCommand .It PubkeyAuthentication +.It RekeyLimit .It RhostsRSAAuthentication .It RSAAuthentication .It SendEnv diff --git a/crypto/openssh/sftp.c b/crypto/openssh/sftp.c index f98ed7d27505..a2e3f6aad65f 100644 --- a/crypto/openssh/sftp.c +++ b/crypto/openssh/sftp.c @@ -16,7 +16,7 @@ #include "includes.h" -RCSID("$OpenBSD: sftp.c,v 1.66 2005/08/08 13:22:48 jaredy Exp $"); +RCSID("$OpenBSD: sftp.c,v 1.70 2006/01/31 10:19:02 djm Exp $"); #ifdef USE_LIBEDIT #include @@ -697,6 +697,8 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) } if (lflag & SORT_FLAGS) { + for (n = 0; d[n] != NULL; n++) + ; /* count entries */ sort_flag = lflag & (SORT_FLAGS|LS_REVERSE_SORT); qsort(d, n, sizeof(*d), sdirent_comp); } @@ -1447,11 +1449,16 @@ main(int argc, char **argv) extern int optind; extern char *optarg; + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ + sanitise_stdfd(); + __progname = ssh_get_progname(argv[0]); + memset(&args, '\0', sizeof(args)); args.list = NULL; - addargs(&args, "ssh"); /* overwritten with ssh_program */ + addargs(&args, ssh_program); addargs(&args, "-oForwardX11 no"); addargs(&args, "-oForwardAgent no"); + addargs(&args, "-oPermitLocalCommand no"); addargs(&args, "-oClearAllForwardings yes"); ll = SYSLOG_LEVEL_INFO; @@ -1483,6 +1490,7 @@ main(int argc, char **argv) break; case 'S': ssh_program = optarg; + replacearg(&args, 0, "%s", ssh_program); break; case 'b': if (batchmode) 
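Review bot: The new counting loop `for (n = 0; d[n] != NULL; n++) ;` depends on do_readdir() returning a NULL-terminated array, which is not visible in this hunk, and the qsort() on the next line would read past the array if that contract ever changed; the comment should name the dependency rather than just say "count entries", e.g. `/* d is NULL-terminated by do_readdir(); n is recomputed here because it does not hold the entry count at this point */` (why n needs recounting is inferred from surrounding code, not shown here). Putting the empty `;` body on its own line under that comment, or writing `n = 0; while (d[n] != NULL) n++;`, also makes the empty loop body harder to misread. do_ls_dir() starts and ends outside the hunk.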
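Review bot: `addargs(&args, ssh_program);` hands a variable to addargs() as its format string, whereas every sibling call in this commit goes through a literal — `addargs(&args, "%s", host)` and `replacearg(&args, 0, "%s", ssh_program)` in the same file. At this point ssh_program presumably still holds the compiled-in default, since the -S override is applied afterwards via replacearg(), so the value is not user-chosen, but a `%` in a build-time path would be misparsed and the call stands out under -Wformat-security; `addargs(&args, "%s", ssh_program);` keeps it consistent. The `args.list = NULL;` following `memset(&args, '\0', sizeof(args));` is also redundant. main() continues outside the hunk.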
@@ -1559,7 +1567,6 @@ main(int argc, char **argv) addargs(&args, "%s", host); addargs(&args, "%s", (sftp_server != NULL ? sftp_server : "sftp")); - args.list[0] = ssh_program; if (!batchmode) fprintf(stderr, "Connecting to %s...\n", host); @@ -1572,6 +1579,7 @@ main(int argc, char **argv) fprintf(stderr, "Attaching to %s...\n", sftp_direct); connect_to_server(sftp_direct, args.list, &in, &out); } + freeargs(&args); err = interactive_loop(in, out, file1, file2); diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1 index 741cf4bd18b7..fd6bd3f6cc2b 100644 --- a/crypto/openssh/ssh-agent.1 +++ b/crypto/openssh/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.42 2005/04/21 06:17:50 djm Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.43 2005/11/28 06:02:56 dtucker Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -70,7 +70,7 @@ The options are as follows: Bind the agent to the unix-domain socket .Ar bind_address . The default is -.Pa /tmp/ssh-XXXXXXXX/agent. . +.Pa /tmp/ssh-XXXXXXXXXX/agent. . .It Fl c Generate C-shell commands on .Dv stdout . @@ -90,7 +90,7 @@ environment variable). .It Fl t Ar life Set a default value for the maximum lifetime of identities added to the agent. The lifetime may be specified in seconds or in a time format specified in -.Xr sshd 8 . +.Xr sshd_config 5 . A lifetime specified for an identity with .Xr ssh-add 1 overrides this value. @@ -185,7 +185,7 @@ Contains the protocol version 1 RSA authentication identity of the user. Contains the protocol version 2 DSA authentication identity of the user. .It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. -.It Pa /tmp/ssh-XXXXXXXX/agent. +.It Pa /tmp/ssh-XXXXXXXXXX/agent. Unix-domain sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. 
diff --git a/crypto/openssh/ssh-keygen.1 b/crypto/openssh/ssh-keygen.1 index 5454d00ce883..ab16bcd77731 100644 --- a/crypto/openssh/ssh-keygen.1 +++ b/crypto/openssh/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.69 2005/06/08 03:50:00 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $ .\" .\" -*- nroff -*- .\" @@ -118,6 +118,9 @@ keys for use by SSH protocol version 2. The type of key to be generated is specified with the .Fl t option. +If invoked without any arguments, +.Nm +will generate an RSA key for use in SSH protocol 2 connections. .Pp .Nm is also used to generate groups for use in Diffie-Hellman group @@ -187,9 +190,9 @@ command. Show the bubblebabble digest of specified private or public key file. .It Fl b Ar bits Specifies the number of bits in the key to create. -Minimum is 512 bits. +For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. -The default is 2048 bits. +DSA keys must be exactly 1024 bits as specified by FIPS 186-2. .It Fl C Ar comment Provides a new comment. .It Fl c diff --git a/crypto/openssh/ssh-keygen.c b/crypto/openssh/ssh-keygen.c index b17851946c5a..64fadc7a1d7f 100644 --- a/crypto/openssh/ssh-keygen.c +++ b/crypto/openssh/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.128 2005/07/17 07:17:55 djm Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.135 2005/11/29 02:04:55 dtucker Exp $"); #include #include @@ -35,8 +35,10 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.128 2005/07/17 07:17:55 djm Exp $"); #endif #include "dns.h" -/* Number of bits in the RSA/DSA key. This value can be changed on the command line. */ -u_int32_t bits = 2048; +/* Number of bits in the RSA/DSA key. This value can be set on the command line. */ +#define DEFAULT_BITS 2048 +#define DEFAULT_BITS_DSA 1024 +u_int32_t bits = 0; /* * Flag indicating that we just want to change the passphrase. This can be 
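Review bot: `u_int32_t bits = 0;` now uses 0 as an "unset" sentinel that main() later resolves to DEFAULT_BITS or DEFAULT_BITS_DSA depending on the key type, but the comment above it still describes the variable as the key size that can be set on the command line, so a reader sees a zero-bit default. Suggest `/* Bits in the RSA/DSA key; 0 = not given with -b, resolved per key type in main() (DEFAULT_BITS / DEFAULT_BITS_DSA) */`. The resolution sites are in the later hunks of this file, not in this one.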
@@ -1018,6 +1020,9 @@ main(int ac, char **av) extern int optind; extern char *optarg; + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ + sanitise_stdfd(); + __progname = ssh_get_progname(av[0]); SSLeay_add_all_algorithms(); @@ -1041,7 +1046,7 @@ main(int ac, char **av) "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) { switch (opt) { case 'b': - bits = strtonum(optarg, 512, 32768, &errstr); + bits = strtonum(optarg, 768, 32768, &errstr); if (errstr) fatal("Bits has bad value %s (%s)", optarg, errstr); @@ -1214,8 +1219,10 @@ main(int ac, char **av) out_file, strerror(errno)); return (1); } + if (bits == 0) + bits = DEFAULT_BITS; if (gen_candidates(out, memory, bits, start) != 0) - fatal("modulus candidate generation failed\n"); + fatal("modulus candidate generation failed"); return (0); } @@ -1238,21 +1245,24 @@ main(int ac, char **av) out_file, strerror(errno)); } if (prime_test(in, out, trials, generator_wanted) != 0) - fatal("modulus screening failed\n"); + fatal("modulus screening failed"); return (0); } arc4random_stir(); - if (key_type_name == NULL) { - printf("You must specify a key type (-t).\n"); - usage(); - } + if (key_type_name == NULL) + key_type_name = "rsa"; + type = key_type_from_name(key_type_name); if (type == KEY_UNSPEC) { fprintf(stderr, "unknown key type %s\n", key_type_name); exit(1); } + if (bits == 0) + bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS; + if (type == KEY_DSA && bits != 1024) + fatal("DSA keys must be 1024 bits"); if (!quiet) printf("Generating public/private %s key pair.\n", key_type_name); private = key_generate(type, bits); 
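Review bot: `if (type == KEY_DSA && bits != 1024)` and the message `"DSA keys must be 1024 bits"` repeat the literal that DEFAULT_BITS_DSA already names in this file, so a future change to the define would silently desynchronise the check; write it as `if (type == KEY_DSA && bits != DEFAULT_BITS_DSA)` / `fatal("DSA keys must be %d bits", DEFAULT_BITS_DSA);`. The same applies to the new 768 floor in `strtonum(optarg, 768, 32768, &errstr)`, which is the RSA minimum the manual page now documents and would read better as a named constant next to the defaults. main() starts and ends outside these hunks.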
@@ -1265,7 +1275,7 @@ main(int ac, char **av) if (!have_identity) ask_filename(pw, "Enter file in which to save the key"); - /* Create ~/.ssh directory if it doesn\'t already exist. */ + /* Create ~/.ssh directory if it doesn't already exist. */ snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR); if (strstr(identity_file, dotsshdir) != NULL && stat(dotsshdir, &st) < 0) { diff --git a/crypto/openssh/ssh-keyscan.1 b/crypto/openssh/ssh-keyscan.1 index 7e846f77c4ae..80fc8cd96034 100644 --- a/crypto/openssh/ssh-keyscan.1 +++ b/crypto/openssh/ssh-keyscan.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.20 2005/03/01 15:47:14 jmc Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.21 2005/09/30 20:34:26 jaredy Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" @@ -156,6 +156,7 @@ $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e .Xr ssh 1 , .Xr sshd 8 .Sh AUTHORS +.An -nosplit .An David Mazieres Aq dm@lcs.mit.edu wrote the initial version, and .An Wayne Davison Aq wayned@users.sourceforge.net diff --git a/crypto/openssh/ssh-keysign.c b/crypto/openssh/ssh-keysign.c index 04597a91d4d4..dae3a2e8c91b 100644 --- a/crypto/openssh/ssh-keysign.c +++ b/crypto/openssh/ssh-keysign.c @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: ssh-keysign.c,v 1.18 2004/08/23 14:29:23 dtucker Exp $"); +RCSID("$OpenBSD: ssh-keysign.c,v 1.19 2005/09/13 23:40:07 djm Exp $"); #include #include @@ -148,6 +148,13 @@ main(int argc, char **argv) u_int slen, dlen; u_int32_t rnd[256]; + /* Ensure that stdin and stdout are connected */ + if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2) + exit(1); + /* Leave /dev/null fd iff it is attached to stderr */ + if (fd > 2) + close(fd); + key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY); key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
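Review bot: The stdio check in ssh-keysign's main() deliberately exits instead of calling the sanitise_stdfd() that the same commit adds to sftp-server.c, sftp.c and ssh-keygen.c, and the comment should say why, because the next reader will see the shared helper and "fix" it: the signing request and reply travel over fds 0 and 1, so a closed one means there is no peer to talk to and redirecting it to /dev/null would be wrong. Something like `/* Refuse to run rather than redirect: the request/reply protocol uses fds 0 and 1, so either being closed (or open() failing) means there is no peer */`. A failed open() returns -1 and also takes the exit path, which the current wording does not mention; the declaration of fd is outside the hunk.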