Upgrade to OpenSSH 5.3p1.
This commit is contained in:
commit
7aee6ffee0
@ -1,3 +1,282 @@
|
|||||||
|
20090926
|
||||||
|
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
|
||||||
|
[contrib/suse/openssh.spec] Update for release
|
||||||
|
- (djm) [README] update relnotes URL
|
||||||
|
- (djm) [packet.c] Restore EWOULDBLOCK handling that got lost somewhere
|
||||||
|
- (djm) Release 5.3p1
|
||||||
|
|
||||||
|
20090911
|
||||||
|
- (dtucker) [configure.ac] Change the -lresolv check so it works on Mac OS X
|
||||||
|
10.6 (which doesn't have BIND8_COMPAT and thus uses res_9_query). Patch
|
||||||
|
from jbasney at ncsa uiuc edu.
|
||||||
|
|
||||||
|
20090908
|
||||||
|
- (djm) [serverloop.c] Fix test for server-assigned remote forwarding port
|
||||||
|
(-R 0:...); bz#1578, spotted and fix by gavin AT emf.net; ok dtucker@
|
||||||
|
|
||||||
|
20090901
|
||||||
|
- (dtucker) [configure.ac] Bug #1639: use AC_PATH_PROG to search the path for
|
||||||
|
krb5-config if it's not in the location specified by --with-kerberos5.
|
||||||
|
Patch from jchadima at redhat.
|
||||||
|
|
||||||
|
20090829
|
||||||
|
- (dtucker) [README.platform] Add text about development packages, based on
|
||||||
|
text from Chris Pepper in bug #1631.
|
||||||
|
|
||||||
|
20090828
|
||||||
|
- dtucker [auth-sia.c] Roll back the change for bug #1241 as it apparently
|
||||||
|
causes problems in some Tru64 configurations.
|
||||||
|
- (djm) [sshd_config.5] downgrade mention of login.conf to be an example
|
||||||
|
and mention PAM as another provider for ChallengeResponseAuthentication;
|
||||||
|
bz#1408; ok dtucker@
|
||||||
|
- (djm) [sftp-server.c] bz#1535: accept ENOSYS as a fallback error when
|
||||||
|
attempting atomic rename(); ok dtucker@
|
||||||
|
- (djm) [Makefile.in] bz#1505: Solaris make(1) doesn't accept make variables
|
||||||
|
in argv, so pass them in the environment; ok dtucker@
|
||||||
|
- (dtucker) [channels.c configure.ac] Bug #1528: skip the tcgetattr call on
|
||||||
|
the pty master on Solaris, since it never succeeds and can hang if large
|
||||||
|
amounts of data is sent to the slave (eg a copy-paste). Based on a patch
|
||||||
|
originally from Doke Scott, ok djm@
|
||||||
|
- (dtucker) [clientloop.c configure.ac defines.h] Make the client's IO buffer
|
||||||
|
size a compile-time option and set it to 64k on Cygwin, since Corinna
|
||||||
|
reports that it makes a significant difference to performance. ok djm@
|
||||||
|
- (dtucker) [configure.ac] Fix the syntax of the Solaris tcgetattr entry.
|
||||||
|
|
||||||
|
20090820
|
||||||
|
- (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not
|
||||||
|
using it since the type conflicts can cause problems on FreeBSD. Patch
|
||||||
|
from Jonathan Chen.
|
||||||
|
- (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move
|
||||||
|
the setpcred call on AIX to immediately before the permanently_set_uid().
|
||||||
|
Ensures that we still have privileges when we call chroot and
|
||||||
|
pam_open_sesson. Based on a patch from David Leonard.
|
||||||
|
|
||||||
|
20090817
|
||||||
|
- (dtucker) [configure.ac] Check for headers before libraries for openssl an
|
||||||
|
zlib, which should make the errors slightly more meaningful on platforms
|
||||||
|
where there's separate "-devel" packages for those.
|
||||||
|
- (dtucker) [sshlogin.c openbsd-compat/port-aix.{c,h}] Bug #1595: make
|
||||||
|
PrintLastLog work on AIX. Based in part on a patch from Miguel Sanders.
|
||||||
|
|
||||||
|
20090729
|
||||||
|
- (tim) [contrib/cygwin/ssh-user-config] Change script to call correct error
|
||||||
|
function. Patch from Corinna Vinschen.
|
||||||
|
|
||||||
|
20090713
|
||||||
|
- (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so it
|
||||||
|
fits into 16 bits to work around a bug in glibc's resolver where it masks
|
||||||
|
off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob.
|
||||||
|
|
||||||
|
20090712
|
||||||
|
- (dtucker) [configure.ac] Include sys/param.h for the sys/mount.h test,
|
||||||
|
prevents configure complaining on older BSDs.
|
||||||
|
- (dtucker [contrib/cygwin/ssh-{host,user}-config] Add license text. Patch
|
||||||
|
from Corinna Vinschen.
|
||||||
|
- (dtucker) [auth-pam.c] Bug #1534: move the deletion of PAM credentials on
|
||||||
|
logout to after the session close. Patch from Anicka Bernathova,
|
||||||
|
originally from Andreas Schwab via Novelll ok djm.
|
||||||
|
|
||||||
|
20090707
|
||||||
|
- (dtucker) [contrib/cygwin/ssh-host-config] better support for automated
|
||||||
|
scripts and fix usage of eval. Patch from Corinna Vinschen.
|
||||||
|
|
||||||
|
20090705
|
||||||
|
- (dtucker) OpenBSD CVS Sync
|
||||||
|
- andreas@cvs.openbsd.org 2009/06/27 09:29:06
|
||||||
|
[packet.h packet.c]
|
||||||
|
packet_bacup_state() and packet_restore_state() will be used to
|
||||||
|
temporarily save the current state ren resuming a suspended connection.
|
||||||
|
ok markus@
|
||||||
|
- andreas@cvs.openbsd.org 2009/06/27 09:32:43
|
||||||
|
[roaming_common.c roaming.h]
|
||||||
|
It may be necessary to retransmit some data when resuming, so add it
|
||||||
|
to a buffer when roaming is enabled.
|
||||||
|
Most of this code was written by Martin Forssen, maf at appgate dot com.
|
||||||
|
ok markus@
|
||||||
|
- andreas@cvs.openbsd.org 2009/06/27 09:35:06
|
||||||
|
[readconf.h readconf.c]
|
||||||
|
Add client option UseRoaming. It doesn't do anything yet but will
|
||||||
|
control whether the client tries to use roaming if enabled on the
|
||||||
|
server. From Martin Forssen.
|
||||||
|
ok markus@
|
||||||
|
- markus@cvs.openbsd.org 2009/06/30 14:54:40
|
||||||
|
[version.h]
|
||||||
|
crank version; ok deraadt
|
||||||
|
- dtucker@cvs.openbsd.org 2009/07/02 02:11:47
|
||||||
|
[ssh.c]
|
||||||
|
allow for long home dir paths (bz #1615). ok deraadt
|
||||||
|
(based in part on a patch from jchadima at redhat)
|
||||||
|
- stevesk@cvs.openbsd.org 2009/07/05 19:28:33
|
||||||
|
[clientloop.c]
|
||||||
|
only send SSH2_MSG_DISCONNECT if we're in compat20; from dtucker@
|
||||||
|
ok deraadt@ markus@
|
||||||
|
|
||||||
|
20090622
|
||||||
|
- (dtucker) OpenBSD CVS Sync
|
||||||
|
- dtucker@cvs.openbsd.org 2009/06/22 05:39:28
|
||||||
|
[monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c]
|
||||||
|
alphabetize includes; reduces diff vs portable and style(9).
|
||||||
|
ok stevesk djm
|
||||||
|
(Id sync only; these were already in order in -portable)
|
||||||
|
|
||||||
|
20090621
|
||||||
|
- (dtucker) OpenBSD CVS Sync
|
||||||
|
- markus@cvs.openbsd.org 2009/03/17 21:37:00
|
||||||
|
[ssh.c]
|
||||||
|
pass correct argv[0] to openlog(); ok djm@
|
||||||
|
- jmc@cvs.openbsd.org 2009/03/19 15:15:09
|
||||||
|
[ssh.1]
|
||||||
|
for "Ciphers", just point the reader to the keyword in ssh_config(5), just
|
||||||
|
as we do for "MACs": this stops us getting out of sync when the lists
|
||||||
|
change;
|
||||||
|
fixes documentation/6102, submitted by Peter J. Philipp
|
||||||
|
alternative fix proposed by djm
|
||||||
|
ok markus
|
||||||
|
- tobias@cvs.openbsd.org 2009/03/23 08:31:19
|
||||||
|
[ssh-agent.c]
|
||||||
|
Fixed a possible out-of-bounds memory access if the environment variable
|
||||||
|
SHELL is shorter than 3 characters.
|
||||||
|
with input by and ok dtucker
|
||||||
|
- tobias@cvs.openbsd.org 2009/03/23 19:38:04
|
||||||
|
[ssh-agent.c]
|
||||||
|
My previous commit didn't fix the problem at all, so stick at my first
|
||||||
|
version of the fix presented to dtucker.
|
||||||
|
Issue notified by Matthias Barkhoff (matthias dot barkhoff at gmx dot de).
|
||||||
|
ok dtucker
|
||||||
|
- sobrado@cvs.openbsd.org 2009/03/26 08:38:39
|
||||||
|
[sftp-server.8 sshd.8 ssh-agent.1]
|
||||||
|
fix a few typographical errors found by spell(1).
|
||||||
|
ok dtucker@, jmc@
|
||||||
|
- stevesk@cvs.openbsd.org 2009/04/13 19:07:44
|
||||||
|
[sshd_config.5]
|
||||||
|
fix possessive; ok djm@
|
||||||
|
- stevesk@cvs.openbsd.org 2009/04/14 16:33:42
|
||||||
|
[sftp-server.c]
|
||||||
|
remove unused option character from getopt() optstring; ok markus@
|
||||||
|
- jj@cvs.openbsd.org 2009/04/14 21:10:54
|
||||||
|
[servconf.c]
|
||||||
|
Fixed a few the-the misspellings in comments. Skipped a bunch in
|
||||||
|
binutils,gcc and so on. ok jmc@
|
||||||
|
- stevesk@cvs.openbsd.org 2009/04/17 19:23:06
|
||||||
|
[session.c]
|
||||||
|
use INTERNAL_SFTP_NAME for setproctitle() of in-process sftp-server;
|
||||||
|
ok djm@ markus@
|
||||||
|
- stevesk@cvs.openbsd.org 2009/04/17 19:40:17
|
||||||
|
[sshd_config.5]
|
||||||
|
clarify that even internal-sftp needs /dev/log for logging to work; ok
|
||||||
|
markus@
|
||||||
|
- jmc@cvs.openbsd.org 2009/04/18 18:39:10
|
||||||
|
[sshd_config.5]
|
||||||
|
tweak previous; ok stevesk
|
||||||
|
- stevesk@cvs.openbsd.org 2009/04/21 15:13:17
|
||||||
|
[sshd_config.5]
|
||||||
|
clarify we cd to user's home after chroot; ok markus@ on
|
||||||
|
earlier version; tweaks and ok jmc@
|
||||||
|
- andreas@cvs.openbsd.org 2009/05/25 06:48:01
|
||||||
|
[channels.c packet.c clientloop.c packet.h serverloop.c monitor_wrap.c
|
||||||
|
monitor.c]
|
||||||
|
Put the globals in packet.c into a struct and don't access it directly
|
||||||
|
from other files. No functional changes.
|
||||||
|
ok markus@ djm@
|
||||||
|
- andreas@cvs.openbsd.org 2009/05/27 06:31:25
|
||||||
|
[canohost.h canohost.c]
|
||||||
|
Add clear_cached_addr(), needed for upcoming changes allowing the peer
|
||||||
|
address to change.
|
||||||
|
ok markus@
|
||||||
|
- andreas@cvs.openbsd.org 2009/05/27 06:33:39
|
||||||
|
[clientloop.c]
|
||||||
|
Send SSH2_MSG_DISCONNECT when the client disconnects. From a larger
|
||||||
|
change from Martin Forssen, maf at appgate dot com.
|
||||||
|
ok markus@
|
||||||
|
- andreas@cvs.openbsd.org 2009/05/27 06:34:36
|
||||||
|
[kex.c kex.h]
|
||||||
|
Move the KEX_COOKIE_LEN define to kex.h
|
||||||
|
ok markus@
|
||||||
|
- andreas@cvs.openbsd.org 2009/05/27 06:36:07
|
||||||
|
[packet.h packet.c]
|
||||||
|
Add packet_put_int64() and packet_get_int64(), part of a larger change
|
||||||
|
from Martin Forssen.
|
||||||
|
ok markus@
|
||||||
|
- andreas@cvs.openbsd.org 2009/05/27 06:38:16
|
||||||
|
[sshconnect.h sshconnect.c]
|
||||||
|
Un-static ssh_exchange_identification(), part of a larger change from
|
||||||
|
Martin Forssen and needed for upcoming changes.
|
||||||
|
ok markus@
|
||||||
|
- andreas@cvs.openbsd.org 2009/05/28 16:50:16
|
||||||
|
[sshd.c packet.c serverloop.c monitor_wrap.c clientloop.c sshconnect.c
|
||||||
|
monitor.c Added roaming.h roaming_common.c roaming_dummy.c]
|
||||||
|
Keep track of number of bytes read and written. Needed for upcoming
|
||||||
|
changes. Most code from Martin Forssen, maf at appgate dot com.
|
||||||
|
ok markus@
|
||||||
|
Also, applied appropriate changes to Makefile.in
|
||||||
|
- andreas@cvs.openbsd.org 2009/06/12 20:43:22
|
||||||
|
[monitor.c packet.c]
|
||||||
|
Fix warnings found by chl@ and djm@ and change roaming_atomicio's
|
||||||
|
return type to match atomicio's
|
||||||
|
Diff from djm@, ok markus@
|
||||||
|
- andreas@cvs.openbsd.org 2009/06/12 20:58:32
|
||||||
|
[packet.c]
|
||||||
|
Move some more statics into session_state
|
||||||
|
ok markus@ djm@
|
||||||
|
- dtucker@cvs.openbsd.org 2009/06/21 07:37:15
|
||||||
|
[kexdhs.c kexgexs.c]
|
||||||
|
abort if key_sign fails, preventing possible null deref. Based on report
|
||||||
|
from Paolo Ganci, ok markus@ djm@
|
||||||
|
- dtucker@cvs.openbsd.org 2009/06/21 09:04:03
|
||||||
|
[roaming.h roaming_common.c roaming_dummy.c]
|
||||||
|
Add tags for the benefit of the sync scripts
|
||||||
|
Also: pull in the changes for 1.1->1.2 missed in the previous sync.
|
||||||
|
- (dtucker) [auth2-jpake.c auth2.c canohost.h session.c] Whitespace and
|
||||||
|
header-order changes to reduce diff vs OpenBSD.
|
||||||
|
- (dtucker) [servconf.c sshd.c] More whitespace sync.
|
||||||
|
- (dtucker) [roaming_common.c roaming_dummy.c] Wrap #include <inttypes.h> in
|
||||||
|
ifdef.
|
||||||
|
|
||||||
|
20090616
|
||||||
|
- (dtucker) [configure.ac defines.h] Bug #1607: handle the case where fsid_t
|
||||||
|
is a struct with a __val member. Fixes build on, eg, Redhat 6.2.
|
||||||
|
|
||||||
|
20090504
|
||||||
|
- (dtucker) [sshlogin.c] Move the NO_SSH_LASTLOG #ifndef line to include
|
||||||
|
variable declarations. Should prevent unused warnings anywhere it's set
|
||||||
|
(only Crays as far as I can tell) and be a no-op everywhere else.
|
||||||
|
|
||||||
|
20090318
|
||||||
|
- (tim) [configure.ac] Remove setting IP_TOS_IS_BROKEN for Cygwin. The problem
|
||||||
|
that setsockopt(IP_TOS) doesn't work on Cygwin has been fixed since 2005.
|
||||||
|
Based on patch from vinschen at redhat com.
|
||||||
|
|
||||||
|
20090308
|
||||||
|
- (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c
|
||||||
|
auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h}
|
||||||
|
openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old
|
||||||
|
version of Cygwin. Patch from vinschen at redhat com.
|
||||||
|
|
||||||
|
20090307
|
||||||
|
- (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it
|
||||||
|
exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS
|
||||||
|
has a /dev/random).
|
||||||
|
- (dtucker) [schnorr.c openbsd-compat/openssl-compat.{c,h}] Add
|
||||||
|
EVP_DigestUpdate to the OLD_EVP compatibility functions and tell schnorr.c
|
||||||
|
to use them. Allows building with older OpenSSL versions.
|
||||||
|
- (dtucker) [configure.ac defines.h] Check for in_port_t and typedef if needed.
|
||||||
|
- (dtucker) [configure.ac] Missing comma in type list.
|
||||||
|
- (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}]
|
||||||
|
EVP_DigestUpdate does not exactly match the other OLD_EVP functions (eg
|
||||||
|
in openssl 0.9.6) so add an explicit test for it.
|
||||||
|
|
||||||
|
20090306
|
||||||
|
- (djm) OpenBSD CVS Sync
|
||||||
|
- djm@cvs.openbsd.org 2009/03/05 07:18:19
|
||||||
|
[auth2-jpake.c jpake.c jpake.h monitor_wrap.c monitor_wrap.h schnorr.c]
|
||||||
|
[sshconnect2.c]
|
||||||
|
refactor the (disabled) Schnorr proof code to make it a little more
|
||||||
|
generally useful
|
||||||
|
- djm@cvs.openbsd.org 2009/03/05 11:30:50
|
||||||
|
[uuencode.c]
|
||||||
|
document what these functions do so I don't ever have to recuse into
|
||||||
|
b64_pton/ntop to remember their return values
|
||||||
|
|
||||||
20090223
|
20090223
|
||||||
- (djm) OpenBSD CVS Sync
|
- (djm) OpenBSD CVS Sync
|
||||||
- djm@cvs.openbsd.org 2009/02/22 23:50:57
|
- djm@cvs.openbsd.org 2009/02/22 23:50:57
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
See http://www.openssh.com/txt/release-5.2 for the release notes.
|
See http://www.openssh.com/txt/release-5.3 for the release notes.
|
||||||
|
|
||||||
- A Japanese translation of this document and of the OpenSSH FAQ is
|
- A Japanese translation of this document and of the OpenSSH FAQ is
|
||||||
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
|
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
|
||||||
@ -62,4 +62,4 @@ References -
|
|||||||
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
|
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
|
||||||
[7] http://www.openssh.com/faq.html
|
[7] http://www.openssh.com/faq.html
|
||||||
|
|
||||||
$Id: README,v 1.70 2009/02/23 00:11:57 djm Exp $
|
$Id: README,v 1.70.4.1 2009/09/26 04:11:47 djm Exp $
|
||||||
|
@ -56,6 +56,18 @@ using a third party driver. More information is available at:
|
|||||||
http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
|
http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
|
||||||
|
|
||||||
|
|
||||||
|
Linux
|
||||||
|
-----
|
||||||
|
|
||||||
|
Some Linux distributions (including Red Hat/Fedora/CentOS) include
|
||||||
|
headers and library links in the -devel RPMs rather than the main
|
||||||
|
binary RPMs. If you get an error about headers, or complaining about a
|
||||||
|
missing prerequisite then you may need to install the equivalent
|
||||||
|
development packages. On Redhat based distros these may be openssl-devel,
|
||||||
|
zlib-devel and pam-devel, on Debian based distros these may be
|
||||||
|
libssl-dev, libz-dev and libpam-dev.
|
||||||
|
|
||||||
|
|
||||||
Solaris
|
Solaris
|
||||||
-------
|
-------
|
||||||
If you enable BSM auditing on Solaris, you need to update audit_event(4)
|
If you enable BSM auditing on Solaris, you need to update audit_event(4)
|
||||||
@ -81,4 +93,4 @@ account stacks which will prevent authentication entirely, but will still
|
|||||||
return the output from pam_nologin to the client.
|
return the output from pam_nologin to the client.
|
||||||
|
|
||||||
|
|
||||||
$Id: README.platform,v 1.9 2007/08/09 04:31:53 dtucker Exp $
|
$Id: README.platform,v 1.10 2009/08/28 23:14:48 dtucker Exp $
|
||||||
|
@ -602,16 +602,16 @@ sshpam_cleanup(void)
|
|||||||
return;
|
return;
|
||||||
debug("PAM: cleanup");
|
debug("PAM: cleanup");
|
||||||
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
|
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
|
||||||
if (sshpam_cred_established) {
|
|
||||||
debug("PAM: deleting credentials");
|
|
||||||
pam_setcred(sshpam_handle, PAM_DELETE_CRED);
|
|
||||||
sshpam_cred_established = 0;
|
|
||||||
}
|
|
||||||
if (sshpam_session_open) {
|
if (sshpam_session_open) {
|
||||||
debug("PAM: closing session");
|
debug("PAM: closing session");
|
||||||
pam_close_session(sshpam_handle, PAM_SILENT);
|
pam_close_session(sshpam_handle, PAM_SILENT);
|
||||||
sshpam_session_open = 0;
|
sshpam_session_open = 0;
|
||||||
}
|
}
|
||||||
|
if (sshpam_cred_established) {
|
||||||
|
debug("PAM: deleting credentials");
|
||||||
|
pam_setcred(sshpam_handle, PAM_DELETE_CRED);
|
||||||
|
sshpam_cred_established = 0;
|
||||||
|
}
|
||||||
sshpam_authenticated = 0;
|
sshpam_authenticated = 0;
|
||||||
pam_end(sshpam_handle, sshpam_err);
|
pam_end(sshpam_handle, sshpam_err);
|
||||||
sshpam_handle = NULL;
|
sshpam_handle = NULL;
|
||||||
|
@ -102,7 +102,7 @@ auth_password(Authctxt *authctxt, const char *password)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#ifdef HAVE_CYGWIN
|
#ifdef HAVE_CYGWIN
|
||||||
if (is_winnt) {
|
{
|
||||||
HANDLE hToken = cygwin_logon_user(pw, password);
|
HANDLE hToken = cygwin_logon_user(pw, password);
|
||||||
|
|
||||||
if (hToken == INVALID_HANDLE_VALUE)
|
if (hToken == INVALID_HANDLE_VALUE)
|
||||||
|
@ -34,10 +34,6 @@
|
|||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <stdarg.h>
|
#include <stdarg.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/security.h>
|
|
||||||
#include <prot.h>
|
|
||||||
#include <time.h>
|
|
||||||
|
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
#include "key.h"
|
#include "key.h"
|
||||||
@ -53,52 +49,6 @@ extern ServerOptions options;
|
|||||||
extern int saved_argc;
|
extern int saved_argc;
|
||||||
extern char **saved_argv;
|
extern char **saved_argv;
|
||||||
|
|
||||||
static int
|
|
||||||
sia_password_change_required(const char *user)
|
|
||||||
{
|
|
||||||
struct es_passwd *acct;
|
|
||||||
time_t pw_life;
|
|
||||||
time_t pw_date;
|
|
||||||
|
|
||||||
set_auth_parameters(saved_argc, saved_argv);
|
|
||||||
|
|
||||||
if ((acct = getespwnam(user)) == NULL) {
|
|
||||||
error("Couldn't access protected database entry for %s", user);
|
|
||||||
endprpwent();
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* If forced password change flag is set, honor it */
|
|
||||||
if (acct->uflg->fg_psw_chg_reqd && acct->ufld->fd_psw_chg_reqd) {
|
|
||||||
endprpwent();
|
|
||||||
return (1);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Obtain password lifetime; if none, it can't have expired */
|
|
||||||
if (acct->uflg->fg_expire)
|
|
||||||
pw_life = acct->ufld->fd_expire;
|
|
||||||
else if (acct->sflg->fg_expire)
|
|
||||||
pw_life = acct->sfld->fd_expire;
|
|
||||||
else {
|
|
||||||
endprpwent();
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Offset from last change; if none, it must be expired */
|
|
||||||
if (acct->uflg->fg_schange)
|
|
||||||
pw_date = acct->ufld->fd_schange + pw_life;
|
|
||||||
else {
|
|
||||||
endprpwent();
|
|
||||||
return (1);
|
|
||||||
}
|
|
||||||
|
|
||||||
endprpwent();
|
|
||||||
|
|
||||||
/* If expiration date is prior to now, change password */
|
|
||||||
|
|
||||||
return (pw_date <= time((time_t *) NULL));
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
int
|
||||||
sys_auth_passwd(Authctxt *authctxt, const char *pass)
|
sys_auth_passwd(Authctxt *authctxt, const char *pass)
|
||||||
{
|
{
|
||||||
@ -126,9 +76,6 @@ sys_auth_passwd(Authctxt *authctxt, const char *pass)
|
|||||||
|
|
||||||
sia_ses_release(&ent);
|
sia_ses_release(&ent);
|
||||||
|
|
||||||
authctxt->force_pwchange = sia_password_change_required(
|
|
||||||
authctxt->user);
|
|
||||||
|
|
||||||
return (1);
|
return (1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -318,15 +318,7 @@ do_authloop(Authctxt *authctxt)
|
|||||||
}
|
}
|
||||||
#endif /* _UNICOS */
|
#endif /* _UNICOS */
|
||||||
|
|
||||||
#ifdef HAVE_CYGWIN
|
#ifndef HAVE_CYGWIN
|
||||||
if (authenticated &&
|
|
||||||
!check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
|
|
||||||
authctxt->pw)) {
|
|
||||||
packet_disconnect("Authentication rejected for uid %d.",
|
|
||||||
authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
|
|
||||||
authenticated = 0;
|
|
||||||
}
|
|
||||||
#else
|
|
||||||
/* Special handling for root */
|
/* Special handling for root */
|
||||||
if (authenticated && authctxt->pw->pw_uid == 0 &&
|
if (authenticated && authctxt->pw->pw_uid == 0 &&
|
||||||
!auth_root_allowed(meth->name)) {
|
!auth_root_allowed(meth->name)) {
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: auth2-jpake.c,v 1.2 2008/11/07 23:34:48 dtucker Exp $ */
|
/* $OpenBSD: auth2-jpake.c,v 1.3 2009/03/05 07:18:19 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||||
*
|
*
|
||||||
@ -42,8 +42,8 @@
|
|||||||
#include "ssh2.h"
|
#include "ssh2.h"
|
||||||
#include "key.h"
|
#include "key.h"
|
||||||
#include "hostfile.h"
|
#include "hostfile.h"
|
||||||
#include "buffer.h"
|
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
|
#include "buffer.h"
|
||||||
#include "packet.h"
|
#include "packet.h"
|
||||||
#include "dispatch.h"
|
#include "dispatch.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
@ -55,6 +55,7 @@
|
|||||||
#endif
|
#endif
|
||||||
#include "monitor_wrap.h"
|
#include "monitor_wrap.h"
|
||||||
|
|
||||||
|
#include "schnorr.h"
|
||||||
#include "jpake.h"
|
#include "jpake.h"
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -359,7 +360,7 @@ auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Being authentication attempt.
|
* Begin authentication attempt.
|
||||||
* Note, sets authctxt->postponed while in subprotocol
|
* Note, sets authctxt->postponed while in subprotocol
|
||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
|
@ -58,10 +58,6 @@ userauth_kbdint(Authctxt *authctxt)
|
|||||||
|
|
||||||
xfree(devs);
|
xfree(devs);
|
||||||
xfree(lang);
|
xfree(lang);
|
||||||
#ifdef HAVE_CYGWIN
|
|
||||||
if (check_nt_auth(0, authctxt->pw) == 0)
|
|
||||||
authenticated = 0;
|
|
||||||
#endif
|
|
||||||
return authenticated;
|
return authenticated;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -61,10 +61,6 @@ userauth_none(Authctxt *authctxt)
|
|||||||
{
|
{
|
||||||
none_enabled = 0;
|
none_enabled = 0;
|
||||||
packet_check_eom();
|
packet_check_eom();
|
||||||
#ifdef HAVE_CYGWIN
|
|
||||||
if (check_nt_auth(1, authctxt->pw) == 0)
|
|
||||||
return (0);
|
|
||||||
#endif
|
|
||||||
if (options.password_authentication)
|
if (options.password_authentication)
|
||||||
return (PRIVSEP(auth_password(authctxt, "")));
|
return (PRIVSEP(auth_password(authctxt, "")));
|
||||||
return (0);
|
return (0);
|
||||||
|
@ -68,10 +68,6 @@ userauth_passwd(Authctxt *authctxt)
|
|||||||
logit("password change not supported");
|
logit("password change not supported");
|
||||||
else if (PRIVSEP(auth_password(authctxt, password)) == 1)
|
else if (PRIVSEP(auth_password(authctxt, password)) == 1)
|
||||||
authenticated = 1;
|
authenticated = 1;
|
||||||
#ifdef HAVE_CYGWIN
|
|
||||||
if (check_nt_auth(1, authctxt->pw) == 0)
|
|
||||||
authenticated = 0;
|
|
||||||
#endif
|
|
||||||
memset(password, 0, len);
|
memset(password, 0, len);
|
||||||
xfree(password);
|
xfree(password);
|
||||||
return authenticated;
|
return authenticated;
|
||||||
|
@ -170,10 +170,6 @@ userauth_pubkey(Authctxt *authctxt)
|
|||||||
key_free(key);
|
key_free(key);
|
||||||
xfree(pkalg);
|
xfree(pkalg);
|
||||||
xfree(pkblob);
|
xfree(pkblob);
|
||||||
#ifdef HAVE_CYGWIN
|
|
||||||
if (check_nt_auth(0, authctxt->pw) == 0)
|
|
||||||
authenticated = 0;
|
|
||||||
#endif
|
|
||||||
return authenticated;
|
return authenticated;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: auth2.c,v 1.120 2008/11/04 08:22:12 djm Exp $ */
|
/* $OpenBSD: auth2.c,v 1.121 2009/06/22 05:39:28 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
*
|
*
|
||||||
@ -36,8 +36,8 @@ __RCSID("$FreeBSD$");
|
|||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
#include "xmalloc.h"
|
|
||||||
#include "atomicio.h"
|
#include "atomicio.h"
|
||||||
|
#include "xmalloc.h"
|
||||||
#include "ssh2.h"
|
#include "ssh2.h"
|
||||||
#include "packet.h"
|
#include "packet.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: canohost.c,v 1.64 2009/02/12 03:00:56 djm Exp $ */
|
/* $OpenBSD: canohost.c,v 1.65 2009/05/27 06:31:25 andreas Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -35,6 +35,8 @@
|
|||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
|
|
||||||
static void check_ip_options(int, char *);
|
static void check_ip_options(int, char *);
|
||||||
|
static char *canonical_host_ip = NULL;
|
||||||
|
static int cached_port = -1;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Return the canonical name of the host at the other end of the socket. The
|
* Return the canonical name of the host at the other end of the socket. The
|
||||||
@ -304,6 +306,16 @@ get_local_name(int sock)
|
|||||||
return get_socket_address(sock, 0, NI_NAMEREQD);
|
return get_socket_address(sock, 0, NI_NAMEREQD);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
clear_cached_addr(void)
|
||||||
|
{
|
||||||
|
if (canonical_host_ip != NULL) {
|
||||||
|
xfree(canonical_host_ip);
|
||||||
|
canonical_host_ip = NULL;
|
||||||
|
}
|
||||||
|
cached_port = -1;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Returns the IP-address of the remote host as a string. The returned
|
* Returns the IP-address of the remote host as a string. The returned
|
||||||
* string must not be freed.
|
* string must not be freed.
|
||||||
@ -312,8 +324,6 @@ get_local_name(int sock)
|
|||||||
const char *
|
const char *
|
||||||
get_remote_ipaddr(void)
|
get_remote_ipaddr(void)
|
||||||
{
|
{
|
||||||
static char *canonical_host_ip = NULL;
|
|
||||||
|
|
||||||
/* Check whether we have cached the ipaddr. */
|
/* Check whether we have cached the ipaddr. */
|
||||||
if (canonical_host_ip == NULL) {
|
if (canonical_host_ip == NULL) {
|
||||||
if (packet_connection_is_on_socket()) {
|
if (packet_connection_is_on_socket()) {
|
||||||
@ -402,13 +412,11 @@ get_peer_port(int sock)
|
|||||||
int
|
int
|
||||||
get_remote_port(void)
|
get_remote_port(void)
|
||||||
{
|
{
|
||||||
static int port = -1;
|
|
||||||
|
|
||||||
/* Cache to avoid getpeername() on a dead connection */
|
/* Cache to avoid getpeername() on a dead connection */
|
||||||
if (port == -1)
|
if (cached_port == -1)
|
||||||
port = get_port(0);
|
cached_port = get_port(0);
|
||||||
|
|
||||||
return port;
|
return cached_port;
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: canohost.h,v 1.10 2009/02/12 03:00:56 djm Exp $ */
|
/* $OpenBSD: canohost.h,v 1.11 2009/05/27 06:31:25 andreas Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
@ -24,6 +24,6 @@ char *get_local_name(int);
|
|||||||
int get_remote_port(void);
|
int get_remote_port(void);
|
||||||
int get_local_port(void);
|
int get_local_port(void);
|
||||||
int get_sock_port(int, int);
|
int get_sock_port(int, int);
|
||||||
|
void clear_cached_addr(void);
|
||||||
|
|
||||||
void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
|
void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: channels.c,v 1.295 2009/02/12 03:00:56 djm Exp $ */
|
/* $OpenBSD: channels.c,v 1.296 2009/05/25 06:48:00 andreas Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -1653,6 +1653,7 @@ channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset)
|
|||||||
}
|
}
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
#ifndef BROKEN_TCGETATTR_ICANON
|
||||||
if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') {
|
if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') {
|
||||||
if (tcgetattr(c->wfd, &tio) == 0 &&
|
if (tcgetattr(c->wfd, &tio) == 0 &&
|
||||||
!(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
|
!(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
|
||||||
@ -1666,6 +1667,7 @@ channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset)
|
|||||||
packet_send();
|
packet_send();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
buffer_consume(&c->output, len);
|
buffer_consume(&c->output, len);
|
||||||
if (compat20 && len > 0) {
|
if (compat20 && len > 0) {
|
||||||
c->local_consumed += len;
|
c->local_consumed += len;
|
||||||
@ -2431,7 +2433,7 @@ channel_input_status_confirm(int type, u_int32_t seq, void *ctxt)
|
|||||||
int id;
|
int id;
|
||||||
|
|
||||||
/* Reset keepalive timeout */
|
/* Reset keepalive timeout */
|
||||||
keep_alive_timeouts = 0;
|
packet_set_alive_timeouts(0);
|
||||||
|
|
||||||
id = packet_get_int();
|
id = packet_get_int();
|
||||||
packet_check_eom();
|
packet_check_eom();
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: clientloop.c,v 1.209 2009/02/12 03:00:56 djm Exp $ */
|
/* $OpenBSD: clientloop.c,v 1.213 2009/07/05 19:28:33 stevesk Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -109,6 +109,7 @@
|
|||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
#include "match.h"
|
#include "match.h"
|
||||||
#include "msg.h"
|
#include "msg.h"
|
||||||
|
#include "roaming.h"
|
||||||
|
|
||||||
/* import options */
|
/* import options */
|
||||||
extern Options options;
|
extern Options options;
|
||||||
@ -491,13 +492,13 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
|
|||||||
xfree(gc);
|
xfree(gc);
|
||||||
}
|
}
|
||||||
|
|
||||||
keep_alive_timeouts = 0;
|
packet_set_alive_timeouts(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
server_alive_check(void)
|
server_alive_check(void)
|
||||||
{
|
{
|
||||||
if (++keep_alive_timeouts > options.server_alive_count_max) {
|
if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
|
||||||
logit("Timeout, server not responding.");
|
logit("Timeout, server not responding.");
|
||||||
cleanup_exit(255);
|
cleanup_exit(255);
|
||||||
}
|
}
|
||||||
@ -634,8 +635,8 @@ client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr)
|
|||||||
static void
|
static void
|
||||||
client_process_net_input(fd_set *readset)
|
client_process_net_input(fd_set *readset)
|
||||||
{
|
{
|
||||||
int len;
|
int len, cont = 0;
|
||||||
char buf[8192];
|
char buf[SSH_IOBUFSZ];
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Read input from the server, and add any such data to the buffer of
|
* Read input from the server, and add any such data to the buffer of
|
||||||
@ -643,8 +644,8 @@ client_process_net_input(fd_set *readset)
|
|||||||
*/
|
*/
|
||||||
if (FD_ISSET(connection_in, readset)) {
|
if (FD_ISSET(connection_in, readset)) {
|
||||||
/* Read as much as possible. */
|
/* Read as much as possible. */
|
||||||
len = read(connection_in, buf, sizeof(buf));
|
len = roaming_read(connection_in, buf, sizeof(buf), &cont);
|
||||||
if (len == 0) {
|
if (len == 0 && cont == 0) {
|
||||||
/*
|
/*
|
||||||
* Received EOF. The remote host has closed the
|
* Received EOF. The remote host has closed the
|
||||||
* connection.
|
* connection.
|
||||||
@ -1128,7 +1129,7 @@ static void
|
|||||||
client_process_input(fd_set *readset)
|
client_process_input(fd_set *readset)
|
||||||
{
|
{
|
||||||
int len;
|
int len;
|
||||||
char buf[8192];
|
char buf[SSH_IOBUFSZ];
|
||||||
|
|
||||||
/* Read input from stdin. */
|
/* Read input from stdin. */
|
||||||
if (FD_ISSET(fileno(stdin), readset)) {
|
if (FD_ISSET(fileno(stdin), readset)) {
|
||||||
@ -1476,6 +1477,14 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
|
|||||||
/* Stop watching for window change. */
|
/* Stop watching for window change. */
|
||||||
signal(SIGWINCH, SIG_DFL);
|
signal(SIGWINCH, SIG_DFL);
|
||||||
|
|
||||||
|
if (compat20) {
|
||||||
|
packet_start(SSH2_MSG_DISCONNECT);
|
||||||
|
packet_put_int(SSH2_DISCONNECT_BY_APPLICATION);
|
||||||
|
packet_put_cstring("disconnected by user");
|
||||||
|
packet_send();
|
||||||
|
packet_write_wait();
|
||||||
|
}
|
||||||
|
|
||||||
channel_free_all();
|
channel_free_all();
|
||||||
|
|
||||||
if (have_pty)
|
if (have_pty)
|
||||||
|
@ -69,6 +69,9 @@
|
|||||||
/* Define if your snprintf is busted */
|
/* Define if your snprintf is busted */
|
||||||
/* #undef BROKEN_SNPRINTF */
|
/* #undef BROKEN_SNPRINTF */
|
||||||
|
|
||||||
|
/* tcgetattr with ICANON may hang */
|
||||||
|
/* #undef BROKEN_TCGETATTR_ICANON */
|
||||||
|
|
||||||
/* updwtmpx is broken (if present) */
|
/* updwtmpx is broken (if present) */
|
||||||
/* #undef BROKEN_UPDWTMPX */
|
/* #undef BROKEN_UPDWTMPX */
|
||||||
|
|
||||||
@ -123,9 +126,12 @@
|
|||||||
/* Builtin PRNG command timeout */
|
/* Builtin PRNG command timeout */
|
||||||
#define ENTROPY_TIMEOUT_MSEC 200
|
#define ENTROPY_TIMEOUT_MSEC 200
|
||||||
|
|
||||||
/* f_fsid has members */
|
/* fsid_t has member val */
|
||||||
/* #undef FSID_HAS_VAL */
|
/* #undef FSID_HAS_VAL */
|
||||||
|
|
||||||
|
/* fsid_t has member __val */
|
||||||
|
/* #undef FSID_HAS___VAL */
|
||||||
|
|
||||||
/* Define to 1 if the `getpgrp' function requires zero arguments. */
|
/* Define to 1 if the `getpgrp' function requires zero arguments. */
|
||||||
#define GETPGRP_VOID 1
|
#define GETPGRP_VOID 1
|
||||||
|
|
||||||
@ -519,6 +525,9 @@
|
|||||||
/* Define to 1 if the system has the type `in_addr_t'. */
|
/* Define to 1 if the system has the type `in_addr_t'. */
|
||||||
#define HAVE_IN_ADDR_T 1
|
#define HAVE_IN_ADDR_T 1
|
||||||
|
|
||||||
|
/* Define to 1 if the system has the type `in_port_t'. */
|
||||||
|
#define HAVE_IN_PORT_T 1
|
||||||
|
|
||||||
/* Define to 1 if you have the <lastlog.h> header file. */
|
/* Define to 1 if you have the <lastlog.h> header file. */
|
||||||
/* #undef HAVE_LASTLOG_H */
|
/* #undef HAVE_LASTLOG_H */
|
||||||
|
|
||||||
@ -1227,6 +1236,9 @@
|
|||||||
/* Define if X11 doesn't support AF_UNIX sockets on that system */
|
/* Define if X11 doesn't support AF_UNIX sockets on that system */
|
||||||
/* #undef NO_X11_UNIX_SOCKETS */
|
/* #undef NO_X11_UNIX_SOCKETS */
|
||||||
|
|
||||||
|
/* Define if EVP_DigestUpdate returns void */
|
||||||
|
/* #undef OPENSSL_EVP_DIGESTUPDATE_VOID */
|
||||||
|
|
||||||
/* libcrypto is missing AES 192 and 256 bit functions */
|
/* libcrypto is missing AES 192 and 256 bit functions */
|
||||||
/* #undef OPENSSL_LOBOTOMISED_AES */
|
/* #undef OPENSSL_LOBOTOMISED_AES */
|
||||||
|
|
||||||
@ -1310,6 +1322,9 @@
|
|||||||
/* Use audit debugging module */
|
/* Use audit debugging module */
|
||||||
/* #undef SSH_AUDIT_EVENTS */
|
/* #undef SSH_AUDIT_EVENTS */
|
||||||
|
|
||||||
|
/* Windows is sensitive to read buffer size */
|
||||||
|
/* #undef SSH_IOBUFSZ */
|
||||||
|
|
||||||
/* non-privileged user for privilege separation */
|
/* non-privileged user for privilege separation */
|
||||||
#define SSH_PRIVSEP_USER "sshd"
|
#define SSH_PRIVSEP_USER "sshd"
|
||||||
|
|
||||||
@ -1398,9 +1413,13 @@
|
|||||||
/* Define if you want SELinux support. */
|
/* Define if you want SELinux support. */
|
||||||
/* #undef WITH_SELINUX */
|
/* #undef WITH_SELINUX */
|
||||||
|
|
||||||
/* Define to 1 if your processor stores words with the most significant byte
|
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
|
||||||
first (like Motorola and SPARC, unlike Intel and VAX). */
|
significant byte first (like Motorola and SPARC, unlike Intel and VAX). */
|
||||||
/* #undef WORDS_BIGENDIAN */
|
#if defined __BIG_ENDIAN__
|
||||||
|
# define WORDS_BIGENDIAN 1
|
||||||
|
#elif ! defined __LITTLE_ENDIAN__
|
||||||
|
/* # undef WORDS_BIGENDIAN */
|
||||||
|
#endif
|
||||||
|
|
||||||
/* Define if xauth is found in your path */
|
/* Define if xauth is found in your path */
|
||||||
/* #undef XAUTH_PATH */
|
/* #undef XAUTH_PATH */
|
||||||
|
@ -1,5 +1,8 @@
|
|||||||
/* config.h.in. Generated from configure.ac by autoheader. */
|
/* config.h.in. Generated from configure.ac by autoheader. */
|
||||||
|
|
||||||
|
/* Define if building universal (internal helper macro) */
|
||||||
|
#undef AC_APPLE_UNIVERSAL_BUILD
|
||||||
|
|
||||||
/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
|
/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
|
||||||
*/
|
*/
|
||||||
#undef AIX_GETNAMEINFO_HACK
|
#undef AIX_GETNAMEINFO_HACK
|
||||||
@ -68,6 +71,9 @@
|
|||||||
/* Define if your snprintf is busted */
|
/* Define if your snprintf is busted */
|
||||||
#undef BROKEN_SNPRINTF
|
#undef BROKEN_SNPRINTF
|
||||||
|
|
||||||
|
/* tcgetattr with ICANON may hang */
|
||||||
|
#undef BROKEN_TCGETATTR_ICANON
|
||||||
|
|
||||||
/* updwtmpx is broken (if present) */
|
/* updwtmpx is broken (if present) */
|
||||||
#undef BROKEN_UPDWTMPX
|
#undef BROKEN_UPDWTMPX
|
||||||
|
|
||||||
@ -122,9 +128,12 @@
|
|||||||
/* Builtin PRNG command timeout */
|
/* Builtin PRNG command timeout */
|
||||||
#undef ENTROPY_TIMEOUT_MSEC
|
#undef ENTROPY_TIMEOUT_MSEC
|
||||||
|
|
||||||
/* f_fsid has members */
|
/* fsid_t has member val */
|
||||||
#undef FSID_HAS_VAL
|
#undef FSID_HAS_VAL
|
||||||
|
|
||||||
|
/* fsid_t has member __val */
|
||||||
|
#undef FSID_HAS___VAL
|
||||||
|
|
||||||
/* Define to 1 if the `getpgrp' function requires zero arguments. */
|
/* Define to 1 if the `getpgrp' function requires zero arguments. */
|
||||||
#undef GETPGRP_VOID
|
#undef GETPGRP_VOID
|
||||||
|
|
||||||
@ -518,6 +527,9 @@
|
|||||||
/* Define to 1 if the system has the type `in_addr_t'. */
|
/* Define to 1 if the system has the type `in_addr_t'. */
|
||||||
#undef HAVE_IN_ADDR_T
|
#undef HAVE_IN_ADDR_T
|
||||||
|
|
||||||
|
/* Define to 1 if the system has the type `in_port_t'. */
|
||||||
|
#undef HAVE_IN_PORT_T
|
||||||
|
|
||||||
/* Define to 1 if you have the <lastlog.h> header file. */
|
/* Define to 1 if you have the <lastlog.h> header file. */
|
||||||
#undef HAVE_LASTLOG_H
|
#undef HAVE_LASTLOG_H
|
||||||
|
|
||||||
@ -1226,6 +1238,9 @@
|
|||||||
/* Define if X11 doesn't support AF_UNIX sockets on that system */
|
/* Define if X11 doesn't support AF_UNIX sockets on that system */
|
||||||
#undef NO_X11_UNIX_SOCKETS
|
#undef NO_X11_UNIX_SOCKETS
|
||||||
|
|
||||||
|
/* Define if EVP_DigestUpdate returns void */
|
||||||
|
#undef OPENSSL_EVP_DIGESTUPDATE_VOID
|
||||||
|
|
||||||
/* libcrypto is missing AES 192 and 256 bit functions */
|
/* libcrypto is missing AES 192 and 256 bit functions */
|
||||||
#undef OPENSSL_LOBOTOMISED_AES
|
#undef OPENSSL_LOBOTOMISED_AES
|
||||||
|
|
||||||
@ -1309,6 +1324,9 @@
|
|||||||
/* Use audit debugging module */
|
/* Use audit debugging module */
|
||||||
#undef SSH_AUDIT_EVENTS
|
#undef SSH_AUDIT_EVENTS
|
||||||
|
|
||||||
|
/* Windows is sensitive to read buffer size */
|
||||||
|
#undef SSH_IOBUFSZ
|
||||||
|
|
||||||
/* non-privileged user for privilege separation */
|
/* non-privileged user for privilege separation */
|
||||||
#undef SSH_PRIVSEP_USER
|
#undef SSH_PRIVSEP_USER
|
||||||
|
|
||||||
@ -1397,9 +1415,17 @@
|
|||||||
/* Define if you want SELinux support. */
|
/* Define if you want SELinux support. */
|
||||||
#undef WITH_SELINUX
|
#undef WITH_SELINUX
|
||||||
|
|
||||||
/* Define to 1 if your processor stores words with the most significant byte
|
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
|
||||||
first (like Motorola and SPARC, unlike Intel and VAX). */
|
significant byte first (like Motorola and SPARC, unlike Intel). */
|
||||||
#undef WORDS_BIGENDIAN
|
#if defined AC_APPLE_UNIVERSAL_BUILD
|
||||||
|
# if defined __BIG_ENDIAN__
|
||||||
|
# define WORDS_BIGENDIAN 1
|
||||||
|
# endif
|
||||||
|
#else
|
||||||
|
# ifndef WORDS_BIGENDIAN
|
||||||
|
# undef WORDS_BIGENDIAN
|
||||||
|
# endif
|
||||||
|
#endif
|
||||||
|
|
||||||
/* Define if xauth is found in your path */
|
/* Define if xauth is found in your path */
|
||||||
#undef XAUTH_PATH
|
#undef XAUTH_PATH
|
||||||
|
@ -25,7 +25,7 @@
|
|||||||
#ifndef _DEFINES_H
|
#ifndef _DEFINES_H
|
||||||
#define _DEFINES_H
|
#define _DEFINES_H
|
||||||
|
|
||||||
/* $Id: defines.h,v 1.153 2009/02/01 11:19:54 dtucker Exp $ */
|
/* $Id: defines.h,v 1.156 2009/08/28 01:21:07 dtucker Exp $ */
|
||||||
|
|
||||||
|
|
||||||
/* Constants */
|
/* Constants */
|
||||||
@ -300,6 +300,9 @@ struct sockaddr_un {
|
|||||||
#ifndef HAVE_IN_ADDR_T
|
#ifndef HAVE_IN_ADDR_T
|
||||||
typedef u_int32_t in_addr_t;
|
typedef u_int32_t in_addr_t;
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef HAVE_IN_PORT_T
|
||||||
|
typedef u_int16_t in_port_t;
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE)
|
#if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE)
|
||||||
#define _STRUCT_WINSIZE
|
#define _STRUCT_WINSIZE
|
||||||
@ -591,6 +594,10 @@ struct winsize {
|
|||||||
#define FSID_TO_ULONG(f) \
|
#define FSID_TO_ULONG(f) \
|
||||||
((((u_int64_t)(f).val[0] & 0xffffffffUL) << 32) | \
|
((((u_int64_t)(f).val[0] & 0xffffffffUL) << 32) | \
|
||||||
((f).val[1] & 0xffffffffUL))
|
((f).val[1] & 0xffffffffUL))
|
||||||
|
#elif defined(FSID_HAS___VAL)
|
||||||
|
#define FSID_TO_ULONG(f) \
|
||||||
|
((((u_int64_t)(f).__val[0] & 0xffffffffUL) << 32) | \
|
||||||
|
((f).__val[1] & 0xffffffffUL))
|
||||||
#else
|
#else
|
||||||
# define FSID_TO_ULONG(f) ((f))
|
# define FSID_TO_ULONG(f) ((f))
|
||||||
#endif
|
#endif
|
||||||
@ -742,4 +749,8 @@ struct winsize {
|
|||||||
#define INET6_ADDRSTRLEN 46
|
#define INET6_ADDRSTRLEN 46
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifndef SSH_IOBUFSZ
|
||||||
|
# define SSH_IOBUFSZ 8192
|
||||||
|
#endif
|
||||||
|
|
||||||
#endif /* _DEFINES_H */
|
#endif /* _DEFINES_H */
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: gss-genr.c,v 1.19 2007/06/12 11:56:15 dtucker Exp $ */
|
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
||||||
|
@ -31,7 +31,8 @@
|
|||||||
#endif
|
#endif
|
||||||
#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \
|
#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \
|
||||||
defined(GLOB_HAS_GL_MATCHC) && \
|
defined(GLOB_HAS_GL_MATCHC) && \
|
||||||
defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0
|
defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0 && \
|
||||||
|
!defined(BROKEN_GLOB)
|
||||||
# include <glob.h>
|
# include <glob.h>
|
||||||
#endif
|
#endif
|
||||||
#ifdef HAVE_ENDIAN_H
|
#ifdef HAVE_ENDIAN_H
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: jpake.c,v 1.1 2008/11/04 08:22:12 djm Exp $ */
|
/* $OpenBSD: jpake.c,v 1.2 2009/03/05 07:18:19 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||||
*
|
*
|
||||||
@ -47,6 +47,7 @@
|
|||||||
#include "log.h"
|
#include "log.h"
|
||||||
|
|
||||||
#include "jpake.h"
|
#include "jpake.h"
|
||||||
|
#include "schnorr.h"
|
||||||
|
|
||||||
#ifdef JPAKE
|
#ifdef JPAKE
|
||||||
|
|
||||||
@ -60,165 +61,10 @@
|
|||||||
"98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB" \
|
"98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB" \
|
||||||
"9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
|
"9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
|
||||||
|
|
||||||
struct jpake_group *
|
struct modp_group *
|
||||||
jpake_default_group(void)
|
jpake_default_group(void)
|
||||||
{
|
{
|
||||||
struct jpake_group *ret;
|
return modp_group_from_g_and_safe_p(JPAKE_GROUP_G, JPAKE_GROUP_P);
|
||||||
|
|
||||||
ret = xmalloc(sizeof(*ret));
|
|
||||||
ret->p = ret->q = ret->g = NULL;
|
|
||||||
if (BN_hex2bn(&ret->p, JPAKE_GROUP_P) == 0 ||
|
|
||||||
BN_hex2bn(&ret->g, JPAKE_GROUP_G) == 0)
|
|
||||||
fatal("%s: BN_hex2bn", __func__);
|
|
||||||
/* Subgroup order is p/2 (p is a safe prime) */
|
|
||||||
if ((ret->q = BN_new()) == NULL)
|
|
||||||
fatal("%s: BN_new", __func__);
|
|
||||||
if (BN_rshift1(ret->q, ret->p) != 1)
|
|
||||||
fatal("%s: BN_rshift1", __func__);
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Generate uniformly distributed random number in range (1, high).
|
|
||||||
* Return number on success, NULL on failure.
|
|
||||||
*/
|
|
||||||
BIGNUM *
|
|
||||||
bn_rand_range_gt_one(const BIGNUM *high)
|
|
||||||
{
|
|
||||||
BIGNUM *r, *tmp;
|
|
||||||
int success = -1;
|
|
||||||
|
|
||||||
if ((tmp = BN_new()) == NULL) {
|
|
||||||
error("%s: BN_new", __func__);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
if ((r = BN_new()) == NULL) {
|
|
||||||
error("%s: BN_new failed", __func__);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
if (BN_set_word(tmp, 2) != 1) {
|
|
||||||
error("%s: BN_set_word(tmp, 2)", __func__);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
if (BN_sub(tmp, high, tmp) == -1) {
|
|
||||||
error("%s: BN_sub failed (tmp = high - 2)", __func__);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
if (BN_rand_range(r, tmp) == -1) {
|
|
||||||
error("%s: BN_rand_range failed", __func__);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
if (BN_set_word(tmp, 2) != 1) {
|
|
||||||
error("%s: BN_set_word(tmp, 2)", __func__);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
if (BN_add(r, r, tmp) == -1) {
|
|
||||||
error("%s: BN_add failed (r = r + 2)", __func__);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
success = 0;
|
|
||||||
out:
|
|
||||||
BN_clear_free(tmp);
|
|
||||||
if (success == 0)
|
|
||||||
return r;
|
|
||||||
BN_clear_free(r);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Hash contents of buffer 'b' with hash 'md'. Returns 0 on success,
|
|
||||||
* with digest via 'digestp' (caller to free) and length via 'lenp'.
|
|
||||||
* Returns -1 on failure.
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
hash_buffer(const u_char *buf, u_int len, const EVP_MD *md,
|
|
||||||
u_char **digestp, u_int *lenp)
|
|
||||||
{
|
|
||||||
u_char digest[EVP_MAX_MD_SIZE];
|
|
||||||
u_int digest_len;
|
|
||||||
EVP_MD_CTX evp_md_ctx;
|
|
||||||
int success = -1;
|
|
||||||
|
|
||||||
EVP_MD_CTX_init(&evp_md_ctx);
|
|
||||||
|
|
||||||
if (EVP_DigestInit_ex(&evp_md_ctx, md, NULL) != 1) {
|
|
||||||
error("%s: EVP_DigestInit_ex", __func__);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
if (EVP_DigestUpdate(&evp_md_ctx, buf, len) != 1) {
|
|
||||||
error("%s: EVP_DigestUpdate", __func__);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
if (EVP_DigestFinal_ex(&evp_md_ctx, digest, &digest_len) != 1) {
|
|
||||||
error("%s: EVP_DigestFinal_ex", __func__);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
*digestp = xmalloc(digest_len);
|
|
||||||
*lenp = digest_len;
|
|
||||||
memcpy(*digestp, digest, *lenp);
|
|
||||||
success = 0;
|
|
||||||
out:
|
|
||||||
EVP_MD_CTX_cleanup(&evp_md_ctx);
|
|
||||||
bzero(digest, sizeof(digest));
|
|
||||||
digest_len = 0;
|
|
||||||
return success;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* print formatted string followed by bignum */
|
|
||||||
void
|
|
||||||
jpake_debug3_bn(const BIGNUM *n, const char *fmt, ...)
|
|
||||||
{
|
|
||||||
char *out, *h;
|
|
||||||
va_list args;
|
|
||||||
|
|
||||||
out = NULL;
|
|
||||||
va_start(args, fmt);
|
|
||||||
vasprintf(&out, fmt, args);
|
|
||||||
va_end(args);
|
|
||||||
if (out == NULL)
|
|
||||||
fatal("%s: vasprintf failed", __func__);
|
|
||||||
|
|
||||||
if (n == NULL)
|
|
||||||
debug3("%s(null)", out);
|
|
||||||
else {
|
|
||||||
h = BN_bn2hex(n);
|
|
||||||
debug3("%s0x%s", out, h);
|
|
||||||
free(h);
|
|
||||||
}
|
|
||||||
free(out);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* print formatted string followed by buffer contents in hex */
|
|
||||||
void
|
|
||||||
jpake_debug3_buf(const u_char *buf, u_int len, const char *fmt, ...)
|
|
||||||
{
|
|
||||||
char *out, h[65];
|
|
||||||
u_int i, j;
|
|
||||||
va_list args;
|
|
||||||
|
|
||||||
out = NULL;
|
|
||||||
va_start(args, fmt);
|
|
||||||
vasprintf(&out, fmt, args);
|
|
||||||
va_end(args);
|
|
||||||
if (out == NULL)
|
|
||||||
fatal("%s: vasprintf failed", __func__);
|
|
||||||
|
|
||||||
debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : "");
|
|
||||||
free(out);
|
|
||||||
if (buf == NULL)
|
|
||||||
return;
|
|
||||||
|
|
||||||
*h = '\0';
|
|
||||||
for (i = j = 0; i < len; i++) {
|
|
||||||
snprintf(h + j, sizeof(h) - j, "%02x", buf[i]);
|
|
||||||
j += 2;
|
|
||||||
if (j >= sizeof(h) - 1 || i == len - 1) {
|
|
||||||
debug3(" %s", h);
|
|
||||||
*h = '\0';
|
|
||||||
j = 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
struct jpake_ctx *
|
struct jpake_ctx *
|
||||||
@ -243,7 +89,6 @@ jpake_new(void)
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
void
|
void
|
||||||
jpake_free(struct jpake_ctx *pctx)
|
jpake_free(struct jpake_ctx *pctx)
|
||||||
{
|
{
|
||||||
@ -344,7 +189,7 @@ jpake_dump(struct jpake_ctx *pctx, const char *fmt, ...)
|
|||||||
|
|
||||||
/* Shared parts of step 1 exchange calculation */
|
/* Shared parts of step 1 exchange calculation */
|
||||||
void
|
void
|
||||||
jpake_step1(struct jpake_group *grp,
|
jpake_step1(struct modp_group *grp,
|
||||||
u_char **id, u_int *id_len,
|
u_char **id, u_int *id_len,
|
||||||
BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
|
BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
|
||||||
u_char **priv1_proof, u_int *priv1_proof_len,
|
u_char **priv1_proof, u_int *priv1_proof_len,
|
||||||
@ -383,11 +228,11 @@ jpake_step1(struct jpake_group *grp,
|
|||||||
fatal("%s: BN_mod_exp", __func__);
|
fatal("%s: BN_mod_exp", __func__);
|
||||||
|
|
||||||
/* Generate proofs for holding x1/x3 and x2/x4 */
|
/* Generate proofs for holding x1/x3 and x2/x4 */
|
||||||
if (schnorr_sign(grp->p, grp->q, grp->g,
|
if (schnorr_sign_buf(grp->p, grp->q, grp->g,
|
||||||
*priv1, *g_priv1, *id, *id_len,
|
*priv1, *g_priv1, *id, *id_len,
|
||||||
priv1_proof, priv1_proof_len) != 0)
|
priv1_proof, priv1_proof_len) != 0)
|
||||||
fatal("%s: schnorr_sign", __func__);
|
fatal("%s: schnorr_sign", __func__);
|
||||||
if (schnorr_sign(grp->p, grp->q, grp->g,
|
if (schnorr_sign_buf(grp->p, grp->q, grp->g,
|
||||||
*priv2, *g_priv2, *id, *id_len,
|
*priv2, *g_priv2, *id, *id_len,
|
||||||
priv2_proof, priv2_proof_len) != 0)
|
priv2_proof, priv2_proof_len) != 0)
|
||||||
fatal("%s: schnorr_sign", __func__);
|
fatal("%s: schnorr_sign", __func__);
|
||||||
@ -397,7 +242,7 @@ jpake_step1(struct jpake_group *grp,
|
|||||||
|
|
||||||
/* Shared parts of step 2 exchange calculation */
|
/* Shared parts of step 2 exchange calculation */
|
||||||
void
|
void
|
||||||
jpake_step2(struct jpake_group *grp, BIGNUM *s,
|
jpake_step2(struct modp_group *grp, BIGNUM *s,
|
||||||
BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
|
BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
|
||||||
const u_char *theirid, u_int theirid_len,
|
const u_char *theirid, u_int theirid_len,
|
||||||
const u_char *myid, u_int myid_len,
|
const u_char *myid, u_int myid_len,
|
||||||
@ -415,10 +260,10 @@ jpake_step2(struct jpake_group *grp, BIGNUM *s,
|
|||||||
if (BN_cmp(theirpub2, BN_value_one()) <= 0)
|
if (BN_cmp(theirpub2, BN_value_one()) <= 0)
|
||||||
fatal("%s: theirpub2 <= 1", __func__);
|
fatal("%s: theirpub2 <= 1", __func__);
|
||||||
|
|
||||||
if (schnorr_verify(grp->p, grp->q, grp->g, theirpub1,
|
if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub1,
|
||||||
theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1)
|
theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1)
|
||||||
fatal("%s: schnorr_verify theirpub1 failed", __func__);
|
fatal("%s: schnorr_verify theirpub1 failed", __func__);
|
||||||
if (schnorr_verify(grp->p, grp->q, grp->g, theirpub2,
|
if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub2,
|
||||||
theirid, theirid_len, theirpub2_proof, theirpub2_proof_len) != 1)
|
theirid, theirid_len, theirpub2_proof, theirpub2_proof_len) != 1)
|
||||||
fatal("%s: schnorr_verify theirpub2 failed", __func__);
|
fatal("%s: schnorr_verify theirpub2 failed", __func__);
|
||||||
|
|
||||||
@ -459,7 +304,7 @@ jpake_step2(struct jpake_group *grp, BIGNUM *s,
|
|||||||
JPAKE_DEBUG_BN((exponent, "%s: exponent = ", __func__));
|
JPAKE_DEBUG_BN((exponent, "%s: exponent = ", __func__));
|
||||||
|
|
||||||
/* Note the generator here is 'tmp', not g */
|
/* Note the generator here is 'tmp', not g */
|
||||||
if (schnorr_sign(grp->p, grp->q, tmp, exponent, *newpub,
|
if (schnorr_sign_buf(grp->p, grp->q, tmp, exponent, *newpub,
|
||||||
myid, myid_len,
|
myid, myid_len,
|
||||||
newpub_exponent_proof, newpub_exponent_proof_len) != 0)
|
newpub_exponent_proof, newpub_exponent_proof_len) != 0)
|
||||||
fatal("%s: schnorr_sign newpub", __func__);
|
fatal("%s: schnorr_sign newpub", __func__);
|
||||||
@ -496,7 +341,7 @@ jpake_confirm_hash(const BIGNUM *k,
|
|||||||
|
|
||||||
/* Shared parts of key derivation and confirmation calculation */
|
/* Shared parts of key derivation and confirmation calculation */
|
||||||
void
|
void
|
||||||
jpake_key_confirm(struct jpake_group *grp, BIGNUM *s, BIGNUM *step2_val,
|
jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val,
|
||||||
BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
|
BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
|
||||||
BIGNUM *theirpub1, BIGNUM *theirpub2,
|
BIGNUM *theirpub1, BIGNUM *theirpub2,
|
||||||
const u_char *my_id, u_int my_id_len,
|
const u_char *my_id, u_int my_id_len,
|
||||||
@ -531,7 +376,7 @@ jpake_key_confirm(struct jpake_group *grp, BIGNUM *s, BIGNUM *step2_val,
|
|||||||
|
|
||||||
JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__));
|
JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__));
|
||||||
|
|
||||||
if (schnorr_verify(grp->p, grp->q, tmp, step2_val,
|
if (schnorr_verify_buf(grp->p, grp->q, tmp, step2_val,
|
||||||
their_id, their_id_len,
|
their_id, their_id_len,
|
||||||
theirpriv2_s_proof, theirpriv2_s_proof_len) != 1)
|
theirpriv2_s_proof, theirpriv2_s_proof_len) != 1)
|
||||||
fatal("%s: schnorr_verify theirpriv2_s_proof failed", __func__);
|
fatal("%s: schnorr_verify theirpriv2_s_proof failed", __func__);
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: jpake.h,v 1.1 2008/11/04 08:22:13 djm Exp $ */
|
/* $OpenBSD: jpake.h,v 1.2 2009/03/05 07:18:19 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||||
*
|
*
|
||||||
@ -28,20 +28,16 @@
|
|||||||
# define JPAKE_DEBUG_BUF(a)
|
# define JPAKE_DEBUG_BUF(a)
|
||||||
# define JPAKE_DEBUG_CTX(a)
|
# define JPAKE_DEBUG_CTX(a)
|
||||||
#else
|
#else
|
||||||
# define JPAKE_DEBUG_BN(a) jpake_debug3_bn a
|
# define JPAKE_DEBUG_BN(a) debug3_bn a
|
||||||
# define JPAKE_DEBUG_BUF(a) jpake_debug3_buf a
|
# define JPAKE_DEBUG_BUF(a) debug3_buf a
|
||||||
# define JPAKE_DEBUG_CTX(a) jpake_dump a
|
# define JPAKE_DEBUG_CTX(a) jpake_dump a
|
||||||
#endif /* SCHNORR_DEBUG */
|
#endif /* JPAKE_DEBUG */
|
||||||
|
|
||||||
struct jpake_group {
|
|
||||||
BIGNUM *p, *q, *g;
|
|
||||||
};
|
|
||||||
|
|
||||||
#define KZP_ID_LEN 16 /* Length of client and server IDs */
|
#define KZP_ID_LEN 16 /* Length of client and server IDs */
|
||||||
|
|
||||||
struct jpake_ctx {
|
struct jpake_ctx {
|
||||||
/* Parameters */
|
/* Parameters */
|
||||||
struct jpake_group *grp;
|
struct modp_group *grp;
|
||||||
|
|
||||||
/* Private values shared by client and server */
|
/* Private values shared by client and server */
|
||||||
BIGNUM *s; /* Secret (salted, crypted password) */
|
BIGNUM *s; /* Secret (salted, crypted password) */
|
||||||
@ -83,26 +79,18 @@ struct jpake_ctx {
|
|||||||
};
|
};
|
||||||
|
|
||||||
/* jpake.c */
|
/* jpake.c */
|
||||||
struct jpake_group *jpake_default_group(void);
|
struct modp_group *jpake_default_group(void);
|
||||||
BIGNUM *bn_rand_range_gt_one(const BIGNUM *high);
|
|
||||||
int hash_buffer(const u_char *, u_int, const EVP_MD *, u_char **, u_int *);
|
|
||||||
void jpake_debug3_bn(const BIGNUM *, const char *, ...)
|
|
||||||
__attribute__((__nonnull__ (2)))
|
|
||||||
__attribute__((format(printf, 2, 3)));
|
|
||||||
void jpake_debug3_buf(const u_char *, u_int, const char *, ...)
|
|
||||||
__attribute__((__nonnull__ (3)))
|
|
||||||
__attribute__((format(printf, 3, 4)));
|
|
||||||
void jpake_dump(struct jpake_ctx *, const char *, ...)
|
void jpake_dump(struct jpake_ctx *, const char *, ...)
|
||||||
__attribute__((__nonnull__ (2)))
|
__attribute__((__nonnull__ (2)))
|
||||||
__attribute__((format(printf, 2, 3)));
|
__attribute__((format(printf, 2, 3)));
|
||||||
struct jpake_ctx *jpake_new(void);
|
struct jpake_ctx *jpake_new(void);
|
||||||
void jpake_free(struct jpake_ctx *);
|
void jpake_free(struct jpake_ctx *);
|
||||||
|
|
||||||
void jpake_step1(struct jpake_group *, u_char **, u_int *,
|
void jpake_step1(struct modp_group *, u_char **, u_int *,
|
||||||
BIGNUM **, BIGNUM **, BIGNUM **, BIGNUM **,
|
BIGNUM **, BIGNUM **, BIGNUM **, BIGNUM **,
|
||||||
u_char **, u_int *, u_char **, u_int *);
|
u_char **, u_int *, u_char **, u_int *);
|
||||||
|
|
||||||
void jpake_step2(struct jpake_group *, BIGNUM *,
|
void jpake_step2(struct modp_group *, BIGNUM *,
|
||||||
BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
|
BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
|
||||||
const u_char *, u_int, const u_char *, u_int,
|
const u_char *, u_int, const u_char *, u_int,
|
||||||
const u_char *, u_int, const u_char *, u_int,
|
const u_char *, u_int, const u_char *, u_int,
|
||||||
@ -113,7 +101,7 @@ void jpake_confirm_hash(const BIGNUM *,
|
|||||||
const u_char *, u_int,
|
const u_char *, u_int,
|
||||||
u_char **, u_int *);
|
u_char **, u_int *);
|
||||||
|
|
||||||
void jpake_key_confirm(struct jpake_group *, BIGNUM *, BIGNUM *,
|
void jpake_key_confirm(struct modp_group *, BIGNUM *, BIGNUM *,
|
||||||
BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
|
BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
|
||||||
const u_char *, u_int, const u_char *, u_int,
|
const u_char *, u_int, const u_char *, u_int,
|
||||||
const u_char *, u_int, const u_char *, u_int,
|
const u_char *, u_int, const u_char *, u_int,
|
||||||
@ -122,13 +110,5 @@ void jpake_key_confirm(struct jpake_group *, BIGNUM *, BIGNUM *,
|
|||||||
int jpake_check_confirm(const BIGNUM *, const u_char *, u_int,
|
int jpake_check_confirm(const BIGNUM *, const u_char *, u_int,
|
||||||
const u_char *, u_int, const u_char *, u_int);
|
const u_char *, u_int, const u_char *, u_int);
|
||||||
|
|
||||||
/* schnorr.c */
|
|
||||||
int schnorr_sign(const BIGNUM *, const BIGNUM *, const BIGNUM *,
|
|
||||||
const BIGNUM *, const BIGNUM *, const u_char *, u_int ,
|
|
||||||
u_char **, u_int *);
|
|
||||||
int schnorr_verify(const BIGNUM *, const BIGNUM *, const BIGNUM *,
|
|
||||||
const BIGNUM *, const u_char *, u_int,
|
|
||||||
const u_char *, u_int);
|
|
||||||
|
|
||||||
#endif /* JPAKE_H */
|
#endif /* JPAKE_H */
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: kex.c,v 1.80 2008/09/06 12:24:13 djm Exp $ */
|
/* $OpenBSD: kex.c,v 1.81 2009/05/27 06:34:36 andreas Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||||
*
|
*
|
||||||
@ -49,8 +49,6 @@
|
|||||||
#include "dispatch.h"
|
#include "dispatch.h"
|
||||||
#include "monitor.h"
|
#include "monitor.h"
|
||||||
|
|
||||||
#define KEX_COOKIE_LEN 16
|
|
||||||
|
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
||||||
# if defined(HAVE_EVP_SHA256)
|
# if defined(HAVE_EVP_SHA256)
|
||||||
# define evp_ssh_sha256 EVP_sha256
|
# define evp_ssh_sha256 EVP_sha256
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: kex.h,v 1.46 2007/06/07 19:37:34 pvalchev Exp $ */
|
/* $OpenBSD: kex.h,v 1.47 2009/05/27 06:34:36 andreas Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||||
@ -30,6 +30,8 @@
|
|||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/hmac.h>
|
#include <openssl/hmac.h>
|
||||||
|
|
||||||
|
#define KEX_COOKIE_LEN 16
|
||||||
|
|
||||||
#define KEX_DH1 "diffie-hellman-group1-sha1"
|
#define KEX_DH1 "diffie-hellman-group1-sha1"
|
||||||
#define KEX_DH14 "diffie-hellman-group14-sha1"
|
#define KEX_DH14 "diffie-hellman-group14-sha1"
|
||||||
#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
|
#define KEX_DHGEX_SHA1 "diffie-hellman-group-exchange-sha1"
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: kexdhs.c,v 1.9 2006/11/06 21:25:28 markus Exp $ */
|
/* $OpenBSD: kexdhs.c,v 1.10 2009/06/21 07:37:15 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||||
*
|
*
|
||||||
@ -137,7 +137,9 @@ kexdh_server(Kex *kex)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* sign H */
|
/* sign H */
|
||||||
PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
|
if (PRIVSEP(key_sign(server_host_key, &signature, &slen, hash,
|
||||||
|
hashlen)) < 0)
|
||||||
|
fatal("kexdh_server: key_sign failed");
|
||||||
|
|
||||||
/* destroy_sensitive_data(); */
|
/* destroy_sensitive_data(); */
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: kexgexs.c,v 1.11 2009/01/01 21:17:36 djm Exp $ */
|
/* $OpenBSD: kexgexs.c,v 1.12 2009/06/21 07:37:15 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||||
@ -179,7 +179,9 @@ kexgex_server(Kex *kex)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* sign H */
|
/* sign H */
|
||||||
PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
|
if (PRIVSEP(key_sign(server_host_key, &signature, &slen, hash,
|
||||||
|
hashlen)) < 0)
|
||||||
|
fatal("kexgex_server: key_sign failed");
|
||||||
|
|
||||||
/* destroy_sensitive_data(); */
|
/* destroy_sensitive_data(); */
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: monitor.c,v 1.101 2009/02/12 03:26:22 djm Exp $ */
|
/* $OpenBSD: monitor.c,v 1.104 2009/06/12 20:43:22 andreas Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||||
@ -88,6 +88,7 @@
|
|||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
#include "ssh2.h"
|
#include "ssh2.h"
|
||||||
#include "jpake.h"
|
#include "jpake.h"
|
||||||
|
#include "roaming.h"
|
||||||
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
static Gssctxt *gsscontext = NULL;
|
static Gssctxt *gsscontext = NULL;
|
||||||
@ -100,7 +101,6 @@ extern Newkeys *current_keys[];
|
|||||||
extern z_stream incoming_stream;
|
extern z_stream incoming_stream;
|
||||||
extern z_stream outgoing_stream;
|
extern z_stream outgoing_stream;
|
||||||
extern u_char session_id[];
|
extern u_char session_id[];
|
||||||
extern Buffer input, output;
|
|
||||||
extern Buffer auth_debug;
|
extern Buffer auth_debug;
|
||||||
extern int auth_debug_init;
|
extern int auth_debug_init;
|
||||||
extern Buffer loginmsg;
|
extern Buffer loginmsg;
|
||||||
@ -126,6 +126,8 @@ struct {
|
|||||||
u_int ilen;
|
u_int ilen;
|
||||||
u_char *output;
|
u_char *output;
|
||||||
u_int olen;
|
u_int olen;
|
||||||
|
u_int64_t sent_bytes;
|
||||||
|
u_int64_t recv_bytes;
|
||||||
} child_state;
|
} child_state;
|
||||||
|
|
||||||
/* Functions on the monitor that answer unprivileged requests */
|
/* Functions on the monitor that answer unprivileged requests */
|
||||||
@ -1670,15 +1672,20 @@ monitor_apply_keystate(struct monitor *pmonitor)
|
|||||||
|
|
||||||
/* Network I/O buffers */
|
/* Network I/O buffers */
|
||||||
/* XXX inefficient for large buffers, need: buffer_init_from_string */
|
/* XXX inefficient for large buffers, need: buffer_init_from_string */
|
||||||
buffer_clear(&input);
|
buffer_clear(packet_get_input());
|
||||||
buffer_append(&input, child_state.input, child_state.ilen);
|
buffer_append(packet_get_input(), child_state.input, child_state.ilen);
|
||||||
memset(child_state.input, 0, child_state.ilen);
|
memset(child_state.input, 0, child_state.ilen);
|
||||||
xfree(child_state.input);
|
xfree(child_state.input);
|
||||||
|
|
||||||
buffer_clear(&output);
|
buffer_clear(packet_get_output());
|
||||||
buffer_append(&output, child_state.output, child_state.olen);
|
buffer_append(packet_get_output(), child_state.output,
|
||||||
|
child_state.olen);
|
||||||
memset(child_state.output, 0, child_state.olen);
|
memset(child_state.output, 0, child_state.olen);
|
||||||
xfree(child_state.output);
|
xfree(child_state.output);
|
||||||
|
|
||||||
|
/* Roaming */
|
||||||
|
if (compat20)
|
||||||
|
roam_set_bytes(child_state.sent_bytes, child_state.recv_bytes);
|
||||||
}
|
}
|
||||||
|
|
||||||
static Kex *
|
static Kex *
|
||||||
@ -1794,6 +1801,12 @@ mm_get_keystate(struct monitor *pmonitor)
|
|||||||
child_state.input = buffer_get_string(&m, &child_state.ilen);
|
child_state.input = buffer_get_string(&m, &child_state.ilen);
|
||||||
child_state.output = buffer_get_string(&m, &child_state.olen);
|
child_state.output = buffer_get_string(&m, &child_state.olen);
|
||||||
|
|
||||||
|
/* Roaming */
|
||||||
|
if (compat20) {
|
||||||
|
child_state.sent_bytes = buffer_get_int64(&m);
|
||||||
|
child_state.recv_bytes = buffer_get_int64(&m);
|
||||||
|
}
|
||||||
|
|
||||||
buffer_free(&m);
|
buffer_free(&m);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: monitor_mm.c,v 1.15 2006/08/03 03:34:42 deraadt Exp $ */
|
/* $OpenBSD: monitor_mm.c,v 1.16 2009/06/22 05:39:28 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: monitor_wrap.c,v 1.64 2008/11/04 08:22:13 djm Exp $ */
|
/* $OpenBSD: monitor_wrap.c,v 1.68 2009/06/22 05:39:28 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||||
@ -71,19 +71,19 @@
|
|||||||
#include "atomicio.h"
|
#include "atomicio.h"
|
||||||
#include "monitor_fdpass.h"
|
#include "monitor_fdpass.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
|
#include "schnorr.h"
|
||||||
#include "jpake.h"
|
#include "jpake.h"
|
||||||
|
|
||||||
#include "channels.h"
|
#include "channels.h"
|
||||||
#include "session.h"
|
#include "session.h"
|
||||||
#include "servconf.h"
|
#include "servconf.h"
|
||||||
|
#include "roaming.h"
|
||||||
|
|
||||||
/* Imports */
|
/* Imports */
|
||||||
extern int compat20;
|
extern int compat20;
|
||||||
extern Newkeys *newkeys[];
|
|
||||||
extern z_stream incoming_stream;
|
extern z_stream incoming_stream;
|
||||||
extern z_stream outgoing_stream;
|
extern z_stream outgoing_stream;
|
||||||
extern struct monitor *pmonitor;
|
extern struct monitor *pmonitor;
|
||||||
extern Buffer input, output;
|
|
||||||
extern Buffer loginmsg;
|
extern Buffer loginmsg;
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
|
|
||||||
@ -508,7 +508,7 @@ mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp)
|
|||||||
Enc *enc;
|
Enc *enc;
|
||||||
Mac *mac;
|
Mac *mac;
|
||||||
Comp *comp;
|
Comp *comp;
|
||||||
Newkeys *newkey = newkeys[mode];
|
Newkeys *newkey = (Newkeys *)packet_get_newkeys(mode);
|
||||||
|
|
||||||
debug3("%s: converting %p", __func__, newkey);
|
debug3("%s: converting %p", __func__, newkey);
|
||||||
|
|
||||||
@ -570,7 +570,7 @@ mm_send_kex(Buffer *m, Kex *kex)
|
|||||||
void
|
void
|
||||||
mm_send_keystate(struct monitor *monitor)
|
mm_send_keystate(struct monitor *monitor)
|
||||||
{
|
{
|
||||||
Buffer m;
|
Buffer m, *input, *output;
|
||||||
u_char *blob, *p;
|
u_char *blob, *p;
|
||||||
u_int bloblen, plen;
|
u_int bloblen, plen;
|
||||||
u_int32_t seqnr, packets;
|
u_int32_t seqnr, packets;
|
||||||
@ -608,7 +608,8 @@ mm_send_keystate(struct monitor *monitor)
|
|||||||
}
|
}
|
||||||
|
|
||||||
debug3("%s: Sending new keys: %p %p",
|
debug3("%s: Sending new keys: %p %p",
|
||||||
__func__, newkeys[MODE_OUT], newkeys[MODE_IN]);
|
__func__, packet_get_newkeys(MODE_OUT),
|
||||||
|
packet_get_newkeys(MODE_IN));
|
||||||
|
|
||||||
/* Keys from Kex */
|
/* Keys from Kex */
|
||||||
if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen))
|
if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen))
|
||||||
@ -655,8 +656,16 @@ mm_send_keystate(struct monitor *monitor)
|
|||||||
buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream));
|
buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream));
|
||||||
|
|
||||||
/* Network I/O buffers */
|
/* Network I/O buffers */
|
||||||
buffer_put_string(&m, buffer_ptr(&input), buffer_len(&input));
|
input = (Buffer *)packet_get_input();
|
||||||
buffer_put_string(&m, buffer_ptr(&output), buffer_len(&output));
|
output = (Buffer *)packet_get_output();
|
||||||
|
buffer_put_string(&m, buffer_ptr(input), buffer_len(input));
|
||||||
|
buffer_put_string(&m, buffer_ptr(output), buffer_len(output));
|
||||||
|
|
||||||
|
/* Roaming */
|
||||||
|
if (compat20) {
|
||||||
|
buffer_put_int64(&m, get_sent_bytes());
|
||||||
|
buffer_put_int64(&m, get_recv_bytes());
|
||||||
|
}
|
||||||
|
|
||||||
mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m);
|
mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m);
|
||||||
debug3("%s: Finished sending state", __func__);
|
debug3("%s: Finished sending state", __func__);
|
||||||
@ -1282,7 +1291,7 @@ mm_auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
|
|||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
mm_jpake_step1(struct jpake_group *grp,
|
mm_jpake_step1(struct modp_group *grp,
|
||||||
u_char **id, u_int *id_len,
|
u_char **id, u_int *id_len,
|
||||||
BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
|
BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
|
||||||
u_char **priv1_proof, u_int *priv1_proof_len,
|
u_char **priv1_proof, u_int *priv1_proof_len,
|
||||||
@ -1317,7 +1326,7 @@ mm_jpake_step1(struct jpake_group *grp,
|
|||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
mm_jpake_step2(struct jpake_group *grp, BIGNUM *s,
|
mm_jpake_step2(struct modp_group *grp, BIGNUM *s,
|
||||||
BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
|
BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
|
||||||
const u_char *theirid, u_int theirid_len,
|
const u_char *theirid, u_int theirid_len,
|
||||||
const u_char *myid, u_int myid_len,
|
const u_char *myid, u_int myid_len,
|
||||||
@ -1357,7 +1366,7 @@ mm_jpake_step2(struct jpake_group *grp, BIGNUM *s,
|
|||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
mm_jpake_key_confirm(struct jpake_group *grp, BIGNUM *s, BIGNUM *step2_val,
|
mm_jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val,
|
||||||
BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
|
BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
|
||||||
BIGNUM *theirpub1, BIGNUM *theirpub2,
|
BIGNUM *theirpub1, BIGNUM *theirpub2,
|
||||||
const u_char *my_id, u_int my_id_len,
|
const u_char *my_id, u_int my_id_len,
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: monitor_wrap.h,v 1.21 2008/11/04 08:22:13 djm Exp $ */
|
/* $OpenBSD: monitor_wrap.h,v 1.22 2009/03/05 07:18:19 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||||
@ -102,17 +102,17 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
|
|||||||
int mm_skey_respond(void *, u_int, char **);
|
int mm_skey_respond(void *, u_int, char **);
|
||||||
|
|
||||||
/* jpake */
|
/* jpake */
|
||||||
struct jpake_group;
|
struct modp_group;
|
||||||
void mm_auth2_jpake_get_pwdata(struct Authctxt *, BIGNUM **, char **, char **);
|
void mm_auth2_jpake_get_pwdata(struct Authctxt *, BIGNUM **, char **, char **);
|
||||||
void mm_jpake_step1(struct jpake_group *, u_char **, u_int *,
|
void mm_jpake_step1(struct modp_group *, u_char **, u_int *,
|
||||||
BIGNUM **, BIGNUM **, BIGNUM **, BIGNUM **,
|
BIGNUM **, BIGNUM **, BIGNUM **, BIGNUM **,
|
||||||
u_char **, u_int *, u_char **, u_int *);
|
u_char **, u_int *, u_char **, u_int *);
|
||||||
void mm_jpake_step2(struct jpake_group *, BIGNUM *,
|
void mm_jpake_step2(struct modp_group *, BIGNUM *,
|
||||||
BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
|
BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
|
||||||
const u_char *, u_int, const u_char *, u_int,
|
const u_char *, u_int, const u_char *, u_int,
|
||||||
const u_char *, u_int, const u_char *, u_int,
|
const u_char *, u_int, const u_char *, u_int,
|
||||||
BIGNUM **, u_char **, u_int *);
|
BIGNUM **, u_char **, u_int *);
|
||||||
void mm_jpake_key_confirm(struct jpake_group *, BIGNUM *, BIGNUM *,
|
void mm_jpake_key_confirm(struct modp_group *, BIGNUM *, BIGNUM *,
|
||||||
BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
|
BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
|
||||||
const u_char *, u_int, const u_char *, u_int,
|
const u_char *, u_int, const u_char *, u_int,
|
||||||
const u_char *, u_int, const u_char *, u_int,
|
const u_char *, u_int, const u_char *, u_int,
|
||||||
|
@ -39,9 +39,6 @@
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/stat.h>
|
|
||||||
#include <sys/utsname.h>
|
|
||||||
#include <sys/vfs.h>
|
|
||||||
|
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
@ -49,11 +46,6 @@
|
|||||||
#include <windows.h>
|
#include <windows.h>
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#define is_winnt (GetVersion() < 0x80000000)
|
|
||||||
|
|
||||||
#define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec"))
|
|
||||||
#define ntsec_off(c) ((c) && strstr((c),"nontsec"))
|
|
||||||
#define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
|
|
||||||
|
|
||||||
int
|
int
|
||||||
binary_open(const char *filename, int flags, ...)
|
binary_open(const char *filename, int flags, ...)
|
||||||
@ -79,128 +71,12 @@ binary_pipe(int fd[2])
|
|||||||
return (ret);
|
return (ret);
|
||||||
}
|
}
|
||||||
|
|
||||||
#define HAS_CREATE_TOKEN 1
|
|
||||||
#define HAS_NTSEC_BY_DEFAULT 2
|
|
||||||
#define HAS_CREATE_TOKEN_WO_NTSEC 3
|
|
||||||
|
|
||||||
static int
|
|
||||||
has_capability(int what)
|
|
||||||
{
|
|
||||||
static int inited;
|
|
||||||
static int has_create_token;
|
|
||||||
static int has_ntsec_by_default;
|
|
||||||
static int has_create_token_wo_ntsec;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* has_capability() basically calls uname() and checks if
|
|
||||||
* specific capabilities of Cygwin can be evaluated from that.
|
|
||||||
* This simplifies the calling functions which only have to ask
|
|
||||||
* for a capability using has_capability() instead of having
|
|
||||||
* to figure that out by themselves.
|
|
||||||
*/
|
|
||||||
if (!inited) {
|
|
||||||
struct utsname uts;
|
|
||||||
|
|
||||||
if (!uname(&uts)) {
|
|
||||||
int major_high = 0, major_low = 0, minor = 0;
|
|
||||||
int api_major_version = 0, api_minor_version = 0;
|
|
||||||
char *c;
|
|
||||||
|
|
||||||
sscanf(uts.release, "%d.%d.%d", &major_high,
|
|
||||||
&major_low, &minor);
|
|
||||||
if ((c = strchr(uts.release, '(')) != NULL) {
|
|
||||||
sscanf(c + 1, "%d.%d", &api_major_version,
|
|
||||||
&api_minor_version);
|
|
||||||
}
|
|
||||||
if (major_high > 1 ||
|
|
||||||
(major_high == 1 && (major_low > 3 ||
|
|
||||||
(major_low == 3 && minor >= 2))))
|
|
||||||
has_create_token = 1;
|
|
||||||
if (api_major_version > 0 || api_minor_version >= 56)
|
|
||||||
has_ntsec_by_default = 1;
|
|
||||||
if (major_high > 1 ||
|
|
||||||
(major_high == 1 && major_low >= 5))
|
|
||||||
has_create_token_wo_ntsec = 1;
|
|
||||||
inited = 1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
switch (what) {
|
|
||||||
case HAS_CREATE_TOKEN:
|
|
||||||
return (has_create_token);
|
|
||||||
case HAS_NTSEC_BY_DEFAULT:
|
|
||||||
return (has_ntsec_by_default);
|
|
||||||
case HAS_CREATE_TOKEN_WO_NTSEC:
|
|
||||||
return (has_create_token_wo_ntsec);
|
|
||||||
}
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
check_nt_auth(int pwd_authenticated, struct passwd *pw)
|
|
||||||
{
|
|
||||||
/*
|
|
||||||
* The only authentication which is able to change the user
|
|
||||||
* context on NT systems is the password authentication. So
|
|
||||||
* we deny all requsts for changing the user context if another
|
|
||||||
* authentication method is used.
|
|
||||||
*
|
|
||||||
* This doesn't apply to Cygwin versions >= 1.3.2 anymore which
|
|
||||||
* uses the undocumented NtCreateToken() call to create a user
|
|
||||||
* token if the process has the appropriate privileges and if
|
|
||||||
* CYGWIN ntsec setting is on.
|
|
||||||
*/
|
|
||||||
static int has_create_token = -1;
|
|
||||||
|
|
||||||
if (pw == NULL)
|
|
||||||
return 0;
|
|
||||||
if (is_winnt) {
|
|
||||||
if (has_create_token < 0) {
|
|
||||||
char *cygwin = getenv("CYGWIN");
|
|
||||||
|
|
||||||
has_create_token = 0;
|
|
||||||
if (has_capability(HAS_CREATE_TOKEN) &&
|
|
||||||
(ntsec_on(cygwin) ||
|
|
||||||
(has_capability(HAS_NTSEC_BY_DEFAULT) &&
|
|
||||||
!ntsec_off(cygwin)) ||
|
|
||||||
has_capability(HAS_CREATE_TOKEN_WO_NTSEC)))
|
|
||||||
has_create_token = 1;
|
|
||||||
}
|
|
||||||
if (has_create_token < 1 &&
|
|
||||||
!pwd_authenticated && geteuid() != pw->pw_uid)
|
|
||||||
return (0);
|
|
||||||
}
|
|
||||||
return (1);
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
int
|
||||||
check_ntsec(const char *filename)
|
check_ntsec(const char *filename)
|
||||||
{
|
{
|
||||||
return (pathconf(filename, _PC_POSIX_PERMISSIONS));
|
return (pathconf(filename, _PC_POSIX_PERMISSIONS));
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
|
||||||
register_9x_service(void)
|
|
||||||
{
|
|
||||||
HINSTANCE kerneldll;
|
|
||||||
DWORD (*RegisterServiceProcess)(DWORD, DWORD);
|
|
||||||
|
|
||||||
/* The service register mechanism in 9x/Me is pretty different from
|
|
||||||
* NT/2K/XP. In NT/2K/XP we're using a special service starter
|
|
||||||
* application to register and control sshd as service. This method
|
|
||||||
* doesn't play nicely with 9x/Me. For that reason we register here
|
|
||||||
* as service when running under 9x/Me. This function is only called
|
|
||||||
* by the child sshd when it's going to daemonize.
|
|
||||||
*/
|
|
||||||
if (is_winnt)
|
|
||||||
return;
|
|
||||||
if (!(kerneldll = LoadLibrary("KERNEL32.DLL")))
|
|
||||||
return;
|
|
||||||
if (!(RegisterServiceProcess = (DWORD (*)(DWORD, DWORD))
|
|
||||||
GetProcAddress(kerneldll, "RegisterServiceProcess")))
|
|
||||||
return;
|
|
||||||
RegisterServiceProcess(0, 1);
|
|
||||||
}
|
|
||||||
|
|
||||||
#define NL(x) x, (sizeof (x) - 1)
|
#define NL(x) x, (sizeof (x) - 1)
|
||||||
#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0]))
|
#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0]))
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $Id: bsd-cygwin_util.h,v 1.11 2004/08/30 10:42:08 dtucker Exp $ */
|
/* $Id: bsd-cygwin_util.h,v 1.12 2009/03/08 00:40:28 dtucker Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com>
|
* Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com>
|
||||||
@ -35,7 +35,6 @@
|
|||||||
#ifdef HAVE_CYGWIN
|
#ifdef HAVE_CYGWIN
|
||||||
|
|
||||||
#undef ERROR
|
#undef ERROR
|
||||||
#define is_winnt (GetVersion() < 0x80000000)
|
|
||||||
|
|
||||||
#include <windows.h>
|
#include <windows.h>
|
||||||
#include <sys/cygwin.h>
|
#include <sys/cygwin.h>
|
||||||
@ -43,9 +42,7 @@
|
|||||||
|
|
||||||
int binary_open(const char *, int , ...);
|
int binary_open(const char *, int , ...);
|
||||||
int binary_pipe(int fd[2]);
|
int binary_pipe(int fd[2]);
|
||||||
int check_nt_auth(int, struct passwd *);
|
|
||||||
int check_ntsec(const char *);
|
int check_ntsec(const char *);
|
||||||
void register_9x_service(void);
|
|
||||||
char **fetch_windows_environment(void);
|
char **fetch_windows_environment(void);
|
||||||
void free_windows_environment(char **);
|
void free_windows_environment(char **);
|
||||||
|
|
||||||
|
@ -57,18 +57,8 @@ daemon(int nochdir, int noclose)
|
|||||||
case -1:
|
case -1:
|
||||||
return (-1);
|
return (-1);
|
||||||
case 0:
|
case 0:
|
||||||
#ifdef HAVE_CYGWIN
|
|
||||||
register_9x_service();
|
|
||||||
#endif
|
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
#ifdef HAVE_CYGWIN
|
|
||||||
/*
|
|
||||||
* This sleep avoids a race condition which kills the
|
|
||||||
* child process if parent is started by a NT/W2K service.
|
|
||||||
*/
|
|
||||||
sleep(1);
|
|
||||||
#endif
|
|
||||||
_exit(0);
|
_exit(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -143,7 +143,7 @@ u_int32_t _getlong(register const u_char *);
|
|||||||
|
|
||||||
/* ************** */
|
/* ************** */
|
||||||
|
|
||||||
#define ANSWER_BUFFER_SIZE 1024*64
|
#define ANSWER_BUFFER_SIZE 0xffff
|
||||||
|
|
||||||
struct dns_query {
|
struct dns_query {
|
||||||
char *name;
|
char *name;
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $Id: openssl-compat.c,v 1.6 2008/02/28 08:13:52 dtucker Exp $ */
|
/* $Id: openssl-compat.c,v 1.8 2009/03/07 11:22:35 dtucker Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
|
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
|
||||||
@ -49,6 +49,15 @@ ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
|
||||||
|
int
|
||||||
|
ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt)
|
||||||
|
{
|
||||||
|
EVP_DigestUpdate(ctx, d, cnt);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifdef USE_OPENSSL_ENGINE
|
#ifdef USE_OPENSSL_ENGINE
|
||||||
void
|
void
|
||||||
ssh_SSLeay_add_all_algorithms(void)
|
ssh_SSLeay_add_all_algorithms(void)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $Id: openssl-compat.h,v 1.12 2008/02/28 08:22:04 dtucker Exp $ */
|
/* $Id: openssl-compat.h,v 1.14 2009/03/07 11:22:35 dtucker Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
|
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
|
||||||
@ -80,6 +80,10 @@ extern const EVP_CIPHER *evp_acss(void);
|
|||||||
# define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a))
|
# define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a))
|
||||||
# endif /* SSH_OLD_EVP */
|
# endif /* SSH_OLD_EVP */
|
||||||
|
|
||||||
|
# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
|
||||||
|
# define EVP_DigestUpdate(a,b,c) ssh_EVP_DigestUpdate((a),(b),(c))
|
||||||
|
# endif
|
||||||
|
|
||||||
# ifdef USE_OPENSSL_ENGINE
|
# ifdef USE_OPENSSL_ENGINE
|
||||||
# ifdef SSLeay_add_all_algorithms
|
# ifdef SSLeay_add_all_algorithms
|
||||||
# undef SSLeay_add_all_algorithms
|
# undef SSLeay_add_all_algorithms
|
||||||
|
@ -57,6 +57,8 @@
|
|||||||
|
|
||||||
#include "port-aix.h"
|
#include "port-aix.h"
|
||||||
|
|
||||||
|
static char *lastlogin_msg = NULL;
|
||||||
|
|
||||||
# ifdef HAVE_SETAUTHDB
|
# ifdef HAVE_SETAUTHDB
|
||||||
static char old_registry[REGISTRY_SIZE] = "";
|
static char old_registry[REGISTRY_SIZE] = "";
|
||||||
# endif
|
# endif
|
||||||
@ -276,23 +278,30 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm,
|
|||||||
Buffer *loginmsg)
|
Buffer *loginmsg)
|
||||||
{
|
{
|
||||||
char *msg = NULL;
|
char *msg = NULL;
|
||||||
static int msg_done = 0;
|
|
||||||
int success = 0;
|
int success = 0;
|
||||||
|
|
||||||
aix_setauthdb(user);
|
aix_setauthdb(user);
|
||||||
if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
|
if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
|
||||||
success = 1;
|
success = 1;
|
||||||
if (msg != NULL && loginmsg != NULL && !msg_done) {
|
if (msg != NULL) {
|
||||||
debug("AIX/loginsuccess: msg %s", msg);
|
debug("AIX/loginsuccess: msg %s", msg);
|
||||||
buffer_append(loginmsg, msg, strlen(msg));
|
if (lastlogin_msg == NULL)
|
||||||
xfree(msg);
|
lastlogin_msg = msg;
|
||||||
msg_done = 1;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
aix_restoreauthdb();
|
aix_restoreauthdb();
|
||||||
return (success);
|
return (success);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
char *
|
||||||
|
sys_auth_get_lastlogin_msg(const char *user, uid_t uid)
|
||||||
|
{
|
||||||
|
char *msg = lastlogin_msg;
|
||||||
|
|
||||||
|
lastlogin_msg = NULL;
|
||||||
|
return msg;
|
||||||
|
}
|
||||||
|
|
||||||
# ifdef CUSTOM_FAILED_LOGIN
|
# ifdef CUSTOM_FAILED_LOGIN
|
||||||
/*
|
/*
|
||||||
* record_failed_login: generic "login failed" interface function
|
* record_failed_login: generic "login failed" interface function
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $Id: port-aix.h,v 1.29 2008/03/09 05:36:55 dtucker Exp $ */
|
/* $Id: port-aix.h,v 1.31 2009/08/20 06:20:50 dtucker Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
*
|
*
|
||||||
@ -71,6 +71,11 @@ int passwdexpired(char *, char **);
|
|||||||
# include <sys/timers.h>
|
# include <sys/timers.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* for setpcred and friends */
|
||||||
|
#ifdef HAVE_USERSEC_H
|
||||||
|
# include <usersec.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* According to the setauthdb man page, AIX password registries must be 15
|
* According to the setauthdb man page, AIX password registries must be 15
|
||||||
* chars or less plus terminating NUL.
|
* chars or less plus terminating NUL.
|
||||||
@ -87,6 +92,8 @@ void aix_usrinfo(struct passwd *);
|
|||||||
int sys_auth_allowed_user(struct passwd *, Buffer *);
|
int sys_auth_allowed_user(struct passwd *, Buffer *);
|
||||||
# define CUSTOM_SYS_AUTH_RECORD_LOGIN 1
|
# define CUSTOM_SYS_AUTH_RECORD_LOGIN 1
|
||||||
int sys_auth_record_login(const char *, const char *, const char *, Buffer *);
|
int sys_auth_record_login(const char *, const char *, const char *, Buffer *);
|
||||||
|
# define CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG
|
||||||
|
char *sys_auth_get_lastlogin_msg(const char *, uid_t);
|
||||||
# define CUSTOM_FAILED_LOGIN 1
|
# define CUSTOM_FAILED_LOGIN 1
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: packet.h,v 1.49 2008/07/10 18:08:11 markus Exp $ */
|
/* $OpenBSD: packet.h,v 1.52 2009/06/27 09:29:06 andreas Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
@ -39,6 +39,7 @@ void packet_set_authenticated(void);
|
|||||||
void packet_start(u_char);
|
void packet_start(u_char);
|
||||||
void packet_put_char(int ch);
|
void packet_put_char(int ch);
|
||||||
void packet_put_int(u_int value);
|
void packet_put_int(u_int value);
|
||||||
|
void packet_put_int64(u_int64_t value);
|
||||||
void packet_put_bignum(BIGNUM * value);
|
void packet_put_bignum(BIGNUM * value);
|
||||||
void packet_put_bignum2(BIGNUM * value);
|
void packet_put_bignum2(BIGNUM * value);
|
||||||
void packet_put_string(const void *buf, u_int len);
|
void packet_put_string(const void *buf, u_int len);
|
||||||
@ -55,6 +56,7 @@ int packet_read_poll_seqnr(u_int32_t *seqnr_p);
|
|||||||
|
|
||||||
u_int packet_get_char(void);
|
u_int packet_get_char(void);
|
||||||
u_int packet_get_int(void);
|
u_int packet_get_int(void);
|
||||||
|
u_int64_t packet_get_int64(void);
|
||||||
void packet_get_bignum(BIGNUM * value);
|
void packet_get_bignum(BIGNUM * value);
|
||||||
void packet_get_bignum2(BIGNUM * value);
|
void packet_get_bignum2(BIGNUM * value);
|
||||||
void *packet_get_raw(u_int *length_ptr);
|
void *packet_get_raw(u_int *length_ptr);
|
||||||
@ -72,6 +74,7 @@ void packet_get_state(int, u_int32_t *, u_int64_t *, u_int32_t *, u_int64_t *);
|
|||||||
void packet_set_state(int, u_int32_t, u_int64_t, u_int32_t, u_int64_t);
|
void packet_set_state(int, u_int32_t, u_int64_t, u_int32_t, u_int64_t);
|
||||||
int packet_get_ssh1_cipher(void);
|
int packet_get_ssh1_cipher(void);
|
||||||
void packet_set_iv(int, u_char *);
|
void packet_set_iv(int, u_char *);
|
||||||
|
void *packet_get_newkeys(int);
|
||||||
|
|
||||||
void packet_write_poll(void);
|
void packet_write_poll(void);
|
||||||
void packet_write_wait(void);
|
void packet_write_wait(void);
|
||||||
@ -87,10 +90,10 @@ void packet_add_padding(u_char);
|
|||||||
void tty_make_modes(int, struct termios *);
|
void tty_make_modes(int, struct termios *);
|
||||||
void tty_parse_modes(int, int *);
|
void tty_parse_modes(int, int *);
|
||||||
|
|
||||||
extern u_int max_packet_size;
|
void packet_set_alive_timeouts(int);
|
||||||
extern int keep_alive_timeouts;
|
int packet_inc_alive_timeouts(void);
|
||||||
int packet_set_maxsize(u_int);
|
int packet_set_maxsize(u_int);
|
||||||
#define packet_get_maxsize() max_packet_size
|
u_int packet_get_maxsize(void);
|
||||||
|
|
||||||
/* don't allow remaining bytes after the end of the message */
|
/* don't allow remaining bytes after the end of the message */
|
||||||
#define packet_check_eom() \
|
#define packet_check_eom() \
|
||||||
@ -106,4 +109,10 @@ do { \
|
|||||||
int packet_need_rekeying(void);
|
int packet_need_rekeying(void);
|
||||||
void packet_set_rekey_limit(u_int32_t);
|
void packet_set_rekey_limit(u_int32_t);
|
||||||
|
|
||||||
|
void packet_backup_state(void);
|
||||||
|
void packet_restore_state(void);
|
||||||
|
|
||||||
|
void *packet_get_input(void);
|
||||||
|
void *packet_get_output(void);
|
||||||
|
|
||||||
#endif /* PACKET_H */
|
#endif /* PACKET_H */
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */
|
/* $OpenBSD: readconf.c,v 1.177 2009/06/27 09:35:06 andreas Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -133,7 +133,7 @@ typedef enum {
|
|||||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||||
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
|
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
|
||||||
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
|
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
|
||||||
oVisualHostKey, oZeroKnowledgePasswordAuthentication,
|
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
|
||||||
oVersionAddendum,
|
oVersionAddendum,
|
||||||
oDeprecated, oUnsupported
|
oDeprecated, oUnsupported
|
||||||
} OpCodes;
|
} OpCodes;
|
||||||
@ -232,6 +232,7 @@ static struct {
|
|||||||
{ "localcommand", oLocalCommand },
|
{ "localcommand", oLocalCommand },
|
||||||
{ "permitlocalcommand", oPermitLocalCommand },
|
{ "permitlocalcommand", oPermitLocalCommand },
|
||||||
{ "visualhostkey", oVisualHostKey },
|
{ "visualhostkey", oVisualHostKey },
|
||||||
|
{ "useroaming", oUseRoaming },
|
||||||
#ifdef JPAKE
|
#ifdef JPAKE
|
||||||
{ "zeroknowledgepasswordauthentication",
|
{ "zeroknowledgepasswordauthentication",
|
||||||
oZeroKnowledgePasswordAuthentication },
|
oZeroKnowledgePasswordAuthentication },
|
||||||
@ -931,6 +932,10 @@ process_config_line(Options *options, const char *host,
|
|||||||
intptr = &options->visual_host_key;
|
intptr = &options->visual_host_key;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
|
case oUseRoaming:
|
||||||
|
intptr = &options->use_roaming;
|
||||||
|
goto parse_flag;
|
||||||
|
|
||||||
case oVersionAddendum:
|
case oVersionAddendum:
|
||||||
ssh_version_set_addendum(strtok(s, "\n"));
|
ssh_version_set_addendum(strtok(s, "\n"));
|
||||||
do {
|
do {
|
||||||
@ -1087,6 +1092,7 @@ initialize_options(Options * options)
|
|||||||
options->tun_remote = -1;
|
options->tun_remote = -1;
|
||||||
options->local_command = NULL;
|
options->local_command = NULL;
|
||||||
options->permit_local_command = -1;
|
options->permit_local_command = -1;
|
||||||
|
options->use_roaming = -1;
|
||||||
options->visual_host_key = -1;
|
options->visual_host_key = -1;
|
||||||
options->zero_knowledge_password_authentication = -1;
|
options->zero_knowledge_password_authentication = -1;
|
||||||
}
|
}
|
||||||
@ -1223,6 +1229,8 @@ fill_default_options(Options * options)
|
|||||||
options->tun_remote = SSH_TUNID_ANY;
|
options->tun_remote = SSH_TUNID_ANY;
|
||||||
if (options->permit_local_command == -1)
|
if (options->permit_local_command == -1)
|
||||||
options->permit_local_command = 0;
|
options->permit_local_command = 0;
|
||||||
|
if (options->use_roaming == -1)
|
||||||
|
options->use_roaming = 1;
|
||||||
if (options->visual_host_key == -1)
|
if (options->visual_host_key == -1)
|
||||||
options->visual_host_key = 0;
|
options->visual_host_key = 0;
|
||||||
if (options->zero_knowledge_password_authentication == -1)
|
if (options->zero_knowledge_password_authentication == -1)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: readconf.h,v 1.78 2009/02/12 03:00:56 djm Exp $ */
|
/* $OpenBSD: readconf.h,v 1.79 2009/06/27 09:35:06 andreas Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
@ -123,6 +123,8 @@ typedef struct {
|
|||||||
int permit_local_command;
|
int permit_local_command;
|
||||||
int visual_host_key;
|
int visual_host_key;
|
||||||
|
|
||||||
|
int use_roaming;
|
||||||
|
|
||||||
} Options;
|
} Options;
|
||||||
|
|
||||||
#define SSHCTL_MASTER_NO 0
|
#define SSHCTL_MASTER_NO 0
|
||||||
|
38
crypto/openssh/roaming.h
Normal file
38
crypto/openssh/roaming.h
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
/* $OpenBSD: roaming.h,v 1.4 2009/06/27 09:32:43 andreas Exp $ */
|
||||||
|
/*
|
||||||
|
* Copyright (c) 2004-2009 AppGate Network Security AB
|
||||||
|
*
|
||||||
|
* Permission to use, copy, modify, and distribute this software for any
|
||||||
|
* purpose with or without fee is hereby granted, provided that the above
|
||||||
|
* copyright notice and this permission notice appear in all copies.
|
||||||
|
*
|
||||||
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||||
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||||
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||||
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||||
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||||
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||||
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef ROAMING_H
|
||||||
|
#define ROAMING_H
|
||||||
|
|
||||||
|
#define DEFAULT_ROAMBUF 65536
|
||||||
|
|
||||||
|
extern int resume_in_progress;
|
||||||
|
|
||||||
|
int get_snd_buf_size(void);
|
||||||
|
int get_recv_buf_size(void);
|
||||||
|
void add_recv_bytes(u_int64_t);
|
||||||
|
void set_out_buffer_size(size_t);
|
||||||
|
ssize_t roaming_write(int, const void *, size_t, int *);
|
||||||
|
ssize_t roaming_read(int, void *, size_t, int *);
|
||||||
|
size_t roaming_atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
|
||||||
|
u_int64_t get_recv_bytes(void);
|
||||||
|
u_int64_t get_sent_bytes(void);
|
||||||
|
void roam_set_bytes(u_int64_t, u_int64_t);
|
||||||
|
void resend_bytes(int, u_int64_t *);
|
||||||
|
int resume_kex(void);
|
||||||
|
|
||||||
|
#endif /* ROAMING */
|
201
crypto/openssh/roaming_common.c
Normal file
201
crypto/openssh/roaming_common.c
Normal file
@ -0,0 +1,201 @@
|
|||||||
|
/* $OpenBSD: roaming_common.c,v 1.5 2009/06/27 09:32:43 andreas Exp $ */
|
||||||
|
/*
|
||||||
|
* Copyright (c) 2004-2009 AppGate Network Security AB
|
||||||
|
*
|
||||||
|
* Permission to use, copy, modify, and distribute this software for any
|
||||||
|
* purpose with or without fee is hereby granted, provided that the above
|
||||||
|
* copyright notice and this permission notice appear in all copies.
|
||||||
|
*
|
||||||
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||||
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||||
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||||
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||||
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||||
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||||
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "includes.h"
|
||||||
|
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/socket.h>
|
||||||
|
#include <sys/uio.h>
|
||||||
|
|
||||||
|
#include <errno.h>
|
||||||
|
#ifdef HAVE_INTTYPES_H
|
||||||
|
#include <inttypes.h>
|
||||||
|
#endif
|
||||||
|
#include <stdarg.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
#include "atomicio.h"
|
||||||
|
#include "log.h"
|
||||||
|
#include "packet.h"
|
||||||
|
#include "xmalloc.h"
|
||||||
|
#include "cipher.h"
|
||||||
|
#include "buffer.h"
|
||||||
|
#include "roaming.h"
|
||||||
|
|
||||||
|
static size_t out_buf_size = 0;
|
||||||
|
static char *out_buf = NULL;
|
||||||
|
static size_t out_start;
|
||||||
|
static size_t out_last;
|
||||||
|
|
||||||
|
static u_int64_t write_bytes = 0;
|
||||||
|
static u_int64_t read_bytes = 0;
|
||||||
|
|
||||||
|
int roaming_enabled = 0;
|
||||||
|
int resume_in_progress = 0;
|
||||||
|
|
||||||
|
int
|
||||||
|
get_snd_buf_size()
|
||||||
|
{
|
||||||
|
int fd = packet_get_connection_out();
|
||||||
|
int optval, optvallen;
|
||||||
|
|
||||||
|
optvallen = sizeof(optval);
|
||||||
|
if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &optval, &optvallen) != 0)
|
||||||
|
optval = DEFAULT_ROAMBUF;
|
||||||
|
return optval;
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
get_recv_buf_size()
|
||||||
|
{
|
||||||
|
int fd = packet_get_connection_in();
|
||||||
|
int optval, optvallen;
|
||||||
|
|
||||||
|
optvallen = sizeof(optval);
|
||||||
|
if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &optval, &optvallen) != 0)
|
||||||
|
optval = DEFAULT_ROAMBUF;
|
||||||
|
return optval;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
set_out_buffer_size(size_t size)
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* The buffer size can only be set once and the buffer will live
|
||||||
|
* as long as the session lives.
|
||||||
|
*/
|
||||||
|
if (out_buf == NULL) {
|
||||||
|
out_buf_size = size;
|
||||||
|
out_buf = xmalloc(size);
|
||||||
|
out_start = 0;
|
||||||
|
out_last = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
u_int64_t
|
||||||
|
get_recv_bytes(void)
|
||||||
|
{
|
||||||
|
return read_bytes;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
add_recv_bytes(u_int64_t num)
|
||||||
|
{
|
||||||
|
read_bytes += num;
|
||||||
|
}
|
||||||
|
|
||||||
|
u_int64_t
|
||||||
|
get_sent_bytes(void)
|
||||||
|
{
|
||||||
|
return write_bytes;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
roam_set_bytes(u_int64_t sent, u_int64_t recvd)
|
||||||
|
{
|
||||||
|
read_bytes = recvd;
|
||||||
|
write_bytes = sent;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
buf_append(const char *buf, size_t count)
|
||||||
|
{
|
||||||
|
if (count > out_buf_size) {
|
||||||
|
buf += count - out_buf_size;
|
||||||
|
count = out_buf_size;
|
||||||
|
}
|
||||||
|
if (count < out_buf_size - out_last) {
|
||||||
|
memcpy(out_buf + out_last, buf, count);
|
||||||
|
if (out_start > out_last)
|
||||||
|
out_start += count;
|
||||||
|
out_last += count;
|
||||||
|
} else {
|
||||||
|
/* data will wrap */
|
||||||
|
size_t chunk = out_buf_size - out_last;
|
||||||
|
memcpy(out_buf + out_last, buf, chunk);
|
||||||
|
memcpy(out_buf, buf + chunk, count - chunk);
|
||||||
|
out_last = count - chunk;
|
||||||
|
out_start = out_last + 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ssize_t
|
||||||
|
roaming_write(int fd, const void *buf, size_t count, int *cont)
|
||||||
|
{
|
||||||
|
ssize_t ret;
|
||||||
|
|
||||||
|
ret = write(fd, buf, count);
|
||||||
|
if (ret > 0 && !resume_in_progress) {
|
||||||
|
write_bytes += ret;
|
||||||
|
if (out_buf_size > 0)
|
||||||
|
buf_append(buf, ret);
|
||||||
|
}
|
||||||
|
debug3("Wrote %ld bytes for a total of %llu", (long)ret,
|
||||||
|
(unsigned long long)write_bytes);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
ssize_t
|
||||||
|
roaming_read(int fd, void *buf, size_t count, int *cont)
|
||||||
|
{
|
||||||
|
ssize_t ret = read(fd, buf, count);
|
||||||
|
if (ret > 0) {
|
||||||
|
if (!resume_in_progress) {
|
||||||
|
read_bytes += ret;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
size_t
|
||||||
|
roaming_atomicio(ssize_t(*f)(int, void*, size_t), int fd, void *buf,
|
||||||
|
size_t count)
|
||||||
|
{
|
||||||
|
size_t ret = atomicio(f, fd, buf, count);
|
||||||
|
|
||||||
|
if (f == vwrite && ret > 0 && !resume_in_progress) {
|
||||||
|
write_bytes += ret;
|
||||||
|
} else if (f == read && ret > 0 && !resume_in_progress) {
|
||||||
|
read_bytes += ret;
|
||||||
|
}
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
resend_bytes(int fd, u_int64_t *offset)
|
||||||
|
{
|
||||||
|
size_t available, needed;
|
||||||
|
|
||||||
|
if (out_start < out_last)
|
||||||
|
available = out_last - out_start;
|
||||||
|
else
|
||||||
|
available = out_buf_size;
|
||||||
|
needed = write_bytes - *offset;
|
||||||
|
debug3("resend_bytes: resend %lu bytes from %llu",
|
||||||
|
(unsigned long)needed, (unsigned long long)*offset);
|
||||||
|
if (needed > available)
|
||||||
|
fatal("Needed to resend more data than in the cache");
|
||||||
|
if (out_last < needed) {
|
||||||
|
int chunkend = needed - out_last;
|
||||||
|
atomicio(vwrite, fd, out_buf + out_buf_size - chunkend,
|
||||||
|
chunkend);
|
||||||
|
atomicio(vwrite, fd, out_buf, out_last);
|
||||||
|
} else {
|
||||||
|
atomicio(vwrite, fd, out_buf + (out_last - needed), needed);
|
||||||
|
}
|
||||||
|
}
|
61
crypto/openssh/roaming_dummy.c
Normal file
61
crypto/openssh/roaming_dummy.c
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
/* $OpenBSD: roaming_dummy.c,v 1.3 2009/06/21 09:04:03 dtucker Exp $ */
|
||||||
|
/*
|
||||||
|
* Copyright (c) 2004-2009 AppGate Network Security AB
|
||||||
|
*
|
||||||
|
* Permission to use, copy, modify, and distribute this software for any
|
||||||
|
* purpose with or without fee is hereby granted, provided that the above
|
||||||
|
* copyright notice and this permission notice appear in all copies.
|
||||||
|
*
|
||||||
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||||
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||||
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||||
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||||
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||||
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||||
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This file is included in the client programs which should not
|
||||||
|
* support roaming.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "includes.h"
|
||||||
|
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
#include "roaming.h"
|
||||||
|
|
||||||
|
int resume_in_progress = 0;
|
||||||
|
|
||||||
|
u_int64_t
|
||||||
|
get_recv_bytes(void)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
ssize_t
|
||||||
|
roaming_write(int fd, const void *buf, size_t count, int *cont)
|
||||||
|
{
|
||||||
|
return write(fd, buf, count);
|
||||||
|
}
|
||||||
|
|
||||||
|
ssize_t
|
||||||
|
roaming_read(int fd, void *buf, size_t count, int *cont)
|
||||||
|
{
|
||||||
|
if (cont)
|
||||||
|
*cont = 0;
|
||||||
|
return read(fd, buf, count);
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
add_recv_bytes(u_int64_t num)
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
resume_kex(void)
|
||||||
|
{
|
||||||
|
return 1;
|
||||||
|
}
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: schnorr.c,v 1.2 2009/02/18 04:31:21 djm Exp $ */
|
/* $OpenBSD: schnorr.c,v 1.3 2009/03/05 07:18:19 djm Exp $ */
|
||||||
/* $FreeBSD$ */
|
/* $FreeBSD$ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||||
@ -41,38 +41,36 @@
|
|||||||
#include "buffer.h"
|
#include "buffer.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
|
|
||||||
#include "jpake.h"
|
#include "schnorr.h"
|
||||||
|
|
||||||
#ifdef JPAKE
|
#ifdef JPAKE
|
||||||
|
|
||||||
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
|
||||||
/* #define SCHNORR_DEBUG */ /* Privacy-violating debugging */
|
/* #define SCHNORR_DEBUG */ /* Privacy-violating debugging */
|
||||||
/* #define SCHNORR_MAIN */ /* Include main() selftest */
|
/* #define SCHNORR_MAIN */ /* Include main() selftest */
|
||||||
|
|
||||||
/* XXX */
|
|
||||||
/* Parametise signature hash? (sha256, sha1, etc.) */
|
|
||||||
/* Signature format - include type name, hash type, group params? */
|
|
||||||
|
|
||||||
#ifndef SCHNORR_DEBUG
|
#ifndef SCHNORR_DEBUG
|
||||||
# define SCHNORR_DEBUG_BN(a)
|
# define SCHNORR_DEBUG_BN(a)
|
||||||
# define SCHNORR_DEBUG_BUF(a)
|
# define SCHNORR_DEBUG_BUF(a)
|
||||||
#else
|
#else
|
||||||
# define SCHNORR_DEBUG_BN(a) jpake_debug3_bn a
|
# define SCHNORR_DEBUG_BN(a) debug3_bn a
|
||||||
# define SCHNORR_DEBUG_BUF(a) jpake_debug3_buf a
|
# define SCHNORR_DEBUG_BUF(a) debug3_buf a
|
||||||
#endif /* SCHNORR_DEBUG */
|
#endif /* SCHNORR_DEBUG */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Calculate hash component of Schnorr signature H(g || g^v || g^x || id)
|
* Calculate hash component of Schnorr signature H(g || g^v || g^x || id)
|
||||||
* using SHA1. Returns signature as bignum or NULL on error.
|
* using the hash function defined by "evp_md". Returns signature as
|
||||||
|
* bignum or NULL on error.
|
||||||
*/
|
*/
|
||||||
static BIGNUM *
|
static BIGNUM *
|
||||||
schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
|
schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
|
||||||
const BIGNUM *g_v, const BIGNUM *g_x,
|
const EVP_MD *evp_md, const BIGNUM *g_v, const BIGNUM *g_x,
|
||||||
const u_char *id, u_int idlen)
|
const u_char *id, u_int idlen)
|
||||||
{
|
{
|
||||||
u_char *digest;
|
u_char *digest;
|
||||||
u_int digest_len;
|
u_int digest_len;
|
||||||
BIGNUM *h;
|
BIGNUM *h;
|
||||||
EVP_MD_CTX evp_md_ctx;
|
|
||||||
Buffer b;
|
Buffer b;
|
||||||
int success = -1;
|
int success = -1;
|
||||||
|
|
||||||
@ -82,7 +80,6 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
|
|||||||
}
|
}
|
||||||
|
|
||||||
buffer_init(&b);
|
buffer_init(&b);
|
||||||
EVP_MD_CTX_init(&evp_md_ctx);
|
|
||||||
|
|
||||||
/* h = H(g || p || q || g^v || g^x || id) */
|
/* h = H(g || p || q || g^v || g^x || id) */
|
||||||
buffer_put_bignum2(&b, g);
|
buffer_put_bignum2(&b, g);
|
||||||
@ -94,7 +91,7 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
|
|||||||
|
|
||||||
SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
|
SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
|
||||||
"%s: hashblob", __func__));
|
"%s: hashblob", __func__));
|
||||||
if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(),
|
if (hash_buffer(buffer_ptr(&b), buffer_len(&b), evp_md,
|
||||||
&digest, &digest_len) != 0) {
|
&digest, &digest_len) != 0) {
|
||||||
error("%s: hash_buffer", __func__);
|
error("%s: hash_buffer", __func__);
|
||||||
goto out;
|
goto out;
|
||||||
@ -107,7 +104,6 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
|
|||||||
SCHNORR_DEBUG_BN((h, "%s: h = ", __func__));
|
SCHNORR_DEBUG_BN((h, "%s: h = ", __func__));
|
||||||
out:
|
out:
|
||||||
buffer_free(&b);
|
buffer_free(&b);
|
||||||
EVP_MD_CTX_cleanup(&evp_md_ctx);
|
|
||||||
bzero(digest, digest_len);
|
bzero(digest, digest_len);
|
||||||
xfree(digest);
|
xfree(digest);
|
||||||
digest_len = 0;
|
digest_len = 0;
|
||||||
@ -120,18 +116,20 @@ schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
|
|||||||
/*
|
/*
|
||||||
* Generate Schnorr signature to prove knowledge of private value 'x' used
|
* Generate Schnorr signature to prove knowledge of private value 'x' used
|
||||||
* in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
|
* in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
|
||||||
|
* using the hash function "evp_md".
|
||||||
* 'idlen' bytes from 'id' will be included in the signature hash as an anti-
|
* 'idlen' bytes from 'id' will be included in the signature hash as an anti-
|
||||||
* replay salt.
|
* replay salt.
|
||||||
* On success, 0 is returned and *siglen bytes of signature are returned in
|
*
|
||||||
* *sig (caller to free). Returns -1 on failure.
|
* On success, 0 is returned. The signature values are returned as *e_p
|
||||||
|
* (g^v mod p) and *r_p (v - xh mod q). The caller must free these values.
|
||||||
|
* On failure, -1 is returned.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
|
schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
|
||||||
const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen,
|
const EVP_MD *evp_md, const BIGNUM *x, const BIGNUM *g_x,
|
||||||
u_char **sig, u_int *siglen)
|
const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p)
|
||||||
{
|
{
|
||||||
int success = -1;
|
int success = -1;
|
||||||
Buffer b;
|
|
||||||
BIGNUM *h, *tmp, *v, *g_v, *r;
|
BIGNUM *h, *tmp, *v, *g_v, *r;
|
||||||
BN_CTX *bn_ctx;
|
BN_CTX *bn_ctx;
|
||||||
|
|
||||||
@ -174,7 +172,7 @@ schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
|
|||||||
SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__));
|
SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__));
|
||||||
|
|
||||||
/* h = H(g || g^v || g^x || id) */
|
/* h = H(g || g^v || g^x || id) */
|
||||||
if ((h = schnorr_hash(grp_p, grp_q, grp_g, g_v, g_x,
|
if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, g_v, g_x,
|
||||||
id, idlen)) == NULL) {
|
id, idlen)) == NULL) {
|
||||||
error("%s: schnorr_hash failed", __func__);
|
error("%s: schnorr_hash failed", __func__);
|
||||||
goto out;
|
goto out;
|
||||||
@ -189,19 +187,12 @@ schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
|
|||||||
error("%s: BN_mod_mul (r = v - tmp)", __func__);
|
error("%s: BN_mod_mul (r = v - tmp)", __func__);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
SCHNORR_DEBUG_BN((g_v, "%s: e = ", __func__));
|
||||||
SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
|
SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
|
||||||
|
|
||||||
/* Signature is (g_v, r) */
|
*e_p = g_v;
|
||||||
buffer_init(&b);
|
*r_p = r;
|
||||||
/* XXX sigtype-hash as string? */
|
|
||||||
buffer_put_bignum2(&b, g_v);
|
|
||||||
buffer_put_bignum2(&b, r);
|
|
||||||
*siglen = buffer_len(&b);
|
|
||||||
*sig = xmalloc(*siglen);
|
|
||||||
memcpy(*sig, buffer_ptr(&b), *siglen);
|
|
||||||
SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
|
|
||||||
"%s: sigblob", __func__));
|
|
||||||
buffer_free(&b);
|
|
||||||
success = 0;
|
success = 0;
|
||||||
out:
|
out:
|
||||||
BN_CTX_free(bn_ctx);
|
BN_CTX_free(bn_ctx);
|
||||||
@ -209,29 +200,65 @@ schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
|
|||||||
BN_clear_free(h);
|
BN_clear_free(h);
|
||||||
if (v != NULL)
|
if (v != NULL)
|
||||||
BN_clear_free(v);
|
BN_clear_free(v);
|
||||||
BN_clear_free(r);
|
|
||||||
BN_clear_free(g_v);
|
|
||||||
BN_clear_free(tmp);
|
BN_clear_free(tmp);
|
||||||
|
|
||||||
return success;
|
return success;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Verify Schnorr signature 'sig' of length 'siglen' against public exponent
|
* Generate Schnorr signature to prove knowledge of private value 'x' used
|
||||||
* g_x (g^x) under group defined by 'grp_p', 'grp_q' and 'grp_g'.
|
* in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
|
||||||
|
* using a SHA256 hash.
|
||||||
|
* 'idlen' bytes from 'id' will be included in the signature hash as an anti-
|
||||||
|
* replay salt.
|
||||||
|
* On success, 0 is returned and *siglen bytes of signature are returned in
|
||||||
|
* *sig (caller to free). Returns -1 on failure.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
|
||||||
|
const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen,
|
||||||
|
u_char **sig, u_int *siglen)
|
||||||
|
{
|
||||||
|
Buffer b;
|
||||||
|
BIGNUM *r, *e;
|
||||||
|
|
||||||
|
if (schnorr_sign(grp_p, grp_q, grp_g, EVP_sha256(),
|
||||||
|
x, g_x, id, idlen, &r, &e) != 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
/* Signature is (e, r) */
|
||||||
|
buffer_init(&b);
|
||||||
|
/* XXX sigtype-hash as string? */
|
||||||
|
buffer_put_bignum2(&b, e);
|
||||||
|
buffer_put_bignum2(&b, r);
|
||||||
|
*siglen = buffer_len(&b);
|
||||||
|
*sig = xmalloc(*siglen);
|
||||||
|
memcpy(*sig, buffer_ptr(&b), *siglen);
|
||||||
|
SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
|
||||||
|
"%s: sigblob", __func__));
|
||||||
|
buffer_free(&b);
|
||||||
|
|
||||||
|
BN_clear_free(r);
|
||||||
|
BN_clear_free(e);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Verify Schnorr signature { r (v - xh mod q), e (g^v mod p) } against
|
||||||
|
* public exponent g_x (g^x) under group defined by 'grp_p', 'grp_q' and
|
||||||
|
* 'grp_g' using hash "evp_md".
|
||||||
* Signature hash will be salted with 'idlen' bytes from 'id'.
|
* Signature hash will be salted with 'idlen' bytes from 'id'.
|
||||||
* Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
|
* Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
|
schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
|
||||||
const BIGNUM *g_x, const u_char *id, u_int idlen,
|
const EVP_MD *evp_md, const BIGNUM *g_x, const u_char *id, u_int idlen,
|
||||||
const u_char *sig, u_int siglen)
|
const BIGNUM *r, const BIGNUM *e)
|
||||||
{
|
{
|
||||||
int success = -1;
|
int success = -1;
|
||||||
Buffer b;
|
BIGNUM *h, *g_xh, *g_r, *expected;
|
||||||
BIGNUM *g_v, *h, *r, *g_xh, *g_r, *expected;
|
|
||||||
BN_CTX *bn_ctx;
|
BN_CTX *bn_ctx;
|
||||||
u_int rlen;
|
|
||||||
|
|
||||||
SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));
|
SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));
|
||||||
|
|
||||||
@ -241,39 +268,23 @@ schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
g_v = h = r = g_xh = g_r = expected = NULL;
|
h = g_xh = g_r = expected = NULL;
|
||||||
if ((bn_ctx = BN_CTX_new()) == NULL) {
|
if ((bn_ctx = BN_CTX_new()) == NULL) {
|
||||||
error("%s: BN_CTX_new", __func__);
|
error("%s: BN_CTX_new", __func__);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if ((g_v = BN_new()) == NULL ||
|
if ((g_xh = BN_new()) == NULL ||
|
||||||
(r = BN_new()) == NULL ||
|
|
||||||
(g_xh = BN_new()) == NULL ||
|
|
||||||
(g_r = BN_new()) == NULL ||
|
(g_r = BN_new()) == NULL ||
|
||||||
(expected = BN_new()) == NULL) {
|
(expected = BN_new()) == NULL) {
|
||||||
error("%s: BN_new", __func__);
|
error("%s: BN_new", __func__);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Extract g^v and r from signature blob */
|
SCHNORR_DEBUG_BN((e, "%s: e = ", __func__));
|
||||||
buffer_init(&b);
|
|
||||||
buffer_append(&b, sig, siglen);
|
|
||||||
SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
|
|
||||||
"%s: sigblob", __func__));
|
|
||||||
buffer_get_bignum2(&b, g_v);
|
|
||||||
buffer_get_bignum2(&b, r);
|
|
||||||
rlen = buffer_len(&b);
|
|
||||||
buffer_free(&b);
|
|
||||||
if (rlen != 0) {
|
|
||||||
error("%s: remaining bytes in signature %d", __func__, rlen);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
buffer_free(&b);
|
|
||||||
SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__));
|
|
||||||
SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
|
SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
|
||||||
|
|
||||||
/* h = H(g || g^v || g^x || id) */
|
/* h = H(g || g^v || g^x || id) */
|
||||||
if ((h = schnorr_hash(grp_p, grp_q, grp_g, g_v, g_x,
|
if ((h = schnorr_hash(grp_p, grp_q, grp_g, evp_md, e, g_x,
|
||||||
id, idlen)) == NULL) {
|
id, idlen)) == NULL) {
|
||||||
error("%s: schnorr_hash failed", __func__);
|
error("%s: schnorr_hash failed", __func__);
|
||||||
goto out;
|
goto out;
|
||||||
@ -300,20 +311,248 @@ schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
|
|||||||
}
|
}
|
||||||
SCHNORR_DEBUG_BN((expected, "%s: expected = ", __func__));
|
SCHNORR_DEBUG_BN((expected, "%s: expected = ", __func__));
|
||||||
|
|
||||||
/* Check g_v == expected */
|
/* Check e == expected */
|
||||||
success = BN_cmp(expected, g_v) == 0;
|
success = BN_cmp(expected, e) == 0;
|
||||||
out:
|
out:
|
||||||
BN_CTX_free(bn_ctx);
|
BN_CTX_free(bn_ctx);
|
||||||
if (h != NULL)
|
if (h != NULL)
|
||||||
BN_clear_free(h);
|
BN_clear_free(h);
|
||||||
BN_clear_free(g_v);
|
|
||||||
BN_clear_free(r);
|
|
||||||
BN_clear_free(g_xh);
|
BN_clear_free(g_xh);
|
||||||
BN_clear_free(g_r);
|
BN_clear_free(g_r);
|
||||||
BN_clear_free(expected);
|
BN_clear_free(expected);
|
||||||
return success;
|
return success;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Verify Schnorr signature 'sig' of length 'siglen' against public exponent
|
||||||
|
* g_x (g^x) under group defined by 'grp_p', 'grp_q' and 'grp_g' using a
|
||||||
|
* SHA256 hash.
|
||||||
|
* Signature hash will be salted with 'idlen' bytes from 'id'.
|
||||||
|
* Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q,
|
||||||
|
const BIGNUM *grp_g,
|
||||||
|
const BIGNUM *g_x, const u_char *id, u_int idlen,
|
||||||
|
const u_char *sig, u_int siglen)
|
||||||
|
{
|
||||||
|
Buffer b;
|
||||||
|
int ret = -1;
|
||||||
|
u_int rlen;
|
||||||
|
BIGNUM *r, *e;
|
||||||
|
|
||||||
|
e = r = NULL;
|
||||||
|
if ((e = BN_new()) == NULL ||
|
||||||
|
(r = BN_new()) == NULL) {
|
||||||
|
error("%s: BN_new", __func__);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Extract g^v and r from signature blob */
|
||||||
|
buffer_init(&b);
|
||||||
|
buffer_append(&b, sig, siglen);
|
||||||
|
SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
|
||||||
|
"%s: sigblob", __func__));
|
||||||
|
buffer_get_bignum2(&b, e);
|
||||||
|
buffer_get_bignum2(&b, r);
|
||||||
|
rlen = buffer_len(&b);
|
||||||
|
buffer_free(&b);
|
||||||
|
if (rlen != 0) {
|
||||||
|
error("%s: remaining bytes in signature %d", __func__, rlen);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = schnorr_verify(grp_p, grp_q, grp_g, EVP_sha256(),
|
||||||
|
g_x, id, idlen, r, e);
|
||||||
|
out:
|
||||||
|
BN_clear_free(e);
|
||||||
|
BN_clear_free(r);
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Helper functions */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Generate uniformly distributed random number in range (1, high).
|
||||||
|
* Return number on success, NULL on failure.
|
||||||
|
*/
|
||||||
|
BIGNUM *
|
||||||
|
bn_rand_range_gt_one(const BIGNUM *high)
|
||||||
|
{
|
||||||
|
BIGNUM *r, *tmp;
|
||||||
|
int success = -1;
|
||||||
|
|
||||||
|
if ((tmp = BN_new()) == NULL) {
|
||||||
|
error("%s: BN_new", __func__);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
if ((r = BN_new()) == NULL) {
|
||||||
|
error("%s: BN_new failed", __func__);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
if (BN_set_word(tmp, 2) != 1) {
|
||||||
|
error("%s: BN_set_word(tmp, 2)", __func__);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
if (BN_sub(tmp, high, tmp) == -1) {
|
||||||
|
error("%s: BN_sub failed (tmp = high - 2)", __func__);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
if (BN_rand_range(r, tmp) == -1) {
|
||||||
|
error("%s: BN_rand_range failed", __func__);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
if (BN_set_word(tmp, 2) != 1) {
|
||||||
|
error("%s: BN_set_word(tmp, 2)", __func__);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
if (BN_add(r, r, tmp) == -1) {
|
||||||
|
error("%s: BN_add failed (r = r + 2)", __func__);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
success = 0;
|
||||||
|
out:
|
||||||
|
BN_clear_free(tmp);
|
||||||
|
if (success == 0)
|
||||||
|
return r;
|
||||||
|
BN_clear_free(r);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Hash contents of buffer 'b' with hash 'md'. Returns 0 on success,
|
||||||
|
* with digest via 'digestp' (caller to free) and length via 'lenp'.
|
||||||
|
* Returns -1 on failure.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
hash_buffer(const u_char *buf, u_int len, const EVP_MD *md,
|
||||||
|
u_char **digestp, u_int *lenp)
|
||||||
|
{
|
||||||
|
u_char digest[EVP_MAX_MD_SIZE];
|
||||||
|
u_int digest_len;
|
||||||
|
EVP_MD_CTX evp_md_ctx;
|
||||||
|
int success = -1;
|
||||||
|
|
||||||
|
EVP_MD_CTX_init(&evp_md_ctx);
|
||||||
|
|
||||||
|
if (EVP_DigestInit_ex(&evp_md_ctx, md, NULL) != 1) {
|
||||||
|
error("%s: EVP_DigestInit_ex", __func__);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
if (EVP_DigestUpdate(&evp_md_ctx, buf, len) != 1) {
|
||||||
|
error("%s: EVP_DigestUpdate", __func__);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
if (EVP_DigestFinal_ex(&evp_md_ctx, digest, &digest_len) != 1) {
|
||||||
|
error("%s: EVP_DigestFinal_ex", __func__);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
*digestp = xmalloc(digest_len);
|
||||||
|
*lenp = digest_len;
|
||||||
|
memcpy(*digestp, digest, *lenp);
|
||||||
|
success = 0;
|
||||||
|
out:
|
||||||
|
EVP_MD_CTX_cleanup(&evp_md_ctx);
|
||||||
|
bzero(digest, sizeof(digest));
|
||||||
|
digest_len = 0;
|
||||||
|
return success;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* print formatted string followed by bignum */
|
||||||
|
void
|
||||||
|
debug3_bn(const BIGNUM *n, const char *fmt, ...)
|
||||||
|
{
|
||||||
|
char *out, *h;
|
||||||
|
va_list args;
|
||||||
|
|
||||||
|
out = NULL;
|
||||||
|
va_start(args, fmt);
|
||||||
|
vasprintf(&out, fmt, args);
|
||||||
|
va_end(args);
|
||||||
|
if (out == NULL)
|
||||||
|
fatal("%s: vasprintf failed", __func__);
|
||||||
|
|
||||||
|
if (n == NULL)
|
||||||
|
debug3("%s(null)", out);
|
||||||
|
else {
|
||||||
|
h = BN_bn2hex(n);
|
||||||
|
debug3("%s0x%s", out, h);
|
||||||
|
free(h);
|
||||||
|
}
|
||||||
|
free(out);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* print formatted string followed by buffer contents in hex */
|
||||||
|
void
|
||||||
|
debug3_buf(const u_char *buf, u_int len, const char *fmt, ...)
|
||||||
|
{
|
||||||
|
char *out, h[65];
|
||||||
|
u_int i, j;
|
||||||
|
va_list args;
|
||||||
|
|
||||||
|
out = NULL;
|
||||||
|
va_start(args, fmt);
|
||||||
|
vasprintf(&out, fmt, args);
|
||||||
|
va_end(args);
|
||||||
|
if (out == NULL)
|
||||||
|
fatal("%s: vasprintf failed", __func__);
|
||||||
|
|
||||||
|
debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : "");
|
||||||
|
free(out);
|
||||||
|
if (buf == NULL)
|
||||||
|
return;
|
||||||
|
|
||||||
|
*h = '\0';
|
||||||
|
for (i = j = 0; i < len; i++) {
|
||||||
|
snprintf(h + j, sizeof(h) - j, "%02x", buf[i]);
|
||||||
|
j += 2;
|
||||||
|
if (j >= sizeof(h) - 1 || i == len - 1) {
|
||||||
|
debug3(" %s", h);
|
||||||
|
*h = '\0';
|
||||||
|
j = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Construct a MODP group from hex strings p (which must be a safe
|
||||||
|
* prime) and g, automatically calculating subgroup q as (p / 2)
|
||||||
|
*/
|
||||||
|
struct modp_group *
|
||||||
|
modp_group_from_g_and_safe_p(const char *grp_g, const char *grp_p)
|
||||||
|
{
|
||||||
|
struct modp_group *ret;
|
||||||
|
|
||||||
|
ret = xmalloc(sizeof(*ret));
|
||||||
|
ret->p = ret->q = ret->g = NULL;
|
||||||
|
if (BN_hex2bn(&ret->p, grp_p) == 0 ||
|
||||||
|
BN_hex2bn(&ret->g, grp_g) == 0)
|
||||||
|
fatal("%s: BN_hex2bn", __func__);
|
||||||
|
/* Subgroup order is p/2 (p is a safe prime) */
|
||||||
|
if ((ret->q = BN_new()) == NULL)
|
||||||
|
fatal("%s: BN_new", __func__);
|
||||||
|
if (BN_rshift1(ret->q, ret->p) != 1)
|
||||||
|
fatal("%s: BN_rshift1", __func__);
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
modp_group_free(struct modp_group *grp)
|
||||||
|
{
|
||||||
|
if (grp->g != NULL)
|
||||||
|
BN_clear_free(grp->g);
|
||||||
|
if (grp->p != NULL)
|
||||||
|
BN_clear_free(grp->p);
|
||||||
|
if (grp->q != NULL)
|
||||||
|
BN_clear_free(grp->q);
|
||||||
|
bzero(grp, sizeof(*grp));
|
||||||
|
xfree(grp);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* main() function for self-test */
|
||||||
|
|
||||||
#ifdef SCHNORR_MAIN
|
#ifdef SCHNORR_MAIN
|
||||||
static void
|
static void
|
||||||
schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q,
|
schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q,
|
||||||
@ -331,16 +570,17 @@ schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q,
|
|||||||
|
|
||||||
if (BN_mod_exp(g_x, grp_g, x, grp_p, bn_ctx) == -1)
|
if (BN_mod_exp(g_x, grp_g, x, grp_p, bn_ctx) == -1)
|
||||||
fatal("%s: g_x", __func__);
|
fatal("%s: g_x", __func__);
|
||||||
if (schnorr_sign(grp_p, grp_q, grp_g, x, g_x, "junk", 4, &sig, &siglen))
|
if (schnorr_sign_buf(grp_p, grp_q, grp_g, x, g_x, "junk", 4,
|
||||||
|
&sig, &siglen))
|
||||||
fatal("%s: schnorr_sign", __func__);
|
fatal("%s: schnorr_sign", __func__);
|
||||||
if (schnorr_verify(grp_p, grp_q, grp_g, g_x, "junk", 4,
|
if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4,
|
||||||
sig, siglen) != 1)
|
sig, siglen) != 1)
|
||||||
fatal("%s: verify fail", __func__);
|
fatal("%s: verify fail", __func__);
|
||||||
if (schnorr_verify(grp_p, grp_q, grp_g, g_x, "JUNK", 4,
|
if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "JUNK", 4,
|
||||||
sig, siglen) != 0)
|
sig, siglen) != 0)
|
||||||
fatal("%s: verify should have failed (bad ID)", __func__);
|
fatal("%s: verify should have failed (bad ID)", __func__);
|
||||||
sig[4] ^= 1;
|
sig[4] ^= 1;
|
||||||
if (schnorr_verify(grp_p, grp_q, grp_g, g_x, "junk", 4,
|
if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4,
|
||||||
sig, siglen) != 0)
|
sig, siglen) != 0)
|
||||||
fatal("%s: verify should have failed (bit error)", __func__);
|
fatal("%s: verify should have failed (bit error)", __func__);
|
||||||
xfree(sig);
|
xfree(sig);
|
||||||
@ -352,7 +592,7 @@ static void
|
|||||||
schnorr_selftest(void)
|
schnorr_selftest(void)
|
||||||
{
|
{
|
||||||
BIGNUM *x;
|
BIGNUM *x;
|
||||||
struct jpake_group *grp;
|
struct modp_group *grp;
|
||||||
u_int i;
|
u_int i;
|
||||||
char *hh;
|
char *hh;
|
||||||
|
|
||||||
|
60
crypto/openssh/schnorr.h
Normal file
60
crypto/openssh/schnorr.h
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
/* $OpenBSD: schnorr.h,v 1.1 2009/03/05 07:18:19 djm Exp $ */
|
||||||
|
/*
|
||||||
|
* Copyright (c) 2009 Damien Miller. All rights reserved.
|
||||||
|
*
|
||||||
|
* Permission to use, copy, modify, and distribute this software for any
|
||||||
|
* purpose with or without fee is hereby granted, provided that the above
|
||||||
|
* copyright notice and this permission notice appear in all copies.
|
||||||
|
*
|
||||||
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||||
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||||
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||||
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||||
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||||
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||||
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef SCHNORR_H
|
||||||
|
#define SCHNORR_H
|
||||||
|
|
||||||
|
#include <sys/types.h>
|
||||||
|
|
||||||
|
#include <openssl/bn.h>
|
||||||
|
|
||||||
|
struct modp_group {
|
||||||
|
BIGNUM *p, *q, *g;
|
||||||
|
};
|
||||||
|
|
||||||
|
BIGNUM *bn_rand_range_gt_one(const BIGNUM *high);
|
||||||
|
int hash_buffer(const u_char *, u_int, const EVP_MD *, u_char **, u_int *);
|
||||||
|
void debug3_bn(const BIGNUM *, const char *, ...)
|
||||||
|
__attribute__((__nonnull__ (2)))
|
||||||
|
__attribute__((format(printf, 2, 3)));
|
||||||
|
void debug3_buf(const u_char *, u_int, const char *, ...)
|
||||||
|
__attribute__((__nonnull__ (3)))
|
||||||
|
__attribute__((format(printf, 3, 4)));
|
||||||
|
struct modp_group *modp_group_from_g_and_safe_p(const char *, const char *);
|
||||||
|
void modp_group_free(struct modp_group *);
|
||||||
|
|
||||||
|
/* Signature and verification functions */
|
||||||
|
int
|
||||||
|
schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
|
||||||
|
const EVP_MD *evp_md, const BIGNUM *x, const BIGNUM *g_x,
|
||||||
|
const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p);
|
||||||
|
int
|
||||||
|
schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
|
||||||
|
const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen,
|
||||||
|
u_char **sig, u_int *siglen);
|
||||||
|
int
|
||||||
|
schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
|
||||||
|
const EVP_MD *evp_md, const BIGNUM *g_x, const u_char *id, u_int idlen,
|
||||||
|
const BIGNUM *r, const BIGNUM *e);
|
||||||
|
int
|
||||||
|
schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q,
|
||||||
|
const BIGNUM *grp_g,
|
||||||
|
const BIGNUM *g_x, const u_char *id, u_int idlen,
|
||||||
|
const u_char *sig, u_int siglen);
|
||||||
|
|
||||||
|
#endif /* JPAKE_H */
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: servconf.c,v 1.194 2009/01/22 10:02:34 djm Exp $ */
|
/* $OpenBSD: servconf.c,v 1.195 2009/04/14 21:10:54 jj Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
* All rights reserved
|
* All rights reserved
|
||||||
@ -345,7 +345,7 @@ static struct {
|
|||||||
{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
|
{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
|
||||||
{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
|
{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
|
||||||
{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
|
{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
|
||||||
{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
|
{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
|
{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
|
||||||
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
|
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
|
||||||
@ -419,10 +419,10 @@ static struct {
|
|||||||
{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
|
{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
|
||||||
{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
|
{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
|
||||||
{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
|
{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
|
||||||
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
|
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
|
||||||
{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
|
{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
|
||||||
{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
|
{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
|
||||||
{ "match", sMatch, SSHCFG_ALL },
|
{ "match", sMatch, SSHCFG_ALL },
|
||||||
{ "permitopen", sPermitOpen, SSHCFG_ALL },
|
{ "permitopen", sPermitOpen, SSHCFG_ALL },
|
||||||
{ "forcecommand", sForceCommand, SSHCFG_ALL },
|
{ "forcecommand", sForceCommand, SSHCFG_ALL },
|
||||||
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
|
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
|
||||||
@ -1386,7 +1386,7 @@ parse_server_match_config(ServerOptions *options, const char *user,
|
|||||||
/*
|
/*
|
||||||
* Copy any supported values that are set.
|
* Copy any supported values that are set.
|
||||||
*
|
*
|
||||||
* If the preauth flag is set, we do not bother copying the the string or
|
* If the preauth flag is set, we do not bother copying the string or
|
||||||
* array values that are not used pre-authentication, because any that we
|
* array values that are not used pre-authentication, because any that we
|
||||||
* do use must be explictly sent in mm_getpwnamallow().
|
* do use must be explictly sent in mm_getpwnamallow().
|
||||||
*/
|
*/
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: serverloop.c,v 1.157 2009/02/12 03:16:01 djm Exp $ */
|
/* $OpenBSD: serverloop.c,v 1.159 2009/05/28 16:50:16 andreas Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -78,6 +78,7 @@
|
|||||||
#include "auth-options.h"
|
#include "auth-options.h"
|
||||||
#include "serverloop.h"
|
#include "serverloop.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
|
#include "roaming.h"
|
||||||
|
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
|
|
||||||
@ -249,7 +250,7 @@ client_alive_check(void)
|
|||||||
int channel_id;
|
int channel_id;
|
||||||
|
|
||||||
/* timeout, check to see how many we have had */
|
/* timeout, check to see how many we have had */
|
||||||
if (++keep_alive_timeouts > options.client_alive_count_max) {
|
if (packet_inc_alive_timeouts() > options.client_alive_count_max) {
|
||||||
logit("Timeout, client not responding.");
|
logit("Timeout, client not responding.");
|
||||||
cleanup_exit(255);
|
cleanup_exit(255);
|
||||||
}
|
}
|
||||||
@ -391,8 +392,11 @@ process_input(fd_set *readset)
|
|||||||
|
|
||||||
/* Read and buffer any input data from the client. */
|
/* Read and buffer any input data from the client. */
|
||||||
if (FD_ISSET(connection_in, readset)) {
|
if (FD_ISSET(connection_in, readset)) {
|
||||||
len = read(connection_in, buf, sizeof(buf));
|
int cont = 0;
|
||||||
|
len = roaming_read(connection_in, buf, sizeof(buf), &cont);
|
||||||
if (len == 0) {
|
if (len == 0) {
|
||||||
|
if (cont)
|
||||||
|
return;
|
||||||
verbose("Connection closed by %.100s",
|
verbose("Connection closed by %.100s",
|
||||||
get_remote_ipaddr());
|
get_remote_ipaddr());
|
||||||
connection_closed = 1;
|
connection_closed = 1;
|
||||||
@ -890,7 +894,7 @@ server_input_keep_alive(int type, u_int32_t seq, void *ctxt)
|
|||||||
* even if this was generated by something other than
|
* even if this was generated by something other than
|
||||||
* the bogus CHANNEL_REQUEST we send for keepalives.
|
* the bogus CHANNEL_REQUEST we send for keepalives.
|
||||||
*/
|
*/
|
||||||
keep_alive_timeouts = 0;
|
packet_set_alive_timeouts(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@ -1120,7 +1124,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
|
|||||||
no_port_forwarding_flag ||
|
no_port_forwarding_flag ||
|
||||||
(!want_reply && listen_port == 0)
|
(!want_reply && listen_port == 0)
|
||||||
#ifndef NO_IPPORT_RESERVED_CONCEPT
|
#ifndef NO_IPPORT_RESERVED_CONCEPT
|
||||||
|| (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)
|
|| (listen_port != 0 && listen_port < IPPORT_RESERVED &&
|
||||||
|
pw->pw_uid != 0)
|
||||||
#endif
|
#endif
|
||||||
) {
|
) {
|
||||||
success = 0;
|
success = 0;
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: session.c,v 1.245 2009/01/22 09:46:01 djm Exp $ */
|
/* $OpenBSD: session.c,v 1.246 2009/04/17 19:23:06 stevesk Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
* All rights reserved
|
* All rights reserved
|
||||||
@ -572,8 +572,7 @@ do_exec_no_pty(Session *s, const char *command)
|
|||||||
signal(WJSIGNAL, cray_job_termination_handler);
|
signal(WJSIGNAL, cray_job_termination_handler);
|
||||||
#endif /* _UNICOS */
|
#endif /* _UNICOS */
|
||||||
#ifdef HAVE_CYGWIN
|
#ifdef HAVE_CYGWIN
|
||||||
if (is_winnt)
|
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
|
||||||
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
s->pid = pid;
|
s->pid = pid;
|
||||||
@ -717,8 +716,8 @@ do_exec_pty(Session *s, const char *command)
|
|||||||
* Do common processing for the child, such as execing
|
* Do common processing for the child, such as execing
|
||||||
* the command.
|
* the command.
|
||||||
*/
|
*/
|
||||||
do_child(s, command);
|
do_child(s, command);
|
||||||
/* NOTREACHED */
|
/* NOTREACHED */
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -727,8 +726,7 @@ do_exec_pty(Session *s, const char *command)
|
|||||||
signal(WJSIGNAL, cray_job_termination_handler);
|
signal(WJSIGNAL, cray_job_termination_handler);
|
||||||
#endif /* _UNICOS */
|
#endif /* _UNICOS */
|
||||||
#ifdef HAVE_CYGWIN
|
#ifdef HAVE_CYGWIN
|
||||||
if (is_winnt)
|
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
|
||||||
cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
s->pid = pid;
|
s->pid = pid;
|
||||||
@ -848,7 +846,7 @@ do_login(Session *s, const char *command)
|
|||||||
fromlen = sizeof(from);
|
fromlen = sizeof(from);
|
||||||
if (packet_connection_is_on_socket()) {
|
if (packet_connection_is_on_socket()) {
|
||||||
if (getpeername(packet_get_connection_in(),
|
if (getpeername(packet_get_connection_in(),
|
||||||
(struct sockaddr *) & from, &fromlen) < 0) {
|
(struct sockaddr *)&from, &fromlen) < 0) {
|
||||||
debug("getpeername: %.100s", strerror(errno));
|
debug("getpeername: %.100s", strerror(errno));
|
||||||
cleanup_exit(255);
|
cleanup_exit(255);
|
||||||
}
|
}
|
||||||
@ -1135,7 +1133,7 @@ do_setup_env(Session *s, const char *shell)
|
|||||||
u_int i, envsize;
|
u_int i, envsize;
|
||||||
char **env, *laddr;
|
char **env, *laddr;
|
||||||
struct passwd *pw = s->pw;
|
struct passwd *pw = s->pw;
|
||||||
#ifndef HAVE_LOGIN_CAP
|
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
|
||||||
char *path = NULL;
|
char *path = NULL;
|
||||||
#else
|
#else
|
||||||
extern char **environ;
|
extern char **environ;
|
||||||
@ -1498,11 +1496,6 @@ do_setusercontext(struct passwd *pw)
|
|||||||
if (getuid() == 0 || geteuid() == 0)
|
if (getuid() == 0 || geteuid() == 0)
|
||||||
#endif /* HAVE_CYGWIN */
|
#endif /* HAVE_CYGWIN */
|
||||||
{
|
{
|
||||||
|
|
||||||
#ifdef HAVE_SETPCRED
|
|
||||||
if (setpcred(pw->pw_name, (char **)NULL) == -1)
|
|
||||||
fatal("Failed to set process credentials");
|
|
||||||
#endif /* HAVE_SETPCRED */
|
|
||||||
#ifdef HAVE_LOGIN_CAP
|
#ifdef HAVE_LOGIN_CAP
|
||||||
# ifdef __bsdi__
|
# ifdef __bsdi__
|
||||||
setpgid(0, 0);
|
setpgid(0, 0);
|
||||||
@ -1570,6 +1563,10 @@ do_setusercontext(struct passwd *pw)
|
|||||||
free(chroot_path);
|
free(chroot_path);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_SETPCRED
|
||||||
|
if (setpcred(pw->pw_name, (char **)NULL) == -1)
|
||||||
|
fatal("Failed to set process credentials");
|
||||||
|
#endif /* HAVE_SETPCRED */
|
||||||
#ifdef HAVE_LOGIN_CAP
|
#ifdef HAVE_LOGIN_CAP
|
||||||
if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
|
if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
|
||||||
perror("unable to set user context (setuser)");
|
perror("unable to set user context (setuser)");
|
||||||
@ -1581,9 +1578,6 @@ do_setusercontext(struct passwd *pw)
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef HAVE_CYGWIN
|
|
||||||
if (is_winnt)
|
|
||||||
#endif
|
|
||||||
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
|
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
|
||||||
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
|
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
|
||||||
|
|
||||||
@ -1824,7 +1818,7 @@ do_child(Session *s, const char *command)
|
|||||||
int i;
|
int i;
|
||||||
char *p, *args;
|
char *p, *args;
|
||||||
|
|
||||||
setproctitle("%s@internal-sftp-server", s->pw->pw_name);
|
setproctitle("%s@%s", s->pw->pw_name, INTERNAL_SFTP_NAME);
|
||||||
args = xstrdup(command ? command : "sftp-server");
|
args = xstrdup(command ? command : "sftp-server");
|
||||||
for (i = 0, (p = strtok(args, " ")); p; (p = strtok(NULL, " ")))
|
for (i = 0, (p = strtok(args, " ")); p; (p = strtok(NULL, " ")))
|
||||||
if (i < ARGV_MAX - 1)
|
if (i < ARGV_MAX - 1)
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: sftp-client.c,v 1.86 2008/06/26 06:10:09 djm Exp $ */
|
/* $OpenBSD: sftp-client.c,v 1.87 2009/06/22 05:39:28 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
|
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
|
||||||
*
|
*
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
.\" $OpenBSD: sftp-server.8,v 1.14 2008/07/18 22:51:01 jmc Exp $
|
.\" $OpenBSD: sftp-server.8,v 1.15 2009/03/26 08:38:39 sobrado Exp $
|
||||||
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
|
.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
.\"
|
.\"
|
||||||
@ -22,7 +23,7 @@
|
|||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.Dd July 18 2008
|
.Dd March 26 2009
|
||||||
.Dt SFTP-SERVER 8
|
.Dt SFTP-SERVER 8
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -79,7 +80,7 @@ must be able to access
|
|||||||
.Pa /dev/log .
|
.Pa /dev/log .
|
||||||
Use of
|
Use of
|
||||||
.Nm
|
.Nm
|
||||||
in a chroot configuation therefore requires that
|
in a chroot configuration therefore requires that
|
||||||
.Xr syslogd 8
|
.Xr syslogd 8
|
||||||
establish a logging socket inside the chroot directory.
|
establish a logging socket inside the chroot directory.
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: sftp-server.c,v 1.84 2008/06/26 06:10:09 djm Exp $ */
|
/* $OpenBSD: sftp-server.c,v 1.85 2009/04/14 16:33:42 stevesk Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
|
||||||
*
|
*
|
||||||
@ -1041,7 +1041,7 @@ process_rename(void)
|
|||||||
else if (S_ISREG(sb.st_mode)) {
|
else if (S_ISREG(sb.st_mode)) {
|
||||||
/* Race-free rename of regular files */
|
/* Race-free rename of regular files */
|
||||||
if (link(oldpath, newpath) == -1) {
|
if (link(oldpath, newpath) == -1) {
|
||||||
if (errno == EOPNOTSUPP
|
if (errno == EOPNOTSUPP || errno == ENOSYS
|
||||||
#ifdef EXDEV
|
#ifdef EXDEV
|
||||||
|| errno == EXDEV
|
|| errno == EXDEV
|
||||||
#endif
|
#endif
|
||||||
@ -1341,7 +1341,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
|||||||
__progname = ssh_get_progname(argv[0]);
|
__progname = ssh_get_progname(argv[0]);
|
||||||
log_init(__progname, log_level, log_facility, log_stderr);
|
log_init(__progname, log_level, log_facility, log_stderr);
|
||||||
|
|
||||||
while (!skipargs && (ch = getopt(argc, argv, "C:f:l:che")) != -1) {
|
while (!skipargs && (ch = getopt(argc, argv, "f:l:che")) != -1) {
|
||||||
switch (ch) {
|
switch (ch) {
|
||||||
case 'c':
|
case 'c':
|
||||||
/*
|
/*
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
.\" $OpenBSD: ssh-agent.1,v 1.46 2007/09/09 11:38:01 sobrado Exp $
|
.\" $OpenBSD: ssh-agent.1,v 1.47 2009/03/26 08:38:39 sobrado Exp $
|
||||||
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -34,7 +35,7 @@
|
|||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.Dd June 5 2007
|
.Dd March 26 2009
|
||||||
.Dt SSH-AGENT 1
|
.Dt SSH-AGENT 1
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -141,7 +142,7 @@ The second is that the agent prints the needed shell commands (either
|
|||||||
.Xr sh 1
|
.Xr sh 1
|
||||||
or
|
or
|
||||||
.Xr csh 1
|
.Xr csh 1
|
||||||
syntax can be generated) which can be evalled in the calling shell, eg
|
syntax can be generated) which can be evaluated in the calling shell, eg
|
||||||
.Cm eval `ssh-agent -s`
|
.Cm eval `ssh-agent -s`
|
||||||
for Bourne-type shells such as
|
for Bourne-type shells such as
|
||||||
.Xr sh 1
|
.Xr sh 1
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: ssh-agent.c,v 1.159 2008/06/28 14:05:15 djm Exp $ */
|
/* $OpenBSD: ssh-agent.c,v 1.161 2009/03/23 19:38:04 tobias Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -1062,6 +1062,7 @@ main(int ac, char **av)
|
|||||||
pid_t pid;
|
pid_t pid;
|
||||||
char pidstrbuf[1 + 3 * sizeof pid];
|
char pidstrbuf[1 + 3 * sizeof pid];
|
||||||
struct timeval *tvp = NULL;
|
struct timeval *tvp = NULL;
|
||||||
|
size_t len;
|
||||||
|
|
||||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||||
sanitise_stdfd();
|
sanitise_stdfd();
|
||||||
@ -1123,8 +1124,8 @@ main(int ac, char **av)
|
|||||||
|
|
||||||
if (ac == 0 && !c_flag && !s_flag) {
|
if (ac == 0 && !c_flag && !s_flag) {
|
||||||
shell = getenv("SHELL");
|
shell = getenv("SHELL");
|
||||||
if (shell != NULL &&
|
if (shell != NULL && (len = strlen(shell)) > 2 &&
|
||||||
strncmp(shell + strlen(shell) - 3, "csh", 3) == 0)
|
strncmp(shell + len - 3, "csh", 3) == 0)
|
||||||
c_flag = 1;
|
c_flag = 1;
|
||||||
}
|
}
|
||||||
if (k_flag) {
|
if (k_flag) {
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: ssh-keygen.c,v 1.173 2009/02/21 19:32:04 tobias Exp $ */
|
/* $OpenBSD: ssh-keygen.c,v 1.174 2009/06/22 05:39:28 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@ -34,9 +34,9 @@
|
|||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: ssh.1,v 1.282 2009/02/12 03:44:25 djm Exp $
|
.\" $OpenBSD: ssh.1,v 1.283 2009/03/19 15:15:09 jmc Exp $
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.Dd February 12 2009
|
.Dd March 19 2009
|
||||||
.Dt SSH 1
|
.Dt SSH 1
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -192,26 +192,9 @@ For protocol version 2,
|
|||||||
.Ar cipher_spec
|
.Ar cipher_spec
|
||||||
is a comma-separated list of ciphers
|
is a comma-separated list of ciphers
|
||||||
listed in order of preference.
|
listed in order of preference.
|
||||||
The supported ciphers are:
|
See the
|
||||||
3des-cbc,
|
.Cm Ciphers
|
||||||
aes128-cbc,
|
keyword for more information.
|
||||||
aes192-cbc,
|
|
||||||
aes256-cbc,
|
|
||||||
aes128-ctr,
|
|
||||||
aes192-ctr,
|
|
||||||
aes256-ctr,
|
|
||||||
arcfour128,
|
|
||||||
arcfour256,
|
|
||||||
arcfour,
|
|
||||||
blowfish-cbc,
|
|
||||||
and
|
|
||||||
cast128-cbc.
|
|
||||||
The default is:
|
|
||||||
.Bd -literal -offset indent
|
|
||||||
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
|
|
||||||
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
|
|
||||||
aes192-ctr,aes256-ctr
|
|
||||||
.Ed
|
|
||||||
.It Fl D Xo
|
.It Fl D Xo
|
||||||
.Sm off
|
.Sm off
|
||||||
.Oo Ar bind_address : Oc
|
.Oo Ar bind_address : Oc
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: ssh.c,v 1.324 2009/02/12 03:00:56 djm Exp $ */
|
/* $OpenBSD: ssh.c,v 1.326 2009/07/02 02:11:47 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -49,6 +49,7 @@ __RCSID("$FreeBSD$");
|
|||||||
#endif
|
#endif
|
||||||
#include <sys/resource.h>
|
#include <sys/resource.h>
|
||||||
#include <sys/ioctl.h>
|
#include <sys/ioctl.h>
|
||||||
|
#include <sys/param.h>
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
|
|
||||||
#include <ctype.h>
|
#include <ctype.h>
|
||||||
@ -204,8 +205,8 @@ void muxserver_listen(void);
|
|||||||
int
|
int
|
||||||
main(int ac, char **av)
|
main(int ac, char **av)
|
||||||
{
|
{
|
||||||
int i, opt, exit_status, use_syslog;
|
int i, r, opt, exit_status, use_syslog;
|
||||||
char *p, *cp, *line, buf[256];
|
char *p, *cp, *line, *argv0, buf[MAXPATHLEN];
|
||||||
struct stat st;
|
struct stat st;
|
||||||
struct passwd *pw;
|
struct passwd *pw;
|
||||||
int dummy, timeout_ms;
|
int dummy, timeout_ms;
|
||||||
@ -271,6 +272,7 @@ main(int ac, char **av)
|
|||||||
/* Parse command-line arguments. */
|
/* Parse command-line arguments. */
|
||||||
host = NULL;
|
host = NULL;
|
||||||
use_syslog = 0;
|
use_syslog = 0;
|
||||||
|
argv0 = av[0];
|
||||||
|
|
||||||
again:
|
again:
|
||||||
while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
|
while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
|
||||||
@ -601,7 +603,7 @@ main(int ac, char **av)
|
|||||||
* Initialize "log" output. Since we are the client all output
|
* Initialize "log" output. Since we are the client all output
|
||||||
* actually goes to stderr.
|
* actually goes to stderr.
|
||||||
*/
|
*/
|
||||||
log_init(av[0],
|
log_init(argv0,
|
||||||
options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
|
options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
|
||||||
SYSLOG_FACILITY_USER, !use_syslog);
|
SYSLOG_FACILITY_USER, !use_syslog);
|
||||||
|
|
||||||
@ -614,9 +616,10 @@ main(int ac, char **av)
|
|||||||
fatal("Can't open user config file %.100s: "
|
fatal("Can't open user config file %.100s: "
|
||||||
"%.100s", config, strerror(errno));
|
"%.100s", config, strerror(errno));
|
||||||
} else {
|
} else {
|
||||||
snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
|
r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
|
||||||
_PATH_SSH_USER_CONFFILE);
|
_PATH_SSH_USER_CONFFILE);
|
||||||
(void)read_config_file(buf, host, &options, 1);
|
if (r > 0 && (size_t)r < sizeof(buf))
|
||||||
|
(void)read_config_file(buf, host, &options, 1);
|
||||||
|
|
||||||
/* Read systemwide configuration file after use config. */
|
/* Read systemwide configuration file after use config. */
|
||||||
(void)read_config_file(_PATH_HOST_CONFIG_FILE, host,
|
(void)read_config_file(_PATH_HOST_CONFIG_FILE, host,
|
||||||
@ -629,7 +632,7 @@ main(int ac, char **av)
|
|||||||
channel_set_af(options.address_family);
|
channel_set_af(options.address_family);
|
||||||
|
|
||||||
/* reinit */
|
/* reinit */
|
||||||
log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, !use_syslog);
|
log_init(argv0, options.log_level, SYSLOG_FACILITY_USER, !use_syslog);
|
||||||
|
|
||||||
seed_rng();
|
seed_rng();
|
||||||
|
|
||||||
@ -784,9 +787,9 @@ main(int ac, char **av)
|
|||||||
* Now that we are back to our own permissions, create ~/.ssh
|
* Now that we are back to our own permissions, create ~/.ssh
|
||||||
* directory if it doesn't already exist.
|
* directory if it doesn't already exist.
|
||||||
*/
|
*/
|
||||||
snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir,
|
r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
|
||||||
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
|
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
|
||||||
if (stat(buf, &st) < 0)
|
if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
|
||||||
if (mkdir(buf, 0700) < 0)
|
if (mkdir(buf, 0700) < 0)
|
||||||
error("Could not create directory '%.200s'.", buf);
|
error("Could not create directory '%.200s'.", buf);
|
||||||
|
|
||||||
|
@ -45,4 +45,4 @@
|
|||||||
# TunnelDevice any:any
|
# TunnelDevice any:any
|
||||||
# PermitLocalCommand no
|
# PermitLocalCommand no
|
||||||
# VisualHostKey no
|
# VisualHostKey no
|
||||||
# VersionAddendum FreeBSD-20090522
|
# VersionAddendum FreeBSD-20091001
|
||||||
|
@ -1073,7 +1073,7 @@ in
|
|||||||
Specifies a string to append to the regular version string to identify
|
Specifies a string to append to the regular version string to identify
|
||||||
OS- or site-specific modifications.
|
OS- or site-specific modifications.
|
||||||
The default is
|
The default is
|
||||||
.Dq FreeBSD-20090522 .
|
.Dq FreeBSD-20091001 .
|
||||||
.It Cm VisualHostKey
|
.It Cm VisualHostKey
|
||||||
If this flag is set to
|
If this flag is set to
|
||||||
.Dq yes ,
|
.Dq yes ,
|
||||||
|
@ -153,6 +153,7 @@
|
|||||||
#define ciphers_valid ssh_ciphers_valid
|
#define ciphers_valid ssh_ciphers_valid
|
||||||
#define cleanhostname ssh_cleanhostname
|
#define cleanhostname ssh_cleanhostname
|
||||||
#define cleanup_exit ssh_cleanup_exit
|
#define cleanup_exit ssh_cleanup_exit
|
||||||
|
#define clear_cached_addr ssh_clear_cached_addr
|
||||||
#define colon ssh_colon
|
#define colon ssh_colon
|
||||||
#define compat_cipher_proposal ssh_compat_cipher_proposal
|
#define compat_cipher_proposal ssh_compat_cipher_proposal
|
||||||
#define compat_datafellows ssh_compat_datafellows
|
#define compat_datafellows ssh_compat_datafellows
|
||||||
@ -279,6 +280,7 @@
|
|||||||
#define ms_to_timeval ssh_ms_to_timeval
|
#define ms_to_timeval ssh_ms_to_timeval
|
||||||
#define mysignal ssh_mysignal
|
#define mysignal ssh_mysignal
|
||||||
#define packet_add_padding ssh_packet_add_padding
|
#define packet_add_padding ssh_packet_add_padding
|
||||||
|
#define packet_backup_state ssh_packet_backup_state
|
||||||
#define packet_close ssh_packet_close
|
#define packet_close ssh_packet_close
|
||||||
#define packet_connection_is_ipv4 ssh_packet_connection_is_ipv4
|
#define packet_connection_is_ipv4 ssh_packet_connection_is_ipv4
|
||||||
#define packet_connection_is_on_socket ssh_packet_connection_is_on_socket
|
#define packet_connection_is_on_socket ssh_packet_connection_is_on_socket
|
||||||
@ -289,10 +291,15 @@
|
|||||||
#define packet_get_connection_in ssh_packet_get_connection_in
|
#define packet_get_connection_in ssh_packet_get_connection_in
|
||||||
#define packet_get_connection_out ssh_packet_get_connection_out
|
#define packet_get_connection_out ssh_packet_get_connection_out
|
||||||
#define packet_get_encryption_key ssh_packet_get_encryption_key
|
#define packet_get_encryption_key ssh_packet_get_encryption_key
|
||||||
|
#define packet_get_input ssh_packet_get_input
|
||||||
#define packet_get_int ssh_packet_get_int
|
#define packet_get_int ssh_packet_get_int
|
||||||
|
#define packet_get_int64 ssh_packet_get_int64
|
||||||
#define packet_get_keycontext ssh_packet_get_keycontext
|
#define packet_get_keycontext ssh_packet_get_keycontext
|
||||||
#define packet_get_keyiv ssh_packet_get_keyiv
|
#define packet_get_keyiv ssh_packet_get_keyiv
|
||||||
#define packet_get_keyiv_len ssh_packet_get_keyiv_len
|
#define packet_get_keyiv_len ssh_packet_get_keyiv_len
|
||||||
|
#define packet_get_maxsize ssh_packet_get_maxsize
|
||||||
|
#define packet_get_newkeys ssh_packet_get_newkeys
|
||||||
|
#define packet_get_output ssh_packet_get_output
|
||||||
#define packet_get_protocol_flags ssh_packet_get_protocol_flags
|
#define packet_get_protocol_flags ssh_packet_get_protocol_flags
|
||||||
#define packet_get_raw ssh_packet_get_raw
|
#define packet_get_raw ssh_packet_get_raw
|
||||||
#define packet_get_ssh1_cipher ssh_packet_get_ssh1_cipher
|
#define packet_get_ssh1_cipher ssh_packet_get_ssh1_cipher
|
||||||
@ -300,6 +307,7 @@
|
|||||||
#define packet_get_string ssh_packet_get_string
|
#define packet_get_string ssh_packet_get_string
|
||||||
#define packet_get_string_ptr ssh_packet_get_string_ptr
|
#define packet_get_string_ptr ssh_packet_get_string_ptr
|
||||||
#define packet_have_data_to_write ssh_packet_have_data_to_write
|
#define packet_have_data_to_write ssh_packet_have_data_to_write
|
||||||
|
#define packet_inc_alive_timeouts ssh_packet_inc_alive_timeouts
|
||||||
#define packet_is_interactive ssh_packet_is_interactive
|
#define packet_is_interactive ssh_packet_is_interactive
|
||||||
#define packet_need_rekeying ssh_packet_need_rekeying
|
#define packet_need_rekeying ssh_packet_need_rekeying
|
||||||
#define packet_not_very_much_data_to_write ssh_packet_not_very_much_data_to_write
|
#define packet_not_very_much_data_to_write ssh_packet_not_very_much_data_to_write
|
||||||
@ -309,6 +317,7 @@
|
|||||||
#define packet_put_char ssh_packet_put_char
|
#define packet_put_char ssh_packet_put_char
|
||||||
#define packet_put_cstring ssh_packet_put_cstring
|
#define packet_put_cstring ssh_packet_put_cstring
|
||||||
#define packet_put_int ssh_packet_put_int
|
#define packet_put_int ssh_packet_put_int
|
||||||
|
#define packet_put_int64 ssh_packet_put_int64
|
||||||
#define packet_put_raw ssh_packet_put_raw
|
#define packet_put_raw ssh_packet_put_raw
|
||||||
#define packet_put_string ssh_packet_put_string
|
#define packet_put_string ssh_packet_put_string
|
||||||
#define packet_read ssh_packet_read
|
#define packet_read ssh_packet_read
|
||||||
@ -317,9 +326,11 @@
|
|||||||
#define packet_read_poll_seqnr ssh_packet_read_poll_seqnr
|
#define packet_read_poll_seqnr ssh_packet_read_poll_seqnr
|
||||||
#define packet_read_seqnr ssh_packet_read_seqnr
|
#define packet_read_seqnr ssh_packet_read_seqnr
|
||||||
#define packet_remaining ssh_packet_remaining
|
#define packet_remaining ssh_packet_remaining
|
||||||
|
#define packet_restore_state ssh_packet_restore_state
|
||||||
#define packet_send ssh_packet_send
|
#define packet_send ssh_packet_send
|
||||||
#define packet_send_debug ssh_packet_send_debug
|
#define packet_send_debug ssh_packet_send_debug
|
||||||
#define packet_send_ignore ssh_packet_send_ignore
|
#define packet_send_ignore ssh_packet_send_ignore
|
||||||
|
#define packet_set_alive_timeouts ssh_packet_set_alive_timeouts
|
||||||
#define packet_set_authenticated ssh_packet_set_authenticated
|
#define packet_set_authenticated ssh_packet_set_authenticated
|
||||||
#define packet_set_connection ssh_packet_set_connection
|
#define packet_set_connection ssh_packet_set_connection
|
||||||
#define packet_set_encryption_key ssh_packet_set_encryption_key
|
#define packet_set_encryption_key ssh_packet_set_encryption_key
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: sshconnect.c,v 1.212 2008/10/14 18:11:33 stevesk Exp $ */
|
/* $OpenBSD: sshconnect.c,v 1.214 2009/05/28 16:50:16 andreas Exp $ */
|
||||||
/* $FreeBSD$ */
|
/* $FreeBSD$ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
@ -57,6 +57,7 @@
|
|||||||
#include "atomicio.h"
|
#include "atomicio.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
#include "dns.h"
|
#include "dns.h"
|
||||||
|
#include "roaming.h"
|
||||||
#include "version.h"
|
#include "version.h"
|
||||||
|
|
||||||
char *client_version_string = NULL;
|
char *client_version_string = NULL;
|
||||||
@ -414,7 +415,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
|
|||||||
* Waits for the server identification string, and sends our own
|
* Waits for the server identification string, and sends our own
|
||||||
* identification string.
|
* identification string.
|
||||||
*/
|
*/
|
||||||
static void
|
void
|
||||||
ssh_exchange_identification(int timeout_ms)
|
ssh_exchange_identification(int timeout_ms)
|
||||||
{
|
{
|
||||||
char buf[256], remote_version[256]; /* must be same size! */
|
char buf[256], remote_version[256]; /* must be same size! */
|
||||||
@ -453,7 +454,7 @@ ssh_exchange_identification(int timeout_ms)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
len = atomicio(read, connection_in, &buf[i], 1);
|
len = roaming_atomicio(read, connection_in, &buf[i], 1);
|
||||||
|
|
||||||
if (len != 1 && errno == EPIPE)
|
if (len != 1 && errno == EPIPE)
|
||||||
fatal("ssh_exchange_identification: "
|
fatal("ssh_exchange_identification: "
|
||||||
@ -538,7 +539,8 @@ ssh_exchange_identification(int timeout_ms)
|
|||||||
compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
|
compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
|
||||||
compat20 ? PROTOCOL_MINOR_2 : minor1,
|
compat20 ? PROTOCOL_MINOR_2 : minor1,
|
||||||
SSH_VERSION, compat20 ? "\r\n" : "\n");
|
SSH_VERSION, compat20 ? "\r\n" : "\n");
|
||||||
if (atomicio(vwrite, connection_out, buf, strlen(buf)) != strlen(buf))
|
if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf))
|
||||||
|
!= strlen(buf))
|
||||||
fatal("write: %.100s", strerror(errno));
|
fatal("write: %.100s", strerror(errno));
|
||||||
client_version_string = xstrdup(buf);
|
client_version_string = xstrdup(buf);
|
||||||
chop(client_version_string);
|
chop(client_version_string);
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: sshconnect.h,v 1.24 2007/09/04 11:15:56 djm Exp $ */
|
/* $OpenBSD: sshconnect.h,v 1.25 2009/05/27 06:38:16 andreas Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
@ -38,6 +38,8 @@ ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int,
|
|||||||
void
|
void
|
||||||
ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *, int);
|
ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *, int);
|
||||||
|
|
||||||
|
void ssh_exchange_identification(int);
|
||||||
|
|
||||||
int verify_host_key(char *, struct sockaddr *, Key *);
|
int verify_host_key(char *, struct sockaddr *, Key *);
|
||||||
|
|
||||||
void ssh_kex(char *, struct sockaddr *);
|
void ssh_kex(char *, struct sockaddr *);
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: sshconnect2.c,v 1.170 2008/11/04 08:22:13 djm Exp $ */
|
/* $OpenBSD: sshconnect2.c,v 1.171 2009/03/05 07:18:19 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||||
@ -68,6 +68,7 @@
|
|||||||
#include "msg.h"
|
#include "msg.h"
|
||||||
#include "pathnames.h"
|
#include "pathnames.h"
|
||||||
#include "uidswap.h"
|
#include "uidswap.h"
|
||||||
|
#include "schnorr.h"
|
||||||
#include "jpake.h"
|
#include "jpake.h"
|
||||||
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
|
@ -34,9 +34,9 @@
|
|||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: sshd.8,v 1.247 2008/10/03 13:08:12 jmc Exp $
|
.\" $OpenBSD: sshd.8,v 1.248 2009/03/26 08:38:39 sobrado Exp $
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.Dd October 3 2008
|
.Dd March 26 2009
|
||||||
.Dt SSHD 8
|
.Dt SSHD 8
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -546,7 +546,7 @@ for more information on patterns.
|
|||||||
In addition to the wildcard matching that may be applied to hostnames or
|
In addition to the wildcard matching that may be applied to hostnames or
|
||||||
addresses, a
|
addresses, a
|
||||||
.Cm from
|
.Cm from
|
||||||
stanza may match IP addressess using CIDR address/masklen notation.
|
stanza may match IP addresses using CIDR address/masklen notation.
|
||||||
.Pp
|
.Pp
|
||||||
The purpose of this option is to optionally increase security: public key
|
The purpose of this option is to optionally increase security: public key
|
||||||
authentication by itself does not trust the network or name servers or
|
authentication by itself does not trust the network or name servers or
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: sshd.c,v 1.366 2009/01/22 10:02:34 djm Exp $ */
|
/* $OpenBSD: sshd.c,v 1.367 2009/05/28 16:50:16 andreas Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
@ -128,6 +128,7 @@ __RCSID("$FreeBSD$");
|
|||||||
#include "ssh-gss.h"
|
#include "ssh-gss.h"
|
||||||
#endif
|
#endif
|
||||||
#include "monitor_wrap.h"
|
#include "monitor_wrap.h"
|
||||||
|
#include "roaming.h"
|
||||||
#include "version.h"
|
#include "version.h"
|
||||||
|
|
||||||
#ifdef LIBWRAP
|
#ifdef LIBWRAP
|
||||||
@ -430,7 +431,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
|
|||||||
server_version_string = xstrdup(buf);
|
server_version_string = xstrdup(buf);
|
||||||
|
|
||||||
/* Send our protocol version identification. */
|
/* Send our protocol version identification. */
|
||||||
if (atomicio(vwrite, sock_out, server_version_string,
|
if (roaming_atomicio(vwrite, sock_out, server_version_string,
|
||||||
strlen(server_version_string))
|
strlen(server_version_string))
|
||||||
!= strlen(server_version_string)) {
|
!= strlen(server_version_string)) {
|
||||||
logit("Could not write ident string to %s", get_remote_ipaddr());
|
logit("Could not write ident string to %s", get_remote_ipaddr());
|
||||||
@ -440,7 +441,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
|
|||||||
/* Read other sides version identification. */
|
/* Read other sides version identification. */
|
||||||
memset(buf, 0, sizeof(buf));
|
memset(buf, 0, sizeof(buf));
|
||||||
for (i = 0; i < sizeof(buf) - 1; i++) {
|
for (i = 0; i < sizeof(buf) - 1; i++) {
|
||||||
if (atomicio(read, sock_in, &buf[i], 1) != 1) {
|
if (roaming_atomicio(read, sock_in, &buf[i], 1) != 1) {
|
||||||
logit("Did not receive identification string from %s",
|
logit("Did not receive identification string from %s",
|
||||||
get_remote_ipaddr());
|
get_remote_ipaddr());
|
||||||
cleanup_exit(255);
|
cleanup_exit(255);
|
||||||
@ -588,7 +589,7 @@ demote_sensitive_data(void)
|
|||||||
static void
|
static void
|
||||||
privsep_preauth_child(void)
|
privsep_preauth_child(void)
|
||||||
{
|
{
|
||||||
u_int32_t rnd[256];
|
u_int32_t rnd[256];
|
||||||
gid_t gidset[1];
|
gid_t gidset[1];
|
||||||
|
|
||||||
/* Enable challenge-response authentication for privilege separation */
|
/* Enable challenge-response authentication for privilege separation */
|
||||||
|
@ -14,7 +14,7 @@
|
|||||||
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
|
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
|
||||||
# FreeBSD has a few additional options.
|
# FreeBSD has a few additional options.
|
||||||
|
|
||||||
#VersionAddendum FreeBSD-20090522
|
#VersionAddendum FreeBSD-20091001
|
||||||
|
|
||||||
#Port 22
|
#Port 22
|
||||||
#Protocol 2
|
#Protocol 2
|
||||||
|
@ -34,9 +34,9 @@
|
|||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: sshd_config.5,v 1.102 2009/02/22 23:59:25 djm Exp $
|
.\" $OpenBSD: sshd_config.5,v 1.106 2009/04/21 15:13:17 stevesk Exp $
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.Dd February 22 2009
|
.Dd April 21 2009
|
||||||
.Dt SSHD_CONFIG 5
|
.Dt SSHD_CONFIG 5
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -177,9 +177,9 @@ then no banner is displayed.
|
|||||||
This option is only available for protocol version 2.
|
This option is only available for protocol version 2.
|
||||||
By default, no banner is displayed.
|
By default, no banner is displayed.
|
||||||
.It Cm ChallengeResponseAuthentication
|
.It Cm ChallengeResponseAuthentication
|
||||||
Specifies whether challenge-response authentication is allowed.
|
Specifies whether challenge-response authentication is allowed (e.g. via
|
||||||
See also
|
PAM or though authentication styles supported in
|
||||||
.Cm UsePAM .
|
.Xr login.conf 5 )
|
||||||
The default is
|
The default is
|
||||||
.Dq yes .
|
.Dq yes .
|
||||||
.It Cm ChrootDirectory
|
.It Cm ChrootDirectory
|
||||||
@ -188,6 +188,9 @@ Specifies a path to
|
|||||||
to after authentication.
|
to after authentication.
|
||||||
This path, and all its components, must be root-owned directories that are
|
This path, and all its components, must be root-owned directories that are
|
||||||
not writable by any other user or group.
|
not writable by any other user or group.
|
||||||
|
After the chroot,
|
||||||
|
.Xr sshd 8
|
||||||
|
changes the working directory to the user's home directory.
|
||||||
.Pp
|
.Pp
|
||||||
The path may contain the following tokens that are expanded at runtime once
|
The path may contain the following tokens that are expanded at runtime once
|
||||||
the connecting user has been authenticated: %% is replaced by a literal '%',
|
the connecting user has been authenticated: %% is replaced by a literal '%',
|
||||||
@ -197,7 +200,7 @@ the connecting user has been authenticated: %% is replaced by a literal '%',
|
|||||||
The
|
The
|
||||||
.Cm ChrootDirectory
|
.Cm ChrootDirectory
|
||||||
must contain the necessary files and directories to support the
|
must contain the necessary files and directories to support the
|
||||||
users' session.
|
user's session.
|
||||||
For an interactive session this requires at least a shell, typically
|
For an interactive session this requires at least a shell, typically
|
||||||
.Xr sh 1 ,
|
.Xr sh 1 ,
|
||||||
and basic
|
and basic
|
||||||
@ -215,8 +218,11 @@ devices.
|
|||||||
For file transfer sessions using
|
For file transfer sessions using
|
||||||
.Dq sftp ,
|
.Dq sftp ,
|
||||||
no additional configuration of the environment is necessary if the
|
no additional configuration of the environment is necessary if the
|
||||||
in-process sftp server is used (see
|
in-process sftp server is used,
|
||||||
.Cm Subsystem
|
though sessions which use logging do require
|
||||||
|
.Pa /dev/log
|
||||||
|
inside the chroot directory (see
|
||||||
|
.Xr sftp-server 8
|
||||||
for details).
|
for details).
|
||||||
.Pp
|
.Pp
|
||||||
The default is not to
|
The default is not to
|
||||||
@ -949,7 +955,7 @@ The default is
|
|||||||
Specifies a string to append to the regular version string to identify
|
Specifies a string to append to the regular version string to identify
|
||||||
OS- or site-specific modifications.
|
OS- or site-specific modifications.
|
||||||
The default is
|
The default is
|
||||||
.Dq FreeBSD-20090522 .
|
.Dq FreeBSD-20091001 .
|
||||||
.It Cm X11DisplayOffset
|
.It Cm X11DisplayOffset
|
||||||
Specifies the first display number available for
|
Specifies the first display number available for
|
||||||
.Xr sshd 8 Ns 's
|
.Xr sshd 8 Ns 's
|
||||||
|
@ -86,13 +86,20 @@ get_last_login_time(uid_t uid, const char *logname,
|
|||||||
static void
|
static void
|
||||||
store_lastlog_message(const char *user, uid_t uid)
|
store_lastlog_message(const char *user, uid_t uid)
|
||||||
{
|
{
|
||||||
|
#ifndef NO_SSH_LASTLOG
|
||||||
char *time_string, hostname[MAXHOSTNAMELEN] = "", buf[512];
|
char *time_string, hostname[MAXHOSTNAMELEN] = "", buf[512];
|
||||||
time_t last_login_time;
|
time_t last_login_time;
|
||||||
|
|
||||||
#ifndef NO_SSH_LASTLOG
|
|
||||||
if (!options.print_lastlog)
|
if (!options.print_lastlog)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
# ifdef CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG
|
||||||
|
time_string = sys_auth_get_lastlogin_msg(user, uid);
|
||||||
|
if (time_string != NULL) {
|
||||||
|
buffer_append(&loginmsg, time_string, strlen(time_string));
|
||||||
|
xfree(time_string);
|
||||||
|
}
|
||||||
|
# else
|
||||||
last_login_time = get_last_login_time(uid, user, hostname,
|
last_login_time = get_last_login_time(uid, user, hostname,
|
||||||
sizeof(hostname));
|
sizeof(hostname));
|
||||||
|
|
||||||
@ -107,6 +114,7 @@ store_lastlog_message(const char *user, uid_t uid)
|
|||||||
time_string, hostname);
|
time_string, hostname);
|
||||||
buffer_append(&loginmsg, buf, strlen(buf));
|
buffer_append(&loginmsg, buf, strlen(buf));
|
||||||
}
|
}
|
||||||
|
# endif /* CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG */
|
||||||
#endif /* NO_SSH_LASTLOG */
|
#endif /* NO_SSH_LASTLOG */
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: uuencode.c,v 1.24 2006/08/03 03:34:42 deraadt Exp $ */
|
/* $OpenBSD: uuencode.c,v 1.25 2009/03/05 11:30:50 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
*
|
*
|
||||||
@ -33,6 +33,12 @@
|
|||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "uuencode.h"
|
#include "uuencode.h"
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Encode binary 'src' of length 'srclength', writing base64-encoded text
|
||||||
|
* to 'target' of size 'targsize'. Will always nul-terminate 'target'.
|
||||||
|
* Returns the number of bytes stored in 'target' or -1 on error (inc.
|
||||||
|
* 'targsize' too small).
|
||||||
|
*/
|
||||||
int
|
int
|
||||||
uuencode(const u_char *src, u_int srclength,
|
uuencode(const u_char *src, u_int srclength,
|
||||||
char *target, size_t targsize)
|
char *target, size_t targsize)
|
||||||
@ -40,6 +46,11 @@ uuencode(const u_char *src, u_int srclength,
|
|||||||
return __b64_ntop(src, srclength, target, targsize);
|
return __b64_ntop(src, srclength, target, targsize);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Decode base64-encoded 'src' into buffer 'target' of 'targsize' bytes.
|
||||||
|
* Will skip leading and trailing whitespace. Returns the number of bytes
|
||||||
|
* stored in 'target' or -1 on error (inc. targsize too small).
|
||||||
|
*/
|
||||||
int
|
int
|
||||||
uudecode(const char *src, u_char *target, size_t targsize)
|
uudecode(const char *src, u_char *target, size_t targsize)
|
||||||
{
|
{
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
/* $OpenBSD: version.h,v 1.55 2009/02/23 00:06:15 djm Exp $ */
|
/* $OpenBSD: version.h,v 1.56 2009/06/30 14:54:40 markus Exp $ */
|
||||||
/* $FreeBSD$ */
|
/* $FreeBSD$ */
|
||||||
|
|
||||||
#ifndef SSH_VERSION
|
#ifndef SSH_VERSION
|
||||||
|
|
||||||
#define SSH_VERSION (ssh_version_get())
|
#define SSH_VERSION (ssh_version_get())
|
||||||
#define SSH_RELEASE (ssh_version_get())
|
#define SSH_RELEASE (ssh_version_get())
|
||||||
#define SSH_VERSION_BASE "OpenSSH_5.2p1"
|
#define SSH_VERSION_BASE "OpenSSH_5.3p1"
|
||||||
#define SSH_VERSION_ADDENDUM "FreeBSD-20090522"
|
#define SSH_VERSION_ADDENDUM "FreeBSD-20091001"
|
||||||
|
|
||||||
const char *ssh_version_get(void);
|
const char *ssh_version_get(void);
|
||||||
void ssh_version_set_addendum(const char *);
|
void ssh_version_set_addendum(const char *);
|
||||||
|
@ -6,7 +6,7 @@ MAN= sftp-server.8
|
|||||||
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
||||||
|
|
||||||
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
|
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
|
||||||
LDADD= -lssh -lcrypt -lcrypto -lz
|
LDADD= -lcrypt -lcrypto -lz -static -lssh
|
||||||
|
|
||||||
.include <bsd.prog.mk>
|
.include <bsd.prog.mk>
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
# $FreeBSD$
|
# $FreeBSD$
|
||||||
|
|
||||||
PROG= ssh-keysign
|
PROG= ssh-keysign
|
||||||
SRCS= ssh-keysign.c readconf.c
|
SRCS= ssh-keysign.c readconf.c roaming_dummy.c
|
||||||
MAN= ssh-keysign.8
|
MAN= ssh-keysign.8
|
||||||
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
||||||
.if defined(ENABLE_SUID_SSH)
|
.if defined(ENABLE_SUID_SSH)
|
||||||
|
@ -1,8 +1,12 @@
|
|||||||
# $FreeBSD$
|
# $FreeBSD$
|
||||||
|
|
||||||
PROG= scp
|
PROG= scp
|
||||||
|
SRCS= scp.c
|
||||||
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
||||||
|
|
||||||
|
# required when linking with a dynamic libssh
|
||||||
|
SRCS+= roaming_dummy.c
|
||||||
|
|
||||||
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
|
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
|
||||||
LDADD= -lssh -lcrypt -lcrypto -lz
|
LDADD= -lssh -lcrypt -lcrypto -lz
|
||||||
|
|
||||||
|
@ -4,6 +4,9 @@ PROG= sftp
|
|||||||
SRCS= sftp.c sftp-client.c sftp-common.c sftp-glob.c progressmeter.c
|
SRCS= sftp.c sftp-client.c sftp-common.c sftp-glob.c progressmeter.c
|
||||||
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
||||||
|
|
||||||
|
# required when linking with a dynamic libssh
|
||||||
|
SRCS+= roaming_dummy.c
|
||||||
|
|
||||||
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} ${LIBEDIT} ${LIBNCURSES}
|
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} ${LIBEDIT} ${LIBNCURSES}
|
||||||
LDADD= -lssh -lcrypt -lcrypto -lz -ledit -lncurses
|
LDADD= -lssh -lcrypt -lcrypto -lz -ledit -lncurses
|
||||||
|
|
||||||
|
@ -1,8 +1,12 @@
|
|||||||
# $FreeBSD$
|
# $FreeBSD$
|
||||||
|
|
||||||
PROG= ssh-add
|
PROG= ssh-add
|
||||||
|
SRCS+= ssh-add.c
|
||||||
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
||||||
|
|
||||||
|
# required when linking with a dynamic libssh
|
||||||
|
SRCS+= roaming_dummy.c
|
||||||
|
|
||||||
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
|
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
|
||||||
LDADD= -lssh -lcrypt -lcrypto -lz
|
LDADD= -lssh -lcrypt -lcrypto -lz
|
||||||
|
|
||||||
|
@ -1,8 +1,12 @@
|
|||||||
# $FreeBSD$
|
# $FreeBSD$
|
||||||
|
|
||||||
PROG= ssh-agent
|
PROG= ssh-agent
|
||||||
|
SRCS= ssh-agent.c
|
||||||
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
||||||
|
|
||||||
|
# required when linking with a dynamic libssh
|
||||||
|
SRCS+= roaming_dummy.c
|
||||||
|
|
||||||
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
|
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
|
||||||
LDADD= -lssh -lcrypt -lcrypto -lz
|
LDADD= -lssh -lcrypt -lcrypto -lz
|
||||||
|
|
||||||
|
@ -1,8 +1,12 @@
|
|||||||
# $FreeBSD$
|
# $FreeBSD$
|
||||||
|
|
||||||
PROG= ssh-keygen
|
PROG= ssh-keygen
|
||||||
|
SRCS= ssh-keygen.c
|
||||||
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
||||||
|
|
||||||
|
# required when linking with a dynamic libssh
|
||||||
|
SRCS+= roaming_dummy.c
|
||||||
|
|
||||||
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
|
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
|
||||||
LDADD= -lssh -lcrypt -lcrypto -lz
|
LDADD= -lssh -lcrypt -lcrypto -lz
|
||||||
|
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
# $FreeBSD$
|
# $FreeBSD$
|
||||||
|
|
||||||
PROG= ssh-keyscan
|
PROG= ssh-keyscan
|
||||||
|
SRCS= ssh-keyscan.c roaming_dummy.c
|
||||||
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
||||||
|
|
||||||
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
|
DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
|
||||||
|
@ -11,7 +11,10 @@ MLINKS= ssh.1 slogin.1
|
|||||||
|
|
||||||
SRCS= ssh.c readconf.c clientloop.c sshtty.c \
|
SRCS= ssh.c readconf.c clientloop.c sshtty.c \
|
||||||
sshconnect.c sshconnect1.c sshconnect2.c mux.c \
|
sshconnect.c sshconnect1.c sshconnect2.c mux.c \
|
||||||
gss-genr.c
|
roaming_common.c
|
||||||
|
|
||||||
|
# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
|
||||||
|
SRCS+= gss-genr.c
|
||||||
|
|
||||||
DPADD= ${LIBSSH} ${LIBUTIL} ${LIBZ}
|
DPADD= ${LIBSSH} ${LIBUTIL} ${LIBZ}
|
||||||
LDADD= -lssh -lutil -lz
|
LDADD= -lssh -lutil -lz
|
||||||
|
@ -15,9 +15,10 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
|
|||||||
auth2-gss.c gss-serv.c gss-serv-krb5.c \
|
auth2-gss.c gss-serv.c gss-serv-krb5.c \
|
||||||
loginrec.c auth-pam.c auth-shadow.c auth-sia.c md5crypt.c \
|
loginrec.c auth-pam.c auth-shadow.c auth-sia.c md5crypt.c \
|
||||||
audit.c audit-bsm.c platform.c sftp-server.c sftp-common.c \
|
audit.c audit-bsm.c platform.c sftp-server.c sftp-common.c \
|
||||||
gss-genr.c
|
roaming_common.c
|
||||||
|
|
||||||
# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
|
# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
|
||||||
|
SRCS+= gss-genr.c
|
||||||
|
|
||||||
MAN= sshd.8 sshd_config.5
|
MAN= sshd.8 sshd_config.5
|
||||||
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
|
||||||
|
Loading…
Reference in New Issue
Block a user