gonzo 2009-10-02 19:51:03 +00:00
commit 757d78c594
799 changed files with 30382 additions and 8240 deletions


@ -5,7 +5,7 @@
# -DNO_CLEANDIR run ${MAKE} clean, instead of ${MAKE} cleandir
# -DNO_CLEAN do not clean at all
# -DNO_SHARE do not go into share subdir
# -DKERNFAST define NO_KERNELCONFIG, NO_KERNELCLEAN and NO_KERNELCONFIG
# -DKERNFAST define NO_KERNELCONFIG, NO_KERNELCLEAN and NO_KERNELDEPEND
# -DNO_KERNELCONFIG do not run config in ${MAKE} buildkernel
# -DNO_KERNELCLEAN do not run ${MAKE} clean in ${MAKE} buildkernel
# -DNO_KERNELDEPEND do not run ${MAKE} depend in ${MAKE} buildkernel


@ -14,6 +14,9 @@
# The file is partitioned: OLD_FILES first, then OLD_LIBS and OLD_DIRS last.
#
# 20090909: vesa and dpms promoted to be i386/amd64 common
OLD_FILES+=usr/include/machine/pc/vesa.h
OLD_FILES+=usr/share/man/man4/i386/dpms.4.gz
# 20090904: remove lukemftpd
OLD_FILES+=usr/libexec/lukemftpd
OLD_FILES+=usr/share/man/man5/ftpd.conf.5.gz


@ -22,6 +22,65 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 9.x IS SLOW:
machines to maximize performance. (To disable malloc debugging, run
ln -s aj /etc/malloc.conf.)
20090926:
The rc.d/network_ipv6, IPv6 configuration script has been integrated
into rc.d/netif. The changes are the following:
1. To use IPv6, simply define $ifconfig_IF_ipv6 like $ifconfig_IF
for IPv4. For aliases, $ifconfig_IF_aliasN should be used.
Note that both variables need the "inet6" keyword at the head.
Do not set $ipv6_network_interfaces manually if you do not
understand what you are doing. It is not needed in most cases.
$ipv6_ifconfig_IF and $ipv6_ifconfig_IF_aliasN still work, but
they are obsolete.
2. $ipv6_enable is obsolete. Use $ipv6_prefer and
"inet6 accept_rtadv" keyword in ifconfig(8) instead.
If you define $ipv6_enable=YES, it means $ipv6_prefer=YES and
all configured interfaces have "inet6 accept_rtadv" in the
$ifconfig_IF_ipv6. These are for backward compatibility.
3. A new variable $ipv6_prefer has been added. If NO, IPv6
functionality of interfaces with no corresponding
$ifconfig_IF_ipv6 is disabled by using "inet6 ifdisabled" flag,
and the default address selection policy of ip6addrctl(8)
is the IPv4-preferred one (see rc.d/ip6addrctl for more details).
Note that if you want to configure IPv6 functionality on the
disabled interfaces after boot, first you need to clear the flag by
using ifconfig(8) like:
ifconfig em0 inet6 -ifdisabled
If YES, the default address selection policy is set as
IPv6-preferred.
The default value of $ipv6_prefer is NO.
4. If your system need to receive Router Advertisement messages,
define "inet6 accept_rtadv" in $ifconfig_IF_ipv6. The rc(8)
scripts automatically invoke rtsol(8) when the interface becomes
UP. The Router Advertisement messages are used for SLAAC
(State-Less Address AutoConfiguration).
20090922:
802.11s D3.03 support was committed. This is incompatible with the
previous code, which was based on D3.0.
20090912:
A sysctl variable net.inet6.ip6.accept_rtadv now sets the default value
of a per-interface flag ND6_IFF_ACCEPT_RTADV, not a global knob to
control whether accepting Router Advertisement messages or not.
Also, a per-interface flag ND6_IFF_AUTO_LINKLOCAL has been added and
a sysctl variable net.inet6.ip6.auto_linklocal is its default value.
The ifconfig(8) utility now supports these flags.
20090910:
ZFS snapshots are now mounted with MNT_IGNORE flag. Use -v option for
mount(8) and -a option for df(1) to see them.
20090825:
The old tunable hw.bus.devctl_disable has been superseded by
hw.bus.devctl_queue. hw.bus.devctl_disable=1 in loader.conf should be


@ -375,6 +375,10 @@ introduces a comment if used at the beginning of a word.
The word starting with
.Ql #
and the rest of the line are ignored.
.Pp
.Tn ASCII
.Dv NUL
characters (character code 0) are not allowed in shell input.
.Ss Quoting
Quoting is used to remove the special meaning of certain characters
or words to the shell, such as operators, whitespace, keywords,


@ -0,0 +1,55 @@
/*-
* Copyright (c) 2009 Pawel Jakub Dawidek <pjd@FreeBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#undef assert
#undef _assert
#ifdef NDEBUG
#define assert(e) ((void)0)
#define _assert(e) ((void)0)
#else
#define _assert(e) assert(e)
#define assert(e) ((e) ? (void)0 : __assert(#e, __FILE__, __LINE__))
#endif /* NDEBUG */
#ifndef _ASSERT_H_
#define _ASSERT_H_
#include <stdio.h>
#include <stdlib.h>
static __inline void
__assert(const char *expr, const char *file, int line)
{
(void)fprintf(stderr, "Assertion failed: (%s), file %s, line %d.\n",
expr, file, line);
abort();
/* NOTREACHED */
}
#endif /* !_ASSERT_H_ */
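Review bot: The `_ASSERT_H_` guard around the `static __inline __assert()` definition appears to be the same guard name the system `<assert.h>` uses on FreeBSD, so the outcome depends on include order: if the libc header is seen first, the definition here is skipped and `assert()` expands to a three-argument `__assert(#e, __FILE__, __LINE__)` call against libc's prototype, which I believe takes a different argument list, giving a compile error or a mismatched call instead of a diagnostic. If sharing the guard is deliberate (to keep a later `<assert.h>` from redeclaring `__assert`), say so next to it, e.g. `/* Shares libc's guard so a later <assert.h> does not redeclare __assert(); include this header first. */`. Since `__assert()` ends in `abort()`, marking it non-returning with the file's usual attribute would also give callers the same flow-analysis behaviour as the libc macro.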


@ -535,7 +535,7 @@ This property is not inherited.
.ad
.sp .6
.RS 4n
Controls the checksum used to verify data integrity. The default value is "on", which automatically selects an appropriate algorithm (currently, \fIfletcher2\fR, but this may change in future releases). The value "off" disables integrity
Controls the checksum used to verify data integrity. The default value is "on", which automatically selects an appropriate algorithm (currently, \fIfletcher4\fR, but this may change in future releases). The value "off" disables integrity
checking on user data. Disabling checksums is NOT a recommended practice.
.RE


@ -1,81 +0,0 @@
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/* Copyright (c) 1988 AT&T */
/* All Rights Reserved */
/*
* Copyright 2004 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _ASSERT_H
#define _ASSERT_H
#pragma ident "%Z%%M% %I% %E% SMI" /* SVr4.0 1.6.1.4 */
#ifdef __cplusplus
extern "C" {
#endif
#if defined(__STDC__)
#if __STDC_VERSION__ - 0 >= 199901L
extern void __assert(const char *, const char *, int);
#else
extern void __assert(const char *, const char *, int);
#endif /* __STDC_VERSION__ - 0 >= 199901L */
#else
extern void _assert();
#endif
#ifdef __cplusplus
}
#endif
#endif /* _ASSERT_H */
/*
* Note that the ANSI C Standard requires all headers to be idempotent except
* <assert.h> which is explicitly required not to be idempotent (section 4.1.2).
* Therefore, it is by intent that the header guards (#ifndef _ASSERT_H) do
* not span this entire file.
*/
#undef assert
#ifdef NDEBUG
#define assert(EX) ((void)0)
#else
#if defined(__STDC__)
#if __STDC_VERSION__ - 0 >= 199901L
#define assert(EX) (void)((EX) || (__assert(#EX, __FILE__, __LINE__), 0))
#else
#define assert(EX) (void)((EX) || (__assert(#EX, __FILE__, __LINE__), 0))
#endif /* __STDC_VERSION__ - 0 >= 199901L */
#else
#define assert(EX) (void)((EX) || (_assert("EX", __FILE__, __LINE__), 0))
#endif /* __STDC__ */
#endif /* NDEBUG */


@ -1,3 +1,282 @@
20090926
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Update for release
- (djm) [README] update relnotes URL
- (djm) [packet.c] Restore EWOULDBLOCK handling that got lost somewhere
- (djm) Release 5.3p1
20090911
- (dtucker) [configure.ac] Change the -lresolv check so it works on Mac OS X
10.6 (which doesn't have BIND8_COMPAT and thus uses res_9_query). Patch
from jbasney at ncsa uiuc edu.
20090908
- (djm) [serverloop.c] Fix test for server-assigned remote forwarding port
(-R 0:...); bz#1578, spotted and fix by gavin AT emf.net; ok dtucker@
20090901
- (dtucker) [configure.ac] Bug #1639: use AC_PATH_PROG to search the path for
krb5-config if it's not in the location specified by --with-kerberos5.
Patch from jchadima at redhat.
20090829
- (dtucker) [README.platform] Add text about development packages, based on
text from Chris Pepper in bug #1631.
20090828
- dtucker [auth-sia.c] Roll back the change for bug #1241 as it apparently
causes problems in some Tru64 configurations.
- (djm) [sshd_config.5] downgrade mention of login.conf to be an example
and mention PAM as another provider for ChallengeResponseAuthentication;
bz#1408; ok dtucker@
- (djm) [sftp-server.c] bz#1535: accept ENOSYS as a fallback error when
attempting atomic rename(); ok dtucker@
- (djm) [Makefile.in] bz#1505: Solaris make(1) doesn't accept make variables
in argv, so pass them in the environment; ok dtucker@
- (dtucker) [channels.c configure.ac] Bug #1528: skip the tcgetattr call on
the pty master on Solaris, since it never succeeds and can hang if large
amounts of data is sent to the slave (eg a copy-paste). Based on a patch
originally from Doke Scott, ok djm@
- (dtucker) [clientloop.c configure.ac defines.h] Make the client's IO buffer
size a compile-time option and set it to 64k on Cygwin, since Corinna
reports that it makes a significant difference to performance. ok djm@
- (dtucker) [configure.ac] Fix the syntax of the Solaris tcgetattr entry.
20090820
- (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not
using it since the type conflicts can cause problems on FreeBSD. Patch
from Jonathan Chen.
- (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move
the setpcred call on AIX to immediately before the permanently_set_uid().
Ensures that we still have privileges when we call chroot and
pam_open_sesson. Based on a patch from David Leonard.
20090817
- (dtucker) [configure.ac] Check for headers before libraries for openssl an
zlib, which should make the errors slightly more meaningful on platforms
where there's separate "-devel" packages for those.
- (dtucker) [sshlogin.c openbsd-compat/port-aix.{c,h}] Bug #1595: make
PrintLastLog work on AIX. Based in part on a patch from Miguel Sanders.
20090729
- (tim) [contrib/cygwin/ssh-user-config] Change script to call correct error
function. Patch from Corinna Vinschen.
20090713
- (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so it
fits into 16 bits to work around a bug in glibc's resolver where it masks
off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob.
20090712
- (dtucker) [configure.ac] Include sys/param.h for the sys/mount.h test,
prevents configure complaining on older BSDs.
- (dtucker [contrib/cygwin/ssh-{host,user}-config] Add license text. Patch
from Corinna Vinschen.
- (dtucker) [auth-pam.c] Bug #1534: move the deletion of PAM credentials on
logout to after the session close. Patch from Anicka Bernathova,
originally from Andreas Schwab via Novelll ok djm.
20090707
- (dtucker) [contrib/cygwin/ssh-host-config] better support for automated
scripts and fix usage of eval. Patch from Corinna Vinschen.
20090705
- (dtucker) OpenBSD CVS Sync
- andreas@cvs.openbsd.org 2009/06/27 09:29:06
[packet.h packet.c]
packet_bacup_state() and packet_restore_state() will be used to
temporarily save the current state ren resuming a suspended connection.
ok markus@
- andreas@cvs.openbsd.org 2009/06/27 09:32:43
[roaming_common.c roaming.h]
It may be necessary to retransmit some data when resuming, so add it
to a buffer when roaming is enabled.
Most of this code was written by Martin Forssen, maf at appgate dot com.
ok markus@
- andreas@cvs.openbsd.org 2009/06/27 09:35:06
[readconf.h readconf.c]
Add client option UseRoaming. It doesn't do anything yet but will
control whether the client tries to use roaming if enabled on the
server. From Martin Forssen.
ok markus@
- markus@cvs.openbsd.org 2009/06/30 14:54:40
[version.h]
crank version; ok deraadt
- dtucker@cvs.openbsd.org 2009/07/02 02:11:47
[ssh.c]
allow for long home dir paths (bz #1615). ok deraadt
(based in part on a patch from jchadima at redhat)
- stevesk@cvs.openbsd.org 2009/07/05 19:28:33
[clientloop.c]
only send SSH2_MSG_DISCONNECT if we're in compat20; from dtucker@
ok deraadt@ markus@
20090622
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2009/06/22 05:39:28
[monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c]
alphabetize includes; reduces diff vs portable and style(9).
ok stevesk djm
(Id sync only; these were already in order in -portable)
20090621
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2009/03/17 21:37:00
[ssh.c]
pass correct argv[0] to openlog(); ok djm@
- jmc@cvs.openbsd.org 2009/03/19 15:15:09
[ssh.1]
for "Ciphers", just point the reader to the keyword in ssh_config(5), just
as we do for "MACs": this stops us getting out of sync when the lists
change;
fixes documentation/6102, submitted by Peter J. Philipp
alternative fix proposed by djm
ok markus
- tobias@cvs.openbsd.org 2009/03/23 08:31:19
[ssh-agent.c]
Fixed a possible out-of-bounds memory access if the environment variable
SHELL is shorter than 3 characters.
with input by and ok dtucker
- tobias@cvs.openbsd.org 2009/03/23 19:38:04
[ssh-agent.c]
My previous commit didn't fix the problem at all, so stick at my first
version of the fix presented to dtucker.
Issue notified by Matthias Barkhoff (matthias dot barkhoff at gmx dot de).
ok dtucker
- sobrado@cvs.openbsd.org 2009/03/26 08:38:39
[sftp-server.8 sshd.8 ssh-agent.1]
fix a few typographical errors found by spell(1).
ok dtucker@, jmc@
- stevesk@cvs.openbsd.org 2009/04/13 19:07:44
[sshd_config.5]
fix possessive; ok djm@
- stevesk@cvs.openbsd.org 2009/04/14 16:33:42
[sftp-server.c]
remove unused option character from getopt() optstring; ok markus@
- jj@cvs.openbsd.org 2009/04/14 21:10:54
[servconf.c]
Fixed a few the-the misspellings in comments. Skipped a bunch in
binutils,gcc and so on. ok jmc@
- stevesk@cvs.openbsd.org 2009/04/17 19:23:06
[session.c]
use INTERNAL_SFTP_NAME for setproctitle() of in-process sftp-server;
ok djm@ markus@
- stevesk@cvs.openbsd.org 2009/04/17 19:40:17
[sshd_config.5]
clarify that even internal-sftp needs /dev/log for logging to work; ok
markus@
- jmc@cvs.openbsd.org 2009/04/18 18:39:10
[sshd_config.5]
tweak previous; ok stevesk
- stevesk@cvs.openbsd.org 2009/04/21 15:13:17
[sshd_config.5]
clarify we cd to user's home after chroot; ok markus@ on
earlier version; tweaks and ok jmc@
- andreas@cvs.openbsd.org 2009/05/25 06:48:01
[channels.c packet.c clientloop.c packet.h serverloop.c monitor_wrap.c
monitor.c]
Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@
- andreas@cvs.openbsd.org 2009/05/27 06:31:25
[canohost.h canohost.c]
Add clear_cached_addr(), needed for upcoming changes allowing the peer
address to change.
ok markus@
- andreas@cvs.openbsd.org 2009/05/27 06:33:39
[clientloop.c]
Send SSH2_MSG_DISCONNECT when the client disconnects. From a larger
change from Martin Forssen, maf at appgate dot com.
ok markus@
- andreas@cvs.openbsd.org 2009/05/27 06:34:36
[kex.c kex.h]
Move the KEX_COOKIE_LEN define to kex.h
ok markus@
- andreas@cvs.openbsd.org 2009/05/27 06:36:07
[packet.h packet.c]
Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
ok markus@
- andreas@cvs.openbsd.org 2009/05/27 06:38:16
[sshconnect.h sshconnect.c]
Un-static ssh_exchange_identification(), part of a larger change from
Martin Forssen and needed for upcoming changes.
ok markus@
- andreas@cvs.openbsd.org 2009/05/28 16:50:16
[sshd.c packet.c serverloop.c monitor_wrap.c clientloop.c sshconnect.c
monitor.c Added roaming.h roaming_common.c roaming_dummy.c]
Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@
Also, applied appropriate changes to Makefile.in
- andreas@cvs.openbsd.org 2009/06/12 20:43:22
[monitor.c packet.c]
Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@
- andreas@cvs.openbsd.org 2009/06/12 20:58:32
[packet.c]
Move some more statics into session_state
ok markus@ djm@
- dtucker@cvs.openbsd.org 2009/06/21 07:37:15
[kexdhs.c kexgexs.c]
abort if key_sign fails, preventing possible null deref. Based on report
from Paolo Ganci, ok markus@ djm@
- dtucker@cvs.openbsd.org 2009/06/21 09:04:03
[roaming.h roaming_common.c roaming_dummy.c]
Add tags for the benefit of the sync scripts
Also: pull in the changes for 1.1->1.2 missed in the previous sync.
- (dtucker) [auth2-jpake.c auth2.c canohost.h session.c] Whitespace and
header-order changes to reduce diff vs OpenBSD.
- (dtucker) [servconf.c sshd.c] More whitespace sync.
- (dtucker) [roaming_common.c roaming_dummy.c] Wrap #include <inttypes.h> in
ifdef.
20090616
- (dtucker) [configure.ac defines.h] Bug #1607: handle the case where fsid_t
is a struct with a __val member. Fixes build on, eg, Redhat 6.2.
20090504
- (dtucker) [sshlogin.c] Move the NO_SSH_LASTLOG #ifndef line to include
variable declarations. Should prevent unused warnings anywhere it's set
(only Crays as far as I can tell) and be a no-op everywhere else.
20090318
- (tim) [configure.ac] Remove setting IP_TOS_IS_BROKEN for Cygwin. The problem
that setsockopt(IP_TOS) doesn't work on Cygwin has been fixed since 2005.
Based on patch from vinschen at redhat com.
20090308
- (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c
auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h}
openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old
version of Cygwin. Patch from vinschen at redhat com.
20090307
- (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it
exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS
has a /dev/random).
- (dtucker) [schnorr.c openbsd-compat/openssl-compat.{c,h}] Add
EVP_DigestUpdate to the OLD_EVP compatibility functions and tell schnorr.c
to use them. Allows building with older OpenSSL versions.
- (dtucker) [configure.ac defines.h] Check for in_port_t and typedef if needed.
- (dtucker) [configure.ac] Missing comma in type list.
- (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}]
EVP_DigestUpdate does not exactly match the other OLD_EVP functions (eg
in openssl 0.9.6) so add an explicit test for it.
20090306
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2009/03/05 07:18:19
[auth2-jpake.c jpake.c jpake.h monitor_wrap.c monitor_wrap.h schnorr.c]
[sshconnect2.c]
refactor the (disabled) Schnorr proof code to make it a little more
generally useful
- djm@cvs.openbsd.org 2009/03/05 11:30:50
[uuencode.c]
document what these functions do so I don't ever have to recuse into
b64_pton/ntop to remember their return values
20090223
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2009/02/22 23:50:57


@ -1,4 +1,4 @@
See http://www.openssh.com/txt/release-5.2 for the release notes.
See http://www.openssh.com/txt/release-5.3 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@ -62,4 +62,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
$Id: README,v 1.70 2009/02/23 00:11:57 djm Exp $
$Id: README,v 1.70.4.1 2009/09/26 04:11:47 djm Exp $


@ -56,6 +56,18 @@ using a third party driver. More information is available at:
http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
Linux
-----
Some Linux distributions (including Red Hat/Fedora/CentOS) include
headers and library links in the -devel RPMs rather than the main
binary RPMs. If you get an error about headers, or complaining about a
missing prerequisite then you may need to install the equivalent
development packages. On Redhat based distros these may be openssl-devel,
zlib-devel and pam-devel, on Debian based distros these may be
libssl-dev, libz-dev and libpam-dev.
Solaris
-------
If you enable BSM auditing on Solaris, you need to update audit_event(4)
@ -81,4 +93,4 @@ account stacks which will prevent authentication entirely, but will still
return the output from pam_nologin to the client.
$Id: README.platform,v 1.9 2007/08/09 04:31:53 dtucker Exp $
$Id: README.platform,v 1.10 2009/08/28 23:14:48 dtucker Exp $


@ -602,16 +602,16 @@ sshpam_cleanup(void)
return;
debug("PAM: cleanup");
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
if (sshpam_cred_established) {
debug("PAM: deleting credentials");
pam_setcred(sshpam_handle, PAM_DELETE_CRED);
sshpam_cred_established = 0;
}
if (sshpam_session_open) {
debug("PAM: closing session");
pam_close_session(sshpam_handle, PAM_SILENT);
sshpam_session_open = 0;
}
if (sshpam_cred_established) {
debug("PAM: deleting credentials");
pam_setcred(sshpam_handle, PAM_DELETE_CRED);
sshpam_cred_established = 0;
}
sshpam_authenticated = 0;
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
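Review bot: The return values of `pam_close_session()` and of the now-later `pam_setcred(PAM_DELETE_CRED)` are discarded, so a module that fails to tear down credentials (for instance a ticket cache left on disk) leaves no trace even at debug level, and the ordering change this hunk makes cannot be seen to work or regress in the logs. Capturing the result in a local would make that visible: `int r = pam_setcred(sshpam_handle, PAM_DELETE_CRED); if (r != PAM_SUCCESS) debug("PAM: pam_setcred(PAM_DELETE_CRED): %s", pam_strerror(sshpam_handle, r));`, and the same for `pam_close_session()`. A separate local is preferable to reusing `sshpam_err`, since that value is handed to `pam_end()` a few lines below. `sshpam_cleanup()` begins outside this hunk.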


@ -102,7 +102,7 @@ auth_password(Authctxt *authctxt, const char *password)
}
#endif
#ifdef HAVE_CYGWIN
if (is_winnt) {
{
HANDLE hToken = cygwin_logon_user(pw, password);
if (hToken == INVALID_HANDLE_VALUE)


@ -34,10 +34,6 @@
#include <unistd.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/security.h>
#include <prot.h>
#include <time.h>
#include "ssh.h"
#include "key.h"
@ -53,52 +49,6 @@ extern ServerOptions options;
extern int saved_argc;
extern char **saved_argv;
static int
sia_password_change_required(const char *user)
{
struct es_passwd *acct;
time_t pw_life;
time_t pw_date;
set_auth_parameters(saved_argc, saved_argv);
if ((acct = getespwnam(user)) == NULL) {
error("Couldn't access protected database entry for %s", user);
endprpwent();
return (0);
}
/* If forced password change flag is set, honor it */
if (acct->uflg->fg_psw_chg_reqd && acct->ufld->fd_psw_chg_reqd) {
endprpwent();
return (1);
}
/* Obtain password lifetime; if none, it can't have expired */
if (acct->uflg->fg_expire)
pw_life = acct->ufld->fd_expire;
else if (acct->sflg->fg_expire)
pw_life = acct->sfld->fd_expire;
else {
endprpwent();
return (0);
}
/* Offset from last change; if none, it must be expired */
if (acct->uflg->fg_schange)
pw_date = acct->ufld->fd_schange + pw_life;
else {
endprpwent();
return (1);
}
endprpwent();
/* If expiration date is prior to now, change password */
return (pw_date <= time((time_t *) NULL));
}
int
sys_auth_passwd(Authctxt *authctxt, const char *pass)
{
@ -126,9 +76,6 @@ sys_auth_passwd(Authctxt *authctxt, const char *pass)
sia_ses_release(&ent);
authctxt->force_pwchange = sia_password_change_required(
authctxt->user);
return (1);
}
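Review bot: With `sia_password_change_required()` removed, `sys_auth_passwd()` now returns 1 after `sia_ses_release()` without ever setting `authctxt->force_pwchange`, so an account whose password has expired is accepted unless `sia_ses_authent()` (called earlier, outside this hunk) rejects it on its own. The ChangeLog on this page describes the removal as a rollback of the bug #1241 change because it broke some Tru64 configurations; a comment at the return would stop the next reader from re-adding the check blind: `/* XXX Password expiry is not enforced here; the bug #1241 check was rolled back (see ChangeLog). */`. The start of `sys_auth_passwd()` is outside this hunk.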


@ -318,15 +318,7 @@ do_authloop(Authctxt *authctxt)
}
#endif /* _UNICOS */
#ifdef HAVE_CYGWIN
if (authenticated &&
!check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
authctxt->pw)) {
packet_disconnect("Authentication rejected for uid %d.",
authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
authenticated = 0;
}
#else
#ifndef HAVE_CYGWIN
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(meth->name)) {
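Review bot: Turning the `#else` into `#ifndef HAVE_CYGWIN` means Cygwin builds now skip both the removed `check_nt_auth()` rejection and the `auth_root_allowed()` (PermitRootLogin) check, with nothing left in the code saying why the root-login policy is not applied there. If the reason is that a uid-0 root account is not meaningful on Cygwin — please confirm — put it next to the guard: `/* Cygwin: no uid-0 root account, so PermitRootLogin is not applicable here */`; if that is not the reason, the policy check should be applied on Cygwin too. `do_authloop()` starts and ends outside this hunk.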


@ -1,4 +1,4 @@
/* $OpenBSD: auth2-jpake.c,v 1.2 2008/11/07 23:34:48 dtucker Exp $ */
/* $OpenBSD: auth2-jpake.c,v 1.3 2009/03/05 07:18:19 djm Exp $ */
/*
* Copyright (c) 2008 Damien Miller. All rights reserved.
*
@ -42,8 +42,8 @@
#include "ssh2.h"
#include "key.h"
#include "hostfile.h"
#include "buffer.h"
#include "auth.h"
#include "buffer.h"
#include "packet.h"
#include "dispatch.h"
#include "log.h"
@ -55,6 +55,7 @@
#endif
#include "monitor_wrap.h"
#include "schnorr.h"
#include "jpake.h"
/*
@ -359,7 +360,7 @@ auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
}
/*
* Being authentication attempt.
* Begin authentication attempt.
* Note, sets authctxt->postponed while in subprotocol
*/
static int


@ -58,10 +58,6 @@ userauth_kbdint(Authctxt *authctxt)
xfree(devs);
xfree(lang);
#ifdef HAVE_CYGWIN
if (check_nt_auth(0, authctxt->pw) == 0)
authenticated = 0;
#endif
return authenticated;
}


@ -61,10 +61,6 @@ userauth_none(Authctxt *authctxt)
{
none_enabled = 0;
packet_check_eom();
#ifdef HAVE_CYGWIN
if (check_nt_auth(1, authctxt->pw) == 0)
return (0);
#endif
if (options.password_authentication)
return (PRIVSEP(auth_password(authctxt, "")));
return (0);


@ -68,10 +68,6 @@ userauth_passwd(Authctxt *authctxt)
logit("password change not supported");
else if (PRIVSEP(auth_password(authctxt, password)) == 1)
authenticated = 1;
#ifdef HAVE_CYGWIN
if (check_nt_auth(1, authctxt->pw) == 0)
authenticated = 0;
#endif
memset(password, 0, len);
xfree(password);
return authenticated;


@ -170,10 +170,6 @@ userauth_pubkey(Authctxt *authctxt)
key_free(key);
xfree(pkalg);
xfree(pkblob);
#ifdef HAVE_CYGWIN
if (check_nt_auth(0, authctxt->pw) == 0)
authenticated = 0;
#endif
return authenticated;
}


@ -1,4 +1,4 @@
/* $OpenBSD: auth2.c,v 1.120 2008/11/04 08:22:12 djm Exp $ */
/* $OpenBSD: auth2.c,v 1.121 2009/06/22 05:39:28 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -36,8 +36,8 @@ __RCSID("$FreeBSD$");
#include <string.h>
#include <unistd.h>
#include "xmalloc.h"
#include "atomicio.h"
#include "xmalloc.h"
#include "ssh2.h"
#include "packet.h"
#include "log.h"


@ -1,4 +1,4 @@
/* $OpenBSD: canohost.c,v 1.64 2009/02/12 03:00:56 djm Exp $ */
/* $OpenBSD: canohost.c,v 1.65 2009/05/27 06:31:25 andreas Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,6 +35,8 @@
#include "misc.h"
static void check_ip_options(int, char *);
static char *canonical_host_ip = NULL;
static int cached_port = -1;
/*
* Return the canonical name of the host at the other end of the socket. The
@ -304,6 +306,16 @@ get_local_name(int sock)
return get_socket_address(sock, 0, NI_NAMEREQD);
}
void
clear_cached_addr(void)
{
if (canonical_host_ip != NULL) {
xfree(canonical_host_ip);
canonical_host_ip = NULL;
}
cached_port = -1;
}
/*
* Returns the IP-address of the remote host as a string. The returned
* string must not be freed.
@ -312,8 +324,6 @@ get_local_name(int sock)
const char *
get_remote_ipaddr(void)
{
static char *canonical_host_ip = NULL;
/* Check whether we have cached the ipaddr. */
if (canonical_host_ip == NULL) {
if (packet_connection_is_on_socket()) {
@ -402,13 +412,11 @@ get_peer_port(int sock)
int
get_remote_port(void)
{
static int port = -1;
/* Cache to avoid getpeername() on a dead connection */
if (port == -1)
port = get_port(0);
if (cached_port == -1)
cached_port = get_port(0);
return port;
return cached_port;
}
int
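Review bot: `clear_cached_addr()` frees `canonical_host_ip`, yet `get_remote_ipaddr()` is documented right below as returning a string that "must not be freed", which callers read as a stable pointer; any caller that kept that pointer (for logging, for example) holds a dangling reference once the cache is cleared, and this function is being added precisely so the peer address can change mid-session. State the contract on the new function, e.g. `/* Invalidates pointers previously returned by get_remote_ipaddr(); callers must re-fetch after the peer address changes. */`, and audit callers that retain the value. `cached_port` has no such issue since `get_remote_port()` returns by value.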


@ -1,4 +1,4 @@
/* $OpenBSD: canohost.h,v 1.10 2009/02/12 03:00:56 djm Exp $ */
/* $OpenBSD: canohost.h,v 1.11 2009/05/27 06:31:25 andreas Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -24,6 +24,6 @@ char *get_local_name(int);
int get_remote_port(void);
int get_local_port(void);
int get_sock_port(int, int);
void clear_cached_addr(void);
void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);


@ -1,4 +1,4 @@
/* $OpenBSD: channels.c,v 1.295 2009/02/12 03:00:56 djm Exp $ */
/* $OpenBSD: channels.c,v 1.296 2009/05/25 06:48:00 andreas Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1653,6 +1653,7 @@ channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset)
}
return -1;
}
#ifndef BROKEN_TCGETATTR_ICANON
if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') {
if (tcgetattr(c->wfd, &tio) == 0 &&
!(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
@ -1666,6 +1667,7 @@ channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset)
packet_send();
}
}
#endif
buffer_consume(&c->output, len);
if (compat20 && len > 0) {
c->local_consumed += len;
@ -2431,7 +2433,7 @@ channel_input_status_confirm(int type, u_int32_t seq, void *ctxt)
int id;
/* Reset keepalive timeout */
keep_alive_timeouts = 0;
packet_set_alive_timeouts(0);
id = packet_get_int();
packet_check_eom();
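Review bot: The `#ifndef BROKEN_TCGETATTR_ICANON` wrapper disables, on platforms that define it, the whole tty block that fires when the slave has ECHO off and ICANON on (i.e. during password entry) and ends in a `packet_send()`; that looks like the simulated-echo countermeasure rather than just a hang workaround, so those builds lose the traffic-analysis mitigation for interactively typed passwords, not only the hang. That trade-off belongs in a comment at the `#ifndef`, e.g. `/* Skipped where tcgetattr() may hang (BROKEN_TCGETATTR_ICANON); note this also drops the simulated-echo padding for non-echoed input. */`, and in the configure help text for the define. `channel_handle_wfd()` begins outside this hunk.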


@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.209 2009/02/12 03:00:56 djm Exp $ */
/* $OpenBSD: clientloop.c,v 1.213 2009/07/05 19:28:33 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -109,6 +109,7 @@
#include "misc.h"
#include "match.h"
#include "msg.h"
#include "roaming.h"
/* import options */
extern Options options;
@ -491,13 +492,13 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
xfree(gc);
}
keep_alive_timeouts = 0;
packet_set_alive_timeouts(0);
}
static void
server_alive_check(void)
{
if (++keep_alive_timeouts > options.server_alive_count_max) {
if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
logit("Timeout, server not responding.");
cleanup_exit(255);
}
@ -634,8 +635,8 @@ client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr)
static void
client_process_net_input(fd_set *readset)
{
int len;
char buf[8192];
int len, cont = 0;
char buf[SSH_IOBUFSZ];
/*
* Read input from the server, and add any such data to the buffer of
@ -643,8 +644,8 @@ client_process_net_input(fd_set *readset)
*/
if (FD_ISSET(connection_in, readset)) {
/* Read as much as possible. */
len = read(connection_in, buf, sizeof(buf));
if (len == 0) {
len = roaming_read(connection_in, buf, sizeof(buf), &cont);
if (len == 0 && cont == 0) {
/*
* Received EOF. The remote host has closed the
* connection.
@ -1128,7 +1129,7 @@ static void
client_process_input(fd_set *readset)
{
int len;
char buf[8192];
char buf[SSH_IOBUFSZ];
/* Read input from stdin. */
if (FD_ISSET(fileno(stdin), readset)) {
@ -1476,6 +1477,14 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
/* Stop watching for window change. */
signal(SIGWINCH, SIG_DFL);
if (compat20) {
packet_start(SSH2_MSG_DISCONNECT);
packet_put_int(SSH2_DISCONNECT_BY_APPLICATION);
packet_put_cstring("disconnected by user");
packet_send();
packet_write_wait();
}
channel_free_all();
if (have_pty)
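Review bot: The new `roaming_read()` call treats a zero-length read as EOF only when `cont == 0`, but nothing at the call site says what `cont` means or who sets it, and the `len < 0` path is outside the hunk; a comment such as `/* cont != 0: zero-length read means the connection is being resumed, not closed */` (assuming that is the contract of roaming_read — please confirm) keeps the EOF logic readable. Separately, the added `packet_write_wait()` after `SSH2_MSG_DISCONNECT` blocks until the message is flushed, so a client exiting over a stalled connection now waits for the socket to time out; if that is acceptable it deserves a one-line comment, otherwise the wait should be bounded. `client_process_net_input()` and `client_loop()` continue outside these hunks.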


@ -69,6 +69,9 @@
/* Define if your snprintf is busted */
/* #undef BROKEN_SNPRINTF */
/* tcgetattr with ICANON may hang */
/* #undef BROKEN_TCGETATTR_ICANON */
/* updwtmpx is broken (if present) */
/* #undef BROKEN_UPDWTMPX */
@ -123,9 +126,12 @@
/* Builtin PRNG command timeout */
#define ENTROPY_TIMEOUT_MSEC 200
/* f_fsid has members */
/* fsid_t has member val */
/* #undef FSID_HAS_VAL */
/* fsid_t has member __val */
/* #undef FSID_HAS___VAL */
/* Define to 1 if the `getpgrp' function requires zero arguments. */
#define GETPGRP_VOID 1
@ -519,6 +525,9 @@
/* Define to 1 if the system has the type `in_addr_t'. */
#define HAVE_IN_ADDR_T 1
/* Define to 1 if the system has the type `in_port_t'. */
#define HAVE_IN_PORT_T 1
/* Define to 1 if you have the <lastlog.h> header file. */
/* #undef HAVE_LASTLOG_H */
@ -1227,6 +1236,9 @@
/* Define if X11 doesn't support AF_UNIX sockets on that system */
/* #undef NO_X11_UNIX_SOCKETS */
/* Define if EVP_DigestUpdate returns void */
/* #undef OPENSSL_EVP_DIGESTUPDATE_VOID */
/* libcrypto is missing AES 192 and 256 bit functions */
/* #undef OPENSSL_LOBOTOMISED_AES */
@ -1310,6 +1322,9 @@
/* Use audit debugging module */
/* #undef SSH_AUDIT_EVENTS */
/* Windows is sensitive to read buffer size */
/* #undef SSH_IOBUFSZ */
/* non-privileged user for privilege separation */
#define SSH_PRIVSEP_USER "sshd"
@ -1398,9 +1413,13 @@
/* Define if you want SELinux support. */
/* #undef WITH_SELINUX */
/* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */
/* #undef WORDS_BIGENDIAN */
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
significant byte first (like Motorola and SPARC, unlike Intel and VAX). */
#if defined __BIG_ENDIAN__
# define WORDS_BIGENDIAN 1
#elif ! defined __LITTLE_ENDIAN__
/* # undef WORDS_BIGENDIAN */
#endif
/* Define if xauth is found in your path */
/* #undef XAUTH_PATH */

@ -1,5 +1,8 @@
/* config.h.in. Generated from configure.ac by autoheader. */
/* Define if building universal (internal helper macro) */
#undef AC_APPLE_UNIVERSAL_BUILD
/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
*/
#undef AIX_GETNAMEINFO_HACK
@ -68,6 +71,9 @@
/* Define if your snprintf is busted */
#undef BROKEN_SNPRINTF
/* tcgetattr with ICANON may hang */
#undef BROKEN_TCGETATTR_ICANON
/* updwtmpx is broken (if present) */
#undef BROKEN_UPDWTMPX
@ -122,9 +128,12 @@
/* Builtin PRNG command timeout */
#undef ENTROPY_TIMEOUT_MSEC
/* f_fsid has members */
/* fsid_t has member val */
#undef FSID_HAS_VAL
/* fsid_t has member __val */
#undef FSID_HAS___VAL
/* Define to 1 if the `getpgrp' function requires zero arguments. */
#undef GETPGRP_VOID
@ -518,6 +527,9 @@
/* Define to 1 if the system has the type `in_addr_t'. */
#undef HAVE_IN_ADDR_T
/* Define to 1 if the system has the type `in_port_t'. */
#undef HAVE_IN_PORT_T
/* Define to 1 if you have the <lastlog.h> header file. */
#undef HAVE_LASTLOG_H
@ -1226,6 +1238,9 @@
/* Define if X11 doesn't support AF_UNIX sockets on that system */
#undef NO_X11_UNIX_SOCKETS
/* Define if EVP_DigestUpdate returns void */
#undef OPENSSL_EVP_DIGESTUPDATE_VOID
/* libcrypto is missing AES 192 and 256 bit functions */
#undef OPENSSL_LOBOTOMISED_AES
@ -1309,6 +1324,9 @@
/* Use audit debugging module */
#undef SSH_AUDIT_EVENTS
/* Windows is sensitive to read buffer size */
#undef SSH_IOBUFSZ
/* non-privileged user for privilege separation */
#undef SSH_PRIVSEP_USER
@ -1397,9 +1415,17 @@
/* Define if you want SELinux support. */
#undef WITH_SELINUX
/* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
significant byte first (like Motorola and SPARC, unlike Intel). */
#if defined AC_APPLE_UNIVERSAL_BUILD
# if defined __BIG_ENDIAN__
# define WORDS_BIGENDIAN 1
# endif
#else
# ifndef WORDS_BIGENDIAN
# undef WORDS_BIGENDIAN
# endif
#endif
/* Define if xauth is found in your path */
#undef XAUTH_PATH

@ -25,7 +25,7 @@
#ifndef _DEFINES_H
#define _DEFINES_H
/* $Id: defines.h,v 1.153 2009/02/01 11:19:54 dtucker Exp $ */
/* $Id: defines.h,v 1.156 2009/08/28 01:21:07 dtucker Exp $ */
/* Constants */
@ -300,6 +300,9 @@ struct sockaddr_un {
#ifndef HAVE_IN_ADDR_T
typedef u_int32_t in_addr_t;
#endif
#ifndef HAVE_IN_PORT_T
typedef u_int16_t in_port_t;
#endif
#if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE)
#define _STRUCT_WINSIZE
@ -591,6 +594,10 @@ struct winsize {
#define FSID_TO_ULONG(f) \
((((u_int64_t)(f).val[0] & 0xffffffffUL) << 32) | \
((f).val[1] & 0xffffffffUL))
#elif defined(FSID_HAS___VAL)
#define FSID_TO_ULONG(f) \
((((u_int64_t)(f).__val[0] & 0xffffffffUL) << 32) | \
((f).__val[1] & 0xffffffffUL))
#else
# define FSID_TO_ULONG(f) ((f))
#endif
@ -742,4 +749,8 @@ struct winsize {
#define INET6_ADDRSTRLEN 46
#endif
#ifndef SSH_IOBUFSZ
# define SSH_IOBUFSZ 8192
#endif
#endif /* _DEFINES_H */
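Review bot: The new `#ifndef SSH_IOBUFSZ` default carries no comment explaining why the value is overridable; config.h in this same commit describes the knob only as "Windows is sensitive to read buffer size", and clientloop.c now sizes stack arrays `char buf[SSH_IOBUFSZ]` from it. A comment such as `/* size of the per-call stack read buffers (clientloop.c); configure may lower it for platforms that misbehave with large reads */` would record the intent and discourage anyone from raising it without checking stack use.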

@ -1,4 +1,4 @@
/* $OpenBSD: gss-genr.c,v 1.19 2007/06/12 11:56:15 dtucker Exp $ */
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
/*
* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.

@ -31,7 +31,8 @@
#endif
#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \
defined(GLOB_HAS_GL_MATCHC) && \
defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0
defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0 && \
!defined(BROKEN_GLOB)
# include <glob.h>
#endif
#ifdef HAVE_ENDIAN_H

@ -1,4 +1,4 @@
/* $OpenBSD: jpake.c,v 1.1 2008/11/04 08:22:12 djm Exp $ */
/* $OpenBSD: jpake.c,v 1.2 2009/03/05 07:18:19 djm Exp $ */
/*
* Copyright (c) 2008 Damien Miller. All rights reserved.
*
@ -47,6 +47,7 @@
#include "log.h"
#include "jpake.h"
#include "schnorr.h"
#ifdef JPAKE
@ -60,165 +61,10 @@
"98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB" \
"9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
struct jpake_group *
struct modp_group *
jpake_default_group(void)
{
struct jpake_group *ret;
ret = xmalloc(sizeof(*ret));
ret->p = ret->q = ret->g = NULL;
if (BN_hex2bn(&ret->p, JPAKE_GROUP_P) == 0 ||
BN_hex2bn(&ret->g, JPAKE_GROUP_G) == 0)
fatal("%s: BN_hex2bn", __func__);
/* Subgroup order is p/2 (p is a safe prime) */
if ((ret->q = BN_new()) == NULL)
fatal("%s: BN_new", __func__);
if (BN_rshift1(ret->q, ret->p) != 1)
fatal("%s: BN_rshift1", __func__);
return ret;
}
/*
* Generate uniformly distributed random number in range (1, high).
* Return number on success, NULL on failure.
*/
BIGNUM *
bn_rand_range_gt_one(const BIGNUM *high)
{
BIGNUM *r, *tmp;
int success = -1;
if ((tmp = BN_new()) == NULL) {
error("%s: BN_new", __func__);
return NULL;
}
if ((r = BN_new()) == NULL) {
error("%s: BN_new failed", __func__);
goto out;
}
if (BN_set_word(tmp, 2) != 1) {
error("%s: BN_set_word(tmp, 2)", __func__);
goto out;
}
if (BN_sub(tmp, high, tmp) == -1) {
error("%s: BN_sub failed (tmp = high - 2)", __func__);
goto out;
}
if (BN_rand_range(r, tmp) == -1) {
error("%s: BN_rand_range failed", __func__);
goto out;
}
if (BN_set_word(tmp, 2) != 1) {
error("%s: BN_set_word(tmp, 2)", __func__);
goto out;
}
if (BN_add(r, r, tmp) == -1) {
error("%s: BN_add failed (r = r + 2)", __func__);
goto out;
}
success = 0;
out:
BN_clear_free(tmp);
if (success == 0)
return r;
BN_clear_free(r);
return NULL;
}
/*
* Hash contents of buffer 'b' with hash 'md'. Returns 0 on success,
* with digest via 'digestp' (caller to free) and length via 'lenp'.
* Returns -1 on failure.
*/
int
hash_buffer(const u_char *buf, u_int len, const EVP_MD *md,
u_char **digestp, u_int *lenp)
{
u_char digest[EVP_MAX_MD_SIZE];
u_int digest_len;
EVP_MD_CTX evp_md_ctx;
int success = -1;
EVP_MD_CTX_init(&evp_md_ctx);
if (EVP_DigestInit_ex(&evp_md_ctx, md, NULL) != 1) {
error("%s: EVP_DigestInit_ex", __func__);
goto out;
}
if (EVP_DigestUpdate(&evp_md_ctx, buf, len) != 1) {
error("%s: EVP_DigestUpdate", __func__);
goto out;
}
if (EVP_DigestFinal_ex(&evp_md_ctx, digest, &digest_len) != 1) {
error("%s: EVP_DigestFinal_ex", __func__);
goto out;
}
*digestp = xmalloc(digest_len);
*lenp = digest_len;
memcpy(*digestp, digest, *lenp);
success = 0;
out:
EVP_MD_CTX_cleanup(&evp_md_ctx);
bzero(digest, sizeof(digest));
digest_len = 0;
return success;
}
/* print formatted string followed by bignum */
void
jpake_debug3_bn(const BIGNUM *n, const char *fmt, ...)
{
char *out, *h;
va_list args;
out = NULL;
va_start(args, fmt);
vasprintf(&out, fmt, args);
va_end(args);
if (out == NULL)
fatal("%s: vasprintf failed", __func__);
if (n == NULL)
debug3("%s(null)", out);
else {
h = BN_bn2hex(n);
debug3("%s0x%s", out, h);
free(h);
}
free(out);
}
/* print formatted string followed by buffer contents in hex */
void
jpake_debug3_buf(const u_char *buf, u_int len, const char *fmt, ...)
{
char *out, h[65];
u_int i, j;
va_list args;
out = NULL;
va_start(args, fmt);
vasprintf(&out, fmt, args);
va_end(args);
if (out == NULL)
fatal("%s: vasprintf failed", __func__);
debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : "");
free(out);
if (buf == NULL)
return;
*h = '\0';
for (i = j = 0; i < len; i++) {
snprintf(h + j, sizeof(h) - j, "%02x", buf[i]);
j += 2;
if (j >= sizeof(h) - 1 || i == len - 1) {
debug3(" %s", h);
*h = '\0';
j = 0;
}
}
return modp_group_from_g_and_safe_p(JPAKE_GROUP_G, JPAKE_GROUP_P);
}
struct jpake_ctx *
@ -243,7 +89,6 @@ jpake_new(void)
return ret;
}
void
jpake_free(struct jpake_ctx *pctx)
{
@ -344,7 +189,7 @@ jpake_dump(struct jpake_ctx *pctx, const char *fmt, ...)
/* Shared parts of step 1 exchange calculation */
void
jpake_step1(struct jpake_group *grp,
jpake_step1(struct modp_group *grp,
u_char **id, u_int *id_len,
BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
u_char **priv1_proof, u_int *priv1_proof_len,
@ -383,11 +228,11 @@ jpake_step1(struct jpake_group *grp,
fatal("%s: BN_mod_exp", __func__);
/* Generate proofs for holding x1/x3 and x2/x4 */
if (schnorr_sign(grp->p, grp->q, grp->g,
if (schnorr_sign_buf(grp->p, grp->q, grp->g,
*priv1, *g_priv1, *id, *id_len,
priv1_proof, priv1_proof_len) != 0)
fatal("%s: schnorr_sign", __func__);
if (schnorr_sign(grp->p, grp->q, grp->g,
if (schnorr_sign_buf(grp->p, grp->q, grp->g,
*priv2, *g_priv2, *id, *id_len,
priv2_proof, priv2_proof_len) != 0)
fatal("%s: schnorr_sign", __func__);
@ -397,7 +242,7 @@ jpake_step1(struct jpake_group *grp,
/* Shared parts of step 2 exchange calculation */
void
jpake_step2(struct jpake_group *grp, BIGNUM *s,
jpake_step2(struct modp_group *grp, BIGNUM *s,
BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
const u_char *theirid, u_int theirid_len,
const u_char *myid, u_int myid_len,
@ -415,10 +260,10 @@ jpake_step2(struct jpake_group *grp, BIGNUM *s,
if (BN_cmp(theirpub2, BN_value_one()) <= 0)
fatal("%s: theirpub2 <= 1", __func__);
if (schnorr_verify(grp->p, grp->q, grp->g, theirpub1,
if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub1,
theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1)
fatal("%s: schnorr_verify theirpub1 failed", __func__);
if (schnorr_verify(grp->p, grp->q, grp->g, theirpub2,
if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub2,
theirid, theirid_len, theirpub2_proof, theirpub2_proof_len) != 1)
fatal("%s: schnorr_verify theirpub2 failed", __func__);
@ -459,7 +304,7 @@ jpake_step2(struct jpake_group *grp, BIGNUM *s,
JPAKE_DEBUG_BN((exponent, "%s: exponent = ", __func__));
/* Note the generator here is 'tmp', not g */
if (schnorr_sign(grp->p, grp->q, tmp, exponent, *newpub,
if (schnorr_sign_buf(grp->p, grp->q, tmp, exponent, *newpub,
myid, myid_len,
newpub_exponent_proof, newpub_exponent_proof_len) != 0)
fatal("%s: schnorr_sign newpub", __func__);
@ -496,7 +341,7 @@ jpake_confirm_hash(const BIGNUM *k,
/* Shared parts of key derivation and confirmation calculation */
void
jpake_key_confirm(struct jpake_group *grp, BIGNUM *s, BIGNUM *step2_val,
jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val,
BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
BIGNUM *theirpub1, BIGNUM *theirpub2,
const u_char *my_id, u_int my_id_len,
@ -531,7 +376,7 @@ jpake_key_confirm(struct jpake_group *grp, BIGNUM *s, BIGNUM *step2_val,
JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__));
if (schnorr_verify(grp->p, grp->q, tmp, step2_val,
if (schnorr_verify_buf(grp->p, grp->q, tmp, step2_val,
their_id, their_id_len,
theirpriv2_s_proof, theirpriv2_s_proof_len) != 1)
fatal("%s: schnorr_verify theirpriv2_s_proof failed", __func__);
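Review bot: The fatal() messages at the renamed call sites in jpake_step1 still name the old function — `fatal("%s: schnorr_sign", __func__);` twice, and `fatal("%s: schnorr_sign newpub", __func__);` in jpake_step2 — so a failure log now points at a function that is no longer called; change them to `schnorr_sign_buf` to match. jpake_step2 still rejects theirpub1/theirpub2 only when they are <= 1; whether an upper bound against grp->p and a subgroup-membership check happen elsewhere is not visible in these hunks, and since the peer-supplied values are authenticated only by the Schnorr proofs it is worth confirming that range validation before they feed BN_mod_exp. The modp_group_from_g_and_safe_p helper that replaces jpake_default_group's body lives in schnorr.c, and its failure behaviour (the old body fatal()'d on BN_hex2bn errors) is not shown here. jpake_step1, jpake_step2 and jpake_key_confirm all start or end outside their hunks.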

@ -1,4 +1,4 @@
/* $OpenBSD: jpake.h,v 1.1 2008/11/04 08:22:13 djm Exp $ */
/* $OpenBSD: jpake.h,v 1.2 2009/03/05 07:18:19 djm Exp $ */
/*
* Copyright (c) 2008 Damien Miller. All rights reserved.
*
@ -28,20 +28,16 @@
# define JPAKE_DEBUG_BUF(a)
# define JPAKE_DEBUG_CTX(a)
#else
# define JPAKE_DEBUG_BN(a) jpake_debug3_bn a
# define JPAKE_DEBUG_BUF(a) jpake_debug3_buf a
# define JPAKE_DEBUG_BN(a) debug3_bn a
# define JPAKE_DEBUG_BUF(a) debug3_buf a
# define JPAKE_DEBUG_CTX(a) jpake_dump a
#endif /* SCHNORR_DEBUG */
struct jpake_group {
BIGNUM *p, *q, *g;
};
#endif /* JPAKE_DEBUG */
#define KZP_ID_LEN 16 /* Length of client and server IDs */
struct jpake_ctx {
/* Parameters */
struct jpake_group *grp;
struct modp_group *grp;
/* Private values shared by client and server */
BIGNUM *s; /* Secret (salted, crypted password) */
@ -83,26 +79,18 @@ struct jpake_ctx {
};
/* jpake.c */
struct jpake_group *jpake_default_group(void);
BIGNUM *bn_rand_range_gt_one(const BIGNUM *high);
int hash_buffer(const u_char *, u_int, const EVP_MD *, u_char **, u_int *);
void jpake_debug3_bn(const BIGNUM *, const char *, ...)
__attribute__((__nonnull__ (2)))
__attribute__((format(printf, 2, 3)));
void jpake_debug3_buf(const u_char *, u_int, const char *, ...)
__attribute__((__nonnull__ (3)))
__attribute__((format(printf, 3, 4)));
struct modp_group *jpake_default_group(void);
void jpake_dump(struct jpake_ctx *, const char *, ...)
__attribute__((__nonnull__ (2)))
__attribute__((format(printf, 2, 3)));
struct jpake_ctx *jpake_new(void);
void jpake_free(struct jpake_ctx *);
void jpake_step1(struct jpake_group *, u_char **, u_int *,
void jpake_step1(struct modp_group *, u_char **, u_int *,
BIGNUM **, BIGNUM **, BIGNUM **, BIGNUM **,
u_char **, u_int *, u_char **, u_int *);
void jpake_step2(struct jpake_group *, BIGNUM *,
void jpake_step2(struct modp_group *, BIGNUM *,
BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
const u_char *, u_int, const u_char *, u_int,
const u_char *, u_int, const u_char *, u_int,
@ -113,7 +101,7 @@ void jpake_confirm_hash(const BIGNUM *,
const u_char *, u_int,
u_char **, u_int *);
void jpake_key_confirm(struct jpake_group *, BIGNUM *, BIGNUM *,
void jpake_key_confirm(struct modp_group *, BIGNUM *, BIGNUM *,
BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
const u_char *, u_int, const u_char *, u_int,
const u_char *, u_int, const u_char *, u_int,
@ -122,13 +110,5 @@ void jpake_key_confirm(struct jpake_group *, BIGNUM *, BIGNUM *,
int jpake_check_confirm(const BIGNUM *, const u_char *, u_int,
const u_char *, u_int, const u_char *, u_int);
/* schnorr.c */
int schnorr_sign(const BIGNUM *, const BIGNUM *, const BIGNUM *,
const BIGNUM *, const BIGNUM *, const u_char *, u_int ,
u_char **, u_int *);
int schnorr_verify(const BIGNUM *, const BIGNUM *, const BIGNUM *,
const BIGNUM *, const u_char *, u_int,
const u_char *, u_int);
#endif /* JPAKE_H */
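Review bot: jpake.h now uses `struct modp_group *` in jpake_ctx and in the jpake_step1/jpake_step2/jpake_key_confirm prototypes with no forward declaration or include of schnorr.h visible in this section; because the jpake_ctx member comes first, the tag is declared at file scope and the later prototypes resolve, but that ordering is fragile. Add `struct modp_group;` near the top of the header, as monitor_wrap.h does in this same commit, so the prototypes do not depend on jpake_ctx being defined before them.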

@ -1,4 +1,4 @@
/* $OpenBSD: kex.c,v 1.80 2008/09/06 12:24:13 djm Exp $ */
/* $OpenBSD: kex.c,v 1.81 2009/05/27 06:34:36 andreas Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@ -49,8 +49,6 @@
#include "dispatch.h"
#include "monitor.h"
#define KEX_COOKIE_LEN 16
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256

@ -1,4 +1,4 @@
/* $OpenBSD: kex.h,v 1.46 2007/06/07 19:37:34 pvalchev Exp $ */
/* $OpenBSD: kex.h,v 1.47 2009/05/27 06:34:36 andreas Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -30,6 +30,8 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
#define KEX_COOKIE_LEN 16
#define KEX_DH1 "diffie-hellman-group1-sha1"
#define KEX_DH14 "diffie-hellman-group14-sha1"
#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"

@ -1,4 +1,4 @@
/* $OpenBSD: kexdhs.c,v 1.9 2006/11/06 21:25:28 markus Exp $ */
/* $OpenBSD: kexdhs.c,v 1.10 2009/06/21 07:37:15 dtucker Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -137,7 +137,9 @@ kexdh_server(Kex *kex)
}
/* sign H */
PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
if (PRIVSEP(key_sign(server_host_key, &signature, &slen, hash,
hashlen)) < 0)
fatal("kexdh_server: key_sign failed");
/* destroy_sensitive_data(); */
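Review bot: The new failure path hardcodes the function name in its message, `fatal("kexdh_server: key_sign failed");`, whereas the other fatal() calls touched by this commit (jpake.c) use the `"%s: ...", __func__` form; `fatal("%s: key_sign failed", __func__);` keeps the message correct across renames and matches that style. The same applies to the parallel change in kexgex_server in kexgexs.c. kexdh_server's body continues outside the hunk.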

@ -1,4 +1,4 @@
/* $OpenBSD: kexgexs.c,v 1.11 2009/01/01 21:17:36 djm Exp $ */
/* $OpenBSD: kexgexs.c,v 1.12 2009/06/21 07:37:15 dtucker Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@ -179,7 +179,9 @@ kexgex_server(Kex *kex)
}
/* sign H */
PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
if (PRIVSEP(key_sign(server_host_key, &signature, &slen, hash,
hashlen)) < 0)
fatal("kexgex_server: key_sign failed");
/* destroy_sensitive_data(); */

@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.101 2009/02/12 03:26:22 djm Exp $ */
/* $OpenBSD: monitor.c,v 1.104 2009/06/12 20:43:22 andreas Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -88,6 +88,7 @@
#include "compat.h"
#include "ssh2.h"
#include "jpake.h"
#include "roaming.h"
#ifdef GSSAPI
static Gssctxt *gsscontext = NULL;
@ -100,7 +101,6 @@ extern Newkeys *current_keys[];
extern z_stream incoming_stream;
extern z_stream outgoing_stream;
extern u_char session_id[];
extern Buffer input, output;
extern Buffer auth_debug;
extern int auth_debug_init;
extern Buffer loginmsg;
@ -126,6 +126,8 @@ struct {
u_int ilen;
u_char *output;
u_int olen;
u_int64_t sent_bytes;
u_int64_t recv_bytes;
} child_state;
/* Functions on the monitor that answer unprivileged requests */
@ -1670,15 +1672,20 @@ monitor_apply_keystate(struct monitor *pmonitor)
/* Network I/O buffers */
/* XXX inefficient for large buffers, need: buffer_init_from_string */
buffer_clear(&input);
buffer_append(&input, child_state.input, child_state.ilen);
buffer_clear(packet_get_input());
buffer_append(packet_get_input(), child_state.input, child_state.ilen);
memset(child_state.input, 0, child_state.ilen);
xfree(child_state.input);
buffer_clear(&output);
buffer_append(&output, child_state.output, child_state.olen);
buffer_clear(packet_get_output());
buffer_append(packet_get_output(), child_state.output,
child_state.olen);
memset(child_state.output, 0, child_state.olen);
xfree(child_state.output);
/* Roaming */
if (compat20)
roam_set_bytes(child_state.sent_bytes, child_state.recv_bytes);
}
static Kex *
@ -1794,6 +1801,12 @@ mm_get_keystate(struct monitor *pmonitor)
child_state.input = buffer_get_string(&m, &child_state.ilen);
child_state.output = buffer_get_string(&m, &child_state.olen);
/* Roaming */
if (compat20) {
child_state.sent_bytes = buffer_get_int64(&m);
child_state.recv_bytes = buffer_get_int64(&m);
}
buffer_free(&m);
}
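Review bot: The new `u_int64_t sent_bytes;` / `u_int64_t recv_bytes;` members of child_state carry no comment saying what they hold or where they come from, unlike the surrounding buffered packet state; something like `/* roaming byte counters exported by the preauth child in mm_send_keystate() */` would help. These counters arrive from the unprivileged child over the monitor socket and are passed straight to roam_set_bytes() under compat20; that is the same trust already placed in the child's input/output buffers, but the comment should say that the monitor does not validate them. mm_get_keystate and monitor_apply_keystate both begin outside their hunks.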

@ -1,4 +1,4 @@
/* $OpenBSD: monitor_mm.c,v 1.15 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: monitor_mm.c,v 1.16 2009/06/22 05:39:28 dtucker Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.

@ -1,4 +1,4 @@
/* $OpenBSD: monitor_wrap.c,v 1.64 2008/11/04 08:22:13 djm Exp $ */
/* $OpenBSD: monitor_wrap.c,v 1.68 2009/06/22 05:39:28 dtucker Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -71,19 +71,19 @@
#include "atomicio.h"
#include "monitor_fdpass.h"
#include "misc.h"
#include "schnorr.h"
#include "jpake.h"
#include "channels.h"
#include "session.h"
#include "servconf.h"
#include "roaming.h"
/* Imports */
extern int compat20;
extern Newkeys *newkeys[];
extern z_stream incoming_stream;
extern z_stream outgoing_stream;
extern struct monitor *pmonitor;
extern Buffer input, output;
extern Buffer loginmsg;
extern ServerOptions options;
@ -508,7 +508,7 @@ mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp)
Enc *enc;
Mac *mac;
Comp *comp;
Newkeys *newkey = newkeys[mode];
Newkeys *newkey = (Newkeys *)packet_get_newkeys(mode);
debug3("%s: converting %p", __func__, newkey);
@ -570,7 +570,7 @@ mm_send_kex(Buffer *m, Kex *kex)
void
mm_send_keystate(struct monitor *monitor)
{
Buffer m;
Buffer m, *input, *output;
u_char *blob, *p;
u_int bloblen, plen;
u_int32_t seqnr, packets;
@ -608,7 +608,8 @@ mm_send_keystate(struct monitor *monitor)
}
debug3("%s: Sending new keys: %p %p",
__func__, newkeys[MODE_OUT], newkeys[MODE_IN]);
__func__, packet_get_newkeys(MODE_OUT),
packet_get_newkeys(MODE_IN));
/* Keys from Kex */
if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen))
@ -655,8 +656,16 @@ mm_send_keystate(struct monitor *monitor)
buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream));
/* Network I/O buffers */
buffer_put_string(&m, buffer_ptr(&input), buffer_len(&input));
buffer_put_string(&m, buffer_ptr(&output), buffer_len(&output));
input = (Buffer *)packet_get_input();
output = (Buffer *)packet_get_output();
buffer_put_string(&m, buffer_ptr(input), buffer_len(input));
buffer_put_string(&m, buffer_ptr(output), buffer_len(output));
/* Roaming */
if (compat20) {
buffer_put_int64(&m, get_sent_bytes());
buffer_put_int64(&m, get_recv_bytes());
}
mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m);
debug3("%s: Finished sending state", __func__);
@ -1282,7 +1291,7 @@ mm_auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
}
void
mm_jpake_step1(struct jpake_group *grp,
mm_jpake_step1(struct modp_group *grp,
u_char **id, u_int *id_len,
BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
u_char **priv1_proof, u_int *priv1_proof_len,
@ -1317,7 +1326,7 @@ mm_jpake_step1(struct jpake_group *grp,
}
void
mm_jpake_step2(struct jpake_group *grp, BIGNUM *s,
mm_jpake_step2(struct modp_group *grp, BIGNUM *s,
BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
const u_char *theirid, u_int theirid_len,
const u_char *myid, u_int myid_len,
@ -1357,7 +1366,7 @@ mm_jpake_step2(struct jpake_group *grp, BIGNUM *s,
}
void
mm_jpake_key_confirm(struct jpake_group *grp, BIGNUM *s, BIGNUM *step2_val,
mm_jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val,
BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
BIGNUM *theirpub1, BIGNUM *theirpub2,
const u_char *my_id, u_int my_id_len,
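Review bot: The `(Newkeys *)` and `(Buffer *)` casts on `packet_get_newkeys(mode)`, `packet_get_input()` and `packet_get_output()` in mm_newkeys_to_blob and mm_send_keystate are redundant in C (a `void *` converts implicitly) and they paper over the loss of type checking introduced by the `void *` accessors in packet.h; if those accessors returned `Newkeys *`/`Buffer *` the casts could go entirely. The new locals in mm_send_keystate, `Buffer m, *input, *output;`, reuse the names of the file-scope `extern Buffer input, output;` that this hunk removes, which is correct but easy to misread in a diff; a comment such as `/* local views onto the packet layer's I/O buffers */` at the assignments would make the switch explicit. mm_send_keystate's body extends beyond the hunk.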

@ -1,4 +1,4 @@
/* $OpenBSD: monitor_wrap.h,v 1.21 2008/11/04 08:22:13 djm Exp $ */
/* $OpenBSD: monitor_wrap.h,v 1.22 2009/03/05 07:18:19 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -102,17 +102,17 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int mm_skey_respond(void *, u_int, char **);
/* jpake */
struct jpake_group;
struct modp_group;
void mm_auth2_jpake_get_pwdata(struct Authctxt *, BIGNUM **, char **, char **);
void mm_jpake_step1(struct jpake_group *, u_char **, u_int *,
void mm_jpake_step1(struct modp_group *, u_char **, u_int *,
BIGNUM **, BIGNUM **, BIGNUM **, BIGNUM **,
u_char **, u_int *, u_char **, u_int *);
void mm_jpake_step2(struct jpake_group *, BIGNUM *,
void mm_jpake_step2(struct modp_group *, BIGNUM *,
BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
const u_char *, u_int, const u_char *, u_int,
const u_char *, u_int, const u_char *, u_int,
BIGNUM **, u_char **, u_int *);
void mm_jpake_key_confirm(struct jpake_group *, BIGNUM *, BIGNUM *,
void mm_jpake_key_confirm(struct modp_group *, BIGNUM *, BIGNUM *,
BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
const u_char *, u_int, const u_char *, u_int,
const u_char *, u_int, const u_char *, u_int,

@ -39,9 +39,6 @@
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/utsname.h>
#include <sys/vfs.h>
#include <fcntl.h>
#include <stdlib.h>
@ -49,11 +46,6 @@
#include <windows.h>
#include "xmalloc.h"
#define is_winnt (GetVersion() < 0x80000000)
#define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec"))
#define ntsec_off(c) ((c) && strstr((c),"nontsec"))
#define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
int
binary_open(const char *filename, int flags, ...)
@ -79,128 +71,12 @@ binary_pipe(int fd[2])
return (ret);
}
#define HAS_CREATE_TOKEN 1
#define HAS_NTSEC_BY_DEFAULT 2
#define HAS_CREATE_TOKEN_WO_NTSEC 3
static int
has_capability(int what)
{
static int inited;
static int has_create_token;
static int has_ntsec_by_default;
static int has_create_token_wo_ntsec;
/*
* has_capability() basically calls uname() and checks if
* specific capabilities of Cygwin can be evaluated from that.
* This simplifies the calling functions which only have to ask
* for a capability using has_capability() instead of having
* to figure that out by themselves.
*/
if (!inited) {
struct utsname uts;
if (!uname(&uts)) {
int major_high = 0, major_low = 0, minor = 0;
int api_major_version = 0, api_minor_version = 0;
char *c;
sscanf(uts.release, "%d.%d.%d", &major_high,
&major_low, &minor);
if ((c = strchr(uts.release, '(')) != NULL) {
sscanf(c + 1, "%d.%d", &api_major_version,
&api_minor_version);
}
if (major_high > 1 ||
(major_high == 1 && (major_low > 3 ||
(major_low == 3 && minor >= 2))))
has_create_token = 1;
if (api_major_version > 0 || api_minor_version >= 56)
has_ntsec_by_default = 1;
if (major_high > 1 ||
(major_high == 1 && major_low >= 5))
has_create_token_wo_ntsec = 1;
inited = 1;
}
}
switch (what) {
case HAS_CREATE_TOKEN:
return (has_create_token);
case HAS_NTSEC_BY_DEFAULT:
return (has_ntsec_by_default);
case HAS_CREATE_TOKEN_WO_NTSEC:
return (has_create_token_wo_ntsec);
}
return (0);
}
int
check_nt_auth(int pwd_authenticated, struct passwd *pw)
{
/*
* The only authentication which is able to change the user
* context on NT systems is the password authentication. So
* we deny all requsts for changing the user context if another
* authentication method is used.
*
* This doesn't apply to Cygwin versions >= 1.3.2 anymore which
* uses the undocumented NtCreateToken() call to create a user
* token if the process has the appropriate privileges and if
* CYGWIN ntsec setting is on.
*/
static int has_create_token = -1;
if (pw == NULL)
return 0;
if (is_winnt) {
if (has_create_token < 0) {
char *cygwin = getenv("CYGWIN");
has_create_token = 0;
if (has_capability(HAS_CREATE_TOKEN) &&
(ntsec_on(cygwin) ||
(has_capability(HAS_NTSEC_BY_DEFAULT) &&
!ntsec_off(cygwin)) ||
has_capability(HAS_CREATE_TOKEN_WO_NTSEC)))
has_create_token = 1;
}
if (has_create_token < 1 &&
!pwd_authenticated && geteuid() != pw->pw_uid)
return (0);
}
return (1);
}
int
check_ntsec(const char *filename)
{
return (pathconf(filename, _PC_POSIX_PERMISSIONS));
}
void
register_9x_service(void)
{
HINSTANCE kerneldll;
DWORD (*RegisterServiceProcess)(DWORD, DWORD);
/* The service register mechanism in 9x/Me is pretty different from
* NT/2K/XP. In NT/2K/XP we're using a special service starter
* application to register and control sshd as service. This method
* doesn't play nicely with 9x/Me. For that reason we register here
* as service when running under 9x/Me. This function is only called
* by the child sshd when it's going to daemonize.
*/
if (is_winnt)
return;
if (!(kerneldll = LoadLibrary("KERNEL32.DLL")))
return;
if (!(RegisterServiceProcess = (DWORD (*)(DWORD, DWORD))
GetProcAddress(kerneldll, "RegisterServiceProcess")))
return;
RegisterServiceProcess(0, 1);
}
#define NL(x) x, (sizeof (x) - 1)
#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0]))

@ -1,4 +1,4 @@
/* $Id: bsd-cygwin_util.h,v 1.11 2004/08/30 10:42:08 dtucker Exp $ */
/* $Id: bsd-cygwin_util.h,v 1.12 2009/03/08 00:40:28 dtucker Exp $ */
/*
* Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com>
@ -35,7 +35,6 @@
#ifdef HAVE_CYGWIN
#undef ERROR
#define is_winnt (GetVersion() < 0x80000000)
#include <windows.h>
#include <sys/cygwin.h>
@ -43,9 +42,7 @@
int binary_open(const char *, int , ...);
int binary_pipe(int fd[2]);
int check_nt_auth(int, struct passwd *);
int check_ntsec(const char *);
void register_9x_service(void);
char **fetch_windows_environment(void);
void free_windows_environment(char **);

@ -57,18 +57,8 @@ daemon(int nochdir, int noclose)
case -1:
return (-1);
case 0:
#ifdef HAVE_CYGWIN
register_9x_service();
#endif
break;
default:
#ifdef HAVE_CYGWIN
/*
* This sleep avoids a race condition which kills the
* child process if parent is started by a NT/W2K service.
*/
sleep(1);
#endif
_exit(0);
}

@ -143,7 +143,7 @@ u_int32_t _getlong(register const u_char *);
/* ************** */
#define ANSWER_BUFFER_SIZE 1024*64
#define ANSWER_BUFFER_SIZE 0xffff
struct dns_query {
char *name;
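Review bot: The new `#define ANSWER_BUFFER_SIZE 0xffff` replaces 1024*64 with no comment on why; presumably it is the largest DNS message a 16-bit length field can describe (65535, one less than the old value), and a comment such as `/* largest DNS message: 16-bit length prefix */` would record that. If the buffer length is ever stored in a `u_int16_t` elsewhere in this file, the old value of 65536 would have wrapped to 0, which would explain the change and is worth stating. The `struct dns_query` definition that follows is cut off by the hunk.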

@ -1,4 +1,4 @@
/* $Id: openssl-compat.c,v 1.6 2008/02/28 08:13:52 dtucker Exp $ */
/* $Id: openssl-compat.c,v 1.8 2009/03/07 11:22:35 dtucker Exp $ */
/*
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@ -49,6 +49,15 @@ ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
}
#endif
#ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
int
ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt)
{
EVP_DigestUpdate(ctx, d, cnt);
return 1;
}
#endif
#ifdef USE_OPENSSL_ENGINE
void
ssh_SSLeay_add_all_algorithms(void)
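Review bot: ssh_EVP_DigestUpdate calls `EVP_DigestUpdate(ctx, d, cnt);`, and openssl-compat.h in this same commit redefines `EVP_DigestUpdate(a,b,c)` to `ssh_EVP_DigestUpdate((a),(b),(c))` under the same OPENSSL_EVP_DIGESTUPDATE_VOID guard; the wrapper is therefore only correct if this file sees the header with its overloading macros suppressed (as the existing ssh_EVP_CIPHER_CTX_cleanup wrapper above it must already rely on), otherwise the call recurses. A one-line comment on the function, `/* openssl-compat.h is included here without its overloading macros, so this is the real EVP_DigestUpdate */`, would make that dependency visible. The wrapper also takes `unsigned int cnt`; if the OpenSSL prototype for the builds this guard targets uses `size_t`, the macro silently narrows the length, which is worth confirming.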

@ -1,4 +1,4 @@
/* $Id: openssl-compat.h,v 1.12 2008/02/28 08:22:04 dtucker Exp $ */
/* $Id: openssl-compat.h,v 1.14 2009/03/07 11:22:35 dtucker Exp $ */
/*
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@ -80,6 +80,10 @@ extern const EVP_CIPHER *evp_acss(void);
# define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a))
# endif /* SSH_OLD_EVP */
# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
# define EVP_DigestUpdate(a,b,c) ssh_EVP_DigestUpdate((a),(b),(c))
# endif
# ifdef USE_OPENSSL_ENGINE
# ifdef SSLeay_add_all_algorithms
# undef SSLeay_add_all_algorithms

@ -57,6 +57,8 @@
#include "port-aix.h"
static char *lastlogin_msg = NULL;
# ifdef HAVE_SETAUTHDB
static char old_registry[REGISTRY_SIZE] = "";
# endif
@ -276,23 +278,30 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm,
Buffer *loginmsg)
{
char *msg = NULL;
static int msg_done = 0;
int success = 0;
aix_setauthdb(user);
if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
success = 1;
if (msg != NULL && loginmsg != NULL && !msg_done) {
if (msg != NULL) {
debug("AIX/loginsuccess: msg %s", msg);
buffer_append(loginmsg, msg, strlen(msg));
xfree(msg);
msg_done = 1;
if (lastlogin_msg == NULL)
lastlogin_msg = msg;
}
}
aix_restoreauthdb();
return (success);
}
char *
sys_auth_get_lastlogin_msg(const char *user, uid_t uid)
{
char *msg = lastlogin_msg;
lastlogin_msg = NULL;
return msg;
}
# ifdef CUSTOM_FAILED_LOGIN
/*
* record_failed_login: generic "login failed" interface function
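Review bot: In sys_auth_record_login the message returned by loginsuccess() is kept only when `lastlogin_msg == NULL`; on any later call the freshly allocated `msg` is neither stored nor freed, so it leaks. Change the assignment to `if (lastlogin_msg == NULL) lastlogin_msg = msg; else xfree(msg);` (or free the stored one before replacing it, whichever matches the intended "first message wins" semantics). sys_auth_get_lastlogin_msg hands ownership of the buffer to the caller and clears the static, so a comment stating that the caller must xfree() the result would help; its `user`/`uid` parameters are unused, which is fine for an interface hook but deserves a word. sys_auth_record_login's signature line is outside the hunk.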

@ -1,4 +1,4 @@
/* $Id: port-aix.h,v 1.29 2008/03/09 05:36:55 dtucker Exp $ */
/* $Id: port-aix.h,v 1.31 2009/08/20 06:20:50 dtucker Exp $ */
/*
*
@ -71,6 +71,11 @@ int passwdexpired(char *, char **);
# include <sys/timers.h>
#endif
/* for setpcred and friends */
#ifdef HAVE_USERSEC_H
# include <usersec.h>
#endif
/*
* According to the setauthdb man page, AIX password registries must be 15
* chars or less plus terminating NUL.
@ -87,6 +92,8 @@ void aix_usrinfo(struct passwd *);
int sys_auth_allowed_user(struct passwd *, Buffer *);
# define CUSTOM_SYS_AUTH_RECORD_LOGIN 1
int sys_auth_record_login(const char *, const char *, const char *, Buffer *);
# define CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG
char *sys_auth_get_lastlogin_msg(const char *, uid_t);
# define CUSTOM_FAILED_LOGIN 1
#endif

@ -1,4 +1,4 @@
/* $OpenBSD: packet.h,v 1.49 2008/07/10 18:08:11 markus Exp $ */
/* $OpenBSD: packet.h,v 1.52 2009/06/27 09:29:06 andreas Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -39,6 +39,7 @@ void packet_set_authenticated(void);
void packet_start(u_char);
void packet_put_char(int ch);
void packet_put_int(u_int value);
void packet_put_int64(u_int64_t value);
void packet_put_bignum(BIGNUM * value);
void packet_put_bignum2(BIGNUM * value);
void packet_put_string(const void *buf, u_int len);
@ -55,6 +56,7 @@ int packet_read_poll_seqnr(u_int32_t *seqnr_p);
u_int packet_get_char(void);
u_int packet_get_int(void);
u_int64_t packet_get_int64(void);
void packet_get_bignum(BIGNUM * value);
void packet_get_bignum2(BIGNUM * value);
void *packet_get_raw(u_int *length_ptr);
@ -72,6 +74,7 @@ void packet_get_state(int, u_int32_t *, u_int64_t *, u_int32_t *, u_int64_t *);
void packet_set_state(int, u_int32_t, u_int64_t, u_int32_t, u_int64_t);
int packet_get_ssh1_cipher(void);
void packet_set_iv(int, u_char *);
void *packet_get_newkeys(int);
void packet_write_poll(void);
void packet_write_wait(void);
@ -87,10 +90,10 @@ void packet_add_padding(u_char);
void tty_make_modes(int, struct termios *);
void tty_parse_modes(int, int *);
extern u_int max_packet_size;
extern int keep_alive_timeouts;
void packet_set_alive_timeouts(int);
int packet_inc_alive_timeouts(void);
int packet_set_maxsize(u_int);
#define packet_get_maxsize() max_packet_size
u_int packet_get_maxsize(void);
/* don't allow remaining bytes after the end of the message */
#define packet_check_eom() \
@ -106,4 +109,10 @@ do { \
int packet_need_rekeying(void);
void packet_set_rekey_limit(u_int32_t);
void packet_backup_state(void);
void packet_restore_state(void);
void *packet_get_input(void);
void *packet_get_output(void);
#endif /* PACKET_H */


@ -1,4 +1,4 @@
/* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */
/* $OpenBSD: readconf.c,v 1.177 2009/06/27 09:35:06 andreas Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -133,7 +133,7 @@ typedef enum {
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oZeroKnowledgePasswordAuthentication,
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
oVersionAddendum,
oDeprecated, oUnsupported
} OpCodes;
@ -232,6 +232,7 @@ static struct {
{ "localcommand", oLocalCommand },
{ "permitlocalcommand", oPermitLocalCommand },
{ "visualhostkey", oVisualHostKey },
{ "useroaming", oUseRoaming },
#ifdef JPAKE
{ "zeroknowledgepasswordauthentication",
oZeroKnowledgePasswordAuthentication },
@ -931,6 +932,10 @@ process_config_line(Options *options, const char *host,
intptr = &options->visual_host_key;
goto parse_flag;
case oUseRoaming:
intptr = &options->use_roaming;
goto parse_flag;
case oVersionAddendum:
ssh_version_set_addendum(strtok(s, "\n"));
do {
@ -1087,6 +1092,7 @@ initialize_options(Options * options)
options->tun_remote = -1;
options->local_command = NULL;
options->permit_local_command = -1;
options->use_roaming = -1;
options->visual_host_key = -1;
options->zero_knowledge_password_authentication = -1;
}
@ -1223,6 +1229,8 @@ fill_default_options(Options * options)
options->tun_remote = SSH_TUNID_ANY;
if (options->permit_local_command == -1)
options->permit_local_command = 0;
if (options->use_roaming == -1)
options->use_roaming = 1;
if (options->visual_host_key == -1)
options->visual_host_key = 0;
if (options->zero_knowledge_password_authentication == -1)
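Review bot: The new client option is switched on by default at `if (options->use_roaming == -1) options->use_roaming = 1;` in fill_default_options, so every client negotiates the roaming extension unless the user explicitly disables it, and none of the hunks shown document the `useroaming` keyword. A protocol extension that is on by default and undocumented widens the client's exposed surface without the user knowing it is there; either default it to 0 until it is documented, or at least record the decision at the default: `/* UseRoaming defaults to on; keep ssh_config(5) in sync */`. fill_default_options continues outside the hunk.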


@ -1,4 +1,4 @@
/* $OpenBSD: readconf.h,v 1.78 2009/02/12 03:00:56 djm Exp $ */
/* $OpenBSD: readconf.h,v 1.79 2009/06/27 09:35:06 andreas Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -123,6 +123,8 @@ typedef struct {
int permit_local_command;
int visual_host_key;
int use_roaming;
} Options;
#define SSHCTL_MASTER_NO 0

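--- /dev/null
+++ b/crypto/openssh/roaming.h
@@ -0,0 +1,38 @@
+/* $OpenBSD: roaming.h,v 1.4 2009/06/27 09:32:43 andreas Exp $ */
+/*
+* Copyright (c) 2004-2009 AppGate Network Security AB
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+#ifndef ROAMING_H
+#define ROAMING_H
+#define DEFAULT_ROAMBUF 65536
+extern int resume_in_progress;
+int get_snd_buf_size(void);
+int get_recv_buf_size(void);
+void add_recv_bytes(u_int64_t);
+void set_out_buffer_size(size_t);
+ssize_t roaming_write(int, const void *, size_t, int *);
+ssize_t roaming_read(int, void *, size_t, int *);
+size_t roaming_atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
+u_int64_t get_recv_bytes(void);
+u_int64_t get_sent_bytes(void);
+void roam_set_bytes(u_int64_t, u_int64_t);
+void resend_bytes(int, u_int64_t *);
+int resume_kex(void);
+#endif /* ROAMING */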
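Review bot: The closing `#endif /* ROAMING */` does not match the guard `#ifndef ROAMING_H` opened at the top of the file; make it `#endif /* ROAMING_H */`. The prototypes also use `u_int64_t`, `size_t` and `ssize_t` without including `<sys/types.h>`, so the header is not self-contained and only compiles when the includer has pulled that in first, which roaming_common.c and roaming_dummy.c happen to do. A one-line comment above the prototypes stating what the module is for — judging by resend_bytes and resume_kex, presumably tracking bytes sent and received so a session can be resumed on a new connection — would tell readers why these counters exist.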


@ -0,0 +1,201 @@
/* $OpenBSD: roaming_common.c,v 1.5 2009/06/27 09:32:43 andreas Exp $ */
/*
* Copyright (c) 2004-2009 AppGate Network Security AB
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <errno.h>
#ifdef HAVE_INTTYPES_H
#include <inttypes.h>
#endif
#include <stdarg.h>
#include <string.h>
#include <unistd.h>
#include "atomicio.h"
#include "log.h"
#include "packet.h"
#include "xmalloc.h"
#include "cipher.h"
#include "buffer.h"
#include "roaming.h"
static size_t out_buf_size = 0;
static char *out_buf = NULL;
static size_t out_start;
static size_t out_last;
static u_int64_t write_bytes = 0;
static u_int64_t read_bytes = 0;
int roaming_enabled = 0;
int resume_in_progress = 0;
int
get_snd_buf_size()
{
int fd = packet_get_connection_out();
int optval, optvallen;
optvallen = sizeof(optval);
if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &optval, &optvallen) != 0)
optval = DEFAULT_ROAMBUF;
return optval;
}
int
get_recv_buf_size()
{
int fd = packet_get_connection_in();
int optval, optvallen;
optvallen = sizeof(optval);
if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &optval, &optvallen) != 0)
optval = DEFAULT_ROAMBUF;
return optval;
}
void
set_out_buffer_size(size_t size)
{
/*
* The buffer size can only be set once and the buffer will live
* as long as the session lives.
*/
if (out_buf == NULL) {
out_buf_size = size;
out_buf = xmalloc(size);
out_start = 0;
out_last = 0;
}
}
u_int64_t
get_recv_bytes(void)
{
return read_bytes;
}
void
add_recv_bytes(u_int64_t num)
{
read_bytes += num;
}
u_int64_t
get_sent_bytes(void)
{
return write_bytes;
}
void
roam_set_bytes(u_int64_t sent, u_int64_t recvd)
{
read_bytes = recvd;
write_bytes = sent;
}
static void
buf_append(const char *buf, size_t count)
{
if (count > out_buf_size) {
buf += count - out_buf_size;
count = out_buf_size;
}
if (count < out_buf_size - out_last) {
memcpy(out_buf + out_last, buf, count);
if (out_start > out_last)
out_start += count;
out_last += count;
} else {
/* data will wrap */
size_t chunk = out_buf_size - out_last;
memcpy(out_buf + out_last, buf, chunk);
memcpy(out_buf, buf + chunk, count - chunk);
out_last = count - chunk;
out_start = out_last + 1;
}
}
ssize_t
roaming_write(int fd, const void *buf, size_t count, int *cont)
{
ssize_t ret;
ret = write(fd, buf, count);
if (ret > 0 && !resume_in_progress) {
write_bytes += ret;
if (out_buf_size > 0)
buf_append(buf, ret);
}
debug3("Wrote %ld bytes for a total of %llu", (long)ret,
(unsigned long long)write_bytes);
return ret;
}
ssize_t
roaming_read(int fd, void *buf, size_t count, int *cont)
{
ssize_t ret = read(fd, buf, count);
if (ret > 0) {
if (!resume_in_progress) {
read_bytes += ret;
}
}
return ret;
}
size_t
roaming_atomicio(ssize_t(*f)(int, void*, size_t), int fd, void *buf,
size_t count)
{
size_t ret = atomicio(f, fd, buf, count);
if (f == vwrite && ret > 0 && !resume_in_progress) {
write_bytes += ret;
} else if (f == read && ret > 0 && !resume_in_progress) {
read_bytes += ret;
}
return ret;
}
void
resend_bytes(int fd, u_int64_t *offset)
{
size_t available, needed;
if (out_start < out_last)
available = out_last - out_start;
else
available = out_buf_size;
needed = write_bytes - *offset;
debug3("resend_bytes: resend %lu bytes from %llu",
(unsigned long)needed, (unsigned long long)*offset);
if (needed > available)
fatal("Needed to resend more data than in the cache");
if (out_last < needed) {
int chunkend = needed - out_last;
atomicio(vwrite, fd, out_buf + out_buf_size - chunkend,
chunkend);
atomicio(vwrite, fd, out_buf, out_last);
} else {
atomicio(vwrite, fd, out_buf + (out_last - needed), needed);
}
}
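Review bot: roaming_atomicio adds successful writes to `write_bytes` but, unlike roaming_write, never hands them to buf_append, so after any write through this path resend_bytes computes `needed = write_bytes - *offset` against a cache that does not contain those bytes and either replays the wrong window or hits the `Needed to resend more data than in the cache` fatal. Unless every roaming_atomicio write happens before set_out_buffer_size is called (not visible here), the vwrite branch should mirror roaming_write: `write_bytes += ret; if (out_buf_size > 0) buf_append(buf, ret);`. Separately, `int optvallen` in get_snd_buf_size and get_recv_buf_size should be `socklen_t`, which is the type getsockopt(2) takes. Note also that neither roaming_read nor roaming_write here ever writes `*cont`, so callers must initialise it themselves.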


@ -0,0 +1,61 @@
/* $OpenBSD: roaming_dummy.c,v 1.3 2009/06/21 09:04:03 dtucker Exp $ */
/*
* Copyright (c) 2004-2009 AppGate Network Security AB
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* This file is included in the client programs which should not
* support roaming.
*/
#include "includes.h"
#include <sys/types.h>
#include <unistd.h>
#include "roaming.h"
int resume_in_progress = 0;
u_int64_t
get_recv_bytes(void)
{
return 0;
}
ssize_t
roaming_write(int fd, const void *buf, size_t count, int *cont)
{
return write(fd, buf, count);
}
ssize_t
roaming_read(int fd, void *buf, size_t count, int *cont)
{
if (cont)
*cont = 0;
return read(fd, buf, count);
}
void
add_recv_bytes(u_int64_t num)
{
}
int
resume_kex(void)
{
return 1;
}
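Review bot: This stub roaming_read writes `*cont = 0` (guarded against NULL), whereas the roaming_common.c version never writes `*cont`, so the two implementations disagree on who initialises the out-parameter; callers such as process_input in serverloop.c set `int cont = 0` before the call, and roaming.h should state that: `/* *cont is an out-parameter; callers must initialise it to 0 */`. The stub also defines only five of the functions roaming.h declares, which is fine as long as the programs built with it never reference the others — presumably the case, but a comment listing what is intentionally omitted would make that link-time contract explicit.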


@ -1,4 +1,4 @@
/* $OpenBSD: schnorr.c,v 1.2 2009/02/18 04:31:21 djm Exp $ */
/* $OpenBSD: schnorr.c,v 1.3 2009/03/05 07:18:19 djm Exp $ */
/* $FreeBSD$ */
/*
* Copyright (c) 2008 Damien Miller. All rights reserved.
@ -41,38 +41,36 @@
#include "buffer.h"
#include "log.h"
#include "jpake.h"
#include "schnorr.h"
#ifdef JPAKE
#include "openbsd-compat/openssl-compat.h"
/* #define SCHNORR_DEBUG */ /* Privacy-violating debugging */
/* #define SCHNORR_MAIN */ /* Include main() selftest */
/* XXX */
/* Parametise signature hash? (sha256, sha1, etc.) */
/* Signature format - include type name, hash type, group params? */
#ifndef SCHNORR_DEBUG
# define SCHNORR_DEBUG_BN(a)
# define SCHNORR_DEBUG_BUF(a)
#else
# define SCHNORR_DEBUG_BN(a) jpake_debug3_bn a
# define SCHNORR_DEBUG_BUF(a) jpake_debug3_buf a
# define SCHNORR_DEBUG_BN(a) debug3_bn a
# define SCHNORR_DEBUG_BUF(a) debug3_buf a
#endif /* SCHNORR_DEBUG */
/*
* Calculate hash component of Schnorr signature H(g || g^v || g^x || id)
* using SHA1. Returns signature as bignum or NULL on error.
* using the hash function defined by "evp_md". Returns signature as
* bignum or NULL on error.
*/
static BIGNUM *
schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
const BIGNUM *g_v, const BIGNUM *g_x,
const EVP_MD *evp_md, const BIGNUM *g_v, const BIGNUM *g_x,
const u_char *id, u_int idlen)
{
u_char *digest;
u_int digest_len;
BIGNUM *h;
EVP_MD_CTX evp_md_ctx;
Buffer b;
int success = -1;
@ -82,7 +80,6 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
}
buffer_init(&b);
EVP_MD_CTX_init(&evp_md_ctx);
/* h = H(g || p || q || g^v || g^x || id) */
buffer_put_bignum2(&b, g);
@ -94,7 +91,7 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
"%s: hashblob", __func__));
if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(),
if (hash_buffer(buffer_ptr(&b), buffer_len(&b), evp_md,
&digest, &digest_len) != 0) {
error("%s: hash_buffer", __func__);
goto out;
@ -107,7 +104,6 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
SCHNORR_DEBUG_BN((h, "%s: h = ", __func__));
out:
buffer_free(&b);
EVP_MD_CTX_cleanup(&evp_md_ctx);
bzero(digest, digest_len);
xfree(digest);
digest_len = 0;
@ -120,18 +116,20 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
/*
* Generate Schnorr signature to prove knowledge of private value 'x' used
* in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
* using the hash function "evp_md".
* 'idlen' bytes from 'id' will be included in the signature hash as an anti-
* replay salt.
* On success, 0 is returned and *siglen bytes of signature are returned in
* *sig (caller to free). Returns -1 on failure.
*
* On success, 0 is returned. The signature values are returned as *e_p
* (g^v mod p) and *r_p (v - xh mod q). The caller must free these values.
* On failure, -1 is returned.
*/
int
schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen,
u_char **sig, u_int *siglen)
const EVP_MD *evp_md, const BIGNUM *x, const BIGNUM *g_x,
const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p)
{
int success = -1;
Buffer b;
BIGNUM *h, *tmp, *v, *g_v, *r;
BN_CTX *bn_ctx;
@ -174,7 +172,7 @@ schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__));
/* h = H(g || g^v || g^x || id) */
if ((h = schnorr_hash(grp_p, grp_q, grp_g, g_v, g_x,
if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, g_v, g_x,
id, idlen)) == NULL) {
error("%s: schnorr_hash failed", __func__);
goto out;
@ -189,19 +187,12 @@ schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
error("%s: BN_mod_mul (r = v - tmp)", __func__);
goto out;
}
SCHNORR_DEBUG_BN((g_v, "%s: e = ", __func__));
SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
/* Signature is (g_v, r) */
buffer_init(&b);
/* XXX sigtype-hash as string? */
buffer_put_bignum2(&b, g_v);
buffer_put_bignum2(&b, r);
*siglen = buffer_len(&b);
*sig = xmalloc(*siglen);
memcpy(*sig, buffer_ptr(&b), *siglen);
SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
"%s: sigblob", __func__));
buffer_free(&b);
*e_p = g_v;
*r_p = r;
success = 0;
out:
BN_CTX_free(bn_ctx);
@ -209,29 +200,65 @@ schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
BN_clear_free(h);
if (v != NULL)
BN_clear_free(v);
BN_clear_free(r);
BN_clear_free(g_v);
BN_clear_free(tmp);
return success;
}
/*
* Verify Schnorr signature 'sig' of length 'siglen' against public exponent
* g_x (g^x) under group defined by 'grp_p', 'grp_q' and 'grp_g'.
* Generate Schnorr signature to prove knowledge of private value 'x' used
* in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
* using a SHA256 hash.
* 'idlen' bytes from 'id' will be included in the signature hash as an anti-
* replay salt.
* On success, 0 is returned and *siglen bytes of signature are returned in
* *sig (caller to free). Returns -1 on failure.
*/
int
schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen,
u_char **sig, u_int *siglen)
{
Buffer b;
BIGNUM *r, *e;
if (schnorr_sign(grp_p, grp_q, grp_g, EVP_sha256(),
x, g_x, id, idlen, &r, &e) != 0)
return -1;
/* Signature is (e, r) */
buffer_init(&b);
/* XXX sigtype-hash as string? */
buffer_put_bignum2(&b, e);
buffer_put_bignum2(&b, r);
*siglen = buffer_len(&b);
*sig = xmalloc(*siglen);
memcpy(*sig, buffer_ptr(&b), *siglen);
SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
"%s: sigblob", __func__));
buffer_free(&b);
BN_clear_free(r);
BN_clear_free(e);
return 0;
}
/*
* Verify Schnorr signature { r (v - xh mod q), e (g^v mod p) } against
* public exponent g_x (g^x) under group defined by 'grp_p', 'grp_q' and
* 'grp_g' using hash "evp_md".
* Signature hash will be salted with 'idlen' bytes from 'id'.
* Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
*/
int
schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
const BIGNUM *g_x, const u_char *id, u_int idlen,
const u_char *sig, u_int siglen)
const EVP_MD *evp_md, const BIGNUM *g_x, const u_char *id, u_int idlen,
const BIGNUM *r, const BIGNUM *e)
{
int success = -1;
Buffer b;
BIGNUM *g_v, *h, *r, *g_xh, *g_r, *expected;
BIGNUM *h, *g_xh, *g_r, *expected;
BN_CTX *bn_ctx;
u_int rlen;
SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));
@ -241,39 +268,23 @@ schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
return -1;
}
g_v = h = r = g_xh = g_r = expected = NULL;
h = g_xh = g_r = expected = NULL;
if ((bn_ctx = BN_CTX_new()) == NULL) {
error("%s: BN_CTX_new", __func__);
goto out;
}
if ((g_v = BN_new()) == NULL ||
(r = BN_new()) == NULL ||
(g_xh = BN_new()) == NULL ||
if ((g_xh = BN_new()) == NULL ||
(g_r = BN_new()) == NULL ||
(expected = BN_new()) == NULL) {
error("%s: BN_new", __func__);
goto out;
}
/* Extract g^v and r from signature blob */
buffer_init(&b);
buffer_append(&b, sig, siglen);
SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
"%s: sigblob", __func__));
buffer_get_bignum2(&b, g_v);
buffer_get_bignum2(&b, r);
rlen = buffer_len(&b);
buffer_free(&b);
if (rlen != 0) {
error("%s: remaining bytes in signature %d", __func__, rlen);
goto out;
}
buffer_free(&b);
SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__));
SCHNORR_DEBUG_BN((e, "%s: e = ", __func__));
SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
/* h = H(g || g^v || g^x || id) */
if ((h = schnorr_hash(grp_p, grp_q, grp_g, g_v, g_x,
if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, e, g_x,
id, idlen)) == NULL) {
error("%s: schnorr_hash failed", __func__);
goto out;
@ -300,20 +311,248 @@ schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
}
SCHNORR_DEBUG_BN((expected, "%s: expected = ", __func__));
/* Check g_v == expected */
success = BN_cmp(expected, g_v) == 0;
/* Check e == expected */
success = BN_cmp(expected, e) == 0;
out:
BN_CTX_free(bn_ctx);
if (h != NULL)
BN_clear_free(h);
BN_clear_free(g_v);
BN_clear_free(r);
BN_clear_free(g_xh);
BN_clear_free(g_r);
BN_clear_free(expected);
return success;
}
/*
* Verify Schnorr signature 'sig' of length 'siglen' against public exponent
* g_x (g^x) under group defined by 'grp_p', 'grp_q' and 'grp_g' using a
* SHA256 hash.
* Signature hash will be salted with 'idlen' bytes from 'id'.
* Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
*/
int
schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q,
const BIGNUM *grp_g,
const BIGNUM *g_x, const u_char *id, u_int idlen,
const u_char *sig, u_int siglen)
{
Buffer b;
int ret = -1;
u_int rlen;
BIGNUM *r, *e;
e = r = NULL;
if ((e = BN_new()) == NULL ||
(r = BN_new()) == NULL) {
error("%s: BN_new", __func__);
goto out;
}
/* Extract g^v and r from signature blob */
buffer_init(&b);
buffer_append(&b, sig, siglen);
SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
"%s: sigblob", __func__));
buffer_get_bignum2(&b, e);
buffer_get_bignum2(&b, r);
rlen = buffer_len(&b);
buffer_free(&b);
if (rlen != 0) {
error("%s: remaining bytes in signature %d", __func__, rlen);
goto out;
}
ret = schnorr_verify(grp_p, grp_q, grp_g, EVP_sha256(),
g_x, id, idlen, r, e);
out:
BN_clear_free(e);
BN_clear_free(r);
return ret;
}
/* Helper functions */
/*
* Generate uniformly distributed random number in range (1, high).
* Return number on success, NULL on failure.
*/
BIGNUM *
bn_rand_range_gt_one(const BIGNUM *high)
{
BIGNUM *r, *tmp;
int success = -1;
if ((tmp = BN_new()) == NULL) {
error("%s: BN_new", __func__);
return NULL;
}
if ((r = BN_new()) == NULL) {
error("%s: BN_new failed", __func__);
goto out;
}
if (BN_set_word(tmp, 2) != 1) {
error("%s: BN_set_word(tmp, 2)", __func__);
goto out;
}
if (BN_sub(tmp, high, tmp) == -1) {
error("%s: BN_sub failed (tmp = high - 2)", __func__);
goto out;
}
if (BN_rand_range(r, tmp) == -1) {
error("%s: BN_rand_range failed", __func__);
goto out;
}
if (BN_set_word(tmp, 2) != 1) {
error("%s: BN_set_word(tmp, 2)", __func__);
goto out;
}
if (BN_add(r, r, tmp) == -1) {
error("%s: BN_add failed (r = r + 2)", __func__);
goto out;
}
success = 0;
out:
BN_clear_free(tmp);
if (success == 0)
return r;
BN_clear_free(r);
return NULL;
}
/*
* Hash contents of buffer 'b' with hash 'md'. Returns 0 on success,
* with digest via 'digestp' (caller to free) and length via 'lenp'.
* Returns -1 on failure.
*/
int
hash_buffer(const u_char *buf, u_int len, const EVP_MD *md,
u_char **digestp, u_int *lenp)
{
u_char digest[EVP_MAX_MD_SIZE];
u_int digest_len;
EVP_MD_CTX evp_md_ctx;
int success = -1;
EVP_MD_CTX_init(&evp_md_ctx);
if (EVP_DigestInit_ex(&evp_md_ctx, md, NULL) != 1) {
error("%s: EVP_DigestInit_ex", __func__);
goto out;
}
if (EVP_DigestUpdate(&evp_md_ctx, buf, len) != 1) {
error("%s: EVP_DigestUpdate", __func__);
goto out;
}
if (EVP_DigestFinal_ex(&evp_md_ctx, digest, &digest_len) != 1) {
error("%s: EVP_DigestFinal_ex", __func__);
goto out;
}
*digestp = xmalloc(digest_len);
*lenp = digest_len;
memcpy(*digestp, digest, *lenp);
success = 0;
out:
EVP_MD_CTX_cleanup(&evp_md_ctx);
bzero(digest, sizeof(digest));
digest_len = 0;
return success;
}
/* print formatted string followed by bignum */
void
debug3_bn(const BIGNUM *n, const char *fmt, ...)
{
char *out, *h;
va_list args;
out = NULL;
va_start(args, fmt);
vasprintf(&out, fmt, args);
va_end(args);
if (out == NULL)
fatal("%s: vasprintf failed", __func__);
if (n == NULL)
debug3("%s(null)", out);
else {
h = BN_bn2hex(n);
debug3("%s0x%s", out, h);
free(h);
}
free(out);
}
/* print formatted string followed by buffer contents in hex */
void
debug3_buf(const u_char *buf, u_int len, const char *fmt, ...)
{
char *out, h[65];
u_int i, j;
va_list args;
out = NULL;
va_start(args, fmt);
vasprintf(&out, fmt, args);
va_end(args);
if (out == NULL)
fatal("%s: vasprintf failed", __func__);
debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : "");
free(out);
if (buf == NULL)
return;
*h = '\0';
for (i = j = 0; i < len; i++) {
snprintf(h + j, sizeof(h) - j, "%02x", buf[i]);
j += 2;
if (j >= sizeof(h) - 1 || i == len - 1) {
debug3(" %s", h);
*h = '\0';
j = 0;
}
}
}
/*
* Construct a MODP group from hex strings p (which must be a safe
* prime) and g, automatically calculating subgroup q as (p / 2)
*/
struct modp_group *
modp_group_from_g_and_safe_p(const char *grp_g, const char *grp_p)
{
struct modp_group *ret;
ret = xmalloc(sizeof(*ret));
ret->p = ret->q = ret->g = NULL;
if (BN_hex2bn(&ret->p, grp_p) == 0 ||
BN_hex2bn(&ret->g, grp_g) == 0)
fatal("%s: BN_hex2bn", __func__);
/* Subgroup order is p/2 (p is a safe prime) */
if ((ret->q = BN_new()) == NULL)
fatal("%s: BN_new", __func__);
if (BN_rshift1(ret->q, ret->p) != 1)
fatal("%s: BN_rshift1", __func__);
return ret;
}
void
modp_group_free(struct modp_group *grp)
{
if (grp->g != NULL)
BN_clear_free(grp->g);
if (grp->p != NULL)
BN_clear_free(grp->p);
if (grp->q != NULL)
BN_clear_free(grp->q);
bzero(grp, sizeof(*grp));
xfree(grp);
}
/* main() function for self-test */
#ifdef SCHNORR_MAIN
static void
schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q,
@ -331,16 +570,17 @@ schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q,
if (BN_mod_exp(g_x, grp_g, x, grp_p, bn_ctx) == -1)
fatal("%s: g_x", __func__);
if (schnorr_sign(grp_p, grp_q, grp_g, x, g_x, "junk", 4, &sig, &siglen))
if (schnorr_sign_buf(grp_p, grp_q, grp_g, x, g_x, "junk", 4,
&sig, &siglen))
fatal("%s: schnorr_sign", __func__);
if (schnorr_verify(grp_p, grp_q, grp_g, g_x, "junk", 4,
if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4,
sig, siglen) != 1)
fatal("%s: verify fail", __func__);
if (schnorr_verify(grp_p, grp_q, grp_g, g_x, "JUNK", 4,
if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "JUNK", 4,
sig, siglen) != 0)
fatal("%s: verify should have failed (bad ID)", __func__);
sig[4] ^= 1;
if (schnorr_verify(grp_p, grp_q, grp_g, g_x, "junk", 4,
if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4,
sig, siglen) != 0)
fatal("%s: verify should have failed (bit error)", __func__);
xfree(sig);
@ -352,7 +592,7 @@ static void
schnorr_selftest(void)
{
BIGNUM *x;
struct jpake_group *grp;
struct modp_group *grp;
u_int i;
char *hh;
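Review bot: bn_rand_range_gt_one tests `BN_sub`, `BN_rand_range` and `BN_add` against -1, but these OpenSSL BN functions return 1 on success and 0 on failure, so a failed subtraction or, more seriously, a failed random draw is never detected and r is returned holding a predictable value; the three checks should read `if (BN_sub(tmp, high, tmp) != 1)`, `if (BN_rand_range(r, tmp) != 1)` and `if (BN_add(r, r, tmp) != 1)`, matching the `!= 1` form already used for BN_set_word in the same function. Since this helper presumably supplies the per-signature secret v for schnorr_sign, silently returning a non-random v would undermine the proof, so this is worth fixing before the code is relied upon. In schnorr_sign, if the `BN_clear_free(r)` and `BN_clear_free(g_v)` lines at the `out:` label are the removed side of that hunk (as the hand-over to `*e_p` and `*r_p` requires), r and g_v now leak on every failure path after their allocation; freeing them when `success != 0` would close that. The selftest in the last hunk continues outside this view.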

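--- /dev/null
+++ b/crypto/openssh/schnorr.h
@@ -0,0 +1,60 @@
+/* $OpenBSD: schnorr.h,v 1.1 2009/03/05 07:18:19 djm Exp $ */
+/*
+* Copyright (c) 2009 Damien Miller. All rights reserved.
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+#ifndef SCHNORR_H
+#define SCHNORR_H
+#include <sys/types.h>
+#include <openssl/bn.h>
+struct modp_group {
+BIGNUM *p, *q, *g;
+};
+BIGNUM *bn_rand_range_gt_one(const BIGNUM *high);
+int hash_buffer(const u_char *, u_int, const EVP_MD *, u_char **, u_int *);
+void debug3_bn(const BIGNUM *, const char *, ...)
+__attribute__((__nonnull__ (2)))
+__attribute__((format(printf, 2, 3)));
+void debug3_buf(const u_char *, u_int, const char *, ...)
+__attribute__((__nonnull__ (3)))
+__attribute__((format(printf, 3, 4)));
+struct modp_group *modp_group_from_g_and_safe_p(const char *, const char *);
+void modp_group_free(struct modp_group *);
+/* Signature and verification functions */
+int
+schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
+const EVP_MD *evp_md, const BIGNUM *x, const BIGNUM *g_x,
+const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p);
+int
+schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
+const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen,
+u_char **sig, u_int *siglen);
+int
+schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
+const EVP_MD *evp_md, const BIGNUM *g_x, const u_char *id, u_int idlen,
+const BIGNUM *r, const BIGNUM *e);
+int
+schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q,
+const BIGNUM *grp_g,
+const BIGNUM *g_x, const u_char *id, u_int idlen,
+const u_char *sig, u_int siglen);
+#endif /* JPAKE_H */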
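Review bot: The closing `#endif /* JPAKE_H */` looks carried over from jpake.h and does not match the `#ifndef SCHNORR_H` guard; make it `#endif /* SCHNORR_H */`. The header declares hash_buffer, schnorr_sign and schnorr_verify with `const EVP_MD *` but includes only `<openssl/bn.h>`, so it compiles only when the includer has already pulled in `<openssl/evp.h>`; adding that include makes the header self-contained. A short comment above the signature section stating the ownership and return contract — schnorr_sign hands `*r_p` and `*e_p` to the caller to free, and schnorr_verify returns -1 on error, 0 on mismatch and 1 on a matching signature, as schnorr.c documents — would save readers a trip into the implementation.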


@ -1,4 +1,4 @@
/* $OpenBSD: servconf.c,v 1.194 2009/01/22 10:02:34 djm Exp $ */
/* $OpenBSD: servconf.c,v 1.195 2009/04/14 21:10:54 jj Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -345,7 +345,7 @@ static struct {
{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
#ifdef KRB5
{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
@ -419,10 +419,10 @@ static struct {
{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
{ "match", sMatch, SSHCFG_ALL },
{ "match", sMatch, SSHCFG_ALL },
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
@ -1386,7 +1386,7 @@ parse_server_match_config(ServerOptions *options, const char *user,
/*
* Copy any supported values that are set.
*
* If the preauth flag is set, we do not bother copying the the string or
* If the preauth flag is set, we do not bother copying the string or
* array values that are not used pre-authentication, because any that we
* do use must be explictly sent in mm_getpwnamallow().
*/


@ -1,4 +1,4 @@
/* $OpenBSD: serverloop.c,v 1.157 2009/02/12 03:16:01 djm Exp $ */
/* $OpenBSD: serverloop.c,v 1.159 2009/05/28 16:50:16 andreas Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -78,6 +78,7 @@
#include "auth-options.h"
#include "serverloop.h"
#include "misc.h"
#include "roaming.h"
extern ServerOptions options;
@ -249,7 +250,7 @@ client_alive_check(void)
int channel_id;
/* timeout, check to see how many we have had */
if (++keep_alive_timeouts > options.client_alive_count_max) {
if (packet_inc_alive_timeouts() > options.client_alive_count_max) {
logit("Timeout, client not responding.");
cleanup_exit(255);
}
@ -391,8 +392,11 @@ process_input(fd_set *readset)
/* Read and buffer any input data from the client. */
if (FD_ISSET(connection_in, readset)) {
len = read(connection_in, buf, sizeof(buf));
int cont = 0;
len = roaming_read(connection_in, buf, sizeof(buf), &cont);
if (len == 0) {
if (cont)
return;
verbose("Connection closed by %.100s",
get_remote_ipaddr());
connection_closed = 1;
@ -890,7 +894,7 @@ server_input_keep_alive(int type, u_int32_t seq, void *ctxt)
* even if this was generated by something other than
* the bogus CHANNEL_REQUEST we send for keepalives.
*/
keep_alive_timeouts = 0;
packet_set_alive_timeouts(0);
}
static void
@ -1120,7 +1124,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
no_port_forwarding_flag ||
(!want_reply && listen_port == 0)
#ifndef NO_IPPORT_RESERVED_CONCEPT
|| (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)
|| (listen_port != 0 && listen_port < IPPORT_RESERVED &&
pw->pw_uid != 0)
#endif
) {
success = 0;
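Review bot: The added `listen_port != 0 &&` lets an unprivileged user's request for a dynamically allocated listen port (port 0) bypass the IPPORT_RESERVED check, so the privileged-port policy now rests on the code that actually binds the socket (outside this hunk) never handing a non-root user a port below IPPORT_RESERVED; that holds where the ephemeral range starts above 1024, but it is an assumption worth recording at the condition: `/* port 0: the OS picks an ephemeral port, assumed >= IPPORT_RESERVED */`. In process_input, the `int cont = 0;` initialisation is load-bearing because roaming_common.c's roaming_read never writes `*cont`; a comment there would keep it from being dropped. server_input_global_request continues outside this view.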


@ -1,4 +1,4 @@
/* $OpenBSD: session.c,v 1.245 2009/01/22 09:46:01 djm Exp $ */
/* $OpenBSD: session.c,v 1.246 2009/04/17 19:23:06 stevesk Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -572,8 +572,7 @@ do_exec_no_pty(Session *s, const char *command)
signal(WJSIGNAL, cray_job_termination_handler);
#endif /* _UNICOS */
#ifdef HAVE_CYGWIN
if (is_winnt)
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
#endif
s->pid = pid;
@ -717,8 +716,8 @@ do_exec_pty(Session *s, const char *command)
* Do common processing for the child, such as execing
* the command.
*/
do_child(s, command);
/* NOTREACHED */
do_child(s, command);
/* NOTREACHED */
default:
break;
}
@ -727,8 +726,7 @@ do_exec_pty(Session *s, const char *command)
signal(WJSIGNAL, cray_job_termination_handler);
#endif /* _UNICOS */
#ifdef HAVE_CYGWIN
if (is_winnt)
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
#endif
s->pid = pid;
@ -848,7 +846,7 @@ do_login(Session *s, const char *command)
fromlen = sizeof(from);
if (packet_connection_is_on_socket()) {
if (getpeername(packet_get_connection_in(),
(struct sockaddr *) & from, &fromlen) < 0) {
(struct sockaddr *)&from, &fromlen) < 0) {
debug("getpeername: %.100s", strerror(errno));
cleanup_exit(255);
}
@ -1135,7 +1133,7 @@ do_setup_env(Session *s, const char *shell)
u_int i, envsize;
char **env, *laddr;
struct passwd *pw = s->pw;
#ifndef HAVE_LOGIN_CAP
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL;
#else
extern char **environ;
@ -1498,11 +1496,6 @@ do_setusercontext(struct passwd *pw)
if (getuid() == 0 || geteuid() == 0)
#endif /* HAVE_CYGWIN */
{
#ifdef HAVE_SETPCRED
if (setpcred(pw->pw_name, (char **)NULL) == -1)
fatal("Failed to set process credentials");
#endif /* HAVE_SETPCRED */
#ifdef HAVE_LOGIN_CAP
# ifdef __bsdi__
setpgid(0, 0);
@ -1570,6 +1563,10 @@ do_setusercontext(struct passwd *pw)
free(chroot_path);
}
#ifdef HAVE_SETPCRED
if (setpcred(pw->pw_name, (char **)NULL) == -1)
fatal("Failed to set process credentials");
#endif /* HAVE_SETPCRED */
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
perror("unable to set user context (setuser)");
@ -1581,9 +1578,6 @@ do_setusercontext(struct passwd *pw)
#endif
}
#ifdef HAVE_CYGWIN
if (is_winnt)
#endif
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
@ -1824,7 +1818,7 @@ do_child(Session *s, const char *command)
int i;
char *p, *args;
setproctitle("%s@internal-sftp-server", s->pw->pw_name);
setproctitle("%s@%s", s->pw->pw_name, INTERNAL_SFTP_NAME);
args = xstrdup(command ? command : "sftp-server");
for (i = 0, (p = strtok(args, " ")); p; (p = strtok(NULL, " ")))
if (i < ARGV_MAX - 1)
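Review bot: The post-privilege-drop sanity check at L3080 verifies only the real and effective uid; now that the Cygwin-only `is_winnt` guard is gone and the check runs on every platform, it would be worth asserting the group side as well, e.g. `if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) fatal("Failed to set gids to %u.", (u_int) pw->pw_gid);`, assuming the group switch happens earlier in do_setusercontext, which starts and ends outside this section. The setpcred() block relocated to L3067-L3070 now executes after the chroot; if setpcred reads credential databases from the filesystem it may behave differently inside the chroot, so a one-line comment stating why the call was moved (the motivation is not visible here) would help the next reader. The change at L3086 to `INTERNAL_SFTP_NAME` is fine but the macro's definition is not in view, so I am assuming it carries the previous "internal-sftp-server" string.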


@ -1,4 +1,4 @@
/* $OpenBSD: sftp-client.c,v 1.86 2008/06/26 06:10:09 djm Exp $ */
/* $OpenBSD: sftp-client.c,v 1.87 2009/06/22 05:39:28 dtucker Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*


@ -1,4 +1,5 @@
.\" $OpenBSD: sftp-server.8,v 1.14 2008/07/18 22:51:01 jmc Exp $
.\" $OpenBSD: sftp-server.8,v 1.15 2009/03/26 08:38:39 sobrado Exp $
.\" $FreeBSD$
.\"
.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
.\"
@ -22,7 +23,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd July 18 2008
.Dd March 26 2009
.Dt SFTP-SERVER 8
.Os
.Sh NAME
@ -79,7 +80,7 @@ must be able to access
.Pa /dev/log .
Use of
.Nm
in a chroot configuation therefore requires that
in a chroot configuration therefore requires that
.Xr syslogd 8
establish a logging socket inside the chroot directory.
.Sh SEE ALSO


@ -1,4 +1,4 @@
/* $OpenBSD: sftp-server.c,v 1.84 2008/06/26 06:10:09 djm Exp $ */
/* $OpenBSD: sftp-server.c,v 1.85 2009/04/14 16:33:42 stevesk Exp $ */
/*
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
*
@ -1041,7 +1041,7 @@ process_rename(void)
else if (S_ISREG(sb.st_mode)) {
/* Race-free rename of regular files */
if (link(oldpath, newpath) == -1) {
if (errno == EOPNOTSUPP
if (errno == EOPNOTSUPP || errno == ENOSYS
#ifdef EXDEV
|| errno == EXDEV
#endif
@ -1341,7 +1341,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
while (!skipargs && (ch = getopt(argc, argv, "C:f:l:che")) != -1) {
while (!skipargs && (ch = getopt(argc, argv, "f:l:che")) != -1) {
switch (ch) {
case 'c':
/*
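Review bot: Adding ENOSYS at L3141 widens the set of link(2) failures that fall through to the non-atomic rename path below the hunk, so the comment `/* Race-free rename of regular files */` at L3138 now overstates the guarantee on platforms without a working link(2); I would reword it to `/* Race-free rename of regular files where link(2) works; falls back to plain rename(2) otherwise */`. The fallback itself is outside this hunk, so I am inferring it from the shape of the condition. The `C:` dropped from the getopt string at L3149 should be paired with removal of the matching `case 'C':` handler, which is not visible here; if that handler survives it becomes dead code. process_rename and sftp_server_main both start and end outside this section.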


@ -1,4 +1,5 @@
.\" $OpenBSD: ssh-agent.1,v 1.46 2007/09/09 11:38:01 sobrado Exp $
.\" $OpenBSD: ssh-agent.1,v 1.47 2009/03/26 08:38:39 sobrado Exp $
.\" $FreeBSD$
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -34,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd June 5 2007
.Dd March 26 2009
.Dt SSH-AGENT 1
.Os
.Sh NAME
@ -141,7 +142,7 @@ The second is that the agent prints the needed shell commands (either
.Xr sh 1
or
.Xr csh 1
syntax can be generated) which can be evalled in the calling shell, eg
syntax can be generated) which can be evaluated in the calling shell, eg
.Cm eval `ssh-agent -s`
for Bourne-type shells such as
.Xr sh 1


@ -1,4 +1,4 @@
/* $OpenBSD: ssh-agent.c,v 1.159 2008/06/28 14:05:15 djm Exp $ */
/* $OpenBSD: ssh-agent.c,v 1.161 2009/03/23 19:38:04 tobias Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1062,6 +1062,7 @@ main(int ac, char **av)
pid_t pid;
char pidstrbuf[1 + 3 * sizeof pid];
struct timeval *tvp = NULL;
size_t len;
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
@ -1123,8 +1124,8 @@ main(int ac, char **av)
if (ac == 0 && !c_flag && !s_flag) {
shell = getenv("SHELL");
if (shell != NULL &&
strncmp(shell + strlen(shell) - 3, "csh", 3) == 0)
if (shell != NULL && (len = strlen(shell)) > 2 &&
strncmp(shell + len - 3, "csh", 3) == 0)
c_flag = 1;
}
if (k_flag) {
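Review bot: The guard `(len = strlen(shell)) > 2` at L3202 is correct (it is the minimum that keeps `shell + len - 3` inside the string) but it encodes the suffix length indirectly; `len >= 3` or `len >= sizeof("csh") - 1` states the intent and ties the bound to the literal being compared. A short comment such as `/* need at least 3 chars before looking for a "csh" suffix */` would also help, since the original out-of-bounds read is the reason this line exists. main() starts and ends outside this section.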


@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.173 2009/02/21 19:32:04 tobias Exp $ */
/* $OpenBSD: ssh-keygen.c,v 1.174 2009/06/22 05:39:28 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland


@ -34,9 +34,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.282 2009/02/12 03:44:25 djm Exp $
.\" $OpenBSD: ssh.1,v 1.283 2009/03/19 15:15:09 jmc Exp $
.\" $FreeBSD$
.Dd February 12 2009
.Dd March 19 2009
.Dt SSH 1
.Os
.Sh NAME
@ -192,26 +192,9 @@ For protocol version 2,
.Ar cipher_spec
is a comma-separated list of ciphers
listed in order of preference.
The supported ciphers are:
3des-cbc,
aes128-cbc,
aes192-cbc,
aes256-cbc,
aes128-ctr,
aes192-ctr,
aes256-ctr,
arcfour128,
arcfour256,
arcfour,
blowfish-cbc,
and
cast128-cbc.
The default is:
.Bd -literal -offset indent
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr
.Ed
See the
.Cm Ciphers
keyword for more information.
.It Fl D Xo
.Sm off
.Oo Ar bind_address : Oc


@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.324 2009/02/12 03:00:56 djm Exp $ */
/* $OpenBSD: ssh.c,v 1.326 2009/07/02 02:11:47 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -49,6 +49,7 @@ __RCSID("$FreeBSD$");
#endif
#include <sys/resource.h>
#include <sys/ioctl.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <ctype.h>
@ -204,8 +205,8 @@ void muxserver_listen(void);
int
main(int ac, char **av)
{
int i, opt, exit_status, use_syslog;
char *p, *cp, *line, buf[256];
int i, r, opt, exit_status, use_syslog;
char *p, *cp, *line, *argv0, buf[MAXPATHLEN];
struct stat st;
struct passwd *pw;
int dummy, timeout_ms;
@ -271,6 +272,7 @@ main(int ac, char **av)
/* Parse command-line arguments. */
host = NULL;
use_syslog = 0;
argv0 = av[0];
again:
while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
@ -601,7 +603,7 @@ main(int ac, char **av)
* Initialize "log" output. Since we are the client all output
* actually goes to stderr.
*/
log_init(av[0],
log_init(argv0,
options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
SYSLOG_FACILITY_USER, !use_syslog);
@ -614,9 +616,10 @@ main(int ac, char **av)
fatal("Can't open user config file %.100s: "
"%.100s", config, strerror(errno));
} else {
snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
_PATH_SSH_USER_CONFFILE);
(void)read_config_file(buf, host, &options, 1);
if (r > 0 && (size_t)r < sizeof(buf))
(void)read_config_file(buf, host, &options, 1);
/* Read systemwide configuration file after use config. */
(void)read_config_file(_PATH_HOST_CONFIG_FILE, host,
@ -629,7 +632,7 @@ main(int ac, char **av)
channel_set_af(options.address_family);
/* reinit */
log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, !use_syslog);
log_init(argv0, options.log_level, SYSLOG_FACILITY_USER, !use_syslog);
seed_rng();
@ -784,9 +787,9 @@ main(int ac, char **av)
* Now that we are back to our own permissions, create ~/.ssh
* directory if it doesn't already exist.
*/
snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir,
r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
if (stat(buf, &st) < 0)
if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
if (mkdir(buf, 0700) < 0)
error("Could not create directory '%.200s'.", buf);
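Review bot: When the path built at L3308 does not fit in buf, the new guard at L3311 silently skips the user's ~/.ssh/config instead of reporting it, so a user with an unusually long home directory loses every setting in that file (including host-key and forwarding options) without any indication; I would add `else error("Path to %s too long; skipping user config", _PATH_SSH_USER_CONFFILE);` after the read. The same silent skip applies to the ~/.ssh creation at L3329, where a too-long path now means the directory is never made and nothing is logged. Dropping the `%.100s` truncation of pw->pw_dir is the right call, since a truncated component could previously have named a different directory than intended. main() starts and ends outside this section.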


@ -45,4 +45,4 @@
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# VersionAddendum FreeBSD-20090522
# VersionAddendum FreeBSD-20091001


@ -1073,7 +1073,7 @@ in
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
The default is
.Dq FreeBSD-20090522 .
.Dq FreeBSD-20091001 .
.It Cm VisualHostKey
If this flag is set to
.Dq yes ,


@ -153,6 +153,7 @@
#define ciphers_valid ssh_ciphers_valid
#define cleanhostname ssh_cleanhostname
#define cleanup_exit ssh_cleanup_exit
#define clear_cached_addr ssh_clear_cached_addr
#define colon ssh_colon
#define compat_cipher_proposal ssh_compat_cipher_proposal
#define compat_datafellows ssh_compat_datafellows
@ -279,6 +280,7 @@
#define ms_to_timeval ssh_ms_to_timeval
#define mysignal ssh_mysignal
#define packet_add_padding ssh_packet_add_padding
#define packet_backup_state ssh_packet_backup_state
#define packet_close ssh_packet_close
#define packet_connection_is_ipv4 ssh_packet_connection_is_ipv4
#define packet_connection_is_on_socket ssh_packet_connection_is_on_socket
@ -289,10 +291,15 @@
#define packet_get_connection_in ssh_packet_get_connection_in
#define packet_get_connection_out ssh_packet_get_connection_out
#define packet_get_encryption_key ssh_packet_get_encryption_key
#define packet_get_input ssh_packet_get_input
#define packet_get_int ssh_packet_get_int
#define packet_get_int64 ssh_packet_get_int64
#define packet_get_keycontext ssh_packet_get_keycontext
#define packet_get_keyiv ssh_packet_get_keyiv
#define packet_get_keyiv_len ssh_packet_get_keyiv_len
#define packet_get_maxsize ssh_packet_get_maxsize
#define packet_get_newkeys ssh_packet_get_newkeys
#define packet_get_output ssh_packet_get_output
#define packet_get_protocol_flags ssh_packet_get_protocol_flags
#define packet_get_raw ssh_packet_get_raw
#define packet_get_ssh1_cipher ssh_packet_get_ssh1_cipher
@ -300,6 +307,7 @@
#define packet_get_string ssh_packet_get_string
#define packet_get_string_ptr ssh_packet_get_string_ptr
#define packet_have_data_to_write ssh_packet_have_data_to_write
#define packet_inc_alive_timeouts ssh_packet_inc_alive_timeouts
#define packet_is_interactive ssh_packet_is_interactive
#define packet_need_rekeying ssh_packet_need_rekeying
#define packet_not_very_much_data_to_write ssh_packet_not_very_much_data_to_write
@ -309,6 +317,7 @@
#define packet_put_char ssh_packet_put_char
#define packet_put_cstring ssh_packet_put_cstring
#define packet_put_int ssh_packet_put_int
#define packet_put_int64 ssh_packet_put_int64
#define packet_put_raw ssh_packet_put_raw
#define packet_put_string ssh_packet_put_string
#define packet_read ssh_packet_read
@ -317,9 +326,11 @@
#define packet_read_poll_seqnr ssh_packet_read_poll_seqnr
#define packet_read_seqnr ssh_packet_read_seqnr
#define packet_remaining ssh_packet_remaining
#define packet_restore_state ssh_packet_restore_state
#define packet_send ssh_packet_send
#define packet_send_debug ssh_packet_send_debug
#define packet_send_ignore ssh_packet_send_ignore
#define packet_set_alive_timeouts ssh_packet_set_alive_timeouts
#define packet_set_authenticated ssh_packet_set_authenticated
#define packet_set_connection ssh_packet_set_connection
#define packet_set_encryption_key ssh_packet_set_encryption_key


@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.c,v 1.212 2008/10/14 18:11:33 stevesk Exp $ */
/* $OpenBSD: sshconnect.c,v 1.214 2009/05/28 16:50:16 andreas Exp $ */
/* $FreeBSD$ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -57,6 +57,7 @@
#include "atomicio.h"
#include "misc.h"
#include "dns.h"
#include "roaming.h"
#include "version.h"
char *client_version_string = NULL;
@ -414,7 +415,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
* Waits for the server identification string, and sends our own
* identification string.
*/
static void
void
ssh_exchange_identification(int timeout_ms)
{
char buf[256], remote_version[256]; /* must be same size! */
@ -453,7 +454,7 @@ ssh_exchange_identification(int timeout_ms)
}
}
len = atomicio(read, connection_in, &buf[i], 1);
len = roaming_atomicio(read, connection_in, &buf[i], 1);
if (len != 1 && errno == EPIPE)
fatal("ssh_exchange_identification: "
@ -538,7 +539,8 @@ ssh_exchange_identification(int timeout_ms)
compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
compat20 ? PROTOCOL_MINOR_2 : minor1,
SSH_VERSION, compat20 ? "\r\n" : "\n");
if (atomicio(vwrite, connection_out, buf, strlen(buf)) != strlen(buf))
if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf))
!= strlen(buf))
fatal("write: %.100s", strerror(errno));
client_version_string = xstrdup(buf);
chop(client_version_string);
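Review bot: ssh_exchange_identification changes from static to external at L3437 without a comment saying why; since sshconnect.h now declares it and roaming.h is newly included at L3429, I would add `/* Exported: the roaming reconnect path re-runs the identification exchange on a new socket. */` above the definition, hedged as my inference since the caller is not in view. The `errno == EPIPE` test at L3446 now follows a call through roaming_atomicio rather than atomicio, so it assumes the wrapper leaves errno from the underlying read(2) intact on its own code paths; that is worth confirming in roaming_atomicio. The function starts and ends outside this section.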


@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.h,v 1.24 2007/09/04 11:15:56 djm Exp $ */
/* $OpenBSD: sshconnect.h,v 1.25 2009/05/27 06:38:16 andreas Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -38,6 +38,8 @@ ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int,
void
ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *, int);
void ssh_exchange_identification(int);
int verify_host_key(char *, struct sockaddr *, Key *);
void ssh_kex(char *, struct sockaddr *);


@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect2.c,v 1.170 2008/11/04 08:22:13 djm Exp $ */
/* $OpenBSD: sshconnect2.c,v 1.171 2009/03/05 07:18:19 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@ -68,6 +68,7 @@
#include "msg.h"
#include "pathnames.h"
#include "uidswap.h"
#include "schnorr.h"
#include "jpake.h"
#ifdef GSSAPI


@ -34,9 +34,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.247 2008/10/03 13:08:12 jmc Exp $
.\" $OpenBSD: sshd.8,v 1.248 2009/03/26 08:38:39 sobrado Exp $
.\" $FreeBSD$
.Dd October 3 2008
.Dd March 26 2009
.Dt SSHD 8
.Os
.Sh NAME
@ -546,7 +546,7 @@ for more information on patterns.
In addition to the wildcard matching that may be applied to hostnames or
addresses, a
.Cm from
stanza may match IP addressess using CIDR address/masklen notation.
stanza may match IP addresses using CIDR address/masklen notation.
.Pp
The purpose of this option is to optionally increase security: public key
authentication by itself does not trust the network or name servers or


@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.366 2009/01/22 10:02:34 djm Exp $ */
/* $OpenBSD: sshd.c,v 1.367 2009/05/28 16:50:16 andreas Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -128,6 +128,7 @@ __RCSID("$FreeBSD$");
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "roaming.h"
#include "version.h"
#ifdef LIBWRAP
@ -430,7 +431,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
server_version_string = xstrdup(buf);
/* Send our protocol version identification. */
if (atomicio(vwrite, sock_out, server_version_string,
if (roaming_atomicio(vwrite, sock_out, server_version_string,
strlen(server_version_string))
!= strlen(server_version_string)) {
logit("Could not write ident string to %s", get_remote_ipaddr());
@ -440,7 +441,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
/* Read other sides version identification. */
memset(buf, 0, sizeof(buf));
for (i = 0; i < sizeof(buf) - 1; i++) {
if (atomicio(read, sock_in, &buf[i], 1) != 1) {
if (roaming_atomicio(read, sock_in, &buf[i], 1) != 1) {
logit("Did not receive identification string from %s",
get_remote_ipaddr());
cleanup_exit(255);
@ -588,7 +589,7 @@ demote_sensitive_data(void)
static void
privsep_preauth_child(void)
{
u_int32_t rnd[256];
u_int32_t rnd[256];
gid_t gidset[1];
/* Enable challenge-response authentication for privilege separation */
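Review bot: The failure branch at L3541-L3544 logs only that no identification string arrived, and with the read now routed through roaming_atomicio a clean EOF, a short read and a socket error all produce the same line; including the cause, e.g. `logit("Did not receive identification string from %s: %s", get_remote_ipaddr(), errno ? strerror(errno) : "EOF");`, lets operators separate scanners that connect and close from real transport failures when reviewing auth logs. Routing the pre-authentication identification exchange through the roaming layer on the server side (L3532, L3541) places that code on the unauthenticated attack surface, so it is worth a comment confirming that the server never enables resumption here; I am inferring the default from the absence of any roaming option in sshd_config, not from visible code. sshd_exchange_identification starts outside this section.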


@ -14,7 +14,7 @@
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
#VersionAddendum FreeBSD-20090522
#VersionAddendum FreeBSD-20091001
#Port 22
#Protocol 2


@ -34,9 +34,9 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.102 2009/02/22 23:59:25 djm Exp $
.\" $OpenBSD: sshd_config.5,v 1.106 2009/04/21 15:13:17 stevesk Exp $
.\" $FreeBSD$
.Dd February 22 2009
.Dd April 21 2009
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@ -177,9 +177,9 @@ then no banner is displayed.
This option is only available for protocol version 2.
By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed.
See also
.Cm UsePAM .
Specifies whether challenge-response authentication is allowed (e.g. via
PAM or though authentication styles supported in
.Xr login.conf 5 )
The default is
.Dq yes .
.It Cm ChrootDirectory
@ -188,6 +188,9 @@ Specifies a path to
to after authentication.
This path, and all its components, must be root-owned directories that are
not writable by any other user or group.
After the chroot,
.Xr sshd 8
changes the working directory to the user's home directory.
.Pp
The path may contain the following tokens that are expanded at runtime once
the connecting user has been authenticated: %% is replaced by a literal '%',
@ -197,7 +200,7 @@ the connecting user has been authenticated: %% is replaced by a literal '%',
The
.Cm ChrootDirectory
must contain the necessary files and directories to support the
users' session.
user's session.
For an interactive session this requires at least a shell, typically
.Xr sh 1 ,
and basic
@ -215,8 +218,11 @@ devices.
For file transfer sessions using
.Dq sftp ,
no additional configuration of the environment is necessary if the
in-process sftp server is used (see
.Cm Subsystem
in-process sftp server is used,
though sessions which use logging do require
.Pa /dev/log
inside the chroot directory (see
.Xr sftp-server 8
for details).
.Pp
The default is not to
@ -949,7 +955,7 @@ The default is
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
The default is
.Dq FreeBSD-20090522 .
.Dq FreeBSD-20091001 .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's


@ -86,13 +86,20 @@ get_last_login_time(uid_t uid, const char *logname,
static void
store_lastlog_message(const char *user, uid_t uid)
{
#ifndef NO_SSH_LASTLOG
char *time_string, hostname[MAXHOSTNAMELEN] = "", buf[512];
time_t last_login_time;
#ifndef NO_SSH_LASTLOG
if (!options.print_lastlog)
return;
# ifdef CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG
time_string = sys_auth_get_lastlogin_msg(user, uid);
if (time_string != NULL) {
buffer_append(&loginmsg, time_string, strlen(time_string));
xfree(time_string);
}
# else
last_login_time = get_last_login_time(uid, user, hostname,
sizeof(hostname));
@ -107,6 +114,7 @@ store_lastlog_message(const char *user, uid_t uid)
time_string, hostname);
buffer_append(&loginmsg, buf, strlen(buf));
}
# endif /* CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG */
#endif /* NO_SSH_LASTLOG */
}
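Review bot: Under CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG the `hostname`, `buf` and `last_login_time` declarations at L3641-L3642 are only used in the `# else` branch, so that build now gets unused-variable warnings; moving those three declarations under the `# else` at L3652 (leaving `time_string` shared) keeps -Wall clean. Which of the two `#ifndef NO_SSH_LASTLOG` placements (L3640 versus L3643) is the new one cannot be recovered from this rendering; if the declarations ended up outside the guard, the NO_SSH_LASTLOG build has the same warning problem. The function's opening brace is at L3639, so the whole body is in view.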


@ -1,4 +1,4 @@
/* $OpenBSD: uuencode.c,v 1.24 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: uuencode.c,v 1.25 2009/03/05 11:30:50 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -33,6 +33,12 @@
#include "xmalloc.h"
#include "uuencode.h"
/*
* Encode binary 'src' of length 'srclength', writing base64-encoded text
* to 'target' of size 'targsize'. Will always nul-terminate 'target'.
* Returns the number of bytes stored in 'target' or -1 on error (inc.
* 'targsize' too small).
*/
int
uuencode(const u_char *src, u_int srclength,
char *target, size_t targsize)
@ -40,6 +46,11 @@ uuencode(const u_char *src, u_int srclength,
return __b64_ntop(src, srclength, target, targsize);
}
/*
* Decode base64-encoded 'src' into buffer 'target' of 'targsize' bytes.
* Will skip leading and trailing whitespace. Returns the number of bytes
* stored in 'target' or -1 on error (inc. targsize too small).
*/
int
uudecode(const char *src, u_char *target, size_t targsize)
{


@ -1,12 +1,12 @@
/* $OpenBSD: version.h,v 1.55 2009/02/23 00:06:15 djm Exp $ */
/* $OpenBSD: version.h,v 1.56 2009/06/30 14:54:40 markus Exp $ */
/* $FreeBSD$ */
#ifndef SSH_VERSION
#define SSH_VERSION (ssh_version_get())
#define SSH_RELEASE (ssh_version_get())
#define SSH_VERSION_BASE "OpenSSH_5.2p1"
#define SSH_VERSION_ADDENDUM "FreeBSD-20090522"
#define SSH_VERSION_BASE "OpenSSH_5.3p1"
#define SSH_VERSION_ADDENDUM "FreeBSD-20091001"
const char *ssh_version_get(void);
void ssh_version_set_addendum(const char *);


@ -23,6 +23,7 @@
rc_debug="NO" # Set to YES to enable debugging output from rc.d
rc_info="NO" # Enables display of informational messages at boot.
rc_startmsgs="YES" # Show "Starting foo:" messages at boot
rcshutdown_timeout="30" # Seconds to wait before terminating rc.shutdown
early_late_divider="FILESYSTEMS" # Script that separates early/late
# stages of the boot process. Make sure you know
@ -196,6 +197,8 @@ cloned_interfaces="" # List of cloned network interfaces to create.
ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
#ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.
#ifconfig_ed0_ipx="ipx 0x00010010" # Sample IPX address family entry.
#ifconfig_ed0_ipv6="inet6 2001:db8:1::1 prefixlen 64" # Sample IPv6 addr entry
#ifconfig_ed0_alias0="inet6 2001:db8:2::1 prefixlen 64" # Sample IPv6 alias
#ifconfig_fxp0_name="net0" # Change interface name from fxp0 to net0.
#wlans_ath0="wlan0" # wlan(4) interfaces for ath0 device
#wlandebug_wlan0="scan+auth+assoc" # Set debug flags with wlanddebug(8)
@ -361,9 +364,9 @@ static_arp_pairs="" # Set to static ARP list (or leave empty).
static_routes="" # Set to static route list (or leave empty).
natm_static_routes="" # Set to static route list for NATM (or leave empty).
gateway_enable="NO" # Set to YES if this host will be a gateway.
router_enable="NO" # Set to YES to enable a routing daemon.
router="/sbin/routed" # Name of routing daemon to use if enabled.
router_flags="-q" # Flags for routing daemon.
routed_enable="NO" # Set to YES to enable a routing daemon.
routed_program="/sbin/routed" # Name of routing daemon to use if enabled.
routed_flags="-q" # Flags for routing daemon.
mrouted_enable="NO" # Do IPv4 multicast routing.
mrouted_program="/usr/local/sbin/mrouted" # Name of IPv4 multicast
# routing daemon. You need to
@ -418,8 +421,8 @@ rfcomm_pppd_server_two_channel="3" # Override local channel for 'two'
icmp_bmcastecho="NO" # respond to broadcast ping packets
### IPv6 options: ###
ipv6_enable="NO" # Set to YES to set up for IPv6.
ipv6_network_interfaces="auto" # List of network interfaces (or "auto").
ipv6_network_interfaces="none" # List of IPv6 network interfaces
# (or "auto" or "none").
ipv6_defaultrouter="NO" # Set to IPv6 default gateway (or NO).
#ipv6_defaultrouter="2002:c058:6301::" # Use this for 6to4 (RFC 3068)
ipv6_static_routes="" # Set to static route list (or leave empty).
@ -427,20 +430,19 @@ ipv6_static_routes="" # Set to static route list (or leave empty).
# route toward loopback interface.
#ipv6_route_xxx="fec0:0000:0000:0006:: -prefixlen 64 ::1"
ipv6_gateway_enable="NO" # Set to YES if this host will be a gateway.
ipv6_router_enable="NO" # Set to YES to enable an IPv6 routing daemon.
ipv6_router="/usr/sbin/route6d" # Name of IPv6 routing daemon.
ipv6_router_flags="" # Flags to IPv6 routing daemon.
#ipv6_router_flags="-l" # Example for route6d with only IPv6 site local
route6d_enable="NO" # Set to YES to enable an IPv6 routing daemon.
route6d_program="/usr/sbin/route6d" # Name of IPv6 routing daemon.
route6d_flags="" # Flags to IPv6 routing daemon.
#route6d_flags="-l" # Example for route6d with only IPv6 site local
# addrs.
#ipv6_router_flags="-q" # If you want to run a routing daemon on an end
#route6d_flags="-q" # If you want to run a routing daemon on an end
# node, you should stop advertisement.
#ipv6_network_interfaces="ed0 ep0" # Examples for router
# or static configuration for end node.
# Choose correct prefix value.
#ipv6_prefix_ed0="fec0:0000:0000:0001 fec0:0000:0000:0002" # Examples for rtr.
#ipv6_prefix_ep0="fec0:0000:0000:0003 fec0:0000:0000:0004" # Examples for rtr.
#ipv6_ifconfig_ed0="fec0:0:0:5::1 prefixlen 64" # Sample manual assign entry
#ipv6_ifconfig_ed0_alias0="fec0:0:0:5::2 prefixlen 64" # Sample alias entry.
ipv6_default_interface="NO" # Default output interface for scoped addrs.
# Now this works only for IPv6 link local
# multicast addrs.
@ -482,6 +484,7 @@ ipv6_ipfilter_rules="/etc/ipf6.rules" # rules definition file for ipfilter,
# for examples
ip6addrctl_enable="YES" # Set to YES to enable default address selection
ip6addrctl_verbose="NO" # Set to YES to enable verbose configuration messages
ipv6_prefer="NO" # Use IPv6 when both IPv4 and IPv6 can be used
##############################################################
### System console options #################################
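Review bot: The remaining sample at L3754, `#ipv6_route_xxx="fec0:0000:0000:0006:: -prefixlen 64 ::1"`, still uses the deprecated site-local prefix (fec0::/10, RFC 3879) while the new examples at L3724-L3725 correctly use the documentation prefix; for consistency it should become `#ipv6_route_xxx="2001:db8:0:6:: -prefixlen 64 ::1"`. Since the default at L3747 changes to `ipv6_network_interfaces="none"`, the comment would help administrators more if it stated that interfaces get IPv6 only through `ifconfig_IF_ipv6` and that `auto` is no longer the default, which is what the commit description says. The `ipv6_prefer="NO"` default at L3782 is the safer choice for hosts without an IPv6 path; a trailing comment pointing at ip6addrctl(8) would document where the policy is actually applied.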


@ -1031,6 +1031,8 @@
..
fr_FR.UTF-8
..
gl_ES.ISO8859-1
..
he_IL.UTF-8
..
hi_IN.ISCII-DEV



@ -19,6 +19,9 @@ case "$daily_status_disks_enable" in
df $daily_status_disks_df_flags && rc=1 || rc=3
# display which filesystems need backing up
if ! [ -f /etc/fstab ]; then
export PATH_FSTAB=/dev/null
fi
echo ""
dump W || rc=3;;


@ -50,6 +50,9 @@ case "$daily_status_security_chkmounts_enable" in
ignore="${ignore}|^amd:"
esac
[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
if ! [ -f /etc/fstab ]; then
export PATH_FSTAB=/dev/null
fi
mount -p | sort | ${cmd} |
check_diff mount - "${host} changes in mounted filesystems:"
rc=$?;;


@ -4,13 +4,13 @@
FILES= DAEMON FILESYSTEMS LOGIN NETWORKING SERVERS \
abi accounting addswap adjkerntz amd \
apm apmd archdep atm1 atm2 atm3 auditd auto_linklocal \
apm apmd archdep atm1 atm2 atm3 auditd \
bgfsck bluetooth bootparams bridge bsnmpd bthidd \
ccd cleanvar cleartmp cron \
ddb defaultroute devd devfs dhclient \
dmesg dumpon \
encswap \
fsck ftp-proxy ftpd \
faith fsck ftp-proxy ftpd \
gbde geli geli2 gssd \
hcsecd \
hostapd hostid hostid_save hostname \
@ -23,7 +23,7 @@ FILES= DAEMON FILESYSTEMS LOGIN NETWORKING SERVERS \
mixer motd mountcritlocal mountcritremote mountlate \
mdconfig mdconfig2 mountd moused mroute6d mrouted msgs \
named natd netif netoptions \
network_ipv6 newsyslog nfsclient nfscbd nfsd \
newsyslog nfsclient nfscbd nfsd \
nfsserver nfsuserd nisdomain nsswitch ntpd ntpdate \
othermta \
pf pflog pfsync \
@ -32,7 +32,7 @@ FILES= DAEMON FILESYSTEMS LOGIN NETWORKING SERVERS \
random rarpd resolv rfcomm_pppd_server root \
route6d routed routing rpcbind rtadvd rwho \
savecore sdpd securelevel sendmail \
serial sppp statd static_arp swap1 \
serial sppp statd static_arp stf swap1 \
syscons sysctl syslogd \
timed tmp \
ugidfw \


@ -4,7 +4,7 @@
#
# PROVIDE: NETWORKING NETWORK
# REQUIRE: netif netoptions routing network_ipv6 ppp ipfw
# REQUIRE: netif netoptions routing ppp ipfw stf faith
# REQUIRE: defaultroute routed mrouted route6d mroute6d resolv
# This is a dummy dependency, for services which require networking


@ -7,7 +7,6 @@
# PROVIDE: addswap
# REQUIRE: FILESYSTEMS
# BEFORE: sysctl
# KEYWORD: nojail
. /etc/rc.subr
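Review bot: Dropping `# KEYWORD: nojail` at L3876 means addswap now runs inside jails, where swapon(8) is normally refused for lack of privilege; the script body is outside this section, so please confirm it tolerates that failure quietly rather than emitting errors on every jail boot. If the intent is to let jails with a configured swapfile attach it via a host-provided md(4), a comment next to the header saying so, e.g. `# Runs in jails too: swapfiles may be attached by the host`, would record the decision for the next reader.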


@ -1,33 +0,0 @@
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: auto_linklocal
# REQUIRE: root
# BEFORE: sysctl
# KEYWORD: nojail
. /etc/rc.subr
. /etc/network.subr
name="auto_linklocal"
start_cmd="auto_linklocal_start"
stop_cmd=":"
auto_linklocal_start()
{
if ! checkyesno ipv6_enable && ${SYSCTL} net.inet6 > /dev/null 2>&1; then
if ! ${SYSCTL_W} net.inet6.ip6.auto_linklocal=0 >/dev/null 2>&1; then
warn "failed to set sysctl(8)"
return 1
fi
laddr=`network6_getladdr lo0`
if [ -z "${laddr}" ]; then
ifconfig lo0 inet6 fe80::1 prefixlen 64
fi
fi
}
load_rc_config $name
run_rc_command "$1"


@ -6,7 +6,7 @@
#
# PROVIDE: defaultroute
# REQUIRE: devd netif network_ipv6
# REQUIRE: devd faith netif stf
# KEYWORD: nojail
. /etc/rc.subr
@ -18,7 +18,7 @@ stop_cmd=":"
defaultroute_start()
{
local output carrier nocarrier
local output carrier nocarrier nl
# Return without waiting if we don't have dhcp interfaces or
# if none of the dhcp interfaces is plugged in.
@ -41,6 +41,7 @@ defaultroute_start()
if [ -n "${defif}" ]; then
if [ ${delay} -ne ${defaultroute_delay} ]; then
echo -n "($defif)"
nl=1
fi
break
fi
@ -49,11 +50,12 @@ defaultroute_start()
else
echo -n .
fi
nl=1
sleep 1
delay=`expr $delay - 1`
delay=$(($delay - 1))
done
echo
[ -n "$nl" ] && echo
}
load_rc_config $name


@ -4,7 +4,7 @@
#
# PROVIDE: devd
# REQUIRE: netif network_ipv6
# REQUIRE: netif
# BEFORE: NETWORKING mountcritremote
# KEYWORD: nojail shutdown

77
etc/rc.d/faith Executable file

@ -0,0 +1,77 @@
#!/bin/sh
# $FreeBSD$
#
# PROVIDE: faith
# REQUIRE: netif routing
# KEYWORD: nojail
. /etc/rc.subr
. /etc/network.subr
name="faith"
start_cmd="faith_up"
stop_cmd="faith_down"
faith_up()
{
case ${ipv6_faith_prefix} in
[Nn][Oo] | '')
;;
*)
echo "Configuring IPv6-to-IPv4 TCP relay capturing interface:" \
" faith0."
${SYSCTL_W} net.inet6.ip6.keepfaith=1
ifconfig faith0 create >/dev/null 2>&1
ifconfig faith0 up
for prefix in ${ipv6_faith_prefix}; do
prefixlen=`expr "${prefix}" : ".*/\(.*\)"`
case ${prefixlen} in
'')
prefixlen=96
;;
*)
prefix=`expr "${prefix}" : \
"\(.*\)/${prefixlen}"`
;;
esac
route add -inet6 ${prefix} -prefixlen ${prefixlen} ::1
route change -inet6 ${prefix} -prefixlen ${prefixlen} \
-ifp faith0
done
if [ -z "${rc_quiet}" ]; then
ifconfig faith0
fi
;;
esac
}
faith_down()
{
echo "Removing IPv6-to-IPv4 TCP relay capturing interface: faith0."
ifconfig faith0 destroy
${SYSCTL_W} net.inet6.ip6.keepfaith=0
case ${ipv6_faith_prefix} in
[Nn][Oo] | '')
;;
*)
for prefix in ${ipv6_faith_prefix}; do
prefixlen=`expr "${prefix}" : ".*/\(.*\)"`
case ${prefixlen} in
'')
prefixlen=96
;;
*)
prefix=`expr "${prefix}" : \
"\(.*\)/${prefixlen}"`
;;
esac
route delete -inet6 ${prefix} -prefixlen ${prefixlen}
done
;;
esac
}
load_rc_config $name
run_rc_command "$1"
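Review bot: faith_down at L4007-L4031 announces removal, destroys faith0 and clears `net.inet6.ip6.keepfaith` before checking whether `ipv6_faith_prefix` is set, so on a host where faith_up did nothing a `stop` still prints the message and runs `ifconfig faith0 destroy` against an interface that may not exist; the echo, destroy and sysctl lines at L4009-L4011 belong inside the `*)` branch after the route deletions, mirroring faith_up. The `route add` and `route change` calls at L4997-L3999 and the `ifconfig faith0 create` at L4984 discard errors (the latter explicitly via `>/dev/null 2>&1`), so a malformed prefix in rc.conf leaves keepfaith enabled with no matching route and no diagnostic; checking their exit status with `warn` would surface that. Since faith(4) captures traffic for the whole prefix, a header comment noting that the relay itself (faithd) is not started here would clarify the security boundary this script sets up.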


@ -4,8 +4,8 @@
#
# PROVIDE: ip6addrctl
# REQUIRE: FILESYSTEMS netif
# BEFORE: network_ipv6
# REQUIRE: FILESYSTEMS
# BEFORE: netif
# KEYWORD: nojail
. /etc/rc.subr
@ -19,6 +19,8 @@ status_cmd="ip6addrctl"
prefer_ipv6_cmd="ip6addrctl_prefer_ipv6"
prefer_ipv4_cmd="ip6addrctl_prefer_ipv4"
set_rcvar_obsolete ipv6_enable ipv6_prefer
ip6addrctl_prefer_ipv6()
{
ip6addrctl flush >/dev/null 2>&1
@ -52,7 +54,7 @@ ip6addrctl_start()
ip6addrctl install /etc/ip6addrctl.conf
checkyesno ip6addrctl_verbose && ip6addrctl
else
if checkyesno ipv6_enable; then
if checkyesno ipv6_prefer; then
ip6addrctl_prefer_ipv6
else
ip6addrctl_prefer_ipv4


@ -4,7 +4,8 @@
#
# PROVIDE: mroute6d
# REQUIRE: network_ipv6
# REQUIRE: netif routing
# BEFORE: NETWORKING
# KEYWORD: nojail
. /etc/rc.subr


@ -41,6 +41,8 @@ clonedown_cmd="clone_down"
extra_commands="cloneup clonedown"
cmdifn=
set_rcvar_obsolete ipv6_enable ipv6_prefer
network_start()
{
# Set the list of interfaces to work on.


@ -5,9 +5,15 @@
# PROVIDE: netoptions
# REQUIRE: FILESYSTEMS
# BEFORE: netif
# KEYWORD: nojail
. /etc/rc.subr
. /etc/network.subr
name="netoptions"
start_cmd="netoptions_start"
stop_cmd=:
_netoptions_initdone=
netoptions_init()
@ -18,75 +24,60 @@ netoptions_init()
fi
}
load_rc_config 'XXX'
netoptions_start()
{
if checkyesno log_in_vain; then
netoptions_init
echo -n " log_in_vain=${log_in_vain}"
${SYSCTL_W} net.inet.tcp.log_in_vain="${log_in_vain}" >/dev/null
${SYSCTL_W} net.inet.udp.log_in_vain="${log_in_vain}" >/dev/null
fi
case ${log_in_vain} in
[Nn][Oo] | '')
log_in_vain=0
;;
[Yy][Ee][Ss])
log_in_vain=1
;;
[0-9]*)
;;
*)
netoptions_init
echo " invalid log_in_vain setting: ${log_in_vain}"
log_in_vain=0
;;
esac
if checkyesno tcp_extensions; then
netoptions_init
echo -n ' rfc1323 extensions=NO'
${SYSCTL_W} net.inet.tcp.rfc1323=0 >/dev/null
fi
if [ "${log_in_vain}" -ne 0 ]; then
netoptions_init
echo -n " log_in_vain=${log_in_vain}"
sysctl net.inet.tcp.log_in_vain="${log_in_vain}" >/dev/null
sysctl net.inet.udp.log_in_vain="${log_in_vain}" >/dev/null
fi
if ! checkyesno tcp_keepalive; then
netoptions_init
echo -n ' TCP keepalive=NO'
${SYSCTL_W} net.inet.tcp.always_keepalive=0 >/dev/null
fi
case ${tcp_extensions} in
[Yy][Ee][Ss] | '')
;;
*)
netoptions_init
echo -n ' tcp extensions=NO'
sysctl net.inet.tcp.rfc1323=0 >/dev/null
;;
esac
if checkyesno tcp_drop_synfin; then
netoptions_init
echo -n ' drop SYN+FIN packets=YES'
${SYSCTL_W} net.inet.tcp.drop_synfin=1 >/dev/null
fi
case ${tcp_keepalive} in
[Nn][Oo])
netoptions_init
echo -n ' TCP keepalive=NO'
sysctl net.inet.tcp.always_keepalive=0 >/dev/null
;;
esac
case ${ip_portrange_first} in
[0-9]*)
netoptions_init
echo -n " ip_portrange_first=$ip_portrange_first"
${SYSCTL_W} net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
;;
esac
case ${tcp_drop_synfin} in
[Yy][Ee][Ss])
netoptions_init
echo -n ' drop SYN+FIN packets=YES'
sysctl net.inet.tcp.drop_synfin=1 >/dev/null
;;
esac
case ${ip_portrange_last} in
[0-9]*)
netoptions_init
echo -n " ip_portrange_last=$ip_portrange_last"
${SYSCTL_W} net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
;;
esac
case ${ip_portrange_first} in
[Nn][Oo] | '')
;;
*)
netoptions_init
echo -n " ip_portrange_first=$ip_portrange_first"
sysctl net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
;;
esac
if afexists inet6; then
if checkyesno ipv6_ipv4mapping; then
${SYSCTL_W} net.inet6.ip6.v6only=0 >/dev/null
else
echo -n " no-ipv4-mapped-ipv6"
${SYSCTL_W} net.inet6.ip6.v6only=1 >/dev/null
fi
fi
case ${ip_portrange_last} in
[Nn][Oo] | '')
;;
*)
netoptions_init
echo -n " ip_portrange_last=$ip_portrange_last"
sysctl net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
;;
esac
[ -n "${_netoptions_initdone}" ] && echo '.'
}
[ -n "${_netoptions_initdone}" ] && echo '.'
load_rc_config $name
run_rc_command $1
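Review bot: The rfc1323 branch at `if checkyesno tcp_extensions; then` reads inverted: with the conventional `tcp_extensions="YES"` it prints ` rfc1323 extensions=NO` and sets `net.inet.tcp.rfc1323=0`, the opposite of the `case` it replaces (which only disabled rfc1323 when the value was neither YES nor empty) and of the `if ! checkyesno tcp_keepalive` branch a few lines below; it should read `if ! checkyesno tcp_extensions; then`. The log_in_vain block has a related regression: the old `case` normalised YES/NO to 1/0 before the sysctl, whereas the new code passes `${log_in_vain}` through verbatim, so `log_in_vain="YES"` now reaches `${SYSCTL_W} net.inet.tcp.log_in_vain="YES"` as a non-numeric value, and numeric values other than 0/1 (previously accepted by the `[0-9]*` arm) are rejected by checkyesno. The old/new assignment is inferred from the rendered page (new lines use `${SYSCTL_W}`, old ones bare `sysctl`), so confirm against the raw diff. As a minor style point, `run_rc_command $1` is unquoted here while the other scripts in this commit use `run_rc_command "$1"`.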


@ -1,126 +0,0 @@
#!/bin/sh
#
# Copyright (c) 2000 The KAME Project
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
# From: src/etc/rc.network6,v 1.29 2002/04/06 15:15:43
#
# PROVIDE: network_ipv6
# REQUIRE: routing ip6fw
# KEYWORD: nojail
. /etc/rc.subr
. /etc/network.subr
name="network_ipv6"
rcvar=`set_rcvar ipv6`
start_cmd="network_ipv6_start"
network_ipv6_start()
{
# disallow "internal" addresses to appear on the wire
route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject
route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
case ${ipv6_network_interfaces} in
[Aa][Uu][Tt][Oo])
# Get a list of network interfaces
ipv6_network_interfaces="`ifconfig -l`"
;;
[Nn][Oo][Nn][Ee])
ipv6_network_interfaces=''
;;
esac
if checkyesno ipv6_gateway_enable; then
# act as a router
${SYSCTL_W} net.inet6.ip6.forwarding=1
${SYSCTL_W} net.inet6.ip6.accept_rtadv=0
# wait for DAD
for i in $ipv6_network_interfaces; do
ifconfig $i up
done
sleep `${SYSCTL_N} net.inet6.ip6.dad_count`
sleep 1
else
# act as endhost - start with manual configuration
# Setup of net.inet6.ip6.accept_rtadv is done later by
# network6_interface_setup.
${SYSCTL_W} net.inet6.ip6.forwarding=0
fi
if [ -n "${ipv6_network_interfaces}" ]; then
# Setup the interfaces
network6_interface_setup $ipv6_network_interfaces
# wait for DAD's completion (for global addrs)
sleep `${SYSCTL_N} net.inet6.ip6.dad_count`
sleep 1
fi
# Filter out interfaces on which IPv6 initialization failed.
if checkyesno ipv6_gateway_enable; then
ipv6_working_interfaces=""
for i in ${ipv6_network_interfaces}; do
laddr=`network6_getladdr $i exclude_tentative`
case ${laddr} in
'')
;;
*)
ipv6_working_interfaces="$i \
${ipv6_working_interfaces}"
;;
esac
done
ipv6_network_interfaces=${ipv6_working_interfaces}
fi
# Setup IPv6 to IPv4 mapping
network6_stf_setup
# Install the "default interface" to kernel, which will be used
# as the default route when there's no router.
network6_default_interface_setup
# Setup static routes
network6_static_routes_setup
# Setup faith
network6_faith_setup
# Support for IPv4 address tacked onto an IPv6 address
if checkyesno ipv6_ipv4mapping; then
echo 'IPv4 mapped IPv6 address support=YES'
${SYSCTL_W} net.inet6.ip6.v6only=0 >/dev/null
else
echo 'IPv4 mapped IPv6 address support=NO'
${SYSCTL_W} net.inet6.ip6.v6only=1 >/dev/null
fi
}
load_rc_config $name
run_rc_command "$1"


@ -95,8 +95,12 @@ ppp_poststart()
{
# Re-Sync ipfilter and pf so they pick up any new network interfaces
#
/etc/rc.d/ipfilter quietresync
/etc/rc.d/pf quietresync
if [ -f /etc/rc.d/ipfilter ]; then
/etc/rc.d/ipfilter quietresync
fi
if [ -f /etc/rc.d/pf ]; then
/etc/rc.d/pf quietresync
fi
}
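Review bot: The new guards test `-f` but then execute the script directly; `if [ -x /etc/rc.d/ipfilter ]; then` (and the same for pf) is the usual rc.d idiom and also skips a file that exists but is not executable, which the `-f` form would still try to run. ppp_poststart is fully contained in the hunk.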
ppp_stop_profile() {


@ -4,22 +4,17 @@
#
# PROVIDE: route6d
# REQUIRE: network_ipv6
# REQUIRE: netif routing
# KEYWORD: nojail
. /etc/rc.subr
name="route6d"
rcvar=`set_rcvar`
set_rcvar_obsolete ipv6_router_enable route6d_enable
set_rcvar_obsolete ipv6_router route6d_program
set_rcvar_obsolete ipv6_router_flags route6d_flags
# XXX - Executable may be in a different location. The $name variable
# is different from the variable in rc.conf(5) so the
# subroutines in rc.subr won't catch it. In this case, it
# is also needed by the eval statement in the FreeBSD conditional.
#
load_rc_config $name
rcvar="ipv6_router_enable"
command="${ipv6_router:-/usr/sbin/${name}}"
eval ${name}_flags=\"${ipv6_router_flags}\"
run_rc_command "$1"
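Review bot: Nothing in the new script sets `command` once the `command="${ipv6_router:-/usr/sbin/${name}}"` line and its explanatory XXX comment are removed; presumably the path now arrives through `route6d_program` (mapped from the obsolete `ipv6_router` by `set_rcvar_obsolete`) via a default in rc.conf, but that dependency is no longer documented anywhere in the file and should be confirmed, since a missing default leaves run_rc_command with an empty command. The rc.d/routed hunk below has the same shape (its `command="${router:-/sbin/${name}}"` line is dropped in favour of `routed_program`). A one-line comment such as `# command comes from ${name}_program (rc.conf(5)); ipv6_router* are mapped onto it above.` would preserve the intent the removed XXX block carried.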


@ -10,13 +10,12 @@
. /etc/rc.subr
name="routed"
desc="network RIP and router discovery routing daemon"
rcvar=`set_rcvar`
set_rcvar_obsolete router_enable routed_enable
set_rcvar_obsolete router routed_program
set_rcvar_obsolete router_flags routed_flags
# XXX - Executable may be in a different location. The $name variable
# is different from the variable in rc.conf(5) so the
# subroutines in rc.subr won't catch it.
#
load_rc_config $name
rcvar="router_enable"
command="${router:-/sbin/${name}}"
eval ${name}_flags=\"${router_flags}\"
run_rc_command "$1"
